generated from coulomb/repo-seed
Add policy.py client that calls flex-auth /v1/check before sign/issue when policy.enabled is true. Record policy_decision_id in signatures.log. Default off preserves existing inventory-only behavior. Document production OpenBao health probe and update config/wiki references.
1.9 KiB
1.9 KiB
id, type, title, domain, repo, status, owner, topic_slug, planning_priority, planning_order, created, updated
| id | type | title | domain | repo | status | owner | topic_slug | planning_priority | planning_order | created | updated |
|---|---|---|---|---|---|---|---|---|---|---|---|
| WARDEN-WP-0007 | workplan | Policy Gate and Production OpenBao Verification | custodian | ops-warden | finished | codex | custodian | high | 7 | 2026-06-17 | 2026-06-17 |
WARDEN-WP-0007 — Policy Gate and Production OpenBao Verification
Scope: Record production OpenBao reachability evidence; implement opt-in
flex-auth policy gate before warden sign / warden issue per
wiki/PolicyGatedSigning.md.
Out of scope: flex-auth policy package authoring, OpenBao SSH engine mount on Railiance (operator), identity claim requirement (v2.1).
Tasks
T1 — Production OpenBao verification evidence
id: WARDEN-WP-0007-T01
status: done
priority: high
- Probe
https://bao.coulomb.social/v1/sys/health - Document results in
history/2026-06-17-openbao-production-verify.md - Note blockers for full
warden sign(scoped token, SSH engine roles)
T2 — Policy config and flex-auth client
id: WARDEN-WP-0007-T02
status: done
priority: high
PolicyConfiginconfig.py(policy.enabled,flex_auth_url,fail_closed)policy.py— POST/v1/check, pubkey fingerprint, CAError on deny
T3 — Wire policy gate into sign/issue
id: WARDEN-WP-0007-T03
status: done
priority: high
- Call policy check before
ca.sign()when enabled - Store
policy_decision_idinsignatures.log
T4 — Tests and docs
id: WARDEN-WP-0007-T04
status: done
priority: medium
tests/test_policy.py- Update
wiki/OpsWardenConfig.md,wiki/PolicyGatedSigning.md
Acceptance Criteria
- Production health evidence recorded (non-secret)
policy.enabled: falsedefault — no behavior changepolicy.enabled: truecalls flex-auth; deny blocks sign- All unit tests pass