| id | type | title | domain | repo | status | owner | topic_slug | planning_priority | planning_order | created | updated | state_hub_workstream_id |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WARDEN-WP-0008 | workplan | Production SSH Path and Stewardship Closeout | custodian | ops-warden | active | codex | custodian | high | 8 | 2026-06-17 | 2026-06-18 | a174963a-4ff1-4565-b19f-896cd4ff14a0 |
WARDEN-WP-0008 — Production SSH Path and Stewardship Closeout
Scope: Close the reliability gap left after WARDEN-WP-0007 — prove the production OpenBao SSH signing path end-to-end, refresh INTENT/SCOPE canon for the shipped flex-auth policy gate, adapt repo docs to State Hub task-status canon, and archive finished workplans.
Out of scope: OpenBao cluster deploy or SSH engine bootstrap (operator /
railiance-platform), flex-auth policy package authoring, NK-WP-0009 joint
tutorial (coordinate separately), populating non-SSH secrets (e.g. OpenRouter
API keys — route to OpenBao per wiki/CredentialRouting.md).
Goal
Move ops-warden from documented + code-shipped (WP-0006/0007) to production-verified SSH issuance with up-to-date stewardship canon:
- A scoped operator can run `warden sign` against `https://bao.coulomb.social` and record non-secret evidence.
- `SCOPE.md` and reassessment history reflect WP-0007 policy gate as implemented.
- Agent/workplan docs use State Hub task lifecycle (`wait`/`todo`/`progress`/`done`/`cancel`).
- Finished workplans WP-0004–0007 are archived under `workplans/archived/`.
Tasks
T1 — Post-WP-0007 INTENT/SCOPE reassessment
id: WARDEN-WP-0008-T01
status: done
priority: high
state_hub_task_id: "05379da4-79d0-4742-8638-9e9565cccf72"
- Write `history/2026-06-17-post-wp0007-reassessment.md` (vector D5/A3/C4/R2)
- Update `SCOPE.md` — policy gate implemented, WP-0008 active
- Resolve remaining `PolicyGatedSigning.md (not implemented)` references in SCOPE/README
T2 — Production OpenBao end-to-end sign verification
id: WARDEN-WP-0008-T02
status: done
priority: high
state_hub_task_id: "b1a1831d-b2b3-4204-95f6-04dc7f29f67c"
- Operator provides scoped `VAULT_TOKEN` (warden-sign policy token)
- Confirm SSH engine mounted and roles per `wiki/OpenBaoSshEngineChecklist.md`
- Run `warden sign` + `warden status` + `warden log` against production OpenBao
- Append pass/fail evidence to `history/2026-06-17-openbao-production-verify.md`
- Optional: cert_command smoke via ops-bridge tunnel (non-secret summary only)
T3 — State Hub task status canon migration
id: WARDEN-WP-0008-T03
status: done
priority: medium
state_hub_task_id: "876827c4-4a86-4e58-9a1f-ac87045dc903"
- Update `AGENTS.md` task status values and examples (`progress`, `wait`, `cancel`)
- Update `.claude/rules/workplan-convention.md` task block examples
- Mark state-hub interface change `649102a2-4373-4621-9848-cc257e67c262` resolved
- Reply to inbox message `c4072e5a-2afb-44ba-bfa2-7d4cb9979c6e` (read + note adaptation)
T4 — Production config example and archive hygiene
id: WARDEN-WP-0008-T04
status: done
priority: medium
state_hub_task_id: "75b9f366-3d7a-419d-98ad-bc10ab90a697"
- Add `examples/warden.production.example.yaml` (no secrets; OpenBao addr + policy off)
- Archive finished workplans → `workplans/archived/260617-WARDEN-WP-000{4,5,6,7}-*.md`
- `make fix-consistency REPO=ops-warden` after archive
T5 — flex-auth policy gate production readiness (coordination)
id: WARDEN-WP-0008-T05
status: wait
priority: low
state_hub_task_id: "03b412a5-5b99-42df-a154-733dd4156000"
- Confirm flex-auth `ssh-certificate` resource policies exist (flex-auth owner)
- Document enablement procedure for `policy.enabled: true` in production
- Smoke test policy deny/allow with `fail_closed: true` (non-secret evidence)
Blocked until: flex-auth policy package for SSH signing.
Acceptance Criteria
- Post-WP-0007 reassessment on file; SCOPE current
- Production `warden sign` evidence recorded OR explicit operator blocker logged
- AGENTS.md uses canonical task statuses
- WP-0004–0007 archived; hub consistency pass
- Production example config committed (no secrets)
Dependencies
| Dependency | Owner | Blocks |
|---|---|---|
| OpenBao SSH engine + host CA automation | NET-WP-0020 / railiance-* | T2 |
| flex-auth ssh-certificate policies | flex-auth | T5 |
| NK-WP-0009 SSH tutorial | net-kingdom + ops-warden | — (parallel track) |
See also
- `history/2026-06-17-openbao-production-verify.md` — health probe (WP-0007)
- `history/2026-06-17-post-wp0007-reassessment.md` — latest assessment
- `examples/warden.production.example.yaml` — operator config template
- `wiki/OpenBaoSshEngineChecklist.md`
- `wiki/PolicyGatedSigning.md` — opt-in gate (implemented WP-0007)