Files
ops-warden/workplans/WARDEN-WP-0006-netkingdom-alignment-and-access-stewardship.md
tegwick ca1eaf3350 Define INTENT, refresh SCOPE, and plan NetKingdom stewardship
Add ops-warden INTENT as operational access steward for NetKingdom
security (route credential lanes, align docs, issue SSH certs only).
Refresh SCOPE for stewardship scope, persist INTENT↔SCOPE gap assessment,
and open WARDEN-WP-0006 for routing runbooks and platform alignment.
2026-06-17 08:20:32 +02:00

197 lines
5.8 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
id: WARDEN-WP-0006
type: workplan
title: "NetKingdom Alignment and Operational Access Stewardship"
domain: custodian
repo: ops-warden
status: ready
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 6
created: "2026-06-17"
updated: "2026-06-17"
state_hub_workstream_id: "a5c9f24b-1ad4-46da-bc8e-b99897f8e302"
---
# WARDEN-WP-0006 — NetKingdom Alignment and Operational Access Stewardship
**Scope:** Close gaps identified in `history/2026-06-17-intent-scope-assessment.md`
between INTENT (operational access steward for NetKingdom security) and SCOPE
(shipped SSH CLI only). Documentation and alignment first; code changes limited
to optional CLI ergonomics.
**Out of scope:** flex-auth integration implementation, OpenBao cluster deploy,
universal credential broker, net-kingdom INTENT.md rewrite.
**References:**
- `INTENT.md`, `SCOPE.md`, `history/2026-06-17-intent-scope-assessment.md`
- `net-kingdom/docs/platform-identity-security-architecture.md`
- `net-kingdom/docs/responsibility-map.md`
- `NK-WP-0009` (SSH tutorial, net-kingdom)
---
## Goal
After this workplan, a development worker or agent can:
1. Read ops-warden material and know **which NetKingdom subsystem** handles each
credential type.
2. Obtain **SSH certs** via documented actor patterns and production OpenBao path.
3. Find ops-warden recognized in **NetKingdom responsibility/platform** docs as
the operational SSH credential authority.
---
## Tasks
### T1 — Credential routing runbook
```task
id: WARDEN-WP-0006-T01
status: todo
priority: high
state_hub_task_id: "ffc6a0c2-4312-4584-be7a-c8411cb01899"
```
Create `wiki/CredentialRouting.md`:
- Decision tree: SSH vs runtime secret vs identity vs authorization vs tunnel
- Per-subsystem links (OpenBao, flex-auth, key-cape, ops-bridge, railiance-infra)
- Explicit “do not ask ops-warden for API keys” examples
- Link from `SCOPE.md`, `INTENT.md`, `README.md`
**Done when:** A worker with no prior context can route a credential request in
under two minutes using this page alone.
### T2 — Actor inventory patterns
```task
id: WARDEN-WP-0006-T02
status: todo
priority: high
state_hub_task_id: "3816463d-7dfd-469d-9324-fd7880b50608"
```
Create `wiki/ActorInventoryPatterns.md` with standard patterns:
- Tunnel agents (`agt-*-bridge`)
- Kaizen / codex agents (`agt-codex-*`)
- CI automations (`atm-*`)
- Human admins (`adm-*`)
- TTL and principal narrowing guidance
Optional: `examples/inventory.seed.yaml` (non-secret, Git-safe template).
**Done when:** Adding a new dev worker actor does not require inventing naming
from scratch.
### T3 — NetKingdom cross-links (ops-warden side)
```task
id: WARDEN-WP-0006-T03
status: todo
priority: high
state_hub_task_id: "f158366a-5746-48b8-acce-472dce8f925e"
```
- Add `wiki/NetKingdomSecurityMap.md` — condensed literacy table from INTENT
- Update `registry/capabilities/capability.security.ssh-certificate-issuance.md`
summary to mention stewardship/routing
- Update `.claude/rules/repo-boundary.md` with NetKingdom routing table
**Done when:** ops-warden docs stand alone for NetKingdom operational access
orientation without reading net-kingdom first (but link to canon).
### T4 — NetKingdom canon patch (coordination)
```task
id: WARDEN-WP-0006-T04
status: todo
priority: medium
state_hub_task_id: "e40e4395-8f01-4f79-a539-d0de8e427321"
```
Coordinate updates in `net-kingdom` (separate commit/PR there):
- `docs/responsibility-map.md` — move ops-warden from pure out-of-scope to
**operational SSH credential dependency**
- `docs/platform-identity-security-architecture.md` — add Operational SSH Path
(ops-warden → ops-bridge → hosts)
**Done when:** NetKingdom canon names ops-wardens lane; ops-warden wiki links
back to the updated sections.
**Note:** Requires `net-kingdom` repo write access; may need `needs_human` if
blocked on review.
### T5 — OpenBao SSH engine operational checklist
```task
id: WARDEN-WP-0006-T05
status: todo
priority: medium
state_hub_task_id: "a94e20a2-970b-4a0c-bd23-8510b841b938"
```
Create `wiki/OpenBaoSshEngineChecklist.md`:
- Prerequisites (OpenBao initialized/unsealed per railiance-platform)
- Role creation commands (from OpsWardenConfig)
- Token policy expectations (no root token in warden workflows)
- Verification: `warden sign` against production endpoint
- Failure modes and fallback boundaries
**Done when:** Operator can verify production SSH signing path without
reconstructing steps from multiple repos.
### T6 — Policy-gated signing design (design only)
```task
id: WARDEN-WP-0006-T06
status: todo
priority: low
state_hub_task_id: "b10a4b4d-bfa1-4f49-b6a5-f339f1e6a2e1"
```
Create `wiki/PolicyGatedSigning.md`:
- flex-auth decision before `warden sign` — proposed flow
- Claims needed from IAM Profile
- What stays inventory-based in v1 vs policy-based in v2
- Explicit non-implementation in this workplan
**Done when:** Reviewable design exists; no code dependency.
### T7 — Re-assess INTENT ↔ SCOPE
```task
id: WARDEN-WP-0006-T07
status: todo
priority: medium
state_hub_task_id: "ef8b5c57-2343-4cfc-9fee-48db1e56f69a"
```
After T1T5 complete:
- Update `history/2026-06-17-intent-scope-assessment.md` or add
`history/YYYYMMDD-intent-scope-reassessment.md`
- Refresh SCOPE.md Current State and completeness notes
- Run `make fix-consistency REPO=ops-warden`
**Done when:** Completeness target C3+ documented with evidence.
---
## Acceptance Criteria
- [ ] `wiki/CredentialRouting.md` exists and is linked from README/SCOPE
- [ ] `wiki/ActorInventoryPatterns.md` exists
- [ ] `wiki/NetKingdomSecurityMap.md` exists
- [ ] NetKingdom responsibility-map recognizes ops-warden SSH lane (T4)
- [ ] OpenBao SSH checklist documented (T5)
- [ ] Policy-gated signing design drafted (T6)
- [ ] INTENT ↔ SCOPE re-assessment recorded (T7)
- [ ] `reuse-surface validate --root .` passes if registry entry changed