Asset Status — Compact Reference
Status: ⬜ Not Started · 🟨 Scaffolding · 🟧 In Progress · 🟦 Code Complete · 🟩 Shipped
Package: [B] Baseline · [A] Advanced · [X] Cross-cutting · [QW] Quick-Win
Ownership: [SO] SnowOps-Operated · [CO] Client-Owned · [CA] Client-Adopted · [SH] Shared
For full descriptions and test details: docs/context/03-asset-catalog.md
A — Sales & CRM Automation (HubSpot) [X][SO]

| ID | Name | Status | Milestone | Owner |
|---|---|---|---|---|
| A1 | HubSpot lead enrichment (Clearbit/Apollo) | 🟦 | M1 | CA |
| A2 | ICP scoring → routing | ⏸️ postponed | M2b | CA |
| A3 | Proposal generator (PDF) | ⏸️ postponed | M2b | CA |
| A4 | Project kickoff webhook (Closed Won) | ⏸️ postponed | M2b | CA |
| A5 | Discovery trigger (Qualified → G4 dispatch + offer email) | 🟦 | M1 | CA |

B — Client Onboarding [B]

| ID | Name | Status | Milestone | Owner |
|---|---|---|---|---|
| B1 | GitHub App snowops-onboarder | 🟦 | M1 | SO→CO |
| B2 | modules/azure/client-bootstrap/ (AAD app + federated cred + RBAC) | 🟦 | M2a | SO→CO |
| B3 | modules/azure/subscription-baseline/ (F1 + group RBAC + MCSB) | 🟦 | M2a | CO |
| B4 | modules/azure/client-state-backend/ (F6 + Blob RBAC + PE) | 🟦 | M2a | CO |
| B5 | modules/azure/pim-azure-resources/ (Owner/Contributor/UAA PIM) | 🟦 | M2a | CO |
| B6 | apps/client-bootstrap/ (prerequisite checker + permission validator) | 🟦 | M3 | CA |

C — CI/CD & Delivery Pipelines [B]

| ID | Name | Status | Milestone | Owner |
|---|---|---|---|---|
| C1 | terraform-plan-apply.yml (OIDC, OPA post-plan, env gates) | 🟦 | M2a ← KEYSTONE | CA |
| C2 | container-build-sign.yml (build → ACR → Notation sign → Grype) | 🟦 | M2a | CA |
| C3 | aks-deploy.yml (ArgoCD image override → sync → smoke → rollback) | 🟦 | M2a | CA |
| C4 | GitOps branching standard + client-repo template | 🟩 | M1 QW | CA |
| C5 | Azure DevOps Pipeline templates (C1/C2/C3/D2 mirrors) | 🟦 | M3 | CA |

D — Quality & Security Gates [B]

| ID | Name | Status | Milestone | Owner |
|---|---|---|---|---|
| D1 | .pre-commit-config.yaml (tflint, checkov, gitleaks, trivy, conftest) | 🟩 | M1 QW | CA |
| D2 | PR-blocking GH Actions mirroring D1 | 🟦 | M1 QW | CA |
| D3 | Conftest/OPA policy bundle for terraform plan JSON | 🟩 | M1 QW | CA |
| D4 | Kyverno policy bundle for AKS (5 ClusterPolicies) | 🟦 | M2a | CO |
| D5 | Policy waiver engine (waivers/, OPA exception records, expiry, CI enforcement) | 🟦 code-complete | M2b | CA |

E — Automated Evidence Collection [A]

| ID | Name | Status | Milestone | Owner |
|---|---|---|---|---|
| E0 | Lightweight compliance snapshot (Policy + Defender score, wired to C1) | 🟦 | M2b | SH |
| E1 | EvidencePlatform TS interface | ⏸️ postponed | M4 | SO |
| E2 | VantaAdapter | ⏸️ postponed | M4 | SO |
| E3 | DrataAdapter stub | ⏸️ postponed | M4 | SO |
| E4 | Azure Resource Graph query library (SOC2 CC + ISO27001) | ⏸️ postponed | M4 | SH |
| E5 | Defender → Vanta scheduled sync | ⏸️ postponed | M4 | SO |
| E6 | Quarterly access review automation | ⏸️ postponed | M4 | SO |
| E7 | TicketPlatform interface + adapters (GH/Jira/Linear/ADO) + CLI | 🟦 | M3 | CO/CA |

F — SnowOps Module Library [B]/[A]

| ID | Name | Status | Milestone | Owner |
|---|---|---|---|---|
| F0 | modules/_contracts/ — 7 cloud-agnostic contracts | 🟦 | M2a | SO |
| F1 | modules/azure/baseline/ (Mgmt Group, Policy, Defender, LAW) | 🟦 | M2a | CO |
| F2 | modules/azure/network-hub/ (hub-spoke, Firewall, DNS, flow logs) | 🟦 | M2a | CO |
| F3 | modules/azure/aks-secure/ (private AKS, Workload Identity, CNI Overlay) | 🟦 | M2a | CO |
| F4 | modules/azure/acr/ (Premium ACR, PE, AAD-only, geo-replication) | 🟦 | M2a | CO |
| F5 | modules/azure/key-vault/ (Premium KV, RBAC mode, purge-protect, PE) | 🟦 | M2a | CO |
| F6 | modules/azure/state-backend/ (RA-GZRS state SA, containers, WORM) | 🟦 | M2a | CO |
| F7 | Terragrunt live-infra reference (live/) | 🟦 | M2b | CO |
| F8 | gitops/ — ArgoCD app-of-apps K8s bundle | 🟦 | M2b | CO |
| F9 | modules/aws/* parity | ⏸️ deferred | M5 | CO |
| F10 | modules/gcp/* parity | ⏸️ deferred | M5 | CO |
| F11 | Module versioning + private registry (apps/module-registry/ + modules/registry.json) | 🟦 code-complete | M3 | SO |
| F12 | Brownfield import library (modules/azure/import-blocks/, 9 modules) | 🟦 code-complete | M3 | CO |

G — Pre-Sales Discovery & Audit [X][SH]

| ID | Name | Status | Milestone |
|---|---|---|---|
| G0 | Reader + Security Reader SP bootstrap script | 🟦 | M1 |
| G1 | apps/discovery-auditor/ collectors (Resource Graph, Defender, Policy, AAD, Cost) | 🟦 | M1 |
| G2 | YAML rule pack (SOC2 CC + ISO27001 + CIS Azure, 11 rules) | 🟦 | M1 |
| G3 | Report renderer (Markdown → PDF, branded cover, exec summary, roadmap) | 🟦 | M1 |
| G4 | .github/workflows/discovery-run.yml (manual dispatch, artifact, Slack) | 🟦 | M1 |
| G5 | HubSpot integration (A5 → discovery_report_url) | 🟦 | M1 |
| G6 | Immutable run audit log (WORM blob, SHA-256 hash chain) | 🟦 | M1 |
| G7 | AWS discovery mode | ⏸️ postponed | M4 |

H — Identity & Access Management [B]/[A]

| ID | Name | Status | Milestone | Owner |
|---|---|---|---|---|
| H1 | modules/azure/aad-baseline/ (named locations, auth strength policy) | 🟦 | M2a | CO |
| H2 | modules/azure/conditional-access/ (6 CA policies, break-glass exclusion) | 🟦 | M2a | CO |
| H3 | modules/azure/pim-templates/ (tier-0/tier-1 Entra role PIM, Graph PATCH) | 🟦 | M2a | CO |
| H4 | SCIM provisioning to SaaS | ⏸️ postponed | M4 | CO |
| H5 | apps/sp-inventory/ + rotation workflow (read-only Graph, PR-driven) | 🟦 | M2a | CA |
| H6 | Access review automation (AAD Access Reviews) | ⏸️ postponed | M4 | CO |
| H7 | modules/azure/break-glass/ (group + perm Global Admin + sign-in alert) | 🟦 | M2a | CO |

I — Vulnerability & Patch Management [B]/[A]

| ID | Name | Status | Milestone |
|---|---|---|---|
| I1 | Container image scanning (reusable Trivy image scan) | 🟦 | M2a |
| I2 | Dependency scanning (Dependabot + review gate + digest) | 🟦 | M2a |
| I3 | SAST (CodeQL in PR) | 🟦 | M2a |
| I4 | DAST (OWASP ZAP) | ⏸️ postponed | M4 |
| I5 | Defender → ticket via E7 adapter (apps/defender-ticketer/) | 🟦 code-complete | M2b |
| I6 | Azure Update Manager compliance report | ⏸️ postponed | M4 |
| I7 | CVE triage runbook + SLA dashboard | ⏸️ postponed | M4 |

J — Logging, Monitoring & SIEM [B]/[A]

| ID | Name | Status | Milestone | Owner |
|---|---|---|---|---|
| J1 | modules/azure/log-analytics/ (standalone hardened LAW, per-table retention) | 🟦 | M2a | CO |
| J2 | modules/azure/policy-diagnostics/ (DINE initiative, GUID-agnostic) | 🟦 | M2a | CO |
| J3 | Microsoft Sentinel deployment | ⏸️ postponed | M4 | CO |
| J4 | Alert rule pack (identity/network/privilege/data-exfil) | 🟦 code-complete | M2b | CO |
| J5 | Managed Grafana dashboards-as-code | ⏸️ postponed | M4 | CO |
| J6 | modules/azure/audit-log-archive/ (WORM-immutable blob, Activity Log) | 🟦 | M2a | CO |
| J7 | Cost-controlled log strategy (Basic Logs tier) | ⏸️ postponed | M4 | CO |

K — Incident Response & SecOps [B]/[A]

| ID | Name | Status | Milestone | Owner |
|---|---|---|---|---|
| K1 | IR runbook library (docs/runbooks/incident/) | 🟦 code-complete | M2b | CO |
| K2 | On-call integration (modules/azure/oncall-integration/, PagerDuty/Opsgenie + Slack) | 🟦 code-complete | M2b | CO |
| K3 | Sentinel SOAR playbooks | ⏸️ postponed | M4 | CO |
| K4 | Post-incident review + GH issue via E7 | ⏸️ postponed | M4 | CA |
| K5 | Tabletop exercise pack | ⏸️ postponed | M4 | CO |

L — Backup & Disaster Recovery [B]/[A]

| ID | Name | Status | Milestone | Owner |
|---|---|---|---|---|
| L1 | Azure Backup policy module (VM, AKS, SQL, Storage) | 🟦 code-complete | M2b | CO |
| L2 | Cross-region replication (object replication + SQL failover group) | 🟦 code-complete | M2b | CO |
| L3 | DR runbook templates | ⏸️ postponed | M4 | CO |
| L4 | Automated restore drill (apps/restore-drill/; restore→validate→teardown→S2 panel) | 🟦 code-complete | M2b | CO |
| L5 | RTO/RPO doc generator | ⏸️ postponed | M4 | CO |

M — Data Protection & Privacy [B]/[A]

| ID | Name | Status | Milestone | Owner |
|---|---|---|---|---|
| M1 | modules/azure/encryption-policy/ (Deny initiative: storage/SQL/disk CMK) | 🟦 | M2a | CO |
| M2 | modules/azure/cmk/ (HSM-backed KV key + auto-rotation + Crypto grants) | 🟦 | M2a | CO |
| M3 | modules/azure/tls-policy/ (Deny initiative: secure-transfer + HTTPS) | 🟦 | M2a | CO |
| M4 | Microsoft Purview baseline | ⏸️ postponed | M4 | CO |
| M5 | DLP policies (M365 + cloud storage) | ⏸️ postponed | M4 | CO |
| M6 | modules/azure/data-residency-policy/ (Allowed-locations Deny initiative) | 🟦 | M2a | CO |
| M7 | GDPR/CCPA evidence (data inventory + DSAR workflow) | ⏸️ postponed | M4 | CO |

N — Network Security [B]/[A]

| ID | Name | Status | Milestone | Owner |
|---|---|---|---|---|
| N1 | Landing-zone hub-spoke (extends F2) | ⏸️ postponed | M2a | CO |
| N2 | Azure Firewall Premium (TLS inspection, IDPS) | ⏸️ postponed | M4 | CO |
| N3 | WAF policy module (bot protection, OWASP top-10) | ⏸️ postponed | M2b | CO |
| N4 | DDoS Network Protection | ⏸️ postponed | M2b | CO |
| N5 | modules/azure/private-endpoint-policy/ (Deny initiative: public network) | 🟦 | M2a | CO |
| N6 | modules/azure/nsg-baseline/ (hardened NSG + flow logs + Traffic Analytics) | 🟦 | M2a | CO |
| N7 | Zero-trust reference architecture | ⏸️ postponed | M4 | CO |

O — Endpoint & Workforce Security [A]

| ID | Name | Status | Milestone |
|---|---|---|---|
| O1–O4 | Intune / CA compliant device / Defender for Endpoint / Phishing sim | ⏸️ postponed | M4 |

P — Vendor / Third-Party Risk [A]

| ID | Name | Status | Milestone |
|---|---|---|---|
| P1–P4 | Vendor inventory / SOC2 report tracker / DPA workflow / offboarding | ⏸️ postponed | M4 |

Q — HR Security & Training [A]

| ID | Name | Status | Milestone |
|---|---|---|---|
| Q1–Q5 | Onboarding / Offboarding / Security training / Background check / AUP | ⏸️ postponed | M4 |

R — Change Management [B]/[A]

| ID | Name | Status | Milestone | Owner |
|---|---|---|---|---|
| R1 | PR template enforcement + validation workflow | 🟩 | M1 QW | CA |
| R2 | Production change log (merged PRs → changelog) (apps/change-log/) | 🟦 code-complete | M2b | CA |
| R3 | Emergency change workflow (break-glass label) | ⏸️ postponed | M4 | CA |
| R4 | CAB automation (impact:high → CAB ticket via E7) | ⏸️ postponed | M4 | CA |

S — Continuous Compliance Monitoring & Drift [B]/[A]

| ID | Name | Status | Milestone | Owner |
|---|---|---|---|---|
| S1 | Drift detection (scheduled terraform plan → issue via TicketPlatform) | 🟦 code-complete | M2b | CO |
| S2 | Azure Policy compliance dashboard | 🟦 code-complete | M2b | CO |
| S3 | Auto-remediation playbooks (Logic Apps) | ⏸️ postponed | M4 | CO |
| S4 | Compliance scorecard generator (controls → branded PDF) | ⏸️ postponed | M4 | SH |

T — Trust Center & Customer-Facing [A]

| ID | Name | Status | Milestone |
|---|---|---|---|
| T1–T4 | Trust center / Status page / Subprocessor list / Security questionnaire library | ⏸️ postponed | M4 |

U — Cost Governance [B]/[A]

| ID | Name | Status | Milestone | Owner |
|---|---|---|---|---|
| U1 | modules/azure/budget-alert/ (subscription budget + action group) | 🟦 | M2a | CO |
| U2 | modules/azure/tag-policy/ (mandatory-tag Deny initiative, §8 set) | 🟦 | M2a | CO |
| U3 | Idle resource cleanup (Function App scheduled) | ⏸️ postponed | M5 | SO |
| U4 | FinOps Grafana dashboard | ⏸️ postponed | M4 | CO |
| U5 | Cost anomaly detection | ⏸️ postponed | M4 | CO |

V — Documentation & Policy Management [B]/[A]

| ID | Name | Status | Milestone | Owner |
|---|---|---|---|---|
| V1 | Policy repo template (InfoSec, AUP, IR, BCP, Change, Vendor) | ⏸️ postponed | M4 | CO |
| V2 | apps/diagram-generator/ (TF outputs → F0 contracts → d2lang diagram) | 🟦 | M2b | CO |
| V3 | apps/runbook-generator/ (TF outputs → Handlebars → operational markdown) | 🟦 | M2b | CO |
| V4 | Compliance manual generator | ⏸️ postponed | M4 | SH |

W — Multi-Tenant Client Management [X][SO] ⏸️ ALL POSTPONED (D35)

| ID | Name | Status | Milestone |
|---|---|---|---|
| W1 | Client repo template + provisioning (extends B1) | ⏸️ postponed | M2a→postponed |
| W2 | Per-client state backend (extends F6) | ⏸️ postponed | M2a→postponed |
| W3 | Per-client secret scoping in SnowOps GH org | ⏸️ postponed | M2a→postponed |
| W4 | Client offboarding playbook | ⏸️ postponed | M3 |
| W5 | SnowOps internal client dashboard | ⏸️ postponed | M5 |

X — Testing Framework & Sandbox [X]

| ID | Name | Status | Milestone | Owner |
|---|---|---|---|---|
| X1 | SnowOps Azure sandbox subscription (Terraform-managed) | 🟦 | M1 | SO |
| X2 | Terratest harness (tests/terratest/, 35 top-level tests) | 🟦 | M1 | SO |
| X3 | Conftest test suite for D3 | 🟩 | M1 | — |
| X4 | Kyverno test framework for D4 (5 suites, 21 assertions) | 🟦 | M2a | — |
| X5 | Pipeline integration tests (reusable workflow test consumer repos) | 🟦 code-complete | M2b | — |
| X6 | Manual test runbooks (`docs/runbooks/test/<id>.md`) | ongoing | all | — |
| X7 | sandbox/cleanup/ + nightly cleanup workflow (ephemeral=true RGs) | 🟦 | M2a | SO |
| X8 | Synthetic monitoring (Azure Monitor synthetic tests) | 🟦 code-complete | M2b | — |

Y — Go-To-Market & Sales Engine [X][SO] — all 🟦 (GTM Track A complete)

| ID | Name | File |
|---|---|---|
| Y0 | GTM operating doc (sales spine, funnel, A-series map) | gtm/Y0-operating-doc.md |
| Y1 | Positioning & messaging house (value prop, ICP props, objections) | gtm/Y1-positioning-messaging.md |
| Y2 | Pricing & packaging sheet (rate card, inclusions, out-of-scope) ⚠️ numbers TBD | gtm/Y2-pricing-packaging.md |
| Y3 | ICP & target-account playbook (50-account seed list) | gtm/Y3-icp-target-accounts.md |
| Y4 | Cold-outreach kit (5-touch sequence, LinkedIn variants, subject-line bank) | gtm/Y4-cold-outreach-kit.md |
| Y5 | Discovery call script + qualification questionnaire | gtm/Y5-discovery-script.md |
| Y6 | Proposal & SOW template library (Baseline/Advanced/QW + findings-to-roadmap) | gtm/Y6-proposal-sow/ |
| Y7 | Compliance coverage matrix (SOC2 / ISO27001 / HIPAA / CIS Azure) | gtm/Y7-compliance-coverage-matrix.md |
| Y8 | Capabilities deck + one-pagers | gtm/Y8-capabilities-deck/ |
| Y9 | Proof & case-study kit (synthetic sandbox audit report) | gtm/Y9-proof-case-study/ |
| Y10 | Nurture & follow-up sequences (post-audit, no-response, lost-deal) | gtm/Y10-nurture-sequences.md |
| Y11 | Customer success & expansion playbook (handoff, QBR, upsell) | gtm/Y11-cs-expansion.md |
| Y12 | Contract & legal pack (MSA, SOW, DPA, NDA, cloud-access auth) — counsel review req'd | gtm/Y12-contract-pack/ |
| Y13 | Sales pipeline & CRM config (HubSpot stages + properties) | gtm/Y13-crm-pipeline-config.md |

Human sign-offs pending: Nidhi (Y1/Y5/Y7/Y9/Z2/Z3 compliance claims + Y9 sanitization) · Sagar (Y2 real numbers, Y3 50-account seed list, Y13 HubSpot config) · Counsel (Y12) · Brand assets (Y8 deck design).

Z — Reference Architectures [X][SO→CO] — all 🟦 (GTM Track A complete)

| ID | Name | File |
|---|---|---|
| Z0 | Reference-architecture framework (template all Z assets follow) | gtm/z/Z0-framework.md |
| Z1 | SaaS Startup Reference Platform (F1+F2+F3+F4+F5+F6+B-series+D4+C1–C3+H-series+F8) | gtm/z/Z1-saas-reference-platform.md |
| Z2 | FinTech Reference Platform (Z1 + CMK/HSM + enhanced logging + SIEM + tighter network + PCI posture) | gtm/z/Z2-fintech-reference-platform.md |
| Z3 | Healthcare / HealthTech Reference Platform (Z1 + HIPAA: PHI protection + classification + BAA logging) | gtm/z/Z3-healthcare-reference-platform.md |