Files
ops-warden/history/2026-06-17-intent-scope-reassessment.md
tegwick 1865e0744e WARDEN-WP-0006: NetKingdom stewardship docs and alignment
Add credential routing, actor patterns, security map, OpenBao SSH
checklist, and policy-gated signing design. Update registry and SCOPE;
record INTENT↔SCOPE reassessment (C3 completeness).
2026-06-17 08:22:45 +02:00

74 lines
2.8 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# INTENT ↔ SCOPE Reassessment — ops-warden
**Date:** 2026-06-17
**Author:** codex
**Trigger:** WARDEN-WP-0006 complete (T1T7).
**Prior assessment:** `history/2026-06-17-intent-scope-assessment.md`
---
## 1. Executive summary
WARDEN-WP-0006 closed the primary **stewardship documentation gaps**. ops-warden
now has worker-facing credential routing, NetKingdom security literacy, actor
inventory patterns, OpenBao SSH verification checklist, and flex-auth integration
design. NetKingdom canon updated (`responsibility-map`, platform architecture
Operational SSH Path).
**Vector movement:** `D4/A3/C2/R2`**`D5/A3/C3/R2`**
| Dimension | Was | Now | Notes |
| --- | --- | --- | --- |
| Discovery | D4 | **D5** | Routing + security map + NK canon cross-links |
| Availability | A3 | A3 | CLI unchanged; no desk API yet |
| Completeness | C2 | **C3** | Stewardship operationalized in wiki; policy gate not coded |
| Reliability | R2 | R2 | Production OpenBao sign still operator-verified, not CI-proven |
---
## 2. Deliverables (WP-0006)
| Task | Deliverable | Status |
| --- | --- | --- |
| T1 | `wiki/CredentialRouting.md` | Done |
| T2 | `wiki/ActorInventoryPatterns.md`, `examples/inventory.seed.yaml` | Done |
| T3 | `wiki/NetKingdomSecurityMap.md`, registry, repo-boundary | Done |
| T4 | net-kingdom responsibility-map + platform SSH path | Done |
| T5 | `wiki/OpenBaoSshEngineChecklist.md` | Done |
| T6 | `wiki/PolicyGatedSigning.md` | Done (design) |
| T7 | This reassessment | Done |
---
## 3. Success criteria (INTENT.md) — updated
| Criterion | Was | Now |
| --- | --- | --- |
| Worker knows which subsystem for each credential type | No | **Yes**`wiki/CredentialRouting.md` |
| SSH access short-lived, inventoried, audited | Yes (tooling) | **Yes** — + patterns seed |
| ops-bridge integrates via cert_command | Yes (contract) | Yes |
| NetKingdom evolution reflected in ops-warden docs | Partial | **Yes** — NK canon patched + security map |
| Non-SSH secrets stay out of ops-warden | Yes | Yes |
**Score: 4 yes, 1 unchanged (live tunnel matrix)**
---
## 4. Remaining gaps (next work)
| Prio | Gap | Proposed work |
| --- | --- | --- |
| P1 | Production OpenBao SSH sign not executed in CI | Operator run checklist on Railiance; log evidence |
| P2 | flex-auth pre-sign not implemented | WARDEN-WP-0007 from `wiki/PolicyGatedSigning.md` |
| P3 | NK-WP-0009 tutorial not joint | Coordinate net-kingdom SSH tutorial |
| P4 | Optional `warden guide` CLI | Ad hoc if doc-only routing insufficient |
---
## 5. Recommendation
Mark **WARDEN-WP-0006 finished**. Open **WARDEN-WP-0007** when ready for
flex-auth integration or production OpenBao verification milestone.
**Completeness C3** is justified: central stewardship use case (routing + alignment)
works; SSH issuance was already C3; policy gate remains bounded known gap.