generated from coulomb/repo-seed
Add July INTENT↔SCOPE gap analysis and WARDEN-WP-0023 alignment closeout
Persist the 2026-07-01 assessment, register the alignment workplan with tasks for INTENT refresh, production integration coordination, broker UX, and catalog promotion. Promote WP-0022 to ready and update SCOPE links.
SCOPE.md (78 changed lines)
@@ -17,7 +17,7 @@ access guidance aligned with NetKingdom canon.

---

## Where we are (2026-06-27)
## Where we are (2026-07-01)

ops-warden **issues short-lived SSH certificates and routes every other credential
need to the subsystem that owns it.** SSH signing is **production-verified** on
@@ -33,6 +33,14 @@ NetKingdom security map, machine-readable pointer catalog
handoffs for every catalog need and can proxy `exec_capable` lanes as the caller,
without taking custody of values.

**Owner-native exec lanes** are documented in the catalog (WP-0017–0019 plus
cross-repo stewardship): provisioned secret-exec routes to **secrets-engine**
(`whynot-design-npm-publish`, production-exercised); scoped OpenBao tokens for
ops-warden signing route to the **railiance-platform credential broker**
(`ops-warden-warden-sign-token`, RAILIANCE-WP-0005 T08, live 2026-07-01). ops-warden
points at the owner's front door — it does not mint OpenBao tokens or run
`credential.py` itself.

**Workload security posture** is shipped (WP-0015, all tasks done): dev/test/prod
environment posture, M0-M3 workload maturity, the secret-flow lattice, and blocker
triage language (T1); machine-readable descriptors + `warden policy list|show` (T2);
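Review bot: the new paragraph asserts that ops-warden never mints OpenBao tokens or runs `credential.py`, but two lines above the same section says `warden access` can proxy `exec_capable` lanes as the caller. State explicitly that `ops-warden-warden-sign-token` is registered as a route-only (non-`exec_capable`) lane, otherwise the proxy path would stream a `VAULT_TOKEN` through ops-warden and contradict "without taking custody of values". Suggest appending something like "(catalog entry is route-only; `warden access` renders the pointer and will not proxy it)" and naming where that flag lives so the conformance checker can enforce it rather than leaving it to prose.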
@@ -64,7 +72,9 @@ ops-warden executes exactly one lane with its own authority and routes/assists t
| Need | Subsystem | ops-warden role |
| --- | --- | --- |
| SSH cert for host/ops access (`adm`/`agt`/`atm`) | **ops-warden** | **Issue** (`warden sign`) |
| Scoped `VAULT_TOKEN` for warden-sign / policy-gate smoke | railiance-platform credential broker | Route — owner-native `credential exec`; ops-warden does not mint |
| API key / DB cred / dynamic lease | OpenBao | Assist — route; proxy as caller only for `exec_capable` lanes |
| Provisioned secret-exec (e.g. npm publish) | secrets-engine (+ OpenBao custody) | Route — primary `secrets-engine exec`; `warden access` as fallback |
| "May I perform action X?" | flex-auth | Route — point at policy; consume decisions where configured |
| Login / OIDC / MFA | key-cape / Keycloak | Assist — route; proxy `login` lane when `exec_capable` |
| SSH tunnel / port forward | ops-bridge | Route — supply `cert_command` |
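Review bot: the new `VAULT_TOKEN` row folds two different consumers, production `warden sign` and the flex-auth policy-gate smoke, into one "scoped" token without saying what the scope is. Least privilege argues for separate grants, or at minimum the row should name the grant (`ops-warden/warden-sign`, per the playbook bullet later in this diff) and its intended TTL so "scoped" is checkable. "ops-warden does not mint" is the right boundary, but this table is the first thing an operator reads, so the role cell should also say who rotates and revokes the token (the broker, presumably) rather than only who does not.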
@@ -73,7 +83,8 @@ ops-warden executes exactly one lane with its own authority and routes/assists t
Full role and boundary: `wiki/AccessRouting.md`. The catalog is a **pointer layer** —
it never restates an owner's procedure (authored `steps` exist only for the SSH lane).

Gap analysis: `history/2026-06-24-intent-scope-gap-analysis.md` (current);
Gap analysis: `history/2026-07-01-intent-scope-gap-analysis.md` (current);
`history/2026-06-24-intent-scope-gap-analysis.md` (prior);
`history/2026-06-18-post-wp0008-intent-scope-reassessment.md` (SSH lane);
`history/2026-06-18-access-routing-intent-shift-assessment.md` (routing charter).

@@ -90,14 +101,14 @@ Gap analysis: `history/2026-06-24-intent-scope-gap-analysis.md` (current);
| Non-SSH secrets stay out of ops-warden | Met |
| Workload posture / maturity model for secret-flow blockers | Met — two-axis standard + descriptors + conformance checker + dev doubles (WP-0015) |

**Maturity vector:** `D5 / A5 / C5 / R3` (Discovery / Availability / Completeness / Reliability)
**Maturity vector:** `D5 / A5 / C5 / R4` (Discovery / Availability / Completeness / Reliability)

| Dimension | Level | Meaning today |
| --- | --- | --- |
| D5 | Discovery | Routing wiki + security map + pointer catalog + NK canon cross-links |
| A5 | Availability | CLI + `warden route` + `warden access` advisory & proxy front door + `warden policy` + opt-in policy gate + agent `--json` |
| C5 | Completeness | All ops-warden lanes shipped — SSH (prod), routing, access assist, posture conformance, cert_command pilot gate. Open items are external: flex-auth prod flip + ops-bridge live cutover |
| R3 | Reliability | Live OpenBao sign evidence on Railiance |
| C5 | Completeness | All ops-warden lanes shipped — SSH (prod), routing, access assist, posture conformance, cert_command pilot gate, two owner-native exec routes documented (secrets-engine npm, credential broker warden-sign). Open items are external: flex-auth prod flip + ops-bridge live cutover |
| R4 | Reliability | Live OpenBao sign + credential-broker policy-gate smoke evidence on Railiance (2026-07-01) |

---

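Review bot: the R3 to R4 bump rests on a single smoke run dated 2026-07-01, and the table never says what R4 requires beyond R3. Add the rubric line (or a pointer to the maturity standard it comes from) and link the evidence artifact; a later hunk names `make credential-exec-ops-warden-smoke`, so the cell could cite that target and where its output is recorded. As written a reader cannot tell whether a repeatable check exists or whether the level regresses the day the broker lane breaks.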
@@ -144,6 +155,11 @@ for the rest.
`warden worker drafts | approve <id>` + `worker status`; one-command kill switch
(`wiki/playbooks/scheduled-worker.md`)
- Runbooks for OpenBao config and Inter-Hub bootstrap SSH envelope
- **warden-sign token routing** (RAILIANCE-WP-0005 T08): catalog id
`ops-warden-warden-sign-token` and playbook
`wiki/playbooks/ops-warden-warden-sign-token.md` — routes `VAULT_TOKEN` needs to
`railiance-platform/scripts/credential.py exec --grant ops-warden/warden-sign`
(preferred over manual `export VAULT_TOKEN`)

### Stewardship (documentation and alignment)

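Review bot: "preferred over manual `export VAULT_TOKEN`" gives no constraint on the fallback. Since the point of the route is that ops-warden never handles the token, say when the manual path is acceptable and point at the hygiene rules (`wiki/playbooks/operator-openbao-token-hygiene.md`, added to the reference table further down in this diff) so "fallback" does not quietly become the default. Also state in the bullet that `credential.py exec` runs in the caller's own `railiance-platform` checkout and is not invoked by ops-warden; that is the fact that keeps the custody claim in the "Where we are" section true.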
@@ -175,15 +191,18 @@ for the rest.

### Active / ready

_None open._ All ops-warden workplans are finished; the remaining distance is in other
repos' lanes (see Known gaps).
| WP | Focus | Status |
| --- | --- | --- |
| WP-0022 | Unified audit trail + `warden activity` | `ready` |
| WP-0023 | INTENT–SCOPE alignment closeout | `ready` |

Remaining production distance is also in other repos' lanes (see Known gaps).

### Known gaps (not ops-warden workplans)

| Gap | Owner | Notes |
| --- | --- | --- |
| flex-auth production runtime + registry deploy | flex-auth | **FLEX-WP-0007** — unblocks `policy.enabled: true` |
| Vault-backed policy gate joint smoke | flex-auth + operator | Needs valid scoped `VAULT_TOKEN` |
| ops-bridge `cert_command` on live tunnels | ops-bridge | Playbook + readiness gate shipped (WP-0016); pilot cutover handed off, awaiting ops-bridge |
| Principals sync warden ↔ railiance-infra | ops-warden + infra | `scripts/check_principals_drift.py` — operator runs periodically |
| NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel coordination track |
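Review bot: "Remaining production distance is also in other repos' lanes" has nothing left for "also" to refer to once the `_None open._` sentence it echoed is removed; drop "also". Separately, the "Vault-backed policy gate joint smoke | Needs valid scoped `VAULT_TOKEN`" row: if it survives this change, its Notes cell should now say the token is obtained through `ops-warden-warden-sign-token` rather than implying an operator pastes one, and if the 2026-07-01 broker smoke closes it, the row should go with a pointer to the evidence instead of lingering as an open gap.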
@@ -193,9 +212,11 @@ repos' lanes (see Known gaps).

## Out of Scope

- **Issuing or custodying** non-SSH secrets (API keys, DB creds, S3 STS,
Inter-Hub keys) → OpenBao with flex-auth policy where required; ops-warden
documents paths and may proxy caller-authenticated `exec_capable` lanes only
- **Issuing or custodying** non-SSH secrets (API keys, DB creds, OpenBao tokens,
S3 STS, Inter-Hub keys) → OpenBao / railiance-platform credential broker /
secrets-engine with flex-auth policy where required; ops-warden documents paths,
routes to owner-native exec front doors, and may proxy caller-authenticated
`exec_capable` lanes only
- Identity / OIDC / MFA → key-cape, Keycloak
- Authorization policy decisions → flex-auth
- flex-auth runtime deployment and secret-flow lattice enforcement → flex-auth
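Review bot: the rewritten bullet lists three owners (OpenBao / railiance-platform credential broker / secrets-engine) for one bag of secret types without saying which owns which. The routing table earlier in this diff already has the split (OpenBao tokens to the broker, provisioned secret-exec such as npm publish to secrets-engine, API keys / DB creds / dynamic leases to OpenBao), so mirror it here, e.g. "OpenBao tokens → railiance-platform credential broker; provisioned secret-exec → secrets-engine; everything else → OpenBao". Out-of-scope text is what gets quoted in boundary arguments, so it should not be looser than the table.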
@@ -211,6 +232,9 @@ repos' lanes (see Known gaps).
## Relevant When

- Issuing or refreshing an **SSH cert** for `adm`/`agt`/`atm`
- A worker needs a **scoped `VAULT_TOKEN`** for production `warden sign` or the
flex-auth policy-gate smoke — route to `ops-warden-warden-sign-token`, then run
`credential exec` in `railiance-platform` (no manual token paste)
- A dev worker needs to know **where to get credentials** in the NetKingdom stack
- An agent needs **`warden route find`** instead of re-deriving routing from wiki prose
- `ops-bridge` needs a `cert_command` for a tunnel
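Review bot: "(no manual token paste)" reads as absolute here, but the rest of this diff keeps `export VAULT_TOKEN` as a documented fallback; say "no manual token paste on the routed path" or reference the fallback so the two statements do not contradict. The command is also spelled differently from the earlier bullet (`credential exec` here, `scripts/credential.py exec --grant ops-warden/warden-sign` there); use one form so an agent following this page does not have to guess which is literal.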
@@ -225,7 +249,8 @@ repos' lanes (see Known gaps).

## Not Relevant When

- Storing or vending **API keys or runtime secrets** (→ OpenBao)
- Storing or vending **API keys, OpenBao tokens, or runtime secrets** (→ OpenBao /
railiance-platform broker / secrets-engine)
- Policy decisions on resource access (→ flex-auth)
- Managing tunnels without SSH cert issuance (→ ops-bridge)
- Static-key-only legacy access (ops-bridge static key mode)
@@ -243,13 +268,19 @@ repos' lanes (see Known gaps).
conformance checker, dev doubles); canon landing owner-driven
- **ops-bridge cert_command:** WP-0016 shipped to pilot-ready (readiness gate +
offline contract smoke + handoff); live cutover is ops-bridge's
- **Access front door:** WP-0017 discoverability + WP-0018 first concrete lane
- **Access front door:** WP-0017 discoverability + WP-0018 first concrete secret lane
(`whynot-design-npm-publish`), **production-exercised** — whynot-design published
`@whynot/design@0.4.0` through the conduit. WP-0019 routes provisioned secret-exec
lanes to **secrets-engine** (`secrets-engine exec`), proxy as transparent fallback
- **warden-sign broker routing:** catalog `ops-warden-warden-sign-token` +
`wiki/playbooks/ops-warden-warden-sign-token.md` (RAILIANCE-WP-0005 T08) — live
`make credential-exec-ops-warden-smoke` proven 2026-07-01; manual `export VAULT_TOKEN`
documented as fallback only
- **Active work:** none open in ops-warden; remaining distance is other repos' lanes
- **Integration docs:** cert_command migration, token hygiene, principals drift (`wiki/playbooks/`)
- **Latest assessment:** `history/2026-06-24-intent-scope-gap-analysis.md`
- **Integration docs:** cert_command migration, token hygiene (broker-first), principals
drift (`wiki/playbooks/`)
- **Latest assessment:** `history/2026-07-01-intent-scope-gap-analysis.md`
- **Active workplans:** WP-0022 (audit), WP-0023 (INTENT–SCOPE closeout)

---

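Review bot: "Active workplans: WP-0022 (audit), WP-0023 (INTENT–SCOPE closeout)" conflicts with the Active / ready table in this same diff, which marks both as `ready`, and with the commit message ("Promote WP-0022 to ready"); pick one word and use it in both places. Also, "live `make credential-exec-ops-warden-smoke` proven 2026-07-01" is the evidence the R4 bump depends on, so say where the run's output is kept (the 2026-07-01 gap analysis, if that is where it lives) rather than leaving a date as the only trace.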
@@ -317,11 +348,12 @@ title: Operator access front door (caller-identity fetch proxy)
description: warden access is the operator front door for any NetKingdom credential need.
It renders the owner, auth method, path, and policy status, and for exec_capable lanes
(OpenBao secret reads, key-cape OIDC login) proxies the fetch as the caller — running
the owner's tool with the caller's identity and streaming the value to them. ops-warden
takes no custody: it holds, caches, and logs no secret value (transparent conduit, not a
broker). Use this to obtain an API key, DB credential, npm token, or login — not a State
Hub message.
keywords: [access, credential, secret, npm, token, api-key, openbao, key-cape, login, proxy, fetch, exec, warden-access, front-door, routing]
the owner's tool with the caller's identity and streaming the value to them. For
owner-native lanes (secrets-engine exec, railiance-platform credential broker) it routes
to the owner's front door instead of proxying. ops-warden takes no custody — transparent
conduit, not a broker. Use this to discover how to obtain an API key, DB credential,
npm token, warden-sign lease, or login — not a State Hub message.
keywords: [access, credential, secret, npm, token, api-key, openbao, key-cape, login, proxy, fetch, exec, warden-access, front-door, routing, warden-sign, vault_token, credential-broker]
```

---
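Review bot: the rewritten description drops the explicit "it holds, caches, and logs no secret value" clause in favour of the shorter "takes no custody". The logging clause is the one an auditor cares about, and it matters more now that WP-0022 is adding a unified audit trail (`warden activity`) that must not capture proxied values, so restore it: "ops-warden takes no custody: it holds, caches, and logs no secret value". The new "routes to the owner's front door instead of proxying" sentence is the right addition; it would be stronger if it named those lanes as route-only so the `exec_capable` proxy claim two lines above is clearly scoped to OpenBao reads and key-cape login.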
@@ -342,8 +374,12 @@ keywords: [access, credential, secret, npm, token, api-key, openbao, key-cape, l
| `wiki/PolicyGatedSigning.md` | flex-auth opt-in gate + registry rollout |
| `wiki/AccessManagementDirective.md` | SSH actor model |
| `wiki/OpsWardenConfig.md` | warden.yaml and OpenBao |
| `wiki/playbooks/ops-warden-warden-sign-token.md` | Scoped `VAULT_TOKEN` via credential broker (preferred path) |
| `wiki/playbooks/operator-openbao-token-hygiene.md` | Manual token fallback and hygiene rules |
| `wiki/CertCommandInterface.md` | cert_command contract |
| `history/2026-06-24-intent-scope-gap-analysis.md` | Current gap analysis + WP-0013 |
| `history/2026-07-01-intent-scope-gap-analysis.md` | Current INTENT↔SCOPE gap analysis |
| `workplans/WARDEN-WP-0023-intent-scope-alignment-closeout.md` | Alignment closeout plan |
| `history/2026-06-24-intent-scope-gap-analysis.md` | Prior gap analysis |
| `history/2026-06-27-workload-security-posture-charter.md` | WP-0015 posture/conformance charter |
| `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` | SSH lane gap analysis |
| `history/2026-06-18-access-routing-intent-shift-assessment.md` | Routing charter decision |

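Review bot: relabelling the 2026-06-24 row as "Prior gap analysis" drops the "+ WP-0013" pointer the old row carried; if WP-0013 is still only reachable through that document, keep the mention so the reference table remains the index it is meant to be.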