generated from coulomb/repo-seed
Add July INTENT↔SCOPE gap analysis and WARDEN-WP-0023 alignment closeout
Persist the 2026-07-01 assessment, register the alignment workplan with tasks for INTENT refresh, production integration coordination, broker UX, and catalog promotion. Promote WP-0022 to ready and update SCOPE links.
78
SCOPE.md
@@ -17,7 +17,7 @@ access guidance aligned with NetKingdom canon.

---

## Where we are (2026-06-27)
## Where we are (2026-07-01)

ops-warden **issues short-lived SSH certificates and routes every other credential
need to the subsystem that owns it.** SSH signing is **production-verified** on
@@ -33,6 +33,14 @@ NetKingdom security map, machine-readable pointer catalog
handoffs for every catalog need and can proxy `exec_capable` lanes as the caller,
without taking custody of values.

**Owner-native exec lanes** are documented in the catalog (WP-0017–0019 plus
cross-repo stewardship): provisioned secret-exec routes to **secrets-engine**
(`whynot-design-npm-publish`, production-exercised); scoped OpenBao tokens for
ops-warden signing route to the **railiance-platform credential broker**
(`ops-warden-warden-sign-token`, RAILIANCE-WP-0005 T08, live 2026-07-01). ops-warden
points at the owner's front door — it does not mint OpenBao tokens or run
`credential.py` itself.

**Workload security posture** is shipped (WP-0015, all tasks done): dev/test/prod
environment posture, M0-M3 workload maturity, the secret-flow lattice, and blocker
triage language (T1); machine-readable descriptors + `warden policy list|show` (T2);
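Review bot: the "live 2026-07-01" claim for `ops-warden-warden-sign-token` in the added paragraph carries no pointer to its evidence, while the summary bullets later in this file name `make credential-exec-ops-warden-smoke` as proven on that date; cite that target here so the claim is checkable, e.g. `(\`ops-warden-warden-sign-token\`, RAILIANCE-WP-0005 T08, live 2026-07-01 via \`make credential-exec-ops-warden-smoke\`)`. The boundary sentence ("does not mint OpenBao tokens or run `credential.py` itself") matches the Out of Scope bullet and the table row below, which is the important part.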
@@ -64,7 +72,9 @@ ops-warden executes exactly one lane with its own authority and routes/assists t
| Need | Subsystem | ops-warden role |
| --- | --- | --- |
| SSH cert for host/ops access (`adm`/`agt`/`atm`) | **ops-warden** | **Issue** (`warden sign`) |
| Scoped `VAULT_TOKEN` for warden-sign / policy-gate smoke | railiance-platform credential broker | Route — owner-native `credential exec`; ops-warden does not mint |
| API key / DB cred / dynamic lease | OpenBao | Assist — route; proxy as caller only for `exec_capable` lanes |
| Provisioned secret-exec (e.g. npm publish) | secrets-engine (+ OpenBao custody) | Route — primary `secrets-engine exec`; `warden access` as fallback |
| "May I perform action X?" | flex-auth | Route — point at policy; consume decisions where configured |
| Login / OIDC / MFA | key-cape / Keycloak | Assist — route; proxy `login` lane when `exec_capable` |
| SSH tunnel / port forward | ops-bridge | Route — supply `cert_command` |
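Review bot: the new `VAULT_TOKEN` row is "Route" only ("ops-warden does not mint"), whereas the OpenBao row allows "proxy as caller only for `exec_capable` lanes". That distinction is enforced by the catalog, not by this table: please state in the row (or confirm in the catalog entry) that `ops-warden-warden-sign-token` is not marked `exec_capable`, so `warden access` never proxies the broker fetch and the no-mint boundary holds in code as well as in prose.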
@@ -73,7 +83,8 @@ ops-warden executes exactly one lane with its own authority and routes/assists t
Full role and boundary: `wiki/AccessRouting.md`. The catalog is a **pointer layer** —
it never restates an owner's procedure (authored `steps` exist only for the SSH lane).

Gap analysis: `history/2026-06-24-intent-scope-gap-analysis.md` (current);
Gap analysis: `history/2026-07-01-intent-scope-gap-analysis.md` (current);
`history/2026-06-24-intent-scope-gap-analysis.md` (prior);
`history/2026-06-18-post-wp0008-intent-scope-reassessment.md` (SSH lane);
`history/2026-06-18-access-routing-intent-shift-assessment.md` (routing charter).

@@ -90,14 +101,14 @@ Gap analysis: `history/2026-06-24-intent-scope-gap-analysis.md` (current);
| Non-SSH secrets stay out of ops-warden | Met |
| Workload posture / maturity model for secret-flow blockers | Met — two-axis standard + descriptors + conformance checker + dev doubles (WP-0015) |

**Maturity vector:** `D5 / A5 / C5 / R3` (Discovery / Availability / Completeness / Reliability)
**Maturity vector:** `D5 / A5 / C5 / R4` (Discovery / Availability / Completeness / Reliability)

| Dimension | Level | Meaning today |
| --- | --- | --- |
| D5 | Discovery | Routing wiki + security map + pointer catalog + NK canon cross-links |
| A5 | Availability | CLI + `warden route` + `warden access` advisory & proxy front door + `warden policy` + opt-in policy gate + agent `--json` |
| C5 | Completeness | All ops-warden lanes shipped — SSH (prod), routing, access assist, posture conformance, cert_command pilot gate. Open items are external: flex-auth prod flip + ops-bridge live cutover |
| R3 | Reliability | Live OpenBao sign evidence on Railiance |
| C5 | Completeness | All ops-warden lanes shipped — SSH (prod), routing, access assist, posture conformance, cert_command pilot gate, two owner-native exec routes documented (secrets-engine npm, credential broker warden-sign). Open items are external: flex-auth prod flip + ops-bridge live cutover |
| R4 | Reliability | Live OpenBao sign + credential-broker policy-gate smoke evidence on Railiance (2026-07-01) |

---

@@ -144,6 +155,11 @@ for the rest.
`warden worker drafts | approve <id>` + `worker status`; one-command kill switch
(`wiki/playbooks/scheduled-worker.md`)
- Runbooks for OpenBao config and Inter-Hub bootstrap SSH envelope
- **warden-sign token routing** (RAILIANCE-WP-0005 T08): catalog id
`ops-warden-warden-sign-token` and playbook
`wiki/playbooks/ops-warden-warden-sign-token.md` — routes `VAULT_TOKEN` needs to
`railiance-platform/scripts/credential.py exec --grant ops-warden/warden-sign`
(preferred over manual `export VAULT_TOKEN`)

### Stewardship (documentation and alignment)

@@ -175,15 +191,18 @@ for the rest.

### Active / ready

_None open._ All ops-warden workplans are finished; the remaining distance is in other
repos' lanes (see Known gaps).
| WP | Focus | Status |
| --- | --- | --- |
| WP-0022 | Unified audit trail + `warden activity` | `ready` |
| WP-0023 | INTENT–SCOPE alignment closeout | `ready` |

Remaining production distance is also in other repos' lanes (see Known gaps).

### Known gaps (not ops-warden workplans)

| Gap | Owner | Notes |
| --- | --- | --- |
| flex-auth production runtime + registry deploy | flex-auth | **FLEX-WP-0007** — unblocks `policy.enabled: true` |
| Vault-backed policy gate joint smoke | flex-auth + operator | Needs valid scoped `VAULT_TOKEN` |
| ops-bridge `cert_command` on live tunnels | ops-bridge | Playbook + readiness gate shipped (WP-0016); pilot cutover handed off, awaiting ops-bridge |
| Principals sync warden ↔ railiance-infra | ops-warden + infra | `scripts/check_principals_drift.py` — operator runs periodically |
| NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel coordination track |
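Review bot: the unchanged context row `| Vault-backed policy gate joint smoke | flex-auth + operator | Needs valid scoped \`VAULT_TOKEN\` |` is stale after this commit: the maturity table now records credential-broker policy-gate smoke evidence (R4, 2026-07-01) and the new gap analysis says the `VAULT_TOKEN` blocker was cleared via broker routing. Either drop the row or rewrite its Notes cell to point at the broker lane and the real remaining blocker, e.g. `Token via \`ops-warden-warden-sign-token\`; production flip waits on FLEX-WP-0007`.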
@@ -193,9 +212,11 @@ repos' lanes (see Known gaps).

## Out of Scope

- **Issuing or custodying** non-SSH secrets (API keys, DB creds, S3 STS,
Inter-Hub keys) → OpenBao with flex-auth policy where required; ops-warden
documents paths and may proxy caller-authenticated `exec_capable` lanes only
- **Issuing or custodying** non-SSH secrets (API keys, DB creds, OpenBao tokens,
S3 STS, Inter-Hub keys) → OpenBao / railiance-platform credential broker /
secrets-engine with flex-auth policy where required; ops-warden documents paths,
routes to owner-native exec front doors, and may proxy caller-authenticated
`exec_capable` lanes only
- Identity / OIDC / MFA → key-cape, Keycloak
- Authorization policy decisions → flex-auth
- flex-auth runtime deployment and secret-flow lattice enforcement → flex-auth
@@ -211,6 +232,9 @@ repos' lanes (see Known gaps).
## Relevant When

- Issuing or refreshing an **SSH cert** for `adm`/`agt`/`atm`
- A worker needs a **scoped `VAULT_TOKEN`** for production `warden sign` or the
flex-auth policy-gate smoke — route to `ops-warden-warden-sign-token`, then run
`credential exec` in `railiance-platform` (no manual token paste)
- A dev worker needs to know **where to get credentials** in the NetKingdom stack
- An agent needs **`warden route find`** instead of re-deriving routing from wiki prose
- `ops-bridge` needs a `cert_command` for a tunnel
@@ -225,7 +249,8 @@ repos' lanes (see Known gaps).

## Not Relevant When

- Storing or vending **API keys or runtime secrets** (→ OpenBao)
- Storing or vending **API keys, OpenBao tokens, or runtime secrets** (→ OpenBao /
railiance-platform broker / secrets-engine)
- Policy decisions on resource access (→ flex-auth)
- Managing tunnels without SSH cert issuance (→ ops-bridge)
- Static-key-only legacy access (ops-bridge static key mode)
@@ -243,13 +268,19 @@ repos' lanes (see Known gaps).
conformance checker, dev doubles); canon landing owner-driven
- **ops-bridge cert_command:** WP-0016 shipped to pilot-ready (readiness gate +
offline contract smoke + handoff); live cutover is ops-bridge's
- **Access front door:** WP-0017 discoverability + WP-0018 first concrete lane
- **Access front door:** WP-0017 discoverability + WP-0018 first concrete secret lane
(`whynot-design-npm-publish`), **production-exercised** — whynot-design published
`@whynot/design@0.4.0` through the conduit. WP-0019 routes provisioned secret-exec
lanes to **secrets-engine** (`secrets-engine exec`), proxy as transparent fallback
- **warden-sign broker routing:** catalog `ops-warden-warden-sign-token` +
`wiki/playbooks/ops-warden-warden-sign-token.md` (RAILIANCE-WP-0005 T08) — live
`make credential-exec-ops-warden-smoke` proven 2026-07-01; manual `export VAULT_TOKEN`
documented as fallback only
- **Active work:** none open in ops-warden; remaining distance is other repos' lanes
- **Integration docs:** cert_command migration, token hygiene, principals drift (`wiki/playbooks/`)
- **Latest assessment:** `history/2026-06-24-intent-scope-gap-analysis.md`
- **Integration docs:** cert_command migration, token hygiene (broker-first), principals
drift (`wiki/playbooks/`)
- **Latest assessment:** `history/2026-07-01-intent-scope-gap-analysis.md`
- **Active workplans:** WP-0022 (audit), WP-0023 (INTENT–SCOPE closeout)

---

@@ -317,11 +348,12 @@ title: Operator access front door (caller-identity fetch proxy)
description: warden access is the operator front door for any NetKingdom credential need.
It renders the owner, auth method, path, and policy status, and for exec_capable lanes
(OpenBao secret reads, key-cape OIDC login) proxies the fetch as the caller — running
the owner's tool with the caller's identity and streaming the value to them. ops-warden
takes no custody: it holds, caches, and logs no secret value (transparent conduit, not a
broker). Use this to obtain an API key, DB credential, npm token, or login — not a State
Hub message.
keywords: [access, credential, secret, npm, token, api-key, openbao, key-cape, login, proxy, fetch, exec, warden-access, front-door, routing]
the owner's tool with the caller's identity and streaming the value to them. For
owner-native lanes (secrets-engine exec, railiance-platform credential broker) it routes
to the owner's front door instead of proxying. ops-warden takes no custody — transparent
conduit, not a broker. Use this to discover how to obtain an API key, DB credential,
npm token, warden-sign lease, or login — not a State Hub message.
keywords: [access, credential, secret, npm, token, api-key, openbao, key-cape, login, proxy, fetch, exec, warden-access, front-door, routing, warden-sign, vault_token, credential-broker]
```

---

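Review bot: the rewritten description drops the explicit clause "it holds, caches, and logs no secret value" and keeps only "takes no custody — transparent conduit, not a broker". Keep the explicit clause: "no custody" says nothing about logging, and the no-logging guarantee is exactly what WP-0022's secret-material guard on the audit trail is meant to enforce. Suggested: `to the owner's front door instead of proxying. ops-warden takes no custody: it holds, caches, and logs no secret value (transparent conduit, not a broker).`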
@@ -342,8 +374,12 @@ keywords: [access, credential, secret, npm, token, api-key, openbao, key-cape, l
| `wiki/PolicyGatedSigning.md` | flex-auth opt-in gate + registry rollout |
| `wiki/AccessManagementDirective.md` | SSH actor model |
| `wiki/OpsWardenConfig.md` | warden.yaml and OpenBao |
| `wiki/playbooks/ops-warden-warden-sign-token.md` | Scoped `VAULT_TOKEN` via credential broker (preferred path) |
| `wiki/playbooks/operator-openbao-token-hygiene.md` | Manual token fallback and hygiene rules |
| `wiki/CertCommandInterface.md` | cert_command contract |
| `history/2026-06-24-intent-scope-gap-analysis.md` | Current gap analysis + WP-0013 |
| `history/2026-07-01-intent-scope-gap-analysis.md` | Current INTENT↔SCOPE gap analysis |
| `workplans/WARDEN-WP-0023-intent-scope-alignment-closeout.md` | Alignment closeout plan |
| `history/2026-06-24-intent-scope-gap-analysis.md` | Prior gap analysis |
| `history/2026-06-27-workload-security-posture-charter.md` | WP-0015 posture/conformance charter |
| `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` | SSH lane gap analysis |
| `history/2026-06-18-access-routing-intent-shift-assessment.md` | Routing charter decision |

135
history/2026-07-01-intent-scope-gap-analysis.md
Normal file
@@ -0,0 +1,135 @@
# INTENT ↔ SCOPE Gap Analysis — Post RAILIANCE-WP-0005 T08

**Date:** 2026-07-01
**Author:** codex
**Trigger:** RAILIANCE-WP-0005 broker lane live (`ops-warden-warden-sign-token`, T08);
`credential-exec-ops-warden-smoke` proven; SCOPE refreshed to 2026-07-01.
**Prior assessments:** `history/2026-06-24-intent-scope-gap-analysis.md`,
`history/2026-06-18-post-wp0008-intent-scope-reassessment.md`

**Workplan:** `WARDEN-WP-0023-intent-scope-alignment-closeout.md`

---

## 1. Executive summary

ops-warden is **aligned with INTENT** on its core mission: issue SSH certs, route
every other credential need, and stay out of secret custody. The repository has
**grown past what `INTENT.md` describes** — assist layer, owner-native exec routing,
workload posture, and the coordination worker are shipped but not fully reflected
in the aspirational doc.

The largest **real** gaps are **production integration** (flex-auth runtime flip,
ops-bridge live `cert_command`) and **audit coherence** (scattered logs; WP-0022
proposed). The former is mostly other repos; the latter is the best in-repo next
implementation.

**Vector movement:** `D5 / A5 / C5 / R4` (SCOPE 2026-07-01) — up from
`D5 / A4 / C4 / R3` (June 2024) on completeness and reliability substance.

| Dimension | Jun 2024 | Jul 2026 | Notes |
| --- | --- | --- | --- |
| Discovery | D5 | D5 | Catalog + playbooks + owner-native lanes |
| Availability | A4 | A5 | `warden access`, worker, posture CLI |
| Completeness | C4 | C5 | Two concrete owner-native routes; broker live |
| Reliability | R3 | R4 | Sign + broker policy-gate smoke evidence |

---

## 2. Deliverables since 2026-06-24

| Workplan / cross-repo | Deliverable | Status |
| --- | --- | --- |
| WP-0014–0016 | Access assist, front-door discoverability, cert_command pilot gate | Finished |
| WP-0017–0019 | secrets-engine primary routing; whynot-design lane active | Finished |
| WP-0020–0021 | `warden worker` + scheduled tick | Finished |
| RAILIANCE-WP-0005 T08 | `ops-warden-warden-sign-token` catalog + playbook; live broker smoke | Done (platform) |
| WP-0022 | Unified audit + `warden activity` | Proposed |
| FLEX-WP-0007 | flex-auth production deploy | External — still open |

---

## 3. INTENT success criteria

| # | Criterion | Status | Evidence / gap |
| --- | --- | --- | --- |
| 1 | Worker knows which subsystem for each credential type | **Met** | `warden route`, catalog, playbooks; draft lanes remain template |
| 2 | SSH access short-lived, inventoried, audited | **Met (prod)** | OpenBao sign + `signatures.log`; unified audit pending WP-0022 |
| 3 | ops-bridge integrates via stable `cert_command` | **Partial** | WP-0016 pilot-ready; live tunnels still static-key |
| 4 | NetKingdom evolution reflected in docs | **Met** | SCOPE/wiki current; **INTENT.md stale** |
| 5 | Non-SSH secrets stay out of ops-warden | **Met** | Pointer + owner-native exec; no custody |
| 6 | Blockers classifiable by posture/maturity | **Met (repo)** | WP-0015; canon landing external |

**Score: 5 met, 1 partial** — partial is ops-bridge production adoption (unchanged
structurally; VAULT_TOKEN blocker cleared via broker routing).

---

## 4. INTENT mission pillars

| Pillar | Status | Gap |
| --- | --- | --- |
| 1. Know NetKingdom security model | Strong | INTENT table omits secrets-engine, credential broker |
| 2. Route, and assist | Strong | INTENT flow diagram still flat “OpenBao documented” |
| 3. Steward workload posture | Shipped | Runtime enforcement = flex-auth |
| 4. Align runbooks with canon | Strong | Broker-first token hygiene live |
| 5. Issue short-lived SSH certs | Production | — |
| 6. Audit SSH signing | Partial | WP-0022 — fragmented logs today |

---

## 5. Where SCOPE exceeds INTENT (doc drift, not implementation gap)

- `warden access` transparent proxy (WP-0014)
- Owner-native exec routing — secrets-engine, credential broker (WP-0017–0019, T08)
- Coordination worker (WP-0020/0021)
- Workload posture conformance (WP-0015)
- flex-auth policy gate **caller shipped**; INTENT still says “future hook”

---

## 6. Remaining gaps (prioritized)

| Prio | Gap | Owner | ops-warden action | Track |
| --- | --- | --- | --- | --- |
| **P1** | flex-auth production runtime (`policy.enabled: true`) | flex-auth | Coordination checklist + smoke evidence | **FLEX-WP-0007** |
| **P1** | ops-bridge live `cert_command` cutover | ops-bridge | Evidence template + handoff follow-up | WP-0016 follow-on |
| **P2** | Unified audit trail | ops-warden | Implement WP-0022 | **WARDEN-WP-0022** |
| **P2** | INTENT.md refresh | ops-warden | Align aspirational doc with shipped model | **WARDEN-WP-0023** T02 |
| **P3** | `warden sign` missing-token UX | ops-warden | Hint `credential exec` path | **WARDEN-WP-0023** T04 |
| **P3** | Draft catalog lanes | ops-warden + owners | Promotion checklist as lanes concrete | **WARDEN-WP-0023** T05 |
| **P4** | Principals drift | ops-warden + infra | Periodic `check_principals_drift.py` | Ongoing |
| **P4** | Posture canon landing | net-kingdom | Coordination only | WP-0015 T5 |

---

## 7. Workplan recommendation

**WARDEN-WP-0023 — INTENT–SCOPE alignment closeout** (new, `ready`):

- T01: This assessment (persisted)
- T02: Refresh `INTENT.md`
- T03: Production integration coordination pack (flex-auth + ops-bridge)
- T04: `warden sign` broker hint when `VAULT_TOKEN` unset
- T05: Catalog draft-lane promotion checklist
- T06: SCOPE cross-link and workplan-status consistency
- T07: Promote WP-0022 to `ready` and sequence audit implementation

**WARDEN-WP-0022** remains the implementation vehicle for unified audit (P2).

**Out of scope for new ops-warden implementation:**

- flex-auth runtime deployment (FLEX-WP-0007)
- ops-bridge tunnel config changes
- OpenBao token minting / credential broker implementation (railiance-platform)

---

## 8. Maturity target (post WP-0023 + WP-0022 + external P1)

| Dimension | Target | Unlock |
| --- | --- | --- |
| R4 → R5 | Live tunnel uses warden-signed cert | ops-bridge cutover evidence |
| R4 → R5 | Policy gate on in production | FLEX-WP-0007 + operator flip |
| Audit pillar | Single `warden activity` view | WP-0022 |
| INTENT sync | Aspirational doc matches SCOPE | WP-0023 T02 |
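Review bot: "June 2024" in the vector-movement sentence and the "Jun 2024" column header are wrong by two years; the prior vector `D5 / A4 / C4 / R3` comes from `history/2026-06-24-intent-scope-gap-analysis.md`, so both should read 2026. Also, section 2 lists WP-0022 as "Proposed" while this same commit flips its frontmatter to `status: ready` and section 7 T07 records that promotion; either update the cell to `ready (this commit)` or say that section 2 is the pre-closeout snapshot, otherwise the document contradicts the workplan it links.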
@@ -4,13 +4,14 @@ type: workplan
title: "Audit trail + `warden activity` — one place to see what ops-warden did"
domain: infotech
repo: ops-warden
status: proposed
status: ready
owner: claude
topic_slug: custodian
planning_priority: high
planning_order: 22
created: "2026-07-01"
updated: "2026-07-01"
state_hub_workstream_id: "fc8afa28-68a7-4250-a19e-9754829f0cd5"
---

# WARDEN-WP-0022 — Audit trail + `warden activity`
@@ -47,6 +48,7 @@ needs the State Hub + tunnels to be login-independent (State Hub → railiance01
id: WARDEN-WP-0022-T01
status: todo
priority: high
state_hub_task_id: "7f8f768a-4c62-4096-bad8-912cea0f35a7"
```

- [ ] `src/warden/audit.py`: append-only JSONL at `state_dir/audit.jsonl`. Common event
@@ -62,6 +64,7 @@ priority: high
id: WARDEN-WP-0022-T02
status: todo
priority: high
state_hub_task_id: "e7ae4037-ca79-4557-81f0-bfb8478ff647"
```

- [ ] Emit an audit event from each ops-warden action: `warden sign` (cert issued —
@@ -77,6 +80,7 @@ priority: high
id: WARDEN-WP-0022-T03
status: todo
priority: high
state_hub_task_id: "4439bdd8-1461-47df-8b0b-048df7384a68"
```

- [ ] `warden activity [--days N] [--kind sign|access|worker] [--json] [--hub]` — a single
@@ -90,6 +94,7 @@ priority: high
id: WARDEN-WP-0022-T04
status: todo
priority: medium
state_hub_task_id: "bdfb8703-7a79-43e7-913b-19d61722f164"
```

- [ ] Tests: audit append/read/rotation, the secret-material guard rejects values, the

208
workplans/WARDEN-WP-0023-intent-scope-alignment-closeout.md
Normal file
@@ -0,0 +1,208 @@
---
id: WARDEN-WP-0023
type: workplan
title: "INTENT–SCOPE Alignment Closeout"
domain: infotech
repo: ops-warden
status: ready
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 23
created: "2026-07-01"
updated: "2026-07-01"
depends_on_workplans:
- WARDEN-WP-0022
state_hub_workstream_id: "7bad1ec4-a7c2-4980-b8f9-49a7f5408574"
---

# WARDEN-WP-0023 — INTENT–SCOPE Alignment Closeout

## Goal

Close the July 2026 INTENT↔SCOPE gaps that ops-warden can address directly: sync
aspirational docs with shipped capabilities, coordinate the remaining production
integration blockers (flex-auth flip, ops-bridge cutover), improve daily operator
UX for broker-backed signing, and establish a repeatable catalog promotion cadence.

Audit implementation stays in **WARDEN-WP-0022**; this workplan sequences and
surrounds it.

**Assessment:** `history/2026-07-01-intent-scope-gap-analysis.md`

## Boundary

- ops-warden does **not** deploy flex-auth, flip ops-bridge tunnels, or implement
the credential broker — it documents, coordinates, and routes.
- Production cutover evidence is captured here; execution remains with owning repos.

---

## Tasks

### T01 — Persist gap analysis

```task
id: WARDEN-WP-0023-T01
status: done
priority: high
state_hub_task_id: "52485c90-87fe-40b1-9db5-a51ebb957dd5"
```

Write and link `history/2026-07-01-intent-scope-gap-analysis.md` with success
criteria matrix, mission pillars, prioritized gaps, and workplan recommendation.

Acceptance:

- History file exists and is referenced from SCOPE and this workplan.
- State Hub progress note logged for the assessment.

**2026-07-01:** Assessment written at
`history/2026-07-01-intent-scope-gap-analysis.md`.

### T02 — Refresh INTENT.md

```task
id: WARDEN-WP-0023-T02
status: todo
priority: high
state_hub_task_id: "9a9b3631-8948-45af-ace1-c19ee74ace4d"
```

Update `INTENT.md` so the aspirational doc reflects shipped reality without
becoming a second SCOPE:

- Mission pillar #2: assist layer (`warden access`) and owner-native exec routing
(secrets-engine, railiance-platform credential broker).
- NetKingdom literacy table: add secrets-engine and credential broker rows.
- Credential flow diagram: broker vs secrets-engine vs OpenBao proxy vs SSH issue.
- flex-auth: caller-side policy gate shipped; production flip external (FLEX-WP-0007).
- Workload posture stewardship and coordination worker as steward capabilities.
- Evolution notes pointer to July gap analysis.

Acceptance:

- INTENT still describes direction, not implementation inventory.
- No contradiction with SCOPE 2026-07-01 boundary (ops-warden does not mint tokens).

### T03 — Production integration coordination pack

```task
id: WARDEN-WP-0023-T03
status: todo
priority: high
state_hub_task_id: "26f23798-494b-45fc-baa8-af27bdffa038"
```

Prepare operator/coordination artifacts for the two P1 external gaps:

1. **flex-auth production flip** — checklist in `wiki/PolicyGatedSigning.md` or a
short playbook section: prerequisites, `policy.enabled: true` steps, rollback,
joint smoke with `credential-exec-ops-warden-smoke`, FLEX-WP-0007 cross-link.
2. **ops-bridge live cutover** — evidence template (non-secret): tunnel id, readiness
gate output, first warden-signed connection timestamp, pointer to
`wiki/playbooks/ops-bridge-tunnel-cert.md`.

Optionally post State Hub coordination messages to `flex-auth` and `ops-bridge`
agents with pointers only (no secrets).

Acceptance:

- A human operator can run the flip/cutover checklists without re-deriving steps.
- Evidence fields are defined; completion is recorded via State Hub progress when done.

### T04 — `warden sign` broker hint when `VAULT_TOKEN` unset

```task
id: WARDEN-WP-0023-T04
status: todo
priority: medium
state_hub_task_id: "85e324f9-273d-4740-a202-9c4e8fb122ae"
```

When `backend: vault` and `VAULT_TOKEN` (or configured `token_env`) is missing,
emit a structured hint pointing at `ops-warden-warden-sign-token` and the
`railiance-platform` `credential exec` command — not a generic error only.

Acceptance:

- Unit test covers the hint text (catalog id + exec shape, no secret placeholders).
- Manual `export VAULT_TOKEN` remains documented as fallback in playbooks.

### T05 — Catalog draft-lane promotion checklist

```task
id: WARDEN-WP-0023-T05
status: todo
priority: medium
state_hub_task_id: "82608692-2845-41e1-a498-90ed53780748"
```

Document the promotion criteria for `registry/routing/catalog.yaml` entries from
`draft` → `active` (concrete path, owner confirmation, `resolvable` or
`exec_owner` native exec, playbook with `#worker-checklist`, tests). Add to
`wiki/CredentialRouting.md` or a short `wiki/playbooks/catalog-lane-promotion.md`.

If any draft lane has owner-confirmed concrete paths during this WP, promote one
as a worked example (issue-core, OpenRouter, STS, or database — whichever is ready).

Acceptance:

- Checklist is reviewable by humans and agents.
- At least one promotion example or explicit “none ready yet” note in the workplan.

### T06 — SCOPE and workplan consistency

```task
id: WARDEN-WP-0023-T06
status: todo
priority: medium
state_hub_task_id: "79ca7b9a-554e-4952-9393-a29b100f6190"
```

Fix SCOPE inconsistencies noted in the July assessment:

- “All workplans finished” → acknowledge WP-0022/0023 as active/ready.
- Latest gap analysis pointer → `history/2026-07-01-intent-scope-gap-analysis.md`.
- Link WP-0023 from Getting Oriented.

Acceptance:

- SCOPE and gap analysis cross-link correctly.
- Uncommitted SCOPE edits from 2026-07-01 broker routing are committed with this WP.

### T07 — Sequence WP-0022 audit implementation

```task
id: WARDEN-WP-0023-T07
status: todo
priority: high
state_hub_task_id: "1f3b3b33-974e-49bf-be4a-9d50b702c2a4"
```

Promote `WARDEN-WP-0022` from `proposed` to `ready` (or `active` when T02–T06 allow
bandwidth). Ensure dependency is explicit; log State Hub note that WP-0022 is the
implementation vehicle for INTENT pillar 6 (observable gatekeeping).

Acceptance:

- WP-0022 frontmatter status updated.
- WP-0023 `depends_on_workplans` includes WP-0022.
- Hub consistency run syncs both workplans.

---

## Exit criteria

- July gap analysis is the canonical reassessment (linked from SCOPE).
- INTENT.md no longer understates assist, posture, worker, or owner-native exec.
- Production integration checklists exist for flex-auth flip and ops-bridge cutover.
- `warden sign` surfaces the broker path when vault backend lacks a token.
- Catalog promotion cadence is documented; WP-0022 is queued for implementation.

## See also

- `history/2026-07-01-intent-scope-gap-analysis.md`
- `WARDEN-WP-0022-audit-trail-and-activity.md`
- `wiki/playbooks/ops-warden-warden-sign-token.md`
- `~/flex-auth/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md`
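Review bot: T07 is `status: todo` and still reads "Promote `WARDEN-WP-0022` from `proposed` to `ready`", but this same commit already sets WP-0022's frontmatter to `status: ready` and this file already declares `depends_on_workplans: - WARDEN-WP-0022`; two of T07's three acceptance items are therefore met here, so either mark T07 `done` or narrow its remaining scope to the State Hub note and the Hub consistency run. On T04, the "no secret placeholders" acceptance item is the right guard; make it explicit that the hint prints only the catalog id and the `credential exec` shape and never echoes the name-resolved value of `token_env` or other environment contents, since the hint fires exactly when operators are most likely to paste tokens into a terminal.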