Go to file

tegwick f787e09a1b plan(WARDEN-WP-0015): rescope to two-axis Workload Security Posture

Folds the workload-maturity axis into WP-0015. The model is now two
orthogonal axes — environment posture (dev/test/prod, how the secret
store is secured) and workload maturity (M0-M3, how trusted a workload
is to receive secrets/classified data) — unified by a secret-flow
lattice (deliver only if posture==prod AND workload.maturity >=
secret.required_maturity). "Critical secrets must not flow to workloads
below maturity M" is the no-write-down case.

Layering: generic WorkloadMaturityLevel + lattice → info-tech-canon
(reusing its DataClassification / DevSecOps gates / Security criticality
/ CARING); NetKingdom M0-M3 requirements → net-kingdom canon. ops-warden
authors + checks conformance, not enforcement. Still proposed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-27 18:00:50 +02:00

.claude/rules

docs(WARDEN-WP-0014): T5 — assist-layer docs, security model, INTENT/SCOPE

2026-06-27 17:35:57 +02:00

examples

feat: close WP-0009/WP-0013 production integration stewardship strand

2026-06-24 12:44:32 +02:00

history

docs(WARDEN-WP-0014): T5 — assist-layer docs, security model, INTENT/SCOPE

2026-06-27 17:35:57 +02:00

registry

feat(WARDEN-WP-0014): T4 — key-cape login orchestration lane

2026-06-27 17:31:55 +02:00

scripts

feat: close WP-0009/WP-0013 production integration stewardship strand

2026-06-24 12:44:32 +02:00

src/warden

feat(WARDEN-WP-0014): T4 — key-cape login orchestration lane

2026-06-27 17:31:55 +02:00

tests

feat(WARDEN-WP-0014): T4 — key-cape login orchestration lane

2026-06-27 17:31:55 +02:00

wiki

docs(WARDEN-WP-0014): T5 — assist-layer docs, security model, INTENT/SCOPE

2026-06-27 17:35:57 +02:00

workplans

plan(WARDEN-WP-0015): rescope to two-axis Workload Security Posture

2026-06-27 18:00:50 +02:00

.custodian-brief.md

chore(consistency): sync task status from DB [auto]

2026-06-27 17:36:33 +02:00

.gitignore

feat(WP-0011): warden route lookup CLI over the pointer catalog

2026-06-18 21:07:13 +02:00

.repo-classification.yaml

Mark .repo-classification.yaml human-reviewed (CUST-WP-0050 T02)

2026-06-22 11:40:44 +02:00

AGENTS.md

Normalize agent instructions and workplan frontmatter (STATE-WP-0067)

2026-06-22 23:16:27 +02:00

CLAUDE.md

Add credential routing instructions for all agent runtimes

2026-06-18 22:48:39 +02:00

INTENT.md

docs(WARDEN-WP-0014): T5 — assist-layer docs, security model, INTENT/SCOPE

2026-06-27 17:35:57 +02:00

LICENSE

Initial commit

2026-03-28 00:35:11 +00:00

pyproject.toml

feat(warden): WARDEN-WP-0003 — test coverage, permissions, status --state-dir

2026-05-15 17:05:38 +02:00

README.md

Complete WARDEN-WP-0012 routing scenario playbooks

2026-06-25 10:27:23 +02:00

SCOPE.md

docs(WARDEN-WP-0014): T5 — assist-layer docs, security model, INTENT/SCOPE

2026-06-27 17:35:57 +02:00

uv.lock

feat(bootstrap): WARDEN-WP-0001 initial implementation — 42 tests passing

2026-05-15 13:27:49 +02:00

README.md

ops-warden

SSH Certificate Authority and certificate lifecycle manager for the ops fleet. Signs short-lived certs for adm / agt / atm actors and exposes the cert_command interface consumed by ops-bridge and other tooling.

See INTENT.md for direction, SCOPE.md for current implementation, and wiki/AccessManagementDirective.md for SSH policy. ops-warden issues SSH certs and routes every other credential need to its owner — see wiki/AccessRouting.md. Latest gap analysis: history/2026-06-17-post-wp0007-reassessment.md.

Install

uv sync
uv tool install .

Or run without installing:

uv run warden --help

Quick start (local backend)

# One-time: generate a CA key (keep mode 600, never commit)
ssh-keygen -t ed25519 -f ~/.ssh/ops-ca-user -C "Ops SSH User CA" -N ""

# Configure warden (~/.config/warden/warden.yaml) — see wiki/OpsWardenConfig.md
warden inventory add agt-example --type agt --principal agt-example
warden sign agt-example --pubkey ~/.ssh/id_ed25519.pub
warden status agt-example
warden scorecard

Production uses the vault backend against OpenBao or HashiCorp Vault (Vault-compatible SSH secrets engine API). Template: examples/warden.production.example.yaml. See wiki/OpsWardenConfig.md and wiki/OpenBaoSshEngineChecklist.md.

Routing lookup (`warden route`)

ops-warden issues SSH certs and routes every other credential need to its owner. The route command group is a read-only lookup over the pointer catalog (registry/routing/catalog.yaml) — it never calls another subsystem or returns secrets.

warden route list [--all] [--json]                    # scenarios (active-only unless --all)
warden route list --stale [--stale-days 90] [--all]   # past review cadence
warden route show <id> [--json]                       # owner + wiki/canon pointers; SSH adds steps
warden route find "issue an api key"                  # rank scenarios by keyword overlap

Full role and examples: wiki/AccessRouting.md.

Development

uv sync
uv run pytest              # unit tests (integration excluded)
uv run pytest -m integration   # requires ssh-keygen in PATH
uv run ruff check .

Key paths

Path	Purpose
`~/.config/warden/warden.yaml`	Backend and CA/Vault settings
`~/.config/warden/inventory.yaml`	Actor → principals registry
`~/.local/state/warden/`	Signed certs, keys, `signatures.log`

Documentation

INTENT.md — operational access steward mission (NetKingdom-aligned)
wiki/CredentialRouting.md — which subsystem for each credential type
wiki/NetKingdomSecurityMap.md — platform security component map
wiki/ActorInventoryPatterns.md — standard adm/agt/atm actor patterns
wiki/OpsWardenConfig.md — configuration reference
wiki/CertCommandInterface.md — cert_command contract for callers
wiki/InterHubBootstrapAccessLane.md — short-lived cert envelope for bootstrap tasks

Workplans

Active and proposed work lives in workplans/. Finished plans are archived under workplans/archived/.

README.md

ops-warden

Install

Quick start (local backend)

Routing lookup (warden route)

Development

Key paths

Documentation

Workplans

Routing lookup (`warden route`)