chore(WP-0008): finish and archive production SSH path closeout

Mark WP-0008 finished and move to archived/. Spin flex-auth production gate
to WARDEN-WP-0009. Update SCOPE and reassessment history for R3 reliability.

SCOPE.md

@@ -66,11 +66,15 @@ Vault-compatible SSH secrets engine API, production).
 - `policy_decision_id` in `signatures.log` when gate allows
 - Production OpenBao health evidence (`history/2026-06-17-openbao-production-verify.md`)
 
-### Active (WARDEN-WP-0008)
+### Shipped (WARDEN-WP-0008)
 
-- End-to-end production OpenBao `warden sign` verification on Railiance (T2 — operator)
+- Production OpenBao `warden sign` verified on Railiance (2026-06-18)
 - `examples/warden.production.example.yaml` — production config template
-- NK-WP-0009 SSH tutorial joint with net-kingdom (parallel)
+- State Hub task-status canon in agent docs; WP-0004–0007 archived
+
+### Wait (WARDEN-WP-0009)
+
+- flex-auth `ssh-certificate` policies + `policy.enabled: true` production enablement
 
 ---
 
@@ -115,8 +119,9 @@ Vault-compatible SSH secrets engine API, production).
 - **Registry:** `capability.security.ssh-certificate-issuance` published
 - **INTENT:** operational access steward (2026-06-17)
 - **Stewardship docs:** WP-0006 complete — routing, inventory patterns, OpenBao checklist
-- **Policy gate:** WP-0007 complete — opt-in flex-auth pre-sign
-- **Active workplan:** WP-0008 — production SSH path verification and stewardship closeout
+- **Policy gate:** WP-0007 complete — opt-in flex-auth pre-sign (`policy.enabled` off in prod)
+- **Production SSH path:** WP-0008 complete — OpenBao sign verified 2026-06-18
+- **Next:** WP-0009 — flex-auth policy gate production (blocked on flex-auth policies)
 - **Gap reassessment:** `history/2026-06-17-post-wp0007-reassessment.md`
 
 ---