~3 hr. Schedule + complete the 30-minute scope-check meeting with the instructor. Produce a written punch-list of capstone gaps; obtain instructor sign-off on the capstone scope.
Goal: ship two artifacts: lab-11/workshop-punch-list.md (the gap inventory the instructor identified) and lab-11/scope-acceptance.md (the signed scope-acceptance note).
Estimated time: ~3 hr (90 min self-review + meeting prep; 30 min meeting; 60 min punch-list synthesis).
Prerequisites: Week 11 lecture. Labs 1-10 complete. Tool v0.3 working (Lab 7); CVD draft (Lab 9); ethics statement (Lab 10).
Authorization line: Lab 11 is meeting + documentation.
Lab 11 session, 2026-MM-DD HH:MM. Capstone workshop scope-check meeting with instructor;
no hardware contact; punch-list synthesis.
Setup
mkdir -p ~/adv-101/lab-11
cd ~/adv-101/lab-11
Schedule a 30-minute meeting slot with your instructor (calendar; cohort scheduler; sign-up sheet). The instructor's office hours are typically spread across the week; slots fill on a first-come basis.
Part A: Pre-meeting self-review (~75 min)
Before the meeting, run the workshop's checklist against your own work. Bring the checklist with your honest self-scoring to the meeting; the instructor's job is to verify and add.
Open the worksheet workshop-self-review.md and fill in:
# Capstone Workshop Self-Review
Student: <your name>
Date: 2026-MM-DD
## Tool v0.3 -> v1.0 inventory
(For each item: [present] / [partial] / [missing])
- [_] pyproject.toml with PEP 621 metadata
- [_] LICENSE file
- [_] CHANGELOG.md (0.1 / 0.2 / 0.3 / 1.0 sections)
- [_] README.md (~200 words; install + usage + safety controls)
- [_] [project.scripts] entry-point
- [_] pytest suite: happy paths + 3+ edge cases + 1+ regression
- [_] All Lab 5 + Lab 7 safety controls present and enforced
- [_] Inline docstrings on public functions
- [_] SECURITY-MODEL.md
## Disclosure-report inventory
- [_] All 12 CERT/CC sections present (review Lab 9 draft AND apply to SB6141 specifically)
- [_] CVSS vector from Lab 8 + per-metric justification embedded
- [_] Reproduction steps reproducible
- [_] SB6141-specific negative-scope (not generic Lab 9 template)
- [_] Remediation realistic given EOL status
- [_] Mitigation actionable for current operators
- [_] Disclosure timeline appropriate (vendor-EOL scenario)
## Defense-readiness inventory
- [_] Demo script outlined (`--help`, dry-run, mock execute)
- [_] At least one mock defense completed
- [_] Anticipated-question list with prepared answers
- [_] Bug-found-and-fixed reflective paragraph
- [_] What-would-you-do-differently reflective paragraph
- [_] Lab portfolio current through Week 10
## My estimated time to close gaps in Weeks 12-13
(Estimate per major gap; if total exceeds 30 hours, surface to instructor)
Honest self-scoring is the discipline; the instructor adds value when you give them an honest inventory rather than a polished version.
Part B: The 30-minute meeting (~30 min)
The instructor walks through your inventory; asks clarifying questions; adds gaps you missed; trims gaps that are nice-to-have. Take notes; the synthesis is the deliverable.
Common things the instructor catches that students miss:
- The CHANGELOG entries are too brief. "v0.3: added logging" is not enough; "v0.3: added per-run JSON logs at ~/.sb6141-csrf/runs/; added extended fingerprint for idempotency; documented rollback design pattern" is.
- The disclosure report's negative scope is generic. Lab 9 was hypothetical; the capstone report needs SB6141-specific language ("this report does not demonstrate post-exploitation against the SB6141 admin interface, including but not limited to dropping configuration backups, modifying firewall rules, or chaining with any other CVE").
- The reflective paragraphs are missing. The capstone rubric weights reflective depth at 30%; the bug-found-and-fixed and what-you-would-do-differently paragraphs are required, not optional.
- The lab portfolio is stale. Sessions for Labs 8/9/10 sometimes get skipped; the portfolio's per-session log must be current through the workshop date.
Listen; take notes; do not argue at the meeting. If you disagree with a gap, note it and address it in the punch-list synthesis (Part C).
Part C: Synthesize the punch-list (~60 min)
After the meeting:
# Workshop Punch-List for Weeks 12-13
Student: <your name>
Workshop date: 2026-MM-DD
Instructor: <instructor name>
## Punch-list items (in priority order)
### P1 (blocking; required for capstone submission)
1. **<item>**: <description>. Estimated effort: <hours>.
2. **<item>**: <description>. Estimated effort: <hours>.
(etc.)
### P2 (strongly recommended; capstone grade impact)
1. **<item>**: <description>. Estimated effort: <hours>.
(etc.)
### P3 (nice-to-have; defer if time-constrained)
1. **<item>**: <description>. Estimated effort: <hours>.
(etc.)
## Items the instructor noted as DEFERRED to post-cohort (stretch)
(Items the instructor mentioned but agreed are stretch / forward-stretch / out of scope for this cohort)
## Weekly plan
### Week 12
- Day 1: <items>
- Day 2: <items>
- ...
### Week 13
- Day 1: <items>
- Day 2-3: <items>
- Day 4: mock defense + revisions
- Day 5: final polish
- Day final session: capstone defense
## Total estimated effort
<sum hours>. Capacity in Weeks 12-13 is ~30 hours (~15/week). If estimate exceeds capacity:
trim or escalate.
## Disagreements with instructor (if any)
(If you disagreed with a gap, record it here. The instructor is not infallible; respectful
disagreement with reasoning is appropriate. Most disagreements get resolved by Week 12
via further conversation.)
Part D: Sign the scope-acceptance (~15 min)
# Capstone Scope Acceptance
Student: <your name>
Cohort: <cohort identifier>
Workshop date: 2026-MM-DD
Instructor: <instructor name>
## Capstone scope (agreed)
- Target: Motorola SURFboard SB6141, Longenecker CSRF (CERT/CC VU#419568)
- Tool v1.0: Python package per CAPSTONE.md spec; safety controls per Lab 5 + Lab 7
- Disclosure report: CERT/CC-grade, 12 sections per CAPSTONE.md spec
- Oral defense: 20 minutes (8 + 12) before 3-reviewer panel at Week 13 final session
## Punch-list summary
<P1 count> P1 items; <P2 count> P2 items; <P3 count> P3 items.
Total estimated effort: <X> hours; cohort capacity ~30 hours. Plan fits / exceeds /
requires escalation: <fits>.
## Signatures
Student: <name>; signed 2026-MM-DD
Instructor: <name>; counter-signed 2026-MM-DD
---
*Scope-acceptance v0.1.*
Commit:
cd ~/adv-101/lab-11
git add workshop-self-review.md workshop-punch-list.md scope-acceptance.md
git commit -m "Lab 11: capstone workshop punch-list + scope acceptance"
cd ~/adv-101
cat >> lab-portfolio.md <<EOF
### Lab 11 session, 2026-MM-DD HH:MM
**Target:** none (workshop meeting + documentation)
**Action:** capstone workshop self-review + 30-min instructor meeting + punch-list
synthesis
**Authorization basis:** meeting + documentation; no hardware contact
**Session duration:** ~3h
**Artifacts produced:** lab-11/workshop-self-review.md;
lab-11/workshop-punch-list.md; lab-11/scope-acceptance.md
**Incidents:** none
EOF
git add lab-portfolio.md
git commit -m "Portfolio: Lab 11 session entry"
Expected output / artifact
~/adv-101/lab-11/:
- workshop-self-review.md: your pre-meeting self-scoring
- workshop-punch-list.md: post-meeting prioritized gap list with timeboxes
- scope-acceptance.md: signed by you + instructor; the capstone-scope contract
What's the failure mode?
- Glossing over your gaps in the self-review. Honest self-scoring is the discipline; "all checks marked present" when half are actually partial wastes the workshop's time and the instructor's.
- Arguing at the meeting. The meeting's job is gap identification; the rebuttal time is Part C. Take notes; rebut later if needed.
- Punch-list without time estimates. "Add CHANGELOG" is a punch; "add CHANGELOG (~1 hr)" is a plan. Estimate.
- Overcommitting in Weeks 12-13. If the punch-list estimates total 40+ hours and you have 30 hours of capacity, the plan does not fit; trim or escalate at the workshop.
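An added example, not part of the original lab materials: a small Python check for the last two failure modes above, run over a punch-list written in the Part C template. The numeric effort format, the reading of "exceeds" versus "requires escalation", and the 30% overrun test (taken from the reviewer question further down) are assumptions; the sample punch-list is constructed.

```python
import re

CAPACITY_HOURS = 30.0  # Weeks 12-13 capacity stated in this lab
PRIORITY_RE = re.compile(r"^###\s+(P[123])\b")
ITEM_RE = re.compile(r"^\d+\.\s+\*\*(?P<title>.+?)\*\*")
# Assumption: the estimate is a number, e.g. "Estimated effort: ~1.5 hr."
EFFORT_RE = re.compile(r"Estimated effort:\s*~?\s*(?P<hours>\d+(?:\.\d+)?)")

# Constructed sample in the Part C template's shape (not real student data).
SAMPLE = """\
### P1 (blocking; required for capstone submission)
1. **CHANGELOG.md**: expand the 0.1-0.3 entries. Estimated effort: ~1 hr.
2. **Negative scope**: make it SB6141-specific. Estimated effort: 3 hours.
3. **Reflective paragraphs**: write both.
### P2 (strongly recommended; capstone grade impact)
1. **pytest regression case**: add one. Estimated effort: 2.5 hours.
### P3 (nice-to-have; defer if time-constrained)
1. **README polish**: tighten usage section. Estimated effort: 20 hours.
## Weekly plan
"""


def audit_punch_list(text, capacity=CAPACITY_HOURS, overrun=0.30):
    """Total the estimates per priority and flag items with no estimate."""
    totals, missing, priority = {"P1": 0.0, "P2": 0.0, "P3": 0.0}, [], None
    for line in map(str.strip, text.splitlines()):
        heading = PRIORITY_RE.match(line)
        if heading or line.startswith("#"):
            # Any other heading (e.g. "## Weekly plan") ends the item lists.
            priority = heading.group(1) if heading else None
            continue
        item = ITEM_RE.match(line)
        if item is None or priority is None:
            continue
        effort = EFFORT_RE.search(line)
        if effort:
            totals[priority] += float(effort.group("hours"))
        else:
            missing.append((priority, item.group("title")))
    total = sum(totals.values())
    # Assumed reading: "exceeds" = trimming P2/P3 can fix it; escalate if P1 alone is over.
    verdict = ("fits" if total <= capacity else
               "exceeds" if totals["P1"] <= capacity else "requires escalation")
    return {"totals": totals, "total": total, "missing": missing, "verdict": verdict,
            "survives_overrun": total * (1 + overrun) <= capacity}


if __name__ == "__main__":
    print(audit_punch_list(SAMPLE))
```

On the sample, the plan nominally fits the 30 hours, but one P1 item has no estimate and the total no longer fits once estimates run 30% over.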
Common pitfalls
- Skipping the mock defense. Week 12 needs at least one mock-defense session with a cohort peer. Block the calendar for it now.
- Hidden scope assumptions. "The CVD report will be ~3000 words" is an assumption; pull from CAPSTONE.md to verify the spec range; do not under-scope.
- Lab portfolio stale. Update the portfolio with sessions for Labs 8-10 BEFORE the workshop; the instructor reads the portfolio first.
- Defense-prep deferred to Week 13 day 1. Too late. The mock defense in Week 12 catches issues that Week 13 lacks time to fix.
What would a reviewer ask?
- "Walk me through your P1 items. What makes each blocking?"
- "Your effort estimates total hours; cohort capacity is . If estimates are wrong by 30%, do you still ship?"
- "Which punch-list item would you cut if time forces it? Defend."
Stretch (optional)
- Pre-build the pyproject.toml. If packaging is a known gap, do the metadata work in Week 11 evening; you free time for content work in Week 12.
- Schedule TWO mock defenses. One in mid-Week 12; one at the end. The first catches structural issues; the second polishes.
- Draft the LICENSE and CHANGELOG. 10-minute work; do it now; clears two punch-list items pre-emptively.
Lab 11 v0.1.