coulomb/flex-auth
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs(intent/scope): align with ops-warden as first shipped consumer
Some checks failed
CI / Lint (push) Has been cancelled
Details
CI / Build and Test (push) Has been cancelled
Details

Browse Source 
ops-warden's SSH signing policy gate (FLEX-WP-0006 finished, FLEX-WP-0007
deploying) makes it flex-auth's first shipped protected-system consumer.
Update the intent baseline to match the implemented reality:

- SCOPE Current State: standalone Go core + /v1/check is implemented;
  FLEX-WP-0001/0005/0006 complete, 0007 blocked only on T4 VAULT_TOKEN.
- SCOPE Related/Overlapping + Disjoint From: ops-warden is now a consumer,
  not merely disjoint; the once-hypothetical "agt as flex-auth subject"
  flow is realized through the signing gate. Disjointness narrowed to the
  identity surface (warden issues certs, flex-auth never does).
- INTENT Consumer Patterns: lead with the shipped action-gate shape
  (ops-warden), keep Markitect as the planned knowledge-pipeline consumer.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Bernd Worsch
2026-06-27 20:37:07 +02:00
parent 941501c590
commit b4520bd731
2 changed files with 57 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
INTENT.md
View File

@@ -149,9 +149,29 @@ adopting their models as its own:
Flex-auth remains the stable control plane even when the backend changes.
## First Consumer Pattern
## Consumer Patterns
The first concrete consumer is a knowledge and document management pipeline:
Two consumer shapes drive flex-auth, and the first one to ship deliberately
is not a document pipeline — proving the control plane stays generic.
**First shipped consumer — an action gate (ops-warden SSH signing).** A
protected system asks flex-auth a single "may this actor perform this action
now?" question before doing irreversible work:
- it registers a protected system, a resource type (`ssh-certificate`), and an
action (`sign`)
- it sends one policy check per request, passing subject, resource, and
context (actor type, principals, TTL, key fingerprint)
- it enforces the allow/deny decision and records the decision id for audit
- flex-auth owns the policy and durable decision log; the protected system
keeps custody of its own keys and secrets
This first consumer validated that flex-auth's resource/action/context model,
`POST /v1/check` contract, and decision envelope work for a non-document,
high-stakes gate without any consumer-specific routes.
**First knowledge-pipeline consumer (planned) — a document and knowledge
pipeline (Markitect):**
- it registers knowledge bases, repositories, documents, sections, context
packages, workflow artifacts, and exports
@@ -159,8 +179,9 @@ The first concrete consumer is a knowledge and document management pipeline:
- it can redact or drop results based on decisions
- flex-auth owns central policy administration and durable audit
This first consumer should shape flex-auth around real document and knowledge
pipelines without making the policy service consumer-specific.
Together these shape flex-auth around real authorization needs — both
point-in-time action gates and result-filtering pipelines without making the
policy service consumer-specific.
## Non-Goals