Add enterprise identity and access architecture

architecture/workspace/enterprise-identity-access-architecture.puml

@@ -0,0 +1,63 @@
+@startuml
+!include https://raw.githubusercontent.com/plantuml-stdlib/C4-PlantUML/master/C4_Container.puml
+
+LAYOUT_WITH_LEGEND()
+
+title Kell Creations - Enterprise Identity & Access Architecture
+
+Person(owner, "Business Owner", "Full business governance and administrative authority")
+Person(staff, "Operations Staff", "Daily operational user with limited business-role access")
+
+System_Boundary(platform, "Kell Creations Platform") {
+  Container(auth, "Authentication Service", "Identity Service", "Central authentication, session management, identity verification, and role enforcement")
+  Container(rbac, "Authorization & Role Policy", "Policy Service", "Defines roles, permissions, and access rules across applications and services")
+  Container(audit, "Audit & Logging Service", "Observability Service", "Captures authentication events, authorization decisions, and administrative actions")
+  Container(api, "API Orchestrator", "Integration Service", "Validates identity and enforces access on service-to-service and external integration calls")
+
+  Container(inventory, "Inventory Application", "Business Application", "Inventory operations with role-based access controls")
+  Container(social, "Social Media Management", "Business Application", "Campaign and publishing operations with role-based access controls")
+  Container(wpmanage, "WordPress Management", "Business Application", "Site administration and publishing management with controlled privileges")
+  Container(mrp, "Craft Manufacturing / MRP", "Business Application", "Production, BOM, and work-order operations with role-based access controls")
+  Container(finance, "Financial Analysis", "Business Application", "Reporting and financial analysis with restricted access")
+  Container(policyrepo, "Policy Repository", "Document Service", "Controlled access to policies, procedures, and governance records")
+}
+
+System_Ext(mail, "Mail Server", "mail.kellcreations.com")
+System_Ext(wordpress, "WordPress", "www.kellcreations.com")
+System_Ext(git, "Forgejo Git", "git.kellsupport.com")
+System_Ext(n8n, "n8n", "Automation and workflow engine")
+
+Rel(owner, auth, "Authenticates through")
+Rel(staff, auth, "Authenticates through")
+
+Rel(auth, rbac, "Evaluates roles and permissions through")
+Rel(auth, audit, "Logs authentication events to")
+
+Rel(inventory, auth, "Authenticates and validates access through")
+Rel(social, auth, "Authenticates and validates access through")
+Rel(wpmanage, auth, "Authenticates and validates access through")
+Rel(mrp, auth, "Authenticates and validates access through")
+Rel(finance, auth, "Authenticates and validates access through")
+Rel(policyrepo, auth, "Authenticates and validates access through")
+
+Rel(inventory, rbac, "Uses role policies from")
+Rel(social, rbac, "Uses role policies from")
+Rel(wpmanage, rbac, "Uses role policies from")
+Rel(mrp, rbac, "Uses role policies from")
+Rel(finance, rbac, "Uses role policies from")
+Rel(policyrepo, rbac, "Uses role policies from")
+
+Rel(api, auth, "Validates identity through")
+Rel(api, rbac, "Enforces service and integration permissions through")
+Rel(api, audit, "Logs access events to")
+
+Rel(wpmanage, wordpress, "Administers and synchronizes with")
+Rel(api, n8n, "Applies controlled integration access to")
+Rel(policyrepo, git, "Controls governed document access to")
+Rel(auth, mail, "Sends authentication and approval notifications through")
+
+Rel(rbac, audit, "Logs policy decisions to")
+Rel(policyrepo, audit, "Logs document access and approvals to")
+Rel(finance, audit, "Logs privileged access to")
+
+@enduml

docs/architecture/containers/enterprise-identity-access-architecture.md

@@ -0,0 +1,40 @@
+# Enterprise Identity & Access Architecture
+
+This diagram shows the shared identity, authentication, authorization, and access-control architecture for the Kell Creations platform.
+
+## Purpose
+
+This view defines the enterprise model for authentication, role-based access control, policy enforcement, integration access, and auditability across all business applications and shared services.
+
+## Diagram Source
+
+The source for this diagram is maintained as architecture code in:
+
+`architecture/workspace/enterprise-identity-access-architecture.puml`
+
+## Included Shared Identity and Access Services
+
+- Authentication Service
+- Authorization & Role Policy
+- Audit & Logging Service
+- API Orchestrator
+
+## Connected Business Applications
+
+- Inventory Application
+- Social Media Management
+- WordPress Management
+- Craft Manufacturing / MRP
+- Financial Analysis
+- Policy Repository
+
+## Connected External Systems
+
+- Mail Server at `mail.kellcreations.com`
+- WordPress at `www.kellcreations.com`
+- Forgejo Git at `git.kellsupport.com`
+- n8n automation at `n8n.kellsupport.com`
+
+## Notes
+
+This architecture establishes the enterprise access-control model for the platform. Future application and component designs should align to this identity and authorization pattern so that authentication, role enforcement, privileged access, integration control, and audit logging remain consistent across the Kell Creations environment.

mkdocs.yml

@@ -39,6 +39,7 @@ nav:
           - Platform Containers: "architecture/containers/platform-containers.md"
           - Enterprise Shared Services: "architecture/containers/enterprise-services.md"
           - Enterprise Data Architecture: "architecture/containers/enterprise-data-architecture.md"
+          - Enterprise Identity & Access Architecture: "architecture/containers/enterprise-identity-access-architecture.md"
       - Components:
           - Inventory Components: "architecture/components/inventory.md"
       - Deployment: