Files
ops-warden/history/2026-07-01-intent-scope-gap-analysis.md
tegwick f47d632d8e Add July INTENT↔SCOPE gap analysis and WARDEN-WP-0023 alignment closeout
Persist the 2026-07-01 assessment, register the alignment workplan with
tasks for INTENT refresh, production integration coordination, broker UX,
and catalog promotion. Promote WP-0022 to ready and update SCOPE links.
2026-07-01 23:27:14 +02:00

6.1 KiB
Raw Blame History

INTENT ↔ SCOPE Gap Analysis — Post RAILIANCE-WP-0005 T08

Date: 2026-07-01
Author: codex
Trigger: RAILIANCE-WP-0005 broker lane live (ops-warden-warden-sign-token, T08); credential-exec-ops-warden-smoke proven; SCOPE refreshed to 2026-07-01.
Prior assessments: history/2026-06-24-intent-scope-gap-analysis.md, history/2026-06-18-post-wp0008-intent-scope-reassessment.md

Workplan: WARDEN-WP-0023-intent-scope-alignment-closeout.md


1. Executive summary

ops-warden is aligned with INTENT on its core mission: issue SSH certs, route every other credential need, and stay out of secret custody. The repository has grown past what INTENT.md describes — assist layer, owner-native exec routing, workload posture, and the coordination worker are shipped but not fully reflected in the aspirational doc.

The largest real gaps are production integration (flex-auth runtime flip, ops-bridge live cert_command) and audit coherence (scattered logs; WP-0022 proposed). The former is mostly other repos; the latter is the best in-repo next implementation.

Vector movement: D5 / A5 / C5 / R4 (SCOPE 2026-07-01) — up from D5 / A4 / C4 / R3 (June 2024) on completeness and reliability substance.

Dimension Jun 2024 Jul 2026 Notes
Discovery D5 D5 Catalog + playbooks + owner-native lanes
Availability A4 A5 warden access, worker, posture CLI
Completeness C4 C5 Two concrete owner-native routes; broker live
Reliability R3 R4 Sign + broker policy-gate smoke evidence

2. Deliverables since 2026-06-24

Workplan / cross-repo Deliverable Status
WP-00140016 Access assist, front-door discoverability, cert_command pilot gate Finished
WP-00170019 secrets-engine primary routing; whynot-design lane active Finished
WP-00200021 warden worker + scheduled tick Finished
RAILIANCE-WP-0005 T08 ops-warden-warden-sign-token catalog + playbook; live broker smoke Done (platform)
WP-0022 Unified audit + warden activity Proposed
FLEX-WP-0007 flex-auth production deploy External — still open

3. INTENT success criteria

# Criterion Status Evidence / gap
1 Worker knows which subsystem for each credential type Met warden route, catalog, playbooks; draft lanes remain template
2 SSH access short-lived, inventoried, audited Met (prod) OpenBao sign + signatures.log; unified audit pending WP-0022
3 ops-bridge integrates via stable cert_command Partial WP-0016 pilot-ready; live tunnels still static-key
4 NetKingdom evolution reflected in docs Met SCOPE/wiki current; INTENT.md stale
5 Non-SSH secrets stay out of ops-warden Met Pointer + owner-native exec; no custody
6 Blockers classifiable by posture/maturity Met (repo) WP-0015; canon landing external

Score: 5 met, 1 partial — partial is ops-bridge production adoption (unchanged structurally; VAULT_TOKEN blocker cleared via broker routing).


4. INTENT mission pillars

Pillar Status Gap
1. Know NetKingdom security model Strong INTENT table omits secrets-engine, credential broker
2. Route, and assist Strong INTENT flow diagram still flat “OpenBao documented”
3. Steward workload posture Shipped Runtime enforcement = flex-auth
4. Align runbooks with canon Strong Broker-first token hygiene live
5. Issue short-lived SSH certs Production
6. Audit SSH signing Partial WP-0022 — fragmented logs today

5. Where SCOPE exceeds INTENT (doc drift, not implementation gap)

  • warden access transparent proxy (WP-0014)
  • Owner-native exec routing — secrets-engine, credential broker (WP-00170019, T08)
  • Coordination worker (WP-0020/0021)
  • Workload posture conformance (WP-0015)
  • flex-auth policy gate caller shipped; INTENT still says “future hook”

6. Remaining gaps (prioritized)

Prio Gap Owner ops-warden action Track
P1 flex-auth production runtime (policy.enabled: true) flex-auth Coordination checklist + smoke evidence FLEX-WP-0007
P1 ops-bridge live cert_command cutover ops-bridge Evidence template + handoff follow-up WP-0016 follow-on
P2 Unified audit trail ops-warden Implement WP-0022 WARDEN-WP-0022
P2 INTENT.md refresh ops-warden Align aspirational doc with shipped model WARDEN-WP-0023 T02
P3 warden sign missing-token UX ops-warden Hint credential exec path WARDEN-WP-0023 T04
P3 Draft catalog lanes ops-warden + owners Promotion checklist as lanes concrete WARDEN-WP-0023 T05
P4 Principals drift ops-warden + infra Periodic check_principals_drift.py Ongoing
P4 Posture canon landing net-kingdom Coordination only WP-0015 T5

7. Workplan recommendation

WARDEN-WP-0023 — INTENTSCOPE alignment closeout (new, ready):

  • T01: This assessment (persisted)
  • T02: Refresh INTENT.md
  • T03: Production integration coordination pack (flex-auth + ops-bridge)
  • T04: warden sign broker hint when VAULT_TOKEN unset
  • T05: Catalog draft-lane promotion checklist
  • T06: SCOPE cross-link and workplan-status consistency
  • T07: Promote WP-0022 to ready and sequence audit implementation

WARDEN-WP-0022 remains the implementation vehicle for unified audit (P2).

Out of scope for new ops-warden implementation:

  • flex-auth runtime deployment (FLEX-WP-0007)
  • ops-bridge tunnel config changes
  • OpenBao token minting / credential broker implementation (railiance-platform)

8. Maturity target (post WP-0023 + WP-0022 + external P1)

Dimension Target Unlock
R4 → R5 Live tunnel uses warden-signed cert ops-bridge cutover evidence
R4 → R5 Policy gate on in production FLEX-WP-0007 + operator flip
Audit pillar Single warden activity view WP-0022
INTENT sync Aspirational doc matches SCOPE WP-0023 T02