generated from coulomb/repo-seed
Implement WP-0022 audit trail and WP-0023 INTENT–SCOPE closeout
Add unified metadata-only audit.jsonl with secret-material guard, instrument sign/access/worker paths, and expose warden activity CLI. Surface broker hint when VAULT_TOKEN is unset, refresh INTENT/SCOPE docs, and add production integration checklists plus catalog lane promotion playbook.
33
SCOPE.md
@@ -59,9 +59,10 @@ contract smoke (`--sign-smoke`); the playbook leads with the gate and the pilot
|
||||
(`agt-state-hub-bridge`) is handed to ops-bridge. The live tunnel cutover is
|
||||
ops-bridge's to execute.
|
||||
|
||||
**INTENT alignment:** SSH issuance mission met in production. All ops-warden workplans
|
||||
are finished. Remaining distance is in other repos' lanes: ops-bridge running the
|
||||
cert_command pilot cutover, flex-auth runtime deployment (FLEX-WP-0007, unblocks
|
||||
**INTENT alignment:** SSH issuance mission met in production. ops-warden workplans
|
||||
through WP-0021 are finished; WP-0022 (audit) and WP-0023 (INTENT–SCOPE closeout)
|
||||
ship in July 2026. Remaining distance is in other repos' lanes: ops-bridge running
|
||||
the cert_command pilot cutover, flex-auth runtime deployment (FLEX-WP-0007, unblocks
|
||||
`policy.enabled: true`), and the owner-driven WP-0015 canon landing — plus ongoing
|
||||
operator hygiene.
|
||||
|
||||
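Review bot: In the rewritten INTENT alignment paragraph, "WP-0022 (audit) and WP-0023 (INTENT-SCOPE closeout) ship in July 2026" reads as present or future tense, while the later hunks of this same change file both workplans under "Recently shipped (July 2026)" and call them "shipped". Suggest "shipped in July 2026" here so SCOPE.md gives a single status for the two workplans.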
@@ -159,7 +160,11 @@ for the rest.
|
||||
`ops-warden-warden-sign-token` and playbook
|
||||
`wiki/playbooks/ops-warden-warden-sign-token.md` — routes `VAULT_TOKEN` needs to
|
||||
`railiance-platform/scripts/credential.py exec --grant ops-warden/warden-sign`
|
||||
(preferred over manual `export VAULT_TOKEN`)
|
||||
(preferred over manual `export VAULT_TOKEN`); `warden sign` emits broker hint when
|
||||
token env is unset (WP-0023)
|
||||
- **Unified audit trail** (WP-0022): append-only `audit.jsonl`, secret-material guard,
|
||||
instrumentation on sign/access/worker paths, `warden activity` CLI merging legacy
|
||||
logs + optional State Hub notes (`wiki/AuditTrail.md`)
|
||||
|
||||
### Stewardship (documentation and alignment)
|
||||
|
||||
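Review bot: The new "Unified audit trail" bullet lists "append-only `audit.jsonl`, secret-material guard" but omits the "metadata-only" property that the commit message and the `wiki/AuditTrail.md` row in the reference table both state. That property is what tells a reader no secret values are meant to reach the log, so add it to the bullet, for example "append-only, metadata-only `audit.jsonl`". The bullet also does not say whether "append-only" is enforced or is only a writer convention; one clause here, or a pointer to the relevant section of `wiki/AuditTrail.md`, would help anyone who relies on the log as evidence.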
@@ -189,12 +194,12 @@ for the rest.
|
||||
| WP-0015 | Workload security posture — two-axis standard, descriptors, conformance checker, dev doubles |
|
||||
| WP-0016 | ops-bridge cert_command pilot — readiness gate (`check_tunnel_cert_readiness.py`) + handoff |
|
||||
|
||||
### Active / ready
|
||||
### Recently shipped (July 2026)
|
||||
|
||||
| WP | Focus | Status |
|
||||
| --- | --- | --- |
|
||||
| WP-0022 | Unified audit trail + `warden activity` | `ready` |
|
||||
| WP-0023 | INTENT–SCOPE alignment closeout | `ready` |
|
||||
| WP | Focus |
|
||||
| --- | --- |
|
||||
| WP-0022 | Unified audit trail + `warden activity` |
|
||||
| WP-0023 | INTENT–SCOPE alignment closeout |
|
||||
|
||||
Remaining production distance is also in other repos' lanes (see Known gaps).
|
||||
|
||||
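Review bot: With the "### Active / ready" heading replaced by "### Recently shipped (July 2026)" and the Status column dropped, the unchanged closing sentence "Remaining production distance is also in other repos' lanes (see Known gaps)." no longer has anything for "also" to refer to, since no active ops-warden work is listed above it. Suggest dropping "also", or rewording the sentence to match the "none open in ops-warden" statement made in the status list further down.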
@@ -276,11 +281,15 @@ Remaining production distance is also in other repos' lanes (see Known gaps).
|
||||
`wiki/playbooks/ops-warden-warden-sign-token.md` (RAILIANCE-WP-0005 T08) — live
|
||||
`make credential-exec-ops-warden-smoke` proven 2026-07-01; manual `export VAULT_TOKEN`
|
||||
documented as fallback only
|
||||
- **Active work:** none open in ops-warden; remaining distance is other repos' lanes
|
||||
- **Audit + activity:** WP-0022 shipped — `warden activity`, `wiki/AuditTrail.md`
|
||||
- **INTENT closeout:** WP-0023 shipped — INTENT refresh, production flip/cutover
|
||||
checklists, catalog promotion cadence, broker hint on missing `VAULT_TOKEN`
|
||||
- **Active work:** none open in ops-warden after WP-0022/0023; remaining distance is
|
||||
other repos' lanes
|
||||
- **Integration docs:** cert_command migration, token hygiene (broker-first), principals
|
||||
drift (`wiki/playbooks/`)
|
||||
- **Latest assessment:** `history/2026-07-01-intent-scope-gap-analysis.md`
|
||||
- **Active workplans:** WP-0022 (audit), WP-0023 (INTENT–SCOPE closeout)
|
||||
- **Latest workplans:** WP-0022 (audit), WP-0023 (INTENT–SCOPE closeout) — shipped July 2026
|
||||
|
||||
---
|
||||
|
||||
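Review bot: The status list now states the WP-0022/WP-0023 outcome four times: "Audit + activity: WP-0022 shipped", "INTENT closeout: WP-0023 shipped", "Active work: none open in ops-warden after WP-0022/0023", and "Latest workplans: WP-0022 (audit), WP-0023 (INTENT-SCOPE closeout) ... shipped July 2026". The last bullet adds only the month, so consider dropping it and putting "July 2026" on the two "shipped" bullets; fewer copies means fewer places to go stale on the next closeout.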
@@ -376,6 +385,8 @@ keywords: [access, credential, secret, npm, token, api-key, openbao, key-cape, l
|
||||
| `wiki/OpsWardenConfig.md` | warden.yaml and OpenBao |
|
||||
| `wiki/playbooks/ops-warden-warden-sign-token.md` | Scoped `VAULT_TOKEN` via credential broker (preferred path) |
|
||||
| `wiki/playbooks/operator-openbao-token-hygiene.md` | Manual token fallback and hygiene rules |
|
||||
| `wiki/AuditTrail.md` | Unified metadata-only audit + `warden activity` |
|
||||
| `wiki/playbooks/catalog-lane-promotion.md` | draft → active catalog promotion checklist |
|
||||
| `wiki/CertCommandInterface.md` | cert_command contract |
|
||||
| `history/2026-07-01-intent-scope-gap-analysis.md` | Current INTENT↔SCOPE gap analysis |
|
||||
| `workplans/WARDEN-WP-0023-intent-scope-alignment-closeout.md` | Alignment closeout plan |
|
||||
|
||||
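Review bot: The reference table gains rows for `wiki/AuditTrail.md` and `wiki/playbooks/catalog-lane-promotion.md`, but the "production flip/cutover checklists" named in the WP-0023 status bullet and in the commit message get no row here. Add a row per checklist so an operator can reach them from SCOPE.md, or state in the WP-0023 row where they live.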