ops-warden/history/2026-06-23-flex-auth-policy-gate-local-smoke.md
tegwick 90007c2cda feat: close WP-0009/WP-0013 production integration stewardship strand
Ship flex-auth policy gate registry and smoke evidence, archive WP-0009
through WP-0013, and add integration docs: ops-bridge cert_command
migration playbook, operator OpenBao token hygiene, principals drift
check script, and 2026-06-24 INTENT/SCOPE gap analysis.
2026-06-24 12:44:32 +02:00


# flex-auth Policy Gate — Local Smoke (WARDEN-WP-0009)
**Date:** 2026-06-23

**Workplan:** WARDEN-WP-0009 T01 closeout + T02 local smoke

**flex-auth delivery:** FLEX-WP-0006 (`docs/ops-warden-policy-gate-handoff.md`)

---
## Unblock
flex-auth published the `ssh-certificate` / `sign` policy package and ops-warden
handoff on 2026-06-23. WARDEN-WP-0009 T01 is complete; the T02 local smoke is below.
Production enablement still requires deploying a **production registry slice**
with real inventory actors (see `wiki/PolicyGatedSigning.md`).

---
## flex-auth assets confirmed
| Asset | Path (flex-auth repo) |
| --- | --- |
| Policy package | `examples/ops-warden/policy_package.md` |
| Fixtures | `examples/ops-warden/policy_fixtures.yaml` |
| Registry snapshot | `examples/ops-warden/registry_snapshot.json` |
| Handoff | `docs/ops-warden-policy-gate-handoff.md` |

Example registry actors (`platform-steward`, `ci-deploy-agent`, `backup-automation`)
are **templates**. Production actors such as `agt-state-hub-bridge` must be
registered in the deployed flex-auth registry before `policy.enabled: true`.

---
## Local smoke (ops-warden + flex-auth)
**Setup:** `backend: local`, `policy.enabled: true`, `fail_closed: true`,
flex-auth `serve` with ops-warden policy package and a smoke registry that adds
`agt-policy-smoke` (ops-warden naming-compliant clone of the `agt` fixture).
### Allow path
| Check | Result |
| --- | --- |
| `warden sign agt-policy-smoke` | Pass (exit 0) |
| `signatures.log` `policy_decision_id` | `decision:78bc882eca883f29` |
| `signatures.log` `backend` | `local` |
### Deny path (`fail_closed: true`)
| Check | Result |
| --- | --- |
| `warden sign agt-state-hub-bridge` (not in flex-auth registry) | Fail (exit 1) |
| CLI reason surfaced | `unknown_actor_resource` |
| Cert issued | No |
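The allow and deny paths above, plus the case the smoke did not exercise (policy service unreachable), modelled as a small fail-closed gate. This is an added illustration, not ops-warden or flex-auth code: the `Registry`, `PolicyGate` and `evidence_ok` names, the `decision:<16 hex>` id format and the `policy_unavailable` reason are assumptions modelled on the values in the tables above, and the registry contents are constructed sample data.

```python
"""Model of a fail-closed policy gate in front of `warden sign`.

Added example, not ops-warden or flex-auth code. Names and the decision-id
format are assumptions shaped after the smoke evidence in this record.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field


class PolicyUnavailable(Exception):
    """Raised when the policy service cannot be reached (simulated outage)."""


@dataclass
class Registry:
    """Stand-in for the flex-auth actor registry (constructed sample data)."""

    actors: set[str]
    reachable: bool = True

    def lookup(self, actor: str) -> bool:
        # Simulate a transport failure to flex-auth `serve`.
        if not self.reachable:
            raise PolicyUnavailable("flex-auth registry unreachable")
        return actor in self.actors


@dataclass
class Decision:
    allowed: bool
    reason: str
    decision_id: str | None = None


@dataclass
class PolicyGate:
    """Evaluates `policy.enabled` / `fail_closed` before a certificate is issued."""

    registry: Registry
    enabled: bool = True
    fail_closed: bool = True
    backend: str = "local"
    signatures_log: list[dict] = field(default_factory=list)

    def decide(self, actor: str) -> Decision:
        if not self.enabled:
            # Gate disabled: signing proceeds with no policy evidence at all.
            return Decision(True, "policy_disabled")
        try:
            known = self.registry.lookup(actor)
        except PolicyUnavailable:
            # fail_closed decides what happens when flex-auth cannot answer.
            if self.fail_closed:
                return Decision(False, "policy_unavailable")
            return Decision(True, "policy_unavailable_fail_open")
        if not known:
            return Decision(False, "unknown_actor_resource")
        # Assumed id format: "decision:" + 16 hex chars; real ids are per-request,
        # so a sequence number is mixed in to keep each allow distinct.
        seq = len(self.signatures_log) + 1
        digest = hashlib.sha256(f"{actor}:{seq}".encode()).hexdigest()[:16]
        return Decision(True, "allow", f"decision:{digest}")

    def sign(self, actor: str) -> tuple[int, str]:
        """Mimic `warden sign <actor>`: returns (exit code, reason).

        A signatures.log entry is appended only when a certificate is issued.
        """
        d = self.decide(actor)
        if not d.allowed:
            return 1, d.reason
        self.signatures_log.append(
            {"actor": actor, "backend": self.backend, "policy_decision_id": d.decision_id}
        )
        return 0, d.reason


def evidence_ok(log: list[dict], actor: str) -> bool:
    """The non-secret check from the smoke: every issued cert for `actor` carries a
    well-formed policy_decision_id (absent or None means the gate was bypassed)."""
    entries = [e for e in log if e.get("actor") == actor]
    if not entries:
        return False
    return all(
        re.fullmatch(r"decision:[0-9a-f]{16}", e.get("policy_decision_id") or "")
        for e in entries
    )


if __name__ == "__main__":
    registry = Registry({"platform-steward", "ci-deploy-agent", "backup-automation",
                         "agt-policy-smoke"})
    gate = PolicyGate(registry)
    print("allow path:", gate.sign("agt-policy-smoke"))
    print("deny path :", gate.sign("agt-state-hub-bridge"))
    registry.reachable = False
    print("outage    :", gate.sign("agt-policy-smoke"))
```

The fail-open variant (`fail_closed: False`) still returns exit 0 during an outage but logs `policy_decision_id: None`, which is exactly what `evidence_ok` rejects; that is the practical reason the smoke pins `fail_closed: true` and treats the decision id in `signatures.log` as the evidence to capture.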
---
## Production remaining (T2)
1. Deploy flex-auth registry + policy package to production flex-auth runtime.
2. Register production inventory actors (`agt-state-hub-bridge`, `adm-*`, `atm-*`).
3. Set `policy.flex_auth_url` and `policy.enabled: true` in production `warden.yaml`.
4. Repeat allow/deny smoke against OpenBao-backed `warden sign`; capture
`policy_decision_id` in `signatures.log` (non-secret evidence only).
---
## See also
- `wiki/PolicyGatedSigning.md` — bindings, rollout, handoff link
- `workplans/WARDEN-WP-0009-flex-auth-policy-gate-production.md`