Refine security blocker posture review
This commit is contained in:
@@ -15,8 +15,12 @@ repo runbooks.
|
||||
- Do not put secrets in Git, State Hub, workplans, shell history, or chat.
|
||||
- Use the current ops-warden source CLI for routing if the installed `warden`
|
||||
lacks `route` commands: `cd /home/worsch/ops-warden && uv run warden route ...`.
|
||||
- `ops-warden` executes SSH certificate issuance only. It does not vend API
|
||||
keys, OpenBao tokens, SMTP passwords, OIDC logins, or database credentials.
|
||||
- `ops-warden` directly issues SSH certificates. For non-SSH needs it may
|
||||
route, advise, or proxy an `exec_capable` lane through `warden access` as the
|
||||
caller, but it does not own custody, mint values, or store secrets.
|
||||
- Classify credential blockers by environment posture and workload maturity:
|
||||
dev/test work should use synthetic contract doubles; production real-value
|
||||
work needs owner custody, policy gates where required, and non-secret evidence.
|
||||
- OpenBao/API credentials route to `railiance-platform`; interactive identity
|
||||
routes to `key-cape`; tunnels route to `ops-bridge`; host principal and
|
||||
force-command deployment routes to `railiance-infra`.
|
||||
@@ -25,14 +29,36 @@ repo runbooks.
|
||||
|
||||
## Route Records
|
||||
|
||||
| Route id | Owner | Scope | Warden executes? | Reference |
|
||||
| Route id | Owner | Scope | ops-warden role | Reference |
|
||||
| --- | --- | --- | --- | --- |
|
||||
| `openbao-api-key` | `railiance-platform` | API keys, DB credentials, provider tokens, OpenBao KV/dynamic leases | No | `wiki/CredentialRouting.md#routing-table` |
|
||||
| `inter-hub-bootstrap-ssh` | `ops-warden` + `railiance-infra` | Inter-Hub bootstrap SSH envelope and force-command pattern | No | `wiki/InterHubBootstrapAccessLane.md#worker-checklist` |
|
||||
| `ssh-cert-host-access` | `ops-warden` | Short-lived SSH cert signing for host reachability | Yes | `wiki/AccessRouting.md#issue-vs-route` |
|
||||
| `railiance-infra-principals` | `railiance-infra` | Host SSH principal files and force-command deployment | No | `wiki/CredentialRouting.md#routing-table` |
|
||||
| `key-cape-oidc-login` | `key-cape` | Interactive login, OIDC, MFA, JWT/authentication | No | `wiki/CredentialRouting.md#quick-decision-tree` |
|
||||
| `ops-bridge-tunnel` | `ops-bridge` | SSH tunnels and port forwards | No | `wiki/playbooks/ops-bridge-tunnel-cert.md#migration-checklist` |
|
||||
| `openbao-api-key` | `railiance-platform` | API keys, DB credentials, provider tokens, OpenBao KV/dynamic leases | Assist: route; proxy only as caller when `exec_capable`; custody stays OpenBao | `wiki/CredentialRouting.md#routing-table` |
|
||||
| `inter-hub-bootstrap-ssh` | `ops-warden` + `railiance-infra` | Inter-Hub bootstrap SSH envelope and force-command pattern | Assist envelope; issue SSH cert only if remote host reachability is used | `wiki/InterHubBootstrapAccessLane.md#worker-checklist` |
|
||||
| `ssh-cert-host-access` | `ops-warden` | Short-lived SSH cert signing for host reachability | Issue SSH certs directly | `wiki/AccessRouting.md#issue-vs-route` |
|
||||
| `railiance-infra-principals` | `railiance-infra` | Host SSH principal files and force-command deployment | Route only | `wiki/CredentialRouting.md#routing-table` |
|
||||
| `key-cape-oidc-login` | `key-cape` | Interactive login, OIDC, MFA, JWT/authentication | Assist login lane when `exec_capable`; identity stays key-cape | `wiki/CredentialRouting.md#quick-decision-tree` |
|
||||
| `ops-bridge-tunnel` | `ops-bridge` | SSH tunnels and port forwards | Route; supply `cert_command` pattern when needed | `wiki/playbooks/ops-bridge-tunnel-cert.md#migration-checklist` |
|
||||
|
||||
## Security-Stage and Maturity Triage
|
||||
|
||||
Use ops-warden `wiki/WorkloadSecurityPosture.md` to split vague IT-security
|
||||
blockers into concrete outcomes.
|
||||
|
||||
| Classifier | CUST-WP-0051 interpretation |
|
||||
| --- | --- |
|
||||
| Dev/test posture only | Not blocked on production secrets. Use synthetic contract doubles or generated test values. |
|
||||
| Prod posture with real values | Owner custody and policy gates are required. Record only route id, path/version, decision id, populated-key count, or smoke id. |
|
||||
| Workload maturity below secret requirement | Real blocker until the workload matures, the secret is reclassified, or the design avoids that secret. |
|
||||
| Route exists and lane is `exec_capable` | `warden access --fetch/--exec` may remove manual copy/paste as a blocker by proxying the owning tool as the caller. |
|
||||
| Unseal, break-glass, issuer custody unresolved | Operator ceremony/design blocker; do not bypass with Codex-visible values. |
|
||||
|
||||
Current read:
|
||||
|
||||
| Gate family | Posture/maturity read |
|
||||
| --- | --- |
|
||||
| Inter-Hub / ops-hub runtime keys | Production real-value gate; implementation can proceed with route evidence, but live smoke waits on OpenBao/operator custody. |
|
||||
| activity-core to issue-core | Production service credential gate; the blocker is `ISSUE_CORE_API_KEY` injection/evidence, not repo-side contract work. |
|
||||
| OpenBao unseal / issuer profile | M3-style operator ceremony; remains a hard operator-design gate. |
|
||||
| Forgejo SMTP/package/runner migration | Production credential and recovery-readiness gate; use OpenBao/key-cape/ops-bridge routes, then record non-secret drill evidence. |
|
||||
|
||||
## Live Gates
|
||||
|
||||
|
||||
@@ -50,7 +50,13 @@ Hygiene status:
|
||||
## Blocker Board
|
||||
|
||||
No live credential, access, or approval gate is unowned. Do not ask
|
||||
`ops-warden` for secret values; use the route catalog and the owning subsystem.
|
||||
`ops-warden` for secret values; use the route catalog, the `warden access`
|
||||
assist/proxy surface where the catalog lane allows it, and the owning subsystem.
|
||||
|
||||
For credential-related blockers, classify the environment posture and workload
|
||||
maturity first. Dev/test work can use synthetic contract doubles; production
|
||||
real-value work needs owner custody, policy gates where applicable, and
|
||||
non-secret evidence. See `docs/ops-warden-secret-posture-review.md`.
|
||||
|
||||
| Gate | Owner/route | Non-secret evidence to collect | Next action |
|
||||
| --- | --- | --- | --- |
|
||||
|
||||
42
docs/ops-warden-secret-posture-review.md
Normal file
42
docs/ops-warden-secret-posture-review.md
Normal file
@@ -0,0 +1,42 @@
|
||||
# ops-warden Secret Posture Review
|
||||
|
||||
Date: 2026-06-27
|
||||
Owner: the-custodian coordination; ops-warden owns the source standard.
|
||||
|
||||
## Review Outcome
|
||||
|
||||
ops-warden is moving from a simple "SSH certs plus route pointers" surface to a
|
||||
more useful access and conformance steward:
|
||||
|
||||
- it still directly issues only the SSH certificate lane;
|
||||
- it routes other credential needs to their owning subsystem;
|
||||
- `warden access` may advise or proxy `exec_capable` lanes as the caller, without
|
||||
storing values or becoming a secret broker;
|
||||
- WARDEN-WP-0015 adds workload security posture: `dev/test/prod` environment
|
||||
posture plus `M0-M3` workload maturity and a secret-flow lattice.
|
||||
|
||||
This helps CUST-WP-0051 because a security blocker can now be classified instead
|
||||
of left as a generic "credentials needed" stop.
|
||||
|
||||
## Blocker Refinement Rules
|
||||
|
||||
| Situation | CUST-WP-0051 action |
|
||||
| --- | --- |
|
||||
| Dev/test implementation needs a credential-shaped dependency | Use synthetic contract doubles; do not wait for production secrets. |
|
||||
| Production smoke needs a real value | Route to the owner, collect non-secret evidence, and keep the value out of Codex-visible surfaces. |
|
||||
| Route is `exec_capable` | Prefer `warden access --fetch/--exec` as the caller over copy/paste handling. |
|
||||
| Workload maturity is below the secret requirement | Keep the blocker; resolve by maturity advancement, policy/design change, or avoiding the secret. |
|
||||
| OpenBao unseal, break-glass, or issuer custody is unresolved | Keep as operator ceremony/design blocker. |
|
||||
|
||||
## Current CUST-WP-0051 Read
|
||||
|
||||
| Gate | Refined blocker |
|
||||
| --- | --- |
|
||||
| Ops-hub runtime `OPS_HUB_KEY` | Production real-value custody gate; implementation is not blocked, live smoke is. |
|
||||
| Inter-Hub ops-hub bootstrap | Access/custody gate with an attended execution path; no need to request secret values from ops-warden. |
|
||||
| activity-core -> issue-core | Production API key injection/evidence gate; route is known through `activity-core-issue-sink`. |
|
||||
| OpenBao unseal/helper | M3-style ceremony gate; operator design remains required. |
|
||||
| Forgejo production migration | Production readiness gate spanning credentials, recovery drills, and cutover approval. |
|
||||
|
||||
Evidence stays non-secret: route id, owner, posture, maturity, policy decision id,
|
||||
OpenBao path/version, populated-key count, smoke id, token accessor, or drill id.
|
||||
@@ -155,6 +155,12 @@ targets, fallback decisions, and pickup order. Route lookup was verified through
|
||||
`/home/worsch/ops-warden` using `uv run warden route show ... --json` because
|
||||
the globally installed `warden` lacks the `route` subcommand.
|
||||
|
||||
Refined 2026-06-27: added `docs/ops-warden-secret-posture-review.md` and updated
|
||||
the unblock board/checkpoint to consume ops-warden's `warden access` assist
|
||||
boundary plus WARDEN-WP-0015 environment-posture/workload-maturity triage. This
|
||||
turns vague IT-security blockers into dev/test doubles, owner-routed production
|
||||
custody gates, or real maturity/posture violations.
|
||||
|
||||
## Task: Close The Ops-Hub Inter-Hub Evidence Lane
|
||||
|
||||
```task
|
||||
|
||||
Reference in New Issue
Block a user