ops-warden/history/2026-06-23-flex-auth-policy-gate-local-smoke.md
tegwick 90007c2cda feat: close WP-0009/WP-0013 production integration stewardship strand
Ship flex-auth policy gate registry and smoke evidence, archive WP-0009
through WP-0013, and add integration docs: ops-bridge cert_command
migration playbook, operator OpenBao token hygiene, principals drift
check script, and 2026-06-24 INTENT/SCOPE gap analysis.
2026-06-24 12:44:32 +02:00

flex-auth Policy Gate — Local Smoke (WARDEN-WP-0009)

Date: 2026-06-23
Workplan: WARDEN-WP-0009 T01 closeout + T02 local smoke
flex-auth delivery: FLEX-WP-0006 (docs/ops-warden-policy-gate-handoff.md)


Unblock

flex-auth published the ssh-certificate / sign policy package and ops-warden handoff on 2026-06-23. WARDEN-WP-0009 T01 is complete; T2 local smoke below. Production enablement still requires deploying a production registry slice with real inventory actors (see wiki/PolicyGatedSigning.md).


flex-auth assets confirmed

| Asset | Path (flex-auth repo) |
|---|---|
| Policy package | examples/ops-warden/policy_package.md |
| Fixtures | examples/ops-warden/policy_fixtures.yaml |
| Registry snapshot | examples/ops-warden/registry_snapshot.json |
| Handoff | docs/ops-warden-policy-gate-handoff.md |

Example registry actors (platform-steward, ci-deploy-agent, backup-automation) are templates. Production actors such as agt-state-hub-bridge must be registered in the deployed flex-auth registry before policy.enabled: true.


Local smoke (ops-warden + flex-auth)

Setup: `backend: local`, `policy.enabled: true`, `fail_closed: true`; `flex-auth serve` running with the ops-warden policy package and a smoke registry that adds agt-policy-smoke (an ops-warden naming-compliant clone of the agt fixture).

Allow path

| Check | Result |
|---|---|
| warden sign agt-policy-smoke | Pass (exit 0) |
| signatures.log policy_decision_id | decision:78bc882eca883f29 |
| signatures.log backend | local |

Deny path (fail_closed: true)

| Check | Result |
|---|---|
| warden sign agt-state-hub-bridge (not in flex-auth registry) | Fail (exit 1) |
| CLI reason surfaced | unknown_actor_resource |
| Cert issued | No |
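The allow and deny paths above, plus the fail_closed behaviour the setup relies on, as an added illustration in Python. This is not ops-warden or flex-auth code: the registry JSON layout, the `PolicyGate`/`warden_sign` names, the signatures.log field set and every reason code other than `unknown_actor_resource` (`action_not_permitted`, `policy_unavailable`, `policy_disabled`) are assumptions made for this example. The registry snapshot is constructed and registers only the smoke actor, mirroring the local smoke.

```python
"""Fail-closed policy gate for certificate signing (added example).

Not ops-warden/flex-auth code: registry format, class/function names,
log layout and most reason codes are assumptions for illustration.
"""
import hashlib
import json
from dataclasses import dataclass

# Constructed stand-in for the flex-auth registry snapshot: only the
# smoke actor is registered, so agt-state-hub-bridge is unknown here.
REGISTRY_SNAPSHOT = json.dumps({
    "actors": {
        "agt-policy-smoke": {
            "resources": ["ssh-certificate"],
            "actions": ["sign"],
        },
    }
})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    decision_id: str


def decision_id(actor: str, resource: str, action: str, reason: str) -> str:
    """Stable, non-secret id in the 'decision:<16 hex>' shape seen in the smoke log.

    Derived from the request tuple so the same request yields the same id;
    the derivation is an assumption, not flex-auth's scheme."""
    digest = hashlib.sha256(f"{actor}|{resource}|{action}|{reason}".encode()).hexdigest()
    return "decision:" + digest[:16]


class PolicyGate:
    """Evaluates ssh-certificate/sign requests against a registry snapshot."""

    def __init__(self, registry_json: str, enabled: bool = True, fail_closed: bool = True):
        self.registry = json.loads(registry_json)["actors"]
        self.enabled = enabled
        self.fail_closed = fail_closed

    def _lookup(self, actor: str, resource: str, action: str):
        entry = self.registry.get(actor)
        if entry is None:
            # Reason code surfaced by the CLI in the deny path above.
            return False, "unknown_actor_resource"
        if resource not in entry["resources"] or action not in entry["actions"]:
            return False, "action_not_permitted"  # hypothetical reason code
        return True, "allow"

    def evaluate(self, actor: str, resource: str = "ssh-certificate",
                 action: str = "sign", registry_available: bool = True) -> Decision:
        if not self.enabled:
            reason = "policy_disabled"  # hypothetical: gate switched off in config
            return Decision(True, reason, decision_id(actor, resource, action, reason))
        if not registry_available:
            # fail_closed: an unreachable policy service must never turn into an allow.
            reason = "policy_unavailable"  # hypothetical reason code
            return Decision(not self.fail_closed, reason,
                            decision_id(actor, resource, action, reason))
        allowed, reason = self._lookup(actor, resource, action)
        return Decision(allowed, reason, decision_id(actor, resource, action, reason))


def warden_sign(gate: PolicyGate, actor: str, backend: str = "local",
                registry_available: bool = True):
    """Return (exit_code, signatures.log line). No certificate is issued on deny.

    The log carries only non-secret evidence: actor, backend, decision id, outcome."""
    d = gate.evaluate(actor, registry_available=registry_available)
    log_line = json.dumps({
        "actor": actor,
        "backend": backend,
        "policy_decision_id": d.decision_id,
        "allowed": d.allowed,
        "reason": d.reason,
    })
    return (0 if d.allowed else 1), log_line


if __name__ == "__main__":
    gate = PolicyGate(REGISTRY_SNAPSHOT)
    for actor in ("agt-policy-smoke", "agt-state-hub-bridge"):
        code, line = warden_sign(gate, actor)
        print(code, line)
    # Policy service down: fail_closed denies even the registered smoke actor.
    print(warden_sign(gate, "agt-policy-smoke", registry_available=False)[0])
```

The third call is the case the two smoke tables do not exercise: with `fail_closed: true`, a registry outage denies even a registered actor, which is the property worth re-checking once the production gate points at `policy.flex_auth_url`.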

Production remaining (T2)

  1. Deploy flex-auth registry + policy package to production flex-auth runtime.
  2. Register production inventory actors (agt-state-hub-bridge, adm-*, atm-*).
  3. Set policy.flex_auth_url and policy.enabled: true in production warden.yaml.
  4. Repeat allow/deny smoke against OpenBao-backed warden sign; capture policy_decision_id in signatures.log (non-secret evidence only).

See also

  • wiki/PolicyGatedSigning.md — bindings, rollout, handoff link
  • workplans/WARDEN-WP-0009-flex-auth-policy-gate-production.md