Ship flex-auth policy gate registry and smoke evidence, archive WP-0009 through WP-0013, and add integration docs: ops-bridge cert_command migration playbook, operator OpenBao token hygiene, principals drift check script, and 2026-06-24 INTENT/SCOPE gap analysis.
# flex-auth Policy Gate — Local Smoke (WARDEN-WP-0009)

- Date: 2026-06-23
- Workplan: WARDEN-WP-0009 T01 closeout + T02 local smoke
- flex-auth delivery: FLEX-WP-0006 (`docs/ops-warden-policy-gate-handoff.md`)
## Unblock

flex-auth published the `ssh-certificate / sign` policy package and the ops-warden
handoff on 2026-06-23. WARDEN-WP-0009 T01 is complete; the T02 local smoke is recorded below.
Production enablement still requires deploying a production registry slice
with real inventory actors (see `wiki/PolicyGatedSigning.md`).
## flex-auth assets confirmed

| Asset | Path (flex-auth repo) |
|---|---|
| Policy package | `examples/ops-warden/policy_package.md` |
| Fixtures | `examples/ops-warden/policy_fixtures.yaml` |
| Registry snapshot | `examples/ops-warden/registry_snapshot.json` |
| Handoff | `docs/ops-warden-policy-gate-handoff.md` |
The example registry actors (`platform-steward`, `ci-deploy-agent`, `backup-automation`)
are templates only. Production actors such as `agt-state-hub-bridge` must be
registered in the deployed flex-auth registry before `policy.enabled: true` is set;
with `fail_closed: true`, an unregistered actor is denied at signing time (see the deny path below).
## Local smoke (ops-warden + flex-auth)

Setup: `backend: local`, `policy.enabled: true`, `fail_closed: true`;
`flex-auth serve` with the ops-warden policy package and a smoke registry that adds
`agt-policy-smoke` (an ops-warden naming-compliant clone of the `agt` fixture).
### Allow path

| Check | Result |
|---|---|
| `warden sign agt-policy-smoke` | Pass (exit 0) |
| `signatures.log` `policy_decision_id` | `decision:78bc882eca883f29` |
| `signatures.log` `backend` | `local` |
### Deny path (`fail_closed: true`)

| Check | Result |
|---|---|
| `warden sign agt-state-hub-bridge` (not in flex-auth registry) | Fail (exit 1) |
| CLI reason surfaced | `unknown_actor_resource` |
| Cert issued | No |
## Production remaining (T02)

- Deploy the flex-auth registry and policy package to the production flex-auth runtime.
- Register production inventory actors (`agt-state-hub-bridge`, `adm-*`, `atm-*`).
- Set `policy.flex_auth_url` and `policy.enabled: true` in the production `warden.yaml`.
- Repeat the allow/deny smoke against OpenBao-backed `warden sign`; capture `policy_decision_id` from `signatures.log` (non-secret evidence only).
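A checker for the allow/deny evidence described in the local smoke tables above and for the production repeat step, written as an added example for this page (it is not ops-warden or flex-auth code). It assumes `signatures.log` is one JSON object per line carrying at least `actor`, `policy_decision_id` and `backend`, that `warden sign <actor>` prints the deny reason on stderr, and that the OpenBao-backed run logs `backend: openbao`; none of these shapes are confirmed by the handoff, and the sample log line is constructed. Only non-secret keys are kept, so the output can be attached to the workplan as evidence; the deny check fails if the denied actor appears in the log at all, which is the "Cert issued: No" row expressed as an assertion.

```python
"""Allow/deny smoke evidence check for the ops-warden policy gate.

Added example for this page, not ops-warden or flex-auth code. Assumed, not
confirmed by the handoff: signatures.log is JSON lines with "actor",
"policy_decision_id" and "backend"; `warden sign <actor>` prints the deny
reason on stderr. Adjust parse_log()/run_sign() if the real shapes differ.
"""
import json
import re
import subprocess
import sys
from dataclasses import dataclass

# policy_decision_id as seen in the smoke table: "decision:" + 16 hex chars.
DECISION_ID_RE = re.compile(r"^decision:[0-9a-f]{16}$")
# Only these keys are retained; cert/signature/token fields are dropped so the
# captured evidence stays non-secret.
EVIDENCE_KEYS = ("actor", "policy_decision_id", "backend")

# Constructed sample (not a real signatures.log). The "cert" value is a
# placeholder, present only to show that it is stripped from the evidence.
SAMPLE_LOG = [
    '{"actor": "agt-policy-smoke", "policy_decision_id": "decision:78bc882eca883f29",'
    ' "backend": "local", "cert": "ssh-ed25519-cert-v01@openssh.com AAAA...placeholder"}',
]


@dataclass(frozen=True)
class Evidence:
    actor: str
    policy_decision_id: str
    backend: str


def parse_log(lines):
    """Parse signatures.log lines into Evidence records, keeping non-secret keys only."""
    records = []
    for line in lines:
        line = line.strip()
        if line:
            rec = json.loads(line)
            records.append(Evidence(*(str(rec.get(k, "")) for k in EVIDENCE_KEYS)))
    return records


def check_allow(evidence, actor, backend):
    """Allow path: exactly one signed entry, well-formed decision id, expected backend."""
    hits = [e for e in evidence if e.actor == actor]
    if len(hits) != 1:
        return False, f"expected 1 signed entry for {actor}, found {len(hits)}"
    e = hits[0]
    if not DECISION_ID_RE.match(e.policy_decision_id):
        return False, f"malformed policy_decision_id {e.policy_decision_id!r}"
    if e.backend != backend:
        return False, f"backend {e.backend!r}, expected {backend!r}"
    return True, e.policy_decision_id


def check_deny(evidence, actor, exit_code, stderr, reason="unknown_actor_resource"):
    """Deny path under fail_closed: non-zero exit, reason surfaced, no signed entry."""
    if exit_code == 0:
        return False, f"warden sign exited 0 for {actor}, which must be denied"
    if reason not in stderr:
        return False, f"deny reason {reason!r} not surfaced by the CLI"
    leaked = [e for e in evidence if e.actor == actor]
    if leaked:
        return False, f"signatures.log has {len(leaked)} entries for denied actor {actor}"
    return True, reason


def run_sign(actor, warden="warden"):
    # CLI shape taken from the smoke table; the warden binary itself is outside this example.
    p = subprocess.run([warden, "sign", actor], capture_output=True, text=True)
    return p.returncode, p.stderr


def live_smoke(log_path="signatures.log", backend="local", warden="warden"):
    """Run both paths against a real warden + flex-auth; returns 0 only on PASS/PASS.
    Pass backend="openbao" (assumed log value) for the production repeat."""
    allow_rc, _ = run_sign("agt-policy-smoke", warden)
    deny_rc, deny_err = run_sign("agt-state-hub-bridge", warden)
    with open(log_path, encoding="utf-8") as f:
        evidence = parse_log(f)
    ok_a, a_info = check_allow(evidence, "agt-policy-smoke", backend)
    ok_a = ok_a and allow_rc == 0
    ok_d, d_info = check_deny(evidence, "agt-state-hub-bridge", deny_rc, deny_err)
    print(f"allow: {'PASS' if ok_a else 'FAIL'} ({a_info})")
    print(f"deny:  {'PASS' if ok_d else 'FAIL'} ({d_info})")
    return 0 if ok_a and ok_d else 1


def offline_demo():
    """Replay both checks on the constructed sample; needs no warden binary."""
    evidence = parse_log(SAMPLE_LOG)
    ok_a, a_info = check_allow(evidence, "agt-policy-smoke", "local")
    ok_d, d_info = check_deny(evidence, "agt-state-hub-bridge", 1,
                              "error: unknown_actor_resource\n")
    return ok_a and ok_d, a_info, d_info


if __name__ == "__main__":
    if "--live" in sys.argv:
        sys.exit(live_smoke(backend="openbao" if "--openbao" in sys.argv else "local"))
    ok, a_info, d_info = offline_demo()
    print("allow evidence:", a_info, "| deny reason:", d_info)
    sys.exit(0 if ok else 1)
```

Run without arguments to replay the checks on the constructed sample; `--live` runs `warden sign` for both actors and reads the real `signatures.log`, with `--openbao` selecting the assumed production backend value. Because the evidence records never carry the certificate, the printed decision id and backend are the only fields that leave the host.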
## See also

- `wiki/PolicyGatedSigning.md` — bindings, rollout, handoff link
- `workplans/WARDEN-WP-0009-flex-auth-policy-gate-production.md`