chore(workplans): sync BRIDGE-WP-0004 and WARDEN-WP-0001 tasks to state hub

Both workplans had been registered as active workstreams but tasks were
never ingested — the markdown checkbox format was invisible to the
consistency checker, which requires task code blocks. Activated both
workplans (draft→active) and added task blocks with state_hub_task_id
for all 19 tasks (9 + 10).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

workplans/WARDEN-WP-0001-initial-implementation.md

@@ -4,7 +4,7 @@ type: workplan
 title: "OpsWarden Initial Implementation"
 domain: custodian
 repo: ops-warden
-status: draft
+status: active
 owner: Bernd
 topic_slug: custodian
 created: "2026-03-28"
@@ -91,6 +91,14 @@ Writes the signed certificate to stdout (the cert text). Exits non-zero on failu
 ## Tasks
 
 ### T1 — Repository bootstrap
+
+```task
+id: WARDEN-WP-0001-T1
+state_hub_task_id: 6d643e9d-5e97-4224-9d82-87267b5ba6bc
+status: todo
+priority: high
+```
+
 - [ ] Create `ops-warden` repo; copy CLAUDE.md template from `ops-bridge`; add
       `workplans/WARDEN-WP-0001-initial-implementation.md` (this file)
 - [ ] Write `SCOPE.md` (see template in §SCOPE below)
@@ -99,6 +107,14 @@ Writes the signed certificate to stdout (the cert text). Exits non-zero on failu
 - [ ] Create state-hub workstream for this workplan
 
 ### T2 — Models and config
+
+```task
+id: WARDEN-WP-0001-T2
+state_hub_task_id: c66fc65a-0b16-4ba2-9e70-a83d875572ec
+status: todo
+priority: high
+```
+
 - [ ] `models.py`: `ActorType` enum (`adm | agt | atm`); `CertSpec` (actor_name, pubkey_path,
       ttl_hours, principals); `CertRecord` (identity, valid_before, cert_path, signed_at)
 - [ ] `config.py`: load `~/.config/warden/warden.yaml`; required fields: `backend`,
@@ -107,6 +123,14 @@ Writes the signed certificate to stdout (the cert text). Exits non-zero on failu
 - [ ] Validate actor name prefix matches `ActorType` (`adm-*`, `agt-*`, `atm-*`)
 
 ### T3 — LocalCA backend
+
+```task
+id: WARDEN-WP-0001-T3
+state_hub_task_id: a5a41e58-1c6d-42a9-9b11-2088f17c29b5
+status: todo
+priority: high
+```
+
 - [ ] `ca.py`: `LocalCA.sign(spec: CertSpec) -> CertRecord`
       - Calls `ssh-keygen -s <ca_key> -I <identity> -n <principals> -V +<ttl>h <pubkey>`
       - Parses `ssh-keygen -L -f <cert>` output to extract `Valid before`, `Key ID`,
@@ -118,6 +142,14 @@ Writes the signed certificate to stdout (the cert text). Exits non-zero on failu
       actors that do not bring their own key
 
 ### T4 — VaultCA backend
+
+```task
+id: WARDEN-WP-0001-T4
+state_hub_task_id: b2067ee6-c9ce-423b-9d60-0d28069fb304
+status: todo
+priority: medium
+```
+
 - [ ] `vault.py`: `VaultCA.sign(spec: CertSpec) -> CertRecord`
       - `POST /v1/ssh/sign/<role>` with `public_key`, `valid_principals`, `ttl`
       - Parse response `signed_key` field; write to state dir; extract metadata via
@@ -126,6 +158,14 @@ Writes the signed certificate to stdout (the cert text). Exits non-zero on failu
 - [ ] Graceful error message when Vault is unreachable (with `--backend local` fallback hint)
 
 ### T5 — Principals inventory
+
+```task
+id: WARDEN-WP-0001-T5
+state_hub_task_id: 6d13f8cd-1850-44c9-b769-b21250348319
+status: todo
+priority: high
+```
+
 - [ ] `inventory.py`: load/save `inventory.yaml` (format mirrors §4.1 of directive):
       ```yaml
       actors:
@@ -145,6 +185,14 @@ Writes the signed certificate to stdout (the cert text). Exits non-zero on failu
 - [ ] `warden inventory remove <actor-name>`
 
 ### T6 — CLI commands
+
+```task
+id: WARDEN-WP-0001-T6
+state_hub_task_id: 656a4615-92bb-4b5d-9406-e86d24fa15d0
+status: todo
+priority: high
+```
+
 - [ ] `warden sign <actor-name> --pubkey <path>` — sign existing pubkey; write cert to
       stdout (the `cert_command` interface for ops-bridge)
 - [ ] `warden issue <actor-name>` — generate keypair + sign; output JSON with
@@ -155,6 +203,14 @@ Writes the signed certificate to stdout (the cert text). Exits non-zero on failu
 - [ ] `warden inventory <subcommand>` (list / add / remove)
 
 ### T7 — Scorecard runner
+
+```task
+id: WARDEN-WP-0001-T7
+state_hub_task_id: 7818bcc5-f40e-4793-b117-d36f653ffeed
+status: todo
+priority: medium
+```
+
 - [ ] `scorecard.py`: implement each §5 row as a named check function returning
       `CheckResult(name, passed, detail)`
 - [ ] Checks in scope for `ops-warden` (local checks, not host-side):
@@ -167,6 +223,14 @@ Writes the signed certificate to stdout (the cert text). Exits non-zero on failu
 - [ ] `warden scorecard --json` for machine-readable output
 
 ### T8 — ops-ssh-wrapper script
+
+```task
+id: WARDEN-WP-0001-T8
+state_hub_task_id: e9c28152-5785-4995-83a5-439985ed3db9
+status: todo
+priority: medium
+```
+
 - [ ] Ship `scripts/ops-ssh-wrapper` (the Python snippet from §4.1, hardened):
       - Reads `WARDEN_ACTOR` and `SSH_PUBKEY` env vars
       - Calls `warden sign $WARDEN_ACTOR --pubkey $SSH_PUBKEY`
@@ -174,6 +238,14 @@ Writes the signed certificate to stdout (the cert text). Exits non-zero on failu
 - [ ] Install as part of `uv tool install` entry points
 
 ### T9 — Tests
+
+```task
+id: WARDEN-WP-0001-T9
+state_hub_task_id: 950139ab-cc17-4f1d-9a17-d5744e402ddf
+status: todo
+priority: high
+```
+
 - [ ] Unit tests for `LocalCA` (mock `ssh-keygen` subprocess)
 - [ ] Unit tests for inventory YAML round-trip
 - [ ] Unit tests for actor name prefix validation
@@ -181,6 +253,14 @@ Writes the signed certificate to stdout (the cert text). Exits non-zero on failu
 - [ ] Scorecard unit tests (mock cert records)
 
 ### T10 — Documentation
+
+```task
+id: WARDEN-WP-0001-T10
+state_hub_task_id: 271d6759-e359-41ce-80e4-76c574634a87
+status: todo
+priority: medium
+```
+
 - [ ] `SCOPE.md` (see below)
 - [ ] `wiki/AccessManagementDirective.md` — copy from `ops-bridge/wiki/`
 - [ ] `wiki/OpsWardenConfig.md` — annotated `warden.yaml` reference