flex-auth/docs/ProductRequirementsDocument.md

# flex-auth Product Requirements Document

Date: 2026-05-04
Status: Draft for alignment

## 1. Definition

flex-auth is a policy-as-code authorization registry and control plane for
organizations that need to grow from simple application roles into
enterprise-grade, inspectable authorization.

The product is expected to define and operate the authorization layer between
verified identity claims and protected systems. It should let resource owners
register protected systems and resources, publish reviewable policy packages,
evaluate authorization requests, explain decisions, and preserve decision
records for diagnostics and audit.

This PRD defines what flex-auth must achieve within this repository's current
boundary. It intentionally avoids prescribing internal architecture or
implementation details beyond the product-level constraints already established
by the repo.

## 2. Context

NetKingdom-aligned systems separate identity from authorization:

```text
key-cape / NetKingdom SSO
  -> verified OIDC/SAML identity claims
  -> flex-auth policy-as-code and authorization registry
  -> protected systems and knowledge tools
```

Identity providers issue tokens, manage login, and provide coarse claims.
Protected systems enforce allow, deny, redact, and audit outcomes at their own
runtime boundaries. flex-auth exists between those responsibilities as the
stable authorization product surface.

The first concrete consumer is Markitect, which needs central authorization for
knowledge bases, repositories, documents, sections, context packages, workflow
artifacts, and exports. The product must use that consumer to validate real
resource and decision needs without becoming Markitect-specific.

## 3. Product Intent

flex-auth should provide a path that starts small and grows cleanly:

- Local developers and small teams can run flex-auth in standalone mode.
- Policy authors can version, review, validate, test, publish, and activate
  policy packages.
- Protected systems can register resources and ask stable authorization
  questions.
- Operators can inspect and export decision records with enough provenance to
  diagnose policy behavior.
- Enterprise deployments can later delegate relationship, rule, or directory
  concerns to established backends without changing protected-system contracts.

The product outcome is not merely a collection of adapters. The core value is a
canonical, backend-neutral authorization model that keeps ownership clear as
policy complexity grows.

## 4. Users and Stakeholders

### Primary Users

- Protected-system developers integrating authorization checks.
- Policy authors defining resource-specific access behavior.
- Platform engineers operating local or shared flex-auth instances.
- Product and architecture owners aligning identity, authorization, and
  protected-system boundaries.

### Secondary Users

- Security reviewers inspecting policy behavior and audit records.
- Support or operations staff diagnosing denied, redacted, stale, partial, or
  uncertain decisions.
- Future backend integrators connecting Topaz, OpenFGA, SpiceDB, OPA, Cedar,
  Keycloak Authorization Services, Entra, Graph, SCIM, LDAP, or related
  systems.

## 5. In Scope

### Standalone Authorization Core

- Protected-system manifests.
- Resource manifests and resource hierarchies.
- Subject, group, team, tenant, role, service-account, and emergency-principal
  representations needed for authorization.
- Relationship fact manifests.
- Canonical action vocabularies.
- Check request and decision envelope definitions.
- Deterministic `check` and `batch_check` behavior.
- `list_allowed` for discoverable allowed resources.
- `explain` for decision diagnostics.
- Local registry storage suitable for development, tests, and small
  deployments.

### Policy-as-Code Lifecycle

- Policy package metadata, validation, fixtures, tests, versions, and
  activation state.
- Local policy package testing before activation.
- Policy decision outputs that include effect, reason, matched policy version,
  matched rule, obligations, diagnostics, and provenance.

### Audit and Diagnostics

- Local decision records.
- Durable recording for denies, redactions, exports, and emergency actions.
- Compact decision envelopes suitable for later audit export.
- Clear diagnostics for stale, partial, uncertain, denied, and redacted
  results.

### Developer and Operator Experience

- CLI workflows for validating manifests, loading registry data, testing
  policies, checking one request, batch checking, and explaining a decision.
- A service entry point after library and CLI behavior are stable enough.
- Examples and tests for local users, groups, teams, project resources,
  inherited relationships, and policy fixtures.

### First Consumer: Markitect

- Markitect resource namespace and hierarchy.
- Import of Markitect resource manifests into the flex-auth registry.
- Markitect action vocabulary: `read`, `query`, `search`, `package`,
  `activate_context`, `export`, `workflow_run`, and `admin`.
- Markitect-compatible decision fixtures and contract tests.
- Integration documentation for publish, check, enforce, record, and explain
  flows.

### Future Delegated Mode

- Adapter boundaries for relationship PDPs such as OpenFGA and SpiceDB.
- Adapter boundaries for rule PDPs such as OPA/Rego and Cedar.
- Topaz evaluation as the first delegated-backend candidate.
- Keycloak Authorization Services adapter path for Keycloak-centric
  deployments.
- Directory and group resolver patterns for Entra/Graph, SCIM, LDAP, and
  Keycloak APIs.
- Operations documentation for caching, consistency, failure modes, and
  fail-open/fail-closed behavior.

## 6. Out of Scope

- Acting as an identity provider.
- Replacing key-cape, NetKingdom SSO, Keycloak, Entra, or other identity
  providers.
- Owning login, MFA, PKCE, token issuance, token lifecycle, OIDC discovery, or
  canonical IAM profile behavior.
- Making protected systems passive; they remain responsible for enforcement.
- Embedding Markitect-specific policy administration into flex-auth's generic
  model.
- Treating identity-provider roles, scopes, or groups as final
  resource-specific authorization by themselves.
- Forcing all deployments to use Topaz, OpenFGA, SpiceDB, OPA, Cedar,
  Keycloak Authorization Services, Entra, or any other single backend.
- Providing backlog, sprint, or task execution details beyond the existing
  workplans.
- Defining detailed technical architecture, database schema internals, service
  framework choices, or deployment manifests in this PRD.

## 7. Functional Requirements

### FR1. Protected-System Registration

flex-auth must let a protected system declare its identity, ownership, resource
namespaces, action vocabulary, and integration metadata in a registered
manifest.

### FR2. Resource Registration

flex-auth must accept resource manifests that describe resource identity,
namespace, hierarchy, owner metadata, policy labels, trust zones, and relevant
provenance.

### FR3. Subject and Relationship Registration

flex-auth must represent authorization-relevant subjects and relationships,
including humans, service accounts, groups, teams, tenants, roles, emergency
principals, subject-resource relations, and resource-resource relations.

### FR4. Policy Package Validation

flex-auth must load policy packages with metadata, fixtures, test cases,
version information, and activation metadata, and must reject invalid packages
with useful diagnostics.

### FR5. Policy Package Testing

flex-auth must support policy fixtures and test cases so policy authors can
verify expected decisions before activation.

### FR6. Authorization Checks

flex-auth must provide `check(subject, action, resource, context)` returning a
decision envelope with effect, reason, policy version, matched rule,
obligations, diagnostics, and provenance.

### FR7. Batch Authorization Checks

flex-auth must provide `batch_check(subject, action, resources, context)` for
query/search workflows where multiple resources must be evaluated together.

### FR8. Allowed Resource Listing

flex-auth must provide `list_allowed(subject, action, resource_type, filters,
context)` for workflows that need to discover resources a subject can access.

### FR9. Decision Explanation

flex-auth must provide `explain(decision_id)` so developers, policy authors,
and operators can understand why a decision was produced.

### FR10. Decision Recording

flex-auth must record decisions with compact, durable metadata, always
including denies, redactions, exports, and emergency actions.

### FR11. Markitect Compatibility

flex-auth must represent Markitect resource manifests, resource hierarchy,
action vocabulary, and decision shapes without making Markitect the only
consumer model.

### FR12. Delegated Backend Readiness

flex-auth must preserve a stable protected-system-facing contract when
authorization evaluation is later delegated to external PDP or directory
systems.

## 8. Non-Functional Requirements

### NFR1. Implementation Independence

Product contracts must be expressed in backend-neutral vocabulary. External PDP
engines are adapters, not product definitions.

### NFR2. Explainability

Denied, redacted, stale, partial, uncertain, audit-only, and not-applicable
decisions must produce useful diagnostics.

### NFR3. Local Usefulness

Standalone mode must be useful for development, smaller deployments, and
integration tests before delegated integrations are available.

### NFR4. Reviewability

Policies must be versioned, testable, and suitable for code review.

### NFR5. Auditability

Decision records must include policy version and enough provenance to support
diagnostics and audit export.

### NFR6. Backend Portability

The product must not require protected systems to change contracts when a PDP
backend changes.

### NFR7. Operational Clarity

Failure modes, caching behavior, consistency, stale directory data, group
overage, and fail-open/fail-closed behavior must be explicit.

### NFR8. Ownership Clarity

flex-auth must preserve clear boundaries between identity ownership,
authorization ownership, and protected-system enforcement ownership.

## 9. Assumptions and Dependencies

- Identity claims come from key-cape, NetKingdom SSO, Keycloak, Entra, or
  compatible identity systems.
- Protected systems are able to extract resource metadata and enforce
  decisions locally.
- Markitect remains the first concrete consumer for shaping realistic resource
  and workflow needs.
- Delegated backends should be introduced only after standalone request,
  decision, registry, and audit vocabulary are stable.
- Directory group membership can be stale, incomplete, or oversized for tokens;
  freshness and source metadata are therefore product requirements.
- This repo currently contains planning and documentation artifacts, not an
  implemented service.

## 10. Success Criteria

### MVP Success

- flex-auth can run standalone for local development.
- Protected systems, resources, subjects, relationships, and policy packages
  can be validated and loaded.
- `check`, `batch_check`, `list_allowed`, and `explain` are available.
- Decision envelopes are stable and include actionable diagnostics.
- Local decision logs record required high-value events.
- CLI workflows cover validation, loading, policy testing, checking, batch
  checking, and explaining.
- Tests and examples cover representative local users, groups, teams,
  resources, inheritance, and policy fixtures.

### First Consumer Success

- Markitect resource manifests can be imported.
- Markitect action vocabulary is represented.
- Markitect-compatible decisions are produced for allow, deny, redact, and
  audit-denied cases.
- Markitect integration docs cover publish, check, enforce, record, and explain
  flows.
- The integration remains generic enough for another protected system to reuse
  the same flex-auth model.

### Expansion Success

- Topaz has a clear MVP recommendation or rejection.
- Relationship PDP and rule PDP adapter contracts are documented and tested at
  their boundaries.
- Keycloak Authorization Services, Entra/Graph, SCIM, LDAP, and Keycloak API
  resolver paths are documented with explicit freshness and failure behavior.
- Protected-system APIs remain stable as delegated mode is introduced.

## 11. Product Constraints

- flex-auth must not collapse identity and authorization into one concern.
- flex-auth must not let the first Markitect integration narrow the generic
  protected-system model.
- flex-auth must keep policy behavior inspectable rather than relying on opaque
  administrative toggles.
- flex-auth must treat roles, scopes, groups, tenants, claims, relationships,
  and context as authorization inputs, not as automatic final decisions.
- flex-auth must be useful before enterprise infrastructure is available.
- flex-auth must make uncertainty visible instead of silently hiding stale or
  partial authorization data.

## 12. Traceability

This PRD is grounded in the current repository material:

- `INTENT.md`
- `docs/flex-auth-authorization-registry-research.md`
- `docs/workplan-planning-map.md`
- `workplans/FLEX-WP-0001-repo-intent-and-architecture-baseline.md`
- `workplans/FLEX-WP-0002-standalone-policy-as-code-core.md`
- `workplans/FLEX-WP-0003-markitect-consumer-integration.md`
- `workplans/FLEX-WP-0004-delegated-pdp-and-directory-adapters.md`
- `.custodian-brief.md`

Downstream technical specifications, ADRs, schemas, backlog items, tests, and
implementation tasks should derive from this document without treating it as a
technical design.