generated from coulomb/repo-seed
Add credential routing, actor patterns, security map, OpenBao SSH checklist, and policy-gated signing design. Update registry and SCOPE; record INTENT↔SCOPE reassessment (C3 completeness).
138 lines
3.5 KiB
Markdown
---
id: WARDEN-WP-0006
type: workplan
title: "NetKingdom Alignment and Operational Access Stewardship"
domain: custodian
repo: ops-warden
status: finished
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 6
created: "2026-06-17"
updated: "2026-06-17"
state_hub_workstream_id: "a5c9f24b-1ad4-46da-bc8e-b99897f8e302"
---

# WARDEN-WP-0006 — NetKingdom Alignment and Operational Access Stewardship

**Scope:** Close gaps identified in `history/2026-06-17-intent-scope-assessment.md`
between INTENT (operational access steward for NetKingdom security) and SCOPE
(shipped SSH CLI only). Documentation and alignment first; code changes limited
to optional CLI ergonomics.

**Out of scope:** flex-auth integration implementation, OpenBao cluster deploy,
universal credential broker, net-kingdom INTENT.md rewrite.

---

## Goal

After this workplan, a development worker or agent can:

1. Read ops-warden material and know **which NetKingdom subsystem** handles each
   credential type.
2. Obtain **SSH certs** via documented actor patterns and production OpenBao path.
3. Find ops-warden recognized in **NetKingdom responsibility/platform** docs as
   the operational SSH credential authority.

---

## Tasks

### T1 — Credential routing runbook

```task
id: WARDEN-WP-0006-T01
status: done
priority: high
state_hub_task_id: "ffc6a0c2-4312-4584-be7a-c8411cb01899"
```

- [x] `wiki/CredentialRouting.md` with decision tree and anti-examples
- [x] Linked from SCOPE, INTENT, README

### T2 — Actor inventory patterns

```task
id: WARDEN-WP-0006-T02
status: done
priority: high
state_hub_task_id: "3816463d-7dfd-469d-9324-fd7880b50608"
```

- [x] `wiki/ActorInventoryPatterns.md`
- [x] `examples/inventory.seed.yaml`

### T3 — NetKingdom cross-links (ops-warden side)

```task
id: WARDEN-WP-0006-T03
status: done
priority: high
state_hub_task_id: "f158366a-5746-48b8-acce-472dce8f925e"
```

- [x] `wiki/NetKingdomSecurityMap.md`
- [x] Registry capability stewardship summary
- [x] `.claude/rules/repo-boundary.md` routing table

### T4 — NetKingdom canon patch (coordination)

```task
id: WARDEN-WP-0006-T04
status: done
priority: medium
state_hub_task_id: "e40e4395-8f01-4f79-a539-d0de8e427321"
```

- [x] `net-kingdom/docs/responsibility-map.md` — Operational SSH dependency
- [x] `net-kingdom/docs/platform-identity-security-architecture.md` — Operational SSH Path

### T5 — OpenBao SSH engine operational checklist

```task
id: WARDEN-WP-0006-T05
status: done
priority: medium
state_hub_task_id: "a94e20a2-970b-4a0c-bd23-8510b841b938"
```

- [x] `wiki/OpenBaoSshEngineChecklist.md`

### T6 — Policy-gated signing design (design only)

```task
id: WARDEN-WP-0006-T06
status: done
priority: low
state_hub_task_id: "b10a4b4d-bfa1-4f49-b6a5-f339f1e6a2e1"
```

- [x] `wiki/PolicyGatedSigning.md`

### T7 — Re-assess INTENT ↔ SCOPE

```task
id: WARDEN-WP-0006-T07
status: done
priority: medium
state_hub_task_id: "ef8b5c57-2343-4cfc-9fee-48db1e56f69a"
```

- [x] `history/2026-06-17-intent-scope-reassessment.md`
- [x] SCOPE.md Current State updated
- [x] `make fix-consistency REPO=ops-warden`

---

## Acceptance Criteria

- [x] `wiki/CredentialRouting.md` exists and is linked from README/SCOPE
- [x] `wiki/ActorInventoryPatterns.md` exists
- [x] `wiki/NetKingdomSecurityMap.md` exists
- [x] NetKingdom responsibility-map recognizes ops-warden SSH lane (T4)
- [x] OpenBao SSH checklist documented (T5)
- [x] Policy-gated signing design drafted (T6)
- [x] INTENT ↔ SCOPE re-assessment recorded (T7)
- [x] `reuse-surface validate --root .` passes