docs(scope): reflect baseline complete — all FLEX-WP-0001..0007 done

Correct a stale Current State paragraph: FLEX-WP-0002 (standalone core),
0003 (Markitect integration), and 0004 (delegated PDP/directory adapters)
were completed in May 2026, not "planned". Record FLEX-WP-0007 closure:
ops-warden ran the joint OpenBao smoke (2026-06-29, decision
032b096c433ad80c allow; ttl_out_of_bounds deny), with production
policy.enabled deliberately left off while the ecosystem is build-stage.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-30 01:40:19 +02:00
parent 339c35e876
commit 99869b39fb


@@ -72,22 +72,30 @@ can be coordinated behind a stable flex-auth API.
## Current State
The standalone core is implemented. The repository carries the intent
baseline, authorization landscape research, ADR set, and a working Go
service (`cmd/flex-auth`) with `validate`, `load-registry`, `serve`, and
`POST /v1/check` plus registry, policy, decision, and audit internals.
`FLEX-WP-0001`, `FLEX-WP-0005` (foundations and Topaz alignment), and
`FLEX-WP-0006` (the ops-warden SSH signing policy gate) are complete.
The standalone core is implemented and **all seven baseline workplans
(`FLEX-WP-0001` through `FLEX-WP-0007`) are complete.** The repository carries
the intent baseline, authorization landscape research, ADR set, and a working
Go service (`cmd/flex-auth`) with `validate`, `load-registry`, `serve`, and
`POST /v1/check` plus registry, policy, decision, audit, Markitect, and
delegated-adapter internals. The standalone policy-as-code core (`FLEX-WP-0002`),
Markitect consumer integration (`FLEX-WP-0003`, manifest ingest, decisions, and
fixtures), and the delegated PDP/directory adapter shapes (`FLEX-WP-0004`,
Topaz/OpenFGA/OPA/Cedar/Keycloak/Entra tradeoffs documented with at least one
controlled adapter shape) all landed in May 2026.
The **first shipped protected-system consumer is ops-warden**: its opt-in
pre-sign gate calls `POST /v1/check` for `resource.type: ssh-certificate`,
`action: sign` decisions (`examples/ops-warden/`, policy package, allow/deny
fixtures, and tests). `FLEX-WP-0007` deploys flex-auth as a reachable
production runtime for that gate; it is `blocked` only on T4 — the joint
OpenBao-backed smoke awaiting a refreshed scoped `VAULT_TOKEN` — with all
repo-side artifacts already published. Markitect consumer integration
(`FLEX-WP-0003`) and delegated PDP/directory adapters (`FLEX-WP-0004`)
remain planned on top of the stable core contracts.
fixtures, and tests). `FLEX-WP-0006` published that gate and `FLEX-WP-0007`
deployed flex-auth as a reachable production runtime for it. The joint
OpenBao-backed smoke is verified (2026-06-29: vault-backed allow recorded
`decision:032b096c433ad80c`; TTL-over-max denied `ttl_out_of_bounds` by
flex-auth before OpenBao). Production `policy.enabled` is **deliberately left
off** for now — the ecosystem is still build-stage/pre-testing, so the gate is
verified and banked for later live enforcement rather than forced into premature
production rigor. With the baseline complete, new work (live enforcement
rollout, additional consumers, deeper delegated backends) will open as fresh
workplans.
State Hub integration is present through:
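Review bot: the opening sentence of the rewritten paragraph declares all seven baseline workplans complete, while the same paragraph records that production `policy.enabled` is deliberately off, so a reader can take "complete" to mean "enforcing in production". Suggest qualifying the first sentence, e.g. "all seven baseline workplans (`FLEX-WP-0001` through `FLEX-WP-0007`) are complete (runtime deployed and smoke-verified; live enforcement not yet enabled)", and naming the condition or workplan under which `policy.enabled` is switched on, since "for now" and "build-stage/pre-testing" are exactly the kind of wording that goes stale in the way this commit is correcting. It would also help to point at where the 2026-06-29 smoke evidence (`decision:032b096c433ad80c`, the `ttl_out_of_bounds` deny) is recorded, so Current State cites an artifact rather than restating it.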
@@ -141,8 +149,10 @@ local diagnostics.
inventory; flex-auth owns the policy decision. ops-warden's routing
charter names flex-auth as the owner of every "may I perform action X?"
question.
- Markitect: first planned **knowledge-pipeline** consumer and policy
enforcement point (`FLEX-WP-0003`).
- Markitect: first **knowledge-pipeline** consumer. Integration is complete on
the flex-auth side (`FLEX-WP-0003` — resource-manifest ingest, Markitect-
compatible decisions, and fixtures); a live Markitect runtime calling the gate
in production is the next consumer milestone after ops-warden.
- Topaz: aligned evaluator. Per ADR-003 the standalone core is shaped
to match Topaz's Rego + directory model from day one; the Topaz
adapter in `FLEX-WP-0004` is therefore a small step rather than a
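Review bot: the new Markitect bullet drops "policy enforcement point" from the old wording and describes Markitect only as a knowledge-pipeline consumer whose flex-auth-side integration is complete; if Markitect is still meant to enforce flex-auth decisions, as the removed line stated, keep that phrase so the consumer's role is not silently narrowed. The "next consumer milestone after ops-warden" sentence would also read better with a reference to the workplan or tracking item that owns the live Markitect runtime, or an explicit note that none is open yet.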