From f47d632d8e4cf1df5d1a7474664b4167352b0b41 Mon Sep 17 00:00:00 2001 From: tegwick Date: Wed, 1 Jul 2026 23:27:14 +0200 Subject: [PATCH] =?UTF-8?q?Add=20July=20INTENT=E2=86=94SCOPE=20gap=20analy?= =?UTF-8?q?sis=20and=20WARDEN-WP-0023=20alignment=20closeout?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Persist the 2026-07-01 assessment, register the alignment workplan with tasks for INTENT refresh, production integration coordination, broker UX, and catalog promotion. Promote WP-0022 to ready and update SCOPE links. --- SCOPE.md | 78 +++++-- .../2026-07-01-intent-scope-gap-analysis.md | 135 ++++++++++++ ...WARDEN-WP-0022-audit-trail-and-activity.md | 7 +- ...WP-0023-intent-scope-alignment-closeout.md | 208 ++++++++++++++++++ 4 files changed, 406 insertions(+), 22 deletions(-) create mode 100644 history/2026-07-01-intent-scope-gap-analysis.md create mode 100644 workplans/WARDEN-WP-0023-intent-scope-alignment-closeout.md diff --git a/SCOPE.md b/SCOPE.md index 77e4385..9903751 100644 --- a/SCOPE.md +++ b/SCOPE.md @@ -17,7 +17,7 @@ access guidance aligned with NetKingdom canon. --- -## Where we are (2026-06-27) +## Where we are (2026-07-01) ops-warden **issues short-lived SSH certificates and routes every other credential need to the subsystem that owns it.** SSH signing is **production-verified** on 
@@ -33,6 +33,14 @@ NetKingdom security map, machine-readable pointer catalog handoffs for every catalog need and can proxy `exec_capable` lanes as the caller, without taking custody of values. +**Owner-native exec lanes** are documented in the catalog (WP-0017–0019 plus +cross-repo stewardship): provisioned secret-exec routes to **secrets-engine** +(`whynot-design-npm-publish`, production-exercised); scoped OpenBao tokens for +ops-warden signing route to the **railiance-platform credential broker** +(`ops-warden-warden-sign-token`, RAILIANCE-WP-0005 T08, live 2026-07-01). ops-warden +points at the owner's front door — it does not mint OpenBao tokens or run +`credential.py` itself. + **Workload security posture** is shipped (WP-0015, all tasks done): dev/test/prod environment posture, M0-M3 workload maturity, the secret-flow lattice, and blocker triage language (T1); machine-readable descriptors + `warden policy list|show` (T2); @@ -64,7 +72,9 @@ ops-warden executes exactly one lane with its own authority and routes/assists t | Need | Subsystem | ops-warden role | | --- | --- | --- | | SSH cert for host/ops access (`adm`/`agt`/`atm`) | **ops-warden** | **Issue** (`warden sign`) | +| Scoped `VAULT_TOKEN` for warden-sign / policy-gate smoke | railiance-platform credential broker | Route — owner-native `credential exec`; ops-warden does not mint | | API key / DB cred / dynamic lease | OpenBao | Assist — route; proxy as caller only for `exec_capable` lanes | +| Provisioned secret-exec (e.g. npm publish) | secrets-engine (+ OpenBao custody) | Route — primary `secrets-engine exec`; `warden access` as fallback | | "May I perform action X?" | flex-auth | Route — point at policy; consume decisions where configured | | Login / OIDC / MFA | key-cape / Keycloak | Assist — route; proxy `login` lane when `exec_capable` | | SSH tunnel / port forward | ops-bridge | Route — supply `cert_command` | 
@@ -73,7 +83,8 @@ ops-warden executes exactly one lane with its own authority and routes/assists t Full role and boundary: `wiki/AccessRouting.md`. The catalog is a **pointer layer** — it never restates an owner's procedure (authored `steps` exist only for the SSH lane). -Gap analysis: `history/2026-06-24-intent-scope-gap-analysis.md` (current); +Gap analysis: `history/2026-07-01-intent-scope-gap-analysis.md` (current); +`history/2026-06-24-intent-scope-gap-analysis.md` (prior); `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` (SSH lane); `history/2026-06-18-access-routing-intent-shift-assessment.md` (routing charter). 
@@ -90,14 +101,14 @@ Gap analysis: `history/2026-06-24-intent-scope-gap-analysis.md` (current); | Non-SSH secrets stay out of ops-warden | Met | | Workload posture / maturity model for secret-flow blockers | Met — two-axis standard + descriptors + conformance checker + dev doubles (WP-0015) | -**Maturity vector:** `D5 / A5 / C5 / R3` (Discovery / Availability / Completeness / Reliability) +**Maturity vector:** `D5 / A5 / C5 / R4` (Discovery / Availability / Completeness / Reliability) | Dimension | Level | Meaning today | | --- | --- | --- | | D5 | Discovery | Routing wiki + security map + pointer catalog + NK canon cross-links | | A5 | Availability | CLI + `warden route` + `warden access` advisory & proxy front door + `warden policy` + opt-in policy gate + agent `--json` | -| C5 | Completeness | All ops-warden lanes shipped — SSH (prod), routing, access assist, posture conformance, cert_command pilot gate. Open items are external: flex-auth prod flip + ops-bridge live cutover | -| R3 | Reliability | Live OpenBao sign evidence on Railiance | +| C5 | Completeness | All ops-warden lanes shipped — SSH (prod), routing, access assist, posture conformance, cert_command pilot gate, two owner-native exec routes documented (secrets-engine npm, credential broker warden-sign). Open items are external: flex-auth prod flip + ops-bridge live cutover | +| R4 | Reliability | Live OpenBao sign + credential-broker policy-gate smoke evidence on Railiance (2026-07-01) | --- 
@@ -144,6 +155,11 @@ for the rest. `warden worker drafts | approve ` + `worker status`; one-command kill switch (`wiki/playbooks/scheduled-worker.md`) - Runbooks for OpenBao config and Inter-Hub bootstrap SSH envelope +- **warden-sign token routing** (RAILIANCE-WP-0005 T08): catalog id + `ops-warden-warden-sign-token` and playbook + `wiki/playbooks/ops-warden-warden-sign-token.md` — routes `VAULT_TOKEN` needs to + `railiance-platform/scripts/credential.py exec --grant ops-warden/warden-sign` + (preferred over manual `export VAULT_TOKEN`) ### Stewardship (documentation and alignment) @@ -175,15 +191,18 @@ for the rest. ### Active / ready -_None open._ All ops-warden workplans are finished; the remaining distance is in other -repos' lanes (see Known gaps). +| WP | Focus | Status | +| --- | --- | --- | +| WP-0022 | Unified audit trail + `warden activity` | `ready` | +| WP-0023 | INTENT–SCOPE alignment closeout | `ready` | + +Remaining production distance is also in other repos' lanes (see Known gaps). ### Known gaps (not ops-warden workplans) | Gap | Owner | Notes | | --- | --- | --- | | flex-auth production runtime + registry deploy | flex-auth | **FLEX-WP-0007** — unblocks `policy.enabled: true` | -| Vault-backed policy gate joint smoke | flex-auth + operator | Needs valid scoped `VAULT_TOKEN` | | ops-bridge `cert_command` on live tunnels | ops-bridge | Playbook + readiness gate shipped (WP-0016); pilot cutover handed off, awaiting ops-bridge | | Principals sync warden ↔ railiance-infra | ops-warden + infra | `scripts/check_principals_drift.py` — operator runs periodically | | NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel coordination track | 
@@ -193,9 +212,11 @@ repos' lanes (see Known gaps). ## Out of Scope -- **Issuing or custodying** non-SSH secrets (API keys, DB creds, S3 STS, - Inter-Hub keys) → OpenBao with flex-auth policy where required; ops-warden - documents paths and may proxy caller-authenticated `exec_capable` lanes only +- **Issuing or custodying** non-SSH secrets (API keys, DB creds, OpenBao tokens, + S3 STS, Inter-Hub keys) → OpenBao / railiance-platform credential broker / + secrets-engine with flex-auth policy where required; ops-warden documents paths, + routes to owner-native exec front doors, and may proxy caller-authenticated + `exec_capable` lanes only - Identity / OIDC / MFA → key-cape, Keycloak - Authorization policy decisions → flex-auth - flex-auth runtime deployment and secret-flow lattice enforcement → flex-auth @@ -211,6 +232,9 @@ repos' lanes (see Known gaps). ## Relevant When - Issuing or refreshing an **SSH cert** for `adm`/`agt`/`atm` +- A worker needs a **scoped `VAULT_TOKEN`** for production `warden sign` or the + flex-auth policy-gate smoke — route to `ops-warden-warden-sign-token`, then run + `credential exec` in `railiance-platform` (no manual token paste) - A dev worker needs to know **where to get credentials** in the NetKingdom stack - An agent needs **`warden route find`** instead of re-deriving routing from wiki prose - `ops-bridge` needs a `cert_command` for a tunnel @@ -225,7 +249,8 @@ repos' lanes (see Known gaps). ## Not Relevant When -- Storing or vending **API keys or runtime secrets** (→ OpenBao) +- Storing or vending **API keys, OpenBao tokens, or runtime secrets** (→ OpenBao / + railiance-platform broker / secrets-engine) - Policy decisions on resource access (→ flex-auth) - Managing tunnels without SSH cert issuance (→ ops-bridge) - Static-key-only legacy access (ops-bridge static key mode) 
@@ -243,13 +268,19 @@ repos' lanes (see Known gaps). conformance checker, dev doubles); canon landing owner-driven - **ops-bridge cert_command:** WP-0016 shipped to pilot-ready (readiness gate + offline contract smoke + handoff); live cutover is ops-bridge's -- **Access front door:** WP-0017 discoverability + WP-0018 first concrete lane +- **Access front door:** WP-0017 discoverability + WP-0018 first concrete secret lane (`whynot-design-npm-publish`), **production-exercised** — whynot-design published `@whynot/design@0.4.0` through the conduit. WP-0019 routes provisioned secret-exec lanes to **secrets-engine** (`secrets-engine exec`), proxy as transparent fallback +- **warden-sign broker routing:** catalog `ops-warden-warden-sign-token` + + `wiki/playbooks/ops-warden-warden-sign-token.md` (RAILIANCE-WP-0005 T08) — live + `make credential-exec-ops-warden-smoke` proven 2026-07-01; manual `export VAULT_TOKEN` + documented as fallback only - **Active work:** none open in ops-warden; remaining distance is other repos' lanes -- **Integration docs:** cert_command migration, token hygiene, principals drift (`wiki/playbooks/`) -- **Latest assessment:** `history/2026-06-24-intent-scope-gap-analysis.md` +- **Integration docs:** cert_command migration, token hygiene (broker-first), principals + drift (`wiki/playbooks/`) +- **Latest assessment:** `history/2026-07-01-intent-scope-gap-analysis.md` +- **Active workplans:** WP-0022 (audit), WP-0023 (INTENT–SCOPE closeout) --- 
@@ -317,11 +348,12 @@ title: Operator access front door (caller-identity fetch proxy) description: warden access is the operator front door for any NetKingdom credential need. It renders the owner, auth method, path, and policy status, and for exec_capable lanes (OpenBao secret reads, key-cape OIDC login) proxies the fetch as the caller — running - the owner's tool with the caller's identity and streaming the value to them. ops-warden - takes no custody: it holds, caches, and logs no secret value (transparent conduit, not a - broker). Use this to obtain an API key, DB credential, npm token, or login — not a State - Hub message. -keywords: [access, credential, secret, npm, token, api-key, openbao, key-cape, login, proxy, fetch, exec, warden-access, front-door, routing] + the owner's tool with the caller's identity and streaming the value to them. For + owner-native lanes (secrets-engine exec, railiance-platform credential broker) it routes + to the owner's front door instead of proxying. ops-warden takes no custody — transparent + conduit, not a broker. Use this to discover how to obtain an API key, DB credential, + npm token, warden-sign lease, or login — not a State Hub message. +keywords: [access, credential, secret, npm, token, api-key, openbao, key-cape, login, proxy, fetch, exec, warden-access, front-door, routing, warden-sign, vault_token, credential-broker] ``` --- 
@@ -342,8 +374,12 @@ keywords: [access, credential, secret, npm, token, api-key, openbao, key-cape, l | `wiki/PolicyGatedSigning.md` | flex-auth opt-in gate + registry rollout | | `wiki/AccessManagementDirective.md` | SSH actor model | | `wiki/OpsWardenConfig.md` | warden.yaml and OpenBao | +| `wiki/playbooks/ops-warden-warden-sign-token.md` | Scoped `VAULT_TOKEN` via credential broker (preferred path) | +| `wiki/playbooks/operator-openbao-token-hygiene.md` | Manual token fallback and hygiene rules | | `wiki/CertCommandInterface.md` | cert_command contract | -| `history/2026-06-24-intent-scope-gap-analysis.md` | Current gap analysis + WP-0013 | +| `history/2026-07-01-intent-scope-gap-analysis.md` | Current INTENT↔SCOPE gap analysis | +| `workplans/WARDEN-WP-0023-intent-scope-alignment-closeout.md` | Alignment closeout plan | +| `history/2026-06-24-intent-scope-gap-analysis.md` | Prior gap analysis | | `history/2026-06-27-workload-security-posture-charter.md` | WP-0015 posture/conformance charter | | `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` | SSH lane gap analysis | | `history/2026-06-18-access-routing-intent-shift-assessment.md` | Routing charter decision | diff --git a/history/2026-07-01-intent-scope-gap-analysis.md b/history/2026-07-01-intent-scope-gap-analysis.md new file mode 100644 index 0000000..29fdc04 --- /dev/null +++ b/history/2026-07-01-intent-scope-gap-analysis.md 
@@ -0,0 +1,135 @@ +# INTENT ↔ SCOPE Gap Analysis — Post RAILIANCE-WP-0005 T08 + +**Date:** 2026-07-01 +**Author:** codex +**Trigger:** RAILIANCE-WP-0005 broker lane live (`ops-warden-warden-sign-token`, T08); +`credential-exec-ops-warden-smoke` proven; SCOPE refreshed to 2026-07-01. +**Prior assessments:** `history/2026-06-24-intent-scope-gap-analysis.md`, +`history/2026-06-18-post-wp0008-intent-scope-reassessment.md` + +**Workplan:** `WARDEN-WP-0023-intent-scope-alignment-closeout.md` + +--- + +## 1. Executive summary + +ops-warden is **aligned with INTENT** on its core mission: issue SSH certs, route +every other credential need, and stay out of secret custody. The repository has +**grown past what `INTENT.md` describes** — assist layer, owner-native exec routing, +workload posture, and the coordination worker are shipped but not fully reflected +in the aspirational doc. + +The largest **real** gaps are **production integration** (flex-auth runtime flip, +ops-bridge live `cert_command`) and **audit coherence** (scattered logs; WP-0022 +proposed). The former is mostly other repos; the latter is the best in-repo next +implementation. + +**Vector movement:** `D5 / A5 / C5 / R4` (SCOPE 2026-07-01) — up from +`D5 / A4 / C4 / R3` (June 2024) on completeness and reliability substance. + +| Dimension | Jun 2024 | Jul 2026 | Notes | +| --- | --- | --- | --- | +| Discovery | D5 | D5 | Catalog + playbooks + owner-native lanes | +| Availability | A4 | A5 | `warden access`, worker, posture CLI | +| Completeness | C4 | C5 | Two concrete owner-native routes; broker live | +| Reliability | R3 | R4 | Sign + broker policy-gate smoke evidence | + +--- + +## 2. 
Deliverables since 2026-06-24 + +| Workplan / cross-repo | Deliverable | Status | +| --- | --- | --- | +| WP-0014–0016 | Access assist, front-door discoverability, cert_command pilot gate | Finished | +| WP-0017–0019 | secrets-engine primary routing; whynot-design lane active | Finished | +| WP-0020–0021 | `warden worker` + scheduled tick | Finished | +| RAILIANCE-WP-0005 T08 | `ops-warden-warden-sign-token` catalog + playbook; live broker smoke | Done (platform) | +| WP-0022 | Unified audit + `warden activity` | Proposed | +| FLEX-WP-0007 | flex-auth production deploy | External — still open | + +--- + +## 3. INTENT success criteria + +| # | Criterion | Status | Evidence / gap | +| --- | --- | --- | --- | +| 1 | Worker knows which subsystem for each credential type | **Met** | `warden route`, catalog, playbooks; draft lanes remain template | +| 2 | SSH access short-lived, inventoried, audited | **Met (prod)** | OpenBao sign + `signatures.log`; unified audit pending WP-0022 | +| 3 | ops-bridge integrates via stable `cert_command` | **Partial** | WP-0016 pilot-ready; live tunnels still static-key | +| 4 | NetKingdom evolution reflected in docs | **Met** | SCOPE/wiki current; **INTENT.md stale** | +| 5 | Non-SSH secrets stay out of ops-warden | **Met** | Pointer + owner-native exec; no custody | +| 6 | Blockers classifiable by posture/maturity | **Met (repo)** | WP-0015; canon landing external | + +**Score: 5 met, 1 partial** — partial is ops-bridge production adoption (unchanged +structurally; VAULT_TOKEN blocker cleared via broker routing). + +--- + +## 4. INTENT mission pillars + +| Pillar | Status | Gap | +| --- | --- | --- | +| 1. Know NetKingdom security model | Strong | INTENT table omits secrets-engine, credential broker | +| 2. Route, and assist | Strong | INTENT flow diagram still flat “OpenBao documented” | +| 3. Steward workload posture | Shipped | Runtime enforcement = flex-auth | +| 4. 
Align runbooks with canon | Strong | Broker-first token hygiene live | +| 5. Issue short-lived SSH certs | Production | — | +| 6. Audit SSH signing | Partial | WP-0022 — fragmented logs today | + +--- + +## 5. Where SCOPE exceeds INTENT (doc drift, not implementation gap) + +- `warden access` transparent proxy (WP-0014) +- Owner-native exec routing — secrets-engine, credential broker (WP-0017–0019, T08) +- Coordination worker (WP-0020/0021) +- Workload posture conformance (WP-0015) +- flex-auth policy gate **caller shipped**; INTENT still says “future hook” + +--- + +## 6. Remaining gaps (prioritized) + +| Prio | Gap | Owner | ops-warden action | Track | +| --- | --- | --- | --- | --- | +| **P1** | flex-auth production runtime (`policy.enabled: true`) | flex-auth | Coordination checklist + smoke evidence | **FLEX-WP-0007** | +| **P1** | ops-bridge live `cert_command` cutover | ops-bridge | Evidence template + handoff follow-up | WP-0016 follow-on | +| **P2** | Unified audit trail | ops-warden | Implement WP-0022 | **WARDEN-WP-0022** | +| **P2** | INTENT.md refresh | ops-warden | Align aspirational doc with shipped model | **WARDEN-WP-0023** T02 | +| **P3** | `warden sign` missing-token UX | ops-warden | Hint `credential exec` path | **WARDEN-WP-0023** T04 | +| **P3** | Draft catalog lanes | ops-warden + owners | Promotion checklist as lanes concrete | **WARDEN-WP-0023** T05 | +| **P4** | Principals drift | ops-warden + infra | Periodic `check_principals_drift.py` | Ongoing | +| **P4** | Posture canon landing | net-kingdom | Coordination only | WP-0015 T5 | + +--- + +## 7. 
Workplan recommendation + +**WARDEN-WP-0023 — INTENT–SCOPE alignment closeout** (new, `ready`): + +- T01: This assessment (persisted) +- T02: Refresh `INTENT.md` +- T03: Production integration coordination pack (flex-auth + ops-bridge) +- T04: `warden sign` broker hint when `VAULT_TOKEN` unset +- T05: Catalog draft-lane promotion checklist +- T06: SCOPE cross-link and workplan-status consistency +- T07: Promote WP-0022 to `ready` and sequence audit implementation + +**WARDEN-WP-0022** remains the implementation vehicle for unified audit (P2). + +**Out of scope for new ops-warden implementation:** + +- flex-auth runtime deployment (FLEX-WP-0007) +- ops-bridge tunnel config changes +- OpenBao token minting / credential broker implementation (railiance-platform) + +--- + +## 8. Maturity target (post WP-0023 + WP-0022 + external P1) + +| Dimension | Target | Unlock | +| --- | --- | --- | +| R4 → R5 | Live tunnel uses warden-signed cert | ops-bridge cutover evidence | +| R4 → R5 | Policy gate on in production | FLEX-WP-0007 + operator flip | +| Audit pillar | Single `warden activity` view | WP-0022 | +| INTENT sync | Aspirational doc matches SCOPE | WP-0023 T02 | \ No newline at end of file diff --git a/workplans/WARDEN-WP-0022-audit-trail-and-activity.md b/workplans/WARDEN-WP-0022-audit-trail-and-activity.md index 4b0fa8e..e9f8d26 100644 --- a/workplans/WARDEN-WP-0022-audit-trail-and-activity.md +++ b/workplans/WARDEN-WP-0022-audit-trail-and-activity.md @@ -4,13 +4,14 @@ type: workplan title: "Audit trail + `warden activity` — one place to see what ops-warden did" domain: infotech repo: ops-warden -status: proposed +status: ready owner: claude topic_slug: custodian planning_priority: high planning_order: 22 created: "2026-07-01" updated: "2026-07-01" +state_hub_workstream_id: "fc8afa28-68a7-4250-a19e-9754829f0cd5" --- # WARDEN-WP-0022 — Audit trail + `warden activity` 
@@ -47,6 +48,7 @@ needs the State Hub + tunnels to be login-independent (State Hub → railiance01 id: WARDEN-WP-0022-T01 status: todo priority: high +state_hub_task_id: "7f8f768a-4c62-4096-bad8-912cea0f35a7" ``` - [ ] `src/warden/audit.py`: append-only JSONL at `state_dir/audit.jsonl`. Common event @@ -62,6 +64,7 @@ priority: high id: WARDEN-WP-0022-T02 status: todo priority: high +state_hub_task_id: "e7ae4037-ca79-4557-81f0-bfb8478ff647" ``` - [ ] Emit an audit event from each ops-warden action: `warden sign` (cert issued — @@ -77,6 +80,7 @@ priority: high id: WARDEN-WP-0022-T03 status: todo priority: high +state_hub_task_id: "4439bdd8-1461-47df-8b0b-048df7384a68" ``` - [ ] `warden activity [--days N] [--kind sign|access|worker] [--json] [--hub]` — a single @@ -90,6 +94,7 @@ priority: high id: WARDEN-WP-0022-T04 status: todo priority: medium +state_hub_task_id: "bdfb8703-7a79-43e7-913b-19d61722f164" ``` - [ ] Tests: audit append/read/rotation, the secret-material guard rejects values, the diff --git a/workplans/WARDEN-WP-0023-intent-scope-alignment-closeout.md b/workplans/WARDEN-WP-0023-intent-scope-alignment-closeout.md new file mode 100644 index 0000000..968e2af --- /dev/null +++ b/workplans/WARDEN-WP-0023-intent-scope-alignment-closeout.md 
@@ -0,0 +1,208 @@ +--- +id: WARDEN-WP-0023 +type: workplan +title: "INTENT–SCOPE Alignment Closeout" +domain: infotech +repo: ops-warden +status: ready +owner: codex +topic_slug: custodian +planning_priority: high +planning_order: 23 +created: "2026-07-01" +updated: "2026-07-01" +depends_on_workplans: + - WARDEN-WP-0022 +state_hub_workstream_id: "7bad1ec4-a7c2-4980-b8f9-49a7f5408574" +--- + +# WARDEN-WP-0023 — INTENT–SCOPE Alignment Closeout + +## Goal + +Close the July 2026 INTENT↔SCOPE gaps that ops-warden can address directly: sync +aspirational docs with shipped capabilities, coordinate the remaining production +integration blockers (flex-auth flip, ops-bridge cutover), improve daily operator +UX for broker-backed signing, and establish a repeatable catalog promotion cadence. + +Audit implementation stays in **WARDEN-WP-0022**; this workplan sequences and +surrounds it. + +**Assessment:** `history/2026-07-01-intent-scope-gap-analysis.md` + +## Boundary + +- ops-warden does **not** deploy flex-auth, flip ops-bridge tunnels, or implement + the credential broker — it documents, coordinates, and routes. +- Production cutover evidence is captured here; execution remains with owning repos. + +--- + +## Tasks + +### T01 — Persist gap analysis + +```task +id: WARDEN-WP-0023-T01 +status: done +priority: high +state_hub_task_id: "52485c90-87fe-40b1-9db5-a51ebb957dd5" +``` + +Write and link `history/2026-07-01-intent-scope-gap-analysis.md` with success +criteria matrix, mission pillars, prioritized gaps, and workplan recommendation. + +Acceptance: + +- History file exists and is referenced from SCOPE and this workplan. +- State Hub progress note logged for the assessment. + +**2026-07-01:** Assessment written at +`history/2026-07-01-intent-scope-gap-analysis.md`. 
+ +### T02 — Refresh INTENT.md + +```task +id: WARDEN-WP-0023-T02 +status: todo +priority: high +state_hub_task_id: "9a9b3631-8948-45af-ace1-c19ee74ace4d" +``` + +Update `INTENT.md` so the aspirational doc reflects shipped reality without +becoming a second SCOPE: + +- Mission pillar #2: assist layer (`warden access`) and owner-native exec routing + (secrets-engine, railiance-platform credential broker). +- NetKingdom literacy table: add secrets-engine and credential broker rows. +- Credential flow diagram: broker vs secrets-engine vs OpenBao proxy vs SSH issue. +- flex-auth: caller-side policy gate shipped; production flip external (FLEX-WP-0007). +- Workload posture stewardship and coordination worker as steward capabilities. +- Evolution notes pointer to July gap analysis. + +Acceptance: + +- INTENT still describes direction, not implementation inventory. +- No contradiction with SCOPE 2026-07-01 boundary (ops-warden does not mint tokens). + +### T03 — Production integration coordination pack + +```task +id: WARDEN-WP-0023-T03 +status: todo +priority: high +state_hub_task_id: "26f23798-494b-45fc-baa8-af27bdffa038" +``` + +Prepare operator/coordination artifacts for the two P1 external gaps: + +1. **flex-auth production flip** — checklist in `wiki/PolicyGatedSigning.md` or a + short playbook section: prerequisites, `policy.enabled: true` steps, rollback, + joint smoke with `credential-exec-ops-warden-smoke`, FLEX-WP-0007 cross-link. +2. **ops-bridge live cutover** — evidence template (non-secret): tunnel id, readiness + gate output, first warden-signed connection timestamp, pointer to + `wiki/playbooks/ops-bridge-tunnel-cert.md`. + +Optionally post State Hub coordination messages to `flex-auth` and `ops-bridge` +agents with pointers only (no secrets). + +Acceptance: + +- A human operator can run the flip/cutover checklists without re-deriving steps. +- Evidence fields are defined; completion is recorded via State Hub progress when done. 
+ +### T04 — `warden sign` broker hint when `VAULT_TOKEN` unset + +```task +id: WARDEN-WP-0023-T04 +status: todo +priority: medium +state_hub_task_id: "85e324f9-273d-4740-a202-9c4e8fb122ae" +``` + +When `backend: vault` and `VAULT_TOKEN` (or configured `token_env`) is missing, +emit a structured hint pointing at `ops-warden-warden-sign-token` and the +`railiance-platform` `credential exec` command — not a generic error only. + +Acceptance: + +- Unit test covers the hint text (catalog id + exec shape, no secret placeholders). +- Manual `export VAULT_TOKEN` remains documented as fallback in playbooks. + +### T05 — Catalog draft-lane promotion checklist + +```task +id: WARDEN-WP-0023-T05 +status: todo +priority: medium +state_hub_task_id: "82608692-2845-41e1-a498-90ed53780748" +``` + +Document the promotion criteria for `registry/routing/catalog.yaml` entries from +`draft` → `active` (concrete path, owner confirmation, `resolvable` or +`exec_owner` native exec, playbook with `#worker-checklist`, tests). Add to +`wiki/CredentialRouting.md` or a short `wiki/playbooks/catalog-lane-promotion.md`. + +If any draft lane has owner-confirmed concrete paths during this WP, promote one +as a worked example (issue-core, OpenRouter, STS, or database — whichever is ready). + +Acceptance: + +- Checklist is reviewable by humans and agents. +- At least one promotion example or explicit “none ready yet” note in the workplan. + +### T06 — SCOPE and workplan consistency + +```task +id: WARDEN-WP-0023-T06 +status: todo +priority: medium +state_hub_task_id: "79ca7b9a-554e-4952-9393-a29b100f6190" +``` + +Fix SCOPE inconsistencies noted in the July assessment: + +- “All workplans finished” → acknowledge WP-0022/0023 as active/ready. +- Latest gap analysis pointer → `history/2026-07-01-intent-scope-gap-analysis.md`. +- Link WP-0023 from Getting Oriented. + +Acceptance: + +- SCOPE and gap analysis cross-link correctly. 
+- Uncommitted SCOPE edits from 2026-07-01 broker routing are committed with this WP. + +### T07 — Sequence WP-0022 audit implementation + +```task +id: WARDEN-WP-0023-T07 +status: todo +priority: high +state_hub_task_id: "1f3b3b33-974e-49bf-be4a-9d50b702c2a4" +``` + +Promote `WARDEN-WP-0022` from `proposed` to `ready` (or `active` when T02–T06 allow +bandwidth). Ensure dependency is explicit; log State Hub note that WP-0022 is the +implementation vehicle for INTENT pillar 6 (observable gatekeeping). + +Acceptance: + +- WP-0022 frontmatter status updated. +- WP-0023 `depends_on_workplans` includes WP-0022. +- Hub consistency run syncs both workplans. + +--- + +## Exit criteria + +- July gap analysis is the canonical reassessment (linked from SCOPE). +- INTENT.md no longer understates assist, posture, worker, or owner-native exec. +- Production integration checklists exist for flex-auth flip and ops-bridge cutover. +- `warden sign` surfaces the broker path when vault backend lacks a token. +- Catalog promotion cadence is documented; WP-0022 is queued for implementation. + +## See also + +- `history/2026-07-01-intent-scope-gap-analysis.md` +- `WARDEN-WP-0022-audit-trail-and-activity.md` +- `wiki/playbooks/ops-warden-warden-sign-token.md` +- `~/flex-auth/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md` \ No newline at end of file
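Review bot: the new `R4` row of the maturity table (hunk `@@ -90,14 +101,14 @@` in SCOPE.md) justifies the reliability bump with "credential-broker policy-gate smoke evidence on Railiance (2026-07-01)" but names no artifact, and a date alone is not something a later reassessment can check. Point the row at where the result lives (the `make credential-exec-ops-warden-smoke` output, a State Hub progress note, or the history entry) so the level can be verified rather than re-derived next time the vector is revisited.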
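Review bot: deleting the `Vault-backed policy gate joint smoke | flex-auth + operator | Needs valid scoped VAULT_TOKEN` row from Known gaps (hunk `@@ -175,15 +191,18 @@`) reads as if the joint smoke is closed, but the row's blocker was the token, and the new WP-0023 T03 still lists "joint smoke with `credential-exec-ops-warden-smoke`" as a step of the flex-auth production flip, which FLEX-WP-0007 leaves open in the same table. Prefer rewording the row ("unblocked via broker routing; production joint smoke tracked in WP-0023 T03 / FLEX-WP-0007") over removing it, so the remaining gap stays visible until the flip lands.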
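Review bot: the unchanged context line `- **Active work:** none open in ops-warden; remaining distance is other repos' lanes` in hunk `@@ -243,13 +268,19 @@` now contradicts the `- **Active workplans:** WP-0022 (audit), WP-0023 (INTENT–SCOPE closeout)` bullet added two lines below it and the Active / ready table this patch introduces in hunk `@@ -175,15 +191,18 @@`. Update or drop that line in this commit; WP-0023 T06 names exactly this "all workplans finished" wording as the inconsistency to fix, so leaving it in makes the patch half-apply its own task.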
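Review bot: the wiki table in hunk `@@ -342,8 +374,12 @@` links `wiki/playbooks/ops-warden-warden-sign-token.md` and `wiki/playbooks/operator-openbao-token-hygiene.md`, and the sign-token playbook is referenced again in the `@@ -144,6 +155,11 @@`, `@@ -243,13 +268,19 @@` and WP-0023 hunks, yet neither playbook appears in the diffstat (only SCOPE.md, the history entry and two workplans change). Confirm both files are already committed on the target branch, or add them here, so the links do not dangle; the T06 acceptance line about "Uncommitted SCOPE edits from 2026-07-01 broker routing" suggests some of that work may still be local.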
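Review bot: the vector comparison in the new history file (hunk `@@ -0,0 +1,135 @@`, section 1) states the prior vector was `D5 / A4 / C4 / R3` dated "June 2024", but the SCOPE hunk in this same patch replaces `D5 / A5 / C5 / R3` (the 2026-06-27 line), so only Reliability moved, and the prior assessment it cites is dated 2026-06-24, not 2024. Fix the year in the sentence and in the `Jun 2024` table header, and either change the Availability and Completeness rows to A5 → A5 and C5 → C5 or say which document the A4/C4 baseline comes from; the "up ... on completeness and reliability substance" wording should follow whichever is chosen. The file also ends without a trailing newline (`\ No newline at end of file`).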
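Review bot: T07 in the new workplan (hunk `@@ -0,0 +1,208 @@`) is `status: todo` with acceptance items "WP-0022 frontmatter status updated" and "WP-0023 `depends_on_workplans` includes WP-0022", but this very patch flips WP-0022 to `ready` and adds that dependency, so two of the three items are met at creation. Record the progress the way T01 does (a dated note under the task) or trim T07 to what remains (the State Hub note and the hub consistency run); T06 is in the same position, since the SCOPE hunks already move the latest-assessment pointer and link WP-0023 from Getting Oriented. Separately, if `depends_on_workplans: [WARDEN-WP-0022]` means WP-0023 cannot close before the audit work ships, that conflicts with the exit criterion that only asks for WP-0022 to be "queued for implementation"; pick one relation. Minor: the See also entry uses a home-relative path (`~/flex-auth/workplans/...`) that other checkouts will not resolve, and the file lacks a trailing newline.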