---
id: WARDEN-WP-0009
type: workplan
title: "flex-auth Policy Gate Production Readiness"
domain: custodian
repo: ops-warden
status: wait
owner: codex
topic_slug: custodian
planning_priority: low
planning_order: 9
created: "2026-06-18"
updated: "2026-06-18"
state_hub_workstream_id: "9213b262-e2f5-480e-a5bc-56635d5eb4c9"
---

# WARDEN-WP-0009 — flex-auth Policy Gate Production Readiness

**Scope:** Enable and verify the opt-in flex-auth pre-sign gate (`policy.enabled`) in production after flex-auth publishes `ssh-certificate` resource policies.

**Out of scope:** flex-auth policy package authoring (flex-auth owner); OpenBao SSH engine and host CA (complete — NET-WP-0020 T5 / WP-0008 T2).

**Spun out from:** WARDEN-WP-0008 T5 (2026-06-18 closeout).

---

## Tasks

### T1 — flex-auth policy package confirmation

```task
id: WARDEN-WP-0009-T01
status: wait
priority: medium
state_hub_task_id: "f988ed2e-0f63-4e89-abc4-183a7f23ddc2"
```

- [ ] Confirm flex-auth policies for resource type `ssh-certificate` exist
- [ ] Document tenant/subject bindings for `adm` / `agt` / `atm` sign paths
- [ ] Coordinate with flex-auth owner on deny/allow test fixtures

**Blocked until:** flex-auth publishes ssh-certificate policies.

### T2 — Production enablement and smoke

```task
id: WARDEN-WP-0009-T02
status: wait
priority: medium
state_hub_task_id: "9d0fabc2-10ef-426d-a3d2-d4970d377029"
```

- [ ] Document operator steps to set `policy.enabled: true` (see `wiki/PolicyGatedSigning.md`)
- [ ] Smoke test allow path — `signatures.log` includes `policy_decision_id`
- [ ] Smoke test deny path with `fail_closed: true` (non-secret evidence)

---

## See also

- `wiki/PolicyGatedSigning.md` — gate flow and config (shipped WP-0007)
- `examples/warden.production.example.yaml` — `policy.enabled: false` default
- `history/2026-06-17-openbao-production-verify.md` — production sign evidence
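Added example for the T2 smoke evidence (not part of the workplan or of ops-warden): a checker that reads `signatures.log` and confirms what the two smoke tests are meant to show, namely that every sign attempt carries a `policy_decision_id`, that denies under `fail_closed` never produced a certificate, and that both the allow and deny paths were actually exercised. The log layout is an assumption: JSON lines with hypothetical fields `path`, `decision`, `policy_decision_id` and `cert_issued`; the sample entries are constructed and the real format must be taken from `wiki/PolicyGatedSigning.md`.

```python
"""Smoke-evidence check for the flex-auth pre-sign gate (added example).

Assumed log shape (hypothetical, not from the workplan): one JSON object per
line with fields path, decision, policy_decision_id, cert_issued.
"""
import json

# Constructed sample: two allows, one deny, and a fourth entry that was signed
# without a policy decision id, which is the failure mode this check exists to catch.
SAMPLE_LOG = """\
{"ts": "2026-06-18T10:00:01Z", "path": "adm", "decision": "allow", "policy_decision_id": "pd-0001", "cert_issued": true}
{"ts": "2026-06-18T10:00:02Z", "path": "agt", "decision": "allow", "policy_decision_id": "pd-0002", "cert_issued": true}
{"ts": "2026-06-18T10:00:03Z", "path": "atm", "decision": "deny", "policy_decision_id": "pd-0003", "cert_issued": false}
{"ts": "2026-06-18T10:00:04Z", "path": "adm", "decision": "allow", "cert_issued": true}
"""


def parse_log(text):
    """Parse JSON-lines log text; unparseable lines are kept as marked entries."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            events.append(json.loads(raw))
        except json.JSONDecodeError:
            events.append({"_malformed": raw, "_line": lineno})
    return events


def check_gate_evidence(events, fail_closed=True):
    """Return counts and findings; ok is True only when no finding was raised."""
    findings = []
    allowed = denied = 0
    for idx, ev in enumerate(events, 1):
        if "_malformed" in ev:
            findings.append(f"line {ev['_line']}: unparseable entry")
            continue
        # Every sign attempt must be tied to a policy decision once the gate is on.
        if not ev.get("policy_decision_id"):
            findings.append(f"event {idx}: missing policy_decision_id (gate bypassed or disabled?)")
        decision = ev.get("decision")
        if decision == "allow":
            allowed += 1
            if not ev.get("cert_issued"):
                findings.append(f"event {idx}: allow recorded but no certificate issued")
        elif decision == "deny":
            denied += 1
            if ev.get("cert_issued"):
                findings.append(f"event {idx}: deny recorded but a certificate was issued")
        elif fail_closed and ev.get("cert_issued"):
            # With fail_closed, an absent or unknown decision must never yield a certificate.
            findings.append(f"event {idx}: certificate issued without a gate decision")
    # Both smoke paths from T2 must appear in the evidence.
    if allowed == 0:
        findings.append("allow path not exercised")
    if denied == 0:
        findings.append("deny path not exercised")
    return {"allowed": allowed, "denied": denied, "findings": findings, "ok": not findings}


if __name__ == "__main__":
    result = check_gate_evidence(parse_log(SAMPLE_LOG))
    print(f"allowed={result['allowed']} denied={result['denied']} ok={result['ok']}")
    for finding in result["findings"]:
        print("  -", finding)
```

Run against the real `signatures.log` by replacing `SAMPLE_LOG` with the file contents; the field names must be adjusted to the actual log schema before the result means anything.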