generated from coulomb/repo-seed
SCOPE.md now documents where we are (R3 production sign), INTENT criteria status, maturity vector, and workplan landscape. Add reassessment history; point INTENT evolution notes at latest assessment.
110 lines
5.2 KiB
Markdown
110 lines
5.2 KiB
Markdown
# INTENT ↔ SCOPE Reassessment — Post WP-0008
|
||
|
||
**Date:** 2026-06-18
|
||
**Author:** codex
|
||
**Trigger:** WARDEN-WP-0008 finished — production OpenBao sign verified, workplan archived.
|
||
**Prior assessment:** `history/2026-06-17-post-wp0007-reassessment.md`
|
||
|
||
---
|
||
|
||
## 1. Executive summary
|
||
|
||
WARDEN-WP-0008 closed the **production SSH path** gap: OpenBao SSH engine live on
|
||
Railiance, host CA trust on CoulombCore + Railiance01, and `warden sign` smoke
|
||
against `https://bao.coulomb.social` with scoped `warden-sign` policy token.
|
||
Stewardship canon (routing, inventory patterns, OpenBao checklist, task-status
|
||
migration) and archive hygiene are complete.
|
||
|
||
The repository now matches INTENT for the **SSH issuance lane in production**.
|
||
Remaining distance to INTENT is **integration breadth** (ops-bridge cert_command
|
||
on live tunnels), **authorization depth** (flex-auth policies + `policy.enabled`),
|
||
and **operational maturity** (token hygiene, principals sync, optional tutorials).
|
||
|
||
**Vector movement:** `D5/A3/C4/R2` → **`D5/A3/C4/R3`**
|
||
|
||
| Dimension | Was | Now | Notes |
|
||
| --- | --- | --- | --- |
|
||
| Discovery | D5 | D5 | Routing + security map + NK cross-links |
|
||
| Availability | A3 | A3 | CLI + opt-in policy gate; no desk API |
|
||
| Completeness | C4 | C4 | SSH lane prod-verified; flex-auth policies external |
|
||
| Reliability | R2 | **R3** | Live `warden sign` evidence on Railiance OpenBao |
|
||
|
||
---
|
||
|
||
## 2. Deliverables (WP-0008)
|
||
|
||
| Task | Deliverable | Status |
|
||
| --- | --- | --- |
|
||
| T1 | Post-WP-0007 reassessment, SCOPE update | Done |
|
||
| T2 | Production `warden sign` + verify history | Done |
|
||
| T3 | AGENTS.md task-status canon | Done |
|
||
| T4 | `examples/warden.production.example.yaml`, archive WP-0004–0007 | Done |
|
||
| T5 | flex-auth production gate | Cancelled → **WARDEN-WP-0009** |
|
||
|
||
---
|
||
|
||
## 3. INTENT.md success criteria
|
||
|
||
| # | Criterion | Status | Evidence / gap |
|
||
| --- | --- | --- | --- |
|
||
| 1 | Worker knows which subsystem for each credential type | **Met** | `wiki/CredentialRouting.md`, `wiki/NetKingdomSecurityMap.md` |
|
||
| 2 | SSH access short-lived, inventoried, audited | **Met (prod)** | OpenBao sign + `signatures.log`; host principals via railiance-infra |
|
||
| 3 | ops-bridge integrates via stable cert_command | **Partial** | Contract shipped; live tunnels still static-key (`agt-claude-*`) |
|
||
| 4 | NetKingdom evolution reflected in ops-warden docs | **Met** | NK canon links; NET-WP-0020 / WP-0008 cross-repo evidence |
|
||
| 5 | Non-SSH secrets stay out of ops-warden | **Met** | Routing docs only; no secret storage in repo |
|
||
|
||
**Score: 4 met, 1 partial** — partial is ops-bridge production adoption, not ops-warden code gap.
|
||
|
||
---
|
||
|
||
## 4. INTENT mission pillars (§ The Mission)
|
||
|
||
| Pillar | Status | Notes |
|
||
| --- | --- | --- |
|
||
| 1. Know NetKingdom security model | Strong | Wiki + registry + NK patches (WP-0006) |
|
||
| 2. Route workers to correct subsystem | Strong | CredentialRouting operational |
|
||
| 3. Align runbooks with canon | Strong | OpenBao checklist, PolicyGatedSigning, production example |
|
||
| 4. Issue short-lived SSH certs | **Production** | `backend: vault` verified 2026-06-18 |
|
||
| 5. Audit SSH signing / compliance | Tooling ready | `signatures.log`, scorecard; prod cadence not scheduled |
|
||
|
||
---
|
||
|
||
## 5. Remaining gaps (prioritized)
|
||
|
||
| Prio | Gap | Owner | Track |
|
||
| --- | --- | --- | --- |
|
||
| P1 | flex-auth `ssh-certificate` policies + prod gate | flex-auth + ops-warden | **WARDEN-WP-0009** (`wait`) |
|
||
| P2 | ops-bridge `cert_command` on production tunnels | ops-bridge (+ ops-warden doc) | Proposed **WARDEN-WP-0010** |
|
||
| P3 | Operator token hygiene (root → OIDC + `warden-sign`) | Operator | Ad hoc or WP-0010 T2 |
|
||
| P4 | Principals inventory sync (warden ↔ railiance-infra) | ops-warden + railiance-infra | Proposed WP-0010 or ad hoc |
|
||
| P5 | NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel coordination |
|
||
| P6 | Actor key lifecycle (`warden issue`, roster automation) | ops-warden | Future WP when attended lanes scale |
|
||
| P7 | Policy v2.1 — identity claims for `adm` signs | ops-warden + flex-auth | Design only (`PolicyGatedSigning.md`) |
|
||
|
||
---
|
||
|
||
## 6. Workplan recommendation
|
||
|
||
**Keep WARDEN-WP-0009** as-is — blocked on flex-auth policy package.
|
||
|
||
**Propose WARDEN-WP-0010 — Production SSH Integration Closeout** when ready:
|
||
|
||
- T1: Document ops-bridge `cert_command` migration for `agt-state-hub-bridge` (pilot tunnel)
|
||
- T2: Operator token runbook — OIDC login, `warden-sign` token, root retirement
|
||
- T3: Principals drift check — `inventory.yaml` `hosts` ↔ `railiance-infra/ssh_principals.yaml`
|
||
- T4: Optional cert_command smoke evidence in verify history
|
||
|
||
Defer WP-0010 creation until flex-auth path is clearer or ops-bridge signals tunnel migration priority.
|
||
|
||
**Ad hoc only:** token rotation, single-tunnel cert_command pilot — no workplan unless multi-phase.
|
||
|
||
---
|
||
|
||
## 7. Where we are (one paragraph)
|
||
|
||
ops-warden is a **production-capable SSH certificate authority** for the NetKingdom
|
||
`adm`/`agt`/`atm` model, with OpenBao as the Railiance signing backend and
|
||
documented stewardship for every other credential lane. INTENT's core SSH mission
|
||
is achieved; the steward desk is documentation-first with a shipped, verified CLI.
|
||
Next maturity steps are authorization (flex-auth), consumer integration (ops-bridge),
|
||
and operational hygiene — not new signing features. |