ops-warden/.claude/rules/repo-boundary.md
tegwick 1865e0744e WARDEN-WP-0006: NetKingdom stewardship docs and alignment
Add credential routing, actor patterns, security map, OpenBao SSH
checklist, and policy-gated signing design. Update registry and SCOPE;
record INTENT↔SCOPE reassessment (C3 completeness).
2026-06-17 08:22:45 +02:00

1.5 KiB

Repo boundary

This repo owns ops-warden only. It does not own:

| Concern | Owner |
|---|---|
| Tunnel lifecycle, cert_command wiring in tunnels | ops-bridge |
| Host SSH principal files, force-command wrappers | railiance-infra |
| Vault/OpenBao cluster deployment and unseal ceremony | railiance-platform |
| Inter-Hub operator API keys, provider API keys (e.g. OpenRouter) | OpenBao / operator secret store |
| State Hub service code and consistency tooling | state-hub |
| Workstream coordination across custodian domain | the-custodian |
| Human admin SSH key generation | self-service (ssh-keygen) |
| Identity / OIDC / MFA | key-cape, Keycloak |
| Authorization policy | flex-auth |
| Runtime secrets (non-SSH) | OpenBao |

NetKingdom credential routing (quick reference)

| Worker need | Route to | ops-warden |
|---|---|---|
| SSH cert for host/ops access | ops-warden | Issue (warden sign) |
| API key / DB cred / lease | OpenBao | Document only — wiki/CredentialRouting.md |
| May I perform action X? | flex-auth | Design: wiki/PolicyGatedSigning.md |
| Login / MFA / OIDC | key-cape / Keycloak | Document only |
| SSH tunnel | ops-bridge | cert_command consumer |
| Host principals | railiance-infra | Document only |

Full map: wiki/NetKingdomSecurityMap.md.

ops-warden issues short-lived SSH certificates and maintains operational access stewardship docs. It is not a general secrets manager and must not store long-lived API keys in Git, State Hub, workplans, logs, or chat.