# flex-auth Policy Gate — Production Registry Smoke (WARDEN-WP-0009 T02) **Date:** 2026-06-23 **Workplan:** WARDEN-WP-0009 T02 **Operator:** codex (non-secret evidence only) --- ## Production registry slice Built from `~/.config/warden/inventory.yaml` (matches `examples/inventory.seed.yaml`): | Artifact | Path | | --- | --- | | Registry snapshot | `registry/flex-auth/production_registry_snapshot.json` | | Generator | `scripts/build_flex_auth_registry.py` | | Smoke runner | `scripts/policy_gate_production_smoke.sh` | `flex-auth load-registry` validation: **4 actors**, 3 groups, 4 relationships. Registered actors: | Actor | Type | max_ttl_hours | Principals | | --- | --- | --- | --- | | `agt-state-hub-bridge` | agt | 24 | `agt-task-bridge` | | `agt-codex-interhub-bootstrap` | agt | 2 | `agt-interhub-bootstrap` | | `adm-example` | adm | 48 | `adm-full` | | `atm-backup-daily` | atm | 8 | `atm-backup-daily` | Regenerate after inventory changes: ```bash python scripts/build_flex_auth_registry.py ~/.config/warden/inventory.yaml \ -o registry/flex-auth/production_registry_snapshot.json ``` Deploy the snapshot to the production flex-auth runtime (`flex-auth serve` or future in-cluster deployment). Policy package path: `~/flex-auth/examples/ops-warden/policy_package.md`. --- ## Smoke results (production inventory + registry) flex-auth served locally with the production registry; `warden sign` used real inventory actors and `policy.enabled: true`. ### Allow path — `agt-state-hub-bridge` | Check | Result | | --- | --- | | `warden sign agt-state-hub-bridge` | Pass (exit 0) | | `signatures.log` `policy_decision_id` | `decision:032b096c433ad80c` | | `signatures.log` `actor` | `agt-state-hub-bridge` | ### Deny path — TTL above registry max (`fail_closed: true`) | Check | Result | | --- | --- | | `warden sign agt-state-hub-bridge --ttl 999` | Fail (exit 1) | | flex-auth reason | `ttl_out_of_bounds` | | Cert issued | No | --- ## OpenBao-backed smoke (operator follow-up) Attempted `backend: vault` against `https://bao.coulomb.social` with `policy.enabled: true`. **Blocked:** `VAULT_TOKEN` in session returned HTTP 403 (`permission denied`). Baseline `warden sign` without policy gate fails the same way — token refresh required before vault-backed policy smoke. When a scoped `warden-sign` token is available: ```bash export VAULT_TOKEN="" # never commit or paste in chat SMOKE_VAULT=1 ./scripts/policy_gate_production_smoke.sh ``` Then enable production `warden.yaml`: ```yaml policy: enabled: true flex_auth_url: http://flex-auth.flex-auth.svc.cluster.local:8080 # or reachable URL fail_closed: true ``` Keep `policy.enabled: false` until flex-auth is reachable at `flex_auth_url` from the workstation running `warden sign` — `fail_closed: true` blocks all signs when flex-auth is down. --- ## See also - `history/2026-06-23-flex-auth-policy-gate-local-smoke.md` — template registry smoke - `wiki/PolicyGatedSigning.md` — rollout sequence - `~/flex-auth/docs/ops-warden-policy-gate-handoff.md`