generated from coulomb/repo-seed
Add ops-warden-warden-sign-token routing lane for RAILIANCE-WP-0005 T08
Document the railiance-platform credential broker as the owner-native path for scoped VAULT_TOKEN needs. Add catalog entry, playbook, and doc updates so warden route find ranks the broker lane first; manual export remains a documented fallback only.
@@ -86,6 +86,7 @@ run the owner's tool as the caller and preserve owner custody.
| Catalog `id` | What ops-warden answers | What the worker does next |
| --- | --- | --- |
| `ssh-cert-host-access` | **Issues** the cert (`warden sign`) | Use the cert / wire it into `cert_command` |
| `ops-warden-warden-sign-token` | "railiance-platform broker owns the `warden-sign` lease — use `credential exec`" | `railiance-platform/scripts/credential.py exec --grant ops-warden/warden-sign` (see playbook) |
| `openbao-api-key` | "OpenBao owns this — here is the path/command shape" | Call OpenBao directly, or use `warden access --fetch/--exec` as yourself when the lane is `exec_capable` |
| `flex-auth-policy-check` | "flex-auth decides — here is the policy doc" | Query flex-auth / embed the PEP |
| `key-cape-oidc-login` | "key-cape / Keycloak owns identity" | Authenticate via IAM Profile, or use the `warden access` login lane as yourself |
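Review bot: the new `ops-warden-warden-sign-token` row ends with "(see playbook)" but never names the playbook, and the command it gives, `railiance-platform/scripts/credential.py exec --grant ops-warden/warden-sign`, is a repo-relative path that only resolves from a checkout of `railiance-platform`, whereas the neighbouring rows name the tool (`warden sign`, `warden access --fetch/--exec`) or the owning system. Put the playbook path, or the `warden route show ops-warden-warden-sign-token` lookup used elsewhere in this change, in the cell so a reader of this table alone can find it, and state how the grant name `ops-warden/warden-sign` relates to the catalog id `ops-warden-warden-sign-token`, since the two differ and the table is what `warden route find` is meant to surface.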
@@ -113,6 +114,7 @@ value; the owner remains OpenBao, key-cape, flex-auth, or the routed subsystem.
| Request | Correct path |
| --- | --- |
| "`VAULT_TOKEN` for ops-warden production sign / policy-gate smoke" | `railiance-platform` credential broker — `warden route show ops-warden-warden-sign-token` |
| "Populate `OPENROUTER_API_KEY` for llm-connect" | Operator → OpenBao/K8s Secret in `activity-core` namespace |
| "Store Inter-Hub admin key for bootstrap" | Operator → OpenBao or `IHUB_OPERATOR_KEY_FILE` (`CUST-WP-0049`) |
| "Give me Vault root token" | Break-glass ceremony → `railiance-platform/docs/openbao.md` |
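Review bot: the hunk header's context line says "the owner remains OpenBao, key-cape, flex-auth, or the routed subsystem", but the new `VAULT_TOKEN` row routes the request to the `railiance-platform` credential broker, which that list does not name; extend the sentence (or the table intro) to include the broker so the text above the table does not contradict the row below it. The commit message also says manual export remains a documented fallback, yet the row shows only the broker path; either name where the fallback is documented in the "Correct path" cell, or state explicitly that the broker is the only sanctioned path for this request so the table and the commit message agree.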