The OAuth client / gateway-access principal — what application
is brokering the request, as opposed to which user is using it
(SubjectExtension) and which attested workload is the network
peer (WorkloadIdentity). Populated from a client-credentials or
session JWT by an identity-resolver plugin (or supplied directly
by a trusted upstream gateway).
SPIFFE-style workload identity, used for both inbound callers
(SecurityExtension.caller_workload — added in a subsequent slice)
and our own outbound identity (SecurityExtension.this_workload).
Trust classification for the OAuth client / gateway that brokered
the request. Distinct from the user’s subject identity — the same
human can connect through a first-party browser flow or a
third-party agent, and policies often want to distinguish them.