ops-warden/workplans/WARDEN-WP-0009-flex-auth-policy-gate-production.md

---
id: WARDEN-WP-0009
type: workplan
title: "flex-auth Policy Gate Production Readiness"
domain: custodian
repo: ops-warden
status: wait
owner: codex
topic_slug: custodian
planning_priority: low
planning_order: 9
created: "2026-06-18"
updated: "2026-06-18"
state_hub_workstream_id: "9213b262-e2f5-480e-a5bc-56635d5eb4c9"
---

# WARDEN-WP-0009 — flex-auth Policy Gate Production Readiness

**Scope:** Enable and verify the opt-in flex-auth pre-sign gate (`policy.enabled`)
in production after flex-auth publishes `ssh-certificate` resource policies.

**Out of scope:** flex-auth policy package authoring (flex-auth owner); OpenBao SSH
engine and host CA (complete — NET-WP-0020 T5 / WP-0008 T2).

**Spun out from:** WARDEN-WP-0008 T5 (2026-06-18 closeout).

---

## Tasks

### T1 — flex-auth policy package confirmation

```task
id: WARDEN-WP-0009-T01
status: wait
priority: medium
state_hub_task_id: "f988ed2e-0f63-4e89-abc4-183a7f23ddc2"
```

- [ ] Confirm flex-auth policies for resource type `ssh-certificate` exist
- [ ] Document tenant/subject bindings for `adm` / `agt` / `atm` sign paths
- [ ] Coordinate with flex-auth owner on deny/allow test fixtures

**Blocked until:** flex-auth publishes ssh-certificate policies.

### T2 — Production enablement and smoke

```task
id: WARDEN-WP-0009-T02
status: wait
priority: medium
state_hub_task_id: "9d0fabc2-10ef-426d-a3d2-d4970d377029"
```

- [ ] Document operator steps to set `policy.enabled: true` (see `wiki/PolicyGatedSigning.md`)
- [ ] Smoke test allow path — `signatures.log` includes `policy_decision_id`
- [ ] Smoke test deny path with `fail_closed: true` (non-secret evidence)

---

## See also

- `wiki/PolicyGatedSigning.md` — gate flow and config (shipped WP-0007)
- `examples/warden.production.example.yaml` — `policy.enabled: false` default
- `history/2026-06-17-openbao-production-verify.md` — production sign evidence