# Security Pattern Index And Maturity Matrix Status: generated index refreshed for NK-WP-0010 ## Capability Index | Capability group | Initial status | Primary owner | Gaps | | --- | --- | --- | --- | | Security governance and readiness | draft | NetKingdom, State Hub | risk register and readiness gates need formalization | | Identity and user management | partial | NetKingdom, key-cape, Keycloak | lifecycle and federation evidence incomplete | | Authorization and access control | partial | flex-auth, NetKingdom | policy package lifecycle and Topaz runtime checks need implementation | | Tenant isolation | draft | NetKingdom, Railiance, product repos | isolation patterns now exist; product conformance tests remain | | Secrets, keys, and credentials | partial | NetKingdom, Railiance platform, OpenBao | OpenBao drills and certificate lifecycle evidence pending | | Network and edge security | seed | Railiance, product repos | default-deny and gateway patterns need concrete manifests | | Platform and Kubernetes hardening | seed | Railiance | baseline, pod-security, and admission patterns need implementation evidence | | Application and API security | seed | product repos, NetKingdom | object-level, schema, BFF, command, and upload patterns need product adoption | | Data protection and privacy | seed | product repos, platform | tenant data partitioning and key-per-tenant need storage-specific decisions | | Software supply chain security | seed | Railiance, artifact-store, product repos | SBOM/provenance/signature pipeline needs implementation anchors | | Observability, detection, and audit | draft | Railiance, NetKingdom, State Hub | event taxonomy and tenant audit projection need storage decision | | Incident response and recovery | draft | Railiance, NetKingdom | runbooks, tenant freeze, and revocation sweep need drills | ## Genesis Pattern Coverage | Family | Exact patterns | Artifact coverage | Maturity spread | | --- | ---: | --- | --- | | Identity and access | 8 | complete | seed to reviewed | | Tenant isolation | 6 | complete | seed to draft | | Kubernetes and platform | 7 | complete | seed | | Secrets and cryptography | 5 | complete | seed to reviewed | | Application/API security | 6 | complete | seed to draft | | Supply chain | 6 | complete | seed | | Detection and response | 6 | complete | seed | The authoritative per-pattern completion matrix is `artifacts/generated/research-pattern-normalization.md`. ## NetKingdom Umbrella Pattern Index | Pattern | Maturity | Owner | Implementation links | | --- | --- | --- | --- | | STS credential vending | reviewed | NetKingdom, flex-auth, Railiance platform | NK-WP-0007, ADR-0008, artifact-store follow-up | | Workload identity | draft | Railiance platform, NetKingdom | IAM Profile, OpenBao Kubernetes auth | | Secret zero avoidance | reviewed | NetKingdom, Railiance platform | NK-WP-0004, NK-WP-0005, Railiance OpenBao | | Dynamic secrets | draft | OpenBao, Railiance platform | OpenBao leases and revocation | | Short-lived SSH certificates | draft | ops-warden, ops-bridge, NetKingdom | SSH certificate issuance and audit | | Delegated authorization | reviewed | flex-auth, NetKingdom | flex-auth, Topaz, CARING descriptors | | Tenant isolation | draft | NetKingdom, Railiance platform, product repos | namespace, cluster, cell, data, and control-plane isolation | | Policy-as-code admission | seed | Railiance platform, NetKingdom | admission policy, pod security, image trust | | Supply-chain provenance | seed | Railiance platform, artifact-store, product repos | SBOM, signatures, SLSA provenance | ## Tutorial Handoff To NK-WP-0009 High-value tutorial candidates after NK-WP-0010 completion: 1. Vend temporary S3 credentials from a NetKingdom identity token. 2. Deploy OpenBao as canonical Railiance platform secrets manager. 3. Use short-lived SSH credentials for admins, agents, and automations. 4. Add a protected system to flex-auth using PDP/PEP boundaries. 5. Apply secret-zero avoidance from bootstrap to runtime OpenBao. 6. Build tenant audit visibility from the central audit ledger. 7. Add policy-as-code admission with pod-security and signed-image gates. 8. Produce SBOM, signature, and SLSA-style provenance for a release. ## Open Decisions And Gaps - Decide durable audit ledger storage and tenant-visible audit boundary. - Decide which seed patterns should graduate to reviewed before tutorial writing starts. - Decide how machine-readable capability and pattern status should be represented. - Decide which pattern families need product-specific conformance tests before being marked canonical.