WARDEN-WP-0006: NetKingdom stewardship docs and alignment

Add credential routing, actor patterns, security map, OpenBao SSH
checklist, and policy-gated signing design. Update registry and SCOPE;
record INTENT↔SCOPE reassessment (C3 completeness).
2026-06-17 08:22:45 +02:00
parent 5ae3821b88
commit 1865e0744e
14 changed files with 879 additions and 108 deletions


@@ -11,7 +11,23 @@ This repo owns **ops-warden** only. It does not own:
| State Hub service code and consistency tooling | `state-hub` |
| Workstream coordination across custodian domain | `the-custodian` |
| Human admin SSH key generation | self-service (`ssh-keygen`) |
| Identity / OIDC / MFA | `key-cape`, Keycloak |
| Authorization policy | `flex-auth` |
| Runtime secrets (non-SSH) | OpenBao |
ops-warden issues **short-lived SSH certificates** only. It is not a general
secrets manager and must not store long-lived API keys in Git, State Hub, or
workplans.
## NetKingdom credential routing (quick reference)
| Worker need | Route to | ops-warden |
|-------------|----------|------------|
| SSH cert for host/ops access | ops-warden | Issue (`warden sign`) |
| API key / DB cred / lease | OpenBao | Document only — `wiki/CredentialRouting.md` |
| May I perform action X? | flex-auth | Design: `wiki/PolicyGatedSigning.md` |
| Login / MFA / OIDC | key-cape / Keycloak | Document only |
| SSH tunnel | ops-bridge | cert_command consumer |
| Host principals | railiance-infra | Document only |
Full map: `wiki/NetKingdomSecurityMap.md`.
ops-warden issues **short-lived SSH certificates** and maintains **operational
access stewardship docs**. It is not a general secrets manager and must not
store long-lived API keys in Git, State Hub, workplans, logs, or chat.
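Review bot: the hunk carries two versions of the "ops-warden issues **short-lived SSH certificates**" paragraph, the earlier one listing "Git, State Hub, or workplans" and the later one adding "logs, or chat" plus the stewardship-docs role; with the diff markers stripped on this rendering it is not clear whether the earlier paragraph is removed, so confirm that only the later, broader statement survives in the file, otherwise the two prohibition lists contradict each other. In the routing table, the "May I perform action X?" row says "Design: `wiki/PolicyGatedSigning.md`" while the other rows say "Issue" or "Document only"; consider spelling out that policy-gated signing is a design and not yet enforced by `warden sign`, so a reader does not assume a flex-auth check happens at certificate issuance today. The "SSH tunnel | ops-bridge | cert_command consumer" row uses `cert_command` without a pointer to where it is defined; a link to the relevant wiki page would keep it consistent with the other rows.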