Ship flex-auth policy gate registry and smoke evidence, archive WP-0009 through WP-0013, and add integration docs: ops-bridge cert_command migration playbook, operator OpenBao token hygiene, principals drift check script, and 2026-06-24 INTENT/SCOPE gap analysis.
INTENT ↔ SCOPE Gap Analysis — Post WP-0009 / WP-0011
Date: 2026-06-24
Author: codex
Trigger: WARDEN-WP-0009 archived; WP-0010/0011 done; policy gate + routing shipped.
Prior assessments:
- history/2026-06-18-post-wp0008-intent-scope-reassessment.md
- history/2026-06-18-access-routing-intent-shift-assessment.md
1. Executive summary
ops-warden is a production-capable SSH CA with structured credential routing
(`warden route`) and a shipped, opt-in flex-auth policy gate (registry + smoke
complete; the production flip waits on the flex-auth runtime deploy).
INTENT's SSH issuance mission is met in production. The largest remaining INTENT
gap is ops-bridge consumer integration — cert_command contract exists but live
tunnels still use static keys. Secondary gaps are operator hygiene, inventory ↔
infra principals alignment, routing playbook depth (WP-0012), and cross-repo
coordination (flex-auth FLEX-WP-0007, net-kingdom NK-WP-0009).
Vector movement: D5 / A4 / C4 / R3 → D5 / A4 / C4 / R3 (level unchanged;
policy-gate readiness improves C4 substance without changing the label until the production flip)
| Dimension | Was | Now | Notes |
|---|---|---|---|
| Discovery | D5 | D5 | Catalog + warden route + wiki |
| Availability | A4 | A4 | Routing CLI shipped (WP-0011) |
| Completeness | C4 | C4 | Policy registry smoke done; prod policy.enabled off |
| Reliability | R3 | R3 | OpenBao sign verified; cert_command not on live tunnels |
2. Deliverables since 2026-06-18
| Workplan | Deliverable | Status |
|---|---|---|
| WP-0009 | flex-auth policy package confirmed; production registry + smoke | Archived |
| WP-0010 | Access routing charter + pointer catalog | Archived 2026-06-24 |
| WP-0011 | warden route CLI + catalog tests | Archived 2026-06-24 |
| WP-0013 | Production integration closeout (playbooks, drift, archive) | Finished 2026-06-24 |
| FLEX-WP-0006 | flex-auth policy package + handoff | flex-auth finished |
| FLEX-WP-0007 | flex-auth production deploy (draft) | flex-auth proposed |
3. INTENT success criteria
| # | Criterion | Status | Evidence / gap |
|---|---|---|---|
| 1 | Worker knows which subsystem for each credential type | Met | warden route, catalog, wikis |
| 2 | SSH access short-lived, inventoried, audited | Met (prod) | OpenBao sign + signatures.log |
| 3 | ops-bridge integrates via stable cert_command | Partial | Contract shipped; tunnels still static-key |
| 4 | NetKingdom evolution reflected in docs | Met | NK cross-links, routing charter |
| 5 | Non-SSH secrets stay out of ops-warden | Met | Pointer layer only |
Score: 4 met, 1 partial — partial is ops-bridge production adoption.
4. INTENT mission pillars
| Pillar | Status | Gap |
|---|---|---|
| 1. Know NetKingdom security model | Strong | — |
| 2. Route workers to correct subsystem | Strong | WP-0012 playbooks deepen scenarios |
| 3. Align runbooks with canon | Strong | Reassessment + archive hygiene due |
| 4. Issue short-lived SSH certs | Production | — |
| 5. Audit SSH signing | Strong | policy_decision_id recorded once the gate is on |
5. Remaining gaps (prioritized)
| Prio | Gap | Owner | ops-warden action | Track |
|---|---|---|---|---|
| P1 | ops-bridge cert_command on production tunnels | ops-bridge + ops-warden | Migration playbook + pilot evidence | WARDEN-WP-0013 T3 |
| P2 | Operator token hygiene (root → scoped warden-sign) | Operator + ops-warden | Runbook in wiki | WARDEN-WP-0013 T4 |
| P3 | Principals drift (inventory ↔ railiance-infra) | ops-warden + infra | Drift check doc/script | WARDEN-WP-0013 T5 |
| P4 | Routing scenario playbooks incomplete | ops-warden | Expand catalog + wiki playbooks | WARDEN-WP-0012 (ready) |
| P5 | flex-auth production runtime | flex-auth | Coordinate; operator flip checklist | FLEX-WP-0007 + WP-0013 T6 |
| P6 | Vault-backed policy gate joint smoke | flex-auth + operator | Run when VAULT_TOKEN valid | FLEX-WP-0007 T4 |
| P7 | Archive hygiene (WP-0010, WP-0011) | ops-warden | Move to workplans/archived/ | WARDEN-WP-0013 T2 |
| P8 | NK-WP-0009 joint SSH tutorial | net-kingdom | Coordinate only | Parallel |
| P9 | Policy v2.1 identity claims for adm | ops-warden + flex-auth | Design only | Future |
6. Workplan recommendation
WARDEN-WP-0013 — Production Integration & Stewardship Closeout (new):
- T1: This reassessment + SCOPE refresh
- T2: Archive WP-0010 and WP-0011
- T3: ops-bridge cert_command migration playbook (pilot: agt-state-hub-bridge)
- T4: Operator OpenBao token hygiene runbook
- T5: Principals inventory drift check
- T6: Policy gate production enablement checklist (coordinate FLEX-WP-0007)
WARDEN-WP-0012 — Routing Scenario Playbooks (promote backlog → ready):
- Dependencies (WP-0010/0011) shipped; start when bandwidth allows
- Complements WP-0013 (routing depth vs SSH integration closeout)
Out of scope for new ops-warden WPs:
- flex-auth runtime deployment (FLEX-WP-0007)
- ops-bridge tunnel config changes (ops-bridge executes; ops-warden documents)
7. Maturity target (post WP-0013 + WP-0012)
| Dimension | Target | Unlock |
|---|---|---|
| C4 → C4+ | cert_command pilot documented | WP-0013 T3 |
| R3 → R4 | Live tunnel uses warden-signed cert | ops-bridge + WP-0013 evidence |
| D5 | More active catalog playbooks | WP-0012 |
See also
- workplans/WARDEN-WP-0013-production-integration-and-stewardship-closeout.md
- workplans/WARDEN-WP-0012-routing-scenario-playbooks.md
- SCOPE.md