From 41da950e1a97b13f37aa84a07703c89cc96eb2f8 Mon Sep 17 00:00:00 2001 From: tegwick Date: Thu, 18 Jun 2026 01:36:23 +0200 Subject: [PATCH] =?UTF-8?q?docs:=20post-WP-0008=20INTENT=E2=86=94SCOPE=20r?= =?UTF-8?q?eassessment=20and=20gap=20snapshot?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit SCOPE.md now documents where we are (R3 production sign), INTENT criteria status, maturity vector, and workplan landscape. Add reassessment history; point INTENT evolution notes at latest assessment. --- INTENT.md | 6 +- SCOPE.md | 114 +++++++++++------- ...8-post-wp0008-intent-scope-reassessment.md | 110 +++++++++++++++++ 3 files changed, 186 insertions(+), 44 deletions(-) create mode 100644 history/2026-06-18-post-wp0008-intent-scope-reassessment.md diff --git a/INTENT.md b/INTENT.md index 67032fc..4112aea 100644 --- a/INTENT.md +++ b/INTENT.md @@ -221,6 +221,6 @@ platform boundaries. See `wiki/CredentialRouting.md` for worker-facing routing, `wiki/NetKingdomSecurityMap.md` for component literacy, -`history/2026-06-17-intent-scope-assessment.md` for the initial gap analysis, -and `workplans/WARDEN-WP-0006-netkingdom-alignment-and-access-stewardship.md` -for stewardship execution. \ No newline at end of file +`history/2026-06-18-post-wp0008-intent-scope-reassessment.md` for the latest +gap analysis (production SSH path verified), and archived workplans WP-0006–0008 +for stewardship and production closeout execution. \ No newline at end of file diff --git a/SCOPE.md b/SCOPE.md index f6bd0a9..b4f9528 100644 --- a/SCOPE.md +++ b/SCOPE.md @@ -2,7 +2,6 @@ > This file helps you quickly understand what this repository is about, > when it is relevant, and when it is not. -> It is intentionally lightweight and may be incomplete. > Aspirational direction lives in `INTENT.md`. --- 
@@ -16,19 +15,54 @@ aligned with NetKingdom canon. --- +## Where we are (2026-06-18) + +ops-warden is **production-verified for SSH signing** on Railiance OpenBao +(`warden sign` against `https://bao.coulomb.social`, host CA trust deployed). +The steward desk — routing wiki, NetKingdom security map, inventory patterns, +OpenBao checklist — is operational. The opt-in flex-auth pre-sign gate is +**coded but off in production** until flex-auth publishes `ssh-certificate` +policies (WARDEN-WP-0009). + +**INTENT alignment:** SSH issuance mission met in production. Remaining distance +is integration breadth (ops-bridge `cert_command` on live tunnels), authorization +depth (flex-auth), and operator hygiene — not missing signing code. + +Full gap analysis: `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` + +--- + +## INTENT gap snapshot + +| INTENT success criterion | Status | +| --- | --- | +| Worker knows which subsystem for each credential type | Met | +| SSH short-lived, inventoried, audited | Met (production) | +| ops-bridge integrates via stable `cert_command` | **Partial** — contract yes; tunnels still static-key | +| NetKingdom evolution reflected in docs | Met | +| Non-SSH secrets stay out of ops-warden | Met | + +**Maturity vector:** `D5 / A3 / C4 / R3` (Discovery / Availability / Completeness / Reliability) + +| Dimension | Level | Meaning today | +| --- | --- | --- | +| D5 | Discovery | Routing + security map + NK canon cross-links | +| A3 | Availability | CLI + opt-in policy gate; no desk API | +| C4 | Completeness | SSH lane prod-verified; flex-auth policies external | +| R3 | Reliability | Live OpenBao sign evidence on Railiance | + +--- + ## Core Idea **Today:** implements the SSH certificate lane from `wiki/AccessManagementDirective.md` §§1–5 — CA signing, actor inventory, TTL policy, cert-side scorecard, and the -`cert_command` interface for ops-bridge. +`cert_command` interface for ops-bridge. 
Production path uses OpenBao SSH engine +(`backend: vault`). -**Direction (INTENT):** become the custodian-domain desk that understands NetKingdom -identity, authorization, secrets, and SSH lanes — routing dev workers to key-cape, -flex-auth, OpenBao, ops-bridge, and railiance components instead of centralizing -all secrets here. - -Signing backends: `local` (ssh-keygen, labs) and `vault` (OpenBao or other -Vault-compatible SSH secrets engine API, production). +**Direction (INTENT):** custodian-domain desk that routes dev workers to key-cape, +flex-auth, OpenBao, ops-bridge, and railiance components — implementing only the +SSH certificate lane directly. --- @@ -37,12 +71,12 @@ Vault-compatible SSH secrets engine API, production). ### Implemented (SSH lane) - Local CA backend (`ssh-keygen -s`) -- OpenBao / Vault-compatible SSH engine backend +- OpenBao / Vault-compatible SSH engine backend (**production-verified**) - Actor identity registry (`inventory.yaml`) - `cert_command`: `warden sign --pubkey ` → cert on stdout - TTL enforcement per `ActorType` (`adm` 48 h, `agt` 24 h, `atm` 8 h) - `warden status`, cleanup, scorecard, signatures log -- `warden issue` and `ops-ssh-wrapper` +- `warden issue` and `ops-ssh-wrapper` (local backend; vault uses sign-only) - Runbooks for OpenBao config and Inter-Hub bootstrap SSH envelope ### Stewardship (documentation and alignment) 
@@ -52,29 +86,31 @@ Vault-compatible SSH secrets engine API, production). - Capability registry entry for SSH certificate issuance - Keeping ops access patterns consistent with `net-kingdom` platform architecture -### Stewardship (shipped WP-0006) +### Shipped workplans -- `wiki/CredentialRouting.md` — credential type → subsystem routing -- `wiki/NetKingdomSecurityMap.md` — NetKingdom component literacy -- `wiki/ActorInventoryPatterns.md` + `examples/inventory.seed.yaml` -- `wiki/OpenBaoSshEngineChecklist.md` — production SSH signing verify -- `wiki/PolicyGatedSigning.md` — flex-auth integration (opt-in, WP-0007) +| WP | Focus | +| --- | --- | +| WP-0006 | Credential routing, security map, inventory patterns, OpenBao checklist | +| WP-0007 | Opt-in flex-auth policy gate (`policy.enabled`) | +| WP-0008 | Production sign verification, stewardship closeout, archive hygiene | -### Shipped (WARDEN-WP-0007) +### Active / wait -- Opt-in flex-auth policy gate before `warden sign` / `warden issue` (`policy.enabled`) -- `policy_decision_id` in `signatures.log` when gate allows -- Production OpenBao health evidence (`history/2026-06-17-openbao-production-verify.md`) +| WP | Status | Focus | +| --- | --- | --- | +| **WP-0009** | `wait` | flex-auth `ssh-certificate` policies + `policy.enabled` production smoke | -### Shipped (WARDEN-WP-0008) +### Known gaps (not yet workplanned) -- Production OpenBao `warden sign` verified on Railiance (2026-06-18) -- `examples/warden.production.example.yaml` — production config template -- State Hub task-status canon in agent docs; WP-0004–0007 archived +| Gap | Owner | Notes | +| --- | --- | --- | +| ops-bridge `cert_command` on live tunnels | ops-bridge | Tunnels use `agt-claude-*` static keys today | +| Operator token hygiene | Operator | Prefer OIDC + `warden-sign`; retire root from shell profile | +| Principals sync warden ↔ railiance-infra | ops-warden + infra | `inventory.yaml` hosts vs `ssh_principals.yaml` | +| NK-WP-0009 joint SSH 
tutorial | net-kingdom | Parallel coordination track | -### Wait (WARDEN-WP-0009) - -- flex-auth `ssh-certificate` policies + `policy.enabled: true` production enablement +See reassessment §6 for **proposed WARDEN-WP-0010** (integration closeout) when +ops-bridge tunnel migration or token runbook becomes priority. --- @@ -114,15 +150,11 @@ Vault-compatible SSH secrets engine API, production). ## Current State -- **SSH CLI:** shipped v0.1.0 (WARDEN-WP-0001–0003) -- **Docs:** OpenBao-first config (WARDEN-WP-0005), Inter-Hub bootstrap runbook -- **Registry:** `capability.security.ssh-certificate-issuance` published -- **INTENT:** operational access steward (2026-06-17) -- **Stewardship docs:** WP-0006 complete — routing, inventory patterns, OpenBao checklist -- **Policy gate:** WP-0007 complete — opt-in flex-auth pre-sign (`policy.enabled` off in prod) -- **Production SSH path:** WP-0008 complete — OpenBao sign verified 2026-06-18 -- **Next:** WP-0009 — flex-auth policy gate production (blocked on flex-auth policies) -- **Gap reassessment:** `history/2026-06-17-post-wp0007-reassessment.md` +- **SSH CLI:** v0.1.0 — local + OpenBao backends +- **Production sign:** verified 2026-06-18 (`history/2026-06-17-openbao-production-verify.md`) +- **Policy gate:** shipped, `policy.enabled: false` in prod until WP-0009 +- **Active workplan:** WP-0009 (wait — flex-auth) +- **Latest assessment:** `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` --- @@ -137,8 +169,8 @@ key-cape / Keycloak identity claims → railiance-* deployment and host enforcement ``` -Upstream: CA key (local file or OpenBao SSH engine). Actor inventory in Git or -operator config. +Upstream: OpenBao SSH engine (production) or local CA (labs). Actor inventory in +operator config or Git-tracked patterns. Downstream: `ops-bridge` (primary), kaizen agents, CI automations, human operators. 
@@ -186,12 +218,12 @@ keywords: [ssh, certificate, ca, credential, warden, ops-warden, pki, openbao, v | --- | --- | | `INTENT.md` | Why ops-warden exists and where it is going | | `SCOPE.md` | What is implemented today (this file) | +| `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` | Latest INTENT ↔ SCOPE gap analysis | | `wiki/CredentialRouting.md` | Which subsystem for each credential need | | `wiki/NetKingdomSecurityMap.md` | Platform security component map | -| `history/2026-06-17-post-wp0007-reassessment.md` | Latest INTENT ↔ SCOPE assessment | | `examples/warden.production.example.yaml` | Production warden.yaml template | | `wiki/AccessManagementDirective.md` | SSH actor model | | `wiki/OpsWardenConfig.md` | warden.yaml and OpenBao | | `wiki/CertCommandInterface.md` | cert_command contract | -| `wiki/InterHubBootstrapAccessLane.md` | Bootstrap SSH envelope | +| `wiki/PolicyGatedSigning.md` | flex-auth opt-in gate | | `net-kingdom/docs/platform-identity-security-architecture.md` | Platform security canon | \ No newline at end of file diff --git a/history/2026-06-18-post-wp0008-intent-scope-reassessment.md b/history/2026-06-18-post-wp0008-intent-scope-reassessment.md new file mode 100644 index 0000000..115e573 --- /dev/null +++ b/history/2026-06-18-post-wp0008-intent-scope-reassessment.md 
@@ -0,0 +1,110 @@ +# INTENT ↔ SCOPE Reassessment — Post WP-0008 + +**Date:** 2026-06-18 +**Author:** codex +**Trigger:** WARDEN-WP-0008 finished — production OpenBao sign verified, workplan archived. +**Prior assessment:** `history/2026-06-17-post-wp0007-reassessment.md` + +--- + +## 1. Executive summary + +WARDEN-WP-0008 closed the **production SSH path** gap: OpenBao SSH engine live on +Railiance, host CA trust on CoulombCore + Railiance01, and `warden sign` smoke +against `https://bao.coulomb.social` with scoped `warden-sign` policy token. +Stewardship canon (routing, inventory patterns, OpenBao checklist, task-status +migration) and archive hygiene are complete. + +The repository now matches INTENT for the **SSH issuance lane in production**. +Remaining distance to INTENT is **integration breadth** (ops-bridge cert_command +on live tunnels), **authorization depth** (flex-auth policies + `policy.enabled`), +and **operational maturity** (token hygiene, principals sync, optional tutorials). + +**Vector movement:** `D5/A3/C4/R2` → **`D5/A3/C4/R3`** + +| Dimension | Was | Now | Notes | +| --- | --- | --- | --- | +| Discovery | D5 | D5 | Routing + security map + NK cross-links | +| Availability | A3 | A3 | CLI + opt-in policy gate; no desk API | +| Completeness | C4 | C4 | SSH lane prod-verified; flex-auth policies external | +| Reliability | R2 | **R3** | Live `warden sign` evidence on Railiance OpenBao | + +--- + +## 2. Deliverables (WP-0008) + +| Task | Deliverable | Status | +| --- | --- | --- | +| T1 | Post-WP-0007 reassessment, SCOPE update | Done | +| T2 | Production `warden sign` + verify history | Done | +| T3 | AGENTS.md task-status canon | Done | +| T4 | `examples/warden.production.example.yaml`, archive WP-0004–0007 | Done | +| T5 | flex-auth production gate | Cancelled → **WARDEN-WP-0009** | + +--- + +## 3. 
INTENT.md success criteria + +| # | Criterion | Status | Evidence / gap | +| --- | --- | --- | --- | +| 1 | Worker knows which subsystem for each credential type | **Met** | `wiki/CredentialRouting.md`, `wiki/NetKingdomSecurityMap.md` | +| 2 | SSH access short-lived, inventoried, audited | **Met (prod)** | OpenBao sign + `signatures.log`; host principals via railiance-infra | +| 3 | ops-bridge integrates via stable cert_command | **Partial** | Contract shipped; live tunnels still static-key (`agt-claude-*`) | +| 4 | NetKingdom evolution reflected in ops-warden docs | **Met** | NK canon links; NET-WP-0020 / WP-0008 cross-repo evidence | +| 5 | Non-SSH secrets stay out of ops-warden | **Met** | Routing docs only; no secret storage in repo | + +**Score: 4 met, 1 partial** — partial is ops-bridge production adoption, not ops-warden code gap. + +--- + +## 4. INTENT mission pillars (§ The Mission) + +| Pillar | Status | Notes | +| --- | --- | --- | +| 1. Know NetKingdom security model | Strong | Wiki + registry + NK patches (WP-0006) | +| 2. Route workers to correct subsystem | Strong | CredentialRouting operational | +| 3. Align runbooks with canon | Strong | OpenBao checklist, PolicyGatedSigning, production example | +| 4. Issue short-lived SSH certs | **Production** | `backend: vault` verified 2026-06-18 | +| 5. Audit SSH signing / compliance | Tooling ready | `signatures.log`, scorecard; prod cadence not scheduled | + +--- + +## 5. 
Remaining gaps (prioritized) + +| Prio | Gap | Owner | Track | +| --- | --- | --- | --- | +| P1 | flex-auth `ssh-certificate` policies + prod gate | flex-auth + ops-warden | **WARDEN-WP-0009** (`wait`) | +| P2 | ops-bridge `cert_command` on production tunnels | ops-bridge (+ ops-warden doc) | Proposed **WARDEN-WP-0010** | +| P3 | Operator token hygiene (root → OIDC + `warden-sign`) | Operator | Ad hoc or WP-0010 T2 | +| P4 | Principals inventory sync (warden ↔ railiance-infra) | ops-warden + railiance-infra | Proposed WP-0010 or ad hoc | +| P5 | NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel coordination | +| P6 | Actor key lifecycle (`warden issue`, roster automation) | ops-warden | Future WP when attended lanes scale | +| P7 | Policy v2.1 — identity claims for `adm` signs | ops-warden + flex-auth | Design only (`PolicyGatedSigning.md`) | + +--- + +## 6. Workplan recommendation + +**Keep WARDEN-WP-0009** as-is — blocked on flex-auth policy package. + +**Propose WARDEN-WP-0010 — Production SSH Integration Closeout** when ready: + +- T1: Document ops-bridge `cert_command` migration for `agt-state-hub-bridge` (pilot tunnel) +- T2: Operator token runbook — OIDC login, `warden-sign` token, root retirement +- T3: Principals drift check — `inventory.yaml` `hosts` ↔ `railiance-infra/ssh_principals.yaml` +- T4: Optional cert_command smoke evidence in verify history + +Defer WP-0010 creation until flex-auth path is clearer or ops-bridge signals tunnel migration priority. + +**Ad hoc only:** token rotation, single-tunnel cert_command pilot — no workplan unless multi-phase. + +--- + +## 7. Where we are (one paragraph) + +ops-warden is a **production-capable SSH certificate authority** for the NetKingdom +`adm`/`agt`/`atm` model, with OpenBao as the Railiance signing backend and +documented stewardship for every other credential lane. INTENT's core SSH mission +is achieved; the steward desk is documentation-first with a shipped, verified CLI. 
+Next maturity steps are authorization (flex-auth), consumer integration (ops-bridge), +and operational hygiene — not new signing features. \ No newline at end of file
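Review bot: the initial gap analysis `history/2026-06-17-intent-scope-assessment.md` becomes unreachable in the INTENT.md hunk (`@@ -221,6 +221,6 @@`): the new pointer links only `history/2026-06-18-post-wp0008-intent-scope-reassessment.md`, and that file's `**Prior assessment:**` header reaches back only to `history/2026-06-17-post-wp0007-reassessment.md`. Suggest keeping the initial assessment link next to the latest one in INTENT.md, or adding it to the prior-assessment chain in the reassessment header, so the baseline the later assessments measure against stays discoverable.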
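Review bot: the maturity table header in the SCOPE.md hunk `@@ -16,19 +15,54 @@` does not match its rows: `| Dimension | Level | Meaning today |` is followed by rows such as `| D5 | Discovery | Routing + security map + NK canon cross-links |`, where the level code sits under "Dimension" and the dimension name under "Level". Either swap the first two header cells to `| Level | Dimension | Meaning today |` or reorder the row cells to follow the `| Dimension | Was | Now | Notes |` layout the reassessment §1 table uses, so the two tables read the same way.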
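Review bot: the Known gaps row `| Operator token hygiene | Operator | Prefer OIDC + `warden-sign`; retire root from shell profile |` in the SCOPE.md hunk `@@ -52,29 +86,31 @@` records that a root OpenBao token is still sourced from an operator shell profile, yet carries no deadline or interim step, and reassessment §5 only lists it as P3 "Ad hoc or WP-0010 T2" behind a workplan that §6 defers. That token outranks the scoped `warden-sign` policy token the production smoke used, so suggest giving the row an explicit owner date or an interim mitigation (rotate the root token and remove it from the profile now, ahead of the OIDC runbook) rather than leaving it on the deferred track.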
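Review bot: `- **Production sign:** verified 2026-06-18 (`history/2026-06-17-openbao-production-verify.md`)` in the SCOPE.md Current State hunk (`@@ -114,15 +150,11 @@`) cites a 2026-06-17 file as evidence for a 2026-06-18 verification. The removed WP-0007 section described that same file as "Production OpenBao health evidence", which predates the WP-0008 sign run; if the `warden sign` evidence from reassessment T2 ("Production `warden sign` + verify history") lives in a different file, link that one, otherwise state in the bullet that the health-check file was extended on 2026-06-18.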
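Review bot: `wiki/InterHubBootstrapAccessLane.md` is no longer linked anywhere in SCOPE.md once its related-docs row is replaced by `| `wiki/PolicyGatedSigning.md` | flex-auth opt-in gate |` in the hunk `@@ -186,12 +218,12 @@`, yet the Implemented (SSH lane) list in the same file still advertises "Runbooks for OpenBao config and Inter-Hub bootstrap SSH envelope". Suggest adding the PolicyGatedSigning row instead of swapping it in, so the bootstrap runbook stays reachable from the file that claims it is implemented.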
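Review bot: in §3 of the new reassessment file, criterion 2 "SSH access short-lived, inventoried, audited" is marked **Met (prod)** while criterion 3 on the next row records that live ops-bridge tunnels still use static `agt-claude-*` keys, and §5 P6 leaves actor key lifecycle for a future workplan. Those tunnels are SSH access that is neither short-lived nor recorded in `signatures.log`, so suggest qualifying criterion 2 as "Met for warden-issued certificates" (or Partial) and noting in its Evidence / gap cell that static-key tunnels are tracked under criterion 3, so the "4 met, 1 partial" score is not read as all production SSH access being certificate-based.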