Commit Graph

4 Commits

Author SHA1 Message Date
0812d7303d feat(WARDEN-WP-0015): T2 — machine-readable posture descriptors + warden policy
Adds registry/policy/security-posture.yaml (Axis A env postures, Axis B
maturity levels M0-M3, dataclass_floor, lattice rule — no secret
material) and src/warden/posture.py: typed loader with validation
(unique/contiguous ranks, floor references known levels) and the pure
can_deliver() lattice helper (no-write-down: prod posture + workload
maturity >= secret required_maturity + dataclass floor). New `warden
policy list|show` read-only lookup mirroring `warden route`.
tests/test_posture.py covers load, the allow/deny lattice matrix,
validation rejections, and CLI. 184 passed, lint clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-27 18:10:54 +02:00
a54403b9d7 feat(WARDEN-WP-0015): T1 — author two-axis Workload Security Posture standard
Drafts the standard at wiki/WorkloadSecurityPosture.md: Axis A (env
posture dev/test/prod, R1-R4 + matrix + ceremonies), Axis B (workload
maturity M0-M3 + promotion gates, reusing info-tech-canon
DataClassification/DevSecOps gates), unified by the secret-flow lattice
(deliver only if env_posture==prod AND workload.maturity >=
secret.required_maturity). Includes the canon-layering table and the
preserved OpenBao/flex-auth/CARING boundaries.

Coordination opened to net-kingdom (NK M0-M3 requirements) and
info-tech-canon (generic WorkloadMaturityLevel concept). WP-0015 active,
foundation-first; canon landing tracked in T5.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-27 18:07:42 +02:00
f787e09a1b plan(WARDEN-WP-0015): rescope to two-axis Workload Security Posture
Folds the workload-maturity axis into WP-0015. The model is now two
orthogonal axes — environment posture (dev/test/prod, how the secret
store is secured) and workload maturity (M0-M3, how trusted a workload
is to receive secrets/classified data) — unified by a secret-flow
lattice (deliver only if posture==prod AND workload.maturity >=
secret.required_maturity). "Critical secrets must not flow to workloads
below maturity M" is the no-write-down case.

Layering: generic WorkloadMaturityLevel + lattice → info-tech-canon
(reusing its DataClassification / DevSecOps gates / Security criticality
/ CARING); NetKingdom M0-M3 requirements → net-kingdom canon. ops-warden
authors + checks conformance, not enforcement. Still proposed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-27 18:00:50 +02:00
091ab1fa65 plan(WARDEN-WP-0015): register Secret Lifecycle Tiering workplan
Proposed workplan for the dev→test→prod secret-posture ladder and
ops-warden's conformance-steward role (author + checks, not enforcement).
Authoritative standard lands in net-kingdom canon; ops-warden ships tier
descriptors, a conformance checker, and the dev-tier contract-double
library (the "fake bao" pattern generalized). Registered in State Hub
(workstream 99f4a0e1, 5 tasks); awaiting review before implementation.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-27 17:37:23 +02:00