Add July INTENT↔SCOPE gap analysis and WARDEN-WP-0023 alignment closeout

Persist the 2026-07-01 assessment, register the alignment workplan with
tasks for INTENT refresh, production integration coordination, broker UX,
and catalog promotion. Promote WP-0022 to ready and update SCOPE links.
2026-07-01 23:27:14 +02:00
parent 2581eafa69
commit f47d632d8e
4 changed files with 406 additions and 22 deletions


@@ -17,7 +17,7 @@ access guidance aligned with NetKingdom canon.
---
## Where we are (2026-06-27)
## Where we are (2026-07-01)
ops-warden **issues short-lived SSH certificates and routes every other credential
need to the subsystem that owns it.** SSH signing is **production-verified** on
@@ -33,6 +33,14 @@ NetKingdom security map, machine-readable pointer catalog
handoffs for every catalog need and can proxy `exec_capable` lanes as the caller,
without taking custody of values.
**Owner-native exec lanes** are documented in the catalog (WP-00170019 plus
cross-repo stewardship): provisioned secret-exec routes to **secrets-engine**
(`whynot-design-npm-publish`, production-exercised); scoped OpenBao tokens for
ops-warden signing route to the **railiance-platform credential broker**
(`ops-warden-warden-sign-token`, RAILIANCE-WP-0005 T08, live 2026-07-01). ops-warden
points at the owner's front door — it does not mint OpenBao tokens or run
`credential.py` itself.
**Workload security posture** is shipped (WP-0015, all tasks done): dev/test/prod
environment posture, M0-M3 workload maturity, the secret-flow lattice, and blocker
triage language (T1); machine-readable descriptors + `warden policy list|show` (T2);
@@ -64,7 +72,9 @@ ops-warden executes exactly one lane with its own authority and routes/assists t
| Need | Subsystem | ops-warden role |
| --- | --- | --- |
| SSH cert for host/ops access (`adm`/`agt`/`atm`) | **ops-warden** | **Issue** (`warden sign`) |
| Scoped `VAULT_TOKEN` for warden-sign / policy-gate smoke | railiance-platform credential broker | Route — owner-native `credential exec`; ops-warden does not mint |
| API key / DB cred / dynamic lease | OpenBao | Assist — route; proxy as caller only for `exec_capable` lanes |
| Provisioned secret-exec (e.g. npm publish) | secrets-engine (+ OpenBao custody) | Route — primary `secrets-engine exec`; `warden access` as fallback |
| "May I perform action X?" | flex-auth | Route — point at policy; consume decisions where configured |
| Login / OIDC / MFA | key-cape / Keycloak | Assist — route; proxy `login` lane when `exec_capable` |
| SSH tunnel / port forward | ops-bridge | Route — supply `cert_command` |
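Review bot: the new `VAULT_TOKEN` row says "Route — owner-native `credential exec`; ops-warden does not mint" but, unlike the Provisioned secret-exec row just below it (which keeps "`warden access` as fallback"), it does not say whether `warden access` may proxy this lane as an `exec_capable` lane or only point at it. The descriptor text later in this commit says owner-native lanes route instead of proxying, so state that here explicitly (for example "Route only; not `exec_capable`"), otherwise the two owner-native rows read as inconsistent with each other.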
@@ -73,7 +83,8 @@ ops-warden executes exactly one lane with its own authority and routes/assists t
Full role and boundary: `wiki/AccessRouting.md`. The catalog is a **pointer layer**
it never restates an owner's procedure (authored `steps` exist only for the SSH lane).
Gap analysis: `history/2026-06-24-intent-scope-gap-analysis.md` (current);
Gap analysis: `history/2026-07-01-intent-scope-gap-analysis.md` (current);
`history/2026-06-24-intent-scope-gap-analysis.md` (prior);
`history/2026-06-18-post-wp0008-intent-scope-reassessment.md` (SSH lane);
`history/2026-06-18-access-routing-intent-shift-assessment.md` (routing charter).
@@ -90,14 +101,14 @@ Gap analysis: `history/2026-06-24-intent-scope-gap-analysis.md` (current);
| Non-SSH secrets stay out of ops-warden | Met |
| Workload posture / maturity model for secret-flow blockers | Met — two-axis standard + descriptors + conformance checker + dev doubles (WP-0015) |
**Maturity vector:** `D5 / A5 / C5 / R3` (Discovery / Availability / Completeness / Reliability)
**Maturity vector:** `D5 / A5 / C5 / R4` (Discovery / Availability / Completeness / Reliability)
| Dimension | Level | Meaning today |
| --- | --- | --- |
| D5 | Discovery | Routing wiki + security map + pointer catalog + NK canon cross-links |
| A5 | Availability | CLI + `warden route` + `warden access` advisory & proxy front door + `warden policy` + opt-in policy gate + agent `--json` |
| C5 | Completeness | All ops-warden lanes shipped — SSH (prod), routing, access assist, posture conformance, cert_command pilot gate. Open items are external: flex-auth prod flip + ops-bridge live cutover |
| R3 | Reliability | Live OpenBao sign evidence on Railiance |
| C5 | Completeness | All ops-warden lanes shipped — SSH (prod), routing, access assist, posture conformance, cert_command pilot gate, two owner-native exec routes documented (secrets-engine npm, credential broker warden-sign). Open items are external: flex-auth prod flip + ops-bridge live cutover |
| R4 | Reliability | Live OpenBao sign + credential-broker policy-gate smoke evidence on Railiance (2026-07-01) |
---
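Review bot: the R3 to R4 promotion is justified by "credential-broker policy-gate smoke evidence on Railiance (2026-07-01)", yet the Known gaps table in this same commit still carries "Vault-backed policy gate joint smoke | flex-auth + operator | Needs valid scoped `VAULT_TOKEN`" as open. Either the joint smoke with flex-auth actually ran, in which case that gap row should be closed or annotated, or the 07-01 evidence is the broker-side `make credential-exec-ops-warden-smoke` run named in the summary below, in which case the R4 wording should say so and not imply the flex-auth policy gate was exercised end to end.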
@@ -144,6 +155,11 @@ for the rest.
`warden worker drafts | approve <id>` + `worker status`; one-command kill switch
(`wiki/playbooks/scheduled-worker.md`)
- Runbooks for OpenBao config and Inter-Hub bootstrap SSH envelope
- **warden-sign token routing** (RAILIANCE-WP-0005 T08): catalog id
`ops-warden-warden-sign-token` and playbook
`wiki/playbooks/ops-warden-warden-sign-token.md` — routes `VAULT_TOKEN` needs to
`railiance-platform/scripts/credential.py exec --grant ops-warden/warden-sign`
(preferred over manual `export VAULT_TOKEN`)
### Stewardship (documentation and alignment)
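Review bot: the warden-sign token routing bullet says `credential.py exec --grant ops-warden/warden-sign` is "preferred over manual `export VAULT_TOKEN`" without saying what the preference buys. One clause on the property gained (the scoped token is handed to the child process instead of sitting in the operator's interactive shell environment and history) would let the hygiene argument stand on its own, and it should agree with what `wiki/playbooks/operator-openbao-token-hygiene.md` says; if `exec` does place the token in the child's environment, say that too, since it then still exists in process memory for the lifetime of `warden sign`.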
@@ -175,15 +191,18 @@ for the rest.
### Active / ready
_None open._ All ops-warden workplans are finished; the remaining distance is in other
repos' lanes (see Known gaps).
| WP | Focus | Status |
| --- | --- | --- |
| WP-0022 | Unified audit trail + `warden activity` | `ready` |
| WP-0023 | INTENTSCOPE alignment closeout | `ready` |
Remaining production distance is also in other repos' lanes (see Known gaps).
### Known gaps (not ops-warden workplans)
| Gap | Owner | Notes |
| --- | --- | --- |
| flex-auth production runtime + registry deploy | flex-auth | **FLEX-WP-0007** — unblocks `policy.enabled: true` |
| Vault-backed policy gate joint smoke | flex-auth + operator | Needs valid scoped `VAULT_TOKEN` |
| ops-bridge `cert_command` on live tunnels | ops-bridge | Playbook + readiness gate shipped (WP-0016); pilot cutover handed off, awaiting ops-bridge |
| Principals sync warden ↔ railiance-infra | ops-warden + infra | `scripts/check_principals_drift.py` — operator runs periodically |
| NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel coordination track |
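Review bot: the Known gaps row "Vault-backed policy gate joint smoke ... Needs valid scoped `VAULT_TOKEN`" is stale in its Notes column after this commit: the new broker lane (`ops-warden-warden-sign-token`, `credential exec --grant ops-warden/warden-sign`) exists precisely to supply a scoped `VAULT_TOKEN` for the policy-gate smoke, so the note should point at that lane and name what still blocks the joint smoke (the row above cites FLEX-WP-0007 as the prerequisite). Also, the WP-0023 focus cell reads "INTENTSCOPE" where the commit title has "INTENT↔SCOPE"; restore the arrow.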
@@ -193,9 +212,11 @@ repos' lanes (see Known gaps).
## Out of Scope
- **Issuing or custodying** non-SSH secrets (API keys, DB creds, S3 STS,
Inter-Hub keys) → OpenBao with flex-auth policy where required; ops-warden
documents paths and may proxy caller-authenticated `exec_capable` lanes only
- **Issuing or custodying** non-SSH secrets (API keys, DB creds, OpenBao tokens,
S3 STS, Inter-Hub keys) → OpenBao / railiance-platform credential broker /
secrets-engine with flex-auth policy where required; ops-warden documents paths,
routes to owner-native exec front doors, and may proxy caller-authenticated
`exec_capable` lanes only
- Identity / OIDC / MFA → key-cape, Keycloak
- Authorization policy decisions → flex-auth
- flex-auth runtime deployment and secret-flow lattice enforcement → flex-auth
@@ -211,6 +232,9 @@ repos' lanes (see Known gaps).
## Relevant When
- Issuing or refreshing an **SSH cert** for `adm`/`agt`/`atm`
- A worker needs a **scoped `VAULT_TOKEN`** for production `warden sign` or the
flex-auth policy-gate smoke — route to `ops-warden-warden-sign-token`, then run
`credential exec` in `railiance-platform` (no manual token paste)
- A dev worker needs to know **where to get credentials** in the NetKingdom stack
- An agent needs **`warden route find`** instead of re-deriving routing from wiki prose
- `ops-bridge` needs a `cert_command` for a tunnel
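Review bot: the new Relevant When bullet reads "route to `ops-warden-warden-sign-token`, then run `credential exec` in `railiance-platform`", which presents the catalog id as something the worker invokes; it is a catalog entry, not a command. Rephrase along the lines of "look up `ops-warden-warden-sign-token` (it names the broker command), then run `credential exec --grant ops-warden/warden-sign` in `railiance-platform`", and give the grant explicitly here, since the other two mentions on the page do and this one does not.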
@@ -225,7 +249,8 @@ repos' lanes (see Known gaps).
## Not Relevant When
- Storing or vending **API keys or runtime secrets** (→ OpenBao)
- Storing or vending **API keys, OpenBao tokens, or runtime secrets** (→ OpenBao /
railiance-platform broker / secrets-engine)
- Policy decisions on resource access (→ flex-auth)
- Managing tunnels without SSH cert issuance (→ ops-bridge)
- Static-key-only legacy access (ops-bridge static key mode)
@@ -243,13 +268,19 @@ repos' lanes (see Known gaps).
conformance checker, dev doubles); canon landing owner-driven
- **ops-bridge cert_command:** WP-0016 shipped to pilot-ready (readiness gate +
offline contract smoke + handoff); live cutover is ops-bridge's
- **Access front door:** WP-0017 discoverability + WP-0018 first concrete lane
- **Access front door:** WP-0017 discoverability + WP-0018 first concrete secret lane
(`whynot-design-npm-publish`), **production-exercised** — whynot-design published
`@whynot/design@0.4.0` through the conduit. WP-0019 routes provisioned secret-exec
lanes to **secrets-engine** (`secrets-engine exec`), proxy as transparent fallback
- **warden-sign broker routing:** catalog `ops-warden-warden-sign-token` +
`wiki/playbooks/ops-warden-warden-sign-token.md` (RAILIANCE-WP-0005 T08) — live
`make credential-exec-ops-warden-smoke` proven 2026-07-01; manual `export VAULT_TOKEN`
documented as fallback only
- **Active work:** none open in ops-warden; remaining distance is other repos' lanes
- **Integration docs:** cert_command migration, token hygiene, principals drift (`wiki/playbooks/`)
- **Latest assessment:** `history/2026-06-24-intent-scope-gap-analysis.md`
- **Integration docs:** cert_command migration, token hygiene (broker-first), principals
drift (`wiki/playbooks/`)
- **Latest assessment:** `history/2026-07-01-intent-scope-gap-analysis.md`
- **Active workplans:** WP-0022 (audit), WP-0023 (INTENTSCOPE closeout)
---
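Review bot: the "Active work: none open in ops-warden" bullet in this summary block contradicts the "Active workplans: WP-0022 (audit), WP-0023 (INTENT↔SCOPE closeout)" bullet added a few lines below it; drop the former, or rewrite it to say two workplans are ready, so the summary does not assert both. While here, "manual `export VAULT_TOKEN` documented as fallback only" should cross-reference `wiki/playbooks/operator-openbao-token-hygiene.md` so the fallback carries the hygiene rules that playbook states rather than reading as an unrestricted escape hatch.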
@@ -317,11 +348,12 @@ title: Operator access front door (caller-identity fetch proxy)
description: warden access is the operator front door for any NetKingdom credential need.
It renders the owner, auth method, path, and policy status, and for exec_capable lanes
(OpenBao secret reads, key-cape OIDC login) proxies the fetch as the caller — running
the owner's tool with the caller's identity and streaming the value to them. ops-warden
takes no custody: it holds, caches, and logs no secret value (transparent conduit, not a
broker). Use this to obtain an API key, DB credential, npm token, or login — not a State
Hub message.
keywords: [access, credential, secret, npm, token, api-key, openbao, key-cape, login, proxy, fetch, exec, warden-access, front-door, routing]
the owner's tool with the caller's identity and streaming the value to them. For
owner-native lanes (secrets-engine exec, railiance-platform credential broker) it routes
to the owner's front door instead of proxying. ops-warden takes no custody — transparent
conduit, not a broker. Use this to discover how to obtain an API key, DB credential,
npm token, warden-sign lease, or login — not a State Hub message.
keywords: [access, credential, secret, npm, token, api-key, openbao, key-cape, login, proxy, fetch, exec, warden-access, front-door, routing, warden-sign, vault_token, credential-broker]
```
---
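Review bot: the rewritten `description` drops the explicit guarantee from the previous text, "it holds, caches, and logs no secret value", and keeps only "takes no custody — transparent conduit, not a broker". The dropped clause is the stronger and more checkable statement (no caching, no logging of values), and agents consume this descriptor through `--json`; keep it alongside the new owner-native routing sentence. Also "warden-sign lease" is new vocabulary here: the rest of the page calls it a scoped `VAULT_TOKEN`, and the `keywords` list uses `vault_token`, so pick one term so prose and keywords match.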
@@ -342,8 +374,12 @@ keywords: [access, credential, secret, npm, token, api-key, openbao, key-cape, l
| `wiki/PolicyGatedSigning.md` | flex-auth opt-in gate + registry rollout |
| `wiki/AccessManagementDirective.md` | SSH actor model |
| `wiki/OpsWardenConfig.md` | warden.yaml and OpenBao |
| `wiki/playbooks/ops-warden-warden-sign-token.md` | Scoped `VAULT_TOKEN` via credential broker (preferred path) |
| `wiki/playbooks/operator-openbao-token-hygiene.md` | Manual token fallback and hygiene rules |
| `wiki/CertCommandInterface.md` | cert_command contract |
| `history/2026-06-24-intent-scope-gap-analysis.md` | Current gap analysis + WP-0013 |
| `history/2026-07-01-intent-scope-gap-analysis.md` | Current INTENT↔SCOPE gap analysis |
| `workplans/WARDEN-WP-0023-intent-scope-alignment-closeout.md` | Alignment closeout plan |
| `history/2026-06-24-intent-scope-gap-analysis.md` | Prior gap analysis |
| `history/2026-06-27-workload-security-posture-charter.md` | WP-0015 posture/conformance charter |
| `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` | SSH lane gap analysis |
| `history/2026-06-18-access-routing-intent-shift-assessment.md` | Routing charter decision |
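Review bot: the related-docs table gains a row for the WP-0023 workplan but none for WP-0022, which this commit promotes to `ready` in the Active / ready table; add the WP-0022 workplan file alongside it so both ready workplans are reachable from the same table. Also the two playbook rows (`ops-warden-warden-sign-token.md` as preferred path, `operator-openbao-token-hygiene.md` as manual fallback) should each name the other in their purpose cells, since an operator who lands on the fallback page needs to learn that the broker path exists.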