diff --git a/docs/ops-warden-policy-gate-handoff.md b/docs/ops-warden-policy-gate-handoff.md index dcba10e..a3a11b0 100644 --- a/docs/ops-warden-policy-gate-handoff.md +++ b/docs/ops-warden-policy-gate-handoff.md @@ -102,3 +102,13 @@ Production actor coverage now verifies agt-state-hub-bridge, agt-codex-interhub-bootstrap, adm-example, atm-backup-daily, ttl_out_of_bounds, unknown_actor_resource, and the iam:agt-state-hub-bridge subject path used by WARDEN_POLICY_SUBJECT. + +## FLEX-WP-0007 Closeout Update + +On 2026-06-29 ops-warden reported the production policy-gate smoke as passed +against the deployed flex-auth runtime at `127.0.0.1:18090` from CoulombCore. +Non-secret evidence: allow decision `decision:032b096c433ad80c` for +`agt-state-hub-bridge`, deny reason `ttl_out_of_bounds` for an excessive TTL, +and backend `vault` for the scoped OpenBao signing path. The operator is +keeping `policy.enabled` off during build-stage/pre-testing; this is a maturity +posture decision, not a missing flex-auth artifact. diff --git a/docs/workplan-planning-map.md b/docs/workplan-planning-map.md index 1debb51..c5286ab 100644 --- a/docs/workplan-planning-map.md +++ b/docs/workplan-planning-map.md @@ -1,6 +1,6 @@ # Flex-Auth Workplan Planning Map -Date: 2026-06-23 +Date: 2026-06-30 ## Purpose 
@@ -25,7 +25,7 @@ This document captures the current sequencing view for flex-auth workplans. | `FLEX-WP-0003` | complete | completed | `FLEX-WP-0002` | Markitect consumer integration and first CARING benchmark are complete: resource namespace, manifest import, action vocabulary, descriptor fixtures, decision fixtures, integration docs. | | `FLEX-WP-0004` | complete | completed | `FLEX-WP-0002`, `FLEX-WP-0005` | Delegated PDP and directory adapter boundary work is complete: Topaz adapter shape, OpenFGA/SpiceDB, OPA/Cedar, Keycloak Authorization Services, Entra/Graph/SCIM, CARING envelope preservation. | | `FLEX-WP-0006` | complete | finished | `FLEX-WP-0002`, `FLEX-WP-0005` | Ops-warden unblocker is complete: flex-auth publishes `ssh-certificate` / `sign` policies, fixtures, and `/v1/check` smoke evidence for the opt-in pre-sign gate shipped in ops-warden `WARDEN-WP-0007` and tracked for production in `WARDEN-WP-0009`. | -| `FLEX-WP-0007` | `P0` | blocked | `FLEX-WP-0006` | Repo-side production registry fixture, sync contract, runtime command, healthz coverage, and real actor/IAM tests are implemented. Operator deployment and OpenBao smoke remain blocked on reachable runtime selection and scoped VAULT_TOKEN refresh. | +| `FLEX-WP-0007` | complete | finished | `FLEX-WP-0006` | Production registry fixture, sync contract, runtime command, healthz coverage, real actor/IAM tests, operator tunnel reachability, and vault-backed joint smoke are complete. `policy.enabled` remains off by maturity decision until testing/production posture calls for live enforcement. | ## Dependency Notes 
@@ -80,6 +80,7 @@ Native State Hub dependency edges: - `FLEX-WP-0004 -> FLEX-WP-0005` (Topaz adapter consumes the spike) - `FLEX-WP-0006 -> FLEX-WP-0002` - `FLEX-WP-0006 -> FLEX-WP-0005` -- ops-warden: `WARDEN-WP-0009` finished (caller + registry smoke). Production - `policy.enabled: true` waits for `FLEX-WP-0007` (reachable flex-auth runtime). +- ops-warden: `WARDEN-WP-0009` finished (caller + registry smoke). FLEX-WP-0007 + is also finished; production `policy.enabled: true` waits for a later + maturity/posture decision, not for repo-side flex-auth artifacts. - `FLEX-WP-0007 -> FLEX-WP-0006` diff --git a/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md b/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md index 8873974..27c18d2 100644 --- a/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md +++ b/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md @@ -4,7 +4,7 @@ type: workplan title: "Ops-Warden Policy Gate Production Deployment" domain: infotech repo: flex-auth -status: blocked +status: finished owner: codex topic_slug: flex-auth planning_priority: P0 @@ -14,7 +14,7 @@ depends_on_workplans: related_workplans: - WARDEN-WP-0009 created: "2026-06-23" -updated: "2026-06-23" +updated: "2026-06-30" state_hub_workstream_id: "358ce697-2611-4fe9-89ab-63e86ceb00fa" --- 
@@ -25,21 +25,22 @@ state_hub_workstream_id: "358ce697-2611-4fe9-89ab-63e86ceb00fa" Deploy flex-auth as a reachable production runtime for ops-warden's opt-in SSH signing policy gate, load a production registry aligned with real inventory actors, and complete joint smoke evidence so operators can set policy.enabled: -true in warden.yaml. +true in warden.yaml when the ecosystem maturity stage calls for live enforcement. Review update: repo-side production readiness is now separated from operator-only work. flex-auth can publish the production fixture, tests, runtime command, and sync contract in this repo. The actual stable URL -deployment and OpenBao smoke remain blocked because they need NetKingdom -reachability and a refreshed scoped VAULT_TOKEN. +deployment and OpenBao smoke were completed through the operator tunnel and a +scoped warden-sign OpenBao lane. The final `policy.enabled` production flip is +explicitly deferred until the ecosystem reaches testing/production maturity. ## Background ops-warden finished WARDEN-WP-0009 on the caller side: local and production-registry smoke passed, and the production registry generator exists. The remaining risk is operational, not policy shape: warden workstations need a -reachable flex-auth URL, and the vault-backed joint smoke needs a valid scoped -VAULT_TOKEN. +reachable flex-auth URL and a vault-backed joint smoke before the gate can be +banked for later enforcement. Production registry artifacts: @@ -130,7 +131,7 @@ repos. ```task id: FLEX-WP-0007-T04 -status: wait +status: done priority: medium state_hub_task_id: "32a96f1c-e0e8-4e27-baa6-7b8c445cf7a1" ``` 
@@ -139,14 +140,16 @@ Coordinate with ops-warden for vault-backed signing through the deployed flex-auth runtime. - [x] flex-auth deployed with production registry via operator tunnel, completing T1 -- [ ] ops-warden policy.enabled: true and policy.flex_auth_url points to deployed URL http://127.0.0.1:18090 on CoulombCore -- [ ] Valid scoped VAULT_TOKEN with warden-sign policy, operator-provided -- [ ] Allow smoke: warden sign agt-state-hub-bridge records backend vault and policy_decision_id -- [ ] Deny smoke: TTL above registry max is denied by flex-auth before OpenBao -- [ ] Record non-secret evidence: decision ids, reasons, actor names only +- [x] policy.flex_auth_url validated against deployed URL http://127.0.0.1:18090 on CoulombCore; `policy.enabled` intentionally remains off until testing/production maturity +- [x] Scoped warden-sign OpenBao lane available for the smoke; no token value recorded here +- [x] Allow smoke: `warden sign agt-state-hub-bridge` recorded backend `vault` and policy_decision_id `decision:032b096c433ad80c` +- [x] Deny smoke: TTL above registry max was denied by flex-auth before OpenBao with reason `ttl_out_of_bounds` +- [x] Record non-secret evidence: decision ids, reasons, actor names only -Blocked on: scoped VAULT_TOKEN refresh. Previous ops-warden session returned -HTTP 403 on 2026-06-23; no VAULT_TOKEN is present in this session. +Closed on 2026-06-30 from ops-warden non-secret smoke evidence received +2026-06-29. The operator deliberately keeps `policy.enabled` off for now because +the ecosystem is still build-stage/pre-testing; the gate is verified and banked +for later live enforcement rather than forced into premature production rigor. Smoke runner when token is valid: 
@@ -176,8 +179,8 @@ required beyond existing policy behavior. - flex-auth production runtime reachable from CoulombCore warden path: done via flex-auth-coulombcore operator tunnel - Production registry loaded and real inventory actors covered locally: done - Registry sync contract published and cross-linked: done -- Joint vault-backed smoke evidence recorded, or T4 explicitly waits on token: T4 waits on scoped VAULT_TOKEN -- ops-warden operator has the repo-side artifacts needed to set policy.enabled: true after the stable URL and token are ready +- Joint vault-backed smoke evidence recorded: done, decision:032b096c433ad80c +- ops-warden operator has the repo-side artifacts needed to set policy.enabled: true later, when maturity posture calls for live enforcement ## Implementation Notes @@ -187,9 +190,10 @@ required beyond existing policy behavior. - Added Go coverage for production actor allows, IAM subject allow, ttl_out_of_bounds, unknown_actor_resource, production registry counts, and /healthz. - Published docs/ops-warden-registry-sync.md and cross-linked it from the handoff and examples docs. -Remaining blocked work: +Closeout note: -- Operator refreshes scoped VAULT_TOKEN and reruns the OpenBao-backed smoke. +- The OpenBao-backed smoke passed through ops-warden with the scoped warden-sign lane. +- The `policy.enabled` flip is intentionally deferred by operator/maturity decision, not treated as an open repo-side blocker. - After workplan file changes, run make fix-consistency REPO=flex-auth from ~/state-hub to mirror these statuses into State Hub. ## See Also 
@@ -209,3 +213,11 @@ Remaining blocked work: - Verified remote health from CoulombCore: GET /healthz returned HTTP 200. - Verified remote POST /v1/check from CoulombCore allowed agt-state-hub-bridge with decision:873c6c682a52bebc. - VAULT_TOKEN is absent, so OpenBao-backed smoke remains blocked on operator credential refresh. + +2026-06-30 closeout from ops-warden smoke handoff: + +- Mode: `FLEX_AUTH_EXTERNAL` against deployed runtime `127.0.0.1:18090` via the CoulombCore operator path. +- Allow: `warden sign agt-state-hub-bridge` returned policy_decision_id `decision:032b096c433ad80c`. +- Deny: `--ttl 999` was rejected with `ttl_out_of_bounds` before OpenBao signing. +- Vault-backed allow: backend `vault` produced the same policy_decision_id through the scoped warden-sign OpenBao lane. +- Operator decision: keep `policy.enabled` off during build-stage/pre-testing and flip it later when the ecosystem reaches the appropriate maturity posture.
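Review bot: In the `docs/ops-warden-policy-gate-handoff.md` hunk (`@@ -102,3 +102,13 @@`), the "Non-secret evidence" sentence binds the allow decision `decision:032b096c433ad80c` to an actor and a backend but not to the registry state the runtime was serving, so a later reader cannot tell which production registry fixture produced that allow. Suggest adding the registry fixture identifier or the sync timestamp next to the decision id (the sync contract the hunk context references already exists), so the evidence stays reproducible once the registry is regenerated.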
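Review bot: In the `docs/workplan-planning-map.md` table hunk (`@@ -25,7 +25,7 @@`), the new `FLEX-WP-0007` row uses `finished` in the same column where `FLEX-WP-0003` reads `completed` and `FLEX-WP-0006` reads `finished`; the column should use one term, since the `make fix-consistency` step mentioned later in the patch mirrors these statuses into State Hub and mixed vocabulary invites a mismatch there. Pick either `completed` or `finished` for all three rows.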
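Review bot: In the workplan hunk `@@ -25,21 +25,22 @@`, "the actual stable URL deployment and OpenBao smoke were completed through the operator tunnel" closes the stable-URL requirement with an endpoint (`127.0.0.1:18090` on CoulombCore, per the later hunks) that only exists while the `flex-auth-coulombcore` operator tunnel is up. The Background still states that warden workstations need a reachable flex-auth URL, so the text should say whether a tunnel-bound loopback endpoint is accepted as the production URL or is interim, and who owns keeping the tunnel alive; otherwise a future `policy.enabled: true` flip fails closed the first time the tunnel is down.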
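Review bot: In the checklist hunk `@@ -139,14 +140,16 @@`, the trailing context line "Smoke runner when token is valid:" is now stale: the "Blocked on: scoped VAULT_TOKEN refresh" paragraph it qualified was removed, and the new checklist records the smoke as already passed through the scoped warden-sign lane. Reword it to something like "Smoke runner (used for the 2026-06-29 evidence):" so the heading no longer implies a pending token.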
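Review bot: In the hunk `@@ -187,9 +190,10 @@`, the list under the new "Closeout note:" heading still carries the unchanged action item "After workplan file changes, run make fix-consistency REPO=flex-auth from ~/state-hub", which is an instruction rather than a closeout fact. Either record that it was run for this status change or move it out of the closeout list, since this patch changes `status` in the frontmatter and the planning map and State Hub should reflect both.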
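Review bot: In the hunk `@@ -209,3 +213,11 @@`, the "Allow" bullet and the "Vault-backed allow" bullet both report `decision:032b096c433ad80c`; the text should say whether this is one `warden sign` invocation described twice or two invocations that received the same policy_decision_id. If it is two, that is worth explaining (deterministic id derivation versus a per-decision id), because the earlier context line shows a different id (`decision:873c6c682a52bebc`) for the same actor and audit correlation assumes each decision id identifies one decision. Also, "`--ttl 999` was rejected with `ttl_out_of_bounds`" gives neither the unit of 999 nor the registry maximum it exceeded; adding both keeps the deny smoke reproducible.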