coulomb/flex-auth
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Close ops-warden policy gate deployment
Some checks are pending
CI / Build and Test (push) Waiting to run
Details
CI / Lint (push) Waiting to run
Details

Browse Source
This commit is contained in:
Bernd Worsch
2026-06-30 00:52:56 +02:00
parent 8124367e1d
commit 339c35e876
3 changed files with 46 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
docs/ops-warden-policy-gate-handoff.md
View File

@@ -102,3 +102,13 @@ Production actor coverage now verifies agt-state-hub-bridge,
agt-codex-interhub-bootstrap, adm-example, atm-backup-daily, ttl_out_of_bounds,
unknown_actor_resource, and the iam:agt-state-hub-bridge subject path used by
WARDEN_POLICY_SUBJECT.
## FLEX-WP-0007 Closeout Update
On 2026-06-29 ops-warden reported the production policy-gate smoke as passed
against the deployed flex-auth runtime at `127.0.0.1:18090` from CoulombCore.
Non-secret evidence: allow decision `decision:032b096c433ad80c` for
`agt-state-hub-bridge`, deny reason `ttl_out_of_bounds` for an excessive TTL,
and backend `vault` for the scoped OpenBao signing path. The operator is
keeping `policy.enabled` off during build-stage/pre-testing; this is a maturity
posture decision, not a missing flex-auth artifact.

9
docs/workplan-planning-map.md
View File

@@ -1,6 +1,6 @@
# Flex-Auth Workplan Planning Map
Date: 2026-06-23
Date: 2026-06-30
## Purpose
@@ -25,7 +25,7 @@ This document captures the current sequencing view for flex-auth workplans.
| `FLEX-WP-0003` | complete | completed | `FLEX-WP-0002` | Markitect consumer integration and first CARING benchmark are complete: resource namespace, manifest import, action vocabulary, descriptor fixtures, decision fixtures, integration docs. |
| `FLEX-WP-0004` | complete | completed | `FLEX-WP-0002`, `FLEX-WP-0005` | Delegated PDP and directory adapter boundary work is complete: Topaz adapter shape, OpenFGA/SpiceDB, OPA/Cedar, Keycloak Authorization Services, Entra/Graph/SCIM, CARING envelope preservation. |
| `FLEX-WP-0006` | complete | finished | `FLEX-WP-0002`, `FLEX-WP-0005` | Ops-warden unblocker is complete: flex-auth publishes `ssh-certificate` / `sign` policies, fixtures, and `/v1/check` smoke evidence for the opt-in pre-sign gate shipped in ops-warden `WARDEN-WP-0007` and tracked for production in `WARDEN-WP-0009`. |
| `FLEX-WP-0007` | `P0` | blocked | `FLEX-WP-0006` | Repo-side production registry fixture, sync contract, runtime command, healthz coverage, and real actor/IAM tests are implemented. Operator deployment and OpenBao smoke remain blocked on reachable runtime selection and scoped VAULT_TOKEN refresh. |
| `FLEX-WP-0007` | complete | finished | `FLEX-WP-0006` | Production registry fixture, sync contract, runtime command, healthz coverage, real actor/IAM tests, operator tunnel reachability, and vault-backed joint smoke are complete. `policy.enabled` remains off by maturity decision until testing/production posture calls for live enforcement. |
## Dependency Notes
@@ -80,6 +80,7 @@ Native State Hub dependency edges:
- `FLEX-WP-0004 -> FLEX-WP-0005` (Topaz adapter consumes the spike)
- `FLEX-WP-0006 -> FLEX-WP-0002`
- `FLEX-WP-0006 -> FLEX-WP-0005`
- ops-warden: `WARDEN-WP-0009` finished (caller + registry smoke). Production
`policy.enabled: true` waits for `FLEX-WP-0007` (reachable flex-auth runtime).
- ops-warden: `WARDEN-WP-0009` finished (caller + registry smoke). FLEX-WP-0007
is also finished; production `policy.enabled: true` waits for a later
maturity/posture decision, not for repo-side flex-auth artifacts.
- `FLEX-WP-0007 -> FLEX-WP-0006`