enterprise/flex-auth integration layer

docs/access-control-policy-gateway.md

@@ -109,6 +109,19 @@ mkt cache query 'sections[heading=Decision]' \
   --subject public-agent
 ```
 
+Map NetKingdom/key-cape-style claims into a Markitect policy subject:
+
+```text
+mkt policy subject examples/policy/netkingdom-claims.yaml \
+  --policy-map examples/policy/enterprise-policy-map.yaml
+```
+
+Inspect a Markitect resource manifest intended for flex-auth registration:
+
+```text
+mkt policy resource-manifest examples/policy/flex-auth-resource-manifest.yaml
+```
+
 JSON and YAML outputs include:
 
 - `policy`: mode, subject, action, allowed, denied, redacted, audit counts
@@ -155,6 +168,21 @@ Identity and directory integration use these provider-neutral boundaries:
   to `PolicySubject` labels, trust zones, and allowed actions.
 - `DecisionLogStore` persists durable audit records for policy decisions.
 
+The Markitect-side enterprise helpers provide deterministic local
+implementations:
+
+- `NetKingdomIdentityClaimsAdapter` validates required IAM-profile claims,
+  issuer, audience, token lifetime, local-production issuer safety, roles, and
+  scopes for trusted claims or explicit JWT fixtures.
+- `StaticDirectoryGroupResolver` records group overage/freshness for tests and
+  development.
+- `EnterprisePolicyMap` and `LocalEnterprisePolicyMapper` translate groups,
+  roles, and scopes into `PolicySubject` labels, trust zones, and actions.
+- `FlexAuthResourceManifest` describes Markitect knowledge resources that a
+  future flex-auth service can register.
+- `LocalDecisionLogStore` is a JSONL development sink; durable enterprise audit
+  remains flex-auth scope.
+
 Relationship policies use `RelationshipPolicyAdapter`:
 
 ```text

docs/enterprise-access-control-integration.md

@@ -155,6 +155,26 @@ assurance metadata before any authorization decision is made. The core package
 now exposes protocol/data boundaries for this without taking a dependency on
 Keycloak, Entra, LDAP, SCIM, OpenFGA, OPA, or Cedar client libraries.
 
+The current Markitect-side implementation provides deterministic local
+building blocks:
+
+- `NetKingdomIdentityClaimsAdapter` validates required IAM-profile claims,
+  issuer, audience, token timestamps, roles/scopes, and production rejection of
+  local development issuers for already trusted claims or explicit JWT fixtures.
+- `EnterprisePolicyMap` and `LocalEnterprisePolicyMapper` map groups, roles,
+  and scopes into `PolicySubject` labels, trust zones, actions, and diagnostic
+  attributes.
+- `StaticDirectoryGroupResolver` models group freshness and overage without a
+  live directory dependency.
+- `FlexAuthResourceManifest` describes Markitect knowledge resources for
+  future flex-auth registration.
+- `LocalDecisionLogStore` provides a JSONL development/test sink for decision
+  records.
+
+Live OIDC discovery, JWKS signature verification, directory synchronization,
+central policy administration, and durable enterprise audit should be provided
+by flex-auth/key-cape-facing adapters rather than Markitect core.
+
 ## Canonical Subject Mapping
 
 Recommended normalized shape:
@@ -209,6 +229,13 @@ trust_zones:
     required_groups: [/markitect/readers]
 ```
 
+Command-line subject mapping:
+
+```text
+mkt policy subject examples/policy/netkingdom-claims.yaml \
+  --policy-map examples/policy/enterprise-policy-map.yaml
+```
+
 ## Data/Object Mapping
 
 Markdown remains the source-friendly object labeling layer:
@@ -222,6 +249,23 @@ policy:
 ---
 ```
 
+A Markitect knowledge base can publish an explicit flex-auth resource manifest:
+
+```yaml
+id: markitect-example-knowledge-base
+system: markitect-tool
+actions: [read, query, search, package, export]
+resources:
+  - id: knowledge-base:markitect-example
+    type: knowledge_base
+  - id: document:internal-note
+    type: document
+    parent: knowledge-base:markitect-example
+    path: examples/policy/private/internal-note.md
+    labels: [internal]
+    trust_zone: internal
+```
+
 For enterprise environments, object metadata should eventually include:
 
 - content labels/classification

docs/workflow-definition-standard.md

@@ -272,6 +272,15 @@ permissions:
     write: [out]
   network: false
   assisted_generation: false
+  policy:
+    subject_from_token: examples/policy/netkingdom-claims.yaml
+    policy_map: examples/policy/enterprise-policy-map.yaml
+    required_assurance:
+      mfa: true
+    emergency_justification: INC-123
+    decision_log: .markitect/policy-decisions.jsonl
+  flex_auth:
+    resource_manifest: examples/policy/flex-auth-resource-manifest.yaml
 responsibilities:
   human:
     approves_outputs: true

docs/workplan-planning-map.md

@@ -38,7 +38,7 @@ and descriptions mirror the operational view.
 | `MKTT-WP-0005` | complete | done | `MKTT-WP-0003`, `MKTT-WP-0004` | Runtime context, form state, dynamic rules, workflow integration, and provider-neutral assessment boundary are complete. |
 | `MKTT-WP-0011` | complete | done | `MKTT-WP-0003`; task-level triggers: `MKTT-WP-0010-T001`, `MKTT-WP-0010-T005` | Markdown dataflow workflow layer is complete: workflow standard, source collectors, binding model, deterministic steps, assisted boundary, safe outputs, CLI, docs, and examples. |
 | `MKTT-WP-0009` | complete | done | `MKTT-WP-0006` | Access-controlled knowledge gateway is complete: local labels, trust zones, path rules, policy-aware cache query/search, decisions, diagnostics, and external adapter boundaries. |
-| `MKTT-WP-0014` | P2 | todo | `MKTT-WP-0009` | Markitect-side enterprise IAM access-control integration: NetKingdom/key-cape-compatible identity claims, flex-auth resource/policy contract, directory group resolution, decision-log sink, and external PDP request examples. |
+| `MKTT-WP-0014` | complete | done | `MKTT-WP-0009` | Markitect-side enterprise IAM access-control integration is complete: NetKingdom/key-cape-compatible identity claims, flex-auth resource/policy contract, directory group resolution fixtures, decision-log sink, workflow declarations, CLI commands, and external PDP request examples. |
 | `MKTT-WP-0012` | P3 | todo | `MKTT-WP-0004`, `MKTT-WP-0010`, `MKTT-WP-0011` | Future Quarkdown-inspired document function layer: reusable Markdown-native function calls over processors, references, contracts, workflows, and later assisted steps. |
 | `MKTT-WP-0008` | P3 | todo | `MKTT-WP-0006`, `MKTT-WP-0007`, `MKTT-WP-0009` | Agent working-memory cache after backend and policy floor are available. |
 
@@ -75,14 +75,13 @@ operations deserve author-facing function syntax. It should remain optional and
 capability-gated, especially before assisted, external, file, or network
 functions are allowed.
 
-`MKTT-WP-0014` captures Markitect-side enterprise IAM integration for the
-access-control gateway. Central authorization administration should live in the
-future `flex-auth` repo/service; Markitect should provide resource registration,
-policy request, decision, diagnostics, and local development adapter contracts.
-It should follow `MKTT-WP-0009` and can run before or alongside
-security-sensitive context memory work. It does not block local `MKTT-WP-0008`
-research, but it should gate production deployment of reactivatable agent
-context packages in enterprise environments.
+`MKTT-WP-0014` completed Markitect-side enterprise IAM integration for the
+access-control gateway. Central authorization administration remains
+`flex-auth` scope; Markitect now provides resource registration, policy
+request, decision, diagnostics, local development adapter contracts, workflow
+declarations, and CLI inspection/mapping commands. Production deployment of
+reactivatable agent context packages should still wait for a flex-auth-backed
+enterprise policy service or equivalent.
 
 ## State Hub Mirror