generated from coulomb/repo-seed
Publish SSH certificate issuance capability registry entry
Add capability.security.ssh-certificate-issuance to the federation index with maturity vector D4/A3/C3/R2 and validated registry metadata.
@@ -0,0 +1,127 @@
---
id: capability.security.ssh-certificate-issuance
name: SSH Certificate Issuance
summary: Issue short-lived CA-signed SSH certificates for adm, agt, and atm actors through a stable cert_command CLI interface.
owner: ops-warden
status: draft
domain: helix_forge
tags:
- ssh
- certificate
- ca
- ops-warden
- openbao
- security

maturity:
discovery:
current: D4
target: D5
confidence: medium
rationale: >
SCOPE, AccessManagementDirective alignment, config runbooks, and cert_command
contract are documented; production OpenBao integration is documented but
engine deployment lives in railiance-platform.
availability:
current: A3
target: A5
confidence: medium
rationale: >
Installable `warden` CLI and `ops-ssh-wrapper` entry points; ops-bridge and
other callers integrate via cert_command without backend-specific branching.

external_evidence:
completeness:
level: C3
name: Functional Core
confidence: medium
basis: scope_vs_intent_and_consumer_expectations
satisfied_expectations:
- local and OpenBao/Vault-compatible signing backends
- TTL policy enforcement per actor type
- principals inventory and cert-side scorecard
- signatures audit log and stale-cert cleanup
- cert_command stdout contract for ops-bridge
broken_expectations:
- host-side principal deployment not owned here
- OpenBao SSH engine mount not deployed from this repo
out_of_scope_expectations:
- long-lived API key custody
- tunnel lifecycle management
- Vault/OpenBao cluster operations
reliability:
level: R2
name: Tolerable
confidence: medium
basis: consumer_quality_signals
known_reliability_risks:
- production signing depends on OpenBao availability and token policy
- local backend requires protected CA key handling by operators

discovery:
intent: >
Give the ops fleet short-lived SSH credentials for humans, agents, and
automations without static keys, through a single cert_command surface that
callers can rely on regardless of CA backend.
includes:
- certificate signing for adm, agt, and atm actors
- actor principals inventory and TTL policy
- cert_command interface (`warden sign`)
- cert-side compliance scorecard and signatures log
- ops-ssh-wrapper for automatic cert acquisition
excludes:
- tunnel lifecycle
- host /etc/ssh/auth_principals deployment
- OpenBao or Vault cluster setup
- long-lived secret storage
assumptions:
- callers supply actor public keys; humans self-issue admin keys
- production platform uses OpenBao with Vault-compatible SSH engine API
use_cases:
- ops-bridge tunnel cert_command
- Inter-Hub bootstrap short-lived agent access
research_memos:
- ops-warden/SCOPE.md
- ops-warden/wiki/CertCommandInterface.md
- ops-warden/wiki/OpsWardenConfig.md

availability:
current_level: A3
target_level: A5
current_artifacts:
- ops-warden/src/warden/
- ops-warden/wiki/CertCommandInterface.md
- ops-warden/wiki/OpsWardenConfig.md
target_artifacts:
- packaged ops-warden release with documented OpenBao role bootstrap
consumption_modes:
- CLI
- cert_command subprocess

relations:
depends_on: []
supports: []
related_to: []

consumer_guidance:
recommended_for:
- issuing short-lived SSH certs for ops-bridge tunnels
- agent or automation access with TTL-bound principals
- checking cert-side compliance before rotation windows
not_recommended_for:
- storing OpenRouter or Inter-Hub API keys
- replacing OpenBao deployment or host SSH hardening playbooks
- static-key-only legacy access (use ops-bridge static key mode instead)
known_limitations:
- "VaultCA backend config key remains backend: vault for API compatibility"
- host-side scorecard checks live in railiance-infra
---

# SSH Certificate Issuance

ops-warden is the custodian-domain SSH CA tool. It signs short-lived certificates,
maintains the actor inventory, and exposes `warden sign` as the cert_command
contract for ops-bridge and other callers.

Production environments point the vault-compatible backend at OpenBao; labs use
the local ssh-keygen CA backend without platform dependencies.
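Review bot: `relations` leaves `depends_on`, `supports` and `related_to` all as `[]`, although the entry itself records dependencies and consumers: the reliability risks say production signing depends on OpenBao availability and token policy, the discovery rationale places engine deployment in railiance-platform, `known_limitations` puts host-side scorecard checks in railiance-infra, and `use_cases` names ops-bridge tunnel cert_command and Inter-Hub bootstrap as callers. Populate `depends_on`/`related_to` with the corresponding registry ids (or state in the rationale why they are not registered), so index consumers see the OpenBao availability dependency instead of an apparently self-contained capability. The local-backend risk ("requires protected CA key handling by operators") would also benefit from a pointer to where the expected CA key protection is specified, since `research_memos` only lists OpsWardenConfig.md without saying it covers that.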
@@ -1,4 +1,23 @@
version: 1
version: 1
updated: '2026-06-16'
updated: '2026-06-17'
domain: helix_forge
domain: helix_forge
capabilities: []
capabilities:
- id: capability.security.ssh-certificate-issuance
name: SSH Certificate Issuance
summary: Issue short-lived CA-signed SSH certificates for adm, agt, and atm actors
through a stable cert_command CLI interface.
vector: D4 / A3 / C3 / R2
domain: helix_forge
status: draft
owner: ops-warden
path: registry/capabilities/capability.security.ssh-certificate-issuance.md
tags:
- ssh
- certificate
- ca
- ops-warden
- openbao
- security
consumption_modes:
- CLI
- cert_command subprocess
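Review bot: the index entry hand-copies `summary`, `tags`, `consumption_modes` and `vector: D4 / A3 / C3 / R2` from the entry file at `path: registry/capabilities/capability.security.ssh-certificate-issuance.md`, and the vector encodes only the current levels while the entry also declares targets (D5, A5). If the "validated registry metadata" mentioned in the commit message does not already cross-check these duplicated fields against the entry file, add that check (or generate the index from the entry) so a later maturity bump in one file cannot silently diverge from the other; a comment on the `vector` key stating that it carries current, not target, levels would spare index consumers a trip to the entry file.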