# 10-Feb-2026 - SBOM attestation Postgres hot lookup profile

## Advisory source
- Source: user-provided product advisory text (analysis session, 2026-02-10 UTC).
- Scope: PostgreSQL storage/query shape for SBOM and attestation hot lookups (digest, component, VEX triage), partitioning, and retention.

## Outcome
- Result: partial gaps confirmed.
- Decision: advisory translated into docs + sprint tasks and archived.

## Confirmed gap themes
- Scanner lacks an explicit contract for a partitioned Postgres hot-lookup projection that supports direct SQL lookup by digest/PURL/pending-triage state.
- Existing CAS-first architecture and BOM-index sidecar strategy remain valid, but the Postgres projection boundary and operational lifecycle needed formalization.
- Analytics separation is already present, but scanner OLTP vs analytics responsibility needed clearer contract language.

## Translation artifacts
- Active sprint: `docs/implplan/SPRINT_20260210_001_DOCS_sbom_attestation_hot_lookup_contract.md`
- High-level docs update: `docs/key-features.md`
- Module contract: `docs/modules/scanner/sbom-attestation-hot-lookup-profile.md`

## Notes
- Supersedes/extends:
  - `docs-archived/product/advisories/14-Dec-2025/01-Dec-2025 - PostgreSQL Patterns for Each StellaOps Module.md`
- External web fetches: none.