plan(WARDEN-WP-0015): rescope to two-axis Workload Security Posture

Folds the workload-maturity axis into WP-0015. The model is now two
orthogonal axes — environment posture (dev/test/prod, how the secret
store is secured) and workload maturity (M0-M3, how trusted a workload
is to receive secrets/classified data) — unified by a secret-flow
lattice (deliver only if posture==prod AND workload.maturity >=
secret.required_maturity). "Critical secrets must not flow to workloads
below maturity M" is the no-write-down case.

Layering: generic WorkloadMaturityLevel + lattice → info-tech-canon
(reusing its DataClassification / DevSecOps gates / Security criticality
/ CARING); NetKingdom M0-M3 requirements → net-kingdom canon. ops-warden
authors + checks conformance, not enforcement. Still proposed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

workplans/WARDEN-WP-0015-secret-lifecycle-tiering.md

@@ -1,7 +1,7 @@
 ---
 id: WARDEN-WP-0015
 type: workplan
-title: "Secret Lifecycle Tiering — policy + conformance stewardship"
+title: "Workload Security Posture — env posture × maturity + conformance"
 domain: infotech
 repo: ops-warden
 status: proposed
@@ -14,74 +14,107 @@ updated: "2026-06-27"
 state_hub_workstream_id: "99f4a0e1-853c-456f-8aa7-8ff0f318ea65"
 ---
 
-# WARDEN-WP-0015 — Secret Lifecycle Tiering (policy + conformance)
+# WARDEN-WP-0015 — Workload Security Posture (two-axis) + conformance
 
-**Scope:** Establish a NetKingdom standard for how secrets are managed across the
-**dev → test → prod** lifecycle, and make ops-warden the **conformance steward** for it.
-The standard defines three credential-posture tiers with identical *contracts* and
-deliberately divergent *security posture*, plus the phase-change ceremonies between
-them. ops-warden authors the ops-security slice of the standard, ships
-machine-readable tier descriptors and a conformance checker, and provides a dev-tier
-**contract-double** fixture library (the generalization of the "fake bao" pattern).
+**Scope:** Establish a NetKingdom standard for IT-security posture across **two
+orthogonal axes**, and make ops-warden the **conformance steward** for it:
+
+- **Axis A — Environment posture** (`dev → test → prod`): how the *secret store* is
+  secured (mock / OpenBao `-dev` / sealed). Identical contracts, divergent posture.
+- **Axis B — Workload maturity** (`M0 → M3`): how *trusted* a workload is to receive
+  secrets and handle classified data (PoC → alpha/early-access → beta/GA → critical).
+
+The axes combine in a **secret-flow lattice**: a secret may be delivered to a workload
+only if the workload's posture *and* maturity meet the secret's requirements. ops-warden
+authors the ops-security slice, ships machine-readable descriptors + a conformance
+checker (incl. the lattice check), and the dev-tier **contract-double** fixture library
+(the "fake bao" pattern generalized).
 
 **Decisions locked (2026-06-27):**
-- Authoritative standard lives in **net-kingdom canon** (`docs/`), next to
-  `openbao-unseal-custody-models.md` and `responsibility-map.md`. ops-warden authors
-  the ops-security slice and carries a pointer + conformance tooling.
-- ops-warden role = **author + conformance checks** (machine-readable descriptors,
-  drift/conformance checkers, dev-tier doubles). **Not** runtime enforcement.
+- Two-axis model folded into this WP (was "Secret Lifecycle Tiering", env posture only).
+- Authoritative **NetKingdom requirements** (M0–M3 table, secret-flow gates, env-posture
+  ceremonies) live in **net-kingdom canon**; the **generic `WorkloadMaturityLevel`
+  concept + lattice** is contributed to **info-tech-canon** (DevSecOps/Landscape),
+  reusing its governed `DataClassification`. ops-warden authors the ops-security slice +
+  conformance tooling.
+- ops-warden role = **author + conformance checks**, **not** runtime enforcement.
+
+**Reuse, don't reinvent (info-tech-canon already defines the primitives):**
+`DataClassification` (`confidential`/`restricted`…) in the Data Model; promotion /
+quality gates / policy gates / `DeploymentVerification` + progressive delivery in the
+DevSecOps Model; asset/business **criticality** in the Security Model; access semantics
+in the CARING Access Governance Standard. This WP **assembles** these into a named
+maturity ladder + flow rule; it does not fork them.
 
 **Hard boundary (responsibility-map, ~line 154):** ops-warden "must not become a
 universal secret broker — runtime secrets remain OpenBao; authorization remains
-flex-auth." This WP keeps ops-warden as policy author + conformance verifier only.
-OpenBao holds the secrets; flex-auth makes allow/deny decisions.
+flex-auth." ops-warden = policy author + conformance verifier only. OpenBao holds the
+secrets; flex-auth makes allow/deny decisions; CARING governs access semantics.
 
-**Cross-repo note:** T1 authors content destined for **net-kingdom** canon. ops-warden
-drafts it; landing it in net-kingdom is a coordinated change through net-kingdom's own
-process (inbox/PR), not a unilateral write from this repo.
+**Cross-repo note:** T1/T5 author content destined for **net-kingdom** and
+**info-tech-canon**. ops-warden drafts; landing it is coordinated through each repo's
+own process (inbox/PR), not a unilateral write from here.
 
-**Depends on / relates to:** WARDEN-WP-0014 (the `warden access` proxy is the tier-aware
-fetch surface; its caller-identity/transit guardrails are tier-prod-compatible).
+**Depends on / relates to:** WARDEN-WP-0014 (the `warden access` proxy is the
+posture-aware fetch surface; its caller-identity/transit guardrails are prod-compatible).
 
 **Status:** `proposed` — awaiting Bernd's review before implementation.
 
 ---
 
-## The model (refined, to be encoded by this WP)
+## The model (to be encoded by this WP)
 
-**R1 — Contract parity, posture divergence.** The interface is identical at every
-tier; only the backend's security posture changes. Automation written once runs at all
-three tiers unchanged. (This is why contract doubles work.)
+### Axis A — Environment posture (the secret store)
 
+**R1 — Contract parity, posture divergence.** Identical interface at every tier; only
+the backend's security posture changes. Automation written once runs at all tiers
+unchanged (this is why contract doubles work).
 **R2 — Promote topology, regenerate material.** Secret *values* are never promoted up
-the ladder. Only the *structure* (paths, policy shape, names, the secret tree) is
-promoted; values are generated fresh at each tier. Test conveniences (reuse,
-single-unseal) are quarantined in test by construction.
-
-**R3 — Dev touches no real data, ever.** An insecure personal mock store in dev is
-sanctioned *iff* dev uses only synthetic/fixture data. Absolute invariant.
-
+the ladder; only *structure* (paths, policy shape, names). Values are generated fresh
+per tier. Test conveniences (reuse, single-unseal) are quarantined in test.
+**R3 — Dev touches no real data, ever.** Insecure personal mock store is sanctioned
+*iff* dev uses only synthetic data. Absolute.
 **R4 — Phase-changes are ceremonies, not copies.** test→prod is a gated checklist
-(regenerate secrets, switch unseal model, enable break-glass, human sign-off),
-referencing the existing net-kingdom `security-bootstrap-*` and unseal-custody docs —
-not duplicating them.
-
-**Tier descriptor matrix (encoded in registry/policy):**
+referencing net-kingdom `security-bootstrap-*` / unseal-custody docs.
 
 | | dev | test | prod |
 | --- | --- | --- | --- |
 | backend | mock / contract double | OpenBao `-dev` (single-unseal) | OpenBao sealed (Shamir 3-of-5) |
 | real values | forbidden (synthetic) | generated, reuse allowed | generated fresh, reuse forbidden |
 | unseal | n/a | single key / auto | 3-of-5 + break-glass |
-| human-in-loop | never | never | required (break-glass) |
 | real user/business data | never | never | allowed |
 | audit | optional | on | full, tamper-evident |
 
+### Axis B — Workload maturity (the trust to receive secrets/data)
+
+**Production is a posture, not a maturity.** A workload can be prod-posture yet low
+maturity (alpha with friendly customers). Maturity gates *which secrets and data
+classes* a prod workload may touch.
+
+| Level | Phase | Max DataClassification | Promotion gate (reuses DevSecOps gates) |
+| --- | --- | --- | --- |
+| **M0** | Experimental / PoC | synthetic only | — |
+| **M1** | Alpha / early-access | low-criticality, loss-acceptable; no confidential/restricted | friendly-customer scope, basic SLO, data-handling note |
+| **M2** | Beta / GA | up to `confidential`; SLOs; audited | security review, SLO history, on-call, incident runbooks |
+| **M3** | Critical / regulated | `restricted`; break-glass; compliance | pen-test, 3-of-5 custody, human-in-loop, compliance audit |
+
+### The combined rule (secret-flow lattice)
+
+```
+deliver(secret → workload) permitted only if
+    workload.env_posture == prod                       # Axis A
+AND workload.maturity     >= secret.required_maturity   # Axis B (no-write-down)
+AND workload.maturity     >= required_maturity(dataclass(secret))
+```
+
+"Critical secrets must not be transferred to workloads below maturity M" is exactly
+this no-write-down constraint. Checkable by ops-warden; enforceable by flex-auth.
+
 ---
 
 ## Tasks
 
-### T1 — Author the Secret Lifecycle Tiering standard (canon-bound)
+### T1 — Author the two-axis Workload Security Posture standard (canon-bound)
 
 ```task
 id: WARDEN-WP-0015-T01
@@ -90,14 +123,18 @@ priority: high
 state_hub_task_id: "85aeb676-a593-4056-986a-db14d4c5209f"
 ```
 
-- [ ] Draft `secret-lifecycle-tiering.md` (R1–R4 + tier matrix + phase-change gates),
-      cross-linking `openbao-unseal-custody-models.md`, `responsibility-map.md`,
-      `platform-root-custody.md`, and the `security-bootstrap-*` ceremony series.
-- [ ] Stage the draft in ops-warden (`history/` or `wiki/`) and open a coordination
-      request to **net-kingdom** to land it as authoritative canon (cross-repo).
-- [ ] Encode ops-warden's role explicitly: author + conformance, not enforcement/custody.
+- [ ] Draft the standard: Axis A (R1–R4 + env-posture matrix + phase-change ceremonies)
+      and Axis B (M0–M3 ladder + promotion gates) unified by the secret-flow lattice.
+- [ ] Layer it: generic `WorkloadMaturityLevel` + lattice → **info-tech-canon**
+      contribution (DevSecOps/Landscape, reusing `DataClassification`); NetKingdom M0–M3
+      security requirements + env-posture ceremonies → **net-kingdom canon**.
+- [ ] Cross-link `openbao-unseal-custody-models.md`, `responsibility-map.md`,
+      `platform-root-custody.md`, `security-bootstrap-*`, and the info-tech-canon
+      Security / DevSecOps / Data / CARING models. Stage drafts in ops-warden; open
+      coordination requests to net-kingdom and info-tech-canon to land them.
+- [ ] Encode ops-warden's role: author + conformance, not enforcement/custody.
 
-### T2 — Machine-readable tier descriptors
+### T2 — Machine-readable posture descriptors (both axes)
 
 ```task
 id: WARDEN-WP-0015-T02
@@ -106,12 +143,13 @@ priority: high
 state_hub_task_id: "011fb0af-154d-40f4-a03e-3172c325321a"
 ```
 
-- [ ] `registry/policy/secret-lifecycle-tiers.yaml` — the tier matrix as data
-      (backend, value-policy, unseal model, human-in-loop, data-class, audit-level).
+- [ ] `registry/policy/security-posture.yaml` — env-posture tiers (backend, value-policy,
+      unseal, data-class, audit) **and** maturity levels (M0–M3, max DataClassification,
+      promotion-gate criteria), plus per-secret `required_maturity` tagging convention.
 - [ ] Loader + validation (mirror `routing/catalog.py` rigor; no secret material).
 - [ ] Optional `warden policy show|list` lookup (mirrors `warden route`).
 
-### T3 — Conformance checker
+### T3 — Conformance checker (incl. secret-flow lattice)
 
 ```task
 id: WARDEN-WP-0015-T03
@@ -120,11 +158,11 @@ priority: high
 state_hub_task_id: "c1a0e987-19d0-478e-ac08-2dbe98e64e09"
 ```
 
-- [ ] `scripts/check_secret_tier_conformance.py` — given a tier + an environment
-      descriptor, assert posture matches the standard (e.g. prod must be sealed +
-      Shamir; dev must have no real-value paths). Drift-style report, like
-      `check_principals_drift.py`. Read-only; operator runs it.
-- [ ] Surface conformance status; never read or print a secret value.
+- [ ] `scripts/check_secret_posture_conformance.py` — assert env-posture matches the
+      standard (prod sealed + Shamir; dev no real-value paths) **and** evaluate the
+      lattice: flag any secret whose `required_maturity` exceeds a target workload's
+      maturity. Drift-style report, like `check_principals_drift.py`. Read-only.
+- [ ] Surface conformance + lattice violations; never read or print a secret value.
 
 ### T4 — Dev-tier contract-double fixture library
 
@@ -135,12 +173,12 @@ priority: medium
 state_hub_task_id: "e556fd2e-4e39-4c7d-bd94-b4330e4bef45"
 ```
 
-- [ ] Generalize "fake bao": ship hermetic dev-tier doubles for routed subsystems
-      (bao, key-cape login) honoring each contract (argv/stdout/exit) with synthetic
-      values only — enabling fully offline dev/test of access flows.
+- [ ] Generalize "fake bao": hermetic dev-tier doubles for routed subsystems (bao,
+      key-cape login) honoring each contract (argv/stdout/exit) with synthetic values
+      only — fully offline dev/test of access flows.
 - [ ] Document the pattern in the standard (R1) as the sanctioned dev backend.
 
-### T5 — INTENT/SCOPE alignment
+### T5 — INTENT/SCOPE alignment + canon contributions
 
 ```task
 id: WARDEN-WP-0015-T05
@@ -149,30 +187,34 @@ priority: medium
 state_hub_task_id: "298c9b09-4a5a-41bf-a3bd-6c572385236b"
 ```
 
-- [ ] Update `INTENT.md`: ops-warden stewards **security-policy conformance** of the
-      infrastructure (authoring the ops-security tiering standard + conformance checks +
-      dev doubles), scoped explicitly to author+check — **not** enforcement or custody.
-- [ ] SCOPE: add the tiering policy + conformance surface; note the net-kingdom canon
-      home; bump the maturity vector where warranted.
-- [ ] `history/2026-06-27-secret-lifecycle-tiering-charter.md` — decision record.
+- [ ] `INTENT.md`: ops-warden stewards **security-policy conformance** of the
+      infrastructure (authoring the two-axis posture standard + conformance checks + dev
+      doubles), scoped to author+check — **not** enforcement or custody.
+- [ ] SCOPE: add the posture policy + conformance surface; note the net-kingdom /
+      info-tech-canon homes; bump the maturity vector where warranted.
+- [ ] Track the info-tech-canon contribution (generic `WorkloadMaturityLevel`) and the
+      net-kingdom requirements landing to closure.
+- [ ] `history/2026-06-27-workload-security-posture-charter.md` — decision record.
 
 ---
 
 ## Acceptance
 
-- A coherent dev→test→prod standard exists in net-kingdom canon (R1–R4 + tier matrix +
-  phase-change ceremonies), authored by ops-warden, landed via net-kingdom coordination.
-- ops-warden ships tier descriptors + a read-only conformance checker + dev-tier doubles.
+- A coherent two-axis standard exists: generic concept in info-tech-canon, NetKingdom
+  M0–M3 + env-posture requirements in net-kingdom canon, authored by ops-warden.
+- ops-warden ships posture descriptors + a read-only conformance checker (incl. the
+  secret-flow lattice) + dev-tier doubles.
 - No secret material in any descriptor, checker, fixture, doc, or log.
-- ops-warden's role is documented as author+conformance; OpenBao custody and flex-auth
-  authorization boundaries are explicitly preserved (responsibility-map honored).
+- ops-warden's role is documented as author+conformance; OpenBao custody, flex-auth
+  authorization, and CARING access boundaries are explicitly preserved.
 - INTENT/SCOPE reflect the conformance-steward role without overclaiming enforcement.
 
 ---
 
 ## See also
 
-- `WARDEN-WP-0014` (operator access assist; the tier-aware fetch surface)
+- `WARDEN-WP-0014` (operator access assist; the posture-aware fetch surface)
 - `net-kingdom/docs/openbao-unseal-custody-models.md`, `responsibility-map.md`,
   `platform-root-custody.md`, `security-bootstrap-*`
-- `flex-auth` (runtime-enforceable tier rules, if any, as a follow-up)
+- `info-tech-canon` Security / DevSecOps / Data Models + CARING Access Governance
+- `flex-auth` (runtime enforcement of the lattice, as a follow-up)