feat: close WP-0009/WP-0013 production integration stewardship strand

Ship flex-auth policy gate registry and smoke evidence, archive WP-0009
through WP-0013, and add integration docs: ops-bridge cert_command
migration playbook, operator OpenBao token hygiene, principals drift
check script, and 2026-06-24 INTENT/SCOPE gap analysis.
This commit is contained in:
2026-06-24 12:44:32 +02:00
parent 1778b169da
commit 90007c2cda
24 changed files with 2192 additions and 121 deletions

View File

@@ -0,0 +1,95 @@
---
id: WARDEN-WP-0009
type: workplan
title: "flex-auth Policy Gate Production Readiness"
domain: infotech
repo: ops-warden
status: archived
owner: codex
topic_slug: custodian
planning_priority: low
planning_order: 9
created: "2026-06-18"
updated: "2026-06-23"
state_hub_workstream_id: "9213b262-e2f5-480e-a5bc-56635d5eb4c9"
---
# WARDEN-WP-0009 — flex-auth Policy Gate Production Readiness
**Scope:** Enable and verify the opt-in flex-auth pre-sign gate (`policy.enabled`)
in production after flex-auth publishes `ssh-certificate` resource policies.
**Out of scope:** flex-auth policy package authoring (flex-auth owner — delivered
FLEX-WP-0006 2026-06-23); OpenBao SSH engine and host CA (complete — NET-WP-0020
T5 / WP-0008 T2); in-cluster flex-auth deployment (continued in flex-auth
`FLEX-WP-0007`).
**Spun out from:** WARDEN-WP-0008 T5 (2026-06-18 closeout).
---
## Tasks
### T1 — flex-auth policy package confirmation
```task
id: WARDEN-WP-0009-T01
status: done
priority: medium
state_hub_task_id: "f988ed2e-0f63-4e89-abc4-183a7f23ddc2"
```
- [x] Confirm flex-auth policies for resource type `ssh-certificate` exist
- [x] Document tenant/subject bindings for `adm` / `agt` / `atm` sign paths
- [x] Coordinate with flex-auth owner on deny/allow test fixtures
### T2 — Production enablement and smoke
```task
id: WARDEN-WP-0009-T02
status: done
priority: medium
state_hub_task_id: "9d0fabc2-10ef-426d-a3d2-d4970d377029"
```
- [x] Document operator steps to set `policy.enabled: true` (see `wiki/PolicyGatedSigning.md`)
- [x] Local smoke — allow/deny paths with `policy_decision_id` / `ttl_out_of_bounds`
- [x] Production registry slice from inventory (`registry/flex-auth/production_registry_snapshot.json`)
- [x] Production registry smoke — allow `agt-state-hub-bridge` (`decision:032b096c433ad80c`)
- [x] Production registry smoke — deny `--ttl 999` (`ttl_out_of_bounds`)
---
## Deliverables
| Artifact | Path |
| --- | --- |
| Registry builder | `scripts/build_flex_auth_registry.py` |
| Production registry | `registry/flex-auth/production_registry_snapshot.json` |
| Smoke runner | `scripts/policy_gate_production_smoke.sh` |
| Local smoke evidence | `history/2026-06-23-flex-auth-policy-gate-local-smoke.md` |
| Production smoke evidence | `history/2026-06-23-flex-auth-policy-gate-production-smoke.md` |
| flex-auth pickup brief | `history/2026-06-23-flex-auth-production-pickup-suggestion.md` |
---
## Closeout (2026-06-23)
T1T2 complete. ops-warden caller side and production-registry smoke verified.
Production `policy.enabled: true` flip deferred until flex-auth runtime is
reachable — tracked in flex-auth `FLEX-WP-0007`, not this workplan.
**Operator follow-up (FLEX-WP-0007):**
- Deploy registry + policy package to in-cluster flex-auth; set `policy.flex_auth_url`
- Refresh scoped `VAULT_TOKEN` and run `SMOKE_VAULT=1 ./scripts/policy_gate_production_smoke.sh`
- Set `policy.enabled: true` in `~/.config/warden/warden.yaml` when flex-auth is reachable
---
## See also
- `wiki/PolicyGatedSigning.md`
- `~/flex-auth/docs/ops-warden-policy-gate-handoff.md`
- `~/flex-auth/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md`
- `examples/warden.production.example.yaml`

View File

@@ -0,0 +1,176 @@
---
id: WARDEN-WP-0010
type: workplan
title: "Access Routing — Charter and Pointer Catalog"
domain: infotech
repo: ops-warden
status: archived
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 10
created: "2026-06-18"
updated: "2026-06-24"
state_hub_workstream_id: "e93de9fd-0192-4d02-bb7c-5e859fb76b9b"
---
# WARDEN-WP-0010 — Access Routing — Charter and Pointer Catalog
**Scope:** Sharpen the existing steward framing so it cannot be misread as a desk
API that wraps every subsystem. ops-warden **issues SSH certificates** and
**points workers to the owning subsystem** for everything else. This workplan
updates INTENT/SCOPE wording and adds a machine-readable routing catalog that is
a **pointer layer**, not a second copy of NetKingdom canon.
**Not a new security lane.** This is wording + a thin lookup surface. SSH issuance
remains the only thing ops-warden executes. Maturity moves Availability A3 → A4
(structured lookup for agents); Completeness and Reliability for SSH are unchanged.
**Out of scope:** Secret-vending, OIDC, policy PDP, tunnel, or host-hardening code
in this repo; flex-auth policy packages (WARDEN-WP-0009); any universal broker.
**Depends on:** WARDEN-WP-0006 stewardship canon (routing wiki, security map) — shipped.
**Feeds:** WARDEN-WP-0011 (routing CLI over the catalog).
---
## Principles (target)
1. **Point, don't proxy** — Name the owner and the doc; do not wrap a foreign API
unless the answer is an SSH certificate.
2. **Direct interaction** — Workers (humans, agents, CI, operators) call OpenBao,
key-cape, flex-auth, ops-bridge, and railiance repos themselves.
3. **One source of truth** — Routing procedure for non-SSH needs lives in the wiki
(aligned to net-kingdom canon) and upstream canon, **not** restated in the
catalog. The catalog carries identifiers and pointers only. ops-warden authors
procedure for exactly one lane: SSH certificate issuance, which it owns.
4. **Same truth, two shapes** — Humans read the wiki; agents read the catalog. The
catalog references wiki sections by anchor so they cannot drift apart.
---
## No-double-source rule (binding on T3)
The catalog must not contain step-by-step procedure for any subsystem ops-warden
does not own. For non-SSH scenarios an entry carries:
- `owner_repo`, `subsystem` — who to talk to
- `wiki_ref` — anchor into an in-repo wiki section (the authoritative restatement)
- `canon_ref` — upstream net-kingdom doc the wiki section tracks
- `need_keywords`, `title`, `id` — lookup metadata
- `warden_executes: false`
Only `warden_executes: true` (SSH) entries may carry an authored `steps` block and
the `cert_command` pattern — because that is the lane ops-warden owns. A CI test
(WP-0011 T5) enforces this structurally: non-SSH entries with a `steps` block fail.
---
## Tasks
### T1 — INTENT wording
```task
id: WARDEN-WP-0010-T01
status: done
priority: high
state_hub_task_id: "589081a6-d1f5-47b4-bec0-e82d9c3444f4"
```
- [x] `INTENT.md` — keep "operational access steward"; replaced the "operational
access **desk**" phrasing with plain "issues SSH certs and routes everything
else to its owner." Removed metaphors implying a wrapping service.
- [x] Non-goals: added "duplicating or restating another subsystem's procedure."
- [x] Cross-linked this workplan from the assessment note.
> SCOPE.md (A3 → A4 plain statement + "issue vs route" table) is handled as a
> deliberate manual step **after** the loop retires, not as a ralph task.
### T2 — Routing-role wiki page
```task
id: WARDEN-WP-0010-T02
status: done
priority: high
state_hub_task_id: "9ac333f7-5fc4-4fa2-82f3-d5ece8ff0d92"
```
- [x] Create `wiki/AccessRouting.md` — what ops-warden answers (where + who owns
it), what it executes (SSH only), anti-patterns (no `warden secret`,
`warden login`, `warden policy`), and audience notes.
- [x] Include the **issue-vs-route** matrix (subsystem × ops-warden role × who acts).
- [x] Link from README, `CredentialRouting.md`, `NetKingdomSecurityMap.md`.
### T3 — Pointer catalog schema + seed
```task
id: WARDEN-WP-0010-T03
status: done
priority: high
state_hub_task_id: "59e0f480-694a-482a-b35e-b7bc4930aa41"
```
- [x] Define `registry/routing/catalog.yaml` per the **No-double-source rule** above:
`id`, `title`, `need_keywords`, `owner_repo`, `subsystem`, `warden_executes`,
`wiki_ref`, `canon_ref`, `reviewed` (date), `status` (active|draft); plus
`steps` + `cert_command` **only** when `warden_executes: true`.
- [x] Seed from existing WP-0006 scenarios: SSH cert (executes), OpenBao API key,
flex-auth policy, key-cape OIDC, ops-bridge tunnel, railiance-infra principals.
- [x] Add `issue-core-ingestion-api-key` as `status: draft` (owner path TBD by
railiance-platform) — draft entries are not surfaced by default lookup.
- [x] Validated: 6 active + 1 draft, no non-SSH `steps`, every `wiki_ref` anchor resolves.
### T4 — Routing index in CredentialRouting.md
```task
id: WARDEN-WP-0010-T04
status: done
priority: medium
state_hub_task_id: "aabd28c0-db2d-4267-be98-95be272c687d"
```
- [x] Add a playbook index table to `wiki/CredentialRouting.md` keyed to catalog `id`.
- [x] Add "what ops-warden answers vs what the worker does next on the owner system"
examples — without restating the owner's procedure.
- [x] Refresh the duplicate-interface anti-examples section (points at canonical
anti-pattern table; not restated).
### T5 — Registry and repo-boundary alignment
```task
id: WARDEN-WP-0010-T05
status: done
priority: medium
state_hub_task_id: "3335a689-922c-4319-98d0-4263ab13790b"
```
- [x] Update `registry/capabilities/capability.security.ssh-certificate-issuance.md`
— note routing lookup in discovery; target availability notes the routing CLI.
- [x] Update `.claude/rules/repo-boundary.md` and `AGENTS.md` one-liner (no new
metaphor — "issues SSH certs; routes other credential needs to their owner").
- [x] Extend the existing capability entry rather than minting a second capability.
---
## Acceptance
- A reader of INTENT + `wiki/AccessRouting.md` understands ops-warden **issues** SSH
certs and **routes** everything else, with no implication it proxies any API.
- `registry/routing/catalog.yaml` exists with ≥6 active scenarios; every non-SSH
entry has `wiki_ref` + `canon_ref` and **no** authored `steps`.
- No new secret-storage or foreign-API code.
---
## See also
- `INTENT.md` · `SCOPE.md`
- `history/2026-06-18-access-routing-intent-shift-assessment.md` — decision record
- `WARDEN-WP-0011` — routing CLI
- `WARDEN-WP-0012` — scenario playbook expansion (backlog)
---
## Closeout (2026-06-24)
Archived during WARDEN-WP-0013 T2. All tasks complete.

View File

@@ -0,0 +1,161 @@
---
id: WARDEN-WP-0011
type: workplan
title: "Routing Lookup CLI"
domain: infotech
repo: ops-warden
status: archived
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 11
created: "2026-06-18"
updated: "2026-06-24"
state_hub_workstream_id: "0a520f8e-01b4-48f1-9af3-2f3f69fd0672"
---
# WARDEN-WP-0011 — Routing Lookup CLI
**Scope:** A `warden route` command group that reads the pointer catalog and tells
a worker which subsystem owns a need, what the prerequisites are, and which
wiki/canon doc to follow **on that system**. ops-warden does not call OpenBao,
flex-auth, or key-cape on the worker's behalf.
**Out of scope:** HTTP API; live probes against any subsystem; secret generation or
retrieval; a separate health/precondition command (see "Dropped" below); replacing
subsystem CLIs.
**Depends on:** WARDEN-WP-0010 T3 (catalog schema + seed).
**Unlocks:** Agents run `warden route show <id> --json` instead of re-deriving
routing from wiki prose each session.
---
## Target CLI
```text
warden route list [--json] [--tag <tag>]
warden route show <id> [--json]
warden route find <query> [--json] # keyword match against need_keywords
```
`list`/`find` show only `status: active` entries by default (`--all` includes draft).
### Behaviour
| Command | Does | Does not |
| --- | --- | --- |
| `list` / `show` | Return owner, wiki/canon pointers, `warden_executes`, anti-patterns | Return secret material |
| `find` | Rank scenarios by keyword overlap | Invoke any external API |
When `warden_executes: true` (SSH), `show` appends the catalog's authored `steps`
and the `warden sign` / `cert_command` pattern, plus a local precondition hint
("actor in inventory? backend configured? run `warden status`"). For all other
scenarios `show` ends with **"next action on `<owner_repo>` — see `<wiki_ref>`"**
and never implies warden performed anything.
### Dropped: separate `check` command
The earlier draft had `warden coach check`. Cut. For SSH, `warden status` already
covers local preconditions; duplicating it invites scope creep toward probing
foreign subsystems. SSH precondition hints live inside `show` instead.
---
## Tasks
### T1 — Catalog loader and models
```task
id: WARDEN-WP-0011-T01
status: done
priority: high
state_hub_task_id: "55b8422c-ad3c-4084-9e00-acaa4c360906"
```
- [x] Add `src/warden/routing/` package: `models.py`, `catalog.py`.
- [x] Load and validate `registry/routing/catalog.yaml`.
- [x] Enforce the no-double-source rule: non-SSH entries with a `steps` block are a
validation error. Clear errors for missing file, schema violations, dup `id`.
### T2 — `warden route list` and `show`
```task
id: WARDEN-WP-0011-T02
status: done
priority: high
state_hub_task_id: "60b679c5-79bd-4186-b5a6-ac576931f06c"
```
- [x] Register `route` Typer sub-app on the main CLI.
- [x] `list` — Rich table + `--json` array of summaries; active-only unless `--all`.
- [x] `show` — owner, prerequisites, pointers (`wiki_ref`, `canon_ref`),
`warden_executes`, anti-patterns; SSH entries also append `steps` + cert pattern.
- [x] Exit 1 with a `find` hint when `show` id is unknown.
### T3 — `warden route find`
```task
id: WARDEN-WP-0011-T03
status: done
priority: high
state_hub_task_id: "d307701f-0117-44f0-80fd-ca6f7ae06f42"
```
- [x] Tokenize query; match against `need_keywords`, `title`, `id`.
- [x] Rank, show top matches (default 5); `--json` for agents.
- [x] Fixtures: "issue core api key", "ssh tunnel", "openrouter key".
### T4 — Tests
```task
id: WARDEN-WP-0011-T04
status: done
priority: high
state_hub_task_id: "00a76e0f-8ab6-4f9a-ac6a-00eae633342c"
```
- [x] `tests/test_routing.py` — catalog load, no-double-source validation rejects a
non-SSH `steps` block, find ranking, show JSON shape, SSH `show` includes cert
pattern.
- [x] No integration test requires a live subsystem.
### T5 — Doc consistency + drift guard
```task
id: WARDEN-WP-0011-T05
status: done
priority: high
state_hub_task_id: "bf848375-eca7-4116-bb1d-fb7df6395c70"
```
- [x] CI/test: every `wiki_ref` anchor resolves to an existing in-repo wiki section;
every entry has a `reviewed` date.
- [x] `wiki/AccessRouting.md` — CLI section with agent-oriented examples.
- [x] README — `warden route --help` quick reference.
- [x] Bump SCOPE availability note A3 → A4 on ship.
---
## Acceptance
- `uv run warden route find "issue core api key"` returns the draft scenario only
with `--all`, and never a generated key.
- `uv run warden route show ssh-cert-host-access --json` includes
`warden_executes: true` and the cert_command pattern.
- A non-SSH catalog entry carrying a `steps` block fails `test_routing.py`.
- `uv run pytest tests/test_routing.py` passes with no live-subsystem dependency.
---
## See also
- `WARDEN-WP-0010` — charter and catalog schema
- `WARDEN-WP-0012` — expanded per-scenario playbooks
- `history/2026-06-17-intent-scope-assessment.md` — prior `warden guide` proposal (P4)
---
## Closeout (2026-06-24)
Archived during WARDEN-WP-0013 T2. All tasks complete.

View File

@@ -0,0 +1,202 @@
---
id: WARDEN-WP-0013
type: workplan
title: "Production Integration & Stewardship Closeout"
domain: infotech
repo: ops-warden
status: archived
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 13
depends_on_workplans:
- WARDEN-WP-0008
- WARDEN-WP-0009
- WARDEN-WP-0010
- WARDEN-WP-0011
related_workplans:
- WARDEN-WP-0012
- FLEX-WP-0007
created: "2026-06-24"
updated: "2026-06-24"
state_hub_workstream_id: "4678c41a-c1d0-48cd-9988-4ea0380e8258"
---
# WARDEN-WP-0013 — Production Integration & Stewardship Closeout
## Purpose
Close the remaining **ops-warden-owned** gaps after policy gate and routing shipped:
refresh INTENT/SCOPE canon, archive finished workplans, document ops-bridge
`cert_command` migration, operator OpenBao token hygiene, principals drift checks,
and the policy-gate production flip checklist.
This workplan addresses the deferred **Production SSH Integration Closeout** strand
from `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` §6, updated for
post-WP-0009 state.
**Gap analysis:** `history/2026-06-24-intent-scope-gap-analysis.md`
## Scope
- Post-WP-0009 reassessment and SCOPE alignment
- Archive hygiene for WP-0010 and WP-0011
- ops-bridge `cert_command` migration documentation (pilot `agt-state-hub-bridge`)
- Operator runbook for scoped OpenBao tokens (no root in `VAULT_TOKEN`)
- Principals drift check between warden inventory and railiance-infra
- Policy gate production enablement checklist (coordinate FLEX-WP-0007)
## Out of scope
- flex-auth runtime deployment (flex-auth **FLEX-WP-0007**)
- ops-bridge tunnel config changes in the ops-bridge repo (coordinate only)
- Routing scenario playbook expansion (**WARDEN-WP-0012** — parallel track)
- OpenBao cluster deploy, flex-auth policy authoring, NK-WP-0009 tutorial
- Implementing secret vending or foreign API proxies
## Ownership boundary
| Concern | Owner |
| --- | --- |
| cert_command migration playbook | ops-warden (doc); ops-bridge (tunnel config) |
| OpenBao token hygiene runbook | ops-warden (doc); operator (execution) |
| Principals drift | ops-warden (check doc/script); railiance-infra (host deploy) |
| `policy.enabled: true` flip | operator (after FLEX-WP-0007) |
---
## T1 — Post-gap reassessment and SCOPE refresh
```task
id: WARDEN-WP-0013-T01
status: done
priority: high
state_hub_task_id: "de46f9a2-bf11-4651-a23c-430c63f396c8"
```
- [x] Write `history/2026-06-24-intent-scope-gap-analysis.md`
- [x] Update `SCOPE.md` active workplan table (WP-0013, WP-0012 ready)
- [x] Note maturity vector and partial INTENT criterion (ops-bridge) in SCOPE
**Acceptance:** Gap analysis on file; SCOPE reflects 2026-06-24 repo state.
---
## T2 — Archive hygiene (WP-0010, WP-0011)
```task
id: WARDEN-WP-0013-T02
status: done
priority: medium
state_hub_task_id: "1b35321d-63ad-40da-a1aa-0b66190a0733"
```
- [x] Move `WARDEN-WP-0010-access-routing-charter.md` to
`workplans/archived/260624-WARDEN-WP-0010-access-routing-charter.md`
- [x] Move `WARDEN-WP-0011-routing-guide-cli.md` to
`workplans/archived/260624-WARDEN-WP-0011-routing-guide-cli.md`
- [x] Set frontmatter `status: archived` on both; add closeout notes
- [x] Operator runs `make fix-consistency REPO=ops-warden` from `~/state-hub`
**Acceptance:** Only WP-0012 (ready) and WP-0013 (active when started) remain in
`workplans/` root; hub synced.
---
## T3 — ops-bridge cert_command migration playbook
```task
id: WARDEN-WP-0013-T03
status: done
priority: high
state_hub_task_id: "ad8588b2-9ae9-4f94-bd77-8025851a38f5"
```
- [x] Write `wiki/playbooks/ops-bridge-tunnel-cert.md` — static-key → `cert_command`
migration checklist for tunnel configs
- [x] Document pilot tunnel `agt-state-hub-bridge`: actor, pubkey path, cert_command
string, inventory prerequisites
- [x] Upgrade catalog entry `ops-bridge-tunnel` `wiki_ref` to the new playbook
- [x] Coordinate with ops-bridge owner for pilot tunnel config change (State Hub message)
- [ ] Record non-secret smoke evidence when pilot completes (`history/` entry — pending ops-bridge)
**Acceptance:** Playbook exists; catalog points at it; pilot steps documented even
if ops-bridge execution is pending.
**Unlocks:** INTENT success criterion #3 moves from partial toward met.
---
## T4 — Operator OpenBao token hygiene runbook
```task
id: WARDEN-WP-0013-T04
status: done
priority: medium
state_hub_task_id: "5cb35829-32eb-4d59-97a1-f4d92ce8e239"
```
- [x] Add `wiki/playbooks/operator-openbao-token-hygiene.md` covering scoped tokens,
`VAULT_TOKEN` session pattern, OIDC route, HTTP 403 recovery
- [x] Cross-link from `wiki/OpsWardenConfig.md` and production example yaml
**Acceptance:** Operator can follow runbook without asking ops-warden for token values.
---
## T5 — Principals inventory drift check
```task
id: WARDEN-WP-0013-T05
status: done
priority: medium
state_hub_task_id: "4025cd32-89f8-42c3-b1e8-eaf78497d91f"
```
- [x] `scripts/check_principals_drift.py` compares inventory `hosts` vs
`railiance-infra/ansible/inventory/ssh_principals.yaml`
- [x] Script notes flex-auth registry regeneration via `build_flex_auth_registry.py`
- [x] Tests in `tests/test_principals_drift.py`
**Acceptance:** Drift check runnable or documented; no secret material in script output.
---
## T6 — Policy gate production enablement checklist
```task
id: WARDEN-WP-0013-T06
status: done
priority: medium
state_hub_task_id: "51663f65-79cb-4108-87c8-9721f9476259"
```
- [x] Operator checklist in `wiki/PolicyGatedSigning.md` § Production rollout
- [x] Cross-link FLEX-WP-0007 and pickup brief
- [x] Explicit: keep `policy.enabled: false` until flex-auth reachable
**Acceptance:** Operator checklist is sequential and references cross-repo owners;
no ops-warden code changes required for flex-auth deploy.
---
## Exit criteria
- Gap analysis and SCOPE current
- WP-0010 and WP-0011 archived
- ops-bridge cert_command playbook + catalog upgrade
- Operator token hygiene runbook
- Principals drift procedure
- Policy gate production flip checklist (coordinate FLEX-WP-0007)
## Parallel track
**WARDEN-WP-0012** (routing scenario playbooks) — promoted to `ready`; start when
P1 integration doc bandwidth allows or in parallel if staffed.
## See also
- `history/2026-06-24-intent-scope-gap-analysis.md`
- `history/2026-06-18-post-wp0008-intent-scope-reassessment.md`
- `wiki/CertCommandInterface.md`
- `~/flex-auth/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md`