generated from coulomb/repo-seed
Add CARING Kubernetes RBAC benchmark
@@ -0,0 +1,33 @@
|
||||
---
|
||||
id: agent-brief/benchmark-caring-kubernetes-rbac-access-descriptors
|
||||
artifact_id: benchmark/caring/kubernetes-rbac/access-descriptors
|
||||
source_path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
|
||||
source_kind: access-descriptor-set
|
||||
generated: true
|
||||
---
|
||||
|
||||
<!-- GENERATED by info_tech_canon; do not edit by hand. -->
|
||||
|
||||
# Agent Brief: Kubernetes RBAC CARING Access Descriptors
|
||||
|
||||
- Artifact ID: `benchmark/caring/kubernetes-rbac/access-descriptors`
|
||||
- Kind: `access-descriptor-set`
|
||||
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`
|
||||
- Full source: `standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`
|
||||
- Summary: Structured CARING access descriptor set: Kubernetes RBAC CARING Access Descriptors.
|
||||
|
||||
## Retrieval Hints
|
||||
|
||||
Imports and anchors:
|
||||
- `model/access-control`
|
||||
- `model/devsecops`
|
||||
- `model/security`
|
||||
- `standard/caring`
|
||||
|
||||
## Owned Concepts
|
||||
|
||||
- `Kubernetes RBAC CARING Access Descriptors`
|
||||
|
||||
## Related Distinctions
|
||||
|
||||
No common distinction is anchored directly on this artifact.
|
||||
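Review bot: the front matter `source_path` here is `standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`, identical to the canonical path, while the retrieval index entries added in this same commit give `source_path` for the same artifact as `infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`. One key name carrying two different path bases invites resolution errors in consumers; either emit the `infospace/`-prefixed path in the brief or rename the front-matter key. The `Canonical path` and `Full source` bullets are also identical, so one of them can be dropped or pointed at the actual source location.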
@@ -0,0 +1,29 @@
|
||||
---
|
||||
id: agent-brief/benchmark-caring-kubernetes-rbac-caring-mapping
|
||||
artifact_id: benchmark/caring/kubernetes-rbac/caring-mapping
|
||||
source_path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
|
||||
source_kind: caring-mapping
|
||||
generated: true
|
||||
---
|
||||
|
||||
<!-- GENERATED by info_tech_canon; do not edit by hand. -->
|
||||
|
||||
# Agent Brief: Kubernetes RBAC To CARING Mapping
|
||||
|
||||
- Artifact ID: `benchmark/caring/kubernetes-rbac/caring-mapping`
|
||||
- Kind: `caring-mapping`
|
||||
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml`
|
||||
- Full source: `standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml`
|
||||
- Summary: Native access model to CARING mapping: Kubernetes RBAC To CARING Mapping.
|
||||
|
||||
## Retrieval Hints
|
||||
|
||||
No imports or anchors recorded.
|
||||
|
||||
## Owned Concepts
|
||||
|
||||
- `Kubernetes RBAC To CARING Mapping`
|
||||
|
||||
## Related Distinctions
|
||||
|
||||
No common distinction is anchored directly on this artifact.
|
||||
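Review bot: `## Retrieval Hints` reports "No imports or anchors recorded." for the mapping, yet the index and manifest entries in this commit give it `maps` relationships to `standard/caring`, `model/access-control`, `model/governance` and `model/security`. The access-descriptors brief lists anchors that match its `uses` targets, so the generator appears to skip `maps` (and `proposes`) edges, and an agent retrieving by `standard/caring` would miss this artifact. Consider deriving anchors from those relationship types as well, in the generator rather than in this file, since it is marked generated.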
@@ -0,0 +1,29 @@
|
||||
---
|
||||
id: agent-brief/benchmark-caring-kubernetes-rbac-findings
|
||||
artifact_id: benchmark/caring/kubernetes-rbac/findings
|
||||
source_path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
|
||||
source_kind: benchmark-findings
|
||||
generated: true
|
||||
---
|
||||
|
||||
<!-- GENERATED by info_tech_canon; do not edit by hand. -->
|
||||
|
||||
# Agent Brief: Kubernetes RBAC Benchmark Findings And Canon Pressure
|
||||
|
||||
- Artifact ID: `benchmark/caring/kubernetes-rbac/findings`
|
||||
- Kind: `benchmark-findings`
|
||||
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml`
|
||||
- Full source: `standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml`
|
||||
- Summary: Benchmark findings, gaps, and canon pressure: Kubernetes RBAC Benchmark Findings And Canon Pressure.
|
||||
|
||||
## Retrieval Hints
|
||||
|
||||
No imports or anchors recorded.
|
||||
|
||||
## Owned Concepts
|
||||
|
||||
- `Kubernetes RBAC Benchmark Findings And Canon Pressure`
|
||||
|
||||
## Related Distinctions
|
||||
|
||||
No common distinction is anchored directly on this artifact.
|
||||
@@ -0,0 +1,29 @@
|
||||
---
|
||||
id: agent-brief/benchmark-caring-kubernetes-rbac-native-concepts
|
||||
artifact_id: benchmark/caring/kubernetes-rbac/native-concepts
|
||||
source_path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
|
||||
source_kind: native-concept-map
|
||||
generated: true
|
||||
---
|
||||
|
||||
<!-- GENERATED by info_tech_canon; do not edit by hand. -->
|
||||
|
||||
# Agent Brief: Kubernetes RBAC Native Concept Map
|
||||
|
||||
- Artifact ID: `benchmark/caring/kubernetes-rbac/native-concepts`
|
||||
- Kind: `native-concept-map`
|
||||
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml`
|
||||
- Full source: `standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml`
|
||||
- Summary: Native source concept map for assimilation or benchmark work: Kubernetes RBAC Native Concept Map.
|
||||
|
||||
## Retrieval Hints
|
||||
|
||||
No imports or anchors recorded.
|
||||
|
||||
## Owned Concepts
|
||||
|
||||
- `Kubernetes RBAC Native Concept Map`
|
||||
|
||||
## Related Distinctions
|
||||
|
||||
No common distinction is anchored directly on this artifact.
|
||||
31
infospace/agent/briefs/benchmark-caring-kubernetes-rbac.md
Normal file
@@ -0,0 +1,31 @@
|
||||
---
|
||||
id: agent-brief/benchmark-caring-kubernetes-rbac
|
||||
artifact_id: benchmark/caring/kubernetes-rbac
|
||||
source_path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
|
||||
source_kind: benchmark-workspace
|
||||
generated: true
|
||||
---
|
||||
|
||||
<!-- GENERATED by info_tech_canon; do not edit by hand. -->
|
||||
|
||||
# Agent Brief: CARING Kubernetes RBAC Benchmark
|
||||
|
||||
- Artifact ID: `benchmark/caring/kubernetes-rbac`
|
||||
- Kind: `benchmark-workspace`
|
||||
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml`
|
||||
- Full source: `standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml`
|
||||
- Summary: Benchmark workspace definition and review criteria: CARING Kubernetes RBAC Benchmark.
|
||||
|
||||
## Retrieval Hints
|
||||
|
||||
Imports and anchors:
|
||||
- `standard/caring`
|
||||
- `standard/tagging`
|
||||
|
||||
## Owned Concepts
|
||||
|
||||
- `CARING Kubernetes RBAC Benchmark`
|
||||
|
||||
## Related Distinctions
|
||||
|
||||
No common distinction is anchored directly on this artifact.
|
||||
@@ -5,8 +5,8 @@
|
||||
This brief summarizes the current canon service surface for agents.
|
||||
|
||||
- Infospace slug: `canon`
|
||||
- Artifact count: 49
|
||||
- Retrieval index items: 49
|
||||
- Artifact count: 54
|
||||
- Retrieval index items: 54
|
||||
- Primary confidence command: `make validate`
|
||||
- Refresh generated indexes and views with: `make index`
|
||||
- Refresh agent briefs and interface templates with: `make agent-briefs`
|
||||
|
||||
@@ -43,8 +43,195 @@
|
||||
}
|
||||
],
|
||||
"infospace": "canon",
|
||||
"item_count": 49,
|
||||
"item_count": 54,
|
||||
"items": [
|
||||
{
|
||||
"canonical_path": "standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml",
|
||||
"id": "benchmark/caring/kubernetes-rbac",
|
||||
"imports": [
|
||||
"standard/caring",
|
||||
"standard/tagging"
|
||||
],
|
||||
"kind": "benchmark-workspace",
|
||||
"owned_concepts": [
|
||||
"CARING Kubernetes RBAC Benchmark"
|
||||
],
|
||||
"relationships": [
|
||||
{
|
||||
"target": "standard/caring",
|
||||
"type": "conforms_to"
|
||||
},
|
||||
{
|
||||
"target": "model/access-control",
|
||||
"type": "stress_tests"
|
||||
},
|
||||
{
|
||||
"target": "model/governance",
|
||||
"type": "stress_tests"
|
||||
},
|
||||
{
|
||||
"target": "model/security",
|
||||
"type": "stress_tests"
|
||||
},
|
||||
{
|
||||
"target": "model/devsecops",
|
||||
"type": "stress_tests"
|
||||
},
|
||||
{
|
||||
"target": "model/network",
|
||||
"type": "stress_tests"
|
||||
},
|
||||
{
|
||||
"target": "model/observability",
|
||||
"type": "stress_tests"
|
||||
},
|
||||
{
|
||||
"target": "standard/tagging",
|
||||
"type": "uses"
|
||||
}
|
||||
],
|
||||
"source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml",
|
||||
"summary": "Benchmark workspace definition and review criteria: CARING Kubernetes RBAC Benchmark.",
|
||||
"title": "CARING Kubernetes RBAC Benchmark",
|
||||
"warnings": []
|
||||
},
|
||||
{
|
||||
"canonical_path": "standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml",
|
||||
"id": "benchmark/caring/kubernetes-rbac/access-descriptors",
|
||||
"imports": [
|
||||
"model/access-control",
|
||||
"model/devsecops",
|
||||
"model/security",
|
||||
"standard/caring"
|
||||
],
|
||||
"kind": "access-descriptor-set",
|
||||
"owned_concepts": [
|
||||
"Kubernetes RBAC CARING Access Descriptors"
|
||||
],
|
||||
"relationships": [
|
||||
{
|
||||
"target": "benchmark/caring/kubernetes-rbac",
|
||||
"type": "part_of"
|
||||
},
|
||||
{
|
||||
"target": "standard/caring",
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"target": "model/access-control",
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"target": "model/security",
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"target": "model/devsecops",
|
||||
"type": "uses"
|
||||
}
|
||||
],
|
||||
"source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml",
|
||||
"summary": "Structured CARING access descriptor set: Kubernetes RBAC CARING Access Descriptors.",
|
||||
"title": "Kubernetes RBAC CARING Access Descriptors",
|
||||
"warnings": []
|
||||
},
|
||||
{
|
||||
"canonical_path": "standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml",
|
||||
"id": "benchmark/caring/kubernetes-rbac/caring-mapping",
|
||||
"imports": [],
|
||||
"kind": "caring-mapping",
|
||||
"owned_concepts": [
|
||||
"Kubernetes RBAC To CARING Mapping"
|
||||
],
|
||||
"relationships": [
|
||||
{
|
||||
"target": "benchmark/caring/kubernetes-rbac",
|
||||
"type": "part_of"
|
||||
},
|
||||
{
|
||||
"target": "standard/caring",
|
||||
"type": "maps"
|
||||
},
|
||||
{
|
||||
"target": "model/access-control",
|
||||
"type": "maps"
|
||||
},
|
||||
{
|
||||
"target": "model/governance",
|
||||
"type": "maps"
|
||||
},
|
||||
{
|
||||
"target": "model/security",
|
||||
"type": "maps"
|
||||
}
|
||||
],
|
||||
"source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml",
|
||||
"summary": "Native access model to CARING mapping: Kubernetes RBAC To CARING Mapping.",
|
||||
"title": "Kubernetes RBAC To CARING Mapping",
|
||||
"warnings": []
|
||||
},
|
||||
{
|
||||
"canonical_path": "standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml",
|
||||
"id": "benchmark/caring/kubernetes-rbac/findings",
|
||||
"imports": [],
|
||||
"kind": "benchmark-findings",
|
||||
"owned_concepts": [
|
||||
"Kubernetes RBAC Benchmark Findings And Canon Pressure"
|
||||
],
|
||||
"relationships": [
|
||||
{
|
||||
"target": "benchmark/caring/kubernetes-rbac",
|
||||
"type": "part_of"
|
||||
},
|
||||
{
|
||||
"target": "standard/caring",
|
||||
"type": "proposes"
|
||||
},
|
||||
{
|
||||
"target": "model/governance",
|
||||
"type": "proposes"
|
||||
},
|
||||
{
|
||||
"target": "model/security",
|
||||
"type": "proposes"
|
||||
}
|
||||
],
|
||||
"source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml",
|
||||
"summary": "Benchmark findings, gaps, and canon pressure: Kubernetes RBAC Benchmark Findings And Canon Pressure.",
|
||||
"title": "Kubernetes RBAC Benchmark Findings And Canon Pressure",
|
||||
"warnings": []
|
||||
},
|
||||
{
|
||||
"canonical_path": "standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml",
|
||||
"id": "benchmark/caring/kubernetes-rbac/native-concepts",
|
||||
"imports": [],
|
||||
"kind": "native-concept-map",
|
||||
"owned_concepts": [
|
||||
"Kubernetes RBAC Native Concept Map"
|
||||
],
|
||||
"relationships": [
|
||||
{
|
||||
"target": "benchmark/caring/kubernetes-rbac",
|
||||
"type": "part_of"
|
||||
},
|
||||
{
|
||||
"target": "standard/caring",
|
||||
"type": "maps"
|
||||
},
|
||||
{
|
||||
"target": "model/access-control",
|
||||
"type": "maps"
|
||||
},
|
||||
{
|
||||
"target": "model/landscape",
|
||||
"type": "maps"
|
||||
}
|
||||
],
|
||||
"source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml",
|
||||
"summary": "Native source concept map for assimilation or benchmark work: Kubernetes RBAC Native Concept Map.",
|
||||
"title": "Kubernetes RBAC Native Concept Map",
|
||||
"warnings": []
|
||||
},
|
||||
{
|
||||
"canonical_path": "evaluations/repo-scoping/canon-benefit-analysis.yaml",
|
||||
"id": "comparison/repo-scoping/canon-benefit-analysis",
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
|
||||
Schema: `info-tech-canon.retrieval-index.v1`
|
||||
Infospace: `canon`
|
||||
Items: **49**
|
||||
Items: **54**
|
||||
|
||||
## Common Distinctions
|
||||
|
||||
@@ -15,6 +15,56 @@ Items: **49**
|
||||
|
||||
## Items
|
||||
|
||||
### CARING Kubernetes RBAC Benchmark
|
||||
|
||||
- ID: `benchmark/caring/kubernetes-rbac`
|
||||
- Kind: `benchmark-workspace`
|
||||
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml`
|
||||
- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml`
|
||||
- Summary: Benchmark workspace definition and review criteria: CARING Kubernetes RBAC Benchmark.
|
||||
- Imports and anchors: `standard/caring`, `standard/tagging`
|
||||
- Owned concepts: `CARING Kubernetes RBAC Benchmark`
|
||||
|
||||
### Kubernetes RBAC CARING Access Descriptors
|
||||
|
||||
- ID: `benchmark/caring/kubernetes-rbac/access-descriptors`
|
||||
- Kind: `access-descriptor-set`
|
||||
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`
|
||||
- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`
|
||||
- Summary: Structured CARING access descriptor set: Kubernetes RBAC CARING Access Descriptors.
|
||||
- Imports and anchors: `model/access-control`, `model/devsecops`, `model/security`, `standard/caring`
|
||||
- Owned concepts: `Kubernetes RBAC CARING Access Descriptors`
|
||||
|
||||
### Kubernetes RBAC To CARING Mapping
|
||||
|
||||
- ID: `benchmark/caring/kubernetes-rbac/caring-mapping`
|
||||
- Kind: `caring-mapping`
|
||||
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml`
|
||||
- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml`
|
||||
- Summary: Native access model to CARING mapping: Kubernetes RBAC To CARING Mapping.
|
||||
- Imports and anchors: none
|
||||
- Owned concepts: `Kubernetes RBAC To CARING Mapping`
|
||||
|
||||
### Kubernetes RBAC Benchmark Findings And Canon Pressure
|
||||
|
||||
- ID: `benchmark/caring/kubernetes-rbac/findings`
|
||||
- Kind: `benchmark-findings`
|
||||
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml`
|
||||
- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml`
|
||||
- Summary: Benchmark findings, gaps, and canon pressure: Kubernetes RBAC Benchmark Findings And Canon Pressure.
|
||||
- Imports and anchors: none
|
||||
- Owned concepts: `Kubernetes RBAC Benchmark Findings And Canon Pressure`
|
||||
|
||||
### Kubernetes RBAC Native Concept Map
|
||||
|
||||
- ID: `benchmark/caring/kubernetes-rbac/native-concepts`
|
||||
- Kind: `native-concept-map`
|
||||
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml`
|
||||
- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml`
|
||||
- Summary: Native source concept map for assimilation or benchmark work: Kubernetes RBAC Native Concept Map.
|
||||
- Imports and anchors: none
|
||||
- Owned concepts: `Kubernetes RBAC Native Concept Map`
|
||||
|
||||
### Repo Scoping Canon Benefit Analysis
|
||||
|
||||
- ID: `comparison/repo-scoping/canon-benefit-analysis`
|
||||
|
||||
@@ -1,7 +1,124 @@
|
||||
schema: info-tech-canon.retrieval-index.v1
|
||||
infospace: canon
|
||||
item_count: 49
|
||||
item_count: 54
|
||||
items:
|
||||
- id: benchmark/caring/kubernetes-rbac
|
||||
kind: benchmark-workspace
|
||||
title: CARING Kubernetes RBAC Benchmark
|
||||
canonical_path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
|
||||
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
|
||||
summary: 'Benchmark workspace definition and review criteria: CARING Kubernetes
|
||||
RBAC Benchmark.'
|
||||
owned_concepts:
|
||||
- CARING Kubernetes RBAC Benchmark
|
||||
imports:
|
||||
- standard/caring
|
||||
- standard/tagging
|
||||
relationships:
|
||||
- type: conforms_to
|
||||
target: standard/caring
|
||||
- type: stress_tests
|
||||
target: model/access-control
|
||||
- type: stress_tests
|
||||
target: model/governance
|
||||
- type: stress_tests
|
||||
target: model/security
|
||||
- type: stress_tests
|
||||
target: model/devsecops
|
||||
- type: stress_tests
|
||||
target: model/network
|
||||
- type: stress_tests
|
||||
target: model/observability
|
||||
- type: uses
|
||||
target: standard/tagging
|
||||
warnings: []
|
||||
- id: benchmark/caring/kubernetes-rbac/access-descriptors
|
||||
kind: access-descriptor-set
|
||||
title: Kubernetes RBAC CARING Access Descriptors
|
||||
canonical_path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
|
||||
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
|
||||
summary: 'Structured CARING access descriptor set: Kubernetes RBAC CARING Access
|
||||
Descriptors.'
|
||||
owned_concepts:
|
||||
- Kubernetes RBAC CARING Access Descriptors
|
||||
imports:
|
||||
- model/access-control
|
||||
- model/devsecops
|
||||
- model/security
|
||||
- standard/caring
|
||||
relationships:
|
||||
- type: part_of
|
||||
target: benchmark/caring/kubernetes-rbac
|
||||
- type: uses
|
||||
target: standard/caring
|
||||
- type: uses
|
||||
target: model/access-control
|
||||
- type: uses
|
||||
target: model/security
|
||||
- type: uses
|
||||
target: model/devsecops
|
||||
warnings: []
|
||||
- id: benchmark/caring/kubernetes-rbac/caring-mapping
|
||||
kind: caring-mapping
|
||||
title: Kubernetes RBAC To CARING Mapping
|
||||
canonical_path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
|
||||
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
|
||||
summary: 'Native access model to CARING mapping: Kubernetes RBAC To CARING Mapping.'
|
||||
owned_concepts:
|
||||
- Kubernetes RBAC To CARING Mapping
|
||||
imports: []
|
||||
relationships:
|
||||
- type: part_of
|
||||
target: benchmark/caring/kubernetes-rbac
|
||||
- type: maps
|
||||
target: standard/caring
|
||||
- type: maps
|
||||
target: model/access-control
|
||||
- type: maps
|
||||
target: model/governance
|
||||
- type: maps
|
||||
target: model/security
|
||||
warnings: []
|
||||
- id: benchmark/caring/kubernetes-rbac/findings
|
||||
kind: benchmark-findings
|
||||
title: Kubernetes RBAC Benchmark Findings And Canon Pressure
|
||||
canonical_path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
|
||||
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
|
||||
summary: 'Benchmark findings, gaps, and canon pressure: Kubernetes RBAC Benchmark
|
||||
Findings And Canon Pressure.'
|
||||
owned_concepts:
|
||||
- Kubernetes RBAC Benchmark Findings And Canon Pressure
|
||||
imports: []
|
||||
relationships:
|
||||
- type: part_of
|
||||
target: benchmark/caring/kubernetes-rbac
|
||||
- type: proposes
|
||||
target: standard/caring
|
||||
- type: proposes
|
||||
target: model/governance
|
||||
- type: proposes
|
||||
target: model/security
|
||||
warnings: []
|
||||
- id: benchmark/caring/kubernetes-rbac/native-concepts
|
||||
kind: native-concept-map
|
||||
title: Kubernetes RBAC Native Concept Map
|
||||
canonical_path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
|
||||
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
|
||||
summary: 'Native source concept map for assimilation or benchmark work: Kubernetes
|
||||
RBAC Native Concept Map.'
|
||||
owned_concepts:
|
||||
- Kubernetes RBAC Native Concept Map
|
||||
imports: []
|
||||
relationships:
|
||||
- type: part_of
|
||||
target: benchmark/caring/kubernetes-rbac
|
||||
- type: maps
|
||||
target: standard/caring
|
||||
- type: maps
|
||||
target: model/access-control
|
||||
- type: maps
|
||||
target: model/landscape
|
||||
warnings: []
|
||||
- id: comparison/repo-scoping/canon-benefit-analysis
|
||||
kind: benefit-analysis
|
||||
title: Repo Scoping Canon Benefit Analysis
|
||||
|
||||
@@ -242,6 +242,98 @@ artifacts:
|
||||
target: model/task
|
||||
- type: imports
|
||||
target: standard/tagging
|
||||
- id: benchmark/caring/kubernetes-rbac
|
||||
path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
|
||||
kind: benchmark-workspace
|
||||
title: CARING Kubernetes RBAC Benchmark
|
||||
provenance:
|
||||
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
|
||||
placement_workplan: ITC-WP-0010
|
||||
relationships:
|
||||
- type: conforms_to
|
||||
target: standard/caring
|
||||
- type: stress_tests
|
||||
target: model/access-control
|
||||
- type: stress_tests
|
||||
target: model/governance
|
||||
- type: stress_tests
|
||||
target: model/security
|
||||
- type: stress_tests
|
||||
target: model/devsecops
|
||||
- type: stress_tests
|
||||
target: model/network
|
||||
- type: stress_tests
|
||||
target: model/observability
|
||||
- type: uses
|
||||
target: standard/tagging
|
||||
- id: benchmark/caring/kubernetes-rbac/native-concepts
|
||||
path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
|
||||
kind: native-concept-map
|
||||
title: Kubernetes RBAC Native Concept Map
|
||||
provenance:
|
||||
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
|
||||
placement_workplan: ITC-WP-0010
|
||||
relationships:
|
||||
- type: part_of
|
||||
target: benchmark/caring/kubernetes-rbac
|
||||
- type: maps
|
||||
target: standard/caring
|
||||
- type: maps
|
||||
target: model/access-control
|
||||
- type: maps
|
||||
target: model/landscape
|
||||
- id: benchmark/caring/kubernetes-rbac/caring-mapping
|
||||
path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
|
||||
kind: caring-mapping
|
||||
title: Kubernetes RBAC To CARING Mapping
|
||||
provenance:
|
||||
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
|
||||
placement_workplan: ITC-WP-0010
|
||||
relationships:
|
||||
- type: part_of
|
||||
target: benchmark/caring/kubernetes-rbac
|
||||
- type: maps
|
||||
target: standard/caring
|
||||
- type: maps
|
||||
target: model/access-control
|
||||
- type: maps
|
||||
target: model/governance
|
||||
- type: maps
|
||||
target: model/security
|
||||
- id: benchmark/caring/kubernetes-rbac/access-descriptors
|
||||
path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
|
||||
kind: access-descriptor-set
|
||||
title: Kubernetes RBAC CARING Access Descriptors
|
||||
provenance:
|
||||
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
|
||||
placement_workplan: ITC-WP-0010
|
||||
relationships:
|
||||
- type: part_of
|
||||
target: benchmark/caring/kubernetes-rbac
|
||||
- type: uses
|
||||
target: standard/caring
|
||||
- type: uses
|
||||
target: model/access-control
|
||||
- type: uses
|
||||
target: model/security
|
||||
- type: uses
|
||||
target: model/devsecops
|
||||
- id: benchmark/caring/kubernetes-rbac/findings
|
||||
path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
|
||||
kind: benchmark-findings
|
||||
title: Kubernetes RBAC Benchmark Findings And Canon Pressure
|
||||
provenance:
|
||||
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
|
||||
placement_workplan: ITC-WP-0010
|
||||
relationships:
|
||||
- type: part_of
|
||||
target: benchmark/caring/kubernetes-rbac
|
||||
- type: proposes
|
||||
target: standard/caring
|
||||
- type: proposes
|
||||
target: model/governance
|
||||
- type: proposes
|
||||
target: model/security
|
||||
- id: profile/small-saas
|
||||
path: profiles/small-saas/profile.yaml
|
||||
kind: profile
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
root: infospace
|
||||
file_count: 131
|
||||
file_count: 142
|
||||
files:
|
||||
- path: README.md
|
||||
directory: .
|
||||
@@ -7,6 +7,21 @@ files:
|
||||
- path: agent/README.md
|
||||
directory: agent
|
||||
name: README.md
|
||||
- path: agent/briefs/benchmark-caring-kubernetes-rbac-access-descriptors.md
|
||||
directory: agent/briefs
|
||||
name: benchmark-caring-kubernetes-rbac-access-descriptors.md
|
||||
- path: agent/briefs/benchmark-caring-kubernetes-rbac-caring-mapping.md
|
||||
directory: agent/briefs
|
||||
name: benchmark-caring-kubernetes-rbac-caring-mapping.md
|
||||
- path: agent/briefs/benchmark-caring-kubernetes-rbac-findings.md
|
||||
directory: agent/briefs
|
||||
name: benchmark-caring-kubernetes-rbac-findings.md
|
||||
- path: agent/briefs/benchmark-caring-kubernetes-rbac-native-concepts.md
|
||||
directory: agent/briefs
|
||||
name: benchmark-caring-kubernetes-rbac-native-concepts.md
|
||||
- path: agent/briefs/benchmark-caring-kubernetes-rbac.md
|
||||
directory: agent/briefs
|
||||
name: benchmark-caring-kubernetes-rbac.md
|
||||
- path: agent/briefs/comparison-repo-scoping-canon-benefit-analysis.md
|
||||
directory: agent/briefs
|
||||
name: comparison-repo-scoping-canon-benefit-analysis.md
|
||||
@@ -361,6 +376,24 @@ files:
|
||||
- path: standards/caring/InfoTechCanonCaringAccessGovernanceStandard.md
|
||||
directory: standards/caring
|
||||
name: InfoTechCanonCaringAccessGovernanceStandard.md
|
||||
- path: standards/caring/benchmarks/kubernetes-rbac/README.md
|
||||
directory: standards/caring/benchmarks/kubernetes-rbac
|
||||
name: README.md
|
||||
- path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
|
||||
directory: standards/caring/benchmarks/kubernetes-rbac
|
||||
name: access-descriptors.yaml
|
||||
- path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
|
||||
directory: standards/caring/benchmarks/kubernetes-rbac
|
||||
name: benchmark.yaml
|
||||
- path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
|
||||
directory: standards/caring/benchmarks/kubernetes-rbac
|
||||
name: caring-mapping.yaml
|
||||
- path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
|
||||
directory: standards/caring/benchmarks/kubernetes-rbac
|
||||
name: findings-and-canon-pressure.yaml
|
||||
- path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
|
||||
directory: standards/caring/benchmarks/kubernetes-rbac
|
||||
name: native-concepts.yaml
|
||||
- path: standards/tagging/InfoTechCanonTaggingStandard.md
|
||||
directory: standards/tagging
|
||||
name: InfoTechCanonTaggingStandard.md
|
||||
|
||||
@@ -1,5 +1,25 @@
|
||||
concept_count: 74
|
||||
concept_count: 79
|
||||
concepts:
|
||||
- concept: CARING Kubernetes RBAC Benchmark
|
||||
owner: benchmark/caring/kubernetes-rbac
|
||||
path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
|
||||
source: artifact_title
|
||||
- concept: Kubernetes RBAC CARING Access Descriptors
|
||||
owner: benchmark/caring/kubernetes-rbac/access-descriptors
|
||||
path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
|
||||
source: artifact_title
|
||||
- concept: Kubernetes RBAC To CARING Mapping
|
||||
owner: benchmark/caring/kubernetes-rbac/caring-mapping
|
||||
path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
|
||||
source: artifact_title
|
||||
- concept: Kubernetes RBAC Benchmark Findings And Canon Pressure
|
||||
owner: benchmark/caring/kubernetes-rbac/findings
|
||||
path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
|
||||
source: artifact_title
|
||||
- concept: Kubernetes RBAC Native Concept Map
|
||||
owner: benchmark/caring/kubernetes-rbac/native-concepts
|
||||
path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
|
||||
source: artifact_title
|
||||
- concept: Repo Scoping Canon Benefit Analysis
|
||||
owner: comparison/repo-scoping/canon-benefit-analysis
|
||||
path: evaluations/repo-scoping/canon-benefit-analysis.yaml
|
||||
|
||||
@@ -1,4 +1,9 @@
|
||||
artifacts:
|
||||
- benchmark/caring/kubernetes-rbac
|
||||
- benchmark/caring/kubernetes-rbac/access-descriptors
|
||||
- benchmark/caring/kubernetes-rbac/caring-mapping
|
||||
- benchmark/caring/kubernetes-rbac/findings
|
||||
- benchmark/caring/kubernetes-rbac/native-concepts
|
||||
- comparison/repo-scoping/canon-benefit-analysis
|
||||
- comparison/repo-scoping/consumer-workplan-brief
|
||||
- comparison/repo-scoping/extension-candidates
|
||||
@@ -49,6 +54,68 @@ artifacts:
|
||||
- standard/caring
|
||||
- standard/tagging
|
||||
rows:
|
||||
- artifact: benchmark/caring/kubernetes-rbac
|
||||
targets:
|
||||
model/access-control:
|
||||
- stress_tests
|
||||
model/devsecops:
|
||||
- stress_tests
|
||||
model/governance:
|
||||
- stress_tests
|
||||
model/network:
|
||||
- stress_tests
|
||||
model/observability:
|
||||
- stress_tests
|
||||
model/security:
|
||||
- stress_tests
|
||||
standard/caring:
|
||||
- conforms_to
|
||||
standard/tagging:
|
||||
- uses
|
||||
- artifact: benchmark/caring/kubernetes-rbac/access-descriptors
|
||||
targets:
|
||||
benchmark/caring/kubernetes-rbac:
|
||||
- part_of
|
||||
model/access-control:
|
||||
- uses
|
||||
model/devsecops:
|
||||
- uses
|
||||
model/security:
|
||||
- uses
|
||||
standard/caring:
|
||||
- uses
|
||||
- artifact: benchmark/caring/kubernetes-rbac/caring-mapping
|
||||
targets:
|
||||
benchmark/caring/kubernetes-rbac:
|
||||
- part_of
|
||||
model/access-control:
|
||||
- maps
|
||||
model/governance:
|
||||
- maps
|
||||
model/security:
|
||||
- maps
|
||||
standard/caring:
|
||||
- maps
|
||||
- artifact: benchmark/caring/kubernetes-rbac/findings
|
||||
targets:
|
||||
benchmark/caring/kubernetes-rbac:
|
||||
- part_of
|
||||
model/governance:
|
||||
- proposes
|
||||
model/security:
|
||||
- proposes
|
||||
standard/caring:
|
||||
- proposes
|
||||
- artifact: benchmark/caring/kubernetes-rbac/native-concepts
|
||||
targets:
|
||||
benchmark/caring/kubernetes-rbac:
|
||||
- part_of
|
||||
model/access-control:
|
||||
- maps
|
||||
model/landscape:
|
||||
- maps
|
||||
standard/caring:
|
||||
- maps
|
||||
- artifact: comparison/repo-scoping/canon-benefit-analysis
|
||||
targets:
|
||||
comparison/repo-scoping/report:
|
||||
|
||||
@@ -0,0 +1,30 @@
|
||||
---
|
||||
id: benchmark/caring/kubernetes-rbac/readme
|
||||
title: CARING Kubernetes RBAC Benchmark Workspace
|
||||
status: candidate
|
||||
created_by_workplan: ITC-WP-0010
|
||||
---
|
||||
|
||||
# CARING Kubernetes RBAC Benchmark
|
||||
|
||||
This workspace analyzes Kubernetes RBAC as a CARING benchmark, not as a
|
||||
shortcut profile. It is designed to stress access-governance orthogonality
|
||||
across Access Control, Organization, Governance, Security, Landscape,
|
||||
DevSecOps, Network, Observability, Task, and Tagging.
|
||||
|
||||
The benchmark keeps Kubernetes native constructs separate from CARING meaning:
|
||||
|
||||
- `Role` and `ClusterRole` are rule bundles or capability profiles, not
|
||||
automatically CARING canonical roles.
|
||||
- `RoleBinding` and `ClusterRoleBinding` are grants or assignments.
|
||||
- `ServiceAccount` is a service subject and a workload identity anchor.
|
||||
- `Namespace` is a useful scope signal, but it is not automatically a tenant
|
||||
boundary.
|
||||
|
||||
Indexed benchmark artifacts:
|
||||
|
||||
- `benchmark.yaml`
|
||||
- `native-concepts.yaml`
|
||||
- `caring-mapping.yaml`
|
||||
- `access-descriptors.yaml`
|
||||
- `findings-and-canon-pressure.yaml`
|
||||
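Review bot: the opening paragraph lists Organization, Landscape and Task among the areas stressed, but the `benchmark/caring/kubernetes-rbac` relationships added in this commit carry `stress_tests` only for `model/access-control`, `model/governance`, `model/security`, `model/devsecops`, `model/network` and `model/observability`. Either add the missing `stress_tests` edges in `benchmark.yaml` or narrow this sentence so the prose and the indexed relationships agree. Separately, the `Namespace` bullet says a namespace is not automatically a tenant boundary, while the descriptors in this commit use `namespace:tenant-a` as their scope; a one-line note on that naming would keep readers from inferring the opposite.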
@@ -0,0 +1,164 @@
|
||||
id: benchmark/caring/kubernetes-rbac/access-descriptors
|
||||
title: Kubernetes RBAC CARING Access Descriptors
|
||||
status: candidate
|
||||
benchmark: benchmark/caring/kubernetes-rbac
|
||||
descriptor_classes:
|
||||
- declared_access
|
||||
- effective_access
|
||||
- derived_capability
|
||||
- induced_access
|
||||
descriptors:
|
||||
- id: descriptor/namespace-pod-reader/declared
|
||||
case_id: namespace-pod-reader
|
||||
descriptor_class: declared_access
|
||||
subject: serviceaccount:tenant-a:report-viewer
|
||||
organization_relation: customer-operated-service
|
||||
canonical_role: Viewer
|
||||
scope: namespace:tenant-a
|
||||
plane: Runtime
|
||||
capabilities:
|
||||
- get pods
|
||||
- list pods
|
||||
- watch pods
|
||||
exposure_mode: metadata-and-runtime-state
|
||||
lifecycle_state: steady-state-observation
|
||||
conditions:
|
||||
- bound by RoleBinding in namespace tenant-a
|
||||
restrictions:
|
||||
- no pod mutation
|
||||
- no secret read
|
||||
- namespace is not accepted as tenant boundary without additional evidence
|
||||
native_evidence:
|
||||
- Role/report-viewer
|
||||
- RoleBinding/report-viewer-binding
|
||||
- ServiceAccount/report-viewer
|
||||
- id: descriptor/workload-creator/declared
|
||||
case_id: workload-creator-derived-execution
|
||||
descriptor_class: declared_access
|
||||
subject: serviceaccount:tenant-a:job-runner
|
||||
organization_relation: customer-operated-automation
|
||||
canonical_role: Doer
|
||||
scope: namespace:tenant-a
|
||||
plane: Runtime
|
||||
capabilities:
|
||||
- create pods
|
||||
- get pods
|
||||
- delete pods
|
||||
exposure_mode: workload-specification-control
|
||||
lifecycle_state: job-execution
|
||||
conditions:
|
||||
- bound by RoleBinding in namespace tenant-a
|
||||
restrictions:
|
||||
- no direct secret get/list/watch declared
|
||||
native_evidence:
|
||||
- Role/job-runner
|
||||
- RoleBinding/job-runner-binding
|
||||
- ServiceAccount/job-runner
|
||||
- id: descriptor/workload-creator/effective
|
||||
case_id: workload-creator-derived-execution
|
||||
descriptor_class: effective_access
|
||||
subject: serviceaccount:tenant-a:job-runner
|
||||
organization_relation: customer-operated-automation
|
||||
canonical_role: Doer
|
||||
scope: namespace:tenant-a
|
||||
plane: Runtime
|
||||
capabilities:
|
||||
- create workload
|
||||
- select pod service account
|
||||
- influence mounted volumes
|
||||
- execute container image
|
||||
exposure_mode: mediated-runtime-execution
|
||||
lifecycle_state: job-execution
|
||||
conditions:
|
||||
- pod admission and service-account mount behavior determine actual reach
|
||||
restrictions:
|
||||
- effective access must be checked against admission policy and service-account permissions
|
||||
native_evidence:
|
||||
- create pods verb
|
||||
- pod spec serviceAccountName
|
||||
- projected service account token behavior
|
||||
- id: descriptor/workload-creator/derived
|
||||
case_id: workload-creator-derived-execution
|
||||
descriptor_class: derived_capability
|
||||
subject: serviceaccount:tenant-a:job-runner
|
||||
organization_relation: customer-operated-automation
|
||||
canonical_role: Doer
|
||||
scope: namespace:tenant-a
|
||||
plane: Runtime
|
||||
capabilities:
|
||||
- execute arbitrary workload image
|
||||
- use mounted service account identity
|
||||
- read mounted runtime inputs
|
||||
exposure_mode: derived-execution-and-identity-use
|
||||
lifecycle_state: job-execution
|
||||
conditions:
|
||||
- derived from create pods permission
|
||||
restrictions:
|
||||
- must be bounded by admission controls, image policy, and service-account selection rules
|
||||
native_evidence:
|
||||
- Role/job-runner create pods
|
||||
- id: descriptor/workload-creator/induced
|
||||
case_id: workload-creator-derived-execution
|
||||
descriptor_class: induced_access
|
||||
subject: serviceaccount:tenant-a:job-runner
|
||||
organization_relation: customer-operated-automation
|
||||
canonical_role: Doer
|
||||
scope: namespace:tenant-a
|
||||
plane: Secret
|
||||
capabilities:
|
||||
- potential secret exposure through mounted volumes
|
||||
- potential token exposure through mounted identity
|
||||
exposure_mode: induced-secret-and-identity-exposure
|
||||
lifecycle_state: job-execution
|
||||
conditions:
|
||||
- induced path exists only when workload can mount or reach sensitive material
|
||||
restrictions:
|
||||
- classify as candidate finding until manifests, admission, and secret references are reviewed
|
||||
native_evidence:
|
||||
- pod volume mounts
|
||||
- service account token projection
|
||||
- secret references in pod spec
|
||||
- id: descriptor/cluster-secret-reader/declared
|
||||
case_id: cluster-secret-reader
|
||||
descriptor_class: declared_access
|
||||
subject: serviceaccount:platform:inventory
|
||||
organization_relation: platform-service-provider
|
||||
canonical_role: Auditor
|
||||
scope: cluster
|
||||
plane: Secret
|
||||
capabilities:
|
||||
- get secrets
|
||||
- list secrets
|
||||
- watch secrets
|
||||
exposure_mode: sensitive-data-read
|
||||
lifecycle_state: operational-inventory
|
||||
conditions:
|
||||
- bound by ClusterRoleBinding
|
||||
restrictions:
|
||||
- requires governance review and audit evidence
|
||||
native_evidence:
|
||||
- ClusterRole/secret-reader
|
||||
- ClusterRoleBinding/inventory-secret-reader
|
||||
- ServiceAccount/inventory
|
||||
- id: descriptor/namespace-boundary/review
|
||||
case_id: namespace-as-tenant-boundary
|
||||
descriptor_class: effective_access
|
||||
subject: tenant-boundary-claim:tenant-a
|
||||
organization_relation: platform-provider
|
||||
canonical_role: Governor
|
||||
scope: namespace:tenant-a
|
||||
plane: Policy
|
||||
capabilities:
|
||||
- claim tenant isolation
|
||||
- review access and runtime boundaries
|
||||
exposure_mode: governance-claim
|
||||
lifecycle_state: design-review
|
||||
conditions:
|
||||
- claim must be supported by access, network, runtime, data, and governance evidence
|
||||
restrictions:
|
||||
- namespace alone is insufficient evidence
|
||||
native_evidence:
|
||||
- Namespace/tenant-a
|
||||
- RoleBinding set
|
||||
- NetworkPolicy set
|
||||
- ResourceQuota set
|
||||
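Review bot: Every descriptor sets `canonical_role` (`Viewer`, `Doer`, `Auditor`, `Governor`) with no field recording why, although the benchmark's `native-role-warning` criterion requires an explicit mapping rationale before a Kubernetes Role or ClusterRole is accepted as a CARINGCanonicalRole. Add a rationale field to each descriptor, or reference one, so this file passes the benchmark's own criterion. In `descriptor/namespace-boundary/review`, `subject: tenant-boundary-claim:tenant-a` names a claim rather than a subject and `descriptor_class: effective_access` describes nothing a principal can do; a separate class or a findings entry may fit that case better.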
@@ -0,0 +1,102 @@
|
||||
id: benchmark/caring/kubernetes-rbac
|
||||
title: CARING Kubernetes RBAC Benchmark
|
||||
status: candidate
|
||||
standard: standard/caring
|
||||
created_by_workplan: ITC-WP-0010
|
||||
purpose: Stress-test CARING descriptor shape against Kubernetes RBAC without treating Kubernetes native names as canon roles.
|
||||
source_corpus:
|
||||
- id: kubernetes-rbac-reference
|
||||
title: Kubernetes RBAC Reference
|
||||
source_type: vendor-documentation
|
||||
url: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
|
||||
role: primary-native-model-reference
|
||||
- id: kubernetes-service-account-concepts
|
||||
title: Kubernetes Service Accounts
|
||||
source_type: vendor-documentation
|
||||
url: https://kubernetes.io/docs/concepts/security/service-accounts/
|
||||
role: workload-identity-reference
|
||||
- id: local-caring-standard
|
||||
title: InfoTechCanon CARING Access Governance Standard
|
||||
source_type: canon-standard
|
||||
path: standards/caring/InfoTechCanonCaringAccessGovernanceStandard.md
|
||||
role: descriptor-vocabulary
|
||||
cases:
|
||||
- id: namespace-pod-reader
|
||||
title: Namespace-Scoped Pod Reader
|
||||
native_objects:
|
||||
- Role
|
||||
- RoleBinding
|
||||
- ServiceAccount
|
||||
- Namespace
|
||||
stress_focus:
|
||||
- declared-access
|
||||
- scope-mapping
|
||||
- native-role-warning
|
||||
expected_outputs:
|
||||
- Role maps to a scoped capability profile over get/list/watch pods.
|
||||
- RoleBinding maps to a grant from subject to capability profile.
|
||||
- Namespace is recorded as Kubernetes scope, not tenant boundary.
|
||||
- id: workload-creator-derived-execution
|
||||
title: Workload Creator With Derived Execution Capability
|
||||
native_objects:
|
||||
- Role
|
||||
- RoleBinding
|
||||
- ServiceAccount
|
||||
- Pod
|
||||
- Secret
|
||||
stress_focus:
|
||||
- declared-access
|
||||
- effective-access
|
||||
- derived-capability
|
||||
- induced-access
|
||||
expected_outputs:
|
||||
- Create pod is declared as workload creation access.
|
||||
- Execute workload is derived from the ability to create pods.
|
||||
- Mounted service-account and secret exposure are induced access candidates.
|
||||
- id: cluster-secret-reader
|
||||
title: ClusterRole Secret Reader
|
||||
native_objects:
|
||||
- ClusterRole
|
||||
- ClusterRoleBinding
|
||||
- ServiceAccount
|
||||
- Secret
|
||||
stress_focus:
|
||||
- cluster-scope
|
||||
- exposure-mode
|
||||
- governance-review
|
||||
expected_outputs:
|
||||
- ClusterRole maps to cluster-scoped data exposure capability.
|
||||
- ClusterRoleBinding broadens scope beyond a namespace.
|
||||
- Secret read access produces security and governance findings.
|
||||
- id: namespace-as-tenant-boundary
|
||||
title: Namespace Used As Tenant Boundary Claim
|
||||
native_objects:
|
||||
- Namespace
|
||||
- Role
|
||||
- RoleBinding
|
||||
- NetworkPolicy
|
||||
- ResourceQuota
|
||||
stress_focus:
|
||||
- tenant-boundary-warning
|
||||
- cross-model-evidence
|
||||
- review-criteria
|
||||
expected_outputs:
|
||||
- Namespace alone cannot prove tenant isolation.
|
||||
- Tenant-boundary claim requires access, network, data, runtime, and governance evidence.
|
||||
- Missing evidence creates a canon pressure finding instead of an approved boundary claim.
|
||||
expected_outputs:
|
||||
- Native concept map covering Role, ClusterRole, RoleBinding, ClusterRoleBinding, ServiceAccount, Namespace, verbs, resources, and scopes.
|
||||
- CARING mapping that separates native role objects from canonical roles, capability profiles, grants, scopes, planes, and exposure modes.
|
||||
- Access descriptors that distinguish declared access, effective access, derived capability, and induced access.
|
||||
- Findings that identify gaps, conflicts, and proposed canon changes without changing standards silently.
|
||||
review_criteria:
|
||||
- id: descriptor-completeness
|
||||
criterion: Every benchmark case has at least one CARING access descriptor with subject, scope, plane, capabilities, exposure mode, lifecycle state, and native evidence.
|
||||
- id: native-role-warning
|
||||
criterion: Kubernetes Role and ClusterRole are never accepted as CARINGCanonicalRole without an explicit mapping rationale.
|
||||
- id: namespace-boundary-check
|
||||
criterion: Namespace isolation is treated as a claim requiring evidence, not as a tenant boundary by default.
|
||||
- id: effective-access-analysis
|
||||
criterion: Create or update workload permissions are reviewed for derived execution, mounted identity, secret, and volume exposure.
|
||||
- id: canon-pressure-routing
|
||||
criterion: Gaps become reviewable proposed changes, tasks, or open questions rather than immediate model changes.
|
||||
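Review bot: The `descriptor-completeness` criterion lists subject, scope, plane, capabilities, exposure mode, lifecycle state and native evidence, but `proposal/caring-descriptor-schema` in the findings file also requires organization relation, canonical role, restrictions and descriptor class, and the descriptors in this commit populate all of those. Align the criterion with the proposed required fields, or state which of them are optional. Separately, `effective-access-analysis` speaks of "Create or update workload permissions" while the only workload case, `workload-creator-derived-execution`, is described through create, get and delete on pods; an update or patch case would be needed to exercise the criterion as worded.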
@@ -0,0 +1,79 @@
|
||||
id: benchmark/caring/kubernetes-rbac/caring-mapping
|
||||
title: Kubernetes RBAC To CARING Mapping
|
||||
status: candidate
|
||||
benchmark: benchmark/caring/kubernetes-rbac
|
||||
namespace_tenant_boundary_warning: true
|
||||
mappings:
|
||||
- native_concept: Role
|
||||
caring_dimension: capability_profile
|
||||
canon_targets:
|
||||
- standard/caring:CARINGCapabilityProfile
|
||||
- model/access-control:Permission
|
||||
- model/governance:Policy
|
||||
mapping_rule: Interpret Role rules as scoped capability bundles over verbs, resources, API groups, and resource names.
|
||||
- native_concept: ClusterRole
|
||||
caring_dimension: capability_profile
|
||||
canon_targets:
|
||||
- standard/caring:CARINGCapabilityProfile
|
||||
- model/access-control:Permission
|
||||
- model/governance:Policy
|
||||
mapping_rule: Interpret ClusterRole rules as cluster-scope or reusable capability bundles; do not infer organization responsibility.
|
||||
- native_concept: RoleBinding
|
||||
caring_dimension: declared_access
|
||||
canon_targets:
|
||||
- standard/caring:CARINGDeclaredAccessMap
|
||||
- model/access-control:Grant
|
||||
- model/governance:Decision
|
||||
mapping_rule: Bind subject to a Role or ClusterRole within the RoleBinding namespace.
|
||||
- native_concept: ClusterRoleBinding
|
||||
caring_dimension: declared_access
|
||||
canon_targets:
|
||||
- standard/caring:CARINGDeclaredAccessMap
|
||||
- model/access-control:Grant
|
||||
- model/governance:Decision
|
||||
mapping_rule: Bind subject to a ClusterRole at cluster scope.
|
||||
- native_concept: ServiceAccount
|
||||
caring_dimension: subject
|
||||
canon_targets:
|
||||
- model/access-control:Subject
|
||||
- model/devsecops:WorkloadIdentity
|
||||
- model/organization:Service
|
||||
mapping_rule: Treat ServiceAccount as a service subject; map workload use separately as effective or induced access.
|
||||
- native_concept: Namespace
|
||||
caring_dimension: scope
|
||||
canon_targets:
|
||||
- model/access-control:ResourceScope
|
||||
- model/landscape:RuntimeContainment
|
||||
- model/network:SegmentationContext
|
||||
mapping_rule: Use Namespace as a Kubernetes scope signal; require additional evidence before mapping it to TenantBoundary.
|
||||
- native_concept: Verb
|
||||
caring_dimension: capability
|
||||
canon_targets:
|
||||
- model/access-control:Action
|
||||
- standard/caring:CARINGCapabilityProfile
|
||||
mapping_rule: Interpret verbs in combination with resources because create pods and get secrets have different exposure consequences.
|
||||
- native_concept: Resource
|
||||
caring_dimension: scope
|
||||
canon_targets:
|
||||
- model/access-control:Resource
|
||||
- model/landscape:RuntimeResource
|
||||
- model/security:ExposureTarget
|
||||
mapping_rule: Map resources to access targets and then evaluate exposure, derived capability, and plane.
|
||||
- native_concept: Scope
|
||||
caring_dimension: scope
|
||||
canon_targets:
|
||||
- model/access-control:ResourceScope
|
||||
- model/landscape:LandscapeScope
|
||||
- model/governance:GovernanceScope
|
||||
mapping_rule: Preserve namespace, cluster, API group, resource, and resourceName boundaries as separate scope facets.
|
||||
analysis_rules:
|
||||
- id: native-role-warning
|
||||
rule: Do not map Role or ClusterRole to CARINGCanonicalRole without an explicit lifecycle-responsibility rationale.
|
||||
- id: declared-to-effective
|
||||
rule: Translate bindings into declared access first, then test workload, controller, service-account, secret, and volume paths for effective access.
|
||||
- id: derived-workload-execution
|
||||
rule: Permissions that create or update workload specs may imply derived execution and mounted identity capabilities.
|
||||
- id: secret-exposure
|
||||
rule: Permissions over secrets, pods, serviceaccounts, roles, rolebindings, or escalation verbs require security and governance review.
|
||||
- id: namespace-tenant-boundary
|
||||
rule: Namespace isolation claims require evidence from access control, runtime configuration, network policy, data isolation, and governance ownership.
|
||||
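Review bot: Several `canon_targets` here disagree with the `canon_mappings` given for the same native concept in native-concepts.yaml: Role and ClusterRole map to `model/access-control:Permission` here but `model/access-control:PermissionSet` there, RoleBinding and ClusterRoleBinding to `model/governance:Decision` here but `model/governance:AssignmentDecision` there, and Resource to `model/security:ExposureTarget` here but `model/data:ProtectedInformationAsset` there. Pick one target per concept, or document why the two files differ. In `analysis_rules`, `secret-exposure` refers to "escalation verbs" without naming them; native-concepts.yaml lists bind, impersonate and escalate, and naming them here would make the rule checkable.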
@@ -0,0 +1,76 @@
|
||||
id: benchmark/caring/kubernetes-rbac/findings
|
||||
title: Kubernetes RBAC Benchmark Findings And Canon Pressure
|
||||
status: candidate
|
||||
benchmark: benchmark/caring/kubernetes-rbac
|
||||
stable_findings:
|
||||
- id: finding/native-role-is-rule-bundle
|
||||
severity: high
|
||||
summary: Kubernetes Role and ClusterRole are native rule bundles, not automatically CARING canonical roles.
|
||||
canon_pressure:
|
||||
- Keep the native role warning visible in CARING validation.
|
||||
- Add benchmark assertions that reject direct Role to CARINGCanonicalRole mappings without rationale.
|
||||
- id: finding/namespace-not-tenant-boundary
|
||||
severity: high
|
||||
summary: Namespace is a useful scope signal but does not by itself prove tenant isolation.
|
||||
canon_pressure:
|
||||
- Treat tenant-boundary claims as reviewable evidence bundles across access, network, data, runtime, and governance.
|
||||
- Add a reusable tenant-boundary review pattern if this recurs in other benchmarks.
|
||||
- id: finding/workload-create-derives-execution
|
||||
severity: high
|
||||
summary: Workload creation permissions can derive runtime execution, mounted identity use, volume access, and secret exposure paths.
|
||||
canon_pressure:
|
||||
- Clarify ownership of DerivedCapability between CARING, Access Control, Security, and DevSecOps.
|
||||
- Add effective-access checks for workload-mediated permission paths.
|
||||
- id: finding/serviceaccount-is-service-subject
|
||||
severity: medium
|
||||
summary: ServiceAccount should map to a service subject and workload identity, not to a human actor or organization role.
|
||||
canon_pressure:
|
||||
- Strengthen subject and principal distinctions in access reviews.
|
||||
- Preserve actor, subject, principal, and workload identity as separate concepts.
|
||||
gaps:
|
||||
- id: gap/caring-access-descriptor-schema
|
||||
title: Machine-readable CARING descriptor schema
|
||||
description: The benchmark uses structured descriptors, but there is not yet a formal schema for CARINGAccessDescriptor.
|
||||
proposed_route: Create schema under a future CARING validation workplan.
|
||||
- id: gap/effective-access-calculus
|
||||
title: Effective access derivation rules
|
||||
description: The canon needs reusable derivation rules for workload creation, mounted identities, secrets, impersonation, bind, and escalate.
|
||||
proposed_route: Add validation rules after more benchmark cases are exercised.
|
||||
- id: gap/tenant-boundary-evidence-profile
|
||||
title: Tenant boundary evidence profile
|
||||
description: Namespace boundary claims need a reusable evidence profile spanning access, network, runtime, data, and governance controls.
|
||||
proposed_route: Candidate pattern or profile, not an immediate standard change.
|
||||
conflicts:
|
||||
- id: conflict/native-role-name
|
||||
summary: Kubernetes native Role conflicts with the everyday meaning of role and with CARINGCanonicalRole.
|
||||
resolution: Preserve native construct name and require explicit mapping to capability profile or canonical role.
|
||||
- id: conflict/scope-overload
|
||||
summary: Kubernetes namespace, resource scope, governance scope, tenant scope, and CARING scope can be conflated.
|
||||
resolution: Record scope facets separately and only approve tenant-boundary claims after evidence review.
|
||||
proposed_changes:
|
||||
- id: proposal/caring-descriptor-schema
|
||||
owner: standard/caring
|
||||
change_type: new-schema
|
||||
proposal: Add a CARING access descriptor schema with required fields for subject, organization relation, canonical role, scope, plane, capabilities, exposure mode, lifecycle state, restrictions, descriptor class, and native evidence.
|
||||
- id: proposal/kubernetes-rbac-validation-rules
|
||||
owner: standard/caring
|
||||
change_type: benchmark-validation
|
||||
proposal: Add CARING validation rules for native role warning, namespace tenant-boundary claims, workload-derived execution, and secret exposure.
|
||||
- id: proposal/tenant-boundary-review-pattern
|
||||
owner: model/governance
|
||||
change_type: new-pattern
|
||||
proposal: Add a review pattern for tenant-boundary claims that requires evidence from access control, network, runtime, data, security, and governance.
|
||||
- id: proposal/derived-capability-ownership
|
||||
owner: standard/caring
|
||||
change_type: open-question
|
||||
proposal: Decide whether DerivedCapability remains CARING-owned or becomes shared with Access Control and Security through a model profile.
|
||||
follow_up_tasks:
|
||||
- id: task/formalize-caring-descriptor-schema
|
||||
target_workplan: proposed
|
||||
summary: Create the CARING access descriptor schema and validate this benchmark against it.
|
||||
- id: task/add-kubernetes-rbac-case-corpus
|
||||
target_workplan: proposed
|
||||
summary: Add concrete Kubernetes YAML manifests for the four benchmark cases and expected parsed observations.
|
||||
- id: task/expand-effective-access-engine
|
||||
target_workplan: proposed
|
||||
summary: Prototype derivation rules for pod creation, service-account mounting, secrets, bind, escalate, and impersonate.
|
||||
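Review bot: `stable_findings` has no entry for cluster-wide secret read, although the `cluster-secret-reader` case in benchmark.yaml expects "Secret read access produces security and governance findings" and caring-mapping.yaml carries a `secret-exposure` rule. Add a finding for it, or remove that expected output from the case. The three `follow_up_tasks` all set `target_workplan: proposed`, which names no workplan; an explicit placeholder id or an "unassigned" value would make them routable.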
@@ -0,0 +1,87 @@
|
||||
id: benchmark/caring/kubernetes-rbac/native-concepts
|
||||
title: Kubernetes RBAC Native Concept Map
|
||||
status: candidate
|
||||
benchmark: benchmark/caring/kubernetes-rbac
|
||||
namespace_tenant_boundary_warning: true
|
||||
concepts:
|
||||
- native: Role
|
||||
category: rule-bundle
|
||||
native_scope: namespace
|
||||
caring_mapping: CARINGCapabilityProfile
|
||||
canon_mappings:
|
||||
- model/access-control:PermissionSet
|
||||
- model/governance:Policy
|
||||
notes: A Role defines permissions within one namespace and is not automatically a CARINGCanonicalRole.
|
||||
- native: ClusterRole
|
||||
category: rule-bundle
|
||||
native_scope: cluster
|
||||
caring_mapping: CARINGCapabilityProfile
|
||||
canon_mappings:
|
||||
- model/access-control:PermissionSet
|
||||
- model/governance:Policy
|
||||
notes: A ClusterRole can define cluster-scoped permissions or reusable rule bundles for namespace bindings.
|
||||
- native: RoleBinding
|
||||
category: assignment
|
||||
native_scope: namespace
|
||||
caring_mapping: CARINGDeclaredAccessMap
|
||||
canon_mappings:
|
||||
- model/access-control:Grant
|
||||
- model/governance:AssignmentDecision
|
||||
notes: A RoleBinding grants a Role or ClusterRole to subjects within a namespace.
|
||||
- native: ClusterRoleBinding
|
||||
category: assignment
|
||||
native_scope: cluster
|
||||
caring_mapping: CARINGDeclaredAccessMap
|
||||
canon_mappings:
|
||||
- model/access-control:Grant
|
||||
- model/governance:AssignmentDecision
|
||||
notes: A ClusterRoleBinding grants a ClusterRole across cluster scope.
|
||||
- native: ServiceAccount
|
||||
category: service-subject
|
||||
native_scope: namespace
|
||||
caring_mapping: Subject
|
||||
canon_mappings:
|
||||
- model/access-control:Subject
|
||||
- model/organization:Service
|
||||
- model/devsecops:WorkloadIdentity
|
||||
notes: A ServiceAccount is a service subject and workload identity anchor, not a human actor.
|
||||
- native: Namespace
|
||||
category: scope-signal
|
||||
native_scope: namespace
|
||||
caring_mapping: Scope
|
||||
canon_mappings:
|
||||
- model/landscape:RuntimeContainment
|
||||
- model/access-control:ResourceScope
|
||||
- model/network:SegmentationContext
|
||||
notes: A Namespace is not automatically a tenant boundary; tenant isolation needs supporting access, network, data, and governance evidence.
|
||||
- native: Verb
|
||||
category: action
|
||||
native_scope: rule
|
||||
caring_mapping: Capability
|
||||
canon_mappings:
|
||||
- model/access-control:Action
|
||||
- standard/caring:CARINGCapabilityProfile
|
||||
notes: Verbs such as get, list, watch, create, update, patch, delete, bind, impersonate, and escalate must be interpreted by resource and scope.
|
||||
- native: Resource
|
||||
category: target
|
||||
native_scope: api-group
|
||||
caring_mapping: Scope
|
||||
canon_mappings:
|
||||
- model/access-control:Resource
|
||||
- model/landscape:RuntimeResource
|
||||
- model/data:ProtectedInformationAsset
|
||||
notes: Resources such as pods, secrets, roles, rolebindings, and serviceaccounts carry different exposure and derived-capability implications.
|
||||
- native: Scope
|
||||
category: boundary
|
||||
native_scope: namespace-or-cluster
|
||||
caring_mapping: Scope
|
||||
canon_mappings:
|
||||
- model/access-control:ResourceScope
|
||||
- model/landscape:LandscapeScope
|
||||
- model/governance:GovernanceScope
|
||||
notes: Kubernetes scope must be declared explicitly as namespace, cluster, API group, resource, and optionally tenant claim with evidence.
|
||||
mapping_constraints:
|
||||
- Kubernetes native names are preserved as source semantics.
|
||||
- CARING canonical roles are assigned only after analyzing lifecycle responsibility posture.
|
||||
- Namespace tenancy is a reviewable claim, not a default mapping.
|
||||
- Effective access must include controller-mediated and workload-mediated paths where relevant.
|
||||
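Review bot: The Namespace `notes` line asks for "supporting access, network, data, and governance evidence" and leaves out runtime, while the `namespace-tenant-boundary` rule in caring-mapping.yaml and the benchmark's expected outputs both include runtime evidence. Add runtime here so the three files state the same evidence set. The last concept, `native: Scope` with `native_scope: namespace-or-cluster`, reads as an analytical concept rather than a native name, which sits oddly with the constraint "Kubernetes native names are preserved as source semantics"; consider marking it as derived.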
@@ -1,14 +1,14 @@
|
||||
{
|
||||
"details": {
|
||||
"artifact_count": 49,
|
||||
"relationship_count": 212
|
||||
"artifact_count": 54,
|
||||
"relationship_count": 238
|
||||
},
|
||||
"errors": [],
|
||||
"metrics": {
|
||||
"coherence_components": 1.0,
|
||||
"consistency_cycles": 0.0,
|
||||
"coverage_ratio": 1.0,
|
||||
"granularity_entropy": 3.6776822595640257,
|
||||
"granularity_entropy": 3.9972143235892474,
|
||||
"redundancy_ratio": 0.0
|
||||
},
|
||||
"ok": true,
|
||||
|
||||
@@ -2,10 +2,15 @@
|
||||
|
||||
# By Concept
|
||||
|
||||
Concept count: **74**
|
||||
Concept count: **79**
|
||||
|
||||
| Concept | Owner | Source |
|
||||
| --- | --- | --- |
|
||||
| CARING Kubernetes RBAC Benchmark | `benchmark/caring/kubernetes-rbac` | `artifact_title` |
|
||||
| Kubernetes RBAC CARING Access Descriptors | `benchmark/caring/kubernetes-rbac/access-descriptors` | `artifact_title` |
|
||||
| Kubernetes RBAC To CARING Mapping | `benchmark/caring/kubernetes-rbac/caring-mapping` | `artifact_title` |
|
||||
| Kubernetes RBAC Benchmark Findings And Canon Pressure | `benchmark/caring/kubernetes-rbac/findings` | `artifact_title` |
|
||||
| Kubernetes RBAC Native Concept Map | `benchmark/caring/kubernetes-rbac/native-concepts` | `artifact_title` |
|
||||
| Repo Scoping Canon Benefit Analysis | `comparison/repo-scoping/canon-benefit-analysis` | `artifact_title` |
|
||||
| Repo Scoping Consumer Workplan Brief | `comparison/repo-scoping/consumer-workplan-brief` | `artifact_title` |
|
||||
| Repo Scoping Canon Extension Candidates | `comparison/repo-scoping/extension-candidates` | `artifact_title` |
|
||||
|
||||
@@ -2,6 +2,13 @@
|
||||
|
||||
# By Mapping Target
|
||||
|
||||
## `benchmark/caring/kubernetes-rbac`
|
||||
|
||||
- `benchmark/caring/kubernetes-rbac/access-descriptors` via `part_of`
|
||||
- `benchmark/caring/kubernetes-rbac/caring-mapping` via `part_of`
|
||||
- `benchmark/caring/kubernetes-rbac/findings` via `part_of`
|
||||
- `benchmark/caring/kubernetes-rbac/native-concepts` via `part_of`
|
||||
|
||||
## `comparison/repo-scoping/report`
|
||||
|
||||
- `comparison/repo-scoping/canon-benefit-analysis` via `part_of`
|
||||
@@ -57,6 +64,10 @@
|
||||
|
||||
## `model/access-control`
|
||||
|
||||
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
|
||||
- `benchmark/caring/kubernetes-rbac/access-descriptors` via `uses`
|
||||
- `benchmark/caring/kubernetes-rbac/caring-mapping` via `maps`
|
||||
- `benchmark/caring/kubernetes-rbac/native-concepts` via `maps`
|
||||
- `evaluation/user-engine` via `uses`
|
||||
- `evaluation/user-engine/questions` via `uses`
|
||||
- `evaluation/user-engine/small-saas-alignment` via `uses`
|
||||
@@ -80,6 +91,8 @@
|
||||
|
||||
## `model/devsecops`
|
||||
|
||||
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
|
||||
- `benchmark/caring/kubernetes-rbac/access-descriptors` via `uses`
|
||||
- `conformance/railiance-fabric` via `uses`
|
||||
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
|
||||
- `conformance/railiance-fabric/mapping-expectations` via `maps`
|
||||
@@ -90,6 +103,9 @@
|
||||
|
||||
## `model/governance`
|
||||
|
||||
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
|
||||
- `benchmark/caring/kubernetes-rbac/caring-mapping` via `maps`
|
||||
- `benchmark/caring/kubernetes-rbac/findings` via `proposes`
|
||||
- `comparison/repo-scoping/canon-benefit-analysis` via `maps`
|
||||
- `comparison/repo-scoping/extension-candidates` via `proposes`
|
||||
- `comparison/repo-scoping/frame` via `uses`
|
||||
@@ -121,6 +137,7 @@
|
||||
|
||||
## `model/landscape`
|
||||
|
||||
- `benchmark/caring/kubernetes-rbac/native-concepts` via `maps`
|
||||
- `conformance/railiance-fabric` via `uses`
|
||||
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
|
||||
- `conformance/railiance-fabric/mapping-expectations` via `maps`
|
||||
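Review bot: Only `benchmark/caring/kubernetes-rbac/native-concepts` via `maps` is added under `model/landscape`; the benchmark itself gets `stress_tests` entries under access-control, devsecops, governance, network, observability and security but not here. The 26 entries added across the hunks of this index match the `relationship_count` change from 212 to 238, and none of them falls under `model/organization` or `model/task`. The README says the benchmark stresses Landscape, Organization and Task as well, so either declare those relationships or narrow the README's list.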
@@ -131,6 +148,7 @@
|
||||
|
||||
## `model/network`
|
||||
|
||||
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
|
||||
- `conformance/railiance-fabric` via `uses`
|
||||
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
|
||||
- `conformance/railiance-fabric/mapping-expectations` via `maps`
|
||||
@@ -141,6 +159,7 @@
|
||||
|
||||
## `model/observability`
|
||||
|
||||
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
|
||||
- `conformance/railiance-fabric` via `uses`
|
||||
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
|
||||
- `conformance/railiance-fabric/mapping-expectations` via `maps`
|
||||
@@ -184,6 +203,10 @@
|
||||
|
||||
## `model/security`
|
||||
|
||||
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
|
||||
- `benchmark/caring/kubernetes-rbac/access-descriptors` via `uses`
|
||||
- `benchmark/caring/kubernetes-rbac/caring-mapping` via `maps`
|
||||
- `benchmark/caring/kubernetes-rbac/findings` via `proposes`
|
||||
- `conformance/railiance-fabric` via `uses`
|
||||
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
|
||||
- `conformance/railiance-fabric/mapping-expectations` via `maps`
|
||||
@@ -296,6 +319,11 @@
|
||||
|
||||
## `standard/caring`
|
||||
|
||||
- `benchmark/caring/kubernetes-rbac` via `conforms_to`
|
||||
- `benchmark/caring/kubernetes-rbac/access-descriptors` via `uses`
|
||||
- `benchmark/caring/kubernetes-rbac/caring-mapping` via `maps`
|
||||
- `benchmark/caring/kubernetes-rbac/findings` via `proposes`
|
||||
- `benchmark/caring/kubernetes-rbac/native-concepts` via `maps`
|
||||
- `evaluation/user-engine` via `uses`
|
||||
- `evaluation/user-engine/interface-card-expectations` via `uses`
|
||||
- `kernel/itc-kernel-map` via `maps`
|
||||
@@ -304,6 +332,7 @@
|
||||
|
||||
## `standard/tagging`
|
||||
|
||||
- `benchmark/caring/kubernetes-rbac` via `uses`
|
||||
- `comparison/repo-scoping/canon-benefit-analysis` via `maps`
|
||||
- `conformance/railiance-fabric` via `uses`
|
||||
- `kernel/itc-kernel-map` via `maps`
|
||||
|
||||
@@ -2,54 +2,59 @@
|
||||
|
||||
# Import Matrix
|
||||
|
||||
| Artifact | `comparison/repo-scoping/canon-benefit-analysis` | `comparison/repo-scoping/consumer-workplan-brief` | `comparison/repo-scoping/extension-candidates` | `comparison/repo-scoping/frame` | `comparison/repo-scoping/report` | `concept-catalog/purpose-demand` | `conformance/railiance-fabric` | `conformance/railiance-fabric/consumer-workplan-brief` | `conformance/railiance-fabric/entity-edge-capture-criteria` | `conformance/railiance-fabric/mapping-expectations` | `conformance/railiance-fabric/visualization-examples` | `evaluation/user-engine` | `evaluation/user-engine/consumer-workplan-brief` | `evaluation/user-engine/interface-card-expectations` | `evaluation/user-engine/questions` | `evaluation/user-engine/small-saas-alignment` | `example/consumer-purpose-portfolio` | `kernel/itc-core` | `kernel/itc-kernel-map` | `mapping/purpose-demand-governance-candidates` | `model/access-control` | `model/data` | `model/devsecops` | `model/governance` | `model/information-space` | `model/landscape` | `model/network` | `model/observability` | `model/organization` | `model/purpose-demand-extension` | `model/security` | `model/task` | `pattern/intent-scope-purposes` | `profile/small-saas` | `small-saas/control/namespace-per-tenant` | `small-saas/dataset/subscription-ledger` | `small-saas/deployment/production` | `small-saas/evidence/access-review-2026-05` | `small-saas/incident/cross-tenant-access-attempt` | `small-saas/policy/tenant-isolation` | `small-saas/service/billing-portal` | `small-saas/system/billing-system` | `small-saas/task/onboard-tenant` | `small-saas/team/platform` | `small-saas/tenant/acme` | `small-saas/tenant/globex` | `small-saas/user/ada-admin` | `standard/caring` | `standard/tagging` |
|
||||
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
|
||||
| `comparison/repo-scoping/canon-benefit-analysis` | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `maps` | `maps` | | | | | `maps` | | `maps` | | | | | | | | | | | | | | | | | `maps` |
|
||||
| `comparison/repo-scoping/consumer-workplan-brief` | | | | | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | |
|
||||
| `comparison/repo-scoping/extension-candidates` | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `proposes` | `proposes` | | | | | `proposes` | | `proposes` | | | | | | | | | | | | | | | | | |
|
||||
| `comparison/repo-scoping/frame` | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `uses` | | `uses` | | | | | | | | | | | | | | | | | |
|
||||
| `comparison/repo-scoping/report` | | | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | | | | | `compares` | | `uses` | `uses` | | | | | | | | | | | | | | | | |
|
||||
| `concept-catalog/purpose-demand` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||
| `conformance/railiance-fabric` | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | `uses` |
|
||||
| `conformance/railiance-fabric/consumer-workplan-brief` | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | |
|
||||
| `conformance/railiance-fabric/entity-edge-capture-criteria` | | | | | | | `part_of` | | | | | | | | | | | | | | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | |
|
||||
| `conformance/railiance-fabric/mapping-expectations` | | | | | | | `part_of` | | | | | | | | | | | | | | | `maps` | `maps` | `maps` | | `maps` | `maps` | `maps` | | `maps` | `maps` | | | | | | | | | | | | | | | | | | |
|
||||
| `conformance/railiance-fabric/visualization-examples` | | | | | | | `part_of` | | `illustrates` | `illustrates` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||
| `evaluation/user-engine` | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | | `uses` | | | | | `uses` | `uses` | `uses` | `uses` | | `evaluates` | | | | | | | | | | | | | | `uses` | |
|
||||
| `evaluation/user-engine/consumer-workplan-brief` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | |
|
||||
| `evaluation/user-engine/interface-card-expectations` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | `uses` | |
|
||||
| `evaluation/user-engine/questions` | | | | | | | | | | | | `part_of` | | | | | | | | | `uses` | `uses` | | `uses` | | | | | `uses` | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | |
|
||||
| `evaluation/user-engine/small-saas-alignment` | | | | | | | | | | | | `part_of` | | | | | | | | | `uses` | | | `uses` | | | | | `uses` | | | | | `evaluates` | | | | | | | | | | | | | | | |
|
||||
| `example/consumer-purpose-portfolio` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `illustrates` | | | `illustrates` | `uses` | | | | | | | | | | | | | | | |
|
||||
| `kernel/itc-core` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||
| `kernel/itc-kernel-map` | | | | | | | | | | | | | | | | | | `maps` | | | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | | `maps` | `maps` | | | | | | | | | | | | | | | | `maps` | `maps` |
|
||||
| `mapping/purpose-demand-governance-candidates` | | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | | | | `maps` | | `uses` | | | | | | | | | | | | | | | | | |
|
||||
| `model/access-control` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | `uses` | | | | | | | | | | | | | | | | | | | | |
|
||||
| `model/data` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||
| `model/devsecops` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | |
|
||||
| `model/governance` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||
| `model/information-space` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||
| `model/landscape` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||
| `model/network` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | |
|
||||
| `model/observability` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | |
|
||||
| `model/organization` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||
| `model/purpose-demand-extension` | | | | | | `introduces` | | | | | | | | | | | | `conforms_to` | | | | | | `extends` | `uses` | | | | | | | `uses` | | | | | | | | | | | | | | | | | |
|
||||
| `model/security` | | | | | | | | | | | | | | | | | | `conforms_to` | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||
| `model/task` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||
| `pattern/intent-scope-purposes` | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `implements` | | `uses` | | | | | | | | | | | | | | | | | |
|
||||
| `profile/small-saas` | | | | | | | | | | | | | | | | | | `conforms_to` | | | `requires` | `requires` | `requires` | `requires` | | `requires` | `requires` | `requires` | `requires` | | `requires` | `requires` | | | | | | | | | | | | | | | | `requires` | `requires` |
|
||||
| `small-saas/control/namespace-per-tenant` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | `instantiates` | | | | `evidenced_by` | | | | | | | | | | `uses` | |
|
||||
| `small-saas/dataset/subscription-ledger` | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | `instantiates` | | | | | | `governed_by` | `owned_by` | | | | `partitioned_for` | `partitioned_for` | | | |
|
||||
| `small-saas/deployment/production` | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | `uses` | | | | | | | `instantiates` | `implements` | | | | | | `deploys` | | | | `separates` | `separates` | | | |
|
||||
| `small-saas/evidence/access-review-2026-05` | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `instantiates` | | | | | | | | | | | | | | | |
|
||||
| `small-saas/incident/cross-tenant-access-attempt` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | `instantiates` | `constrained_by` | | | `evidenced_by` | | | | | | | | | | | |
|
||||
| `small-saas/policy/tenant-isolation` | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | `instantiates` | `requires` | | | `evidenced_by` | | | | | | | | | | | |
|
||||
| `small-saas/service/billing-portal` | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `instantiates` | | | | | | | | `part_of` | | `owned_by` | | | | | |
|
||||
| `small-saas/system/billing-system` | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `instantiates` | | | | | | | | | | | `serves` | `serves` | | | |
|
||||
| `small-saas/task/onboard-tenant` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | `instantiates` | | | | | | `governed_by` | | | | `owned_by` | `changes` | | | | |
|
||||
| `small-saas/team/platform` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | | | | | | | | | | | | | | | |
|
||||
| `small-saas/tenant/acme` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | `isolated_by` | | | | | | | | | | | | `represented_by` | | |
|
||||
| `small-saas/tenant/globex` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | `isolated_by` | | | | | | | | | | | | | | |
|
||||
| `small-saas/user/ada-admin` | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `uses` | | | | | `instantiates` | | | | `access_evidenced_by` | | `has_access_under` | | | | `member_of` | | | | | |
|
||||
| `standard/caring` | | | | | | | | | | | | | | | | | | `conforms_to` | | | `imports` | `imports` | `imports` | `imports` | | | `imports` | `imports` | `imports` | | `imports` | `imports` | | | | | | | | | | | | | | | | | `imports` |
|
||||
| `standard/tagging` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | `imports` | | | | | | | | | | | | | | | | | |
|
||||
| Artifact | `benchmark/caring/kubernetes-rbac` | `benchmark/caring/kubernetes-rbac/access-descriptors` | `benchmark/caring/kubernetes-rbac/caring-mapping` | `benchmark/caring/kubernetes-rbac/findings` | `benchmark/caring/kubernetes-rbac/native-concepts` | `comparison/repo-scoping/canon-benefit-analysis` | `comparison/repo-scoping/consumer-workplan-brief` | `comparison/repo-scoping/extension-candidates` | `comparison/repo-scoping/frame` | `comparison/repo-scoping/report` | `concept-catalog/purpose-demand` | `conformance/railiance-fabric` | `conformance/railiance-fabric/consumer-workplan-brief` | `conformance/railiance-fabric/entity-edge-capture-criteria` | `conformance/railiance-fabric/mapping-expectations` | `conformance/railiance-fabric/visualization-examples` | `evaluation/user-engine` | `evaluation/user-engine/consumer-workplan-brief` | `evaluation/user-engine/interface-card-expectations` | `evaluation/user-engine/questions` | `evaluation/user-engine/small-saas-alignment` | `example/consumer-purpose-portfolio` | `kernel/itc-core` | `kernel/itc-kernel-map` | `mapping/purpose-demand-governance-candidates` | `model/access-control` | `model/data` | `model/devsecops` | `model/governance` | `model/information-space` | `model/landscape` | `model/network` | `model/observability` | `model/organization` | `model/purpose-demand-extension` | `model/security` | `model/task` | `pattern/intent-scope-purposes` | `profile/small-saas` | `small-saas/control/namespace-per-tenant` | `small-saas/dataset/subscription-ledger` | `small-saas/deployment/production` | `small-saas/evidence/access-review-2026-05` | `small-saas/incident/cross-tenant-access-attempt` | `small-saas/policy/tenant-isolation` | `small-saas/service/billing-portal` | `small-saas/system/billing-system` | `small-saas/task/onboard-tenant` | `small-saas/team/platform` | `small-saas/tenant/acme` | `small-saas/tenant/globex` | `small-saas/user/ada-admin` | `standard/caring` | `standard/tagging` |
|
||||
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
|
||||
| `benchmark/caring/kubernetes-rbac` | | | | | | | | | | | | | | | | | | | | | | | | | | `stress_tests` | | `stress_tests` | `stress_tests` | | | `stress_tests` | `stress_tests` | | | `stress_tests` | | | | | | | | | | | | | | | | | `conforms_to` | `uses` |
|
||||
| `benchmark/caring/kubernetes-rbac/access-descriptors` | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | `uses` | | | | | | | | `uses` | | | | | | | | | | | | | | | | | `uses` | |
|
||||
| `benchmark/caring/kubernetes-rbac/caring-mapping` | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | `maps` | | | | | | | `maps` | | | | | | | | | | | | | | | | | `maps` | |
|
||||
| `benchmark/caring/kubernetes-rbac/findings` | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | | | | `proposes` | | | | | | | `proposes` | | | | | | | | | | | | | | | | | `proposes` | |
|
||||
| `benchmark/caring/kubernetes-rbac/native-concepts` | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | | | `maps` | | | | | | | | | | | | | | | | | | | | | | `maps` | |
|
||||
| `comparison/repo-scoping/canon-benefit-analysis` | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `maps` | `maps` | | | | | `maps` | | `maps` | | | | | | | | | | | | | | | | | `maps` |
|
||||
| `comparison/repo-scoping/consumer-workplan-brief` | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | |
|
||||
| `comparison/repo-scoping/extension-candidates` | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `proposes` | `proposes` | | | | | `proposes` | | `proposes` | | | | | | | | | | | | | | | | | |
|
||||
| `comparison/repo-scoping/frame` | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `uses` | | `uses` | | | | | | | | | | | | | | | | | |
|
||||
| `comparison/repo-scoping/report` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | | | | | `compares` | | `uses` | `uses` | | | | | | | | | | | | | | | | |
|
||||
| `concept-catalog/purpose-demand` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||
| `conformance/railiance-fabric` | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | `uses` |
|
||||
| `conformance/railiance-fabric/consumer-workplan-brief` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | |
|
||||
| `conformance/railiance-fabric/entity-edge-capture-criteria` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | |
|
||||
| `conformance/railiance-fabric/mapping-expectations` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | `maps` | `maps` | `maps` | | `maps` | `maps` | `maps` | | `maps` | `maps` | | | | | | | | | | | | | | | | | | |
|
||||
| `conformance/railiance-fabric/visualization-examples` | | | | | | | | | | | | `part_of` | | `illustrates` | `illustrates` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||
| `evaluation/user-engine` | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | | `uses` | | | | | `uses` | `uses` | `uses` | `uses` | | `evaluates` | | | | | | | | | | | | | | `uses` | |
|
||||
| `evaluation/user-engine/consumer-workplan-brief` | | | | | | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | |
|
||||
| `evaluation/user-engine/interface-card-expectations` | | | | | | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | `uses` | |
|
||||
| `evaluation/user-engine/questions` | | | | | | | | | | | | | | | | | `part_of` | | | | | | | | | `uses` | `uses` | | `uses` | | | | | `uses` | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | |
|
||||
| `evaluation/user-engine/small-saas-alignment` | | | | | | | | | | | | | | | | | `part_of` | | | | | | | | | `uses` | | | `uses` | | | | | `uses` | | | | | `evaluates` | | | | | | | | | | | | | | | |
|
||||
| `example/consumer-purpose-portfolio` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `illustrates` | | | `illustrates` | `uses` | | | | | | | | | | | | | | | |
|
||||
| `kernel/itc-core` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||
| `kernel/itc-kernel-map` | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | | `maps` | `maps` | | | | | | | | | | | | | | | | `maps` | `maps` |
|
||||
| `mapping/purpose-demand-governance-candidates` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | | | | `maps` | | `uses` | | | | | | | | | | | | | | | | | |
|
||||
| `model/access-control` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | `uses` | | | | | | | | | | | | | | | | | | | | |
|
||||
| `model/data` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||
| `model/devsecops` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | |
|
||||
| `model/governance` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||
| `model/information-space` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||
| `model/landscape` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||
| `model/network` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | |
|
||||
| `model/observability` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | |
|
||||
| `model/organization` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||
| `model/purpose-demand-extension` | | | | | | | | | | | `introduces` | | | | | | | | | | | | `conforms_to` | | | | | | `extends` | `uses` | | | | | | | `uses` | | | | | | | | | | | | | | | | | |
|
||||
| `model/security` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||
| `model/task` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||
| `pattern/intent-scope-purposes` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `implements` | | `uses` | | | | | | | | | | | | | | | | | |
|
||||
| `profile/small-saas` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | `requires` | `requires` | `requires` | `requires` | | `requires` | `requires` | `requires` | `requires` | | `requires` | `requires` | | | | | | | | | | | | | | | | `requires` | `requires` |
|
||||
| `small-saas/control/namespace-per-tenant` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | `instantiates` | | | | `evidenced_by` | | | | | | | | | | `uses` | |
|
||||
| `small-saas/dataset/subscription-ledger` | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | `instantiates` | | | | | | `governed_by` | `owned_by` | | | | `partitioned_for` | `partitioned_for` | | | |
|
||||
| `small-saas/deployment/production` | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | `uses` | | | | | | | `instantiates` | `implements` | | | | | | `deploys` | | | | `separates` | `separates` | | | |
|
||||
| `small-saas/evidence/access-review-2026-05` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `instantiates` | | | | | | | | | | | | | | | |
|
||||
| `small-saas/incident/cross-tenant-access-attempt` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | `instantiates` | `constrained_by` | | | `evidenced_by` | | | | | | | | | | | |
|
||||
| `small-saas/policy/tenant-isolation` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | `instantiates` | `requires` | | | `evidenced_by` | | | | | | | | | | | |
|
||||
| `small-saas/service/billing-portal` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `instantiates` | | | | | | | | `part_of` | | `owned_by` | | | | | |
|
||||
| `small-saas/system/billing-system` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `instantiates` | | | | | | | | | | | `serves` | `serves` | | | |
|
||||
| `small-saas/task/onboard-tenant` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | `instantiates` | | | | | | `governed_by` | | | | `owned_by` | `changes` | | | | |
|
||||
| `small-saas/team/platform` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | | | | | | | | | | | | | | | |
|
||||
| `small-saas/tenant/acme` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | `isolated_by` | | | | | | | | | | | | `represented_by` | | |
|
||||
| `small-saas/tenant/globex` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | `isolated_by` | | | | | | | | | | | | | | |
|
||||
| `small-saas/user/ada-admin` | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `uses` | | | | | `instantiates` | | | | `access_evidenced_by` | | `has_access_under` | | | | `member_of` | | | | | |
|
||||
| `standard/caring` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | `imports` | `imports` | `imports` | `imports` | | | `imports` | `imports` | `imports` | | `imports` | `imports` | | | | | | | | | | | | | | | | | `imports` |
|
||||
| `standard/tagging` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | `imports` | | | | | | | | | | | | | | | | | |
|
||||
|
||||
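Review bot: In the new `benchmark/caring/kubernetes-rbac` row, the last two cells are `conforms_to` and `uses`, which puts `conforms_to` in the `standard/caring` column, while the existing model, profile and standard rows appear to place `conforms_to` in the `kernel/itc-core` column. If conformance to a standard is a different claim from conformance to the kernel, give it its own relation or document that `conforms_to` covers both; otherwise anything that counts or filters `conforms_to` edges will mix the two. Separately, the five new artifacts sort to the front of the column order, so every row of the table is rewritten and the edges that actually changed cannot be picked out of this hunk. A sparse edge list, or a column order that does not shift when artifacts are added, would keep the generated matrix reviewable.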
@@ -3,12 +3,16 @@
|
||||
# Kernel Overview
|
||||
|
||||
- Infospace: `canon`
|
||||
- Artifacts: 49
|
||||
- Artifacts: 54
|
||||
|
||||
## Artifact Kinds
|
||||
|
||||
- `access-descriptor-set`: 1
|
||||
- `benchmark-findings`: 1
|
||||
- `benchmark-workspace`: 1
|
||||
- `benefit-analysis`: 1
|
||||
- `capture-criteria`: 1
|
||||
- `caring-mapping`: 1
|
||||
- `comparison-frame`: 1
|
||||
- `comparison-report`: 1
|
||||
- `concept-catalog`: 1
|
||||
@@ -24,6 +28,7 @@
|
||||
- `mapping-expectation`: 1
|
||||
- `model`: 11
|
||||
- `model-extension`: 1
|
||||
- `native-concept-map`: 1
|
||||
- `pattern`: 1
|
||||
- `profile`: 1
|
||||
- `profile-alignment`: 1
|
||||
@@ -36,7 +41,7 @@
|
||||
- `access_evidenced_by`: 1
|
||||
- `changes`: 1
|
||||
- `compares`: 1
|
||||
- `conforms_to`: 16
|
||||
- `conforms_to`: 17
|
||||
- `constrained_by`: 1
|
||||
- `deploys`: 1
|
||||
- `evaluates`: 2
|
||||
@@ -50,14 +55,15 @@
|
||||
- `instantiates`: 13
|
||||
- `introduces`: 1
|
||||
- `isolated_by`: 2
|
||||
- `maps`: 29
|
||||
- `maps`: 36
|
||||
- `member_of`: 1
|
||||
- `owned_by`: 3
|
||||
- `part_of`: 13
|
||||
- `part_of`: 17
|
||||
- `partitioned_for`: 2
|
||||
- `proposes`: 4
|
||||
- `proposes`: 7
|
||||
- `represented_by`: 1
|
||||
- `requires`: 13
|
||||
- `separates`: 2
|
||||
- `serves`: 2
|
||||
- `uses`: 79
|
||||
- `stress_tests`: 6
|
||||
- `uses`: 84
|
||||
|
||||
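Review bot: `stress_tests`: 6 has no earlier count in this list, so the relation is introduced by this commit. Confirm it is declared and validated wherever the other relation names (`uses`, `maps`, `proposes`) are defined, and record its direction and meaning there. In the import matrix it is emitted only by `benchmark/caring/kubernetes-rbac`, and nothing in this overview says how it differs from the existing `evaluates` relation.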
@@ -2,10 +2,15 @@
|
||||
|
||||
# Repository Tree
|
||||
|
||||
File count: **131**
|
||||
File count: **142**
|
||||
|
||||
- `README.md`
|
||||
- `agent/README.md`
|
||||
- `agent/briefs/benchmark-caring-kubernetes-rbac-access-descriptors.md`
|
||||
- `agent/briefs/benchmark-caring-kubernetes-rbac-caring-mapping.md`
|
||||
- `agent/briefs/benchmark-caring-kubernetes-rbac-findings.md`
|
||||
- `agent/briefs/benchmark-caring-kubernetes-rbac-native-concepts.md`
|
||||
- `agent/briefs/benchmark-caring-kubernetes-rbac.md`
|
||||
- `agent/briefs/comparison-repo-scoping-canon-benefit-analysis.md`
|
||||
- `agent/briefs/comparison-repo-scoping-consumer-workplan-brief.md`
|
||||
- `agent/briefs/comparison-repo-scoping-extension-candidates.md`
|
||||
@@ -124,6 +129,12 @@ File count: **131**
|
||||
- `schemas/standard.schema.yaml`
|
||||
- `schemas/workplan.schema.yaml`
|
||||
- `standards/caring/InfoTechCanonCaringAccessGovernanceStandard.md`
|
||||
- `standards/caring/benchmarks/kubernetes-rbac/README.md`
|
||||
- `standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`
|
||||
- `standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml`
|
||||
- `standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml`
|
||||
- `standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml`
|
||||
- `standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml`
|
||||
- `standards/tagging/InfoTechCanonTaggingStandard.md`
|
||||
- `validation/README.md`
|
||||
- `validation/latest.json`
|
||||
|
||||
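Review bot: `standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml` is the one new source file whose basename does not match what appears to be its artifact ID and brief (`benchmark/caring/kubernetes-rbac/findings`, `agent/briefs/benchmark-caring-kubernetes-rbac-findings.md`), whereas `access-descriptors.yaml`, `caring-mapping.yaml` and `native-concepts.yaml` all match theirs. Either rename the file to `findings.yaml` or carry the longer name into the ID and brief, so that path-based lookup from an artifact ID stays predictable.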