feat: close WP-0009/WP-0013 production integration stewardship strand

Ship flex-auth policy gate registry and smoke evidence, archive WP-0009
through WP-0013, and add integration docs: ops-bridge cert_command
migration playbook, operator OpenBao token hygiene, principals drift
check script, and 2026-06-24 INTENT/SCOPE gap analysis.
This commit is contained in:
2026-06-24 12:44:32 +02:00
parent 1778b169da
commit 90007c2cda
24 changed files with 2192 additions and 121 deletions

View File

@@ -0,0 +1,70 @@
# flex-auth Policy Gate — Local Smoke (WARDEN-WP-0009)
**Date:** 2026-06-23
**Workplan:** WARDEN-WP-0009 T01 closeout + T02 local smoke
**flex-auth delivery:** FLEX-WP-0006 (`docs/ops-warden-policy-gate-handoff.md`)
---
## Unblock
flex-auth published the `ssh-certificate` / `sign` policy package and ops-warden
handoff on 2026-06-23. WARDEN-WP-0009 T01 is complete; T2 local smoke below.
Production enablement still requires deploying a **production registry slice**
with real inventory actors (see `wiki/PolicyGatedSigning.md`).
---
## flex-auth assets confirmed
| Asset | Path (flex-auth repo) |
| --- | --- |
| Policy package | `examples/ops-warden/policy_package.md` |
| Fixtures | `examples/ops-warden/policy_fixtures.yaml` |
| Registry snapshot | `examples/ops-warden/registry_snapshot.json` |
| Handoff | `docs/ops-warden-policy-gate-handoff.md` |
Example registry actors (`platform-steward`, `ci-deploy-agent`, `backup-automation`)
are **templates**. Production actors such as `agt-state-hub-bridge` must be
registered in the deployed flex-auth registry before `policy.enabled: true`.
---
## Local smoke (ops-warden + flex-auth)
**Setup:** `backend: local`, `policy.enabled: true`, `fail_closed: true`,
flex-auth `serve` with ops-warden policy package and a smoke registry that adds
`agt-policy-smoke` (ops-warden naming-compliant clone of the `agt` fixture).
### Allow path
| Check | Result |
| --- | --- |
| `warden sign agt-policy-smoke` | Pass (exit 0) |
| `signatures.log` `policy_decision_id` | `decision:78bc882eca883f29` |
| `signatures.log` `backend` | `local` |
### Deny path (`fail_closed: true`)
| Check | Result |
| --- | --- |
| `warden sign agt-state-hub-bridge` (not in flex-auth registry) | Fail (exit 1) |
| CLI reason surfaced | `unknown_actor_resource` |
| Cert issued | No |
---
## Production remaining (T2)
1. Deploy flex-auth registry + policy package to production flex-auth runtime.
2. Register production inventory actors (`agt-state-hub-bridge`, `adm-*`, `atm-*`).
3. Set `policy.flex_auth_url` and `policy.enabled: true` in production `warden.yaml`.
4. Repeat allow/deny smoke against OpenBao-backed `warden sign`; capture
`policy_decision_id` in `signatures.log` (non-secret evidence only).
---
## See also
- `wiki/PolicyGatedSigning.md` — bindings, rollout, handoff link
- `workplans/WARDEN-WP-0009-flex-auth-policy-gate-production.md`

View File

@@ -0,0 +1,99 @@
# flex-auth Policy Gate — Production Registry Smoke (WARDEN-WP-0009 T02)
**Date:** 2026-06-23
**Workplan:** WARDEN-WP-0009 T02
**Operator:** codex (non-secret evidence only)
---
## Production registry slice
Built from `~/.config/warden/inventory.yaml` (matches `examples/inventory.seed.yaml`):
| Artifact | Path |
| --- | --- |
| Registry snapshot | `registry/flex-auth/production_registry_snapshot.json` |
| Generator | `scripts/build_flex_auth_registry.py` |
| Smoke runner | `scripts/policy_gate_production_smoke.sh` |
`flex-auth load-registry` validation: **4 actors**, 3 groups, 4 relationships.
Registered actors:
| Actor | Type | max_ttl_hours | Principals |
| --- | --- | --- | --- |
| `agt-state-hub-bridge` | agt | 24 | `agt-task-bridge` |
| `agt-codex-interhub-bootstrap` | agt | 2 | `agt-interhub-bootstrap` |
| `adm-example` | adm | 48 | `adm-full` |
| `atm-backup-daily` | atm | 8 | `atm-backup-daily` |
Regenerate after inventory changes:
```bash
python scripts/build_flex_auth_registry.py ~/.config/warden/inventory.yaml \
-o registry/flex-auth/production_registry_snapshot.json
```
Deploy the snapshot to the production flex-auth runtime (`flex-auth serve` or
future in-cluster deployment). Policy package path:
`~/flex-auth/examples/ops-warden/policy_package.md`.
---
## Smoke results (production inventory + registry)
flex-auth served locally with the production registry; `warden sign` used real
inventory actors and `policy.enabled: true`.
### Allow path — `agt-state-hub-bridge`
| Check | Result |
| --- | --- |
| `warden sign agt-state-hub-bridge` | Pass (exit 0) |
| `signatures.log` `policy_decision_id` | `decision:032b096c433ad80c` |
| `signatures.log` `actor` | `agt-state-hub-bridge` |
### Deny path — TTL above registry max (`fail_closed: true`)
| Check | Result |
| --- | --- |
| `warden sign agt-state-hub-bridge --ttl 999` | Fail (exit 1) |
| flex-auth reason | `ttl_out_of_bounds` |
| Cert issued | No |
---
## OpenBao-backed smoke (operator follow-up)
Attempted `backend: vault` against `https://bao.coulomb.social` with
`policy.enabled: true`. **Blocked:** `VAULT_TOKEN` in session returned HTTP 403
(`permission denied`). Baseline `warden sign` without policy gate fails the same
way — token refresh required before vault-backed policy smoke.
When a scoped `warden-sign` token is available:
```bash
export VAULT_TOKEN="<scoped-token>" # never commit or paste in chat
SMOKE_VAULT=1 ./scripts/policy_gate_production_smoke.sh
```
Then enable production `warden.yaml`:
```yaml
policy:
enabled: true
flex_auth_url: http://flex-auth.flex-auth.svc.cluster.local:8080 # or reachable URL
fail_closed: true
```
Keep `policy.enabled: false` until flex-auth is reachable at `flex_auth_url` from
the workstation running `warden sign``fail_closed: true` blocks all signs when
flex-auth is down.
---
## See also
- `history/2026-06-23-flex-auth-policy-gate-local-smoke.md` — template registry smoke
- `wiki/PolicyGatedSigning.md` — rollout sequence
- `~/flex-auth/docs/ops-warden-policy-gate-handoff.md`

View File

@@ -0,0 +1,189 @@
# flex-auth Pickup Suggestion — Ops-Warden Policy Gate Production
**Date:** 2026-06-23
**From:** ops-warden (`WARDEN-WP-0009` finished)
**For:** flex-auth owner
**Prior delivery:** `FLEX-WP-0006` (policy package, template registry, handoff doc)
---
## Summary
ops-warden closed **WARDEN-WP-0009**. The caller side (`policy.enabled`,
`POST /v1/check`, `policy_decision_id` in `signatures.log`) is verified.
flex-auth **policy authoring** for the gate contract is done.
What remains is **flex-auth production runtime + registry operations** so
operators can set `policy.enabled: true` on workstations running `warden sign`
without local `flex-auth serve` hacks.
---
## What ops-warden already proved
| Evidence | Location |
| --- | --- |
| Template registry + policy smoke | `history/2026-06-23-flex-auth-policy-gate-local-smoke.md` |
| Production inventory registry smoke | `history/2026-06-23-flex-auth-policy-gate-production-smoke.md` |
| Production registry artifact | `registry/flex-auth/production_registry_snapshot.json` |
| Registry generator | `scripts/build_flex_auth_registry.py` |
| Joint smoke runner | `scripts/policy_gate_production_smoke.sh` |
Production-registry allow smoke (real actor `agt-state-hub-bridge`):
- `policy_decision_id: decision:032b096c433ad80c`
- Deny: `ttl_out_of_bounds` with `fail_closed: true`
OpenBao-backed sign + policy gate is **not yet joint-verified** — scoped
`VAULT_TOKEN` returned HTTP 403 in this session (ops-warden operator task).
---
## Gaps flex-auth should pick up
### 1. Production runtime deployment (P0)
**Problem:** No reachable flex-auth endpoint from the operator workstation.
Probe from WSL: `flex-auth.flex-auth.svc.cluster.local:8080` does not resolve;
`127.0.0.1:8080` is not running. ops-warden cannot enable `policy.enabled`
with `fail_closed: true` until flex-auth is up.
**Suggestion for flex-auth:**
- Deploy `flex-auth serve` (or equivalent) to a **stable production URL**
reachable from machines that run `warden sign`.
- Document the canonical URL for `policy.flex_auth_url` (cluster DNS, tunnel,
or ingress — whichever matches NetKingdom operator access patterns).
- Expose **`GET /healthz`** (already in code) in runbooks; ops-warden operators
will use it as a pre-flight before enabling the gate.
**Acceptance:** Operator can `curl <flex_auth_url>/healthz` from the warden
workstation and get HTTP 200.
---
### 2. Load production registry, not only template fixtures (P0)
**Problem:** `examples/ops-warden/registry_snapshot.json` uses **template**
actors (`platform-steward`, `ci-deploy-agent`, `backup-automation`). Production
inventory uses **different names** (`agt-state-hub-bridge`, etc.). Signing with
`policy.enabled: true` denies unregistered actors (`unknown_actor_resource`).
**Suggestion for flex-auth:**
- Adopt ops-warden's production registry snapshot as the **initial production
load target**, or ingest equivalent manifests under `examples/ops-warden/`
generated from real inventory.
- Document operator steps:
```bash
# ops-warden (regenerate when inventory changes)
python scripts/build_flex_auth_registry.py ~/.config/warden/inventory.yaml \
-o registry/flex-auth/production_registry_snapshot.json
# flex-auth (load into runtime)
flex-auth load-registry --file <path-to-production_registry_snapshot.json>
flex-auth serve --registry <snapshot> --policy examples/ops-warden/policy_package.md ...
```
- Add **fixture or integration tests** using production actor names
(`agt-state-hub-bridge`, `adm-example`, `atm-backup-daily`) so CI catches
registry drift.
**Acceptance:** `POST /v1/check` allows `agt-state-hub-bridge` / `sign` against
the deployed production registry without ops-warden-local registry patching.
---
### 3. Registry sync contract (P1)
**Problem:** ops-warden owns `inventory.yaml`; flex-auth owns authorization
registry. Today sync is manual: regenerate JSON, reload flex-auth.
**Suggestion for flex-auth:**
- Publish a short **sync contract** doc:
- **ops-warden owns:** actor names, types, principals, TTL defaults
- **flex-auth owns:** `allowed_subjects`, `max_ttl_hours`, relationships,
policy package
- **Trigger:** inventory add/change → regenerate snapshot → flex-auth reload
- Optional later: `flex-auth validate` target for ops-warden-generated snapshots;
or HTTP reload endpoint for registry updates without restart.
**Acceptance:** Documented two-repo workflow; no ambiguity on who updates what
when a new `agt-*` actor is added.
---
### 4. Joint production smoke with OpenBao (P1)
**Problem:** Policy gate smoke used `backend: local` or local flex-auth. Full
production path is `warden sign` → flex-auth → OpenBao SSH engine.
**Suggestion for flex-auth:**
- Coordinate one **joint smoke session** with ops-warden once:
- flex-auth deployed with production registry
- ops-warden `policy.enabled: true`, valid `VAULT_TOKEN`
- Allow: `warden sign agt-state-hub-bridge` → `signatures.log` has
`backend: vault` and `policy_decision_id`
- Deny: e.g. `--ttl` above max → flex-auth deny before OpenBao call
- Record non-secret evidence (decision ids, reasons, actor names only).
**Acceptance:** Shared history entry or flex-auth handoff update with vault-backed
evidence mirroring ops-warden's local smoke format.
---
### 5. IAM subject binding in production (P2)
**Problem:** Policy allows `subject.id` = actor name or `iam:<actor>`. Production
may set `WARDEN_POLICY_SUBJECT` from key-cape/IAM profile `sub`.
**Suggestion for flex-auth:**
- Confirm production registry `allowed_subjects` covers expected IAM subs for
each actor (or document that actor-name fallback is the production default
until IAM mapping is wired).
- Add one fixture for `WARDEN_POLICY_SUBJECT` / `iam:agt-state-hub-bridge` if
that path is intended in prod.
**Acceptance:** Documented subject-id strategy for SSH sign gate in production.
---
## Proposed flex-auth workplan (draft)
**Title:** `FLEX-WP-0007 — Ops-Warden Policy Gate Production Deployment`
**Priority:** P0
**Depends on:** `FLEX-WP-0006`, ops-warden `WARDEN-WP-0009` (finished)
| Task | Summary |
| --- | --- |
| T1 | Deploy flex-auth runtime; document production `flex_auth_url` + `/healthz` |
| T2 | Load production registry snapshot; verify allow/deny for real inventory actors |
| T3 | Publish registry sync contract with ops-warden (`inventory.yaml` → snapshot) |
| T4 | Joint OpenBao + policy gate smoke with ops-warden (non-secret evidence) |
| T5 | IAM subject binding notes / fixtures for `WARDEN_POLICY_SUBJECT` (if needed) |
---
## Ownership boundary (unchanged)
| Concern | Owner |
| --- | --- |
| Policy package + PDP decision | flex-auth |
| Actor inventory + TTL/principal defaults | ops-warden |
| SSH CA / OpenBao signing | ops-warden |
| Production registry **content** for SSH actors | joint — ops-warden generates from inventory; flex-auth hosts and evaluates |
| `policy.enabled` flip | ops-warden operator (after flex-auth reachable) |
---
## References
| Doc | Repo |
| --- | --- |
| `docs/ops-warden-policy-gate-handoff.md` | flex-auth |
| `workplans/FLEX-WP-0006-ops-warden-ssh-signing-policy-gate.md` | flex-auth |
| `wiki/PolicyGatedSigning.md` | ops-warden |
| `workplans/WARDEN-WP-0009-flex-auth-policy-gate-production.md` | ops-warden |
| `registry/flex-auth/production_registry_snapshot.json` | ops-warden |

View File

@@ -0,0 +1,127 @@
# INTENT ↔ SCOPE Gap Analysis — Post WP-0009 / WP-0011
**Date:** 2026-06-24
**Author:** codex
**Trigger:** WARDEN-WP-0009 archived; WP-0010/0011 done; policy gate + routing shipped.
**Prior assessments:** `history/2026-06-18-post-wp0008-intent-scope-reassessment.md`,
`history/2026-06-18-access-routing-intent-shift-assessment.md`
---
## 1. Executive summary
ops-warden is a **production-capable SSH CA** with **structured credential routing**
(`warden route`) and a **shipped, opt-in flex-auth policy gate** (registry + smoke
complete; production flip waits flex-auth runtime deploy).
INTENT's SSH issuance mission is **met in production**. The largest remaining INTENT
gap is **ops-bridge consumer integration**`cert_command` contract exists but live
tunnels still use static keys. Secondary gaps are **operator hygiene**, **inventory ↔
infra principals alignment**, **routing playbook depth** (WP-0012), and **cross-repo
coordination** (flex-auth FLEX-WP-0007, net-kingdom NK-WP-0009).
**Vector movement:** `D5 / A4 / C4 / R3`**`D5 / A4 / C4 / R3`** (unchanged level;
policy-gate readiness improves C4 substance without changing the label until prod flip)
| Dimension | Was | Now | Notes |
| --- | --- | --- | --- |
| Discovery | D5 | D5 | Catalog + `warden route` + wiki |
| Availability | A4 | A4 | Routing CLI shipped (WP-0011) |
| Completeness | C4 | C4 | Policy registry smoke done; prod `policy.enabled` off |
| Reliability | R3 | R3 | OpenBao sign verified; cert_command not on live tunnels |
---
## 2. Deliverables since 2026-06-18
| Workplan | Deliverable | Status |
| --- | --- | --- |
| WP-0009 | flex-auth policy package confirmed; production registry + smoke | Archived |
| WP-0010 | Access routing charter + pointer catalog | Archived 2026-06-24 |
| WP-0011 | `warden route` CLI + catalog tests | Archived 2026-06-24 |
| WP-0013 | Production integration closeout (playbooks, drift, archive) | Finished 2026-06-24 |
| FLEX-WP-0006 | flex-auth policy package + handoff | flex-auth finished |
| FLEX-WP-0007 | flex-auth production deploy (draft) | flex-auth proposed |
---
## 3. INTENT success criteria
| # | Criterion | Status | Evidence / gap |
| --- | --- | --- | --- |
| 1 | Worker knows which subsystem for each credential type | **Met** | `warden route`, catalog, wikis |
| 2 | SSH access short-lived, inventoried, audited | **Met (prod)** | OpenBao sign + `signatures.log` |
| 3 | ops-bridge integrates via stable `cert_command` | **Partial** | Contract shipped; tunnels static-key |
| 4 | NetKingdom evolution reflected in docs | **Met** | NK cross-links, routing charter |
| 5 | Non-SSH secrets stay out of ops-warden | **Met** | Pointer layer only |
**Score: 4 met, 1 partial** — partial is ops-bridge production adoption.
---
## 4. INTENT mission pillars
| Pillar | Status | Gap |
| --- | --- | --- |
| 1. Know NetKingdom security model | Strong | — |
| 2. Route workers to correct subsystem | Strong | WP-0012 playbooks deepen scenarios |
| 3. Align runbooks with canon | Strong | Reassessment + archive hygiene due |
| 4. Issue short-lived SSH certs | **Production** | — |
| 5. Audit SSH signing | Strong | Policy `policy_decision_id` when gate on |
---
## 5. Remaining gaps (prioritized)
| Prio | Gap | Owner | ops-warden action | Track |
| --- | --- | --- | --- | --- |
| **P1** | ops-bridge `cert_command` on production tunnels | ops-bridge + ops-warden | Migration playbook + pilot evidence | **WARDEN-WP-0013** T3 |
| **P2** | Operator token hygiene (root → scoped `warden-sign`) | Operator + ops-warden | Runbook in wiki | **WARDEN-WP-0013** T4 |
| **P3** | Principals drift (inventory ↔ railiance-infra) | ops-warden + infra | Drift check doc/script | **WARDEN-WP-0013** T5 |
| **P4** | Routing scenario playbooks incomplete | ops-warden | Expand catalog + wiki playbooks | **WARDEN-WP-0012** (ready) |
| **P5** | flex-auth production runtime | flex-auth | Coordinate; operator flip checklist | **FLEX-WP-0007** + WP-0013 T6 |
| **P6** | Vault-backed policy gate joint smoke | flex-auth + operator | Run when `VAULT_TOKEN` valid | FLEX-WP-0007 T4 |
| **P7** | Archive hygiene (WP-0010, WP-0011) | ops-warden | Move to `workplans/archived/` | **WARDEN-WP-0013** T2 |
| **P8** | NK-WP-0009 joint SSH tutorial | net-kingdom | Coordinate only | Parallel |
| **P9** | Policy v2.1 identity claims for `adm` | ops-warden + flex-auth | Design only | Future |
---
## 6. Workplan recommendation
**WARDEN-WP-0013 — Production Integration & Stewardship Closeout** (new):
- T1: This reassessment + SCOPE refresh
- T2: Archive WP-0010 and WP-0011
- T3: ops-bridge `cert_command` migration playbook (pilot `agt-state-hub-bridge`)
- T4: Operator OpenBao token hygiene runbook
- T5: Principals inventory drift check
- T6: Policy gate production enablement checklist (coordinate FLEX-WP-0007)
**WARDEN-WP-0012 — Routing Scenario Playbooks** (promote `backlog``ready`):
- Dependencies WP-0010/0011 shipped; start when bandwidth allows
- Complements WP-0013 (routing depth vs SSH integration closeout)
**Out of scope for new ops-warden WPs:**
- flex-auth runtime deployment (FLEX-WP-0007)
- ops-bridge tunnel config changes (ops-bridge executes; ops-warden documents)
---
## 7. Maturity target (post WP-0013 + WP-0012)
| Dimension | Target | Unlock |
| --- | --- | --- |
| C4 → C4+ | cert_command pilot documented | WP-0013 T3 |
| R3 → R4 | Live tunnel uses warden-signed cert | ops-bridge + WP-0013 evidence |
| D5 | More active catalog playbooks | WP-0012 |
---
## See also
- `workplans/WARDEN-WP-0013-production-integration-and-stewardship-closeout.md`
- `workplans/WARDEN-WP-0012-routing-scenario-playbooks.md`
- `SCOPE.md`

View File

@@ -0,0 +1,33 @@
# ops-bridge cert_command Pilot — Coordination Note
**Date:** 2026-06-24
**Workplan:** WARDEN-WP-0013 T3
**Playbook:** `wiki/playbooks/ops-bridge-tunnel-cert.md`
## Status
ops-warden shipped the migration playbook and upgraded catalog entry `ops-bridge-tunnel`.
Pilot tunnel **`agt-state-hub-bridge`** is documented with actor, key paths, and
`cert_command` string.
**Execution owner:** ops-bridge (tunnel config in `~/.config/bridge/tunnels.yaml`).
## Request to ops-bridge
Apply `cert_command` to the `state-hub-coulombcore` tunnel per the playbook migration
checklist. ops-warden will record smoke evidence in `history/` when the pilot completes
(non-secret: tunnel up/down, cert re-issue after TTL).
## Pre-requisites (operator)
- Scoped `VAULT_TOKEN` for production OpenBao sign (`wiki/playbooks/operator-openbao-token-hygiene.md`)
- `warden sign agt-state-hub-bridge` succeeds before tunnel config change
## Evidence pending
| Check | Status |
| --- | --- |
| Playbook on file | Done |
| Catalog `wiki_ref` | Done |
| ops-bridge tunnel config updated | Pending |
| `bridge up` smoke | Pending |