docs(WP-0008): T2 production sign verification passed (2026-06-18)

Record live OpenBao SSH engine apply, host CA bootstrap, and warden sign smoke.
2026-06-18 01:18:57 +02:00
parent 2d0f47324d
commit fdc8ecfc8b
2 changed files with 30 additions and 13 deletions
--- a/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md
+++ b/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md
@@ -61,21 +61,17 @@ state_hub_task_id: "05379da4-79d0-4742-8638-9e9565cccf72"

 ```task
 id: WARDEN-WP-0008-T02
-status: wait
+status: done
 priority: high
 state_hub_task_id: "b1a1831d-b2b3-4204-95f6-04dc7f29f67c"
 ```

- [ ] Operator provides scoped `VAULT_TOKEN` (not in Git/chat/logs)
- [ ] Confirm SSH engine mounted and roles per `wiki/OpenBaoSshEngineChecklist.md`
- [ ] Run `warden sign` + `warden status` + `warden log` against production OpenBao
- [ ] Append pass/fail evidence to `history/2026-06-17-openbao-production-verify.md`
+- [x] Operator provides scoped `VAULT_TOKEN` (warden-sign policy token)
+- [x] Confirm SSH engine mounted and roles per `wiki/OpenBaoSshEngineChecklist.md`
+- [x] Run `warden sign` + `warden status` + `warden log` against production OpenBao
+- [x] Append pass/fail evidence to `history/2026-06-17-openbao-production-verify.md`
 - [ ] Optional: cert_command smoke via ops-bridge tunnel (non-secret summary only)

-**Blocked until:** Operator runs NET-WP-0020 T5 live apply (`make openbao-configure-ssh`,
-`make bootstrap-ssh-ca`). Automation artifacts ready 2026-06-18; cluster still
-missing `ssh/` mount. See `history/2026-06-17-openbao-production-verify.md`.
-
 ### T3 — State Hub task status canon migration

 ```task