feat(WARDEN-WP-0015): T3 conformance checker + T4 dev-tier contract doubles

Finish the Workload Security Posture workplan (all five tasks done). T3 — scripts/check_secret_posture_conformance.py: read-only checker that asserts env-posture conformance (backend/unseal/real_values per tier) and evaluates the secret-flow lattice via posture.can_deliver. Metadata-only manifest, no secret values, exit 0/1/2. examples/posture-conformance.example.yaml as the reference. T4 — src/warden/doubles.py: generalizes "fake bao" into materialize_doubles() — hermetic, synthetic-only (synthetic- prefix) stand-ins for bao/key-cape honoring each argv/stdout/exit contract, for fully offline dev/test access flows. Documented as the sanctioned dev backend in WorkloadSecurityPosture.md R1. T5 — INTENT/SCOPE/wiki aligned; canon landing in net-kingdom/info-tech-canon left owner-driven (tracked via coordination messages). 16 new tests, 200 passing, ruff clean. Archived WP-0012/0014/0015 to workplans/archived/ with 260627- prefix. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-27 19:30:30 +02:00
parent 177e36d5a9
commit 41a55c95b0
10 changed files with 611 additions and 38 deletions
--- a/tests/test_posture_conformance.py
+++ b/tests/test_posture_conformance.py
@@ -0,0 +1,98 @@
+"""Tests for the read-only posture conformance checker (WP-0015 T3)."""
+from __future__ import annotations
+
+import importlib.util
+from pathlib import Path
+
+import pytest
+
+from warden.posture import load_posture
+
+# Load the script module by path (it lives under scripts/, not the package).
+_SCRIPT = Path(__file__).resolve().parent.parent / "scripts" / "check_secret_posture_conformance.py"
+_spec = importlib.util.spec_from_file_location("check_secret_posture_conformance", _SCRIPT)
+conformance = importlib.util.module_from_spec(_spec)
+_spec.loader.exec_module(conformance)
+
+
+@pytest.fixture
+def cat():
+    return load_posture()
+
+
+def test_example_manifest_reports_expected_deny(cat):
+    """The shipped example deliberately includes one denied flow (dev/M0 <- M3)."""
+    import yaml
+
+    manifest = yaml.safe_load(
+        (Path(__file__).resolve().parent.parent / "examples" / "posture-conformance.example.yaml").read_text()
+    )
+    violations = conformance.run(manifest, cat)
+    assert len(violations) == 1
+    assert "regulated-export-cred" in violations[0]
+    assert "DENIED" in violations[0]
+
+
+def test_fully_conformant_manifest_has_no_violations(cat):
+    manifest = {
+        "environments": {"prod": {"backend": "openbao-sealed-shamir"}},
+        "workloads": [{"id": "w1", "env_posture": "prod", "maturity": "M3"}],
+        "secret_requests": [
+            {"secret": "s1", "to_workload": "w1", "required_maturity": "M2", "dataclass": "confidential"}
+        ],
+    }
+    assert conformance.run(manifest, cat) == []
+
+
+def test_env_posture_mismatch_flagged(cat):
+    manifest = {"environments": {"prod": {"backend": "mock-or-contract-double"}}}
+    violations = conformance.run(manifest, cat)
+    assert any("backend" in v and "prod" in v for v in violations)
+
+
+def test_unknown_environment_flagged(cat):
+    violations = conformance.run({"environments": {"staging": {}}}, cat)
+    assert any("staging" in v for v in violations)
+
+
+def test_lattice_denies_non_prod_env(cat):
+    manifest = {
+        "workloads": [{"id": "w", "env_posture": "test", "maturity": "M3"}],
+        "secret_requests": [{"secret": "s", "to_workload": "w", "required_maturity": "M0"}],
+    }
+    violations = conformance.run(manifest, cat)
+    assert any("env posture" in v for v in violations)
+
+
+def test_missing_target_workload_flagged(cat):
+    manifest = {
+        "secret_requests": [{"secret": "s", "to_workload": "ghost", "required_maturity": "M0"}],
+    }
+    violations = conformance.run(manifest, cat)
+    assert any("ghost" in v for v in violations)
+
+
+def test_main_exit_codes(tmp_path, capsys):
+    import yaml
+
+    conformant = tmp_path / "ok.yaml"
+    conformant.write_text(
+        yaml.safe_dump(
+            {
+                "workloads": [{"id": "w", "env_posture": "prod", "maturity": "M3"}],
+                "secret_requests": [
+                    {"secret": "s", "to_workload": "w", "required_maturity": "M3", "dataclass": "restricted"}
+                ],
+            }
+        )
+    )
+    import sys
+
+    argv = sys.argv
+    try:
+        sys.argv = ["check", "--manifest", str(conformant)]
+        assert conformance.main() == 0
+        sys.argv = ["check", "--manifest", str(tmp_path / "missing.yaml")]
+        assert conformance.main() == 2
+    finally:
+        sys.argv = argv