This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
ops-warden/workplans/WARDEN-WP-0007-policy-gate-and-production-verify.md
tegwick 8e9383a33a feat: opt-in flex-auth policy gate and OpenBao verify (WP-0007)
Add policy.py client that calls flex-auth /v1/check before sign/issue when
policy.enabled is true. Record policy_decision_id in signatures.log. Default
off preserves existing inventory-only behavior. Document production OpenBao
health probe and update config/wiki references.
2026-06-17 08:37:14 +02:00

1.9 KiB

id, type, title, domain, repo, status, owner, topic_slug, planning_priority, planning_order, created, updated
id type title domain repo status owner topic_slug planning_priority planning_order created updated
WARDEN-WP-0007 workplan Policy Gate and Production OpenBao Verification custodian ops-warden finished codex custodian high 7 2026-06-17 2026-06-17

WARDEN-WP-0007 — Policy Gate and Production OpenBao Verification

Scope: Record production OpenBao reachability evidence; implement opt-in flex-auth policy gate before warden sign / warden issue per wiki/PolicyGatedSigning.md.

Out of scope: flex-auth policy package authoring, OpenBao SSH engine mount on Railiance (operator), identity claim requirement (v2.1).


Tasks

T1 — Production OpenBao verification evidence

id: WARDEN-WP-0007-T01
status: done
priority: high
  • Probe https://bao.coulomb.social/v1/sys/health
  • Document results in history/2026-06-17-openbao-production-verify.md
  • Note blockers for full warden sign (scoped token, SSH engine roles)

T2 — Policy config and flex-auth client

id: WARDEN-WP-0007-T02
status: done
priority: high
  • PolicyConfig in config.py (policy.enabled, flex_auth_url, fail_closed)
  • policy.py — POST /v1/check, pubkey fingerprint, CAError on deny

T3 — Wire policy gate into sign/issue

id: WARDEN-WP-0007-T03
status: done
priority: high
  • Call policy check before ca.sign() when enabled
  • Store policy_decision_id in signatures.log

T4 — Tests and docs

id: WARDEN-WP-0007-T04
status: done
priority: medium
  • tests/test_policy.py
  • Update wiki/OpsWardenConfig.md, wiki/PolicyGatedSigning.md

Acceptance Criteria

  • Production health evidence recorded (non-secret)
  • policy.enabled: false default — no behavior change
  • policy.enabled: true calls flex-auth; deny blocks sign
  • All unit tests pass