# Sprint 0124 · Excititor Ingestion & Evidence (Phase VI) ## Topic & Scope - Expose streaming, evidence, and attestation APIs with OpenAPI discovery/examples while keeping aggregation-only semantics. - Add mirror bundle import telemetry and crypto provider abstraction for deterministic verification profiles. - **Working directory:** `src/Excititor` (WebService) with AirGap/Policy coordination. ## Dependencies & Concurrency - Depends on Phase V outputs (portable bundles, mirror registration) and Evidence Locker manifests. - Concurrency: OpenAPI discovery/examples and streaming can proceed in parallel; crypto provider registry relies on security contract. ## Documentation Prerequisites - docs/modules/excititor/architecture.md - docs/modules/excititor/implementation_plan.md - docs/modules/excititor/observability/locker-manifest.md - Excititor WebService AGENTS.md ## Delivery Tracker | # | Task ID | Status | Key dependency / next step | Owners | Task Definition | | --- | --- | --- | --- | --- | --- | | 1 | EXCITITOR-WEB-OBS-52-001 | DONE | Depends on OBS-52 schema | Excititor WebService Guild | Provide SSE/WebSocket bridges for VEX timeline events with tenant filters, pagination anchors, guardrails. | | 2 | EXCITITOR-WEB-OBS-53-001 | DONE | Depends on 52-001; locker manifest available | Excititor WebService Guild · Evidence Locker Guild | `/evidence/vex/*` endpoints fetching locker bundles, enforcing scopes, surfacing verification metadata; no verdicts. | | 3 | EXCITITOR-WEB-OBS-54-001 | DONE | Depends on 53-001; DSSE manifests available | Excititor WebService Guild | `/attestations/vex/*` endpoints returning DSSE verification state, builder identity, chain-of-custody links. | | 4 | EXCITITOR-WEB-OAS-61-001 | DONE | None | Excititor WebService Guild | Implement `/.well-known/openapi` with spec metadata + standard error envelope; update controller/unit tests. | | 5 | EXCITITOR-WEB-OAS-62-001 | DONE | Depends on 61-001 | Excititor WebService Guild · API Governance Guild | Publish curated examples + deprecation headers for evidence/attestation/timeline endpoints; align SDK docs. | | 6 | EXCITITOR-WEB-AIRGAP-58-001 | DONE | Depends on mirror thin bundle schema | Excititor WebService Guild · AirGap Importer/Policy Guilds | Emit timeline events + audit logs for mirror bundle imports (bundle ID, scope, actor); map sealed-mode violations to remediation. | | 7 | EXCITITOR-CRYPTO-90-001 | DONE | Security-approved registry contract | Excititor WebService Guild · Security Guild | Replace ad-hoc hashing/signing with `ICryptoProviderRegistry` implementations for deterministic verification across profiles. | ## Execution Log | Date (UTC) | Update | Owner | | --- | --- | --- | | 2025-12-03 | Normalised sprint to standard template; preserved task details/statuses. | Planning | ## Decisions & Risks - Aggregation-only stance preserved across streaming/evidence/attestation endpoints. - Crypto provider registry must remain deterministic; benchmark and feature-flag per profile. - Mirror bundle telemetry relies on thin bundle schema; revisit if schema changes to avoid telemetry mismatch. ## Next Checkpoints - Re-validate `/evidence` and `/attestations` responses after any locker/DSSE manifest updates. - Run OpenAPI discovery/examples regression when new routes land or headers change.