Add CARING Kubernetes RBAC benchmark

2026-05-23 06:53:30 +02:00
parent 3f510855ef
commit fb3ac750d5
32 changed files with 1688 additions and 79 deletions

View File

@@ -99,3 +99,11 @@ current scope, future scope, consumer purposes, review decisions, evidence,
source observations, utility relationships, scope freshness, and SCOPE.md as an source observations, utility relationships, scope freshness, and SCOPE.md as an
interface profile. The pack is intended to seed the consumer-side repo-scoping interface profile. The pack is intended to seed the consumer-side repo-scoping
workplan while keeping proposed canon extensions reviewable. workplan while keeping proposed canon extensions reviewable.
## Benchmarks
CARING benchmark assets live under `infospace/standards/caring/benchmarks/`.
The first benchmark is `kubernetes-rbac`, which maps Kubernetes RBAC native
constructs into CARING descriptors and records canon pressure around native
roles, effective access, derived workload capabilities, induced secret exposure,
and the rule that a Namespace is not automatically a tenant boundary.
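Review bot: the path given here is repo-relative (`infospace/standards/caring/benchmarks/`) while the generated briefs and indexes record `standards/caring/benchmarks/kubernetes-rbac/...` as the canonical, infospace-relative path; say which root applies, and link the workspace README added in this commit under `standards/caring/benchmarks/kubernetes-rbac/README.md` so readers can reach the benchmark from this section.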

View File

@@ -0,0 +1,33 @@
---
id: agent-brief/benchmark-caring-kubernetes-rbac-access-descriptors
artifact_id: benchmark/caring/kubernetes-rbac/access-descriptors
source_path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
source_kind: access-descriptor-set
generated: true
---
<!-- GENERATED by info_tech_canon; do not edit by hand. -->
# Agent Brief: Kubernetes RBAC CARING Access Descriptors
- Artifact ID: `benchmark/caring/kubernetes-rbac/access-descriptors`
- Kind: `access-descriptor-set`
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`
- Full source: `standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`
- Summary: Structured CARING access descriptor set: Kubernetes RBAC CARING Access Descriptors.
## Retrieval Hints
Imports and anchors:
- `model/access-control`
- `model/devsecops`
- `model/security`
- `standard/caring`
## Owned Concepts
- `Kubernetes RBAC CARING Access Descriptors`
## Related Distinctions
No common distinction is anchored directly on this artifact.
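Review bot: `source_path` carries two different conventions across the generated outputs: in this brief's front matter it is the infospace-relative `standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml` (identical to the `Canonical path` bullet), while the retrieval index records `source_path` as the repo-relative `infospace/standards/...` and keeps `canonical_path` for the short form. Since `info_tech_canon` generates both, align the generator so one key name means one thing; the `Full source` bullet duplicating `Canonical path` suggests the brief meant to show the repo-relative path there.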

View File

@@ -0,0 +1,29 @@
---
id: agent-brief/benchmark-caring-kubernetes-rbac-caring-mapping
artifact_id: benchmark/caring/kubernetes-rbac/caring-mapping
source_path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
source_kind: caring-mapping
generated: true
---
<!-- GENERATED by info_tech_canon; do not edit by hand. -->
# Agent Brief: Kubernetes RBAC To CARING Mapping
- Artifact ID: `benchmark/caring/kubernetes-rbac/caring-mapping`
- Kind: `caring-mapping`
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml`
- Full source: `standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml`
- Summary: Native access model to CARING mapping: Kubernetes RBAC To CARING Mapping.
## Retrieval Hints
No imports or anchors recorded.
## Owned Concepts
- `Kubernetes RBAC To CARING Mapping`
## Related Distinctions
No common distinction is anchored directly on this artifact.

View File

@@ -0,0 +1,29 @@
---
id: agent-brief/benchmark-caring-kubernetes-rbac-findings
artifact_id: benchmark/caring/kubernetes-rbac/findings
source_path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
source_kind: benchmark-findings
generated: true
---
<!-- GENERATED by info_tech_canon; do not edit by hand. -->
# Agent Brief: Kubernetes RBAC Benchmark Findings And Canon Pressure
- Artifact ID: `benchmark/caring/kubernetes-rbac/findings`
- Kind: `benchmark-findings`
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml`
- Full source: `standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml`
- Summary: Benchmark findings, gaps, and canon pressure: Kubernetes RBAC Benchmark Findings And Canon Pressure.
## Retrieval Hints
No imports or anchors recorded.
## Owned Concepts
- `Kubernetes RBAC Benchmark Findings And Canon Pressure`
## Related Distinctions
No common distinction is anchored directly on this artifact.

View File

@@ -0,0 +1,29 @@
---
id: agent-brief/benchmark-caring-kubernetes-rbac-native-concepts
artifact_id: benchmark/caring/kubernetes-rbac/native-concepts
source_path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
source_kind: native-concept-map
generated: true
---
<!-- GENERATED by info_tech_canon; do not edit by hand. -->
# Agent Brief: Kubernetes RBAC Native Concept Map
- Artifact ID: `benchmark/caring/kubernetes-rbac/native-concepts`
- Kind: `native-concept-map`
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml`
- Full source: `standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml`
- Summary: Native source concept map for assimilation or benchmark work: Kubernetes RBAC Native Concept Map.
## Retrieval Hints
No imports or anchors recorded.
## Owned Concepts
- `Kubernetes RBAC Native Concept Map`
## Related Distinctions
No common distinction is anchored directly on this artifact.

View File

@@ -0,0 +1,31 @@
---
id: agent-brief/benchmark-caring-kubernetes-rbac
artifact_id: benchmark/caring/kubernetes-rbac
source_path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
source_kind: benchmark-workspace
generated: true
---
<!-- GENERATED by info_tech_canon; do not edit by hand. -->
# Agent Brief: CARING Kubernetes RBAC Benchmark
- Artifact ID: `benchmark/caring/kubernetes-rbac`
- Kind: `benchmark-workspace`
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml`
- Full source: `standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml`
- Summary: Benchmark workspace definition and review criteria: CARING Kubernetes RBAC Benchmark.
## Retrieval Hints
Imports and anchors:
- `standard/caring`
- `standard/tagging`
## Owned Concepts
- `CARING Kubernetes RBAC Benchmark`
## Related Distinctions
No common distinction is anchored directly on this artifact.

View File

@@ -5,8 +5,8 @@
This brief summarizes the current canon service surface for agents. This brief summarizes the current canon service surface for agents.
- Infospace slug: `canon` - Infospace slug: `canon`
- Artifact count: 49 - Artifact count: 54
- Retrieval index items: 49 - Retrieval index items: 54
- Primary confidence command: `make validate` - Primary confidence command: `make validate`
- Refresh generated indexes and views with: `make index` - Refresh generated indexes and views with: `make index`
- Refresh agent briefs and interface templates with: `make agent-briefs` - Refresh agent briefs and interface templates with: `make agent-briefs`

View File

@@ -43,8 +43,195 @@
} }
], ],
"infospace": "canon", "infospace": "canon",
"item_count": 49, "item_count": 54,
"items": [ "items": [
{
"canonical_path": "standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml",
"id": "benchmark/caring/kubernetes-rbac",
"imports": [
"standard/caring",
"standard/tagging"
],
"kind": "benchmark-workspace",
"owned_concepts": [
"CARING Kubernetes RBAC Benchmark"
],
"relationships": [
{
"target": "standard/caring",
"type": "conforms_to"
},
{
"target": "model/access-control",
"type": "stress_tests"
},
{
"target": "model/governance",
"type": "stress_tests"
},
{
"target": "model/security",
"type": "stress_tests"
},
{
"target": "model/devsecops",
"type": "stress_tests"
},
{
"target": "model/network",
"type": "stress_tests"
},
{
"target": "model/observability",
"type": "stress_tests"
},
{
"target": "standard/tagging",
"type": "uses"
}
],
"source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml",
"summary": "Benchmark workspace definition and review criteria: CARING Kubernetes RBAC Benchmark.",
"title": "CARING Kubernetes RBAC Benchmark",
"warnings": []
},
{
"canonical_path": "standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml",
"id": "benchmark/caring/kubernetes-rbac/access-descriptors",
"imports": [
"model/access-control",
"model/devsecops",
"model/security",
"standard/caring"
],
"kind": "access-descriptor-set",
"owned_concepts": [
"Kubernetes RBAC CARING Access Descriptors"
],
"relationships": [
{
"target": "benchmark/caring/kubernetes-rbac",
"type": "part_of"
},
{
"target": "standard/caring",
"type": "uses"
},
{
"target": "model/access-control",
"type": "uses"
},
{
"target": "model/security",
"type": "uses"
},
{
"target": "model/devsecops",
"type": "uses"
}
],
"source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml",
"summary": "Structured CARING access descriptor set: Kubernetes RBAC CARING Access Descriptors.",
"title": "Kubernetes RBAC CARING Access Descriptors",
"warnings": []
},
{
"canonical_path": "standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml",
"id": "benchmark/caring/kubernetes-rbac/caring-mapping",
"imports": [],
"kind": "caring-mapping",
"owned_concepts": [
"Kubernetes RBAC To CARING Mapping"
],
"relationships": [
{
"target": "benchmark/caring/kubernetes-rbac",
"type": "part_of"
},
{
"target": "standard/caring",
"type": "maps"
},
{
"target": "model/access-control",
"type": "maps"
},
{
"target": "model/governance",
"type": "maps"
},
{
"target": "model/security",
"type": "maps"
}
],
"source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml",
"summary": "Native access model to CARING mapping: Kubernetes RBAC To CARING Mapping.",
"title": "Kubernetes RBAC To CARING Mapping",
"warnings": []
},
{
"canonical_path": "standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml",
"id": "benchmark/caring/kubernetes-rbac/findings",
"imports": [],
"kind": "benchmark-findings",
"owned_concepts": [
"Kubernetes RBAC Benchmark Findings And Canon Pressure"
],
"relationships": [
{
"target": "benchmark/caring/kubernetes-rbac",
"type": "part_of"
},
{
"target": "standard/caring",
"type": "proposes"
},
{
"target": "model/governance",
"type": "proposes"
},
{
"target": "model/security",
"type": "proposes"
}
],
"source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml",
"summary": "Benchmark findings, gaps, and canon pressure: Kubernetes RBAC Benchmark Findings And Canon Pressure.",
"title": "Kubernetes RBAC Benchmark Findings And Canon Pressure",
"warnings": []
},
{
"canonical_path": "standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml",
"id": "benchmark/caring/kubernetes-rbac/native-concepts",
"imports": [],
"kind": "native-concept-map",
"owned_concepts": [
"Kubernetes RBAC Native Concept Map"
],
"relationships": [
{
"target": "benchmark/caring/kubernetes-rbac",
"type": "part_of"
},
{
"target": "standard/caring",
"type": "maps"
},
{
"target": "model/access-control",
"type": "maps"
},
{
"target": "model/landscape",
"type": "maps"
}
],
"source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml",
"summary": "Native source concept map for assimilation or benchmark work: Kubernetes RBAC Native Concept Map.",
"title": "Kubernetes RBAC Native Concept Map",
"warnings": []
},
{ {
"canonical_path": "evaluations/repo-scoping/canon-benefit-analysis.yaml", "canonical_path": "evaluations/repo-scoping/canon-benefit-analysis.yaml",
"id": "comparison/repo-scoping/canon-benefit-analysis", "id": "comparison/repo-scoping/canon-benefit-analysis",
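Review bot: three of the new items record `"imports": []` yet declare `maps`/`proposes` relationships to `standard/caring` and to models (`caring-mapping`, `findings`, `native-concepts`), so their briefs come out with no retrieval hints at all, whereas `access-descriptors` declares imports matching its `uses` targets and gets usable hints. Consider adding `imports` in caring-mapping.yaml, findings-and-canon-pressure.yaml and native-concepts.yaml for the standard and models they map against (native-concepts also targets `model/landscape`), or have the index derive hints from relationships when imports are empty.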

View File

@@ -4,7 +4,7 @@
Schema: `info-tech-canon.retrieval-index.v1` Schema: `info-tech-canon.retrieval-index.v1`
Infospace: `canon` Infospace: `canon`
Items: **49** Items: **54**
## Common Distinctions ## Common Distinctions
@@ -15,6 +15,56 @@ Items: **49**
## Items ## Items
### CARING Kubernetes RBAC Benchmark
- ID: `benchmark/caring/kubernetes-rbac`
- Kind: `benchmark-workspace`
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml`
- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml`
- Summary: Benchmark workspace definition and review criteria: CARING Kubernetes RBAC Benchmark.
- Imports and anchors: `standard/caring`, `standard/tagging`
- Owned concepts: `CARING Kubernetes RBAC Benchmark`
### Kubernetes RBAC CARING Access Descriptors
- ID: `benchmark/caring/kubernetes-rbac/access-descriptors`
- Kind: `access-descriptor-set`
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`
- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`
- Summary: Structured CARING access descriptor set: Kubernetes RBAC CARING Access Descriptors.
- Imports and anchors: `model/access-control`, `model/devsecops`, `model/security`, `standard/caring`
- Owned concepts: `Kubernetes RBAC CARING Access Descriptors`
### Kubernetes RBAC To CARING Mapping
- ID: `benchmark/caring/kubernetes-rbac/caring-mapping`
- Kind: `caring-mapping`
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml`
- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml`
- Summary: Native access model to CARING mapping: Kubernetes RBAC To CARING Mapping.
- Imports and anchors: none
- Owned concepts: `Kubernetes RBAC To CARING Mapping`
### Kubernetes RBAC Benchmark Findings And Canon Pressure
- ID: `benchmark/caring/kubernetes-rbac/findings`
- Kind: `benchmark-findings`
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml`
- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml`
- Summary: Benchmark findings, gaps, and canon pressure: Kubernetes RBAC Benchmark Findings And Canon Pressure.
- Imports and anchors: none
- Owned concepts: `Kubernetes RBAC Benchmark Findings And Canon Pressure`
### Kubernetes RBAC Native Concept Map
- ID: `benchmark/caring/kubernetes-rbac/native-concepts`
- Kind: `native-concept-map`
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml`
- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml`
- Summary: Native source concept map for assimilation or benchmark work: Kubernetes RBAC Native Concept Map.
- Imports and anchors: none
- Owned concepts: `Kubernetes RBAC Native Concept Map`
### Repo Scoping Canon Benefit Analysis ### Repo Scoping Canon Benefit Analysis
- ID: `comparison/repo-scoping/canon-benefit-analysis` - ID: `comparison/repo-scoping/canon-benefit-analysis`

View File

@@ -1,7 +1,124 @@
schema: info-tech-canon.retrieval-index.v1 schema: info-tech-canon.retrieval-index.v1
infospace: canon infospace: canon
item_count: 49 item_count: 54
items: items:
- id: benchmark/caring/kubernetes-rbac
kind: benchmark-workspace
title: CARING Kubernetes RBAC Benchmark
canonical_path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
summary: 'Benchmark workspace definition and review criteria: CARING Kubernetes
RBAC Benchmark.'
owned_concepts:
- CARING Kubernetes RBAC Benchmark
imports:
- standard/caring
- standard/tagging
relationships:
- type: conforms_to
target: standard/caring
- type: stress_tests
target: model/access-control
- type: stress_tests
target: model/governance
- type: stress_tests
target: model/security
- type: stress_tests
target: model/devsecops
- type: stress_tests
target: model/network
- type: stress_tests
target: model/observability
- type: uses
target: standard/tagging
warnings: []
- id: benchmark/caring/kubernetes-rbac/access-descriptors
kind: access-descriptor-set
title: Kubernetes RBAC CARING Access Descriptors
canonical_path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
summary: 'Structured CARING access descriptor set: Kubernetes RBAC CARING Access
Descriptors.'
owned_concepts:
- Kubernetes RBAC CARING Access Descriptors
imports:
- model/access-control
- model/devsecops
- model/security
- standard/caring
relationships:
- type: part_of
target: benchmark/caring/kubernetes-rbac
- type: uses
target: standard/caring
- type: uses
target: model/access-control
- type: uses
target: model/security
- type: uses
target: model/devsecops
warnings: []
- id: benchmark/caring/kubernetes-rbac/caring-mapping
kind: caring-mapping
title: Kubernetes RBAC To CARING Mapping
canonical_path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
summary: 'Native access model to CARING mapping: Kubernetes RBAC To CARING Mapping.'
owned_concepts:
- Kubernetes RBAC To CARING Mapping
imports: []
relationships:
- type: part_of
target: benchmark/caring/kubernetes-rbac
- type: maps
target: standard/caring
- type: maps
target: model/access-control
- type: maps
target: model/governance
- type: maps
target: model/security
warnings: []
- id: benchmark/caring/kubernetes-rbac/findings
kind: benchmark-findings
title: Kubernetes RBAC Benchmark Findings And Canon Pressure
canonical_path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
summary: 'Benchmark findings, gaps, and canon pressure: Kubernetes RBAC Benchmark
Findings And Canon Pressure.'
owned_concepts:
- Kubernetes RBAC Benchmark Findings And Canon Pressure
imports: []
relationships:
- type: part_of
target: benchmark/caring/kubernetes-rbac
- type: proposes
target: standard/caring
- type: proposes
target: model/governance
- type: proposes
target: model/security
warnings: []
- id: benchmark/caring/kubernetes-rbac/native-concepts
kind: native-concept-map
title: Kubernetes RBAC Native Concept Map
canonical_path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
summary: 'Native source concept map for assimilation or benchmark work: Kubernetes
RBAC Native Concept Map.'
owned_concepts:
- Kubernetes RBAC Native Concept Map
imports: []
relationships:
- type: part_of
target: benchmark/caring/kubernetes-rbac
- type: maps
target: standard/caring
- type: maps
target: model/access-control
- type: maps
target: model/landscape
warnings: []
- id: comparison/repo-scoping/canon-benefit-analysis - id: comparison/repo-scoping/canon-benefit-analysis
kind: benefit-analysis kind: benefit-analysis
title: Repo Scoping Canon Benefit Analysis title: Repo Scoping Canon Benefit Analysis

View File

@@ -242,6 +242,98 @@ artifacts:
target: model/task target: model/task
- type: imports - type: imports
target: standard/tagging target: standard/tagging
- id: benchmark/caring/kubernetes-rbac
path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
kind: benchmark-workspace
title: CARING Kubernetes RBAC Benchmark
provenance:
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
placement_workplan: ITC-WP-0010
relationships:
- type: conforms_to
target: standard/caring
- type: stress_tests
target: model/access-control
- type: stress_tests
target: model/governance
- type: stress_tests
target: model/security
- type: stress_tests
target: model/devsecops
- type: stress_tests
target: model/network
- type: stress_tests
target: model/observability
- type: uses
target: standard/tagging
- id: benchmark/caring/kubernetes-rbac/native-concepts
path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
kind: native-concept-map
title: Kubernetes RBAC Native Concept Map
provenance:
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
placement_workplan: ITC-WP-0010
relationships:
- type: part_of
target: benchmark/caring/kubernetes-rbac
- type: maps
target: standard/caring
- type: maps
target: model/access-control
- type: maps
target: model/landscape
- id: benchmark/caring/kubernetes-rbac/caring-mapping
path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
kind: caring-mapping
title: Kubernetes RBAC To CARING Mapping
provenance:
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
placement_workplan: ITC-WP-0010
relationships:
- type: part_of
target: benchmark/caring/kubernetes-rbac
- type: maps
target: standard/caring
- type: maps
target: model/access-control
- type: maps
target: model/governance
- type: maps
target: model/security
- id: benchmark/caring/kubernetes-rbac/access-descriptors
path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
kind: access-descriptor-set
title: Kubernetes RBAC CARING Access Descriptors
provenance:
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
placement_workplan: ITC-WP-0010
relationships:
- type: part_of
target: benchmark/caring/kubernetes-rbac
- type: uses
target: standard/caring
- type: uses
target: model/access-control
- type: uses
target: model/security
- type: uses
target: model/devsecops
- id: benchmark/caring/kubernetes-rbac/findings
path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
kind: benchmark-findings
title: Kubernetes RBAC Benchmark Findings And Canon Pressure
provenance:
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
placement_workplan: ITC-WP-0010
relationships:
- type: part_of
target: benchmark/caring/kubernetes-rbac
- type: proposes
target: standard/caring
- type: proposes
target: model/governance
- type: proposes
target: model/security
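Review bot: style: provenance is recorded as `placement_workplan: ITC-WP-0010` on each registry entry, while the new workspace README front matter carries `created_by_workplan: ITC-WP-0010` for the same workplan; if both denote the workplan that introduced the artifact, use one key name so registry and front matter can be cross-checked mechanically. The registry order (benchmark, native-concepts, caring-mapping, access-descriptors, findings) also differs from the index order; harmless, but sorting by id would keep future diffs small.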
- id: profile/small-saas - id: profile/small-saas
path: profiles/small-saas/profile.yaml path: profiles/small-saas/profile.yaml
kind: profile kind: profile

View File

@@ -1,5 +1,5 @@
root: infospace root: infospace
file_count: 131 file_count: 142
files: files:
- path: README.md - path: README.md
directory: . directory: .
@@ -7,6 +7,21 @@ files:
- path: agent/README.md - path: agent/README.md
directory: agent directory: agent
name: README.md name: README.md
- path: agent/briefs/benchmark-caring-kubernetes-rbac-access-descriptors.md
directory: agent/briefs
name: benchmark-caring-kubernetes-rbac-access-descriptors.md
- path: agent/briefs/benchmark-caring-kubernetes-rbac-caring-mapping.md
directory: agent/briefs
name: benchmark-caring-kubernetes-rbac-caring-mapping.md
- path: agent/briefs/benchmark-caring-kubernetes-rbac-findings.md
directory: agent/briefs
name: benchmark-caring-kubernetes-rbac-findings.md
- path: agent/briefs/benchmark-caring-kubernetes-rbac-native-concepts.md
directory: agent/briefs
name: benchmark-caring-kubernetes-rbac-native-concepts.md
- path: agent/briefs/benchmark-caring-kubernetes-rbac.md
directory: agent/briefs
name: benchmark-caring-kubernetes-rbac.md
- path: agent/briefs/comparison-repo-scoping-canon-benefit-analysis.md - path: agent/briefs/comparison-repo-scoping-canon-benefit-analysis.md
directory: agent/briefs directory: agent/briefs
name: comparison-repo-scoping-canon-benefit-analysis.md name: comparison-repo-scoping-canon-benefit-analysis.md
@@ -361,6 +376,24 @@ files:
- path: standards/caring/InfoTechCanonCaringAccessGovernanceStandard.md - path: standards/caring/InfoTechCanonCaringAccessGovernanceStandard.md
directory: standards/caring directory: standards/caring
name: InfoTechCanonCaringAccessGovernanceStandard.md name: InfoTechCanonCaringAccessGovernanceStandard.md
- path: standards/caring/benchmarks/kubernetes-rbac/README.md
directory: standards/caring/benchmarks/kubernetes-rbac
name: README.md
- path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
directory: standards/caring/benchmarks/kubernetes-rbac
name: access-descriptors.yaml
- path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
directory: standards/caring/benchmarks/kubernetes-rbac
name: benchmark.yaml
- path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
directory: standards/caring/benchmarks/kubernetes-rbac
name: caring-mapping.yaml
- path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
directory: standards/caring/benchmarks/kubernetes-rbac
name: findings-and-canon-pressure.yaml
- path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
directory: standards/caring/benchmarks/kubernetes-rbac
name: native-concepts.yaml
- path: standards/tagging/InfoTechCanonTaggingStandard.md - path: standards/tagging/InfoTechCanonTaggingStandard.md
directory: standards/tagging directory: standards/tagging
name: InfoTechCanonTaggingStandard.md name: InfoTechCanonTaggingStandard.md

View File

@@ -1,5 +1,25 @@
concept_count: 74 concept_count: 79
concepts: concepts:
- concept: CARING Kubernetes RBAC Benchmark
owner: benchmark/caring/kubernetes-rbac
path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
source: artifact_title
- concept: Kubernetes RBAC CARING Access Descriptors
owner: benchmark/caring/kubernetes-rbac/access-descriptors
path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
source: artifact_title
- concept: Kubernetes RBAC To CARING Mapping
owner: benchmark/caring/kubernetes-rbac/caring-mapping
path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
source: artifact_title
- concept: Kubernetes RBAC Benchmark Findings And Canon Pressure
owner: benchmark/caring/kubernetes-rbac/findings
path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
source: artifact_title
- concept: Kubernetes RBAC Native Concept Map
owner: benchmark/caring/kubernetes-rbac/native-concepts
path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
source: artifact_title
- concept: Repo Scoping Canon Benefit Analysis - concept: Repo Scoping Canon Benefit Analysis
owner: comparison/repo-scoping/canon-benefit-analysis owner: comparison/repo-scoping/canon-benefit-analysis
path: evaluations/repo-scoping/canon-benefit-analysis.yaml path: evaluations/repo-scoping/canon-benefit-analysis.yaml

View File

@@ -1,4 +1,9 @@
artifacts: artifacts:
- benchmark/caring/kubernetes-rbac
- benchmark/caring/kubernetes-rbac/access-descriptors
- benchmark/caring/kubernetes-rbac/caring-mapping
- benchmark/caring/kubernetes-rbac/findings
- benchmark/caring/kubernetes-rbac/native-concepts
- comparison/repo-scoping/canon-benefit-analysis - comparison/repo-scoping/canon-benefit-analysis
- comparison/repo-scoping/consumer-workplan-brief - comparison/repo-scoping/consumer-workplan-brief
- comparison/repo-scoping/extension-candidates - comparison/repo-scoping/extension-candidates
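Review bot: the artifact list registers five benchmark ids but not `benchmark/caring/kubernetes-rbac/readme`, which the new `standards/caring/benchmarks/kubernetes-rbac/README.md` declares as its `id` in front matter with `status: candidate`. Either register the README as an artifact (with a `part_of` relationship to the benchmark) or drop the id-bearing front matter; otherwise an id exists that nothing in the index resolves.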
@@ -49,6 +54,68 @@ artifacts:
- standard/caring - standard/caring
- standard/tagging - standard/tagging
rows: rows:
- artifact: benchmark/caring/kubernetes-rbac
targets:
model/access-control:
- stress_tests
model/devsecops:
- stress_tests
model/governance:
- stress_tests
model/network:
- stress_tests
model/observability:
- stress_tests
model/security:
- stress_tests
standard/caring:
- conforms_to
standard/tagging:
- uses
- artifact: benchmark/caring/kubernetes-rbac/access-descriptors
targets:
benchmark/caring/kubernetes-rbac:
- part_of
model/access-control:
- uses
model/devsecops:
- uses
model/security:
- uses
standard/caring:
- uses
- artifact: benchmark/caring/kubernetes-rbac/caring-mapping
targets:
benchmark/caring/kubernetes-rbac:
- part_of
model/access-control:
- maps
model/governance:
- maps
model/security:
- maps
standard/caring:
- maps
- artifact: benchmark/caring/kubernetes-rbac/findings
targets:
benchmark/caring/kubernetes-rbac:
- part_of
model/governance:
- proposes
model/security:
- proposes
standard/caring:
- proposes
- artifact: benchmark/caring/kubernetes-rbac/native-concepts
targets:
benchmark/caring/kubernetes-rbac:
- part_of
model/access-control:
- maps
model/landscape:
- maps
standard/caring:
- maps
- artifact: comparison/repo-scoping/canon-benefit-analysis - artifact: comparison/repo-scoping/canon-benefit-analysis
targets: targets:
comparison/repo-scoping/report: comparison/repo-scoping/report:

View File

@@ -0,0 +1,30 @@
---
id: benchmark/caring/kubernetes-rbac/readme
title: CARING Kubernetes RBAC Benchmark Workspace
status: candidate
created_by_workplan: ITC-WP-0010
---
# CARING Kubernetes RBAC Benchmark
This workspace analyzes Kubernetes RBAC as a CARING benchmark, not as a
shortcut profile. It is designed to stress access-governance orthogonality
across Access Control, Organization, Governance, Security, Landscape,
DevSecOps, Network, Observability, Task, and Tagging.
The benchmark keeps Kubernetes native constructs separate from CARING meaning:
- `Role` and `ClusterRole` are rule bundles or capability profiles, not
automatically CARING canonical roles.
- `RoleBinding` and `ClusterRoleBinding` are grants or assignments.
- `ServiceAccount` is a service subject and a workload identity anchor.
- `Namespace` is a useful scope signal, but it is not automatically a tenant
boundary.
Indexed benchmark artifacts:
- `benchmark.yaml`
- `native-concepts.yaml`
- `caring-mapping.yaml`
- `access-descriptors.yaml`
- `findings-and-canon-pressure.yaml`
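Review bot: the scope sentence lists ten canon areas (Access Control, Organization, Governance, Security, Landscape, DevSecOps, Network, Observability, Task, Tagging), but benchmark.yaml's recorded `stress_tests` relationships cover only model/access-control, model/governance, model/security, model/devsecops, model/network and model/observability, with `standard/tagging` as `uses`; Organization, Landscape and Task have no relationship from the workspace at all (only native-concepts maps `model/landscape`). Either add the missing `stress_tests` targets or narrow the sentence to what the benchmark actually exercises. The `Namespace` bullet would also read better with one sentence on what evidence does establish a tenant boundary, which the namespace-boundary descriptor already enumerates (access, network, runtime, data and governance evidence).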

View File

@@ -0,0 +1,164 @@
id: benchmark/caring/kubernetes-rbac/access-descriptors
title: Kubernetes RBAC CARING Access Descriptors
status: candidate
benchmark: benchmark/caring/kubernetes-rbac
descriptor_classes:
- declared_access
- effective_access
- derived_capability
- induced_access
descriptors:
- id: descriptor/namespace-pod-reader/declared
case_id: namespace-pod-reader
descriptor_class: declared_access
subject: serviceaccount:tenant-a:report-viewer
organization_relation: customer-operated-service
canonical_role: Viewer
scope: namespace:tenant-a
plane: Runtime
capabilities:
- get pods
- list pods
- watch pods
exposure_mode: metadata-and-runtime-state
lifecycle_state: steady-state-observation
conditions:
- bound by RoleBinding in namespace tenant-a
restrictions:
- no pod mutation
- no secret read
- namespace is not accepted as tenant boundary without additional evidence
native_evidence:
- Role/report-viewer
- RoleBinding/report-viewer-binding
- ServiceAccount/report-viewer
- id: descriptor/workload-creator/declared
case_id: workload-creator-derived-execution
descriptor_class: declared_access
subject: serviceaccount:tenant-a:job-runner
organization_relation: customer-operated-automation
canonical_role: Doer
scope: namespace:tenant-a
plane: Runtime
capabilities:
- create pods
- get pods
- delete pods
exposure_mode: workload-specification-control
lifecycle_state: job-execution
conditions:
- bound by RoleBinding in namespace tenant-a
restrictions:
- no direct secret get/list/watch declared
native_evidence:
- Role/job-runner
- RoleBinding/job-runner-binding
- ServiceAccount/job-runner
- id: descriptor/workload-creator/effective
case_id: workload-creator-derived-execution
descriptor_class: effective_access
subject: serviceaccount:tenant-a:job-runner
organization_relation: customer-operated-automation
canonical_role: Doer
scope: namespace:tenant-a
plane: Runtime
capabilities:
- create workload
- select pod service account
- influence mounted volumes
- execute container image
exposure_mode: mediated-runtime-execution
lifecycle_state: job-execution
conditions:
- pod admission and service-account mount behavior determine actual reach
restrictions:
- effective access must be checked against admission policy and service-account permissions
native_evidence:
- create pods verb
- pod spec serviceAccountName
- projected service account token behavior
- id: descriptor/workload-creator/derived
case_id: workload-creator-derived-execution
descriptor_class: derived_capability
subject: serviceaccount:tenant-a:job-runner
organization_relation: customer-operated-automation
canonical_role: Doer
scope: namespace:tenant-a
plane: Runtime
capabilities:
- execute arbitrary workload image
- use mounted service account identity
- read mounted runtime inputs
exposure_mode: derived-execution-and-identity-use
lifecycle_state: job-execution
conditions:
- derived from create pods permission
restrictions:
- must be bounded by admission controls, image policy, and service-account selection rules
native_evidence:
- Role/job-runner create pods
- id: descriptor/workload-creator/induced
case_id: workload-creator-derived-execution
descriptor_class: induced_access
subject: serviceaccount:tenant-a:job-runner
organization_relation: customer-operated-automation
canonical_role: Doer
scope: namespace:tenant-a
plane: Secret
capabilities:
- potential secret exposure through mounted volumes
- potential token exposure through mounted identity
exposure_mode: induced-secret-and-identity-exposure
lifecycle_state: job-execution
conditions:
- induced path exists only when workload can mount or reach sensitive material
restrictions:
- classify as candidate finding until manifests, admission, and secret references are reviewed
native_evidence:
- pod volume mounts
- service account token projection
- secret references in pod spec
- id: descriptor/cluster-secret-reader/declared
case_id: cluster-secret-reader
descriptor_class: declared_access
subject: serviceaccount:platform:inventory
organization_relation: platform-service-provider
canonical_role: Auditor
scope: cluster
plane: Secret
capabilities:
- get secrets
- list secrets
- watch secrets
exposure_mode: sensitive-data-read
lifecycle_state: operational-inventory
conditions:
- bound by ClusterRoleBinding
restrictions:
- requires governance review and audit evidence
native_evidence:
- ClusterRole/secret-reader
- ClusterRoleBinding/inventory-secret-reader
- ServiceAccount/inventory
- id: descriptor/namespace-boundary/review
case_id: namespace-as-tenant-boundary
descriptor_class: effective_access
subject: tenant-boundary-claim:tenant-a
organization_relation: platform-provider
canonical_role: Governor
scope: namespace:tenant-a
plane: Policy
capabilities:
- claim tenant isolation
- review access and runtime boundaries
exposure_mode: governance-claim
lifecycle_state: design-review
conditions:
- claim must be supported by access, network, runtime, data, and governance evidence
restrictions:
- namespace alone is insufficient evidence
native_evidence:
- Namespace/tenant-a
- RoleBinding set
- NetworkPolicy set
- ResourceQuota set
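Review bot: the descriptors assign `canonical_role: Doer`, `canonical_role: Auditor` and `canonical_role: Governor` without recording the lifecycle-responsibility rationale that this benchmark's own native-role warning requires before a canonical role is accepted; `descriptor/cluster-secret-reader/declared` is the sharpest case, since a ServiceAccount holding cluster-wide `get secrets`, `list secrets` and `watch secrets` is labelled Auditor on the strength of its binding alone. Suggest adding a `canonical_role_rationale` field (or an explicit `canonical_role: unassigned`) so a reviewer can see why each role was chosen. Separately, `descriptor/namespace-boundary/review` reuses `descriptor_class: effective_access` for a governance claim whose subject is `tenant-boundary-claim:tenant-a` rather than a principal; that deserves a distinct descriptor class, or a note that the reuse is deliberate, otherwise the effective-access class stops meaning "what a principal can actually reach".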

View File

@@ -0,0 +1,102 @@
id: benchmark/caring/kubernetes-rbac
title: CARING Kubernetes RBAC Benchmark
status: candidate
standard: standard/caring
created_by_workplan: ITC-WP-0010
purpose: Stress-test CARING descriptor shape against Kubernetes RBAC without treating Kubernetes native names as canon roles.
source_corpus:
- id: kubernetes-rbac-reference
title: Kubernetes RBAC Reference
source_type: vendor-documentation
url: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
role: primary-native-model-reference
- id: kubernetes-service-account-concepts
title: Kubernetes Service Accounts
source_type: vendor-documentation
url: https://kubernetes.io/docs/concepts/security/service-accounts/
role: workload-identity-reference
- id: local-caring-standard
title: InfoTechCanon CARING Access Governance Standard
source_type: canon-standard
path: standards/caring/InfoTechCanonCaringAccessGovernanceStandard.md
role: descriptor-vocabulary
cases:
- id: namespace-pod-reader
title: Namespace-Scoped Pod Reader
native_objects:
- Role
- RoleBinding
- ServiceAccount
- Namespace
stress_focus:
- declared-access
- scope-mapping
- native-role-warning
expected_outputs:
- Role maps to a scoped capability profile over get/list/watch pods.
- RoleBinding maps to a grant from subject to capability profile.
- Namespace is recorded as Kubernetes scope, not tenant boundary.
- id: workload-creator-derived-execution
title: Workload Creator With Derived Execution Capability
native_objects:
- Role
- RoleBinding
- ServiceAccount
- Pod
- Secret
stress_focus:
- declared-access
- effective-access
- derived-capability
- induced-access
expected_outputs:
- Create pod is declared as workload creation access.
- Execute workload is derived from the ability to create pods.
- Mounted service-account and secret exposure are induced access candidates.
- id: cluster-secret-reader
title: ClusterRole Secret Reader
native_objects:
- ClusterRole
- ClusterRoleBinding
- ServiceAccount
- Secret
stress_focus:
- cluster-scope
- exposure-mode
- governance-review
expected_outputs:
- ClusterRole maps to cluster-scoped data exposure capability.
- ClusterRoleBinding broadens scope beyond a namespace.
- Secret read access produces security and governance findings.
- id: namespace-as-tenant-boundary
title: Namespace Used As Tenant Boundary Claim
native_objects:
- Namespace
- Role
- RoleBinding
- NetworkPolicy
- ResourceQuota
stress_focus:
- tenant-boundary-warning
- cross-model-evidence
- review-criteria
expected_outputs:
- Namespace alone cannot prove tenant isolation.
- Tenant-boundary claim requires access, network, data, runtime, and governance evidence.
- Missing evidence creates a canon pressure finding instead of an approved boundary claim.
expected_outputs:
- Native concept map covering Role, ClusterRole, RoleBinding, ClusterRoleBinding, ServiceAccount, Namespace, verbs, resources, and scopes.
- CARING mapping that separates native role objects from canonical roles, capability profiles, grants, scopes, planes, and exposure modes.
- Access descriptors that distinguish declared access, effective access, derived capability, and induced access.
- Findings that identify gaps, conflicts, and proposed canon changes without changing standards silently.
review_criteria:
- id: descriptor-completeness
criterion: Every benchmark case has at least one CARING access descriptor with subject, scope, plane, capabilities, exposure mode, lifecycle state, and native evidence.
- id: native-role-warning
criterion: Kubernetes Role and ClusterRole are never accepted as CARINGCanonicalRole without an explicit mapping rationale.
- id: namespace-boundary-check
criterion: Namespace isolation is treated as a claim requiring evidence, not as a tenant boundary by default.
- id: effective-access-analysis
criterion: Create or update workload permissions are reviewed for derived execution, mounted identity, secret, and volume exposure.
- id: canon-pressure-routing
criterion: Gaps become reviewable proposed changes, tasks, or open questions rather than immediate model changes.
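Review bot: the `descriptor-completeness` criterion lists subject, scope, plane, capabilities, exposure mode, lifecycle state and native evidence but not `descriptor_class`, even though the top-level expected output "Access descriptors that distinguish declared access, effective access, derived capability, and induced access" depends on every descriptor carrying one; `organization_relation`, `canonical_role` and `restrictions` are likewise missing from the criterion while the descriptor set in this commit populates all of them. Suggest stating the criterion as the full required field list so the review criteria and the descriptor shape cannot drift apart. Also, `effective-access-analysis` speaks of "Create or update workload permissions", but `workload-creator-derived-execution` declares `create pods`, `get pods` and `delete pods` with no update or patch verb; either add an update/patch variant of the case or note that it is deferred to the follow-up case corpus, so the criterion is actually exercised by a case.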

View File

@@ -0,0 +1,79 @@
id: benchmark/caring/kubernetes-rbac/caring-mapping
title: Kubernetes RBAC To CARING Mapping
status: candidate
benchmark: benchmark/caring/kubernetes-rbac
namespace_tenant_boundary_warning: true
mappings:
- native_concept: Role
caring_dimension: capability_profile
canon_targets:
- standard/caring:CARINGCapabilityProfile
- model/access-control:Permission
- model/governance:Policy
mapping_rule: Interpret Role rules as scoped capability bundles over verbs, resources, API groups, and resource names.
- native_concept: ClusterRole
caring_dimension: capability_profile
canon_targets:
- standard/caring:CARINGCapabilityProfile
- model/access-control:Permission
- model/governance:Policy
mapping_rule: Interpret ClusterRole rules as cluster-scope or reusable capability bundles; do not infer organization responsibility.
- native_concept: RoleBinding
caring_dimension: declared_access
canon_targets:
- standard/caring:CARINGDeclaredAccessMap
- model/access-control:Grant
- model/governance:Decision
mapping_rule: Bind subject to a Role or ClusterRole within the RoleBinding namespace.
- native_concept: ClusterRoleBinding
caring_dimension: declared_access
canon_targets:
- standard/caring:CARINGDeclaredAccessMap
- model/access-control:Grant
- model/governance:Decision
mapping_rule: Bind subject to a ClusterRole at cluster scope.
- native_concept: ServiceAccount
caring_dimension: subject
canon_targets:
- model/access-control:Subject
- model/devsecops:WorkloadIdentity
- model/organization:Service
mapping_rule: Treat ServiceAccount as a service subject; map workload use separately as effective or induced access.
- native_concept: Namespace
caring_dimension: scope
canon_targets:
- model/access-control:ResourceScope
- model/landscape:RuntimeContainment
- model/network:SegmentationContext
mapping_rule: Use Namespace as a Kubernetes scope signal; require additional evidence before mapping it to TenantBoundary.
- native_concept: Verb
caring_dimension: capability
canon_targets:
- model/access-control:Action
- standard/caring:CARINGCapabilityProfile
mapping_rule: Interpret verbs in combination with resources because create pods and get secrets have different exposure consequences.
- native_concept: Resource
caring_dimension: scope
canon_targets:
- model/access-control:Resource
- model/landscape:RuntimeResource
- model/security:ExposureTarget
mapping_rule: Map resources to access targets and then evaluate exposure, derived capability, and plane.
- native_concept: Scope
caring_dimension: scope
canon_targets:
- model/access-control:ResourceScope
- model/landscape:LandscapeScope
- model/governance:GovernanceScope
mapping_rule: Preserve namespace, cluster, API group, resource, and resourceName boundaries as separate scope facets.
analysis_rules:
- id: native-role-warning
rule: Do not map Role or ClusterRole to CARINGCanonicalRole without an explicit lifecycle-responsibility rationale.
- id: declared-to-effective
rule: Translate bindings into declared access first, then test workload, controller, service-account, secret, and volume paths for effective access.
- id: derived-workload-execution
rule: Permissions that create or update workload specs may imply derived execution and mounted identity capabilities.
- id: secret-exposure
rule: Permissions over secrets, pods, serviceaccounts, roles, rolebindings, or escalation verbs require security and governance review.
- id: namespace-tenant-boundary
rule: Namespace isolation claims require evidence from access control, runtime configuration, network policy, data isolation, and governance ownership.
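Review bot: the mapping has a subject entry only for `native_concept: ServiceAccount`, yet the RoleBinding and ClusterRoleBinding rules read "Bind subject to a Role or ClusterRole ..." and "Bind subject to a ClusterRole at cluster scope" generically; a binding whose subject is a User or Group (the other subject kinds Kubernetes RBAC accepts) has no `caring_dimension: subject` row and would have to be forced into the ServiceAccount mapping, which explicitly says "service subject". Suggest adding User and Group rows (human actor and collective principal respectively) or an explicit constraint stating that this benchmark scopes subjects to ServiceAccount only. Minor: the `secret-exposure` analysis rule refers to "escalation verbs" without naming them; listing bind, impersonate and escalate here, as the native concept map does for the Verb concept, removes ambiguity about which verbs trigger review.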

View File

@@ -0,0 +1,76 @@
id: benchmark/caring/kubernetes-rbac/findings
title: Kubernetes RBAC Benchmark Findings And Canon Pressure
status: candidate
benchmark: benchmark/caring/kubernetes-rbac
stable_findings:
- id: finding/native-role-is-rule-bundle
severity: high
summary: Kubernetes Role and ClusterRole are native rule bundles, not automatically CARING canonical roles.
canon_pressure:
- Keep the native role warning visible in CARING validation.
- Add benchmark assertions that reject direct Role to CARINGCanonicalRole mappings without rationale.
- id: finding/namespace-not-tenant-boundary
severity: high
summary: Namespace is a useful scope signal but does not by itself prove tenant isolation.
canon_pressure:
- Treat tenant-boundary claims as reviewable evidence bundles across access, network, data, runtime, and governance.
- Add a reusable tenant-boundary review pattern if this recurs in other benchmarks.
- id: finding/workload-create-derives-execution
severity: high
summary: Workload creation permissions can derive runtime execution, mounted identity use, volume access, and secret exposure paths.
canon_pressure:
- Clarify ownership of DerivedCapability between CARING, Access Control, Security, and DevSecOps.
- Add effective-access checks for workload-mediated permission paths.
- id: finding/serviceaccount-is-service-subject
severity: medium
summary: ServiceAccount should map to a service subject and workload identity, not to a human actor or organization role.
canon_pressure:
- Strengthen subject and principal distinctions in access reviews.
- Preserve actor, subject, principal, and workload identity as separate concepts.
gaps:
- id: gap/caring-access-descriptor-schema
title: Machine-readable CARING descriptor schema
description: The benchmark uses structured descriptors, but there is not yet a formal schema for CARINGAccessDescriptor.
proposed_route: Create schema under a future CARING validation workplan.
- id: gap/effective-access-calculus
title: Effective access derivation rules
description: The canon needs reusable derivation rules for workload creation, mounted identities, secrets, impersonation, bind, and escalate.
proposed_route: Add validation rules after more benchmark cases are exercised.
- id: gap/tenant-boundary-evidence-profile
title: Tenant boundary evidence profile
description: Namespace boundary claims need a reusable evidence profile spanning access, network, runtime, data, and governance controls.
proposed_route: Candidate pattern or profile, not an immediate standard change.
conflicts:
- id: conflict/native-role-name
summary: Kubernetes native Role conflicts with the everyday meaning of role and with CARINGCanonicalRole.
resolution: Preserve native construct name and require explicit mapping to capability profile or canonical role.
- id: conflict/scope-overload
summary: Kubernetes namespace, resource scope, governance scope, tenant scope, and CARING scope can be conflated.
resolution: Record scope facets separately and only approve tenant-boundary claims after evidence review.
proposed_changes:
- id: proposal/caring-descriptor-schema
owner: standard/caring
change_type: new-schema
proposal: Add a CARING access descriptor schema with required fields for subject, organization relation, canonical role, scope, plane, capabilities, exposure mode, lifecycle state, restrictions, descriptor class, and native evidence.
- id: proposal/kubernetes-rbac-validation-rules
owner: standard/caring
change_type: benchmark-validation
proposal: Add CARING validation rules for native role warning, namespace tenant-boundary claims, workload-derived execution, and secret exposure.
- id: proposal/tenant-boundary-review-pattern
owner: model/governance
change_type: new-pattern
proposal: Add a review pattern for tenant-boundary claims that requires evidence from access control, network, runtime, data, security, and governance.
- id: proposal/derived-capability-ownership
owner: standard/caring
change_type: open-question
proposal: Decide whether DerivedCapability remains CARING-owned or becomes shared with Access Control and Security through a model profile.
follow_up_tasks:
- id: task/formalize-caring-descriptor-schema
target_workplan: proposed
summary: Create the CARING access descriptor schema and validate this benchmark against it.
- id: task/add-kubernetes-rbac-case-corpus
target_workplan: proposed
summary: Add concrete Kubernetes YAML manifests for the four benchmark cases and expected parsed observations.
- id: task/expand-effective-access-engine
target_workplan: proposed
summary: Prototype derivation rules for pod creation, service-account mounting, secrets, bind, escalate, and impersonate.
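Review bot: none of the `stable_findings`, `gaps` or `conflicts` link back to the benchmark case or descriptor ids that produced them, so the canon-pressure items are not traceable to evidence in the way the descriptors themselves are (each descriptor carries `native_evidence`). Suggest an `evidence:` list per finding, for example `- descriptor/workload-creator/derived` under `finding/workload-create-derives-execution` and `- namespace-as-tenant-boundary` under `finding/namespace-not-tenant-boundary`, so that a reader can check a finding against the descriptor that supports it. The `severity` values (high, medium) also have no declared scale; a short `severity_scale:` entry, or a reference to where the scale is defined, would let findings be compared across benchmarks.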

View File

@@ -0,0 +1,87 @@
id: benchmark/caring/kubernetes-rbac/native-concepts
title: Kubernetes RBAC Native Concept Map
status: candidate
benchmark: benchmark/caring/kubernetes-rbac
namespace_tenant_boundary_warning: true
concepts:
- native: Role
category: rule-bundle
native_scope: namespace
caring_mapping: CARINGCapabilityProfile
canon_mappings:
- model/access-control:PermissionSet
- model/governance:Policy
notes: A Role defines permissions within one namespace and is not automatically a CARINGCanonicalRole.
- native: ClusterRole
category: rule-bundle
native_scope: cluster
caring_mapping: CARINGCapabilityProfile
canon_mappings:
- model/access-control:PermissionSet
- model/governance:Policy
notes: A ClusterRole can define cluster-scoped permissions or reusable rule bundles for namespace bindings.
- native: RoleBinding
category: assignment
native_scope: namespace
caring_mapping: CARINGDeclaredAccessMap
canon_mappings:
- model/access-control:Grant
- model/governance:AssignmentDecision
notes: A RoleBinding grants a Role or ClusterRole to subjects within a namespace.
- native: ClusterRoleBinding
category: assignment
native_scope: cluster
caring_mapping: CARINGDeclaredAccessMap
canon_mappings:
- model/access-control:Grant
- model/governance:AssignmentDecision
notes: A ClusterRoleBinding grants a ClusterRole across cluster scope.
- native: ServiceAccount
category: service-subject
native_scope: namespace
caring_mapping: Subject
canon_mappings:
- model/access-control:Subject
- model/organization:Service
- model/devsecops:WorkloadIdentity
notes: A ServiceAccount is a service subject and workload identity anchor, not a human actor.
- native: Namespace
category: scope-signal
native_scope: namespace
caring_mapping: Scope
canon_mappings:
- model/landscape:RuntimeContainment
- model/access-control:ResourceScope
- model/network:SegmentationContext
notes: A Namespace is not automatically a tenant boundary; tenant isolation needs supporting access, network, data, and governance evidence.
- native: Verb
category: action
native_scope: rule
caring_mapping: Capability
canon_mappings:
- model/access-control:Action
- standard/caring:CARINGCapabilityProfile
notes: Verbs such as get, list, watch, create, update, patch, delete, bind, impersonate, and escalate must be interpreted by resource and scope.
- native: Resource
category: target
native_scope: api-group
caring_mapping: Scope
canon_mappings:
- model/access-control:Resource
- model/landscape:RuntimeResource
- model/data:ProtectedInformationAsset
notes: Resources such as pods, secrets, roles, rolebindings, and serviceaccounts carry different exposure and derived-capability implications.
- native: Scope
category: boundary
native_scope: namespace-or-cluster
caring_mapping: Scope
canon_mappings:
- model/access-control:ResourceScope
- model/landscape:LandscapeScope
- model/governance:GovernanceScope
notes: Kubernetes scope must be declared explicitly as namespace, cluster, API group, resource, and optionally tenant claim with evidence.
mapping_constraints:
- Kubernetes native names are preserved as source semantics.
- CARING canonical roles are assigned only after analyzing lifecycle responsibility posture.
- Namespace tenancy is a reviewable claim, not a default mapping.
- Effective access must include controller-mediated and workload-mediated paths where relevant.
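Review bot: the `canon_mappings` here disagree with the `canon_targets` recorded for the same native concepts in the caring-mapping file added by this commit: Role and ClusterRole map to `model/access-control:PermissionSet` here but `model/access-control:Permission` there; RoleBinding and ClusterRoleBinding map to `model/governance:AssignmentDecision` here but `model/governance:Decision` there; Resource gets `model/data:ProtectedInformationAsset` here but `model/security:ExposureTarget` there. Either reconcile the two files or state which one is authoritative for canon identifiers, since a generated index will otherwise report both targets as if both were agreed. Minor: `caring_mapping` mixes typed names (`CARINGCapabilityProfile`, `CARINGDeclaredAccessMap`) with bare dimension names (`Subject`, `Scope`, `Capability`); picking one convention now will make the proposed descriptor schema validation simpler.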

View File

@@ -1,14 +1,14 @@
{ {
"details": { "details": {
"artifact_count": 49, "artifact_count": 54,
"relationship_count": 212 "relationship_count": 238
}, },
"errors": [], "errors": [],
"metrics": { "metrics": {
"coherence_components": 1.0, "coherence_components": 1.0,
"consistency_cycles": 0.0, "consistency_cycles": 0.0,
"coverage_ratio": 1.0, "coverage_ratio": 1.0,
"granularity_entropy": 3.6776822595640257, "granularity_entropy": 3.9972143235892474,
"redundancy_ratio": 0.0 "redundancy_ratio": 0.0
}, },
"ok": true, "ok": true,

View File

@@ -2,10 +2,15 @@
# By Concept # By Concept
Concept count: **74** Concept count: **79**
| Concept | Owner | Source | | Concept | Owner | Source |
| --- | --- | --- | | --- | --- | --- |
| CARING Kubernetes RBAC Benchmark | `benchmark/caring/kubernetes-rbac` | `artifact_title` |
| Kubernetes RBAC CARING Access Descriptors | `benchmark/caring/kubernetes-rbac/access-descriptors` | `artifact_title` |
| Kubernetes RBAC To CARING Mapping | `benchmark/caring/kubernetes-rbac/caring-mapping` | `artifact_title` |
| Kubernetes RBAC Benchmark Findings And Canon Pressure | `benchmark/caring/kubernetes-rbac/findings` | `artifact_title` |
| Kubernetes RBAC Native Concept Map | `benchmark/caring/kubernetes-rbac/native-concepts` | `artifact_title` |
| Repo Scoping Canon Benefit Analysis | `comparison/repo-scoping/canon-benefit-analysis` | `artifact_title` | | Repo Scoping Canon Benefit Analysis | `comparison/repo-scoping/canon-benefit-analysis` | `artifact_title` |
| Repo Scoping Consumer Workplan Brief | `comparison/repo-scoping/consumer-workplan-brief` | `artifact_title` | | Repo Scoping Consumer Workplan Brief | `comparison/repo-scoping/consumer-workplan-brief` | `artifact_title` |
| Repo Scoping Canon Extension Candidates | `comparison/repo-scoping/extension-candidates` | `artifact_title` | | Repo Scoping Canon Extension Candidates | `comparison/repo-scoping/extension-candidates` | `artifact_title` |

View File

@@ -2,6 +2,13 @@
# By Mapping Target # By Mapping Target
## `benchmark/caring/kubernetes-rbac`
- `benchmark/caring/kubernetes-rbac/access-descriptors` via `part_of`
- `benchmark/caring/kubernetes-rbac/caring-mapping` via `part_of`
- `benchmark/caring/kubernetes-rbac/findings` via `part_of`
- `benchmark/caring/kubernetes-rbac/native-concepts` via `part_of`
## `comparison/repo-scoping/report` ## `comparison/repo-scoping/report`
- `comparison/repo-scoping/canon-benefit-analysis` via `part_of` - `comparison/repo-scoping/canon-benefit-analysis` via `part_of`
@@ -57,6 +64,10 @@
## `model/access-control` ## `model/access-control`
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
- `benchmark/caring/kubernetes-rbac/access-descriptors` via `uses`
- `benchmark/caring/kubernetes-rbac/caring-mapping` via `maps`
- `benchmark/caring/kubernetes-rbac/native-concepts` via `maps`
- `evaluation/user-engine` via `uses` - `evaluation/user-engine` via `uses`
- `evaluation/user-engine/questions` via `uses` - `evaluation/user-engine/questions` via `uses`
- `evaluation/user-engine/small-saas-alignment` via `uses` - `evaluation/user-engine/small-saas-alignment` via `uses`
@@ -80,6 +91,8 @@
## `model/devsecops` ## `model/devsecops`
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
- `benchmark/caring/kubernetes-rbac/access-descriptors` via `uses`
- `conformance/railiance-fabric` via `uses` - `conformance/railiance-fabric` via `uses`
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses` - `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
- `conformance/railiance-fabric/mapping-expectations` via `maps` - `conformance/railiance-fabric/mapping-expectations` via `maps`
@@ -90,6 +103,9 @@
## `model/governance` ## `model/governance`
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
- `benchmark/caring/kubernetes-rbac/caring-mapping` via `maps`
- `benchmark/caring/kubernetes-rbac/findings` via `proposes`
- `comparison/repo-scoping/canon-benefit-analysis` via `maps` - `comparison/repo-scoping/canon-benefit-analysis` via `maps`
- `comparison/repo-scoping/extension-candidates` via `proposes` - `comparison/repo-scoping/extension-candidates` via `proposes`
- `comparison/repo-scoping/frame` via `uses` - `comparison/repo-scoping/frame` via `uses`
@@ -121,6 +137,7 @@
## `model/landscape` ## `model/landscape`
- `benchmark/caring/kubernetes-rbac/native-concepts` via `maps`
- `conformance/railiance-fabric` via `uses` - `conformance/railiance-fabric` via `uses`
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses` - `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
- `conformance/railiance-fabric/mapping-expectations` via `maps` - `conformance/railiance-fabric/mapping-expectations` via `maps`
@@ -131,6 +148,7 @@
## `model/network` ## `model/network`
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
- `conformance/railiance-fabric` via `uses` - `conformance/railiance-fabric` via `uses`
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses` - `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
- `conformance/railiance-fabric/mapping-expectations` via `maps` - `conformance/railiance-fabric/mapping-expectations` via `maps`
@@ -141,6 +159,7 @@
## `model/observability` ## `model/observability`
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
- `conformance/railiance-fabric` via `uses` - `conformance/railiance-fabric` via `uses`
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses` - `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
- `conformance/railiance-fabric/mapping-expectations` via `maps` - `conformance/railiance-fabric/mapping-expectations` via `maps`
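Review bot: `benchmark/caring/kubernetes-rbac` is indexed here with a `stress_tests` edge to `model/observability`, and in the hunk above with one to `model/network`, but the benchmark definition added in this commit references neither model: NetworkPolicy appears only as a native object of the namespace-boundary case, and observability is not mentioned in its source corpus, cases, expected outputs or review criteria. If these edges come from a registry or front matter not shown in this diff, a pointer to it in the commit message would help; otherwise the benchmark should say what network or observability aspect it stress-tests, or the edges should be dropped so the index does not promise coverage the benchmark does not exercise.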
@@ -184,6 +203,10 @@
## `model/security` ## `model/security`
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
- `benchmark/caring/kubernetes-rbac/access-descriptors` via `uses`
- `benchmark/caring/kubernetes-rbac/caring-mapping` via `maps`
- `benchmark/caring/kubernetes-rbac/findings` via `proposes`
- `conformance/railiance-fabric` via `uses` - `conformance/railiance-fabric` via `uses`
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses` - `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
- `conformance/railiance-fabric/mapping-expectations` via `maps` - `conformance/railiance-fabric/mapping-expectations` via `maps`
@@ -296,6 +319,11 @@
## `standard/caring` ## `standard/caring`
- `benchmark/caring/kubernetes-rbac` via `conforms_to`
- `benchmark/caring/kubernetes-rbac/access-descriptors` via `uses`
- `benchmark/caring/kubernetes-rbac/caring-mapping` via `maps`
- `benchmark/caring/kubernetes-rbac/findings` via `proposes`
- `benchmark/caring/kubernetes-rbac/native-concepts` via `maps`
- `evaluation/user-engine` via `uses` - `evaluation/user-engine` via `uses`
- `evaluation/user-engine/interface-card-expectations` via `uses` - `evaluation/user-engine/interface-card-expectations` via `uses`
- `kernel/itc-kernel-map` via `maps` - `kernel/itc-kernel-map` via `maps`
@@ -304,6 +332,7 @@
## `standard/tagging` ## `standard/tagging`
- `benchmark/caring/kubernetes-rbac` via `uses`
- `comparison/repo-scoping/canon-benefit-analysis` via `maps` - `comparison/repo-scoping/canon-benefit-analysis` via `maps`
- `conformance/railiance-fabric` via `uses` - `conformance/railiance-fabric` via `uses`
- `kernel/itc-kernel-map` via `maps` - `kernel/itc-kernel-map` via `maps`

View File

@@ -2,54 +2,59 @@
# Import Matrix # Import Matrix
| Artifact | `comparison/repo-scoping/canon-benefit-analysis` | `comparison/repo-scoping/consumer-workplan-brief` | `comparison/repo-scoping/extension-candidates` | `comparison/repo-scoping/frame` | `comparison/repo-scoping/report` | `concept-catalog/purpose-demand` | `conformance/railiance-fabric` | `conformance/railiance-fabric/consumer-workplan-brief` | `conformance/railiance-fabric/entity-edge-capture-criteria` | `conformance/railiance-fabric/mapping-expectations` | `conformance/railiance-fabric/visualization-examples` | `evaluation/user-engine` | `evaluation/user-engine/consumer-workplan-brief` | `evaluation/user-engine/interface-card-expectations` | `evaluation/user-engine/questions` | `evaluation/user-engine/small-saas-alignment` | `example/consumer-purpose-portfolio` | `kernel/itc-core` | `kernel/itc-kernel-map` | `mapping/purpose-demand-governance-candidates` | `model/access-control` | `model/data` | `model/devsecops` | `model/governance` | `model/information-space` | `model/landscape` | `model/network` | `model/observability` | `model/organization` | `model/purpose-demand-extension` | `model/security` | `model/task` | `pattern/intent-scope-purposes` | `profile/small-saas` | `small-saas/control/namespace-per-tenant` | `small-saas/dataset/subscription-ledger` | `small-saas/deployment/production` | `small-saas/evidence/access-review-2026-05` | `small-saas/incident/cross-tenant-access-attempt` | `small-saas/policy/tenant-isolation` | `small-saas/service/billing-portal` | `small-saas/system/billing-system` | `small-saas/task/onboard-tenant` | `small-saas/team/platform` | `small-saas/tenant/acme` | `small-saas/tenant/globex` | `small-saas/user/ada-admin` | `standard/caring` | `standard/tagging` | | Artifact | `benchmark/caring/kubernetes-rbac` | `benchmark/caring/kubernetes-rbac/access-descriptors` | `benchmark/caring/kubernetes-rbac/caring-mapping` | `benchmark/caring/kubernetes-rbac/findings` | `benchmark/caring/kubernetes-rbac/native-concepts` | 
`comparison/repo-scoping/canon-benefit-analysis` | `comparison/repo-scoping/consumer-workplan-brief` | `comparison/repo-scoping/extension-candidates` | `comparison/repo-scoping/frame` | `comparison/repo-scoping/report` | `concept-catalog/purpose-demand` | `conformance/railiance-fabric` | `conformance/railiance-fabric/consumer-workplan-brief` | `conformance/railiance-fabric/entity-edge-capture-criteria` | `conformance/railiance-fabric/mapping-expectations` | `conformance/railiance-fabric/visualization-examples` | `evaluation/user-engine` | `evaluation/user-engine/consumer-workplan-brief` | `evaluation/user-engine/interface-card-expectations` | `evaluation/user-engine/questions` | `evaluation/user-engine/small-saas-alignment` | `example/consumer-purpose-portfolio` | `kernel/itc-core` | `kernel/itc-kernel-map` | `mapping/purpose-demand-governance-candidates` | `model/access-control` | `model/data` | `model/devsecops` | `model/governance` | `model/information-space` | `model/landscape` | `model/network` | `model/observability` | `model/organization` | `model/purpose-demand-extension` | `model/security` | `model/task` | `pattern/intent-scope-purposes` | `profile/small-saas` | `small-saas/control/namespace-per-tenant` | `small-saas/dataset/subscription-ledger` | `small-saas/deployment/production` | `small-saas/evidence/access-review-2026-05` | `small-saas/incident/cross-tenant-access-attempt` | `small-saas/policy/tenant-isolation` | `small-saas/service/billing-portal` | `small-saas/system/billing-system` | `small-saas/task/onboard-tenant` | `small-saas/team/platform` | `small-saas/tenant/acme` | `small-saas/tenant/globex` | `small-saas/user/ada-admin` | `standard/caring` | `standard/tagging` |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| `comparison/repo-scoping/canon-benefit-analysis` | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `maps` | `maps` | | | | | `maps` | | `maps` | | | | | | | | | | | | | | | | | `maps` | | `benchmark/caring/kubernetes-rbac` | | | | | | | | | | | | | | | | | | | | | | | | | | `stress_tests` | | `stress_tests` | `stress_tests` | | | `stress_tests` | `stress_tests` | | | `stress_tests` | | | | | | | | | | | | | | | | | `conforms_to` | `uses` |
| `comparison/repo-scoping/consumer-workplan-brief` | | | | | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | `benchmark/caring/kubernetes-rbac/access-descriptors` | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | `uses` | | | | | | | | `uses` | | | | | | | | | | | | | | | | | `uses` | |
| `comparison/repo-scoping/extension-candidates` | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `proposes` | `proposes` | | | | | `proposes` | | `proposes` | | | | | | | | | | | | | | | | | | | `benchmark/caring/kubernetes-rbac/caring-mapping` | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | `maps` | | | | | | | `maps` | | | | | | | | | | | | | | | | | `maps` | |
| `comparison/repo-scoping/frame` | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `uses` | | `uses` | | | | | | | | | | | | | | | | | | | `benchmark/caring/kubernetes-rbac/findings` | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | | | | `proposes` | | | | | | | `proposes` | | | | | | | | | | | | | | | | | `proposes` | |
| `comparison/repo-scoping/report` | | | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | | | | | `compares` | | `uses` | `uses` | | | | | | | | | | | | | | | | | | `benchmark/caring/kubernetes-rbac/native-concepts` | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | | | `maps` | | | | | | | | | | | | | | | | | | | | | | `maps` | |
| `concept-catalog/purpose-demand` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | | | `comparison/repo-scoping/canon-benefit-analysis` | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `maps` | `maps` | | | | | `maps` | | `maps` | | | | | | | | | | | | | | | | | `maps` |
| `conformance/railiance-fabric` | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | `uses` | | `comparison/repo-scoping/consumer-workplan-brief` | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | |
| `conformance/railiance-fabric/consumer-workplan-brief` | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | `comparison/repo-scoping/extension-candidates` | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `proposes` | `proposes` | | | | | `proposes` | | `proposes` | | | | | | | | | | | | | | | | | |
| `conformance/railiance-fabric/entity-edge-capture-criteria` | | | | | | | `part_of` | | | | | | | | | | | | | | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | | | `comparison/repo-scoping/frame` | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `uses` | | `uses` | | | | | | | | | | | | | | | | | |
| `conformance/railiance-fabric/mapping-expectations` | | | | | | | `part_of` | | | | | | | | | | | | | | | `maps` | `maps` | `maps` | | `maps` | `maps` | `maps` | | `maps` | `maps` | | | | | | | | | | | | | | | | | | | | `comparison/repo-scoping/report` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | | | | | `compares` | | `uses` | `uses` | | | | | | | | | | | | | | | | |
| `conformance/railiance-fabric/visualization-examples` | | | | | | | `part_of` | | `illustrates` | `illustrates` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `concept-catalog/purpose-demand` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | |
| `evaluation/user-engine` | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | | `uses` | | | | | `uses` | `uses` | `uses` | `uses` | | `evaluates` | | | | | | | | | | | | | | `uses` | | | `conformance/railiance-fabric` | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | `uses` |
| `evaluation/user-engine/consumer-workplan-brief` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | `conformance/railiance-fabric/consumer-workplan-brief` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | |
| `evaluation/user-engine/interface-card-expectations` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | `uses` | | | `conformance/railiance-fabric/entity-edge-capture-criteria` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | |
| `evaluation/user-engine/questions` | | | | | | | | | | | | `part_of` | | | | | | | | | `uses` | `uses` | | `uses` | | | | | `uses` | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | | | `conformance/railiance-fabric/mapping-expectations` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | `maps` | `maps` | `maps` | | `maps` | `maps` | `maps` | | `maps` | `maps` | | | | | | | | | | | | | | | | | | |
| `evaluation/user-engine/small-saas-alignment` | | | | | | | | | | | | `part_of` | | | | | | | | | `uses` | | | `uses` | | | | | `uses` | | | | | `evaluates` | | | | | | | | | | | | | | | | | `conformance/railiance-fabric/visualization-examples` | | | | | | | | | | | | `part_of` | | `illustrates` | `illustrates` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `example/consumer-purpose-portfolio` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `illustrates` | | | `illustrates` | `uses` | | | | | | | | | | | | | | | | | `evaluation/user-engine` | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | | `uses` | | | | | `uses` | `uses` | `uses` | `uses` | | `evaluates` | | | | | | | | | | | | | | `uses` | |
| `kernel/itc-core` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `evaluation/user-engine/consumer-workplan-brief` | | | | | | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | |
| `kernel/itc-kernel-map` | | | | | | | | | | | | | | | | | | `maps` | | | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | | `maps` | `maps` | | | | | | | | | | | | | | | | `maps` | `maps` | | `evaluation/user-engine/interface-card-expectations` | | | | | | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | `uses` | |
| `mapping/purpose-demand-governance-candidates` | | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | | | | `maps` | | `uses` | | | | | | | | | | | | | | | | | | | `evaluation/user-engine/questions` | | | | | | | | | | | | | | | | | `part_of` | | | | | | | | | `uses` | `uses` | | `uses` | | | | | `uses` | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | |
| `model/access-control` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | | `evaluation/user-engine/small-saas-alignment` | | | | | | | | | | | | | | | | | `part_of` | | | | | | | | | `uses` | | | `uses` | | | | | `uses` | | | | | `evaluates` | | | | | | | | | | | | | | | |
| `model/data` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | | | `example/consumer-purpose-portfolio` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `illustrates` | | | `illustrates` | `uses` | | | | | | | | | | | | | | | |
| `model/devsecops` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | `kernel/itc-core` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `model/governance` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `kernel/itc-kernel-map` | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | | `maps` | `maps` | | | | | | | | | | | | | | | | `maps` | `maps` |
| `model/information-space` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `mapping/purpose-demand-governance-candidates` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | | | | `maps` | | `uses` | | | | | | | | | | | | | | | | | |
| `model/landscape` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `model/access-control` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | `uses` | | | | | | | | | | | | | | | | | | | | |
| `model/network` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | `model/data` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | |
| `model/observability` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | `model/devsecops` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | |
| `model/organization` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `model/governance` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `model/purpose-demand-extension` | | | | | | `introduces` | | | | | | | | | | | | `conforms_to` | | | | | | `extends` | `uses` | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | `model/information-space` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `model/security` | | | | | | | | | | | | | | | | | | `conforms_to` | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `model/landscape` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `model/task` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `model/network` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | |
| `pattern/intent-scope-purposes` | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `implements` | | `uses` | | | | | | | | | | | | | | | | | | | `model/observability` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | |
| `profile/small-saas` | | | | | | | | | | | | | | | | | | `conforms_to` | | | `requires` | `requires` | `requires` | `requires` | | `requires` | `requires` | `requires` | `requires` | | `requires` | `requires` | | | | | | | | | | | | | | | | `requires` | `requires` | | `model/organization` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `small-saas/control/namespace-per-tenant` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | `instantiates` | | | | `evidenced_by` | | | | | | | | | | `uses` | | | `model/purpose-demand-extension` | | | | | | | | | | | `introduces` | | | | | | | | | | | | `conforms_to` | | | | | | `extends` | `uses` | | | | | | | `uses` | | | | | | | | | | | | | | | | | |
| `small-saas/dataset/subscription-ledger` | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | `instantiates` | | | | | | `governed_by` | `owned_by` | | | | `partitioned_for` | `partitioned_for` | | | | | `model/security` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `small-saas/deployment/production` | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | `uses` | | | | | | | `instantiates` | `implements` | | | | | | `deploys` | | | | `separates` | `separates` | | | | | `model/task` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
| `small-saas/evidence/access-review-2026-05` | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `instantiates` | | | | | | | | | | | | | | | | | `pattern/intent-scope-purposes` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `implements` | | `uses` | | | | | | | | | | | | | | | | | |
| `small-saas/incident/cross-tenant-access-attempt` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | `instantiates` | `constrained_by` | | | `evidenced_by` | | | | | | | | | | | | | `profile/small-saas` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | `requires` | `requires` | `requires` | `requires` | | `requires` | `requires` | `requires` | `requires` | | `requires` | `requires` | | | | | | | | | | | | | | | | `requires` | `requires` |
| `small-saas/policy/tenant-isolation` | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | `instantiates` | `requires` | | | `evidenced_by` | | | | | | | | | | | | | `small-saas/control/namespace-per-tenant` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | `instantiates` | | | | `evidenced_by` | | | | | | | | | | `uses` | |
| `small-saas/service/billing-portal` | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `instantiates` | | | | | | | | `part_of` | | `owned_by` | | | | | | | `small-saas/dataset/subscription-ledger` | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | `instantiates` | | | | | | `governed_by` | `owned_by` | | | | `partitioned_for` | `partitioned_for` | | | |
| `small-saas/system/billing-system` | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `instantiates` | | | | | | | | | | | `serves` | `serves` | | | | | `small-saas/deployment/production` | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | `uses` | | | | | | | `instantiates` | `implements` | | | | | | `deploys` | | | | `separates` | `separates` | | | |
| `small-saas/task/onboard-tenant` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | `instantiates` | | | | | | `governed_by` | | | | `owned_by` | `changes` | | | | | | `small-saas/evidence/access-review-2026-05` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `instantiates` | | | | | | | | | | | | | | | |
| `small-saas/team/platform` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | | | | | | | | | | | | | | | | | `small-saas/incident/cross-tenant-access-attempt` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | `instantiates` | `constrained_by` | | | `evidenced_by` | | | | | | | | | | | |
| `small-saas/tenant/acme` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | `isolated_by` | | | | | | | | | | | | `represented_by` | | | | `small-saas/policy/tenant-isolation` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | `instantiates` | `requires` | | | `evidenced_by` | | | | | | | | | | | |
| `small-saas/tenant/globex` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | `isolated_by` | | | | | | | | | | | | | | | | `small-saas/service/billing-portal` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `instantiates` | | | | | | | | `part_of` | | `owned_by` | | | | | |
| `small-saas/user/ada-admin` | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `uses` | | | | | `instantiates` | | | | `access_evidenced_by` | | `has_access_under` | | | | `member_of` | | | | | | | `small-saas/system/billing-system` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `instantiates` | | | | | | | | | | | `serves` | `serves` | | | |
| `standard/caring` | | | | | | | | | | | | | | | | | | `conforms_to` | | | `imports` | `imports` | `imports` | `imports` | | | `imports` | `imports` | `imports` | | `imports` | `imports` | | | | | | | | | | | | | | | | | `imports` | | `small-saas/task/onboard-tenant` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | `instantiates` | | | | | | `governed_by` | | | | `owned_by` | `changes` | | | | |
| `standard/tagging` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | `imports` | | | | | | | | | | | | | | | | | | | `small-saas/team/platform` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | | | | | | | | | | | | | | | |
| `small-saas/tenant/acme` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | `isolated_by` | | | | | | | | | | | | `represented_by` | | |
| `small-saas/tenant/globex` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | `isolated_by` | | | | | | | | | | | | | | |
| `small-saas/user/ada-admin` | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `uses` | | | | | `instantiates` | | | | `access_evidenced_by` | | `has_access_under` | | | | `member_of` | | | | | |
| `standard/caring` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | `imports` | `imports` | `imports` | `imports` | | | `imports` | `imports` | `imports` | | `imports` | `imports` | | | | | | | | | | | | | | | | | `imports` |
| `standard/tagging` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | `imports` | | | | | | | | | | | | | | | | | |
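Review bot: the four new benchmark rows (`benchmark/caring/kubernetes-rbac/access-descriptors`, `caring-mapping`, `findings`, `native-concepts`) each carry one `part_of` edge plus `uses`, `maps` or `proposes` edges, but none carries a `stress_tests` edge, while the Kernel Overview in this same commit reports `stress_tests: 6`. Confirm those six edges originate from the `benchmark/caring/kubernetes-rbac` workspace row, which is not visible in this hunk; if they do, the matrix is consistent, otherwise the relation summary and the matrix were generated from different states.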

View File

@@ -3,12 +3,16 @@
# Kernel Overview # Kernel Overview
- Infospace: `canon` - Infospace: `canon`
- Artifacts: 49 - Artifacts: 54
## Artifact Kinds ## Artifact Kinds
- `access-descriptor-set`: 1
- `benchmark-findings`: 1
- `benchmark-workspace`: 1
- `benefit-analysis`: 1 - `benefit-analysis`: 1
- `capture-criteria`: 1 - `capture-criteria`: 1
- `caring-mapping`: 1
- `comparison-frame`: 1 - `comparison-frame`: 1
- `comparison-report`: 1 - `comparison-report`: 1
- `concept-catalog`: 1 - `concept-catalog`: 1
@@ -24,6 +28,7 @@
- `mapping-expectation`: 1 - `mapping-expectation`: 1
- `model`: 11 - `model`: 11
- `model-extension`: 1 - `model-extension`: 1
- `native-concept-map`: 1
- `pattern`: 1 - `pattern`: 1
- `profile`: 1 - `profile`: 1
- `profile-alignment`: 1 - `profile-alignment`: 1
@@ -36,7 +41,7 @@
- `access_evidenced_by`: 1 - `access_evidenced_by`: 1
- `changes`: 1 - `changes`: 1
- `compares`: 1 - `compares`: 1
- `conforms_to`: 16 - `conforms_to`: 17
- `constrained_by`: 1 - `constrained_by`: 1
- `deploys`: 1 - `deploys`: 1
- `evaluates`: 2 - `evaluates`: 2
@@ -50,14 +55,15 @@
- `instantiates`: 13 - `instantiates`: 13
- `introduces`: 1 - `introduces`: 1
- `isolated_by`: 2 - `isolated_by`: 2
- `maps`: 29 - `maps`: 36
- `member_of`: 1 - `member_of`: 1
- `owned_by`: 3 - `owned_by`: 3
- `part_of`: 13 - `part_of`: 17
- `partitioned_for`: 2 - `partitioned_for`: 2
- `proposes`: 4 - `proposes`: 7
- `represented_by`: 1 - `represented_by`: 1
- `requires`: 13 - `requires`: 13
- `separates`: 2 - `separates`: 2
- `serves`: 2 - `serves`: 2
- `uses`: 79 - `stress_tests`: 6
- `uses`: 84
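Review bot: `stress_tests` appears here as a new edge kind with 6 edges, but nothing else in this diff declares it (the validator constants and the generator only learn new artifact kinds, not new relation kinds). If relation kinds are enumerated anywhere, for example in a schema under `schemas/`, check it is declared there; otherwise this generated summary is the only place the vocabulary change is recorded.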

View File

@@ -2,10 +2,15 @@
# Repository Tree # Repository Tree
File count: **131** File count: **142**
- `README.md` - `README.md`
- `agent/README.md` - `agent/README.md`
- `agent/briefs/benchmark-caring-kubernetes-rbac-access-descriptors.md`
- `agent/briefs/benchmark-caring-kubernetes-rbac-caring-mapping.md`
- `agent/briefs/benchmark-caring-kubernetes-rbac-findings.md`
- `agent/briefs/benchmark-caring-kubernetes-rbac-native-concepts.md`
- `agent/briefs/benchmark-caring-kubernetes-rbac.md`
- `agent/briefs/comparison-repo-scoping-canon-benefit-analysis.md` - `agent/briefs/comparison-repo-scoping-canon-benefit-analysis.md`
- `agent/briefs/comparison-repo-scoping-consumer-workplan-brief.md` - `agent/briefs/comparison-repo-scoping-consumer-workplan-brief.md`
- `agent/briefs/comparison-repo-scoping-extension-candidates.md` - `agent/briefs/comparison-repo-scoping-extension-candidates.md`
@@ -124,6 +129,12 @@ File count: **131**
- `schemas/standard.schema.yaml` - `schemas/standard.schema.yaml`
- `schemas/workplan.schema.yaml` - `schemas/workplan.schema.yaml`
- `standards/caring/InfoTechCanonCaringAccessGovernanceStandard.md` - `standards/caring/InfoTechCanonCaringAccessGovernanceStandard.md`
- `standards/caring/benchmarks/kubernetes-rbac/README.md`
- `standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`
- `standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml`
- `standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml`
- `standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml`
- `standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml`
- `standards/tagging/InfoTechCanonTaggingStandard.md` - `standards/tagging/InfoTechCanonTaggingStandard.md`
- `validation/README.md` - `validation/README.md`
- `validation/latest.json` - `validation/latest.json`

View File

@@ -10,8 +10,12 @@ import yaml
GENERATED_NOTICE = "<!-- GENERATED by info_tech_canon; do not edit by hand. -->" GENERATED_NOTICE = "<!-- GENERATED by info_tech_canon; do not edit by hand. -->"
RETRIEVAL_ARTIFACT_KINDS = { RETRIEVAL_ARTIFACT_KINDS = {
"access-descriptor-set",
"benefit-analysis", "benefit-analysis",
"benchmark-findings",
"benchmark-workspace",
"capture-criteria", "capture-criteria",
"caring-mapping",
"comparison-frame", "comparison-frame",
"comparison-report", "comparison-report",
"concept-catalog", "concept-catalog",
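Review bot: the two `"benchmark-*"` entries are inserted after `"benefit-analysis"`, which breaks the alphabetical order the rest of `RETRIEVAL_ARTIFACT_KINDS` follows (`"bench"` sorts before `"benef"`). Move `"benchmark-findings"` and `"benchmark-workspace"` above `"benefit-analysis"`, and note that the same misordering is repeated in `RETRIEVAL_BRIEF_KINDS` in the validator.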
@@ -27,6 +31,7 @@ RETRIEVAL_ARTIFACT_KINDS = {
"mapping-expectation", "mapping-expectation",
"model", "model",
"model-extension", "model-extension",
"native-concept-map",
"pattern", "pattern",
"profile-alignment", "profile-alignment",
"profile", "profile",
@@ -869,10 +874,18 @@ def _safe_id(value: str) -> str:
def _summary_for_artifact(artifact: Any) -> str: def _summary_for_artifact(artifact: Any) -> str:
if artifact.kind == "profile-artifact": if artifact.kind == "profile-artifact":
return f"Example artifact for the {artifact.provenance.get('profile', 'unknown')} profile: {artifact.title}." return f"Example artifact for the {artifact.provenance.get('profile', 'unknown')} profile: {artifact.title}."
if artifact.kind == "access-descriptor-set":
return f"Structured CARING access descriptor set: {artifact.title}."
if artifact.kind == "benefit-analysis": if artifact.kind == "benefit-analysis":
return f"Consumer benefit analysis against canon surfaces: {artifact.title}." return f"Consumer benefit analysis against canon surfaces: {artifact.title}."
if artifact.kind == "benchmark-findings":
return f"Benchmark findings, gaps, and canon pressure: {artifact.title}."
if artifact.kind == "benchmark-workspace":
return f"Benchmark workspace definition and review criteria: {artifact.title}."
if artifact.kind == "capture-criteria": if artifact.kind == "capture-criteria":
return f"Criteria for canonical entity and edge capture: {artifact.title}." return f"Criteria for canonical entity and edge capture: {artifact.title}."
if artifact.kind == "caring-mapping":
return f"Native access model to CARING mapping: {artifact.title}."
if artifact.kind == "comparison-frame": if artifact.kind == "comparison-frame":
return f"Structured comparison questions and domains: {artifact.title}." return f"Structured comparison questions and domains: {artifact.title}."
if artifact.kind == "comparison-report": if artifact.kind == "comparison-report":
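Review bot: `_summary_for_artifact` is now an if-chain keyed on `artifact.kind` with one branch per kind, and every new kind added here also has to be added by hand to `RETRIEVAL_ARTIFACT_KINDS` above and to `RETRIEVAL_BRIEF_KINDS` in the validator. A single `dict[str, str]` of kind to summary template (for example `"access-descriptor-set": "Structured CARING access descriptor set: {title}."`) would let the kind set be derived from the same mapping instead of maintained in three places.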
@@ -899,6 +912,8 @@ def _summary_for_artifact(artifact: Any) -> str:
return f"Expected mappings between consumer graph capture and canon surfaces: {artifact.title}." return f"Expected mappings between consumer graph capture and canon surfaces: {artifact.title}."
if artifact.kind == "model-extension": if artifact.kind == "model-extension":
return f"Candidate extension to an existing canon model: {artifact.title}." return f"Candidate extension to an existing canon model: {artifact.title}."
if artifact.kind == "native-concept-map":
return f"Native source concept map for assimilation or benchmark work: {artifact.title}."
if artifact.kind == "pattern": if artifact.kind == "pattern":
return f"Reusable canon pattern: {artifact.title}." return f"Reusable canon pattern: {artifact.title}."
if artifact.kind == "profile-alignment": if artifact.kind == "profile-alignment":

View File

@@ -53,8 +53,12 @@ REQUIRED_SCHEMAS = (
) )
RETRIEVAL_BRIEF_KINDS = { RETRIEVAL_BRIEF_KINDS = {
"access-descriptor-set",
"benefit-analysis", "benefit-analysis",
"benchmark-findings",
"benchmark-workspace",
"capture-criteria", "capture-criteria",
"caring-mapping",
"comparison-frame", "comparison-frame",
"comparison-report", "comparison-report",
"concept-catalog", "concept-catalog",
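Review bot: `RETRIEVAL_BRIEF_KINDS` is a hand-maintained copy of `RETRIEVAL_ARTIFACT_KINDS` in the generator, and this commit had to touch both with the identical five additions (`"access-descriptor-set"`, `"benchmark-findings"`, `"benchmark-workspace"`, `"caring-mapping"`, `"native-concept-map"`). The two sets will drift the first time someone updates only one, and the symptom would be a brief that is generated but not validated (or the reverse). Import one constant from the other module, or add an assertion that the two sets are equal.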
@@ -69,6 +73,7 @@ RETRIEVAL_BRIEF_KINDS = {
"mapping-expectation", "mapping-expectation",
"model", "model",
"model-extension", "model-extension",
"native-concept-map",
"pattern", "pattern",
"profile-alignment", "profile-alignment",
"profile", "profile",
@@ -243,6 +248,40 @@ REPO_SCOPING_REQUIRED_EXTENSION_CANDIDATES = {
"extension/scope-md-interface", "extension/scope-md-interface",
} }
CARING_K8S_BENCHMARK_ARTIFACT_IDS = {
"benchmark/caring/kubernetes-rbac",
"benchmark/caring/kubernetes-rbac/access-descriptors",
"benchmark/caring/kubernetes-rbac/caring-mapping",
"benchmark/caring/kubernetes-rbac/findings",
"benchmark/caring/kubernetes-rbac/native-concepts",
}
CARING_K8S_REQUIRED_NATIVE_CONCEPTS = {
"Role",
"ClusterRole",
"RoleBinding",
"ClusterRoleBinding",
"ServiceAccount",
"Namespace",
"Verb",
"Resource",
"Scope",
}
CARING_K8S_REQUIRED_CASES = {
"namespace-pod-reader",
"workload-creator-derived-execution",
"cluster-secret-reader",
"namespace-as-tenant-boundary",
}
CARING_K8S_REQUIRED_DESCRIPTOR_CLASSES = {
"declared_access",
"effective_access",
"derived_capability",
"induced_access",
}
def structural_checks(context: Any) -> dict[str, list[dict[str, Any]]]: def structural_checks(context: Any) -> dict[str, list[dict[str, Any]]]:
errors: list[dict[str, Any]] = [] errors: list[dict[str, Any]] = []
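Review bot: `CARING_K8S_REQUIRED_NATIVE_CONCEPTS` names `ServiceAccount` as the only subject kind, so a `native-concepts.yaml` that omits `User` and `Group` (the other two subject kinds a RoleBinding or ClusterRoleBinding can reference) still passes validation, even though effective access for human principals normally arrives through Group membership. Likewise the `workload-creator-derived-execution` case in `CARING_K8S_REQUIRED_CASES` rests on subresources such as `pods/exec` and on the privilege-escalation verbs `escalate`, `bind` and `impersonate`, none of which the required set forces into the concept map. Either add them to the required set or record in `benchmark.yaml` that they are deliberately out of scope for this first benchmark.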
@@ -270,6 +309,11 @@ def structural_checks(context: Any) -> dict[str, list[dict[str, Any]]]:
context.infospace.artifacts, context.infospace.artifacts,
errors, errors,
) )
_check_caring_kubernetes_rbac_benchmark_assets(
context.infospace_root,
context.infospace.artifacts,
errors,
)
_check_optional_assets(context.infospace_root, warnings) _check_optional_assets(context.infospace_root, warnings)
return {"errors": errors, "warnings": warnings} return {"errors": errors, "warnings": warnings}
@@ -1167,6 +1211,216 @@ def _check_repo_scoping_comparison_assets(
) )
def _check_caring_kubernetes_rbac_benchmark_assets(
infospace_root: Path,
artifacts: list[Any],
errors: list[dict[str, Any]],
) -> None:
artifact_ids = {artifact.id for artifact in artifacts}
for artifact_id in sorted(CARING_K8S_BENCHMARK_ARTIFACT_IDS - artifact_ids):
errors.append(
{
"code": "missing_caring_kubernetes_rbac_benchmark_artifact",
"artifact_id": artifact_id,
}
)
benchmark_root = infospace_root / "standards" / "caring" / "benchmarks" / "kubernetes-rbac"
if not benchmark_root.is_dir():
errors.append(
{
"code": "missing_caring_kubernetes_rbac_benchmark_workspace",
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac",
}
)
return
benchmark = _read_yaml(benchmark_root / "benchmark.yaml", errors)
if isinstance(benchmark, dict):
for field in ("source_corpus", "expected_outputs", "review_criteria"):
items = benchmark.get(field) or []
if not isinstance(items, list) or not items:
errors.append(
{
"code": "missing_caring_kubernetes_benchmark_field",
"field": field,
}
)
cases = benchmark.get("cases") or []
if not isinstance(cases, list):
errors.append(
{
"code": "invalid_caring_kubernetes_benchmark_cases",
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml",
}
)
else:
case_ids = {
str(case.get("id"))
for case in cases
if isinstance(case, dict) and case.get("id")
}
for case_id in sorted(CARING_K8S_REQUIRED_CASES - case_ids):
errors.append(
{
"code": "missing_caring_kubernetes_benchmark_case",
"case": case_id,
}
)
native = _read_yaml(benchmark_root / "native-concepts.yaml", errors)
if isinstance(native, dict):
if native.get("namespace_tenant_boundary_warning") is not True:
errors.append(
{
"code": "missing_caring_kubernetes_namespace_warning",
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml",
}
)
concepts = native.get("concepts") or []
if not isinstance(concepts, list):
errors.append(
{
"code": "invalid_caring_kubernetes_native_concepts",
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml",
}
)
else:
native_names = {
str(concept.get("native"))
for concept in concepts
if isinstance(concept, dict) and concept.get("native")
}
for concept in sorted(CARING_K8S_REQUIRED_NATIVE_CONCEPTS - native_names):
errors.append(
{
"code": "missing_caring_kubernetes_native_concept",
"concept": concept,
}
)
mapping = _read_yaml(benchmark_root / "caring-mapping.yaml", errors)
if isinstance(mapping, dict):
if mapping.get("namespace_tenant_boundary_warning") is not True:
errors.append(
{
"code": "missing_caring_kubernetes_mapping_namespace_warning",
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml",
}
)
mappings = mapping.get("mappings") or []
if not isinstance(mappings, list):
errors.append(
{
"code": "invalid_caring_kubernetes_mappings",
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml",
}
)
else:
mapped_names = {
str(item.get("native_concept"))
for item in mappings
if isinstance(item, dict) and item.get("native_concept")
}
for concept in sorted(CARING_K8S_REQUIRED_NATIVE_CONCEPTS - mapped_names):
errors.append(
{
"code": "missing_caring_kubernetes_mapping",
"concept": concept,
}
)
analysis_rules = mapping.get("analysis_rules") or []
if not isinstance(analysis_rules, list) or not analysis_rules:
errors.append(
{
"code": "missing_caring_kubernetes_analysis_rules",
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml",
}
)
descriptors = _read_yaml(benchmark_root / "access-descriptors.yaml", errors)
if isinstance(descriptors, dict):
descriptor_classes = set(descriptors.get("descriptor_classes") or [])
for descriptor_class in sorted(
CARING_K8S_REQUIRED_DESCRIPTOR_CLASSES - descriptor_classes
):
errors.append(
{
"code": "missing_caring_kubernetes_descriptor_class",
"descriptor_class": descriptor_class,
}
)
descriptor_items = descriptors.get("descriptors") or []
if not isinstance(descriptor_items, list):
errors.append(
{
"code": "invalid_caring_kubernetes_descriptors",
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml",
}
)
else:
used_classes = {
str(item.get("descriptor_class"))
for item in descriptor_items
if isinstance(item, dict) and item.get("descriptor_class")
}
for descriptor_class in sorted(
CARING_K8S_REQUIRED_DESCRIPTOR_CLASSES - used_classes
):
errors.append(
{
"code": "missing_caring_kubernetes_descriptor_example",
"descriptor_class": descriptor_class,
}
)
required_fields = (
"subject",
"scope",
"plane",
"capabilities",
"exposure_mode",
"lifecycle_state",
"native_evidence",
)
for item in descriptor_items:
if not isinstance(item, dict):
continue
for field in required_fields:
if not item.get(field):
errors.append(
{
"code": "incomplete_caring_kubernetes_descriptor",
"descriptor": item.get("id"),
"field": field,
}
)
findings = _read_yaml(benchmark_root / "findings-and-canon-pressure.yaml", errors)
if isinstance(findings, dict):
for field in ("stable_findings", "gaps", "conflicts", "proposed_changes"):
items = findings.get(field) or []
if not isinstance(items, list) or not items:
errors.append(
{
"code": "missing_caring_kubernetes_findings_field",
"field": field,
}
)
stable_findings = findings.get("stable_findings") or []
finding_ids = {
str(finding.get("id"))
for finding in stable_findings
if isinstance(finding, dict) and finding.get("id")
}
if "finding/namespace-not-tenant-boundary" not in finding_ids:
errors.append(
{
"code": "missing_caring_kubernetes_namespace_finding",
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml",
}
)
def _artifact_paths_by_path( def _artifact_paths_by_path(
infospace_root: Path, infospace_root: Path,
errors: list[dict[str, Any]], errors: list[dict[str, Any]],
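Review bot: the descriptor completeness loop uses `if not item.get(field)`, so a descriptor with `capabilities: []` is reported as `incomplete_caring_kubernetes_descriptor`, yet an empty capability list is a legitimate `effective_access` result (for example a RoleBinding whose `roleRef` points at a Role that does not exist grants nothing, and that is exactly what an effective-access descriptor should be able to record). Check presence with `field not in item or item[field] is None` instead of truthiness. Two smaller points in the same hunk: `set(descriptors.get("descriptor_classes") or [])` raises `TypeError` if the entries are mappings like the `cases` and `concepts` items in the sibling files, so guard it with an `isinstance(..., list)` check and an `invalid_...` error the way `cases` and `concepts` are guarded; and when any of the five YAML files parses to a non-dict (a list or scalar), the `isinstance(..., dict)` gate silently skips every check with no error appended unless `_read_yaml` already reports it. The error codes also alternate between `missing_caring_kubernetes_rbac_...` and `missing_caring_kubernetes_...`; pick one prefix.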

View File

@@ -11,7 +11,7 @@ def test_cli_inspect_emits_json(capsys) -> None:
assert exit_code == 0 assert exit_code == 0
payload = json.loads(capsys.readouterr().out) payload = json.loads(capsys.readouterr().out)
assert payload["ok"] is True assert payload["ok"] is True
assert payload["infospace"]["artifact_count"] == 49 assert payload["infospace"]["artifact_count"] == 54
def test_cli_missing_profile_uses_structured_error(capsys) -> None: def test_cli_missing_profile_uses_structured_error(capsys) -> None:

View File

@@ -19,10 +19,14 @@ def test_inspect_canon_counts_artifact_kinds() -> None:
assert payload["ok"] is True assert payload["ok"] is True
assert payload["infospace"]["slug"] == "canon" assert payload["infospace"]["slug"] == "canon"
assert payload["infospace"]["artifact_count"] == 49 assert payload["infospace"]["artifact_count"] == 54
assert payload["infospace"]["kinds"] == { assert payload["infospace"]["kinds"] == {
"access-descriptor-set": 1,
"benefit-analysis": 1, "benefit-analysis": 1,
"benchmark-findings": 1,
"benchmark-workspace": 1,
"capture-criteria": 1, "capture-criteria": 1,
"caring-mapping": 1,
"comparison-frame": 1, "comparison-frame": 1,
"comparison-report": 1, "comparison-report": 1,
"concept-catalog": 1, "concept-catalog": 1,
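Review bot: the four kinds added here (`access-descriptor-set`, `benchmark-findings`, `benchmark-workspace`, `caring-mapping`) plus `native-concept-map` in the next hunk account for exactly the five-artifact jump from 49 to 54, which is consistent with the five benchmark artifacts listed in the workplan's implementation notes; good. Since the whole `kinds` mapping is compared for equality, a short comment noting that this dict and `artifact_count` must move together would save the next contributor a failed run.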
@@ -38,6 +42,7 @@ def test_inspect_canon_counts_artifact_kinds() -> None:
"mapping-expectation": 1, "mapping-expectation": 1,
"model": 11, "model": 11,
"model-extension": 1, "model-extension": 1,
"native-concept-map": 1,
"pattern": 1, "pattern": 1,
"profile-alignment": 1, "profile-alignment": 1,
"profile": 1, "profile": 1,
@@ -58,14 +63,14 @@ def test_validate_canon_passes_scaffold() -> None:
assert payload["ok"] is True assert payload["ok"] is True
assert payload["errors"] == [] assert payload["errors"] == []
assert "warnings" in payload assert "warnings" in payload
assert payload["details"]["artifact_count"] == 49 assert payload["details"]["artifact_count"] == 54
def test_graph_exports_relationship_summary() -> None: def test_graph_exports_relationship_summary() -> None:
payload = artifact_graph() payload = artifact_graph()
assert payload["ok"] is True assert payload["ok"] is True
assert payload["graph"]["node_count"] == 49 assert payload["graph"]["node_count"] == 54
assert payload["graph"]["edge_count"] > 15 assert payload["graph"]["edge_count"] > 15
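Review bot: `node_count` is bumped to 54 but `edge_count > 15` is left untouched; five nodes were added and, if they are expected to carry relationships into the graph, the real edge count grew and this bound no longer catches a regression where the new artifacts are indexed but their relationships are dropped. Tighten the lower bound to reflect the new nodes, or assert on the edges attached to the benchmark artifacts specifically.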
@@ -115,6 +120,9 @@ def test_generators_write_expected_assets(tmp_path) -> None:
assert ( assert (
root / "agent" / "briefs" / "comparison-repo-scoping-report.md" root / "agent" / "briefs" / "comparison-repo-scoping-report.md"
).is_file() ).is_file()
assert (
root / "agent" / "briefs" / "benchmark-caring-kubernetes-rbac.md"
).is_file()
assert (root / "agent" / "briefs" / "pattern-intent-scope-purposes.md").is_file() assert (root / "agent" / "briefs" / "pattern-intent-scope-purposes.md").is_file()
assert ( assert (
root / "agent" / "templates" / "canon-interface-card.template.yaml" root / "agent" / "templates" / "canon-interface-card.template.yaml"
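Review bot: only `benchmark-caring-kubernetes-rbac.md` is asserted to exist, while the workplan's implementation notes say briefs were regenerated for the workspace, native concept map, CARING mapping, descriptor set and findings artifacts; assert on each generated benchmark brief (or on the number of briefs produced) so a generator that silently skips one of the five benchmark kinds is caught here rather than in review.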


@@ -4,7 +4,7 @@ type: workplan
title: "CARING Kubernetes RBAC Benchmark" title: "CARING Kubernetes RBAC Benchmark"
domain: canon domain: canon
repo: info-tech-canon repo: info-tech-canon
status: proposed status: finished
priority: medium priority: medium
created: "2026-05-23" created: "2026-05-23"
updated: "2026-05-23" updated: "2026-05-23"
@@ -33,7 +33,7 @@ Governance, Security, Network, DevSecOps, Observability, Task, and Tagging.
```task ```task
id: ITC-WP-0010-T01 id: ITC-WP-0010-T01
status: todo status: done
priority: high priority: high
state_hub_task_id: "9ad31e13-7dc2-469c-b539-d3375a16c5f4" state_hub_task_id: "9ad31e13-7dc2-469c-b539-d3375a16c5f4"
``` ```
@@ -45,7 +45,7 @@ state_hub_task_id: "9ad31e13-7dc2-469c-b539-d3375a16c5f4"
```task ```task
id: ITC-WP-0010-T02 id: ITC-WP-0010-T02
status: todo status: done
priority: high priority: high
state_hub_task_id: "180d7ccf-7daa-4f4c-a92a-641ef5d7b442" state_hub_task_id: "180d7ccf-7daa-4f4c-a92a-641ef5d7b442"
``` ```
@@ -58,7 +58,7 @@ state_hub_task_id: "180d7ccf-7daa-4f4c-a92a-641ef5d7b442"
```task ```task
id: ITC-WP-0010-T03 id: ITC-WP-0010-T03
status: todo status: done
priority: high priority: high
state_hub_task_id: "4ffd6643-a7ab-487c-a09a-0fcaf0115c83" state_hub_task_id: "4ffd6643-a7ab-487c-a09a-0fcaf0115c83"
``` ```
@@ -71,7 +71,7 @@ state_hub_task_id: "4ffd6643-a7ab-487c-a09a-0fcaf0115c83"
```task ```task
id: ITC-WP-0010-T04 id: ITC-WP-0010-T04
status: todo status: done
priority: medium priority: medium
state_hub_task_id: "52632a4c-6e03-4212-ad6b-0cbb7b3a6e42" state_hub_task_id: "52632a4c-6e03-4212-ad6b-0cbb7b3a6e42"
``` ```
@@ -84,3 +84,16 @@ state_hub_task_id: "52632a4c-6e03-4212-ad6b-0cbb7b3a6e42"
- Kubernetes RBAC is analyzed as a benchmark, not as a shortcut profile. - Kubernetes RBAC is analyzed as a benchmark, not as a shortcut profile.
- CARING descriptor shape is tested with practical examples. - CARING descriptor shape is tested with practical examples.
- Benchmark findings produce explicit canon change proposals. - Benchmark findings produce explicit canon change proposals.
## Implementation Notes
- Created `infospace/standards/caring/benchmarks/kubernetes-rbac/` as a
distinct benchmark workspace.
- Added benchmark workspace, native concept map, CARING mapping, descriptor
set, and findings/canon-pressure artifacts.
- Registered all benchmark artifacts in the artifact index and retrieval
generation flow.
- Added structural validation for the benchmark corpus, Kubernetes RBAC native
concept coverage, namespace tenant-boundary warning, CARING descriptor
classes, and findings/proposals.
- Regenerated agent briefs, indexes, tree views, and validation output.
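Review bot: the note "namespace tenant-boundary warning" does not match the validator change above, where a missing `finding/namespace-not-tenant-boundary` is appended to `errors` under code `missing_caring_kubernetes_namespace_finding`, not recorded as a warning. If a separate warning exists for Namespaces used as tenant boundaries, name it here; otherwise say "error" so the severity of this gate is documented correctly, since it is the check that enforces the benchmark's central rule.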


@@ -136,7 +136,7 @@ workplans:
- id: ITC-WP-0010 - id: ITC-WP-0010
title: CARING Kubernetes RBAC Benchmark title: CARING Kubernetes RBAC Benchmark
status: proposed status: finished
priority: medium priority: medium
path: workplans/ITC-WP-0010-caring-kubernetes-rbac-benchmark.md path: workplans/ITC-WP-0010-caring-kubernetes-rbac-benchmark.md
depends_on: depends_on: