Add July INTENT↔SCOPE gap analysis and WARDEN-WP-0023 alignment closeout

Persist the 2026-07-01 assessment, register the alignment workplan with
tasks for INTENT refresh, production integration coordination, broker UX,
and catalog promotion. Promote WP-0022 to ready and update SCOPE links.
2026-07-01 23:27:14 +02:00
parent 2581eafa69
commit f47d632d8e
4 changed files with 406 additions and 22 deletions

@@ -4,13 +4,14 @@ type: workplan
title: "Audit trail + `warden activity` — one place to see what ops-warden did"
domain: infotech
repo: ops-warden
status: proposed
status: ready
owner: claude
topic_slug: custodian
planning_priority: high
planning_order: 22
created: "2026-07-01"
updated: "2026-07-01"
state_hub_workstream_id: "fc8afa28-68a7-4250-a19e-9754829f0cd5"
---
# WARDEN-WP-0022 — Audit trail + `warden activity`
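Review bot: The frontmatter change from `status: proposed` to `status: ready` performs the promotion that WARDEN-WP-0023-T07 is written to carry out, yet T07 is added in this same commit with `status: todo`. Either mark the T07 acceptance item "WP-0022 frontmatter status updated" as met with a dated note, as T01 does, or leave the promotion to the commit that closes T07, so the workplan state and the task state do not disagree on day one.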
@@ -47,6 +48,7 @@ needs the State Hub + tunnels to be login-independent (State Hub → railiance01
id: WARDEN-WP-0022-T01
status: todo
priority: high
state_hub_task_id: "7f8f768a-4c62-4096-bad8-912cea0f35a7"
```
- [ ] `src/warden/audit.py`: append-only JSONL at `state_dir/audit.jsonl`. Common event
@@ -62,6 +64,7 @@ priority: high
id: WARDEN-WP-0022-T02
status: todo
priority: high
state_hub_task_id: "e7ae4037-ca79-4557-81f0-bfb8478ff647"
```
- [ ] Emit an audit event from each ops-warden action: `warden sign` (cert issued —
@@ -77,6 +80,7 @@ priority: high
id: WARDEN-WP-0022-T03
status: todo
priority: high
state_hub_task_id: "4439bdd8-1461-47df-8b0b-048df7384a68"
```
- [ ] `warden activity [--days N] [--kind sign|access|worker] [--json] [--hub]` — a single
@@ -90,6 +94,7 @@ priority: high
id: WARDEN-WP-0022-T04
status: todo
priority: medium
state_hub_task_id: "bdfb8703-7a79-43e7-913b-19d61722f164"
```
- [ ] Tests: audit append/read/rotation, the secret-material guard rejects values, the

@@ -0,0 +1,208 @@
---
id: WARDEN-WP-0023
type: workplan
title: "INTENTSCOPE Alignment Closeout"
domain: infotech
repo: ops-warden
status: ready
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 23
created: "2026-07-01"
updated: "2026-07-01"
depends_on_workplans:
- WARDEN-WP-0022
state_hub_workstream_id: "7bad1ec4-a7c2-4980-b8f9-49a7f5408574"
---
# WARDEN-WP-0023 — INTENTSCOPE Alignment Closeout
## Goal
Close the July 2026 INTENT↔SCOPE gaps that ops-warden can address directly: sync
aspirational docs with shipped capabilities, coordinate the remaining production
integration blockers (flex-auth flip, ops-bridge cutover), improve daily operator
UX for broker-backed signing, and establish a repeatable catalog promotion cadence.
Audit implementation stays in **WARDEN-WP-0022**; this workplan sequences and
surrounds it.
**Assessment:** `history/2026-07-01-intent-scope-gap-analysis.md`
## Boundary
- ops-warden does **not** deploy flex-auth, flip ops-bridge tunnels, or implement
the credential broker — it documents, coordinates, and routes.
- Production cutover evidence is captured here; execution remains with owning repos.
---
## Tasks
### T01 — Persist gap analysis
```task
id: WARDEN-WP-0023-T01
status: done
priority: high
state_hub_task_id: "52485c90-87fe-40b1-9db5-a51ebb957dd5"
```
Write and link `history/2026-07-01-intent-scope-gap-analysis.md` with success
criteria matrix, mission pillars, prioritized gaps, and workplan recommendation.
Acceptance:
- History file exists and is referenced from SCOPE and this workplan.
- State Hub progress note logged for the assessment.
**2026-07-01:** Assessment written at
`history/2026-07-01-intent-scope-gap-analysis.md`.
### T02 — Refresh INTENT.md
```task
id: WARDEN-WP-0023-T02
status: todo
priority: high
state_hub_task_id: "9a9b3631-8948-45af-ace1-c19ee74ace4d"
```
Update `INTENT.md` so the aspirational doc reflects shipped reality without
becoming a second SCOPE:
- Mission pillar #2: assist layer (`warden access`) and owner-native exec routing
(secrets-engine, railiance-platform credential broker).
- NetKingdom literacy table: add secrets-engine and credential broker rows.
- Credential flow diagram: broker vs secrets-engine vs OpenBao proxy vs SSH issue.
- flex-auth: caller-side policy gate shipped; production flip external (FLEX-WP-0007).
- Workload posture stewardship and coordination worker as steward capabilities.
- Evolution notes pointer to July gap analysis.
Acceptance:
- INTENT still describes direction, not implementation inventory.
- No contradiction with SCOPE 2026-07-01 boundary (ops-warden does not mint tokens).
### T03 — Production integration coordination pack
```task
id: WARDEN-WP-0023-T03
status: todo
priority: high
state_hub_task_id: "26f23798-494b-45fc-baa8-af27bdffa038"
```
Prepare operator/coordination artifacts for the two P1 external gaps:
1. **flex-auth production flip** — checklist in `wiki/PolicyGatedSigning.md` or a
short playbook section: prerequisites, `policy.enabled: true` steps, rollback,
joint smoke with `credential-exec-ops-warden-smoke`, FLEX-WP-0007 cross-link.
2. **ops-bridge live cutover** — evidence template (non-secret): tunnel id, readiness
gate output, first warden-signed connection timestamp, pointer to
`wiki/playbooks/ops-bridge-tunnel-cert.md`.
Optionally post State Hub coordination messages to `flex-auth` and `ops-bridge`
agents with pointers only (no secrets).
Acceptance:
- A human operator can run the flip/cutover checklists without re-deriving steps.
- Evidence fields are defined; completion is recorded via State Hub progress when done.
### T04 — `warden sign` broker hint when `VAULT_TOKEN` unset
```task
id: WARDEN-WP-0023-T04
status: todo
priority: medium
state_hub_task_id: "85e324f9-273d-4740-a202-9c4e8fb122ae"
```
When `backend: vault` and `VAULT_TOKEN` (or configured `token_env`) is missing,
emit a structured hint pointing at `ops-warden-warden-sign-token` and the
`railiance-platform` `credential exec` command — not a generic error only.
Acceptance:
- Unit test covers the hint text (catalog id + exec shape, no secret placeholders).
- Manual `export VAULT_TOKEN` remains documented as fallback in playbooks.
### T05 — Catalog draft-lane promotion checklist
```task
id: WARDEN-WP-0023-T05
status: todo
priority: medium
state_hub_task_id: "82608692-2845-41e1-a498-90ed53780748"
```
Document the promotion criteria for `registry/routing/catalog.yaml` entries from
`draft``active` (concrete path, owner confirmation, `resolvable` or
`exec_owner` native exec, playbook with `#worker-checklist`, tests). Add to
`wiki/CredentialRouting.md` or a short `wiki/playbooks/catalog-lane-promotion.md`.
If any draft lane has owner-confirmed concrete paths during this WP, promote one
as a worked example (issue-core, OpenRouter, STS, or database — whichever is ready).
Acceptance:
- Checklist is reviewable by humans and agents.
- At least one promotion example or explicit “none ready yet” note in the workplan.
### T06 — SCOPE and workplan consistency
```task
id: WARDEN-WP-0023-T06
status: todo
priority: medium
state_hub_task_id: "79ca7b9a-554e-4952-9393-a29b100f6190"
```
Fix SCOPE inconsistencies noted in the July assessment:
- “All workplans finished” → acknowledge WP-0022/0023 as active/ready.
- Latest gap analysis pointer → `history/2026-07-01-intent-scope-gap-analysis.md`.
- Link WP-0023 from Getting Oriented.
Acceptance:
- SCOPE and gap analysis cross-link correctly.
- Uncommitted SCOPE edits from 2026-07-01 broker routing are committed with this WP.
### T07 — Sequence WP-0022 audit implementation
```task
id: WARDEN-WP-0023-T07
status: todo
priority: high
state_hub_task_id: "1f3b3b33-974e-49bf-be4a-9d50b702c2a4"
```
Promote `WARDEN-WP-0022` from `proposed` to `ready` (or `active` when T02T06 allow
bandwidth). Ensure dependency is explicit; log State Hub note that WP-0022 is the
implementation vehicle for INTENT pillar 6 (observable gatekeeping).
Acceptance:
- WP-0022 frontmatter status updated.
- WP-0023 `depends_on_workplans` includes WP-0022.
- Hub consistency run syncs both workplans.
---
## Exit criteria
- July gap analysis is the canonical reassessment (linked from SCOPE).
- INTENT.md no longer understates assist, posture, worker, or owner-native exec.
- Production integration checklists exist for flex-auth flip and ops-bridge cutover.
- `warden sign` surfaces the broker path when vault backend lacks a token.
- Catalog promotion cadence is documented; WP-0022 is queued for implementation.
## See also
- `history/2026-07-01-intent-scope-gap-analysis.md`
- `WARDEN-WP-0022-audit-trail-and-activity.md`
- `wiki/playbooks/ops-warden-warden-sign-token.md`
- `~/flex-auth/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md`
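Review bot: The dependency direction is ambiguous. The frontmatter `depends_on_workplans: - WARDEN-WP-0022` reads as WP-0023 being blocked on WP-0022, while the Goal says this workplan "sequences and surrounds" it and T07 holds WP-0022 at `ready` until the other tasks allow bandwidth. State in the Goal or T07 which exit criteria actually wait on WP-0022, or the Hub consistency run may order the two workplans the wrong way round. Separately, the `title:` and the H1 read "INTENTSCOPE" where the Goal uses "INTENT↔SCOPE", and T05 (`draft``active`) and T07 ("T02T06") appear to have lost a separator; please check these in the source file.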