Consolidation Decision Ledger
Last updated: 2026-03-04
Owner: Sprint 218 (DOCS: Consolidation Decision Finalization)
Wave: Microservices Consolidation Wave 1 (Feb-Mar 2026)
This document records the final outcome of every consolidation sprint in the first consolidation wave. Each sprint was evaluated for source-level consolidation (moving source directories under a parent module) and schema-level consolidation (merging DbContexts). In all cases where consolidation proceeded, only source consolidation was executed; schema merges were rejected to preserve security boundaries and avoid blast-radius expansion.
Outcome Legend
| Outcome | Meaning |
|---|---|
| Proceed (done) | Source consolidation completed. Code moved under parent module. |
| Boundary-preserved | Evaluated and deliberately kept as separate modules. No consolidation. |
| Deferred | Consolidation approved in principle but deferred to a future wave. |
| Canceled | Consolidation evaluated and rejected. Will not proceed. |
| No-op | Not applicable to the consolidation wave. |
| Completed separately | Work done outside the consolidation wave. |
Complete Outcome Table
| Sprint | ID | Description | Outcome | Sprint File |
|---|---|---|---|---|
| Gateway deletion | 200 | Delete src/Gateway/; Router is canonical | Proceed (done) | SPRINT_20260225_200_Platform_gateway_deletion.md |
| Scanner absorb Cartographer | 201 | Move Cartographer under Scanner | Proceed (done) | SPRINT_20260225_201_Scanner_absorb_cartographer.md |
| BinaryIndex absorb Symbols | 202 | Move Symbols under BinaryIndex | Proceed (done) | SPRINT_20260225_202_BinaryIndex_absorb_symbols.md |
| Concelier absorb Feedser/Excititor | 203 | Move Feedser and Excititor under Concelier | Proceed (done) | SPRINT_20260225_203_Concelier_absorb_feedser_excititor.md |
| Attestor absorb Signer/Provenance | 204 | Move Signer and Provenance under Attestor | Proceed (done) | SPRINT_20260225_204_Attestor_absorb_signer_provenance.md |
| VEX consolidation (VexHub/VexLens) | 205 | Consolidate VexHub and VexLens | Deferred -- future wave | (no sprint file; deferred before sprint creation) |
| Policy/Unknowns boundary | 206 | Evaluate Policy absorbing Unknowns | Boundary-preserved | SPRINT_20260225_206_Policy_absorb_unknowns.md |
| Findings absorb RiskEngine/VulnExplorer | 207 | Move RiskEngine and VulnExplorer under Findings | Proceed (done) | SPRINT_20260225_207_Findings_absorb_riskengine_vulnexplorer.md |
| Orchestrator absorb Scheduler/TaskRunner/PacksRegistry | 208 | Move Scheduler, TaskRunner, PacksRegistry under Orchestrator | Proceed (done) | SPRINT_20260225_208_Orchestrator_absorb_scheduler_taskrunner_packsregistry.md |
| Notify/Notifier boundary | 209 | Evaluate Notify absorbing Notifier | Boundary-preserved | SPRINT_20260225_209_Notify_absorb_notifier.md |
| Timeline absorb TimelineIndexer | 210 | Move TimelineIndexer under Timeline | Proceed (done) | SPRINT_20260225_210_Timeline_absorb_timelineindexer.md |
| ExportCenter/AirGap boundary | 211 | Evaluate ExportCenter absorbing Mirror and AirGap | Boundary-preserved | SPRINT_20260225_211_ExportCenter_absorb_mirror_airgap.md |
| Tools absorb Bench/Verifier/Sdk/DevPortal | 212 | Move Bench, Verifier, Sdk, DevPortal under Tools | Proceed (done) | SPRINT_20260225_212_Tools_absorb_bench_verifier_sdk_devportal.md |
| AdvisoryAI absorb OpsMemory | 213 | Move OpsMemory under AdvisoryAI | Proceed (done) | SPRINT_20260225_213_AdvisoryAI_absorb_opsmemory.md |
| Integrations absorb Extensions | 214 | Move Extensions under Integrations | Proceed (done) | SPRINT_20260225_214_Integrations_absorb_extensions.md |
| SmRemote standalone | 215 | SmRemote standalone evaluation | No-op in consolidation wave | (no sprint file; SmRemote remains standalone) |
| Authority absorb IssuerDirectory | 216 | Move IssuerDirectory under Authority | Proceed (done) | SPRINT_20260225_216_Authority_absorb_issuerdirectory.md |
| Orphan library cleanup | 217 | Archive AdvisoryLens and Resolver | Proceed (done) | SPRINT_20260225_217_Platform_orphan_library_cleanup.md |
| Consolidation docs finalization | 218 | Final documentation sweep | Proceed (done) | SPRINT_20260225_218_DOCS_consolidation_final_update.md |
| EF compiled model generation | 219 | EF compiled model pre-requisite | Completed separately | (completed outside consolidation wave) |
| SbomService absorption | 220 | Evaluate SbomService merge | Canceled -- decision not to merge | (canceled before sprint creation) |
| Orchestrator domain rename | 221 | Rename Orchestrator to JobEngine | Proceed (done) | SPRINT_20260225_221_Orchestrator_domain_rename.md |
Schema Merge Decisions (All Rejected)
Every consolidation sprint evaluated whether DbContexts should be merged in addition to source consolidation. In all cases, schema merges were rejected. The common rationale: merging DbContexts widens the blast radius of credential compromise and couples unrelated write patterns.
| Domain | Decision | Rationale |
|---|---|---|
| Orchestrator + Scheduler | No merge | OrchestratorDbContext (39 entities) and SchedulerDbContext (11 entities) have Jobs/JobHistory name collisions with incompatible semantics. |
| Authority + IssuerDirectory | No merge | AuthorityDbContext manages passwords, MFA, tokens. Merging would expose authentication internals to issuer metadata code paths. |
| Concelier + Excititor + Feedser | No merge | Three DbContexts (49 entities, 5 schemas) have distinct write lifecycles. Schema isolation is a feature. |
| Attestor + Signer | No merge | Security boundary between key material and attestation evidence is deliberate. |
| Policy + Unknowns | No merge | UnknownsDbContext retains independent schema ownership. Boundary preserved. |
| ExportCenter + AirGap | No merge | AirGap has 14+ external consumers vs ExportCenter's 2. Asymmetric coupling makes merge a poor tradeoff. |
| SbomService | Canceled | Decision not to merge SbomService into any other module. |
Post-Consolidation Module Layout
After all consolidation sprints, the canonical module layout is:
| Module | Source Path | Notes |
|---|---|---|
| Authority | src/Authority/ | Now includes IssuerDirectory (Sprint 216) |
| Scanner | src/Scanner/ | Now includes Cartographer (Sprint 201) |
| BinaryIndex | src/BinaryIndex/ | Now includes Symbols (Sprint 202) |
| Concelier | src/Concelier/ | Now includes Feedser and Excititor (Sprint 203) |
| Attestor | src/Attestor/ | Now includes Signer and Provenance (Sprint 204) |
| Findings | src/Findings/ | Now includes RiskEngine and VulnExplorer (Sprint 207) |
| JobEngine | src/JobEngine/ | Now includes Scheduler, TaskRunner, PacksRegistry (Sprint 208); renamed from Orchestrator (Sprint 221) |
| Timeline | src/Timeline/ | Now includes TimelineIndexer (Sprint 210) |
| Tools | src/Tools/ | Now includes Bench, Verifier, Sdk, DevPortal (Sprint 212) |
| AdvisoryAI | src/AdvisoryAI/ | Now includes OpsMemory (Sprint 213) |
| Integrations | src/Integrations/ | Now includes Extensions (Sprint 214) |
Preserved Boundaries (no consolidation)
| Module A | Module B | Sprint | Rationale |
|---|---|---|---|
| Policy | Unknowns | 206 | Distinct domain ownership, separate DbContexts |
| Notify | Notifier | 209 | Library vs. host application boundary |
| ExportCenter | AirGap | 211 | Asymmetric coupling, blast radius |
Deleted / Archived
| Item | Sprint | Action |
|---|---|---|
| src/Gateway/ | 200 | Deleted (Router is canonical) |
| AdvisoryLens library | 217 | Archived |
| Resolver library | 217 | Archived |
Deferred / Canceled
| Item | Sprint | Status |
|---|---|---|
| VexHub/VexLens consolidation | 205 | Deferred to future wave |
| SbomService absorption | 220 | Canceled |
| SmRemote | 215 | No-op (remains standalone) |