From 48cb6c8c80e85e7ee8b887bd3b704b5abbbf584b Mon Sep 17 00:00:00 2001 From: tegwick Date: Mon, 4 May 2026 17:12:45 +0200 Subject: [PATCH] Enterprise access control refinement and flex-auth delegation --- docs/enterprise-access-control-integration.md | 12 +++++ docs/workplan-planning-map.md | 9 ++-- ...terprise-iam-access-control-integration.md | 45 ++++++++++++++----- 3 files changed, 52 insertions(+), 14 deletions(-) diff --git a/docs/enterprise-access-control-integration.md b/docs/enterprise-access-control-integration.md index 1c06d16..2148f35 100644 --- a/docs/enterprise-access-control-integration.md +++ b/docs/enterprise-access-control-integration.md @@ -315,6 +315,18 @@ Instead: deployment needs stronger central policy. 6. Persist decisions before using this for production agent memory or exports. +## flex-auth Boundary + +The preferred long-term shape is a separate `flex-auth` service/repo under the +NetKingdom authorization umbrella. In that model, Markitect remains a resource +consumer and policy enforcement point. flex-auth owns the central resource +registry, enterprise group/role/scope mapping, external PDP adapters, and +durable decision logs. + +The product survey, Keycloak/Entra analysis, and boundary recommendation now +live in the sibling `flex-auth` repo: +`flex-auth/docs/flex-auth-authorization-registry-research.md`. + ## Sources - OpenID Connect Core 1.0: https://openid.net/specs/openid-connect-core-1_0.html diff --git a/docs/workplan-planning-map.md b/docs/workplan-planning-map.md index 39ba3e9..8e338d0 100644 --- a/docs/workplan-planning-map.md +++ b/docs/workplan-planning-map.md 
@@ -38,7 +38,7 @@ and descriptions mirror the operational view. | `MKTT-WP-0005` | complete | done | `MKTT-WP-0003`, `MKTT-WP-0004` | Runtime context, form state, dynamic rules, workflow integration, and provider-neutral assessment boundary are complete. | | `MKTT-WP-0011` | complete | done | `MKTT-WP-0003`; task-level triggers: `MKTT-WP-0010-T001`, `MKTT-WP-0010-T005` | Markdown dataflow workflow layer is complete: workflow standard, source collectors, binding model, deterministic steps, assisted boundary, safe outputs, CLI, docs, and examples. | | `MKTT-WP-0009` | complete | done | `MKTT-WP-0006` | Access-controlled knowledge gateway is complete: local labels, trust zones, path rules, policy-aware cache query/search, decisions, diagnostics, and external adapter boundaries. | -| `MKTT-WP-0014` | P2 | todo | `MKTT-WP-0009` | Enterprise IAM access-control integration: NetKingdom/key-cape-compatible identity claims, directory group resolution, policy maps, durable decision logs, and external PDP examples. | +| `MKTT-WP-0014` | P2 | todo | `MKTT-WP-0009` | Markitect-side enterprise IAM access-control integration: NetKingdom/key-cape-compatible identity claims, flex-auth resource/policy contract, directory group resolution, decision-log sink, and external PDP request examples. | | `MKTT-WP-0012` | P3 | todo | `MKTT-WP-0004`, `MKTT-WP-0010`, `MKTT-WP-0011` | Future Quarkdown-inspired document function layer: reusable Markdown-native function calls over processors, references, contracts, workflows, and later assisted steps. | | `MKTT-WP-0008` | P3 | todo | `MKTT-WP-0006`, `MKTT-WP-0007`, `MKTT-WP-0009` | Agent working-memory cache after backend and policy floor are available. | 
@@ -75,8 +75,11 @@ operations deserve author-facing function syntax. It should remain optional and capability-gated, especially before assisted, external, file, or network functions are allowed. -`MKTT-WP-0014` captures enterprise IAM integration for the access-control -gateway. It should follow `MKTT-WP-0009` and can run before or alongside +`MKTT-WP-0014` captures Markitect-side enterprise IAM integration for the +access-control gateway. Central authorization administration should live in the +future `flex-auth` repo/service; Markitect should provide resource registration, +policy request, decision, diagnostics, and local development adapter contracts. +It should follow `MKTT-WP-0009` and can run before or alongside security-sensitive context memory work. It does not block local `MKTT-WP-0008` research, but it should gate production deployment of reactivatable agent context packages in enterprise environments. diff --git a/workplans/MKTT-WP-0014-enterprise-iam-access-control-integration.md b/workplans/MKTT-WP-0014-enterprise-iam-access-control-integration.md index f05a400..f2f28da 100644 --- a/workplans/MKTT-WP-0014-enterprise-iam-access-control-integration.md +++ b/workplans/MKTT-WP-0014-enterprise-iam-access-control-integration.md @@ -56,7 +56,10 @@ Initial provider-neutral interfaces now exist in - `EnterprisePolicyMapper` - `DecisionLogStore` -Documentation: `docs/enterprise-access-control-integration.md`. +Documentation: + +- `docs/enterprise-access-control-integration.md` +- sibling `flex-auth/docs/flex-auth-authorization-registry-research.md` ## Decision 
@@ -65,6 +68,14 @@ Markitect should keep accepting normalized `PolicySubject` and `PolicyObject` models, while enterprise adapters handle token verification, group freshness, claim mapping, durable decision logs, and external PDP calls. +Boundary refinement: central enterprise authorization administration should +live in a separate `flex-auth` repo/service under the NetKingdom authorization +umbrella. Markitect-side WP-0014 work should implement the narrow integration +contract: resource registration, policy requests, decision envelopes, local +fixtures, diagnostics, and adapters. It should not grow into the central +resource registry, policy administration UI/API, enterprise directory sync, or +global audit store. + Do not map raw AD/LDAP/Entra group names directly to Markitect privileges. Always map: @@ -72,7 +83,7 @@ Always map: directory groups -> canonical roles/scopes/trust labels -> PolicySubject ``` -## P14.1 - Define enterprise policy map schema +## P14.1 - Define flex-auth resource and policy contract ```task id: MKTT-WP-0014-T001 @@ -81,9 +92,17 @@ priority: high state_hub_task_id: "1894c50f-95c3-4e1a-bd4f-388f7624ebd7" ``` -Define the mapping file that translates enterprise groups, roles, scopes, -tenants, assurance levels, and emergency rules into Markitect labels, trust -zones, allowed actions, and object constraints. +Define the Markitect-facing contract for flex-auth integration: + +- resource registration manifests +- action vocabulary +- label and trust-zone metadata +- policy request and decision envelopes +- subject mapping expectations +- local fixtures for development + +Do not define the central enterprise rule administration schema inside +Markitect. That belongs in flex-auth. Output: schema, examples, diagnostics, and tests. 
@@ -123,8 +142,9 @@ Implement `EnterprisePolicyMapper` over the policy map schema. It should map verified identity claims and resolved groups into gateway-ready `PolicySubject` objects. -Output: mapper, examples, and tests for roles, scopes, groups, trust zones, -tenancy, and emergency access. +Output: mapper/adapter examples and tests for roles, scopes, groups, trust +zones, tenancy, and emergency access. Central group-to-resource policy +administration remains flex-auth scope. ## P14.4 - Add directory group resolution boundary @@ -141,7 +161,7 @@ adapter hooks for SCIM, Microsoft Graph, LDAP, and Keycloak. Output: resolver contract, freshness metadata, overage handling, and tests. -## P14.5 - Persist decision logs +## P14.5 - Add decision log sink and flex-auth audit adapter ```task id: MKTT-WP-0014-T005 @@ -150,8 +170,10 @@ priority: high state_hub_task_id: "f212662c-4ffc-4cac-ace2-a43777f4960c" ``` -Implement a durable `DecisionLogStore` for policy decisions from query, search, -context packages, workflows, exports, and assisted prompt assembly. +Implement the Markitect-side `DecisionLogStore` sink for policy decisions from +query, search, context packages, workflows, exports, and assisted prompt +assembly. The durable enterprise audit store should live in flex-auth; local +Markitect storage should remain a development/testing fallback. Decision logs should record subject id, token hash, action, object id, policy version, decision effect, reason, redaction status, and provenance. @@ -173,7 +195,8 @@ Provide reference adapters or documented examples for: `RelationshipPolicyAdapter` - OPA/Rego or Cedar-style rule checks through `RulePolicyAdapter` -Output: examples, adapter stubs, and policy request/decision fixtures. +Output: examples, adapter stubs, and policy request/decision fixtures. Full +external PDP administration belongs in flex-auth. ## P14.7 - Integrate policy identity into workflows and context packages
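Review bot: In the `flex-auth Boundary` hunk of `docs/enterprise-access-control-integration.md`, the new section makes Markitect a policy enforcement point that depends on a remote flex-auth service for the resource registry, external PDP adapters, and durable decision logs, but it says nothing about what the enforcement point does when that service is unreachable. Add a sentence stating the intended behaviour (for example, fail closed for production enforcement and surface the outage through diagnostics) so that readers of this doc do not assume availability of the central service. The same hunk links the research by bare relative path `flex-auth/docs/flex-auth-authorization-registry-research.md`; since that path is in a different repo, add the repo URL or name it explicitly so the reference resolves outside a sibling-checkout layout.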
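Review bot: In the `MKTT-WP-0014` table row of `docs/workplan-planning-map.md`, the description now depends on a "flex-auth resource/policy contract" that lives in another repo, but the dependency column still lists only `MKTT-WP-0009`. Record the cross-repo dependency in that column (or a note in the row) so the planning map shows that WP-0014 cannot close until the flex-auth contract is stable.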
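Review bot: In the prose hunk of `docs/workplan-planning-map.md`, the text calls flex-auth the "future `flex-auth` repo/service", while the hunk in `docs/enterprise-access-control-integration.md` says the survey and boundary recommendation "now live in the sibling `flex-auth` repo". One of these is out of date; align the wording so the reader knows whether the repo exists today (with research only) or is still planned.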
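Review bot: In the "Boundary refinement" hunk of the WP-0014 workplan, the list of things Markitect "should not grow into" includes "enterprise directory sync", yet the unchanged P14.4 section still keeps "adapter hooks for SCIM, Microsoft Graph, LDAP, and Keycloak" on the Markitect side. State explicitly where directory group resolution lives (a thin resolver contract in Markitect versus the sync itself in flex-auth), otherwise P14.4 and this paragraph contradict each other and the group-freshness responsibility is left unassigned.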
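Review bot: In the rewritten P14.1 body, the contract list ("resource registration manifests", "action vocabulary", "policy request and decision envelopes") has no versioning item, while the P14.5 hunk requires decision logs to record "policy version". Add a contract/schema version to the envelopes so a logged decision can be correlated with the action vocabulary and manifest format that produced it. Also mark "local fixtures for development" as explicitly non-production in the contract text, so a fixture-backed adapter cannot be mistaken for a policy source when deployed.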
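Review bot: In the P14.5 hunk, "local Markitect storage should remain a development/testing fallback" leaves the production failure mode undefined: if the flex-auth audit sink is unavailable, a silent fallback to local storage would mean decisions are made with no central audit record. Specify that in production the sink must not degrade silently (either buffer-and-retry with the condition surfaced in diagnostics, or fail closed for the actions listed), and say how the local fallback is disabled outside development.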