Ship flex-auth policy gate registry and smoke evidence, archive WP-0009 through WP-0013, and add integration docs: ops-bridge cert_command migration playbook, operator OpenBao token hygiene, principals drift check script, and 2026-06-24 INTENT/SCOPE gap analysis.
flex-auth Policy Gate — Production Registry Smoke (WARDEN-WP-0009 T02)
Date: 2026-06-23
Workplan: WARDEN-WP-0009 T02
Operator: codex (non-secret evidence only)
Production registry slice
Built from ~/.config/warden/inventory.yaml (matches examples/inventory.seed.yaml):
| Artifact | Path |
|---|---|
| Registry snapshot | registry/flex-auth/production_registry_snapshot.json |
| Generator | scripts/build_flex_auth_registry.py |
| Smoke runner | scripts/policy_gate_production_smoke.sh |
flex-auth load-registry validation: 4 actors, 3 groups, 4 relationships.
Registered actors:
| Actor | Type | max_ttl_hours | Principals |
|---|---|---|---|
| agt-state-hub-bridge | agt | 24 | agt-task-bridge |
| agt-codex-interhub-bootstrap | agt | 2 | agt-interhub-bootstrap |
| adm-example | adm | 48 | adm-full |
| atm-backup-daily | atm | 8 | atm-backup-daily |
Regenerate after inventory changes:

```bash
python scripts/build_flex_auth_registry.py ~/.config/warden/inventory.yaml \
  -o registry/flex-auth/production_registry_snapshot.json
```
Deploy the snapshot to the production flex-auth runtime (flex-auth serve or
future in-cluster deployment). Policy package path:
~/flex-auth/examples/ops-warden/policy_package.md.
Smoke results (production inventory + registry)
flex-auth was served locally with the production registry; warden sign used real
inventory actors with policy.enabled: true.
Allow path — agt-state-hub-bridge
| Check | Result |
|---|---|
| warden sign agt-state-hub-bridge | Pass (exit 0) |
| signatures.log policy_decision_id | decision:032b096c433ad80c |
| signatures.log actor | agt-state-hub-bridge |
Deny path — TTL above registry max (fail_closed: true)
| Check | Result |
|---|---|
| warden sign agt-state-hub-bridge --ttl 999 | Fail (exit 1) |
| flex-auth reason | ttl_out_of_bounds |
| Cert issued | No |
OpenBao-backed smoke (operator follow-up)
Attempted backend: vault against https://bao.coulomb.social with
policy.enabled: true. Blocked: the VAULT_TOKEN in the session returned HTTP 403
(permission denied). A baseline warden sign without the policy gate fails the
same way, so the 403 is a token problem rather than a policy-gate regression; a
token refresh is required before the vault-backed policy smoke can run.
When a scoped warden-sign token is available:

```bash
export VAULT_TOKEN="<scoped-token>"   # never commit or paste in chat
SMOKE_VAULT=1 ./scripts/policy_gate_production_smoke.sh
```
Then enable production warden.yaml:

```yaml
policy:
  enabled: true
  flex_auth_url: http://flex-auth.flex-auth.svc.cluster.local:8080  # or reachable URL
  fail_closed: true
```
Keep policy.enabled: false until flex-auth is reachable at flex_auth_url from
the workstation running warden sign: with fail_closed: true, every sign is
blocked while flex-auth is down, not only the ones policy would deny.
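The allow and deny rows above, together with the fail_closed behaviour, are easier to reason about as a small model of the decision. The block below is an added illustration written for this note; it is not flex-auth or warden code. It embeds the four-actor registry slice from the table as a constructed dict (the field names `type`, `max_ttl_hours`, `principals` and the `ttl_hours` request field are assumed), derives a `decision:<16 hex>` id from the canonical request (an assumed derivation that only mirrors the id shape seen in signatures.log), and goes one step beyond the smoke by also rejecting principals the actor is not registered for.

```python
"""Model of the policy-gate decision exercised by the smoke in this note.

Added illustration, not flex-auth or warden code. The registry shape,
request fields and decision-id derivation are assumptions.
"""
import hashlib
import json

# Constructed registry slice: the same four actors as the production snapshot table.
REGISTRY = {
    "actors": {
        "agt-state-hub-bridge": {"type": "agt", "max_ttl_hours": 24,
                                 "principals": ["agt-task-bridge"]},
        "agt-codex-interhub-bootstrap": {"type": "agt", "max_ttl_hours": 2,
                                         "principals": ["agt-interhub-bootstrap"]},
        "adm-example": {"type": "adm", "max_ttl_hours": 48,
                        "principals": ["adm-full"]},
        "atm-backup-daily": {"type": "atm", "max_ttl_hours": 8,
                             "principals": ["atm-backup-daily"]},
    }
}


def decision_id(request: dict) -> str:
    """Stable id over the canonical request (assumed derivation; the page only
    shows the 'decision:<hex>' shape, not how flex-auth computes it)."""
    canon = json.dumps(request, sort_keys=True, separators=(",", ":")).encode()
    return "decision:" + hashlib.sha256(canon).hexdigest()[:16]


def evaluate(registry: dict, request: dict) -> dict:
    """Server-side decision: {"allow", "reason", "policy_decision_id"}.

    Checks in order: actor is registered, requested principals are a subset
    of the actor's registered principals, ttl lies in (0, max_ttl_hours].
    """
    out = {"policy_decision_id": decision_id(request)}
    actor = registry["actors"].get(request["actor"])
    if actor is None:
        return {**out, "allow": False, "reason": "unknown_actor"}
    wanted = set(request.get("principals", actor["principals"]))
    if not wanted <= set(actor["principals"]):
        return {**out, "allow": False, "reason": "principal_not_registered"}
    ttl = request["ttl_hours"]
    if not 0 < ttl <= actor["max_ttl_hours"]:
        return {**out, "allow": False, "reason": "ttl_out_of_bounds"}
    return {**out, "allow": True, "reason": "ok"}


def gate_sign(request: dict, backend, fail_closed: bool = True) -> dict:
    """Client-side gate as warden sign would apply it before issuing a cert.

    `backend(request)` stands in for the HTTP call to flex_auth_url; any
    exception is treated as flex-auth unreachable. fail_closed=True denies the
    sign in that case; fail_closed=False lets it through ungated, which is
    the trade-off behind keeping the gate disabled until the URL is reachable.
    """
    try:
        return backend(request)
    except Exception as exc:  # connection refused, timeout, DNS failure ...
        if fail_closed:
            return {"allow": False, "reason": f"flex_auth_unreachable: {exc}",
                    "policy_decision_id": None}
        return {"allow": True, "reason": "policy_gate_bypassed_fail_open",
                "policy_decision_id": None}


def production_backend(request: dict) -> dict:
    """Stand-in for a reachable flex-auth serving the production snapshot."""
    return evaluate(REGISTRY, request)


def unreachable_backend(request: dict) -> dict:
    """Stand-in for flex-auth being down at flex_auth_url."""
    raise ConnectionError("connect to flex-auth.flex-auth.svc.cluster.local:8080 refused")


if __name__ == "__main__":
    allow = gate_sign({"actor": "agt-state-hub-bridge", "ttl_hours": 24}, production_backend)
    deny = gate_sign({"actor": "agt-state-hub-bridge", "ttl_hours": 999}, production_backend)
    down = gate_sign({"actor": "agt-state-hub-bridge", "ttl_hours": 1}, unreachable_backend)
    for verdict in (allow, deny, down):
        print(verdict)
```

The `--ttl 999` deny in the smoke corresponds to the `ttl_out_of_bounds` branch; the `unreachable_backend` case is the situation the warning about fail_closed describes, and flipping `fail_closed` to False shows exactly what is given up if the gate is made fail-open instead of left disabled.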
See also
- history/2026-06-23-flex-auth-policy-gate-local-smoke.md (template registry smoke)
- wiki/PolicyGatedSigning.md (rollout sequence)
- ~/flex-auth/docs/ops-warden-policy-gate-handoff.md