Publish SSH certificate issuance capability registry entry

Add capability.security.ssh-certificate-issuance to the federation index with maturity vector D4/A3/C3/R2 and validated registry metadata.
2026-06-17 08:06:00 +02:00
parent 15bf8cb543
commit f493b0841f
3 changed files with 148 additions and 2 deletions
--- a/registry/capabilities/.gitkeep
+++ b/registry/capabilities/.gitkeep
--- a/registry/capabilities/capability.security.ssh-certificate-issuance.md
+++ b/registry/capabilities/capability.security.ssh-certificate-issuance.md
@@ -0,0 +1,127 @@
+---
+id: capability.security.ssh-certificate-issuance
+name: SSH Certificate Issuance
+summary: Issue short-lived CA-signed SSH certificates for adm, agt, and atm actors through a stable cert_command CLI interface.
+owner: ops-warden
+status: draft
+domain: helix_forge
+tags:
+  - ssh
+  - certificate
+  - ca
+  - ops-warden
+  - openbao
+  - security
+
+maturity:
+  discovery:
+    current: D4
+    target: D5
+    confidence: medium
+    rationale: >
+      SCOPE, AccessManagementDirective alignment, config runbooks, and cert_command
+      contract are documented; production OpenBao integration is documented but
+      engine deployment lives in railiance-platform.
+  availability:
+    current: A3
+    target: A5
+    confidence: medium
+    rationale: >
+      Installable `warden` CLI and `ops-ssh-wrapper` entry points; ops-bridge and
+      other callers integrate via cert_command without backend-specific branching.
+
+external_evidence:
+  completeness:
+    level: C3
+    name: Functional Core
+    confidence: medium
+    basis: scope_vs_intent_and_consumer_expectations
+    satisfied_expectations:
+      - local and OpenBao/Vault-compatible signing backends
+      - TTL policy enforcement per actor type
+      - principals inventory and cert-side scorecard
+      - signatures audit log and stale-cert cleanup
+      - cert_command stdout contract for ops-bridge
+    broken_expectations:
+      - host-side principal deployment not owned here
+      - OpenBao SSH engine mount not deployed from this repo
+    out_of_scope_expectations:
+      - long-lived API key custody
+      - tunnel lifecycle management
+      - Vault/OpenBao cluster operations
+  reliability:
+    level: R2
+    name: Tolerable
+    confidence: medium
+    basis: consumer_quality_signals
+    known_reliability_risks:
+      - production signing depends on OpenBao availability and token policy
+      - local backend requires protected CA key handling by operators
+
+discovery:
+  intent: >
+    Give the ops fleet short-lived SSH credentials for humans, agents, and
+    automations without static keys, through a single cert_command surface that
+    callers can rely on regardless of CA backend.
+  includes:
+    - certificate signing for adm, agt, and atm actors
+    - actor principals inventory and TTL policy
+    - cert_command interface (`warden sign`)
+    - cert-side compliance scorecard and signatures log
+    - ops-ssh-wrapper for automatic cert acquisition
+  excludes:
+    - tunnel lifecycle
+    - host /etc/ssh/auth_principals deployment
+    - OpenBao or Vault cluster setup
+    - long-lived secret storage
+  assumptions:
+    - callers supply actor public keys; humans self-issue admin keys
+    - production platform uses OpenBao with Vault-compatible SSH engine API
+  use_cases:
+    - ops-bridge tunnel cert_command
+    - Inter-Hub bootstrap short-lived agent access
+  research_memos:
+    - ops-warden/SCOPE.md
+    - ops-warden/wiki/CertCommandInterface.md
+    - ops-warden/wiki/OpsWardenConfig.md
+
+availability:
+  current_level: A3
+  target_level: A5
+  current_artifacts:
+    - ops-warden/src/warden/
+    - ops-warden/wiki/CertCommandInterface.md
+    - ops-warden/wiki/OpsWardenConfig.md
+  target_artifacts:
+    - packaged ops-warden release with documented OpenBao role bootstrap
+  consumption_modes:
+    - CLI
+    - cert_command subprocess
+
+relations:
+  depends_on: []
+  supports: []
+  related_to: []
+
+consumer_guidance:
+  recommended_for:
+    - issuing short-lived SSH certs for ops-bridge tunnels
+    - agent or automation access with TTL-bound principals
+    - checking cert-side compliance before rotation windows
+  not_recommended_for:
+    - storing OpenRouter or Inter-Hub API keys
+    - replacing OpenBao deployment or host SSH hardening playbooks
+    - static-key-only legacy access (use ops-bridge static key mode instead)
+  known_limitations:
+    - "VaultCA backend config key remains backend: vault for API compatibility"
+    - host-side scorecard checks live in railiance-infra
+---
+
+# SSH Certificate Issuance
+
+ops-warden is the custodian-domain SSH CA tool. It signs short-lived certificates,
+maintains the actor inventory, and exposes `warden sign` as the cert_command
+contract for ops-bridge and other callers.
+
+Production environments point the vault-compatible backend at OpenBao; labs use
+the local ssh-keygen CA backend without platform dependencies.
--- a/registry/indexes/capabilities.yaml
+++ b/registry/indexes/capabilities.yaml
@@ -1,4 +1,23 @@
 version: 1
-updated: '2026-06-16'
+updated: '2026-06-17'
 domain: helix_forge
-capabilities: []
+capabilities:
+- id: capability.security.ssh-certificate-issuance
+  name: SSH Certificate Issuance
+  summary: Issue short-lived CA-signed SSH certificates for adm, agt, and atm actors
+    through a stable cert_command CLI interface.
+  vector: D4 / A3 / C3 / R2
+  domain: helix_forge
+  status: draft
+  owner: ops-warden
+  path: registry/capabilities/capability.security.ssh-certificate-issuance.md
+  tags:
+  - ssh
+  - certificate
+  - ca
+  - ops-warden
+  - openbao
+  - security
+  consumption_modes:
+  - CLI
+  - cert_command subprocess