Files
ops-warden/history/2026-06-23-flex-auth-policy-gate-production-smoke.md
tegwick 90007c2cda feat: close WP-0009/WP-0013 production integration stewardship strand
Ship flex-auth policy gate registry and smoke evidence, archive WP-0009
through WP-0013, and add integration docs: ops-bridge cert_command
migration playbook, operator OpenBao token hygiene, principals drift
check script, and 2026-06-24 INTENT/SCOPE gap analysis.
2026-06-24 12:44:32 +02:00

99 lines
3.0 KiB
Markdown

# flex-auth Policy Gate — Production Registry Smoke (WARDEN-WP-0009 T02)
**Date:** 2026-06-23
**Workplan:** WARDEN-WP-0009 T02
**Operator:** codex (non-secret evidence only)
---
## Production registry slice
Built from `~/.config/warden/inventory.yaml` (matches `examples/inventory.seed.yaml`):
| Artifact | Path |
| --- | --- |
| Registry snapshot | `registry/flex-auth/production_registry_snapshot.json` |
| Generator | `scripts/build_flex_auth_registry.py` |
| Smoke runner | `scripts/policy_gate_production_smoke.sh` |
`flex-auth load-registry` validation: **4 actors**, 3 groups, 4 relationships.
Registered actors:
| Actor | Type | max_ttl_hours | Principals |
| --- | --- | --- | --- |
| `agt-state-hub-bridge` | agt | 24 | `agt-task-bridge` |
| `agt-codex-interhub-bootstrap` | agt | 2 | `agt-interhub-bootstrap` |
| `adm-example` | adm | 48 | `adm-full` |
| `atm-backup-daily` | atm | 8 | `atm-backup-daily` |
Regenerate after inventory changes:
```bash
python scripts/build_flex_auth_registry.py ~/.config/warden/inventory.yaml \
-o registry/flex-auth/production_registry_snapshot.json
```
Deploy the snapshot to the production flex-auth runtime (`flex-auth serve` or
future in-cluster deployment). Policy package path:
`~/flex-auth/examples/ops-warden/policy_package.md`.
---
## Smoke results (production inventory + registry)
flex-auth served locally with the production registry; `warden sign` used real
inventory actors and `policy.enabled: true`.
### Allow path — `agt-state-hub-bridge`
| Check | Result |
| --- | --- |
| `warden sign agt-state-hub-bridge` | Pass (exit 0) |
| `signatures.log` `policy_decision_id` | `decision:032b096c433ad80c` |
| `signatures.log` `actor` | `agt-state-hub-bridge` |
### Deny path — TTL above registry max (`fail_closed: true`)
| Check | Result |
| --- | --- |
| `warden sign agt-state-hub-bridge --ttl 999` | Fail (exit 1) |
| flex-auth reason | `ttl_out_of_bounds` |
| Cert issued | No |
---
## OpenBao-backed smoke (operator follow-up)
Attempted `backend: vault` against `https://bao.coulomb.social` with
`policy.enabled: true`. **Blocked:** `VAULT_TOKEN` in session returned HTTP 403
(`permission denied`). Baseline `warden sign` without policy gate fails the same
way — token refresh required before vault-backed policy smoke.
When a scoped `warden-sign` token is available:
```bash
export VAULT_TOKEN="<scoped-token>" # never commit or paste in chat
SMOKE_VAULT=1 ./scripts/policy_gate_production_smoke.sh
```
Then enable production `warden.yaml`:
```yaml
policy:
enabled: true
flex_auth_url: http://flex-auth.flex-auth.svc.cluster.local:8080 # or reachable URL
fail_closed: true
```
Keep `policy.enabled: false` until flex-auth is reachable at `flex_auth_url` from
the workstation running `warden sign``fail_closed: true` blocks all signs when
flex-auth is down.
---
## See also
- `history/2026-06-23-flex-auth-policy-gate-local-smoke.md` — template registry smoke
- `wiki/PolicyGatedSigning.md` — rollout sequence
- `~/flex-auth/docs/ops-warden-policy-gate-handoff.md`