
regulator-portal-service — Jira-Ready Epics & User Stories

Status: populated
Owner: Regulator-facing + Legal
Last updated: 2026-04-21
Service prefix: REG
Scope: ATRA-facing portal: LI requests, complaint ingest, scheduled and ad-hoc reports, SIEM forwarding, periodic compliance attestations. Per ADR-0004 §3 and 07-epics-and-user-stories.md §6.9.


Epic Summary

| Epic ID | Title | Stories | Points |
|---|---|---|---|
| EP-REG-01 | ATRA-Facing Portal: Reports, License Artifacts, LI Requests, Complaint Ingest | US-REG-001 – US-REG-008 | 46 |
| EP-REG-02 | SIEM Forwarding (Splunk/ELK/QRadar) for Security & Compliance Events | US-REG-009 – US-REG-012 | 19 |
| EP-REG-03 | Periodic Compliance Attestations (ISO 27001, SOC 2 Type II) | US-REG-013 – US-REG-016 | 18 |
| Total | | 16 stories | 83 |

EP-REG-01 · ATRA-Facing Portal: Reports, License Artifacts, LI Requests, Complaint Ingest

Context: The regulator-of-record interface. mTLS-only; national PKI; LI workflow; complaint triage; scheduled and ad-hoc reports.

US-REG-001 · Regulator login via mTLS + national PKI

Type: Feature | Points: 5

Description: As an ATRA regulator user, I need to log in with my national-PKI client cert so my identity is cryptographically verifiable.

Acceptance Criteria:

  • Portal /login requires mTLS handshake; failed handshake → TLS-level rejection
  • Cert subject mapped to regulator.users (orgName, role, allowedRegions)
  • CRL + OCSP-stapled checks honoured
  • Audit row written for every login

US-REG-002 · LI request submission

Type: Feature | Points: 8

Description: As an ATRA LI officer, I need to submit a lawful intercept request so Ghasi can prepare the requested data within the 24-h SLA.

Acceptance Criteria:

  • POST /v1/regulator/li/requests accepts { targetMsisdn, dateRange, scope (IRI/CC/full), legalRef, signedWarrantHash }
  • Validates regulator user role + signed warrant hash matches uploaded PDF
  • State RECEIVED; SLA timer starts; row in regulator.li_requests
  • regulator.li.received.v1 published
  • Returns liRequestId, ackBy (now+1h)

US-REG-003 · LI workflow state machine + dual-control

Type: Feature | Points: 8

Description: As Ghasi legal + security, I need to process LI requests through RECEIVED → ACK → IN_PROGRESS → DELIVERED → CLOSED with dual-control approvals so every state transition is auditable.

Acceptance Criteria:

  • Each state transition requires both initiator and approver sign-off
  • Each transition writes to regulator.li_audit (append-only)
  • State times tracked vs. SLA; alert before SLA expiry
  • ACK by 1 h; IN_PROGRESS within 4 h; DELIVERED within 18 h; CLOSED on regulator confirmation
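The state machine, dual-control rule and SLA timers above, as an added worked example (this is illustrative code written for this page, not regulator-portal-service code). The in-memory request object, the user names, the 15-minute pre-expiry alert window and the helper names are assumptions; the real service writes to regulator.li_requests and regulator.li_audit.

```python
"""Added example (not regulator-portal-service code): a minimal model of the
US-REG-003 LI workflow with dual-control transitions, an append-only audit trail
and SLA deadlines. The in-memory store, user names and helper names are
assumptions; the real service persists to regulator.li_requests / regulator.li_audit."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Legal transitions: RECEIVED -> ACK -> IN_PROGRESS -> DELIVERED -> CLOSED
TRANSITIONS = {
    "RECEIVED": "ACK",
    "ACK": "IN_PROGRESS",
    "IN_PROGRESS": "DELIVERED",
    "DELIVERED": "CLOSED",
}
# Hours from receipt by which each state must be reached (CLOSED has no timer).
SLA_HOURS = {"ACK": 1, "IN_PROGRESS": 4, "DELIVERED": 18}
WARN_BEFORE = timedelta(minutes=15)  # assumed pre-expiry alert window


@dataclass(frozen=True)
class AuditRow:  # one row of regulator.li_audit; frozen so a row cannot be edited after the fact
    li_request_id: str
    from_state: str
    to_state: str
    initiator: str
    approver: str
    at: datetime


@dataclass
class LiRequest:
    li_request_id: str
    received_at: datetime
    state: str = "RECEIVED"
    audit: List[AuditRow] = field(default_factory=list)  # append-only

    def next_deadline(self) -> Optional[datetime]:
        """Deadline for reaching the next state, or None when no SLA applies."""
        hours = SLA_HOURS.get(TRANSITIONS.get(self.state))
        return None if hours is None else self.received_at + timedelta(hours=hours)

    def transition(self, to_state: str, initiator: str, approver: str, now: datetime) -> AuditRow:
        """Dual control: the approver must be a different user than the initiator."""
        if TRANSITIONS.get(self.state) != to_state:
            raise ValueError(f"illegal transition {self.state} -> {to_state}")
        if initiator == approver:
            raise PermissionError("dual control: approver must differ from initiator")
        row = AuditRow(self.li_request_id, self.state, to_state, initiator, approver, now)
        self.audit.append(row)  # audit row first, then the state change
        self.state = to_state
        return row


def sla_status(req: LiRequest, hours_after_receipt: float) -> str:
    """OK / WARN (inside the pre-expiry window) / BREACH for the next required state."""
    now = req.received_at + timedelta(hours=hours_after_receipt)
    dl = req.next_deadline()
    if dl is None:
        return "OK"
    if now > dl:
        return "BREACH"
    return "WARN" if now >= dl - WARN_BEFORE else "OK"


def try_transition(req: LiRequest, to_state: str, initiator: str, approver: str,
                   hours_after_receipt: float) -> str:
    """Attempt a transition; returns 'ok' or the name of the rejection."""
    now = req.received_at + timedelta(hours=hours_after_receipt)
    try:
        req.transition(to_state, initiator, approver, now)
        return "ok"
    except (ValueError, PermissionError) as exc:
        return type(exc).__name__


def demo() -> LiRequest:
    """Constructed request: received 09:00 UTC, ACKed at +40 min, in progress at +2 h."""
    t0 = datetime(2026, 4, 21, 9, 0, tzinfo=timezone.utc)
    req = LiRequest("li-0001", t0)
    req.transition("ACK", "legal.alice", "sec.bob", t0 + timedelta(minutes=40))
    req.transition("IN_PROGRESS", "legal.alice", "sec.bob", t0 + timedelta(hours=2))
    return req


if __name__ == "__main__":
    r = demo()
    print(r.state, sla_status(r, 10), sla_status(r, 19), len(r.audit))
```

The audit row is appended before the state field changes, so a crash between the two leaves a recorded transition rather than an unrecorded one; the real implementation would do both in one transaction against the append-only table.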

US-REG-004 · LI delivery package (signed, court-admissible)

Type: Feature | Points: 5

Description: As Ghasi legal team, I need to deliver a signed package containing IRI / CC data so the regulator receives evidence in a court-admissible form.

Acceptance Criteria:

  • Package: structured JSON (IRI), CSV (CC events), PDF cover letter
  • Signed with regulator-package signing key (HSM)
  • Delivered via SFTP drop-box agreed with ATRA, audit-logged with confirmed receipt

US-REG-005 · Citizen complaint ingest from ATRA

Type: Feature | Points: 5

Description: As an ATRA complaints handler, I need to forward a citizen complaint to Ghasi for triage so the platform can investigate and respond.

Acceptance Criteria:

  • POST /v1/regulator/complaints accepts { citizenMsisdn, complaintType, summary, receivedAt, regulatorRef }
  • Persisted in regulator.complaints; visible in admin-dashboard workbench
  • SLA target: 5 business days for response; alert if breached
  • regulator.complaint.received.v1 published

US-REG-006 · Daily CDR submission status report

Type: Feature | Points: 5

Description: As an ATRA auditor, I want to see daily CDR submission status for the past 90 days so I can verify Ghasi's reporting compliance.

Acceptance Criteria:

  • Pulls from cdr-mediation-service daily-submission state
  • UI: 90-d table with per-day status (SUBMITTED/ACK/REJECTED/MISSING), file count, signed hash
  • Re-submission link (audit-logged) if MISSING
  • Daily auto-email if any day in last 7 lacks ACK

US-REG-007 · Scheduled monthly compliance summary report

Type: Feature | Points: 5

Description: As an ATRA compliance officer, I want a monthly compliance summary report delivered to my inbox so I have continuous visibility.

Acceptance Criteria:

  • Cron 1st of month 06:00 generates report from compliance-engine + consent-ledger-service aggregates
  • PDF signed; uploaded to s3://ghasi-regulator/reports/{yyyy}/{mm}/
  • Email with download link sent to configured ATRA addresses
  • Report contents: total messages, blocked, held, top tenants by violation, sender-ID activity, consent-revocation rate

US-REG-008 · Ad-hoc report generation

Type: Feature | Points: 5

Description: As an ATRA auditor, I want to generate ad-hoc reports by date range, tenant, sender-ID so I can investigate specific incidents.

Acceptance Criteria:

  • POST /v1/regulator/reports with filters; returns reportId
  • Async generation; polling endpoint returns signed download URL
  • SLA: ≤ 30 min for hot windows; ≤ 24 h for cold
  • Audit row + retention 7 y

EP-REG-02 · SIEM Forwarding (Splunk/ELK/QRadar) for Security & Compliance Events

US-REG-009 · SIEM forwarder (CEF/LEEF)

Type: Feature | Points: 8

Description: As a security engineer, I need to stream platform security events to ATRA's SIEM in CEF or LEEF so regulator-side correlation rules work.

Acceptance Criteria:

  • NATS consumer for auth.events.*, compliance.audit.v1, consent.*, sender.id.*, cbc.audit.v1
  • Mapper translates to CEF (Splunk) and LEEF (QRadar); chosen per destination
  • Destination: Splunk HEC / Logstash / QRadar — configurable per regulator
  • At-least-once with explicit ACK from SIEM
  • Lag > 60 s → alert
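The CEF/LEEF mapping in the story above, as an added worked example (written for this page, not the project's forwarder). The event shape, the vendor/product strings, the severity map and the choice of extension keys are assumptions; the escaping rules are the ones the CEF and LEEF formats require (CEF header fields escape `|` and `\`, extension values escape `=` and `\`; LEEF has no escape syntax, so the tab delimiter must be kept out of values).

```python
"""Added example (not the project's SIEM forwarder): mapping one platform audit
event to CEF (Splunk) and LEEF 1.0 (QRadar), as US-REG-009 describes. The event
shape, vendor/product strings, severity map and extension keys are assumptions."""
from datetime import datetime
from typing import Dict, List, Tuple

VENDOR, PRODUCT, VERSION = "Ghasi", "regulator-portal-service", "1.0"

# Platform severity -> 0-10 scale used by both CEF and LEEF (assumed mapping).
SEVERITY = {"info": 2, "low": 3, "medium": 6, "high": 8, "critical": 10}

# Constructed sample event as it might arrive from the NATS consumer.
SAMPLE_EVENT: Dict[str, str] = {
    "subject": "auth.events.login_failed",
    "eventId": "AUTH-LOGIN-FAILED",
    "name": "Regulator mTLS login failed",
    "severity": "medium",
    "ts": "2026-04-21T09:15:02Z",
    "src": "203.0.113.7",
    "user": "CN=officer01,O=ATRA",
    "msg": "cert status=revoked | CRL match",
}


def _epoch_ms(iso: str) -> int:
    # CEF 'rt' takes milliseconds since the epoch.
    return int(datetime.fromisoformat(iso.replace("Z", "+00:00")).timestamp() * 1000)


def _severity(ev: Dict[str, str]) -> int:
    # Fail loudly on an unmapped severity rather than silently mis-rating the event.
    try:
        return SEVERITY[ev["severity"]]
    except KeyError:
        raise ValueError(f"unmapped severity {ev.get('severity')!r}") from None


def _header(v: str) -> str:
    # Header fields (CEF and LEEF): escape backslash and pipe.
    return v.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(v: str) -> str:
    # CEF extension values: escape backslash and '=', encode CR/LF as literal \r \n.
    return (v.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))


def _leef_val(v: str) -> str:
    # LEEF has no escape syntax: the tab delimiter (and line breaks) must not appear in values.
    return v.replace("\t", " ").replace("\r", " ").replace("\n", " ")


def to_cef(ev: Dict[str, str]) -> str:
    header = "|".join(_header(x) for x in
                      ("CEF:0", VENDOR, PRODUCT, VERSION, ev["eventId"], ev["name"], str(_severity(ev))))
    ext: List[Tuple[str, str]] = [
        ("rt", str(_epoch_ms(ev["ts"]))), ("src", ev["src"]), ("suser", ev["user"]),
        ("msg", ev["msg"]), ("cs1Label", "natsSubject"), ("cs1", ev["subject"]),
    ]
    return header + "|" + " ".join(f"{k}={_cef_ext(v)}" for k, v in ext)


def to_leef(ev: Dict[str, str]) -> str:
    header = "|".join(_header(x) for x in ("LEEF:1.0", VENDOR, PRODUCT, VERSION, ev["eventId"]))
    attrs: List[Tuple[str, str]] = [
        ("devTime", ev["ts"]), ("devTimeFormat", "yyyy-MM-dd'T'HH:mm:ss'Z'"),
        ("src", ev["src"]), ("usrName", ev["user"]), ("sev", str(_severity(ev))),
        ("msg", ev["msg"]), ("natsSubject", ev["subject"]),
    ]
    return header + "|" + "\t".join(f"{k}={_leef_val(v)}" for k, v in attrs)


def format_for(destination_format: str, ev: Dict[str, str]) -> str:
    """Pick the wire format per destination: CEF for Splunk, LEEF for QRadar."""
    if destination_format == "CEF":
        return to_cef(ev)
    if destination_format == "LEEF":
        return to_leef(ev)
    raise ValueError(f"unsupported SIEM format {destination_format!r}")


if __name__ == "__main__":
    print(format_for("CEF", SAMPLE_EVENT))
    print(format_for("LEEF", SAMPLE_EVENT))
```

The escaping matters for the regulator-side correlation rules the story mentions: an unescaped `=` inside `suser` or `msg` would be parsed as a new key/value pair, and an unescaped `|` in the name would shift every header field after it.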

US-REG-010 · Multi-destination SIEM fan-out

Type: Feature | Points: 3

Description: As a security engineer, I need to forward to multiple SIEM destinations (ATRA primary + Ghasi internal) so both have the same view.

Acceptance Criteria:

  • regulator.siem_destinations table holds N targets with auth + format + filter
  • Per-destination ack tracked independently
  • Per-destination alert on backlog

US-REG-011 · SIEM-forwarding back-pressure + disk buffer

Type: Feature | Points: 5

Description: As an SRE, I need a disk-backed buffer when SIEM destinations stall so events are never lost during regulator-side outages.

Acceptance Criteria:

  • NATS buffer first; if NATS lag > 1 h, fall back to disk WAL
  • Disk WAL replayed when SIEM recovers
  • Disk WAL > 24 h → alert critical

US-REG-012 · SIEM destination health dashboard

Type: Feature | Points: 3

Description: As a security engineer, I want a panel showing per-SIEM throughput and lag.

Acceptance Criteria:

  • Grafana panel paired with EP-ADMDASH-10 SIEM widget
  • Throughput, lag, last successful ACK timestamp per destination
  • Click-through to destination config

EP-REG-03 · Periodic Compliance Attestations (ISO 27001, SOC 2 Type II)

US-REG-013 · Compliance attestation evidence catalog

Type: Feature | Points: 5

Description: As a compliance officer, I want a catalog of ISO 27001 / SOC 2 / GSMA AA.18 controls with current evidence status so audits are continuously evidenced.

Acceptance Criteria:

  • regulator.attestations table: framework, controlId, ownerService, evidenceRef, status, lastReview
  • Status STALE if lastReview > 60 d; MISSING if no evidence
  • Dashboard on admin-dashboard (per EP-ADMDASH-10)

US-REG-014 · Auto-collection of evidence from upstream services

Type: Feature | Points: 5

Description: As a compliance officer, I want machine-checkable evidence auto-collected so audit prep is automatic.

Acceptance Criteria:

  • Scheduled jobs pull SBOM, image-signing, CI test results, access reviews
  • Stored at s3://ghasi-regulator/evidence/{framework}/{controlId}/ with manifest hash
  • Evidence freshness updated automatically
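The manifest hash of US-REG-014 and the STALE / MISSING status rule of US-REG-013, as one added worked example serving both stories (illustrative code for this page, not the project's collector). The manifest layout, the catalog-row shape, the control id and the in-memory dict standing in for s3://ghasi-regulator/evidence/{framework}/{controlId}/ are assumptions.

```python
"""Added example (not the project's code), serving US-REG-013 and US-REG-014:
building the manifest hash stored beside collected evidence, verifying the files
against it later, and deriving the OK / STALE / MISSING status of the catalog
row. The manifest layout and the in-memory stand-in for
s3://ghasi-regulator/evidence/{framework}/{controlId}/ are assumptions."""
import hashlib
import json
from datetime import date
from typing import Dict, List, Optional

STALE_AFTER_DAYS = 60  # US-REG-013: STALE if lastReview > 60 d

# Constructed evidence set for one control, keyed by object name.
SAMPLE_EVIDENCE: Dict[str, bytes] = {
    "sbom.cdx.json": b'{"bomFormat":"CycloneDX","components":[]}',
    "cosign-verify.txt": b"Verified OK\n",
    "ci-tests.junit.xml": b'<testsuite tests="12" failures="0"/>',
}


def build_manifest(files: Dict[str, bytes]) -> Dict[str, object]:
    """Per-file sha256 digests plus one hash over the canonical (sorted, compact) manifest body."""
    entries = {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return {"files": entries, "manifestHash": hashlib.sha256(body).hexdigest()}


def verify_manifest(files: Dict[str, bytes], manifest: Dict[str, object]) -> List[str]:
    """Names whose digest differs from the manifest, including files removed or added since."""
    current = build_manifest(files)["files"]
    expected = manifest["files"]
    names = set(current) | set(expected)
    return sorted(n for n in names if current.get(n) != expected.get(n))


def attestation_status(last_review_iso: Optional[str], evidence: Dict[str, bytes],
                       today_iso: str) -> str:
    """MISSING if no evidence; STALE if never reviewed or reviewed > 60 d ago; else OK."""
    if not evidence:
        return "MISSING"
    if last_review_iso is None:
        return "STALE"
    age = (date.fromisoformat(today_iso) - date.fromisoformat(last_review_iso)).days
    return "STALE" if age > STALE_AFTER_DAYS else "OK"


def catalog_row(framework: str, control_id: str, owner_service: str,
                evidence: Dict[str, bytes], last_review_iso: Optional[str],
                today_iso: str) -> Dict[str, object]:
    """One regulator.attestations row; evidenceRef points at the manifest location (assumed layout)."""
    manifest = build_manifest(evidence) if evidence else None
    ref = f"s3://ghasi-regulator/evidence/{framework}/{control_id}/manifest.json" if manifest else None
    return {
        "framework": framework,
        "controlId": control_id,
        "ownerService": owner_service,
        "evidenceRef": ref,
        "manifestHash": manifest["manifestHash"] if manifest else None,
        "status": attestation_status(last_review_iso, evidence, today_iso),
        "lastReview": last_review_iso,
    }


if __name__ == "__main__":
    # CTRL-01 is a hypothetical control id used only for this demo.
    row = catalog_row("ISO27001", "CTRL-01", "cdr-mediation-service",
                      SAMPLE_EVIDENCE, "2026-04-01", "2026-04-21")
    print(row["status"], row["manifestHash"])
```

Hashing the sorted, compact JSON body rather than the file bytes concatenated makes the manifest hash independent of collection order and lets a verifier name exactly which object changed; the freshness check deliberately treats "never reviewed" as STALE rather than OK.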

US-REG-015 · Auditor portal (read-only)

Type: Feature | Points: 3

Description: As an external auditor, I want read-only access to the evidence catalog with download capability so I can complete audit field-work efficiently.

Acceptance Criteria:

  • Special role external-auditor in regulator.users; mTLS via auditor's PKI
  • Read-only views; download audit-logged with auditor identity
  • Time-boxed access (default 30 d, extendable)

US-REG-016 · Annual attestation report bundle

Type: Feature | Points: 5

Description: As a compliance officer, I want a year-end attestation bundle with all evidence per framework so audit firms receive a single self-contained package.

Acceptance Criteria:

  • POST /v1/regulator/attestations/bundle?framework=ISO27001&year=2026
  • Bundle includes: control matrix, evidence files, signed manifest, exec summary
  • Signed with attestation-bundle key (HSM)
  • Stored at s3://ghasi-regulator/bundles/{framework}/{year}/