ops-warden/registry/routing/catalog.yaml

# ops-warden routing catalog — POINTER LAYER
#
# This file is a machine-readable index of NetKingdom credential needs. It tells a
# worker WHICH subsystem owns a need and WHERE the authoritative doc is. It is NOT
# a second copy of any subsystem's procedure.
#
# No-double-source rule (binding — see workplans/WARDEN-WP-0010-access-routing-charter.md):
#   - For any subsystem ops-warden does not own, an entry carries identifiers +
#     pointers ONLY: owner_repo, subsystem, wiki_ref, canon_ref, need_keywords.
#   - Authored procedure (a `steps:` block and `cert_command:`) is allowed ONLY on
#     entries with `warden_executes: true` — i.e. the SSH certificate lane, the one
#     lane ops-warden owns.
#   - A CI/test (WARDEN-WP-0011 T5) FAILS any non-SSH entry that carries a `steps`
#     block, and checks that every `wiki_ref` anchor resolves to a real section.
#   - No secret material in this file, ever.
#
# Field reference:
#   id              kebab-case stable identifier (lookup key)
#   title           human-readable need
#   need_keywords   tokens for `warden route find` keyword matching
#   owner_repo      repo/subsystem that owns the procedure
#   subsystem       platform component a worker acts on
#   warden_executes true only for the SSH lane; false everywhere else
#   wiki_ref        anchor into an in-repo wiki section (authoritative restatement)
#   canon_ref       upstream net-kingdom doc the wiki section tracks
#   reviewed        date this pointer was last checked against canon (YYYY-MM-DD)
#   status          active (surfaced by default) | draft (hidden unless --all)
#   steps           ONLY when warden_executes: true
#   cert_command    ONLY when warden_executes: true

version: 1

entries:
  - id: ssh-cert-host-access
    title: Short-lived SSH certificate for host / ops reachability
    need_keywords: [ssh, certificate, cert, host, access, sign, adm, agt, atm, reachability, ops]
    owner_repo: ops-warden
    subsystem: ops-warden
    warden_executes: true
    wiki_ref: wiki/AccessRouting.md#issue-vs-route
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md#operational-ssh-path
    reviewed: "2026-06-18"
    status: active
    cert_command: "warden sign <actor> --pubkey <path>"
    steps:
      - "Confirm the actor is in inventory (`warden inventory list`); add with `warden inventory add` if not — see wiki/ActorInventoryPatterns.md."
      - "Confirm the backend is configured (`warden status`) — local CA for labs, vault for production."
      - "Sign: `warden sign <actor> --pubkey <path>` — cert is written to stdout (the cert_command contract)."
      - "TTL is enforced per actor type: adm 48h / agt 24h / atm 8h. No long-lived keys."

  - id: openbao-api-key
    title: API key, DB credential, or dynamic lease
    need_keywords: [api, key, secret, database, db, password, token, lease, openbao, vault, kv, dynamic, credential]
    owner_repo: railiance-platform
    subsystem: OpenBao
    warden_executes: false
    wiki_ref: wiki/CredentialRouting.md#routing-table
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
    reviewed: "2026-06-18"
    status: active

  - id: flex-auth-policy-check
    title: Authorization decision — may this actor perform this action
    need_keywords: [authorization, policy, permission, allow, deny, may, flex-auth, topaz, pdp, decision]
    owner_repo: flex-auth
    subsystem: flex-auth
    warden_executes: false
    wiki_ref: wiki/CredentialRouting.md#quick-decision-tree
    canon_ref: net-kingdom/docs/responsibility-map.md
    reviewed: "2026-06-18"
    status: active

  - id: key-cape-oidc-login
    title: Interactive login, OIDC token, or MFA
    need_keywords: [login, oidc, identity, mfa, token, jwt, sso, keycloak, key-cape, iam, claims, authenticate]
    owner_repo: key-cape
    subsystem: key-cape / Keycloak
    warden_executes: false
    wiki_ref: wiki/CredentialRouting.md#quick-decision-tree
    canon_ref: net-kingdom/docs/canon/standards/iam-profile_v0.2.md
    reviewed: "2026-06-18"
    status: active

  - id: ops-bridge-tunnel
    title: SSH tunnel or port forward
    need_keywords: [tunnel, port, forward, bridge, ops-bridge, reverse, transport, ssh-tunnel, cert_command]
    owner_repo: ops-bridge
    subsystem: ops-bridge
    warden_executes: false
    wiki_ref: wiki/playbooks/ops-bridge-tunnel-cert.md#migration-checklist
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md#operational-ssh-path
    reviewed: "2026-06-24"
    status: active

  - id: railiance-infra-principals
    title: Host SSH principal file or force-command deployment
    need_keywords: [principal, auth_principals, force-command, host, sshd, hardening, railiance-infra, ansible]
    owner_repo: railiance-infra
    subsystem: railiance-infra
    warden_executes: false
    wiki_ref: wiki/CredentialRouting.md#routing-table
    canon_ref: net-kingdom/docs/responsibility-map.md
    reviewed: "2026-06-18"
    status: active

  - id: inter-hub-bootstrap-ssh
    title: Inter-Hub bootstrap SSH envelope
    need_keywords: [inter-hub, interhub, bootstrap, ops-hub, agt-interhub-bootstrap, envelope, force-command, CUST-WP-0049]
    owner_repo: ops-warden
    subsystem: ops-warden + railiance-infra
    warden_executes: false
    wiki_ref: wiki/InterHubBootstrapAccessLane.md#worker-checklist
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md#operational-ssh-path
    reviewed: "2026-06-24"
    status: active

  - id: activity-core-issue-sink
    title: activity-core IssueSink → issue-core REST emission
    need_keywords: [activity-core, issue-sink, issue-core, emission, issue_core_url, issue_core_api_key, tasks, ingest, rest, issuesink]
    owner_repo: activity-core
    subsystem: activity-core + issue-core
    warden_executes: false
    wiki_ref: wiki/playbooks/activity-core-issue-sink.md#worker-checklist
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
    reviewed: "2026-06-18"
    status: active

  # --- draft: owner path not yet shipped; hidden from default lookup ---
  - id: issue-core-ingestion-api-key
    title: issue-core ingestion API key (OpenBao KV + ESO)
    need_keywords: [issue-core, ingestion, api, key, openbao, issue_core_api_key, eso, external-secrets]
    owner_repo: railiance-platform
    subsystem: OpenBao + issue-core + activity-core
    warden_executes: false
    wiki_ref: wiki/playbooks/issue-core-ingestion-api-key.md#worker-checklist
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
    reviewed: "2026-06-24"
    status: draft

  - id: openrouter-llm-connect
    title: OpenRouter API key for llm-connect in activity-core
    need_keywords: [openrouter, llm, llm-connect, api, key, activity-core, gemini, provider, openrouter_api_key]
    owner_repo: railiance-platform
    subsystem: OpenBao + activity-core
    warden_executes: false
    wiki_ref: wiki/playbooks/openrouter-llm-connect.md#worker-checklist
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
    reviewed: "2026-06-24"
    status: draft

  - id: object-storage-sts
    title: Object-storage STS / temporary S3 credentials
    need_keywords: [s3, sts, object-storage, minio, artifact-store, temporary, credentials, bucket, vending]
    owner_repo: net-kingdom
    subsystem: flex-auth + OpenBao + artifact-store
    warden_executes: false
    wiki_ref: wiki/playbooks/object-storage-sts.md#worker-checklist
    canon_ref: net-kingdom/docs/object-storage-sts-credential-vending.md
    reviewed: "2026-06-24"
    status: draft

  - id: database-dynamic-credentials
    title: Database dynamic credentials (OpenBao secrets engine)
    need_keywords: [database, db, postgres, cnpg, dynamic, credentials, password, lease, openbao]
    owner_repo: railiance-platform
    subsystem: OpenBao
    warden_executes: false
    wiki_ref: wiki/playbooks/database-dynamic-credentials.md#worker-checklist
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
    reviewed: "2026-06-24"
    status: draft