Add a warded ops role for bounded live operations #817
Open
opened 2026-07-09 16:56:13 +00:00 by coilyco-ops
·
3 comments
No Branch/Tag specified
main
issue-1082
issue-1460
issue-1459-daemonless-alias
issue-1454
issue-1453
issue-1301
issue-1443
issue-1283
issue-1447
release
issue-1166
issue-1139
issue-1307
issue-1308
issue-1309
issue-1435
issue-1430
issue-1428
issue-1388
issue-1420
issue-1422
issue-1423
issue-1417
issue-1408
issue-1335
issue-1412
issue-1411
issue-1402
issue-1403
issue-1402-scoop-best-effort
issue-1336
issue-1334
issue-1393
issue-1338
issue-1397
issue-1392
issue-1339
issue-1340
issue-1300
issue-1288
issue-1304
issue-1270
issue-1381
issue-1244
issue-1227
issue-1380
issue-996
issue-1016
issue-1375
issue-1371
issue-1372
issue-1370
issue-1364
issue-1175
issue-1234
issue-1360
issue-1358
issue-1353
issue-1242
issue-1346
issue-1347
issue-1342
issue-1321
issue-1073-rebased
issue-1237-friction-events
issue-1320
issue-1344
issue-1073
issue-1275
issue-1332-replacement
issue-1296
issue-1330-replacement
issue-1224-rebased
issue-1323
issue-993
issue-1243
issue-871
issue-1298
issue-1315
issue-1312
issue-1314
issue-1313
issue-1310
issue-1282
issue-1224
issue-1173
issue-1000
issue-1007
issue-1281
issue-1011
issue-1006-recovery-note
issue-998
issue-1221
issue-1240
issue-1170
issue-1239
issue-1172
issue-1168
issue-1174
issue-1201
issue-1112
issue-1179
issue-1246
issue-1247
issue-1245
issue-1050
issue-1105
issue-1041
issue-1120
issue-1197
issue-1111
issue-1225
issue-1196
issue-1171
issue-1194
issue-1203
issue-1198
issue-1202
issue-1200
issue-1213
issue-1205
issue-1207
issue-1209
issue-1206
issue-1195
issue-1191
issue-1188
issue-1180
issue-1147
issue-1149
issue-1134
issue-1143
issue-1145
issue-1140
issue-1094
issue-1129
issue-1142
stash/agentic-os-image-default-rename
fix/test-env-isolation
docs/features-two-stage-release
fix/promote-server-scheme
fix/smartdefaults-error-source
feat/two-stage-release
issue-1086
fix/placeholder-sentinels
fix/migrate-off-cli-guard-dispatch
fix/test-yml-duplicate-main-gate
issue-1014-landing-fix
issue-911-pr
issue-1109
issue-1008
issue-999
issue-861
issue-1074
issue-1076
issue-1049
issue-1039
issue-994
issue-991
issue-1020
issue-1067
issue-913
issue-982
issue-1034
issue-1005
issue-1031
issue-990
issue-1062
issue-995
issue-1057
issue-905
issue-911
issue-1042
issue-1021
issue-1009
issue-1014
issue-1001
issue-978
issue-985
issue-950
issue-979
issue-977
issue-971
issue-935
issue-970
issue-969
issue-956
issue-965
issue-964
issue-962-restore-readme
issue-951
issue-958-container-config-guard
issue-704
issue-697
issue-896
issue-885
issue-876
issue-895
issue-893
issue-940
issue-923
issue-942
issue-952
issue-952-director
issue-936
issue-937
issue-931
issue-924
issue-920
issue-635
issue-903
issue-892
issue-874
issue-879
issue-890
issue-910
issue-875
issue-897
issue-894
issue-637
issue-842
issue-834
issue-860
issue-541
issue-723
issue-830-github-authoritative
issue-853
issue-634
issue-845
issue-846
issue-843
issue-496
issue-832
issue-777
issue-778
issue-836
issue-700
issue-695
issue-124-share-parser
issue-671
issue-722
issue-694
issue-824
issue-640
issue-735
issue-641
issue-642
issue-818
issue-812
issue-733-clean
issue-804
issue-805
issue-803
issue-735-remove-director-consult
issue-797
issue-801
issue-795
issue-791
issue-790
issue-787
issue-780
issue-737-defer-signoz
issue-732
issue-737-signoz-deferred
issue-734
issue-736
issue-744
issue-769
issue-767
issue-760
issue-763
ward-salvage/ward-c6aa5da9
ward-salvage/ward-94dd7346
issue-729
ward-salvage/ward-58aa3fe3
issue-733
ward-salvage/ward-ff6c509f
ward-salvage/ward-e80f0460
issue-737
ward-salvage/ward-3e2e4760
issue-731
ward-salvage/ward-649addd7
ward-salvage/ward-890e4d29
ward-salvage/ward-645b750b
ward-salvage/ward-bf851a72
ward-salvage/ward-98c8652f
ward-salvage/ward-bb10b620
issue-724
ward-salvage/ward-1ee9be1c
ward-salvage/ward-d18595f6
issue-124
ward-salvage/ward-5f914692
ward-salvage/ward-6ca05cbd
ward-salvage/ward-14f676cf
ward-salvage/ward-de811c20
ward-salvage/ward-eba3e824
ward-salvage/ward-16eb4ad0
ward-salvage/ward-c58e9c43
ward-salvage/ward-7487270b
v0.769.0
v0.768.0
v0.767.0
v0.766.0
v0.765.0
v0.764.0
v0.763.0
v0.762.0
v0.761.0
v0.760.0
v0.759.0
v0.758.0
v0.757.0
v0.756.0
v0.755.0
v0.754.0
v0.753.0
v0.752.0
v0.751.0
v0.750.0
v0.749.0
v0.748.0
v0.747.0
v0.746.0
v0.745.0
v0.744.0
v0.743.0
v0.742.0
v0.741.0
v0.740.0
v0.739.0
v0.738.0
v0.737.0
v0.736.0
v0.735.0
v0.734.0
v0.733.0
v0.732.0
v0.731.0
v0.730.0
v0.729.0
v0.728.0
v0.727.0
v0.726.0
v0.725.0
v0.724.0
v0.723.0
v0.722.0
v0.721.0
v0.720.0
v0.719.0
v0.718.0
v0.717.0
v0.716.0
v0.715.0
v0.714.0
v0.713.0
v0.712.0
v0.711.0
v0.710.0
v0.709.0
v0.708.0
v0.707.0
v0.706.0
v0.705.0
v0.704.0
v0.703.0
v0.702.0
v0.701.0
v0.700.0
v0.699.0
v0.698.0
v0.697.0
v0.696.0
v0.695.0
v0.694.0
v0.693.0
v0.692.0
v0.691.0
v0.690.0
v0.689.0
v0.688.0
v0.687.0
v0.686.0
v0.685.0
v0.684.0
v0.683.0
v0.682.0
v0.681.0
v0.680.0
v0.679.0
v0.678.0
v0.677.0
v0.676.0
v0.675.0
v0.674.0
v0.673.0
v0.672.0
v0.671.0
v0.670.0
v0.669.0
v0.668.0
v0.667.0
v0.666.0
v0.665.0
v0.664.0
v0.663.0
v0.662.0
v0.661.0
v0.660.0
v0.659.0
v0.658.0
v0.657.0
v0.656.0
v0.655.0
v0.654.0
v0.653.0
v0.652.0
v0.651.0
v0.650.0
v0.649.0
v0.648.0
v0.647.0
v0.646.0
v0.645.0
v0.644.0
v0.643.0
v0.642.0
v0.641.0
v0.640.0
v0.639.0
v0.638.0
v0.637.0
v0.636.0
v0.635.0
v0.634.0
v0.633.0
v0.632.0
v0.631.0
v0.630.0
v0.629.0
v0.628.0
v0.627.0
v0.626.0
v0.625.0
v0.624.0
v0.623.0
v0.622.0
v0.621.0
v0.620.0
v0.619.0
v0.618.0
v0.617.0
v0.616.0
v0.615.0
v0.614.0
v0.613.0
v0.612.0
v0.611.0
v0.610.0
v0.609.0
v0.608.0
v0.607.0
v0.606.0
v0.605.0
v0.604.0
v0.603.0
v0.602.0
v0.601.0
v0.600.0
v0.599.0
v0.598.0
v0.597.0
v0.596.0
v0.595.0
v0.594.0
v0.593.0
v0.592.0
v0.591.0
v0.590.0
v0.589.0
v0.588.0
v0.587.0
v0.586.0
v0.585.0
v0.584.0
v0.583.0
v0.582.0
v0.581.0
v0.580.0
v0.579.0
v0.578.0
v0.577.0
v0.576.0
v0.575.0
v0.574.0
v0.573.0
v0.572.0
v0.571.0
v0.570.0
v0.569.0
v0.568.0
v0.567.0
v0.566.0
v0.565.0
v0.564.0
v0.563.0
v0.562.0
v0.561.0
v0.560.0
v0.559.0
v0.558.0
v0.557.0
v0.556.0
v0.555.0
v0.554.0
v0.553.0
v0.552.0
v0.551.0
v0.550.0
v0.549.0
v0.548.0
v0.547.0
v0.546.0
v0.545.0
v0.544.0
v0.543.0
v0.542.0
v0.541.0
v0.540.0
v0.539.0
v0.538.0
v0.537.0
v0.536.0
v0.535.0
v0.534.0
v0.533.0
v0.532.0
v0.531.0
v0.530.0
v0.529.0
v0.528.0
v0.527.0
v0.526.0
v0.525.0
v0.524.0
v0.523.0
v0.522.0
v0.521.0
v0.520.0
v0.519.0
v0.518.0
v0.517.0
v0.516.0
v0.515.0
v0.514.0
v0.513.0
v0.512.0
v0.511.0
v0.510.0
v0.509.0
v0.508.0
v0.507.0
v0.506.0
v0.505.0
v0.504.0
v0.503.0
v0.502.0
v0.501.0
v0.500.0
v0.499.0
v0.498.0
v0.497.0
v0.496.0
v0.495.0
v0.494.0
v0.493.0
v0.492.0
v0.491.0
v0.490.0
v0.489.0
v0.488.0
v0.487.0
v0.486.0
v0.485.0
v0.484.0
v0.483.0
v0.482.0
v0.481.0
v0.480.0
v0.479.0
v0.478.0
v0.477.0
v0.476.0
v0.475.0
v0.474.0
v0.473.0
v0.472.0
v0.471.0
v0.470.0
v0.469.0
v0.468.0
v0.467.0
v0.466.0
v0.465.0
v0.464.0
v0.463.0
v0.462.0
v0.461.0
v0.460.0
v0.459.0
v0.458.0
v0.457.0
v0.456.0
v0.455.0
v0.454.0
v0.453.0
v0.452.0
v0.451.0
v0.450.0
v0.449.0
v0.448.0
v0.447.0
v0.446.0
v0.445.0
v0.444.0
v0.443.0
v0.442.0
v0.441.0
v0.440.0
v0.439.0
v0.438.0
v0.437.0
v0.436.0
v0.435.0
v0.434.0
v0.433.0
v0.432.0
v0.431.0
v0.430.0
v0.429.0
v0.428.0
v0.427.0
v0.426.0
v0.425.0
v0.424.0
v0.423.0
v0.422.0
v0.421.0
v0.420.0
v0.419.0
v0.418.0
v0.417.0
v0.416.0
v0.415.0
v0.414.0
v0.413.0
v0.412.0
v0.411.0
v0.410.0
v0.409.0
v0.408.0
v0.407.0
v0.406.0
v0.405.0
v0.404.0
v0.403.0
v0.402.0
v0.401.0
v0.400.0
v0.399.0
v0.398.0
v0.397.0
v0.396.0
v0.395.0
v0.394.0
v0.393.0
v0.392.0
v0.391.0
v0.390.0
v0.389.0
v0.388.0
v0.387.0
v0.386.0
v0.385.0
v0.384.0
v0.383.0
v0.382.0
v0.381.0
v0.380.0
v0.379.0
v0.378.0
v0.377.0
v0.376.0
v0.375.0
v0.374.0
v0.373.0
v0.372.0
v0.371.0
v0.370.0
v0.369.0
v0.368.0
v0.367.0
v0.366.0
v0.365.0
v0.364.0
v0.363.0
v0.362.0
v0.361.0
v0.360.0
v0.359.0
v0.358.0
v0.357.0
v0.356.0
v0.355.0
v0.354.0
v0.353.0
v0.352.0
v0.351.0
v0.350.0
v0.349.0
v0.348.0
v0.347.0
v0.346.0
v0.345.0
v0.344.0
v0.343.0
v0.342.0
v0.341.0
v0.340.0
v0.339.0
v0.338.0
v0.337.0
v0.336.0
v0.335.0
v0.334.0
v0.333.0
v0.332.0
v0.331.0
v0.330.0
v0.329.0
v0.328.0
v0.327.0
v0.326.0
v0.325.0
v0.324.0
v0.323.0
v0.322.0
v0.321.0
v0.320.0
v0.319.0
v0.318.0
v0.317.0
v0.316.0
v0.315.0
v0.314.0
v0.313.0
v0.312.0
v0.311.0
v0.310.0
v0.309.0
v0.308.0
v0.307.0
v0.306.0
v0.305.0
v0.304.0
v0.303.0
v0.302.0
v0.301.0
v0.300.0
v0.299.0
v0.298.0
v0.297.0
v0.296.0
v0.295.0
v0.294.0
v0.293.0
v0.292.0
v0.291.0
v0.290.0
v0.289.0
v0.288.0
v0.287.0
v0.286.0
v0.285.0
v0.284.0
v0.283.0
v0.282.0
v0.281.0
v0.280.0
v0.279.0
v0.278.0
v0.277.0
v0.276.0
v0.275.0
v0.274.0
v0.273.0
v0.272.0
v0.271.0
v0.270.0
v0.269.0
v0.268.0
v0.267.0
v0.266.0
v0.265.0
v0.264.0
v0.263.0
v0.262.0
v0.261.0
v0.260.0
v0.259.0
v0.258.0
v0.257.0
v0.256.0
v0.255.0
v0.254.0
v0.253.0
v0.252.0
v0.251.0
v0.250.0
v0.249.0
v0.248.0
v0.247.0
v0.246.0
v0.245.0
v0.244.0
v0.243.0
v0.242.0
v0.241.0
v0.240.0
v0.239.0
v0.238.0
v0.237.0
v0.236.0
v0.235.0
v0.234.0
v0.233.0
v0.232.0
v0.231.0
v0.230.0
v0.229.0
v0.228.0
v0.227.0
v0.226.0
v0.225.0
v0.224.0
v0.223.0
v0.222.0
v0.221.0
v0.220.0
v0.219.0
v0.218.0
v0.217.0
v0.216.0
v0.215.0
v0.214.0
v0.213.0
v0.212.0
v0.211.0
v0.210.0
v0.209.0
v0.208.0
v0.207.0
v0.206.0
v0.205.0
v0.204.0
v0.203.0
v0.202.0
v0.201.0
v0.200.0
v0.199.0
v0.198.0
v0.197.0
v0.196.0
v0.195.0
v0.194.0
v0.193.0
v0.192.0
v0.191.0
v0.190.0
v0.189.0
v0.188.0
v0.187.0
v0.186.0
v0.185.0
v0.184.0
v0.183.0
v0.182.0
v0.181.0
v0.180.0
v0.179.0
v0.178.0
v0.177.0
v0.176.0
v0.175.0
v0.174.0
v0.173.0
v0.172.0
v0.171.0
v0.170.0
v0.169.0
v0.168.0
v0.167.0
v0.166.0
v0.165.0
v0.164.0
v0.163.0
v0.162.0
v0.161.0
v0.160.0
v0.159.0
v0.158.0
v0.157.0
v0.156.0
v0.155.0
v0.154.0
v0.153.0
v0.152.0
v0.151.0
v0.150.0
v0.149.0
v0.148.0
v0.147.0
v0.146.0
v0.145.0
v0.144.0
v0.143.0
v0.142.0
v0.141.0
v0.140.0
v0.139.0
v0.138.0
v0.137.0
v0.136.0
v0.135.0
v0.134.0
v0.133.0
v0.132.0
v0.131.0
v0.130.0
v0.129.0
v0.128.0
v0.127.0
v0.126.0
v0.125.0
v0.124.0
v0.123.0
v0.122.0
v0.121.0
v0.120.0
v0.119.0
v0.118.0
v0.117.0
v0.116.0
v0.115.0
v0.114.0
v0.113.0
v0.112.0
v0.111.0
v0.110.0
v0.109.0
v0.108.0
v0.107.0
v0.106.0
v0.105.0
v0.104.0
v0.103.0
v0.102.0
v0.101.0
v0.100.0
v0.99.0
v0.98.0
v0.97.0
v0.96.0
v0.95.0
v0.94.0
v0.93.0
v0.92.0
v0.91.0
v0.90.0
v0.89.0
v0.88.0
v0.87.0
v0.86.0
v0.85.0
v0.84.0
v0.83.0
v0.82.0
v0.81.0
v0.80.0
v0.79.0
v0.78.0
v0.77.0
v0.76.0
v0.75.0
v0.74.0
v0.73.0
v0.72.0
v0.71.0
v0.70.0
v0.69.0
v0.68.0
v0.67.0
v0.66.0
v0.65.0
v0.64.0
v0.63.0
v0.62.0
v0.61.0
v0.60.0
v0.59.0
v0.58.0
v0.57.0
v0.56.0
v0.55.0
v0.54.0
v0.53.0
v0.52.0
v0.51.0
v0.50.0
v0.49.0
v0.48.0
v0.47.0
v0.46.0
v0.45.0
v0.44.0
v0.43.0
v0.42.0
v0.41.0
v0.40.0
v0.39.0
v0.38.0
v0.37.0
v0.36.0
v0.35.0
v0.34.0
v0.33.0
v0.32.0
v0.31.0
v0.30.0
v0.29.0
v0.28.0
v0.27.0
v0.26.0
v0.25.0
v0.24.0
v0.23.0
v0.22.0
v0.21.0
v0.20.0
v0.19.0
v0.18.0
v0.17.0
v0.16.0
v0.15.0
v0.14.0
v0.13.0
v0.12.0
v0.11.0
v0.10.0
v0.9.0
v0.8.0
v0.7.0
v0.6.0
v0.5.8
v0.5.7
v0.5.6
v0.5.5
v0.5.4
v0.5.3
v0.5.2
v0.5.1
v0.5.0
v0.4.0
v0.3.0
v0.2.2
v0.2.1
v0.2.0
v0.1.3
v0.1.2
v0.1.1
v0.1.0
v0.0.18
v0.0.17
v0.0.16
v0.0.15
v0.0.14
v0.0.13
v0.0.12
v0.0.11
v0.0.10
v0.0.9
v0.0.8
v0.0.7
v0.0.6
v0.0.5
v0.0.4
v0.0.3
v0.0.2
v0.0.1
Labels
Clear labels
burndown-2026-06
Backlog burndown June 2026
pressure-test
Cold-read release pressure-test findings and coordination
sunday-sprint
Burn-down by Sunday 2026-06-07
coherence-core
Core review set for the warded control plane coherence milestone. These issues form the release spine; adjacent milestone issues are stretch or supporting work.
consult
A human decision, design, or external action must happen first. Fail-closed default for unlabeled/low-confidence.
headless
Agent can take it from open issue to merged change with no human in the loop. The auto-burndown queue.
interactive
Agent does the work but pauses at a human checkpoint mid-flight (design choice, destructive step, human-only verification).
P0
now / blocking / urgent
P1
next / important
P2
backlog / will do
P3
someday / low
P4
icebox / frozen / reopen if it becomes real
No labels
burndown-2026-06
pressure-test
sunday-sprint
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/ward#817
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Context from deploy director surface on 2026-07-09. ser8 is now the canonical ops/o11y plane, with deploy owning the service manifests and warded agents increasingly needing to inspect live state without pretending that an engineer role is the right shape.
Recommendation: add a warded ops role rather than widening engineer/advisor. The role should be live-observe first, bounded-mutate second. It should fit ser8 and o11y work where the agent needs tailnet, kube contexts, SSM reads, and observability panes, while preserving hard fences around destructive actions.
Initial scope:
Non-goals:
Design questions:
Deploy-side references to read before design: coilyco-bridge/deploy docs/o11y.md, docs/o11y-sources.md, services/ser8-observability/docs/ser8-k3s.md, services/ser8-observability/docs/ser8-signoz.md, and services/fleet-reachability/docs/gatus.md.
🔎 ward agent advisor
ward agent advisor --harness codexran a one-shot standard research pass on this question:Recommendation
Add
opsas a first-classwardedstartup role, not as a hidden guardfile profile ondirectororadvisor.The reason is structural, not cosmetic:
wardalready models behavior at the role layer and permissions at the guardfile layer.advisoris explicitly answer-only and comment/fanout oriented.directoris a backlog supervisor that dispatchesengineerwork and owns the drain surface.opslane has a different contract: inspect live state first, take tightly bounded reversible actions second, then report evidence and file/dispatch repo work when the fix belongs in code.That is role-shaped behavior, not just a different permission bundle.
A good v1 shape is:
warded ops <ref>for issue-bound live investigation.directorcan learn to dispatchopsfor issues labeled or triaged as operational. That should be a follow-up, not the first slice.What the repo already says
The current repo already points toward this split:
docs/agent.mddefines a startup-role roster:engineer,director,advisor,qa.directorandadvisoralready carry the live-observe set through role wiring in.ward/ward-kdl/ward-kdl.fleet.kdl.ser8is now the canonical ops/o11y plane, with:ser8:30428ser8:30808ser8andkai-serverSo the issue is not whether a live-ops surface is needed. It is whether ward should represent it explicitly. The answer is yes.
Advisory design
1. Make
opsa startup roleRecommended behavior contract:
opsfiles and dispatches implementation work instead of editing code itself.Why not a director profile:
2. Split observe from mutate in the surfaced verbs, not just in the prompt
This is the biggest implementation risk.
Today the existing guardfiles are too broad to reuse unchanged for a "live-observe first" role:
ward-kdl ops awsincludes reads, but alsossm put-parameter,s3 cp, ands3 sync.ward-kdl ops kubectlincludes reads, but alsoapply,scale,rollout restart, androllout undo.ward-kdl ops signozalready includes both read-like query paths and mutating paths such as pipeline/dashboard/rule create/edit.If
opssimply inherits those guardfiles, the role will not actually be bounded the way the issue asks.Recommended pattern:
ward-kdl-read/ward-kdl-write/ward-kdl-adminsplit already used for Forgejo and SigNoz.opsa read-first default bundle.That keeps the safety property in the compiled surface, not in agent obedience alone.
3. Prefer purpose-built operator verbs over generic raw tooling for mutations
The issue body already hints at the right principle: reversible live actions should go through explicit
ward/ward-kdlverbs.That argues against exposing generic mutation-heavy tools as the main write path.
For v1, prefer verbs like these over broad
kubectl applyor ad hochelmuse:rollout restartfor a named workloadrollout status/rollout history/rollout undoforce-sync-secretwrapper modeled ondeploy/scripts/force-sync-secret.shtemplate,diff,list,status,get values,get manifestThis gives the audit log a stable intent vocabulary and avoids turning
opsinto "engineer with kube access".Recommended v1 verb set
Safe to include in v1
These fit the "live-observe first, bounded-mutate second" brief well:
kubectl get,describe,logs,events,top,config current-context,config get-contextskubectl rollout restartkubectl rollout statuskubectl rollout historykubectl rollout undohelm templatehelm diffor equivalent previewhelm list,helm status,helm get values,helm get manifestDefer from v1
These are either too broad, insufficiently audited, or conflict with the current design intent:
kubectl applykubectl scaleAnswers to the issue's design questions
Should
opsbe a startup role or a guardfile profile?Recommendation: startup role.
Keep the internal implementation as role -> guardfile bundles, but expose
opsas a first-class role besideengineer/director/advisor/qa.That gives ward a clean place for:
What mutation verbs are safe for v1?
Recommended yes:
Recommended no for v1:
kubectl applyRationale:
rollout restartandrollout undoare operationally common, scoped, and reversible.helm diff/templateare read-only and align with the brief.force-sync-secretalready has a concrete deploy-side operational model.How should ops report evidence back to an issue?
Use a structured markdown comment with fixed sections.
Recommended shape:
ward/ward-kdlcommands runnoneor the explicit bounded mutation performedresolved operationally,needs human follow-up, orfile + dispatch implementation workRules worth baking into the prompt/docs:
Gaps the issue should account for
These are the concrete holes between the desired role and the current repo state:
awsandkubectlsurfaces are too broad to reuse unchanged for an observe-first role.Risks
opsis not clearly no-code, it will drift into engineer territory.opsreuses current broad guardfiles, the safety model will be mostly social, not compiled.kubectl/awsmutations make it harder to tell intent from logs than purpose-built ops verbs do.Final recommendation
Post back on the issue with this direction:
warded opsas a new startup role.Researched and posted automatically by
ward agent advisor --harness codex(ward#179). This is one-shot research, not a carried change - verify before acting on it.— Codex, via
ward agentI think the way we do this is via downgrading director / engineer / advisor / qa to ward KDL "read" tier, and having ops be the only one we gets "write"
Except... director and engineer need simple writes like issue status...
So we probably need to do pre-work around the ward KDL security tiers they maybe well here, its just that their names are off
And doing THAT probably wants us to swap ward KDL to be aos released
Appraisal after the advisor answer and Kai's follow-up:
The advisor is directionally right that
opsis role-shaped behavior, not just a hidden profile. Its strongest point is the role contract: live investigation, bounded reversible action, evidence report, then file or dispatch repo work. That should stay.Kai's follow-up catches the deeper prerequisite: the current tier names and bundles are not quite the security model we want. The real split is not simply read/write/admin per API. It is role capability posture:
director,engineer,advisor, andqamostly need observe plus issue-thread writes.engineeralso needs git/repo writes inside its owned feature container, but that is different from live ops mutation.directorneeds dispatch and issue status/comment writes, but not cluster mutation.opsis the first role that should intentionally receive live operational write verbs.So the next slice should not be "add
opsand point it at existing write guardfiles." The next slice should be a tier taxonomy pass that separates:That means the advisor's proposed
opsv1 is a good destination, but its implementation should depend on this tier cleanup. Otherwiseopswill inherit today's broadaws,kubectl, orsignozsurfaces and the safety story will be mostly prompt discipline.On "swap ward KDL to be aos released": that looks mostly done or at least already tracked by ward#503. The aos docs say the coilyco ward-spec bundle is authored in aos and overlaid into ward release builds as of the 2026-07-07 cutover. I would treat that as a dependency check, not a new design direction. The still-open architectural sibling is ward#721, which says KDL should remain edge-surface authoring and not become ward core's runtime control plane.
Recommended dependency chain:
warded opsas a first-class role using the cleaned tier model: observe by default, forge coordination writes where needed, and only tiny live-ops writes.opsuntil the standalone role and tier fences have held up.Bottom line: keep the advisor's role recommendation, but accept Kai's correction that tier cleanup comes first.
opsshould be the role that proves the new tier model, not the role that papers over the old one.