generated from coulomb/repo-seed
WARDEN-WP-0006: NetKingdom stewardship docs and alignment
Add credential routing, actor patterns, security map, OpenBao SSH checklist, and policy-gated signing design. Update registry and SCOPE; record INTENT↔SCOPE reassessment (C3 completeness).
@@ -11,7 +11,23 @@ This repo owns **ops-warden** only. It does not own:
|
||||
| State Hub service code and consistency tooling | `state-hub` |
|
||||
| Workstream coordination across custodian domain | `the-custodian` |
|
||||
| Human admin SSH key generation | self-service (`ssh-keygen`) |
|
||||
| Identity / OIDC / MFA | `key-cape`, Keycloak |
|
||||
| Authorization policy | `flex-auth` |
|
||||
| Runtime secrets (non-SSH) | OpenBao |
|
||||
|
||||
ops-warden issues **short-lived SSH certificates** only. It is not a general
|
||||
secrets manager and must not store long-lived API keys in Git, State Hub, or
|
||||
workplans.
|
||||
## NetKingdom credential routing (quick reference)
|
||||
|
||||
| Worker need | Route to | ops-warden |
|
||||
|-------------|----------|------------|
|
||||
| SSH cert for host/ops access | ops-warden | Issue (`warden sign`) |
|
||||
| API key / DB cred / lease | OpenBao | Document only — `wiki/CredentialRouting.md` |
|
||||
| May I perform action X? | flex-auth | Design: `wiki/PolicyGatedSigning.md` |
|
||||
| Login / MFA / OIDC | key-cape / Keycloak | Document only |
|
||||
| SSH tunnel | ops-bridge | cert_command consumer |
|
||||
| Host principals | railiance-infra | Document only |
|
||||
|
||||
Full map: `wiki/NetKingdomSecurityMap.md`.
|
||||
|
||||
ops-warden issues **short-lived SSH certificates** and maintains **operational
|
||||
access stewardship docs**. It is not a general secrets manager and must not
|
||||
store long-lived API keys in Git, State Hub, workplans, logs, or chat.
|
||||
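Review bot: the scope statement at the end of the hunk ("ops-warden issues **short-lived SSH certificates** and maintains **operational access stewardship docs**...") now sits under the `## NetKingdom credential routing (quick reference)` heading, after the `Full map:` pointer, instead of directly below the "does not own" table where the earlier wording lived. A reader scanning the ownership section will reach the new heading before the "must not store long-lived API keys" rule, so consider keeping that paragraph above the heading and leaving the quick-reference section as table plus pointer only. In the same table, the third column is headed just `ops-warden` while its cells mix an action (`Issue (warden sign)`), a status (`Document only`), a design link and `cert_command consumer`; a header such as "ops-warden role" would make the column readable on its own. The `Document only` rows for key-cape / Keycloak and railiance-infra also name no wiki page, unlike the OpenBao row, which points at `wiki/CredentialRouting.md`.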