generated from coulomb/repo-seed
Add ops-warden-warden-sign-token routing lane for RAILIANCE-WP-0005 T08
Document the railiance-platform credential broker as the owner-native path for scoped VAULT_TOKEN needs. Add catalog entry, playbook, and doc updates so warden route find ranks the broker lane first; manual export remains a documented fallback only.
@@ -48,6 +48,27 @@ entries:
- "Sign: `warden sign <actor> --pubkey <path>` — cert is written to stdout (the cert_command contract)."
- "TTL is enforced per actor type: adm 48h / agt 24h / atm 8h. No long-lived keys."
- id: ops-warden-warden-sign-token
title: Scoped OpenBao token for ops-warden SSH signing (warden-sign)
need_keywords: [vault_token, vault, token, warden-sign, warden, ops-warden, signing, sign, smoke, flex-auth, credential, broker, lease, openbao, ssh, production]
owner_repo: railiance-platform
subsystem: OpenBao credential broker
warden_executes: false
wiki_ref: wiki/playbooks/ops-warden-warden-sign-token.md#worker-checklist
canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
reviewed: "2026-07-01"
status: active
# Concrete broker lane — RAILIANCE-WP-0005 pilot (live 2026-07-01):
# credential exec injects VAULT_TOKEN only into the child process; ops-warden
# issues SSH certs and never mints or holds OpenBao tokens.
auth_method: "railiance-platform credential broker (issuer via OPENBAO_TOKEN_FILE for apply; child tokens via grant)"
path_template: "credential-grants/catalog.yaml grant ops-warden/warden-sign"
fetch_command: "scripts/credential.py request --grant ops-warden/warden-sign --purpose ops-warden-sign --ttl 15m"
policy_ref: "flex-auth optional preflight per grant catalog"
exec_owner: railiance-platform
exec_command: "scripts/credential.py exec --grant ops-warden/warden-sign --ttl 15m -- <cmd>"
pointer_command: "make credential-exec-ops-warden-smoke"
- id: openbao-api-key
title: API key, DB credential, or dynamic lease
need_keywords: [api, key, secret, database, db, password, token, lease, openbao, vault, kv, dynamic, credential, npm, npm_auth_token, registry]
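Review bot: The new entry's comment says ops-warden "never mints or holds OpenBao tokens", yet the same entry publishes a `fetch_command` (`scripts/credential.py request --grant ops-warden/warden-sign ... --ttl 15m`) that hands a token to the caller, alongside the `exec_command` that injects `VAULT_TOKEN` only into the child process. Since the commit message says the broker lane is primary and manual export is a fallback only, the entry should say so where `fetch_command` is defined (for example a comment marking it as the documented fallback, with `exec_command` as the lane a worker should take), otherwise a reader of the catalog alone sees two equally ranked ways to obtain the token and the "never holds" claim does not hold for the fetch path. Separately, `policy_ref` is a prose description ("flex-auth optional preflight per grant catalog") while `wiki_ref` and `canon_ref` are resolvable paths; point it at the grant's actual policy or catalog location so the preflight can be checked rather than described. Finally, the generic `need_keywords` (`token`, `vault`, `credential`, `lease`, `openbao`) overlap with the adjacent `openbao-api-key` entry; if `warden route find` is expected to rank the broker lane first, as the commit message states, that ranking should not rest on keyword overlap alone, and a note on which distinguishing keywords (`warden-sign`, `ops-warden`) drive the preference would help.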