# flex-auth Policy Gate — Local Smoke (WARDEN-WP-0009) **Date:** 2026-06-23 **Workplan:** WARDEN-WP-0009 T01 closeout + T02 local smoke **flex-auth delivery:** FLEX-WP-0006 (`docs/ops-warden-policy-gate-handoff.md`) --- ## Unblock flex-auth published the `ssh-certificate` / `sign` policy package and ops-warden handoff on 2026-06-23. WARDEN-WP-0009 T01 is complete; T2 local smoke below. Production enablement still requires deploying a **production registry slice** with real inventory actors (see `wiki/PolicyGatedSigning.md`). --- ## flex-auth assets confirmed | Asset | Path (flex-auth repo) | | --- | --- | | Policy package | `examples/ops-warden/policy_package.md` | | Fixtures | `examples/ops-warden/policy_fixtures.yaml` | | Registry snapshot | `examples/ops-warden/registry_snapshot.json` | | Handoff | `docs/ops-warden-policy-gate-handoff.md` | Example registry actors (`platform-steward`, `ci-deploy-agent`, `backup-automation`) are **templates**. Production actors such as `agt-state-hub-bridge` must be registered in the deployed flex-auth registry before `policy.enabled: true`. --- ## Local smoke (ops-warden + flex-auth) **Setup:** `backend: local`, `policy.enabled: true`, `fail_closed: true`, flex-auth `serve` with ops-warden policy package and a smoke registry that adds `agt-policy-smoke` (ops-warden naming-compliant clone of the `agt` fixture). ### Allow path | Check | Result | | --- | --- | | `warden sign agt-policy-smoke` | Pass (exit 0) | | `signatures.log` `policy_decision_id` | `decision:78bc882eca883f29` | | `signatures.log` `backend` | `local` | ### Deny path (`fail_closed: true`) | Check | Result | | --- | --- | | `warden sign agt-state-hub-bridge` (not in flex-auth registry) | Fail (exit 1) | | CLI reason surfaced | `unknown_actor_resource` | | Cert issued | No | --- ## Production remaining (T2) 1. Deploy flex-auth registry + policy package to production flex-auth runtime. 2. Register production inventory actors (`agt-state-hub-bridge`, `adm-*`, `atm-*`). 3. Set `policy.flex_auth_url` and `policy.enabled: true` in production `warden.yaml`. 4. Repeat allow/deny smoke against OpenBao-backed `warden sign`; capture `policy_decision_id` in `signatures.log` (non-secret evidence only). --- ## See also - `wiki/PolicyGatedSigning.md` — bindings, rollout, handoff link - `workplans/WARDEN-WP-0009-flex-auth-policy-gate-production.md`