generated from coulomb/repo-seed
Land foundations: assessment, ADR-001/002/003, FLEX-WP-0005, Go skeleton
Pre-implementation assessment and boundary review
(docs/pre-implementation-assessment.md) lead to three ADRs:
- ADR-001 Go + repo skeleton
- ADR-002 Rego-in-Markdown policy package format
- ADR-003 Topaz-aligned MVP (Topaz spike moves into foundations)
New workplan FLEX-WP-0005 (Foundations and Topaz Alignment) is inserted
between WP-0001 (done) and WP-0002 (core). WP-0002 pins Rego-in-Markdown
for P2.3; WP-0004 P4.1 refocused from Topaz evaluation to Topaz adapter.
Go skeleton at repo root: cmd/flex-auth + internal/{registry,policy,
decision,audit,adapters} + pkg/api + Makefile + .golangci.yml + GitHub
Actions CI. make ci green locally; bin/flex-auth --version works.
INTENT/SCOPE cite the NetKingdom IAM Profile and add the ops-warden /
ops-bridge disjoint-surface clarifications.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -1,10 +1,10 @@
|
||||
# Flex-Auth Workplan Planning Map
|
||||
|
||||
Date: 2026-05-04
|
||||
Date: 2026-05-15
|
||||
|
||||
## Purpose
|
||||
|
||||
This document captures the initial sequencing view for flex-auth workplans.
|
||||
This document captures the current sequencing view for flex-auth workplans.
|
||||
|
||||
## Priority Scale
|
||||
|
||||
@@ -20,27 +20,39 @@ This document captures the initial sequencing view for flex-auth workplans.
|
||||
| Workplan | Priority | Status | Depends On | Current View |
|
||||
| --- | --- | --- | --- | --- |
|
||||
| `FLEX-WP-0001` | complete | done | none | Repo intent, boundaries, and authorization landscape research are complete. |
|
||||
| `FLEX-WP-0002` | P0 | todo | `FLEX-WP-0001` | Standalone policy-as-code core: schemas, local registry, policy packages, check APIs, explanations, decision log, CLI/service skeleton, tests. |
|
||||
| `FLEX-WP-0003` | P1 | todo | `FLEX-WP-0002` | Markitect consumer integration: resource namespace, manifest import, action vocabulary, decision fixtures, integration docs. |
|
||||
| `FLEX-WP-0004` | P2 | todo | `FLEX-WP-0002` | Delegated PDP and directory adapters: Topaz, OpenFGA/SpiceDB, OPA/Cedar, Keycloak Authorization Services, Entra/Graph/SCIM. |
|
||||
| `FLEX-WP-0005` | P0 | todo | `FLEX-WP-0001` | Foundations and Topaz alignment: ADR-001/002/003, Go skeleton, `FlexAuthResourceManifest` schema pin, Topaz mapping spike, IAM Profile citation, ops-warden boundary clarification. |
|
||||
| `FLEX-WP-0002` | P0 | blocked | `FLEX-WP-0001`, `FLEX-WP-0005` | Standalone policy-as-code core: schemas, local registry, Rego-in-Markdown policy packages, check APIs, explanations, decision log, CLI/service skeleton, tests. |
|
||||
| `FLEX-WP-0003` | P1 | blocked | `FLEX-WP-0002` | Markitect consumer integration: resource namespace, manifest import, action vocabulary, decision fixtures, integration docs. |
|
||||
| `FLEX-WP-0004` | P2 | blocked | `FLEX-WP-0002`, `FLEX-WP-0005` | Delegated PDP and directory adapters: Topaz adapter implementation (evaluation already done in `0005`), OpenFGA/SpiceDB, OPA/Cedar, Keycloak Authorization Services, Entra/Graph/SCIM. |
|
||||
|
||||
## Dependency Notes
|
||||
|
||||
`FLEX-WP-0002` should come first because the protected-system-facing API must
|
||||
be stable before flex-auth delegates decisions to external engines.
|
||||
`FLEX-WP-0005` is inserted between `0001` and `0002` per the
|
||||
pre-implementation assessment in `docs/pre-implementation-assessment.md`.
|
||||
It pulls forward the decisions the original `0002` left implicit (language,
|
||||
policy format, evaluator alignment) and runs the Topaz mapping spike
|
||||
before the core's schemas and check API are written.
|
||||
|
||||
`FLEX-WP-0003` follows the core and uses Markitect as the first concrete
|
||||
consumer. Markitect has already completed its side of the initial contract in
|
||||
`MKTT-WP-0014`, but flex-auth must still implement the service-side registry
|
||||
and decision behavior.
|
||||
`FLEX-WP-0002` comes after `0005` so the standalone evaluator embeds the
|
||||
OPA Rego library and produces decision envelopes shaped to match the
|
||||
delegated-mode envelopes added later.
|
||||
|
||||
`FLEX-WP-0004` should wait for the standalone core so delegated engines do not
|
||||
define the whole architecture accidentally.
|
||||
`FLEX-WP-0003` follows the core. Markitect has already completed its
|
||||
side of the contract in `MKTT-WP-0014`; flex-auth pins the manifest in
|
||||
`FLEX-WP-0005 T03` and implements the service-side registry and decision
|
||||
behavior in `0003`.
|
||||
|
||||
`FLEX-WP-0004` waits for the standalone core for the same reason as
|
||||
before, but its Topaz evaluation task moved to `0005 T04`; this workplan
|
||||
now implements the Topaz adapter against the spike's output.
|
||||
|
||||
## State Hub Mirror
|
||||
|
||||
Native State Hub dependency edges should mirror:
|
||||
Native State Hub dependency edges:
|
||||
|
||||
- `FLEX-WP-0002 -> FLEX-WP-0001`
|
||||
- `FLEX-WP-0005 -> FLEX-WP-0001`
|
||||
- `FLEX-WP-0002 -> FLEX-WP-0005`
|
||||
- `FLEX-WP-0002 -> FLEX-WP-0001` (preserved)
|
||||
- `FLEX-WP-0003 -> FLEX-WP-0002`
|
||||
- `FLEX-WP-0004 -> FLEX-WP-0002`
|
||||
- `FLEX-WP-0004 -> FLEX-WP-0005` (Topaz adapter consumes the spike)
|
||||
|
||||
Reference in New Issue
Block a user