tegwick
ac2efa1262
Add a read-only `warden route` command group (list/show/find) that reads registry/routing/catalog.yaml and tells a worker which subsystem owns a need and which wiki/canon doc to follow. ops-warden still executes exactly one lane (SSH); routed entries return a pointer and never call any subsystem. - src/warden/routing/: models.py + catalog.py loader; enforces the no-double-source rule (non-SSH entries with steps/cert_command fail validation), dup-id and schema checks. - route list (active-only unless --all, --tag), route show (SSH appends steps + cert pattern; routed ends with "next action on <owner> — see <wiki_ref>"), route find (keyword ranking, --json). - tests/test_routing.py: load/validation, find ranking, CLI JSON shapes, plus a drift guard (every wiki_ref anchor resolves; every entry has a reviewed date). - Docs: wiki/AccessRouting.md CLI section, README quick reference, SCOPE A3 -> A4. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
ops-warden
SSH Certificate Authority and certificate lifecycle manager for the ops fleet.
Signs short-lived certs for adm / agt / atm actors and exposes the
cert_command interface consumed by ops-bridge and other tooling.
See INTENT.md for direction, SCOPE.md for current implementation, and
wiki/AccessManagementDirective.md for SSH policy. ops-warden issues SSH certs
and routes every other credential need to its owner — see wiki/AccessRouting.md.
Latest gap analysis: history/2026-06-17-post-wp0007-reassessment.md.
Install
uv sync
uv tool install .
Or run without installing:
uv run warden --help
Quick start (local backend)
# One-time: generate a CA key (keep mode 600, never commit)
ssh-keygen -t ed25519 -f ~/.ssh/ops-ca-user -C "Ops SSH User CA" -N ""
# Configure warden (~/.config/warden/warden.yaml) — see wiki/OpsWardenConfig.md
warden inventory add agt-example --type agt --principal agt-example
warden sign agt-example --pubkey ~/.ssh/id_ed25519.pub
warden status agt-example
warden scorecard
Production uses the vault backend against OpenBao or HashiCorp Vault (Vault-compatible
SSH secrets engine API). Template: examples/warden.production.example.yaml.
See wiki/OpsWardenConfig.md and wiki/OpenBaoSshEngineChecklist.md.
Routing lookup (warden route)
ops-warden issues SSH certs and routes every other credential need to its
owner. The route command group is a read-only lookup over the pointer catalog
(registry/routing/catalog.yaml) — it never calls another subsystem or returns
secrets.
warden route list [--all] [--json] # scenarios (active-only unless --all)
warden route show <id> [--json] # owner + wiki/canon pointers; SSH adds steps
warden route find "issue an api key" # rank scenarios by keyword overlap
Full role and examples: wiki/AccessRouting.md.
Development
uv sync
uv run pytest # unit tests (integration excluded)
uv run pytest -m integration # requires ssh-keygen in PATH
uv run ruff check .
Key paths
| Path | Purpose |
|---|---|
~/.config/warden/warden.yaml |
Backend and CA/Vault settings |
~/.config/warden/inventory.yaml |
Actor → principals registry |
~/.local/state/warden/ |
Signed certs, keys, signatures.log |
Documentation
INTENT.md— operational access steward mission (NetKingdom-aligned)wiki/CredentialRouting.md— which subsystem for each credential typewiki/NetKingdomSecurityMap.md— platform security component mapwiki/ActorInventoryPatterns.md— standard adm/agt/atm actor patternswiki/OpsWardenConfig.md— configuration referencewiki/CertCommandInterface.md—cert_commandcontract for callerswiki/InterHubBootstrapAccessLane.md— short-lived cert envelope for bootstrap tasks
Workplans
Active and proposed work lives in workplans/. Finished plans are archived under
workplans/archived/.