Ship flex-auth policy gate registry and smoke evidence, archive WP-0009 through WP-0013, and add integration docs: ops-bridge cert_command migration playbook, operator OpenBao token hygiene, principals drift check script, and 2026-06-24 INTENT/SCOPE gap analysis.
ops-bridge Tunnel — cert_command Migration
Date: 2026-06-24
Workplan: WARDEN-WP-0013 T3
Catalog: ops-bridge-tunnel
Migrate an ops-bridge tunnel from static SSH keys to short-lived warden-signed
certificates via the cert_command contract (wiki/CertCommandInterface.md).
ops-warden documents the migration; ops-bridge owns tunnel config changes.
Prerequisites
- Actor registered in `~/.config/warden/inventory.yaml` (see `wiki/ActorInventoryPatterns.md`)
- Actor keypair on disk (`ssh_key` private, `.pub` for signing)
- Production `warden.yaml` with `backend: vault` and a valid scoped `VAULT_TOKEN`
- Host trusts the warden/OpenBao CA (`railiance-infra` `bootstrap-ssh-ca`)
- Host principal allows the actor's principals (`railiance-infra` `ssh_principals.yaml`)
Pilot tunnel: agt-state-hub-bridge
| Field | Value |
|---|---|
| Actor | agt-state-hub-bridge |
| Type | agt |
| Principals | agt-task-bridge |
| TTL | 24 h |
| Private key | ~/.ssh/agt-state-hub-bridge_ed25519 |
| Public key | ~/.ssh/agt-state-hub-bridge_ed25519.pub |
| cert_command | warden sign agt-state-hub-bridge --pubkey ~/.ssh/agt-state-hub-bridge_ed25519.pub |
Pre-migration smoke (operator workstation)
```bash
export VAULT_TOKEN="<scoped-warden-sign-token>"   # never commit or paste in chat
warden status agt-state-hub-bridge
warden sign agt-state-hub-bridge --pubkey ~/.ssh/agt-state-hub-bridge_ed25519.pub | head -1
```
Confirm exit 0 and that the cert line starts with `ssh-ed25519-cert-v01@openssh.com`. Note that a pipeline reports the exit status of `head`, not of `warden sign`; run with `set -o pipefail` (or write the full output to a file and inspect it) so a failed sign is not masked. Saving the output to a file and running `ssh-keygen -L -f` on it prints the key id, principals and validity window; check that the principals list is exactly `agt-task-bridge` and that the window is 24 h.
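The check above can be automated so the smoke step fails loudly when the issued certificate does not match the pilot table (wrong key type, missing `agt-task-bridge` principal, validity longer than the 24 h TTL, or a cert that is already expired). The script below is an added example for this playbook, not warden or ops-bridge code; it decodes the certificate that `cert_command` writes to stdout using the OpenSSH `ssh-ed25519-cert-v01` wire layout. It does not verify the CA signature (sshd on the target host does that against `bootstrap-ssh-ca`). The sample certificate it builds is constructed here, unsigned, with a placeholder public key, purely so the check runs offline; pipe real `warden sign` output into it in practice.

```python
"""Check a warden-issued ed25519 certificate line against the pilot tunnel's
expectations. Added example (not warden/ops-bridge code); the wire format
follows OpenSSH PROTOCOL.certkeys. Usage:
    warden sign agt-state-hub-bridge --pubkey ~/.ssh/agt-state-hub-bridge_ed25519.pub | python3 check_cert.py
"""
import base64
import os
import struct
import sys
import time

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1  # OpenSSH: 1 = user cert, 2 = host cert


def _read_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _read_uint(buf, off, size):
    (v,) = struct.unpack(">Q" if size == 8 else ">I", buf[off:off + size])
    return v, off + size


def parse_cert_line(line):
    """Decode one 'type base64 [comment]' line into the fields we care about."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not a public key / certificate line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    if key_type != CERT_TYPE:
        raise ValueError(f"unexpected key type {key_type!r}")
    off = 0
    inner, off = _read_string(blob, off)   # type string is repeated inside the blob
    if inner.decode() != CERT_TYPE:
        raise ValueError("blob type string does not match line type")
    _nonce, off = _read_string(blob, off)
    _pubkey, off = _read_string(blob, off)
    serial, off = _read_uint(blob, off, 8)
    ctype, off = _read_uint(blob, off, 4)
    key_id, off = _read_string(blob, off)
    princ_blob, off = _read_string(blob, off)
    valid_after, off = _read_uint(blob, off, 8)
    valid_before, off = _read_uint(blob, off, 8)
    # critical options, extensions, reserved, signature key and signature follow;
    # they are not needed for this check.
    principals, p = [], 0
    while p < len(princ_blob):
        s, p = _read_string(princ_blob, p)
        principals.append(s.decode())
    return {"serial": serial, "type": ctype, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before}


def check_cert(line, expected_principals, max_ttl_seconds, now=None):
    """Return a list of findings; an empty list means the cert matches the pilot."""
    now = int(time.time()) if now is None else now
    cert = parse_cert_line(line)
    findings = []
    if cert["type"] != SSH_CERT_TYPE_USER:
        findings.append("not a user certificate")
    missing = set(expected_principals) - set(cert["principals"])
    if missing:
        findings.append(f"missing principals: {sorted(missing)}")
    ttl = cert["valid_before"] - cert["valid_after"]
    if ttl > max_ttl_seconds:
        findings.append(f"validity {ttl}s exceeds TTL {max_ttl_seconds}s")
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        findings.append("certificate not valid at current time")
    return findings


def _string(b):
    return struct.pack(">I", len(b)) + b


def build_sample_cert_line(principals, valid_after, valid_before, ctype=1):
    """Constructed, UNSIGNED sample cert for offline testing only (not warden output)."""
    princ = b"".join(_string(p.encode()) for p in principals)
    blob = (_string(CERT_TYPE.encode()) + _string(os.urandom(32))   # nonce
            + _string(b"\x00" * 32)                                  # placeholder pubkey
            + struct.pack(">Q", 1) + struct.pack(">I", ctype)        # serial, type
            + _string(b"agt-state-hub-bridge") + _string(princ)      # key id, principals
            + struct.pack(">Q", valid_after) + struct.pack(">Q", valid_before)
            + _string(b"") * 5)   # critical opts, extensions, reserved, sig key, sig
    return f"{CERT_TYPE} {base64.b64encode(blob).decode()} agt-state-hub-bridge"


if __name__ == "__main__":
    # Pilot expectations from the table above: principal agt-task-bridge, TTL 24 h.
    problems = check_cert(sys.stdin.readline(), ["agt-task-bridge"], 24 * 3600)
    for problem in problems:
        print("FAIL:", problem)
    sys.exit(1 if problems else 0)
```

The exit status makes the script usable as a gate in the smoke step; a non-empty findings list is the signal that the inventory entry, the signing role, or the host principals are out of step with the pilot table.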
Migration checklist
1. Inventory and signing path
- Actor exists: `warden inventory list` shows `agt-state-hub-bridge`
- `warden sign` succeeds with the production OpenBao backend
- `signatures.log` records the sign (`~/.local/state/warden/signatures.log`)
2. ops-bridge tunnel config
Edit `~/.config/bridge/tunnels.yaml` (ops-bridge repo owns the schema; example below):
```yaml
tunnels:
  state-hub-coulombcore:
    host: coulombcore
    remote_port: 8001
    local_port: 8000
    ssh_user: agt-state-hub-bridge
    ssh_key: ~/.ssh/agt-state-hub-bridge_ed25519
    actor: agt-state-hub-bridge
    cert_command: "warden sign agt-state-hub-bridge --pubkey ~/.ssh/agt-state-hub-bridge_ed25519.pub"
```
- `cert_command` uses the public key path (warden reads the pubkey, writes the cert to stdout)
- `ssh_user` matches the certificate identity / host expectation
- Remove or disable the static-key-only fallback once the cert path is verified
3. Host-side verification
- Principal `agt-task-bridge` present in `railiance-infra` `ssh_principals.yaml` for the target host
- Run `scripts/check_principals_drift.py` if the inventory `hosts` section documents allowed principals
4. Tunnel smoke
```bash
# ops-bridge (from ops-bridge repo)
bridge status state-hub-coulombcore
bridge up state-hub-coulombcore
```
- Tunnel establishes without a static cert file on disk
- Re-run `bridge up` after the cert TTL expires; `cert_command` re-issues automatically
5. Policy gate (optional, after FLEX-WP-0007)
When policy.enabled: true, confirm signatures.log includes policy_decision_id
on tunnel-driven signs. See wiki/PolicyGatedSigning.md.
Rollback
Keep the static key path until cert_command smoke passes. To roll back:
- Remove `cert_command` from the tunnel config
- Restore the prior static-key or `CertificateFile` workflow
- Document the rollback in ops-bridge session notes (not in git secrets)
Static-key tunnels (legacy)
Tunnels using agt-claude-* or other long-lived keys are out of scope for this
pilot. Migrate per-tunnel when ops-bridge owner prioritizes them.
See also
- `wiki/CertCommandInterface.md`
- `wiki/OpsWardenConfig.md` (cert_command example)
- `wiki/playbooks/operator-openbao-token-hygiene.md`
- `warden route show ops-bridge-tunnel --json`