generated from coulomb/repo-seed
docs(intent/scope): align with ops-warden as first shipped consumer
ops-warden's SSH signing policy gate (FLEX-WP-0006 finished, FLEX-WP-0007 deploying) makes it flex-auth's first shipped protected-system consumer. Update the intent baseline to match the implemented reality: - SCOPE Current State: standalone Go core + /v1/check is implemented; FLEX-WP-0001/0005/0006 complete, 0007 blocked only on T4 VAULT_TOKEN. - SCOPE Related/Overlapping + Disjoint From: ops-warden is now a consumer, not merely disjoint; the once-hypothetical "agt as flex-auth subject" flow is realized through the signing gate. Disjointness narrowed to the identity surface (warden issues certs, flex-auth never does). - INTENT Consumer Patterns: lead with the shipped action-gate shape (ops-warden), keep Markitect as the planned knowledge-pipeline consumer. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
48
SCOPE.md
48
SCOPE.md
@@ -72,15 +72,22 @@ can be coordinated behind a stable flex-auth API.
|
||||
|
||||
## Current State
|
||||
|
||||
The repository contains the intent baseline, authorization landscape
|
||||
research, initial workplans, and the pre-implementation assessment and
|
||||
ADR set produced on 2026-05-15. `FLEX-WP-0001` is complete. Implementation
|
||||
now proceeds through `FLEX-WP-0005 Foundations and Topaz Alignment` —
|
||||
which lands the Go skeleton, pins the `FlexAuthResourceManifest` schema,
|
||||
runs the Topaz mapping spike, and records ADR-001/002/003 — before the
|
||||
standalone policy-as-code core in `FLEX-WP-0002`. Markitect consumer
|
||||
integration and delegated PDP/directory adapters are planned after the
|
||||
core contracts stabilize.
|
||||
The standalone core is implemented. The repository carries the intent
|
||||
baseline, authorization landscape research, ADR set, and a working Go
|
||||
service (`cmd/flex-auth`) with `validate`, `load-registry`, `serve`, and
|
||||
`POST /v1/check` plus registry, policy, decision, and audit internals.
|
||||
`FLEX-WP-0001`, `FLEX-WP-0005` (foundations and Topaz alignment), and
|
||||
`FLEX-WP-0006` (the ops-warden SSH signing policy gate) are complete.
|
||||
|
||||
The **first shipped protected-system consumer is ops-warden**: its opt-in
|
||||
pre-sign gate calls `POST /v1/check` for `resource.type: ssh-certificate`,
|
||||
`action: sign` decisions (`examples/ops-warden/`, policy package, allow/deny
|
||||
fixtures, and tests). `FLEX-WP-0007` deploys flex-auth as a reachable
|
||||
production runtime for that gate; it is `blocked` only on T4 — the joint
|
||||
OpenBao-backed smoke awaiting a refreshed scoped `VAULT_TOKEN` — with all
|
||||
repo-side artifacts already published. Markitect consumer integration
|
||||
(`FLEX-WP-0003`) and delegated PDP/directory adapters (`FLEX-WP-0004`)
|
||||
remain planned on top of the stable core contracts.
|
||||
|
||||
State Hub integration is present through:
|
||||
|
||||
@@ -127,7 +134,15 @@ local diagnostics.
|
||||
- key-cape / NetKingdom SSO: identity source and coarse claims provider;
|
||||
flex-auth consumes the **NetKingdom IAM Profile**
|
||||
(`~/net-kingdom/canon/standards/iam-profile_v0.2.md`).
|
||||
- Markitect: first protected-system consumer and policy enforcement point.
|
||||
- ops-warden: first **shipped** protected-system consumer. Its opt-in
|
||||
pre-sign gate calls flex-auth for `ssh-certificate` / `sign` decisions
|
||||
before issuing a short-lived SSH certificate (`FLEX-WP-0006`,
|
||||
`FLEX-WP-0007`). ops-warden owns the SSH CA, OpenBao signing, and actor
|
||||
inventory; flex-auth owns the policy decision. ops-warden's routing
|
||||
charter names flex-auth as the owner of every "may I perform action X?"
|
||||
question.
|
||||
- Markitect: first planned **knowledge-pipeline** consumer and policy
|
||||
enforcement point (`FLEX-WP-0003`).
|
||||
- Topaz: aligned evaluator. Per ADR-003 the standalone core is shaped
|
||||
to match Topaz's Rego + directory model from day one; the Topaz
|
||||
adapter in `FLEX-WP-0004` is therefore a small step rather than a
|
||||
@@ -143,12 +158,13 @@ local diagnostics.
|
||||
|
||||
## Disjoint From
|
||||
|
||||
- **ops-warden** signs short-lived SSH certificates for ops actors
|
||||
(`adm`/`agt`/`atm`). That is a separate identity surface — SSH certs,
|
||||
not OIDC subjects — and ops-warden disclaims being a resource-policy
|
||||
engine. flex-auth and ops-warden therefore do not overlap. (A future
|
||||
flow could surface an `agt` actor as a flex-auth subject; nothing in
|
||||
the current design requires it.)
|
||||
- **ops-warden** is a flex-auth *consumer*, not an overlap (see Related /
|
||||
Overlapping). The two remain disjoint on **identity surface**: ops-warden
|
||||
issues SSH certificates for ops actors (`adm`/`agt`/`atm`) and is not a
|
||||
resource-policy engine; flex-auth decides whether a given sign request is
|
||||
allowed and never issues certificates. The once-hypothetical flow of
|
||||
surfacing an `agt` actor as a flex-auth subject is now realized through
|
||||
the signing policy gate.
|
||||
- **ops-bridge** owns SSH reverse-tunnel connectivity and explicitly
|
||||
disclaims being a credential authority or policy engine. No overlap.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user