Warden — Features

Coming soon

Warden is not yet released. Draft feature set. Ships in every edition of the Naftiko Fleet, with fleet-wide distribution and audit-grade features layered in Standard and Enterprise.


Policy & decisions

| Feature | Description |
| --- | --- |
| Policy as code | Rego (OPA-compatible) plus a higher-level DSL for common patterns |
| Attribute-based | Decisions consider caller identity, capability, operation, time, environment, request body |
| Decision caching | Per-session caching for sub-millisecond latency |
| Sidecar or remote | Deploy as a sidecar to Ikanos or as a centralized service |
| Dry-run mode | Evaluate policies without enforcing — for safe rollout |

Identity & trust

| Feature | Description |
| --- | --- |
| MCP trust propagation | Forward caller identity from MCP through every chained call |
| OIDC integration | Validate tokens from Keycloak, Auth0, Okta, Azure AD |
| OAuth 2.1 | DCR, PKCE, refresh tokens, audience binding |
| mTLS | Mutual TLS between fleet components |
| Just-in-time access | Time-boxed elevation for sensitive operations |

Audit & compliance

| Feature | Description |
| --- | --- |
| Tamper-evident log | Hash-chained audit records |
| Replay | Re-evaluate past decisions against draft policies |
| Compliance reports | Pre-built SOC 2, ISO 27001, HIPAA, GDPR templates |
| Export | Stream to SIEM (Splunk, Elastic, Datadog) via syslog/HTTP |
| PII redaction | Configurable redaction of sensitive fields in logs |

Operations

| Feature | Description |
| --- | --- |
| Hot reload | Policy updates without Ikanos restart |
| Policy testing | Unit tests for Rego; integration tests against recorded traffic |
| Web console | Read-only inspection of decisions, audit log, policy graph |
| CLI | Apply, test, replay, diff policies |
| Skipper integration | Fleet-wide policy distribution and version pinning |

See Roadmap for delivery sequence.