--- id: capability.security.iam-tooling-suite name: NetKingdom Security/IAM Tooling Suite summary: Dynamic, self-optimizing security platform for Kubernetes-deployed IT infrastructure; owns canonical IAM/security standards and executable conformance tooling (IAM profile conformance, playbook capability contract validation, security bootstrap console). owner: net-kingdom status: draft domain: infotech tags: - security - iam - kubernetes - conformance maturity: discovery: current: D3 target: D5 confidence: medium rationale: README plus docs/secrets-engine-security-infrastructure-boundary.md describe an explicit integration boundary with OpenBao, flex-auth, user-engine, ops-warden, ops-bridge, info-tech-canon, and State Hub; canon/standards/ holds versioned standards (iam-profile_v0.2.md, playbook-capability-contract_v0.1.md) that key-cape and other repos implement against. availability: current: A2 target: A3 confidence: medium rationale: 'No top-level package manifest, but tools/ holds three real, independently documented and runnable tools: iam-profile-conformance (executable checks, pytest fixtures), playbook-capability-contract (executable validator), and security-bootstrap-console (local console + localhost web UI).' external_evidence: completeness: level: C1 confidence: low basis: scope_vs_intent_and_consumer_expectations satisfied_expectations: - versioned canon standards already implemented by a sibling repo (key-cape) - three documented, runnable conformance/bootstrap tools under tools/ broken_expectations: [] out_of_scope_expectations: [] reliability: level: R1 confidence: low basis: consumer_quality_signals known_reliability_risks: - no top-level packaging; each tool under tools/ has its own runtime dependencies, no unified install path yet discovery: intent: Own the canonical IAM/security standards for the Coulomb ecosystem and provide executable conformance tooling so implementers (like key-cape) can verify against the standard rather than guessing. includes: - canon/standards/ versioned IAM and playbook-capability-contract standards - IAM profile conformance checker - playbook capability contract validator - security bootstrap console (local, non-secret-collecting) excludes: - concrete IAM implementations themselves (see key-cape for lightweight mode) - live secret value handling (bootstrap console explicitly refuses live OpenBao initialization) assumptions: [] use_cases: [] research_memos: [] availability: current_level: A2 target_level: A3 current_artifacts: - tools/iam-profile-conformance - tools/playbook-capability-contract - tools/security-bootstrap-console target_artifacts: [] consumption_modes: - cli - local web ui relations: depends_on: [] supports: [] related_to: [] evidence: documentation: - README.md - docs/secrets-engine-security-infrastructure-boundary.md - tools/*/README.md tests: - tools/iam-profile-conformance (pytest fixtures) consumer_feedback: [] bug_reports: [] incidents: [] consumer_guidance: recommended_for: - implementers needing to verify IAM/security conformance against Coulomb's canonical standards not_recommended_for: - needs for a packaged, single-install security suite (currently three separate tools) known_limitations: - no unified top-level packaging across the three tools promotion_history: [] --- # NetKingdom Security/IAM Tooling Suite ## Overview `net-kingdom` provides a dynamic, self-optimizing security platform for Kubernetes-deployed infrastructure. It owns the canonical IAM and security standards (implemented by sibling repos like `key-cape`) and ships three executable conformance/bootstrap tools under `tools/`: IAM profile conformance checks, a playbook capability contract validator, and a non-secret-collecting security bootstrap console. ## Assessment notes ### Discovery README plus docs/secrets-engine-security-infrastructure-boundary.md describe an explicit integration boundary with OpenBao, flex-auth, user-engine, ops-warden, ops-bridge, info-tech-canon, and State Hub; canon/standards/ holds versioned standards (iam-profile_v0.2.md, playbook-capability-contract_v0.1.md) that key-cape and other repos implement against. ### Availability No top-level package manifest, but tools/ holds three real, independently documented and runnable tools: iam-profile-conformance (executable checks, pytest fixtures), playbook-capability-contract (executable validator), and security-bootstrap-console (local console + localhost web UI). ### Completeness First-pass honest assessment from the REUSE-WP-0017 coverage campaign (reuse-surface). No external consumer feedback exists yet; levels reflect scope-vs-intent documentation quality, not internal code quality. ### Reliability No production consumer telemetry exists yet; reliability level is intentionally conservative pending REUSE-WP-0019 reuse-telemetry evidence. ## Promotion checklist - [x] ID follows `capability..` pattern - [x] Maturity enums match `specs/CapabilityMaturityStandard.md` - [x] `external_evidence` is populated separately from `maturity` - [ ] Relations reference valid capability IDs (none yet) - [x] Index entry added in `registry/indexes/capabilities.yaml`