Updated AGENTS.md with implementation planning conventions and stream index. Refactored SPRINT_110_ingestion_evidence.md, SPRINT_125_mirror.md, and SPRINT_300_documentation_process.md to use a topic-oriented template, clarify dependencies, task boards, and checkpoint structure. Archived previous sprint details and added new templates and status snapshot files to docs/implplan.
Sprint 125 · Ingestion & Evidence · Mirror
Topic & Scope
- Build the deterministic mirror bundle assembler covering advisories, VEX, policy packs, and optional OCI artefacts.
- Layer DSSE/TUF metadata, time anchors, and CLI automation so air-gapped sites receive verifiable bundles.
- Wire Export Center and scheduling hooks so mirror creation can be orchestrated automatically.
Dependencies & Concurrency
- Upstream: Sprint 110.D must deliver the assembler foundation (`MIRROR-CRT-56-001`). Attestor v2 contracts from Sprint 100.A remain required.
- Mirror sprints share the 120s decade with Policy & Reasoning work but remain independent; avoid adding dependencies on `SPRINT_125_policy_reasoning.md`.
- Evidence Locker, Export Center, CLI, and AirGap Time guild commitments must be available as soon as assembler code exists.
Documentation Prerequisites
- `docs/modules/export-center/architecture.md`
- `docs/modules/airgap/architecture.md`
- `docs/modules/devops/architecture.md`
- `docs/modules/policy/architecture.md` (for provenance expectations)
Task Board
| Task ID | Status | Owner(s) | Dependencies | Notes |
|---|---|---|---|---|
| MIRROR-CRT-56-001 | TODO | Mirror Creator Guild | Staffing decision | Implement deterministic assembler with manifest + CAS layout. |
| MIRROR-CRT-56-002 | TODO | Mirror Creator · Security Guilds | MIRROR-CRT-56-001; PROV-OBS-53-001 | Integrate DSSE signing + TUF metadata (root, snapshot, timestamp, targets). |
| MIRROR-CRT-57-001 | TODO | Mirror Creator · DevOps Guild | MIRROR-CRT-56-001 | Add optional OCI archive generation with digest recording. |
| MIRROR-CRT-57-002 | TODO | Mirror Creator · AirGap Time Guild | MIRROR-CRT-56-002; AIRGAP-TIME-57-001 | Embed signed time-anchor metadata. |
| MIRROR-CRT-58-001 | TODO | Mirror Creator · CLI Guild | MIRROR-CRT-56-002; CLI-AIRGAP-56-001 | Deliver `stella mirror create |
| MIRROR-CRT-58-002 | TODO | Mirror Creator · Exporter Guild | MIRROR-CRT-56-002; EXPORT-OBS-54-001 | Integrate Export Center scheduling + audit logs. |
| EXPORT-OBS-51-001 / 54-001 | TODO | Exporter Guild | MIRROR-CRT-56-001 staffing | Align Export Center workers with assembler output. |
| AIRGAP-TIME-57-001 | TODO | AirGap Time Guild | MIRROR-CRT-56-001; MIRROR-CRT-57-002 | Provide trusted time-anchor service & policy. |
| CLI-AIRGAP-56-001 | TODO | CLI Guild | MIRROR-CRT-56-002; MIRROR-CRT-58-001 | Extend CLI offline kit tooling to consume mirror bundles. |
| PROV-OBS-53-001 | TODO | Security Guild | MIRROR-CRT-56-001 | Define provenance observers + verification hooks. |
Execution Log
| Date (UTC) | Update | Owner |
|---|---|---|
| 2025-11-13 | Kickoff rescheduled to 15 Nov pending MIRROR-CRT-56-001 staffing; downstream guilds alerted to prepare resource plans. | Mirror Creator Guild |
Decisions & Risks
Decisions
| Decision | Owner(s) | Due | Notes |
|---|---|---|---|
| Assign primary engineer for MIRROR-CRT-56-001 | Mirror Creator Guild · Exporter Guild | 2025-11-15 kickoff | Without an owner the assembler cannot start and all downstream tasks remain blocked. |
| Confirm DSSE/TUF signing profile | Security Guild · Attestor Guild | 2025-11-18 | Needed before MIRROR-CRT-56-002 can merge. |
| Lock time-anchor authority scope | AirGap Time Guild · Mirror Creator Guild | 2025-11-19 | Required for MIRROR-CRT-57-002 policy enforcement. |
Risks
| Risk | Impact | Mitigation |
|---|---|---|
| Staffing gap for MIRROR-CRT-56-001 persists after kickoff | DSSE/TUF, OCI, CLI, Export tracks slip; Sprint 125 jams the Export Center roadmap. | Escalate to program leadership, reassign engineers from Export Center or Excititor queue. |
| DSSE/TUF contract debates with Security guild | Signing + transparency integration slips, blocking CLI/Export release. | Align on profile ahead of development; capture ADR in docs/airgap. |
| Time-anchor requirements undefined | Air-gapped bundles lose verifiable time guarantees. | Run focused session with AirGap Time Guild to lock policy + service interface. |
Next Checkpoints
| Date (UTC) | Session | Goal | Owner(s) |
|---|---|---|---|
| 2025-11-15 | Mirror evidence kickoff | Assign MIRROR-CRT-56-001 owner, outline scope, confirm downstream staffing. | Mirror Creator · Exporter · AirGap Time · Security guilds |
| 2025-11-18 | DSSE/TUF design review | Freeze signing profile + manifest shape. | Mirror Creator · Security Guild |
| 2025-11-19 | Time-anchor policy workshop | Approve requirements for AIRGAP-TIME-57-001. | AirGap Time Guild · Mirror Creator |
Appendix
- Previous detailed notes retained at `docs/implplan/archived/SPRINT_125_mirror_2025-11-13.md`.