ops-warden/workplans/WARDEN-WP-0009-flex-auth-policy-gate-production.md

id, type, title, domain, repo, status, owner, topic_slug, planning_priority, planning_order, created, updated, state_hub_workstream_id

id	type	title	domain	repo	status	owner	topic_slug	planning_priority	planning_order	created	updated	state_hub_workstream_id
WARDEN-WP-0009	workplan	flex-auth Policy Gate Production Readiness	custodian	ops-warden	wait	codex	custodian	low	9	2026-06-18	2026-06-18	9213b262-e2f5-480e-a5bc-56635d5eb4c9

WARDEN-WP-0009 — flex-auth Policy Gate Production Readiness

Scope: Enable and verify the opt-in flex-auth pre-sign gate (policy.enabled) in production after flex-auth publishes ssh-certificate resource policies.

Out of scope: flex-auth policy package authoring (flex-auth owner); OpenBao SSH engine and host CA (complete — NET-WP-0020 T5 / WP-0008 T2).

Spun out from: WARDEN-WP-0008 T5 (2026-06-18 closeout).

---

Tasks

T1 — flex-auth policy package confirmation

id: WARDEN-WP-0009-T01
status: wait
priority: medium
state_hub_task_id: "f988ed2e-0f63-4e89-abc4-183a7f23ddc2"

• Confirm flex-auth policies for resource type ssh-certificate exist
• Document tenant/subject bindings for adm / agt / atm sign paths
• Coordinate with flex-auth owner on deny/allow test fixtures

Blocked until: flex-auth publishes ssh-certificate policies.

T2 — Production enablement and smoke

id: WARDEN-WP-0009-T02
status: wait
priority: medium
state_hub_task_id: "9d0fabc2-10ef-426d-a3d2-d4970d377029"

• Document operator steps to set policy.enabled: true (see wiki/PolicyGatedSigning.md)
• Smoke test allow path — signatures.log includes policy_decision_id
• Smoke test deny path with fail_closed: true (non-secret evidence)

---

See also

• wiki/PolicyGatedSigning.md — gate flow and config (shipped WP-0007)
• examples/warden.production.example.yaml — policy.enabled: false default
• history/2026-06-17-openbao-production-verify.md — production sign evidence