generated from coulomb/repo-seed
feat(WARDEN-WP-0015): T2 — machine-readable posture descriptors + warden policy
Adds registry/policy/security-posture.yaml (Axis A env postures, Axis B maturity levels M0-M3, dataclass_floor, lattice rule — no secret material) and src/warden/posture.py: typed loader with validation (unique/contiguous ranks, floor references known levels) and the pure can_deliver() lattice helper (no-write-down: prod posture + workload maturity >= secret required_maturity + dataclass floor). New `warden policy list|show` read-only lookup mirroring `warden route`. tests/test_posture.py covers load, the allow/deny lattice matrix, validation rejections, and CLI. 184 passed, lint clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
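As an added example that is not the repository's code, here is a small model of the lattice rule the commit message describes. The descriptor shape, the level and data-class names, and the reading of the rule as min(env posture, workload maturity) >= max(required_maturity, dataclass floor) are assumptions made for illustration only.

```python
"""Added example (not the warden project's code): a minimal model of the
security-posture lattice described in the commit message.  The descriptor
shape, level names and data-class names below are constructed assumptions;
only the rule itself (environment posture and workload maturity must both
reach the secret's required maturity, and the environment must also meet
the data-class floor) comes from the commit message."""

# Constructed descriptor: Axis B maturity levels with contiguous ranks, an
# Axis A posture per environment, and a dataclass_floor mapping each data
# class to the lowest maturity level allowed to hold it.
POSTURE = {
    "maturity_levels": {"M0": 0, "M1": 1, "M2": 2, "M3": 3},
    "env_postures": {"dev": "M0", "staging": "M2", "prod": "M3"},
    "dataclass_floor": {"public": "M0", "internal": "M1",
                        "confidential": "M2", "restricted": "M3"},
}


def validate(policy: dict) -> dict:
    """Reject descriptors whose ranks are not unique and contiguous, or whose
    floors / env postures name a maturity level that does not exist."""
    levels = policy["maturity_levels"]
    ranks = sorted(levels.values())
    if ranks != list(range(len(ranks))):  # unique and contiguous 0..n-1
        raise ValueError(f"maturity ranks must be unique and contiguous: {ranks}")
    for data_class, level in policy["dataclass_floor"].items():
        if level not in levels:
            raise ValueError(f"dataclass_floor[{data_class}] references unknown level {level}")
    for env, level in policy["env_postures"].items():
        if level not in levels:
            raise ValueError(f"env posture {env} references unknown level {level}")
    return policy


def can_deliver(policy: dict, env: str, workload_maturity: str,
                required_maturity: str, data_class: str) -> bool:
    """Pure lattice check: a secret may flow to a workload only if both the
    environment posture and the workload maturity rank at or above the
    secret's required maturity AND at or above the data-class floor, so a
    secret never lands in a tier below the level it was classified for."""
    rank = policy["maturity_levels"]
    need = max(rank[required_maturity], rank[policy["dataclass_floor"][data_class]])
    env_rank = rank[policy["env_postures"][env]]
    return env_rank >= need and rank[workload_maturity] >= need
```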
@@ -139,16 +139,20 @@ state_hub_task_id: "85aeb676-a593-4056-986a-db14d4c5209f"
```task
id: WARDEN-WP-0015-T02
status: todo
status: done
priority: high
state_hub_task_id: "011fb0af-154d-40f4-a03e-3172c325321a"
```
- [ ] `registry/policy/security-posture.yaml` — env-posture tiers (backend, value-policy,
- [x] `registry/policy/security-posture.yaml` — env-posture tiers (backend, value-policy,
unseal, data-class, audit) **and** maturity levels (M0–M3, max DataClassification,
promotion-gate criteria), plus per-secret `required_maturity` tagging convention.
- [ ] Loader + validation (mirror `routing/catalog.py` rigor; no secret material).
- [ ] Optional `warden policy show|list` lookup (mirrors `warden route`).
promotion gates), `dataclass_floor` mapping, and the lattice rule. No secret material.
- [x] Loader + validation in `src/warden/posture.py` (mirrors `routing/catalog.py`):
unique/contiguous ranks, dataclass_floor references known levels, lattice env
posture exists. Includes the pure `can_deliver` lattice helper (reused by T3).
- [x] `warden policy list|show` lookup (mirrors `warden route`; `--json`).
- [x] Tests: `tests/test_posture.py` (load, lattice allow/deny matrix, validation
rejections, CLI). 184 pass, lint clean.
### T3 — Conformance checker (incl. secret-flow lattice)
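Review bot: the validation list in this hunk (unique/contiguous ranks, `dataclass_floor` references known levels, lattice env posture exists) does not mention checking that a secret's `required_maturity` tag, introduced as a tagging convention in the same checklist item, names a known maturity level; either add that check to the `src/warden/posture.py` loader alongside the floor check, or state in the T2 item that the T3 conformance checker is where an unknown `required_maturity` is rejected, since `can_deliver` is noted as reused by T3.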