Add CARING Kubernetes RBAC benchmark

2026-05-23 06:53:30 +02:00
parent 3f510855ef
commit fb3ac750d5
32 changed files with 1688 additions and 79 deletions

View File

@@ -99,3 +99,11 @@ current scope, future scope, consumer purposes, review decisions, evidence,
source observations, utility relationships, scope freshness, and SCOPE.md as an
interface profile. The pack is intended to seed the consumer-side repo-scoping
workplan while keeping proposed canon extensions reviewable.
## Benchmarks
CARING benchmark assets live under `infospace/standards/caring/benchmarks/`.
The first benchmark is `kubernetes-rbac`, which maps Kubernetes RBAC native
constructs into CARING descriptors and records canon pressure around native
roles, effective access, derived workload capabilities, induced secret exposure,
and the rule that a Namespace is not automatically a tenant boundary.

View File

@@ -0,0 +1,33 @@
---
id: agent-brief/benchmark-caring-kubernetes-rbac-access-descriptors
artifact_id: benchmark/caring/kubernetes-rbac/access-descriptors
source_path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
source_kind: access-descriptor-set
generated: true
---
<!-- GENERATED by info_tech_canon; do not edit by hand. -->
# Agent Brief: Kubernetes RBAC CARING Access Descriptors
- Artifact ID: `benchmark/caring/kubernetes-rbac/access-descriptors`
- Kind: `access-descriptor-set`
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`
- Full source: `standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`
- Summary: Structured CARING access descriptor set: Kubernetes RBAC CARING Access Descriptors.
## Retrieval Hints
Imports and anchors:
- `model/access-control`
- `model/devsecops`
- `model/security`
- `standard/caring`
## Owned Concepts
- `Kubernetes RBAC CARING Access Descriptors`
## Related Distinctions
No common distinction is anchored directly on this artifact.
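Review bot: The `Summary` bullet only restates the kind label and the title (`Structured CARING access descriptor set: Kubernetes RBAC CARING Access Descriptors.`), so an agent retrieving this brief learns nothing about the four descriptor classes or the cases the set covers. The source `access-descriptors.yaml` in this commit has no `summary` field; consider adding one that names declared, effective, derived and induced access and having the generator prefer it over the kind-plus-title fallback. The other four briefs added here have the same issue.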

View File

@@ -0,0 +1,29 @@
---
id: agent-brief/benchmark-caring-kubernetes-rbac-caring-mapping
artifact_id: benchmark/caring/kubernetes-rbac/caring-mapping
source_path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
source_kind: caring-mapping
generated: true
---
<!-- GENERATED by info_tech_canon; do not edit by hand. -->
# Agent Brief: Kubernetes RBAC To CARING Mapping
- Artifact ID: `benchmark/caring/kubernetes-rbac/caring-mapping`
- Kind: `caring-mapping`
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml`
- Full source: `standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml`
- Summary: Native access model to CARING mapping: Kubernetes RBAC To CARING Mapping.
## Retrieval Hints
No imports or anchors recorded.
## Owned Concepts
- `Kubernetes RBAC To CARING Mapping`
## Related Distinctions
No common distinction is anchored directly on this artifact.
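Review bot: `Retrieval Hints` reports `No imports or anchors recorded.` although the index entries for this artifact carry `maps` relationships to `standard/caring`, `model/access-control`, `model/governance` and `model/security`. The access-descriptors brief lists the same targets as its `uses` relationships under imports, while the mapping, findings and native-concepts briefs come out with no anchors even though each has relationships typed `maps` or `proposes`. Either record `imports` in those source files or have the brief fall back to relationship targets, otherwise retrieval by anchor will miss three of the five benchmark artifacts.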

View File

@@ -0,0 +1,29 @@
---
id: agent-brief/benchmark-caring-kubernetes-rbac-findings
artifact_id: benchmark/caring/kubernetes-rbac/findings
source_path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
source_kind: benchmark-findings
generated: true
---
<!-- GENERATED by info_tech_canon; do not edit by hand. -->
# Agent Brief: Kubernetes RBAC Benchmark Findings And Canon Pressure
- Artifact ID: `benchmark/caring/kubernetes-rbac/findings`
- Kind: `benchmark-findings`
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml`
- Full source: `standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml`
- Summary: Benchmark findings, gaps, and canon pressure: Kubernetes RBAC Benchmark Findings And Canon Pressure.
## Retrieval Hints
No imports or anchors recorded.
## Owned Concepts
- `Kubernetes RBAC Benchmark Findings And Canon Pressure`
## Related Distinctions
No common distinction is anchored directly on this artifact.

View File

@@ -0,0 +1,29 @@
---
id: agent-brief/benchmark-caring-kubernetes-rbac-native-concepts
artifact_id: benchmark/caring/kubernetes-rbac/native-concepts
source_path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
source_kind: native-concept-map
generated: true
---
<!-- GENERATED by info_tech_canon; do not edit by hand. -->
# Agent Brief: Kubernetes RBAC Native Concept Map
- Artifact ID: `benchmark/caring/kubernetes-rbac/native-concepts`
- Kind: `native-concept-map`
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml`
- Full source: `standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml`
- Summary: Native source concept map for assimilation or benchmark work: Kubernetes RBAC Native Concept Map.
## Retrieval Hints
No imports or anchors recorded.
## Owned Concepts
- `Kubernetes RBAC Native Concept Map`
## Related Distinctions
No common distinction is anchored directly on this artifact.

View File

@@ -0,0 +1,31 @@
---
id: agent-brief/benchmark-caring-kubernetes-rbac
artifact_id: benchmark/caring/kubernetes-rbac
source_path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
source_kind: benchmark-workspace
generated: true
---
<!-- GENERATED by info_tech_canon; do not edit by hand. -->
# Agent Brief: CARING Kubernetes RBAC Benchmark
- Artifact ID: `benchmark/caring/kubernetes-rbac`
- Kind: `benchmark-workspace`
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml`
- Full source: `standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml`
- Summary: Benchmark workspace definition and review criteria: CARING Kubernetes RBAC Benchmark.
## Retrieval Hints
Imports and anchors:
- `standard/caring`
- `standard/tagging`
## Owned Concepts
- `CARING Kubernetes RBAC Benchmark`
## Related Distinctions
No common distinction is anchored directly on this artifact.

View File

@@ -5,8 +5,8 @@
This brief summarizes the current canon service surface for agents.
- Infospace slug: `canon`
- Artifact count: 49
- Retrieval index items: 49
- Artifact count: 54
- Retrieval index items: 54
- Primary confidence command: `make validate`
- Refresh generated indexes and views with: `make index`
- Refresh agent briefs and interface templates with: `make agent-briefs`

View File

@@ -43,8 +43,195 @@
}
],
"infospace": "canon",
"item_count": 49,
"item_count": 54,
"items": [
{
"canonical_path": "standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml",
"id": "benchmark/caring/kubernetes-rbac",
"imports": [
"standard/caring",
"standard/tagging"
],
"kind": "benchmark-workspace",
"owned_concepts": [
"CARING Kubernetes RBAC Benchmark"
],
"relationships": [
{
"target": "standard/caring",
"type": "conforms_to"
},
{
"target": "model/access-control",
"type": "stress_tests"
},
{
"target": "model/governance",
"type": "stress_tests"
},
{
"target": "model/security",
"type": "stress_tests"
},
{
"target": "model/devsecops",
"type": "stress_tests"
},
{
"target": "model/network",
"type": "stress_tests"
},
{
"target": "model/observability",
"type": "stress_tests"
},
{
"target": "standard/tagging",
"type": "uses"
}
],
"source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml",
"summary": "Benchmark workspace definition and review criteria: CARING Kubernetes RBAC Benchmark.",
"title": "CARING Kubernetes RBAC Benchmark",
"warnings": []
},
{
"canonical_path": "standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml",
"id": "benchmark/caring/kubernetes-rbac/access-descriptors",
"imports": [
"model/access-control",
"model/devsecops",
"model/security",
"standard/caring"
],
"kind": "access-descriptor-set",
"owned_concepts": [
"Kubernetes RBAC CARING Access Descriptors"
],
"relationships": [
{
"target": "benchmark/caring/kubernetes-rbac",
"type": "part_of"
},
{
"target": "standard/caring",
"type": "uses"
},
{
"target": "model/access-control",
"type": "uses"
},
{
"target": "model/security",
"type": "uses"
},
{
"target": "model/devsecops",
"type": "uses"
}
],
"source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml",
"summary": "Structured CARING access descriptor set: Kubernetes RBAC CARING Access Descriptors.",
"title": "Kubernetes RBAC CARING Access Descriptors",
"warnings": []
},
{
"canonical_path": "standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml",
"id": "benchmark/caring/kubernetes-rbac/caring-mapping",
"imports": [],
"kind": "caring-mapping",
"owned_concepts": [
"Kubernetes RBAC To CARING Mapping"
],
"relationships": [
{
"target": "benchmark/caring/kubernetes-rbac",
"type": "part_of"
},
{
"target": "standard/caring",
"type": "maps"
},
{
"target": "model/access-control",
"type": "maps"
},
{
"target": "model/governance",
"type": "maps"
},
{
"target": "model/security",
"type": "maps"
}
],
"source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml",
"summary": "Native access model to CARING mapping: Kubernetes RBAC To CARING Mapping.",
"title": "Kubernetes RBAC To CARING Mapping",
"warnings": []
},
{
"canonical_path": "standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml",
"id": "benchmark/caring/kubernetes-rbac/findings",
"imports": [],
"kind": "benchmark-findings",
"owned_concepts": [
"Kubernetes RBAC Benchmark Findings And Canon Pressure"
],
"relationships": [
{
"target": "benchmark/caring/kubernetes-rbac",
"type": "part_of"
},
{
"target": "standard/caring",
"type": "proposes"
},
{
"target": "model/governance",
"type": "proposes"
},
{
"target": "model/security",
"type": "proposes"
}
],
"source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml",
"summary": "Benchmark findings, gaps, and canon pressure: Kubernetes RBAC Benchmark Findings And Canon Pressure.",
"title": "Kubernetes RBAC Benchmark Findings And Canon Pressure",
"warnings": []
},
{
"canonical_path": "standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml",
"id": "benchmark/caring/kubernetes-rbac/native-concepts",
"imports": [],
"kind": "native-concept-map",
"owned_concepts": [
"Kubernetes RBAC Native Concept Map"
],
"relationships": [
{
"target": "benchmark/caring/kubernetes-rbac",
"type": "part_of"
},
{
"target": "standard/caring",
"type": "maps"
},
{
"target": "model/access-control",
"type": "maps"
},
{
"target": "model/landscape",
"type": "maps"
}
],
"source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml",
"summary": "Native source concept map for assimilation or benchmark work: Kubernetes RBAC Native Concept Map.",
"title": "Kubernetes RBAC Native Concept Map",
"warnings": []
},
{
"canonical_path": "evaluations/repo-scoping/canon-benefit-analysis.yaml",
"id": "comparison/repo-scoping/canon-benefit-analysis",

View File

@@ -4,7 +4,7 @@
Schema: `info-tech-canon.retrieval-index.v1`
Infospace: `canon`
Items: **49**
Items: **54**
## Common Distinctions
@@ -15,6 +15,56 @@ Items: **49**
## Items
### CARING Kubernetes RBAC Benchmark
- ID: `benchmark/caring/kubernetes-rbac`
- Kind: `benchmark-workspace`
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml`
- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml`
- Summary: Benchmark workspace definition and review criteria: CARING Kubernetes RBAC Benchmark.
- Imports and anchors: `standard/caring`, `standard/tagging`
- Owned concepts: `CARING Kubernetes RBAC Benchmark`
### Kubernetes RBAC CARING Access Descriptors
- ID: `benchmark/caring/kubernetes-rbac/access-descriptors`
- Kind: `access-descriptor-set`
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`
- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`
- Summary: Structured CARING access descriptor set: Kubernetes RBAC CARING Access Descriptors.
- Imports and anchors: `model/access-control`, `model/devsecops`, `model/security`, `standard/caring`
- Owned concepts: `Kubernetes RBAC CARING Access Descriptors`
### Kubernetes RBAC To CARING Mapping
- ID: `benchmark/caring/kubernetes-rbac/caring-mapping`
- Kind: `caring-mapping`
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml`
- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml`
- Summary: Native access model to CARING mapping: Kubernetes RBAC To CARING Mapping.
- Imports and anchors: none
- Owned concepts: `Kubernetes RBAC To CARING Mapping`
### Kubernetes RBAC Benchmark Findings And Canon Pressure
- ID: `benchmark/caring/kubernetes-rbac/findings`
- Kind: `benchmark-findings`
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml`
- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml`
- Summary: Benchmark findings, gaps, and canon pressure: Kubernetes RBAC Benchmark Findings And Canon Pressure.
- Imports and anchors: none
- Owned concepts: `Kubernetes RBAC Benchmark Findings And Canon Pressure`
### Kubernetes RBAC Native Concept Map
- ID: `benchmark/caring/kubernetes-rbac/native-concepts`
- Kind: `native-concept-map`
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml`
- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml`
- Summary: Native source concept map for assimilation or benchmark work: Kubernetes RBAC Native Concept Map.
- Imports and anchors: none
- Owned concepts: `Kubernetes RBAC Native Concept Map`
### Repo Scoping Canon Benefit Analysis
- ID: `comparison/repo-scoping/canon-benefit-analysis`

View File

@@ -1,7 +1,124 @@
schema: info-tech-canon.retrieval-index.v1
infospace: canon
item_count: 49
item_count: 54
items:
- id: benchmark/caring/kubernetes-rbac
kind: benchmark-workspace
title: CARING Kubernetes RBAC Benchmark
canonical_path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
summary: 'Benchmark workspace definition and review criteria: CARING Kubernetes
RBAC Benchmark.'
owned_concepts:
- CARING Kubernetes RBAC Benchmark
imports:
- standard/caring
- standard/tagging
relationships:
- type: conforms_to
target: standard/caring
- type: stress_tests
target: model/access-control
- type: stress_tests
target: model/governance
- type: stress_tests
target: model/security
- type: stress_tests
target: model/devsecops
- type: stress_tests
target: model/network
- type: stress_tests
target: model/observability
- type: uses
target: standard/tagging
warnings: []
- id: benchmark/caring/kubernetes-rbac/access-descriptors
kind: access-descriptor-set
title: Kubernetes RBAC CARING Access Descriptors
canonical_path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
summary: 'Structured CARING access descriptor set: Kubernetes RBAC CARING Access
Descriptors.'
owned_concepts:
- Kubernetes RBAC CARING Access Descriptors
imports:
- model/access-control
- model/devsecops
- model/security
- standard/caring
relationships:
- type: part_of
target: benchmark/caring/kubernetes-rbac
- type: uses
target: standard/caring
- type: uses
target: model/access-control
- type: uses
target: model/security
- type: uses
target: model/devsecops
warnings: []
- id: benchmark/caring/kubernetes-rbac/caring-mapping
kind: caring-mapping
title: Kubernetes RBAC To CARING Mapping
canonical_path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
summary: 'Native access model to CARING mapping: Kubernetes RBAC To CARING Mapping.'
owned_concepts:
- Kubernetes RBAC To CARING Mapping
imports: []
relationships:
- type: part_of
target: benchmark/caring/kubernetes-rbac
- type: maps
target: standard/caring
- type: maps
target: model/access-control
- type: maps
target: model/governance
- type: maps
target: model/security
warnings: []
- id: benchmark/caring/kubernetes-rbac/findings
kind: benchmark-findings
title: Kubernetes RBAC Benchmark Findings And Canon Pressure
canonical_path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
summary: 'Benchmark findings, gaps, and canon pressure: Kubernetes RBAC Benchmark
Findings And Canon Pressure.'
owned_concepts:
- Kubernetes RBAC Benchmark Findings And Canon Pressure
imports: []
relationships:
- type: part_of
target: benchmark/caring/kubernetes-rbac
- type: proposes
target: standard/caring
- type: proposes
target: model/governance
- type: proposes
target: model/security
warnings: []
- id: benchmark/caring/kubernetes-rbac/native-concepts
kind: native-concept-map
title: Kubernetes RBAC Native Concept Map
canonical_path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
summary: 'Native source concept map for assimilation or benchmark work: Kubernetes
RBAC Native Concept Map.'
owned_concepts:
- Kubernetes RBAC Native Concept Map
imports: []
relationships:
- type: part_of
target: benchmark/caring/kubernetes-rbac
- type: maps
target: standard/caring
- type: maps
target: model/access-control
- type: maps
target: model/landscape
warnings: []
- id: comparison/repo-scoping/canon-benefit-analysis
kind: benefit-analysis
title: Repo Scoping Canon Benefit Analysis

View File

@@ -242,6 +242,98 @@ artifacts:
target: model/task
- type: imports
target: standard/tagging
- id: benchmark/caring/kubernetes-rbac
path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
kind: benchmark-workspace
title: CARING Kubernetes RBAC Benchmark
provenance:
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
placement_workplan: ITC-WP-0010
relationships:
- type: conforms_to
target: standard/caring
- type: stress_tests
target: model/access-control
- type: stress_tests
target: model/governance
- type: stress_tests
target: model/security
- type: stress_tests
target: model/devsecops
- type: stress_tests
target: model/network
- type: stress_tests
target: model/observability
- type: uses
target: standard/tagging
- id: benchmark/caring/kubernetes-rbac/native-concepts
path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
kind: native-concept-map
title: Kubernetes RBAC Native Concept Map
provenance:
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
placement_workplan: ITC-WP-0010
relationships:
- type: part_of
target: benchmark/caring/kubernetes-rbac
- type: maps
target: standard/caring
- type: maps
target: model/access-control
- type: maps
target: model/landscape
- id: benchmark/caring/kubernetes-rbac/caring-mapping
path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
kind: caring-mapping
title: Kubernetes RBAC To CARING Mapping
provenance:
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
placement_workplan: ITC-WP-0010
relationships:
- type: part_of
target: benchmark/caring/kubernetes-rbac
- type: maps
target: standard/caring
- type: maps
target: model/access-control
- type: maps
target: model/governance
- type: maps
target: model/security
- id: benchmark/caring/kubernetes-rbac/access-descriptors
path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
kind: access-descriptor-set
title: Kubernetes RBAC CARING Access Descriptors
provenance:
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
placement_workplan: ITC-WP-0010
relationships:
- type: part_of
target: benchmark/caring/kubernetes-rbac
- type: uses
target: standard/caring
- type: uses
target: model/access-control
- type: uses
target: model/security
- type: uses
target: model/devsecops
- id: benchmark/caring/kubernetes-rbac/findings
path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
kind: benchmark-findings
title: Kubernetes RBAC Benchmark Findings And Canon Pressure
provenance:
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
placement_workplan: ITC-WP-0010
relationships:
- type: part_of
target: benchmark/caring/kubernetes-rbac
- type: proposes
target: standard/caring
- type: proposes
target: model/governance
- type: proposes
target: model/security
- id: profile/small-saas
path: profiles/small-saas/profile.yaml
kind: profile
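Review bot: The `benchmark/caring/kubernetes-rbac` entry records `stress_tests` for access-control, governance, security, devsecops, network and observability only, but the workspace README in this commit says the benchmark also stresses Organization, Landscape and Task. `model/task` and `model/landscape` already appear as relationship targets in this catalog, so either add the missing `stress_tests` rows (and regenerate the index and matrix) or narrow the README sentence to the models the cases actually exercise.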

View File

@@ -1,5 +1,5 @@
root: infospace
file_count: 131
file_count: 142
files:
- path: README.md
directory: .
@@ -7,6 +7,21 @@ files:
- path: agent/README.md
directory: agent
name: README.md
- path: agent/briefs/benchmark-caring-kubernetes-rbac-access-descriptors.md
directory: agent/briefs
name: benchmark-caring-kubernetes-rbac-access-descriptors.md
- path: agent/briefs/benchmark-caring-kubernetes-rbac-caring-mapping.md
directory: agent/briefs
name: benchmark-caring-kubernetes-rbac-caring-mapping.md
- path: agent/briefs/benchmark-caring-kubernetes-rbac-findings.md
directory: agent/briefs
name: benchmark-caring-kubernetes-rbac-findings.md
- path: agent/briefs/benchmark-caring-kubernetes-rbac-native-concepts.md
directory: agent/briefs
name: benchmark-caring-kubernetes-rbac-native-concepts.md
- path: agent/briefs/benchmark-caring-kubernetes-rbac.md
directory: agent/briefs
name: benchmark-caring-kubernetes-rbac.md
- path: agent/briefs/comparison-repo-scoping-canon-benefit-analysis.md
directory: agent/briefs
name: comparison-repo-scoping-canon-benefit-analysis.md
@@ -361,6 +376,24 @@ files:
- path: standards/caring/InfoTechCanonCaringAccessGovernanceStandard.md
directory: standards/caring
name: InfoTechCanonCaringAccessGovernanceStandard.md
- path: standards/caring/benchmarks/kubernetes-rbac/README.md
directory: standards/caring/benchmarks/kubernetes-rbac
name: README.md
- path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
directory: standards/caring/benchmarks/kubernetes-rbac
name: access-descriptors.yaml
- path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
directory: standards/caring/benchmarks/kubernetes-rbac
name: benchmark.yaml
- path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
directory: standards/caring/benchmarks/kubernetes-rbac
name: caring-mapping.yaml
- path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
directory: standards/caring/benchmarks/kubernetes-rbac
name: findings-and-canon-pressure.yaml
- path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
directory: standards/caring/benchmarks/kubernetes-rbac
name: native-concepts.yaml
- path: standards/tagging/InfoTechCanonTaggingStandard.md
directory: standards/tagging
name: InfoTechCanonTaggingStandard.md

View File

@@ -1,5 +1,25 @@
concept_count: 74
concept_count: 79
concepts:
- concept: CARING Kubernetes RBAC Benchmark
owner: benchmark/caring/kubernetes-rbac
path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
source: artifact_title
- concept: Kubernetes RBAC CARING Access Descriptors
owner: benchmark/caring/kubernetes-rbac/access-descriptors
path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
source: artifact_title
- concept: Kubernetes RBAC To CARING Mapping
owner: benchmark/caring/kubernetes-rbac/caring-mapping
path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
source: artifact_title
- concept: Kubernetes RBAC Benchmark Findings And Canon Pressure
owner: benchmark/caring/kubernetes-rbac/findings
path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
source: artifact_title
- concept: Kubernetes RBAC Native Concept Map
owner: benchmark/caring/kubernetes-rbac/native-concepts
path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
source: artifact_title
- concept: Repo Scoping Canon Benefit Analysis
owner: comparison/repo-scoping/canon-benefit-analysis
path: evaluations/repo-scoping/canon-benefit-analysis.yaml

View File

@@ -1,4 +1,9 @@
artifacts:
- benchmark/caring/kubernetes-rbac
- benchmark/caring/kubernetes-rbac/access-descriptors
- benchmark/caring/kubernetes-rbac/caring-mapping
- benchmark/caring/kubernetes-rbac/findings
- benchmark/caring/kubernetes-rbac/native-concepts
- comparison/repo-scoping/canon-benefit-analysis
- comparison/repo-scoping/consumer-workplan-brief
- comparison/repo-scoping/extension-candidates
@@ -49,6 +54,68 @@ artifacts:
- standard/caring
- standard/tagging
rows:
- artifact: benchmark/caring/kubernetes-rbac
targets:
model/access-control:
- stress_tests
model/devsecops:
- stress_tests
model/governance:
- stress_tests
model/network:
- stress_tests
model/observability:
- stress_tests
model/security:
- stress_tests
standard/caring:
- conforms_to
standard/tagging:
- uses
- artifact: benchmark/caring/kubernetes-rbac/access-descriptors
targets:
benchmark/caring/kubernetes-rbac:
- part_of
model/access-control:
- uses
model/devsecops:
- uses
model/security:
- uses
standard/caring:
- uses
- artifact: benchmark/caring/kubernetes-rbac/caring-mapping
targets:
benchmark/caring/kubernetes-rbac:
- part_of
model/access-control:
- maps
model/governance:
- maps
model/security:
- maps
standard/caring:
- maps
- artifact: benchmark/caring/kubernetes-rbac/findings
targets:
benchmark/caring/kubernetes-rbac:
- part_of
model/governance:
- proposes
model/security:
- proposes
standard/caring:
- proposes
- artifact: benchmark/caring/kubernetes-rbac/native-concepts
targets:
benchmark/caring/kubernetes-rbac:
- part_of
model/access-control:
- maps
model/landscape:
- maps
standard/caring:
- maps
- artifact: comparison/repo-scoping/canon-benefit-analysis
targets:
comparison/repo-scoping/report:

View File

@@ -0,0 +1,30 @@
---
id: benchmark/caring/kubernetes-rbac/readme
title: CARING Kubernetes RBAC Benchmark Workspace
status: candidate
created_by_workplan: ITC-WP-0010
---
# CARING Kubernetes RBAC Benchmark
This workspace analyzes Kubernetes RBAC as a CARING benchmark, not as a
shortcut profile. It is designed to stress access-governance orthogonality
across Access Control, Organization, Governance, Security, Landscape,
DevSecOps, Network, Observability, Task, and Tagging.
The benchmark keeps Kubernetes native constructs separate from CARING meaning:
- `Role` and `ClusterRole` are rule bundles or capability profiles, not
automatically CARING canonical roles.
- `RoleBinding` and `ClusterRoleBinding` are grants or assignments.
- `ServiceAccount` is a service subject and a workload identity anchor.
- `Namespace` is a useful scope signal, but it is not automatically a tenant
boundary.
Indexed benchmark artifacts:
- `benchmark.yaml`
- `native-concepts.yaml`
- `caring-mapping.yaml`
- `access-descriptors.yaml`
- `findings-and-canon-pressure.yaml`
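Review bot: The mapping bullets do not say where scope comes from, and that matters for the `Role`/`ClusterRole` bullet: a `ClusterRole` referenced from a `RoleBinding` grants its rules only inside that binding's namespace, so scope is a property of the binding, not of the role kind. Suggest adding a bullet to that effect next to the `RoleBinding` and `ClusterRoleBinding` line. The `cluster-secret-reader` expected output in `benchmark.yaml` (`ClusterRole maps to cluster-scoped data exposure capability.`) should be reworded the same way, since the cluster scope there follows from the `ClusterRoleBinding`.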

View File

@@ -0,0 +1,164 @@
id: benchmark/caring/kubernetes-rbac/access-descriptors
title: Kubernetes RBAC CARING Access Descriptors
status: candidate
benchmark: benchmark/caring/kubernetes-rbac
descriptor_classes:
- declared_access
- effective_access
- derived_capability
- induced_access
descriptors:
- id: descriptor/namespace-pod-reader/declared
case_id: namespace-pod-reader
descriptor_class: declared_access
subject: serviceaccount:tenant-a:report-viewer
organization_relation: customer-operated-service
canonical_role: Viewer
scope: namespace:tenant-a
plane: Runtime
capabilities:
- get pods
- list pods
- watch pods
exposure_mode: metadata-and-runtime-state
lifecycle_state: steady-state-observation
conditions:
- bound by RoleBinding in namespace tenant-a
restrictions:
- no pod mutation
- no secret read
- namespace is not accepted as tenant boundary without additional evidence
native_evidence:
- Role/report-viewer
- RoleBinding/report-viewer-binding
- ServiceAccount/report-viewer
- id: descriptor/workload-creator/declared
case_id: workload-creator-derived-execution
descriptor_class: declared_access
subject: serviceaccount:tenant-a:job-runner
organization_relation: customer-operated-automation
canonical_role: Doer
scope: namespace:tenant-a
plane: Runtime
capabilities:
- create pods
- get pods
- delete pods
exposure_mode: workload-specification-control
lifecycle_state: job-execution
conditions:
- bound by RoleBinding in namespace tenant-a
restrictions:
- no direct secret get/list/watch declared
native_evidence:
- Role/job-runner
- RoleBinding/job-runner-binding
- ServiceAccount/job-runner
- id: descriptor/workload-creator/effective
case_id: workload-creator-derived-execution
descriptor_class: effective_access
subject: serviceaccount:tenant-a:job-runner
organization_relation: customer-operated-automation
canonical_role: Doer
scope: namespace:tenant-a
plane: Runtime
capabilities:
- create workload
- select pod service account
- influence mounted volumes
- execute container image
exposure_mode: mediated-runtime-execution
lifecycle_state: job-execution
conditions:
- pod admission and service-account mount behavior determine actual reach
restrictions:
- effective access must be checked against admission policy and service-account permissions
native_evidence:
- create pods verb
- pod spec serviceAccountName
- projected service account token behavior
- id: descriptor/workload-creator/derived
case_id: workload-creator-derived-execution
descriptor_class: derived_capability
subject: serviceaccount:tenant-a:job-runner
organization_relation: customer-operated-automation
canonical_role: Doer
scope: namespace:tenant-a
plane: Runtime
capabilities:
- execute arbitrary workload image
- use mounted service account identity
- read mounted runtime inputs
exposure_mode: derived-execution-and-identity-use
lifecycle_state: job-execution
conditions:
- derived from create pods permission
restrictions:
- must be bounded by admission controls, image policy, and service-account selection rules
native_evidence:
- Role/job-runner create pods
- id: descriptor/workload-creator/induced
case_id: workload-creator-derived-execution
descriptor_class: induced_access
subject: serviceaccount:tenant-a:job-runner
organization_relation: customer-operated-automation
canonical_role: Doer
scope: namespace:tenant-a
plane: Secret
capabilities:
- potential secret exposure through mounted volumes
- potential token exposure through mounted identity
exposure_mode: induced-secret-and-identity-exposure
lifecycle_state: job-execution
conditions:
- induced path exists only when workload can mount or reach sensitive material
restrictions:
- classify as candidate finding until manifests, admission, and secret references are reviewed
native_evidence:
- pod volume mounts
- service account token projection
- secret references in pod spec
- id: descriptor/cluster-secret-reader/declared
case_id: cluster-secret-reader
descriptor_class: declared_access
subject: serviceaccount:platform:inventory
organization_relation: platform-service-provider
canonical_role: Auditor
scope: cluster
plane: Secret
capabilities:
- get secrets
- list secrets
- watch secrets
exposure_mode: sensitive-data-read
lifecycle_state: operational-inventory
conditions:
- bound by ClusterRoleBinding
restrictions:
- requires governance review and audit evidence
native_evidence:
- ClusterRole/secret-reader
- ClusterRoleBinding/inventory-secret-reader
- ServiceAccount/inventory
- id: descriptor/namespace-boundary/review
case_id: namespace-as-tenant-boundary
descriptor_class: effective_access
subject: tenant-boundary-claim:tenant-a
organization_relation: platform-provider
canonical_role: Governor
scope: namespace:tenant-a
plane: Policy
capabilities:
- claim tenant isolation
- review access and runtime boundaries
exposure_mode: governance-claim
lifecycle_state: design-review
conditions:
- claim must be supported by access, network, runtime, data, and governance evidence
restrictions:
- namespace alone is insufficient evidence
native_evidence:
- Namespace/tenant-a
- RoleBinding set
- NetworkPolicy set
- ResourceQuota set
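Review bot: `descriptor/namespace-boundary/review` is filed as `descriptor_class: effective_access`, but its subject is `tenant-boundary-claim:tenant-a` and its capabilities are `claim tenant isolation` and `review access and runtime boundaries`, which describe a governance claim under review rather than access held by a principal. Consider moving it to the findings file or adding a distinct class to `descriptor_classes`, so consumers filtering on `effective_access` do not pick it up. Separately, `cluster-secret-reader` has only a declared descriptor: with `scope: cluster` and get/list/watch on secrets it also reaches secrets in `namespace:tenant-a`, which is the evidence the tenant-boundary case asks for, and its single restriction (`requires governance review and audit evidence`) is procedural rather than a limit on reach. An effective or induced descriptor for that case would make the cross-namespace exposure explicit.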

View File

@@ -0,0 +1,102 @@
id: benchmark/caring/kubernetes-rbac
title: CARING Kubernetes RBAC Benchmark
status: candidate
standard: standard/caring
created_by_workplan: ITC-WP-0010
purpose: Stress-test CARING descriptor shape against Kubernetes RBAC without treating Kubernetes native names as canon roles.
source_corpus:
- id: kubernetes-rbac-reference
title: Kubernetes RBAC Reference
source_type: vendor-documentation
url: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
role: primary-native-model-reference
- id: kubernetes-service-account-concepts
title: Kubernetes Service Accounts
source_type: vendor-documentation
url: https://kubernetes.io/docs/concepts/security/service-accounts/
role: workload-identity-reference
- id: local-caring-standard
title: InfoTechCanon CARING Access Governance Standard
source_type: canon-standard
path: standards/caring/InfoTechCanonCaringAccessGovernanceStandard.md
role: descriptor-vocabulary
cases:
- id: namespace-pod-reader
title: Namespace-Scoped Pod Reader
native_objects:
- Role
- RoleBinding
- ServiceAccount
- Namespace
stress_focus:
- declared-access
- scope-mapping
- native-role-warning
expected_outputs:
- Role maps to a scoped capability profile over get/list/watch pods.
- RoleBinding maps to a grant from subject to capability profile.
- Namespace is recorded as Kubernetes scope, not tenant boundary.
- id: workload-creator-derived-execution
title: Workload Creator With Derived Execution Capability
native_objects:
- Role
- RoleBinding
- ServiceAccount
- Pod
- Secret
stress_focus:
- declared-access
- effective-access
- derived-capability
- induced-access
expected_outputs:
- Create pod is declared as workload creation access.
- Execute workload is derived from the ability to create pods.
- Mounted service-account and secret exposure are induced access candidates.
- id: cluster-secret-reader
title: ClusterRole Secret Reader
native_objects:
- ClusterRole
- ClusterRoleBinding
- ServiceAccount
- Secret
stress_focus:
- cluster-scope
- exposure-mode
- governance-review
expected_outputs:
- ClusterRole maps to cluster-scoped data exposure capability.
- ClusterRoleBinding broadens scope beyond a namespace.
- Secret read access produces security and governance findings.
- id: namespace-as-tenant-boundary
title: Namespace Used As Tenant Boundary Claim
native_objects:
- Namespace
- Role
- RoleBinding
- NetworkPolicy
- ResourceQuota
stress_focus:
- tenant-boundary-warning
- cross-model-evidence
- review-criteria
expected_outputs:
- Namespace alone cannot prove tenant isolation.
- Tenant-boundary claim requires access, network, data, runtime, and governance evidence.
- Missing evidence creates a canon pressure finding instead of an approved boundary claim.
expected_outputs:
- Native concept map covering Role, ClusterRole, RoleBinding, ClusterRoleBinding, ServiceAccount, Namespace, verbs, resources, and scopes.
- CARING mapping that separates native role objects from canonical roles, capability profiles, grants, scopes, planes, and exposure modes.
- Access descriptors that distinguish declared access, effective access, derived capability, and induced access.
- Findings that identify gaps, conflicts, and proposed canon changes without changing standards silently.
review_criteria:
- id: descriptor-completeness
criterion: Every benchmark case has at least one CARING access descriptor with subject, scope, plane, capabilities, exposure mode, lifecycle state, and native evidence.
- id: native-role-warning
criterion: Kubernetes Role and ClusterRole are never accepted as CARINGCanonicalRole without an explicit mapping rationale.
- id: namespace-boundary-check
criterion: Namespace isolation is treated as a claim requiring evidence, not as a tenant boundary by default.
- id: effective-access-analysis
criterion: Create or update workload permissions are reviewed for derived execution, mounted identity, secret, and volume exposure.
- id: canon-pressure-routing
criterion: Gaps become reviewable proposed changes, tasks, or open questions rather than immediate model changes.
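Review bot: the `descriptor-completeness` criterion lists subject, scope, plane, capabilities, exposure mode, lifecycle state, and native evidence, but the descriptors in this commit also carry `descriptor_class`, `organization_relation`, `canonical_role`, and `restrictions`, and `proposal/caring-descriptor-schema` names those as required fields. As written, a descriptor with no descriptor class or canonical role passes this criterion; align the list with the proposed schema. The `effective-access-analysis` criterion has a similar gap: it covers create or update workload permissions only, while `gap/effective-access-calculus` also names impersonation, bind, and escalate as paths needing derivation rules.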

View File

@@ -0,0 +1,79 @@
id: benchmark/caring/kubernetes-rbac/caring-mapping
title: Kubernetes RBAC To CARING Mapping
status: candidate
benchmark: benchmark/caring/kubernetes-rbac
namespace_tenant_boundary_warning: true
mappings:
- native_concept: Role
caring_dimension: capability_profile
canon_targets:
- standard/caring:CARINGCapabilityProfile
- model/access-control:Permission
- model/governance:Policy
mapping_rule: Interpret Role rules as scoped capability bundles over verbs, resources, API groups, and resource names.
- native_concept: ClusterRole
caring_dimension: capability_profile
canon_targets:
- standard/caring:CARINGCapabilityProfile
- model/access-control:Permission
- model/governance:Policy
mapping_rule: Interpret ClusterRole rules as cluster-scope or reusable capability bundles; do not infer organization responsibility.
- native_concept: RoleBinding
caring_dimension: declared_access
canon_targets:
- standard/caring:CARINGDeclaredAccessMap
- model/access-control:Grant
- model/governance:Decision
mapping_rule: Bind subject to a Role or ClusterRole within the RoleBinding namespace.
- native_concept: ClusterRoleBinding
caring_dimension: declared_access
canon_targets:
- standard/caring:CARINGDeclaredAccessMap
- model/access-control:Grant
- model/governance:Decision
mapping_rule: Bind subject to a ClusterRole at cluster scope.
- native_concept: ServiceAccount
caring_dimension: subject
canon_targets:
- model/access-control:Subject
- model/devsecops:WorkloadIdentity
- model/organization:Service
mapping_rule: Treat ServiceAccount as a service subject; map workload use separately as effective or induced access.
- native_concept: Namespace
caring_dimension: scope
canon_targets:
- model/access-control:ResourceScope
- model/landscape:RuntimeContainment
- model/network:SegmentationContext
mapping_rule: Use Namespace as a Kubernetes scope signal; require additional evidence before mapping it to TenantBoundary.
- native_concept: Verb
caring_dimension: capability
canon_targets:
- model/access-control:Action
- standard/caring:CARINGCapabilityProfile
mapping_rule: Interpret verbs in combination with resources because create pods and get secrets have different exposure consequences.
- native_concept: Resource
caring_dimension: scope
canon_targets:
- model/access-control:Resource
- model/landscape:RuntimeResource
- model/security:ExposureTarget
mapping_rule: Map resources to access targets and then evaluate exposure, derived capability, and plane.
- native_concept: Scope
caring_dimension: scope
canon_targets:
- model/access-control:ResourceScope
- model/landscape:LandscapeScope
- model/governance:GovernanceScope
mapping_rule: Preserve namespace, cluster, API group, resource, and resourceName boundaries as separate scope facets.
analysis_rules:
- id: native-role-warning
rule: Do not map Role or ClusterRole to CARINGCanonicalRole without an explicit lifecycle-responsibility rationale.
- id: declared-to-effective
rule: Translate bindings into declared access first, then test workload, controller, service-account, secret, and volume paths for effective access.
- id: derived-workload-execution
rule: Permissions that create or update workload specs may imply derived execution and mounted identity capabilities.
- id: secret-exposure
rule: Permissions over secrets, pods, serviceaccounts, roles, rolebindings, or escalation verbs require security and governance review.
- id: namespace-tenant-boundary
rule: Namespace isolation claims require evidence from access control, runtime configuration, network policy, data isolation, and governance ownership.
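Review bot: the only subject mapping in `mappings` is `ServiceAccount`, yet the `RoleBinding` and `ClusterRoleBinding` rules say "Bind subject to ..." without restricting the subject kind. Kubernetes bindings can also name User and Group subjects, so a binding to a group has a declared-access mapping but no subject mapping to resolve against. Either add entries for User and Group or state in the mapping that this benchmark covers service-account subjects only.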

View File

@@ -0,0 +1,76 @@
id: benchmark/caring/kubernetes-rbac/findings
title: Kubernetes RBAC Benchmark Findings And Canon Pressure
status: candidate
benchmark: benchmark/caring/kubernetes-rbac
stable_findings:
- id: finding/native-role-is-rule-bundle
severity: high
summary: Kubernetes Role and ClusterRole are native rule bundles, not automatically CARING canonical roles.
canon_pressure:
- Keep the native role warning visible in CARING validation.
- Add benchmark assertions that reject direct Role to CARINGCanonicalRole mappings without rationale.
- id: finding/namespace-not-tenant-boundary
severity: high
summary: Namespace is a useful scope signal but does not by itself prove tenant isolation.
canon_pressure:
- Treat tenant-boundary claims as reviewable evidence bundles across access, network, data, runtime, and governance.
- Add a reusable tenant-boundary review pattern if this recurs in other benchmarks.
- id: finding/workload-create-derives-execution
severity: high
summary: Workload creation permissions can derive runtime execution, mounted identity use, volume access, and secret exposure paths.
canon_pressure:
- Clarify ownership of DerivedCapability between CARING, Access Control, Security, and DevSecOps.
- Add effective-access checks for workload-mediated permission paths.
- id: finding/serviceaccount-is-service-subject
severity: medium
summary: ServiceAccount should map to a service subject and workload identity, not to a human actor or organization role.
canon_pressure:
- Strengthen subject and principal distinctions in access reviews.
- Preserve actor, subject, principal, and workload identity as separate concepts.
gaps:
- id: gap/caring-access-descriptor-schema
title: Machine-readable CARING descriptor schema
description: The benchmark uses structured descriptors, but there is not yet a formal schema for CARINGAccessDescriptor.
proposed_route: Create schema under a future CARING validation workplan.
- id: gap/effective-access-calculus
title: Effective access derivation rules
description: The canon needs reusable derivation rules for workload creation, mounted identities, secrets, impersonation, bind, and escalate.
proposed_route: Add validation rules after more benchmark cases are exercised.
- id: gap/tenant-boundary-evidence-profile
title: Tenant boundary evidence profile
description: Namespace boundary claims need a reusable evidence profile spanning access, network, runtime, data, and governance controls.
proposed_route: Candidate pattern or profile, not an immediate standard change.
conflicts:
- id: conflict/native-role-name
summary: Kubernetes native Role conflicts with the everyday meaning of role and with CARINGCanonicalRole.
resolution: Preserve native construct name and require explicit mapping to capability profile or canonical role.
- id: conflict/scope-overload
summary: Kubernetes namespace, resource scope, governance scope, tenant scope, and CARING scope can be conflated.
resolution: Record scope facets separately and only approve tenant-boundary claims after evidence review.
proposed_changes:
- id: proposal/caring-descriptor-schema
owner: standard/caring
change_type: new-schema
proposal: Add a CARING access descriptor schema with required fields for subject, organization relation, canonical role, scope, plane, capabilities, exposure mode, lifecycle state, restrictions, descriptor class, and native evidence.
- id: proposal/kubernetes-rbac-validation-rules
owner: standard/caring
change_type: benchmark-validation
proposal: Add CARING validation rules for native role warning, namespace tenant-boundary claims, workload-derived execution, and secret exposure.
- id: proposal/tenant-boundary-review-pattern
owner: model/governance
change_type: new-pattern
proposal: Add a review pattern for tenant-boundary claims that requires evidence from access control, network, runtime, data, security, and governance.
- id: proposal/derived-capability-ownership
owner: standard/caring
change_type: open-question
proposal: Decide whether DerivedCapability remains CARING-owned or becomes shared with Access Control and Security through a model profile.
follow_up_tasks:
- id: task/formalize-caring-descriptor-schema
target_workplan: proposed
summary: Create the CARING access descriptor schema and validate this benchmark against it.
- id: task/add-kubernetes-rbac-case-corpus
target_workplan: proposed
summary: Add concrete Kubernetes YAML manifests for the four benchmark cases and expected parsed observations.
- id: task/expand-effective-access-engine
target_workplan: proposed
summary: Prototype derivation rules for pod creation, service-account mounting, secrets, bind, escalate, and impersonate.
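Review bot: `stable_findings` has no entry for the `cluster-secret-reader` case, although that case's expected outputs say "Secret read access produces security and governance findings". The four findings cover native roles, namespace boundaries, workload creation, and service-account subjects; add a finding for cluster-scoped secret read, and give each finding a reference to the case or descriptor ids it came from so it can be traced. The tenant-boundary evidence list also drifts within this file: the finding and the gap name access, network, data, runtime, and governance, while `proposal/tenant-boundary-review-pattern` adds security as a sixth domain.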

View File

@@ -0,0 +1,87 @@
id: benchmark/caring/kubernetes-rbac/native-concepts
title: Kubernetes RBAC Native Concept Map
status: candidate
benchmark: benchmark/caring/kubernetes-rbac
namespace_tenant_boundary_warning: true
concepts:
- native: Role
category: rule-bundle
native_scope: namespace
caring_mapping: CARINGCapabilityProfile
canon_mappings:
- model/access-control:PermissionSet
- model/governance:Policy
notes: A Role defines permissions within one namespace and is not automatically a CARINGCanonicalRole.
- native: ClusterRole
category: rule-bundle
native_scope: cluster
caring_mapping: CARINGCapabilityProfile
canon_mappings:
- model/access-control:PermissionSet
- model/governance:Policy
notes: A ClusterRole can define cluster-scoped permissions or reusable rule bundles for namespace bindings.
- native: RoleBinding
category: assignment
native_scope: namespace
caring_mapping: CARINGDeclaredAccessMap
canon_mappings:
- model/access-control:Grant
- model/governance:AssignmentDecision
notes: A RoleBinding grants a Role or ClusterRole to subjects within a namespace.
- native: ClusterRoleBinding
category: assignment
native_scope: cluster
caring_mapping: CARINGDeclaredAccessMap
canon_mappings:
- model/access-control:Grant
- model/governance:AssignmentDecision
notes: A ClusterRoleBinding grants a ClusterRole across cluster scope.
- native: ServiceAccount
category: service-subject
native_scope: namespace
caring_mapping: Subject
canon_mappings:
- model/access-control:Subject
- model/organization:Service
- model/devsecops:WorkloadIdentity
notes: A ServiceAccount is a service subject and workload identity anchor, not a human actor.
- native: Namespace
category: scope-signal
native_scope: namespace
caring_mapping: Scope
canon_mappings:
- model/landscape:RuntimeContainment
- model/access-control:ResourceScope
- model/network:SegmentationContext
notes: A Namespace is not automatically a tenant boundary; tenant isolation needs supporting access, network, data, and governance evidence.
- native: Verb
category: action
native_scope: rule
caring_mapping: Capability
canon_mappings:
- model/access-control:Action
- standard/caring:CARINGCapabilityProfile
notes: Verbs such as get, list, watch, create, update, patch, delete, bind, impersonate, and escalate must be interpreted by resource and scope.
- native: Resource
category: target
native_scope: api-group
caring_mapping: Scope
canon_mappings:
- model/access-control:Resource
- model/landscape:RuntimeResource
- model/data:ProtectedInformationAsset
notes: Resources such as pods, secrets, roles, rolebindings, and serviceaccounts carry different exposure and derived-capability implications.
- native: Scope
category: boundary
native_scope: namespace-or-cluster
caring_mapping: Scope
canon_mappings:
- model/access-control:ResourceScope
- model/landscape:LandscapeScope
- model/governance:GovernanceScope
notes: Kubernetes scope must be declared explicitly as namespace, cluster, API group, resource, and optionally tenant claim with evidence.
mapping_constraints:
- Kubernetes native names are preserved as source semantics.
- CARING canonical roles are assigned only after analyzing lifecycle responsibility posture.
- Namespace tenancy is a reviewable claim, not a default mapping.
- Effective access must include controller-mediated and workload-mediated paths where relevant.
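Review bot: the `canon_mappings` here disagree with the `canon_targets` in the caring-mapping file for the same native concepts. `Role` and `ClusterRole` map to `model/access-control:PermissionSet` here but to `model/access-control:Permission` there; `RoleBinding` and `ClusterRoleBinding` use `model/governance:AssignmentDecision` here and `model/governance:Decision` there; `Resource` points at `model/data:ProtectedInformationAsset` here and `model/security:ExposureTarget` there. Pick one target per concept, or document why the two files intentionally differ, otherwise consumers get two answers depending on which artifact they read. The `Namespace` note also lists access, network, data, and governance evidence and drops runtime, which the benchmark's tenant-boundary criterion includes.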

View File

@@ -1,14 +1,14 @@
{
"details": {
"artifact_count": 49,
"relationship_count": 212
"artifact_count": 54,
"relationship_count": 238
},
"errors": [],
"metrics": {
"coherence_components": 1.0,
"consistency_cycles": 0.0,
"coverage_ratio": 1.0,
"granularity_entropy": 3.6776822595640257,
"granularity_entropy": 3.9972143235892474,
"redundancy_ratio": 0.0
},
"ok": true,

View File

@@ -2,10 +2,15 @@
# By Concept
Concept count: **74**
Concept count: **79**
| Concept | Owner | Source |
| --- | --- | --- |
| CARING Kubernetes RBAC Benchmark | `benchmark/caring/kubernetes-rbac` | `artifact_title` |
| Kubernetes RBAC CARING Access Descriptors | `benchmark/caring/kubernetes-rbac/access-descriptors` | `artifact_title` |
| Kubernetes RBAC To CARING Mapping | `benchmark/caring/kubernetes-rbac/caring-mapping` | `artifact_title` |
| Kubernetes RBAC Benchmark Findings And Canon Pressure | `benchmark/caring/kubernetes-rbac/findings` | `artifact_title` |
| Kubernetes RBAC Native Concept Map | `benchmark/caring/kubernetes-rbac/native-concepts` | `artifact_title` |
| Repo Scoping Canon Benefit Analysis | `comparison/repo-scoping/canon-benefit-analysis` | `artifact_title` |
| Repo Scoping Consumer Workplan Brief | `comparison/repo-scoping/consumer-workplan-brief` | `artifact_title` |
| Repo Scoping Canon Extension Candidates | `comparison/repo-scoping/extension-candidates` | `artifact_title` |

View File

@@ -2,6 +2,13 @@
# By Mapping Target
## `benchmark/caring/kubernetes-rbac`
- `benchmark/caring/kubernetes-rbac/access-descriptors` via `part_of`
- `benchmark/caring/kubernetes-rbac/caring-mapping` via `part_of`
- `benchmark/caring/kubernetes-rbac/findings` via `part_of`
- `benchmark/caring/kubernetes-rbac/native-concepts` via `part_of`
## `comparison/repo-scoping/report`
- `comparison/repo-scoping/canon-benefit-analysis` via `part_of`
@@ -57,6 +64,10 @@
## `model/access-control`
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
- `benchmark/caring/kubernetes-rbac/access-descriptors` via `uses`
- `benchmark/caring/kubernetes-rbac/caring-mapping` via `maps`
- `benchmark/caring/kubernetes-rbac/native-concepts` via `maps`
- `evaluation/user-engine` via `uses`
- `evaluation/user-engine/questions` via `uses`
- `evaluation/user-engine/small-saas-alignment` via `uses`
@@ -80,6 +91,8 @@
## `model/devsecops`
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
- `benchmark/caring/kubernetes-rbac/access-descriptors` via `uses`
- `conformance/railiance-fabric` via `uses`
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
- `conformance/railiance-fabric/mapping-expectations` via `maps`
@@ -90,6 +103,9 @@
## `model/governance`
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
- `benchmark/caring/kubernetes-rbac/caring-mapping` via `maps`
- `benchmark/caring/kubernetes-rbac/findings` via `proposes`
- `comparison/repo-scoping/canon-benefit-analysis` via `maps`
- `comparison/repo-scoping/extension-candidates` via `proposes`
- `comparison/repo-scoping/frame` via `uses`
@@ -121,6 +137,7 @@
## `model/landscape`
- `benchmark/caring/kubernetes-rbac/native-concepts` via `maps`
- `conformance/railiance-fabric` via `uses`
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
- `conformance/railiance-fabric/mapping-expectations` via `maps`
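Review bot: only `native-concepts` is registered under `model/landscape`, but the caring-mapping file's `canon_targets` cite `model/landscape:RuntimeContainment`, `model/landscape:RuntimeResource`, and `model/landscape:LandscapeScope`. The same file also cites `model/devsecops:WorkloadIdentity`, `model/network:SegmentationContext`, and `model/organization:Service`, and it is not listed under `model/devsecops` or `model/network`, nor is there any hunk for `model/organization`. Since this index is generated, the fix belongs in the declared relationships of `benchmark/caring/kubernetes-rbac/caring-mapping` so that every model it maps into appears here.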
@@ -131,6 +148,7 @@
## `model/network`
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
- `conformance/railiance-fabric` via `uses`
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
- `conformance/railiance-fabric/mapping-expectations` via `maps`
@@ -141,6 +159,7 @@
## `model/observability`
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
- `conformance/railiance-fabric` via `uses`
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
- `conformance/railiance-fabric/mapping-expectations` via `maps`
@@ -184,6 +203,10 @@
## `model/security`
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
- `benchmark/caring/kubernetes-rbac/access-descriptors` via `uses`
- `benchmark/caring/kubernetes-rbac/caring-mapping` via `maps`
- `benchmark/caring/kubernetes-rbac/findings` via `proposes`
- `conformance/railiance-fabric` via `uses`
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
- `conformance/railiance-fabric/mapping-expectations` via `maps`
@@ -296,6 +319,11 @@
## `standard/caring`
- `benchmark/caring/kubernetes-rbac` via `conforms_to`
- `benchmark/caring/kubernetes-rbac/access-descriptors` via `uses`
- `benchmark/caring/kubernetes-rbac/caring-mapping` via `maps`
- `benchmark/caring/kubernetes-rbac/findings` via `proposes`
- `benchmark/caring/kubernetes-rbac/native-concepts` via `maps`
- `evaluation/user-engine` via `uses`
- `evaluation/user-engine/interface-card-expectations` via `uses`
- `kernel/itc-kernel-map` via `maps`
@@ -304,6 +332,7 @@
## `standard/tagging`
- `benchmark/caring/kubernetes-rbac` via `uses`
- `comparison/repo-scoping/canon-benefit-analysis` via `maps`
- `conformance/railiance-fabric` via `uses`
- `kernel/itc-kernel-map` via `maps`

View File

@@ -2,54 +2,59 @@
# Import Matrix
| Artifact | `comparison/repo-scoping/canon-benefit-analysis` | `comparison/repo-scoping/consumer-workplan-brief` | `comparison/repo-scoping/extension-candidates` | `comparison/repo-scoping/frame` | `comparison/repo-scoping/report` | `concept-catalog/purpose-demand` | `conformance/railiance-fabric` | `conformance/railiance-fabric/consumer-workplan-brief` | `conformance/railiance-fabric/entity-edge-capture-criteria` | `conformance/railiance-fabric/mapping-expectations` | `conformance/railiance-fabric/visualization-examples` | `evaluation/user-engine` | `evaluation/user-engine/consumer-workplan-brief` | `evaluation/user-engine/interface-card-expectations` | `evaluation/user-engine/questions` | `evaluation/user-engine/small-saas-alignment` | `example/consumer-purpose-portfolio` | `kernel/itc-core` | `kernel/itc-kernel-map` | `mapping/purpose-demand-governance-candidates` | `model/access-control` | `model/data` | `model/devsecops` | `model/governance` | `model/information-space` | `model/landscape` | `model/network` | `model/observability` | `model/organization` | `model/purpose-demand-extension` | `model/security` | `model/task` | `pattern/intent-scope-purposes` | `profile/small-saas` | `small-saas/control/namespace-per-tenant` | `small-saas/dataset/subscription-ledger` | `small-saas/deployment/production` | `small-saas/evidence/access-review-2026-05` | `small-saas/incident/cross-tenant-access-attempt` | `small-saas/policy/tenant-isolation` | `small-saas/service/billing-portal` | `small-saas/system/billing-system` | `small-saas/task/onboard-tenant` | `small-saas/team/platform` | `small-saas/tenant/acme` | `small-saas/tenant/globex` | `small-saas/user/ada-admin` | `standard/caring` | `standard/tagging` |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| `comparison/repo-scoping/canon-benefit-analysis` | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `maps` | `maps` | | | | | `maps` | | `maps` | | | | | | | | | | | | | | | | | `maps` |
| `comparison/repo-scoping/consumer-workplan-brief` | | | | | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | |
| `comparison/repo-scoping/extension-candidates` | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `proposes` | `proposes` | | | | | `proposes` | | `proposes` | | | | | | | | | | | | | | | | | |
| `comparison/repo-scoping/frame` | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `uses` | | `uses` | | | | | | | | | | | | | | | | | |
| `comparison/repo-scoping/report` | | | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | | | | | `compares` | | `uses` | `uses` | | | | | | | | | | | | | | | | |
| `concept-catalog/purpose-demand` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | |
| `conformance/railiance-fabric` | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | `uses` |
| `conformance/railiance-fabric/consumer-workplan-brief` | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | |
| `conformance/railiance-fabric/entity-edge-capture-criteria` | | | | | | | `part_of` | | | | | | | | | | | | | | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | |
| `conformance/railiance-fabric/mapping-expectations` | | | | | | | `part_of` | | | | | | | | | | | | | | | `maps` | `maps` | `maps` | | `maps` | `maps` | `maps` | | `maps` | `maps` | | | | | | | | | | | | | | | | | | |
| `conformance/railiance-fabric/visualization-examples` | | | | | | | `part_of` | | `illustrates` | `illustrates` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `evaluation/user-engine` | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | | `uses` | | | | | `uses` | `uses` | `uses` | `uses` | | `evaluates` | | | | | | | | | | | | | | `uses` | |
| `evaluation/user-engine/consumer-workplan-brief` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | |
| `evaluation/user-engine/interface-card-expectations` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | `uses` | |
| `evaluation/user-engine/questions` | | | | | | | | | | | | `part_of` | | | | | | | | | `uses` | `uses` | | `uses` | | | | | `uses` | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | |
| `evaluation/user-engine/small-saas-alignment` | | | | | | | | | | | | `part_of` | | | | | | | | | `uses` | | | `uses` | | | | | `uses` | | | | | `evaluates` | | | | | | | | | | | | | | | |
| `example/consumer-purpose-portfolio` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `illustrates` | | | `illustrates` | `uses` | | | | | | | | | | | | | | | |
| `kernel/itc-core` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `kernel/itc-kernel-map` | | | | | | | | | | | | | | | | | | `maps` | | | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | | `maps` | `maps` | | | | | | | | | | | | | | | | `maps` | `maps` |
| `mapping/purpose-demand-governance-candidates` | | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | | | | `maps` | | `uses` | | | | | | | | | | | | | | | | | |
| `model/access-control` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | `uses` | | | | | | | | | | | | | | | | | | | | |
| `model/data` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | |
| `model/devsecops` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | |
| `model/governance` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `model/information-space` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `model/landscape` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `model/network` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | |
| `model/observability` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | |
| `model/organization` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `model/purpose-demand-extension` | | | | | | `introduces` | | | | | | | | | | | | `conforms_to` | | | | | | `extends` | `uses` | | | | | | | `uses` | | | | | | | | | | | | | | | | | |
| `model/security` | | | | | | | | | | | | | | | | | | `conforms_to` | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `model/task` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `pattern/intent-scope-purposes` | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `implements` | | `uses` | | | | | | | | | | | | | | | | | |
| `profile/small-saas` | | | | | | | | | | | | | | | | | | `conforms_to` | | | `requires` | `requires` | `requires` | `requires` | | `requires` | `requires` | `requires` | `requires` | | `requires` | `requires` | | | | | | | | | | | | | | | | `requires` | `requires` |
| `small-saas/control/namespace-per-tenant` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | `instantiates` | | | | `evidenced_by` | | | | | | | | | | `uses` | |
| `small-saas/dataset/subscription-ledger` | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | `instantiates` | | | | | | `governed_by` | `owned_by` | | | | `partitioned_for` | `partitioned_for` | | | |
| `small-saas/deployment/production` | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | `uses` | | | | | | | `instantiates` | `implements` | | | | | | `deploys` | | | | `separates` | `separates` | | | |
| `small-saas/evidence/access-review-2026-05` | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `instantiates` | | | | | | | | | | | | | | | |
| `small-saas/incident/cross-tenant-access-attempt` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | `instantiates` | `constrained_by` | | | `evidenced_by` | | | | | | | | | | | |
| `small-saas/policy/tenant-isolation` | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | `instantiates` | `requires` | | | `evidenced_by` | | | | | | | | | | | |
| `small-saas/service/billing-portal` | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `instantiates` | | | | | | | | `part_of` | | `owned_by` | | | | | |
| `small-saas/system/billing-system` | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `instantiates` | | | | | | | | | | | `serves` | `serves` | | | |
| `small-saas/task/onboard-tenant` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | `instantiates` | | | | | | `governed_by` | | | | `owned_by` | `changes` | | | | |
| `small-saas/team/platform` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | | | | | | | | | | | | | | | |
| `small-saas/tenant/acme` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | `isolated_by` | | | | | | | | | | | | `represented_by` | | |
| `small-saas/tenant/globex` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | `isolated_by` | | | | | | | | | | | | | | |
| `small-saas/user/ada-admin` | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `uses` | | | | | `instantiates` | | | | `access_evidenced_by` | | `has_access_under` | | | | `member_of` | | | | | |
| `standard/caring` | | | | | | | | | | | | | | | | | | `conforms_to` | | | `imports` | `imports` | `imports` | `imports` | | | `imports` | `imports` | `imports` | | `imports` | `imports` | | | | | | | | | | | | | | | | | `imports` |
| `standard/tagging` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | `imports` | | | | | | | | | | | | | | | | | |
| Artifact | `benchmark/caring/kubernetes-rbac` | `benchmark/caring/kubernetes-rbac/access-descriptors` | `benchmark/caring/kubernetes-rbac/caring-mapping` | `benchmark/caring/kubernetes-rbac/findings` | `benchmark/caring/kubernetes-rbac/native-concepts` | `comparison/repo-scoping/canon-benefit-analysis` | `comparison/repo-scoping/consumer-workplan-brief` | `comparison/repo-scoping/extension-candidates` | `comparison/repo-scoping/frame` | `comparison/repo-scoping/report` | `concept-catalog/purpose-demand` | `conformance/railiance-fabric` | `conformance/railiance-fabric/consumer-workplan-brief` | `conformance/railiance-fabric/entity-edge-capture-criteria` | `conformance/railiance-fabric/mapping-expectations` | `conformance/railiance-fabric/visualization-examples` | `evaluation/user-engine` | `evaluation/user-engine/consumer-workplan-brief` | `evaluation/user-engine/interface-card-expectations` | `evaluation/user-engine/questions` | `evaluation/user-engine/small-saas-alignment` | `example/consumer-purpose-portfolio` | `kernel/itc-core` | `kernel/itc-kernel-map` | `mapping/purpose-demand-governance-candidates` | `model/access-control` | `model/data` | `model/devsecops` | `model/governance` | `model/information-space` | `model/landscape` | `model/network` | `model/observability` | `model/organization` | `model/purpose-demand-extension` | `model/security` | `model/task` | `pattern/intent-scope-purposes` | `profile/small-saas` | `small-saas/control/namespace-per-tenant` | `small-saas/dataset/subscription-ledger` | `small-saas/deployment/production` | `small-saas/evidence/access-review-2026-05` | `small-saas/incident/cross-tenant-access-attempt` | `small-saas/policy/tenant-isolation` | `small-saas/service/billing-portal` | `small-saas/system/billing-system` | `small-saas/task/onboard-tenant` | `small-saas/team/platform` | `small-saas/tenant/acme` | `small-saas/tenant/globex` | `small-saas/user/ada-admin` | `standard/caring` | `standard/tagging` |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| `benchmark/caring/kubernetes-rbac` | | | | | | | | | | | | | | | | | | | | | | | | | | `stress_tests` | | `stress_tests` | `stress_tests` | | | `stress_tests` | `stress_tests` | | | `stress_tests` | | | | | | | | | | | | | | | | | `conforms_to` | `uses` |
| `benchmark/caring/kubernetes-rbac/access-descriptors` | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | `uses` | | | | | | | | `uses` | | | | | | | | | | | | | | | | | `uses` | |
| `benchmark/caring/kubernetes-rbac/caring-mapping` | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | `maps` | | | | | | | `maps` | | | | | | | | | | | | | | | | | `maps` | |
| `benchmark/caring/kubernetes-rbac/findings` | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | | | | `proposes` | | | | | | | `proposes` | | | | | | | | | | | | | | | | | `proposes` | |
| `benchmark/caring/kubernetes-rbac/native-concepts` | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | | | `maps` | | | | | | | | | | | | | | | | | | | | | | `maps` | |
| `comparison/repo-scoping/canon-benefit-analysis` | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `maps` | `maps` | | | | | `maps` | | `maps` | | | | | | | | | | | | | | | | | `maps` |
| `comparison/repo-scoping/consumer-workplan-brief` | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | |
| `comparison/repo-scoping/extension-candidates` | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `proposes` | `proposes` | | | | | `proposes` | | `proposes` | | | | | | | | | | | | | | | | | |
| `comparison/repo-scoping/frame` | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `uses` | | `uses` | | | | | | | | | | | | | | | | | |
| `comparison/repo-scoping/report` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | | | | | `compares` | | `uses` | `uses` | | | | | | | | | | | | | | | | |
| `concept-catalog/purpose-demand` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | |
| `conformance/railiance-fabric` | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | `uses` |
| `conformance/railiance-fabric/consumer-workplan-brief` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | |
| `conformance/railiance-fabric/entity-edge-capture-criteria` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | |
| `conformance/railiance-fabric/mapping-expectations` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | `maps` | `maps` | `maps` | | `maps` | `maps` | `maps` | | `maps` | `maps` | | | | | | | | | | | | | | | | | | |
| `conformance/railiance-fabric/visualization-examples` | | | | | | | | | | | | `part_of` | | `illustrates` | `illustrates` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `evaluation/user-engine` | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | | `uses` | | | | | `uses` | `uses` | `uses` | `uses` | | `evaluates` | | | | | | | | | | | | | | `uses` | |
| `evaluation/user-engine/consumer-workplan-brief` | | | | | | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | |
| `evaluation/user-engine/interface-card-expectations` | | | | | | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | `uses` | |
| `evaluation/user-engine/questions` | | | | | | | | | | | | | | | | | `part_of` | | | | | | | | | `uses` | `uses` | | `uses` | | | | | `uses` | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | |
| `evaluation/user-engine/small-saas-alignment` | | | | | | | | | | | | | | | | | `part_of` | | | | | | | | | `uses` | | | `uses` | | | | | `uses` | | | | | `evaluates` | | | | | | | | | | | | | | | |
| `example/consumer-purpose-portfolio` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `illustrates` | | | `illustrates` | `uses` | | | | | | | | | | | | | | | |
| `kernel/itc-core` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `kernel/itc-kernel-map` | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | | `maps` | `maps` | | | | | | | | | | | | | | | | `maps` | `maps` |
| `mapping/purpose-demand-governance-candidates` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | | | | `maps` | | `uses` | | | | | | | | | | | | | | | | | |
| `model/access-control` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | `uses` | | | | | | | | | | | | | | | | | | | | |
| `model/data` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | |
| `model/devsecops` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | |
| `model/governance` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `model/information-space` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `model/landscape` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `model/network` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | |
| `model/observability` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | |
| `model/organization` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `model/purpose-demand-extension` | | | | | | | | | | | `introduces` | | | | | | | | | | | | `conforms_to` | | | | | | `extends` | `uses` | | | | | | | `uses` | | | | | | | | | | | | | | | | | |
| `model/security` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `model/task` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `pattern/intent-scope-purposes` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `implements` | | `uses` | | | | | | | | | | | | | | | | | |
| `profile/small-saas` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | `requires` | `requires` | `requires` | `requires` | | `requires` | `requires` | `requires` | `requires` | | `requires` | `requires` | | | | | | | | | | | | | | | | `requires` | `requires` |
| `small-saas/control/namespace-per-tenant` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | `instantiates` | | | | `evidenced_by` | | | | | | | | | | `uses` | |
| `small-saas/dataset/subscription-ledger` | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | `instantiates` | | | | | | `governed_by` | `owned_by` | | | | `partitioned_for` | `partitioned_for` | | | |
| `small-saas/deployment/production` | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | `uses` | | | | | | | `instantiates` | `implements` | | | | | | `deploys` | | | | `separates` | `separates` | | | |
| `small-saas/evidence/access-review-2026-05` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `instantiates` | | | | | | | | | | | | | | | |
| `small-saas/incident/cross-tenant-access-attempt` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | `instantiates` | `constrained_by` | | | `evidenced_by` | | | | | | | | | | | |
| `small-saas/policy/tenant-isolation` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | `instantiates` | `requires` | | | `evidenced_by` | | | | | | | | | | | |
| `small-saas/service/billing-portal` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `instantiates` | | | | | | | | `part_of` | | `owned_by` | | | | | |
| `small-saas/system/billing-system` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `instantiates` | | | | | | | | | | | `serves` | `serves` | | | |
| `small-saas/task/onboard-tenant` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | `instantiates` | | | | | | `governed_by` | | | | `owned_by` | `changes` | | | | |
| `small-saas/team/platform` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | | | | | | | | | | | | | | | |
| `small-saas/tenant/acme` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | `isolated_by` | | | | | | | | | | | | `represented_by` | | |
| `small-saas/tenant/globex` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | `isolated_by` | | | | | | | | | | | | | | |
| `small-saas/user/ada-admin` | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `uses` | | | | | `instantiates` | | | | `access_evidenced_by` | | `has_access_under` | | | | `member_of` | | | | | |
| `standard/caring` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | `imports` | `imports` | `imports` | `imports` | | | `imports` | `imports` | `imports` | | `imports` | `imports` | | | | | | | | | | | | | | | | | `imports` |
| `standard/tagging` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | `imports` | | | | | | | | | | | | | | | | | |

View File

@@ -3,12 +3,16 @@
# Kernel Overview
- Infospace: `canon`
- Artifacts: 49
- Artifacts: 54
## Artifact Kinds
- `access-descriptor-set`: 1
- `benchmark-findings`: 1
- `benchmark-workspace`: 1
- `benefit-analysis`: 1
- `capture-criteria`: 1
- `caring-mapping`: 1
- `comparison-frame`: 1
- `comparison-report`: 1
- `concept-catalog`: 1
@@ -24,6 +28,7 @@
- `mapping-expectation`: 1
- `model`: 11
- `model-extension`: 1
- `native-concept-map`: 1
- `pattern`: 1
- `profile`: 1
- `profile-alignment`: 1
@@ -36,7 +41,7 @@
- `access_evidenced_by`: 1
- `changes`: 1
- `compares`: 1
- `conforms_to`: 16
- `conforms_to`: 17
- `constrained_by`: 1
- `deploys`: 1
- `evaluates`: 2
@@ -50,14 +55,15 @@
- `instantiates`: 13
- `introduces`: 1
- `isolated_by`: 2
- `maps`: 29
- `maps`: 36
- `member_of`: 1
- `owned_by`: 3
- `part_of`: 13
- `part_of`: 17
- `partitioned_for`: 2
- `proposes`: 4
- `proposes`: 7
- `represented_by`: 1
- `requires`: 13
- `separates`: 2
- `serves`: 2
- `uses`: 79
- `stress_tests`: 6
- `uses`: 84

View File

@@ -2,10 +2,15 @@
# Repository Tree
File count: **131**
File count: **142**
- `README.md`
- `agent/README.md`
- `agent/briefs/benchmark-caring-kubernetes-rbac-access-descriptors.md`
- `agent/briefs/benchmark-caring-kubernetes-rbac-caring-mapping.md`
- `agent/briefs/benchmark-caring-kubernetes-rbac-findings.md`
- `agent/briefs/benchmark-caring-kubernetes-rbac-native-concepts.md`
- `agent/briefs/benchmark-caring-kubernetes-rbac.md`
- `agent/briefs/comparison-repo-scoping-canon-benefit-analysis.md`
- `agent/briefs/comparison-repo-scoping-consumer-workplan-brief.md`
- `agent/briefs/comparison-repo-scoping-extension-candidates.md`
@@ -124,6 +129,12 @@ File count: **131**
- `schemas/standard.schema.yaml`
- `schemas/workplan.schema.yaml`
- `standards/caring/InfoTechCanonCaringAccessGovernanceStandard.md`
- `standards/caring/benchmarks/kubernetes-rbac/README.md`
- `standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`
- `standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml`
- `standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml`
- `standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml`
- `standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml`
- `standards/tagging/InfoTechCanonTaggingStandard.md`
- `validation/README.md`
- `validation/latest.json`

View File

@@ -10,8 +10,12 @@ import yaml
GENERATED_NOTICE = "<!-- GENERATED by info_tech_canon; do not edit by hand. -->"
RETRIEVAL_ARTIFACT_KINDS = {
"access-descriptor-set",
"benefit-analysis",
"benchmark-findings",
"benchmark-workspace",
"capture-criteria",
"caring-mapping",
"comparison-frame",
"comparison-report",
"concept-catalog",
@@ -27,6 +31,7 @@ RETRIEVAL_ARTIFACT_KINDS = {
"mapping-expectation",
"model",
"model-extension",
"native-concept-map",
"pattern",
"profile-alignment",
"profile",
@@ -869,10 +874,18 @@ def _safe_id(value: str) -> str:
def _summary_for_artifact(artifact: Any) -> str:
if artifact.kind == "profile-artifact":
return f"Example artifact for the {artifact.provenance.get('profile', 'unknown')} profile: {artifact.title}."
if artifact.kind == "access-descriptor-set":
return f"Structured CARING access descriptor set: {artifact.title}."
if artifact.kind == "benefit-analysis":
return f"Consumer benefit analysis against canon surfaces: {artifact.title}."
if artifact.kind == "benchmark-findings":
return f"Benchmark findings, gaps, and canon pressure: {artifact.title}."
if artifact.kind == "benchmark-workspace":
return f"Benchmark workspace definition and review criteria: {artifact.title}."
if artifact.kind == "capture-criteria":
return f"Criteria for canonical entity and edge capture: {artifact.title}."
if artifact.kind == "caring-mapping":
return f"Native access model to CARING mapping: {artifact.title}."
if artifact.kind == "comparison-frame":
return f"Structured comparison questions and domains: {artifact.title}."
if artifact.kind == "comparison-report":
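Review bot: `_summary_for_artifact` gains four more `if artifact.kind == ...` branches here (and a fifth for `native-concept-map` in the next hunk), and nothing ties the branch list to `RETRIEVAL_ARTIFACT_KINDS`, so a kind can be registered for retrieval without ever getting a summary line. Consider a module-level dict from kind to summary prefix, plus a test asserting that every entry in `RETRIEVAL_ARTIFACT_KINDS` has a key in it.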
@@ -899,6 +912,8 @@ def _summary_for_artifact(artifact: Any) -> str:
return f"Expected mappings between consumer graph capture and canon surfaces: {artifact.title}."
if artifact.kind == "model-extension":
return f"Candidate extension to an existing canon model: {artifact.title}."
if artifact.kind == "native-concept-map":
return f"Native source concept map for assimilation or benchmark work: {artifact.title}."
if artifact.kind == "pattern":
return f"Reusable canon pattern: {artifact.title}."
if artifact.kind == "profile-alignment":

View File

@@ -53,8 +53,12 @@ REQUIRED_SCHEMAS = (
)
RETRIEVAL_BRIEF_KINDS = {
"access-descriptor-set",
"benefit-analysis",
"benchmark-findings",
"benchmark-workspace",
"capture-criteria",
"caring-mapping",
"comparison-frame",
"comparison-report",
"concept-catalog",
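Review bot: `RETRIEVAL_BRIEF_KINDS` receives the same hand-written additions as `RETRIEVAL_ARTIFACT_KINDS` in the generator module, so the two sets have to be kept in step manually and the generator and validator can drift apart on which kinds get briefs. Define the set once and import it on the other side, or add a test asserting the two are equal.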
@@ -69,6 +73,7 @@ RETRIEVAL_BRIEF_KINDS = {
"mapping-expectation",
"model",
"model-extension",
"native-concept-map",
"pattern",
"profile-alignment",
"profile",
@@ -243,6 +248,40 @@ REPO_SCOPING_REQUIRED_EXTENSION_CANDIDATES = {
"extension/scope-md-interface",
}
CARING_K8S_BENCHMARK_ARTIFACT_IDS = {
"benchmark/caring/kubernetes-rbac",
"benchmark/caring/kubernetes-rbac/access-descriptors",
"benchmark/caring/kubernetes-rbac/caring-mapping",
"benchmark/caring/kubernetes-rbac/findings",
"benchmark/caring/kubernetes-rbac/native-concepts",
}
CARING_K8S_REQUIRED_NATIVE_CONCEPTS = {
"Role",
"ClusterRole",
"RoleBinding",
"ClusterRoleBinding",
"ServiceAccount",
"Namespace",
"Verb",
"Resource",
"Scope",
}
CARING_K8S_REQUIRED_CASES = {
"namespace-pod-reader",
"workload-creator-derived-execution",
"cluster-secret-reader",
"namespace-as-tenant-boundary",
}
CARING_K8S_REQUIRED_DESCRIPTOR_CLASSES = {
"declared_access",
"effective_access",
"derived_capability",
"induced_access",
}
def structural_checks(context: Any) -> dict[str, list[dict[str, Any]]]:
errors: list[dict[str, Any]] = []
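Review bot: `CARING_K8S_REQUIRED_NATIVE_CONCEPTS` lists `ServiceAccount` as the only subject kind, but RoleBinding and ClusterRoleBinding subjects in Kubernetes can also be of kind User or Group, so the coverage check passes a native concept map that never models human or group principals. Either add those to the required set or add a comment stating that the benchmark is deliberately limited to workload identities. `Scope` is also not a Kubernetes API kind like its neighbours; a one-line comment saying what it stands for in this set would help.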
@@ -270,6 +309,11 @@ def structural_checks(context: Any) -> dict[str, list[dict[str, Any]]]:
context.infospace.artifacts,
errors,
)
_check_caring_kubernetes_rbac_benchmark_assets(
context.infospace_root,
context.infospace.artifacts,
errors,
)
_check_optional_assets(context.infospace_root, warnings)
return {"errors": errors, "warnings": warnings}
@@ -1167,6 +1211,216 @@ def _check_repo_scoping_comparison_assets(
)
def _check_caring_kubernetes_rbac_benchmark_assets(
infospace_root: Path,
artifacts: list[Any],
errors: list[dict[str, Any]],
) -> None:
artifact_ids = {artifact.id for artifact in artifacts}
for artifact_id in sorted(CARING_K8S_BENCHMARK_ARTIFACT_IDS - artifact_ids):
errors.append(
{
"code": "missing_caring_kubernetes_rbac_benchmark_artifact",
"artifact_id": artifact_id,
}
)
benchmark_root = infospace_root / "standards" / "caring" / "benchmarks" / "kubernetes-rbac"
if not benchmark_root.is_dir():
errors.append(
{
"code": "missing_caring_kubernetes_rbac_benchmark_workspace",
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac",
}
)
return
benchmark = _read_yaml(benchmark_root / "benchmark.yaml", errors)
if isinstance(benchmark, dict):
for field in ("source_corpus", "expected_outputs", "review_criteria"):
items = benchmark.get(field) or []
if not isinstance(items, list) or not items:
errors.append(
{
"code": "missing_caring_kubernetes_benchmark_field",
"field": field,
}
)
cases = benchmark.get("cases") or []
if not isinstance(cases, list):
errors.append(
{
"code": "invalid_caring_kubernetes_benchmark_cases",
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml",
}
)
else:
case_ids = {
str(case.get("id"))
for case in cases
if isinstance(case, dict) and case.get("id")
}
for case_id in sorted(CARING_K8S_REQUIRED_CASES - case_ids):
errors.append(
{
"code": "missing_caring_kubernetes_benchmark_case",
"case": case_id,
}
)
native = _read_yaml(benchmark_root / "native-concepts.yaml", errors)
if isinstance(native, dict):
if native.get("namespace_tenant_boundary_warning") is not True:
errors.append(
{
"code": "missing_caring_kubernetes_namespace_warning",
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml",
}
)
concepts = native.get("concepts") or []
if not isinstance(concepts, list):
errors.append(
{
"code": "invalid_caring_kubernetes_native_concepts",
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml",
}
)
else:
native_names = {
str(concept.get("native"))
for concept in concepts
if isinstance(concept, dict) and concept.get("native")
}
for concept in sorted(CARING_K8S_REQUIRED_NATIVE_CONCEPTS - native_names):
errors.append(
{
"code": "missing_caring_kubernetes_native_concept",
"concept": concept,
}
)
mapping = _read_yaml(benchmark_root / "caring-mapping.yaml", errors)
if isinstance(mapping, dict):
if mapping.get("namespace_tenant_boundary_warning") is not True:
errors.append(
{
"code": "missing_caring_kubernetes_mapping_namespace_warning",
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml",
}
)
mappings = mapping.get("mappings") or []
if not isinstance(mappings, list):
errors.append(
{
"code": "invalid_caring_kubernetes_mappings",
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml",
}
)
else:
mapped_names = {
str(item.get("native_concept"))
for item in mappings
if isinstance(item, dict) and item.get("native_concept")
}
for concept in sorted(CARING_K8S_REQUIRED_NATIVE_CONCEPTS - mapped_names):
errors.append(
{
"code": "missing_caring_kubernetes_mapping",
"concept": concept,
}
)
analysis_rules = mapping.get("analysis_rules") or []
if not isinstance(analysis_rules, list) or not analysis_rules:
errors.append(
{
"code": "missing_caring_kubernetes_analysis_rules",
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml",
}
)
descriptors = _read_yaml(benchmark_root / "access-descriptors.yaml", errors)
if isinstance(descriptors, dict):
descriptor_classes = set(descriptors.get("descriptor_classes") or [])
for descriptor_class in sorted(
CARING_K8S_REQUIRED_DESCRIPTOR_CLASSES - descriptor_classes
):
errors.append(
{
"code": "missing_caring_kubernetes_descriptor_class",
"descriptor_class": descriptor_class,
}
)
descriptor_items = descriptors.get("descriptors") or []
if not isinstance(descriptor_items, list):
errors.append(
{
"code": "invalid_caring_kubernetes_descriptors",
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml",
}
)
else:
used_classes = {
str(item.get("descriptor_class"))
for item in descriptor_items
if isinstance(item, dict) and item.get("descriptor_class")
}
for descriptor_class in sorted(
CARING_K8S_REQUIRED_DESCRIPTOR_CLASSES - used_classes
):
errors.append(
{
"code": "missing_caring_kubernetes_descriptor_example",
"descriptor_class": descriptor_class,
}
)
required_fields = (
"subject",
"scope",
"plane",
"capabilities",
"exposure_mode",
"lifecycle_state",
"native_evidence",
)
for item in descriptor_items:
if not isinstance(item, dict):
continue
for field in required_fields:
if not item.get(field):
errors.append(
{
"code": "incomplete_caring_kubernetes_descriptor",
"descriptor": item.get("id"),
"field": field,
}
)
findings = _read_yaml(benchmark_root / "findings-and-canon-pressure.yaml", errors)
if isinstance(findings, dict):
for field in ("stable_findings", "gaps", "conflicts", "proposed_changes"):
items = findings.get(field) or []
if not isinstance(items, list) or not items:
errors.append(
{
"code": "missing_caring_kubernetes_findings_field",
"field": field,
}
)
stable_findings = findings.get("stable_findings") or []
finding_ids = {
str(finding.get("id"))
for finding in stable_findings
if isinstance(finding, dict) and finding.get("id")
}
if "finding/namespace-not-tenant-boundary" not in finding_ids:
errors.append(
{
"code": "missing_caring_kubernetes_namespace_finding",
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml",
}
)
def _artifact_paths_by_path(
infospace_root: Path,
errors: list[dict[str, Any]],
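Review bot: In the `access-descriptors.yaml` branch, `descriptor_classes = set(descriptors.get("descriptor_classes") or [])` is built without the `isinstance(..., list)` guard that `cases`, `concepts`, `mappings` and `descriptors` all get, so a scalar string is silently split into characters and a list containing mappings raises TypeError and aborts validation instead of appending a structured error. Guard it the same way and emit a dedicated invalid-type error code. Two smaller points: each `if isinstance(x, dict)` block skips every check for that file when the YAML top level is not a mapping and this function records nothing in that case, and the two `namespace_tenant_boundary_warning` checks only test for a literal `true`, so the Namespace-is-not-a-tenant-boundary rule is enforced by a flag and one finding id rather than by the content of any case or descriptor.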

View File

@@ -11,7 +11,7 @@ def test_cli_inspect_emits_json(capsys) -> None:
assert exit_code == 0
payload = json.loads(capsys.readouterr().out)
assert payload["ok"] is True
assert payload["infospace"]["artifact_count"] == 49
assert payload["infospace"]["artifact_count"] == 54
def test_cli_missing_profile_uses_structured_error(capsys) -> None:

View File

@@ -19,10 +19,14 @@ def test_inspect_canon_counts_artifact_kinds() -> None:
assert payload["ok"] is True
assert payload["infospace"]["slug"] == "canon"
assert payload["infospace"]["artifact_count"] == 49
assert payload["infospace"]["artifact_count"] == 54
assert payload["infospace"]["kinds"] == {
"access-descriptor-set": 1,
"benefit-analysis": 1,
"benchmark-findings": 1,
"benchmark-workspace": 1,
"capture-criteria": 1,
"caring-mapping": 1,
"comparison-frame": 1,
"comparison-report": 1,
"concept-catalog": 1,
@@ -38,6 +42,7 @@ def test_inspect_canon_counts_artifact_kinds() -> None:
"mapping-expectation": 1,
"model": 11,
"model-extension": 1,
"native-concept-map": 1,
"pattern": 1,
"profile-alignment": 1,
"profile": 1,
@@ -58,14 +63,14 @@ def test_validate_canon_passes_scaffold() -> None:
assert payload["ok"] is True
assert payload["errors"] == []
assert "warnings" in payload
assert payload["details"]["artifact_count"] == 49
assert payload["details"]["artifact_count"] == 54
def test_graph_exports_relationship_summary() -> None:
payload = artifact_graph()
assert payload["ok"] is True
assert payload["graph"]["node_count"] == 49
assert payload["graph"]["node_count"] == 54
assert payload["graph"]["edge_count"] > 15
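Review bot: The literal `54` is now repeated in four assertions across the two test files (`artifact_count` three times, `node_count` once), so every added artifact means editing each one by hand. A single module-level expected count, or deriving it from the sum of the expected `kinds` dict, would keep these in step. The `edge_count > 15` bound is also loose compared with the relationship totals in the generated kernel overview and would not catch a dropped relationship type such as `stress_tests`.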
@@ -115,6 +120,9 @@ def test_generators_write_expected_assets(tmp_path) -> None:
assert (
root / "agent" / "briefs" / "comparison-repo-scoping-report.md"
).is_file()
assert (
root / "agent" / "briefs" / "benchmark-caring-kubernetes-rbac.md"
).is_file()
assert (root / "agent" / "briefs" / "pattern-intent-scope-purposes.md").is_file()
assert (
root / "agent" / "templates" / "canon-interface-card.template.yaml"

View File

@@ -4,7 +4,7 @@ type: workplan
title: "CARING Kubernetes RBAC Benchmark"
domain: canon
repo: info-tech-canon
status: proposed
status: finished
priority: medium
created: "2026-05-23"
updated: "2026-05-23"
@@ -33,7 +33,7 @@ Governance, Security, Network, DevSecOps, Observability, Task, and Tagging.
```task
id: ITC-WP-0010-T01
status: todo
status: done
priority: high
state_hub_task_id: "9ad31e13-7dc2-469c-b539-d3375a16c5f4"
```
@@ -45,7 +45,7 @@ state_hub_task_id: "9ad31e13-7dc2-469c-b539-d3375a16c5f4"
```task
id: ITC-WP-0010-T02
status: todo
status: done
priority: high
state_hub_task_id: "180d7ccf-7daa-4f4c-a92a-641ef5d7b442"
```
@@ -58,7 +58,7 @@ state_hub_task_id: "180d7ccf-7daa-4f4c-a92a-641ef5d7b442"
```task
id: ITC-WP-0010-T03
status: todo
status: done
priority: high
state_hub_task_id: "4ffd6643-a7ab-487c-a09a-0fcaf0115c83"
```
@@ -71,7 +71,7 @@ state_hub_task_id: "4ffd6643-a7ab-487c-a09a-0fcaf0115c83"
```task
id: ITC-WP-0010-T04
status: todo
status: done
priority: medium
state_hub_task_id: "52632a4c-6e03-4212-ad6b-0cbb7b3a6e42"
```
@@ -84,3 +84,16 @@ state_hub_task_id: "52632a4c-6e03-4212-ad6b-0cbb7b3a6e42"
- Kubernetes RBAC is analyzed as a benchmark, not as a shortcut profile.
- CARING descriptor shape is tested with practical examples.
- Benchmark findings produce explicit canon change proposals.
## Implementation Notes
- Created `infospace/standards/caring/benchmarks/kubernetes-rbac/` as a
distinct benchmark workspace.
- Added benchmark workspace, native concept map, CARING mapping, descriptor
set, and findings/canon-pressure artifacts.
- Registered all benchmark artifacts in the artifact index and retrieval
generation flow.
- Added structural validation for the benchmark corpus, Kubernetes RBAC native
concept coverage, namespace tenant-boundary warning, CARING descriptor
classes, and findings/proposals.
- Regenerated agent briefs, indexes, tree views, and validation output.

View File

@@ -136,7 +136,7 @@ workplans:
- id: ITC-WP-0010
title: CARING Kubernetes RBAC Benchmark
status: proposed
status: finished
priority: medium
path: workplans/ITC-WP-0010-caring-kubernetes-rbac-benchmark.md
depends_on: