ops-warden/history/2026-06-18-post-wp0008-intent-scope-reassessment.md
tegwick 41da950e1a docs: post-WP-0008 INTENT↔SCOPE reassessment and gap snapshot
SCOPE.md now documents where we are (R3 production sign), INTENT criteria
status, maturity vector, and workplan landscape. Add reassessment history;
point INTENT evolution notes at latest assessment.
2026-06-18 01:36:23 +02:00


INTENT ↔ SCOPE Reassessment — Post WP-0008

Date: 2026-06-18
Author: codex
Trigger: WARDEN-WP-0008 finished — production OpenBao sign verified, workplan archived.
Prior assessment: history/2026-06-17-post-wp0007-reassessment.md


1. Executive summary

WARDEN-WP-0008 closed the production SSH path gap: OpenBao SSH engine live on Railiance, host CA trust on CoulombCore + Railiance01, and warden sign smoke against https://bao.coulomb.social with scoped warden-sign policy token. Stewardship canon (routing, inventory patterns, OpenBao checklist, task-status migration) and archive hygiene are complete.

The repository now matches INTENT for the SSH issuance lane in production. Remaining distance to INTENT is integration breadth (ops-bridge cert_command on live tunnels), authorization depth (flex-auth policies + policy.enabled), and operational maturity (token hygiene, principals sync, optional tutorials).

Vector movement: D5/A3/C4/R2 → D5/A3/C4/R3

| Dimension | Was | Now | Notes |
|---|---|---|---|
| Discovery | D5 | D5 | Routing + security map + NK cross-links |
| Availability | A3 | A3 | CLI + opt-in policy gate; no desk API |
| Completeness | C4 | C4 | SSH lane prod-verified; flex-auth policies external |
| Reliability | R2 | R3 | Live warden sign evidence on Railiance OpenBao |

2. Deliverables (WP-0008)

| Task | Deliverable | Status |
|---|---|---|
| T1 | Post-WP-0007 reassessment, SCOPE update | Done |
| T2 | Production warden sign + verify history | Done |
| T3 | AGENTS.md task-status canon | Done |
| T4 | examples/warden.production.example.yaml, archive WP-0004–0007 | Done |
| T5 | flex-auth production gate | Cancelled → WARDEN-WP-0009 |

3. INTENT.md success criteria

| # | Criterion | Status | Evidence / gap |
|---|---|---|---|
| 1 | Worker knows which subsystem for each credential type | Met | wiki/CredentialRouting.md, wiki/NetKingdomSecurityMap.md |
| 2 | SSH access short-lived, inventoried, audited | Met (prod) | OpenBao sign + signatures.log; host principals via railiance-infra |
| 3 | ops-bridge integrates via stable cert_command | Partial | Contract shipped; live tunnels still static-key (agt-claude-*) |
| 4 | NetKingdom evolution reflected in ops-warden docs | Met | NK canon links; NET-WP-0020 / WP-0008 cross-repo evidence |
| 5 | Non-SSH secrets stay out of ops-warden | Met | Routing docs only; no secret storage in repo |

Score: 4 met, 1 partial — partial is ops-bridge production adoption, not ops-warden code gap.


4. INTENT mission pillars (§ The Mission)

| Pillar | Status | Notes |
|---|---|---|
| 1. Know NetKingdom security model | Strong | Wiki + registry + NK patches (WP-0006) |
| 2. Route workers to correct subsystem | Strong | CredentialRouting operational |
| 3. Align runbooks with canon | Strong | OpenBao checklist, PolicyGatedSigning, production example |
| 4. Issue short-lived SSH certs | Production | backend: vault verified 2026-06-18 |
| 5. Audit SSH signing / compliance | Tooling ready | signatures.log, scorecard; prod cadence not scheduled |

5. Remaining gaps (prioritized)

| Prio | Gap | Owner | Track |
|---|---|---|---|
| P1 | flex-auth ssh-certificate policies + prod gate | flex-auth + ops-warden | WARDEN-WP-0009 (wait) |
| P2 | ops-bridge cert_command on production tunnels | ops-bridge (+ ops-warden doc) | Proposed WARDEN-WP-0010 |
| P3 | Operator token hygiene (root → OIDC + warden-sign) | Operator | Ad hoc or WP-0010 T2 |
| P4 | Principals inventory sync (warden ↔ railiance-infra) | ops-warden + railiance-infra | Proposed WP-0010 or ad hoc |
| P5 | NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel coordination |
| P6 | Actor key lifecycle (warden issue, roster automation) | ops-warden | Future WP when attended lanes scale |
| P7 | Policy v2.1 — identity claims for adm signs | ops-warden + flex-auth | Design only (PolicyGatedSigning.md) |

6. Workplan recommendation

Keep WARDEN-WP-0009 as-is — blocked on flex-auth policy package.

Propose WARDEN-WP-0010 — Production SSH Integration Closeout when ready:

  • T1: Document ops-bridge cert_command migration for agt-state-hub-bridge (pilot tunnel)
  • T2: Operator token runbook — OIDC login, warden-sign token, root retirement
  • T3: Principals drift check — inventory.yaml hosts ↔ railiance-infra/ssh_principals.yaml
  • T4: Optional cert_command smoke evidence in verify history
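The T3 drift check above is only sketched as a task. The following is an added example of what such a check could compute; it is not ops-warden or railiance-infra code. It assumes (the page does not specify either schema) that warden's inventory.yaml maps each host to the principals warden will sign for it, and that ssh_principals.yaml maps each host to the principals it actually trusts; both files are modelled as already-parsed dicts with constructed sample data so the example runs without PyYAML. It reports the two drift directions that matter for the audit criterion: principals warden issues that a host would reject, and principals a host still trusts that warden no longer issues (standing trust outside signatures.log).

```python
"""Principals drift check between warden inventory and host principals.

Added example, not project code. Schema for both inputs is an assumption.
"""
from __future__ import annotations

# Constructed sample standing in for parsed inventory.yaml (warden side).
# Host and principal names are placeholders, not taken from the page.
WARDEN_INVENTORY = {
    "hosts": {
        "coulombcore": {"principals": ["adm", "agt-state-hub-bridge"]},
        "railiance01": {"principals": ["adm", "agt-example", "atm"]},
        "staging-box": {"principals": ["adm"]},
    }
}

# Constructed sample standing in for parsed ssh_principals.yaml (host side).
INFRA_PRINCIPALS = {
    "coulombcore": ["adm", "agt-state-hub-bridge", "agt-legacy"],
    "railiance01": ["adm", "agt-example", "atm"],
    "buildnode": ["adm"],
}


def principals_drift(warden: dict, infra: dict) -> dict:
    """Compare the two inventories and return a drift report.

    report["only_in_warden"] / report["only_in_infra"]: hosts known to one side only.
    report["hosts"][host]["missing_on_host"]: principals warden signs for but the
        host does not trust (a cert for them would be rejected at login).
    report["hosts"][host]["stale_on_host"]: principals the host trusts but warden
        no longer issues (standing trust that never passes through signatures.log).
    Hosts with no drift are omitted from report["hosts"].
    """
    warden_hosts = {h: set(v.get("principals", [])) for h, v in warden["hosts"].items()}
    infra_hosts = {h: set(p) for h, p in infra.items()}

    report = {
        "only_in_warden": sorted(set(warden_hosts) - set(infra_hosts)),
        "only_in_infra": sorted(set(infra_hosts) - set(warden_hosts)),
        "hosts": {},
    }
    for host in sorted(set(warden_hosts) & set(infra_hosts)):
        missing = sorted(warden_hosts[host] - infra_hosts[host])
        stale = sorted(infra_hosts[host] - warden_hosts[host])
        if missing or stale:
            report["hosts"][host] = {"missing_on_host": missing, "stale_on_host": stale}
    return report


def has_drift(report: dict) -> bool:
    """True if any host or principal differs between the two inventories."""
    return bool(report["only_in_warden"] or report["only_in_infra"] or report["hosts"])


if __name__ == "__main__":
    result = principals_drift(WARDEN_INVENTORY, INFRA_PRINCIPALS)
    for host in result["only_in_warden"]:
        print(f"{host}: in warden inventory but not in ssh_principals")
    for host in result["only_in_infra"]:
        print(f"{host}: in ssh_principals but not in warden inventory")
    for host, diff in result["hosts"].items():
        print(f"{host}: missing_on_host={diff['missing_on_host']} stale_on_host={diff['stale_on_host']}")
    raise SystemExit(1 if has_drift(result) else 0)
```

Exiting non-zero on drift lets the check sit in a CI job or a verify-history step; a clean run is evidence that issued principals and host trust agree at that point in time.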

Defer WP-0010 creation until flex-auth path is clearer or ops-bridge signals tunnel migration priority.

Ad hoc only: token rotation, single-tunnel cert_command pilot — no workplan unless multi-phase.


7. Where we are (one paragraph)

ops-warden is a production-capable SSH certificate authority for the NetKingdom adm/agt/atm model, with OpenBao as the Railiance signing backend and documented stewardship for every other credential lane. INTENT's core SSH mission is achieved; the steward desk is documentation-first with a shipped, verified CLI. Next maturity steps are authorization (flex-auth), consumer integration (ops-bridge), and operational hygiene — not new signing features.