generated from coulomb/repo-seed
docs: post-WP-0008 INTENT↔SCOPE reassessment and gap snapshot
SCOPE.md now documents where we are (R3 production sign), INTENT criteria status, maturity vector, and workplan landscape. Add reassessment history; point INTENT evolution notes at latest assessment.
114
SCOPE.md
@@ -2,7 +2,6 @@
> This file helps you quickly understand what this repository is about,
> when it is relevant, and when it is not.
> It is intentionally lightweight and may be incomplete.
> Aspirational direction lives in `INTENT.md`.
---
@@ -16,19 +15,54 @@ aligned with NetKingdom canon.
---
## Where we are (2026-06-18)
ops-warden is **production-verified for SSH signing** on Railiance OpenBao
(`warden sign` against `https://bao.coulomb.social`, host CA trust deployed).
The steward desk — routing wiki, NetKingdom security map, inventory patterns,
OpenBao checklist — is operational. The opt-in flex-auth pre-sign gate is
**coded but off in production** until flex-auth publishes `ssh-certificate`
policies (WARDEN-WP-0009).
**INTENT alignment:** SSH issuance mission met in production. Remaining distance
is integration breadth (ops-bridge `cert_command` on live tunnels), authorization
depth (flex-auth), and operator hygiene — not missing signing code.
Full gap analysis: `history/2026-06-18-post-wp0008-intent-scope-reassessment.md`
---
## INTENT gap snapshot
| INTENT success criterion | Status |
| --- | --- |
| Worker knows which subsystem for each credential type | Met |
| SSH short-lived, inventoried, audited | Met (production) |
| ops-bridge integrates via stable `cert_command` | **Partial** — contract yes; tunnels still static-key |
| NetKingdom evolution reflected in docs | Met |
| Non-SSH secrets stay out of ops-warden | Met |
**Maturity vector:** `D5 / A3 / C4 / R3` (Discovery / Availability / Completeness / Reliability)
| Dimension | Level | Meaning today |
| --- | --- | --- |
| D5 | Discovery | Routing + security map + NK canon cross-links |
| A3 | Availability | CLI + opt-in policy gate; no desk API |
| C4 | Completeness | SSH lane prod-verified; flex-auth policies external |
| R3 | Reliability | Live OpenBao sign evidence on Railiance |
---
## Core Idea
**Today:** implements the SSH certificate lane from `wiki/AccessManagementDirective.md`
§§1–5 — CA signing, actor inventory, TTL policy, cert-side scorecard, and the
`cert_command` interface for ops-bridge.
`cert_command` interface for ops-bridge. Production path uses OpenBao SSH engine
(`backend: vault`).
**Direction (INTENT):** become the custodian-domain desk that understands NetKingdom
identity, authorization, secrets, and SSH lanes — routing dev workers to key-cape,
flex-auth, OpenBao, ops-bridge, and railiance components instead of centralizing
all secrets here.
Signing backends: `local` (ssh-keygen, labs) and `vault` (OpenBao or other
Vault-compatible SSH secrets engine API, production).
**Direction (INTENT):** custodian-domain desk that routes dev workers to key-cape,
flex-auth, OpenBao, ops-bridge, and railiance components — implementing only the
SSH certificate lane directly.
---
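Review bot: the maturity table's first two columns are labelled the wrong way round: the header reads `| Dimension | Level | Meaning today |`, but every row puts the level code first and the dimension name second (`| D5 | Discovery | ... |`). Swap the two header cells to `| Level | Dimension | Meaning today |` (or swap the cell order in the rows) so the table agrees with the `D5 / A3 / C4 / R3` vector line above it. Separately, the Core Idea block in this hunk shows two **Direction (INTENT):** paragraphs and two `cert_command interface for ops-bridge.` lines; the rendered hunk has lost its +/- markers, so please confirm only one of each survives in the new file.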
@@ -37,12 +71,12 @@ Vault-compatible SSH secrets engine API, production).
### Implemented (SSH lane)
- Local CA backend (`ssh-keygen -s`)
- OpenBao / Vault-compatible SSH engine backend
- OpenBao / Vault-compatible SSH engine backend (**production-verified**)
- Actor identity registry (`inventory.yaml`)
- `cert_command`: `warden sign <actor> --pubkey <path>` → cert on stdout
- TTL enforcement per `ActorType` (`adm` 48 h, `agt` 24 h, `atm` 8 h)
- `warden status`, cleanup, scorecard, signatures log
- `warden issue` and `ops-ssh-wrapper`
- `warden issue` and `ops-ssh-wrapper` (local backend; vault uses sign-only)
- Runbooks for OpenBao config and Inter-Hub bootstrap SSH envelope
### Stewardship (documentation and alignment)
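Review bot: the bullet `OpenBao / Vault-compatible SSH engine backend (**production-verified**)` asserts production verification without pointing at the evidence; link the history record the rest of this diff cites for that claim (`history/2026-06-17-openbao-production-verify.md`) so a reader of the Implemented list can check it. The parenthetical added to the `warden issue` bullet, `(local backend; vault uses sign-only)`, is the right caveat, but it is worth stating plainly that `ops-ssh-wrapper` is therefore not available on the production path, since an operator reading only this list could assume otherwise.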
@@ -52,29 +86,31 @@ Vault-compatible SSH secrets engine API, production).
- Capability registry entry for SSH certificate issuance
- Keeping ops access patterns consistent with `net-kingdom` platform architecture
### Stewardship (shipped WP-0006)
### Shipped workplans
- `wiki/CredentialRouting.md` — credential type → subsystem routing
- `wiki/NetKingdomSecurityMap.md` — NetKingdom component literacy
- `wiki/ActorInventoryPatterns.md` + `examples/inventory.seed.yaml`
- `wiki/OpenBaoSshEngineChecklist.md` — production SSH signing verify
- `wiki/PolicyGatedSigning.md` — flex-auth integration (opt-in, WP-0007)
| WP | Focus |
| --- | --- |
| WP-0006 | Credential routing, security map, inventory patterns, OpenBao checklist |
| WP-0007 | Opt-in flex-auth policy gate (`policy.enabled`) |
| WP-0008 | Production sign verification, stewardship closeout, archive hygiene |
### Shipped (WARDEN-WP-0007)
### Active / wait
- Opt-in flex-auth policy gate before `warden sign` / `warden issue` (`policy.enabled`)
- `policy_decision_id` in `signatures.log` when gate allows
- Production OpenBao health evidence (`history/2026-06-17-openbao-production-verify.md`)
| WP | Status | Focus |
| --- | --- | --- |
| **WP-0009** | `wait` | flex-auth `ssh-certificate` policies + `policy.enabled` production smoke |
### Shipped (WARDEN-WP-0008)
### Known gaps (not yet workplanned)
- Production OpenBao `warden sign` verified on Railiance (2026-06-18)
- `examples/warden.production.example.yaml` — production config template
- State Hub task-status canon in agent docs; WP-0004–0007 archived
| Gap | Owner | Notes |
| --- | --- | --- |
| ops-bridge `cert_command` on live tunnels | ops-bridge | Tunnels use `agt-claude-*` static keys today |
| Operator token hygiene | Operator | Prefer OIDC + `warden-sign`; retire root from shell profile |
| Principals sync warden ↔ railiance-infra | ops-warden + infra | `inventory.yaml` hosts vs `ssh_principals.yaml` |
| NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel coordination track |
### Wait (WARDEN-WP-0009)
- flex-auth `ssh-certificate` policies + `policy.enabled: true` production enablement
See reassessment §6 for **proposed WARDEN-WP-0010** (integration closeout) when
ops-bridge tunnel migration or token runbook becomes priority.
---
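Review bot: the Known gaps row `Operator token hygiene | Operator | Prefer OIDC + warden-sign; retire root from shell profile` records a root token living in an operator's shell profile, which is a standing high-privilege credential for the same OpenBao this file now calls production-verified; it deserves an owner date or a slot in WP-0009 or the proposed WP-0010 rather than the "not yet workplanned" bucket. Two smaller points in the same section: `warden-sign` (hyphenated) is not the `warden sign` command used elsewhere in the file, so if it names an OpenBao role or policy, say so; and "See reassessment §6" should give the file path (`history/2026-06-18-post-wp0008-intent-scope-reassessment.md`, as the Where-we-are section does), since this section does not otherwise name it.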
@@ -114,15 +150,11 @@ Vault-compatible SSH secrets engine API, production).
## Current State
- **SSH CLI:** shipped v0.1.0 (WARDEN-WP-0001–0003)
- **Docs:** OpenBao-first config (WARDEN-WP-0005), Inter-Hub bootstrap runbook
- **Registry:** `capability.security.ssh-certificate-issuance` published
- **INTENT:** operational access steward (2026-06-17)
- **Stewardship docs:** WP-0006 complete — routing, inventory patterns, OpenBao checklist
- **Policy gate:** WP-0007 complete — opt-in flex-auth pre-sign (`policy.enabled` off in prod)
- **Production SSH path:** WP-0008 complete — OpenBao sign verified 2026-06-18
- **Next:** WP-0009 — flex-auth policy gate production (blocked on flex-auth policies)
- **Gap reassessment:** `history/2026-06-17-post-wp0007-reassessment.md`
- **SSH CLI:** v0.1.0 — local + OpenBao backends
- **Production sign:** verified 2026-06-18 (`history/2026-06-17-openbao-production-verify.md`)
- **Policy gate:** shipped, `policy.enabled: false` in prod until WP-0009
- **Active workplan:** WP-0009 (wait — flex-auth)
- **Latest assessment:** `history/2026-06-18-post-wp0008-intent-scope-reassessment.md`
---
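Review bot: the new `Production sign` bullet says `verified 2026-06-18` but cites `history/2026-06-17-openbao-production-verify.md`; the Where-we-are section and the Shipped (WARDEN-WP-0008) bullet also use 2026-06-18, so either the evidence file is dated a day before the verification it records or one of the dates is wrong. Please confirm, and if the file name is right, say in the bullet that the record is dated 06-17. This hunk also drops the `Next:` line; `Active workplan: WP-0009 (wait — flex-auth)` covers the pointer, but the blocking condition ("blocked on flex-auth policies") now survives only in the Active / wait table, so keep it here too if Current State is meant to be self-contained.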
@@ -137,8 +169,8 @@ key-cape / Keycloak identity claims
→ railiance-* deployment and host enforcement
```
Upstream: CA key (local file or OpenBao SSH engine). Actor inventory in Git or
operator config.
Upstream: OpenBao SSH engine (production) or local CA (labs). Actor inventory in
operator config or Git-tracked patterns.
Downstream: `ops-bridge` (primary), kaizen agents, CI automations, human operators.
@@ -186,12 +218,12 @@ keywords: [ssh, certificate, ca, credential, warden, ops-warden, pki, openbao, v
| --- | --- |
| `INTENT.md` | Why ops-warden exists and where it is going |
| `SCOPE.md` | What is implemented today (this file) |
| `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` | Latest INTENT ↔ SCOPE gap analysis |
| `wiki/CredentialRouting.md` | Which subsystem for each credential need |
| `wiki/NetKingdomSecurityMap.md` | Platform security component map |
| `history/2026-06-17-post-wp0007-reassessment.md` | Latest INTENT ↔ SCOPE assessment |
| `examples/warden.production.example.yaml` | Production warden.yaml template |
| `wiki/AccessManagementDirective.md` | SSH actor model |
| `wiki/OpsWardenConfig.md` | warden.yaml and OpenBao |
| `wiki/CertCommandInterface.md` | cert_command contract |
| `wiki/InterHubBootstrapAccessLane.md` | Bootstrap SSH envelope |
| `wiki/PolicyGatedSigning.md` | flex-auth opt-in gate |
| `net-kingdom/docs/platform-identity-security-architecture.md` | Platform security canon |
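Review bot: the reference table would carry two rows both described as the latest INTENT ↔ SCOPE assessment (`history/2026-06-17-post-wp0007-reassessment.md` and the new `history/2026-06-18-post-wp0008-intent-scope-reassessment.md`) unless the 06-17 row is the one being removed; the rendered hunk has lost its +/- markers, so please confirm the 06-17 row is deleted or relabel it "Previous assessment". The new row's description says "gap analysis" while the commit message says "reassessment"; pick one term, matching the "Full gap analysis:" link in the Where-we-are section.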