generated from coulomb/repo-seed
Ship flex-auth policy gate registry and smoke evidence, archive WP-0009 through WP-0013, and add integration docs: ops-bridge cert_command migration playbook, operator OpenBao token hygiene, principals drift check script, and 2026-06-24 INTENT/SCOPE gap analysis.
95 lines
3.2 KiB
Markdown
---
id: WARDEN-WP-0009
type: workplan
title: "flex-auth Policy Gate Production Readiness"
domain: infotech
repo: ops-warden
status: archived
owner: codex
topic_slug: custodian
planning_priority: low
planning_order: 9
created: "2026-06-18"
updated: "2026-06-23"
state_hub_workstream_id: "9213b262-e2f5-480e-a5bc-56635d5eb4c9"
---

# WARDEN-WP-0009 — flex-auth Policy Gate Production Readiness

**Scope:** Enable and verify the opt-in flex-auth pre-sign gate (`policy.enabled`)
in production after flex-auth publishes `ssh-certificate` resource policies.

**Out of scope:** flex-auth policy package authoring (flex-auth owner — delivered
FLEX-WP-0006 2026-06-23); OpenBao SSH engine and host CA (complete — NET-WP-0020
T5 / WP-0008 T2); in-cluster flex-auth deployment (continued in flex-auth
`FLEX-WP-0007`).

**Spun out from:** WARDEN-WP-0008 T5 (2026-06-18 closeout).

---

## Tasks

### T1 — flex-auth policy package confirmation

```task
id: WARDEN-WP-0009-T01
status: done
priority: medium
state_hub_task_id: "f988ed2e-0f63-4e89-abc4-183a7f23ddc2"
```

- [x] Confirm flex-auth policies for resource type `ssh-certificate` exist
- [x] Document tenant/subject bindings for `adm` / `agt` / `atm` sign paths
- [x] Coordinate with flex-auth owner on deny/allow test fixtures

### T2 — Production enablement and smoke

```task
id: WARDEN-WP-0009-T02
status: done
priority: medium
state_hub_task_id: "9d0fabc2-10ef-426d-a3d2-d4970d377029"
```

- [x] Document operator steps to set `policy.enabled: true` (see `wiki/PolicyGatedSigning.md`)
- [x] Local smoke — allow/deny paths with `policy_decision_id` / `ttl_out_of_bounds`
- [x] Production registry slice from inventory (`registry/flex-auth/production_registry_snapshot.json`)
- [x] Production registry smoke — allow `agt-state-hub-bridge` (`decision:032b096c433ad80c`)
- [x] Production registry smoke — deny `--ttl 999` (`ttl_out_of_bounds`)

---

## Deliverables

| Artifact | Path |
| --- | --- |
| Registry builder | `scripts/build_flex_auth_registry.py` |
| Production registry | `registry/flex-auth/production_registry_snapshot.json` |
| Smoke runner | `scripts/policy_gate_production_smoke.sh` |
| Local smoke evidence | `history/2026-06-23-flex-auth-policy-gate-local-smoke.md` |
| Production smoke evidence | `history/2026-06-23-flex-auth-policy-gate-production-smoke.md` |
| flex-auth pickup brief | `history/2026-06-23-flex-auth-production-pickup-suggestion.md` |

---

## Closeout (2026-06-23)

T1–T2 complete. ops-warden caller side and production-registry smoke verified.
Production `policy.enabled: true` flip deferred until flex-auth runtime is
reachable — tracked in flex-auth `FLEX-WP-0007`, not this workplan.

**Operator follow-up (FLEX-WP-0007):**

- Deploy registry + policy package to in-cluster flex-auth; set `policy.flex_auth_url`
- Refresh scoped `VAULT_TOKEN` and run `SMOKE_VAULT=1 ./scripts/policy_gate_production_smoke.sh`
- Set `policy.enabled: true` in `~/.config/warden/warden.yaml` when flex-auth is reachable

---

## See also

- `wiki/PolicyGatedSigning.md`
- `~/flex-auth/docs/ops-warden-policy-gate-handoff.md`
- `~/flex-auth/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md`
- `examples/warden.production.example.yaml`