feat(WARDEN-WP-0015): T3 conformance checker + T4 dev-tier contract doubles

Finish the Workload Security Posture workplan (all five tasks done).

T3 — scripts/check_secret_posture_conformance.py: read-only checker that asserts
env-posture conformance (backend/unseal/real_values per tier) and evaluates the
secret-flow lattice via posture.can_deliver. Metadata-only manifest, no secret
values, exit 0/1/2. examples/posture-conformance.example.yaml as the reference.

T4 — src/warden/doubles.py: generalizes "fake bao" into materialize_doubles() —
hermetic, synthetic-only (synthetic- prefix) stand-ins for bao/key-cape honoring
each argv/stdout/exit contract, for fully offline dev/test access flows. Documented
as the sanctioned dev backend in WorkloadSecurityPosture.md R1.

T5 — INTENT/SCOPE/wiki aligned; canon landing in net-kingdom/info-tech-canon left
owner-driven (tracked via coordination messages).

16 new tests, 200 passing, ruff clean. Archived WP-0012/0014/0015 to
workplans/archived/ with 260627- prefix.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

tests/test_doubles.py

@@ -0,0 +1,114 @@
+"""Tests for the dev-tier contract-double fixture library (WP-0015 T4)."""
+from __future__ import annotations
+
+import subprocess
+
+import pytest
+
+from warden.doubles import (
+    SYNTHETIC_PREFIX,
+    available_doubles,
+    doubles_path_prepended,
+    materialize_doubles,
+)
+
+
+def test_available_doubles_includes_routed_subsystems():
+    names = available_doubles()
+    assert "bao" in names
+    assert "key-cape" in names
+
+
+def test_materialize_writes_executables(tmp_path):
+    paths = materialize_doubles(tmp_path)
+    assert set(paths) == set(available_doubles())
+    for p in paths.values():
+        assert p.exists()
+        import os
+
+        assert os.access(p, os.X_OK)
+
+
+def test_bao_kv_get_emits_synthetic_value(tmp_path):
+    materialize_doubles(tmp_path, ["bao"])
+    out = subprocess.run(
+        [str(tmp_path / "bao"), "kv", "get", "-field=NPM_AUTH_TOKEN", "platform/x/y"],
+        capture_output=True,
+        text=True,
+        check=True,
+    )
+    value = out.stdout.strip()
+    assert value.startswith(SYNTHETIC_PREFIX)
+    assert "NPM_AUTH_TOKEN" in value
+
+
+def test_bao_login_emits_synthetic_token(tmp_path):
+    materialize_doubles(tmp_path, ["bao"])
+    out = subprocess.run(
+        [str(tmp_path / "bao"), "login", "-method=oidc"],
+        capture_output=True,
+        text=True,
+        check=True,
+    )
+    assert out.stdout.strip().startswith(SYNTHETIC_PREFIX)
+
+
+def test_keycape_login_emits_synthetic_session(tmp_path):
+    materialize_doubles(tmp_path, ["key-cape"])
+    out = subprocess.run(
+        [str(tmp_path / "key-cape"), "login"],
+        capture_output=True,
+        text=True,
+        check=True,
+    )
+    assert out.stdout.strip().startswith(SYNTHETIC_PREFIX)
+
+
+def test_double_rejects_unknown_contract(tmp_path):
+    materialize_doubles(tmp_path, ["bao"])
+    out = subprocess.run(
+        [str(tmp_path / "bao"), "write", "secret/x"],
+        capture_output=True,
+        text=True,
+    )
+    assert out.returncode == 2
+
+
+def test_unknown_double_raises(tmp_path):
+    with pytest.raises(KeyError):
+        materialize_doubles(tmp_path, ["nonesuch"])
+
+
+def test_path_prepended_puts_doubles_first(tmp_path):
+    path = doubles_path_prepended(tmp_path, base_path="/usr/bin")
+    assert path.split(":")[0] == str(tmp_path)
+
+
+def test_proxy_fetch_runs_fully_offline_against_double(tmp_path):
+    """End-to-end: the proxy fetch lane resolves `bao` from the doubles dir."""
+    import os
+
+    materialize_doubles(tmp_path, ["bao"])
+    from warden.proxy import resolve_fetch_command
+    from warden.routing.models import RouteEntry
+
+    entry = RouteEntry(
+        id="openbao-api-key",
+        title="API key",
+        need_keywords=["npm"],
+        owner_repo="railiance-platform",
+        subsystem="OpenBao",
+        warden_executes=False,
+        wiki_ref="w",
+        canon_ref="c",
+        reviewed="2026-06-27",
+        status="active",
+        path_template="platform/x/y/z",
+        fetch_command="bao kv get -field=<FIELD> <path_template>",
+        exec_capable=True,
+    )
+    argv = resolve_fetch_command(entry, field="API_KEY", path="platform/x/y/z")
+    env = dict(os.environ, PATH=doubles_path_prepended(tmp_path))
+    # proxy_fetch inherits stdout; run it in a child so we can capture the stream.
+    result = subprocess.run(argv, capture_output=True, text=True, env=env, check=True)
+    assert result.stdout.strip().startswith(SYNTHETIC_PREFIX)

tests/test_posture_conformance.py

@@ -0,0 +1,98 @@
+"""Tests for the read-only posture conformance checker (WP-0015 T3)."""
+from __future__ import annotations
+
+import importlib.util
+from pathlib import Path
+
+import pytest
+
+from warden.posture import load_posture
+
+# Load the script module by path (it lives under scripts/, not the package).
+_SCRIPT = Path(__file__).resolve().parent.parent / "scripts" / "check_secret_posture_conformance.py"
+_spec = importlib.util.spec_from_file_location("check_secret_posture_conformance", _SCRIPT)
+conformance = importlib.util.module_from_spec(_spec)
+_spec.loader.exec_module(conformance)
+
+
+@pytest.fixture
+def cat():
+    return load_posture()
+
+
+def test_example_manifest_reports_expected_deny(cat):
+    """The shipped example deliberately includes one denied flow (dev/M0 <- M3)."""
+    import yaml
+
+    manifest = yaml.safe_load(
+        (Path(__file__).resolve().parent.parent / "examples" / "posture-conformance.example.yaml").read_text()
+    )
+    violations = conformance.run(manifest, cat)
+    assert len(violations) == 1
+    assert "regulated-export-cred" in violations[0]
+    assert "DENIED" in violations[0]
+
+
+def test_fully_conformant_manifest_has_no_violations(cat):
+    manifest = {
+        "environments": {"prod": {"backend": "openbao-sealed-shamir"}},
+        "workloads": [{"id": "w1", "env_posture": "prod", "maturity": "M3"}],
+        "secret_requests": [
+            {"secret": "s1", "to_workload": "w1", "required_maturity": "M2", "dataclass": "confidential"}
+        ],
+    }
+    assert conformance.run(manifest, cat) == []
+
+
+def test_env_posture_mismatch_flagged(cat):
+    manifest = {"environments": {"prod": {"backend": "mock-or-contract-double"}}}
+    violations = conformance.run(manifest, cat)
+    assert any("backend" in v and "prod" in v for v in violations)
+
+
+def test_unknown_environment_flagged(cat):
+    violations = conformance.run({"environments": {"staging": {}}}, cat)
+    assert any("staging" in v for v in violations)
+
+
+def test_lattice_denies_non_prod_env(cat):
+    manifest = {
+        "workloads": [{"id": "w", "env_posture": "test", "maturity": "M3"}],
+        "secret_requests": [{"secret": "s", "to_workload": "w", "required_maturity": "M0"}],
+    }
+    violations = conformance.run(manifest, cat)
+    assert any("env posture" in v for v in violations)
+
+
+def test_missing_target_workload_flagged(cat):
+    manifest = {
+        "secret_requests": [{"secret": "s", "to_workload": "ghost", "required_maturity": "M0"}],
+    }
+    violations = conformance.run(manifest, cat)
+    assert any("ghost" in v for v in violations)
+
+
+def test_main_exit_codes(tmp_path, capsys):
+    import yaml
+
+    conformant = tmp_path / "ok.yaml"
+    conformant.write_text(
+        yaml.safe_dump(
+            {
+                "workloads": [{"id": "w", "env_posture": "prod", "maturity": "M3"}],
+                "secret_requests": [
+                    {"secret": "s", "to_workload": "w", "required_maturity": "M3", "dataclass": "restricted"}
+                ],
+            }
+        )
+    )
+    import sys
+
+    argv = sys.argv
+    try:
+        sys.argv = ["check", "--manifest", str(conformant)]
+        assert conformance.main() == 0
+        sys.argv = ["check", "--manifest", str(tmp_path / "missing.yaml")]
+        assert conformance.main() == 2
+    finally:
+        sys.argv = argv