# INTENT ↔ SCOPE Gap Analysis — Post WP-0009 / WP-0011

**Date:** 2026-06-24
**Author:** codex
**Trigger:** WARDEN-WP-0009 archived; WP-0010/0011 done; policy gate + routing shipped.
**Prior assessments:** `history/2026-06-18-post-wp0008-intent-scope-reassessment.md`, `history/2026-06-18-access-routing-intent-shift-assessment.md`

---

## 1. Executive summary

ops-warden is a **production-capable SSH CA** with **structured credential routing** (`warden route`) and a **shipped, opt-in flex-auth policy gate** (registry + smoke complete; the production flip waits on the flex-auth runtime deploy). INTENT's SSH issuance mission is **met in production**.

The largest remaining INTENT gap is **ops-bridge consumer integration** — the `cert_command` contract exists, but live tunnels still use static keys. Secondary gaps are **operator hygiene**, **inventory ↔ infra principals alignment**, **routing playbook depth** (WP-0012), and **cross-repo coordination** (flex-auth FLEX-WP-0007, net-kingdom NK-WP-0009).

**Vector movement:** `D5 / A4 / C4 / R3` → **`D5 / A4 / C4 / R3`** (unchanged level; policy-gate readiness improves C4 substance without changing the label until the prod flip)

| Dimension | Was | Now | Notes |
| --- | --- | --- | --- |
| Discovery | D5 | D5 | Catalog + `warden route` + wiki |
| Availability | A4 | A4 | Routing CLI shipped (WP-0011) |
| Completeness | C4 | C4 | Policy registry smoke done; prod `policy.enabled` off |
| Reliability | R3 | R3 | OpenBao sign verified; `cert_command` not on live tunnels |

---

## 2. Deliverables since 2026-06-18

| Workplan | Deliverable | Status |
| --- | --- | --- |
| WP-0009 | flex-auth policy package confirmed; production registry + smoke | Archived |
| WP-0010 | Access routing charter + pointer catalog | Archived 2026-06-24 |
| WP-0011 | `warden route` CLI + catalog tests | Archived 2026-06-24 |
| WP-0013 | Production integration closeout (playbooks, drift, archive) | Finished 2026-06-24 |
| FLEX-WP-0006 | flex-auth policy package + handoff | flex-auth finished |
| FLEX-WP-0007 | flex-auth production deploy (draft) | flex-auth proposed |

---

## 3. INTENT success criteria

| # | Criterion | Status | Evidence / gap |
| --- | --- | --- | --- |
| 1 | Worker knows which subsystem handles each credential type | **Met** | `warden route`, catalog, wikis |
| 2 | SSH access short-lived, inventoried, audited | **Met (prod)** | OpenBao sign + `signatures.log` |
| 3 | ops-bridge integrates via stable `cert_command` | **Partial** | Contract shipped; tunnels still static-key |
| 4 | NetKingdom evolution reflected in docs | **Met** | NK cross-links, routing charter |
| 5 | Non-SSH secrets stay out of ops-warden | **Met** | Pointer layer only |

**Score: 4 met, 1 partial** — the partial item is ops-bridge production adoption.

---

## 4. INTENT mission pillars

| Pillar | Status | Gap |
| --- | --- | --- |
| 1. Know NetKingdom security model | Strong | — |
| 2. Route workers to correct subsystem | Strong | WP-0012 playbooks deepen scenarios |
| 3. Align runbooks with canon | Strong | Reassessment + archive hygiene due |
| 4. Issue short-lived SSH certs | **Production** | — |
| 5. Audit SSH signing | Strong | Policy `policy_decision_id` once the gate is on |

---

## 5. Remaining gaps (prioritized)

| Prio | Gap | Owner | ops-warden action | Track |
| --- | --- | --- | --- | --- |
| **P1** | ops-bridge `cert_command` on production tunnels | ops-bridge + ops-warden | Migration playbook + pilot evidence | **WARDEN-WP-0013** T3 |
| **P2** | Operator token hygiene (root → scoped `warden-sign`) | Operator + ops-warden | Runbook in wiki | **WARDEN-WP-0013** T4 |
| **P3** | Principals drift (inventory ↔ railiance-infra) | ops-warden + infra | Drift check doc/script | **WARDEN-WP-0013** T5 |
| **P4** | Routing scenario playbooks incomplete | ops-warden | Expand catalog + wiki playbooks | **WARDEN-WP-0012** (ready) |
| **P5** | flex-auth production runtime | flex-auth | Coordinate; operator flip checklist | **FLEX-WP-0007** + WP-0013 T6 |
| **P6** | Vault-backed policy gate joint smoke | flex-auth + operator | Run when `VAULT_TOKEN` is valid | FLEX-WP-0007 T4 |
| **P7** | Archive hygiene (WP-0010, WP-0011) | ops-warden | Move to `workplans/archived/` | **WARDEN-WP-0013** T2 |
| **P8** | NK-WP-0009 joint SSH tutorial | net-kingdom | Coordinate only | Parallel |
| **P9** | Policy v2.1 identity claims for `adm` | ops-warden + flex-auth | Design only | Future |

---

## 6. Workplan recommendation

**WARDEN-WP-0013 — Production Integration & Stewardship Closeout** (new):

- T1: This reassessment + SCOPE refresh
- T2: Archive WP-0010 and WP-0011
- T3: ops-bridge `cert_command` migration playbook (pilot `agt-state-hub-bridge`)
- T4: Operator OpenBao token hygiene runbook
- T5: Principals inventory drift check
- T6: Policy gate production enablement checklist (coordinate FLEX-WP-0007)

**WARDEN-WP-0012 — Routing Scenario Playbooks** (promote `backlog` → `ready`):

- Dependencies WP-0010/0011 shipped; start when bandwidth allows
- Complements WP-0013 (routing depth vs SSH integration closeout)

**Out of scope for new ops-warden WPs:**

- flex-auth runtime deployment (FLEX-WP-0007)
- ops-bridge tunnel config changes (ops-bridge executes; ops-warden documents)

---

## 7. Maturity target (post WP-0013 + WP-0012)

| Dimension | Target | Unlock |
| --- | --- | --- |
| C4 → C4+ | `cert_command` pilot documented | WP-0013 T3 |
| R3 → R4 | Live tunnel uses warden-signed cert | ops-bridge + WP-0013 evidence |
| D5 | More active catalog playbooks | WP-0012 |

---

## See also

- `workplans/WARDEN-WP-0013-production-integration-and-stewardship-closeout.md`
- `workplans/WARDEN-WP-0012-routing-scenario-playbooks.md`
- `SCOPE.md`