WARDEN-WP-0006: NetKingdom stewardship docs and alignment

Add credential routing, actor patterns, security map, OpenBao SSH
checklist, and policy-gated signing design. Update registry and SCOPE;
record INTENT↔SCOPE reassessment (C3 completeness).
2026-06-17 08:22:45 +02:00
parent 5ae3821b88
commit 1865e0744e
14 changed files with 879 additions and 108 deletions

@@ -1,7 +1,7 @@
---
id: capability.security.ssh-certificate-issuance
name: SSH Certificate Issuance
summary: Issue short-lived CA-signed SSH certificates for adm, agt, and atm actors through a stable cert_command CLI interface.
summary: Issue short-lived CA-signed SSH certificates for adm, agt, and atm actors through a stable cert_command CLI interface; steward operational access routing across NetKingdom security lanes.
owner: ops-warden
status: draft
domain: helix_forge
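Review bot: The rewritten `summary` line widens this capability to cover access-routing stewardship, but `id: capability.security.ssh-certificate-issuance` and `name: SSH Certificate Issuance` still describe SSH issuance only, so anyone scoping a review by id or name will miss the added responsibility. Either move routing stewardship into its own capability entry or state in the summary that the stewardship is documentation-only. With `status: draft` still set, this is the cheap moment to settle it.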
@@ -62,13 +62,15 @@ discovery:
intent: >
Give the ops fleet short-lived SSH credentials for humans, agents, and
automations without static keys, through a single cert_command surface that
callers can rely on regardless of CA backend.
callers can rely on regardless of CA backend; route non-SSH credential needs
to the correct NetKingdom subsystems (OpenBao, flex-auth, key-cape).
includes:
- certificate signing for adm, agt, and atm actors
- actor principals inventory and TTL policy
- cert_command interface (`warden sign`)
- cert-side compliance scorecard and signatures log
- ops-ssh-wrapper for automatic cert acquisition
- NetKingdom credential routing and alignment documentation
excludes:
- tunnel lifecycle
- host /etc/ssh/auth_principals deployment
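Review bot: In `intent`, "route non-SSH credential needs to the correct NetKingdom subsystems" reads as a runtime function, while the only matching `includes` entry is "NetKingdom credential routing and alignment documentation". If the capability only documents where each credential type is obtained, word the intent that way, and consider an explicit `excludes` entry for issuing, storing or brokering non-SSH credentials. The `excludes` lines visible in this hunk cover only tunnel lifecycle and auth_principals deployment, so the boundary for OpenBao, flex-auth and key-cape material is left implicit.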
@@ -108,6 +110,7 @@ consumer_guidance:
- issuing short-lived SSH certs for ops-bridge tunnels
- agent or automation access with TTL-bound principals
- checking cert-side compliance before rotation windows
- orienting dev workers on which NetKingdom subsystem owns each credential type
not_recommended_for:
- storing OpenRouter or Inter-Hub API keys
- replacing OpenBao deployment or host SSH hardening playbooks
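Review bot: The added "orienting dev workers on which NetKingdom subsystem owns each credential type" entry does not say where that guidance lives, whereas the neighbouring entries each describe a concrete action. Name the routing document the entry refers to so consumers do not have to infer it. The `not_recommended_for` entries that follow are specific about what must not be handled here, and the new entry should be equally specific.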