Files
ops-warden/workplans/WARDEN-WP-0015-secret-lifecycle-tiering.md
tegwick 0812d7303d feat(WARDEN-WP-0015): T2 — machine-readable posture descriptors + warden policy
Adds registry/policy/security-posture.yaml (Axis A env postures, Axis B
maturity levels M0-M3, dataclass_floor, lattice rule — no secret
material) and src/warden/posture.py: typed loader with validation
(unique/contiguous ranks, floor references known levels) and the pure
can_deliver() lattice helper (no-write-down: prod posture + workload
maturity >= secret required_maturity + dataclass floor). New `warden
policy list|show` read-only lookup mirroring `warden route`.
tests/test_posture.py covers load, the allow/deny lattice matrix,
validation rejections, and CLI. 184 passed, lint clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-27 18:10:54 +02:00

226 lines
10 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
id: WARDEN-WP-0015
type: workplan
title: "Workload Security Posture — env posture × maturity + conformance"
domain: infotech
repo: ops-warden
status: active
owner: codex
topic_slug: custodian
planning_priority: high
planning_order: 15
created: "2026-06-27"
updated: "2026-06-27"
state_hub_workstream_id: "99f4a0e1-853c-456f-8aa7-8ff0f318ea65"
---
# WARDEN-WP-0015 — Workload Security Posture (two-axis) + conformance
**Scope:** Establish a NetKingdom standard for IT-security posture across **two
orthogonal axes**, and make ops-warden the **conformance steward** for it:
- **Axis A — Environment posture** (`dev → test → prod`): how the *secret store* is
secured (mock / OpenBao `-dev` / sealed). Identical contracts, divergent posture.
- **Axis B — Workload maturity** (`M0 → M3`): how *trusted* a workload is to receive
secrets and handle classified data (PoC → alpha/early-access → beta/GA → critical).
The axes combine in a **secret-flow lattice**: a secret may be delivered to a workload
only if the workload's posture *and* maturity meet the secret's requirements. ops-warden
authors the ops-security slice, ships machine-readable descriptors + a conformance
checker (incl. the lattice check), and the dev-tier **contract-double** fixture library
(the "fake bao" pattern generalized).
**Decisions locked (2026-06-27):**
- Two-axis model folded into this WP (was "Secret Lifecycle Tiering", env posture only).
- Authoritative **NetKingdom requirements** (M0M3 table, secret-flow gates, env-posture
ceremonies) live in **net-kingdom canon**; the **generic `WorkloadMaturityLevel`
concept + lattice** is contributed to **info-tech-canon** (DevSecOps/Landscape),
reusing its governed `DataClassification`. ops-warden authors the ops-security slice +
conformance tooling.
- ops-warden role = **author + conformance checks**, **not** runtime enforcement.
**Reuse, don't reinvent (info-tech-canon already defines the primitives):**
`DataClassification` (`confidential`/`restricted`…) in the Data Model; promotion /
quality gates / policy gates / `DeploymentVerification` + progressive delivery in the
DevSecOps Model; asset/business **criticality** in the Security Model; access semantics
in the CARING Access Governance Standard. This WP **assembles** these into a named
maturity ladder + flow rule; it does not fork them.
**Hard boundary (responsibility-map, ~line 154):** ops-warden "must not become a
universal secret broker — runtime secrets remain OpenBao; authorization remains
flex-auth." ops-warden = policy author + conformance verifier only. OpenBao holds the
secrets; flex-auth makes allow/deny decisions; CARING governs access semantics.
**Cross-repo note:** T1/T5 author content destined for **net-kingdom** and
**info-tech-canon**. ops-warden drafts; landing it is coordinated through each repo's
own process (inbox/PR), not a unilateral write from here.
**Depends on / relates to:** WARDEN-WP-0014 (the `warden access` proxy is the
posture-aware fetch surface; its caller-identity/transit guardrails are prod-compatible).
**Status:** `proposed` — awaiting Bernd's review before implementation.
---
## The model (to be encoded by this WP)
### Axis A — Environment posture (the secret store)
**R1 — Contract parity, posture divergence.** Identical interface at every tier; only
the backend's security posture changes. Automation written once runs at all tiers
unchanged (this is why contract doubles work).
**R2 — Promote topology, regenerate material.** Secret *values* are never promoted up
the ladder; only *structure* (paths, policy shape, names). Values are generated fresh
per tier. Test conveniences (reuse, single-unseal) are quarantined in test.
**R3 — Dev touches no real data, ever.** Insecure personal mock store is sanctioned
*iff* dev uses only synthetic data. Absolute.
**R4 — Phase-changes are ceremonies, not copies.** test→prod is a gated checklist
referencing net-kingdom `security-bootstrap-*` / unseal-custody docs.
| | dev | test | prod |
| --- | --- | --- | --- |
| backend | mock / contract double | OpenBao `-dev` (single-unseal) | OpenBao sealed (Shamir 3-of-5) |
| real values | forbidden (synthetic) | generated, reuse allowed | generated fresh, reuse forbidden |
| unseal | n/a | single key / auto | 3-of-5 + break-glass |
| real user/business data | never | never | allowed |
| audit | optional | on | full, tamper-evident |
### Axis B — Workload maturity (the trust to receive secrets/data)
**Production is a posture, not a maturity.** A workload can be prod-posture yet low
maturity (alpha with friendly customers). Maturity gates *which secrets and data
classes* a prod workload may touch.
| Level | Phase | Max DataClassification | Promotion gate (reuses DevSecOps gates) |
| --- | --- | --- | --- |
| **M0** | Experimental / PoC | synthetic only | — |
| **M1** | Alpha / early-access | low-criticality, loss-acceptable; no confidential/restricted | friendly-customer scope, basic SLO, data-handling note |
| **M2** | Beta / GA | up to `confidential`; SLOs; audited | security review, SLO history, on-call, incident runbooks |
| **M3** | Critical / regulated | `restricted`; break-glass; compliance | pen-test, 3-of-5 custody, human-in-loop, compliance audit |
### The combined rule (secret-flow lattice)
```
deliver(secret → workload) permitted only if
workload.env_posture == prod # Axis A
AND workload.maturity >= secret.required_maturity # Axis B (no-write-down)
AND workload.maturity >= required_maturity(dataclass(secret))
```
"Critical secrets must not be transferred to workloads below maturity M" is exactly
this no-write-down constraint. Checkable by ops-warden; enforceable by flex-auth.
---
## Tasks
### T1 — Author the two-axis Workload Security Posture standard (canon-bound)
```task
id: WARDEN-WP-0015-T01
status: done
priority: high
state_hub_task_id: "85aeb676-a593-4056-986a-db14d4c5209f"
```
- [x] Drafted the standard: Axis A (R1R4 + env-posture matrix + phase-change ceremonies)
and Axis B (M0M3 ladder + promotion gates) unified by the secret-flow lattice —
`wiki/WorkloadSecurityPosture.md`.
- [x] Layered it: doc marks the generic `WorkloadMaturityLevel` + lattice → **info-tech-canon**
(reusing `DataClassification`) and the NetKingdom M0M3 requirements + env-posture
ceremonies → **net-kingdom canon**, with a canon-layering table.
- [x] Cross-linked the unseal/bootstrap/responsibility canon + info-tech-canon
Security/DevSecOps/Data/CARING models. Staged in ops-warden; **coordination
opened** to net-kingdom (msg 8d6f8d83) and info-tech-canon (msg ca07b085).
- [x] Encoded ops-warden's role: author + conformance, not enforcement/custody.
- Note: canon **landing** in the two repos is owner-driven; tracked to closure in T5.
### T2 — Machine-readable posture descriptors (both axes)
```task
id: WARDEN-WP-0015-T02
status: done
priority: high
state_hub_task_id: "011fb0af-154d-40f4-a03e-3172c325321a"
```
- [x] `registry/policy/security-posture.yaml` — env-posture tiers (backend, value-policy,
unseal, data-class, audit) **and** maturity levels (M0M3, max DataClassification,
promotion gates), `dataclass_floor` mapping, and the lattice rule. No secret material.
- [x] Loader + validation in `src/warden/posture.py` (mirrors `routing/catalog.py`):
unique/contiguous ranks, dataclass_floor references known levels, lattice env
posture exists. Includes the pure `can_deliver` lattice helper (reused by T3).
- [x] `warden policy list|show` lookup (mirrors `warden route`; `--json`).
- [x] Tests: `tests/test_posture.py` (load, lattice allow/deny matrix, validation
rejections, CLI). 184 pass, lint clean.
### T3 — Conformance checker (incl. secret-flow lattice)
```task
id: WARDEN-WP-0015-T03
status: todo
priority: high
state_hub_task_id: "c1a0e987-19d0-478e-ac08-2dbe98e64e09"
```
- [ ] `scripts/check_secret_posture_conformance.py` — assert env-posture matches the
standard (prod sealed + Shamir; dev no real-value paths) **and** evaluate the
lattice: flag any secret whose `required_maturity` exceeds a target workload's
maturity. Drift-style report, like `check_principals_drift.py`. Read-only.
- [ ] Surface conformance + lattice violations; never read or print a secret value.
### T4 — Dev-tier contract-double fixture library
```task
id: WARDEN-WP-0015-T04
status: todo
priority: medium
state_hub_task_id: "e556fd2e-4e39-4c7d-bd94-b4330e4bef45"
```
- [ ] Generalize "fake bao": hermetic dev-tier doubles for routed subsystems (bao,
key-cape login) honoring each contract (argv/stdout/exit) with synthetic values
only — fully offline dev/test of access flows.
- [ ] Document the pattern in the standard (R1) as the sanctioned dev backend.
### T5 — INTENT/SCOPE alignment + canon contributions
```task
id: WARDEN-WP-0015-T05
status: todo
priority: medium
state_hub_task_id: "298c9b09-4a5a-41bf-a3bd-6c572385236b"
```
- [ ] `INTENT.md`: ops-warden stewards **security-policy conformance** of the
infrastructure (authoring the two-axis posture standard + conformance checks + dev
doubles), scoped to author+check — **not** enforcement or custody.
- [ ] SCOPE: add the posture policy + conformance surface; note the net-kingdom /
info-tech-canon homes; bump the maturity vector where warranted.
- [ ] Track the info-tech-canon contribution (generic `WorkloadMaturityLevel`) and the
net-kingdom requirements landing to closure.
- [ ] `history/2026-06-27-workload-security-posture-charter.md` — decision record.
---
## Acceptance
- A coherent two-axis standard exists: generic concept in info-tech-canon, NetKingdom
M0M3 + env-posture requirements in net-kingdom canon, authored by ops-warden.
- ops-warden ships posture descriptors + a read-only conformance checker (incl. the
secret-flow lattice) + dev-tier doubles.
- No secret material in any descriptor, checker, fixture, doc, or log.
- ops-warden's role is documented as author+conformance; OpenBao custody, flex-auth
authorization, and CARING access boundaries are explicitly preserved.
- INTENT/SCOPE reflect the conformance-steward role without overclaiming enforcement.
---
## See also
- `WARDEN-WP-0014` (operator access assist; the posture-aware fetch surface)
- `net-kingdom/docs/openbao-unseal-custody-models.md`, `responsibility-map.md`,
`platform-root-custody.md`, `security-bootstrap-*`
- `info-tech-canon` Security / DevSecOps / Data Models + CARING Access Governance
- `flex-auth` (runtime enforcement of the lattice, as a follow-up)