From 091ab1fa65d523711cd2f4325e66db59daf52d96 Mon Sep 17 00:00:00 2001 From: tegwick Date: Sat, 27 Jun 2026 17:37:23 +0200 Subject: [PATCH] plan(WARDEN-WP-0015): register Secret Lifecycle Tiering workplan MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Proposed workplan for the dev→test→prod secret-posture ladder and ops-warden's conformance-steward role (author + checks, not enforcement). Authoritative standard lands in net-kingdom canon; ops-warden ships tier descriptors, a conformance checker, and the dev-tier contract-double library (the "fake bao" pattern generalized). Registered in State Hub (workstream 99f4a0e1, 5 tasks); awaiting review before implementation. Co-Authored-By: Claude Opus 4.8 --- ...WARDEN-WP-0015-secret-lifecycle-tiering.md | 178 ++++++++++++++++++ 1 file changed, 178 insertions(+) create mode 100644 workplans/WARDEN-WP-0015-secret-lifecycle-tiering.md diff --git a/workplans/WARDEN-WP-0015-secret-lifecycle-tiering.md b/workplans/WARDEN-WP-0015-secret-lifecycle-tiering.md new file mode 100644 index 0000000..1345b2a --- /dev/null +++ b/workplans/WARDEN-WP-0015-secret-lifecycle-tiering.md 
@@ -0,0 +1,178 @@ +--- +id: WARDEN-WP-0015 +type: workplan +title: "Secret Lifecycle Tiering — policy + conformance stewardship" +domain: infotech +repo: ops-warden +status: proposed +owner: codex +topic_slug: custodian +planning_priority: high +planning_order: 15 +created: "2026-06-27" +updated: "2026-06-27" +state_hub_workstream_id: "99f4a0e1-853c-456f-8aa7-8ff0f318ea65" +--- + +# WARDEN-WP-0015 — Secret Lifecycle Tiering (policy + conformance) + +**Scope:** Establish a NetKingdom standard for how secrets are managed across the +**dev → test → prod** lifecycle, and make ops-warden the **conformance steward** for it. +The standard defines three credential-posture tiers with identical *contracts* and +deliberately divergent *security posture*, plus the phase-change ceremonies between +them. ops-warden authors the ops-security slice of the standard, ships +machine-readable tier descriptors and a conformance checker, and provides a dev-tier +**contract-double** fixture library (the generalization of the "fake bao" pattern). + +**Decisions locked (2026-06-27):** +- Authoritative standard lives in **net-kingdom canon** (`docs/`), next to + `openbao-unseal-custody-models.md` and `responsibility-map.md`. ops-warden authors + the ops-security slice and carries a pointer + conformance tooling. +- ops-warden role = **author + conformance checks** (machine-readable descriptors, + drift/conformance checkers, dev-tier doubles). **Not** runtime enforcement. + +**Hard boundary (responsibility-map, ~line 154):** ops-warden "must not become a +universal secret broker — runtime secrets remain OpenBao; authorization remains +flex-auth." This WP keeps ops-warden as policy author + conformance verifier only. +OpenBao holds the secrets; flex-auth makes allow/deny decisions. + +**Cross-repo note:** T1 authors content destined for **net-kingdom** canon. 
ops-warden +drafts it; landing it in net-kingdom is a coordinated change through net-kingdom's own +process (inbox/PR), not a unilateral write from this repo. + +**Depends on / relates to:** WARDEN-WP-0014 (the `warden access` proxy is the tier-aware +fetch surface; its caller-identity/transit guardrails are tier-prod-compatible). + +**Status:** `proposed` — awaiting Bernd's review before implementation. + +--- + +## The model (refined, to be encoded by this WP) + +**R1 — Contract parity, posture divergence.** The interface is identical at every +tier; only the backend's security posture changes. Automation written once runs at all +three tiers unchanged. (This is why contract doubles work.) + +**R2 — Promote topology, regenerate material.** Secret *values* are never promoted up +the ladder. Only the *structure* (paths, policy shape, names, the secret tree) is +promoted; values are generated fresh at each tier. Test conveniences (reuse, +single-unseal) are quarantined in test by construction. + +**R3 — Dev touches no real data, ever.** An insecure personal mock store in dev is +sanctioned *iff* dev uses only synthetic/fixture data. Absolute invariant. + +**R4 — Phase-changes are ceremonies, not copies.** test→prod is a gated checklist +(regenerate secrets, switch unseal model, enable break-glass, human sign-off), +referencing the existing net-kingdom `security-bootstrap-*` and unseal-custody docs — +not duplicating them. 
+ +**Tier descriptor matrix (encoded in registry/policy):** + +| | dev | test | prod | +| --- | --- | --- | --- | +| backend | mock / contract double | OpenBao `-dev` (single-unseal) | OpenBao sealed (Shamir 3-of-5) | +| real values | forbidden (synthetic) | generated, reuse allowed | generated fresh, reuse forbidden | +| unseal | n/a | single key / auto | 3-of-5 + break-glass | +| human-in-loop | never | never | required (break-glass) | +| real user/business data | never | never | allowed | +| audit | optional | on | full, tamper-evident | + +--- + +## Tasks + +### T1 — Author the Secret Lifecycle Tiering standard (canon-bound) + +```task +id: WARDEN-WP-0015-T01 +status: todo +priority: high +state_hub_task_id: "85aeb676-a593-4056-986a-db14d4c5209f" +``` + +- [ ] Draft `secret-lifecycle-tiering.md` (R1–R4 + tier matrix + phase-change gates), + cross-linking `openbao-unseal-custody-models.md`, `responsibility-map.md`, + `platform-root-custody.md`, and the `security-bootstrap-*` ceremony series. +- [ ] Stage the draft in ops-warden (`history/` or `wiki/`) and open a coordination + request to **net-kingdom** to land it as authoritative canon (cross-repo). +- [ ] Encode ops-warden's role explicitly: author + conformance, not enforcement/custody. + +### T2 — Machine-readable tier descriptors + +```task +id: WARDEN-WP-0015-T02 +status: todo +priority: high +state_hub_task_id: "011fb0af-154d-40f4-a03e-3172c325321a" +``` + +- [ ] `registry/policy/secret-lifecycle-tiers.yaml` — the tier matrix as data + (backend, value-policy, unseal model, human-in-loop, data-class, audit-level). +- [ ] Loader + validation (mirror `routing/catalog.py` rigor; no secret material). +- [ ] Optional `warden policy show|list` lookup (mirrors `warden route`). 
+ +### T3 — Conformance checker + +```task +id: WARDEN-WP-0015-T03 +status: todo +priority: high +state_hub_task_id: "c1a0e987-19d0-478e-ac08-2dbe98e64e09" +``` + +- [ ] `scripts/check_secret_tier_conformance.py` — given a tier + an environment + descriptor, assert posture matches the standard (e.g. prod must be sealed + + Shamir; dev must have no real-value paths). Drift-style report, like + `check_principals_drift.py`. Read-only; operator runs it. +- [ ] Surface conformance status; never read or print a secret value. + +### T4 — Dev-tier contract-double fixture library + +```task +id: WARDEN-WP-0015-T04 +status: todo +priority: medium +state_hub_task_id: "e556fd2e-4e39-4c7d-bd94-b4330e4bef45" +``` + +- [ ] Generalize "fake bao": ship hermetic dev-tier doubles for routed subsystems + (bao, key-cape login) honoring each contract (argv/stdout/exit) with synthetic + values only — enabling fully offline dev/test of access flows. +- [ ] Document the pattern in the standard (R1) as the sanctioned dev backend. + +### T5 — INTENT/SCOPE alignment + +```task +id: WARDEN-WP-0015-T05 +status: todo +priority: medium +state_hub_task_id: "298c9b09-4a5a-41bf-a3bd-6c572385236b" +``` + +- [ ] Update `INTENT.md`: ops-warden stewards **security-policy conformance** of the + infrastructure (authoring the ops-security tiering standard + conformance checks + + dev doubles), scoped explicitly to author+check — **not** enforcement or custody. +- [ ] SCOPE: add the tiering policy + conformance surface; note the net-kingdom canon + home; bump the maturity vector where warranted. +- [ ] `history/2026-06-27-secret-lifecycle-tiering-charter.md` — decision record. + +--- + +## Acceptance + +- A coherent dev→test→prod standard exists in net-kingdom canon (R1–R4 + tier matrix + + phase-change ceremonies), authored by ops-warden, landed via net-kingdom coordination. +- ops-warden ships tier descriptors + a read-only conformance checker + dev-tier doubles. 
+- No secret material in any descriptor, checker, fixture, doc, or log. +- ops-warden's role is documented as author+conformance; OpenBao custody and flex-auth + authorization boundaries are explicitly preserved (responsibility-map honored). +- INTENT/SCOPE reflect the conformance-steward role without overclaiming enforcement. + +--- + +## See also + +- `WARDEN-WP-0014` (operator access assist; the tier-aware fetch surface) +- `net-kingdom/docs/openbao-unseal-custody-models.md`, `responsibility-map.md`, + `platform-root-custody.md`, `security-bootstrap-*` +- `flex-auth` (runtime-enforceable tier rules, if any, as a follow-up)
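Review bot: The T3 checklist is the only place the R1–R4 invariants become testable, but it names just two example assertions ("prod must be sealed + Shamir; dev must have no real-value paths") while the tier matrix has six rows per tier, and the acceptance line "No secret material in any descriptor, checker, fixture, doc, or log" has no corresponding check at all. Suggest listing one assertion per matrix row in T3 (backend, value-policy, unseal, human-in-loop, data-class, audit) so `check_secret_tier_conformance.py` and `registry/policy/secret-lifecycle-tiers.yaml` stay one-to-one, and stating which metadata the "environment descriptor" is built from (seal status, path structure, audit setting, but never a read of a secret path) so the "never read or print a secret value" line is guaranteed by construction rather than by convention. The matrix cell "generated, reuse allowed" for test also needs a stated bound (reuse within test only, never across tiers) for the R2 claim "quarantined in test by construction" to be something the checker can actually verify.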