chore(WP-0008): finish and archive production SSH path closeout

Mark WP-0008 finished and move to archived/. Spin flex-auth production gate
to WARDEN-WP-0009. Update SCOPE and reassessment history for R3 reliability.

SCOPE.md

@@ -66,11 +66,15 @@ Vault-compatible SSH secrets engine API, production).
 - `policy_decision_id` in `signatures.log` when gate allows
 - Production OpenBao health evidence (`history/2026-06-17-openbao-production-verify.md`)
 
-### Active (WARDEN-WP-0008)
+### Shipped (WARDEN-WP-0008)
 
-- End-to-end production OpenBao `warden sign` verification on Railiance (T2 — operator)
+- Production OpenBao `warden sign` verified on Railiance (2026-06-18)
 - `examples/warden.production.example.yaml` — production config template
-- NK-WP-0009 SSH tutorial joint with net-kingdom (parallel)
+- State Hub task-status canon in agent docs; WP-0004–0007 archived
+
+### Wait (WARDEN-WP-0009)
+
+- flex-auth `ssh-certificate` policies + `policy.enabled: true` production enablement
 
 ---
 
@@ -115,8 +119,9 @@ Vault-compatible SSH secrets engine API, production).
 - **Registry:** `capability.security.ssh-certificate-issuance` published
 - **INTENT:** operational access steward (2026-06-17)
 - **Stewardship docs:** WP-0006 complete — routing, inventory patterns, OpenBao checklist
-- **Policy gate:** WP-0007 complete — opt-in flex-auth pre-sign
-- **Active workplan:** WP-0008 — production SSH path verification and stewardship closeout
+- **Policy gate:** WP-0007 complete — opt-in flex-auth pre-sign (`policy.enabled` off in prod)
+- **Production SSH path:** WP-0008 complete — OpenBao sign verified 2026-06-18
+- **Next:** WP-0009 — flex-auth policy gate production (blocked on flex-auth policies)
 - **Gap reassessment:** `history/2026-06-17-post-wp0007-reassessment.md`
 
 ---

history/2026-06-17-openbao-production-verify.md

@@ -125,7 +125,8 @@ roles, and `warden-sign` policy **not yet applied** (no operator token in sessio
 `public_key` export; roles need `allow_user_key_ids=true` for ops-warden `key_id`
 embedding. Script fixes committed to `railiance-platform`.
 
-**WP-0008 T2:** production sign path verified. flex-auth gate (T5) remains future work.
+**WP-0008:** closed 2026-06-18 — production sign path verified. flex-auth production
+enablement continues in WP-0009.
 
 ---
 

history/2026-06-17-post-wp0007-reassessment.md

@@ -51,19 +51,20 @@ engine remains operator-verified — tracked in WARDEN-WP-0008 T2.
 
 ---
 
-## 4. Remaining gaps (WP-0008)
+## 4. Remaining gaps (post WP-0008 closeout, 2026-06-18)
 
 | Prio | Gap | Owner | Task |
 | --- | --- | --- | --- |
-| P1 | Production `warden sign` not executed | Operator | WP-0008 T2 |
-| P2 | flex-auth `ssh-certificate` policies | flex-auth | WP-0008 T5 |
-| P3 | NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel |
-| P4 | Task status canon in agent docs | ops-warden | WP-0008 T3 (done) |
+| P1 | flex-auth `ssh-certificate` policies | flex-auth | WP-0009 |
+| P2 | NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel |
+| P3 | ops-bridge `cert_command` on live tunnels | ops-bridge | Deferred |
+
+WP-0008 closed: production sign verified; stewardship canon and archive hygiene done.
 
 ---
 
 ## 5. Recommendation
 
 - **Completeness C4:** SSH lane + stewardship docs + opt-in policy gate shipped.
-- **Reliability R2→R3** when WP-0008 T2 records successful production sign evidence.
-- Keep `policy.enabled: false` in production until flex-auth policies exist (T5).
+- **Reliability R3:** production `warden sign` evidence on file (2026-06-18).
+- Keep `policy.enabled: false` in production until flex-auth policies exist (WP-0009).

workplans/WARDEN-WP-0009-flex-auth-policy-gate-production.md

@@ -0,0 +1,65 @@
+---
+id: WARDEN-WP-0009
+type: workplan
+title: "flex-auth Policy Gate Production Readiness"
+domain: custodian
+repo: ops-warden
+status: wait
+owner: codex
+topic_slug: custodian
+planning_priority: low
+planning_order: 9
+created: "2026-06-18"
+updated: "2026-06-18"
+state_hub_workstream_id: "9213b262-e2f5-480e-a5bc-56635d5eb4c9"
+---
+
+# WARDEN-WP-0009 — flex-auth Policy Gate Production Readiness
+
+**Scope:** Enable and verify the opt-in flex-auth pre-sign gate (`policy.enabled`)
+in production after flex-auth publishes `ssh-certificate` resource policies.
+
+**Out of scope:** flex-auth policy package authoring (flex-auth owner); OpenBao SSH
+engine and host CA (complete — NET-WP-0020 T5 / WP-0008 T2).
+
+**Spun out from:** WARDEN-WP-0008 T5 (2026-06-18 closeout).
+
+---
+
+## Tasks
+
+### T1 — flex-auth policy package confirmation
+
+```task
+id: WARDEN-WP-0009-T01
+status: wait
+priority: medium
+state_hub_task_id: "f988ed2e-0f63-4e89-abc4-183a7f23ddc2"
+```
+
+- [ ] Confirm flex-auth policies for resource type `ssh-certificate` exist
+- [ ] Document tenant/subject bindings for `adm` / `agt` / `atm` sign paths
+- [ ] Coordinate with flex-auth owner on deny/allow test fixtures
+
+**Blocked until:** flex-auth publishes ssh-certificate policies.
+
+### T2 — Production enablement and smoke
+
+```task
+id: WARDEN-WP-0009-T02
+status: wait
+priority: medium
+state_hub_task_id: "9d0fabc2-10ef-426d-a3d2-d4970d377029"
+```
+
+- [ ] Document operator steps to set `policy.enabled: true` (see `wiki/PolicyGatedSigning.md`)
+- [ ] Smoke test allow path — `signatures.log` includes `policy_decision_id`
+- [ ] Smoke test deny path with `fail_closed: true` (non-secret evidence)
+
+---
+
+## See also
+
+- `wiki/PolicyGatedSigning.md` — gate flow and config (shipped WP-0007)
+- `examples/warden.production.example.yaml` — `policy.enabled: false` default
+- `history/2026-06-17-openbao-production-verify.md` — production sign evidence

workplans/archived/260618-WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md

@@ -4,7 +4,7 @@ type: workplan
 title: "Production SSH Path and Stewardship Closeout"
 domain: custodian
 repo: ops-warden
-status: active
+status: finished
 owner: codex
 topic_slug: custodian
 planning_priority: high
@@ -70,7 +70,9 @@ state_hub_task_id: "b1a1831d-b2b3-4204-95f6-04dc7f29f67c"
 - [x] Confirm SSH engine mounted and roles per `wiki/OpenBaoSshEngineChecklist.md`
 - [x] Run `warden sign` + `warden status` + `warden log` against production OpenBao
 - [x] Append pass/fail evidence to `history/2026-06-17-openbao-production-verify.md`
-- [ ] Optional: cert_command smoke via ops-bridge tunnel (non-secret summary only)
+- [ ] Optional: cert_command smoke via ops-bridge tunnel — deferred; tunnels still
+  static-key mode (`agt-claude-*`); wire when ops-bridge adopts `cert_command` for
+  `agt-state-hub-bridge`
 
 ### T3 — State Hub task status canon migration
 
@@ -103,29 +105,33 @@ state_hub_task_id: "75b9f366-3d7a-419d-98ad-bc10ab90a697"
 
 ```task
 id: WARDEN-WP-0008-T05
-status: wait
+status: cancel
 priority: low
 state_hub_task_id: "03b412a5-5b99-42df-a154-733dd4156000"
 ```
 
-- [ ] Confirm flex-auth `ssh-certificate` resource policies exist (flex-auth owner)
-- [ ] Document enablement procedure for `policy.enabled: true` in production
-- [ ] Smoke test policy deny/allow with `fail_closed: true` (non-secret evidence)
-
-**Blocked until:** flex-auth policy package for SSH signing.
+Spun out to **WARDEN-WP-0009** (flex-auth owner dependency). ops-warden gate code
+and docs shipped in WP-0007; production enablement waits on flex-auth policies.
 
 ---
 
 ## Acceptance Criteria
 
 - [x] Post-WP-0007 reassessment on file; SCOPE current
-- [ ] Production `warden sign` evidence recorded OR explicit operator blocker logged
+- [x] Production `warden sign` evidence recorded (`history/2026-06-17-openbao-production-verify.md`)
 - [x] AGENTS.md uses canonical task statuses
 - [x] WP-0004–0007 archived; hub consistency pass
 - [x] Production example config committed (no secrets)
 
 ---
 
+## Closeout (2026-06-18)
+
+T1–T4 and T2 complete. T5 cancelled — continued in WARDEN-WP-0009. Optional
+ops-bridge `cert_command` smoke deferred until tunnel configs adopt warden signing.
+
+---
+
 ## Dependencies
 
 | Dependency | Owner | Blocks |