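---
# Non-secret production template — copy to ~/.config/warden/warden.yaml
# Never commit tokens or CA private keys. See wiki/OpsWardenConfig.md
#
# NOTE(review): this copy of the file had been flattened onto a single
# comment line, so no key was parsed at all. The nesting below is
# reconstructed from key order; confirm against wiki/OpsWardenConfig.md that
# token_env belongs under vault and system belongs under policy.

backend: vault

vault:
  addr: https://bao.coulomb.social
  mount: ssh
  # Maps each short key to a role name; presumably roles on the mount above.
  # Confirm each role grants only what that class of principal needs.
  role_map:
    adm: adm-role
    agt: agt-role
    atm: atm-role
  # Name of the environment variable that supplies the token. The token
  # value itself must never be written into this file.
  token_env: VAULT_TOKEN

inventory_path: ~/.config/warden/inventory.yaml
state_dir: ~/.local/state/warden

# Opt-in flex-auth gate — enable only when flex-auth is reachable at
# flex_auth_url.
# Registry: registry/flex-auth/production_registry_snapshot.json
# (build from inventory).
# See wiki/PolicyGatedSigning.md (operator checklist) and
# wiki/playbooks/operator-openbao-token-hygiene.md
policy:
  # Gate is off in this template; while it is false, requests are presumably
  # not checked against flex-auth at all. Verify before relying on policy.
  enabled: false
  # NOTE(review): plain http:// means policy decisions cross the cluster
  # network without transport encryption or server authentication unless
  # another layer (for example a service mesh) provides it. Confirm before
  # setting enabled: true.
  flex_auth_url: http://flex-auth.flex-auth.svc.cluster.local:8080
  # Presumably refuses the request when flex-auth cannot be reached or
  # returns an error. Keep true so an outage cannot silently bypass policy.
  fail_closed: true
  # Quoted because the value contains a colon; the parsed string is unchanged.
  tenant: 'tenant:platform'
  # Name of the environment variable that supplies the policy subject.
  subject_env: WARDEN_POLICY_SUBJECT
  system: ops-warden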