diff --git a/container/deploy.k9.ncl b/container/deploy.k9.ncl
index 7a4da8b..30e6ddf 100644
--- a/container/deploy.k9.ncl
+++ b/container/deploy.k9.ncl
@@ -153,7 +153,19 @@ echo "K9: Rollback complete."
 
 # Export the component
 {
-  pedigree = component_pedigree,
+  pedigree = {
+    # k9-validate scans for a literal `pedigree = { … }` field (it cannot
+    # follow the `let component_pedigree` indirection). This visible block
+    # carries the required identity/security fields; `& component_pedigree`
+    # then layers on the full L1–L5 component pedigree.
+    schema_version = "1.0.0",
+    component_type = "deployment",
+    security_level = "hunt",
+    metadata = {
+      name = "{{SERVICE_NAME}}-deploy",
+      version = "{{VERSION}}",
+    },
+  } & component_pedigree,
   deployment = deployment,
   scripts = scripts,
 
diff --git a/coordination.k9 b/coordination.k9
index 9c4804d..a0666b8 100644
--- a/coordination.k9
+++ b/coordination.k9
@@ -10,7 +10,7 @@ pedigree = {
   schema_version = "1.0.0",
   component_type = "session-coordination",
   leash = "Kennel",
-  security_level = "data-only",
+  security_level = "kennel",
 }
 
 session_management:
diff --git a/session/custom-checks.k9 b/session/custom-checks.k9
index b2f7338..6c8420b 100644
--- a/session/custom-checks.k9
+++ b/session/custom-checks.k9
@@ -10,7 +10,7 @@ pedigree = {
   schema_version = "1.0.0",
   component_type = "session-checks",
   leash = "Kennel",
-  security_level = "data-only",
+  security_level = "kennel",
 }
 
 version: "0.1"