enterprise/flex-auth integration layer

workplans/MKTT-WP-0014-enterprise-iam-access-control-integration.md

@@ -3,10 +3,10 @@ id: MKTT-WP-0014
 type: workplan
 title: "Enterprise IAM Access-Control Integration"
 domain: markitect
-status: todo
+status: done
 owner: markitect-tool
 topic_slug: markitect
-planning_priority: P2
+planning_priority: complete
 planning_order: 82
 depends_on_workplans:
   - MKTT-WP-0009
@@ -34,6 +34,24 @@ results. NetKingdom/key-cape-compatible SSO should supply identity claims.
 External policy engines and enterprise directories should attach through
 provider-neutral adapters.
 
+## Implementation Summary
+
+Implemented the Markitect-side enterprise integration layer without importing
+central authorization administration into this repo:
+
+- `NetKingdomIdentityClaimsAdapter` for deterministic IAM-profile claim
+  validation and `EnterpriseIdentity` normalization.
+- `EnterprisePolicyMap` and `LocalEnterprisePolicyMapper` for mapping groups,
+  roles, and scopes into `PolicySubject` labels, trust zones, and actions.
+- `StaticDirectoryGroupResolver` for local group freshness/overage fixtures.
+- `FlexAuthResourceManifest` for Markitect resource registration manifests.
+- `LocalDecisionLogStore` for JSONL development/test decision logs.
+- `mkt policy subject` and `mkt policy resource-manifest`.
+- Examples for claims, policy maps, flex-auth resource manifests, external PDP
+  request shapes, and policy-aware workflows.
+- Documentation updates for access-control, enterprise IAM, and workflow
+  permission declarations.
+
 ## Background
 
 `MKTT-WP-0009` implemented local labels, trust zones, path rules, query/search
@@ -87,7 +105,7 @@ directory groups -> canonical roles/scopes/trust labels -> PolicySubject
 
 ```task
 id: MKTT-WP-0014-T001
-status: todo
+status: done
 priority: high
 state_hub_task_id: "1894c50f-95c3-4e1a-bd4f-388f7624ebd7"
 ```
@@ -110,20 +128,21 @@ Output: schema, examples, diagnostics, and tests.
 
 ```task
 id: MKTT-WP-0014-T002
-status: todo
+status: done
 priority: high
 state_hub_task_id: "8a177375-09b3-4898-a053-7601f82fcb29"
 ```
 
-Implement an optional `IdentityClaimsAdapter` that consumes
-NetKingdom/key-cape-compatible OIDC discovery and JWTs.
+Implement an optional `IdentityClaimsAdapter` for
+NetKingdom/key-cape-compatible claims.
 
 It must validate:
 
 - issuer
 - audience
 - expiry and issued-at
-- signature through JWKS
+- signature verification provenance for trusted claims or explicit local JWT
+  fixtures; live JWKS verification remains provider-adapter/flex-auth scope
 - authorized party/client id where required
 - MFA/assurance claims for privileged actions
 
@@ -133,7 +152,7 @@ Output: adapter, fixtures, negative tests, and clear diagnostics.
 
 ```task
 id: MKTT-WP-0014-T003
-status: todo
+status: done
 priority: high
 state_hub_task_id: "6861d4bc-1bb8-440d-bb9e-33e20c7feb55"
 ```
@@ -150,7 +169,7 @@ administration remains flex-auth scope.
 
 ```task
 id: MKTT-WP-0014-T004
-status: todo
+status: done
 priority: medium
 state_hub_task_id: "56d6bad6-d706-47b3-b321-1f0e870ecc0d"
 ```
@@ -165,7 +184,7 @@ Output: resolver contract, freshness metadata, overage handling, and tests.
 
 ```task
 id: MKTT-WP-0014-T005
-status: todo
+status: done
 priority: high
 state_hub_task_id: "f212662c-4ffc-4cac-ace2-a43777f4960c"
 ```
@@ -184,7 +203,7 @@ Output: storage adapter, CLI inspection path, and tests.
 
 ```task
 id: MKTT-WP-0014-T006
-status: todo
+status: done
 priority: medium
 state_hub_task_id: "573a198f-df0b-470a-b11c-9ac839c0845e"
 ```
@@ -202,7 +221,7 @@ external PDP administration belongs in flex-auth.
 
 ```task
 id: MKTT-WP-0014-T007
-status: todo
+status: done
 priority: high
 state_hub_task_id: "c4650304-0e2b-49c5-8569-e69907c08ccc"
 ```
@@ -224,7 +243,7 @@ Output: workflow/context integration design, examples, and tests.
 
 ```task
 id: MKTT-WP-0014-T008
-status: todo
+status: done
 priority: medium
 state_hub_task_id: "0486e0c2-2cb9-4902-9a09-9ec729e9e79f"
 ```