coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
407cd2e1f40c943cb14dc3708eb475378db4960c
ops-warden/README.md
tegwick ffc2722006 docs(WP-0010): sharpen mission to "issue SSH, route the rest" + pointer catalog 
Implements WARDEN-WP-0010 (charter + pointer catalog). ops-warden issues
short-lived SSH certificates and routes every other credential need to the
subsystem that owns it — no desk metaphor, one execution lane.

- wiki/AccessRouting.md: role/boundary, issue-vs-route matrix, anti-patterns
- registry/routing/catalog.yaml: machine-readable pointer layer (6 active + 1
  draft). No-double-source rule enforced structurally — authored steps/cert_command
  only on the warden_executes:true SSH entry; every wiki_ref anchor resolves
- wiki/CredentialRouting.md: catalog-keyed index + no-duplicate-interfaces note
- INTENT/SCOPE/AGENTS/repo-boundary/capability: aligned to the new framing;
  SCOPE notes A3 -> A4 lands with WP-0011 warden route CLI
- WP-0011/0012 + WP-0010: state_hub id writeback; WP-0010 marked done

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-18 20:44:53 +02:00

2.4 KiB
Raw Blame History

ops-warden

SSH Certificate Authority and certificate lifecycle manager for the ops fleet. Signs short-lived certs for adm / agt / atm actors and exposes the cert_command interface consumed by ops-bridge and other tooling.

See INTENT.md for direction, SCOPE.md for current implementation, and wiki/AccessManagementDirective.md for SSH policy. ops-warden issues SSH certs and routes every other credential need to its owner — see wiki/AccessRouting.md. Latest gap analysis: history/2026-06-17-post-wp0007-reassessment.md.

Install

uv sync
uv tool install .

Or run without installing:

uv run warden --help

Quick start (local backend)

# One-time: generate a CA key (keep mode 600, never commit)
ssh-keygen -t ed25519 -f ~/.ssh/ops-ca-user -C "Ops SSH User CA" -N ""

# Configure warden (~/.config/warden/warden.yaml) — see wiki/OpsWardenConfig.md
warden inventory add agt-example --type agt --principal agt-example
warden sign agt-example --pubkey ~/.ssh/id_ed25519.pub
warden status agt-example
warden scorecard

Production uses the vault backend against OpenBao or HashiCorp Vault (Vault-compatible SSH secrets engine API). Template: examples/warden.production.example.yaml. See wiki/OpsWardenConfig.md and wiki/OpenBaoSshEngineChecklist.md.

Development

uv sync
uv run pytest              # unit tests (integration excluded)
uv run pytest -m integration   # requires ssh-keygen in PATH
uv run ruff check .

Key paths

Path Purpose
~/.config/warden/warden.yaml Backend and CA/Vault settings
~/.config/warden/inventory.yaml Actor → principals registry
~/.local/state/warden/ Signed certs, keys, signatures.log

Documentation

  • INTENT.md — operational access steward mission (NetKingdom-aligned)
  • wiki/CredentialRouting.md — which subsystem for each credential type
  • wiki/NetKingdomSecurityMap.md — platform security component map
  • wiki/ActorInventoryPatterns.md — standard adm/agt/atm actor patterns
  • wiki/OpsWardenConfig.md — configuration reference
  • wiki/CertCommandInterface.mdcert_command contract for callers
  • wiki/InterHubBootstrapAccessLane.md — short-lived cert envelope for bootstrap tasks

Workplans

Active and proposed work lives in workplans/. Finished plans are archived under workplans/archived/.

Reference in New Issue View Git Blame Copy Permalink