Enterprise access control refinement and flex-auth delegation

docs/enterprise-access-control-integration.md

@@ -315,6 +315,18 @@ Instead:
    deployment needs stronger central policy.
 6. Persist decisions before using this for production agent memory or exports.
 
+## flex-auth Boundary
+
+The preferred long-term shape is a separate `flex-auth` service/repo under the
+NetKingdom authorization umbrella. In that model, Markitect remains a resource
+consumer and policy enforcement point. flex-auth owns the central resource
+registry, enterprise group/role/scope mapping, external PDP adapters, and
+durable decision logs.
+
+The product survey, Keycloak/Entra analysis, and boundary recommendation now
+live in the sibling `flex-auth` repo:
+`flex-auth/docs/flex-auth-authorization-registry-research.md`.
+
 ## Sources
 
 - OpenID Connect Core 1.0: https://openid.net/specs/openid-connect-core-1_0.html

docs/workplan-planning-map.md

@@ -38,7 +38,7 @@ and descriptions mirror the operational view.
 | `MKTT-WP-0005` | complete | done | `MKTT-WP-0003`, `MKTT-WP-0004` | Runtime context, form state, dynamic rules, workflow integration, and provider-neutral assessment boundary are complete. |
 | `MKTT-WP-0011` | complete | done | `MKTT-WP-0003`; task-level triggers: `MKTT-WP-0010-T001`, `MKTT-WP-0010-T005` | Markdown dataflow workflow layer is complete: workflow standard, source collectors, binding model, deterministic steps, assisted boundary, safe outputs, CLI, docs, and examples. |
 | `MKTT-WP-0009` | complete | done | `MKTT-WP-0006` | Access-controlled knowledge gateway is complete: local labels, trust zones, path rules, policy-aware cache query/search, decisions, diagnostics, and external adapter boundaries. |
-| `MKTT-WP-0014` | P2 | todo | `MKTT-WP-0009` | Enterprise IAM access-control integration: NetKingdom/key-cape-compatible identity claims, directory group resolution, policy maps, durable decision logs, and external PDP examples. |
+| `MKTT-WP-0014` | P2 | todo | `MKTT-WP-0009` | Markitect-side enterprise IAM access-control integration: NetKingdom/key-cape-compatible identity claims, flex-auth resource/policy contract, directory group resolution, decision-log sink, and external PDP request examples. |
 | `MKTT-WP-0012` | P3 | todo | `MKTT-WP-0004`, `MKTT-WP-0010`, `MKTT-WP-0011` | Future Quarkdown-inspired document function layer: reusable Markdown-native function calls over processors, references, contracts, workflows, and later assisted steps. |
 | `MKTT-WP-0008` | P3 | todo | `MKTT-WP-0006`, `MKTT-WP-0007`, `MKTT-WP-0009` | Agent working-memory cache after backend and policy floor are available. |
 
@@ -75,8 +75,11 @@ operations deserve author-facing function syntax. It should remain optional and
 capability-gated, especially before assisted, external, file, or network
 functions are allowed.
 
-`MKTT-WP-0014` captures enterprise IAM integration for the access-control
-gateway. It should follow `MKTT-WP-0009` and can run before or alongside
+`MKTT-WP-0014` captures Markitect-side enterprise IAM integration for the
+access-control gateway. Central authorization administration should live in the
+future `flex-auth` repo/service; Markitect should provide resource registration,
+policy request, decision, diagnostics, and local development adapter contracts.
+It should follow `MKTT-WP-0009` and can run before or alongside
 security-sensitive context memory work. It does not block local `MKTT-WP-0008`
 research, but it should gate production deployment of reactivatable agent
 context packages in enterprise environments.