Land foundations: assessment, ADR-001/002/003, FLEX-WP-0005, Go skeleton

Pre-implementation assessment and boundary review
(docs/pre-implementation-assessment.md) lead to three ADRs:
- ADR-001 Go + repo skeleton
- ADR-002 Rego-in-Markdown policy package format
- ADR-003 Topaz-aligned MVP (Topaz spike moves into foundations)

New workplan FLEX-WP-0005 (Foundations and Topaz Alignment) is inserted
between WP-0001 (done) and WP-0002 (core). WP-0002 pins Rego-in-Markdown
for P2.3; WP-0004 P4.1 refocused from Topaz evaluation to Topaz adapter.

Go skeleton at repo root: cmd/flex-auth + internal/{registry,policy,
decision,audit,adapters} + pkg/api + Makefile + .golangci.yml + GitHub
Actions CI. make ci green locally; bin/flex-auth --version works.

INTENT/SCOPE cite the NetKingdom IAM Profile and add the ops-warden /
ops-bridge disjoint-surface clarifications.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

internal/adapters/doc.go

@@ -0,0 +1,8 @@
+// Package adapters hosts pluggable PDP and directory adapters: Topaz,
+// OpenFGA, SpiceDB, OPA-as-remote, Cedar, Keycloak Authorization
+// Services, and Entra/Graph/SCIM/LDAP group resolvers.
+//
+// Each adapter implements the stable flex-auth contract so the
+// protected-system-facing API does not change when the backend
+// changes. Implementation lands across FLEX-WP-0004.
+package adapters

internal/audit/doc.go

@@ -0,0 +1,6 @@
+// Package audit persists compact decision envelopes. Denies, redactions,
+// exports, and emergency actions are always recorded; allows may be
+// sampled.
+//
+// Implementation lands in FLEX-WP-0002 P2.6.
+package audit

internal/decision/doc.go

@@ -0,0 +1,10 @@
+// Package decision implements check, batch_check, list_allowed, and
+// explain on top of the registry and policy packages.
+//
+// Decision envelopes carry effect, reason, matched policy version,
+// matched rule, resource metadata, subject metadata, obligations,
+// diagnostics, and provenance. Envelopes are identical for local and
+// delegated evaluation per ADR-003.
+//
+// Implementation lands in FLEX-WP-0002 P2.4 and P2.5.
+package decision

internal/policy/doc.go

@@ -0,0 +1,11 @@
+// Package policy implements the Rego-in-Markdown policy package loader,
+// validator, and evaluator.
+//
+// Per ADR-002 a policy package is a Markdown document with YAML
+// frontmatter (metadata), prose intent sections, fenced rego rule
+// blocks, fenced rego test blocks, and fenced yaml fixture blocks.
+// Loader extracts blocks, runs opa parse and opa test, and evaluates
+// fixtures before marking a package valid.
+//
+// Implementation lands in FLEX-WP-0002 P2.3.
+package policy

internal/registry/doc.go

@@ -0,0 +1,7 @@
+// Package registry holds the local stores for protected systems,
+// resources, subjects, groups, teams, tenants, and relationship facts.
+//
+// Implementation lands in FLEX-WP-0002 P2.2. The directory and relation
+// vocabulary is chosen to map cleanly onto Topaz directory objects and
+// relations per ADR-003.
+package registry