coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
23 Commits 1 Branch 0 Tags
6c6d44a0d549fe2d794db67a283c1454cf20e016
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
tegwick 6c6d44a0d5 chore(consistency): sync task status from DB [auto] 
Updated by fix-consistency on 2026-06-17:
  - update .custodian-brief.md for ops-warden
2026-06-17 08:20:25 +02:00
.claude/rules
WARDEN-WP-0004: repo hygiene and hub sync
2026-06-17 07:33:49 +02:00
registry
Publish SSH certificate issuance capability registry entry
2026-06-17 08:06:00 +02:00
src/warden
feat(warden): WARDEN-WP-0003 — test coverage, permissions, status --state-dir
2026-05-15 17:05:38 +02:00
tests
feat(warden): WARDEN-WP-0003 — test coverage, permissions, status --state-dir
2026-05-15 17:05:38 +02:00
wiki
WARDEN-WP-0005: OpenBao-first documentation alignment
2026-06-17 07:36:13 +02:00
workplans
WARDEN-WP-0005: OpenBao-first documentation alignment
2026-06-17 07:36:13 +02:00
.custodian-brief.md
chore(consistency): sync task status from DB [auto]
2026-06-17 08:20:25 +02:00
.gitignore
chore: remove swap file, add *.swp to .gitignore
2026-05-15 15:53:58 +02:00
AGENTS.md
Refresh agent instruction files
2026-05-18 16:55:47 +02:00
CLAUDE.md
Refresh agent instruction files
2026-05-18 16:55:47 +02:00
LICENSE
Initial commit
2026-03-28 00:35:11 +00:00
pyproject.toml
feat(warden): WARDEN-WP-0003 — test coverage, permissions, status --state-dir
2026-05-15 17:05:38 +02:00
README.md
WARDEN-WP-0004: repo hygiene and hub sync
2026-06-17 07:33:49 +02:00
SCOPE.md
SCOPE: note published capability registry entry
2026-06-17 08:06:22 +02:00
uv.lock
feat(bootstrap): WARDEN-WP-0001 initial implementation — 42 tests passing
2026-05-15 13:27:49 +02:00

README.md

ops-warden

SSH Certificate Authority and certificate lifecycle manager for the ops fleet. Signs short-lived certs for adm / agt / atm actors and exposes the cert_command interface consumed by ops-bridge and other tooling.

See SCOPE.md for boundaries and wiki/AccessManagementDirective.md for policy.

Install

uv sync
uv tool install .

Or run without installing:

uv run warden --help

Quick start (local backend)

# One-time: generate a CA key (keep mode 600, never commit)
ssh-keygen -t ed25519 -f ~/.ssh/ops-ca-user -C "Ops SSH User CA" -N ""

# Configure warden (~/.config/warden/warden.yaml) — see wiki/OpsWardenConfig.md
warden inventory add agt-example --type agt --principal agt-example
warden sign agt-example --pubkey ~/.ssh/id_ed25519.pub
warden status agt-example
warden scorecard

Production uses the vault backend against OpenBao or HashiCorp Vault (Vault-compatible SSH secrets engine API). See wiki/OpsWardenConfig.md.

Development

uv sync
uv run pytest              # unit tests (integration excluded)
uv run pytest -m integration   # requires ssh-keygen in PATH
uv run ruff check .

Key paths

Path Purpose
~/.config/warden/warden.yaml Backend and CA/Vault settings
~/.config/warden/inventory.yaml Actor → principals registry
~/.local/state/warden/ Signed certs, keys, signatures.log

Documentation

  • wiki/OpsWardenConfig.md — configuration reference
  • wiki/CertCommandInterface.mdcert_command contract for callers
  • wiki/InterHubBootstrapAccessLane.md — short-lived cert envelope for bootstrap tasks

Workplans

Active and proposed work lives in workplans/. Finished plans are archived under workplans/archived/.

Reference in New Issue View Git Blame Copy Permalink
Description
Operations credential management
Readme MIT-0 472 KiB
Languages
Python 100%