feat(WP-0008): reassessment, task-status canon, archive hygiene

- Post-WP-0007 reassessment and SCOPE/README updates - AGENTS.md + workplan-convention task status canon migration - examples/warden.production.example.yaml for production OpenBao - Archive WP-0004 through WP-0007 to workplans/archived/260617-* - WP-0008 T1/T3/T4 done; T2/T5 wait on operator/flex-auth
2026-06-17 23:51:12 +02:00
parent 7e739a426d
commit e0adc10896
11 changed files with 159 additions and 40 deletions
--- a/.claude/rules/workplan-convention.md
+++ b/.claude/rules/workplan-convention.md
@@ -25,4 +25,24 @@ Ecosystem todos from other agents arrive as `[repo:ops-warden]` hub tasks —
 visible at session start. Pick one up by creating the workplan file, then registering
 the workstream.

+**Task block format** (one per `##` section in workplan files):
+
+```
+## Task Title
+
+```task
+id: WARDEN-WP-NNNN-T01
+status: wait | todo | progress | done | cancel
+priority: high | medium | low
+state_hub_task_id: "<uuid>"   # written by fix-consistency — do not edit
+```
+
+Task description text.
+```
+
+Canonical task statuses (State Hub InfoTechCanon): `wait`, `todo`, `progress`,
+`done`, `cancel`. Use `wait` for tasks blocked on external dependencies (not
+`blocked` — that alias maps to `wait` during migration). Progression:
+`todo` → `progress` → `done`.
+
 <!-- Ralph Loop rules and HEUREKA sequence: ~/.claude/CLAUDE.md — do not duplicate here -->
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -63,8 +63,9 @@ Omit `workstream_id` / `task_id` when not applicable.
 ```bash
 curl -s -X PATCH "http://127.0.0.1:8000/tasks/<task_id>" \
  -H "Content-Type: application/json" \
-  -d '{"status": "in_progress"}'
-# values: todo | in_progress | done | blocked
+  -d '{"status": "progress"}'
+# canonical values: wait | todo | progress | done | cancel
+# migration aliases (accepted during transition): blocked→wait, in_progress→progress
 ```

 ### Flag a task for human review
@@ -146,7 +147,7 @@ derived health labels, not frontmatter statuses.

 ` ` `task
 id: OPS-WP-NNNN-T01
-status: todo | in_progress | done | blocked
+status: wait | todo | progress | done | cancel
 priority: high | medium | low
 state_hub_task_id: "<uuid>"         # written by fix-consistency — do not edit
 ` ` `
@@ -154,7 +155,9 @@ state_hub_task_id: "<uuid>"         # written by fix-consistency — do not edit
 Task description text.
 ```

-Status progression: `todo` → `in_progress` → `done` (or `blocked`)
+Task status progression: `todo` → `progress` → `done` (or `wait` when blocked on
+external dependency, `cancel` when dropped). Workplan/workstream frontmatter
+statuses are separate and still include `blocked`.

 To create a new workplan:
 1. Write the file following the format above
--- a/README.md
+++ b/README.md
@@ -5,8 +5,8 @@ Signs short-lived certs for `adm` / `agt` / `atm` actors and exposes the
 `cert_command` interface consumed by `ops-bridge` and other tooling.

 See `INTENT.md` for direction, `SCOPE.md` for current implementation, and
-`wiki/AccessManagementDirective.md` for SSH policy. Gap analysis:
-`history/2026-06-17-intent-scope-assessment.md`.
+`wiki/AccessManagementDirective.md` for SSH policy. Latest gap analysis:
+`history/2026-06-17-post-wp0007-reassessment.md`.

 ## Install

@@ -35,7 +35,8 @@ warden scorecard
 ```

 Production uses the `vault` backend against OpenBao or HashiCorp Vault (Vault-compatible
-SSH secrets engine API). See `wiki/OpsWardenConfig.md`.
+SSH secrets engine API). Template: `examples/warden.production.example.yaml`.
+See `wiki/OpsWardenConfig.md` and `wiki/OpenBaoSshEngineChecklist.md`.

 ## Development

--- a/SCOPE.md
+++ b/SCOPE.md
@@ -58,7 +58,7 @@ Vault-compatible SSH secrets engine API, production).
 - `wiki/NetKingdomSecurityMap.md` — NetKingdom component literacy
 - `wiki/ActorInventoryPatterns.md` + `examples/inventory.seed.yaml`
 - `wiki/OpenBaoSshEngineChecklist.md` — production SSH signing verify
- `wiki/PolicyGatedSigning.md` — flex-auth integration design
+- `wiki/PolicyGatedSigning.md` — flex-auth integration (opt-in, WP-0007)

 ### Shipped (WARDEN-WP-0007)

@@ -66,11 +66,10 @@ Vault-compatible SSH secrets engine API, production).
 - `policy_decision_id` in `signatures.log` when gate allows
 - Production OpenBao health evidence (`history/2026-06-17-openbao-production-verify.md`)

-### Planned (WARDEN-WP-0008)
+### Active (WARDEN-WP-0008)

- End-to-end production OpenBao `warden sign` verification on Railiance
- Post-WP-0007 INTENT/SCOPE reassessment and archive hygiene
- State Hub task status canon in `AGENTS.md`
+- End-to-end production OpenBao `warden sign` verification on Railiance (T2 — operator)
+- `examples/warden.production.example.yaml` — production config template
 - NK-WP-0009 SSH tutorial joint with net-kingdom (parallel)

 ---
@@ -118,7 +117,7 @@ Vault-compatible SSH secrets engine API, production).
 - **Stewardship docs:** WP-0006 complete — routing, inventory patterns, OpenBao checklist
 - **Policy gate:** WP-0007 complete — opt-in flex-auth pre-sign
 - **Active workplan:** WP-0008 — production SSH path verification and stewardship closeout
- **Gap reassessment:** `history/2026-06-17-intent-scope-reassessment.md` (pre-WP-0007)
+- **Gap reassessment:** `history/2026-06-17-post-wp0007-reassessment.md`

 ---

@@ -157,7 +156,7 @@ Downstream: `ops-bridge` (primary), kaizen agents, CI automations, human operato
 | `ops-bridge` | Primary cert_command consumer |
 | `railiance-infra` | Host-side SSH principals and hardening |
 | `railiance-platform` | OpenBao deployment and platform secrets |
-| `flex-auth` | Authorization; future pre-sign policy gate |
+| `flex-auth` | Authorization; opt-in pre-sign policy gate (`policy.enabled`) |
 | `key-cape` | Identity / IAM Profile lightweight mode |
 | `state-hub` | Workstream registry |

@@ -184,7 +183,8 @@ keywords: [ssh, certificate, ca, credential, warden, ops-warden, pki, openbao, v
 | `SCOPE.md` | What is implemented today (this file) |
 | `wiki/CredentialRouting.md` | Which subsystem for each credential need |
 | `wiki/NetKingdomSecurityMap.md` | Platform security component map |
-| `history/2026-06-17-intent-scope-reassessment.md` | Latest INTENT ↔ SCOPE assessment |
+| `history/2026-06-17-post-wp0007-reassessment.md` | Latest INTENT ↔ SCOPE assessment |
+| `examples/warden.production.example.yaml` | Production warden.yaml template |
 | `wiki/AccessManagementDirective.md` | SSH actor model |
 | `wiki/OpsWardenConfig.md` | warden.yaml and OpenBao |
 | `wiki/CertCommandInterface.md` | cert_command contract |
--- a/examples/warden.production.example.yaml
+++ b/examples/warden.production.example.yaml
@@ -0,0 +1,25 @@
+# Non-secret production template — copy to ~/.config/warden/warden.yaml
+# Never commit tokens or CA private keys. See wiki/OpsWardenConfig.md
+
+backend: vault
+
+vault:
+  addr: https://bao.coulomb.social
+  mount: ssh
+  role_map:
+    adm: adm-role
+    agt: agt-role
+    atm: atm-role
+  token_env: VAULT_TOKEN
+
+inventory_path: ~/.config/warden/inventory.yaml
+state_dir: ~/.local/state/warden
+
+# Opt-in flex-auth gate — keep false until ssh-certificate policies exist
+policy:
+  enabled: false
+  flex_auth_url: http://127.0.0.1:8080
+  fail_closed: true
+  tenant: tenant:platform
+  subject_env: WARDEN_POLICY_SUBJECT
+  system: ops-warden
--- a/history/2026-06-17-post-wp0007-reassessment.md
+++ b/history/2026-06-17-post-wp0007-reassessment.md
@@ -0,0 +1,69 @@
+# INTENT ↔ SCOPE Reassessment — Post WP-0007
+
+**Date:** 2026-06-17  
+**Author:** codex  
+**Trigger:** WARDEN-WP-0007 complete; WARDEN-WP-0008 T1.  
+**Prior assessment:** `history/2026-06-17-intent-scope-reassessment.md`
+
+---
+
+## 1. Executive summary
+
+WARDEN-WP-0007 shipped the **opt-in flex-auth policy gate** (`policy.py`,
+`policy.enabled` in `warden.yaml`) and recorded **production OpenBao health**
+evidence (initialized, unsealed, v2.5.4). Signing behavior is unchanged when
+the gate is off (default). Production end-to-end `warden sign` against the SSH
+engine remains operator-verified — tracked in WARDEN-WP-0008 T2.
+
+**Vector movement:** `D5/A3/C3/R2` → **`D5/A3/C4/R2`**
+
+| Dimension | Was | Now | Notes |
+| --- | --- | --- | --- |
+| Discovery | D5 | D5 | Unchanged |
+| Availability | A3 | A3 | CLI + opt-in policy gate |
+| Completeness | C3 | **C4** | Policy gate coded; flex-auth policies external |
+| Reliability | R2 | R2 | Health probe yes; live sign pending operator token |
+
+---
+
+## 2. Deliverables (WP-0007)
+
+| Task | Deliverable | Status |
+| --- | --- | --- |
+| T1 | `history/2026-06-17-openbao-production-verify.md` | Done (health) |
+| T2 | `PolicyConfig`, `policy.py` | Done |
+| T3 | CLI wire-in, `policy_decision_id` in log | Done |
+| T4 | `tests/test_policy.py`, wiki updates | Done |
+
+---
+
+## 3. Success criteria (INTENT.md) — updated
+
+| Criterion | Was | Now |
+| --- | --- | --- |
+| Worker knows which subsystem for each credential type | Yes | Yes |
+| SSH access short-lived, inventoried, audited | Yes | **Yes** — + optional flex-auth correlation id |
+| ops-bridge integrates via cert_command | Yes | Yes |
+| NetKingdom evolution reflected in ops-warden docs | Yes | Yes |
+| Non-SSH secrets stay out of ops-warden | Yes | Yes |
+
+**Score: 5 yes** (live production sign is reliability, not INTENT criterion gap)
+
+---
+
+## 4. Remaining gaps (WP-0008)
+
+| Prio | Gap | Owner | Task |
+| --- | --- | --- | --- |
+| P1 | Production `warden sign` not executed | Operator | WP-0008 T2 |
+| P2 | flex-auth `ssh-certificate` policies | flex-auth | WP-0008 T5 |
+| P3 | NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel |
+| P4 | Task status canon in agent docs | ops-warden | WP-0008 T3 (done) |
+
+---
+
+## 5. Recommendation
+
+- **Completeness C4:** SSH lane + stewardship docs + opt-in policy gate shipped.
+- **Reliability R2→R3** when WP-0008 T2 records successful production sign evidence.
+- Keep `policy.enabled: false` in production until flex-auth policies exist (T5).
--- a/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md
+++ b/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md
@@ -4,7 +4,7 @@ type: workplan
 title: "Production SSH Path and Stewardship Closeout"
 domain: custodian
 repo: ops-warden
-status: ready
+status: active
 owner: codex
 topic_slug: custodian
 planning_priority: high
@@ -48,20 +48,20 @@ Move ops-warden from **documented + code-shipped** (WP-0006/0007) to

 ```task
 id: WARDEN-WP-0008-T01
-status: todo
+status: done
 priority: high
 state_hub_task_id: "05379da4-79d0-4742-8638-9e9565cccf72"
 ```

- [ ] Write `history/2026-06-17-post-wp0007-reassessment.md` (vector D5/A3/C4/R?)
- [ ] Update `SCOPE.md` — policy gate implemented, WP-0007 done, WP-0008 active
- [ ] Resolve remaining `PolicyGatedSigning.md (not implemented)` references in SCOPE/README
+- [x] Write `history/2026-06-17-post-wp0007-reassessment.md` (vector D5/A3/C4/R2)
+- [x] Update `SCOPE.md` — policy gate implemented, WP-0008 active
+- [x] Resolve remaining `PolicyGatedSigning.md (not implemented)` references in SCOPE/README

 ### T2 — Production OpenBao end-to-end sign verification

 ```task
 id: WARDEN-WP-0008-T02
-status: todo
+status: wait
 priority: high
 state_hub_task_id: "b1a1831d-b2b3-4204-95f6-04dc7f29f67c"
 ```
@@ -72,34 +72,34 @@ state_hub_task_id: "b1a1831d-b2b3-4204-95f6-04dc7f29f67c"
 - [ ] Append pass/fail evidence to `history/2026-06-17-openbao-production-verify.md`
 - [ ] Optional: cert_command smoke via ops-bridge tunnel (non-secret summary only)

-**Blocked until:** scoped token + SSH roles on Railiance OpenBao.
+**Blocked until:** scoped token + SSH roles on Railiance OpenBao. Operator guide in session notes.

 ### T3 — State Hub task status canon migration

 ```task
 id: WARDEN-WP-0008-T03
-status: todo
+status: done
 priority: medium
 state_hub_task_id: "876827c4-4a86-4e58-9a1f-ac87045dc903"
 ```

- [ ] Update `AGENTS.md` task status values and examples (`progress`, `wait`, `cancel`)
- [ ] Update `.claude/rules/workplan-convention.md` task block examples
- [ ] Mark state-hub interface change `649102a2-4373-4621-9848-cc257e67c262` resolved
- [ ] Reply to inbox message `c4072e5a-2afb-44ba-bfa2-7d4cb9979c6e` (read + note adaptation)
+- [x] Update `AGENTS.md` task status values and examples (`progress`, `wait`, `cancel`)
+- [x] Update `.claude/rules/workplan-convention.md` task block examples
+- [x] Mark state-hub interface change `649102a2-4373-4621-9848-cc257e67c262` resolved
+- [x] Reply to inbox message `c4072e5a-2afb-44ba-bfa2-7d4cb9979c6e` (read + note adaptation)

 ### T4 — Production config example and archive hygiene

 ```task
 id: WARDEN-WP-0008-T04
-status: todo
+status: done
 priority: medium
 state_hub_task_id: "75b9f366-3d7a-419d-98ad-bc10ab90a697"
 ```

- [ ] Add `examples/warden.production.example.yaml` (no secrets; OpenBao addr + policy off)
- [ ] Archive finished workplans → `workplans/archived/260617-WARDEN-WP-000{4,5,6,7}-*.md`
- [ ] `make fix-consistency REPO=ops-warden` after archive
+- [x] Add `examples/warden.production.example.yaml` (no secrets; OpenBao addr + policy off)
+- [x] Archive finished workplans → `workplans/archived/260617-WARDEN-WP-000{4,5,6,7}-*.md`
+- [x] `make fix-consistency REPO=ops-warden` after archive

 ### T5 — flex-auth policy gate production readiness (coordination)

@@ -120,11 +120,11 @@ state_hub_task_id: "03b412a5-5b99-42df-a154-733dd4156000"

 ## Acceptance Criteria

- [ ] Post-WP-0007 reassessment on file; SCOPE current
+- [x] Post-WP-0007 reassessment on file; SCOPE current
 - [ ] Production `warden sign` evidence recorded OR explicit operator blocker logged
- [ ] AGENTS.md uses canonical task statuses
- [ ] WP-0004–0007 archived; hub consistency pass
- [ ] Production example config committed (no secrets)
+- [x] AGENTS.md uses canonical task statuses
+- [x] WP-0004–0007 archived; hub consistency pass
+- [x] Production example config committed (no secrets)

 ---

@@ -141,6 +141,7 @@ state_hub_task_id: "03b412a5-5b99-42df-a154-733dd4156000"
 ## See also

 - `history/2026-06-17-openbao-production-verify.md` — health probe (WP-0007)
- `history/2026-06-17-intent-scope-reassessment.md` — pre-policy-gate assessment
+- `history/2026-06-17-post-wp0007-reassessment.md` — latest assessment
+- `examples/warden.production.example.yaml` — operator config template
 - `wiki/OpenBaoSshEngineChecklist.md`
 - `wiki/PolicyGatedSigning.md` — opt-in gate (implemented WP-0007)
--- a/workplans/archived/260617-WARDEN-WP-0004-repo-hygiene-and-hub-sync.md
+++ b/workplans/archived/260617-WARDEN-WP-0004-repo-hygiene-and-hub-sync.md
@@ -4,7 +4,7 @@ type: workplan
 title: "OpsWarden Repo Hygiene and Hub Sync"
 domain: custodian
 repo: ops-warden
-status: finished
+status: archived
 owner: codex
 topic_slug: custodian
 created: "2026-06-17"
--- a/workplans/archived/260617-WARDEN-WP-0005-openbao-doc-alignment.md
+++ b/workplans/archived/260617-WARDEN-WP-0005-openbao-doc-alignment.md
@@ -4,7 +4,7 @@ type: workplan
 title: "OpsWarden OpenBao-First Documentation Alignment"
 domain: custodian
 repo: ops-warden
-status: finished
+status: archived
 owner: codex
 topic_slug: custodian
 created: "2026-06-17"
--- a/workplans/archived/260617-WARDEN-WP-0006-netkingdom-alignment-and-access-stewardship.md
+++ b/workplans/archived/260617-WARDEN-WP-0006-netkingdom-alignment-and-access-stewardship.md
@@ -4,7 +4,7 @@ type: workplan
 title: "NetKingdom Alignment and Operational Access Stewardship"
 domain: custodian
 repo: ops-warden
-status: finished
+status: archived
 owner: codex
 topic_slug: custodian
 planning_priority: high
--- a/workplans/archived/260617-WARDEN-WP-0007-policy-gate-and-production-verify.md
+++ b/workplans/archived/260617-WARDEN-WP-0007-policy-gate-and-production-verify.md
@@ -4,7 +4,7 @@ type: workplan
 title: "Policy Gate and Production OpenBao Verification"
 domain: custodian
 repo: ops-warden
-status: finished
+status: archived
 owner: codex
 topic_slug: custodian
 planning_priority: high