generated from coulomb/repo-seed
2.3 KiB
2.3 KiB
Security Readiness Levels
Status: initial readiness model extracted from the genesis exploration
Purpose
Readiness levels make the catalog operational. They define how strong a capability or pattern must be before it is trusted for a given deployment stage.
Levels
| Level | Name | Suitable for | Minimum expectations |
|---|---|---|---|
| RL0 | Experimental | local prototypes | no production data, no external users, no real secrets in code |
| RL1 | Internal alpha | internal use | central login preferred, basic access control, secrets not committed, known risks documented |
| RL2 | Private beta | selected external users | tenant model defined, isolation tested, backups configured, security logging centralized |
| RL3 | Production | paid customers | MFA for privileged users, least privilege, secrets rotation, auditable admin actions, restore tested |
| RL4 | Regulated production | high-trust or regulated customers | formal risk management, customer audit logs, artifact provenance, stronger data residency and deletion controls |
Pattern Maturity
Pattern maturity is related to readiness, but not identical:
seed -> draft -> reviewed -> canonical -> deprecated
seed: captured from exploration, source notes, or external reading.draft: written in the pattern template with initial mapping.reviewed: checked for threat model, ownership, and verification.canonical: accepted as the recommended NetKingdom pattern.deprecated: retained for history but no longer recommended.
Evidence By Level
| Evidence | RL1 | RL2 | RL3 | RL4 |
|---|---|---|---|---|
| owner named | required | required | required | required |
| threat notes | useful | required | required | required |
| verification checklist | useful | required | required | required |
| operational runbook | optional | useful | required | required |
| audit hooks | optional | useful | required | required |
| restore or failure drill | optional | useful | required | required |
| standards mapping | optional | useful | useful | required |
NetKingdom Default
Patterns that touch identity, authorization, secrets, tenant isolation, or privileged access should not be marked canonical below RL3 unless their production limitations are explicitly documented.