Add platform-secret playbooks for issue-core ingestion, OpenRouter llm-connect, object-storage STS, and database dynamic credentials. Extend the routing catalog with draft entries and implement `warden route list --stale` for quarterly drift review. Document the review cadence in AccessRouting and mark the workplan finished.
| id | type | title | domain | repo | status | owner | topic_slug | planning_priority | planning_order | created | updated | state_hub_workstream_id |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WARDEN-WP-0012 | workplan | Routing Scenario Playbooks | infotech | ops-warden | finished | codex | custodian | medium | 12 | 2026-06-18 | 2026-06-24 | a7e712a0-02f8-4f83-944e-6b207e77bc4c |
WARDEN-WP-0012 — Routing Scenario Playbooks
Scope: Grow the routing catalog and wiki playbooks for high-frequency NetKingdom access scenarios. Each wiki playbook restates what the worker does on the owning system and tracks an upstream canon doc; the catalog only points at it. ops-warden authors procedure only for the SSH lane.
Out of scope: Implementing custody in ops-warden; creating OpenBao paths in railiance-platform (coordinate only); authoring flex-auth policy; restating an owner's procedure inside the catalog.
Depends on: WARDEN-WP-0010 (charter + catalog schema), WARDEN-WP-0011 (routing CLI).
Status: finished — playbooks shipped; draft entries await owner path promotion.
Anti-stale rule
A scenario is added to the catalog as `status: active` only when its owning repo's path actually exists and a `wiki_ref` is written. Until then it stays `status: draft` and is hidden from the default `warden route find` / `warden route list`. We do not seed agent-visible entries for paths that owners have not shipped — a confident-looking pointer to a non-existent path is worse than no entry.
Scenario backlog
| Catalog id | Routing focus | Executing owner | Gate (to promote to active) |
|---|---|---|---|
| issue-core-ingestion-api-key | OpenBao KV path, K8s injection, rotation | railiance-platform + issue-core | path exists |
| activity-core-issue-sink | ISSUE_CORE_URL + consumer key custody | activity-core + issue-core | path exists |
| inter-hub-bootstrap-ssh | SSH envelope + on-host wrapper reads OpenBao | ops-warden SSH + railiance-infra | ready (SSH lane) |
| openrouter-llm-connect | OpenBao → K8s Secret in activity-core | railiance-platform | path exists |
| object-storage-sts | NK-WP-0007 vending path | net-kingdom + flex-auth + OpenBao | canon exists |
| ops-bridge-tunnel-cert | cert_command vs static-key migration | ops-bridge | done (WP-0013) |
| human-oidc-login | key-cape / Keycloak IAM Profile | key-cape | canon exists |
| flex-auth-resource-check | Policy decision before sensitive action | flex-auth | canon exists |
| host-principal-deploy | auth_principals sync | railiance-infra | canon exists |
Tasks
T1 — issue-core ingestion key playbook
id: WARDEN-WP-0012-T01
status: done
priority: high
state_hub_task_id: "830bb512-0288-4dba-9dd4-ccfd28a4921f"
- Coordinate with railiance-platform to canonicalize the OpenBao path first. (Expected path documented from `railiance-platform/docs/argocd-gitops.md`; the live KV path has not yet shipped, so promotion is blocked per the anti-stale rule.)
- Then write `wiki/playbooks/issue-core-ingestion-api-key.md` (prerequisites, ESO pattern, rotation, privileged-read policy) and promote the catalog entry from `draft` to `active` with a `wiki_ref`. (Playbook and `wiki_ref` done; the entry stays `draft` until the path ships.)
T2 — Inter-Hub and bootstrap lanes
id: WARDEN-WP-0012-T02
status: done
priority: medium
state_hub_task_id: "7726a703-6e00-4e49-9380-ed3fb3268827"
- Align `wiki/InterHubBootstrapAccessLane.md` with catalog id `inter-hub-bootstrap-ssh`
- Document attended vs unattended bootstrap branches
- Cross-link flex-auth and OpenBao expectations (pointers, not restated steps)
- Promote catalog entry to `active` with `wiki_ref`
T3 — ops-bridge tunnel migration
id: WARDEN-WP-0012-T03
status: done
priority: medium
state_hub_task_id: "9fb397f0-0abb-48f5-bb62-7e77edae93bb"
- Playbook: `wiki/playbooks/ops-bridge-tunnel-cert.md` (WARDEN-WP-0013)
- Pilot tunnel `agt-state-hub-bridge` documented; ops-bridge coordination sent
T4 — Platform secret scenarios (LLM, STS, DB)
id: WARDEN-WP-0012-T04
status: done
priority: low
state_hub_task_id: "edcf4ed7-f18d-4a92-a42d-8cc7ca0ab792"
- Playbooks for OpenRouter, object-storage STS, DB dynamic creds.
- Each ends with an owner-repo action; no warden secret code; pointers to canon.
T5 — Drift review cadence
id: WARDEN-WP-0012-T05
status: done
priority: low
state_hub_task_id: "db98d655-8551-487b-9413-41bf97fc06e1"
- Document a review cadence against net-kingdom canon.
- `warden route list --stale`, keyed off the `reviewed:` date field.
- Process note in `wiki/AccessRouting.md`.
Acceptance
- Every active catalog entry has a `wiki_ref` to an existing section; no active entry points at a path its owner has not shipped (those stay `draft`).
- `warden route find` resolves common agent queries without wiki grep.
- Playbooks and catalog contain no secret material — only owners, pointers, checklists.
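The anti-stale rule, the default hiding of `draft` entries, and the `--stale` filter from T5 are small enough to model end to end. The block below is an added illustration, not ops-warden's own CLI code, and it assumes a catalog entry shape (`id`, `status`, `wiki_ref`, `reviewed`) that is a hypothetical stand-in for the real schema defined in WARDEN-WP-0010; the sample entries, the 91-day quarter, and the `path_shipped` callback are all constructed here.

```python
"""Constructed model of the catalog gating rules on this page (not ops-warden's code).

Assumed entry fields (hypothetical; the real schema lives in WARDEN-WP-0010):
  id        catalog id
  status    'draft' or 'active'
  wiki_ref  pointer into the wiki, or None
  reviewed  'YYYY-MM-DD' of the last drift review, or None
"""
from datetime import date, timedelta

QUARTER_DAYS = 91  # assumption: "quarterly drift review" taken as 13 weeks

# Constructed sample catalog; ids borrowed from the scenario backlog above,
# wiki_ref anchors and reviewed dates are invented for the example.
CATALOG = [
    {"id": "inter-hub-bootstrap-ssh", "status": "active",
     "wiki_ref": "wiki/InterHubBootstrapAccessLane.md", "reviewed": "2026-06-20"},
    {"id": "ops-bridge-tunnel-cert", "status": "active",
     "wiki_ref": "wiki/playbooks/ops-bridge-tunnel-cert.md",
     "reviewed": "2026-01-15"},                       # older than a quarter -> stale
    {"id": "issue-core-ingestion-api-key", "status": "draft",
     "wiki_ref": "wiki/playbooks/issue-core-ingestion-api-key.md",
     "reviewed": "2026-06-22"},                       # draft: hidden by default
    {"id": "human-oidc-login", "status": "active",
     "wiki_ref": "wiki/playbooks/human-oidc-login.md",
     "reviewed": None},                               # never reviewed -> stale
    {"id": "unshipped-example", "status": "active",   # constructed rule violation
     "wiki_ref": None, "reviewed": "2026-06-01"},
]


def lint_entry(entry, path_shipped):
    """Return the anti-stale-rule violations for one entry.

    path_shipped(catalog_id) -> bool is supplied by the caller (in practice a
    check against the owning repo); it is consulted only for active entries,
    because drafts are allowed to point at paths that do not exist yet.
    """
    problems = []
    if entry["status"] == "active":
        if not entry.get("wiki_ref"):
            problems.append("active entry without wiki_ref")
        if not path_shipped(entry["id"]):
            problems.append("active entry whose owner path has not shipped")
    elif entry["status"] != "draft":
        problems.append(f"unknown status {entry['status']!r}")
    return problems


def lint_catalog(catalog, path_shipped):
    """Map catalog id -> violations, omitting clean entries."""
    report = {}
    for entry in catalog:
        problems = lint_entry(entry, path_shipped)
        if problems:
            report[entry["id"]] = problems
    return report


def is_stale(entry, today, max_age_days=QUARTER_DAYS):
    """Stale = no reviewed: date at all, or one older than the review cadence."""
    reviewed = entry.get("reviewed")
    if not reviewed:
        return True
    return date.fromisoformat(reviewed) < today - timedelta(days=max_age_days)


def route_list(catalog, today, stale=False, include_draft=False):
    """Model of `warden route list`: drafts hidden unless asked for,
    --stale keeps only entries due for drift review. `today` is 'YYYY-MM-DD'."""
    today = date.fromisoformat(today)
    rows = [e for e in catalog if include_draft or e["status"] == "active"]
    if stale:
        rows = [e for e in rows if is_stale(e, today)]
    return sorted(e["id"] for e in rows)


if __name__ == "__main__":
    shipped = lambda cid: cid != "unshipped-example"   # constructed owner-path check
    print("lint:        ", lint_catalog(CATALOG, shipped))
    print("list:        ", route_list(CATALOG, "2026-06-24"))
    print("list --stale:", route_list(CATALOG, "2026-06-24", stale=True))
```

The lint is what a pre-commit or CI gate on the catalog would run: an `active` entry with no `wiki_ref`, or whose owner path the check cannot find, fails the promotion the acceptance criteria describe, while `draft` entries pass untouched. The `--stale` view deliberately treats a missing `reviewed:` date as stale, so an entry that was promoted but never reviewed surfaces at the first quarterly pass.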
See also
- WARDEN-WP-0010
- WARDEN-WP-0011
- `wiki/CredentialRouting.md`
- `history/2026-06-18-post-wp0008-intent-scope-reassessment.md`