---
id: NK-WP-0010
type: workplan
title: Genesis Security Pattern Completion
domain: netkingdom
repo: net-kingdom
status: done
owner: codex
topic_slug: netkingdom
planning_priority: medium
planning_order: 10
created: 2026-05-19
updated: 2026-05-19
depends_on:
- NK-WP-0008
unblocks:
- NK-WP-0009
execution_repo: infospace-bench
infospace_path: infospaces/patterns-of-it-securita-architecture
state_hub_workstream_id: "f4faf8b4-ae57-40cf-a881-6fe66ca6ad74"
---
# NK-WP-0010 - Genesis Security Pattern Completion
## Goal
Promote every security architecture and solution pattern explicitly
named in
`/home/worsch/infospace-bench/infospaces/patterns-of-it-securita-architecture/genesis/InitialExploration.md`
into a first-class infospace artifact.
NK-WP-0008 created the infospace and populated the first NetKingdom
pattern set. NK-WP-0010 closes the remaining catalogue gap: no pattern
mentioned in the genesis research should remain only as prose inside the
source note or as a candidate row in the normalization artifact.
## Context
The genesis file names a broad security pattern catalogue across seven
families:
- identity and access
- tenant isolation
- Kubernetes and platform
- secrets and cryptography
- application/API security
- supply chain
- detection and response
NK-WP-0008 already created first-class artifacts for the NetKingdom
initial pattern set, including STS credential vending, workload
identity, secret zero avoidance, dynamic secrets, short-lived SSH
certificates, delegated authorization, break-glass access, tenant
isolation, central audit ledger, policy-as-code admission, supply-chain
provenance, network default deny, object-level authorization,
human/agent identity split, and tenant context propagation.
This workplan should complete the literal genesis coverage while keeping
the distinction between:
- an exact pattern named by the research seed
- a NetKingdom canonical pattern
- an umbrella pattern that groups several exact seed patterns
- a future tutorial candidate for NK-WP-0009
## Scope
In scope:
- create or reconcile one first-class artifact for each exact pattern
name in the genesis security architecture pattern catalogue
- keep existing NK-WP-0008 pattern artifacts, adding aliases or related
links instead of duplicating them where an exact seed pattern is
already represented
- update `artifacts/index.yaml` with source, catalogue, ownership,
admission, readiness, index, and report relationships
- update `artifacts/generated/research-pattern-normalization.md` so it
becomes a completion map rather than a candidate-only map
- update the generated index, report, and ownership map
- preserve an acyclic, connected infospace graph
Out of scope:
- writing tutorials; that remains NK-WP-0009
- implementing platform services
- resolving every open architecture decision in the pattern artifacts
- replacing ADRs or vendor docs
## Genesis Pattern Inventory
This workplan targets the exact pattern names in the genesis file:
| Family | Patterns |
| --- | --- |
| Identity and access | Central Identity Provider; Identity Broker; Tenant Membership Boundary; Role Composition; Policy Decision Point / Policy Enforcement Point; Time-boxed Privilege Elevation; Break-glass Access; Human/Agent Identity Split |
| Tenant isolation | Namespace-per-Tenant; Cluster-per-Tenant; Cell-based Architecture; Shared Control Plane, Isolated Data Plane; Tenant Context Propagation; Tenant Data Partitioning |
| Kubernetes and platform | Secure Cluster Baseline; Policy-as-Code Admission Control; Pod Security Baseline/Restricted; Network Default Deny; Signed Image Admission; GitOps with Guardrails; Runtime Threat Detection |
| Secrets and cryptography | External Secrets Operator; Sealed Secret / Encrypted Git Secret; Short-lived Credentials; Key-per-Tenant; Certificate Automation |
| Application/API security | API Gateway as Security Boundary; Backend-for-Frontend; Object-Level Authorization Check; Schema-First API Security; Idempotent Command API; Secure File Upload Pipeline |
| Supply chain | Protected Main Branch; Dependency Update Bot; SBOM-per-Release; SLSA Build Provenance; Signed Container Images; Quarantined Build Runner |
| Detection and response | Security Event Taxonomy; Central Audit Ledger; Tenant Audit Log View; Incident Runbook Library; Kill Switch / Tenant Freeze; Token Revocation Sweep |
## Tasks
### T01 - Reconcile The Genesis Inventory
```task
id: NK-WP-0010-T1
status: done
priority: high
state_hub_task_id: "61160df5-7305-4a0f-a34d-2a763c29eab4"
```
Create a completion matrix from `genesis/InitialExploration.md` that
lists every exact seed pattern, current artifact coverage, aliases,
canonical NetKingdom mapping, owner, status, and whether a new artifact
is needed.
Update `artifacts/generated/research-pattern-normalization.md` so it
becomes the authoritative inventory for this workplan.
### T02 - Complete Identity And Access Patterns
```task
id: NK-WP-0010-T2
status: done
priority: high
state_hub_task_id: "dad43681-9404-47b8-b58c-39b7218c2542"
```
Create or reconcile first-class artifacts for:
- Central Identity Provider
- Identity Broker
- Tenant Membership Boundary
- Role Composition
- Policy Decision Point / Policy Enforcement Point
- Time-boxed Privilege Elevation
- Break-glass Access
- Human/Agent Identity Split
Existing break-glass and human/agent identity artifacts should be
retained and enriched. The PDP/PEP artifact may reference the existing
delegated authorization artifact, but the exact seed pattern must be
discoverable as a first-class artifact or explicit alias.
### T03 - Complete Tenant Isolation Patterns
```task
id: NK-WP-0010-T3
status: done
priority: high
state_hub_task_id: "dee39f82-aa3a-4824-ba61-7fbdbd5c3d21"
```
Create or reconcile first-class artifacts for:
- Namespace-per-Tenant
- Cluster-per-Tenant
- Cell-based Architecture
- Shared Control Plane, Isolated Data Plane
- Tenant Context Propagation
- Tenant Data Partitioning
Ensure these link to the existing tenant isolation and tenant context
propagation artifacts without flattening their different isolation
strengths and failure modes.
### T04 - Complete Kubernetes And Platform Patterns
```task
id: NK-WP-0010-T4
status: done
priority: high
state_hub_task_id: "19def7b4-4f1a-45ad-b15b-6a56e675be41"
```
Create or reconcile first-class artifacts for:
- Secure Cluster Baseline
- Policy-as-Code Admission Control
- Pod Security Baseline/Restricted
- Network Default Deny
- Signed Image Admission
- GitOps with Guardrails
- Runtime Threat Detection
Preserve the relationship to Railiance platform responsibilities,
admission policy, pod security, image provenance, network segmentation,
and detection coverage.
### T05 - Complete Secrets And Cryptography Patterns
```task
id: NK-WP-0010-T5
status: done
priority: high
state_hub_task_id: "622c3bbe-77a7-4049-b6f4-0cd1f54f3783"
```
Create or reconcile first-class artifacts for:
- External Secrets Operator
- Sealed Secret / Encrypted Git Secret
- Short-lived Credentials
- Key-per-Tenant
- Certificate Automation
Link these to OpenBao, secret-zero avoidance, dynamic secrets, STS
credential vending, credential bootstrap, tenant isolation, and
certificate lifecycle ownership.
### T06 - Complete Application And API Security Patterns
```task
id: NK-WP-0010-T6
status: done
priority: medium
state_hub_task_id: "e792f598-4dfc-4598-ba86-facd13cd8a12"
```
Create or reconcile first-class artifacts for:
- API Gateway as Security Boundary
- Backend-for-Frontend
- Object-Level Authorization Check
- Schema-First API Security
- Idempotent Command API
- Secure File Upload Pipeline
Ensure each artifact names where platform responsibility ends and
product/application responsibility begins.
### T07 - Complete Supply-Chain Patterns
```task
id: NK-WP-0010-T7
status: done
priority: medium
state_hub_task_id: "a43b189a-d1b4-4692-94d7-9c7e140808ca"
```
Create or reconcile first-class artifacts for:
- Protected Main Branch
- Dependency Update Bot
- SBOM-per-Release
- SLSA Build Provenance
- Signed Container Images
- Quarantined Build Runner
Relate these to artifact-store, signed image admission, policy-as-code
admission, build provenance, SBOM storage, and release evidence.
### T08 - Complete Detection And Response Patterns
```task
id: NK-WP-0010-T8
status: done
priority: medium
state_hub_task_id: "78a2d242-5a56-40a7-8499-ba7c72150700"
```
Create or reconcile first-class artifacts for:
- Security Event Taxonomy
- Central Audit Ledger
- Tenant Audit Log View
- Incident Runbook Library
- Kill Switch / Tenant Freeze
- Token Revocation Sweep
Retain the existing central audit ledger artifact and add explicit
patterns for event classification, tenant-visible projections,
response playbooks, containment, and credential revocation.
### T09 - Refresh Relationships, Indexes, And Reports
```task
id: NK-WP-0010-T9
status: done
priority: high
state_hub_task_id: "8ec9bc00-1f7b-4f34-b02e-33fdacda9da5"
```
Update the infospace manifest and narrative artifacts:
- `artifacts/index.yaml`
- `artifacts/entities/security-architecture-pattern-catalog.md`
- `artifacts/relations/netkingdom-ownership-map.md`
- `artifacts/generated/security-pattern-index.md`
- `artifacts/generated/pattern-admission-review.md`
- `artifacts/generated/research-pattern-normalization.md`
- `reports/initial-security-pattern-report.md`
The final graph must remain connected and acyclic.
### T10 - Verify Completion And Feed NK-WP-0009
```task
id: NK-WP-0010-T10
status: done
priority: medium
state_hub_task_id: "a5449bc6-8529-4350-822b-7c758bf790cb"
```
Run the infospace verification suite:
- `.venv/bin/python -m infospace_bench validate infospaces/patterns-of-it-securita-architecture`
- `.venv/bin/python -m infospace_bench metrics infospaces/patterns-of-it-securita-architecture`
- `.venv/bin/python -m infospace_bench graph infospaces/patterns-of-it-securita-architecture --format mermaid`
- `.venv/bin/python -m pytest`
Update State Hub progress, mark completed tasks, and add a handoff note
for NK-WP-0009 identifying which completed patterns should become
tutorials first.
## Implementation Evidence
Completed on 2026-05-19 in
`/home/worsch/infospace-bench/infospaces/patterns-of-it-securita-architecture`.
- Promoted all 44 exact genesis pattern names into first-class pattern
artifacts or retained exact existing artifacts.
- Preserved the nine NetKingdom umbrella/canonical pattern artifacts
created by NK-WP-0008 and linked them to the exact seed patterns.
- Refreshed `artifacts/index.yaml`, the pattern catalog, ownership map,
security pattern index, admission review, normalization matrix, and
initial report.
- Verification passed:
  - `.venv/bin/python -m infospace_bench validate infospaces/patterns-of-it-securita-architecture`
  - `.venv/bin/python -m infospace_bench metrics infospaces/patterns-of-it-securita-architecture`
    with snapshot `7bf35f3b`, 69 artifacts, one connected component,
    zero cycles, coverage `1.0`, and viability passed.
  - `.venv/bin/python -m infospace_bench graph infospaces/patterns-of-it-securita-architecture --format mermaid`
  - `.venv/bin/python -m pytest` with 181 passed and 2 skipped.
## Acceptance Criteria
- Every exact pattern name from the genesis pattern catalogue is
discoverable as a first-class artifact or explicit alias in the
infospace.
- `research-pattern-normalization.md` shows no unaccounted seed
patterns.
- The manifest registers all pattern artifacts and relationships.
- The generated index and report identify canonical, draft, seed, and
promotion-candidate patterns.
- `infospace_bench validate` passes.
- `infospace_bench metrics` passes viability with one connected
component and zero consistency cycles.
- NK-WP-0009 has a clear tutorial-priority handoff from the completed
pattern library.