coulomb/flex-auth
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
77bcd55ddb88822d351c48d2d3b818e0b560e123
flex-auth/docs/ops-warden-policy-gate-handoff.md
tegwick 0fde95a87c
Some checks failed
CI / Build and Test (push) Has been cancelled
Details
CI / Lint (push) Has been cancelled
Details
FLEX-WP-0006: implement ops-warden signing gate policy
2026-06-23 21:17:42 +02:00

2.9 KiB
Raw Blame History

Ops-Warden Policy Gate Handoff

Date: 2026-06-23 Workplan: FLEX-WP-0006 Ops-warden unblocker: WARDEN-WP-0009 T01

Published flex-auth assets

  • Policy package: examples/ops-warden/policy_package.md
  • Policy fixtures: examples/ops-warden/policy_fixtures.yaml
  • Combined registry fixture: examples/ops-warden/registry_snapshot.json
  • Protected-system manifest: examples/ops-warden/protected_system_manifest.yaml
  • Resource manifest: examples/ops-warden/resource_manifest.yaml
  • Subject manifest: examples/ops-warden/subject_manifest.yaml
  • Service request fixtures: examples/ops-warden/check_request_*.json

Local service command

flex-auth serve --addr 127.0.0.1:8080 --registry examples/ops-warden/registry_snapshot.json --policy examples/ops-warden/policy_package.md --log /tmp/flex-auth-ops-warden-decisions.jsonl

Ops-warden can point policy.flex_auth_url at that base URL for local smoke. Production should keep policy.fail_closed true unless an explicit break-glass procedure exists.

Fixture coverage

Allow fixtures:

  • fixture:ops-warden-adm-sign-allow
  • fixture:ops-warden-agt-sign-allow
  • fixture:ops-warden-atm-sign-allow

Deny fixtures:

  • fixture:ops-warden-unknown-subject-deny
  • fixture:ops-warden-actor-type-mismatch-deny
  • fixture:ops-warden-ttl-above-max-deny
  • fixture:ops-warden-disallowed-principal-deny
  • fixture:ops-warden-missing-fingerprint-deny

Non-secret smoke evidence

CLI validation on 2026-06-23:

  • protected-system manifest: valid
  • resource manifest: valid
  • subject manifest: valid
  • registry snapshot: loaded 1 system, 1 resource manifest, 3 subjects, 3 groups, 3 relationships, and 1 tenant
  • policy package: valid with 8 passing fixtures

Local /v1/check service smoke on 2026-06-23:

  • allow request: effect allow, reason signing_policy_matched, decision id decision:706efe49f68d9ef1
  • deny request: effect deny, reason ttl_out_of_bounds, decision id decision:b69bdc25a988f367
  • GET /v1/check: HTTP 405
  • malformed POST /v1/check: HTTP 400
  • decision log contained both decision ids

Production sequence for ops-warden

  1. Deploy the flex-auth registry and policy package above to the selected flex-auth runtime.
  2. Configure ops-warden policy.flex_auth_url to the flex-auth base URL.
  3. Set policy.enabled: true.
  4. Keep policy.tenant as tenant:platform unless a tenant-specific policy package is introduced.
  5. Run one allow-path sign smoke and confirm signatures.log includes policy_decision_id.
  6. Run one deny-path smoke with fail_closed true and preserve only non-secret evidence.

Ownership boundary

flex-auth owns the authorization decision for the signing request. ops-warden continues to own actor inventory, SSH CA operation, OpenBao SSH engine integration, host documentation, and signatures.log production evidence.

No SSH private keys, OpenBao tokens, database credentials, or real public-key material are stored in these fixtures.

Reference in New Issue View Git Blame Copy Permalink