coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

WARDEN-WP-0006: NetKingdom stewardship docs and alignment

Browse Source 
Add credential routing, actor patterns, security map, OpenBao SSH
checklist, and policy-gated signing design. Update registry and SCOPE;
record INTENT↔SCOPE reassessment (C3 completeness).
This commit is contained in:
Bernd Worsch
2026-06-17 08:22:45 +02:00
parent 5ae3821b88
commit 1865e0744e
14 changed files with 879 additions and 108 deletions
Download Patch File Download Diff File Expand all files Collapse all files

101
wiki/NetKingdomSecurityMap.md Normal file
View File

@@ -0,0 +1,101 @@
# NetKingdom Security Map (ops-warden view)
Date: 2026-06-17
Condensed literacy guide for ops-warden stewards and development workers.
Canonical source remains `net-kingdom/docs/platform-identity-security-architecture.md`.
ops-warden **implements** the operational SSH lane and **documents** how the
other lanes connect.
---
## Planes
```text
Bootstrap plane railiance-infra, railiance-cluster, net-kingdom bootstrap
Platform control key-cape, flex-auth, OpenBao, Topaz, railiance-platform
Tenant plane railiance-apps, coulomb workloads, future tenants
Operational access ops-warden (SSH certs), ops-bridge (tunnels)
```
---
## Component map
| Component | Answers | Credential types | ops-warden |
| --- | --- | --- | --- |
| **key-cape** | Who are you? (lightweight IAM) | OIDC tokens, MFA | Route — do not issue |
| **Keycloak** | Who are you? (expanded IAM) | OIDC/SAML federation | Route — do not issue |
| **privacyIDEA** | MFA / step-up | OTP, hardware tokens | Route — do not issue |
| **flex-auth** | May you do this action? | Policy decisions, audit envelopes | Future SSH pre-sign; route today |
| **Topaz** | PDP runtime for flex-auth | Authorization evaluations | Route — do not issue |
| **OpenBao** | Runtime secret authority | API keys, DB creds, leases, K8s auth | SSH engine **signing backend** only |
| **ops-warden** | SSH ops access | Short-lived SSH certificates | **Own and issue** |
| **ops-bridge** | Tunnel transport | Uses certs via cert_command | Consumer |
| **railiance-infra** | Host enforcement | auth_principals, sshd | Route — deploy hosts |
| **railiance-platform** | Platform deploy | OpenBao, Postgres, ingress | Route — do not deploy from warden |
---
## Credential lanes (summary)
| Lane | Owner | Lifetime | Worker entrypoint |
| --- | --- | --- | --- |
| Identity | key-cape / Keycloak | Session / token TTL | Login / OIDC |
| Authorization | flex-auth | Per request | Policy API / embedded PEP |
| Runtime secrets | OpenBao | Lease-bound | `bao` CLI, K8s ESO, app integration |
| SSH operational | ops-warden | adm 48h / agt 24h / atm 8h | `warden sign` |
| Tunnel | ops-bridge | Session | `bridge` + cert_command |
Full routing: `wiki/CredentialRouting.md`.
---
## Trust flow (simplified)
```text
Worker request
-> Identity? key-cape / Keycloak
-> Authorized? flex-auth
-> Secret material? OpenBao
-> SSH cert? ops-warden
-> Tunnel? ops-bridge (cert from warden)
-> Host accepts? railiance-infra principals
```
OpenBao does **not** replace identity or authorization. flex-auth decides;
OpenBao stores/issues; ops-warden signs SSH certs when host reachability is
the need.
---
## NetKingdom documents to watch
| Document | Why ops-warden cares |
| --- | --- |
| `platform-identity-security-architecture.md` | Planes, secret path, SSH path |
| `responsibility-map.md` | Operational SSH dependency section |
| `platform-identity-security-architecture.md` | Operational SSH Path section |
| `platform-root-custody.md` | OpenBao ceremony — not warden's job |
| `object-storage-sts-credential-vending.md` | S3 creds — never warden |
| `canon/standards/iam-profile_v0.2.md` | Claims for future policy-gated sign |
When these change, update ops-warden wiki and `wiki/CredentialRouting.md`.
---
## Recursive platform rule
Tenant admins (including `tenant:coulomb`) must not gain platform-root
authority. ops-warden SSH actors should use **narrow principals** for agent
and automation work — not platform-admin equivalents on hosts.
---
## See also
- `INTENT.md`
- `wiki/CredentialRouting.md`
- `wiki/PolicyGatedSigning.md` (future flex-auth hook)
- `net-kingdom/docs/platform-identity-security-architecture.md`