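---
# NetKingdom Workload Security Posture — machine-readable descriptors
# WARDEN-WP-0015 T2. Authoritative prose: wiki/WorkloadSecurityPosture.md (pending
# promotion to net-kingdom + info-tech-canon canon).
#
# Rules:
# - No secret material in this file, ever (it is git-tracked and agent-visible).
# - DataClassification names are REUSED from the info-tech-canon Data Model.
# - This is a descriptor/data layer; runtime enforcement is flex-auth's.
#
# Layout: every axis is a list of records carrying an integer `rank`; the lattice
# section at the bottom compares ranks, never ids, so keep ranks dense and
# strictly increasing within each axis.

version: 1

# --- Axis A — environment posture (how the secret store is secured) ----------
# `id` values are referenced by `lattice.requires_env_posture` below.
env_postures:
  - id: dev
    rank: 0
    backend: mock-or-contract-double
    real_values: forbidden  # synthetic only
    unseal: n/a
    real_user_data: never
    audit: optional
  - id: test
    rank: 1
    backend: openbao-dev-single-unseal
    real_values: generated-reuse-allowed
    unseal: single-key-or-auto
    real_user_data: never
    audit: "on"  # quoted on purpose: a bare `on` is a YAML 1.1 boolean
  - id: prod
    rank: 2
    backend: openbao-sealed-shamir
    real_values: generated-fresh-no-reuse
    unseal: shamir-3-of-5-break-glass
    real_user_data: allowed
    audit: full-tamper-evident

# --- Axis B — workload maturity (how trusted a workload is) -------------------
# `max_dataclass` is the highest DataClassification a level may handle; it
# currently mirrors `dataclass_floor` below (M0<->synthetic ... M3<->restricted),
# so edit both together.
# `promotion_gate` lists what must be satisfied before a workload may be raised
# TO this level (M0 has no gate: it is the entry level).
maturity_levels:
  - id: M0
    rank: 0
    phase: experimental-poc
    max_dataclass: synthetic
    promotion_gate: []
  - id: M1
    rank: 1
    phase: alpha-early-access
    max_dataclass: internal
    promotion_gate:
      - friendly-customer-scope
      - basic-slo
      - data-handling-note
  - id: M2
    rank: 2
    phase: beta-ga
    max_dataclass: confidential
    promotion_gate:
      - security-review
      - slo-history
      - on-call
      - incident-runbooks
  - id: M3
    rank: 3
    phase: critical-regulated
    max_dataclass: restricted
    promotion_gate:
      - pen-test
      - shamir-3-of-5-custody
      - human-in-loop-ops
      - compliance-audit

# --- Data-class floor — minimum maturity to handle each DataClassification ----
# required_maturity(dataclass). DataClassification names reused from info-tech-canon.
# Values must be ids from `maturity_levels`.
dataclass_floor:
  synthetic: M0
  internal: M1
  confidential: M2
  restricted: M3

# --- Secret-flow lattice (informational; enforced by T3 checker + flex-auth) --
# deliver(secret -> workload) permitted iff:
#   workload.env_posture == prod
#   and rank(workload.maturity) >= rank(secret.required_maturity)
#   and rank(workload.maturity) >= rank(dataclass_floor[dataclass(secret)])
# `no-write-down`: a secret never flows to a workload whose maturity rank is
# below the secret's own floor; dev/test postures receive no real secrets at all.
lattice:
  requires_env_posture: prod
  rule: no-write-down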