generated from coulomb/repo-seed
docs(scope): reflect baseline complete — all FLEX-WP-0001..0007 done
Correct a stale Current State paragraph: FLEX-WP-0002 (standalone core), 0003 (Markitect integration), and 0004 (delegated PDP/directory adapters) were completed in May 2026, not "planned".

Record FLEX-WP-0007 closure: ops-warden ran the joint OpenBao smoke (2026-06-29, decision 032b096c433ad80c allow; ttl_out_of_bounds deny), with production policy.enabled deliberately left off while the ecosystem is build-stage.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
38
SCOPE.md
@@ -72,22 +72,30 @@ can be coordinated behind a stable flex-auth API.

## Current State

The standalone core is implemented. The repository carries the intent
baseline, authorization landscape research, ADR set, and a working Go
service (`cmd/flex-auth`) with `validate`, `load-registry`, `serve`, and
`POST /v1/check` plus registry, policy, decision, and audit internals.
`FLEX-WP-0001`, `FLEX-WP-0005` (foundations and Topaz alignment), and
`FLEX-WP-0006` (the ops-warden SSH signing policy gate) are complete.
The standalone core is implemented and **all seven baseline workplans
(`FLEX-WP-0001` through `FLEX-WP-0007`) are complete.** The repository carries
the intent baseline, authorization landscape research, ADR set, and a working
Go service (`cmd/flex-auth`) with `validate`, `load-registry`, `serve`, and
`POST /v1/check` plus registry, policy, decision, audit, Markitect, and
delegated-adapter internals. The standalone policy-as-code core (`FLEX-WP-0002`),
Markitect consumer integration (`FLEX-WP-0003`, manifest ingest, decisions, and
fixtures), and the delegated PDP/directory adapter shapes (`FLEX-WP-0004`,
Topaz/OpenFGA/OPA/Cedar/Keycloak/Entra tradeoffs documented with at least one
controlled adapter shape) all landed in May 2026.

The **first shipped protected-system consumer is ops-warden**: its opt-in
pre-sign gate calls `POST /v1/check` for `resource.type: ssh-certificate`,
`action: sign` decisions (`examples/ops-warden/`, policy package, allow/deny
fixtures, and tests). `FLEX-WP-0007` deploys flex-auth as a reachable
production runtime for that gate; it is `blocked` only on T4 — the joint
OpenBao-backed smoke awaiting a refreshed scoped `VAULT_TOKEN` — with all
repo-side artifacts already published. Markitect consumer integration
(`FLEX-WP-0003`) and delegated PDP/directory adapters (`FLEX-WP-0004`)
remain planned on top of the stable core contracts.
fixtures, and tests). `FLEX-WP-0006` published that gate and `FLEX-WP-0007`
deployed flex-auth as a reachable production runtime for it. The joint
OpenBao-backed smoke is verified (2026-06-29: vault-backed allow recorded
`decision:032b096c433ad80c`; TTL-over-max denied `ttl_out_of_bounds` by
flex-auth before OpenBao). Production `policy.enabled` is **deliberately left
off** for now — the ecosystem is still build-stage/pre-testing, so the gate is
verified and banked for later live enforcement rather than forced into premature
production rigor. With the baseline complete, new work (live enforcement
rollout, additional consumers, deeper delegated backends) will open as fresh
workplans.

State Hub integration is present through:

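Review bot: the rewritten second paragraph says production `policy.enabled` is deliberately left off but never states how the ops-warden pre-sign gate behaves while it is off (whether signing proceeds without a flex-auth decision or is refused), nor what condition opens the live-enforcement workplan, so a reader of Current State cannot tell what is enforced today. Suggest one sentence after `production rigor.` naming the disabled-mode behaviour and the trigger for turning enforcement on. The smoke evidence reads well; the phrase `denied ttl_out_of_bounds by flex-auth before OpenBao` is worth keeping explicit, since it records that the deny short-circuits before the secrets backend is contacted.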
@@ -141,8 +149,10 @@ local diagnostics.
inventory; flex-auth owns the policy decision. ops-warden's routing
charter names flex-auth as the owner of every "may I perform action X?"
question.
- Markitect: first planned **knowledge-pipeline** consumer and policy
enforcement point (`FLEX-WP-0003`).
- Markitect: first **knowledge-pipeline** consumer. Integration is complete on
the flex-auth side (`FLEX-WP-0003` — resource-manifest ingest, Markitect-
compatible decisions, and fixtures); a live Markitect runtime calling the gate
in production is the next consumer milestone after ops-warden.
- Topaz: aligned evaluator. Per ADR-003 the standalone core is shaped
to match Topaz's Rego + directory model from day one; the Topaz
adapter in `FLEX-WP-0004` is therefore a small step rather than a
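Review bot: in the new Markitect bullet the hyphenated word is split across lines as `Markitect-` / `compatible`, which Markdown soft wrapping renders as `Markitect- compatible`; keep `Markitect-compatible` on one line. The bullet also declares the flex-auth side complete and names a live Markitect runtime as the next milestone without any acceptance criterion (which fixtures or resource-manifest shape that runtime must exercise); a pointer to the `FLEX-WP-0003` fixtures would make the milestone checkable.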