--- id: WARDEN-WP-0005 type: workplan title: "OpsWarden OpenBao-First Documentation Alignment" domain: custodian repo: ops-warden status: finished owner: codex topic_slug: custodian created: "2026-06-17" updated: "2026-06-17" state_hub_workstream_id: "57f6ebf8-0ef3-4686-9a73-3f9d38288be9" --- # WARDEN-WP-0005 — OpenBao-First Documentation Alignment **Scope:** Update ops-warden documentation so production guidance names OpenBao as the platform secrets service while preserving the existing `backend: vault` config surface (Vault-compatible SSH secrets engine API). No code changes. **Out of scope:** VaultCA backend rewrite, OpenBao SSH engine deployment in `railiance-platform`, AccessManagementDirective canon updates. **Reference:** `RAIL-PL-WP-0002` — Railiance standardizes on OpenBao; ops-warden follow-up noted 2026-05-17. --- ## Tasks ### T1 — OpsWardenConfig.md ```task id: WARDEN-WP-0005-T01 status: done priority: high state_hub_task_id: "bbbc4dda-9634-4c04-86e5-94b96c021b43" ``` - [x] OpenBao-first production section with Railiance URLs and `bao` CLI examples - [x] Explain `backend: vault` / `vault:` keys as Vault-compatible API abstraction - [x] Link to `railiance-platform/docs/openbao.md` ### T2 — Cross-reference updates ```task id: WARDEN-WP-0005-T02 status: done priority: medium state_hub_task_id: "6391cb82-896e-405a-a59b-36640e6480ba" ``` - [x] `SCOPE.md` Core Idea and In Scope — OpenBao-first, Vault-compatible - [x] `wiki/CertCommandInterface.md` — caller-agnostic wording includes OpenBao --- ## Acceptance Criteria - [x] Production config example uses OpenBao (`bao.coulomb.social` or in-cluster URL) - [x] No reader is told HashiCorp Vault is the platform standard - [x] `backend: vault` config shape unchanged (code compatibility preserved) - [x] `uv run pytest` still passes (docs-only change)