Implement WP-0022 audit trail and WP-0023 INTENT–SCOPE closeout

Add unified metadata-only audit.jsonl with secret-material guard, instrument
sign/access/worker paths, and expose warden activity CLI. Surface broker hint
when VAULT_TOKEN is unset, refresh INTENT/SCOPE docs, and add production
integration checklists plus catalog lane promotion playbook.
2026-07-01 23:32:38 +02:00
parent f47d632d8e
commit d6088e4e16
18 changed files with 875 additions and 59 deletions

@@ -54,8 +54,11 @@ owns one lane and points at the rest:
restating them. Beyond pointing, **assist**: the `warden access` front door renders
the exact auth method, path, and command for any need and — for `exec_capable`
lanes — proxies the fetch *as the caller* (a transparent, policy-gated, audited
conduit that holds, caches, and logs **nothing**). This is the assist layer, not a
broker: custody stays in OpenBao, authorization in flex-auth.
conduit that holds, caches, and logs **nothing**). For **owner-native exec** lanes
(secrets-engine `exec`, railiance-platform `credential exec`) ops-warden routes to
the owner's front door — it does not mint tokens or run the owner's tool itself.
This is the assist layer, not a universal broker: custody stays in OpenBao /
secrets-engine / the platform broker; authorization in flex-auth.
3. **Steward workload security posture conformance.** Author the ops-security slice
for environment posture (`dev/test/prod`) and workload maturity (`M0-M3`), then
ship descriptors and read-only checks that identify whether a secret-flow blocker
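Review bot: The retained claim that the `warden access` conduit "holds, caches, and logs **nothing**" now conflicts with the audit item changed later in this same file, which lists "access proxy handoffs" among the audited actions. Suggest narrowing the sentence to say that no secret value is held, cached, or logged, and that a metadata-only audit event is recorded, so the two statements cannot be read against each other.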
@@ -68,8 +71,9 @@ owns one lane and points at the rest:
host or ops reachability requires the SSH lane — via `warden sign`,
`cert_command`, and `ops-ssh-wrapper`. This is the **only** lane ops-warden
executes with its own authority.
6. **Audit** SSH signing operations and cert-side compliance so gatekeeping is
observable, not tribal knowledge.
6. **Audit** every ops-warden action — SSH signs, access proxy handoffs, worker
coordination ticks — in one metadata-only trail (`warden activity`) so
gatekeeping is observable, not tribal knowledge.
---
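Review bot: Item 6 says "every ops-warden action" but the list (SSH signs, access proxy handoffs, worker coordination ticks) does not say whether denied or failed attempts are recorded. The wording this replaces covered only successful signs elsewhere in the document, so state explicitly whether policy denials and errors produce events; those are the entries an auditor will look for first.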
@@ -81,12 +85,14 @@ ops-warden should be fluent in the platform architecture documented in
| Plane / component | Role in access | ops-warden relationship |
| --- | --- | --- |
| **key-cape / Keycloak** | Identity — who is the actor, MFA, IAM Profile claims | Instruct identity path; do not re-implement OIDC |
| **flex-auth + Topaz** | Authorization — may this actor perform this action | Future policy gate before SSH issuance; document integration |
| **OpenBao** | Runtime secrets — API keys, dynamic creds, leases, audit | Instruct secret custody paths; SSH engine is signing backend only |
| **flex-auth + Topaz** | Authorization — may this actor perform this action | Caller-side policy gate shipped (opt-in); production flip is flex-auth's |
| **OpenBao** | Runtime secrets — API keys, dynamic creds, leases, audit | Instruct custody paths; SSH engine is signing backend only; proxy reads as caller when `exec_capable` |
| **secrets-engine** | Owner-native secret-exec (`secrets-engine exec`) | Route provisioned exec lanes (e.g. npm publish); ops-warden does not hold tokens |
| **railiance-platform** (credential broker) | Scoped lease grants (`credential exec`) | Route `warden-sign` token needs; ops-warden does not mint OpenBao tokens |
| **ops-warden** | Operational SSH certificates — short-lived host access | **Own and issue** this lane |
| **ops-bridge** | Tunnel transport — consumes certs via `cert_command` | Primary consumer; document integration |
| **railiance-infra** | Host principals, force-command, SSH hardening | Instruct host-side deployment; do not own Ansible |
| **railiance-platform** | OpenBao/K8s/platform service deployment | Instruct production endpoints; do not deploy clusters |
| **railiance-platform** (deploy) | OpenBao/K8s/platform service deployment | Instruct production endpoints; do not deploy clusters |
Canonical references:
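Review bot: The flex-auth row now reads "Caller-side policy gate shipped (opt-in)" without saying what happens when the gate is not enabled or when flex-auth cannot be reached. Add the default and the failure behaviour (allow or deny) to the row or link to where it is documented, since an opt-in gate that silently allows is easy to mistake for enforcement. Separately, `railiance-platform` now appears in two rows distinguished only by a parenthetical; a short cross-reference between them would help readers scanning by component name.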
@@ -102,11 +108,13 @@ Canonical references:
- NetKingdom-aligned **operational SSH access** guidance and stewardship
- **SSH certificate issuance** for registered `adm` / `agt` / `atm` actors
- Actor inventory, TTL/principal policy, cert-side scorecard, signatures log
- Actor inventory, TTL/principal policy, cert-side scorecard, unified audit trail
- `cert_command` contract and `ops-ssh-wrapper` automation surface
- Keeping ops-warden docs and patterns aligned with NetKingdom security evolution
- Workload Security Posture draft, conformance descriptors/checks, and dev-tier
- Workload Security Posture standard, conformance descriptors/checks, and dev-tier
contract-double guidance for secret-flow readiness
- Coordination worker stewardship — triage ops-warden's State Hub inbox with
conservative defaults (draft-only unless `--full-auto`)
### ops-warden instructs but does not own
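Review bot: The new coordination-worker bullet names `--full-auto` as the way out of draft-only mode but gives no pointer to what that flag permits or who is expected to pass it. Since this is the scope section, add a reference to the document that bounds full-auto behaviour, and note that those runs land in the audit trail as worker ticks.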
@@ -158,8 +166,9 @@ scorecard checks, inventory patterns, and future policy-integration hooks.
### 6. Observable gatekeeping
Every successful SSH sign is auditable (`signatures.log`). Compliance checks
(scorecard) make cert-side policy violations visible before they become incidents.
Every ops-warden action appends metadata-only audit events; `warden activity`
answers *what happened recently* in one command. Compliance checks (scorecard) make
cert-side policy violations visible before they become incidents.
---
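Review bot: The reference to `signatures.log` is dropped from section 6 without saying whether that file is still written. The commit message introduces `audit.jsonl`; name it here and state whether `signatures.log` is kept, replaced, or deprecated, so anyone with tooling or retention rules built on the old file knows what to change.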
@@ -169,23 +178,31 @@ Every successful SSH sign is auditable (`signatures.log`). Compliance checks
Development worker needs access
|
v
ops-warden (issue SSH; route the rest)
ops-warden (issue SSH; route / assist the rest)
|
+-- SSH host / ops reachability? ----> warden sign / cert_command
+-- SSH host / ops reachability? --------> warden sign / cert_command
| (OpenBao SSH engine; scoped token via credential broker)
|
+-- Runtime API / platform secret? --> OpenBao path (documented)
+-- Owner-native secret exec? -----------> secrets-engine exec
| (e.g. npm publish) or railiance-platform credential exec
|
+-- Authorization required? ---------> flex-auth decision (future hook)
+-- Generic API / DB / provider secret? -> OpenBao path
| (warden access proxies as caller when exec_capable)
|
+-- Identity / MFA required? --------> key-cape / Keycloak path
+-- Authorization required? ------------> flex-auth decision
| (caller-side gate on sign + access when policy.enabled)
|
+-- Tunnel only? --------------------> ops-bridge + cert_command
+-- Identity / MFA required? -------------> key-cape / Keycloak path
|
+-- Tunnel only? ------------------------> ops-bridge + cert_command
```
The steward role spans documentation, runbooks, the SSH CLI, the machine-readable
routing catalog with `warden route` lookup, policy-gated issuance, and — since
WARDEN-WP-0014 — the `warden access` assist layer that advises and (for `exec_capable`
lanes) proxies non-SSH fetches as the caller without holding the value.
routing catalog with `warden route` lookup, policy-gated issuance, workload posture
conformance, the coordination worker, unified audit (`warden activity`), and — since
WARDEN-WP-0014 — the `warden access` assist layer that advises, routes owner-native
exec lanes, and (for generic `exec_capable` lanes) proxies fetches as the caller
without holding the value.
---
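Review bot: In the diagram, "Authorization required?" is drawn as a sibling branch, but its new annotation "(caller-side gate on sign + access when policy.enabled)" describes a check that applies to the SSH and access branches rather than an alternative route. Suggest marking it as cross-cutting (for example, a note under the `warden sign` and OpenBao branches) so the tree is not read as a set of mutually exclusive choices. The SSH branch annotation "scoped token via credential broker" would also benefit from a pointer to the table row stating that ops-warden does not mint OpenBao tokens.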
@@ -246,6 +263,8 @@ platform boundaries.
See `wiki/CredentialRouting.md` for worker-facing routing,
`wiki/WorkloadSecurityPosture.md` for the posture/maturity conformance model,
`wiki/NetKingdomSecurityMap.md` for component literacy,
`history/2026-06-18-post-wp0008-intent-scope-reassessment.md` for the latest
gap analysis (production SSH path verified), and archived workplans WP-00060008
for stewardship and production closeout execution.
`wiki/AuditTrail.md` for the unified activity log,
`history/2026-07-01-intent-scope-gap-analysis.md` for the latest gap analysis,
`history/2026-06-18-post-wp0008-intent-scope-reassessment.md` for the SSH lane
reassessment, and archived workplans WP-00060008 for stewardship and production
closeout execution.
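Review bot: The rewritten reference list carries over "WP-00060008", which reads as a single workplan id where a range appears to be intended. If a range of workplans is meant, write it with an explicit separator while this sentence is being touched. Also confirm that `wiki/AuditTrail.md` and `history/2026-07-01-intent-scope-gap-analysis.md` are among the 18 changed files, since both are newly referenced here.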