From 189b436b27d6275236fda6dba85acbfb1b96e63f Mon Sep 17 00:00:00 2001 From: tegwick Date: Mon, 4 May 2026 18:14:33 +0200 Subject: [PATCH] Refinement of flex-auth boundary and delegation --- docs/enterprise-access-control-integration.md | 9 +++++++++ ...4-enterprise-iam-access-control-integration.md | 15 +++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/docs/enterprise-access-control-integration.md b/docs/enterprise-access-control-integration.md index 19b52ad..8695619 100644 --- a/docs/enterprise-access-control-integration.md +++ b/docs/enterprise-access-control-integration.md @@ -371,6 +371,15 @@ The product survey, Keycloak/Entra analysis, and boundary recommendation now live in the sibling `flex-auth` repo: `flex-auth/docs/flex-auth-authorization-registry-research.md`. +Implementation follow-up is tracked there: + +- `FLEX-WP-0002`: standalone policy-as-code core and check APIs. +- `FLEX-WP-0003`: flex-auth service-side Markitect consumer integration. +- `FLEX-WP-0004`: delegated PDP and directory adapters. + +Markitect should not implement a live flex-auth service client until +`FLEX-WP-0003` stabilizes the resource-registration and check/batch_check API. + ## Sources - OpenID Connect Core 1.0: https://openid.net/specs/openid-connect-core-1_0.html diff --git a/workplans/MKTT-WP-0014-enterprise-iam-access-control-integration.md b/workplans/MKTT-WP-0014-enterprise-iam-access-control-integration.md index a5e02a7..32a0ce0 100644 --- a/workplans/MKTT-WP-0014-enterprise-iam-access-control-integration.md +++ b/workplans/MKTT-WP-0014-enterprise-iam-access-control-integration.md 
@@ -278,3 +278,18 @@ This workplan should be picked up before using Markitect context caches for production agent memory in enterprise settings. It does not need to block local research on `MKTT-WP-0008`, but it should gate production deployment of reactivatable cross-document context packages. + +Follow-up implementation now belongs primarily in the sibling `flex-auth` +repo: + +- `FLEX-WP-0002` implements the standalone policy-as-code core, resource + registry, check APIs, explanations, and local decision logs. +- `FLEX-WP-0003` implements the flex-auth service-side Markitect consumer + integration. +- `FLEX-WP-0004` implements delegated PDP and directory adapters. + +Markitect should add a live `FlexAuthPolicyAdapter` only after flex-auth has a +stable check/batch_check/resource-registration API. Until then, Markitect's +side is intentionally limited to local deterministic fixtures, resource +manifests, request/decision contracts, CLI inspection, workflow declarations, +and enforcement boundaries.
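Review bot: in the first hunk (`docs/enterprise-access-control-integration.md`), the three `FLEX-WP-000x` identifiers in the new list are bare references, while the context line directly above gives a concrete path for the research document (`flex-auth/docs/flex-auth-authorization-registry-research.md`); add the corresponding paths or links for the workplans in the sibling repo so the gate stated in the last added paragraph is something a reader can actually locate and check. The gating condition in this hunk also names `FLEX-WP-0003` as the workplan that stabilizes the API, whereas the parallel paragraph added to `MKTT-WP-0014` states the gate only as "a stable check/batch_check/resource-registration API" with no workplan reference; phrase the condition the same way in both files, or have one cite the other, so the two documents cannot drift apart on when a live client is permitted.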
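Review bot: in the second hunk (`workplans/MKTT-WP-0014-...`), the scope given for `FLEX-WP-0002` ("policy-as-code core, resource registry, check APIs, explanations, and local decision logs") is wider than the one-line description added to `docs/enterprise-access-control-integration.md` ("standalone policy-as-code core and check APIs"); keep one of the two as the authoritative scope statement and have the other refer to it, otherwise the explanation and decision-log deliverables exist in only one document. Separately, the context lines say this workplan should gate production deployment of reactivatable cross-document context packages, yet the new paragraph describes Markitect's interim side (local deterministic fixtures, resource manifests, request/decision contracts, enforcement boundaries) without saying how the enforcement boundary behaves in production before the live `FlexAuthPolicyAdapter` exists; add one sentence stating that the fixture-backed path is not a production authorization backend and that enforcement fails closed when no live adapter is configured.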