Drop the "operational access desk" framing (and the rejected "coach" metaphor) for plain language: ops-warden issues short-lived SSH certs and routes every other credential need to its owner. SSH is the only lane it executes. Adds WARDEN-WP-0010/0011/0012 with a pointer-layer routing catalog that points at owner docs rather than restating them, enforced structurally (non-SSH entries carrying a steps block fail CI). Drops the scope-creep-prone `check` command; hides unshipped-path scenarios as draft. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
| id | type | title | domain | repo | status | owner | topic_slug | planning_priority | planning_order | created | updated |
|---|---|---|---|---|---|---|---|---|---|---|---|
| WARDEN-WP-0012 | workplan | Routing Scenario Playbooks | custodian | ops-warden | backlog | codex | custodian | medium | 12 | 2026-06-18 | 2026-06-18 |
WARDEN-WP-0012 — Routing Scenario Playbooks
Scope: Grow the routing catalog and wiki playbooks for high-frequency NetKingdom access scenarios. Each wiki playbook restates what the worker does on the owning system and tracks an upstream canon doc; the catalog only points at it. ops-warden authors procedure only for the SSH lane.
Out of scope: Implementing custody in ops-warden; creating OpenBao paths in railiance-platform (coordinate only); authoring flex-auth policy; restating an owner's procedure inside the catalog.
Depends on: WARDEN-WP-0010 (charter + catalog schema), WARDEN-WP-0011 (routing CLI).
Status: backlog — start after WP-0010 T3 and WP-0011 T2 ship.
Anti-stale rule
A scenario is added to the catalog as `status: active` only when its owning repo's path actually exists and a `wiki_ref` is written. Until then it stays `status: draft` and is hidden from default `warden route find`/`list`. We do not seed agent-visible entries for paths that owners have not shipped: a confident-looking pointer to a non-existent path is worse than no entry.
Scenario backlog
| Catalog id | Routing focus | Executing owner | Gate |
|---|---|---|---|
| issue-core-ingestion-api-key | OpenBao KV path, K8s injection, rotation | railiance-platform + issue-core | path exists |
| activity-core-issue-sink | `ISSUE_CORE_URL` + consumer key custody | activity-core + issue-core | path exists |
| inter-hub-bootstrap-ssh | SSH envelope + on-host wrapper reads OpenBao | ops-warden SSH + railiance-infra | ready (SSH lane) |
| openrouter-llm-connect | OpenBao → K8s Secret in activity-core | railiance-platform | path exists |
| object-storage-sts | NK-WP-0007 vending path | net-kingdom + flex-auth + OpenBao | canon exists |
| ops-bridge-tunnel-cert | `cert_command` vs static-key migration | ops-bridge | coordinate |
| human-oidc-login | key-cape / Keycloak IAM Profile | key-cape | canon exists |
| flex-auth-resource-check | Policy decision before sensitive action | flex-auth | canon exists |
| host-principal-deploy | `auth_principals` sync | railiance-infra | canon exists |
Tasks
T1 — issue-core ingestion key playbook
id: WARDEN-WP-0012-T01
status: todo
priority: high
- Coordinate with railiance-platform to canonicalize the OpenBao path first.
- Then write `wiki/playbooks/issue-core-ingestion-api-key.md` (prerequisites, ESO pattern, rotation, privileged-read policy) and promote the catalog entry from `draft` to `active` with a `wiki_ref`.
T2 — Inter-Hub and bootstrap lanes
id: WARDEN-WP-0012-T02
status: todo
priority: medium
- Align `wiki/InterHubBootstrapAccessLane.md` with the catalog id.
- Document attended vs unattended bootstrap branches.
- Cross-link flex-auth and OpenBao expectations (pointers, not restated steps).
T3 — ops-bridge tunnel migration
id: WARDEN-WP-0012-T03
status: todo
priority: medium
- Playbook: static-key → `cert_command` migration checklist.
- Pilot tunnel notes (`agt-state-hub-bridge`) — coordinate with ops-bridge.
T4 — Platform secret scenarios (LLM, STS, DB)
id: WARDEN-WP-0012-T04
status: todo
priority: low
- Playbooks for OpenRouter, object-storage STS, DB dynamic creds.
- Each ends with an owner-repo action; no warden secret code; pointers to canon.
T5 — Drift review cadence
id: WARDEN-WP-0012-T05
status: todo
priority: low
- Document a review cadence against net-kingdom canon.
- `warden route list --stale` keyed off the `reviewed:` date field.
- Process note in `wiki/AccessRouting.md`.
Acceptance
- Every active catalog entry has a `wiki_ref` to an existing section; no active entry points at a path its owner has not shipped (those stay `draft`).
- `warden route find` resolves common agent queries without wiki grep.
- Playbooks and catalog contain no secret material — only owners, pointers, checklists.
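The anti-stale rule, the "non-SSH entries carrying a steps block fail CI" rule from the commit message, and the `--stale` review check above can be enforced with a small structural lint. This is an added illustration, not ops-warden's own code: the catalog below is constructed inline, the `lane` and `steps` field names and the 90-day window are assumptions, and only `status`, `wiki_ref` and `reviewed` come from the workplan.

```python
from datetime import date

# Constructed sample catalog. File format and the `lane` field are assumptions;
# `status`, `wiki_ref`, `reviewed` and the no-steps-outside-SSH rule come from the workplan.
CATALOG = [
    {"id": "inter-hub-bootstrap-ssh", "lane": "ssh", "status": "active",
     "wiki_ref": "wiki/InterHubBootstrapAccessLane.md", "reviewed": "2026-06-18",
     "steps": ["request short-lived SSH cert", "connect via envelope"]},  # SSH may carry steps
    {"id": "issue-core-ingestion-api-key", "lane": "openbao", "status": "draft",
     "wiki_ref": None, "reviewed": "2026-06-18"},                          # hidden by default
    {"id": "openrouter-llm-connect", "lane": "openbao", "status": "active",
     "wiki_ref": "wiki/playbooks/openrouter-llm-connect.md", "reviewed": "2026-01-10",
     "steps": ["read secret from OpenBao"]},                               # restates owner procedure
    {"id": "human-oidc-login", "lane": "oidc", "status": "active",
     "wiki_ref": None, "reviewed": "2026-06-01"},                          # active without wiki_ref
]


def lint(catalog):
    """Structural CI check: return (id, problem) pairs; an empty list means the catalog passes."""
    problems = []
    for entry in catalog:
        if entry["status"] == "active" and not entry.get("wiki_ref"):
            problems.append((entry["id"], "active entry without wiki_ref"))
        if entry["lane"] != "ssh" and entry.get("steps"):
            problems.append((entry["id"], "non-SSH entry carries a steps block"))
    return problems


def visible_ids(catalog, include_draft=False):
    """Default `route list` / `route find` view: draft entries stay hidden unless requested."""
    return [e["id"] for e in catalog if include_draft or e["status"] == "active"]


def stale_ids(catalog, today, max_age_days=90):
    """`route list --stale`: entries whose reviewed: date is older than the cadence window."""
    cutoff = date.fromisoformat(today)
    return [e["id"] for e in catalog
            if (cutoff - date.fromisoformat(e["reviewed"])).days > max_age_days]


if __name__ == "__main__":
    for entry_id, problem in lint(CATALOG):
        print(f"FAIL {entry_id}: {problem}")
    print("visible:", visible_ids(CATALOG))
    print("stale:", stale_ids(CATALOG, "2026-06-18"))
```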
See also
- WARDEN-WP-0010, WARDEN-WP-0011
- `wiki/CredentialRouting.md`
- `history/2026-06-18-post-wp0008-intent-scope-reassessment.md`