cbc-bridge-service — Migration Plan

Version: 1.0 Status: Draft Owner: Government / Emergency + MNO Partnerships + Regulator Liaison Last Updated: 2026-04-21 References: SERVICE_OVERVIEW.md, _report.md, SERVICE_READINESS.md, SERVICE_RISK_REGISTER.md

The service is greenfield. Migration is primarily a partner-engagement exercise (MNO + Government + Regulator) rather than a data or behavioural migration. Engineering is a smaller fraction of the work.

1. What Is Migrating

Input	Source	Volume	Notes
National-PKI trust anchors	Afghan government (or Ghasi Government Trust Anchor as interim per CBC-RISK-01)	~5 CA certs	HSM-loaded
Authorised caller registry	Government agencies (NDMA, Police, MoPH, Civil Defence) via MoU	~10-20 callers at launch	`cbc.authorised_callers`
MNO CBE credentials (per MNO)	MNO MoU	5 MNOs × credentials	Vault paths
MNO cell-tower database	Per-MNO export	~50,000 cells nationwide	`cbc.mno_cell_database`
Restricted broadcast templates	Content team + NDMA	~30 templates (Pashto/Dari/Arabic/English variants)	`compliance.approved_templates` (via EP-CE-13)
Monthly drill schedule	Platform + NDMA	1 cron rule	`cbc.drill_schedule`

No existing data migrates — this is a net-new capability for Afghanistan.

2. Migration Phases

Phase 0 — Pre-migration engagement (3 months)

Critical engagement phase before any code reaches production:

Step	Owner	Output	Gate
Regulator-Liaison engagement with ATRA on cell-broadcast service MoU	Regulator Liaison + Legal	ATRA MoU	GA blocker
Government-agency MoUs (NDMA, Police, MoPH, Civil Defence)	Government / Emergency + Legal	1 MoU per agency	Callers onboarded
MNO MoUs (per operator: CBE protocol, endpoints, credentials, SLAs, incident contacts)	MNO Partnerships + SRE	5 MoUs	Service can dispatch
National-PKI authority engagement (where available)	Regulator Liaison + Legal	Formal CA cert; or interim Ghasi Trust Anchor sign-off	PKI trust chain
Content + translation review for emergency templates	Trust & Safety + Content + NDMA	~30 approved templates	Phase 2 blocker
Per-MNO CBE adapter development + testing against MNO staging	SRE + Engineering	5 adapters passing against staging	Phase 1 blocker
HSM provisioning + trust-anchor load	Security + SRE	HSM operational	GA blocker
Per-MNO egress IP pool exchange (whitelisted at MNO)	SRE + MNO Partnerships	Firewalled egress paths	Service can connect
Drill procedure + after-action template agreed with NDMA + ATRA	Government / Emergency	Procedure document	Phase 1 blocker
Out-of-band communication bridge (phone + Slack) established	SRE + Government Liaison	Runbook	GA blocker

Phase 1 — Drill-only (60 days)

Service live in production but operates in drill-only mode.

Step	Owner	Output
Service deployed to `ghasi-prod` (Kabul primary; Mazar standby)	SRE	Production health
Authorised-caller registry populated with government + test callers	Government / Emergency	Callers in DB
Monthly drill schedule active; first drill fires on schedule	Service	Drill telemetry
ATRA observer granted audit visibility via regulator-portal	Regulator Liaison	ATRA acknowledgement
Weekly cell-DB refresh from MNOs active	SRE	Coverage % per MNO
Engineering-only access to production broadcast endpoint (emergency severity blocked by feature flag)	SRE	Feature flag `CBC_ACCEPT_SEVERITY_MAX=NONE`
Chaos drill (HSM, MNO, region) executed and passed	SRE + Security	GameDay report

Exit criteria. 2 consecutive monthly drills 100% delivered; 0 PKI verification false-failures; 0 audit chain breaks; ATRA satisfaction; no critical incidents.

Phase 2 — Non-life-critical emergencies (30 days)

Enable P2 (advisory) and P1 (major) severity for public-health and security advisories.

Step	Owner	Output
`CBC_ACCEPT_SEVERITY_MAX=P1`	SRE	Severity-gated
First real advisory broadcasts (e.g., MoPH public-health alerts)	Government / Emergency	Real-world traffic
SIEM forwarding of `cbc.audit.v1` live to ATRA	Regulator Portal	Audit visibility
Daily audit-chain verification active	Service	Verifier status
Per-MNO capacity monitoring active	SRE	Capacity data

Exit criteria. ≥ 5 successful real broadcasts; no complaint or regulator escalation; PARTIAL rate < 5%; no unauthorised broadcasts; ATRA + NDMA sign-off.

Phase 3 — Full emergency (ongoing)

Enable P0 for life-critical emergencies.

Step	Owner	Output
`CBC_ACCEPT_SEVERITY_MAX=P0`	SRE	Full service
Citizen-facing trust campaign (PR + MedComms)	Marketing + Government / Emergency	Public awareness
Quarterly GameDay with MNO staging endpoints	SRE + MNO Partnerships	Ongoing validation
Annual CEO-chaired risk review	Leadership	Stability

Rollback via feature flags:

CBC_ACCEPT_SEVERITY_MAX = NONE | P2 | P1 | P0 — gate severity acceptance.
CBC_DRILL_ENABLED = true | false — independent of broadcasts.
CBC_REGION = kbl | mzr | both — region routing.

3. MNO Onboarding (per operator, Phase 0)

A per-MNO playbook executed during Phase 0:

Commercial: MoU signed; SLA + incident contacts + 30-d advance notice on protocol changes documented.
Technical handshake:
- Ghasi provides egress IP pool (per-region dedicated IPs).
- MNO provides CBE endpoint URLs + protocol version.
- MNO provides CBE credentials (delivered via secure channel; stored in Vault).
- MNO provides cell-tower database export (or API).
Adapter development: Engineering builds adapter (Standard3gpp / Ericsson / Huawei) matching MNO's stack.
Staging integration:
- Test broadcast from Ghasi staging → MNO staging CBE.
- MNO confirms receipt + handset display.
- Ghasi confirms ack back.
Production cutover:
- Production endpoint swapped from MNO staging to production CBE.
- First drill reaching real handsets (limited area).
- MNO confirmation.

Per-MNO onboarding takes 4-8 weeks. Phase 0 runs 5 MNO onboardings in parallel.

4. Content / Template Bootstrap

Pre-approved emergency templates are required before Phase 2:

Template category	Languages	Owner
Earthquake warning	en, fa, ps, ar	NDMA
Flood warning	en, fa, ps, ar	NDMA
Civil defence alert	en, fa, ps, ar	Police / Civil Defence
Public-health emergency	en, fa, ps, ar	MoPH
Infrastructure alert (power, water)	en, fa, ps, ar	Relevant ministries
Security advisory	en, fa, ps, ar	Police

Each template:

Reviewed by native-speaker translator from Trust & Safety.
Approved via compliance-engine EP-CE-13 workflow.
Linked to specific authorised-caller (only NDMA can trigger earthquake templates, etc.).
Re-attested annually.

5. Cross-Region Bootstrap (ADR-0004 §5, §14)

Concern	Phase 0 bootstrap
Kabul primary region	Full service deployed first
Mazar standby region	Deployed in Phase 1 (drill-only) to test region-local operation
Dubai DR	Audit mirror + escrow trust anchor — deployed Phase 2
Cross-region reconciliation cron	Active from Phase 1
Manual-gated region fail-over	Runbook drafted Phase 0; drilled in Phase 1 GameDay

6. Regulator Engagement

Step	Phase	Owner
ATRA MoU for CBC service	Phase 0	Regulator Liaison + Legal
ATRA observer access to `regulator-portal-service` for audit visibility	Phase 1	Regulator Portal + Regulator Liaison
SIEM forwarding of `cbc.audit.v1` to ATRA	Phase 2	Regulator Portal
Monthly drill after-action report to ATRA	Phase 1	Government / Emergency
Quarterly compliance attestation	Phase 2+	Compliance
Annual audit by ATRA or its delegate	Post-GA	Compliance + Legal

7. Success Metrics for Migration

Metric	Target	Measurement
Phase 0 MoUs signed	5 MNOs + 4 government agencies + ATRA	Before Phase 1 entry
Phase 1 drills delivered on schedule	100%	Monthly
Phase 1 drills reaching ≥ 4 of 5 MNOs	100%	Monthly
Phase 2 broadcasts with PARTIAL rate	< 5%	Ongoing
Phase 2 unauthorised broadcasts	0	Ongoing
Phase 3 mean-time-to-dispatch (P0 emergency)	≤ 60 s	Per broadcast
Citizen trust (survey)	≥ 80% "aware + trusting"	Annual
ATRA compliance-audit finding	0 critical findings	Annual audit

8. Rollback Plan

Phase	Rollback action
Phase 0	N/A (not live)
Phase 1 (Drill)	`CBC_DRILL_ENABLED=false` disables drill; service remains online for future drill scheduling
Phase 2	`CBC_ACCEPT_SEVERITY_MAX=NONE` reverts to Phase 1 (drill-only)
Phase 3	`CBC_ACCEPT_SEVERITY_MAX=P1` reverts to Phase 2 (non-life-critical)

Catastrophic rollback (e.g., compromised caller cert used for unauthorised broadcast):

CBC_ACCEPT_SEVERITY_MAX=NONE immediately — all new submissions rejected.
Revoke compromised cert in cbc.authorised_callers.
Notify ATRA + MNO NOCs + CEO + Board Secretary.
Public clarification via citizen-portal + press release.
Incident review + reporting to regulator within 72 h.

9. Dependencies

ATRA MoU for CBC service (blocker).
Government-agency MoUs (blocker for each authorised caller).
MNO MoUs (blocker for each target MNO).
HSM provisioned with regional quorum (ADR-0004 §11).
Service mesh with SPIRE SVIDs (ADR-0004 §12).
compliance-engine EP-CE-13 trusted-template workflow live.
regulator-portal-service EP-REG-01 live (for ATRA observer access).
admin-dashboard EP-ADMDASH-10 (for NDMA / government client workbench).
notification-service EP-NOTIF-07 (for internal incident broadcasts when CBC system itself is in incident).
Translation-reviewed template library per Trust & Safety.
National-PKI (or interim Ghasi Government Trust Anchor) operational.

Any missing dependency blocks progression to the phase in which it is first required.

10. Post-Launch Runbook Refinement

Within 90 days of Phase 3 go-live:

Review actual emergency broadcast performance vs. plan.
Refine drill playbook based on live experience.
Review MNO CBE incident-contact responsiveness; renegotiate SLAs if needed.
Update translation templates based on real-world effectiveness.
Cross-reference CBC audit events with citizen feedback / complaints.
Share anonymised lessons with regional partners (GSMA, neighbouring regulators).

1. What Is Migrating​

2. Migration Phases​

Phase 0 — Pre-migration engagement (3 months)​

Phase 1 — Drill-only (60 days)​

Phase 2 — Non-life-critical emergencies (30 days)​

Phase 3 — Full emergency (ongoing)​

3. MNO Onboarding (per operator, Phase 0)​

4. Content / Template Bootstrap​

5. Cross-Region Bootstrap (ADR-0004 §5, §14)​

6. Regulator Engagement​

7. Success Metrics for Migration​

8. Rollback Plan​

9. Dependencies​

10. Post-Launch Runbook Refinement​