coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
407cd2e1f40c943cb14dc3708eb475378db4960c
ops-warden/wiki/NetKingdomSecurityMap.md
tegwick ffc2722006 docs(WP-0010): sharpen mission to "issue SSH, route the rest" + pointer catalog 
Implements WARDEN-WP-0010 (charter + pointer catalog). ops-warden issues
short-lived SSH certificates and routes every other credential need to the
subsystem that owns it — no desk metaphor, one execution lane.

- wiki/AccessRouting.md: role/boundary, issue-vs-route matrix, anti-patterns
- registry/routing/catalog.yaml: machine-readable pointer layer (6 active + 1
  draft). No-double-source rule enforced structurally — authored steps/cert_command
  only on the warden_executes:true SSH entry; every wiki_ref anchor resolves
- wiki/CredentialRouting.md: catalog-keyed index + no-duplicate-interfaces note
- INTENT/SCOPE/AGENTS/repo-boundary/capability: aligned to the new framing;
  SCOPE notes A3 -> A4 lands with WP-0011 warden route CLI
- WP-0011/0012 + WP-0010: state_hub id writeback; WP-0010 marked done

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-18 20:44:53 +02:00

3.7 KiB
Raw Blame History

NetKingdom Security Map (ops-warden view)

Date: 2026-06-17

Condensed literacy guide for ops-warden stewards and development workers. Canonical source remains net-kingdom/docs/platform-identity-security-architecture.md.

ops-warden implements the operational SSH lane and documents how the other lanes connect.

Planes

Bootstrap plane     railiance-infra, railiance-cluster, net-kingdom bootstrap
Platform control    key-cape, flex-auth, OpenBao, Topaz, railiance-platform
Tenant plane        railiance-apps, coulomb workloads, future tenants
Operational access  ops-warden (SSH certs), ops-bridge (tunnels)

Component map

Component Answers Credential types ops-warden
key-cape Who are you? (lightweight IAM) OIDC tokens, MFA Route — do not issue
Keycloak Who are you? (expanded IAM) OIDC/SAML federation Route — do not issue
privacyIDEA MFA / step-up OTP, hardware tokens Route — do not issue
flex-auth May you do this action? Policy decisions, audit envelopes Future SSH pre-sign; route today
Topaz PDP runtime for flex-auth Authorization evaluations Route — do not issue
OpenBao Runtime secret authority API keys, DB creds, leases, K8s auth SSH engine signing backend only
ops-warden SSH ops access Short-lived SSH certificates Own and issue
ops-bridge Tunnel transport Uses certs via cert_command Consumer
railiance-infra Host enforcement auth_principals, sshd Route — deploy hosts
railiance-platform Platform deploy OpenBao, Postgres, ingress Route — do not deploy from warden

Credential lanes (summary)

Lane Owner Lifetime Worker entrypoint
Identity key-cape / Keycloak Session / token TTL Login / OIDC
Authorization flex-auth Per request Policy API / embedded PEP
Runtime secrets OpenBao Lease-bound bao CLI, K8s ESO, app integration
SSH operational ops-warden adm 48h / agt 24h / atm 8h warden sign
Tunnel ops-bridge Session bridge + cert_command

Full routing: wiki/CredentialRouting.md.

Trust flow (simplified)

Worker request
    -> Identity?        key-cape / Keycloak
    -> Authorized?      flex-auth
    -> Secret material? OpenBao
    -> SSH cert?        ops-warden
    -> Tunnel?          ops-bridge (cert from warden)
    -> Host accepts?    railiance-infra principals

OpenBao does not replace identity or authorization. flex-auth decides; OpenBao stores/issues; ops-warden signs SSH certs when host reachability is the need.

NetKingdom documents to watch

Document Why ops-warden cares
platform-identity-security-architecture.md Planes, secret path, SSH path
responsibility-map.md Operational SSH dependency section
platform-identity-security-architecture.md Operational SSH Path section
platform-root-custody.md OpenBao ceremony — not warden's job
object-storage-sts-credential-vending.md S3 creds — never warden
canon/standards/iam-profile_v0.2.md Claims for future policy-gated sign

When these change, update ops-warden wiki and wiki/CredentialRouting.md.

Recursive platform rule

Tenant admins (including tenant:coulomb) must not gain platform-root authority. ops-warden SSH actors should use narrow principals for agent and automation work — not platform-admin equivalents on hosts.

See also

  • INTENT.md
  • wiki/AccessRouting.md — issue-vs-route role and boundary
  • wiki/CredentialRouting.md
  • wiki/PolicyGatedSigning.md (future flex-auth hook)
  • net-kingdom/docs/platform-identity-security-architecture.md
Reference in New Issue View Git Blame Copy Permalink