|
| 1 | +--- |
| 2 | +name: ACES Asset Inventory |
| 3 | +about: Capture participant-discoverable asset evidence and map it to ACES. |
| 4 | +title: "[INVENTORY] <scenario>: <asset>" |
| 5 | +labels: enhancement |
| 6 | +assignees: "" |
| 7 | +--- |
| 8 | + |
| 9 | +# ACES Asset Inventory Issue Template |
| 10 | + |
| 11 | +Copy this file, or the body below, into a downstream backend repository's |
| 12 | +`.github/ISSUE_TEMPLATE/` tree when that repository needs an issue form for |
| 13 | +inventorying realized scenario assets against the ACES methodology. |
| 14 | + |
| 15 | +## Methodology Authority |
| 16 | + |
| 17 | +Use the ACES participant-discoverable asset inventory methodology as the |
| 18 | +authority: |
| 19 | + |
| 20 | +- Methodology: |
| 21 | + `docs/aces/inventory/asset-inventory-methodology.md` |
| 22 | +- Assurance report: |
| 23 | + `docs/aces/inventory/methodology-assurance-report.md` |
| 24 | +- Agent workflow: |
| 25 | + `.codex-skills/aces-asset-inventory-capture/SKILL.md` and |
| 26 | + `.claude/skills/aces-asset-inventory-capture/SKILL.md` |
| 27 | + |
| 28 | +## Target |
| 29 | + |
| 30 | +- Scenario: |
| 31 | +- Asset id: |
| 32 | +- Asset kind: image / running container / VM / host / composed service / other |
| 33 | +- Backend/runtime: |
| 34 | +- Expected source class: custom-build / upstream-image / runtime-composed |
| 35 | +- Allowed discovery vantages: |
| 36 | +- Destructive reset allowed: yes / no |
| 37 | + |
| 38 | +## Scope |
| 39 | + |
| 40 | +Capture every fact that a participant or in-range agent could discover from |
| 41 | +the realized range. Do not filter by relevance, intent, current backend |
| 42 | +support, or elegance. Host-side Docker or backend evidence may support |
| 43 | +provenance, but it does not shrink the participant-discoverable boundary. |
| 44 | + |
| 45 | +Operator/out-of-scenario secrets are outside the inventory boundary. Exclude |
| 46 | +them or record a first-class `capture-limits.txt` entry. Scenario-target |
| 47 | +secrets are capture facts when an in-range participant or agent could discover |
| 48 | +them. |
| 49 | + |
| 50 | +## Required Bundle |
| 51 | + |
| 52 | +The asset bundle should include: |
| 53 | + |
| 54 | +- `README.md` with scope, target identity, commands, and limits. |
| 55 | +- `capture-evidence.sh` or equivalent committed capture commands. |
| 56 | +- `mapping-ledger.yaml`. |
| 57 | +- `evidence/captured-at-utc.txt`. |
| 58 | +- `evidence/capture-limits.txt`. |
| 59 | +- `evidence/evidence-sha256sums.txt`. |
| 60 | +- Raw evidence for discovery vantage, runtime state, provenance, package/SBOM, |
| 61 | + vulnerability, filesystem, relationship, and trust-surface facts. |
| 62 | + |
| 63 | +For Docker/Compose/container-image captures, start from: |
| 64 | + |
| 65 | +- `.codex-skills/aces-asset-inventory-capture/scripts/capture-container-evidence-template.sh` |
| 66 | +- `.codex-skills/aces-asset-inventory-capture/scripts/normalize-syft-cyclonedx.jq` |
| 67 | + |
| 68 | +## Capture Checklist |
| 69 | + |
| 70 | +- [ ] Defined all in-range discovery vantages. |
| 71 | +- [ ] Captured participant-discoverable network, service, process, package, |
| 72 | + filesystem, credential, trust, relationship, data, and configuration |
| 73 | + facts. |
| 74 | +- [ ] Captured source provenance, immutable image/artifact identifiers, runtime |
| 75 | + configuration, and scanner/tool versions. |
| 76 | +- [ ] Captured required Trivy CycloneDX SBOM and Trivy vulnerability JSON, or |
| 77 | + recorded a first-class limit with ledger reference. |
| 78 | +- [ ] Attempted Syft, osquery, and filesystem-manifest capture where |
| 79 | + applicable, or recorded first-class limits with ledger references. |
| 80 | +- [ ] Kept every evidence-affecting normalization deterministic and committed |
| 81 | + as script or jq. |
| 82 | +- [ ] Generated `evidence-sha256sums.txt` after evidence capture. |
| 83 | + |
| 84 | +## Mapping And Gap Triage |
| 85 | + |
| 86 | +For every captured fact, record one mapping disposition in |
| 87 | +`mapping-ledger.yaml`: |
| 88 | + |
| 89 | +- `encoded` |
| 90 | +- `encoded_with_caveat` |
| 91 | +- `blocked_by_aces_gap` |
| 92 | +- `blocked_by_aptl_gap` |
| 93 | +- `needs_gap_triage` only while actively triaging |
| 94 | + |
| 95 | +Before completion: |
| 96 | + |
| 97 | +- [ ] No `needs_gap_triage` mapping remains. |
| 98 | +- [ ] Every evidence file is referenced by a fact, provenance entry, |
| 99 | + correspondence check, or capture-limit fact. |
| 100 | +- [ ] Every `blocked_by_aces_gap` row links an ACES issue. |
| 101 | +- [ ] Every `blocked_by_aptl_gap` row links a downstream backend issue. |
| 102 | +- [ ] Correspondence checks describe how later encoding work will compare ACES |
| 103 | + surfaces against fresh realized evidence. |
| 104 | + |
| 105 | +## Validation |
| 106 | + |
| 107 | +Run the downstream ledger validator before closing: |
| 108 | + |
| 109 | +```shell |
| 110 | +aptl aces-inventory schema |
| 111 | +aptl aces-inventory validate <asset-dir> |
| 112 | +aptl aces-inventory gaps <asset-dir> |
| 113 | +``` |
| 114 | + |
| 115 | +Also run the backend repository's normal test and documentation checks for any |
| 116 | +changed code, docs, templates, or committed evidence. |
| 117 | + |
| 118 | +## Completion Claim |
| 119 | + |
| 120 | +This issue is complete only when every participant-discoverable fact in scope |
| 121 | +is captured, mapped to ACES, or blocked by a linked ACES/downstream issue with |
| 122 | +an explicit limitation. Evidence bundles, scanner output, screenshots, |
| 123 | +summaries, and backend support limits are proof inputs only; they do not |
| 124 | +replace ACES specification or explicit gap records. |
0 commit comments