ops-warden/wiki/NetKingdomSecurityMap.md

# NetKingdom Security Map (ops-warden view)

Date: 2026-06-17

Condensed literacy guide for ops-warden stewards and development workers.
Canonical source remains `net-kingdom/docs/platform-identity-security-architecture.md`.

ops-warden **implements** the operational SSH lane and **documents** how the
other lanes connect.

---

## Planes

```text
Bootstrap plane     railiance-infra, railiance-cluster, net-kingdom bootstrap
Platform control    key-cape, flex-auth, OpenBao, Topaz, railiance-platform
Tenant plane        railiance-apps, coulomb workloads, future tenants
Operational access  ops-warden (SSH certs), ops-bridge (tunnels)
```

---

## Component map

| Component | Answers | Credential types | ops-warden |
| --- | --- | --- | --- |
| **key-cape** | Who are you? (lightweight IAM) | OIDC tokens, MFA | Route — do not issue |
| **Keycloak** | Who are you? (expanded IAM) | OIDC/SAML federation | Route — do not issue |
| **privacyIDEA** | MFA / step-up | OTP, hardware tokens | Route — do not issue |
| **flex-auth** | May you do this action? | Policy decisions, audit envelopes | Future SSH pre-sign; route today |
| **Topaz** | PDP runtime for flex-auth | Authorization evaluations | Route — do not issue |
| **OpenBao** | Runtime secret authority | API keys, DB creds, leases, K8s auth | SSH engine **signing backend** only |
| **ops-warden** | SSH ops access | Short-lived SSH certificates | **Own and issue** |
| **ops-bridge** | Tunnel transport | Uses certs via cert_command | Consumer |
| **railiance-infra** | Host enforcement | auth_principals, sshd | Route — deploy hosts |
| **railiance-platform** | Platform deploy | OpenBao, Postgres, ingress | Route — do not deploy from warden |

---

## Credential lanes (summary)

| Lane | Owner | Lifetime | Worker entrypoint |
| --- | --- | --- | --- |
| Identity | key-cape / Keycloak | Session / token TTL | Login / OIDC |
| Authorization | flex-auth | Per request | Policy API / embedded PEP |
| Runtime secrets | OpenBao | Lease-bound | `bao` CLI, K8s ESO, app integration |
| SSH operational | ops-warden | adm 48h / agt 24h / atm 8h | `warden sign` |
| Tunnel | ops-bridge | Session | `bridge` + cert_command |

Full routing: `wiki/CredentialRouting.md`.

---

## Trust flow (simplified)

```text
Worker request
    -> Identity?        key-cape / Keycloak
    -> Authorized?      flex-auth
    -> Secret material? OpenBao
    -> SSH cert?        ops-warden
    -> Tunnel?          ops-bridge (cert from warden)
    -> Host accepts?    railiance-infra principals
```

OpenBao does **not** replace identity or authorization. flex-auth decides;
OpenBao stores/issues; ops-warden signs SSH certs when host reachability is
the need.

---

## NetKingdom documents to watch

| Document | Why ops-warden cares |
| --- | --- |
| `platform-identity-security-architecture.md` | Planes, secret path, SSH path |
| `responsibility-map.md` | Operational SSH dependency section |
| `platform-identity-security-architecture.md` | Operational SSH Path section |
| `platform-root-custody.md` | OpenBao ceremony — not warden's job |
| `object-storage-sts-credential-vending.md` | S3 creds — never warden |
| `canon/standards/iam-profile_v0.2.md` | Claims for future policy-gated sign |

When these change, update ops-warden wiki and `wiki/CredentialRouting.md`.

---

## Recursive platform rule

Tenant admins (including `tenant:coulomb`) must not gain platform-root
authority. ops-warden SSH actors should use **narrow principals** for agent
and automation work — not platform-admin equivalents on hosts.

---

## See also

- `INTENT.md`
- `wiki/CredentialRouting.md`
- `wiki/PolicyGatedSigning.md` (future flex-auth hook)
- `net-kingdom/docs/platform-identity-security-architecture.md`