Warden¶

Coming soon

Warden is not yet released. This page is a draft of the planned design.

Warden is the policy and governance plane of the Naftiko Fleet — the component that decides who can call what capability operation, when, and under which conditions, across an entire fleet.

Available in every edition

Warden ships in every edition of the Naftiko Fleet. The Community edition includes a local policy engine and Rego authoring under Apache 2.0. Standard adds team-shared policy bundles and dry-run analytics. Enterprise layers fleet-wide policy distribution, immutable audit trails, and regulated-environment integrations on top.

Why Warden¶

Once capabilities expose dozens of MCP tools and REST endpoints to AI agents and human callers, basic authentication is no longer enough. You need fine-grained, attribute-based, auditable authorization that:

Applies the same policy across every capability in the fleet
Adjusts to caller context (user, agent, time, environment)
Evolves without redeploying capabilities
Produces a complete audit trail of every decision

Warden delivers that as a dedicated policy engine alongside Ikanos.

What it does¶

Capability	Description
Policy as code	OPA/Rego or a higher-level DSL — version-controlled, reviewable
Identity propagation	Trust chains across MCP, REST, and Skill calls
Just-in-time access	Time-boxed elevation for sensitive operations
Audit log	Tamper-evident record of every authorization decision
Policy testing	Replay historical traffic against draft policies before rollout
Compliance reports	Pre-built reports for SOC 2, ISO 27001, HIPAA, GDPR

How it integrates¶

   Caller ──► Ikanos ──► (consult) ──► Warden ──► decision
                                              │
                                              ▼
                                          audit log

Ikanos delegates authorization decisions to Warden via a sidecar or a remote endpoint. Decisions are sub-millisecond and cached per-session.

Editions¶

Warden is included in every edition of the Naftiko Fleet:

Edition	What you get	License
Community	Local policy evaluation (Rego), decision API	Naftiko Fleet Freeware EULA
Standard	Team-shared policy bundles, dry-run analytics, decision history	Naftiko Commercial License
Enterprise	Fleet-wide policy distribution, immutable audit, regulated-environment integrations (SOC 2 / ISO 27001), signed policy bundles	Naftiko Commercial License

See Fleet → License for the full picture.