Add July INTENT↔SCOPE gap analysis and WARDEN-WP-0023 alignment closeout

Persist the 2026-07-01 assessment, register the alignment workplan with
tasks for INTENT refresh, production integration coordination, broker UX,
and catalog promotion. Promote WP-0022 to ready and update SCOPE links.
This commit is contained in:
2026-07-01 23:27:14 +02:00
parent 2581eafa69
commit f47d632d8e
4 changed files with 406 additions and 22 deletions

View File

@@ -0,0 +1,135 @@
# INTENT ↔ SCOPE Gap Analysis — Post RAILIANCE-WP-0005 T08
**Date:** 2026-07-01
**Author:** codex
**Trigger:** RAILIANCE-WP-0005 broker lane live (`ops-warden-warden-sign-token`, T08);
`credential-exec-ops-warden-smoke` proven; SCOPE refreshed to 2026-07-01.
**Prior assessments:** `history/2026-06-24-intent-scope-gap-analysis.md`,
`history/2026-06-18-post-wp0008-intent-scope-reassessment.md`
**Workplan:** `WARDEN-WP-0023-intent-scope-alignment-closeout.md`
---
## 1. Executive summary
ops-warden is **aligned with INTENT** on its core mission: issue SSH certs, route
every other credential need, and stay out of secret custody. The repository has
**grown past what `INTENT.md` describes** — assist layer, owner-native exec routing,
workload posture, and the coordination worker are shipped but not fully reflected
in the aspirational doc.
The largest **real** gaps are **production integration** (flex-auth runtime flip,
ops-bridge live `cert_command`) and **audit coherence** (scattered logs; WP-0022
proposed). The former is mostly other repos; the latter is the best in-repo next
implementation.
**Vector movement:** `D5 / A5 / C5 / R4` (SCOPE 2026-07-01) — up from
`D5 / A4 / C4 / R3` (June 2024) on completeness and reliability substance.
| Dimension | Jun 2024 | Jul 2026 | Notes |
| --- | --- | --- | --- |
| Discovery | D5 | D5 | Catalog + playbooks + owner-native lanes |
| Availability | A4 | A5 | `warden access`, worker, posture CLI |
| Completeness | C4 | C5 | Two concrete owner-native routes; broker live |
| Reliability | R3 | R4 | Sign + broker policy-gate smoke evidence |
---
## 2. Deliverables since 2026-06-24
| Workplan / cross-repo | Deliverable | Status |
| --- | --- | --- |
| WP-00140016 | Access assist, front-door discoverability, cert_command pilot gate | Finished |
| WP-00170019 | secrets-engine primary routing; whynot-design lane active | Finished |
| WP-00200021 | `warden worker` + scheduled tick | Finished |
| RAILIANCE-WP-0005 T08 | `ops-warden-warden-sign-token` catalog + playbook; live broker smoke | Done (platform) |
| WP-0022 | Unified audit + `warden activity` | Proposed |
| FLEX-WP-0007 | flex-auth production deploy | External — still open |
---
## 3. INTENT success criteria
| # | Criterion | Status | Evidence / gap |
| --- | --- | --- | --- |
| 1 | Worker knows which subsystem for each credential type | **Met** | `warden route`, catalog, playbooks; draft lanes remain template |
| 2 | SSH access short-lived, inventoried, audited | **Met (prod)** | OpenBao sign + `signatures.log`; unified audit pending WP-0022 |
| 3 | ops-bridge integrates via stable `cert_command` | **Partial** | WP-0016 pilot-ready; live tunnels still static-key |
| 4 | NetKingdom evolution reflected in docs | **Met** | SCOPE/wiki current; **INTENT.md stale** |
| 5 | Non-SSH secrets stay out of ops-warden | **Met** | Pointer + owner-native exec; no custody |
| 6 | Blockers classifiable by posture/maturity | **Met (repo)** | WP-0015; canon landing external |
**Score: 5 met, 1 partial** — partial is ops-bridge production adoption (unchanged
structurally; VAULT_TOKEN blocker cleared via broker routing).
---
## 4. INTENT mission pillars
| Pillar | Status | Gap |
| --- | --- | --- |
| 1. Know NetKingdom security model | Strong | INTENT table omits secrets-engine, credential broker |
| 2. Route, and assist | Strong | INTENT flow diagram still flat “OpenBao documented” |
| 3. Steward workload posture | Shipped | Runtime enforcement = flex-auth |
| 4. Align runbooks with canon | Strong | Broker-first token hygiene live |
| 5. Issue short-lived SSH certs | Production | — |
| 6. Audit SSH signing | Partial | WP-0022 — fragmented logs today |
---
## 5. Where SCOPE exceeds INTENT (doc drift, not implementation gap)
- `warden access` transparent proxy (WP-0014)
- Owner-native exec routing — secrets-engine, credential broker (WP-00170019, T08)
- Coordination worker (WP-0020/0021)
- Workload posture conformance (WP-0015)
- flex-auth policy gate **caller shipped**; INTENT still says “future hook”
---
## 6. Remaining gaps (prioritized)
| Prio | Gap | Owner | ops-warden action | Track |
| --- | --- | --- | --- | --- |
| **P1** | flex-auth production runtime (`policy.enabled: true`) | flex-auth | Coordination checklist + smoke evidence | **FLEX-WP-0007** |
| **P1** | ops-bridge live `cert_command` cutover | ops-bridge | Evidence template + handoff follow-up | WP-0016 follow-on |
| **P2** | Unified audit trail | ops-warden | Implement WP-0022 | **WARDEN-WP-0022** |
| **P2** | INTENT.md refresh | ops-warden | Align aspirational doc with shipped model | **WARDEN-WP-0023** T02 |
| **P3** | `warden sign` missing-token UX | ops-warden | Hint `credential exec` path | **WARDEN-WP-0023** T04 |
| **P3** | Draft catalog lanes | ops-warden + owners | Promotion checklist as lanes concrete | **WARDEN-WP-0023** T05 |
| **P4** | Principals drift | ops-warden + infra | Periodic `check_principals_drift.py` | Ongoing |
| **P4** | Posture canon landing | net-kingdom | Coordination only | WP-0015 T5 |
---
## 7. Workplan recommendation
**WARDEN-WP-0023 — INTENTSCOPE alignment closeout** (new, `ready`):
- T01: This assessment (persisted)
- T02: Refresh `INTENT.md`
- T03: Production integration coordination pack (flex-auth + ops-bridge)
- T04: `warden sign` broker hint when `VAULT_TOKEN` unset
- T05: Catalog draft-lane promotion checklist
- T06: SCOPE cross-link and workplan-status consistency
- T07: Promote WP-0022 to `ready` and sequence audit implementation
**WARDEN-WP-0022** remains the implementation vehicle for unified audit (P2).
**Out of scope for new ops-warden implementation:**
- flex-auth runtime deployment (FLEX-WP-0007)
- ops-bridge tunnel config changes
- OpenBao token minting / credential broker implementation (railiance-platform)
---
## 8. Maturity target (post WP-0023 + WP-0022 + external P1)
| Dimension | Target | Unlock |
| --- | --- | --- |
| R4 → R5 | Live tunnel uses warden-signed cert | ops-bridge cutover evidence |
| R4 → R5 | Policy gate on in production | FLEX-WP-0007 + operator flip |
| Audit pillar | Single `warden activity` view | WP-0022 |
| INTENT sync | Aspirational doc matches SCOPE | WP-0023 T02 |