coulomb/flex-auth
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
941501c590b7ab0e4a81ee2f97d7ef25af7e8294
flex-auth/examples/ops-warden/README.md
tegwick 941501c590
Some checks are pending
CI / Build and Test (push) Waiting to run
Details
CI / Lint (push) Waiting to run
Details
FLEX-WP-0007: production registry fixture, tests, and sync runbook 
Add production_registry_snapshot.json from ops-warden inventory with CI
coverage for real actors, IAM subject binding, ttl_out_of_bounds, and
unknown_actor_resource. Extend serve contract tests with /healthz and
publish the registry sync contract for operator deployment.
2026-06-24 14:52:35 +02:00

2.2 KiB
Raw Blame History

Ops-Warden SSH Signing Policy Gate

This example is the flex-auth side of ops-warden's opt-in pre-sign gate. When policy.enabled: true, ops-warden calls POST /v1/check before signing or issuing an SSH certificate.

Files:

  • protected_system_manifest.yaml declares the ops-warden protected system, ssh-certificate resource type, and sign action.
  • resource_manifest.yaml declares fixture SSH certificate actor resources and non-secret policy attributes such as allowed principals and TTL maxima.
  • subject_manifest.yaml declares non-secret fixture actors for adm, agt, and atm signing paths.
  • registry_snapshot.json is the combined local registry used by the CLI and service examples.
  • policy_package.md is the Rego-in-Markdown policy package.
  • policy_fixtures.yaml contains allow and deny expectations for package validation.
  • check_request_*.json files are ops-warden-shaped /v1/check requests.

Run locally:

flex-auth validate --kind protected-system --file examples/ops-warden/protected_system_manifest.yaml
flex-auth validate --kind resource-manifest --file examples/ops-warden/resource_manifest.yaml
flex-auth validate --kind subject-manifest --file examples/ops-warden/subject_manifest.yaml
flex-auth load-registry --file examples/ops-warden/registry_snapshot.json
flex-auth test-policy --file examples/ops-warden/policy_package.md
flex-auth check --registry examples/ops-warden/registry_snapshot.json --policy examples/ops-warden/policy_package.md --request examples/ops-warden/check_request_allow_adm.json

The fixture public-key fingerprints are examples only. Do not put real keys, OpenBao tokens, or private signing material in these files.

Production Registry Fixture

production_registry_snapshot.json is a non-secret fixture generated by ops-warden for FLEX-WP-0007 coverage. It mirrors the current production actor names used by ops-warden inventory and should be refreshed when that inventory changes.

Validate both registries locally:

flex-auth load-registry --file examples/ops-warden/registry_snapshot.json
flex-auth load-registry --file examples/ops-warden/production_registry_snapshot.json

The production sync contract is documented in docs/ops-warden-registry-sync.md.

Reference in New Issue View Git Blame Copy Permalink