feat(WP-0011): warden route lookup CLI over the pointer catalog

Add a read-only `warden route` command group (list/show/find) that reads
registry/routing/catalog.yaml and tells a worker which subsystem owns a need
and which wiki/canon doc to follow. ops-warden still executes exactly one lane
(SSH); routed entries return a pointer and never call any subsystem.

- src/warden/routing/: models.py + catalog.py loader; enforces the
  no-double-source rule (non-SSH entries with steps/cert_command fail validation),
  dup-id and schema checks.
- route list (active-only unless --all, --tag), route show (SSH appends steps +
  cert pattern; routed ends with "next action on <owner> — see <wiki_ref>"),
  route find (keyword ranking, --json).
- tests/test_routing.py: load/validation, find ranking, CLI JSON shapes, plus a
  drift guard (every wiki_ref anchor resolves; every entry has a reviewed date).
- Docs: wiki/AccessRouting.md CLI section, README quick reference, SCOPE A3 -> A4.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

README.md

@@ -39,6 +39,21 @@ Production uses the `vault` backend against OpenBao or HashiCorp Vault (Vault-co
 SSH secrets engine API). Template: `examples/warden.production.example.yaml`.
 See `wiki/OpsWardenConfig.md` and `wiki/OpenBaoSshEngineChecklist.md`.
 
+## Routing lookup (`warden route`)
+
+ops-warden issues SSH certs and **routes** every other credential need to its
+owner. The `route` command group is a read-only lookup over the pointer catalog
+(`registry/routing/catalog.yaml`) — it never calls another subsystem or returns
+secrets.
+
+```bash
+warden route list [--all] [--json]        # scenarios (active-only unless --all)
+warden route show <id> [--json]           # owner + wiki/canon pointers; SSH adds steps
+warden route find "issue an api key"      # rank scenarios by keyword overlap
+```
+
+Full role and examples: `wiki/AccessRouting.md`.
+
 ## Development
 
 ```bash