--- id: WARDEN-WP-0009 type: workplan title: "flex-auth Policy Gate Production Readiness" domain: infotech repo: ops-warden status: archived owner: codex topic_slug: custodian planning_priority: low planning_order: 9 created: "2026-06-18" updated: "2026-06-23" state_hub_workstream_id: "9213b262-e2f5-480e-a5bc-56635d5eb4c9" --- # WARDEN-WP-0009 — flex-auth Policy Gate Production Readiness **Scope:** Enable and verify the opt-in flex-auth pre-sign gate (`policy.enabled`) in production after flex-auth publishes `ssh-certificate` resource policies. **Out of scope:** flex-auth policy package authoring (flex-auth owner — delivered FLEX-WP-0006 2026-06-23); OpenBao SSH engine and host CA (complete — NET-WP-0020 T5 / WP-0008 T2); in-cluster flex-auth deployment (continued in flex-auth `FLEX-WP-0007`). **Spun out from:** WARDEN-WP-0008 T5 (2026-06-18 closeout). --- ## Tasks ### T1 — flex-auth policy package confirmation ```task id: WARDEN-WP-0009-T01 status: done priority: medium state_hub_task_id: "f988ed2e-0f63-4e89-abc4-183a7f23ddc2" ``` - [x] Confirm flex-auth policies for resource type `ssh-certificate` exist - [x] Document tenant/subject bindings for `adm` / `agt` / `atm` sign paths - [x] Coordinate with flex-auth owner on deny/allow test fixtures ### T2 — Production enablement and smoke ```task id: WARDEN-WP-0009-T02 status: done priority: medium state_hub_task_id: "9d0fabc2-10ef-426d-a3d2-d4970d377029" ``` - [x] Document operator steps to set `policy.enabled: true` (see `wiki/PolicyGatedSigning.md`) - [x] Local smoke — allow/deny paths with `policy_decision_id` / `ttl_out_of_bounds` - [x] Production registry slice from inventory (`registry/flex-auth/production_registry_snapshot.json`) - [x] Production registry smoke — allow `agt-state-hub-bridge` (`decision:032b096c433ad80c`) - [x] Production registry smoke — deny `--ttl 999` (`ttl_out_of_bounds`) --- ## Deliverables | Artifact | Path | | --- | --- | | Registry builder | `scripts/build_flex_auth_registry.py` | | Production registry | `registry/flex-auth/production_registry_snapshot.json` | | Smoke runner | `scripts/policy_gate_production_smoke.sh` | | Local smoke evidence | `history/2026-06-23-flex-auth-policy-gate-local-smoke.md` | | Production smoke evidence | `history/2026-06-23-flex-auth-policy-gate-production-smoke.md` | | flex-auth pickup brief | `history/2026-06-23-flex-auth-production-pickup-suggestion.md` | --- ## Closeout (2026-06-23) T1–T2 complete. ops-warden caller side and production-registry smoke verified. Production `policy.enabled: true` flip deferred until flex-auth runtime is reachable — tracked in flex-auth `FLEX-WP-0007`, not this workplan. **Operator follow-up (FLEX-WP-0007):** - Deploy registry + policy package to in-cluster flex-auth; set `policy.flex_auth_url` - Refresh scoped `VAULT_TOKEN` and run `SMOKE_VAULT=1 ./scripts/policy_gate_production_smoke.sh` - Set `policy.enabled: true` in `~/.config/warden/warden.yaml` when flex-auth is reachable --- ## See also - `wiki/PolicyGatedSigning.md` - `~/flex-auth/docs/ops-warden-policy-gate-handoff.md` - `~/flex-auth/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md` - `examples/warden.production.example.yaml`