generated from coulomb/repo-seed
feat: close WP-0009/WP-0013 production integration stewardship strand
Ship flex-auth policy gate registry and smoke evidence, archive WP-0009 through WP-0013, and add integration docs: ops-bridge cert_command migration playbook, operator OpenBao token hygiene, principals drift check script, and 2026-06-24 INTENT/SCOPE gap analysis.
This commit is contained in:
@@ -0,0 +1,95 @@
|
||||
---
|
||||
id: WARDEN-WP-0009
|
||||
type: workplan
|
||||
title: "flex-auth Policy Gate Production Readiness"
|
||||
domain: infotech
|
||||
repo: ops-warden
|
||||
status: archived
|
||||
owner: codex
|
||||
topic_slug: custodian
|
||||
planning_priority: low
|
||||
planning_order: 9
|
||||
created: "2026-06-18"
|
||||
updated: "2026-06-23"
|
||||
state_hub_workstream_id: "9213b262-e2f5-480e-a5bc-56635d5eb4c9"
|
||||
---
|
||||
|
||||
# WARDEN-WP-0009 — flex-auth Policy Gate Production Readiness
|
||||
|
||||
**Scope:** Enable and verify the opt-in flex-auth pre-sign gate (`policy.enabled`)
|
||||
in production after flex-auth publishes `ssh-certificate` resource policies.
|
||||
|
||||
**Out of scope:** flex-auth policy package authoring (flex-auth owner — delivered
|
||||
FLEX-WP-0006 2026-06-23); OpenBao SSH engine and host CA (complete — NET-WP-0020
|
||||
T5 / WP-0008 T2); in-cluster flex-auth deployment (continued in flex-auth
|
||||
`FLEX-WP-0007`).
|
||||
|
||||
**Spun out from:** WARDEN-WP-0008 T5 (2026-06-18 closeout).
|
||||
|
||||
---
|
||||
|
||||
## Tasks
|
||||
|
||||
### T1 — flex-auth policy package confirmation
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0009-T01
|
||||
status: done
|
||||
priority: medium
|
||||
state_hub_task_id: "f988ed2e-0f63-4e89-abc4-183a7f23ddc2"
|
||||
```
|
||||
|
||||
- [x] Confirm flex-auth policies for resource type `ssh-certificate` exist
|
||||
- [x] Document tenant/subject bindings for `adm` / `agt` / `atm` sign paths
|
||||
- [x] Coordinate with flex-auth owner on deny/allow test fixtures
|
||||
|
||||
### T2 — Production enablement and smoke
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0009-T02
|
||||
status: done
|
||||
priority: medium
|
||||
state_hub_task_id: "9d0fabc2-10ef-426d-a3d2-d4970d377029"
|
||||
```
|
||||
|
||||
- [x] Document operator steps to set `policy.enabled: true` (see `wiki/PolicyGatedSigning.md`)
|
||||
- [x] Local smoke — allow/deny paths with `policy_decision_id` / `ttl_out_of_bounds`
|
||||
- [x] Production registry slice from inventory (`registry/flex-auth/production_registry_snapshot.json`)
|
||||
- [x] Production registry smoke — allow `agt-state-hub-bridge` (`decision:032b096c433ad80c`)
|
||||
- [x] Production registry smoke — deny `--ttl 999` (`ttl_out_of_bounds`)
|
||||
|
||||
---
|
||||
|
||||
## Deliverables
|
||||
|
||||
| Artifact | Path |
|
||||
| --- | --- |
|
||||
| Registry builder | `scripts/build_flex_auth_registry.py` |
|
||||
| Production registry | `registry/flex-auth/production_registry_snapshot.json` |
|
||||
| Smoke runner | `scripts/policy_gate_production_smoke.sh` |
|
||||
| Local smoke evidence | `history/2026-06-23-flex-auth-policy-gate-local-smoke.md` |
|
||||
| Production smoke evidence | `history/2026-06-23-flex-auth-policy-gate-production-smoke.md` |
|
||||
| flex-auth pickup brief | `history/2026-06-23-flex-auth-production-pickup-suggestion.md` |
|
||||
|
||||
---
|
||||
|
||||
## Closeout (2026-06-23)
|
||||
|
||||
T1–T2 complete. ops-warden caller side and production-registry smoke verified.
|
||||
Production `policy.enabled: true` flip deferred until flex-auth runtime is
|
||||
reachable — tracked in flex-auth `FLEX-WP-0007`, not this workplan.
|
||||
|
||||
**Operator follow-up (FLEX-WP-0007):**
|
||||
|
||||
- Deploy registry + policy package to in-cluster flex-auth; set `policy.flex_auth_url`
|
||||
- Refresh scoped `VAULT_TOKEN` and run `SMOKE_VAULT=1 ./scripts/policy_gate_production_smoke.sh`
|
||||
- Set `policy.enabled: true` in `~/.config/warden/warden.yaml` when flex-auth is reachable
|
||||
|
||||
---
|
||||
|
||||
## See also
|
||||
|
||||
- `wiki/PolicyGatedSigning.md`
|
||||
- `~/flex-auth/docs/ops-warden-policy-gate-handoff.md`
|
||||
- `~/flex-auth/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md`
|
||||
- `examples/warden.production.example.yaml`
|
||||
@@ -0,0 +1,176 @@
|
||||
---
|
||||
id: WARDEN-WP-0010
|
||||
type: workplan
|
||||
title: "Access Routing — Charter and Pointer Catalog"
|
||||
domain: infotech
|
||||
repo: ops-warden
|
||||
status: archived
|
||||
owner: codex
|
||||
topic_slug: custodian
|
||||
planning_priority: high
|
||||
planning_order: 10
|
||||
created: "2026-06-18"
|
||||
updated: "2026-06-24"
|
||||
state_hub_workstream_id: "e93de9fd-0192-4d02-bb7c-5e859fb76b9b"
|
||||
---
|
||||
|
||||
# WARDEN-WP-0010 — Access Routing — Charter and Pointer Catalog
|
||||
|
||||
**Scope:** Sharpen the existing steward framing so it cannot be misread as a desk
|
||||
API that wraps every subsystem. ops-warden **issues SSH certificates** and
|
||||
**points workers to the owning subsystem** for everything else. This workplan
|
||||
updates INTENT/SCOPE wording and adds a machine-readable routing catalog that is
|
||||
a **pointer layer**, not a second copy of NetKingdom canon.
|
||||
|
||||
**Not a new security lane.** This is wording + a thin lookup surface. SSH issuance
|
||||
remains the only thing ops-warden executes. Maturity moves Availability A3 → A4
|
||||
(structured lookup for agents); Completeness and Reliability for SSH are unchanged.
|
||||
|
||||
**Out of scope:** Secret-vending, OIDC, policy PDP, tunnel, or host-hardening code
|
||||
in this repo; flex-auth policy packages (WARDEN-WP-0009); any universal broker.
|
||||
|
||||
**Depends on:** WARDEN-WP-0006 stewardship canon (routing wiki, security map) — shipped.
|
||||
|
||||
**Feeds:** WARDEN-WP-0011 (routing CLI over the catalog).
|
||||
|
||||
---
|
||||
|
||||
## Principles (target)
|
||||
|
||||
1. **Point, don't proxy** — Name the owner and the doc; do not wrap a foreign API
|
||||
unless the answer is an SSH certificate.
|
||||
2. **Direct interaction** — Workers (humans, agents, CI, operators) call OpenBao,
|
||||
key-cape, flex-auth, ops-bridge, and railiance repos themselves.
|
||||
3. **One source of truth** — Routing procedure for non-SSH needs lives in the wiki
|
||||
(aligned to net-kingdom canon) and upstream canon, **not** restated in the
|
||||
catalog. The catalog carries identifiers and pointers only. ops-warden authors
|
||||
procedure for exactly one lane: SSH certificate issuance, which it owns.
|
||||
4. **Same truth, two shapes** — Humans read the wiki; agents read the catalog. The
|
||||
catalog references wiki sections by anchor so they cannot drift apart.
|
||||
|
||||
---
|
||||
|
||||
## No-double-source rule (binding on T3)
|
||||
|
||||
The catalog must not contain step-by-step procedure for any subsystem ops-warden
|
||||
does not own. For non-SSH scenarios an entry carries:
|
||||
|
||||
- `owner_repo`, `subsystem` — who to talk to
|
||||
- `wiki_ref` — anchor into an in-repo wiki section (the authoritative restatement)
|
||||
- `canon_ref` — upstream net-kingdom doc the wiki section tracks
|
||||
- `need_keywords`, `title`, `id` — lookup metadata
|
||||
- `warden_executes: false`
|
||||
|
||||
Only `warden_executes: true` (SSH) entries may carry an authored `steps` block and
|
||||
the `cert_command` pattern — because that is the lane ops-warden owns. A CI test
|
||||
(WP-0011 T5) enforces this structurally: non-SSH entries with a `steps` block fail.
|
||||
|
||||
---
|
||||
|
||||
## Tasks
|
||||
|
||||
### T1 — INTENT wording
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0010-T01
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "589081a6-d1f5-47b4-bec0-e82d9c3444f4"
|
||||
```
|
||||
|
||||
- [x] `INTENT.md` — keep "operational access steward"; replaced the "operational
|
||||
access **desk**" phrasing with plain "issues SSH certs and routes everything
|
||||
else to its owner." Removed metaphors implying a wrapping service.
|
||||
- [x] Non-goals: added "duplicating or restating another subsystem's procedure."
|
||||
- [x] Cross-linked this workplan from the assessment note.
|
||||
|
||||
> SCOPE.md (A3 → A4 plain statement + "issue vs route" table) is handled as a
|
||||
> deliberate manual step **after** the loop retires, not as a ralph task.
|
||||
|
||||
### T2 — Routing-role wiki page
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0010-T02
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "9ac333f7-5fc4-4fa2-82f3-d5ece8ff0d92"
|
||||
```
|
||||
|
||||
- [x] Create `wiki/AccessRouting.md` — what ops-warden answers (where + who owns
|
||||
it), what it executes (SSH only), anti-patterns (no `warden secret`,
|
||||
`warden login`, `warden policy`), and audience notes.
|
||||
- [x] Include the **issue-vs-route** matrix (subsystem × ops-warden role × who acts).
|
||||
- [x] Link from README, `CredentialRouting.md`, `NetKingdomSecurityMap.md`.
|
||||
|
||||
### T3 — Pointer catalog schema + seed
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0010-T03
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "59e0f480-694a-482a-b35e-b7bc4930aa41"
|
||||
```
|
||||
|
||||
- [x] Define `registry/routing/catalog.yaml` per the **No-double-source rule** above:
|
||||
`id`, `title`, `need_keywords`, `owner_repo`, `subsystem`, `warden_executes`,
|
||||
`wiki_ref`, `canon_ref`, `reviewed` (date), `status` (active|draft); plus
|
||||
`steps` + `cert_command` **only** when `warden_executes: true`.
|
||||
- [x] Seed from existing WP-0006 scenarios: SSH cert (executes), OpenBao API key,
|
||||
flex-auth policy, key-cape OIDC, ops-bridge tunnel, railiance-infra principals.
|
||||
- [x] Add `issue-core-ingestion-api-key` as `status: draft` (owner path TBD by
|
||||
railiance-platform) — draft entries are not surfaced by default lookup.
|
||||
- [x] Validated: 6 active + 1 draft, no non-SSH `steps`, every `wiki_ref` anchor resolves.
|
||||
|
||||
### T4 — Routing index in CredentialRouting.md
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0010-T04
|
||||
status: done
|
||||
priority: medium
|
||||
state_hub_task_id: "aabd28c0-db2d-4267-be98-95be272c687d"
|
||||
```
|
||||
|
||||
- [x] Add a playbook index table to `wiki/CredentialRouting.md` keyed to catalog `id`.
|
||||
- [x] Add "what ops-warden answers vs what the worker does next on the owner system"
|
||||
examples — without restating the owner's procedure.
|
||||
- [x] Refresh the duplicate-interface anti-examples section (points at canonical
|
||||
anti-pattern table; not restated).
|
||||
|
||||
### T5 — Registry and repo-boundary alignment
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0010-T05
|
||||
status: done
|
||||
priority: medium
|
||||
state_hub_task_id: "3335a689-922c-4319-98d0-4263ab13790b"
|
||||
```
|
||||
|
||||
- [x] Update `registry/capabilities/capability.security.ssh-certificate-issuance.md`
|
||||
— note routing lookup in discovery; target availability notes the routing CLI.
|
||||
- [x] Update `.claude/rules/repo-boundary.md` and `AGENTS.md` one-liner (no new
|
||||
metaphor — "issues SSH certs; routes other credential needs to their owner").
|
||||
- [x] Extend the existing capability entry rather than minting a second capability.
|
||||
|
||||
---
|
||||
|
||||
## Acceptance
|
||||
|
||||
- A reader of INTENT + `wiki/AccessRouting.md` understands ops-warden **issues** SSH
|
||||
certs and **routes** everything else, with no implication it proxies any API.
|
||||
- `registry/routing/catalog.yaml` exists with ≥6 active scenarios; every non-SSH
|
||||
entry has `wiki_ref` + `canon_ref` and **no** authored `steps`.
|
||||
- No new secret-storage or foreign-API code.
|
||||
|
||||
---
|
||||
|
||||
## See also
|
||||
|
||||
- `INTENT.md` · `SCOPE.md`
|
||||
- `history/2026-06-18-access-routing-intent-shift-assessment.md` — decision record
|
||||
- `WARDEN-WP-0011` — routing CLI
|
||||
- `WARDEN-WP-0012` — scenario playbook expansion (backlog)
|
||||
---
|
||||
|
||||
## Closeout (2026-06-24)
|
||||
|
||||
Archived during WARDEN-WP-0013 T2. All tasks complete.
|
||||
161
workplans/archived/260624-WARDEN-WP-0011-routing-guide-cli.md
Normal file
161
workplans/archived/260624-WARDEN-WP-0011-routing-guide-cli.md
Normal file
@@ -0,0 +1,161 @@
|
||||
---
|
||||
id: WARDEN-WP-0011
|
||||
type: workplan
|
||||
title: "Routing Lookup CLI"
|
||||
domain: infotech
|
||||
repo: ops-warden
|
||||
status: archived
|
||||
owner: codex
|
||||
topic_slug: custodian
|
||||
planning_priority: high
|
||||
planning_order: 11
|
||||
created: "2026-06-18"
|
||||
updated: "2026-06-24"
|
||||
state_hub_workstream_id: "0a520f8e-01b4-48f1-9af3-2f3f69fd0672"
|
||||
---
|
||||
|
||||
# WARDEN-WP-0011 — Routing Lookup CLI
|
||||
|
||||
**Scope:** A `warden route` command group that reads the pointer catalog and tells
|
||||
a worker which subsystem owns a need, what the prerequisites are, and which
|
||||
wiki/canon doc to follow **on that system**. ops-warden does not call OpenBao,
|
||||
flex-auth, or key-cape on the worker's behalf.
|
||||
|
||||
**Out of scope:** HTTP API; live probes against any subsystem; secret generation or
|
||||
retrieval; a separate health/precondition command (see "Dropped" below); replacing
|
||||
subsystem CLIs.
|
||||
|
||||
**Depends on:** WARDEN-WP-0010 T3 (catalog schema + seed).
|
||||
|
||||
**Unlocks:** Agents run `warden route show <id> --json` instead of re-deriving
|
||||
routing from wiki prose each session.
|
||||
|
||||
---
|
||||
|
||||
## Target CLI
|
||||
|
||||
```text
|
||||
warden route list [--json] [--tag <tag>]
|
||||
warden route show <id> [--json]
|
||||
warden route find <query> [--json] # keyword match against need_keywords
|
||||
```
|
||||
|
||||
`list`/`find` show only `status: active` entries by default (`--all` includes draft).
|
||||
|
||||
### Behaviour
|
||||
|
||||
| Command | Does | Does not |
|
||||
| --- | --- | --- |
|
||||
| `list` / `show` | Return owner, wiki/canon pointers, `warden_executes`, anti-patterns | Return secret material |
|
||||
| `find` | Rank scenarios by keyword overlap | Invoke any external API |
|
||||
|
||||
When `warden_executes: true` (SSH), `show` appends the catalog's authored `steps`
|
||||
and the `warden sign` / `cert_command` pattern, plus a local precondition hint
|
||||
("actor in inventory? backend configured? run `warden status`"). For all other
|
||||
scenarios `show` ends with **"next action on `<owner_repo>` — see `<wiki_ref>`"**
|
||||
and never implies warden performed anything.
|
||||
|
||||
### Dropped: separate `check` command
|
||||
|
||||
The earlier draft had `warden coach check`. Cut. For SSH, `warden status` already
|
||||
covers local preconditions; duplicating it invites scope creep toward probing
|
||||
foreign subsystems. SSH precondition hints live inside `show` instead.
|
||||
|
||||
---
|
||||
|
||||
## Tasks
|
||||
|
||||
### T1 — Catalog loader and models
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0011-T01
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "55b8422c-ad3c-4084-9e00-acaa4c360906"
|
||||
```
|
||||
|
||||
- [x] Add `src/warden/routing/` package: `models.py`, `catalog.py`.
|
||||
- [x] Load and validate `registry/routing/catalog.yaml`.
|
||||
- [x] Enforce the no-double-source rule: non-SSH entries with a `steps` block are a
|
||||
validation error. Clear errors for missing file, schema violations, dup `id`.
|
||||
|
||||
### T2 — `warden route list` and `show`
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0011-T02
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "60b679c5-79bd-4186-b5a6-ac576931f06c"
|
||||
```
|
||||
|
||||
- [x] Register `route` Typer sub-app on the main CLI.
|
||||
- [x] `list` — Rich table + `--json` array of summaries; active-only unless `--all`.
|
||||
- [x] `show` — owner, prerequisites, pointers (`wiki_ref`, `canon_ref`),
|
||||
`warden_executes`, anti-patterns; SSH entries also append `steps` + cert pattern.
|
||||
- [x] Exit 1 with a `find` hint when `show` id is unknown.
|
||||
|
||||
### T3 — `warden route find`
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0011-T03
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "d307701f-0117-44f0-80fd-ca6f7ae06f42"
|
||||
```
|
||||
|
||||
- [x] Tokenize query; match against `need_keywords`, `title`, `id`.
|
||||
- [x] Rank, show top matches (default 5); `--json` for agents.
|
||||
- [x] Fixtures: "issue core api key", "ssh tunnel", "openrouter key".
|
||||
|
||||
### T4 — Tests
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0011-T04
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "00a76e0f-8ab6-4f9a-ac6a-00eae633342c"
|
||||
```
|
||||
|
||||
- [x] `tests/test_routing.py` — catalog load, no-double-source validation rejects a
|
||||
non-SSH `steps` block, find ranking, show JSON shape, SSH `show` includes cert
|
||||
pattern.
|
||||
- [x] No integration test requires a live subsystem.
|
||||
|
||||
### T5 — Doc consistency + drift guard
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0011-T05
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "bf848375-eca7-4116-bb1d-fb7df6395c70"
|
||||
```
|
||||
|
||||
- [x] CI/test: every `wiki_ref` anchor resolves to an existing in-repo wiki section;
|
||||
every entry has a `reviewed` date.
|
||||
- [x] `wiki/AccessRouting.md` — CLI section with agent-oriented examples.
|
||||
- [x] README — `warden route --help` quick reference.
|
||||
- [x] Bump SCOPE availability note A3 → A4 on ship.
|
||||
|
||||
---
|
||||
|
||||
## Acceptance
|
||||
|
||||
- `uv run warden route find "issue core api key"` returns the draft scenario only
|
||||
with `--all`, and never a generated key.
|
||||
- `uv run warden route show ssh-cert-host-access --json` includes
|
||||
`warden_executes: true` and the cert_command pattern.
|
||||
- A non-SSH catalog entry carrying a `steps` block fails `test_routing.py`.
|
||||
- `uv run pytest tests/test_routing.py` passes with no live-subsystem dependency.
|
||||
|
||||
---
|
||||
|
||||
## See also
|
||||
|
||||
- `WARDEN-WP-0010` — charter and catalog schema
|
||||
- `WARDEN-WP-0012` — expanded per-scenario playbooks
|
||||
- `history/2026-06-17-intent-scope-assessment.md` — prior `warden guide` proposal (P4)
|
||||
---
|
||||
|
||||
## Closeout (2026-06-24)
|
||||
|
||||
Archived during WARDEN-WP-0013 T2. All tasks complete.
|
||||
@@ -0,0 +1,202 @@
|
||||
---
|
||||
id: WARDEN-WP-0013
|
||||
type: workplan
|
||||
title: "Production Integration & Stewardship Closeout"
|
||||
domain: infotech
|
||||
repo: ops-warden
|
||||
status: archived
|
||||
owner: codex
|
||||
topic_slug: custodian
|
||||
planning_priority: high
|
||||
planning_order: 13
|
||||
depends_on_workplans:
|
||||
- WARDEN-WP-0008
|
||||
- WARDEN-WP-0009
|
||||
- WARDEN-WP-0010
|
||||
- WARDEN-WP-0011
|
||||
related_workplans:
|
||||
- WARDEN-WP-0012
|
||||
- FLEX-WP-0007
|
||||
created: "2026-06-24"
|
||||
updated: "2026-06-24"
|
||||
state_hub_workstream_id: "4678c41a-c1d0-48cd-9988-4ea0380e8258"
|
||||
---
|
||||
|
||||
# WARDEN-WP-0013 — Production Integration & Stewardship Closeout
|
||||
|
||||
## Purpose
|
||||
|
||||
Close the remaining **ops-warden-owned** gaps after policy gate and routing shipped:
|
||||
refresh INTENT/SCOPE canon, archive finished workplans, document ops-bridge
|
||||
`cert_command` migration, operator OpenBao token hygiene, principals drift checks,
|
||||
and the policy-gate production flip checklist.
|
||||
|
||||
This workplan addresses the deferred **Production SSH Integration Closeout** strand
|
||||
from `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` §6, updated for
|
||||
post-WP-0009 state.
|
||||
|
||||
**Gap analysis:** `history/2026-06-24-intent-scope-gap-analysis.md`
|
||||
|
||||
## Scope
|
||||
|
||||
- Post-WP-0009 reassessment and SCOPE alignment
|
||||
- Archive hygiene for WP-0010 and WP-0011
|
||||
- ops-bridge `cert_command` migration documentation (pilot `agt-state-hub-bridge`)
|
||||
- Operator runbook for scoped OpenBao tokens (no root in `VAULT_TOKEN`)
|
||||
- Principals drift check between warden inventory and railiance-infra
|
||||
- Policy gate production enablement checklist (coordinate FLEX-WP-0007)
|
||||
|
||||
## Out of scope
|
||||
|
||||
- flex-auth runtime deployment (flex-auth **FLEX-WP-0007**)
|
||||
- ops-bridge tunnel config changes in the ops-bridge repo (coordinate only)
|
||||
- Routing scenario playbook expansion (**WARDEN-WP-0012** — parallel track)
|
||||
- OpenBao cluster deploy, flex-auth policy authoring, NK-WP-0009 tutorial
|
||||
- Implementing secret vending or foreign API proxies
|
||||
|
||||
## Ownership boundary
|
||||
|
||||
| Concern | Owner |
|
||||
| --- | --- |
|
||||
| cert_command migration playbook | ops-warden (doc); ops-bridge (tunnel config) |
|
||||
| OpenBao token hygiene runbook | ops-warden (doc); operator (execution) |
|
||||
| Principals drift | ops-warden (check doc/script); railiance-infra (host deploy) |
|
||||
| `policy.enabled: true` flip | operator (after FLEX-WP-0007) |
|
||||
|
||||
---
|
||||
|
||||
## T1 — Post-gap reassessment and SCOPE refresh
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0013-T01
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "de46f9a2-bf11-4651-a23c-430c63f396c8"
|
||||
```
|
||||
|
||||
- [x] Write `history/2026-06-24-intent-scope-gap-analysis.md`
|
||||
- [x] Update `SCOPE.md` active workplan table (WP-0013, WP-0012 ready)
|
||||
- [x] Note maturity vector and partial INTENT criterion (ops-bridge) in SCOPE
|
||||
|
||||
**Acceptance:** Gap analysis on file; SCOPE reflects 2026-06-24 repo state.
|
||||
|
||||
---
|
||||
|
||||
## T2 — Archive hygiene (WP-0010, WP-0011)
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0013-T02
|
||||
status: done
|
||||
priority: medium
|
||||
state_hub_task_id: "1b35321d-63ad-40da-a1aa-0b66190a0733"
|
||||
```
|
||||
|
||||
- [x] Move `WARDEN-WP-0010-access-routing-charter.md` to
|
||||
`workplans/archived/260624-WARDEN-WP-0010-access-routing-charter.md`
|
||||
- [x] Move `WARDEN-WP-0011-routing-guide-cli.md` to
|
||||
`workplans/archived/260624-WARDEN-WP-0011-routing-guide-cli.md`
|
||||
- [x] Set frontmatter `status: archived` on both; add closeout notes
|
||||
- [x] Operator runs `make fix-consistency REPO=ops-warden` from `~/state-hub`
|
||||
|
||||
**Acceptance:** Only WP-0012 (ready) and WP-0013 (active when started) remain in
|
||||
`workplans/` root; hub synced.
|
||||
|
||||
---
|
||||
|
||||
## T3 — ops-bridge cert_command migration playbook
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0013-T03
|
||||
status: done
|
||||
priority: high
|
||||
state_hub_task_id: "ad8588b2-9ae9-4f94-bd77-8025851a38f5"
|
||||
```
|
||||
|
||||
- [x] Write `wiki/playbooks/ops-bridge-tunnel-cert.md` — static-key → `cert_command`
|
||||
migration checklist for tunnel configs
|
||||
- [x] Document pilot tunnel `agt-state-hub-bridge`: actor, pubkey path, cert_command
|
||||
string, inventory prerequisites
|
||||
- [x] Upgrade catalog entry `ops-bridge-tunnel` `wiki_ref` to the new playbook
|
||||
- [x] Coordinate with ops-bridge owner for pilot tunnel config change (State Hub message)
|
||||
- [ ] Record non-secret smoke evidence when pilot completes (`history/` entry — pending ops-bridge)
|
||||
|
||||
**Acceptance:** Playbook exists; catalog points at it; pilot steps documented even
|
||||
if ops-bridge execution is pending.
|
||||
|
||||
**Unlocks:** INTENT success criterion #3 moves from partial toward met.
|
||||
|
||||
---
|
||||
|
||||
## T4 — Operator OpenBao token hygiene runbook
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0013-T04
|
||||
status: done
|
||||
priority: medium
|
||||
state_hub_task_id: "5cb35829-32eb-4d59-97a1-f4d92ce8e239"
|
||||
```
|
||||
|
||||
- [x] Add `wiki/playbooks/operator-openbao-token-hygiene.md` covering scoped tokens,
|
||||
`VAULT_TOKEN` session pattern, OIDC route, HTTP 403 recovery
|
||||
- [x] Cross-link from `wiki/OpsWardenConfig.md` and production example yaml
|
||||
|
||||
**Acceptance:** Operator can follow runbook without asking ops-warden for token values.
|
||||
|
||||
---
|
||||
|
||||
## T5 — Principals inventory drift check
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0013-T05
|
||||
status: done
|
||||
priority: medium
|
||||
state_hub_task_id: "4025cd32-89f8-42c3-b1e8-eaf78497d91f"
|
||||
```
|
||||
|
||||
- [x] `scripts/check_principals_drift.py` compares inventory `hosts` vs
|
||||
`railiance-infra/ansible/inventory/ssh_principals.yaml`
|
||||
- [x] Script notes flex-auth registry regeneration via `build_flex_auth_registry.py`
|
||||
- [x] Tests in `tests/test_principals_drift.py`
|
||||
|
||||
**Acceptance:** Drift check runnable or documented; no secret material in script output.
|
||||
|
||||
---
|
||||
|
||||
## T6 — Policy gate production enablement checklist
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0013-T06
|
||||
status: done
|
||||
priority: medium
|
||||
state_hub_task_id: "51663f65-79cb-4108-87c8-9721f9476259"
|
||||
```
|
||||
|
||||
- [x] Operator checklist in `wiki/PolicyGatedSigning.md` § Production rollout
|
||||
- [x] Cross-link FLEX-WP-0007 and pickup brief
|
||||
- [x] Explicit: keep `policy.enabled: false` until flex-auth reachable
|
||||
|
||||
**Acceptance:** Operator checklist is sequential and references cross-repo owners;
|
||||
no ops-warden code changes required for flex-auth deploy.
|
||||
|
||||
---
|
||||
|
||||
## Exit criteria
|
||||
|
||||
- Gap analysis and SCOPE current
|
||||
- WP-0010 and WP-0011 archived
|
||||
- ops-bridge cert_command playbook + catalog upgrade
|
||||
- Operator token hygiene runbook
|
||||
- Principals drift procedure
|
||||
- Policy gate production flip checklist (coordinate FLEX-WP-0007)
|
||||
|
||||
## Parallel track
|
||||
|
||||
**WARDEN-WP-0012** (routing scenario playbooks) — promoted to `ready`; start when
|
||||
P1 integration doc bandwidth allows or in parallel if staffed.
|
||||
|
||||
## See also
|
||||
|
||||
- `history/2026-06-24-intent-scope-gap-analysis.md`
|
||||
- `history/2026-06-18-post-wp0008-intent-scope-reassessment.md`
|
||||
- `wiki/CertCommandInterface.md`
|
||||
- `~/flex-auth/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md`
|
||||
Reference in New Issue
Block a user