feat(WP-0008): reassessment, task-status canon, archive hygiene

- Post-WP-0007 reassessment and SCOPE/README updates
- AGENTS.md + workplan-convention task status canon migration
- examples/warden.production.example.yaml for production OpenBao
- Archive WP-0004 through WP-0007 to workplans/archived/260617-*
- WP-0008 T1/T3/T4 done; T2/T5 wait on operator/flex-auth
2026-06-17 23:51:12 +02:00
parent 7e739a426d
commit e0adc10896
11 changed files with 159 additions and 40 deletions

@@ -58,7 +58,7 @@ Vault-compatible SSH secrets engine API, production).
- `wiki/NetKingdomSecurityMap.md` — NetKingdom component literacy
- `wiki/ActorInventoryPatterns.md` + `examples/inventory.seed.yaml`
- `wiki/OpenBaoSshEngineChecklist.md` — production SSH signing verify
- `wiki/PolicyGatedSigning.md` — flex-auth integration design
- `wiki/PolicyGatedSigning.md` — flex-auth integration (opt-in, WP-0007)
### Shipped (WARDEN-WP-0007)
@@ -66,11 +66,10 @@ Vault-compatible SSH secrets engine API, production).
- `policy_decision_id` in `signatures.log` when gate allows
- Production OpenBao health evidence (`history/2026-06-17-openbao-production-verify.md`)
### Planned (WARDEN-WP-0008)
### Active (WARDEN-WP-0008)
- End-to-end production OpenBao `warden sign` verification on Railiance
- Post-WP-0007 INTENT/SCOPE reassessment and archive hygiene
- State Hub task status canon in `AGENTS.md`
- End-to-end production OpenBao `warden sign` verification on Railiance (T2 — operator)
- `examples/warden.production.example.yaml` — production config template
- NK-WP-0009 SSH tutorial joint with net-kingdom (parallel)
---
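Review bot: the two items dropped from the WP-0008 list ("Post-WP-0007 INTENT/SCOPE reassessment and archive hygiene" and "State Hub task status canon in `AGENTS.md`") are not moved anywhere in this hunk, so the file no longer records them as delivered even though the commit message marks T1/T3/T4 done. Suggest adding a short done list under the WP-0008 heading, or tagging every remaining item with its task id the way the T2 line does; the commit message also says T5 waits on flex-auth, and no line here carries that tag.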
@@ -118,7 +117,7 @@ Vault-compatible SSH secrets engine API, production).
- **Stewardship docs:** WP-0006 complete — routing, inventory patterns, OpenBao checklist
- **Policy gate:** WP-0007 complete — opt-in flex-auth pre-sign
- **Active workplan:** WP-0008 — production SSH path verification and stewardship closeout
- **Gap reassessment:** `history/2026-06-17-intent-scope-reassessment.md` (pre-WP-0007)
- **Gap reassessment:** `history/2026-06-17-post-wp0007-reassessment.md`
---
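Review bot: on the "Gap reassessment" line the earlier `history/2026-06-17-intent-scope-reassessment.md` pointer is replaced outright and its "(pre-WP-0007)" qualifier disappears with it. Both files carry the same date, so consider keeping the older one as a second, labelled entry so a reader can follow the order of the two assessments.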
@@ -157,7 +156,7 @@ Downstream: `ops-bridge` (primary), kaizen agents, CI automations, human operato
| `ops-bridge` | Primary cert_command consumer |
| `railiance-infra` | Host-side SSH principals and hardening |
| `railiance-platform` | OpenBao deployment and platform secrets |
| `flex-auth` | Authorization; future pre-sign policy gate |
| `flex-auth` | Authorization; opt-in pre-sign policy gate (`policy.enabled`) |
| `key-cape` | Identity / IAM Profile lightweight mode |
| `state-hub` | Workstream registry |
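Review bot: the updated `flex-auth` row names `policy.enabled` but does not state its default value or what `warden sign` does when the gate is enabled and flex-auth cannot be reached. This table is the dependency summary, so suggest stating both here or pointing the row at `wiki/PolicyGatedSigning.md` for them.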
@@ -184,7 +183,8 @@ keywords: [ssh, certificate, ca, credential, warden, ops-warden, pki, openbao, v
| `SCOPE.md` | What is implemented today (this file) |
| `wiki/CredentialRouting.md` | Which subsystem for each credential need |
| `wiki/NetKingdomSecurityMap.md` | Platform security component map |
| `history/2026-06-17-intent-scope-reassessment.md` | Latest INTENT ↔ SCOPE assessment |
| `history/2026-06-17-post-wp0007-reassessment.md` | Latest INTENT ↔ SCOPE assessment |
| `examples/warden.production.example.yaml` | Production warden.yaml template |
| `wiki/AccessManagementDirective.md` | SSH actor model |
| `wiki/OpsWardenConfig.md` | warden.yaml and OpenBao |
| `wiki/CertCommandInterface.md` | cert_command contract |
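Review bot: the new `examples/warden.production.example.yaml` row calls the file a production template without saying that it holds placeholder values only or where its keys are explained. Suggest wording such as "Production warden.yaml template (placeholders; see `wiki/OpsWardenConfig.md`)", and checking before merge that the example file contains no real OpenBao address or token, since its contents are not part of this hunk.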