Files
ops-warden/history/2026-06-17-intent-scope-assessment.md
tegwick ca1eaf3350 Define INTENT, refresh SCOPE, and plan NetKingdom stewardship
Add ops-warden INTENT as operational access steward for NetKingdom
security (route credential lanes, align docs, issue SSH certs only).
Refresh SCOPE for stewardship scope, persist INTENT↔SCOPE gap assessment,
and open WARDEN-WP-0006 for routing runbooks and platform alignment.
2026-06-17 08:20:32 +02:00

172 lines
7.3 KiB
Markdown

# INTENT ↔ SCOPE State Assessment — ops-warden
**Date:** 2026-06-17
**Author:** codex
**Trigger:** INTENT.md established; SCOPE.md refreshed to reflect stewardship
mission alongside SSH CLI implementation.
**Follow-up workplan:** `workplans/WARDEN-WP-0006-netkingdom-alignment-and-access-stewardship.md`
---
## 1. Executive summary
ops-warden **ships a complete SSH CA CLI** (v0.1.0, 100 unit tests, OpenBao-first
docs, federation capability published). The new **INTENT** reframes the repo as an
**operational access steward** for the NetKingdom security model: knowledgeable
about platform credential lanes, routing workers to the right subsystems, keeping
guidance aligned — while **issuing only SSH certificates** directly.
**Alignment:** strong on the **SSH implementation lane**; weak on the **stewardship
and NetKingdom integration** lane declared in INTENT.
**Self-assessed vector (product):** `D4 / A3 / C2 / R2`
| Dimension | Level | Rationale |
| --- | --- | --- |
| Discovery (D) | D4 | SSH lane well documented; stewardship/routing canon immature |
| Availability (A) | A3 | Installable CLI + cert_command; no desk API or policy gate |
| Completeness (C) | C2 | SSH core works; INTENT stewardship largely undelivered |
| Reliability (R) | R2 | Good test coverage; production OpenBao SSH path not verified end-to-end |
---
## 2. Delivery snapshot
| Area | State (2026-06-17) |
| --- | --- |
| SSH CLI | `warden sign/issue/status/scorecard/cleanup/log/inventory` |
| Backends | `local` + `vault` (OpenBao-compatible API) |
| Tests | 100 unit + integration marker suite |
| Wiki | AccessManagementDirective, OpsWardenConfig, CertCommandInterface, InterHubBootstrapAccessLane |
| Registry | `capability.security.ssh-certificate-issuance` (D4/A3/C3/R2 in entry) |
| INTENT.md | **New** — stewardship + NetKingdom literacy |
| NetKingdom cross-links | Minimal in SCOPE; responsibility-map still lists ops-warden out-of-scope |
| Credential routing runbook | **Missing** — no single “which subsystem?” guide in wiki |
| flex-auth pre-sign hook | **Not designed or implemented** |
| Production OpenBao SSH engine | Documented; live mount/roles unverified from this repo |
| Standard agent inventory templates | **Missing** — only example actors in docs |
---
## 3. INTENT alignment
### Aligned
| INTENT expectation | SCOPE evidence |
| --- | --- |
| Issue short-lived SSH certs for adm/agt/atm | Full CLI, TTL policy, scorecard, signatures log |
| Stable cert_command for consumers | `wiki/CertCommandInterface.md`, ops-bridge integration contract |
| Do not store long-lived API secrets | Repo boundary, InterHub runbook, CUST-WP-0049 non-goals |
| OpenBao as production SSH signing backend | `wiki/OpsWardenConfig.md` (WP-0005) |
| Auditable SSH gatekeeping | `signatures.log`, scorecard checks |
| Actor attribution model | AccessManagementDirective alignment, ActorType enum |
### Partial
| INTENT expectation | Gap |
| --- | --- |
| Know NetKingdom security infrastructure | INTENT tables exist; no mirrored wiki summary or kept-in-sync process |
| Route workers to correct subsystem | Scattered across SCOPE/repo-boundary; no `wiki/CredentialRouting.md` |
| Keep guidance aligned with NetKingdom canon | No subscription to net-kingdom doc changes; responsibility-map outdated |
| Operational access desk for dev workers | CLI-only; no guided flow or agent-facing routing surface |
| flex-auth policy before SSH sign | Inventory allow-list only; no authorization integration |
| Observable stewardship | SSH audit yes; routing/alignment maintenance not tracked |
### Not started (INTENT evolution)
| INTENT expectation | Notes |
| --- | --- |
| NetKingdom responsibility-map recognition | ops-warden still “out of scope” in net-kingdom map |
| Platform architecture diagram includes ops-warden SSH path | Not in `platform-identity-security-architecture.md` |
| NK-WP-0009 SSH tutorial linkage | Planned in net-kingdom, not wired to ops-warden |
| Policy-gated issuance | Future phase; needs design doc |
| MCP/HTTP cert request for agents | Future; CLI sufficient for now |
---
## 4. Success criteria scorecard (from INTENT.md)
| Criterion | Verdict |
| --- | --- |
| Worker knows which subsystem for each credential type | **No** — no canonical routing runbook |
| SSH access short-lived, inventoried, audited | **Yes (tooling)** — production inventory discipline pending |
| ops-bridge integrates via cert_command | **Yes (contract)** — live tunnel matrix not verified here |
| NetKingdom evolution reflected in ops-warden docs | **Partial** — OpenBao done; no ongoing sync process |
| Non-SSH secrets stay out of ops-warden | **Yes** — boundaries documented |
**Score: 2 yes, 2 partial, 1 no**
---
## 5. Completeness and reliability
### Completeness vs INTENT — **C2 (Partial)**
The central SSH use case is implemented. The new stewardship mission — NetKingdom
literacy, routing, alignment maintenance — is **declared in INTENT and SCOPE but
not yet operationalized** in wiki, net-kingdom cross-links, or worker-facing runbooks.
**Satisfied expectations:**
- SSH certificate issuance end-to-end (local backend)
- cert_command contract
- OpenBao-first production documentation
**Broken / missing expectations:**
- No credential routing guide for dev workers
- No NetKingdom alignment workstream execution
- No flex-auth integration path
**Out of scope (correctly excluded):**
- OpenBao cluster operations
- flex-auth policy authoring
- Object-storage STS vending
### Reliability vs INTENT — **R2 (Tolerable)**
Strong unit tests and scorecard for cert-side checks. Production reliance on
OpenBao SSH engine and multi-worker inventory patterns not yet demonstrated.
Consumers must expect manual operator steps for non-SSH credentials.
---
## 6. Open gaps (prioritized)
| Prio | Gap | Suggested outcome |
| --- | --- | --- |
| P1 | Credential routing runbook | `wiki/CredentialRouting.md` — decision tree for workers |
| P1 | NetKingdom cross-link patch | PR/note in net-kingdom responsibility-map + platform doc SSH path |
| P2 | Standard inventory templates | `wiki/ActorInventoryPatterns.md` + example `inventory.yaml` seed |
| P2 | OpenBao SSH engine ops checklist | Verify/mount roles; link railiance-platform procedures |
| P3 | flex-auth pre-sign design | `wiki/PolicyGatedSigning.md` — design only, no code yet |
| P3 | Registry capability update | Reflect stewardship in capability entry summary |
| P4 | Agent-facing routing | Evaluate `warden guide` CLI or doc-only desk page |
| P4 | NK-WP-0009 coordination | Joint tutorial: short-lived SSH for agents |
Captured in **WARDEN-WP-0006**.
---
## 7. Recommendations
1. **Execute WARDEN-WP-0006** in order: routing runbook → NetKingdom
cross-links → inventory templates → OpenBao ops checklist.
2. **Keep SSH CLI stable** — stewardship work is docs/alignment first; defer
flex-auth code until design is reviewed.
3. **Coordinate net-kingdom** — small responsibility-map update is a
dependency for INTENT success criterion #4.
4. **Re-assess after WP-0006** — target C3/C4 completeness if routing runbook
and NetKingdom links land.
---
## 8. Document map
| File | Role |
| --- | --- |
| `INTENT.md` | Aspirational steward + SSH authority mission |
| `SCOPE.md` | Current implementation and planned stewardship scope |
| This file | Gap analysis snapshot |
| `workplans/WARDEN-WP-0006-*.md` | Execution plan |