docs(WP-0010): sharpen mission to "issue SSH, route the rest" + pointer catalog

Implements WARDEN-WP-0010 (charter + pointer catalog). ops-warden issues
short-lived SSH certificates and routes every other credential need to the
subsystem that owns it — no desk metaphor, one execution lane.

- wiki/AccessRouting.md: role/boundary, issue-vs-route matrix, anti-patterns
- registry/routing/catalog.yaml: machine-readable pointer layer (6 active + 1
  draft). No-double-source rule enforced structurally — authored steps/cert_command
  only on the warden_executes:true SSH entry; every wiki_ref anchor resolves
- wiki/CredentialRouting.md: catalog-keyed index + no-duplicate-interfaces note
- INTENT/SCOPE/AGENTS/repo-boundary/capability: aligned to the new framing;
  SCOPE notes A3 -> A4 lands with WP-0011 warden route CLI
- WP-0011/0012 + WP-0010: state_hub id writeback; WP-0010 marked done

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-18 20:44:53 +02:00
parent b9c8eadcfd
commit ffc2722006
12 changed files with 338 additions and 46 deletions


@@ -26,8 +26,11 @@ This repo owns **ops-warden** only. It does not own:
| SSH tunnel | ops-bridge | cert_command consumer |
| Host principals | railiance-infra | Document only |
Full map: `wiki/NetKingdomSecurityMap.md`.
Full map: `wiki/NetKingdomSecurityMap.md`. Role and boundary: `wiki/AccessRouting.md`.
Machine-readable pointer catalog: `registry/routing/catalog.yaml`.
ops-warden issues **short-lived SSH certificates** and maintains **operational
access stewardship docs**. It is not a general secrets manager and must not
store long-lived API keys in Git, State Hub, workplans, logs, or chat.
ops-warden **issues short-lived SSH certificates** (the one lane it executes) and
**routes every other credential need to its owner** via stewardship docs and the
pointer catalog. It is not a general secrets manager and must not store long-lived
API keys in Git, State Hub, workplans, logs, or chat. Routing material **points at**
the owner's docs — it never restates or forks another subsystem's procedure.


@@ -2,7 +2,7 @@
## Repo Identity
**Purpose:** SSH CA and certificate lifecycle manager — signs short-lived certs for adm/agt/atm actors; provides the cert_command interface consumed by ops-bridge.
**Purpose:** Issues short-lived SSH certs for adm/agt/atm actors (the one lane it executes) and routes every other credential need to its owner; provides the cert_command interface consumed by ops-bridge.
**Domain:** custodian
**Repo slug:** ops-warden


@@ -5,8 +5,9 @@ Signs short-lived certs for `adm` / `agt` / `atm` actors and exposes the
`cert_command` interface consumed by `ops-bridge` and other tooling.
See `INTENT.md` for direction, `SCOPE.md` for current implementation, and
`wiki/AccessManagementDirective.md` for SSH policy. Latest gap analysis:
`history/2026-06-17-post-wp0007-reassessment.md`.
`wiki/AccessManagementDirective.md` for SSH policy. ops-warden issues SSH certs
and routes every other credential need to its owner — see `wiki/AccessRouting.md`.
Latest gap analysis: `history/2026-06-17-post-wp0007-reassessment.md`.
## Install


@@ -17,17 +17,35 @@ aligned with NetKingdom canon.
## Where we are (2026-06-18)
ops-warden is **production-verified for SSH signing** on Railiance OpenBao
(`warden sign` against `https://bao.coulomb.social`, host CA trust deployed).
The steward desk — routing wiki, NetKingdom security map, inventory patterns,
OpenBao checklist — is operational. The opt-in flex-auth pre-sign gate is
**coded but off in production** until flex-auth publishes `ssh-certificate`
policies (WARDEN-WP-0009).
ops-warden **issues short-lived SSH certificates and routes every other credential
need to the subsystem that owns it.** SSH signing is **production-verified** on
Railiance OpenBao (`warden sign` against `https://bao.coulomb.social`, host CA trust
deployed). The routing material — `wiki/AccessRouting.md`, the credential routing
wiki, NetKingdom security map, and a machine-readable pointer catalog
(`registry/routing/catalog.yaml`, WARDEN-WP-0010) — is operational. The opt-in
flex-auth pre-sign gate is **coded but off in production** until flex-auth publishes
`ssh-certificate` policies (WARDEN-WP-0009).
**INTENT alignment:** SSH issuance mission met in production. Remaining distance
is integration breadth (ops-bridge `cert_command` on live tunnels), authorization
depth (flex-auth), and operator hygiene — not missing signing code.
### Issue vs route
ops-warden executes exactly one lane and points at the owner for the rest.
| Need | Subsystem | ops-warden role |
| --- | --- | --- |
| SSH cert for host/ops access (`adm`/`agt`/`atm`) | **ops-warden** | **Issue** (`warden sign`) |
| API key / DB cred / dynamic lease | OpenBao | Route — point at path |
| "May I perform action X?" | flex-auth | Route — point at policy |
| Login / OIDC / MFA | key-cape / Keycloak | Route — point at IAM Profile |
| SSH tunnel / port forward | ops-bridge | Route — supply `cert_command` |
| Host principal deployment | railiance-infra | Route — point at Ansible |
Full role and boundary: `wiki/AccessRouting.md`. The catalog is a **pointer layer**
it never restates an owner's procedure (authored `steps` exist only for the SSH lane).
Full gap analysis: `history/2026-06-18-post-wp0008-intent-scope-reassessment.md`
---
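Review bot: the sentence "The catalog is a **pointer layer** it never restates an owner's procedure" runs two clauses together; put a colon or semicolon after "pointer layer" (e.g. "The catalog is a **pointer layer**: it never restates an owner's procedure (authored `steps` exist only for the SSH lane)."). The six-row table here is a subset of the one in `wiki/AccessRouting.md`, which is fine given the "Full role and boundary" pointer directly below it, but keep the two in the same row order so a reader diffing them sees only omissions, not reorderings.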
@@ -46,8 +64,8 @@ Full gap analysis: `history/2026-06-18-post-wp0008-intent-scope-reassessment.md`
| Dimension | Level | Meaning today |
| --- | --- | --- |
| D5 | Discovery | Routing + security map + NK canon cross-links |
| A3 | Availability | CLI + opt-in policy gate; no desk API |
| D5 | Discovery | Routing wiki + security map + pointer catalog + NK canon cross-links |
| A3 | Availability | CLI + opt-in policy gate + machine-readable routing catalog; `warden route` lookup (A4) lands with WARDEN-WP-0011 |
| C4 | Completeness | SSH lane prod-verified; flex-auth policies external |
| R3 | Reliability | Live OpenBao sign evidence on Railiance |
@@ -60,9 +78,10 @@ Full gap analysis: `history/2026-06-18-post-wp0008-intent-scope-reassessment.md`
`cert_command` interface for ops-bridge. Production path uses OpenBao SSH engine
(`backend: vault`).
**Direction (INTENT):** custodian-domain desk that routes dev workers to key-cape,
flex-auth, OpenBao, ops-bridge, and railiance components — implementing only the
SSH certificate lane directly.
**Direction (INTENT):** issue short-lived SSH certificates and route dev workers to
key-cape, flex-auth, OpenBao, ops-bridge, and railiance components for everything
else — implementing only the SSH certificate lane directly, pointing at the owner
for the rest.
---
@@ -93,12 +112,15 @@ SSH certificate lane directly.
| WP-0006 | Credential routing, security map, inventory patterns, OpenBao checklist |
| WP-0007 | Opt-in flex-auth policy gate (`policy.enabled`) |
| WP-0008 | Production sign verification, stewardship closeout, archive hygiene |
| WP-0010 | "Issue SSH, route the rest" wording + `wiki/AccessRouting.md` + pointer catalog |
### Active / wait
| WP | Status | Focus |
| --- | --- | --- |
| **WP-0009** | `wait` | flex-auth `ssh-certificate` policies + `policy.enabled` production smoke |
| **WP-0011** | `ready` | `warden route` lookup CLI over the pointer catalog (A3 → A4) |
| **WP-0012** | `backlog` | Routing scenario playbooks (draft until owner paths ship) |
### Known gaps (not yet workplanned)
@@ -109,8 +131,9 @@ SSH certificate lane directly.
| Principals sync warden ↔ railiance-infra | ops-warden + infra | `inventory.yaml` hosts vs `ssh_principals.yaml` |
| NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel coordination track |
See reassessment §6 for **proposed WARDEN-WP-0010** (integration closeout) when
ops-bridge tunnel migration or token runbook becomes priority.
The integration-closeout strand (ops-bridge tunnel migration, token runbook) from
reassessment §6 is not yet workplanned; WARDEN-WP-0010 was used for the access-routing
charter instead. Open a new WP when tunnel migration becomes priority.
---
@@ -219,7 +242,9 @@ keywords: [ssh, certificate, ca, credential, warden, ops-warden, pki, openbao, v
| `INTENT.md` | Why ops-warden exists and where it is going |
| `SCOPE.md` | What is implemented today (this file) |
| `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` | Latest INTENT ↔ SCOPE gap analysis |
| `wiki/AccessRouting.md` | What ops-warden issues vs routes (role and boundary) |
| `wiki/CredentialRouting.md` | Which subsystem for each credential need |
| `registry/routing/catalog.yaml` | Machine-readable routing pointer catalog |
| `wiki/NetKingdomSecurityMap.md` | Platform security component map |
| `examples/warden.production.example.yaml` | Production warden.yaml template |
| `wiki/AccessManagementDirective.md` | SSH actor model |


@@ -21,7 +21,9 @@ maturity:
rationale: >
SCOPE, AccessManagementDirective alignment, config runbooks, and cert_command
contract are documented; production OpenBao integration is documented but
engine deployment lives in railiance-platform.
engine deployment lives in railiance-platform. A machine-readable routing
catalog (registry/routing/catalog.yaml) and wiki/AccessRouting.md make the
"issue SSH, route the rest" boundary discoverable.
availability:
current: A3
target: A5
@@ -29,6 +31,8 @@ maturity:
rationale: >
Installable `warden` CLI and `ops-ssh-wrapper` entry points; ops-bridge and
other callers integrate via cert_command without backend-specific branching.
A `warden route` lookup over the pointer catalog (WARDEN-WP-0011) will move
routing discovery from wiki prose to a structured surface for agents (A3 -> A4).
external_evidence:
completeness:
@@ -71,6 +75,7 @@ discovery:
- cert-side compliance scorecard and signatures log
- ops-ssh-wrapper for automatic cert acquisition
- NetKingdom credential routing and alignment documentation
- machine-readable routing pointer catalog (registry/routing/catalog.yaml)
excludes:
- tunnel lifecycle
- host /etc/ssh/auth_principals deployment
@@ -86,6 +91,7 @@ discovery:
- ops-warden/SCOPE.md
- ops-warden/wiki/CertCommandInterface.md
- ops-warden/wiki/OpsWardenConfig.md
- ops-warden/wiki/AccessRouting.md
availability:
current_level: A3
@@ -96,6 +102,7 @@ availability:
- ops-warden/wiki/OpsWardenConfig.md
target_artifacts:
- packaged ops-warden release with documented OpenBao role bootstrap
- "`warden route` lookup CLI over the pointer catalog (WARDEN-WP-0011)"
consumption_modes:
- CLI
- cert_command subprocess


@@ -0,0 +1,116 @@
# ops-warden routing catalog — POINTER LAYER
#
# This file is a machine-readable index of NetKingdom credential needs. It tells a
# worker WHICH subsystem owns a need and WHERE the authoritative doc is. It is NOT
# a second copy of any subsystem's procedure.
#
# No-double-source rule (binding — see workplans/WARDEN-WP-0010-access-routing-charter.md):
# - For any subsystem ops-warden does not own, an entry carries identifiers +
# pointers ONLY: owner_repo, subsystem, wiki_ref, canon_ref, need_keywords.
# - Authored procedure (a `steps:` block and `cert_command:`) is allowed ONLY on
# entries with `warden_executes: true` — i.e. the SSH certificate lane, the one
# lane ops-warden owns.
# - A CI/test (WARDEN-WP-0011 T5) FAILS any non-SSH entry that carries a `steps`
# block, and checks that every `wiki_ref` anchor resolves to a real section.
# - No secret material in this file, ever.
#
# Field reference:
# id kebab-case stable identifier (lookup key)
# title human-readable need
# need_keywords tokens for `warden route find` keyword matching
# owner_repo repo/subsystem that owns the procedure
# subsystem platform component a worker acts on
# warden_executes true only for the SSH lane; false everywhere else
# wiki_ref anchor into an in-repo wiki section (authoritative restatement)
# canon_ref upstream net-kingdom doc the wiki section tracks
# reviewed date this pointer was last checked against canon (YYYY-MM-DD)
# status active (surfaced by default) | draft (hidden unless --all)
# steps ONLY when warden_executes: true
# cert_command ONLY when warden_executes: true
version: 1
entries:
- id: ssh-cert-host-access
title: Short-lived SSH certificate for host / ops reachability
need_keywords: [ssh, certificate, cert, host, access, sign, adm, agt, atm, reachability, ops]
owner_repo: ops-warden
subsystem: ops-warden
warden_executes: true
wiki_ref: wiki/AccessRouting.md#issue-vs-route
canon_ref: net-kingdom/docs/platform-identity-security-architecture.md#operational-ssh-path
reviewed: "2026-06-18"
status: active
cert_command: "warden sign <actor> --pubkey <path>"
steps:
- "Confirm the actor is in inventory (`warden inventory list`); add with `warden inventory add` if not — see wiki/ActorInventoryPatterns.md."
- "Confirm the backend is configured (`warden status`) — local CA for labs, vault for production."
- "Sign: `warden sign <actor> --pubkey <path>` — cert is written to stdout (the cert_command contract)."
- "TTL is enforced per actor type: adm 48h / agt 24h / atm 8h. No long-lived keys."
- id: openbao-api-key
title: API key, DB credential, or dynamic lease
need_keywords: [api, key, secret, database, db, password, token, lease, openbao, vault, kv, dynamic, credential]
owner_repo: railiance-platform
subsystem: OpenBao
warden_executes: false
wiki_ref: wiki/CredentialRouting.md#routing-table
canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
reviewed: "2026-06-18"
status: active
- id: flex-auth-policy-check
title: Authorization decision — may this actor perform this action
need_keywords: [authorization, policy, permission, allow, deny, may, flex-auth, topaz, pdp, decision]
owner_repo: flex-auth
subsystem: flex-auth
warden_executes: false
wiki_ref: wiki/CredentialRouting.md#quick-decision-tree
canon_ref: net-kingdom/docs/responsibility-map.md
reviewed: "2026-06-18"
status: active
- id: key-cape-oidc-login
title: Interactive login, OIDC token, or MFA
need_keywords: [login, oidc, identity, mfa, token, jwt, sso, keycloak, key-cape, iam, claims, authenticate]
owner_repo: key-cape
subsystem: key-cape / Keycloak
warden_executes: false
wiki_ref: wiki/CredentialRouting.md#quick-decision-tree
canon_ref: net-kingdom/docs/canon/standards/iam-profile_v0.2.md
reviewed: "2026-06-18"
status: active
- id: ops-bridge-tunnel
title: SSH tunnel or port forward
need_keywords: [tunnel, port, forward, bridge, ops-bridge, reverse, transport, ssh-tunnel]
owner_repo: ops-bridge
subsystem: ops-bridge
warden_executes: false
wiki_ref: wiki/CredentialRouting.md#routing-table
canon_ref: net-kingdom/docs/platform-identity-security-architecture.md#operational-ssh-path
reviewed: "2026-06-18"
status: active
- id: railiance-infra-principals
title: Host SSH principal file or force-command deployment
need_keywords: [principal, auth_principals, force-command, host, sshd, hardening, railiance-infra, ansible]
owner_repo: railiance-infra
subsystem: railiance-infra
warden_executes: false
wiki_ref: wiki/CredentialRouting.md#routing-table
canon_ref: net-kingdom/docs/responsibility-map.md
reviewed: "2026-06-18"
status: active
# --- draft: owner path not yet shipped; hidden from default lookup ---
- id: issue-core-ingestion-api-key
title: issue-core ingestion API key (OpenBao path TBD)
need_keywords: [issue-core, ingestion, api, key, openbao]
owner_repo: railiance-platform
subsystem: OpenBao
warden_executes: false
wiki_ref: wiki/CredentialRouting.md#routing-table
canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
reviewed: "2026-06-18"
status: draft
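Review bot: the CI rule in the header comment only says the WARDEN-WP-0011 T5 check "FAILS any non-SSH entry that carries a `steps` block", while the rule two bullets above it also restricts `cert_command:` to entries with `warden_executes: true`; have the check reject both `steps` and `cert_command` on any entry with `warden_executes: false` so the structural guarantee matches the stated no-double-source rule. While that validator is being written, the field reference also promises `status` is one of active|draft and `reviewed` is YYYY-MM-DD, so those two constraints belong in the same check rather than in prose only.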

wiki/AccessRouting.md Normal file

@@ -0,0 +1,89 @@
# Access Routing — what ops-warden answers
Date: 2026-06-18
ops-warden **issues short-lived SSH certificates** and **routes every other
credential need to the subsystem that owns it.** This page states that role
plainly so it cannot be misread as a desk that wraps the platform.
- **What ops-warden executes:** the SSH certificate lane only (`warden sign`,
`cert_command`, `ops-ssh-wrapper`).
- **What ops-warden answers:** *where* a credential need belongs and *who owns it*
pointing at the owner's docs, never restating their procedure.
- **What ops-warden never does:** vend API keys, log you in, decide policy, open
tunnels, or deploy hosts.
For the worker-facing decision tree see `CredentialRouting.md`; for component
literacy see `NetKingdomSecurityMap.md`. This page is the steward's statement of
**role and boundary**.
---
## Issue vs route
| Need | Subsystem | ops-warden role | Who acts |
| --- | --- | --- | --- |
| SSH cert for host/ops access (`adm`/`agt`/`atm`) | **ops-warden** | **Issue** (`warden sign`) | ops-warden signs; worker uses cert |
| API key / DB cred / dynamic lease | OpenBao | Route — point at path | Worker calls OpenBao |
| "May I perform action X?" | flex-auth (+ Topaz PDP) | Route — point at policy | Worker/PEP calls flex-auth |
| Login / OIDC token / MFA | key-cape / Keycloak | Route — point at IAM Profile | Worker authenticates |
| Object-storage STS / S3 creds | net-kingdom + flex-auth + OpenBao | Route — point at vending path | Worker follows NK-WP-0007 |
| SSH tunnel / port forward | ops-bridge | Route — supply `cert_command` | ops-bridge opens tunnel |
| Host principal / force-command | railiance-infra | Route — point at Ansible | infra deploys host |
| OpenBao cluster init / unseal | railiance-platform | Route — point at ceremony | platform operates |
Only the first row is something ops-warden **executes**. Every other row is a
**pointer**: ops-warden names the owner and the doc, and the worker acts on the
owning system directly.
---
## Anti-patterns (not coming to ops-warden)
These commands do **not** exist and will **not** be added — they belong to other
subsystems. If you find yourself wanting one, you are on the wrong desk:
| Tempting command | Why it's wrong | Right path |
| --- | --- | --- |
| `warden secret` / `warden bao` | ops-warden does not store or vend secrets | OpenBao |
| `warden login` | ops-warden does not establish identity | key-cape / Keycloak |
| `warden policy` | ops-warden does not decide authorization | flex-auth |
| `warden tunnel` | ops-warden does not manage transport | ops-bridge |
ops-warden authors step-by-step procedure for exactly one lane — SSH issuance —
because it owns it. For everything else it carries a **pointer**, not a fork of
the owner's runbook. See the no-double-source rule in
`workplans/WARDEN-WP-0010-access-routing-charter.md`.
---
## Audience notes
- **Human operators** read this page and `CredentialRouting.md` to choose the
right subsystem, then follow that subsystem's own docs.
- **Agents / CI** will read the machine-readable routing catalog
(`registry/routing/catalog.yaml`, surfaced via `warden route` — WARDEN-WP-0011)
so routing does not have to be re-derived from wiki prose each session.
- **Same truth, two shapes:** humans read the wiki; agents read the catalog. The
catalog references wiki sections by anchor so the two cannot drift apart.
---
## How this stays aligned
NetKingdom security architecture is canonical in `net-kingdom`. ops-warden tracks
it: when canon changes, the wiki section is updated and the catalog pointer
(`wiki_ref` + `canon_ref`) follows. ops-warden never overrides canon and never
silently forks it.
Report drift via a custodian workplan or a State Hub message to `ops-warden`.
---
## See also
- `CredentialRouting.md` — worker decision tree and routing table
- `NetKingdomSecurityMap.md` — component literacy
- `INTENT.md` — steward mission ("issue SSH, route the rest")
- `workplans/WARDEN-WP-0010-access-routing-charter.md` — charter + no-double-source rule
- `net-kingdom/docs/platform-identity-security-architecture.md` — platform canon
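Review bot: the "Issue vs route" table lists eight rows, but the catalog seeded in this same commit has six active entries and no entry for "Object-storage STS / S3 creds" or "OpenBao cluster init / unseal"; since the audience notes promise "Same truth, two shapes" and that the catalog anchors keep wiki and catalog from drifting, either add those two rows as `status: draft` pointer entries or mark them in the table as not yet catalogued. Minor: "*where* a credential need belongs and *who owns it* pointing at the owner's docs" needs a comma or dash before "pointing".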


@@ -70,6 +70,28 @@ stop if you landed on "NEVER ops-warden" for non-SSH secrets.
---
## Routing catalog index
These needs are also carried in the machine-readable pointer catalog
(`registry/routing/catalog.yaml`, surfaced via `warden route` — WARDEN-WP-0011).
The catalog is a **pointer layer**: it names the owner and links the doc, it does
not restate the owner's procedure. Only the SSH row is something ops-warden
executes.
| Catalog `id` | What ops-warden answers | What the worker does next |
| --- | --- | --- |
| `ssh-cert-host-access` | **Issues** the cert (`warden sign`) | Use the cert / wire it into `cert_command` |
| `openbao-api-key` | "OpenBao owns this — here is the path" | Call OpenBao on the owning system |
| `flex-auth-policy-check` | "flex-auth decides — here is the policy doc" | Query flex-auth / embed the PEP |
| `key-cape-oidc-login` | "key-cape / Keycloak owns identity" | Authenticate via IAM Profile |
| `ops-bridge-tunnel` | "ops-bridge owns transport — supply a `cert_command`" | Open the tunnel with ops-bridge |
| `railiance-infra-principals` | "railiance-infra deploys host principals" | Run the infra Ansible |
ops-warden answers *where + who*; the worker acts on the owning system. ops-warden
never performs the non-SSH step on the worker's behalf.
---
## Examples — do NOT ask ops-warden
| Request | Correct path |
@@ -80,6 +102,12 @@ stop if you landed on "NEVER ops-warden" for non-SSH secrets.
| "S3 credentials for artifact upload" | NK-WP-0007 / artifact-store consumer path |
| "JWT for my app" | key-cape / Keycloak IAM Profile |
**No duplicate interfaces.** Commands like `warden secret`, `warden login`,
`warden policy`, or `warden tunnel` do not exist and will not be added — each
belongs to another subsystem. The canonical anti-pattern table lives in
`wiki/AccessRouting.md#anti-patterns-not-coming-to-ops-warden`; it is not
restated here.
---
## Examples — ops-warden IS correct
@@ -134,6 +162,7 @@ Report drift via custodian workplan or State Hub message to `ops-warden`.
## See also
- `INTENT.md` — steward mission
- `wiki/AccessRouting.md` — what ops-warden issues vs routes (role and boundary)
- `wiki/NetKingdomSecurityMap.md` — component literacy
- `wiki/ActorInventoryPatterns.md` — actor naming
- `wiki/OpenBaoSshEngineChecklist.md` — production SSH signing verify


@@ -96,6 +96,7 @@ and automation work — not platform-admin equivalents on hosts.
## See also
- `INTENT.md`
- `wiki/AccessRouting.md` — issue-vs-route role and boundary
- `wiki/CredentialRouting.md`
- `wiki/PolicyGatedSigning.md` (future flex-auth hook)
- `net-kingdom/docs/platform-identity-security-architecture.md`


@@ -4,13 +4,14 @@ type: workplan
title: "Access Routing — Charter and Pointer Catalog"
domain: custodian
repo: ops-warden
status: ready
status: done
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 10
created: "2026-06-18"
updated: "2026-06-18"
state_hub_workstream_id: "e93de9fd-0192-4d02-bb7c-5e859fb76b9b"
---
# WARDEN-WP-0010 — Access Routing — Charter and Pointer Catalog
@@ -68,79 +69,87 @@ the `cert_command` pattern — because that is the lane ops-warden owns. A CI te
## Tasks
### T1 — INTENT and SCOPE wording
### T1 — INTENT wording
```task
id: WARDEN-WP-0010-T01
status: todo
status: done
priority: high
state_hub_task_id: "589081a6-d1f5-47b4-bec0-e82d9c3444f4"
```
- [ ] `INTENT.md` — keep "operational access steward"; replace the "operational
- [x] `INTENT.md` — keep "operational access steward"; replaced the "operational
access **desk**" phrasing with plain "issues SSH certs and routes everything
else to its owner." Drop any metaphor that implies a wrapping service.
- [ ] `SCOPE.md` — state the A3 → A4 move plainly: "structured routing lookup for
agents; execution unchanged." Add the coach-free "issue vs route" table.
- [ ] Non-goals: add "duplicating or restating another subsystem's procedure."
- [ ] Cross-link this workplan from the assessment note.
else to its owner." Removed metaphors implying a wrapping service.
- [x] Non-goals: added "duplicating or restating another subsystem's procedure."
- [x] Cross-linked this workplan from the assessment note.
> SCOPE.md (A3 → A4 plain statement + "issue vs route" table) is handled as a
> deliberate manual step **after** the loop retires, not as a ralph task.
### T2 — Routing-role wiki page
```task
id: WARDEN-WP-0010-T02
status: todo
status: done
priority: high
state_hub_task_id: "9ac333f7-5fc4-4fa2-82f3-d5ece8ff0d92"
```
- [ ] Create `wiki/AccessRouting.md` — what ops-warden answers (where + who owns
- [x] Create `wiki/AccessRouting.md` — what ops-warden answers (where + who owns
it), what it executes (SSH only), anti-patterns (no `warden secret`,
`warden login`, `warden policy`), and audience notes.
- [ ] Include the **issue-vs-route** matrix (subsystem × ops-warden role × who acts).
- [ ] Link from README, `CredentialRouting.md`, `NetKingdomSecurityMap.md`.
- [x] Include the **issue-vs-route** matrix (subsystem × ops-warden role × who acts).
- [x] Link from README, `CredentialRouting.md`, `NetKingdomSecurityMap.md`.
### T3 — Pointer catalog schema + seed
```task
id: WARDEN-WP-0010-T03
status: todo
status: done
priority: high
state_hub_task_id: "59e0f480-694a-482a-b35e-b7bc4930aa41"
```
- [ ] Define `registry/routing/catalog.yaml` per the **No-double-source rule** above:
- [x] Define `registry/routing/catalog.yaml` per the **No-double-source rule** above:
`id`, `title`, `need_keywords`, `owner_repo`, `subsystem`, `warden_executes`,
`wiki_ref`, `canon_ref`, `reviewed` (date), `status` (active|draft); plus
`steps` + `cert_command` **only** when `warden_executes: true`.
- [ ] Seed from existing WP-0006 scenarios: SSH cert (executes), OpenBao API key,
- [x] Seed from existing WP-0006 scenarios: SSH cert (executes), OpenBao API key,
flex-auth policy, key-cape OIDC, ops-bridge tunnel, railiance-infra principals.
- [ ] Add `issue-core-ingestion-api-key` as `status: draft` (owner path TBD by
- [x] Add `issue-core-ingestion-api-key` as `status: draft` (owner path TBD by
railiance-platform) — draft entries are not surfaced by default lookup.
- [x] Validated: 6 active + 1 draft, no non-SSH `steps`, every `wiki_ref` anchor resolves.
### T4 — Routing index in CredentialRouting.md
```task
id: WARDEN-WP-0010-T04
status: todo
status: done
priority: medium
state_hub_task_id: "aabd28c0-db2d-4267-be98-95be272c687d"
```
- [ ] Add a playbook index table to `wiki/CredentialRouting.md` keyed to catalog `id`.
- [ ] Add "what ops-warden answers vs what the worker does next on the owner system"
- [x] Add a playbook index table to `wiki/CredentialRouting.md` keyed to catalog `id`.
- [x] Add "what ops-warden answers vs what the worker does next on the owner system"
examples — without restating the owner's procedure.
- [ ] Refresh the duplicate-interface anti-examples section.
- [x] Refresh the duplicate-interface anti-examples section (points at canonical
anti-pattern table; not restated).
### T5 — Registry and repo-boundary alignment
```task
id: WARDEN-WP-0010-T05
status: todo
status: done
priority: medium
state_hub_task_id: "3335a689-922c-4319-98d0-4263ab13790b"
```
- [ ] Update `registry/capabilities/capability.security.ssh-certificate-issuance.md`
- [x] Update `registry/capabilities/capability.security.ssh-certificate-issuance.md`
— note routing lookup in discovery; target availability notes the routing CLI.
- [ ] Update `.claude/rules/repo-boundary.md` and `AGENTS.md` one-liner (no new
- [x] Update `.claude/rules/repo-boundary.md` and `AGENTS.md` one-liner (no new
metaphor — "issues SSH certs; routes other credential needs to their owner").
- [ ] Extend the existing capability entry rather than minting a second capability.
- [x] Extend the existing capability entry rather than minting a second capability.
---
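Review bot: the T1 blockquote says the SCOPE.md A3 → A4 statement and "issue vs route" table are "handled as a deliberate manual step **after** the loop retires", but this same commit already lands both in SCOPE.md (the new "### Issue vs route" section and the A3 row noting that A4 lands with WARDEN-WP-0011); drop the blockquote or turn it into a checked item so the workplan matches what shipped. Separately, T1 marks the `INTENT.md` wording change as done, yet no INTENT.md hunk is visible in this diff; confirm it landed in an earlier commit or add it here, since the commit message claims INTENT was aligned.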


@@ -11,6 +11,7 @@ planning_priority: high
planning_order: 11
created: "2026-06-18"
updated: "2026-06-18"
state_hub_workstream_id: "0a520f8e-01b4-48f1-9af3-2f3f69fd0672"
---
# WARDEN-WP-0011 — Routing Lookup CLI
@@ -70,6 +71,7 @@ foreign subsystems. SSH precondition hints live inside `show` instead.
id: WARDEN-WP-0011-T01
status: todo
priority: high
state_hub_task_id: "55b8422c-ad3c-4084-9e00-acaa4c360906"
```
- [ ] Add `src/warden/routing/` package: `models.py`, `catalog.py`.
@@ -83,6 +85,7 @@ priority: high
id: WARDEN-WP-0011-T02
status: todo
priority: high
state_hub_task_id: "60b679c5-79bd-4186-b5a6-ac576931f06c"
```
- [ ] Register `route` Typer sub-app on the main CLI.
@@ -97,6 +100,7 @@ priority: high
id: WARDEN-WP-0011-T03
status: todo
priority: high
state_hub_task_id: "d307701f-0117-44f0-80fd-ca6f7ae06f42"
```
- [ ] Tokenize query; match against `need_keywords`, `title`, `id`.
@@ -109,6 +113,7 @@ priority: high
id: WARDEN-WP-0011-T04
status: todo
priority: high
state_hub_task_id: "00a76e0f-8ab6-4f9a-ac6a-00eae633342c"
```
- [ ] `tests/test_routing.py` — catalog load, no-double-source validation rejects a
@@ -122,6 +127,7 @@ priority: high
id: WARDEN-WP-0011-T05
status: todo
priority: high
state_hub_task_id: "bf848375-eca7-4116-bb1d-fb7df6395c70"
```
- [ ] CI/test: every `wiki_ref` anchor resolves to an existing in-repo wiki section;


@@ -11,6 +11,7 @@ planning_priority: medium
planning_order: 12
created: "2026-06-18"
updated: "2026-06-18"
state_hub_workstream_id: "a7e712a0-02f8-4f83-944e-6b207e77bc4c"
---
# WARDEN-WP-0012 — Routing Scenario Playbooks
@@ -64,6 +65,7 @@ pointer to a non-existent path is worse than no entry.
id: WARDEN-WP-0012-T01
status: todo
priority: high
state_hub_task_id: "830bb512-0288-4dba-9dd4-ccfd28a4921f"
```
- [ ] Coordinate with railiance-platform to canonicalize the OpenBao path first.
@@ -77,6 +79,7 @@ priority: high
id: WARDEN-WP-0012-T02
status: todo
priority: medium
state_hub_task_id: "7726a703-6e00-4e49-9380-ed3fb3268827"
```
- [ ] Align `wiki/InterHubBootstrapAccessLane.md` with the catalog id.
@@ -89,6 +92,7 @@ priority: medium
id: WARDEN-WP-0012-T03
status: todo
priority: medium
state_hub_task_id: "9fb397f0-0abb-48f5-bb62-7e77edae93bb"
```
- [ ] Playbook: static-key → `cert_command` migration checklist.
@@ -100,6 +104,7 @@ priority: medium
id: WARDEN-WP-0012-T04
status: todo
priority: low
state_hub_task_id: "edcf4ed7-f18d-4a92-a42d-8cc7ca0ab792"
```
- [ ] Playbooks for OpenRouter, object-storage STS, DB dynamic creds.
@@ -111,6 +116,7 @@ priority: low
id: WARDEN-WP-0012-T05
status: todo
priority: low
state_hub_task_id: "db98d655-8551-487b-9413-41bf97fc06e1"
```
- [ ] Document a review cadence against net-kingdom canon.