generated from coulomb/repo-seed
Workplan sketch out and statehub registration
150
workplans/FLEX-WP-0003-markitect-consumer-integration.md
Normal file
@@ -0,0 +1,150 @@
|
||||
---
|
||||
id: FLEX-WP-0003
|
||||
type: workplan
|
||||
title: "Markitect Consumer Integration"
|
||||
domain: netkingdom
|
||||
status: todo
|
||||
owner: flex-auth
|
||||
topic_slug: flex-auth
|
||||
planning_priority: P1
|
||||
planning_order: 30
|
||||
depends_on_workplans:
|
||||
- FLEX-WP-0002
|
||||
related_workplans:
|
||||
- MKTT-WP-0014
|
||||
created: "2026-05-04"
|
||||
updated: "2026-05-04"
|
||||
state_hub_workstream_id: "c0a6c9f6-bb6b-416d-b537-f30504c63d75"
|
||||
---
|
||||
|
||||
# FLEX-WP-0003: Markitect Consumer Integration
|
||||
|
||||
## Purpose
|
||||
|
||||
Make Markitect the first concrete protected-system consumer of flex-auth.
|
||||
|
||||
Markitect already has a local enterprise integration boundary in
|
||||
`MKTT-WP-0014`: identity claim normalization fixtures, policy-subject mapping,
|
||||
resource manifests, local decision-log sink, workflow declarations, and CLI
|
||||
inspection. This flex-auth workplan implements the service-side contract that
|
||||
Markitect can call.
|
||||
|
||||
## P3.1 - Define Markitect resource namespace
|
||||
|
||||
```task
|
||||
id: FLEX-WP-0003-T001
|
||||
status: todo
|
||||
priority: high
|
||||
state_hub_task_id: "53f2fa67-780b-4e40-bbda-e669e4cecc32"
|
||||
```
|
||||
|
||||
Define resource types and hierarchy for Markitect:
|
||||
|
||||
```text
|
||||
knowledge_base
|
||||
-> repository
|
||||
-> document/path
|
||||
-> section/span
|
||||
-> context_package
|
||||
-> workflow_artifact/export
|
||||
```
|
||||
|
||||
Output: namespace docs, schema examples, and compatibility notes for
|
||||
Markitect frontmatter and backend metadata.
|
||||
|
||||
## P3.2 - Import Markitect resource manifests
|
||||
|
||||
```task
|
||||
id: FLEX-WP-0003-T002
|
||||
status: todo
|
||||
priority: high
|
||||
state_hub_task_id: "90082eaf-37f5-492f-a884-ff8eec0eccaa"
|
||||
```
|
||||
|
||||
Accept the Markitect-side `FlexAuthResourceManifest` shape and import it into
|
||||
the flex-auth registry.
|
||||
|
||||
Output: importer, validation diagnostics, example fixtures, and tests.
|
||||
|
||||
## P3.3 - Define Markitect action vocabulary
|
||||
|
||||
```task
|
||||
id: FLEX-WP-0003-T003
|
||||
status: todo
|
||||
priority: high
|
||||
state_hub_task_id: "cfc78bbb-5425-4780-a860-9109df62ea37"
|
||||
```
|
||||
|
||||
Define actions:
|
||||
|
||||
- `read`
|
||||
- `query`
|
||||
- `search`
|
||||
- `package`
|
||||
- `activate_context`
|
||||
- `export`
|
||||
- `workflow_run`
|
||||
- `admin`
|
||||
|
||||
Map these actions to Markitect policy-gateway decisions.
|
||||
|
||||
## P3.4 - Implement Markitect check fixtures
|
||||
|
||||
```task
|
||||
id: FLEX-WP-0003-T004
|
||||
status: todo
|
||||
priority: high
|
||||
state_hub_task_id: "1d5de3b2-c581-4ca3-9107-93211eb02c6b"
|
||||
```
|
||||
|
||||
Create fixtures that mirror Markitect examples:
|
||||
|
||||
- public document allow
|
||||
- internal document deny
|
||||
- internal document allow for reader group
|
||||
- restricted export requires steward role and MFA
|
||||
- context package activation includes policy version and freshness metadata
|
||||
|
||||
## P3.5 - Add Markitect adapter contract tests
|
||||
|
||||
```task
|
||||
id: FLEX-WP-0003-T005
|
||||
status: todo
|
||||
priority: medium
|
||||
state_hub_task_id: "f9297b0d-69dc-495c-a650-ca671f2c59c7"
|
||||
```
|
||||
|
||||
Add tests that produce flex-auth decisions in the shape Markitect expects:
|
||||
|
||||
- `allow`
|
||||
- `deny`
|
||||
- `redact`
|
||||
- `audit_denied`
|
||||
- reason and rule id
|
||||
- policy version
|
||||
- resource metadata
|
||||
- obligations/diagnostics
|
||||
|
||||
## P3.6 - Document integration flow
|
||||
|
||||
```task
|
||||
id: FLEX-WP-0003-T006
|
||||
status: todo
|
||||
priority: medium
|
||||
state_hub_task_id: "e34b0303-4416-40a3-8b34-e0e80d644aea"
|
||||
```
|
||||
|
||||
Document how Markitect should:
|
||||
|
||||
1. Publish resources.
|
||||
2. Submit check or batch_check requests.
|
||||
3. Enforce allow/deny/redact.
|
||||
4. Record decision ids.
|
||||
5. Explain decisions back to users.
|
||||
|
||||
## Exit Criteria
|
||||
|
||||
- flex-auth can ingest Markitect resource manifests.
|
||||
- flex-auth can return Markitect-compatible decisions.
|
||||
- Markitect examples can be represented in flex-auth fixtures.
|
||||
- Integration remains generic enough for other protected systems.
|
||||
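Review bot: The decision vocabulary is inconsistent across P3.4, P3.5 and P3.6. P3.5 expects `allow`, `deny`, `redact` and `audit_denied`, but the P3.4 fixture list has no case that yields `redact` or `audit_denied`, and P3.6 step 3 ("Enforce allow/deny/redact") leaves `audit_denied` out of what Markitect is told to enforce. Add one fixture per missing decision to P3.4, and extend step 3 to say how the consumer handles `audit_denied`, a decision value it does not recognize, and a check that fails or times out; the safe default for the last two is to treat them as deny. Separately, P3.1 and P3.2 each end with an "Output:" line while P3.3 through P3.6 do not, so the deliverables for the action mapping, fixtures, contract tests and flow documentation are not stated; add an "Output:" line to each so they can be checked against the Exit Criteria.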