UIAO Substrate Status

At-a-glance view of the substrate manifest, workspace contract, active adapters, and CI enforcement stack.

UIAO Substrate Status

Snapshot of the substrate’s current state, derived from the canonical artifacts listed in the provenance block above. This page is regenerable: running make walk produces the same facts in machine form; this page renders them for humans.

Topology

Post-consolidation (April 2026, ADR-028 / ADR-032), the original three-module topology (core/, docs/, impl/) collapsed into a single Python package at src/uiao/ plus the documentation site at docs/. The substrate manifest (src/uiao/canon/substrate-manifest.yaml, UIAO_200) still carries the pre-consolidation module list for historical provenance; new code lands under src/uiao/.

Module	Role	Canon consumer	Purpose
`src/uiao/`	authority + implementation	—	Schemas, canon documents, control library, Python CLI, generators, adapters, substrate walker
`docs/`	consumer	yes	Articles, guides, narrative, rendered Quarto site

Workspace root: $UIAO_WORKSPACE_ROOT (never hardcoded — see AGENTS.md for the canon-consumer convention).

Adapter registry

Source: src/uiao/canon/modernization-registry.yaml + src/uiao/canon/adapter-registry.yaml.

Modernization adapters (change-making)

Adapter	Status	Phase	Mission class	FedRAMP	Vendor
`entra-id`	active	phase-1	integration	—	Microsoft
`m365`	active	phase-1	integration	—	Microsoft
`service-now`	active	phase-1	integration	—	ServiceNow
`palo-alto`	active	phase-1	integration	—	Palo Alto Networks
`scuba`	active	phase-1	integration	—	CISA
`terraform`	active	phase-1	integration	—	HashiCorp / OpenTofu
`cyberark`	active	phase-1	integration	—	CyberArk
`infoblox`	active	phase-1	integration	Moderate, CDM-integrated	Infoblox
`bluecat-address-manager`	active	phase-1	integration	—	BlueCat
`mainframe`	reserved	phase-planning	integration	—	IBM

9 of 10 active. Only mainframe remains reserved — blocks on z/OS Connect / MQ bridge infrastructure (see its notes: field).

Conformance adapters (read-only)

See src/uiao/canon/adapter-registry.yaml for the complete list. Notable: scubagear (CISA SCuBA assessor).

Test-tier status

Per UIAO_131 Adapter Test Strategy, every adapter is tested across three tiers: live commercial tenant (tier 1), contract fixtures (tier 2), reference deployment against a partner agency’s GCC-Moderate tenant (tier 3). UIAO lives outside the federal boundary — this table is the honest map of what’s been exercised.

Adapter	Registry status	Tier 1 (live)	Tier 2 (contract)	Tier 3 (reference)	Gate achievable
`entra-id`	active	⏳ pending (live tenant)	✅ scheduler-wired	🚫 none	dispatches through UIAO_100 scheduler; live tenant via M365 Developer Program pending
`m365`	active	⏳ pending	⏳ pending	🚫 none	fixture setup required for `beta`
`service-now`	active	⏳ pending	⏳ pending	🚫 none	vendor developer program sign-up pending
`palo-alto`	active	⏳ pending	⏳ pending	🚫 none	vendor sandbox pending
`scuba`	active	⏳ pending	⏳ pending	🚫 none	ScubaGear fixture + live run
`terraform`	active	✅ 55 tests	✅ fixture + scheduler-wired	🚫 none	first real adapter wired into UIAO_100 scheduler (§1.5)
`cyberark`	active	⏳ pending	⏳ pending	🚫 none	vendor developer program pending
`infoblox`	active	🟥 blocked	⏳ pending	🚫 none	No public developer sandbox — exclusion per UIAO_131 §5.1
`bluecat-address-manager`	active	🟥 excluded	⏳ pending	🚫 none	Vendor-contact-only access — exclusion per UIAO_131 §5.1
`mainframe`	reserved	N/A	N/A	N/A	No impl; no target

Legend: ✅ green · ⏳ pending (author work required) · 🟥 blocked/excluded · 🚫 requires partner agency · N/A not applicable

Reality at writing: zero adapters have completed tier-1 or tier-2 evidence. All currently-active adapter registry entries sit above the UIAO_131 conformance gate threshold. That’s drift — flagged below.

Canon invariants

Every registered modernization adapter satisfies the four canon invariants, schema-enforced:

gcc-boundary: gcc-moderate (Amazon Connect exception noted per-adapter)
ssot-mutation: never
certificate-anchored: true
object-identity-only: true

Document registry

Source: src/uiao/canon/document-registry.yaml.

Reserved ranges:

Range	Purpose	Examples
`UIAO_001`	Single Source of Truth	`UIAO-SSOT.md`
`UIAO_002–099`	Top-level canon documents	UIAO_002 SCuBA Spec, UIAO_003 Adapter Segmentation Overview, UIAO_004 Executive Orders
`UIAO_100–199`	Subsystem specifications	UIAO_100 Compliance Orchestrator, UIAO_110 Drift Engine Spec, UIAO_121–124 Adapter-framework specs
`UIAO_200–299`	Operational / runtime artifacts	UIAO_200 Substrate Manifest, UIAO_201 Workspace Contract
`UIAO_900–999`	Test fixtures	—

31 documents registered (32 with UIAO_131). Of those, the implementation-reality map:

UIAO_NNN	Doc	Spec	Impl	Deployed	Real today?
UIAO_001	SSOT	✅	n/a (doctrine)	referenced across substrate	✅
UIAO_002	SCuBA Spec	✅	impl/ CLI exists	partial (no live run)	🟡 partial
UIAO_003	Adapter Segmentation	✅	registry enforces	10 registered adapters	✅
UIAO_004	Executive Orders	✅	n/a (doctrine)	—	✅ declared
UIAO_100	Compliance Orchestrator	✅	scheduler shipped	`uiao orchestrator schedule`; 14 unit + 1 e2e test	🟡 partial
UIAO_101	Platform Overview	✅	partial	—	⚠️ aspirational
UIAO_102	Platform Services Layer	✅	partial	—	⚠️ aspirational
UIAO_103	Spec-Test Enforcement	✅	enforcement mechanism shipped	RFC 2119 audit + CI gate; coverage doc baselined	✅ complete
UIAO_104	Test Harness & CI	✅	impl	CI running	✅
UIAO_105	Auditor API	✅	core impl	`src/uiao/api/`; v1 routers for ZTMM / EPL / Enforcement / Archive plus pre-existing `/api/auditor` (`evidence` / `findings` / `POA&M` / OSCAL endpoints); 21 tests	🟡 working
UIAO_106	Compliance CLI	✅	impl	`uiao` CLI ships in v0.2.1	✅
UIAO_107	Collector Interface	✅	partial	—	⚠️ aspirational
UIAO_108	CQL	✅	core impl	`src/uiao/governance/cql.py`; 5 canonical queries; `/api/v1/cql/*` endpoints; 42 tests	🟡 working
UIAO_109	Data Lake Model	✅	core impl	`src/uiao/storage/data_lake.py`; per-adapter retention from canon `retention-years:`; FilesystemArchive backend; 24 tests	🟡 working
UIAO_110	Drift Engine	✅	DRIFT-SCHEMA + DRIFT-PROVENANCE only	walker runs	🟡 partial (2/5 classes)
UIAO_111	Enforcement Runtime	✅	core impl	`src/uiao/governance/enforcement.py`; 5 default handlers; EnforcementJournal JSONL audit trail; 25 tests	🟡 working
UIAO_112	Multi-Tenant Isolation	✅	core impl	`src/uiao/governance/tenancy.py`; tenant model + namespace primitives + walker hygiene gate; 37 tests (UIAO_119 v1 added 13)	🟡 working
UIAO_113	Evidence Graph	✅	working	scheduler-run ingestion + 4-emitter OSCAL augmentation + back-matter link resources; 62 tests	✅
UIAO_114	HA / Fault Tolerance	✅	—	deferred to Phase 2 per §4.4 assessment	⚠️ aspirational
UIAO_115	Performance Engineering	✅	—	deferred pending baseline per §4.4 assessment	⚠️ aspirational
UIAO_116	EPL	✅	core impl	`src/uiao/governance/epl.py`; 5 reference policies in `src/uiao/canon/policies/`; 29 tests; OSCAL back-matter projection	🟡 working
UIAO_117	Recovery Layer	✅	Phase 1 shipped	Raw-Zone immutability + checkpoint label in `src/uiao/storage/data_lake.py`; manual SOP for Class A/B in Phase 1 record; Phase 2 deferred per §4.4 assessment; 32 tests	🟡 working
UIAO_118	Release Engineering	✅	impl	release.yml signs v0.2.1	✅
UIAO_119	Tenancy Strategy	✅	all action items shipped	v1 / v2 / tagging / check-points / API filter / sandbox / ops runbook / plane flags / CLI promote-preview / CQL experimental ops — see the §4.4 assessment for the full table of links. CQL `regex` op gated by `auditor-api.cql.experimental-ops` (CQL exp ops)	🟡 working
UIAO_120	Zero-Trust Integration	✅	core impl	`src/uiao/governance/ztmm.py`; 16 active adapters declare `ztmm-pillars:`; 30 tests; OSCAL back-matter resources surfaced	🟡 working
UIAO_121	Adapter Conformance TP	✅ (template)	2 instantiations	`terraform` (30/30 PASS) + `entra-id` (30/30 PASS, tier-1 pending); also referenced by scubagear conformance plan	🟡 working
UIAO_122	Adapter Developer Training	✅ (subset of UIAO_125)	—	—	⚠️ aspirational
UIAO_123	Adapter Integration TP	✅ (template)	2 instantiations	`terraform` (Phases 1–3 PASS) + `entra-id` (Phases 1–3 PASS); both pending Phase 4–5 (live creds)	🟡 working
UIAO_124	Adapter Ops Runbook	✅	first instance shipped	UIAO_119 canary → regulated rollout SOP (closes §4.4 assessment action 119.5)	🟡 working
UIAO_125	Training Program	✅	first delivery shipped	adapter-author onboarding session record (2026-04-26)	🟡 working
UIAO_126	Test Plans Program	✅	first delivery shipped	scubagear conformance test plan instantiates UIAO_121	🟡 working
UIAO_127	Project Plans Program	✅	first delivery shipped	Acme Federal modernization plan (synthetic reference shape)	🟡 working
UIAO_128	Education Program	✅	first delivery shipped	agency onboarding walkthrough (15-min CIO/CISO read)	🟡 working
UIAO_129	Application Identity Model	✅	spec only	—	🟡 spec, no impl
UIAO_130	App Identity Onboarding Runbook	✅	spec only	—	🟡 spec, no impl
UIAO_131	Adapter Test Strategy	✅	—	0 adapters have any tier evidence	⚠️ aspirational
UIAO_200	Substrate Manifest	✅	impl enforces	substrate walker uses daily	✅
UIAO_201	Workspace Contract	✅	impl enforces	`$UIAO_WORKSPACE_ROOT` in use	✅

Summary

✅ Real today: 8 of 37 artifacts (UIAO_001, 003, 004, 104, 106, 118, 200, 201)
🟡 Partially implemented: 13 (UIAO_002, 103, 110, 113, 117, 119, 121, 123, 124, 125, 126, 127, 128)
⚠️ Aspirational or draft: 16

That’s the honest state. An aspirational banner is applied per ADR-030 §6 to pages describing ⚠️ and 🟡 artifacts.

CI enforcement stack

Source: .github/workflows/.

Workflow	Status	Trigger
`schema-validation.yml`	blocking	Canon / schema PRs
`pytest.yml`	blocking (substrate + full impl)	`impl/**` PRs
`substrate-drift.yml`	blocking	Substrate / registry PRs
`metadata-validator.yml`	blocking	Canon doc PRs
`quarto.yml`	blocking render; deploy on main	`docs/**` PRs
`ruff.yml`	blocking	`impl/**` PRs
`link-check.yml`	blocking	Any Markdown/Quarto PR + weekly cron
`release.yml`	tag-triggered	`v..*` push → wheel + sdist + CycloneDX SBOM + sigstore signing
`release-drafter.yml`	continuous	Every main push / PR label — maintains the draft release

All 7 substantive workflows are blocking. Link-check was promoted from soft-fail to blocking in §0.6 (2026-04-25) once the lychee baseline against the live repo returned 0 errors with the existing .lycheeignore.

Drift taxonomy

Five classes defined in docs/docs/16_DriftDetectionStandard.qmd:

Class	Detected by	Severity max	Status
`DRIFT-SCHEMA`	`uiao substrate walk`	P1	implemented
`DRIFT-PROVENANCE`	`uiao substrate walk`	P1	implemented
`DRIFT-SEMANTIC`	runtime — `src/uiao/freshness/drift_semantic.py` evaluates scheduler-run evidence against per-adapter `freshness-window-hours`; fallback chain registry→family→global	P2	✅ complete
`DRIFT-AUTHZ`	runtime — `src/uiao/governance/drift.py::classify_authz_drift` (state-diff: role/delegation/escalation) + `src/uiao/governance/consent_envelope.py::ConsentEnvelopeValidator` (registry consent envelope: out-of-scope object access). Substrate walker scans both registries for missing/empty `scope:` declarations	P1	✅ complete
`DRIFT-IDENTITY`	runtime — `src/uiao/governance/drift.py::classify_identity_drift` (state-diff: OrgPath / lifecycle / required-field) + `src/uiao/governance/issuer_resolution.py::IssuerResolver` (runtime issuer-chain: terminal-issuer match against canon `trust-anchor:`). Substrate walker scans both registries for missing `trust-anchor:` declarations on `certificate-anchored: true` adapters	P1	✅ complete

Runtime classes have their home in src/uiao/canon/specs/drift.md (UIAO_110); implementation is tracked as future engineering work (see ADR-029 §Consequences).

Aspirational-content triage

The scan is intentionally noisy — about 30–40% are false positives (session logs using “planned” in past-tense context, status dashboards naturally listing roadmaps, glossaries defining terms). Full triage report: inbox/drafts/aspirational-candidates-2026-04-17.md.

Mechanically flagged as aspirational (via Lua filter + aspirational: true frontmatter — see PR #57):

~~All program pages (UIAO_125–128) and narrative companions — 9 pages~~ → un-flagged 2026-04-26 once UIAO_125–128 each shipped a first delivery (roadmap §3.8 + §4.3 round 1).
Series landings + book landing — 4 pages
All PHASE5_*.qmd files — 8 pages
All customer-documents/validation-suites/adapters/* — 11 pages (13 → 11 as terraform and entra-id flipped to active per §2.6 / 2026-04-26)
All customer-documents/adapter-specs/* — 5 pages (7 → 5 once terraform and scubagear flipped to active in §4.3 round 3)
docs/docs/canon/migration-plan.md, docs/docs/mvp-roadmap.qmd

Total flagged ≈ 22 pages (~4% of the 504 rendered surfaces). Selective flagging preserves signal — a banner on half the site is noise.

The remaining 263 hits are under per-file review; not mass-flagged pending author judgment.

Optimization posture

Cumulative from the consolidation (2026-04-17):

History preserved: 3,549 commits across the four predecessor repos
Working-tree reduction: ~290 MB (128.9 MB via pngquant, 160 MB of tracked build artifacts retired, 795 KB of junk text files removed)
Dead code retired: 38 Python files (~1,600 LOC) of ARC-5 scaffolding under directory_migration/ + 3 stub duplicate provider adapters
Quality burn-down: 16 ruff errors fixed (gate flipped to blocking), 4 slug-style document_ids renumbered, 10 mechanical stale-ref fixes

How to verify any of this

# Validate schemas (canon YAML/JSON vs their JSON Schemas)
make schemas

# Walk the substrate (structural + provenance drift)
make walk

# Run substrate walker tests only (fast)
make test-substrate

# Render this page as part of the full site
make docs

Every cell above is regenerable from the canonical artifacts. If this page disagrees with the live src/uiao/canon/*.yaml, the canon wins — this page is a derived view, not a source.