Clarify workload secret posture stewardship

2026-06-27 18:22:09 +02:00
parent 32ae4f6851
commit 177e36d5a9
6 changed files with 178 additions and 48 deletions

@@ -10,8 +10,8 @@
## One-liner
**Operational access steward for the NetKingdom security model — knows the platform
credential lanes, keeps them aligned, and issues short-lived SSH certificates where
that lane belongs to ops-warden.**
credential lanes, keeps workload posture conformance aligned, and issues short-lived
SSH certificates where that lane belongs to ops-warden.**
---
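Review bot: The reworded one-liner no longer says the credential lanes themselves are kept aligned. "keeps them aligned" became "keeps workload posture conformance aligned", but the **Align** responsibility for runbooks, wiki and inventory patterns is still listed further down. Suggest wording that keeps both, for example "keeps them and workload posture conformance aligned", so the summary matches the responsibilities list.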
@@ -28,6 +28,8 @@ That stack is easy to misuse:
- wrong subsystem chosen for a credential need (OpenBao vs warden vs key-cape)
- drift between NetKingdom architecture canon and what operators actually run
- ad hoc rediscovery of bootstrap and custody rules every time a worker needs access
- unclear security blockers because dev/test/prod posture and workload maturity are
not named before someone asks for real credentials
**ops-warden exists so operational access has a custodian-domain home** that
understands NetKingdom security infrastructure, routes workers to the right
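Review bot: The new misuse bullet relies on "dev/test/prod posture" and "workload maturity" before either term is defined on this page; the `M0-M3` scale only appears in the responsibilities list later. Suggest adding a pointer to `wiki/WorkloadSecurityPosture.md` on this bullet so a reader who stops here knows where the terms are named.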
@@ -54,14 +56,19 @@ owns one lane and points at the rest:
lanes — proxies the fetch *as the caller* (a transparent, policy-gated, audited
conduit that holds, caches, and logs **nothing**). This is the assist layer, not a
broker: custody stays in OpenBao, authorization in flex-auth.
3. **Align** runbooks, wiki, inventory patterns, and scorecard checks with
3. **Steward workload security posture conformance.** Author the ops-security slice
for environment posture (`dev/test/prod`) and workload maturity (`M0-M3`), then
ship descriptors and read-only checks that identify whether a secret-flow blocker
is real, owner-routed, or removable with a contract double. Runtime enforcement
remains flex-auth; custody remains OpenBao.
4. **Align** runbooks, wiki, inventory patterns, and scorecard checks with
NetKingdom canon as the platform evolves (OpenBao-first, flex-auth policy,
key-cape IAM Profile, railiance deployment layers).
4. **Issue** short-lived SSH certificates for `adm` / `agt` / `atm` actors when
5. **Issue** short-lived SSH certificates for `adm` / `agt` / `atm` actors when
host or ops reachability requires the SSH lane — via `warden sign`,
`cert_command`, and `ops-ssh-wrapper`. This is the **only** lane ops-warden
executes.
5. **Audit** SSH signing operations and cert-side compliance so gatekeeping is
executes with its own authority.
6. **Audit** SSH signing operations and cert-side compliance so gatekeeping is
observable, not tribal knowledge.
---
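Review bot: New item 3 ships "read-only checks" but does not say under whose identity they run or what they are allowed to read. Item 2 states the proxy runs "as the caller", and the SSH item now reads "executes with its own authority", so the checks are the one activity left without a stated authority. Suggest one sentence in item 3 saying which authority the checks use and that they read descriptors and non-secret evidence only, never secret values, which would also line up with the "non-secret evidence" wording in the success criteria.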
@@ -98,6 +105,8 @@ Canonical references:
- Actor inventory, TTL/principal policy, cert-side scorecard, signatures log
- `cert_command` contract and `ops-ssh-wrapper` automation surface
- Keeping ops-warden docs and patterns aligned with NetKingdom security evolution
- Workload Security Posture draft, conformance descriptors/checks, and dev-tier
contract-double guidance for secret-flow readiness
### ops-warden instructs but does not own
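Review bot: The ownership bullet scopes contract doubles to "dev-tier" guidance, but responsibility item 3 says a blocker may be "removable with a contract double" with no environment limit. Suggest stating the dev-tier restriction in item 3 as well, so nobody reads the responsibilities list as permitting a double in place of a real secret flow in test or prod.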
@@ -208,12 +217,15 @@ ops-warden is succeeding when:
4. NetKingdom security evolution (OpenBao, IAM Profile, bootstrap lanes) is
reflected in ops-warden docs within the same maintenance cycle.
5. Non-SSH secrets remain **out of ops-warden storage** — only documented paths.
6. Security blockers can be classified by environment posture, workload maturity,
owner route, and non-secret evidence instead of by vague credential risk.
---
## Non-goals
- Universal credential broker for all secret types
- Runtime enforcement of the workload secret-flow lattice (flex-auth owns that)
- Replacing OpenBao, flex-auth, key-cape, or railiance deployment ownership
- Storing Inter-Hub, LLM provider, or other long-lived API keys
- Host-side SSH configuration deployment
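Review bot: The new non-goal introduces "workload secret-flow lattice", a term that appears nowhere else in the visible hunks, which otherwise say "secret-flow blocker" and "posture/maturity conformance model". Suggest using the same name as the wiki page or defining the lattice where it is first mentioned. Criterion 6 could also name the three outcomes from responsibility item 3 (real, owner-routed, removable with a contract double) so the success measure is checkable.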
@@ -232,7 +244,8 @@ flex-auth integration design, and NetKingdom cross-links — without collapsing
platform boundaries.
See `wiki/CredentialRouting.md` for worker-facing routing,
`wiki/WorkloadSecurityPosture.md` for the posture/maturity conformance model,
`wiki/NetKingdomSecurityMap.md` for component literacy,
`history/2026-06-18-post-wp0008-intent-scope-reassessment.md` for the latest
gap analysis (production SSH path verified), and archived workplans WP-00060008
for stewardship and production closeout execution.
for stewardship and production closeout execution.
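Review bot: The new pointer calls `wiki/WorkloadSecurityPosture.md` "the posture/maturity conformance model", while the ownership list in this same commit calls it a "Workload Security Posture draft". Suggest marking the draft status here too, so readers following the link know it is not yet settled canon. The final line of the hunk appears twice with identical text, which looks like a whitespace or end-of-file newline change; worth confirming it is intended.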