generated from coulomb/repo-seed
Ship flex-auth policy gate registry and smoke evidence, archive WP-0009 through WP-0013, and add integration docs: ops-bridge cert_command migration playbook, operator OpenBao token hygiene, principals drift check script, and 2026-06-24 INTENT/SCOPE gap analysis.
| id | type | title | domain | repo | status | owner | topic_slug | planning_priority | planning_order | created | updated | state_hub_workstream_id |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WARDEN-WP-0009 | workplan | flex-auth Policy Gate Production Readiness | infotech | ops-warden | archived | codex | custodian | low | 9 | 2026-06-18 | 2026-06-23 | 9213b262-e2f5-480e-a5bc-56635d5eb4c9 |
WARDEN-WP-0009 — flex-auth Policy Gate Production Readiness
Scope: Enable and verify the opt-in flex-auth pre-sign gate (policy.enabled)
in production after flex-auth publishes ssh-certificate resource policies.
Out of scope: flex-auth policy package authoring (flex-auth owner — delivered
FLEX-WP-0006 2026-06-23); OpenBao SSH engine and host CA (complete — NET-WP-0020
T5 / WP-0008 T2); in-cluster flex-auth deployment (continued in flex-auth
FLEX-WP-0007).
Spun out from: WARDEN-WP-0008 T5 (2026-06-18 closeout).
Tasks
T1 — flex-auth policy package confirmation
id: WARDEN-WP-0009-T01
status: done
priority: medium
state_hub_task_id: "f988ed2e-0f63-4e89-abc4-183a7f23ddc2"
- Confirm flex-auth policies for resource type `ssh-certificate` exist
- Document tenant/subject bindings for adm/agt/atm sign paths
- Coordinate with flex-auth owner on deny/allow test fixtures
T2 — Production enablement and smoke
id: WARDEN-WP-0009-T02
status: done
priority: medium
state_hub_task_id: "9d0fabc2-10ef-426d-a3d2-d4970d377029"
- Document operator steps to set `policy.enabled: true` (see wiki/PolicyGatedSigning.md)
- Local smoke — allow/deny paths with `policy_decision_id` / `ttl_out_of_bounds`
- Production registry slice from inventory (registry/flex-auth/production_registry_snapshot.json)
- Production registry smoke — allow `agt-state-hub-bridge` (decision: 032b096c433ad80c)
- Production registry smoke — deny `--ttl 999` (`ttl_out_of_bounds`)
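As an added illustration, not ops-warden or flex-auth code, the following hypothetical pre-sign gate reproduces the two smoke outcomes recorded for T2: allow for a registered principal with a decision id, and deny with `ttl_out_of_bounds` for an oversized TTL. The registry slice, the TTL units (hours) and bound, the reason strings other than `ttl_out_of_bounds`, and the decision-id derivation are all constructed assumptions.

```python
# Hypothetical pre-sign policy gate (not the ops-warden/flex-auth implementation).
# The registry slice below is constructed; the real snapshot's schema is not shown here.
import hashlib
import json
from dataclasses import dataclass

# Constructed registry slice: principal -> bound sign paths and max TTL (assumed hours).
REGISTRY_SNAPSHOT = json.dumps({
    "resource_type": "ssh-certificate",
    "principals": {
        "agt-state-hub-bridge": {"paths": ["agt"], "max_ttl_hours": 24},
    },
})


@dataclass
class Decision:
    allowed: bool
    decision_id: str  # correlates a gate verdict with the signing log entry
    reason: str


def decision_id(principal: str, path: str, ttl_hours: int) -> str:
    # Deterministic 16-hex-char id so allow/deny verdicts can be traced in evidence.
    digest = hashlib.sha256(f"{principal}|{path}|{ttl_hours}".encode()).hexdigest()
    return digest[:16]


def pre_sign_gate(registry_json: str, principal: str, path: str,
                  ttl_hours: int, enabled: bool = True) -> Decision:
    """Evaluate a sign request against the registry before any certificate is issued."""
    did = decision_id(principal, path, ttl_hours)
    if not enabled:
        # Opt-in gate switched off: signing proceeds, but the decision is still recorded.
        return Decision(True, did, "gate_disabled")
    registry = json.loads(registry_json)
    entry = registry["principals"].get(principal)
    if entry is None:
        return Decision(False, did, "unknown_principal")
    if path not in entry["paths"]:
        return Decision(False, did, "path_not_bound")
    if ttl_hours <= 0 or ttl_hours > entry["max_ttl_hours"]:
        return Decision(False, did, "ttl_out_of_bounds")
    return Decision(True, did, "allow")
```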
Deliverables
| Artifact | Path |
|---|---|
| Registry builder | scripts/build_flex_auth_registry.py |
| Production registry | registry/flex-auth/production_registry_snapshot.json |
| Smoke runner | scripts/policy_gate_production_smoke.sh |
| Local smoke evidence | history/2026-06-23-flex-auth-policy-gate-local-smoke.md |
| Production smoke evidence | history/2026-06-23-flex-auth-policy-gate-production-smoke.md |
| flex-auth pickup brief | history/2026-06-23-flex-auth-production-pickup-suggestion.md |
Closeout (2026-06-23)
T1–T2 complete. ops-warden caller side and production-registry smoke verified.
Production policy.enabled: true flip deferred until flex-auth runtime is
reachable — tracked in flex-auth FLEX-WP-0007, not this workplan.
Operator follow-up (FLEX-WP-0007):
- Deploy registry + policy package to in-cluster flex-auth; set `policy.flex_auth_url`
- Refresh scoped `VAULT_TOKEN` and run `SMOKE_VAULT=1 ./scripts/policy_gate_production_smoke.sh`
- Set `policy.enabled: true` in `~/.config/warden/warden.yaml` when flex-auth is reachable
See also
- wiki/PolicyGatedSigning.md
- ~/flex-auth/docs/ops-warden-policy-gate-handoff.md
- ~/flex-auth/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md
- examples/warden.production.example.yaml