ops-warden/README.md

# ops-warden

SSH Certificate Authority and certificate lifecycle manager for the ops fleet.
Signs short-lived certs for `adm` / `agt` / `atm` actors and exposes the
`cert_command` interface consumed by `ops-bridge` and other tooling.

See `SCOPE.md` for boundaries and `wiki/AccessManagementDirective.md` for policy.

## Install

```bash
uv sync
uv tool install .
```

Or run without installing:

```bash
uv run warden --help
```

## Quick start (local backend)

```bash
# One-time: generate a CA key (keep mode 600, never commit)
ssh-keygen -t ed25519 -f ~/.ssh/ops-ca-user -C "Ops SSH User CA" -N ""

# Configure warden (~/.config/warden/warden.yaml) — see wiki/OpsWardenConfig.md
warden inventory add agt-example --type agt --principal agt-example
warden sign agt-example --pubkey ~/.ssh/id_ed25519.pub
warden status agt-example
warden scorecard
```

Production uses the `vault` backend against OpenBao or HashiCorp Vault (Vault-compatible
SSH secrets engine API). See `wiki/OpsWardenConfig.md`.

## Development

```bash
uv sync
uv run pytest              # unit tests (integration excluded)
uv run pytest -m integration   # requires ssh-keygen in PATH
uv run ruff check .
```

## Key paths

| Path | Purpose |
|------|---------|
| `~/.config/warden/warden.yaml` | Backend and CA/Vault settings |
| `~/.config/warden/inventory.yaml` | Actor → principals registry |
| `~/.local/state/warden/` | Signed certs, keys, `signatures.log` |

## Documentation

- `wiki/OpsWardenConfig.md` — configuration reference
- `wiki/CertCommandInterface.md` — `cert_command` contract for callers
- `wiki/InterHubBootstrapAccessLane.md` — short-lived cert envelope for bootstrap tasks

## Workplans

Active and proposed work lives in `workplans/`. Finished plans are archived under
`workplans/archived/`.