enterprise/flex-auth integration layer

docs/access-control-policy-gateway.md

@@ -109,6 +109,19 @@ mkt cache query 'sections[heading=Decision]' \
   --subject public-agent
 ```
 
+Map NetKingdom/key-cape-style claims into a Markitect policy subject:
+
+```text
+mkt policy subject examples/policy/netkingdom-claims.yaml \
+  --policy-map examples/policy/enterprise-policy-map.yaml
+```
+
+Inspect a Markitect resource manifest intended for flex-auth registration:
+
+```text
+mkt policy resource-manifest examples/policy/flex-auth-resource-manifest.yaml
+```
+
 JSON and YAML outputs include:
 
 - `policy`: mode, subject, action, allowed, denied, redacted, audit counts
@@ -155,6 +168,21 @@ Identity and directory integration use these provider-neutral boundaries:
   to `PolicySubject` labels, trust zones, and allowed actions.
 - `DecisionLogStore` persists durable audit records for policy decisions.
 
+The Markitect-side enterprise helpers provide deterministic local
+implementations:
+
+- `NetKingdomIdentityClaimsAdapter` validates required IAM-profile claims,
+  issuer, audience, token lifetime, local-production issuer safety, roles, and
+  scopes for trusted claims or explicit JWT fixtures.
+- `StaticDirectoryGroupResolver` records group overage/freshness for tests and
+  development.
+- `EnterprisePolicyMap` and `LocalEnterprisePolicyMapper` translate groups,
+  roles, and scopes into `PolicySubject` labels, trust zones, and actions.
+- `FlexAuthResourceManifest` describes Markitect knowledge resources that a
+  future flex-auth service can register.
+- `LocalDecisionLogStore` is a JSONL development sink; durable enterprise audit
+  remains flex-auth scope.
+
 Relationship policies use `RelationshipPolicyAdapter`:
 
 ```text