coulomb/flex-auth
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f0d1afa2379c857bf6ab8029c8820f60f0833fc9
flex-auth/docs/ops-warden-policy-gate-handoff.md
tegwick 0fde95a87c
Some checks failed
CI / Build and Test (push) Has been cancelled
Details
CI / Lint (push) Has been cancelled
Details
FLEX-WP-0006: implement ops-warden signing gate policy
2026-06-23 21:17:42 +02:00

83 lines
2.9 KiB
Markdown
Raw Blame History

# Ops-Warden Policy Gate Handoff
Date: 2026-06-23
Workplan: FLEX-WP-0006
Ops-warden unblocker: WARDEN-WP-0009 T01
## Published flex-auth assets
- Policy package: examples/ops-warden/policy_package.md
- Policy fixtures: examples/ops-warden/policy_fixtures.yaml
- Combined registry fixture: examples/ops-warden/registry_snapshot.json
- Protected-system manifest: examples/ops-warden/protected_system_manifest.yaml
- Resource manifest: examples/ops-warden/resource_manifest.yaml
- Subject manifest: examples/ops-warden/subject_manifest.yaml
- Service request fixtures: examples/ops-warden/check_request_*.json
## Local service command
flex-auth serve --addr 127.0.0.1:8080 --registry examples/ops-warden/registry_snapshot.json --policy examples/ops-warden/policy_package.md --log /tmp/flex-auth-ops-warden-decisions.jsonl
Ops-warden can point policy.flex_auth_url at that base URL for local smoke.
Production should keep policy.fail_closed true unless an explicit break-glass
procedure exists.
## Fixture coverage
Allow fixtures:
- fixture:ops-warden-adm-sign-allow
- fixture:ops-warden-agt-sign-allow
- fixture:ops-warden-atm-sign-allow
Deny fixtures:
- fixture:ops-warden-unknown-subject-deny
- fixture:ops-warden-actor-type-mismatch-deny
- fixture:ops-warden-ttl-above-max-deny
- fixture:ops-warden-disallowed-principal-deny
- fixture:ops-warden-missing-fingerprint-deny
## Non-secret smoke evidence
CLI validation on 2026-06-23:
- protected-system manifest: valid
- resource manifest: valid
- subject manifest: valid
- registry snapshot: loaded 1 system, 1 resource manifest, 3 subjects,
3 groups, 3 relationships, and 1 tenant
- policy package: valid with 8 passing fixtures
Local /v1/check service smoke on 2026-06-23:
- allow request: effect allow, reason signing_policy_matched,
decision id decision:706efe49f68d9ef1
- deny request: effect deny, reason ttl_out_of_bounds,
decision id decision:b69bdc25a988f367
- GET /v1/check: HTTP 405
- malformed POST /v1/check: HTTP 400
- decision log contained both decision ids
## Production sequence for ops-warden
1. Deploy the flex-auth registry and policy package above to the selected
flex-auth runtime.
2. Configure ops-warden policy.flex_auth_url to the flex-auth base URL.
3. Set policy.enabled: true.
4. Keep policy.tenant as tenant:platform unless a tenant-specific policy package
is introduced.
5. Run one allow-path sign smoke and confirm signatures.log includes
policy_decision_id.
6. Run one deny-path smoke with fail_closed true and preserve only non-secret
evidence.
## Ownership boundary
flex-auth owns the authorization decision for the signing request. ops-warden
continues to own actor inventory, SSH CA operation, OpenBao SSH engine
integration, host documentation, and signatures.log production evidence.
No SSH private keys, OpenBao tokens, database credentials, or real public-key
material are stored in these fixtures.
Reference in New Issue View Git Blame Copy Permalink