Warden — FAQ¶

Is Warden an OPA fork?¶

No — Warden uses OPA's Rego language for policy authoring (so existing Rego expertise transfers), but is implemented independently with Fleet-native integration: MCP trust propagation, audit chaining, and Skipper-distributed policy bundles.

Can I use Warden with non-Naftiko services?¶

Yes. Warden speaks a standard HTTP decision protocol; any service that can make a decision call can ask Warden. The deepest integration is with Ikanos, where authorization hooks are first-class.

Do I need Warden for basic auth?¶

No. Ikanos handles bearer / API-key / Basic / Digest / OAuth 2.1 natively. Warden is for fine-grained authorization — who can call what operation under which conditions — beyond what authentication alone can express.

What's the performance cost?¶

Sub-millisecond per decision when sidecar-deployed, with per-session caching. Centralized mode adds network latency (typically 1-5ms intra-VPC).

Is the audit log tamper-proof?¶

Hash-chained — each record contains the hash of the previous record, so tampering is detectable. For full tamper-proof guarantees, ship the log to a write-once SIEM or to a blockchain anchor (post-1.0).

How is policy distributed across a fleet?¶

In standalone mode: file-system bundles loaded on startup or via hot reload. In Skipper-coordinated mode: Skipper signs bundles and pushes them to every Warden instance, with version-pinning per capability.

How is it licensed?¶

Warden ships in every edition of the Naftiko Fleet. The Community baseline (local policy evaluation, Rego authoring, decision API) is distributed under the Naftiko Fleet Freeware EULA — free for personal and internal business use. Standard premium features (team-shared bundles, dry-run analytics) are per-seat. Enterprise premium features (fleet-wide distribution, audit trail, regulated-environment integrations) are per-instance with SLA terms under the Naftiko Commercial License. See Fleet → License.

When will it ship?¶

See Roadmap. v0.1 preview is post-Ikanos GA.