docs: post-WP-0008 INTENT↔SCOPE reassessment and gap snapshot

SCOPE.md now documents where we are (R3 production sign), INTENT criteria
status, maturity vector, and workplan landscape. Add reassessment history;
point INTENT evolution notes at latest assessment.
2026-06-18 01:36:23 +02:00
parent a6a943fc3e
commit 41da950e1a
3 changed files with 186 additions and 44 deletions


@@ -221,6 +221,6 @@ platform boundaries.
See `wiki/CredentialRouting.md` for worker-facing routing,
`wiki/NetKingdomSecurityMap.md` for component literacy,
`history/2026-06-17-intent-scope-assessment.md` for the initial gap analysis,
and `workplans/WARDEN-WP-0006-netkingdom-alignment-and-access-stewardship.md`
for stewardship execution.
`history/2026-06-18-post-wp0008-intent-scope-reassessment.md` for the latest
gap analysis (production SSH path verified), and archived workplans WP-00060008
for stewardship and production closeout execution.
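Review bot: the new tail of this sentence, `archived workplans WP-00060008 for stewardship and production closeout execution`, gives no path, whereas the line it replaces pointed at a concrete file (`workplans/WARDEN-WP-0006-netkingdom-alignment-and-access-stewardship.md`). Name the archive directory or the individual workplan files so the reference can be followed, and write the workplan range with an explicit separator so it cannot be read as a single id.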

114
SCOPE.md

@@ -2,7 +2,6 @@
> This file helps you quickly understand what this repository is about,
> when it is relevant, and when it is not.
> It is intentionally lightweight and may be incomplete.
> Aspirational direction lives in `INTENT.md`.
---
@@ -16,19 +15,54 @@ aligned with NetKingdom canon.
---
## Where we are (2026-06-18)
ops-warden is **production-verified for SSH signing** on Railiance OpenBao
(`warden sign` against `https://bao.coulomb.social`, host CA trust deployed).
The steward desk — routing wiki, NetKingdom security map, inventory patterns,
OpenBao checklist — is operational. The opt-in flex-auth pre-sign gate is
**coded but off in production** until flex-auth publishes `ssh-certificate`
policies (WARDEN-WP-0009).
**INTENT alignment:** SSH issuance mission met in production. Remaining distance
is integration breadth (ops-bridge `cert_command` on live tunnels), authorization
depth (flex-auth), and operator hygiene — not missing signing code.
Full gap analysis: `history/2026-06-18-post-wp0008-intent-scope-reassessment.md`
---
## INTENT gap snapshot
| INTENT success criterion | Status |
| --- | --- |
| Worker knows which subsystem for each credential type | Met |
| SSH short-lived, inventoried, audited | Met (production) |
| ops-bridge integrates via stable `cert_command` | **Partial** — contract yes; tunnels still static-key |
| NetKingdom evolution reflected in docs | Met |
| Non-SSH secrets stay out of ops-warden | Met |
**Maturity vector:** `D5 / A3 / C4 / R3` (Discovery / Availability / Completeness / Reliability)
| Dimension | Level | Meaning today |
| --- | --- | --- |
| D5 | Discovery | Routing + security map + NK canon cross-links |
| A3 | Availability | CLI + opt-in policy gate; no desk API |
| C4 | Completeness | SSH lane prod-verified; flex-auth policies external |
| R3 | Reliability | Live OpenBao sign evidence on Railiance |
---
## Core Idea
**Today:** implements the SSH certificate lane from `wiki/AccessManagementDirective.md`
§§15 — CA signing, actor inventory, TTL policy, cert-side scorecard, and the
`cert_command` interface for ops-bridge.
`cert_command` interface for ops-bridge. Production path uses OpenBao SSH engine
(`backend: vault`).
**Direction (INTENT):** become the custodian-domain desk that understands NetKingdom
identity, authorization, secrets, and SSH lanes — routing dev workers to key-cape,
flex-auth, OpenBao, ops-bridge, and railiance components instead of centralizing
all secrets here.
Signing backends: `local` (ssh-keygen, labs) and `vault` (OpenBao or other
Vault-compatible SSH secrets engine API, production).
**Direction (INTENT):** custodian-domain desk that routes dev workers to key-cape,
flex-auth, OpenBao, ops-bridge, and railiance components — implementing only the
SSH certificate lane directly.
---
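Review bot: in the maturity table under `**Maturity vector:**`, the header cells and the data cells are transposed: the `Dimension` column carries the level codes (`D5`, `A3`, `C4`, `R3`) and the `Level` column carries the dimension names (Discovery, Availability, Completeness, Reliability). Swap the two header labels or the two cell columns so the table reads the same way as the vector legend on the line above it. The "Where we are" paragraph also states that the flex-auth pre-sign gate is off in production; since that is the authorization control for signing, consider saying in the same paragraph what currently limits who can sign while the gate is off.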
@@ -37,12 +71,12 @@ Vault-compatible SSH secrets engine API, production).
### Implemented (SSH lane)
- Local CA backend (`ssh-keygen -s`)
- OpenBao / Vault-compatible SSH engine backend
- OpenBao / Vault-compatible SSH engine backend (**production-verified**)
- Actor identity registry (`inventory.yaml`)
- `cert_command`: `warden sign <actor> --pubkey <path>` → cert on stdout
- TTL enforcement per `ActorType` (`adm` 48 h, `agt` 24 h, `atm` 8 h)
- `warden status`, cleanup, scorecard, signatures log
- `warden issue` and `ops-ssh-wrapper`
- `warden issue` and `ops-ssh-wrapper` (local backend; vault uses sign-only)
- Runbooks for OpenBao config and Inter-Hub bootstrap SSH envelope
### Stewardship (documentation and alignment)
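Review bot: the parenthetical added to the `warden issue` and `ops-ssh-wrapper` bullet, `(local backend; vault uses sign-only)`, leaves the production key flow undocumented. With `backend: vault` now marked production-verified two bullets above, state in a few words who generates the keypair on that path and that only the public key is handed to `warden sign <actor> --pubkey <path>`, if that is the intended flow, or link the wiki page that describes it.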
@@ -52,29 +86,31 @@ Vault-compatible SSH secrets engine API, production).
- Capability registry entry for SSH certificate issuance
- Keeping ops access patterns consistent with `net-kingdom` platform architecture
### Stewardship (shipped WP-0006)
### Shipped workplans
- `wiki/CredentialRouting.md` — credential type → subsystem routing
- `wiki/NetKingdomSecurityMap.md` — NetKingdom component literacy
- `wiki/ActorInventoryPatterns.md` + `examples/inventory.seed.yaml`
- `wiki/OpenBaoSshEngineChecklist.md` — production SSH signing verify
- `wiki/PolicyGatedSigning.md` — flex-auth integration (opt-in, WP-0007)
| WP | Focus |
| --- | --- |
| WP-0006 | Credential routing, security map, inventory patterns, OpenBao checklist |
| WP-0007 | Opt-in flex-auth policy gate (`policy.enabled`) |
| WP-0008 | Production sign verification, stewardship closeout, archive hygiene |
### Shipped (WARDEN-WP-0007)
### Active / wait
- Opt-in flex-auth policy gate before `warden sign` / `warden issue` (`policy.enabled`)
- `policy_decision_id` in `signatures.log` when gate allows
- Production OpenBao health evidence (`history/2026-06-17-openbao-production-verify.md`)
| WP | Status | Focus |
| --- | --- | --- |
| **WP-0009** | `wait` | flex-auth `ssh-certificate` policies + `policy.enabled` production smoke |
### Shipped (WARDEN-WP-0008)
### Known gaps (not yet workplanned)
- Production OpenBao `warden sign` verified on Railiance (2026-06-18)
- `examples/warden.production.example.yaml` — production config template
- State Hub task-status canon in agent docs; WP-00040007 archived
| Gap | Owner | Notes |
| --- | --- | --- |
| ops-bridge `cert_command` on live tunnels | ops-bridge | Tunnels use `agt-claude-*` static keys today |
| Operator token hygiene | Operator | Prefer OIDC + `warden-sign`; retire root from shell profile |
| Principals sync warden ↔ railiance-infra | ops-warden + infra | `inventory.yaml` hosts vs `ssh_principals.yaml` |
| NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel coordination track |
### Wait (WARDEN-WP-0009)
- flex-auth `ssh-certificate` policies + `policy.enabled: true` production enablement
See reassessment §6 for **proposed WARDEN-WP-0010** (integration closeout) when
ops-bridge tunnel migration or token runbook becomes priority.
---
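Review bot: the "Operator token hygiene" row in the "Known gaps (not yet workplanned)" table reads `retire root from shell profile`, which implies a root token is currently held in an operator shell profile against the production signing backend, yet the row has no workplan, no target date and only "Operator" as owner. Give it a tracked item (the following paragraph already proposes WARDEN-WP-0010) or a named owner and deadline, since it is the only listed gap that is a standing credential exposure rather than missing integration. Separately, the move from per-workplan bullet lists to the "Shipped workplans" table drops the `policy_decision_id` in `signatures.log` detail and the `wiki/PolicyGatedSigning.md` pointer from this section; keep at least the audit-field mention in the WP-0007 row so the audit behaviour stays documented here.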
@@ -114,15 +150,11 @@ Vault-compatible SSH secrets engine API, production).
## Current State
- **SSH CLI:** shipped v0.1.0 (WARDEN-WP-00010003)
- **Docs:** OpenBao-first config (WARDEN-WP-0005), Inter-Hub bootstrap runbook
- **Registry:** `capability.security.ssh-certificate-issuance` published
- **INTENT:** operational access steward (2026-06-17)
- **Stewardship docs:** WP-0006 complete — routing, inventory patterns, OpenBao checklist
- **Policy gate:** WP-0007 complete — opt-in flex-auth pre-sign (`policy.enabled` off in prod)
- **Production SSH path:** WP-0008 complete — OpenBao sign verified 2026-06-18
- **Next:** WP-0009 — flex-auth policy gate production (blocked on flex-auth policies)
- **Gap reassessment:** `history/2026-06-17-post-wp0007-reassessment.md`
- **SSH CLI:** v0.1.0 — local + OpenBao backends
- **Production sign:** verified 2026-06-18 (`history/2026-06-17-openbao-production-verify.md`)
- **Policy gate:** shipped, `policy.enabled: false` in prod until WP-0009
- **Active workplan:** WP-0009 (wait — flex-auth)
- **Latest assessment:** `history/2026-06-18-post-wp0008-intent-scope-reassessment.md`
---
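Review bot: the new "Production sign" bullet dates the verification 2026-06-18 but cites `history/2026-06-17-openbao-production-verify.md` as its evidence, so the evidence file name predates the event it is said to record. Either confirm that the 2026-06-17 file was extended with the 2026-06-18 `warden sign` run and say so, or point the bullet at the file that actually holds the sign evidence. The reliability claim in this document rests on that evidence, so the pointer should be unambiguous.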
@@ -137,8 +169,8 @@ key-cape / Keycloak identity claims
→ railiance-* deployment and host enforcement
```
Upstream: CA key (local file or OpenBao SSH engine). Actor inventory in Git or
operator config.
Upstream: OpenBao SSH engine (production) or local CA (labs). Actor inventory in
operator config or Git-tracked patterns.
Downstream: `ops-bridge` (primary), kaizen agents, CI automations, human operators.
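Review bot: the rewritten "Upstream" sentence changes the inventory location from `Git or operator config` to `operator config or Git-tracked patterns`, which no longer says where the authoritative actor inventory lives. Because the signing decision and the "inventoried" claim both depend on `inventory.yaml`, state which copy is the source of truth in production and whether the Git-tracked files are examples only.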
@@ -186,12 +218,12 @@ keywords: [ssh, certificate, ca, credential, warden, ops-warden, pki, openbao, v
| --- | --- |
| `INTENT.md` | Why ops-warden exists and where it is going |
| `SCOPE.md` | What is implemented today (this file) |
| `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` | Latest INTENT ↔ SCOPE gap analysis |
| `wiki/CredentialRouting.md` | Which subsystem for each credential need |
| `wiki/NetKingdomSecurityMap.md` | Platform security component map |
| `history/2026-06-17-post-wp0007-reassessment.md` | Latest INTENT ↔ SCOPE assessment |
| `examples/warden.production.example.yaml` | Production warden.yaml template |
| `wiki/AccessManagementDirective.md` | SSH actor model |
| `wiki/OpsWardenConfig.md` | warden.yaml and OpenBao |
| `wiki/CertCommandInterface.md` | cert_command contract |
| `wiki/InterHubBootstrapAccessLane.md` | Bootstrap SSH envelope |
| `wiki/PolicyGatedSigning.md` | flex-auth opt-in gate |
| `net-kingdom/docs/platform-identity-security-architecture.md` | Platform security canon |


@@ -0,0 +1,110 @@
# INTENT ↔ SCOPE Reassessment — Post WP-0008
**Date:** 2026-06-18
**Author:** codex
**Trigger:** WARDEN-WP-0008 finished — production OpenBao sign verified, workplan archived.
**Prior assessment:** `history/2026-06-17-post-wp0007-reassessment.md`
---
## 1. Executive summary
WARDEN-WP-0008 closed the **production SSH path** gap: OpenBao SSH engine live on
Railiance, host CA trust on CoulombCore + Railiance01, and `warden sign` smoke
against `https://bao.coulomb.social` with scoped `warden-sign` policy token.
Stewardship canon (routing, inventory patterns, OpenBao checklist, task-status
migration) and archive hygiene are complete.
The repository now matches INTENT for the **SSH issuance lane in production**.
Remaining distance to INTENT is **integration breadth** (ops-bridge cert_command
on live tunnels), **authorization depth** (flex-auth policies + `policy.enabled`),
and **operational maturity** (token hygiene, principals sync, optional tutorials).
**Vector movement:** `D5/A3/C4/R2`**`D5/A3/C4/R3`**
| Dimension | Was | Now | Notes |
| --- | --- | --- | --- |
| Discovery | D5 | D5 | Routing + security map + NK cross-links |
| Availability | A3 | A3 | CLI + opt-in policy gate; no desk API |
| Completeness | C4 | C4 | SSH lane prod-verified; flex-auth policies external |
| Reliability | R2 | **R3** | Live `warden sign` evidence on Railiance OpenBao |
---
## 2. Deliverables (WP-0008)
| Task | Deliverable | Status |
| --- | --- | --- |
| T1 | Post-WP-0007 reassessment, SCOPE update | Done |
| T2 | Production `warden sign` + verify history | Done |
| T3 | AGENTS.md task-status canon | Done |
| T4 | `examples/warden.production.example.yaml`, archive WP-00040007 | Done |
| T5 | flex-auth production gate | Cancelled → **WARDEN-WP-0009** |
---
## 3. INTENT.md success criteria
| # | Criterion | Status | Evidence / gap |
| --- | --- | --- | --- |
| 1 | Worker knows which subsystem for each credential type | **Met** | `wiki/CredentialRouting.md`, `wiki/NetKingdomSecurityMap.md` |
| 2 | SSH access short-lived, inventoried, audited | **Met (prod)** | OpenBao sign + `signatures.log`; host principals via railiance-infra |
| 3 | ops-bridge integrates via stable cert_command | **Partial** | Contract shipped; live tunnels still static-key (`agt-claude-*`) |
| 4 | NetKingdom evolution reflected in ops-warden docs | **Met** | NK canon links; NET-WP-0020 / WP-0008 cross-repo evidence |
| 5 | Non-SSH secrets stay out of ops-warden | **Met** | Routing docs only; no secret storage in repo |
**Score: 4 met, 1 partial** — partial is ops-bridge production adoption, not ops-warden code gap.
---
## 4. INTENT mission pillars (§ The Mission)
| Pillar | Status | Notes |
| --- | --- | --- |
| 1. Know NetKingdom security model | Strong | Wiki + registry + NK patches (WP-0006) |
| 2. Route workers to correct subsystem | Strong | CredentialRouting operational |
| 3. Align runbooks with canon | Strong | OpenBao checklist, PolicyGatedSigning, production example |
| 4. Issue short-lived SSH certs | **Production** | `backend: vault` verified 2026-06-18 |
| 5. Audit SSH signing / compliance | Tooling ready | `signatures.log`, scorecard; prod cadence not scheduled |
---
## 5. Remaining gaps (prioritized)
| Prio | Gap | Owner | Track |
| --- | --- | --- | --- |
| P1 | flex-auth `ssh-certificate` policies + prod gate | flex-auth + ops-warden | **WARDEN-WP-0009** (`wait`) |
| P2 | ops-bridge `cert_command` on production tunnels | ops-bridge (+ ops-warden doc) | Proposed **WARDEN-WP-0010** |
| P3 | Operator token hygiene (root → OIDC + `warden-sign`) | Operator | Ad hoc or WP-0010 T2 |
| P4 | Principals inventory sync (warden ↔ railiance-infra) | ops-warden + railiance-infra | Proposed WP-0010 or ad hoc |
| P5 | NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel coordination |
| P6 | Actor key lifecycle (`warden issue`, roster automation) | ops-warden | Future WP when attended lanes scale |
| P7 | Policy v2.1 — identity claims for `adm` signs | ops-warden + flex-auth | Design only (`PolicyGatedSigning.md`) |
---
## 6. Workplan recommendation
**Keep WARDEN-WP-0009** as-is — blocked on flex-auth policy package.
**Propose WARDEN-WP-0010 — Production SSH Integration Closeout** when ready:
- T1: Document ops-bridge `cert_command` migration for `agt-state-hub-bridge` (pilot tunnel)
- T2: Operator token runbook — OIDC login, `warden-sign` token, root retirement
- T3: Principals drift check — `inventory.yaml` `hosts``railiance-infra/ssh_principals.yaml`
- T4: Optional cert_command smoke evidence in verify history
Defer WP-0010 creation until flex-auth path is clearer or ops-bridge signals tunnel migration priority.
**Ad hoc only:** token rotation, single-tunnel cert_command pilot — no workplan unless multi-phase.
---
## 7. Where we are (one paragraph)
ops-warden is a **production-capable SSH certificate authority** for the NetKingdom
`adm`/`agt`/`atm` model, with OpenBao as the Railiance signing backend and
documented stewardship for every other credential lane. INTENT's core SSH mission
is achieved; the steward desk is documentation-first with a shipped, verified CLI.
Next maturity steps are authorization (flex-auth), consumer integration (ops-bridge),
and operational hygiene — not new signing features.
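Review bot: section 3 marks criterion 2, `SSH access short-lived, inventoried, audited`, as **Met (prod)**, while section 4 rates pillar 5 (audit) as `Tooling ready` with `prod cadence not scheduled`, and none of the P1 to P7 rows in section 5 covers scheduling that audit. Either qualify criterion 2 (for example, met for issuance and logging, audit review not yet scheduled) or add a gap row with an owner for the production audit cadence, so the score line `4 met, 1 partial` does not overstate the audit state. The executive summary also says the smoke test used a scoped `warden-sign` policy token while P3 still lists `root → OIDC + warden-sign` as open; a sentence on which token operators use day to day would reconcile the two.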