generated from coulomb/repo-seed
Drop the "operational access desk" framing (and the rejected "coach" metaphor) for plain language: ops-warden issues short-lived SSH certs and routes every other credential need to its owner. SSH is the only lane it executes. Adds WARDEN-WP-0010/0011/0012 with a pointer-layer routing catalog that points at owner docs rather than restating them, enforced structurally (non-SSH entries carrying a steps block fail CI). Drops the scope-creep-prone `check` command; hides unshipped-path scenarios as draft. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
106 lines
4.4 KiB
Markdown
106 lines
4.4 KiB
Markdown
# Decision Record — Sharpen "steward" into "issue SSH, route the rest"
|
|
|
|
**Date:** 2026-06-18
|
|
**Author:** codex
|
|
**Status:** Accepted. Feeds WARDEN-WP-0010 T1.
|
|
**Supersedes:** the earlier "operations security coach" draft (rejected — see below).
|
|
|
|
---
|
|
|
|
## 1. The decision
|
|
|
|
Keep ops-warden's mission exactly as it is in production and sharpen only the
|
|
wording: **ops-warden issues short-lived SSH certificates and routes every other
|
|
credential need to the subsystem that owns it.** Add a small machine-readable
|
|
routing catalog and a `warden route` lookup CLI so agents stop re-deriving routing
|
|
from wiki prose.
|
|
|
|
This is **wording plus a thin lookup surface**, not a new security lane. SSH
|
|
issuance stays the only thing ops-warden executes.
|
|
|
|
| | Before | After |
|
|
| --- | --- | --- |
|
|
| Framing | "operational access steward / desk" | "issues SSH certs; routes the rest to its owner" |
|
|
| Non-SSH creds | document paths in wiki | same wiki + structured catalog pointing at it |
|
|
| Lookup | grep the wiki | `warden route find/show` |
|
|
| Foreign APIs | not owned | explicitly not proxied or restated |
|
|
|
|
Maturity moves **Availability A3 → A4** (structured lookup for agents). Completeness
|
|
and Reliability for the SSH lane are unchanged — nothing here ships new signing code.
|
|
|
|
---
|
|
|
|
## 2. Why not "coach"
|
|
|
|
An earlier draft framed this as an "operations security coach." Rejected:
|
|
|
|
- **Overpromises.** What is built is a routing directory — lookup, not pedagogy.
|
|
"Coach" implies teaching and an ongoing relationship the CLI does not deliver,
|
|
which feeds the "agent stops at the lookup and never learns the subsystem"
|
|
failure mode.
|
|
- **Generic / collision-prone** across other custodian domains.
|
|
- **No new metaphor needed.** "Steward who issues SSH and routes the rest" is
|
|
already accurate and harder to misread as a wrapping service.
|
|
|
|
Command verb is `warden route` (concrete), not `warden coach`.
|
|
|
|
---
|
|
|
|
## 3. The double-source-of-truth trap, and how we avoid it
|
|
|
|
A routing catalog risks becoming a hand-maintained fork of net-kingdom's
|
|
responsibility map. A stale-but-authoritative-looking catalog is **worse** than
|
|
wiki prose, because an agent trusts structured output and will not second-guess it.
|
|
|
|
**Rule (binding on WP-0010 T3 / enforced by WP-0011 T5):** the catalog is a
|
|
*pointer layer*. For any subsystem ops-warden does not own, an entry carries only
|
|
identifiers + `owner_repo` + `wiki_ref` (in-repo authoritative section) +
|
|
`canon_ref` (upstream net-kingdom doc) — **no restated procedure**. Procedure is
|
|
authored in exactly one place per need: the wiki section it points to. ops-warden
|
|
authors `steps` for exactly one lane — SSH issuance — because it owns it.
|
|
|
|
This is enforced structurally, not by process: a CI test fails any non-SSH entry
|
|
that carries a `steps` block, and checks every `wiki_ref` anchor resolves. We do
|
|
not rely on a quarterly human review to catch drift.
|
|
|
|
---
|
|
|
|
## 4. Other tightenings applied
|
|
|
|
- **Dropped `warden coach check`.** Highest scope-creep risk, thin value (`warden
|
|
status` already covers SSH local preconditions). SSH precondition hints fold into
|
|
`warden route show` instead.
|
|
- **No agent-visible stubs for unshipped paths.** Scenarios whose owning repo has
|
|
not shipped a real path stay `status: draft` and are hidden from default
|
|
lookup (WP-0012 anti-stale rule).
|
|
|
|
---
|
|
|
|
## 5. Guardrails (non-negotiable)
|
|
|
|
1. **One execution lane** — only SSH cert issuance in ops-warden code.
|
|
2. **No secret material** in catalog, CLI output, logs, or history.
|
|
3. **No foreign API wrappers** — beyond the existing opt-in SSH pre-sign gate.
|
|
4. **No restated procedure** for subsystems ops-warden does not own — pointers only.
|
|
5. **Canon supremacy** — wiki tracks net-kingdom; ops-warden never overrides it.
|
|
|
|
---
|
|
|
|
## 6. Failing signals (watch for these)
|
|
|
|
- Feature requests cluster on `warden secret` / `warden bao` / `warden login`.
|
|
- A catalog entry grows a `steps` block for a non-SSH subsystem.
|
|
- `wiki_ref` anchors rot without CI failure.
|
|
- Operators bypass OpenBao "because warden is easier" — but warden cannot help.
|
|
|
|
---
|
|
|
|
## 7. References
|
|
|
|
- `INTENT.md`, `SCOPE.md` — pre-update wording
|
|
- `workplans/WARDEN-WP-0010-access-routing-charter.md`
|
|
- `workplans/WARDEN-WP-0011-routing-guide-cli.md`
|
|
- `workplans/WARDEN-WP-0012-routing-scenario-playbooks.md`
|
|
- `history/2026-06-18-post-wp0008-intent-scope-reassessment.md` — prior gap analysis
|
|
- `wiki/CredentialRouting.md`, `wiki/NetKingdomSecurityMap.md`
|