diff --git a/docs/implplan/SPRINT_0300_0001_0001_documentation_process.md b/docs/implplan/SPRINT_0300_0001_0001_documentation_process.md index e412ce0a0..ee27d2492 100644 --- a/docs/implplan/SPRINT_0300_0001_0001_documentation_process.md +++ b/docs/implplan/SPRINT_0300_0001_0001_documentation_process.md 
@@ -1,131 +1,131 @@ -# Sprint 0300 · Documentation & Process - -## Topic & Scope -- Govern documentation process ladder, keeping Docs Tasks Md.I (Sprint 301) and follow-on Md phases sequenced and resourced. -- Coordinate module dossier refreshes once Docs Tasks Md ladder has progressed enough to support them. -- Working directory: `docs/implplan` (coordination across documentation streams). - -## Dependencies & Concurrency -- Requires upstream enablement from Sprint 100.A (Attestor), 110.A (Advisory AI), 120.A (AirGap), 130.A (Scanner), 140.A (Graph), 150.A (Orchestrator), 160.A (Evidence Locker), 170.A (Notifier), 180.A (CLI), and 190.A (Ops Deployment). -- 300-decade streams remain independent after prerequisites are met; avoid intra-decade coupling. - -## Documentation Prerequisites -- `docs/implplan/README.md` -- `docs/modules/platform/architecture-overview.md` -- `docs/README.md` - -## Delivery Tracker -| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | -| --- | --- | --- | --- | --- | --- | -| 1 | DOCS-TASKS-MD-200.A | BLOCKED (2025-11-19) | Attestor 100.A; Advisory AI 110.A; AirGap 120.A; Scanner 130.A; Graph 140.A; Orchestrator 150.A; EvidenceLocker 160.A; Notifier 170.A; CLI 180.A; Ops Deployment 190.A | Docs Guild · Ops Guild | Await upstream artefacts (SBOM/CLI/Policy/AirGap determinism) before Md.I template rollout can continue. | -| 2 | DOCS-DOSSIERS-200.B | BLOCKED (2025-12-05) | Docs Tasks Md ladder to at least Md.II; Ops deployment evidence | Docs Guild · Module Guild owners | Module dossier refreshes queued until Docs Tasks Md ladder provides updated process and assets. | -| 3 | Developer quickstart advisory sync | DONE (2025-12-05) | 29-Nov-2025 advisory + onboarding doc draft | Docs Guild | Publish onboarding quickstart advisory + `docs/onboarding/dev-quickstart.md`; update `docs/README.md`, `modules/platform/architecture-overview.md`, `ADVISORY_INDEX.md`; confirm sprint/AGENTS references per advisory workflow. 
| -| 4 | Acceptance tests guardrails sync | DONE (2025-12-05) | 29-Nov-2025 advisory + checklist draft | Docs Guild · QA Guild | Publish Acceptance Tests Pack advisory, cross-link to sprint/guardrail docs, capture sprint board checklist for CI/DB/rew definitions; track AT1–AT10 gaps (`31-Nov-2025 FINDINGS.md`); align schema/signing/offline pack + reporting SLOs. | -| 5 | AT-GAPS-300-012 | DONE (2025-12-05) | 29-Nov-2025 acceptance pack | Docs Guild · QA Guild | Close AT1–AT10: signed acceptance-pack schema, deterministic fixtures/seeds, expanded coverage (admission/VEX/auth), DSSE provenance + offline guardrail-pack, gating threshold schema, replay parity checks, policy DSSE negative tests, PITR rehearsal automation, and SLO-backed reporting. | -| 6 | SBOM-VEX-GAPS-300-013 | DONE (2025-12-05) | 29-Nov-2025 SBOM→VEX blueprint | Platform Guild · Docs Guild · Evidence/Policy Guilds | Close BP1–BP10: signed schemas + chain hash recipe, predicate alignment, inputs.lock/idempotency, Rekor routing/bundles, offline sbom-vex kit with verify script/time anchor, error/backpressure policy, policy/tenant binding, golden fixtures, and integrity/SLO monitoring. | -| 7 | SCA-FIXTURE-GAPS-300-014 | DONE (2025-12-05) | 29-Nov-2025 SCA failure catalogue | Docs Guild · QA Guild · Scanner Guild | Close FC1–FC10: signed deterministic fixture pack, seeds/UTC builds, expanded coverage (DB/schema drift, parity checks, VEX/graph drift, offline updater), result schema, offline/no-network mode, tool/version matrix, reporting SLOs, CI wiring, provenance/licensing notes, README links in AGENTS/sprints. | -| 8 | ONBOARD-GAPS-300-015 | DONE (2025-12-05) | 29-Nov-2025 mid-level .NET onboarding | Docs Guild · DevOnboarding Guild | Close OB1–OB10: expand quick-start with prerequisites/offline steps, determinism/DSSE/secret handling, DB matrix, UI gap note, linked starter issues, Rekor/mirror workflow, contribution checklist, and doc cross-links; publish updated doc and references in AGENTS/sprints. 
| -| 9 | EVIDENCE-PATTERNS-GAPS-300-016 | DONE (2025-12-05) | 30-Nov-2025 comparative evidence patterns | Docs Guild · UI Guild · Policy/Export Guilds | Close CE1–CE10: evidence/suppression/export schemas with canonical rules, unified suppression/VEX model, justification/expiry taxonomy, offline evidence-kit, a11y requirements, observability metrics, suppressed visibility policy, fixtures, and versioned change control. | -| 10 | ECOSYS-FIXTURES-GAPS-300-017 | DONE (2025-12-05) | 30-Nov-2025 ecosystem reality test cases | QA Guild · Scanner Guild · Docs Guild | Close ET1–ET10: signed fixture pack + expected-result schema, deterministic builds/seeds, secret-leak assertions, offline/no-network enforcement, version matrix + DB pinning, SBOM parity thresholds, CI ownership/SLOs, provenance/licensing, retention/redaction policy, ID/CVSS normalization utilities. | -| 11 | IMPLEMENTOR-GAPS-300-018 | DONE (2025-12-05) | 30-Nov-2025 implementor guidelines | Docs Guild · Platform Guild | Close IG1–IG10: publish enforceable checklist + CI lint (docs-touch or `docs: n/a`), schema/versioning change control, determinism/offline/secret/provenance requirements, perf/quota tests, boundary/shared-lib rules, AGENTS/sprint linkages, and sample lint scripts under `docs/process/implementor-guidelines.md`. | -| 12 | STANDUP-GAPS-300-019 | DONE (2025-12-05) | 30-Nov-2025 standup sprint kickstarters | Docs Guild · Ops Guild | Close SK1–SK10: kickstarter template alignment with sprint template, readiness evidence checklist, dependency ledger with owners/SLOs, time-box/exit rules, async/offline workflow, Execution Log updates, decisions/risks delta capture, metrics (blocker clear rate/latency), role assignment, and lint/checks to enforce completion. 
| -| 13 | ARCHIVED-GAPS-300-020 | DONE (2025-12-05) | 15–23 Nov archived advisories | Docs Guild · Architecture Guild | Decide which archived advisories to revive; close AR-* gaps (`31-Nov-2025 FINDINGS.md`): publish canonical schemas/recipes (provenance, reachability, PURL/Build-ID), licensing/manifest rules, determinism seeds/SLOs, redaction/isolation, changelog/checkpoint signing, supersede duplicates (SBOM-Provenance-Spine, archived VB reachability), and document PostgreSQL storage blueprint guardrails. | -| 14 | Plugin architecture gaps remediation | DONE (2025-12-05) | 28-Nov-2025 plugin advisory | Docs Guild · Module Guilds (Authority/Scanner/Concelier) | Close PL1–PL10 (`31-Nov-2025 FINDINGS.md`): publish signed schemas/capability catalog, sandbox/resource limits, provenance/SBOM + DSSE verification, determinism harness, compatibility matrix, dependency/secret rules, crash kill-switch, offline kit packaging/verify script, signed plugin index with revocation/CVE data. | -| 15 | CVSS v4.0 momentum sync | DONE (2025-12-05) | 29-Nov-2025 advisory + briefing draft | Docs Guild | Publish CVSS v4.0 momentum briefing, highlight adoption signals, and link to sprint decisions for `SPRINT_0190.*` and docs coverage. | -| 16 | SBOM→VEX proof blueprint sync | DONE (2025-12-05) | 29-Nov-2025 advisory + blueprint draft | Docs Guild | Publish SBOM→VEX blueprint, link to platform/blueprint docs, and capture diagram/stub updates for DSSE/Rekor/VEX. | -| 17 | SCA failure catalogue sync | DONE (2025-12-05) | 29-Nov-2025 advisory + catalogue draft | Docs Guild | Publish SCA failure catalogue, reference the concrete regressions, and tie test-vector guidance back into sprint risk logs. | -| 18 | Implementor guidelines sync | DONE (2025-12-05) | 30-Nov-2025 advisory + checklist draft | Docs Guild | Publish the Implementor Guidelines advisory, note the checklist extraction, and mention the doc in sprint/AGENTS references. 
| -| 19 | Rekor receipt checklist sync | DONE (2025-12-05) | 30-Nov-2025 advisory + checklist draft | Docs Guild | Publish the Rekor Receipt Checklist, update module docs (Authority/Sbomer/Vexer) with ownership map, and highlight offline metadata requirements. | -| 20 | Unknowns decay/triage sync | DONE (2025-12-05) | 30-Nov-2025 advisory + heuristic draft | Docs Guild | Publish the Unknowns Decay & Triage brief, link to UnknownsRegistry docs, and capture UI artifacts for cards + queue exports. | -| 21 | Ecosystem reality test cases sync | DONE (2025-12-05) | 30-Nov-2025 advisory + test spec draft | Docs Guild | Publish the Ecosystem Reality Test Cases advisory, link each incident to an acceptance test, and note exported artifacts/commands. | -| 22 | Standup sprint kickstarters sync | DONE (2025-12-05) | 30-Nov-2025 advisory + task plan draft | Docs Guild | Publish the Standup Sprint Kickstarters advisory, surface ticket names, and tie the tasks into MSC sprint logs. | -| 23 | Evidence + suppression pattern sync | DONE (2025-12-05) | 30-Nov-2025 advisory + comparison draft | Docs Guild | Publish the Comparative Evidence Patterns advisory, highlight the UX/data-model takeaways, and reference doc links per tool. | - -## Wave Coordination -- Single wave for documentation process; sequencing gated by completion of Docs Tasks Md ladder milestones. - -## Wave Detail Snapshots -- No wave snapshots yet; capture once the Md ladder opens subsequent waves (Md.II onward). - -## Interlocks -- BLOCKED tasks must be traced via `BLOCKED_DEPENDENCY_TREE.md` before work starts. -- Maintain deterministic ordering and status updates across related 300-series sprints. - -## Action Tracker -| Action | Due (UTC) | Owner(s) | Notes | -| --- | --- | --- | --- | -| Evidence drop for tasks 3/4/15/16/17 | 2025-12-05 | Docs Guild | Completed (see Execution Log). | -| Evidence drop for tasks 18–23 | 2025-12-05 | Docs Guild | Completed (see Execution Log). 
| -| Evidence drop for tasks 5–14 | 2025-12-05 | Docs Guild | Completed; artefacts logged; tasks marked DONE. | -| Monitor Docs Tasks ladder for Md.II signal | 2025-12-12 | Docs Guild | Flip DOCS-DOSSIERS-200.B to DOING once Md.II and Ops evidence land. | - -## Execution Log -| Date (UTC) | Update | Owner | -| --- | --- | --- | -| 2025-11-13 | Sprint 300 switched to topic-oriented template; Docs Tasks Md ladder marked DOING to reflect ongoing restructuring work. | Docs Guild | -| 2025-11-19 | Marked Docs Tasks Md ladder BLOCKED pending upstream artefacts for Md.I dossier rollouts. | Implementer | -| 2025-11-30 | Added the 29-Nov-2025 Developer Quickstart advisory, `docs/onboarding/dev-quickstart.md`, and cross-links (README/platform/ADVISORY_INDEX); created advisory sync task row. | Docs Guild | -| 2025-11-30 | Added the 29-Nov-2025 Acceptance Tests Pack advisory and checklist; noted new task row for guardrail sprint artifacts. | Docs Guild | -| 2025-11-30 | Added the 29-Nov-2025 CVSS v4.0 Momentum advisory and indexed the adoption briefing; noted sprint sync row for CVSS momentum context. | Docs Guild | -| 2025-11-30 | Added the 29-Nov-2025 SCA Failure Catalogue advisory and indexed the concrete test vectors; noted sprint sync row for failure catalog references. | Docs Guild | -| 2025-11-30 | Added the 29-Nov-2025 SBOM→VEX Proof Blueprint advisory and outlined diagram/stub follow-up; logged sprint sync row for the blueprint. | Docs Guild | -| 2025-11-30 | Added the 30-Nov-2025 Rekor Receipt Checklist advisory and noted the ownership/action map for Authority/Sbomer/Vexer. | Docs Guild | -| 2025-11-30 | Added the 30-Nov-2025 Ecosystem Reality Test Cases advisory (credential leak, Trivy offline DB, SBOM parity, Grype divergence) and logged the acceptance test intent. | Docs Guild | -| 2025-11-30 | Added the 30-Nov-2025 Unknowns Decay & Triage advisory and noted UI + export artifacts for UnknownsRegistry + queues. 
| Docs Guild | -| 2025-11-30 | Added the 30-Nov-2025 Standup Sprint Kickstarters advisory, highlighting the three unblocker tasks/tickets and the proposed owners. | Docs Guild | -| 2025-11-30 | Added the 30-Nov-2025 Comparative Evidence Patterns advisory and recorded cross-tool evidence/suppression nuggets for UX designers. | Docs Guild | -| 2025-11-30 | Added the 30-Nov-2025 Implementor Guidelines advisory and checked the docs + sprint sync references; the row stays TODO until docs link updates finish. | Docs Guild | -| 2025-12-01 | Added AT-GAPS-300-012 to track AT1–AT10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending schema/signing/offline pack updates. | Project Mgmt | -| 2025-12-01 | Added SBOM-VEX-GAPS-300-013 to track BP1–BP10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending chain schema/hash publication and sbom-vex kit design. | Project Mgmt | -| 2025-12-01 | Added SCA-FIXTURE-GAPS-300-014 to track FC1–FC10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending fixture pack/signing/offline gating. | Project Mgmt | -| 2025-12-01 | Added ONBOARD-GAPS-300-015 to track OB1–OB10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending quick-start expansion and cross-links. | Project Mgmt | -| 2025-12-01 | Added EVIDENCE-PATTERNS-GAPS-300-016 to track CE1–CE10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending evidence/suppression schema work and offline kit design. | Project Mgmt | -| 2025-12-01 | Added ECOSYS-FIXTURES-GAPS-300-017 to track ET1–ET10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending fixture pack creation and CI wiring. | Project Mgmt | -| 2025-12-01 | Added IMPLEMENTOR-GAPS-300-018 to track IG1–IG10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending enforceable checklist/CI gates rollout. 
| Project Mgmt | -| 2025-12-01 | Added STANDUP-GAPS-300-019 to track SK1–SK10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending kickstarter template updates, async/offline workflows, metrics, and lint enforcement. | Project Mgmt | -| 2025-12-01 | Added ARCHIVED-GAPS-300-020 to triage AR-* gaps from archived advisories (15–23 Nov 2025); status TODO pending decision on which to revive and schema/recipe publication. | Project Mgmt | -| 2025-12-01 | Added plugin architecture gaps remediation row (PL1–PL10 from `31-Nov-2025 FINDINGS.md`); owners Docs Guild + module guilds (Authority/Scanner/Concelier); status TODO pending schema/capability catalog and sandbox/provenance updates. | Project Mgmt | -| 2025-12-02 | Clarified IMPLEMENTOR-GAPS-300-018 to require CI lint for docs touch or `docs: n/a`, determinism/offline/secret/provenance checks, perf/quota tests, boundary rules, AGENTS/sprint links, and sample scripts path. | Project Mgmt | -| 2025-12-05 | Normalised sprint to standard template and renamed from `SPRINT_300_documentation_process.md` to `SPRINT_0300_0001_0001_documentation_process.md`. | Project Mgmt | -| 2025-12-05 | Moved tasks 3 (Developer quickstart), 4 (Acceptance guardrails), 15 (CVSS v4.0), 16 (SBOM→VEX blueprint), 17 (SCA failure catalogue) to DOING to accelerate advisory sync evidence. | Project Mgmt | -| 2025-12-05 | Moved tasks 18–23 (Implementor guidelines, Rekor receipt, Unknowns decay, Ecosystem reality tests, Standup kickstarters, Evidence patterns) to DOING to maintain advisory sync momentum. | Project Mgmt | -| 2025-12-05 | Moved tasks 5–14 (AT gaps, SBOM-VEX gaps, SCA fixtures, Onboarding gaps, Evidence patterns gaps, Ecosystem fixtures gaps, Implementor gaps, Standup gaps, Archived gaps, Plugin gaps) to DOING to keep remediation tracks active in parallel. | Project Mgmt | -| 2025-12-05 | Added Action Tracker deadlines for evidence drops (tasks 3/4/15/16/17 by 12-08, tasks 18–23 by 12-09, tasks 5–14 by 12-10). 
| Project Mgmt | -| 2025-12-05 | Completed advisories/stubs for tasks 3, 4, 15, 16, 17; statuses flipped to DONE with artefact placeholders (diagram, verify script, fixture/pack READMEs, guardrails checklist). | Docs Guild | -| 2025-12-05 | Published 30-Nov-2025 advisories (Implementor Guidelines, Rekor Receipt Checklist, Unknowns Decay & Triage, Ecosystem Reality Test Cases, Standup Sprint Kickstarters, Comparative Evidence Patterns) and marked tasks 18–23 DONE. | Docs Guild | -| 2025-12-05 | Added stubs for tasks 5–14 (chain hash recipe, inputs.lock placeholders, implementor checklist + lint stub, standup checklist, evidence/suppression gaps stub, archived revival plan, plugin harness) to keep remediation tracks moving. | Docs Guild | -| 2025-12-05 | Added acceptance pack manifest stub, SCA fixture expected sample, SBOM→VEX verifier/chain example, plugin index stub, and expanded implementor/standup guidance to advance tasks 5–14. | Docs Guild | -| 2025-12-05 | Updated SBOM→VEX verify script to include SBOM+VEX in chain hash; added chain hash echo; enriched standup checklist with DSSE-signed summary requirement. | Docs Guild | -| 2025-12-05 | Added AT1–AT10 expected stubs and FC1–FC5 fixture expected stubs to accelerate acceptance/SCA remediation before 2025-12-10 checkpoint. | Docs Guild | -| 2025-12-05 | Added DSSE manifest stubs for AT pack and FC1–FC5 fixtures; updated guardrails checklist to reference pack DSSE. | Docs Guild | -| 2025-12-05 | Pinned inputs.lock for AT pack and SCA fixtures; embedded base64 payload into pack DSSE manifest to demonstrate provenance path. | Docs Guild | -| 2025-12-05 | Added deterministic stub fixtures + expected outputs for AT1–AT10 and FC1–FC5 with DSSE manifests; marked tasks 5 and 7 DONE pending full signatures. 
| Docs Guild | -| 2025-12-05 | Added SBOM→VEX kit stubs (inputs.lock, proof manifest, README), onboarding contribution checklist + matrix, evidence suppression schema stub, plugin capability catalog, archived revival candidates, and standup summary sample to keep tasks 6/8/9/10/11/12/13/14 moving. | Docs Guild | -| 2025-12-05 | Completed remaining tasks: SBOM→VEX kit with chain hash, onboarding checklist/matrix, evidence suppression schema, plugin catalog/index, archived revival list, standup DSSE sample; flipped tasks 6 and 8–14 to DONE. | Docs Guild | -| 2025-12-05 | Marked DOCS-DOSSIERS-200.B BLOCKED pending Docs Tasks ladder reaching Md.II and Ops deployment evidence. | Docs Guild | -| 2025-12-05 | Scheduled Md.II readiness checkpoint (2025-12-12) to unblock dossier work once ladder advances. | Project Mgmt | -| 2025-12-05 | Completed all action tracker evidence drops (rows 3/4/5/15/16/17/18–23/5–14) and added Md.II monitoring action. | Project Mgmt | -| 2025-12-05 | Published 29-Nov-2025 advisories (dev quickstart, acceptance guardrails, CVSS v4 momentum, SBOM→VEX blueprint, SCA failure catalogue) plus stub assets (verify script, diagram placeholder, fixture/pack READMEs, guardrails checklist); evidence paths recorded. | Docs Guild | -| 2025-12-05 | Set daily evidence cadence for all DOING tasks; expect artefact drops before each checkpoint and status flips upon proof-of-work. | Project Mgmt | - -## Decisions & Risks -| Item | Type | Owner(s) | Due | Notes | -| --- | --- | --- | --- | --- | -| Confirm sequencing gates between Md.I and module dossiers | Decision | Docs Guild · Module guild leads | 2025-11-18 | Needed before opening 312–335 sprints. | -| Docs capacity constrained while Md.I remains open | Risk | Docs Guild | Ongoing | Track velocity; request backup writers if Md.I exceeds 2-week window. 
| - -## Next Checkpoints -| Date (UTC) | Session | Goal | Owner(s) | -| --- | --- | --- | --- | -| 2025-11-15 | Docs ladder stand-up | Review Md.I progress, confirm readiness to open Md.II (Sprint 302). | Docs Guild | -| 2025-11-18 | Module dossier planning call | Validate prerequisites before flipping dossier sprints to DOING. | Docs Guild · Module guild leads | +# Sprint 0300 · Documentation & Process + +## Topic & Scope +- Govern documentation process ladder, keeping Docs Tasks Md.I (Sprint 301) and follow-on Md phases sequenced and resourced. +- Coordinate module dossier refreshes once Docs Tasks Md ladder has progressed enough to support them. +- Working directory: `docs/implplan` (coordination across documentation streams). + +## Dependencies & Concurrency +- Requires upstream enablement from Sprint 100.A (Attestor), 110.A (Advisory AI), 120.A (AirGap), 130.A (Scanner), 140.A (Graph), 150.A (Orchestrator), 160.A (Evidence Locker), 170.A (Notifier), 180.A (CLI), and 190.A (Ops Deployment). +- 300-decade streams remain independent after prerequisites are met; avoid intra-decade coupling. + +## Documentation Prerequisites +- `docs/implplan/README.md` +- `docs/modules/platform/architecture-overview.md` +- `docs/README.md` + +## Delivery Tracker +| # | Task ID | Status | Key dependency / next step | Owners | Task Definition | +| --- | --- | --- | --- | --- | --- | +| 1 | DOCS-TASKS-MD-200.A | BLOCKED (2025-11-19) | Attestor 100.A; Advisory AI 110.A; AirGap 120.A; Scanner 130.A; Graph 140.A; Orchestrator 150.A; EvidenceLocker 160.A; Notifier 170.A; CLI 180.A; Ops Deployment 190.A | Docs Guild · Ops Guild | Await upstream artefacts (SBOM/CLI/Policy/AirGap determinism) before Md.I template rollout can continue. | +| 2 | DOCS-DOSSIERS-200.B | BLOCKED (2025-12-05) | Docs Tasks Md ladder to at least Md.II; Ops deployment evidence | Docs Guild · Module Guild owners | Module dossier refreshes queued until Docs Tasks Md ladder provides updated process and assets. 
| +| 3 | Developer quickstart advisory sync | DONE (2025-12-05) | 29-Nov-2025 advisory + onboarding doc draft | Docs Guild | Publish onboarding quickstart advisory + `docs/onboarding/dev-quickstart.md`; update `docs/README.md`, `modules/platform/architecture-overview.md`, `ADVISORY_INDEX.md`; confirm sprint/AGENTS references per advisory workflow. | +| 4 | Acceptance tests guardrails sync | DONE (2025-12-05) | 29-Nov-2025 advisory + checklist draft | Docs Guild · QA Guild | Publish Acceptance Tests Pack advisory, cross-link to sprint/guardrail docs, capture sprint board checklist for CI/DB/rew definitions; track AT1–AT10 gaps (`31-Nov-2025 FINDINGS.md`); align schema/signing/offline pack + reporting SLOs. | +| 5 | AT-GAPS-300-012 | DONE (2025-12-05) | 29-Nov-2025 acceptance pack | Docs Guild · QA Guild | Close AT1–AT10: signed acceptance-pack schema, deterministic fixtures/seeds, expanded coverage (admission/VEX/auth), DSSE provenance + offline guardrail-pack, gating threshold schema, replay parity checks, policy DSSE negative tests, PITR rehearsal automation, and SLO-backed reporting. | +| 6 | SBOM-VEX-GAPS-300-013 | DONE (2025-12-05) | 29-Nov-2025 SBOM→VEX blueprint | Platform Guild · Docs Guild · Evidence/Policy Guilds | Close BP1–BP10: signed schemas + chain hash recipe, predicate alignment, inputs.lock/idempotency, Rekor routing/bundles, offline sbom-vex kit with verify script/time anchor, error/backpressure policy, policy/tenant binding, golden fixtures, and integrity/SLO monitoring. | +| 7 | SCA-FIXTURE-GAPS-300-014 | DONE (2025-12-05) | 29-Nov-2025 SCA failure catalogue | Docs Guild · QA Guild · Scanner Guild | Close FC1–FC10: signed deterministic fixture pack, seeds/UTC builds, expanded coverage (DB/schema drift, parity checks, VEX/graph drift, offline updater), result schema, offline/no-network mode, tool/version matrix, reporting SLOs, CI wiring, provenance/licensing notes, README links in AGENTS/sprints. 
| +| 8 | ONBOARD-GAPS-300-015 | DONE (2025-12-05) | 29-Nov-2025 mid-level .NET onboarding | Docs Guild · DevOnboarding Guild | Close OB1–OB10: expand quick-start with prerequisites/offline steps, determinism/DSSE/secret handling, DB matrix, UI gap note, linked starter issues, Rekor/mirror workflow, contribution checklist, and doc cross-links; publish updated doc and references in AGENTS/sprints. | +| 9 | EVIDENCE-PATTERNS-GAPS-300-016 | DONE (2025-12-05) | 30-Nov-2025 comparative evidence patterns | Docs Guild · UI Guild · Policy/Export Guilds | Close CE1–CE10: evidence/suppression/export schemas with canonical rules, unified suppression/VEX model, justification/expiry taxonomy, offline evidence-kit, a11y requirements, observability metrics, suppressed visibility policy, fixtures, and versioned change control. | +| 10 | ECOSYS-FIXTURES-GAPS-300-017 | DONE (2025-12-05) | 30-Nov-2025 ecosystem reality test cases | QA Guild · Scanner Guild · Docs Guild | Close ET1–ET10: signed fixture pack + expected-result schema, deterministic builds/seeds, secret-leak assertions, offline/no-network enforcement, version matrix + DB pinning, SBOM parity thresholds, CI ownership/SLOs, provenance/licensing, retention/redaction policy, ID/CVSS normalization utilities. | +| 11 | IMPLEMENTOR-GAPS-300-018 | DONE (2025-12-05) | 30-Nov-2025 implementor guidelines | Docs Guild · Platform Guild | Close IG1–IG10: publish enforceable checklist + CI lint (docs-touch or `docs: n/a`), schema/versioning change control, determinism/offline/secret/provenance requirements, perf/quota tests, boundary/shared-lib rules, AGENTS/sprint linkages, and sample lint scripts under `docs/process/implementor-guidelines.md`. 
| +| 12 | STANDUP-GAPS-300-019 | DONE (2025-12-05) | 30-Nov-2025 standup sprint kickstarters | Docs Guild · Ops Guild | Close SK1–SK10: kickstarter template alignment with sprint template, readiness evidence checklist, dependency ledger with owners/SLOs, time-box/exit rules, async/offline workflow, Execution Log updates, decisions/risks delta capture, metrics (blocker clear rate/latency), role assignment, and lint/checks to enforce completion. | +| 13 | ARCHIVED-GAPS-300-020 | DONE (2025-12-05) | 15–23 Nov archived advisories | Docs Guild · Architecture Guild | Decide which archived advisories to revive; close AR-* gaps (`31-Nov-2025 FINDINGS.md`): publish canonical schemas/recipes (provenance, reachability, PURL/Build-ID), licensing/manifest rules, determinism seeds/SLOs, redaction/isolation, changelog/checkpoint signing, supersede duplicates (SBOM-Provenance-Spine, archived VB reachability), and document PostgreSQL storage blueprint guardrails. | +| 14 | Plugin architecture gaps remediation | DONE (2025-12-05) | 28-Nov-2025 plugin advisory | Docs Guild · Module Guilds (Authority/Scanner/Concelier) | Close PL1–PL10 (`31-Nov-2025 FINDINGS.md`): publish signed schemas/capability catalog, sandbox/resource limits, provenance/SBOM + DSSE verification, determinism harness, compatibility matrix, dependency/secret rules, crash kill-switch, offline kit packaging/verify script, signed plugin index with revocation/CVE data. | +| 15 | CVSS v4.0 momentum sync | DONE (2025-12-05) | 29-Nov-2025 advisory + briefing draft | Docs Guild | Publish CVSS v4.0 momentum briefing, highlight adoption signals, and link to sprint decisions for `SPRINT_0190.*` and docs coverage. | +| 16 | SBOM→VEX proof blueprint sync | DONE (2025-12-05) | 29-Nov-2025 advisory + blueprint draft | Docs Guild | Publish SBOM→VEX blueprint, link to platform/blueprint docs, and capture diagram/stub updates for DSSE/Rekor/VEX. 
| +| 17 | SCA failure catalogue sync | DONE (2025-12-05) | 29-Nov-2025 advisory + catalogue draft | Docs Guild | Publish SCA failure catalogue, reference the concrete regressions, and tie test-vector guidance back into sprint risk logs. | +| 18 | Implementor guidelines sync | DONE (2025-12-05) | 30-Nov-2025 advisory + checklist draft | Docs Guild | Publish the Implementor Guidelines advisory, note the checklist extraction, and mention the doc in sprint/AGENTS references. | +| 19 | Rekor receipt checklist sync | DONE (2025-12-05) | 30-Nov-2025 advisory + checklist draft | Docs Guild | Publish the Rekor Receipt Checklist, update module docs (Authority/Sbomer/Vexer) with ownership map, and highlight offline metadata requirements. | +| 20 | Unknowns decay/triage sync | DONE (2025-12-05) | 30-Nov-2025 advisory + heuristic draft | Docs Guild | Publish the Unknowns Decay & Triage brief, link to UnknownsRegistry docs, and capture UI artifacts for cards + queue exports. | +| 21 | Ecosystem reality test cases sync | DONE (2025-12-05) | 30-Nov-2025 advisory + test spec draft | Docs Guild | Publish the Ecosystem Reality Test Cases advisory, link each incident to an acceptance test, and note exported artifacts/commands. | +| 22 | Standup sprint kickstarters sync | DONE (2025-12-05) | 30-Nov-2025 advisory + task plan draft | Docs Guild | Publish the Standup Sprint Kickstarters advisory, surface ticket names, and tie the tasks into MSC sprint logs. | +| 23 | Evidence + suppression pattern sync | DONE (2025-12-05) | 30-Nov-2025 advisory + comparison draft | Docs Guild | Publish the Comparative Evidence Patterns advisory, highlight the UX/data-model takeaways, and reference doc links per tool. | + +## Wave Coordination +- Single wave for documentation process; sequencing gated by completion of Docs Tasks Md ladder milestones. + +## Wave Detail Snapshots +- No wave snapshots yet; capture once the Md ladder opens subsequent waves (Md.II onward). 
+ +## Interlocks +- BLOCKED tasks must be traced via `BLOCKED_DEPENDENCY_TREE.md` before work starts. +- Maintain deterministic ordering and status updates across related 300-series sprints. + +## Action Tracker +| Action | Due (UTC) | Owner(s) | Notes | +| --- | --- | --- | --- | +| Evidence drop for tasks 3/4/15/16/17 | 2025-12-05 | Docs Guild | Completed (see Execution Log). | +| Evidence drop for tasks 18–23 | 2025-12-05 | Docs Guild | Completed (see Execution Log). | +| Evidence drop for tasks 5–14 | 2025-12-05 | Docs Guild | Completed; artefacts logged; tasks marked DONE. | +| Monitor Docs Tasks ladder for Md.II signal | 2025-12-12 | Docs Guild | Flip DOCS-DOSSIERS-200.B to DOING once Md.II and Ops evidence land. | + +## Execution Log +| Date (UTC) | Update | Owner | +| --- | --- | --- | +| 2025-11-13 | Sprint 300 switched to topic-oriented template; Docs Tasks Md ladder marked DOING to reflect ongoing restructuring work. | Docs Guild | +| 2025-11-19 | Marked Docs Tasks Md ladder BLOCKED pending upstream artefacts for Md.I dossier rollouts. | Implementer | +| 2025-11-30 | Added the 29-Nov-2025 Developer Quickstart advisory, `docs/onboarding/dev-quickstart.md`, and cross-links (README/platform/ADVISORY_INDEX); created advisory sync task row. | Docs Guild | +| 2025-11-30 | Added the 29-Nov-2025 Acceptance Tests Pack advisory and checklist; noted new task row for guardrail sprint artifacts. | Docs Guild | +| 2025-11-30 | Added the 29-Nov-2025 CVSS v4.0 Momentum advisory and indexed the adoption briefing; noted sprint sync row for CVSS momentum context. | Docs Guild | +| 2025-11-30 | Added the 29-Nov-2025 SCA Failure Catalogue advisory and indexed the concrete test vectors; noted sprint sync row for failure catalog references. | Docs Guild | +| 2025-11-30 | Added the 29-Nov-2025 SBOM→VEX Proof Blueprint advisory and outlined diagram/stub follow-up; logged sprint sync row for the blueprint. 
| Docs Guild | +| 2025-11-30 | Added the 30-Nov-2025 Rekor Receipt Checklist advisory and noted the ownership/action map for Authority/Sbomer/Vexer. | Docs Guild | +| 2025-11-30 | Added the 30-Nov-2025 Ecosystem Reality Test Cases advisory (credential leak, Trivy offline DB, SBOM parity, Grype divergence) and logged the acceptance test intent. | Docs Guild | +| 2025-11-30 | Added the 30-Nov-2025 Unknowns Decay & Triage advisory and noted UI + export artifacts for UnknownsRegistry + queues. | Docs Guild | +| 2025-11-30 | Added the 30-Nov-2025 Standup Sprint Kickstarters advisory, highlighting the three unblocker tasks/tickets and the proposed owners. | Docs Guild | +| 2025-11-30 | Added the 30-Nov-2025 Comparative Evidence Patterns advisory and recorded cross-tool evidence/suppression nuggets for UX designers. | Docs Guild | +| 2025-11-30 | Added the 30-Nov-2025 Implementor Guidelines advisory and checked the docs + sprint sync references; the row stays TODO until docs link updates finish. | Docs Guild | +| 2025-12-01 | Added AT-GAPS-300-012 to track AT1–AT10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending schema/signing/offline pack updates. | Project Mgmt | +| 2025-12-01 | Added SBOM-VEX-GAPS-300-013 to track BP1–BP10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending chain schema/hash publication and sbom-vex kit design. | Project Mgmt | +| 2025-12-01 | Added SCA-FIXTURE-GAPS-300-014 to track FC1–FC10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending fixture pack/signing/offline gating. | Project Mgmt | +| 2025-12-01 | Added ONBOARD-GAPS-300-015 to track OB1–OB10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending quick-start expansion and cross-links. | Project Mgmt | +| 2025-12-01 | Added EVIDENCE-PATTERNS-GAPS-300-016 to track CE1–CE10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending evidence/suppression schema work and offline kit design. 
| Project Mgmt | +| 2025-12-01 | Added ECOSYS-FIXTURES-GAPS-300-017 to track ET1–ET10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending fixture pack creation and CI wiring. | Project Mgmt | +| 2025-12-01 | Added IMPLEMENTOR-GAPS-300-018 to track IG1–IG10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending enforceable checklist/CI gates rollout. | Project Mgmt | +| 2025-12-01 | Added STANDUP-GAPS-300-019 to track SK1–SK10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending kickstarter template updates, async/offline workflows, metrics, and lint enforcement. | Project Mgmt | +| 2025-12-01 | Added ARCHIVED-GAPS-300-020 to triage AR-* gaps from archived advisories (15–23 Nov 2025); status TODO pending decision on which to revive and schema/recipe publication. | Project Mgmt | +| 2025-12-01 | Added plugin architecture gaps remediation row (PL1–PL10 from `31-Nov-2025 FINDINGS.md`); owners Docs Guild + module guilds (Authority/Scanner/Concelier); status TODO pending schema/capability catalog and sandbox/provenance updates. | Project Mgmt | +| 2025-12-02 | Clarified IMPLEMENTOR-GAPS-300-018 to require CI lint for docs touch or `docs: n/a`, determinism/offline/secret/provenance checks, perf/quota tests, boundary rules, AGENTS/sprint links, and sample scripts path. | Project Mgmt | +| 2025-12-05 | Normalised sprint to standard template and renamed from `SPRINT_300_documentation_process.md` to `SPRINT_0300_0001_0001_documentation_process.md`. | Project Mgmt | +| 2025-12-05 | Moved tasks 3 (Developer quickstart), 4 (Acceptance guardrails), 15 (CVSS v4.0), 16 (SBOM→VEX blueprint), 17 (SCA failure catalogue) to DOING to accelerate advisory sync evidence. | Project Mgmt | +| 2025-12-05 | Moved tasks 18–23 (Implementor guidelines, Rekor receipt, Unknowns decay, Ecosystem reality tests, Standup kickstarters, Evidence patterns) to DOING to maintain advisory sync momentum. 
| Project Mgmt | +| 2025-12-05 | Moved tasks 5–14 (AT gaps, SBOM-VEX gaps, SCA fixtures, Onboarding gaps, Evidence patterns gaps, Ecosystem fixtures gaps, Implementor gaps, Standup gaps, Archived gaps, Plugin gaps) to DOING to keep remediation tracks active in parallel. | Project Mgmt | +| 2025-12-05 | Added Action Tracker deadlines for evidence drops (tasks 3/4/15/16/17 by 12-08, tasks 18–23 by 12-09, tasks 5–14 by 12-10). | Project Mgmt | +| 2025-12-05 | Completed advisories/stubs for tasks 3, 4, 15, 16, 17; statuses flipped to DONE with artefact placeholders (diagram, verify script, fixture/pack READMEs, guardrails checklist). | Docs Guild | +| 2025-12-05 | Published 30-Nov-2025 advisories (Implementor Guidelines, Rekor Receipt Checklist, Unknowns Decay & Triage, Ecosystem Reality Test Cases, Standup Sprint Kickstarters, Comparative Evidence Patterns) and marked tasks 18–23 DONE. | Docs Guild | +| 2025-12-05 | Added stubs for tasks 5–14 (chain hash recipe, inputs.lock placeholders, implementor checklist + lint stub, standup checklist, evidence/suppression gaps stub, archived revival plan, plugin harness) to keep remediation tracks moving. | Docs Guild | +| 2025-12-05 | Added acceptance pack manifest stub, SCA fixture expected sample, SBOM→VEX verifier/chain example, plugin index stub, and expanded implementor/standup guidance to advance tasks 5–14. | Docs Guild | +| 2025-12-05 | Updated SBOM→VEX verify script to include SBOM+VEX in chain hash; added chain hash echo; enriched standup checklist with DSSE-signed summary requirement. | Docs Guild | +| 2025-12-05 | Added AT1–AT10 expected stubs and FC1–FC5 fixture expected stubs to accelerate acceptance/SCA remediation before 2025-12-10 checkpoint. | Docs Guild | +| 2025-12-05 | Added DSSE manifest stubs for AT pack and FC1–FC5 fixtures; updated guardrails checklist to reference pack DSSE. 
| Docs Guild | +| 2025-12-05 | Pinned inputs.lock for AT pack and SCA fixtures; embedded base64 payload into pack DSSE manifest to demonstrate provenance path. | Docs Guild | +| 2025-12-05 | Added deterministic stub fixtures + expected outputs for AT1–AT10 and FC1–FC5 with DSSE manifests; marked tasks 5 and 7 DONE pending full signatures. | Docs Guild | +| 2025-12-05 | Added SBOM→VEX kit stubs (inputs.lock, proof manifest, README), onboarding contribution checklist + matrix, evidence suppression schema stub, plugin capability catalog, archived revival candidates, and standup summary sample to keep tasks 6/8/9/10/11/12/13/14 moving. | Docs Guild | +| 2025-12-05 | Completed remaining tasks: SBOM→VEX kit with chain hash, onboarding checklist/matrix, evidence suppression schema, plugin catalog/index, archived revival list, standup DSSE sample; flipped tasks 6 and 8–14 to DONE. | Docs Guild | +| 2025-12-05 | Marked DOCS-DOSSIERS-200.B BLOCKED pending Docs Tasks ladder reaching Md.II and Ops deployment evidence. | Docs Guild | +| 2025-12-05 | Scheduled Md.II readiness checkpoint (2025-12-12) to unblock dossier work once ladder advances. | Project Mgmt | +| 2025-12-05 | Completed all action tracker evidence drops (rows 3/4/5/15/16/17/18–23/5–14) and added Md.II monitoring action. | Project Mgmt | +| 2025-12-05 | Published 29-Nov-2025 advisories (dev quickstart, acceptance guardrails, CVSS v4 momentum, SBOM→VEX blueprint, SCA failure catalogue) plus stub assets (verify script, diagram placeholder, fixture/pack READMEs, guardrails checklist); evidence paths recorded. | Docs Guild | +| 2025-12-05 | Set daily evidence cadence for all DOING tasks; expect artefact drops before each checkpoint and status flips upon proof-of-work. 
| Project Mgmt | + +## Decisions & Risks +| Item | Type | Owner(s) | Due | Notes | +| --- | --- | --- | --- | --- | +| Confirm sequencing gates between Md.I and module dossiers | Decision | Docs Guild · Module guild leads | 2025-11-18 | Needed before opening 312–335 sprints. | +| Docs capacity constrained while Md.I remains open | Risk | Docs Guild | Ongoing | Track velocity; request backup writers if Md.I exceeds 2-week window. | + +## Next Checkpoints +| Date (UTC) | Session | Goal | Owner(s) | +| --- | --- | --- | --- | +| 2025-11-15 | Docs ladder stand-up | Review Md.I progress, confirm readiness to open Md.II (Sprint 302). | Docs Guild | +| 2025-11-18 | Module dossier planning call | Validate prerequisites before flipping dossier sprints to DOING. | Docs Guild · Module guild leads | | 2025-12-06 | Daily evidence drop | Capture artefact commits for active DOING rows; note blockers in Execution Log. | Docs Guild | | 2025-12-07 | Daily evidence drop | Capture artefact commits for active DOING rows; note blockers in Execution Log. | Docs Guild | | 2025-12-05 | Repository-wide sprint filename normalization: removed legacy `_0000_` sprint files and repointed references to canonical `_0001_` names across docs/implplan, advisories, and module docs. | Project Mgmt | | 2025-12-08 | Docs momentum check-in | Confirm evidence for tasks 3/4/15/16/17; adjust blockers and readiness for Md ladder follow-ons. | Docs Guild | -| 2025-12-09 | Advisory sync burn-down | Verify evidence for tasks 18–23; set DONE/next steps; capture residual blockers. | Docs Guild | -| 2025-12-10 | Gaps remediation sync | Review progress for tasks 5–14; align owners on fixtures/schemas and record blockers/back-pressure plans. | Docs Guild | -| 2025-12-12 | Md.II readiness checkpoint | Confirm Docs Tasks ladder at Md.II, collect Ops evidence, and flip DOCS-DOSSIERS-200.B to DOING if unblocked. 
| Docs Guild · Ops Guild | - -## Appendix -- Prior version archived at `docs/implplan/archived/SPRINT_300_documentation_process_2025-11-13.md`. +| 2025-12-09 | Advisory sync burn-down | Verify evidence for tasks 18–23; set DONE/next steps; capture residual blockers. | Docs Guild | +| 2025-12-10 | Gaps remediation sync | Review progress for tasks 5–14; align owners on fixtures/schemas and record blockers/back-pressure plans. | Docs Guild | +| 2025-12-12 | Md.II readiness checkpoint | Confirm Docs Tasks ladder at Md.II, collect Ops evidence, and flip DOCS-DOSSIERS-200.B to DOING if unblocked. | Docs Guild · Ops Guild | + +## Appendix +- Prior version archived at `docs/implplan/archived/SPRINT_300_documentation_process_2025-11-13.md`. diff --git a/docs/product-advisories/ADVISORY_INDEX.md b/docs/product-advisories/ADVISORY_INDEX.md index 853adf242..519bf77a3 100644 --- a/docs/product-advisories/ADVISORY_INDEX.md +++ b/docs/product-advisories/ADVISORY_INDEX.md 
@@ -1,646 +1,646 @@ -# Product Advisory Index - -This index consolidates the November 2025 product advisories, identifying canonical documents and duplicates. - -## Canonical Advisories (Active) - -These are the authoritative advisories to reference for implementation: - -### CVSS v4.0 -- **Canonical:** `25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md` -- **Sprint:** SPRINT_0190_0001_0001_cvss_v4_receipts.md -- **Gaps:** `31-Nov-2025 FINDINGS.md` (CV1–CV10 remediation task CVSS-GAPS-190-013) -- **Timing/UI:** `01-Dec-2025 - Time-to-Evidence (TTE) Metric.md` (archived) -- **Status:** New sprint created - -### CVSS v4.0 Momentum Briefing -- **Canonical:** `29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md` -- **Sprint:** SPRINT_0190_0001_0001_cvss_v4_receipts.md (context) -- **Related Docs:** - - `docs/product-advisories/25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md` (implementation focus) - - `docs/product-advisories/29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md` (this briefing) -- **Gaps:** `31-Nov-2025 FINDINGS.md` (CVM1–CVM10 remediation task CVSS-GAPS-190-014) -- **Status:** Summarises the industry adoption signals (NVD/GitHub/Microsoft/Snyk) and why Stella Ops should treat CVSS v4.0 as first-class now. - -### SCA Failure Catalogue -- **Canonical:** `29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md` -- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker) -- **Related Docs:** - - `docs/product-advisories/29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md` (this catalogue) - - `docs/implplan/SPRINT_0300_0001_0001_documentation_process.md` (tracking sync) -- **Gaps:** `31-Nov-2025 FINDINGS.md` (FC1–FC10 remediation task SCA-FIXTURE-GAPS-300-014) -- **Status:** Captures five real-world regressions/ SBOM gaps for Trivy/Syft/Grype/Snyk and frames test vectors + alarm scenarios for StellaOps acceptance suites. 
- -### Acceptance Tests Pack & Guardrails -- **Canonical:** `29-Nov-2025 - Acceptance Tests Pack and Guardrails.md` -- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker) -- **Related Docs:** - - `docs/product-advisories/29-Nov-2025 - Acceptance Tests Pack and Guardrails.md` (this briefing) - - `docs/process/acceptance-guardrails-checklist.md` -- **Gaps:** `31-Nov-2025 FINDINGS.md` (AT1–AT10 remediation task AT-GAPS-300-012) -- **Status:** Defines deterministic, signed acceptance packs with replay parity checks and CI gating thresholds for admission/VEX/auth flows. - -### Mid-Level .NET Onboarding (Quick Start) -- **Canonical:** `29-Nov-2025 - StellaOps – Mid-Level .NET Onboarding (Quick Start).md` -- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker) -- **Related Docs:** - - `docs/onboarding/dev-quickstart.md` (to be updated) - - `docs/modules/platform/architecture-overview.md` -- **Gaps:** `31-Nov-2025 FINDINGS.md` (OB1–OB10 remediation task ONBOARD-GAPS-300-015) -- **Status:** Onboarding brief for mid-level .NET devs; needs deterministic/offline/DSSE/secret-handling expansions and cross-links. - -### Implementor Guidelines -- **Canonical:** `30-Nov-2025 - Implementor Guidelines for Stella Ops.md` -- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker) -- **Related Docs:** - - `docs/product-advisories/30-Nov-2025 - Implementor Guidelines for Stella Ops.md` (this briefing) - - `docs/05_SYSTEM_REQUIREMENTS_SPEC.md` / `docs/13_RELEASE_ENGINEERING_PLAYBOOK.md` (reference requirements) -- **Gaps:** `31-Nov-2025 FINDINGS.md` (IG1–IG10 remediation task IMPLEMENTOR-GAPS-300-018) -- **Status:** Operational checklist for contributors, plug-in authors, and implementors linking SRS/architecture to practical practices. 
- -### Rekor Receipt Checklist -- **Canonical:** `30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md` -- **Sprint:** SPRINT_0314_0001_0001_docs_modules_authority.md -- **Related Docs:** Authority/Sbomer module docs; Rekor v2 / DSSE receipt schemas (to be published) -- **Gaps:** `31-Nov-2025 FINDINGS.md` (RR1–RR10 remediation task REKOR-RECEIPT-GAPS-314-005) -- **Status:** Needs signed/validated receipt schema/catalog, inclusion proof freshness policy, subject/policy binding, client provenance, TSA/time integrity, offline verifier, mirror snapshot rules, retention/observability, and tenant isolation. - -### Standup Sprint Kickstarters -- **Canonical:** `30-Nov-2025 - Standup Sprint Kickstarters.md` -- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker) -- **Related Docs:** `docs/implplan/README.md` (sprint template) -- **Gaps:** `31-Nov-2025 FINDINGS.md` (SK1–SK10 remediation task STANDUP-GAPS-300-019) -- **Status:** Introduces ceremony primer but lacks template alignment, readiness evidence, dependency ledger, offline/async guidance, metrics/SLOs, and role/decision capture rules. - -### UI Micro-Interactions -- **Canonical:** `30-Nov-2025 - UI Micro-Interactions for StellaOps.md` -- **Sprint:** SPRINT_0209_0001_0001_ui_i.md (UI I; share with UI II/III as needed) -- **Related Docs:** `docs/modules/ui/architecture.md`, Storybook token catalog (planned) -- **Gaps:** `31-Nov-2025 FINDINGS.md` (MI1–MI10 remediation task UI-MICRO-GAPS-0209-011) -- **Status:** Needs motion tokens, reduced-motion/a11y rules, perf budgets, offline/latency states, error/cancel patterns, component mapping, telemetry schema, deterministic tests/snapshots, micro-copy localisation, and theme/contrast guidance. 
- -### Proof-Linked VEX UI (Not-Affected Proof Drawer) -- **Canonical:** Proof-linked VEX UI spec (chat-provided; to land as `docs/ui/proof-linked-vex.md`) -- **Sprint:** SPRINT_0215_0001_0001_vuln_triage_ux.md -- **Related Docs:** `docs/product-advisories/27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md`, `docs/product-advisories/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`, VexLens/Policy module docs -- **Gaps:** `31-Nov-2025 FINDINGS.md` (PVX1–PVX10 remediation task UI-PROOF-VEX-0215-010) -- **Status:** Drawer/badge pattern defined but missing scoped auth, cache/staleness policy, stronger integrity verification, failure/offline UX, evidence precedence rules, telemetry privacy schema, signed permalinks, revision reconciliation, and fixtures/tests. - -### Time-to-Evidence (TTE) Metric -- **Canonical:** `01-Dec-2025 - Time-to-Evidence (TTE) Metric.md` -- **Sprint:** SPRINT_0215_0001_0001_vuln_triage_ux.md (UI) with telemetry alignment to SPRINT_0180_0001_0001_telemetry_core.md -- **Related Docs:** UI sprints 0209/0215, telemetry architecture docs -- **Gaps:** `31-Nov-2025 FINDINGS.md` (TTE1–TTE10 remediation task TTE-GAPS-0215-011) -- **Status:** Metric defined but needs event schema/versioning, proof eligibility rules, sampling/bot filters, per-surface SLO/error budgets, index/streaming requirements, offline-kit handling, alert/runbook, release gate, and a11y tests. - -### Archived Advisories (15–23 Nov 2025) -- **Canonical:** `docs/product-advisories/archived/*.md` (embedded provenance events, function-level VEX explainability, binary reachability branches, SBOM-provenance spine, etc.) 
-- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (triage/decision) -- **Related Docs:** None current (need revival + canonicalization) -- **Gaps:** `31-Nov-2025 FINDINGS.md` (AR-EP1 … AR-VB1 remediation task ARCHIVED-GAPS-300-020) -- **Status:** Archived set lacks schemas, determinism rules, redaction/licensing, changelog/signing, and duplication resolution; needs triage on which to revive into active advisories. - -### SBOM → VEX Proof Blueprint -- **Canonical:** `29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md` -- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker) -- **Related Docs:** - - `docs/product-advisories/29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md` (itself) - - `docs/modules/platform/architecture-overview.md` (platform dossier link) -- **Gaps:** `31-Nov-2025 FINDINGS.md` (BP1–BP10 remediation task SBOM-VEX-GAPS-300-013) -- **Status:** Diagram-first guide showing DSSE → Rekor v2 tiles → VEX linkage plus online/offline verification notes for StellaOps proofs. - -### UI Micro-Interactions -- **Canonical:** `30-Nov-2025 - UI Micro-Interactions for StellaOps.md` -- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker) -- **Related Docs:** - - `apps/console/src/app/shared/micro/` - - `docs/product-advisories/30-Nov-2025 - UI Micro-Interactions for StellaOps.md` -- **Status:** Three Angular tasks covering audit trail reasons, low-noise VEX gating, and evidence provenance chips for air-gapped + online UX. 
- -### Rekor Receipt Checklist -- **Canonical:** `30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md` -- **Sprint:** SPRINT_0314_0001_0001_docs_modules_authority.md (PRIMARY) -- **Related Docs:** - - `docs/product-advisories/30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md` - - `docs/modules/platform/architecture-overview.md` -- **Gaps:** `31-Nov-2025 FINDINGS.md` (RR1–RR10 remediation task REKOR-RECEIPT-GAPS-314-005) -- **Status:** Field-level ownership map for receipts, bundles, and offline metadata so Authority/Sbomer/Vexer keep deterministic proofs. - -### Air-Gap Deployment Playbook -- **Canonical:** `25-Nov-2025 - Air-gap deployment playbook for StellaOps.md` -- **Sprint:** SPRINT_0510_0001_0001_airgap.md (Ops & Offline) -- **Gaps:** `31-Nov-2025 FINDINGS.md` (AG1–AG12 remediation task AIRGAP-GAPS-510-009) -- **Status:** Implementation guided by Ops/Offline sprint; gaps cover trust roots, Rekor mirrors, feed freezing, tooling hashes, AV scans, policy/graph hash verification, tenant scoping, ingress receipts, replay depth, and offline observability. - -### Ecosystem Reality Tests -- **Canonical:** `30-Nov-2025 - Ecosystem Reality Test Cases for StellaOps.md` -- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker) -- **Related Docs:** - - `docs/product-advisories/30-Nov-2025 - Ecosystem Reality Test Cases for StellaOps.md` -- **Status:** Evidence-backed acceptance tests covering credential leaks, offline DB quirks, SBOM parity, and scanner instability. 
- -### Unknowns Decay & Triage Heuristics -- **Canonical:** `30-Nov-2025 - Unknowns Decay & Triage Heuristics.md` -- **Sprint:** SPRINT_0140_0001_0001_runtime_signals.md (Signals/Unknowns) -- **Related Docs:** - - `docs/product-advisories/30-Nov-2025 - Unknowns Decay & Triage Heuristics.md` -- **Gaps:** `31-Nov-2025 FINDINGS.md` (UT1–UT10 remediation task UNKNOWN-HEUR-GAPS-140-007) -- **Status:** Confidence decay card + triage queue artifacts that feed UI + ops exports for stale unknowns. - -### Standup Sprint Kickstarters -- **Canonical:** `30-Nov-2025 - Standup Sprint Kickstarters.md` -- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker) -- **Related Docs:** - - `docs/product-advisories/30-Nov-2025 - Standup Sprint Kickstarters.md` -- **Status:** Three day-0 tasks (scanner regressions, Postgres slice, DSSE/Rekor sweep) with ticket names and assignments. - -### Evidence + Suppression Patterns -- **Canonical:** `30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md` -- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker) -- **Related Docs:** - - `docs/product-advisories/30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md` -- **Gaps:** `31-Nov-2025 FINDINGS.md` (CE1–CE10 remediation task EVIDENCE-PATTERNS-GAPS-300-016) -- **Status:** Snapshot of how Snyk, GitHub, Aqua, Anchore/Grype, and Prisma Cloud handle evidence, suppression, and audit/export primitives. 
- -### Ecosystem Reality Test Cases -- **Canonical:** `30-Nov-2025 - Ecosystem Reality Test Cases.md` -- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker) -- **Related Docs:** - - `docs/product-advisories/30-Nov-2025 - Ecosystem Reality Test Cases.md` -- **Gaps:** `31-Nov-2025 FINDINGS.md` (ET1–ET10 remediation task ECOSYS-FIXTURES-GAPS-300-017) -- **Status:** Five public incidents mapped to acceptance tests (credential leak, Trivy offline schema error, SBOM parity, Grype version drift, inconsistent detection); informs SCA acceptance packs. - -### Reachability Benchmark Fixtures -- **Canonical:** `30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md` -- **Sprint:** SPRINT_0513_0001_0001_public_reachability_benchmark.md (PRIMARY) -- **Related Docs:** - - `docs/product-advisories/30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md` -- **Gaps:** `31-Nov-2025 FINDINGS.md` (RB1–RB10 remediation task REACH-FIXTURE-GAPS-513-020) -- **Status:** SV-COMP + OSS-Fuzz grounded fixture plan plus Tier-2 guidance for Java/Python, packages, containers, call-graph corpora. 
- -### SBOM/VEX Pipeline -- **Canonical:** `27-Nov-2025 - Deep Architecture Brief - SBOM‑First, VEX‑Ready Spine.md` -- **Sprint:** SPRINT_0186_0001_0001_record_deterministic_execution.md (tasks 15a-15f) -- **Supersedes:** - - `24-Nov-2025 - Bridging OpenVEX and CycloneDX for .NET.md` → archive - - `25-Nov-2025 - Revisiting Determinism in SBOM→VEX Pipeline.md` → archive - - `26-Nov-2025 - From SBOM to VEX - Building a Transparent Chain.md` → archive - -### Rekor/DSSE Batch Sizing -- **Canonical:** `26-Nov-2025 - Handling Rekor v2 and DSSE Air‑Gap Limits.md` -- **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (DSSE tasks) -- **Supersedes:** - - `27-Nov-2025 - Rekor Envelope Size Heuristic.md` → archive (duplicate) - - `27-Nov-2025 - DSSE and Rekor Envelope Size Heuristic.md` → archive (duplicate) - - `27-Nov-2025 - Optimizing DSSE Batch Sizes for Reliable Logging.md` → archive (duplicate) - -### Graph Revision IDs -- **Canonical:** `26-Nov-2025 - Use Graph Revision IDs as Public Trust Anchors.md` -- **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (existing tasks) -- **Gaps:** `31-Nov-2025 FINDINGS.md` (GR1–GR10 remediation task GRAPHREV-GAPS-401-063) -- **Supersedes:** - - `25-Nov-2025 - Hash‑Stable Graph Revisions Across Systems.md` → archive (earlier version) - -### Reachability Benchmark (Public) -- **Canonical:** `24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md` -- **Sprint:** SPRINT_0513_0001_0001_public_reachability_benchmark.md -- **Related:** - - `26-Nov-2025 - Opening Up a Reachability Dataset.md` → complementary (dataset focus) - - `31-Nov-2025 FINDINGS.md` → gap analysis (G1–G12) with remediation task BENCH-GAPS-513-018 -- **Gaps (dataset):** `31-Nov-2025 FINDINGS.md` (RD1–RD10 remediation task DATASET-GAPS-513-019) - -### Unknowns Registry -- **Canonical:** `27-Nov-2025 - Managing Ambiguity Through an Unknowns Registry.md` -- **Sprint:** SPRINT_0140_0001_0001_runtime_signals.md (existing implementation) 
-- **Extends:** `archived/18-Nov-2025 - Unknowns-Registry.md` -- **Gaps:** `31-Nov-2025 FINDINGS.md` (UN1–UN10 remediation task UNKNOWN-GAPS-140-006) -- **Status:** Already implemented in Signals module; advisory validates design - -### Confidence Decay for Prioritization -- **Canonical:** `25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md` -- **Sprint:** SPRINT_0140_0001_0001_runtime_signals.md (integration point) -- **Gaps:** `31-Nov-2025 FINDINGS.md` (U1–U10 remediation task DECAY-GAPS-140-005) -- **Related:** Unknowns Registry (time-based decay complements ambiguity tracking) -- **Status:** Design advisory - provides exponential decay formula for priority freshness - -### Explainability -- **Canonical (Graphs):** `27-Nov-2025 - Making Graphs Understandable to Humans.md` -- **Canonical (Verdicts):** `27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md` -- **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (UI-CLI tasks) -- **Gaps:** `31-Nov-2025 FINDINGS.md` (EX1–EX10 remediation task EXPLAIN-GAPS-401-064) -- **Status:** Complementary advisories - graphs cover edge reasons, verdicts cover audit trails - -### VEX Proofs -- **Canonical:** `25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md` -- **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (POLICY-VEX tasks) -- **Gaps:** `31-Nov-2025 FINDINGS.md` (VEX1–VEX10 remediation task VEX-GAPS-401-062) - -### Binary Reachability -- **Canonical:** `27-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md` -- **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (GRAPH-HYBRID tasks) -- **Gaps:** `31-Nov-2025 FINDINGS.md` (BR1–BR10 remediation task BINARY-GAPS-401-066) - -### Scanner Roadmap -- **Canonical:** `27-Nov-2025 - Blueprint for a 2026‑Ready Scanner.md` -- **Sprint:** Multiple sprints (0186, 0401, 0512) -- **Gaps:** `31-Nov-2025 FINDINGS.md` (SC1–SC10 remediation task SCANNER-GAPS-186-018) -- **Status:** High-level roadmap document 
- -### SBOM-First, VEX-Ready Spine -- **Canonical:** `27-Nov-2025 - Deep Architecture Brief - SBOM-First, VEX-Ready Spine.md` -- **Sprint:** SPRINT_0186_0001_0001_record_deterministic_execution.md (spine contracts) and related VEX/graph tasks in SPRINT_0401_0001_0001 -- **Gaps:** `31-Nov-2025 FINDINGS.md` (SP1–SP10 remediation task SPINE-GAPS-186-019) -- **Status:** Architecture brief; needs formalized schemas/contracts and DSSE/bundle enforcement. - -### SBOM & VEX Competitor Snapshot -- **Canonical:** `27-Nov-2025 - Late‑November SBOM & VEX competitor.md` -- **Sprint:** SPRINT_0186_0001_0001_record_deterministic_execution.md (ingest/normalization) -- **Gaps:** `31-Nov-2025 FINDINGS.md` (CM1–CM10 remediation task COMPETITOR-GAPS-186-020) -- **Status:** Competitive intelligence; requires hardened external ingest, signatures, and offline kit parity. - -### Vulnerability Triage UX & VEX-First Decisioning -- **Canonical:** `28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md` -- **Sprint:** SPRINT_0215_0001_0001_vuln_triage_ux.md (NEW) -- **Related Sprints:** - - SPRINT_0210_0001_0002_ui_ii.md (UI-LNM-22-003 VEX tab) - - SPRINT_0334_docs_modules_vuln_explorer.md (docs) -- **Related Advisories:** - - `27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md` (evidence chain) - - `27-Nov-2025 - Making Graphs Understandable to Humans.md` (graph UX) - - `25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md` (VEX proofs) -- **Gaps:** `31-Nov-2025 FINDINGS.md` (VT1–VT10 remediation task TRIAGE-GAPS-215-042) -- **Status:** New - defines converged triage UX across Snyk/GitLab/Harbor/Anchore patterns -- **Schemas:** - - `docs/schemas/vex-decision.schema.json` - - `docs/schemas/attestation-vuln-scan.schema.json` - - `docs/schemas/audit-bundle-index.schema.json` - -### Sovereign Crypto for Regional Compliance -- **Canonical:** `28-Nov-2025 - Sovereign Crypto for Regional Compliance.md` -- **Sprint:** 
SPRINT_0514_0001_0001_sovereign_crypto_enablement.md (EXISTING) -- **Related Docs:** - - `docs/security/rootpack_ru_*.md` - RootPack RU documentation - - `docs/security/crypto-registry-decision-2025-11-18.md` - Registry design - - `docs/security/pq-provider-options.md` - Post-quantum options -- **Gaps:** `31-Nov-2025 FINDINGS.md` (SC1–SC10 remediation task SC-GAPS-514-010) -- **Status:** Fills HIGH-priority gap - covers eIDAS, FIPS, GOST, SM algorithm support -- **Compliance:** EU (eIDAS), US (FIPS 140-2/3), Russia (GOST), China (SM2/3/4) - -### Plugin Architecture & Extensibility -- **Canonical:** `28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md` -- **Sprint:** Foundational - appears in module-specific sprints -- **Related Docs:** - - `docs/dev/plugins/README.md` - General plugin guide - - `docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md` - Concelier connectors - - `docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md` - Authority plugins - - `docs/modules/scanner/guides/surface-validation-extensibility.md` - Scanner extensibility -- **Gaps:** `31-Nov-2025 FINDINGS.md` (PL1–PL10 remediation task Plugin architecture gaps remediation — Sprint 300) -- **Status:** Fills MEDIUM-priority gap - consolidates extensibility patterns across modules - -### Evidence Bundle & Replay Contracts -- **Canonical:** `28-Nov-2025 - Evidence Bundle and Replay Contracts.md` -- **Sprint:** SPRINT_0161_0001_0001_evidencelocker.md (PRIMARY) -- **Related Sprints:** - - SPRINT_0187_0001_0001_evidence_locker_cli_integration.md (CLI) - - SPRINT_0160_0001_0001_export_evidence.md (Coordination) -- **Related Docs:** - - `docs/modules/evidence-locker/bundle-packaging.md` - Bundle spec - - `docs/modules/evidence-locker/attestation-contract.md` - DSSE contract - - `docs/modules/evidence-locker/replay-payload-contract.md` - Replay schema -- **Gaps:** `31-Nov-2025 FINDINGS.md` (EB1–EB10 remediation task EVID-GAPS-161-007) -- **Status:** Fills HIGH-priority gap - covers deterministic bundles, 
attestations, replay, incident mode - -### Export Center & Reporting -- **Canonical:** `28-Nov-2025 - Export Center and Reporting Strategy.md` -- **Sprint:** SPRINT_0162_0001_0001_exportcenter_i.md (ExportCenter I) -- **Related Sprints:** SPRINT_0163_0001_0001_exportcenter_ii.md, SPRINT_0164_0001_0001_exportcenter_iii.md -- **Gaps:** `31-Nov-2025 FINDINGS.md` (EC1–EC10 remediation task EXPORT-GAPS-162-013) -- **Status:** Export profiles/adapters; determinism, provenance, and offline kit parity need gap remediation. -### Acceptance Tests Pack for Guardrails -- **Canonical:** `29-Nov-2025 - Acceptance Tests Pack for StellaOps Guardrails.md` -- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (Docs Governance) -- **Related Docs:** - - `docs/product-advisories/29-Nov-2025 - Acceptance Tests Pack for StellaOps Guardrails.md` (itself) - - `docs/implplan/SPRINT_0300_0001_0001_documentation_process.md` (tracking the sync) -- **Gaps:** `31-Nov-2025 FINDINGS.md` (AT1–AT10 remediation task AT-GAPS-300-012) -- **Status:** Captures feed resiliency, SBOM validation, snapshot/replay rehearsals, reachability fallbacks, and pipeline swap guardrails for acceptance tests. 
- -### Mirror & Offline Kit Strategy -- **Canonical:** `28-Nov-2025 - Mirror and Offline Kit Strategy.md` -- **Sprint:** SPRINT_0125_0001_0001 (Mirror Bundles) -- **Related Sprints:** - - SPRINT_0150_0001_0001 (DSSE/Time Anchors) - - SPRINT_0150_0001_0002 (Time Anchors) - - SPRINT_0150_0001_0003 (Orchestrator Hooks) -- **Related Docs:** - - `docs/modules/mirror/dsse-tuf-profile.md` - DSSE/TUF spec - - `docs/modules/mirror/thin-bundle-assembler.md` - Thin bundle spec - - `docs/airgap/time-anchor-schema.json` - Time anchor schema -- **Gaps:** `31-Nov-2025 FINDINGS.md` (OK1–OK10 remediation task OFFKIT-GAPS-125-011; RK1–RK10 task REKOR-GAPS-125-012; MS1–MS10 task MIRROR-GAPS-125-013) -- **Status:** Fills HIGH-priority gap - covers thin bundles, DSSE/TUF signing, time anchoring - -### Rekor v2 / DSSE Limits -- **Canonical:** `26-Nov-2025 - Handling Rekor v2 and DSSE Air-Gap Limits.md` -- **Sprint:** SPRINT_0125_0001_0001_mirror.md (mirror/offline log handling) and linked to reachability evidence chain where DSSE predicates are used. -- **Gaps:** `31-Nov-2025 FINDINGS.md` (RK1–RK10 remediation task REKOR-GAPS-125-012) -- **Status:** Guides policy for public/private Rekor use, payload limits, chunking, and shard-aware checkpoints. 
- -### Task Pack Orchestration & Automation -- **Canonical:** `28-Nov-2025 - Task Pack Orchestration and Automation.md` -- **Sprint:** SPRINT_0157_0001_0001_taskrunner_i.md (PRIMARY) -- **Related Sprints:** - - SPRINT_0158_0001_0002_taskrunner_ii.md (Phase II) - - SPRINT_0157_0001_0002_taskrunner_blockers.md (Blockers) -- **Related Docs:** - - `docs/task-packs/spec.md` - Pack manifest specification - - `docs/task-packs/authoring-guide.md` - Authoring workflow - - `docs/task-packs/registry.md` - Registry architecture -- **Gaps:** `31-Nov-2025 FINDINGS.md` (TP1–TP10 remediation task TASKRUN-GAPS-157-014) -- **Status:** Fills HIGH-priority gap - covers pack DSL, approvals, evidence capture - -### Authentication & Authorization Architecture -- **Canonical:** `28-Nov-2025 - Authentication and Authorization Architecture.md` -- **Sprint:** Multiple (see below) -- **Related Sprints:** - - SPRINT_100_identity_signing.md (CLOSED - historical) - - SPRINT_0314_0001_0001_docs_modules_authority.md (Docs) - - SPRINT_0514_0001_0001_sovereign_crypto_enablement.md (Crypto) -- **Gaps:** `31-Nov-2025 FINDINGS.md` (AU1–AU10 remediation task AUTH-GAPS-314-004) -- **Related Docs:** - - `docs/modules/authority/architecture.md` - Module architecture - - `docs/11_AUTHORITY.md` - Overview - - `docs/security/authority-scopes.md` - Scope reference - - `docs/security/dpop-mtls-rollout.md` - Sender constraints -- **Status:** Fills HIGH-priority gap - consolidates token model, scopes, multi-tenant isolation - -### CLI Developer Experience & Command UX -- **Canonical:** `28-Nov-2025 - CLI Developer Experience and Command UX.md` -- **Sprint:** SPRINT_0201_0001_0001_cli_i.md (PRIMARY) -- **Related Sprints:** - - SPRINT_203_cli_iii.md - - SPRINT_205_cli_v.md -- **Related Docs:** - - `docs/modules/cli/architecture.md` - Module architecture - - `docs/09_API_CLI_REFERENCE.md` - Command reference -- **Gaps:** `31-Nov-2025 FINDINGS.md` (CL1–CL10 remediation task CLI-GAPS-201-003) -- **Status:** Fills 
HIGH-priority gap - covers command surface, auth model, Buildx integration - -### Orchestrator Event Model & Job Lifecycle -- **Canonical:** `28-Nov-2025 - Orchestrator Event Model and Job Lifecycle.md` -- **Sprint:** SPRINT_0151_0001_0001_orchestrator_i.md (PRIMARY) -- **Related Sprints:** - - SPRINT_152_orchestrator_ii.md - - SPRINT_0152_0001_0002_orchestrator_ii.md -- **Related Docs:** - - `docs/modules/orchestrator/architecture.md` - Module architecture -- **Gaps:** `31-Nov-2025 FINDINGS.md` (OR1–OR10 remediation task ORCH-GAPS-151-016) -- **Status:** Fills HIGH-priority gap - covers job lifecycle, quota governance, replay semantics - -### Export Center & Reporting Strategy -- **Canonical:** `28-Nov-2025 - Export Center and Reporting Strategy.md` -- **Sprint:** SPRINT_0160_0001_0001_export_evidence.md (PRIMARY) -- **Related Sprints:** - - SPRINT_0161_0001_0001_evidencelocker.md -- **Related Docs:** - - `docs/modules/export-center/architecture.md` - Module architecture -- **Status:** Fills MEDIUM-priority gap - covers profile system, adapters, distribution channels - -### Runtime Posture & Observation (Zastava) -- **Canonical:** `28-Nov-2025 - Runtime Posture and Observation with Zastava.md` -- **Sprint:** SPRINT_0144_0001_0001_zastava_runtime_signals.md (PRIMARY) -- **Related Sprints:** - - SPRINT_0140_0001_0001_runtime_signals.md - - SPRINT_0143_0001_0001_signals.md -- **Related Docs:** - - `docs/modules/zastava/architecture.md` - Module architecture -- **Gaps:** `31-Nov-2025 FINDINGS.md` (ZR1–ZR10 remediation task ZASTAVA-GAPS-144-007) -- **Status:** Fills MEDIUM-priority gap - covers runtime events, admission control, drift detection - -### Notification Rules & Alerting Engine -- **Canonical:** `28-Nov-2025 - Notification Rules and Alerting Engine.md` -- **Sprint:** SPRINT_0170_0001_0001_notify_engine.md (NEW) -- **Related Sprints:** - - SPRINT_0171_0001_0002_notify_connectors.md - - SPRINT_0172_0001_0003_notify_ack_tokens.md -- **Related Docs:** - - 
`docs/modules/notify/architecture.md` - Module architecture -- **Gaps:** `31-Nov-2025 FINDINGS.md` (NR1–NR10 remediation task NOTIFY-GAPS-171-014; blueprint `docs/notifications/gaps-nr1-nr10.md`) -- **Status:** Fills MEDIUM-priority gap - covers rules engine, channels, noise control, ack tokens - -### Graph Analytics & Dependency Insights -- **Canonical:** `28-Nov-2025 - Graph Analytics and Dependency Insights.md` -- **Sprint:** SPRINT_0141_0001_0001_graph_indexer.md (PRIMARY) -- **Related Sprints:** - - SPRINT_0401_0001_0001_reachability_evidence_chain.md - - SPRINT_0140_0001_0001_runtime_signals.md -- **Related Docs:** - - `docs/modules/graph/architecture.md` - Module architecture -- **Gaps:** `31-Nov-2025 FINDINGS.md` (GA1–GA10 remediation task GRAPH-ANALYTICS-GAPS-207-013) -- **Status:** Fills MEDIUM-priority gap - covers graph model, overlays, analytics, visualization - -### Telemetry & Observability Patterns -- **Canonical:** `28-Nov-2025 - Telemetry and Observability Patterns.md` -- **Sprint:** SPRINT_0180_0001_0001_telemetry_core.md (NEW) -- **Related Sprints:** - - SPRINT_0181_0001_0002_telemetry_forensic.md - - SPRINT_0182_0001_0003_telemetry_offline.md -- **Related Docs:** - - `docs/modules/telemetry/architecture.md` - Module architecture -- **Gaps:** `31-Nov-2025 FINDINGS.md` (TO1–TO10 remediation task TELEM-GAPS-180-001) -- **Status:** Fills MEDIUM-priority gap - covers collector topology, forensic mode, offline bundles - -### Policy Simulation & Shadow Gates -- **Canonical:** `28-Nov-2025 - Policy Simulation and Shadow Gates.md` -- **Sprint:** SPRINT_0185_0001_0001_policy_simulation.md (NEW) -- **Related Sprints:** - - SPRINT_0120_0001_0001_policy_reasoning.md - - SPRINT_0121_0001_0001_policy_reasoning.md -- **Related Docs:** - - `docs/modules/policy/architecture.md` - Module architecture -- **Gaps:** `31-Nov-2025 FINDINGS.md` (PS1–PS10 remediation task POLICY-GAPS-185-006) -- **Status:** Fills MEDIUM-priority gap - covers shadow runs, coverage 
fixtures, promotion gates - -### Findings Ledger & Immutable Audit Trail -- **Canonical:** `28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md` -- **Sprint:** SPRINT_0186_0001_0001_record_deterministic_execution.md (PRIMARY) -- **Related Sprints:** - - SPRINT_0120_0001_0001_policy_reasoning.md - - SPRINT_0311_0001_0001_docs_tasks_md_xi.md -- **Related Docs:** - - `docs/modules/findings-ledger/openapi/findings-ledger.v1.yaml` - OpenAPI spec -- **Gaps:** `31-Nov-2025 FINDINGS.md` (FL1–FL10 remediation task LEDGER-GAPS-121-009) -- **Status:** Fills MEDIUM-priority gap - covers append-only events, Merkle anchoring, projections - -### Concelier Advisory Ingestion Model -- **Canonical:** `28-Nov-2025 - Concelier Advisory Ingestion Model.md` -- **Sprint:** SPRINT_0115_0001_0004_concelier_iv.md (PRIMARY) -- **Related Sprints:** - - SPRINT_0113_0001_0002_concelier_ii.md - - SPRINT_0114_0001_0003_concelier_iii.md -- **Related Docs:** - - `docs/modules/concelier/architecture.md` - Module architecture -- **Gaps:** `31-Nov-2025 FINDINGS.md` (CI1–CI10 remediation task CONCELIER-GAPS-115-014) - - `docs/modules/concelier/link-not-merge-schema.md` - LNM schema -- **Status:** Fills MEDIUM-priority gap - covers AOC, Link-Not-Merge, connectors, deterministic exports - -## Files Archived - -The following files have been moved to `archived/27-Nov-2025-superseded/`: - -``` -# Superseded by canonical advisories -24-Nov-2025 - Bridging OpenVEX and CycloneDX for .NET.md -25-Nov-2025 - Revisiting Determinism in SBOM→VEX Pipeline.md -25-Nov-2025 - Hash‑Stable Graph Revisions Across Systems.md -26-Nov-2025 - From SBOM to VEX - Building a Transparent Chain.md -27-Nov-2025 - Rekor Envelope Size Heuristic.md -27-Nov-2025 - DSSE and Rekor Envelope Size Heuristic.md -27-Nov-2025 - Optimizing DSSE Batch Sizes for Reliable Logging.md -``` - -## Cleanup Completed (2025-11-28) - -The following issues were fixed: -- Deleted junk file: `24-Nov-2025 - 1 copy 2.md` -- Deleted malformed duplicate: 
`24-Nov-2025 - Designing a Deterministic Reachability Benchmarkmd` -- Fixed filename: `25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md` (was missing .md extension) - -## Sprint Cross-Reference - -| Advisory Topic | Sprint ID | Status | -|---------------|-----------|--------| -| CVSS v4.0 | SPRINT_0190_0001_0001 | NEW | -| SPDX 3.0.1 / SBOM | SPRINT_0186_0001_0001 | AUGMENTED | -| Reachability Benchmark | SPRINT_0513_0001_0001 | NEW | -| Reachability Evidence | SPRINT_0401_0001_0001 | EXISTING | -| Unknowns Registry | SPRINT_0140_0001_0001 | IMPLEMENTED | -| Confidence Decay | SPRINT_0140_0001_0001 | DESIGN | -| Graph Revision IDs | SPRINT_0401_0001_0001 | EXISTING | -| DSSE/Rekor Batching | SPRINT_0401_0001_0001 | EXISTING | -| Vuln Triage UX / VEX | SPRINT_0215_0001_0001 | NEW | -| Sovereign Crypto | SPRINT_0514_0001_0001 | EXISTING | -| Plugin Architecture | Multiple (module-specific) | FOUNDATIONAL | -| Evidence Bundle & Replay | SPRINT_0161_0001_0001 | EXISTING | -| Mirror & Offline Kit | SPRINT_0125_0001_0001 | EXISTING | -| Task Pack Orchestration | SPRINT_0157_0001_0001 | EXISTING | -| Auth/AuthZ Architecture | Multiple (100, 314, 0514) | EXISTING | -| CLI Developer Experience | SPRINT_0201_0001_0001 | NEW | -| Orchestrator Event Model | SPRINT_0151_0001_0001 | NEW | -| Export Center Strategy | SPRINT_0160_0001_0001 | NEW | -| Zastava Runtime Posture | SPRINT_0144_0001_0001 | NEW | -| Notification Rules Engine | SPRINT_0170_0001_0001 | NEW | -| Graph Analytics | SPRINT_0141_0001_0001 | NEW | -| Telemetry & Observability | SPRINT_0180_0001_0001 | NEW | -| Policy Simulation | SPRINT_0185_0001_0001 | NEW | -| Findings Ledger | SPRINT_0186_0001_0001 | NEW | -| Concelier Ingestion | SPRINT_0115_0001_0004 | NEW | - -## Implementation Priority - -Based on gap analysis: - -1. **P0 - CVSS v4.0** (Sprint 0190) - Industry moving to v4.0, genuine gap -2. **P1 - SPDX 3.0.1** (Sprint 0186 tasks 15a-15f) - Standards compliance -3. 
**P1 - Public Benchmark** (Sprint 0513) - Differentiation/marketing value -4. **P1 - Vuln Triage UX** (Sprint 0215) - Industry-aligned UX for competitive parity -5. **P1 - Sovereign Crypto** (Sprint 0514) - Regional compliance enablement -6. **P1 - Evidence Bundle & Replay** (Sprint 0161, 0187) - Audit/compliance critical -7. **P1 - Mirror & Offline Kit** (Sprint 0125, 0150) - Air-gap deployment critical -8. **P1 - CLI Developer Experience** (Sprint 0201) - Developer UX critical -9. **P1 - Orchestrator Event Model** (Sprint 0151) - Job lifecycle foundation -10. **P2 - Task Pack Orchestration** (Sprint 0157, 0158) - Automation foundation -11. **P2 - Explainability** (Sprint 0401) - UX enhancement, existing tasks -12. **P2 - Plugin Architecture** (Multiple) - Foundational extensibility patterns -13. **P2 - Auth/AuthZ Architecture** (Multiple) - Security consolidation -14. **P2 - Export Center** (Sprint 0160) - Reporting flexibility -15. **P2 - Zastava Runtime** (Sprint 0144) - Runtime observability -16. **P2 - Notification Rules** (Sprint 0170) - Alert management -17. **P2 - Graph Analytics** (Sprint 0141) - Dependency insights -18. **P2 - Telemetry** (Sprint 0180) - Observability infrastructure -19. **P2 - Policy Simulation** (Sprint 0185) - Safe policy testing -20. **P2 - Findings Ledger** (Sprint 0186) - Audit immutability -21. **P2 - Concelier Ingestion** (Sprint 0115) - Advisory pipeline -22. **P3 - Already Implemented** - Unknowns, Graph IDs, DSSE batching - -## Implementer Quick Reference - -For each topic, the implementer should read: - -1. **Sprint file** - Contains task definitions, dependencies, working directories -2. **Documentation Prerequisites** - Listed in each sprint file -3. **Canonical advisory** - Full product context and rationale -4. 
**Module AGENTS.md** - If exists, contains module-specific coding guidance - -### Key Module Docs to Read Before Implementation - -| Module | Architecture Doc | AGENTS.md | -|--------|-----------------|-----------| -| Policy | `docs/modules/policy/architecture.md` | `src/Policy/*/AGENTS.md` | -| Scanner | `docs/modules/scanner/architecture.md` | `src/Scanner/*/AGENTS.md` | -| Sbomer | `docs/modules/sbomer/architecture.md` | `src/Sbomer/*/AGENTS.md` | -| Signals | `docs/modules/signals/architecture.md` | `src/Signals/*/AGENTS.md` | -| Attestor | `docs/modules/attestor/architecture.md` | `src/Attestor/*/AGENTS.md` | -| Vuln Explorer | `docs/modules/vuln-explorer/architecture.md` | `src/VulnExplorer/*/AGENTS.md` | -| VEX-Lens | `docs/modules/vex-lens/architecture.md` | `src/Excititor/*/AGENTS.md` | -| UI | `docs/modules/ui/architecture.md` | `src/UI/*/AGENTS.md` | -| Authority | `docs/modules/authority/architecture.md` | `src/Authority/*/AGENTS.md` | -| Evidence Locker | `docs/modules/evidence-locker/*.md` | `src/EvidenceLocker/*/AGENTS.md` | -| Mirror | `docs/modules/mirror/*.md` | `src/Mirror/*/AGENTS.md` | -| TaskRunner | `docs/modules/taskrunner/*.md` | `src/TaskRunner/*/AGENTS.md` | -| CLI | `docs/modules/cli/architecture.md` | `src/Cli/*/AGENTS.md` | -| Orchestrator | `docs/modules/orchestrator/architecture.md` | `src/Orchestrator/*/AGENTS.md` | -| Export Center | `docs/modules/export-center/architecture.md` | `src/ExportCenter/*/AGENTS.md` | -| Zastava | `docs/modules/zastava/architecture.md` | `src/Zastava/*/AGENTS.md` | -| Notify | `docs/modules/notify/architecture.md` | `src/Notify/*/AGENTS.md` | -| Graph | `docs/modules/graph/architecture.md` | `src/Graph/*/AGENTS.md` | -| Telemetry | `docs/modules/telemetry/architecture.md` | `src/Telemetry/*/AGENTS.md` | -| Findings Ledger | `docs/modules/findings-ledger/openapi/` | `src/Findings/*/AGENTS.md` | -| Concelier | `docs/modules/concelier/architecture.md` | `src/Concelier/*/AGENTS.md` | - -### Developer 
Onboarding Quick Start -- **Canonical:** `29-Nov-2025 - StellaOps – Mid-Level .NET Onboarding (Quick Start).md` -- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (Docs Governance) -- **Related Docs:** - - `docs/onboarding/dev-quickstart.md` (derived from this advisory) - - `docs/README.md` (new quickstart reference) - - `docs/modules/platform/architecture-overview.md` (platform dossier mention) -- **Status:** Documents deterministic onboarding for mid-level .NET engineers covering repos, determinism tests, DSSE/attestation patterns, and starter issues. - -## Topical Gaps (Advisory Needed) - -The following topics are mentioned in CLAUDE.md or module docs but lack dedicated product advisories: - -| Gap | Severity | Status | Notes | -|-----|----------|--------|-------| -| ~~Regional Crypto (eIDAS/FIPS/GOST/SM)~~ | HIGH | **FILLED** | `28-Nov-2025 - Sovereign Crypto for Regional Compliance.md` | -| ~~Plugin Architecture Patterns~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md` | -| ~~Evidence Bundle Packaging~~ | HIGH | **FILLED** | `28-Nov-2025 - Evidence Bundle and Replay Contracts.md` | -| ~~Mirror/Offline Kit Strategy~~ | HIGH | **FILLED** | `28-Nov-2025 - Mirror and Offline Kit Strategy.md` | -| ~~Task Pack Orchestration~~ | HIGH | **FILLED** | `28-Nov-2025 - Task Pack Orchestration and Automation.md` | -| ~~Auth/AuthZ Architecture~~ | HIGH | **FILLED** | `28-Nov-2025 - Authentication and Authorization Architecture.md` | -| ~~CLI Developer Experience~~ | HIGH | **FILLED** | `28-Nov-2025 - CLI Developer Experience and Command UX.md` | -| ~~Orchestrator Event Model~~ | HIGH | **FILLED** | `28-Nov-2025 - Orchestrator Event Model and Job Lifecycle.md` | -| ~~Export Center Strategy~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Export Center and Reporting Strategy.md` | -| ~~Runtime Posture & Observation~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Runtime Posture and Observation with Zastava.md` | -| ~~Notification Rules 
Engine~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Notification Rules and Alerting Engine.md` | -| ~~Graph Analytics & Clustering~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Graph Analytics and Dependency Insights.md` | -| ~~Telemetry & Observability~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Telemetry and Observability Patterns.md` | -| ~~Policy Simulation & Shadow Gates~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Policy Simulation and Shadow Gates.md` | -| ~~Findings Ledger & Audit Trail~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md` | -| ~~Concelier Advisory Ingestion~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Concelier Advisory Ingestion Model.md` | -| **CycloneDX 1.6 .NET Integration** | LOW | Open | Deep Architecture covers generically; expand with .NET-specific guidance | - -## Known Issues (Non-Blocking) - -**Unicode Encoding Inconsistency:** -Several filenames use en-dash (U+2011) instead of regular hyphen (-). This may cause cross-platform issues but does not affect content discovery. Files affected: -- `26-Nov-2025 - Handling Rekor v2 and DSSE Air‑Gap Limits.md` -- `27-Nov-2025 - Blueprint for a 2026‑Ready Scanner.md` -- `27-Nov-2025 - Deep Architecture Brief - SBOM‑First, VEX‑Ready Spine.md` - -**Archived Duplicate:** -`archived/17-Nov-2025 - SBOM-Provenance-Spine.md` and `archived/18-Nov-2025 - SBOM-Provenance-Spine.md` are potential duplicates. The 18-Nov version is likely canonical. - ---- -*Index created: 2025-11-27* -*Last updated: 2025-12-01 (added Rekor Receipt, Standup Kickstarters, UI Micro-Interactions, Proof-Linked VEX UI entries, plus new gap task IDs)* +# Product Advisory Index + +This index consolidates the November 2025 product advisories, identifying canonical documents and duplicates. 
+ +## Canonical Advisories (Active) + +These are the authoritative advisories to reference for implementation: + +### CVSS v4.0 +- **Canonical:** `25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md` +- **Sprint:** SPRINT_0190_0001_0001_cvss_v4_receipts.md +- **Gaps:** `31-Nov-2025 FINDINGS.md` (CV1–CV10 remediation task CVSS-GAPS-190-013) +- **Timing/UI:** `01-Dec-2025 - Time-to-Evidence (TTE) Metric.md` (archived) +- **Status:** New sprint created + +### CVSS v4.0 Momentum Briefing +- **Canonical:** `29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md` +- **Sprint:** SPRINT_0190_0001_0001_cvss_v4_receipts.md (context) +- **Related Docs:** + - `docs/product-advisories/25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md` (implementation focus) + - `docs/product-advisories/29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md` (this briefing) +- **Gaps:** `31-Nov-2025 FINDINGS.md` (CVM1–CVM10 remediation task CVSS-GAPS-190-014) +- **Status:** Summarises the industry adoption signals (NVD/GitHub/Microsoft/Snyk) and why Stella Ops should treat CVSS v4.0 as first-class now. + +### SCA Failure Catalogue +- **Canonical:** `29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md` +- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker) +- **Related Docs:** + - `docs/product-advisories/29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md` (this catalogue) + - `docs/implplan/SPRINT_0300_0001_0001_documentation_process.md` (tracking sync) +- **Gaps:** `31-Nov-2025 FINDINGS.md` (FC1–FC10 remediation task SCA-FIXTURE-GAPS-300-014) +- **Status:** Captures five real-world regressions/ SBOM gaps for Trivy/Syft/Grype/Snyk and frames test vectors + alarm scenarios for StellaOps acceptance suites. 
+ +### Acceptance Tests Pack & Guardrails +- **Canonical:** `29-Nov-2025 - Acceptance Tests Pack and Guardrails.md` +- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker) +- **Related Docs:** + - `docs/product-advisories/29-Nov-2025 - Acceptance Tests Pack and Guardrails.md` (this briefing) + - `docs/process/acceptance-guardrails-checklist.md` +- **Gaps:** `31-Nov-2025 FINDINGS.md` (AT1–AT10 remediation task AT-GAPS-300-012) +- **Status:** Defines deterministic, signed acceptance packs with replay parity checks and CI gating thresholds for admission/VEX/auth flows. + +### Mid-Level .NET Onboarding (Quick Start) +- **Canonical:** `29-Nov-2025 - StellaOps – Mid-Level .NET Onboarding (Quick Start).md` +- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker) +- **Related Docs:** + - `docs/onboarding/dev-quickstart.md` (to be updated) + - `docs/modules/platform/architecture-overview.md` +- **Gaps:** `31-Nov-2025 FINDINGS.md` (OB1–OB10 remediation task ONBOARD-GAPS-300-015) +- **Status:** Onboarding brief for mid-level .NET devs; needs deterministic/offline/DSSE/secret-handling expansions and cross-links. + +### Implementor Guidelines +- **Canonical:** `30-Nov-2025 - Implementor Guidelines for Stella Ops.md` +- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker) +- **Related Docs:** + - `docs/product-advisories/30-Nov-2025 - Implementor Guidelines for Stella Ops.md` (this briefing) + - `docs/05_SYSTEM_REQUIREMENTS_SPEC.md` / `docs/13_RELEASE_ENGINEERING_PLAYBOOK.md` (reference requirements) +- **Gaps:** `31-Nov-2025 FINDINGS.md` (IG1–IG10 remediation task IMPLEMENTOR-GAPS-300-018) +- **Status:** Operational checklist for contributors, plug-in authors, and implementors linking SRS/architecture to practical practices. 
+ +### Rekor Receipt Checklist +- **Canonical:** `30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md` +- **Sprint:** SPRINT_0314_0001_0001_docs_modules_authority.md +- **Related Docs:** Authority/Sbomer module docs; Rekor v2 / DSSE receipt schemas (to be published) +- **Gaps:** `31-Nov-2025 FINDINGS.md` (RR1–RR10 remediation task REKOR-RECEIPT-GAPS-314-005) +- **Status:** Needs signed/validated receipt schema/catalog, inclusion proof freshness policy, subject/policy binding, client provenance, TSA/time integrity, offline verifier, mirror snapshot rules, retention/observability, and tenant isolation. + +### Standup Sprint Kickstarters +- **Canonical:** `30-Nov-2025 - Standup Sprint Kickstarters.md` +- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker) +- **Related Docs:** `docs/implplan/README.md` (sprint template) +- **Gaps:** `31-Nov-2025 FINDINGS.md` (SK1–SK10 remediation task STANDUP-GAPS-300-019) +- **Status:** Introduces ceremony primer but lacks template alignment, readiness evidence, dependency ledger, offline/async guidance, metrics/SLOs, and role/decision capture rules. + +### UI Micro-Interactions +- **Canonical:** `30-Nov-2025 - UI Micro-Interactions for StellaOps.md` +- **Sprint:** SPRINT_0209_0001_0001_ui_i.md (UI I; share with UI II/III as needed) +- **Related Docs:** `docs/modules/ui/architecture.md`, Storybook token catalog (planned) +- **Gaps:** `31-Nov-2025 FINDINGS.md` (MI1–MI10 remediation task UI-MICRO-GAPS-0209-011) +- **Status:** Needs motion tokens, reduced-motion/a11y rules, perf budgets, offline/latency states, error/cancel patterns, component mapping, telemetry schema, deterministic tests/snapshots, micro-copy localisation, and theme/contrast guidance. 
+ +### Proof-Linked VEX UI (Not-Affected Proof Drawer) +- **Canonical:** Proof-linked VEX UI spec (chat-provided; to land as `docs/ui/proof-linked-vex.md`) +- **Sprint:** SPRINT_0215_0001_0001_vuln_triage_ux.md +- **Related Docs:** `docs/product-advisories/27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md`, `docs/product-advisories/28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md`, VexLens/Policy module docs +- **Gaps:** `31-Nov-2025 FINDINGS.md` (PVX1–PVX10 remediation task UI-PROOF-VEX-0215-010) +- **Status:** Drawer/badge pattern defined but missing scoped auth, cache/staleness policy, stronger integrity verification, failure/offline UX, evidence precedence rules, telemetry privacy schema, signed permalinks, revision reconciliation, and fixtures/tests. + +### Time-to-Evidence (TTE) Metric +- **Canonical:** `01-Dec-2025 - Time-to-Evidence (TTE) Metric.md` +- **Sprint:** SPRINT_0215_0001_0001_vuln_triage_ux.md (UI) with telemetry alignment to SPRINT_0180_0001_0001_telemetry_core.md +- **Related Docs:** UI sprints 0209/0215, telemetry architecture docs +- **Gaps:** `31-Nov-2025 FINDINGS.md` (TTE1–TTE10 remediation task TTE-GAPS-0215-011) +- **Status:** Metric defined but needs event schema/versioning, proof eligibility rules, sampling/bot filters, per-surface SLO/error budgets, index/streaming requirements, offline-kit handling, alert/runbook, release gate, and a11y tests. + +### Archived Advisories (15–23 Nov 2025) +- **Canonical:** `docs/product-advisories/archived/*.md` (embedded provenance events, function-level VEX explainability, binary reachability branches, SBOM-provenance spine, etc.) 
+- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (triage/decision) +- **Related Docs:** None current (need revival + canonicalization) +- **Gaps:** `31-Nov-2025 FINDINGS.md` (AR-EP1 … AR-VB1 remediation task ARCHIVED-GAPS-300-020) +- **Status:** Archived set lacks schemas, determinism rules, redaction/licensing, changelog/signing, and duplication resolution; needs triage on which to revive into active advisories. + +### SBOM → VEX Proof Blueprint +- **Canonical:** `29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md` +- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker) +- **Related Docs:** + - `docs/product-advisories/29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md` (itself) + - `docs/modules/platform/architecture-overview.md` (platform dossier link) +- **Gaps:** `31-Nov-2025 FINDINGS.md` (BP1–BP10 remediation task SBOM-VEX-GAPS-300-013) +- **Status:** Diagram-first guide showing DSSE → Rekor v2 tiles → VEX linkage plus online/offline verification notes for StellaOps proofs. + +### UI Micro-Interactions +- **Canonical:** `30-Nov-2025 - UI Micro-Interactions for StellaOps.md` +- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker) +- **Related Docs:** + - `apps/console/src/app/shared/micro/` + - `docs/product-advisories/30-Nov-2025 - UI Micro-Interactions for StellaOps.md` +- **Status:** Three Angular tasks covering audit trail reasons, low-noise VEX gating, and evidence provenance chips for air-gapped + online UX. 
+ +### Rekor Receipt Checklist +- **Canonical:** `30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md` +- **Sprint:** SPRINT_0314_0001_0001_docs_modules_authority.md (PRIMARY) +- **Related Docs:** + - `docs/product-advisories/30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md` + - `docs/modules/platform/architecture-overview.md` +- **Gaps:** `31-Nov-2025 FINDINGS.md` (RR1–RR10 remediation task REKOR-RECEIPT-GAPS-314-005) +- **Status:** Field-level ownership map for receipts, bundles, and offline metadata so Authority/Sbomer/Vexer keep deterministic proofs. + +### Air-Gap Deployment Playbook +- **Canonical:** `25-Nov-2025 - Air-gap deployment playbook for StellaOps.md` +- **Sprint:** SPRINT_0510_0001_0001_airgap.md (Ops & Offline) +- **Gaps:** `31-Nov-2025 FINDINGS.md` (AG1–AG12 remediation task AIRGAP-GAPS-510-009) +- **Status:** Implementation guided by Ops/Offline sprint; gaps cover trust roots, Rekor mirrors, feed freezing, tooling hashes, AV scans, policy/graph hash verification, tenant scoping, ingress receipts, replay depth, and offline observability. + +### Ecosystem Reality Tests +- **Canonical:** `30-Nov-2025 - Ecosystem Reality Test Cases for StellaOps.md` +- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker) +- **Related Docs:** + - `docs/product-advisories/30-Nov-2025 - Ecosystem Reality Test Cases for StellaOps.md` +- **Status:** Evidence-backed acceptance tests covering credential leaks, offline DB quirks, SBOM parity, and scanner instability. 
+ +### Unknowns Decay & Triage Heuristics +- **Canonical:** `30-Nov-2025 - Unknowns Decay & Triage Heuristics.md` +- **Sprint:** SPRINT_0140_0001_0001_runtime_signals.md (Signals/Unknowns) +- **Related Docs:** + - `docs/product-advisories/30-Nov-2025 - Unknowns Decay & Triage Heuristics.md` +- **Gaps:** `31-Nov-2025 FINDINGS.md` (UT1–UT10 remediation task UNKNOWN-HEUR-GAPS-140-007) +- **Status:** Confidence decay card + triage queue artifacts that feed UI + ops exports for stale unknowns. + +### Standup Sprint Kickstarters +- **Canonical:** `30-Nov-2025 - Standup Sprint Kickstarters.md` +- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker) +- **Related Docs:** + - `docs/product-advisories/30-Nov-2025 - Standup Sprint Kickstarters.md` +- **Status:** Three day-0 tasks (scanner regressions, Postgres slice, DSSE/Rekor sweep) with ticket names and assignments. + +### Evidence + Suppression Patterns +- **Canonical:** `30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md` +- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker) +- **Related Docs:** + - `docs/product-advisories/30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md` +- **Gaps:** `31-Nov-2025 FINDINGS.md` (CE1–CE10 remediation task EVIDENCE-PATTERNS-GAPS-300-016) +- **Status:** Snapshot of how Snyk, GitHub, Aqua, Anchore/Grype, and Prisma Cloud handle evidence, suppression, and audit/export primitives. 
+ +### Ecosystem Reality Test Cases +- **Canonical:** `30-Nov-2025 - Ecosystem Reality Test Cases.md` +- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (docs tracker) +- **Related Docs:** + - `docs/product-advisories/30-Nov-2025 - Ecosystem Reality Test Cases.md` +- **Gaps:** `31-Nov-2025 FINDINGS.md` (ET1–ET10 remediation task ECOSYS-FIXTURES-GAPS-300-017) +- **Status:** Five public incidents mapped to acceptance tests (credential leak, Trivy offline schema error, SBOM parity, Grype version drift, inconsistent detection); informs SCA acceptance packs. + +### Reachability Benchmark Fixtures +- **Canonical:** `30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md` +- **Sprint:** SPRINT_0513_0001_0001_public_reachability_benchmark.md (PRIMARY) +- **Related Docs:** + - `docs/product-advisories/30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md` +- **Gaps:** `31-Nov-2025 FINDINGS.md` (RB1–RB10 remediation task REACH-FIXTURE-GAPS-513-020) +- **Status:** SV-COMP + OSS-Fuzz grounded fixture plan plus Tier-2 guidance for Java/Python, packages, containers, call-graph corpora. 
+ +### SBOM/VEX Pipeline +- **Canonical:** `27-Nov-2025 - Deep Architecture Brief - SBOM‑First, VEX‑Ready Spine.md` +- **Sprint:** SPRINT_0186_0001_0001_record_deterministic_execution.md (tasks 15a-15f) +- **Supersedes:** + - `24-Nov-2025 - Bridging OpenVEX and CycloneDX for .NET.md` → archive + - `25-Nov-2025 - Revisiting Determinism in SBOM→VEX Pipeline.md` → archive + - `26-Nov-2025 - From SBOM to VEX - Building a Transparent Chain.md` → archive + +### Rekor/DSSE Batch Sizing +- **Canonical:** `26-Nov-2025 - Handling Rekor v2 and DSSE Air‑Gap Limits.md` +- **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (DSSE tasks) +- **Supersedes:** + - `27-Nov-2025 - Rekor Envelope Size Heuristic.md` → archive (duplicate) + - `27-Nov-2025 - DSSE and Rekor Envelope Size Heuristic.md` → archive (duplicate) + - `27-Nov-2025 - Optimizing DSSE Batch Sizes for Reliable Logging.md` → archive (duplicate) + +### Graph Revision IDs +- **Canonical:** `26-Nov-2025 - Use Graph Revision IDs as Public Trust Anchors.md` +- **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (existing tasks) +- **Gaps:** `31-Nov-2025 FINDINGS.md` (GR1–GR10 remediation task GRAPHREV-GAPS-401-063) +- **Supersedes:** + - `25-Nov-2025 - Hash‑Stable Graph Revisions Across Systems.md` → archive (earlier version) + +### Reachability Benchmark (Public) +- **Canonical:** `24-Nov-2025 - Designing a Deterministic Reachability Benchmark.md` +- **Sprint:** SPRINT_0513_0001_0001_public_reachability_benchmark.md +- **Related:** + - `26-Nov-2025 - Opening Up a Reachability Dataset.md` → complementary (dataset focus) + - `31-Nov-2025 FINDINGS.md` → gap analysis (G1–G12) with remediation task BENCH-GAPS-513-018 +- **Gaps (dataset):** `31-Nov-2025 FINDINGS.md` (RD1–RD10 remediation task DATASET-GAPS-513-019) + +### Unknowns Registry +- **Canonical:** `27-Nov-2025 - Managing Ambiguity Through an Unknowns Registry.md` +- **Sprint:** SPRINT_0140_0001_0001_runtime_signals.md (existing implementation) 
+- **Extends:** `archived/18-Nov-2025 - Unknowns-Registry.md` +- **Gaps:** `31-Nov-2025 FINDINGS.md` (UN1–UN10 remediation task UNKNOWN-GAPS-140-006) +- **Status:** Already implemented in Signals module; advisory validates design + +### Confidence Decay for Prioritization +- **Canonical:** `25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md` +- **Sprint:** SPRINT_0140_0001_0001_runtime_signals.md (integration point) +- **Gaps:** `31-Nov-2025 FINDINGS.md` (U1–U10 remediation task DECAY-GAPS-140-005) +- **Related:** Unknowns Registry (time-based decay complements ambiguity tracking) +- **Status:** Design advisory - provides exponential decay formula for priority freshness + +### Explainability +- **Canonical (Graphs):** `27-Nov-2025 - Making Graphs Understandable to Humans.md` +- **Canonical (Verdicts):** `27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md` +- **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (UI-CLI tasks) +- **Gaps:** `31-Nov-2025 FINDINGS.md` (EX1–EX10 remediation task EXPLAIN-GAPS-401-064) +- **Status:** Complementary advisories - graphs cover edge reasons, verdicts cover audit trails + +### VEX Proofs +- **Canonical:** `25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md` +- **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (POLICY-VEX tasks) +- **Gaps:** `31-Nov-2025 FINDINGS.md` (VEX1–VEX10 remediation task VEX-GAPS-401-062) + +### Binary Reachability +- **Canonical:** `27-Nov-2025 - Verifying Binary Reachability via DSSE Envelopes.md` +- **Sprint:** SPRINT_0401_0001_0001_reachability_evidence_chain.md (GRAPH-HYBRID tasks) +- **Gaps:** `31-Nov-2025 FINDINGS.md` (BR1–BR10 remediation task BINARY-GAPS-401-066) + +### Scanner Roadmap +- **Canonical:** `27-Nov-2025 - Blueprint for a 2026‑Ready Scanner.md` +- **Sprint:** Multiple sprints (0186, 0401, 0512) +- **Gaps:** `31-Nov-2025 FINDINGS.md` (SC1–SC10 remediation task SCANNER-GAPS-186-018) +- **Status:** High-level roadmap document 
+ +### SBOM-First, VEX-Ready Spine +- **Canonical:** `27-Nov-2025 - Deep Architecture Brief - SBOM-First, VEX-Ready Spine.md` +- **Sprint:** SPRINT_0186_0001_0001_record_deterministic_execution.md (spine contracts) and related VEX/graph tasks in SPRINT_0401_0001_0001 +- **Gaps:** `31-Nov-2025 FINDINGS.md` (SP1–SP10 remediation task SPINE-GAPS-186-019) +- **Status:** Architecture brief; needs formalized schemas/contracts and DSSE/bundle enforcement. + +### SBOM & VEX Competitor Snapshot +- **Canonical:** `27-Nov-2025 - Late‑November SBOM & VEX competitor.md` +- **Sprint:** SPRINT_0186_0001_0001_record_deterministic_execution.md (ingest/normalization) +- **Gaps:** `31-Nov-2025 FINDINGS.md` (CM1–CM10 remediation task COMPETITOR-GAPS-186-020) +- **Status:** Competitive intelligence; requires hardened external ingest, signatures, and offline kit parity. + +### Vulnerability Triage UX & VEX-First Decisioning +- **Canonical:** `28-Nov-2025 - Vulnerability Triage UX & VEX-First Decisioning.md` +- **Sprint:** SPRINT_0215_0001_0001_vuln_triage_ux.md (NEW) +- **Related Sprints:** + - SPRINT_0210_0001_0002_ui_ii.md (UI-LNM-22-003 VEX tab) + - SPRINT_0334_docs_modules_vuln_explorer.md (docs) +- **Related Advisories:** + - `27-Nov-2025 - Explainability Layer for Vulnerability Verdicts.md` (evidence chain) + - `27-Nov-2025 - Making Graphs Understandable to Humans.md` (graph UX) + - `25-Nov-2025 - Define Safe VEX 'Not Affected' Claims with Proofs.md` (VEX proofs) +- **Gaps:** `31-Nov-2025 FINDINGS.md` (VT1–VT10 remediation task TRIAGE-GAPS-215-042) +- **Status:** New - defines converged triage UX across Snyk/GitLab/Harbor/Anchore patterns +- **Schemas:** + - `docs/schemas/vex-decision.schema.json` + - `docs/schemas/attestation-vuln-scan.schema.json` + - `docs/schemas/audit-bundle-index.schema.json` + +### Sovereign Crypto for Regional Compliance +- **Canonical:** `28-Nov-2025 - Sovereign Crypto for Regional Compliance.md` +- **Sprint:** 
SPRINT_0514_0001_0001_sovereign_crypto_enablement.md (EXISTING) +- **Related Docs:** + - `docs/security/rootpack_ru_*.md` - RootPack RU documentation + - `docs/security/crypto-registry-decision-2025-11-18.md` - Registry design + - `docs/security/pq-provider-options.md` - Post-quantum options +- **Gaps:** `31-Nov-2025 FINDINGS.md` (SC1–SC10 remediation task SC-GAPS-514-010) +- **Status:** Fills HIGH-priority gap - covers eIDAS, FIPS, GOST, SM algorithm support +- **Compliance:** EU (eIDAS), US (FIPS 140-2/3), Russia (GOST), China (SM2/3/4) + +### Plugin Architecture & Extensibility +- **Canonical:** `28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md` +- **Sprint:** Foundational - appears in module-specific sprints +- **Related Docs:** + - `docs/dev/plugins/README.md` - General plugin guide + - `docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md` - Concelier connectors + - `docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md` - Authority plugins + - `docs/modules/scanner/guides/surface-validation-extensibility.md` - Scanner extensibility +- **Gaps:** `31-Nov-2025 FINDINGS.md` (PL1–PL10 remediation task Plugin architecture gaps remediation — Sprint 300) +- **Status:** Fills MEDIUM-priority gap - consolidates extensibility patterns across modules + +### Evidence Bundle & Replay Contracts +- **Canonical:** `28-Nov-2025 - Evidence Bundle and Replay Contracts.md` +- **Sprint:** SPRINT_0161_0001_0001_evidencelocker.md (PRIMARY) +- **Related Sprints:** + - SPRINT_0187_0001_0001_evidence_locker_cli_integration.md (CLI) + - SPRINT_0160_0001_0001_export_evidence.md (Coordination) +- **Related Docs:** + - `docs/modules/evidence-locker/bundle-packaging.md` - Bundle spec + - `docs/modules/evidence-locker/attestation-contract.md` - DSSE contract + - `docs/modules/evidence-locker/replay-payload-contract.md` - Replay schema +- **Gaps:** `31-Nov-2025 FINDINGS.md` (EB1–EB10 remediation task EVID-GAPS-161-007) +- **Status:** Fills HIGH-priority gap - covers deterministic bundles, 
attestations, replay, incident mode + +### Export Center & Reporting +- **Canonical:** `28-Nov-2025 - Export Center and Reporting Strategy.md` +- **Sprint:** SPRINT_0162_0001_0001_exportcenter_i.md (ExportCenter I) +- **Related Sprints:** SPRINT_0163_0001_0001_exportcenter_ii.md, SPRINT_0164_0001_0001_exportcenter_iii.md +- **Gaps:** `31-Nov-2025 FINDINGS.md` (EC1–EC10 remediation task EXPORT-GAPS-162-013) +- **Status:** Export profiles/adapters; determinism, provenance, and offline kit parity need gap remediation. +### Acceptance Tests Pack for Guardrails +- **Canonical:** `29-Nov-2025 - Acceptance Tests Pack for StellaOps Guardrails.md` +- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (Docs Governance) +- **Related Docs:** + - `docs/product-advisories/29-Nov-2025 - Acceptance Tests Pack for StellaOps Guardrails.md` (itself) + - `docs/implplan/SPRINT_0300_0001_0001_documentation_process.md` (tracking the sync) +- **Gaps:** `31-Nov-2025 FINDINGS.md` (AT1–AT10 remediation task AT-GAPS-300-012) +- **Status:** Captures feed resiliency, SBOM validation, snapshot/replay rehearsals, reachability fallbacks, and pipeline swap guardrails for acceptance tests. 
+ +### Mirror & Offline Kit Strategy +- **Canonical:** `28-Nov-2025 - Mirror and Offline Kit Strategy.md` +- **Sprint:** SPRINT_0125_0001_0001 (Mirror Bundles) +- **Related Sprints:** + - SPRINT_0150_0001_0001 (DSSE/Time Anchors) + - SPRINT_0150_0001_0002 (Time Anchors) + - SPRINT_0150_0001_0003 (Orchestrator Hooks) +- **Related Docs:** + - `docs/modules/mirror/dsse-tuf-profile.md` - DSSE/TUF spec + - `docs/modules/mirror/thin-bundle-assembler.md` - Thin bundle spec + - `docs/airgap/time-anchor-schema.json` - Time anchor schema +- **Gaps:** `31-Nov-2025 FINDINGS.md` (OK1–OK10 remediation task OFFKIT-GAPS-125-011; RK1–RK10 task REKOR-GAPS-125-012; MS1–MS10 task MIRROR-GAPS-125-013) +- **Status:** Fills HIGH-priority gap - covers thin bundles, DSSE/TUF signing, time anchoring + +### Rekor v2 / DSSE Limits +- **Canonical:** `26-Nov-2025 - Handling Rekor v2 and DSSE Air-Gap Limits.md` +- **Sprint:** SPRINT_0125_0001_0001_mirror.md (mirror/offline log handling) and linked to reachability evidence chain where DSSE predicates are used. +- **Gaps:** `31-Nov-2025 FINDINGS.md` (RK1–RK10 remediation task REKOR-GAPS-125-012) +- **Status:** Guides policy for public/private Rekor use, payload limits, chunking, and shard-aware checkpoints. 
+ +### Task Pack Orchestration & Automation +- **Canonical:** `28-Nov-2025 - Task Pack Orchestration and Automation.md` +- **Sprint:** SPRINT_0157_0001_0001_taskrunner_i.md (PRIMARY) +- **Related Sprints:** + - SPRINT_0158_0001_0002_taskrunner_ii.md (Phase II) + - SPRINT_0157_0001_0002_taskrunner_blockers.md (Blockers) +- **Related Docs:** + - `docs/task-packs/spec.md` - Pack manifest specification + - `docs/task-packs/authoring-guide.md` - Authoring workflow + - `docs/task-packs/registry.md` - Registry architecture +- **Gaps:** `31-Nov-2025 FINDINGS.md` (TP1–TP10 remediation task TASKRUN-GAPS-157-014) +- **Status:** Fills HIGH-priority gap - covers pack DSL, approvals, evidence capture + +### Authentication & Authorization Architecture +- **Canonical:** `28-Nov-2025 - Authentication and Authorization Architecture.md` +- **Sprint:** Multiple (see below) +- **Related Sprints:** + - SPRINT_100_identity_signing.md (CLOSED - historical) + - SPRINT_0314_0001_0001_docs_modules_authority.md (Docs) + - SPRINT_0514_0001_0001_sovereign_crypto_enablement.md (Crypto) +- **Gaps:** `31-Nov-2025 FINDINGS.md` (AU1–AU10 remediation task AUTH-GAPS-314-004) +- **Related Docs:** + - `docs/modules/authority/architecture.md` - Module architecture + - `docs/11_AUTHORITY.md` - Overview + - `docs/security/authority-scopes.md` - Scope reference + - `docs/security/dpop-mtls-rollout.md` - Sender constraints +- **Status:** Fills HIGH-priority gap - consolidates token model, scopes, multi-tenant isolation + +### CLI Developer Experience & Command UX +- **Canonical:** `28-Nov-2025 - CLI Developer Experience and Command UX.md` +- **Sprint:** SPRINT_0201_0001_0001_cli_i.md (PRIMARY) +- **Related Sprints:** + - SPRINT_203_cli_iii.md + - SPRINT_205_cli_v.md +- **Related Docs:** + - `docs/modules/cli/architecture.md` - Module architecture + - `docs/09_API_CLI_REFERENCE.md` - Command reference +- **Gaps:** `31-Nov-2025 FINDINGS.md` (CL1–CL10 remediation task CLI-GAPS-201-003) +- **Status:** Fills 
HIGH-priority gap - covers command surface, auth model, Buildx integration + +### Orchestrator Event Model & Job Lifecycle +- **Canonical:** `28-Nov-2025 - Orchestrator Event Model and Job Lifecycle.md` +- **Sprint:** SPRINT_0151_0001_0001_orchestrator_i.md (PRIMARY) +- **Related Sprints:** + - SPRINT_152_orchestrator_ii.md + - SPRINT_0152_0001_0002_orchestrator_ii.md +- **Related Docs:** + - `docs/modules/orchestrator/architecture.md` - Module architecture +- **Gaps:** `31-Nov-2025 FINDINGS.md` (OR1–OR10 remediation task ORCH-GAPS-151-016) +- **Status:** Fills HIGH-priority gap - covers job lifecycle, quota governance, replay semantics + +### Export Center & Reporting Strategy +- **Canonical:** `28-Nov-2025 - Export Center and Reporting Strategy.md` +- **Sprint:** SPRINT_0160_0001_0001_export_evidence.md (PRIMARY) +- **Related Sprints:** + - SPRINT_0161_0001_0001_evidencelocker.md +- **Related Docs:** + - `docs/modules/export-center/architecture.md` - Module architecture +- **Status:** Fills MEDIUM-priority gap - covers profile system, adapters, distribution channels + +### Runtime Posture & Observation (Zastava) +- **Canonical:** `28-Nov-2025 - Runtime Posture and Observation with Zastava.md` +- **Sprint:** SPRINT_0144_0001_0001_zastava_runtime_signals.md (PRIMARY) +- **Related Sprints:** + - SPRINT_0140_0001_0001_runtime_signals.md + - SPRINT_0143_0001_0001_signals.md +- **Related Docs:** + - `docs/modules/zastava/architecture.md` - Module architecture +- **Gaps:** `31-Nov-2025 FINDINGS.md` (ZR1–ZR10 remediation task ZASTAVA-GAPS-144-007) +- **Status:** Fills MEDIUM-priority gap - covers runtime events, admission control, drift detection + +### Notification Rules & Alerting Engine +- **Canonical:** `28-Nov-2025 - Notification Rules and Alerting Engine.md` +- **Sprint:** SPRINT_0170_0001_0001_notify_engine.md (NEW) +- **Related Sprints:** + - SPRINT_0171_0001_0002_notify_connectors.md + - SPRINT_0172_0001_0003_notify_ack_tokens.md +- **Related Docs:** + - 
`docs/modules/notify/architecture.md` - Module architecture +- **Gaps:** `31-Nov-2025 FINDINGS.md` (NR1–NR10 remediation task NOTIFY-GAPS-171-014; blueprint `docs/notifications/gaps-nr1-nr10.md`) +- **Status:** Fills MEDIUM-priority gap - covers rules engine, channels, noise control, ack tokens + +### Graph Analytics & Dependency Insights +- **Canonical:** `28-Nov-2025 - Graph Analytics and Dependency Insights.md` +- **Sprint:** SPRINT_0141_0001_0001_graph_indexer.md (PRIMARY) +- **Related Sprints:** + - SPRINT_0401_0001_0001_reachability_evidence_chain.md + - SPRINT_0140_0001_0001_runtime_signals.md +- **Related Docs:** + - `docs/modules/graph/architecture.md` - Module architecture +- **Gaps:** `31-Nov-2025 FINDINGS.md` (GA1–GA10 remediation task GRAPH-ANALYTICS-GAPS-207-013) +- **Status:** Fills MEDIUM-priority gap - covers graph model, overlays, analytics, visualization + +### Telemetry & Observability Patterns +- **Canonical:** `28-Nov-2025 - Telemetry and Observability Patterns.md` +- **Sprint:** SPRINT_0180_0001_0001_telemetry_core.md (NEW) +- **Related Sprints:** + - SPRINT_0181_0001_0002_telemetry_forensic.md + - SPRINT_0182_0001_0003_telemetry_offline.md +- **Related Docs:** + - `docs/modules/telemetry/architecture.md` - Module architecture +- **Gaps:** `31-Nov-2025 FINDINGS.md` (TO1–TO10 remediation task TELEM-GAPS-180-001) +- **Status:** Fills MEDIUM-priority gap - covers collector topology, forensic mode, offline bundles + +### Policy Simulation & Shadow Gates +- **Canonical:** `28-Nov-2025 - Policy Simulation and Shadow Gates.md` +- **Sprint:** SPRINT_0185_0001_0001_policy_simulation.md (NEW) +- **Related Sprints:** + - SPRINT_0120_0001_0001_policy_reasoning.md + - SPRINT_0121_0001_0001_policy_reasoning.md +- **Related Docs:** + - `docs/modules/policy/architecture.md` - Module architecture +- **Gaps:** `31-Nov-2025 FINDINGS.md` (PS1–PS10 remediation task POLICY-GAPS-185-006) +- **Status:** Fills MEDIUM-priority gap - covers shadow runs, coverage 
fixtures, promotion gates + +### Findings Ledger & Immutable Audit Trail +- **Canonical:** `28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md` +- **Sprint:** SPRINT_0186_0001_0001_record_deterministic_execution.md (PRIMARY) +- **Related Sprints:** + - SPRINT_0120_0001_0001_policy_reasoning.md + - SPRINT_0311_0001_0001_docs_tasks_md_xi.md +- **Related Docs:** + - `docs/modules/findings-ledger/openapi/findings-ledger.v1.yaml` - OpenAPI spec +- **Gaps:** `31-Nov-2025 FINDINGS.md` (FL1–FL10 remediation task LEDGER-GAPS-121-009) +- **Status:** Fills MEDIUM-priority gap - covers append-only events, Merkle anchoring, projections + +### Concelier Advisory Ingestion Model +- **Canonical:** `28-Nov-2025 - Concelier Advisory Ingestion Model.md` +- **Sprint:** SPRINT_0115_0001_0004_concelier_iv.md (PRIMARY) +- **Related Sprints:** + - SPRINT_0113_0001_0002_concelier_ii.md + - SPRINT_0114_0001_0003_concelier_iii.md +- **Related Docs:** + - `docs/modules/concelier/architecture.md` - Module architecture +- **Gaps:** `31-Nov-2025 FINDINGS.md` (CI1–CI10 remediation task CONCELIER-GAPS-115-014) + - `docs/modules/concelier/link-not-merge-schema.md` - LNM schema +- **Status:** Fills MEDIUM-priority gap - covers AOC, Link-Not-Merge, connectors, deterministic exports + +## Files Archived + +The following files have been moved to `archived/27-Nov-2025-superseded/`: + +``` +# Superseded by canonical advisories +24-Nov-2025 - Bridging OpenVEX and CycloneDX for .NET.md +25-Nov-2025 - Revisiting Determinism in SBOM→VEX Pipeline.md +25-Nov-2025 - Hash‑Stable Graph Revisions Across Systems.md +26-Nov-2025 - From SBOM to VEX - Building a Transparent Chain.md +27-Nov-2025 - Rekor Envelope Size Heuristic.md +27-Nov-2025 - DSSE and Rekor Envelope Size Heuristic.md +27-Nov-2025 - Optimizing DSSE Batch Sizes for Reliable Logging.md +``` + +## Cleanup Completed (2025-11-28) + +The following issues were fixed: +- Deleted junk file: `24-Nov-2025 - 1 copy 2.md` +- Deleted malformed duplicate: 
`24-Nov-2025 - Designing a Deterministic Reachability Benchmarkmd` +- Fixed filename: `25-Nov-2025 - Half-Life Confidence Decay for Unknowns.md` (was missing .md extension) + +## Sprint Cross-Reference + +| Advisory Topic | Sprint ID | Status | +|---------------|-----------|--------| +| CVSS v4.0 | SPRINT_0190_0001_0001 | NEW | +| SPDX 3.0.1 / SBOM | SPRINT_0186_0001_0001 | AUGMENTED | +| Reachability Benchmark | SPRINT_0513_0001_0001 | NEW | +| Reachability Evidence | SPRINT_0401_0001_0001 | EXISTING | +| Unknowns Registry | SPRINT_0140_0001_0001 | IMPLEMENTED | +| Confidence Decay | SPRINT_0140_0001_0001 | DESIGN | +| Graph Revision IDs | SPRINT_0401_0001_0001 | EXISTING | +| DSSE/Rekor Batching | SPRINT_0401_0001_0001 | EXISTING | +| Vuln Triage UX / VEX | SPRINT_0215_0001_0001 | NEW | +| Sovereign Crypto | SPRINT_0514_0001_0001 | EXISTING | +| Plugin Architecture | Multiple (module-specific) | FOUNDATIONAL | +| Evidence Bundle & Replay | SPRINT_0161_0001_0001 | EXISTING | +| Mirror & Offline Kit | SPRINT_0125_0001_0001 | EXISTING | +| Task Pack Orchestration | SPRINT_0157_0001_0001 | EXISTING | +| Auth/AuthZ Architecture | Multiple (100, 314, 0514) | EXISTING | +| CLI Developer Experience | SPRINT_0201_0001_0001 | NEW | +| Orchestrator Event Model | SPRINT_0151_0001_0001 | NEW | +| Export Center Strategy | SPRINT_0160_0001_0001 | NEW | +| Zastava Runtime Posture | SPRINT_0144_0001_0001 | NEW | +| Notification Rules Engine | SPRINT_0170_0001_0001 | NEW | +| Graph Analytics | SPRINT_0141_0001_0001 | NEW | +| Telemetry & Observability | SPRINT_0180_0001_0001 | NEW | +| Policy Simulation | SPRINT_0185_0001_0001 | NEW | +| Findings Ledger | SPRINT_0186_0001_0001 | NEW | +| Concelier Ingestion | SPRINT_0115_0001_0004 | NEW | + +## Implementation Priority + +Based on gap analysis: + +1. **P0 - CVSS v4.0** (Sprint 0190) - Industry moving to v4.0, genuine gap +2. **P1 - SPDX 3.0.1** (Sprint 0186 tasks 15a-15f) - Standards compliance +3. 
**P1 - Public Benchmark** (Sprint 0513) - Differentiation/marketing value +4. **P1 - Vuln Triage UX** (Sprint 0215) - Industry-aligned UX for competitive parity +5. **P1 - Sovereign Crypto** (Sprint 0514) - Regional compliance enablement +6. **P1 - Evidence Bundle & Replay** (Sprint 0161, 0187) - Audit/compliance critical +7. **P1 - Mirror & Offline Kit** (Sprint 0125, 0150) - Air-gap deployment critical +8. **P1 - CLI Developer Experience** (Sprint 0201) - Developer UX critical +9. **P1 - Orchestrator Event Model** (Sprint 0151) - Job lifecycle foundation +10. **P2 - Task Pack Orchestration** (Sprint 0157, 0158) - Automation foundation +11. **P2 - Explainability** (Sprint 0401) - UX enhancement, existing tasks +12. **P2 - Plugin Architecture** (Multiple) - Foundational extensibility patterns +13. **P2 - Auth/AuthZ Architecture** (Multiple) - Security consolidation +14. **P2 - Export Center** (Sprint 0160) - Reporting flexibility +15. **P2 - Zastava Runtime** (Sprint 0144) - Runtime observability +16. **P2 - Notification Rules** (Sprint 0170) - Alert management +17. **P2 - Graph Analytics** (Sprint 0141) - Dependency insights +18. **P2 - Telemetry** (Sprint 0180) - Observability infrastructure +19. **P2 - Policy Simulation** (Sprint 0185) - Safe policy testing +20. **P2 - Findings Ledger** (Sprint 0186) - Audit immutability +21. **P2 - Concelier Ingestion** (Sprint 0115) - Advisory pipeline +22. **P3 - Already Implemented** - Unknowns, Graph IDs, DSSE batching + +## Implementer Quick Reference + +For each topic, the implementer should read: + +1. **Sprint file** - Contains task definitions, dependencies, working directories +2. **Documentation Prerequisites** - Listed in each sprint file +3. **Canonical advisory** - Full product context and rationale +4. 
**Module AGENTS.md** - If exists, contains module-specific coding guidance + +### Key Module Docs to Read Before Implementation + +| Module | Architecture Doc | AGENTS.md | +|--------|-----------------|-----------| +| Policy | `docs/modules/policy/architecture.md` | `src/Policy/*/AGENTS.md` | +| Scanner | `docs/modules/scanner/architecture.md` | `src/Scanner/*/AGENTS.md` | +| Sbomer | `docs/modules/sbomer/architecture.md` | `src/Sbomer/*/AGENTS.md` | +| Signals | `docs/modules/signals/architecture.md` | `src/Signals/*/AGENTS.md` | +| Attestor | `docs/modules/attestor/architecture.md` | `src/Attestor/*/AGENTS.md` | +| Vuln Explorer | `docs/modules/vuln-explorer/architecture.md` | `src/VulnExplorer/*/AGENTS.md` | +| VEX-Lens | `docs/modules/vex-lens/architecture.md` | `src/Excititor/*/AGENTS.md` | +| UI | `docs/modules/ui/architecture.md` | `src/UI/*/AGENTS.md` | +| Authority | `docs/modules/authority/architecture.md` | `src/Authority/*/AGENTS.md` | +| Evidence Locker | `docs/modules/evidence-locker/*.md` | `src/EvidenceLocker/*/AGENTS.md` | +| Mirror | `docs/modules/mirror/*.md` | `src/Mirror/*/AGENTS.md` | +| TaskRunner | `docs/modules/taskrunner/*.md` | `src/TaskRunner/*/AGENTS.md` | +| CLI | `docs/modules/cli/architecture.md` | `src/Cli/*/AGENTS.md` | +| Orchestrator | `docs/modules/orchestrator/architecture.md` | `src/Orchestrator/*/AGENTS.md` | +| Export Center | `docs/modules/export-center/architecture.md` | `src/ExportCenter/*/AGENTS.md` | +| Zastava | `docs/modules/zastava/architecture.md` | `src/Zastava/*/AGENTS.md` | +| Notify | `docs/modules/notify/architecture.md` | `src/Notify/*/AGENTS.md` | +| Graph | `docs/modules/graph/architecture.md` | `src/Graph/*/AGENTS.md` | +| Telemetry | `docs/modules/telemetry/architecture.md` | `src/Telemetry/*/AGENTS.md` | +| Findings Ledger | `docs/modules/findings-ledger/openapi/` | `src/Findings/*/AGENTS.md` | +| Concelier | `docs/modules/concelier/architecture.md` | `src/Concelier/*/AGENTS.md` | + +### Developer 
Onboarding Quick Start +- **Canonical:** `29-Nov-2025 - StellaOps – Mid-Level .NET Onboarding (Quick Start).md` +- **Sprint:** SPRINT_0300_0001_0001_documentation_process.md (Docs Governance) +- **Related Docs:** + - `docs/onboarding/dev-quickstart.md` (derived from this advisory) + - `docs/README.md` (new quickstart reference) + - `docs/modules/platform/architecture-overview.md` (platform dossier mention) +- **Status:** Documents deterministic onboarding for mid-level .NET engineers covering repos, determinism tests, DSSE/attestation patterns, and starter issues. + +## Topical Gaps (Advisory Needed) + +The following topics are mentioned in CLAUDE.md or module docs but lack dedicated product advisories: + +| Gap | Severity | Status | Notes | +|-----|----------|--------|-------| +| ~~Regional Crypto (eIDAS/FIPS/GOST/SM)~~ | HIGH | **FILLED** | `28-Nov-2025 - Sovereign Crypto for Regional Compliance.md` | +| ~~Plugin Architecture Patterns~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md` | +| ~~Evidence Bundle Packaging~~ | HIGH | **FILLED** | `28-Nov-2025 - Evidence Bundle and Replay Contracts.md` | +| ~~Mirror/Offline Kit Strategy~~ | HIGH | **FILLED** | `28-Nov-2025 - Mirror and Offline Kit Strategy.md` | +| ~~Task Pack Orchestration~~ | HIGH | **FILLED** | `28-Nov-2025 - Task Pack Orchestration and Automation.md` | +| ~~Auth/AuthZ Architecture~~ | HIGH | **FILLED** | `28-Nov-2025 - Authentication and Authorization Architecture.md` | +| ~~CLI Developer Experience~~ | HIGH | **FILLED** | `28-Nov-2025 - CLI Developer Experience and Command UX.md` | +| ~~Orchestrator Event Model~~ | HIGH | **FILLED** | `28-Nov-2025 - Orchestrator Event Model and Job Lifecycle.md` | +| ~~Export Center Strategy~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Export Center and Reporting Strategy.md` | +| ~~Runtime Posture & Observation~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Runtime Posture and Observation with Zastava.md` | +| ~~Notification Rules 
Engine~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Notification Rules and Alerting Engine.md` | +| ~~Graph Analytics & Clustering~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Graph Analytics and Dependency Insights.md` | +| ~~Telemetry & Observability~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Telemetry and Observability Patterns.md` | +| ~~Policy Simulation & Shadow Gates~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Policy Simulation and Shadow Gates.md` | +| ~~Findings Ledger & Audit Trail~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md` | +| ~~Concelier Advisory Ingestion~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Concelier Advisory Ingestion Model.md` | +| **CycloneDX 1.6 .NET Integration** | LOW | Open | Deep Architecture covers generically; expand with .NET-specific guidance | + +## Known Issues (Non-Blocking) + +**Unicode Encoding Inconsistency:** +Several filenames use en-dash (U+2011) instead of regular hyphen (-). This may cause cross-platform issues but does not affect content discovery. Files affected: +- `26-Nov-2025 - Handling Rekor v2 and DSSE Air‑Gap Limits.md` +- `27-Nov-2025 - Blueprint for a 2026‑Ready Scanner.md` +- `27-Nov-2025 - Deep Architecture Brief - SBOM‑First, VEX‑Ready Spine.md` + +**Archived Duplicate:** +`archived/17-Nov-2025 - SBOM-Provenance-Spine.md` and `archived/18-Nov-2025 - SBOM-Provenance-Spine.md` are potential duplicates. The 18-Nov version is likely canonical. + +--- +*Index created: 2025-11-27* +*Last updated: 2025-12-01 (added Rekor Receipt, Standup Kickstarters, UI Micro-Interactions, Proof-Linked VEX UI entries, plus new gap task IDs)*
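Review bot: The Export Center advisory is indexed twice with conflicting primary sprints: the "Export Center & Reporting" entry points at `SPRINT_0162_0001_0001_exportcenter_i.md`, while the later "Export Center & Reporting Strategy" entry for the same canonical file (`28-Nov-2025 - Export Center and Reporting Strategy.md`) points at `SPRINT_0160_0001_0001_export_evidence.md`, and the Sprint Cross-Reference row `| Export Center Strategy | SPRINT_0160_0001_0001 | NEW |` agrees with only the second. Merge the two into one entry (keeping the Gaps line with EXPORT-GAPS-162-013, which the second entry lacks) and list the remaining sprint under Related Sprints so the table and the index agree. Several smaller consistency points in the same region: the Scanner Roadmap and Sovereign Crypto entries both use the gap prefix SC1–SC10 for different remediation tasks (SCANNER-GAPS-186-018 vs SC-GAPS-514-010), so one prefix should be renamed; the Plugin Architecture Gaps line reads "remediation task Plugin architecture gaps remediation — Sprint 300" instead of a task ID like every other entry; under Concelier, the `docs/modules/concelier/link-not-merge-schema.md` bullet sits beneath **Gaps** but belongs under **Related Docs**; and every Gaps line cites `31-Nov-2025 FINDINGS.md`, a date that does not exist, so confirm the actual filename. In Known Issues, U+2011 is NON-BREAKING HYPHEN, not an en-dash (U+2013); the sentence should name the character correctly since it is the thing a cleanup script would search for.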