diff --git a/docs/credential-custody-unblock-board.md b/docs/credential-custody-unblock-board.md
index 98edd9e..9cec769 100644
--- a/docs/credential-custody-unblock-board.md
+++ b/docs/credential-custody-unblock-board.md
@@ -15,8 +15,12 @@ repo runbooks.
 - Do not put secrets in Git, State Hub, workplans, shell history, or chat.
 - Use the current ops-warden source CLI for routing if the installed `warden`
   lacks `route` commands: `cd /home/worsch/ops-warden && uv run warden route ...`.
-- `ops-warden` executes SSH certificate issuance only. It does not vend API
-  keys, OpenBao tokens, SMTP passwords, OIDC logins, or database credentials.
+- `ops-warden` directly issues SSH certificates. For non-SSH needs it may
+  route, advise, or proxy an `exec_capable` lane through `warden access` as the
+  caller, but it does not own custody, mint values, or store secrets.
+- Classify credential blockers by environment posture and workload maturity:
+  dev/test work should use synthetic contract doubles; production real-value
+  work needs owner custody, policy gates where required, and non-secret evidence.
 - OpenBao/API credentials route to `railiance-platform`; interactive identity
   routes to `key-cape`; tunnels route to `ops-bridge`; host principal and
   force-command deployment routes to `railiance-infra`.
@@ -25,14 +29,36 @@ repo runbooks.
 
 ## Route Records
 
-| Route id | Owner | Scope | Warden executes? | Reference |
+| Route id | Owner | Scope | ops-warden role | Reference |
 | --- | --- | --- | --- | --- |
-| `openbao-api-key` | `railiance-platform` | API keys, DB credentials, provider tokens, OpenBao KV/dynamic leases | No | `wiki/CredentialRouting.md#routing-table` |
-| `inter-hub-bootstrap-ssh` | `ops-warden` + `railiance-infra` | Inter-Hub bootstrap SSH envelope and force-command pattern | No | `wiki/InterHubBootstrapAccessLane.md#worker-checklist` |
-| `ssh-cert-host-access` | `ops-warden` | Short-lived SSH cert signing for host reachability | Yes | `wiki/AccessRouting.md#issue-vs-route` |
-| `railiance-infra-principals` | `railiance-infra` | Host SSH principal files and force-command deployment | No | `wiki/CredentialRouting.md#routing-table` |
-| `key-cape-oidc-login` | `key-cape` | Interactive login, OIDC, MFA, JWT/authentication | No | `wiki/CredentialRouting.md#quick-decision-tree` |
-| `ops-bridge-tunnel` | `ops-bridge` | SSH tunnels and port forwards | No | `wiki/playbooks/ops-bridge-tunnel-cert.md#migration-checklist` |
+| `openbao-api-key` | `railiance-platform` | API keys, DB credentials, provider tokens, OpenBao KV/dynamic leases | Assist: route; proxy only as caller when `exec_capable`; custody stays OpenBao | `wiki/CredentialRouting.md#routing-table` |
+| `inter-hub-bootstrap-ssh` | `ops-warden` + `railiance-infra` | Inter-Hub bootstrap SSH envelope and force-command pattern | Assist envelope; issue SSH cert only if remote host reachability is used | `wiki/InterHubBootstrapAccessLane.md#worker-checklist` |
+| `ssh-cert-host-access` | `ops-warden` | Short-lived SSH cert signing for host reachability | Issue SSH certs directly | `wiki/AccessRouting.md#issue-vs-route` |
+| `railiance-infra-principals` | `railiance-infra` | Host SSH principal files and force-command deployment | Route only | `wiki/CredentialRouting.md#routing-table` |
+| `key-cape-oidc-login` | `key-cape` | Interactive login, OIDC, MFA, JWT/authentication | Assist login lane when `exec_capable`; identity stays key-cape | `wiki/CredentialRouting.md#quick-decision-tree` |
+| `ops-bridge-tunnel` | `ops-bridge` | SSH tunnels and port forwards | Route; supply `cert_command` pattern when needed | `wiki/playbooks/ops-bridge-tunnel-cert.md#migration-checklist` |
+
+## Security-Stage and Maturity Triage
+
+Use ops-warden `wiki/WorkloadSecurityPosture.md` to split vague IT-security
+blockers into concrete outcomes.
+
+| Classifier | CUST-WP-0051 interpretation |
+| --- | --- |
+| Dev/test posture only | Not blocked on production secrets. Use synthetic contract doubles or generated test values. |
+| Prod posture with real values | Owner custody and policy gates are required. Record only route id, path/version, decision id, populated-key count, or smoke id. |
+| Workload maturity below secret requirement | Real blocker until the workload matures, the secret is reclassified, or the design avoids that secret. |
+| Route exists and lane is `exec_capable` | `warden access --fetch/--exec` may remove manual copy/paste as a blocker by proxying the owning tool as the caller. |
+| Unseal, break-glass, issuer custody unresolved | Operator ceremony/design blocker; do not bypass with Codex-visible values. |
+
+Current read:
+
+| Gate family | Posture/maturity read |
+| --- | --- |
+| Inter-Hub / ops-hub runtime keys | Production real-value gate; implementation can proceed with route evidence, but live smoke waits on OpenBao/operator custody. |
+| activity-core to issue-core | Production service credential gate; the blocker is `ISSUE_CORE_API_KEY` injection/evidence, not repo-side contract work. |
+| OpenBao unseal / issuer profile | M3-style operator ceremony; remains a hard operator-design gate. |
+| Forgejo SMTP/package/runner migration | Production credential and recovery-readiness gate; use OpenBao/key-cape/ops-bridge routes, then record non-secret drill evidence. |
 
 ## Live Gates
 
diff --git a/docs/infrastructure-stabilization-pickup-checkpoint.md b/docs/infrastructure-stabilization-pickup-checkpoint.md
index a5ba2f4..1b1de16 100644
--- a/docs/infrastructure-stabilization-pickup-checkpoint.md
+++ b/docs/infrastructure-stabilization-pickup-checkpoint.md
@@ -50,7 +50,13 @@ Hygiene status:
 ## Blocker Board
 
 No live credential, access, or approval gate is unowned. Do not ask
-`ops-warden` for secret values; use the route catalog and the owning subsystem.
+`ops-warden` for secret values; use the route catalog, the `warden access`
+assist/proxy surface where the catalog lane allows it, and the owning subsystem.
+
+For credential-related blockers, classify the environment posture and workload
+maturity first. Dev/test work can use synthetic contract doubles; production
+real-value work needs owner custody, policy gates where applicable, and
+non-secret evidence. See `docs/ops-warden-secret-posture-review.md`.
 
 | Gate | Owner/route | Non-secret evidence to collect | Next action |
 | --- | --- | --- | --- |
diff --git a/docs/ops-warden-secret-posture-review.md b/docs/ops-warden-secret-posture-review.md
new file mode 100644
index 0000000..6ae5824
--- /dev/null
+++ b/docs/ops-warden-secret-posture-review.md
@@ -0,0 +1,42 @@
+# ops-warden Secret Posture Review
+
+Date: 2026-06-27
+Owner: the-custodian coordination; ops-warden owns the source standard.
+
+## Review Outcome
+
+ops-warden is moving from a simple "SSH certs plus route pointers" surface to a
+more useful access and conformance steward:
+
+- it still directly issues only the SSH certificate lane;
+- it routes other credential needs to their owning subsystem;
+- `warden access` may advise or proxy `exec_capable` lanes as the caller, without
+  storing values or becoming a secret broker;
+- WARDEN-WP-0015 adds workload security posture: `dev/test/prod` environment
+  posture plus `M0-M3` workload maturity and a secret-flow lattice.
+
+This helps CUST-WP-0051 because a security blocker can now be classified instead
+of left as a generic "credentials needed" stop.
+
+## Blocker Refinement Rules
+
+| Situation | CUST-WP-0051 action |
+| --- | --- |
+| Dev/test implementation needs a credential-shaped dependency | Use synthetic contract doubles; do not wait for production secrets. |
+| Production smoke needs a real value | Route to the owner, collect non-secret evidence, and keep the value out of Codex-visible surfaces. |
+| Route is `exec_capable` | Prefer `warden access --fetch/--exec` as the caller over copy/paste handling. |
+| Workload maturity is below the secret requirement | Keep the blocker; resolve by maturity advancement, policy/design change, or avoiding the secret. |
+| OpenBao unseal, break-glass, or issuer custody is unresolved | Keep as operator ceremony/design blocker. |
+
+## Current CUST-WP-0051 Read
+
+| Gate | Refined blocker |
+| --- | --- |
+| Ops-hub runtime `OPS_HUB_KEY` | Production real-value custody gate; implementation is not blocked, live smoke is. |
+| Inter-Hub ops-hub bootstrap | Access/custody gate with an attended execution path; no need to request secret values from ops-warden. |
+| activity-core -> issue-core | Production API key injection/evidence gate; route is known through `activity-core-issue-sink`. |
+| OpenBao unseal/helper | M3-style ceremony gate; operator design remains required. |
+| Forgejo production migration | Production readiness gate spanning credentials, recovery drills, and cutover approval. |
+
+Evidence stays non-secret: route id, owner, posture, maturity, policy decision id,
+OpenBao path/version, populated-key count, smoke id, token accessor, or drill id.
diff --git a/workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md b/workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md
index 6295155..1f33e94 100644
--- a/workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md
+++ b/workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md
@@ -155,6 +155,12 @@ targets, fallback decisions, and pickup order. Route lookup was verified through
 `/home/worsch/ops-warden` using `uv run warden route show ... --json` because
 the globally installed `warden` lacks the `route` subcommand.
 
+Refined 2026-06-27: added `docs/ops-warden-secret-posture-review.md` and updated
+the unblock board/checkpoint to consume ops-warden's `warden access` assist
+boundary plus WARDEN-WP-0015 environment-posture/workload-maturity triage. This
+turns vague IT-security blockers into dev/test doubles, owner-routed production
+custody gates, or real maturity/posture violations.
+
 ## Task: Close The Ops-Hub Inter-Hub Evidence Lane
 
 ```task