generated from coulomb/repo-seed
FLEX-WP-0006: implement ops-warden signing gate policy
This commit is contained in:
82
docs/ops-warden-policy-gate-handoff.md
Normal file
82
docs/ops-warden-policy-gate-handoff.md
Normal file
@@ -0,0 +1,82 @@
|
||||
# Ops-Warden Policy Gate Handoff
|
||||
|
||||
Date: 2026-06-23
|
||||
Workplan: FLEX-WP-0006
|
||||
Ops-warden unblocker: WARDEN-WP-0009 T01
|
||||
|
||||
## Published flex-auth assets
|
||||
|
||||
- Policy package: examples/ops-warden/policy_package.md
|
||||
- Policy fixtures: examples/ops-warden/policy_fixtures.yaml
|
||||
- Combined registry fixture: examples/ops-warden/registry_snapshot.json
|
||||
- Protected-system manifest: examples/ops-warden/protected_system_manifest.yaml
|
||||
- Resource manifest: examples/ops-warden/resource_manifest.yaml
|
||||
- Subject manifest: examples/ops-warden/subject_manifest.yaml
|
||||
- Service request fixtures: examples/ops-warden/check_request_*.json
|
||||
|
||||
## Local service command
|
||||
|
||||
flex-auth serve --addr 127.0.0.1:8080 --registry examples/ops-warden/registry_snapshot.json --policy examples/ops-warden/policy_package.md --log /tmp/flex-auth-ops-warden-decisions.jsonl
|
||||
|
||||
Ops-warden can point policy.flex_auth_url at that base URL for local smoke.
|
||||
Production should keep policy.fail_closed true unless an explicit break-glass
|
||||
procedure exists.
|
||||
|
||||
## Fixture coverage
|
||||
|
||||
Allow fixtures:
|
||||
|
||||
- fixture:ops-warden-adm-sign-allow
|
||||
- fixture:ops-warden-agt-sign-allow
|
||||
- fixture:ops-warden-atm-sign-allow
|
||||
|
||||
Deny fixtures:
|
||||
|
||||
- fixture:ops-warden-unknown-subject-deny
|
||||
- fixture:ops-warden-actor-type-mismatch-deny
|
||||
- fixture:ops-warden-ttl-above-max-deny
|
||||
- fixture:ops-warden-disallowed-principal-deny
|
||||
- fixture:ops-warden-missing-fingerprint-deny
|
||||
|
||||
## Non-secret smoke evidence
|
||||
|
||||
CLI validation on 2026-06-23:
|
||||
|
||||
- protected-system manifest: valid
|
||||
- resource manifest: valid
|
||||
- subject manifest: valid
|
||||
- registry snapshot: loaded 1 system, 1 resource manifest, 3 subjects,
|
||||
3 groups, 3 relationships, and 1 tenant
|
||||
- policy package: valid with 8 passing fixtures
|
||||
|
||||
Local /v1/check service smoke on 2026-06-23:
|
||||
|
||||
- allow request: effect allow, reason signing_policy_matched,
|
||||
decision id decision:706efe49f68d9ef1
|
||||
- deny request: effect deny, reason ttl_out_of_bounds,
|
||||
decision id decision:b69bdc25a988f367
|
||||
- GET /v1/check: HTTP 405
|
||||
- malformed POST /v1/check: HTTP 400
|
||||
- decision log contained both decision ids
|
||||
|
||||
## Production sequence for ops-warden
|
||||
|
||||
1. Deploy the flex-auth registry and policy package above to the selected
|
||||
flex-auth runtime.
|
||||
2. Configure ops-warden policy.flex_auth_url to the flex-auth base URL.
|
||||
3. Set policy.enabled: true.
|
||||
4. Keep policy.tenant as tenant:platform unless a tenant-specific policy package
|
||||
is introduced.
|
||||
5. Run one allow-path sign smoke and confirm signatures.log includes
|
||||
policy_decision_id.
|
||||
6. Run one deny-path smoke with fail_closed true and preserve only non-secret
|
||||
evidence.
|
||||
|
||||
## Ownership boundary
|
||||
|
||||
flex-auth owns the authorization decision for the signing request. ops-warden
|
||||
continues to own actor inventory, SSH CA operation, OpenBao SSH engine
|
||||
integration, host documentation, and signatures.log production evidence.
|
||||
|
||||
No SSH private keys, OpenBao tokens, database credentials, or real public-key
|
||||
material are stored in these fixtures.
|
||||
@@ -1,6 +1,6 @@
|
||||
# Flex-Auth Workplan Planning Map
|
||||
|
||||
Date: 2026-05-17
|
||||
Date: 2026-06-23
|
||||
|
||||
## Purpose
|
||||
|
||||
@@ -21,9 +21,10 @@ This document captures the current sequencing view for flex-auth workplans.
|
||||
| --- | --- | --- | --- | --- |
|
||||
| `FLEX-WP-0001` | complete | done | none | Repo intent, boundaries, and authorization landscape research are complete. |
|
||||
| `FLEX-WP-0005` | complete | done | `FLEX-WP-0001` | Foundations and Topaz alignment are complete: ADR-001/002/003, Go skeleton, `FlexAuthResourceManifest` schema pin, Topaz mapping spike, IAM Profile citation, ops-warden boundary clarification. |
|
||||
| `FLEX-WP-0002` | P0 | ready | `FLEX-WP-0001`, `FLEX-WP-0005` | Standalone policy-as-code core: schemas, local registry, CARING profile/descriptors, Rego-in-Markdown policy packages, check APIs, explanations, decision log, CLI/service skeleton, tests. |
|
||||
| `FLEX-WP-0003` | P1 | blocked | `FLEX-WP-0002` | Markitect consumer integration and first CARING benchmark: resource namespace, manifest import, action vocabulary, descriptor fixtures, decision fixtures, integration docs. |
|
||||
| `FLEX-WP-0004` | P2 | blocked | `FLEX-WP-0002`, `FLEX-WP-0005` | Delegated PDP and directory adapters: Topaz adapter implementation (evaluation already done in `0005`), OpenFGA/SpiceDB, OPA/Cedar, Keycloak Authorization Services, Entra/Graph/SCIM, CARING envelope preservation. |
|
||||
| `FLEX-WP-0002` | complete | completed | `FLEX-WP-0001`, `FLEX-WP-0005` | Standalone policy-as-code core is complete: schemas, local registry, CARING profile/descriptors, Rego-in-Markdown policy packages, check APIs, explanations, decision log, CLI/service skeleton, tests. |
|
||||
| `FLEX-WP-0003` | complete | completed | `FLEX-WP-0002` | Markitect consumer integration and first CARING benchmark are complete: resource namespace, manifest import, action vocabulary, descriptor fixtures, decision fixtures, integration docs. |
|
||||
| `FLEX-WP-0004` | complete | completed | `FLEX-WP-0002`, `FLEX-WP-0005` | Delegated PDP and directory adapter boundary work is complete: Topaz adapter shape, OpenFGA/SpiceDB, OPA/Cedar, Keycloak Authorization Services, Entra/Graph/SCIM, CARING envelope preservation. |
|
||||
| `FLEX-WP-0006` | complete | finished | `FLEX-WP-0002`, `FLEX-WP-0005` | Ops-warden unblocker is complete: flex-auth publishes `ssh-certificate` / `sign` policies, fixtures, and `/v1/check` smoke evidence for the opt-in pre-sign gate shipped in ops-warden `WARDEN-WP-0007` and tracked for production in `WARDEN-WP-0009`. |
|
||||
|
||||
## Dependency Notes
|
||||
|
||||
@@ -58,6 +59,14 @@ now implements the Topaz adapter against the spike's output.
|
||||
Delegated adapters must preserve flex-auth's CARING descriptor and
|
||||
conformance fields even when backend-native role semantics differ.
|
||||
|
||||
`FLEX-WP-0006` was the cross-repo integration unblocker for
|
||||
ops-warden. ops-warden already implements the opt-in policy call
|
||||
(`policy.enabled: true`) and production OpenBao signing works without the
|
||||
gate. flex-auth now publishes the protected-system manifest,
|
||||
`ssh-certificate` / `sign` policy package, allow/deny fixtures, and
|
||||
`POST /v1/check` evidence that ops-warden can use before enabling
|
||||
`policy.enabled` in production.
|
||||
|
||||
## State Hub Mirror
|
||||
|
||||
Native State Hub dependency edges:
|
||||
@@ -68,3 +77,7 @@ Native State Hub dependency edges:
|
||||
- `FLEX-WP-0003 -> FLEX-WP-0002`
|
||||
- `FLEX-WP-0004 -> FLEX-WP-0002`
|
||||
- `FLEX-WP-0004 -> FLEX-WP-0005` (Topaz adapter consumes the spike)
|
||||
- `FLEX-WP-0006 -> FLEX-WP-0002`
|
||||
- `FLEX-WP-0006 -> FLEX-WP-0005`
|
||||
- ops-warden: `WARDEN-WP-0009` waits for `FLEX-WP-0006` output before
|
||||
production enablement of `policy.enabled`.
|
||||
|
||||
Reference in New Issue
Block a user