Add ops-warden-warden-sign-token routing lane for RAILIANCE-WP-0005 T08

Document the railiance-platform credential broker as the owner-native path
for scoped VAULT_TOKEN needs. Add catalog entry, playbook, and doc updates
so warden route find ranks the broker lane first; manual export remains a
documented fallback only.
This commit is contained in:
2026-07-01 23:16:38 +02:00
parent c96b27051f
commit 0c1082059b
7 changed files with 217 additions and 16 deletions

View File

@@ -114,22 +114,30 @@ paths.
### Authentication
Export a token with permission to sign against the mapped roles:
**Preferred:** use the railiance-platform credential broker so `VAULT_TOKEN` is
injected only into the child process (no manual export):
```bash
# After OIDC login or policy-issued token (OpenBao CLI)
export VAULT_TOKEN="<short-lived-token>"
# Or HashiCorp Vault CLI against a Vault-compatible endpoint
vault login
cd ~/railiance-platform
scripts/credential.py exec --grant ops-warden/warden-sign --ttl 15m -- \
warden sign <actor> --pubkey <path>
```
`warden` reads the token from the env var named in `vault.token_env` (default
`VAULT_TOKEN`). OpenBao uses the same header; you do not need a separate
`BAO_TOKEN` unless you configure `token_env` that way.
`warden route show ops-warden-warden-sign-token` ·
`wiki/playbooks/ops-warden-warden-sign-token.md`.
See `wiki/playbooks/operator-openbao-token-hygiene.md` for scoped `warden-sign`
tokens, OIDC routing, and HTTP 403 recovery.
**Manual fallback** — export a scoped token for the current shell only:
```bash
export VAULT_TOKEN="<short-lived-warden-sign-token>"
```
`warden` reads the env var named in `vault.token_env` (default `VAULT_TOKEN`).
OpenBao uses the same header; you do not need a separate `BAO_TOKEN` unless you
configure `token_env` that way.
See `wiki/playbooks/operator-openbao-token-hygiene.md` for hygiene rules, OIDC
routing, and HTTP 403 recovery.
On failure, `warden sign` suggests falling back to `--backend local` only for
lab recovery — not as a production substitute.