# Example target manifest for scripts/check_secret_posture_conformance.py (WP-0015 T3).
#
# A *metadata-only* description of workloads, the observed posture of each
# environment's secret store, and the secret flows being requested. It carries NO
# secret values — only ids, postures, maturities, required_maturity, and data class.
# The checker compares this against registry/policy/security-posture.yaml and the
# secret-flow lattice, and reports conformance + lattice violations. Read-only.

# Observed posture of each environment's secret store. The checker asserts these
# match the standard env_postures descriptor (backend / unseal / real_values).
environments:
  dev:
    backend: mock-or-contract-double
    real_values: forbidden
    unseal: n/a
  prod:
    backend: openbao-sealed-shamir
    real_values: generated-fresh-no-reuse
    unseal: shamir-3-of-5-break-glass

# Workloads and the trust we attribute to each (env posture + maturity level).
workloads:
  - id: activity-core-triage
    env_posture: prod
    maturity: M2
  - id: dev-sandbox
    env_posture: dev
    maturity: M0

# Secret flows being requested. Each is evaluated against the lattice for its
# target workload. required_maturity / dataclass are the secret's *requirements*,
# never the value.
secret_requests:
  - secret: openrouter-api-key
    to_workload: activity-core-triage
    required_maturity: M2
    dataclass: confidential
  - secret: regulated-export-cred
    to_workload: dev-sandbox   # expected DENY: dev posture + M0 < M3
    required_maturity: M3
    dataclass: restricted
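To make the lattice evaluation concrete, here is an added toy evaluator over the manifest above; it is not the project's check_secret_posture_conformance.py. The lattice rules it applies are assumptions, since the manifest only hints at them: maturities are totally ordered M0 < M1 < M2 < M3, a flow needs workload maturity >= required_maturity, and an environment with real_values forbidden gets no confidential or restricted secrets.

```python
# Toy secret-flow lattice evaluator: an added example, not the project's checker.
# Assumed rules (the manifest does not define the lattice): maturities are
# totally ordered M0 < M1 < M2 < M3; a flow is allowed only if the workload's
# maturity >= required_maturity; an env whose posture has real_values ==
# "forbidden" may not receive confidential or restricted secrets.
MATURITY_ORDER = {"M0": 0, "M1": 1, "M2": 2, "M3": 3}   # assumed total order
SENSITIVE_CLASSES = {"confidential", "restricted"}       # assumed

# Constructed in-memory copy of the manifest above: ids and postures, no values.
MANIFEST = {
    "environments": {
        "dev": {"backend": "mock-or-contract-double", "real_values": "forbidden",
                "unseal": "n/a"},
        "prod": {"backend": "openbao-sealed-shamir",
                 "real_values": "generated-fresh-no-reuse",
                 "unseal": "shamir-3-of-5-break-glass"},
    },
    "workloads": [
        {"id": "activity-core-triage", "env_posture": "prod", "maturity": "M2"},
        {"id": "dev-sandbox", "env_posture": "dev", "maturity": "M0"},
    ],
    "secret_requests": [
        {"secret": "openrouter-api-key", "to_workload": "activity-core-triage",
         "required_maturity": "M2", "dataclass": "confidential"},
        {"secret": "regulated-export-cred", "to_workload": "dev-sandbox",
         "required_maturity": "M3", "dataclass": "restricted"},
    ],
}


def evaluate(manifest):
    """Return {secret: (verdict, reasons)}; every violated rule is listed."""
    workloads = {w["id"]: w for w in manifest["workloads"]}
    envs = manifest["environments"]
    results = {}
    for req in manifest["secret_requests"]:
        reasons = []
        wl = workloads.get(req["to_workload"])
        if wl is None:
            reasons.append(f"unknown workload {req['to_workload']}")
        else:
            have, need = wl["maturity"], req["required_maturity"]
            if MATURITY_ORDER[have] < MATURITY_ORDER[need]:
                reasons.append(f"maturity {have} < required {need}")
            env = envs[wl["env_posture"]]
            if env["real_values"] == "forbidden" and req["dataclass"] in SENSITIVE_CLASSES:
                reasons.append(f"{wl['env_posture']} posture forbids real {req['dataclass']} values")
        results[req["secret"]] = ("DENY" if reasons else "ALLOW", reasons)
    return results
```

Run against the constructed manifest, the prod request is allowed and the dev-sandbox request is denied for both reasons (maturity M0 below M3, and a dev posture that forbids real values), which is the DENY the manifest comment expects.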