ops-warden/workplans/WARDEN-WP-0005-openbao-doc-alignment.md
tegwick 15bf8cb543 WARDEN-WP-0005: OpenBao-first documentation alignment
Document OpenBao as the platform production secrets service while keeping
the vault-compatible warden.yaml config shape. Update OpsWardenConfig,
SCOPE, and CertCommandInterface cross-references.
2026-06-17 07:36:13 +02:00


---
id: WARDEN-WP-0005
type: workplan
title: "OpsWarden OpenBao-First Documentation Alignment"
domain: custodian
repo: ops-warden
status: finished
owner: codex
topic_slug: custodian
created: "2026-06-17"
updated: "2026-06-17"
state_hub_workstream_id: "57f6ebf8-0ef3-4686-9a73-3f9d38288be9"
---
# WARDEN-WP-0005 — OpenBao-First Documentation Alignment

**Scope:** Update ops-warden documentation so production guidance names OpenBao
as the platform secrets service while preserving the existing `backend: vault`
config surface (Vault-compatible SSH secrets engine API). No code changes.

**Out of scope:** VaultCA backend rewrite, OpenBao SSH engine deployment in
`railiance-platform`, AccessManagementDirective canon updates.

**Reference:** `RAIL-PL-WP-0002` — Railiance standardizes on OpenBao; ops-warden
follow-up noted 2026-05-17.

---

## Tasks

### T1 — OpsWardenConfig.md

```task
id: WARDEN-WP-0005-T01
status: done
priority: high
state_hub_task_id: "bbbc4dda-9634-4c04-86e5-94b96c021b43"
```

- [x] OpenBao-first production section with Railiance URLs and `bao` CLI examples
- [x] Explain `backend: vault` / `vault:` keys as Vault-compatible API abstraction
- [x] Link to `railiance-platform/docs/openbao.md`

### T2 — Cross-reference updates

```task
id: WARDEN-WP-0005-T02
status: done
priority: medium
state_hub_task_id: "6391cb82-896e-405a-a59b-36640e6480ba"
```

- [x] `SCOPE.md` Core Idea and In Scope — OpenBao-first, Vault-compatible
- [x] `wiki/CertCommandInterface.md` — caller-agnostic wording includes OpenBao

---

## Acceptance Criteria

- [x] Production config example uses OpenBao (`bao.coulomb.social` or in-cluster URL)
- [x] No reader is told HashiCorp Vault is the platform standard
- [x] `backend: vault` config shape unchanged (code compatibility preserved)
- [x] `uv run pytest` still passes (docs-only change)