docs(WP-0010): sharpen mission to "issue SSH, route the rest" + pointer catalog

Implements WARDEN-WP-0010 (charter + pointer catalog). ops-warden issues
short-lived SSH certificates and routes every other credential need to the
subsystem that owns it — no desk metaphor, one execution lane.

- wiki/AccessRouting.md: role/boundary, issue-vs-route matrix, anti-patterns
- registry/routing/catalog.yaml: machine-readable pointer layer (6 active + 1
  draft). No-double-source rule enforced structurally — authored steps/cert_command
  only on the warden_executes:true SSH entry; every wiki_ref anchor resolves
- wiki/CredentialRouting.md: catalog-keyed index + no-duplicate-interfaces note
- INTENT/SCOPE/AGENTS/repo-boundary/capability: aligned to the new framing;
  SCOPE notes A3 -> A4 lands with WP-0011 warden route CLI
- WP-0011/0012 + WP-0010: state_hub id writeback; WP-0010 marked done

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-18 20:44:53 +02:00
parent b9c8eadcfd
commit ffc2722006
12 changed files with 338 additions and 46 deletions


@@ -21,7 +21,9 @@ maturity:
rationale: >
SCOPE, AccessManagementDirective alignment, config runbooks, and cert_command
contract are documented; production OpenBao integration is documented but
engine deployment lives in railiance-platform.
engine deployment lives in railiance-platform. A machine-readable routing
catalog (registry/routing/catalog.yaml) and wiki/AccessRouting.md make the
"issue SSH, route the rest" boundary discoverable.
availability:
current: A3
target: A5
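Review bot: the sentence added to the rationale ("A machine-readable routing catalog ... make the "issue SSH, route the rest" boundary discoverable") states an outcome without saying how it is checked. The commit message says every wiki_ref anchor resolves and that steps/cert_command are authored only on the warden_executes:true entry; name whatever enforces that (a schema or CI validation, if one exists) in the rationale, or soften "make ... discoverable" to "document", so the maturity claim can be verified later.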
@@ -29,6 +31,8 @@ maturity:
rationale: >
Installable `warden` CLI and `ops-ssh-wrapper` entry points; ops-bridge and
other callers integrate via cert_command without backend-specific branching.
A `warden route` lookup over the pointer catalog (WARDEN-WP-0011) will move
routing discovery from wiki prose to a structured surface for agents (A3 -> A4).
external_evidence:
completeness:
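Review bot: the two added rationale lines describe planned work ("will move routing discovery from wiki prose to a structured surface") inside the rationale for the current level, and they stop at A4 while the availability target shown in the preceding context is A5. Keep this rationale to what exists today, and either move the WARDEN-WP-0011 sentence to where the target is justified or add what closes A4 -> A5.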
@@ -71,6 +75,7 @@ discovery:
- cert-side compliance scorecard and signatures log
- ops-ssh-wrapper for automatic cert acquisition
- NetKingdom credential routing and alignment documentation
- machine-readable routing pointer catalog (registry/routing/catalog.yaml)
excludes:
- tunnel lifecycle
- host /etc/ssh/auth_principals deployment
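Review bot: the entry added to the list above `excludes:` advertises the pointer catalog, but the visible excludes do not say that the credentials the catalog points to are issued elsewhere. Since the catalog exists to route non-SSH credential needs to the subsystems that own them, consider an excludes entry along the lines of "issuance of non-SSH credentials (routed via the catalog, owned by other subsystems)" so a consumer of this discovery block cannot read the catalog as an ops-warden credential source.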
@@ -86,6 +91,7 @@ discovery:
- ops-warden/SCOPE.md
- ops-warden/wiki/CertCommandInterface.md
- ops-warden/wiki/OpsWardenConfig.md
- ops-warden/wiki/AccessRouting.md
availability:
current_level: A3
@@ -96,6 +102,7 @@ availability:
- ops-warden/wiki/OpsWardenConfig.md
target_artifacts:
- packaged ops-warden release with documented OpenBao role bootstrap
- "`warden route` lookup CLI over the pointer catalog (WARDEN-WP-0011)"
consumption_modes:
- CLI
- cert_command subprocess