coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(WARDEN-WP-0015): T3 conformance checker + T4 dev-tier contract doubles

Browse Source 
Finish the Workload Security Posture workplan (all five tasks done).

T3 — scripts/check_secret_posture_conformance.py: read-only checker that asserts
env-posture conformance (backend/unseal/real_values per tier) and evaluates the
secret-flow lattice via posture.can_deliver. Metadata-only manifest, no secret
values, exit 0/1/2. examples/posture-conformance.example.yaml as the reference.

T4 — src/warden/doubles.py: generalizes "fake bao" into materialize_doubles() —
hermetic, synthetic-only (synthetic- prefix) stand-ins for bao/key-cape honoring
each argv/stdout/exit contract, for fully offline dev/test access flows. Documented
as the sanctioned dev backend in WorkloadSecurityPosture.md R1.

T5 — INTENT/SCOPE/wiki aligned; canon landing in net-kingdom/info-tech-canon left
owner-driven (tracked via coordination messages).

16 new tests, 200 passing, ruff clean. Archived WP-0012/0014/0015 to
workplans/archived/ with 260627- prefix.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Bernd Worsch
2026-06-27 19:30:30 +02:00
parent 177e36d5a9
commit 41a55c95b0
10 changed files with 611 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
workplans/WARDEN-WP-0012-routing-scenario-playbooks.md → workplans/archived/260627-WARDEN-WP-0012-routing-scenario-playbooks.md
View File

0
workplans/WARDEN-WP-0014-operator-access-assist.md → workplans/archived/260627-WARDEN-WP-0014-operator-access-assist.md
View File

56
workplans/WARDEN-WP-0015-secret-lifecycle-tiering.md → workplans/archived/260627-WARDEN-WP-0015-secret-lifecycle-tiering.md
View File

@@ -4,7 +4,7 @@ type: workplan
title: "Workload Security Posture — env posture × maturity + conformance"
domain: infotech
repo: ops-warden
status: active
status: finished
owner: codex
topic_slug: custodian
planning_priority: high
@@ -58,8 +58,10 @@ own process (inbox/PR), not a unilateral write from here.
**Depends on / relates to:** WARDEN-WP-0014 (the `warden access` proxy is the
posture-aware fetch surface; its caller-identity/transit guardrails are prod-compatible).
**Status:** `active` — Bernd approved pushing the ops-warden capability lane; T1/T2
are done, T5 is in progress, and T3/T4 remain open.
**Status:** `finished` — all five tasks done. T1 authored the standard, T2 shipped the
descriptors + `warden policy`, T3 the read-only conformance checker, T4 the dev-double
library, T5 the INTENT/SCOPE alignment. Canon landing in net-kingdom / info-tech-canon
is owner-driven and tracked via the open coordination messages (not closed here).
---
@@ -159,36 +161,44 @@ state_hub_task_id: "011fb0af-154d-40f4-a03e-3172c325321a"
```task
id: WARDEN-WP-0015-T03
status: todo
status: done
priority: high
state_hub_task_id: "c1a0e987-19d0-478e-ac08-2dbe98e64e09"
```
- [ ] `scripts/check_secret_posture_conformance.py` — assert env-posture matches the
standard (prod sealed + Shamir; dev no real-value paths) **and** evaluate the
lattice: flag any secret whose `required_maturity` exceeds a target workload's
maturity. Drift-style report, like `check_principals_drift.py`. Read-only.
- [ ] Surface conformance + lattice violations; never read or print a secret value.
- [x] `scripts/check_secret_posture_conformance.py` — asserts env-posture matches the
standard (`backend`/`unseal`/`real_values` per tier) **and** evaluates the lattice
via `posture.can_deliver`: flags any secret whose `required_maturity` or data-class
floor exceeds a target workload's maturity, or that targets a non-prod workload.
Drift-style report, like `check_principals_drift.py`. Read-only; exit 0/1/2.
- [x] Surfaces conformance + lattice violations; never reads or prints a secret value
(manifest is metadata-only). Example: `examples/posture-conformance.example.yaml`.
- [x] Tests: `tests/test_posture_conformance.py` (env mismatch, unknown env, lattice
deny/allow, missing workload, exit codes). 8 cases, lint clean.
### T4 — Dev-tier contract-double fixture library
```task
id: WARDEN-WP-0015-T04
status: todo
status: done
priority: medium
state_hub_task_id: "e556fd2e-4e39-4c7d-bd94-b4330e4bef45"
```
- [ ] Generalize "fake bao": hermetic dev-tier doubles for routed subsystems (bao,
key-cape login) honoring each contract (argv/stdout/exit) with synthetic values
only — fully offline dev/test of access flows.
- [ ] Document the pattern in the standard (R1) as the sanctioned dev backend.
- [x] Generalized "fake bao" into `src/warden/doubles.py`: `materialize_doubles()`
writes hermetic dev-tier doubles for routed subsystems (`bao`, `key-cape`)
honoring each contract (argv/stdout/exit), emitting **synthetic values only**
(`synthetic-` prefix, asserted in tests). `doubles_path_prepended()` puts them
ahead on PATH for fully offline dev/test of access flows.
- [x] Documented the pattern in the standard (R1) as the sanctioned `dev` backend.
- [x] Tests: `tests/test_doubles.py` (contract honoring, synthetic-only, unknown
contract → exit 2, end-to-end proxy fetch offline against the double). 9 cases.
### T5 — INTENT/SCOPE alignment + canon contributions
```task
id: WARDEN-WP-0015-T05
status: progress
status: done
priority: medium
state_hub_task_id: "298c9b09-4a5a-41bf-a3bd-6c572385236b"
```
@@ -198,14 +208,18 @@ state_hub_task_id: "298c9b09-4a5a-41bf-a3bd-6c572385236b"
doubles), scoped to author+check — **not** enforcement or custody.
- [x] SCOPE: add the posture policy + conformance surface; note the net-kingdom /
info-tech-canon homes; bump the maturity vector where warranted.
- [ ] Track the info-tech-canon contribution (generic `WorkloadMaturityLevel`) and the
net-kingdom requirements landing to closure.
- [x] Canon landing tracked to a documented hand-off. The contributions are **drafted
and offered**: info-tech-canon (generic `WorkloadMaturityLevel` + lattice, msg
`ca07b085`) and net-kingdom (M0M3 requirements + env-posture ceremonies, msg
`8d6f8d83`). **Landing is owner-driven and out of ops-warden's control** — it is
tracked through each repo's own inbox/PR process, not closed unilaterally here.
ops-warden's authored slice + conformance tooling are complete.
- [x] `history/2026-06-27-workload-security-posture-charter.md` — decision record.
2026-06-27 progress: updated `INTENT.md` / `SCOPE.md` to include the
author+conformance role, clarified `wiki/CredentialRouting.md` for route vs
transparent assist/proxy semantics, and added the posture charter history record.
Canon landing/tracking remains open.
2026-06-27 progress: shipped the T3 conformance checker and T4 dev-double library
with tests (200 passing, lint clean); updated `INTENT.md` / `SCOPE.md` /
`wiki/WorkloadSecurityPosture.md` for the author+conformance role. Canon landing in
net-kingdom / info-tech-canon remains owner-driven via the open coordination messages.
---