From 99869b39fbc2154abfafb00d9112c92df87acdc3 Mon Sep 17 00:00:00 2001 From: tegwick Date: Tue, 30 Jun 2026 01:40:19 +0200 Subject: [PATCH] =?UTF-8?q?docs(scope):=20reflect=20baseline=20complete=20?= =?UTF-8?q?=E2=80=94=20all=20FLEX-WP-0001..0007=20done?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Correct a stale Current State paragraph: FLEX-WP-0002 (standalone core), 0003 (Markitect integration), and 0004 (delegated PDP/directory adapters) were completed in May 2026, not "planned". Record FLEX-WP-0007 closure: ops-warden ran the joint OpenBao smoke (2026-06-29, decision 032b096c433ad80c allow; ttl_out_of_bounds deny), with production policy.enabled deliberately left off while the ecosystem is build-stage. Co-Authored-By: Claude Opus 4.8 --- SCOPE.md | 38 ++++++++++++++++++++++++-------------- 1 file changed, 24 insertions(+), 14 deletions(-) diff --git a/SCOPE.md b/SCOPE.md index 5314da2..65af9ea 100644 --- a/SCOPE.md +++ b/SCOPE.md 
@@ -72,22 +72,30 @@ can be coordinated behind a stable flex-auth API. ## Current State -The standalone core is implemented. The repository carries the intent -baseline, authorization landscape research, ADR set, and a working Go -service (`cmd/flex-auth`) with `validate`, `load-registry`, `serve`, and -`POST /v1/check` plus registry, policy, decision, and audit internals. -`FLEX-WP-0001`, `FLEX-WP-0005` (foundations and Topaz alignment), and -`FLEX-WP-0006` (the ops-warden SSH signing policy gate) are complete. +The standalone core is implemented and **all seven baseline workplans +(`FLEX-WP-0001` through `FLEX-WP-0007`) are complete.** The repository carries +the intent baseline, authorization landscape research, ADR set, and a working +Go service (`cmd/flex-auth`) with `validate`, `load-registry`, `serve`, and +`POST /v1/check` plus registry, policy, decision, audit, Markitect, and +delegated-adapter internals. The standalone policy-as-code core (`FLEX-WP-0002`), +Markitect consumer integration (`FLEX-WP-0003`, manifest ingest, decisions, and +fixtures), and the delegated PDP/directory adapter shapes (`FLEX-WP-0004`, +Topaz/OpenFGA/OPA/Cedar/Keycloak/Entra tradeoffs documented with at least one +controlled adapter shape) all landed in May 2026. The **first shipped protected-system consumer is ops-warden**: its opt-in pre-sign gate calls `POST /v1/check` for `resource.type: ssh-certificate`, `action: sign` decisions (`examples/ops-warden/`, policy package, allow/deny -fixtures, and tests). `FLEX-WP-0007` deploys flex-auth as a reachable -production runtime for that gate; it is `blocked` only on T4 — the joint -OpenBao-backed smoke awaiting a refreshed scoped `VAULT_TOKEN` — with all -repo-side artifacts already published. Markitect consumer integration -(`FLEX-WP-0003`) and delegated PDP/directory adapters (`FLEX-WP-0004`) -remain planned on top of the stable core contracts. +fixtures, and tests). 
`FLEX-WP-0006` published that gate and `FLEX-WP-0007` +deployed flex-auth as a reachable production runtime for it. The joint +OpenBao-backed smoke is verified (2026-06-29: vault-backed allow recorded +`decision:032b096c433ad80c`; TTL-over-max denied `ttl_out_of_bounds` by +flex-auth before OpenBao). Production `policy.enabled` is **deliberately left +off** for now — the ecosystem is still build-stage/pre-testing, so the gate is +verified and banked for later live enforcement rather than forced into premature +production rigor. With the baseline complete, new work (live enforcement +rollout, additional consumers, deeper delegated backends) will open as fresh +workplans. State Hub integration is present through: @@ -141,8 +149,10 @@ local diagnostics. inventory; flex-auth owns the policy decision. ops-warden's routing charter names flex-auth as the owner of every "may I perform action X?" question. -- Markitect: first planned **knowledge-pipeline** consumer and policy - enforcement point (`FLEX-WP-0003`). +- Markitect: first **knowledge-pipeline** consumer. Integration is complete on + the flex-auth side (`FLEX-WP-0003` — resource-manifest ingest, Markitect- + compatible decisions, and fixtures); a live Markitect runtime calling the gate + in production is the next consumer milestone after ops-warden. - Topaz: aligned evaluator. Per ADR-003 the standalone core is shaped to match Topaz's Rego + directory model from day one; the Topaz adapter in `FLEX-WP-0004` is therefore a small step rather than a
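Review bot: The rewritten Current State paragraph (hunk @@ -72) should say what the ops-warden pre-sign gate does while production `policy.enabled` is off, and which workplan owns turning it on. Next to "reachable production runtime", "verified and banked" and "all seven baseline workplans ... are complete", a reader can easily take SSH certificate signing to be enforced already; one sentence stating whether the gate is not consulted or is consulted but non-enforcing with the flag off, plus the owning workplan for the live-enforcement rollout, removes that ambiguity. The recorded `decision:032b096c433ad80c` would also be more useful with a pointer to the audit artifact it was taken from, so the 2026-06-29 smoke evidence can be located later without searching logs.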
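Review bot: In the Markitect bullet (hunk @@ -141), `Markitect-` is split from `compatible` by the line wrap, so the rendered Markdown reads "Markitect- compatible"; keep the hyphenated compound on one line. The bullet also calls a live Markitect runtime "the next consumer milestone" without naming a workplan, while the Current State hunk says new work opens as fresh workplans; either cite the workplan id once it exists or state that it is not yet opened, so the two sections agree.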