Files
ops-warden/history/2026-06-18-post-wp0008-intent-scope-reassessment.md
tegwick 41da950e1a docs: post-WP-0008 INTENT↔SCOPE reassessment and gap snapshot
SCOPE.md now documents where we are (R3 production sign), INTENT criteria
status, maturity vector, and workplan landscape. Add reassessment history;
point INTENT evolution notes at latest assessment.
2026-06-18 01:36:23 +02:00

110 lines
5.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# INTENT ↔ SCOPE Reassessment — Post WP-0008
**Date:** 2026-06-18
**Author:** codex
**Trigger:** WARDEN-WP-0008 finished — production OpenBao sign verified, workplan archived.
**Prior assessment:** `history/2026-06-17-post-wp0007-reassessment.md`
---
## 1. Executive summary
WARDEN-WP-0008 closed the **production SSH path** gap: OpenBao SSH engine live on
Railiance, host CA trust on CoulombCore + Railiance01, and `warden sign` smoke
against `https://bao.coulomb.social` with scoped `warden-sign` policy token.
Stewardship canon (routing, inventory patterns, OpenBao checklist, task-status
migration) and archive hygiene are complete.
The repository now matches INTENT for the **SSH issuance lane in production**.
Remaining distance to INTENT is **integration breadth** (ops-bridge cert_command
on live tunnels), **authorization depth** (flex-auth policies + `policy.enabled`),
and **operational maturity** (token hygiene, principals sync, optional tutorials).
**Vector movement:** `D5/A3/C4/R2`**`D5/A3/C4/R3`**
| Dimension | Was | Now | Notes |
| --- | --- | --- | --- |
| Discovery | D5 | D5 | Routing + security map + NK cross-links |
| Availability | A3 | A3 | CLI + opt-in policy gate; no desk API |
| Completeness | C4 | C4 | SSH lane prod-verified; flex-auth policies external |
| Reliability | R2 | **R3** | Live `warden sign` evidence on Railiance OpenBao |
---
## 2. Deliverables (WP-0008)
| Task | Deliverable | Status |
| --- | --- | --- |
| T1 | Post-WP-0007 reassessment, SCOPE update | Done |
| T2 | Production `warden sign` + verify history | Done |
| T3 | AGENTS.md task-status canon | Done |
| T4 | `examples/warden.production.example.yaml`, archive WP-00040007 | Done |
| T5 | flex-auth production gate | Cancelled → **WARDEN-WP-0009** |
---
## 3. INTENT.md success criteria
| # | Criterion | Status | Evidence / gap |
| --- | --- | --- | --- |
| 1 | Worker knows which subsystem for each credential type | **Met** | `wiki/CredentialRouting.md`, `wiki/NetKingdomSecurityMap.md` |
| 2 | SSH access short-lived, inventoried, audited | **Met (prod)** | OpenBao sign + `signatures.log`; host principals via railiance-infra |
| 3 | ops-bridge integrates via stable cert_command | **Partial** | Contract shipped; live tunnels still static-key (`agt-claude-*`) |
| 4 | NetKingdom evolution reflected in ops-warden docs | **Met** | NK canon links; NET-WP-0020 / WP-0008 cross-repo evidence |
| 5 | Non-SSH secrets stay out of ops-warden | **Met** | Routing docs only; no secret storage in repo |
**Score: 4 met, 1 partial** — partial is ops-bridge production adoption, not ops-warden code gap.
---
## 4. INTENT mission pillars (§ The Mission)
| Pillar | Status | Notes |
| --- | --- | --- |
| 1. Know NetKingdom security model | Strong | Wiki + registry + NK patches (WP-0006) |
| 2. Route workers to correct subsystem | Strong | CredentialRouting operational |
| 3. Align runbooks with canon | Strong | OpenBao checklist, PolicyGatedSigning, production example |
| 4. Issue short-lived SSH certs | **Production** | `backend: vault` verified 2026-06-18 |
| 5. Audit SSH signing / compliance | Tooling ready | `signatures.log`, scorecard; prod cadence not scheduled |
---
## 5. Remaining gaps (prioritized)
| Prio | Gap | Owner | Track |
| --- | --- | --- | --- |
| P1 | flex-auth `ssh-certificate` policies + prod gate | flex-auth + ops-warden | **WARDEN-WP-0009** (`wait`) |
| P2 | ops-bridge `cert_command` on production tunnels | ops-bridge (+ ops-warden doc) | Proposed **WARDEN-WP-0010** |
| P3 | Operator token hygiene (root → OIDC + `warden-sign`) | Operator | Ad hoc or WP-0010 T2 |
| P4 | Principals inventory sync (warden ↔ railiance-infra) | ops-warden + railiance-infra | Proposed WP-0010 or ad hoc |
| P5 | NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel coordination |
| P6 | Actor key lifecycle (`warden issue`, roster automation) | ops-warden | Future WP when attended lanes scale |
| P7 | Policy v2.1 — identity claims for `adm` signs | ops-warden + flex-auth | Design only (`PolicyGatedSigning.md`) |
---
## 6. Workplan recommendation
**Keep WARDEN-WP-0009** as-is — blocked on flex-auth policy package.
**Propose WARDEN-WP-0010 — Production SSH Integration Closeout** when ready:
- T1: Document ops-bridge `cert_command` migration for `agt-state-hub-bridge` (pilot tunnel)
- T2: Operator token runbook — OIDC login, `warden-sign` token, root retirement
- T3: Principals drift check — `inventory.yaml` `hosts``railiance-infra/ssh_principals.yaml`
- T4: Optional cert_command smoke evidence in verify history
Defer WP-0010 creation until flex-auth path is clearer or ops-bridge signals tunnel migration priority.
**Ad hoc only:** token rotation, single-tunnel cert_command pilot — no workplan unless multi-phase.
---
## 7. Where we are (one paragraph)
ops-warden is a **production-capable SSH certificate authority** for the NetKingdom
`adm`/`agt`/`atm` model, with OpenBao as the Railiance signing backend and
documented stewardship for every other credential lane. INTENT's core SSH mission
is achieved; the steward desk is documentation-first with a shipped, verified CLI.
Next maturity steps are authorization (flex-auth), consumer integration (ops-bridge),
and operational hygiene — not new signing features.