06 · Traceability

SRS × Capability

Three views, same four clusters. First view is the sponsor picture — every SRS module lit against the four clusters. Second shows which individual buckets are most relied on. Third is the full module × bucket matrix for audit.

Platform Floor Product Surface Integration Surface Ops Surface

View 1 · Module × Cluster — the big picture Click to expand

■ filled square = primary mechanism · □ outline square = supporting · — em-dash = out of scope

SRS §3.X module	Integration Surface	Ops Surface
§3.1 AuthREQ-AUTH-1..39	—
§3.1B AuthZREQ-AUTHZ-1..25	—	—
§3.2 Compliance ReadinessREQ-CR-1..8	—
§3.3 Atomic Control LibraryREQ-CTRL-1..8	—
§3.4 EvidenceREQ-EVID-1..10	—
§3.5 Risk ManagementREQ-RISK-1..7	—	—
§3.6 Vendor (TPRM)REQ-VNDR-1..29
§3.7 Document Control · PolicyREQ-POL-1..36	—
§3.8 Awareness TrainingREQ-TRN-1..7	—	—
§3.9 CSPMREQ-CSPM-1..9
§3.10 SCM SecurityREQ-SCM-1..6
§3.11 Supply ChainREQ-SC-1..5
§3.12 Vulnerability AssessmentREQ-VA-1..5		—
§3.13 Incident ManagementREQ-INC-1..7	—	—
§3.14 IAM Governance · UARREQ-IAM-1..7		—
§3.15 Internal AuditREQ-AUD-1..6	—	—
§3.16 Dashboard · Action ItemsREQ-DASH-1..5	—	—
§3.17 Integrations ManagementREQ-INT-1..7

View 2 · Hot-path buckets — what most modules depend on Click to expand

Bar width = number of SRS modules that rely on this bucket · Colour = cluster

C3 · Tenant Data StoreREQ-SEC-1 · §6 · Platform Floor
17 / 17
C12 · Observability§5.4 · REQ-SEC-7 · Platform Floor
17 / 17
C14 · Frontend Foundation§4.1 · WCAG AA · Product Surface
17 / 17
C2 · AuthorizationREQ-AUTHZ-1..25 · Platform Floor
14 / 17
C13 · Deployment & Packaging§6 · REQ-SAFE-5 · Ops Surface
13 / 17
C6 · Session / QueueREQ-AUTH-12..14 · Platform Floor
11 / 17
C7 · Email DispatcherREQ-TRN · REQ-VNDR-16 · REQ-POL-23 · Platform Floor
9 / 17
C5 · Object StorageREQ-EVID-4 · REQ-POL-32 · Platform Floor
7 / 17
C4 · Secrets & KeysREQ-SEC-4/5 · Platform Floor
6 / 17
C10 · Connector Framework§3.17 · §3.9/10/14 · Integration Surface
6 / 17
C8 · Malware / File ScanREQ-SEC-11 · REQ-EVID-9 · Platform Floor
5 / 17
C1 · IAM CoreREQ-AUTH-1..39 · Platform Floor
4 / 17
C11 · Security Check Libraries§3.9 · §3.10 · §3.11 · §3.12 · Integration Surface
4 / 17
C9 · Document Editor · ExportREQ-POL-9..11 · REQ-POL-32 · Product Surface
3 / 17

View 3 · Full matrix — every bucket, every module (audit reference) Click to expand

Column dividers show the four clusters · ● primary · ○ supporting · · out of scope

SRS §3.X module	Platform Floor									Product		Integration		Ops
SRS §3.X module	C1	C2	C3	C4	C5	C6	C7	C8	C12	C9	C14	C10	C11	C13
§3.1 Auth	●	○	○	●	·	●	●	·	○	·	○	·	·	○
§3.1B AuthZ	○	●	○	·	·	○	·	·	○	·	○	·	·	·
§3.2 Compliance Readiness	·	○	●	·	·	○	·	·	○	·	●	·	·	○
§3.3 Atomic Control Library	·	○	●	·	·	·	·	·	○	·	○	·	·	●
§3.4 Evidence	○	○	●	·	●	○	●	●	○	·	○	·	·	○
§3.5 Risk Management	○	●	●	·	·	·	○	·	○	·	●	·	·	·
§3.6 Vendor (TPRM)	○	○	●	·	●	○	●	●	○	·	●	○	·	○
§3.7 Policy · SOP	○	○	●	·	●	○	●	○	○	●	●	·	·	○
§3.8 Awareness Training	·	○	●	·	○	○	●	·	○	·	●	·	·	·
§3.9 CSPM	·	○	●	●	·	○	·	·	○	·	●	●	●	○
§3.10 SCM Security	·	○	●	●	·	○	·	·	○	·	●	●	●	○
§3.11 Supply Chain	·	○	●	○	○	○	·	○	○	·	●	●	●	○
§3.12 Vulnerability Assessment	·	○	●	·	●	·	·	●	○	·	●	·	●	·
§3.13 Incident Management	○	●	●	·	○	○	○	·	○	·	●	·	·	·
§3.14 IAM Governance · UAR	○	●	●	●	·	○	○	·	○	·	●	●	·	·
§3.15 Internal Audit	○	●	●	·	○	·	○	·	·	●	●	·	·	·
§3.16 Dashboard · Action Items	○	●	●	·	·	○	·	·	○	○	●	·	·	·
§3.17 Integrations Management	○	●	●	●	·	·	·	·	○	·	●	●	●	○
Modules using this bucket	4	14	17	6	7	11	9	5	17	3	17	6	4	13

Takeaways for the sponsor

Every module touches the Platform Floor. That is why the floor is the critical path: slip it and every module slips.
Three buckets power all 17 modules: tenant data store, observability, frontend shell. These are the architectural invariants that cannot fail.
Integration Surface is narrower — only the scanner and governance modules pull on it (§3.9-§3.12, §3.14, §3.17). That matches v1.0-Extended scoping.
No orphan modules. Every SRS module lights up at least one cluster. Coverage is complete.
No unused buckets. Every bucket earns its place — the map is tight, not padded.