feat: opt-in flex-auth policy gate and OpenBao verify (WP-0007)
Add policy.py client that calls flex-auth /v1/check before sign/issue when policy.enabled is true. Record policy_decision_id in signatures.log. Default off preserves existing inventory-only behavior. Document production OpenBao health probe and update config/wiki references.
@@ -5,7 +5,7 @@ from dataclasses import dataclass, field
|
||||
from datetime import datetime
|
||||
from enum import Enum
|
||||
from pathlib import Path
|
||||
from typing import List
|
||||
from typing import List, Optional
|
||||
|
||||
|
||||
class ActorType(str, Enum):
|
||||
@@ -52,6 +52,7 @@ class CertSpec:
|
||||
ttl_hours: int
|
||||
principals: List[str]
|
||||
identity: str = "" # defaults to actor_name if empty
|
||||
policy_decision_id: Optional[str] = None
|
||||
|
||||
def __post_init__(self) -> None:
|
||||
if not self.identity:
|
||||
|
||||
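Review bot: The new `policy_decision_id: Optional[str] = None` field on CertSpec carries no comment, and its None default is ambiguous for audit: a spec without an id looks the same whether the policy gate was disabled or the flex-auth check never ran. A short comment would pin the contract, for example `# flex-auth decision id recorded in signatures.log; None only when policy.enabled is false`. Nothing in the visible part of `__post_init__` ties the field to the policy setting, so presumably the sign/issue path enforces it. If it does not, that path should refuse a None id whenever policy is enabled, so that the gate fails closed. The CertSpec class begins above this hunk and the body of `__post_init__` continues below it.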