generated from coulomb/repo-seed
145 lines
4.8 KiB
Markdown
145 lines
4.8 KiB
Markdown
---
|
||
id: WARDEN-WP-0008
|
||
type: workplan
|
||
title: "Production SSH Path and Stewardship Closeout"
|
||
domain: custodian
|
||
repo: ops-warden
|
||
status: active
|
||
owner: codex
|
||
topic_slug: custodian
|
||
planning_priority: high
|
||
planning_order: 8
|
||
created: "2026-06-17"
|
||
updated: "2026-06-18"
|
||
state_hub_workstream_id: "a174963a-4ff1-4565-b19f-896cd4ff14a0"
|
||
---
|
||
|
||
# WARDEN-WP-0008 — Production SSH Path and Stewardship Closeout
|
||
|
||
**Scope:** Close the reliability gap left after WARDEN-WP-0007 — prove the
|
||
production OpenBao SSH signing path end-to-end, refresh INTENT/SCOPE canon for
|
||
the shipped flex-auth policy gate, adapt repo docs to State Hub task-status
|
||
canon, and archive finished workplans.
|
||
|
||
**Out of scope:** OpenBao cluster deploy or SSH engine bootstrap (operator /
|
||
`railiance-platform`), flex-auth policy package authoring, NK-WP-0009 joint
|
||
tutorial (coordinate separately), populating non-SSH secrets (e.g. OpenRouter
|
||
API keys — route to OpenBao per `wiki/CredentialRouting.md`).
|
||
|
||
---
|
||
|
||
## Goal
|
||
|
||
Move ops-warden from **documented + code-shipped** (WP-0006/0007) to
|
||
**production-verified SSH issuance** with up-to-date stewardship canon:
|
||
|
||
1. A scoped operator can run `warden sign` against `https://bao.coulomb.social`
|
||
and record non-secret evidence.
|
||
2. `SCOPE.md` and reassessment history reflect WP-0007 policy gate as implemented.
|
||
3. Agent/workplan docs use State Hub task lifecycle (`wait` / `todo` / `progress`
|
||
/ `done` / `cancel`).
|
||
4. Finished workplans WP-0004–0007 are archived under `workplans/archived/`.
|
||
|
||
---
|
||
|
||
## Tasks
|
||
|
||
### T1 — Post-WP-0007 INTENT/SCOPE reassessment
|
||
|
||
```task
|
||
id: WARDEN-WP-0008-T01
|
||
status: done
|
||
priority: high
|
||
state_hub_task_id: "05379da4-79d0-4742-8638-9e9565cccf72"
|
||
```
|
||
|
||
- [x] Write `history/2026-06-17-post-wp0007-reassessment.md` (vector D5/A3/C4/R2)
|
||
- [x] Update `SCOPE.md` — policy gate implemented, WP-0008 active
|
||
- [x] Resolve remaining `PolicyGatedSigning.md (not implemented)` references in SCOPE/README
|
||
|
||
### T2 — Production OpenBao end-to-end sign verification
|
||
|
||
```task
|
||
id: WARDEN-WP-0008-T02
|
||
status: done
|
||
priority: high
|
||
state_hub_task_id: "b1a1831d-b2b3-4204-95f6-04dc7f29f67c"
|
||
```
|
||
|
||
- [x] Operator provides scoped `VAULT_TOKEN` (warden-sign policy token)
|
||
- [x] Confirm SSH engine mounted and roles per `wiki/OpenBaoSshEngineChecklist.md`
|
||
- [x] Run `warden sign` + `warden status` + `warden log` against production OpenBao
|
||
- [x] Append pass/fail evidence to `history/2026-06-17-openbao-production-verify.md`
|
||
- [ ] Optional: cert_command smoke via ops-bridge tunnel (non-secret summary only)
|
||
|
||
### T3 — State Hub task status canon migration
|
||
|
||
```task
|
||
id: WARDEN-WP-0008-T03
|
||
status: done
|
||
priority: medium
|
||
state_hub_task_id: "876827c4-4a86-4e58-9a1f-ac87045dc903"
|
||
```
|
||
|
||
- [x] Update `AGENTS.md` task status values and examples (`progress`, `wait`, `cancel`)
|
||
- [x] Update `.claude/rules/workplan-convention.md` task block examples
|
||
- [x] Mark state-hub interface change `649102a2-4373-4621-9848-cc257e67c262` resolved
|
||
- [x] Reply to inbox message `c4072e5a-2afb-44ba-bfa2-7d4cb9979c6e` (read + note adaptation)
|
||
|
||
### T4 — Production config example and archive hygiene
|
||
|
||
```task
|
||
id: WARDEN-WP-0008-T04
|
||
status: done
|
||
priority: medium
|
||
state_hub_task_id: "75b9f366-3d7a-419d-98ad-bc10ab90a697"
|
||
```
|
||
|
||
- [x] Add `examples/warden.production.example.yaml` (no secrets; OpenBao addr + policy off)
|
||
- [x] Archive finished workplans → `workplans/archived/260617-WARDEN-WP-000{4,5,6,7}-*.md`
|
||
- [x] `make fix-consistency REPO=ops-warden` after archive
|
||
|
||
### T5 — flex-auth policy gate production readiness (coordination)
|
||
|
||
```task
|
||
id: WARDEN-WP-0008-T05
|
||
status: wait
|
||
priority: low
|
||
state_hub_task_id: "03b412a5-5b99-42df-a154-733dd4156000"
|
||
```
|
||
|
||
- [ ] Confirm flex-auth `ssh-certificate` resource policies exist (flex-auth owner)
|
||
- [ ] Document enablement procedure for `policy.enabled: true` in production
|
||
- [ ] Smoke test policy deny/allow with `fail_closed: true` (non-secret evidence)
|
||
|
||
**Blocked until:** flex-auth policy package for SSH signing.
|
||
|
||
---
|
||
|
||
## Acceptance Criteria
|
||
|
||
- [x] Post-WP-0007 reassessment on file; SCOPE current
|
||
- [ ] Production `warden sign` evidence recorded OR explicit operator blocker logged
|
||
- [x] AGENTS.md uses canonical task statuses
|
||
- [x] WP-0004–0007 archived; hub consistency pass
|
||
- [x] Production example config committed (no secrets)
|
||
|
||
---
|
||
|
||
## Dependencies
|
||
|
||
| Dependency | Owner | Blocks |
|
||
| --- | --- | --- |
|
||
| OpenBao SSH engine + host CA automation | NET-WP-0020 / railiance-* | T2 |
|
||
| flex-auth ssh-certificate policies | flex-auth | T5 |
|
||
| NK-WP-0009 SSH tutorial | net-kingdom + ops-warden | — (parallel track) |
|
||
|
||
---
|
||
|
||
## See also
|
||
|
||
- `history/2026-06-17-openbao-production-verify.md` — health probe (WP-0007)
|
||
- `history/2026-06-17-post-wp0007-reassessment.md` — latest assessment
|
||
- `examples/warden.production.example.yaml` — operator config template
|
||
- `wiki/OpenBaoSshEngineChecklist.md`
|
||
- `wiki/PolicyGatedSigning.md` — opt-in gate (implemented WP-0007) |