coulomb/ops-warden
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
41a55c95b042d9f2ed37b2ab6c68e0bf89a61b07
ops-warden/examples/posture-conformance.example.yaml
tegwick 41a55c95b0 feat(WARDEN-WP-0015): T3 conformance checker + T4 dev-tier contract doubles 
Finish the Workload Security Posture workplan (all five tasks done).

T3 — scripts/check_secret_posture_conformance.py: read-only checker that asserts
env-posture conformance (backend/unseal/real_values per tier) and evaluates the
secret-flow lattice via posture.can_deliver. Metadata-only manifest, no secret
values, exit 0/1/2. examples/posture-conformance.example.yaml as the reference.

T4 — src/warden/doubles.py: generalizes "fake bao" into materialize_doubles() —
hermetic, synthetic-only (synthetic- prefix) stand-ins for bao/key-cape honoring
each argv/stdout/exit contract, for fully offline dev/test access flows. Documented
as the sanctioned dev backend in WorkloadSecurityPosture.md R1.

T5 — INTENT/SCOPE/wiki aligned; canon landing in net-kingdom/info-tech-canon left
owner-driven (tracked via coordination messages).

16 new tests, 200 passing, ruff clean. Archived WP-0012/0014/0015 to
workplans/archived/ with 260627- prefix.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-27 19:30:30 +02:00

42 lines
1.5 KiB
YAML
Raw Blame History

# Example target manifest for scripts/check_secret_posture_conformance.py (WP-0015 T3).
#
# A *metadata-only* description of workloads, the observed posture of each
# environment's secret store, and the secret flows being requested. It carries NO
# secret values — only ids, postures, maturities, required_maturity, and data class.
# The checker compares this against registry/policy/security-posture.yaml and the
# secret-flow lattice, and reports conformance + lattice violations. Read-only.
# Observed posture of each environment's secret store. The checker asserts these
# match the standard env_postures descriptor (backend / unseal / real_values).
environments:
dev:
backend: mock-or-contract-double
real_values: forbidden
unseal: n/a
prod:
backend: openbao-sealed-shamir
real_values: generated-fresh-no-reuse
unseal: shamir-3-of-5-break-glass
# Workloads and the trust we attribute to each (env posture + maturity level).
workloads:
- id: activity-core-triage
env_posture: prod
maturity: M2
- id: dev-sandbox
env_posture: dev
maturity: M0
# Secret flows being requested. Each is evaluated against the lattice for its
# target workload. required_maturity / dataclass are the secret's *requirements*,
# never the value.
secret_requests:
- secret: openrouter-api-key
to_workload: activity-core-triage
required_maturity: M2
dataclass: confidential
- secret: regulated-export-cred
to_workload: dev-sandbox # expected DENY: dev posture + M0 < M3
required_maturity: M3
dataclass: restricted
Reference in New Issue View Git Blame Copy Permalink