Pre-implementation assessment and boundary review
(docs/pre-implementation-assessment.md) lead to three ADRs:
- ADR-001 Go + repo skeleton
- ADR-002 Rego-in-Markdown policy package format
- ADR-003 Topaz-aligned MVP (Topaz spike moves into foundations)
New workplan FLEX-WP-0005 (Foundations and Topaz Alignment) is inserted
between WP-0001 (done) and WP-0002 (core). WP-0002 pins Rego-in-Markdown
for P2.3; WP-0004 P4.1 refocused from Topaz evaluation to Topaz adapter.
Go skeleton at repo root: cmd/flex-auth + internal/{registry,policy,
decision,audit,adapters} + pkg/api + Makefile + .golangci.yml + GitHub
Actions CI. make ci green locally; bin/flex-auth --version works.
INTENT/SCOPE cite the NetKingdom IAM Profile and add the ops-warden /
ops-bridge disjoint-surface clarifications.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Flex-Auth Workplan Planning Map
Date: 2026-05-15
Purpose
This document captures the current sequencing view for flex-auth workplans.
Priority Scale
| Priority | Meaning |
|---|---|
| P0 | Current mainline implementation work. |
| P1 | Next integration work once core contracts exist. |
| P2 | Delegated/backend expansion after core shape stabilizes. |
| complete | Finished foundation or completed decision work. |
Current Ordering
| Workplan | Priority | Status | Depends On | Current View |
|---|---|---|---|---|
| FLEX-WP-0001 | complete | done | none | Repo intent, boundaries, and authorization landscape research are complete. |
| FLEX-WP-0005 | P0 | todo | FLEX-WP-0001 | Foundations and Topaz alignment: ADR-001/002/003, Go skeleton, FlexAuthResourceManifest schema pin, Topaz mapping spike, IAM Profile citation, ops-warden boundary clarification. |
| FLEX-WP-0002 | P0 | blocked | FLEX-WP-0001, FLEX-WP-0005 | Standalone policy-as-code core: schemas, local registry, Rego-in-Markdown policy packages, check APIs, explanations, decision log, CLI/service skeleton, tests. |
| FLEX-WP-0003 | P1 | blocked | FLEX-WP-0002 | Markitect consumer integration: resource namespace, manifest import, action vocabulary, decision fixtures, integration docs. |
| FLEX-WP-0004 | P2 | blocked | FLEX-WP-0002, FLEX-WP-0005 | Delegated PDP and directory adapters: Topaz adapter implementation (evaluation already done in 0005), OpenFGA/SpiceDB, OPA/Cedar, Keycloak Authorization Services, Entra/Graph/SCIM. |
Dependency Notes
- FLEX-WP-0005 is inserted between 0001 and 0002 per the
  pre-implementation assessment in docs/pre-implementation-assessment.md.
  It pulls forward the decisions the original 0002 left implicit (language,
  policy format, evaluator alignment) and runs the Topaz mapping spike
  before the core's schemas and check API are written.
- FLEX-WP-0002 comes after 0005 so the standalone evaluator embeds the
  OPA Rego library and produces decision envelopes shaped to match the
  delegated-mode envelopes added later.
- FLEX-WP-0003 follows the core. Markitect has already completed its
  side of the contract in MKTT-WP-0014; flex-auth pins the manifest in
  FLEX-WP-0005 T03 and implements the service-side registry and decision
  behavior in 0003.
- FLEX-WP-0004 waits for the standalone core for the same reason as
  before, but its Topaz evaluation task moved to 0005 T04; this workplan
  now implements the Topaz adapter against the spike's output.
State Hub Mirror
Native State Hub dependency edges:
- FLEX-WP-0005 -> FLEX-WP-0001
- FLEX-WP-0002 -> FLEX-WP-0005
- FLEX-WP-0002 -> FLEX-WP-0001 (preserved)
- FLEX-WP-0003 -> FLEX-WP-0002
- FLEX-WP-0004 -> FLEX-WP-0002
- FLEX-WP-0004 -> FLEX-WP-0005 (Topaz adapter consumes the spike)