generated from coulomb/repo-seed
feat(WARDEN-WP-0015): T3 conformance checker + T4 dev-tier contract doubles
Finish the Workload Security Posture workplan (all five tasks done).

T3 — scripts/check_secret_posture_conformance.py: read-only checker that asserts env-posture conformance (backend/unseal/real_values per tier) and evaluates the secret-flow lattice via posture.can_deliver. Metadata-only manifest, no secret values, exit 0/1/2. examples/posture-conformance.example.yaml as the reference.

T4 — src/warden/doubles.py: generalizes "fake bao" into materialize_doubles() — hermetic, synthetic-only (synthetic- prefix) stand-ins for bao/key-cape honoring each argv/stdout/exit contract, for fully offline dev/test access flows. Documented as the sanctioned dev backend in WorkloadSecurityPosture.md R1.

T5 — INTENT/SCOPE/wiki aligned; canon landing in net-kingdom/info-tech-canon left owner-driven (tracked via coordination messages).

16 new tests, 200 passing, ruff clean. Archived WP-0012/0014/0015 to workplans/archived/ with 260627- prefix.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
41
examples/posture-conformance.example.yaml
Normal file
@@ -0,0 +1,41 @@
# Example target manifest for scripts/check_secret_posture_conformance.py (WP-0015 T3).
#
# A *metadata-only* description of workloads, the observed posture of each
# environment's secret store, and the secret flows being requested. It carries NO
# secret values — only ids, postures, maturities, required_maturity, and data class.
# The checker compares this against registry/policy/security-posture.yaml and the
# secret-flow lattice, and reports conformance + lattice violations. Read-only.
# Observed posture of each environment's secret store. The checker asserts these
# match the standard env_postures descriptor (backend / unseal / real_values).
environments:
dev:
backend: mock-or-contract-double
real_values: forbidden
unseal: n/a
prod:
backend: openbao-sealed-shamir
real_values: generated-fresh-no-reuse
unseal: shamir-3-of-5-break-glass
# Workloads and the trust we attribute to each (env posture + maturity level).
workloads:
- id: activity-core-triage
env_posture: prod
maturity: M2
- id: dev-sandbox
env_posture: dev
maturity: M0
# Secret flows being requested. Each is evaluated against the lattice for its
# target workload. required_maturity / dataclass are the secret's *requirements*,
# never the value.
secret_requests:
- secret: openrouter-api-key
to_workload: activity-core-triage
required_maturity: M2
dataclass: confidential
- secret: regulated-export-cred
to_workload: dev-sandbox # expected DENY: dev posture + M0 < M3
required_maturity: M3
dataclass: restricted
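Review bot: the expected verdict for the second request exists only as a trailing comment (`to_workload: dev-sandbox # expected DENY: dev posture + M0 < M3`), so nothing can confirm that the checker actually returns the deny exit code for the file the header calls the reference manifest; consider adding a machine-readable expectation per request (for example an `expected: deny` / `expected: allow` key, name hypothetical) and a test that runs the checker over this file and asserts the exit code, and give the first request (`openrouter-api-key` to `activity-core-triage`, `required_maturity: M2` against a workload at `maturity: M2`) its expected verdict too, so the allow path is exercised alongside the deny path rather than left implicit. Also worth documenting in the header comment whether `unseal: n/a` for `dev` must match the env_postures descriptor literally as the string `n/a` or whether an omitted key is treated as equivalent, since the file states the checker asserts these fields match and a mismatch on that convention would show up as a false conformance failure.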