ops-warden/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md
tegwick fdc8ecfc8b docs(WP-0008): T2 production sign verification passed (2026-06-18)
Record live OpenBao SSH engine apply, host CA bootstrap, and warden sign smoke.
2026-06-18 01:18:57 +02:00


id: WARDEN-WP-0008
type: workplan
title: Production SSH Path and Stewardship Closeout
domain: custodian
repo: ops-warden
status: active
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 8
created: 2026-06-17
updated: 2026-06-18
state_hub_workstream_id: a174963a-4ff1-4565-b19f-896cd4ff14a0

WARDEN-WP-0008 — Production SSH Path and Stewardship Closeout

Scope: Close the reliability gap left after WARDEN-WP-0007 — prove the production OpenBao SSH signing path end-to-end, refresh INTENT/SCOPE canon for the shipped flex-auth policy gate, adapt repo docs to State Hub task-status canon, and archive finished workplans.

Out of scope: OpenBao cluster deploy or SSH engine bootstrap (operator / railiance-platform), flex-auth policy package authoring, NK-WP-0009 joint tutorial (coordinate separately), populating non-SSH secrets (e.g. OpenRouter API keys — route to OpenBao per wiki/CredentialRouting.md).


Goal

Move ops-warden from documented + code-shipped (WP-0006/0007) to production-verified SSH issuance with up-to-date stewardship canon:

  1. A scoped operator can run warden sign against https://bao.coulomb.social and record non-secret evidence.
  2. SCOPE.md and reassessment history reflect WP-0007 policy gate as implemented.
  3. Agent/workplan docs use State Hub task lifecycle (wait / todo / progress / done / cancel).
  4. Finished workplans WP-0004–0007 are archived under workplans/archived/.

Tasks

T1 — Post-WP-0007 INTENT/SCOPE reassessment

id: WARDEN-WP-0008-T01
status: done
priority: high
state_hub_task_id: "05379da4-79d0-4742-8638-9e9565cccf72"
  • Write history/2026-06-17-post-wp0007-reassessment.md (vector D5/A3/C4/R2)
  • Update SCOPE.md — policy gate implemented, WP-0008 active
  • Resolve remaining PolicyGatedSigning.md (not implemented) references in SCOPE/README

T2 — Production OpenBao end-to-end sign verification

id: WARDEN-WP-0008-T02
status: done
priority: high
state_hub_task_id: "b1a1831d-b2b3-4204-95f6-04dc7f29f67c"
  • Operator provides scoped VAULT_TOKEN (warden-sign policy token)
  • Confirm SSH engine mounted and roles per wiki/OpenBaoSshEngineChecklist.md
  • Run warden sign + warden status + warden log against production OpenBao
  • Append pass/fail evidence to history/2026-06-17-openbao-production-verify.md
  • Optional: cert_command smoke via ops-bridge tunnel (non-secret summary only)

T3 — State Hub task status canon migration

id: WARDEN-WP-0008-T03
status: done
priority: medium
state_hub_task_id: "876827c4-4a86-4e58-9a1f-ac87045dc903"
  • Update AGENTS.md task status values and examples (progress, wait, cancel)
  • Update .claude/rules/workplan-convention.md task block examples
  • Mark state-hub interface change 649102a2-4373-4621-9848-cc257e67c262 resolved
  • Reply to inbox message c4072e5a-2afb-44ba-bfa2-7d4cb9979c6e (read + note adaptation)

T4 — Production config example and archive hygiene

id: WARDEN-WP-0008-T04
status: done
priority: medium
state_hub_task_id: "75b9f366-3d7a-419d-98ad-bc10ab90a697"
  • Add examples/warden.production.example.yaml (no secrets; OpenBao addr + policy off)
  • Archive finished workplans → workplans/archived/260617-WARDEN-WP-000{4,5,6,7}-*.md
  • make fix-consistency REPO=ops-warden after archive

T5 — flex-auth policy gate production readiness (coordination)

id: WARDEN-WP-0008-T05
status: wait
priority: low
state_hub_task_id: "03b412a5-5b99-42df-a154-733dd4156000"
  • Confirm flex-auth ssh-certificate resource policies exist (flex-auth owner)
  • Document enablement procedure for policy.enabled: true in production
  • Smoke test policy deny/allow with fail_closed: true (non-secret evidence)

Blocked until: flex-auth policy package for SSH signing.


Acceptance Criteria

  • Post-WP-0007 reassessment on file; SCOPE current
  • Production warden sign evidence recorded OR explicit operator blocker logged
  • AGENTS.md uses canonical task statuses
  • WP-0004–0007 archived; hub consistency pass
  • Production example config committed (no secrets)

Dependencies

| Dependency | Owner | Blocks |
|---|---|---|
| OpenBao SSH engine + host CA automation | NET-WP-0020 / railiance-* | T2 |
| flex-auth ssh-certificate policies | flex-auth | T5 |
| NK-WP-0009 SSH tutorial | net-kingdom + ops-warden | — (parallel track) |

See also

  • history/2026-06-17-openbao-production-verify.md — health probe (WP-0007)
  • history/2026-06-17-post-wp0007-reassessment.md — latest assessment
  • examples/warden.production.example.yaml — operator config template
  • wiki/OpenBaoSshEngineChecklist.md
  • wiki/PolicyGatedSigning.md — opt-in gate (implemented WP-0007)