8.2 KiB
8.2 KiB
Credential Custody Unblock Board
Created: 2026-06-27 Owner: the-custodian coordination; credential owners remain with their owning repos.
Purpose
This board collects the live credential and operator-access gates that block the infrastructure stabilization plan. It records routes and non-secret evidence only. It is not a secret store, approval record, or substitute for the owning repo runbooks.
Rules
- Do not put secrets in Git, State Hub, workplans, shell history, or chat.
- Use the current ops-warden source CLI for routing if the installed
wardenlacksroutecommands:cd /home/worsch/ops-warden && uv run warden route .... ops-wardendirectly issues SSH certificates. For non-SSH needs it may route, advise, or proxy anexec_capablelane throughwarden accessas the caller, but it does not own custody, mint values, or store secrets.- Classify credential blockers by environment posture and workload maturity: dev/test work should use synthetic contract doubles; production real-value work needs owner custody, policy gates where required, and non-secret evidence.
- OpenBao/API credentials route to
railiance-platform; interactive identity routes tokey-cape; tunnels route toops-bridge; host principal and force-command deployment routes torailiance-infra. - Evidence may include ids, prefixes, counts, decision ids, HTTP status, and smoke pass/fail. It must not include credential values.
Route Records
| Route id | Owner | Scope | ops-warden role | Reference |
|---|---|---|---|---|
openbao-api-key |
railiance-platform |
API keys, DB credentials, provider tokens, OpenBao KV/dynamic leases | Assist: route; proxy only as caller when exec_capable; custody stays OpenBao |
wiki/CredentialRouting.md#routing-table |
inter-hub-bootstrap-ssh |
ops-warden + railiance-infra |
Inter-Hub bootstrap SSH envelope and force-command pattern | Assist envelope; issue SSH cert only if remote host reachability is used | wiki/InterHubBootstrapAccessLane.md#worker-checklist |
ssh-cert-host-access |
ops-warden |
Short-lived SSH cert signing for host reachability | Issue SSH certs directly | wiki/AccessRouting.md#issue-vs-route |
railiance-infra-principals |
railiance-infra |
Host SSH principal files and force-command deployment | Route only | wiki/CredentialRouting.md#routing-table |
key-cape-oidc-login |
key-cape |
Interactive login, OIDC, MFA, JWT/authentication | Assist login lane when exec_capable; identity stays key-cape |
wiki/CredentialRouting.md#quick-decision-tree |
ops-bridge-tunnel |
ops-bridge |
SSH tunnels and port forwards | Route; supply cert_command pattern when needed |
wiki/playbooks/ops-bridge-tunnel-cert.md#migration-checklist |
Security-Stage and Maturity Triage
Use ops-warden wiki/WorkloadSecurityPosture.md to split vague IT-security
blockers into concrete outcomes.
| Classifier | CUST-WP-0051 interpretation |
|---|---|
| Dev/test posture only | Not blocked on production secrets. Use synthetic contract doubles or generated test values. |
| Prod posture with real values | Owner custody and policy gates are required. Record only route id, path/version, decision id, populated-key count, or smoke id. |
| Workload maturity below secret requirement | Real blocker until the workload matures, the secret is reclassified, or the design avoids that secret. |
Route exists and lane is exec_capable |
warden access --fetch/--exec may remove manual copy/paste as a blocker by proxying the owning tool as the caller. |
| Unseal, break-glass, issuer custody unresolved | Operator ceremony/design blocker; do not bypass with Codex-visible values. |
Current read:
| Gate family | Posture/maturity read |
|---|---|
| Inter-Hub / ops-hub runtime keys | Production real-value gate; implementation can proceed with route evidence, but live smoke waits on OpenBao/operator custody. |
| activity-core to issue-core | Production service credential gate; the blocker is ISSUE_CORE_API_KEY injection/evidence, not repo-side contract work. |
| OpenBao unseal / issuer profile | M3-style operator ceremony; remains a hard operator-design gate. |
| Forgejo SMTP/package/runner migration | Production credential and recovery-readiness gate; use OpenBao/key-cape/ops-bridge routes, then record non-secret drill evidence. |
Live Gates
| Gate | Blocking work | Owner and route | Expected execution host | Non-secret evidence | Fallback decision | Next action | Status |
|---|---|---|---|---|---|---|---|
| Inter-Hub ops-hub bootstrap | CUST-WP-0049-T06, unblocks CUST-WP-0047-T05 |
inter-hub-bootstrap-ssh for the envelope; openbao-api-key for operator/runtime key custody; ssh-cert-host-access only for cert signing if remote execution is used |
Local workstation with IHUB_OPERATOR_KEY_FILE, or trusted host with railiance-infra force-command wrapper |
Hub id, manifest id, widget count, runtime key prefix only, bootstrap smoke result, State Hub progress id | Prefer API helper. Use deployment-side migration/bootstrap only by explicit operator approval. Manual SQL remains last-resort and must be recorded as an exception. | Operator materializes Inter-Hub operator key through approved custody, runs the ops-hub helper, stores generated runtime key outside Git, removes temp files. | Ready for operator handoff |
| Ops-hub runtime evidence key | IHUB-WP-0022-T04, then IHUB-WP-0022-T07 |
openbao-api-key owned by railiance-platform / OpenBao |
Operator workstation, OpenBao UI/CLI session, or trusted cluster job; not a Codex-visible shell with printed values | OpenBao path/version or populated key count only, token exchange HTTP status, evidence submission smoke id | Attended one-time key file is acceptable only long enough to store in OpenBao and remove; no chat or State Hub transfer. | Store/provide OPS_HUB_KEY via OpenBao path, then run Inter-Hub submission smoke. |
Waiting on operator custody |
| OpenBao unseal and token automation | NET-WP-0020, related OpenBao token-grant and policy-gate blockers |
openbao-api-key for OpenBao issuer/token paths; railiance-infra-principals for host policy; ssh-cert-host-access for cert signing; key-cape-oidc-login for login/MFA |
OpenBao operator terminal, cluster-admin context, or trusted railiance-infra deployment path | Policy names, role names, token accessor only, decision ids, allow/deny smoke result | Keep attended ceremony path until auto-unseal/profile is explicitly approved. Do not invent warden secret or paste VAULT_TOKEN. |
Decide custody profile, apply narrow policy/role through approved issuer path, rerun smoke with non-secret evidence. | Needs operator design/approval |
| Forgejo production migration | RAIL-HO-WP-0005 T02/T06/T11/T12 |
openbao-api-key for SMTP/package/provider credentials; key-cape-oidc-login for login/MFA; ops-bridge-tunnel or ssh-cert-host-access only for host reachability |
Forgejo admin/browser session, railiance01 trusted host, or approved GitOps/deployment path | Decision record id, hostname/exposure choice, SMTP sender/domain alignment, password-reset smoke, backup/restore drill id, package pull smoke, cutover approval id | Keep Gitea as read-only rollback until stabilization passes; do not retire legacy Gitea without explicit approval. | Resolve production choices, store SMTP credentials through OpenBao, run recovery and migration drills, then request cutover approval. | Needs human production decisions |
Route Lookup Commands
cd /home/worsch/ops-warden
uv run warden route show openbao-api-key --json
uv run warden route show inter-hub-bootstrap-ssh --json
uv run warden route show ssh-cert-host-access --json
uv run warden route show railiance-infra-principals --json
uv run warden route show key-cape-oidc-login --json
uv run warden route show ops-bridge-tunnel --json
Pickup Order
- Inter-Hub ops-hub bootstrap, because it unlocks both the now-view and the activity-core evidence lane.
- Ops-hub runtime evidence key, because it is the immediate smoke gate after bootstrap.
- OpenBao custody profile, because several credential-helper and policy-gate blockers collapse once a narrow issuer path exists.
- Forgejo production decisions, because those require human design approval before execution can be responsibly automated.