feat(WP-0012): add inter-hub-bootstrap-ssh catalog entry and align wiki

Promote Inter-Hub bootstrap lane to active catalog with worker checklist,
attended/unattended branches, and flex-auth/OpenBao pointers. Mark WP-0012
T2/T3 done; ops-bridge tunnel playbook shipped in prior WP-0013 commit.

SCOPE.md

@@ -136,7 +136,7 @@ for the rest.
 
 | WP | Status | Focus |
 | --- | --- | --- |
-| **WP-0012** | `ready` | Routing scenario playbooks (catalog + wiki expansion) |
+| **WP-0012** | `active` | Routing scenario playbooks (catalog + wiki expansion) |
 
 ### Known gaps (not ops-warden workplans)
 

registry/routing/catalog.yaml

@@ -103,6 +103,17 @@ entries:
     reviewed: "2026-06-18"
     status: active
 
+  - id: inter-hub-bootstrap-ssh
+    title: Inter-Hub bootstrap SSH envelope
+    need_keywords: [inter-hub, interhub, bootstrap, ops-hub, agt-interhub-bootstrap, envelope, force-command, CUST-WP-0049]
+    owner_repo: ops-warden
+    subsystem: ops-warden + railiance-infra
+    warden_executes: false
+    wiki_ref: wiki/InterHubBootstrapAccessLane.md#worker-checklist
+    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md#operational-ssh-path
+    reviewed: "2026-06-24"
+    status: active
+
   - id: activity-core-issue-sink
     title: activity-core IssueSink → issue-core REST emission
     need_keywords: [activity-core, issue-sink, issue-core, emission, issue_core_url, issue_core_api_key, tasks, ingest, rest, issuesink]

wiki/InterHubBootstrapAccessLane.md

@@ -1,6 +1,7 @@
 # Inter-Hub Bootstrap Access Lane
 
-Date: 2026-06-17
+Date: 2026-06-24 (catalog alignment)  
+Catalog id: `inter-hub-bootstrap-ssh` — `warden route show inter-hub-bootstrap-ssh --json`
 
 ## Purpose
 
@@ -52,22 +53,31 @@ Guidance:
 - Do not reuse human `adm` actors for agent-assisted bootstrap runs.
 - Remove or disable the actor after the bootstrap lane is no longer needed.
 
-## Execution Shape
+## Worker checklist
 
-The intended flow is:
+1. Confirm the bootstrap run is approved (`CUST-WP-0049` or equivalent workplan).
+2. Register or verify the narrow `agt` actor in inventory (`warden inventory list`).
+3. Sign a short-lived cert: `warden sign agt-codex-interhub-bootstrap --pubkey <path>`.
+4. Confirm host principal `agt-interhub-bootstrap` is deployed (`railiance-infra`
+   `ssh_principals.yaml`; optional drift check: `scripts/check_principals_drift.py`).
+5. Choose **attended** or **unattended** material access (below).
+6. Run via `ops-ssh-wrapper` or attended SSH; collect **non-secret** evidence only.
 
-1. Operator approves the production bootstrap run.
-2. ops-warden signs a short-lived cert for `agt-codex-interhub-bootstrap`.
-3. The target host accepts only the narrow `agt-interhub-bootstrap` principal.
-4. Host-side policy maps that principal to a force-command or wrapper that can
-   run only the Inter-Hub bootstrap routine.
-5. The wrapper reads the Inter-Hub operator key from OpenBao or an attended
-   `0600` temp file.
-6. The wrapper runs the repo-owned bootstrap command, for example
+For generic SSH issuance steps see catalog id `ssh-cert-host-access`.
+
+---
+
+## Attended bootstrap
+
+Use when host-side force-command / OpenBao read paths are not yet provisioned.
+
+1. Operator holds the Inter-Hub operator key in an attended `0600` temp file
+   (`IHUB_OPERATOR_KEY_FILE`) — never commit or paste in chat.
+2. ops-warden signs the bootstrap actor cert (step 3 above).
+3. Operator runs the repo-owned bootstrap command on the trusted host, for example
    `make interhub-bootstrap` in `ops-hub`.
-7. Any generated runtime key is stored back into OpenBao immediately.
-8. The wrapper prints non-secret evidence only: ids, status, timestamps, and
-   key prefixes.
+4. Operator stores any generated runtime key into OpenBao immediately.
+5. Record non-secret evidence in State Hub (ids, status, key prefixes).
 
 Example client-side wrapper use:
 
@@ -80,6 +90,37 @@ ops-ssh-wrapper ssh ops-bootstrap@<trusted-host> run-ops-hub-interhub-bootstrap
 The exact remote command and host account are environment-specific and should
 be provisioned by the deployment repo.
 
+---
+
+## Unattended bootstrap
+
+Use only after railiance-infra ships host-side controls (principals, force-command,
+wrapper).
+
+1. ops-warden signs the bootstrap actor cert.
+2. Target host accepts only the `agt-interhub-bootstrap` principal.
+3. Host-side wrapper reads the Inter-Hub operator key from OpenBao (see pointers
+   below) — ops-warden does not vend that key.
+4. Wrapper runs the approved bootstrap routine and writes the runtime key back
+   to OpenBao.
+5. Wrapper prints non-secret evidence only.
+
+Without force-command and OpenBao read paths, stay on the **attended** branch.
+
+---
+
+## flex-auth and OpenBao pointers
+
+ops-warden issues the SSH envelope only. Custody and authorization live elsewhere:
+
+| Need | Route | Notes |
+| --- | --- | --- |
+| Inter-Hub operator key read/write | `warden route show openbao-api-key --json` | railiance-platform owns paths |
+| Authorization before sensitive bootstrap | `warden route show flex-auth-policy-check --json` | flex-auth PDP when policy applies |
+| Host principal deploy | `warden route show railiance-infra-principals --json` | Ansible `ssh_principals.yaml` |
+
+Do not restate OpenBao path strings here — they change in `railiance-platform`.
+
 ## Host-Side Requirements
 
 Before this lane can be used in production, railiance-infra or the deployment

workplans/WARDEN-WP-0012-routing-scenario-playbooks.md

@@ -4,7 +4,7 @@ type: workplan
 title: "Routing Scenario Playbooks"
 domain: infotech
 repo: ops-warden
-status: ready
+status: active
 owner: codex
 topic_slug: custodian
 planning_priority: medium
@@ -27,7 +27,7 @@ owner's procedure inside the catalog.
 
 **Depends on:** WARDEN-WP-0010 (charter + catalog schema), WARDEN-WP-0011 (routing CLI).
 
-**Status:** `ready` — WP-0010 and WP-0011 shipped; parallel to WP-0013 integration closeout.
+**Status:** `active` — WP-0013 archived; T2/T3 in progress.
 
 ---
 
@@ -50,7 +50,7 @@ pointer to a non-existent path is worse than no entry.
 | `inter-hub-bootstrap-ssh` | SSH envelope + on-host wrapper reads OpenBao | ops-warden SSH + railiance-infra | ready (SSH lane) |
 | `openrouter-llm-connect` | OpenBao → K8s Secret in activity-core | railiance-platform | path exists |
 | `object-storage-sts` | NK-WP-0007 vending path | net-kingdom + flex-auth + OpenBao | canon exists |
-| `ops-bridge-tunnel-cert` | cert_command vs static-key migration | ops-bridge | coordinate |
+| `ops-bridge-tunnel-cert` | cert_command vs static-key migration | ops-bridge | done (WP-0013) |
 | `human-oidc-login` | key-cape / Keycloak IAM Profile | key-cape | canon exists |
 | `flex-auth-resource-check` | Policy decision before sensitive action | flex-auth | canon exists |
 | `host-principal-deploy` | auth_principals sync | railiance-infra | canon exists |
@@ -77,26 +77,27 @@ state_hub_task_id: "830bb512-0288-4dba-9dd4-ccfd28a4921f"
 
 ```task
 id: WARDEN-WP-0012-T02
-status: todo
+status: done
 priority: medium
 state_hub_task_id: "7726a703-6e00-4e49-9380-ed3fb3268827"
 ```
 
-- [ ] Align `wiki/InterHubBootstrapAccessLane.md` with the catalog id.
-- [ ] Document attended vs unattended bootstrap branches.
-- [ ] Cross-link flex-auth and OpenBao expectations (pointers, not restated steps).
+- [x] Align `wiki/InterHubBootstrapAccessLane.md` with catalog id `inter-hub-bootstrap-ssh`
+- [x] Document attended vs unattended bootstrap branches
+- [x] Cross-link flex-auth and OpenBao expectations (pointers, not restated steps)
+- [x] Promote catalog entry to `active` with `wiki_ref`
 
 ### T3 — ops-bridge tunnel migration
 
 ```task
 id: WARDEN-WP-0012-T03
-status: todo
+status: done
 priority: medium
 state_hub_task_id: "9fb397f0-0abb-48f5-bb62-7e77edae93bb"
 ```
 
-- [ ] Playbook: static-key → `cert_command` migration checklist.
-- [ ] Pilot tunnel notes (`agt-state-hub-bridge`) — coordinate with ops-bridge.
+- [x] Playbook: `wiki/playbooks/ops-bridge-tunnel-cert.md` (WARDEN-WP-0013)
+- [x] Pilot tunnel `agt-state-hub-bridge` documented; ops-bridge coordination sent
 
 ### T4 — Platform secret scenarios (LLM, STS, DB)