Skip to content

Commit 4a1fddb

Browse files
authored
Merge pull request #566 from Brad-Edwards/353-inventory-methodology-closeout
docs: reconcile asset inventory methodology closeout
2 parents f29c437 + a288ec3 commit 4a1fddb

5 files changed

Lines changed: 157 additions & 1 deletion

File tree

changelog.d/353.changed.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
Document the ACES asset-inventory issue-template fragment and reconcile the
2+
methodology closeout notes for ACES #353.
Lines changed: 124 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,124 @@
1+
---
2+
name: ACES Asset Inventory
3+
about: Capture participant-discoverable asset evidence and map it to ACES.
4+
title: "[INVENTORY] <scenario>: <asset>"
5+
labels: enhancement
6+
assignees: ""
7+
---
8+
9+
# ACES Asset Inventory Issue Template
10+
11+
Copy this file, or the body below, into a downstream backend repository's
12+
`.github/ISSUE_TEMPLATE/` tree when that repository needs an issue form for
13+
inventorying realized scenario assets against the ACES methodology.
14+
15+
## Methodology Authority
16+
17+
Use the ACES participant-discoverable asset inventory methodology as the
18+
authority:
19+
20+
- Methodology:
21+
`docs/aces/inventory/asset-inventory-methodology.md`
22+
- Assurance report:
23+
`docs/aces/inventory/methodology-assurance-report.md`
24+
- Agent workflow:
25+
`.codex-skills/aces-asset-inventory-capture/SKILL.md` and
26+
`.claude/skills/aces-asset-inventory-capture/SKILL.md`
27+
28+
## Target
29+
30+
- Scenario:
31+
- Asset id:
32+
- Asset kind: image / running container / VM / host / composed service / other
33+
- Backend/runtime:
34+
- Expected source class: custom-build / upstream-image / runtime-composed
35+
- Allowed discovery vantages:
36+
- Destructive reset allowed: yes / no
37+
38+
## Scope
39+
40+
Capture every fact that a participant or in-range agent could discover from
41+
the realized range. Do not filter by relevance, intent, current backend
42+
support, or elegance. Host-side Docker or backend evidence may support
43+
provenance, but it does not shrink the participant-discoverable boundary.
44+
45+
Operator/out-of-scenario secrets are outside the inventory boundary. Exclude
46+
them or record a first-class `capture-limits.txt` entry. Scenario-target
47+
secrets are capture facts when an in-range participant or agent could discover
48+
them.
49+
50+
## Required Bundle
51+
52+
The asset bundle should include:
53+
54+
- `README.md` with scope, target identity, commands, and limits.
55+
- `capture-evidence.sh` or equivalent committed capture commands.
56+
- `mapping-ledger.yaml`.
57+
- `evidence/captured-at-utc.txt`.
58+
- `evidence/capture-limits.txt`.
59+
- `evidence/evidence-sha256sums.txt`.
60+
- Raw evidence for discovery vantage, runtime state, provenance, package/SBOM,
61+
vulnerability, filesystem, relationship, and trust-surface facts.
62+
63+
For Docker/Compose/container-image captures, start from:
64+
65+
- `.codex-skills/aces-asset-inventory-capture/scripts/capture-container-evidence-template.sh`
66+
- `.codex-skills/aces-asset-inventory-capture/scripts/normalize-syft-cyclonedx.jq`
67+
68+
## Capture Checklist
69+
70+
- [ ] Defined all in-range discovery vantages.
71+
- [ ] Captured participant-discoverable network, service, process, package,
72+
filesystem, credential, trust, relationship, data, and configuration
73+
facts.
74+
- [ ] Captured source provenance, immutable image/artifact identifiers, runtime
75+
configuration, and scanner/tool versions.
76+
- [ ] Captured required Trivy CycloneDX SBOM and Trivy vulnerability JSON, or
77+
recorded a first-class limit with ledger reference.
78+
- [ ] Attempted Syft, osquery, and filesystem-manifest capture where
79+
applicable, or recorded first-class limits with ledger references.
80+
- [ ] Kept every evidence-affecting normalization deterministic and committed
81+
as script or jq.
82+
- [ ] Generated `evidence-sha256sums.txt` after evidence capture.
83+
84+
## Mapping And Gap Triage
85+
86+
For every captured fact, record one mapping disposition in
87+
`mapping-ledger.yaml`:
88+
89+
- `encoded`
90+
- `encoded_with_caveat`
91+
- `blocked_by_aces_gap`
92+
- `blocked_by_aptl_gap`
93+
- `needs_gap_triage` only while actively triaging
94+
95+
Before completion:
96+
97+
- [ ] No `needs_gap_triage` mapping remains.
98+
- [ ] Every evidence file is referenced by a fact, provenance entry,
99+
correspondence check, or capture-limit fact.
100+
- [ ] Every `blocked_by_aces_gap` row links an ACES issue.
101+
- [ ] Every `blocked_by_aptl_gap` row links a downstream backend issue.
102+
- [ ] Correspondence checks describe how later encoding work will compare ACES
103+
surfaces against fresh realized evidence.
104+
105+
## Validation
106+
107+
Run the downstream ledger validator before closing:
108+
109+
```shell
110+
aptl aces-inventory schema
111+
aptl aces-inventory validate <asset-dir>
112+
aptl aces-inventory gaps <asset-dir>
113+
```
114+
115+
Also run the backend repository's normal test and documentation checks for any
116+
changed code, docs, templates, or committed evidence.
117+
118+
## Completion Claim
119+
120+
This issue is complete only when every participant-discoverable fact in scope
121+
is captured, mapped to ACES, or blocked by a linked ACES/downstream issue with
122+
an explicit limitation. Evidence bundles, scanner output, screenshots,
123+
summaries, and backend support limits are proof inputs only; they do not
124+
replace ACES specification or explicit gap records.

docs/aces/inventory/asset-inventory-methodology.md

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -55,6 +55,31 @@ the code, environment, parameters, and artifacts needed to assess a
5555
computational claim, without overstating that the result is an independent
5656
scientific replication.
5757

58+
## Requirement Alignment
59+
60+
This methodology is support for the ACES requirements that govern apparatus,
61+
provenance, realized-form disclosure, replay, and realization honesty. It does
62+
not replace those requirements or define final SDL syntax. Its role is to make
63+
the evidence and gap trail explicit enough for those requirement surfaces to
64+
consume:
65+
66+
- `EXP-704` apparatus context: record discovery vantages, tool agents, backend
67+
identity, runtime identities, and capture limits.
68+
- `EXP-712` reproducibility and replay: preserve rerunnable commands,
69+
immutable artifact identifiers, scanner/tool versions, checksums, and known
70+
non-claims.
71+
- `EXP-720` canonical run provenance: separate entities, activities, agents,
72+
and evidence artifacts so later run records can cite the inventory.
73+
- `EXP-722` realized-form disclosure: capture realized runtime state even when
74+
it differs from authored intent or backend defaults.
75+
- `ASR-519` realization honesty: force explicit mappings, caveats, and gap
76+
issues instead of silent approximation or evidence-only claims.
77+
- `DSL-115` and follow-on DSL gap work: route missing SDL expressivity to ACES
78+
issue records with evidence and checked surfaces.
79+
80+
The reusable downstream issue skeleton for applying this method lives in
81+
`docs/aces/inventory/asset-inventory-issue-template.md`.
82+
5883
## Evidence Model
5984

6085
Each asset is described across five layers:

docs/aces/inventory/index.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,9 @@ Use these documents as the ACES authority:
1212
- [Methodology assurance report](methodology-assurance-report.md) records the
1313
DevOps, supply-chain, reproducible-research, and verification/validation
1414
basis for the method.
15+
- [Reference asset-inventory issue template](asset-inventory-issue-template.md)
16+
is the vendorable GitHub issue skeleton downstream backends can copy into
17+
their own `.github/ISSUE_TEMPLATE/` trees.
1518
- [SCN-010 expressivity gap analysis](scn010-expressivity-gap-analysis.md)
1619
is the peer-review-grade analysis of the ACES SDL runtime-surface
1720
expressivity gaps found while holding the 16 remaining APTL TechVault
@@ -32,6 +35,7 @@ methodology owner.
3235
3336
asset-inventory-methodology
3437
methodology-assurance-report
38+
asset-inventory-issue-template
3539
scn010-expressivity-gap-analysis
3640
issue-516-redaction-boundary-preflight
3741
webapp-preflight

docs/aces/inventory/methodology-assurance-report.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -71,7 +71,8 @@ later issues must not silently carry them into final claims:
7171
- The Trivy SBOM and vulnerability outputs are scanner state tied to tool,
7272
database, advisory, and capture time. They are not permanent ground truth.
7373
- The ledger proves mapping accountability, not semantic completeness of ACES.
74-
ACES #354 remains a blocker for typed runtime configuration surfaces.
74+
ACES #354 added the first typed runtime configuration surfaces, but later
75+
captures may still expose additional SDL gaps that need their own issues.
7576
- Correspondence checks are planned. Final encoding issues must implement them
7677
by comparing ACES/source-package content against fresh realized evidence.
7778

0 commit comments

Comments
 (0)