generated from coulomb/repo-seed
docs(WP-0010): rewire INTENT to "issue SSH, route the rest"; add access-routing plan
Drop the "operational access desk" framing (and the rejected "coach" metaphor) for plain language: ops-warden issues short-lived SSH certs and routes every other credential need to its owner. SSH is the only lane it executes. Adds WARDEN-WP-0010/0011/0012 with a pointer-layer routing catalog that points at owner docs rather than restating them, enforced structurally (non-SSH entries carrying a steps block fail CI). Drops the scope-creep-prone `check` command; hides unshipped-path scenarios as draft. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
21
INTENT.md
21
INTENT.md
@@ -40,18 +40,23 @@ short-lived certificate lane** it owns.
|
||||
|
||||
> *Where we are going.*
|
||||
|
||||
ops-warden aims to become the **operational access desk** for the ops fleet:
|
||||
ops-warden **issues short-lived SSH certificates and routes every other credential
|
||||
need to the subsystem that owns it.** It is not a desk that wraps the platform; it
|
||||
owns one lane and points at the rest:
|
||||
|
||||
1. **Know** the NetKingdom security model — identity, authorization, secrets,
|
||||
SSH access, tunnels, bootstrap custody, and tenant/platform boundaries.
|
||||
2. **Route** workers to the correct subsystem for each credential type instead
|
||||
of becoming a universal secret vending machine.
|
||||
of becoming a universal secret vending machine — through the wiki and a
|
||||
machine-readable routing catalog that *points at* the owner's docs rather than
|
||||
restating them.
|
||||
3. **Align** runbooks, wiki, inventory patterns, and scorecard checks with
|
||||
NetKingdom canon as the platform evolves (OpenBao-first, flex-auth policy,
|
||||
key-cape IAM Profile, railiance deployment layers).
|
||||
4. **Issue** short-lived SSH certificates for `adm` / `agt` / `atm` actors when
|
||||
host or ops reachability requires the SSH lane — via `warden sign`,
|
||||
`cert_command`, and `ops-ssh-wrapper`.
|
||||
`cert_command`, and `ops-ssh-wrapper`. This is the **only** lane ops-warden
|
||||
executes.
|
||||
5. **Audit** SSH signing operations and cert-side compliance so gatekeeping is
|
||||
observable, not tribal knowledge.
|
||||
|
||||
@@ -151,7 +156,7 @@ Every successful SSH sign is auditable (`signatures.log`). Compliance checks
|
||||
Development worker needs access
|
||||
|
|
||||
v
|
||||
ops-warden (steward / desk)
|
||||
ops-warden (issue SSH; route the rest)
|
||||
|
|
||||
+-- SSH host / ops reachability? ----> warden sign / cert_command
|
||||
|
|
||||
@@ -164,9 +169,9 @@ ops-warden (steward / desk)
|
||||
+-- Tunnel only? --------------------> ops-bridge + cert_command
|
||||
```
|
||||
|
||||
Today the **steward desk** is primarily documentation, runbooks, and the
|
||||
implemented SSH CLI. Routing automation and policy-gated issuance are intentional
|
||||
follow-ups, not current promises.
|
||||
Today the steward role is primarily documentation, runbooks, and the implemented
|
||||
SSH CLI. The machine-readable routing catalog and `warden route` lookup, plus
|
||||
policy-gated issuance, are intentional follow-ups, not current promises.
|
||||
|
||||
---
|
||||
|
||||
@@ -207,6 +212,8 @@ ops-warden is succeeding when:
|
||||
- Replacing OpenBao, flex-auth, key-cape, or railiance deployment ownership
|
||||
- Storing Inter-Hub, LLM provider, or other long-lived API keys
|
||||
- Host-side SSH configuration deployment
|
||||
- **Duplicating or restating another subsystem's procedure** — routing material
|
||||
points at the owner's docs; it does not fork them
|
||||
- SSO / Teleport at scale (trigger per Access Management Directive §6.2)
|
||||
|
||||
---
|
||||
|
||||
Reference in New Issue
Block a user