ops-warden/SCOPE.md

SCOPE

This file helps you quickly understand what this repository is about, when it is relevant, and when it is not. Aspirational direction lives in INTENT.md.

---

One-liner

Operational access steward for the NetKingdom security model — issues short-lived SSH certificates for adm/agt/atm actors, documents how to obtain other credential types from the right platform subsystems, and keeps ops access guidance aligned with NetKingdom canon.

---

Where we are (2026-06-18)

ops-warden issues short-lived SSH certificates and routes every other credential need to the subsystem that owns it. SSH signing is production-verified on Railiance OpenBao (warden sign against https://bao.coulomb.social, host CA trust deployed). The routing material — wiki/AccessRouting.md, the credential routing wiki, NetKingdom security map, and a machine-readable pointer catalog (registry/routing/catalog.yaml, WARDEN-WP-0010) — is operational. The opt-in flex-auth pre-sign gate is coded but off in production until flex-auth publishes ssh-certificate policies (WARDEN-WP-0009).

INTENT alignment: SSH issuance mission met in production. Remaining distance is integration breadth (ops-bridge cert_command on live tunnels), authorization depth (flex-auth), and operator hygiene — not missing signing code.

Issue vs route

ops-warden executes exactly one lane and points at the owner for the rest.

Need	Subsystem	ops-warden role
SSH cert for host/ops access (adm/agt/atm)	ops-warden	Issue (warden sign)
API key / DB cred / dynamic lease	OpenBao	Route — point at path
"May I perform action X?"	flex-auth	Route — point at policy
Login / OIDC / MFA	key-cape / Keycloak	Route — point at IAM Profile
SSH tunnel / port forward	ops-bridge	Route — supply cert_command
Host principal deployment	railiance-infra	Route — point at Ansible

Full role and boundary: wiki/AccessRouting.md. The catalog is a pointer layer — it never restates an owner's procedure (authored steps exist only for the SSH lane).

Full gap analysis: history/2026-06-18-post-wp0008-intent-scope-reassessment.md

---

INTENT gap snapshot

INTENT success criterion	Status
Worker knows which subsystem for each credential type	Met
SSH short-lived, inventoried, audited	Met (production)
ops-bridge integrates via stable cert_command	Partial — contract yes; tunnels still static-key
NetKingdom evolution reflected in docs	Met
Non-SSH secrets stay out of ops-warden	Met

Maturity vector: D5 / A3 / C4 / R3 (Discovery / Availability / Completeness / Reliability)

Dimension	Level	Meaning today
D5	Discovery	Routing wiki + security map + pointer catalog + NK canon cross-links
A3	Availability	CLI + opt-in policy gate + machine-readable routing catalog; warden route lookup (A4) lands with WARDEN-WP-0011
C4	Completeness	SSH lane prod-verified; flex-auth policies external
R3	Reliability	Live OpenBao sign evidence on Railiance

---

Core Idea

Today: implements the SSH certificate lane from wiki/AccessManagementDirective.md §§1–5 — CA signing, actor inventory, TTL policy, cert-side scorecard, and the cert_command interface for ops-bridge. Production path uses OpenBao SSH engine (backend: vault).

Direction (INTENT): issue short-lived SSH certificates and route dev workers to key-cape, flex-auth, OpenBao, ops-bridge, and railiance components for everything else — implementing only the SSH certificate lane directly, pointing at the owner for the rest.

---

In Scope

Implemented (SSH lane)

• Local CA backend (ssh-keygen -s)
• OpenBao / Vault-compatible SSH engine backend (production-verified)
• Actor identity registry (inventory.yaml)
• cert_command: warden sign <actor> --pubkey <path> → cert on stdout
• TTL enforcement per ActorType (adm 48 h, agt 24 h, atm 8 h)
• warden status, cleanup, scorecard, signatures log
• warden issue and ops-ssh-wrapper (local backend; vault uses sign-only)
• Runbooks for OpenBao config and Inter-Hub bootstrap SSH envelope

Stewardship (documentation and alignment)

• NetKingdom security routing guidance — which subsystem owns which credential type
• Wiki and config references aligned with OpenBao-first platform standard
• Capability registry entry for SSH certificate issuance
• Keeping ops access patterns consistent with net-kingdom platform architecture

Shipped workplans

WP	Focus
WP-0006	Credential routing, security map, inventory patterns, OpenBao checklist
WP-0007	Opt-in flex-auth policy gate (policy.enabled)
WP-0008	Production sign verification, stewardship closeout, archive hygiene
WP-0010	"Issue SSH, route the rest" wording + wiki/AccessRouting.md + pointer catalog

Active / wait

WP	Status	Focus
WP-0009	wait	flex-auth ssh-certificate policies + policy.enabled production smoke
WP-0011	ready	warden route lookup CLI over the pointer catalog (A3 → A4)
WP-0012	backlog	Routing scenario playbooks (draft until owner paths ship)

Known gaps (not yet workplanned)

Gap	Owner	Notes
ops-bridge cert_command on live tunnels	ops-bridge	Tunnels use agt-claude-* static keys today
Operator token hygiene	Operator	Prefer OIDC + warden-sign; retire root from shell profile
Principals sync warden ↔ railiance-infra	ops-warden + infra	inventory.yaml hosts vs ssh_principals.yaml
NK-WP-0009 joint SSH tutorial	net-kingdom	Parallel coordination track

The integration-closeout strand (ops-bridge tunnel migration, token runbook) from reassessment §6 is not yet workplanned; WARDEN-WP-0010 was used for the access-routing charter instead. Open a new WP when tunnel migration becomes priority.

---

Out of Scope

• Issuing non-SSH secrets (API keys, DB creds, S3 STS, Inter-Hub keys) → OpenBao with flex-auth policy where required; ops-warden documents paths only
• Identity / OIDC / MFA → key-cape, Keycloak
• Authorization policy decisions → flex-auth
• Tunnel lifecycle → ops-bridge
• Host principal deployment → railiance-infra
• OpenBao / Vault cluster deployment → railiance-platform
• Human admin SSH key generation (self-service ssh-keygen)
• Session recording, SIEM, SSO / Teleport at scale

---

Relevant When

• Issuing or refreshing an SSH cert for adm/agt/atm
• A dev worker needs to know where to get credentials in the NetKingdom stack
• ops-bridge needs a cert_command for a tunnel
• Adding actors to the principals inventory
• Inter-Hub or bootstrap tasks need a short-lived agent SSH envelope
• Checking cert-side compliance (scorecard)

---

Not Relevant When

• Storing or vending API keys or runtime secrets (→ OpenBao)
• Policy decisions on resource access (→ flex-auth)
• Managing tunnels without SSH cert issuance (→ ops-bridge)
• Static-key-only legacy access (ops-bridge static key mode)

---

Current State

• SSH CLI: v0.1.0 — local + OpenBao backends
• Production sign: verified 2026-06-18 (history/2026-06-17-openbao-production-verify.md)
• Policy gate: shipped, policy.enabled: false in prod until WP-0009
• Active workplan: WP-0009 (wait — flex-auth)
• Latest assessment: history/2026-06-18-post-wp0008-intent-scope-reassessment.md

---

How It Fits (NetKingdom)

key-cape / Keycloak     identity claims
        → flex-auth     authorization decisions
        → OpenBao       runtime secrets & dynamic credentials
        → ops-warden    SSH certs + operational access guidance
        → ops-bridge    tunnel transport (cert_command consumer)
        → railiance-*   deployment and host enforcement

Upstream: OpenBao SSH engine (production) or local CA (labs). Actor inventory in operator config or Git-tracked patterns.

Downstream: ops-bridge (primary), kaizen agents, CI automations, human operators.

---

Terminology

• ActorType: adm | agt | atm
• cert_command: shell command returning a cert on stdout
• inventory.yaml: actor → principals + TTL registry
• LocalCA / VaultCA: signing backends (backend: local | vault)

---

Related Repositories

Repo	Relationship
net-kingdom	Canonical security architecture; ops-warden aligns to it
ops-bridge	Primary cert_command consumer
railiance-infra	Host-side SSH principals and hardening
railiance-platform	OpenBao deployment and platform secrets
flex-auth	Authorization; opt-in pre-sign policy gate (policy.enabled)
key-cape	Identity / IAM Profile lightweight mode
state-hub	Workstream registry

---

Provided Capabilities

type: security
title: SSH certificate issuance
description: Issues short-lived CA-signed SSH certificates for adm/agt/atm actors via a
  pluggable cert_command interface; documents NetKingdom operational access routing;
  supports local CA and OpenBao/Vault-compatible SSH engine backends.
keywords: [ssh, certificate, ca, credential, warden, ops-warden, pki, openbao, vault, netkingdom]

---

Getting Oriented

Read first	Purpose
INTENT.md	Why ops-warden exists and where it is going
SCOPE.md	What is implemented today (this file)
history/2026-06-18-post-wp0008-intent-scope-reassessment.md	Latest INTENT ↔ SCOPE gap analysis
wiki/AccessRouting.md	What ops-warden issues vs routes (role and boundary)
wiki/CredentialRouting.md	Which subsystem for each credential need
registry/routing/catalog.yaml	Machine-readable routing pointer catalog
wiki/NetKingdomSecurityMap.md	Platform security component map
examples/warden.production.example.yaml	Production warden.yaml template
wiki/AccessManagementDirective.md	SSH actor model
wiki/OpsWardenConfig.md	warden.yaml and OpenBao
wiki/CertCommandInterface.md	cert_command contract
wiki/PolicyGatedSigning.md	flex-auth opt-in gate
net-kingdom/docs/platform-identity-security-architecture.md	Platform security canon