generated from coulomb/repo-seed
workplan: add WARDEN-WP-0008 production SSH path and stewardship closeout
Establish follow-up after WP-0007: E2E OpenBao sign verification, post-policy reassessment, task-status canon migration, and archive hygiene. Refresh SCOPE to reflect shipped policy gate and active WP-0008.
This commit is contained in:
21
SCOPE.md
21
SCOPE.md
@@ -58,13 +58,20 @@ Vault-compatible SSH secrets engine API, production).
|
||||
- `wiki/NetKingdomSecurityMap.md` — NetKingdom component literacy
|
||||
- `wiki/ActorInventoryPatterns.md` + `examples/inventory.seed.yaml`
|
||||
- `wiki/OpenBaoSshEngineChecklist.md` — production SSH signing verify
|
||||
- `wiki/PolicyGatedSigning.md` — flex-auth integration design (not implemented)
|
||||
- `wiki/PolicyGatedSigning.md` — flex-auth integration design
|
||||
|
||||
### Planned (follow-up)
|
||||
### Shipped (WARDEN-WP-0007)
|
||||
|
||||
- flex-auth policy hook implementation (WARDEN-WP-0007, proposed)
|
||||
- Live production OpenBao SSH engine verification on Railiance
|
||||
- NK-WP-0009 SSH tutorial joint with net-kingdom
|
||||
- Opt-in flex-auth policy gate before `warden sign` / `warden issue` (`policy.enabled`)
|
||||
- `policy_decision_id` in `signatures.log` when gate allows
|
||||
- Production OpenBao health evidence (`history/2026-06-17-openbao-production-verify.md`)
|
||||
|
||||
### Planned (WARDEN-WP-0008)
|
||||
|
||||
- End-to-end production OpenBao `warden sign` verification on Railiance
|
||||
- Post-WP-0007 INTENT/SCOPE reassessment and archive hygiene
|
||||
- State Hub task status canon in `AGENTS.md`
|
||||
- NK-WP-0009 SSH tutorial joint with net-kingdom (parallel)
|
||||
|
||||
---
|
||||
|
||||
@@ -109,7 +116,9 @@ Vault-compatible SSH secrets engine API, production).
|
||||
- **Registry:** `capability.security.ssh-certificate-issuance` published
|
||||
- **INTENT:** operational access steward (2026-06-17)
|
||||
- **Stewardship docs:** WP-0006 complete — routing, inventory patterns, OpenBao checklist
|
||||
- **Gap reassessment:** `history/2026-06-17-intent-scope-reassessment.md`
|
||||
- **Policy gate:** WP-0007 complete — opt-in flex-auth pre-sign
|
||||
- **Active workplan:** WP-0008 — production SSH path verification and stewardship closeout
|
||||
- **Gap reassessment:** `history/2026-06-17-intent-scope-reassessment.md` (pre-WP-0007)
|
||||
|
||||
---
|
||||
|
||||
|
||||
@@ -0,0 +1,140 @@
|
||||
---
|
||||
id: WARDEN-WP-0008
|
||||
type: workplan
|
||||
title: "Production SSH Path and Stewardship Closeout"
|
||||
domain: custodian
|
||||
repo: ops-warden
|
||||
status: ready
|
||||
owner: codex
|
||||
topic_slug: custodian
|
||||
planning_priority: high
|
||||
planning_order: 8
|
||||
created: "2026-06-17"
|
||||
updated: "2026-06-17"
|
||||
---
|
||||
|
||||
# WARDEN-WP-0008 — Production SSH Path and Stewardship Closeout
|
||||
|
||||
**Scope:** Close the reliability gap left after WARDEN-WP-0007 — prove the
|
||||
production OpenBao SSH signing path end-to-end, refresh INTENT/SCOPE canon for
|
||||
the shipped flex-auth policy gate, adapt repo docs to State Hub task-status
|
||||
canon, and archive finished workplans.
|
||||
|
||||
**Out of scope:** OpenBao cluster deploy or SSH engine bootstrap (operator /
|
||||
`railiance-platform`), flex-auth policy package authoring, NK-WP-0009 joint
|
||||
tutorial (coordinate separately), populating non-SSH secrets (e.g. OpenRouter
|
||||
API keys — route to OpenBao per `wiki/CredentialRouting.md`).
|
||||
|
||||
---
|
||||
|
||||
## Goal
|
||||
|
||||
Move ops-warden from **documented + code-shipped** (WP-0006/0007) to
|
||||
**production-verified SSH issuance** with up-to-date stewardship canon:
|
||||
|
||||
1. A scoped operator can run `warden sign` against `https://bao.coulomb.social`
|
||||
and record non-secret evidence.
|
||||
2. `SCOPE.md` and reassessment history reflect WP-0007 policy gate as implemented.
|
||||
3. Agent/workplan docs use State Hub task lifecycle (`wait` / `todo` / `progress`
|
||||
/ `done` / `cancel`).
|
||||
4. Finished workplans WP-0004–0007 are archived under `workplans/archived/`.
|
||||
|
||||
---
|
||||
|
||||
## Tasks
|
||||
|
||||
### T1 — Post-WP-0007 INTENT/SCOPE reassessment
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0008-T01
|
||||
status: todo
|
||||
priority: high
|
||||
```
|
||||
|
||||
- [ ] Write `history/2026-06-17-post-wp0007-reassessment.md` (vector D5/A3/C4/R?)
|
||||
- [ ] Update `SCOPE.md` — policy gate implemented, WP-0007 done, WP-0008 active
|
||||
- [ ] Resolve remaining `PolicyGatedSigning.md (not implemented)` references in SCOPE/README
|
||||
|
||||
### T2 — Production OpenBao end-to-end sign verification
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0008-T02
|
||||
status: todo
|
||||
priority: high
|
||||
```
|
||||
|
||||
- [ ] Operator provides scoped `VAULT_TOKEN` (not in Git/chat/logs)
|
||||
- [ ] Confirm SSH engine mounted and roles per `wiki/OpenBaoSshEngineChecklist.md`
|
||||
- [ ] Run `warden sign` + `warden status` + `warden log` against production OpenBao
|
||||
- [ ] Append pass/fail evidence to `history/2026-06-17-openbao-production-verify.md`
|
||||
- [ ] Optional: cert_command smoke via ops-bridge tunnel (non-secret summary only)
|
||||
|
||||
**Blocked until:** scoped token + SSH roles on Railiance OpenBao.
|
||||
|
||||
### T3 — State Hub task status canon migration
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0008-T03
|
||||
status: todo
|
||||
priority: medium
|
||||
```
|
||||
|
||||
- [ ] Update `AGENTS.md` task status values and examples (`progress`, `wait`, `cancel`)
|
||||
- [ ] Update `.claude/rules/workplan-convention.md` task block examples
|
||||
- [ ] Mark state-hub interface change `649102a2-4373-4621-9848-cc257e67c262` resolved
|
||||
- [ ] Reply to inbox message `c4072e5a-2afb-44ba-bfa2-7d4cb9979c6e` (read + note adaptation)
|
||||
|
||||
### T4 — Production config example and archive hygiene
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0008-T04
|
||||
status: todo
|
||||
priority: medium
|
||||
```
|
||||
|
||||
- [ ] Add `examples/warden.production.example.yaml` (no secrets; OpenBao addr + policy off)
|
||||
- [ ] Archive finished workplans → `workplans/archived/260617-WARDEN-WP-000{4,5,6,7}-*.md`
|
||||
- [ ] `make fix-consistency REPO=ops-warden` after archive
|
||||
|
||||
### T5 — flex-auth policy gate production readiness (coordination)
|
||||
|
||||
```task
|
||||
id: WARDEN-WP-0008-T05
|
||||
status: wait
|
||||
priority: low
|
||||
```
|
||||
|
||||
- [ ] Confirm flex-auth `ssh-certificate` resource policies exist (flex-auth owner)
|
||||
- [ ] Document enablement procedure for `policy.enabled: true` in production
|
||||
- [ ] Smoke test policy deny/allow with `fail_closed: true` (non-secret evidence)
|
||||
|
||||
**Blocked until:** flex-auth policy package for SSH signing.
|
||||
|
||||
---
|
||||
|
||||
## Acceptance Criteria
|
||||
|
||||
- [ ] Post-WP-0007 reassessment on file; SCOPE current
|
||||
- [ ] Production `warden sign` evidence recorded OR explicit operator blocker logged
|
||||
- [ ] AGENTS.md uses canonical task statuses
|
||||
- [ ] WP-0004–0007 archived; hub consistency pass
|
||||
- [ ] Production example config committed (no secrets)
|
||||
|
||||
---
|
||||
|
||||
## Dependencies
|
||||
|
||||
| Dependency | Owner | Blocks |
|
||||
| --- | --- | --- |
|
||||
| Scoped OpenBao token + SSH roles | Operator / railiance-platform | T2 |
|
||||
| flex-auth ssh-certificate policies | flex-auth | T5 |
|
||||
| NK-WP-0009 SSH tutorial | net-kingdom + ops-warden | — (parallel track) |
|
||||
|
||||
---
|
||||
|
||||
## See also
|
||||
|
||||
- `history/2026-06-17-openbao-production-verify.md` — health probe (WP-0007)
|
||||
- `history/2026-06-17-intent-scope-reassessment.md` — pre-policy-gate assessment
|
||||
- `wiki/OpenBaoSshEngineChecklist.md`
|
||||
- `wiki/PolicyGatedSigning.md` — opt-in gate (implemented WP-0007)
|
||||
Reference in New Issue
Block a user