coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d4adfa2c1b7b982a0cc2e0c09ffcd1c92e963ea4
net-kingdom/workplans/NK-WP-0008-it-security-architecture-patterns-infospace.md

4.1 KiB
Raw Blame History

id, type, title, domain, repo, status, owner, topic_slug, planning_priority, planning_order, created, updated, depends_on, state_hub_workstream_id
id type title domain repo status owner topic_slug planning_priority planning_order created updated depends_on state_hub_workstream_id
NK-WP-0008 workplan IT Security Architecture Patterns Infospace netkingdom net-kingdom proposed codex netkingdom high 8 2026-05-17 2026-05-17
NK-WP-0006
053c6d96-9396-40c9-a2e5-c36531e7810d

NK-WP-0008 - IT Security Architecture Patterns Infospace

Goal

Create a curated infospace of reusable IT security architecture patterns for NetKingdom-enabled infrastructures.

The infospace should be a reference library of patterns, tradeoffs, threats, implementation variants, and canonical NetKingdom mappings. It should help us recognize patterns such as STS credential vending, workload identity, secret zero avoidance, break-glass access, delegated authorization, short-lived certificates, and policy-as-code before they become scattered repo-local folklore.

Context

The platform now spans identity, MFA, policy, SSH certificates, reverse tunnels, object storage, artifact storage, Kubernetes platform services, and secrets management. Several patterns repeat across repos:

  • key-cape and Keycloak implement OIDC identity contracts.
  • flex-auth implements policy-as-code authorization decisions.
  • ops-warden issues short-lived SSH certificates.
  • ops-bridge consumes short-lived SSH credentials and records actor attribution.
  • artifact-store consumes object storage and needs temporary S3 credential support.
  • Railiance platform services need a canonical secrets manager and object-storage integration.

An infospace makes these repeatable architectural patterns explicit, searchable, comparable, and teachable.

Scope

In scope:

  • define a pattern document template
  • create an infospace directory under docs/security-patterns/
  • capture initial patterns and their NetKingdom mapping
  • record source references and current product/tool options
  • connect patterns to implementation repos and workplans
  • distinguish canonical patterns from experiments and anti-patterns

Out of scope:

  • implementing every pattern
  • replacing ADRs
  • duplicating vendor documentation
  • writing full tutorials; tutorials are handled by NK-WP-0009

Tasks

id: NK-WP-0008-T1
status: todo
priority: high
state_hub_task_id: "d1b7213c-3315-49d2-90c9-efdf2bea3563"

Define the security-pattern infospace structure and template: problem, forces, applicability, threat model, canonical NetKingdom mapping, implementation variants, operational checks, audit hooks, anti-patterns, and references.

id: NK-WP-0008-T2
status: todo
priority: high
state_hub_task_id: "59966187-27f1-4b9c-9dfc-e59d11ff115c"

Create initial pattern entries for: STS credential vending, workload identity, secret zero avoidance, dynamic secrets, short-lived SSH certificates, delegated authorization, break-glass access, and policy-as-code.

id: NK-WP-0008-T3
status: todo
priority: medium
state_hub_task_id: "927c08a5-1a7e-4634-a514-0f562e286708"

Map each pattern to NetKingdom/Railiance repos and components: net-kingdom, key-cape, flex-auth, ops-warden, ops-bridge, railiance-platform, artifact-store, Keycloak, Authelia, LLDAP, privacyIDEA, OpenBao, Ceph RGW, and MinIO-compatible stores.

id: NK-WP-0008-T4
status: todo
priority: medium
state_hub_task_id: "884626ea-243e-4806-9267-77ef643158b7"

Create an index page with pattern status, maturity, owning repo, implementation links, and open decisions.

id: NK-WP-0008-T5
status: todo
priority: medium
state_hub_task_id: "d3b29f3d-0da5-43b5-a93a-d95fb8a0ceef"

Add review criteria for admitting new patterns: vendor neutrality, threat-model clarity, open-source/commercial implementation options, operability, auditability, and failure-mode behavior.

Acceptance Criteria

  • docs/security-patterns/ exists with a repeatable pattern template.
  • Initial high-value security patterns are documented in a consistent shape.
  • Each pattern names the canonical NetKingdom mapping and the repos that own implementation.
  • The infospace distinguishes patterns, tutorials, ADRs, and vendor docs.
Reference in New Issue View Git Blame Copy Permalink