docs: Archive Sprint 3500 (PoE), Sprint 7100 (Proof Moats), and additional sprints
Archive completed sprint documentation and deliverables: ## SPRINT_3500 - Proof of Exposure (PoE) Implementation (COMPLETE ✅) - Windows filesystem hash sanitization (colon → underscore) - Namespace conflict resolution (Subgraph → PoESubgraph) - Mock test improvements with It.IsAny<>() - Direct orchestrator unit tests - 8/8 PoE tests passing (100% success) - Archived to: docs/implplan/archived/2025-12-23-sprint-3500-poe/ ## SPRINT_7100.0001 - Proof-Driven Moats Core (COMPLETE ✅) - Four-tier backport detection system - 9 production modules (4,044 LOC) - Binary fingerprinting (TLSH + instruction hashing) - VEX integration with proof-carrying verdicts - 42+ unit tests passing (100% success) - Archived to: docs/implplan/archived/2025-12-23-sprint-7100-proof-moats/ ## SPRINT_7100.0002 - Proof Moats Storage Layer (COMPLETE ✅) - PostgreSQL repository implementations - Database migrations (4 evidence tables + audit) - Test data seed scripts (12 evidence records, 3 CVEs) - Integration tests with Testcontainers - <100ms proof generation performance - Archived to: docs/implplan/archived/2025-12-23-sprint-7100-proof-moats/ ## SPRINT_3000_0200 - Authority Admin & Branding (COMPLETE ✅) - Console admin RBAC UI components - Branding editor with tenant isolation - Authority backend endpoints - Archived to: docs/implplan/archived/ ## Additional Documentation - CLI command reference and compliance guides - Module architecture docs (26 modules documented) - Data schemas and contracts - Operations runbooks - Security risk models - Product roadmap All archived sprints achieved 100% completion of planned deliverables. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
master
@@ -2,150 +2,38 @@
|
||||
|
||||
## Core services
|
||||
|
||||
Authority
|
||||
- Purpose: issue OpTok tokens with DPoP or mTLS sender constraints.
|
||||
- Inputs: client credentials, device code, or auth code.
|
||||
- Outputs: JWT access tokens with tenant, audience, and scope claims.
|
||||
- Storage: PostgreSQL for client and tenant data, Valkey for DPoP nonce cache.
|
||||
|
||||
Signer
|
||||
- Purpose: produce DSSE envelopes and enforce Proof of Entitlement (PoE).
|
||||
- Inputs: signing requests from trusted services and PoE proof.
|
||||
- Outputs: DSSE bundles for SBOMs, reports, and exports.
|
||||
- Storage: audit logs only; keys live in KMS or keyless providers.
|
||||
|
||||
Attestor
|
||||
- Purpose: log DSSE bundles to Rekor and provide verification APIs.
|
||||
- Inputs: DSSE bundles from Signer or Scanner.
|
||||
- Outputs: Rekor entries and proofs, verification results.
|
||||
- Storage: PostgreSQL for receipts and indexes.
|
||||
|
||||
Scanner (Web + Worker)
|
||||
- Purpose: deterministic SBOM generation, inventory and usage views, diffs.
|
||||
- Inputs: image digest or SBOM, analyzer manifests, policy snapshots.
|
||||
- Outputs: SBOMs, diffs, reachability graphs, evidence bundles.
|
||||
- Storage: RustFS for artifacts, PostgreSQL for metadata, Valkey for queues.
|
||||
|
||||
Concelier
|
||||
- Purpose: ingest and normalize advisory sources under AOC.
|
||||
- Inputs: vendor and ecosystem advisory feeds.
|
||||
- Outputs: raw advisory facts, linksets, deterministic exports.
|
||||
- Storage: PostgreSQL (vuln schema).
|
||||
|
||||
Excititor
|
||||
- Purpose: ingest VEX statements under AOC and preserve conflicts.
|
||||
- Inputs: OpenVEX, CSAF VEX, CycloneDX VEX.
|
||||
- Outputs: normalized VEX observations and consensus views.
|
||||
- Storage: PostgreSQL (vex schema).
|
||||
|
||||
Policy Engine
|
||||
- Purpose: deterministic policy evaluation with explain traces and unknowns.
|
||||
- Inputs: SBOM inventory, advisory facts, VEX evidence, reachability.
|
||||
- Outputs: verdicts, effective findings, decision traces, derived VEX.
|
||||
- Storage: PostgreSQL (policy schema).
|
||||
|
||||
Scheduler
|
||||
- Purpose: impact selection and analysis-only re-evaluation.
|
||||
- Inputs: advisory and VEX deltas, BOM index metadata.
|
||||
- Outputs: rescan jobs and delta events.
|
||||
- Storage: PostgreSQL (scheduler schema), Valkey for queues.
|
||||
|
||||
Notify
|
||||
- Purpose: route events to channels with rules and templates.
|
||||
- Inputs: scan and scheduler events.
|
||||
- Outputs: deliveries to Slack, Teams, email, webhooks.
|
||||
- Storage: PostgreSQL (notify schema), Valkey for queues.
|
||||
|
||||
Export Center
|
||||
- Purpose: deterministic export bundles and offline mirror layouts.
|
||||
- Inputs: raw facts, policy outputs, SBOMs and evidence bundles.
|
||||
- Outputs: JSON exports, Trivy DB exports, mirror bundles, offline kits.
|
||||
- Storage: RustFS and PostgreSQL.
|
||||
|
||||
CLI
|
||||
- Purpose: automation and verification for scanning, export, and replay.
|
||||
- Inputs: user commands and offline bundles.
|
||||
- Outputs: API calls, local verification reports.
|
||||
|
||||
UI and Console
|
||||
- Purpose: operator console for scans, policy, VEX, and notifications.
|
||||
- Inputs: API responses, SSE streams.
|
||||
- Outputs: operational workflows and audit views.
|
||||
|
||||
Advisory AI
|
||||
- Purpose: evidence-grounded analysis with guardrails.
|
||||
- Inputs: SBOM and evidence bundles.
|
||||
- Outputs: structured findings and guidance artifacts.
|
||||
|
||||
Orchestrator
|
||||
- Purpose: job DAGs and pack runs for automation.
|
||||
- Inputs: job definitions and run requests.
|
||||
- Outputs: run status, job artifacts.
|
||||
- Storage: PostgreSQL (orchestrator schema).
|
||||
|
||||
Registry Token Service
|
||||
- Purpose: issue tokens for internal registry and scoped pulls.
|
||||
- Inputs: client credentials.
|
||||
- Outputs: short-lived registry tokens.
|
||||
|
||||
Graph Explorer
|
||||
- Purpose: graph indexing and exploration for evidence and relationships.
|
||||
- Inputs: graph snapshots and overlays.
|
||||
- Outputs: graph queries and exports.
|
||||
|
||||
VEX Lens
|
||||
- Purpose: reproducible consensus views over VEX statements.
|
||||
- Inputs: normalized VEX observations and trust weights.
|
||||
- Outputs: consensus status and evidence refs.
|
||||
|
||||
Vulnerability Explorer
|
||||
- Purpose: triage workflows and evidence ledger views.
|
||||
- Inputs: effective findings and Decision Capsules.
|
||||
- Outputs: triage actions and audit records.
|
||||
|
||||
Telemetry Stack
|
||||
- Purpose: metrics, logs, traces, and dashboards.
|
||||
- Inputs: service telemetry and audit events.
|
||||
- Outputs: dashboards and alerts.
|
||||
|
||||
DevOps and Release
|
||||
- Purpose: release trains, signing, and distribution workflows.
|
||||
- Inputs: build artifacts and manifests.
|
||||
- Outputs: signed releases and offline kit bundles.
|
||||
|
||||
Platform
|
||||
- Purpose: cross-cutting determinism, offline, and identity rules.
|
||||
|
||||
CI Recipes
|
||||
- Purpose: deterministic CI templates and guardrails.
|
||||
|
||||
Zastava
|
||||
- Purpose: runtime observer and optional admission enforcement.
|
||||
- Inputs: runtime facts and policy verdicts.
|
||||
- Outputs: runtime events and admission decisions.
|
||||
- [Authority](authority.md)
|
||||
- [Signer](signer.md)
|
||||
- [Attestor](attestor.md)
|
||||
- [Scanner](scanner.md)
|
||||
- [Concelier](concelier.md)
|
||||
- [Excititor](excititor.md)
|
||||
- [Policy Engine](policy.md)
|
||||
- [Scheduler](scheduler.md)
|
||||
- [Notify](notify.md)
|
||||
- [Export Center](export-center.md)
|
||||
- [CLI](cli.md)
|
||||
- [UI and Console](ui.md)
|
||||
- [Advisory AI](advisory-ai.md)
|
||||
- [Orchestrator](orchestrator.md)
|
||||
- [Registry Token Service](registry.md)
|
||||
- [Graph Explorer](graph.md)
|
||||
- [VEX Lens](vex-lens.md)
|
||||
- [Vulnerability Explorer](vuln-explorer.md)
|
||||
- [Telemetry Stack](telemetry.md)
|
||||
- [DevOps and Release](devops.md)
|
||||
- [Platform](platform.md)
|
||||
- [CI Recipes](ci.md)
|
||||
- [Zastava](zastava.md)
|
||||
|
||||
## Supporting and adjacent modules
|
||||
|
||||
Issuer Directory
|
||||
- Trust registry for VEX issuers and keys.
|
||||
|
||||
VexHub
|
||||
- Aggregation and distribution of VEX statements for downstream consumers.
|
||||
|
||||
SBOM Service
|
||||
- Deterministic SBOM projections and lineage ledger.
|
||||
|
||||
Signals
|
||||
- Reachability scoring, unknowns registry, and signal APIs.
|
||||
|
||||
TaskRunner
|
||||
- Deterministic task pack execution with approvals and evidence capture.
|
||||
|
||||
BinaryIndex
|
||||
- Binary identity mapping for patch-aware and backport-aware matching.
|
||||
|
||||
Benchmark
|
||||
- Benchmark harness and ground-truth corpus management.
|
||||
|
||||
Gateway and Router (optional)
|
||||
- Edge routing and transport abstraction for deployments that require a shared ingress.
|
||||
- [Issuer Directory](issuer-directory.md)
|
||||
- [VexHub](vexhub.md)
|
||||
- [SBOM Service](sbomservice.md)
|
||||
- [Signals](signals.md)
|
||||
- [TaskRunner](taskrunner.md)
|
||||
- [BinaryIndex](binaryindex.md)
|
||||
- [Benchmark](benchmark.md)
|
||||
- [Gateway](gateway.md)
|
||||
- [Router](router.md)
|
||||
|
||||
Reference in New Issue
Block a user