# SIGNALS-24-002 · CAS promotion checklist (v1)

Purpose: unblock CAS promotion + signed manifest rollout for callgraph storage so SIGNALS-24-002 can move from BLOCKED to implementation.

## Preconditions
- CAS bucket created for `signals-callgraphs` with write limited to Signals service principals.
- Surface bundle mock hash recorded; real scanner cache ETA published.
- Signed manifest tooling available (sigstore or in-house signer) with add-only policy.

## Steps
1) Freeze manifest schema (fields: `graph_id`, `digest`, `language`, `source`, `created`, `signer`, `signature`).
2) Generate manifests for existing callgraphs; store under `cas://signals/manifests/{graph_id}.json`.
3) Sign each manifest; attach DSSE envelope; store under `cas://signals/manifests/{graph_id}.json.dsse`.
4) Apply bucket policy: read-only for downstream, write for Signals service; deny deletes.
5) Configure GC policy: retain manifests indefinitely; callgraph blobs keep 30d rolling unless referenced.
6) Enable alerts for failed retrievals and missing manifest/DSSE pairs.
7) Record hash list and signer key IDs in release notes.

## Deliverables
- Policy document + proof of applied IAM
- Manifest schema JSON
- Signed manifest samples (see tests)
- Hash list of all published callgraphs (sha256)

## Evidence locations (repo paths)
- Policy & schema: `docs/signals/cas-promotion-24-002.md` (this file)
- Sample manifest + DSSE: `tests/reachability/corpus/manifest.json` (already present) maps to expected structure.

## Owners
- Signals Guild (implementation)
- Platform Storage Guild (policy/approvals)

## Status
- Checklist published 2025-11-19; awaiting Platform Storage approval to proceed.