# Sprint Series 3600 · Reference Architecture Gap Closure

## Overview

This sprint series addresses gaps identified from the **20-Dec-2025 Reference Architecture Advisory** analysis. These sprints complete the implementation of the Stella Ops reference architecture vision.

## Sprint Index

| Sprint | Title | Priority | Status | Dependencies |
|--------|-------|----------|--------|--------------|
| 3600.0001.0001 | Gateway WebService | HIGH | TODO | Router infrastructure (complete) |
| 3600.0002.0001 | CycloneDX 1.7 Upgrade | HIGH | TODO | None |
| 3600.0003.0001 | SPDX 3.0.1 Generation | MEDIUM | TODO | 3600.0002.0001 |

## Related Sprints (Other Series)

| Sprint | Title | Priority | Status | Series |
|--------|-------|----------|--------|--------|
| 4200.0001.0001 | Proof Chain Verification UI | HIGH | TODO | 4200 (UI) |
| 5200.0001.0001 | Starter Policy Template | HIGH | TODO | 5200 (Docs) |

## Gap Analysis Source

**Advisory**: `docs/product-advisories/archived/2025-12-21-reference-architecture/20-Dec-2025 - Stella Ops Reference Architecture.md`

### Gaps Addressed

| Gap | Sprint | Description |
|-----|--------|-------------|
| Gateway WebService Missing | 3600.0001.0001 | HTTP ingress service not implemented |
| CycloneDX 1.6 → 1.7 | 3600.0002.0001 | Upgrade to latest CycloneDX spec |
| SPDX 3.0.1 Generation | 3600.0003.0001 | Native SPDX SBOM generation |
| Proof Chain UI | 4200.0001.0001 | Evidence transparency dashboard |
| Starter Policy | 5200.0001.0001 | Day-1 policy pack for onboarding |

### Already Implemented (No Action Required)

| Component | Status | Notes |
|-----------|--------|-------|
| Scheduler | Complete | Full implementation with PostgreSQL, Redis |
| Policy Engine | Complete | Signed verdicts, deterministic IR, exceptions |
| Authority | Complete | DPoP/mTLS, OpToks, JWKS rotation |
| Attestor | Complete | DSSE/in-toto, Rekor v2, proof chains |
| Timeline/Notify | Complete | TimelineIndexer + Notify with 4 channels |
| Excititor | Complete | VEX ingestion, CycloneDX, OpenVEX |
| Concelier | Complete | 31+ connectors, Link-Not-Merge |
| Reachability/Signals | Complete | 5-factor scoring, lattice logic |
| OCI Referrers | Complete | ExportCenter + Excititor |
| Tenant Isolation | Complete | RLS, per-tenant keys, namespaces |

## Execution Order

```mermaid
graph LR
    A[3600.0002.0001<br/>CycloneDX 1.7] --> B[3600.0003.0001<br/>SPDX 3.0.1]
    C[3600.0001.0001<br/>Gateway WebService] --> D[Production Ready]
    B --> D
    E[4200.0001.0001<br/>Proof Chain UI] --> D
    F[5200.0001.0001<br/>Starter Policy] --> D
```

## Success Criteria for Series

- [ ] Gateway WebService accepts HTTP and routes to microservices
- [ ] All SBOMs generated in CycloneDX 1.7 format
- [ ] SPDX 3.0.1 available as alternative SBOM format
- [ ] Auditors can view complete evidence chains in UI
- [ ] New customers can deploy starter policy in <5 minutes

## Created

- **Date**: 2025-12-21
- **Source**: Reference Architecture Advisory Gap Analysis
- **Author**: Agent

---

## Sprint Status Summary

| Sprint | Tasks | Completed | Status |
|--------|-------|-----------|--------|
| 3600.0001.0001 | 10 | 0 | TODO |
| 3600.0002.0001 | 10 | 0 | TODO |
| 3600.0003.0001 | 10 | 0 | TODO |
| 4200.0001.0001 | 11 | 0 | TODO |
| 5200.0001.0001 | 10 | 0 | TODO |
| **Total** | **51** | **0** | **TODO** |