coulomb/flex-auth
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0fbb2a45c2bc4cd8d68b52723f8b44e7b7fe2a0a
flex-auth/workplans/FLEX-WP-0001-repo-intent-and-architecture-baseline.md

2.7 KiB
Raw Blame History

id, type, title, domain, status, owner, topic_slug, planning_priority, planning_order, created, updated, state_hub_workstream_id
id type title domain status owner topic_slug planning_priority planning_order created updated state_hub_workstream_id
FLEX-WP-0001 workplan Repo Intent and Authorization Architecture Baseline netkingdom done flex-auth flex-auth complete 10 2026-05-04 2026-05-04 4dbefd19-bb7d-405c-9a50-e7dbd11cf4d9

FLEX-WP-0001: Repo Intent and Authorization Architecture Baseline

Purpose

Fixate flex-auth as the NetKingdom-side policy-as-code authorization registry and control plane, distinct from key-cape identity and from protected systems such as Markitect.

Implementation Summary

Completed the initial project baseline:

  • INTENT.md defines purpose, scope, responsibility boundaries, design principles, core concepts, standalone/delegated modes, first consumer, and non-goals.
  • docs/flex-auth-authorization-registry-research.md captures product and component research across Keycloak Authorization Services, Entra, Topaz, OpenFGA, SpiceDB, OPA/OPAL, Cedar, Cerbos, Casbin, Oso, and related authorization patterns.
  • README.md points newcomers at intent and research.
  • The repo has been registered in State Hub under the NetKingdom authorization area.

P1.1 - Define project intent

id: FLEX-WP-0001-T001
status: done
priority: high
state_hub_task_id: "5af30b01-ea72-4f87-b74e-a595fd3a5bd7"

Define flex-auth as a policy-as-code authorization registry and control plane that can run standalone or coordinate with Topaz, OpenFGA, SpiceDB, OPA, Cedar, Keycloak Authorization Services, Entra/Graph, and directory systems.

P1.2 - Define responsibility boundaries

id: FLEX-WP-0001-T002
status: done
priority: high
state_hub_task_id: "145ec0ec-130a-4209-9028-1ae06e3664e3"

Capture boundaries:

  • key-cape/NetKingdom owns identity.
  • flex-auth owns authorization registry, policy packages, relationships, decision logging, and PDP coordination.
  • protected systems own enforcement.

P1.3 - Capture open-source and enterprise landscape

id: FLEX-WP-0001-T003
status: done
priority: high
state_hub_task_id: "c52a9e3e-e264-418d-b462-d5a9d6e22b30"

Document relevant concepts and lessons from current authorization tools and enterprise IAM patterns.

P1.4 - Establish first-consumer architecture

id: FLEX-WP-0001-T004
status: done
priority: medium
state_hub_task_id: "7756c4c5-598a-4894-9352-6e7145cb3522"

Use Markitect as the first concrete protected-system consumer while keeping the flex-auth model generic enough for other systems.

Exit Criteria

  • Repository purpose is explicit.
  • Boundaries are clear enough to prevent identity and protected-system logic from creeping into flex-auth.
  • Initial research informs implementation workplans.
Reference in New Issue View Git Blame Copy Permalink