feat: opt-in flex-auth policy gate and OpenBao verify (WP-0007)

Add policy.py client that calls flex-auth /v1/check before sign/issue when
policy.enabled is true. Record policy_decision_id in signatures.log. Default
off preserves existing inventory-only behavior. Document production OpenBao
health probe and update config/wiki references.
This commit is contained in:
2026-06-17 08:37:14 +02:00
parent 1865e0744e
commit 8e9383a33a
11 changed files with 552 additions and 71 deletions

View File

@@ -0,0 +1,75 @@
# OpenBao Production Verification — 2026-06-17
**Workplan:** WARDEN-WP-0007-T01
**Endpoint:** `https://bao.coulomb.social`
**Operator:** codex (automated probe, no secrets recorded)
---
## Health probe
```bash
curl -s "https://bao.coulomb.social/v1/sys/health" | python3 -m json.tool
```
**Result (2026-06-17):**
| Field | Value |
| --- | --- |
| `initialized` | `true` |
| `sealed` | `false` |
| `standby` | `false` |
| `version` | `2.5.4` |
| `cluster_name` | `vault-cluster-ebe7da39` |
| `replication_performance_mode` | `primary` |
OpenBao is **reachable, initialized, and unsealed**. Suitable as the production
platform secrets endpoint for ops-warden `backend: vault`.
---
## Authenticated API (blocked without token)
```bash
curl -s -o /dev/null -w "%{http_code}" "https://bao.coulomb.social/v1/sys/mounts"
```
**Result:** HTTP `403` (expected without `X-Vault-Token`).
Full SSH engine verification (`bao secrets list`, role TTL alignment, live
`warden sign`) requires a **scoped operator token** with permission to:
1. List mounts and confirm `ssh/` engine is enabled
2. Read `ssh/roles/{adm,agt,atm}-role` TTL limits
3. Call `POST /v1/ssh/sign/<role>` for each actor type
See `wiki/OpenBaoSshEngineChecklist.md` for the step-by-step checklist.
---
## Blockers for end-to-end `warden sign`
| Blocker | Owner | Notes |
| --- | --- | --- |
| No `~/.config/warden/warden.yaml` on dev workstation | Operator | Point `vault.addr` at `https://bao.coulomb.social` |
| No scoped `VAULT_TOKEN` in session | Operator | OIDC login via KeyCape / `bao login` |
| SSH engine roles may not be provisioned | `railiance-platform` | Run checklist in `wiki/OpenBaoSshEngineChecklist.md` |
| flex-auth policy package for `ssh-certificate` | `flex-auth` | Out of scope for WP-0007; gate is opt-in |
---
## Recommended next operator steps
1. Create production `warden.yaml` with `backend: vault` and `vault.addr`.
2. Export short-lived `VAULT_TOKEN` after OIDC login.
3. Run `wiki/OpenBaoSshEngineChecklist.md` items 16.
4. Test: `warden sign <actor> --pubkey <path>` against a known inventory actor.
5. Enable `policy.enabled: true` only after flex-auth `ssh-certificate` policies exist.
---
## See also
- `wiki/OpsWardenConfig.md` — production config examples
- `wiki/OpenBaoSshEngineChecklist.md` — SSH engine validation
- `wiki/PolicyGatedSigning.md` — opt-in flex-auth gate (implemented WP-0007)