Add OpenBao runtime secret authority; complete NK-WP-0006/0007/0008

Refine the recursive platform security architecture to make OpenBao the
canonical runtime secret authority, with SOPS/age, K8s Secrets, and the
emergency bundle reframed as bootstrap/delivery/break-glass mechanisms.

- credential-management standard v0.2: add OpenBao runtime authority
  section, rotation rules, and prohibited patterns (OpenBao-as-PDP,
  tenant platform-root)
- platform-identity-security-architecture: mark implemented; add
  flex-auth/Topaz implications, Coulomb onboarding path, and a
  production-readiness checklist
- NK-WP-0004/0005: document bootstrap-to-OpenBao handoff boundary
- NK-WP-0006/0007: status -> done with implementation reviews; add
  recursive platform/tenant split and OpenBao broker/audit role for
  object-storage STS vending
- NK-WP-0008: status -> done; repoint corpus to infospace-bench
- new ADR-0007 (orchestration boundary), ADR-0008 (STS vending
  boundary), and the object-storage STS credential-vending architecture

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
2026-05-20 22:51:20 +02:00
parent b49631acef
commit 7b211acd57
10 changed files with 1150 additions and 69 deletions

View File

@@ -4,16 +4,18 @@ type: workplan
title: IT Security Architecture Patterns Infospace
domain: netkingdom
repo: net-kingdom
status: proposed
status: done
owner: codex
topic_slug: netkingdom
planning_priority: high
planning_order: 8
created: 2026-05-17
updated: 2026-05-17
updated: 2026-05-19
depends_on:
- NK-WP-0006
state_hub_workstream_id: "053c6d96-9396-40c9-a2e5-c36531e7810d"
execution_repo: infospace-bench
infospace_path: infospaces/patterns-of-it-securita-architecture
---
# NK-WP-0008 - IT Security Architecture Patterns Infospace
@@ -49,13 +51,40 @@ and secrets management. Several patterns repeat across repos:
An infospace makes these repeatable architectural patterns explicit,
searchable, comparable, and teachable.
## Seeded Infospace
Bernd seeded the working corpus in `infospace-bench`:
```text
/home/worsch/infospace-bench/infospaces/patterns-of-it-securita-architecture/
```
The current seed is:
```text
genesis/InitialExploration.md
```
That file already sketches the two intended collections: a security
capability catalog and a security architecture pattern catalog, with
readiness levels and mappings to standards such as NIST CSF, CIS, OWASP,
SLSA, and OpenSSF.
NK-WP-0008 will therefore use `infospace-bench` as the canonical working
space instead of creating a separate `docs/security-patterns/` tree in
`net-kingdom`. `net-kingdom` remains the owner of the NetKingdom security
architecture mapping; `infospace-bench` owns the concrete infospace
artifact lifecycle, manifests, evaluation reports, and exports.
## Scope
In scope:
- define a pattern document template
- create an infospace directory under `docs/security-patterns/`
- capture initial patterns and their NetKingdom mapping
- promote the seeded directory into a valid `infospace-bench` infospace
with `infospace.yaml`, `artifacts/index.yaml`, and the standard layout
- import `genesis/InitialExploration.md` as the seed source artifact
- define capability and pattern document templates inside the infospace
- capture initial capability, pattern, readiness, and mapping artifacts
- record source references and current product/tool options
- connect patterns to implementation repos and workplans
- distinguish canonical patterns from experiments and anti-patterns
@@ -63,74 +92,195 @@ In scope:
Out of scope:
- implementing every pattern
- building new lower-level `infospace-bench` engine features
- replacing ADRs
- duplicating vendor documentation
- using `net-kingdom/docs/security-patterns/` as the primary corpus
- writing full tutorials; tutorials are handled by NK-WP-0009
## Tasks
### T01 - Promote The Seed Into A Valid Infospace
```task
id: NK-WP-0008-T1
status: todo
status: done
priority: high
state_hub_task_id: "d1b7213c-3315-49d2-90c9-efdf2bea3563"
```
Define the security-pattern infospace structure and template:
problem, forces, applicability, threat model, canonical NetKingdom
mapping, implementation variants, operational checks, audit hooks,
anti-patterns, and references.
Promote
`/home/worsch/infospace-bench/infospaces/patterns-of-it-securita-architecture`
from a genesis note into a valid `infospace-bench` project: create
`infospace.yaml`, `artifacts/index.yaml`, the required artifact/output
directories, and a manifest entry for `genesis/InitialExploration.md`.
Define the initial artifact taxonomy for:
- capabilities
- patterns
- readiness levels
- mappings
- source references
- generated reports
### T02 - Extract The Initial Capability And Pattern Catalogs
```task
id: NK-WP-0008-T2
status: todo
status: done
priority: high
state_hub_task_id: "59966187-27f1-4b9c-9dfc-e59d11ff115c"
```
Create initial pattern entries for: STS credential vending, workload
identity, secret zero avoidance, dynamic secrets, short-lived SSH
certificates, delegated authorization, break-glass access, and
policy-as-code.
Extract the first structured artifacts from the seeded exploration:
- a security capability catalog
- a security architecture pattern catalog
- readiness levels RL0-RL4
- a production readiness baseline
Initial patterns must include STS credential vending, workload identity,
secret zero avoidance, dynamic secrets, short-lived SSH certificates,
delegated authorization, break-glass access, tenant isolation, central
audit ledger, policy-as-code admission, and supply-chain provenance.
Each pattern artifact should use a repeatable template: problem, context,
forces, solution, implementation sketch, failure modes, related
capabilities, maturity, verification, and references.
### T03 - Map Patterns To NetKingdom And Ecosystem Ownership
```task
id: NK-WP-0008-T3
status: todo
status: done
priority: medium
state_hub_task_id: "927c08a5-1a7e-4634-a514-0f562e286708"
```
Map each pattern to NetKingdom/Railiance repos and components:
net-kingdom, key-cape, flex-auth, ops-warden, ops-bridge,
railiance-platform, artifact-store, Keycloak, Authelia, LLDAP,
privacyIDEA, OpenBao, Ceph RGW, and MinIO-compatible stores.
Map each capability and pattern to the owning repos, components, and
workplans:
- `net-kingdom`, NK-WP-0006, NK-WP-0007, NK-WP-0008, NK-WP-0009
- `key-cape`, Keycloak, Authelia, LLDAP, privacyIDEA
- `flex-auth`, Topaz, CARING descriptors, decision envelopes
- `railiance-platform`, OpenBao, Ceph RGW, MinIO-compatible stores
- `ops-warden`, `ops-bridge`, short-lived SSH and agent access
- `artifact-store`, object storage, STS consumers, artifact integrity
- relevant standards and references from the seed document
This mapping should distinguish platform ownership, product/application
ownership, tenant responsibility, and external provider responsibility.
### T04 - Build The Index, Maturity Matrix, And Report
```task
id: NK-WP-0008-T4
status: todo
status: done
priority: medium
state_hub_task_id: "884626ea-243e-4806-9267-77ef643158b7"
```
Create an index page with pattern status, maturity, owning repo,
implementation links, and open decisions.
Create the first infospace index/report with capability status, pattern
maturity, owning repo, implementation links, open decisions, and gaps.
The report should make it easy to answer:
- which patterns are canonical versus experimental
- which patterns already have NetKingdom/Railiance implementation anchors
- which patterns need ADRs, workplans, or tutorials
- which patterns feed NK-WP-0009 tutorials
### T05 - Define Admission And Review Criteria
```task
id: NK-WP-0008-T5
status: todo
status: done
priority: medium
state_hub_task_id: "d3b29f3d-0da5-43b5-a93a-d95fb8a0ceef"
```
Add review criteria for admitting new patterns: vendor neutrality,
threat-model clarity, open-source/commercial implementation options,
operability, auditability, and failure-mode behavior.
operability, auditability, failure-mode behavior, readiness-level fit,
evidence quality, and ownership clarity.
Define when a pattern is allowed to graduate from:
```text
seed -> draft -> reviewed -> canonical -> deprecated
```
The criteria should be expressed as an infospace evaluation/checklist so
future pattern additions can be reviewed consistently.
## Implementation Review - 2026-05-19
NK-WP-0008 has been implemented in `infospace-bench` at:
```text
/home/worsch/infospace-bench/infospaces/patterns-of-it-securita-architecture/
```
Created artifacts:
- `infospace.yaml`
- `artifacts/index.yaml`
- `artifacts/entities/security-capability-catalog.md`
- `artifacts/entities/security-architecture-pattern-catalog.md`
- `artifacts/entities/security-readiness-levels.md`
- `artifacts/relations/netkingdom-ownership-map.md`
- `artifacts/generated/security-pattern-index.md`
- `artifacts/generated/pattern-admission-review.md`
- `reports/initial-security-pattern-report.md`
Population pass:
- copied the NetKingdom object-storage STS credential-vending document,
platform identity/security architecture document, ADR-0008, and
Railiance OpenBao platform secrets service note into
`artifacts/sources/`
- added `artifacts/entities/capability-object-storage-access.md`
- added `artifacts/entities/pattern-sts-credential-vending.md`
- added `artifacts/relations/sts-credential-vending-relationship-map.md`
- added `artifacts/generated/sts-credential-vending-extraction.md`
- registered the new STS/OpenBao evidence, capability, pattern, relation
map, extraction, index, and report edges in `artifacts/index.yaml`
- normalized relationship direction so the infospace graph remains
connected and acyclic
Catalogue population pass:
- added first-class pattern artifacts for the initial NetKingdom pattern
set beyond STS credential vending: workload identity, secret zero
avoidance, dynamic secrets, short-lived SSH certificates, delegated
authorization, break-glass access, tenant isolation, central audit
ledger, policy-as-code admission, supply-chain provenance, network
default deny, object-level authorization check, human/agent identity
split, and tenant context propagation
- added `artifacts/generated/research-pattern-normalization.md` to map
the broader `genesis/InitialExploration.md` research tables into the
first-class pattern set and future promotion candidates
- registered the pattern artifacts in `artifacts/index.yaml` with source
seed, catalog inclusion, ownership map, admission review, readiness,
and index summary relationships
Verification:
- `.venv/bin/python -m infospace_bench inspect infospaces/patterns-of-it-securita-architecture`
- `.venv/bin/python -m infospace_bench validate infospaces/patterns-of-it-securita-architecture`
- `.venv/bin/python -m infospace_bench metrics infospaces/patterns-of-it-securita-architecture` passed viability in snapshot `502d0933` with 16 artifacts, 100% coverage, one connected component, and zero consistency cycles
- `.venv/bin/python -m infospace_bench graph infospaces/patterns-of-it-securita-architecture --format mermaid`
- `.venv/bin/python -m pytest` passed with 179 passed, 2 skipped
## Acceptance Criteria
- `docs/security-patterns/` exists with a repeatable pattern template.
- `infospace-bench/infospaces/patterns-of-it-securita-architecture/`
is a valid infospace-bench project with a manifest and standard layout.
- Initial high-value security patterns are documented in a consistent
shape.
- Each pattern names the canonical NetKingdom mapping and the repos that
own implementation.
- The infospace distinguishes patterns, tutorials, ADRs, and vendor docs.
- State Hub task titles and descriptions reflect the concrete
infospace-bench workflow instead of generic placeholder task names.