generated from coulomb/repo-seed
Mark WP-0008 finished and move to archived/. Spin flex-auth production gate to WARDEN-WP-0009. Update SCOPE and reassessment history for R3 reliability.
INTENT ↔ SCOPE Reassessment — Post WP-0007
Date: 2026-06-17
Author: codex
Trigger: WARDEN-WP-0007 complete; WARDEN-WP-0008 T1.
Prior assessment: history/2026-06-17-intent-scope-reassessment.md
1. Executive summary
WARDEN-WP-0007 shipped the opt-in flex-auth policy gate (policy.py,
policy.enabled in warden.yaml) and recorded production OpenBao health
evidence (initialized, unsealed, v2.5.4). Signing behavior is unchanged when
the gate is off (default). Production end-to-end warden sign against the SSH
engine remains operator-verified — tracked in WARDEN-WP-0008 T2.
Vector movement: D5/A3/C3/R2 → D5/A3/C4/R2
| Dimension | Was | Now | Notes |
|---|---|---|---|
| Discovery | D5 | D5 | Unchanged |
| Availability | A3 | A3 | CLI + opt-in policy gate |
| Completeness | C3 | C4 | Policy gate coded; flex-auth policies external |
| Reliability | R2 | R2 | Health probe yes; live sign pending operator token |
2. Deliverables (WP-0007)
| Task | Deliverable | Status |
|---|---|---|
| T1 | history/2026-06-17-openbao-production-verify.md | Done (health) |
| T2 | PolicyConfig, policy.py | Done |
| T3 | CLI wire-in, policy_decision_id in log | Done |
| T4 | tests/test_policy.py, wiki updates | Done |
3. Success criteria (INTENT.md) — updated
| Criterion | Was | Now |
|---|---|---|
| Worker knows which subsystem for each credential type | Yes | Yes |
| SSH access short-lived, inventoried, audited | Yes | Yes — + optional flex-auth correlation id |
| ops-bridge integrates via cert_command | Yes | Yes |
| NetKingdom evolution reflected in ops-warden docs | Yes | Yes |
| Non-SSH secrets stay out of ops-warden | Yes | Yes |
Score: 5 yes (the live production sign is a reliability item, not an INTENT criterion gap)
4. Remaining gaps (post WP-0008 closeout, 2026-06-18)
| Prio | Gap | Owner | Task |
|---|---|---|---|
| P1 | flex-auth ssh-certificate policies | flex-auth | WP-0009 |
| P2 | NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel |
| P3 | ops-bridge cert_command on live tunnels | ops-bridge | Deferred |
WP-0008 closed: production sign verified; stewardship canon and archive hygiene done.
5. Recommendation
- Completeness C4: SSH lane + stewardship docs + opt-in policy gate shipped.
- Reliability R3: production warden sign evidence on file (2026-06-18).
- Keep policy.enabled: false in production until flex-auth policies exist (WP-0009).