generated from coulomb/repo-seed
docs(WP-0010): sharpen mission to "issue SSH, route the rest" + pointer catalog
Implements WARDEN-WP-0010 (charter + pointer catalog). ops-warden issues short-lived SSH certificates and routes every other credential need to the subsystem that owns it — no desk metaphor, one execution lane.

- wiki/AccessRouting.md: role/boundary, issue-vs-route matrix, anti-patterns
- registry/routing/catalog.yaml: machine-readable pointer layer (6 active + 1 draft). No-double-source rule enforced structurally — authored steps/cert_command only on the warden_executes:true SSH entry; every wiki_ref anchor resolves
- wiki/CredentialRouting.md: catalog-keyed index + no-duplicate-interfaces note
- INTENT/SCOPE/AGENTS/repo-boundary/capability: aligned to the new framing; SCOPE notes A3 -> A4 lands with WP-0011 warden route CLI
- WP-0011/0012 + WP-0010: state_hub id writeback; WP-0010 marked done

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
51
SCOPE.md
@@ -17,17 +17,35 @@ aligned with NetKingdom canon.

## Where we are (2026-06-18)

ops-warden is **production-verified for SSH signing** on Railiance OpenBao
(`warden sign` against `https://bao.coulomb.social`, host CA trust deployed).
The steward desk — routing wiki, NetKingdom security map, inventory patterns,
OpenBao checklist — is operational. The opt-in flex-auth pre-sign gate is
**coded but off in production** until flex-auth publishes `ssh-certificate`
policies (WARDEN-WP-0009).
ops-warden **issues short-lived SSH certificates and routes every other credential
need to the subsystem that owns it.** SSH signing is **production-verified** on
Railiance OpenBao (`warden sign` against `https://bao.coulomb.social`, host CA trust
deployed). The routing material — `wiki/AccessRouting.md`, the credential routing
wiki, NetKingdom security map, and a machine-readable pointer catalog
(`registry/routing/catalog.yaml`, WARDEN-WP-0010) — is operational. The opt-in
flex-auth pre-sign gate is **coded but off in production** until flex-auth publishes
`ssh-certificate` policies (WARDEN-WP-0009).

**INTENT alignment:** SSH issuance mission met in production. Remaining distance
is integration breadth (ops-bridge `cert_command` on live tunnels), authorization
depth (flex-auth), and operator hygiene — not missing signing code.

### Issue vs route

ops-warden executes exactly one lane and points at the owner for the rest.

| Need | Subsystem | ops-warden role |
| --- | --- | --- |
| SSH cert for host/ops access (`adm`/`agt`/`atm`) | **ops-warden** | **Issue** (`warden sign`) |
| API key / DB cred / dynamic lease | OpenBao | Route — point at path |
| "May I perform action X?" | flex-auth | Route — point at policy |
| Login / OIDC / MFA | key-cape / Keycloak | Route — point at IAM Profile |
| SSH tunnel / port forward | ops-bridge | Route — supply `cert_command` |
| Host principal deployment | railiance-infra | Route — point at Ansible |

Full role and boundary: `wiki/AccessRouting.md`. The catalog is a **pointer layer** —
it never restates an owner's procedure (authored `steps` exist only for the SSH lane).

Full gap analysis: `history/2026-06-18-post-wp0008-intent-scope-reassessment.md`

---
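Review bot: the rewritten "Where we are" paragraph drops "inventory patterns" and "OpenBao checklist" from the list of operational routing material, although the WP-0006 row further down still credits them as delivered; if they are still live, keep them in the list ("... NetKingdom security map, inventory patterns, OpenBao checklist, and a machine-readable pointer catalog"), and if they were folded into `wiki/AccessRouting.md` or the catalog, say so in one clause. The heading also still reads `## Where we are (2026-06-18)` while the paragraph now describes WP-0010 as operational; bump the date if this state is later than the reassessment it was written against.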
@@ -46,8 +64,8 @@ Full gap analysis: `history/2026-06-18-post-wp0008-intent-scope-reassessment.md`

| Dimension | Level | Meaning today |
| --- | --- | --- |
| D5 | Discovery | Routing + security map + NK canon cross-links |
| A3 | Availability | CLI + opt-in policy gate; no desk API |
| D5 | Discovery | Routing wiki + security map + pointer catalog + NK canon cross-links |
| A3 | Availability | CLI + opt-in policy gate + machine-readable routing catalog; `warden route` lookup (A4) lands with WARDEN-WP-0011 |
| C4 | Completeness | SSH lane prod-verified; flex-auth policies external |
| R3 | Reliability | Live OpenBao sign evidence on Railiance |

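Review bot: the A3 row's "Meaning today" cell now carries a forward pointer ("`warden route` lookup (A4) lands with WARDEN-WP-0011") in a column meant to describe the current level; the Active / wait table already records "A3 → A4" against WP-0011, so keep this cell to what exists now ("CLI + opt-in policy gate + machine-readable routing catalog") and let the WP table own the promotion, otherwise the two will drift once WP-0011 lands.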
@@ -60,9 +78,10 @@ Full gap analysis: `history/2026-06-18-post-wp0008-intent-scope-reassessment.md`
`cert_command` interface for ops-bridge. Production path uses OpenBao SSH engine
(`backend: vault`).

**Direction (INTENT):** custodian-domain desk that routes dev workers to key-cape,
flex-auth, OpenBao, ops-bridge, and railiance components — implementing only the
SSH certificate lane directly.
**Direction (INTENT):** issue short-lived SSH certificates and route dev workers to
key-cape, flex-auth, OpenBao, ops-bridge, and railiance components for everything
else — implementing only the SSH certificate lane directly, pointing at the owner
for the rest.

---

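Review bot: the new Direction sentence states the same thing twice, "route dev workers to ... for everything else" and then "pointing at the owner for the rest"; drop the trailing clause so it ends at "implementing only the SSH certificate lane directly." The SSH-only execution boundary is the security-relevant statement here and reads more sharply without the repetition.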
@@ -93,12 +112,15 @@ SSH certificate lane directly.
| WP-0006 | Credential routing, security map, inventory patterns, OpenBao checklist |
| WP-0007 | Opt-in flex-auth policy gate (`policy.enabled`) |
| WP-0008 | Production sign verification, stewardship closeout, archive hygiene |
| WP-0010 | "Issue SSH, route the rest" wording + `wiki/AccessRouting.md` + pointer catalog |

### Active / wait

| WP | Status | Focus |
| --- | --- | --- |
| **WP-0009** | `wait` | flex-auth `ssh-certificate` policies + `policy.enabled` production smoke |
| **WP-0011** | `ready` | `warden route` lookup CLI over the pointer catalog (A3 → A4) |
| **WP-0012** | `backlog` | Routing scenario playbooks (draft until owner paths ship) |

### Known gaps (not yet workplanned)

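Review bot: the WP-0010 row in the done table lists "wording + `wiki/AccessRouting.md` + pointer catalog" but not the no-double-source rule the commit message describes as structurally enforced (authored `steps`/`cert_command` only on the `warden_executes: true` SSH entry); that rule is what keeps the catalog a pointer layer rather than a second copy of owners' procedures, so name it in the row. The WP-0012 focus "draft until owner paths ship" also does not say which owner paths are missing; pointing at the catalog's draft entry would make that dependency checkable.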
@@ -109,8 +131,9 @@ SSH certificate lane directly.
| Principals sync warden ↔ railiance-infra | ops-warden + infra | `inventory.yaml` hosts vs `ssh_principals.yaml` |
| NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel coordination track |

See reassessment §6 for **proposed WARDEN-WP-0010** (integration closeout) when
ops-bridge tunnel migration or token runbook becomes priority.
The integration-closeout strand (ops-bridge tunnel migration, token runbook) from
reassessment §6 is not yet workplanned; WARDEN-WP-0010 was used for the access-routing
charter instead. Open a new WP when tunnel migration becomes priority.

---

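Review bot: reusing the WARDEN-WP-0010 number leaves the "proposed WARDEN-WP-0010 (integration closeout)" text in reassessment §6 pointing at the wrong work; the replacement paragraph explains the swap here, but a reader who opens the history file first will not see it. Add a one-line addendum to `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` §6 (or state here that §6's number is superseded) so the token runbook and tunnel migration gap is not mistaken for closed.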
@@ -219,7 +242,9 @@ keywords: [ssh, certificate, ca, credential, warden, ops-warden, pki, openbao, v
| `INTENT.md` | Why ops-warden exists and where it is going |
| `SCOPE.md` | What is implemented today (this file) |
| `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` | Latest INTENT ↔ SCOPE gap analysis |
| `wiki/AccessRouting.md` | What ops-warden issues vs routes (role and boundary) |
| `wiki/CredentialRouting.md` | Which subsystem for each credential need |
| `registry/routing/catalog.yaml` | Machine-readable routing pointer catalog |
| `wiki/NetKingdomSecurityMap.md` | Platform security component map |
| `examples/warden.production.example.yaml` | Production warden.yaml template |
| `wiki/AccessManagementDirective.md` | SSH actor model |
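Review bot: the two new rows do not say which of `wiki/CredentialRouting.md` and `registry/routing/catalog.yaml` is authoritative; the commit message describes the wiki as a catalog-keyed index, and the pointer layer's value rests on there being exactly one source, so phrase the rows that way, e.g. "Catalog-keyed index of credential needs" for the wiki and "Machine-readable routing pointer catalog (source of truth)" for the YAML.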