Add unified metadata-only audit.jsonl with secret-material guard, instrument sign/access/worker paths, and expose warden activity CLI. Surface broker hint when VAULT_TOKEN is unset, refresh INTENT/SCOPE docs, and add production integration checklists plus catalog lane promotion playbook.
| id | type | title | domain | repo | status | owner | topic_slug | planning_priority | planning_order | created | updated | depends_on_workplans | state_hub_workstream_id |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WARDEN-WP-0023 | workplan | INTENT–SCOPE Alignment Closeout | infotech | ops-warden | finished | codex | custodian | high | 23 | 2026-07-01 | 2026-07-01 | | 7bad1ec4-a7c2-4980-b8f9-49a7f5408574 |
WARDEN-WP-0023 — INTENT–SCOPE Alignment Closeout
Goal
Close the July 2026 INTENT↔SCOPE gaps that ops-warden can address directly: sync aspirational docs with shipped capabilities, coordinate the remaining production integration blockers (flex-auth flip, ops-bridge cutover), improve daily operator UX for broker-backed signing, and establish a repeatable catalog promotion cadence.
Audit implementation stays in WARDEN-WP-0022; this workplan sequences and surrounds it.
Assessment: history/2026-07-01-intent-scope-gap-analysis.md
Boundary
- ops-warden does not deploy flex-auth, flip ops-bridge tunnels, or implement the credential broker — it documents, coordinates, and routes.
- Production cutover evidence is captured here; execution remains with owning repos.
Tasks
T01 — Persist gap analysis
id: WARDEN-WP-0023-T01
status: done
priority: high
state_hub_task_id: "52485c90-87fe-40b1-9db5-a51ebb957dd5"
Write and link history/2026-07-01-intent-scope-gap-analysis.md with success
criteria matrix, mission pillars, prioritized gaps, and workplan recommendation.
Acceptance:
- History file exists and is referenced from SCOPE and this workplan.
- State Hub progress note logged for the assessment.
2026-07-01: Assessment written at
history/2026-07-01-intent-scope-gap-analysis.md.
T02 — Refresh INTENT.md
id: WARDEN-WP-0023-T02
status: done
priority: high
state_hub_task_id: "9a9b3631-8948-45af-ace1-c19ee74ace4d"
Update INTENT.md so the aspirational doc reflects shipped reality without
becoming a second SCOPE:
- Mission pillar #2: assist layer (warden access) and owner-native exec routing (secrets-engine, railiance-platform credential broker).
- NetKingdom literacy table: add secrets-engine and credential broker rows.
- Credential flow diagram: broker vs secrets-engine vs OpenBao proxy vs SSH issue.
- flex-auth: caller-side policy gate shipped; production flip external (FLEX-WP-0007).
- Workload posture stewardship and coordination worker as steward capabilities.
- Evolution notes pointer to July gap analysis.
Acceptance:
- INTENT still describes direction, not implementation inventory.
- No contradiction with SCOPE 2026-07-01 boundary (ops-warden does not mint tokens).
2026-07-01: INTENT.md updated.
T03 — Production integration coordination pack
id: WARDEN-WP-0023-T03
status: done
priority: high
state_hub_task_id: "26f23798-494b-45fc-baa8-af27bdffa038"
Prepare operator/coordination artifacts for the two P1 external gaps:
- flex-auth production flip — checklist in wiki/PolicyGatedSigning.md or a short playbook section: prerequisites, policy.enabled: true steps, rollback, joint smoke with credential-exec-ops-warden-smoke, FLEX-WP-0007 cross-link.
- ops-bridge live cutover — evidence template (non-secret): tunnel id, readiness gate output, first warden-signed connection timestamp, pointer to wiki/playbooks/ops-bridge-tunnel-cert.md.
Optionally post State Hub coordination messages to flex-auth and ops-bridge
agents with pointers only (no secrets).
Acceptance:
- A human operator can run the flip/cutover checklists without re-deriving steps.
- Evidence fields are defined; completion is recorded via State Hub progress when done.
2026-07-01: Rollback section added to wiki/PolicyGatedSigning.md; live cutover
evidence template added to wiki/playbooks/ops-bridge-tunnel-cert.md.
T04 — warden sign broker hint when VAULT_TOKEN unset
id: WARDEN-WP-0023-T04
status: done
priority: medium
state_hub_task_id: "85e324f9-273d-4740-a202-9c4e8fb122ae"
When backend: vault and VAULT_TOKEN (or configured token_env) is missing,
emit a structured hint pointing at ops-warden-warden-sign-token and the
railiance-platform credential exec command — not a generic error only.
Acceptance:
- Unit test covers the hint text (catalog id + exec shape, no secret placeholders).
- Manual export VAULT_TOKEN remains documented as fallback in playbooks.
2026-07-01: src/warden/vault_hints.py + tests/test_vault.py.
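A sketch of the hint behaviour T04 describes, added here as an example; it is not the project's src/warden/vault_hints.py. The function name, the hint field names, the exec placeholder and the token_env name check are assumptions.

```python
import re

CATALOG_ID = "ops-warden-warden-sign-token"  # catalog id named in T04
# Placeholder: the real railiance-platform exec command is not shown on this page.
EXEC_SHAPE = f"<railiance-platform credential exec command for {CATALOG_ID}>"
DEFAULT_TOKEN_ENV = "VAULT_TOKEN"
ENV_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")  # assumed shape of a variable name


def missing_token_hint(config, env):
    """Return a structured hint (dict) or None when no hint applies.

    config: parsed signing config (assumed keys: backend, token_env).
    env:    mapping of environment variables, e.g. os.environ.
    """
    if config.get("backend") != "vault":
        return None
    token_env = config.get("token_env") or DEFAULT_TOKEN_ENV
    if not ENV_NAME.fullmatch(token_env):
        # A token pasted into token_env by mistake must never be echoed back.
        shown = "<invalid token_env>"
    elif env.get(token_env, "").strip():
        return None  # token is present, nothing to hint
    else:
        shown = token_env
    return {
        "error": "vault_token_missing",
        "token_env": shown,
        "catalog_id": CATALOG_ID,
        "exec": EXEC_SHAPE,
        "fallback": "export the token variable manually (see playbooks)",
    }


if __name__ == "__main__":
    # Constructed inputs: an empty environment and a default vault config.
    print(missing_token_hint({"backend": "vault"}, {}))
```

The hint is built only from constants and the validated variable name, so no value read from the environment can reach the output.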
T05 — Catalog draft-lane promotion checklist
id: WARDEN-WP-0023-T05
status: done
priority: medium
state_hub_task_id: "82608692-2845-41e1-a498-90ed53780748"
Document the promotion criteria for registry/routing/catalog.yaml entries from
draft → active (concrete path, owner confirmation, resolvable or
exec_owner native exec, playbook with #worker-checklist, tests). Add to
wiki/CredentialRouting.md or a short wiki/playbooks/catalog-lane-promotion.md.
If any draft lane has owner-confirmed concrete paths during this WP, promote one as a worked example (issue-core, OpenRouter, STS, or database — whichever is ready).
Acceptance:
- Checklist is reviewable by humans and agents.
- At least one promotion example or explicit “none ready yet” note in the workplan.
2026-07-01: wiki/playbooks/catalog-lane-promotion.md — worked example
ops-warden-warden-sign-token; four draft lanes explicitly not ready.
T06 — SCOPE and workplan consistency
id: WARDEN-WP-0023-T06
status: done
priority: medium
state_hub_task_id: "79ca7b9a-554e-4952-9393-a29b100f6190"
Fix SCOPE inconsistencies noted in the July assessment:
- “All workplans finished” → acknowledge WP-0022/0023 as active/ready.
- Latest gap analysis pointer → history/2026-07-01-intent-scope-gap-analysis.md.
- Link WP-0023 from Getting Oriented.
Acceptance:
- SCOPE and gap analysis cross-link correctly.
- Uncommitted SCOPE edits from 2026-07-01 broker routing are committed with this WP.
2026-07-01: SCOPE.md updated.
T07 — Sequence WP-0022 audit implementation
id: WARDEN-WP-0023-T07
status: done
priority: high
state_hub_task_id: "1f3b3b33-974e-49bf-be4a-9d50b702c2a4"
Promote WARDEN-WP-0022 from proposed to ready (or active when T02–T06 allow
bandwidth). Ensure dependency is explicit; log State Hub note that WP-0022 is the
implementation vehicle for INTENT pillar 6 (observable gatekeeping).
Acceptance:
- WP-0022 frontmatter status updated.
- WP-0023 depends_on_workplans includes WP-0022.
- Hub consistency run syncs both workplans.
2026-07-01: WP-0022 implemented and both workplans marked finished.
Exit criteria
- July gap analysis is the canonical reassessment (linked from SCOPE).
- INTENT.md no longer understates assist, posture, worker, or owner-native exec.
- Production integration checklists exist for flex-auth flip and ops-bridge cutover.
- warden sign surfaces the broker path when vault backend lacks a token.
- Catalog promotion cadence is documented; WP-0022 is queued for implementation.
See also
- history/2026-07-01-intent-scope-gap-analysis.md
- WARDEN-WP-0022-audit-trail-and-activity.md
- wiki/playbooks/ops-warden-warden-sign-token.md
- ~/flex-auth/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md