generated from coulomb/repo-seed
feat: close WP-0009/WP-0013 production integration stewardship strand
Ship flex-auth policy gate registry and smoke evidence, archive WP-0009 through WP-0013, and add integration docs: ops-bridge cert_command migration playbook, operator OpenBao token hygiene, principals drift check script, and 2026-06-24 INTENT/SCOPE gap analysis.
This commit is contained in:
70
history/2026-06-23-flex-auth-policy-gate-local-smoke.md
Normal file
70
history/2026-06-23-flex-auth-policy-gate-local-smoke.md
Normal file
@@ -0,0 +1,70 @@
|
||||
# flex-auth Policy Gate — Local Smoke (WARDEN-WP-0009)
|
||||
|
||||
**Date:** 2026-06-23
|
||||
**Workplan:** WARDEN-WP-0009 T01 closeout + T02 local smoke
|
||||
**flex-auth delivery:** FLEX-WP-0006 (`docs/ops-warden-policy-gate-handoff.md`)
|
||||
|
||||
---
|
||||
|
||||
## Unblock
|
||||
|
||||
flex-auth published the `ssh-certificate` / `sign` policy package and ops-warden
|
||||
handoff on 2026-06-23. WARDEN-WP-0009 T01 is complete; T2 local smoke below.
|
||||
Production enablement still requires deploying a **production registry slice**
|
||||
with real inventory actors (see `wiki/PolicyGatedSigning.md`).
|
||||
|
||||
---
|
||||
|
||||
## flex-auth assets confirmed
|
||||
|
||||
| Asset | Path (flex-auth repo) |
|
||||
| --- | --- |
|
||||
| Policy package | `examples/ops-warden/policy_package.md` |
|
||||
| Fixtures | `examples/ops-warden/policy_fixtures.yaml` |
|
||||
| Registry snapshot | `examples/ops-warden/registry_snapshot.json` |
|
||||
| Handoff | `docs/ops-warden-policy-gate-handoff.md` |
|
||||
|
||||
Example registry actors (`platform-steward`, `ci-deploy-agent`, `backup-automation`)
|
||||
are **templates**. Production actors such as `agt-state-hub-bridge` must be
|
||||
registered in the deployed flex-auth registry before `policy.enabled: true`.
|
||||
|
||||
---
|
||||
|
||||
## Local smoke (ops-warden + flex-auth)
|
||||
|
||||
**Setup:** `backend: local`, `policy.enabled: true`, `fail_closed: true`,
|
||||
flex-auth `serve` with ops-warden policy package and a smoke registry that adds
|
||||
`agt-policy-smoke` (ops-warden naming-compliant clone of the `agt` fixture).
|
||||
|
||||
### Allow path
|
||||
|
||||
| Check | Result |
|
||||
| --- | --- |
|
||||
| `warden sign agt-policy-smoke` | Pass (exit 0) |
|
||||
| `signatures.log` `policy_decision_id` | `decision:78bc882eca883f29` |
|
||||
| `signatures.log` `backend` | `local` |
|
||||
|
||||
### Deny path (`fail_closed: true`)
|
||||
|
||||
| Check | Result |
|
||||
| --- | --- |
|
||||
| `warden sign agt-state-hub-bridge` (not in flex-auth registry) | Fail (exit 1) |
|
||||
| CLI reason surfaced | `unknown_actor_resource` |
|
||||
| Cert issued | No |
|
||||
|
||||
---
|
||||
|
||||
## Production remaining (T2)
|
||||
|
||||
1. Deploy flex-auth registry + policy package to production flex-auth runtime.
|
||||
2. Register production inventory actors (`agt-state-hub-bridge`, `adm-*`, `atm-*`).
|
||||
3. Set `policy.flex_auth_url` and `policy.enabled: true` in production `warden.yaml`.
|
||||
4. Repeat allow/deny smoke against OpenBao-backed `warden sign`; capture
|
||||
`policy_decision_id` in `signatures.log` (non-secret evidence only).
|
||||
|
||||
---
|
||||
|
||||
## See also
|
||||
|
||||
- `wiki/PolicyGatedSigning.md` — bindings, rollout, handoff link
|
||||
- `workplans/WARDEN-WP-0009-flex-auth-policy-gate-production.md`
|
||||
99
history/2026-06-23-flex-auth-policy-gate-production-smoke.md
Normal file
99
history/2026-06-23-flex-auth-policy-gate-production-smoke.md
Normal file
@@ -0,0 +1,99 @@
|
||||
# flex-auth Policy Gate — Production Registry Smoke (WARDEN-WP-0009 T02)
|
||||
|
||||
**Date:** 2026-06-23
|
||||
**Workplan:** WARDEN-WP-0009 T02
|
||||
**Operator:** codex (non-secret evidence only)
|
||||
|
||||
---
|
||||
|
||||
## Production registry slice
|
||||
|
||||
Built from `~/.config/warden/inventory.yaml` (matches `examples/inventory.seed.yaml`):
|
||||
|
||||
| Artifact | Path |
|
||||
| --- | --- |
|
||||
| Registry snapshot | `registry/flex-auth/production_registry_snapshot.json` |
|
||||
| Generator | `scripts/build_flex_auth_registry.py` |
|
||||
| Smoke runner | `scripts/policy_gate_production_smoke.sh` |
|
||||
|
||||
`flex-auth load-registry` validation: **4 actors**, 3 groups, 4 relationships.
|
||||
|
||||
Registered actors:
|
||||
|
||||
| Actor | Type | max_ttl_hours | Principals |
|
||||
| --- | --- | --- | --- |
|
||||
| `agt-state-hub-bridge` | agt | 24 | `agt-task-bridge` |
|
||||
| `agt-codex-interhub-bootstrap` | agt | 2 | `agt-interhub-bootstrap` |
|
||||
| `adm-example` | adm | 48 | `adm-full` |
|
||||
| `atm-backup-daily` | atm | 8 | `atm-backup-daily` |
|
||||
|
||||
Regenerate after inventory changes:
|
||||
|
||||
```bash
|
||||
python scripts/build_flex_auth_registry.py ~/.config/warden/inventory.yaml \
|
||||
-o registry/flex-auth/production_registry_snapshot.json
|
||||
```
|
||||
|
||||
Deploy the snapshot to the production flex-auth runtime (`flex-auth serve` or
|
||||
future in-cluster deployment). Policy package path:
|
||||
`~/flex-auth/examples/ops-warden/policy_package.md`.
|
||||
|
||||
---
|
||||
|
||||
## Smoke results (production inventory + registry)
|
||||
|
||||
flex-auth served locally with the production registry; `warden sign` used real
|
||||
inventory actors and `policy.enabled: true`.
|
||||
|
||||
### Allow path — `agt-state-hub-bridge`
|
||||
|
||||
| Check | Result |
|
||||
| --- | --- |
|
||||
| `warden sign agt-state-hub-bridge` | Pass (exit 0) |
|
||||
| `signatures.log` `policy_decision_id` | `decision:032b096c433ad80c` |
|
||||
| `signatures.log` `actor` | `agt-state-hub-bridge` |
|
||||
|
||||
### Deny path — TTL above registry max (`fail_closed: true`)
|
||||
|
||||
| Check | Result |
|
||||
| --- | --- |
|
||||
| `warden sign agt-state-hub-bridge --ttl 999` | Fail (exit 1) |
|
||||
| flex-auth reason | `ttl_out_of_bounds` |
|
||||
| Cert issued | No |
|
||||
|
||||
---
|
||||
|
||||
## OpenBao-backed smoke (operator follow-up)
|
||||
|
||||
Attempted `backend: vault` against `https://bao.coulomb.social` with
|
||||
`policy.enabled: true`. **Blocked:** `VAULT_TOKEN` in session returned HTTP 403
|
||||
(`permission denied`). Baseline `warden sign` without policy gate fails the same
|
||||
way — token refresh required before vault-backed policy smoke.
|
||||
|
||||
When a scoped `warden-sign` token is available:
|
||||
|
||||
```bash
|
||||
export VAULT_TOKEN="<scoped-token>" # never commit or paste in chat
|
||||
SMOKE_VAULT=1 ./scripts/policy_gate_production_smoke.sh
|
||||
```
|
||||
|
||||
Then enable production `warden.yaml`:
|
||||
|
||||
```yaml
|
||||
policy:
|
||||
enabled: true
|
||||
flex_auth_url: http://flex-auth.flex-auth.svc.cluster.local:8080 # or reachable URL
|
||||
fail_closed: true
|
||||
```
|
||||
|
||||
Keep `policy.enabled: false` until flex-auth is reachable at `flex_auth_url` from
|
||||
the workstation running `warden sign` — `fail_closed: true` blocks all signs when
|
||||
flex-auth is down.
|
||||
|
||||
---
|
||||
|
||||
## See also
|
||||
|
||||
- `history/2026-06-23-flex-auth-policy-gate-local-smoke.md` — template registry smoke
|
||||
- `wiki/PolicyGatedSigning.md` — rollout sequence
|
||||
- `~/flex-auth/docs/ops-warden-policy-gate-handoff.md`
|
||||
189
history/2026-06-23-flex-auth-production-pickup-suggestion.md
Normal file
189
history/2026-06-23-flex-auth-production-pickup-suggestion.md
Normal file
@@ -0,0 +1,189 @@
|
||||
# flex-auth Pickup Suggestion — Ops-Warden Policy Gate Production
|
||||
|
||||
**Date:** 2026-06-23
|
||||
**From:** ops-warden (`WARDEN-WP-0009` finished)
|
||||
**For:** flex-auth owner
|
||||
**Prior delivery:** `FLEX-WP-0006` (policy package, template registry, handoff doc)
|
||||
|
||||
---
|
||||
|
||||
## Summary
|
||||
|
||||
ops-warden closed **WARDEN-WP-0009**. The caller side (`policy.enabled`,
|
||||
`POST /v1/check`, `policy_decision_id` in `signatures.log`) is verified.
|
||||
flex-auth **policy authoring** for the gate contract is done.
|
||||
|
||||
What remains is **flex-auth production runtime + registry operations** so
|
||||
operators can set `policy.enabled: true` on workstations running `warden sign`
|
||||
without local `flex-auth serve` hacks.
|
||||
|
||||
---
|
||||
|
||||
## What ops-warden already proved
|
||||
|
||||
| Evidence | Location |
|
||||
| --- | --- |
|
||||
| Template registry + policy smoke | `history/2026-06-23-flex-auth-policy-gate-local-smoke.md` |
|
||||
| Production inventory registry smoke | `history/2026-06-23-flex-auth-policy-gate-production-smoke.md` |
|
||||
| Production registry artifact | `registry/flex-auth/production_registry_snapshot.json` |
|
||||
| Registry generator | `scripts/build_flex_auth_registry.py` |
|
||||
| Joint smoke runner | `scripts/policy_gate_production_smoke.sh` |
|
||||
|
||||
Production-registry allow smoke (real actor `agt-state-hub-bridge`):
|
||||
|
||||
- `policy_decision_id: decision:032b096c433ad80c`
|
||||
- Deny: `ttl_out_of_bounds` with `fail_closed: true`
|
||||
|
||||
OpenBao-backed sign + policy gate is **not yet joint-verified** — scoped
|
||||
`VAULT_TOKEN` returned HTTP 403 in this session (ops-warden operator task).
|
||||
|
||||
---
|
||||
|
||||
## Gaps flex-auth should pick up
|
||||
|
||||
### 1. Production runtime deployment (P0)
|
||||
|
||||
**Problem:** No reachable flex-auth endpoint from the operator workstation.
|
||||
Probe from WSL: `flex-auth.flex-auth.svc.cluster.local:8080` does not resolve;
|
||||
`127.0.0.1:8080` is not running. ops-warden cannot enable `policy.enabled`
|
||||
with `fail_closed: true` until flex-auth is up.
|
||||
|
||||
**Suggestion for flex-auth:**
|
||||
|
||||
- Deploy `flex-auth serve` (or equivalent) to a **stable production URL**
|
||||
reachable from machines that run `warden sign`.
|
||||
- Document the canonical URL for `policy.flex_auth_url` (cluster DNS, tunnel,
|
||||
or ingress — whichever matches NetKingdom operator access patterns).
|
||||
- Expose **`GET /healthz`** (already in code) in runbooks; ops-warden operators
|
||||
will use it as a pre-flight before enabling the gate.
|
||||
|
||||
**Acceptance:** Operator can `curl <flex_auth_url>/healthz` from the warden
|
||||
workstation and get HTTP 200.
|
||||
|
||||
---
|
||||
|
||||
### 2. Load production registry, not only template fixtures (P0)
|
||||
|
||||
**Problem:** `examples/ops-warden/registry_snapshot.json` uses **template**
|
||||
actors (`platform-steward`, `ci-deploy-agent`, `backup-automation`). Production
|
||||
inventory uses **different names** (`agt-state-hub-bridge`, etc.). Signing with
|
||||
`policy.enabled: true` denies unregistered actors (`unknown_actor_resource`).
|
||||
|
||||
**Suggestion for flex-auth:**
|
||||
|
||||
- Adopt ops-warden's production registry snapshot as the **initial production
|
||||
load target**, or ingest equivalent manifests under `examples/ops-warden/`
|
||||
generated from real inventory.
|
||||
- Document operator steps:
|
||||
```bash
|
||||
# ops-warden (regenerate when inventory changes)
|
||||
python scripts/build_flex_auth_registry.py ~/.config/warden/inventory.yaml \
|
||||
-o registry/flex-auth/production_registry_snapshot.json
|
||||
|
||||
# flex-auth (load into runtime)
|
||||
flex-auth load-registry --file <path-to-production_registry_snapshot.json>
|
||||
flex-auth serve --registry <snapshot> --policy examples/ops-warden/policy_package.md ...
|
||||
```
|
||||
- Add **fixture or integration tests** using production actor names
|
||||
(`agt-state-hub-bridge`, `adm-example`, `atm-backup-daily`) so CI catches
|
||||
registry drift.
|
||||
|
||||
**Acceptance:** `POST /v1/check` allows `agt-state-hub-bridge` / `sign` against
|
||||
the deployed production registry without ops-warden-local registry patching.
|
||||
|
||||
---
|
||||
|
||||
### 3. Registry sync contract (P1)
|
||||
|
||||
**Problem:** ops-warden owns `inventory.yaml`; flex-auth owns authorization
|
||||
registry. Today sync is manual: regenerate JSON, reload flex-auth.
|
||||
|
||||
**Suggestion for flex-auth:**
|
||||
|
||||
- Publish a short **sync contract** doc:
|
||||
- **ops-warden owns:** actor names, types, principals, TTL defaults
|
||||
- **flex-auth owns:** `allowed_subjects`, `max_ttl_hours`, relationships,
|
||||
policy package
|
||||
- **Trigger:** inventory add/change → regenerate snapshot → flex-auth reload
|
||||
- Optional later: `flex-auth validate` target for ops-warden-generated snapshots;
|
||||
or HTTP reload endpoint for registry updates without restart.
|
||||
|
||||
**Acceptance:** Documented two-repo workflow; no ambiguity on who updates what
|
||||
when a new `agt-*` actor is added.
|
||||
|
||||
---
|
||||
|
||||
### 4. Joint production smoke with OpenBao (P1)
|
||||
|
||||
**Problem:** Policy gate smoke used `backend: local` or local flex-auth. Full
|
||||
production path is `warden sign` → flex-auth → OpenBao SSH engine.
|
||||
|
||||
**Suggestion for flex-auth:**
|
||||
|
||||
- Coordinate one **joint smoke session** with ops-warden once:
|
||||
- flex-auth deployed with production registry
|
||||
- ops-warden `policy.enabled: true`, valid `VAULT_TOKEN`
|
||||
- Allow: `warden sign agt-state-hub-bridge` → `signatures.log` has
|
||||
`backend: vault` and `policy_decision_id`
|
||||
- Deny: e.g. `--ttl` above max → flex-auth deny before OpenBao call
|
||||
- Record non-secret evidence (decision ids, reasons, actor names only).
|
||||
|
||||
**Acceptance:** Shared history entry or flex-auth handoff update with vault-backed
|
||||
evidence mirroring ops-warden's local smoke format.
|
||||
|
||||
---
|
||||
|
||||
### 5. IAM subject binding in production (P2)
|
||||
|
||||
**Problem:** Policy allows `subject.id` = actor name or `iam:<actor>`. Production
|
||||
may set `WARDEN_POLICY_SUBJECT` from key-cape/IAM profile `sub`.
|
||||
|
||||
**Suggestion for flex-auth:**
|
||||
|
||||
- Confirm production registry `allowed_subjects` covers expected IAM subs for
|
||||
each actor (or document that actor-name fallback is the production default
|
||||
until IAM mapping is wired).
|
||||
- Add one fixture for `WARDEN_POLICY_SUBJECT` / `iam:agt-state-hub-bridge` if
|
||||
that path is intended in prod.
|
||||
|
||||
**Acceptance:** Documented subject-id strategy for SSH sign gate in production.
|
||||
|
||||
---
|
||||
|
||||
## Proposed flex-auth workplan (draft)
|
||||
|
||||
**Title:** `FLEX-WP-0007 — Ops-Warden Policy Gate Production Deployment`
|
||||
**Priority:** P0
|
||||
**Depends on:** `FLEX-WP-0006`, ops-warden `WARDEN-WP-0009` (finished)
|
||||
|
||||
| Task | Summary |
|
||||
| --- | --- |
|
||||
| T1 | Deploy flex-auth runtime; document production `flex_auth_url` + `/healthz` |
|
||||
| T2 | Load production registry snapshot; verify allow/deny for real inventory actors |
|
||||
| T3 | Publish registry sync contract with ops-warden (`inventory.yaml` → snapshot) |
|
||||
| T4 | Joint OpenBao + policy gate smoke with ops-warden (non-secret evidence) |
|
||||
| T5 | IAM subject binding notes / fixtures for `WARDEN_POLICY_SUBJECT` (if needed) |
|
||||
|
||||
---
|
||||
|
||||
## Ownership boundary (unchanged)
|
||||
|
||||
| Concern | Owner |
|
||||
| --- | --- |
|
||||
| Policy package + PDP decision | flex-auth |
|
||||
| Actor inventory + TTL/principal defaults | ops-warden |
|
||||
| SSH CA / OpenBao signing | ops-warden |
|
||||
| Production registry **content** for SSH actors | joint — ops-warden generates from inventory; flex-auth hosts and evaluates |
|
||||
| `policy.enabled` flip | ops-warden operator (after flex-auth reachable) |
|
||||
|
||||
---
|
||||
|
||||
## References
|
||||
|
||||
| Doc | Repo |
|
||||
| --- | --- |
|
||||
| `docs/ops-warden-policy-gate-handoff.md` | flex-auth |
|
||||
| `workplans/FLEX-WP-0006-ops-warden-ssh-signing-policy-gate.md` | flex-auth |
|
||||
| `wiki/PolicyGatedSigning.md` | ops-warden |
|
||||
| `workplans/WARDEN-WP-0009-flex-auth-policy-gate-production.md` | ops-warden |
|
||||
| `registry/flex-auth/production_registry_snapshot.json` | ops-warden |
|
||||
127
history/2026-06-24-intent-scope-gap-analysis.md
Normal file
127
history/2026-06-24-intent-scope-gap-analysis.md
Normal file
@@ -0,0 +1,127 @@
|
||||
# INTENT ↔ SCOPE Gap Analysis — Post WP-0009 / WP-0011
|
||||
|
||||
**Date:** 2026-06-24
|
||||
**Author:** codex
|
||||
**Trigger:** WARDEN-WP-0009 archived; WP-0010/0011 done; policy gate + routing shipped.
|
||||
**Prior assessments:** `history/2026-06-18-post-wp0008-intent-scope-reassessment.md`,
|
||||
`history/2026-06-18-access-routing-intent-shift-assessment.md`
|
||||
|
||||
---
|
||||
|
||||
## 1. Executive summary
|
||||
|
||||
ops-warden is a **production-capable SSH CA** with **structured credential routing**
|
||||
(`warden route`) and a **shipped, opt-in flex-auth policy gate** (registry + smoke
|
||||
complete; production flip waits flex-auth runtime deploy).
|
||||
|
||||
INTENT's SSH issuance mission is **met in production**. The largest remaining INTENT
|
||||
gap is **ops-bridge consumer integration** — `cert_command` contract exists but live
|
||||
tunnels still use static keys. Secondary gaps are **operator hygiene**, **inventory ↔
|
||||
infra principals alignment**, **routing playbook depth** (WP-0012), and **cross-repo
|
||||
coordination** (flex-auth FLEX-WP-0007, net-kingdom NK-WP-0009).
|
||||
|
||||
**Vector movement:** `D5 / A4 / C4 / R3` → **`D5 / A4 / C4 / R3`** (unchanged level;
|
||||
policy-gate readiness improves C4 substance without changing the label until prod flip)
|
||||
|
||||
| Dimension | Was | Now | Notes |
|
||||
| --- | --- | --- | --- |
|
||||
| Discovery | D5 | D5 | Catalog + `warden route` + wiki |
|
||||
| Availability | A4 | A4 | Routing CLI shipped (WP-0011) |
|
||||
| Completeness | C4 | C4 | Policy registry smoke done; prod `policy.enabled` off |
|
||||
| Reliability | R3 | R3 | OpenBao sign verified; cert_command not on live tunnels |
|
||||
|
||||
---
|
||||
|
||||
## 2. Deliverables since 2026-06-18
|
||||
|
||||
| Workplan | Deliverable | Status |
|
||||
| --- | --- | --- |
|
||||
| WP-0009 | flex-auth policy package confirmed; production registry + smoke | Archived |
|
||||
| WP-0010 | Access routing charter + pointer catalog | Archived 2026-06-24 |
|
||||
| WP-0011 | `warden route` CLI + catalog tests | Archived 2026-06-24 |
|
||||
| WP-0013 | Production integration closeout (playbooks, drift, archive) | Finished 2026-06-24 |
|
||||
| FLEX-WP-0006 | flex-auth policy package + handoff | flex-auth finished |
|
||||
| FLEX-WP-0007 | flex-auth production deploy (draft) | flex-auth proposed |
|
||||
|
||||
---
|
||||
|
||||
## 3. INTENT success criteria
|
||||
|
||||
| # | Criterion | Status | Evidence / gap |
|
||||
| --- | --- | --- | --- |
|
||||
| 1 | Worker knows which subsystem for each credential type | **Met** | `warden route`, catalog, wikis |
|
||||
| 2 | SSH access short-lived, inventoried, audited | **Met (prod)** | OpenBao sign + `signatures.log` |
|
||||
| 3 | ops-bridge integrates via stable `cert_command` | **Partial** | Contract shipped; tunnels static-key |
|
||||
| 4 | NetKingdom evolution reflected in docs | **Met** | NK cross-links, routing charter |
|
||||
| 5 | Non-SSH secrets stay out of ops-warden | **Met** | Pointer layer only |
|
||||
|
||||
**Score: 4 met, 1 partial** — partial is ops-bridge production adoption.
|
||||
|
||||
---
|
||||
|
||||
## 4. INTENT mission pillars
|
||||
|
||||
| Pillar | Status | Gap |
|
||||
| --- | --- | --- |
|
||||
| 1. Know NetKingdom security model | Strong | — |
|
||||
| 2. Route workers to correct subsystem | Strong | WP-0012 playbooks deepen scenarios |
|
||||
| 3. Align runbooks with canon | Strong | Reassessment + archive hygiene due |
|
||||
| 4. Issue short-lived SSH certs | **Production** | — |
|
||||
| 5. Audit SSH signing | Strong | Policy `policy_decision_id` when gate on |
|
||||
|
||||
---
|
||||
|
||||
## 5. Remaining gaps (prioritized)
|
||||
|
||||
| Prio | Gap | Owner | ops-warden action | Track |
|
||||
| --- | --- | --- | --- | --- |
|
||||
| **P1** | ops-bridge `cert_command` on production tunnels | ops-bridge + ops-warden | Migration playbook + pilot evidence | **WARDEN-WP-0013** T3 |
|
||||
| **P2** | Operator token hygiene (root → scoped `warden-sign`) | Operator + ops-warden | Runbook in wiki | **WARDEN-WP-0013** T4 |
|
||||
| **P3** | Principals drift (inventory ↔ railiance-infra) | ops-warden + infra | Drift check doc/script | **WARDEN-WP-0013** T5 |
|
||||
| **P4** | Routing scenario playbooks incomplete | ops-warden | Expand catalog + wiki playbooks | **WARDEN-WP-0012** (ready) |
|
||||
| **P5** | flex-auth production runtime | flex-auth | Coordinate; operator flip checklist | **FLEX-WP-0007** + WP-0013 T6 |
|
||||
| **P6** | Vault-backed policy gate joint smoke | flex-auth + operator | Run when `VAULT_TOKEN` valid | FLEX-WP-0007 T4 |
|
||||
| **P7** | Archive hygiene (WP-0010, WP-0011) | ops-warden | Move to `workplans/archived/` | **WARDEN-WP-0013** T2 |
|
||||
| **P8** | NK-WP-0009 joint SSH tutorial | net-kingdom | Coordinate only | Parallel |
|
||||
| **P9** | Policy v2.1 identity claims for `adm` | ops-warden + flex-auth | Design only | Future |
|
||||
|
||||
---
|
||||
|
||||
## 6. Workplan recommendation
|
||||
|
||||
**WARDEN-WP-0013 — Production Integration & Stewardship Closeout** (new):
|
||||
|
||||
- T1: This reassessment + SCOPE refresh
|
||||
- T2: Archive WP-0010 and WP-0011
|
||||
- T3: ops-bridge `cert_command` migration playbook (pilot `agt-state-hub-bridge`)
|
||||
- T4: Operator OpenBao token hygiene runbook
|
||||
- T5: Principals inventory drift check
|
||||
- T6: Policy gate production enablement checklist (coordinate FLEX-WP-0007)
|
||||
|
||||
**WARDEN-WP-0012 — Routing Scenario Playbooks** (promote `backlog` → `ready`):
|
||||
|
||||
- Dependencies WP-0010/0011 shipped; start when bandwidth allows
|
||||
- Complements WP-0013 (routing depth vs SSH integration closeout)
|
||||
|
||||
**Out of scope for new ops-warden WPs:**
|
||||
|
||||
- flex-auth runtime deployment (FLEX-WP-0007)
|
||||
- ops-bridge tunnel config changes (ops-bridge executes; ops-warden documents)
|
||||
|
||||
---
|
||||
|
||||
## 7. Maturity target (post WP-0013 + WP-0012)
|
||||
|
||||
| Dimension | Target | Unlock |
|
||||
| --- | --- | --- |
|
||||
| C4 → C4+ | cert_command pilot documented | WP-0013 T3 |
|
||||
| R3 → R4 | Live tunnel uses warden-signed cert | ops-bridge + WP-0013 evidence |
|
||||
| D5 | More active catalog playbooks | WP-0012 |
|
||||
|
||||
---
|
||||
|
||||
## See also
|
||||
|
||||
- `workplans/WARDEN-WP-0013-production-integration-and-stewardship-closeout.md`
|
||||
- `workplans/WARDEN-WP-0012-routing-scenario-playbooks.md`
|
||||
- `SCOPE.md`
|
||||
@@ -0,0 +1,33 @@
|
||||
# ops-bridge cert_command Pilot — Coordination Note
|
||||
|
||||
**Date:** 2026-06-24
|
||||
**Workplan:** WARDEN-WP-0013 T3
|
||||
**Playbook:** `wiki/playbooks/ops-bridge-tunnel-cert.md`
|
||||
|
||||
## Status
|
||||
|
||||
ops-warden shipped the migration playbook and upgraded catalog entry `ops-bridge-tunnel`.
|
||||
Pilot tunnel **`agt-state-hub-bridge`** is documented with actor, key paths, and
|
||||
`cert_command` string.
|
||||
|
||||
**Execution owner:** ops-bridge (tunnel config in `~/.config/bridge/tunnels.yaml`).
|
||||
|
||||
## Request to ops-bridge
|
||||
|
||||
Apply `cert_command` to the `state-hub-coulombcore` tunnel per the playbook migration
|
||||
checklist. ops-warden will record smoke evidence in `history/` when the pilot completes
|
||||
(non-secret: tunnel up/down, cert re-issue after TTL).
|
||||
|
||||
## Pre-requisites (operator)
|
||||
|
||||
- Scoped `VAULT_TOKEN` for production OpenBao sign (`wiki/playbooks/operator-openbao-token-hygiene.md`)
|
||||
- `warden sign agt-state-hub-bridge` succeeds before tunnel config change
|
||||
|
||||
## Evidence pending
|
||||
|
||||
| Check | Status |
|
||||
| --- | --- |
|
||||
| Playbook on file | Done |
|
||||
| Catalog `wiki_ref` | Done |
|
||||
| ops-bridge tunnel config updated | Pending |
|
||||
| `bridge up` smoke | Pending |
|
||||
Reference in New Issue
Block a user