ops-warden/workplans/WARDEN-WP-0023-intent-scope-alignment-closeout.md
tegwick d6088e4e16 Implement WP-0022 audit trail and WP-0023 INTENT–SCOPE closeout
Add unified metadata-only audit.jsonl with secret-material guard, instrument
sign/access/worker paths, and expose warden activity CLI. Surface broker hint
when VAULT_TOKEN is unset, refresh INTENT/SCOPE docs, and add production
integration checklists plus catalog lane promotion playbook.
2026-07-01 23:32:38 +02:00


id: WARDEN-WP-0023
type: workplan
title: INTENT–SCOPE Alignment Closeout
domain: infotech
repo: ops-warden
status: finished
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 23
created: 2026-07-01
updated: 2026-07-01
depends_on_workplans: WARDEN-WP-0022
state_hub_workstream_id: 7bad1ec4-a7c2-4980-b8f9-49a7f5408574

WARDEN-WP-0023 — INTENT–SCOPE Alignment Closeout

Goal

Close the July 2026 INTENT↔SCOPE gaps that ops-warden can address directly: sync aspirational docs with shipped capabilities, coordinate the remaining production integration blockers (flex-auth flip, ops-bridge cutover), improve daily operator UX for broker-backed signing, and establish a repeatable catalog promotion cadence.

Audit implementation stays in WARDEN-WP-0022; this workplan sequences and surrounds it.

Assessment: history/2026-07-01-intent-scope-gap-analysis.md

Boundary

  • ops-warden does not deploy flex-auth, flip ops-bridge tunnels, or implement the credential broker — it documents, coordinates, and routes.
  • Production cutover evidence is captured here; execution remains with owning repos.

Tasks

T01 — Persist gap analysis

id: WARDEN-WP-0023-T01
status: done
priority: high
state_hub_task_id: "52485c90-87fe-40b1-9db5-a51ebb957dd5"

Write and link history/2026-07-01-intent-scope-gap-analysis.md with success criteria matrix, mission pillars, prioritized gaps, and workplan recommendation.

Acceptance:

  • History file exists and is referenced from SCOPE and this workplan.
  • State Hub progress note logged for the assessment.

2026-07-01: Assessment written at history/2026-07-01-intent-scope-gap-analysis.md.

T02 — Refresh INTENT.md

id: WARDEN-WP-0023-T02
status: done
priority: high
state_hub_task_id: "9a9b3631-8948-45af-ace1-c19ee74ace4d"

Update INTENT.md so the aspirational doc reflects shipped reality without becoming a second SCOPE:

  • Mission pillar #2: assist layer (warden access) and owner-native exec routing (secrets-engine, railiance-platform credential broker).
  • NetKingdom literacy table: add secrets-engine and credential broker rows.
  • Credential flow diagram: broker vs secrets-engine vs OpenBao proxy vs SSH issue.
  • flex-auth: caller-side policy gate shipped; production flip external (FLEX-WP-0007).
  • Workload posture stewardship and coordination worker as steward capabilities.
  • Evolution notes pointer to July gap analysis.

Acceptance:

  • INTENT still describes direction, not implementation inventory.
  • No contradiction with SCOPE 2026-07-01 boundary (ops-warden does not mint tokens).

2026-07-01: INTENT.md updated.

T03 — Production integration coordination pack

id: WARDEN-WP-0023-T03
status: done
priority: high
state_hub_task_id: "26f23798-494b-45fc-baa8-af27bdffa038"

Prepare operator/coordination artifacts for the two P1 external gaps:

  1. flex-auth production flip — checklist in wiki/PolicyGatedSigning.md or a short playbook section: prerequisites, policy.enabled: true steps, rollback, joint smoke with credential-exec-ops-warden-smoke, FLEX-WP-0007 cross-link.
  2. ops-bridge live cutover — evidence template (non-secret): tunnel id, readiness gate output, first warden-signed connection timestamp, pointer to wiki/playbooks/ops-bridge-tunnel-cert.md.

Optionally post State Hub coordination messages to flex-auth and ops-bridge agents with pointers only (no secrets).

Acceptance:

  • A human operator can run the flip/cutover checklists without re-deriving steps.
  • Evidence fields are defined; completion is recorded via State Hub progress when done.

2026-07-01: Rollback section added to wiki/PolicyGatedSigning.md; live cutover evidence template added to wiki/playbooks/ops-bridge-tunnel-cert.md.

T04 — warden sign broker hint when VAULT_TOKEN unset

id: WARDEN-WP-0023-T04
status: done
priority: medium
state_hub_task_id: "85e324f9-273d-4740-a202-9c4e8fb122ae"

When backend: vault and VAULT_TOKEN (or configured token_env) is missing, emit a structured hint pointing at ops-warden-warden-sign-token and the railiance-platform credential exec command — not a generic error only.

Acceptance:

  • Unit test covers the hint text (catalog id + exec shape, no secret placeholders).
  • Manual export VAULT_TOKEN remains documented as fallback in playbooks.

2026-07-01: src/warden/vault_hints.py + tests/test_vault.py.
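
A minimal sketch of the T04 behaviour and its acceptance check, added here as an example; it is not the project's `src/warden/vault_hints.py`. The function names, the hint field names, the secret-pattern list and the `exec_command` parameter are assumptions, and the exec command text is a constructed placeholder because the workplan does not reproduce it.

```python
import re

# Catalog id as named in the workplan.
CATALOG_ID = "ops-warden-warden-sign-token"

# Assumed patterns for secret material or secret placeholders in hint text:
# a Vault service-token prefix, a TOKEN=value assignment, or <token>/<secret>.
SECRET_LIKE = re.compile(
    r"hvs\.[\w-]+|\w*TOKEN\w*\s*=\s*\S|<\s*(?:token|secret)\s*>", re.I
)


def assert_no_secret_material(hint):
    """Refuse to emit a hint whose values look like secrets or secret placeholders."""
    for key, value in hint.items():
        if SECRET_LIKE.search(str(value)):
            raise ValueError(f"hint field {key!r} looks like secret material")


def missing_token_hint(config, env, exec_command):
    """Return a structured hint dict, or None when no hint applies.

    exec_command is supplied by the caller (hypothetical parameter): the
    credential exec command text is not reproduced in the workplan.
    """
    if config.get("backend") != "vault":
        return None
    token_env = config.get("token_env") or "VAULT_TOKEN"
    # Only test for presence; the token value is never copied into the hint.
    if (env.get(token_env) or "").strip():
        return None
    hint = {
        "code": "vault_token_missing",
        "token_env": token_env,
        "catalog_id": CATALOG_ID,
        "exec": exec_command,
        "fallback": f"export {token_env} manually, as documented in the playbooks",
    }
    assert_no_secret_material(hint)
    return hint


# Constructed placeholder, not the real command.
SAMPLE_EXEC = "<credential exec command for ops-warden-warden-sign-token>"

if __name__ == "__main__":
    print(missing_token_hint({"backend": "vault"}, {}, SAMPLE_EXEC))
```

A whitespace-only token is treated as unset, and when `token_env` is configured only that variable is consulted.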

T05 — Catalog draft-lane promotion checklist

id: WARDEN-WP-0023-T05
status: done
priority: medium
state_hub_task_id: "82608692-2845-41e1-a498-90ed53780748"

Document the promotion criteria for registry/routing/catalog.yaml entries from draft → active (concrete path, owner confirmation, resolvable or exec_owner native exec, playbook with #worker-checklist, tests). Add to wiki/CredentialRouting.md or a short wiki/playbooks/catalog-lane-promotion.md.

If any draft lane has owner-confirmed concrete paths during this WP, promote one as a worked example (issue-core, OpenRouter, STS, or database — whichever is ready).

Acceptance:

  • Checklist is reviewable by humans and agents.
  • At least one promotion example or explicit “none ready yet” note in the workplan.

2026-07-01: wiki/playbooks/catalog-lane-promotion.md — worked example ops-warden-warden-sign-token; four draft lanes explicitly not ready.

T06 — SCOPE and workplan consistency

id: WARDEN-WP-0023-T06
status: done
priority: medium
state_hub_task_id: "79ca7b9a-554e-4952-9393-a29b100f6190"

Fix SCOPE inconsistencies noted in the July assessment:

  • “All workplans finished” → acknowledge WP-0022/0023 as active/ready.
  • Latest gap analysis pointer → history/2026-07-01-intent-scope-gap-analysis.md.
  • Link WP-0023 from Getting Oriented.

Acceptance:

  • SCOPE and gap analysis cross-link correctly.
  • Uncommitted SCOPE edits from 2026-07-01 broker routing are committed with this WP.

2026-07-01: SCOPE.md updated.

T07 — Sequence WP-0022 audit implementation

id: WARDEN-WP-0023-T07
status: done
priority: high
state_hub_task_id: "1f3b3b33-974e-49bf-be4a-9d50b702c2a4"

Promote WARDEN-WP-0022 from proposed to ready (or active when T02–T06 allow bandwidth). Ensure dependency is explicit; log State Hub note that WP-0022 is the implementation vehicle for INTENT pillar 6 (observable gatekeeping).

Acceptance:

  • WP-0022 frontmatter status updated.
  • WP-0023 depends_on_workplans includes WP-0022.
  • Hub consistency run syncs both workplans.

2026-07-01: WP-0022 implemented and both workplans marked finished.


Exit criteria

  • July gap analysis is the canonical reassessment (linked from SCOPE).
  • INTENT.md no longer understates assist, posture, worker, or owner-native exec.
  • Production integration checklists exist for flex-auth flip and ops-bridge cutover.
  • warden sign surfaces the broker path when vault backend lacks a token.
  • Catalog promotion cadence is documented; WP-0022 is queued for implementation.

See also

  • history/2026-07-01-intent-scope-gap-analysis.md
  • WARDEN-WP-0022-audit-trail-and-activity.md
  • wiki/playbooks/ops-warden-warden-sign-token.md
  • ~/flex-auth/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md