Refine workplans for CARING profile
Some checks failed
CI / Build and Test (push) Has been cancelled
CI / Lint (push) Has been cancelled

This commit is contained in:
2026-05-17 04:15:38 +02:00
parent f930e96568
commit dd0b9663c4
6 changed files with 306 additions and 20 deletions

View File

@@ -13,7 +13,7 @@ depends_on_workplans:
related_workplans:
- FLEX-WP-0003
created: "2026-05-04"
updated: "2026-05-15"
updated: "2026-05-17"
state_hub_workstream_id: "99a82976-d376-42b0-89cc-c44e01c0bec6"
---
@@ -35,6 +35,11 @@ vocabulary are stable.
> speaks Rego, so adapter work focuses on directory delegation, wire
> protocol, and consistency metadata rather than re-deciding fit.
> **CARING note (2026-05-17).** Delegated adapters must preserve the
> CARING decision envelope fields defined by the standalone core. Backend
> native semantics may differ, but protected systems should still see the
> same descriptor, exposure, restriction, conformance, and audit shape.
## P4.1 - Implement Topaz adapter
```task
@@ -61,6 +66,9 @@ Scope:
- Failure modes: Topaz unavailable, stale directory, partial result —
each produces a decision envelope that the standalone code path
could also have produced.
- CARING preservation: delegated decisions include the same CARING
descriptor, restriction precedence, exposure mode, conformance findings,
and exposure-event hooks as standalone decisions.
Output: adapter package under `internal/adapters/topaz/`, end-to-end
integration test using the `examples/topaz/` docker-compose from the
@@ -83,6 +91,8 @@ Define and implement adapter contracts for OpenFGA and SpiceDB-style checks:
- batch/list operations
- consistency metadata
- error and stale-data diagnostics
- preservation of CARING scope, plane, capability, exposure, and derived
capability metadata across tuple-oriented backends
## P4.3 - Add rule PDP adapter boundary
@@ -99,6 +109,8 @@ Define and implement adapter contracts for OPA/Rego and Cedar-style policies:
- policy package versioning
- test fixtures
- obligations and diagnostics
- CARING frontmatter and conformance findings when backend-native policy
languages cannot represent every descriptor dimension directly
## P4.4 - Add Keycloak Authorization Services adapter path
@@ -130,6 +142,9 @@ Implement directory group resolver patterns for:
- Keycloak admin API
Each resolver must expose freshness, source, and overage metadata.
Resolvers must also identify which organization relation, subject type,
group, or role claim was derived from the external directory so CARING
descriptor provenance remains inspectable.
## P4.6 - Add delegated-mode operations docs
@@ -151,3 +166,5 @@ consistency, and audit behavior for delegated backends.
- Backend changes do not alter the protected-system-facing flex-auth API.
- Topaz/OpenFGA/OPA/Cedar/Keycloak/Entra tradeoffs are documented with
practical guidance.
- Delegated backends preserve CARING descriptor and conformance metadata
instead of leaking backend-native role semantics into protected systems.