Clarify workload secret posture stewardship

This commit is contained in:
2026-06-27 18:22:09 +02:00
parent 32ae4f6851
commit 177e36d5a9
6 changed files with 178 additions and 48 deletions

View File

@@ -0,0 +1,53 @@
# Workload Security Posture Charter
Date: 2026-06-27
Workplan: WARDEN-WP-0015
## Decision
ops-warden will steward the NetKingdom workload security posture model as an
author-and-conformance surface, not as runtime enforcement or secret custody. The
model has two orthogonal axes:
- environment posture: `dev`, `test`, `prod` secret-store posture;
- workload maturity: `M0` through `M3`, describing whether a workload may receive
increasingly sensitive secrets/data.
The axes combine in a secret-flow lattice. A real secret may flow only when the
workload is in prod posture, the workload maturity meets the secret's
`required_maturity`, and the maturity meets the floor implied by the secret's data
classification.
## Boundary
This expands ops-warden's stewardship role without expanding secret custody:
- OpenBao holds secret values.
- flex-auth makes allow/deny decisions and is the eventual runtime enforcement point
for the lattice.
- key-cape/Keycloak establish identity.
- CARING governs access semantics.
- ops-warden issues SSH certificates, routes/assists other credential lanes, and
checks conformance evidence.
`warden access` from WP-0014 remains valid under this model because it is a
transparent conduit: it runs the owning tool as the caller, does not hold a standing
credential, does not persist values, and records metadata-only audit evidence.
## Why it matters
The model turns vague IT-security blockers into named outcomes:
- dev/test work can proceed with synthetic contract doubles rather than waiting for
production secrets;
- production work with real values must name owner custody, policy gate, posture,
maturity, and non-secret evidence;
- maturity below a secret's requirement remains a real blocker until the workload or
design changes;
- operator ceremonies such as prod OpenBao unseal and issuer custody remain hard
gates and must not be bypassed with agent-visible secret values.
## Follow-up
WARDEN-WP-0015 continues with the read-only conformance checker, dev-tier contract
doubles, and coordinated canon landing in net-kingdom and info-tech-canon.