ops-warden/history/2026-06-24-intent-scope-gap-analysis.md

# INTENT ↔ SCOPE Gap Analysis — Post WP-0009 / WP-0011

**Date:** 2026-06-24  
**Author:** codex  
**Trigger:** WARDEN-WP-0009 archived; WP-0010/0011 done; policy gate + routing shipped.  
**Prior assessments:** `history/2026-06-18-post-wp0008-intent-scope-reassessment.md`,
`history/2026-06-18-access-routing-intent-shift-assessment.md`

---

## 1. Executive summary

ops-warden is a **production-capable SSH CA** with **structured credential routing**
(`warden route`) and a **shipped, opt-in flex-auth policy gate** (registry + smoke
complete; production flip waits flex-auth runtime deploy).

INTENT's SSH issuance mission is **met in production**. The largest remaining INTENT
gap is **ops-bridge consumer integration** — `cert_command` contract exists but live
tunnels still use static keys. Secondary gaps are **operator hygiene**, **inventory ↔
infra principals alignment**, **routing playbook depth** (WP-0012), and **cross-repo
coordination** (flex-auth FLEX-WP-0007, net-kingdom NK-WP-0009).

**Vector movement:** `D5 / A4 / C4 / R3` → **`D5 / A4 / C4 / R3`** (unchanged level;
policy-gate readiness improves C4 substance without changing the label until prod flip)

| Dimension | Was | Now | Notes |
| --- | --- | --- | --- |
| Discovery | D5 | D5 | Catalog + `warden route` + wiki |
| Availability | A4 | A4 | Routing CLI shipped (WP-0011) |
| Completeness | C4 | C4 | Policy registry smoke done; prod `policy.enabled` off |
| Reliability | R3 | R3 | OpenBao sign verified; cert_command not on live tunnels |

---

## 2. Deliverables since 2026-06-18

| Workplan | Deliverable | Status |
| --- | --- | --- |
| WP-0009 | flex-auth policy package confirmed; production registry + smoke | Archived |
| WP-0010 | Access routing charter + pointer catalog | Archived 2026-06-24 |
| WP-0011 | `warden route` CLI + catalog tests | Archived 2026-06-24 |
| WP-0013 | Production integration closeout (playbooks, drift, archive) | Finished 2026-06-24 |
| FLEX-WP-0006 | flex-auth policy package + handoff | flex-auth finished |
| FLEX-WP-0007 | flex-auth production deploy (draft) | flex-auth proposed |

---

## 3. INTENT success criteria

| # | Criterion | Status | Evidence / gap |
| --- | --- | --- | --- |
| 1 | Worker knows which subsystem for each credential type | **Met** | `warden route`, catalog, wikis |
| 2 | SSH access short-lived, inventoried, audited | **Met (prod)** | OpenBao sign + `signatures.log` |
| 3 | ops-bridge integrates via stable `cert_command` | **Partial** | Contract shipped; tunnels static-key |
| 4 | NetKingdom evolution reflected in docs | **Met** | NK cross-links, routing charter |
| 5 | Non-SSH secrets stay out of ops-warden | **Met** | Pointer layer only |

**Score: 4 met, 1 partial** — partial is ops-bridge production adoption.

---

## 4. INTENT mission pillars

| Pillar | Status | Gap |
| --- | --- | --- |
| 1. Know NetKingdom security model | Strong | — |
| 2. Route workers to correct subsystem | Strong | WP-0012 playbooks deepen scenarios |
| 3. Align runbooks with canon | Strong | Reassessment + archive hygiene due |
| 4. Issue short-lived SSH certs | **Production** | — |
| 5. Audit SSH signing | Strong | Policy `policy_decision_id` when gate on |

---

## 5. Remaining gaps (prioritized)

| Prio | Gap | Owner | ops-warden action | Track |
| --- | --- | --- | --- | --- |
| **P1** | ops-bridge `cert_command` on production tunnels | ops-bridge + ops-warden | Migration playbook + pilot evidence | **WARDEN-WP-0013** T3 |
| **P2** | Operator token hygiene (root → scoped `warden-sign`) | Operator + ops-warden | Runbook in wiki | **WARDEN-WP-0013** T4 |
| **P3** | Principals drift (inventory ↔ railiance-infra) | ops-warden + infra | Drift check doc/script | **WARDEN-WP-0013** T5 |
| **P4** | Routing scenario playbooks incomplete | ops-warden | Expand catalog + wiki playbooks | **WARDEN-WP-0012** (ready) |
| **P5** | flex-auth production runtime | flex-auth | Coordinate; operator flip checklist | **FLEX-WP-0007** + WP-0013 T6 |
| **P6** | Vault-backed policy gate joint smoke | flex-auth + operator | Run when `VAULT_TOKEN` valid | FLEX-WP-0007 T4 |
| **P7** | Archive hygiene (WP-0010, WP-0011) | ops-warden | Move to `workplans/archived/` | **WARDEN-WP-0013** T2 |
| **P8** | NK-WP-0009 joint SSH tutorial | net-kingdom | Coordinate only | Parallel |
| **P9** | Policy v2.1 identity claims for `adm` | ops-warden + flex-auth | Design only | Future |

---

## 6. Workplan recommendation

**WARDEN-WP-0013 — Production Integration & Stewardship Closeout** (new):

- T1: This reassessment + SCOPE refresh
- T2: Archive WP-0010 and WP-0011
- T3: ops-bridge `cert_command` migration playbook (pilot `agt-state-hub-bridge`)
- T4: Operator OpenBao token hygiene runbook
- T5: Principals inventory drift check
- T6: Policy gate production enablement checklist (coordinate FLEX-WP-0007)

**WARDEN-WP-0012 — Routing Scenario Playbooks** (promote `backlog` → `ready`):

- Dependencies WP-0010/0011 shipped; start when bandwidth allows
- Complements WP-0013 (routing depth vs SSH integration closeout)

**Out of scope for new ops-warden WPs:**

- flex-auth runtime deployment (FLEX-WP-0007)
- ops-bridge tunnel config changes (ops-bridge executes; ops-warden documents)

---

## 7. Maturity target (post WP-0013 + WP-0012)

| Dimension | Target | Unlock |
| --- | --- | --- |
| C4 → C4+ | cert_command pilot documented | WP-0013 T3 |
| R3 → R4 | Live tunnel uses warden-signed cert | ops-bridge + WP-0013 evidence |
| D5 | More active catalog playbooks | WP-0012 |

---

## See also

- `workplans/WARDEN-WP-0013-production-integration-and-stewardship-closeout.md`
- `workplans/WARDEN-WP-0012-routing-scenario-playbooks.md`
- `SCOPE.md`