generated from coulomb/repo-seed
Clarify workload secret posture stewardship
This commit is contained in:
51
SCOPE.md
51
SCOPE.md
@@ -10,12 +10,12 @@
|
||||
|
||||
Operational access steward for the NetKingdom security model — issues short-lived
|
||||
SSH certificates for `adm`/`agt`/`atm` actors, documents how to obtain other
|
||||
credential types from the right platform subsystems, and keeps ops access guidance
|
||||
aligned with NetKingdom canon.
|
||||
credential types from the right platform subsystems, stewards workload security
|
||||
posture conformance, and keeps ops access guidance aligned with NetKingdom canon.
|
||||
|
||||
---
|
||||
|
||||
## Where we are (2026-06-24)
|
||||
## Where we are (2026-06-27)
|
||||
|
||||
ops-warden **issues short-lived SSH certificates and routes every other credential
|
||||
need to the subsystem that owns it.** SSH signing is **production-verified** on
|
||||
@@ -27,6 +27,16 @@ NetKingdom security map, machine-readable pointer catalog
|
||||
(`registry/routing/catalog.yaml`, WP-0010), and `warden route` lookup CLI
|
||||
(`list`/`show`/`find`, `--json`, WP-0011).
|
||||
|
||||
**Operator access assist** is shipped (WP-0014): `warden access` gives advisory
|
||||
handoffs for every catalog need and can proxy `exec_capable` lanes as the caller,
|
||||
without taking custody of values.
|
||||
|
||||
**Workload security posture** is drafted (WP-0015 T1): dev/test/prod environment
|
||||
posture, M0-M3 workload maturity, the secret-flow lattice, and blocker triage
|
||||
language. Machine-readable descriptors and `warden policy list|show` shipped in
|
||||
WP-0015 T2; the read-only conformance checker and dev contract doubles remain
|
||||
WP-0015 follow-up tasks.
|
||||
|
||||
**Policy gate** is shipped on the caller side (WP-0007) with production registry
|
||||
and smoke evidence (WP-0009 archived). flex-auth published the `ssh-certificate`
|
||||
policy package (FLEX-WP-0006). `policy.enabled` remains **false** in production
|
||||
@@ -38,14 +48,14 @@ runtime deployment (not ops-warden code), and operator hygiene.
|
||||
|
||||
### Issue vs route
|
||||
|
||||
ops-warden executes exactly one lane and points at the owner for the rest.
|
||||
ops-warden executes exactly one lane with its own authority and routes/assists the rest.
|
||||
|
||||
| Need | Subsystem | ops-warden role |
|
||||
| --- | --- | --- |
|
||||
| SSH cert for host/ops access (`adm`/`agt`/`atm`) | **ops-warden** | **Issue** (`warden sign`) |
|
||||
| API key / DB cred / dynamic lease | OpenBao | Route — point at path |
|
||||
| "May I perform action X?" | flex-auth | Route — point at policy |
|
||||
| Login / OIDC / MFA | key-cape / Keycloak | Route — point at IAM Profile |
|
||||
| API key / DB cred / dynamic lease | OpenBao | Assist — route; proxy as caller only for `exec_capable` lanes |
|
||||
| "May I perform action X?" | flex-auth | Route — point at policy; consume decisions where configured |
|
||||
| Login / OIDC / MFA | key-cape / Keycloak | Assist — route; proxy `login` lane when `exec_capable` |
|
||||
| SSH tunnel / port forward | ops-bridge | Route — supply `cert_command` |
|
||||
| Host principal deployment | railiance-infra | Route — point at Ansible |
|
||||
|
||||
@@ -67,6 +77,7 @@ Gap analysis: `history/2026-06-24-intent-scope-gap-analysis.md` (current);
|
||||
| ops-bridge integrates via stable `cert_command` | **Partial** — contract yes; tunnels still static-key |
|
||||
| NetKingdom evolution reflected in docs | Met |
|
||||
| Non-SSH secrets stay out of ops-warden | Met |
|
||||
| Workload posture / maturity model for secret-flow blockers | Drafted (WP-0015 T1); conformance tooling pending |
|
||||
|
||||
**Maturity vector:** `D5 / A5 / C4 / R3` (Discovery / Availability / Completeness / Reliability)
|
||||
|
||||
@@ -121,6 +132,8 @@ for the rest.
|
||||
- Capability registry entry for SSH certificate issuance
|
||||
- Routing pointer catalog (`registry/routing/catalog.yaml`)
|
||||
- Keeping ops access patterns consistent with `net-kingdom` platform architecture
|
||||
- Workload Security Posture draft (`wiki/WorkloadSecurityPosture.md`) and planned
|
||||
machine-readable posture descriptors, conformance checks, and dev-tier doubles
|
||||
|
||||
### Shipped workplans (archived)
|
||||
|
||||
@@ -140,6 +153,7 @@ for the rest.
|
||||
| WP | Status | Focus |
|
||||
| --- | --- | --- |
|
||||
| **WP-0012** | `active` | Routing scenario playbooks (catalog + wiki expansion) |
|
||||
| **WP-0015** | `active` | Workload security posture: env posture, maturity, conformance, dev doubles |
|
||||
|
||||
### Known gaps (not ops-warden workplans)
|
||||
|
||||
@@ -150,16 +164,19 @@ for the rest.
|
||||
| ops-bridge `cert_command` on live tunnels | ops-bridge | Playbook shipped (`wiki/playbooks/ops-bridge-tunnel-cert.md`); pilot pending |
|
||||
| Principals sync warden ↔ railiance-infra | ops-warden + infra | `scripts/check_principals_drift.py` — operator runs periodically |
|
||||
| NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel coordination track |
|
||||
| WP-0015 conformance checker/dev doubles | ops-warden | T3-T4 pending; canon landing tracked in T5 |
|
||||
|
||||
---
|
||||
|
||||
## Out of Scope
|
||||
|
||||
- **Issuing** non-SSH secrets (API keys, DB creds, S3 STS, Inter-Hub keys) → OpenBao
|
||||
with flex-auth policy where required; ops-warden documents paths only
|
||||
- **Issuing or custodying** non-SSH secrets (API keys, DB creds, S3 STS,
|
||||
Inter-Hub keys) → OpenBao with flex-auth policy where required; ops-warden
|
||||
documents paths and may proxy caller-authenticated `exec_capable` lanes only
|
||||
- Identity / OIDC / MFA → key-cape, Keycloak
|
||||
- Authorization policy decisions → flex-auth
|
||||
- flex-auth runtime deployment → flex-auth (`FLEX-WP-0007`)
|
||||
- flex-auth runtime deployment and secret-flow lattice enforcement → flex-auth
|
||||
(`FLEX-WP-0007` and follow-ups)
|
||||
- Tunnel lifecycle → `ops-bridge`
|
||||
- Host principal deployment → `railiance-infra`
|
||||
- OpenBao / Vault cluster deployment → `railiance-platform`
|
||||
@@ -178,6 +195,8 @@ for the rest.
|
||||
- Inter-Hub or bootstrap tasks need a **short-lived agent SSH envelope**
|
||||
- Checking cert-side compliance (scorecard)
|
||||
- Enabling or testing the opt-in flex-auth policy gate
|
||||
- Classifying whether a credential blocker is a dev/test double, owner-routed prod
|
||||
gate, or maturity/posture violation
|
||||
|
||||
---
|
||||
|
||||
@@ -197,7 +216,8 @@ for the rest.
|
||||
- **Access routing:** WP-0010 + WP-0011 shipped (`warden route`, pointer catalog)
|
||||
- **Policy gate:** caller shipped (WP-0007); registry + smoke complete (WP-0009 archived).
|
||||
`policy.enabled: false` until flex-auth reachable (`FLEX-WP-0007`)
|
||||
- **Active work:** WP-0012 (routing playbooks — T2/T3 done)
|
||||
- **Active work:** WP-0012 (routing playbooks — T2/T3 done) and WP-0015
|
||||
(workload posture T1/T2 done, T5 in progress; checker/dev doubles pending)
|
||||
- **Integration docs:** cert_command migration, token hygiene, principals drift (`wiki/playbooks/`)
|
||||
- **Latest assessment:** `history/2026-06-24-intent-scope-gap-analysis.md`
|
||||
|
||||
@@ -228,7 +248,10 @@ Downstream: `ops-bridge` (primary), kaizen agents, CI automations, human operato
|
||||
- `cert_command`: shell command returning a cert on stdout
|
||||
- `inventory.yaml`: actor → principals + TTL registry
|
||||
- `LocalCA` / `VaultCA`: signing backends (`backend: local` | `vault`)
|
||||
- Pointer catalog: `registry/routing/catalog.yaml` — subsystem ownership lookup only
|
||||
- Pointer catalog: `registry/routing/catalog.yaml` — subsystem ownership lookup plus
|
||||
secret-free `warden access` handoff metadata
|
||||
- Workload Security Posture: env posture (`dev/test/prod`) plus maturity (`M0-M3`)
|
||||
used to decide whether a secret may flow to a workload
|
||||
|
||||
---
|
||||
|
||||
@@ -268,6 +291,7 @@ keywords: [ssh, certificate, ca, credential, warden, ops-warden, pki, openbao, v
|
||||
| `wiki/AccessRouting.md` | What ops-warden issues vs routes vs assists (role and boundary) |
|
||||
| `wiki/OperatorAccessAssist.md` | `warden access` front door + conduit-vs-broker boundary + guardrails |
|
||||
| `wiki/CredentialRouting.md` | Which subsystem for each credential need |
|
||||
| `wiki/WorkloadSecurityPosture.md` | Secret-store posture, workload maturity, and blocker triage |
|
||||
| `registry/routing/catalog.yaml` | Machine-readable routing pointer catalog |
|
||||
| `wiki/NetKingdomSecurityMap.md` | Platform security component map |
|
||||
| `examples/warden.production.example.yaml` | Production warden.yaml template |
|
||||
@@ -276,7 +300,8 @@ keywords: [ssh, certificate, ca, credential, warden, ops-warden, pki, openbao, v
|
||||
| `wiki/OpsWardenConfig.md` | warden.yaml and OpenBao |
|
||||
| `wiki/CertCommandInterface.md` | cert_command contract |
|
||||
| `history/2026-06-24-intent-scope-gap-analysis.md` | Current gap analysis + WP-0013 |
|
||||
| `history/2026-06-27-workload-security-posture-charter.md` | WP-0015 posture/conformance charter |
|
||||
| `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` | SSH lane gap analysis |
|
||||
| `history/2026-06-18-access-routing-intent-shift-assessment.md` | Routing charter decision |
|
||||
| `history/2026-06-23-flex-auth-policy-gate-production-smoke.md` | Policy gate smoke evidence |
|
||||
| `net-kingdom/docs/platform-identity-security-architecture.md` | Platform security canon |
|
||||
| `net-kingdom/docs/platform-identity-security-architecture.md` | Platform security canon |
|
||||
|
||||
Reference in New Issue
Block a user