Complete WARDEN-WP-0012 routing scenario playbooks

Add platform-secret playbooks for issue-core ingestion, OpenRouter llm-connect,
object-storage STS, and database dynamic credentials. Extend the routing catalog
with draft entries and implement `warden route list --stale` for quarterly drift
review. Document the review cadence in AccessRouting and mark the workplan finished.

wiki/AccessRouting.md

@@ -65,9 +65,10 @@ OpenBao, flex-auth, key-cape, or any other subsystem, and never returns secret
 material.
 
 ```bash
-warden route list [--json] [--all] [--tag <keyword>]   # active-only unless --all
-warden route show <id> [--json]                         # owner + pointers; SSH adds steps
-warden route find "<free text need>" [--json] [--all]   # rank by keyword overlap
+warden route list [--json] [--all] [--tag <keyword>]              # active-only unless --all
+warden route list --stale [--stale-days 90] [--all] [--json]    # past review cadence
+warden route show <id> [--json]                                 # owner + pointers; SSH adds steps
+warden route find "<free text need>" [--json] [--all]             # rank by keyword overlap
 ```
 
 Agent-oriented examples:
@@ -113,6 +114,46 @@ Report drift via a custodian workplan or a State Hub message to `ops-warden`.
 
 ---
 
+## Drift review cadence
+
+Every catalog entry carries a `reviewed:` date (`YYYY-MM-DD`) — the last time an
+ops-warden steward confirmed the pointer still matches net-kingdom canon and the
+owner repo's shipped path.
+
+| Cadence | Action |
+| --- | --- |
+| **Quarterly** (default 90 days) | Run `warden route list --stale` — reconcile every listed entry against canon |
+| **On canon change** | When net-kingdom security docs change, review affected `canon_ref` entries immediately |
+| **On owner ship** | When an owning repo merges a new OpenBao path or playbook, promote `draft` → `active` and bump `reviewed` |
+| **On agent confusion** | If `warden route find` misses a common query, add `need_keywords` or a playbook — do not restate owner procedure in the catalog |
+
+### Stale check (operators and agents)
+
+```bash
+# Entries not reviewed in the last 90 days (default threshold)
+warden route list --stale
+
+# Include draft scenarios in the stale report
+warden route list --stale --all
+
+# Custom threshold (e.g. monthly review)
+warden route list --stale --stale-days 30 --json
+```
+
+For each stale entry:
+
+1. Open `canon_ref` in net-kingdom — confirm ownership and vocabulary unchanged.
+2. Open `wiki_ref` in this repo — update the playbook section if canon moved.
+3. Confirm the owner path still exists (anti-stale rule: unshipped paths stay `draft`).
+4. Bump `reviewed:` in `registry/routing/catalog.yaml` to today's date.
+5. Run `uv run pytest tests/test_routing.py` — anchor resolution must still pass.
+
+CI enforces structural drift (every `wiki_ref` anchor resolves; no-double-source
+rule). The quarterly cadence catches **semantic** drift CI cannot detect — canon
+moved but anchors still resolve.
+
+---
+
 ## See also
 
 - `CredentialRouting.md` — worker decision tree and routing table