ops-warden/workplans/WARDEN-WP-0005-openbao-doc-alignment.md

id, type, title, domain, repo, status, owner, topic_slug, created, updated, state_hub_workstream_id

id	type	title	domain	repo	status	owner	topic_slug	created	updated	state_hub_workstream_id
WARDEN-WP-0005	workplan	OpsWarden OpenBao-First Documentation Alignment	custodian	ops-warden	finished	codex	custodian	2026-06-17	2026-06-17	57f6ebf8-0ef3-4686-9a73-3f9d38288be9

WARDEN-WP-0005 — OpenBao-First Documentation Alignment

Scope: Update ops-warden documentation so production guidance names OpenBao as the platform secrets service while preserving the existing backend: vault config surface (Vault-compatible SSH secrets engine API). No code changes.

Out of scope: VaultCA backend rewrite, OpenBao SSH engine deployment in railiance-platform, AccessManagementDirective canon updates.

Reference: RAIL-PL-WP-0002 — Railiance standardizes on OpenBao; ops-warden follow-up noted 2026-05-17.

---

Tasks

T1 — OpsWardenConfig.md

id: WARDEN-WP-0005-T01
status: done
priority: high
state_hub_task_id: "bbbc4dda-9634-4c04-86e5-94b96c021b43"

• OpenBao-first production section with Railiance URLs and bao CLI examples
• Explain backend: vault / vault: keys as Vault-compatible API abstraction
• Link to railiance-platform/docs/openbao.md

T2 — Cross-reference updates

id: WARDEN-WP-0005-T02
status: done
priority: medium
state_hub_task_id: "6391cb82-896e-405a-a59b-36640e6480ba"

• SCOPE.md Core Idea and In Scope — OpenBao-first, Vault-compatible
• wiki/CertCommandInterface.md — caller-agnostic wording includes OpenBao

---

Acceptance Criteria

• Production config example uses OpenBao (bao.coulomb.social or in-cluster URL)
• No reader is told HashiCorp Vault is the platform standard
• backend: vault config shape unchanged (code compatibility preserved)
• uv run pytest still passes (docs-only change)