diff --git a/registry/capabilities/capability.security.iam-tooling-suite.md b/registry/capabilities/capability.security.iam-tooling-suite.md new file mode 100644 index 0000000..4618431 --- /dev/null +++ b/registry/capabilities/capability.security.iam-tooling-suite.md @@ -0,0 +1,130 @@ +--- +id: capability.security.iam-tooling-suite +name: NetKingdom Security/IAM Tooling Suite +summary: Dynamic, self-optimizing security platform for Kubernetes-deployed IT infrastructure; owns canonical + IAM/security standards and executable conformance tooling (IAM profile conformance, playbook capability + contract validation, security bootstrap console). +owner: net-kingdom +status: draft +domain: infotech +tags: +- security +- iam +- kubernetes +- conformance +maturity: + discovery: + current: D3 + target: D5 + confidence: medium + rationale: README plus docs/secrets-engine-security-infrastructure-boundary.md describe an explicit + integration boundary with OpenBao, flex-auth, user-engine, ops-warden, ops-bridge, info-tech-canon, + and State Hub; canon/standards/ holds versioned standards (iam-profile_v0.2.md, playbook-capability-contract_v0.1.md) + that key-cape and other repos implement against. + availability: + current: A2 + target: A3 + confidence: medium + rationale: 'No top-level package manifest, but tools/ holds three real, independently documented and + runnable tools: iam-profile-conformance (executable checks, pytest fixtures), playbook-capability-contract + (executable validator), and security-bootstrap-console (local console + localhost web UI).' +external_evidence: + completeness: + level: C1 + confidence: low + basis: scope_vs_intent_and_consumer_expectations + satisfied_expectations: + - versioned canon standards already implemented by a sibling repo (key-cape) + - three documented, runnable conformance/bootstrap tools under tools/ + broken_expectations: [] + out_of_scope_expectations: [] + reliability: + level: R1 + confidence: low + basis: consumer_quality_signals + known_reliability_risks: + - no top-level packaging; each tool under tools/ has its own runtime dependencies, no unified install + path yet +discovery: + intent: Own the canonical IAM/security standards for the Coulomb ecosystem and provide executable conformance + tooling so implementers (like key-cape) can verify against the standard rather than guessing. + includes: + - canon/standards/ versioned IAM and playbook-capability-contract standards + - IAM profile conformance checker + - playbook capability contract validator + - security bootstrap console (local, non-secret-collecting) + excludes: + - concrete IAM implementations themselves (see key-cape for lightweight mode) + - live secret value handling (bootstrap console explicitly refuses live OpenBao initialization) + assumptions: [] + use_cases: [] + research_memos: [] +availability: + current_level: A2 + target_level: A3 + current_artifacts: + - tools/iam-profile-conformance + - tools/playbook-capability-contract + - tools/security-bootstrap-console + target_artifacts: [] + consumption_modes: + - cli + - local web ui +relations: + depends_on: [] + supports: [] + related_to: [] +evidence: + documentation: + - README.md + - docs/secrets-engine-security-infrastructure-boundary.md + - tools/*/README.md + tests: + - tools/iam-profile-conformance (pytest fixtures) + consumer_feedback: [] + bug_reports: [] + incidents: [] +consumer_guidance: + recommended_for: + - implementers needing to verify IAM/security conformance against Coulomb's canonical standards + not_recommended_for: + - needs for a packaged, single-install security suite (currently three separate tools) + known_limitations: + - no unified top-level packaging across the three tools +promotion_history: [] +--- + +# NetKingdom Security/IAM Tooling Suite + +## Overview + +`net-kingdom` provides a dynamic, self-optimizing security platform for Kubernetes-deployed infrastructure. It owns the canonical IAM and security standards (implemented by sibling repos like `key-cape`) and ships three executable conformance/bootstrap tools under `tools/`: IAM profile conformance checks, a playbook capability contract validator, and a non-secret-collecting security bootstrap console. + +## Assessment notes + +### Discovery + +README plus docs/secrets-engine-security-infrastructure-boundary.md describe an explicit integration boundary with OpenBao, flex-auth, user-engine, ops-warden, ops-bridge, info-tech-canon, and State Hub; canon/standards/ holds versioned standards (iam-profile_v0.2.md, playbook-capability-contract_v0.1.md) that key-cape and other repos implement against. + +### Availability + +No top-level package manifest, but tools/ holds three real, independently documented and runnable tools: iam-profile-conformance (executable checks, pytest fixtures), playbook-capability-contract (executable validator), and security-bootstrap-console (local console + localhost web UI). + +### Completeness + +First-pass honest assessment from the REUSE-WP-0017 coverage campaign +(reuse-surface). No external consumer feedback exists yet; levels reflect +scope-vs-intent documentation quality, not internal code quality. + +### Reliability + +No production consumer telemetry exists yet; reliability level is +intentionally conservative pending REUSE-WP-0019 reuse-telemetry evidence. + +## Promotion checklist + +- [x] ID follows `capability..` pattern +- [x] Maturity enums match `specs/CapabilityMaturityStandard.md` +- [x] `external_evidence` is populated separately from `maturity` +- [ ] Relations reference valid capability IDs (none yet) +- [x] Index entry added in `registry/indexes/capabilities.yaml` diff --git a/registry/indexes/capabilities.yaml b/registry/indexes/capabilities.yaml index f944e47..fc4e35a 100644 --- a/registry/indexes/capabilities.yaml +++ b/registry/indexes/capabilities.yaml @@ -1,4 +1,22 @@ version: 1 -updated: '2026-06-16' +updated: '2026-07-06' domain: helix_forge -capabilities: [] +capabilities: +- id: capability.security.iam-tooling-suite + name: NetKingdom Security/IAM Tooling Suite + summary: Dynamic, self-optimizing security platform for Kubernetes-deployed IT infrastructure; owns + canonical IAM/security standards and executable conformance tooling (IAM profile conformance, playbook + capability contract validation, security bootstrap console). + vector: D3 / A2 / C1 / R1 + domain: infotech + status: draft + owner: net-kingdom + path: registry/capabilities/capability.security.iam-tooling-suite.md + tags: + - security + - iam + - kubernetes + - conformance + consumption_modes: + - cli + - local web ui