SCOPE.md now documents where we are (R3 production sign), INTENT criteria status, maturity vector, and workplan landscape. Add reassessment history; point INTENT evolution notes at latest assessment.
5.2 KiB
INTENT ↔ SCOPE Reassessment — Post WP-0008
Date: 2026-06-18
Author: codex
Trigger: WARDEN-WP-0008 finished — production OpenBao sign verified, workplan archived.
Prior assessment: history/2026-06-17-post-wp0007-reassessment.md
1. Executive summary
WARDEN-WP-0008 closed the production SSH path gap: OpenBao SSH engine live on
Railiance, host CA trust on CoulombCore + Railiance01, and warden sign smoke
against https://bao.coulomb.social with scoped warden-sign policy token.
Stewardship canon (routing, inventory patterns, OpenBao checklist, task-status
migration) and archive hygiene are complete.
The repository now matches INTENT for the SSH issuance lane in production.
Remaining distance to INTENT is integration breadth (ops-bridge cert_command
on live tunnels), authorization depth (flex-auth policies + policy.enabled),
and operational maturity (token hygiene, principals sync, optional tutorials).
Vector movement: D5/A3/C4/R2 → D5/A3/C4/R3
| Dimension | Was | Now | Notes |
|---|---|---|---|
| Discovery | D5 | D5 | Routing + security map + NK cross-links |
| Availability | A3 | A3 | CLI + opt-in policy gate; no desk API |
| Completeness | C4 | C4 | SSH lane prod-verified; flex-auth policies external |
| Reliability | R2 | R3 | Live warden sign evidence on Railiance OpenBao |
2. Deliverables (WP-0008)
| Task | Deliverable | Status |
|---|---|---|
| T1 | Post-WP-0007 reassessment, SCOPE update | Done |
| T2 | Production warden sign + verify history |
Done |
| T3 | AGENTS.md task-status canon | Done |
| T4 | examples/warden.production.example.yaml, archive WP-0004–0007 |
Done |
| T5 | flex-auth production gate | Cancelled → WARDEN-WP-0009 |
3. INTENT.md success criteria
| # | Criterion | Status | Evidence / gap |
|---|---|---|---|
| 1 | Worker knows which subsystem for each credential type | Met | wiki/CredentialRouting.md, wiki/NetKingdomSecurityMap.md |
| 2 | SSH access short-lived, inventoried, audited | Met (prod) | OpenBao sign + signatures.log; host principals via railiance-infra |
| 3 | ops-bridge integrates via stable cert_command | Partial | Contract shipped; live tunnels still static-key (agt-claude-*) |
| 4 | NetKingdom evolution reflected in ops-warden docs | Met | NK canon links; NET-WP-0020 / WP-0008 cross-repo evidence |
| 5 | Non-SSH secrets stay out of ops-warden | Met | Routing docs only; no secret storage in repo |
Score: 4 met, 1 partial — partial is ops-bridge production adoption, not ops-warden code gap.
4. INTENT mission pillars (§ The Mission)
| Pillar | Status | Notes |
|---|---|---|
| 1. Know NetKingdom security model | Strong | Wiki + registry + NK patches (WP-0006) |
| 2. Route workers to correct subsystem | Strong | CredentialRouting operational |
| 3. Align runbooks with canon | Strong | OpenBao checklist, PolicyGatedSigning, production example |
| 4. Issue short-lived SSH certs | Production | backend: vault verified 2026-06-18 |
| 5. Audit SSH signing / compliance | Tooling ready | signatures.log, scorecard; prod cadence not scheduled |
5. Remaining gaps (prioritized)
| Prio | Gap | Owner | Track |
|---|---|---|---|
| P1 | flex-auth ssh-certificate policies + prod gate |
flex-auth + ops-warden | WARDEN-WP-0009 (wait) |
| P2 | ops-bridge cert_command on production tunnels |
ops-bridge (+ ops-warden doc) | Proposed WARDEN-WP-0010 |
| P3 | Operator token hygiene (root → OIDC + warden-sign) |
Operator | Ad hoc or WP-0010 T2 |
| P4 | Principals inventory sync (warden ↔ railiance-infra) | ops-warden + railiance-infra | Proposed WP-0010 or ad hoc |
| P5 | NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel coordination |
| P6 | Actor key lifecycle (warden issue, roster automation) |
ops-warden | Future WP when attended lanes scale |
| P7 | Policy v2.1 — identity claims for adm signs |
ops-warden + flex-auth | Design only (PolicyGatedSigning.md) |
6. Workplan recommendation
Keep WARDEN-WP-0009 as-is — blocked on flex-auth policy package.
Propose WARDEN-WP-0010 — Production SSH Integration Closeout when ready:
- T1: Document ops-bridge
cert_commandmigration foragt-state-hub-bridge(pilot tunnel) - T2: Operator token runbook — OIDC login,
warden-signtoken, root retirement - T3: Principals drift check —
inventory.yamlhosts↔railiance-infra/ssh_principals.yaml - T4: Optional cert_command smoke evidence in verify history
Defer WP-0010 creation until flex-auth path is clearer or ops-bridge signals tunnel migration priority.
Ad hoc only: token rotation, single-tunnel cert_command pilot — no workplan unless multi-phase.
7. Where we are (one paragraph)
ops-warden is a production-capable SSH certificate authority for the NetKingdom
adm/agt/atm model, with OpenBao as the Railiance signing backend and
documented stewardship for every other credential lane. INTENT's core SSH mission
is achieved; the steward desk is documentation-first with a shipped, verified CLI.
Next maturity steps are authorization (flex-auth), consumer integration (ops-bridge),
and operational hygiene — not new signing features.