docs: recognize ops-warden operational SSH credential lane

Add Operational SSH Path to platform architecture and move ops-warden
from out-of-scope to operational SSH dependency in responsibility-map.
Aligns with ops-warden WARDEN-WP-0006 stewardship work.
2026-06-17 08:22:45 +02:00
parent c5688acd92
commit da9debf431
2 changed files with 52 additions and 2 deletions

@@ -133,6 +133,28 @@ their intent and do not appear in the resource map above.
- `railiance-fabric` — tooling NetKingdom uses to provide an interface
- `ops-bridge` — tunnel/transport tooling
- `ops-warden` — operational SSH certificate authority and access-routing
stewardship (see Operational SSH dependency below)
---
## Operational SSH dependency (`ops-warden`)
NetKingdom does not orchestrate ops-warden resources the way it orchestrates
identity or OpenBao mounts, but the platform **depends** on ops-warden for the
operational SSH credential lane:
| | |
| --- | --- |
| **Resources held** | SSH actor inventory, signing policy (TTL/principals), cert-side audit (`signatures.log`) |
| **Repo owns** | `warden` CLI, cert_command contract, ops-ssh-wrapper, stewardship runbooks |
| **NetKingdom orchestrates** | Alignment with IAM actor model (`adm`/`agt`/`atm`); credential-routing canon so workers reach OpenBao/flex-auth/key-cape for non-SSH needs; NK-WP-0009 tutorial linkage |
ops-warden is **post-minimal-bring-up** for platform bootstrap but **in scope**
for ongoing dev-worker and agent SSH access. It must not become a universal
secret broker — runtime secrets remain OpenBao; authorization remains flex-auth.
Canon: `ops-warden/INTENT.md`, `ops-warden/wiki/CredentialRouting.md`.
---
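Review bot: the `Resources held` row lists the actor inventory, signing policy and `signatures.log`, but says nothing about custody of the CA signing key, which for a repo described two bullets up as an "operational SSH certificate authority" is the resource whose compromise matters most; add a row or clause stating which repo holds the CA key and how it is rotated, otherwise the "must not become a universal secret broker" boundary cannot be checked against this table. Minor style point in the same table: the header row is empty (`| | |`), which renders as a blank header line; something like `| Aspect | Detail |` would read properly.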
@@ -143,8 +165,6 @@ Recorded so the scoping decision is explicit and revisitable:
- `artifact-store` — artifact/object-storage **service** consumed by
applications (platform-level storage is held by `railiance-platform`)
- `railiance-apps` — applications
- `ops-warden` — operational SSH-credential tooling (post-setup, not part
of minimal bring-up)
- `railiance-enablement` — developer/CI tooling
- all other domain repositories (application/business capabilities)
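Review bot: removing the `ops-warden` bullet outright sits awkwardly with the list's stated purpose ("Recorded so the scoping decision is explicit and revisitable"), since a reader of this section no longer sees that the repo was once scoped out or where the decision moved. Suggest replacing the two removed lines with a one-line pointer instead of a deletion, e.g. ``- `ops-warden` — moved to the Operational SSH dependency section above (no longer out of scope)``, so the scoping history stays in the document.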