Close ops-warden's side of the last Partial INTENT criterion (ops-bridge integrates
via a stable cert_command). The migration playbook and contract already existed; what
was missing was an automated readiness gate before touching tunnel config.

T1 — scripts/check_tunnel_cert_readiness.py: read-only preflight that asserts the
cert_command path is ready without signing — config/backend, actor inventory + TTL
within type max, pubkey exists/parses/not-private, principals present, and optional
host-principal deployment (mirrors check_principals_drift). Exit 0/1/2.

T2 — opt-in --sign-smoke: runs the cert_command against the local backend and validates
identity/principals/TTL of the emitted cert; refuses a vault backend. Window measured
from the cert's own valid_from->valid_before so it's timezone-robust (fixes a CEST
off-by-2h artifact). integration-marked test + a vault-refusal unit test.

T3 — playbook now leads with Step 0 readiness gate; ops-bridge handoff message sent.

T4 — SCOPE INTENT row: Partial -> Pilot-ready; known-gaps + SSH-lane list updated.

9 unit + 1 integration test, 209 default passing, lint clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
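
The validation described in T2 of the commit message above, as an added example that is not the project's own code: it checks identity, principals and TTL from a certificate listing and measures the window from the cert's own two bounds. It assumes the cert is inspected through `ssh-keygen -L` text output, which prints validity in local time; the sample listing, `parse_cert`, `check_cert` and `naive_remaining` are hypothetical names, and the naive helper shows one way a 2-hour offset can arise under CEST.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt of `ssh-keygen -L` output. The validity bounds are printed
# in the machine's local time with no UTC offset (here: CEST, UTC+2).
SAMPLE = """\
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Key ID: "ops-bridge-tunnel"
        Valid: from 2026-06-27T14:00:00 to 2026-06-27T16:00:00
        Principals:
                tunnel-ops
        Critical Options: (none)
"""
FMT = "%Y-%m-%dT%H:%M:%S"

def parse_cert(text):
    """Return (key_id, principals, valid_from, valid_before) from the listing."""
    key_id = re.search(r'Key ID: "([^"]*)"', text)
    valid = re.search(r"Valid: from (\S+) to (\S+)", text)
    if not key_id or not valid:  # also rejects "Valid: forever" and one-sided bounds
        raise ValueError("missing Key ID or bounded validity window")
    start, end = (datetime.strptime(s, FMT) for s in valid.groups())
    # Principals are the single-token indented lines after the "Principals:" header.
    block = re.search(r"Principals:[ \t]*\n((?:[ \t]+\S+[ \t]*\n)*)", text)
    return key_id.group(1), (block.group(1).split() if block else []), start, end

def check_cert(text, identity, required, max_ttl):
    """Validate identity, principals and TTL; return (window, problems)."""
    key_id, principals, start, end = parse_cert(text)
    window = end - start  # both bounds use the same clock, so the zone cancels out
    problems = []
    if key_id != identity:
        problems.append(f"identity {key_id!r} != {identity!r}")
    missing = sorted(set(required) - set(principals))
    if missing:
        problems.append(f"missing principals: {missing}")
    if window > max_ttl:
        problems.append(f"TTL {window} exceeds max {max_ttl}")
    return window, problems

def naive_remaining(text, now_utc):
    """Pitfall: subtracts a UTC 'now' from the local-time valid_before."""
    return parse_cert(text)[3] - now_utc

if __name__ == "__main__":
    print(check_cert(SAMPLE, "ops-bridge-tunnel", ["tunnel-ops"], timedelta(hours=2)))
    print(naive_remaining(SAMPLE, datetime(2026, 6, 27, 12, 0, 0)))  # issue time in UTC
```
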

issue-core flagged the installed `warden` lacked the `route` subcommand. Two causes:

1. uv reused a cached wheel (version stayed 0.1.0) so the installed warden.cli was
stale. Documented the cache-clean + --reinstall fix in ADHOC-2026-06-27.
2. Even rebuilt, route/access/policy were unusable outside a checkout because the
routing catalog + posture descriptors live in registry/ at repo root, outside the
package. Bundle registry/ into the wheel (hatch force-include -> warden/_registry)
and add a packaged-data fallback in find_catalog_path / find_posture_path after the
repo walk, so source runs still prefer the repo's registry/ (single source of truth).

Verified `warden route list` / `warden policy list` work from /tmp. 200 tests, lint clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>