save checkpoint

docs/product/README.md

@@ -12,6 +12,7 @@ Product strategy, competitive analysis, and marketing bridge documents.
 | [decision-capsules.md](decision-capsules.md) | Decision Capsules concept (audit-grade evidence bundles) |
 | [evidence-linked-vex.md](evidence-linked-vex.md) | Evidence-linked VEX technical bridge |
 | [hybrid-reachability.md](hybrid-reachability.md) | Hybrid reachability feature positioning |
+| [portable-audit-pack-plan.md](portable-audit-pack-plan.md) | Portable supply-chain audit pack rollout plan |
 | [reachability-benchmark-launch.md](reachability-benchmark-launch.md) | Reachability benchmark launch materials |
 
 ## Audience

docs/product/portable-audit-pack-plan.md

@@ -0,0 +1,60 @@
+# Portable Audit Pack Plan (2026-02-10)
+
+## Objective
+Deliver a portable, signed, offline-verifiable software supply-chain audit pack profile that auditors and air-gapped operators can validate end-to-end without network calls.
+
+## Why now
+- Stella Ops already has strong DSSE/Rekor/offline primitives, but contracts are split across multiple bundle formats.
+- Current implementation has partial deterministic guarantees and inconsistent manifest models.
+- A single contract and rollout plan is needed before scaling evidence export/import across modules.
+
+## Planned outcome
+- One canonical portable pack profile with:
+  - JCS-canonicalized manifest
+  - SBOM + DSSE attestation references
+  - Rekor inclusion/checkpoint anchors with tile material references
+  - deterministic file inventory and content digests
+  - optional analytics index profile (`components.parquet`)
+
+## Scope
+### In scope
+- Contract unification across AuditPack, Attestor EvidencePack, EvidenceLocker exports, and CLI verifier paths.
+- Deterministic generation and offline verification hardening.
+- Golden fixtures and deterministic replay verification matrix.
+
+### Out of scope (initial phase)
+- Mandatory Parquet generation in baseline profile.
+- Runtime policy model changes unrelated to pack generation/verification.
+- External transparency services beyond current supported Rekor-compatible model.
+
+## Delivery phases
+1. Contract freeze
+   - Canonical manifest/schema and compatibility mapping.
+   - Required/optional artifact matrix and fail-closed verification rules.
+2. Generator hardening
+   - Deterministic serialization, archive metadata, ordering, and digest workflows.
+3. Verification parity
+   - Offline signature, digest, and Rekor inclusion verification aligned across services and CLI.
+4. Optional analytics profile
+   - `components.parquet` schema profile, fingerprinting, and operator guidance.
+5. QA and release readiness
+   - Deterministic fixtures, tamper scenarios, and regression coverage.
+
+## Key risks
+- Contract drift between modules.
+- Hidden non-determinism (timestamps, traversal order, serializer differences).
+- Operator confusion from overlapping legacy bundle formats.
+- Optional analytics dependencies introducing rollout friction.
+
+## Mitigations
+- Single schema contract and explicit compatibility tables.
+- Pinned toolchains and fixture-based byte-stability checks.
+- Clear migration/runbook guidance for legacy formats.
+- Optional analytics profile behind explicit enablement.
+
+## Traceability
+- Translation sprint (completed): `docs-archived/implplan/2026-02-10-completed-sprints/SPRINT_20260210_003_DOCS_portable_audit_pack_translation.md`
+- Active implementation sprint: `docs/implplan/SPRINT_20260210_005_EvidenceLocker_portable_audit_pack_implementation.md`
+- Detailed contract: `docs/modules/evidence-locker/portable-audit-pack-contract.md`
+- Advisory archive record: `docs-archived/product/advisories/10-Feb-2026 - Portable software supply chain audit pack.md`
+