docs(WP-0010): sharpen mission to "issue SSH, route the rest" + pointer catalog

Implements WARDEN-WP-0010 (charter + pointer catalog). ops-warden issues
short-lived SSH certificates and routes every other credential need to the
subsystem that owns it — no desk metaphor, one execution lane.

- wiki/AccessRouting.md: role/boundary, issue-vs-route matrix, anti-patterns
- registry/routing/catalog.yaml: machine-readable pointer layer (6 active + 1
  draft). No-double-source rule enforced structurally — authored steps/cert_command
  only on the warden_executes:true SSH entry; every wiki_ref anchor resolves
- wiki/CredentialRouting.md: catalog-keyed index + no-duplicate-interfaces note
- INTENT/SCOPE/AGENTS/repo-boundary/capability: aligned to the new framing;
  SCOPE notes A3 -> A4 lands with WP-0011 warden route CLI
- WP-0011/0012 + WP-0010: state_hub id writeback; WP-0010 marked done

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-18 20:44:53 +02:00
parent b9c8eadcfd
commit ffc2722006
12 changed files with 338 additions and 46 deletions

@@ -4,13 +4,14 @@ type: workplan
title: "Access Routing — Charter and Pointer Catalog"
domain: custodian
repo: ops-warden
status: ready
status: done
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 10
created: "2026-06-18"
updated: "2026-06-18"
state_hub_workstream_id: "e93de9fd-0192-4d02-bb7c-5e859fb76b9b"
---
# WARDEN-WP-0010 — Access Routing — Charter and Pointer Catalog
@@ -68,79 +69,87 @@ the `cert_command` pattern — because that is the lane ops-warden owns. A CI te
## Tasks
### T1 — INTENT and SCOPE wording
### T1 — INTENT wording
```task
id: WARDEN-WP-0010-T01
status: todo
status: done
priority: high
state_hub_task_id: "589081a6-d1f5-47b4-bec0-e82d9c3444f4"
```
- [ ] `INTENT.md` — keep "operational access steward"; replace the "operational
- [x] `INTENT.md` — keep "operational access steward"; replaced the "operational
access **desk**" phrasing with plain "issues SSH certs and routes everything
else to its owner." Drop any metaphor that implies a wrapping service.
- [ ] `SCOPE.md` — state the A3 → A4 move plainly: "structured routing lookup for
agents; execution unchanged." Add the coach-free "issue vs route" table.
- [ ] Non-goals: add "duplicating or restating another subsystem's procedure."
- [ ] Cross-link this workplan from the assessment note.
else to its owner." Removed metaphors implying a wrapping service.
- [x] Non-goals: added "duplicating or restating another subsystem's procedure."
- [x] Cross-linked this workplan from the assessment note.
> SCOPE.md (A3 → A4 plain statement + "issue vs route" table) is handled as a
> deliberate manual step **after** the loop retires, not as a ralph task.
### T2 — Routing-role wiki page
```task
id: WARDEN-WP-0010-T02
status: todo
status: done
priority: high
state_hub_task_id: "9ac333f7-5fc4-4fa2-82f3-d5ece8ff0d92"
```
- [ ] Create `wiki/AccessRouting.md` — what ops-warden answers (where + who owns
- [x] Create `wiki/AccessRouting.md` — what ops-warden answers (where + who owns
it), what it executes (SSH only), anti-patterns (no `warden secret`,
`warden login`, `warden policy`), and audience notes.
- [ ] Include the **issue-vs-route** matrix (subsystem × ops-warden role × who acts).
- [ ] Link from README, `CredentialRouting.md`, `NetKingdomSecurityMap.md`.
- [x] Include the **issue-vs-route** matrix (subsystem × ops-warden role × who acts).
- [x] Link from README, `CredentialRouting.md`, `NetKingdomSecurityMap.md`.
### T3 — Pointer catalog schema + seed
```task
id: WARDEN-WP-0010-T03
status: todo
status: done
priority: high
state_hub_task_id: "59e0f480-694a-482a-b35e-b7bc4930aa41"
```
- [ ] Define `registry/routing/catalog.yaml` per the **No-double-source rule** above:
- [x] Define `registry/routing/catalog.yaml` per the **No-double-source rule** above:
`id`, `title`, `need_keywords`, `owner_repo`, `subsystem`, `warden_executes`,
`wiki_ref`, `canon_ref`, `reviewed` (date), `status` (active|draft); plus
`steps` + `cert_command` **only** when `warden_executes: true`.
- [ ] Seed from existing WP-0006 scenarios: SSH cert (executes), OpenBao API key,
- [x] Seed from existing WP-0006 scenarios: SSH cert (executes), OpenBao API key,
flex-auth policy, key-cape OIDC, ops-bridge tunnel, railiance-infra principals.
- [ ] Add `issue-core-ingestion-api-key` as `status: draft` (owner path TBD by
- [x] Add `issue-core-ingestion-api-key` as `status: draft` (owner path TBD by
railiance-platform) — draft entries are not surfaced by default lookup.
- [x] Validated: 6 active + 1 draft, no non-SSH `steps`, every `wiki_ref` anchor resolves.
### T4 — Routing index in CredentialRouting.md
```task
id: WARDEN-WP-0010-T04
status: todo
status: done
priority: medium
state_hub_task_id: "aabd28c0-db2d-4267-be98-95be272c687d"
```
- [ ] Add a playbook index table to `wiki/CredentialRouting.md` keyed to catalog `id`.
- [ ] Add "what ops-warden answers vs what the worker does next on the owner system"
- [x] Add a playbook index table to `wiki/CredentialRouting.md` keyed to catalog `id`.
- [x] Add "what ops-warden answers vs what the worker does next on the owner system"
examples — without restating the owner's procedure.
- [ ] Refresh the duplicate-interface anti-examples section.
- [x] Refresh the duplicate-interface anti-examples section (points at canonical
anti-pattern table; not restated).
### T5 — Registry and repo-boundary alignment
```task
id: WARDEN-WP-0010-T05
status: todo
status: done
priority: medium
state_hub_task_id: "3335a689-922c-4319-98d0-4263ab13790b"
```
- [ ] Update `registry/capabilities/capability.security.ssh-certificate-issuance.md`
- [x] Update `registry/capabilities/capability.security.ssh-certificate-issuance.md`
— note routing lookup in discovery; target availability notes the routing CLI.
- [ ] Update `.claude/rules/repo-boundary.md` and `AGENTS.md` one-liner (no new
- [x] Update `.claude/rules/repo-boundary.md` and `AGENTS.md` one-liner (no new
metaphor — "issues SSH certs; routes other credential needs to their owner").
- [ ] Extend the existing capability entry rather than minting a second capability.
- [x] Extend the existing capability entry rather than minting a second capability.
---
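Review bot: T1 is flipped to `status: done` and the workplan frontmatter to `status: done`, but the `SCOPE.md` checklist item (A3 → A4 statement plus the "issue vs route" table) was dropped from the list and replaced by a blockquote deferring it to a manual step, with no task id or unchecked box left to track it. The commit message also lists SCOPE among the files "aligned to the new framing", which reads as if that work is complete. Suggest keeping the item as an open `- [ ] SCOPE.md ...` line or giving the manual step its own task entry, so the deferred work stays visible once this workplan is closed.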

@@ -11,6 +11,7 @@ planning_priority: high
planning_order: 11
created: "2026-06-18"
updated: "2026-06-18"
state_hub_workstream_id: "0a520f8e-01b4-48f1-9af3-2f3f69fd0672"
---
# WARDEN-WP-0011 — Routing Lookup CLI
@@ -70,6 +71,7 @@ foreign subsystems. SSH precondition hints live inside `show` instead.
id: WARDEN-WP-0011-T01
status: todo
priority: high
state_hub_task_id: "55b8422c-ad3c-4084-9e00-acaa4c360906"
```
- [ ] Add `src/warden/routing/` package: `models.py`, `catalog.py`.
@@ -83,6 +85,7 @@ priority: high
id: WARDEN-WP-0011-T02
status: todo
priority: high
state_hub_task_id: "60b679c5-79bd-4186-b5a6-ac576931f06c"
```
- [ ] Register `route` Typer sub-app on the main CLI.
@@ -97,6 +100,7 @@ priority: high
id: WARDEN-WP-0011-T03
status: todo
priority: high
state_hub_task_id: "d307701f-0117-44f0-80fd-ca6f7ae06f42"
```
- [ ] Tokenize query; match against `need_keywords`, `title`, `id`.
@@ -109,6 +113,7 @@ priority: high
id: WARDEN-WP-0011-T04
status: todo
priority: high
state_hub_task_id: "00a76e0f-8ab6-4f9a-ac6a-00eae633342c"
```
- [ ] `tests/test_routing.py` — catalog load, no-double-source validation rejects a
@@ -122,6 +127,7 @@ priority: high
id: WARDEN-WP-0011-T05
status: todo
priority: high
state_hub_task_id: "bf848375-eca7-4116-bb1d-fb7df6395c70"
```
- [ ] CI/test: every `wiki_ref` anchor resolves to an existing in-repo wiki section;
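Review bot: this task remains `status: todo` with the CI check for `wiki_ref` anchor resolution unchecked, yet WP-0010 T3 in the same commit ticks "every `wiki_ref` anchor resolves" and the commit message describes the no-double-source rule as "enforced structurally". Until this check and the T04 validation test in `tests/test_routing.py` land, those guarantees rest on a one-time manual validation that nothing prevents from regressing. Suggest saying so in the WP-0010 T3 "Validated" line, or referencing WARDEN-WP-0011-T04/T05 there as the point where enforcement becomes automatic.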

@@ -11,6 +11,7 @@ planning_priority: medium
planning_order: 12
created: "2026-06-18"
updated: "2026-06-18"
state_hub_workstream_id: "a7e712a0-02f8-4f83-944e-6b207e77bc4c"
---
# WARDEN-WP-0012 — Routing Scenario Playbooks
@@ -64,6 +65,7 @@ pointer to a non-existent path is worse than no entry.
id: WARDEN-WP-0012-T01
status: todo
priority: high
state_hub_task_id: "830bb512-0288-4dba-9dd4-ccfd28a4921f"
```
- [ ] Coordinate with railiance-platform to canonicalize the OpenBao path first.
@@ -77,6 +79,7 @@ priority: high
id: WARDEN-WP-0012-T02
status: todo
priority: medium
state_hub_task_id: "7726a703-6e00-4e49-9380-ed3fb3268827"
```
- [ ] Align `wiki/InterHubBootstrapAccessLane.md` with the catalog id.
@@ -89,6 +92,7 @@ priority: medium
id: WARDEN-WP-0012-T03
status: todo
priority: medium
state_hub_task_id: "9fb397f0-0abb-48f5-bb62-7e77edae93bb"
```
- [ ] Playbook: static-key → `cert_command` migration checklist.
@@ -100,6 +104,7 @@ priority: medium
id: WARDEN-WP-0012-T04
status: todo
priority: low
state_hub_task_id: "edcf4ed7-f18d-4a92-a42d-8cc7ca0ab792"
```
- [ ] Playbooks for OpenRouter, object-storage STS, DB dynamic creds.
@@ -111,6 +116,7 @@ priority: low
id: WARDEN-WP-0012-T05
status: todo
priority: low
state_hub_task_id: "db98d655-8551-487b-9413-41bf97fc06e1"
```
- [ ] Document a review cadence against net-kingdom canon.