# Flex-Auth Workplan Planning Map

Date: 2026-06-23

## Purpose

This document captures the current sequencing view for flex-auth workplans.

## Priority Scale

| Priority | Meaning |
| --- | --- |
| `P0` | Current mainline implementation work. |
| `P1` | Next integration work once core contracts exist. |
| `P2` | Delegated/backend expansion after core shape stabilizes. |
| `complete` | Finished foundation or completed decision work. |

## Current Ordering

| Workplan | Priority | Status | Depends On | Current View |
| --- | --- | --- | --- | --- |
| `FLEX-WP-0001` | complete | done | none | Repo intent, boundaries, and authorization landscape research are complete. |
| `FLEX-WP-0005` | complete | done | `FLEX-WP-0001` | Foundations and Topaz alignment are complete: ADR-001/002/003, Go skeleton, `FlexAuthResourceManifest` schema pin, Topaz mapping spike, IAM Profile citation, ops-warden boundary clarification. |
| `FLEX-WP-0002` | complete | completed | `FLEX-WP-0001`, `FLEX-WP-0005` | Standalone policy-as-code core is complete: schemas, local registry, CARING profile/descriptors, Rego-in-Markdown policy packages, check APIs, explanations, decision log, CLI/service skeleton, tests. |
| `FLEX-WP-0003` | complete | completed | `FLEX-WP-0002` | Markitect consumer integration and first CARING benchmark are complete: resource namespace, manifest import, action vocabulary, descriptor fixtures, decision fixtures, integration docs. |
| `FLEX-WP-0004` | complete | completed | `FLEX-WP-0002`, `FLEX-WP-0005` | Delegated PDP and directory adapter boundary work is complete: Topaz adapter shape, OpenFGA/SpiceDB, OPA/Cedar, Keycloak Authorization Services, Entra/Graph/SCIM, CARING envelope preservation. |
| `FLEX-WP-0006` | complete | finished | `FLEX-WP-0002`, `FLEX-WP-0005` | Ops-warden unblocker is complete: flex-auth publishes `ssh-certificate` / `sign` policies, fixtures, and `/v1/check` smoke evidence for the opt-in pre-sign gate shipped in ops-warden `WARDEN-WP-0007` and tracked for production in `WARDEN-WP-0009`. |
| `FLEX-WP-0007` | `P0` | blocked | `FLEX-WP-0006` | Repo-side production registry fixture, sync contract, runtime command, healthz coverage, and real actor/IAM tests are implemented. Operator deployment and OpenBao smoke remain blocked on reachable runtime selection and scoped VAULT_TOKEN refresh. |

## Dependency Notes

`FLEX-WP-0005` is inserted between `0001` and `0002` per the pre-implementation assessment in `docs/pre-implementation-assessment.md`. It pulls forward the decisions the original `0002` left implicit (language, policy format, evaluator alignment) and runs the Topaz mapping spike before the core's schemas and check API are written.

`docs/caring-architecture-blueprint.md` adds the 2026-05-17 CARING refinement: CARING remains the semantic standard, while flex-auth becomes the practical reference implementation for descriptors, conformance findings, decision metadata, explain output, and exposure-event audit records. This refinement changes the shape of `FLEX-WP-0002` but does not add a new predecessor workplan.

`FLEX-WP-0002` comes after `0005` so the standalone evaluator embeds the OPA Rego library and produces decision envelopes shaped to match the delegated-mode envelopes added later. It now also pins the executable CARING profile in the same schema slice.

`FLEX-WP-0003` follows the core. Markitect has already completed its side of the contract in `MKTT-WP-0014`; flex-auth pins the manifest in `FLEX-WP-0005 T03` and implements the service-side registry and decision behavior in `0003`. It also becomes the first consumer benchmark for proving that local roles and resource semantics can map cleanly into CARING dimensions.

`FLEX-WP-0004` waits for the standalone core for the same reason as before, but its Topaz evaluation task moved to `0005 T04`; this workplan now implements the Topaz adapter against the spike's output. Delegated adapters must preserve flex-auth's CARING descriptor and conformance fields even when backend-native role semantics differ.

`FLEX-WP-0006` was the cross-repo integration unblocker for ops-warden. ops-warden already implements the opt-in policy call (`policy.enabled: true`), and production OpenBao signing works without the gate. flex-auth now publishes the protected-system manifest, the `ssh-certificate` / `sign` policy package, allow/deny fixtures, and `POST /v1/check` evidence that ops-warden can use before enabling `policy.enabled` in production.

## State Hub Mirror

Native State Hub dependency edges:

- `FLEX-WP-0005 -> FLEX-WP-0001`
- `FLEX-WP-0002 -> FLEX-WP-0005`
- `FLEX-WP-0002 -> FLEX-WP-0001` (preserved)
- `FLEX-WP-0003 -> FLEX-WP-0002`
- `FLEX-WP-0004 -> FLEX-WP-0002`
- `FLEX-WP-0004 -> FLEX-WP-0005` (Topaz adapter consumes the spike)
- `FLEX-WP-0006 -> FLEX-WP-0002`
- `FLEX-WP-0006 -> FLEX-WP-0005`
- ops-warden: `WARDEN-WP-0009` finished (caller + registry smoke). Production `policy.enabled: true` waits for `FLEX-WP-0007` (reachable flex-auth runtime).
- `FLEX-WP-0007 -> FLEX-WP-0006`