coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(WP-0008): finish and archive production SSH path closeout

Browse Source 
Mark WP-0008 finished and move to archived/. Spin flex-auth production gate
to WARDEN-WP-0009. Update SCOPE and reassessment history for R3 reliability.
This commit is contained in:
Bernd Worsch
2026-06-18 01:28:49 +02:00
parent da1b6695c4
commit a6a943fc3e
5 changed files with 100 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

151
workplans/archived/260618-WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md Normal file
View File

@@ -0,0 +1,151 @@
---
id: WARDEN-WP-0008
type: workplan
title: "Production SSH Path and Stewardship Closeout"
domain: custodian
repo: ops-warden
status: finished
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 8
created: "2026-06-17"
updated: "2026-06-18"
state_hub_workstream_id: "a174963a-4ff1-4565-b19f-896cd4ff14a0"
---
# WARDEN-WP-0008 — Production SSH Path and Stewardship Closeout
**Scope:** Close the reliability gap left after WARDEN-WP-0007 — prove the
production OpenBao SSH signing path end-to-end, refresh INTENT/SCOPE canon for
the shipped flex-auth policy gate, adapt repo docs to State Hub task-status
canon, and archive finished workplans.
**Out of scope:** OpenBao cluster deploy or SSH engine bootstrap (operator /
`railiance-platform`), flex-auth policy package authoring, NK-WP-0009 joint
tutorial (coordinate separately), populating non-SSH secrets (e.g. OpenRouter
API keys — route to OpenBao per `wiki/CredentialRouting.md`).
---
## Goal
Move ops-warden from **documented + code-shipped** (WP-0006/0007) to
**production-verified SSH issuance** with up-to-date stewardship canon:
1. A scoped operator can run `warden sign` against `https://bao.coulomb.social`
and record non-secret evidence.
2. `SCOPE.md` and reassessment history reflect WP-0007 policy gate as implemented.
3. Agent/workplan docs use State Hub task lifecycle (`wait` / `todo` / `progress`
/ `done` / `cancel`).
4. Finished workplans WP-00040007 are archived under `workplans/archived/`.
---
## Tasks
### T1 — Post-WP-0007 INTENT/SCOPE reassessment
```task
id: WARDEN-WP-0008-T01
status: done
priority: high
state_hub_task_id: "05379da4-79d0-4742-8638-9e9565cccf72"
```
- [x] Write `history/2026-06-17-post-wp0007-reassessment.md` (vector D5/A3/C4/R2)
- [x] Update `SCOPE.md` — policy gate implemented, WP-0008 active
- [x] Resolve remaining `PolicyGatedSigning.md (not implemented)` references in SCOPE/README
### T2 — Production OpenBao end-to-end sign verification
```task
id: WARDEN-WP-0008-T02
status: done
priority: high
state_hub_task_id: "b1a1831d-b2b3-4204-95f6-04dc7f29f67c"
```
- [x] Operator provides scoped `VAULT_TOKEN` (warden-sign policy token)
- [x] Confirm SSH engine mounted and roles per `wiki/OpenBaoSshEngineChecklist.md`
- [x] Run `warden sign` + `warden status` + `warden log` against production OpenBao
- [x] Append pass/fail evidence to `history/2026-06-17-openbao-production-verify.md`
- [ ] Optional: cert_command smoke via ops-bridge tunnel — deferred; tunnels still
static-key mode (`agt-claude-*`); wire when ops-bridge adopts `cert_command` for
`agt-state-hub-bridge`
### T3 — State Hub task status canon migration
```task
id: WARDEN-WP-0008-T03
status: done
priority: medium
state_hub_task_id: "876827c4-4a86-4e58-9a1f-ac87045dc903"
```
- [x] Update `AGENTS.md` task status values and examples (`progress`, `wait`, `cancel`)
- [x] Update `.claude/rules/workplan-convention.md` task block examples
- [x] Mark state-hub interface change `649102a2-4373-4621-9848-cc257e67c262` resolved
- [x] Reply to inbox message `c4072e5a-2afb-44ba-bfa2-7d4cb9979c6e` (read + note adaptation)
### T4 — Production config example and archive hygiene
```task
id: WARDEN-WP-0008-T04
status: done
priority: medium
state_hub_task_id: "75b9f366-3d7a-419d-98ad-bc10ab90a697"
```
- [x] Add `examples/warden.production.example.yaml` (no secrets; OpenBao addr + policy off)
- [x] Archive finished workplans → `workplans/archived/260617-WARDEN-WP-000{4,5,6,7}-*.md`
- [x] `make fix-consistency REPO=ops-warden` after archive
### T5 — flex-auth policy gate production readiness (coordination)
```task
id: WARDEN-WP-0008-T05
status: cancel
priority: low
state_hub_task_id: "03b412a5-5b99-42df-a154-733dd4156000"
```
Spun out to **WARDEN-WP-0009** (flex-auth owner dependency). ops-warden gate code
and docs shipped in WP-0007; production enablement waits on flex-auth policies.
---
## Acceptance Criteria
- [x] Post-WP-0007 reassessment on file; SCOPE current
- [x] Production `warden sign` evidence recorded (`history/2026-06-17-openbao-production-verify.md`)
- [x] AGENTS.md uses canonical task statuses
- [x] WP-00040007 archived; hub consistency pass
- [x] Production example config committed (no secrets)
---
## Closeout (2026-06-18)
T1T4 and T2 complete. T5 cancelled — continued in WARDEN-WP-0009. Optional
ops-bridge `cert_command` smoke deferred until tunnel configs adopt warden signing.
---
## Dependencies
| Dependency | Owner | Blocks |
| --- | --- | --- |
| OpenBao SSH engine + host CA automation | NET-WP-0020 / railiance-* | T2 |
| flex-auth ssh-certificate policies | flex-auth | T5 |
| NK-WP-0009 SSH tutorial | net-kingdom + ops-warden | — (parallel track) |
---
## See also
- `history/2026-06-17-openbao-production-verify.md` — health probe (WP-0007)
- `history/2026-06-17-post-wp0007-reassessment.md` — latest assessment
- `examples/warden.production.example.yaml` — operator config template
- `wiki/OpenBaoSshEngineChecklist.md`
- `wiki/PolicyGatedSigning.md` — opt-in gate (implemented WP-0007)