Persist the 2026-07-01 assessment, register the alignment workplan with tasks for INTENT refresh, production integration coordination, broker UX, and catalog promotion. Promote WP-0022 to ready and update SCOPE links.
6.1 KiB
INTENT ↔ SCOPE Gap Analysis — Post RAILIANCE-WP-0005 T08
Date: 2026-07-01
Author: codex
Trigger: RAILIANCE-WP-0005 broker lane live (ops-warden-warden-sign-token, T08);
credential-exec-ops-warden-smoke proven; SCOPE refreshed to 2026-07-01.
Prior assessments: history/2026-06-24-intent-scope-gap-analysis.md,
history/2026-06-18-post-wp0008-intent-scope-reassessment.md
Workplan: WARDEN-WP-0023-intent-scope-alignment-closeout.md
1. Executive summary
ops-warden is aligned with INTENT on its core mission: issue SSH certs, route
every other credential need, and stay out of secret custody. The repository has
grown past what INTENT.md describes — assist layer, owner-native exec routing,
workload posture, and the coordination worker are shipped but not fully reflected
in the aspirational doc.
The largest real gaps are production integration (flex-auth runtime flip,
ops-bridge live cert_command) and audit coherence (scattered logs; WP-0022
proposed). The former is mostly other repos; the latter is the best in-repo next
implementation.
Vector movement: D5 / A5 / C5 / R4 (SCOPE 2026-07-01) — up from
D5 / A4 / C4 / R3 (June 2024) on completeness and reliability substance.
| Dimension | Jun 2024 | Jul 2026 | Notes |
|---|---|---|---|
| Discovery | D5 | D5 | Catalog + playbooks + owner-native lanes |
| Availability | A4 | A5 | warden access, worker, posture CLI |
| Completeness | C4 | C5 | Two concrete owner-native routes; broker live |
| Reliability | R3 | R4 | Sign + broker policy-gate smoke evidence |
2. Deliverables since 2026-06-24
| Workplan / cross-repo | Deliverable | Status |
|---|---|---|
| WP-0014–0016 | Access assist, front-door discoverability, cert_command pilot gate | Finished |
| WP-0017–0019 | secrets-engine primary routing; whynot-design lane active | Finished |
| WP-0020–0021 | warden worker + scheduled tick |
Finished |
| RAILIANCE-WP-0005 T08 | ops-warden-warden-sign-token catalog + playbook; live broker smoke |
Done (platform) |
| WP-0022 | Unified audit + warden activity |
Proposed |
| FLEX-WP-0007 | flex-auth production deploy | External — still open |
3. INTENT success criteria
| # | Criterion | Status | Evidence / gap |
|---|---|---|---|
| 1 | Worker knows which subsystem for each credential type | Met | warden route, catalog, playbooks; draft lanes remain template |
| 2 | SSH access short-lived, inventoried, audited | Met (prod) | OpenBao sign + signatures.log; unified audit pending WP-0022 |
| 3 | ops-bridge integrates via stable cert_command |
Partial | WP-0016 pilot-ready; live tunnels still static-key |
| 4 | NetKingdom evolution reflected in docs | Met | SCOPE/wiki current; INTENT.md stale |
| 5 | Non-SSH secrets stay out of ops-warden | Met | Pointer + owner-native exec; no custody |
| 6 | Blockers classifiable by posture/maturity | Met (repo) | WP-0015; canon landing external |
Score: 5 met, 1 partial — partial is ops-bridge production adoption (unchanged structurally; VAULT_TOKEN blocker cleared via broker routing).
4. INTENT mission pillars
| Pillar | Status | Gap |
|---|---|---|
| 1. Know NetKingdom security model | Strong | INTENT table omits secrets-engine, credential broker |
| 2. Route, and assist | Strong | INTENT flow diagram still flat “OpenBao documented” |
| 3. Steward workload posture | Shipped | Runtime enforcement = flex-auth |
| 4. Align runbooks with canon | Strong | Broker-first token hygiene live |
| 5. Issue short-lived SSH certs | Production | — |
| 6. Audit SSH signing | Partial | WP-0022 — fragmented logs today |
5. Where SCOPE exceeds INTENT (doc drift, not implementation gap)
warden accesstransparent proxy (WP-0014)- Owner-native exec routing — secrets-engine, credential broker (WP-0017–0019, T08)
- Coordination worker (WP-0020/0021)
- Workload posture conformance (WP-0015)
- flex-auth policy gate caller shipped; INTENT still says “future hook”
6. Remaining gaps (prioritized)
| Prio | Gap | Owner | ops-warden action | Track |
|---|---|---|---|---|
| P1 | flex-auth production runtime (policy.enabled: true) |
flex-auth | Coordination checklist + smoke evidence | FLEX-WP-0007 |
| P1 | ops-bridge live cert_command cutover |
ops-bridge | Evidence template + handoff follow-up | WP-0016 follow-on |
| P2 | Unified audit trail | ops-warden | Implement WP-0022 | WARDEN-WP-0022 |
| P2 | INTENT.md refresh | ops-warden | Align aspirational doc with shipped model | WARDEN-WP-0023 T02 |
| P3 | warden sign missing-token UX |
ops-warden | Hint credential exec path |
WARDEN-WP-0023 T04 |
| P3 | Draft catalog lanes | ops-warden + owners | Promotion checklist as lanes concrete | WARDEN-WP-0023 T05 |
| P4 | Principals drift | ops-warden + infra | Periodic check_principals_drift.py |
Ongoing |
| P4 | Posture canon landing | net-kingdom | Coordination only | WP-0015 T5 |
7. Workplan recommendation
WARDEN-WP-0023 — INTENT–SCOPE alignment closeout (new, ready):
- T01: This assessment (persisted)
- T02: Refresh
INTENT.md - T03: Production integration coordination pack (flex-auth + ops-bridge)
- T04:
warden signbroker hint whenVAULT_TOKENunset - T05: Catalog draft-lane promotion checklist
- T06: SCOPE cross-link and workplan-status consistency
- T07: Promote WP-0022 to
readyand sequence audit implementation
WARDEN-WP-0022 remains the implementation vehicle for unified audit (P2).
Out of scope for new ops-warden implementation:
- flex-auth runtime deployment (FLEX-WP-0007)
- ops-bridge tunnel config changes
- OpenBao token minting / credential broker implementation (railiance-platform)
8. Maturity target (post WP-0023 + WP-0022 + external P1)
| Dimension | Target | Unlock |
|---|---|---|
| R4 → R5 | Live tunnel uses warden-signed cert | ops-bridge cutover evidence |
| R4 → R5 | Policy gate on in production | FLEX-WP-0007 + operator flip |
| Audit pillar | Single warden activity view |
WP-0022 |
| INTENT sync | Aspirational doc matches SCOPE | WP-0023 T02 |