# Access Routing — what ops-warden answers Date: 2026-06-18 ops-warden **issues short-lived SSH certificates** and **routes every other credential need to the subsystem that owns it.** This page states that role plainly so it cannot be misread as a desk that wraps the platform. - **What ops-warden executes:** the SSH certificate lane only (`warden sign`, `cert_command`, `ops-ssh-wrapper`). - **What ops-warden answers:** *where* a credential need belongs and *who owns it* — pointing at the owner's docs, never restating their procedure. - **What ops-warden never does:** vend API keys, log you in, decide policy, open tunnels, or deploy hosts. For the worker-facing decision tree see `CredentialRouting.md`; for component literacy see `NetKingdomSecurityMap.md`. This page is the steward's statement of **role and boundary**. --- ## Issue vs route | Need | Subsystem | ops-warden role | Who acts | | --- | --- | --- | --- | | SSH cert for host/ops access (`adm`/`agt`/`atm`) | **ops-warden** | **Issue** (`warden sign`) | ops-warden signs; worker uses cert | | API key / DB cred / dynamic lease | OpenBao | Route — point at path | Worker calls OpenBao | | "May I perform action X?" | flex-auth (+ Topaz PDP) | Route — point at policy | Worker/PEP calls flex-auth | | Login / OIDC token / MFA | key-cape / Keycloak | Route — point at IAM Profile | Worker authenticates | | Object-storage STS / S3 creds | net-kingdom + flex-auth + OpenBao | Route — point at vending path | Worker follows NK-WP-0007 | | SSH tunnel / port forward | ops-bridge | Route — supply `cert_command` | ops-bridge opens tunnel | | Host principal / force-command | railiance-infra | Route — point at Ansible | infra deploys host | | OpenBao cluster init / unseal | railiance-platform | Route — point at ceremony | platform operates | Only the first row is something ops-warden **executes**. Every other row is a **pointer**: ops-warden names the owner and the doc, and the worker acts on the owning system directly. --- ## Anti-patterns (not coming to ops-warden) These commands do **not** exist and will **not** be added — they belong to other subsystems. If you find yourself wanting one, you are on the wrong desk: | Tempting command | Why it's wrong | Right path | | --- | --- | --- | | `warden secret` / `warden bao` | ops-warden does not store or vend secrets | OpenBao | | `warden login` | ops-warden does not establish identity | key-cape / Keycloak | | `warden policy` | ops-warden does not decide authorization | flex-auth | | `warden tunnel` | ops-warden does not manage transport | ops-bridge | ops-warden authors step-by-step procedure for exactly one lane — SSH issuance — because it owns it. For everything else it carries a **pointer**, not a fork of the owner's runbook. See the no-double-source rule in `workplans/WARDEN-WP-0010-access-routing-charter.md`. --- ## Audience notes - **Human operators** read this page and `CredentialRouting.md` to choose the right subsystem, then follow that subsystem's own docs. - **Agents / CI** will read the machine-readable routing catalog (`registry/routing/catalog.yaml`, surfaced via `warden route` — WARDEN-WP-0011) so routing does not have to be re-derived from wiki prose each session. - **Same truth, two shapes:** humans read the wiki; agents read the catalog. The catalog references wiki sections by anchor so the two cannot drift apart. --- ## How this stays aligned NetKingdom security architecture is canonical in `net-kingdom`. ops-warden tracks it: when canon changes, the wiki section is updated and the catalog pointer (`wiki_ref` + `canon_ref`) follows. ops-warden never overrides canon and never silently forks it. Report drift via a custodian workplan or a State Hub message to `ops-warden`. --- ## See also - `CredentialRouting.md` — worker decision tree and routing table - `NetKingdomSecurityMap.md` — component literacy - `INTENT.md` — steward mission ("issue SSH, route the rest") - `workplans/WARDEN-WP-0010-access-routing-charter.md` — charter + no-double-source rule - `net-kingdom/docs/platform-identity-security-architecture.md` — platform canon