Add small SaaS profile proof

This commit is contained in:
2026-05-23 04:26:28 +02:00
parent 79e4d10b68
commit 6351ebc627
40 changed files with 1696 additions and 54 deletions

View File

@@ -5,7 +5,7 @@
This brief summarizes the current canon service surface for agents.
- Infospace slug: `canon`
- Artifact count: 15
- Artifact count: 29
- Primary confidence command: `make validate`
- Refresh generated indexes and views with: `make index`

View File

@@ -224,3 +224,252 @@ artifacts:
target: model/task
- type: imports
target: standard/tagging
- id: profile/small-saas
path: profiles/small-saas/profile.yaml
kind: profile
title: Small SaaS System Profile
provenance:
source_path: infospace/profiles/small-saas/profile.yaml
profile: small-saas
placement_workplan: ITC-WP-0004
relationships:
- type: conforms_to
target: kernel/itc-core
- type: requires
target: model/landscape
- type: requires
target: model/organization
- type: requires
target: model/governance
- type: requires
target: model/access-control
- type: requires
target: model/security
- type: requires
target: model/data
- type: requires
target: model/devsecops
- type: requires
target: model/network
- type: requires
target: model/observability
- type: requires
target: model/task
- type: requires
target: standard/tagging
- type: requires
target: standard/caring
- id: small-saas/service/billing-portal
path: profiles/small-saas/artifacts/service.billing-portal.yaml
kind: profile-artifact
title: Billing Portal Service
provenance:
profile: small-saas
placement_workplan: ITC-WP-0004
relationships:
- type: instantiates
target: profile/small-saas
- type: uses
target: model/landscape
- type: part_of
target: small-saas/system/billing-system
- type: owned_by
target: small-saas/team/platform
- id: small-saas/system/billing-system
path: profiles/small-saas/artifacts/system.billing-system.yaml
kind: profile-artifact
title: Small SaaS Billing System
provenance:
profile: small-saas
placement_workplan: ITC-WP-0004
relationships:
- type: instantiates
target: profile/small-saas
- type: uses
target: model/landscape
- type: serves
target: small-saas/tenant/acme
- type: serves
target: small-saas/tenant/globex
- id: small-saas/tenant/acme
path: profiles/small-saas/artifacts/tenant.acme.yaml
kind: profile-artifact
title: Acme Tenant
provenance:
profile: small-saas
placement_workplan: ITC-WP-0004
relationships:
- type: instantiates
target: profile/small-saas
- type: uses
target: model/organization
- type: represented_by
target: small-saas/user/ada-admin
- type: isolated_by
target: small-saas/control/namespace-per-tenant
- id: small-saas/tenant/globex
path: profiles/small-saas/artifacts/tenant.globex.yaml
kind: profile-artifact
title: Globex Tenant
provenance:
profile: small-saas
placement_workplan: ITC-WP-0004
relationships:
- type: instantiates
target: profile/small-saas
- type: uses
target: model/organization
- type: isolated_by
target: small-saas/control/namespace-per-tenant
- id: small-saas/user/ada-admin
path: profiles/small-saas/artifacts/user.ada-admin.yaml
kind: profile-artifact
title: Ada Admin
provenance:
profile: small-saas
placement_workplan: ITC-WP-0004
relationships:
- type: instantiates
target: profile/small-saas
- type: uses
target: model/organization
- type: uses
target: model/access-control
- type: member_of
target: small-saas/team/platform
- type: has_access_under
target: small-saas/policy/tenant-isolation
- type: access_evidenced_by
target: small-saas/evidence/access-review-2026-05
- id: small-saas/team/platform
path: profiles/small-saas/artifacts/team.platform.yaml
kind: profile-artifact
title: Platform Team
provenance:
profile: small-saas
placement_workplan: ITC-WP-0004
relationships:
- type: instantiates
target: profile/small-saas
- type: uses
target: model/organization
- id: small-saas/dataset/subscription-ledger
path: profiles/small-saas/artifacts/dataset.subscription-ledger.yaml
kind: profile-artifact
title: Subscription Ledger Dataset
provenance:
profile: small-saas
placement_workplan: ITC-WP-0004
relationships:
- type: instantiates
target: profile/small-saas
- type: uses
target: model/data
- type: owned_by
target: small-saas/service/billing-portal
- type: partitioned_for
target: small-saas/tenant/acme
- type: partitioned_for
target: small-saas/tenant/globex
- type: governed_by
target: small-saas/policy/tenant-isolation
- id: small-saas/deployment/production
path: profiles/small-saas/artifacts/deployment.production.yaml
kind: profile-artifact
title: Production Deployment
provenance:
profile: small-saas
placement_workplan: ITC-WP-0004
relationships:
- type: instantiates
target: profile/small-saas
- type: uses
target: model/devsecops
- type: uses
target: model/network
- type: deploys
target: small-saas/service/billing-portal
- type: separates
target: small-saas/tenant/acme
- type: separates
target: small-saas/tenant/globex
- type: implements
target: small-saas/control/namespace-per-tenant
- id: small-saas/task/onboard-tenant
path: profiles/small-saas/artifacts/task.onboard-tenant.yaml
kind: profile-artifact
title: Onboard Tenant
provenance:
profile: small-saas
placement_workplan: ITC-WP-0004
relationships:
- type: instantiates
target: profile/small-saas
- type: uses
target: model/task
- type: owned_by
target: small-saas/team/platform
- type: changes
target: small-saas/tenant/acme
- type: governed_by
target: small-saas/policy/tenant-isolation
- id: small-saas/policy/tenant-isolation
path: profiles/small-saas/artifacts/policy.tenant-isolation.yaml
kind: profile-artifact
title: Tenant Isolation Policy
provenance:
profile: small-saas
placement_workplan: ITC-WP-0004
relationships:
- type: instantiates
target: profile/small-saas
- type: uses
target: model/governance
- type: requires
target: small-saas/control/namespace-per-tenant
- type: evidenced_by
target: small-saas/evidence/access-review-2026-05
- id: small-saas/control/namespace-per-tenant
path: profiles/small-saas/artifacts/control.namespace-per-tenant.yaml
kind: profile-artifact
title: Namespace Per Tenant Control
provenance:
profile: small-saas
placement_workplan: ITC-WP-0004
relationships:
- type: instantiates
target: profile/small-saas
- type: uses
target: model/security
- type: uses
target: standard/caring
- type: evidenced_by
target: small-saas/evidence/access-review-2026-05
- id: small-saas/evidence/access-review-2026-05
path: profiles/small-saas/artifacts/evidence.access-review-2026-05.yaml
kind: profile-artifact
title: Access Review 2026-05
provenance:
profile: small-saas
placement_workplan: ITC-WP-0004
relationships:
- type: instantiates
target: profile/small-saas
- type: uses
target: model/observability
- id: small-saas/incident/cross-tenant-access-attempt
path: profiles/small-saas/artifacts/incident.cross-tenant-access-attempt.yaml
kind: profile-artifact
title: Cross-Tenant Access Attempt
provenance:
profile: small-saas
placement_workplan: ITC-WP-0004
relationships:
- type: instantiates
target: profile/small-saas
- type: uses
target: model/security
- type: constrained_by
target: small-saas/control/namespace-per-tenant
- type: evidenced_by
target: small-saas/evidence/access-review-2026-05

View File

@@ -0,0 +1,14 @@
# Small SaaS Example
This example is the first executable profile proof for InfoTechCanon. It
models a compact tenant-aware SaaS service with ownership, tenants, users,
access grants, data partitioning, deployment, governance policy, evidence, and
incident handling.
Useful commands:
```bash
PYTHONPATH=src python3 -m info_tech_canon profile inspect small-saas
PYTHONPATH=src python3 -m info_tech_canon profile validate small-saas
PYTHONPATH=src python3 -m info_tech_canon profile graph small-saas
```

View File

@@ -0,0 +1,29 @@
profile: small-saas
commands:
inspect:
argv:
- PYTHONPATH=src
- python3
- -m
- info_tech_canon
- profile
- inspect
- small-saas
validate:
argv:
- PYTHONPATH=src
- python3
- -m
- info_tech_canon
- profile
- validate
- small-saas
graph:
argv:
- PYTHONPATH=src
- python3
- -m
- info_tech_canon
- profile
- graph
- small-saas

View File

@@ -1,5 +1,5 @@
root: infospace
file_count: 50
file_count: 67
files:
- path: README.md
directory: .
@@ -19,6 +19,12 @@ files:
- path: examples/README.md
directory: examples
name: README.md
- path: examples/small-saas/README.md
directory: examples/small-saas
name: README.md
- path: examples/small-saas/demo-commands.yaml
directory: examples/small-saas
name: demo-commands.yaml
- path: indexes/README.md
directory: indexes
name: README.md
@@ -82,9 +88,54 @@ files:
- path: profiles/README.md
directory: profiles
name: README.md
- path: profiles/small-saas/artifacts/control.namespace-per-tenant.yaml
directory: profiles/small-saas/artifacts
name: control.namespace-per-tenant.yaml
- path: profiles/small-saas/artifacts/dataset.subscription-ledger.yaml
directory: profiles/small-saas/artifacts
name: dataset.subscription-ledger.yaml
- path: profiles/small-saas/artifacts/deployment.production.yaml
directory: profiles/small-saas/artifacts
name: deployment.production.yaml
- path: profiles/small-saas/artifacts/evidence.access-review-2026-05.yaml
directory: profiles/small-saas/artifacts
name: evidence.access-review-2026-05.yaml
- path: profiles/small-saas/artifacts/incident.cross-tenant-access-attempt.yaml
directory: profiles/small-saas/artifacts
name: incident.cross-tenant-access-attempt.yaml
- path: profiles/small-saas/artifacts/policy.tenant-isolation.yaml
directory: profiles/small-saas/artifacts
name: policy.tenant-isolation.yaml
- path: profiles/small-saas/artifacts/service.billing-portal.yaml
directory: profiles/small-saas/artifacts
name: service.billing-portal.yaml
- path: profiles/small-saas/artifacts/system.billing-system.yaml
directory: profiles/small-saas/artifacts
name: system.billing-system.yaml
- path: profiles/small-saas/artifacts/task.onboard-tenant.yaml
directory: profiles/small-saas/artifacts
name: task.onboard-tenant.yaml
- path: profiles/small-saas/artifacts/team.platform.yaml
directory: profiles/small-saas/artifacts
name: team.platform.yaml
- path: profiles/small-saas/artifacts/tenant.acme.yaml
directory: profiles/small-saas/artifacts
name: tenant.acme.yaml
- path: profiles/small-saas/artifacts/tenant.globex.yaml
directory: profiles/small-saas/artifacts
name: tenant.globex.yaml
- path: profiles/small-saas/artifacts/user.ada-admin.yaml
directory: profiles/small-saas/artifacts
name: user.ada-admin.yaml
- path: profiles/small-saas/profile.yaml
directory: profiles/small-saas
name: profile.yaml
- path: reports/scaffold-placement.md
directory: reports
name: scaffold-placement.md
- path: reports/small-saas-profile-proof.md
directory: reports
name: small-saas-profile-proof.md
- path: schemas/README.md
directory: schemas
name: README.md

View File

@@ -1,4 +1,4 @@
concept_count: 30
concept_count: 44
concepts:
- concept: InfoTechCanon Core
owner: kernel/itc-core
@@ -52,6 +52,62 @@ concepts:
owner: model/task
path: models/task/InfoTechCanonTaskModel.md
source: artifact_title
- concept: Small SaaS System Profile
owner: profile/small-saas
path: profiles/small-saas/profile.yaml
source: artifact_title
- concept: Namespace Per Tenant Control
owner: small-saas/control/namespace-per-tenant
path: profiles/small-saas/artifacts/control.namespace-per-tenant.yaml
source: artifact_title
- concept: Subscription Ledger Dataset
owner: small-saas/dataset/subscription-ledger
path: profiles/small-saas/artifacts/dataset.subscription-ledger.yaml
source: artifact_title
- concept: Production Deployment
owner: small-saas/deployment/production
path: profiles/small-saas/artifacts/deployment.production.yaml
source: artifact_title
- concept: Access Review 2026-05
owner: small-saas/evidence/access-review-2026-05
path: profiles/small-saas/artifacts/evidence.access-review-2026-05.yaml
source: artifact_title
- concept: Cross-Tenant Access Attempt
owner: small-saas/incident/cross-tenant-access-attempt
path: profiles/small-saas/artifacts/incident.cross-tenant-access-attempt.yaml
source: artifact_title
- concept: Tenant Isolation Policy
owner: small-saas/policy/tenant-isolation
path: profiles/small-saas/artifacts/policy.tenant-isolation.yaml
source: artifact_title
- concept: Billing Portal Service
owner: small-saas/service/billing-portal
path: profiles/small-saas/artifacts/service.billing-portal.yaml
source: artifact_title
- concept: Small SaaS Billing System
owner: small-saas/system/billing-system
path: profiles/small-saas/artifacts/system.billing-system.yaml
source: artifact_title
- concept: Onboard Tenant
owner: small-saas/task/onboard-tenant
path: profiles/small-saas/artifacts/task.onboard-tenant.yaml
source: artifact_title
- concept: Platform Team
owner: small-saas/team/platform
path: profiles/small-saas/artifacts/team.platform.yaml
source: artifact_title
- concept: Acme Tenant
owner: small-saas/tenant/acme
path: profiles/small-saas/artifacts/tenant.acme.yaml
source: artifact_title
- concept: Globex Tenant
owner: small-saas/tenant/globex
path: profiles/small-saas/artifacts/tenant.globex.yaml
source: artifact_title
- concept: Ada Admin
owner: small-saas/user/ada-admin
path: profiles/small-saas/artifacts/user.ada-admin.yaml
source: artifact_title
- concept: InfoTechCanon CARING Access Governance Standard
owner: standard/caring
path: standards/caring/InfoTechCanonCaringAccessGovernanceStandard.md

View File

@@ -12,6 +12,20 @@ artifacts:
- model/organization
- model/security
- model/task
- profile/small-saas
- small-saas/control/namespace-per-tenant
- small-saas/dataset/subscription-ledger
- small-saas/deployment/production
- small-saas/evidence/access-review-2026-05
- small-saas/incident/cross-tenant-access-attempt
- small-saas/policy/tenant-isolation
- small-saas/service/billing-portal
- small-saas/system/billing-system
- small-saas/task/onboard-tenant
- small-saas/team/platform
- small-saas/tenant/acme
- small-saas/tenant/globex
- small-saas/user/ada-admin
- standard/caring
- standard/tagging
rows:
@@ -105,6 +119,170 @@ rows:
targets:
kernel/itc-core:
- conforms_to
- artifact: profile/small-saas
targets:
kernel/itc-core:
- conforms_to
model/access-control:
- requires
model/data:
- requires
model/devsecops:
- requires
model/governance:
- requires
model/landscape:
- requires
model/network:
- requires
model/observability:
- requires
model/organization:
- requires
model/security:
- requires
model/task:
- requires
standard/caring:
- requires
standard/tagging:
- requires
- artifact: small-saas/control/namespace-per-tenant
targets:
model/security:
- uses
profile/small-saas:
- instantiates
small-saas/evidence/access-review-2026-05:
- evidenced_by
standard/caring:
- uses
- artifact: small-saas/dataset/subscription-ledger
targets:
model/data:
- uses
profile/small-saas:
- instantiates
small-saas/policy/tenant-isolation:
- governed_by
small-saas/service/billing-portal:
- owned_by
small-saas/tenant/acme:
- partitioned_for
small-saas/tenant/globex:
- partitioned_for
- artifact: small-saas/deployment/production
targets:
model/devsecops:
- uses
model/network:
- uses
profile/small-saas:
- instantiates
small-saas/control/namespace-per-tenant:
- implements
small-saas/service/billing-portal:
- deploys
small-saas/tenant/acme:
- separates
small-saas/tenant/globex:
- separates
- artifact: small-saas/evidence/access-review-2026-05
targets:
model/observability:
- uses
profile/small-saas:
- instantiates
- artifact: small-saas/incident/cross-tenant-access-attempt
targets:
model/security:
- uses
profile/small-saas:
- instantiates
small-saas/control/namespace-per-tenant:
- constrained_by
small-saas/evidence/access-review-2026-05:
- evidenced_by
- artifact: small-saas/policy/tenant-isolation
targets:
model/governance:
- uses
profile/small-saas:
- instantiates
small-saas/control/namespace-per-tenant:
- requires
small-saas/evidence/access-review-2026-05:
- evidenced_by
- artifact: small-saas/service/billing-portal
targets:
model/landscape:
- uses
profile/small-saas:
- instantiates
small-saas/system/billing-system:
- part_of
small-saas/team/platform:
- owned_by
- artifact: small-saas/system/billing-system
targets:
model/landscape:
- uses
profile/small-saas:
- instantiates
small-saas/tenant/acme:
- serves
small-saas/tenant/globex:
- serves
- artifact: small-saas/task/onboard-tenant
targets:
model/task:
- uses
profile/small-saas:
- instantiates
small-saas/policy/tenant-isolation:
- governed_by
small-saas/team/platform:
- owned_by
small-saas/tenant/acme:
- changes
- artifact: small-saas/team/platform
targets:
model/organization:
- uses
profile/small-saas:
- instantiates
- artifact: small-saas/tenant/acme
targets:
model/organization:
- uses
profile/small-saas:
- instantiates
small-saas/control/namespace-per-tenant:
- isolated_by
small-saas/user/ada-admin:
- represented_by
- artifact: small-saas/tenant/globex
targets:
model/organization:
- uses
profile/small-saas:
- instantiates
small-saas/control/namespace-per-tenant:
- isolated_by
- artifact: small-saas/user/ada-admin
targets:
model/access-control:
- uses
model/organization:
- uses
profile/small-saas:
- instantiates
small-saas/evidence/access-review-2026-05:
- access_evidenced_by
small-saas/policy/tenant-isolation:
- has_access_under
small-saas/team/platform:
- member_of
- artifact: standard/caring
targets:
kernel/itc-core:

View File

@@ -0,0 +1,14 @@
id: small-saas/control/namespace-per-tenant
kind: control
title: Namespace Per Tenant Control
profile: small-saas
policy_id: small-saas/policy/tenant-isolation
claim: Every production tenant has a distinct runtime namespace and data partition.
control_type: preventive
evidence_ids:
- small-saas/evidence/access-review-2026-05
relationships:
- type: satisfies
target: small-saas/policy/tenant-isolation
- type: evidenced_by
target: small-saas/evidence/access-review-2026-05

View File

@@ -0,0 +1,21 @@
id: small-saas/dataset/subscription-ledger
kind: dataset
title: Subscription Ledger Dataset
profile: small-saas
owner_service: small-saas/service/billing-portal
classification: customer-confidential
tenant_scope: per-tenant
tenant_ids:
- small-saas/tenant/acme
- small-saas/tenant/globex
evidence_ids:
- small-saas/evidence/access-review-2026-05
relationships:
- type: owned_by
target: small-saas/service/billing-portal
- type: partitioned_for
target: small-saas/tenant/acme
- type: partitioned_for
target: small-saas/tenant/globex
- type: governed_by
target: small-saas/policy/tenant-isolation

View File

@@ -0,0 +1,22 @@
id: small-saas/deployment/production
kind: deployment
title: Production Deployment
profile: small-saas
service_id: small-saas/service/billing-portal
environment: production
namespace_strategy: namespace-per-tenant
tenant_namespaces:
small-saas/tenant/acme: tenant-acme
small-saas/tenant/globex: tenant-globex
network_exposure: public-ingress-authenticated
evidence_ids:
- small-saas/evidence/access-review-2026-05
relationships:
- type: deploys
target: small-saas/service/billing-portal
- type: separates
target: small-saas/tenant/acme
- type: separates
target: small-saas/tenant/globex
- type: implements
target: small-saas/control/namespace-per-tenant

View File

@@ -0,0 +1,18 @@
id: small-saas/evidence/access-review-2026-05
kind: evidence
title: Access Review 2026-05
profile: small-saas
evidence_type: review-record
date: "2026-05-23"
supports:
- small-saas/service/billing-portal
- small-saas/policy/tenant-isolation
- small-saas/control/namespace-per-tenant
- small-saas/incident/cross-tenant-access-attempt
relationships:
- type: supports
target: small-saas/policy/tenant-isolation
- type: supports
target: small-saas/control/namespace-per-tenant
- type: supports
target: small-saas/incident/cross-tenant-access-attempt

View File

@@ -0,0 +1,15 @@
id: small-saas/incident/cross-tenant-access-attempt
kind: incident
title: Cross-Tenant Access Attempt
profile: small-saas
status: resolved
tenant_id: small-saas/tenant/acme
control_ids:
- small-saas/control/namespace-per-tenant
evidence_ids:
- small-saas/evidence/access-review-2026-05
relationships:
- type: constrained_by
target: small-saas/control/namespace-per-tenant
- type: evidenced_by
target: small-saas/evidence/access-review-2026-05

View File

@@ -0,0 +1,15 @@
id: small-saas/policy/tenant-isolation
kind: policy
title: Tenant Isolation Policy
profile: small-saas
scope: service-and-data-plane
statement: Tenant requests, namespaces, access grants, and data partitions must not cross tenant boundaries.
control_ids:
- small-saas/control/namespace-per-tenant
evidence_ids:
- small-saas/evidence/access-review-2026-05
relationships:
- type: requires
target: small-saas/control/namespace-per-tenant
- type: evidenced_by
target: small-saas/evidence/access-review-2026-05

View File

@@ -0,0 +1,28 @@
id: small-saas/service/billing-portal
kind: service
title: Billing Portal Service
profile: small-saas
system_id: small-saas/system/billing-system
owner_team: small-saas/team/platform
runtime_deployment: small-saas/deployment/production
datasets:
- small-saas/dataset/subscription-ledger
controls:
- small-saas/control/namespace-per-tenant
policies:
- small-saas/policy/tenant-isolation
evidence_ids:
- small-saas/evidence/access-review-2026-05
relationships:
- type: part_of
target: small-saas/system/billing-system
- type: owned_by
target: small-saas/team/platform
- type: stores
target: small-saas/dataset/subscription-ledger
- type: deployed_as
target: small-saas/deployment/production
- type: governed_by
target: small-saas/policy/tenant-isolation
- type: protected_by
target: small-saas/control/namespace-per-tenant

View File

@@ -0,0 +1,17 @@
id: small-saas/system/billing-system
kind: system
title: Small SaaS Billing System
profile: small-saas
service_ids:
- small-saas/service/billing-portal
tenant_ids:
- small-saas/tenant/acme
- small-saas/tenant/globex
owner_team: small-saas/team/platform
relationships:
- type: includes
target: small-saas/service/billing-portal
- type: serves
target: small-saas/tenant/acme
- type: serves
target: small-saas/tenant/globex

View File

@@ -0,0 +1,16 @@
id: small-saas/task/onboard-tenant
kind: task
title: Onboard Tenant
profile: small-saas
owner_team: small-saas/team/platform
status: ready
target_tenant: small-saas/tenant/acme
evidence_ids:
- small-saas/evidence/access-review-2026-05
relationships:
- type: owned_by
target: small-saas/team/platform
- type: changes
target: small-saas/tenant/acme
- type: governed_by
target: small-saas/policy/tenant-isolation

View File

@@ -0,0 +1,14 @@
id: small-saas/team/platform
kind: team
title: Platform Team
profile: small-saas
owner_user: small-saas/user/ada-admin
responsibilities:
- service ownership
- tenant onboarding
- access review
relationships:
- type: owns
target: small-saas/service/billing-portal
- type: performs
target: small-saas/task/onboard-tenant

View File

@@ -0,0 +1,12 @@
id: small-saas/tenant/acme
kind: tenant
title: Acme Tenant
profile: small-saas
namespace: tenant-acme
data_partition: subscription-ledger:tenant=acme
primary_user: small-saas/user/ada-admin
relationships:
- type: represented_by
target: small-saas/user/ada-admin
- type: isolated_by
target: small-saas/control/namespace-per-tenant

View File

@@ -0,0 +1,9 @@
id: small-saas/tenant/globex
kind: tenant
title: Globex Tenant
profile: small-saas
namespace: tenant-globex
data_partition: subscription-ledger:tenant=globex
relationships:
- type: isolated_by
target: small-saas/control/namespace-per-tenant

View File

@@ -0,0 +1,19 @@
id: small-saas/user/ada-admin
kind: user
title: Ada Admin
profile: small-saas
person_type: human
teams:
- small-saas/team/platform
access_grants:
- role: tenant-admin
tenant_id: small-saas/tenant/acme
policy_id: small-saas/policy/tenant-isolation
evidence_id: small-saas/evidence/access-review-2026-05
relationships:
- type: member_of
target: small-saas/team/platform
- type: has_access_under
target: small-saas/policy/tenant-isolation
- type: access_evidenced_by
target: small-saas/evidence/access-review-2026-05

View File

@@ -0,0 +1,112 @@
id: small-saas
kind: profile
profile: small-saas
title: Small SaaS System Profile
scope: A compact tenant-aware SaaS service with users, teams, data, access, deployment, governance evidence, and incident handling.
status: proof
conformance_level: profile-proof
assumptions:
- The SaaS product has a single service boundary and two example tenants.
- Tenants are separated by namespace and data partitioning claims.
- User management is represented through users, teams, access grants, policies, controls, and evidence.
- Runtime concerns are represented by one production deployment.
required_standards:
- kernel/itc-core
- model/landscape
- model/organization
- model/governance
- model/task
- model/access-control
- model/security
- model/data
- model/devsecops
- model/network
- model/observability
- standard/tagging
- standard/caring
required_concepts:
service:
status: required
model: model/landscape
system:
status: required
model: model/landscape
tenant:
status: required
model: model/organization
user:
status: required
model: model/organization
team:
status: required
model: model/organization
dataset:
status: required
model: model/data
deployment:
status: required
model: model/devsecops
task:
status: required
model: model/task
policy:
status: required
model: model/governance
control:
status: required
model: model/security
evidence:
status: required
model: model/observability
incident:
status: required
model: model/security
optional_concepts:
billing-plan:
status: optional
model: model/data
notification:
status: optional
model: model/observability
out_of_scope:
- multi-region disaster recovery
- tenant-managed encryption keys
- marketplace billing integrations
artifact_ids:
- profile/small-saas
- small-saas/service/billing-portal
- small-saas/system/billing-system
- small-saas/tenant/acme
- small-saas/tenant/globex
- small-saas/user/ada-admin
- small-saas/team/platform
- small-saas/dataset/subscription-ledger
- small-saas/deployment/production
- small-saas/task/onboard-tenant
- small-saas/policy/tenant-isolation
- small-saas/control/namespace-per-tenant
- small-saas/evidence/access-review-2026-05
- small-saas/incident/cross-tenant-access-attempt
validation_rules:
required_artifact_kinds:
- service
- system
- tenant
- user
- team
- dataset
- deployment
- task
- policy
- control
- evidence
- incident
service_ownership: required
tenant_namespace_separation: required
user_management_trace: required
access_control_trace: required
governance_evidence: required
demo_commands:
- PYTHONPATH=src python3 -m info_tech_canon profile inspect small-saas
- PYTHONPATH=src python3 -m info_tech_canon profile validate small-saas
- PYTHONPATH=src python3 -m info_tech_canon profile graph small-saas

View File

@@ -0,0 +1,44 @@
# Small SaaS Profile Proof
**Workplan:** ITC-WP-0004
**Profile:** `small-saas`
**Status:** executable proof
## Purpose
The `small-saas` profile demonstrates that the canon can guide a practical
service shape before the larger CARING benchmark exists. It connects service
ownership, users, tenants, access, data, runtime, deployment, governance,
observability, and task tracking.
## Validation Surface
```bash
PYTHONPATH=src python3 -m info_tech_canon profile inspect small-saas
PYTHONPATH=src python3 -m info_tech_canon profile validate small-saas
PYTHONPATH=src python3 -m info_tech_canon profile graph small-saas
```
## Graph Slice
The profile graph includes the profile artifact, the small SaaS example
artifacts, and their direct canon anchors.
```mermaid
graph TD
profile_small_saas["profile/small-saas"] -->|conforms_to| core["kernel/itc-core"]
service["small-saas/service/billing-portal"] -->|part_of| system["small-saas/system/billing-system"]
service -->|owned_by| team["small-saas/team/platform"]
service -->|governed_by| policy["small-saas/policy/tenant-isolation"]
service -->|protected_by| control["small-saas/control/namespace-per-tenant"]
deployment["small-saas/deployment/production"] -->|separates| acme["small-saas/tenant/acme"]
deployment -->|separates| globex["small-saas/tenant/globex"]
user["small-saas/user/ada-admin"] -->|has_access_under| policy
policy -->|evidenced_by| evidence["small-saas/evidence/access-review-2026-05"]
incident["small-saas/incident/cross-tenant-access-attempt"] -->|constrained_by| control
```
## Result
The proof is suitable as a baseline for the upcoming `user-engine` evaluation
pack and for `railiance-fabric` entity/edge capture comparisons.

View File

@@ -1,14 +1,14 @@
{
"details": {
"artifact_count": 15,
"relationship_count": 45
"artifact_count": 29,
"relationship_count": 113
},
"errors": [],
"metrics": {
"coherence_components": 1.0,
"consistency_cycles": 0.0,
"coverage_ratio": 1.0,
"granularity_entropy": 1.103307408607834,
"granularity_entropy": 1.7490339557881076,
"redundancy_ratio": 0.0
},
"ok": true,
@@ -17,10 +17,6 @@
"code": "missing_optional_concepts_dir",
"path": "infospace/concepts"
},
{
"code": "empty_optional_collection",
"path": "infospace/profiles"
},
{
"code": "empty_optional_collection",
"path": "infospace/patterns"
@@ -32,10 +28,6 @@
{
"code": "empty_optional_collection",
"path": "infospace/assimilation"
},
{
"code": "empty_optional_collection",
"path": "infospace/examples"
}
]
}

View File

@@ -2,7 +2,7 @@
# By Concept
Concept count: **30**
Concept count: **44**
| Concept | Owner | Source |
| --- | --- | --- |
@@ -19,6 +19,20 @@ Concept count: **30**
| InfoTechCanon Organization Model | `model/organization` | `artifact_title` |
| InfoTechCanon Security Model | `model/security` | `artifact_title` |
| InfoTechCanon Task Model | `model/task` | `artifact_title` |
| Small SaaS System Profile | `profile/small-saas` | `artifact_title` |
| Namespace Per Tenant Control | `small-saas/control/namespace-per-tenant` | `artifact_title` |
| Subscription Ledger Dataset | `small-saas/dataset/subscription-ledger` | `artifact_title` |
| Production Deployment | `small-saas/deployment/production` | `artifact_title` |
| Access Review 2026-05 | `small-saas/evidence/access-review-2026-05` | `artifact_title` |
| Cross-Tenant Access Attempt | `small-saas/incident/cross-tenant-access-attempt` | `artifact_title` |
| Tenant Isolation Policy | `small-saas/policy/tenant-isolation` | `artifact_title` |
| Billing Portal Service | `small-saas/service/billing-portal` | `artifact_title` |
| Small SaaS Billing System | `small-saas/system/billing-system` | `artifact_title` |
| Onboard Tenant | `small-saas/task/onboard-tenant` | `artifact_title` |
| Platform Team | `small-saas/team/platform` | `artifact_title` |
| Acme Tenant | `small-saas/tenant/acme` | `artifact_title` |
| Globex Tenant | `small-saas/tenant/globex` | `artifact_title` |
| Ada Admin | `small-saas/user/ada-admin` | `artifact_title` |
| InfoTechCanon CARING Access Governance Standard | `standard/caring` | `artifact_title` |
| CARINGAccessDescriptor | `standard/caring` | `frontmatter.owned_concepts` |
| CARINGCanonicalRole | `standard/caring` | `frontmatter.owned_concepts` |

View File

@@ -16,6 +16,7 @@
- `model/organization` via `conforms_to`
- `model/security` via `conforms_to`
- `model/task` via `conforms_to`
- `profile/small-saas` via `conforms_to`
- `standard/caring` via `conforms_to`
- `standard/tagging` via `conforms_to`
@@ -23,16 +24,22 @@
- `kernel/itc-kernel-map` via `maps`
- `model/security` via `uses`
- `profile/small-saas` via `requires`
- `small-saas/user/ada-admin` via `uses`
- `standard/caring` via `imports`
## `model/data`
- `kernel/itc-kernel-map` via `maps`
- `profile/small-saas` via `requires`
- `small-saas/dataset/subscription-ledger` via `uses`
- `standard/caring` via `imports`
## `model/devsecops`
- `kernel/itc-kernel-map` via `maps`
- `profile/small-saas` via `requires`
- `small-saas/deployment/production` via `uses`
- `standard/caring` via `imports`
## `model/governance`
@@ -40,6 +47,8 @@
- `kernel/itc-kernel-map` via `maps`
- `model/access-control` via `uses`
- `model/data` via `uses`
- `profile/small-saas` via `requires`
- `small-saas/policy/tenant-isolation` via `uses`
- `standard/caring` via `imports`
## `model/information-space`
@@ -49,21 +58,33 @@
## `model/landscape`
- `kernel/itc-kernel-map` via `maps`
- `profile/small-saas` via `requires`
- `small-saas/service/billing-portal` via `uses`
- `small-saas/system/billing-system` via `uses`
## `model/network`
- `kernel/itc-kernel-map` via `maps`
- `profile/small-saas` via `requires`
- `small-saas/deployment/production` via `uses`
- `standard/caring` via `imports`
## `model/observability`
- `kernel/itc-kernel-map` via `maps`
- `profile/small-saas` via `requires`
- `small-saas/evidence/access-review-2026-05` via `uses`
- `standard/caring` via `imports`
## `model/organization`
- `kernel/itc-kernel-map` via `maps`
- `model/access-control` via `uses`
- `profile/small-saas` via `requires`
- `small-saas/team/platform` via `uses`
- `small-saas/tenant/acme` via `uses`
- `small-saas/tenant/globex` via `uses`
- `small-saas/user/ada-admin` via `uses`
- `standard/caring` via `imports`
## `model/security`
@@ -71,20 +92,97 @@
- `kernel/itc-kernel-map` via `maps`
- `model/devsecops` via `uses`
- `model/network` via `uses`
- `profile/small-saas` via `requires`
- `small-saas/control/namespace-per-tenant` via `uses`
- `small-saas/incident/cross-tenant-access-attempt` via `uses`
- `standard/caring` via `imports`
## `model/task`
- `kernel/itc-kernel-map` via `maps`
- `model/observability` via `uses`
- `profile/small-saas` via `requires`
- `small-saas/task/onboard-tenant` via `uses`
- `standard/caring` via `imports`
- `standard/tagging` via `imports`
## `profile/small-saas`
- `small-saas/control/namespace-per-tenant` via `instantiates`
- `small-saas/dataset/subscription-ledger` via `instantiates`
- `small-saas/deployment/production` via `instantiates`
- `small-saas/evidence/access-review-2026-05` via `instantiates`
- `small-saas/incident/cross-tenant-access-attempt` via `instantiates`
- `small-saas/policy/tenant-isolation` via `instantiates`
- `small-saas/service/billing-portal` via `instantiates`
- `small-saas/system/billing-system` via `instantiates`
- `small-saas/task/onboard-tenant` via `instantiates`
- `small-saas/team/platform` via `instantiates`
- `small-saas/tenant/acme` via `instantiates`
- `small-saas/tenant/globex` via `instantiates`
- `small-saas/user/ada-admin` via `instantiates`
## `small-saas/control/namespace-per-tenant`
- `small-saas/deployment/production` via `implements`
- `small-saas/incident/cross-tenant-access-attempt` via `constrained_by`
- `small-saas/policy/tenant-isolation` via `requires`
- `small-saas/tenant/acme` via `isolated_by`
- `small-saas/tenant/globex` via `isolated_by`
## `small-saas/evidence/access-review-2026-05`
- `small-saas/control/namespace-per-tenant` via `evidenced_by`
- `small-saas/incident/cross-tenant-access-attempt` via `evidenced_by`
- `small-saas/policy/tenant-isolation` via `evidenced_by`
- `small-saas/user/ada-admin` via `access_evidenced_by`
## `small-saas/policy/tenant-isolation`
- `small-saas/dataset/subscription-ledger` via `governed_by`
- `small-saas/task/onboard-tenant` via `governed_by`
- `small-saas/user/ada-admin` via `has_access_under`
## `small-saas/service/billing-portal`
- `small-saas/dataset/subscription-ledger` via `owned_by`
- `small-saas/deployment/production` via `deploys`
## `small-saas/system/billing-system`
- `small-saas/service/billing-portal` via `part_of`
## `small-saas/team/platform`
- `small-saas/service/billing-portal` via `owned_by`
- `small-saas/task/onboard-tenant` via `owned_by`
- `small-saas/user/ada-admin` via `member_of`
## `small-saas/tenant/acme`
- `small-saas/dataset/subscription-ledger` via `partitioned_for`
- `small-saas/deployment/production` via `separates`
- `small-saas/system/billing-system` via `serves`
- `small-saas/task/onboard-tenant` via `changes`
## `small-saas/tenant/globex`
- `small-saas/dataset/subscription-ledger` via `partitioned_for`
- `small-saas/deployment/production` via `separates`
- `small-saas/system/billing-system` via `serves`
## `small-saas/user/ada-admin`
- `small-saas/tenant/acme` via `represented_by`
## `standard/caring`
- `kernel/itc-kernel-map` via `maps`
- `profile/small-saas` via `requires`
- `small-saas/control/namespace-per-tenant` via `uses`
## `standard/tagging`
- `kernel/itc-kernel-map` via `maps`
- `profile/small-saas` via `requires`
- `standard/caring` via `imports`

View File

@@ -2,4 +2,6 @@
# By Profile
No profiles have been registered yet.
## small-saas
- Path: `profiles/small-saas/profile.yaml`

View File

@@ -2,20 +2,34 @@
# Import Matrix
| Artifact | `kernel/itc-core` | `kernel/itc-kernel-map` | `model/access-control` | `model/data` | `model/devsecops` | `model/governance` | `model/information-space` | `model/landscape` | `model/network` | `model/observability` | `model/organization` | `model/security` | `model/task` | `standard/caring` | `standard/tagging` |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| `kernel/itc-core` | | | | | | | | | | | | | | | |
| `kernel/itc-kernel-map` | `maps` | | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` |
| `model/access-control` | `conforms_to` | | | | | `uses` | | | | | `uses` | | | | |
| `model/data` | `conforms_to` | | | | | `uses` | | | | | | | | | |
| `model/devsecops` | `conforms_to` | | | | | | | | | | | `uses` | | | |
| `model/governance` | `conforms_to` | | | | | | | | | | | | | | |
| `model/information-space` | `conforms_to` | | | | | | | | | | | | | | |
| `model/landscape` | `conforms_to` | | | | | | | | | | | | | | |
| `model/network` | `conforms_to` | | | | | | | | | | | `uses` | | | |
| `model/observability` | `conforms_to` | | | | | | | | | | | | `uses` | | |
| `model/organization` | `conforms_to` | | | | | | | | | | | | | | |
| `model/security` | `conforms_to` | | `uses` | | | | | | | | | | | | |
| `model/task` | `conforms_to` | | | | | | | | | | | | | | |
| `standard/caring` | `conforms_to` | | `imports` | `imports` | `imports` | `imports` | | | `imports` | `imports` | `imports` | `imports` | `imports` | | `imports` |
| `standard/tagging` | `conforms_to` | | | | | | | | | | | | `imports` | | |
| Artifact | `kernel/itc-core` | `kernel/itc-kernel-map` | `model/access-control` | `model/data` | `model/devsecops` | `model/governance` | `model/information-space` | `model/landscape` | `model/network` | `model/observability` | `model/organization` | `model/security` | `model/task` | `profile/small-saas` | `small-saas/control/namespace-per-tenant` | `small-saas/dataset/subscription-ledger` | `small-saas/deployment/production` | `small-saas/evidence/access-review-2026-05` | `small-saas/incident/cross-tenant-access-attempt` | `small-saas/policy/tenant-isolation` | `small-saas/service/billing-portal` | `small-saas/system/billing-system` | `small-saas/task/onboard-tenant` | `small-saas/team/platform` | `small-saas/tenant/acme` | `small-saas/tenant/globex` | `small-saas/user/ada-admin` | `standard/caring` | `standard/tagging` |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| `kernel/itc-core` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `kernel/itc-kernel-map` | `maps` | | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | | | | | | | | | | | | | | | `maps` | `maps` |
| `model/access-control` | `conforms_to` | | | | | `uses` | | | | | `uses` | | | | | | | | | | | | | | | | | | |
| `model/data` | `conforms_to` | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | |
| `model/devsecops` | `conforms_to` | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | |
| `model/governance` | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `model/information-space` | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `model/landscape` | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `model/network` | `conforms_to` | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | |
| `model/observability` | `conforms_to` | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | |
| `model/organization` | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `model/security` | `conforms_to` | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `model/task` | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `profile/small-saas` | `conforms_to` | | `requires` | `requires` | `requires` | `requires` | | `requires` | `requires` | `requires` | `requires` | `requires` | `requires` | | | | | | | | | | | | | | | `requires` | `requires` |
| `small-saas/control/namespace-per-tenant` | | | | | | | | | | | | `uses` | | `instantiates` | | | | `evidenced_by` | | | | | | | | | | `uses` | |
| `small-saas/dataset/subscription-ledger` | | | | `uses` | | | | | | | | | | `instantiates` | | | | | | `governed_by` | `owned_by` | | | | `partitioned_for` | `partitioned_for` | | | |
| `small-saas/deployment/production` | | | | | `uses` | | | | `uses` | | | | | `instantiates` | `implements` | | | | | | `deploys` | | | | `separates` | `separates` | | | |
| `small-saas/evidence/access-review-2026-05` | | | | | | | | | | `uses` | | | | `instantiates` | | | | | | | | | | | | | | | |
| `small-saas/incident/cross-tenant-access-attempt` | | | | | | | | | | | | `uses` | | `instantiates` | `constrained_by` | | | `evidenced_by` | | | | | | | | | | | |
| `small-saas/policy/tenant-isolation` | | | | | | `uses` | | | | | | | | `instantiates` | `requires` | | | `evidenced_by` | | | | | | | | | | | |
| `small-saas/service/billing-portal` | | | | | | | | `uses` | | | | | | `instantiates` | | | | | | | | `part_of` | | `owned_by` | | | | | |
| `small-saas/system/billing-system` | | | | | | | | `uses` | | | | | | `instantiates` | | | | | | | | | | | `serves` | `serves` | | | |
| `small-saas/task/onboard-tenant` | | | | | | | | | | | | | `uses` | `instantiates` | | | | | | `governed_by` | | | | `owned_by` | `changes` | | | | |
| `small-saas/team/platform` | | | | | | | | | | | `uses` | | | `instantiates` | | | | | | | | | | | | | | | |
| `small-saas/tenant/acme` | | | | | | | | | | | `uses` | | | `instantiates` | `isolated_by` | | | | | | | | | | | | `represented_by` | | |
| `small-saas/tenant/globex` | | | | | | | | | | | `uses` | | | `instantiates` | `isolated_by` | | | | | | | | | | | | | | |
| `small-saas/user/ada-admin` | | | `uses` | | | | | | | | `uses` | | | `instantiates` | | | | `access_evidenced_by` | | `has_access_under` | | | | `member_of` | | | | | |
| `standard/caring` | `conforms_to` | | `imports` | `imports` | `imports` | `imports` | | | `imports` | `imports` | `imports` | `imports` | `imports` | | | | | | | | | | | | | | | | `imports` |
| `standard/tagging` | `conforms_to` | | | | | | | | | | | | `imports` | | | | | | | | | | | | | | | | |

View File

@@ -3,17 +3,37 @@
# Kernel Overview
- Infospace: `canon`
- Artifacts: 15
- Artifacts: 29
## Artifact Kinds
- `kernel`: 2
- `model`: 11
- `profile`: 1
- `profile-artifact`: 13
- `standard`: 2
## Relationship Types
- `conforms_to`: 13
- `access_evidenced_by`: 1
- `changes`: 1
- `conforms_to`: 14
- `constrained_by`: 1
- `deploys`: 1
- `evidenced_by`: 3
- `governed_by`: 2
- `has_access_under`: 1
- `implements`: 1
- `imports`: 11
- `instantiates`: 13
- `isolated_by`: 2
- `maps`: 14
- `uses`: 7
- `member_of`: 1
- `owned_by`: 3
- `part_of`: 1
- `partitioned_for`: 2
- `represented_by`: 1
- `requires`: 13
- `separates`: 2
- `serves`: 2
- `uses`: 23

View File

@@ -2,7 +2,7 @@
# Repository Tree
File count: **50**
File count: **67**
- `README.md`
- `agent/README.md`
@@ -10,6 +10,8 @@ File count: **50**
- `artifacts/index.yaml`
- `assimilation/README.md`
- `examples/README.md`
- `examples/small-saas/README.md`
- `examples/small-saas/demo-commands.yaml`
- `indexes/README.md`
- `indexes/artifact-tree.yaml`
- `indexes/concept-ownership.yaml`
@@ -31,7 +33,22 @@ File count: **50**
- `models/task/InfoTechCanonTaskModel.md`
- `patterns/README.md`
- `profiles/README.md`
- `profiles/small-saas/artifacts/control.namespace-per-tenant.yaml`
- `profiles/small-saas/artifacts/dataset.subscription-ledger.yaml`
- `profiles/small-saas/artifacts/deployment.production.yaml`
- `profiles/small-saas/artifacts/evidence.access-review-2026-05.yaml`
- `profiles/small-saas/artifacts/incident.cross-tenant-access-attempt.yaml`
- `profiles/small-saas/artifacts/policy.tenant-isolation.yaml`
- `profiles/small-saas/artifacts/service.billing-portal.yaml`
- `profiles/small-saas/artifacts/system.billing-system.yaml`
- `profiles/small-saas/artifacts/task.onboard-tenant.yaml`
- `profiles/small-saas/artifacts/team.platform.yaml`
- `profiles/small-saas/artifacts/tenant.acme.yaml`
- `profiles/small-saas/artifacts/tenant.globex.yaml`
- `profiles/small-saas/artifacts/user.ada-admin.yaml`
- `profiles/small-saas/profile.yaml`
- `reports/scaffold-placement.md`
- `reports/small-saas-profile-proof.md`
- `schemas/README.md`
- `schemas/agent-brief.schema.yaml`
- `schemas/assimilation.schema.yaml`