generated from coulomb/repo-seed
Refine workplans for CARING profile
This commit is contained in:
@@ -13,7 +13,7 @@ depends_on_workplans:
|
||||
related_workplans:
|
||||
- FLEX-WP-0003
|
||||
created: "2026-05-04"
|
||||
updated: "2026-05-15"
|
||||
updated: "2026-05-17"
|
||||
state_hub_workstream_id: "99a82976-d376-42b0-89cc-c44e01c0bec6"
|
||||
---
|
||||
|
||||
@@ -35,6 +35,11 @@ vocabulary are stable.
|
||||
> speaks Rego, so adapter work focuses on directory delegation, wire
|
||||
> protocol, and consistency metadata rather than re-deciding fit.
|
||||
|
||||
> **CARING note (2026-05-17).** Delegated adapters must preserve the
|
||||
> CARING decision envelope fields defined by the standalone core. Backend
|
||||
> native semantics may differ, but protected systems should still see the
|
||||
> same descriptor, exposure, restriction, conformance, and audit shape.
|
||||
|
||||
## P4.1 - Implement Topaz adapter
|
||||
|
||||
```task
|
||||
@@ -61,6 +66,9 @@ Scope:
|
||||
- Failure modes: Topaz unavailable, stale directory, partial result —
|
||||
each produces a decision envelope that the standalone code path
|
||||
could also have produced.
|
||||
- CARING preservation: delegated decisions include the same CARING
|
||||
descriptor, restriction precedence, exposure mode, conformance findings,
|
||||
and exposure-event hooks as standalone decisions.
|
||||
|
||||
Output: adapter package under `internal/adapters/topaz/`, end-to-end
|
||||
integration test using the `examples/topaz/` docker-compose from the
|
||||
@@ -83,6 +91,8 @@ Define and implement adapter contracts for OpenFGA and SpiceDB-style checks:
|
||||
- batch/list operations
|
||||
- consistency metadata
|
||||
- error and stale-data diagnostics
|
||||
- preservation of CARING scope, plane, capability, exposure, and derived
|
||||
capability metadata across tuple-oriented backends
|
||||
|
||||
## P4.3 - Add rule PDP adapter boundary
|
||||
|
||||
@@ -99,6 +109,8 @@ Define and implement adapter contracts for OPA/Rego and Cedar-style policies:
|
||||
- policy package versioning
|
||||
- test fixtures
|
||||
- obligations and diagnostics
|
||||
- CARING frontmatter and conformance findings when backend-native policy
|
||||
languages cannot represent every descriptor dimension directly
|
||||
|
||||
## P4.4 - Add Keycloak Authorization Services adapter path
|
||||
|
||||
@@ -130,6 +142,9 @@ Implement directory group resolver patterns for:
|
||||
- Keycloak admin API
|
||||
|
||||
Each resolver must expose freshness, source, and overage metadata.
|
||||
Resolvers must also identify which organization relation, subject type,
|
||||
group, or role claim was derived from the external directory so CARING
|
||||
descriptor provenance remains inspectable.
|
||||
|
||||
## P4.6 - Add delegated-mode operations docs
|
||||
|
||||
@@ -151,3 +166,5 @@ consistency, and audit behavior for delegated backends.
|
||||
- Backend changes do not alter the protected-system-facing flex-auth API.
|
||||
- Topaz/OpenFGA/OPA/Cedar/Keycloak/Entra tradeoffs are documented with
|
||||
practical guidance.
|
||||
- Delegated backends preserve CARING descriptor and conformance metadata
|
||||
instead of leaking backend-native role semantics into protected systems.
|
||||
|
||||
Reference in New Issue
Block a user