This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
ops-warden/workplans/WARDEN-WP-0007-policy-gate-and-production-verify.md

2.2 KiB

id, type, title, domain, repo, status, owner, topic_slug, planning_priority, planning_order, created, updated, state_hub_workstream_id
id type title domain repo status owner topic_slug planning_priority planning_order created updated state_hub_workstream_id
WARDEN-WP-0007 workplan Policy Gate and Production OpenBao Verification custodian ops-warden finished codex custodian high 7 2026-06-17 2026-06-17 3718ac07-2fa2-47d0-a02a-c9a7b83a5ba9

WARDEN-WP-0007 — Policy Gate and Production OpenBao Verification

Scope: Record production OpenBao reachability evidence; implement opt-in flex-auth policy gate before warden sign / warden issue per wiki/PolicyGatedSigning.md.

Out of scope: flex-auth policy package authoring, OpenBao SSH engine mount on Railiance (operator), identity claim requirement (v2.1).


Tasks

T1 — Production OpenBao verification evidence

id: WARDEN-WP-0007-T01
status: done
priority: high
state_hub_task_id: "344540ad-5912-4118-b406-450b96e13c40"
  • Probe https://bao.coulomb.social/v1/sys/health
  • Document results in history/2026-06-17-openbao-production-verify.md
  • Note blockers for full warden sign (scoped token, SSH engine roles)

T2 — Policy config and flex-auth client

id: WARDEN-WP-0007-T02
status: done
priority: high
state_hub_task_id: "05424ddf-5fe9-43a1-a2f8-c47235a012c8"
  • PolicyConfig in config.py (policy.enabled, flex_auth_url, fail_closed)
  • policy.py — POST /v1/check, pubkey fingerprint, CAError on deny

T3 — Wire policy gate into sign/issue

id: WARDEN-WP-0007-T03
status: done
priority: high
state_hub_task_id: "f5ae8e6e-8cce-4526-b18c-0452a135af49"
  • Call policy check before ca.sign() when enabled
  • Store policy_decision_id in signatures.log

T4 — Tests and docs

id: WARDEN-WP-0007-T04
status: done
priority: medium
state_hub_task_id: "ea921d56-033b-4619-8032-61af7992e610"
  • tests/test_policy.py
  • Update wiki/OpsWardenConfig.md, wiki/PolicyGatedSigning.md

Acceptance Criteria

  • Production health evidence recorded (non-secret)
  • policy.enabled: false default — no behavior change
  • policy.enabled: true calls flex-auth; deny blocks sign
  • All unit tests pass