diff --git a/workplans/NK-WP-0010-genesis-security-pattern-completion.md b/workplans/NK-WP-0010-genesis-security-pattern-completion.md new file mode 100644 index 0000000..b706430 --- /dev/null +++ b/workplans/NK-WP-0010-genesis-security-pattern-completion.md 
@@ -0,0 +1,352 @@ +--- +id: NK-WP-0010 +type: workplan +title: Genesis Security Pattern Completion +domain: netkingdom +repo: net-kingdom +status: done +owner: codex +topic_slug: netkingdom +planning_priority: medium +planning_order: 10 +created: 2026-05-19 +updated: 2026-05-19 +depends_on: + - NK-WP-0008 +unblocks: + - NK-WP-0009 +execution_repo: infospace-bench +infospace_path: infospaces/patterns-of-it-securita-architecture +state_hub_workstream_id: "f4faf8b4-ae57-40cf-a881-6fe66ca6ad74" +--- + +# NK-WP-0010 - Genesis Security Pattern Completion + +## Goal + +Promote every security architecture and solution pattern explicitly +named in +`/home/worsch/infospace-bench/infospaces/patterns-of-it-securita-architecture/genesis/InitialExploration.md` +into a first-class infospace artifact. + +NK-WP-0008 created the infospace and populated the first NetKingdom +pattern set. NK-WP-0010 closes the remaining catalogue gap: no pattern +mentioned in the genesis research should remain only as prose inside the +source note or as a candidate row in the normalization artifact. + +## Context + +The genesis file names a broad security pattern catalogue across seven +families: + +- identity and access +- tenant isolation +- Kubernetes and platform +- secrets and cryptography +- application/API security +- supply chain +- detection and response + +NK-WP-0008 already created first-class artifacts for the NetKingdom +initial pattern set, including STS credential vending, workload +identity, secret zero avoidance, dynamic secrets, short-lived SSH +certificates, delegated authorization, break-glass access, tenant +isolation, central audit ledger, policy-as-code admission, supply-chain +provenance, network default deny, object-level authorization, +human/agent identity split, and tenant context propagation. 
+ +This workplan should complete the literal genesis coverage while keeping +the distinction between: + +- an exact pattern named by the research seed +- a NetKingdom canonical pattern +- an umbrella pattern that groups several exact seed patterns +- a future tutorial candidate for NK-WP-0009 + +## Scope + +In scope: + +- create or reconcile one first-class artifact for each exact pattern + name in the genesis security architecture pattern catalogue +- keep existing NK-WP-0008 pattern artifacts, adding aliases or related + links instead of duplicating them where an exact seed pattern is + already represented +- update `artifacts/index.yaml` with source, catalogue, ownership, + admission, readiness, index, and report relationships +- update `artifacts/generated/research-pattern-normalization.md` so it + becomes a completion map rather than a candidate-only map +- update the generated index, report, and ownership map +- preserve an acyclic, connected infospace graph + +Out of scope: + +- writing tutorials; that remains NK-WP-0009 +- implementing platform services +- resolving every open architecture decision in the pattern artifacts +- replacing ADRs or vendor docs + +## Genesis Pattern Inventory + +This workplan targets the exact pattern names in the genesis file: + +| Family | Patterns | +| --- | --- | +| Identity and access | Central Identity Provider; Identity Broker; Tenant Membership Boundary; Role Composition; Policy Decision Point / Policy Enforcement Point; Time-boxed Privilege Elevation; Break-glass Access; Human/Agent Identity Split | +| Tenant isolation | Namespace-per-Tenant; Cluster-per-Tenant; Cell-based Architecture; Shared Control Plane, Isolated Data Plane; Tenant Context Propagation; Tenant Data Partitioning | +| Kubernetes and platform | Secure Cluster Baseline; Policy-as-Code Admission Control; Pod Security Baseline/Restricted; Network Default Deny; Signed Image Admission; GitOps with Guardrails; Runtime Threat Detection | +| Secrets and 
cryptography | External Secrets Operator; Sealed Secret / Encrypted Git Secret; Short-lived Credentials; Key-per-Tenant; Certificate Automation | +| Application/API security | API Gateway as Security Boundary; Backend-for-Frontend; Object-Level Authorization Check; Schema-First API Security; Idempotent Command API; Secure File Upload Pipeline | +| Supply chain | Protected Main Branch; Dependency Update Bot; SBOM-per-Release; SLSA Build Provenance; Signed Container Images; Quarantined Build Runner | +| Detection and response | Security Event Taxonomy; Central Audit Ledger; Tenant Audit Log View; Incident Runbook Library; Kill Switch / Tenant Freeze; Token Revocation Sweep | + +## Tasks + +### T01 - Reconcile The Genesis Inventory + +```task +id: NK-WP-0010-T1 +status: done +priority: high +state_hub_task_id: "61160df5-7305-4a0f-a34d-2a763c29eab4" +``` + +Create a completion matrix from `genesis/InitialExploration.md` that +lists every exact seed pattern, current artifact coverage, aliases, +canonical NetKingdom mapping, owner, status, and whether a new artifact +is needed. + +Update `artifacts/generated/research-pattern-normalization.md` so it +becomes the authoritative inventory for this workplan. + +### T02 - Complete Identity And Access Patterns + +```task +id: NK-WP-0010-T2 +status: done +priority: high +state_hub_task_id: "dad43681-9404-47b8-b58c-39b7218c2542" +``` + +Create or reconcile first-class artifacts for: + +- Central Identity Provider +- Identity Broker +- Tenant Membership Boundary +- Role Composition +- Policy Decision Point / Policy Enforcement Point +- Time-boxed Privilege Elevation +- Break-glass Access +- Human/Agent Identity Split + +Existing break-glass and human/agent identity artifacts should be +retained and enriched. The PDP/PEP artifact may reference the existing +delegated authorization artifact, but the exact seed pattern must be +discoverable as a first-class artifact or explicit alias. 
+ +### T03 - Complete Tenant Isolation Patterns + +```task +id: NK-WP-0010-T3 +status: done +priority: high +state_hub_task_id: "dee39f82-aa3a-4824-ba61-7fbdbd5c3d21" +``` + +Create or reconcile first-class artifacts for: + +- Namespace-per-Tenant +- Cluster-per-Tenant +- Cell-based Architecture +- Shared Control Plane, Isolated Data Plane +- Tenant Context Propagation +- Tenant Data Partitioning + +Ensure these link to the existing tenant isolation and tenant context +propagation artifacts without flattening their different isolation +strengths and failure modes. + +### T04 - Complete Kubernetes And Platform Patterns + +```task +id: NK-WP-0010-T4 +status: done +priority: high +state_hub_task_id: "19def7b4-4f1a-45ad-b15b-6a56e675be41" +``` + +Create or reconcile first-class artifacts for: + +- Secure Cluster Baseline +- Policy-as-Code Admission Control +- Pod Security Baseline/Restricted +- Network Default Deny +- Signed Image Admission +- GitOps with Guardrails +- Runtime Threat Detection + +Preserve the relationship to Railiance platform responsibilities, +admission policy, pod security, image provenance, network segmentation, +and detection coverage. + +### T05 - Complete Secrets And Cryptography Patterns + +```task +id: NK-WP-0010-T5 +status: done +priority: high +state_hub_task_id: "622c3bbe-77a7-4049-b6f4-0cd1f54f3783" +``` + +Create or reconcile first-class artifacts for: + +- External Secrets Operator +- Sealed Secret / Encrypted Git Secret +- Short-lived Credentials +- Key-per-Tenant +- Certificate Automation + +Link these to OpenBao, secret-zero avoidance, dynamic secrets, STS +credential vending, credential bootstrap, tenant isolation, and +certificate lifecycle ownership. 
+ +### T06 - Complete Application And API Security Patterns + +```task +id: NK-WP-0010-T6 +status: done +priority: medium +state_hub_task_id: "e792f598-4dfc-4598-ba86-facd13cd8a12" +``` + +Create or reconcile first-class artifacts for: + +- API Gateway as Security Boundary +- Backend-for-Frontend +- Object-Level Authorization Check +- Schema-First API Security +- Idempotent Command API +- Secure File Upload Pipeline + +Ensure each artifact names where platform responsibility ends and +product/application responsibility begins. + +### T07 - Complete Supply-Chain Patterns + +```task +id: NK-WP-0010-T7 +status: done +priority: medium +state_hub_task_id: "a43b189a-d1b4-4692-94d7-9c7e140808ca" +``` + +Create or reconcile first-class artifacts for: + +- Protected Main Branch +- Dependency Update Bot +- SBOM-per-Release +- SLSA Build Provenance +- Signed Container Images +- Quarantined Build Runner + +Relate these to artifact-store, signed image admission, policy-as-code +admission, build provenance, SBOM storage, and release evidence. + +### T08 - Complete Detection And Response Patterns + +```task +id: NK-WP-0010-T8 +status: done +priority: medium +state_hub_task_id: "78a2d242-5a56-40a7-8499-ba7c72150700" +``` + +Create or reconcile first-class artifacts for: + +- Security Event Taxonomy +- Central Audit Ledger +- Tenant Audit Log View +- Incident Runbook Library +- Kill Switch / Tenant Freeze +- Token Revocation Sweep + +Retain the existing central audit ledger artifact and add explicit +patterns for event classification, tenant-visible projections, +response playbooks, containment, and credential revocation. 
+ +### T09 - Refresh Relationships, Indexes, And Reports + +```task +id: NK-WP-0010-T9 +status: done +priority: high +state_hub_task_id: "8ec9bc00-1f7b-4f34-b02e-33fdacda9da5" +``` + +Update the infospace manifest and narrative artifacts: + +- `artifacts/index.yaml` +- `artifacts/entities/security-architecture-pattern-catalog.md` +- `artifacts/relations/netkingdom-ownership-map.md` +- `artifacts/generated/security-pattern-index.md` +- `artifacts/generated/pattern-admission-review.md` +- `artifacts/generated/research-pattern-normalization.md` +- `reports/initial-security-pattern-report.md` + +The final graph must remain connected and acyclic. + +### T10 - Verify Completion And Feed NK-WP-0009 + +```task +id: NK-WP-0010-T10 +status: done +priority: medium +state_hub_task_id: "a5449bc6-8529-4350-822b-7c758bf790cb" +``` + +Run the infospace verification suite: + +- `.venv/bin/python -m infospace_bench validate infospaces/patterns-of-it-securita-architecture` +- `.venv/bin/python -m infospace_bench metrics infospaces/patterns-of-it-securita-architecture` +- `.venv/bin/python -m infospace_bench graph infospaces/patterns-of-it-securita-architecture --format mermaid` +- `.venv/bin/python -m pytest` + +Update State Hub progress, mark completed tasks, and add a handoff note +for NK-WP-0009 identifying which completed patterns should become +tutorials first. + +## Implementation Evidence + +Completed on 2026-05-19 in +`/home/worsch/infospace-bench/infospaces/patterns-of-it-securita-architecture`. + +- Promoted all 44 exact genesis pattern names into first-class pattern + artifacts or retained exact existing artifacts. +- Preserved the nine NetKingdom umbrella/canonical pattern artifacts + created by NK-WP-0008 and linked them to the exact seed patterns. +- Refreshed `artifacts/index.yaml`, the pattern catalog, ownership map, + security pattern index, admission review, normalization matrix, and + initial report. 
+- Verification passed: + - `.venv/bin/python -m infospace_bench validate infospaces/patterns-of-it-securita-architecture` + - `.venv/bin/python -m infospace_bench metrics infospaces/patterns-of-it-securita-architecture` + with snapshot `7bf35f3b`, 69 artifacts, one connected component, + zero cycles, coverage `1.0`, and viability passed. + - `.venv/bin/python -m infospace_bench graph infospaces/patterns-of-it-securita-architecture --format mermaid` + - `.venv/bin/python -m pytest` with 181 passed and 2 skipped. + +## Acceptance Criteria + +- Every exact pattern name from the genesis pattern catalogue is + discoverable as a first-class artifact or explicit alias in the + infospace. +- `research-pattern-normalization.md` shows no unaccounted seed + patterns. +- The manifest registers all pattern artifacts and relationships. +- The generated index and report identify canonical, draft, seed, and + promotion-candidate patterns. +- `infospace_bench validate` passes. +- `infospace_bench metrics` passes viability with one connected + component and zero consistency cycles. +- NK-WP-0009 has a clear tutorial-priority handoff from the completed + pattern library.
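Review bot: The Implementation Evidence section does not record the NK-WP-0009 handoff that T10 requires ("add a handoff note for NK-WP-0009 identifying which completed patterns should become tutorials first") or the State Hub progress update, yet the last acceptance criterion ("NK-WP-0009 has a clear tutorial-priority handoff from the completed pattern library") and `status: done` both depend on it; add a bullet under Implementation Evidence that names where the handoff note lives and which patterns it prioritizes, so the criterion is verifiable from this file. Separately, the absolute path `/home/worsch/infospace-bench/infospaces/patterns-of-it-securita-architecture` in the Goal and Implementation Evidence sections duplicates the front matter's `execution_repo: infospace-bench` plus `infospace_path: infospaces/patterns-of-it-securita-architecture` and will not resolve for other contributors; reference the repo-relative path instead, as the T10 verification commands already do.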