
Week 11: Capstone Workshop


The pre-capstone alignment week. You bring Tool v0.3 (Lab 7), disclosure draft (Lab 9), and ethics statement (Lab 10) to a 30-minute 1-on-1 scope-check meeting with the instructor. The instructor identifies gaps between v0.3 and v1.0; you close them in Weeks 12-13.


Theme

The capstone is two weeks (12-13) of intensive work. Week 11 is the gate: do you have what you need to ship a capstone-quality deliverable in two weeks?

The lab is the scope-check meeting. The instructor reviews your three artifacts (Tool v0.3, CVD draft, ethics statement) and identifies specific gaps to close. The output of the meeting is a written punch-list: "for capstone v1.0, you need to add X, Y, Z." You take the punch-list into Week 12.

Common gaps the workshop surfaces:

  • Packaging. Tool v0.3 may run from python -m sb6141_csrf.v03 but lacks a pyproject.toml; v1.0 needs the package metadata.
  • README polish. Tool v0.3 has a README stub from Lab 4; v1.0 needs a full install-and-run guide a stranger could follow.
  • Test coverage gaps. v0.3 has unit tests for happy paths; v1.0 needs at least one regression test for a bug you found in your own tool.
  • Disclosure-report negative scope. Lab 9 used a hypothetical; the capstone report applies to the SB6141. Are all 12 CERT/CC sections present? Is the negative scope specific to the SB6141 case?
  • Rollback implementation. v0.3 has the design pattern documented but the implementation is a stub. v1.0 may complete it (stretch) or document it as deferred (acceptable; some capstones run out of time).
  • CHANGELOG. v0.3 -> v1.0 history; one section per version (0.1, 0.2, 0.3, 1.0).
  • License file. MIT or Apache 2.0; pick one; commit LICENSE to the repo.

By the end of Week 11 you have: a documented punch-list of gaps to close in Weeks 12-13; instructor sign-off on the capstone scope; a defense-prep mock outline for the Week 13 oral defense.

Schneier weave (~270 words, A Hacker's Mind Ch 18)

Schneier devotes Chapter 18 of A Hacker's Mind to the question of how systems prepare adversarial actors for shipping work. His worked examples include the Apollo flight checklist process (where crews ran simulated missions for months before launch), the legal-brief workshop tradition (where junior associates' briefs are reviewed by senior partners before filing), and the medical-residency case-presentation tradition (where residents present cases to attending physicians for critique before publishing). The pattern: high-stakes shipping work is improved by structured pre-shipping review where the author's and the reviewer's incentives align toward catching problems.

The capstone workshop is the same pattern. You and the instructor want the capstone to succeed; the workshop's structure (30 minutes of focused review against a written rubric) creates the conditions for catching problems before they reach the defense panel. The instructor's "you're missing a LICENSE file" is the cheap catch; the defense panel's "you're missing a LICENSE file" is the expensive catch.

Schneier's argument extends to the discipline of taking feedback well. The Apollo crews who survived simulated emergencies were the crews who treated each emergency as data, not as criticism. The residency tradition treats every case-presentation critique as the system working as intended. The capstone workshop expects the same posture: each gap the instructor identifies is the workshop doing its job; defensiveness in the workshop is the failure mode.

The shipping work itself happens in Weeks 12-13. The workshop is the structural pause that says: "before you ship, what do you NOT have that the deliverable requires?" Catching the gap now is the difference between a smooth capstone and a stressful one.

Reading list (~30 min)

The week is mostly meeting-prep and writing; reading is light.

  1. Schneier, A Hacker's Mind, Ch 18 ("Hacking Adversarial Preparation"). Academy library; calibre id 677.
  2. PEP 621 (project metadata in pyproject.toml) at https://peps.python.org/pep-0621/. ~10 min. The package-metadata standard.
  3. CERT/CC vulnerability-note examples (your choice; pick 2 to compare against your CVD draft).
  4. choosealicense.com at https://choosealicense.com/. The 5-minute "pick a license" guide. MIT and Apache 2.0 are the academy-default choices.

Lecture outline (~50 min)

Part 1: The workshop format (10 min)

  • 30-minute 1-on-1 with instructor. Each student schedules a slot; instructor's schedule fills across the week.
  • Bring. Your ~/adv-101/lab-portfolio.md (the lab portfolio that summarizes Labs 1-10); the path to your lab-7/sb6141_csrf/v03.py (the tool); the path to your lab-9/disclosure-report.md (the CVD draft); the path to your lab-10/ethics-statement.md (the ethics statement). Capstone shape: Tool v1.0 + CERT/CC-grade report on the SB6141 CSRF + 20-minute oral defense.
  • Format. Walk-through; instructor asks clarifying questions; instructor names specific gaps; you take notes on the punch-list. End of meeting: you have a written list of work for Weeks 12-13.
  • Output. A "Capstone scope acceptance" note signed by both you and the instructor; the lab-portfolio entry for Week 11.

Part 2: Common gap patterns (15 min)

  • Packaging gaps. pyproject.toml; LICENSE; CHANGELOG; a console-script entry point ([project.scripts]); pinned dependencies; a manifest of what the package installs. v0.3 typically has none of these; v1.0 needs all of them.
  • Test gaps. v0.3 typically has happy-path tests; v1.0 needs at least one regression test (a test for a bug you found) plus edge-case tests (missing-argument, fingerprint-mismatch, user-abort).
  • Documentation gaps. README that lets a stranger install + run; CHANGELOG showing version evolution; inline docstrings on public functions; SECURITY-MODEL.md documenting the safety controls explicitly.
  • Disclosure-report gaps. Negative scope specific to the SB6141 case; vendor-interaction history (the end-of-life vendor never coordinated; document the timeline as "vendor unresponsive; published per CVD default after 90 days from notification, with academic-research authorization").
  • Defense-prep gaps. No mock defense; no anticipation of panel questions; no demo script. The Week 13 defense is 20 minutes; running a mock-defense in Week 12 catches the rough spots.
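As an added example (not code from the course tool or from the Lab 7 deliverable), here is what the test-gap item above looks like in practice: a hypothetical pre-execution safety gate, one happy-path test, the three named edge cases (missing argument, fingerprint mismatch, user abort), and a regression test that pins an assumed v0.3 bug in which --yes bypassed the fingerprint check. The flag names, the expected SB6141 banner substring, the injected fingerprint_of/confirm hooks and the bug itself are assumptions made for this example.

```python
"""Edge-case and regression tests for a tool's pre-execution safety gate.

Added example, not the course tool. ``preflight`` is a hypothetical stand-in
for the gate Tool v1.0 runs before sending anything: required --target,
device-fingerprint check, dry run by default, explicit confirmation for a
live run. Banner text, flag names and the "v0.3 bug" are assumptions.
"""
import argparse
from dataclasses import dataclass
from typing import Callable

EXPECTED_FINGERPRINT = "SB6141"  # assumption: substring expected in the device banner


class UsageError(Exception):
    """Bad command line (e.g. missing --target); raised instead of sys.exit so tests can catch it."""


class SafetyRefusal(Exception):
    """A safety control declined to proceed; nothing is sent."""


class _Parser(argparse.ArgumentParser):
    def error(self, message):  # argparse would call sys.exit(2) here
        raise UsageError(message)


def parse_args(argv: list) -> argparse.Namespace:
    parser = _Parser(prog="sb6141-csrf")
    parser.add_argument("--target", required=True, help="host or URL of the device under test")
    parser.add_argument("--execute", action="store_true", help="send the real request (default: dry run)")
    parser.add_argument("--yes", action="store_true", help="answer the confirmation prompt non-interactively")
    return parser.parse_args(argv)


@dataclass(frozen=True)
class Plan:
    target: str
    mode: str  # "dry-run" or "execute"


def preflight(argv: list, fingerprint_of: Callable[[str], str], confirm: Callable[[str], bool]) -> Plan:
    """Run every safety control and return what the tool is allowed to do.

    fingerprint_of(target) and confirm(prompt) are injected so the tests never
    touch the network or stdin.
    """
    args = parse_args(argv)
    observed = fingerprint_of(args.target)
    # The fingerprint check runs before --yes is even considered; the assumed
    # v0.3 bug let --yes short-circuit the whole gate.
    if EXPECTED_FINGERPRINT not in observed:
        raise SafetyRefusal(f"fingerprint mismatch: expected {EXPECTED_FINGERPRINT!r} in {observed!r}")
    if not args.execute:
        return Plan(args.target, "dry-run")
    if not args.yes and not confirm(f"Send live request to {args.target}? [y/N] "):
        raise SafetyRefusal("user abort")
    return Plan(args.target, "execute")


# Constructed fakes standing in for the network and the operator.
def sb6141_banner(_target: str) -> str:
    return "SB6141 Cable Modem Status"


def other_banner(_target: str) -> str:
    return "Generic Router Login"


def refuses(exc_type, fn) -> bool:
    """True if fn() raises exc_type; lets the tests stay free of a pytest.raises dependency."""
    try:
        fn()
    except exc_type:
        return True
    return False


TARGET = ["--target", "192.0.2.10"]  # constructed documentation-range address


def test_dry_run_is_default():  # happy path
    assert preflight(TARGET, sb6141_banner, lambda _: True).mode == "dry-run"


def test_missing_target_is_usage_error():  # edge case: missing argument
    assert refuses(UsageError, lambda: preflight([], sb6141_banner, lambda _: True))


def test_fingerprint_mismatch_refuses():  # edge case: wrong device
    assert refuses(SafetyRefusal, lambda: preflight(TARGET + ["--execute"], other_banner, lambda _: True))


def test_user_abort_refuses():  # edge case: operator answers "no"
    assert refuses(SafetyRefusal, lambda: preflight(TARGET + ["--execute"], sb6141_banner, lambda _: False))


def test_yes_does_not_bypass_fingerprint():  # regression test for the assumed v0.3 bug
    assert refuses(SafetyRefusal, lambda: preflight(TARGET + ["--execute", "--yes"], other_banner, lambda _: True))
    # --yes skips only the prompt: confirm is never called, and the plan executes
    assert preflight(TARGET + ["--execute", "--yes"], sb6141_banner, lambda _: False).mode == "execute"
```

Save it as a test_*.py file and run pytest from the repo root. Because the network and stdin are replaced by injected callables, the suite runs offline, which is also what lets the regression test prove that --yes skips the prompt but never the fingerprint check.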

Part 3: The instructor's checklist (15 min)

The instructor uses a standard checklist; transparency about the checklist helps you self-review:

Capstone Workshop Gap Identification, ADV-101 Cohort <X>, Student <Y>

## Tool v0.3 -> v1.0

- [ ] pyproject.toml present with PEP 621 metadata
- [ ] LICENSE file (MIT or Apache 2.0)
- [ ] CHANGELOG.md with 0.1 / 0.2 / 0.3 / 1.0 sections
- [ ] README.md ~200 words with install + usage + safety controls
- [ ] `[project.scripts]` entry point so `sb6141-csrf` is a callable command
- [ ] pytest suite: happy paths + 3+ edge cases + 1+ regression
- [ ] All Lab 5 + Lab 7 safety controls present and enforced
- [ ] Inline docstrings on every public function
- [ ] SECURITY-MODEL.md documenting the safety-control rationale

## Disclosure report

- [ ] All 12 CERT/CC sections present
- [ ] CVSS vector + per-metric justification (from Lab 8 + adversarial-review updates)
- [ ] Reproduction steps reproducible by a peer
- [ ] Negative scope specific to SB6141 case (not generic Lab 9 template)
- [ ] Remediation realistic given SB6141 EOL status
- [ ] Mitigation actionable for current SB6141 operators
- [ ] Disclosure timeline documents the vendor-coordination scenario described in Part 2 (vendor unresponsive; published per the 90-day CVD default; academic-research authorization)

## Defense readiness

- [ ] Demo script with `sb6141-csrf --help` + one dry-run + one mock execution path
- [ ] One mock defense run (with a cohort peer)
- [ ] Anticipated-question list with prepared answers (5+ questions)
- [ ] Reflective-depth paragraph: bug found and fixed
- [ ] Reflective-depth paragraph: what you would do differently
- [ ] Lab portfolio current; Week 1 through Week 10 sessions entered

Gaps identified for Week 12-13 work:

(written list; specific; bounded; agreed by instructor + student)
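To self-review the Tool section of that checklist before the meeting, here is an added example script (not part of the course materials) that inspects a repository for the file-level items: PEP 621 metadata in pyproject.toml, a sb6141-csrf entry under [project.scripts], pinned dependencies, LICENSE, CHANGELOG sections for 0.1/0.2/0.3/1.0, README headings, SECURITY-MODEL.md. It builds two constructed sample repos, one v0.3-shaped and one v1.0-shaped, to show the output. The module path sb6141_csrf.cli:main, the README word-count floor and the heading names it looks for are assumptions of this example, not course rules; the rows that need a human (docstrings, safety controls enforced) stay on the punch-list.

```python
"""Self-review of the packaging rows on the instructor's checklist (added example, not course code)."""
import re
import tempfile
from pathlib import Path

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # assumption: older interpreters have the tomli backport installed
    import tomli as tomllib

REQUIRED_FILES = ("pyproject.toml", "LICENSE", "CHANGELOG.md", "README.md", "SECURITY-MODEL.md")
CHANGELOG_VERSIONS = ("0.1", "0.2", "0.3", "1.0")
ENTRY_POINT = "sb6141-csrf"
ACCEPTED_LICENSES = {"MIT", "Apache-2.0"}
MIN_README_WORDS = 150  # assumption: the checklist's "~200 words" read as a floor of 150


def _license_gap(field):
    """PEP 621: license = {text = ...} or {file = ...}; PEP 639: a bare SPDX string."""
    if isinstance(field, str) and field in ACCEPTED_LICENSES:
        return None
    if isinstance(field, dict) and ("file" in field or field.get("text") in ACCEPTED_LICENSES):
        return None
    return "pyproject.toml: license is not MIT or Apache-2.0"


def packaging_gaps(repo: Path) -> list:
    """Return the checklist items the repo still lacks; an empty list means the packaging rows pass."""
    gaps = [f"missing {name}" for name in REQUIRED_FILES if not (repo / name).is_file()]

    if (repo / "pyproject.toml").is_file():
        project = tomllib.loads((repo / "pyproject.toml").read_text()).get("project", {})
        for key in ("name", "version", "description", "readme", "license", "dependencies"):
            if key not in project:
                gaps.append(f"pyproject.toml: [project] lacks {key!r}")
        if "license" in project and (gap := _license_gap(project["license"])):
            gaps.append(gap)
        if ENTRY_POINT not in project.get("scripts", {}):
            gaps.append(f"pyproject.toml: no [project.scripts] entry named {ENTRY_POINT}")
        for dep in project.get("dependencies", []):
            if not re.search(r"[<>=~!]", dep):  # a bare name such as "requests" is unpinned
                gaps.append(f"pyproject.toml: dependency {dep!r} has no version constraint")

    if (repo / "CHANGELOG.md").is_file():
        text = (repo / "CHANGELOG.md").read_text()
        for version in CHANGELOG_VERSIONS:  # accepts "## 0.3", "## [0.3]" and "## v0.3"
            if not re.search(rf"(?m)^#+\s*\[?v?{re.escape(version)}\b", text):
                gaps.append(f"CHANGELOG.md: no section for {version}")

    if (repo / "README.md").is_file():
        text = (repo / "README.md").read_text()
        if len(text.split()) < MIN_README_WORDS:
            gaps.append(f"README.md: under {MIN_README_WORDS} words")
        for topic in ("install", "usage", "safety"):  # assumption: one heading per topic
            if not re.search(rf"(?im)^#+.*\b{topic}", text):
                gaps.append(f"README.md: no '{topic}' heading")
    return gaps


# Constructed sample files for the demo; the cli:main module path is an assumption.
PYPROJECT_V10 = """
[project]
name = "sb6141-csrf"
version = "1.0.0"
description = "Constructed sample metadata for the demo"
readme = "README.md"
license = {file = "LICENSE"}
dependencies = ["requests==2.31.0"]

[project.scripts]
sb6141-csrf = "sb6141_csrf.cli:main"
"""
CHANGELOG_V10 = "# Changelog\n\n## [1.0.0]\n- packaging\n\n## [0.3]\n- rollback stub\n\n## [0.2]\n- dry-run\n\n## [0.1]\n- initial\n"
README_V10 = "# sb6141-csrf\n\n## Install\n\n## Usage\n\n## Safety controls\n\n" + " ".join(["filler"] * 160)


def build_sample_repo(root: Path, *, complete: bool) -> Path:
    """Write a v1.0-shaped repo, or a v0.3-shaped one with only the Lab 4 README stub."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "README.md").write_text(README_V10 if complete else "# sb6141-csrf\n\nREADME stub from Lab 4\n")
    if complete:
        (root / "pyproject.toml").write_text(PYPROJECT_V10)
        (root / "LICENSE").write_text("MIT License (constructed placeholder)\n")
        (root / "CHANGELOG.md").write_text(CHANGELOG_V10)
        (root / "SECURITY-MODEL.md").write_text("# Safety controls\n")
    return root


def demo() -> dict:
    """Build both sample repos in a temporary directory and return their gap lists."""
    with tempfile.TemporaryDirectory() as tmp:
        v03 = build_sample_repo(Path(tmp) / "v03", complete=False)
        v10 = build_sample_repo(Path(tmp) / "v10", complete=True)
        return {"v0.3": packaging_gaps(v03), "v1.0": packaging_gaps(v10)}


if __name__ == "__main__":
    for label, gaps in demo().items():
        print(f"{label}: {len(gaps)} gap(s)", *gaps, sep="\n  ")
```

Point packaging_gaps() at your own checkout (Path("~/adv-101/lab-7").expanduser(), or wherever the tool lives) and paste the output into the prep notes you bring to the meeting; every line it prints is a punch-list item you already know about before the instructor names it.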

Part 4: Defense-prep introduction (10 min)

  • Defense format. 20 minutes per student. 8 minutes student presentation; 12 minutes panel Q&A. Three-reviewer panel: ADV-101 instructor; academy alumnus; external practitioner.
  • Presentation structure. What the tool does; live demo of --help and --dry-run; one safety-control walkthrough; report key sections; reflective bug-paragraph; reflective what-would-you-do-differently-paragraph.
  • Q&A categories. Technical (about the CSRF mechanism); safety (about the controls); CVSS (about your score); disclosure (about the CVD); ethics (about the framework); limits (about future work).
  • Practice. Pair with a cohort peer in Week 12; do a 20-minute mock defense; trade roles; iterate.

Disclosure-Ethics Sidebar

Norm system; what Week 11 means for it; what the workshop does:

  • Responsible disclosure. Week 11: the disclosure draft becomes the capstone deliverable. Workshop: catches gaps before the deliverable is graded.
  • Academic ethics. Week 11: the capstone is the academy's published exemplar of student work. Workshop: ensures the exemplar reflects the academy's discipline.
  • Legal authorization. Week 11: the capstone tool is shipped (potentially publicly). Workshop: verifies the tool's safety controls before release.

The workshop is the cheap-catch-versus-expensive-catch tradeoff. Use the workshop.

Labs (~3 hr)

Lab 11: Capstone Workshop (labs/lab-11-workshop.md)

  • Goal: schedule + complete the 30-minute scope-check meeting with the instructor; produce the written punch-list; document the capstone-scope acceptance
  • Time: ~3 hr (90 min prep; 30 min meeting; 60 min punch-list synthesis)
  • Artifact: lab-11/workshop-punch-list.md + signed lab-11/scope-acceptance.md in ~/adv-101/lab-11/

Independent practice (~5 hr)

  1. Mock defense with a peer (2 hr). Each of you delivers a 20-minute defense; the other plays panelist. Trade roles. The exercise catches the gaps that the workshop missed.
  2. Package research (1 hr). Read three open-source Python packages' pyproject.toml files (requests; pytest; any small academy-suitable tool). Notice the structure; you mirror it for your v1.0.
  3. Schneier A Hacker's Mind Ch 19 (45 min). Bridges to the capstone work; argues for shipping completeness rather than perfection.
  4. README review (45 min). Read three open-source README files (a small tool of your choice; httpx; rich). Notice the install-then-usage structure; the worked example pattern.
  5. Punch-list timeboxing (30 min). Take the workshop's punch-list; estimate how long each item will take in Weeks 12-13. If the total exceeds 30 hours, trim scope; surface to instructor.

Reflection prompts (~30 min)

  1. The workshop produces a written punch-list. Did anything surprise you in the gap-identification? If yes, what?
  2. You will close gaps in Weeks 12-13. Which gap will be hardest? Why?
  3. The defense panel reviews three artifacts (tool, report, oral). Which do you feel most confident about? Least?
  4. If the capstone deadline slipped by a week, what would you add to the tool or report? Why is it not in the current scope?
  5. One thing from this week you want to know more about?

Adversary Diary (Week 11)

New entries:

  • PEP 621 at https://peps.python.org/pep-0621/. Python package metadata standard.
  • choosealicense.com at https://choosealicense.com/. License-picker quick reference.
  • pyproject.toml real-world examples (from independent-practice item 2).
  • Capstone workshop punch-list template (from this week's lab; reusable for any future ship-readiness review).

What would a reviewer ask?

  1. "Walk me through your capstone punch-list. Which items are blocking; which are nice-to-have?"
  2. "If you had to cut one item from the punch-list, which would you cut? Defend."
  3. "What did your mock defense surface? Does that match what the panel is likely to probe?"

What comes next

Weeks 12-13 are the capstone. No lecture; instructor office hours; you build, document, polish, defend. Week 13 final session is the defense (20 minutes per student). After defense: the course is over; you are a Belt-4 ADV-101 graduate.