net-kingdom/workplans/NK-WP-0010-genesis-security-pattern-completion.md

id: NK-WP-0010
type: workplan
title: Genesis Security Pattern Completion
domain: netkingdom
repo: net-kingdom
status: done
owner: codex
topic_slug: netkingdom
planning_priority: medium
planning_order: 10
created: 2026-05-19
updated: 2026-05-19
depends_on: NK-WP-0008
unblocks: NK-WP-0009
execution_repo: infospace-bench
infospace_path: infospaces/patterns-of-it-securita-architecture
state_hub_workstream_id: f4faf8b4-ae57-40cf-a881-6fe66ca6ad74

NK-WP-0010 - Genesis Security Pattern Completion

Goal

Promote every security architecture and solution pattern explicitly named in /home/worsch/infospace-bench/infospaces/patterns-of-it-securita-architecture/genesis/InitialExploration.md into a first-class infospace artifact.

NK-WP-0008 created the infospace and populated the first NetKingdom pattern set. NK-WP-0010 closes the remaining catalogue gap: no pattern mentioned in the genesis research should remain only as prose inside the source note or as a candidate row in the normalization artifact.

Context

The genesis file names a broad security pattern catalogue across seven families:

  • identity and access
  • tenant isolation
  • Kubernetes and platform
  • secrets and cryptography
  • application/API security
  • supply chain
  • detection and response

NK-WP-0008 already created first-class artifacts for the NetKingdom initial pattern set, including STS credential vending, workload identity, secret zero avoidance, dynamic secrets, short-lived SSH certificates, delegated authorization, break-glass access, tenant isolation, central audit ledger, policy-as-code admission, supply-chain provenance, network default deny, object-level authorization, human/agent identity split, and tenant context propagation.

This workplan should complete the literal genesis coverage while keeping the distinction between:

  • an exact pattern named by the research seed
  • a NetKingdom canonical pattern
  • an umbrella pattern that groups several exact seed patterns
  • a future tutorial candidate for NK-WP-0009

Scope

In scope:

  • create or reconcile one first-class artifact for each exact pattern name in the genesis security architecture pattern catalogue
  • keep existing NK-WP-0008 pattern artifacts, adding aliases or related links instead of duplicating them where an exact seed pattern is already represented
  • update artifacts/index.yaml with source, catalogue, ownership, admission, readiness, index, and report relationships
  • update artifacts/generated/research-pattern-normalization.md so it becomes a completion map rather than a candidate-only map
  • update the generated index, report, and ownership map
  • preserve an acyclic, connected infospace graph

Out of scope:

  • writing tutorials; that remains NK-WP-0009
  • implementing platform services
  • resolving every open architecture decision in the pattern artifacts
  • replacing ADRs or vendor docs

Genesis Pattern Inventory

This workplan targets the exact pattern names in the genesis file:

| Family | Patterns |
| --- | --- |
| Identity and access | Central Identity Provider; Identity Broker; Tenant Membership Boundary; Role Composition; Policy Decision Point / Policy Enforcement Point; Time-boxed Privilege Elevation; Break-glass Access; Human/Agent Identity Split |
| Tenant isolation | Namespace-per-Tenant; Cluster-per-Tenant; Cell-based Architecture; Shared Control Plane, Isolated Data Plane; Tenant Context Propagation; Tenant Data Partitioning |
| Kubernetes and platform | Secure Cluster Baseline; Policy-as-Code Admission Control; Pod Security Baseline/Restricted; Network Default Deny; Signed Image Admission; GitOps with Guardrails; Runtime Threat Detection |
| Secrets and cryptography | External Secrets Operator; Sealed Secret / Encrypted Git Secret; Short-lived Credentials; Key-per-Tenant; Certificate Automation |
| Application/API security | API Gateway as Security Boundary; Backend-for-Frontend; Object-Level Authorization Check; Schema-First API Security; Idempotent Command API; Secure File Upload Pipeline |
| Supply chain | Protected Main Branch; Dependency Update Bot; SBOM-per-Release; SLSA Build Provenance; Signed Container Images; Quarantined Build Runner |
| Detection and response | Security Event Taxonomy; Central Audit Ledger; Tenant Audit Log View; Incident Runbook Library; Kill Switch / Tenant Freeze; Token Revocation Sweep |

Tasks

T01 - Reconcile The Genesis Inventory

id: NK-WP-0010-T1
status: done
priority: high
state_hub_task_id: "61160df5-7305-4a0f-a34d-2a763c29eab4"

Create a completion matrix from genesis/InitialExploration.md that lists every exact seed pattern, current artifact coverage, aliases, canonical NetKingdom mapping, owner, status, and whether a new artifact is needed.

Update artifacts/generated/research-pattern-normalization.md so it becomes the authoritative inventory for this workplan.

T02 - Complete Identity And Access Patterns

id: NK-WP-0010-T2
status: done
priority: high
state_hub_task_id: "dad43681-9404-47b8-b58c-39b7218c2542"

Create or reconcile first-class artifacts for:

  • Central Identity Provider
  • Identity Broker
  • Tenant Membership Boundary
  • Role Composition
  • Policy Decision Point / Policy Enforcement Point
  • Time-boxed Privilege Elevation
  • Break-glass Access
  • Human/Agent Identity Split

Existing break-glass and human/agent identity artifacts should be retained and enriched. The PDP/PEP artifact may reference the existing delegated authorization artifact, but the exact seed pattern must be discoverable as a first-class artifact or explicit alias.

T03 - Complete Tenant Isolation Patterns

id: NK-WP-0010-T3
status: done
priority: high
state_hub_task_id: "dee39f82-aa3a-4824-ba61-7fbdbd5c3d21"

Create or reconcile first-class artifacts for:

  • Namespace-per-Tenant
  • Cluster-per-Tenant
  • Cell-based Architecture
  • Shared Control Plane, Isolated Data Plane
  • Tenant Context Propagation
  • Tenant Data Partitioning

Ensure these link to the existing tenant isolation and tenant context propagation artifacts without flattening their different isolation strengths and failure modes.

T04 - Complete Kubernetes And Platform Patterns

id: NK-WP-0010-T4
status: done
priority: high
state_hub_task_id: "19def7b4-4f1a-45ad-b15b-6a56e675be41"

Create or reconcile first-class artifacts for:

  • Secure Cluster Baseline
  • Policy-as-Code Admission Control
  • Pod Security Baseline/Restricted
  • Network Default Deny
  • Signed Image Admission
  • GitOps with Guardrails
  • Runtime Threat Detection

Preserve the relationship to Railiance platform responsibilities, admission policy, pod security, image provenance, network segmentation, and detection coverage.

T05 - Complete Secrets And Cryptography Patterns

id: NK-WP-0010-T5
status: done
priority: high
state_hub_task_id: "622c3bbe-77a7-4049-b6f4-0cd1f54f3783"

Create or reconcile first-class artifacts for:

  • External Secrets Operator
  • Sealed Secret / Encrypted Git Secret
  • Short-lived Credentials
  • Key-per-Tenant
  • Certificate Automation

Link these to OpenBao, secret-zero avoidance, dynamic secrets, STS credential vending, credential bootstrap, tenant isolation, and certificate lifecycle ownership.

T06 - Complete Application And API Security Patterns

id: NK-WP-0010-T6
status: done
priority: medium
state_hub_task_id: "e792f598-4dfc-4598-ba86-facd13cd8a12"

Create or reconcile first-class artifacts for:

  • API Gateway as Security Boundary
  • Backend-for-Frontend
  • Object-Level Authorization Check
  • Schema-First API Security
  • Idempotent Command API
  • Secure File Upload Pipeline

Ensure each artifact names where platform responsibility ends and product/application responsibility begins.

T07 - Complete Supply-Chain Patterns

id: NK-WP-0010-T7
status: done
priority: medium
state_hub_task_id: "a43b189a-d1b4-4692-94d7-9c7e140808ca"

Create or reconcile first-class artifacts for:

  • Protected Main Branch
  • Dependency Update Bot
  • SBOM-per-Release
  • SLSA Build Provenance
  • Signed Container Images
  • Quarantined Build Runner

Relate these to artifact-store, signed image admission, policy-as-code admission, build provenance, SBOM storage, and release evidence.

T08 - Complete Detection And Response Patterns

id: NK-WP-0010-T8
status: done
priority: medium
state_hub_task_id: "78a2d242-5a56-40a7-8499-ba7c72150700"

Create or reconcile first-class artifacts for:

  • Security Event Taxonomy
  • Central Audit Ledger
  • Tenant Audit Log View
  • Incident Runbook Library
  • Kill Switch / Tenant Freeze
  • Token Revocation Sweep

Retain the existing central audit ledger artifact and add explicit patterns for event classification, tenant-visible projections, response playbooks, containment, and credential revocation.

T09 - Refresh Relationships, Indexes, And Reports

id: NK-WP-0010-T9
status: done
priority: high
state_hub_task_id: "8ec9bc00-1f7b-4f34-b02e-33fdacda9da5"

Update the infospace manifest and narrative artifacts:

  • artifacts/index.yaml
  • artifacts/entities/security-architecture-pattern-catalog.md
  • artifacts/relations/netkingdom-ownership-map.md
  • artifacts/generated/security-pattern-index.md
  • artifacts/generated/pattern-admission-review.md
  • artifacts/generated/research-pattern-normalization.md
  • reports/initial-security-pattern-report.md

The final graph must remain connected and acyclic.
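As an added example (not part of this workplan or of the infospace_bench tool), a Python check for the three invariants that T09 and the acceptance criteria name: every seed pattern discoverable as an artifact title or explicit alias, one connected component, and no directed cycle among the relationships. The manifest shape, artifact ids and relations below are constructed assumptions for the example, not the real artifacts/index.yaml schema.

```python
from collections import defaultdict
# Constructed miniature of an infospace manifest: artifact id -> (title, explicit aliases),
# plus directed relations. The real artifacts/index.yaml schema is not reproduced here.
ARTIFACTS = {
    "catalog": ("Pattern Catalog", []),
    "pattern/break-glass-access": ("Break-glass Access", []),
    "pattern/delegated-authorization": ("Delegated Authorization",
                                        ["Policy Decision Point / Policy Enforcement Point"]),
}
RELATIONS = [  # (from, relation type, to); every endpoint must be a registered artifact id
    ("catalog", "catalogue", "pattern/break-glass-access"),
    ("catalog", "catalogue", "pattern/delegated-authorization"),
]
SEED_PATTERNS = ["Break-glass Access", "Policy Decision Point / Policy Enforcement Point", "Cluster-per-Tenant"]

def uncovered_seeds(seeds, artifacts):
    """Seed names that are neither an artifact title nor an explicit alias."""
    known = {t for t, _ in artifacts.values()} | {a for _, al in artifacts.values() for a in al}
    return [s for s in seeds if s not in known]

def component_count(artifacts, relations):
    """Weakly connected components (direction ignored); a connected graph has exactly 1."""
    adj = defaultdict(set)
    for src, _rel, dst in relations:
        adj[src].add(dst)
        adj[dst].add(src)
    seen, count = set(), 0
    for node in artifacts:
        if node not in seen:
            count += 1
            stack = [node]
            while stack:
                cur = stack.pop()
                seen.add(cur)
                stack.extend(adj[cur] - seen)
    return count

def cyclic_nodes(artifacts, relations):
    """Nodes on or downstream of a directed cycle (Kahn's peeling); empty means the graph is a DAG."""
    out, indeg = defaultdict(list), {n: 0 for n in artifacts}
    for src, _rel, dst in relations:
        out[src].append(dst)
        indeg[dst] += 1
    ready = [n for n in artifacts if indeg[n] == 0]
    while ready:
        for dst in out[ready.pop()]:
            indeg[dst] -= 1
            if indeg[dst] == 0:
                ready.append(dst)
    return {n for n in artifacts if indeg[n] > 0}
```

With the constructed data, `uncovered_seeds` reports only Cluster-per-Tenant, the graph has one component and no cyclic nodes; an orphan artifact raises the component count, and a pair of mutual relations between two patterns shows up in `cyclic_nodes`.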

T10 - Verify Completion And Feed NK-WP-0009

id: NK-WP-0010-T10
status: done
priority: medium
state_hub_task_id: "a5449bc6-8529-4350-822b-7c758bf790cb"

Run the infospace verification suite:

  • .venv/bin/python -m infospace_bench validate infospaces/patterns-of-it-securita-architecture
  • .venv/bin/python -m infospace_bench metrics infospaces/patterns-of-it-securita-architecture
  • .venv/bin/python -m infospace_bench graph infospaces/patterns-of-it-securita-architecture --format mermaid
  • .venv/bin/python -m pytest

Update State Hub progress, mark completed tasks, and add a handoff note for NK-WP-0009 identifying which completed patterns should become tutorials first.

Implementation Evidence

Completed on 2026-05-19 in /home/worsch/infospace-bench/infospaces/patterns-of-it-securita-architecture.

  • Promoted all 44 exact genesis pattern names into first-class pattern artifacts or retained exact existing artifacts.
  • Preserved the nine NetKingdom umbrella/canonical pattern artifacts created by NK-WP-0008 and linked them to the exact seed patterns.
  • Refreshed artifacts/index.yaml, the pattern catalog, ownership map, security pattern index, admission review, normalization matrix, and initial report.
  • Verification passed:
    • .venv/bin/python -m infospace_bench validate infospaces/patterns-of-it-securita-architecture
    • .venv/bin/python -m infospace_bench metrics infospaces/patterns-of-it-securita-architecture with snapshot 7bf35f3b, 69 artifacts, one connected component, zero cycles, coverage 1.0, and viability passed.
    • .venv/bin/python -m infospace_bench graph infospaces/patterns-of-it-securita-architecture --format mermaid
    • .venv/bin/python -m pytest with 181 passed and 2 skipped.

Acceptance Criteria

  • Every exact pattern name from the genesis pattern catalogue is discoverable as a first-class artifact or explicit alias in the infospace.
  • research-pattern-normalization.md shows no unaccounted seed patterns.
  • The manifest registers all pattern artifacts and relationships.
  • The generated index and report identify canonical, draft, seed, and promotion-candidate patterns.
  • infospace_bench validate passes.
  • infospace_bench metrics passes viability with one connected component and zero consistency cycles.
  • NK-WP-0009 has a clear tutorial-priority handoff from the completed pattern library.