net-kingdom/INTENT.md

INTENT

This file captures why this repository exists, the direction it is moving toward, and the kind of system it is meant to become. It is intentionally aspirational and stable, not a description of current implementation.

---

One-liner

Open security core for DevSecOps on Kubernetes — designed to bootstrap, evolve, and continuously adapt security in an agent-driven world.

---

Why This Exists

Modern IT is entering a phase where automation and agentic systems dramatically accelerate both capability and risk.

Security is no longer a static perimeter problem — it is:

• dynamic,
• adversarial,
• continuously evolving.

The result is a Cambrian explosion of vulnerabilities and countermeasures, driven by:

• AI-powered development,
• autonomous agents,
• rapidly shifting infrastructure states.

Traditional security approaches fail because they are:

• too static,
• too centralized,
• too slow to adapt.

NetKingdom exists to establish a foundational security core that is:

• dynamic by design
• bootstrappable from minimal environments
• grounded in open, inspectable components
• capable of evolving alongside the systems it protects

---

Why "NetKingdom"

The name is a deliberate metaphor, and a useful one: a kingdom is a governed, defended, living territory that grows over time and is tended by its people. NetKingdom is the same for an IT landscape:

• Governed — identity is the control plane; who may do what, under which conditions, is the law of the land.
• Defended — security is the spine the whole territory is built on, not a wall added afterward.
• Living and evolving — the landscapes NetKingdom stands up are not set once and frozen. They grow capability by capability and adapt as the systems and threats around them change. "NetKingdom" names this dynamic evolvement of the infrastructure as much as its initial setup.
• Tended by its people — a kingdom that runs well is maintained continuously. NetKingdom's "people" are kaizen agents (see Operating Model below): hired to attend to the recurring duties that keep the kingdom healthy and to carry out improvements and changes.

---

The Mission

Where we are going.

NetKingdom aims to become a:

Dynamic, self-optimizing, full-circle security platform for Kubernetes-based infrastructure

This means:

• Security is continuously adapting, not periodically configured
• Identity, access, and secrets form a coherent control loop
• The system can start small (bootstrap) and grow into enterprise-grade security
• You select the capabilities you need, and NetKingdom places and orchestrates the right components to turn-key readiness — bringing an IT landscape up safely and iteratively, like building a house to handover condition
• Security decisions become observable, testable, and evolvable

---

Core Principles

1. Bootstrap First

Security must work before the platform is complete.

A minimal, local, and controllable identity and trust layer is essential to:

• start systems safely
• evolve them incrementally

---

2. Identity is the Control Plane

Security is fundamentally about who can do what, under which conditions.

NetKingdom treats identity as:

• the primary abstraction layer
• the integration contract across systems (e.g. IAM Profile)

---

3. Open & Replaceable Core

Every component should be:

• based on open standards
• replaceable without breaking the system
• observable and verifiable

No hidden black boxes at the foundation.

---

4. Progressive, Capability-Driven Expansion

Security evolves by adding capabilities, not by rebuilding. The path runs from bootstrap identity, through lightweight SSO and 2FA, runtime secrets and fine-grained authorization, up to enterprise federation SSO — but each step is taken because a capability is needed, never because of user count. Footprint and cost follow the capability choice; they do not drive it.

Each tier must:

• be usable on its own — you get value at every tier, not only at the top
• transition without structural breaks — because every tier targets the same IAM Profile contract, adding 2FA, secrets, authorization, or federation extends the system rather than replacing it

The concrete capability ladder (C0–C6) lives in docs/platform-identity-security-architecture.md → Capability Progression.

---

5. Self-Optimization over Static Configuration

The system should:

• learn from usage
• adapt policies
• surface inconsistencies

Security becomes a feedback system, not a rule set.

---

6. Minimize Threat Exposure by Design

Instead of reacting to threats:

• reduce attack surface early
• constrain capabilities intentionally
• enforce least privilege from the start

---

7. Meta-Orchestration over Re-Implementation

NetKingdom does not re-implement deployment mechanics. Execution lives in Railiance playbooks — parametrized, scenario-specific, with sensible defaults. NetKingdom performs meta-orchestration:

• select the services and playbooks a scenario requires
• parametrize them where tuning is warranted; otherwise trust defaults
• hold the responsibility map — which element (a Railiance layer, an external provider, a tenant-owned piece) owns what across the landscape

NetKingdom is the architect and conductor; Railiance is the contractor and the instrument. (See ADR-0007 → Meta-Orchestration Layer.)

---

Operating Model — A Kingdom Run by Kaizen Agents

Once a reasonable setup is established, the kingdom is not left to run itself by accident. It is staffed. NetKingdom adopts a kaizen-agentic operating model: specialized agents are "hired" and assigned to the work the kingdom needs done on an ongoing basis —

• Recurring duties that keep the kingdom healthy: readiness checks, rotation, audit review, drift detection, backup/restore drills, consistency reconciliation.
• Change and improvement work, where agents matter even more: introducing a new capability tier, onboarding a tenant, refining policy, remediating findings — each carried out as inspectable, repeatable work.

This is the human-and-agent embodiment of Self-Optimization (Principle 5): the kingdom continuously improves because it has a workforce attending to it, not because a static configuration happens to hold.

---

What This Is (Conceptually)

NetKingdom is:

• a security control core
• a reference architecture
• a bootstrap path from zero → production-grade security
• a capability-selectable, turn-key orchestrator for identity, authentication, and authorization — it places the right components and brings them to ready-to-run state, then grows tier by tier
• a contract layer for identity and trust
• a foundation for agent-aware security systems

This is the larger ambition: an IT-security framework that builds IT landscapes safely and iteratively from scratch — you choose how far up the capability ladder you need to go, and the system gets you there without structural breaks.

---

What This Is Not

NetKingdom is not:

• a full infrastructure platform
• an application framework
• a monolithic security product
• a closed ecosystem

It is the security spine that other systems attach to.

---

Direction of Evolution

NetKingdom is expected to evolve toward:

• Agent-aware security orchestration
• A standing workforce of kaizen agents tending the kingdom's recurring duties and driving its improvements
• Meta-orchestrated, turn-key landscapes composed from Railiance playbooks per scenario
• Policy as code with feedback loops
• Tight integration with DevSecOps workflows
• Autonomous detection and mitigation patterns
• Security as a continuously optimized system

---

Guiding Question

How can security become a system that improves itself while remaining fully observable, controllable, and grounded in open primitives?