coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

plan(WARDEN-WP-0015): register Secret Lifecycle Tiering workplan

Browse Source 
Proposed workplan for the dev→test→prod secret-posture ladder and
ops-warden's conformance-steward role (author + checks, not enforcement).
Authoritative standard lands in net-kingdom canon; ops-warden ships tier
descriptors, a conformance checker, and the dev-tier contract-double
library (the "fake bao" pattern generalized). Registered in State Hub
(workstream 99f4a0e1, 5 tasks); awaiting review before implementation.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Bernd Worsch
2026-06-27 17:37:23 +02:00
parent 652a898149
commit 091ab1fa65
1 changed files with 178 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

178
workplans/WARDEN-WP-0015-secret-lifecycle-tiering.md Normal file
View File

@@ -0,0 +1,178 @@
---
id: WARDEN-WP-0015
type: workplan
title: "Secret Lifecycle Tiering — policy + conformance stewardship"
domain: infotech
repo: ops-warden
status: proposed
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 15
created: "2026-06-27"
updated: "2026-06-27"
state_hub_workstream_id: "99f4a0e1-853c-456f-8aa7-8ff0f318ea65"
---
# WARDEN-WP-0015 — Secret Lifecycle Tiering (policy + conformance)
**Scope:** Establish a NetKingdom standard for how secrets are managed across the
**dev → test → prod** lifecycle, and make ops-warden the **conformance steward** for it.
The standard defines three credential-posture tiers with identical *contracts* and
deliberately divergent *security posture*, plus the phase-change ceremonies between
them. ops-warden authors the ops-security slice of the standard, ships
machine-readable tier descriptors and a conformance checker, and provides a dev-tier
**contract-double** fixture library (the generalization of the "fake bao" pattern).
**Decisions locked (2026-06-27):**
- Authoritative standard lives in **net-kingdom canon** (`docs/`), next to
`openbao-unseal-custody-models.md` and `responsibility-map.md`. ops-warden authors
the ops-security slice and carries a pointer + conformance tooling.
- ops-warden role = **author + conformance checks** (machine-readable descriptors,
drift/conformance checkers, dev-tier doubles). **Not** runtime enforcement.
**Hard boundary (responsibility-map, ~line 154):** ops-warden "must not become a
universal secret broker — runtime secrets remain OpenBao; authorization remains
flex-auth." This WP keeps ops-warden as policy author + conformance verifier only.
OpenBao holds the secrets; flex-auth makes allow/deny decisions.
**Cross-repo note:** T1 authors content destined for **net-kingdom** canon. ops-warden
drafts it; landing it in net-kingdom is a coordinated change through net-kingdom's own
process (inbox/PR), not a unilateral write from this repo.
**Depends on / relates to:** WARDEN-WP-0014 (the `warden access` proxy is the tier-aware
fetch surface; its caller-identity/transit guardrails are tier-prod-compatible).
**Status:** `proposed` — awaiting Bernd's review before implementation.
---
## The model (refined, to be encoded by this WP)
**R1 — Contract parity, posture divergence.** The interface is identical at every
tier; only the backend's security posture changes. Automation written once runs at all
three tiers unchanged. (This is why contract doubles work.)
**R2 — Promote topology, regenerate material.** Secret *values* are never promoted up
the ladder. Only the *structure* (paths, policy shape, names, the secret tree) is
promoted; values are generated fresh at each tier. Test conveniences (reuse,
single-unseal) are quarantined in test by construction.
**R3 — Dev touches no real data, ever.** An insecure personal mock store in dev is
sanctioned *iff* dev uses only synthetic/fixture data. Absolute invariant.
**R4 — Phase-changes are ceremonies, not copies.** test→prod is a gated checklist
(regenerate secrets, switch unseal model, enable break-glass, human sign-off),
referencing the existing net-kingdom `security-bootstrap-*` and unseal-custody docs —
not duplicating them.
**Tier descriptor matrix (encoded in registry/policy):**
| | dev | test | prod |
| --- | --- | --- | --- |
| backend | mock / contract double | OpenBao `-dev` (single-unseal) | OpenBao sealed (Shamir 3-of-5) |
| real values | forbidden (synthetic) | generated, reuse allowed | generated fresh, reuse forbidden |
| unseal | n/a | single key / auto | 3-of-5 + break-glass |
| human-in-loop | never | never | required (break-glass) |
| real user/business data | never | never | allowed |
| audit | optional | on | full, tamper-evident |
---
## Tasks
### T1 — Author the Secret Lifecycle Tiering standard (canon-bound)
```task
id: WARDEN-WP-0015-T01
status: todo
priority: high
state_hub_task_id: "85aeb676-a593-4056-986a-db14d4c5209f"
```
- [ ] Draft `secret-lifecycle-tiering.md` (R1R4 + tier matrix + phase-change gates),
cross-linking `openbao-unseal-custody-models.md`, `responsibility-map.md`,
`platform-root-custody.md`, and the `security-bootstrap-*` ceremony series.
- [ ] Stage the draft in ops-warden (`history/` or `wiki/`) and open a coordination
request to **net-kingdom** to land it as authoritative canon (cross-repo).
- [ ] Encode ops-warden's role explicitly: author + conformance, not enforcement/custody.
### T2 — Machine-readable tier descriptors
```task
id: WARDEN-WP-0015-T02
status: todo
priority: high
state_hub_task_id: "011fb0af-154d-40f4-a03e-3172c325321a"
```
- [ ] `registry/policy/secret-lifecycle-tiers.yaml` — the tier matrix as data
(backend, value-policy, unseal model, human-in-loop, data-class, audit-level).
- [ ] Loader + validation (mirror `routing/catalog.py` rigor; no secret material).
- [ ] Optional `warden policy show|list` lookup (mirrors `warden route`).
### T3 — Conformance checker
```task
id: WARDEN-WP-0015-T03
status: todo
priority: high
state_hub_task_id: "c1a0e987-19d0-478e-ac08-2dbe98e64e09"
```
- [ ] `scripts/check_secret_tier_conformance.py` — given a tier + an environment
descriptor, assert posture matches the standard (e.g. prod must be sealed +
Shamir; dev must have no real-value paths). Drift-style report, like
`check_principals_drift.py`. Read-only; operator runs it.
- [ ] Surface conformance status; never read or print a secret value.
### T4 — Dev-tier contract-double fixture library
```task
id: WARDEN-WP-0015-T04
status: todo
priority: medium
state_hub_task_id: "e556fd2e-4e39-4c7d-bd94-b4330e4bef45"
```
- [ ] Generalize "fake bao": ship hermetic dev-tier doubles for routed subsystems
(bao, key-cape login) honoring each contract (argv/stdout/exit) with synthetic
values only — enabling fully offline dev/test of access flows.
- [ ] Document the pattern in the standard (R1) as the sanctioned dev backend.
### T5 — INTENT/SCOPE alignment
```task
id: WARDEN-WP-0015-T05
status: todo
priority: medium
state_hub_task_id: "298c9b09-4a5a-41bf-a3bd-6c572385236b"
```
- [ ] Update `INTENT.md`: ops-warden stewards **security-policy conformance** of the
infrastructure (authoring the ops-security tiering standard + conformance checks +
dev doubles), scoped explicitly to author+check — **not** enforcement or custody.
- [ ] SCOPE: add the tiering policy + conformance surface; note the net-kingdom canon
home; bump the maturity vector where warranted.
- [ ] `history/2026-06-27-secret-lifecycle-tiering-charter.md` — decision record.
---
## Acceptance
- A coherent dev→test→prod standard exists in net-kingdom canon (R1R4 + tier matrix +
phase-change ceremonies), authored by ops-warden, landed via net-kingdom coordination.
- ops-warden ships tier descriptors + a read-only conformance checker + dev-tier doubles.
- No secret material in any descriptor, checker, fixture, doc, or log.
- ops-warden's role is documented as author+conformance; OpenBao custody and flex-auth
authorization boundaries are explicitly preserved (responsibility-map honored).
- INTENT/SCOPE reflect the conformance-steward role without overclaiming enforcement.
---
## See also
- `WARDEN-WP-0014` (operator access assist; the tier-aware fetch surface)
- `net-kingdom/docs/openbao-unseal-custody-models.md`, `responsibility-map.md`,
`platform-root-custody.md`, `security-bootstrap-*`
- `flex-auth` (runtime-enforceable tier rules, if any, as a follow-up)