generated from coulomb/repo-seed
Ship flex-auth policy gate registry and smoke evidence, archive WP-0009 through WP-0013, and add integration docs: ops-bridge cert_command migration playbook, operator OpenBao token hygiene, principals drift check script, and 2026-06-24 INTENT/SCOPE gap analysis.
# INTENT ↔ SCOPE Gap Analysis — Post WP-0009 / WP-0011

**Date:** 2026-06-24

**Author:** codex

**Trigger:** WARDEN-WP-0009 archived; WP-0010/0011 done; policy gate + routing shipped.

**Prior assessments:** `history/2026-06-18-post-wp0008-intent-scope-reassessment.md`,
`history/2026-06-18-access-routing-intent-shift-assessment.md`

---

## 1. Executive summary

ops-warden is a **production-capable SSH CA** with **structured credential routing**
(`warden route`) and a **shipped, opt-in flex-auth policy gate** (registry + smoke
complete; the production flip awaits the flex-auth runtime deploy).

INTENT's SSH issuance mission is **met in production**. The largest remaining INTENT
gap is **ops-bridge consumer integration** — the `cert_command` contract exists, but live
tunnels still use static keys. Secondary gaps are **operator hygiene**, **inventory ↔
infra principals alignment**, **routing playbook depth** (WP-0012), and **cross-repo
coordination** (flex-auth FLEX-WP-0007, net-kingdom NK-WP-0009).

**Vector movement:** `D5 / A4 / C4 / R3` → **`D5 / A4 / C4 / R3`** (unchanged level;
policy-gate readiness improves C4 substance without changing the label until the prod flip).

| Dimension | Was | Now | Notes |
| --- | --- | --- | --- |
| Discovery | D5 | D5 | Catalog + `warden route` + wiki |
| Availability | A4 | A4 | Routing CLI shipped (WP-0011) |
| Completeness | C4 | C4 | Policy registry smoke done; prod `policy.enabled` off |
| Reliability | R3 | R3 | OpenBao sign verified; `cert_command` not on live tunnels |

---

## 2. Deliverables since 2026-06-18

| Workplan | Deliverable | Status |
| --- | --- | --- |
| WP-0009 | flex-auth policy package confirmed; production registry + smoke | Archived |
| WP-0010 | Access routing charter + pointer catalog | Archived 2026-06-24 |
| WP-0011 | `warden route` CLI + catalog tests | Archived 2026-06-24 |
| WP-0013 | Production integration closeout (playbooks, drift, archive) | Finished 2026-06-24 |
| FLEX-WP-0006 | flex-auth policy package + handoff | flex-auth finished |
| FLEX-WP-0007 | flex-auth production deploy (draft) | flex-auth proposed |

---

## 3. INTENT success criteria

| # | Criterion | Status | Evidence / gap |
| --- | --- | --- | --- |
| 1 | Worker knows which subsystem for each credential type | **Met** | `warden route`, catalog, wikis |
| 2 | SSH access short-lived, inventoried, audited | **Met (prod)** | OpenBao sign + `signatures.log` |
| 3 | ops-bridge integrates via stable `cert_command` | **Partial** | Contract shipped; tunnels static-key |
| 4 | NetKingdom evolution reflected in docs | **Met** | NK cross-links, routing charter |
| 5 | Non-SSH secrets stay out of ops-warden | **Met** | Pointer layer only |

**Score: 4 met, 1 partial** — the partial criterion is ops-bridge production adoption.

---

## 4. INTENT mission pillars

| Pillar | Status | Gap |
| --- | --- | --- |
| 1. Know NetKingdom security model | Strong | — |
| 2. Route workers to correct subsystem | Strong | WP-0012 playbooks deepen scenarios |
| 3. Align runbooks with canon | Strong | Reassessment + archive hygiene due |
| 4. Issue short-lived SSH certs | **Production** | — |
| 5. Audit SSH signing | Strong | Policy `policy_decision_id` when gate on |

---

## 5. Remaining gaps (prioritized)

| Prio | Gap | Owner | ops-warden action | Track |
| --- | --- | --- | --- | --- |
| **P1** | ops-bridge `cert_command` on production tunnels | ops-bridge + ops-warden | Migration playbook + pilot evidence | **WARDEN-WP-0013** T3 |
| **P2** | Operator token hygiene (root → scoped `warden-sign`) | Operator + ops-warden | Runbook in wiki | **WARDEN-WP-0013** T4 |
| **P3** | Principals drift (inventory ↔ railiance-infra) | ops-warden + infra | Drift check doc/script | **WARDEN-WP-0013** T5 |
| **P4** | Routing scenario playbooks incomplete | ops-warden | Expand catalog + wiki playbooks | **WARDEN-WP-0012** (ready) |
| **P5** | flex-auth production runtime | flex-auth | Coordinate; operator flip checklist | **FLEX-WP-0007** + WP-0013 T6 |
| **P6** | Vault-backed policy gate joint smoke | flex-auth + operator | Run when `VAULT_TOKEN` valid | FLEX-WP-0007 T4 |
| **P7** | Archive hygiene (WP-0010, WP-0011) | ops-warden | Move to `workplans/archived/` | **WARDEN-WP-0013** T2 |
| **P8** | NK-WP-0009 joint SSH tutorial | net-kingdom | Coordinate only | Parallel |
| **P9** | Policy v2.1 identity claims for `adm` | ops-warden + flex-auth | Design only | Future |

---

## 6. Workplan recommendation

**WARDEN-WP-0013 — Production Integration & Stewardship Closeout** (new):

- T1: This reassessment + SCOPE refresh
- T2: Archive WP-0010 and WP-0011
- T3: ops-bridge `cert_command` migration playbook (pilot `agt-state-hub-bridge`)
- T4: Operator OpenBao token hygiene runbook
- T5: Principals inventory drift check
- T6: Policy gate production enablement checklist (coordinate FLEX-WP-0007)

**WARDEN-WP-0012 — Routing Scenario Playbooks** (promote `backlog` → `ready`):

- Dependencies WP-0010/0011 shipped; start when bandwidth allows
- Complements WP-0013 (routing depth vs SSH integration closeout)

**Out of scope for new ops-warden WPs:**

- flex-auth runtime deployment (FLEX-WP-0007)
- ops-bridge tunnel config changes (ops-bridge executes; ops-warden documents)

---

## 7. Maturity target (post WP-0013 + WP-0012)

| Dimension | Target | Unlock |
| --- | --- | --- |
| C4 → C4+ | `cert_command` pilot documented | WP-0013 T3 |
| R3 → R4 | Live tunnel uses warden-signed cert | ops-bridge + WP-0013 evidence |
| D5 | More active catalog playbooks | WP-0012 |

---

## See also

- `workplans/WARDEN-WP-0013-production-integration-and-stewardship-closeout.md`
- `workplans/WARDEN-WP-0012-routing-scenario-playbooks.md`
- `SCOPE.md`