Warden¶
Warden is the policy and governance plane of the Naftiko Fleet — the component that decides who can call what capability operation, when, and under which conditions, across an entire fleet.
Why Warden¶
Once capabilities expose dozens of MCP tools and REST endpoints to AI agents and human callers, basic authentication is no longer enough. You need fine-grained, attribute-based, auditable authorization that:
- Applies the same policy across every capability in the fleet
- Adjusts to caller context (user, agent, time, environment)
- Evolves without redeploying capabilities
- Produces a complete audit trail of every decision
Warden delivers that as a dedicated policy engine alongside Ikanos.
What it does¶
| Capability | Description |
|---|---|
| Policy as code | OPA/Rego or a higher-level DSL — version-controlled, reviewable |
| Identity propagation | Trust chains across MCP, REST, and Skill calls |
| Just-in-time access | Time-boxed elevation for sensitive operations |
| Audit log | Tamper-evident record of every authorization decision |
| Policy testing | Replay historical traffic against draft policies before rollout |
| Compliance reports | Pre-built reports for SOC 2, ISO 27001, HIPAA, GDPR |
How it integrates¶
Ikanos delegates authorization decisions to Warden via a sidecar or a remote endpoint. Decisions are sub-millisecond and cached per-session.
Editions¶
Warden is included in every edition of the Naftiko Fleet:
| Edition | What you get | License |
|---|---|---|
| Community | Local policy evaluation (Rego), decision API | Naftiko Fleet Freeware EULA |
| Standard | Team-shared policy bundles, dry-run analytics, decision history | Naftiko Commercial License |
| Enterprise | Fleet-wide policy distribution, immutable audit, regulated-environment integrations (SOC 2 / ISO 27001), signed policy bundles | Naftiko Commercial License |
See Fleet → License for the full picture.