generated from coulomb/repo-seed
feat: close WP-0009/WP-0013 production integration stewardship strand
Ship flex-auth policy gate registry and smoke evidence, archive WP-0009 through WP-0013, and add integration docs: ops-bridge cert_command migration playbook, operator OpenBao token hygiene, principals drift check script, and 2026-06-24 INTENT/SCOPE gap analysis.
This commit is contained in:
@@ -128,6 +128,9 @@ vault login
|
||||
`VAULT_TOKEN`). OpenBao uses the same header; you do not need a separate
|
||||
`BAO_TOKEN` unless you configure `token_env` that way.
|
||||
|
||||
See `wiki/playbooks/operator-openbao-token-hygiene.md` for scoped `warden-sign`
|
||||
tokens, OIDC routing, and HTTP 403 recovery.
|
||||
|
||||
On failure, `warden sign` suggests falling back to `--backend local` only for
|
||||
lab recovery — not as a production substitute.
|
||||
|
||||
@@ -272,4 +275,5 @@ tunnels:
|
||||
|
||||
`ops-bridge` runs `cert_command` before each SSH launch, captures stdout as the cert,
|
||||
and passes it alongside the private key via `ssh -i <key> -i <cert>`.
|
||||
See `wiki/CertCommandInterface.md` for the full contract.
|
||||
See `wiki/CertCommandInterface.md` for the full contract and
|
||||
`wiki/playbooks/ops-bridge-tunnel-cert.md` for static-key → cert_command migration.
|
||||
Reference in New Issue
Block a user