# NetKingdom Security Map (ops-warden view)

Date: 2026-06-17

Condensed literacy guide for ops-warden stewards and development workers. Canonical source remains `net-kingdom/docs/platform-identity-security-architecture.md`.

ops-warden **implements** the operational SSH lane and **documents** how the other lanes connect.

---

## Planes

```text
Bootstrap plane      railiance-infra, railiance-cluster, net-kingdom bootstrap
Platform control     key-cape, flex-auth, OpenBao, Topaz, railiance-platform
Tenant plane         railiance-apps, coulomb workloads, future tenants
Operational access   ops-warden (SSH certs), ops-bridge (tunnels)
```

---

## Component map

| Component | Answers | Credential types | ops-warden |
| --- | --- | --- | --- |
| **key-cape** | Who are you? (lightweight IAM) | OIDC tokens, MFA | Route — do not issue |
| **Keycloak** | Who are you? (expanded IAM) | OIDC/SAML federation | Route — do not issue |
| **privacyIDEA** | MFA / step-up | OTP, hardware tokens | Route — do not issue |
| **flex-auth** | May you do this action? | Policy decisions, audit envelopes | Future SSH pre-sign; route today |
| **Topaz** | PDP runtime for flex-auth | Authorization evaluations | Route — do not issue |
| **OpenBao** | Runtime secret authority | API keys, DB creds, leases, K8s auth | SSH engine **signing backend** only |
| **ops-warden** | SSH ops access | Short-lived SSH certificates | **Own and issue** |
| **ops-bridge** | Tunnel transport | Uses certs via cert_command | Consumer |
| **railiance-infra** | Host enforcement | auth_principals, sshd | Route — deploy hosts |
| **railiance-platform** | Platform deploy | OpenBao, Postgres, ingress | Route — do not deploy from warden |

---

## Credential lanes (summary)

| Lane | Owner | Lifetime | Worker entrypoint |
| --- | --- | --- | --- |
| Identity | key-cape / Keycloak | Session / token TTL | Login / OIDC |
| Authorization | flex-auth | Per request | Policy API / embedded PEP |
| Runtime secrets | OpenBao | Lease-bound | `bao` CLI, K8s ESO, app integration |
| SSH operational | ops-warden | adm 48h / agt 24h / atm 8h | `warden sign` |
| Tunnel | ops-bridge | Session | `bridge` + cert_command |

Full routing: `wiki/CredentialRouting.md`.

---

## Trust flow (simplified)

```text
Worker request
  -> Identity?         key-cape / Keycloak
  -> Authorized?       flex-auth
  -> Secret material?  OpenBao
  -> SSH cert?         ops-warden
  -> Tunnel?           ops-bridge (cert from warden)
  -> Host accepts?     railiance-infra principals
```

OpenBao does **not** replace identity or authorization. flex-auth decides; OpenBao stores/issues; ops-warden signs SSH certs when host reachability is the need.

---

## NetKingdom documents to watch

| Document | Why ops-warden cares |
| --- | --- |
| `platform-identity-security-architecture.md` | Planes, secret path, SSH path |
| `responsibility-map.md` | Operational SSH dependency section |
| `platform-identity-security-architecture.md` | Operational SSH Path section |
| `platform-root-custody.md` | OpenBao ceremony — not warden's job |
| `object-storage-sts-credential-vending.md` | S3 creds — never warden |
| `canon/standards/iam-profile_v0.2.md` | Claims for future policy-gated sign |

When these change, update the ops-warden wiki and `wiki/CredentialRouting.md`.

---

## Recursive platform rule

Tenant admins (including `tenant:coulomb`) must not gain platform-root authority. ops-warden SSH actors should use **narrow principals** for agent and automation work — not platform-admin equivalents on hosts.

---

## See also

- `INTENT.md`
- `wiki/AccessRouting.md` — issue-vs-route role and boundary
- `wiki/CredentialRouting.md`
- `wiki/PolicyGatedSigning.md` (future flex-auth hook)
- `net-kingdom/docs/platform-identity-security-architecture.md`
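The following is an added example (not ops-warden's own code) showing how the SSH-lane lifetimes (adm 48h / agt 24h / atm 8h), the narrow-principal rule and the recursive platform rule from this page can be checked before a sign request reaches the OpenBao SSH engine. The principal names `platform-admin`/`root`, the role names `warden-<kind>` and the identity prefix `tenant:` are assumptions made for the illustration.

```python
# Lane lifetimes from the credential-lanes table (hours).
MAX_TTL_HOURS = {"adm": 48, "agt": 24, "atm": 8}

# Assumed for this example: host principals that amount to platform-admin
# authority on railiance-infra hosts. Only "adm" actors may ever hold them.
PLATFORM_ROOT_PRINCIPALS = frozenset({"platform-admin", "root"})


class SignDenied(Exception):
    """The request violates a lane limit or the recursive platform rule."""


def plan_sign_request(actor_kind, identity, principals, public_key, ttl_hours=None):
    """Return the OpenBao ssh/sign payload for an allowed request, else raise.

    actor_kind: "adm" (human admin), "agt" (agent) or "atm" (automation).
    identity:   caller identity as asserted upstream, e.g. "tenant:coulomb".
    principals: host principals to embed in the certificate.
    """
    if actor_kind not in MAX_TTL_HOURS:
        raise SignDenied(f"unknown actor kind {actor_kind!r}")
    if not principals:
        raise SignDenied("a certificate must carry at least one principal")

    max_ttl = MAX_TTL_HOURS[actor_kind]
    ttl = max_ttl if ttl_hours is None else ttl_hours
    if ttl <= 0 or ttl > max_ttl:
        raise SignDenied(f"{actor_kind} lane allows at most {max_ttl}h, got {ttl}h")

    wants_root = PLATFORM_ROOT_PRINCIPALS.intersection(principals)
    # Narrow-principal rule: agent and automation certs never carry
    # platform-admin equivalents on hosts.
    if wants_root and actor_kind != "adm":
        raise SignDenied(f"{actor_kind} may not hold {sorted(wants_root)}")
    # Recursive platform rule: tenant admins never gain platform-root authority.
    if wants_root and identity.startswith("tenant:"):
        raise SignDenied(f"{identity} may not hold {sorted(wants_root)}")

    # Field names follow the OpenBao/Vault SSH secrets engine sign request
    # (POST <mount>/sign/<role>); the role naming is an assumption.
    return {
        "role": f"warden-{actor_kind}",
        "public_key": public_key,
        "valid_principals": ",".join(principals),
        "ttl": f"{ttl}h",
        "key_id": f"{actor_kind}:{identity}",
        "cert_type": "user",
    }
```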