generated from coulomb/repo-seed
4.5 KiB
# Security Pattern Index And Maturity Matrix

Status: generated index refreshed for NK-WP-0010

## Capability Index

| Capability group | Initial status | Primary owner | Gaps |
|---|---|---|---|
| Security governance and readiness | draft | NetKingdom, State Hub | risk register and readiness gates need formalization |
| Identity and user management | partial | NetKingdom, key-cape, Keycloak | lifecycle and federation evidence incomplete |
| Authorization and access control | partial | flex-auth, NetKingdom | policy package lifecycle and Topaz runtime checks need implementation |
| Tenant isolation | draft | NetKingdom, Railiance, product repos | isolation patterns now exist; product conformance tests remain |
| Secrets, keys, and credentials | partial | NetKingdom, Railiance platform, OpenBao | OpenBao drills and certificate lifecycle evidence pending |
| Network and edge security | seed | Railiance, product repos | default-deny and gateway patterns need concrete manifests |
| Platform and Kubernetes hardening | seed | Railiance | baseline, pod-security, and admission patterns need implementation evidence |
| Application and API security | seed | product repos, NetKingdom | object-level, schema, BFF, command, and upload patterns need product adoption |
| Data protection and privacy | seed | product repos, platform | tenant data partitioning and key-per-tenant need storage-specific decisions |
| Software supply chain security | seed | Railiance, artifact-store, product repos | SBOM/provenance/signature pipeline needs implementation anchors |
| Observability, detection, and audit | draft | Railiance, NetKingdom, State Hub | event taxonomy and tenant audit projection need storage decision |
| Incident response and recovery | draft | Railiance, NetKingdom | runbooks, tenant freeze, and revocation sweep need drills |

## Genesis Pattern Coverage

| Family | Exact patterns | Artifact coverage | Maturity spread |
|---|---|---|---|
| Identity and access | 8 | complete | seed to reviewed |
| Tenant isolation | 6 | complete | seed to draft |
| Kubernetes and platform | 7 | complete | seed |
| Secrets and cryptography | 5 | complete | seed to reviewed |
| Application/API security | 6 | complete | seed to draft |
| Supply chain | 6 | complete | seed |
| Detection and response | 6 | complete | seed |

The authoritative per-pattern completion matrix is `artifacts/generated/research-pattern-normalization.md`.

## NetKingdom Umbrella Pattern Index

| Pattern | Maturity | Owner | Implementation links |
|---|---|---|---|
| STS credential vending | reviewed | NetKingdom, flex-auth, Railiance platform | NK-WP-0007, ADR-0008, artifact-store follow-up |
| Workload identity | draft | Railiance platform, NetKingdom | IAM Profile, OpenBao Kubernetes auth |
| Secret zero avoidance | reviewed | NetKingdom, Railiance platform | NK-WP-0004, NK-WP-0005, Railiance OpenBao |
| Dynamic secrets | draft | OpenBao, Railiance platform | OpenBao leases and revocation |
| Short-lived SSH certificates | draft | ops-warden, ops-bridge, NetKingdom | SSH certificate issuance and audit |
| Delegated authorization | reviewed | flex-auth, NetKingdom | flex-auth, Topaz, CARING descriptors |
| Tenant isolation | draft | NetKingdom, Railiance platform, product repos | namespace, cluster, cell, data, and control-plane isolation |
| Policy-as-code admission | seed | Railiance platform, NetKingdom | admission policy, pod security, image trust |
| Supply-chain provenance | seed | Railiance platform, artifact-store, product repos | SBOM, signatures, SLSA provenance |

## Tutorial Handoff To NK-WP-0009

High-value tutorial candidates after NK-WP-0010 completion:

- Vend temporary S3 credentials from a NetKingdom identity token.
- Deploy OpenBao as canonical Railiance platform secrets manager.
- Use short-lived SSH credentials for admins, agents, and automations.
- Add a protected system to flex-auth using PDP/PEP boundaries.
- Apply secret-zero avoidance from bootstrap to runtime OpenBao.
- Build tenant audit visibility from the central audit ledger.
- Add policy-as-code admission with pod-security and signed-image gates.
- Produce SBOM, signature, and SLSA-style provenance for a release.

## Open Decisions And Gaps

- Decide durable audit ledger storage and tenant-visible audit boundary.
- Decide which seed patterns should graduate to reviewed before tutorial writing starts.
- Decide how machine-readable capability and pattern status should be represented.
- Decide which pattern families need product-specific conformance tests before being marked canonical.