Refinement of flex-auth boundry and delegation

This commit is contained in:
2026-05-04 18:14:33 +02:00
parent 6cb3b7b172
commit 189b436b27
2 changed files with 24 additions and 0 deletions

View File

@@ -371,6 +371,15 @@ The product survey, Keycloak/Entra analysis, and boundary recommendation now
live in the sibling `flex-auth` repo: live in the sibling `flex-auth` repo:
`flex-auth/docs/flex-auth-authorization-registry-research.md`. `flex-auth/docs/flex-auth-authorization-registry-research.md`.
Implementation follow-up is tracked there:
- `FLEX-WP-0002`: standalone policy-as-code core and check APIs.
- `FLEX-WP-0003`: flex-auth service-side Markitect consumer integration.
- `FLEX-WP-0004`: delegated PDP and directory adapters.
Markitect should not implement a live flex-auth service client until
`FLEX-WP-0003` stabilizes the resource-registration and check/batch_check API.
## Sources ## Sources
- OpenID Connect Core 1.0: https://openid.net/specs/openid-connect-core-1_0.html - OpenID Connect Core 1.0: https://openid.net/specs/openid-connect-core-1_0.html

View File

@@ -278,3 +278,18 @@ This workplan should be picked up before using Markitect context caches for
production agent memory in enterprise settings. It does not need to block local production agent memory in enterprise settings. It does not need to block local
research on `MKTT-WP-0008`, but it should gate production deployment of research on `MKTT-WP-0008`, but it should gate production deployment of
reactivatable cross-document context packages. reactivatable cross-document context packages.
Follow-up implementation now belongs primarily in the sibling `flex-auth`
repo:
- `FLEX-WP-0002` implements the standalone policy-as-code core, resource
registry, check APIs, explanations, and local decision logs.
- `FLEX-WP-0003` implements the flex-auth service-side Markitect consumer
integration.
- `FLEX-WP-0004` implements delegated PDP and directory adapters.
Markitect should add a live `FlexAuthPolicyAdapter` only after flex-auth has a
stable check/batch_check/resource-registration API. Until then, Markitect's
side is intentionally limited to local deterministic fixtures, resource
manifests, request/decision contracts, CLI inspection, workflow declarations,
and enforcement boundaries.