docs: align architecture and scope with AccessManagementDirective

Expands architecture constraints and SCOPE.md to reflect the three-actor
vocabulary (adm/agt/atm), two credential modes (static key + cert_command),
and ops-warden boundary. Adds directive wiki doc and two new workplans
(BRIDGE-WP-0004 directive alignment, WARDEN-WP-0001 ops-warden bootstrap).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-28 00:59:38 +00:00
parent 75a559780e
commit f3a7236c5d
5 changed files with 773 additions and 15 deletions

View File

@@ -17,11 +17,18 @@ The catalog layout follows: `opscatalog/domains/<domain>/{domain.yaml,
targets/, bridges/, docs/}`.
Key design constraints:
- OpsBridge owns lifecycle management only; it does not own identity/credentials
- OpsBridge owns lifecycle management only; it does not own credential issuance or CA
operations (those belong to `ops-warden`)
- Each tunnel is identified by name (e.g. `state-hub-coulombcore`); names used
in config, CLI args, and log filenames must stay consistent
- Actor attribution (human operator vs. automation agent) is tracked per bridge
for audit log traceability (FRS §5.7)
- Actor attribution is tracked per bridge using the three-actor vocabulary from the
AccessManagementDirective: `adm` (human), `agt` (LLM agent), `atm` (automation);
actor names must carry the matching prefix (`adm-*`, `agt-*`, `atm-*`) (FRS §5.7)
- Two credential modes are first-class and must remain independently functional:
1. **Static key mode** (default) — `ssh_key` only; no TTL, no cert logic
2. **cert_command mode** — a pluggable shell command that issues a CA-signed cert
before each SSH launch; TTL parsed from the cert; pre-emptive refresh ~5 min
before expiry; `cert_identity` logged in every `BRIDGE_CONNECTED` event
Specification docs are in `wiki/`: PRD (`OpsBridgePrd.md`), FRS
(`OpsBridgeFrs.md`), and OpsCatalog spec (`OpsCatalogSpecification.md`).