docs: Archive Sprint 3500 (PoE), Sprint 7100 (Proof Moats), and additional sprints

Archive completed sprint documentation and deliverables: ## SPRINT_3500 - Proof of Exposure (PoE) Implementation (COMPLETE ✅) - Windows filesystem hash sanitization (colon → underscore) - Namespace conflict resolution (Subgraph → PoESubgraph) - Mock test improvements with It.IsAny<>() - Direct orchestrator unit tests - 8/8 PoE tests passing (100% success) - Archived to: docs/implplan/archived/2025-12-23-sprint-3500-poe/ ## SPRINT_7100.0001 - Proof-Driven Moats Core (COMPLETE ✅) - Four-tier backport detection system - 9 production modules (4,044 LOC) - Binary fingerprinting (TLSH + instruction hashing) - VEX integration with proof-carrying verdicts - 42+ unit tests passing (100% success) - Archived to: docs/implplan/archived/2025-12-23-sprint-7100-proof-moats/ ## SPRINT_7100.0002 - Proof Moats Storage Layer (COMPLETE ✅) - PostgreSQL repository implementations - Database migrations (4 evidence tables + audit) - Test data seed scripts (12 evidence records, 3 CVEs) - Integration tests with Testcontainers - <100ms proof generation performance - Archived to: docs/implplan/archived/2025-12-23-sprint-7100-proof-moats/ ## SPRINT_3000_0200 - Authority Admin & Branding (COMPLETE ✅) - Console admin RBAC UI components - Branding editor with tenant isolation - Authority backend endpoints - Archived to: docs/implplan/archived/ ## Additional Documentation - CLI command reference and compliance guides - Module architecture docs (26 modules documented) - Data schemas and contracts - Operations runbooks - Security risk models - Product roadmap All archived sprints achieved 100% completion of planned deliverables. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 15:02:38 +02:00
parent fda92af9bc
commit b444284be5
77 changed files with 7673 additions and 556 deletions
--- a/docs2/security/forensics-and-evidence-locker.md
+++ b/docs2/security/forensics-and-evidence-locker.md
@@ -0,0 +1,33 @@
+# Forensics and evidence locker
+
+The evidence locker is a WORM friendly store for audit and forensic artifacts
+such as bundles, logs, and attestations.
+
+Storage model
+- Object storage with immutable retention and versioning.
+- PostgreSQL index with metadata and retention fields.
+
+Ingest rules
+- Append only, content addressed paths.
+- Require tenant, hash, size, and provenance.
+- Reject partial uploads or missing signatures.
+
+Retention and legal hold
+- Default retention per tenant.
+- Legal hold blocks deletion until cleared by approval.
+- Daily retention job emits audit logs.
+
+Access and verification
+- RBAC scopes for read, write, and legal hold.
+- Verify hashes and DSSE signatures on demand.
+- Background sampling emits failure events.
+
+Minimum bundle layout
+- manifest.json with hashes and provenance
+- data/ payloads
+- signatures/ for DSSE or sigstore bundles
+
+Related references
+- docs/forensics/evidence-locker.md
+- docs/forensics/provenance-attestation.md
+- docs/evidence-locker/evidence-pack-schema.md
--- a/docs2/security/risk-model.md
+++ b/docs2/security/risk-model.md
@@ -0,0 +1,35 @@
+# Risk model and scoring
+
+Risk scoring turns evidence into a normalized score and severity band. The
+model is deterministic and explainable.
+
+Core concepts
+- Signals become evidence after validation.
+- Evidence is normalized into factors.
+- Profiles define weights, thresholds, and overrides.
+- Formulas aggregate factors into scores and severity.
+
+Lifecycle
+1. Job submit with tenant, profile, and findings.
+2. Evidence ingestion from scanners, reachability, and VEX.
+3. Normalization and dedupe by provenance hash.
+4. Profile evaluation with gates and overrides.
+5. Severity assignment and explainability output.
+6. Export to Findings Ledger and Export Center.
+
+Artifacts
+- Profile schema: signals, weights, overrides, provenance.
+- Job and result schema: score, severity, contributions.
+- Explainability payloads for UI and CLI.
+
+Determinism rules
+- Stable ordering for factors and signals.
+- Fixed precision math and UTC timestamps.
+- Hashes and provenance recorded for every input.
+
+Related references
+- docs/risk/overview.md
+- docs/risk/factors.md
+- docs/risk/formulas.md
+- docs/risk/profiles.md
+- docs/risk/api.md