feat(WARDEN-WP-0015): T2 — machine-readable posture descriptors + warden policy

Adds registry/policy/security-posture.yaml (Axis A env postures, Axis B
maturity levels M0-M3, dataclass_floor, lattice rule — no secret
material) and src/warden/posture.py: typed loader with validation
(unique/contiguous ranks, floor references known levels) and the pure
can_deliver() lattice helper (no-write-down: prod posture + workload
maturity >= secret required_maturity + dataclass floor). New `warden
policy list|show` read-only lookup mirroring `warden route`.
tests/test_posture.py covers load, the allow/deny lattice matrix,
validation rejections, and CLI. 184 passed, lint clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-27 18:10:54 +02:00
parent a54403b9d7
commit 0812d7303d
5 changed files with 498 additions and 5 deletions


@@ -139,16 +139,20 @@ state_hub_task_id: "85aeb676-a593-4056-986a-db14d4c5209f"
```task
id: WARDEN-WP-0015-T02
status: todo
status: done
priority: high
state_hub_task_id: "011fb0af-154d-40f4-a03e-3172c325321a"
```
- [ ] `registry/policy/security-posture.yaml` — env-posture tiers (backend, value-policy,
- [x] `registry/policy/security-posture.yaml` — env-posture tiers (backend, value-policy,
unseal, data-class, audit) **and** maturity levels (M0M3, max DataClassification,
promotion-gate criteria), plus per-secret `required_maturity` tagging convention.
- [ ] Loader + validation (mirror `routing/catalog.py` rigor; no secret material).
- [ ] Optional `warden policy show|list` lookup (mirrors `warden route`).
promotion gates), `dataclass_floor` mapping, and the lattice rule. No secret material.
- [x] Loader + validation in `src/warden/posture.py` (mirrors `routing/catalog.py`):
unique/contiguous ranks, dataclass_floor references known levels, lattice env
posture exists. Includes the pure `can_deliver` lattice helper (reused by T3).
- [x] `warden policy list|show` lookup (mirrors `warden route`; `--json`).
- [x] Tests: `tests/test_posture.py` (load, lattice allow/deny matrix, validation
rejections, CLI). 184 pass, lint clean.
### T3 — Conformance checker (incl. secret-flow lattice)
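Review bot: The rewritten `registry/policy/security-posture.yaml` bullet drops the per-secret `required_maturity` tagging convention that the old bullet listed, yet the lattice rule named in that same bullet (and the `can_deliver` helper in the loader bullet) depends on each secret carrying a `required_maturity`; either keep the convention in the bullet or state where it is now documented. In the same vein, the loader bullet lists validation of unique/contiguous ranks, `dataclass_floor` references and the lattice env posture, but not that a secret's `required_maturity` must name a known maturity level; if that check exists, list it, otherwise it is a gap worth closing before T3 relies on the helper. Minor: `M0M3` in the bullet is missing the range dash used in the commit title (`M0-M3`).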