generated from coulomb/repo-seed
feat(WP-0008): reassessment, task-status canon, archive hygiene
- Post-WP-0007 reassessment and SCOPE/README updates
- AGENTS.md + workplan-convention task status canon migration
- examples/warden.production.example.yaml for production OpenBao
- Archive WP-0004 through WP-0007 to workplans/archived/260617-*
- WP-0008 T1/T3/T4 done; T2/T5 wait on operator/flex-auth
@@ -0,0 +1,93 @@
---
id: WARDEN-WP-0004
type: workplan
title: "OpsWarden Repo Hygiene and Hub Sync"
domain: custodian
repo: ops-warden
status: archived
owner: codex
topic_slug: custodian
created: "2026-06-17"
updated: "2026-06-17"
state_hub_workstream_id: "3c4b6e68-550a-4fc6-a804-95f1f68936c3"
---
# WARDEN-WP-0004 — Repo Hygiene and Hub Sync
**Scope:** Bring repo orientation docs and agent rules in line with the shipped
`warden` CLI (WARDEN-WP-0001 through 0003 complete). Archive finished workplans
and sync State Hub.
**Out of scope:** OpenBao doc alignment (WARDEN-WP-0005), capability registry
publish, task-status canon migration in AGENTS.md.
---
## Goal
After this workplan, a new agent session can orient from accurate local files
without reading stale "planned / scaffolding only" language, and State Hub
reflects archived workplan status.
---
## Tasks
### T1 — Update orientation docs
```task
id: WARDEN-WP-0004-T01
status: done
priority: high
state_hub_task_id: "f9d3926c-8637-411c-a477-2960b754704c"
```
- [x] `SCOPE.md` Current State reflects shipped CLI (v0.1.0, workplans 0001–0003 done)
- [x] `README.md` replaces repo-seed template with install, config, and dev commands
### T2 — Fill agent rules
```task
id: WARDEN-WP-0004-T02
status: done
priority: medium
state_hub_task_id: "86c764a5-62fc-45fe-a8d2-332d6554a976"
```
- [x] `.claude/rules/stack-and-commands.md` — stack and `uv` dev commands
- [x] `.claude/rules/architecture.md` — module layout and data flow
- [x] `.claude/rules/repo-boundary.md` — adjacent repo ownership
### T3 — Archive finished workplans
```task
id: WARDEN-WP-0004-T03
status: done
priority: medium
state_hub_task_id: "d3e54e63-ce98-4632-bc08-0e2667f19f12"
```
- [x] Move WARDEN-WP-0001/0002/0003 to `workplans/archived/` with date prefix
- [x] Set frontmatter `status: archived` on moved files
### T4 — Sync State Hub
```task
id: WARDEN-WP-0004-T04
status: done
priority: medium
state_hub_task_id: "51729695-262f-4fe4-9c38-f99ee046d32a"
```
- [x] Run `make fix-consistency REPO=ops-warden` from state-hub
- [x] Verify `.custodian-brief.md` reflects archived workstreams
---
## Acceptance Criteria
- [x] `SCOPE.md` no longer says "planned" or "scaffolding only"
- [x] `README.md` documents `uv sync`, `uv run pytest`, and `warden --help`
- [x] Agent rules have no empty TODO blocks for stack, architecture, or boundary
- [x] Only WARDEN-WP-0004 remains in `workplans/` root (archived plans moved)
- [x] `make fix-consistency REPO=ops-warden` completes without error
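Review bot: the acceptance criterion "Only WARDEN-WP-0004 remains in `workplans/` root (archived plans moved)" stops being true the moment this file itself is archived, which is exactly what this commit does (`workplans/archived/260617-*` per the commit message), yet the frontmatter is re-stamped `status: archived` and `updated: "2026-06-17"` while the body still asserts live repository state. Either phrase such self-referential criteria as point-in-time ("at completion, only WP-0004 remained in `workplans/`") before archiving, or leave archived bodies untouched as history and change only the frontmatter; mixing the two leaves a record that contradicts the tree it sits in.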
@@ -0,0 +1,63 @@
---
id: WARDEN-WP-0005
type: workplan
title: "OpsWarden OpenBao-First Documentation Alignment"
domain: custodian
repo: ops-warden
status: archived
owner: codex
topic_slug: custodian
created: "2026-06-17"
updated: "2026-06-17"
state_hub_workstream_id: "57f6ebf8-0ef3-4686-9a73-3f9d38288be9"
---
# WARDEN-WP-0005 — OpenBao-First Documentation Alignment
**Scope:** Update ops-warden documentation so production guidance names OpenBao
as the platform secrets service while preserving the existing `backend: vault`
config surface (Vault-compatible SSH secrets engine API). No code changes.
**Out of scope:** VaultCA backend rewrite, OpenBao SSH engine deployment in
`railiance-platform`, AccessManagementDirective canon updates.
**Reference:** `RAIL-PL-WP-0002` — Railiance standardizes on OpenBao; ops-warden
follow-up noted 2026-05-17.
---
## Tasks
### T1 — OpsWardenConfig.md
```task
id: WARDEN-WP-0005-T01
status: done
priority: high
state_hub_task_id: "bbbc4dda-9634-4c04-86e5-94b96c021b43"
```
- [x] OpenBao-first production section with Railiance URLs and `bao` CLI examples
- [x] Explain `backend: vault` / `vault:` keys as Vault-compatible API abstraction
- [x] Link to `railiance-platform/docs/openbao.md`
### T2 — Cross-reference updates
```task
id: WARDEN-WP-0005-T02
status: done
priority: medium
state_hub_task_id: "6391cb82-896e-405a-a59b-36640e6480ba"
```
- [x] `SCOPE.md` Core Idea and In Scope — OpenBao-first, Vault-compatible
- [x] `wiki/CertCommandInterface.md` — caller-agnostic wording includes OpenBao
---
## Acceptance Criteria
- [x] Production config example uses OpenBao (`bao.coulomb.social` or in-cluster URL)
- [x] No reader is told HashiCorp Vault is the platform standard
- [x] `backend: vault` config shape unchanged (code compatibility preserved)
- [x] `uv run pytest` still passes (docs-only change)
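Review bot: the acceptance criterion "No reader is told HashiCorp Vault is the platform standard" is a judgement call that nobody can re-check later; pair it with a mechanical condition, for example that `HashiCorp Vault` does not appear in `wiki/` or `SCOPE.md` outside the one paragraph that explains the `backend: vault` compatibility shim. The same section should also record which OpenBao release the `bao` CLI examples and the "Vault-compatible SSH secrets engine API" claim were written against, because API compatibility is a property of a specific server version, and the remaining criterion, `uv run pytest` passing on a docs-only change, says nothing about it.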
@@ -0,0 +1,138 @@
---
id: WARDEN-WP-0006
type: workplan
title: "NetKingdom Alignment and Operational Access Stewardship"
domain: custodian
repo: ops-warden
status: archived
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 6
created: "2026-06-17"
updated: "2026-06-17"
state_hub_workstream_id: "a5c9f24b-1ad4-46da-bc8e-b99897f8e302"
---
# WARDEN-WP-0006 — NetKingdom Alignment and Operational Access Stewardship
**Scope:** Close gaps identified in `history/2026-06-17-intent-scope-assessment.md`
between INTENT (operational access steward for NetKingdom security) and SCOPE
(shipped SSH CLI only). Documentation and alignment first; code changes limited
to optional CLI ergonomics.
**Out of scope:** flex-auth integration implementation, OpenBao cluster deploy,
universal credential broker, net-kingdom INTENT.md rewrite.
---
## Goal
After this workplan, a development worker or agent can:
1. Read ops-warden material and know **which NetKingdom subsystem** handles each
credential type.
2. Obtain **SSH certs** via documented actor patterns and production OpenBao path.
3. Find ops-warden recognized in **NetKingdom responsibility/platform** docs as
the operational SSH credential authority.
---
## Tasks
### T1 — Credential routing runbook
```task
id: WARDEN-WP-0006-T01
status: done
priority: high
state_hub_task_id: "ffc6a0c2-4312-4584-be7a-c8411cb01899"
```
- [x] `wiki/CredentialRouting.md` with decision tree and anti-examples
- [x] Linked from SCOPE, INTENT, README
### T2 — Actor inventory patterns
```task
id: WARDEN-WP-0006-T02
status: done
priority: high
state_hub_task_id: "3816463d-7dfd-469d-9324-fd7880b50608"
```
- [x] `wiki/ActorInventoryPatterns.md`
- [x] `examples/inventory.seed.yaml`
### T3 — NetKingdom cross-links (ops-warden side)
```task
id: WARDEN-WP-0006-T03
status: done
priority: high
state_hub_task_id: "f158366a-5746-48b8-acce-472dce8f925e"
```
- [x] `wiki/NetKingdomSecurityMap.md`
- [x] Registry capability stewardship summary
- [x] `.claude/rules/repo-boundary.md` routing table
### T4 — NetKingdom canon patch (coordination)
```task
id: WARDEN-WP-0006-T04
status: done
priority: medium
state_hub_task_id: "e40e4395-8f01-4f79-a539-d0de8e427321"
```
- [x] `net-kingdom/docs/responsibility-map.md` — Operational SSH dependency
- [x] `net-kingdom/docs/platform-identity-security-architecture.md` — Operational SSH Path
### T5 — OpenBao SSH engine operational checklist
```task
id: WARDEN-WP-0006-T05
status: done
priority: medium
state_hub_task_id: "a94e20a2-970b-4a0c-bd23-8510b841b938"
```
- [x] `wiki/OpenBaoSshEngineChecklist.md`
### T6 — Policy-gated signing design (design only)
```task
id: WARDEN-WP-0006-T06
status: done
priority: low
state_hub_task_id: "b10a4b4d-bfa1-4f49-b6a5-f339f1e6a2e1"
```
- [x] `wiki/PolicyGatedSigning.md`
### T7 — Re-assess INTENT ↔ SCOPE
```task
id: WARDEN-WP-0006-T07
status: done
priority: medium
state_hub_task_id: "ef8b5c57-2343-4cfc-9fee-48db1e56f69a"
```
- [x] `history/2026-06-17-intent-scope-reassessment.md`
- [x] SCOPE.md Current State updated
- [x] `make fix-consistency REPO=ops-warden`
---
## Acceptance Criteria
- [x] `wiki/CredentialRouting.md` exists and is linked from README/SCOPE
- [x] `wiki/ActorInventoryPatterns.md` exists
- [x] `wiki/NetKingdomSecurityMap.md` exists
- [x] NetKingdom responsibility-map recognizes ops-warden SSH lane (T4)
- [x] OpenBao SSH checklist documented (T5)
- [x] Policy-gated signing design drafted (T6)
- [x] INTENT ↔ SCOPE re-assessment recorded (T7)
- [x] `reuse-surface validate --root .` passes
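Review bot: T4 ticks `net-kingdom/docs/responsibility-map.md` and `net-kingdom/docs/platform-identity-security-architecture.md` as done, but both files live in another repository, so nothing in this diff lets a reviewer confirm that status; put the net-kingdom commit or PR reference beside those checkboxes, and the same for the acceptance criterion "NetKingdom responsibility-map recognizes ops-warden SSH lane (T4)", otherwise the archived record asserts a cross-repo change it cannot evidence. A smaller consistency point: this frontmatter carries `planning_priority` and `planning_order`, which the WP-0004 and WP-0005 files archived in the same commit do not, so the archived set does not share one schema.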
@@ -0,0 +1,86 @@
---
id: WARDEN-WP-0007
type: workplan
title: "Policy Gate and Production OpenBao Verification"
domain: custodian
repo: ops-warden
status: archived
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 7
created: "2026-06-17"
updated: "2026-06-17"
state_hub_workstream_id: "3718ac07-2fa2-47d0-a02a-c9a7b83a5ba9"
---
# WARDEN-WP-0007 — Policy Gate and Production OpenBao Verification
**Scope:** Record production OpenBao reachability evidence; implement opt-in
flex-auth policy gate before `warden sign` / `warden issue` per
`wiki/PolicyGatedSigning.md`.
**Out of scope:** flex-auth policy package authoring, OpenBao SSH engine mount
on Railiance (operator), identity claim requirement (v2.1).
---
## Tasks
### T1 — Production OpenBao verification evidence
```task
id: WARDEN-WP-0007-T01
status: done
priority: high
state_hub_task_id: "344540ad-5912-4118-b406-450b96e13c40"
```
- [x] Probe `https://bao.coulomb.social/v1/sys/health`
- [x] Document results in `history/2026-06-17-openbao-production-verify.md`
- [x] Note blockers for full `warden sign` (scoped token, SSH engine roles)
### T2 — Policy config and flex-auth client
```task
id: WARDEN-WP-0007-T02
status: done
priority: high
state_hub_task_id: "05424ddf-5fe9-43a1-a2f8-c47235a012c8"
```
- [x] `PolicyConfig` in `config.py` (`policy.enabled`, `flex_auth_url`, `fail_closed`)
- [x] `policy.py` — POST `/v1/check`, pubkey fingerprint, CAError on deny
### T3 — Wire policy gate into sign/issue
```task
id: WARDEN-WP-0007-T03
status: done
priority: high
state_hub_task_id: "f5ae8e6e-8cce-4526-b18c-0452a135af49"
```
- [x] Call policy check before `ca.sign()` when enabled
- [x] Store `policy_decision_id` in `signatures.log`
### T4 — Tests and docs
```task
id: WARDEN-WP-0007-T04
status: done
priority: medium
state_hub_task_id: "ea921d56-033b-4619-8032-61af7992e610"
```
- [x] `tests/test_policy.py`
- [x] Update `wiki/OpsWardenConfig.md`, `wiki/PolicyGatedSigning.md`
---
## Acceptance Criteria
- [x] Production health evidence recorded (non-secret)
- [x] `policy.enabled: false` default — no behavior change
- [x] `policy.enabled: true` calls flex-auth; deny blocks sign
- [x] All unit tests pass
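Review bot: T2 introduces `fail_closed` in `PolicyConfig`, but the acceptance criteria only cover `policy.enabled: false` (no behaviour change) and `policy.enabled: true` with an explicit deny from flex-auth. The case that decides whether this is a real gate is the policy service being unreachable or timing out on `POST /v1/check`: add criteria that with `fail_closed: true` an unreachable flex-auth blocks `warden sign` / `warden issue`, and that with `fail_closed: false` the signature proceeds and the `signatures.log` entry records that no decision was obtained rather than carrying an empty `policy_decision_id`, so the two outcomes stay distinguishable in the audit trail. On T1, the `https://bao.coulomb.social/v1/sys/health` probe is recorded as evidence, but `history/2026-06-17-openbao-production-verify.md` should also state whether the response was obtained over a verified TLS chain; an unauthenticated health probe that ignored certificate validation would not establish the endpoint identity that `warden sign` later trusts for certificate issuance.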