Drop the "operational access desk" framing (and the rejected "coach"
metaphor) for plain language: ops-warden issues short-lived SSH certs and
routes every other credential need to its owner. SSH is the only lane it
executes.
Adds WARDEN-WP-0010/0011/0012 with a pointer-layer routing catalog that
points at owner docs rather than restating them, enforced structurally
(non-SSH entries carrying a steps block fail CI). Drops the scope-creep-prone
`check` command; hides unshipped-path scenarios as draft.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
SCOPE.md now documents where we are (R3 production sign), INTENT criteria
status, maturity vector, and workplan landscape. Add reassessment history;
point INTENT evolution notes at latest assessment.
Mark WP-0008 finished and move to archived/. Spin flex-auth production gate
to WARDEN-WP-0009. Update SCOPE and reassessment history for R3 reliability.
- Post-WP-0007 reassessment and SCOPE/README updates
- AGENTS.md + workplan-convention task status canon migration
- examples/warden.production.example.yaml for production OpenBao
- Archive WP-0004 through WP-0007 to workplans/archived/260617-*
- WP-0008 T1/T3/T4 done; T2/T5 wait on operator/flex-auth
Add policy.py client that calls flex-auth /v1/check before sign/issue when
policy.enabled is true. Record policy_decision_id in signatures.log. Default
off preserves existing inventory-only behavior. Document production OpenBao
health probe and update config/wiki references.
Add ops-warden INTENT as operational access steward for NetKingdom
security (route credential lanes, align docs, issue SSH certs only).
Refresh SCOPE for stewardship scope, persist INTENT↔SCOPE gap assessment,
and open WARDEN-WP-0006 for routing runbooks and platform alignment.
Document OpenBao as the platform production secrets service while keeping
the vault-compatible warden.yaml config shape. Update OpsWardenConfig,
SCOPE, and CertCommandInterface cross-references.
Update SCOPE and README to reflect the shipped warden CLI, fill agent
rules for stack/architecture/boundary, archive finished workplans
0001–0003, and register WP-0004 in State Hub.
T1 — TTL max enforcement:
- models.py: MAX_TTL_HOURS policy constant
- ca.py: _enforce_ttl() raises CAError when spec.ttl_hours > type max
- Called at top of LocalCA.sign() and VaultCA.sign()
- scorecard.py: check_ttl_policy() — flags certs with issued TTL > type max
- run_scorecard() now returns 5 checks
T2 — Stale cert cleanup:
- ca.py: _evict_cert() removes existing cert before writing new one (no accumulation)
- cli.py: warden cleanup [actor] [--dry-run] command
- check_no_stale_certs detail suggests 'warden cleanup' when stale certs found
T3 — Outgoing signatures log:
- ca.py: _append_signature_log() writes JSONL to state_dir/signatures.log
- Called after every successful sign() in LocalCA and VaultCA
- cli.py: warden log [actor] [--last N] [--json] command
- parse_cert_metadata now also returns valid_from (needed for TTL policy check)
61 tests passing, ruff clean.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
