From f787e09a1b4f20fb08ea086912451698b35f781a Mon Sep 17 00:00:00 2001 From: tegwick Date: Sat, 27 Jun 2026 18:00:50 +0200 Subject: [PATCH] plan(WARDEN-WP-0015): rescope to two-axis Workload Security Posture MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Folds the workload-maturity axis into WP-0015. The model is now two orthogonal axes — environment posture (dev/test/prod, how the secret store is secured) and workload maturity (M0-M3, how trusted a workload is to receive secrets/classified data) — unified by a secret-flow lattice (deliver only if posture==prod AND workload.maturity >= secret.required_maturity). "Critical secrets must not flow to workloads below maturity M" is the no-write-down case. Layering: generic WorkloadMaturityLevel + lattice → info-tech-canon (reusing its DataClassification / DevSecOps gates / Security criticality / CARING); NetKingdom M0-M3 requirements → net-kingdom canon. ops-warden authors + checks conformance, not enforcement. Still proposed. Co-Authored-By: Claude Opus 4.8 --- ...WARDEN-WP-0015-secret-lifecycle-tiering.md | 184 +++++++++++------- 1 file changed, 113 insertions(+), 71 deletions(-) diff --git a/workplans/WARDEN-WP-0015-secret-lifecycle-tiering.md b/workplans/WARDEN-WP-0015-secret-lifecycle-tiering.md index 1345b2a..78cb29c 100644 --- a/workplans/WARDEN-WP-0015-secret-lifecycle-tiering.md +++ b/workplans/WARDEN-WP-0015-secret-lifecycle-tiering.md @@ -1,7 +1,7 @@ --- id: WARDEN-WP-0015 type: workplan -title: "Secret Lifecycle Tiering — policy + conformance stewardship" +title: "Workload Security Posture — env posture × maturity + conformance" domain: infotech repo: ops-warden status: proposed 
@@ -14,74 +14,107 @@ updated: "2026-06-27" state_hub_workstream_id: "99f4a0e1-853c-456f-8aa7-8ff0f318ea65" --- -# WARDEN-WP-0015 — Secret Lifecycle Tiering (policy + conformance) +# WARDEN-WP-0015 — Workload Security Posture (two-axis) + conformance -**Scope:** Establish a NetKingdom standard for how secrets are managed across the -**dev → test → prod** lifecycle, and make ops-warden the **conformance steward** for it. -The standard defines three credential-posture tiers with identical *contracts* and -deliberately divergent *security posture*, plus the phase-change ceremonies between -them. ops-warden authors the ops-security slice of the standard, ships -machine-readable tier descriptors and a conformance checker, and provides a dev-tier -**contract-double** fixture library (the generalization of the "fake bao" pattern). +**Scope:** Establish a NetKingdom standard for IT-security posture across **two +orthogonal axes**, and make ops-warden the **conformance steward** for it: + +- **Axis A — Environment posture** (`dev → test → prod`): how the *secret store* is + secured (mock / OpenBao `-dev` / sealed). Identical contracts, divergent posture. +- **Axis B — Workload maturity** (`M0 → M3`): how *trusted* a workload is to receive + secrets and handle classified data (PoC → alpha/early-access → beta/GA → critical). + +The axes combine in a **secret-flow lattice**: a secret may be delivered to a workload +only if the workload's posture *and* maturity meet the secret's requirements. ops-warden +authors the ops-security slice, ships machine-readable descriptors + a conformance +checker (incl. the lattice check), and the dev-tier **contract-double** fixture library +(the "fake bao" pattern generalized). **Decisions locked (2026-06-27):** -- Authoritative standard lives in **net-kingdom canon** (`docs/`), next to - `openbao-unseal-custody-models.md` and `responsibility-map.md`. ops-warden authors - the ops-security slice and carries a pointer + conformance tooling. 
-- ops-warden role = **author + conformance checks** (machine-readable descriptors, - drift/conformance checkers, dev-tier doubles). **Not** runtime enforcement. +- Two-axis model folded into this WP (was "Secret Lifecycle Tiering", env posture only). +- Authoritative **NetKingdom requirements** (M0–M3 table, secret-flow gates, env-posture + ceremonies) live in **net-kingdom canon**; the **generic `WorkloadMaturityLevel` + concept + lattice** is contributed to **info-tech-canon** (DevSecOps/Landscape), + reusing its governed `DataClassification`. ops-warden authors the ops-security slice + + conformance tooling. +- ops-warden role = **author + conformance checks**, **not** runtime enforcement. + +**Reuse, don't reinvent (info-tech-canon already defines the primitives):** +`DataClassification` (`confidential`/`restricted`…) in the Data Model; promotion / +quality gates / policy gates / `DeploymentVerification` + progressive delivery in the +DevSecOps Model; asset/business **criticality** in the Security Model; access semantics +in the CARING Access Governance Standard. This WP **assembles** these into a named +maturity ladder + flow rule; it does not fork them. **Hard boundary (responsibility-map, ~line 154):** ops-warden "must not become a universal secret broker — runtime secrets remain OpenBao; authorization remains -flex-auth." This WP keeps ops-warden as policy author + conformance verifier only. -OpenBao holds the secrets; flex-auth makes allow/deny decisions. +flex-auth." ops-warden = policy author + conformance verifier only. OpenBao holds the +secrets; flex-auth makes allow/deny decisions; CARING governs access semantics. -**Cross-repo note:** T1 authors content destined for **net-kingdom** canon. ops-warden -drafts it; landing it in net-kingdom is a coordinated change through net-kingdom's own -process (inbox/PR), not a unilateral write from this repo. +**Cross-repo note:** T1/T5 author content destined for **net-kingdom** and +**info-tech-canon**. 
ops-warden drafts; landing it is coordinated through each repo's +own process (inbox/PR), not a unilateral write from here. -**Depends on / relates to:** WARDEN-WP-0014 (the `warden access` proxy is the tier-aware -fetch surface; its caller-identity/transit guardrails are tier-prod-compatible). +**Depends on / relates to:** WARDEN-WP-0014 (the `warden access` proxy is the +posture-aware fetch surface; its caller-identity/transit guardrails are prod-compatible). **Status:** `proposed` — awaiting Bernd's review before implementation. --- -## The model (refined, to be encoded by this WP) +## The model (to be encoded by this WP) -**R1 — Contract parity, posture divergence.** The interface is identical at every -tier; only the backend's security posture changes. Automation written once runs at all -three tiers unchanged. (This is why contract doubles work.) +### Axis A — Environment posture (the secret store) +**R1 — Contract parity, posture divergence.** Identical interface at every tier; only +the backend's security posture changes. Automation written once runs at all tiers +unchanged (this is why contract doubles work). **R2 — Promote topology, regenerate material.** Secret *values* are never promoted up -the ladder. Only the *structure* (paths, policy shape, names, the secret tree) is -promoted; values are generated fresh at each tier. Test conveniences (reuse, -single-unseal) are quarantined in test by construction. - -**R3 — Dev touches no real data, ever.** An insecure personal mock store in dev is -sanctioned *iff* dev uses only synthetic/fixture data. Absolute invariant. - +the ladder; only *structure* (paths, policy shape, names). Values are generated fresh +per tier. Test conveniences (reuse, single-unseal) are quarantined in test. +**R3 — Dev touches no real data, ever.** Insecure personal mock store is sanctioned +*iff* dev uses only synthetic data. Absolute. 
**R4 — Phase-changes are ceremonies, not copies.** test→prod is a gated checklist -(regenerate secrets, switch unseal model, enable break-glass, human sign-off), -referencing the existing net-kingdom `security-bootstrap-*` and unseal-custody docs — -not duplicating them. - -**Tier descriptor matrix (encoded in registry/policy):** +referencing net-kingdom `security-bootstrap-*` / unseal-custody docs. | | dev | test | prod | | --- | --- | --- | --- | | backend | mock / contract double | OpenBao `-dev` (single-unseal) | OpenBao sealed (Shamir 3-of-5) | | real values | forbidden (synthetic) | generated, reuse allowed | generated fresh, reuse forbidden | | unseal | n/a | single key / auto | 3-of-5 + break-glass | -| human-in-loop | never | never | required (break-glass) | | real user/business data | never | never | allowed | | audit | optional | on | full, tamper-evident | +### Axis B — Workload maturity (the trust to receive secrets/data) + +**Production is a posture, not a maturity.** A workload can be prod-posture yet low +maturity (alpha with friendly customers). Maturity gates *which secrets and data +classes* a prod workload may touch. 
+ +| Level | Phase | Max DataClassification | Promotion gate (reuses DevSecOps gates) | +| --- | --- | --- | --- | +| **M0** | Experimental / PoC | synthetic only | — | +| **M1** | Alpha / early-access | low-criticality, loss-acceptable; no confidential/restricted | friendly-customer scope, basic SLO, data-handling note | +| **M2** | Beta / GA | up to `confidential`; SLOs; audited | security review, SLO history, on-call, incident runbooks | +| **M3** | Critical / regulated | `restricted`; break-glass; compliance | pen-test, 3-of-5 custody, human-in-loop, compliance audit | + +### The combined rule (secret-flow lattice) + +``` +deliver(secret → workload) permitted only if + workload.env_posture == prod # Axis A +AND workload.maturity >= secret.required_maturity # Axis B (no-write-down) +AND workload.maturity >= required_maturity(dataclass(secret)) +``` + +"Critical secrets must not be transferred to workloads below maturity M" is exactly +this no-write-down constraint. Checkable by ops-warden; enforceable by flex-auth. + --- ## Tasks -### T1 — Author the Secret Lifecycle Tiering standard (canon-bound) +### T1 — Author the two-axis Workload Security Posture standard (canon-bound) ```task id: WARDEN-WP-0015-T01 
@@ -90,14 +123,18 @@ priority: high state_hub_task_id: "85aeb676-a593-4056-986a-db14d4c5209f" ``` -- [ ] Draft `secret-lifecycle-tiering.md` (R1–R4 + tier matrix + phase-change gates), - cross-linking `openbao-unseal-custody-models.md`, `responsibility-map.md`, - `platform-root-custody.md`, and the `security-bootstrap-*` ceremony series. -- [ ] Stage the draft in ops-warden (`history/` or `wiki/`) and open a coordination - request to **net-kingdom** to land it as authoritative canon (cross-repo). -- [ ] Encode ops-warden's role explicitly: author + conformance, not enforcement/custody. +- [ ] Draft the standard: Axis A (R1–R4 + env-posture matrix + phase-change ceremonies) + and Axis B (M0–M3 ladder + promotion gates) unified by the secret-flow lattice. +- [ ] Layer it: generic `WorkloadMaturityLevel` + lattice → **info-tech-canon** + contribution (DevSecOps/Landscape, reusing `DataClassification`); NetKingdom M0–M3 + security requirements + env-posture ceremonies → **net-kingdom canon**. +- [ ] Cross-link `openbao-unseal-custody-models.md`, `responsibility-map.md`, + `platform-root-custody.md`, `security-bootstrap-*`, and the info-tech-canon + Security / DevSecOps / Data / CARING models. Stage drafts in ops-warden; open + coordination requests to net-kingdom and info-tech-canon to land them. +- [ ] Encode ops-warden's role: author + conformance, not enforcement/custody. -### T2 — Machine-readable tier descriptors +### T2 — Machine-readable posture descriptors (both axes) ```task id: WARDEN-WP-0015-T02 
@@ -106,12 +143,13 @@ priority: high state_hub_task_id: "011fb0af-154d-40f4-a03e-3172c325321a" ``` -- [ ] `registry/policy/secret-lifecycle-tiers.yaml` — the tier matrix as data - (backend, value-policy, unseal model, human-in-loop, data-class, audit-level). +- [ ] `registry/policy/security-posture.yaml` — env-posture tiers (backend, value-policy, + unseal, data-class, audit) **and** maturity levels (M0–M3, max DataClassification, + promotion-gate criteria), plus per-secret `required_maturity` tagging convention. - [ ] Loader + validation (mirror `routing/catalog.py` rigor; no secret material). - [ ] Optional `warden policy show|list` lookup (mirrors `warden route`). -### T3 — Conformance checker +### T3 — Conformance checker (incl. secret-flow lattice) ```task id: WARDEN-WP-0015-T03 @@ -120,11 +158,11 @@ priority: high state_hub_task_id: "c1a0e987-19d0-478e-ac08-2dbe98e64e09" ``` -- [ ] `scripts/check_secret_tier_conformance.py` — given a tier + an environment - descriptor, assert posture matches the standard (e.g. prod must be sealed + - Shamir; dev must have no real-value paths). Drift-style report, like - `check_principals_drift.py`. Read-only; operator runs it. -- [ ] Surface conformance status; never read or print a secret value. +- [ ] `scripts/check_secret_posture_conformance.py` — assert env-posture matches the + standard (prod sealed + Shamir; dev no real-value paths) **and** evaluate the + lattice: flag any secret whose `required_maturity` exceeds a target workload's + maturity. Drift-style report, like `check_principals_drift.py`. Read-only. +- [ ] Surface conformance + lattice violations; never read or print a secret value. ### T4 — Dev-tier contract-double fixture library 
@@ -135,12 +173,12 @@ priority: medium state_hub_task_id: "e556fd2e-4e39-4c7d-bd94-b4330e4bef45" ``` -- [ ] Generalize "fake bao": ship hermetic dev-tier doubles for routed subsystems - (bao, key-cape login) honoring each contract (argv/stdout/exit) with synthetic - values only — enabling fully offline dev/test of access flows. +- [ ] Generalize "fake bao": hermetic dev-tier doubles for routed subsystems (bao, + key-cape login) honoring each contract (argv/stdout/exit) with synthetic values + only — fully offline dev/test of access flows. - [ ] Document the pattern in the standard (R1) as the sanctioned dev backend. -### T5 — INTENT/SCOPE alignment +### T5 — INTENT/SCOPE alignment + canon contributions ```task id: WARDEN-WP-0015-T05 
@@ -149,30 +187,34 @@ priority: medium state_hub_task_id: "298c9b09-4a5a-41bf-a3bd-6c572385236b" ``` -- [ ] Update `INTENT.md`: ops-warden stewards **security-policy conformance** of the - infrastructure (authoring the ops-security tiering standard + conformance checks + - dev doubles), scoped explicitly to author+check — **not** enforcement or custody. -- [ ] SCOPE: add the tiering policy + conformance surface; note the net-kingdom canon - home; bump the maturity vector where warranted. -- [ ] `history/2026-06-27-secret-lifecycle-tiering-charter.md` — decision record. +- [ ] `INTENT.md`: ops-warden stewards **security-policy conformance** of the + infrastructure (authoring the two-axis posture standard + conformance checks + dev + doubles), scoped to author+check — **not** enforcement or custody. +- [ ] SCOPE: add the posture policy + conformance surface; note the net-kingdom / + info-tech-canon homes; bump the maturity vector where warranted. +- [ ] Track the info-tech-canon contribution (generic `WorkloadMaturityLevel`) and the + net-kingdom requirements landing to closure. +- [ ] `history/2026-06-27-workload-security-posture-charter.md` — decision record. --- ## Acceptance -- A coherent dev→test→prod standard exists in net-kingdom canon (R1–R4 + tier matrix + - phase-change ceremonies), authored by ops-warden, landed via net-kingdom coordination. -- ops-warden ships tier descriptors + a read-only conformance checker + dev-tier doubles. +- A coherent two-axis standard exists: generic concept in info-tech-canon, NetKingdom + M0–M3 + env-posture requirements in net-kingdom canon, authored by ops-warden. +- ops-warden ships posture descriptors + a read-only conformance checker (incl. the + secret-flow lattice) + dev-tier doubles. - No secret material in any descriptor, checker, fixture, doc, or log. 
-- ops-warden's role is documented as author+conformance; OpenBao custody and flex-auth - authorization boundaries are explicitly preserved (responsibility-map honored). +- ops-warden's role is documented as author+conformance; OpenBao custody, flex-auth + authorization, and CARING access boundaries are explicitly preserved. - INTENT/SCOPE reflect the conformance-steward role without overclaiming enforcement. --- ## See also -- `WARDEN-WP-0014` (operator access assist; the tier-aware fetch surface) +- `WARDEN-WP-0014` (operator access assist; the posture-aware fetch surface) - `net-kingdom/docs/openbao-unseal-custody-models.md`, `responsibility-map.md`, `platform-root-custody.md`, `security-bootstrap-*` -- `flex-auth` (runtime-enforceable tier rules, if any, as a follow-up) +- `info-tech-canon` Security / DevSecOps / Data Models + CARING Access Governance +- `flex-auth` (runtime enforcement of the lattice, as a follow-up)
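Review bot: The front-matter hunk (`@@ -1,7 +1,7 @@`) retitles the plan to "Workload Security Posture" while the file itself stays at `workplans/WARDEN-WP-0015-secret-lifecycle-tiering.md`, and the later hunks rename the descriptor, checker and charter paths to `security-posture` / `workload-security-posture`. Either rename the workplan file in the same commit or add a line to the body saying the old filename is kept on purpose, so the mismatch does not look like an oversight.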
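Review bot: In the `@@ -14,74 +14,107 @@` hunk, the first conjunct of the secret-flow lattice, `workload.env_posture == prod`, rules out every delivery to dev and test workloads, yet the Axis A matrix in the same hunk gives dev a mock store with synthetic values and test an OpenBao `-dev` store with generated values, and the Scope paragraph says delivery depends on the secret's own requirements. Suggest making the posture term per-secret (for example `workload.env_posture >= secret.required_posture`) or stating that the lattice governs only prod-generated values. The third conjunct also needs its mapping written out: the Axis B table names only `confidential` and `restricted` as classification values and uses descriptive phrases for M0 and M1, so it is not clear what `required_maturity(dataclass(secret))` returns for the other classes.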
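Review bot: The first bullet of the T2 hunk (`@@ -106,12 +143,13 @@`) puts tiers, maturity levels and a per-secret `required_maturity` convention into `registry/policy/security-posture.yaml`, but nothing records which posture and maturity a given workload has, and the T3 checker compares against "a target workload's maturity". Add the workload declaration to this task (where it lives and who sets it), and say that secret tags reference paths or names only, so the "no secret material" condition in the loader bullet still holds.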
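Review bot: The first bullet of the T3 hunk (`@@ -120,11 +158,11 @@`) has the checker flag only secrets whose `required_maturity` exceeds the workload's maturity, which is one of the lattice's three conjuncts; the `env_posture == prod` term and the `required_maturity(dataclass(secret))` term are not mentioned. Spell out that all three are evaluated, and state the result for a secret that carries no `required_maturity` tag (reporting it as a violation keeps the check fail-closed).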
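Review bot: The first Acceptance bullet in the `@@ -149,30 +187,34 @@` hunk drops the old "landed via net-kingdom coordination" clause, so it no longer says how the standard reaches either canon, while the Cross-repo note earlier in the file says landing goes through each repo's own process. Restore the coordination clause for both net-kingdom and info-tech-canon. The new T5 item "Track the info-tech-canon contribution ... to closure" also has no stated done-condition, and no Acceptance bullet exercises the lattice; a criterion such as "the checker reports a violation on a known-bad fixture" would make it testable.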