generated from coulomb/repo-seed
Draft capability entry (reuse-surface REUSE-WP-0017-T04, cohort 2)
Honest first-pass maturity vector grounded in README/docs/tests present in this repo; no invented evidence. Flagged for human review before publish. See reuse-surface history/2026-07-06-coverage-classification.md. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
This commit is contained in:
130
registry/capabilities/capability.security.iam-tooling-suite.md
Normal file
130
registry/capabilities/capability.security.iam-tooling-suite.md
Normal file
@@ -0,0 +1,130 @@
|
||||
---
|
||||
id: capability.security.iam-tooling-suite
|
||||
name: NetKingdom Security/IAM Tooling Suite
|
||||
summary: Dynamic, self-optimizing security platform for Kubernetes-deployed IT infrastructure; owns canonical
|
||||
IAM/security standards and executable conformance tooling (IAM profile conformance, playbook capability
|
||||
contract validation, security bootstrap console).
|
||||
owner: net-kingdom
|
||||
status: draft
|
||||
domain: infotech
|
||||
tags:
|
||||
- security
|
||||
- iam
|
||||
- kubernetes
|
||||
- conformance
|
||||
maturity:
|
||||
discovery:
|
||||
current: D3
|
||||
target: D5
|
||||
confidence: medium
|
||||
rationale: README plus docs/secrets-engine-security-infrastructure-boundary.md describe an explicit
|
||||
integration boundary with OpenBao, flex-auth, user-engine, ops-warden, ops-bridge, info-tech-canon,
|
||||
and State Hub; canon/standards/ holds versioned standards (iam-profile_v0.2.md, playbook-capability-contract_v0.1.md)
|
||||
that key-cape and other repos implement against.
|
||||
availability:
|
||||
current: A2
|
||||
target: A3
|
||||
confidence: medium
|
||||
rationale: 'No top-level package manifest, but tools/ holds three real, independently documented and
|
||||
runnable tools: iam-profile-conformance (executable checks, pytest fixtures), playbook-capability-contract
|
||||
(executable validator), and security-bootstrap-console (local console + localhost web UI).'
|
||||
external_evidence:
|
||||
completeness:
|
||||
level: C1
|
||||
confidence: low
|
||||
basis: scope_vs_intent_and_consumer_expectations
|
||||
satisfied_expectations:
|
||||
- versioned canon standards already implemented by a sibling repo (key-cape)
|
||||
- three documented, runnable conformance/bootstrap tools under tools/
|
||||
broken_expectations: []
|
||||
out_of_scope_expectations: []
|
||||
reliability:
|
||||
level: R1
|
||||
confidence: low
|
||||
basis: consumer_quality_signals
|
||||
known_reliability_risks:
|
||||
- no top-level packaging; each tool under tools/ has its own runtime dependencies, no unified install
|
||||
path yet
|
||||
discovery:
|
||||
intent: Own the canonical IAM/security standards for the Coulomb ecosystem and provide executable conformance
|
||||
tooling so implementers (like key-cape) can verify against the standard rather than guessing.
|
||||
includes:
|
||||
- canon/standards/ versioned IAM and playbook-capability-contract standards
|
||||
- IAM profile conformance checker
|
||||
- playbook capability contract validator
|
||||
- security bootstrap console (local, non-secret-collecting)
|
||||
excludes:
|
||||
- concrete IAM implementations themselves (see key-cape for lightweight mode)
|
||||
- live secret value handling (bootstrap console explicitly refuses live OpenBao initialization)
|
||||
assumptions: []
|
||||
use_cases: []
|
||||
research_memos: []
|
||||
availability:
|
||||
current_level: A2
|
||||
target_level: A3
|
||||
current_artifacts:
|
||||
- tools/iam-profile-conformance
|
||||
- tools/playbook-capability-contract
|
||||
- tools/security-bootstrap-console
|
||||
target_artifacts: []
|
||||
consumption_modes:
|
||||
- cli
|
||||
- local web ui
|
||||
relations:
|
||||
depends_on: []
|
||||
supports: []
|
||||
related_to: []
|
||||
evidence:
|
||||
documentation:
|
||||
- README.md
|
||||
- docs/secrets-engine-security-infrastructure-boundary.md
|
||||
- tools/*/README.md
|
||||
tests:
|
||||
- tools/iam-profile-conformance (pytest fixtures)
|
||||
consumer_feedback: []
|
||||
bug_reports: []
|
||||
incidents: []
|
||||
consumer_guidance:
|
||||
recommended_for:
|
||||
- implementers needing to verify IAM/security conformance against Coulomb's canonical standards
|
||||
not_recommended_for:
|
||||
- needs for a packaged, single-install security suite (currently three separate tools)
|
||||
known_limitations:
|
||||
- no unified top-level packaging across the three tools
|
||||
promotion_history: []
|
||||
---
|
||||
|
||||
# NetKingdom Security/IAM Tooling Suite
|
||||
|
||||
## Overview
|
||||
|
||||
`net-kingdom` provides a dynamic, self-optimizing security platform for Kubernetes-deployed infrastructure. It owns the canonical IAM and security standards (implemented by sibling repos like `key-cape`) and ships three executable conformance/bootstrap tools under `tools/`: IAM profile conformance checks, a playbook capability contract validator, and a non-secret-collecting security bootstrap console.
|
||||
|
||||
## Assessment notes
|
||||
|
||||
### Discovery
|
||||
|
||||
README plus docs/secrets-engine-security-infrastructure-boundary.md describe an explicit integration boundary with OpenBao, flex-auth, user-engine, ops-warden, ops-bridge, info-tech-canon, and State Hub; canon/standards/ holds versioned standards (iam-profile_v0.2.md, playbook-capability-contract_v0.1.md) that key-cape and other repos implement against.
|
||||
|
||||
### Availability
|
||||
|
||||
No top-level package manifest, but tools/ holds three real, independently documented and runnable tools: iam-profile-conformance (executable checks, pytest fixtures), playbook-capability-contract (executable validator), and security-bootstrap-console (local console + localhost web UI).
|
||||
|
||||
### Completeness
|
||||
|
||||
First-pass honest assessment from the REUSE-WP-0017 coverage campaign
|
||||
(reuse-surface). No external consumer feedback exists yet; levels reflect
|
||||
scope-vs-intent documentation quality, not internal code quality.
|
||||
|
||||
### Reliability
|
||||
|
||||
No production consumer telemetry exists yet; reliability level is
|
||||
intentionally conservative pending REUSE-WP-0019 reuse-telemetry evidence.
|
||||
|
||||
## Promotion checklist
|
||||
|
||||
- [x] ID follows `capability.<domain>.<name>` pattern
|
||||
- [x] Maturity enums match `specs/CapabilityMaturityStandard.md`
|
||||
- [x] `external_evidence` is populated separately from `maturity`
|
||||
- [ ] Relations reference valid capability IDs (none yet)
|
||||
- [x] Index entry added in `registry/indexes/capabilities.yaml`
|
||||
Reference in New Issue
Block a user