generated from coulomb/repo-seed
# Research Pattern Normalization
Status: complete coverage map for NK-WP-0010
## Purpose
The genesis exploration contains a broad security architecture pattern
catalogue. NK-WP-0010 promotes every exact pattern name from that
catalogue into a first-class infospace artifact while preserving the
earlier NetKingdom-specific umbrella patterns created during NK-WP-0008.
## Completion Rule
- Every exact pattern name in `genesis/InitialExploration.md` has a
  discoverable `artifacts/entities/pattern-*.md` artifact.
- Umbrella NetKingdom patterns remain when they describe a canonical
  platform shape that spans multiple exact genesis patterns.
- The generated index and ownership map link both exact and umbrella
  artifacts, but the exact genesis list is the completion baseline for
  this workplan.
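
The first rule is mechanically checkable, because the matrix implies a deterministic mapping from an exact genesis pattern name to its artifact path. The script below is an added example, not code from this workplan or the repository: it infers the slug rule from the rows on this page (lowercase, every run of non-alphanumeric characters collapsed to a single hyphen, prefixed with `pattern-` under `artifacts/entities/`), parses a matrix in this page's table layout, and reports any genesis name with no row, any row whose artifact path disagrees with the derived slug, and any status outside the vocabulary the matrix uses. The genesis list and matrix text are constructed inline from a handful of this page's rows rather than read from `genesis/InitialExploration.md`; two defects (one name left out of the matrix, one status changed to `unknown`) are deliberately constructed so the checks have something to find.

```python
import re
from dataclasses import dataclass

ARTIFACT_DIR = "artifacts/entities"
# Status vocabulary observed in the completion matrix on this page.
VALID_STATUSES = {"seed", "draft", "reviewed"}


def slugify(name: str) -> str:
    """Lowercase the name and collapse each run of non-alphanumerics to one hyphen.

    Rule inferred from the matrix, e.g.
    'Policy Decision Point / Policy Enforcement Point'
    -> 'policy-decision-point-policy-enforcement-point'.
    """
    return re.sub(r"[^a-z0-9]+", "-", name.lower()).strip("-")


def artifact_path(name: str) -> str:
    """Expected artifact path for an exact genesis pattern name."""
    return f"{ARTIFACT_DIR}/pattern-{slugify(name)}.md"


@dataclass(frozen=True)
class Row:
    family: str
    pattern: str
    artifact: str
    status: str


def parse_matrix(markdown: str) -> list[Row]:
    """Parse rows of a four-column GFM table (Family | Pattern | Artifact | Status)."""
    rows = []
    for line in markdown.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # Skip the header row and the `| --- |` delimiter row.
        if len(cells) != 4 or cells[0] == "Family" or set(cells[0]) <= {"-"}:
            continue
        family, pattern, artifact, status = cells
        rows.append(Row(family, pattern, artifact.strip("`"), status))
    return rows


def audit(genesis_names, rows):
    """Check the completion rule; every list empty means the baseline is met."""
    findings = {"missing": [], "mismatched_path": [], "bad_status": [], "not_in_genesis": []}
    by_name = {r.pattern: r for r in rows}
    for name in genesis_names:
        row = by_name.get(name)
        if row is None:
            findings["missing"].append(name)
            continue
        expected = artifact_path(name)
        if row.artifact != expected:
            findings["mismatched_path"].append((name, row.artifact, expected))
        if row.status not in VALID_STATUSES:
            findings["bad_status"].append((name, row.status))
    # The exact matrix is genesis-only; umbrella artifacts live in their own table,
    # so any row here that is not a genesis name is itself a finding.
    for name in by_name:
        if name not in genesis_names:
            findings["not_in_genesis"].append(name)
    return findings


# Constructed sample (a subset of this page's rows). Two deliberate defects:
# 'Break-glass Access' has no row, and 'Token Revocation Sweep' carries the
# status 'unknown' although the page records 'seed'.
SAMPLE_GENESIS = (
    "Policy Decision Point / Policy Enforcement Point",
    "Break-glass Access",
    "Human/Agent Identity Split",
    "Shared Control Plane, Isolated Data Plane",
    "SBOM-per-Release",
    "Kill Switch / Tenant Freeze",
    "Token Revocation Sweep",
)

SAMPLE_MATRIX = """\
| Family | Exact genesis pattern | Artifact | Current status |
| --- | --- | --- | --- |
| Identity and access | Policy Decision Point / Policy Enforcement Point | `artifacts/entities/pattern-policy-decision-point-policy-enforcement-point.md` | reviewed |
| Identity and access | Human/Agent Identity Split | `artifacts/entities/pattern-human-agent-identity-split.md` | draft |
| Tenant isolation | Shared Control Plane, Isolated Data Plane | `artifacts/entities/pattern-shared-control-plane-isolated-data-plane.md` | seed |
| Supply chain | SBOM-per-Release | `artifacts/entities/pattern-sbom-per-release.md` | seed |
| Detection and response | Kill Switch / Tenant Freeze | `artifacts/entities/pattern-kill-switch-tenant-freeze.md` | seed |
| Detection and response | Token Revocation Sweep | `artifacts/entities/pattern-token-revocation-sweep.md` | unknown |
"""

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_GENESIS, parse_matrix(SAMPLE_MATRIX)).items():
        print(f"{kind}: {items}")
```

Against the real repository the same `audit` would take the names extracted from `genesis/InitialExploration.md` and the rows of the matrix below; a further step a practitioner would add is an existence check (`pathlib.Path(row.artifact).is_file()`) so that "discoverable" means the file is actually present, not merely listed.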
## Completion Matrix
| Family | Exact genesis pattern | Artifact | Current status |
| --- | --- | --- | --- |
| Identity and access | Central Identity Provider | `artifacts/entities/pattern-central-identity-provider.md` | seed |
| Identity and access | Identity Broker | `artifacts/entities/pattern-identity-broker.md` | seed |
| Identity and access | Tenant Membership Boundary | `artifacts/entities/pattern-tenant-membership-boundary.md` | seed |
| Identity and access | Role Composition | `artifacts/entities/pattern-role-composition.md` | seed |
| Identity and access | Policy Decision Point / Policy Enforcement Point | `artifacts/entities/pattern-policy-decision-point-policy-enforcement-point.md` | reviewed |
| Identity and access | Time-boxed Privilege Elevation | `artifacts/entities/pattern-time-boxed-privilege-elevation.md` | seed |
| Identity and access | Break-glass Access | `artifacts/entities/pattern-break-glass-access.md` | reviewed |
| Identity and access | Human/Agent Identity Split | `artifacts/entities/pattern-human-agent-identity-split.md` | draft |
| Tenant isolation | Namespace-per-Tenant | `artifacts/entities/pattern-namespace-per-tenant.md` | seed |
| Tenant isolation | Cluster-per-Tenant | `artifacts/entities/pattern-cluster-per-tenant.md` | seed |
| Tenant isolation | Cell-based Architecture | `artifacts/entities/pattern-cell-based-architecture.md` | seed |
| Tenant isolation | Shared Control Plane, Isolated Data Plane | `artifacts/entities/pattern-shared-control-plane-isolated-data-plane.md` | seed |
| Tenant isolation | Tenant Context Propagation | `artifacts/entities/pattern-tenant-context-propagation.md` | draft |
| Tenant isolation | Tenant Data Partitioning | `artifacts/entities/pattern-tenant-data-partitioning.md` | seed |
| Kubernetes and platform | Secure Cluster Baseline | `artifacts/entities/pattern-secure-cluster-baseline.md` | seed |
| Kubernetes and platform | Policy-as-Code Admission Control | `artifacts/entities/pattern-policy-as-code-admission-control.md` | seed |
| Kubernetes and platform | Pod Security Baseline/Restricted | `artifacts/entities/pattern-pod-security-baseline-restricted.md` | seed |
| Kubernetes and platform | Network Default Deny | `artifacts/entities/pattern-network-default-deny.md` | seed |
| Kubernetes and platform | Signed Image Admission | `artifacts/entities/pattern-signed-image-admission.md` | seed |
| Kubernetes and platform | GitOps with Guardrails | `artifacts/entities/pattern-gitops-with-guardrails.md` | seed |
| Kubernetes and platform | Runtime Threat Detection | `artifacts/entities/pattern-runtime-threat-detection.md` | seed |
| Secrets and cryptography | External Secrets Operator | `artifacts/entities/pattern-external-secrets-operator.md` | seed |
| Secrets and cryptography | Sealed Secret / Encrypted Git Secret | `artifacts/entities/pattern-sealed-secret-encrypted-git-secret.md` | seed |
| Secrets and cryptography | Short-lived Credentials | `artifacts/entities/pattern-short-lived-credentials.md` | reviewed |
| Secrets and cryptography | Key-per-Tenant | `artifacts/entities/pattern-key-per-tenant.md` | seed |
| Secrets and cryptography | Certificate Automation | `artifacts/entities/pattern-certificate-automation.md` | seed |
| Application/API security | API Gateway as Security Boundary | `artifacts/entities/pattern-api-gateway-as-security-boundary.md` | seed |
| Application/API security | Backend-for-Frontend | `artifacts/entities/pattern-backend-for-frontend.md` | seed |
| Application/API security | Object-Level Authorization Check | `artifacts/entities/pattern-object-level-authorization-check.md` | draft |
| Application/API security | Schema-First API Security | `artifacts/entities/pattern-schema-first-api-security.md` | seed |
| Application/API security | Idempotent Command API | `artifacts/entities/pattern-idempotent-command-api.md` | seed |
| Application/API security | Secure File Upload Pipeline | `artifacts/entities/pattern-secure-file-upload-pipeline.md` | seed |
| Supply chain | Protected Main Branch | `artifacts/entities/pattern-protected-main-branch.md` | seed |
| Supply chain | Dependency Update Bot | `artifacts/entities/pattern-dependency-update-bot.md` | seed |
| Supply chain | SBOM-per-Release | `artifacts/entities/pattern-sbom-per-release.md` | seed |
| Supply chain | SLSA Build Provenance | `artifacts/entities/pattern-slsa-build-provenance.md` | seed |
| Supply chain | Signed Container Images | `artifacts/entities/pattern-signed-container-images.md` | seed |
| Supply chain | Quarantined Build Runner | `artifacts/entities/pattern-quarantined-build-runner.md` | seed |
| Detection and response | Security Event Taxonomy | `artifacts/entities/pattern-security-event-taxonomy.md` | seed |
| Detection and response | Central Audit Ledger | `artifacts/entities/pattern-central-audit-ledger.md` | seed |
| Detection and response | Tenant Audit Log View | `artifacts/entities/pattern-tenant-audit-log-view.md` | seed |
| Detection and response | Incident Runbook Library | `artifacts/entities/pattern-incident-runbook-library.md` | seed |
| Detection and response | Kill Switch / Tenant Freeze | `artifacts/entities/pattern-kill-switch-tenant-freeze.md` | seed |
| Detection and response | Token Revocation Sweep | `artifacts/entities/pattern-token-revocation-sweep.md` | seed |
## NetKingdom Umbrella Patterns
These artifacts remain first-class because they capture NetKingdom
platform-specific architecture that spans multiple exact genesis patterns:

| Umbrella pattern | Artifact | Covers |
| --- | --- | --- |
| STS credential vending | `artifacts/entities/pattern-sts-credential-vending.md` | short-lived object-storage credentials, delegated authorization, OpenBao broker/audit support |
| Workload identity | `artifacts/entities/pattern-workload-identity.md` | service identities, workload secret injection, tenant context |
| Secret zero avoidance | `artifacts/entities/pattern-secret-zero-avoidance.md` | encrypted Git secrets, bootstrap, break-glass, OpenBao handoff |
| Dynamic secrets | `artifacts/entities/pattern-dynamic-secrets.md` | short-lived credentials, leases, rotation, revocation |
| Short-lived SSH certificates | `artifacts/entities/pattern-short-lived-ssh-certificates.md` | time-boxed privilege, agent/admin access, SSH audit |
| Delegated authorization | `artifacts/entities/pattern-delegated-authorization.md` | PDP/PEP, flex-auth, Topaz, decision envelopes |
| Tenant isolation | `artifacts/entities/pattern-tenant-isolation.md` | namespace, cluster, cell, data, and control-plane isolation |
| Policy-as-code admission | `artifacts/entities/pattern-policy-as-code-admission.md` | admission control, pod security, image trust, GitOps guardrails |
| Supply-chain provenance | `artifacts/entities/pattern-supply-chain-provenance.md` | SBOMs, SLSA, signed images, protected branches, trusted runners |
## Completion Result
No exact genesis pattern remains unaccounted for. Future work should improve
maturity and evidence quality, not create missing seed placeholders.