Drafts the standard at wiki/WorkloadSecurityPosture.md: Axis A (env
posture dev/test/prod, R1-R4 + matrix + ceremonies), Axis B (workload
maturity M0-M3 + promotion gates, reusing info-tech-canon
DataClassification/DevSecOps gates), unified by the secret-flow lattice
(deliver only if env_posture==prod AND workload.maturity >=
secret.required_maturity). Includes the canon-layering table and the
preserved OpenBao/flex-auth/CARING boundaries.
Coordination opened to net-kingdom (NK M0-M3 requirements) and
info-tech-canon (generic WorkloadMaturityLevel concept). WP-0015 active,
foundation-first; canon landing tracked in T5.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Folds the workload-maturity axis into WP-0015. The model is now two
orthogonal axes — environment posture (dev/test/prod, how the secret
store is secured) and workload maturity (M0-M3, how trusted a workload
is to receive secrets/classified data) — unified by a secret-flow
lattice (deliver only if posture==prod AND workload.maturity >=
secret.required_maturity). "Critical secrets must not flow to workloads
below maturity M" is the no-write-down case.
Layering: generic WorkloadMaturityLevel + lattice → info-tech-canon
(reusing its DataClassification / DevSecOps gates / Security criticality
/ CARING); NetKingdom M0-M3 requirements → net-kingdom canon. ops-warden
authors + checks conformance, not enforcement. Still proposed.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Proposed workplan for the dev→test→prod secret-posture ladder and
ops-warden's conformance-steward role (author + checks, not enforcement).
Authoritative standard lands in net-kingdom canon; ops-warden ships tier
descriptors, a conformance checker, and the dev-tier contract-double
library (the "fake bao" pattern generalized). Registered in State Hub
(workstream 99f4a0e1, 5 tasks); awaiting review before implementation.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>