Merge branch 'main' of https://git.stella-ops.org/stella-ops.org/git.stella-ops.org

2026-01-06 21:03:06 +02:00
parent 8cb2bc677a 4789027317
commit 05833e0af2
841 changed files with 15706 additions and 68106 deletions
--- a/src/Scanner/__Libraries/StellaOps.Scanner.Advisory/AGENTS.md
+++ b/src/Scanner/__Libraries/StellaOps.Scanner.Advisory/AGENTS.md
@@ -13,7 +13,7 @@ Provide advisory feed integration and offline bundles for CVE-to-symbol mapping
 - `docs/modules/platform/architecture-overview.md`
 - `docs/modules/scanner/architecture.md`
 - `docs/modules/concelier/architecture.md`
- `docs/reachability/slice-schema.md`
+- `docs/modules/reach-graph/guides/slice-schema.md`

 ## Working Directory & Boundaries
 - Primary scope: `src/Scanner/__Libraries/StellaOps.Scanner.Advisory/`
--- a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/StellaOps.Scanner.Analyzers.Lang.Python.csproj
+++ b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/StellaOps.Scanner.Analyzers.Lang.Python.csproj
@@ -8,6 +8,10 @@
    <EnableDefaultItems>false</EnableDefaultItems>
  </PropertyGroup>

+  <ItemGroup>
+    <InternalsVisibleTo Include="StellaOps.Scanner.Analyzers.Lang.Python.Tests" />
+  </ItemGroup>
+
  <ItemGroup>
    <Compile Include="**\*.cs" Exclude="obj\**;bin\**" />
    <EmbeddedResource Include="**\*.json" Exclude="obj\**;bin\**" />
--- a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/SecretsAnalyzer.cs
+++ b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Secrets/SecretsAnalyzer.cs
@@ -85,7 +85,11 @@ public sealed class SecretsAnalyzer : ILanguageAnalyzer
                    continue;
                }

+<<<<<<< HEAD
                var evidence = SecretLeakEvidence.FromMatch(match, _masker, _ruleset, _timeProvider);
+=======
+                var evidence = SecretLeakEvidence.FromMatch(match, _masker, _ruleset!, _timeProvider);
+>>>>>>> 47890273170663b2236a1eb995d218fe5de6b11a
                findings.Add(evidence);
            }
        }
--- a/src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/AGENTS.md
+++ b/src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/AGENTS.md
@@ -12,8 +12,8 @@ Provide deterministic call graph extraction for supported languages and native b
 - `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
 - `docs/modules/platform/architecture-overview.md`
 - `docs/modules/scanner/architecture.md`
- `docs/reachability/DELIVERY_GUIDE.md`
- `docs/reachability/binary-reachability-schema.md`
+- `docs/modules/reach-graph/guides/DELIVERY_GUIDE.md`
+- `docs/modules/reach-graph/guides/binary-reachability-schema.md`

 ## Working Directory & Boundaries
 - Primary scope: `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/`
--- a/src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/AGENTS.md
+++ b/src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/AGENTS.md
@@ -156,7 +156,7 @@ Located in `Risk/`:
 - `docs/modules/scanner/architecture.md`
 - `docs/modules/platform/architecture-overview.md`
 - `docs/modules/scanner/operations/entrypoint-problem.md`
- `docs/reachability/function-level-evidence.md`
+- `docs/modules/reach-graph/guides/function-level-evidence.md`

 ## Working Agreement
 - 1. Update task status to `DOING`/`DONE` in both correspoding sprint file `/docs/implplan/SPRINT_*.md` and the local `TASKS.md` when you start or finish work.
--- a/src/Scanner/__Libraries/StellaOps.Scanner.Reachability/AGENTS.md
+++ b/src/Scanner/__Libraries/StellaOps.Scanner.Reachability/AGENTS.md
@@ -12,9 +12,9 @@ Deliver deterministic reachability analysis, slice generation, and evidence arti
 - `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
 - `docs/modules/platform/architecture-overview.md`
 - `docs/modules/scanner/architecture.md`
- `docs/reachability/DELIVERY_GUIDE.md`
- `docs/reachability/slice-schema.md`
- `docs/reachability/replay-verification.md`
+- `docs/modules/reach-graph/guides/DELIVERY_GUIDE.md`
+- `docs/modules/reach-graph/guides/slice-schema.md`
+- `docs/modules/reach-graph/guides/replay-verification.md`

 ## Working Directory & Boundaries
 - Primary scope: `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/`
--- a/src/Scanner/__Libraries/StellaOps.Scanner.Reachability/SUBGRAPH_EXTRACTION.md
+++ b/src/Scanner/__Libraries/StellaOps.Scanner.Reachability/SUBGRAPH_EXTRACTION.md
@@ -225,7 +225,7 @@ If no entry points detected:

 Sinks are vulnerable functions identified by CVE-to-symbol mapping.

-**Data Source:** `IVulnSurfaceService` (see `docs/reachability/cve-symbol-mapping.md`)
+**Data Source:** `IVulnSurfaceService` (see `docs/modules/reach-graph/guides/cve-symbol-mapping.md`)

 ### 4.2 CVE→Symbol Mapping Flow

@@ -643,9 +643,9 @@ public async Task ExtractSubgraph_WithSameInputs_ProducesSameHash(string fixture

 - **Sprint:** `docs/implplan/SPRINT_3500_0001_0001_proof_of_exposure_mvp.md`
 - **Advisory:** `docs/product-advisories/23-Dec-2026 - Binary Mapping as Attestable Proof.md`
- **Reachability Docs:** `docs/reachability/function-level-evidence.md`, `docs/reachability/lattice.md`
+- **Reachability Docs:** `docs/modules/reach-graph/guides/function-level-evidence.md`, `docs/modules/reach-graph/guides/lattice.md`
 - **EntryTrace:** `docs/modules/scanner/operations/entrypoint-static-analysis.md`
- **CVE Mapping:** `docs/reachability/cve-symbol-mapping.md`
+- **CVE Mapping:** `docs/modules/reach-graph/guides/cve-symbol-mapping.md`

 ---

--- a/src/Scanner/__Libraries/StellaOps.Scanner.Runtime/AGENTS.md
+++ b/src/Scanner/__Libraries/StellaOps.Scanner.Runtime/AGENTS.md
@@ -13,8 +13,8 @@ Capture and normalize runtime trace evidence (eBPF/ETW) and merge it with static
 - `docs/modules/platform/architecture-overview.md`
 - `docs/modules/scanner/architecture.md`
 - `docs/modules/zastava/architecture.md`
- `docs/reachability/runtime-facts.md`
- `docs/reachability/runtime-static-union-schema.md`
+- `docs/modules/reach-graph/guides/runtime-facts.md`
+- `docs/modules/reach-graph/schemas/runtime-static-union-schema.md`

 ## Working Directory & Boundaries
 - Primary scope: `src/Scanner/__Libraries/StellaOps.Scanner.Runtime/`
--- a/src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/AGENTS.md
+++ b/src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/AGENTS.md
@@ -12,7 +12,7 @@ Package and store reachability slice artifacts as OCI artifacts with determinist
 - `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
 - `docs/modules/platform/architecture-overview.md`
 - `docs/modules/scanner/architecture.md`
- `docs/reachability/binary-reachability-schema.md`
+- `docs/modules/reach-graph/guides/binary-reachability-schema.md`
 - `docs/24_OFFLINE_KIT.md`

 ## Working Directory & Boundaries
--- a/src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/AGENTS.md
+++ b/src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/AGENTS.md
@@ -12,7 +12,7 @@ Build and serve vulnerability surface data for CVE and package-level symbol mapp
 - `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
 - `docs/modules/platform/architecture-overview.md`
 - `docs/modules/scanner/architecture.md`
- `docs/reachability/slice-schema.md`
+- `docs/modules/reach-graph/guides/slice-schema.md`

 ## Working Directory & Boundaries
 - Primary scope: `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/`