generated from coulomb/repo-seed
feat: opt-in flex-auth policy gate and OpenBao verify (WP-0007)
Add policy.py client that calls flex-auth /v1/check before sign/issue when policy.enabled is true. Record policy_decision_id in signatures.log. Default off preserves existing inventory-only behavior. Document production OpenBao health probe and update config/wiki references.
This commit is contained in:
@@ -0,0 +1,81 @@
|
||||
---
|
||||
id: WARDEN-WP-0007
|
||||
type: workplan
|
||||
title: "Policy Gate and Production OpenBao Verification"
|
||||
domain: custodian
|
||||
repo: ops-warden
|
||||
status: finished
|
||||
owner: codex
|
||||
topic_slug: custodian
|
||||
planning_priority: high
|
||||
planning_order: 7
|
||||
created: "2026-06-17"
|
||||
updated: "2026-06-17"
|
||||
---
|
||||
|
||||
# WARDEN-WP-0007 — Policy Gate and Production OpenBao Verification
|
||||
|
||||
**Scope:** Record production OpenBao reachability evidence; implement opt-in
|
||||
flex-auth policy gate before `warden sign` / `warden issue` per
|
||||
`wiki/PolicyGatedSigning.md`.
|
||||
|
||||
**Out of scope:** flex-auth policy package authoring, OpenBao SSH engine mount
|
||||
on Railiance (operator), identity claim requirement (v2.1).
|
||||
|
||||
---
|
||||
|
||||
## Tasks
|
||||
|
||||
### T1 — Production OpenBao verification evidence
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0007-T01
|
||||
status: done
|
||||
priority: high
|
||||
```
|
||||
|
||||
- [x] Probe `https://bao.coulomb.social/v1/sys/health`
|
||||
- [x] Document results in `history/2026-06-17-openbao-production-verify.md`
|
||||
- [x] Note blockers for full `warden sign` (scoped token, SSH engine roles)
|
||||
|
||||
### T2 — Policy config and flex-auth client
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0007-T02
|
||||
status: done
|
||||
priority: high
|
||||
```
|
||||
|
||||
- [x] `PolicyConfig` in `config.py` (`policy.enabled`, `flex_auth_url`, `fail_closed`)
|
||||
- [x] `policy.py` — POST `/v1/check`, pubkey fingerprint, CAError on deny
|
||||
|
||||
### T3 — Wire policy gate into sign/issue
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0007-T03
|
||||
status: done
|
||||
priority: high
|
||||
```
|
||||
|
||||
- [x] Call policy check before `ca.sign()` when enabled
|
||||
- [x] Store `policy_decision_id` in `signatures.log`
|
||||
|
||||
### T4 — Tests and docs
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0007-T04
|
||||
status: done
|
||||
priority: medium
|
||||
```
|
||||
|
||||
- [x] `tests/test_policy.py`
|
||||
- [x] Update `wiki/OpsWardenConfig.md`, `wiki/PolicyGatedSigning.md`
|
||||
|
||||
---
|
||||
|
||||
## Acceptance Criteria
|
||||
|
||||
- [x] Production health evidence recorded (non-secret)
|
||||
- [x] `policy.enabled: false` default — no behavior change
|
||||
- [x] `policy.enabled: true` calls flex-auth; deny blocks sign
|
||||
- [x] All unit tests pass
|
||||
Reference in New Issue
Block a user