# Overview — 23-gate matrix

* **Owner**: `@nkap360`
* **Baseline**: tag `v1.1.0` on `github.com/NKAP360-dev/edge-app` at SHA `16d7b77`
* **Method**: every gate is **binary** (PASS / FAIL). A gate cannot be partially passed; failing a gate makes its dependents unassessed.

The first 8 gates (00–07) are the **bank-ready baseline**. They map directly to what an external GRC team will ask before letting Edge touch a production banking surface. Gates 08–23 are the **Phase 2 hardening** roadmap that closes the operational and signing-supply-chain gaps.

## Current status

```mermaid
flowchart LR
    G0[Gate 00<br/>Repo hygiene<br/>✅] --> G1
    G1[Gate 01<br/>Secrets<br/>✅] --> G2
    G2[Gate 02<br/>Supply chain<br/>🟡] --> G3
    G3[Gate 03<br/>CI/CD security<br/>🟡] --> G4
    G4[Gate 04<br/>Container security<br/>✅] --> G5
    G5[Gate 05<br/>Observability<br/>🟡] --> G6
    G6[Gate 06<br/>Access control<br/>✅] --> G7
    G7[Gate 07<br/>Incident response<br/>🟡]
```

## Summary at `v1.1.0`

| #  | Gate               | Status  | Owner      | Notes                                                 |
| -- | ------------------ | ------- | ---------- | ----------------------------------------------------- |
| 00 | Repo hygiene       | ✅ PASS  | `@nkap360` | History scrubbed; CODEOWNERS in place                 |
| 01 | Secret management  | ✅ PASS  | `@nkap360` | Trufflehog/Gitleaks blocking; rotation SLA documented |
| 02 | Supply chain       | 🟡 FAIL | `@nkap360` | 30 Dependabot alerts pending triage                   |
| 03 | CI/CD security     | 🟡 FAIL | `@nkap360` | CI green + GitHub Team protection rules pending       |
| 04 | Container security | ✅ PASS  | `@nkap360` | Trivy blocking; SBOM + provenance shipped             |
| 05 | Observability      | 🟡 FAIL | `@nkap360` | `/health` smoke test missing in CI                    |
| 06 | Access control     | ✅ PASS  | `@nkap360` | SSO + CODEOWNERS; Team-plan enforcement pending       |
| 07 | Incident response  | 🟡 FAIL | `@nkap360` | Quarterly drill cadence not yet scheduled             |

**Bank-ready baseline declared**: the foundational gates (00, 01, 04, 06) are PASS, i.e. the repo is **safe to be shown to a banking auditor** as of `v1.1.0`.

**Phase 1 hardening** closes Gates 02, 03, 05, 07 before any banking customer rollout.
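Added example, not code from the Edge project: a small Python evaluator that applies the Method rule stated at the top of the page (gates are binary, and a failed gate leaves its dependents unassessed) to an arbitrary dependency graph. The sample input is constructed from this page: the linear chain 00 → 07 drawn in the flowchart and the raw PASS/FAIL outcomes in the `v1.1.0` summary table. It assumes gate ids are strings and that a gate with no recorded result is also unassessed; applied literally to the chain, a FAIL at gate 02 leaves 03–07 unassessed, so the evaluator also lists the FAIL gates whose closing plan can actually be worked next.

```python
from collections import deque

PASS, FAIL, UNASSESSED = "PASS", "FAIL", "UNASSESSED"


def evaluate_gates(results, dependencies):
    """Derive each gate's effective state from raw binary outcomes.

    results:      {gate: True|False}  raw outcome of that gate's own checks
    dependencies: {gate: [gates it depends on]}
    A gate is PASS/FAIL on its own result only when every dependency is PASS;
    otherwise it is UNASSESSED (its result carries no meaning yet).
    Raises ValueError on a dependency cycle.
    """
    gates = set(results) | set(dependencies)
    for deps in dependencies.values():
        gates.update(deps)

    # Kahn's algorithm: visit gates in dependency order so that every
    # upstream state is known before a downstream gate is evaluated.
    indegree = {g: 0 for g in gates}
    dependents = {g: [] for g in gates}
    for gate, deps in dependencies.items():
        for dep in deps:
            indegree[gate] += 1
            dependents[dep].append(gate)

    ready = deque(sorted(g for g in gates if indegree[g] == 0))
    order = []
    while ready:
        gate = ready.popleft()
        order.append(gate)
        for nxt in sorted(dependents[gate]):
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(gates):
        raise ValueError("dependency cycle among gates")

    state = {}
    for gate in order:
        if any(state[dep] != PASS for dep in dependencies.get(gate, [])):
            state[gate] = UNASSESSED          # blocked by an upstream gate
        elif gate not in results:
            state[gate] = UNASSESSED          # no evidence recorded yet
        else:
            state[gate] = PASS if results[gate] else FAIL
    return state


def blocking_gates(state):
    """Gates currently in FAIL: the only ones whose closing plan can be worked now."""
    return sorted(g for g, s in state.items() if s == FAIL)


# Constructed input: the linear chain from the flowchart (gate N depends on N-1) ...
CHAIN = {f"{i:02d}": [f"{i - 1:02d}"] for i in range(1, 8)}
# ... and the raw outcomes from the v1.1.0 summary table.
V110_RESULTS = {"00": True, "01": True, "02": False, "03": False,
                "04": True, "05": False, "06": True, "07": False}

if __name__ == "__main__":
    state = evaluate_gates(V110_RESULTS, CHAIN)
    for gate in sorted(state):
        print(gate, state[gate])
    print("work next:", blocking_gates(state))
```

The graph is not restricted to a chain: a gate may list several dependencies (for example a Phase 2 gate that needs both signing and branch protection in place), and a cycle is rejected rather than silently evaluated.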

## Phase 2 roadmap (gates 08–23)

| #  | Gate                                     | Focus               | Target    |
| -- | ---------------------------------------- | ------------------- | --------- |
| 08 | Cosign keyless signing                   | Verifiable images   | Q3 2026   |
| 09 | Branch protection enforced at plan level | GitHub Team upgrade | Q3 2026   |
| 10 | `pb_migrations` refactor                 | Remove binary DB    | T+2 weeks |
| 11 | mTLS internal                            | App ↔ MCP ↔ PB      | Q3 2026   |
| 12 | Signed release notes                     | Tag attestation     | Q3 2026   |
| 13 | DORA Art 19 incident reporting wiring    | Compliance          | Q4 2026   |
| 14 | Quarterly DR drill                       | Operations          | Q3 2026   |
| 15 | BCP / failover doc                       | Operations          | Q4 2026   |
| 16 | Pen-test (external)                      | Security            | Q4 2026   |
| 17 | DAST in CI                               | Security            | Q4 2026   |
| 18 | Bias/toxicity guardrails on production   | EU AI Act           | Q4 2026   |
| 19 | Model card publication                   | EU AI Act           | Q4 2026   |
| 20 | Right-of-erasure tooling                 | GDPR Art 17         | Q1 2027   |
| 21 | Data-residency option                    | GDPR + DORA         | Q1 2027   |
| 22 | Third-party risk register                | DORA Art 28         | Q1 2027   |
| 23 | Exit plan documented                     | DORA Art 28         | Q1 2027   |

Each Phase 2 gate becomes its own page in this section as it lands.

## How gates evolve

Each gate has a dedicated page (left nav) with:

* Required items (checklist).
* Current evidence (file paths, commit SHAs, run links).
* Failure mode (why it would block bank rollout).
* Closing plan (action + owner + ETA).

When a gate flips state, the page is updated **in the same PR** that lands the change. The `cutover-history.md` page records the gate transitions over time.

---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```http
GET https://docs.edge.nyami.fr/banking-readiness/overview.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
