coulomb/flex-auth
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
e2d410de6ee74a85b1e596b9ff3be72f50b3f685
flex-auth/workplans/FLEX-WP-0004-delegated-pdp-and-directory-adapters.md
tegwick 55120ec20a Land foundations: assessment, ADR-001/002/003, FLEX-WP-0005, Go skeleton 
Pre-implementation assessment and boundary review
(docs/pre-implementation-assessment.md) lead to three ADRs:
- ADR-001 Go + repo skeleton
- ADR-002 Rego-in-Markdown policy package format
- ADR-003 Topaz-aligned MVP (Topaz spike moves into foundations)

New workplan FLEX-WP-0005 (Foundations and Topaz Alignment) is inserted
between WP-0001 (done) and WP-0002 (core). WP-0002 pins Rego-in-Markdown
for P2.3; WP-0004 P4.1 refocused from Topaz evaluation to Topaz adapter.

Go skeleton at repo root: cmd/flex-auth + internal/{registry,policy,
decision,audit,adapters} + pkg/api + Makefile + .golangci.yml + GitHub
Actions CI. make ci green locally; bin/flex-auth --version works.

INTENT/SCOPE cite the NetKingdom IAM Profile and add the ops-warden /
ops-bridge disjoint-surface clarifications.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-16 01:54:44 +02:00

154 lines
4.4 KiB
Markdown
Raw Blame History

---
id: FLEX-WP-0004
type: workplan
title: "Delegated PDP and Directory Adapters"
domain: netkingdom
status: todo
owner: flex-auth
topic_slug: flex-auth
planning_priority: P2
planning_order: 40
depends_on_workplans:
- FLEX-WP-0002
related_workplans:
- FLEX-WP-0003
created: "2026-05-04"
updated: "2026-05-15"
state_hub_workstream_id: "99a82976-d376-42b0-89cc-c44e01c0bec6"
---
# FLEX-WP-0004: Delegated PDP and Directory Adapters
## Purpose
Let flex-auth coordinate established authorization and directory systems while
remaining the stable control plane for protected systems.
The standalone core must work first. This workplan adds delegated backends and
provider examples after flex-auth's own request, decision, registry, and audit
vocabulary are stable.
> **Scope change (2026-05-15).** Per ADR-003 and the pre-implementation
> assessment, the Topaz *evaluation* moved to `FLEX-WP-0005 T04` so its
> output can shape the standalone core. This workplan now implements the
> Topaz *adapter* against that mapping; the standalone evaluator already
> speaks Rego, so adapter work focuses on directory delegation, wire
> protocol, and consistency metadata rather than re-deciding fit.
## P4.1 - Implement Topaz adapter
```task
id: FLEX-WP-0004-T001
status: todo
priority: high
state_hub_task_id: "9046418c-2b78-42c6-8bfa-76d6ed0050dd"
```
Implement the Topaz adapter behind flex-auth's stable PDP and directory
contracts. Consumes `docs/topaz-mapping-spike.md` produced in
`FLEX-WP-0005 T04`.
Scope:
- Wire-protocol selection (gRPC vs HTTP vs embedded library) with
rationale recorded.
- Directory delegation: flex-auth registry writes flow into Topaz
directory objects/relations; reads can be served from either side
with documented consistency semantics.
- Policy delegation: a flex-auth package (Rego-in-Markdown) is
decomposed and pushed to Topaz unchanged; decisions returned carry
the same envelope shape as standalone evaluation.
- Failure modes: Topaz unavailable, stale directory, partial result —
each produces a decision envelope that the standalone code path
could also have produced.
Output: adapter package under `internal/adapters/topaz/`, end-to-end
integration test using the `examples/topaz/` docker-compose from the
spike, and an operations note covering startup, health checks, and
fail-closed defaults.
## P4.2 - Add relationship PDP adapter boundary
```task
id: FLEX-WP-0004-T002
status: todo
priority: high
state_hub_task_id: "b77a0b70-b492-46ba-badf-8c2eebe006aa"
```
Define and implement adapter contracts for OpenFGA and SpiceDB-style checks:
- tuple/resource mapping
- inherited access
- batch/list operations
- consistency metadata
- error and stale-data diagnostics
## P4.3 - Add rule PDP adapter boundary
```task
id: FLEX-WP-0004-T003
status: todo
priority: high
state_hub_task_id: "4e4e5e45-c05a-4a31-8126-f0c7676b1e6c"
```
Define and implement adapter contracts for OPA/Rego and Cedar-style policies:
- principal/action/resource/context mapping
- policy package versioning
- test fixtures
- obligations and diagnostics
## P4.4 - Add Keycloak Authorization Services adapter path
```task
id: FLEX-WP-0004-T004
status: todo
priority: medium
state_hub_task_id: "8d3bbc28-985b-4dd7-9fb8-f9a858eb5a6b"
```
Document and spike Keycloak Authorization Services integration for
Keycloak-centric deployments without making Keycloak the only resource-policy
source of truth.
## P4.5 - Add Entra/Graph and SCIM group resolver adapters
```task
id: FLEX-WP-0004-T005
status: todo
priority: medium
state_hub_task_id: "4fc3fb91-8763-453e-8e54-36178cb11efd"
```
Implement directory group resolver patterns for:
- Microsoft Graph group overage
- SCIM provisioning
- LDAP/AD
- Keycloak admin API
Each resolver must expose freshness, source, and overage metadata.
## P4.6 - Add delegated-mode operations docs
```task
id: FLEX-WP-0004-T006
status: todo
priority: medium
state_hub_task_id: "491260f9-b4d7-46fe-8220-d358597db33a"
```
Document deployment, failure modes, caching, fail-closed/fail-open policy,
consistency, and audit behavior for delegated backends.
## Exit Criteria
- flex-auth can delegate decisions to at least one external PDP in a controlled
adapter shape.
- Directory group freshness and overage are explicit.
- Backend changes do not alter the protected-system-facing flex-auth API.
- Topaz/OpenFGA/OPA/Cedar/Keycloak/Entra tradeoffs are documented with
practical guidance.
Reference in New Issue View Git Blame Copy Permalink