| capability.security.ssh-certificate-issuance |
SSH Certificate Issuance |
Issue short-lived CA-signed SSH certificates for adm, agt, and atm actors through a stable cert_command CLI interface; steward operational access routing across NetKingdom security lanes. |
ops-warden |
draft |
helix_forge |
| ssh |
| certificate |
| ca |
| ops-warden |
| openbao |
| security |
|
| discovery |
availability |
| current |
target |
confidence |
rationale |
| D4 |
D5 |
medium |
SCOPE, AccessManagementDirective alignment, config runbooks, and cert_command contract are documented; production OpenBao integration is documented but engine deployment lives in railiance-platform.
|
|
| current |
target |
confidence |
rationale |
| A3 |
A5 |
medium |
Installable `warden` CLI and `ops-ssh-wrapper` entry points; ops-bridge and other callers integrate via cert_command without backend-specific branching.
|
|
|
| completeness |
reliability |
| level |
name |
confidence |
basis |
satisfied_expectations |
broken_expectations |
out_of_scope_expectations |
| C3 |
Functional Core |
medium |
scope_vs_intent_and_consumer_expectations |
| local and OpenBao/Vault-compatible signing backends |
| TTL policy enforcement per actor type |
| principals inventory and cert-side scorecard |
| signatures audit log and stale-cert cleanup |
| cert_command stdout contract for ops-bridge |
|
| host-side principal deployment not owned here |
| OpenBao SSH engine mount not deployed from this repo |
|
| long-lived API key custody |
| tunnel lifecycle management |
| Vault/OpenBao cluster operations |
|
|
| level |
name |
confidence |
basis |
known_reliability_risks |
| R2 |
Tolerable |
medium |
consumer_quality_signals |
| production signing depends on OpenBao availability and token policy |
| local backend requires protected CA key handling by operators |
|
|
|
| intent |
includes |
excludes |
assumptions |
use_cases |
research_memos |
| Give the ops fleet short-lived SSH credentials for humans, agents, and automations without static keys, through a single cert_command surface that callers can rely on regardless of CA backend; route non-SSH credential needs to the correct NetKingdom subsystems (OpenBao, flex-auth, key-cape).
|
| certificate signing for adm, agt, and atm actors |
| actor principals inventory and TTL policy |
| cert_command interface (`warden sign`) |
| cert-side compliance scorecard and signatures log |
| ops-ssh-wrapper for automatic cert acquisition |
| NetKingdom credential routing and alignment documentation |
|
| tunnel lifecycle |
| host /etc/ssh/auth_principals deployment |
| OpenBao or Vault cluster setup |
| long-lived secret storage |
|
| callers supply actor public keys; humans self-issue admin keys |
| production platform uses OpenBao with Vault-compatible SSH engine API |
|
| ops-bridge tunnel cert_command |
| Inter-Hub bootstrap short-lived agent access |
|
| ops-warden/SCOPE.md |
| ops-warden/wiki/CertCommandInterface.md |
| ops-warden/wiki/OpsWardenConfig.md |
|
|
| current_level |
target_level |
current_artifacts |
target_artifacts |
consumption_modes |
| A3 |
A5 |
| ops-warden/src/warden/ |
| ops-warden/wiki/CertCommandInterface.md |
| ops-warden/wiki/OpsWardenConfig.md |
|
| packaged ops-warden release with documented OpenBao role bootstrap |
|
| CLI |
| cert_command subprocess |
|
|
| depends_on |
supports |
related_to |
|
|
|
|
|
| recommended_for |
not_recommended_for |
known_limitations |
| issuing short-lived SSH certs for ops-bridge tunnels |
| agent or automation access with TTL-bound principals |
| checking cert-side compliance before rotation windows |
| orienting dev workers on which NetKingdom subsystem owns each credential type |
|
| storing OpenRouter or Inter-Hub API keys |
| replacing OpenBao deployment or host SSH hardening playbooks |
| static-key-only legacy access (use ops-bridge static key mode instead) |
|
| VaultCA backend config key remains backend: vault for API compatibility |
| host-side scorecard checks live in railiance-infra |
|
|
tegwick
1865e0744e