Docs | SpectraStrike | Nexus | Nyxera Labs

Sprint 11 Engineering Log

Program Context

Phase: Phase 4
Sprint: Sprint 11
Status: Completed
Primary Architecture Layers: Armory Registry, Supply-Chain Security, Operator Control Plane

Architectural Intent

Implement The Armory as an internal immutable tool registry to support BYOT onboarding without trust-on-first-use.

Implementation Detail

Added internal OCI registry service (armory-registry) in dev/prod compose with immutable semantics (REGISTRY_STORAGE_DELETE_ENABLED=false).
Implemented Python Armory service (pkg.armory.service) with deterministic pipeline:
- artifact digest (sha256) calculation,
- SBOM generation contract,
- vulnerability scan summary contract,
- Cosign/Sigstore-equivalent signing metadata generation.
Implemented file-backed registry persistence (.spectrastrike/armory/registry.json) and approval workflow for authorized digests.
Expanded Web UI Armory controls:
- ingest endpoint now emits digest metadata,
- approve endpoint to authorize specific digests,
- authorized-list endpoint for execution allowlist visibility.
Expanded Admin TUI with Armory command set:
- armory ingest <tool_name> <image_ref>
- armory list
- armory approve <tool_sha256>

Security and Control Posture

Digest-based execution authorization is explicit and deny-by-default.
Registry modifications are append/replace-by-digest and approval-gated.
Armory actions remain bound to authenticated UI/TUI session controls.

QA and Validation Evidence

Added tests/unit/test_armory_service.py for ingest/approve/authorized retrieval behavior.
Extended TUI and client unit coverage for Armory command flow.

Risk Register

Current signer and scanner providers are deterministic local adapters pending external Sigstore/Syft/Grype runtime wiring. Contract boundaries are fixed for drop-in replacement.

Forward Linkage

Sprint 12 consumes authorized Armory digests in the Universal Edge Runner execution path.

Docs | SpectraStrike | Nexus | Nyxera Labs