generated from coulomb/repo-seed
Add credential routing, actor patterns, security map, OpenBao SSH checklist, and policy-gated signing design. Update registry and SCOPE; record INTENT↔SCOPE reassessment (C3 completeness).
74 lines
2.8 KiB
Markdown
74 lines
2.8 KiB
Markdown
# INTENT ↔ SCOPE Reassessment — ops-warden
|
||
|
||
**Date:** 2026-06-17
|
||
**Author:** codex
|
||
**Trigger:** WARDEN-WP-0006 complete (T1–T7).
|
||
**Prior assessment:** `history/2026-06-17-intent-scope-assessment.md`
|
||
|
||
---
|
||
|
||
## 1. Executive summary
|
||
|
||
WARDEN-WP-0006 closed the primary **stewardship documentation gaps**. ops-warden
|
||
now has worker-facing credential routing, NetKingdom security literacy, actor
|
||
inventory patterns, OpenBao SSH verification checklist, and flex-auth integration
|
||
design. NetKingdom canon updated (`responsibility-map`, platform architecture
|
||
Operational SSH Path).
|
||
|
||
**Vector movement:** `D4/A3/C2/R2` → **`D5/A3/C3/R2`**
|
||
|
||
| Dimension | Was | Now | Notes |
|
||
| --- | --- | --- | --- |
|
||
| Discovery | D4 | **D5** | Routing + security map + NK canon cross-links |
|
||
| Availability | A3 | A3 | CLI unchanged; no desk API yet |
|
||
| Completeness | C2 | **C3** | Stewardship operationalized in wiki; policy gate not coded |
|
||
| Reliability | R2 | R2 | Production OpenBao sign still operator-verified, not CI-proven |
|
||
|
||
---
|
||
|
||
## 2. Deliverables (WP-0006)
|
||
|
||
| Task | Deliverable | Status |
|
||
| --- | --- | --- |
|
||
| T1 | `wiki/CredentialRouting.md` | Done |
|
||
| T2 | `wiki/ActorInventoryPatterns.md`, `examples/inventory.seed.yaml` | Done |
|
||
| T3 | `wiki/NetKingdomSecurityMap.md`, registry, repo-boundary | Done |
|
||
| T4 | net-kingdom responsibility-map + platform SSH path | Done |
|
||
| T5 | `wiki/OpenBaoSshEngineChecklist.md` | Done |
|
||
| T6 | `wiki/PolicyGatedSigning.md` | Done (design) |
|
||
| T7 | This reassessment | Done |
|
||
|
||
---
|
||
|
||
## 3. Success criteria (INTENT.md) — updated
|
||
|
||
| Criterion | Was | Now |
|
||
| --- | --- | --- |
|
||
| Worker knows which subsystem for each credential type | No | **Yes** — `wiki/CredentialRouting.md` |
|
||
| SSH access short-lived, inventoried, audited | Yes (tooling) | **Yes** — + patterns seed |
|
||
| ops-bridge integrates via cert_command | Yes (contract) | Yes |
|
||
| NetKingdom evolution reflected in ops-warden docs | Partial | **Yes** — NK canon patched + security map |
|
||
| Non-SSH secrets stay out of ops-warden | Yes | Yes |
|
||
|
||
**Score: 4 yes, 1 unchanged (live tunnel matrix)**
|
||
|
||
---
|
||
|
||
## 4. Remaining gaps (next work)
|
||
|
||
| Prio | Gap | Proposed work |
|
||
| --- | --- | --- |
|
||
| P1 | Production OpenBao SSH sign not executed in CI | Operator run checklist on Railiance; log evidence |
|
||
| P2 | flex-auth pre-sign not implemented | WARDEN-WP-0007 from `wiki/PolicyGatedSigning.md` |
|
||
| P3 | NK-WP-0009 tutorial not joint | Coordinate net-kingdom SSH tutorial |
|
||
| P4 | Optional `warden guide` CLI | Ad hoc if doc-only routing insufficient |
|
||
|
||
---
|
||
|
||
## 5. Recommendation
|
||
|
||
Mark **WARDEN-WP-0006 finished**. Open **WARDEN-WP-0007** when ready for
|
||
flex-auth integration or production OpenBao verification milestone.
|
||
|
||
**Completeness C3** is justified: central stewardship use case (routing + alignment)
|
||
works; SSH issuance was already C3; policy gate remains bounded known gap. |