---
id: FLEX-WP-0001
type: workplan
title: "Repo Intent and Authorization Architecture Baseline"
domain: netkingdom
status: done
owner: flex-auth
topic_slug: flex-auth
planning_priority: complete
planning_order: 10
created: "2026-05-04"
updated: "2026-05-04"
state_hub_workstream_id: "4dbefd19-bb7d-405c-9a50-e7dbd11cf4d9"
---

# FLEX-WP-0001: Repo Intent and Authorization Architecture Baseline

## Purpose

Establish flex-auth as the NetKingdom-side policy-as-code authorization registry and control plane, distinct from key-cape identity and from protected systems such as Markitect.

## Implementation Summary

Completed the initial project baseline:

- `INTENT.md` defines purpose, scope, responsibility boundaries, design principles, core concepts, standalone/delegated modes, first consumer, and non-goals.
- `docs/flex-auth-authorization-registry-research.md` captures product and component research across Keycloak Authorization Services, Entra, Topaz, OpenFGA, SpiceDB, OPA/OPAL, Cedar, Cerbos, Casbin, Oso, and related authorization patterns.
- `README.md` points newcomers at intent and research.
- The repo has been registered in State Hub under the NetKingdom authorization area.

## P1.1 - Define project intent

```task
id: FLEX-WP-0001-T001
status: done
priority: high
state_hub_task_id: "5af30b01-ea72-4f87-b74e-a595fd3a5bd7"
```

Define flex-auth as a policy-as-code authorization registry and control plane that can run standalone or coordinate with Topaz, OpenFGA, SpiceDB, OPA, Cedar, Keycloak Authorization Services, Entra/Graph, and directory systems.

## P1.2 - Define responsibility boundaries

```task
id: FLEX-WP-0001-T002
status: done
priority: high
state_hub_task_id: "145ec0ec-130a-4209-9028-1ae06e3664e3"
```

Capture boundaries:

- key-cape/NetKingdom owns identity.
- flex-auth owns the authorization registry, policy packages, relationships, decision logging, and PDP coordination.
- Protected systems own enforcement.
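The three-way split above (identity supplies an authenticated principal, flex-auth decides from relationship tuples plus a policy package and logs every decision, the protected system enforces) is illustrated by the following added example. It is written for this page and is not flex-auth's own implementation; the `Principal`, `Relation`, `AuthorizationRegistry` and `ProtectedDocumentStore` names, the relation-to-action policy package, and the sample tuples and documents are all constructed assumptions. Note that the registry never verifies credentials or resolves group membership (that stays with identity) and denies by default when no tuple grants the action.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


# --- Layer 1: identity (owned by key-cape/NetKingdom) -------------------------
# flex-auth only consumes an already-authenticated principal; credential checks
# and group membership are resolved by the identity system, never here.
@dataclass(frozen=True)
class Principal:
    subject: str                          # stable subject id from the identity system
    groups: frozenset[str] = frozenset()  # group names asserted by the identity system


# --- Layer 2: authorization registry (the flex-auth role) ---------------------
@dataclass(frozen=True)
class Relation:
    """One relationship tuple: <subject> holds <relation> on <resource>."""
    resource: str   # e.g. "doc:roadmap"
    relation: str   # e.g. "owner" / "editor" / "viewer"
    subject: str    # e.g. "user:alice" or "group:docs-team"


# Policy package (constructed sample): actions each relation grants, and which
# weaker relations a stronger relation implies.
ACTIONS_BY_RELATION = {
    "owner": frozenset({"read", "write", "share"}),
    "editor": frozenset({"read", "write"}),
    "viewer": frozenset({"read"}),
}
IMPLIED_RELATIONS = {"owner": ("editor",), "editor": ("viewer",)}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class AuthorizationRegistry:
    """Toy policy decision point: relationship tuples + policy package + decision log."""

    def __init__(self, relations: Iterable[Relation]):
        self._relations = tuple(relations)
        self.decision_log: list[dict] = []

    @staticmethod
    def _subject_refs(principal: Principal) -> set[str]:
        # A principal matches tuples written for the user or for any of its groups.
        return {f"user:{principal.subject}"} | {f"group:{g}" for g in principal.groups}

    def _effective_relations(self, resource: str, principal: Principal) -> set[str]:
        refs = self._subject_refs(principal)
        found = {r.relation for r in self._relations
                 if r.resource == resource and r.subject in refs}
        pending = list(found)
        while pending:  # expand implied relations transitively (owner -> editor -> viewer)
            for implied in IMPLIED_RELATIONS.get(pending.pop(), ()):
                if implied not in found:
                    found.add(implied)
                    pending.append(implied)
        return found

    def check(self, principal: Principal, action: str, resource: str) -> Decision:
        relations = self._effective_relations(resource, principal)
        granting = sorted(r for r in relations if action in ACTIONS_BY_RELATION.get(r, ()))
        if granting:
            decision = Decision(True, f"{action} on {resource} granted via {', '.join(granting)}")
        else:  # deny by default: no tuple, or no relation that grants this action
            decision = Decision(False, f"no relation grants {action} on {resource}")
        self.decision_log.append({  # every decision is recorded, allow or deny
            "subject": principal.subject, "action": action, "resource": resource,
            "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision


# --- Layer 3: enforcement (a protected system, in the role Markitect would play) -
class ProtectedDocumentStore:
    """Policy enforcement point: asks the registry, then enforces the answer locally."""

    def __init__(self, pdp: AuthorizationRegistry, docs: dict[str, str]):
        self._pdp = pdp
        self._docs = dict(docs)

    def _require(self, principal: Principal, action: str, doc_id: str) -> None:
        decision = self._pdp.check(principal, action, f"doc:{doc_id}")
        if not decision.allowed:
            raise PermissionError(decision.reason)

    def read(self, principal: Principal, doc_id: str) -> str:
        self._require(principal, "read", doc_id)
        return self._docs[doc_id]

    def write(self, principal: Principal, doc_id: str, body: str) -> None:
        self._require(principal, "write", doc_id)
        self._docs[doc_id] = body


def build_demo() -> tuple[AuthorizationRegistry, ProtectedDocumentStore]:
    """Wire the three layers with constructed sample tuples and documents."""
    registry = AuthorizationRegistry([
        Relation("doc:roadmap", "owner", "user:alice"),
        Relation("doc:roadmap", "viewer", "group:docs-team"),
    ])
    return registry, ProtectedDocumentStore(registry, {"roadmap": "v1 roadmap"})
```

Running `build_demo()` and then acting as `Principal("alice")` (direct owner) and `Principal("bob", frozenset({"docs-team"}))` (viewer through a group the identity layer asserted) shows the intended division of labour: the store only ever asks and enforces, the registry only ever decides and logs, and nothing about passwords, tokens or group lookup lives in either.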
## P1.3 - Capture open-source and enterprise landscape

```task
id: FLEX-WP-0001-T003
status: done
priority: high
state_hub_task_id: "c52a9e3e-e264-418d-b462-d5a9d6e22b30"
```

Document relevant concepts and lessons from current authorization tools and enterprise IAM patterns.

## P1.4 - Establish first-consumer architecture

```task
id: FLEX-WP-0001-T004
status: done
priority: medium
state_hub_task_id: "7756c4c5-598a-4894-9352-6e7145cb3522"
```

Use Markitect as the first concrete protected-system consumer while keeping the flex-auth model generic enough for other systems.

## Exit Criteria

- Repository purpose is explicit.
- Boundaries are clear enough to prevent identity and protected-system logic from creeping into flex-auth.
- Initial research informs implementation workplans.