coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c4be3cd4ba23eafff22947fc4e071f6dba831ac6
ops-warden/workplans/WARDEN-WP-0010-access-routing-charter.md
tegwick ffc2722006 docs(WP-0010): sharpen mission to "issue SSH, route the rest" + pointer catalog 
Implements WARDEN-WP-0010 (charter + pointer catalog). ops-warden issues
short-lived SSH certificates and routes every other credential need to the
subsystem that owns it — no desk metaphor, one execution lane.

- wiki/AccessRouting.md: role/boundary, issue-vs-route matrix, anti-patterns
- registry/routing/catalog.yaml: machine-readable pointer layer (6 active + 1
  draft). No-double-source rule enforced structurally — authored steps/cert_command
  only on the warden_executes:true SSH entry; every wiki_ref anchor resolves
- wiki/CredentialRouting.md: catalog-keyed index + no-duplicate-interfaces note
- INTENT/SCOPE/AGENTS/repo-boundary/capability: aligned to the new framing;
  SCOPE notes A3 -> A4 lands with WP-0011 warden route CLI
- WP-0011/0012 + WP-0010: state_hub id writeback; WP-0010 marked done

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-18 20:44:53 +02:00

172 lines
6.6 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
id: WARDEN-WP-0010
type: workplan
title: "Access Routing — Charter and Pointer Catalog"
domain: custodian
repo: ops-warden
status: done
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 10
created: "2026-06-18"
updated: "2026-06-18"
state_hub_workstream_id: "e93de9fd-0192-4d02-bb7c-5e859fb76b9b"
---
# WARDEN-WP-0010 — Access Routing — Charter and Pointer Catalog
**Scope:** Sharpen the existing steward framing so it cannot be misread as a desk
API that wraps every subsystem. ops-warden **issues SSH certificates** and
**points workers to the owning subsystem** for everything else. This workplan
updates INTENT/SCOPE wording and adds a machine-readable routing catalog that is
a **pointer layer**, not a second copy of NetKingdom canon.
**Not a new security lane.** This is wording + a thin lookup surface. SSH issuance
remains the only thing ops-warden executes. Maturity moves Availability A3 → A4
(structured lookup for agents); Completeness and Reliability for SSH are unchanged.
**Out of scope:** Secret-vending, OIDC, policy PDP, tunnel, or host-hardening code
in this repo; flex-auth policy packages (WARDEN-WP-0009); any universal broker.
**Depends on:** WARDEN-WP-0006 stewardship canon (routing wiki, security map) — shipped.
**Feeds:** WARDEN-WP-0011 (routing CLI over the catalog).
---
## Principles (target)
1. **Point, don't proxy** — Name the owner and the doc; do not wrap a foreign API
unless the answer is an SSH certificate.
2. **Direct interaction** — Workers (humans, agents, CI, operators) call OpenBao,
key-cape, flex-auth, ops-bridge, and railiance repos themselves.
3. **One source of truth** — Routing procedure for non-SSH needs lives in the wiki
(aligned to net-kingdom canon) and upstream canon, **not** restated in the
catalog. The catalog carries identifiers and pointers only. ops-warden authors
procedure for exactly one lane: SSH certificate issuance, which it owns.
4. **Same truth, two shapes** — Humans read the wiki; agents read the catalog. The
catalog references wiki sections by anchor so they cannot drift apart.
---
## No-double-source rule (binding on T3)
The catalog must not contain step-by-step procedure for any subsystem ops-warden
does not own. For non-SSH scenarios an entry carries:
- `owner_repo`, `subsystem` — who to talk to
- `wiki_ref` — anchor into an in-repo wiki section (the authoritative restatement)
- `canon_ref` — upstream net-kingdom doc the wiki section tracks
- `need_keywords`, `title`, `id` — lookup metadata
- `warden_executes: false`
Only `warden_executes: true` (SSH) entries may carry an authored `steps` block and
the `cert_command` pattern — because that is the lane ops-warden owns. A CI test
(WP-0011 T5) enforces this structurally: non-SSH entries with a `steps` block fail.
---
## Tasks
### T1 — INTENT wording
```task
id: WARDEN-WP-0010-T01
status: done
priority: high
state_hub_task_id: "589081a6-d1f5-47b4-bec0-e82d9c3444f4"
```
- [x] `INTENT.md` — keep "operational access steward"; replaced the "operational
access **desk**" phrasing with plain "issues SSH certs and routes everything
else to its owner." Removed metaphors implying a wrapping service.
- [x] Non-goals: added "duplicating or restating another subsystem's procedure."
- [x] Cross-linked this workplan from the assessment note.
> SCOPE.md (A3 → A4 plain statement + "issue vs route" table) is handled as a
> deliberate manual step **after** the loop retires, not as a ralph task.
### T2 — Routing-role wiki page
```task
id: WARDEN-WP-0010-T02
status: done
priority: high
state_hub_task_id: "9ac333f7-5fc4-4fa2-82f3-d5ece8ff0d92"
```
- [x] Create `wiki/AccessRouting.md` — what ops-warden answers (where + who owns
it), what it executes (SSH only), anti-patterns (no `warden secret`,
`warden login`, `warden policy`), and audience notes.
- [x] Include the **issue-vs-route** matrix (subsystem × ops-warden role × who acts).
- [x] Link from README, `CredentialRouting.md`, `NetKingdomSecurityMap.md`.
### T3 — Pointer catalog schema + seed
```task
id: WARDEN-WP-0010-T03
status: done
priority: high
state_hub_task_id: "59e0f480-694a-482a-b35e-b7bc4930aa41"
```
- [x] Define `registry/routing/catalog.yaml` per the **No-double-source rule** above:
`id`, `title`, `need_keywords`, `owner_repo`, `subsystem`, `warden_executes`,
`wiki_ref`, `canon_ref`, `reviewed` (date), `status` (active|draft); plus
`steps` + `cert_command` **only** when `warden_executes: true`.
- [x] Seed from existing WP-0006 scenarios: SSH cert (executes), OpenBao API key,
flex-auth policy, key-cape OIDC, ops-bridge tunnel, railiance-infra principals.
- [x] Add `issue-core-ingestion-api-key` as `status: draft` (owner path TBD by
railiance-platform) — draft entries are not surfaced by default lookup.
- [x] Validated: 6 active + 1 draft, no non-SSH `steps`, every `wiki_ref` anchor resolves.
### T4 — Routing index in CredentialRouting.md
```task
id: WARDEN-WP-0010-T04
status: done
priority: medium
state_hub_task_id: "aabd28c0-db2d-4267-be98-95be272c687d"
```
- [x] Add a playbook index table to `wiki/CredentialRouting.md` keyed to catalog `id`.
- [x] Add "what ops-warden answers vs what the worker does next on the owner system"
examples — without restating the owner's procedure.
- [x] Refresh the duplicate-interface anti-examples section (points at canonical
anti-pattern table; not restated).
### T5 — Registry and repo-boundary alignment
```task
id: WARDEN-WP-0010-T05
status: done
priority: medium
state_hub_task_id: "3335a689-922c-4319-98d0-4263ab13790b"
```
- [x] Update `registry/capabilities/capability.security.ssh-certificate-issuance.md`
— note routing lookup in discovery; target availability notes the routing CLI.
- [x] Update `.claude/rules/repo-boundary.md` and `AGENTS.md` one-liner (no new
metaphor — "issues SSH certs; routes other credential needs to their owner").
- [x] Extend the existing capability entry rather than minting a second capability.
---
## Acceptance
- A reader of INTENT + `wiki/AccessRouting.md` understands ops-warden **issues** SSH
certs and **routes** everything else, with no implication it proxies any API.
- `registry/routing/catalog.yaml` exists with ≥6 active scenarios; every non-SSH
entry has `wiki_ref` + `canon_ref` and **no** authored `steps`.
- No new secret-storage or foreign-API code.
---
## See also
- `INTENT.md` · `SCOPE.md`
- `history/2026-06-18-access-routing-intent-shift-assessment.md` — decision record
- `WARDEN-WP-0011` — routing CLI
- `WARDEN-WP-0012` — scenario playbook expansion (backlog)
Reference in New Issue View Git Blame Copy Permalink