coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(WARDEN-WP-0015): T3 conformance checker + T4 dev-tier contract doubles

Browse Source 
Finish the Workload Security Posture workplan (all five tasks done).

T3 — scripts/check_secret_posture_conformance.py: read-only checker that asserts
env-posture conformance (backend/unseal/real_values per tier) and evaluates the
secret-flow lattice via posture.can_deliver. Metadata-only manifest, no secret
values, exit 0/1/2. examples/posture-conformance.example.yaml as the reference.

T4 — src/warden/doubles.py: generalizes "fake bao" into materialize_doubles() —
hermetic, synthetic-only (synthetic- prefix) stand-ins for bao/key-cape honoring
each argv/stdout/exit contract, for fully offline dev/test access flows. Documented
as the sanctioned dev backend in WorkloadSecurityPosture.md R1.

T5 — INTENT/SCOPE/wiki aligned; canon landing in net-kingdom/info-tech-canon left
owner-driven (tracked via coordination messages).

16 new tests, 200 passing, ruff clean. Archived WP-0012/0014/0015 to
workplans/archived/ with 260627- prefix.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Bernd Worsch
2026-06-27 19:30:30 +02:00
parent 177e36d5a9
commit 41a55c95b0
10 changed files with 611 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
wiki/WorkloadSecurityPosture.md
View File

@@ -20,7 +20,11 @@ every tier (so automation and the `warden access` proxy run unchanged); only the
backend's security posture changes.
**R1 — Contract parity, posture divergence.** Identical interface at every tier; only
posture changes. This is why dev-tier contract doubles ("fake bao") work.
posture changes. This is why dev-tier contract doubles ("fake bao") work. ops-warden
ships the sanctioned `dev` backend as a library: `warden.doubles.materialize_doubles()`
writes hermetic stand-ins for the routed subsystems (OpenBao, key-cape login) that honor
each contract (argv/stdout/exit) and emit **synthetic values only** (every value is
`synthetic-` prefixed), so access flows run fully offline in dev/test.
**R2 — Promote topology, regenerate material.** Secret *values* are never promoted up
the ladder; only *structure* (paths, policy shape, names). Values are generated fresh
per tier. Test conveniences (reuse, single-unseal) stay quarantined in test.
@@ -115,7 +119,7 @@ whether the secret may flow at all.
| --- | --- | --- |
| Generic `WorkloadMaturityLevel` concept + the secret-flow lattice | **info-tech-canon** (DevSecOps / Landscape; reuses Data Model `DataClassification`, Security Model criticality) | Contribute; do not fork |
| NetKingdom M0M3 security **requirements** + env-posture ceremonies | **net-kingdom canon** (beside `openbao-unseal-custody-models.md`, `responsibility-map.md`) | Author the ops-security slice |
| Machine-readable descriptors + conformance checker + dev doubles | **ops-warden** (`registry/policy/`, `scripts/`) | Own (WP-0015 T2T4) |
| Machine-readable descriptors (`registry/policy/security-posture.yaml`, `warden policy`) + read-only conformance checker (`scripts/check_secret_posture_conformance.py`) + dev doubles (`warden.doubles`) | **ops-warden** | Own (WP-0015 T2T4) |
| Runtime enforcement of the lattice | **flex-auth** | Route; do not enforce here |
---