## Repo boundary This repo owns **ops-warden** only. It does not own: | Concern | Owner | |---------|-------| | Tunnel lifecycle, `cert_command` wiring in tunnels | `ops-bridge` | | Host SSH principal files, force-command wrappers | `railiance-infra` | | Vault/OpenBao cluster deployment and unseal ceremony | `railiance-platform` | | Inter-Hub operator API keys, provider API keys (e.g. OpenRouter) | OpenBao / operator secret store | | State Hub service code and consistency tooling | `state-hub` | | Workstream coordination across custodian domain | `the-custodian` | | Human admin SSH key generation | self-service (`ssh-keygen`) | | Identity / OIDC / MFA | `key-cape`, Keycloak | | Authorization policy | `flex-auth` | | Runtime secrets (non-SSH) | OpenBao | ## NetKingdom credential routing (quick reference) | Worker need | Route to | ops-warden | |-------------|----------|------------| | SSH cert for host/ops access | ops-warden | Issue (`warden sign`) | | API key / DB cred / lease | OpenBao | Document only — `wiki/CredentialRouting.md` | | May I perform action X? | flex-auth | Design: `wiki/PolicyGatedSigning.md` | | Login / MFA / OIDC | key-cape / Keycloak | Document only | | SSH tunnel | ops-bridge | cert_command consumer | | Host principals | railiance-infra | Document only | Full map: `wiki/NetKingdomSecurityMap.md`. ops-warden issues **short-lived SSH certificates** and maintains **operational access stewardship docs**. It is not a general secrets manager and must not store long-lived API keys in Git, State Hub, workplans, logs, or chat.