--- id: NK-WP-0008 type: workplan title: IT Security Architecture Patterns Infospace domain: netkingdom repo: net-kingdom status: proposed owner: codex topic_slug: netkingdom planning_priority: high planning_order: 8 created: 2026-05-17 updated: 2026-05-17 depends_on: - NK-WP-0006 state_hub_workstream_id: "053c6d96-9396-40c9-a2e5-c36531e7810d" --- # NK-WP-0008 - IT Security Architecture Patterns Infospace ## Goal Create a curated infospace of reusable IT security architecture patterns for NetKingdom-enabled infrastructures. The infospace should be a reference library of patterns, tradeoffs, threats, implementation variants, and canonical NetKingdom mappings. It should help us recognize patterns such as STS credential vending, workload identity, secret zero avoidance, break-glass access, delegated authorization, short-lived certificates, and policy-as-code before they become scattered repo-local folklore. ## Context The platform now spans identity, MFA, policy, SSH certificates, reverse tunnels, object storage, artifact storage, Kubernetes platform services, and secrets management. Several patterns repeat across repos: - key-cape and Keycloak implement OIDC identity contracts. - flex-auth implements policy-as-code authorization decisions. - ops-warden issues short-lived SSH certificates. - ops-bridge consumes short-lived SSH credentials and records actor attribution. - artifact-store consumes object storage and needs temporary S3 credential support. - Railiance platform services need a canonical secrets manager and object-storage integration. An infospace makes these repeatable architectural patterns explicit, searchable, comparable, and teachable. ## Scope In scope: - define a pattern document template - create an infospace directory under `docs/security-patterns/` - capture initial patterns and their NetKingdom mapping - record source references and current product/tool options - connect patterns to implementation repos and workplans - distinguish canonical patterns from experiments and anti-patterns Out of scope: - implementing every pattern - replacing ADRs - duplicating vendor documentation - writing full tutorials; tutorials are handled by NK-WP-0009 ## Tasks ```task id: NK-WP-0008-T1 status: todo priority: high state_hub_task_id: "d1b7213c-3315-49d2-90c9-efdf2bea3563" ``` Define the security-pattern infospace structure and template: problem, forces, applicability, threat model, canonical NetKingdom mapping, implementation variants, operational checks, audit hooks, anti-patterns, and references. ```task id: NK-WP-0008-T2 status: todo priority: high state_hub_task_id: "59966187-27f1-4b9c-9dfc-e59d11ff115c" ``` Create initial pattern entries for: STS credential vending, workload identity, secret zero avoidance, dynamic secrets, short-lived SSH certificates, delegated authorization, break-glass access, and policy-as-code. ```task id: NK-WP-0008-T3 status: todo priority: medium state_hub_task_id: "927c08a5-1a7e-4634-a514-0f562e286708" ``` Map each pattern to NetKingdom/Railiance repos and components: net-kingdom, key-cape, flex-auth, ops-warden, ops-bridge, railiance-platform, artifact-store, Keycloak, Authelia, LLDAP, privacyIDEA, OpenBao, Ceph RGW, and MinIO-compatible stores. ```task id: NK-WP-0008-T4 status: todo priority: medium state_hub_task_id: "884626ea-243e-4806-9267-77ef643158b7" ``` Create an index page with pattern status, maturity, owning repo, implementation links, and open decisions. ```task id: NK-WP-0008-T5 status: todo priority: medium state_hub_task_id: "d3b29f3d-0da5-43b5-a93a-d95fb8a0ceef" ``` Add review criteria for admitting new patterns: vendor neutrality, threat-model clarity, open-source/commercial implementation options, operability, auditability, and failure-mode behavior. ## Acceptance Criteria - `docs/security-patterns/` exists with a repeatable pattern template. - Initial high-value security patterns are documented in a consistent shape. - Each pattern names the canonical NetKingdom mapping and the repos that own implementation. - The infospace distinguishes patterns, tutorials, ADRs, and vendor docs.