Presently if no domain is specified it defaults to legacy security "other" with a capability reference - this means once legacy security is removed a mapping to Elytron is ALWAYS required.

At the same time should consider if "security-domain" can start to map to the Elytron domain, can we detect if legacy security has been removed at this early stage?