FLEX-WP-0007: production registry fixture, tests, and sync runbook

Add production_registry_snapshot.json from ops-warden inventory with CI coverage for real actors, IAM subject binding, ttl_out_of_bounds, and unknown_actor_resource. Extend serve contract tests with /healthz and publish the registry sync contract for operator deployment.
2026-06-24 14:52:35 +02:00
parent fae0f00a69
commit 941501c590
7 changed files with 981 additions and 3 deletions
--- a/examples/ops-warden/README.md
+++ b/examples/ops-warden/README.md
@@ -32,3 +32,18 @@ flex-auth check --registry examples/ops-warden/registry_snapshot.json --policy e

 The fixture public-key fingerprints are examples only. Do not put real keys,
 OpenBao tokens, or private signing material in these files.
+
+
+## Production Registry Fixture
+
+production_registry_snapshot.json is a non-secret fixture generated by
+ops-warden for FLEX-WP-0007 coverage. It mirrors the current production actor
+names used by ops-warden inventory and should be refreshed when that inventory
+changes.
+
+Validate both registries locally:
+
+    flex-auth load-registry --file examples/ops-warden/registry_snapshot.json
+    flex-auth load-registry --file examples/ops-warden/production_registry_snapshot.json
+
+The production sync contract is documented in docs/ops-warden-registry-sync.md.
--- a/examples/ops-warden/production_registry_snapshot.json
+++ b/examples/ops-warden/production_registry_snapshot.json
@@ -0,0 +1,450 @@
+{
+  "systems": [
+    {
+      "id": "ops-warden",
+      "name": "Ops Warden",
+      "resource_types": [
+        {
+          "name": "ssh-certificate",
+          "scope_level": "Resource",
+          "planes": [
+            "Identity",
+            "Secret",
+            "Audit"
+          ],
+          "metadata": {
+            "description": "Short-lived SSH certificate signing request."
+          }
+        }
+      ],
+      "actions": [
+        {
+          "name": "sign",
+          "capabilities": [
+            "Use",
+            "Operate",
+            "Audit"
+          ],
+          "planes": [
+            "Identity",
+            "Secret",
+            "Audit"
+          ],
+          "exposure_modes": [
+            "Metadata"
+          ],
+          "metadata": {
+            "required_context": [
+              "principals",
+              "actor_type",
+              "pubkey_fingerprint",
+              "ttl_hours"
+            ]
+          }
+        }
+      ],
+      "caring_profiles": [
+        "caring-0.4.0-rc2"
+      ],
+      "metadata": {
+        "flex_auth_contract": "protected-system-v0",
+        "ops_warden_policy_gate": "v2",
+        "policy_enabled_config": "policy.enabled",
+        "tenant": "tenant:platform"
+      }
+    }
+  ],
+  "resource_manifests": [
+    {
+      "id": "ops-warden-ssh-certificates",
+      "system": "ops-warden",
+      "resources": [
+        {
+          "id": "ssh-cert:actor/adm-example",
+          "type": "ssh-certificate",
+          "labels": [
+            "ssh-signing",
+            "adm"
+          ],
+          "trust_zone": "platform",
+          "owner": "team:platform-security",
+          "attributes": {
+            "actor_id": "adm-example",
+            "actor_type": "adm",
+            "allowed_subjects": [
+              "adm-example",
+              "iam:adm-example"
+            ],
+            "allowed_principals": [
+              "adm-full"
+            ],
+            "max_ttl_hours": 48
+          }
+        },
+        {
+          "id": "ssh-cert:actor/agt-codex-interhub-bootstrap",
+          "type": "ssh-certificate",
+          "labels": [
+            "ssh-signing",
+            "agt"
+          ],
+          "trust_zone": "platform",
+          "owner": "team:platform-security",
+          "attributes": {
+            "actor_id": "agt-codex-interhub-bootstrap",
+            "actor_type": "agt",
+            "allowed_subjects": [
+              "agt-codex-interhub-bootstrap",
+              "iam:agt-codex-interhub-bootstrap"
+            ],
+            "allowed_principals": [
+              "agt-interhub-bootstrap"
+            ],
+            "max_ttl_hours": 2
+          }
+        },
+        {
+          "id": "ssh-cert:actor/agt-state-hub-bridge",
+          "type": "ssh-certificate",
+          "labels": [
+            "ssh-signing",
+            "agt"
+          ],
+          "trust_zone": "platform",
+          "owner": "team:platform-security",
+          "attributes": {
+            "actor_id": "agt-state-hub-bridge",
+            "actor_type": "agt",
+            "allowed_subjects": [
+              "agt-state-hub-bridge",
+              "iam:agt-state-hub-bridge"
+            ],
+            "allowed_principals": [
+              "agt-task-bridge"
+            ],
+            "max_ttl_hours": 24
+          }
+        },
+        {
+          "id": "ssh-cert:actor/atm-backup-daily",
+          "type": "ssh-certificate",
+          "labels": [
+            "ssh-signing",
+            "atm"
+          ],
+          "trust_zone": "platform",
+          "owner": "team:platform-security",
+          "attributes": {
+            "actor_id": "atm-backup-daily",
+            "actor_type": "atm",
+            "allowed_subjects": [
+              "atm-backup-daily",
+              "iam:atm-backup-daily"
+            ],
+            "allowed_principals": [
+              "atm-backup-daily"
+            ],
+            "max_ttl_hours": 8
+          }
+        }
+      ],
+      "actions": [
+        "sign"
+      ],
+      "caring_profile": "caring-0.4.0-rc2",
+      "metadata": {
+        "flex_auth_contract": "resource-registration-v0",
+        "tenant": "tenant:platform"
+      }
+    }
+  ],
+  "tenants": [
+    {
+      "id": "tenant:platform",
+      "name": "Platform Tenant"
+    }
+  ],
+  "subjects": [
+    {
+      "id": "adm-example",
+      "type": "Agent",
+      "display_name": "Example human operator \u2014 replace with per-person adm-* actors",
+      "organization_relation": "ServiceProvider",
+      "roles": [
+        "Operator"
+      ],
+      "groups": [
+        "group:ops-warden-admins"
+      ],
+      "tenant": "tenant:platform",
+      "metadata": {
+        "actor_type": "adm"
+      }
+    },
+    {
+      "id": "agt-codex-interhub-bootstrap",
+      "type": "Agent",
+      "display_name": "Short-lived agent access for attended Inter-Hub bootstrap",
+      "organization_relation": "ServiceProvider",
+      "roles": [
+        "Operator"
+      ],
+      "groups": [
+        "group:ops-warden-agents"
+      ],
+      "tenant": "tenant:platform",
+      "metadata": {
+        "actor_type": "agt"
+      }
+    },
+    {
+      "id": "agt-state-hub-bridge",
+      "type": "Agent",
+      "display_name": "ops-bridge tunnel agent for state-hub",
+      "organization_relation": "ServiceProvider",
+      "roles": [
+        "Operator"
+      ],
+      "groups": [
+        "group:ops-warden-agents"
+      ],
+      "tenant": "tenant:platform",
+      "metadata": {
+        "actor_type": "agt"
+      }
+    },
+    {
+      "id": "atm-backup-daily",
+      "type": "Automation",
+      "display_name": "Example nightly automation actor",
+      "organization_relation": "ServiceProvider",
+      "roles": [
+        "Operator"
+      ],
+      "groups": [
+        "group:ops-warden-automations"
+      ],
+      "tenant": "tenant:platform",
+      "metadata": {
+        "actor_type": "atm"
+      }
+    }
+  ],
+  "groups": [
+    {
+      "id": "group:ops-warden-admins",
+      "display_name": "Ops Warden Admins",
+      "members": [
+        "adm-example"
+      ],
+      "tenant": "tenant:platform"
+    },
+    {
+      "id": "group:ops-warden-agents",
+      "display_name": "Ops Warden Agents",
+      "members": [
+        "agt-codex-interhub-bootstrap",
+        "agt-state-hub-bridge"
+      ],
+      "tenant": "tenant:platform"
+    },
+    {
+      "id": "group:ops-warden-automations",
+      "display_name": "Ops Warden Automations",
+      "members": [
+        "atm-backup-daily"
+      ],
+      "tenant": "tenant:platform"
+    }
+  ],
+  "relationships": [
+    {
+      "id": "rel:adm-example-sign-adm-example",
+      "system": "ops-warden",
+      "subject": "group:ops-warden-admins",
+      "relation": "signer",
+      "object": "ssh-cert:actor/adm-example",
+      "tenant": "tenant:platform",
+      "conditions": [
+        "TimeLimited",
+        "Logged"
+      ],
+      "caring": {
+        "id": "descriptor:ops-warden-adm-signer",
+        "profile": "caring-0.4.0-rc2",
+        "subject_type": "Group",
+        "organization_relation": "ServiceProvider",
+        "canonical_role": "Operator",
+        "scope": {
+          "level": "Resource",
+          "id": "ssh-cert:actor/adm-example",
+          "tenant": "tenant:platform",
+          "resource": "ssh-cert:actor/adm-example"
+        },
+        "planes": [
+          "Identity",
+          "Secret",
+          "Audit"
+        ],
+        "capabilities": [
+          "Use",
+          "Operate",
+          "Audit"
+        ],
+        "exposure_modes": [
+          "Metadata"
+        ],
+        "conditions": [
+          "TimeLimited",
+          "Logged"
+        ],
+        "restrictions": [
+          "PrivilegeEscalationBlocked",
+          "SecretAccessBlocked"
+        ],
+        "access_path": "mediated"
+      }
+    },
+    {
+      "id": "rel:agt-codex-interhub-bootstrap-sign-agt-codex-interhub-bootstrap",
+      "system": "ops-warden",
+      "subject": "group:ops-warden-agents",
+      "relation": "signer",
+      "object": "ssh-cert:actor/agt-codex-interhub-bootstrap",
+      "tenant": "tenant:platform",
+      "conditions": [
+        "TimeLimited",
+        "Logged"
+      ],
+      "caring": {
+        "id": "descriptor:ops-warden-agt-signer",
+        "profile": "caring-0.4.0-rc2",
+        "subject_type": "Group",
+        "organization_relation": "ServiceProvider",
+        "canonical_role": "Operator",
+        "scope": {
+          "level": "Resource",
+          "id": "ssh-cert:actor/agt-codex-interhub-bootstrap",
+          "tenant": "tenant:platform",
+          "resource": "ssh-cert:actor/agt-codex-interhub-bootstrap"
+        },
+        "planes": [
+          "Identity",
+          "Secret",
+          "Audit"
+        ],
+        "capabilities": [
+          "Use",
+          "Operate",
+          "Audit"
+        ],
+        "exposure_modes": [
+          "Metadata"
+        ],
+        "conditions": [
+          "TimeLimited",
+          "Logged"
+        ],
+        "restrictions": [
+          "PrivilegeEscalationBlocked",
+          "SecretAccessBlocked"
+        ],
+        "access_path": "mediated"
+      }
+    },
+    {
+      "id": "rel:agt-state-hub-bridge-sign-agt-state-hub-bridge",
+      "system": "ops-warden",
+      "subject": "group:ops-warden-agents",
+      "relation": "signer",
+      "object": "ssh-cert:actor/agt-state-hub-bridge",
+      "tenant": "tenant:platform",
+      "conditions": [
+        "TimeLimited",
+        "Logged"
+      ],
+      "caring": {
+        "id": "descriptor:ops-warden-agt-signer",
+        "profile": "caring-0.4.0-rc2",
+        "subject_type": "Group",
+        "organization_relation": "ServiceProvider",
+        "canonical_role": "Operator",
+        "scope": {
+          "level": "Resource",
+          "id": "ssh-cert:actor/agt-state-hub-bridge",
+          "tenant": "tenant:platform",
+          "resource": "ssh-cert:actor/agt-state-hub-bridge"
+        },
+        "planes": [
+          "Identity",
+          "Secret",
+          "Audit"
+        ],
+        "capabilities": [
+          "Use",
+          "Operate",
+          "Audit"
+        ],
+        "exposure_modes": [
+          "Metadata"
+        ],
+        "conditions": [
+          "TimeLimited",
+          "Logged"
+        ],
+        "restrictions": [
+          "PrivilegeEscalationBlocked",
+          "SecretAccessBlocked"
+        ],
+        "access_path": "mediated"
+      }
+    },
+    {
+      "id": "rel:atm-backup-daily-sign-atm-backup-daily",
+      "system": "ops-warden",
+      "subject": "group:ops-warden-automations",
+      "relation": "signer",
+      "object": "ssh-cert:actor/atm-backup-daily",
+      "tenant": "tenant:platform",
+      "conditions": [
+        "TimeLimited",
+        "Logged"
+      ],
+      "caring": {
+        "id": "descriptor:ops-warden-atm-signer",
+        "profile": "caring-0.4.0-rc2",
+        "subject_type": "Group",
+        "organization_relation": "ServiceProvider",
+        "canonical_role": "Operator",
+        "scope": {
+          "level": "Resource",
+          "id": "ssh-cert:actor/atm-backup-daily",
+          "tenant": "tenant:platform",
+          "resource": "ssh-cert:actor/atm-backup-daily"
+        },
+        "planes": [
+          "Identity",
+          "Secret",
+          "Audit"
+        ],
+        "capabilities": [
+          "Use",
+          "Operate",
+          "Audit"
+        ],
+        "exposure_modes": [
+          "Metadata"
+        ],
+        "conditions": [
+          "TimeLimited",
+          "Logged"
+        ],
+        "restrictions": [
+          "PrivilegeEscalationBlocked",
+          "SecretAccessBlocked"
+        ],
+        "access_path": "mediated"
+      }
+    }
+  ]
+}