ops-warden/registry/policy/security-posture.yaml
tegwick 0812d7303d feat(WARDEN-WP-0015): T2 — machine-readable posture descriptors + warden policy
Adds registry/policy/security-posture.yaml (Axis A env postures, Axis B
maturity levels M0-M3, dataclass_floor, lattice rule — no secret
material) and src/warden/posture.py: typed loader with validation
(unique/contiguous ranks, floor references known levels) and the pure
can_deliver() lattice helper (no-write-down: prod posture + workload
maturity >= secret required_maturity + dataclass floor). New `warden
policy list|show` read-only lookup mirroring `warden route`.
tests/test_posture.py covers load, the allow/deny lattice matrix,
validation rejections, and CLI. 184 passed, lint clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-27 18:10:54 +02:00

74 lines · 2.4 KiB · YAML

```yaml
# NetKingdom Workload Security Posture — machine-readable descriptors
# WARDEN-WP-0015 T2. Authoritative prose: wiki/WorkloadSecurityPosture.md (pending
# promotion to net-kingdom + info-tech-canon canon).
#
# Rules:
# - No secret material in this file, ever (it is git-tracked and agent-visible).
# - DataClassification names are REUSED from the info-tech-canon Data Model.
# - This is a descriptor/data layer; runtime enforcement is flex-auth's.
version: 1

# --- Axis A — environment posture (how the secret store is secured) ----------
env_postures:
  - id: dev
    rank: 0
    backend: mock-or-contract-double
    real_values: forbidden # synthetic only
    unseal: n/a
    real_user_data: never
    audit: optional
  - id: test
    rank: 1
    backend: openbao-dev-single-unseal
    real_values: generated-reuse-allowed
    unseal: single-key-or-auto
    real_user_data: never
    audit: "on"
  - id: prod
    rank: 2
    backend: openbao-sealed-shamir
    real_values: generated-fresh-no-reuse
    unseal: shamir-3-of-5-break-glass
    real_user_data: allowed
    audit: full-tamper-evident

# --- Axis B — workload maturity (how trusted a workload is) -------------------
maturity_levels:
  - id: M0
    rank: 0
    phase: experimental-poc
    max_dataclass: synthetic
    promotion_gate: []
  - id: M1
    rank: 1
    phase: alpha-early-access
    max_dataclass: internal
    promotion_gate: [friendly-customer-scope, basic-slo, data-handling-note]
  - id: M2
    rank: 2
    phase: beta-ga
    max_dataclass: confidential
    promotion_gate: [security-review, slo-history, on-call, incident-runbooks]
  - id: M3
    rank: 3
    phase: critical-regulated
    max_dataclass: restricted
    promotion_gate: [pen-test, shamir-3-of-5-custody, human-in-loop-ops, compliance-audit]

# --- Data-class floor — minimum maturity to handle each DataClassification ----
# required_maturity(dataclass). DataClassification names reused from info-tech-canon.
dataclass_floor:
  synthetic: M0
  internal: M1
  confidential: M2
  restricted: M3

# --- Secret-flow lattice (informational; enforced by T3 checker + flex-auth) --
# deliver(secret -> workload) permitted iff:
#   workload.env_posture == prod
#   and rank(workload.maturity) >= rank(secret.required_maturity)
#   and rank(workload.maturity) >= rank(dataclass_floor[dataclass(secret)])
lattice:
  requires_env_posture: prod
  rule: no-write-down
```
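The commit message describes a typed loader with validation (unique, contiguous ranks; floor entries naming known levels) and a pure `can_deliver()` helper implementing the three-clause rule in the lattice comment. The following is an added illustration of that shape, not the project's `src/warden/posture.py`: the descriptor is transcribed into an in-memory dict (trimmed to the fields the checks read) so it runs without PyYAML or the file, and the function names, `Posture` dataclass and error messages are assumptions.

```python
"""Typed loader + no-write-down lattice check for security-posture.yaml.

Added example, not the project's posture.py. It reads the same descriptor
shape the page shows (env_postures, maturity_levels, dataclass_floor, lattice)
and implements the deliver rule from the file's lattice comment.
"""
from dataclasses import dataclass
from typing import Any

# Constructed in-memory copy of the page's descriptor, trimmed to the fields the
# validation and lattice checks need (assumption: a real loader yaml.safe_loads it).
POLICY: dict[str, Any] = {
    "version": 1,
    "env_postures": [
        {"id": "dev", "rank": 0},
        {"id": "test", "rank": 1},
        {"id": "prod", "rank": 2},
    ],
    "maturity_levels": [
        {"id": "M0", "rank": 0, "max_dataclass": "synthetic"},
        {"id": "M1", "rank": 1, "max_dataclass": "internal"},
        {"id": "M2", "rank": 2, "max_dataclass": "confidential"},
        {"id": "M3", "rank": 3, "max_dataclass": "restricted"},
    ],
    "dataclass_floor": {"synthetic": "M0", "internal": "M1",
                        "confidential": "M2", "restricted": "M3"},
    "lattice": {"requires_env_posture": "prod", "rule": "no-write-down"},
}


@dataclass(frozen=True)
class Posture:
    env_rank: dict[str, int]         # env posture id -> rank
    maturity_rank: dict[str, int]    # maturity level id -> rank
    dataclass_floor: dict[str, str]  # DataClassification -> minimum maturity id
    requires_env_posture: str


def _ranked_ids(items: list[dict[str, Any]], what: str) -> dict[str, int]:
    """Map id -> rank, rejecting duplicate ids and non-contiguous ranks."""
    ranks: dict[str, int] = {}
    for item in items:
        if item["id"] in ranks:
            raise ValueError(f"{what}: duplicate id {item['id']!r}")
        ranks[item["id"]] = int(item["rank"])
    if sorted(ranks.values()) != list(range(len(ranks))):
        raise ValueError(f"{what}: ranks must be unique and contiguous from 0")
    return ranks


def validate(policy: dict[str, Any]) -> Posture:
    """Structural validation: every reference must name something declared."""
    env = _ranked_ids(policy["env_postures"], "env_postures")
    mat = _ranked_ids(policy["maturity_levels"], "maturity_levels")
    floor = dict(policy["dataclass_floor"])
    for dc, level in floor.items():
        if level not in mat:
            raise ValueError(f"dataclass_floor[{dc!r}] names unknown maturity {level!r}")
    for lvl in policy["maturity_levels"]:
        if lvl["max_dataclass"] not in floor:
            raise ValueError(f"{lvl['id']}: max_dataclass {lvl['max_dataclass']!r} has no floor")
    req = policy["lattice"]["requires_env_posture"]
    if req not in env:
        raise ValueError(f"lattice.requires_env_posture {req!r} is not an env posture")
    return Posture(env, mat, floor, req)


def can_deliver(p: Posture, workload_env: str, workload_maturity: str,
                secret_required_maturity: str, secret_dataclass: str) -> bool:
    """Pure no-write-down check: all three clauses of the lattice comment must hold."""
    if workload_env not in p.env_rank or workload_maturity not in p.maturity_rank:
        raise ValueError("unknown workload env posture or maturity level")
    if (secret_required_maturity not in p.maturity_rank
            or secret_dataclass not in p.dataclass_floor):
        raise ValueError("unknown secret required_maturity or dataclass")
    w = p.maturity_rank[workload_maturity]
    return (workload_env == p.requires_env_posture
            and w >= p.maturity_rank[secret_required_maturity]
            and w >= p.maturity_rank[p.dataclass_floor[secret_dataclass]])


def load_policy_file(path: str) -> Posture:
    """Load and validate the YAML file itself (needs PyYAML; imported lazily)."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return validate(yaml.safe_load(fh))


if __name__ == "__main__":
    posture = validate(POLICY)
    for env, mat, req, dc in [("prod", "M2", "M1", "confidential"),
                              ("prod", "M1", "M1", "confidential"),
                              ("test", "M3", "M0", "synthetic")]:
        print(f"{env}/{mat} <- ({req}, {dc}): {can_deliver(posture, env, mat, req, dc)}")
```

Note that the dataclass floor is a separate clause from `required_maturity`: a secret tagged `required_maturity: M1` but classified `confidential` is still withheld from an M1 workload, because `dataclass_floor[confidential]` is M2. Likewise every non-prod posture is denied regardless of maturity, which is what makes the rule a write-down prohibition rather than a plain rank comparison.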