From f493b0841f3adfea4b210730ecb1e77b2abac730 Mon Sep 17 00:00:00 2001
From: tegwick
Date: Wed, 17 Jun 2026 08:06:00 +0200
Subject: [PATCH] Publish SSH certificate issuance capability registry entry
Add capability.security.ssh-certificate-issuance to the federation index with maturity vector D4/A3/C3/R2 and validated registry metadata.
---
 registry/capabilities/.gitkeep | 0
 ...ility.security.ssh-certificate-issuance.md | 127 ++++++++++++++++++
 registry/indexes/capabilities.yaml | 23 +++-
 3 files changed, 148 insertions(+), 2 deletions(-)
 delete mode 100644 registry/capabilities/.gitkeep
 create mode 100644 registry/capabilities/capability.security.ssh-certificate-issuance.md
diff --git a/registry/capabilities/.gitkeep b/registry/capabilities/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/registry/capabilities/capability.security.ssh-certificate-issuance.md b/registry/capabilities/capability.security.ssh-certificate-issuance.md
new file mode 100644
index 0000000..9c6a450
--- /dev/null
+++ b/registry/capabilities/capability.security.ssh-certificate-issuance.md
@@ -0,0 +1,127 @@
+---
+id: capability.security.ssh-certificate-issuance
+name: SSH Certificate Issuance
+summary: Issue short-lived CA-signed SSH certificates for adm, agt, and atm actors through a stable cert_command CLI interface.
+owner: ops-warden
+status: draft
+domain: helix_forge
+tags:
+ - ssh
+ - certificate
+ - ca
+ - ops-warden
+ - openbao
+ - security
+
+maturity:
+ discovery:
+ current: D4
+ target: D5
+ confidence: medium
+ rationale: >
+ SCOPE, AccessManagementDirective alignment, config runbooks, and cert_command
+ contract are documented; production OpenBao integration is documented but
+ engine deployment lives in railiance-platform.
+ availability:
+ current: A3
+ target: A5
+ confidence: medium
+ rationale: >
+ Installable `warden` CLI and `ops-ssh-wrapper` entry points; ops-bridge and
+ other callers integrate via cert_command without backend-specific branching.
+
+external_evidence:
+ completeness:
+ level: C3
+ name: Functional Core
+ confidence: medium
+ basis: scope_vs_intent_and_consumer_expectations
+ satisfied_expectations:
+ - local and OpenBao/Vault-compatible signing backends
+ - TTL policy enforcement per actor type
+ - principals inventory and cert-side scorecard
+ - signatures audit log and stale-cert cleanup
+ - cert_command stdout contract for ops-bridge
+ broken_expectations:
+ - host-side principal deployment not owned here
+ - OpenBao SSH engine mount not deployed from this repo
+ out_of_scope_expectations:
+ - long-lived API key custody
+ - tunnel lifecycle management
+ - Vault/OpenBao cluster operations
+ reliability:
+ level: R2
+ name: Tolerable
+ confidence: medium
+ basis: consumer_quality_signals
+ known_reliability_risks:
+ - production signing depends on OpenBao availability and token policy
+ - local backend requires protected CA key handling by operators
+
+discovery:
+ intent: >
+ Give the ops fleet short-lived SSH credentials for humans, agents, and
+ automations without static keys, through a single cert_command surface that
+ callers can rely on regardless of CA backend.
+ includes:
+ - certificate signing for adm, agt, and atm actors
+ - actor principals inventory and TTL policy
+ - cert_command interface (`warden sign`)
+ - cert-side compliance scorecard and signatures log
+ - ops-ssh-wrapper for automatic cert acquisition
+ excludes:
+ - tunnel lifecycle
+ - host /etc/ssh/auth_principals deployment
+ - OpenBao or Vault cluster setup
+ - long-lived secret storage
+ assumptions:
+ - callers supply actor public keys; humans self-issue admin keys
+ - production platform uses OpenBao with Vault-compatible SSH engine API
+ use_cases:
+ - ops-bridge tunnel cert_command
+ - Inter-Hub bootstrap short-lived agent access
+ research_memos:
+ - ops-warden/SCOPE.md
+ - ops-warden/wiki/CertCommandInterface.md
+ - ops-warden/wiki/OpsWardenConfig.md
+
+availability:
+ current_level: A3
+ target_level: A5
+ current_artifacts:
+ - ops-warden/src/warden/
+ - ops-warden/wiki/CertCommandInterface.md
+ - ops-warden/wiki/OpsWardenConfig.md
+ target_artifacts:
+ - packaged ops-warden release with documented OpenBao role bootstrap
+ consumption_modes:
+ - CLI
+ - cert_command subprocess
+
+relations:
+ depends_on: []
+ supports: []
+ related_to: []
+
+consumer_guidance:
+ recommended_for:
+ - issuing short-lived SSH certs for ops-bridge tunnels
+ - agent or automation access with TTL-bound principals
+ - checking cert-side compliance before rotation windows
+ not_recommended_for:
+ - storing OpenRouter or Inter-Hub API keys
+ - replacing OpenBao deployment or host SSH hardening playbooks
+ - static-key-only legacy access (use ops-bridge static key mode instead)
+ known_limitations:
+ - "VaultCA backend config key remains backend: vault for API compatibility"
+ - host-side scorecard checks live in railiance-infra
+---
+
+# SSH Certificate Issuance
+
+ops-warden is the custodian-domain SSH CA tool. It signs short-lived certificates,
+maintains the actor inventory, and exposes `warden sign` as the cert_command
+contract for ops-bridge and other callers.
+
+Production environments point the vault-compatible backend at OpenBao; labs use
+the local ssh-keygen CA backend without platform dependencies.
\ No newline at end of file
diff --git a/registry/indexes/capabilities.yaml b/registry/indexes/capabilities.yaml
index f944e47..7811a80 100644
--- a/registry/indexes/capabilities.yaml
+++ b/registry/indexes/capabilities.yaml
@@ -1,4 +1,23 @@
 version: 1
-updated: '2026-06-16'
+updated: '2026-06-17'
 domain: helix_forge
-capabilities: []
+capabilities:
+- id: capability.security.ssh-certificate-issuance
+ name: SSH Certificate Issuance
+ summary: Issue short-lived CA-signed SSH certificates for adm, agt, and atm actors
+ through a stable cert_command CLI interface.
+ vector: D4 / A3 / C3 / R2
+ domain: helix_forge
+ status: draft
+ owner: ops-warden
+ path: registry/capabilities/capability.security.ssh-certificate-issuance.md
+ tags:
+ - ssh
+ - certificate
+ - ca
+ - ops-warden
+ - openbao
+ - security
+ consumption_modes:
+ - CLI
+ - cert_command subprocess
\ No newline at end of file
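Review bot: In the front matter of capability.security.ssh-certificate-issuance.md, `depends_on: []` under `relations` contradicts the entry's own text, which records that production signing depends on OpenBao availability and token policy and that the SSH engine deployment lives in railiance-platform. A consumer reading only the relations block would not learn that the CA's signing path and availability sit outside this repo; I would list that dependency there, e.g. `depends_on: [<capability-id-of-openbao-ssh-engine>]` (placeholder, as no such id appears in this patch). The body says labs use the local ssh-keygen backend and `known_reliability_risks` notes it needs operator-protected CA key handling, yet `not_recommended_for` does not rule it out for production; if that is the intent, add `- production signing with the local ssh-keygen CA backend`. The assumption `humans self-issue admin keys` would also benefit from a short comment stating which TTL policy or approval bounds adm issuance, since the entry does not say. Both this file and registry/indexes/capabilities.yaml end without a trailing newline.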