# OpenBao Production Verification — 2026-06-17 **Workplan:** WARDEN-WP-0007-T01 **Endpoint:** `https://bao.coulomb.social` **Operator:** codex (automated probe, no secrets recorded) --- ## Health probe ```bash curl -s "https://bao.coulomb.social/v1/sys/health" | python3 -m json.tool ``` **Result (2026-06-17):** | Field | Value | | --- | --- | | `initialized` | `true` | | `sealed` | `false` | | `standby` | `false` | | `version` | `2.5.4` | | `cluster_name` | `vault-cluster-ebe7da39` | | `replication_performance_mode` | `primary` | OpenBao is **reachable, initialized, and unsealed**. Suitable as the production platform secrets endpoint for ops-warden `backend: vault`. --- ## Authenticated API (blocked without token) ```bash curl -s -o /dev/null -w "%{http_code}" "https://bao.coulomb.social/v1/sys/mounts" ``` **Result:** HTTP `403` (expected without `X-Vault-Token`). Full SSH engine verification (`bao secrets list`, role TTL alignment, live `warden sign`) requires a **scoped operator token** with permission to: 1. List mounts and confirm `ssh/` engine is enabled 2. Read `ssh/roles/{adm,agt,atm}-role` TTL limits 3. Call `POST /v1/ssh/sign/` for each actor type See `wiki/OpenBaoSshEngineChecklist.md` for the step-by-step checklist. --- ## Blockers for end-to-end `warden sign` | Blocker | Owner | Notes | | --- | --- | --- | | No `~/.config/warden/warden.yaml` on dev workstation | Operator | Point `vault.addr` at `https://bao.coulomb.social` | | No scoped `VAULT_TOKEN` in session | Operator | OIDC login via KeyCape / `bao login` | | SSH engine roles may not be provisioned | `railiance-platform` | Run checklist in `wiki/OpenBaoSshEngineChecklist.md` | | flex-auth policy package for `ssh-certificate` | `flex-auth` | Out of scope for WP-0007; gate is opt-in | --- ## Recommended next operator steps 1. Create production `warden.yaml` with `backend: vault` and `vault.addr`. 2. Export short-lived `VAULT_TOKEN` after OIDC login. 3. Run `wiki/OpenBaoSshEngineChecklist.md` items 1–6. 4. Test: `warden sign --pubkey ` against a known inventory actor. 5. Enable `policy.enabled: true` only after flex-auth `ssh-certificate` policies exist. --- ## See also - `wiki/OpsWardenConfig.md` — production config examples - `wiki/OpenBaoSshEngineChecklist.md` — SSH engine validation - `wiki/PolicyGatedSigning.md` — opt-in flex-auth gate (implemented WP-0007)