# Flex-Auth Workplan Planning Map

Date: 2026-05-04

## Purpose

This document captures the initial sequencing view for flex-auth workplans.

## Priority Scale

| Priority | Meaning |
| --- | --- |
| `P0` | Current mainline implementation work. |
| `P1` | Next integration work once core contracts exist. |
| `P2` | Delegated/backend expansion after core shape stabilizes. |
| `complete` | Finished foundation or completed decision work. |

## Current Ordering

| Workplan | Priority | Status | Depends On | Current View |
| --- | --- | --- | --- | --- |
| `FLEX-WP-0001` | complete | done | none | Repo intent, boundaries, and authorization landscape research are complete. |
| `FLEX-WP-0002` | P0 | todo | `FLEX-WP-0001` | Standalone policy-as-code core: schemas, local registry, policy packages, check APIs, explanations, decision log, CLI/service skeleton, tests. |
| `FLEX-WP-0003` | P1 | todo | `FLEX-WP-0002` | Markitect consumer integration: resource namespace, manifest import, action vocabulary, decision fixtures, integration docs. |
| `FLEX-WP-0004` | P2 | todo | `FLEX-WP-0002` | Delegated PDP and directory adapters: Topaz, OpenFGA/SpiceDB, OPA/Cedar, Keycloak Authorization Services, Entra/Graph/SCIM. |

## Dependency Notes

`FLEX-WP-0002` should come first because the protected-system-facing API must
be stable before flex-auth delegates decisions to external engines.

`FLEX-WP-0003` follows the core and uses Markitect as the first concrete
consumer. Markitect has already completed its side of the initial contract in
`MKTT-WP-0014`, but flex-auth must still implement the service-side registry
and decision behavior.

`FLEX-WP-0004` should wait for the standalone core so delegated engines do not
define the whole architecture accidentally.

## State Hub Mirror

Native State Hub dependency edges should mirror:

- `FLEX-WP-0002 -> FLEX-WP-0001`
- `FLEX-WP-0003 -> FLEX-WP-0002`
- `FLEX-WP-0004 -> FLEX-WP-0002`