Files
ops-warden/history/2026-07-01-intent-scope-gap-analysis.md
tegwick f47d632d8e Add July INTENT↔SCOPE gap analysis and WARDEN-WP-0023 alignment closeout
Persist the 2026-07-01 assessment, register the alignment workplan with
tasks for INTENT refresh, production integration coordination, broker UX,
and catalog promotion. Promote WP-0022 to ready and update SCOPE links.
2026-07-01 23:27:14 +02:00

135 lines
6.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# INTENT ↔ SCOPE Gap Analysis — Post RAILIANCE-WP-0005 T08
**Date:** 2026-07-01
**Author:** codex
**Trigger:** RAILIANCE-WP-0005 broker lane live (`ops-warden-warden-sign-token`, T08);
`credential-exec-ops-warden-smoke` proven; SCOPE refreshed to 2026-07-01.
**Prior assessments:** `history/2026-06-24-intent-scope-gap-analysis.md`,
`history/2026-06-18-post-wp0008-intent-scope-reassessment.md`
**Workplan:** `WARDEN-WP-0023-intent-scope-alignment-closeout.md`
---
## 1. Executive summary
ops-warden is **aligned with INTENT** on its core mission: issue SSH certs, route
every other credential need, and stay out of secret custody. The repository has
**grown past what `INTENT.md` describes** — assist layer, owner-native exec routing,
workload posture, and the coordination worker are shipped but not fully reflected
in the aspirational doc.
The largest **real** gaps are **production integration** (flex-auth runtime flip,
ops-bridge live `cert_command`) and **audit coherence** (scattered logs; WP-0022
proposed). The former is mostly other repos; the latter is the best in-repo next
implementation.
**Vector movement:** `D5 / A5 / C5 / R4` (SCOPE 2026-07-01) — up from
`D5 / A4 / C4 / R3` (June 2024) on completeness and reliability substance.
| Dimension | Jun 2024 | Jul 2026 | Notes |
| --- | --- | --- | --- |
| Discovery | D5 | D5 | Catalog + playbooks + owner-native lanes |
| Availability | A4 | A5 | `warden access`, worker, posture CLI |
| Completeness | C4 | C5 | Two concrete owner-native routes; broker live |
| Reliability | R3 | R4 | Sign + broker policy-gate smoke evidence |
---
## 2. Deliverables since 2026-06-24
| Workplan / cross-repo | Deliverable | Status |
| --- | --- | --- |
| WP-00140016 | Access assist, front-door discoverability, cert_command pilot gate | Finished |
| WP-00170019 | secrets-engine primary routing; whynot-design lane active | Finished |
| WP-00200021 | `warden worker` + scheduled tick | Finished |
| RAILIANCE-WP-0005 T08 | `ops-warden-warden-sign-token` catalog + playbook; live broker smoke | Done (platform) |
| WP-0022 | Unified audit + `warden activity` | Proposed |
| FLEX-WP-0007 | flex-auth production deploy | External — still open |
---
## 3. INTENT success criteria
| # | Criterion | Status | Evidence / gap |
| --- | --- | --- | --- |
| 1 | Worker knows which subsystem for each credential type | **Met** | `warden route`, catalog, playbooks; draft lanes remain template |
| 2 | SSH access short-lived, inventoried, audited | **Met (prod)** | OpenBao sign + `signatures.log`; unified audit pending WP-0022 |
| 3 | ops-bridge integrates via stable `cert_command` | **Partial** | WP-0016 pilot-ready; live tunnels still static-key |
| 4 | NetKingdom evolution reflected in docs | **Met** | SCOPE/wiki current; **INTENT.md stale** |
| 5 | Non-SSH secrets stay out of ops-warden | **Met** | Pointer + owner-native exec; no custody |
| 6 | Blockers classifiable by posture/maturity | **Met (repo)** | WP-0015; canon landing external |
**Score: 5 met, 1 partial** — partial is ops-bridge production adoption (unchanged
structurally; VAULT_TOKEN blocker cleared via broker routing).
---
## 4. INTENT mission pillars
| Pillar | Status | Gap |
| --- | --- | --- |
| 1. Know NetKingdom security model | Strong | INTENT table omits secrets-engine, credential broker |
| 2. Route, and assist | Strong | INTENT flow diagram still flat “OpenBao documented” |
| 3. Steward workload posture | Shipped | Runtime enforcement = flex-auth |
| 4. Align runbooks with canon | Strong | Broker-first token hygiene live |
| 5. Issue short-lived SSH certs | Production | — |
| 6. Audit SSH signing | Partial | WP-0022 — fragmented logs today |
---
## 5. Where SCOPE exceeds INTENT (doc drift, not implementation gap)
- `warden access` transparent proxy (WP-0014)
- Owner-native exec routing — secrets-engine, credential broker (WP-00170019, T08)
- Coordination worker (WP-0020/0021)
- Workload posture conformance (WP-0015)
- flex-auth policy gate **caller shipped**; INTENT still says “future hook”
---
## 6. Remaining gaps (prioritized)
| Prio | Gap | Owner | ops-warden action | Track |
| --- | --- | --- | --- | --- |
| **P1** | flex-auth production runtime (`policy.enabled: true`) | flex-auth | Coordination checklist + smoke evidence | **FLEX-WP-0007** |
| **P1** | ops-bridge live `cert_command` cutover | ops-bridge | Evidence template + handoff follow-up | WP-0016 follow-on |
| **P2** | Unified audit trail | ops-warden | Implement WP-0022 | **WARDEN-WP-0022** |
| **P2** | INTENT.md refresh | ops-warden | Align aspirational doc with shipped model | **WARDEN-WP-0023** T02 |
| **P3** | `warden sign` missing-token UX | ops-warden | Hint `credential exec` path | **WARDEN-WP-0023** T04 |
| **P3** | Draft catalog lanes | ops-warden + owners | Promotion checklist as lanes concrete | **WARDEN-WP-0023** T05 |
| **P4** | Principals drift | ops-warden + infra | Periodic `check_principals_drift.py` | Ongoing |
| **P4** | Posture canon landing | net-kingdom | Coordination only | WP-0015 T5 |
---
## 7. Workplan recommendation
**WARDEN-WP-0023 — INTENTSCOPE alignment closeout** (new, `ready`):
- T01: This assessment (persisted)
- T02: Refresh `INTENT.md`
- T03: Production integration coordination pack (flex-auth + ops-bridge)
- T04: `warden sign` broker hint when `VAULT_TOKEN` unset
- T05: Catalog draft-lane promotion checklist
- T06: SCOPE cross-link and workplan-status consistency
- T07: Promote WP-0022 to `ready` and sequence audit implementation
**WARDEN-WP-0022** remains the implementation vehicle for unified audit (P2).
**Out of scope for new ops-warden implementation:**
- flex-auth runtime deployment (FLEX-WP-0007)
- ops-bridge tunnel config changes
- OpenBao token minting / credential broker implementation (railiance-platform)
---
## 8. Maturity target (post WP-0023 + WP-0022 + external P1)
| Dimension | Target | Unlock |
| --- | --- | --- |
| R4 → R5 | Live tunnel uses warden-signed cert | ops-bridge cutover evidence |
| R4 → R5 | Policy gate on in production | FLEX-WP-0007 + operator flip |
| Audit pillar | Single `warden activity` view | WP-0022 |
| INTENT sync | Aspirational doc matches SCOPE | WP-0023 T02 |