generated from coulomb/repo-seed
Adds registry/policy/security-posture.yaml (Axis A env postures, Axis B maturity levels M0-M3, dataclass_floor, lattice rule — no secret material) and src/warden/posture.py: typed loader with validation (unique/contiguous ranks, floor references known levels) and the pure can_deliver() lattice helper (no-write-down: prod posture + workload maturity >= secret required_maturity + dataclass floor). New `warden policy list|show` read-only lookup mirroring `warden route`. tests/test_posture.py covers load, the allow/deny lattice matrix, validation rejections, and CLI. 184 passed, lint clean. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
226 lines
10 KiB
Markdown
226 lines
10 KiB
Markdown
---
|
||
id: WARDEN-WP-0015
|
||
type: workplan
|
||
title: "Workload Security Posture — env posture × maturity + conformance"
|
||
domain: infotech
|
||
repo: ops-warden
|
||
status: active
|
||
owner: codex
|
||
topic_slug: custodian
|
||
planning_priority: high
|
||
planning_order: 15
|
||
created: "2026-06-27"
|
||
updated: "2026-06-27"
|
||
state_hub_workstream_id: "99f4a0e1-853c-456f-8aa7-8ff0f318ea65"
|
||
---
|
||
|
||
# WARDEN-WP-0015 — Workload Security Posture (two-axis) + conformance
|
||
|
||
**Scope:** Establish a NetKingdom standard for IT-security posture across **two
|
||
orthogonal axes**, and make ops-warden the **conformance steward** for it:
|
||
|
||
- **Axis A — Environment posture** (`dev → test → prod`): how the *secret store* is
|
||
secured (mock / OpenBao `-dev` / sealed). Identical contracts, divergent posture.
|
||
- **Axis B — Workload maturity** (`M0 → M3`): how *trusted* a workload is to receive
|
||
secrets and handle classified data (PoC → alpha/early-access → beta/GA → critical).
|
||
|
||
The axes combine in a **secret-flow lattice**: a secret may be delivered to a workload
|
||
only if the workload's posture *and* maturity meet the secret's requirements. ops-warden
|
||
authors the ops-security slice, ships machine-readable descriptors + a conformance
|
||
checker (incl. the lattice check), and the dev-tier **contract-double** fixture library
|
||
(the "fake bao" pattern generalized).
|
||
|
||
**Decisions locked (2026-06-27):**
|
||
- Two-axis model folded into this WP (was "Secret Lifecycle Tiering", env posture only).
|
||
- Authoritative **NetKingdom requirements** (M0–M3 table, secret-flow gates, env-posture
|
||
ceremonies) live in **net-kingdom canon**; the **generic `WorkloadMaturityLevel`
|
||
concept + lattice** is contributed to **info-tech-canon** (DevSecOps/Landscape),
|
||
reusing its governed `DataClassification`. ops-warden authors the ops-security slice +
|
||
conformance tooling.
|
||
- ops-warden role = **author + conformance checks**, **not** runtime enforcement.
|
||
|
||
**Reuse, don't reinvent (info-tech-canon already defines the primitives):**
|
||
`DataClassification` (`confidential`/`restricted`…) in the Data Model; promotion /
|
||
quality gates / policy gates / `DeploymentVerification` + progressive delivery in the
|
||
DevSecOps Model; asset/business **criticality** in the Security Model; access semantics
|
||
in the CARING Access Governance Standard. This WP **assembles** these into a named
|
||
maturity ladder + flow rule; it does not fork them.
|
||
|
||
**Hard boundary (responsibility-map, ~line 154):** ops-warden "must not become a
|
||
universal secret broker — runtime secrets remain OpenBao; authorization remains
|
||
flex-auth." ops-warden = policy author + conformance verifier only. OpenBao holds the
|
||
secrets; flex-auth makes allow/deny decisions; CARING governs access semantics.
|
||
|
||
**Cross-repo note:** T1/T5 author content destined for **net-kingdom** and
|
||
**info-tech-canon**. ops-warden drafts; landing it is coordinated through each repo's
|
||
own process (inbox/PR), not a unilateral write from here.
|
||
|
||
**Depends on / relates to:** WARDEN-WP-0014 (the `warden access` proxy is the
|
||
posture-aware fetch surface; its caller-identity/transit guardrails are prod-compatible).
|
||
|
||
**Status:** `proposed` — awaiting Bernd's review before implementation.
|
||
|
||
---
|
||
|
||
## The model (to be encoded by this WP)
|
||
|
||
### Axis A — Environment posture (the secret store)
|
||
|
||
**R1 — Contract parity, posture divergence.** Identical interface at every tier; only
|
||
the backend's security posture changes. Automation written once runs at all tiers
|
||
unchanged (this is why contract doubles work).
|
||
**R2 — Promote topology, regenerate material.** Secret *values* are never promoted up
|
||
the ladder; only *structure* (paths, policy shape, names). Values are generated fresh
|
||
per tier. Test conveniences (reuse, single-unseal) are quarantined in test.
|
||
**R3 — Dev touches no real data, ever.** Insecure personal mock store is sanctioned
|
||
*iff* dev uses only synthetic data. Absolute.
|
||
**R4 — Phase-changes are ceremonies, not copies.** test→prod is a gated checklist
|
||
referencing net-kingdom `security-bootstrap-*` / unseal-custody docs.
|
||
|
||
| | dev | test | prod |
|
||
| --- | --- | --- | --- |
|
||
| backend | mock / contract double | OpenBao `-dev` (single-unseal) | OpenBao sealed (Shamir 3-of-5) |
|
||
| real values | forbidden (synthetic) | generated, reuse allowed | generated fresh, reuse forbidden |
|
||
| unseal | n/a | single key / auto | 3-of-5 + break-glass |
|
||
| real user/business data | never | never | allowed |
|
||
| audit | optional | on | full, tamper-evident |
|
||
|
||
### Axis B — Workload maturity (the trust to receive secrets/data)
|
||
|
||
**Production is a posture, not a maturity.** A workload can be prod-posture yet low
|
||
maturity (alpha with friendly customers). Maturity gates *which secrets and data
|
||
classes* a prod workload may touch.
|
||
|
||
| Level | Phase | Max DataClassification | Promotion gate (reuses DevSecOps gates) |
|
||
| --- | --- | --- | --- |
|
||
| **M0** | Experimental / PoC | synthetic only | — |
|
||
| **M1** | Alpha / early-access | low-criticality, loss-acceptable; no confidential/restricted | friendly-customer scope, basic SLO, data-handling note |
|
||
| **M2** | Beta / GA | up to `confidential`; SLOs; audited | security review, SLO history, on-call, incident runbooks |
|
||
| **M3** | Critical / regulated | `restricted`; break-glass; compliance | pen-test, 3-of-5 custody, human-in-loop, compliance audit |
|
||
|
||
### The combined rule (secret-flow lattice)
|
||
|
||
```
|
||
deliver(secret → workload) permitted only if
|
||
workload.env_posture == prod # Axis A
|
||
AND workload.maturity >= secret.required_maturity # Axis B (no-write-down)
|
||
AND workload.maturity >= required_maturity(dataclass(secret))
|
||
```
|
||
|
||
"Critical secrets must not be transferred to workloads below maturity M" is exactly
|
||
this no-write-down constraint. Checkable by ops-warden; enforceable by flex-auth.
|
||
|
||
---
|
||
|
||
## Tasks
|
||
|
||
### T1 — Author the two-axis Workload Security Posture standard (canon-bound)
|
||
|
||
```task
|
||
id: WARDEN-WP-0015-T01
|
||
status: done
|
||
priority: high
|
||
state_hub_task_id: "85aeb676-a593-4056-986a-db14d4c5209f"
|
||
```
|
||
|
||
- [x] Drafted the standard: Axis A (R1–R4 + env-posture matrix + phase-change ceremonies)
|
||
and Axis B (M0–M3 ladder + promotion gates) unified by the secret-flow lattice —
|
||
`wiki/WorkloadSecurityPosture.md`.
|
||
- [x] Layered it: doc marks the generic `WorkloadMaturityLevel` + lattice → **info-tech-canon**
|
||
(reusing `DataClassification`) and the NetKingdom M0–M3 requirements + env-posture
|
||
ceremonies → **net-kingdom canon**, with a canon-layering table.
|
||
- [x] Cross-linked the unseal/bootstrap/responsibility canon + info-tech-canon
|
||
Security/DevSecOps/Data/CARING models. Staged in ops-warden; **coordination
|
||
opened** to net-kingdom (msg 8d6f8d83) and info-tech-canon (msg ca07b085).
|
||
- [x] Encoded ops-warden's role: author + conformance, not enforcement/custody.
|
||
- Note: canon **landing** in the two repos is owner-driven; tracked to closure in T5.
|
||
|
||
### T2 — Machine-readable posture descriptors (both axes)
|
||
|
||
```task
|
||
id: WARDEN-WP-0015-T02
|
||
status: done
|
||
priority: high
|
||
state_hub_task_id: "011fb0af-154d-40f4-a03e-3172c325321a"
|
||
```
|
||
|
||
- [x] `registry/policy/security-posture.yaml` — env-posture tiers (backend, value-policy,
|
||
unseal, data-class, audit) **and** maturity levels (M0–M3, max DataClassification,
|
||
promotion gates), `dataclass_floor` mapping, and the lattice rule. No secret material.
|
||
- [x] Loader + validation in `src/warden/posture.py` (mirrors `routing/catalog.py`):
|
||
unique/contiguous ranks, dataclass_floor references known levels, lattice env
|
||
posture exists. Includes the pure `can_deliver` lattice helper (reused by T3).
|
||
- [x] `warden policy list|show` lookup (mirrors `warden route`; `--json`).
|
||
- [x] Tests: `tests/test_posture.py` (load, lattice allow/deny matrix, validation
|
||
rejections, CLI). 184 pass, lint clean.
|
||
|
||
### T3 — Conformance checker (incl. secret-flow lattice)
|
||
|
||
```task
|
||
id: WARDEN-WP-0015-T03
|
||
status: todo
|
||
priority: high
|
||
state_hub_task_id: "c1a0e987-19d0-478e-ac08-2dbe98e64e09"
|
||
```
|
||
|
||
- [ ] `scripts/check_secret_posture_conformance.py` — assert env-posture matches the
|
||
standard (prod sealed + Shamir; dev no real-value paths) **and** evaluate the
|
||
lattice: flag any secret whose `required_maturity` exceeds a target workload's
|
||
maturity. Drift-style report, like `check_principals_drift.py`. Read-only.
|
||
- [ ] Surface conformance + lattice violations; never read or print a secret value.
|
||
|
||
### T4 — Dev-tier contract-double fixture library
|
||
|
||
```task
|
||
id: WARDEN-WP-0015-T04
|
||
status: todo
|
||
priority: medium
|
||
state_hub_task_id: "e556fd2e-4e39-4c7d-bd94-b4330e4bef45"
|
||
```
|
||
|
||
- [ ] Generalize "fake bao": hermetic dev-tier doubles for routed subsystems (bao,
|
||
key-cape login) honoring each contract (argv/stdout/exit) with synthetic values
|
||
only — fully offline dev/test of access flows.
|
||
- [ ] Document the pattern in the standard (R1) as the sanctioned dev backend.
|
||
|
||
### T5 — INTENT/SCOPE alignment + canon contributions
|
||
|
||
```task
|
||
id: WARDEN-WP-0015-T05
|
||
status: todo
|
||
priority: medium
|
||
state_hub_task_id: "298c9b09-4a5a-41bf-a3bd-6c572385236b"
|
||
```
|
||
|
||
- [ ] `INTENT.md`: ops-warden stewards **security-policy conformance** of the
|
||
infrastructure (authoring the two-axis posture standard + conformance checks + dev
|
||
doubles), scoped to author+check — **not** enforcement or custody.
|
||
- [ ] SCOPE: add the posture policy + conformance surface; note the net-kingdom /
|
||
info-tech-canon homes; bump the maturity vector where warranted.
|
||
- [ ] Track the info-tech-canon contribution (generic `WorkloadMaturityLevel`) and the
|
||
net-kingdom requirements landing to closure.
|
||
- [ ] `history/2026-06-27-workload-security-posture-charter.md` — decision record.
|
||
|
||
---
|
||
|
||
## Acceptance
|
||
|
||
- A coherent two-axis standard exists: generic concept in info-tech-canon, NetKingdom
|
||
M0–M3 + env-posture requirements in net-kingdom canon, authored by ops-warden.
|
||
- ops-warden ships posture descriptors + a read-only conformance checker (incl. the
|
||
secret-flow lattice) + dev-tier doubles.
|
||
- No secret material in any descriptor, checker, fixture, doc, or log.
|
||
- ops-warden's role is documented as author+conformance; OpenBao custody, flex-auth
|
||
authorization, and CARING access boundaries are explicitly preserved.
|
||
- INTENT/SCOPE reflect the conformance-steward role without overclaiming enforcement.
|
||
|
||
---
|
||
|
||
## See also
|
||
|
||
- `WARDEN-WP-0014` (operator access assist; the posture-aware fetch surface)
|
||
- `net-kingdom/docs/openbao-unseal-custody-models.md`, `responsibility-map.md`,
|
||
`platform-root-custody.md`, `security-bootstrap-*`
|
||
- `info-tech-canon` Security / DevSecOps / Data Models + CARING Access Governance
|
||
- `flex-auth` (runtime enforcement of the lattice, as a follow-up)
|