coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
46cb1a5f0cec5efd745d74c42febf87839fa7bca
ops-warden/registry/capabilities/capability.security.ssh-certificate-issuance.md
tegwick ffc2722006 docs(WP-0010): sharpen mission to "issue SSH, route the rest" + pointer catalog 
Implements WARDEN-WP-0010 (charter + pointer catalog). ops-warden issues
short-lived SSH certificates and routes every other credential need to the
subsystem that owns it — no desk metaphor, one execution lane.

- wiki/AccessRouting.md: role/boundary, issue-vs-route matrix, anti-patterns
- registry/routing/catalog.yaml: machine-readable pointer layer (6 active + 1
  draft). No-double-source rule enforced structurally — authored steps/cert_command
  only on the warden_executes:true SSH entry; every wiki_ref anchor resolves
- wiki/CredentialRouting.md: catalog-keyed index + no-duplicate-interfaces note
- INTENT/SCOPE/AGENTS/repo-boundary/capability: aligned to the new framing;
  SCOPE notes A3 -> A4 lands with WP-0011 warden route CLI
- WP-0011/0012 + WP-0010: state_hub id writeback; WP-0010 marked done

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-18 20:44:53 +02:00

5.1 KiB
Raw Blame History

id, name, summary, owner, status, domain, tags, maturity, external_evidence, discovery, availability, relations, consumer_guidance
id name summary owner status domain tags maturity external_evidence discovery availability relations consumer_guidance
capability.security.ssh-certificate-issuance SSH Certificate Issuance Issue short-lived CA-signed SSH certificates for adm, agt, and atm actors through a stable cert_command CLI interface; steward operational access routing across NetKingdom security lanes. ops-warden draft helix_forge
ssh
certificate
ca
ops-warden
openbao
security
discovery availability
current target confidence rationale
D4 D5 medium SCOPE, AccessManagementDirective alignment, config runbooks, and cert_command contract are documented; production OpenBao integration is documented but engine deployment lives in railiance-platform. A machine-readable routing catalog (registry/routing/catalog.yaml) and wiki/AccessRouting.md make the "issue SSH, route the rest" boundary discoverable.
current target confidence rationale
A3 A5 medium Installable `warden` CLI and `ops-ssh-wrapper` entry points; ops-bridge and other callers integrate via cert_command without backend-specific branching. A `warden route` lookup over the pointer catalog (WARDEN-WP-0011) will move routing discovery from wiki prose to a structured surface for agents (A3 -> A4).
completeness reliability
level name confidence basis satisfied_expectations broken_expectations out_of_scope_expectations
C3 Functional Core medium scope_vs_intent_and_consumer_expectations
local and OpenBao/Vault-compatible signing backends
TTL policy enforcement per actor type
principals inventory and cert-side scorecard
signatures audit log and stale-cert cleanup
cert_command stdout contract for ops-bridge
host-side principal deployment not owned here
OpenBao SSH engine mount not deployed from this repo
long-lived API key custody
tunnel lifecycle management
Vault/OpenBao cluster operations
level name confidence basis known_reliability_risks
R2 Tolerable medium consumer_quality_signals
production signing depends on OpenBao availability and token policy
local backend requires protected CA key handling by operators
intent includes excludes assumptions use_cases research_memos
Give the ops fleet short-lived SSH credentials for humans, agents, and automations without static keys, through a single cert_command surface that callers can rely on regardless of CA backend; route non-SSH credential needs to the correct NetKingdom subsystems (OpenBao, flex-auth, key-cape).
certificate signing for adm, agt, and atm actors
actor principals inventory and TTL policy
cert_command interface (`warden sign`)
cert-side compliance scorecard and signatures log
ops-ssh-wrapper for automatic cert acquisition
NetKingdom credential routing and alignment documentation
machine-readable routing pointer catalog (registry/routing/catalog.yaml)
tunnel lifecycle
host /etc/ssh/auth_principals deployment
OpenBao or Vault cluster setup
long-lived secret storage
callers supply actor public keys; humans self-issue admin keys
production platform uses OpenBao with Vault-compatible SSH engine API
ops-bridge tunnel cert_command
Inter-Hub bootstrap short-lived agent access
ops-warden/SCOPE.md
ops-warden/wiki/CertCommandInterface.md
ops-warden/wiki/OpsWardenConfig.md
ops-warden/wiki/AccessRouting.md
current_level target_level current_artifacts target_artifacts consumption_modes
A3 A5
ops-warden/src/warden/
ops-warden/wiki/CertCommandInterface.md
ops-warden/wiki/OpsWardenConfig.md
packaged ops-warden release with documented OpenBao role bootstrap
`warden route` lookup CLI over the pointer catalog (WARDEN-WP-0011)
CLI
cert_command subprocess
depends_on supports related_to
recommended_for not_recommended_for known_limitations
issuing short-lived SSH certs for ops-bridge tunnels
agent or automation access with TTL-bound principals
checking cert-side compliance before rotation windows
orienting dev workers on which NetKingdom subsystem owns each credential type
storing OpenRouter or Inter-Hub API keys
replacing OpenBao deployment or host SSH hardening playbooks
static-key-only legacy access (use ops-bridge static key mode instead)
VaultCA backend config key remains backend: vault for API compatibility
host-side scorecard checks live in railiance-infra

SSH Certificate Issuance

ops-warden is the custodian-domain SSH CA tool. It signs short-lived certificates, maintains the actor inventory, and exposes warden sign as the cert_command contract for ops-bridge and other callers.

Production environments point the vault-compatible backend at OpenBao; labs use the local ssh-keygen CA backend without platform dependencies.

Reference in New Issue View Git Blame Copy Permalink