tegwick
ca1eaf3350
Add ops-warden INTENT as operational access steward for NetKingdom security (route credential lanes, align docs, issue SSH certs only). Refresh SCOPE for stewardship scope, persist INTENT↔SCOPE gap assessment, and open WARDEN-WP-0006 for routing runbooks and platform alignment.
7.3 KiB
INTENT ↔ SCOPE State Assessment — ops-warden
Date: 2026-06-17
Author: codex
Trigger: INTENT.md established; SCOPE.md refreshed to reflect stewardship
mission alongside SSH CLI implementation.
Follow-up workplan: workplans/WARDEN-WP-0006-netkingdom-alignment-and-access-stewardship.md
1. Executive summary
ops-warden ships a complete SSH CA CLI (v0.1.0, 100 unit tests, OpenBao-first docs, federation capability published). The new INTENT reframes the repo as an operational access steward for the NetKingdom security model: knowledgeable about platform credential lanes, routing workers to the right subsystems, keeping guidance aligned — while issuing only SSH certificates directly.
Alignment: strong on the SSH implementation lane; weak on the stewardship and NetKingdom integration lane declared in INTENT.
Self-assessed vector (product): D4 / A3 / C2 / R2
| Dimension | Level | Rationale |
|---|---|---|
| Discovery (D) | D4 | SSH lane well documented; stewardship/routing canon immature |
| Availability (A) | A3 | Installable CLI + cert_command; no desk API or policy gate |
| Completeness (C) | C2 | SSH core works; INTENT stewardship largely undelivered |
| Reliability (R) | R2 | Good test coverage; production OpenBao SSH path not verified end-to-end |
2. Delivery snapshot
| Area | State (2026-06-17) |
|---|---|
| SSH CLI | warden sign/issue/status/scorecard/cleanup/log/inventory |
| Backends | local + vault (OpenBao-compatible API) |
| Tests | 100 unit + integration marker suite |
| Wiki | AccessManagementDirective, OpsWardenConfig, CertCommandInterface, InterHubBootstrapAccessLane |
| Registry | capability.security.ssh-certificate-issuance (D4/A3/C3/R2 in entry) |
| INTENT.md | New — stewardship + NetKingdom literacy |
| NetKingdom cross-links | Minimal in SCOPE; responsibility-map still lists ops-warden out-of-scope |
| Credential routing runbook | Missing — no single “which subsystem?” guide in wiki |
| flex-auth pre-sign hook | Not designed or implemented |
| Production OpenBao SSH engine | Documented; live mount/roles unverified from this repo |
| Standard agent inventory templates | Missing — only example actors in docs |
3. INTENT alignment
Aligned
| INTENT expectation | SCOPE evidence |
|---|---|
| Issue short-lived SSH certs for adm/agt/atm | Full CLI, TTL policy, scorecard, signatures log |
| Stable cert_command for consumers | wiki/CertCommandInterface.md, ops-bridge integration contract |
| Do not store long-lived API secrets | Repo boundary, InterHub runbook, CUST-WP-0049 non-goals |
| OpenBao as production SSH signing backend | wiki/OpsWardenConfig.md (WP-0005) |
| Auditable SSH gatekeeping | signatures.log, scorecard checks |
| Actor attribution model | AccessManagementDirective alignment, ActorType enum |
Partial
| INTENT expectation | Gap |
|---|---|
| Know NetKingdom security infrastructure | INTENT tables exist; no mirrored wiki summary or kept-in-sync process |
| Route workers to correct subsystem | Scattered across SCOPE/repo-boundary; no wiki/CredentialRouting.md |
| Keep guidance aligned with NetKingdom canon | No subscription to net-kingdom doc changes; responsibility-map outdated |
| Operational access desk for dev workers | CLI-only; no guided flow or agent-facing routing surface |
| flex-auth policy before SSH sign | Inventory allow-list only; no authorization integration |
| Observable stewardship | SSH audit yes; routing/alignment maintenance not tracked |
Not started (INTENT evolution)
| INTENT expectation | Notes |
|---|---|
| NetKingdom responsibility-map recognition | ops-warden still “out of scope” in net-kingdom map |
| Platform architecture diagram includes ops-warden SSH path | Not in platform-identity-security-architecture.md |
| NK-WP-0009 SSH tutorial linkage | Planned in net-kingdom, not wired to ops-warden |
| Policy-gated issuance | Future phase; needs design doc |
| MCP/HTTP cert request for agents | Future; CLI sufficient for now |
4. Success criteria scorecard (from INTENT.md)
| Criterion | Verdict |
|---|---|
| Worker knows which subsystem for each credential type | No — no canonical routing runbook |
| SSH access short-lived, inventoried, audited | Yes (tooling) — production inventory discipline pending |
| ops-bridge integrates via cert_command | Yes (contract) — live tunnel matrix not verified here |
| NetKingdom evolution reflected in ops-warden docs | Partial — OpenBao done; no ongoing sync process |
| Non-SSH secrets stay out of ops-warden | Yes — boundaries documented |
Score: 2 yes, 2 partial, 1 no
5. Completeness and reliability
Completeness vs INTENT — C2 (Partial)
The central SSH use case is implemented. The new stewardship mission — NetKingdom literacy, routing, alignment maintenance — is declared in INTENT and SCOPE but not yet operationalized in wiki, net-kingdom cross-links, or worker-facing runbooks.
Satisfied expectations:
- SSH certificate issuance end-to-end (local backend)
- cert_command contract
- OpenBao-first production documentation
Broken / missing expectations:
- No credential routing guide for dev workers
- No NetKingdom alignment workstream execution
- No flex-auth integration path
Out of scope (correctly excluded):
- OpenBao cluster operations
- flex-auth policy authoring
- Object-storage STS vending
Reliability vs INTENT — R2 (Tolerable)
Strong unit tests and scorecard for cert-side checks. Production reliance on OpenBao SSH engine and multi-worker inventory patterns not yet demonstrated. Consumers must expect manual operator steps for non-SSH credentials.
6. Open gaps (prioritized)
| Prio | Gap | Suggested outcome |
|---|---|---|
| P1 | Credential routing runbook | wiki/CredentialRouting.md — decision tree for workers |
| P1 | NetKingdom cross-link patch | PR/note in net-kingdom responsibility-map + platform doc SSH path |
| P2 | Standard inventory templates | wiki/ActorInventoryPatterns.md + example inventory.yaml seed |
| P2 | OpenBao SSH engine ops checklist | Verify/mount roles; link railiance-platform procedures |
| P3 | flex-auth pre-sign design | wiki/PolicyGatedSigning.md — design only, no code yet |
| P3 | Registry capability update | Reflect stewardship in capability entry summary |
| P4 | Agent-facing routing | Evaluate warden guide CLI or doc-only desk page |
| P4 | NK-WP-0009 coordination | Joint tutorial: short-lived SSH for agents |
Captured in WARDEN-WP-0006.
7. Recommendations
- Execute WARDEN-WP-0006 in order: routing runbook → NetKingdom cross-links → inventory templates → OpenBao ops checklist.
- Keep SSH CLI stable — stewardship work is docs/alignment first; defer flex-auth code until design is reviewed.
- Coordinate net-kingdom — small responsibility-map update is a dependency for INTENT success criterion #4.
- Re-assess after WP-0006 — target C3/C4 completeness if routing runbook and NetKingdom links land.
8. Document map
| File | Role |
|---|---|
INTENT.md |
Aspirational steward + SSH authority mission |
SCOPE.md |
Current implementation and planned stewardship scope |
| This file | Gap analysis snapshot |
workplans/WARDEN-WP-0006-*.md |
Execution plan |