generated from coulomb/repo-seed
Close ops-warden policy gate deployment
This commit is contained in:
@@ -4,7 +4,7 @@ type: workplan
|
||||
title: "Ops-Warden Policy Gate Production Deployment"
|
||||
domain: infotech
|
||||
repo: flex-auth
|
||||
status: blocked
|
||||
status: finished
|
||||
owner: codex
|
||||
topic_slug: flex-auth
|
||||
planning_priority: P0
|
||||
@@ -14,7 +14,7 @@ depends_on_workplans:
|
||||
related_workplans:
|
||||
- WARDEN-WP-0009
|
||||
created: "2026-06-23"
|
||||
updated: "2026-06-23"
|
||||
updated: "2026-06-30"
|
||||
state_hub_workstream_id: "358ce697-2611-4fe9-89ab-63e86ceb00fa"
|
||||
---
|
||||
|
||||
@@ -25,21 +25,22 @@ state_hub_workstream_id: "358ce697-2611-4fe9-89ab-63e86ceb00fa"
|
||||
Deploy flex-auth as a reachable production runtime for ops-warden's opt-in SSH
|
||||
signing policy gate, load a production registry aligned with real inventory
|
||||
actors, and complete joint smoke evidence so operators can set policy.enabled:
|
||||
true in warden.yaml.
|
||||
true in warden.yaml when the ecosystem maturity stage calls for live enforcement.
|
||||
|
||||
Review update: repo-side production readiness is now separated from
|
||||
operator-only work. flex-auth can publish the production fixture, tests,
|
||||
runtime command, and sync contract in this repo. The actual stable URL
|
||||
deployment and OpenBao smoke remain blocked because they need NetKingdom
|
||||
reachability and a refreshed scoped VAULT_TOKEN.
|
||||
deployment and OpenBao smoke were completed through the operator tunnel and a
|
||||
scoped warden-sign OpenBao lane. The final `policy.enabled` production flip is
|
||||
explicitly deferred until the ecosystem reaches testing/production maturity.
|
||||
|
||||
## Background
|
||||
|
||||
ops-warden finished WARDEN-WP-0009 on the caller side: local and
|
||||
production-registry smoke passed, and the production registry generator exists.
|
||||
The remaining risk is operational, not policy shape: warden workstations need a
|
||||
reachable flex-auth URL, and the vault-backed joint smoke needs a valid scoped
|
||||
VAULT_TOKEN.
|
||||
reachable flex-auth URL and a vault-backed joint smoke before the gate can be
|
||||
banked for later enforcement.
|
||||
|
||||
Production registry artifacts:
|
||||
|
||||
@@ -130,7 +131,7 @@ repos.
|
||||
|
||||
```task
|
||||
id: FLEX-WP-0007-T04
|
||||
status: wait
|
||||
status: done
|
||||
priority: medium
|
||||
state_hub_task_id: "32a96f1c-e0e8-4e27-baa6-7b8c445cf7a1"
|
||||
```
|
||||
@@ -139,14 +140,16 @@ Coordinate with ops-warden for vault-backed signing through the deployed
|
||||
flex-auth runtime.
|
||||
|
||||
- [x] flex-auth deployed with production registry via operator tunnel, completing T1
|
||||
- [ ] ops-warden policy.enabled: true and policy.flex_auth_url points to deployed URL http://127.0.0.1:18090 on CoulombCore
|
||||
- [ ] Valid scoped VAULT_TOKEN with warden-sign policy, operator-provided
|
||||
- [ ] Allow smoke: warden sign agt-state-hub-bridge records backend vault and policy_decision_id
|
||||
- [ ] Deny smoke: TTL above registry max is denied by flex-auth before OpenBao
|
||||
- [ ] Record non-secret evidence: decision ids, reasons, actor names only
|
||||
- [x] policy.flex_auth_url validated against deployed URL http://127.0.0.1:18090 on CoulombCore; `policy.enabled` intentionally remains off until testing/production maturity
|
||||
- [x] Scoped warden-sign OpenBao lane available for the smoke; no token value recorded here
|
||||
- [x] Allow smoke: `warden sign agt-state-hub-bridge` recorded backend `vault` and policy_decision_id `decision:032b096c433ad80c`
|
||||
- [x] Deny smoke: TTL above registry max was denied by flex-auth before OpenBao with reason `ttl_out_of_bounds`
|
||||
- [x] Record non-secret evidence: decision ids, reasons, actor names only
|
||||
|
||||
Blocked on: scoped VAULT_TOKEN refresh. Previous ops-warden session returned
|
||||
HTTP 403 on 2026-06-23; no VAULT_TOKEN is present in this session.
|
||||
Closed on 2026-06-30 from ops-warden non-secret smoke evidence received
|
||||
2026-06-29. The operator deliberately keeps `policy.enabled` off for now because
|
||||
the ecosystem is still build-stage/pre-testing; the gate is verified and banked
|
||||
for later live enforcement rather than forced into premature production rigor.
|
||||
|
||||
Smoke runner when token is valid:
|
||||
|
||||
@@ -176,8 +179,8 @@ required beyond existing policy behavior.
|
||||
- flex-auth production runtime reachable from CoulombCore warden path: done via flex-auth-coulombcore operator tunnel
|
||||
- Production registry loaded and real inventory actors covered locally: done
|
||||
- Registry sync contract published and cross-linked: done
|
||||
- Joint vault-backed smoke evidence recorded, or T4 explicitly waits on token: T4 waits on scoped VAULT_TOKEN
|
||||
- ops-warden operator has the repo-side artifacts needed to set policy.enabled: true after the stable URL and token are ready
|
||||
- Joint vault-backed smoke evidence recorded: done, decision:032b096c433ad80c
|
||||
- ops-warden operator has the repo-side artifacts needed to set policy.enabled: true later, when maturity posture calls for live enforcement
|
||||
|
||||
## Implementation Notes
|
||||
|
||||
@@ -187,9 +190,10 @@ required beyond existing policy behavior.
|
||||
- Added Go coverage for production actor allows, IAM subject allow, ttl_out_of_bounds, unknown_actor_resource, production registry counts, and /healthz.
|
||||
- Published docs/ops-warden-registry-sync.md and cross-linked it from the handoff and examples docs.
|
||||
|
||||
Remaining blocked work:
|
||||
Closeout note:
|
||||
|
||||
- Operator refreshes scoped VAULT_TOKEN and reruns the OpenBao-backed smoke.
|
||||
- The OpenBao-backed smoke passed through ops-warden with the scoped warden-sign lane.
|
||||
- The `policy.enabled` flip is intentionally deferred by operator/maturity decision, not treated as an open repo-side blocker.
|
||||
- After workplan file changes, run make fix-consistency REPO=flex-auth from ~/state-hub to mirror these statuses into State Hub.
|
||||
|
||||
## See Also
|
||||
@@ -209,3 +213,11 @@ Remaining blocked work:
|
||||
- Verified remote health from CoulombCore: GET /healthz returned HTTP 200.
|
||||
- Verified remote POST /v1/check from CoulombCore allowed agt-state-hub-bridge with decision:873c6c682a52bebc.
|
||||
- VAULT_TOKEN is absent, so OpenBao-backed smoke remains blocked on operator credential refresh.
|
||||
|
||||
2026-06-30 closeout from ops-warden smoke handoff:
|
||||
|
||||
- Mode: `FLEX_AUTH_EXTERNAL` against deployed runtime `127.0.0.1:18090` via the CoulombCore operator path.
|
||||
- Allow: `warden sign agt-state-hub-bridge` returned policy_decision_id `decision:032b096c433ad80c`.
|
||||
- Deny: `--ttl 999` was rejected with `ttl_out_of_bounds` before OpenBao signing.
|
||||
- Vault-backed allow: backend `vault` produced the same policy_decision_id through the scoped warden-sign OpenBao lane.
|
||||
- Operator decision: keep `policy.enabled` off during build-stage/pre-testing and flip it later when the ecosystem reaches the appropriate maturity posture.
|
||||
|
||||
Reference in New Issue
Block a user