Enterprise access control refinement and flex-auth delegation

docs/enterprise-access-control-integration.md

@@ -315,6 +315,18 @@ Instead:
    deployment needs stronger central policy.
 6. Persist decisions before using this for production agent memory or exports.
 
+## flex-auth Boundary
+
+The preferred long-term shape is a separate `flex-auth` service/repo under the
+NetKingdom authorization umbrella. In that model, Markitect remains a resource
+consumer and policy enforcement point. flex-auth owns the central resource
+registry, enterprise group/role/scope mapping, external PDP adapters, and
+durable decision logs.
+
+The product survey, Keycloak/Entra analysis, and boundary recommendation now
+live in the sibling `flex-auth` repo:
+`flex-auth/docs/flex-auth-authorization-registry-research.md`.
+
 ## Sources
 
 - OpenID Connect Core 1.0: https://openid.net/specs/openid-connect-core-1_0.html

docs/workplan-planning-map.md

@@ -38,7 +38,7 @@ and descriptions mirror the operational view.
 | `MKTT-WP-0005` | complete | done | `MKTT-WP-0003`, `MKTT-WP-0004` | Runtime context, form state, dynamic rules, workflow integration, and provider-neutral assessment boundary are complete. |
 | `MKTT-WP-0011` | complete | done | `MKTT-WP-0003`; task-level triggers: `MKTT-WP-0010-T001`, `MKTT-WP-0010-T005` | Markdown dataflow workflow layer is complete: workflow standard, source collectors, binding model, deterministic steps, assisted boundary, safe outputs, CLI, docs, and examples. |
 | `MKTT-WP-0009` | complete | done | `MKTT-WP-0006` | Access-controlled knowledge gateway is complete: local labels, trust zones, path rules, policy-aware cache query/search, decisions, diagnostics, and external adapter boundaries. |
-| `MKTT-WP-0014` | P2 | todo | `MKTT-WP-0009` | Enterprise IAM access-control integration: NetKingdom/key-cape-compatible identity claims, directory group resolution, policy maps, durable decision logs, and external PDP examples. |
+| `MKTT-WP-0014` | P2 | todo | `MKTT-WP-0009` | Markitect-side enterprise IAM access-control integration: NetKingdom/key-cape-compatible identity claims, flex-auth resource/policy contract, directory group resolution, decision-log sink, and external PDP request examples. |
 | `MKTT-WP-0012` | P3 | todo | `MKTT-WP-0004`, `MKTT-WP-0010`, `MKTT-WP-0011` | Future Quarkdown-inspired document function layer: reusable Markdown-native function calls over processors, references, contracts, workflows, and later assisted steps. |
 | `MKTT-WP-0008` | P3 | todo | `MKTT-WP-0006`, `MKTT-WP-0007`, `MKTT-WP-0009` | Agent working-memory cache after backend and policy floor are available. |
 
@@ -75,8 +75,11 @@ operations deserve author-facing function syntax. It should remain optional and
 capability-gated, especially before assisted, external, file, or network
 functions are allowed.
 
-`MKTT-WP-0014` captures enterprise IAM integration for the access-control
+`MKTT-WP-0014` captures Markitect-side enterprise IAM integration for the
-gateway. It should follow `MKTT-WP-0009` and can run before or alongside
+access-control gateway. Central authorization administration should live in the
+future `flex-auth` repo/service; Markitect should provide resource registration,
+policy request, decision, diagnostics, and local development adapter contracts.
+It should follow `MKTT-WP-0009` and can run before or alongside
 security-sensitive context memory work. It does not block local `MKTT-WP-0008`
 research, but it should gate production deployment of reactivatable agent
 context packages in enterprise environments.

workplans/MKTT-WP-0014-enterprise-iam-access-control-integration.md

@@ -56,7 +56,10 @@ Initial provider-neutral interfaces now exist in
 - `EnterprisePolicyMapper`
 - `DecisionLogStore`
 
-Documentation: `docs/enterprise-access-control-integration.md`.
+Documentation:
+
+- `docs/enterprise-access-control-integration.md`
+- sibling `flex-auth/docs/flex-auth-authorization-registry-research.md`
 
 ## Decision
 
@@ -65,6 +68,14 @@ Markitect should keep accepting normalized `PolicySubject` and `PolicyObject`
 models, while enterprise adapters handle token verification, group freshness,
 claim mapping, durable decision logs, and external PDP calls.
 
+Boundary refinement: central enterprise authorization administration should
+live in a separate `flex-auth` repo/service under the NetKingdom authorization
+umbrella. Markitect-side WP-0014 work should implement the narrow integration
+contract: resource registration, policy requests, decision envelopes, local
+fixtures, diagnostics, and adapters. It should not grow into the central
+resource registry, policy administration UI/API, enterprise directory sync, or
+global audit store.
+
 Do not map raw AD/LDAP/Entra group names directly to Markitect privileges.
 Always map:
 
@@ -72,7 +83,7 @@ Always map:
 directory groups -> canonical roles/scopes/trust labels -> PolicySubject
 ```
 
-## P14.1 - Define enterprise policy map schema
+## P14.1 - Define flex-auth resource and policy contract
 
 ```task
 id: MKTT-WP-0014-T001
@@ -81,9 +92,17 @@ priority: high
 state_hub_task_id: "1894c50f-95c3-4e1a-bd4f-388f7624ebd7"
 ```
 
-Define the mapping file that translates enterprise groups, roles, scopes,
+Define the Markitect-facing contract for flex-auth integration:
-tenants, assurance levels, and emergency rules into Markitect labels, trust
+
-zones, allowed actions, and object constraints.
+- resource registration manifests
+- action vocabulary
+- label and trust-zone metadata
+- policy request and decision envelopes
+- subject mapping expectations
+- local fixtures for development
+
+Do not define the central enterprise rule administration schema inside
+Markitect. That belongs in flex-auth.
 
 Output: schema, examples, diagnostics, and tests.
 
@@ -123,8 +142,9 @@ Implement `EnterprisePolicyMapper` over the policy map schema. It should map
 verified identity claims and resolved groups into gateway-ready
 `PolicySubject` objects.
 
-Output: mapper, examples, and tests for roles, scopes, groups, trust zones,
+Output: mapper/adapter examples and tests for roles, scopes, groups, trust
-tenancy, and emergency access.
+zones, tenancy, and emergency access. Central group-to-resource policy
+administration remains flex-auth scope.
 
 ## P14.4 - Add directory group resolution boundary
 
@@ -141,7 +161,7 @@ adapter hooks for SCIM, Microsoft Graph, LDAP, and Keycloak.
 
 Output: resolver contract, freshness metadata, overage handling, and tests.
 
-## P14.5 - Persist decision logs
+## P14.5 - Add decision log sink and flex-auth audit adapter
 
 ```task
 id: MKTT-WP-0014-T005
@@ -150,8 +170,10 @@ priority: high
 state_hub_task_id: "f212662c-4ffc-4cac-ace2-a43777f4960c"
 ```
 
-Implement a durable `DecisionLogStore` for policy decisions from query, search,
+Implement the Markitect-side `DecisionLogStore` sink for policy decisions from
-context packages, workflows, exports, and assisted prompt assembly.
+query, search, context packages, workflows, exports, and assisted prompt
+assembly. The durable enterprise audit store should live in flex-auth; local
+Markitect storage should remain a development/testing fallback.
 
 Decision logs should record subject id, token hash, action, object id, policy
 version, decision effect, reason, redaction status, and provenance.
@@ -173,7 +195,8 @@ Provide reference adapters or documented examples for:
   `RelationshipPolicyAdapter`
 - OPA/Rego or Cedar-style rule checks through `RulePolicyAdapter`
 
-Output: examples, adapter stubs, and policy request/decision fixtures.
+Output: examples, adapter stubs, and policy request/decision fixtures. Full
+external PDP administration belongs in flex-auth.
 
 ## P14.7 - Integrate policy identity into workflows and context packages