Files
ops-warden/workplans/WARDEN-WP-0015-secret-lifecycle-tiering.md
tegwick 091ab1fa65 plan(WARDEN-WP-0015): register Secret Lifecycle Tiering workplan
Proposed workplan for the dev→test→prod secret-posture ladder and
ops-warden's conformance-steward role (author + checks, not enforcement).
Authoritative standard lands in net-kingdom canon; ops-warden ships tier
descriptors, a conformance checker, and the dev-tier contract-double
library (the "fake bao" pattern generalized). Registered in State Hub
(workstream 99f4a0e1, 5 tasks); awaiting review before implementation.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-27 17:37:23 +02:00

179 lines
7.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
id: WARDEN-WP-0015
type: workplan
title: "Secret Lifecycle Tiering — policy + conformance stewardship"
domain: infotech
repo: ops-warden
status: proposed
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 15
created: "2026-06-27"
updated: "2026-06-27"
state_hub_workstream_id: "99f4a0e1-853c-456f-8aa7-8ff0f318ea65"
---
# WARDEN-WP-0015 — Secret Lifecycle Tiering (policy + conformance)
**Scope:** Establish a NetKingdom standard for how secrets are managed across the
**dev → test → prod** lifecycle, and make ops-warden the **conformance steward** for it.
The standard defines three credential-posture tiers with identical *contracts* and
deliberately divergent *security posture*, plus the phase-change ceremonies between
them. ops-warden authors the ops-security slice of the standard, ships
machine-readable tier descriptors and a conformance checker, and provides a dev-tier
**contract-double** fixture library (the generalization of the "fake bao" pattern).
**Decisions locked (2026-06-27):**
- Authoritative standard lives in **net-kingdom canon** (`docs/`), next to
`openbao-unseal-custody-models.md` and `responsibility-map.md`. ops-warden authors
the ops-security slice and carries a pointer + conformance tooling.
- ops-warden role = **author + conformance checks** (machine-readable descriptors,
drift/conformance checkers, dev-tier doubles). **Not** runtime enforcement.
**Hard boundary (responsibility-map, ~line 154):** ops-warden "must not become a
universal secret broker — runtime secrets remain OpenBao; authorization remains
flex-auth." This WP keeps ops-warden as policy author + conformance verifier only.
OpenBao holds the secrets; flex-auth makes allow/deny decisions.
**Cross-repo note:** T1 authors content destined for **net-kingdom** canon. ops-warden
drafts it; landing it in net-kingdom is a coordinated change through net-kingdom's own
process (inbox/PR), not a unilateral write from this repo.
**Depends on / relates to:** WARDEN-WP-0014 (the `warden access` proxy is the tier-aware
fetch surface; its caller-identity/transit guardrails are tier-prod-compatible).
**Status:** `proposed` — awaiting Bernd's review before implementation.
---
## The model (refined, to be encoded by this WP)
**R1 — Contract parity, posture divergence.** The interface is identical at every
tier; only the backend's security posture changes. Automation written once runs at all
three tiers unchanged. (This is why contract doubles work.)
**R2 — Promote topology, regenerate material.** Secret *values* are never promoted up
the ladder. Only the *structure* (paths, policy shape, names, the secret tree) is
promoted; values are generated fresh at each tier. Test conveniences (reuse,
single-unseal) are quarantined in test by construction.
**R3 — Dev touches no real data, ever.** An insecure personal mock store in dev is
sanctioned *iff* dev uses only synthetic/fixture data. Absolute invariant.
**R4 — Phase-changes are ceremonies, not copies.** test→prod is a gated checklist
(regenerate secrets, switch unseal model, enable break-glass, human sign-off),
referencing the existing net-kingdom `security-bootstrap-*` and unseal-custody docs —
not duplicating them.
**Tier descriptor matrix (encoded in registry/policy):**
| | dev | test | prod |
| --- | --- | --- | --- |
| backend | mock / contract double | OpenBao `-dev` (single-unseal) | OpenBao sealed (Shamir 3-of-5) |
| real values | forbidden (synthetic) | generated, reuse allowed | generated fresh, reuse forbidden |
| unseal | n/a | single key / auto | 3-of-5 + break-glass |
| human-in-loop | never | never | required (break-glass) |
| real user/business data | never | never | allowed |
| audit | optional | on | full, tamper-evident |
---
## Tasks
### T1 — Author the Secret Lifecycle Tiering standard (canon-bound)
```task
id: WARDEN-WP-0015-T01
status: todo
priority: high
state_hub_task_id: "85aeb676-a593-4056-986a-db14d4c5209f"
```
- [ ] Draft `secret-lifecycle-tiering.md` (R1R4 + tier matrix + phase-change gates),
cross-linking `openbao-unseal-custody-models.md`, `responsibility-map.md`,
`platform-root-custody.md`, and the `security-bootstrap-*` ceremony series.
- [ ] Stage the draft in ops-warden (`history/` or `wiki/`) and open a coordination
request to **net-kingdom** to land it as authoritative canon (cross-repo).
- [ ] Encode ops-warden's role explicitly: author + conformance, not enforcement/custody.
### T2 — Machine-readable tier descriptors
```task
id: WARDEN-WP-0015-T02
status: todo
priority: high
state_hub_task_id: "011fb0af-154d-40f4-a03e-3172c325321a"
```
- [ ] `registry/policy/secret-lifecycle-tiers.yaml` — the tier matrix as data
(backend, value-policy, unseal model, human-in-loop, data-class, audit-level).
- [ ] Loader + validation (mirror `routing/catalog.py` rigor; no secret material).
- [ ] Optional `warden policy show|list` lookup (mirrors `warden route`).
### T3 — Conformance checker
```task
id: WARDEN-WP-0015-T03
status: todo
priority: high
state_hub_task_id: "c1a0e987-19d0-478e-ac08-2dbe98e64e09"
```
- [ ] `scripts/check_secret_tier_conformance.py` — given a tier + an environment
descriptor, assert posture matches the standard (e.g. prod must be sealed +
Shamir; dev must have no real-value paths). Drift-style report, like
`check_principals_drift.py`. Read-only; operator runs it.
- [ ] Surface conformance status; never read or print a secret value.
### T4 — Dev-tier contract-double fixture library
```task
id: WARDEN-WP-0015-T04
status: todo
priority: medium
state_hub_task_id: "e556fd2e-4e39-4c7d-bd94-b4330e4bef45"
```
- [ ] Generalize "fake bao": ship hermetic dev-tier doubles for routed subsystems
(bao, key-cape login) honoring each contract (argv/stdout/exit) with synthetic
values only — enabling fully offline dev/test of access flows.
- [ ] Document the pattern in the standard (R1) as the sanctioned dev backend.
### T5 — INTENT/SCOPE alignment
```task
id: WARDEN-WP-0015-T05
status: todo
priority: medium
state_hub_task_id: "298c9b09-4a5a-41bf-a3bd-6c572385236b"
```
- [ ] Update `INTENT.md`: ops-warden stewards **security-policy conformance** of the
infrastructure (authoring the ops-security tiering standard + conformance checks +
dev doubles), scoped explicitly to author+check — **not** enforcement or custody.
- [ ] SCOPE: add the tiering policy + conformance surface; note the net-kingdom canon
home; bump the maturity vector where warranted.
- [ ] `history/2026-06-27-secret-lifecycle-tiering-charter.md` — decision record.
---
## Acceptance
- A coherent dev→test→prod standard exists in net-kingdom canon (R1R4 + tier matrix +
phase-change ceremonies), authored by ops-warden, landed via net-kingdom coordination.
- ops-warden ships tier descriptors + a read-only conformance checker + dev-tier doubles.
- No secret material in any descriptor, checker, fixture, doc, or log.
- ops-warden's role is documented as author+conformance; OpenBao custody and flex-auth
authorization boundaries are explicitly preserved (responsibility-map honored).
- INTENT/SCOPE reflect the conformance-steward role without overclaiming enforcement.
---
## See also
- `WARDEN-WP-0014` (operator access assist; the tier-aware fetch surface)
- `net-kingdom/docs/openbao-unseal-custody-models.md`, `responsibility-map.md`,
`platform-root-custody.md`, `security-bootstrap-*`
- `flex-auth` (runtime-enforceable tier rules, if any, as a follow-up)