workplan: add WARDEN-WP-0008 production SSH path and stewardship closeout

Establish follow-up after WP-0007: E2E OpenBao sign verification, post-policy reassessment, task-status canon migration, and archive hygiene. Refresh SCOPE to reflect shipped policy gate and active WP-0008.
2026-06-17 23:34:13 +02:00
parent 64cacedefd
commit bdd532d835
2 changed files with 155 additions and 6 deletions
--- a/SCOPE.md
+++ b/SCOPE.md
@@ -58,13 +58,20 @@ Vault-compatible SSH secrets engine API, production).
 - `wiki/NetKingdomSecurityMap.md` — NetKingdom component literacy
 - `wiki/ActorInventoryPatterns.md` + `examples/inventory.seed.yaml`
 - `wiki/OpenBaoSshEngineChecklist.md` — production SSH signing verify
- `wiki/PolicyGatedSigning.md` — flex-auth integration design (not implemented)
+- `wiki/PolicyGatedSigning.md` — flex-auth integration design

-### Planned (follow-up)
+### Shipped (WARDEN-WP-0007)

- flex-auth policy hook implementation (WARDEN-WP-0007, proposed)
- Live production OpenBao SSH engine verification on Railiance
- NK-WP-0009 SSH tutorial joint with net-kingdom
+- Opt-in flex-auth policy gate before `warden sign` / `warden issue` (`policy.enabled`)
+- `policy_decision_id` in `signatures.log` when gate allows
+- Production OpenBao health evidence (`history/2026-06-17-openbao-production-verify.md`)
+
+### Planned (WARDEN-WP-0008)
+
+- End-to-end production OpenBao `warden sign` verification on Railiance
+- Post-WP-0007 INTENT/SCOPE reassessment and archive hygiene
+- State Hub task status canon in `AGENTS.md`
+- NK-WP-0009 SSH tutorial joint with net-kingdom (parallel)

 ---

@@ -109,7 +116,9 @@ Vault-compatible SSH secrets engine API, production).
 - **Registry:** `capability.security.ssh-certificate-issuance` published
 - **INTENT:** operational access steward (2026-06-17)
 - **Stewardship docs:** WP-0006 complete — routing, inventory patterns, OpenBao checklist
- **Gap reassessment:** `history/2026-06-17-intent-scope-reassessment.md`
+- **Policy gate:** WP-0007 complete — opt-in flex-auth pre-sign
+- **Active workplan:** WP-0008 — production SSH path verification and stewardship closeout
+- **Gap reassessment:** `history/2026-06-17-intent-scope-reassessment.md` (pre-WP-0007)

 ---