From ffc2722006d89d3ec1cc2de2c5707fceb339b295 Mon Sep 17 00:00:00 2001 From: tegwick Date: Thu, 18 Jun 2026 20:44:53 +0200 Subject: [PATCH] docs(WP-0010): sharpen mission to "issue SSH, route the rest" + pointer catalog MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Implements WARDEN-WP-0010 (charter + pointer catalog). ops-warden issues short-lived SSH certificates and routes every other credential need to the subsystem that owns it — no desk metaphor, one execution lane. - wiki/AccessRouting.md: role/boundary, issue-vs-route matrix, anti-patterns - registry/routing/catalog.yaml: machine-readable pointer layer (6 active + 1 draft). No-double-source rule enforced structurally — authored steps/cert_command only on the warden_executes:true SSH entry; every wiki_ref anchor resolves - wiki/CredentialRouting.md: catalog-keyed index + no-duplicate-interfaces note - INTENT/SCOPE/AGENTS/repo-boundary/capability: aligned to the new framing; SCOPE notes A3 -> A4 lands with WP-0011 warden route CLI - WP-0011/0012 + WP-0010: state_hub id writeback; WP-0010 marked done Co-Authored-By: Claude Opus 4.8 --- .claude/rules/repo-boundary.md | 11 +- AGENTS.md | 2 +- README.md | 5 +- SCOPE.md | 51 ++++++-- ...ility.security.ssh-certificate-issuance.md | 9 +- registry/routing/catalog.yaml | 116 ++++++++++++++++++ wiki/AccessRouting.md | 89 ++++++++++++++ wiki/CredentialRouting.md | 29 +++++ wiki/NetKingdomSecurityMap.md | 1 + .../WARDEN-WP-0010-access-routing-charter.md | 59 +++++---- workplans/WARDEN-WP-0011-routing-guide-cli.md | 6 + ...RDEN-WP-0012-routing-scenario-playbooks.md | 6 + 12 files changed, 338 insertions(+), 46 deletions(-) create mode 100644 registry/routing/catalog.yaml create mode 100644 wiki/AccessRouting.md diff --git a/.claude/rules/repo-boundary.md b/.claude/rules/repo-boundary.md index 3a1e360..ff66c8d 100644 --- a/.claude/rules/repo-boundary.md +++ b/.claude/rules/repo-boundary.md @@ -26,8 +26,11 @@ This repo owns **ops-warden** only. It does not own: | SSH tunnel | ops-bridge | cert_command consumer | | Host principals | railiance-infra | Document only | -Full map: `wiki/NetKingdomSecurityMap.md`. +Full map: `wiki/NetKingdomSecurityMap.md`. Role and boundary: `wiki/AccessRouting.md`. +Machine-readable pointer catalog: `registry/routing/catalog.yaml`. -ops-warden issues **short-lived SSH certificates** and maintains **operational -access stewardship docs**. It is not a general secrets manager and must not -store long-lived API keys in Git, State Hub, workplans, logs, or chat. \ No newline at end of file +ops-warden **issues short-lived SSH certificates** (the one lane it executes) and +**routes every other credential need to its owner** via stewardship docs and the +pointer catalog. It is not a general secrets manager and must not store long-lived +API keys in Git, State Hub, workplans, logs, or chat. Routing material **points at** +the owner's docs — it never restates or forks another subsystem's procedure. \ No newline at end of file diff --git a/AGENTS.md b/AGENTS.md index 59aa8e4..1274220 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -2,7 +2,7 @@ ## Repo Identity -**Purpose:** SSH CA and certificate lifecycle manager — signs short-lived certs for adm/agt/atm actors; provides the cert_command interface consumed by ops-bridge. +**Purpose:** Issues short-lived SSH certs for adm/agt/atm actors (the one lane it executes) and routes every other credential need to its owner; provides the cert_command interface consumed by ops-bridge. **Domain:** custodian **Repo slug:** ops-warden diff --git a/README.md b/README.md index f29fb31..965f20d 100644 --- a/README.md +++ b/README.md @@ -5,8 +5,9 @@ Signs short-lived certs for `adm` / `agt` / `atm` actors and exposes the `cert_command` interface consumed by `ops-bridge` and other tooling. See `INTENT.md` for direction, `SCOPE.md` for current implementation, and -`wiki/AccessManagementDirective.md` for SSH policy. Latest gap analysis: -`history/2026-06-17-post-wp0007-reassessment.md`. +`wiki/AccessManagementDirective.md` for SSH policy. ops-warden issues SSH certs +and routes every other credential need to its owner — see `wiki/AccessRouting.md`. +Latest gap analysis: `history/2026-06-17-post-wp0007-reassessment.md`. ## Install diff --git a/SCOPE.md b/SCOPE.md index b4f9528..b363a3c 100644 --- a/SCOPE.md +++ b/SCOPE.md @@ -17,17 +17,35 @@ aligned with NetKingdom canon. ## Where we are (2026-06-18) -ops-warden is **production-verified for SSH signing** on Railiance OpenBao -(`warden sign` against `https://bao.coulomb.social`, host CA trust deployed). -The steward desk — routing wiki, NetKingdom security map, inventory patterns, -OpenBao checklist — is operational. The opt-in flex-auth pre-sign gate is -**coded but off in production** until flex-auth publishes `ssh-certificate` -policies (WARDEN-WP-0009). +ops-warden **issues short-lived SSH certificates and routes every other credential +need to the subsystem that owns it.** SSH signing is **production-verified** on +Railiance OpenBao (`warden sign` against `https://bao.coulomb.social`, host CA trust +deployed). The routing material — `wiki/AccessRouting.md`, the credential routing +wiki, NetKingdom security map, and a machine-readable pointer catalog +(`registry/routing/catalog.yaml`, WARDEN-WP-0010) — is operational. The opt-in +flex-auth pre-sign gate is **coded but off in production** until flex-auth publishes +`ssh-certificate` policies (WARDEN-WP-0009). **INTENT alignment:** SSH issuance mission met in production. Remaining distance is integration breadth (ops-bridge `cert_command` on live tunnels), authorization depth (flex-auth), and operator hygiene — not missing signing code. +### Issue vs route + +ops-warden executes exactly one lane and points at the owner for the rest. + +| Need | Subsystem | ops-warden role | +| --- | --- | --- | +| SSH cert for host/ops access (`adm`/`agt`/`atm`) | **ops-warden** | **Issue** (`warden sign`) | +| API key / DB cred / dynamic lease | OpenBao | Route — point at path | +| "May I perform action X?" | flex-auth | Route — point at policy | +| Login / OIDC / MFA | key-cape / Keycloak | Route — point at IAM Profile | +| SSH tunnel / port forward | ops-bridge | Route — supply `cert_command` | +| Host principal deployment | railiance-infra | Route — point at Ansible | + +Full role and boundary: `wiki/AccessRouting.md`. The catalog is a **pointer layer** — +it never restates an owner's procedure (authored `steps` exist only for the SSH lane). + Full gap analysis: `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` --- @@ -46,8 +64,8 @@ Full gap analysis: `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` | Dimension | Level | Meaning today | | --- | --- | --- | -| D5 | Discovery | Routing + security map + NK canon cross-links | -| A3 | Availability | CLI + opt-in policy gate; no desk API | +| D5 | Discovery | Routing wiki + security map + pointer catalog + NK canon cross-links | +| A3 | Availability | CLI + opt-in policy gate + machine-readable routing catalog; `warden route` lookup (A4) lands with WARDEN-WP-0011 | | C4 | Completeness | SSH lane prod-verified; flex-auth policies external | | R3 | Reliability | Live OpenBao sign evidence on Railiance | @@ -60,9 +78,10 @@ Full gap analysis: `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` `cert_command` interface for ops-bridge. Production path uses OpenBao SSH engine (`backend: vault`). -**Direction (INTENT):** custodian-domain desk that routes dev workers to key-cape, -flex-auth, OpenBao, ops-bridge, and railiance components — implementing only the -SSH certificate lane directly. +**Direction (INTENT):** issue short-lived SSH certificates and route dev workers to +key-cape, flex-auth, OpenBao, ops-bridge, and railiance components for everything +else — implementing only the SSH certificate lane directly, pointing at the owner +for the rest. --- @@ -93,12 +112,15 @@ SSH certificate lane directly. | WP-0006 | Credential routing, security map, inventory patterns, OpenBao checklist | | WP-0007 | Opt-in flex-auth policy gate (`policy.enabled`) | | WP-0008 | Production sign verification, stewardship closeout, archive hygiene | +| WP-0010 | "Issue SSH, route the rest" wording + `wiki/AccessRouting.md` + pointer catalog | ### Active / wait | WP | Status | Focus | | --- | --- | --- | | **WP-0009** | `wait` | flex-auth `ssh-certificate` policies + `policy.enabled` production smoke | +| **WP-0011** | `ready` | `warden route` lookup CLI over the pointer catalog (A3 → A4) | +| **WP-0012** | `backlog` | Routing scenario playbooks (draft until owner paths ship) | ### Known gaps (not yet workplanned) @@ -109,8 +131,9 @@ SSH certificate lane directly. | Principals sync warden ↔ railiance-infra | ops-warden + infra | `inventory.yaml` hosts vs `ssh_principals.yaml` | | NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel coordination track | -See reassessment §6 for **proposed WARDEN-WP-0010** (integration closeout) when -ops-bridge tunnel migration or token runbook becomes priority. +The integration-closeout strand (ops-bridge tunnel migration, token runbook) from +reassessment §6 is not yet workplanned; WARDEN-WP-0010 was used for the access-routing +charter instead. Open a new WP when tunnel migration becomes priority. --- @@ -219,7 +242,9 @@ keywords: [ssh, certificate, ca, credential, warden, ops-warden, pki, openbao, v | `INTENT.md` | Why ops-warden exists and where it is going | | `SCOPE.md` | What is implemented today (this file) | | `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` | Latest INTENT ↔ SCOPE gap analysis | +| `wiki/AccessRouting.md` | What ops-warden issues vs routes (role and boundary) | | `wiki/CredentialRouting.md` | Which subsystem for each credential need | +| `registry/routing/catalog.yaml` | Machine-readable routing pointer catalog | | `wiki/NetKingdomSecurityMap.md` | Platform security component map | | `examples/warden.production.example.yaml` | Production warden.yaml template | | `wiki/AccessManagementDirective.md` | SSH actor model | diff --git a/registry/capabilities/capability.security.ssh-certificate-issuance.md b/registry/capabilities/capability.security.ssh-certificate-issuance.md index 0a0e10b..d62d348 100644 --- a/registry/capabilities/capability.security.ssh-certificate-issuance.md +++ b/registry/capabilities/capability.security.ssh-certificate-issuance.md @@ -21,7 +21,9 @@ maturity: rationale: > SCOPE, AccessManagementDirective alignment, config runbooks, and cert_command contract are documented; production OpenBao integration is documented but - engine deployment lives in railiance-platform. + engine deployment lives in railiance-platform. A machine-readable routing + catalog (registry/routing/catalog.yaml) and wiki/AccessRouting.md make the + "issue SSH, route the rest" boundary discoverable. availability: current: A3 target: A5 @@ -29,6 +31,8 @@ maturity: rationale: > Installable `warden` CLI and `ops-ssh-wrapper` entry points; ops-bridge and other callers integrate via cert_command without backend-specific branching. + A `warden route` lookup over the pointer catalog (WARDEN-WP-0011) will move + routing discovery from wiki prose to a structured surface for agents (A3 -> A4). external_evidence: completeness: @@ -71,6 +75,7 @@ discovery: - cert-side compliance scorecard and signatures log - ops-ssh-wrapper for automatic cert acquisition - NetKingdom credential routing and alignment documentation + - machine-readable routing pointer catalog (registry/routing/catalog.yaml) excludes: - tunnel lifecycle - host /etc/ssh/auth_principals deployment @@ -86,6 +91,7 @@ discovery: - ops-warden/SCOPE.md - ops-warden/wiki/CertCommandInterface.md - ops-warden/wiki/OpsWardenConfig.md + - ops-warden/wiki/AccessRouting.md availability: current_level: A3 @@ -96,6 +102,7 @@ availability: - ops-warden/wiki/OpsWardenConfig.md target_artifacts: - packaged ops-warden release with documented OpenBao role bootstrap + - "`warden route` lookup CLI over the pointer catalog (WARDEN-WP-0011)" consumption_modes: - CLI - cert_command subprocess diff --git a/registry/routing/catalog.yaml b/registry/routing/catalog.yaml new file mode 100644 index 0000000..711c532 --- /dev/null +++ b/registry/routing/catalog.yaml @@ -0,0 +1,116 @@ +# ops-warden routing catalog — POINTER LAYER +# +# This file is a machine-readable index of NetKingdom credential needs. It tells a +# worker WHICH subsystem owns a need and WHERE the authoritative doc is. It is NOT +# a second copy of any subsystem's procedure. +# +# No-double-source rule (binding — see workplans/WARDEN-WP-0010-access-routing-charter.md): +# - For any subsystem ops-warden does not own, an entry carries identifiers + +# pointers ONLY: owner_repo, subsystem, wiki_ref, canon_ref, need_keywords. +# - Authored procedure (a `steps:` block and `cert_command:`) is allowed ONLY on +# entries with `warden_executes: true` — i.e. the SSH certificate lane, the one +# lane ops-warden owns. +# - A CI/test (WARDEN-WP-0011 T5) FAILS any non-SSH entry that carries a `steps` +# block, and checks that every `wiki_ref` anchor resolves to a real section. +# - No secret material in this file, ever. +# +# Field reference: +# id kebab-case stable identifier (lookup key) +# title human-readable need +# need_keywords tokens for `warden route find` keyword matching +# owner_repo repo/subsystem that owns the procedure +# subsystem platform component a worker acts on +# warden_executes true only for the SSH lane; false everywhere else +# wiki_ref anchor into an in-repo wiki section (authoritative restatement) +# canon_ref upstream net-kingdom doc the wiki section tracks +# reviewed date this pointer was last checked against canon (YYYY-MM-DD) +# status active (surfaced by default) | draft (hidden unless --all) +# steps ONLY when warden_executes: true +# cert_command ONLY when warden_executes: true + +version: 1 + +entries: + - id: ssh-cert-host-access + title: Short-lived SSH certificate for host / ops reachability + need_keywords: [ssh, certificate, cert, host, access, sign, adm, agt, atm, reachability, ops] + owner_repo: ops-warden + subsystem: ops-warden + warden_executes: true + wiki_ref: wiki/AccessRouting.md#issue-vs-route + canon_ref: net-kingdom/docs/platform-identity-security-architecture.md#operational-ssh-path + reviewed: "2026-06-18" + status: active + cert_command: "warden sign --pubkey " + steps: + - "Confirm the actor is in inventory (`warden inventory list`); add with `warden inventory add` if not — see wiki/ActorInventoryPatterns.md." + - "Confirm the backend is configured (`warden status`) — local CA for labs, vault for production." + - "Sign: `warden sign --pubkey ` — cert is written to stdout (the cert_command contract)." + - "TTL is enforced per actor type: adm 48h / agt 24h / atm 8h. No long-lived keys." + + - id: openbao-api-key + title: API key, DB credential, or dynamic lease + need_keywords: [api, key, secret, database, db, password, token, lease, openbao, vault, kv, dynamic, credential] + owner_repo: railiance-platform + subsystem: OpenBao + warden_executes: false + wiki_ref: wiki/CredentialRouting.md#routing-table + canon_ref: net-kingdom/docs/platform-identity-security-architecture.md + reviewed: "2026-06-18" + status: active + + - id: flex-auth-policy-check + title: Authorization decision — may this actor perform this action + need_keywords: [authorization, policy, permission, allow, deny, may, flex-auth, topaz, pdp, decision] + owner_repo: flex-auth + subsystem: flex-auth + warden_executes: false + wiki_ref: wiki/CredentialRouting.md#quick-decision-tree + canon_ref: net-kingdom/docs/responsibility-map.md + reviewed: "2026-06-18" + status: active + + - id: key-cape-oidc-login + title: Interactive login, OIDC token, or MFA + need_keywords: [login, oidc, identity, mfa, token, jwt, sso, keycloak, key-cape, iam, claims, authenticate] + owner_repo: key-cape + subsystem: key-cape / Keycloak + warden_executes: false + wiki_ref: wiki/CredentialRouting.md#quick-decision-tree + canon_ref: net-kingdom/docs/canon/standards/iam-profile_v0.2.md + reviewed: "2026-06-18" + status: active + + - id: ops-bridge-tunnel + title: SSH tunnel or port forward + need_keywords: [tunnel, port, forward, bridge, ops-bridge, reverse, transport, ssh-tunnel] + owner_repo: ops-bridge + subsystem: ops-bridge + warden_executes: false + wiki_ref: wiki/CredentialRouting.md#routing-table + canon_ref: net-kingdom/docs/platform-identity-security-architecture.md#operational-ssh-path + reviewed: "2026-06-18" + status: active + + - id: railiance-infra-principals + title: Host SSH principal file or force-command deployment + need_keywords: [principal, auth_principals, force-command, host, sshd, hardening, railiance-infra, ansible] + owner_repo: railiance-infra + subsystem: railiance-infra + warden_executes: false + wiki_ref: wiki/CredentialRouting.md#routing-table + canon_ref: net-kingdom/docs/responsibility-map.md + reviewed: "2026-06-18" + status: active + + # --- draft: owner path not yet shipped; hidden from default lookup --- + - id: issue-core-ingestion-api-key + title: issue-core ingestion API key (OpenBao path TBD) + need_keywords: [issue-core, ingestion, api, key, openbao] + owner_repo: railiance-platform + subsystem: OpenBao + warden_executes: false + wiki_ref: wiki/CredentialRouting.md#routing-table + canon_ref: net-kingdom/docs/platform-identity-security-architecture.md + reviewed: "2026-06-18" + status: draft diff --git a/wiki/AccessRouting.md b/wiki/AccessRouting.md new file mode 100644 index 0000000..83b37b8 --- /dev/null +++ b/wiki/AccessRouting.md @@ -0,0 +1,89 @@ +# Access Routing — what ops-warden answers + +Date: 2026-06-18 + +ops-warden **issues short-lived SSH certificates** and **routes every other +credential need to the subsystem that owns it.** This page states that role +plainly so it cannot be misread as a desk that wraps the platform. + +- **What ops-warden executes:** the SSH certificate lane only (`warden sign`, + `cert_command`, `ops-ssh-wrapper`). +- **What ops-warden answers:** *where* a credential need belongs and *who owns it* — + pointing at the owner's docs, never restating their procedure. +- **What ops-warden never does:** vend API keys, log you in, decide policy, open + tunnels, or deploy hosts. + +For the worker-facing decision tree see `CredentialRouting.md`; for component +literacy see `NetKingdomSecurityMap.md`. This page is the steward's statement of +**role and boundary**. + +--- + +## Issue vs route + +| Need | Subsystem | ops-warden role | Who acts | +| --- | --- | --- | --- | +| SSH cert for host/ops access (`adm`/`agt`/`atm`) | **ops-warden** | **Issue** (`warden sign`) | ops-warden signs; worker uses cert | +| API key / DB cred / dynamic lease | OpenBao | Route — point at path | Worker calls OpenBao | +| "May I perform action X?" | flex-auth (+ Topaz PDP) | Route — point at policy | Worker/PEP calls flex-auth | +| Login / OIDC token / MFA | key-cape / Keycloak | Route — point at IAM Profile | Worker authenticates | +| Object-storage STS / S3 creds | net-kingdom + flex-auth + OpenBao | Route — point at vending path | Worker follows NK-WP-0007 | +| SSH tunnel / port forward | ops-bridge | Route — supply `cert_command` | ops-bridge opens tunnel | +| Host principal / force-command | railiance-infra | Route — point at Ansible | infra deploys host | +| OpenBao cluster init / unseal | railiance-platform | Route — point at ceremony | platform operates | + +Only the first row is something ops-warden **executes**. Every other row is a +**pointer**: ops-warden names the owner and the doc, and the worker acts on the +owning system directly. + +--- + +## Anti-patterns (not coming to ops-warden) + +These commands do **not** exist and will **not** be added — they belong to other +subsystems. If you find yourself wanting one, you are on the wrong desk: + +| Tempting command | Why it's wrong | Right path | +| --- | --- | --- | +| `warden secret` / `warden bao` | ops-warden does not store or vend secrets | OpenBao | +| `warden login` | ops-warden does not establish identity | key-cape / Keycloak | +| `warden policy` | ops-warden does not decide authorization | flex-auth | +| `warden tunnel` | ops-warden does not manage transport | ops-bridge | + +ops-warden authors step-by-step procedure for exactly one lane — SSH issuance — +because it owns it. For everything else it carries a **pointer**, not a fork of +the owner's runbook. See the no-double-source rule in +`workplans/WARDEN-WP-0010-access-routing-charter.md`. + +--- + +## Audience notes + +- **Human operators** read this page and `CredentialRouting.md` to choose the + right subsystem, then follow that subsystem's own docs. +- **Agents / CI** will read the machine-readable routing catalog + (`registry/routing/catalog.yaml`, surfaced via `warden route` — WARDEN-WP-0011) + so routing does not have to be re-derived from wiki prose each session. +- **Same truth, two shapes:** humans read the wiki; agents read the catalog. The + catalog references wiki sections by anchor so the two cannot drift apart. + +--- + +## How this stays aligned + +NetKingdom security architecture is canonical in `net-kingdom`. ops-warden tracks +it: when canon changes, the wiki section is updated and the catalog pointer +(`wiki_ref` + `canon_ref`) follows. ops-warden never overrides canon and never +silently forks it. + +Report drift via a custodian workplan or a State Hub message to `ops-warden`. + +--- + +## See also + +- `CredentialRouting.md` — worker decision tree and routing table +- `NetKingdomSecurityMap.md` — component literacy +- `INTENT.md` — steward mission ("issue SSH, route the rest") +- `workplans/WARDEN-WP-0010-access-routing-charter.md` — charter + no-double-source rule +- `net-kingdom/docs/platform-identity-security-architecture.md` — platform canon diff --git a/wiki/CredentialRouting.md b/wiki/CredentialRouting.md index 4b16912..ad61669 100644 --- a/wiki/CredentialRouting.md +++ b/wiki/CredentialRouting.md @@ -70,6 +70,28 @@ stop if you landed on "NEVER ops-warden" for non-SSH secrets. --- +## Routing catalog index + +These needs are also carried in the machine-readable pointer catalog +(`registry/routing/catalog.yaml`, surfaced via `warden route` — WARDEN-WP-0011). +The catalog is a **pointer layer**: it names the owner and links the doc, it does +not restate the owner's procedure. Only the SSH row is something ops-warden +executes. + +| Catalog `id` | What ops-warden answers | What the worker does next | +| --- | --- | --- | +| `ssh-cert-host-access` | **Issues** the cert (`warden sign`) | Use the cert / wire it into `cert_command` | +| `openbao-api-key` | "OpenBao owns this — here is the path" | Call OpenBao on the owning system | +| `flex-auth-policy-check` | "flex-auth decides — here is the policy doc" | Query flex-auth / embed the PEP | +| `key-cape-oidc-login` | "key-cape / Keycloak owns identity" | Authenticate via IAM Profile | +| `ops-bridge-tunnel` | "ops-bridge owns transport — supply a `cert_command`" | Open the tunnel with ops-bridge | +| `railiance-infra-principals` | "railiance-infra deploys host principals" | Run the infra Ansible | + +ops-warden answers *where + who*; the worker acts on the owning system. ops-warden +never performs the non-SSH step on the worker's behalf. + +--- + ## Examples — do NOT ask ops-warden | Request | Correct path | @@ -80,6 +102,12 @@ stop if you landed on "NEVER ops-warden" for non-SSH secrets. | "S3 credentials for artifact upload" | NK-WP-0007 / artifact-store consumer path | | "JWT for my app" | key-cape / Keycloak IAM Profile | +**No duplicate interfaces.** Commands like `warden secret`, `warden login`, +`warden policy`, or `warden tunnel` do not exist and will not be added — each +belongs to another subsystem. The canonical anti-pattern table lives in +`wiki/AccessRouting.md#anti-patterns-not-coming-to-ops-warden`; it is not +restated here. + --- ## Examples — ops-warden IS correct @@ -134,6 +162,7 @@ Report drift via custodian workplan or State Hub message to `ops-warden`. ## See also - `INTENT.md` — steward mission +- `wiki/AccessRouting.md` — what ops-warden issues vs routes (role and boundary) - `wiki/NetKingdomSecurityMap.md` — component literacy - `wiki/ActorInventoryPatterns.md` — actor naming - `wiki/OpenBaoSshEngineChecklist.md` — production SSH signing verify diff --git a/wiki/NetKingdomSecurityMap.md b/wiki/NetKingdomSecurityMap.md index 2019919..5bf2a0f 100644 --- a/wiki/NetKingdomSecurityMap.md +++ b/wiki/NetKingdomSecurityMap.md @@ -96,6 +96,7 @@ and automation work — not platform-admin equivalents on hosts. ## See also - `INTENT.md` +- `wiki/AccessRouting.md` — issue-vs-route role and boundary - `wiki/CredentialRouting.md` - `wiki/PolicyGatedSigning.md` (future flex-auth hook) - `net-kingdom/docs/platform-identity-security-architecture.md` \ No newline at end of file diff --git a/workplans/WARDEN-WP-0010-access-routing-charter.md b/workplans/WARDEN-WP-0010-access-routing-charter.md index 69349bd..22fceeb 100644 --- a/workplans/WARDEN-WP-0010-access-routing-charter.md +++ b/workplans/WARDEN-WP-0010-access-routing-charter.md @@ -4,13 +4,14 @@ type: workplan title: "Access Routing — Charter and Pointer Catalog" domain: custodian repo: ops-warden -status: ready +status: done owner: codex topic_slug: custodian planning_priority: high planning_order: 10 created: "2026-06-18" updated: "2026-06-18" +state_hub_workstream_id: "e93de9fd-0192-4d02-bb7c-5e859fb76b9b" --- # WARDEN-WP-0010 — Access Routing — Charter and Pointer Catalog @@ -68,79 +69,87 @@ the `cert_command` pattern — because that is the lane ops-warden owns. A CI te ## Tasks -### T1 — INTENT and SCOPE wording +### T1 — INTENT wording ```task id: WARDEN-WP-0010-T01 -status: todo +status: done priority: high +state_hub_task_id: "589081a6-d1f5-47b4-bec0-e82d9c3444f4" ``` -- [ ] `INTENT.md` — keep "operational access steward"; replace the "operational +- [x] `INTENT.md` — keep "operational access steward"; replaced the "operational access **desk**" phrasing with plain "issues SSH certs and routes everything - else to its owner." Drop any metaphor that implies a wrapping service. -- [ ] `SCOPE.md` — state the A3 → A4 move plainly: "structured routing lookup for - agents; execution unchanged." Add the coach-free "issue vs route" table. -- [ ] Non-goals: add "duplicating or restating another subsystem's procedure." -- [ ] Cross-link this workplan from the assessment note. + else to its owner." Removed metaphors implying a wrapping service. +- [x] Non-goals: added "duplicating or restating another subsystem's procedure." +- [x] Cross-linked this workplan from the assessment note. + +> SCOPE.md (A3 → A4 plain statement + "issue vs route" table) is handled as a +> deliberate manual step **after** the loop retires, not as a ralph task. ### T2 — Routing-role wiki page ```task id: WARDEN-WP-0010-T02 -status: todo +status: done priority: high +state_hub_task_id: "9ac333f7-5fc4-4fa2-82f3-d5ece8ff0d92" ``` -- [ ] Create `wiki/AccessRouting.md` — what ops-warden answers (where + who owns +- [x] Create `wiki/AccessRouting.md` — what ops-warden answers (where + who owns it), what it executes (SSH only), anti-patterns (no `warden secret`, `warden login`, `warden policy`), and audience notes. -- [ ] Include the **issue-vs-route** matrix (subsystem × ops-warden role × who acts). -- [ ] Link from README, `CredentialRouting.md`, `NetKingdomSecurityMap.md`. +- [x] Include the **issue-vs-route** matrix (subsystem × ops-warden role × who acts). +- [x] Link from README, `CredentialRouting.md`, `NetKingdomSecurityMap.md`. ### T3 — Pointer catalog schema + seed ```task id: WARDEN-WP-0010-T03 -status: todo +status: done priority: high +state_hub_task_id: "59e0f480-694a-482a-b35e-b7bc4930aa41" ``` -- [ ] Define `registry/routing/catalog.yaml` per the **No-double-source rule** above: +- [x] Define `registry/routing/catalog.yaml` per the **No-double-source rule** above: `id`, `title`, `need_keywords`, `owner_repo`, `subsystem`, `warden_executes`, `wiki_ref`, `canon_ref`, `reviewed` (date), `status` (active|draft); plus `steps` + `cert_command` **only** when `warden_executes: true`. -- [ ] Seed from existing WP-0006 scenarios: SSH cert (executes), OpenBao API key, +- [x] Seed from existing WP-0006 scenarios: SSH cert (executes), OpenBao API key, flex-auth policy, key-cape OIDC, ops-bridge tunnel, railiance-infra principals. -- [ ] Add `issue-core-ingestion-api-key` as `status: draft` (owner path TBD by +- [x] Add `issue-core-ingestion-api-key` as `status: draft` (owner path TBD by railiance-platform) — draft entries are not surfaced by default lookup. +- [x] Validated: 6 active + 1 draft, no non-SSH `steps`, every `wiki_ref` anchor resolves. ### T4 — Routing index in CredentialRouting.md ```task id: WARDEN-WP-0010-T04 -status: todo +status: done priority: medium +state_hub_task_id: "aabd28c0-db2d-4267-be98-95be272c687d" ``` -- [ ] Add a playbook index table to `wiki/CredentialRouting.md` keyed to catalog `id`. -- [ ] Add "what ops-warden answers vs what the worker does next on the owner system" +- [x] Add a playbook index table to `wiki/CredentialRouting.md` keyed to catalog `id`. +- [x] Add "what ops-warden answers vs what the worker does next on the owner system" examples — without restating the owner's procedure. -- [ ] Refresh the duplicate-interface anti-examples section. +- [x] Refresh the duplicate-interface anti-examples section (points at canonical + anti-pattern table; not restated). ### T5 — Registry and repo-boundary alignment ```task id: WARDEN-WP-0010-T05 -status: todo +status: done priority: medium +state_hub_task_id: "3335a689-922c-4319-98d0-4263ab13790b" ``` -- [ ] Update `registry/capabilities/capability.security.ssh-certificate-issuance.md` +- [x] Update `registry/capabilities/capability.security.ssh-certificate-issuance.md` — note routing lookup in discovery; target availability notes the routing CLI. -- [ ] Update `.claude/rules/repo-boundary.md` and `AGENTS.md` one-liner (no new +- [x] Update `.claude/rules/repo-boundary.md` and `AGENTS.md` one-liner (no new metaphor — "issues SSH certs; routes other credential needs to their owner"). -- [ ] Extend the existing capability entry rather than minting a second capability. +- [x] Extend the existing capability entry rather than minting a second capability. --- diff --git a/workplans/WARDEN-WP-0011-routing-guide-cli.md b/workplans/WARDEN-WP-0011-routing-guide-cli.md index 9cd82c6..8fb57ff 100644 --- a/workplans/WARDEN-WP-0011-routing-guide-cli.md +++ b/workplans/WARDEN-WP-0011-routing-guide-cli.md @@ -11,6 +11,7 @@ planning_priority: high planning_order: 11 created: "2026-06-18" updated: "2026-06-18" +state_hub_workstream_id: "0a520f8e-01b4-48f1-9af3-2f3f69fd0672" --- # WARDEN-WP-0011 — Routing Lookup CLI @@ -70,6 +71,7 @@ foreign subsystems. SSH precondition hints live inside `show` instead. id: WARDEN-WP-0011-T01 status: todo priority: high +state_hub_task_id: "55b8422c-ad3c-4084-9e00-acaa4c360906" ``` - [ ] Add `src/warden/routing/` package: `models.py`, `catalog.py`. @@ -83,6 +85,7 @@ priority: high id: WARDEN-WP-0011-T02 status: todo priority: high +state_hub_task_id: "60b679c5-79bd-4186-b5a6-ac576931f06c" ``` - [ ] Register `route` Typer sub-app on the main CLI. @@ -97,6 +100,7 @@ priority: high id: WARDEN-WP-0011-T03 status: todo priority: high +state_hub_task_id: "d307701f-0117-44f0-80fd-ca6f7ae06f42" ``` - [ ] Tokenize query; match against `need_keywords`, `title`, `id`. @@ -109,6 +113,7 @@ priority: high id: WARDEN-WP-0011-T04 status: todo priority: high +state_hub_task_id: "00a76e0f-8ab6-4f9a-ac6a-00eae633342c" ``` - [ ] `tests/test_routing.py` — catalog load, no-double-source validation rejects a @@ -122,6 +127,7 @@ priority: high id: WARDEN-WP-0011-T05 status: todo priority: high +state_hub_task_id: "bf848375-eca7-4116-bb1d-fb7df6395c70" ``` - [ ] CI/test: every `wiki_ref` anchor resolves to an existing in-repo wiki section; diff --git a/workplans/WARDEN-WP-0012-routing-scenario-playbooks.md b/workplans/WARDEN-WP-0012-routing-scenario-playbooks.md index 7aee23e..7a4b0a2 100644 --- a/workplans/WARDEN-WP-0012-routing-scenario-playbooks.md +++ b/workplans/WARDEN-WP-0012-routing-scenario-playbooks.md @@ -11,6 +11,7 @@ planning_priority: medium planning_order: 12 created: "2026-06-18" updated: "2026-06-18" +state_hub_workstream_id: "a7e712a0-02f8-4f83-944e-6b207e77bc4c" --- # WARDEN-WP-0012 — Routing Scenario Playbooks @@ -64,6 +65,7 @@ pointer to a non-existent path is worse than no entry. id: WARDEN-WP-0012-T01 status: todo priority: high +state_hub_task_id: "830bb512-0288-4dba-9dd4-ccfd28a4921f" ``` - [ ] Coordinate with railiance-platform to canonicalize the OpenBao path first. @@ -77,6 +79,7 @@ priority: high id: WARDEN-WP-0012-T02 status: todo priority: medium +state_hub_task_id: "7726a703-6e00-4e49-9380-ed3fb3268827" ``` - [ ] Align `wiki/InterHubBootstrapAccessLane.md` with the catalog id. @@ -89,6 +92,7 @@ priority: medium id: WARDEN-WP-0012-T03 status: todo priority: medium +state_hub_task_id: "9fb397f0-0abb-48f5-bb62-7e77edae93bb" ``` - [ ] Playbook: static-key → `cert_command` migration checklist. @@ -100,6 +104,7 @@ priority: medium id: WARDEN-WP-0012-T04 status: todo priority: low +state_hub_task_id: "edcf4ed7-f18d-4a92-a42d-8cc7ca0ab792" ``` - [ ] Playbooks for OpenRouter, object-storage STS, DB dynamic creds. @@ -111,6 +116,7 @@ priority: low id: WARDEN-WP-0012-T05 status: todo priority: low +state_hub_task_id: "db98d655-8551-487b-9413-41bf97fc06e1" ``` - [ ] Document a review cadence against net-kingdom canon.