flex-auth/examples/ops-warden
tegwick 0fde95a87c
FLEX-WP-0006: implement ops-warden signing gate policy
2026-06-23 21:17:42 +02:00

Ops-Warden SSH Signing Policy Gate

This example is the flex-auth side of ops-warden's opt-in pre-sign gate. When policy.enabled: true, ops-warden calls POST /v1/check before signing or issuing an SSH certificate.

Files:

  • protected_system_manifest.yaml declares the ops-warden protected system, ssh-certificate resource type, and sign action.
  • resource_manifest.yaml declares fixture SSH certificate actor resources and non-secret policy attributes such as allowed principals and TTL maxima.
  • subject_manifest.yaml declares non-secret fixture actors for adm, agt, and atm signing paths.
  • registry_snapshot.json is the combined local registry used by the CLI and service examples.
  • policy_package.md is the Rego-in-Markdown policy package.
  • policy_fixtures.yaml contains allow and deny expectations for package validation.
  • check_request_*.json files are ops-warden-shaped /v1/check requests.
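To make the gate's decision concrete, here is an added example (not flex-auth or ops-warden code) that models locally what POST /v1/check decides for a sign request: the actor and resource must be in the registry, the actor's signing path must match the resource, the requested principals must be a subset of the allowed principals, and the TTL must not exceed the maximum. Every request and registry field name below is an assumption chosen for illustration, and the fixtures are constructed.

```python
# Added example, not project code: a local model of the signing-gate decision.
# Field names (protected_system, principals, ttl_seconds, ...) are assumptions.
from dataclasses import dataclass

PROTECTED_SYSTEM = "ops-warden"
RESOURCE_TYPE = "ssh-certificate"
ACTION = "sign"

# Constructed registry: non-secret policy attributes per resource, plus fixture actors.
REGISTRY = {
    "resources": {
        "ssh-cert/adm": {"allowed_principals": {"root", "ops"}, "max_ttl_seconds": 3600},
        "ssh-cert/agt": {"allowed_principals": {"agent"}, "max_ttl_seconds": 900},
    },
    "subjects": {"adm-fixture-1": {"path": "adm"}, "agt-fixture-1": {"path": "agt"}},
}

@dataclass
class Decision:
    allow: bool
    reason: str

def check(request: dict, registry: dict = REGISTRY) -> Decision:
    """Fail closed: anything unknown or out of bounds is denied."""
    if request.get("protected_system") != PROTECTED_SYSTEM:
        return Decision(False, "unknown protected system")
    if request.get("resource_type") != RESOURCE_TYPE or request.get("action") != ACTION:
        return Decision(False, "resource type or action not covered by the gate")
    subject = registry["subjects"].get(request.get("subject"))
    resource = registry["resources"].get(request.get("resource"))
    if subject is None or resource is None:
        return Decision(False, "subject or resource not in registry")
    if not request["resource"].endswith("/" + subject["path"]):
        return Decision(False, "subject signing path does not match resource")
    principals = set(request.get("principals", []))
    if not principals or not principals <= resource["allowed_principals"]:
        return Decision(False, f"principals {sorted(principals)} not allowed")
    ttl = request.get("ttl_seconds", 0)
    if not 0 < ttl <= resource["max_ttl_seconds"]:
        return Decision(False, f"ttl {ttl}s exceeds max {resource['max_ttl_seconds']}s")
    return Decision(True, "allowed")

# Constructed requests: one allow case for the adm path, one TTL deny for agt.
ALLOW_ADM = {"protected_system": "ops-warden", "resource_type": "ssh-certificate",
             "action": "sign", "subject": "adm-fixture-1", "resource": "ssh-cert/adm",
             "principals": ["ops"], "ttl_seconds": 1800}
DENY_AGT_TTL = {**ALLOW_ADM, "subject": "agt-fixture-1", "resource": "ssh-cert/agt",
                "principals": ["agent"], "ttl_seconds": 86400}
```

Calling `check(ALLOW_ADM)` returns an allow decision and `check(DENY_AGT_TTL)` a deny whose reason names the TTL; any request for an actor, resource, principal or action the registry does not know is denied by default.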

Run locally:

flex-auth validate --kind protected-system --file examples/ops-warden/protected_system_manifest.yaml
flex-auth validate --kind resource-manifest --file examples/ops-warden/resource_manifest.yaml
flex-auth validate --kind subject-manifest --file examples/ops-warden/subject_manifest.yaml
flex-auth load-registry --file examples/ops-warden/registry_snapshot.json
flex-auth test-policy --file examples/ops-warden/policy_package.md
flex-auth check --registry examples/ops-warden/registry_snapshot.json --policy examples/ops-warden/policy_package.md --request examples/ops-warden/check_request_allow_adm.json

The fixture public-key fingerprints are examples only. Do not put real keys, OpenBao tokens, or private signing material in these files.