flex-auth/docs/workplan-planning-map.md
tegwick 941501c590
FLEX-WP-0007: production registry fixture, tests, and sync runbook
Add production_registry_snapshot.json from ops-warden inventory with CI
coverage for real actors, IAM subject binding, ttl_out_of_bounds, and
unknown_actor_resource. Extend serve contract tests with /healthz and
publish the registry sync contract for operator deployment.
2026-06-24 14:52:35 +02:00


# Flex-Auth Workplan Planning Map

Date: 2026-06-23

## Purpose

This document captures the current sequencing view for flex-auth workplans.

## Priority Scale

| Priority | Meaning |
|---|---|
| P0 | Current mainline implementation work. |
| P1 | Next integration work once core contracts exist. |
| P2 | Delegated/backend expansion after core shape stabilizes. |
| complete | Finished foundation or completed decision work. |

## Current Ordering

| Workplan | Priority | Status | Depends On | Current View |
|---|---|---|---|---|
| FLEX-WP-0001 | complete | done | none | Repo intent, boundaries, and authorization landscape research are complete. |
| FLEX-WP-0005 | complete | done | FLEX-WP-0001 | Foundations and Topaz alignment are complete: ADR-001/002/003, Go skeleton, FlexAuthResourceManifest schema pin, Topaz mapping spike, IAM Profile citation, ops-warden boundary clarification. |
| FLEX-WP-0002 | complete | completed | FLEX-WP-0001, FLEX-WP-0005 | Standalone policy-as-code core is complete: schemas, local registry, CARING profile/descriptors, Rego-in-Markdown policy packages, check APIs, explanations, decision log, CLI/service skeleton, tests. |
| FLEX-WP-0003 | complete | completed | FLEX-WP-0002 | Markitect consumer integration and first CARING benchmark are complete: resource namespace, manifest import, action vocabulary, descriptor fixtures, decision fixtures, integration docs. |
| FLEX-WP-0004 | complete | completed | FLEX-WP-0002, FLEX-WP-0005 | Delegated PDP and directory adapter boundary work is complete: Topaz adapter shape, OpenFGA/SpiceDB, OPA/Cedar, Keycloak Authorization Services, Entra/Graph/SCIM, CARING envelope preservation. |
| FLEX-WP-0006 | complete | finished | FLEX-WP-0002, FLEX-WP-0005 | Ops-warden unblocker is complete: flex-auth publishes ssh-certificate / sign policies, fixtures, and /v1/check smoke evidence for the opt-in pre-sign gate shipped in ops-warden WARDEN-WP-0007 and tracked for production in WARDEN-WP-0009. |
| FLEX-WP-0007 | P0 | blocked | FLEX-WP-0006 | Repo-side production registry fixture, sync contract, runtime command, healthz coverage, and real actor/IAM tests are implemented. Operator deployment and OpenBao smoke remain blocked on reachable runtime selection and scoped VAULT_TOKEN refresh. |

## Dependency Notes

FLEX-WP-0005 is inserted between 0001 and 0002 per the pre-implementation assessment in docs/pre-implementation-assessment.md. It pulls forward the decisions the original 0002 left implicit (language, policy format, evaluator alignment) and runs the Topaz mapping spike before the core's schemas and check API are written.

docs/caring-architecture-blueprint.md adds the 2026-05-17 CARING refinement: CARING remains the semantic standard, while flex-auth becomes the practical reference implementation for descriptors, conformance findings, decision metadata, explain output, and exposure-event audit records. This refinement changes the shape of FLEX-WP-0002 but does not add a new predecessor workplan.

FLEX-WP-0002 comes after 0005 so the standalone evaluator embeds the OPA Rego library and produces decision envelopes shaped to match the delegated-mode envelopes added later. It now also pins the executable CARING profile in the same schema slice.

FLEX-WP-0003 follows the core. Markitect has already completed its side of the contract in MKTT-WP-0014; flex-auth pins the manifest in FLEX-WP-0005 T03 and implements the service-side registry and decision behavior in 0003. It also becomes the first consumer benchmark for proving local roles and resource semantics can map cleanly into CARING dimensions.

FLEX-WP-0004 waits for the standalone core for the same reason as before, but its Topaz evaluation task moved to 0005 T04; this workplan now implements the Topaz adapter against the spike's output. Delegated adapters must preserve flex-auth's CARING descriptor and conformance fields even when backend-native role semantics differ.

FLEX-WP-0006 was the cross-repo integration unblocker for ops-warden. ops-warden already implements the opt-in policy call (policy.enabled: true) and production OpenBao signing works without the gate. flex-auth now publishes the protected-system manifest, ssh-certificate / sign policy package, allow/deny fixtures, and POST /v1/check evidence that ops-warden can use before enabling policy.enabled in production.

## State Hub Mirror

Native State Hub dependency edges:

- FLEX-WP-0005 -> FLEX-WP-0001
- FLEX-WP-0002 -> FLEX-WP-0005
- FLEX-WP-0002 -> FLEX-WP-0001 (preserved)
- FLEX-WP-0003 -> FLEX-WP-0002
- FLEX-WP-0004 -> FLEX-WP-0002
- FLEX-WP-0004 -> FLEX-WP-0005 (Topaz adapter consumes the spike)
- FLEX-WP-0006 -> FLEX-WP-0002
- FLEX-WP-0006 -> FLEX-WP-0005
- ops-warden: WARDEN-WP-0009 finished (caller + registry smoke). Production `policy.enabled: true` waits for FLEX-WP-0007 (reachable flex-auth runtime).
- FLEX-WP-0007 -> FLEX-WP-0006