feat: close WP-0009/WP-0013 production integration stewardship strand

Ship flex-auth policy gate registry and smoke evidence, archive WP-0009
through WP-0013, and add integration docs: ops-bridge cert_command
migration playbook, operator OpenBao token hygiene, principals drift
check script, and 2026-06-24 INTENT/SCOPE gap analysis.
2026-06-24 12:44:32 +02:00
parent 1778b169da
commit 90007c2cda
24 changed files with 2192 additions and 121 deletions

View File

@@ -1,65 +0,0 @@
---
id: WARDEN-WP-0009
type: workplan
title: "flex-auth Policy Gate Production Readiness"
domain: infotech
repo: ops-warden
status: blocked
owner: codex
topic_slug: custodian
planning_priority: low
planning_order: 9
created: "2026-06-18"
updated: "2026-06-18"
state_hub_workstream_id: "9213b262-e2f5-480e-a5bc-56635d5eb4c9"
---
# WARDEN-WP-0009 — flex-auth Policy Gate Production Readiness
**Scope:** Enable and verify the opt-in flex-auth pre-sign gate (`policy.enabled`)
in production after flex-auth publishes `ssh-certificate` resource policies.
**Out of scope:** flex-auth policy package authoring (flex-auth owner); OpenBao SSH
engine and host CA (complete — NET-WP-0020 T5 / WP-0008 T2).
**Spun out from:** WARDEN-WP-0008 T5 (2026-06-18 closeout).
---
## Tasks
### T1 — flex-auth policy package confirmation
```task
id: WARDEN-WP-0009-T01
status: wait
priority: medium
state_hub_task_id: "f988ed2e-0f63-4e89-abc4-183a7f23ddc2"
```
- [ ] Confirm flex-auth policies for resource type `ssh-certificate` exist
- [ ] Document tenant/subject bindings for `adm` / `agt` / `atm` sign paths
- [ ] Coordinate with flex-auth owner on deny/allow test fixtures
**Blocked until:** flex-auth publishes ssh-certificate policies.
### T2 — Production enablement and smoke
```task
id: WARDEN-WP-0009-T02
status: wait
priority: medium
state_hub_task_id: "9d0fabc2-10ef-426d-a3d2-d4970d377029"
```
- [ ] Document operator steps to set `policy.enabled: true` (see `wiki/PolicyGatedSigning.md`)
- [ ] Smoke test allow path — `signatures.log` includes `policy_decision_id`
- [ ] Smoke test deny path with `fail_closed: true` (non-secret evidence)
---
## See also
- `wiki/PolicyGatedSigning.md` — gate flow and config (shipped WP-0007)
- `examples/warden.production.example.yaml``policy.enabled: false` default
- `history/2026-06-17-openbao-production-verify.md` — production sign evidence
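Review bot: this hunk deletes the active WP-0009 copy (T1/T2 still `status: wait`, workstream `9213b262-e2f5-480e-a5bc-56635d5eb4c9`, task ids `f988ed2e-0f63-4e89-abc4-183a7f23ddc2` and `9d0fabc2-10ef-426d-a3d2-d4970d377029`), but the archive-hygiene task in WP-0013 T2 later in this commit only names WP-0010 and WP-0011 for the `make fix-consistency REPO=ops-warden` run. Unless that run also re-syncs WP-0009's workstream and tasks, the hub keeps them as waiting/blocked while the repo says archived/done; add WP-0009 to the T2 checklist or note in the closeout that the sync covered it.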

View File

@@ -4,13 +4,13 @@ type: workplan
title: "Routing Scenario Playbooks"
domain: infotech
repo: ops-warden
status: backlog
status: ready
owner: codex
topic_slug: custodian
planning_priority: medium
planning_order: 12
created: "2026-06-18"
updated: "2026-06-18"
updated: "2026-06-24"
state_hub_workstream_id: "a7e712a0-02f8-4f83-944e-6b207e77bc4c"
---
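Review bot: the promotion to `status: ready` rests on WP-0010 and WP-0011 having shipped, but that dependency is only stated in the body text, while the new WP-0013 workplan in this same commit declares its dependencies in a `depends_on_workplans:` frontmatter list. Add the same key here with `WARDEN-WP-0010` and `WARDEN-WP-0011` so readiness can be checked from frontmatter alone and the two workplans follow one convention.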
@@ -27,7 +27,7 @@ owner's procedure inside the catalog.
**Depends on:** WARDEN-WP-0010 (charter + catalog schema), WARDEN-WP-0011 (routing CLI).
**Status:** `backlog` — start after WP-0010 T3 and WP-0011 T2 ship.
**Status:** `ready` WP-0010 and WP-0011 shipped; parallel to WP-0013 integration closeout.
---
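Review bot: the replacement Status line lost the separator the old one had, so `**Status:** \`ready\` WP-0010 and WP-0011 shipped; parallel to WP-0013 integration closeout.` reads as a run-on; restore the same dash (or a colon) between `ready` and the explanation, matching the removed `**Status:** \`backlog\` — start after ...` form.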

View File

@@ -0,0 +1,95 @@
---
id: WARDEN-WP-0009
type: workplan
title: "flex-auth Policy Gate Production Readiness"
domain: infotech
repo: ops-warden
status: archived
owner: codex
topic_slug: custodian
planning_priority: low
planning_order: 9
created: "2026-06-18"
updated: "2026-06-23"
state_hub_workstream_id: "9213b262-e2f5-480e-a5bc-56635d5eb4c9"
---
# WARDEN-WP-0009 — flex-auth Policy Gate Production Readiness
**Scope:** Enable and verify the opt-in flex-auth pre-sign gate (`policy.enabled`)
in production after flex-auth publishes `ssh-certificate` resource policies.
**Out of scope:** flex-auth policy package authoring (flex-auth owner — delivered
FLEX-WP-0006 2026-06-23); OpenBao SSH engine and host CA (complete — NET-WP-0020
T5 / WP-0008 T2); in-cluster flex-auth deployment (continued in flex-auth
`FLEX-WP-0007`).
**Spun out from:** WARDEN-WP-0008 T5 (2026-06-18 closeout).
---
## Tasks
### T1 — flex-auth policy package confirmation
```task
id: WARDEN-WP-0009-T01
status: done
priority: medium
state_hub_task_id: "f988ed2e-0f63-4e89-abc4-183a7f23ddc2"
```
- [x] Confirm flex-auth policies for resource type `ssh-certificate` exist
- [x] Document tenant/subject bindings for `adm` / `agt` / `atm` sign paths
- [x] Coordinate with flex-auth owner on deny/allow test fixtures
### T2 — Production enablement and smoke
```task
id: WARDEN-WP-0009-T02
status: done
priority: medium
state_hub_task_id: "9d0fabc2-10ef-426d-a3d2-d4970d377029"
```
- [x] Document operator steps to set `policy.enabled: true` (see `wiki/PolicyGatedSigning.md`)
- [x] Local smoke — allow/deny paths with `policy_decision_id` / `ttl_out_of_bounds`
- [x] Production registry slice from inventory (`registry/flex-auth/production_registry_snapshot.json`)
- [x] Production registry smoke — allow `agt-state-hub-bridge` (`decision:032b096c433ad80c`)
- [x] Production registry smoke — deny `--ttl 999` (`ttl_out_of_bounds`)
---
## Deliverables
| Artifact | Path |
| --- | --- |
| Registry builder | `scripts/build_flex_auth_registry.py` |
| Production registry | `registry/flex-auth/production_registry_snapshot.json` |
| Smoke runner | `scripts/policy_gate_production_smoke.sh` |
| Local smoke evidence | `history/2026-06-23-flex-auth-policy-gate-local-smoke.md` |
| Production smoke evidence | `history/2026-06-23-flex-auth-policy-gate-production-smoke.md` |
| flex-auth pickup brief | `history/2026-06-23-flex-auth-production-pickup-suggestion.md` |
---
## Closeout (2026-06-23)
T1T2 complete. ops-warden caller side and production-registry smoke verified.
Production `policy.enabled: true` flip deferred until flex-auth runtime is
reachable — tracked in flex-auth `FLEX-WP-0007`, not this workplan.
**Operator follow-up (FLEX-WP-0007):**
- Deploy registry + policy package to in-cluster flex-auth; set `policy.flex_auth_url`
- Refresh scoped `VAULT_TOKEN` and run `SMOKE_VAULT=1 ./scripts/policy_gate_production_smoke.sh`
- Set `policy.enabled: true` in `~/.config/warden/warden.yaml` when flex-auth is reachable
---
## See also
- `wiki/PolicyGatedSigning.md`
- `~/flex-auth/docs/ops-warden-policy-gate-handoff.md`
- `~/flex-auth/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md`
- `examples/warden.production.example.yaml`
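Review bot: the operator follow-up step `Set policy.enabled: true in ~/.config/warden/warden.yaml when flex-auth is reachable` never states what `fail_closed` must be at flip time, even though the deny-path smoke bullet this rewrite removed from T2 was explicitly run with `fail_closed: true`. Since the flip is deferred precisely because flex-auth is not yet reachable, spell out that `fail_closed: true` is confirmed before `policy.enabled: true`, so an unreachable flex-auth denies rather than bypasses the gate; the `SMOKE_VAULT=1 ./scripts/policy_gate_production_smoke.sh` step is the natural place to assert it. Minor: `T1T2 complete` in the closeout dropped its separator (`T1 and T2 complete`).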

View File

@@ -4,13 +4,13 @@ type: workplan
title: "Access Routing — Charter and Pointer Catalog"
domain: infotech
repo: ops-warden
status: done
status: archived
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 10
created: "2026-06-18"
updated: "2026-06-18"
updated: "2026-06-24"
state_hub_workstream_id: "e93de9fd-0192-4d02-bb7c-5e859fb76b9b"
---
@@ -169,3 +169,8 @@ state_hub_task_id: "3335a689-922c-4319-98d0-4263ab13790b"
- `history/2026-06-18-access-routing-intent-shift-assessment.md` — decision record
- `WARDEN-WP-0011` — routing CLI
- `WARDEN-WP-0012` — scenario playbook expansion (backlog)
---
## Closeout (2026-06-24)
Archived during WARDEN-WP-0013 T2. All tasks complete.
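Review bot: the unchanged see-also line just above the new closeout, `WARDEN-WP-0012 — scenario playbook expansion (backlog)`, is now stale, because this same commit promotes WP-0012 to `ready`; update the parenthetical while this file is being touched so the archived charter does not point readers at a status that no longer holds.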

View File

@@ -4,13 +4,13 @@ type: workplan
title: "Routing Lookup CLI"
domain: infotech
repo: ops-warden
status: done
status: archived
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 11
created: "2026-06-18"
updated: "2026-06-18"
updated: "2026-06-24"
state_hub_workstream_id: "0a520f8e-01b4-48f1-9af3-2f3f69fd0672"
---
@@ -154,3 +154,8 @@ state_hub_task_id: "bf848375-eca7-4116-bb1d-fb7df6395c70"
- `WARDEN-WP-0010` — charter and catalog schema
- `WARDEN-WP-0012` — expanded per-scenario playbooks
- `history/2026-06-17-intent-scope-assessment.md` — prior `warden guide` proposal (P4)
---
## Closeout (2026-06-24)
Archived during WARDEN-WP-0013 T2. All tasks complete.

View File

@@ -0,0 +1,202 @@
---
id: WARDEN-WP-0013
type: workplan
title: "Production Integration & Stewardship Closeout"
domain: infotech
repo: ops-warden
status: archived
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 13
depends_on_workplans:
- WARDEN-WP-0008
- WARDEN-WP-0009
- WARDEN-WP-0010
- WARDEN-WP-0011
related_workplans:
- WARDEN-WP-0012
- FLEX-WP-0007
created: "2026-06-24"
updated: "2026-06-24"
state_hub_workstream_id: "4678c41a-c1d0-48cd-9988-4ea0380e8258"
---
# WARDEN-WP-0013 — Production Integration & Stewardship Closeout
## Purpose
Close the remaining **ops-warden-owned** gaps after policy gate and routing shipped:
refresh INTENT/SCOPE canon, archive finished workplans, document ops-bridge
`cert_command` migration, operator OpenBao token hygiene, principals drift checks,
and the policy-gate production flip checklist.
This workplan addresses the deferred **Production SSH Integration Closeout** strand
from `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` §6, updated for
post-WP-0009 state.
**Gap analysis:** `history/2026-06-24-intent-scope-gap-analysis.md`
## Scope
- Post-WP-0009 reassessment and SCOPE alignment
- Archive hygiene for WP-0010 and WP-0011
- ops-bridge `cert_command` migration documentation (pilot `agt-state-hub-bridge`)
- Operator runbook for scoped OpenBao tokens (no root in `VAULT_TOKEN`)
- Principals drift check between warden inventory and railiance-infra
- Policy gate production enablement checklist (coordinate FLEX-WP-0007)
## Out of scope
- flex-auth runtime deployment (flex-auth **FLEX-WP-0007**)
- ops-bridge tunnel config changes in the ops-bridge repo (coordinate only)
- Routing scenario playbook expansion (**WARDEN-WP-0012** — parallel track)
- OpenBao cluster deploy, flex-auth policy authoring, NK-WP-0009 tutorial
- Implementing secret vending or foreign API proxies
## Ownership boundary
| Concern | Owner |
| --- | --- |
| cert_command migration playbook | ops-warden (doc); ops-bridge (tunnel config) |
| OpenBao token hygiene runbook | ops-warden (doc); operator (execution) |
| Principals drift | ops-warden (check doc/script); railiance-infra (host deploy) |
| `policy.enabled: true` flip | operator (after FLEX-WP-0007) |
---
## T1 — Post-gap reassessment and SCOPE refresh
```task
id: WARDEN-WP-0013-T01
status: done
priority: high
state_hub_task_id: "de46f9a2-bf11-4651-a23c-430c63f396c8"
```
- [x] Write `history/2026-06-24-intent-scope-gap-analysis.md`
- [x] Update `SCOPE.md` active workplan table (WP-0013, WP-0012 ready)
- [x] Note maturity vector and partial INTENT criterion (ops-bridge) in SCOPE
**Acceptance:** Gap analysis on file; SCOPE reflects 2026-06-24 repo state.
---
## T2 — Archive hygiene (WP-0010, WP-0011)
```task
id: WARDEN-WP-0013-T02
status: done
priority: medium
state_hub_task_id: "1b35321d-63ad-40da-a1aa-0b66190a0733"
```
- [x] Move `WARDEN-WP-0010-access-routing-charter.md` to
`workplans/archived/260624-WARDEN-WP-0010-access-routing-charter.md`
- [x] Move `WARDEN-WP-0011-routing-guide-cli.md` to
`workplans/archived/260624-WARDEN-WP-0011-routing-guide-cli.md`
- [x] Set frontmatter `status: archived` on both; add closeout notes
- [x] Operator runs `make fix-consistency REPO=ops-warden` from `~/state-hub`
**Acceptance:** Only WP-0012 (ready) and WP-0013 (active when started) remain in
`workplans/` root; hub synced.
---
## T3 — ops-bridge cert_command migration playbook
```task
id: WARDEN-WP-0013-T03
status: done
priority: high
state_hub_task_id: "ad8588b2-9ae9-4f94-bd77-8025851a38f5"
```
- [x] Write `wiki/playbooks/ops-bridge-tunnel-cert.md` — static-key → `cert_command`
migration checklist for tunnel configs
- [x] Document pilot tunnel `agt-state-hub-bridge`: actor, pubkey path, cert_command
string, inventory prerequisites
- [x] Upgrade catalog entry `ops-bridge-tunnel` `wiki_ref` to the new playbook
- [x] Coordinate with ops-bridge owner for pilot tunnel config change (State Hub message)
- [ ] Record non-secret smoke evidence when pilot completes (`history/` entry — pending ops-bridge)
**Acceptance:** Playbook exists; catalog points at it; pilot steps documented even
if ops-bridge execution is pending.
**Unlocks:** INTENT success criterion #3 moves from partial toward met.
---
## T4 — Operator OpenBao token hygiene runbook
```task
id: WARDEN-WP-0013-T04
status: done
priority: medium
state_hub_task_id: "5cb35829-32eb-4d59-97a1-f4d92ce8e239"
```
- [x] Add `wiki/playbooks/operator-openbao-token-hygiene.md` covering scoped tokens,
`VAULT_TOKEN` session pattern, OIDC route, HTTP 403 recovery
- [x] Cross-link from `wiki/OpsWardenConfig.md` and production example yaml
**Acceptance:** Operator can follow runbook without asking ops-warden for token values.
---
## T5 — Principals inventory drift check
```task
id: WARDEN-WP-0013-T05
status: done
priority: medium
state_hub_task_id: "4025cd32-89f8-42c3-b1e8-eaf78497d91f"
```
- [x] `scripts/check_principals_drift.py` compares inventory `hosts` vs
`railiance-infra/ansible/inventory/ssh_principals.yaml`
- [x] Script notes flex-auth registry regeneration via `build_flex_auth_registry.py`
- [x] Tests in `tests/test_principals_drift.py`
**Acceptance:** Drift check runnable or documented; no secret material in script output.
---
## T6 — Policy gate production enablement checklist
```task
id: WARDEN-WP-0013-T06
status: done
priority: medium
state_hub_task_id: "51663f65-79cb-4108-87c8-9721f9476259"
```
- [x] Operator checklist in `wiki/PolicyGatedSigning.md` § Production rollout
- [x] Cross-link FLEX-WP-0007 and pickup brief
- [x] Explicit: keep `policy.enabled: false` until flex-auth reachable
**Acceptance:** Operator checklist is sequential and references cross-repo owners;
no ops-warden code changes required for flex-auth deploy.
---
## Exit criteria
- Gap analysis and SCOPE current
- WP-0010 and WP-0011 archived
- ops-bridge cert_command playbook + catalog upgrade
- Operator token hygiene runbook
- Principals drift procedure
- Policy gate production flip checklist (coordinate FLEX-WP-0007)
## Parallel track
**WARDEN-WP-0012** (routing scenario playbooks) — promoted to `ready`; start when
P1 integration doc bandwidth allows or in parallel if staffed.
## See also
- `history/2026-06-24-intent-scope-gap-analysis.md`
- `history/2026-06-18-post-wp0008-intent-scope-reassessment.md`
- `wiki/CertCommandInterface.md`
- `~/flex-auth/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md`
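Review bot: frontmatter sets `status: archived` on the workplan's own creation date, yet T3 still carries an unchecked item (`Record non-secret smoke evidence when pilot completes`, pending ops-bridge) and the `policy.enabled: true` flip in the ownership table waits on FLEX-WP-0007. An archived workplan with an open checkbox drops out of the active table, so that pilot-evidence step loses its owner; either keep WP-0013 open until the `history/` entry lands or move the bullet to WARDEN-WP-0012 (the parallel track) or a FLEX-WP-0007 cross-reference so it is tracked somewhere active. Separately, T5's acceptance criterion `no secret material in script output` is the right bar for a drift check that reads `ssh_principals.yaml`; have `tests/test_principals_drift.py` assert it directly (output contains only host names and principal names), rather than leaving it as a documented intention.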