From bdd532d8356fb93d30220dbd70006ca60f904d96 Mon Sep 17 00:00:00 2001 From: tegwick Date: Wed, 17 Jun 2026 23:34:13 +0200 Subject: [PATCH] workplan: add WARDEN-WP-0008 production SSH path and stewardship closeout Establish follow-up after WP-0007: E2E OpenBao sign verification, post-policy reassessment, task-status canon migration, and archive hygiene. Refresh SCOPE to reflect shipped policy gate and active WP-0008. --- SCOPE.md | 21 ++- ...ction-ssh-path-and-stewardship-closeout.md | 140 ++++++++++++++++++ 2 files changed, 155 insertions(+), 6 deletions(-) create mode 100644 workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md diff --git a/SCOPE.md b/SCOPE.md index 4dbb32e..1b98a31 100644 --- a/SCOPE.md +++ b/SCOPE.md @@ -58,13 +58,20 @@ Vault-compatible SSH secrets engine API, production). - `wiki/NetKingdomSecurityMap.md` — NetKingdom component literacy - `wiki/ActorInventoryPatterns.md` + `examples/inventory.seed.yaml` - `wiki/OpenBaoSshEngineChecklist.md` — production SSH signing verify -- `wiki/PolicyGatedSigning.md` — flex-auth integration design (not implemented) +- `wiki/PolicyGatedSigning.md` — flex-auth integration design -### Planned (follow-up) +### Shipped (WARDEN-WP-0007) -- flex-auth policy hook implementation (WARDEN-WP-0007, proposed) -- Live production OpenBao SSH engine verification on Railiance -- NK-WP-0009 SSH tutorial joint with net-kingdom +- Opt-in flex-auth policy gate before `warden sign` / `warden issue` (`policy.enabled`) +- `policy_decision_id` in `signatures.log` when gate allows +- Production OpenBao health evidence (`history/2026-06-17-openbao-production-verify.md`) + +### Planned (WARDEN-WP-0008) + +- End-to-end production OpenBao `warden sign` verification on Railiance +- Post-WP-0007 INTENT/SCOPE reassessment and archive hygiene +- State Hub task status canon in `AGENTS.md` +- NK-WP-0009 SSH tutorial joint with net-kingdom (parallel) --- 
@@ -109,7 +116,9 @@ Vault-compatible SSH secrets engine API, production). - **Registry:** `capability.security.ssh-certificate-issuance` published - **INTENT:** operational access steward (2026-06-17) - **Stewardship docs:** WP-0006 complete — routing, inventory patterns, OpenBao checklist -- **Gap reassessment:** `history/2026-06-17-intent-scope-reassessment.md` +- **Policy gate:** WP-0007 complete — opt-in flex-auth pre-sign +- **Active workplan:** WP-0008 — production SSH path verification and stewardship closeout +- **Gap reassessment:** `history/2026-06-17-intent-scope-reassessment.md` (pre-WP-0007) --- diff --git a/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md b/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md new file mode 100644 index 0000000..c76f7b0 --- /dev/null +++ b/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md 
@@ -0,0 +1,140 @@ +--- +id: WARDEN-WP-0008 +type: workplan +title: "Production SSH Path and Stewardship Closeout" +domain: custodian +repo: ops-warden +status: ready +owner: codex +topic_slug: custodian +planning_priority: high +planning_order: 8 +created: "2026-06-17" +updated: "2026-06-17" +--- + +# WARDEN-WP-0008 — Production SSH Path and Stewardship Closeout + +**Scope:** Close the reliability gap left after WARDEN-WP-0007 — prove the +production OpenBao SSH signing path end-to-end, refresh INTENT/SCOPE canon for +the shipped flex-auth policy gate, adapt repo docs to State Hub task-status +canon, and archive finished workplans. + +**Out of scope:** OpenBao cluster deploy or SSH engine bootstrap (operator / +`railiance-platform`), flex-auth policy package authoring, NK-WP-0009 joint +tutorial (coordinate separately), populating non-SSH secrets (e.g. OpenRouter +API keys — route to OpenBao per `wiki/CredentialRouting.md`). + +--- + +## Goal + +Move ops-warden from **documented + code-shipped** (WP-0006/0007) to +**production-verified SSH issuance** with up-to-date stewardship canon: + +1. A scoped operator can run `warden sign` against `https://bao.coulomb.social` + and record non-secret evidence. +2. `SCOPE.md` and reassessment history reflect WP-0007 policy gate as implemented. +3. Agent/workplan docs use State Hub task lifecycle (`wait` / `todo` / `progress` + / `done` / `cancel`). +4. Finished workplans WP-0004–0007 are archived under `workplans/archived/`. + +--- + +## Tasks + +### T1 — Post-WP-0007 INTENT/SCOPE reassessment + +```task +id: WARDEN-WP-0008-T01 +status: todo +priority: high +``` + +- [ ] Write `history/2026-06-17-post-wp0007-reassessment.md` (vector D5/A3/C4/R?) 
+- [ ] Update `SCOPE.md` — policy gate implemented, WP-0007 done, WP-0008 active +- [ ] Resolve remaining `PolicyGatedSigning.md (not implemented)` references in SCOPE/README + +### T2 — Production OpenBao end-to-end sign verification + +```task +id: WARDEN-WP-0008-T02 +status: todo +priority: high +``` + +- [ ] Operator provides scoped `VAULT_TOKEN` (not in Git/chat/logs) +- [ ] Confirm SSH engine mounted and roles per `wiki/OpenBaoSshEngineChecklist.md` +- [ ] Run `warden sign` + `warden status` + `warden log` against production OpenBao +- [ ] Append pass/fail evidence to `history/2026-06-17-openbao-production-verify.md` +- [ ] Optional: cert_command smoke via ops-bridge tunnel (non-secret summary only) + +**Blocked until:** scoped token + SSH roles on Railiance OpenBao. + +### T3 — State Hub task status canon migration + +```task +id: WARDEN-WP-0008-T03 +status: todo +priority: medium +``` + +- [ ] Update `AGENTS.md` task status values and examples (`progress`, `wait`, `cancel`) +- [ ] Update `.claude/rules/workplan-convention.md` task block examples +- [ ] Mark state-hub interface change `649102a2-4373-4621-9848-cc257e67c262` resolved +- [ ] Reply to inbox message `c4072e5a-2afb-44ba-bfa2-7d4cb9979c6e` (read + note adaptation) + +### T4 — Production config example and archive hygiene + +```task +id: WARDEN-WP-0008-T04 +status: todo +priority: medium +``` + +- [ ] Add `examples/warden.production.example.yaml` (no secrets; OpenBao addr + policy off) +- [ ] Archive finished workplans → `workplans/archived/260617-WARDEN-WP-000{4,5,6,7}-*.md` +- [ ] `make fix-consistency REPO=ops-warden` after archive + +### T5 — flex-auth policy gate production readiness (coordination) + +```task +id: WARDEN-WP-0008-T05 +status: wait +priority: low +``` + +- [ ] Confirm flex-auth `ssh-certificate` resource policies exist (flex-auth owner) +- [ ] Document enablement procedure for `policy.enabled: true` in production +- [ ] Smoke test policy deny/allow with `fail_closed: true` 
(non-secret evidence) + +**Blocked until:** flex-auth policy package for SSH signing. + +--- + +## Acceptance Criteria + +- [ ] Post-WP-0007 reassessment on file; SCOPE current +- [ ] Production `warden sign` evidence recorded OR explicit operator blocker logged +- [ ] AGENTS.md uses canonical task statuses +- [ ] WP-0004–0007 archived; hub consistency pass +- [ ] Production example config committed (no secrets) + +--- + +## Dependencies + +| Dependency | Owner | Blocks | +| --- | --- | --- | +| Scoped OpenBao token + SSH roles | Operator / railiance-platform | T2 | +| flex-auth ssh-certificate policies | flex-auth | T5 | +| NK-WP-0009 SSH tutorial | net-kingdom + ops-warden | — (parallel track) | + +--- + +## See also + +- `history/2026-06-17-openbao-production-verify.md` — health probe (WP-0007) +- `history/2026-06-17-intent-scope-reassessment.md` — pre-policy-gate assessment +- `wiki/OpenBaoSshEngineChecklist.md` +- `wiki/PolicyGatedSigning.md` — opt-in gate (implemented WP-0007) \ No newline at end of file
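Review bot: in the first SCOPE.md hunk (`@@ -58,13 +58,20 @@`), the bullet `policy_decision_id in signatures.log when gate allows` documents only the allow path; state whether a denied `warden sign` / `warden issue` is also recorded (and where), because a gate whose denials leave no trace in `signatures.log` or elsewhere is hard to audit or alert on. If denies are logged by flex-auth rather than by warden, say so in the bullet so readers of SCOPE.md know which log to check.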
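Review bot: in the second SCOPE.md hunk (`@@ -109,7 +116,9 @@`), the added `**Active workplan:** WP-0008` line hard-codes the current workplan in SCOPE.md, so it will need a manual edit every time a workplan opens or closes; the `(pre-WP-0007)` qualifier on the gap-reassessment entry has the same shelf life, since WP-0008 T1 plans `history/2026-06-17-post-wp0007-reassessment.md`. Consider pointing these entries at the workplan status field or listing both reassessment files so the `make fix-consistency` pass in T4 does not find SCOPE.md already stale.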
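Review bot: in the new workplan file, T5's `Smoke test policy deny/allow with fail_closed: true` covers only the two reachable-service outcomes; a fail-closed gate should also be smoke-tested with flex-auth unreachable or timing out, since that is the case `fail_closed` exists for, so add a third checkbox for the unavailable-policy-service path and record its outcome as non-secret evidence alongside the deny/allow results. Two smaller points in the same hunk: T1's `(vector D5/A3/C4/R?)` leaves the R dimension as a placeholder, which should be filled or explicitly marked TBD before `status: ready` is meaningful; and the front matter uses `status: ready` while Goal item 3 lists the State Hub lifecycle as `wait` / `todo` / `progress` / `done` / `cancel`, so confirm that `ready` is a valid workplan-level status under the canon T3 is migrating to, or change it. The file is also committed without a trailing newline (`\ No newline at end of file`).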