ops-warden/workplans/ADHOC-2026-06-29.md
tegwick 50ab78392f feat(smoke): joint-smoke mode against deployed flex-auth (assist FLEX-WP-0007 T4)
flex-auth asked ops-warden to help close FLEX-WP-0007 T4 (joint OpenBao + policy-gate
production smoke) against their deployed runtime (reachable on CoulombCore via the
flex-auth-coulombcore tunnel at 127.0.0.1:18090). The smoke previously spawned its own
local flex-auth, so it never exercised the deployed runtime.

Add FLEX_AUTH_EXTERNAL=1 to scripts/policy_gate_production_smoke.sh: skip the local
serve/load-registry and run the allow/deny/vault paths against the already-running
flex-auth, with a /healthz precheck that fails fast with a tunnel-up hint. Verified the
committed production_registry_snapshot.json is current vs inventory (4 actors). Recorded
in ADHOC-2026-06-29.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-29 00:40:20 +02:00

id: ADHOC-2026-06-29
type: workplan
title: Ad Hoc Tasks — 2026-06-29
domain: infotech
repo: ops-warden
status: finished
owner: claude
topic_slug: custodian
created: 2026-06-29
updated: 2026-06-29

Ad Hoc Tasks — 2026-06-29

T01 — Joint-smoke mode for the deployed flex-auth (assist FLEX-WP-0007 T4)

id: ADHOC-2026-06-29-T01
status: done
priority: medium

flex-auth (msg ea00620b) asked ops-warden to help close FLEX-WP-0007 T4 (joint OpenBao + policy-gate production smoke). Their deployed runtime is reachable on CoulombCore via the flex-auth-coulombcore tunnel at 127.0.0.1:18090, but policy_gate_production_smoke.sh spawned its own local flex-auth binary — so it never exercised the deployed runtime.

  • Added FLEX_AUTH_EXTERNAL=1 mode to scripts/policy_gate_production_smoke.sh: skips the local serve/load-registry and runs the allow/deny/vault paths against the already-running deployed flex-auth, with a /healthz precheck that fails fast with a "is the flex-auth-coulombcore tunnel up?" hint (verified: clean exit 2 when down).
  • Verified the committed production_registry_snapshot.json is current (rebuilt from ~/.config/warden/inventory.yaml, diff-clean; 4 actors).
  • Answered flex-auth's three questions and handed the operator the exact CoulombCore runbook (see reply). Remaining T4 steps are operator-gated and cannot run from the workstation: mint a scoped VAULT_TOKEN (ops-warden holds no standing token by design), run the joint smoke on CoulombCore, then flip policy.enabled: true.
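
An added sketch of the FLEX_AUTH_EXTERNAL=1 gating and /healthz precheck described in T01, not the contents of scripts/policy_gate_production_smoke.sh. FLEX_AUTH_URL, the function names and the curl options are assumptions, and the local serve/load-registry steps are left as a placeholder because the page does not show them.

```shell
#!/bin/sh
# Added illustration, not the project's script. FLEX_AUTH_EXTERNAL, /healthz,
# 127.0.0.1:18090 and exit status 2 come from the workplan; FLEX_AUTH_URL and
# the function names below are assumptions.

FLEX_AUTH_URL="${FLEX_AUTH_URL:-http://127.0.0.1:18090}"

# Only the exact value "1" selects the deployed runtime; anything else keeps
# the original behaviour of spawning a local flex-auth.
smoke_mode() {
    if [ "${FLEX_AUTH_EXTERNAL:-0}" = "1" ]; then
        echo external
    else
        echo local
    fi
}

# Probe /healthz before any allow/deny/vault path runs. Returns 0 when the
# runtime answers, 2 when it does not. --noproxy keeps the probe on the tunnel.
flex_auth_precheck() {
    url="${1:-$FLEX_AUTH_URL}"
    if curl --silent --fail --max-time 3 --noproxy '*' \
            --output /dev/null "$url/healthz"; then
        return 0
    fi
    echo "flex-auth not reachable at $url/healthz" >&2
    echo "is the flex-auth-coulombcore tunnel up?" >&2
    return 2
}

# External mode never falls back to a local spawn: a silent fallback would let
# the smoke pass without touching the deployed runtime.
prepare_target() {
    case "$(smoke_mode)" in
        external)
            flex_auth_precheck "$FLEX_AUTH_URL" || return $?
            echo "target=deployed $FLEX_AUTH_URL"
            ;;
        local)
            # Placeholder for the local serve/load-registry steps.
            echo "target=local"
            ;;
    esac
}
```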