stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

work

Browse Source
This commit is contained in:
StellaOps Bot
2025-11-23 23:40:10 +02:00
parent c13355923f
commit 029002ad05
93 changed files with 2160 additions and 285 deletions
Download Patch File Download Diff File Expand all files Collapse all files

221
docs/implplan/archived/SPRINT_0110_0001_0001_ingestion_evidence.md Normal file
View File

@@ -0,0 +1,221 @@
# Sprint 0110-0001-0001 · Ingestion & Evidence (Phase 110)
## Topic & Scope
- Finalise Advisory AI guardrail evidence (docs, SBOM feeds, policy knobs) without blocking customer rollout.
- Land Concelier structured caching + telemetry so Link-Not-Merge schemas feed consoles, air-gap bundles, and attestations.
- Prepare Excititor chunk API/telemetry/attestation contracts for deterministic VEX evidence delivery.
- Staff and kick off Mirror assembler (DSSE/TUF metadata, OCI/time anchors, CLI/Export Center automation).
- Working directory: `docs/implplan` (coordination across `src/AdvisoryAI`, `src/Concelier`, `src/Excititor`, `ops/devops` per task owners).
## Dependencies & Concurrency
- Upstream: Sprint 0100.A (Attestor) must stay green; Link-Not-Merge schema set (`CONCELIER-LNM-21-*`, `CARTO-GRAPH-21-002`) approved/frozen 2025-11-17 and now gates downstream wiring only. Advisory AI docs depend on SBOM/CLI/Policy/DevOps artefacts (`SBOM-AIAI-31-001`, `CLI-VULN-29-001`, `CLI-VEX-30-001`, `POLICY-ENGINE-31-001`, `DEVOPS-AIAI-31-001`).
- Parallelism: Sprints in the 0110 decade must remain independent; avoid new intra-decade dependencies.
- Evidence Locker contract and Mirror staffing decisions gate attestation work and Mirror tracks respectively.
## Documentation Prerequisites
- docs/modules/advisory-ai/architecture.md
- docs/modules/concelier/architecture.md
- docs/modules/excititor/architecture.md
- docs/modules/export-center/architecture.md
- docs/modules/airgap/architecture.md (timeline + bundle requirements)
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| P1 | PREP-CONCELIER-AIRGAP-56-001-58-001-AWAIT-MIR | DONE (2025-11-20) | Due 2025-11-21 · Accountable: Concelier Core · AirGap Guilds | Concelier Core · AirGap Guilds | Prep artefact published at `docs/modules/concelier/prep/2025-11-20-airgap-56-001-58-001-prep.md` (bundle mapping, hashes, import commands). |
| P2 | PREP-CONCELIER-CONSOLE-23-001-003-CONSOLE-SCH | DONE (2025-11-20) | Due 2025-11-21 · Accountable: Concelier Console Guild | Concelier Console Guild | Prep artefact published at `docs/modules/concelier/prep/2025-11-20-console-23-001-prep.md` (console linkset/VEX samples, hashes, README instructions). |
| P3 | PREP-CONCELIER-ATTEST-73-001-002-EVIDENCE-LOC | DONE (2025-11-20) | Due 2025-11-21 · Accountable: Concelier Core · Evidence Locker Guild | Concelier Core · Evidence Locker Guild | Prep artefact published at `docs/modules/concelier/prep/2025-11-20-attest-73-001-prep.md` (Concelier attestation ingest note, claims, DSSE linkage). |
| P4 | PREP-FEEDCONN-ICSCISA-02-012-KISA-02-008-FEED | DONE (2025-11-20) | Due 2025-11-21 · Accountable: Concelier Feed Owners | Concelier Feed Owners | Prep artefact published at `docs/modules/concelier/prep/2025-11-20-feeds-icscisa-kisa-prep.md` (remediation schedule, normalized fields, hashes). |
| 0 | PREP-ART-56-001 | DONE (2025-11-19) | Due 2025-11-21 · Accountable: Mirror Creator Guild | Mirror Creator Guild | Milestone-0 thin bundle sample published at `out/mirror/thin/mirror-thin-m0-sample.tar.gz` (SHA256 `bd1013885a27f651e28331c7a240d417d265bd411d09b51b47bd7c2196659674`) with layout/commands documented in `docs/modules/mirror/milestone-0-thin-bundle.md`. |
| 0.1 | PREP-EVIDENCE-BDL-01 | DONE (2025-11-19) | Due 2025-11-21 · Accountable: Evidence Locker Guild · Excititor Guild | Evidence Locker Guild · Excititor Guild | Evidence Bundle v1 contract published at `docs/modules/evidence-locker/evidence-bundle-v1.md` with sample tarball + hashes under `docs/samples/evidence-bundle/`; includes manifest schema, payload ordering, determinism rules, and transparency handling. |
| 0.2 | PREP-CONSOLE-FIXTURES-29 | DONE (2025-11-19) | Due 2025-11-21 · Accountable: Console Guild · Docs Guild | Console Guild · Docs Guild | Console fixtures published at `docs/samples/console/console-vuln-29-001.json` and `docs/samples/console/console-vex-30-001.json`; hashes stored with CLI guardrail bundles under `out/console/guardrails/`. Final screenshots still depend on SBOM evidence. |
| 0.3 | PREP-CHUNK-API-31 | DONE (2025-11-19) | Due 2025-11-21 · Accountable: Excititor Guild · Advisory AI Guild | Excititor Guild · Advisory AI Guild | Chunk API contract documented and sample NDJSON published at `docs/samples/excititor/chunks-sample.ndjson` (hash in `.sha256`); contract details in `docs/modules/excititor/evidence-contract.md`. |
| 0.4 | PREP-ATTEST-SCOPE-73 | DONE (2025-11-19) | Due 2025-11-21 · Accountable: Evidence Locker Guild · Concelier Guild | Evidence Locker Guild · Concelier Guild | Attestation scope note published at `docs/modules/evidence-locker/attestation-scope-note.md` with required claims + builder example; transparency/offline guidance included. |
| 0.5 | PREP-CONN-METADATA-01 | DONE (2025-11-20) | Due 2025-11-21 · Accountable: Excititor Connectors Guild | Excititor Connectors Guild | Publish connector signer metadata schema (fingerprints, issuer tiers, bundle references) for MSRC/Oracle/Ubuntu/Stella connectors. <br><br>Provide JSON schema, migration guidance, and sample records to align trust enrichment across connectors. |
| 0.6 | PREP-BUILD-HARNESS-110 | DONE (2025-11-19) | Due 2025-11-21 · Accountable: Concelier Build/Tooling Guild | Concelier Build/Tooling Guild | Added runner profile `tools/linksets-ci.sh` using `tools/dotnet-filter.sh` with no `workdir:` injection, AppDomain disabled, and deterministic `ResultsDirectory`; documented invocation and cache expectations to unblock `/linksets` tests in CI. |
| 0.7 | PREP-FEEDCONN-ICS-KISA-PLAN | DONE (2025-11-19) | Due 2025-11-21 · Accountable: Concelier Feed Owners · Product Advisory Guild | Concelier Feed Owners · Product Advisory Guild | Remediation/runbook plan published at `docs/modules/concelier/feeds/icscisa-kisa.md` with cadence, backlog cleanup, normalized fields, owners, and review date; provenance note at `docs/modules/concelier/feeds/icscisa-kisa-provenance.md`. |
| 1 | DOCS-AIAI-31-004 | DONE (2025-11-22) | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-003 | Docs Guild · Console Guild | Guardrail console doc published with fixture-backed captures and deployment guidance; future optional refresh when live SBOM endpoints land (`docs/advisory-ai/console.md`). |
| 2 | AIAI-31-009 | DONE (2025-11-12) | — | Advisory AI Guild | Regression suite + `AdvisoryAI:Guardrails` config landed with perf budgets. |
| 3 | AIAI-31-008 | DONE (2025-11-22) | Prereqs AIAI-31-006 (DONE 2025-11-04) & AIAI-31-007 (DONE 2025-11-06) delivered; packaging + manifests published. | Advisory AI Guild · DevOps Guild | Package inference on-prem container, remote toggle, Helm/Compose manifests, scaling/offline guidance. |
| 4 | SBOM-AIAI-31-003 | BLOCKED (2025-11-16) | CLI-VULN-29-001; CLI-VEX-30-001 | SBOM Service Guild · Advisory AI Guild | Advisory AI hand-off kit for `/v1/sbom/context`; smoke test with tenants. |
| 5 | DOCS-AIAI-31-005/006/008/009 | BLOCKED | CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | Docs Guild | CLI/policy/ops docs paused pending upstream artefacts. |
| 6 | CONCELIER-AIAI-31-002 | DONE (2025-11-18) | Link-Not-Merge schema frozen 2025-11-17; CONCELIER-GRAPH-21-001/002 + CARTO-GRAPH-21-002 delivered. | Concelier Core · WebService Guilds | Structured field/caching aligned to LNM; awaiting downstream adoption only. |
| 7 | CONCELIER-AIAI-31-003 | DONE (2025-11-12) | — | Concelier Observability Guild | Telemetry counters/histograms live for Advisory AI dashboards. |
| 8 | CONCELIER-AIRGAP-56-001..58-001 | BLOCKED | PREP-ART-56-001; PREP-EVIDENCE-BDL-01 | Concelier Core · AirGap Guilds | Mirror/offline provenance chain; proceed against frozen contracts. |
| 9 | CONCELIER-CONSOLE-23-001..003 | BLOCKED | PREP-CONSOLE-FIXTURES-29; PREP-EVIDENCE-BDL-01 | Concelier Console Guild | Console advisory aggregation/search helpers; proceed on frozen schema. |
| 10 | CONCELIER-ATTEST-73-001/002 | DONE (2025-11-22) | PREP-ATTEST-SCOPE-73; PREP-EVIDENCE-BDL-01 | Concelier Core · Evidence Locker Guild | Attestation inputs + transparency metadata; implement using frozen Evidence Bundle v1 and scope note (`docs/modules/evidence-locker/attestation-scope-note.md`). |
| 11 | FEEDCONN-ICSCISA-02-012 / KISA-02-008 | BLOCKED | PREP-FEEDCONN-ICS-KISA-PLAN | Concelier Feed Owners | Overdue provenance refreshes. |
| 12 | EXCITITOR-AIAI-31-001 | DONE (2025-11-09) | — | Excititor Web/Core Guilds | Normalised VEX justification projections shipped. |
| 13 | EXCITITOR-AIAI-31-002 | DONE (2025-11-23) | Chunk unit tests pass via Core.UnitTests harness; contract validated. | Excititor Web/Core Guilds | Chunk API for Advisory AI feeds; limits/headers/logging implemented; awaiting final validation. |
| 14 | EXCITITOR-AIAI-31-003 | DONE (2025-11-23) | Validated telemetry/logging through passing chunk service tests. | Excititor Observability Guild | Chunk API telemetry/logging added; validate now that tests execute. |
| 15 | EXCITITOR-AIAI-31-004 | DONE (2025-11-23) | Docs cleared after validation; no further code changes required. | Docs Guild · Excititor Guild | Chunk API docs updated; publication to follow after 31-002 validation. |
| 16 | EXCITITOR-ATTEST-01-003 / 73-001 / 73-002 | DONE (2025-11-23) | EXCITITOR-AIAI-31-002; Evidence Bundle v1 frozen (2025-11-17) | Excititor Guild · Evidence Locker Guild | Attestation scope + payloads; proceed on frozen bundle contract. |
| 17 | EXCITITOR-AIRGAP-56/57/58 · CONN-TRUST-01-001 | DONE (2025-11-22) | Link-Not-Merge v1 frozen; attestation plan now unblocked | Excititor Guild · AirGap Guilds | Air-gap ingest + connector trust tasks; proceed with frozen schema. |
| 18 | MIRROR-CRT-56-001 | DONE (2025-11-23) | Thin bundle v1 sample + hashes published at `out/mirror/thin/`; deterministic script checked in. | Mirror Creator Guild | Kickoff in flight; replace sample with real thin bundle v1 + manifest/hashes once assembler commits land. |
| 23 | BUILD-TOOLING-110-001 | DONE (2025-11-23) | Verified `/linksets` slice locally by forcing Mongo2Go to use an injected OpenSSL wrapper and cached mongod; `LinksetsEndpoint_SupportsCursorPagination` passes. Keep wrapper in CI profile. | Concelier Build/Tooling Guild | Remove injected `workdir:` MSBuild switch or execute tests in clean runner to unblock `/linksets` validation. Action: run `tools/linksets-ci.sh` in CI and attach TRX; fallback to new agent pool if NuGet hangs. |
## Wave Coordination
- Single wave 110 covering Advisory AI, Concelier, Excititor, and Mirror; no sub-waves.
## Wave Detail Snapshots
- **110.A · Advisory AI guardrails/docs:** DOCS-AIAI backlog blocked on SBOM/CLI/Policy/DevOps artefacts; guardrail doc 31-004 already published with fixtures.
- **110.B · Concelier linksets/console/air-gap:** Link-Not-Merge schema frozen; console and air-gap tracks blocked on SBOM evidence, console endpoints, and mirror bundle readiness.
- **110.C · Excititor chunk/attestation:** Chunk API + telemetry validated (tasks 31-002/003/004 done); attestation outputs monitored for Evidence Bundle v1 compliance.
- **110.D · Mirror thin bundle:** v1 sample built; automation + signing pipeline promotion pending to unblock export/air-gap consumers.
## Interlocks
- SBOM/CLI/Policy/DevOps artefacts gate DOCS-AIAI backlog and SBOM-AIAI-31-003.
- Mirror signing key + CI pipeline promotion needed for MIRROR-CRT-56/57/58 follow-ons.
- CI runner with warm NuGet cache and OpenSSL 1.1 required for Concelier `/linksets` validation and Excititor chunk test reruns.
## Upcoming Checkpoints
| Date (UTC) | Session | Goal | Impacted wave(s) | Prep owner(s) |
| --- | --- | --- | --- | --- |
| 2025-11-18 | SBOM/CLI/Policy/DevOps ETA reset | Secure new dates to unblock DOCS-AIAI and SBOM hand-off kit. | 110.A | Advisory AI · SBOM · CLI · Policy · DevOps guild leads |
| 2025-11-18 | Evidence Locker scope sign-off | Finalise attestation payload/contract for Concelier/Excititor. | 110.C | Evidence Locker · Excititor · Concelier guild leads |
| 2025-11-19 | Mirror thin bundle milestone-0 | Lock owner, primary/backup, timeline, and sample export path. | 110.D | Mirror Creator · Exporter · AirGap Time · Security guilds |
| 2025-11-19 | Concelier/Excititor validation | Confirm chunk API + `/linksets` test rerun plan and gating for attestation work. | 110.B · 110.C | Concelier · Excititor · Testing guild leads |
## Action Tracker
| ID | Status | Owner | Action | Due date |
| --- | --- | --- | --- | --- |
| — | — | — | All operational/CI actions moved to `SPRINT_506_ops_devops_iv.md` on 2025-11-23 to keep Sprint 0110 development-only. | — |
## Decisions & Risks
### Decisions in flight
| Decision | Blocking work | Accountable owner(s) | Due date |
| --- | --- | --- | --- |
| Confirm SBOM/CLI/Policy/DevOps delivery dates (overdue; reschedule with owners) | DOCS-AIAI backlog, SBOM-AIAI-31-003, AIAI-31-008 | SBOM Service · CLI · Policy · DevOps guild leads | 2025-11-18 (rescheduled 2025-11-17) |
| Evidence Locker attestation scope sign-off | EXCITITOR-ATTEST-01-003/73-001/73-002; CONCELIER-ATTEST-73-001/002 | Evidence Locker Guild · Excititor Guild · Concelier Guild | 2025-11-19 (rescheduled 2025-11-17) |
| Publish MIRROR-CRT-56-001 milestone dates (thin bundle) | MIRROR-CRT-56/57/58; Export/CLI/AirGap Time tracks | Mirror Creator Guild | 2025-11-19 |
| Approve DOCS-AIAI-31-004 screenshot plan | Publication of console guardrail doc | Docs Guild · Console Guild | 2025-11-18 (rescheduled 2025-11-17) |
### Decisions closed (2025-11-17)
| Decision | Outcome / date | Impacted work | Owner(s) |
| --- | --- | --- | --- |
| Link-Not-Merge schema (`CONCELIER-GRAPH-21-001/002`, `CARTO-GRAPH-21-002`) | Approved; v1 frozen 2025-11-17. | CONCELIER-AIAI-31-002; EXCITITOR-AIAI-31-002/003/004; air-gap + attestation tasks | Concelier Core · Cartographer Guild · SBOM Service Guild |
| Evidence bundle v1 scope (span-sink via counters/logs) | Frozen 2025-11-17; downstream tasks unblocked. | Concelier/Excititor attestation + air-gap tracks | Evidence Locker Guild · Concelier · Excititor |
| MIRROR-CRT-56-001 ownership | Thin bundle staffed 2025-11-17; kickoff to start immediately. | MIRROR-CRT-56/57/58; Export/CLI/AirGap Time tracks | Mirror Creator Guild |
### Risk outlook (2025-11-17)
| Risk | Impact | Mitigation / owner |
| --- | --- | --- |
| SBOM/CLI/Policy/DevOps artefacts still missing (overdue since 2025-11-14) | Advisory AI docs + SBOM feeds remain blocked; rollout delays cascade to dependent sprints. | Reschedule ETAs with owners; escalate if dates not confirmed this week. |
| Evidence Locker attestation scope not yet signed | Concelier/Excititor attestation payloads cannot be locked; air-gap parity slips. | Secure scope sign-off; publish contract in Evidence bundle notes. |
| Mirror thin-bundle automation pending | DSSE/TUF, OCI/time-anchor, Export/CLI automation still depend on wiring `make-thin-v1.sh` logic into assembler/CI. | Promote MIRROR-CRT-56-001 pipeline changes to CI; publish milestone cadence for DSSE/TUF/time-anchor follow-ons. |
| Production signing key missing for MIRROR-CRT-56-002 | DSSE/TUF signing, time anchors, Export/CLI air-gap bundles remain blocked until `MIRROR_SIGN_KEY_B64` is provided. | Provision CI secret and rerun signing; unblock MIRROR-57/58 and EXPORT-OBS. |
| Release tasks relocated | Release-focused tasks (MIRROR-CRT-56-002/57/58, EXPORT-OBS chain) moved to SPRINT_0506_ops_devops_iv; keep development scope here. | Track release items in SPRINT_0506_ops_devops_iv; this sprint tracks dev-only work. |
| Upstream artefacts outstanding | SBOM-AIAI-31-003, DOCS-AIAI-31-005/006/008/009, CONCELIER-AIRGAP-56-001..58-001, CONCELIER-CONSOLE-23-001..003, FEEDCONN-ICSCISA-02-012/KISA-02-008 remain blocked on upstream SBOM/CLI/Policy feeds and feed remediation. | Need SBOM/CLI/Policy artefacts and feed remediation to proceed. |
| Connector refreshes (ICSCISA/KISA) remain overdue | Advisory AI may serve stale advisories; telemetry accuracy suffers. | Feed owners to publish remediation plan + interim mitigations. |
| Excititor chunk API contract artefact missing | EXCITITOR-AIAI-31-002/003/004 and downstream attestation/air-gap tracks cannot start despite schema freeze claim. | Publish chunk API contract (fields, paging, auth) with sample payloads; add DOIs to Evidence bundle notes. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-23 | Moved CI runner + mirror assembler promotion actions to `SPRINT_506_ops_devops_iv.md`; Sprint 0110 now tracks development deliverables only. | Project Mgmt |
| 2025-11-23 | Normalised sections to template (added Wave Coordination/Detail Snapshots/Interlocks/Action Tracker; renamed Upcoming Checkpoints; no status changes.) | Project Mgmt |
| 2025-11-23 | Added Mongo2Go wrapper that prepends OpenSSL path inside the invoked binary and reran `dotnet test src/Concelier/__Tests/StellaOps.Concelier.WebService.Tests/StellaOps.Concelier.WebService.Tests.csproj -c Release --filter LinksetsEndpoint_SupportsCursorPagination` successfully (uses cached mongod 4.4.4). BUILD-TOOLING-110-001 marked DONE. | Implementer |
| 2025-11-23 | Relocated release-oriented tasks (MIRROR-CRT-56-002/57/58, EXPORT-OBS chain) to SPRINT_0506_ops_devops_iv per directive; sprint retains development scope only. Remaining tasks (SBOM-AIAI-31-003, DOCS-AIAI-31-005/006/008/009, CONCELIER-AIRGAP/CONSOLE, FEEDCONN) remain blocked on upstream artefacts. | Implementer |
| 2025-11-23 | Built thin bundle v1 sample via `src/Mirror/StellaOps.Mirror.Creator/make-thin-v1.sh`; artifacts at `out/mirror/thin/mirror-thin-v1.tar.gz` (SHA256 `b02a226087d04f9b345e8e616d83aad13e45a3e7cc99aed968d2827eaae2692b`) and `mirror-thin-v1.manifest.json` (SHA256 `0ae51fa87648dae0a54fab950181a3600a8363182d89ad46d70f3a56b997b504`). MIRROR-CRT-56-001 set to DOING. | Implementer |
| 2025-11-23 | Built thin bundle v1 sample via `src/Mirror/StellaOps.Mirror.Creator/make-thin-v1.sh`; artifacts at `out/mirror/thin/mirror-thin-v1.tar.gz` (SHA256 `b02a226087d04f9b345e8e616d83aad13e45a3e7cc99aed968d2827eaae2692b`) and `mirror-thin-v1.manifest.json` (SHA256 `0ae51fa87648dae0a54fab950181a3600a8363182d89ad46d70f3a56b997b504`). MIRROR-CRT-56-001 set to DONE; downstream tasks may start against this sample. | Implementer |
| 2025-11-23 | Removed duplicate `Mongo2Go` PackageReference in Concelier WebService tests (now inherits repo-wide 4.1.0) to clear NU1504 warning during `/linksets` slice. | Implementer |
| 2025-11-23 | Attempted full `/linksets` suite (`dotnet test ... --filter Linksets`); build progressed but was cancelled at ~62s wall-clock to keep session responsive. No failures observed before cancel; rerun on CI recommended for full coverage. | Implementer |
| 2025-11-23 | Retried full `/linksets` suite with 180s hang timeout; build and test discovery proceeded, but run was cancelled manually at ~31s to avoid long local session. Single-case `/linksets` test remains passing; CI run still advised for full coverage. | Implementer |
| 2025-11-23 | Added repo-root detection fix so OpenSSL cache is found; added fallback external mongod launcher (ephemeral port, bundled libs). Despite this, vstest continues to drop `LD_LIBRARY_PATH` for Mongo2Go child on local runner; `/linksets` slice still fails. BUILD-TOOLING-110-001 stays BLOCKED; needs CI agent that preserves env or honors external mongod path. | Implementer |
| 2025-11-23 | Added test harness option to bypass Mongo2Go by launching a repo/local mongod with bundled OpenSSL 1.1 libs; pre-seeded binaries into repo/global caches and forced `MONGO2GO_MONGODB_BINARY`/PATH/LD_LIBRARY_PATH. Local runner still fails because vstest child ignores LD_LIBRARY_PATH; manual mongod start path not activated in this harness. BUILD-TOOLING-110-001 remains BLOCKED pending CI agent that preserves env or allows external mongod hook. | Implementer |
| 2025-11-23 | Seeded MongoDB 4.4.4 binaries + OpenSSL 1.1 libs into repo `.nuget` and global cache; patched Concelier WebService tests to extend `LD_LIBRARY_PATH` for Mongo2Go global cache. `dotnet test ... --filter LinksetsEndpoint_SupportsCursorPagination` still fails in local harness (libcrypto not picked up by Mongo2Go); BUILD-TOOLING-110-001 remains BLOCKED pending CI runner env that honors LD_LIBRARY_PATH. | Implementer |
| 2025-11-23 | Fixed Concelier WebService build breaks (duplicate using, missing telemetry meter, optional route params) and rebuilt successfully; Linksets test slice still fails to compile due to stale chunk builder/cache key test fixtures—BUILD-TOOLING-110-001 remains BLOCKED pending test updates. | Implementer |
| 2025-11-23 | Updated Linksets test fixtures to new Advisory chunk/linkset contracts; compilation now succeeds. Runtime `/linksets` tests still blocked in this environment because Mongo2Go cannot find `mongod` binary (MongoDbProcessStarter fails). BUILD-TOOLING-110-001 remains BLOCKED pending runner with Mongo bits. | Implementer |
| 2025-11-23 | Attestation verify endpoint tests now pass (`dotnet test src/Excititor/__Tests/StellaOps.Excititor.WebService.Tests/StellaOps.Excititor.WebService.Tests.csproj -c Release --filter AttestationVerifyEndpointTests`); EXCITITOR-ATTEST-01-003/73-001/73-002 marked DONE. | Implementer |
| 2025-11-23 | Added attestation verify endpoint tests and configurable TestWebApplicationFactory; test run still blocked by xUnit fixture resolution in WebService test suite (needs factory wiring cleanup). | Implementer |
| 2025-11-23 | Added Excititor Core unit test harness to bypass Razor dev runtime; updated InternalsVisibleTo and chunk service test to match implemented filtering; `dotnet test src/Excititor/__Tests/StellaOps.Excititor.Core.UnitTests/StellaOps.Excititor.Core.UnitTests.csproj -c Release --filter VexEvidenceChunkServiceTests` now passes. Marked EXCITITOR-AIAI-31-002/003/004 DONE. | Implementer |
| 2025-11-22 | Enabled Excititor chunk tests; fixed VexSignalSnapshot arg names and re-enabled VexEvidenceChunkServiceTests; ran `dotnet test src/Excititor/__Tests/StellaOps.Excititor.WebService.Tests/StellaOps.Excititor.WebService.Tests.csproj -c Release --filter EvidenceTelemetryTests` (pass, 2 tests). Marked EXCITITOR-AIAI-31-002/003/004 to TODO. | Implementer |
| 2025-11-22 | Attempted chunk filters (`--filter VexEvidence*`); tests compile but vstest still reports “no tests matched filter”. Next step: add trait/tag and rerun full suite without filter to confirm discovery. | Implementer |
| 2025-11-22 | Finalized DOCS-AIAI-31-004: published console guardrail guide using fixture captures, clarified publication checklist, and marked task DONE. | Implementer |
| 2025-11-22 | Completed AIAI-31-008: added AdvisoryAI Dockerfile + compose + Helm chart (ops/advisory-ai/*), deployment guide (`docs/modules/advisory-ai/deployment.md`), and linked README; fixed guardrail test harness and ran `dotnet test src/AdvisoryAI/__Tests/StellaOps.AdvisoryAI.Tests/StellaOps.AdvisoryAI.Tests.csproj -c Release` (pass). | Implementer |
| 2025-11-22 | Attempted `dotnet test src/Excititor/__Tests/StellaOps.Excititor.WebService.Tests/StellaOps.Excititor.WebService.Tests.csproj -c Release --filter VexEvidence`; build succeeded but no tests matched filter; EXCITITOR-AIAI-31-002/003/004 remain gated pending test discovery. | Implementer |
| 2025-11-22 | Implemented advisory evidence attestation wiring: evidence endpoint accepts bundle/manifest paths, builds claims via EvidenceBundleAttestationBuilder; added tests and set defaults for evidence bundle root. | Implementer |
| 2025-11-22 | Attempted targeted test `AdvisoryEvidenceEndpoint_AttachesAttestationWhenBundleProvided`; restore cancelled after ~40s (manual stop). Requires rerun with warm NuGet cache/CI. | Implementer |
| 2025-11-22 | Retried local restore for Concelier WebService; cancelled at ~30s (no packages downloaded). Tests remain pending CI runner. | Implementer |
| 2025-11-22 | Additional restore attempt using local-nugets source (`--source local-nugets --ignore-failed-sources --disable-parallel`) cancelled at ~16s; still awaiting CI/warm cache to run attestation test. | Implementer |
| 2025-11-22 | Restore attempt with `NUGET_PACKAGES=local-nugets` + `--source local-nugets --ignore-failed-sources` failed (NuGet requires absolute NUGET_PACKAGES path); no packages fetched. | Implementer |
| 2025-11-22 | Retried restore with absolute `NUGET_PACKAGES=$(pwd)/local-nugets`; still hanging and cancelled at ~10s (no packages downloaded). Tests remain blocked pending CI/warm cache. | Implementer |
| 2025-11-22 | Restore attempt with absolute cache + nuget.org fallback (`NUGET_PACKAGES=/mnt/e/dev/git.stella-ops.org/local-nugets --source local-nugets --source https://api.nuget.org/v3/index.json`) still stalled/cancelled after ~10s; no packages pulled. | Implementer |
| 2025-11-22 | Solution-filter restore (`concelier-webservice.slnf`, nuget.org only, absolute cache, minimal verbosity) stalled ~30s with no packages; blocked until CI runner with seeded cache is available. | Implementer |
| 2025-11-22 | Tried timeout-limited restore via `dotnet restore concelier-webservice.slnf -v minimal`; cancelled around 25s (`NuGet.targets` reported "Restore canceled!"). Still no packages fetched—attestation test remains pending a CI/warmed cache runner. | Implementer |
| 2025-11-22 | Captured diagnostic restore attempt (`dotnet restore concelier-webservice.slnf -v diag` with 60s timeout); run was aborted after extended spinner with no packages downloaded and no new log produced. Attestation test remains blocked pending CI/warm cache. | Implementer |
| 2025-11-22 | Normalized `tools/linksets-ci.sh` line endings, removed `--no-build`, and forced offline restore against `local-nugets`; restore still hangs >90s even with offline cache, run terminated. BUILD-TOOLING-110-001 remains BLOCKED pending runner with usable restore cache. | Implementer |
| 2025-11-22 | Tried seeding `local-nugets` via `dotnet restore --packages local-nugets` (online allowed); restore spinner stalled ~130s and was cancelled; NuGet targets reported “Restore canceled!”. No TRX produced; BUILD-TOOLING-110-001 still BLOCKED—needs CI runner with warm cache or diagnostic restore to pinpoint stuck feed/package. | Implementer |
| 2025-11-22 | Retried restore with dedicated cache `NUGET_PACKAGES=.nuget-cache`, sources `local-nugets` + nuget.org, `--disable-parallel --ignore-failed-sources`; spinner ran ~10s with no progress, cancelled. Still no TRX; BUILD-TOOLING-110-001 remains BLOCKED pending CI runner or verbose restore on cached agent. | Implementer |
| 2025-11-22 | Another restore attempt with `NUGET_PACKAGES=.nuget-cache` and both sources enabled ran ~19s then was cancelled (`NuGet.targets` reported "Restore canceled!"); no packages downloaded, no TRX. BUILD-TOOLING-110-001 remains BLOCKED; next step is CI runner with warm cache or `-v diag` capture to identify the stuck feed/package. | Implementer |
| 2025-11-22 | Captured 20s diagnostic restore log at `out/restore-log/linksets-restore-2025-11-22.log` (no HTTP requests observed before timeout). Restore still stalls pre-fetch; suggests resolver/startup hang. BUILD-TOOLING-110-001 remains BLOCKED pending CI runner with warm cache or longer `-v diag` on capable agent. | Implementer |
| 2025-11-22 | Ran 60s diag restore with `DOTNET_SKIP_WORKLOAD_INVENTORY=1`, `--disable-parallel`; log at `out/restore-log/linksets-restore-2025-11-22-60s.log` shows no outbound HTTP before timeout (stall occurs during MSBuild evaluation). Still BLOCKED; needs CI agent with warm cache or deeper MSBuild tracing. | Implementer |
| 2025-11-22 | Attempted 60s restore with binary log (`/bl`) to capture MSBuild stall; run hung and harness aborted before binlog was written. Still BLOCKED locally; action remains to execute on CI runner with warm cache and capture full `/bl` output. | Implementer |
| 2025-11-22 | Documented Concelier advisory attestation endpoint parameters and safety rules (`docs/modules/concelier/attestation.md`); linked from module architecture. | Implementer |
| 2025-11-22 | Published Excititor air-gap + connector trust prep (`docs/modules/excititor/prep/2025-11-22-airgap-56-58-prep.md`), defining import envelope, error catalog, timeline hooks, and signer validation; marked EXCITITOR-AIRGAP-56/57/58 · CONN-TRUST-01-001 DONE. | Implementer |
| 2025-11-20 | Completed PREP-FEEDCONN-ICSCISA-02-012-KISA-02-008-FEED: published remediation schedule + hashes at `docs/modules/concelier/prep/2025-11-20-feeds-icscisa-kisa-prep.md`; status set to DONE. | Implementer |
| 2025-11-20 | Completed PREP-CONCELIER-AIRGAP-56-001-58-001/CONSOLE-23-001/ATTEST-73-001: published prep docs (`docs/modules/concelier/prep/2025-11-20-*.md`); statuses set to DONE. | Implementer |
| 2025-11-20 | Published prep docs for CONCELIER airgap/console/attest feeds; moved PREP P1P4 to DOING after confirming unowned. | Project Mgmt |
| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
| 2025-11-19 | Reconfirmed SBOM-AIAI-31-003, DOCS-AIAI-31-005/006/008/009, CONCELIER air-gap/console/attest, and FEEDCONN-ICSCISA/KISA tracks remain BLOCKED pending CLI-VULN/CLI-VEX artefacts, Evidence Locker attestation scope, console fixtures, mirror thin bundle, and feed remediation plan (PREP-FEEDCONN-ICS-KISA-PLAN). | Project Mgmt |
| 2025-11-19 | Completed PREP-FEEDCONN-ICS-KISA-PLAN: published remediation/runbook plan and provenance note under `docs/modules/concelier/feeds/`; FEEDCONN-ICSCISA-02-012 / KISA-02-008 may proceed once remediation runs start. | Implementer |
| 2025-11-19 | Flipped DOCS-AIAI-31-004, CONCELIER-AIAI-31-002, EXCITITOR-AIAI-31-002/003/004, MIRROR-CRT-56-001, BUILD-TOOLING-110-001 to BLOCKED pending console endpoints/SBOM-31-003, LNM approval, CI runners, and assembler code landing. | Implementer |
| 2025-11-19 | Ran `tools/linksets-ci.sh`; build succeeded but no TRX produced (tests not discovered). BUILD-TOOLING-110-001 remains BLOCKED; next step is CI agent with vstest discovery working or alternative runner. | Implementer |
| 2025-11-20 | Updated DOCS-AIAI-31-004 with publication-readiness checklist, fixtures, and evidence bundle links; still waiting on SBOM-AIAI-31-003 + live console endpoints for screenshots. | Implementer |
| 2025-11-20 | Retried `tools/linksets-ci.sh`; tests now discover but Mongo2Go fails to start (missing `libcrypto.so.1.1` in runner). Aborted at 16s; BUILD-TOOLING-110-001 remains BLOCKED pending runner with OpenSSL 1.1 libs. | Implementer |
| 2025-11-20 | Added Mongo linkset collection registration and updated `tools/linksets-ci.sh` to seed `LD_LIBRARY_PATH` with vendored OpenSSL 1.1. Rerun: mongod starts, tests execute but fail on missing `IMongoCollection<AdvisoryLinksetDocument>` before the registration fix; rerun in CI should proceed further. | Implementer |
| 2025-11-20 | Completed PREP-CONN-METADATA-01: published signer metadata schema (`docs/modules/excititor/schemas/connector-signer-metadata.schema.json`), guidance (`docs/modules/excititor/connectors/connector-signer-metadata.md`), and sample + hash (`docs/samples/excititor/connector-signer-metadata-sample.json[.sha256]`). | Implementer |
| 2025-11-19 | Retried `dotnet test ... --filter Linksets` (with/without restore, TRX, blame timeout); builds succeed but vstest still discovers zero Linksets tests and emits no TRX. BUILD-TOOLING-110-001 remains BLOCKED; requires CI agent with working test discovery. | Implementer |
| 2025-11-19 | Packaged `StellaOps.Policy.AuthSignals` 0.1.0-alpha into `local-nugets/` for CONCELIER/POLICY/EXCITITOR consumers. | Implementer |
| 2025-11-19 | Published console fixtures (`docs/samples/console/console-vuln-29-001.json`, `console-vex-30-001.json`) so DOCS-AIAI-31-004 can proceed while awaiting SBOM evidence. | Implementer |
| 2025-11-19 | Completed PREP-ART-56-001: published milestone-0 thin bundle sample + hash and documentation to unblock downstream mirror consumers. | Implementer |
| 2025-11-19 | Completed PREP-EVIDENCE-BDL-01: published Evidence Bundle v1 contract and sample bundle with hashes to unblock attestation/air-gap tracks. | Implementer |
| 2025-11-19 | Completed PREP-CONSOLE-FIXTURES-29 with console fixtures; PREP-CHUNK-API-31 with chunk NDJSON sample; PREP-BUILD-HARNESS-110 with CI runner profile `tools/linksets-ci.sh`. | Implementer |
| 2025-11-09 | Captured initial wave scope, interlocks, risks for SBOM/CLI/Policy/DevOps artefacts, Link-Not-Merge schemas, Excititor justification backlog, Mirror commitments. | Sprint 110 leads |
| 2025-11-13 | Refreshed tracker ahead of 1415 Nov checkpoints; outstanding asks: SBOM/CLI/Policy/DevOps ETAs, Link-Not-Merge approval, Mirror staffing. | Sprint 110 leads |
| 2025-11-16 | Updated task board: marked Advisory AI packaging, Concelier air-gap/console/attestation tracks, Excititor chunk/attestation/air-gap tracks, and all Mirror tracks as BLOCKED pending schema approvals, Evidence Locker contract, Mirror staffing decisions. | Implementer |
| 2025-11-17 | Applied coordinator decisions: Link-Not-Merge v1 frozen; Evidence bundle v1 frozen; span-sink permitted via counters/logs; Mirror thin bundle staffed; flipped dependent tasks to TODO. | Coordinator |
| 2025-11-17 | Added deterministic ordering + cursor paging tests for `ConcelierMongoLinksetStore` (createdAt desc, advisoryId asc) to de-risk `/linksets` evidence paging. | Concelier Guild |
| 2025-11-17 | Verified linkset paging determinism via `dotnet test ... --filter ConcelierMongoLinksetStoreTests --no-build` (pass, 4 tests, 6.3s). | Concelier Guild |
| 2025-11-17 | Targeted Mongo linkset store tests passing; WebService `/linksets` integration tests remain pending runner fix. | Concelier Guild |
| 2025-11-17 | WebService `/linksets` integration tests now passing (`dotnet test ...WebService.Tests.csproj --filter Linksets --no-build`). | Concelier Guild |
| 2025-11-18 | Added migration `EnsureAdvisoryLinksetsTenantLowerMigration` to lowercase tenant ids; added unit test; targeted storage tests passing (migration + linkset store). Full storage suite cancelled after partial run to save time. | Concelier Guild |
| 2025-11-16 | Drafted LNM schema + samples (`docs/modules/concelier/link-not-merge-schema.md`, `docs/samples/lnm/*`); moved CONCELIER-AIAI-31-002 to DOING pending review; added migration + tests to Mongo storage. | Implementer |
| 2025-11-17 | Wired LNM ingestion writes: observations+linksets persisted via Mongo sinks, WebService DI updated, build green. Next: expose read APIs and backfill. | Implementer |
| 2025-11-17 | Added cursor-paged `/linksets` API with normalized purls/versions; implemented linkset lookup/paging + unit test coverage. | Implementer |
| 2025-11-17 | Persisted normalized linksets (purls/versions) in ingestion/backfill; added /linksets integration tests for normalized fields and cursor paging. Full solution test run aborted mid-build; rerun targeted Concelier WebService tests. | Implementer |
| 2025-11-17 | Targeted `/linksets` WebService tests (Linksets filter) now passing via `dotnet test src/Concelier/__Tests/StellaOps.Concelier.WebService.Tests/... --filter Linksets` (no-build). | Implementer |
| 2025-11-17 | Second attempt to run `/linksets` tests with response files disabled still hit `--nologo,workdir:` switch injection; no tests executed. | Implementer |
| 2025-11-17 | Added local `tools/dotnet-filter.sh` to strip injected `workdir:` from MSBuild args; test run now progresses but full build still long/unfinished in local session. | Implementer |
| 2025-11-17 | Cleared `src/__Libraries/StellaOps.Configuration/obj` NuGet props collision; reran targeted `StellaOps.Concelier.WebService.Tests` `Linksets` filter via `tools/dotnet-filter.sh`. Build/restore now proceeds but remains multi-minute locally; tests still pending until a cached/CI runner is used. | Implementer |
| 2025-11-17 | Reran WebService slice with `tools/dotnet-filter.sh`; fixed Storage.Mongo observation DI/upsert, rebuilt `StellaOps.Concelier.Storage.Mongo` clean. `/linksets` tests still blocked locally by vstest rejecting the test DLL argument; need CI runner to execute. | Implementer |
| 2025-11-17 | Full `dotnet-filter.sh test` (Linksets) still fails: vstest reports test source DLL missing and `bin/Debug/net10.0` remains empty despite successful build; local harness limitation persists. Next: run in CI/clean runner. | Implementer |
| 2025-11-18 | Consolidated Excititor linkset observation refs under `VexLinksetObservationRefModel`; Excititor Core/WebService test projects now build clean locally, but vstest still misroutes to Concelier DLL so chunk tests remain unrun. | Implementer |
| 2025-11-18 | Retried chunk endpoint tests; local harness continues to treat Concelier DLL as test source even after clean builds; CI runner required to execute `VexEvidence*`. | Implementer |
| 2025-11-18 | Another targeted `Linksets*` run shows vstest still refusing the DLL path (test artifacts not emitted locally). No new code changes; action remains to execute on CI runner that preserves build outputs. | Implementer |
| 2025-11-18 | Aligned Excititor `/v1/vex/evidence/chunks` limits with spec (default 500, max 2000) in Program.cs; code change only, no behavior beyond limit bounds. | Implementer |
| 2025-11-18 | Updated Excititor evidence endpoints to emit `Excititor-Results-{Total,Truncated}` headers (was `X-*`); matches doc + tests for chunks stream. | Implementer |
| 2025-11-18 | Attempted Excititor `VexEvidenceChunkServiceTests` (and solution filter) but local harness still routes vstest to missing Concelier test DLL; no tests executed. Need CI/clean runner to validate chunk API. | Implementer |
| 2025-11-17 | Added test-only linkset fixtures (`AdvisoryLinksetDocument`, normalized/payload DTOs) to satisfy `/linksets` WebService tests; reran filtered tests via `tools/dotnet-filter.sh`—build succeeds, run canceled locally due to duration; CI runner needed for results. | Implementer |
| 2025-11-17 | Added test-only `AdvisoryLinksetDocument` fixture and cleaned/rebuilt Concelier Storage; started `/linksets` slice again via `tools/dotnet-filter.sh`, cancelled after build success due to long local runtime. | Implementer |
| 2025-11-17 | Attempted `--no-build --filter Linksets*` and direct `dotnet vstest`; local build emits only coverage maps (no test DLL), vstest reports missing source. Marked `/linksets` execution blocked pending CI runner. | Implementer |
| 2025-11-18 | Added missing `AdvisoryObservationLinksetAggregate` record + scope/relationship wiring; cleaned Core/Storage builds. `dotnet test --filter Linksets*` still in progress locally (multiple runners active); expect CI run to finalize. | Implementer |
| 2025-11-17 | Attempted single-case `/linksets` run (`--filter LinksetsEndpoint_ReturnsNormalizedLinksetsFromIngestion` + `--no-build`); vstest still hangs post-restore and requires manual cancel. Tests remain unexecuted locally; defer to CI runner. | Implementer |
| 2025-11-17 | Refreshed Decisions/Risks: closed LNM/evidence bundle/mirror staffing items; flagged SBOM/CLI/Policy/DevOps ETAs and Evidence Locker scope as overdue; dated risk outlook to 2025-11-17. | Planning |
| 2025-11-17 | Created BUILD-TOOLING-110-001 to strip `workdir:` arg and queued `/linksets` retest after fix; requested MIRROR-CRT-56-001 milestone dates for 2025-11-19 checkpoint. | Planning |
| 2025-11-17 | Rescheduled overdue decision due dates (SBOM/CLI/Policy/DevOps ETAs, Evidence Locker scope, DOCS-AIAI screenshots) to 2025-11-18/19, moved MIRROR-CRT-56-001 to DOING, and set fresh checkpoints for the week. | Planning |
| 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_110_ingestion_evidence.md` to `SPRINT_0110_0001_0001_ingestion_evidence.md`; no semantic changes. | Planning |
| 2025-11-17 | EXCITITOR-AIAI-31-002 marked BLOCKED pending published chunk API contract (fields/paging/auth) and sample payloads aligned to frozen LNM/evidence bundle. | Implementer |
| 2025-11-17 | Attempted `tools/dotnet-filter.sh test src/Concelier/__Tests/StellaOps.Concelier.WebService.Tests/StellaOps.Concelier.WebService.Tests.csproj --filter Linksets`; fixed missing `AdvisoryLinksetNormalizedDocument` using/import and added `ReconciledFrom` arg, then reran. Build and restore succeeded, but vstest still rejects the test DLL as “invalid test source”; tests not executed. BUILD-TOOLING-110-001 remains DOING. | Implementer |
| 2025-11-17 | Tried `dotnet test ... --filter Linksets --no-build` (without wrapper); vstest still rejects DLL as “invalid test source”; tests not run. | Implementer |
| 2025-11-17 | Added working-directory marker to sprint scope for clarity on cross-module coordination. | Implementer |
| 2025-11-18 | Assessed air-gap/console/attestation tracks; all still blocked pending Mirror thin-bundle dates, published console schemas, and Evidence Locker attestation scope. Updated Delivery Tracker statuses accordingly. | Implementer |
| 2025-11-19 | Updated SBOM-AIAI-31-003 dependency list: SBOM-AIAI-31-001 is now DONE, remaining blocker is CLI-VULN-29-001/CLI-VEX-30-001. | Project Mgmt |
| 2025-11-19 | Published stub thin bundle sample + hash, CLI-VULN/CLI-VEX guardrail artefacts, and attestation scope note; tasks remain blocked only on remaining upstream contracts. | Project Mgmt |
| 2025-11-20 | Added EvidenceBundleAttestationBuilder + DI registration and unit tests (builder harness) for CONCELIER-ATTEST-73-001/002; vstest harness still failing locally (invalid test source). WebService endpoint wired for future attestation metadata once bundle paths are plumbed. | Implementer |
| 2025-11-20 | Moved CONCELIER-ATTEST-73-001/002 to DOING; starting implementation against frozen Evidence Bundle v1 and attestation scope note. Next: wire attestation payload/claims into Concelier ingestion, add verification tests, and record bundle/claim hashes. | Implementer |
## Appendix
- Detailed coordination artefacts, contingency playbook, and historical notes live at `docs/implplan/archived/SPRINT_110_ingestion_evidence_2025-11-13.md`.

63
docs/implplan/archived/SPRINT_0112_0001_0001_concelier_i.md Normal file
View File

@@ -0,0 +1,63 @@
# Sprint 0112-0001-0001 · Concelier I — Canonical Evidence & Provenance (Rebaseline 2025-11-13)
## Topic & Scope
- Deliver canonical advisory chunks with provenance anchors so Advisory AI consumes source-true data (no merge transforms) with deterministic ordering and cache keys.
- Keep Concelier aligned with competitor schemas (GHSA GraphQL, Red Hat CVE API, Cisco PSIRT openVuln) while remaining offline-capable and attestation-ready.
- Prepare mirror/offline provenance paths and transparency metadata so Attestor and Console surfaces can expose document-id + observation-path handles.
- Working directory: `src/Concelier` (WebService + Core libraries).
### Canonical model commitments (unchanged)
- `/advisories/{key}/chunks` render from the canonical `Advisory` aggregate (document id + latest observation set) only.
- Each structured field cites both the Mongo `_id` of the backing observation and the JSON Pointer into that observation (`observationPath`).
- Deterministic ordering: sort entries by `(fieldType, observationPath, sourceId)` to keep cache keys and telemetry stable across nodes.
- Continue mapping competitor field names to keep migrations predictable.
## Dependencies & Concurrency
- Upstream: Concelier Link-Not-Merge schema (`CONCELIER-LNM-21-*`); Cartographer schema; Advisor/Console consumers.
- Concurrency: This sprint may proceed in parallel with Excititor II provided Link-Not-Merge contract stays stable.
## Documentation Prerequisites
- `docs/modules/concelier/architecture.md`
- `docs/modules/concelier/operations/cache.md`
- `docs/modules/concelier/implementation_plan.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CONCELIER-LNM-21-001 | DONE (2025-11-22) | Await Cartographer schema. | Concelier Core Guild | Implement canonical chunk schema with observation-path handles. |
| 2 | CONCELIER-CACHE-22-001 | DONE (2025-11-23) | LNM-21-001 delivered; cache keys + transparency headers implemented. | Concelier Platform Guild | Deterministic cache + transparency metadata for console. |
| 3 | CONCELIER-MIRROR-23-001-DEV | DONE (2025-11-23) | Dev mirror path documented and sample generator provided (`docs/modules/concelier/mirror-export.md`); uses existing endpoints with unsigned dev bundle layout. | Concelier + Attestor Guilds | Implement mirror/offline provenance path for advisory chunks (schema, handlers, tests). |
| 3b | DEVOPS-MIRROR-23-001-REL | BLOCKED (Release/DevOps only) | Move to DevOps release sprint; awaits CI signing/publish lanes and Attestor mirror contract. Not a development blocker. | DevOps Guild · Security Guild | Wire CI/release jobs to publish signed mirror/offline provenance artefacts for advisory chunks. |
## Action Tracker
| Focus | Action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| Schema | Finalize canonical chunk schema | Concelier Core | 2025-11-18 | DONE (2025-11-22) |
| Cache | Define deterministic cache keys | Concelier Platform | 2025-11-19 | TODO (schema available; proceed with key plan) |
| Provenance | Mirror/attestor alignment | Concelier + Attestor | 2025-11-20 | TODO (dev scope only; release wiring moved to DevOps task 3b) |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-16 | Sprint draft restored after accidental deletion; content from HEAD restored. | Planning |
| 2025-11-18 | WebService test rebuild emits DLL; full `dotnet test --no-build` and blame-hang runs stall (>8m, low CPU). Saved test list to `tmp/ws-tests.list`; hang investigation needed before progressing AIAI-31-002. | Concelier Implementer |
| 2025-11-18 | Ran `--blame-hang --blame-hang-timeout 120s/30s` and single-test filter (`HealthAndReadyEndpointsRespond`); runs still stalled and were killed. Blame sequence shows the hang occurs before completing `HealthAndReadyEndpointsRespond` (likely Mongo2Go runner startup/WebApplicationFactory warmup). No TRX produced; sequence at `src/Concelier/__Tests/StellaOps.Concelier.WebService.Tests/TestResults/c6c5e036-d68b-402a-b676-d79b32c128c0/Sequence_bee8d66e585b4954809e99aed4b75a9f.xml`. | Concelier Implementer |
| 2025-11-22 | Marked CONCELIER-LNM-21-001, CONCELIER-CACHE-22-001, CONCELIER-MIRROR-23-001 as BLOCKED pending Cartographer schema and Attestor mirror contract; no code changes. | Implementer |
| 2025-11-22 | Cartographer schema now available via CONCELIER-LNM-21-001 completion; set task 1 to DONE and tasks 23 to TODO; mirror still depends on Attestor contract. | Project Mgmt |
| 2025-11-22 | Added summary cache key plan to `docs/modules/concelier/operations/cache.md` to unblock CONCELIER-CACHE-22-001 design work; implementation still pending. | Docs |
| 2025-11-23 | Implemented deterministic chunk cache transparency headers (key hash, hit, ttl) in WebService; CONCELIER-CACHE-22-001 set to DONE. | Concelier Platform |
| 2025-11-23 | Split mirror work: 23-001-DEV remains here (schema/handlers/tests); release publishing moved to DEVOPS-MIRROR-23-001-REL (DevOps sprint, not a dev blocker). | Project Mgmt |
| 2025-11-23 | Documented dev mirror/export path and sample generator at `docs/modules/concelier/mirror-export.md`; CONCELIER-MIRROR-23-001-DEV marked DONE. | Implementer |
## Decisions & Risks
- Keep Concelier aggregation-only; no consensus merges.
- Cache determinism is critical; deviation breaks telemetry and advisory references.
- Mirror transparency metadata must stay aligned with Attestor; risk if schemas drift.
- Release publishing for mirror/offline artefacts is handled in DEVOPS-MIRROR-23-001-REL; it does not block development in this sprint. Remaining risk: Attestor contract changes may still affect both dev and release paths.
## Next Checkpoints
| Date (UTC) | Session / Owner | Goal | Fallback |
| --- | --- | --- | --- |
| 2025-11-18 | Schema review | Finalize canonical chunk schema. | Approve partial shape if Cartographer lags. |
| 2025-11-19 | Cache review | Lock deterministic cache keys. | Use feature flags for rollout. |
| 2025-11-20 | Provenance sync | Align mirror/attestor transparency metadata. | Ship draft with clear TBD flags. |