Files
ops-warden/history/2026-06-17-intent-scope-reassessment.md
tegwick 1865e0744e WARDEN-WP-0006: NetKingdom stewardship docs and alignment
Add credential routing, actor patterns, security map, OpenBao SSH
checklist, and policy-gated signing design. Update registry and SCOPE;
record INTENT↔SCOPE reassessment (C3 completeness).
2026-06-17 08:22:45 +02:00

2.8 KiB
Raw Blame History

INTENT ↔ SCOPE Reassessment — ops-warden

Date: 2026-06-17
Author: codex
Trigger: WARDEN-WP-0006 complete (T1T7).
Prior assessment: history/2026-06-17-intent-scope-assessment.md


1. Executive summary

WARDEN-WP-0006 closed the primary stewardship documentation gaps. ops-warden now has worker-facing credential routing, NetKingdom security literacy, actor inventory patterns, OpenBao SSH verification checklist, and flex-auth integration design. NetKingdom canon updated (responsibility-map, platform architecture Operational SSH Path).

Vector movement: D4/A3/C2/R2D5/A3/C3/R2

Dimension Was Now Notes
Discovery D4 D5 Routing + security map + NK canon cross-links
Availability A3 A3 CLI unchanged; no desk API yet
Completeness C2 C3 Stewardship operationalized in wiki; policy gate not coded
Reliability R2 R2 Production OpenBao sign still operator-verified, not CI-proven

2. Deliverables (WP-0006)

Task Deliverable Status
T1 wiki/CredentialRouting.md Done
T2 wiki/ActorInventoryPatterns.md, examples/inventory.seed.yaml Done
T3 wiki/NetKingdomSecurityMap.md, registry, repo-boundary Done
T4 net-kingdom responsibility-map + platform SSH path Done
T5 wiki/OpenBaoSshEngineChecklist.md Done
T6 wiki/PolicyGatedSigning.md Done (design)
T7 This reassessment Done

3. Success criteria (INTENT.md) — updated

Criterion Was Now
Worker knows which subsystem for each credential type No Yeswiki/CredentialRouting.md
SSH access short-lived, inventoried, audited Yes (tooling) Yes — + patterns seed
ops-bridge integrates via cert_command Yes (contract) Yes
NetKingdom evolution reflected in ops-warden docs Partial Yes — NK canon patched + security map
Non-SSH secrets stay out of ops-warden Yes Yes

Score: 4 yes, 1 unchanged (live tunnel matrix)


4. Remaining gaps (next work)

Prio Gap Proposed work
P1 Production OpenBao SSH sign not executed in CI Operator run checklist on Railiance; log evidence
P2 flex-auth pre-sign not implemented WARDEN-WP-0007 from wiki/PolicyGatedSigning.md
P3 NK-WP-0009 tutorial not joint Coordinate net-kingdom SSH tutorial
P4 Optional warden guide CLI Ad hoc if doc-only routing insufficient

5. Recommendation

Mark WARDEN-WP-0006 finished. Open WARDEN-WP-0007 when ready for flex-auth integration or production OpenBao verification milestone.

Completeness C3 is justified: central stewardship use case (routing + alignment) works; SSH issuance was already C3; policy gate remains bounded known gap.