generated from coulomb/repo-seed
FLEX-WP-0007: production registry fixture, tests, and sync runbook
Add production_registry_snapshot.json from ops-warden inventory with CI coverage for real actors, IAM subject binding, ttl_out_of_bounds, and unknown_actor_resource. Extend serve contract tests with /healthz and publish the registry sync contract for operator deployment.
@@ -80,3 +80,25 @@ integration, host documentation, and signatures.log production evidence.
|
||||
|
||||
No SSH private keys, OpenBao tokens, database credentials, or real public-key
|
||||
material are stored in these fixtures.
|
||||
|
||||
|
||||
## FLEX-WP-0007 Production Update
|
||||
|
||||
Additional published assets:
|
||||
|
||||
- Production registry fixture: examples/ops-warden/production_registry_snapshot.json
|
||||
- Registry sync runbook: docs/ops-warden-registry-sync.md
|
||||
|
||||
Production runtime command:
|
||||
|
||||
flex-auth serve --addr 0.0.0.0:8080 --registry examples/ops-warden/production_registry_snapshot.json --policy examples/ops-warden/policy_package.md --log /var/log/flex-auth/ops-warden-decisions.jsonl
|
||||
|
||||
Use http://flex-auth.flex-auth.svc.cluster.local:8080 when cluster DNS is
|
||||
reachable from warden workstations. Otherwise use the approved operator tunnel
|
||||
or ingress URL. Always pre-flight GET /healthz from the same workstation before
|
||||
enabling policy.enabled with fail_closed true.
|
||||
|
||||
Production actor coverage now verifies agt-state-hub-bridge,
|
||||
agt-codex-interhub-bootstrap, adm-example, atm-backup-daily, ttl_out_of_bounds,
|
||||
unknown_actor_resource, and the iam:agt-state-hub-bridge subject path used by
|
||||
WARDEN_POLICY_SUBJECT.
|
||||
|
||||
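Review bot: The "Production runtime command" line binds the service with `--addr 0.0.0.0:8080`, and the next paragraph recommends a plain `http://` URL. Nothing in these added lines says where TLS is terminated or what restricts access to the listener. Please state the transport protection the deployment relies on (for example the approved ingress or tunnel), or bind to a specific interface, so operators do not expose the decision endpoint on every interface by copying the command as written. Two smaller points in the same block: `--registry` and `--policy` use paths relative to `examples/`, so the command only works from the repository root; say so or use absolute paths. The `/healthz` pre-flight sentence should also say what response counts as healthy and that `fail_closed true` must stay off until it passes, since a failed check followed by enabling the policy would deny all requests.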