feat(WP-0008): reassessment, task-status canon, archive hygiene

- Post-WP-0007 reassessment and SCOPE/README updates - AGENTS.md + workplan-convention task status canon migration - examples/warden.production.example.yaml for production OpenBao - Archive WP-0004 through WP-0007 to workplans/archived/260617-* - WP-0008 T1/T3/T4 done; T2/T5 wait on operator/flex-auth
2026-06-17 23:51:12 +02:00
parent 7e739a426d
commit e0adc10896
11 changed files with 159 additions and 40 deletions
--- a/examples/warden.production.example.yaml
+++ b/examples/warden.production.example.yaml
@@ -0,0 +1,25 @@
+# Non-secret production template — copy to ~/.config/warden/warden.yaml
+# Never commit tokens or CA private keys. See wiki/OpsWardenConfig.md
+
+backend: vault
+
+vault:
+  addr: https://bao.coulomb.social
+  mount: ssh
+  role_map:
+    adm: adm-role
+    agt: agt-role
+    atm: atm-role
+  token_env: VAULT_TOKEN
+
+inventory_path: ~/.config/warden/inventory.yaml
+state_dir: ~/.local/state/warden
+
+# Opt-in flex-auth gate — keep false until ssh-certificate policies exist
+policy:
+  enabled: false
+  flex_auth_url: http://127.0.0.1:8080
+  fail_closed: true
+  tenant: tenant:platform
+  subject_env: WARDEN_POLICY_SUBJECT
+  system: ops-warden