Refine security blocker posture review
This commit is contained in:
42
docs/ops-warden-secret-posture-review.md
Normal file
42
docs/ops-warden-secret-posture-review.md
Normal file
@@ -0,0 +1,42 @@
|
||||
# ops-warden Secret Posture Review
|
||||
|
||||
Date: 2026-06-27
|
||||
Owner: the-custodian coordination; ops-warden owns the source standard.
|
||||
|
||||
## Review Outcome
|
||||
|
||||
ops-warden is moving from a simple "SSH certs plus route pointers" surface to a
|
||||
more useful access and conformance steward:
|
||||
|
||||
- it still directly issues only the SSH certificate lane;
|
||||
- it routes other credential needs to their owning subsystem;
|
||||
- `warden access` may advise or proxy `exec_capable` lanes as the caller, without
|
||||
storing values or becoming a secret broker;
|
||||
- WARDEN-WP-0015 adds workload security posture: `dev/test/prod` environment
|
||||
posture plus `M0-M3` workload maturity and a secret-flow lattice.
|
||||
|
||||
This helps CUST-WP-0051 because a security blocker can now be classified instead
|
||||
of left as a generic "credentials needed" stop.
|
||||
|
||||
## Blocker Refinement Rules
|
||||
|
||||
| Situation | CUST-WP-0051 action |
|
||||
| --- | --- |
|
||||
| Dev/test implementation needs a credential-shaped dependency | Use synthetic contract doubles; do not wait for production secrets. |
|
||||
| Production smoke needs a real value | Route to the owner, collect non-secret evidence, and keep the value out of Codex-visible surfaces. |
|
||||
| Route is `exec_capable` | Prefer `warden access --fetch/--exec` as the caller over copy/paste handling. |
|
||||
| Workload maturity is below the secret requirement | Keep the blocker; resolve by maturity advancement, policy/design change, or avoiding the secret. |
|
||||
| OpenBao unseal, break-glass, or issuer custody is unresolved | Keep as operator ceremony/design blocker. |
|
||||
|
||||
## Current CUST-WP-0051 Read
|
||||
|
||||
| Gate | Refined blocker |
|
||||
| --- | --- |
|
||||
| Ops-hub runtime `OPS_HUB_KEY` | Production real-value custody gate; implementation is not blocked, live smoke is. |
|
||||
| Inter-Hub ops-hub bootstrap | Access/custody gate with an attended execution path; no need to request secret values from ops-warden. |
|
||||
| activity-core -> issue-core | Production API key injection/evidence gate; route is known through `activity-core-issue-sink`. |
|
||||
| OpenBao unseal/helper | M3-style ceremony gate; operator design remains required. |
|
||||
| Forgejo production migration | Production readiness gate spanning credentials, recovery drills, and cutover approval. |
|
||||
|
||||
Evidence stays non-secret: route id, owner, posture, maturity, policy decision id,
|
||||
OpenBao path/version, populated-key count, smoke id, token accessor, or drill id.
|
||||
Reference in New Issue
Block a user