Clarify workload secret posture stewardship

wiki/CredentialRouting.md

@@ -6,9 +6,12 @@ Use this page when a development worker (human, kaizen agent, CI job, or
 custodian tool) needs **access or credentials** and is unsure which subsystem
 owns the request.
 
-ops-warden maintains this routing guide. It **issues SSH certificates only**.
-For every other credential type, follow the routed path — do not paste secrets
-into Git, State Hub, agent chat, or workplans.
+ops-warden maintains this routing guide. It **issues SSH certificates directly**.
+For every other credential type, use the routed owner path. `warden access` may
+also **assist**: it renders the owner, auth method, path, and command shape and,
+for `exec_capable` catalog lanes, can proxy the owner's tool **as the caller**.
+That is a transparent conduit, not custody: do not paste secrets into Git,
+State Hub, agent chat, or workplans.
 
 ---
 
@@ -28,12 +31,12 @@ What do you need?
 +-- API key, DB password, provider token, K8s secret, dynamic lease
 |       -> OpenBao (after flex-auth approval where policy requires it)
 |          railiance-platform/docs/openbao.md
-|          NEVER ops-warden
+|          NEVER ops-warden as owner or store
 |
 +-- S3 / object-storage temporary credentials
 |       -> NK-WP-0007 vending path (flex-auth + OpenBao + storage STS)
 |          net-kingdom/docs/object-storage-sts-credential-vending.md
-|          NEVER ops-warden
+|          NEVER ops-warden as owner or store
 |
 +-- SSH certificate for host / ops reachability (adm/agt/atm)
 |       -> ops-warden (warden sign / cert_command)
@@ -49,7 +52,8 @@ What do you need?
 ```
 
 **Under two minutes:** match your need to a branch above, open the linked doc,
-stop if you landed on "NEVER ops-warden" for non-SSH secrets.
+and treat non-SSH branches as owner-routed work. `warden access` can advise or
+proxy an `exec_capable` lane, but it does not make ops-warden the owner of the value.
 
 ---
 
@@ -57,11 +61,11 @@ stop if you landed on "NEVER ops-warden" for non-SSH secrets.
 
 | I need… | Subsystem | ops-warden role |
 | --- | --- | --- |
-| Interactive login, OIDC token, MFA | key-cape / Keycloak | Document only — use IAM Profile |
-| "May I do X on resource Y?" | flex-auth (+ Topaz PDP) | Future pre-sign gate for SSH; document only today |
-| OpenRouter / LLM provider API key | OpenBao → K8s Secret | **Do not** ask ops-warden |
-| Inter-Hub operator / runtime API key | OpenBao or `0600` temp file | See `wiki/InterHubBootstrapAccessLane.md` |
-| Database or service password | OpenBao dynamic/KV | Document only |
+| Interactive login, OIDC token, MFA | key-cape / Keycloak | Assist: advise; proxy the `login` lane when the catalog entry is `exec_capable` |
+| "May I do X on resource Y?" | flex-auth (+ Topaz PDP) | Route; policy gate for SSH/access proxies where configured |
+| OpenRouter / LLM provider API key | OpenBao → K8s Secret | Assist: route; proxy only as caller when the catalog lane is `exec_capable` |
+| Inter-Hub operator / runtime API key | OpenBao or `0600` temp file | Assist: route/custody notes; see `wiki/InterHubBootstrapAccessLane.md` |
+| Database or service password | OpenBao dynamic/KV | Assist: route; proxy only as caller when the catalog lane is `exec_capable` |
 | Short-lived SSH cert for operator | ops-warden (`adm-*`) | **Issue** via `warden sign` |
 | Short-lived SSH cert for agent | ops-warden (`agt-*`) | **Issue** via `warden sign` / wrapper |
 | Short-lived SSH cert for CI/cron | ops-warden (`atm-*`) | **Issue** via `warden sign` / `warden issue` |
@@ -74,16 +78,17 @@ stop if you landed on "NEVER ops-warden" for non-SSH secrets.
 
 These needs are also carried in the machine-readable pointer catalog
 (`registry/routing/catalog.yaml`, surfaced via `warden route` — WARDEN-WP-0011).
-The catalog is a **pointer layer**: it names the owner and links the doc, it does
-not restate the owner's procedure. Only the SSH row is something ops-warden
-executes.
+The catalog is a **pointer-and-assist layer**: it names the owner, links the doc,
+and carries secret-free handoff templates for `warden access`. Only the SSH row is
+something ops-warden executes with its own authority. Non-SSH `exec_capable` rows
+run the owner's tool as the caller and preserve owner custody.
 
 | Catalog `id` | What ops-warden answers | What the worker does next |
 | --- | --- | --- |
 | `ssh-cert-host-access` | **Issues** the cert (`warden sign`) | Use the cert / wire it into `cert_command` |
-| `openbao-api-key` | "OpenBao owns this — here is the path" | Call OpenBao on the owning system |
+| `openbao-api-key` | "OpenBao owns this — here is the path/command shape" | Call OpenBao directly, or use `warden access --fetch/--exec` as yourself when the lane is `exec_capable` |
 | `flex-auth-policy-check` | "flex-auth decides — here is the policy doc" | Query flex-auth / embed the PEP |
-| `key-cape-oidc-login` | "key-cape / Keycloak owns identity" | Authenticate via IAM Profile |
+| `key-cape-oidc-login` | "key-cape / Keycloak owns identity" | Authenticate via IAM Profile, or use the `warden access` login lane as yourself |
 | `ops-bridge-tunnel` | "ops-bridge owns transport — supply a `cert_command`" | Open the tunnel with ops-bridge |
 | `railiance-infra-principals` | "railiance-infra deploys host principals" | Run the infra Ansible |
 | `activity-core-issue-sink` | "activity-core + issue-core own emission — pair `ISSUE_CORE_*` env vars" | See `wiki/playbooks/activity-core-issue-sink.md` |
@@ -98,12 +103,13 @@ executes.
 | `object-storage-sts` | NK-WP-0007 STS vending path | `wiki/playbooks/object-storage-sts.md` |
 | `database-dynamic-credentials` | OpenBao database secrets engine | `wiki/playbooks/database-dynamic-credentials.md` |
 
-ops-warden answers *where + who*; the worker acts on the owning system. ops-warden
-never performs the non-SSH step on the worker's behalf.
+ops-warden answers *where + who + how*. The worker still acts on the owning system.
+When `warden access` proxies a non-SSH lane, it does so as the caller and stores no
+value; the owner remains OpenBao, key-cape, flex-auth, or the routed subsystem.
 
 ---
 
-## Examples — do NOT ask ops-warden
+## Examples — do NOT ask ops-warden to own or vend
 
 | Request | Correct path |
 | --- | --- |
@@ -113,9 +119,11 @@ never performs the non-SSH step on the worker's behalf.
 | "S3 credentials for artifact upload" | NK-WP-0007 / artifact-store consumer path |
 | "JWT for my app" | key-cape / Keycloak IAM Profile |
 
-**No duplicate interfaces.** Commands like `warden secret`, `warden login`,
-`warden policy`, or `warden tunnel` do not exist and will not be added — each
-belongs to another subsystem. The canonical anti-pattern table lives in
+**No duplicate ownership.** Commands that would make warden a store, IdP, or
+transport owner — `warden secret`, `warden bao`, `warden login` as an identity
+service, or `warden tunnel` — do not exist. A future `warden policy` lookup, if
+added by WARDEN-WP-0015, is metadata/conformance only; flex-auth remains the PDP.
+The canonical anti-pattern table lives in
 `wiki/AccessRouting.md#anti-patterns-not-coming-to-ops-warden`; it is not
 restated here.
 
@@ -175,6 +183,7 @@ Report drift via custodian workplan or State Hub message to `ops-warden`.
 - `INTENT.md` — steward mission
 - `wiki/AccessRouting.md` — what ops-warden issues vs routes (role and boundary)
 - `wiki/NetKingdomSecurityMap.md` — component literacy
+- `wiki/WorkloadSecurityPosture.md` — dev/test/prod posture, M0-M3 maturity, and blocker triage
 - `wiki/ActorInventoryPatterns.md` — actor naming
 - `wiki/OpenBaoSshEngineChecklist.md` — production SSH signing verify
-- `net-kingdom/docs/platform-identity-security-architecture.md` — platform canon
+- `net-kingdom/docs/platform-identity-security-architecture.md` — platform canon