Workplan updates

docs/workplan-planning-map.md

@@ -76,12 +76,26 @@ capability-gated, especially before assisted, external, file, or network
 functions are allowed.
 
 `MKTT-WP-0014` completed Markitect-side enterprise IAM integration for the
-access-control gateway. Central authorization administration remains
-`flex-auth` scope; Markitect now provides resource registration, policy
+access-control gateway. Central authorization administration remains optional
+external-service scope; Markitect now provides resource registration, policy
 request, decision, diagnostics, local development adapter contracts, workflow
-declarations, and CLI inspection/mapping commands. Production deployment of
-reactivatable agent context packages should still wait for a flex-auth-backed
-enterprise policy service or equivalent.
+declarations, and CLI inspection/mapping commands. Remaining Markitect
+workplans should depend only on Markitect-local contracts and adapter
+protocols. A live flex-auth service can improve enterprise deployment, central
+policy administration, and durable audit, but it is not a prerequisite for the
+document function layer or local agent context packages.
+
+`MKTT-WP-0012` and `MKTT-WP-0008` are the remaining Markitect workplans. Their
+policy posture should be:
+
+- use `AccessPolicyGateway`, `PolicySubject`, `PolicyObject`, and
+  `PolicyDecision` as local contracts
+- support local label policy and deterministic test fixtures first
+- treat flex-auth, OpenFGA, OPA, Cedar, Keycloak, Entra, and other external
+  systems as optional adapters
+- never make external IAM or authorization services required for core Markdown
+  parsing, deterministic functions, workflows, cache queries, or context
+  package lifecycle
 
 ## State Hub Mirror