--- id: WARDEN-WP-0007 type: workplan title: "Policy Gate and Production OpenBao Verification" domain: custodian repo: ops-warden status: finished owner: codex topic_slug: custodian planning_priority: high planning_order: 7 created: "2026-06-17" updated: "2026-06-17" state_hub_workstream_id: "3718ac07-2fa2-47d0-a02a-c9a7b83a5ba9" --- # WARDEN-WP-0007 — Policy Gate and Production OpenBao Verification **Scope:** Record production OpenBao reachability evidence; implement opt-in flex-auth policy gate before `warden sign` / `warden issue` per `wiki/PolicyGatedSigning.md`. **Out of scope:** flex-auth policy package authoring, OpenBao SSH engine mount on Railiance (operator), identity claim requirement (v2.1). --- ## Tasks ### T1 — Production OpenBao verification evidence ```task id: WARDEN-WP-0007-T01 status: done priority: high state_hub_task_id: "344540ad-5912-4118-b406-450b96e13c40" ``` - [x] Probe `https://bao.coulomb.social/v1/sys/health` - [x] Document results in `history/2026-06-17-openbao-production-verify.md` - [x] Note blockers for full `warden sign` (scoped token, SSH engine roles) ### T2 — Policy config and flex-auth client ```task id: WARDEN-WP-0007-T02 status: done priority: high state_hub_task_id: "05424ddf-5fe9-43a1-a2f8-c47235a012c8" ``` - [x] `PolicyConfig` in `config.py` (`policy.enabled`, `flex_auth_url`, `fail_closed`) - [x] `policy.py` — POST `/v1/check`, pubkey fingerprint, CAError on deny ### T3 — Wire policy gate into sign/issue ```task id: WARDEN-WP-0007-T03 status: done priority: high state_hub_task_id: "f5ae8e6e-8cce-4526-b18c-0452a135af49" ``` - [x] Call policy check before `ca.sign()` when enabled - [x] Store `policy_decision_id` in `signatures.log` ### T4 — Tests and docs ```task id: WARDEN-WP-0007-T04 status: done priority: medium state_hub_task_id: "ea921d56-033b-4619-8032-61af7992e610" ``` - [x] `tests/test_policy.py` - [x] Update `wiki/OpsWardenConfig.md`, `wiki/PolicyGatedSigning.md` --- ## Acceptance Criteria - [x] Production health evidence recorded (non-secret) - [x] `policy.enabled: false` default — no behavior change - [x] `policy.enabled: true` calls flex-auth; deny blocks sign - [x] All unit tests pass