sprints update

docs/implplan/updates/2025-11-24-airgap-time-contract-1501.md

@@ -0,0 +1,23 @@
+# AirGap Time Contract — AIRGAP-TIME-CONTRACT-1501
+
+Date: 2025-11-24
+Owners: AirGap Time Guild · Mirror Creator Guild
+Scope: Define time-anchor fields and freshness calculation for mirror bundles used by air-gapped imports (Excititor/ExportCenter/CLI).
+
+## Contract
+- **Fields** (mirror manifest root):
+  - `generatedAt`: ISO-8601 UTC timestamp when manifest was produced.
+  - `sourceClock`: optional string describing clock source (e.g., `ntp:chrony`, `hw:tcxo`).
+  - `validForSeconds`: optional TTL; if absent, default freshness budget = 24h.
+- **Staleness computation:** stalenessSeconds = `nowUtc - generatedAt`; import rejects when stalenessSeconds > `validForSeconds` (or 24h default) plus ±5s skew.
+- **Determinism:** timestamps in `generatedAt` rounded to whole milliseconds; no leap-second smoothing; manifests sorted by `path`.
+- **Surface mapping:** Excititor airgap import records store `generatedAt` and computed `stalenessSeconds`; timeline events include staleness for Advisory AI.
+
+## Actions
+- Mirror Creator Guild: include `generatedAt`, `sourceClock`, `validForSeconds` in thin/portable manifests; align with DSSE header from MIRROR-DSSE-REV-1501.
+- ExportCenter: propagate fields into portable bundle notifications.
+- CLI: display staleness budget and remaining seconds on `stella airgap import --describe`.
+
+## Risks/Notes
+- If ExportCenter manifest v1.1 renames fields, keep aliases for older bundles.
+- Offline installs rely on hardware clock accuracy; recommend chrony sync during bundle generation; import side only trusts manifest timestamp.

docs/implplan/updates/2025-11-24-export-mirror-orch-1501.md

@@ -0,0 +1,29 @@
+# Export / Orchestrator Mirror Hook — EXPORT-MIRROR-ORCH-1501
+
+Date: 2025-11-24
+Owners: Exporter Guild · CLI Guild
+Scope: Define orchestration/export hook payload when mirror bundles become ready so CLI/automation can consume without Ops backlog leakage.
+
+## Hook payload
+Event: `mirror.ready`
+Fields (deterministic, lower-case keys):
+- `bundleId` (string)
+- `generation` (string/number-as-string, matches mirrorGeneration)
+- `generatedAt` (ISO-8601 UTC)
+- `manifestDigest` (sha256:… of mirror.json)
+- `dsseDigest` (sha256:… of mirror.dsse payload)
+- `location` (URI or offline path where bundle is staged)
+- `rekorUUID` (optional; present when transparency entry exists)
+
+## Behavior
+- Emitted by ExportCenter/Orchestrator when mirror bundle artifacts land in staging.
+- At-least-once; consumers must de-dup by `(bundleId,generation)`.
+- No external fetches; payload entirely local/offline friendly.
+
+## Actions
+- Exporter Guild: add hook emission to bundle pipeline; include `mirror.dsse.json` header path in payload for CLI verification.
+- CLI Guild: subscribe to `mirror.ready`; surface manifest/dsse digests and location in `stella mirror status`.
+
+## Risks
+- Field names may shift with ExportCenter manifest v1.1; keep aliasing if needed.
+- Rekor optional; CLI should warn when absent but proceed with local verification.

docs/implplan/updates/2025-11-24-mirror-dsse-rev-1501.md

@@ -0,0 +1,25 @@
+# Mirror DSSE Revision — MIRROR-DSSE-REV-1501
+
+Date: 2025-11-24
+Owners: Mirror Creator Guild · Security Guild · Evidence Locker Guild
+Scope: Finalize DSSE layout and signing inputs for mirror bundles and time-anchor receipts used by Excititor/ExportCenter/CLI.
+
+## Decisions
+- **Envelope & payload**: Use DSSE with payload type `application/vnd.stellaops.mirror+json;version=1`. Payload contains deterministic manifest of mirror files (`mirror.json`) plus `SHA256SUMS` and `SHA256SUMS.dsse` references.
+- **Canonical ordering**: Manifest entries sorted lexicographically by `path`; hashes are lower-case hex; timestamps in ISO-8601 UTC; no optional fields when empty.
+- **Signing keys**: Ed25519 signing using key ref `mirror-root-ed25519-01`; key distribution via offline bundle `keys/mirror-root.pub`. Rekor transparency optional; when present, include `rekorUUID` and `rekorUrl` fields.
+- **Headers**: DSSE header carries `issuer`, `keyid`, `created` (UTC), and `purpose=mirror-bundle`. Detached header file stored at `mirror/metadata/mirror.dsse.json` to allow verification without payload extraction.
+- **Verification rules**: Accept signatures that validate against configured keyring and match manifest hash; reject if payload hash mismatch or header `purpose` not `mirror-bundle`.
+
+## Artefacts
+- Sample manifest + DSSE: `out/mirror/thin/mirror-thin-m0-sample.tar.gz` (existing) with new DSSE header example at `docs/samples/mirror/m0-sample/mirror.dsse.json` (hash: TBD by pipeline).
+- Key reference: `docs/samples/mirror/mirror-root-ed25519-01.pub` (fingerprint documented in manifest header).
+
+## Actions
+- Mirror Creator Guild to regenerate milestone bundle with DSSE header once export center schema aligns; publish hashes to `SHA256SUMS.dsse`.
+- Evidence Locker Guild to accept DSSE headers as proof input for portable bundles; update attestation contract to reference `purpose=mirror-bundle`.
+- Security Guild to register `mirror-root-ed25519-01` in key registry and rotate quarterly; add Rekor inclusion proof when online.
+
+## Risks/Notes
+- Rekor optional path remains; offline installs skip transparency but must store DSSE header. If Rekor UUID missing, CLI should warn but continue with local verification.
+- Pending alignment with Export Center manifest v1.1; track deltas in future update if schema changes.