ops-warden/workplans/archived/260623-WARDEN-WP-0009-flex-auth-policy-gate-production.md
tegwick 90007c2cda feat: close WP-0009/WP-0013 production integration stewardship strand
Ship flex-auth policy gate registry and smoke evidence, archive WP-0009
through WP-0013, and add integration docs: ops-bridge cert_command
migration playbook, operator OpenBao token hygiene, principals drift
check script, and 2026-06-24 INTENT/SCOPE gap analysis.
2026-06-24 12:44:32 +02:00


id: WARDEN-WP-0009
type: workplan
title: flex-auth Policy Gate Production Readiness
domain: infotech
repo: ops-warden
status: archived
owner: codex
topic_slug: custodian
planning_priority: low
planning_order: 9
created: 2026-06-18
updated: 2026-06-23
state_hub_workstream_id: 9213b262-e2f5-480e-a5bc-56635d5eb4c9

WARDEN-WP-0009 — flex-auth Policy Gate Production Readiness

Scope: Enable and verify the opt-in flex-auth pre-sign gate (policy.enabled) in production after flex-auth publishes ssh-certificate resource policies.

Out of scope: flex-auth policy package authoring (flex-auth owner — delivered FLEX-WP-0006 2026-06-23); OpenBao SSH engine and host CA (complete — NET-WP-0020 T5 / WP-0008 T2); in-cluster flex-auth deployment (continued in flex-auth FLEX-WP-0007).

Spun out from: WARDEN-WP-0008 T5 (2026-06-18 closeout).


Tasks

T1 — flex-auth policy package confirmation

id: WARDEN-WP-0009-T01
status: done
priority: medium
state_hub_task_id: "f988ed2e-0f63-4e89-abc4-183a7f23ddc2"
  • Confirm flex-auth policies for resource type ssh-certificate exist
  • Document tenant/subject bindings for adm / agt / atm sign paths
  • Coordinate with flex-auth owner on deny/allow test fixtures

T2 — Production enablement and smoke

id: WARDEN-WP-0009-T02
status: done
priority: medium
state_hub_task_id: "9d0fabc2-10ef-426d-a3d2-d4970d377029"
  • Document operator steps to set policy.enabled: true (see wiki/PolicyGatedSigning.md)
  • Local smoke — allow/deny paths with policy_decision_id / ttl_out_of_bounds
  • Production registry slice from inventory (registry/flex-auth/production_registry_snapshot.json)
  • Production registry smoke — allow agt-state-hub-bridge (decision:032b096c433ad80c)
  • Production registry smoke — deny --ttl 999 (ttl_out_of_bounds)

Deliverables

Artifact and path:

  • Registry builder: scripts/build_flex_auth_registry.py
  • Production registry: registry/flex-auth/production_registry_snapshot.json
  • Smoke runner: scripts/policy_gate_production_smoke.sh
  • Local smoke evidence: history/2026-06-23-flex-auth-policy-gate-local-smoke.md
  • Production smoke evidence: history/2026-06-23-flex-auth-policy-gate-production-smoke.md
  • flex-auth pickup brief: history/2026-06-23-flex-auth-production-pickup-suggestion.md

Closeout (2026-06-23)

T1 and T2 complete. The ops-warden caller side and the production-registry smoke are verified. The production policy.enabled: true flip is deferred until the flex-auth runtime is reachable — tracked in flex-auth FLEX-WP-0007, not in this workplan.

Operator follow-up (FLEX-WP-0007):

  • Deploy registry + policy package to in-cluster flex-auth; set policy.flex_auth_url
  • Refresh scoped VAULT_TOKEN and run SMOKE_VAULT=1 ./scripts/policy_gate_production_smoke.sh
  • Set policy.enabled: true in ~/.config/warden/warden.yaml when flex-auth is reachable

See also

  • wiki/PolicyGatedSigning.md
  • ~/flex-auth/docs/ops-warden-policy-gate-handoff.md
  • ~/flex-auth/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md
  • examples/warden.production.example.yaml