WARDEN-WP-0006: NetKingdom stewardship docs and alignment

Add credential routing, actor patterns, security map, OpenBao SSH
checklist, and policy-gated signing design. Update registry and SCOPE;
record INTENT↔SCOPE reassessment (C3 completeness).
2026-06-17 08:22:45 +02:00
parent 5ae3821b88
commit 1865e0744e
14 changed files with 879 additions and 108 deletions

@@ -0,0 +1,74 @@
# INTENT ↔ SCOPE Reassessment — ops-warden
**Date:** 2026-06-17
**Author:** codex
**Trigger:** WARDEN-WP-0006 complete (T1T7).
**Prior assessment:** `history/2026-06-17-intent-scope-assessment.md`
---
## 1. Executive summary
WARDEN-WP-0006 closed the primary **stewardship documentation gaps**. ops-warden
now has worker-facing credential routing, NetKingdom security literacy, actor
inventory patterns, OpenBao SSH verification checklist, and flex-auth integration
design. NetKingdom canon updated (`responsibility-map`, platform architecture
Operational SSH Path).
**Vector movement:** `D4/A3/C2/R2`**`D5/A3/C3/R2`**
| Dimension | Was | Now | Notes |
| --- | --- | --- | --- |
| Discovery | D4 | **D5** | Routing + security map + NK canon cross-links |
| Availability | A3 | A3 | CLI unchanged; no desk API yet |
| Completeness | C2 | **C3** | Stewardship operationalized in wiki; policy gate not coded |
| Reliability | R2 | R2 | Production OpenBao sign still operator-verified, not CI-proven |
---
## 2. Deliverables (WP-0006)
| Task | Deliverable | Status |
| --- | --- | --- |
| T1 | `wiki/CredentialRouting.md` | Done |
| T2 | `wiki/ActorInventoryPatterns.md`, `examples/inventory.seed.yaml` | Done |
| T3 | `wiki/NetKingdomSecurityMap.md`, registry, repo-boundary | Done |
| T4 | net-kingdom responsibility-map + platform SSH path | Done |
| T5 | `wiki/OpenBaoSshEngineChecklist.md` | Done |
| T6 | `wiki/PolicyGatedSigning.md` | Done (design) |
| T7 | This reassessment | Done |
---
## 3. Success criteria (INTENT.md) — updated
| Criterion | Was | Now |
| --- | --- | --- |
| Worker knows which subsystem for each credential type | No | **Yes**`wiki/CredentialRouting.md` |
| SSH access short-lived, inventoried, audited | Yes (tooling) | **Yes** — + patterns seed |
| ops-bridge integrates via cert_command | Yes (contract) | Yes |
| NetKingdom evolution reflected in ops-warden docs | Partial | **Yes** — NK canon patched + security map |
| Non-SSH secrets stay out of ops-warden | Yes | Yes |
**Score: 4 yes, 1 unchanged (live tunnel matrix)**
---
## 4. Remaining gaps (next work)
| Prio | Gap | Proposed work |
| --- | --- | --- |
| P1 | Production OpenBao SSH sign not executed in CI | Operator run checklist on Railiance; log evidence |
| P2 | flex-auth pre-sign not implemented | WARDEN-WP-0007 from `wiki/PolicyGatedSigning.md` |
| P3 | NK-WP-0009 tutorial not joint | Coordinate net-kingdom SSH tutorial |
| P4 | Optional `warden guide` CLI | Ad hoc if doc-only routing insufficient |
---
## 5. Recommendation
Mark **WARDEN-WP-0006 finished**. Open **WARDEN-WP-0007** when ready for
flex-auth integration or production OpenBao verification milestone.
**Completeness C3** is justified: central stewardship use case (routing + alignment)
works; SSH issuance was already C3; policy gate remains bounded known gap.
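Review bot: The section 3 score line "**Score: 4 yes, 1 unchanged (live tunnel matrix)**" cannot be derived from the table above it. All five rows read Yes in the Now column, two of them are unchanged from Yes, and no row mentions a live tunnel matrix. Either add the tunnel-matrix criterion as its own row with its actual status, or restate the score so it counts the rows shown. Two smaller points in the same file: the Trigger line reads "(T1T7)" and the vector movement line runs `D4/A3/C2/R2` straight into `D5/A3/C3/R2` with no separator, so a range marker and an arrow appear to be missing. Also, since section 1 keeps Reliability at R2 because the production OpenBao sign is "operator-verified, not CI-proven", the P1 row in section 4 should say where the operator's logged evidence will be stored so the next reassessment can cite it.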