Files
ops-warden/workplans/WARDEN-WP-0015-secret-lifecycle-tiering.md
tegwick 091ab1fa65 plan(WARDEN-WP-0015): register Secret Lifecycle Tiering workplan
Proposed workplan for the dev→test→prod secret-posture ladder and
ops-warden's conformance-steward role (author + checks, not enforcement).
Authoritative standard lands in net-kingdom canon; ops-warden ships tier
descriptors, a conformance checker, and the dev-tier contract-double
library (the "fake bao" pattern generalized). Registered in State Hub
(workstream 99f4a0e1, 5 tasks); awaiting review before implementation.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-27 17:37:23 +02:00

7.4 KiB
Raw Blame History

id, type, title, domain, repo, status, owner, topic_slug, planning_priority, planning_order, created, updated, state_hub_workstream_id
id type title domain repo status owner topic_slug planning_priority planning_order created updated state_hub_workstream_id
WARDEN-WP-0015 workplan Secret Lifecycle Tiering — policy + conformance stewardship infotech ops-warden proposed codex custodian high 15 2026-06-27 2026-06-27 99f4a0e1-853c-456f-8aa7-8ff0f318ea65

WARDEN-WP-0015 — Secret Lifecycle Tiering (policy + conformance)

Scope: Establish a NetKingdom standard for how secrets are managed across the dev → test → prod lifecycle, and make ops-warden the conformance steward for it. The standard defines three credential-posture tiers with identical contracts and deliberately divergent security posture, plus the phase-change ceremonies between them. ops-warden authors the ops-security slice of the standard, ships machine-readable tier descriptors and a conformance checker, and provides a dev-tier contract-double fixture library (the generalization of the "fake bao" pattern).

Decisions locked (2026-06-27):

  • Authoritative standard lives in net-kingdom canon (docs/), next to openbao-unseal-custody-models.md and responsibility-map.md. ops-warden authors the ops-security slice and carries a pointer + conformance tooling.
  • ops-warden role = author + conformance checks (machine-readable descriptors, drift/conformance checkers, dev-tier doubles). Not runtime enforcement.

Hard boundary (responsibility-map, ~line 154): ops-warden "must not become a universal secret broker — runtime secrets remain OpenBao; authorization remains flex-auth." This WP keeps ops-warden as policy author + conformance verifier only. OpenBao holds the secrets; flex-auth makes allow/deny decisions.

Cross-repo note: T1 authors content destined for net-kingdom canon. ops-warden drafts it; landing it in net-kingdom is a coordinated change through net-kingdom's own process (inbox/PR), not a unilateral write from this repo.

Depends on / relates to: WARDEN-WP-0014 (the warden access proxy is the tier-aware fetch surface; its caller-identity/transit guardrails are tier-prod-compatible).

Status: proposed — awaiting Bernd's review before implementation.


The model (refined, to be encoded by this WP)

R1 — Contract parity, posture divergence. The interface is identical at every tier; only the backend's security posture changes. Automation written once runs at all three tiers unchanged. (This is why contract doubles work.)

R2 — Promote topology, regenerate material. Secret values are never promoted up the ladder. Only the structure (paths, policy shape, names, the secret tree) is promoted; values are generated fresh at each tier. Test conveniences (reuse, single-unseal) are quarantined in test by construction.

R3 — Dev touches no real data, ever. An insecure personal mock store in dev is sanctioned iff dev uses only synthetic/fixture data. Absolute invariant.

R4 — Phase-changes are ceremonies, not copies. test→prod is a gated checklist (regenerate secrets, switch unseal model, enable break-glass, human sign-off), referencing the existing net-kingdom security-bootstrap-* and unseal-custody docs — not duplicating them.

Tier descriptor matrix (encoded in registry/policy):

dev test prod
backend mock / contract double OpenBao -dev (single-unseal) OpenBao sealed (Shamir 3-of-5)
real values forbidden (synthetic) generated, reuse allowed generated fresh, reuse forbidden
unseal n/a single key / auto 3-of-5 + break-glass
human-in-loop never never required (break-glass)
real user/business data never never allowed
audit optional on full, tamper-evident

Tasks

T1 — Author the Secret Lifecycle Tiering standard (canon-bound)

id: WARDEN-WP-0015-T01
status: todo
priority: high
state_hub_task_id: "85aeb676-a593-4056-986a-db14d4c5209f"
  • Draft secret-lifecycle-tiering.md (R1R4 + tier matrix + phase-change gates), cross-linking openbao-unseal-custody-models.md, responsibility-map.md, platform-root-custody.md, and the security-bootstrap-* ceremony series.
  • Stage the draft in ops-warden (history/ or wiki/) and open a coordination request to net-kingdom to land it as authoritative canon (cross-repo).
  • Encode ops-warden's role explicitly: author + conformance, not enforcement/custody.

T2 — Machine-readable tier descriptors

id: WARDEN-WP-0015-T02
status: todo
priority: high
state_hub_task_id: "011fb0af-154d-40f4-a03e-3172c325321a"
  • registry/policy/secret-lifecycle-tiers.yaml — the tier matrix as data (backend, value-policy, unseal model, human-in-loop, data-class, audit-level).
  • Loader + validation (mirror routing/catalog.py rigor; no secret material).
  • Optional warden policy show|list lookup (mirrors warden route).

T3 — Conformance checker

id: WARDEN-WP-0015-T03
status: todo
priority: high
state_hub_task_id: "c1a0e987-19d0-478e-ac08-2dbe98e64e09"
  • scripts/check_secret_tier_conformance.py — given a tier + an environment descriptor, assert posture matches the standard (e.g. prod must be sealed + Shamir; dev must have no real-value paths). Drift-style report, like check_principals_drift.py. Read-only; operator runs it.
  • Surface conformance status; never read or print a secret value.

T4 — Dev-tier contract-double fixture library

id: WARDEN-WP-0015-T04
status: todo
priority: medium
state_hub_task_id: "e556fd2e-4e39-4c7d-bd94-b4330e4bef45"
  • Generalize "fake bao": ship hermetic dev-tier doubles for routed subsystems (bao, key-cape login) honoring each contract (argv/stdout/exit) with synthetic values only — enabling fully offline dev/test of access flows.
  • Document the pattern in the standard (R1) as the sanctioned dev backend.

T5 — INTENT/SCOPE alignment

id: WARDEN-WP-0015-T05
status: todo
priority: medium
state_hub_task_id: "298c9b09-4a5a-41bf-a3bd-6c572385236b"
  • Update INTENT.md: ops-warden stewards security-policy conformance of the infrastructure (authoring the ops-security tiering standard + conformance checks + dev doubles), scoped explicitly to author+check — not enforcement or custody.
  • SCOPE: add the tiering policy + conformance surface; note the net-kingdom canon home; bump the maturity vector where warranted.
  • history/2026-06-27-secret-lifecycle-tiering-charter.md — decision record.

Acceptance

  • A coherent dev→test→prod standard exists in net-kingdom canon (R1R4 + tier matrix + phase-change ceremonies), authored by ops-warden, landed via net-kingdom coordination.
  • ops-warden ships tier descriptors + a read-only conformance checker + dev-tier doubles.
  • No secret material in any descriptor, checker, fixture, doc, or log.
  • ops-warden's role is documented as author+conformance; OpenBao custody and flex-auth authorization boundaries are explicitly preserved (responsibility-map honored).
  • INTENT/SCOPE reflect the conformance-steward role without overclaiming enforcement.

See also

  • WARDEN-WP-0014 (operator access assist; the tier-aware fetch surface)
  • net-kingdom/docs/openbao-unseal-custody-models.md, responsibility-map.md, platform-root-custody.md, security-bootstrap-*
  • flex-auth (runtime-enforceable tier rules, if any, as a follow-up)