feat(WP-0008): reassessment, task-status canon, archive hygiene

- Post-WP-0007 reassessment and SCOPE/README updates
- AGENTS.md + workplan-convention task status canon migration
- examples/warden.production.example.yaml for production OpenBao
- Archive WP-0004 through WP-0007 to workplans/archived/260617-*
- WP-0008 T1/T3/T4 done; T2/T5 wait on operator/flex-auth
This commit is contained in:
2026-06-17 23:51:12 +02:00
parent 7e739a426d
commit e0adc10896
11 changed files with 159 additions and 40 deletions

View File

@@ -0,0 +1,93 @@
---
id: WARDEN-WP-0004
type: workplan
title: "OpsWarden Repo Hygiene and Hub Sync"
domain: custodian
repo: ops-warden
status: archived
owner: codex
topic_slug: custodian
created: "2026-06-17"
updated: "2026-06-17"
state_hub_workstream_id: "3c4b6e68-550a-4fc6-a804-95f1f68936c3"
---
# WARDEN-WP-0004 — Repo Hygiene and Hub Sync
**Scope:** Bring repo orientation docs and agent rules in line with the shipped
`warden` CLI (WARDEN-WP-0001 through 0003 complete). Archive finished workplans
and sync State Hub.
**Out of scope:** OpenBao doc alignment (WARDEN-WP-0005), capability registry
publish, task-status canon migration in AGENTS.md.
---
## Goal
After this workplan, a new agent session can orient from accurate local files
without reading stale "planned / scaffolding only" language, and State Hub
reflects archived workplan status.
---
## Tasks
### T1 — Update orientation docs
```task
id: WARDEN-WP-0004-T01
status: done
priority: high
state_hub_task_id: "f9d3926c-8637-411c-a477-2960b754704c"
```
- [x] `SCOPE.md` Current State reflects shipped CLI (v0.1.0, workplans 00010003 done)
- [x] `README.md` replaces repo-seed template with install, config, and dev commands
### T2 — Fill agent rules
```task
id: WARDEN-WP-0004-T02
status: done
priority: medium
state_hub_task_id: "86c764a5-62fc-45fe-a8d2-332d6554a976"
```
- [x] `.claude/rules/stack-and-commands.md` — stack and `uv` dev commands
- [x] `.claude/rules/architecture.md` — module layout and data flow
- [x] `.claude/rules/repo-boundary.md` — adjacent repo ownership
### T3 — Archive finished workplans
```task
id: WARDEN-WP-0004-T03
status: done
priority: medium
state_hub_task_id: "d3e54e63-ce98-4632-bc08-0e2667f19f12"
```
- [x] Move WARDEN-WP-0001/0002/0003 to `workplans/archived/` with date prefix
- [x] Set frontmatter `status: archived` on moved files
### T4 — Sync State Hub
```task
id: WARDEN-WP-0004-T04
status: done
priority: medium
state_hub_task_id: "51729695-262f-4fe4-9c38-f99ee046d32a"
```
- [x] Run `make fix-consistency REPO=ops-warden` from state-hub
- [x] Verify `.custodian-brief.md` reflects archived workstreams
---
## Acceptance Criteria
- [x] `SCOPE.md` no longer says "planned" or "scaffolding only"
- [x] `README.md` documents `uv sync`, `uv run pytest`, and `warden --help`
- [x] Agent rules have no empty TODO blocks for stack, architecture, or boundary
- [x] Only WARDEN-WP-0004 remains in `workplans/` root (archived plans moved)
- [x] `make fix-consistency REPO=ops-warden` completes without error

View File

@@ -0,0 +1,63 @@
---
id: WARDEN-WP-0005
type: workplan
title: "OpsWarden OpenBao-First Documentation Alignment"
domain: custodian
repo: ops-warden
status: archived
owner: codex
topic_slug: custodian
created: "2026-06-17"
updated: "2026-06-17"
state_hub_workstream_id: "57f6ebf8-0ef3-4686-9a73-3f9d38288be9"
---
# WARDEN-WP-0005 — OpenBao-First Documentation Alignment
**Scope:** Update ops-warden documentation so production guidance names OpenBao
as the platform secrets service while preserving the existing `backend: vault`
config surface (Vault-compatible SSH secrets engine API). No code changes.
**Out of scope:** VaultCA backend rewrite, OpenBao SSH engine deployment in
`railiance-platform`, AccessManagementDirective canon updates.
**Reference:** `RAIL-PL-WP-0002` — Railiance standardizes on OpenBao; ops-warden
follow-up noted 2026-05-17.
---
## Tasks
### T1 — OpsWardenConfig.md
```task
id: WARDEN-WP-0005-T01
status: done
priority: high
state_hub_task_id: "bbbc4dda-9634-4c04-86e5-94b96c021b43"
```
- [x] OpenBao-first production section with Railiance URLs and `bao` CLI examples
- [x] Explain `backend: vault` / `vault:` keys as Vault-compatible API abstraction
- [x] Link to `railiance-platform/docs/openbao.md`
### T2 — Cross-reference updates
```task
id: WARDEN-WP-0005-T02
status: done
priority: medium
state_hub_task_id: "6391cb82-896e-405a-a59b-36640e6480ba"
```
- [x] `SCOPE.md` Core Idea and In Scope — OpenBao-first, Vault-compatible
- [x] `wiki/CertCommandInterface.md` — caller-agnostic wording includes OpenBao
---
## Acceptance Criteria
- [x] Production config example uses OpenBao (`bao.coulomb.social` or in-cluster URL)
- [x] No reader is told HashiCorp Vault is the platform standard
- [x] `backend: vault` config shape unchanged (code compatibility preserved)
- [x] `uv run pytest` still passes (docs-only change)

View File

@@ -0,0 +1,138 @@
---
id: WARDEN-WP-0006
type: workplan
title: "NetKingdom Alignment and Operational Access Stewardship"
domain: custodian
repo: ops-warden
status: archived
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 6
created: "2026-06-17"
updated: "2026-06-17"
state_hub_workstream_id: "a5c9f24b-1ad4-46da-bc8e-b99897f8e302"
---
# WARDEN-WP-0006 — NetKingdom Alignment and Operational Access Stewardship
**Scope:** Close gaps identified in `history/2026-06-17-intent-scope-assessment.md`
between INTENT (operational access steward for NetKingdom security) and SCOPE
(shipped SSH CLI only). Documentation and alignment first; code changes limited
to optional CLI ergonomics.
**Out of scope:** flex-auth integration implementation, OpenBao cluster deploy,
universal credential broker, net-kingdom INTENT.md rewrite.
---
## Goal
After this workplan, a development worker or agent can:
1. Read ops-warden material and know **which NetKingdom subsystem** handles each
credential type.
2. Obtain **SSH certs** via documented actor patterns and production OpenBao path.
3. Find ops-warden recognized in **NetKingdom responsibility/platform** docs as
the operational SSH credential authority.
---
## Tasks
### T1 — Credential routing runbook
```task
id: WARDEN-WP-0006-T01
status: done
priority: high
state_hub_task_id: "ffc6a0c2-4312-4584-be7a-c8411cb01899"
```
- [x] `wiki/CredentialRouting.md` with decision tree and anti-examples
- [x] Linked from SCOPE, INTENT, README
### T2 — Actor inventory patterns
```task
id: WARDEN-WP-0006-T02
status: done
priority: high
state_hub_task_id: "3816463d-7dfd-469d-9324-fd7880b50608"
```
- [x] `wiki/ActorInventoryPatterns.md`
- [x] `examples/inventory.seed.yaml`
### T3 — NetKingdom cross-links (ops-warden side)
```task
id: WARDEN-WP-0006-T03
status: done
priority: high
state_hub_task_id: "f158366a-5746-48b8-acce-472dce8f925e"
```
- [x] `wiki/NetKingdomSecurityMap.md`
- [x] Registry capability stewardship summary
- [x] `.claude/rules/repo-boundary.md` routing table
### T4 — NetKingdom canon patch (coordination)
```task
id: WARDEN-WP-0006-T04
status: done
priority: medium
state_hub_task_id: "e40e4395-8f01-4f79-a539-d0de8e427321"
```
- [x] `net-kingdom/docs/responsibility-map.md` — Operational SSH dependency
- [x] `net-kingdom/docs/platform-identity-security-architecture.md` — Operational SSH Path
### T5 — OpenBao SSH engine operational checklist
```task
id: WARDEN-WP-0006-T05
status: done
priority: medium
state_hub_task_id: "a94e20a2-970b-4a0c-bd23-8510b841b938"
```
- [x] `wiki/OpenBaoSshEngineChecklist.md`
### T6 — Policy-gated signing design (design only)
```task
id: WARDEN-WP-0006-T06
status: done
priority: low
state_hub_task_id: "b10a4b4d-bfa1-4f49-b6a5-f339f1e6a2e1"
```
- [x] `wiki/PolicyGatedSigning.md`
### T7 — Re-assess INTENT ↔ SCOPE
```task
id: WARDEN-WP-0006-T07
status: done
priority: medium
state_hub_task_id: "ef8b5c57-2343-4cfc-9fee-48db1e56f69a"
```
- [x] `history/2026-06-17-intent-scope-reassessment.md`
- [x] SCOPE.md Current State updated
- [x] `make fix-consistency REPO=ops-warden`
---
## Acceptance Criteria
- [x] `wiki/CredentialRouting.md` exists and is linked from README/SCOPE
- [x] `wiki/ActorInventoryPatterns.md` exists
- [x] `wiki/NetKingdomSecurityMap.md` exists
- [x] NetKingdom responsibility-map recognizes ops-warden SSH lane (T4)
- [x] OpenBao SSH checklist documented (T5)
- [x] Policy-gated signing design drafted (T6)
- [x] INTENT ↔ SCOPE re-assessment recorded (T7)
- [x] `reuse-surface validate --root .` passes

View File

@@ -0,0 +1,86 @@
---
id: WARDEN-WP-0007
type: workplan
title: "Policy Gate and Production OpenBao Verification"
domain: custodian
repo: ops-warden
status: archived
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 7
created: "2026-06-17"
updated: "2026-06-17"
state_hub_workstream_id: "3718ac07-2fa2-47d0-a02a-c9a7b83a5ba9"
---
# WARDEN-WP-0007 — Policy Gate and Production OpenBao Verification
**Scope:** Record production OpenBao reachability evidence; implement opt-in
flex-auth policy gate before `warden sign` / `warden issue` per
`wiki/PolicyGatedSigning.md`.
**Out of scope:** flex-auth policy package authoring, OpenBao SSH engine mount
on Railiance (operator), identity claim requirement (v2.1).
---
## Tasks
### T1 — Production OpenBao verification evidence
```task
id: WARDEN-WP-0007-T01
status: done
priority: high
state_hub_task_id: "344540ad-5912-4118-b406-450b96e13c40"
```
- [x] Probe `https://bao.coulomb.social/v1/sys/health`
- [x] Document results in `history/2026-06-17-openbao-production-verify.md`
- [x] Note blockers for full `warden sign` (scoped token, SSH engine roles)
### T2 — Policy config and flex-auth client
```task
id: WARDEN-WP-0007-T02
status: done
priority: high
state_hub_task_id: "05424ddf-5fe9-43a1-a2f8-c47235a012c8"
```
- [x] `PolicyConfig` in `config.py` (`policy.enabled`, `flex_auth_url`, `fail_closed`)
- [x] `policy.py` — POST `/v1/check`, pubkey fingerprint, CAError on deny
### T3 — Wire policy gate into sign/issue
```task
id: WARDEN-WP-0007-T03
status: done
priority: high
state_hub_task_id: "f5ae8e6e-8cce-4526-b18c-0452a135af49"
```
- [x] Call policy check before `ca.sign()` when enabled
- [x] Store `policy_decision_id` in `signatures.log`
### T4 — Tests and docs
```task
id: WARDEN-WP-0007-T04
status: done
priority: medium
state_hub_task_id: "ea921d56-033b-4619-8032-61af7992e610"
```
- [x] `tests/test_policy.py`
- [x] Update `wiki/OpsWardenConfig.md`, `wiki/PolicyGatedSigning.md`
---
## Acceptance Criteria
- [x] Production health evidence recorded (non-secret)
- [x] `policy.enabled: false` default — no behavior change
- [x] `policy.enabled: true` calls flex-auth; deny blocks sign
- [x] All unit tests pass