generated from coulomb/repo-seed
feat: close WP-0009/WP-0013 production integration stewardship strand
Ship flex-auth policy gate registry and smoke evidence, archive WP-0009 through WP-0013, and add integration docs: ops-bridge cert_command migration playbook, operator OpenBao token hygiene, principals drift check script, and 2026-06-24 INTENT/SCOPE gap analysis.
@@ -1,65 +0,0 @@
---
id: WARDEN-WP-0009
type: workplan
title: "flex-auth Policy Gate Production Readiness"
domain: infotech
repo: ops-warden
status: blocked
owner: codex
topic_slug: custodian
planning_priority: low
planning_order: 9
created: "2026-06-18"
updated: "2026-06-18"
state_hub_workstream_id: "9213b262-e2f5-480e-a5bc-56635d5eb4c9"
---

# WARDEN-WP-0009 — flex-auth Policy Gate Production Readiness

**Scope:** Enable and verify the opt-in flex-auth pre-sign gate (`policy.enabled`)
in production after flex-auth publishes `ssh-certificate` resource policies.

**Out of scope:** flex-auth policy package authoring (flex-auth owner); OpenBao SSH
engine and host CA (complete — NET-WP-0020 T5 / WP-0008 T2).

**Spun out from:** WARDEN-WP-0008 T5 (2026-06-18 closeout).

---

## Tasks

### T1 — flex-auth policy package confirmation

```task
id: WARDEN-WP-0009-T01
status: wait
priority: medium
state_hub_task_id: "f988ed2e-0f63-4e89-abc4-183a7f23ddc2"
```

- [ ] Confirm flex-auth policies for resource type `ssh-certificate` exist
- [ ] Document tenant/subject bindings for `adm` / `agt` / `atm` sign paths
- [ ] Coordinate with flex-auth owner on deny/allow test fixtures

**Blocked until:** flex-auth publishes ssh-certificate policies.

### T2 — Production enablement and smoke

```task
id: WARDEN-WP-0009-T02
status: wait
priority: medium
state_hub_task_id: "9d0fabc2-10ef-426d-a3d2-d4970d377029"
```

- [ ] Document operator steps to set `policy.enabled: true` (see `wiki/PolicyGatedSigning.md`)
- [ ] Smoke test allow path — `signatures.log` includes `policy_decision_id`
- [ ] Smoke test deny path with `fail_closed: true` (non-secret evidence)

---

## See also

- `wiki/PolicyGatedSigning.md` — gate flow and config (shipped WP-0007)
- `examples/warden.production.example.yaml` — `policy.enabled: false` default
- `history/2026-06-17-openbao-production-verify.md` — production sign evidence
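Review bot: this whole-file removal pairs with the 95-line re-add of the same `WARDEN-WP-0009` front matter later in this commit; if the file moved into `workplans/archived/` (the convention T2 of WP-0013 applies to WP-0010 and WP-0011), presenting it as a rename would keep blame history on the lines that did not change, such as the T1/T2 `state_hub_task_id` values. Of the removed content, only the `**Blocked until:**` line and the `Smoke test deny path with fail_closed: true` item have no counterpart in the new version; the second of those is worth carrying forward (see the note on the re-added file).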
@@ -4,13 +4,13 @@ type: workplan
title: "Routing Scenario Playbooks"
domain: infotech
repo: ops-warden
status: backlog
status: ready
owner: codex
topic_slug: custodian
planning_priority: medium
planning_order: 12
created: "2026-06-18"
updated: "2026-06-18"
updated: "2026-06-24"
state_hub_workstream_id: "a7e712a0-02f8-4f83-944e-6b207e77bc4c"
---

@@ -27,7 +27,7 @@ owner's procedure inside the catalog.

**Depends on:** WARDEN-WP-0010 (charter + catalog schema), WARDEN-WP-0011 (routing CLI).

**Status:** `backlog` — start after WP-0010 T3 and WP-0011 T2 ship.
**Status:** `ready` — WP-0010 and WP-0011 shipped; parallel to WP-0013 integration closeout.

---

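Review bot: the `**Status:**` prose now matches the `status: ready` and `updated: "2026-06-24"` front-matter flip in the previous hunk; the dropped precondition (`start after WP-0010 T3 and WP-0011 T2 ship`) is satisfied by the archive hunks in this same commit, so nothing is left dangling here.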
@@ -0,0 +1,95 @@
---
id: WARDEN-WP-0009
type: workplan
title: "flex-auth Policy Gate Production Readiness"
domain: infotech
repo: ops-warden
status: archived
owner: codex
topic_slug: custodian
planning_priority: low
planning_order: 9
created: "2026-06-18"
updated: "2026-06-23"
state_hub_workstream_id: "9213b262-e2f5-480e-a5bc-56635d5eb4c9"
---

# WARDEN-WP-0009 — flex-auth Policy Gate Production Readiness

**Scope:** Enable and verify the opt-in flex-auth pre-sign gate (`policy.enabled`)
in production after flex-auth publishes `ssh-certificate` resource policies.

**Out of scope:** flex-auth policy package authoring (flex-auth owner — delivered
FLEX-WP-0006 2026-06-23); OpenBao SSH engine and host CA (complete — NET-WP-0020
T5 / WP-0008 T2); in-cluster flex-auth deployment (continued in flex-auth
`FLEX-WP-0007`).

**Spun out from:** WARDEN-WP-0008 T5 (2026-06-18 closeout).

---

## Tasks

### T1 — flex-auth policy package confirmation

```task
id: WARDEN-WP-0009-T01
status: done
priority: medium
state_hub_task_id: "f988ed2e-0f63-4e89-abc4-183a7f23ddc2"
```

- [x] Confirm flex-auth policies for resource type `ssh-certificate` exist
- [x] Document tenant/subject bindings for `adm` / `agt` / `atm` sign paths
- [x] Coordinate with flex-auth owner on deny/allow test fixtures

### T2 — Production enablement and smoke

```task
id: WARDEN-WP-0009-T02
status: done
priority: medium
state_hub_task_id: "9d0fabc2-10ef-426d-a3d2-d4970d377029"
```

- [x] Document operator steps to set `policy.enabled: true` (see `wiki/PolicyGatedSigning.md`)
- [x] Local smoke — allow/deny paths with `policy_decision_id` / `ttl_out_of_bounds`
- [x] Production registry slice from inventory (`registry/flex-auth/production_registry_snapshot.json`)
- [x] Production registry smoke — allow `agt-state-hub-bridge` (`decision:032b096c433ad80c`)
- [x] Production registry smoke — deny `--ttl 999` (`ttl_out_of_bounds`)

---

## Deliverables

| Artifact | Path |
| --- | --- |
| Registry builder | `scripts/build_flex_auth_registry.py` |
| Production registry | `registry/flex-auth/production_registry_snapshot.json` |
| Smoke runner | `scripts/policy_gate_production_smoke.sh` |
| Local smoke evidence | `history/2026-06-23-flex-auth-policy-gate-local-smoke.md` |
| Production smoke evidence | `history/2026-06-23-flex-auth-policy-gate-production-smoke.md` |
| flex-auth pickup brief | `history/2026-06-23-flex-auth-production-pickup-suggestion.md` |

---

## Closeout (2026-06-23)

T1–T2 complete. ops-warden caller side and production-registry smoke verified.
Production `policy.enabled: true` flip deferred until flex-auth runtime is
reachable — tracked in flex-auth `FLEX-WP-0007`, not this workplan.

**Operator follow-up (FLEX-WP-0007):**

- Deploy registry + policy package to in-cluster flex-auth; set `policy.flex_auth_url`
- Refresh scoped `VAULT_TOKEN` and run `SMOKE_VAULT=1 ./scripts/policy_gate_production_smoke.sh`
- Set `policy.enabled: true` in `~/.config/warden/warden.yaml` when flex-auth is reachable

---

## See also

- `wiki/PolicyGatedSigning.md`
- `~/flex-auth/docs/ops-warden-policy-gate-handoff.md`
- `~/flex-auth/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md`
- `examples/warden.production.example.yaml`
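Review bot: the T2 smoke checklist no longer covers the fail-closed path. The removed version listed `Smoke test deny path with fail_closed: true`; the replacement deny evidence is a `--ttl 999` / `ttl_out_of_bounds` rejection, which exercises policy evaluation but not what the gate does when flex-auth cannot be reached, and the Closeout itself says the runtime is not yet reachable. Suggest adding an item (or a pointer to where FLEX-WP-0007 will record it) showing that an unreachable gate with `policy.enabled: true` refuses to sign rather than falling open, since that is the property the production flip depends on. Minor: the `See also` entries under `~/flex-auth/...` are home-relative paths that will not resolve from a repo checkout; a repo-relative or URL reference would be more durable.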
@@ -4,13 +4,13 @@ type: workplan
title: "Access Routing — Charter and Pointer Catalog"
domain: infotech
repo: ops-warden
status: done
status: archived
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 10
created: "2026-06-18"
updated: "2026-06-18"
updated: "2026-06-24"
state_hub_workstream_id: "e93de9fd-0192-4d02-bb7c-5e859fb76b9b"
---

@@ -169,3 +169,8 @@ state_hub_task_id: "3335a689-922c-4319-98d0-4263ab13790b"
- `history/2026-06-18-access-routing-intent-shift-assessment.md` — decision record
- `WARDEN-WP-0011` — routing CLI
- `WARDEN-WP-0012` — scenario playbook expansion (backlog)
---

## Closeout (2026-06-24)

Archived during WARDEN-WP-0013 T2. All tasks complete.
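Review bot: the context line `WARDEN-WP-0012 — scenario playbook expansion (backlog)` is now stale, since this same commit flips WP-0012 to `status: ready`; suggest updating it to `(ready)` in the same change so the archived file does not point at a state that no longer exists. Style: the appended `---` follows the last list item with no blank line, unlike every other rule in these workplans; add the blank line so the separator is not read as part of the list.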
@@ -4,13 +4,13 @@ type: workplan
title: "Routing Lookup CLI"
domain: infotech
repo: ops-warden
status: done
status: archived
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 11
created: "2026-06-18"
updated: "2026-06-18"
updated: "2026-06-24"
state_hub_workstream_id: "0a520f8e-01b4-48f1-9af3-2f3f69fd0672"
---

@@ -154,3 +154,8 @@ state_hub_task_id: "bf848375-eca7-4116-bb1d-fb7df6395c70"
- `WARDEN-WP-0010` — charter and catalog schema
- `WARDEN-WP-0012` — expanded per-scenario playbooks
- `history/2026-06-17-intent-scope-assessment.md` — prior `warden guide` proposal (P4)
---

## Closeout (2026-06-24)

Archived during WARDEN-WP-0013 T2. All tasks complete.
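Review bot: as in the WP-0010 closeout, the `---` is appended directly after the last `See also` bullet without a blank line; the rest of the file separates rules with blank lines, so add one. The closeout text is otherwise consistent with the `status: archived` flip in the previous hunk.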
@@ -0,0 +1,202 @@
---
id: WARDEN-WP-0013
type: workplan
title: "Production Integration & Stewardship Closeout"
domain: infotech
repo: ops-warden
status: archived
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 13
depends_on_workplans:
- WARDEN-WP-0008
- WARDEN-WP-0009
- WARDEN-WP-0010
- WARDEN-WP-0011
related_workplans:
- WARDEN-WP-0012
- FLEX-WP-0007
created: "2026-06-24"
updated: "2026-06-24"
state_hub_workstream_id: "4678c41a-c1d0-48cd-9988-4ea0380e8258"
---

# WARDEN-WP-0013 — Production Integration & Stewardship Closeout

## Purpose

Close the remaining **ops-warden-owned** gaps after policy gate and routing shipped:
refresh INTENT/SCOPE canon, archive finished workplans, document ops-bridge
`cert_command` migration, operator OpenBao token hygiene, principals drift checks,
and the policy-gate production flip checklist.

This workplan addresses the deferred **Production SSH Integration Closeout** strand
from `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` §6, updated for
post-WP-0009 state.

**Gap analysis:** `history/2026-06-24-intent-scope-gap-analysis.md`

## Scope

- Post-WP-0009 reassessment and SCOPE alignment
- Archive hygiene for WP-0010 and WP-0011
- ops-bridge `cert_command` migration documentation (pilot `agt-state-hub-bridge`)
- Operator runbook for scoped OpenBao tokens (no root in `VAULT_TOKEN`)
- Principals drift check between warden inventory and railiance-infra
- Policy gate production enablement checklist (coordinate FLEX-WP-0007)

## Out of scope

- flex-auth runtime deployment (flex-auth **FLEX-WP-0007**)
- ops-bridge tunnel config changes in the ops-bridge repo (coordinate only)
- Routing scenario playbook expansion (**WARDEN-WP-0012** — parallel track)
- OpenBao cluster deploy, flex-auth policy authoring, NK-WP-0009 tutorial
- Implementing secret vending or foreign API proxies

## Ownership boundary

| Concern | Owner |
| --- | --- |
| cert_command migration playbook | ops-warden (doc); ops-bridge (tunnel config) |
| OpenBao token hygiene runbook | ops-warden (doc); operator (execution) |
| Principals drift | ops-warden (check doc/script); railiance-infra (host deploy) |
| `policy.enabled: true` flip | operator (after FLEX-WP-0007) |

---

## T1 — Post-gap reassessment and SCOPE refresh

```task
id: WARDEN-WP-0013-T01
status: done
priority: high
state_hub_task_id: "de46f9a2-bf11-4651-a23c-430c63f396c8"
```

- [x] Write `history/2026-06-24-intent-scope-gap-analysis.md`
- [x] Update `SCOPE.md` active workplan table (WP-0013, WP-0012 ready)
- [x] Note maturity vector and partial INTENT criterion (ops-bridge) in SCOPE

**Acceptance:** Gap analysis on file; SCOPE reflects 2026-06-24 repo state.

---

## T2 — Archive hygiene (WP-0010, WP-0011)

```task
id: WARDEN-WP-0013-T02
status: done
priority: medium
state_hub_task_id: "1b35321d-63ad-40da-a1aa-0b66190a0733"
```

- [x] Move `WARDEN-WP-0010-access-routing-charter.md` to
`workplans/archived/260624-WARDEN-WP-0010-access-routing-charter.md`
- [x] Move `WARDEN-WP-0011-routing-guide-cli.md` to
`workplans/archived/260624-WARDEN-WP-0011-routing-guide-cli.md`
- [x] Set frontmatter `status: archived` on both; add closeout notes
- [x] Operator runs `make fix-consistency REPO=ops-warden` from `~/state-hub`

**Acceptance:** Only WP-0012 (ready) and WP-0013 (active when started) remain in
`workplans/` root; hub synced.

---

## T3 — ops-bridge cert_command migration playbook

```task
id: WARDEN-WP-0013-T03
status: done
priority: high
state_hub_task_id: "ad8588b2-9ae9-4f94-bd77-8025851a38f5"
```

- [x] Write `wiki/playbooks/ops-bridge-tunnel-cert.md` — static-key → `cert_command`
migration checklist for tunnel configs
- [x] Document pilot tunnel `agt-state-hub-bridge`: actor, pubkey path, cert_command
string, inventory prerequisites
- [x] Upgrade catalog entry `ops-bridge-tunnel` `wiki_ref` to the new playbook
- [x] Coordinate with ops-bridge owner for pilot tunnel config change (State Hub message)
- [ ] Record non-secret smoke evidence when pilot completes (`history/` entry — pending ops-bridge)

**Acceptance:** Playbook exists; catalog points at it; pilot steps documented even
if ops-bridge execution is pending.

**Unlocks:** INTENT success criterion #3 moves from partial toward met.

---

## T4 — Operator OpenBao token hygiene runbook

```task
id: WARDEN-WP-0013-T04
status: done
priority: medium
state_hub_task_id: "5cb35829-32eb-4d59-97a1-f4d92ce8e239"
```

- [x] Add `wiki/playbooks/operator-openbao-token-hygiene.md` covering scoped tokens,
`VAULT_TOKEN` session pattern, OIDC route, HTTP 403 recovery
- [x] Cross-link from `wiki/OpsWardenConfig.md` and production example yaml

**Acceptance:** Operator can follow runbook without asking ops-warden for token values.

---

## T5 — Principals inventory drift check

```task
id: WARDEN-WP-0013-T05
status: done
priority: medium
state_hub_task_id: "4025cd32-89f8-42c3-b1e8-eaf78497d91f"
```

- [x] `scripts/check_principals_drift.py` compares inventory `hosts` vs
`railiance-infra/ansible/inventory/ssh_principals.yaml`
- [x] Script notes flex-auth registry regeneration via `build_flex_auth_registry.py`
- [x] Tests in `tests/test_principals_drift.py`

**Acceptance:** Drift check runnable or documented; no secret material in script output.

---

## T6 — Policy gate production enablement checklist

```task
id: WARDEN-WP-0013-T06
status: done
priority: medium
state_hub_task_id: "51663f65-79cb-4108-87c8-9721f9476259"
```

- [x] Operator checklist in `wiki/PolicyGatedSigning.md` § Production rollout
- [x] Cross-link FLEX-WP-0007 and pickup brief
- [x] Explicit: keep `policy.enabled: false` until flex-auth reachable

**Acceptance:** Operator checklist is sequential and references cross-repo owners;
no ops-warden code changes required for flex-auth deploy.

---

## Exit criteria

- Gap analysis and SCOPE current
- WP-0010 and WP-0011 archived
- ops-bridge cert_command playbook + catalog upgrade
- Operator token hygiene runbook
- Principals drift procedure
- Policy gate production flip checklist (coordinate FLEX-WP-0007)

## Parallel track

**WARDEN-WP-0012** (routing scenario playbooks) — promoted to `ready`; start when
P1 integration doc bandwidth allows or in parallel if staffed.

## See also

- `history/2026-06-24-intent-scope-gap-analysis.md`
- `history/2026-06-18-post-wp0008-intent-scope-reassessment.md`
- `wiki/CertCommandInterface.md`
- `~/flex-auth/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md`
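Review bot: T3 still carries an open item (`Record non-secret smoke evidence when pilot completes`) while the task is `status: done` and the workplan front matter is `status: archived`; an unchecked box inside an archived workplan has no owner and nothing in the listed exit criteria will surface it. Suggest either leaving T3 (and the workplan) open until the ops-bridge pilot reports, or moving the pending evidence item to a tracked follow-up and saying so under Exit criteria. Smaller points: the T2 acceptance text `WP-0013 (active when started)` contradicts the `archived` status set in the same file; `NK-WP-0009 tutorial` under Out of scope is not expanded anywhere on the page; and for T5 the acceptance `no secret material in script output` is worth asserting in `tests/test_principals_drift.py` rather than leaving it to review.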