feat(WARDEN-WP-0015): T3 conformance checker + T4 dev-tier contract doubles

Finish the Workload Security Posture workplan (all five tasks done).

T3 — scripts/check_secret_posture_conformance.py: read-only checker that asserts
env-posture conformance (backend/unseal/real_values per tier) and evaluates the
secret-flow lattice via posture.can_deliver. Metadata-only manifest, no secret
values, exit 0/1/2. examples/posture-conformance.example.yaml as the reference.

T4 — src/warden/doubles.py: generalizes "fake bao" into materialize_doubles() —
hermetic, synthetic-only (synthetic- prefix) stand-ins for bao/key-cape honoring
each argv/stdout/exit contract, for fully offline dev/test access flows. Documented
as the sanctioned dev backend in WorkloadSecurityPosture.md R1.

T5 — INTENT/SCOPE/wiki aligned; canon landing in net-kingdom/info-tech-canon left
owner-driven (tracked via coordination messages).

16 new tests, 200 passing, ruff clean. Archived WP-0012/0014/0015 to
workplans/archived/ with 260627- prefix.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-27 19:30:30 +02:00
parent 177e36d5a9
commit 41a55c95b0
10 changed files with 611 additions and 38 deletions
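As an added illustration of the checker shape the commit message describes (a metadata-only manifest, per-tier env-posture rules for backend/unseal/real_values, a secret-flow lattice, exit 0/1/2), the Python below is not ops-warden's `scripts/check_secret_posture_conformance.py` and does not call its `posture.can_deliver`. The tier rules, the trust ordering behind this `can_deliver`, the `doubles` manifest field, the `synthetic-` prefix check and the sample manifests are all assumptions made for this example.

```python
"""Added illustration, not ops-warden's scripts/check_secret_posture_conformance.py.
A read-only, metadata-only posture checker using the commit's 0/1/2 exit
convention. Tier rules, the can_deliver lattice, the 'doubles' field and the
sample manifests are assumptions made for this example."""
import sys

# Assumed per-tier posture requirements (hypothetical).
TIER_RULES = {
    "dev":  {"backend": {"double"},        "unseal": {"none"},         "real_values": False},
    "test": {"backend": {"double", "bao"}, "unseal": {"none", "auto"}, "real_values": False},
    "prod": {"backend": {"bao"},           "unseal": {"auto"},         "real_values": True},
}
TIER_RANK = {"dev": 0, "test": 1, "prod": 2}            # assumed trust order
SECRET_KEYS = {"value", "secret", "password", "token"}  # must never appear in a manifest
SYNTHETIC_PREFIX = "synthetic-"


def can_deliver(src: str, dst: str, synthetic: bool) -> bool:
    """Assumed lattice: synthetic material may flow anywhere; a real value
    never flows into a tier ranked below the one it belongs to."""
    return synthetic or TIER_RANK[dst] >= TIER_RANK[src]


def check_manifest(manifest: dict) -> tuple[int, list[str]]:
    """Return (exit_code, findings): 0 conformant, 1 nonconformant,
    2 manifest unusable (malformed, unknown tier, or carrying secret material).
    Exit 2 is fail-closed: nothing is evaluated once the input is untrusted."""
    findings: list[str] = []
    envs = manifest.get("environments")
    if not isinstance(envs, dict) or not envs:
        return 2, ["manifest has no 'environments' mapping"]
    for tier, posture in envs.items():
        if tier not in TIER_RULES or not isinstance(posture, dict):
            return 2, [f"{tier}: unknown tier or posture is not a mapping"]
        leaked = SECRET_KEYS & set(posture)
        if leaked:  # a posture manifest describes secrets; it must not contain them
            return 2, [f"{tier}: secret-looking keys {sorted(leaked)} present; refusing"]
        rules = TIER_RULES[tier]
        for field in ("backend", "unseal"):
            if posture.get(field) not in rules[field]:
                findings.append(f"{tier}: {field}={posture.get(field)!r} not in {sorted(rules[field])}")
        if posture.get("real_values") is not rules["real_values"]:
            findings.append(f"{tier}: real_values must be {rules['real_values']}")
        for name in posture.get("doubles", []):  # assumed field listing contract doubles
            if not name.startswith(SYNTHETIC_PREFIX):
                findings.append(f"{tier}: double {name!r} lacks {SYNTHETIC_PREFIX!r} prefix")
    for flow in manifest.get("flows", []):
        src, dst = flow.get("from"), flow.get("to")
        if src not in TIER_RANK or dst not in TIER_RANK:
            return 2, [f"flow {src!r}->{dst!r}: unknown tier"]
        if not can_deliver(src, dst, bool(flow.get("synthetic", False))):
            findings.append(f"flow {src}->{dst}: real value may not be delivered downward")
    return (1 if findings else 0), findings


# Constructed sample manifests (metadata only; no secret values).
CONFORMANT = {
    "environments": {
        "dev":  {"backend": "double", "unseal": "none", "real_values": False,
                 "doubles": ["synthetic-bao", "synthetic-key-cape"]},
        "prod": {"backend": "bao", "unseal": "auto", "real_values": True},
    },
    "flows": [{"from": "prod", "to": "dev", "synthetic": True},
              {"from": "test", "to": "prod", "synthetic": False}],
}
NONCONFORMANT = {
    "environments": {
        "dev":  {"backend": "bao", "unseal": "none", "real_values": True,
                 "doubles": ["fake-bao"]},
        "prod": {"backend": "bao", "unseal": "auto", "real_values": True},
    },
    "flows": [{"from": "prod", "to": "dev", "synthetic": False}],
}
UNUSABLE = {"environments": {"prod": {"backend": "bao", "unseal": "auto",
                                      "real_values": True, "token": "s.abc"}}}

if __name__ == "__main__":
    code, findings = check_manifest(NONCONFORMANT)
    print("\n".join(findings) or "conformant")
    sys.exit(code)
```

The refusal on secret-looking keys is the point worth copying: a conformance checker that accepts a manifest containing values has already taken custody of them, which is exactly what the commit says the checker avoids.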


@@ -31,11 +31,12 @@ NetKingdom security map, machine-readable pointer catalog
handoffs for every catalog need and can proxy `exec_capable` lanes as the caller,
without taking custody of values.
**Workload security posture** is drafted (WP-0015 T1): dev/test/prod environment
posture, M0-M3 workload maturity, the secret-flow lattice, and blocker triage
language. Machine-readable descriptors and `warden policy list|show` shipped in
WP-0015 T2; the read-only conformance checker and dev contract doubles remain
WP-0015 follow-up tasks.
**Workload security posture** is shipped (WP-0015, all tasks done): dev/test/prod
environment posture, M0-M3 workload maturity, the secret-flow lattice, and blocker
triage language (T1); machine-readable descriptors + `warden policy list|show` (T2);
the read-only conformance checker `scripts/check_secret_posture_conformance.py` (T3);
and the dev-tier contract-double library `warden.doubles` (T4). Canon landing in
net-kingdom / info-tech-canon is owner-driven (tracked via coordination messages, T5).
**Policy gate** is shipped on the caller side (WP-0007) with production registry
and smoke evidence (WP-0009 archived). flex-auth published the `ssh-certificate`
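Review bot: the `warden.doubles` mention at the end of the rewritten paragraph should state the property that makes it acceptable as a dev backend, namely that the doubles are hermetic and emit only `synthetic-`-prefixed material (as the commit message puts it), otherwise a reader of the security map cannot tell a contract double from a real bao/key-cape pointed at dev. Suggest: the dev-tier contract-double library `warden.doubles` (hermetic, synthetic-only; T4).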
@@ -77,7 +78,7 @@ Gap analysis: `history/2026-06-24-intent-scope-gap-analysis.md` (current);
| ops-bridge integrates via stable `cert_command` | **Partial** — contract yes; tunnels still static-key |
| NetKingdom evolution reflected in docs | Met |
| Non-SSH secrets stay out of ops-warden | Met |
| Workload posture / maturity model for secret-flow blockers | Drafted (WP-0015 T1); conformance tooling pending |
| Workload posture / maturity model for secret-flow blockers | Met — two-axis standard + descriptors + conformance checker + dev doubles (WP-0015) |
**Maturity vector:** `D5 / A5 / C4 / R3` (Discovery / Availability / Completeness / Reliability)
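Review bot: `Met` in the replaced row overstates the status while the canon landing is still owner-driven and pending; the row should separate the ops-warden deliverables (standard, descriptors, checker, doubles) from the cross-repo landing so the gap analysis does not read as fully closed. Suggest: `Met on the ops-warden side (WP-0015); canon landing tracked under Known gaps`.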
@@ -132,8 +133,9 @@ for the rest.
- Capability registry entry for SSH certificate issuance
- Routing pointer catalog (`registry/routing/catalog.yaml`)
- Keeping ops access patterns consistent with `net-kingdom` platform architecture
- Workload Security Posture draft (`wiki/WorkloadSecurityPosture.md`) and planned
machine-readable posture descriptors, conformance checks, and dev-tier doubles
- Workload Security Posture standard (`wiki/WorkloadSecurityPosture.md`),
machine-readable posture descriptors (`registry/policy/security-posture.yaml`),
the read-only conformance checker, and the dev-tier contract-double library
### Shipped workplans (archived)
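Review bot: the rewritten scope bullet gives a path for the descriptors (`registry/policy/security-posture.yaml`) but none for the conformance checker or the double library, so it is less navigable than the neighbouring bullet that names `registry/routing/catalog.yaml`. Suggest naming `scripts/check_secret_posture_conformance.py` and `src/warden/doubles.py` (both from the commit message) inline in the bullet.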
@@ -146,14 +148,15 @@ for the rest.
| WP-0009 | flex-auth registry + policy smoke; pickup brief for FLEX-WP-0007 |
| WP-0010 | Access routing charter + pointer catalog |
| WP-0011 | `warden route` lookup CLI |
| WP-0012 | Routing scenario playbooks (catalog + wiki expansion) |
| WP-0013 | Production integration closeout — cert_command playbook, token hygiene, principals drift |
| WP-0014 | Operator access assist — `warden access` advisory + proxy front door |
| WP-0015 | Workload security posture — two-axis standard, descriptors, conformance checker, dev doubles |
### Active / ready
| WP | Status | Focus |
| --- | --- | --- |
| **WP-0012** | `active` | Routing scenario playbooks (catalog + wiki expansion) |
| **WP-0015** | `active` | Workload security posture: env posture, maturity, conformance, dev doubles |
_None open._ All ops-warden workplans are finished; the remaining distance is in other
repos' lanes (see Known gaps).
### Known gaps (not ops-warden workplans)
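Review bot: the `Active / ready` section now renders a table header (`| WP | Status | Focus |` plus the separator) with no rows directly above `_None open._`; either drop the two header lines or keep a single placeholder row so the rendered markdown is not an orphan header.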
@@ -164,7 +167,7 @@ for the rest.
| ops-bridge `cert_command` on live tunnels | ops-bridge | Playbook shipped (`wiki/playbooks/ops-bridge-tunnel-cert.md`); pilot pending |
| Principals sync warden ↔ railiance-infra | ops-warden + infra | `scripts/check_principals_drift.py` — operator runs periodically |
| NK-WP-0009 joint SSH tutorial | net-kingdom | Parallel coordination track |
| WP-0015 conformance checker/dev doubles | ops-warden | T3-T4 pending; canon landing tracked in T5 |
| WP-0015 canon landing (generic `WorkloadMaturityLevel` + M0-M3 requirements) | net-kingdom + info-tech-canon | ops-warden drafted + offered (coordination msgs); owner-driven landing |
---
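Review bot: the new Known gaps row names two owning repos but, unlike the rows above it that point at a playbook or a script, gives no location for the drafted `WorkloadMaturityLevel` text or for the coordination messages, so a net-kingdom or info-tech-canon owner reading this table has nothing to pick up from. Suggest citing the section of `wiki/WorkloadSecurityPosture.md` that holds the offered draft, or the message thread, in the row.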
@@ -216,8 +219,9 @@ for the rest.
- **Access routing:** WP-0010 + WP-0011 shipped (`warden route`, pointer catalog)
- **Policy gate:** caller shipped (WP-0007); registry + smoke complete (WP-0009 archived).
`policy.enabled: false` until flex-auth reachable (`FLEX-WP-0007`)
- **Active work:** WP-0012 (routing playbooks — T2/T3 done) and WP-0015
(workload posture T1/T2 done, T5 in progress; checker/dev doubles pending)
- **Workload posture:** WP-0015 shipped (standard, descriptors, `warden policy`,
conformance checker, dev doubles); canon landing owner-driven
- **Active work:** none open in ops-warden; remaining distance is other repos' lanes
- **Integration docs:** cert_command migration, token hygiene, principals drift (`wiki/playbooks/`)
- **Latest assessment:** `history/2026-06-24-intent-scope-gap-analysis.md`
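Review bot: `Active work: none open in ops-warden` sits at odds with the `policy.enabled: false` bullet two lines above, which leaves the policy gate disabled pending `FLEX-WP-0007`, and with the principals drift check the Known gaps table assigns to ops-warden + infra as a recurring operator task. Suggest: `none open; external dependencies (FLEX-WP-0007) and recurring operator checks tracked under Known gaps`, so the summary does not read as nothing left to run.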