---
id: WARDEN-WP-0023
type: workplan
title: "INTENT–SCOPE Alignment Closeout"
domain: infotech
repo: ops-warden
status: finished
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 23
created: "2026-07-01"
updated: "2026-07-01"
depends_on_workplans:
  - WARDEN-WP-0022
state_hub_workstream_id: "7bad1ec4-a7c2-4980-b8f9-49a7f5408574"
---

# WARDEN-WP-0023 — INTENT–SCOPE Alignment Closeout

## Goal

Close the July 2026 INTENT↔SCOPE gaps that ops-warden can address directly: sync aspirational docs with shipped capabilities, coordinate the remaining production integration blockers (flex-auth flip, ops-bridge cutover), improve daily operator UX for broker-backed signing, and establish a repeatable catalog promotion cadence. Audit implementation stays in **WARDEN-WP-0022**; this workplan sequences and surrounds it.

**Assessment:** `history/2026-07-01-intent-scope-gap-analysis.md`

## Boundary

- ops-warden does **not** deploy flex-auth, flip ops-bridge tunnels, or implement the credential broker — it documents, coordinates, and routes.
- Production cutover evidence is captured here; execution remains with owning repos.

---

## Tasks

### T01 — Persist gap analysis

```task
id: WARDEN-WP-0023-T01
status: done
priority: high
state_hub_task_id: "52485c90-87fe-40b1-9db5-a51ebb957dd5"
```

Write and link `history/2026-07-01-intent-scope-gap-analysis.md` with success criteria matrix, mission pillars, prioritized gaps, and workplan recommendation.

Acceptance:

- History file exists and is referenced from SCOPE and this workplan.
- State Hub progress note logged for the assessment.

**2026-07-01:** Assessment written at `history/2026-07-01-intent-scope-gap-analysis.md`.

### T02 — Refresh INTENT.md

```task
id: WARDEN-WP-0023-T02
status: done
priority: high
state_hub_task_id: "9a9b3631-8948-45af-ace1-c19ee74ace4d"
```

Update `INTENT.md` so the aspirational doc reflects shipped reality without becoming a second SCOPE:

- Mission pillar #2: assist layer (`warden access`) and owner-native exec routing (secrets-engine, railiance-platform credential broker).
- NetKingdom literacy table: add secrets-engine and credential broker rows.
- Credential flow diagram: broker vs secrets-engine vs OpenBao proxy vs SSH issue.
- flex-auth: caller-side policy gate shipped; production flip external (FLEX-WP-0007).
- Workload posture stewardship and coordination worker as steward capabilities.
- Evolution notes pointer to July gap analysis.

Acceptance:

- INTENT still describes direction, not implementation inventory.
- No contradiction with SCOPE 2026-07-01 boundary (ops-warden does not mint tokens).

**2026-07-01:** INTENT.md updated.

### T03 — Production integration coordination pack

```task
id: WARDEN-WP-0023-T03
status: done
priority: high
state_hub_task_id: "26f23798-494b-45fc-baa8-af27bdffa038"
```

Prepare operator/coordination artifacts for the two P1 external gaps:

1. **flex-auth production flip** — checklist in `wiki/PolicyGatedSigning.md` or a short playbook section: prerequisites, `policy.enabled: true` steps, rollback, joint smoke with `credential-exec-ops-warden-smoke`, FLEX-WP-0007 cross-link.
2. **ops-bridge live cutover** — evidence template (non-secret): tunnel id, readiness gate output, first warden-signed connection timestamp, pointer to `wiki/playbooks/ops-bridge-tunnel-cert.md`.

Optionally post State Hub coordination messages to `flex-auth` and `ops-bridge` agents with pointers only (no secrets).

Acceptance:

- A human operator can run the flip/cutover checklists without re-deriving steps.
- Evidence fields are defined; completion is recorded via State Hub progress when done.

**2026-07-01:** Rollback section added to `wiki/PolicyGatedSigning.md`; live cutover evidence template added to `wiki/playbooks/ops-bridge-tunnel-cert.md`.

### T04 — `warden sign` broker hint when `VAULT_TOKEN` unset

```task
id: WARDEN-WP-0023-T04
status: done
priority: medium
state_hub_task_id: "85e324f9-273d-4740-a202-9c4e8fb122ae"
```

When `backend: vault` and `VAULT_TOKEN` (or configured `token_env`) is missing, emit a structured hint pointing at `ops-warden-warden-sign-token` and the `railiance-platform` `credential exec` command — not a generic error only.

Acceptance:

- Unit test covers the hint text (catalog id + exec shape, no secret placeholders).
- Manual `export VAULT_TOKEN` remains documented as fallback in playbooks.

**2026-07-01:** `src/warden/vault_hints.py` + `tests/test_vault.py`.

### T05 — Catalog draft-lane promotion checklist

```task
id: WARDEN-WP-0023-T05
status: done
priority: medium
state_hub_task_id: "82608692-2845-41e1-a498-90ed53780748"
```

Document the promotion criteria for `registry/routing/catalog.yaml` entries from `draft` → `active` (concrete path, owner confirmation, `resolvable` or `exec_owner` native exec, playbook with `#worker-checklist`, tests). Add to `wiki/CredentialRouting.md` or a short `wiki/playbooks/catalog-lane-promotion.md`.

If any draft lane has owner-confirmed concrete paths during this WP, promote one as a worked example (issue-core, OpenRouter, STS, or database — whichever is ready).

Acceptance:

- Checklist is reviewable by humans and agents.
- At least one promotion example or explicit “none ready yet” note in the workplan.

**2026-07-01:** `wiki/playbooks/catalog-lane-promotion.md` — worked example `ops-warden-warden-sign-token`; four draft lanes explicitly not ready.
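
The T04 behaviour above, sketched as an added example (not the project's `src/warden/vault_hints.py`, which this workplan does not show). The function names, hint field names, config mapping, and the exec argument shape are assumptions; only the catalog id, the `credential exec` command name, `token_env`, and `VAULT_TOKEN` come from the workplan.

```python
import os
import re
from typing import Mapping, Optional

CATALOG_ID = "ops-warden-warden-sign-token"  # catalog id named in T04
# ASSUMPTION: the workplan names the `credential exec` command but not its
# arguments; this argument shape is illustrative only.
ASSUMED_EXEC = f"railiance-platform credential exec {CATALOG_ID} -- warden sign"

# Text that would invite pasting a secret into a shell or log: an assignment
# to a *TOKEN variable, or an angle-bracket token/secret placeholder.
_SECRET_PLACEHOLDER = re.compile(
    r"\b[A-Z_]*TOKEN\s*=|<[^>]*(?:token|secret)[^>]*>", re.IGNORECASE
)


def missing_token_hint(
    config: Mapping[str, str], env: Optional[Mapping[str, str]] = None
) -> Optional[dict]:
    """Return a structured hint when the vault backend has no token, else None."""
    env = os.environ if env is None else env
    if config.get("backend") != "vault":
        return None
    token_env = config.get("token_env") or "VAULT_TOKEN"
    if env.get(token_env, "").strip():
        return None  # token present; its value is never read into the hint
    return {
        "code": "vault_token_missing",       # hypothetical field names
        "token_env": token_env,              # variable name only, never a value
        "catalog_id": CATALOG_ID,
        "owner": "railiance-platform",
        "exec": ASSUMED_EXEC,
        "fallback": f"export {token_env} manually (documented in playbooks)",
    }


def has_secret_placeholder(hint: Mapping[str, str]) -> bool:
    """True if any hint field contains a secret assignment or placeholder."""
    return any(_SECRET_PLACEHOLDER.search(str(v)) for v in hint.values())
```

Passing `env` explicitly keeps the check testable without touching the process environment; a whitespace-only token is treated as missing.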

### T06 — SCOPE and workplan consistency

```task
id: WARDEN-WP-0023-T06
status: done
priority: medium
state_hub_task_id: "79ca7b9a-554e-4952-9393-a29b100f6190"
```

Fix SCOPE inconsistencies noted in the July assessment:

- “All workplans finished” → acknowledge WP-0022/0023 as active/ready.
- Latest gap analysis pointer → `history/2026-07-01-intent-scope-gap-analysis.md`.
- Link WP-0023 from Getting Oriented.

Acceptance:

- SCOPE and gap analysis cross-link correctly.
- Uncommitted SCOPE edits from 2026-07-01 broker routing are committed with this WP.

**2026-07-01:** SCOPE.md updated.

### T07 — Sequence WP-0022 audit implementation

```task
id: WARDEN-WP-0023-T07
status: done
priority: high
state_hub_task_id: "1f3b3b33-974e-49bf-be4a-9d50b702c2a4"
```

Promote `WARDEN-WP-0022` from `proposed` to `ready` (or `active` when T02–T06 allow bandwidth). Ensure dependency is explicit; log State Hub note that WP-0022 is the implementation vehicle for INTENT pillar 6 (observable gatekeeping).

Acceptance:

- WP-0022 frontmatter status updated.
- WP-0023 `depends_on_workplans` includes WP-0022.
- Hub consistency run syncs both workplans.

**2026-07-01:** WP-0022 implemented and both workplans marked `finished`.

---

## Exit criteria

- July gap analysis is the canonical reassessment (linked from SCOPE).
- INTENT.md no longer understates assist, posture, worker, or owner-native exec.
- Production integration checklists exist for flex-auth flip and ops-bridge cutover.
- `warden sign` surfaces the broker path when vault backend lacks a token.
- Catalog promotion cadence is documented; WP-0022 is queued for implementation.

## See also

- `history/2026-07-01-intent-scope-gap-analysis.md`
- `WARDEN-WP-0022-audit-trail-and-activity.md`
- `wiki/playbooks/ops-warden-warden-sign-token.md`
- `~/flex-auth/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md`