Refine workplans for CARING profile

docs/workplan-planning-map.md

@@ -1,6 +1,6 @@
 # Flex-Auth Workplan Planning Map
 
-Date: 2026-05-15
+Date: 2026-05-17
 
 ## Purpose
 
@@ -20,10 +20,10 @@ This document captures the current sequencing view for flex-auth workplans.
 | Workplan | Priority | Status | Depends On | Current View |
 | --- | --- | --- | --- | --- |
 | `FLEX-WP-0001` | complete | done | none | Repo intent, boundaries, and authorization landscape research are complete. |
-| `FLEX-WP-0005` | P0 | todo | `FLEX-WP-0001` | Foundations and Topaz alignment: ADR-001/002/003, Go skeleton, `FlexAuthResourceManifest` schema pin, Topaz mapping spike, IAM Profile citation, ops-warden boundary clarification. |
-| `FLEX-WP-0002` | P0 | blocked | `FLEX-WP-0001`, `FLEX-WP-0005` | Standalone policy-as-code core: schemas, local registry, Rego-in-Markdown policy packages, check APIs, explanations, decision log, CLI/service skeleton, tests. |
-| `FLEX-WP-0003` | P1 | blocked | `FLEX-WP-0002` | Markitect consumer integration: resource namespace, manifest import, action vocabulary, decision fixtures, integration docs. |
-| `FLEX-WP-0004` | P2 | blocked | `FLEX-WP-0002`, `FLEX-WP-0005` | Delegated PDP and directory adapters: Topaz adapter implementation (evaluation already done in `0005`), OpenFGA/SpiceDB, OPA/Cedar, Keycloak Authorization Services, Entra/Graph/SCIM. |
+| `FLEX-WP-0005` | complete | done | `FLEX-WP-0001` | Foundations and Topaz alignment are complete: ADR-001/002/003, Go skeleton, `FlexAuthResourceManifest` schema pin, Topaz mapping spike, IAM Profile citation, ops-warden boundary clarification. |
+| `FLEX-WP-0002` | P0 | ready | `FLEX-WP-0001`, `FLEX-WP-0005` | Standalone policy-as-code core: schemas, local registry, CARING profile/descriptors, Rego-in-Markdown policy packages, check APIs, explanations, decision log, CLI/service skeleton, tests. |
+| `FLEX-WP-0003` | P1 | blocked | `FLEX-WP-0002` | Markitect consumer integration and first CARING benchmark: resource namespace, manifest import, action vocabulary, descriptor fixtures, decision fixtures, integration docs. |
+| `FLEX-WP-0004` | P2 | blocked | `FLEX-WP-0002`, `FLEX-WP-0005` | Delegated PDP and directory adapters: Topaz adapter implementation (evaluation already done in `0005`), OpenFGA/SpiceDB, OPA/Cedar, Keycloak Authorization Services, Entra/Graph/SCIM, CARING envelope preservation. |
 
 ## Dependency Notes
 
@@ -33,18 +33,30 @@ It pulls forward the decisions the original `0002` left implicit (language,
 policy format, evaluator alignment) and runs the Topaz mapping spike
 before the core's schemas and check API are written.
 
+`docs/caring-architecture-blueprint.md` adds the 2026-05-17 CARING
+refinement: CARING remains the semantic standard, while flex-auth becomes
+the practical reference implementation for descriptors, conformance
+findings, decision metadata, explain output, and exposure-event audit
+records. This refinement changes the shape of `FLEX-WP-0002` but does not
+add a new predecessor workplan.
+
 `FLEX-WP-0002` comes after `0005` so the standalone evaluator embeds the
 OPA Rego library and produces decision envelopes shaped to match the
-delegated-mode envelopes added later.
+delegated-mode envelopes added later. It now also pins the executable
+CARING profile in the same schema slice.
 
 `FLEX-WP-0003` follows the core. Markitect has already completed its
 side of the contract in `MKTT-WP-0014`; flex-auth pins the manifest in
 `FLEX-WP-0005 T03` and implements the service-side registry and decision
 behavior in `0003`.
+It also becomes the first consumer benchmark for proving local roles and
+resource semantics can map cleanly into CARING dimensions.
 
 `FLEX-WP-0004` waits for the standalone core for the same reason as
 before, but its Topaz evaluation task moved to `0005 T04`; this workplan
 now implements the Topaz adapter against the spike's output.
+Delegated adapters must preserve flex-auth's CARING descriptor and
+conformance fields even when backend-native role semantics differ.
 
 ## State Hub Mirror