Skip to main content

cbc-bridge-service — Jira-Ready Epics & User Stories

Status: populated Owner: Government / Emergency Last updated: 2026-04-21 Service prefix: CBC Scope: Cell-broadcast bridge to MNO RAN (3GPP TS 23.041) for civil emergency alerts. Government-PKI-authenticated, multi-language, geo-targeted, drill-capable. Per ADR-0004 §3 and 07-epics-and-user-stories.md §6.6.

Epic Summary

Epic IDTitleStoriesPoints
EP-CBC-013GPP TS 23.041 Cell-Broadcast Adapter to MNO RANUS-CBC-001 – US-CBC-00639
EP-CBC-02Government PKI Signature Verification on Broadcast RequestsUS-CBC-007 – US-CBC-01019
EP-CBC-03Multi-Language Broadcast and Geographic TargetingUS-CBC-011 – US-CBC-01421
EP-CBC-04Broadcast Drill Mode + Public Test ChannelUS-CBC-015 – US-CBC-01711
Total17 stories90

EP-CBC-01 · 3GPP TS 23.041 Cell-Broadcast Adapter to MNO RAN

Context: Bridge to MNO Cell Broadcast Entities (CBE) using standard 3GPP TS 23.041 where supported; vendor-specific adapters (Ericsson, Huawei) where not. Reaches every handset in the targeted area within seconds.

US-CBC-001 · Submit emergency broadcast via gRPC

Type: Feature | Points: 8

Description: As an authorised Civil Defence operator, I need a gRPC BroadcastEmergency method to submit a prioritised broadcast so that it reaches every handset in the targeted area within seconds.

Acceptance Criteria:

  • gRPC BroadcastEmergency(req) accepts { headline, body { en, fa, ps, ar }, geoTarget, severity, expiry, channelClass }
  • Caller mTLS client cert from a recognised national-PKI authority (verified per US-CBC-007)
  • On accept → returns broadcastId, acceptedAt, expectedDispatchBy (≤ 60 s)
  • Persists cbc.broadcasts row with status ACCEPTED
  • Publishes cbc.broadcast.requested.v1 to NATS within 1 s
  • Failure cases: bad signature → UNAUTHENTICATED; missing required language fields → INVALID_ARGUMENT

US-CBC-002 · Translate request to 3GPP TS 23.041 CBS PDU

Type: Feature | Points: 8

Description: As the cbc-bridge-service, I need to translate the broadcast request into 3GPP TS 23.041 CBS message PDUs per MNO so the MNO CBE can accept and broadcast natively.

Acceptance Criteria:

  • CBS message identifier set per severity (P0=4370, P1=4371, P2=4372)
  • DCS UCS-2 for Pashto/Dari/Arabic; GSM7 for English
  • Page count computed (max 93 chars/page UCS-2; 82 GSM7); multi-page concatenation per spec
  • Geographic scope encoded per Cell-ID list, polygon, or country-code list
  • Conformance unit tests: 100 sample bodies × 4 languages round-trip

US-CBC-003 · Per-MNO CBE adapter dispatch

Type: Feature | Points: 8

Description: As the cbc-bridge-service, I need to dispatch the broadcast to all MNO CBE endpoints in parallel via per-MNO adapters so all operators broadcast within seconds of each other.

Acceptance Criteria:

  • Adapters: Standard3gppCbeAdapter, EricssonProprietaryCbeAdapter, HuaweiProprietaryCbeAdapter
  • Parallel dispatch with 30 s per-MNO timeout
  • Each MNO row in cbc.mno_dispatches with status PENDING → DISPATCHED → ACKED|FAILED|TIMEOUT
  • Per-MNO Vault credentials at secret/cbc/mno/{mno-id}/cbe-credentials
  • Metric cbc_dispatch_latency_seconds{mno} histogram; alert P95 > 30 s

US-CBC-004 · Aggregate per-MNO acknowledgements + final status

Type: Feature | Points: 5

Description: As the cbc-bridge-service, I need to aggregate per-MNO acks and compute a final broadcast status so the government caller sees one coherent result with per-MNO breakdown.

Acceptance Criteria:

  • Status = DELIVERED if all MNOs ACKED; PARTIAL if mixed; FAILED if all failed
  • Final status published cbc.broadcast.acked.v1 with per-MNO JSON breakdown
  • GetBroadcastStatus(broadcastId) returns live status
  • Status transition audit-logged

US-CBC-005 · Cancel pending broadcast (dual-control)

Type: Feature | Points: 5

Description: As an authorised Civil Defence operator, I need to cancel a pending broadcast within the dispatch window with dual-control approval so a mistaken alert can be retracted.

Acceptance Criteria:

  • CancelBroadcast(broadcastId) requires a second authorised caller's PKI signature within 60 s
  • Cancellation only effective for MNOs in PENDING or DISPATCHED
  • Cancellation audit-logged with both initiator and approver IDs
  • Status transitions to CANCELLED with per-MNO breakdown

US-CBC-006 · Hash-chained immutable broadcast audit log

Type: Feature | Points: 5

Description: As a regulator auditor, I need to verify integrity of every historical broadcast via a hash chain so tampering is detectable.

Acceptance Criteria:

  • Each cbc.broadcasts row carries prev_hash and record_hash = sha256(payload || prev_hash)
  • cbc.audit.v1 published with record_hash for every transition
  • GET /v1/cbc/broadcasts/:id/audit returns full chain
  • Cron daily verifies last 24 h chain integrity; alert on break

EP-CBC-02 · Government PKI Signature Verification on Broadcast Requests

Context: Broadcast authority must be loud and verifiable. Every request carries a national-PKI signature; verification is HSM-bound; in-process key fallback forbidden.

US-CBC-007 · National-PKI signature verification (HSM-bound)

Type: Feature | Points: 8

Description: As a security engineer, I need every BroadcastEmergency request signed by a recognised national-PKI cert with HSM-bound verification so only authorised government clients can broadcast.

Acceptance Criteria:

  • X-Gov-Signature header carries detached PKCS#7 signature over canonicalised request body
  • Verified via HSM (PKCS#11) against national-PKI CA chain — no in-process key fallback
  • Verification result logged to cbc.signature_audit
  • Failed verification → UNAUTHENTICATED; rate > 1/min → alert (probing detection)

US-CBC-008 · Caller-cert revocation honoured (CRL/OCSP)

Type: Feature | Points: 5

Description: As a security engineer, I need CRL and OCSP-stapled revocation honoured on caller certs so a revoked government cert cannot broadcast.

Acceptance Criteria:

  • CRL pulled every 4 h; cached in Redis
  • OCSP-stapled response checked on every TLS handshake
  • Revoked cert → connection rejected at TLS layer; audit row written
  • Cache miss + URL unreachable → fail-closed

US-CBC-009 · Authorised-caller registry

Type: Feature | Points: 3

Description: As a platform admin, I need a registry of authorised government callers so authorisation is explicit, not implicit-by-cert-validity.

Acceptance Criteria:

  • cbc.authorised_callers (orgName, certSubject, allowedSeverities[], allowedRegions[], notBefore, notAfter, mou_ref)
  • Admin REST CRUD; immutable history
  • BroadcastEmergency rejected if caller cert subject not in registry, even if signature valid

US-CBC-010 · Signature-audit dashboard

Type: Feature | Points: 3

Description: As a security engineer, I need a dashboard of signature verifications so probing attacks or cert misconfigurations are detected.

Acceptance Criteria:

  • Grafana panel: success/fail rate per hour, top failing cert subjects
  • Alert when failure rate > 10/h
  • Linked runbook runbooks/cbc-signature-failures.md

EP-CBC-03 · Multi-Language Broadcast (Pashto/Dari/Arabic/English) and Geographic Targeting

US-CBC-011 · Multi-language body required for every broadcast

Type: Feature | Points: 5

Description: As a Civil Defence operator, I need to provide the broadcast body in Pashto, Dari, Arabic, and English in a single request so all linguistic communities receive the alert.

Acceptance Criteria:

  • body { en, fa, ps, ar } — at least en + one of fa/ps mandatory; both fa+ps mandatory for severity P0
  • Each language page-counted independently per encoding (UCS-2 vs GSM7)
  • MNO CBE receives one CBS message per language with proper DCS
  • Translation memory link to customer-portal localisation glossary (EP-CUST-09)

US-CBC-012 · Geographic targeting modes (cell IDs, polygon, region)

Type: Feature | Points: 8

Description: As a Civil Defence operator, I need to target by Cell-ID list, polygon, or named region so alerts are scoped to the actual hazard area.

Acceptance Criteria:

  • Targeting modes: cell_ids[], polygon (GeoJSON), region (province/district), country (default)
  • Polygon → resolved to Cell-ID list via cached MNO cell-tower coordinates
  • Each mode produces a per-MNO Cell-ID list at dispatch time
  • Validation: polygon area > national area → reject; unknown cell IDs → reject with detail

US-CBC-013 · Cell-tower coordinate refresh from MNOs

Type: Feature | Points: 5

Description: As a platform engineer, I need to refresh per-MNO cell-tower coordinate datasets weekly so polygon targeting remains accurate.

Acceptance Criteria:

  • Cron weekly fetches from each MNO's cell-database export endpoint; manual upload fallback
  • Stored in cbc.mno_cell_database (mno, cellId, lat, lng, accuracy, lastUpdated)
  • Coverage report: % of national area covered by known cells per MNO

US-CBC-014 · Severity-based delivery prioritisation

Type: Feature | Points: 3

Description: As a Civil Defence operator, I need severity (P0 extreme, P1 major, P2 advisory) to drive priority handling at MNO CBE so catastrophic alerts pre-empt routine ones.

Acceptance Criteria:

  • Severity → CBS Message Identifier mapping (per US-CBC-002)
  • P0 sets MNO CBE priority flag where supported
  • Severity escalation (P1 → P0 promotion) requires second-approver

EP-CBC-04 · Broadcast Drill Mode + Public Test Channel

US-CBC-015 · Drill mode with "DRILL" prefix

Type: Feature | Points: 5

Description: As a platform admin, I need to run a drill broadcast in the test Message Identifier range with a "DRILL" prefix in every language so drills are unmistakable.

Acceptance Criteria:

  • POST /v1/cbc/drill with body, geoTarget, scheduledAt
  • CBS Message Identifier in test range (4370..4379, designated test slot)
  • Body prefixed with localised "DRILL — NO ACTION REQUIRED" per language
  • Drill rows tagged is_drill=true; never produce ATRA-reporting events

US-CBC-016 · Drill scheduling + after-action report

Type: Feature | Points: 3

Description: As a platform admin, I need to schedule monthly drills and receive an after-action report so the CBC pipeline is continuously validated.

Acceptance Criteria:

  • Cron schedule configurable; default monthly (first Tuesday 10:00 Asia/Kabul)
  • After-action report emailed to NDMA + Ghasi NOC
  • Report includes per-MNO ack latency, dispatched cells count, partial-failure breakdown

US-CBC-017 · Public test channel for media partners

Type: Feature | Points: 3

Description: As a media partner, I want to subscribe to a public test channel so I can verify Ghasi's emergency-broadcast capability and maintain public confidence.

Acceptance Criteria:

  • A pre-registered Test channel where drills also publish as a non-emergency push (in-app / web)
  • Public dashboard https://status.ghasi.io/cbc-drills shows last 12 months of drill records
  • Subscribers via HMAC-signed webhook receive drill-result feed