# Narrow policy for ops-warden SSH signing (Vault/OpenBao SSH secrets engine). # Bind to dedicated tokens or Kubernetes auth roles — not platform-admin. path "ssh/sign/adm-role" { capabilities = ["create", "update"] } path "ssh/sign/agt-role" { capabilities = ["create", "update"] } path "ssh/sign/atm-role" { capabilities = ["create", "update"] } path "ssh/roles" { capabilities = ["list", "read"] }