feat(WP-0008): reassessment, task-status canon, archive hygiene

- Post-WP-0007 reassessment and SCOPE/README updates
- AGENTS.md + workplan-convention task status canon migration
- examples/warden.production.example.yaml for production OpenBao
- Archive WP-0004 through WP-0007 to workplans/archived/260617-*
- WP-0008 T1/T3/T4 done; T2/T5 wait on operator/flex-auth
This commit is contained in:
2026-06-17 23:51:12 +02:00
parent 7e739a426d
commit e0adc10896
11 changed files with 159 additions and 40 deletions

View File

@@ -25,4 +25,24 @@ Ecosystem todos from other agents arrive as `[repo:ops-warden]` hub tasks —
visible at session start. Pick one up by creating the workplan file, then registering visible at session start. Pick one up by creating the workplan file, then registering
the workstream. the workstream.
**Task block format** (one per `##` section in workplan files):
```
## Task Title
```task
id: WARDEN-WP-NNNN-T01
status: wait | todo | progress | done | cancel
priority: high | medium | low
state_hub_task_id: "<uuid>" # written by fix-consistency — do not edit
```
Task description text.
```
Canonical task statuses (State Hub InfoTechCanon): `wait`, `todo`, `progress`,
`done`, `cancel`. Use `wait` for tasks blocked on external dependencies (not
`blocked` — that alias maps to `wait` during migration). Progression:
`todo` → `progress` → `done`.
<!-- Ralph Loop rules and HEUREKA sequence: ~/.claude/CLAUDE.md — do not duplicate here --> <!-- Ralph Loop rules and HEUREKA sequence: ~/.claude/CLAUDE.md — do not duplicate here -->

View File

@@ -63,8 +63,9 @@ Omit `workstream_id` / `task_id` when not applicable.
```bash ```bash
curl -s -X PATCH "http://127.0.0.1:8000/tasks/<task_id>" \ curl -s -X PATCH "http://127.0.0.1:8000/tasks/<task_id>" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
-d '{"status": "in_progress"}' -d '{"status": "progress"}'
# values: todo | in_progress | done | blocked # canonical values: wait | todo | progress | done | cancel
# migration aliases (accepted during transition): blocked→wait, in_progress→progress
``` ```
### Flag a task for human review ### Flag a task for human review
@@ -146,7 +147,7 @@ derived health labels, not frontmatter statuses.
` ` `task ` ` `task
id: OPS-WP-NNNN-T01 id: OPS-WP-NNNN-T01
status: todo | in_progress | done | blocked status: wait | todo | progress | done | cancel
priority: high | medium | low priority: high | medium | low
state_hub_task_id: "<uuid>" # written by fix-consistency — do not edit state_hub_task_id: "<uuid>" # written by fix-consistency — do not edit
` ` ` ` ` `
@@ -154,7 +155,9 @@ state_hub_task_id: "<uuid>" # written by fix-consistency — do not edit
Task description text. Task description text.
``` ```
Status progression: `todo` → `in_progress` → `done` (or `blocked`) Task status progression: `todo` → `progress` → `done` (or `wait` when blocked on
external dependency, `cancel` when dropped). Workplan/workstream frontmatter
statuses are separate and still include `blocked`.
To create a new workplan: To create a new workplan:
1. Write the file following the format above 1. Write the file following the format above

View File

@@ -5,8 +5,8 @@ Signs short-lived certs for `adm` / `agt` / `atm` actors and exposes the
`cert_command` interface consumed by `ops-bridge` and other tooling. `cert_command` interface consumed by `ops-bridge` and other tooling.
See `INTENT.md` for direction, `SCOPE.md` for current implementation, and See `INTENT.md` for direction, `SCOPE.md` for current implementation, and
`wiki/AccessManagementDirective.md` for SSH policy. Gap analysis: `wiki/AccessManagementDirective.md` for SSH policy. Latest gap analysis:
`history/2026-06-17-intent-scope-assessment.md`. `history/2026-06-17-post-wp0007-reassessment.md`.
## Install ## Install
@@ -35,7 +35,8 @@ warden scorecard
``` ```
Production uses the `vault` backend against OpenBao or HashiCorp Vault (Vault-compatible Production uses the `vault` backend against OpenBao or HashiCorp Vault (Vault-compatible
SSH secrets engine API). See `wiki/OpsWardenConfig.md`. SSH secrets engine API). Template: `examples/warden.production.example.yaml`.
See `wiki/OpsWardenConfig.md` and `wiki/OpenBaoSshEngineChecklist.md`.
## Development ## Development

View File

@@ -58,7 +58,7 @@ Vault-compatible SSH secrets engine API, production).
- `wiki/NetKingdomSecurityMap.md` — NetKingdom component literacy - `wiki/NetKingdomSecurityMap.md` — NetKingdom component literacy
- `wiki/ActorInventoryPatterns.md` + `examples/inventory.seed.yaml` - `wiki/ActorInventoryPatterns.md` + `examples/inventory.seed.yaml`
- `wiki/OpenBaoSshEngineChecklist.md` — production SSH signing verify - `wiki/OpenBaoSshEngineChecklist.md` — production SSH signing verify
- `wiki/PolicyGatedSigning.md` — flex-auth integration design - `wiki/PolicyGatedSigning.md` — flex-auth integration (opt-in, WP-0007)
### Shipped (WARDEN-WP-0007) ### Shipped (WARDEN-WP-0007)
@@ -66,11 +66,10 @@ Vault-compatible SSH secrets engine API, production).
- `policy_decision_id` in `signatures.log` when gate allows - `policy_decision_id` in `signatures.log` when gate allows
- Production OpenBao health evidence (`history/2026-06-17-openbao-production-verify.md`) - Production OpenBao health evidence (`history/2026-06-17-openbao-production-verify.md`)
### Planned (WARDEN-WP-0008) ### Active (WARDEN-WP-0008)
- End-to-end production OpenBao `warden sign` verification on Railiance - End-to-end production OpenBao `warden sign` verification on Railiance (T2 — operator)
- Post-WP-0007 INTENT/SCOPE reassessment and archive hygiene - `examples/warden.production.example.yaml` — production config template
- State Hub task status canon in `AGENTS.md`
- NK-WP-0009 SSH tutorial joint with net-kingdom (parallel) - NK-WP-0009 SSH tutorial joint with net-kingdom (parallel)
--- ---
@@ -118,7 +117,7 @@ Vault-compatible SSH secrets engine API, production).
- **Stewardship docs:** WP-0006 complete — routing, inventory patterns, OpenBao checklist - **Stewardship docs:** WP-0006 complete — routing, inventory patterns, OpenBao checklist
- **Policy gate:** WP-0007 complete — opt-in flex-auth pre-sign - **Policy gate:** WP-0007 complete — opt-in flex-auth pre-sign
- **Active workplan:** WP-0008 — production SSH path verification and stewardship closeout - **Active workplan:** WP-0008 — production SSH path verification and stewardship closeout
- **Gap reassessment:** `history/2026-06-17-intent-scope-reassessment.md` (pre-WP-0007) - **Gap reassessment:** `history/2026-06-17-post-wp0007-reassessment.md`
--- ---
@@ -157,7 +156,7 @@ Downstream: `ops-bridge` (primary), kaizen agents, CI automations, human operato
| `ops-bridge` | Primary cert_command consumer | | `ops-bridge` | Primary cert_command consumer |
| `railiance-infra` | Host-side SSH principals and hardening | | `railiance-infra` | Host-side SSH principals and hardening |
| `railiance-platform` | OpenBao deployment and platform secrets | | `railiance-platform` | OpenBao deployment and platform secrets |
| `flex-auth` | Authorization; future pre-sign policy gate | | `flex-auth` | Authorization; opt-in pre-sign policy gate (`policy.enabled`) |
| `key-cape` | Identity / IAM Profile lightweight mode | | `key-cape` | Identity / IAM Profile lightweight mode |
| `state-hub` | Workstream registry | | `state-hub` | Workstream registry |
@@ -184,7 +183,8 @@ keywords: [ssh, certificate, ca, credential, warden, ops-warden, pki, openbao, v
| `SCOPE.md` | What is implemented today (this file) | | `SCOPE.md` | What is implemented today (this file) |
| `wiki/CredentialRouting.md` | Which subsystem for each credential need | | `wiki/CredentialRouting.md` | Which subsystem for each credential need |
| `wiki/NetKingdomSecurityMap.md` | Platform security component map | | `wiki/NetKingdomSecurityMap.md` | Platform security component map |
| `history/2026-06-17-intent-scope-reassessment.md` | Latest INTENT ↔ SCOPE assessment | | `history/2026-06-17-post-wp0007-reassessment.md` | Latest INTENT ↔ SCOPE assessment |
| `examples/warden.production.example.yaml` | Production warden.yaml template |
| `wiki/AccessManagementDirective.md` | SSH actor model | | `wiki/AccessManagementDirective.md` | SSH actor model |
| `wiki/OpsWardenConfig.md` | warden.yaml and OpenBao | | `wiki/OpsWardenConfig.md` | warden.yaml and OpenBao |
| `wiki/CertCommandInterface.md` | cert_command contract | | `wiki/CertCommandInterface.md` | cert_command contract |

View File

@@ -0,0 +1,25 @@
# Non-secret production template — copy to ~/.config/warden/warden.yaml
# Never commit tokens or CA private keys. See wiki/OpsWardenConfig.md
backend: vault
vault:
addr: https://bao.coulomb.social
mount: ssh
role_map:
adm: adm-role
agt: agt-role
atm: atm-role
token_env: VAULT_TOKEN
inventory_path: ~/.config/warden/inventory.yaml
state_dir: ~/.local/state/warden
# Opt-in flex-auth gate — keep false until ssh-certificate policies exist
policy:
enabled: false
flex_auth_url: http://127.0.0.1:8080
fail_closed: true
tenant: tenant:platform
subject_env: WARDEN_POLICY_SUBJECT
system: ops-warden

View File

@@ -0,0 +1,69 @@
# INTENT ↔ SCOPE Reassessment — Post WP-0007
**Date:** 2026-06-17
**Author:** codex
**Trigger:** WARDEN-WP-0007 complete; WARDEN-WP-0008 T1.
**Prior assessment:** `history/2026-06-17-intent-scope-reassessment.md`
---
## 1. Executive summary
WARDEN-WP-0007 shipped the **opt-in flex-auth policy gate** (`policy.py`,
`policy.enabled` in `warden.yaml`) and recorded **production OpenBao health**
evidence (initialized, unsealed, v2.5.4). Signing behavior is unchanged when
the gate is off (default). Production end-to-end `warden sign` against the SSH
engine remains operator-verified — tracked in WARDEN-WP-0008 T2.
**Vector movement:** `D5/A3/C3/R2`**`D5/A3/C4/R2`**
| Dimension | Was | Now | Notes |
| --- | --- | --- | --- |
| Discovery | D5 | D5 | Unchanged |
| Availability | A3 | A3 | CLI + opt-in policy gate |
| Completeness | C3 | **C4** | Policy gate coded; flex-auth policies external |
| Reliability | R2 | R2 | Health probe yes; live sign pending operator token |
---
## 2. Deliverables (WP-0007)
| Task | Deliverable | Status |
| --- | --- | --- |
| T1 | `history/2026-06-17-openbao-production-verify.md` | Done (health) |
| T2 | `PolicyConfig`, `policy.py` | Done |
| T3 | CLI wire-in, `policy_decision_id` in log | Done |
| T4 | `tests/test_policy.py`, wiki updates | Done |
---
## 3. Success criteria (INTENT.md) — updated
| Criterion | Was | Now |
| --- | --- | --- |
| Worker knows which subsystem for each credential type | Yes | Yes |
| SSH access short-lived, inventoried, audited | Yes | **Yes** — + optional flex-auth correlation id |
| ops-bridge integrates via cert_command | Yes | Yes |
| NetKingdom evolution reflected in ops-warden docs | Yes | Yes |
| Non-SSH secrets stay out of ops-warden | Yes | Yes |
**Score: 5 yes** (live production sign is reliability, not INTENT criterion gap)
---
## 4. Remaining gaps (WP-0008)
| Prio | Gap | Owner | Task |
| --- | --- | --- | --- |
| P1 | Production `warden sign` not executed | Operator | WP-0008 T2 |
| P2 | flex-auth `ssh-certificate` policies | flex-auth | WP-0008 T5 |
| P3 | NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel |
| P4 | Task status canon in agent docs | ops-warden | WP-0008 T3 (done) |
---
## 5. Recommendation
- **Completeness C4:** SSH lane + stewardship docs + opt-in policy gate shipped.
- **Reliability R2→R3** when WP-0008 T2 records successful production sign evidence.
- Keep `policy.enabled: false` in production until flex-auth policies exist (T5).

View File

@@ -4,7 +4,7 @@ type: workplan
title: "Production SSH Path and Stewardship Closeout" title: "Production SSH Path and Stewardship Closeout"
domain: custodian domain: custodian
repo: ops-warden repo: ops-warden
status: ready status: active
owner: codex owner: codex
topic_slug: custodian topic_slug: custodian
planning_priority: high planning_priority: high
@@ -48,20 +48,20 @@ Move ops-warden from **documented + code-shipped** (WP-0006/0007) to
```task ```task
id: WARDEN-WP-0008-T01 id: WARDEN-WP-0008-T01
status: todo status: done
priority: high priority: high
state_hub_task_id: "05379da4-79d0-4742-8638-9e9565cccf72" state_hub_task_id: "05379da4-79d0-4742-8638-9e9565cccf72"
``` ```
- [ ] Write `history/2026-06-17-post-wp0007-reassessment.md` (vector D5/A3/C4/R?) - [x] Write `history/2026-06-17-post-wp0007-reassessment.md` (vector D5/A3/C4/R2)
- [ ] Update `SCOPE.md` — policy gate implemented, WP-0007 done, WP-0008 active - [x] Update `SCOPE.md` — policy gate implemented, WP-0008 active
- [ ] Resolve remaining `PolicyGatedSigning.md (not implemented)` references in SCOPE/README - [x] Resolve remaining `PolicyGatedSigning.md (not implemented)` references in SCOPE/README
### T2 — Production OpenBao end-to-end sign verification ### T2 — Production OpenBao end-to-end sign verification
```task ```task
id: WARDEN-WP-0008-T02 id: WARDEN-WP-0008-T02
status: todo status: wait
priority: high priority: high
state_hub_task_id: "b1a1831d-b2b3-4204-95f6-04dc7f29f67c" state_hub_task_id: "b1a1831d-b2b3-4204-95f6-04dc7f29f67c"
``` ```
@@ -72,34 +72,34 @@ state_hub_task_id: "b1a1831d-b2b3-4204-95f6-04dc7f29f67c"
- [ ] Append pass/fail evidence to `history/2026-06-17-openbao-production-verify.md` - [ ] Append pass/fail evidence to `history/2026-06-17-openbao-production-verify.md`
- [ ] Optional: cert_command smoke via ops-bridge tunnel (non-secret summary only) - [ ] Optional: cert_command smoke via ops-bridge tunnel (non-secret summary only)
**Blocked until:** scoped token + SSH roles on Railiance OpenBao. **Blocked until:** scoped token + SSH roles on Railiance OpenBao. Operator guide in session notes.
### T3 — State Hub task status canon migration ### T3 — State Hub task status canon migration
```task ```task
id: WARDEN-WP-0008-T03 id: WARDEN-WP-0008-T03
status: todo status: done
priority: medium priority: medium
state_hub_task_id: "876827c4-4a86-4e58-9a1f-ac87045dc903" state_hub_task_id: "876827c4-4a86-4e58-9a1f-ac87045dc903"
``` ```
- [ ] Update `AGENTS.md` task status values and examples (`progress`, `wait`, `cancel`) - [x] Update `AGENTS.md` task status values and examples (`progress`, `wait`, `cancel`)
- [ ] Update `.claude/rules/workplan-convention.md` task block examples - [x] Update `.claude/rules/workplan-convention.md` task block examples
- [ ] Mark state-hub interface change `649102a2-4373-4621-9848-cc257e67c262` resolved - [x] Mark state-hub interface change `649102a2-4373-4621-9848-cc257e67c262` resolved
- [ ] Reply to inbox message `c4072e5a-2afb-44ba-bfa2-7d4cb9979c6e` (read + note adaptation) - [x] Reply to inbox message `c4072e5a-2afb-44ba-bfa2-7d4cb9979c6e` (read + note adaptation)
### T4 — Production config example and archive hygiene ### T4 — Production config example and archive hygiene
```task ```task
id: WARDEN-WP-0008-T04 id: WARDEN-WP-0008-T04
status: todo status: done
priority: medium priority: medium
state_hub_task_id: "75b9f366-3d7a-419d-98ad-bc10ab90a697" state_hub_task_id: "75b9f366-3d7a-419d-98ad-bc10ab90a697"
``` ```
- [ ] Add `examples/warden.production.example.yaml` (no secrets; OpenBao addr + policy off) - [x] Add `examples/warden.production.example.yaml` (no secrets; OpenBao addr + policy off)
- [ ] Archive finished workplans → `workplans/archived/260617-WARDEN-WP-000{4,5,6,7}-*.md` - [x] Archive finished workplans → `workplans/archived/260617-WARDEN-WP-000{4,5,6,7}-*.md`
- [ ] `make fix-consistency REPO=ops-warden` after archive - [x] `make fix-consistency REPO=ops-warden` after archive
### T5 — flex-auth policy gate production readiness (coordination) ### T5 — flex-auth policy gate production readiness (coordination)
@@ -120,11 +120,11 @@ state_hub_task_id: "03b412a5-5b99-42df-a154-733dd4156000"
## Acceptance Criteria ## Acceptance Criteria
- [ ] Post-WP-0007 reassessment on file; SCOPE current - [x] Post-WP-0007 reassessment on file; SCOPE current
- [ ] Production `warden sign` evidence recorded OR explicit operator blocker logged - [ ] Production `warden sign` evidence recorded OR explicit operator blocker logged
- [ ] AGENTS.md uses canonical task statuses - [x] AGENTS.md uses canonical task statuses
- [ ] WP-00040007 archived; hub consistency pass - [x] WP-00040007 archived; hub consistency pass
- [ ] Production example config committed (no secrets) - [x] Production example config committed (no secrets)
--- ---
@@ -141,6 +141,7 @@ state_hub_task_id: "03b412a5-5b99-42df-a154-733dd4156000"
## See also ## See also
- `history/2026-06-17-openbao-production-verify.md` — health probe (WP-0007) - `history/2026-06-17-openbao-production-verify.md` — health probe (WP-0007)
- `history/2026-06-17-intent-scope-reassessment.md`pre-policy-gate assessment - `history/2026-06-17-post-wp0007-reassessment.md`latest assessment
- `examples/warden.production.example.yaml` — operator config template
- `wiki/OpenBaoSshEngineChecklist.md` - `wiki/OpenBaoSshEngineChecklist.md`
- `wiki/PolicyGatedSigning.md` — opt-in gate (implemented WP-0007) - `wiki/PolicyGatedSigning.md` — opt-in gate (implemented WP-0007)

View File

@@ -4,7 +4,7 @@ type: workplan
title: "OpsWarden Repo Hygiene and Hub Sync" title: "OpsWarden Repo Hygiene and Hub Sync"
domain: custodian domain: custodian
repo: ops-warden repo: ops-warden
status: finished status: archived
owner: codex owner: codex
topic_slug: custodian topic_slug: custodian
created: "2026-06-17" created: "2026-06-17"

View File

@@ -4,7 +4,7 @@ type: workplan
title: "OpsWarden OpenBao-First Documentation Alignment" title: "OpsWarden OpenBao-First Documentation Alignment"
domain: custodian domain: custodian
repo: ops-warden repo: ops-warden
status: finished status: archived
owner: codex owner: codex
topic_slug: custodian topic_slug: custodian
created: "2026-06-17" created: "2026-06-17"

View File

@@ -4,7 +4,7 @@ type: workplan
title: "NetKingdom Alignment and Operational Access Stewardship" title: "NetKingdom Alignment and Operational Access Stewardship"
domain: custodian domain: custodian
repo: ops-warden repo: ops-warden
status: finished status: archived
owner: codex owner: codex
topic_slug: custodian topic_slug: custodian
planning_priority: high planning_priority: high

View File

@@ -4,7 +4,7 @@ type: workplan
title: "Policy Gate and Production OpenBao Verification" title: "Policy Gate and Production OpenBao Verification"
domain: custodian domain: custodian
repo: ops-warden repo: ops-warden
status: finished status: archived
owner: codex owner: codex
topic_slug: custodian topic_slug: custodian
planning_priority: high planning_priority: high