coulomb/flex-auth
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Document Markitect integration flow
Some checks failed
CI / Build and Test (push) Has been cancelled
Details
CI / Lint (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Bernd Worsch
2026-05-17 06:41:07 +02:00
parent 131fd2cd9b
commit 184ce5a380
2 changed files with 121 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

119
docs/markitect-integration-flow.md Normal file
View File

@@ -0,0 +1,119 @@
# Markitect Integration Flow
This document describes how Markitect should use flex-auth as its first
protected-system consumer integration.
## 1. Publish Resources
Markitect emits a `FlexAuthResourceManifest` for each knowledge base or
resource slice it wants flex-auth to authorize. The emitted manifest should use
the namespace in `docs/markitect-resource-namespace.md` and include:
- stable resource ids such as `document:internal-note`
- resource type and parent links
- path, labels, trust zone, owner, and durable backend metadata
- `metadata.flex_auth_contract: resource-registration-v0`
- `caring_profile: caring-0.4.0-rc2` when the emitter can provide it
flex-auth imports the manifest through `internal/markitect.ImportResourceManifest`.
The importer enriches resources with CARING scope and plane classification and
returns diagnostics when a resource type, trust zone, label set, or CARING
profile is missing or ambiguous.
## 2. Submit Check Requests
For one resource, Markitect submits `CheckRequest`:
```text
subject + action + resource + context + optional caring_context
```
For repeated checks, Markitect submits `BatchCheckRequest` with the same
subject/action/context and a resource list. Resource order is preserved in the
response.
Markitect should pass local frontmatter and backend metadata as resource
attributes when they affect policy:
- `labels`
- `trust_zone`
- `markitect_path`
- `frontmatter_visibility`
- `source_revision`
- `workflow_state`
- `freshness_seconds`
- `data_classes`
Subject roles and groups should be normalized into subject attributes or loaded
into the registry as subject/group/team manifests. CARING dimensions should be
attached as `caring_context` when Markitect already knows the intended
descriptor; otherwise flex-auth can derive descriptors from relationship facts.
## 3. Enforce Decisions
Markitect maps flex-auth decision envelopes into its gateway contract with
`internal/markitect.ToGatewayDecision`.
Expected effects:
- `allow`: render, answer, package, activate, export, or run workflow.
- `deny`: block the operation.
- `redact`: continue with returned obligations such as `mask_fields`.
- `audit_denied`: block or quarantine while preserving an audit-grade record.
Markitect should enforce obligations before exposing data. For example, a
`mask_fields` obligation must be applied before rendering or model use, and a
`record_context_activation` obligation must be logged when a context package is
activated.
## 4. Record Decision IDs
Every gateway operation should persist the flex-auth decision id alongside the
Markitect request id, workflow id, rendered artifact id, or export id.
At minimum, always record:
- denies
- redactions
- exports
- context package activations
- workflow runs
- support, break-glass, or other CARING exposure events
The local flex-auth JSONL log is suitable for local development. Markitect may
also write the same decision id into its own event log.
## 5. Explain Decisions
When users need an explanation, Markitect can call flex-auth `explain` or use
the decision id to retrieve the persisted envelope and project it with
`ToGatewayDecision`.
Explanations should preserve CARING language:
- subject relation and canonical role, for example `Customer Doer`
- scope, for example `Resource document:internal-note`
- plane, for example `Data`
- capability, for example `View` or `Export`
- exposure mode, for example `Masked`, `Plaintext`, or `Exportable`
- restrictions, conditions, and conformance findings
Example explanation:
```text
Customer Doer may View Data Plane resource document:internal-note because reader_group.
```
## Local Mapping Summary
| Markitect local concept | flex-auth field | CARING dimension |
| --- | --- | --- |
| frontmatter visibility | `resource.attributes.frontmatter_visibility` | Exposure mode hint |
| document labels | `resource.attributes.labels` | Scope and exposure hint |
| owner/steward | `resource.owner`, subject groups/roles | Canonical role and relation |
| workflow state | `resource.attributes.workflow_state`, request context | Lifecycle/condition hint |
| context freshness | `request.context.freshness_seconds` | Condition and conformance finding |
| export request | `action: export` | `Export` capability and `Exportable` exposure |
The examples in `examples/markitect/` are the executable contract fixtures for
this flow.

4
workplans/FLEX-WP-0003-markitect-consumer-integration.md
View File

@@ -3,7 +3,7 @@ id: FLEX-WP-0003
type: workplan type: workplan
title: "Markitect Consumer Integration" title: "Markitect Consumer Integration"
domain: netkingdom domain: netkingdom
status: todo status: completed
owner: flex-auth owner: flex-auth
topic_slug: flex-auth topic_slug: flex-auth
planning_priority: P1 planning_priority: P1
@@ -144,7 +144,7 @@ Add tests that produce flex-auth decisions in the shape Markitect expects:
```task ```task
id: FLEX-WP-0003-T006 id: FLEX-WP-0003-T006
status: todo status: done
priority: medium priority: medium
state_hub_task_id: "e34b0303-4416-40a3-8b34-e0e80d644aea" state_hub_task_id: "e34b0303-4416-40a3-8b34-e0e80d644aea"
``` ```