Add ops-warden-warden-sign-token routing lane for RAILIANCE-WP-0005 T08

Document the railiance-platform credential broker as the owner-native path
for scoped VAULT_TOKEN needs. Add catalog entry, playbook, and doc updates
so warden route find ranks the broker lane first; manual export remains a
documented fallback only.
2026-07-01 23:16:38 +02:00
parent c96b27051f
commit 0c1082059b
7 changed files with 217 additions and 16 deletions

@@ -48,6 +48,27 @@ entries:
- "Sign: `warden sign <actor> --pubkey <path>` — cert is written to stdout (the cert_command contract)."
- "TTL is enforced per actor type: adm 48h / agt 24h / atm 8h. No long-lived keys."
- id: ops-warden-warden-sign-token
title: Scoped OpenBao token for ops-warden SSH signing (warden-sign)
need_keywords: [vault_token, vault, token, warden-sign, warden, ops-warden, signing, sign, smoke, flex-auth, credential, broker, lease, openbao, ssh, production]
owner_repo: railiance-platform
subsystem: OpenBao credential broker
warden_executes: false
wiki_ref: wiki/playbooks/ops-warden-warden-sign-token.md#worker-checklist
canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
reviewed: "2026-07-01"
status: active
# Concrete broker lane — RAILIANCE-WP-0005 pilot (live 2026-07-01):
# credential exec injects VAULT_TOKEN only into the child process; ops-warden
# issues SSH certs and never mints or holds OpenBao tokens.
auth_method: "railiance-platform credential broker (issuer via OPENBAO_TOKEN_FILE for apply; child tokens via grant)"
path_template: "credential-grants/catalog.yaml grant ops-warden/warden-sign"
fetch_command: "scripts/credential.py request --grant ops-warden/warden-sign --purpose ops-warden-sign --ttl 15m"
policy_ref: "flex-auth optional preflight per grant catalog"
exec_owner: railiance-platform
exec_command: "scripts/credential.py exec --grant ops-warden/warden-sign --ttl 15m -- <cmd>"
pointer_command: "make credential-exec-ops-warden-smoke"
- id: openbao-api-key
title: API key, DB credential, or dynamic lease
need_keywords: [api, key, secret, database, db, password, token, lease, openbao, vault, kv, dynamic, credential, npm, npm_auth_token, registry]
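Review bot: the need_keywords on the new ops-warden-warden-sign-token entry (vault_token, vault, token, credential, lease, openbao, secret-adjacent terms) overlap almost entirely with the generic openbao-api-key entry that follows it, so the commit's stated goal that `warden route find` ranks the broker lane first is not guaranteed by keyword matching alone; keep the discriminating terms (warden-sign, ops-warden, broker, flex-auth, smoke) and drop or de-weight the shared generic ones, or record in the entry how a tie between the two lanes is resolved. A second, smaller point: the entry lists `fetch_command` (`scripts/credential.py request ...`) ahead of `exec_command`, while the in-entry comment says the broker lane injects VAULT_TOKEN only into the child process; if `request` is the manual-export fallback the commit message describes, say so in the entry (or reorder the fields) so a reader does not pick the fetch path over `exec`.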