generated from coulomb/repo-seed
Ship flex-auth policy gate registry and smoke evidence, archive WP-0009 through WP-0013, and add integration docs: ops-bridge cert_command migration playbook, operator OpenBao token hygiene, principals drift check script, and 2026-06-24 INTENT/SCOPE gap analysis.
70 lines
2.3 KiB
Markdown
# flex-auth Policy Gate — Local Smoke (WARDEN-WP-0009)
**Date:** 2026-06-23
**Workplan:** WARDEN-WP-0009 T01 closeout + T02 local smoke
**flex-auth delivery:** FLEX-WP-0006 (`docs/ops-warden-policy-gate-handoff.md`)
---
## Unblock
flex-auth published the `ssh-certificate` / `sign` policy package and ops-warden
handoff on 2026-06-23. WARDEN-WP-0009 T01 is complete; T02 local smoke below.

Production enablement still requires deploying a **production registry slice**
with real inventory actors (see `wiki/PolicyGatedSigning.md`).
---
## flex-auth assets confirmed
| Asset | Path (flex-auth repo) |
| --- | --- |
| Policy package | `examples/ops-warden/policy_package.md` |
| Fixtures | `examples/ops-warden/policy_fixtures.yaml` |
| Registry snapshot | `examples/ops-warden/registry_snapshot.json` |
| Handoff | `docs/ops-warden-policy-gate-handoff.md` |
Example registry actors (`platform-steward`, `ci-deploy-agent`, `backup-automation`)
are **templates**. Production actors such as `agt-state-hub-bridge` must be
registered in the deployed flex-auth registry before `policy.enabled: true`.
---
## Local smoke (ops-warden + flex-auth)
**Setup:** `backend: local`, `policy.enabled: true`, `fail_closed: true`,
flex-auth `serve` with the ops-warden policy package and a smoke registry that adds
`agt-policy-smoke` (ops-warden naming-compliant clone of the `agt` fixture).
### Allow path
| Check | Result |
| --- | --- |
| `warden sign agt-policy-smoke` | Pass (exit 0) |
| `signatures.log` `policy_decision_id` | `decision:78bc882eca883f29` |
| `signatures.log` `backend` | `local` |
### Deny path (`fail_closed: true`)
| Check | Result |
| --- | --- |
| `warden sign agt-state-hub-bridge` (not in flex-auth registry) | Fail (exit 1) |
| CLI reason surfaced | `unknown_actor_resource` |
| Cert issued | No |
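The allow and deny paths above, as an added example that is not ops-warden or flex-auth code: a small fail-closed model of the policy gate with the same registry shape as the smoke (the three template actors plus `agt-policy-smoke`), producing the `unknown_actor_resource` reason for an unregistered actor and writing only non-secret evidence (`backend`, `policy_decision_id`, reason) to a `signatures.log`-style record. The registry layout, the `policy_unavailable` reason, the decision-id derivation and the `warden_sign` helper are assumptions for illustration; the real `decision:…` ids come from flex-auth.

```python
"""Added example (not ops-warden or flex-auth code): a fail-closed model of the
ssh-certificate/sign policy gate exercised by the local smoke."""
import hashlib
from dataclasses import dataclass

# Constructed smoke registry: flex-auth template actors plus the naming-compliant
# smoke clone. Layout is an assumption, not the real registry_snapshot.json.
SMOKE_REGISTRY = {
    "platform-steward": {"resource": "ssh-certificate", "actions": ["sign"]},
    "ci-deploy-agent": {"resource": "ssh-certificate", "actions": ["sign"]},
    "backup-automation": {"resource": "ssh-certificate", "actions": ["sign"]},
    "agt-policy-smoke": {"resource": "ssh-certificate", "actions": ["sign"]},
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    decision_id: str  # "decision:<16 hex>" shape, as seen in signatures.log


def evaluate(registry, actor, resource="ssh-certificate", action="sign"):
    """Hypothetical evaluator: an actor/resource pair absent from the registry is
    denied with unknown_actor_resource (the reason surfaced by the smoke)."""
    entry = registry.get(actor)
    if entry is None or entry["resource"] != resource:
        allowed, reason = False, "unknown_actor_resource"
    elif action not in entry["actions"]:
        allowed, reason = False, "action_not_permitted"  # assumed reason name
    else:
        allowed, reason = True, "allow"
    # Deterministic, non-secret id over the decision inputs (constructed scheme).
    digest = hashlib.sha256(f"{actor}|{resource}|{action}|{reason}".encode()).hexdigest()
    return Decision(allowed, reason, f"decision:{digest[:16]}")


def warden_sign(actor, registry, log, backend="local", fail_closed=True, policy_up=True):
    """Model of `warden sign <actor>`: returns the CLI exit code (0 pass, 1 fail)
    and appends one evidence record to `log`. No key material is ever logged."""
    try:
        if not policy_up:
            raise ConnectionError("flex-auth unreachable")
        decision = evaluate(registry, actor)
    except ConnectionError:
        # fail_closed: true means a policy outage denies instead of issuing.
        if fail_closed:
            decision = Decision(False, "policy_unavailable", "decision:none")
        else:
            decision = Decision(True, "policy_unavailable_fail_open", "decision:none")
    log.append({
        "actor": actor,
        "backend": backend,
        "policy_decision_id": decision.decision_id,
        "reason": decision.reason,
        "cert_issued": decision.allowed,
    })
    return 0 if decision.allowed else 1


if __name__ == "__main__":
    evidence = []
    print("allow:", warden_sign("agt-policy-smoke", SMOKE_REGISTRY, evidence))
    print("deny:", warden_sign("agt-state-hub-bridge", SMOKE_REGISTRY, evidence))
    print("outage:", warden_sign("agt-policy-smoke", SMOKE_REGISTRY, evidence, policy_up=False))
    for record in evidence:
        print(record)
```

The third call shows why `fail_closed: true` matters: with the policy backend down, the sign request fails instead of silently issuing a certificate, which is the behaviour the deny-path evidence is meant to prove before production enablement.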
---
## Production remaining (T02)
1. Deploy the flex-auth registry + policy package to the production flex-auth runtime.
2. Register production inventory actors (`agt-state-hub-bridge`, `adm-*`, `atm-*`).
3. Set `policy.flex_auth_url` and `policy.enabled: true` in production `warden.yaml`.
4. Repeat the allow/deny smoke against OpenBao-backed `warden sign`; capture
   `policy_decision_id` in `signatures.log` (non-secret evidence only).
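A preflight for the checklist above and for the earlier note that the example registry actors are templates, as an added example that is not ops-warden or flex-auth code: it takes the `warden.yaml` settings as a dict (loading the YAML is left to the caller) together with the actor names from the deployed registry, and reports every condition that should block `policy.enabled: true`. The smoke configuration is shown beside a production-shaped one. The `backend: openbao` value, the `https://` requirement on `policy.flex_auth_url`, the sample actor names and the `fail_closed` key being top-level are assumptions; only the keys quoted in the checklist come from the page.

```python
"""Added example (not ops-warden or flex-auth code): production-enablement
preflight over warden.yaml settings and the deployed flex-auth registry."""
from fnmatch import fnmatch

# Actors the checklist requires in the production registry (exact name or glob).
REQUIRED_ACTORS = ["agt-state-hub-bridge", "adm-*", "atm-*"]

# Constructed configs standing in for warden.yaml. Weak (smoke) setting beside
# the production-shaped one; backend name and URL are placeholders.
SMOKE_CONFIG = {
    "backend": "local",
    "fail_closed": True,
    "policy": {"enabled": True},
}
PROD_CONFIG = {
    "backend": "openbao",  # assumed name for the OpenBao-backed signer
    "fail_closed": True,
    "policy": {
        "enabled": True,
        "flex_auth_url": "https://flex-auth.example.internal",  # placeholder
    },
}

# Constructed registry contents: the smoke slice only has template actors plus
# the smoke clone; the production slice has real inventory actors.
SMOKE_ACTORS = ["platform-steward", "ci-deploy-agent", "backup-automation", "agt-policy-smoke"]
PROD_ACTORS = ["agt-state-hub-bridge", "adm-ops-oncall", "atm-ci-runner"]  # sample names


def preflight(config, registry_actors):
    """Return blocking findings; an empty list means enablement can proceed."""
    findings = []
    policy = config.get("policy") or {}

    if config.get("backend") == "local":
        findings.append("backend: local is the smoke setting; production must be OpenBao-backed")
    if policy.get("enabled") is not True:
        findings.append("policy.enabled must be true")
    if config.get("fail_closed") is not True:
        findings.append("fail_closed must be true so a policy outage denies instead of issuing")

    url = policy.get("flex_auth_url")
    if not url:
        findings.append("policy.flex_auth_url is not set")
    elif not url.startswith("https://"):  # assumed transport requirement
        findings.append("policy.flex_auth_url should use https")

    # Template actors in the registry do not satisfy the production inventory.
    for pattern in REQUIRED_ACTORS:
        if not any(fnmatch(actor, pattern) for actor in registry_actors):
            findings.append(f"no registry actor matches {pattern}")
    return findings


if __name__ == "__main__":
    for name, cfg, actors in (("smoke", SMOKE_CONFIG, SMOKE_ACTORS), ("prod", PROD_CONFIG, PROD_ACTORS)):
        result = preflight(cfg, actors)
        print(f"{name}: {'READY' if not result else 'BLOCKED'}")
        for finding in result:
            print("  -", finding)
```

Run it against the real registry snapshot before step 3: the `agt-state-hub-bridge` deny seen in the local smoke is exactly the finding the actor check reports, so enabling the gate without clearing it would deny production signing rather than protect it.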
---
## See also
- `wiki/PolicyGatedSigning.md` — bindings, rollout, handoff link
- `workplans/WARDEN-WP-0009-flex-auth-policy-gate-production.md`