--- id: WARDEN-WP-0006 type: workplan title: "NetKingdom Alignment and Operational Access Stewardship" domain: custodian repo: ops-warden status: ready owner: codex topic_slug: custodian planning_priority: high planning_order: 6 created: "2026-06-17" updated: "2026-06-17" state_hub_workstream_id: "a5c9f24b-1ad4-46da-bc8e-b99897f8e302" --- # WARDEN-WP-0006 — NetKingdom Alignment and Operational Access Stewardship **Scope:** Close gaps identified in `history/2026-06-17-intent-scope-assessment.md` between INTENT (operational access steward for NetKingdom security) and SCOPE (shipped SSH CLI only). Documentation and alignment first; code changes limited to optional CLI ergonomics. **Out of scope:** flex-auth integration implementation, OpenBao cluster deploy, universal credential broker, net-kingdom INTENT.md rewrite. **References:** - `INTENT.md`, `SCOPE.md`, `history/2026-06-17-intent-scope-assessment.md` - `net-kingdom/docs/platform-identity-security-architecture.md` - `net-kingdom/docs/responsibility-map.md` - `NK-WP-0009` (SSH tutorial, net-kingdom) --- ## Goal After this workplan, a development worker or agent can: 1. Read ops-warden material and know **which NetKingdom subsystem** handles each credential type. 2. Obtain **SSH certs** via documented actor patterns and production OpenBao path. 3. Find ops-warden recognized in **NetKingdom responsibility/platform** docs as the operational SSH credential authority. --- ## Tasks ### T1 — Credential routing runbook ```task id: WARDEN-WP-0006-T01 status: todo priority: high state_hub_task_id: "ffc6a0c2-4312-4584-be7a-c8411cb01899" ``` Create `wiki/CredentialRouting.md`: - Decision tree: SSH vs runtime secret vs identity vs authorization vs tunnel - Per-subsystem links (OpenBao, flex-auth, key-cape, ops-bridge, railiance-infra) - Explicit “do not ask ops-warden for API keys” examples - Link from `SCOPE.md`, `INTENT.md`, `README.md` **Done when:** A worker with no prior context can route a credential request in under two minutes using this page alone. ### T2 — Actor inventory patterns ```task id: WARDEN-WP-0006-T02 status: todo priority: high state_hub_task_id: "3816463d-7dfd-469d-9324-fd7880b50608" ``` Create `wiki/ActorInventoryPatterns.md` with standard patterns: - Tunnel agents (`agt-*-bridge`) - Kaizen / codex agents (`agt-codex-*`) - CI automations (`atm-*`) - Human admins (`adm-*`) - TTL and principal narrowing guidance Optional: `examples/inventory.seed.yaml` (non-secret, Git-safe template). **Done when:** Adding a new dev worker actor does not require inventing naming from scratch. ### T3 — NetKingdom cross-links (ops-warden side) ```task id: WARDEN-WP-0006-T03 status: todo priority: high state_hub_task_id: "f158366a-5746-48b8-acce-472dce8f925e" ``` - Add `wiki/NetKingdomSecurityMap.md` — condensed literacy table from INTENT - Update `registry/capabilities/capability.security.ssh-certificate-issuance.md` summary to mention stewardship/routing - Update `.claude/rules/repo-boundary.md` with NetKingdom routing table **Done when:** ops-warden docs stand alone for NetKingdom operational access orientation without reading net-kingdom first (but link to canon). ### T4 — NetKingdom canon patch (coordination) ```task id: WARDEN-WP-0006-T04 status: todo priority: medium state_hub_task_id: "e40e4395-8f01-4f79-a539-d0de8e427321" ``` Coordinate updates in `net-kingdom` (separate commit/PR there): - `docs/responsibility-map.md` — move ops-warden from pure out-of-scope to **operational SSH credential dependency** - `docs/platform-identity-security-architecture.md` — add Operational SSH Path (ops-warden → ops-bridge → hosts) **Done when:** NetKingdom canon names ops-warden’s lane; ops-warden wiki links back to the updated sections. **Note:** Requires `net-kingdom` repo write access; may need `needs_human` if blocked on review. ### T5 — OpenBao SSH engine operational checklist ```task id: WARDEN-WP-0006-T05 status: todo priority: medium state_hub_task_id: "a94e20a2-970b-4a0c-bd23-8510b841b938" ``` Create `wiki/OpenBaoSshEngineChecklist.md`: - Prerequisites (OpenBao initialized/unsealed per railiance-platform) - Role creation commands (from OpsWardenConfig) - Token policy expectations (no root token in warden workflows) - Verification: `warden sign` against production endpoint - Failure modes and fallback boundaries **Done when:** Operator can verify production SSH signing path without reconstructing steps from multiple repos. ### T6 — Policy-gated signing design (design only) ```task id: WARDEN-WP-0006-T06 status: todo priority: low state_hub_task_id: "b10a4b4d-bfa1-4f49-b6a5-f339f1e6a2e1" ``` Create `wiki/PolicyGatedSigning.md`: - flex-auth decision before `warden sign` — proposed flow - Claims needed from IAM Profile - What stays inventory-based in v1 vs policy-based in v2 - Explicit non-implementation in this workplan **Done when:** Reviewable design exists; no code dependency. ### T7 — Re-assess INTENT ↔ SCOPE ```task id: WARDEN-WP-0006-T07 status: todo priority: medium state_hub_task_id: "ef8b5c57-2343-4cfc-9fee-48db1e56f69a" ``` After T1–T5 complete: - Update `history/2026-06-17-intent-scope-assessment.md` or add `history/YYYYMMDD-intent-scope-reassessment.md` - Refresh SCOPE.md Current State and completeness notes - Run `make fix-consistency REPO=ops-warden` **Done when:** Completeness target C3+ documented with evidence. --- ## Acceptance Criteria - [ ] `wiki/CredentialRouting.md` exists and is linked from README/SCOPE - [ ] `wiki/ActorInventoryPatterns.md` exists - [ ] `wiki/NetKingdomSecurityMap.md` exists - [ ] NetKingdom responsibility-map recognizes ops-warden SSH lane (T4) - [ ] OpenBao SSH checklist documented (T5) - [ ] Policy-gated signing design drafted (T6) - [ ] INTENT ↔ SCOPE re-assessment recorded (T7) - [ ] `reuse-surface validate --root .` passes if registry entry changed