ops-warden/workplans/WARDEN-WP-0023-intent-scope-alignment-closeout.md
tegwick d6088e4e16 Implement WP-0022 audit trail and WP-0023 INTENT–SCOPE closeout
Add unified metadata-only audit.jsonl with secret-material guard, instrument
sign/access/worker paths, and expose warden activity CLI. Surface broker hint
when VAULT_TOKEN is unset, refresh INTENT/SCOPE docs, and add production
integration checklists plus catalog lane promotion playbook.
2026-07-01 23:32:38 +02:00

---
id: WARDEN-WP-0023
type: workplan
title: "INTENT–SCOPE Alignment Closeout"
domain: infotech
repo: ops-warden
status: finished
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 23
created: "2026-07-01"
updated: "2026-07-01"
depends_on_workplans:
- WARDEN-WP-0022
state_hub_workstream_id: "7bad1ec4-a7c2-4980-b8f9-49a7f5408574"
---
# WARDEN-WP-0023 — INTENT–SCOPE Alignment Closeout
## Goal
Close the July 2026 INTENT↔SCOPE gaps that ops-warden can address directly: sync
aspirational docs with shipped capabilities, coordinate the remaining production
integration blockers (flex-auth flip, ops-bridge cutover), improve daily operator
UX for broker-backed signing, and establish a repeatable catalog promotion cadence.
Audit implementation stays in **WARDEN-WP-0022**; this workplan sequences and
surrounds it.
**Assessment:** `history/2026-07-01-intent-scope-gap-analysis.md`
## Boundary
- ops-warden does **not** deploy flex-auth, flip ops-bridge tunnels, or implement
the credential broker — it documents, coordinates, and routes.
- Production cutover evidence is captured here; execution remains with owning repos.
---
## Tasks
### T01 — Persist gap analysis
```task
id: WARDEN-WP-0023-T01
status: done
priority: high
state_hub_task_id: "52485c90-87fe-40b1-9db5-a51ebb957dd5"
```
Write and link `history/2026-07-01-intent-scope-gap-analysis.md` with success
criteria matrix, mission pillars, prioritized gaps, and workplan recommendation.
Acceptance:
- History file exists and is referenced from SCOPE and this workplan.
- State Hub progress note logged for the assessment.
**2026-07-01:** Assessment written at
`history/2026-07-01-intent-scope-gap-analysis.md`.
### T02 — Refresh INTENT.md
```task
id: WARDEN-WP-0023-T02
status: done
priority: high
state_hub_task_id: "9a9b3631-8948-45af-ace1-c19ee74ace4d"
```
Update `INTENT.md` so the aspirational doc reflects shipped reality without
becoming a second SCOPE:
- Mission pillar #2: assist layer (`warden access`) and owner-native exec routing
(secrets-engine, railiance-platform credential broker).
- NetKingdom literacy table: add secrets-engine and credential broker rows.
- Credential flow diagram: broker vs secrets-engine vs OpenBao proxy vs SSH issue.
- flex-auth: caller-side policy gate shipped; production flip external (FLEX-WP-0007).
- Workload posture stewardship and coordination worker as steward capabilities.
- Evolution notes pointer to July gap analysis.
Acceptance:
- INTENT still describes direction, not implementation inventory.
- No contradiction with SCOPE 2026-07-01 boundary (ops-warden does not mint tokens).
**2026-07-01:** INTENT.md updated.
### T03 — Production integration coordination pack
```task
id: WARDEN-WP-0023-T03
status: done
priority: high
state_hub_task_id: "26f23798-494b-45fc-baa8-af27bdffa038"
```
Prepare operator/coordination artifacts for the two P1 external gaps:
1. **flex-auth production flip** — checklist in `wiki/PolicyGatedSigning.md` or a
short playbook section: prerequisites, `policy.enabled: true` steps, rollback,
joint smoke with `credential-exec-ops-warden-smoke`, FLEX-WP-0007 cross-link.
2. **ops-bridge live cutover** — evidence template (non-secret): tunnel id, readiness
gate output, first warden-signed connection timestamp, pointer to
`wiki/playbooks/ops-bridge-tunnel-cert.md`.
Optionally post State Hub coordination messages to `flex-auth` and `ops-bridge`
agents with pointers only (no secrets).
Acceptance:
- A human operator can run the flip/cutover checklists without re-deriving steps.
- Evidence fields are defined; completion is recorded via State Hub progress when done.
**2026-07-01:** Rollback section added to `wiki/PolicyGatedSigning.md`; live cutover
evidence template added to `wiki/playbooks/ops-bridge-tunnel-cert.md`.
### T04 — `warden sign` broker hint when `VAULT_TOKEN` unset
```task
id: WARDEN-WP-0023-T04
status: done
priority: medium
state_hub_task_id: "85e324f9-273d-4740-a202-9c4e8fb122ae"
```
When `backend: vault` and `VAULT_TOKEN` (or configured `token_env`) is missing,
emit a structured hint pointing at `ops-warden-warden-sign-token` and the
`railiance-platform` `credential exec` command — not a generic error only.
Acceptance:
- Unit test covers the hint text (catalog id + exec shape, no secret placeholders).
- Manual `export VAULT_TOKEN` remains documented as fallback in playbooks.
**2026-07-01:** `src/warden/vault_hints.py` + `tests/test_vault.py`.
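An added sketch of the T04 behavior, not the contents of `src/warden/vault_hints.py`: the function names and the hint field names are assumptions, while the catalog id, the playbook path and the `credential exec` pointer come from this workplan. It also shows the "no secret placeholders" acceptance check as a guard over the rendered hint.

```python
import json

CATALOG_ID = "ops-warden-warden-sign-token"  # catalog id named in this workplan
PLAYBOOK = "wiki/playbooks/ops-warden-warden-sign-token.md"


def vault_token_hint(config, environ):
    """Return a structured hint when the vault backend has no token, else None."""
    if config.get("backend") != "vault":
        return None
    token_env = config.get("token_env") or "VAULT_TOKEN"
    if environ.get(token_env, "").strip():
        return None  # a non-blank token is present: nothing to hint
    # Field names below are hypothetical; only names and pointers, never values.
    return {
        "kind": "missing_vault_token",
        "token_env": token_env,
        "catalog_id": CATALOG_ID,
        "exec_owner": "railiance-platform",
        "exec_command": "credential exec",
        "fallback": f"export {token_env} manually, see {PLAYBOOK}",
    }


def render_hint(hint):
    """Serialize the hint as one JSON line for stderr or a metadata-only log."""
    return json.dumps(hint, sort_keys=True)


def leaks_secret_material(hint, environ, min_len=8):
    """True if the rendered hint embeds an env value or a NAME=value shape."""
    text = render_hint(hint)
    if f"{hint['token_env']}=" in text:
        return True  # an assignment template invites pasting a real token
    return any(len(v) >= min_len and v in text for v in environ.values())
```
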
### T05 — Catalog draft-lane promotion checklist
```task
id: WARDEN-WP-0023-T05
status: done
priority: medium
state_hub_task_id: "82608692-2845-41e1-a498-90ed53780748"
```
Document the promotion criteria for `registry/routing/catalog.yaml` entries from
`draft` → `active` (concrete path, owner confirmation, `resolvable` or
`exec_owner` native exec, playbook with `#worker-checklist`, tests). Add to
`wiki/CredentialRouting.md` or a short `wiki/playbooks/catalog-lane-promotion.md`.
If any draft lane has owner-confirmed concrete paths during this WP, promote one
as a worked example (issue-core, OpenRouter, STS, or database — whichever is ready).
Acceptance:
- Checklist is reviewable by humans and agents.
- At least one promotion example or explicit “none ready yet” note in the workplan.
**2026-07-01:** `wiki/playbooks/catalog-lane-promotion.md` — worked example
`ops-warden-warden-sign-token`; four draft lanes explicitly not ready.
### T06 — SCOPE and workplan consistency
```task
id: WARDEN-WP-0023-T06
status: done
priority: medium
state_hub_task_id: "79ca7b9a-554e-4952-9393-a29b100f6190"
```
Fix SCOPE inconsistencies noted in the July assessment:
- “All workplans finished” → acknowledge WP-0022/0023 as active/ready.
- Latest gap analysis pointer → `history/2026-07-01-intent-scope-gap-analysis.md`.
- Link WP-0023 from Getting Oriented.
Acceptance:
- SCOPE and gap analysis cross-link correctly.
- Uncommitted SCOPE edits from 2026-07-01 broker routing are committed with this WP.
**2026-07-01:** SCOPE.md updated.
### T07 — Sequence WP-0022 audit implementation
```task
id: WARDEN-WP-0023-T07
status: done
priority: high
state_hub_task_id: "1f3b3b33-974e-49bf-be4a-9d50b702c2a4"
```
Promote `WARDEN-WP-0022` from `proposed` to `ready` (or `active` when T02–T06 allow
bandwidth). Ensure dependency is explicit; log State Hub note that WP-0022 is the
implementation vehicle for INTENT pillar 6 (observable gatekeeping).
Acceptance:
- WP-0022 frontmatter status updated.
- WP-0023 `depends_on_workplans` includes WP-0022.
- Hub consistency run syncs both workplans.
**2026-07-01:** WP-0022 implemented and both workplans marked `finished`.
---
## Exit criteria
- July gap analysis is the canonical reassessment (linked from SCOPE).
- INTENT.md no longer understates assist, posture, worker, or owner-native exec.
- Production integration checklists exist for flex-auth flip and ops-bridge cutover.
- `warden sign` surfaces the broker path when vault backend lacks a token.
- Catalog promotion cadence is documented; WP-0022 is queued for implementation.
## See also
- `history/2026-07-01-intent-scope-gap-analysis.md`
- `WARDEN-WP-0022-audit-trail-and-activity.md`
- `wiki/playbooks/ops-warden-warden-sign-token.md`
- `~/flex-auth/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md`