Add ops-warden INTENT as operational access steward for NetKingdom security (route credential lanes, align docs, issue SSH certs only). Refresh SCOPE for stewardship scope, persist INTENT↔SCOPE gap assessment, and open WARDEN-WP-0006 for routing runbooks and platform alignment.
| id | type | title | domain | repo | status | owner | topic_slug | planning_priority | planning_order | created | updated | state_hub_workstream_id |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WARDEN-WP-0006 | workplan | NetKingdom Alignment and Operational Access Stewardship | custodian | ops-warden | ready | codex | custodian | high | 6 | 2026-06-17 | 2026-06-17 | a5c9f24b-1ad4-46da-bc8e-b99897f8e302 |
WARDEN-WP-0006 — NetKingdom Alignment and Operational Access Stewardship
Scope: Close gaps identified in history/2026-06-17-intent-scope-assessment.md
between INTENT (operational access steward for NetKingdom security) and SCOPE
(shipped SSH CLI only). Documentation and alignment first; code changes limited
to optional CLI ergonomics.
Out of scope: flex-auth integration implementation, OpenBao cluster deploy, universal credential broker, net-kingdom INTENT.md rewrite.
References:
- INTENT.md
- SCOPE.md
- history/2026-06-17-intent-scope-assessment.md
- net-kingdom/docs/platform-identity-security-architecture.md
- net-kingdom/docs/responsibility-map.md
- NK-WP-0009 (SSH tutorial, net-kingdom)
Goal
After this workplan, a development worker or agent can:
- Read ops-warden material and know which NetKingdom subsystem handles each credential type.
- Obtain SSH certs via documented actor patterns and production OpenBao path.
- Find ops-warden recognized in NetKingdom responsibility/platform docs as the operational SSH credential authority.
Tasks
T1 — Credential routing runbook
id: WARDEN-WP-0006-T01
status: todo
priority: high
state_hub_task_id: "ffc6a0c2-4312-4584-be7a-c8411cb01899"
Create wiki/CredentialRouting.md:
- Decision tree: SSH vs runtime secret vs identity vs authorization vs tunnel
- Per-subsystem links (OpenBao, flex-auth, key-cape, ops-bridge, railiance-infra)
- Explicit “do not ask ops-warden for API keys” examples
- Link from SCOPE.md, INTENT.md, README.md
Done when: A worker with no prior context can route a credential request in under two minutes using this page alone.
T2 — Actor inventory patterns
id: WARDEN-WP-0006-T02
status: todo
priority: high
state_hub_task_id: "3816463d-7dfd-469d-9324-fd7880b50608"
Create wiki/ActorInventoryPatterns.md with standard patterns:
- Tunnel agents (`agt-*-bridge`)
- Kaizen / codex agents (`agt-codex-*`)
- CI automations (`atm-*`)
- Human admins (`adm-*`)
- TTL and principal narrowing guidance
Optional: examples/inventory.seed.yaml (non-secret, Git-safe template).
Done when: Adding a new dev worker actor does not require inventing naming from scratch.
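As an added example that is not part of this workplan or the ops-warden code base: a small Python lint over a constructed inventory that classifies actor names by the four T2 patterns and flags entries that are not narrowed. The inventory schema, the tightening of the wildcard patterns into regexes, and the per-class TTL ceilings are assumptions; the page names the guidance but not its values.

```python
import re
from dataclasses import dataclass

# Actor name classes from the T2 pattern list. The regexes are an assumed
# tightening of the wildcard forms; checked in order, first match wins, so
# a name ending in "-bridge" is always treated as a tunnel agent.
ACTOR_CLASSES = {
    "tunnel-agent":  re.compile(r"^agt-[a-z0-9-]+-bridge$"),
    "codex-agent":   re.compile(r"^agt-codex-[a-z0-9-]+$"),
    "ci-automation": re.compile(r"^atm-[a-z0-9-]+$"),
    "human-admin":   re.compile(r"^adm-[a-z0-9-]+$"),
}

# Assumed TTL ceilings per class (seconds); the page names TTL guidance
# but gives no numbers, so these are illustrative placeholders.
MAX_TTL_SECONDS = {
    "tunnel-agent": 24 * 3600,
    "codex-agent": 4 * 3600,
    "ci-automation": 1 * 3600,
    "human-admin": 8 * 3600,
}

@dataclass
class ActorEntry:          # assumed shape of one inventory record
    name: str
    principals: list       # SSH principals the cert may carry
    ttl_seconds: int

def classify(name):
    """Return the actor class for a name, or None if no pattern matches."""
    for cls, pat in ACTOR_CLASSES.items():
        if pat.match(name):
            return cls
    return None

def lint_actor(entry):
    """Return a list of findings; an empty list means the entry is acceptable."""
    cls = classify(entry.name)
    if cls is None:
        return [f"{entry.name}: matches no standard actor pattern"]
    findings = []
    if entry.ttl_seconds > MAX_TTL_SECONDS[cls]:
        findings.append(f"{entry.name}: ttl {entry.ttl_seconds}s exceeds "
                        f"{cls} ceiling {MAX_TTL_SECONDS[cls]}s")
    if not entry.principals:
        findings.append(f"{entry.name}: no principals listed")
    for p in entry.principals:
        if "*" in p:  # a wildcard principal defeats principal narrowing
            findings.append(f"{entry.name}: principal {p!r} is not narrowed")
    return findings

def lint_inventory(entries):
    return {e.name: lint_actor(e) for e in entries}

# Constructed sample inventory (not from the page).
SAMPLE = [
    ActorEntry("agt-paris-bridge", ["tunnel"], 3600),
    ActorEntry("agt-codex-reviewer", ["deploy"], 6 * 3600),
    ActorEntry("atm-nightly-build", ["*"], 900),
    ActorEntry("bob", ["bob"], 3600),
]
```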
T3 — NetKingdom cross-links (ops-warden side)
id: WARDEN-WP-0006-T03
status: todo
priority: high
state_hub_task_id: "f158366a-5746-48b8-acce-472dce8f925e"
- Add wiki/NetKingdomSecurityMap.md — condensed literacy table from INTENT
- Update registry/capabilities/capability.security.ssh-certificate-issuance.md summary to mention stewardship/routing
- Update .claude/rules/repo-boundary.md with NetKingdom routing table
Done when: ops-warden docs stand alone for NetKingdom operational access orientation without reading net-kingdom first (but link to canon).
T4 — NetKingdom canon patch (coordination)
id: WARDEN-WP-0006-T04
status: todo
priority: medium
state_hub_task_id: "e40e4395-8f01-4f79-a539-d0de8e427321"
Coordinate updates in net-kingdom (separate commit/PR there):
- docs/responsibility-map.md — move ops-warden from pure out-of-scope to operational SSH credential dependency
- docs/platform-identity-security-architecture.md — add Operational SSH Path (ops-warden → ops-bridge → hosts)
Done when: NetKingdom canon names ops-warden’s lane; ops-warden wiki links back to the updated sections.
Note: Requires net-kingdom repo write access; may need needs_human if blocked on review.
T5 — OpenBao SSH engine operational checklist
id: WARDEN-WP-0006-T05
status: todo
priority: medium
state_hub_task_id: "a94e20a2-970b-4a0c-bd23-8510b841b938"
Create wiki/OpenBaoSshEngineChecklist.md:
- Prerequisites (OpenBao initialized/unsealed per railiance-platform)
- Role creation commands (from OpsWardenConfig)
- Token policy expectations (no root token in warden workflows)
- Verification: `warden sign` against production endpoint
- Failure modes and fallback boundaries
Done when: Operator can verify production SSH signing path without reconstructing steps from multiple repos.
T6 — Policy-gated signing design (design only)
id: WARDEN-WP-0006-T06
status: todo
priority: low
state_hub_task_id: "b10a4b4d-bfa1-4f49-b6a5-f339f1e6a2e1"
Create wiki/PolicyGatedSigning.md:
- flex-auth decision before `warden sign` — proposed flow
- Claims needed from IAM Profile
- What stays inventory-based in v1 vs policy-based in v2
- Explicit non-implementation in this workplan
Done when: Reviewable design exists; no code dependency.
T7 — Re-assess INTENT ↔ SCOPE
id: WARDEN-WP-0006-T07
status: todo
priority: medium
state_hub_task_id: "ef8b5c57-2343-4cfc-9fee-48db1e56f69a"
After T1–T5 complete:
- Update history/2026-06-17-intent-scope-assessment.md or add history/YYYYMMDD-intent-scope-reassessment.md
- Refresh SCOPE.md Current State and completeness notes
- Run `make fix-consistency REPO=ops-warden`
Done when: Completeness target C3+ documented with evidence.
Acceptance Criteria
- wiki/CredentialRouting.md exists and is linked from README/SCOPE
- wiki/ActorInventoryPatterns.md exists
- wiki/NetKingdomSecurityMap.md exists
- NetKingdom responsibility-map recognizes ops-warden SSH lane (T4)
- OpenBao SSH checklist documented (T5)
- Policy-gated signing design drafted (T6)
- INTENT ↔ SCOPE re-assessment recorded (T7)
- `reuse-surface validate --root .` passes if registry entry changed