Refine security blocker posture review
@@ -15,8 +15,12 @@ repo runbooks.
|
||||
- Do not put secrets in Git, State Hub, workplans, shell history, or chat.
|
||||
- Use the current ops-warden source CLI for routing if the installed `warden`
|
||||
lacks `route` commands: `cd /home/worsch/ops-warden && uv run warden route ...`.
|
||||
- `ops-warden` executes SSH certificate issuance only. It does not vend API
|
||||
keys, OpenBao tokens, SMTP passwords, OIDC logins, or database credentials.
|
||||
- `ops-warden` directly issues SSH certificates. For non-SSH needs it may
|
||||
route, advise, or proxy an `exec_capable` lane through `warden access` as the
|
||||
caller, but it does not own custody, mint values, or store secrets.
|
||||
- Classify credential blockers by environment posture and workload maturity:
|
||||
dev/test work should use synthetic contract doubles; production real-value
|
||||
work needs owner custody, policy gates where required, and non-secret evidence.
|
||||
- OpenBao/API credentials route to `railiance-platform`; interactive identity
|
||||
routes to `key-cape`; tunnels route to `ops-bridge`; host principal and
|
||||
force-command deployment routes to `railiance-infra`.
|
||||
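Review bot: In the reworded `ops-warden` bullet, "proxy an `exec_capable` lane through `warden access` as the caller" widens the stated role without defining `exec_capable` or saying where the proxied result may go, and the explicit list of things it does not vend (API keys, OpenBao tokens, SMTP passwords, OIDC logins, database credentials) is dropped. Suggest keeping that list next to "does not own custody, mint values, or store secrets", and stating that anything obtained through a proxied lane stays subject to the first bullet (no Git, State Hub, workplans, shell history, or chat). In the new classification bullet, "policy gates where required" would be clearer with a pointer to where that requirement is defined.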
@@ -25,14 +29,36 @@ repo runbooks.
|
||||
|
||||
## Route Records
|
||||
|
||||
| Route id | Owner | Scope | Warden executes? | Reference |
|
||||
| Route id | Owner | Scope | ops-warden role | Reference |
|
||||
| --- | --- | --- | --- | --- |
|
||||
| `openbao-api-key` | `railiance-platform` | API keys, DB credentials, provider tokens, OpenBao KV/dynamic leases | No | `wiki/CredentialRouting.md#routing-table` |
|
||||
| `inter-hub-bootstrap-ssh` | `ops-warden` + `railiance-infra` | Inter-Hub bootstrap SSH envelope and force-command pattern | No | `wiki/InterHubBootstrapAccessLane.md#worker-checklist` |
|
||||
| `ssh-cert-host-access` | `ops-warden` | Short-lived SSH cert signing for host reachability | Yes | `wiki/AccessRouting.md#issue-vs-route` |
|
||||
| `railiance-infra-principals` | `railiance-infra` | Host SSH principal files and force-command deployment | No | `wiki/CredentialRouting.md#routing-table` |
|
||||
| `key-cape-oidc-login` | `key-cape` | Interactive login, OIDC, MFA, JWT/authentication | No | `wiki/CredentialRouting.md#quick-decision-tree` |
|
||||
| `ops-bridge-tunnel` | `ops-bridge` | SSH tunnels and port forwards | No | `wiki/playbooks/ops-bridge-tunnel-cert.md#migration-checklist` |
|
||||
| `openbao-api-key` | `railiance-platform` | API keys, DB credentials, provider tokens, OpenBao KV/dynamic leases | Assist: route; proxy only as caller when `exec_capable`; custody stays OpenBao | `wiki/CredentialRouting.md#routing-table` |
|
||||
| `inter-hub-bootstrap-ssh` | `ops-warden` + `railiance-infra` | Inter-Hub bootstrap SSH envelope and force-command pattern | Assist envelope; issue SSH cert only if remote host reachability is used | `wiki/InterHubBootstrapAccessLane.md#worker-checklist` |
|
||||
| `ssh-cert-host-access` | `ops-warden` | Short-lived SSH cert signing for host reachability | Issue SSH certs directly | `wiki/AccessRouting.md#issue-vs-route` |
|
||||
| `railiance-infra-principals` | `railiance-infra` | Host SSH principal files and force-command deployment | Route only | `wiki/CredentialRouting.md#routing-table` |
|
||||
| `key-cape-oidc-login` | `key-cape` | Interactive login, OIDC, MFA, JWT/authentication | Assist login lane when `exec_capable`; identity stays key-cape | `wiki/CredentialRouting.md#quick-decision-tree` |
|
||||
| `ops-bridge-tunnel` | `ops-bridge` | SSH tunnels and port forwards | Route; supply `cert_command` pattern when needed | `wiki/playbooks/ops-bridge-tunnel-cert.md#migration-checklist` |
|
||||
|
||||
## Security-Stage and Maturity Triage
|
||||
|
||||
Use ops-warden `wiki/WorkloadSecurityPosture.md` to split vague IT-security
|
||||
blockers into concrete outcomes.
|
||||
|
||||
| Classifier | CUST-WP-0051 interpretation |
|
||||
| --- | --- |
|
||||
| Dev/test posture only | Not blocked on production secrets. Use synthetic contract doubles or generated test values. |
|
||||
| Prod posture with real values | Owner custody and policy gates are required. Record only route id, path/version, decision id, populated-key count, or smoke id. |
|
||||
| Workload maturity below secret requirement | Real blocker until the workload matures, the secret is reclassified, or the design avoids that secret. |
|
||||
| Route exists and lane is `exec_capable` | `warden access --fetch/--exec` may remove manual copy/paste as a blocker by proxying the owning tool as the caller. |
|
||||
| Unseal, break-glass, issuer custody unresolved | Operator ceremony/design blocker; do not bypass with Codex-visible values. |
|
||||
|
||||
Current read:
|
||||
|
||||
| Gate family | Posture/maturity read |
|
||||
| --- | --- |
|
||||
| Inter-Hub / ops-hub runtime keys | Production real-value gate; implementation can proceed with route evidence, but live smoke waits on OpenBao/operator custody. |
|
||||
| activity-core to issue-core | Production service credential gate; the blocker is `ISSUE_CORE_API_KEY` injection/evidence, not repo-side contract work. |
|
||||
| OpenBao unseal / issuer profile | M3-style operator ceremony; remains a hard operator-design gate. |
|
||||
| Forgejo SMTP/package/runner migration | Production credential and recovery-readiness gate; use OpenBao/key-cape/ops-bridge routes, then record non-secret drill evidence. |
|
||||
|
||||
## Live Gates
|
||||
|
||||
|
||||
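Review bot: The `exec_capable` row of the triage table says `warden access --fetch/--exec` may remove manual copy/paste as a blocker, but it does not say where the result may land; the only "do not bypass with Codex-visible values" wording sits on the unseal/break-glass/issuer-custody row. Suggest putting the same constraint on the `exec_capable` row, or tying it to the non-secret evidence listed in the prod-posture row (route id, path/version, decision id, populated-key count, smoke id). In Route Records, `inter-hub-bootstrap-ssh` goes from "No" under `Warden executes?` to "issue SSH cert only if remote host reachability is used", which changes behaviour and is not just a relabel, so the row should say who decides that condition. Replacing the Yes/No column with free text also removes an easy check for which routes ops-warden actually executes; consider keeping a short fixed value (Issue / Assist / Route) at the start of each cell. The "Current read" table has no date or workplan revision, and "M3-style" is not defined in the visible lines.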