generated from coulomb/repo-seed
Persist the 2026-07-01 assessment, register the alignment workplan with tasks for INTENT refresh, production integration coordination, broker UX, and catalog promotion. Promote WP-0022 to ready and update SCOPE links.
135 lines
6.1 KiB
Markdown
135 lines
6.1 KiB
Markdown
# INTENT ↔ SCOPE Gap Analysis — Post RAILIANCE-WP-0005 T08
|
||
|
||
**Date:** 2026-07-01
|
||
**Author:** codex
|
||
**Trigger:** RAILIANCE-WP-0005 broker lane live (`ops-warden-warden-sign-token`, T08);
|
||
`credential-exec-ops-warden-smoke` proven; SCOPE refreshed to 2026-07-01.
|
||
**Prior assessments:** `history/2026-06-24-intent-scope-gap-analysis.md`,
|
||
`history/2026-06-18-post-wp0008-intent-scope-reassessment.md`
|
||
|
||
**Workplan:** `WARDEN-WP-0023-intent-scope-alignment-closeout.md`
|
||
|
||
---
|
||
|
||
## 1. Executive summary
|
||
|
||
ops-warden is **aligned with INTENT** on its core mission: issue SSH certs, route
|
||
every other credential need, and stay out of secret custody. The repository has
|
||
**grown past what `INTENT.md` describes** — assist layer, owner-native exec routing,
|
||
workload posture, and the coordination worker are shipped but not fully reflected
|
||
in the aspirational doc.
|
||
|
||
The largest **real** gaps are **production integration** (flex-auth runtime flip,
|
||
ops-bridge live `cert_command`) and **audit coherence** (scattered logs; WP-0022
|
||
proposed). The former is mostly other repos; the latter is the best in-repo next
|
||
implementation.
|
||
|
||
**Vector movement:** `D5 / A5 / C5 / R4` (SCOPE 2026-07-01) — up from
|
||
`D5 / A4 / C4 / R3` (June 2024) on completeness and reliability substance.
|
||
|
||
| Dimension | Jun 2024 | Jul 2026 | Notes |
|
||
| --- | --- | --- | --- |
|
||
| Discovery | D5 | D5 | Catalog + playbooks + owner-native lanes |
|
||
| Availability | A4 | A5 | `warden access`, worker, posture CLI |
|
||
| Completeness | C4 | C5 | Two concrete owner-native routes; broker live |
|
||
| Reliability | R3 | R4 | Sign + broker policy-gate smoke evidence |
|
||
|
||
---
|
||
|
||
## 2. Deliverables since 2026-06-24
|
||
|
||
| Workplan / cross-repo | Deliverable | Status |
|
||
| --- | --- | --- |
|
||
| WP-0014–0016 | Access assist, front-door discoverability, cert_command pilot gate | Finished |
|
||
| WP-0017–0019 | secrets-engine primary routing; whynot-design lane active | Finished |
|
||
| WP-0020–0021 | `warden worker` + scheduled tick | Finished |
|
||
| RAILIANCE-WP-0005 T08 | `ops-warden-warden-sign-token` catalog + playbook; live broker smoke | Done (platform) |
|
||
| WP-0022 | Unified audit + `warden activity` | Proposed |
|
||
| FLEX-WP-0007 | flex-auth production deploy | External — still open |
|
||
|
||
---
|
||
|
||
## 3. INTENT success criteria
|
||
|
||
| # | Criterion | Status | Evidence / gap |
|
||
| --- | --- | --- | --- |
|
||
| 1 | Worker knows which subsystem for each credential type | **Met** | `warden route`, catalog, playbooks; draft lanes remain template |
|
||
| 2 | SSH access short-lived, inventoried, audited | **Met (prod)** | OpenBao sign + `signatures.log`; unified audit pending WP-0022 |
|
||
| 3 | ops-bridge integrates via stable `cert_command` | **Partial** | WP-0016 pilot-ready; live tunnels still static-key |
|
||
| 4 | NetKingdom evolution reflected in docs | **Met** | SCOPE/wiki current; **INTENT.md stale** |
|
||
| 5 | Non-SSH secrets stay out of ops-warden | **Met** | Pointer + owner-native exec; no custody |
|
||
| 6 | Blockers classifiable by posture/maturity | **Met (repo)** | WP-0015; canon landing external |
|
||
|
||
**Score: 5 met, 1 partial** — partial is ops-bridge production adoption (unchanged
|
||
structurally; VAULT_TOKEN blocker cleared via broker routing).
|
||
|
||
---
|
||
|
||
## 4. INTENT mission pillars
|
||
|
||
| Pillar | Status | Gap |
|
||
| --- | --- | --- |
|
||
| 1. Know NetKingdom security model | Strong | INTENT table omits secrets-engine, credential broker |
|
||
| 2. Route, and assist | Strong | INTENT flow diagram still flat “OpenBao documented” |
|
||
| 3. Steward workload posture | Shipped | Runtime enforcement = flex-auth |
|
||
| 4. Align runbooks with canon | Strong | Broker-first token hygiene live |
|
||
| 5. Issue short-lived SSH certs | Production | — |
|
||
| 6. Audit SSH signing | Partial | WP-0022 — fragmented logs today |
|
||
|
||
---
|
||
|
||
## 5. Where SCOPE exceeds INTENT (doc drift, not implementation gap)
|
||
|
||
- `warden access` transparent proxy (WP-0014)
|
||
- Owner-native exec routing — secrets-engine, credential broker (WP-0017–0019, T08)
|
||
- Coordination worker (WP-0020/0021)
|
||
- Workload posture conformance (WP-0015)
|
||
- flex-auth policy gate **caller shipped**; INTENT still says “future hook”
|
||
|
||
---
|
||
|
||
## 6. Remaining gaps (prioritized)
|
||
|
||
| Prio | Gap | Owner | ops-warden action | Track |
|
||
| --- | --- | --- | --- | --- |
|
||
| **P1** | flex-auth production runtime (`policy.enabled: true`) | flex-auth | Coordination checklist + smoke evidence | **FLEX-WP-0007** |
|
||
| **P1** | ops-bridge live `cert_command` cutover | ops-bridge | Evidence template + handoff follow-up | WP-0016 follow-on |
|
||
| **P2** | Unified audit trail | ops-warden | Implement WP-0022 | **WARDEN-WP-0022** |
|
||
| **P2** | INTENT.md refresh | ops-warden | Align aspirational doc with shipped model | **WARDEN-WP-0023** T02 |
|
||
| **P3** | `warden sign` missing-token UX | ops-warden | Hint `credential exec` path | **WARDEN-WP-0023** T04 |
|
||
| **P3** | Draft catalog lanes | ops-warden + owners | Promotion checklist as lanes concrete | **WARDEN-WP-0023** T05 |
|
||
| **P4** | Principals drift | ops-warden + infra | Periodic `check_principals_drift.py` | Ongoing |
|
||
| **P4** | Posture canon landing | net-kingdom | Coordination only | WP-0015 T5 |
|
||
|
||
---
|
||
|
||
## 7. Workplan recommendation
|
||
|
||
**WARDEN-WP-0023 — INTENT–SCOPE alignment closeout** (new, `ready`):
|
||
|
||
- T01: This assessment (persisted)
|
||
- T02: Refresh `INTENT.md`
|
||
- T03: Production integration coordination pack (flex-auth + ops-bridge)
|
||
- T04: `warden sign` broker hint when `VAULT_TOKEN` unset
|
||
- T05: Catalog draft-lane promotion checklist
|
||
- T06: SCOPE cross-link and workplan-status consistency
|
||
- T07: Promote WP-0022 to `ready` and sequence audit implementation
|
||
|
||
**WARDEN-WP-0022** remains the implementation vehicle for unified audit (P2).
|
||
|
||
**Out of scope for new ops-warden implementation:**
|
||
|
||
- flex-auth runtime deployment (FLEX-WP-0007)
|
||
- ops-bridge tunnel config changes
|
||
- OpenBao token minting / credential broker implementation (railiance-platform)
|
||
|
||
---
|
||
|
||
## 8. Maturity target (post WP-0023 + WP-0022 + external P1)
|
||
|
||
| Dimension | Target | Unlock |
|
||
| --- | --- | --- |
|
||
| R4 → R5 | Live tunnel uses warden-signed cert | ops-bridge cutover evidence |
|
||
| R4 → R5 | Policy gate on in production | FLEX-WP-0007 + operator flip |
|
||
| Audit pillar | Single `warden activity` view | WP-0022 |
|
||
| INTENT sync | Aspirational doc matches SCOPE | WP-0023 T02 | |