# ops-warden routing catalog — POINTER LAYER # # This file is a machine-readable index of NetKingdom credential needs. It tells a # worker WHICH subsystem owns a need and WHERE the authoritative doc is. It is NOT # a second copy of any subsystem's procedure. # # No-double-source rule (binding — see workplans/WARDEN-WP-0010-access-routing-charter.md): # - For any subsystem ops-warden does not own, an entry carries identifiers + # pointers ONLY: owner_repo, subsystem, wiki_ref, canon_ref, need_keywords. # - Authored procedure (a `steps:` block and `cert_command:`) is allowed ONLY on # entries with `warden_executes: true` — i.e. the SSH certificate lane, the one # lane ops-warden owns. # - A CI/test (WARDEN-WP-0011 T5) FAILS any non-SSH entry that carries a `steps` # block, and checks that every `wiki_ref` anchor resolves to a real section. # - No secret material in this file, ever. # # Field reference: # id kebab-case stable identifier (lookup key) # title human-readable need # need_keywords tokens for `warden route find` keyword matching # owner_repo repo/subsystem that owns the procedure # subsystem platform component a worker acts on # warden_executes true only for the SSH lane; false everywhere else # wiki_ref anchor into an in-repo wiki section (authoritative restatement) # canon_ref upstream net-kingdom doc the wiki section tracks # reviewed date this pointer was last checked against canon (YYYY-MM-DD) # status active (surfaced by default) | draft (hidden unless --all) # steps ONLY when warden_executes: true # cert_command ONLY when warden_executes: true version: 1 entries: - id: ssh-cert-host-access title: Short-lived SSH certificate for host / ops reachability need_keywords: [ssh, certificate, cert, host, access, sign, adm, agt, atm, reachability, ops] owner_repo: ops-warden subsystem: ops-warden warden_executes: true wiki_ref: wiki/AccessRouting.md#issue-vs-route canon_ref: net-kingdom/docs/platform-identity-security-architecture.md#operational-ssh-path reviewed: "2026-06-18" status: active cert_command: "warden sign --pubkey " steps: - "Confirm the actor is in inventory (`warden inventory list`); add with `warden inventory add` if not — see wiki/ActorInventoryPatterns.md." - "Confirm the backend is configured (`warden status`) — local CA for labs, vault for production." - "Sign: `warden sign --pubkey ` — cert is written to stdout (the cert_command contract)." - "TTL is enforced per actor type: adm 48h / agt 24h / atm 8h. No long-lived keys." - id: openbao-api-key title: API key, DB credential, or dynamic lease need_keywords: [api, key, secret, database, db, password, token, lease, openbao, vault, kv, dynamic, credential] owner_repo: railiance-platform subsystem: OpenBao warden_executes: false wiki_ref: wiki/CredentialRouting.md#routing-table canon_ref: net-kingdom/docs/platform-identity-security-architecture.md reviewed: "2026-06-18" status: active - id: flex-auth-policy-check title: Authorization decision — may this actor perform this action need_keywords: [authorization, policy, permission, allow, deny, may, flex-auth, topaz, pdp, decision] owner_repo: flex-auth subsystem: flex-auth warden_executes: false wiki_ref: wiki/CredentialRouting.md#quick-decision-tree canon_ref: net-kingdom/docs/responsibility-map.md reviewed: "2026-06-18" status: active - id: key-cape-oidc-login title: Interactive login, OIDC token, or MFA need_keywords: [login, oidc, identity, mfa, token, jwt, sso, keycloak, key-cape, iam, claims, authenticate] owner_repo: key-cape subsystem: key-cape / Keycloak warden_executes: false wiki_ref: wiki/CredentialRouting.md#quick-decision-tree canon_ref: net-kingdom/docs/canon/standards/iam-profile_v0.2.md reviewed: "2026-06-18" status: active - id: ops-bridge-tunnel title: SSH tunnel or port forward need_keywords: [tunnel, port, forward, bridge, ops-bridge, reverse, transport, ssh-tunnel] owner_repo: ops-bridge subsystem: ops-bridge warden_executes: false wiki_ref: wiki/CredentialRouting.md#routing-table canon_ref: net-kingdom/docs/platform-identity-security-architecture.md#operational-ssh-path reviewed: "2026-06-18" status: active - id: railiance-infra-principals title: Host SSH principal file or force-command deployment need_keywords: [principal, auth_principals, force-command, host, sshd, hardening, railiance-infra, ansible] owner_repo: railiance-infra subsystem: railiance-infra warden_executes: false wiki_ref: wiki/CredentialRouting.md#routing-table canon_ref: net-kingdom/docs/responsibility-map.md reviewed: "2026-06-18" status: active - id: activity-core-issue-sink title: activity-core IssueSink → issue-core REST emission need_keywords: [activity-core, issue-sink, issue-core, emission, issue_core_url, issue_core_api_key, tasks, ingest, rest, issuesink] owner_repo: activity-core subsystem: activity-core + issue-core warden_executes: false wiki_ref: wiki/playbooks/activity-core-issue-sink.md#worker-checklist canon_ref: net-kingdom/docs/platform-identity-security-architecture.md reviewed: "2026-06-18" status: active # --- draft: owner path not yet shipped; hidden from default lookup --- - id: issue-core-ingestion-api-key title: issue-core ingestion API key (OpenBao path TBD) need_keywords: [issue-core, ingestion, api, key, openbao] owner_repo: railiance-platform subsystem: OpenBao warden_executes: false wiki_ref: wiki/CredentialRouting.md#routing-table canon_ref: net-kingdom/docs/platform-identity-security-architecture.md reviewed: "2026-06-18" status: draft