ops-warden/history/2026-06-27-workload-security-posture-charter.md

Workload Security Posture Charter

Date: 2026-06-27
Workplan: WARDEN-WP-0015

Decision

ops-warden will steward the NetKingdom workload security posture model as an author-and-conformance surface, not as runtime enforcement or secret custody. The model has two orthogonal axes:

  • environment posture: the dev, test, or prod secret-store posture the workload runs in;
  • workload maturity: M0 through M3, describing whether a workload may receive increasingly sensitive secrets/data.

The axes combine in a secret-flow lattice. A real secret may flow only when the workload is in prod posture, the workload maturity meets the secret's required_maturity, and the maturity meets the floor implied by the secret's data classification.

Boundary

This expands ops-warden's stewardship role without expanding secret custody:

  • OpenBao holds secret values.
  • flex-auth makes allow/deny decisions and is the eventual runtime enforcement point for the lattice.
  • key-cape/Keycloak establish identity.
  • CARING governs access semantics.
  • ops-warden issues SSH certificates, routes/assists other credential lanes, and checks conformance evidence.

warden access from WP-0014 remains valid under this model because it is a transparent conduit: it runs the owning tool as the caller, does not hold a standing credential, does not persist values, and records metadata-only audit evidence.

Why it matters

The model turns vague IT-security blockers into named outcomes:

  • dev/test work can proceed with synthetic contract doubles rather than waiting for production secrets;
  • production work with real values must name owner custody, policy gate, posture, maturity, and non-secret evidence;
  • maturity below a secret's requirement remains a real blocker until the workload or design changes;
  • operator ceremonies such as prod OpenBao unseal and issuer custody remain hard gates and must not be bypassed with agent-visible secret values.
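The lattice rule in the Decision section and the named outcomes listed above can be evaluated mechanically. The following is an added example, not ops-warden's own checker: a read-only evaluation that, for each secret name, says whether a real value may flow, whether the workload should proceed on a synthetic contract double, or whether maturity is a real blocker. The M0 to M3 ordering, the classification-to-floor table, the record shapes and the sample inventory are assumptions made for illustration; the charter states the rule but no schema. It handles names and metadata only, never secret values, and its verdict is evidence rather than enforcement, which stays with flex-auth.

```python
"""Added example (not ops-warden's own code): a read-only evaluation of the
secret-flow lattice from the charter.  The M0..M3 ordering, the
classification-to-floor table and the record shapes below are assumptions
made for illustration; the charter only states the rule, not a schema."""
from dataclasses import dataclass
from enum import IntEnum


class Maturity(IntEnum):
    """Workload maturity levels; higher means eligible for more sensitive data."""
    M0 = 0
    M1 = 1
    M2 = 2
    M3 = 3


POSTURES = ("dev", "test", "prod")  # environment posture axis

# ASSUMED table: the charter says a secret's data classification implies a
# maturity floor but does not publish the mapping, so these are placeholders.
CLASSIFICATION_FLOOR = {
    "public": Maturity.M0,
    "internal": Maturity.M1,
    "confidential": Maturity.M2,
    "restricted": Maturity.M3,
}


@dataclass(frozen=True)
class Secret:
    name: str                     # secret *name* only; values stay in the store
    required_maturity: Maturity
    classification: str


@dataclass(frozen=True)
class Workload:
    name: str
    posture: str                  # "dev" | "test" | "prod"
    maturity: Maturity


@dataclass(frozen=True)
class Verdict:
    real_value_may_flow: bool     # all three lattice conditions hold
    use_contract_double: bool     # non-prod: proceed with a synthetic double
    reasons: tuple                # named outcomes, metadata only


def effective_floor(secret: Secret) -> Maturity:
    """The stricter of the secret's own requirement and its classification floor."""
    return max(secret.required_maturity, CLASSIFICATION_FLOOR[secret.classification])


def evaluate(workload: Workload, secret: Secret) -> Verdict:
    """Apply the lattice: prod posture AND maturity >= required AND maturity >= floor."""
    if workload.posture not in POSTURES:
        raise ValueError(f"unknown posture {workload.posture!r}")
    floor = effective_floor(secret)
    reasons = []
    if workload.maturity < floor:
        reasons.append(
            f"maturity {workload.maturity.name} below required {floor.name} "
            f"(required_maturity={secret.required_maturity.name}, "
            f"classification={secret.classification})"
        )
    if workload.posture != "prod":
        # dev/test never receives a real value; work proceeds on a synthetic double
        reasons.append(f"{workload.posture} posture: use synthetic contract double")
        return Verdict(False, True, tuple(reasons))
    if reasons:
        # prod, but maturity is short: a real blocker until workload/design changes
        return Verdict(False, False, tuple(reasons))
    reasons.append("prod posture; maturity meets requirement and classification floor")
    return Verdict(True, False, tuple(reasons))


def conformance_report(workload: Workload, secrets) -> dict:
    """Read-only evidence: one verdict per secret name, never a secret value."""
    return {s.name: evaluate(workload, s) for s in secrets}


# Constructed sample inventory for the demonstration (not a real inventory).
SAMPLE_SECRETS = (
    Secret("db-password", Maturity.M2, "confidential"),
    Secret("issuer-signing-key", Maturity.M1, "restricted"),  # floor lifts it to M3
    Secret("feature-flag", Maturity.M0, "public"),
)

if __name__ == "__main__":
    for wl in (Workload("api", "dev", Maturity.M1),
               Workload("api", "prod", Maturity.M2),
               Workload("api", "prod", Maturity.M3)):
        for name, v in conformance_report(wl, SAMPLE_SECRETS).items():
            print(f"{wl.posture}/{wl.maturity.name} {name}: real={v.real_value_may_flow} "
                  f"double={v.use_contract_double} {'; '.join(v.reasons)}")
```

The effective floor is the maximum of the secret's own required_maturity and the floor its classification implies, so a secret with a low explicit requirement but a restricted classification still demands M3; in non-prod posture the maturity gap is recorded but the outcome is a contract double rather than a block, matching the first and third outcomes listed above.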

Follow-up

WARDEN-WP-0015 continues with the read-only conformance checker, dev-tier contract doubles, and coordinated canon landing in net-kingdom and info-tech-canon.