Back to overview

Identity / Keys

The access layer that stays consistent everywhere

Technical name: Heddle

Identity, session, and SSO truth for the stack.

Heddle keeps identity, session, and SSO from behaving differently in every part of the system.

This repository is the stack's technical auth control surface for:

identity runtime bootstrap OIDC client profile contracts session and revocation posture fail-closed Fabric-consumer behavior reconcile/verification tooling around identity-related runtime paths

Status Available now README sync 29 Apr 2026

Why start here?

Heddle keeps identity, session, and SSO from behaving differently in every part of the system.

When do I need this?

Start here when you want to see why users, roles, and sessions are not handled differently in every module.

What role it plays here

Identity, session, and SSO truth for the stack.

Without Heddle, shadow identities emerge. With Heddle, access remains traceable and consistent across the system.

What the module actually does

It keeps login, session, claim, and SSO behavior consistent so other modules do not build their own auth truth.

At the core

Publishes and validates canonical claim/session contracts used by downstream modules.

Runs OIDC bridge surfaces for Plane and Loom integration paths.

Defines admitted client contract templates for stack services.

Enforces fail-closed consumption of Fabric contract/projection surfaces.

Provides scripts/tests for fast repo verification and live runtime checks.

What role it plays in the stack

Owned truth in this repo:

technical identity runtime contracts OIDC client templates and validation claim/session/revocation posture contracts

Consumed truth (not re-authored here):

business identity and eligibility truth from jhf-spindle policy/projection truth from helpifyr-fabric runtime materialization ownership from jhf-openclaw-env

Explicit non-ownership:

no local business-role authoring no local second identity truth family no direct runtime bypass of canonical upstream truth owners

What this looks like in practice

Without Heddle, shadow identities emerge. With Heddle, access remains traceable and consistent across the system.

01

A signal comes in.

02

The system assigns the right role and path.

03

Execution happens through controlled handoffs.

04

Result and evidence return together.

How it fits into the system

Heddle does not stand alone. It connects to neighboring modules so a single capability becomes dependable follow-through.

Fabric The rules that always hold Keystore The controlled path to sensitive access Loom The place where no document gets lost Warp The conductor that assigns the work

Important boundary

Heddle stays bounded to its role as Identity, session, and SSO truth for the stack. It does not replace other modules; it makes its part of the system traceable, connectable, and reviewable.

What is intentionally out of scope

replace Fabric as canonical policy/projection truth

replace Spindle as business identity/role truth

embed environment owner logic that belongs to runtime-owner repos

maintain local secret inventories or plaintext operational credentials

What keeps this page honest

This explanation stays anchored to the module’s current truth, including its real boundaries, responsibilities, and contracts.

Heddle is the identity layer of Helpifyr.

It keeps login, session, claim, and SSO behavior consistent so other modules do not build their own auth truth.

Without Heddle, shadow identities emerge. With Heddle, access remains traceable and consistent across the system.

Active part of the system with clearly defined boundaries.

Source and repo truth

This page is rendered from the repo-owned projection truth and remains tied to the README, module boundaries, and status.

GitHub JaddaHelpifyr/jhf-heddle

Heddle

Without Heddle, shadow identities emerge. With Heddle, access remains traceable and consistent across the system.

Back to overview Contact