diff --git a/.custodian-brief.md b/.custodian-brief.md new file mode 100644 index 0000000..f88db17 --- /dev/null +++ b/.custodian-brief.md 
@@ -0,0 +1,54 @@ + +# Custodian Brief — flex-auth + +**Domain:** netkingdom +**Last synced:** 2026-05-04 16:01 UTC +**State Hub:** http://127.0.0.1:8000 *(adjust if running on a remote machine)* + +## Active Workstreams + +### Standalone Policy-as-Code Core +Progress: 0/8 done | workstream_id: `aa60e183-9a87-4e03-99b0-15786bfa11ae` + +**Open tasks:** +- · P2.1 - Define canonical schemas `534e5251` +- · P2.2 - Implement local registry store `d8045124` +- · P2.3 - Implement policy package loader and validator `09be0f25` +- · P2.4 - Implement deterministic check and batch_check APIs `f6427575` +- · P2.5 - Implement list_allowed and explain `e8fcbabd` +- · P2.6 - Add local decision log `2def10c1` +- · P2.7 - Add CLI and service skeleton `ee9ae6dd` +- … and 1 more open tasks + +### Markitect Consumer Integration +Progress: 0/6 done | workstream_id: `c0a6c9f6-bb6b-416d-b537-f30504c63d75` + +**Open tasks:** +- · P3.1 - Define Markitect resource namespace `53f2fa67` +- · P3.2 - Import Markitect resource manifests `90082eaf` +- · P3.3 - Define Markitect action vocabulary `cfc78bbb` +- · P3.4 - Implement Markitect check fixtures `1d5de3b2` +- · P3.5 - Add Markitect adapter contract tests `f9297b0d` +- · P3.6 - Document integration flow `e34b0303` + +### Delegated PDP and Directory Adapters +Progress: 0/6 done | workstream_id: `99a82976-d376-42b0-89cc-c44e01c0bec6` + +**Open tasks:** +- · P4.1 - Evaluate Topaz as MVP delegated backend `9046418c` +- · P4.2 - Add relationship PDP adapter boundary `b77a0b70` +- · P4.3 - Add rule PDP adapter boundary `4e4e5e45` +- · P4.4 - Add Keycloak Authorization Services adapter path `8d3bbc28` +- · P4.5 - Add Entra/Graph and SCIM group resolver adapters `4fc3fb91` +- · P4.6 - Add delegated-mode operations docs `491260f9` + +### Repo Intent and Authorization Architecture Baseline +Progress: 4/4 done | workstream_id: `4dbefd19-bb7d-405c-9a50-e7dbd11cf4d9` + +--- +## MCP Orientation (when available) + +If the state-hub MCP server is reachable, 
call: +`get_domain_summary("netkingdom")` +This provides richer cross-domain context. +If the MCP call fails, use this file as your orientation source.
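Review bot: The **State Hub** line near the top hard-codes `http://127.0.0.1:8000` and tells the reader to "adjust if running on a remote machine", which for a remote hub means pointing at it over plain HTTP. State here that a non-loopback hub should be given as an `https://` URL, or take the address from configuration instead of committing it. The file is also a point-in-time snapshot (`Last synced: 2026-05-04 16:01 UTC`) that the MCP Orientation section names as the fallback when the call fails, yet the Standalone Policy-as-Code Core list shows only seven of its eight open tasks ("… and 1 more open tasks"). List all eight, and mark the file as generated so stale copies and hand edits are easy to spot in review.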