SYSTEM-STANDARD.md — System Component Type (as-built spec + how to build/operate it)
Type-layer standard, sibling of
TEMPLATE-STANDARD.md(report) andPROFILE-STANDARD.md(profile). Governs the(system)component type ONLY. A system is a PRESCRIPTIVE product: its value is a delivered technical capability — what to build, how to deploy/configure/harden it, and how to operate it — NOT knowledge about a subject. It does NOT carry the report anatomy (BLUF / Key Judgments / ACH / PIR) or the profile spine; it has its own spine, below.
Living standard. Reconciled 2026-07-04 to the requirements-traceable spine that all 19 system cells actually use (SYS-001..010, AGT-001/002/004/005/007/008, OSINT-041/054/062). The prior revision prescribed a build/operations skeleton (Document Control / verbatim caveat / Annexes A-B) that no cell implemented; the reconciled spine below is the NEED → REQ → verification → acceptance-test chain the cells were built on, which is the stronger fit for the project’s requirements doctrine (atomic, verifiable requirements each carrying a verification method at definition time).
1. What a system is
Value = a built/configured technical capability handed to the client or team — a platform, feed, dashboard, pipeline, kit, or loadout — documented so it can be reproduced, accepted, and operated. Imperative/prescriptive voice about the build and its operation, never an estimate about a subject. The reader builds, accepts, and runs from it; they do not read it to know a fact.
2. Required anatomy (every system deliverable carries this 8-section spine)
# <SYSTEM NAME>+ a one-line as-built descriptor that states the design-basis / acceptance- criterion discipline.## 1. Purpose and Design Basis— the requirements core:- 1.1 Scope and Objective — what the system is and does; the in / out-of-scope boundary.
- 1.2 Design Basis — the design principle(s) the build rests on (what it replaces, why this shape).
- 1.3 Needs — each
NEED-<DID>-NNin stakeholder language, with a Source (named stakeholder, by initials) and a Context. A need is unverifiable as stated. - 1.4 Requirements — each
REQ-<DID>-NNatomic, verifiable, solution-bounded, traced to a NEED, carrying a verification reference[VR-<DID>-NN]and a Verification Method (Inspection / Analysis / Demonstration / Test) at definition time. One requirement, one shall.
## 2. Architecture As Built— the logical / physical architecture as an ASCII block diagram.## 3. Components and Bill of Materials— table: Component | Spec | Vendor/Link | Price | Tier | Status | Traceability (→ REQ). Real, grounded components (named OSS/stack, priced; internal work at $0.00); no fictional or speculative tools.## 4. Build and Deployment— phased, reproducible provision → configure → start.## 5. Hardening Baseline— host / network / process / data-at-rest controls; each control traces to a REQ or a stated threat / design principle.## 6. Integration Points— table: Interface | Type | Direction (Consumed / Produced) | Contract. Every seam the system consumes or produces, with its contract; cross-domain seams reflect the manifest’sART-<slug>wiring.## 7. Acceptance Tests— table: Criterion (REQ) | Method | Expected Result | Reference (VR). Every requirement has a matching acceptance test; no claim of “built” without a test that proves it.## 8. Run and Maintenance Handover— console start, maintenance schedule / cadence, ownership (named element / initials). Every operational duty names a cadence and a responsible element.END OF SYSTEM.
A system MAY add domain annexes after §8 where the build warrants (e.g., a severity-matrix mapping or a delivery-schema contract, as in SYS-008) — additive, never a substitute for the spine.
3. The load-bearing rule (system-specific discipline)
Every architectural component (§2-§3) and every hardening control (§5) traces to a stated design basis — a NEED/REQ, a threat, or a design principle — AND to a corresponding acceptance criterion in §7. No component without a reason; no “built” without a test that proves it. Every requirement in §1.4 is atomic (one shall), verifiable, and carries its verification method; every integration point names its direction and contract; every operational duty in §8 names a cadence and an owner.
4. Lawful-collection caveat (mandatory where the system collects or monitors)
Where the system performs collection or monitoring, state that collection is restricted to publicly available information — no authentication bypass, no intrusion, no acquisition of non-public data — and that scraping / monitoring at scale carries ToS, CFAA-analogue, and data-protection (GDPR/CCPA) exposure to be scoped with counsel per engagement; document authorization basis, lawful purpose, jurisdiction, and retention before operation begins. Systems that do not collect (comms loadouts, C2/TOC, sandboxes) state that the collection caveat does not apply and omit it — do not pad. This is not legal advice.
5. Sourcing & confidence discipline
Admiralty grading (A-F x 1-6) and the L x I 1-25 risk key apply ONLY where the system’s output or this spec actually cites graded intelligence or scores risk (e.g., a tipping / threat-feed acceptance criterion). A pure build/operations spec cites no subject-intelligence — in that case state that the analytic scales do not apply and omit them; do not pad.
6. Format
Pure heading hierarchy; markdown tables for every matrix; an ASCII architecture diagram in §2. Real
stack / components only, no live commercial tool names invented for effect. No emojis anywhere
(verify-enforced); ASCII-clean; personnel by initials; operational language renders to lawful effects
per DOCTRINE.md. END OF SYSTEM closes the file.