Add credential routing, actor patterns, security map, OpenBao SSH checklist, and policy-gated signing design. Update registry and SCOPE; record INTENT↔SCOPE reassessment (C3 completeness).
INTENT ↔ SCOPE Reassessment — ops-warden
Date: 2026-06-17
Author: codex
Trigger: WARDEN-WP-0006 complete (T1–T7).
Prior assessment: history/2026-06-17-intent-scope-assessment.md
1. Executive summary
WARDEN-WP-0006 closed the primary stewardship documentation gaps. ops-warden
now has worker-facing credential routing, NetKingdom security literacy, actor
inventory patterns, an OpenBao SSH verification checklist, and a flex-auth
integration design. The NetKingdom canon was updated (responsibility-map,
platform architecture Operational SSH Path).
Vector movement: D4/A3/C2/R2 → D5/A3/C3/R2
| Dimension | Was | Now | Notes |
|---|---|---|---|
| Discovery | D4 | D5 | Routing + security map + NK canon cross-links |
| Availability | A3 | A3 | CLI unchanged; no desk API yet |
| Completeness | C2 | C3 | Stewardship operationalized in wiki; policy gate not coded |
| Reliability | R2 | R2 | Production OpenBao sign still operator-verified, not CI-proven |
2. Deliverables (WP-0006)
| Task | Deliverable | Status |
|---|---|---|
| T1 | wiki/CredentialRouting.md | Done |
| T2 | wiki/ActorInventoryPatterns.md, examples/inventory.seed.yaml | Done |
| T3 | wiki/NetKingdomSecurityMap.md, registry, repo-boundary | Done |
| T4 | net-kingdom responsibility-map + platform SSH path | Done |
| T5 | wiki/OpenBaoSshEngineChecklist.md | Done |
| T6 | wiki/PolicyGatedSigning.md | Done (design) |
| T7 | This reassessment | Done |
3. Success criteria (INTENT.md) — updated
| Criterion | Was | Now |
|---|---|---|
| Worker knows which subsystem for each credential type | No | Yes — wiki/CredentialRouting.md |
| SSH access short-lived, inventoried, audited | Yes (tooling) | Yes — + patterns seed |
| ops-bridge integrates via cert_command | Yes (contract) | Yes |
| NetKingdom evolution reflected in ops-warden docs | Partial | Yes — NK canon patched + security map |
| Non-SSH secrets stay out of ops-warden | Yes | Yes |
Score: 4 yes, 1 unchanged (live tunnel matrix)
4. Remaining gaps (next work)
| Prio | Gap | Proposed work |
|---|---|---|
| P1 | Production OpenBao SSH sign not executed in CI | Operator run checklist on Railiance; log evidence |
| P2 | flex-auth pre-sign not implemented | WARDEN-WP-0007 from wiki/PolicyGatedSigning.md |
| P3 | NK-WP-0009 tutorial not joint | Coordinate net-kingdom SSH tutorial |
| P4 | Optional warden guide CLI | Ad hoc if doc-only routing insufficient |
5. Recommendation
Mark WARDEN-WP-0006 finished. Open WARDEN-WP-0007 when ready for flex-auth integration or the production OpenBao verification milestone.
Completeness C3 is justified: the central stewardship use case (routing + alignment) works; SSH issuance was already C3; the policy gate remains a bounded, known gap.