# SCOPE > This file helps you quickly understand what this repository is about, > when it is relevant, and when it is not. > Aspirational direction lives in `INTENT.md`. --- ## One-liner Operational access steward for the NetKingdom security model — issues short-lived SSH certificates for `adm`/`agt`/`atm` actors, documents how to obtain other credential types from the right platform subsystems, and keeps ops access guidance aligned with NetKingdom canon. --- ## Where we are (2026-06-18) ops-warden **issues short-lived SSH certificates and routes every other credential need to the subsystem that owns it.** SSH signing is **production-verified** on Railiance OpenBao (`warden sign` against `https://bao.coulomb.social`, host CA trust deployed). The routing material — `wiki/AccessRouting.md`, the credential routing wiki, NetKingdom security map, a machine-readable pointer catalog (`registry/routing/catalog.yaml`, WARDEN-WP-0010), and the `warden route` lookup CLI over it (`list`/`show`/`find`, WARDEN-WP-0011) — is operational. The opt-in flex-auth pre-sign gate is **coded but off in production** until flex-auth publishes `ssh-certificate` policies (WARDEN-WP-0009). **INTENT alignment:** SSH issuance mission met in production. Remaining distance is integration breadth (ops-bridge `cert_command` on live tunnels), authorization depth (flex-auth), and operator hygiene — not missing signing code. ### Issue vs route ops-warden executes exactly one lane and points at the owner for the rest. | Need | Subsystem | ops-warden role | | --- | --- | --- | | SSH cert for host/ops access (`adm`/`agt`/`atm`) | **ops-warden** | **Issue** (`warden sign`) | | API key / DB cred / dynamic lease | OpenBao | Route — point at path | | "May I perform action X?" | flex-auth | Route — point at policy | | Login / OIDC / MFA | key-cape / Keycloak | Route — point at IAM Profile | | SSH tunnel / port forward | ops-bridge | Route — supply `cert_command` | | Host principal deployment | railiance-infra | Route — point at Ansible | Full role and boundary: `wiki/AccessRouting.md`. The catalog is a **pointer layer** — it never restates an owner's procedure (authored `steps` exist only for the SSH lane). Full gap analysis: `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` --- ## INTENT gap snapshot | INTENT success criterion | Status | | --- | --- | | Worker knows which subsystem for each credential type | Met | | SSH short-lived, inventoried, audited | Met (production) | | ops-bridge integrates via stable `cert_command` | **Partial** — contract yes; tunnels still static-key | | NetKingdom evolution reflected in docs | Met | | Non-SSH secrets stay out of ops-warden | Met | **Maturity vector:** `D5 / A4 / C4 / R3` (Discovery / Availability / Completeness / Reliability) | Dimension | Level | Meaning today | | --- | --- | --- | | D5 | Discovery | Routing wiki + security map + pointer catalog + NK canon cross-links | | A4 | Availability | CLI + opt-in policy gate + `warden route` lookup over the machine-readable catalog (`list`/`show`/`find`, `--json` for agents) | | C4 | Completeness | SSH lane prod-verified; flex-auth policies external | | R3 | Reliability | Live OpenBao sign evidence on Railiance | --- ## Core Idea **Today:** implements the SSH certificate lane from `wiki/AccessManagementDirective.md` §§1–5 — CA signing, actor inventory, TTL policy, cert-side scorecard, and the `cert_command` interface for ops-bridge. Production path uses OpenBao SSH engine (`backend: vault`). **Direction (INTENT):** issue short-lived SSH certificates and route dev workers to key-cape, flex-auth, OpenBao, ops-bridge, and railiance components for everything else — implementing only the SSH certificate lane directly, pointing at the owner for the rest. --- ## In Scope ### Implemented (SSH lane) - Local CA backend (`ssh-keygen -s`) - OpenBao / Vault-compatible SSH engine backend (**production-verified**) - Actor identity registry (`inventory.yaml`) - `cert_command`: `warden sign --pubkey ` → cert on stdout - TTL enforcement per `ActorType` (`adm` 48 h, `agt` 24 h, `atm` 8 h) - `warden status`, cleanup, scorecard, signatures log - `warden route` lookup CLI (`list`/`show`/`find`, `--json`) over the pointer catalog - `warden issue` and `ops-ssh-wrapper` (local backend; vault uses sign-only) - Runbooks for OpenBao config and Inter-Hub bootstrap SSH envelope ### Stewardship (documentation and alignment) - NetKingdom security routing guidance — which subsystem owns which credential type - Wiki and config references aligned with OpenBao-first platform standard - Capability registry entry for SSH certificate issuance - Keeping ops access patterns consistent with `net-kingdom` platform architecture ### Shipped workplans | WP | Focus | | --- | --- | | WP-0006 | Credential routing, security map, inventory patterns, OpenBao checklist | | WP-0007 | Opt-in flex-auth policy gate (`policy.enabled`) | | WP-0008 | Production sign verification, stewardship closeout, archive hygiene | | WP-0010 | "Issue SSH, route the rest" wording + `wiki/AccessRouting.md` + pointer catalog | | WP-0011 | `warden route` lookup CLI (`list`/`show`/`find`) over the pointer catalog (A3 → A4) | ### Active / wait | WP | Status | Focus | | --- | --- | --- | | **WP-0009** | `blocked` | flex-auth `ssh-certificate` policies + `policy.enabled` production smoke | | **WP-0012** | `backlog` | Routing scenario playbooks (draft until owner paths ship) | ### Known gaps (not yet workplanned) | Gap | Owner | Notes | | --- | --- | --- | | ops-bridge `cert_command` on live tunnels | ops-bridge | Tunnels use `agt-claude-*` static keys today | | Operator token hygiene | Operator | Prefer OIDC + `warden-sign`; retire root from shell profile | | Principals sync warden ↔ railiance-infra | ops-warden + infra | `inventory.yaml` hosts vs `ssh_principals.yaml` | | NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel coordination track | The integration-closeout strand (ops-bridge tunnel migration, token runbook) from reassessment §6 is not yet workplanned; WARDEN-WP-0010 was used for the access-routing charter instead. Open a new WP when tunnel migration becomes priority. --- ## Out of Scope - **Issuing** non-SSH secrets (API keys, DB creds, S3 STS, Inter-Hub keys) → OpenBao with flex-auth policy where required; ops-warden documents paths only - Identity / OIDC / MFA → key-cape, Keycloak - Authorization policy decisions → flex-auth - Tunnel lifecycle → `ops-bridge` - Host principal deployment → `railiance-infra` - OpenBao / Vault cluster deployment → `railiance-platform` - Human admin SSH key generation (self-service `ssh-keygen`) - Session recording, SIEM, SSO / Teleport at scale --- ## Relevant When - Issuing or refreshing an **SSH cert** for `adm`/`agt`/`atm` - A dev worker needs to know **where to get credentials** in the NetKingdom stack - `ops-bridge` needs a `cert_command` for a tunnel - Adding actors to the principals inventory - Inter-Hub or bootstrap tasks need a **short-lived agent SSH envelope** - Checking cert-side compliance (scorecard) --- ## Not Relevant When - Storing or vending **API keys or runtime secrets** (→ OpenBao) - Policy decisions on resource access (→ flex-auth) - Managing tunnels without SSH cert issuance (→ ops-bridge) - Static-key-only legacy access (ops-bridge static key mode) --- ## Current State - **SSH CLI:** v0.1.0 — local + OpenBao backends - **Production sign:** verified 2026-06-18 (`history/2026-06-17-openbao-production-verify.md`) - **Policy gate:** shipped, `policy.enabled: false` in prod until WP-0009 - **Active workplan:** WP-0009 (wait — flex-auth) - **Latest assessment:** `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` --- ## How It Fits (NetKingdom) ```text key-cape / Keycloak identity claims → flex-auth authorization decisions → OpenBao runtime secrets & dynamic credentials → ops-warden SSH certs + operational access guidance → ops-bridge tunnel transport (cert_command consumer) → railiance-* deployment and host enforcement ``` Upstream: OpenBao SSH engine (production) or local CA (labs). Actor inventory in operator config or Git-tracked patterns. Downstream: `ops-bridge` (primary), kaizen agents, CI automations, human operators. --- ## Terminology - `ActorType`: `adm` | `agt` | `atm` - `cert_command`: shell command returning a cert on stdout - `inventory.yaml`: actor → principals + TTL registry - `LocalCA` / `VaultCA`: signing backends (`backend: local` | `vault`) --- ## Related Repositories | Repo | Relationship | | --- | --- | | `net-kingdom` | Canonical security architecture; ops-warden aligns to it | | `ops-bridge` | Primary cert_command consumer | | `railiance-infra` | Host-side SSH principals and hardening | | `railiance-platform` | OpenBao deployment and platform secrets | | `flex-auth` | Authorization; opt-in pre-sign policy gate (`policy.enabled`) | | `key-cape` | Identity / IAM Profile lightweight mode | | `state-hub` | Workstream registry | --- ## Provided Capabilities ```capability type: security title: SSH certificate issuance description: Issues short-lived CA-signed SSH certificates for adm/agt/atm actors via a pluggable cert_command interface; documents NetKingdom operational access routing; supports local CA and OpenBao/Vault-compatible SSH engine backends. keywords: [ssh, certificate, ca, credential, warden, ops-warden, pki, openbao, vault, netkingdom] ``` --- ## Getting Oriented | Read first | Purpose | | --- | --- | | `INTENT.md` | Why ops-warden exists and where it is going | | `SCOPE.md` | What is implemented today (this file) | | `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` | Latest INTENT ↔ SCOPE gap analysis | | `wiki/AccessRouting.md` | What ops-warden issues vs routes (role and boundary) | | `wiki/CredentialRouting.md` | Which subsystem for each credential need | | `registry/routing/catalog.yaml` | Machine-readable routing pointer catalog | | `wiki/NetKingdomSecurityMap.md` | Platform security component map | | `examples/warden.production.example.yaml` | Production warden.yaml template | | `wiki/AccessManagementDirective.md` | SSH actor model | | `wiki/OpsWardenConfig.md` | warden.yaml and OpenBao | | `wiki/CertCommandInterface.md` | cert_command contract | | `wiki/PolicyGatedSigning.md` | flex-auth opt-in gate | | `net-kingdom/docs/platform-identity-security-architecture.md` | Platform security canon |