flex-auth asked ops-warden to help close FLEX-WP-0007 T4 (joint OpenBao + policy-gate
production smoke) against their deployed runtime (reachable on CoulombCore via the
flex-auth-coulombcore tunnel at 127.0.0.1:18090). The smoke previously spawned its own
local flex-auth, so it never exercised the deployed runtime.
Add FLEX_AUTH_EXTERNAL=1 to scripts/policy_gate_production_smoke.sh: skip the local
serve/load-registry and run the allow/deny/vault paths against the already-running
flex-auth, with a /healthz precheck that fails fast with a tunnel-up hint. Verified the
committed production_registry_snapshot.json is current vs inventory (4 actors). Recorded
in ADHOC-2026-06-29.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Close ops-warden's side of the last Partial INTENT criterion (ops-bridge integrates
via a stable cert_command). The migration playbook and contract already existed; what
was missing was an automated readiness gate before touching tunnel config.
T1 — scripts/check_tunnel_cert_readiness.py: read-only preflight that asserts the
cert_command path is ready without signing — config/backend, actor inventory + TTL
within type max, pubkey exists/parses/not-private, principals present, and optional
host-principal deployment (mirrors check_principals_drift). Exit 0/1/2.
T2 — opt-in --sign-smoke: runs the cert_command against the local backend and validates
identity/principals/TTL of the emitted cert; refuses a vault backend. Window measured
from the cert's own valid_from->valid_before so it's timezone-robust (fixes a CEST
off-by-2h artifact). integration-marked test + a vault-refusal unit test.
T3 — playbook now leads with Step 0 readiness gate; ops-bridge handoff message sent.
T4 — SCOPE INTENT row: Partial -> Pilot-ready; known-gaps + SSH-lane list updated.
9 unit + 1 integration test, 209 default passing, lint clean.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Finish the Workload Security Posture workplan (all five tasks done).
T3 — scripts/check_secret_posture_conformance.py: read-only checker that asserts
env-posture conformance (backend/unseal/real_values per tier) and evaluates the
secret-flow lattice via posture.can_deliver. Metadata-only manifest, no secret
values, exit 0/1/2. examples/posture-conformance.example.yaml as the reference.
T4 — src/warden/doubles.py: generalizes "fake bao" into materialize_doubles() —
hermetic, synthetic-only (synthetic- prefix) stand-ins for bao/key-cape honoring
each argv/stdout/exit contract, for fully offline dev/test access flows. Documented
as the sanctioned dev backend in WorkloadSecurityPosture.md R1.
T5 — INTENT/SCOPE/wiki aligned; canon landing in net-kingdom/info-tech-canon left
owner-driven (tracked via coordination messages).
16 new tests, 200 passing, ruff clean. Archived WP-0012/0014/0015 to
workplans/archived/ with 260627- prefix.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
