FLEX-WP-0006: implement ops-warden signing gate policy

docs/workplan-planning-map.md

@@ -1,6 +1,6 @@
 # Flex-Auth Workplan Planning Map
 
-Date: 2026-05-17
+Date: 2026-06-23
 
 ## Purpose
 
@@ -21,9 +21,10 @@ This document captures the current sequencing view for flex-auth workplans.
 | --- | --- | --- | --- | --- |
 | `FLEX-WP-0001` | complete | done | none | Repo intent, boundaries, and authorization landscape research are complete. |
 | `FLEX-WP-0005` | complete | done | `FLEX-WP-0001` | Foundations and Topaz alignment are complete: ADR-001/002/003, Go skeleton, `FlexAuthResourceManifest` schema pin, Topaz mapping spike, IAM Profile citation, ops-warden boundary clarification. |
-| `FLEX-WP-0002` | P0 | ready | `FLEX-WP-0001`, `FLEX-WP-0005` | Standalone policy-as-code core: schemas, local registry, CARING profile/descriptors, Rego-in-Markdown policy packages, check APIs, explanations, decision log, CLI/service skeleton, tests. |
-| `FLEX-WP-0003` | P1 | blocked | `FLEX-WP-0002` | Markitect consumer integration and first CARING benchmark: resource namespace, manifest import, action vocabulary, descriptor fixtures, decision fixtures, integration docs. |
-| `FLEX-WP-0004` | P2 | blocked | `FLEX-WP-0002`, `FLEX-WP-0005` | Delegated PDP and directory adapters: Topaz adapter implementation (evaluation already done in `0005`), OpenFGA/SpiceDB, OPA/Cedar, Keycloak Authorization Services, Entra/Graph/SCIM, CARING envelope preservation. |
+| `FLEX-WP-0002` | complete | completed | `FLEX-WP-0001`, `FLEX-WP-0005` | Standalone policy-as-code core is complete: schemas, local registry, CARING profile/descriptors, Rego-in-Markdown policy packages, check APIs, explanations, decision log, CLI/service skeleton, tests. |
+| `FLEX-WP-0003` | complete | completed | `FLEX-WP-0002` | Markitect consumer integration and first CARING benchmark are complete: resource namespace, manifest import, action vocabulary, descriptor fixtures, decision fixtures, integration docs. |
+| `FLEX-WP-0004` | complete | completed | `FLEX-WP-0002`, `FLEX-WP-0005` | Delegated PDP and directory adapter boundary work is complete: Topaz adapter shape, OpenFGA/SpiceDB, OPA/Cedar, Keycloak Authorization Services, Entra/Graph/SCIM, CARING envelope preservation. |
+| `FLEX-WP-0006` | complete | finished | `FLEX-WP-0002`, `FLEX-WP-0005` | Ops-warden unblocker is complete: flex-auth publishes `ssh-certificate` / `sign` policies, fixtures, and `/v1/check` smoke evidence for the opt-in pre-sign gate shipped in ops-warden `WARDEN-WP-0007` and tracked for production in `WARDEN-WP-0009`. |
 
 ## Dependency Notes
 
@@ -58,6 +59,14 @@ now implements the Topaz adapter against the spike's output.
 Delegated adapters must preserve flex-auth's CARING descriptor and
 conformance fields even when backend-native role semantics differ.
 
+`FLEX-WP-0006` was the cross-repo integration unblocker for
+ops-warden. ops-warden already implements the opt-in policy call
+(`policy.enabled: true`) and production OpenBao signing works without the
+gate. flex-auth now publishes the protected-system manifest,
+`ssh-certificate` / `sign` policy package, allow/deny fixtures, and
+`POST /v1/check` evidence that ops-warden can use before enabling
+`policy.enabled` in production.
+
 ## State Hub Mirror
 
 Native State Hub dependency edges:
@@ -68,3 +77,7 @@ Native State Hub dependency edges:
 - `FLEX-WP-0003 -> FLEX-WP-0002`
 - `FLEX-WP-0004 -> FLEX-WP-0002`
 - `FLEX-WP-0004 -> FLEX-WP-0005` (Topaz adapter consumes the spike)
+- `FLEX-WP-0006 -> FLEX-WP-0002`
+- `FLEX-WP-0006 -> FLEX-WP-0005`
+- ops-warden: `WARDEN-WP-0009` waits for `FLEX-WP-0006` output before
+  production enablement of `policy.enabled`.