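# ops-warden routing catalog — POINTER LAYER
#
# This file is a machine-readable index of NetKingdom credential needs. It tells a
# worker WHICH subsystem owns a need and WHERE the authoritative doc is. It is NOT
# a second copy of any subsystem's procedure.
#
# No-double-source rule (binding — see workplans/WARDEN-WP-0010-access-routing-charter.md):
#   - For any subsystem ops-warden does not own, an entry carries identifiers +
#     pointers ONLY: owner_repo, subsystem, wiki_ref, canon_ref, need_keywords.
#   - Authored procedure (a `steps:` block and `cert_command:`) is allowed ONLY on
#     entries with `warden_executes: true` — i.e. the SSH certificate lane, the one
#     lane ops-warden owns.
#   - A CI/test (WARDEN-WP-0011 T5) FAILS any non-SSH entry that carries a `steps`
#     block, and checks that every `wiki_ref` anchor resolves to a real section.
#   - No secret material in this file, ever.
#
# Field reference:
#   id               kebab-case stable identifier (lookup key)
#   title            human-readable need
#   need_keywords    tokens for `warden route find` keyword matching
#   owner_repo       repo/subsystem that owns the procedure
#   subsystem        platform component a worker acts on
#   warden_executes  true only for the SSH lane; false everywhere else
#   wiki_ref         anchor into an in-repo wiki section (authoritative restatement)
#   canon_ref        upstream net-kingdom doc the wiki section tracks
#   reviewed         date this pointer was last checked against canon (YYYY-MM-DD)
#   status           active (surfaced by default) | draft (hidden unless --all)
#   steps            ONLY when warden_executes: true
#   cert_command     ONLY when warden_executes: true
#
# Structured-handoff fields (WP-0014) — optional, present only on entries that
# carry a handoff. Templates only, never values; ops-warden does not own these
# secrets, it advises and (where exec_capable) proxies the fetch as the caller
# via `warden access`, never holding or persisting the value.
#   lane             secret (read of an existing secret) | login (interactive auth
#                    bootstrap — no secret-read gate, no caller-auth precheck)
#   auth_method      how the caller authenticates to the owner tool before the fetch
#   path_template    owner-tool path of the secret (template slots or a concrete path)
#   fetch_command    the owner-tool command `warden access` runs as the caller
#   policy_ref       the flex-auth check the fetch is subject to
#   exec_capable     true when `warden access <id> --exec` may run fetch_command
#                    as the caller (fetch_command must then be slot-free)
---
version: 1

entries:
  # --- SSH certificate lane: the only entry that may carry `steps`/`cert_command` ---
  - id: ssh-cert-host-access
    title: Short-lived SSH certificate for host / ops reachability
    need_keywords: [ssh, certificate, cert, host, access, sign, adm, agt, atm, reachability, ops]
    owner_repo: ops-warden
    subsystem: ops-warden
    warden_executes: true
    wiki_ref: wiki/AccessRouting.md#issue-vs-route
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md#operational-ssh-path
    reviewed: "2026-06-18"
    status: active
    # NOTE(review): the trailing space after `--pubkey` (here and in the "Sign:"
    # step below) looks like a dropped public-key argument slot — confirm the
    # intended template against wiki/AccessRouting.md before consumers depend on
    # the cert_command contract.
    cert_command: "warden sign --pubkey "
    steps:
      - "Confirm the actor is in inventory (`warden inventory list`); add with `warden inventory add` if not — see wiki/ActorInventoryPatterns.md."
      - "Confirm the backend is configured (`warden status`) — local CA for labs, vault for production."
      - "Sign: `warden sign --pubkey ` — cert is written to stdout (the cert_command contract)."
      - "TTL is enforced per actor type: adm 48h / agt 24h / atm 8h. No long-lived keys."

  # --- Pointer-only entries (warden_executes: false): identifiers + refs, no procedure ---
  - id: openbao-api-key
    title: API key, DB credential, or dynamic lease
    need_keywords: [api, key, secret, database, db, password, token, lease, openbao, vault, kv, dynamic, credential, npm, npm_auth_token, registry]
    owner_repo: railiance-platform
    subsystem: OpenBao
    warden_executes: false
    wiki_ref: wiki/CredentialRouting.md#routing-table
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
    reviewed: "2026-06-27"
    status: active
    # Structured handoff (WP-0014) — reference example. Templates only, no values.
    # ops-warden does not own this secret; it advises and (exec_capable) proxies the
    # fetch *as the caller* via `warden access`, never holding or persisting the value.
    # NOTE(review): the template slots appear to be missing — values end in
    # `role=`, `///`, `-field= ` and `secret.read:` with nothing after them. As a
    # reference example this entry cannot be executed verbatim; confirm the slot
    # tokens against wiki/CredentialRouting.md (compare the concrete
    # whynot-design-npm-publish entry below for the filled-in shape).
    auth_method: "key-cape OIDC → bao login -method=oidc role="
    path_template: "platform/workloads///"
    fetch_command: "bao kv get -field= "
    policy_ref: "flex-auth check secret.read:"
    exec_capable: true

  - id: whynot-design-npm-publish
    title: whynot-design npm publish token (@whynot/design → coulomb Gitea registry)
    need_keywords: [whynot-design, whynot, npm, publish, npm_auth_token, gitea, registry, coulomb, package]
    owner_repo: railiance-platform
    subsystem: OpenBao
    warden_executes: false
    wiki_ref: wiki/playbooks/whynot-design-npm-publish.md#worker-checklist
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
    reviewed: "2026-06-29"
    status: active
    # Concrete, owner-confirmed lane — railiance-platform CCR-2026-0001 (commit 8f617fc):
    # status=active, access_frontdoor.readiness=ready, resolvable=true; positive fetch
    # passed and negative (non-whynot) login denied. Zero-placeholder fetch: an automated
    # caller can `warden access whynot-design-npm-publish --exec -- npm publish` directly.
    # The path was corrected to the `coulomb` tenant — the whynot-design/whynot-design/…
    # form is superseded; do not reintroduce it.
    auth_method: "bao login -method=oidc -path=netkingdom role=whynot-design-workload-kv-read"
    path_template: "platform/workloads/coulomb/whynot-design/npm-publish"
    fetch_command: "bao kv get -field=NPM_AUTH_TOKEN platform/workloads/coulomb/whynot-design/npm-publish"
    policy_ref: "flex-auth check secret.read:whynot-design"
    exec_capable: true
    lane: secret

  - id: flex-auth-policy-check
    title: Authorization decision — may this actor perform this action
    need_keywords: [authorization, policy, permission, allow, deny, may, flex-auth, topaz, pdp, decision]
    owner_repo: flex-auth
    subsystem: flex-auth
    warden_executes: false
    wiki_ref: wiki/CredentialRouting.md#quick-decision-tree
    canon_ref: net-kingdom/docs/responsibility-map.md
    reviewed: "2026-06-18"
    status: active

  - id: key-cape-oidc-login
    title: Interactive login, OIDC token, or MFA
    need_keywords: [login, oidc, identity, mfa, token, jwt, sso, keycloak, key-cape, iam, claims, authenticate, signin]
    owner_repo: key-cape
    subsystem: key-cape / Keycloak
    warden_executes: false
    wiki_ref: wiki/CredentialRouting.md#quick-decision-tree
    canon_ref: net-kingdom/docs/canon/standards/iam-profile_v0.2.md
    reviewed: "2026-06-27"
    status: active
    # Login lane (WP-0014 T4) — interactive auth bootstrap, not a secret read. No
    # secret-read gate (you have no identity yet) and no caller-auth precheck (the
    # point is to obtain one). warden runs it interactively as the caller and never
    # captures the resulting token — the owner tool writes it to the caller's store.
    # NOTE(review): `role=` ends with no slot token — same apparent loss as the
    # openbao-api-key template; confirm before exec use.
    lane: login
    auth_method: "browser OIDC via key-cape / Keycloak"
    fetch_command: "bao login -method=oidc role="
    exec_capable: true

  - id: ops-bridge-tunnel
    title: SSH tunnel or port forward
    need_keywords: [tunnel, port, forward, bridge, ops-bridge, reverse, transport, ssh-tunnel, cert_command]
    owner_repo: ops-bridge
    subsystem: ops-bridge
    warden_executes: false
    wiki_ref: wiki/playbooks/ops-bridge-tunnel-cert.md#migration-checklist
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md#operational-ssh-path
    reviewed: "2026-06-24"
    status: active

  - id: railiance-infra-principals
    title: Host SSH principal file or force-command deployment
    need_keywords: [principal, auth_principals, force-command, host, sshd, hardening, railiance-infra, ansible]
    owner_repo: railiance-infra
    subsystem: railiance-infra
    warden_executes: false
    wiki_ref: wiki/CredentialRouting.md#routing-table
    canon_ref: net-kingdom/docs/responsibility-map.md
    reviewed: "2026-06-18"
    status: active

  - id: inter-hub-bootstrap-ssh
    title: Inter-Hub bootstrap SSH envelope
    need_keywords: [inter-hub, interhub, bootstrap, ops-hub, agt-interhub-bootstrap, envelope, force-command, CUST-WP-0049]
    owner_repo: ops-warden
    subsystem: ops-warden + railiance-infra
    # Owned by ops-warden but still pointer-only: the envelope is documented in the
    # wiki lane, not executed by warden (warden_executes stays false).
    warden_executes: false
    wiki_ref: wiki/InterHubBootstrapAccessLane.md#worker-checklist
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md#operational-ssh-path
    reviewed: "2026-06-24"
    status: active

  - id: activity-core-issue-sink
    title: activity-core IssueSink → issue-core REST emission
    need_keywords: [activity-core, issue-sink, issue-core, emission, issue_core_url, issue_core_api_key, tasks, ingest, rest, issuesink]
    owner_repo: activity-core
    subsystem: activity-core + issue-core
    warden_executes: false
    wiki_ref: wiki/playbooks/activity-core-issue-sink.md#worker-checklist
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
    reviewed: "2026-06-18"
    status: active

  # --- draft: owner path not yet shipped; hidden from default lookup ---
  - id: issue-core-ingestion-api-key
    title: issue-core ingestion API key (OpenBao KV + ESO)
    need_keywords: [issue-core, ingestion, api, key, openbao, issue_core_api_key, eso, external-secrets]
    owner_repo: railiance-platform
    subsystem: OpenBao + issue-core + activity-core
    warden_executes: false
    wiki_ref: wiki/playbooks/issue-core-ingestion-api-key.md#worker-checklist
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
    reviewed: "2026-06-24"
    status: draft

  - id: openrouter-llm-connect
    title: OpenRouter API key for llm-connect in activity-core
    need_keywords: [openrouter, llm, llm-connect, api, key, activity-core, gemini, provider, openrouter_api_key]
    owner_repo: railiance-platform
    subsystem: OpenBao + activity-core
    warden_executes: false
    wiki_ref: wiki/playbooks/openrouter-llm-connect.md#worker-checklist
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
    reviewed: "2026-06-24"
    status: draft

  - id: object-storage-sts
    title: Object-storage STS / temporary S3 credentials
    need_keywords: [s3, sts, object-storage, minio, artifact-store, temporary, credentials, bucket, vending]
    owner_repo: net-kingdom
    subsystem: flex-auth + OpenBao + artifact-store
    warden_executes: false
    wiki_ref: wiki/playbooks/object-storage-sts.md#worker-checklist
    canon_ref: net-kingdom/docs/object-storage-sts-credential-vending.md
    reviewed: "2026-06-24"
    status: draft

  - id: database-dynamic-credentials
    title: Database dynamic credentials (OpenBao secrets engine)
    need_keywords: [database, db, postgres, cnpg, dynamic, credentials, password, lease, openbao]
    owner_repo: railiance-platform
    subsystem: OpenBao
    warden_executes: false
    wiki_ref: wiki/playbooks/database-dynamic-credentials.md#worker-checklist
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
    reviewed: "2026-06-24"
    status: draft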