generated from coulomb/repo-seed
Implement WP-0022 audit trail and WP-0023 INTENT–SCOPE closeout
Add unified metadata-only audit.jsonl with secret-material guard, instrument sign/access/worker paths, and expose warden activity CLI. Surface broker hint when VAULT_TOKEN is unset, refresh INTENT/SCOPE docs, and add production integration checklists plus catalog lane promotion playbook.
65
INTENT.md
@@ -54,8 +54,11 @@ owns one lane and points at the rest:
|
||||
restating them. Beyond pointing, **assist**: the `warden access` front door renders
|
||||
the exact auth method, path, and command for any need and — for `exec_capable`
|
||||
lanes — proxies the fetch *as the caller* (a transparent, policy-gated, audited
|
||||
conduit that holds, caches, and logs **nothing**). This is the assist layer, not a
|
||||
broker: custody stays in OpenBao, authorization in flex-auth.
|
||||
conduit that holds, caches, and logs **nothing**). For **owner-native exec** lanes
|
||||
(secrets-engine `exec`, railiance-platform `credential exec`) ops-warden routes to
|
||||
the owner's front door — it does not mint tokens or run the owner's tool itself.
|
||||
This is the assist layer, not a universal broker: custody stays in OpenBao /
|
||||
secrets-engine / the platform broker; authorization in flex-auth.
|
||||
3. **Steward workload security posture conformance.** Author the ops-security slice
|
||||
for environment posture (`dev/test/prod`) and workload maturity (`M0-M3`), then
|
||||
ship descriptors and read-only checks that identify whether a secret-flow blocker
|
||||
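Review bot: in the conduit sentence the proxy is described as "audited" and then as something that "holds, caches, and logs **nothing**", which reads as a contradiction now that the same commit audits access proxy handoffs. Suggest narrowing the claim to secret values, for example "holds, caches, and logs no secret material", so the metadata-only audit event is not ruled out by the text.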
@@ -68,8 +71,9 @@ owns one lane and points at the rest:
|
||||
host or ops reachability requires the SSH lane — via `warden sign`,
|
||||
`cert_command`, and `ops-ssh-wrapper`. This is the **only** lane ops-warden
|
||||
executes with its own authority.
|
||||
6. **Audit** SSH signing operations and cert-side compliance so gatekeeping is
|
||||
observable, not tribal knowledge.
|
||||
6. **Audit** every ops-warden action — SSH signs, access proxy handoffs, worker
|
||||
coordination ticks — in one metadata-only trail (`warden activity`) so
|
||||
gatekeeping is observable, not tribal knowledge.
|
||||
|
||||
---
|
||||
|
||||
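Review bot: item 6 names `warden activity` as the trail, but per the commit message that is the CLI and the trail itself is `audit.jsonl`; the item also leaves "metadata-only" undefined. Suggest naming the file, stating what never lands in an event (the secret-material guard from the commit message), and pointing to `wiki/AuditTrail.md` as the closing reference list does.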
@@ -81,12 +85,14 @@ ops-warden should be fluent in the platform architecture documented in
|
||||
| Plane / component | Role in access | ops-warden relationship |
|
||||
| --- | --- | --- |
|
||||
| **key-cape / Keycloak** | Identity — who is the actor, MFA, IAM Profile claims | Instruct identity path; do not re-implement OIDC |
|
||||
| **flex-auth + Topaz** | Authorization — may this actor perform this action | Future policy gate before SSH issuance; document integration |
|
||||
| **OpenBao** | Runtime secrets — API keys, dynamic creds, leases, audit | Instruct secret custody paths; SSH engine is signing backend only |
|
||||
| **flex-auth + Topaz** | Authorization — may this actor perform this action | Caller-side policy gate shipped (opt-in); production flip is flex-auth's |
|
||||
| **OpenBao** | Runtime secrets — API keys, dynamic creds, leases, audit | Instruct custody paths; SSH engine is signing backend only; proxy reads as caller when `exec_capable` |
|
||||
| **secrets-engine** | Owner-native secret-exec (`secrets-engine exec`) | Route provisioned exec lanes (e.g. npm publish); ops-warden does not hold tokens |
|
||||
| **railiance-platform** (credential broker) | Scoped lease grants (`credential exec`) | Route `warden-sign` token needs; ops-warden does not mint OpenBao tokens |
|
||||
| **ops-warden** | Operational SSH certificates — short-lived host access | **Own and issue** this lane |
|
||||
| **ops-bridge** | Tunnel transport — consumes certs via `cert_command` | Primary consumer; document integration |
|
||||
| **railiance-infra** | Host principals, force-command, SSH hardening | Instruct host-side deployment; do not own Ansible |
|
||||
| **railiance-platform** | OpenBao/K8s/platform service deployment | Instruct production endpoints; do not deploy clusters |
|
||||
| **railiance-platform** (deploy) | OpenBao/K8s/platform service deployment | Instruct production endpoints; do not deploy clusters |
|
||||
|
||||
Canonical references:
|
||||
|
||||
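Review bot: the flex-auth + Topaz row says the caller-side gate is "shipped (opt-in)" without saying how it is switched on or what happens by default, so a reader cannot tell whether issuance is gated on a given install. Suggest naming the `policy.enabled` setting used in the flow diagram and stating the behaviour when it is unset. Separately, `warden-sign` in the credential broker row is easy to misread as the `warden sign` command; say what kind of identifier it is.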
@@ -102,11 +108,13 @@ Canonical references:
|
||||
|
||||
- NetKingdom-aligned **operational SSH access** guidance and stewardship
|
||||
- **SSH certificate issuance** for registered `adm` / `agt` / `atm` actors
|
||||
- Actor inventory, TTL/principal policy, cert-side scorecard, signatures log
|
||||
- Actor inventory, TTL/principal policy, cert-side scorecard, unified audit trail
|
||||
- `cert_command` contract and `ops-ssh-wrapper` automation surface
|
||||
- Keeping ops-warden docs and patterns aligned with NetKingdom security evolution
|
||||
- Workload Security Posture draft, conformance descriptors/checks, and dev-tier
|
||||
- Workload Security Posture standard, conformance descriptors/checks, and dev-tier
|
||||
contract-double guidance for secret-flow readiness
|
||||
- Coordination worker stewardship — triage ops-warden's State Hub inbox with
|
||||
conservative defaults (draft-only unless `--full-auto`)
|
||||
|
||||
### ops-warden instructs but does not own
|
||||
|
||||
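Review bot: the coordination worker bullet gives the safety default as "draft-only unless `--full-auto`" but names neither the command that takes the flag nor what the worker may do once it is set. Suggest one clause for each, since this is the only line in the ownership list that describes a mode with reduced human review.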
@@ -158,8 +166,9 @@ scorecard checks, inventory patterns, and future policy-integration hooks.
|
||||
|
||||
### 6. Observable gatekeeping
|
||||
|
||||
Every successful SSH sign is auditable (`signatures.log`). Compliance checks
|
||||
(scorecard) make cert-side policy violations visible before they become incidents.
|
||||
Every ops-warden action appends metadata-only audit events; `warden activity`
|
||||
answers *what happened recently* in one command. Compliance checks (scorecard) make
|
||||
cert-side policy violations visible before they become incidents.
|
||||
|
||||
---
|
||||
|
||||
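Review bot: the "Observable gatekeeping" paragraph moves from "Every successful SSH sign is auditable (`signatures.log`)" to "Every ops-warden action appends metadata-only audit events", which leaves two things unstated: whether denied or failed attempts are recorded, and whether `signatures.log` is still written. Suggest saying both explicitly so anyone who reads or ships `signatures.log` today knows whether to switch to the unified trail.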
@@ -169,23 +178,31 @@ Every successful SSH sign is auditable (`signatures.log`). Compliance checks
|
||||
Development worker needs access
|
||||
|
|
||||
v
|
||||
ops-warden (issue SSH; route the rest)
|
||||
ops-warden (issue SSH; route / assist the rest)
|
||||
|
|
||||
+-- SSH host / ops reachability? ----> warden sign / cert_command
|
||||
+-- SSH host / ops reachability? --------> warden sign / cert_command
|
||||
| (OpenBao SSH engine; scoped token via credential broker)
|
||||
|
|
||||
+-- Runtime API / platform secret? --> OpenBao path (documented)
|
||||
+-- Owner-native secret exec? -----------> secrets-engine exec
|
||||
| (e.g. npm publish) or railiance-platform credential exec
|
||||
|
|
||||
+-- Authorization required? ---------> flex-auth decision (future hook)
|
||||
+-- Generic API / DB / provider secret? -> OpenBao path
|
||||
| (warden access proxies as caller when exec_capable)
|
||||
|
|
||||
+-- Identity / MFA required? --------> key-cape / Keycloak path
|
||||
+-- Authorization required? ------------> flex-auth decision
|
||||
| (caller-side gate on sign + access when policy.enabled)
|
||||
|
|
||||
+-- Tunnel only? --------------------> ops-bridge + cert_command
|
||||
+-- Identity / MFA required? -------------> key-cape / Keycloak path
|
||||
|
|
||||
+-- Tunnel only? ------------------------> ops-bridge + cert_command
|
||||
```
|
||||
|
||||
The steward role spans documentation, runbooks, the SSH CLI, the machine-readable
|
||||
routing catalog with `warden route` lookup, policy-gated issuance, and — since
|
||||
WARDEN-WP-0014 — the `warden access` assist layer that advises and (for `exec_capable`
|
||||
lanes) proxies non-SSH fetches as the caller without holding the value.
|
||||
routing catalog with `warden route` lookup, policy-gated issuance, workload posture
|
||||
conformance, the coordination worker, unified audit (`warden activity`), and — since
|
||||
WARDEN-WP-0014 — the `warden access` assist layer that advises, routes owner-native
|
||||
exec lanes, and (for generic `exec_capable` lanes) proxies fetches as the caller
|
||||
without holding the value.
|
||||
|
||||
---
|
||||
|
||||
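Review bot: in the flow diagram "Authorization required?" is drawn as a sibling branch, yet its annotation "(caller-side gate on sign + access when policy.enabled)" says it sits in front of the sign and OpenBao branches. Suggest moving the annotation under those two branches, or adding a line on what happens to a sign or access request when `policy.enabled` is off, so the diagram does not suggest authorization is an alternative path.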
@@ -246,6 +263,8 @@ platform boundaries.
|
||||
See `wiki/CredentialRouting.md` for worker-facing routing,
|
||||
`wiki/WorkloadSecurityPosture.md` for the posture/maturity conformance model,
|
||||
`wiki/NetKingdomSecurityMap.md` for component literacy,
|
||||
`history/2026-06-18-post-wp0008-intent-scope-reassessment.md` for the latest
|
||||
gap analysis (production SSH path verified), and archived workplans WP-0006–0008
|
||||
for stewardship and production closeout execution.
|
||||
`wiki/AuditTrail.md` for the unified activity log,
|
||||
`history/2026-07-01-intent-scope-gap-analysis.md` for the latest gap analysis,
|
||||
`history/2026-06-18-post-wp0008-intent-scope-reassessment.md` for the SSH lane
|
||||
reassessment, and archived workplans WP-0006–0008 for stewardship and production
|
||||
closeout execution.
|
||||
|
||||
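Review bot: in the reference list the pointer to `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` changes from "the latest gap analysis (production SSH path verified)" to "the SSH lane reassessment", so the statement that the production SSH path was verified no longer appears here. If that is still true, keep the parenthetical on the 2026-06-18 entry.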