feat(WARDEN-WP-0020): T4 scheduling tick + T5 SCOPE — worker complete

T4 — scripts/worker-tick.sh: scheduled tick for the conservative worker. flock concurrency
guard; short-lived kubectl port-forward to llm-connect (or LLM_CONNECT_URL, or rule-brain
fallback). Ships disabled; header documents the cron entry. Schedules the conservative tier
only (never auto-send).

T5 — SCOPE records `warden worker` as an implemented capability: conservative triage
default, full-auto opt-in, llm-connect brain, the four guardrails, schedulable tick.

WARDEN-WP-0020 finished: the autonomous coordination worker — T1 scaffold, T2 llm-connect
brain, T3 guarded executor, conservative tier (Option A), T4 scheduling, T5 docs. 245 tests,
lint clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
2026-06-30 00:41:04 +02:00
parent d0261ebb52
commit 22c5bd1bbb
3 changed files with 61 additions and 7 deletions

View File

@@ -136,6 +136,11 @@ for the rest.
- `warden issue` and `ops-ssh-wrapper` (local backend; vault uses sign-only)
- ops-bridge cert_command readiness gate (`scripts/check_tunnel_cert_readiness.py`,
WP-0016) — read-only preflight + opt-in offline contract smoke
- Coordination worker (`warden worker`, WP-0020) — autonomous triage of ops-warden's
State Hub inbox via llm-connect. **Conservative by default** (triage + drafted replies,
sends nothing); `--full-auto` opt-in. Four guardrails (fixed charter, action allowlist,
no-secret invariant, dry-run/audit) enforced regardless of the brain. Schedulable via
`scripts/worker-tick.sh` (ships disabled)
- Runbooks for OpenBao config and Inter-Hub bootstrap SSH envelope
### Stewardship (documentation and alignment)