Normalize agent instructions and workplan frontmatter (STATE-WP-0067)

- Align agent files with on-disk workplan prefixes (infer from workplan ids)
- Set workplan domain to registered domain_slug; add topic_slug where applicable
- Repair frontmatter delimiter formatting; migrate legacy task status literals
- Regenerate AGENTS.md, CLAUDE.md, and .claude/rules from State Hub templates
This commit is contained in:
2026-06-22 23:16:27 +02:00
parent 46cb1a5f0c
commit 2207dc6b00
12 changed files with 49 additions and 153 deletions

View File

@@ -2,35 +2,7 @@
This repo owns **ops-warden** only. It does not own:
| Concern | Owner |
|---------|-------|
| Tunnel lifecycle, `cert_command` wiring in tunnels | `ops-bridge` |
| Host SSH principal files, force-command wrappers | `railiance-infra` |
| Vault/OpenBao cluster deployment and unseal ceremony | `railiance-platform` |
| Inter-Hub operator API keys, provider API keys (e.g. OpenRouter) | OpenBao / operator secret store |
| State Hub service code and consistency tooling | `state-hub` |
| Workstream coordination across custodian domain | `the-custodian` |
| Human admin SSH key generation | self-service (`ssh-keygen`) |
| Identity / OIDC / MFA | `key-cape`, Keycloak |
| Authorization policy | `flex-auth` |
| Runtime secrets (non-SSH) | OpenBao |
## NetKingdom credential routing (quick reference)
| Worker need | Route to | ops-warden |
|-------------|----------|------------|
| SSH cert for host/ops access | ops-warden | Issue (`warden sign`) |
| API key / DB cred / lease | OpenBao | Document only — `wiki/CredentialRouting.md` |
| May I perform action X? | flex-auth | Design: `wiki/PolicyGatedSigning.md` |
| Login / MFA / OIDC | key-cape / Keycloak | Document only |
| SSH tunnel | ops-bridge | cert_command consumer |
| Host principals | railiance-infra | Document only |
Full map: `wiki/NetKingdomSecurityMap.md`. Role and boundary: `wiki/AccessRouting.md`.
Machine-readable pointer catalog: `registry/routing/catalog.yaml`.
ops-warden **issues short-lived SSH certificates** (the one lane it executes) and
**routes every other credential need to its owner** via stewardship docs and the
pointer catalog. It is not a general secrets manager and must not store long-lived
API keys in Git, State Hub, workplans, logs, or chat. Routing material **points at**
the owner's docs — it never restates or forks another subsystem's procedure.
<!-- TODO: List what belongs in adjacent repos, e.g.:
- SSH key management → railiance-infra/
- State hub code → state-hub/
-->