generated from coulomb/repo-seed
Define INTENT, refresh SCOPE, and plan NetKingdom stewardship
Add ops-warden INTENT as operational access steward for NetKingdom security (route credential lanes, align docs, issue SSH certs only). Refresh SCOPE for stewardship scope, persist INTENT↔SCOPE gap assessment, and open WARDEN-WP-0006 for routing runbooks and platform alignment.
@@ -0,0 +1,197 @@
---
id: WARDEN-WP-0006
type: workplan
title: "NetKingdom Alignment and Operational Access Stewardship"
domain: custodian
repo: ops-warden
status: ready
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 6
created: "2026-06-17"
updated: "2026-06-17"
state_hub_workstream_id: "a5c9f24b-1ad4-46da-bc8e-b99897f8e302"
---

# WARDEN-WP-0006 — NetKingdom Alignment and Operational Access Stewardship

**Scope:** Close gaps identified in `history/2026-06-17-intent-scope-assessment.md`
between INTENT (operational access steward for NetKingdom security) and SCOPE
(shipped SSH CLI only). Documentation and alignment first; code changes limited
to optional CLI ergonomics.

**Out of scope:** flex-auth integration implementation, OpenBao cluster deploy,
universal credential broker, net-kingdom INTENT.md rewrite.

**References:**

- `INTENT.md`, `SCOPE.md`, `history/2026-06-17-intent-scope-assessment.md`
- `net-kingdom/docs/platform-identity-security-architecture.md`
- `net-kingdom/docs/responsibility-map.md`
- `NK-WP-0009` (SSH tutorial, net-kingdom)

---

## Goal

After this workplan, a development worker or agent can:

1. Read ops-warden material and know **which NetKingdom subsystem** handles each
credential type.
2. Obtain **SSH certs** via documented actor patterns and production OpenBao path.
3. Find ops-warden recognized in **NetKingdom responsibility/platform** docs as
the operational SSH credential authority.

---

## Tasks

### T1 — Credential routing runbook

```task
id: WARDEN-WP-0006-T01
status: todo
priority: high
state_hub_task_id: "ffc6a0c2-4312-4584-be7a-c8411cb01899"
```

Create `wiki/CredentialRouting.md`:

- Decision tree: SSH vs runtime secret vs identity vs authorization vs tunnel
- Per-subsystem links (OpenBao, flex-auth, key-cape, ops-bridge, railiance-infra)
- Explicit “do not ask ops-warden for API keys” examples
- Link from `SCOPE.md`, `INTENT.md`, `README.md`

**Done when:** A worker with no prior context can route a credential request in
under two minutes using this page alone.

### T2 — Actor inventory patterns

```task
id: WARDEN-WP-0006-T02
status: todo
priority: high
state_hub_task_id: "3816463d-7dfd-469d-9324-fd7880b50608"
```

Create `wiki/ActorInventoryPatterns.md` with standard patterns:

- Tunnel agents (`agt-*-bridge`)
- Kaizen / codex agents (`agt-codex-*`)
- CI automations (`atm-*`)
- Human admins (`adm-*`)
- TTL and principal narrowing guidance

Optional: `examples/inventory.seed.yaml` (non-secret, Git-safe template).

**Done when:** Adding a new dev worker actor does not require inventing naming
from scratch.

### T3 — NetKingdom cross-links (ops-warden side)

```task
id: WARDEN-WP-0006-T03
status: todo
priority: high
state_hub_task_id: "f158366a-5746-48b8-acce-472dce8f925e"
```

- Add `wiki/NetKingdomSecurityMap.md` — condensed literacy table from INTENT
- Update `registry/capabilities/capability.security.ssh-certificate-issuance.md`
summary to mention stewardship/routing
- Update `.claude/rules/repo-boundary.md` with NetKingdom routing table

**Done when:** ops-warden docs stand alone for NetKingdom operational access
orientation without reading net-kingdom first (but link to canon).

### T4 — NetKingdom canon patch (coordination)

```task
id: WARDEN-WP-0006-T04
status: todo
priority: medium
state_hub_task_id: "e40e4395-8f01-4f79-a539-d0de8e427321"
```

Coordinate updates in `net-kingdom` (separate commit/PR there):

- `docs/responsibility-map.md` — move ops-warden from pure out-of-scope to
**operational SSH credential dependency**
- `docs/platform-identity-security-architecture.md` — add Operational SSH Path
(ops-warden → ops-bridge → hosts)

**Done when:** NetKingdom canon names ops-warden’s lane; ops-warden wiki links
back to the updated sections.

**Note:** Requires `net-kingdom` repo write access; may need `needs_human` if
blocked on review.

### T5 — OpenBao SSH engine operational checklist

```task
id: WARDEN-WP-0006-T05
status: todo
priority: medium
state_hub_task_id: "a94e20a2-970b-4a0c-bd23-8510b841b938"
```

Create `wiki/OpenBaoSshEngineChecklist.md`:

- Prerequisites (OpenBao initialized/unsealed per railiance-platform)
- Role creation commands (from OpsWardenConfig)
- Token policy expectations (no root token in warden workflows)
- Verification: `warden sign` against production endpoint
- Failure modes and fallback boundaries

**Done when:** Operator can verify production SSH signing path without
reconstructing steps from multiple repos.

### T6 — Policy-gated signing design (design only)

```task
id: WARDEN-WP-0006-T06
status: todo
priority: low
state_hub_task_id: "b10a4b4d-bfa1-4f49-b6a5-f339f1e6a2e1"
```

Create `wiki/PolicyGatedSigning.md`:

- flex-auth decision before `warden sign` — proposed flow
- Claims needed from IAM Profile
- What stays inventory-based in v1 vs policy-based in v2
- Explicit non-implementation in this workplan

**Done when:** Reviewable design exists; no code dependency.

### T7 — Re-assess INTENT ↔ SCOPE

```task
id: WARDEN-WP-0006-T07
status: todo
priority: medium
state_hub_task_id: "ef8b5c57-2343-4cfc-9fee-48db1e56f69a"
```

After T1–T5 complete:

- Update `history/2026-06-17-intent-scope-assessment.md` or add
`history/YYYYMMDD-intent-scope-reassessment.md`
- Refresh SCOPE.md Current State and completeness notes
- Run `make fix-consistency REPO=ops-warden`

**Done when:** Completeness target C3+ documented with evidence.

---

## Acceptance Criteria

- [ ] `wiki/CredentialRouting.md` exists and is linked from README/SCOPE
- [ ] `wiki/ActorInventoryPatterns.md` exists
- [ ] `wiki/NetKingdomSecurityMap.md` exists
- [ ] NetKingdom responsibility-map recognizes ops-warden SSH lane (T4)
- [ ] OpenBao SSH checklist documented (T5)
- [ ] Policy-gated signing design drafted (T6)
- [ ] INTENT ↔ SCOPE re-assessment recorded (T7)
- [ ] `reuse-surface validate --root .` passes if registry entry changed
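Review bot: the Acceptance Criteria drift from the task definitions in three places and should be reconciled before this is marked `status: ready`. T1 requires `wiki/CredentialRouting.md` to be linked from `SCOPE.md`, `INTENT.md`, `README.md`, but the checkbox only reads "linked from README/SCOPE"; add INTENT.md to the checkbox or drop it from T1. T7 is gated on "After T1–T5 complete" while the criteria also require the T6 design to be drafted; either change the gate to T1–T6 or state that the re-assessment may land before T6. The placeholder `history/YYYYMMDD-intent-scope-reassessment.md` uses a different date layout from the existing `history/2026-06-17-intent-scope-assessment.md`; use `YYYY-MM-DD-` so the history directory sorts consistently. One security-relevant gap in T5: the verification step runs `warden sign` against the production endpoint, so the checklist should state which principal and TTL the verification certificate is issued with (the narrowing guidance T2 calls for) and where the resulting certificate is recorded, so a checklist run does not leave an unaccounted-for credential behind.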