Land foundations: assessment, ADR-001/002/003, FLEX-WP-0005, Go skeleton

Pre-implementation assessment and boundary review
(docs/pre-implementation-assessment.md) lead to three ADRs:
- ADR-001 Go + repo skeleton
- ADR-002 Rego-in-Markdown policy package format
- ADR-003 Topaz-aligned MVP (Topaz spike moves into foundations)

New workplan FLEX-WP-0005 (Foundations and Topaz Alignment) is inserted
between WP-0001 (done) and WP-0002 (core). WP-0002 pins Rego-in-Markdown
for P2.3; WP-0004 P4.1 refocused from Topaz evaluation to Topaz adapter.

Go skeleton at repo root: cmd/flex-auth + internal/{registry,policy,
decision,audit,adapters} + pkg/api + Makefile + .golangci.yml + GitHub
Actions CI. make ci green locally; bin/flex-auth --version works.

INTENT/SCOPE cite the NetKingdom IAM Profile and add the ops-warden /
ops-bridge disjoint-surface clarifications.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

INTENT.md

@@ -44,6 +44,11 @@ authorization logic sprawl across applications.
 
 ## Responsibility Boundary
 
+The identity contract flex-auth consumes is the **NetKingdom IAM Profile**
+(`~/the-custodian/canon/standards/iam-profile_v0.1.md`), implemented by
+key-cape in lightweight mode and by Keycloak in heavy mode. flex-auth
+treats the profile as normative input and never re-defines it.
+
 ### key-cape / NetKingdom Owns Identity
 
 - OIDC discovery and token issuance.