600f3a7a3c
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Console CI / console-ci (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
- Added graph.inspect.v1 documentation outlining payload structure and determinism rules. - Created JSON schema for graph.inspect.v1 to enforce payload validation. - Defined mapping rules for graph relationships, advisories, and VEX statements. feat(notifications): establish remediation blueprint for gaps NR1-NR10 - Documented requirements, evidence, and tests for Notifier runtime. - Specified deliverables and next steps for addressing identified gaps. docs(notifications): organize operations and schemas documentation - Created README files for operations, schemas, and security notes to clarify deliverables and policies. feat(advisory): implement PostgreSQL caching for Link-Not-Merge linksets - Created database schema for advisory linkset cache. - Developed repository for managing advisory linkset cache operations. - Added tests to ensure correct functionality of the AdvisoryLinksetCacheRepository.
13 KiB
13 KiB
Sprint 0161_0001_0001 · EvidenceLocker
Topic & Scope
- Advance 160.A EvidenceLocker stream: finalize bundle packaging, replay ingest/retention, CLI/ops readiness, and sovereign crypto routing.
- Produce ready-to-execute task definitions that unblock downstream ExportCenter/TimelineIndexer once upstream schemas land.
- Working directory:
docs/implplan(coordination for EvidenceLocker; code lives insrc/EvidenceLocker& CLI modules tracked elsewhere).
Dependencies & Concurrency
- Upstream: AdvisoryAI evidence bundle schema + payload notes (Sprint 110.A); Orchestrator/Notifications capsule schemas (Sprint 150.A / 140); Replay Ledger rules in
docs/replay/DETERMINISTIC_REPLAY.md; crypto auditdocs/security/crypto-routing-audit-2025-11-07.md. - Concurrency: runs alongside Sprint 160 coordination; blocks ExportCenter (Sprint 162/163) and TimelineIndexer (Sprint 165) until manifests/envelopes freeze.
- Ready signals required before DOING: (1) AdvisoryAI schema freeze, (2) Orchestrator envelopes freeze, (3) crypto registry plan approved at 2025-11-18 review.
Documentation Prerequisites
docs/modules/evidence-locker/architecture.mddocs/modules/evidence-locker/bundle-packaging.mddocs/modules/evidence-locker/incident-mode.mddocs/replay/DETERMINISTIC_REPLAY.mddocs/runbooks/replay_ops.mddocs/security/crypto-routing-audit-2025-11-07.mddocs/events/orchestrator-scanner-events.mddocs/modules/cli/architecture.md
Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|---|---|---|---|---|---|
| P0 | PREP-EVID-ATTEST-73-SCOPE-NOTE | DONE (2025-11-19) | Due 2025-11-20 · Accountable: Evidence Locker Guild · Concelier Guild · Excititor Guild | Evidence Locker Guild · Concelier Guild · Excititor Guild | Published attestation scope/sign-off note at docs/modules/evidence-locker/attestation-scope-note.md with required claims and sample builder payload; to be linked in Evidence Bundle v1 change log. |
| P1 | PREP-EVID-REPLAY-187-001-AWAIT-REPLAY-LEDGER | DONE (2025-11-20) | Prep doc at docs/modules/evidence-locker/replay-payload-contract.md; awaiting ledger retention freeze for implementation. |
Evidence Locker Guild · Replay Delivery Guild | Await replay ledger retention shape; schemas available. Document artefact/deliverable for EVID-REPLAY-187-001 and publish location so downstream tasks can proceed. |
| P2 | PREP-CLI-REPLAY-187-002-WAITING-ON-EVIDENCELO | DONE (2025-11-20) | Prep doc at docs/modules/cli/guides/replay-cli-prep.md; tracks CLI surface pending schema freeze. |
CLI Guild | Waiting on EvidenceLocker APIs after bundle packaging finalization. Document artefact/deliverable for CLI-REPLAY-187-002 and publish location so downstream tasks can proceed. |
| P3 | PREP-RUNBOOK-REPLAY-187-004-DEPENDS-ON-RETENT | DONE (2025-11-20) | Prep doc at docs/runbooks/replay_ops_prep_187_004.md; merge into runbook once APIs freeze. |
Docs Guild · Ops Guild | Depends on retention APIs + CLI behavior. Document artefact/deliverable for RUNBOOK-REPLAY-187-004 and publish location so downstream tasks can proceed. |
| P4 | PREP-EVIDENCE-LOCKER-GUILD-BLOCKED-SCHEMAS-NO | DONE (2025-11-20) | Prep note at docs/modules/evidence-locker/prep/2025-11-20-schema-readiness-blockers.md; awaiting AdvisoryAI/Orch envelopes. |
Planning | BLOCKED (schemas not yet delivered). Document artefact/deliverable for Evidence Locker Guild and publish location so downstream tasks can proceed. |
| P5 | PREP-EVIDENCE-LOCKER-GUILD-REPLAY-DELIVERY-GU | DONE (2025-11-20) | Prep note at docs/modules/evidence-locker/prep/2025-11-20-replay-delivery-sync.md; waiting on ledger retention defaults. |
Planning | BLOCKED (awaiting schema signals). Document artefact/deliverable for Evidence Locker Guild · Replay Delivery Guild and publish location so downstream tasks can proceed. |
| 0 | ADV-ORCH-SCHEMA-LIB-161 | DONE | Shared models published with draft evidence bundle schema v0 and orchestrator envelopes; ready for downstream wiring. | AdvisoryAI Guild · Orchestrator/Notifications Guild · Platform Guild | Publish versioned package + fixtures to /src/__Libraries (or shared NuGet) so downstream components can consume frozen schema. |
| 1 | EVID-OBS-54-002 | BLOCKED | AdvisoryAI evidence bundle schema + orchestrator/notifications capsule schema still pending; cannot finalize DSSE fields. | Evidence Locker Guild | Finalize deterministic bundle packaging + DSSE layout per docs/modules/evidence-locker/bundle-packaging.md, including portable/incident modes. |
| 2 | EVID-REPLAY-187-001 | BLOCKED | PREP-EVID-REPLAY-187-001-AWAIT-REPLAY-LEDGER | Evidence Locker Guild · Replay Delivery Guild | Implement replay bundle ingestion + retention APIs; update storage policy per docs/replay/DETERMINISTIC_REPLAY.md. |
| 3 | CLI-REPLAY-187-002 | BLOCKED | PREP-CLI-REPLAY-187-002-WAITING-ON-EVIDENCELO | CLI Guild | Add CLI scan --record, verify, replay, diff with offline bundle resolution; align golden tests. |
| 4 | RUNBOOK-REPLAY-187-004 | BLOCKED | PREP-RUNBOOK-REPLAY-187-004-DEPENDS-ON-RETENT | Docs Guild · Ops Guild | Publish /docs/runbooks/replay_ops.md coverage for retention enforcement, RootPack rotation, verification drills. |
| 5 | CRYPTO-REGISTRY-DECISION-161 | DONE | Decision recorded in docs/security/crypto-registry-decision-2025-11-18.md; publish contract defaults. |
Security Guild · Evidence Locker Guild | Capture decision from 2025-11-18 review; emit changelog + reference implementation for downstream parity. |
| 6 | EVID-CRYPTO-90-001 | DONE | Implemented; MerkleTreeCalculator now uses ICryptoProviderRegistry for sovereign crypto routing. |
Evidence Locker Guild · Security Guild | Route hashing/signing/bundle encryption through ICryptoProviderRegistry/ICryptoHash for sovereign crypto providers. |
| 7 | EVID-GAPS-161-007 | DOING (2025-12-04) | See EB1–EB10 plan docs/modules/evidence-locker/eb-gaps-161-007-plan.md; schemas + offline guide drafted. |
Product Mgmt · Evidence Locker Guild · CLI Guild | Address EB1–EB10 from docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Evidence Bundle and Replay Contracts.md: publish bundle.manifest.schema.json + checksums.schema.json (canonical JSON), hash/Merkle recipe doc, mandatory DSSE predicate/log policy, replay provenance block, chunking/CAS rules, incident-mode signed activation/exit, tenant isolation + redaction manifest, offline verifier script (docs/modules/evidence-locker/verify-offline.md), golden bundles/replay fixtures under tests/EvidenceLocker/Bundles/Golden, and SemVer/change-log updates. |
Action Tracker
| Action | Owner(s) | Due | Status |
|---|---|---|---|
| Capture AdvisoryAI + orchestrator schema deltas into this sprint and attach sample payloads. | Evidence Locker Guild | 2025-11-15 | DONE (2025-11-20) — see docs/modules/evidence-locker/prep/2025-11-20-schema-readiness-blockers.md |
| Draft Replay Ledger API + CLI notes to unblock EVID-REPLAY-187-001/002. | Evidence Locker Guild · Replay Delivery Guild | 2025-11-16 | DONE (2025-11-20) — see docs/modules/evidence-locker/prep/2025-11-20-replay-delivery-sync.md |
Validate ICryptoProviderRegistry plan at readiness review. |
Evidence Locker Guild · Security Guild | 2025-11-18 | Pending |
Interlocks & Readiness Signals
| Dependency | Impacts | Status / Next signal |
|---|---|---|
| AdvisoryAI evidence bundle schema & payload notes (Sprint 110.A) | EVID-OBS-54-002, EVID-REPLAY-187-001/002 | Pending; expected at 2025-11-14 stand-up. Required before DOING. |
Orchestrator + Notifications capsule schema (docs/events/orchestrator-scanner-events.md) |
All tasks | Pending; expected 2025-11-15 handoff. Required before DOING. |
| Sovereign crypto readiness review | EVID-CRYPTO-90-001 | Scheduled 2025-11-18; blocks sovereign routing. |
Replay Ledger spec alignment (docs/replay/DETERMINISTIC_REPLAY.md) |
EVID-REPLAY-187-001/002, RUNBOOK-REPLAY-187-004 | Sections 2,8,9 must be reflected once schemas land. |
Decisions & Risks
| Item | Status / Decision | Notes |
|---|---|---|
| Schema readiness | BLOCKED | Waiting on AdvisoryAI + orchestrator envelopes; no DOING until frozen. |
| Crypto routing approval | DONE | Defaults recorded in docs/security/crypto-registry-decision-2025-11-18.md; implement in EvidenceLocker/CLI. |
| Template & filename normalization | DONE (2025-11-17) | Renamed to SPRINT_0161_0001_0001_evidencelocker.md; structure aligned to sprint template. |
| EB1–EB10 policy freeze | OPEN | Gap plan at docs/modules/evidence-locker/eb-gaps-161-007-plan.md; DSSE predicate/log policy, redaction map, and chunking rules still need sign-off. |
Risk table
| Risk | Severity | Mitigation / Owner |
|---|---|---|
| AdvisoryAI schema slips past 2025-11-14, delaying DSSE manifest freeze. | High | AdvisoryAI Guild to provide interim sample payloads; EvidenceLocker to stub adapters. |
| Orchestrator/Notifications schema handoff misses 2025-11-15. | High | Escalate to Wave 150/140; keep tasks BLOCKED and schedule daily stand-ups until envelopes land. |
| Sovereign crypto routing design not ready by 2025-11-18. | Medium | Security to publish reference implementation; EvidenceLocker to nominate fallback providers. |
| Replay Ledger alignment drifts from CLI behavior. | Medium | Sync docs/runbooks with CLI/EvidenceLocker changes once schemas land; add deterministic test cases. |
Execution Log
| Date (UTC) | Update | Owner |
|---|---|---|
| 2025-11-19 | Cleaned PREP-EVID-REPLAY-187-001-AWAIT-REPLAY-LEDGER Task ID (removed trailing hyphen) so dependency lookup works. | Project Mgmt |
| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
| 2025-11-19 | Completed PREP-EVID-ATTEST-73-SCOPE-NOTE: published scope note + builder inputs at docs/modules/evidence-locker/attestation-scope-note.md to unblock Concelier/Excititor attestation tracks. |
Project Mgmt |
| 2025-11-19 | EVID-OBS-54-002 marked BLOCKED: awaiting frozen AdvisoryAI evidence bundle schema and orchestrator/notifications capsule schema to finalize DSSE fields. | Implementer |
| 2025-11-12 | Snapshot captured (pre-template) with tasks TODO. | Planning |
| 2025-11-17 | Normalized sprint to standard template, renamed file, and set all tasks BLOCKED pending schemas/crypto review. | Implementer |
| 2025-11-18 | Added ADV-ORCH-SCHEMA-LIB-161 and CRYPTO-REGISTRY-DECISION-161 tasks; marked downstream items blocked on them. | Project PM |
| 2025-11-18 | Set ADV-ORCH-SCHEMA-LIB-161 and CRYPTO-REGISTRY-DECISION-161 to DOING; drafting shared models package and crypto decision record. | Implementer |
| 2025-11-18 | Shared models updated with draft evidence bundle schema v0; ADV-ORCH-SCHEMA-LIB-161 set to DONE and downstream tasks unblocked. | Implementer |
| 2025-11-18 | Recorded crypto registry decision in docs/security/crypto-registry-decision-2025-11-18.md; moved CRYPTO-REGISTRY-DECISION-161 to DONE and unblocked EVID-CRYPTO-90-001. |
Implementer |
| 2025-11-18 | Started EVID-OBS-54-002 DOING using shared schema draft. | Implementer |
| 2025-11-18 | Started EVID-OBS-54-002 with shared schema; replay/CLI remain pending ledger shape. | Implementer |
| 2025-11-20 | Completed PREP-EVID-REPLAY-187-001, PREP-CLI-REPLAY-187-002, and PREP-RUNBOOK-REPLAY-187-004; published prep docs at docs/modules/evidence-locker/replay-payload-contract.md, docs/modules/cli/guides/replay-cli-prep.md, and docs/runbooks/replay_ops_prep_187_004.md. |
Implementer |
| 2025-11-20 | Added schema readiness and replay delivery prep notes for Evidence Locker Guild; see docs/modules/evidence-locker/prep/2025-11-20-schema-readiness-blockers.md and .../2025-11-20-replay-delivery-sync.md. Marked PREP-EVIDENCE-LOCKER-GUILD-BLOCKED-SCHEMAS-NO and PREP-EVIDENCE-LOCKER-GUILD-REPLAY-DELIVERY-GU DONE. |
Implementer |
| 2025-11-27 | Completed EVID-CRYPTO-90-001: Extended ICryptoProviderRegistry with ContentHashing capability and ResolveHasher method; created ICryptoHasher interface with DefaultCryptoHasher implementation; wired MerkleTreeCalculator to use crypto registry for sovereign crypto routing; added EvidenceCryptoOptions for algorithm/provider configuration. |
Implementer |
| 2025-12-01 | Added EVID-GAPS-161-007 to capture EB1–EB10 remediation from docs/product-advisories/archived/27-Nov-2025-superseded/28-Nov-2025 - Evidence Bundle and Replay Contracts.md. |
Product Mgmt |
| 2025-12-02 | Scoped EVID-GAPS-161-007 deliverables: schemas + DSSE, Merkle recipe, replay provenance, chunk/CAS rules, incident governance, tenant redaction, offline verifier doc, golden fixtures path, and SemVer/change-log updates. | Project Mgmt |
| 2025-12-04 | Moved EVID-GAPS-161-007 to DOING; drafted EB1/EB2 schemas, offline verifier guide, gap plan, and golden fixtures path. | Project Mgmt |
| 2025-12-04 | Updated attestation, replay, incident-mode docs with DSSE subject=Merkle root, log policy, replay provenance block, and signed incident toggles; added CAS/Merkle rules to bundle packaging. | Implementer |