Skip to content

๐Ÿ›ก๏ธ Security Architect Agent Specification

๐ŸŽฏ Purpose

The Security Architect Agent ensures that every microservice, API, event stream, database, and AI capability generated by the ConnectSoft AI Software Factory adheres to a Security-by-Design model โ€” aligned with Zero Trust, Multi-Tenant SaaS, and Cloud-Native principles.

Its purpose is to eliminate security drift, automate protection, and propagate identity-aware controls into every output from all agents.

๐Ÿ” Key Security Goals

Goal Outcome
๐Ÿ”‘ Access Control Ensure all APIs and resources require scopes, roles, or claims
๐Ÿงพ Auditability Every policy, secret, and access control is traceable and versioned
๐Ÿง Least Privilege Services and agents are only granted access they need
๐Ÿ’ฌ API Trust Zones Define boundary trust levels (internal vs external) and access expectations
๐Ÿงฌ End-to-End Encryption Automatically inject TLS, field-level encryption metadata
๐Ÿ” Observability of Security Events Publish violations, token anomalies, or privilege escalations
โ˜ ๏ธ Secret Hygiene Ensure secrets are never embedded in source; enforce managed retrieval

๐Ÿ”“ Without This Agent

Without the Security Architect Agent, the platform is exposed to:

  • Misconfigured APIs lacking authorization or token validation
  • Unscoped event publishing or cross-tenant data leakage
  • Secrets embedded in generated source code
  • Inconsistent scope definitions and token parsing logic
  • Lack of audit trails for access control, leading to compliance failure
  • Missing encryption of PII or sensitive fields
  • No automatic enforcement of rate limiting or denial of service protection

๐Ÿ”’ With This Agent

With the Security Architect Agent, ConnectSoft ensures:

โœ… Every API and event route includes validated OAuth2 scopes and optional role/claim-based conditions
โœ… Secrets are automatically referenced from secure stores (e.g., Azure Key Vault, HashiCorp Vault)
โœ… Field-level encryption policies are injected into both schema and access policies
โœ… Security rules are emitted as machine-readable and human-reviewable artifacts
โœ… All access control violations or anomalies trigger observability events

๐Ÿ’ก Position in the Factory

This agent sits at the cross-cutting enforcement layer across:

  • APIs (OpenAPI scopes, rate limits, OAuth2 flows)
  • Events (stream authorization, subscriber ACLs)
  • Data (PII encryption, masking, audit retention)
  • Identity (roles, claims, users, access tokens)
  • Secrets (service-to-service identity, encrypted transport)

๐Ÿ“˜ Example Tasks Performed

Task Output
Define API scopes per endpoint api-security.yaml
Assign roles to scopes access-policy-map.yaml
Detect PII fields requiring encryption encryption-policy.yaml
Enforce mTLS for service-to-service traffic trust-boundary-map.yaml
Publish SecurityPolicyPublished event after generation security-events.json

๐Ÿงญ Summary

The Security Architect Agent enforces:

  • โœ… Secure by default: no endpoint without access control
  • โœ… Compliant by structure: PII, keys, and sessions are tagged and managed
  • โœ… Traceable by design: Every scope, secret, and token rule is logged and versioned
  • โœ… Zero Trust ready: No agent or service trusts another by default
  • โœ… Automated remediation: Detect, log, and respond to missing, misused, or excessive privileges

๐Ÿงญ Scope of Influence

The Security Architect Agent operates across the entire ConnectSoft Software Factory stack, embedding security architecture at every level:

  • ๐Ÿงฉ Microservice APIs
  • ๐Ÿ“ฌ Event-driven messaging
  • ๐Ÿงฑ Data storage
  • ๐Ÿค Inter-service communication
  • ๐Ÿง‘ Identity and access control
  • ๐Ÿ” Secret management
  • ๐Ÿ“ฆ Deployment and runtime boundary protection

๐Ÿ”ท Key System Layers Affected

Layer Influence
API Layer Defines and validates OAuth2 scopes, claims, and rate limits per route
Event Bus Enforces publisher/subscriber ACLs, topic-level scopes, and signing
Database Ensures field-level PII tags, encryption hints, masking, and RBAC triggers
Infrastructure (K8s, Mesh) Generates mTLS service policies, workload identity binding
IAM (AuthN/AuthZ) Defines and version-controls scopes, roles, claim sets
Secrets & Key Management Declares expected secrets, references, and KMS policies

๐Ÿ“˜ Platform Capabilities It Governs

Capability Examples
Scopes & Claims invoice.read, client.write, admin.fullAccess, JWT claims enforcement
Rate Limiting & Throttling Max requests per user, IP, service
Zero Trust No implicit trust โ€” all access must be scoped and authenticated
Audit Trail Hooks Field-level logging of access and modification (e.g., email, role)
mTLS Enforcement Required between agents, gateways, and services
Role Mapping support_agent โ†’ read:clients, create:notes
PII/Compliance Flags ssn, dob, email, etc. for encryption, retention, masking

โš™๏ธ Boundaries of Enforcement

Area Included
โœ… REST APIs (OpenAPI) Auth required + scopes + security definitions
โœ… Async APIs (AsyncAPI) Event-based trust and access control
โœ… Schema enforcement Sensitive field encryption and access policy generation
โœ… Secrets Declaration and vault reference injection
โœ… Token models JWT validation, issuer/audience, signing algos
โœ… Multi-tenant separation Tenant ID validation, cross-tenant isolation
โœ… CI/CD context Prevents deployment of unprotected APIs or secrets in source

๐Ÿ›‘ Out of Scope

Area Handled by
Runtime token validation logic IAM Microservice (auth server)
Secret rotation Secrets Manager (e.g., Azure Key Vault, Vault)
User provisioning and login Identity Microservice
Intrusion detection Platform-level infrastructure monitoring

๐Ÿง  Sample Security Assertions Injected

GET /invoices:
  security:
    oauth2:
      scopes: [invoice.read]
    rateLimit:
      requestsPerMinute: 120
    trace:
      required_headers: [trace_id, user_id]

client.email:
  pii: true
  encrypted: true
  masked: true

service-secrets:
  - name: signing-key
    type: rsa
    source: AzureKeyVault
    path: /connectsoft/invoice/signing-key

โœ… Summary of Control Surface

Category Controlled
๐Ÿ”’ Access (who) โœ… Roles, scopes, claims
๐Ÿ” Secrets (what) โœ… Declaration + no hardcoding
๐Ÿ›ก๏ธ Trust (where) โœ… Network policy, origin restrictions
๐Ÿงพ Audit (when/why) โœ… Token traceability + observability events
โ˜๏ธ Boundaries โœ… Cross-agent, cross-tenant, CI/CD scoped enforcement

๐Ÿ“‹ Core Responsibilities

The Security Architect Agent is responsible for generating, enforcing, and publishing the complete security blueprint for any microservice or system component within the ConnectSoft AI Software Factory.

It automates access control, encryption strategy, secret usage, and trust boundary enforcement in every generated asset โ€” ensuring secure-by-default service behavior.

๐Ÿ” 1. Scope & Claim Modeling

Task Output
Generate OAuth2 scopes per API route api-security.yaml
Map scopes to roles (RBAC) and claims (ABAC) access-policy-map.yaml
Version and tag scopes with audit metadata scope-definitions.json
Create claim-based rules for advanced permissions e.g., "department = 'support'" AND "location = 'EU'"

๐Ÿงพ 2. Security Metadata for APIs and Events

Task Output
Inject OpenAPI security: block with scopes and flows REST & gRPC APIs
Annotate AsyncAPI topics with required publish_scope / subscribe_scope event-security.yaml
Define required headers: trace_id, user_id, client_id Observability-first enforcement
Tag internal vs external trust levels trust-boundary-map.yaml

๐Ÿ” 3. PII & Data Protection Controls

Task Output
Detect sensitive fields (email, ssn, dob) encryption-policy.yaml
Tag fields as x-encrypted, x-sensitive, x-mask: true Used by database and adapter generators
Generate redaction/obfuscation policy per field type Auto-tag in schemas and retention maps

๐Ÿ”‘ 4. Secrets and Key Management

Task Output
Declare all required secrets for a service service-secrets.yaml
Reference secrets from Azure Key Vault / Vault With path, version, and TTL
Ensure no hardcoded tokens in artifacts Auto-scan templates and code
Inject trust anchors for mTLS Cert and CA policy map for internal comms

๐Ÿง 5. Rate Limiting and Abuse Protection

Task Output
Annotate API routes with throttling metadata rate-limit-policy.yaml
Define rules per service, IP, client_id, or user_id
Allow exemptions for internal traffic Based on x-origin: internal or trust tag

๐Ÿ“ข 6. Policy Publication & Observability

Task Output
Emit SecurityPolicyPublished event with version and trace_id security-events.json
Generate Markdown and YAML summaries for human review Optional: security-summary.md
Emit span templates for access denied, rate limit triggered, and missing scope events Used by Observability Agent

๐Ÿ›ก๏ธ 7. Governance Enforcement

Task Effect
Block generation of APIs without security: tag โœ…
Require all services to declare required secrets โœ…
Prevent deployment if PII field lacks encryption tag โœ…
Log scope/claim drift from previous version ๐Ÿ” auto-correct or escalate
Validate token strategy (algorithms, claims) for integrity e.g., no none, enforce RS256

โœ… Summary of Responsibilities

Responsibility Area Artifact
OAuth2 scopes, roles, claims api-security.yaml, access-policy-map.yaml
PII/Field-level security encryption-policy.yaml, field-retention-map.yaml
Secrets usage service-secrets.yaml
Trust zones, identity enforcement trust-boundary-map.yaml
Publishing SecurityPolicyPublished (event)
Observability & diagnostics security-span-map.yaml, security-events.json

๐Ÿ“ฅ Core Inputs

The Security Architect Agent relies on upstream architectural artifacts, compliance definitions, and domain metadata to:

  • Derive access scopes
  • Map roles and claims
  • Identify sensitive fields
  • Generate secure token and secret usage models
  • Validate trust relationships and origin boundaries

๐Ÿ“‚ Required Input Artifacts

Artifact Source Agent Purpose
api-surface-summary.md / openapi.yaml API Designer Agent Enumerates all routes and methods requiring protection
event-catalog.yaml Event-Driven Architect Agent Defines pub/sub flows and message types
field-retention-map.yaml Data Architect / Compliance Agent Identifies PII, redactable, encrypted fields
application-architecture.md Application Architect Agent Declares multi-tenancy, origin trust zones, cross-service dependencies
security-policies.yaml Solution/Platform Architect Global security posture, e.g., allowed auth flows, required encryption
previous-security-spec.yaml (optional) CI or prior generation Enables diffing of scopes, claims, policies
trace_id, service_name, bounded_context Orchestrator For versioning, event publication, and lineage

๐Ÿ“˜ Sample Artifacts

๐Ÿ”น api-surface-summary.md

| Endpoint           | Method | Description        |
|--------------------|--------|--------------------|
| /invoices          | GET    | List invoices      |
| /invoices/{id}     | DELETE | Delete an invoice  |
| /clients/{id}      | PATCH  | Update client info |

โ†’ Used to generate scope: invoice.read, invoice.delete, client.write

๐Ÿ”น field-retention-map.yaml

client.email:
  pii: true
  encrypted: true
  redactable: true

invoice.amount:
  pii: false
  encrypted: false

โ†’ Triggers x-sensitive, x-encrypted flags in schema + encryption policies

๐Ÿ”น application-architecture.md (excerpt)

This service is exposed externally via public REST API.

- Must require OAuth2 with PKCE
- mTLS required between API Gateway and downstream services
- tenant_id must be validated on all incoming requests

โ†’ Used to set trust levels and token validation flow

๐Ÿ”น security-policies.yaml

allowed_auth_flows: [authorization_code, client_credentials]
require_mtls: true
token_signing_algorithms: [RS256]
minimum_password_length: 14
scopes_must_be_versioned: true

โ†’ Controls security blueprint rules

๐Ÿ“‘ Optional: previous-security-spec.yaml

Used to detect changes like added/removed scopes, role reassignment, token algorithm changes

scopes:
  - name: client.read
    version: v1
    roles: [support_agent]
  - name: admin.fullAccess
    version: v1
    roles: [admin]

โœ… Input Validation Rules

Rule Description
Every API path must have a valid HTTP method โœ…
All sensitive fields must appear in field-retention-map.yaml โœ…
Roles and claims must be uniquely named and scoped โœ…
All required secrets must have declared source + TTL โœ…
Every event must have publish_scope and/or subscribe_scope โœ…

๐Ÿ“ฆ Aggregated Input Prompt Example

assignment: generate-security-spec

project:
  trace_id: trace-security-8842
  service_name: ClientService
  bounded_context: CRM

inputs:
  openapi_url: https://.../client/openapi.yaml
  retention_map_url: https://.../client/field-retention-map.yaml
  application_architecture_url: https://.../client/app-architecture.md
  global_policies_url: https://.../security/security-policies.yaml
  previous_security_url: https://.../client/security-v1.yaml

settings:
  generate_claims_map: true
  enforce_rate_limits: true
  emit_security_events: true

๐Ÿ“ค Core Outputs

The Security Architect Agent emits a security specification bundle that defines, enforces, and documents:

  • API and event-level access controls
  • Role and claim-based permission mappings
  • Field-level data protection strategies
  • Secret usage declarations
  • Trust boundaries and transport-level security
  • Lifecycle events for policy observability

These outputs are machine-readable for CI/CD validation and human-readable for security audit review.

๐Ÿ“ฆ Output Artifact Summary

Artifact Format Purpose
api-security.yaml YAML Per-endpoint OAuth2 scopes, required claims, rate limits
access-policy-map.yaml YAML Role โ†’ scopes and claims (RBAC/ABAC)
encryption-policy.yaml YAML Field-level encryption and masking rules
service-secrets.yaml YAML Declared secrets, reference paths, vault source
rate-limit-policy.yaml YAML Limits per route/client/service
trust-boundary-map.yaml YAML mTLS, internal vs external service boundaries
security-events.json JSON Emitted events like SecurityPolicyPublished, violations
security-summary.md Markdown Human-readable policy report (optional)

๐Ÿงพ Artifact Details

๐Ÿ” api-security.yaml

paths:
  /clients:
    GET:
      scopes: [client.read]
      rateLimit:
        requestsPerMinute: 100
      requires_mtls: true
  /admin/reports:
    GET:
      scopes: [admin.fullAccess]
      required_claims: [role=admin, department=security]

๐Ÿ‘ค access-policy-map.yaml

roles:
  support_agent:
    scopes:
      - client.read
      - note.write
  admin:
    scopes:
      - "*"
    claims:
      - role=admin
      - clearance_level >= 3

๐Ÿ” encryption-policy.yaml

fields:
  client.email:
    encrypted: true
    pii: true
    masked: true
  client.ssn:
    encrypted: true
    redactable: true

๐Ÿ”‘ service-secrets.yaml

secrets:
  - name: jwt-signing-key
    source: AzureKeyVault
    path: /connectsoft/auth/jwt-signing-key
    type: rsa
    rotation_policy: 90d
  - name: encryption-key
    source: HashiCorpVault
    path: /secrets/encryption-key

๐Ÿงญ trust-boundary-map.yaml

zones:
  external:
    requires_mtls: true
    token_validation: enabled
  internal:
    trusted_proxies: [api-gateway, audit-service]
    allow_client_credentials_flow: true

๐Ÿšฆ rate-limit-policy.yaml

rules:
  global:
    max_requests_per_minute: 500
  paths:
    /clients:
      GET:
        requestsPerMinute: 100
        burst: 20
    /admin/reports:
      GET:
        requestsPerMinute: 25

๐Ÿ“ข security-events.json

{
  "event": "SecurityPolicyPublished",
  "traceId": "trace-security-8842",
  "service": "ClientService",
  "version": "v2.0.0",
  "artifacts": {
    "apiSecurity": "https://.../api-security.yaml",
    "accessMap": "https://.../access-policy-map.yaml"
  },
  "timestamp": "2025-05-01T23:50:00Z"
}

โœ… Output Quality Criteria

Criteria Rule
All routes must have a scopes: field โœ…
PII fields must have encrypted: true or masked: true โœ…
Each secret must define source and path โœ…
Trust zones must distinguish internal/external services โœ…
At least one security lifecycle event emitted โœ…

๐Ÿ“š Knowledge Base Overview

The Security Architect Agent relies on a deep and continually evolving knowledge base to generate secure, compliant, and scalable policies for:

  • Access control
  • Token validation
  • Encryption and masking
  • Trust boundaries
  • Secret management
  • Identity-based routing and enforcement

This knowledge base blends static rule sets with learned security patterns from previously generated services and cross-agent schemas.

๐Ÿง  1. Scope & Role Naming Conventions

Pattern Description
resource.verb client.read, invoice.write, report.generate
Hierarchical scopes admin.*, billing.*, tenant.manage
Role naming support_agent, system_admin, org_owner
Claim patterns department = sales, clearance_level >= 3
Versioning client.read.v1, admin.fullAccess.v2 (if scopes_must_be_versioned: true)

๐Ÿ”’ 2. Known Sensitive Field Patterns

Field Pattern Auto-Tagged As
email, ssn, dob, phone, passport_number x-sensitive, x-encrypted, x-mask
password, api_key, refresh_token secret = true, enforce vault retrieval
trace_id, user_id, client_id audit_required = true
ip_address, geo_location obfuscate-at-export = true

๐Ÿ“ฆ 3. Secret Hygiene and Source Standards

Rule Standard
Secrets must not be embedded in generated code โœ… auto-scan and strip
Allowed secret sources Azure Key Vault, HashiCorp Vault, AWS Secrets Manager
Recommended secret TTL 90 days unless explicitly tagged
Secrets in config files Only allowed if redacted and sourced from vault on startup
KMS Enforcement Required for encryption of at-rest data

๐Ÿงพ 4. Token Security Patterns

Pattern Best Practice
Signing algorithm Enforce RS256, ES256 (no none or HS256 in production)
Required claims exp, iat, sub, aud, scope, tenant_id
Scope binding Scope must match method + path + role
Audience validation Audience must match service or external boundary
Key rotation strategy kid header required; JWKs auto-sync every 1h

๐Ÿ›ก๏ธ 5. Trust Boundary Classifications

Zone Policy
external mTLS required, OAuth2 required, claims validated
internal mTLS preferred, short-lived client credentials tokens
sandbox Mock secrets and reduced scopes
shared Token-scoped access with tenant isolation enforced

๐Ÿ” 6. Security Drift Detection Memory

Detection Trigger
Role was removed but still assigned Warn, rollback, or reassign
Scope changed without claim mapping Block publication or mark as breaking
Field previously encrypted: true is now false Escalate and mark as regression
Scope removed from endpoint Validate claim/role fallbacks or block contract publication

๐Ÿ“˜ 7. Reusable Security Snippets

Use Case Output Snippet
Protecting GET /admin/users Require admin.fullAccess + role = admin
Masking email in logs x-mask: true, masking_profile: default.email
Multi-tenant trust Require tenant_id in token + access filter in query
Internal call from API Gateway to service mTLS with aud = internal + client_id whitelist

๐Ÿง  Semantic Memory Match Example

query: "Protect route /clients/{id}"
result:
  scope: client.read
  required_claims: [role=support_agent]
  rate_limit: 100 rpm
  trace_fields: [trace_id, tenant_id, user_id]

โœ… Knowledge Base Summary

Category Description
Scope naming and versioning Consistent naming across services
Claim rules and role mappings Memory-guided reuse
PII pattern detection Learned rules + glossary patterns
Secret patterns Vault-only enforcement + TTL best practices
Token enforcement JWT claims, signing, and trust propagation
Trust zones Boundary-level protections and policy fallback detection

๐Ÿ”„ End-to-End Process Flow

The Security Architect Agent executes a multi-phase, memory-guided process to generate and validate security policies that protect:

  • APIs
  • Events
  • Data fields
  • Secrets
  • Trust boundaries

The process is orchestrated via Semantic Kernel skills, with each step traceable, observable, and retry-safe.

๐Ÿ“‹ Step-by-Step Flow

Step Description
1๏ธโƒฃ Parse Inputs - Load and validate the following input files:
- openapi.yaml, api-surface-summary.md, field-retention-map.yaml, application-architecture.md, security-policies.yaml, and previous-security-spec.yaml (if present).
- Extract necessary information such as:
- All routes and HTTP methods
- Sensitive fields and masking hints
- Trust boundary types (external/internal/sandbox)
- Existing scopes, roles, and claims (for comparison).
2๏ธโƒฃ Scope and Access Rule Generation - For each route, the following tasks are performed:
- Suggest a scope using semantic naming (e.g., resource.verb)
- Determine if a role or claim is required (support for ABAC)
- Generate scope version (e.g., client.read.v2) if enabled.
- Emit the following files:
- api-security.yaml
- access-policy-map.yaml.
3๏ธโƒฃ PII and Field-Level Encryption Enforcement - Match all fields marked as pii: true from the field-retention-map.yaml file.
- Generate the following:
- encryption-policy.yaml with flags: encrypted, masked, redactable.
- Enforcement hints for adapters and schema agents to handle encryption and data masking properly.
4๏ธโƒฃ Secret Declaration and Trust Planning - Detect secret usages (e.g., JWT signing keys, encryption keys, API keys).
- Emit the following files:
- service-secrets.yaml
- trust-boundary-map.yaml based on call graphs and architecture.
- Validate that:
- Each secret must be externalized for security.
- Trust zones must align with the origin of traffic to ensure proper security boundary enforcement.
5๏ธโƒฃ Rate Limit and Throttle Mapping - For each API route, suggest rate limits:
- Base RPM (Requests Per Minute)
- Burst and exemption flags for handling traffic spikes.
- Emit the rate-limit-policy.yaml file containing the rate-limiting configuration.
6๏ธโƒฃ Security Drift & Scope Diff Check - If previous-security-spec.yaml is available, perform the following checks:
- Detect scope removal or changes.
- Compare role โ†’ scope mappings to detect discrepancies.
- Flag breaking changes or missing encryption to ensure security consistency.
7๏ธโƒฃ Emit Artifacts and Events - Outputs include:
- api-security.yaml, access-policy-map.yaml, encryption-policy.yaml, service-secrets.yaml, rate-limit-policy.yaml, trust-boundary-map.yaml, and security-events.json.
- Emit the SecurityPolicyPublished event containing:
- Trace ID
- Version
- Artifact links
- Change summary (if applicable).

1๏ธโƒฃ Parse Inputs

  • Load and validate:

    • openapi.yaml, api-surface-summary.md
    • field-retention-map.yaml
    • application-architecture.md
    • security-policies.yaml
    • previous-security-spec.yaml (if present)

  • Extract:

    • All routes and HTTP methods
    • Sensitive fields and masking hints
    • Trust boundary types (external/internal/sandbox)
    • Existing scopes, roles, claims (for comparison)

2๏ธโƒฃ Scope and Access Rule Generation

  • For each route:

    • Suggest scope using semantic naming: resource.verb
    • Determine if role or claim is required (ABAC support)
    • Generate scope version (client.read.v2) if enabled

  • Emit:

    • api-security.yaml
    • access-policy-map.yaml

3๏ธโƒฃ PII and Field-Level Encryption Enforcement

  • Match all pii: true fields from field-retention-map.yaml
  • Generate:
    • encryption-policy.yaml with flags: encrypted, masked, redactable
    • Enforcement hints for adapters and schema agent

4๏ธโƒฃ Secret Declaration and Trust Planning

  • Detect secret usages (e.g., JWT signing keys, encryption keys, API keys)

  • Emit:

    • service-secrets.yaml
    • trust-boundary-map.yaml based on call graphs and architecture

  • Validate:

    • Each secret must be externalized
    • Trust zones must align with origin of traffic

5๏ธโƒฃ Rate Limit and Throttle Mapping

  • For each API route, suggest:
    • Base RPM (requests per minute)
    • Burst and exemption flags
  • Emit rate-limit-policy.yaml

6๏ธโƒฃ Security Drift & Scope Diff Check

  • If previous-security-spec.yaml is available:
    • Detect scope removal or changes
    • Compare role โ†’ scope mappings
    • Flag breaking changes or missing encryption

7๏ธโƒฃ Emit Artifacts and Events

  • Outputs:

    • api-security.yaml, access-policy-map.yaml
    • encryption-policy.yaml, service-secrets.yaml, rate-limit-policy.yaml
    • trust-boundary-map.yaml, security-events.json

  • Emit SecurityPolicyPublished with:

    • Trace ID
    • Version
    • Artifact links
    • Change summary (if applicable)

๐Ÿง  Flow Diagram (Mermaid)

flowchart TD
    A[Parse Inputs + Previous Specs] --> B[Generate Scopes and Roles]
    B --> C[Encrypt + Mask Sensitive Fields]
    C --> D[Declare Secrets + Trust Zones]
    D --> E[Rate Limit and Scope Diff]
    E --> F[Emit Artifacts + SecurityPolicyPublished]
Hold "Alt" / "Option" to enable pan & zoom

๐Ÿ“ˆ Observability & Telemetry

Span Purpose
scope_generation.duration_ms Time to assign all endpoint scopes
pii_field_tagging.total Count of fields encrypted or masked
secret_detection.retry_count Times fallback or fix was applied
breaking_change_detected True/False โ€” triggers version bump
security_event_published Lifecycle signal for CI/CD

๐Ÿ” Retry & Fallback Handling

Scenario Fallback
Scope missing for endpoint Use inferred scope + append .inferred tag
Unknown secret source Default to AzureKeyVault, emit warning
Role-scope mismatch Auto-generate new role or escalate for review
Missing trace_id / user_id fields Inject into API security map and observability policy

๐Ÿ› ๏ธ Skills and Kernel Functions

The Security Architect Agent is composed of modular Semantic Kernel (.NET) skills, each focused on a specific layer of security enforcement and policy generation.
All skills are designed to support retry logic, span observability, and composability across service types.

๐Ÿ” 1. Scope & Claim Modeling Skills

Skill Purpose
ScopeGeneratorSkill Suggests scopes for each endpoint (e.g., client.read, invoice.write)
RoleToScopeMapperSkill Maps platform-defined roles to valid scope sets
ClaimRuleBuilderSkill Constructs ABAC-style claim conditions (role=admin, level > 2)
ScopeDiffDetectorSkill Compares previous-security-spec.yaml to detect breaking changes or missing mappings

๐Ÿ” 2. Sensitive Field & PII Protection Skills

Skill Purpose
FieldSensitivityTaggerSkill Detects pii, x-encrypted, and x-mask field requirements
EncryptionPolicyAssemblerSkill Emits encryption-policy.yaml with compliant tags
MaskingProfileSelectorSkill Suggests masking templates (default.email, ssn.partial)
AuditFieldEnforcerSkill Ensures trace_id, user_id, tenant_id appear in logs and security maps

๐Ÿ”‘ 3. Secret & Trust Skills

Skill Purpose
SecretUsageScannerSkill Detects JWT signing keys, API keys, encryption secrets
SecretDeclarationEmitterSkill Emits service-secrets.yaml with vault source/path
TrustBoundaryClassifierSkill Classifies internal, external, shared, and sandbox zones
MTLSPolicyPlannerSkill Adds mTLS requirement between services in trust boundary map

๐Ÿšฆ 4. Rate Limit & Abuse Prevention

Skill Purpose
RateLimitRuleGeneratorSkill Suggests requestsPerMinute, burst, backoff based on endpoint type
ThrottleExemptionTaggerSkill Marks internal or elevated-role users for reduced enforcement
RateLimitPolicyEmitterSkill Outputs rate-limit-policy.yaml with detailed configs

๐Ÿ“ก 5. Lifecycle and Observability Skills

Skill Purpose
SecurityPolicyPublisherSkill Emits the SecurityPolicyPublished event, including trace ID and relevant links to ensure that the policy is properly published and tracked.
SecuritySpanTemplateGeneratorSkill Injects span templates into security-events.json for comprehensive logging and traceability. Example spans include:
- access_denied: Logs when access is denied.
- token_expired: Logs when a token expires.
- rate_limit_triggered: Logs when the rate limit is triggered.
ChangelogEmitterSkill (Optional) Emits the security-changelog.md file if a version bump is required, ensuring traceability and change management for security-related changes.

๐Ÿงฉ Skill Composition Flow

flowchart TD
    A[ScopeGeneratorSkill] --> B[ClaimRuleBuilderSkill]
    B --> C[FieldSensitivityTaggerSkill]
    C --> D[SecretDeclarationEmitterSkill]
    D --> E[RateLimitRuleGeneratorSkill]
    E --> F[SecurityPolicyPublisherSkill]
Hold "Alt" / "Option" to enable pan & zoom

๐Ÿ” Retry Behaviors (Auto-Fixable Failures)

Skill Retry Trigger Correction
ScopeGeneratorSkill Scope already exists with different claims Suffix version (.v2) or auto-namespace
SecretDeclarationEmitterSkill Secret missing source Default to Azure Key Vault + warn
TrustBoundaryClassifierSkill Undeclared origin service Assume external unless whitelisted
RateLimitRuleGeneratorSkill Too aggressive Fallback to conservative template (60rpm, burst=5)

๐Ÿ“ˆ Skill Metrics Emitted

Metric Description
scope_generated_total Count of new scopes created
pii_fields_tagged_total Number of fields marked for encryption/masking
rate_limit_rules_applied_total Endpoint-level throttling annotations
trust_boundary_conflict_count Detected policy mismatches across origin zones
security_event_emitted Lifecycle events logged to CI and dashboards

๐Ÿ› ๏ธ Core Technologies Used

The Security Architect Agent leverages a robust ecosystem of identity, encryption, vaulting, and policy-as-code technologies, all orchestrated within the ConnectSoft AI Software Factory using Semantic Kernel (.NET).

These tools ensure secure-by-default generation, policy propagation, and runtime compliance across all service types.

๐Ÿ” 1. Authentication & Authorization Protocols

Technology Role
OAuth2 Standard for scopes, flows (PKCE, client credentials)
OpenID Connect Enriches tokens with identity and claims
JWT (JSON Web Tokens) Default token format (RS256 recommended)
JWK (Key Set) Token signature verification and rotation
ABAC/RBAC DSLs YAML-based policies for claim and role mappings

๐Ÿ”‘ 2. Secret Management & Encryption

Tool Purpose
Azure Key Vault Default source for managed secrets, JWT signing keys, DB passwords
HashiCorp Vault Optional self-hosted secrets manager
KMS (Azure, AWS) Encrypt fields at rest, rotate encryption keys
Field-level tagging DSL Defines encrypted, mask, redactable, and ttl in YAML format
Secrets-as-Code Injection Secure referencing via service-secrets.yaml

๐Ÿงฐ 3. Policy & Access Enforcement

Tool Purpose
OPA (Open Policy Agent) (optional downstream enforcement) Enforce runtime claims and resource access
ConnectSoft Access Map access-policy-map.yaml describes scopes, roles, conditions
Trust Boundary Mapper Emits trust-boundary-map.yaml to define internal/external boundaries
Rate Limiter DSL Defines throttling rules, per-IP/client limits

๐Ÿ“„ 4. Schema and API Integration

Artifact Role
openapi.yaml Annotated with security: blocks, scopes, headers
asyncapi.yaml Annotated with publish/subscribe scope requirements
schema.yaml Injects x-sensitive, x-encrypted, x-mask on fields
field-retention-map.yaml Used to correlate PII fields with encryption policy

๐Ÿ“ก 5. Telemetry and Event Publishing

Technology Function
OpenTelemetry Emit spans for scope_generation, token_violation, rate_limit_triggered
Azure Event Grid Publish SecurityPolicyPublished and change events
Prometheus + Grafana Visualize enforcement metrics across services
Application Insights / ELK Capture logs from rejected tokens, audit failures

๐Ÿ“ฆ 6. Output Formats & Compatibility

Format Description
api-security.yaml Machine-parseable contract for scopes and claims
access-policy-map.yaml RBAC + ABAC definitions for services
encryption-policy.yaml Field-level controls for encryption, masking, redaction
service-secrets.yaml Secret sources, TTLs, vault paths
security-events.json Lifecycle signals for observability and CI/CD
security-summary.md (Optional) audit-friendly Markdown summary

๐Ÿ›ก๏ธ 7. Compliance Standards Alignment

Standard Alignment Actions
SOC 2 Audit trail on access policy changes, secrets versioning
GDPR Redaction, right-to-be-forgotten tagging, masking policies
HIPAA Field-level protection, encryption at rest, access logs
Zero Trust No implicit trust between services, mTLS + identity required
PCI-DSS Masking of cardholder fields, role segregation

๐Ÿง  Agent Tooling Infrastructure

Technology Description
Semantic Kernel (.NET) Agent framework and orchestration layer
YAML DSL processors Custom schema validators for all *.yaml policies
Mermaid / Markdown generators Optional doc rendering for security-summary.md
CI/CD Integration (Azure Pipelines) Gatekeeper for schema validation and contract promotion

โœ… Summary

Layer Tools Used
Authentication & Tokenization OAuth2, OIDC, JWT, JWK
Secrets & Encryption Azure Key Vault, Vault, KMS
Access Control access-policy-map.yaml, OPA
Observability OpenTelemetry, Event Grid
Compliance SOC 2, GDPR, HIPAA mappings
Output YAML/JSON contracts, Markdown summaries

๐Ÿ“œ System Prompt (Bootstrapping Instruction)

The System Prompt defines the initial operating context and expectations of the Security Architect Agent. It ensures that every generated output is secure-by-default, zero-trust aligned, and compliant with ConnectSoftโ€™s platform security model.

โœ… Full System Prompt (Plain Text)

You are the **Security Architect Agent** within the ConnectSoft AI Software Factory.

Your responsibility is to ensure that all services, APIs, event streams, and storage layers follow a **Security-by-Design** approach and align with Zero Trust principles.

---

## Your Core Tasks:

1. For every API or event:
   - Generate required OAuth2 scopes (e.g., `invoice.read`, `admin.fullAccess`)
   - Map roles to scopes and claims using `access-policy-map.yaml`
   - Annotate `openapi.yaml` and `asyncapi.yaml` with `security` sections

2. For every sensitive field:
   - Tag as `x-sensitive: true`, `x-encrypted: true`, `x-mask: true` if applicable
   - Ensure presence in `encryption-policy.yaml`

3. For every secret or credential:
   - Ensure declaration in `service-secrets.yaml` with source and TTL
   - Prevent any secrets from being hardcoded into generated artifacts

4. For every route:
   - Define rate limits in `rate-limit-policy.yaml`
   - Flag exempt services (e.g., internal agents or trusted CI clients)

5. For service-level trust:
   - Emit `trust-boundary-map.yaml` describing inter-service mTLS zones
   - Enforce identity-based policies for access (e.g., `aud`, `client_id` validation)

6. Publish:
   - `api-security.yaml`, `access-policy-map.yaml`, `encryption-policy.yaml`, `rate-limit-policy.yaml`
   - `security-events.json` with `SecurityPolicyPublished` or `TokenScopeViolationDetected`

---

## Required Output Standards:

- All scopes must be namespaced (e.g., `client.read`, `billing.generateStatement`)
- Every PII field must be tagged and included in encryption map
- Trust boundaries must be versioned and traceable via `trace_id`
- All events must be published to `SecurityEventStream` or output to `security-events.json`
- Output files must include metadata: `agent_version`, `trace_id`, `schema_version`

---

## Versioning:

- Changes in roles, scopes, encryption strategy, or token model = bump policy version
- Breaking security drift = emit changelog + block CI/CD until resolved

---

## Observability:

- Emit spans for:
  - Scope generation
  - Token validation failures
  - Rate limit triggers
  - Secret declaration gaps

- Ensure each span includes `trace_id`, `agent_version`, `service_name`

---

## Policy Failures:

If a violation or incomplete configuration is detected:
- Retry with default/fallback enforcement
- Emit `SecurityPolicyWarning` or `SecurityContractFailed` event
- Block publication if access cannot be resolved safely

๐Ÿงญ Summary of Agent Behavior

With this system prompt:

  • All services get scoped, claim-driven access enforcement
  • PII fields are always protected and traceable
  • Secrets are externalized and source-bound
  • Trust boundaries are explicit and contractually enforced
  • Outputs are auditable, versioned, and compliance-ready

๐Ÿ“ฅ Input Prompt Template

The Security Architect Agent is activated by a YAML-based input prompt provided by ConnectSoftโ€™s orchestration layer.
This prompt defines:

  • Service context and traceability metadata
  • Links to all relevant source documents (API specs, compliance maps, secrets, architecture)
  • Enforcement settings and feature flags
  • Output format expectations

โœ… Example Input Prompt (YAML)

assignment: generate-security-spec

project:
  trace_id: "trace-security-55429"
  project_id: "connectsoft-saas"
  bounded_context: "CRM"
  service_name: "ClientService"
  agent_version: "1.4.0"

inputs:
  openapi_url: "https://artifacts.connectsoft.dev/client/openapi.yaml"
  event_catalog_url: "https://artifacts.connectsoft.dev/client/event-catalog.yaml"
  field_retention_map_url: "https://artifacts.connectsoft.dev/client/field-retention-map.yaml"
  application_architecture_url: "https://artifacts.connectsoft.dev/client/application-architecture.md"
  security_policies_url: "https://artifacts.connectsoft.dev/platform/security-policies.yaml"
  previous_security_spec_url: "https://artifacts.connectsoft.dev/client/security-v1.yaml"

settings:
  enforce_rate_limits: true
  scopes_must_be_versioned: true
  allow_client_credentials_flow: true
  generate_access_summary_markdown: true
  emit_security_events: true

๐Ÿ“‚ Required Fields

๐Ÿ“ฆ project

Field Description
trace_id Unique identifier for traceability across all artifacts
service_name The microservice the security spec applies to
bounded_context Domain context of the service
agent_version Version of the Security Architect Agent executing the spec

๐Ÿ“š inputs

Artifact Purpose
openapi_url Enumerates all routes to generate scopes and security: blocks
event_catalog_url Defines events and required publish/subscribe_scope
field_retention_map_url Maps sensitive fields to encryption/masking requirements
application_architecture_url Declares trust zones and internal/external route exposure
security_policies_url Global policy posture (e.g., allowed auth flows, token rules)
previous_security_spec_url Enables diffing for scope/role drift detection (optional)

โš™๏ธ settings

Flag Description
enforce_rate_limits Enables generation of rate-limit-policy.yaml
scopes_must_be_versioned Appends .vX to scopes for CI traceability
allow_client_credentials_flow Enables token strategy compatibility for internal services
generate_access_summary_markdown Produces security-summary.md for audit reports
emit_security_events Publishes SecurityPolicyPublished, ScopeViolationDetected, etc.

โœ… Minimal Prompt Example

assignment: generate-security-spec
project:
  service_name: InvoiceService
  trace_id: trace-994

inputs:
  openapi_url: https://.../invoice/openapi.yaml
  field_retention_map_url: https://.../invoice/field-retention.yaml
  security_policies_url: https://.../security/global.yaml

settings:
  scopes_must_be_versioned: true

๐Ÿงพ Validation Rules

Rule Description
trace_id, service_name, and openapi_url are required โœ…
field_retention_map_url must be present for PII enforcement โœ…
security_policies_url required for platform-level constraints โœ…
If scopes_must_be_versioned, all generated scopes must end in .vX โœ…
Secrets and token models must align with application_architecture.md โœ…

๐Ÿ“ˆ Trace Metadata Injected into All Outputs

metadata:
  trace_id: trace-security-55429
  service_name: ClientService
  schema_version: v2.1.0
  agent_version: 1.4.0
  generated_on: 2025-05-01T23:59:00Z

๐Ÿ“ค Output Expectations

The Security Architect Agent generates a complete, versioned, and policy-compliant security specification bundle.
These artifacts are:

  • Machine-readable for CI/CD and enforcement agents
  • Human-readable (optional) for audits and governance
  • Traceable, version-controlled, and lifecycle-linked via events

๐Ÿ“ฆ Output Artifact Summary

Artifact Format Purpose
api-security.yaml YAML Declares OAuth2 scopes, roles, claims per route
access-policy-map.yaml YAML Maps roles to scopes and/or claims (RBAC/ABAC)
encryption-policy.yaml YAML Flags fields for encryption, masking, or redaction
service-secrets.yaml YAML Declares secrets with vault path, type, TTL
rate-limit-policy.yaml YAML Throttling rules per method, IP, or role
trust-boundary-map.yaml YAML Describes internal vs external communication requirements
security-events.json JSON Contains emitted lifecycle or anomaly events
security-summary.md (optional) Markdown Human-readable summary for audit or manual review

๐Ÿ“˜ Example: api-security.yaml

paths:
  /clients:
    GET:
      scopes: [client.read.v2]
      requires_mtls: true
      rate_limit:
        rpm: 100
        burst: 10
  /admin/reports:
    GET:
      scopes: [admin.fullAccess.v1]
      required_claims: [role=admin, clearance_level=3]

๐Ÿ‘ค Example: access-policy-map.yaml

roles:
  support_agent:
    scopes:
      - client.read.v2
      - note.write.v1
  admin:
    scopes: ["*"]
    claims:
      - role=admin
      - clearance_level >= 3

๐Ÿ” Example: encryption-policy.yaml

fields:
  client.email:
    encrypted: true
    pii: true
    mask: true
    masking_profile: default.email
  client.ssn:
    encrypted: true
    redactable: true

๐Ÿ”‘ Example: service-secrets.yaml

secrets:
  - name: jwt-signing-key
    source: AzureKeyVault
    path: /connectsoft/auth/jwt-signing-key
    rotation_policy: 90d
  - name: db-password
    source: HashiCorpVault
    path: /connectsoft/db/invoice-password
    type: password

๐Ÿงญ Example: trust-boundary-map.yaml

zones:
  internal:
    trusted_proxies: [api-gateway]
    requires_mtls: true
    token_flow: client_credentials
  external:
    requires_mtls: true
    token_flow: authorization_code
    audience_validation: required

๐Ÿ“ก Example: security-events.json

{
  "event": "SecurityPolicyPublished",
  "trace_id": "trace-security-55429",
  "service": "ClientService",
  "version": "v2.1.0",
  "artifacts": {
    "apiSecurity": "https://.../api-security.yaml",
    "accessMap": "https://.../access-policy-map.yaml"
  },
  "timestamp": "2025-05-01T23:59:00Z"
}

๐Ÿ“‘ (Optional) security-summary.md

A Markdown summary for governance review boards, DevSecOps, and documentation purposes.

โœ… Output Quality Checklist

Rule Enforced
Every route must include a scopes: declaration โœ…
Every PII field must appear in encryption-policy.yaml โœ…
All secrets must have source, type, and path โœ…
Internal/external zones must be declared in trust map โœ…
At least one SecurityPolicyPublished event is emitted โœ…
All outputs include trace_id, agent_version, and schema_version โœ…

๐Ÿง  Memory Model Overview

The Security Architect Agent uses a multi-layered memory model to ensure:

  • Consistent scope and claim generation across services
  • Role and permission reuse
  • Enforcement of historical encryption and trust policies
  • Security drift detection (between spec versions)
  • Anomaly correction via past patterns and fallback models

This memory includes short-term (in-session) memory and long-term (cross-service semantic) memory.

๐Ÿ• Short-Term Memory (Session Scoped)

Memory Component Description
routes_scanned[] All API endpoints and event topics processed
generated_scopes[] Scopes proposed per endpoint
claims_applied[] Any required claims or role-based access
sensitive_fields[] PII fields tagged for protection
secrets_declared[] All secrets referenced in this run
trust_zones_defined[] Internal, external, shared boundaries detected
diff_detected[] Changes between current and previous-security-spec.yaml
rate_limits_applied[] RPM/burst metadata assigned per route

๐Ÿ“š Long-Term Semantic Memory (Cross-Service)

๐Ÿ” 1. Scope & Role History

Feature Purpose
Scope usage frequency Helps avoid unnecessary proliferation
Known role mappings Maps support_agent โ†’ client.read, note.write
Scopes tagged as "privileged" Requires claims enforcement (e.g., admin.*)
Scope version history Tracks semantic changes across client.read.v1 โ†’ v2

๐Ÿงพ 2. Field Protection Policies

Match Policy
email, ssn, dob, phone_number encrypted: true, mask: true, audit: true
Custom field marked pii: true Enforce redactable: true
Previously encrypted field now untagged Raise warning: encryption-downgrade-risk

๐Ÿ” 3. Secret Management Patterns

Detected Pattern Action
JWT signing key present Require type: rsa, rotation_policy <= 90d
Password fields Default source = Vault or AzureKeyVault
Hardcoded token in spec Redact, replace with source_ref and emit warning

๐Ÿงญ 4. Trust Boundary Policy Cache

Zone Default Behaviors
external mTLS required, token required, rate limit enabled
internal Client credentials accepted, optional mTLS
sandbox Reduced claims enforcement, dummy secrets
shared Scoped token access, tenant isolation enforced

๐Ÿง  Memory Query Example

query: "What are the default access rules for /admin/settings?"
memory_match:
  scope: admin.fullAccess
  required_claims: [role=admin, clearance_level >= 3]
  zone: external
  mTLS: true
  rate_limit: 25 rpm
  version: admin.fullAccess.v2

๐Ÿง  Drift Detection and Changelog Memory

Change Detected Result
Scope removed from endpoint Raise warning, emit diff entry
Role deleted but still assigned to scope Auto-remap or escalate
Claims relaxed in access-policy-map.yaml Suggest escalation or block
Secret source changed from Vault to inline Escalate to Governance Agent

๐Ÿ“ˆ Memory-Aware Changelog Example

changelog:
  version: v2.2.0
  changes:
    - scope_added: note.delete
    - role_scope_reassignment: admin now has note.delete
    - field_encryption_added: client.ssn
    - rate_limit_increased: /clients GET from 60 to 100 rpm
    - trust_zone_promoted: /admin/* moved to external

โœ… Benefits of Memory Usage

Value Description
Consistent access modeling Scopes and roles evolve predictably
Reuse reduces redundancy Avoids generating 10+ duplicate scopes
Tracks security regressions Detects field decryption, missing scope bindings
Supports changelogs & CI validation Required for policy diff pipelines
Enhances fallback safety Uses past scopes/claims to resolve errors when uncertain

โœ… Validation and Correction Pipeline

The Security Architect Agent performs multi-layered validation of all generated security artifacts to ensure:

  • Policies are complete, traceable, and compliant
  • Secrets are externalized
  • Scopes and roles are logically consistent
  • No breaking changes are introduced without detection
  • Outputs are safe for CI/CD pipeline promotion

It automatically corrects, diffs, or escalates based on validation outcomes.

๐Ÿงช Validation Phases

1๏ธโƒฃ Schema and Syntax Validation

Artifact Check
api-security.yaml Valid YAML, all endpoints present, required scopes defined
access-policy-map.yaml Unique role names, no orphan scopes, claims resolvable
encryption-policy.yaml Field names match schema, masking/encryption flags consistent
service-secrets.yaml All secrets include name, source, path, and type
trust-boundary-map.yaml Zones well-formed, consistent with app architecture

2๏ธโƒฃ Cross-Artifact Consistency Checks

Rule Example
Every route in openapi.yaml must exist in api-security.yaml โœ…
All pii: true fields in field-retention-map.yaml must be present in encryption-policy.yaml โœ…
Roles in access-policy-map.yaml must map to existing scopes โœ…
Secrets must be declared in Vault or Key Vault (no source: none) โœ…
Scope versions must be monotonic and consistent across updates โœ…

3๏ธโƒฃ Security Drift and Regression Detection

Check Outcome
Scope removed or reassigned Log as breaking change, block pipeline if unapproved
Encryption tag removed from a previously protected field Raise critical warning
Trust zone changed from internal โ†’ external Revalidate mTLS, token scope, and claims
Claim requirement relaxed (e.g., role: admin โ†’ role: user) Mark as potential escalation risk

๐Ÿ” Auto-Correction Behaviors

Issue Detected Correction
Scope missing for new endpoint Suggest resource.verb.vX, add to api-security.yaml
Secret missing source Default to Azure Key Vault, emit warning
PII field unencrypted Tag as x-encrypted: true, suggest masking profile
Rate limit too permissive (>1000rpm) Lower to default per service class
Missing required claims on admin.* scope Suggest role=admin, clearance_level >= 3

๐Ÿ“œ Correction Example Log

{
  "trace_id": "trace-sec-11992",
  "skill": "ScopeGeneratorSkill",
  "retry": 1,
  "issue": "Missing scope for DELETE /clients/{id}",
  "suggested_scope": "client.delete.v1",
  "correction_applied": true
}

๐Ÿšจ Escalation Triggers

Trigger Action
3+ unresolvable secrets Block SecurityPolicyPublished, emit SecurityContractFailed
Trust boundary downgrade (external โ†’ internal) Escalate to Governance Agent
Breaking scope/claim diff Emit SecurityDriftDetected, require manual approval
PII field encryption downgraded Block output, emit DataProtectionViolationDetected

๐Ÿ“ˆ Observability Metrics Emitted

Metric Description
scope_generation_failures_total Number of scopes that required fallback
pii_encryption_missed_total PII fields missing encryption on first pass
policy_retry_count_by_skill Retry behavior by skill (used for tuning + audit)
security_drift_detected_total Total breaking changes compared to prior spec
secrets_missing_source_total Count of secrets declared without valid vault reference

โœ… Final Output Guarantee

A SecurityPolicyPublished event is emitted only if:

  • All security YAML files pass validation
  • All PII fields are covered by encryption policy
  • No hardcoded secrets are present
  • Role and scope mappings are valid
  • All trust zones are respected
  • Traceability fields (trace_id, service_name, version) are included in all artifacts

๐Ÿค Collaboration Interfaces

The Security Architect Agent operates as a cross-cutting policy generator and enforcer.
It integrates with upstream structural agents and downstream enforcement, DevOps, and observability agents to propagate Zero Trust, compliance, and identity-aware controls.

๐Ÿ”ผ Upstream Inputs

Agent Artifacts Provided
API Designer Agent openapi.yaml, api-surface-summary.md โ€” used for scope generation
Event-Driven Architect Agent event-catalog.yaml โ€” defines event topics for pub/sub scopes
Data Architect Agent field-retention-map.yaml, schema.yaml โ€” identifies PII/encrypted fields
Application Architect Agent application-architecture.md โ€” trust boundaries, origin mapping
Compliance Architect Agent retention-policy.yaml โ€” additional field compliance enforcement
Solution Architect Agent security-policies.yaml โ€” global platform-wide security constraints
Glossary Agent (optional) Glossary entries for common roles, reusable claims, known risk vocab

๐Ÿ”ฝ Downstream Consumers

Agent Artifacts Consumed
Adapter Generator Agent access-policy-map.yaml, encryption-policy.yaml โ€” applies RBAC/ABAC enforcement, encrypts/masks fields
DevOps Architect Agent service-secrets.yaml, trust-boundary-map.yaml โ€” deploys secrets and network policies
API Gateway Configurator Agent api-security.yaml, rate-limit-policy.yaml โ€” applies per-route security
Test Generator Agent access-policy-map.yaml, security-summary.md โ€” generates negative access tests, rate limit checks
Observability Agent security-events.json โ€” listens to and emits trace events for security enforcement violations
Developer Portal Generator Agent security-summary.md โ€” embeds access rules and data protection indicators in UI

๐Ÿ“ข Events Emitted

Event Trigger
SecurityPolicyPublished Emitted when spec generation completes successfully
SecurityContractFailed Blocker event if secrets or scope/role violations exist
SecurityDriftDetected Emitted on version regression, dropped encryption, or deleted roles
ScopeViolationDetected Optional runtime signal when token lacks required scope (emitted by downstream agent but spec-driven)

๐Ÿ” Policy Distribution Points

Target Format Function
API Gateway api-security.yaml, rate limits Enables routing enforcement + JWT validation
Identity Microservice access-policy-map.yaml Loads RBAC/ABAC for JWT validation service
Secrets Manager Integration service-secrets.yaml Drives Azure Key Vault / Vault resource creation
Service Mesh / mTLS Layer trust-boundary-map.yaml Informs service-to-service trust and isolation policies

๐Ÿ”„ Collaboration Flow Diagram

flowchart TD
    API_Designer -->|openapi.yaml| SecurityArchitect
    DataArchitect -->|field-retention-map.yaml| SecurityArchitect
    EventArchitect -->|event-catalog.yaml| SecurityArchitect
    ComplianceArchitect -->|retention-policies.yaml| SecurityArchitect

    SecurityArchitect --> AdapterGenerator
    SecurityArchitect --> DevOpsArchitect
    SecurityArchitect --> APIGatewayConfigurator
    SecurityArchitect --> ObservabilityAgent
    SecurityArchitect --> TestGenerator
    SecurityArchitect --> DeveloperPortal
Hold "Alt" / "Option" to enable pan & zoom

๐Ÿง  Traceability Integration

All artifacts and emitted events include:

metadata:
  trace_id: trace-security-99821
  service_name: ClientService
  schema_version: v2.3.0
  agent_version: 1.4.1
  generated_on: 2025-05-02T00:15:00Z

This enables all downstream agents to align to the same execution trace, ensuring auditability and lifecycle tracking.

๐Ÿ“ก Observability & Traceability

The Security Architect Agent is fully observable via OpenTelemetry, emits structured events for CI/CD pipelines, and includes embedded metadata for:

  • Runtime validation (JWTs, secrets, encryption)
  • Policy change tracking (version diffs, trust changes)
  • Access control drift detection
  • Data protection coverage reporting

All generated files and events carry full agent and execution metadata.

๐Ÿ›ฐ๏ธ Emitted Spans

Span Name Description
scope_generation Emitted for every scope inferred or diffed
pii_encryption_applied Field tagging spans (e.g., email, ssn)
secret_declared Vault reference creation
rate_limit_computed Rate control decisions per route
security_policy_published Final span for full contract output
security_drift_detected Span with severity, version delta, and violated entity

Each span includes:
โœ… trace_id
โœ… service_name
โœ… agent_version
โœ… duration_ms
โœ… status

๐Ÿ“ข Lifecycle Event Emission

๐Ÿ”” SecurityPolicyPublished (Success Signal)

{
  "event": "SecurityPolicyPublished",
  "service": "ClientService",
  "version": "v2.1.0",
  "trace_id": "trace-sec-88239",
  "agent_version": "1.4.1",
  "artifacts": {
    "accessMap": "https://.../access-policy-map.yaml",
    "apiSecurity": "https://.../api-security.yaml"
  },
  "timestamp": "2025-05-02T00:17:00Z"
}

โš ๏ธ SecurityContractFailed (Blocking Signal)

Emitted when critical security violation is found and generation is aborted:

  • Missing encryption on PII
  • Downgraded scope protection
  • Role mapping broken
  • Secret declared with source: none
  • Trust downgrade without mTLS enforcement

๐Ÿ“Š Dashboards & CI/CD Integration

Dashboard Tile Source
๐Ÿ”’ Scope Coverage % api-security.yaml per service
๐Ÿ” Secrets Declared / Used service-secrets.yaml
๐Ÿ“‰ Drift/Regression Count Diff engine vs previous spec
๐Ÿšฆ Rate Limit Violations From runtime Observability Agent
๐Ÿงช Token Failure Paths From security span trace logs
โœ… Spec Version & Changelog From embedded metadata and published events

๐Ÿ› ๏ธ Governance Hooks

Action Result
security-policy.yaml regression Block promotion to staging/prod
Secrets missing source Red-flag in CI/CD checks
Trust downgrade Escalation to human-in-the-loop reviewer
Drift in claim mapping Notify Compliance Agent + force manual override

โœ… Final Security Outcomes

With the Security Architect Agent, ConnectSoft ensures:

  • โœ… No microservice is deployed without role- or claim-based protection
  • โœ… PII data is always tagged, masked, or encrypted
  • โœ… Secrets are never exposed in code โ€” only referenced securely
  • โœ… Trust zones and traffic origin are enforced via mTLS
  • โœ… Full lifecycle of security design is traceable, diffable, and CI-integrated

๐Ÿ“ฆ Output Recap

Artifact Description
api-security.yaml Route-based scopes, rate limits, mTLS flags
access-policy-map.yaml Role-based and claim-based mappings
encryption-policy.yaml Field-level PII/secret tagging
service-secrets.yaml Secrets with path, type, TTL
trust-boundary-map.yaml External/internal zones, token validation rules
security-events.json Lifecycle event feed for observability and audit
security-summary.md Optional human-readable changelog and role diagram