Files
ops-warden/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md
tegwick bdd532d835 workplan: add WARDEN-WP-0008 production SSH path and stewardship closeout
Establish follow-up after WP-0007: E2E OpenBao sign verification, post-policy
reassessment, task-status canon migration, and archive hygiene. Refresh SCOPE
to reflect shipped policy gate and active WP-0008.
2026-06-17 23:34:13 +02:00

140 lines
4.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
id: WARDEN-WP-0008
type: workplan
title: "Production SSH Path and Stewardship Closeout"
domain: custodian
repo: ops-warden
status: ready
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 8
created: "2026-06-17"
updated: "2026-06-17"
---
# WARDEN-WP-0008 — Production SSH Path and Stewardship Closeout
**Scope:** Close the reliability gap left after WARDEN-WP-0007 — prove the
production OpenBao SSH signing path end-to-end, refresh INTENT/SCOPE canon for
the shipped flex-auth policy gate, adapt repo docs to State Hub task-status
canon, and archive finished workplans.
**Out of scope:** OpenBao cluster deploy or SSH engine bootstrap (operator /
`railiance-platform`), flex-auth policy package authoring, NK-WP-0009 joint
tutorial (coordinate separately), populating non-SSH secrets (e.g. OpenRouter
API keys — route to OpenBao per `wiki/CredentialRouting.md`).
---
## Goal
Move ops-warden from **documented + code-shipped** (WP-0006/0007) to
**production-verified SSH issuance** with up-to-date stewardship canon:
1. A scoped operator can run `warden sign` against `https://bao.coulomb.social`
and record non-secret evidence.
2. `SCOPE.md` and reassessment history reflect WP-0007 policy gate as implemented.
3. Agent/workplan docs use State Hub task lifecycle (`wait` / `todo` / `progress`
/ `done` / `cancel`).
4. Finished workplans WP-00040007 are archived under `workplans/archived/`.
---
## Tasks
### T1 — Post-WP-0007 INTENT/SCOPE reassessment
```task
id: WARDEN-WP-0008-T01
status: todo
priority: high
```
- [ ] Write `history/2026-06-17-post-wp0007-reassessment.md` (vector D5/A3/C4/R?)
- [ ] Update `SCOPE.md` — policy gate implemented, WP-0007 done, WP-0008 active
- [ ] Resolve remaining `PolicyGatedSigning.md (not implemented)` references in SCOPE/README
### T2 — Production OpenBao end-to-end sign verification
```task
id: WARDEN-WP-0008-T02
status: todo
priority: high
```
- [ ] Operator provides scoped `VAULT_TOKEN` (not in Git/chat/logs)
- [ ] Confirm SSH engine mounted and roles per `wiki/OpenBaoSshEngineChecklist.md`
- [ ] Run `warden sign` + `warden status` + `warden log` against production OpenBao
- [ ] Append pass/fail evidence to `history/2026-06-17-openbao-production-verify.md`
- [ ] Optional: cert_command smoke via ops-bridge tunnel (non-secret summary only)
**Blocked until:** scoped token + SSH roles on Railiance OpenBao.
### T3 — State Hub task status canon migration
```task
id: WARDEN-WP-0008-T03
status: todo
priority: medium
```
- [ ] Update `AGENTS.md` task status values and examples (`progress`, `wait`, `cancel`)
- [ ] Update `.claude/rules/workplan-convention.md` task block examples
- [ ] Mark state-hub interface change `649102a2-4373-4621-9848-cc257e67c262` resolved
- [ ] Reply to inbox message `c4072e5a-2afb-44ba-bfa2-7d4cb9979c6e` (read + note adaptation)
### T4 — Production config example and archive hygiene
```task
id: WARDEN-WP-0008-T04
status: todo
priority: medium
```
- [ ] Add `examples/warden.production.example.yaml` (no secrets; OpenBao addr + policy off)
- [ ] Archive finished workplans → `workplans/archived/260617-WARDEN-WP-000{4,5,6,7}-*.md`
- [ ] `make fix-consistency REPO=ops-warden` after archive
### T5 — flex-auth policy gate production readiness (coordination)
```task
id: WARDEN-WP-0008-T05
status: wait
priority: low
```
- [ ] Confirm flex-auth `ssh-certificate` resource policies exist (flex-auth owner)
- [ ] Document enablement procedure for `policy.enabled: true` in production
- [ ] Smoke test policy deny/allow with `fail_closed: true` (non-secret evidence)
**Blocked until:** flex-auth policy package for SSH signing.
---
## Acceptance Criteria
- [ ] Post-WP-0007 reassessment on file; SCOPE current
- [ ] Production `warden sign` evidence recorded OR explicit operator blocker logged
- [ ] AGENTS.md uses canonical task statuses
- [ ] WP-00040007 archived; hub consistency pass
- [ ] Production example config committed (no secrets)
---
## Dependencies
| Dependency | Owner | Blocks |
| --- | --- | --- |
| Scoped OpenBao token + SSH roles | Operator / railiance-platform | T2 |
| flex-auth ssh-certificate policies | flex-auth | T5 |
| NK-WP-0009 SSH tutorial | net-kingdom + ops-warden | — (parallel track) |
---
## See also
- `history/2026-06-17-openbao-production-verify.md` — health probe (WP-0007)
- `history/2026-06-17-intent-scope-reassessment.md` — pre-policy-gate assessment
- `wiki/OpenBaoSshEngineChecklist.md`
- `wiki/PolicyGatedSigning.md` — opt-in gate (implemented WP-0007)