docs(WP-0010): sharpen mission to "issue SSH, route the rest" + pointer catalog

Implements WARDEN-WP-0010 (charter + pointer catalog). ops-warden issues short-lived SSH certificates and routes every other credential need to the subsystem that owns it — no desk metaphor, one execution lane. - wiki/AccessRouting.md: role/boundary, issue-vs-route matrix, anti-patterns - registry/routing/catalog.yaml: machine-readable pointer layer (6 active + 1 draft). No-double-source rule enforced structurally — authored steps/cert_command only on the warden_executes:true SSH entry; every wiki_ref anchor resolves - wiki/CredentialRouting.md: catalog-keyed index + no-duplicate-interfaces note - INTENT/SCOPE/AGENTS/repo-boundary/capability: aligned to the new framing; SCOPE notes A3 -> A4 lands with WP-0011 warden route CLI - WP-0011/0012 + WP-0010: state_hub id writeback; WP-0010 marked done Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-18 20:44:53 +02:00
parent b9c8eadcfd
commit ffc2722006
12 changed files with 338 additions and 46 deletions
--- a/registry/routing/catalog.yaml
+++ b/registry/routing/catalog.yaml
@@ -0,0 +1,116 @@
+# ops-warden routing catalog — POINTER LAYER
+#
+# This file is a machine-readable index of NetKingdom credential needs. It tells a
+# worker WHICH subsystem owns a need and WHERE the authoritative doc is. It is NOT
+# a second copy of any subsystem's procedure.
+#
+# No-double-source rule (binding — see workplans/WARDEN-WP-0010-access-routing-charter.md):
+#   - For any subsystem ops-warden does not own, an entry carries identifiers +
+#     pointers ONLY: owner_repo, subsystem, wiki_ref, canon_ref, need_keywords.
+#   - Authored procedure (a `steps:` block and `cert_command:`) is allowed ONLY on
+#     entries with `warden_executes: true` — i.e. the SSH certificate lane, the one
+#     lane ops-warden owns.
+#   - A CI/test (WARDEN-WP-0011 T5) FAILS any non-SSH entry that carries a `steps`
+#     block, and checks that every `wiki_ref` anchor resolves to a real section.
+#   - No secret material in this file, ever.
+#
+# Field reference:
+#   id              kebab-case stable identifier (lookup key)
+#   title           human-readable need
+#   need_keywords   tokens for `warden route find` keyword matching
+#   owner_repo      repo/subsystem that owns the procedure
+#   subsystem       platform component a worker acts on
+#   warden_executes true only for the SSH lane; false everywhere else
+#   wiki_ref        anchor into an in-repo wiki section (authoritative restatement)
+#   canon_ref       upstream net-kingdom doc the wiki section tracks
+#   reviewed        date this pointer was last checked against canon (YYYY-MM-DD)
+#   status          active (surfaced by default) | draft (hidden unless --all)
+#   steps           ONLY when warden_executes: true
+#   cert_command    ONLY when warden_executes: true
+
+version: 1
+
+entries:
+  - id: ssh-cert-host-access
+    title: Short-lived SSH certificate for host / ops reachability
+    need_keywords: [ssh, certificate, cert, host, access, sign, adm, agt, atm, reachability, ops]
+    owner_repo: ops-warden
+    subsystem: ops-warden
+    warden_executes: true
+    wiki_ref: wiki/AccessRouting.md#issue-vs-route
+    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md#operational-ssh-path
+    reviewed: "2026-06-18"
+    status: active
+    cert_command: "warden sign <actor> --pubkey <path>"
+    steps:
+      - "Confirm the actor is in inventory (`warden inventory list`); add with `warden inventory add` if not — see wiki/ActorInventoryPatterns.md."
+      - "Confirm the backend is configured (`warden status`) — local CA for labs, vault for production."
+      - "Sign: `warden sign <actor> --pubkey <path>` — cert is written to stdout (the cert_command contract)."
+      - "TTL is enforced per actor type: adm 48h / agt 24h / atm 8h. No long-lived keys."
+
+  - id: openbao-api-key
+    title: API key, DB credential, or dynamic lease
+    need_keywords: [api, key, secret, database, db, password, token, lease, openbao, vault, kv, dynamic, credential]
+    owner_repo: railiance-platform
+    subsystem: OpenBao
+    warden_executes: false
+    wiki_ref: wiki/CredentialRouting.md#routing-table
+    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
+    reviewed: "2026-06-18"
+    status: active
+
+  - id: flex-auth-policy-check
+    title: Authorization decision — may this actor perform this action
+    need_keywords: [authorization, policy, permission, allow, deny, may, flex-auth, topaz, pdp, decision]
+    owner_repo: flex-auth
+    subsystem: flex-auth
+    warden_executes: false
+    wiki_ref: wiki/CredentialRouting.md#quick-decision-tree
+    canon_ref: net-kingdom/docs/responsibility-map.md
+    reviewed: "2026-06-18"
+    status: active
+
+  - id: key-cape-oidc-login
+    title: Interactive login, OIDC token, or MFA
+    need_keywords: [login, oidc, identity, mfa, token, jwt, sso, keycloak, key-cape, iam, claims, authenticate]
+    owner_repo: key-cape
+    subsystem: key-cape / Keycloak
+    warden_executes: false
+    wiki_ref: wiki/CredentialRouting.md#quick-decision-tree
+    canon_ref: net-kingdom/docs/canon/standards/iam-profile_v0.2.md
+    reviewed: "2026-06-18"
+    status: active
+
+  - id: ops-bridge-tunnel
+    title: SSH tunnel or port forward
+    need_keywords: [tunnel, port, forward, bridge, ops-bridge, reverse, transport, ssh-tunnel]
+    owner_repo: ops-bridge
+    subsystem: ops-bridge
+    warden_executes: false
+    wiki_ref: wiki/CredentialRouting.md#routing-table
+    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md#operational-ssh-path
+    reviewed: "2026-06-18"
+    status: active
+
+  - id: railiance-infra-principals
+    title: Host SSH principal file or force-command deployment
+    need_keywords: [principal, auth_principals, force-command, host, sshd, hardening, railiance-infra, ansible]
+    owner_repo: railiance-infra
+    subsystem: railiance-infra
+    warden_executes: false
+    wiki_ref: wiki/CredentialRouting.md#routing-table
+    canon_ref: net-kingdom/docs/responsibility-map.md
+    reviewed: "2026-06-18"
+    status: active
+
+  # --- draft: owner path not yet shipped; hidden from default lookup ---
+  - id: issue-core-ingestion-api-key
+    title: issue-core ingestion API key (OpenBao path TBD)
+    need_keywords: [issue-core, ingestion, api, key, openbao]
+    owner_repo: railiance-platform
+    subsystem: OpenBao
+    warden_executes: false
+    wiki_ref: wiki/CredentialRouting.md#routing-table
+    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
+    reviewed: "2026-06-18"
+    status: draft