ops-warden/workplans/WARDEN-WP-0008-production-ssh-path-and-stewardship-closeout.md
tegwick fdc8ecfc8b docs(WP-0008): T2 production sign verification passed (2026-06-18)
Record live OpenBao SSH engine apply, host CA bootstrap, and warden sign smoke.
2026-06-18 01:18:57 +02:00

---
id: WARDEN-WP-0008
type: workplan
title: "Production SSH Path and Stewardship Closeout"
domain: custodian
repo: ops-warden
status: active
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 8
created: "2026-06-17"
updated: "2026-06-18"
state_hub_workstream_id: "a174963a-4ff1-4565-b19f-896cd4ff14a0"
---
# WARDEN-WP-0008 — Production SSH Path and Stewardship Closeout
**Scope:** Close the reliability gap left after WARDEN-WP-0007 — prove the
production OpenBao SSH signing path end-to-end, refresh INTENT/SCOPE canon for
the shipped flex-auth policy gate, adapt repo docs to State Hub task-status
canon, and archive finished workplans.
**Out of scope:** OpenBao cluster deploy or SSH engine bootstrap (operator /
`railiance-platform`), flex-auth policy package authoring, NK-WP-0009 joint
tutorial (coordinate separately), populating non-SSH secrets (e.g. OpenRouter
API keys — route to OpenBao per `wiki/CredentialRouting.md`).
---
## Goal
Move ops-warden from **documented + code-shipped** (WP-0006/0007) to
**production-verified SSH issuance** with up-to-date stewardship canon:
1. A scoped operator can run `warden sign` against `https://bao.coulomb.social`
and record non-secret evidence.
2. `SCOPE.md` and reassessment history reflect WP-0007 policy gate as implemented.
3. Agent/workplan docs use State Hub task lifecycle (`wait` / `todo` / `progress`
/ `done` / `cancel`).
4. Finished workplans WP-0004 through WP-0007 are archived under `workplans/archived/`.
---
## Tasks
### T1 — Post-WP-0007 INTENT/SCOPE reassessment
```task
id: WARDEN-WP-0008-T01
status: done
priority: high
state_hub_task_id: "05379da4-79d0-4742-8638-9e9565cccf72"
```
- [x] Write `history/2026-06-17-post-wp0007-reassessment.md` (vector D5/A3/C4/R2)
- [x] Update `SCOPE.md` — policy gate implemented, WP-0008 active
- [x] Resolve remaining `PolicyGatedSigning.md (not implemented)` references in SCOPE/README
### T2 — Production OpenBao end-to-end sign verification
```task
id: WARDEN-WP-0008-T02
status: done
priority: high
state_hub_task_id: "b1a1831d-b2b3-4204-95f6-04dc7f29f67c"
```
- [x] Operator provides scoped `VAULT_TOKEN` (warden-sign policy token)
- [x] Confirm SSH engine mounted and roles per `wiki/OpenBaoSshEngineChecklist.md`
- [x] Run `warden sign` + `warden status` + `warden log` against production OpenBao
- [x] Append pass/fail evidence to `history/2026-06-17-openbao-production-verify.md`
- [ ] Optional: cert_command smoke via ops-bridge tunnel (non-secret summary only)
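The T2 steps above ask for non-secret evidence of a production `warden sign` run. As an added example (not ops-warden code; it assumes `warden sign` leaves a standard OpenSSH `*-cert.pub` file, and the key id, principal, serial and validity values in the fixture are constructed), this parses the certificate's public fields, applies the checks a sign smoke test should apply, and emits a history line built only from those fields, so the `VAULT_TOKEN` and the private key cannot end up in the record:

```python
import base64
import hashlib
import json

CERT_TYPES = {1: "user", 2: "host"}
# Public-key fields between the nonce and the serial, per certificate type.
KEY_FIELDS = {"ssh-ed25519-cert-v01@openssh.com": 1,          # pk
              "ssh-rsa-cert-v01@openssh.com": 2,              # e, n
              "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2}  # curve, Q
FOREVER = 2**64 - 1  # valid_before sentinel meaning "never expires"

class _Reader:
    """Sequential reader for the SSH wire types string, uint32 and uint64 (RFC 4251)."""
    def __init__(self, buf: bytes) -> None:
        self.buf, self.off = buf, 0
    def take(self, n: int) -> bytes:
        if self.off + n > len(self.buf):
            raise ValueError("truncated certificate")
        self.off += n
        return self.buf[self.off - n:self.off]
    def uint(self, width: int) -> int:
        return int.from_bytes(self.take(width), "big")
    def string(self) -> bytes:
        return self.take(self.uint(4))
    def done(self) -> bool:
        return self.off == len(self.buf)

def _strings(blob: bytes, pairs: bool = False) -> list[str]:
    """Nested string list (principals) or name/data pairs (options, extensions)."""
    r, out = _Reader(blob), []
    while not r.done():
        out.append(r.string().decode())
        if pairs:
            r.string()  # option data; empty for the permit-* extensions
    return out

def fingerprint(key_blob: bytes) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(key_blob).digest()).decode().rstrip("=")

def parse_certificate(line: str) -> dict:
    """Parse one `*-cert.pub` line into its public fields; the signature is not verified."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in KEY_FIELDS:
        raise ValueError("expected '<supported cert type> <base64> [comment]'")
    r = _Reader(base64.b64decode(parts[1]))
    if r.string().decode() != parts[0]:
        raise ValueError("type prefix does not match certificate body")
    r.string()  # nonce
    for _ in range(KEY_FIELDS[parts[0]]):
        r.string()  # public key material of the signed key
    ev = {"serial": r.uint(8), "cert_type": CERT_TYPES.get(r.uint(4), "unknown"),
          "key_id": r.string().decode(), "principals": _strings(r.string()),
          "valid_after": r.uint(8), "valid_before": r.uint(8),
          "critical_options": _strings(r.string(), pairs=True),
          "extensions": _strings(r.string(), pairs=True)}
    r.string()  # reserved
    ev["ca_fingerprint"] = fingerprint(r.string())  # signature key = CA public key
    r.string()  # signature: verify with ssh-keygen -L / sshd, not here
    if not r.done():
        raise ValueError("trailing bytes after signature")
    return ev

def check(ev: dict, now: int, max_ttl: int, principal: str) -> list[str]:
    """Findings that turn a sign smoke test into a FAIL record."""
    findings = []
    if ev["cert_type"] != "user":
        findings.append("not a user certificate")
    if principal not in ev["principals"]:
        findings.append(f"principal {principal!r} not in {ev['principals']}")
    if ev["valid_before"] == FOREVER:
        findings.append("certificate never expires")
    elif ev["valid_before"] - ev["valid_after"] > max_ttl:
        findings.append("TTL exceeds policy")
    if not ev["valid_after"] <= now < ev["valid_before"]:
        findings.append("certificate not currently valid")
    return findings

def history_line(ev: dict, findings: list[str]) -> str:
    """One JSON line for the history file: certificate fields only, never the token."""
    rec = dict(ev, result="FAIL" if findings else "PASS", findings=findings)
    return json.dumps(rec, sort_keys=True)

def _s(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b

def sample_certificate() -> str:
    """Constructed ed25519 certificate with filler key and signature bytes (unsigned fixture)."""
    ca_blob = _s(b"ssh-ed25519") + _s(bytes(range(32)))
    body = (_s(b"ssh-ed25519-cert-v01@openssh.com") + _s(bytes(32)) + _s(bytes(32))
            + (0x1234).to_bytes(8, "big") + (1).to_bytes(4, "big")
            + _s(b"warden-smoke") + _s(_s(b"ops"))
            + (1_781_000_000).to_bytes(8, "big") + (1_781_001_800).to_bytes(8, "big")
            + _s(b"") + _s(_s(b"permit-pty") + _s(b"")) + _s(b"")
            + _s(ca_blob) + _s(_s(b"ssh-ed25519") + _s(bytes(64))))
    return "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode() + " smoke"

if __name__ == "__main__":
    ev = parse_certificate(sample_certificate())
    print(history_line(ev, check(ev, now=1_781_000_010, max_ttl=3600, principal="ops")))
```

The signature is deliberately not checked here: `ssh-keygen -L -f <cert>` and the target `sshd` are the verifiers of record, and the CA fingerprint in the record is what an operator compares against the host CA bootstrapped per `wiki/OpenBaoSshEngineChecklist.md`. `sample_certificate()` builds an unsigned fixture so the block runs offline; on a real run, pass the line from the file `warden sign` wrote.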
### T3 — State Hub task status canon migration
```task
id: WARDEN-WP-0008-T03
status: done
priority: medium
state_hub_task_id: "876827c4-4a86-4e58-9a1f-ac87045dc903"
```
- [x] Update `AGENTS.md` task status values and examples (`progress`, `wait`, `cancel`)
- [x] Update `.claude/rules/workplan-convention.md` task block examples
- [x] Mark state-hub interface change `649102a2-4373-4621-9848-cc257e67c262` resolved
- [x] Reply to inbox message `c4072e5a-2afb-44ba-bfa2-7d4cb9979c6e` (read + note adaptation)
### T4 — Production config example and archive hygiene
```task
id: WARDEN-WP-0008-T04
status: done
priority: medium
state_hub_task_id: "75b9f366-3d7a-419d-98ad-bc10ab90a697"
```
- [x] Add `examples/warden.production.example.yaml` (no secrets; OpenBao addr + policy off)
- [x] Archive finished workplans → `workplans/archived/260617-WARDEN-WP-000{4,5,6,7}-*.md`
- [x] `make fix-consistency REPO=ops-warden` after archive
### T5 — flex-auth policy gate production readiness (coordination)
```task
id: WARDEN-WP-0008-T05
status: wait
priority: low
state_hub_task_id: "03b412a5-5b99-42df-a154-733dd4156000"
```
- [ ] Confirm flex-auth `ssh-certificate` resource policies exist (flex-auth owner)
- [ ] Document enablement procedure for `policy.enabled: true` in production
- [ ] Smoke test policy deny/allow with `fail_closed: true` (non-secret evidence)
**Blocked until:** flex-auth policy package for SSH signing.
---
## Acceptance Criteria
- [x] Post-WP-0007 reassessment on file; SCOPE current
- [ ] Production `warden sign` evidence recorded OR explicit operator blocker logged
- [x] AGENTS.md uses canonical task statuses
- [x] WP-0004 through WP-0007 archived; hub consistency pass
- [x] Production example config committed (no secrets)
---
## Dependencies
| Dependency | Owner | Blocks |
| --- | --- | --- |
| OpenBao SSH engine + host CA automation | NET-WP-0020 / railiance-* | T2 |
| flex-auth ssh-certificate policies | flex-auth | T5 |
| NK-WP-0009 SSH tutorial | net-kingdom + ops-warden | — (parallel track) |
---
## See also
- `history/2026-06-17-openbao-production-verify.md` — health probe (WP-0007)
- `history/2026-06-17-post-wp0007-reassessment.md` — latest assessment
- `examples/warden.production.example.yaml` — operator config template
- `wiki/OpenBaoSshEngineChecklist.md`
- `wiki/PolicyGatedSigning.md` — opt-in gate (implemented WP-0007)