generated from coulomb/repo-seed
---
id: FLEX-WP-0001
type: workplan
title: "Repo Intent and Authorization Architecture Baseline"
domain: netkingdom
status: done
owner: flex-auth
topic_slug: flex-auth
planning_priority: complete
planning_order: 10
created: "2026-05-04"
updated: "2026-05-04"
state_hub_workstream_id: "4dbefd19-bb7d-405c-9a50-e7dbd11cf4d9"
---

# FLEX-WP-0001: Repo Intent and Authorization Architecture Baseline

## Purpose

Establish flex-auth as the NetKingdom-side policy-as-code authorization registry
and control plane, distinct from key-cape identity and from protected systems
such as Markitect.

## Implementation Summary

Completed the initial project baseline:

- `INTENT.md` defines purpose, scope, responsibility boundaries, design
  principles, core concepts, standalone/delegated modes, first consumer, and
  non-goals.
- `docs/flex-auth-authorization-registry-research.md` captures product and
  component research across Keycloak Authorization Services, Entra, Topaz,
  OpenFGA, SpiceDB, OPA/OPAL, Cedar, Cerbos, Casbin, Oso, and related
  authorization patterns.
- `README.md` points newcomers at intent and research.
- The repo has been registered in State Hub under the NetKingdom authorization
  area.

## P1.1 - Define project intent

```task
id: FLEX-WP-0001-T001
status: done
priority: high
state_hub_task_id: "5af30b01-ea72-4f87-b74e-a595fd3a5bd7"
```

Define flex-auth as a policy-as-code authorization registry and control plane
that can run standalone or coordinate with Topaz, OpenFGA, SpiceDB, OPA, Cedar,
Keycloak Authorization Services, Entra/Graph, and directory systems.

## P1.2 - Define responsibility boundaries

```task
id: FLEX-WP-0001-T002
status: done
priority: high
state_hub_task_id: "145ec0ec-130a-4209-9028-1ae06e3664e3"
```

Capture boundaries:

- key-cape/NetKingdom owns identity.
- flex-auth owns the authorization registry, policy packages, relationships,
  decision logging, and PDP coordination.
- Protected systems own enforcement.

## P1.3 - Capture open-source and enterprise landscape

```task
id: FLEX-WP-0001-T003
status: done
priority: high
state_hub_task_id: "c52a9e3e-e264-418d-b462-d5a9d6e22b30"
```

Document relevant concepts and lessons from current authorization tools and
enterprise IAM patterns.

## P1.4 - Establish first-consumer architecture

```task
id: FLEX-WP-0001-T004
status: done
priority: medium
state_hub_task_id: "7756c4c5-598a-4894-9352-6e7145cb3522"
```

Use Markitect as the first concrete protected-system consumer while keeping
the flex-auth model generic enough for other systems.

## Exit Criteria

- Repository purpose is explicit.
- Boundaries are clear enough to prevent identity and protected-system logic
  from creeping into flex-auth.
- Initial research informs implementation workplans.