Close ops-warden policy gate deployment

2026-06-30 00:52:56 +02:00
parent 8124367e1d
commit 339c35e876
3 changed files with 46 additions and 23 deletions
--- a/docs/ops-warden-policy-gate-handoff.md
+++ b/docs/ops-warden-policy-gate-handoff.md
@@ -102,3 +102,13 @@ Production actor coverage now verifies agt-state-hub-bridge,
 agt-codex-interhub-bootstrap, adm-example, atm-backup-daily, ttl_out_of_bounds,
 unknown_actor_resource, and the iam:agt-state-hub-bridge subject path used by
 WARDEN_POLICY_SUBJECT.
+
+## FLEX-WP-0007 Closeout Update
+
+On 2026-06-29 ops-warden reported the production policy-gate smoke as passed
+against the deployed flex-auth runtime at `127.0.0.1:18090` from CoulombCore.
+Non-secret evidence: allow decision `decision:032b096c433ad80c` for
+`agt-state-hub-bridge`, deny reason `ttl_out_of_bounds` for an excessive TTL,
+and backend `vault` for the scoped OpenBao signing path. The operator is
+keeping `policy.enabled` off during build-stage/pre-testing; this is a maturity
+posture decision, not a missing flex-auth artifact.
--- a/docs/workplan-planning-map.md
+++ b/docs/workplan-planning-map.md
@@ -1,6 +1,6 @@
 # Flex-Auth Workplan Planning Map

-Date: 2026-06-23
+Date: 2026-06-30

 ## Purpose

@@ -25,7 +25,7 @@ This document captures the current sequencing view for flex-auth workplans.
 | `FLEX-WP-0003` | complete | completed | `FLEX-WP-0002` | Markitect consumer integration and first CARING benchmark are complete: resource namespace, manifest import, action vocabulary, descriptor fixtures, decision fixtures, integration docs. |
 | `FLEX-WP-0004` | complete | completed | `FLEX-WP-0002`, `FLEX-WP-0005` | Delegated PDP and directory adapter boundary work is complete: Topaz adapter shape, OpenFGA/SpiceDB, OPA/Cedar, Keycloak Authorization Services, Entra/Graph/SCIM, CARING envelope preservation. |
 | `FLEX-WP-0006` | complete | finished | `FLEX-WP-0002`, `FLEX-WP-0005` | Ops-warden unblocker is complete: flex-auth publishes `ssh-certificate` / `sign` policies, fixtures, and `/v1/check` smoke evidence for the opt-in pre-sign gate shipped in ops-warden `WARDEN-WP-0007` and tracked for production in `WARDEN-WP-0009`. |
-| `FLEX-WP-0007` | `P0` | blocked | `FLEX-WP-0006` | Repo-side production registry fixture, sync contract, runtime command, healthz coverage, and real actor/IAM tests are implemented. Operator deployment and OpenBao smoke remain blocked on reachable runtime selection and scoped VAULT_TOKEN refresh. |
+| `FLEX-WP-0007` | complete | finished | `FLEX-WP-0006` | Production registry fixture, sync contract, runtime command, healthz coverage, real actor/IAM tests, operator tunnel reachability, and vault-backed joint smoke are complete. `policy.enabled` remains off by maturity decision until testing/production posture calls for live enforcement. |

 ## Dependency Notes

@@ -80,6 +80,7 @@ Native State Hub dependency edges:
 - `FLEX-WP-0004 -> FLEX-WP-0005` (Topaz adapter consumes the spike)
 - `FLEX-WP-0006 -> FLEX-WP-0002`
 - `FLEX-WP-0006 -> FLEX-WP-0005`
- ops-warden: `WARDEN-WP-0009` finished (caller + registry smoke). Production
-  `policy.enabled: true` waits for `FLEX-WP-0007` (reachable flex-auth runtime).
+- ops-warden: `WARDEN-WP-0009` finished (caller + registry smoke). FLEX-WP-0007
+  is also finished; production `policy.enabled: true` waits for a later
+  maturity/posture decision, not for repo-side flex-auth artifacts.
 - `FLEX-WP-0007 -> FLEX-WP-0006`
--- a/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md
+++ b/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md
@@ -4,7 +4,7 @@ type: workplan
 title: "Ops-Warden Policy Gate Production Deployment"
 domain: infotech
 repo: flex-auth
-status: blocked
+status: finished
 owner: codex
 topic_slug: flex-auth
 planning_priority: P0
@@ -14,7 +14,7 @@ depends_on_workplans:
 related_workplans:
  - WARDEN-WP-0009
 created: "2026-06-23"
-updated: "2026-06-23"
+updated: "2026-06-30"
 state_hub_workstream_id: "358ce697-2611-4fe9-89ab-63e86ceb00fa"
 ---

@@ -25,21 +25,22 @@ state_hub_workstream_id: "358ce697-2611-4fe9-89ab-63e86ceb00fa"
 Deploy flex-auth as a reachable production runtime for ops-warden's opt-in SSH
 signing policy gate, load a production registry aligned with real inventory
 actors, and complete joint smoke evidence so operators can set policy.enabled:
-true in warden.yaml.
+true in warden.yaml when the ecosystem maturity stage calls for live enforcement.

 Review update: repo-side production readiness is now separated from
 operator-only work. flex-auth can publish the production fixture, tests,
 runtime command, and sync contract in this repo. The actual stable URL
-deployment and OpenBao smoke remain blocked because they need NetKingdom
-reachability and a refreshed scoped VAULT_TOKEN.
+deployment and OpenBao smoke were completed through the operator tunnel and a
+scoped warden-sign OpenBao lane. The final `policy.enabled` production flip is
+explicitly deferred until the ecosystem reaches testing/production maturity.

 ## Background

 ops-warden finished WARDEN-WP-0009 on the caller side: local and
 production-registry smoke passed, and the production registry generator exists.
 The remaining risk is operational, not policy shape: warden workstations need a
-reachable flex-auth URL, and the vault-backed joint smoke needs a valid scoped
-VAULT_TOKEN.
+reachable flex-auth URL and a vault-backed joint smoke before the gate can be
+banked for later enforcement.

 Production registry artifacts:

@@ -130,7 +131,7 @@ repos.

 ```task
 id: FLEX-WP-0007-T04
-status: wait
+status: done
 priority: medium
 state_hub_task_id: "32a96f1c-e0e8-4e27-baa6-7b8c445cf7a1"
 ```
@@ -139,14 +140,16 @@ Coordinate with ops-warden for vault-backed signing through the deployed
 flex-auth runtime.

 - [x] flex-auth deployed with production registry via operator tunnel, completing T1
- [ ] ops-warden policy.enabled: true and policy.flex_auth_url points to deployed URL http://127.0.0.1:18090 on CoulombCore
- [ ] Valid scoped VAULT_TOKEN with warden-sign policy, operator-provided
- [ ] Allow smoke: warden sign agt-state-hub-bridge records backend vault and policy_decision_id
- [ ] Deny smoke: TTL above registry max is denied by flex-auth before OpenBao
- [ ] Record non-secret evidence: decision ids, reasons, actor names only
+- [x] policy.flex_auth_url validated against deployed URL http://127.0.0.1:18090 on CoulombCore; `policy.enabled` intentionally remains off until testing/production maturity
+- [x] Scoped warden-sign OpenBao lane available for the smoke; no token value recorded here
+- [x] Allow smoke: `warden sign agt-state-hub-bridge` recorded backend `vault` and policy_decision_id `decision:032b096c433ad80c`
+- [x] Deny smoke: TTL above registry max was denied by flex-auth before OpenBao with reason `ttl_out_of_bounds`
+- [x] Record non-secret evidence: decision ids, reasons, actor names only

-Blocked on: scoped VAULT_TOKEN refresh. Previous ops-warden session returned
-HTTP 403 on 2026-06-23; no VAULT_TOKEN is present in this session.
+Closed on 2026-06-30 from ops-warden non-secret smoke evidence received
+2026-06-29. The operator deliberately keeps `policy.enabled` off for now because
+the ecosystem is still build-stage/pre-testing; the gate is verified and banked
+for later live enforcement rather than forced into premature production rigor.

 Smoke runner when token is valid:

@@ -176,8 +179,8 @@ required beyond existing policy behavior.
 - flex-auth production runtime reachable from CoulombCore warden path: done via flex-auth-coulombcore operator tunnel
 - Production registry loaded and real inventory actors covered locally: done
 - Registry sync contract published and cross-linked: done
- Joint vault-backed smoke evidence recorded, or T4 explicitly waits on token: T4 waits on scoped VAULT_TOKEN
- ops-warden operator has the repo-side artifacts needed to set policy.enabled: true after the stable URL and token are ready
+- Joint vault-backed smoke evidence recorded: done, decision:032b096c433ad80c
+- ops-warden operator has the repo-side artifacts needed to set policy.enabled: true later, when maturity posture calls for live enforcement

 ## Implementation Notes

@@ -187,9 +190,10 @@ required beyond existing policy behavior.
 - Added Go coverage for production actor allows, IAM subject allow, ttl_out_of_bounds, unknown_actor_resource, production registry counts, and /healthz.
 - Published docs/ops-warden-registry-sync.md and cross-linked it from the handoff and examples docs.

-Remaining blocked work:
+Closeout note:

- Operator refreshes scoped VAULT_TOKEN and reruns the OpenBao-backed smoke.
+- The OpenBao-backed smoke passed through ops-warden with the scoped warden-sign lane.
+- The `policy.enabled` flip is intentionally deferred by operator/maturity decision, not treated as an open repo-side blocker.
 - After workplan file changes, run make fix-consistency REPO=flex-auth from ~/state-hub to mirror these statuses into State Hub.

 ## See Also
@@ -209,3 +213,11 @@ Remaining blocked work:
 - Verified remote health from CoulombCore: GET /healthz returned HTTP 200.
 - Verified remote POST /v1/check from CoulombCore allowed agt-state-hub-bridge with decision:873c6c682a52bebc.
 - VAULT_TOKEN is absent, so OpenBao-backed smoke remains blocked on operator credential refresh.
+
+2026-06-30 closeout from ops-warden smoke handoff:
+
+- Mode: `FLEX_AUTH_EXTERNAL` against deployed runtime `127.0.0.1:18090` via the CoulombCore operator path.
+- Allow: `warden sign agt-state-hub-bridge` returned policy_decision_id `decision:032b096c433ad80c`.
+- Deny: `--ttl 999` was rejected with `ttl_out_of_bounds` before OpenBao signing.
+- Vault-backed allow: backend `vault` produced the same policy_decision_id through the scoped warden-sign OpenBao lane.
+- Operator decision: keep `policy.enabled` off during build-stage/pre-testing and flip it later when the ecosystem reaches the appropriate maturity posture.