tegwick
41a55c95b0
Finish the Workload Security Posture workplan (all five tasks done). T3 — scripts/check_secret_posture_conformance.py: read-only checker that asserts env-posture conformance (backend/unseal/real_values per tier) and evaluates the secret-flow lattice via posture.can_deliver. Metadata-only manifest, no secret values, exit 0/1/2. examples/posture-conformance.example.yaml as the reference. T4 — src/warden/doubles.py: generalizes "fake bao" into materialize_doubles() — hermetic, synthetic-only (synthetic- prefix) stand-ins for bao/key-cape honoring each argv/stdout/exit contract, for fully offline dev/test access flows. Documented as the sanctioned dev backend in WorkloadSecurityPosture.md R1. T5 — INTENT/SCOPE/wiki aligned; canon landing in net-kingdom/info-tech-canon left owner-driven (tracked via coordination messages). 16 new tests, 200 passing, ruff clean. Archived WP-0012/0014/0015 to workplans/archived/ with 260627- prefix. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
ops-warden
SSH Certificate Authority and certificate lifecycle manager for the ops fleet.
Signs short-lived certs for adm / agt / atm actors and exposes the
cert_command interface consumed by ops-bridge and other tooling.
See INTENT.md for direction, SCOPE.md for current implementation, and
wiki/AccessManagementDirective.md for SSH policy. ops-warden issues SSH certs
and routes every other credential need to its owner — see wiki/AccessRouting.md.
Latest gap analysis: history/2026-06-17-post-wp0007-reassessment.md.
Install
uv sync
uv tool install .
Or run without installing:
uv run warden --help
Quick start (local backend)
# One-time: generate a CA key (keep mode 600, never commit)
ssh-keygen -t ed25519 -f ~/.ssh/ops-ca-user -C "Ops SSH User CA" -N ""
# Configure warden (~/.config/warden/warden.yaml) — see wiki/OpsWardenConfig.md
warden inventory add agt-example --type agt --principal agt-example
warden sign agt-example --pubkey ~/.ssh/id_ed25519.pub
warden status agt-example
warden scorecard
Production uses the vault backend against OpenBao or HashiCorp Vault (Vault-compatible
SSH secrets engine API). Template: examples/warden.production.example.yaml.
See wiki/OpsWardenConfig.md and wiki/OpenBaoSshEngineChecklist.md.
Routing lookup (warden route)
ops-warden issues SSH certs and routes every other credential need to its
owner. The route command group is a read-only lookup over the pointer catalog
(registry/routing/catalog.yaml) — it never calls another subsystem or returns
secrets.
warden route list [--all] [--json] # scenarios (active-only unless --all)
warden route list --stale [--stale-days 90] [--all] # past review cadence
warden route show <id> [--json] # owner + wiki/canon pointers; SSH adds steps
warden route find "issue an api key" # rank scenarios by keyword overlap
Full role and examples: wiki/AccessRouting.md.
Development
uv sync
uv run pytest # unit tests (integration excluded)
uv run pytest -m integration # requires ssh-keygen in PATH
uv run ruff check .
Key paths
| Path | Purpose |
|---|---|
~/.config/warden/warden.yaml |
Backend and CA/Vault settings |
~/.config/warden/inventory.yaml |
Actor → principals registry |
~/.local/state/warden/ |
Signed certs, keys, signatures.log |
Documentation
INTENT.md— operational access steward mission (NetKingdom-aligned)wiki/CredentialRouting.md— which subsystem for each credential typewiki/NetKingdomSecurityMap.md— platform security component mapwiki/ActorInventoryPatterns.md— standard adm/agt/atm actor patternswiki/OpsWardenConfig.md— configuration referencewiki/CertCommandInterface.md—cert_commandcontract for callerswiki/InterHubBootstrapAccessLane.md— short-lived cert envelope for bootstrap tasks
Workplans
Active and proposed work lives in workplans/. Finished plans are archived under
workplans/archived/.