tegwick
bd335ec724
secrets-engine (SECRETS-WP-0003) shipped a native secret-exec front door (`secrets-engine route/exec`, decision e6381a56) and asked ops-warden to route to it. Bernd's call: route-primary, proxy-fallback — surface the secrets-engine exec as the primary path for owned lanes, keep `warden access --exec` as a transparent fallback. T1 — RouteEntry gains exec_owner/exec_command/pointer_command (+ has_native_exec), screened for secret material like the other handoff fields. whynot-design-npm-publish points its native exec at secrets-engine. `warden access` renders Primary (secrets-engine exec) + Fallback (warden proxy); route/access JSON gain the fields and a native-exec-aware next_action. Tests added; 217 pass, lint clean. T2 — credential-routing.md adds secrets-engine as the secret-exec owner (route primary, proxy fallback); SCOPE adds secrets-engine to Related Repos and records the npm lane as production-exercised (@whynot/design@0.4.0); playbook leads with secrets-engine exec and fixes the fallback one-liner (--field NPM_AUTH_TOKEN, --no-policy) per whynot-design. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
ops-warden
SSH Certificate Authority and certificate lifecycle manager for the ops fleet.
Signs short-lived certs for adm / agt / atm actors and exposes the
cert_command interface consumed by ops-bridge and other tooling.
See INTENT.md for direction, SCOPE.md for current implementation, and
wiki/AccessManagementDirective.md for SSH policy. ops-warden issues SSH certs
and routes every other credential need to its owner — see wiki/AccessRouting.md.
Latest gap analysis: history/2026-06-17-post-wp0007-reassessment.md.
Install
uv sync
uv tool install .
Or run without installing:
uv run warden --help
Quick start (local backend)
# One-time: generate a CA key (keep mode 600, never commit)
ssh-keygen -t ed25519 -f ~/.ssh/ops-ca-user -C "Ops SSH User CA" -N ""
# Configure warden (~/.config/warden/warden.yaml) — see wiki/OpsWardenConfig.md
warden inventory add agt-example --type agt --principal agt-example
warden sign agt-example --pubkey ~/.ssh/id_ed25519.pub
warden status agt-example
warden scorecard
Production uses the vault backend against OpenBao or HashiCorp Vault (Vault-compatible
SSH secrets engine API). Template: examples/warden.production.example.yaml.
See wiki/OpsWardenConfig.md and wiki/OpenBaoSshEngineChecklist.md.
Routing lookup (warden route)
ops-warden issues SSH certs and routes every other credential need to its
owner. The route command group is a read-only lookup over the pointer catalog
(registry/routing/catalog.yaml) — it never calls another subsystem or returns
secrets.
warden route list [--all] [--json] # scenarios (active-only unless --all)
warden route list --stale [--stale-days 90] [--all] # past review cadence
warden route show <id> [--json] # owner + wiki/canon pointers; SSH adds steps
warden route find "issue an api key" # rank scenarios by keyword overlap
Full role and examples: wiki/AccessRouting.md.
Development
uv sync
uv run pytest # unit tests (integration excluded)
uv run pytest -m integration # requires ssh-keygen in PATH
uv run ruff check .
Key paths
| Path | Purpose |
|---|---|
~/.config/warden/warden.yaml |
Backend and CA/Vault settings |
~/.config/warden/inventory.yaml |
Actor → principals registry |
~/.local/state/warden/ |
Signed certs, keys, signatures.log |
Documentation
INTENT.md— operational access steward mission (NetKingdom-aligned)wiki/CredentialRouting.md— which subsystem for each credential typewiki/NetKingdomSecurityMap.md— platform security component mapwiki/ActorInventoryPatterns.md— standard adm/agt/atm actor patternswiki/OpsWardenConfig.md— configuration referencewiki/CertCommandInterface.md—cert_commandcontract for callerswiki/InterHubBootstrapAccessLane.md— short-lived cert envelope for bootstrap tasks
Workplans
Active and proposed work lives in workplans/. Finished plans are archived under
workplans/archived/.