feat: opt-in flex-auth policy gate and OpenBao verify (WP-0007)

Add policy.py client that calls flex-auth /v1/check before sign/issue when
policy.enabled is true. Record policy_decision_id in signatures.log. Default
off preserves existing inventory-only behavior. Document production OpenBao
health probe and update config/wiki references.
This commit is contained in:
2026-06-17 08:37:14 +02:00
parent 1865e0744e
commit 8e9383a33a
11 changed files with 552 additions and 71 deletions

View File

@@ -0,0 +1,81 @@
---
id: WARDEN-WP-0007
type: workplan
title: "Policy Gate and Production OpenBao Verification"
domain: custodian
repo: ops-warden
status: finished
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 7
created: "2026-06-17"
updated: "2026-06-17"
---
# WARDEN-WP-0007 — Policy Gate and Production OpenBao Verification
**Scope:** Record production OpenBao reachability evidence; implement opt-in
flex-auth policy gate before `warden sign` / `warden issue` per
`wiki/PolicyGatedSigning.md`.
**Out of scope:** flex-auth policy package authoring, OpenBao SSH engine mount
on Railiance (operator), identity claim requirement (v2.1).
---
## Tasks
### T1 — Production OpenBao verification evidence
```task
id: WARDEN-WP-0007-T01
status: done
priority: high
```
- [x] Probe `https://bao.coulomb.social/v1/sys/health`
- [x] Document results in `history/2026-06-17-openbao-production-verify.md`
- [x] Note blockers for full `warden sign` (scoped token, SSH engine roles)
### T2 — Policy config and flex-auth client
```task
id: WARDEN-WP-0007-T02
status: done
priority: high
```
- [x] `PolicyConfig` in `config.py` (`policy.enabled`, `flex_auth_url`, `fail_closed`)
- [x] `policy.py` — POST `/v1/check`, pubkey fingerprint, CAError on deny
### T3 — Wire policy gate into sign/issue
```task
id: WARDEN-WP-0007-T03
status: done
priority: high
```
- [x] Call policy check before `ca.sign()` when enabled
- [x] Store `policy_decision_id` in `signatures.log`
### T4 — Tests and docs
```task
id: WARDEN-WP-0007-T04
status: done
priority: medium
```
- [x] `tests/test_policy.py`
- [x] Update `wiki/OpsWardenConfig.md`, `wiki/PolicyGatedSigning.md`
---
## Acceptance Criteria
- [x] Production health evidence recorded (non-secret)
- [x] `policy.enabled: false` default — no behavior change
- [x] `policy.enabled: true` calls flex-auth; deny blocks sign
- [x] All unit tests pass