diff --git a/SCOPE.md b/SCOPE.md index 5314da2..65af9ea 100644 --- a/SCOPE.md +++ b/SCOPE.md 
@@ -72,22 +72,30 @@ can be coordinated behind a stable flex-auth API. ## Current State -The standalone core is implemented. The repository carries the intent -baseline, authorization landscape research, ADR set, and a working Go -service (`cmd/flex-auth`) with `validate`, `load-registry`, `serve`, and -`POST /v1/check` plus registry, policy, decision, and audit internals. -`FLEX-WP-0001`, `FLEX-WP-0005` (foundations and Topaz alignment), and -`FLEX-WP-0006` (the ops-warden SSH signing policy gate) are complete. +The standalone core is implemented and **all seven baseline workplans +(`FLEX-WP-0001` through `FLEX-WP-0007`) are complete.** The repository carries +the intent baseline, authorization landscape research, ADR set, and a working +Go service (`cmd/flex-auth`) with `validate`, `load-registry`, `serve`, and +`POST /v1/check` plus registry, policy, decision, audit, Markitect, and +delegated-adapter internals. The standalone policy-as-code core (`FLEX-WP-0002`), +Markitect consumer integration (`FLEX-WP-0003`, manifest ingest, decisions, and +fixtures), and the delegated PDP/directory adapter shapes (`FLEX-WP-0004`, +Topaz/OpenFGA/OPA/Cedar/Keycloak/Entra tradeoffs documented with at least one +controlled adapter shape) all landed in May 2026. The **first shipped protected-system consumer is ops-warden**: its opt-in pre-sign gate calls `POST /v1/check` for `resource.type: ssh-certificate`, `action: sign` decisions (`examples/ops-warden/`, policy package, allow/deny -fixtures, and tests). `FLEX-WP-0007` deploys flex-auth as a reachable -production runtime for that gate; it is `blocked` only on T4 — the joint -OpenBao-backed smoke awaiting a refreshed scoped `VAULT_TOKEN` — with all -repo-side artifacts already published. Markitect consumer integration -(`FLEX-WP-0003`) and delegated PDP/directory adapters (`FLEX-WP-0004`) -remain planned on top of the stable core contracts. +fixtures, and tests). 
`FLEX-WP-0006` published that gate and `FLEX-WP-0007` +deployed flex-auth as a reachable production runtime for it. The joint +OpenBao-backed smoke is verified (2026-06-29: vault-backed allow recorded +`decision:032b096c433ad80c`; TTL-over-max denied `ttl_out_of_bounds` by +flex-auth before OpenBao). Production `policy.enabled` is **deliberately left +off** for now — the ecosystem is still build-stage/pre-testing, so the gate is +verified and banked for later live enforcement rather than forced into premature +production rigor. With the baseline complete, new work (live enforcement +rollout, additional consumers, deeper delegated backends) will open as fresh +workplans. State Hub integration is present through: @@ -141,8 +149,10 @@ local diagnostics. inventory; flex-auth owns the policy decision. ops-warden's routing charter names flex-auth as the owner of every "may I perform action X?" question. -- Markitect: first planned **knowledge-pipeline** consumer and policy - enforcement point (`FLEX-WP-0003`). +- Markitect: first **knowledge-pipeline** consumer. Integration is complete on + the flex-auth side (`FLEX-WP-0003` — resource-manifest ingest, Markitect- + compatible decisions, and fixtures); a live Markitect runtime calling the gate + in production is the next consumer milestone after ops-warden. - Topaz: aligned evaluator. Per ADR-003 the standalone core is shaped to match Topaz's Rego + directory model from day one; the Topaz adapter in `FLEX-WP-0004` is therefore a small step rather than a
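Review bot: the `policy.enabled` paragraph in the first hunk records that production enforcement is deliberately off but not what turns it on; state the criterion (the ecosystem leaving build-stage/pre-testing, per the same paragraph) and the owning workplan so the gate does not sit in a verified-but-non-enforcing state indefinitely, and so consumers reading "reachable production runtime" do not assume a `POST /v1/check` deny is currently binding. The smoke evidence (`decision:032b096c433ad80c`, `ttl_out_of_bounds`) is better referenced from the `FLEX-WP-0007` record than pinned into SCOPE.md, where it goes stale as soon as enforcement is switched on.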
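Review bot: in the Markitect bullet, `Markitect-` / `compatible` is split across the wrapped line, which Markdown renders as "Markitect- compatible"; keep `Markitect-compatible decisions` on one line. Since the completed `FLEX-WP-0003` work is manifest ingest, decisions and fixtures with no live runtime yet, consider stating that fixtures are the only regression check on the Markitect decision contract until the production-runtime milestone, so contract changes are known to require a fixture update.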