Finish the Workload Security Posture workplan (all five tasks done).
T3 — scripts/check_secret_posture_conformance.py: read-only checker that asserts
env-posture conformance (backend/unseal/real_values per tier) and evaluates the
secret-flow lattice via posture.can_deliver. Metadata-only manifest, no secret
values, exit 0/1/2. examples/posture-conformance.example.yaml as the reference.
T4 — src/warden/doubles.py: generalizes "fake bao" into materialize_doubles() —
hermetic, synthetic-only (synthetic- prefix) stand-ins for bao/key-cape honoring
each argv/stdout/exit contract, for fully offline dev/test access flows. Documented
as the sanctioned dev backend in WorkloadSecurityPosture.md R1.
T5 — INTENT/SCOPE/wiki aligned; canon landing in net-kingdom/info-tech-canon left
owner-driven (tracked via coordination messages).
16 new tests, 200 passing, ruff clean. Archived WP-0012/0014/0015 to
workplans/archived/ with 260627- prefix.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Drafts the standard at wiki/WorkloadSecurityPosture.md: Axis A (env
posture dev/test/prod, R1-R4 + matrix + ceremonies), Axis B (workload
maturity M0-M3 + promotion gates, reusing info-tech-canon
DataClassification/DevSecOps gates), unified by the secret-flow lattice
(deliver only if env_posture==prod AND workload.maturity >=
secret.required_maturity). Includes the canon-layering table and the
preserved OpenBao/flex-auth/CARING boundaries.
Coordination opened to net-kingdom (NK M0-M3 requirements) and
info-tech-canon (generic WorkloadMaturityLevel concept). WP-0015 active,
foundation-first; canon landing tracked in T5.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
