Land foundations: assessment, ADR-001/002/003, FLEX-WP-0005, Go skeleton

Pre-implementation assessment and boundary review
(docs/pre-implementation-assessment.md) lead to three ADRs:
- ADR-001 Go + repo skeleton
- ADR-002 Rego-in-Markdown policy package format
- ADR-003 Topaz-aligned MVP (Topaz spike moves into foundations)

New workplan FLEX-WP-0005 (Foundations and Topaz Alignment) is inserted
between WP-0001 (done) and WP-0002 (core). WP-0002 pins Rego-in-Markdown
for P2.3; WP-0004 P4.1 refocused from Topaz evaluation to Topaz adapter.

Go skeleton at repo root: cmd/flex-auth + internal/{registry,policy,
decision,audit,adapters} + pkg/api + Makefile + .golangci.yml + GitHub
Actions CI. make ci green locally; bin/flex-auth --version works.

INTENT/SCOPE cite the NetKingdom IAM Profile and add the ops-warden /
ops-bridge disjoint-surface clarifications.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

SCOPE.md

@@ -72,11 +72,15 @@ can be coordinated behind a stable flex-auth API.
 
 ## Current State
 
-The repository contains the intent baseline, authorization landscape research,
-and initial workplans. `FLEX-WP-0001` is complete. Current implementation work
-starts with `FLEX-WP-0002`, the standalone policy-as-code core. Markitect
-consumer integration and delegated PDP/directory adapters are planned after
-the core contracts stabilize.
+The repository contains the intent baseline, authorization landscape
+research, initial workplans, and the pre-implementation assessment and
+ADR set produced on 2026-05-15. `FLEX-WP-0001` is complete. Implementation
+now proceeds through `FLEX-WP-0005 Foundations and Topaz Alignment` —
+which lands the Go skeleton, pins the `FlexAuthResourceManifest` schema,
+runs the Topaz mapping spike, and records ADR-001/002/003 — before the
+standalone policy-as-code core in `FLEX-WP-0002`. Markitect consumer
+integration and delegated PDP/directory adapters are planned after the
+core contracts stabilize.
 
 State Hub integration is present through:
 
@@ -120,17 +124,34 @@ local diagnostics.
 
 ## Related / Overlapping
 
-- key-cape / NetKingdom SSO: identity source and coarse claims provider.
+- key-cape / NetKingdom SSO: identity source and coarse claims provider;
+  flex-auth consumes the **NetKingdom IAM Profile**
+  (`~/the-custodian/canon/standards/iam-profile_v0.1.md`).
 - Markitect: first protected-system consumer and policy enforcement point.
-- Topaz: candidate MVP delegated backend combining local directory and
-  OPA/Rego evaluation.
+- Topaz: aligned evaluator. Per ADR-003 the standalone core is shaped
+  to match Topaz's Rego + directory model from day one; the Topaz
+  adapter in `FLEX-WP-0004` is therefore a small step rather than a
+  conversion.
 - OpenFGA and SpiceDB: candidate relationship authorization backends.
 - OPA and Cedar: candidate rule and typed-policy engines.
 - Keycloak Authorization Services: adapter path for Keycloak-centric
-  deployments.
+  deployments. Default architecture is "Keycloak as SSO only,
+  flex-auth owns authorization"; Keycloak AuthZ is one optional
+  delegated PDP.
 - Entra, Graph, SCIM, LDAP, and Keycloak APIs: directory and group resolver
   sources.
 
+## Disjoint From
+
+- **ops-warden** signs short-lived SSH certificates for ops actors
+  (`adm`/`agt`/`atm`). That is a separate identity surface — SSH certs,
+  not OIDC subjects — and ops-warden disclaims being a resource-policy
+  engine. flex-auth and ops-warden therefore do not overlap. (A future
+  flow could surface an `agt` actor as a flex-auth subject; nothing in
+  the current design requires it.)
+- **ops-bridge** owns SSH reverse-tunnel connectivity and explicitly
+  disclaims being a credential authority or policy engine. No overlap.
+
 ## Provided Capabilities
 
 ```capability