generated from coulomb/repo-seed
Ship flex-auth policy gate registry and smoke evidence, archive WP-0009 through WP-0013, and add integration docs: ops-bridge cert_command migration playbook, operator OpenBao token hygiene, principals drift check script, and 2026-06-24 INTENT/SCOPE gap analysis.
99 lines
3.0 KiB
Markdown
99 lines
3.0 KiB
Markdown
# flex-auth Policy Gate — Production Registry Smoke (WARDEN-WP-0009 T02)
|
|
|
|
**Date:** 2026-06-23
|
|
**Workplan:** WARDEN-WP-0009 T02
|
|
**Operator:** codex (non-secret evidence only)
|
|
|
|
---
|
|
|
|
## Production registry slice
|
|
|
|
Built from `~/.config/warden/inventory.yaml` (matches `examples/inventory.seed.yaml`):
|
|
|
|
| Artifact | Path |
|
|
| --- | --- |
|
|
| Registry snapshot | `registry/flex-auth/production_registry_snapshot.json` |
|
|
| Generator | `scripts/build_flex_auth_registry.py` |
|
|
| Smoke runner | `scripts/policy_gate_production_smoke.sh` |
|
|
|
|
`flex-auth load-registry` validation: **4 actors**, 3 groups, 4 relationships.
|
|
|
|
Registered actors:
|
|
|
|
| Actor | Type | max_ttl_hours | Principals |
|
|
| --- | --- | --- | --- |
|
|
| `agt-state-hub-bridge` | agt | 24 | `agt-task-bridge` |
|
|
| `agt-codex-interhub-bootstrap` | agt | 2 | `agt-interhub-bootstrap` |
|
|
| `adm-example` | adm | 48 | `adm-full` |
|
|
| `atm-backup-daily` | atm | 8 | `atm-backup-daily` |
|
|
|
|
Regenerate after inventory changes:
|
|
|
|
```bash
|
|
python scripts/build_flex_auth_registry.py ~/.config/warden/inventory.yaml \
|
|
-o registry/flex-auth/production_registry_snapshot.json
|
|
```
|
|
|
|
Deploy the snapshot to the production flex-auth runtime (`flex-auth serve` or
|
|
future in-cluster deployment). Policy package path:
|
|
`~/flex-auth/examples/ops-warden/policy_package.md`.
|
|
|
|
---
|
|
|
|
## Smoke results (production inventory + registry)
|
|
|
|
flex-auth served locally with the production registry; `warden sign` used real
|
|
inventory actors and `policy.enabled: true`.
|
|
|
|
### Allow path — `agt-state-hub-bridge`
|
|
|
|
| Check | Result |
|
|
| --- | --- |
|
|
| `warden sign agt-state-hub-bridge` | Pass (exit 0) |
|
|
| `signatures.log` `policy_decision_id` | `decision:032b096c433ad80c` |
|
|
| `signatures.log` `actor` | `agt-state-hub-bridge` |
|
|
|
|
### Deny path — TTL above registry max (`fail_closed: true`)
|
|
|
|
| Check | Result |
|
|
| --- | --- |
|
|
| `warden sign agt-state-hub-bridge --ttl 999` | Fail (exit 1) |
|
|
| flex-auth reason | `ttl_out_of_bounds` |
|
|
| Cert issued | No |
|
|
|
|
---
|
|
|
|
## OpenBao-backed smoke (operator follow-up)
|
|
|
|
Attempted `backend: vault` against `https://bao.coulomb.social` with
|
|
`policy.enabled: true`. **Blocked:** `VAULT_TOKEN` in session returned HTTP 403
|
|
(`permission denied`). Baseline `warden sign` without policy gate fails the same
|
|
way — token refresh required before vault-backed policy smoke.
|
|
|
|
When a scoped `warden-sign` token is available:
|
|
|
|
```bash
|
|
export VAULT_TOKEN="<scoped-token>" # never commit or paste in chat
|
|
SMOKE_VAULT=1 ./scripts/policy_gate_production_smoke.sh
|
|
```
|
|
|
|
Then enable production `warden.yaml`:
|
|
|
|
```yaml
|
|
policy:
|
|
enabled: true
|
|
flex_auth_url: http://flex-auth.flex-auth.svc.cluster.local:8080 # or reachable URL
|
|
fail_closed: true
|
|
```
|
|
|
|
Keep `policy.enabled: false` until flex-auth is reachable at `flex_auth_url` from
|
|
the workstation running `warden sign` — `fail_closed: true` blocks all signs when
|
|
flex-auth is down.
|
|
|
|
---
|
|
|
|
## See also
|
|
|
|
- `history/2026-06-23-flex-auth-policy-gate-local-smoke.md` — template registry smoke
|
|
- `wiki/PolicyGatedSigning.md` — rollout sequence
|
|
- `~/flex-auth/docs/ops-warden-policy-gate-handoff.md` |