generated from coulomb/repo-seed
# Research Pattern Normalization

Status: complete coverage map for NK-WP-0010

## Purpose

The genesis exploration contains a broad security architecture pattern catalogue. NK-WP-0010 promotes every exact pattern name from that catalogue into a first-class infospace artifact while preserving the earlier NetKingdom-specific umbrella patterns created during NK-WP-0008.

## Completion Rule
- Every exact pattern name in `genesis/InitialExploration.md` has a discoverable `artifacts/entities/pattern-*.md` artifact.
- Umbrella NetKingdom patterns remain when they describe a canonical platform shape that spans multiple exact genesis patterns.
- The generated index and ownership map link both exact and umbrella artifacts, but the exact genesis list is the completion baseline for this workplan.

## Completion Matrix
| Family | Exact genesis pattern | Artifact | Current status |
|---|---|---|---|
| Identity and access | Central Identity Provider | artifacts/entities/pattern-central-identity-provider.md | seed |
| Identity and access | Identity Broker | artifacts/entities/pattern-identity-broker.md | seed |
| Identity and access | Tenant Membership Boundary | artifacts/entities/pattern-tenant-membership-boundary.md | seed |
| Identity and access | Role Composition | artifacts/entities/pattern-role-composition.md | seed |
| Identity and access | Policy Decision Point / Policy Enforcement Point | artifacts/entities/pattern-policy-decision-point-policy-enforcement-point.md | reviewed |
| Identity and access | Time-boxed Privilege Elevation | artifacts/entities/pattern-time-boxed-privilege-elevation.md | seed |
| Identity and access | Break-glass Access | artifacts/entities/pattern-break-glass-access.md | reviewed |
| Identity and access | Human/Agent Identity Split | artifacts/entities/pattern-human-agent-identity-split.md | draft |
| Tenant isolation | Namespace-per-Tenant | artifacts/entities/pattern-namespace-per-tenant.md | seed |
| Tenant isolation | Cluster-per-Tenant | artifacts/entities/pattern-cluster-per-tenant.md | seed |
| Tenant isolation | Cell-based Architecture | artifacts/entities/pattern-cell-based-architecture.md | seed |
| Tenant isolation | Shared Control Plane, Isolated Data Plane | artifacts/entities/pattern-shared-control-plane-isolated-data-plane.md | seed |
| Tenant isolation | Tenant Context Propagation | artifacts/entities/pattern-tenant-context-propagation.md | draft |
| Tenant isolation | Tenant Data Partitioning | artifacts/entities/pattern-tenant-data-partitioning.md | seed |
| Kubernetes and platform | Secure Cluster Baseline | artifacts/entities/pattern-secure-cluster-baseline.md | seed |
| Kubernetes and platform | Policy-as-Code Admission Control | artifacts/entities/pattern-policy-as-code-admission-control.md | seed |
| Kubernetes and platform | Pod Security Baseline/Restricted | artifacts/entities/pattern-pod-security-baseline-restricted.md | seed |
| Kubernetes and platform | Network Default Deny | artifacts/entities/pattern-network-default-deny.md | seed |
| Kubernetes and platform | Signed Image Admission | artifacts/entities/pattern-signed-image-admission.md | seed |
| Kubernetes and platform | GitOps with Guardrails | artifacts/entities/pattern-gitops-with-guardrails.md | seed |
| Kubernetes and platform | Runtime Threat Detection | artifacts/entities/pattern-runtime-threat-detection.md | seed |
| Secrets and cryptography | External Secrets Operator | artifacts/entities/pattern-external-secrets-operator.md | seed |
| Secrets and cryptography | Sealed Secret / Encrypted Git Secret | artifacts/entities/pattern-sealed-secret-encrypted-git-secret.md | seed |
| Secrets and cryptography | Short-lived Credentials | artifacts/entities/pattern-short-lived-credentials.md | reviewed |
| Secrets and cryptography | Key-per-Tenant | artifacts/entities/pattern-key-per-tenant.md | seed |
| Secrets and cryptography | Certificate Automation | artifacts/entities/pattern-certificate-automation.md | seed |
| Application/API security | API Gateway as Security Boundary | artifacts/entities/pattern-api-gateway-as-security-boundary.md | seed |
| Application/API security | Backend-for-Frontend | artifacts/entities/pattern-backend-for-frontend.md | seed |
| Application/API security | Object-Level Authorization Check | artifacts/entities/pattern-object-level-authorization-check.md | draft |
| Application/API security | Schema-First API Security | artifacts/entities/pattern-schema-first-api-security.md | seed |
| Application/API security | Idempotent Command API | artifacts/entities/pattern-idempotent-command-api.md | seed |
| Application/API security | Secure File Upload Pipeline | artifacts/entities/pattern-secure-file-upload-pipeline.md | seed |
| Supply chain | Protected Main Branch | artifacts/entities/pattern-protected-main-branch.md | seed |
| Supply chain | Dependency Update Bot | artifacts/entities/pattern-dependency-update-bot.md | seed |
| Supply chain | SBOM-per-Release | artifacts/entities/pattern-sbom-per-release.md | seed |
| Supply chain | SLSA Build Provenance | artifacts/entities/pattern-slsa-build-provenance.md | seed |
| Supply chain | Signed Container Images | artifacts/entities/pattern-signed-container-images.md | seed |
| Supply chain | Quarantined Build Runner | artifacts/entities/pattern-quarantined-build-runner.md | seed |
| Detection and response | Security Event Taxonomy | artifacts/entities/pattern-security-event-taxonomy.md | seed |
| Detection and response | Central Audit Ledger | artifacts/entities/pattern-central-audit-ledger.md | seed |
| Detection and response | Tenant Audit Log View | artifacts/entities/pattern-tenant-audit-log-view.md | seed |
| Detection and response | Incident Runbook Library | artifacts/entities/pattern-incident-runbook-library.md | seed |
| Detection and response | Kill Switch / Tenant Freeze | artifacts/entities/pattern-kill-switch-tenant-freeze.md | seed |
| Detection and response | Token Revocation Sweep | artifacts/entities/pattern-token-revocation-sweep.md | seed |
## NetKingdom Umbrella Patterns

These artifacts remain first-class because they capture NetKingdom platform-specific architecture that spans multiple exact seed patterns:

| Umbrella pattern | Artifact | Covers |
|---|---|---|
| STS credential vending | artifacts/entities/pattern-sts-credential-vending.md | short-lived object-storage credentials, delegated authorization, OpenBao broker/audit support |
| Workload identity | artifacts/entities/pattern-workload-identity.md | service identities, workload secret injection, tenant context |
| Secret zero avoidance | artifacts/entities/pattern-secret-zero-avoidance.md | encrypted Git secrets, bootstrap, break-glass, OpenBao handoff |
| Dynamic secrets | artifacts/entities/pattern-dynamic-secrets.md | short-lived credentials, leases, rotation, revocation |
| Short-lived SSH certificates | artifacts/entities/pattern-short-lived-ssh-certificates.md | time-boxed privilege, agent/admin access, SSH audit |
| Delegated authorization | artifacts/entities/pattern-delegated-authorization.md | PDP/PEP, flex-auth, Topaz, decision envelopes |
| Tenant isolation | artifacts/entities/pattern-tenant-isolation.md | namespace, cluster, cell, data, and control-plane isolation |
| Policy-as-code admission | artifacts/entities/pattern-policy-as-code-admission.md | admission control, pod security, image trust, GitOps guardrails |
| Supply-chain provenance | artifacts/entities/pattern-supply-chain-provenance.md | SBOMs, SLSA, signed images, protected branches, trusted runners |
## Completion Result

No exact genesis pattern remains unaccounted for. Future work should improve the maturity and evidence quality of the existing artifacts, not create missing seed placeholders.