generated from coulomb/repo-seed
Draft capability entry (reuse-surface REUSE-WP-0017-T04, cohort 2)
Honest first-pass maturity vector grounded in README/docs/tests present in this repo; no invented evidence. Flagged for human review before publish. See reuse-surface history/2026-07-06-coverage-classification.md. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
This commit is contained in:
130
registry/capabilities/capability.security.iam-tooling-suite.md
Normal file
130
registry/capabilities/capability.security.iam-tooling-suite.md
Normal file
@@ -0,0 +1,130 @@
|
|||||||
|
---
|
||||||
|
id: capability.security.iam-tooling-suite
|
||||||
|
name: NetKingdom Security/IAM Tooling Suite
|
||||||
|
summary: Dynamic, self-optimizing security platform for Kubernetes-deployed IT infrastructure; owns canonical
|
||||||
|
IAM/security standards and executable conformance tooling (IAM profile conformance, playbook capability
|
||||||
|
contract validation, security bootstrap console).
|
||||||
|
owner: net-kingdom
|
||||||
|
status: draft
|
||||||
|
domain: infotech
|
||||||
|
tags:
|
||||||
|
- security
|
||||||
|
- iam
|
||||||
|
- kubernetes
|
||||||
|
- conformance
|
||||||
|
maturity:
|
||||||
|
discovery:
|
||||||
|
current: D3
|
||||||
|
target: D5
|
||||||
|
confidence: medium
|
||||||
|
rationale: README plus docs/secrets-engine-security-infrastructure-boundary.md describe an explicit
|
||||||
|
integration boundary with OpenBao, flex-auth, user-engine, ops-warden, ops-bridge, info-tech-canon,
|
||||||
|
and State Hub; canon/standards/ holds versioned standards (iam-profile_v0.2.md, playbook-capability-contract_v0.1.md)
|
||||||
|
that key-cape and other repos implement against.
|
||||||
|
availability:
|
||||||
|
current: A2
|
||||||
|
target: A3
|
||||||
|
confidence: medium
|
||||||
|
rationale: 'No top-level package manifest, but tools/ holds three real, independently documented and
|
||||||
|
runnable tools: iam-profile-conformance (executable checks, pytest fixtures), playbook-capability-contract
|
||||||
|
(executable validator), and security-bootstrap-console (local console + localhost web UI).'
|
||||||
|
external_evidence:
|
||||||
|
completeness:
|
||||||
|
level: C1
|
||||||
|
confidence: low
|
||||||
|
basis: scope_vs_intent_and_consumer_expectations
|
||||||
|
satisfied_expectations:
|
||||||
|
- versioned canon standards already implemented by a sibling repo (key-cape)
|
||||||
|
- three documented, runnable conformance/bootstrap tools under tools/
|
||||||
|
broken_expectations: []
|
||||||
|
out_of_scope_expectations: []
|
||||||
|
reliability:
|
||||||
|
level: R1
|
||||||
|
confidence: low
|
||||||
|
basis: consumer_quality_signals
|
||||||
|
known_reliability_risks:
|
||||||
|
- no top-level packaging; each tool under tools/ has its own runtime dependencies, no unified install
|
||||||
|
path yet
|
||||||
|
discovery:
|
||||||
|
intent: Own the canonical IAM/security standards for the Coulomb ecosystem and provide executable conformance
|
||||||
|
tooling so implementers (like key-cape) can verify against the standard rather than guessing.
|
||||||
|
includes:
|
||||||
|
- canon/standards/ versioned IAM and playbook-capability-contract standards
|
||||||
|
- IAM profile conformance checker
|
||||||
|
- playbook capability contract validator
|
||||||
|
- security bootstrap console (local, non-secret-collecting)
|
||||||
|
excludes:
|
||||||
|
- concrete IAM implementations themselves (see key-cape for lightweight mode)
|
||||||
|
- live secret value handling (bootstrap console explicitly refuses live OpenBao initialization)
|
||||||
|
assumptions: []
|
||||||
|
use_cases: []
|
||||||
|
research_memos: []
|
||||||
|
availability:
|
||||||
|
current_level: A2
|
||||||
|
target_level: A3
|
||||||
|
current_artifacts:
|
||||||
|
- tools/iam-profile-conformance
|
||||||
|
- tools/playbook-capability-contract
|
||||||
|
- tools/security-bootstrap-console
|
||||||
|
target_artifacts: []
|
||||||
|
consumption_modes:
|
||||||
|
- cli
|
||||||
|
- local web ui
|
||||||
|
relations:
|
||||||
|
depends_on: []
|
||||||
|
supports: []
|
||||||
|
related_to: []
|
||||||
|
evidence:
|
||||||
|
documentation:
|
||||||
|
- README.md
|
||||||
|
- docs/secrets-engine-security-infrastructure-boundary.md
|
||||||
|
- tools/*/README.md
|
||||||
|
tests:
|
||||||
|
- tools/iam-profile-conformance (pytest fixtures)
|
||||||
|
consumer_feedback: []
|
||||||
|
bug_reports: []
|
||||||
|
incidents: []
|
||||||
|
consumer_guidance:
|
||||||
|
recommended_for:
|
||||||
|
- implementers needing to verify IAM/security conformance against Coulomb's canonical standards
|
||||||
|
not_recommended_for:
|
||||||
|
- needs for a packaged, single-install security suite (currently three separate tools)
|
||||||
|
known_limitations:
|
||||||
|
- no unified top-level packaging across the three tools
|
||||||
|
promotion_history: []
|
||||||
|
---
|
||||||
|
|
||||||
|
# NetKingdom Security/IAM Tooling Suite
|
||||||
|
|
||||||
|
## Overview
|
||||||
|
|
||||||
|
`net-kingdom` provides a dynamic, self-optimizing security platform for Kubernetes-deployed infrastructure. It owns the canonical IAM and security standards (implemented by sibling repos like `key-cape`) and ships three executable conformance/bootstrap tools under `tools/`: IAM profile conformance checks, a playbook capability contract validator, and a non-secret-collecting security bootstrap console.
|
||||||
|
|
||||||
|
## Assessment notes
|
||||||
|
|
||||||
|
### Discovery
|
||||||
|
|
||||||
|
README plus docs/secrets-engine-security-infrastructure-boundary.md describe an explicit integration boundary with OpenBao, flex-auth, user-engine, ops-warden, ops-bridge, info-tech-canon, and State Hub; canon/standards/ holds versioned standards (iam-profile_v0.2.md, playbook-capability-contract_v0.1.md) that key-cape and other repos implement against.
|
||||||
|
|
||||||
|
### Availability
|
||||||
|
|
||||||
|
No top-level package manifest, but tools/ holds three real, independently documented and runnable tools: iam-profile-conformance (executable checks, pytest fixtures), playbook-capability-contract (executable validator), and security-bootstrap-console (local console + localhost web UI).
|
||||||
|
|
||||||
|
### Completeness
|
||||||
|
|
||||||
|
First-pass honest assessment from the REUSE-WP-0017 coverage campaign
|
||||||
|
(reuse-surface). No external consumer feedback exists yet; levels reflect
|
||||||
|
scope-vs-intent documentation quality, not internal code quality.
|
||||||
|
|
||||||
|
### Reliability
|
||||||
|
|
||||||
|
No production consumer telemetry exists yet; reliability level is
|
||||||
|
intentionally conservative pending REUSE-WP-0019 reuse-telemetry evidence.
|
||||||
|
|
||||||
|
## Promotion checklist
|
||||||
|
|
||||||
|
- [x] ID follows `capability.<domain>.<name>` pattern
|
||||||
|
- [x] Maturity enums match `specs/CapabilityMaturityStandard.md`
|
||||||
|
- [x] `external_evidence` is populated separately from `maturity`
|
||||||
|
- [ ] Relations reference valid capability IDs (none yet)
|
||||||
|
- [x] Index entry added in `registry/indexes/capabilities.yaml`
|
||||||
@@ -1,4 +1,22 @@
|
|||||||
version: 1
|
version: 1
|
||||||
updated: '2026-06-16'
|
updated: '2026-07-06'
|
||||||
domain: helix_forge
|
domain: helix_forge
|
||||||
capabilities: []
|
capabilities:
|
||||||
|
- id: capability.security.iam-tooling-suite
|
||||||
|
name: NetKingdom Security/IAM Tooling Suite
|
||||||
|
summary: Dynamic, self-optimizing security platform for Kubernetes-deployed IT infrastructure; owns
|
||||||
|
canonical IAM/security standards and executable conformance tooling (IAM profile conformance, playbook
|
||||||
|
capability contract validation, security bootstrap console).
|
||||||
|
vector: D3 / A2 / C1 / R1
|
||||||
|
domain: infotech
|
||||||
|
status: draft
|
||||||
|
owner: net-kingdom
|
||||||
|
path: registry/capabilities/capability.security.iam-tooling-suite.md
|
||||||
|
tags:
|
||||||
|
- security
|
||||||
|
- iam
|
||||||
|
- kubernetes
|
||||||
|
- conformance
|
||||||
|
consumption_modes:
|
||||||
|
- cli
|
||||||
|
- local web ui
|
||||||
|
|||||||
Reference in New Issue
Block a user