generated from coulomb/repo-seed
Clarify workload secret posture stewardship
53
history/2026-06-27-workload-security-posture-charter.md
Normal file
@@ -0,0 +1,53 @@
# Workload Security Posture Charter

Date: 2026-06-27
Workplan: WARDEN-WP-0015

## Decision

ops-warden will steward the NetKingdom workload security posture model as an
author-and-conformance surface, not as runtime enforcement or secret custody. The
model has two orthogonal axes:

- environment posture: `dev`, `test`, `prod` secret-store posture;
- workload maturity: `M0` through `M3`, describing whether a workload may receive
increasingly sensitive secrets/data.

The axes combine in a secret-flow lattice. A real secret may flow only when the
workload is in prod posture, the workload maturity meets the secret's
`required_maturity`, and the maturity meets the floor implied by the secret's data
classification.

## Boundary

This expands ops-warden's stewardship role without expanding secret custody:

- OpenBao holds secret values.
- flex-auth makes allow/deny decisions and is the eventual runtime enforcement point
for the lattice.
- key-cape/Keycloak establish identity.
- CARING governs access semantics.
- ops-warden issues SSH certificates, routes/assists other credential lanes, and
checks conformance evidence.

`warden access` from WP-0014 remains valid under this model because it is a
transparent conduit: it runs the owning tool as the caller, does not hold a standing
credential, does not persist values, and records metadata-only audit evidence.

## Why it matters

The model turns vague IT-security blockers into named outcomes:

- dev/test work can proceed with synthetic contract doubles rather than waiting for
production secrets;
- production work with real values must name owner custody, policy gate, posture,
maturity, and non-secret evidence;
- maturity below a secret's requirement remains a real blocker until the workload or
design changes;
- operator ceremonies such as prod OpenBao unseal and issuer custody remain hard
gates and must not be bypassed with agent-visible secret values.

## Follow-up

WARDEN-WP-0015 continues with the read-only conformance checker, dev-tier contract
doubles, and coordinated canon landing in net-kingdom and info-tech-canon.
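Review bot: the third condition of the lattice rule in the Decision section, "the maturity meets the floor implied by the secret's data classification", names a classification-to-maturity mapping that appears nowhere in this file, so the read-only conformance checker promised in Follow-up cannot evaluate that condition from the charter alone; suggest adding the mapping (or a pointer to where in net-kingdom or info-tech-canon it is defined) directly after the `required_maturity` sentence. Related, the Boundary section calls flex-auth the "eventual" runtime enforcement point while ops-warden only "checks conformance evidence", which means the lattice has no runtime enforcement until flex-auth lands; the Follow-up section should state that interim condition explicitly so that "A real secret may flow only when" is not read as enforced today.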