Refinement of flex-auth boundry and delegation

docs/enterprise-access-control-integration.md

@@ -371,6 +371,15 @@ The product survey, Keycloak/Entra analysis, and boundary recommendation now
 live in the sibling `flex-auth` repo:
 `flex-auth/docs/flex-auth-authorization-registry-research.md`.
 
+Implementation follow-up is tracked there:
+
+- `FLEX-WP-0002`: standalone policy-as-code core and check APIs.
+- `FLEX-WP-0003`: flex-auth service-side Markitect consumer integration.
+- `FLEX-WP-0004`: delegated PDP and directory adapters.
+
+Markitect should not implement a live flex-auth service client until
+`FLEX-WP-0003` stabilizes the resource-registration and check/batch_check API.
+
 ## Sources
 
 - OpenID Connect Core 1.0: https://openid.net/specs/openid-connect-core-1_0.html

workplans/MKTT-WP-0014-enterprise-iam-access-control-integration.md

@@ -278,3 +278,18 @@ This workplan should be picked up before using Markitect context caches for
 production agent memory in enterprise settings. It does not need to block local
 research on `MKTT-WP-0008`, but it should gate production deployment of
 reactivatable cross-document context packages.
+
+Follow-up implementation now belongs primarily in the sibling `flex-auth`
+repo:
+
+- `FLEX-WP-0002` implements the standalone policy-as-code core, resource
+  registry, check APIs, explanations, and local decision logs.
+- `FLEX-WP-0003` implements the flex-auth service-side Markitect consumer
+  integration.
+- `FLEX-WP-0004` implements delegated PDP and directory adapters.
+
+Markitect should add a live `FlexAuthPolicyAdapter` only after flex-auth has a
+stable check/batch_check/resource-registration API. Until then, Markitect's
+side is intentionally limited to local deterministic fixtures, resource
+manifests, request/decision contracts, CLI inspection, workflow declarations,
+and enforcement boundaries.