coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2778bb9f710f2bb5bdddbc4c546cf33e1ee504b4
ops-warden/README.md
tegwick ac2efa1262 feat(WP-0011): warden route lookup CLI over the pointer catalog 
Add a read-only `warden route` command group (list/show/find) that reads
registry/routing/catalog.yaml and tells a worker which subsystem owns a need
and which wiki/canon doc to follow. ops-warden still executes exactly one lane
(SSH); routed entries return a pointer and never call any subsystem.

- src/warden/routing/: models.py + catalog.py loader; enforces the
  no-double-source rule (non-SSH entries with steps/cert_command fail validation),
  dup-id and schema checks.
- route list (active-only unless --all, --tag), route show (SSH appends steps +
  cert pattern; routed ends with "next action on <owner> — see <wiki_ref>"),
  route find (keyword ranking, --json).
- tests/test_routing.py: load/validation, find ranking, CLI JSON shapes, plus a
  drift guard (every wiki_ref anchor resolves; every entry has a reviewed date).
- Docs: wiki/AccessRouting.md CLI section, README quick reference, SCOPE A3 -> A4.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-18 21:07:13 +02:00

87 lines
2.9 KiB
Markdown
Raw Blame History

# ops-warden
SSH Certificate Authority and certificate lifecycle manager for the ops fleet.
Signs short-lived certs for `adm` / `agt` / `atm` actors and exposes the
`cert_command` interface consumed by `ops-bridge` and other tooling.
See `INTENT.md` for direction, `SCOPE.md` for current implementation, and
`wiki/AccessManagementDirective.md` for SSH policy. ops-warden issues SSH certs
and routes every other credential need to its owner — see `wiki/AccessRouting.md`.
Latest gap analysis: `history/2026-06-17-post-wp0007-reassessment.md`.
## Install
```bash
uv sync
uv tool install .
```
Or run without installing:
```bash
uv run warden --help
```
## Quick start (local backend)
```bash
# One-time: generate a CA key (keep mode 600, never commit)
ssh-keygen -t ed25519 -f ~/.ssh/ops-ca-user -C "Ops SSH User CA" -N ""
# Configure warden (~/.config/warden/warden.yaml) — see wiki/OpsWardenConfig.md
warden inventory add agt-example --type agt --principal agt-example
warden sign agt-example --pubkey ~/.ssh/id_ed25519.pub
warden status agt-example
warden scorecard
```
Production uses the `vault` backend against OpenBao or HashiCorp Vault (Vault-compatible
SSH secrets engine API). Template: `examples/warden.production.example.yaml`.
See `wiki/OpsWardenConfig.md` and `wiki/OpenBaoSshEngineChecklist.md`.
## Routing lookup (`warden route`)
ops-warden issues SSH certs and **routes** every other credential need to its
owner. The `route` command group is a read-only lookup over the pointer catalog
(`registry/routing/catalog.yaml`) — it never calls another subsystem or returns
secrets.
```bash
warden route list [--all] [--json] # scenarios (active-only unless --all)
warden route show <id> [--json] # owner + wiki/canon pointers; SSH adds steps
warden route find "issue an api key" # rank scenarios by keyword overlap
```
Full role and examples: `wiki/AccessRouting.md`.
## Development
```bash
uv sync
uv run pytest # unit tests (integration excluded)
uv run pytest -m integration # requires ssh-keygen in PATH
uv run ruff check .
```
## Key paths
| Path | Purpose |
|------|---------|
| `~/.config/warden/warden.yaml` | Backend and CA/Vault settings |
| `~/.config/warden/inventory.yaml` | Actor → principals registry |
| `~/.local/state/warden/` | Signed certs, keys, `signatures.log` |
## Documentation
- `INTENT.md` — operational access steward mission (NetKingdom-aligned)
- `wiki/CredentialRouting.md` — which subsystem for each credential type
- `wiki/NetKingdomSecurityMap.md` — platform security component map
- `wiki/ActorInventoryPatterns.md` — standard adm/agt/atm actor patterns
- `wiki/OpsWardenConfig.md` — configuration reference
- `wiki/CertCommandInterface.md``cert_command` contract for callers
- `wiki/InterHubBootstrapAccessLane.md` — short-lived cert envelope for bootstrap tasks
## Workplans
Active and proposed work lives in `workplans/`. Finished plans are archived under
`workplans/archived/`.
Reference in New Issue View Git Blame Copy Permalink