generated from coulomb/repo-seed
Add policy.py client that calls flex-auth /v1/check before sign/issue when policy.enabled is true. Record policy_decision_id in signatures.log. Default off preserves existing inventory-only behavior. Document production OpenBao health probe and update config/wiki references.
2.4 KiB
2.4 KiB
OpenBao Production Verification — 2026-06-17
Workplan: WARDEN-WP-0007-T01
Endpoint: https://bao.coulomb.social
Operator: codex (automated probe, no secrets recorded)
Health probe
curl -s "https://bao.coulomb.social/v1/sys/health" | python3 -m json.tool
Result (2026-06-17):
| Field | Value |
|---|---|
initialized |
true |
sealed |
false |
standby |
false |
version |
2.5.4 |
cluster_name |
vault-cluster-ebe7da39 |
replication_performance_mode |
primary |
OpenBao is reachable, initialized, and unsealed. Suitable as the production
platform secrets endpoint for ops-warden backend: vault.
Authenticated API (blocked without token)
curl -s -o /dev/null -w "%{http_code}" "https://bao.coulomb.social/v1/sys/mounts"
Result: HTTP 403 (expected without X-Vault-Token).
Full SSH engine verification (bao secrets list, role TTL alignment, live
warden sign) requires a scoped operator token with permission to:
- List mounts and confirm
ssh/engine is enabled - Read
ssh/roles/{adm,agt,atm}-roleTTL limits - Call
POST /v1/ssh/sign/<role>for each actor type
See wiki/OpenBaoSshEngineChecklist.md for the step-by-step checklist.
Blockers for end-to-end warden sign
| Blocker | Owner | Notes |
|---|---|---|
No ~/.config/warden/warden.yaml on dev workstation |
Operator | Point vault.addr at https://bao.coulomb.social |
No scoped VAULT_TOKEN in session |
Operator | OIDC login via KeyCape / bao login |
| SSH engine roles may not be provisioned | railiance-platform |
Run checklist in wiki/OpenBaoSshEngineChecklist.md |
flex-auth policy package for ssh-certificate |
flex-auth |
Out of scope for WP-0007; gate is opt-in |
Recommended next operator steps
- Create production
warden.yamlwithbackend: vaultandvault.addr. - Export short-lived
VAULT_TOKENafter OIDC login. - Run
wiki/OpenBaoSshEngineChecklist.mditems 1–6. - Test:
warden sign <actor> --pubkey <path>against a known inventory actor. - Enable
policy.enabled: trueonly after flex-authssh-certificatepolicies exist.
See also
wiki/OpsWardenConfig.md— production config exampleswiki/OpenBaoSshEngineChecklist.md— SSH engine validationwiki/PolicyGatedSigning.md— opt-in flex-auth gate (implemented WP-0007)