From e0adc1089678cc6def63f65c36d7953d3c71b151 Mon Sep 17 00:00:00 2001 From: tegwick Date: Wed, 17 Jun 2026 23:51:12 +0200 Subject: [PATCH] feat(WP-0008): reassessment, task-status canon, archive hygiene - Post-WP-0007 reassessment and SCOPE/README updates - AGENTS.md + workplan-convention task status canon migration - examples/warden.production.example.yaml for production OpenBao - Archive WP-0004 through WP-0007 to workplans/archived/260617-* - WP-0008 T1/T3/T4 done; T2/T5 wait on operator/flex-auth --- .claude/rules/workplan-convention.md | 20 ++++++ AGENTS.md | 11 +-- README.md | 7 +- SCOPE.md | 16 ++--- examples/warden.production.example.yaml | 25 +++++++ .../2026-06-17-post-wp0007-reassessment.md | 69 +++++++++++++++++++ ...ction-ssh-path-and-stewardship-closeout.md | 43 ++++++------ ...RDEN-WP-0004-repo-hygiene-and-hub-sync.md} | 2 +- ...7-WARDEN-WP-0005-openbao-doc-alignment.md} | 2 +- ...ngdom-alignment-and-access-stewardship.md} | 2 +- ...0007-policy-gate-and-production-verify.md} | 2 +- 11 files changed, 159 insertions(+), 40 deletions(-) create mode 100644 examples/warden.production.example.yaml create mode 100644 history/2026-06-17-post-wp0007-reassessment.md rename workplans/{WARDEN-WP-0004-repo-hygiene-and-hub-sync.md => archived/260617-WARDEN-WP-0004-repo-hygiene-and-hub-sync.md} (99%) rename workplans/{WARDEN-WP-0005-openbao-doc-alignment.md => archived/260617-WARDEN-WP-0005-openbao-doc-alignment.md} (99%) rename workplans/{WARDEN-WP-0006-netkingdom-alignment-and-access-stewardship.md => archived/260617-WARDEN-WP-0006-netkingdom-alignment-and-access-stewardship.md} (99%) rename workplans/{WARDEN-WP-0007-policy-gate-and-production-verify.md => archived/260617-WARDEN-WP-0007-policy-gate-and-production-verify.md} (99%) diff --git a/.claude/rules/workplan-convention.md b/.claude/rules/workplan-convention.md index 24b4c94..eb48e85 100644 --- a/.claude/rules/workplan-convention.md +++ b/.claude/rules/workplan-convention.md 
@@ -25,4 +25,24 @@ Ecosystem todos from other agents arrive as `[repo:ops-warden]` hub tasks — visible at session start. Pick one up by creating the workplan file, then registering the workstream. +**Task block format** (one per `##` section in workplan files): + +``` +## Task Title + +```task +id: WARDEN-WP-NNNN-T01 +status: wait | todo | progress | done | cancel +priority: high | medium | low +state_hub_task_id: "" # written by fix-consistency — do not edit +``` + +Task description text. +``` + +Canonical task statuses (State Hub InfoTechCanon): `wait`, `todo`, `progress`, +`done`, `cancel`. Use `wait` for tasks blocked on external dependencies (not +`blocked` — that alias maps to `wait` during migration). Progression: +`todo` → `progress` → `done`. + diff --git a/AGENTS.md b/AGENTS.md index ef9a107..59aa8e4 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -63,8 +63,9 @@ Omit `workstream_id` / `task_id` when not applicable. ```bash curl -s -X PATCH "http://127.0.0.1:8000/tasks/" \ -H "Content-Type: application/json" \ - -d '{"status": "in_progress"}' -# values: todo | in_progress | done | blocked + -d '{"status": "progress"}' +# canonical values: wait | todo | progress | done | cancel +# migration aliases (accepted during transition): blocked→wait, in_progress→progress ``` ### Flag a task for human review @@ -146,7 +147,7 @@ derived health labels, not frontmatter statuses. ` ` `task id: OPS-WP-NNNN-T01 -status: todo | in_progress | done | blocked +status: wait | todo | progress | done | cancel priority: high | medium | low state_hub_task_id: "" # written by fix-consistency — do not edit ` ` ` 
@@ -154,7 +155,9 @@ state_hub_task_id: "" # written by fix-consistency — do not edit Task description text. ``` -Status progression: `todo` → `in_progress` → `done` (or `blocked`) +Task status progression: `todo` → `progress` → `done` (or `wait` when blocked on +external dependency, `cancel` when dropped). Workplan/workstream frontmatter +statuses are separate and still include `blocked`. To create a new workplan: 1. Write the file following the format above diff --git a/README.md b/README.md index b0912ec..f29fb31 100644 --- a/README.md +++ b/README.md @@ -5,8 +5,8 @@ Signs short-lived certs for `adm` / `agt` / `atm` actors and exposes the `cert_command` interface consumed by `ops-bridge` and other tooling. See `INTENT.md` for direction, `SCOPE.md` for current implementation, and -`wiki/AccessManagementDirective.md` for SSH policy. Gap analysis: -`history/2026-06-17-intent-scope-assessment.md`. +`wiki/AccessManagementDirective.md` for SSH policy. Latest gap analysis: +`history/2026-06-17-post-wp0007-reassessment.md`. ## Install @@ -35,7 +35,8 @@ warden scorecard ``` Production uses the `vault` backend against OpenBao or HashiCorp Vault (Vault-compatible -SSH secrets engine API). See `wiki/OpsWardenConfig.md`. +SSH secrets engine API). Template: `examples/warden.production.example.yaml`. +See `wiki/OpsWardenConfig.md` and `wiki/OpenBaoSshEngineChecklist.md`. ## Development diff --git a/SCOPE.md b/SCOPE.md index 1b98a31..7b8e3eb 100644 --- a/SCOPE.md +++ b/SCOPE.md @@ -58,7 +58,7 @@ Vault-compatible SSH secrets engine API, production). - `wiki/NetKingdomSecurityMap.md` — NetKingdom component literacy - `wiki/ActorInventoryPatterns.md` + `examples/inventory.seed.yaml` - `wiki/OpenBaoSshEngineChecklist.md` — production SSH signing verify -- `wiki/PolicyGatedSigning.md` — flex-auth integration design +- `wiki/PolicyGatedSigning.md` — flex-auth integration (opt-in, WP-0007) ### Shipped (WARDEN-WP-0007) 
@@ -66,11 +66,10 @@ Vault-compatible SSH secrets engine API, production). - `policy_decision_id` in `signatures.log` when gate allows - Production OpenBao health evidence (`history/2026-06-17-openbao-production-verify.md`) -### Planned (WARDEN-WP-0008) +### Active (WARDEN-WP-0008) -- End-to-end production OpenBao `warden sign` verification on Railiance -- Post-WP-0007 INTENT/SCOPE reassessment and archive hygiene -- State Hub task status canon in `AGENTS.md` +- End-to-end production OpenBao `warden sign` verification on Railiance (T2 — operator) +- `examples/warden.production.example.yaml` — production config template - NK-WP-0009 SSH tutorial joint with net-kingdom (parallel) --- @@ -118,7 +117,7 @@ Vault-compatible SSH secrets engine API, production). - **Stewardship docs:** WP-0006 complete — routing, inventory patterns, OpenBao checklist - **Policy gate:** WP-0007 complete — opt-in flex-auth pre-sign - **Active workplan:** WP-0008 — production SSH path verification and stewardship closeout -- **Gap reassessment:** `history/2026-06-17-intent-scope-reassessment.md` (pre-WP-0007) +- **Gap reassessment:** `history/2026-06-17-post-wp0007-reassessment.md` --- @@ -157,7 +156,7 @@ Downstream: `ops-bridge` (primary), kaizen agents, CI automations, human operato | `ops-bridge` | Primary cert_command consumer | | `railiance-infra` | Host-side SSH principals and hardening | | `railiance-platform` | OpenBao deployment and platform secrets | -| `flex-auth` | Authorization; future pre-sign policy gate | +| `flex-auth` | Authorization; opt-in pre-sign policy gate (`policy.enabled`) | | `key-cape` | Identity / IAM Profile lightweight mode | | `state-hub` | Workstream registry | 
@@ -184,7 +183,8 @@ keywords: [ssh, certificate, ca, credential, warden, ops-warden, pki, openbao, v | `SCOPE.md` | What is implemented today (this file) | | `wiki/CredentialRouting.md` | Which subsystem for each credential need | | `wiki/NetKingdomSecurityMap.md` | Platform security component map | -| `history/2026-06-17-intent-scope-reassessment.md` | Latest INTENT ↔ SCOPE assessment | +| `history/2026-06-17-post-wp0007-reassessment.md` | Latest INTENT ↔ SCOPE assessment | +| `examples/warden.production.example.yaml` | Production warden.yaml template | | `wiki/AccessManagementDirective.md` | SSH actor model | | `wiki/OpsWardenConfig.md` | warden.yaml and OpenBao | | `wiki/CertCommandInterface.md` | cert_command contract | diff --git a/examples/warden.production.example.yaml b/examples/warden.production.example.yaml new file mode 100644 index 0000000..80a9fbc --- /dev/null +++ b/examples/warden.production.example.yaml @@ -0,0 +1,25 @@ +# Non-secret production template — copy to ~/.config/warden/warden.yaml +# Never commit tokens or CA private keys. See wiki/OpsWardenConfig.md + +backend: vault + +vault: + addr: https://bao.coulomb.social + mount: ssh + role_map: + adm: adm-role + agt: agt-role + atm: atm-role + token_env: VAULT_TOKEN + +inventory_path: ~/.config/warden/inventory.yaml +state_dir: ~/.local/state/warden + +# Opt-in flex-auth gate — keep false until ssh-certificate policies exist +policy: + enabled: false + flex_auth_url: http://127.0.0.1:8080 + fail_closed: true + tenant: tenant:platform + subject_env: WARDEN_POLICY_SUBJECT + system: ops-warden \ No newline at end of file diff --git a/history/2026-06-17-post-wp0007-reassessment.md b/history/2026-06-17-post-wp0007-reassessment.md new file mode 100644 index 0000000..d6317f7 --- /dev/null +++ b/history/2026-06-17-post-wp0007-reassessment.md 
@@ -0,0 +1,69 @@ +# INTENT ↔ SCOPE Reassessment — Post WP-0007 + +**Date:** 2026-06-17 +**Author:** codex +**Trigger:** WARDEN-WP-0007 complete; WARDEN-WP-0008 T1. +**Prior assessment:** `history/2026-06-17-intent-scope-reassessment.md` + +--- + +## 1. Executive summary + +WARDEN-WP-0007 shipped the **opt-in flex-auth policy gate** (`policy.py`, +`policy.enabled` in `warden.yaml`) and recorded **production OpenBao health** +evidence (initialized, unsealed, v2.5.4). Signing behavior is unchanged when +the gate is off (default). Production end-to-end `warden sign` against the SSH +engine remains operator-verified — tracked in WARDEN-WP-0008 T2. + +**Vector movement:** `D5/A3/C3/R2` → **`D5/A3/C4/R2`** + +| Dimension | Was | Now | Notes | +| --- | --- | --- | --- | +| Discovery | D5 | D5 | Unchanged | +| Availability | A3 | A3 | CLI + opt-in policy gate | +| Completeness | C3 | **C4** | Policy gate coded; flex-auth policies external | +| Reliability | R2 | R2 | Health probe yes; live sign pending operator token | + +--- + +## 2. Deliverables (WP-0007) + +| Task | Deliverable | Status | +| --- | --- | --- | +| T1 | `history/2026-06-17-openbao-production-verify.md` | Done (health) | +| T2 | `PolicyConfig`, `policy.py` | Done | +| T3 | CLI wire-in, `policy_decision_id` in log | Done | +| T4 | `tests/test_policy.py`, wiki updates | Done | + +--- + +## 3. Success criteria (INTENT.md) — updated + +| Criterion | Was | Now | +| --- | --- | --- | +| Worker knows which subsystem for each credential type | Yes | Yes | +| SSH access short-lived, inventoried, audited | Yes | **Yes** — + optional flex-auth correlation id | +| ops-bridge integrates via cert_command | Yes | Yes | +| NetKingdom evolution reflected in ops-warden docs | Yes | Yes | +| Non-SSH secrets stay out of ops-warden | Yes | Yes | + +**Score: 5 yes** (live production sign is reliability, not INTENT criterion gap) + +--- + +## 4. 
Remaining gaps (WP-0008) + +| Prio | Gap | Owner | Task | +| --- | --- | --- | --- | +| P1 | Production `warden sign` not executed | Operator | WP-0008 T2 | +| P2 | flex-auth `ssh-certificate` policies | flex-auth | WP-0008 T5 | +| P3 | NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel | +| P4 | Task status canon in agent docs | ops-warden | WP-0008 T3 (done) | + +--- + +## 5. Recommendation + +- **Completeness C4:** SSH lane + stewardship docs + opt-in policy gate shipped. +- **Reliability R2→R3** when WP-0008 T2 records successful production sign evidence. +- Keep `policy.enabled: false` in production until flex-auth policies exist (T5). \ No newline at end of file diff --git a/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md b/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md index a6bb50e..178e243 100644 --- a/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md +++ b/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md @@ -4,7 +4,7 @@ type: workplan title: "Production SSH Path and Stewardship Closeout" domain: custodian repo: ops-warden -status: ready +status: active owner: codex topic_slug: custodian planning_priority: high 
@@ -48,20 +48,20 @@ Move ops-warden from **documented + code-shipped** (WP-0006/0007) to ```task id: WARDEN-WP-0008-T01 -status: todo +status: done priority: high state_hub_task_id: "05379da4-79d0-4742-8638-9e9565cccf72" ``` -- [ ] Write `history/2026-06-17-post-wp0007-reassessment.md` (vector D5/A3/C4/R?) -- [ ] Update `SCOPE.md` — policy gate implemented, WP-0007 done, WP-0008 active -- [ ] Resolve remaining `PolicyGatedSigning.md (not implemented)` references in SCOPE/README +- [x] Write `history/2026-06-17-post-wp0007-reassessment.md` (vector D5/A3/C4/R2) +- [x] Update `SCOPE.md` — policy gate implemented, WP-0008 active +- [x] Resolve remaining `PolicyGatedSigning.md (not implemented)` references in SCOPE/README ### T2 — Production OpenBao end-to-end sign verification ```task id: WARDEN-WP-0008-T02 -status: todo +status: wait priority: high state_hub_task_id: "b1a1831d-b2b3-4204-95f6-04dc7f29f67c" ``` 
@@ -72,34 +72,34 @@ state_hub_task_id: "b1a1831d-b2b3-4204-95f6-04dc7f29f67c" - [ ] Append pass/fail evidence to `history/2026-06-17-openbao-production-verify.md` - [ ] Optional: cert_command smoke via ops-bridge tunnel (non-secret summary only) -**Blocked until:** scoped token + SSH roles on Railiance OpenBao. +**Blocked until:** scoped token + SSH roles on Railiance OpenBao. Operator guide in session notes. ### T3 — State Hub task status canon migration ```task id: WARDEN-WP-0008-T03 -status: todo +status: done priority: medium state_hub_task_id: "876827c4-4a86-4e58-9a1f-ac87045dc903" ``` -- [ ] Update `AGENTS.md` task status values and examples (`progress`, `wait`, `cancel`) -- [ ] Update `.claude/rules/workplan-convention.md` task block examples -- [ ] Mark state-hub interface change `649102a2-4373-4621-9848-cc257e67c262` resolved -- [ ] Reply to inbox message `c4072e5a-2afb-44ba-bfa2-7d4cb9979c6e` (read + note adaptation) +- [x] Update `AGENTS.md` task status values and examples (`progress`, `wait`, `cancel`) +- [x] Update `.claude/rules/workplan-convention.md` task block examples +- [x] Mark state-hub interface change `649102a2-4373-4621-9848-cc257e67c262` resolved +- [x] Reply to inbox message `c4072e5a-2afb-44ba-bfa2-7d4cb9979c6e` (read + note adaptation) ### T4 — Production config example and archive hygiene ```task id: WARDEN-WP-0008-T04 -status: todo +status: done priority: medium state_hub_task_id: "75b9f366-3d7a-419d-98ad-bc10ab90a697" ``` -- [ ] Add `examples/warden.production.example.yaml` (no secrets; OpenBao addr + policy off) -- [ ] Archive finished workplans → `workplans/archived/260617-WARDEN-WP-000{4,5,6,7}-*.md` -- [ ] `make fix-consistency REPO=ops-warden` after archive +- [x] Add `examples/warden.production.example.yaml` (no secrets; OpenBao addr + policy off) +- [x] Archive finished workplans → `workplans/archived/260617-WARDEN-WP-000{4,5,6,7}-*.md` +- [x] `make fix-consistency REPO=ops-warden` after archive ### T5 — flex-auth policy gate 
production readiness (coordination) @@ -120,11 +120,11 @@ state_hub_task_id: "03b412a5-5b99-42df-a154-733dd4156000" ## Acceptance Criteria -- [ ] Post-WP-0007 reassessment on file; SCOPE current +- [x] Post-WP-0007 reassessment on file; SCOPE current - [ ] Production `warden sign` evidence recorded OR explicit operator blocker logged -- [ ] AGENTS.md uses canonical task statuses -- [ ] WP-0004–0007 archived; hub consistency pass -- [ ] Production example config committed (no secrets) +- [x] AGENTS.md uses canonical task statuses +- [x] WP-0004–0007 archived; hub consistency pass +- [x] Production example config committed (no secrets) --- @@ -141,6 +141,7 @@ state_hub_task_id: "03b412a5-5b99-42df-a154-733dd4156000" ## See also - `history/2026-06-17-openbao-production-verify.md` — health probe (WP-0007) -- `history/2026-06-17-intent-scope-reassessment.md` — pre-policy-gate assessment +- `history/2026-06-17-post-wp0007-reassessment.md` — latest assessment +- `examples/warden.production.example.yaml` — operator config template - `wiki/OpenBaoSshEngineChecklist.md` - `wiki/PolicyGatedSigning.md` — opt-in gate (implemented WP-0007) \ No newline at end of file diff --git a/workplans/WARDEN-WP-0004-repo-hygiene-and-hub-sync.md b/workplans/archived/260617-WARDEN-WP-0004-repo-hygiene-and-hub-sync.md similarity index 99% rename from workplans/WARDEN-WP-0004-repo-hygiene-and-hub-sync.md rename to workplans/archived/260617-WARDEN-WP-0004-repo-hygiene-and-hub-sync.md index 93cedf8..911948e 100644 --- a/workplans/WARDEN-WP-0004-repo-hygiene-and-hub-sync.md +++ b/workplans/archived/260617-WARDEN-WP-0004-repo-hygiene-and-hub-sync.md @@ -4,7 +4,7 @@ type: workplan title: "OpsWarden Repo Hygiene and Hub Sync" domain: custodian repo: ops-warden -status: finished +status: archived owner: codex topic_slug: custodian created: "2026-06-17" 
diff --git a/workplans/WARDEN-WP-0005-openbao-doc-alignment.md b/workplans/archived/260617-WARDEN-WP-0005-openbao-doc-alignment.md similarity index 99% rename from workplans/WARDEN-WP-0005-openbao-doc-alignment.md rename to workplans/archived/260617-WARDEN-WP-0005-openbao-doc-alignment.md index 34334a0..9f92860 100644 --- a/workplans/WARDEN-WP-0005-openbao-doc-alignment.md +++ b/workplans/archived/260617-WARDEN-WP-0005-openbao-doc-alignment.md @@ -4,7 +4,7 @@ type: workplan title: "OpsWarden OpenBao-First Documentation Alignment" domain: custodian repo: ops-warden -status: finished +status: archived owner: codex topic_slug: custodian created: "2026-06-17" diff --git a/workplans/WARDEN-WP-0006-netkingdom-alignment-and-access-stewardship.md b/workplans/archived/260617-WARDEN-WP-0006-netkingdom-alignment-and-access-stewardship.md similarity index 99% rename from workplans/WARDEN-WP-0006-netkingdom-alignment-and-access-stewardship.md rename to workplans/archived/260617-WARDEN-WP-0006-netkingdom-alignment-and-access-stewardship.md index 9d12ba8..1496995 100644 --- a/workplans/WARDEN-WP-0006-netkingdom-alignment-and-access-stewardship.md +++ b/workplans/archived/260617-WARDEN-WP-0006-netkingdom-alignment-and-access-stewardship.md @@ -4,7 +4,7 @@ type: workplan title: "NetKingdom Alignment and Operational Access Stewardship" domain: custodian repo: ops-warden -status: finished +status: archived owner: codex topic_slug: custodian planning_priority: high diff --git a/workplans/WARDEN-WP-0007-policy-gate-and-production-verify.md b/workplans/archived/260617-WARDEN-WP-0007-policy-gate-and-production-verify.md similarity index 99% rename from workplans/WARDEN-WP-0007-policy-gate-and-production-verify.md rename to workplans/archived/260617-WARDEN-WP-0007-policy-gate-and-production-verify.md index 947b23b..9506043 100644 --- a/workplans/WARDEN-WP-0007-policy-gate-and-production-verify.md +++ b/workplans/archived/260617-WARDEN-WP-0007-policy-gate-and-production-verify.md 
@@ -4,7 +4,7 @@ type: workplan title: "Policy Gate and Production OpenBao Verification" domain: custodian repo: ops-warden -status: finished +status: archived owner: codex topic_slug: custodian planning_priority: high
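Review bot: in the `.claude/rules/workplan-convention.md` hunk (`@@ -25,4 +25,24 @@`) the task block example nests a ```task fence inside a plain ``` fence, so most Markdown renderers will close the outer block at the inner closing ``` and render `Task description text.` and the final ``` as stray text. Open the outer example with a four-backtick fence (````) and close it the same way, or indent the whole example by four spaces, so the inner ```task fence survives intact.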
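Review bot: in the `AGENTS.md` hunk (`@@ -63,8 +63,9 @@`) the new comment `# migration aliases (accepted during transition): blocked→wait, in_progress→progress` gives readers no way to know when the aliases go away; cite the state-hub interface change `649102a2-4373-4621-9848-cc257e67c262` that the WP-0008 T3 checklist marks resolved, so the alias line can be retired with it. Also confirm the unchanged context line `curl -s -X PATCH "http://127.0.0.1:8000/tasks/"` is meant to have no task id segment; a PATCH to the collection path does not address a single task, so a `<task_id>` placeholder may have been lost from the example.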
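Review bot: in the `AGENTS.md` hunk (`@@ -154,7 +155,9 @@`) the new sentence "Workplan/workstream frontmatter statuses are separate and still include `blocked`" introduces a second status vocabulary without listing it. The rename hunks in this same patch move four workplans from `status: finished` to `status: archived` and WP-0008 from `status: ready` to `status: active`, so readers will meet at least `ready`, `active`, `finished`, `archived` and `blocked`; spell out that frontmatter set in one line next to the task canon so the two vocabularies are not conflated when someone edits a task block.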
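Review bot: in the new `examples/warden.production.example.yaml` the file ends with `\ No newline at end of file`; add the trailing newline so `git diff` and YAML linters stay quiet. The template correctly keeps the token out of the file via `token_env: VAULT_TOKEN` and ships the gate as `enabled: false` with `fail_closed: true`, but `flex_auth_url: http://127.0.0.1:8080` is plaintext and only acceptable as a loopback sidecar; add a comment beside it that a remote flex-auth endpoint must be `https`, since `fail_closed: true` is only meaningful if the allow/deny decision cannot be tampered with in transit.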
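Review bot: in the WP-0008 workplan hunk (`@@ -72,34 +72,34 @@`) the T2 blocker line now reads "Operator guide in session notes", which points at material that is not in the repository; the task is `status: wait` on an external operator, so the guide is the one artifact that person needs. Commit it to a durable location, for example an operator section in `wiki/OpenBaoSshEngineChecklist.md` or a `history/` note, and reference that path here, together with the evidence file the checklist already names (`history/2026-06-17-openbao-production-verify.md`).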
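Review bot: in the new `history/2026-06-17-post-wp0007-reassessment.md` the file also lacks a trailing newline (`\ No newline at end of file`). In section 5 the line "**Reliability R2→R3** when WP-0008 T2 records successful production sign evidence" should name where that evidence is expected to land, so a later reader can verify the upgrade without opening the workplan; the T2 checklist in this patch already specifies `history/2026-06-17-openbao-production-verify.md` as the append target.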