coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c4be3cd4ba23eafff22947fc4e071f6dba831ac6
ops-warden/registry/capabilities/capability.security.ssh-certificate-issuance.md
tegwick ffc2722006 docs(WP-0010): sharpen mission to "issue SSH, route the rest" + pointer catalog 
Implements WARDEN-WP-0010 (charter + pointer catalog). ops-warden issues
short-lived SSH certificates and routes every other credential need to the
subsystem that owns it — no desk metaphor, one execution lane.

- wiki/AccessRouting.md: role/boundary, issue-vs-route matrix, anti-patterns
- registry/routing/catalog.yaml: machine-readable pointer layer (6 active + 1
  draft). No-double-source rule enforced structurally — authored steps/cert_command
  only on the warden_executes:true SSH entry; every wiki_ref anchor resolves
- wiki/CredentialRouting.md: catalog-keyed index + no-duplicate-interfaces note
- INTENT/SCOPE/AGENTS/repo-boundary/capability: aligned to the new framing;
  SCOPE notes A3 -> A4 lands with WP-0011 warden route CLI
- WP-0011/0012 + WP-0010: state_hub id writeback; WP-0010 marked done

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-18 20:44:53 +02:00

137 lines
5.1 KiB
Markdown
Raw Blame History

---
id: capability.security.ssh-certificate-issuance
name: SSH Certificate Issuance
summary: Issue short-lived CA-signed SSH certificates for adm, agt, and atm actors through a stable cert_command CLI interface; steward operational access routing across NetKingdom security lanes.
owner: ops-warden
status: draft
domain: helix_forge
tags:
- ssh
- certificate
- ca
- ops-warden
- openbao
- security
maturity:
discovery:
current: D4
target: D5
confidence: medium
rationale: >
SCOPE, AccessManagementDirective alignment, config runbooks, and cert_command
contract are documented; production OpenBao integration is documented but
engine deployment lives in railiance-platform. A machine-readable routing
catalog (registry/routing/catalog.yaml) and wiki/AccessRouting.md make the
"issue SSH, route the rest" boundary discoverable.
availability:
current: A3
target: A5
confidence: medium
rationale: >
Installable `warden` CLI and `ops-ssh-wrapper` entry points; ops-bridge and
other callers integrate via cert_command without backend-specific branching.
A `warden route` lookup over the pointer catalog (WARDEN-WP-0011) will move
routing discovery from wiki prose to a structured surface for agents (A3 -> A4).
external_evidence:
completeness:
level: C3
name: Functional Core
confidence: medium
basis: scope_vs_intent_and_consumer_expectations
satisfied_expectations:
- local and OpenBao/Vault-compatible signing backends
- TTL policy enforcement per actor type
- principals inventory and cert-side scorecard
- signatures audit log and stale-cert cleanup
- cert_command stdout contract for ops-bridge
broken_expectations:
- host-side principal deployment not owned here
- OpenBao SSH engine mount not deployed from this repo
out_of_scope_expectations:
- long-lived API key custody
- tunnel lifecycle management
- Vault/OpenBao cluster operations
reliability:
level: R2
name: Tolerable
confidence: medium
basis: consumer_quality_signals
known_reliability_risks:
- production signing depends on OpenBao availability and token policy
- local backend requires protected CA key handling by operators
discovery:
intent: >
Give the ops fleet short-lived SSH credentials for humans, agents, and
automations without static keys, through a single cert_command surface that
callers can rely on regardless of CA backend; route non-SSH credential needs
to the correct NetKingdom subsystems (OpenBao, flex-auth, key-cape).
includes:
- certificate signing for adm, agt, and atm actors
- actor principals inventory and TTL policy
- cert_command interface (`warden sign`)
- cert-side compliance scorecard and signatures log
- ops-ssh-wrapper for automatic cert acquisition
- NetKingdom credential routing and alignment documentation
- machine-readable routing pointer catalog (registry/routing/catalog.yaml)
excludes:
- tunnel lifecycle
- host /etc/ssh/auth_principals deployment
- OpenBao or Vault cluster setup
- long-lived secret storage
assumptions:
- callers supply actor public keys; humans self-issue admin keys
- production platform uses OpenBao with Vault-compatible SSH engine API
use_cases:
- ops-bridge tunnel cert_command
- Inter-Hub bootstrap short-lived agent access
research_memos:
- ops-warden/SCOPE.md
- ops-warden/wiki/CertCommandInterface.md
- ops-warden/wiki/OpsWardenConfig.md
- ops-warden/wiki/AccessRouting.md
availability:
current_level: A3
target_level: A5
current_artifacts:
- ops-warden/src/warden/
- ops-warden/wiki/CertCommandInterface.md
- ops-warden/wiki/OpsWardenConfig.md
target_artifacts:
- packaged ops-warden release with documented OpenBao role bootstrap
- "`warden route` lookup CLI over the pointer catalog (WARDEN-WP-0011)"
consumption_modes:
- CLI
- cert_command subprocess
relations:
depends_on: []
supports: []
related_to: []
consumer_guidance:
recommended_for:
- issuing short-lived SSH certs for ops-bridge tunnels
- agent or automation access with TTL-bound principals
- checking cert-side compliance before rotation windows
- orienting dev workers on which NetKingdom subsystem owns each credential type
not_recommended_for:
- storing OpenRouter or Inter-Hub API keys
- replacing OpenBao deployment or host SSH hardening playbooks
- static-key-only legacy access (use ops-bridge static key mode instead)
known_limitations:
- "VaultCA backend config key remains backend: vault for API compatibility"
- host-side scorecard checks live in railiance-infra
---
# SSH Certificate Issuance
ops-warden is the custodian-domain SSH CA tool. It signs short-lived certificates,
maintains the actor inventory, and exposes `warden sign` as the cert_command
contract for ops-bridge and other callers.
Production environments point the vault-compatible backend at OpenBao; labs use
the local ssh-keygen CA backend without platform dependencies.
Reference in New Issue View Git Blame Copy Permalink