generated from coulomb/repo-seed
Honest first-pass maturity vector grounded in README/docs/tests present in this repo; no invented evidence. Flagged for human review before publish. See reuse-surface history/2026-07-06-coverage-classification.md. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
131 lines
5.3 KiB
Markdown
131 lines
5.3 KiB
Markdown
---
|
|
id: capability.security.iam-tooling-suite
|
|
name: NetKingdom Security/IAM Tooling Suite
|
|
summary: Dynamic, self-optimizing security platform for Kubernetes-deployed IT infrastructure; owns canonical
|
|
IAM/security standards and executable conformance tooling (IAM profile conformance, playbook capability
|
|
contract validation, security bootstrap console).
|
|
owner: net-kingdom
|
|
status: draft
|
|
domain: infotech
|
|
tags:
|
|
- security
|
|
- iam
|
|
- kubernetes
|
|
- conformance
|
|
maturity:
|
|
discovery:
|
|
current: D3
|
|
target: D5
|
|
confidence: medium
|
|
rationale: README plus docs/secrets-engine-security-infrastructure-boundary.md describe an explicit
|
|
integration boundary with OpenBao, flex-auth, user-engine, ops-warden, ops-bridge, info-tech-canon,
|
|
and State Hub; canon/standards/ holds versioned standards (iam-profile_v0.2.md, playbook-capability-contract_v0.1.md)
|
|
that key-cape and other repos implement against.
|
|
availability:
|
|
current: A2
|
|
target: A3
|
|
confidence: medium
|
|
rationale: 'No top-level package manifest, but tools/ holds three real, independently documented and
|
|
runnable tools: iam-profile-conformance (executable checks, pytest fixtures), playbook-capability-contract
|
|
(executable validator), and security-bootstrap-console (local console + localhost web UI).'
|
|
external_evidence:
|
|
completeness:
|
|
level: C1
|
|
confidence: low
|
|
basis: scope_vs_intent_and_consumer_expectations
|
|
satisfied_expectations:
|
|
- versioned canon standards already implemented by a sibling repo (key-cape)
|
|
- three documented, runnable conformance/bootstrap tools under tools/
|
|
broken_expectations: []
|
|
out_of_scope_expectations: []
|
|
reliability:
|
|
level: R1
|
|
confidence: low
|
|
basis: consumer_quality_signals
|
|
known_reliability_risks:
|
|
- no top-level packaging; each tool under tools/ has its own runtime dependencies, no unified install
|
|
path yet
|
|
discovery:
|
|
intent: Own the canonical IAM/security standards for the Coulomb ecosystem and provide executable conformance
|
|
tooling so implementers (like key-cape) can verify against the standard rather than guessing.
|
|
includes:
|
|
- canon/standards/ versioned IAM and playbook-capability-contract standards
|
|
- IAM profile conformance checker
|
|
- playbook capability contract validator
|
|
- security bootstrap console (local, non-secret-collecting)
|
|
excludes:
|
|
- concrete IAM implementations themselves (see key-cape for lightweight mode)
|
|
- live secret value handling (bootstrap console explicitly refuses live OpenBao initialization)
|
|
assumptions: []
|
|
use_cases: []
|
|
research_memos: []
|
|
availability:
|
|
current_level: A2
|
|
target_level: A3
|
|
current_artifacts:
|
|
- tools/iam-profile-conformance
|
|
- tools/playbook-capability-contract
|
|
- tools/security-bootstrap-console
|
|
target_artifacts: []
|
|
consumption_modes:
|
|
- cli
|
|
- local web ui
|
|
relations:
|
|
depends_on: []
|
|
supports: []
|
|
related_to: []
|
|
evidence:
|
|
documentation:
|
|
- README.md
|
|
- docs/secrets-engine-security-infrastructure-boundary.md
|
|
- tools/*/README.md
|
|
tests:
|
|
- tools/iam-profile-conformance (pytest fixtures)
|
|
consumer_feedback: []
|
|
bug_reports: []
|
|
incidents: []
|
|
consumer_guidance:
|
|
recommended_for:
|
|
- implementers needing to verify IAM/security conformance against Coulomb's canonical standards
|
|
not_recommended_for:
|
|
- needs for a packaged, single-install security suite (currently three separate tools)
|
|
known_limitations:
|
|
- no unified top-level packaging across the three tools
|
|
promotion_history: []
|
|
---
|
|
|
|
# NetKingdom Security/IAM Tooling Suite
|
|
|
|
## Overview
|
|
|
|
`net-kingdom` provides a dynamic, self-optimizing security platform for Kubernetes-deployed infrastructure. It owns the canonical IAM and security standards (implemented by sibling repos like `key-cape`) and ships three executable conformance/bootstrap tools under `tools/`: IAM profile conformance checks, a playbook capability contract validator, and a non-secret-collecting security bootstrap console.
|
|
|
|
## Assessment notes
|
|
|
|
### Discovery
|
|
|
|
README plus docs/secrets-engine-security-infrastructure-boundary.md describe an explicit integration boundary with OpenBao, flex-auth, user-engine, ops-warden, ops-bridge, info-tech-canon, and State Hub; canon/standards/ holds versioned standards (iam-profile_v0.2.md, playbook-capability-contract_v0.1.md) that key-cape and other repos implement against.
|
|
|
|
### Availability
|
|
|
|
No top-level package manifest, but tools/ holds three real, independently documented and runnable tools: iam-profile-conformance (executable checks, pytest fixtures), playbook-capability-contract (executable validator), and security-bootstrap-console (local console + localhost web UI).
|
|
|
|
### Completeness
|
|
|
|
First-pass honest assessment from the REUSE-WP-0017 coverage campaign
|
|
(reuse-surface). No external consumer feedback exists yet; levels reflect
|
|
scope-vs-intent documentation quality, not internal code quality.
|
|
|
|
### Reliability
|
|
|
|
No production consumer telemetry exists yet; reliability level is
|
|
intentionally conservative pending REUSE-WP-0019 reuse-telemetry evidence.
|
|
|
|
## Promotion checklist
|
|
|
|
- [x] ID follows `capability.<domain>.<name>` pattern
|
|
- [x] Maturity enums match `specs/CapabilityMaturityStandard.md`
|
|
- [x] `external_evidence` is populated separately from `maturity`
|
|
- [ ] Relations reference valid capability IDs (none yet)
|
|
- [x] Index entry added in `registry/indexes/capabilities.yaml`
|