generated from coulomb/repo-seed
feat(WARDEN-WP-0017): make the access front door discoverable (not SSH-only)
WP-0014 made ops-warden the operator access front door (warden access --fetch/--exec proxies an exec_capable secret as the caller), but every discovery surface still told the pre-WP-0014 "SSH certs only, pointer not key" story — so agents like whynot-design never found the proxy and concluded they had to message ops-warden for a token value. Messaging/discoverability only; the conduit security model is unchanged (no custody, no broker). T1 — CLI: `warden route` table warden column is now three-valued (issue/assist/route); route + access JSON gain warden_role + exec_capable and a proxy-aware next_action; `warden access` closing line leads with "ops-warden can fetch this for you as the caller" for exec_capable lanes (route-only lanes keep "owner vends"). T2 — .claude/rules/credential-routing.md reframed (lead + routing table role column); SCOPE one-liner + a second capability block for the access front door. T3 — registered the State Hub capability "Operator access front door (caller-identity fetch proxy)" (the hub had no ops-warden security capability at all); messaged whynot-design the corrected `warden access "npm auth token" --fetch/--exec` path. 210 tests pass, lint clean. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
23
SCOPE.md
23
SCOPE.md
@@ -8,10 +8,12 @@
|
||||
|
||||
## One-liner
|
||||
|
||||
Operational access steward for the NetKingdom security model — issues short-lived
|
||||
SSH certificates for `adm`/`agt`/`atm` actors, documents how to obtain other
|
||||
credential types from the right platform subsystems, stewards workload security
|
||||
posture conformance, and keeps ops access guidance aligned with NetKingdom canon.
|
||||
Operational access steward and **front door** for the NetKingdom security model — issues
|
||||
short-lived SSH certificates for `adm`/`agt`/`atm` actors, and for every other credential
|
||||
need is the operator front door (`warden access`): routes to the owning subsystem and, for
|
||||
`exec_capable` lanes (OpenBao reads, key-cape login), **proxies the fetch as the caller**
|
||||
without taking custody. Also stewards workload security posture conformance and keeps ops
|
||||
access guidance aligned with NetKingdom canon.
|
||||
|
||||
---
|
||||
|
||||
@@ -297,6 +299,19 @@ description: Issues short-lived CA-signed SSH certificates for adm/agt/atm actor
|
||||
keywords: [ssh, certificate, ca, credential, warden, ops-warden, pki, openbao, vault, netkingdom]
|
||||
```
|
||||
|
||||
```capability
|
||||
type: security
|
||||
title: Operator access front door (caller-identity fetch proxy)
|
||||
description: warden access is the operator front door for any NetKingdom credential need.
|
||||
It renders the owner, auth method, path, and policy status, and for exec_capable lanes
|
||||
(OpenBao secret reads, key-cape OIDC login) proxies the fetch as the caller — running
|
||||
the owner's tool with the caller's identity and streaming the value to them. ops-warden
|
||||
takes no custody: it holds, caches, and logs no secret value (transparent conduit, not a
|
||||
broker). Use this to obtain an API key, DB credential, npm token, or login — not a State
|
||||
Hub message.
|
||||
keywords: [access, credential, secret, npm, token, api-key, openbao, key-cape, login, proxy, fetch, exec, warden-access, front-door, routing]
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
## Getting Oriented
|
||||
|
||||
Reference in New Issue
Block a user