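---
# Non-secret production template — copy to ~/.config/warden/warden.yaml
# Never commit tokens or CA private keys. See wiki/OpsWardenConfig.md
#
# NOTE(review): this file arrived collapsed onto a single line, so the leading
# '#' turned every key into comment text. The nesting below is reconstructed
# from key order — confirm it against the warden config loader before use.

backend: vault

vault:
  # TLS endpoint of the secrets backend.
  addr: https://bao.coulomb.social
  mount: ssh
  # Maps the short names adm / agt / atm to backend role names.
  role_map:
    adm: adm-role
    agt: agt-role
    atm: atm-role
  # Presumably the NAME of the environment variable that holds the token, not
  # the token itself — keep it that way so no credential lands in this file.
  # Placement under `vault:` is inferred; confirm.
  token_env: VAULT_TOKEN

# YAML does not expand '~'; presumably warden resolves it to the invoking
# user's home directory — confirm. Both paths are quoted so they always load
# as strings.
inventory_path: '~/.config/warden/inventory.yaml'
state_dir: '~/.local/state/warden'

# Opt-in flex-auth gate — keep false until ssh-certificate policies exist
policy:
  enabled: false
  # Plain HTTP is used here only against loopback. If the policy service is
  # ever moved off 127.0.0.1, switch this to https.
  flex_auth_url: http://127.0.0.1:8080
  # Presumably denies the request when the policy service cannot be reached;
  # confirm, and confirm that it has no effect while `enabled` is false.
  fail_closed: true
  # Quoted because the value contains ':'.
  tenant: 'tenant:platform'
  # Presumably the name of the environment variable carrying the policy
  # subject — confirm against the loader.
  subject_env: WARDEN_POLICY_SUBJECT
  # Placement under `policy:` is inferred from position; confirm.
  system: ops-warden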