ops-warden/workplans/WARDEN-WP-0006-netkingdom-alignment-and-access-stewardship.md
tegwick ca1eaf3350 Define INTENT, refresh SCOPE, and plan NetKingdom stewardship
Add ops-warden INTENT as operational access steward for NetKingdom
security (route credential lanes, align docs, issue SSH certs only).
Refresh SCOPE for stewardship scope, persist INTENT↔SCOPE gap assessment,
and open WARDEN-WP-0006 for routing runbooks and platform alignment.
2026-06-17 08:20:32 +02:00


id: WARDEN-WP-0006
type: workplan
title: NetKingdom Alignment and Operational Access Stewardship
domain: custodian
repo: ops-warden
status: ready
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 6
created: 2026-06-17
updated: 2026-06-17
state_hub_workstream_id: a5c9f24b-1ad4-46da-bc8e-b99897f8e302

WARDEN-WP-0006 — NetKingdom Alignment and Operational Access Stewardship

Scope: Close gaps identified in history/2026-06-17-intent-scope-assessment.md between INTENT (operational access steward for NetKingdom security) and SCOPE (shipped SSH CLI only). Documentation and alignment first; code changes limited to optional CLI ergonomics.

Out of scope: flex-auth integration implementation, OpenBao cluster deploy, universal credential broker, net-kingdom INTENT.md rewrite.

References:

  • INTENT.md, SCOPE.md, history/2026-06-17-intent-scope-assessment.md
  • net-kingdom/docs/platform-identity-security-architecture.md
  • net-kingdom/docs/responsibility-map.md
  • NK-WP-0009 (SSH tutorial, net-kingdom)

Goal

After this workplan, a development worker or agent can:

  1. Read ops-warden material and know which NetKingdom subsystem handles each credential type.
  2. Obtain SSH certs via the documented actor patterns and the production OpenBao path.
  3. Find ops-warden recognized in NetKingdom responsibility/platform docs as the operational SSH credential authority.

Tasks

T1 — Credential routing runbook

id: WARDEN-WP-0006-T01
status: todo
priority: high
state_hub_task_id: "ffc6a0c2-4312-4584-be7a-c8411cb01899"

Create wiki/CredentialRouting.md:

  • Decision tree: SSH vs runtime secret vs identity vs authorization vs tunnel
  • Per-subsystem links (OpenBao, flex-auth, key-cape, ops-bridge, railiance-infra)
  • Explicit “do not ask ops-warden for API keys” examples
  • Link from SCOPE.md, INTENT.md, README.md

Done when: A worker with no prior context can route a credential request in under two minutes using this page alone.

T2 — Actor inventory patterns

id: WARDEN-WP-0006-T02
status: todo
priority: high
state_hub_task_id: "3816463d-7dfd-469d-9324-fd7880b50608"

Create wiki/ActorInventoryPatterns.md with standard patterns:

  • Tunnel agents (agt-*-bridge)
  • Kaizen / codex agents (agt-codex-*)
  • CI automations (atm-*)
  • Human admins (adm-*)
  • TTL and principal narrowing guidance

Optional: examples/inventory.seed.yaml (non-secret, Git-safe template).

Done when: Adding a new dev worker actor does not require inventing naming from scratch.
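The actor classes above (agt-*-bridge, agt-codex-*, atm-*, adm-*) plus the TTL and principal-narrowing guidance can be enforced mechanically against an inventory. The following validator is an added example, not ops-warden code or the content of wiki/ActorInventoryPatterns.md: the prefixes come from this workplan, while the per-class TTL caps, the inventory field names (name, ttl_seconds, principals) and the sample entries are assumptions constructed for the example.

```python
"""Check an actor inventory against the T2 naming and narrowing patterns.

Added example (not ops-warden code). Actor-class prefixes are from
WARDEN-WP-0006 T2; TTL caps, field names and sample entries are assumed.
"""
import re

# One dash-separated lowercase segment, e.g. "staging" or "nightly-build".
SEGMENT = r"[a-z0-9]+(?:-[a-z0-9]+)*"

# Actor class -> (name pattern from the workplan, assumed max cert TTL in seconds).
# Order matters: "agt-codex-x-bridge" is classified as a tunnel agent first.
ACTOR_CLASSES = {
    "tunnel_agent":  (re.compile(rf"^agt-{SEGMENT}-bridge$"), 3600),
    "codex_agent":   (re.compile(rf"^agt-codex-{SEGMENT}$"), 3600),
    "ci_automation": (re.compile(rf"^atm-{SEGMENT}$"), 1800),
    "human_admin":   (re.compile(rf"^adm-{SEGMENT}$"), 8 * 3600),
}


def classify(name):
    """Return the actor class for a name, or None if no pattern matches."""
    for cls, (pattern, _cap) in ACTOR_CLASSES.items():
        if pattern.match(name):
            return cls
    return None


def validate_actor(entry):
    """Return a list of findings for one entry; an empty list means it conforms."""
    findings = []
    name = entry.get("name", "")
    cls = classify(name)
    if cls is None:
        findings.append(f"{name!r}: matches no actor-class pattern "
                        "(agt-*-bridge, agt-codex-*, atm-*, adm-*)")
        return findings
    cap = ACTOR_CLASSES[cls][1]
    ttl = entry.get("ttl_seconds")
    if not isinstance(ttl, int) or ttl <= 0:
        findings.append(f"{name}: ttl_seconds must be a positive integer")
    elif ttl > cap:
        findings.append(f"{name}: ttl_seconds {ttl} exceeds the {cls} cap of {cap}")
    # Principal narrowing: certs should name explicit login users, never
    # a wildcard or root, and never an empty list (which defers to the role).
    principals = entry.get("principals") or []
    if not principals:
        findings.append(f"{name}: no principals listed; narrow to explicit login names")
    for principal in principals:
        if "*" in principal or principal == "root":
            findings.append(f"{name}: principal {principal!r} is not narrowed")
    return findings


def validate_inventory(inventory):
    """Map each non-conforming actor name to its findings (empty dict = clean)."""
    report = {}
    for entry in inventory:
        findings = validate_actor(entry)
        if findings:
            report[entry.get("name", "<unnamed>")] = findings
    return report


# Constructed sample inventory; not a real inventory.seed.yaml.
SAMPLE_INVENTORY = [
    {"name": "agt-staging-bridge", "ttl_seconds": 1800, "principals": ["bridge"]},
    {"name": "agt-codex-reviewer", "ttl_seconds": 3600, "principals": ["codex"]},
    {"name": "atm-nightly-build", "ttl_seconds": 86400, "principals": ["ci"]},
    {"name": "adm-alice", "ttl_seconds": 28800, "principals": ["alice", "root"]},
    {"name": "svc-legacy-deploy", "ttl_seconds": 600, "principals": []},
]

if __name__ == "__main__":
    for actor, findings in validate_inventory(SAMPLE_INVENTORY).items():
        for finding in findings:
            print(finding)
```

Run against the sample, the validator flags the CI automation whose TTL exceeds its cap, the admin whose principals include root, and the legacy name that fits none of the classes; the two agents pass. A check like this can sit in CI beside a Git-safe seed file so a new actor is rejected before it reaches the signing path.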

id: WARDEN-WP-0006-T03
status: todo
priority: high
state_hub_task_id: "f158366a-5746-48b8-acce-472dce8f925e"

  • Add wiki/NetKingdomSecurityMap.md — condensed literacy table from INTENT
  • Update registry/capabilities/capability.security.ssh-certificate-issuance.md summary to mention stewardship/routing
  • Update .claude/rules/repo-boundary.md with NetKingdom routing table

Done when: ops-warden docs stand alone for NetKingdom operational access orientation without reading net-kingdom first (but link to canon).

T4 — NetKingdom canon patch (coordination)

id: WARDEN-WP-0006-T04
status: todo
priority: medium
state_hub_task_id: "e40e4395-8f01-4f79-a539-d0de8e427321"

Coordinate updates in net-kingdom (separate commit/PR there):

  • docs/responsibility-map.md — move ops-warden from pure out-of-scope to operational SSH credential dependency
  • docs/platform-identity-security-architecture.md — add Operational SSH Path (ops-warden → ops-bridge → hosts)

Done when: NetKingdom canon names ops-warden's lane; ops-warden wiki links back to the updated sections.

Note: Requires net-kingdom repo write access; may need the needs_human state if blocked on review.

T5 — OpenBao SSH engine operational checklist

id: WARDEN-WP-0006-T05
status: todo
priority: medium
state_hub_task_id: "a94e20a2-970b-4a0c-bd23-8510b841b938"

Create wiki/OpenBaoSshEngineChecklist.md:

  • Prerequisites (OpenBao initialized/unsealed per railiance-platform)
  • Role creation commands (from OpsWardenConfig)
  • Token policy expectations (no root token in warden workflows)
  • Verification: warden sign against production endpoint
  • Failure modes and fallback boundaries

Done when: Operator can verify production SSH signing path without reconstructing steps from multiple repos.
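Two of the checklist items above, the token policy expectation (no root token in warden workflows) and the verification of a warden sign against the production endpoint, lend themselves to a pre-flight check run before the sign call. The code below is an added example, not the warden CLI or the checklist's own commands: the SSH mount path, the role name, the policy name and the certificate TTL cap are assumptions, and the token-lookup data and public key are constructed. The field names it reads (policies, ttl from a token lookup-self response; public_key, valid_principals, ttl, cert_type on the SSH engine's sign endpoint) follow the Vault-derived API that OpenBao exposes.

```python
"""Pre-flight checks for the OpenBao SSH signing path (WARDEN-WP-0006 T5).

Added example, not ops-warden code. Mount path, role, policy name and TTL cap
are assumptions; the sample token data and public key are constructed.
"""

SSH_MOUNT = "ssh"                    # assumed mount path of the SSH secrets engine
SIGNING_ROLE = "warden-dev-worker"   # assumed role name
REQUIRED_POLICY = "ops-warden-sign"  # assumed policy granting ssh/sign/<role>
MAX_CERT_TTL = 3600                  # assumed cap on requested certificate TTL
KEY_TYPES = ("ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa")


def check_token(lookup_data):
    """Gate the workflow on the 'data' object of auth/token/lookup-self.

    Rejects root tokens (forbidden in warden workflows), tokens missing the
    signing policy, and tokens without a bounded lifetime.
    """
    policies = set(lookup_data.get("policies", []))
    if "root" in policies:
        raise PermissionError("root token must not be used in warden workflows")
    if REQUIRED_POLICY not in policies:
        raise PermissionError(f"token lacks the {REQUIRED_POLICY} policy")
    if lookup_data.get("ttl", 0) <= 0:
        raise PermissionError("token must have a bounded TTL")
    return True


def build_sign_request(public_key, principals, ttl_seconds):
    """Return (api_path, body) for the SSH engine's sign endpoint.

    Validates the inputs the role will see so failures surface locally with a
    clear message instead of as an opaque 400 from the endpoint.
    """
    fields = public_key.split()
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("public_key must be a single-line OpenSSH public key")
    if not principals or any(p in ("*", "root") for p in principals):
        raise ValueError("valid_principals must be an explicit, non-root list")
    if not 0 < ttl_seconds <= MAX_CERT_TTL:
        raise ValueError(f"ttl_seconds must be in (0, {MAX_CERT_TTL}]")
    path = f"{SSH_MOUNT}/sign/{SIGNING_ROLE}"
    body = {
        "public_key": public_key,
        "valid_principals": ",".join(principals),
        "ttl": f"{ttl_seconds}s",
        "cert_type": "user",
    }
    return path, body


def looks_like_certificate(signed_key):
    """Sanity-check the signed_key field of the response before installing it."""
    fields = signed_key.split()
    return len(fields) >= 2 and fields[0].endswith("-cert-v01@openssh.com")


# Constructed sample data, not real tokens or keys.
GOOD_TOKEN = {"policies": ["default", "ops-warden-sign"], "ttl": 1790,
              "display_name": "token-atm-nightly-build"}
ROOT_TOKEN = {"policies": ["root"], "ttl": 0}
SAMPLE_PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY agt-codex-reviewer"

if __name__ == "__main__":
    check_token(GOOD_TOKEN)
    path, body = build_sign_request(SAMPLE_PUBKEY, ["codex"], 1800)
    print(path, body["valid_principals"], body["ttl"])
```

The checks run before any network call: check_token consumes the data an operator already gets from a token lookup, build_sign_request produces the path and body that would be POSTed to the production endpoint, and looks_like_certificate guards against writing a non-certificate response into the agent's key directory. Any failure stops the workflow rather than falling back to an unsigned key, which matches the "fallback boundaries" item above.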

T6 — Policy-gated signing design (design only)

id: WARDEN-WP-0006-T06
status: todo
priority: low
state_hub_task_id: "b10a4b4d-bfa1-4f49-b6a5-f339f1e6a2e1"

Create wiki/PolicyGatedSigning.md:

  • flex-auth decision before warden sign — proposed flow
  • Claims needed from IAM Profile
  • What stays inventory-based in v1 vs policy-based in v2
  • Explicit non-implementation in this workplan

Done when: Reviewable design exists; no code dependency.

T7 — Re-assess INTENT ↔ SCOPE

id: WARDEN-WP-0006-T07
status: todo
priority: medium
state_hub_task_id: "ef8b5c57-2343-4cfc-9fee-48db1e56f69a"

After T1 through T5 are complete:

  • Update history/2026-06-17-intent-scope-assessment.md or add history/YYYYMMDD-intent-scope-reassessment.md
  • Refresh SCOPE.md Current State and completeness notes
  • Run make fix-consistency REPO=ops-warden

Done when: Completeness target C3+ documented with evidence.

Acceptance Criteria

  • wiki/CredentialRouting.md exists and is linked from README/SCOPE
  • wiki/ActorInventoryPatterns.md exists
  • wiki/NetKingdomSecurityMap.md exists
  • NetKingdom responsibility-map recognizes ops-warden SSH lane (T4)
  • OpenBao SSH checklist documented (T5)
  • Policy-gated signing design drafted (T6)
  • INTENT ↔ SCOPE re-assessment recorded (T7)
  • reuse-surface validate --root . passes if registry entry changed