FLEX-WP-0006: implement ops-warden signing gate policy

examples/ops-warden/protected_system_manifest.yaml

@@ -0,0 +1,36 @@
+id: ops-warden
+name: Ops Warden
+resource_types:
+  - name: ssh-certificate
+    scope_level: Resource
+    planes:
+      - Identity
+      - Secret
+      - Audit
+    metadata:
+      description: Short-lived SSH certificate signing request.
+actions:
+  - name: sign
+    capabilities:
+      - Use
+      - Operate
+      - Audit
+    planes:
+      - Identity
+      - Secret
+      - Audit
+    exposure_modes:
+      - Metadata
+    metadata:
+      required_context:
+        - principals
+        - actor_type
+        - pubkey_fingerprint
+        - ttl_hours
+caring_profiles:
+  - caring-0.4.0-rc2
+metadata:
+  flex_auth_contract: protected-system-v0
+  ops_warden_policy_gate: v2
+  policy_enabled_config: policy.enabled
+  tenant: tenant:platform