# INTENT ↔ SCOPE State Assessment — ops-warden

**Date:** 2026-06-17

**Author:** codex

**Trigger:** INTENT.md established; SCOPE.md refreshed to reflect stewardship mission alongside SSH CLI implementation.

**Follow-up workplan:** `workplans/WARDEN-WP-0006-netkingdom-alignment-and-access-stewardship.md`

---

## 1. Executive summary

ops-warden **ships a complete SSH CA CLI** (v0.1.0, 100 unit tests, OpenBao-first docs, federation capability published). The new **INTENT** reframes the repo as an **operational access steward** for the NetKingdom security model: knowledgeable about platform credential lanes, routing workers to the right subsystems, keeping guidance aligned — while **issuing only SSH certificates** directly.

**Alignment:** strong on the **SSH implementation lane**; weak on the **stewardship and NetKingdom integration** lane declared in INTENT.

**Self-assessed vector (product):** `D4 / A3 / C2 / R2`

| Dimension | Level | Rationale |
| --- | --- | --- |
| Discovery (D) | D4 | SSH lane well documented; stewardship/routing canon immature |
| Availability (A) | A3 | Installable CLI + cert_command; no desk API or policy gate |
| Completeness (C) | C2 | SSH core works; INTENT stewardship largely undelivered |
| Reliability (R) | R2 | Good test coverage; production OpenBao SSH path not verified end-to-end |

---

## 2. Delivery snapshot

| Area | State (2026-06-17) |
| --- | --- |
| SSH CLI | `warden sign/issue/status/scorecard/cleanup/log/inventory` |
| Backends | `local` + `vault` (OpenBao-compatible API) |
| Tests | 100 unit + integration marker suite |
| Wiki | AccessManagementDirective, OpsWardenConfig, CertCommandInterface, InterHubBootstrapAccessLane |
| Registry | `capability.security.ssh-certificate-issuance` (D4/A3/C3/R2 in entry) |
| INTENT.md | **New** — stewardship + NetKingdom literacy |
| NetKingdom cross-links | Minimal in SCOPE; responsibility-map still lists ops-warden out-of-scope |
| Credential routing runbook | **Missing** — no single "which subsystem?" guide in wiki |
| flex-auth pre-sign hook | **Not designed or implemented** |
| Production OpenBao SSH engine | Documented; live mount/roles unverified from this repo |
| Standard agent inventory templates | **Missing** — only example actors in docs |

---

## 3. INTENT alignment

### Aligned

| INTENT expectation | SCOPE evidence |
| --- | --- |
| Issue short-lived SSH certs for adm/agt/atm | Full CLI, TTL policy, scorecard, signatures log |
| Stable cert_command for consumers | `wiki/CertCommandInterface.md`, ops-bridge integration contract |
| Do not store long-lived API secrets | Repo boundary, InterHub runbook, CUST-WP-0049 non-goals |
| OpenBao as production SSH signing backend | `wiki/OpsWardenConfig.md` (WP-0005) |
| Auditable SSH gatekeeping | `signatures.log`, scorecard checks |
| Actor attribution model | AccessManagementDirective alignment, ActorType enum |

### Partial

| INTENT expectation | Gap |
| --- | --- |
| Know NetKingdom security infrastructure | INTENT tables exist; no mirrored wiki summary or kept-in-sync process |
| Route workers to correct subsystem | Scattered across SCOPE/repo-boundary; no `wiki/CredentialRouting.md` |
| Keep guidance aligned with NetKingdom canon | No subscription to net-kingdom doc changes; responsibility-map outdated |
| Operational access desk for dev workers | CLI-only; no guided flow or agent-facing routing surface |
| flex-auth policy before SSH sign | Inventory allow-list only; no authorization integration |
| Observable stewardship | SSH audit yes; routing/alignment maintenance not tracked |

### Not started (INTENT evolution)

| INTENT expectation | Notes |
| --- | --- |
| NetKingdom responsibility-map recognition | ops-warden still "out of scope" in net-kingdom map |
| Platform architecture diagram includes ops-warden SSH path | Not in `platform-identity-security-architecture.md` |
| NK-WP-0009 SSH tutorial linkage | Planned in net-kingdom, not wired to ops-warden |
| Policy-gated issuance | Future phase; needs design doc |
| MCP/HTTP cert request for agents | Future; CLI sufficient for now |

---

## 4. Success criteria scorecard (from INTENT.md)

| Criterion | Verdict |
| --- | --- |
| Worker knows which subsystem for each credential type | **No** — no canonical routing runbook |
| SSH access short-lived, inventoried, audited | **Yes (tooling)** — production inventory discipline pending |
| ops-bridge integrates via cert_command | **Yes (contract)** — live tunnel matrix not verified here |
| NetKingdom evolution reflected in ops-warden docs | **Partial** — OpenBao done; no ongoing sync process |
| Non-SSH secrets stay out of ops-warden | **Yes** — boundaries documented |

**Score: 2 yes, 2 partial, 1 no**

---

## 5. Completeness and reliability

### Completeness vs INTENT — **C2 (Partial)**

The central SSH use case is implemented. The new stewardship mission — NetKingdom literacy, routing, alignment maintenance — is **declared in INTENT and SCOPE but not yet operationalized** in wiki, net-kingdom cross-links, or worker-facing runbooks.

**Satisfied expectations:**

- SSH certificate issuance end-to-end (local backend)
- cert_command contract
- OpenBao-first production documentation

**Broken / missing expectations:**

- No credential routing guide for dev workers
- No NetKingdom alignment workstream execution
- No flex-auth integration path

**Out of scope (correctly excluded):**

- OpenBao cluster operations
- flex-auth policy authoring
- Object-storage STS vending

### Reliability vs INTENT — **R2 (Tolerable)**

Strong unit tests and scorecard for cert-side checks. Production reliance on the OpenBao SSH engine and multi-worker inventory patterns is not yet demonstrated. Consumers must expect manual operator steps for non-SSH credentials.

---

## 6. Open gaps (prioritized)

| Prio | Gap | Suggested outcome |
| --- | --- | --- |
| P1 | Credential routing runbook | `wiki/CredentialRouting.md` — decision tree for workers |
| P1 | NetKingdom cross-link patch | PR/note in net-kingdom responsibility-map + platform doc SSH path |
| P2 | Standard inventory templates | `wiki/ActorInventoryPatterns.md` + example `inventory.yaml` seed |
| P2 | OpenBao SSH engine ops checklist | Verify/mount roles; link railiance-platform procedures |
| P3 | flex-auth pre-sign design | `wiki/PolicyGatedSigning.md` — design only, no code yet |
| P3 | Registry capability update | Reflect stewardship in capability entry summary |
| P4 | Agent-facing routing | Evaluate `warden guide` CLI or doc-only desk page |
| P4 | NK-WP-0009 coordination | Joint tutorial: short-lived SSH for agents |

Captured in **WARDEN-WP-0006**.

---

## 7. Recommendations

1. **Execute WARDEN-WP-0006** in order: routing runbook → NetKingdom cross-links → inventory templates → OpenBao ops checklist.
2. **Keep SSH CLI stable** — stewardship work is docs/alignment first; defer flex-auth code until design is reviewed.
3. **Coordinate net-kingdom** — small responsibility-map update is a dependency for INTENT success criterion #4.
4. **Re-assess after WP-0006** — target C3/C4 completeness if routing runbook and NetKingdom links land.

---

## 8. Document map

| File | Role |
| --- | --- |
| `INTENT.md` | Aspirational steward + SSH authority mission |
| `SCOPE.md` | Current implementation and planned stewardship scope |
| This file | Gap analysis snapshot |
| `workplans/WARDEN-WP-0006-*.md` | Execution plan |