# Credential and access routing **Audience:** Codex, Claude Code, Grok, and custodian agents that call **llm-connect** for inference. Run this check **before** requesting secrets, API keys, SSH access, login tokens, or database passwords — in any repo, not only `ops-warden`. ops-warden **issues SSH certificates** (`warden sign`, `cert_command`) **and is the operator access front door** for every other credential need. For `exec_capable` lanes (OpenBao reads, key-cape login) `warden access --fetch/--exec` **proxies the fetch as you** — it runs the owner's tool with your identity and streams the value to you; ops-warden holds, caches, and logs nothing. For non-exec lanes it points you at the owner. **Do not** `POST /messages/` to `ops-warden` expecting a secret *value* — a State Hub reply is always a pointer. The **value comes from the CLI front door** (`warden access`), run with **your** identity, never from the inbox. ### Lookup (do this first) ```bash warden route find "" --json # who owns it (pointer) warden access "" --json # how to get it (handoff) ``` `warden access` is the operator front door (WARDEN-WP-0014): it renders the owner, auth method, path template, command skeleton, and policy-gate status for any need. For `exec_capable` lanes it can **proxy the fetch as you** (`--fetch`/`--exec`) — it runs the owner's tool with **your** identity and streams the value to you; ops-warden never holds, caches, or logs the value. See `wiki/OperatorAccessAssist.md`. Requires the `warden` CLI from `~/ops-warden` (`uv tool install .` or `uv run warden`). | Agent runtime | How to orient | | --- | --- | | **Codex / Grok** (shell, HTTP State Hub) | `warden route` commands above; inbox `to_agent=ops-warden` is for coordination, not secret vending | | **Claude Code** (MCP when available) | `get_domain_summary("custodian")` for workstreams; **still** use `warden route` for credential ownership | | **llm-connect** (inference service) | Never put secret retrieval in prompts; route custody to OpenBao/operator paths surfaced by `warden route` | ### Quick routing table | I need… | Owner | ops-warden role | | --- | --- | --- | | SSH cert (`adm`/`agt`/`atm`) | ops-warden | **Issue** — `warden sign` | | API key, DB password, provider token | OpenBao (`railiance-platform`) | **Assist** — `warden access --fetch/--exec` proxies as you; OpenBao keeps custody | | Login / OIDC / MFA | key-cape / Keycloak | **Assist** — `warden access --fetch` runs the login as you | | Authorization decision | flex-auth | Route only | | activity-core → issue-core emission | activity-core + issue-core | Route — `warden route show activity-core-issue-sink` | | SSH tunnel | ops-bridge (+ `cert_command` from warden) | Route only | ### Anti-patterns (do not do these) - `POST /messages/` to `ops-warden` asking for `ISSUE_CORE_API_KEY`, `OPENROUTER_API_KEY`, etc. - Inventing `warden secret`, `warden login`, `warden bao`, `warden tunnel` — they do not exist - Pasting secrets into Git, State Hub, workplans, logs, or chat - Treating `warden access --fetch` as a *secret store*. It is a transparent conduit using **your** identity — it holds nothing. ops-warden as a **standing broker** (its own secret-read token, a cache of fetched values) is forbidden; runtime secret custody stays in OpenBao, authorization in flex-auth. ### Other capabilities (reuse-surface) Non-credential capabilities are usually discovered through **reuse-surface** federation (`reuse-surface` registry / `capability.*` indexes). Credential routing is inlined in every repo's agent instructions because it is high-frequency, high-risk, and easy to get wrong. **Canon:** `~/ops-warden/wiki/CredentialRouting.md` · catalog `~/ops-warden/registry/routing/catalog.yaml`