generated from coulomb/repo-seed
Add unified metadata-only audit.jsonl with secret-material guard, instrument sign/access/worker paths, and expose warden activity CLI. Surface broker hint when VAULT_TOKEN is unset, refresh INTENT/SCOPE docs, and add production integration checklists plus catalog lane promotion playbook.
222 lines
7.2 KiB
Markdown
---
id: WARDEN-WP-0023
type: workplan
title: "INTENT–SCOPE Alignment Closeout"
domain: infotech
repo: ops-warden
status: finished
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 23
created: "2026-07-01"
updated: "2026-07-01"
depends_on_workplans:
  - WARDEN-WP-0022
state_hub_workstream_id: "7bad1ec4-a7c2-4980-b8f9-49a7f5408574"
---

# WARDEN-WP-0023 — INTENT–SCOPE Alignment Closeout

## Goal

Close the July 2026 INTENT↔SCOPE gaps that ops-warden can address directly: sync
aspirational docs with shipped capabilities, coordinate the remaining production
integration blockers (flex-auth flip, ops-bridge cutover), improve daily operator
UX for broker-backed signing, and establish a repeatable catalog promotion cadence.

Audit implementation stays in **WARDEN-WP-0022**; this workplan sequences and
surrounds it.

**Assessment:** `history/2026-07-01-intent-scope-gap-analysis.md`

## Boundary

- ops-warden does **not** deploy flex-auth, flip ops-bridge tunnels, or implement
  the credential broker — it documents, coordinates, and routes.
- Production cutover evidence is captured here; execution remains with owning repos.

---

## Tasks

### T01 — Persist gap analysis

```task
id: WARDEN-WP-0023-T01
status: done
priority: high
state_hub_task_id: "52485c90-87fe-40b1-9db5-a51ebb957dd5"
```

Write and link `history/2026-07-01-intent-scope-gap-analysis.md` with success
criteria matrix, mission pillars, prioritized gaps, and workplan recommendation.

Acceptance:

- History file exists and is referenced from SCOPE and this workplan.
- State Hub progress note logged for the assessment.

**2026-07-01:** Assessment written at
`history/2026-07-01-intent-scope-gap-analysis.md`.

### T02 — Refresh INTENT.md

```task
id: WARDEN-WP-0023-T02
status: done
priority: high
state_hub_task_id: "9a9b3631-8948-45af-ace1-c19ee74ace4d"
```

Update `INTENT.md` so the aspirational doc reflects shipped reality without
becoming a second SCOPE:

- Mission pillar #2: assist layer (`warden access`) and owner-native exec routing
  (secrets-engine, railiance-platform credential broker).
- NetKingdom literacy table: add secrets-engine and credential broker rows.
- Credential flow diagram: broker vs secrets-engine vs OpenBao proxy vs SSH issue.
- flex-auth: caller-side policy gate shipped; production flip external (FLEX-WP-0007).
- Workload posture stewardship and coordination worker as steward capabilities.
- Evolution notes pointer to July gap analysis.

Acceptance:

- INTENT still describes direction, not implementation inventory.
- No contradiction with SCOPE 2026-07-01 boundary (ops-warden does not mint tokens).

**2026-07-01:** INTENT.md updated.

### T03 — Production integration coordination pack

```task
id: WARDEN-WP-0023-T03
status: done
priority: high
state_hub_task_id: "26f23798-494b-45fc-baa8-af27bdffa038"
```

Prepare operator/coordination artifacts for the two P1 external gaps:

1. **flex-auth production flip** — checklist in `wiki/PolicyGatedSigning.md` or a
   short playbook section: prerequisites, `policy.enabled: true` steps, rollback,
   joint smoke with `credential-exec-ops-warden-smoke`, FLEX-WP-0007 cross-link.
2. **ops-bridge live cutover** — evidence template (non-secret): tunnel id, readiness
   gate output, first warden-signed connection timestamp, pointer to
   `wiki/playbooks/ops-bridge-tunnel-cert.md`.

Optionally post State Hub coordination messages to `flex-auth` and `ops-bridge`
agents with pointers only (no secrets).

Acceptance:

- A human operator can run the flip/cutover checklists without re-deriving steps.
- Evidence fields are defined; completion is recorded via State Hub progress when done.

**2026-07-01:** Rollback section added to `wiki/PolicyGatedSigning.md`; live cutover
evidence template added to `wiki/playbooks/ops-bridge-tunnel-cert.md`.

### T04 — `warden sign` broker hint when `VAULT_TOKEN` unset

```task
id: WARDEN-WP-0023-T04
status: done
priority: medium
state_hub_task_id: "85e324f9-273d-4740-a202-9c4e8fb122ae"
```

When `backend: vault` and `VAULT_TOKEN` (or the configured `token_env`) is missing,
emit a structured hint pointing at `ops-warden-warden-sign-token` and the
`railiance-platform` `credential exec` command — not a generic error only.

Acceptance:

- Unit test covers the hint text (catalog id + exec shape, no secret placeholders).
- Manual `export VAULT_TOKEN` remains documented as fallback in playbooks.

**2026-07-01:** `src/warden/vault_hints.py` + `tests/test_vault.py`.
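
The check-and-hint behaviour T04 describes, as an added example; this is not the
project's `src/warden/vault_hints.py`. The catalog id and the `VAULT_TOKEN`
default come from the workplan text; the `backend` and `token_env` config keys
are used as described above; the exact argument shape of the broker command,
the fallback playbook path and the secret-material patterns are assumptions for
illustration. The guard at the end is the point: a hint that routes an operator
to the broker must never carry or solicit token material itself.

```python
"""Structured, secret-free broker hint for a vault backend with no token (added example)."""
import os
import re
from dataclasses import asdict, dataclass
from typing import Mapping, Optional

# Names taken from the workplan: default token variable and broker catalog id.
DEFAULT_TOKEN_ENV = "VAULT_TOKEN"
BROKER_CATALOG_ID = "ops-warden-warden-sign-token"
# Assumed: the page does not give the broker command's argument shape, so this
# is a constructed illustration of "catalog id + exec shape".
BROKER_EXEC_SHAPE = "railiance-platform credential exec {catalog_id} -- warden sign <args>"
# Assumed fallback playbook (the page lists this file under "See also").
FALLBACK_DOC = "wiki/playbooks/ops-warden-warden-sign-token.md"

# Guard patterns (assumed): token-looking material, a "paste your token here"
# placeholder, or an inline TOKEN=value assignment must never reach hint text.
_SECRET_MATERIAL = re.compile(
    r"hvs\.[A-Za-z0-9_-]{10,}"               # Vault service-token prefix plus material
    r"|<\s*(?:paste|your)?[ _-]*token\s*>"   # placeholder inviting a secret paste
    r"|[A-Z_]*TOKEN=\S"                      # inline assignment of a token value
)


@dataclass(frozen=True)
class BrokerHint:
    """Structured hint: machine-readable fields plus a rendered operator message."""
    token_env: str
    catalog_id: str
    exec_command: str
    fallback_doc: str

    def as_dict(self) -> dict:
        return asdict(self)

    def render(self) -> str:
        return (
            f"{self.token_env} is not set for backend 'vault'.\n"
            f"Preferred: route signing through the broker lane '{self.catalog_id}':\n"
            f"  {self.exec_command}\n"
            f"Fallback: see {self.fallback_doc} for manually exporting {self.token_env}."
        )


def missing_token_env(config: Mapping[str, object], env: Mapping[str, str]) -> Optional[str]:
    """Name of the env var the vault backend needs but cannot find, or None.

    None means either the backend is not vault or the token is present; an
    empty/whitespace value counts as missing.
    """
    if config.get("backend") != "vault":
        return None
    token_env = str(config.get("token_env") or DEFAULT_TOKEN_ENV)
    if env.get(token_env, "").strip():
        return None
    return token_env


def contains_secret_material(text: str) -> bool:
    """True when text carries token-looking material or a secret placeholder."""
    return _SECRET_MATERIAL.search(text) is not None


def broker_hint(config: Mapping[str, object], env: Optional[Mapping[str, str]] = None) -> Optional[BrokerHint]:
    """Build the hint when the vault token is missing; refuse to emit a leaky one."""
    env = os.environ if env is None else env
    token_env = missing_token_env(config, env)
    if token_env is None:
        return None
    hint = BrokerHint(
        token_env=token_env,
        catalog_id=BROKER_CATALOG_ID,
        exec_command=BROKER_EXEC_SHAPE.format(catalog_id=BROKER_CATALOG_ID),
        fallback_doc=FALLBACK_DOC,
    )
    # The hint routes; it never carries secrets. Treat a violation as a bug.
    if contains_secret_material(hint.render()):
        raise ValueError("broker hint must not contain secret material or placeholders")
    return hint


if __name__ == "__main__":
    demo = broker_hint({"backend": "vault"}, env={})  # constructed: no token in env
    print(demo.render() if demo else "token present or backend is not vault")
```

The unit test the acceptance criterion asks for then asserts three things on
`broker_hint(...)`: the catalog id is in the rendered text, the exec shape is
in the rendered text, and `contains_secret_material` is false for it.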

### T05 — Catalog draft-lane promotion checklist

```task
id: WARDEN-WP-0023-T05
status: done
priority: medium
state_hub_task_id: "82608692-2845-41e1-a498-90ed53780748"
```

Document the promotion criteria for `registry/routing/catalog.yaml` entries from
`draft` → `active` (concrete path, owner confirmation, `resolvable` or
`exec_owner` native exec, playbook with `#worker-checklist`, tests). Add to
`wiki/CredentialRouting.md` or a short `wiki/playbooks/catalog-lane-promotion.md`.

If any draft lane has owner-confirmed concrete paths during this WP, promote one
as a worked example (issue-core, OpenRouter, STS, or database — whichever is ready).

Acceptance:

- Checklist is reviewable by humans and agents.
- At least one promotion example or explicit “none ready yet” note in the workplan.

**2026-07-01:** `wiki/playbooks/catalog-lane-promotion.md` — worked example
`ops-warden-warden-sign-token`; four draft lanes explicitly not ready.
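
The promotion criteria above, expressed as checks so the checklist is runnable
by an agent as well as reviewable by a human. This is an added example, not the
project's playbook or catalog tooling: the catalog field names (`status`,
`path`, `owner_confirmed`, `resolvable`, `exec_owner`, `playbook`, `tests`) and
the sample lanes are constructed assumptions, not the `catalog.yaml` schema.

```python
"""Draft -> active promotion checks for routing catalog lanes (added example)."""
import re
from typing import Dict, List, Mapping

# A path is "concrete" when it carries no angle-bracket, TBD or TODO placeholder.
_PLACEHOLDER = re.compile(r"<[^>]*>|\bTBD\b|\bTODO\b", re.IGNORECASE)
WORKER_ANCHOR = "#worker-checklist"


def promotion_blockers(lane: Mapping[str, object], playbooks: Mapping[str, str]) -> List[str]:
    """Return the unmet promotion criteria for one lane; an empty list means promotable."""
    blockers: List[str] = []
    path = str(lane.get("path") or "")
    if not path or _PLACEHOLDER.search(path):
        blockers.append("path is missing or still a placeholder")
    if lane.get("owner_confirmed") is not True:
        blockers.append("owner has not confirmed the concrete path")
    if not (lane.get("resolvable") is True or lane.get("exec_owner")):
        blockers.append("lane is neither resolvable nor owner-native exec (no exec_owner)")
    playbook = str(lane.get("playbook") or "")
    if not playbook:
        blockers.append("no playbook linked")
    elif WORKER_ANCHOR not in playbooks.get(playbook, ""):
        blockers.append(f"playbook {playbook} has no {WORKER_ANCHOR} section")
    if not lane.get("tests"):
        blockers.append("no tests listed")
    return blockers


def promote_ready_lanes(catalog: Mapping[str, Mapping[str, object]],
                        playbooks: Mapping[str, str]) -> Dict[str, object]:
    """Promote every draft lane that passes all checks; report blockers for the rest.

    The input catalog is not mutated; the promoted copy is returned under "catalog".
    """
    working = {lane_id: dict(lane) for lane_id, lane in catalog.items()}
    promoted: List[str] = []
    not_ready: Dict[str, List[str]] = {}
    for lane_id, lane in working.items():
        if lane.get("status") != "draft":
            continue
        blockers = promotion_blockers(lane, playbooks)
        if blockers:
            not_ready[lane_id] = blockers
        else:
            lane["status"] = "active"
            promoted.append(lane_id)
    return {"promoted": promoted, "not_ready": not_ready, "catalog": working}


# Constructed sample: the page's worked-example lane id with assumed fields that
# satisfy every criterion, and one draft lane (constructed id) that does not.
SAMPLE_CATALOG = {
    "ops-warden-warden-sign-token": {
        "status": "draft",
        "path": "secret/ops-warden/warden-sign/token",  # constructed, not a real path
        "owner_confirmed": True,
        "exec_owner": "railiance-platform",
        "playbook": "wiki/playbooks/ops-warden-warden-sign-token.md",
        "tests": ["tests/test_vault.py"],
    },
    "openrouter-api-key": {  # constructed id for the OpenRouter draft lane
        "status": "draft",
        "path": "<owner to confirm>",
        "owner_confirmed": False,
        "playbook": "wiki/playbooks/openrouter.md",
        "tests": [],
    },
}
SAMPLE_PLAYBOOKS = {  # constructed playbook bodies keyed by path
    "wiki/playbooks/ops-warden-warden-sign-token.md": "# Lane\n\n## Worker checklist {#worker-checklist}\n",
    "wiki/playbooks/openrouter.md": "# Draft lane\n",
}


if __name__ == "__main__":
    result = promote_ready_lanes(SAMPLE_CATALOG, SAMPLE_PLAYBOOKS)
    print("promoted:", result["promoted"])
    for lane_id, blockers in result["not_ready"].items():
        print(f"not ready: {lane_id}")
        for blocker in blockers:
            print(f"  - {blocker}")
```

Run against the sample, the worked-example lane is promoted and the OpenRouter
draft is reported with every unmet criterion, which is the "explicit none ready
yet" note the acceptance criterion asks for, produced mechanically.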

### T06 — SCOPE and workplan consistency

```task
id: WARDEN-WP-0023-T06
status: done
priority: medium
state_hub_task_id: "79ca7b9a-554e-4952-9393-a29b100f6190"
```

Fix SCOPE inconsistencies noted in the July assessment:

- “All workplans finished” → acknowledge WP-0022/0023 as active/ready.
- Latest gap analysis pointer → `history/2026-07-01-intent-scope-gap-analysis.md`.
- Link WP-0023 from Getting Oriented.

Acceptance:

- SCOPE and gap analysis cross-link correctly.
- Uncommitted SCOPE edits from the 2026-07-01 broker routing work are committed with this WP.

**2026-07-01:** SCOPE.md updated.

### T07 — Sequence WP-0022 audit implementation

```task
id: WARDEN-WP-0023-T07
status: done
priority: high
state_hub_task_id: "1f3b3b33-974e-49bf-be4a-9d50b702c2a4"
```

Promote `WARDEN-WP-0022` from `proposed` to `ready` (or `active` when T02–T06 allow
bandwidth). Ensure the dependency is explicit; log a State Hub note that WP-0022 is the
implementation vehicle for INTENT pillar 6 (observable gatekeeping).

Acceptance:

- WP-0022 frontmatter status updated.
- WP-0023 `depends_on_workplans` includes WP-0022.
- Hub consistency run syncs both workplans.

**2026-07-01:** WP-0022 implemented and both workplans marked `finished`.

---

## Exit criteria

- July gap analysis is the canonical reassessment (linked from SCOPE).
- INTENT.md no longer understates assist, posture, worker, or owner-native exec.
- Production integration checklists exist for flex-auth flip and ops-bridge cutover.
- `warden sign` surfaces the broker path when the vault backend lacks a token.
- Catalog promotion cadence is documented; WP-0022 is queued for implementation.

## See also

- `history/2026-07-01-intent-scope-gap-analysis.md`
- `WARDEN-WP-0022-audit-trail-and-activity.md`
- `wiki/playbooks/ops-warden-warden-sign-token.md`
- `~/flex-auth/workplans/FLEX-WP-0007-ops-warden-policy-gate-production-deployment.md`