coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(WP-0008): finish and archive production SSH path closeout

Browse Source 
Mark WP-0008 finished and move to archived/. Spin flex-auth production gate
to WARDEN-WP-0009. Update SCOPE and reassessment history for R3 reliability.
This commit is contained in:
Bernd Worsch
2026-06-18 01:28:49 +02:00
parent da1b6695c4
commit a6a943fc3e
5 changed files with 100 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
workplans/WARDEN-WP-0009-flex-auth-policy-gate-production.md Normal file
View File

@@ -0,0 +1,65 @@
---
id: WARDEN-WP-0009
type: workplan
title: "flex-auth Policy Gate Production Readiness"
domain: custodian
repo: ops-warden
status: wait
owner: codex
topic_slug: custodian
planning_priority: low
planning_order: 9
created: "2026-06-18"
updated: "2026-06-18"
state_hub_workstream_id: "9213b262-e2f5-480e-a5bc-56635d5eb4c9"
---
# WARDEN-WP-0009 — flex-auth Policy Gate Production Readiness
**Scope:** Enable and verify the opt-in flex-auth pre-sign gate (`policy.enabled`)
in production after flex-auth publishes `ssh-certificate` resource policies.
**Out of scope:** flex-auth policy package authoring (flex-auth owner); OpenBao SSH
engine and host CA (complete — NET-WP-0020 T5 / WP-0008 T2).
**Spun out from:** WARDEN-WP-0008 T5 (2026-06-18 closeout).
---
## Tasks
### T1 — flex-auth policy package confirmation
```task
id: WARDEN-WP-0009-T01
status: wait
priority: medium
state_hub_task_id: "f988ed2e-0f63-4e89-abc4-183a7f23ddc2"
```
- [ ] Confirm flex-auth policies for resource type `ssh-certificate` exist
- [ ] Document tenant/subject bindings for `adm` / `agt` / `atm` sign paths
- [ ] Coordinate with flex-auth owner on deny/allow test fixtures
**Blocked until:** flex-auth publishes ssh-certificate policies.
### T2 — Production enablement and smoke
```task
id: WARDEN-WP-0009-T02
status: wait
priority: medium
state_hub_task_id: "9d0fabc2-10ef-426d-a3d2-d4970d377029"
```
- [ ] Document operator steps to set `policy.enabled: true` (see `wiki/PolicyGatedSigning.md`)
- [ ] Smoke test allow path — `signatures.log` includes `policy_decision_id`
- [ ] Smoke test deny path with `fail_closed: true` (non-secret evidence)
---
## See also
- `wiki/PolicyGatedSigning.md` — gate flow and config (shipped WP-0007)
- `examples/warden.production.example.yaml``policy.enabled: false` default
- `history/2026-06-17-openbao-production-verify.md` — production sign evidence

24
workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md → workplans/archived/260618-WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md
View File

@@ -4,7 +4,7 @@ type: workplan
title: "Production SSH Path and Stewardship Closeout"
domain: custodian
repo: ops-warden
status: active
status: finished
owner: codex
topic_slug: custodian
planning_priority: high
@@ -70,7 +70,9 @@ state_hub_task_id: "b1a1831d-b2b3-4204-95f6-04dc7f29f67c"
- [x] Confirm SSH engine mounted and roles per `wiki/OpenBaoSshEngineChecklist.md`
- [x] Run `warden sign` + `warden status` + `warden log` against production OpenBao
- [x] Append pass/fail evidence to `history/2026-06-17-openbao-production-verify.md`
- [ ] Optional: cert_command smoke via ops-bridge tunnel (non-secret summary only)
- [ ] Optional: cert_command smoke via ops-bridge tunnel — deferred; tunnels still
static-key mode (`agt-claude-*`); wire when ops-bridge adopts `cert_command` for
`agt-state-hub-bridge`
### T3 — State Hub task status canon migration
@@ -103,29 +105,33 @@ state_hub_task_id: "75b9f366-3d7a-419d-98ad-bc10ab90a697"
```task
id: WARDEN-WP-0008-T05
status: wait
status: cancel
priority: low
state_hub_task_id: "03b412a5-5b99-42df-a154-733dd4156000"
```
- [ ] Confirm flex-auth `ssh-certificate` resource policies exist (flex-auth owner)
- [ ] Document enablement procedure for `policy.enabled: true` in production
- [ ] Smoke test policy deny/allow with `fail_closed: true` (non-secret evidence)
**Blocked until:** flex-auth policy package for SSH signing.
Spun out to **WARDEN-WP-0009** (flex-auth owner dependency). ops-warden gate code
and docs shipped in WP-0007; production enablement waits on flex-auth policies.
---
## Acceptance Criteria
- [x] Post-WP-0007 reassessment on file; SCOPE current
- [ ] Production `warden sign` evidence recorded OR explicit operator blocker logged
- [x] Production `warden sign` evidence recorded (`history/2026-06-17-openbao-production-verify.md`)
- [x] AGENTS.md uses canonical task statuses
- [x] WP-00040007 archived; hub consistency pass
- [x] Production example config committed (no secrets)
---
## Closeout (2026-06-18)
T1T4 and T2 complete. T5 cancelled — continued in WARDEN-WP-0009. Optional
ops-bridge `cert_command` smoke deferred until tunnel configs adopt warden signing.
---
## Dependencies
| Dependency | Owner | Blocks |