# Research Pattern Normalization Status: complete coverage map for NK-WP-0010

## Purpose

The genesis exploration contains a broad security architecture pattern catalogue. NK-WP-0010 promotes every exact pattern name from that catalogue into a first-class infospace artifact while preserving the earlier NetKingdom-specific umbrella patterns created during NK-WP-0008.

## Completion Rule

- Every exact pattern name in `genesis/InitialExploration.md` has a discoverable `artifacts/entities/pattern-*.md` artifact.
- Umbrella NetKingdom patterns remain when they describe a canonical platform shape that spans multiple exact genesis patterns.
- The generated index and ownership map link both exact and umbrella artifacts, but the exact genesis list is the completion baseline for this workplan.

## Completion Matrix

| Family | Exact genesis pattern | Artifact | Current status |
| --- | --- | --- | --- |
| Identity and access | Central Identity Provider | `artifacts/entities/pattern-central-identity-provider.md` | seed |
| Identity and access | Identity Broker | `artifacts/entities/pattern-identity-broker.md` | seed |
| Identity and access | Tenant Membership Boundary | `artifacts/entities/pattern-tenant-membership-boundary.md` | seed |
| Identity and access | Role Composition | `artifacts/entities/pattern-role-composition.md` | seed |
| Identity and access | Policy Decision Point / Policy Enforcement Point | `artifacts/entities/pattern-policy-decision-point-policy-enforcement-point.md` | reviewed |
| Identity and access | Time-boxed Privilege Elevation | `artifacts/entities/pattern-time-boxed-privilege-elevation.md` | seed |
| Identity and access | Break-glass Access | `artifacts/entities/pattern-break-glass-access.md` | reviewed |
| Identity and access | Human/Agent Identity Split | `artifacts/entities/pattern-human-agent-identity-split.md` | draft |
| Tenant isolation | Namespace-per-Tenant | `artifacts/entities/pattern-namespace-per-tenant.md` | seed |
| Tenant isolation | Cluster-per-Tenant | `artifacts/entities/pattern-cluster-per-tenant.md` | seed |
| Tenant isolation | Cell-based Architecture | `artifacts/entities/pattern-cell-based-architecture.md` | seed |
| Tenant isolation | Shared Control Plane, Isolated Data Plane | `artifacts/entities/pattern-shared-control-plane-isolated-data-plane.md` | seed |
| Tenant isolation | Tenant Context Propagation | `artifacts/entities/pattern-tenant-context-propagation.md` | draft |
| Tenant isolation | Tenant Data Partitioning | `artifacts/entities/pattern-tenant-data-partitioning.md` | seed |
| Kubernetes and platform | Secure Cluster Baseline | `artifacts/entities/pattern-secure-cluster-baseline.md` | seed |
| Kubernetes and platform | Policy-as-Code Admission Control | `artifacts/entities/pattern-policy-as-code-admission-control.md` | seed |
| Kubernetes and platform | Pod Security Baseline/Restricted | `artifacts/entities/pattern-pod-security-baseline-restricted.md` | seed |
| Kubernetes and platform | Network Default Deny | `artifacts/entities/pattern-network-default-deny.md` | seed |
| Kubernetes and platform | Signed Image Admission | `artifacts/entities/pattern-signed-image-admission.md` | seed |
| Kubernetes and platform | GitOps with Guardrails | `artifacts/entities/pattern-gitops-with-guardrails.md` | seed |
| Kubernetes and platform | Runtime Threat Detection | `artifacts/entities/pattern-runtime-threat-detection.md` | seed |
| Secrets and cryptography | External Secrets Operator | `artifacts/entities/pattern-external-secrets-operator.md` | seed |
| Secrets and cryptography | Sealed Secret / Encrypted Git Secret | `artifacts/entities/pattern-sealed-secret-encrypted-git-secret.md` | seed |
| Secrets and cryptography | Short-lived Credentials | `artifacts/entities/pattern-short-lived-credentials.md` | reviewed |
| Secrets and cryptography | Key-per-Tenant | `artifacts/entities/pattern-key-per-tenant.md` | seed |
| Secrets and cryptography | Certificate Automation | `artifacts/entities/pattern-certificate-automation.md` | seed |
| Application/API security | API Gateway as Security Boundary | `artifacts/entities/pattern-api-gateway-as-security-boundary.md` | seed |
| Application/API security | Backend-for-Frontend | `artifacts/entities/pattern-backend-for-frontend.md` | seed |
| Application/API security | Object-Level Authorization Check | `artifacts/entities/pattern-object-level-authorization-check.md` | draft |
| Application/API security | Schema-First API Security | `artifacts/entities/pattern-schema-first-api-security.md` | seed |
| Application/API security | Idempotent Command API | `artifacts/entities/pattern-idempotent-command-api.md` | seed |
| Application/API security | Secure File Upload Pipeline | `artifacts/entities/pattern-secure-file-upload-pipeline.md` | seed |
| Supply chain | Protected Main Branch | `artifacts/entities/pattern-protected-main-branch.md` | seed |
| Supply chain | Dependency Update Bot | `artifacts/entities/pattern-dependency-update-bot.md` | seed |
| Supply chain | SBOM-per-Release | `artifacts/entities/pattern-sbom-per-release.md` | seed |
| Supply chain | SLSA Build Provenance | `artifacts/entities/pattern-slsa-build-provenance.md` | seed |
| Supply chain | Signed Container Images | `artifacts/entities/pattern-signed-container-images.md` | seed |
| Supply chain | Quarantined Build Runner | `artifacts/entities/pattern-quarantined-build-runner.md` | seed |
| Detection and response | Security Event Taxonomy | `artifacts/entities/pattern-security-event-taxonomy.md` | seed |
| Detection and response | Central Audit Ledger | `artifacts/entities/pattern-central-audit-ledger.md` | seed |
| Detection and response | Tenant Audit Log View | `artifacts/entities/pattern-tenant-audit-log-view.md` | seed |
| Detection and response | Incident Runbook Library | `artifacts/entities/pattern-incident-runbook-library.md` | seed |
| Detection and response | Kill Switch / Tenant Freeze | `artifacts/entities/pattern-kill-switch-tenant-freeze.md` | seed |
| Detection and response | Token Revocation Sweep | `artifacts/entities/pattern-token-revocation-sweep.md` | seed |

## NetKingdom Umbrella Patterns

These artifacts remain first-class because they capture NetKingdom platform-specific architecture that spans multiple exact seed patterns:

| Umbrella pattern | Artifact | Covers |
| --- | --- | --- |
| STS credential vending | `artifacts/entities/pattern-sts-credential-vending.md` | short-lived object-storage credentials, delegated authorization, OpenBao broker/audit support |
| Workload identity | `artifacts/entities/pattern-workload-identity.md` | service identities, workload secret injection, tenant context |
| Secret zero avoidance | `artifacts/entities/pattern-secret-zero-avoidance.md` | encrypted Git secrets, bootstrap, break-glass, OpenBao handoff |
| Dynamic secrets | `artifacts/entities/pattern-dynamic-secrets.md` | short-lived credentials, leases, rotation, revocation |
| Short-lived SSH certificates | `artifacts/entities/pattern-short-lived-ssh-certificates.md` | time-boxed privilege, agent/admin access, SSH audit |
| Delegated authorization | `artifacts/entities/pattern-delegated-authorization.md` | PDP/PEP, flex-auth, Topaz, decision envelopes |
| Tenant isolation | `artifacts/entities/pattern-tenant-isolation.md` | namespace, cluster, cell, data, and control-plane isolation |
| Policy-as-code admission | `artifacts/entities/pattern-policy-as-code-admission.md` | admission control, pod security, image trust, GitOps guardrails |
| Supply-chain provenance | `artifacts/entities/pattern-supply-chain-provenance.md` | SBOMs, SLSA, signed images, protected branches, trusted runners |

## Completion Result

No exact genesis pattern remains unaccounted for. Future work should improve maturity and evidence quality, not create missing seed placeholders.
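The completion rule above (every exact genesis pattern name maps to a discoverable `artifacts/entities/pattern-*.md` artifact) can be checked mechanically. The script below is an added example, not part of the workplan or its tooling; it assumes the slug convention visible in the matrix (lowercase, runs of spaces, `/` and `,` collapsed to one hyphen) and takes the genesis pattern names as a plain list, since the format of `genesis/InitialExploration.md` is not specified here. The sample names and the set of existing paths are constructed inline, with one artifact deliberately absent.

```python
"""Check the NK-WP-0010 completion rule: every exact genesis pattern name
must map to an existing artifacts/entities/pattern-*.md artifact."""
import re
from pathlib import Path

ARTIFACT_DIR = "artifacts/entities"


def artifact_slug(pattern_name):
    """Derive the slug the completion matrix uses: lowercase, then every run
    of non-alphanumerics (spaces, '/', ',') becomes a single hyphen."""
    return re.sub(r"[^a-z0-9]+", "-", pattern_name.lower()).strip("-")


def artifact_path(pattern_name):
    """Expected artifact path for an exact genesis pattern name."""
    return f"{ARTIFACT_DIR}/pattern-{artifact_slug(pattern_name)}.md"


def scan_artifacts(repo_root="."):
    """Collect the pattern artifacts that actually exist, as repo-relative
    POSIX paths, so they compare equal to artifact_path() output."""
    root = Path(repo_root)
    return {p.relative_to(root).as_posix()
            for p in root.glob(f"{ARTIFACT_DIR}/pattern-*.md")}


def find_gaps(genesis_names, existing_paths):
    """Return (name, expected path) for each genesis pattern with no artifact."""
    return [(name, artifact_path(name)) for name in genesis_names
            if artifact_path(name) not in existing_paths]


# Constructed sample input: names taken from the matrix; the third one has
# no matching artifact in the constructed set, so it must be reported.
SAMPLE_GENESIS = [
    "Policy Decision Point / Policy Enforcement Point",
    "Pod Security Baseline/Restricted",
    "Shared Control Plane, Isolated Data Plane",
    "SBOM-per-Release",
]
SAMPLE_EXISTING = {
    "artifacts/entities/pattern-policy-decision-point-policy-enforcement-point.md",
    "artifacts/entities/pattern-pod-security-baseline-restricted.md",
    "artifacts/entities/pattern-sbom-per-release.md",
}

if __name__ == "__main__":
    # In a real run, replace SAMPLE_EXISTING with scan_artifacts(repo_root).
    for name, path in find_gaps(SAMPLE_GENESIS, SAMPLE_EXISTING):
        print(f"MISSING {path}  (genesis pattern: {name})")
```

Run against the real tree, the check fails whenever a name in the genesis list has no artifact at the derived path, which is also what a rename of either side would surface.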