generated from coulomb/repo-seed
Adds a lane: secret|login field to RouteEntry. The login lane is an interactive auth bootstrap: it skips the caller-auth precheck (no token yet — that's the point) and the secret-read gate (it establishes the identity the gate needs), runs the owner's login command interactively as the caller via inherited stdio, and rejects --exec. The token stays in the caller's own store; warden never captures it (G2 holds). Audited as action: login. key-cape-oidc-login populated as the reference login entry. Advisory proxy hint updated now that T3 has shipped. 172 passed, lint clean. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
188 lines
9.0 KiB
YAML
# ops-warden routing catalog — POINTER LAYER
#
# This file is a machine-readable index of NetKingdom credential needs. It tells a
# worker WHICH subsystem owns a need and WHERE the authoritative doc is. It is NOT
# a second copy of any subsystem's procedure.
#
# No-double-source rule (binding — see workplans/WARDEN-WP-0010-access-routing-charter.md):
#   - For any subsystem ops-warden does not own, an entry carries identifiers +
#     pointers ONLY: owner_repo, subsystem, wiki_ref, canon_ref, need_keywords.
#   - Authored procedure (a `steps:` block and `cert_command:`) is allowed ONLY on
#     entries with `warden_executes: true` — i.e. the SSH certificate lane, the one
#     lane ops-warden owns.
#   - A CI/test (WARDEN-WP-0011 T5) FAILS any non-SSH entry that carries a `steps`
#     block, and checks that every `wiki_ref` anchor resolves to a real section.
#   - No secret material in this file, ever.
#
# Field reference:
#   id               kebab-case stable identifier (lookup key)
#   title            human-readable need
#   need_keywords    tokens for `warden route find` keyword matching
#   owner_repo       repo/subsystem that owns the procedure
#   subsystem        platform component a worker acts on
#   warden_executes  true only for the SSH lane; false everywhere else
#   wiki_ref         anchor into an in-repo wiki section (authoritative restatement)
#   canon_ref        upstream net-kingdom doc the wiki section tracks
#   reviewed         date this pointer was last checked against canon (YYYY-MM-DD)
#   status           active (surfaced by default) | draft (hidden unless --all)
#   lane             secret | login (login = interactive auth bootstrap; see key-cape-oidc-login)
#   steps            ONLY when warden_executes: true
#   cert_command     ONLY when warden_executes: true

version: 1

entries:
  - id: ssh-cert-host-access
    title: Short-lived SSH certificate for host / ops reachability
    need_keywords: [ssh, certificate, cert, host, access, sign, adm, agt, atm, reachability, ops]
    owner_repo: ops-warden
    subsystem: ops-warden
    warden_executes: true
    wiki_ref: wiki/AccessRouting.md#issue-vs-route
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md#operational-ssh-path
    reviewed: "2026-06-18"
    status: active
    cert_command: "warden sign <actor> --pubkey <path>"
    steps:
      - "Confirm the actor is in inventory (`warden inventory list`); add with `warden inventory add` if not — see wiki/ActorInventoryPatterns.md."
      - "Confirm the backend is configured (`warden status`) — local CA for labs, vault for production."
      - "Sign: `warden sign <actor> --pubkey <path>` — cert is written to stdout (the cert_command contract)."
      - "TTL is enforced per actor type: adm 48h / agt 24h / atm 8h. No long-lived keys."

  - id: openbao-api-key
    title: API key, DB credential, or dynamic lease
    need_keywords: [api, key, secret, database, db, password, token, lease, openbao, vault, kv, dynamic, credential, npm, npm_auth_token, registry]
    owner_repo: railiance-platform
    subsystem: OpenBao
    warden_executes: false
    wiki_ref: wiki/CredentialRouting.md#routing-table
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
    reviewed: "2026-06-27"
    status: active
    # Structured handoff (WP-0014) — reference example. Templates only, no values.
    # ops-warden does not own this secret; it advises and (exec_capable) proxies the
    # fetch *as the caller* via `warden access`, never holding or persisting the value.
    auth_method: "key-cape OIDC → bao login -method=oidc role=<domain>"
    path_template: "platform/workloads/<domain>/<workload>/<bundle>"
    fetch_command: "bao kv get -field=<FIELD> <path_template>"
    policy_ref: "flex-auth check secret.read:<domain>"
    exec_capable: true

  - id: flex-auth-policy-check
    title: Authorization decision — may this actor perform this action
    need_keywords: [authorization, policy, permission, allow, deny, may, flex-auth, topaz, pdp, decision]
    owner_repo: flex-auth
    subsystem: flex-auth
    warden_executes: false
    wiki_ref: wiki/CredentialRouting.md#quick-decision-tree
    canon_ref: net-kingdom/docs/responsibility-map.md
    reviewed: "2026-06-18"
    status: active

  - id: key-cape-oidc-login
    title: Interactive login, OIDC token, or MFA
    need_keywords: [login, oidc, identity, mfa, token, jwt, sso, keycloak, key-cape, iam, claims, authenticate, signin]
    owner_repo: key-cape
    subsystem: key-cape / Keycloak
    warden_executes: false
    wiki_ref: wiki/CredentialRouting.md#quick-decision-tree
    canon_ref: net-kingdom/docs/canon/standards/iam-profile_v0.2.md
    reviewed: "2026-06-27"
    status: active
    # Login lane (WP-0014 T4) — interactive auth bootstrap, not a secret read. No
    # secret-read gate (you have no identity yet) and no caller-auth precheck (the
    # point is to obtain one). warden runs it interactively as the caller and never
    # captures the resulting token — the owner tool writes it to the caller's store.
    lane: login
    auth_method: "browser OIDC via key-cape / Keycloak"
    fetch_command: "bao login -method=oidc role=<domain>"
    exec_capable: true

  - id: ops-bridge-tunnel
    title: SSH tunnel or port forward
    need_keywords: [tunnel, port, forward, bridge, ops-bridge, reverse, transport, ssh-tunnel, cert_command]
    owner_repo: ops-bridge
    subsystem: ops-bridge
    warden_executes: false
    wiki_ref: wiki/playbooks/ops-bridge-tunnel-cert.md#migration-checklist
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md#operational-ssh-path
    reviewed: "2026-06-24"
    status: active

  - id: railiance-infra-principals
    title: Host SSH principal file or force-command deployment
    need_keywords: [principal, auth_principals, force-command, host, sshd, hardening, railiance-infra, ansible]
    owner_repo: railiance-infra
    subsystem: railiance-infra
    warden_executes: false
    wiki_ref: wiki/CredentialRouting.md#routing-table
    canon_ref: net-kingdom/docs/responsibility-map.md
    reviewed: "2026-06-18"
    status: active

  - id: inter-hub-bootstrap-ssh
    title: Inter-Hub bootstrap SSH envelope
    need_keywords: [inter-hub, interhub, bootstrap, ops-hub, agt-interhub-bootstrap, envelope, force-command, CUST-WP-0049]
    owner_repo: ops-warden
    subsystem: ops-warden + railiance-infra
    warden_executes: false
    wiki_ref: wiki/InterHubBootstrapAccessLane.md#worker-checklist
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md#operational-ssh-path
    reviewed: "2026-06-24"
    status: active

  - id: activity-core-issue-sink
    title: activity-core IssueSink → issue-core REST emission
    need_keywords: [activity-core, issue-sink, issue-core, emission, issue_core_url, issue_core_api_key, tasks, ingest, rest, issuesink]
    owner_repo: activity-core
    subsystem: activity-core + issue-core
    warden_executes: false
    wiki_ref: wiki/playbooks/activity-core-issue-sink.md#worker-checklist
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
    reviewed: "2026-06-18"
    status: active

  # --- draft: owner path not yet shipped; hidden from default lookup ---
  - id: issue-core-ingestion-api-key
    title: issue-core ingestion API key (OpenBao KV + ESO)
    need_keywords: [issue-core, ingestion, api, key, openbao, issue_core_api_key, eso, external-secrets]
    owner_repo: railiance-platform
    subsystem: OpenBao + issue-core + activity-core
    warden_executes: false
    wiki_ref: wiki/playbooks/issue-core-ingestion-api-key.md#worker-checklist
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
    reviewed: "2026-06-24"
    status: draft

  - id: openrouter-llm-connect
    title: OpenRouter API key for llm-connect in activity-core
    need_keywords: [openrouter, llm, llm-connect, api, key, activity-core, gemini, provider, openrouter_api_key]
    owner_repo: railiance-platform
    subsystem: OpenBao + activity-core
    warden_executes: false
    wiki_ref: wiki/playbooks/openrouter-llm-connect.md#worker-checklist
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
    reviewed: "2026-06-24"
    status: draft

  - id: object-storage-sts
    title: Object-storage STS / temporary S3 credentials
    need_keywords: [s3, sts, object-storage, minio, artifact-store, temporary, credentials, bucket, vending]
    owner_repo: net-kingdom
    subsystem: flex-auth + OpenBao + artifact-store
    warden_executes: false
    wiki_ref: wiki/playbooks/object-storage-sts.md#worker-checklist
    canon_ref: net-kingdom/docs/object-storage-sts-credential-vending.md
    reviewed: "2026-06-24"
    status: draft

  - id: database-dynamic-credentials
    title: Database dynamic credentials (OpenBao secrets engine)
    need_keywords: [database, db, postgres, cnpg, dynamic, credentials, password, lease, openbao]
    owner_repo: railiance-platform
    subsystem: OpenBao
    warden_executes: false
    wiki_ref: wiki/playbooks/database-dynamic-credentials.md#worker-checklist
    canon_ref: net-kingdom/docs/platform-identity-security-architecture.md
    reviewed: "2026-06-24"
    status: draft