generated from coulomb/repo-seed
FLEX-WP-0006: implement ops-warden signing gate policy
This commit is contained in:
82
docs/ops-warden-policy-gate-handoff.md
Normal file
82
docs/ops-warden-policy-gate-handoff.md
Normal file
@@ -0,0 +1,82 @@
|
||||
# Ops-Warden Policy Gate Handoff
|
||||
|
||||
Date: 2026-06-23
|
||||
Workplan: FLEX-WP-0006
|
||||
Ops-warden unblocker: WARDEN-WP-0009 T01
|
||||
|
||||
## Published flex-auth assets
|
||||
|
||||
- Policy package: examples/ops-warden/policy_package.md
|
||||
- Policy fixtures: examples/ops-warden/policy_fixtures.yaml
|
||||
- Combined registry fixture: examples/ops-warden/registry_snapshot.json
|
||||
- Protected-system manifest: examples/ops-warden/protected_system_manifest.yaml
|
||||
- Resource manifest: examples/ops-warden/resource_manifest.yaml
|
||||
- Subject manifest: examples/ops-warden/subject_manifest.yaml
|
||||
- Service request fixtures: examples/ops-warden/check_request_*.json
|
||||
|
||||
## Local service command
|
||||
|
||||
flex-auth serve --addr 127.0.0.1:8080 --registry examples/ops-warden/registry_snapshot.json --policy examples/ops-warden/policy_package.md --log /tmp/flex-auth-ops-warden-decisions.jsonl
|
||||
|
||||
Ops-warden can point policy.flex_auth_url at that base URL for local smoke.
|
||||
Production should keep policy.fail_closed true unless an explicit break-glass
|
||||
procedure exists.
|
||||
|
||||
## Fixture coverage
|
||||
|
||||
Allow fixtures:
|
||||
|
||||
- fixture:ops-warden-adm-sign-allow
|
||||
- fixture:ops-warden-agt-sign-allow
|
||||
- fixture:ops-warden-atm-sign-allow
|
||||
|
||||
Deny fixtures:
|
||||
|
||||
- fixture:ops-warden-unknown-subject-deny
|
||||
- fixture:ops-warden-actor-type-mismatch-deny
|
||||
- fixture:ops-warden-ttl-above-max-deny
|
||||
- fixture:ops-warden-disallowed-principal-deny
|
||||
- fixture:ops-warden-missing-fingerprint-deny
|
||||
|
||||
## Non-secret smoke evidence
|
||||
|
||||
CLI validation on 2026-06-23:
|
||||
|
||||
- protected-system manifest: valid
|
||||
- resource manifest: valid
|
||||
- subject manifest: valid
|
||||
- registry snapshot: loaded 1 system, 1 resource manifest, 3 subjects,
|
||||
3 groups, 3 relationships, and 1 tenant
|
||||
- policy package: valid with 8 passing fixtures
|
||||
|
||||
Local /v1/check service smoke on 2026-06-23:
|
||||
|
||||
- allow request: effect allow, reason signing_policy_matched,
|
||||
decision id decision:706efe49f68d9ef1
|
||||
- deny request: effect deny, reason ttl_out_of_bounds,
|
||||
decision id decision:b69bdc25a988f367
|
||||
- GET /v1/check: HTTP 405
|
||||
- malformed POST /v1/check: HTTP 400
|
||||
- decision log contained both decision ids
|
||||
|
||||
## Production sequence for ops-warden
|
||||
|
||||
1. Deploy the flex-auth registry and policy package above to the selected
|
||||
flex-auth runtime.
|
||||
2. Configure ops-warden policy.flex_auth_url to the flex-auth base URL.
|
||||
3. Set policy.enabled: true.
|
||||
4. Keep policy.tenant as tenant:platform unless a tenant-specific policy package
|
||||
is introduced.
|
||||
5. Run one allow-path sign smoke and confirm signatures.log includes
|
||||
policy_decision_id.
|
||||
6. Run one deny-path smoke with fail_closed true and preserve only non-secret
|
||||
evidence.
|
||||
|
||||
## Ownership boundary
|
||||
|
||||
flex-auth owns the authorization decision for the signing request. ops-warden
|
||||
continues to own actor inventory, SSH CA operation, OpenBao SSH engine
|
||||
integration, host documentation, and signatures.log production evidence.
|
||||
|
||||
No SSH private keys, OpenBao tokens, database credentials, or real public-key
|
||||
material are stored in these fixtures.
|
||||
Reference in New Issue
Block a user