stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

refactor(jobengine): delete TaskRunner service

Browse Source 
- Remove TaskRunner source, tests, libraries (3 directories)
- Remove from compose, services-matrix, nginx, hosts, smoke tests
- Remove CLI commands, UI references, Authority scopes
- Remove docs, OpenAPI spec, QA state files
- Leave task_runner_id DB columns as nullable legacy
- PacksRegistry preserved (independent service)
- Eliminates 2 containers (taskrunner-web + taskrunner-worker)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
2026-04-08 14:11:20 +03:00
parent 80c33d3c59
commit 0e25344bd7
208 changed files with 57 additions and 29942 deletions
Download Patch File Download Diff File Expand all files Collapse all files

886
docs/api/taskrunner-openapi.yaml
View File

@@ -1,886 +0,0 @@
# OpenAPI 3.1 specification for StellaOps TaskRunner WebService
openapi: 3.1.0
info:
title: StellaOps TaskRunner API
version: 0.1.0-draft
description: |
Contract for TaskRunner service covering pack runs, simulations, logs, artifacts, and approvals.
Uses the platform error envelope and tenant header `X-StellaOps-Tenant`.
## Streaming Endpoints
The `/runs/{runId}/logs` endpoint returns logs in NDJSON (Newline Delimited JSON) format
for efficient streaming. Each line is a complete JSON object.
## Control Flow Steps
TaskPacks support the following step kinds:
- **run**: Execute an action using a builtin or custom executor
- **parallel**: Execute child steps concurrently with optional maxParallel limit
- **map**: Iterate over items and execute a template step for each
- **loop**: Iterate with items expression, range, or static list
- **conditional**: Branch based on condition expressions
- **gate.approval**: Require manual approval before proceeding
- **gate.policy**: Evaluate policy and optionally require override approval
servers:
- url: https://taskrunner.stellaops.example.com
description: Production
- url: https://taskrunner.dev.stellaops.example.com
description: Development
security:
- oauth2: [taskrunner.viewer]
- oauth2: [taskrunner.operator]
- oauth2: [taskrunner.admin]
paths:
/v1/task-runner/simulations:
post:
summary: Simulate a task pack
description: |
Validates a task pack manifest, creates an execution plan, and simulates the run
without actually executing any steps. Returns the simulation result showing which
steps would execute, which are skipped, and which require approvals.
operationId: simulateTaskPack
tags: [Simulations]
parameters:
- $ref: '#/components/parameters/Tenant'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/SimulationRequest'
examples:
basic-simulation:
summary: Basic simulation request
value:
manifest: |
apiVersion: stellaops.io/pack.v1
kind: TaskPack
metadata:
name: scan-deploy
version: 1.0.0
spec:
inputs:
- name: target
type: string
required: true
sandbox:
mode: sealed
egressAllowlist: []
cpuLimitMillicores: 100
memoryLimitMiB: 128
quotaSeconds: 60
slo:
runP95Seconds: 300
approvalP95Seconds: 900
maxQueueDepth: 100
steps:
- id: scan
run:
uses: builtin:scanner
with:
target: "{{ inputs.target }}"
inputs:
target: "registry.example.com/app:v1.2.3"
responses:
'200':
description: Simulation completed
content:
application/json:
schema:
$ref: '#/components/schemas/SimulationResponse'
examples:
simulation-result:
value:
planHash: "sha256:a1b2c3d4e5f6..."
failurePolicy:
maxAttempts: 1
backoffSeconds: 0
continueOnError: false
steps:
- id: scan
templateId: scan
kind: Run
enabled: true
status: Pending
uses: "builtin:scanner"
children: []
outputs: []
hasPendingApprovals: false
'400':
description: Invalid manifest or inputs
content:
application/json:
schema:
$ref: '#/components/schemas/PlanErrorResponse'
default:
$ref: '#/components/responses/Error'
/v1/task-runner/runs:
post:
summary: Create a pack run
description: |
Creates a new pack run from a task pack manifest. The run is scheduled for execution
and will proceed through its steps. If approval gates are present, the run will pause
at those gates until approvals are granted.
operationId: createPackRun
tags: [Runs]
parameters:
- $ref: '#/components/parameters/Tenant'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateRunRequest'
examples:
create-run:
summary: Create a new run
value:
runId: "run-20251206-001"
manifest: |
apiVersion: stellaops.io/pack.v1
kind: TaskPack
metadata:
name: deploy-app
version: 2.0.0
spec:
sandbox:
mode: sealed
egressAllowlist: []
cpuLimitMillicores: 200
memoryLimitMiB: 256
quotaSeconds: 120
slo:
runP95Seconds: 600
approvalP95Seconds: 1800
maxQueueDepth: 50
approvals:
- id: security-review
grants: [packs.approve]
steps:
- id: build
run:
uses: builtin:build
- id: approval
gate:
approval:
id: security-review
message: "Security review required before deploy"
- id: deploy
run:
uses: builtin:deploy
tenantId: "tenant-prod"
responses:
'201':
description: Run created
headers:
Location:
description: URL of the created run
schema:
type: string
content:
application/json:
schema:
$ref: '#/components/schemas/RunStateResponse'
'400':
description: Invalid manifest or inputs
content:
application/json:
schema:
$ref: '#/components/schemas/PlanErrorResponse'
'409':
description: Run ID already exists
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorEnvelope'
default:
$ref: '#/components/responses/Error'
/v1/task-runner/runs/{runId}:
get:
summary: Get run state
description: |
Returns the current state of a pack run, including status of all steps,
failure policy, and timing information.
operationId: getRunState
tags: [Runs]
parameters:
- $ref: '#/components/parameters/Tenant'
- $ref: '#/components/parameters/RunId'
responses:
'200':
description: Run state
content:
application/json:
schema:
$ref: '#/components/schemas/RunStateResponse'
examples:
running:
summary: Run in progress
value:
runId: "run-20251206-001"
planHash: "sha256:a1b2c3d4..."
failurePolicy:
maxAttempts: 2
backoffSeconds: 30
continueOnError: false
createdAt: "2025-12-06T10:00:00Z"
updatedAt: "2025-12-06T10:05:00Z"
steps:
- stepId: build
kind: Run
enabled: true
continueOnError: false
status: Succeeded
attempts: 1
lastTransitionAt: "2025-12-06T10:02:00Z"
- stepId: approval
kind: GateApproval
enabled: true
continueOnError: false
approvalId: security-review
gateMessage: "Security review required before deploy"
status: Pending
attempts: 0
statusReason: "awaiting-approval"
- stepId: deploy
kind: Run
enabled: true
continueOnError: false
status: Pending
attempts: 0
'404':
description: Run not found
default:
$ref: '#/components/responses/Error'
/v1/task-runner/runs/{runId}/logs:
get:
summary: Stream run logs
description: |
Returns run logs as a stream of NDJSON (Newline Delimited JSON) entries.
Each line is a complete JSON object representing a log entry with timestamp,
level, event type, message, and optional metadata.
**Content-Type**: `application/x-ndjson`
operationId: streamRunLogs
tags: [Logs]
parameters:
- $ref: '#/components/parameters/Tenant'
- $ref: '#/components/parameters/RunId'
responses:
'200':
description: Log stream
content:
application/x-ndjson:
schema:
$ref: '#/components/schemas/RunLogEntry'
examples:
log-stream:
summary: Sample NDJSON log stream
value: |
{"timestamp":"2025-12-06T10:00:00Z","level":"info","eventType":"run.created","message":"Run created via API.","metadata":{"planHash":"sha256:a1b2c3d4...","requestedAt":"2025-12-06T10:00:00Z"}}
{"timestamp":"2025-12-06T10:00:01Z","level":"info","eventType":"step.started","message":"Starting step: build","stepId":"build"}
{"timestamp":"2025-12-06T10:02:00Z","level":"info","eventType":"step.completed","message":"Step completed: build","stepId":"build","metadata":{"duration":"119s"}}
{"timestamp":"2025-12-06T10:02:01Z","level":"warn","eventType":"gate.awaiting","message":"Awaiting approval: security-review","stepId":"approval"}
'404':
description: Run not found
default:
$ref: '#/components/responses/Error'
/v1/task-runner/runs/{runId}/artifacts:
get:
summary: List run artifacts
description: |
Returns a list of artifacts captured during the run, including file outputs,
evidence bundles, and expression-evaluated results.
operationId: listRunArtifacts
tags: [Artifacts]
parameters:
- $ref: '#/components/parameters/Tenant'
- $ref: '#/components/parameters/RunId'
responses:
'200':
description: Artifact list
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/RunArtifact'
examples:
artifacts:
value:
- name: scan-report
type: file
sourcePath: "/output/scan-report.json"
storedPath: "runs/run-20251206-001/artifacts/scan-report.json"
status: captured
capturedAt: "2025-12-06T10:02:00Z"
- name: evidence-bundle
type: object
status: captured
capturedAt: "2025-12-06T10:02:00Z"
expressionJson: '{"sha256":"abc123...","attestations":[...]}'
'404':
description: Run not found
default:
$ref: '#/components/responses/Error'
/v1/task-runner/runs/{runId}/approvals/{approvalId}:
post:
summary: Apply approval decision
description: |
Applies an approval decision (approved, rejected, or expired) to a pending
approval gate. The planHash must match to prevent approving a stale plan.
If approved, the run will resume execution. If rejected, the run will fail
at the gate step.
operationId: applyApprovalDecision
tags: [Approvals]
parameters:
- $ref: '#/components/parameters/Tenant'
- $ref: '#/components/parameters/RunId'
- $ref: '#/components/parameters/ApprovalId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ApprovalDecisionRequest'
examples:
approve:
summary: Approve the gate
value:
decision: approved
planHash: "sha256:a1b2c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef"
actorId: "user:alice@example.com"
summary: "Reviewed and approved for production deployment"
reject:
summary: Reject the gate
value:
decision: rejected
planHash: "sha256:a1b2c3d4e5f678901234567890abcdef1234567890abcdef1234567890abcdef"
actorId: "user:bob@example.com"
summary: "Security scan found critical vulnerabilities"
responses:
'200':
description: Decision applied
content:
application/json:
schema:
$ref: '#/components/schemas/ApprovalDecisionResponse'
examples:
approved:
value:
status: approved
resumed: true
'400':
description: Invalid decision or planHash format
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorEnvelope'
'404':
description: Run or approval not found
'409':
description: Plan hash mismatch
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorEnvelope'
default:
$ref: '#/components/responses/Error'
/v1/task-runner/runs/{runId}/cancel:
post:
summary: Cancel a run
description: |
Requests cancellation of a run. Remaining pending steps will be marked as
skipped. Steps that have already succeeded or been skipped are not affected.
operationId: cancelRun
tags: [Runs]
parameters:
- $ref: '#/components/parameters/Tenant'
- $ref: '#/components/parameters/RunId'
responses:
'202':
description: Cancellation accepted
headers:
Location:
description: URL of the run
schema:
type: string
content:
application/json:
schema:
type: object
properties:
status:
type: string
enum: [cancelled]
'404':
description: Run not found
default:
$ref: '#/components/responses/Error'
/.well-known/openapi:
get:
summary: Get OpenAPI metadata
description: |
Returns metadata about the OpenAPI specification including the spec URL,
ETag for caching, and a signature for verification.
operationId: getOpenApiMetadata
tags: [Metadata]
responses:
'200':
description: OpenAPI metadata
headers:
ETag:
description: Spec version ETag
schema:
type: string
X-Signature:
description: Spec signature for verification
schema:
type: string
content:
application/json:
schema:
$ref: '#/components/schemas/OpenApiMetadata'
examples:
metadata:
value:
specUrl: "/openapi"
version: "0.1.0-draft"
buildVersion: "20251206.1"
etag: '"abc123"'
signature: "sha256:def456..."
components:
securitySchemes:
oauth2:
type: oauth2
flows:
clientCredentials:
tokenUrl: https://auth.stellaops.example.com/oauth/token
scopes:
taskrunner.viewer: Read-only access to runs and logs
taskrunner.operator: Create runs and apply approvals
taskrunner.admin: Full administrative access
parameters:
Tenant:
name: X-StellaOps-Tenant
in: header
required: false
description: Tenant slug (optional for single-tenant deployments)
schema:
type: string
RunId:
name: runId
in: path
required: true
description: Unique run identifier
schema:
type: string
pattern: '^[a-zA-Z0-9_-]+$'
ApprovalId:
name: approvalId
in: path
required: true
description: Approval gate identifier (from task pack approvals section)
schema:
type: string
responses:
Error:
description: Standard error envelope
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorEnvelope'
examples:
internal-error:
value:
error:
code: internal_error
message: "An unexpected error occurred"
traceId: "f62f3c2b9c8e4c53"
schemas:
ErrorEnvelope:
type: object
required: [error]
properties:
error:
type: object
required: [code, message]
properties:
code:
type: string
description: Machine-readable error code
message:
type: string
description: Human-readable error message
traceId:
type: string
description: Trace ID for debugging
SimulationRequest:
type: object
required: [manifest]
properties:
manifest:
type: string
description: Task pack manifest in YAML format
inputs:
type: object
additionalProperties: true
description: Input values to provide to the task pack
SimulationResponse:
type: object
required: [planHash, failurePolicy, steps, outputs, hasPendingApprovals]
properties:
planHash:
type: string
description: SHA-256 hash of the execution plan
pattern: '^sha256:[a-f0-9]{64}$'
failurePolicy:
$ref: '#/components/schemas/FailurePolicy'
steps:
type: array
items:
$ref: '#/components/schemas/SimulationStep'
outputs:
type: array
items:
$ref: '#/components/schemas/SimulationOutput'
hasPendingApprovals:
type: boolean
description: Whether the plan contains approval gates
SimulationStep:
type: object
required: [id, templateId, kind, enabled, status, children]
properties:
id:
type: string
templateId:
type: string
kind:
type: string
enum: [Run, GateApproval, GatePolicy, Parallel, Map, Loop, Conditional, Unknown]
enabled:
type: boolean
status:
type: string
enum: [Pending, Skipped, RequiresApproval, RequiresPolicy, WillIterate, WillBranch]
statusReason:
type: string
uses:
type: string
description: Executor reference for run steps
approvalId:
type: string
gateMessage:
type: string
maxParallel:
type: integer
continueOnError:
type: boolean
children:
type: array
items:
$ref: '#/components/schemas/SimulationStep'
loopInfo:
$ref: '#/components/schemas/LoopInfo'
conditionalInfo:
$ref: '#/components/schemas/ConditionalInfo'
policyInfo:
$ref: '#/components/schemas/PolicyInfo'
LoopInfo:
type: object
description: Loop step simulation details
properties:
itemsExpression:
type: string
iterator:
type: string
index:
type: string
maxIterations:
type: integer
aggregationMode:
type: string
enum: [collect, merge, last, first, none]
ConditionalInfo:
type: object
description: Conditional step simulation details
properties:
branches:
type: array
items:
type: object
properties:
condition:
type: string
stepCount:
type: integer
elseStepCount:
type: integer
outputUnion:
type: boolean
PolicyInfo:
type: object
description: Policy gate simulation details
properties:
policyId:
type: string
policyVersion:
type: string
failureAction:
type: string
enum: [abort, warn, requestOverride, branch]
retryCount:
type: integer
SimulationOutput:
type: object
required: [name, type, requiresRuntimeValue]
properties:
name:
type: string
type:
type: string
requiresRuntimeValue:
type: boolean
pathExpression:
type: string
valueExpression:
type: string
CreateRunRequest:
type: object
required: [manifest]
properties:
runId:
type: string
description: Optional custom run ID (auto-generated if not provided)
manifest:
type: string
description: Task pack manifest in YAML format
inputs:
type: object
additionalProperties: true
description: Input values to provide to the task pack
tenantId:
type: string
description: Tenant identifier
RunStateResponse:
type: object
required: [runId, planHash, failurePolicy, createdAt, updatedAt, steps]
properties:
runId:
type: string
planHash:
type: string
pattern: '^sha256:[a-f0-9]{64}$'
failurePolicy:
$ref: '#/components/schemas/FailurePolicy'
createdAt:
type: string
format: date-time
updatedAt:
type: string
format: date-time
steps:
type: array
items:
$ref: '#/components/schemas/RunStateStep'
RunStateStep:
type: object
required: [stepId, kind, enabled, continueOnError, status, attempts]
properties:
stepId:
type: string
kind:
type: string
enum: [Run, GateApproval, GatePolicy, Parallel, Map, Loop, Conditional, Unknown]
enabled:
type: boolean
continueOnError:
type: boolean
maxParallel:
type: integer
approvalId:
type: string
gateMessage:
type: string
status:
type: string
enum: [Pending, Running, Succeeded, Failed, Skipped]
attempts:
type: integer
lastTransitionAt:
type: string
format: date-time
nextAttemptAt:
type: string
format: date-time
statusReason:
type: string
FailurePolicy:
type: object
required: [maxAttempts, backoffSeconds, continueOnError]
properties:
maxAttempts:
type: integer
minimum: 1
backoffSeconds:
type: integer
minimum: 0
continueOnError:
type: boolean
RunLogEntry:
type: object
required: [timestamp, level, eventType, message]
description: |
Log entry returned in NDJSON stream. Each entry is a single JSON object
followed by a newline character.
properties:
timestamp:
type: string
format: date-time
level:
type: string
enum: [debug, info, warn, error]
eventType:
type: string
description: |
Event type identifier, e.g.:
- run.created, run.started, run.completed, run.failed, run.cancelled
- step.started, step.completed, step.failed, step.skipped
- gate.awaiting, gate.approved, gate.rejected
- run.schedule-failed, run.cancel-requested
message:
type: string
stepId:
type: string
metadata:
type: object
additionalProperties:
type: string
RunArtifact:
type: object
required: [name, type, status]
properties:
name:
type: string
type:
type: string
enum: [file, object]
sourcePath:
type: string
storedPath:
type: string
status:
type: string
enum: [pending, captured, failed]
notes:
type: string
capturedAt:
type: string
format: date-time
expressionJson:
type: string
description: JSON string of evaluated expression result for object outputs
ApprovalDecisionRequest:
type: object
required: [decision, planHash]
properties:
decision:
type: string
enum: [approved, rejected, expired]
planHash:
type: string
pattern: '^sha256:[a-f0-9]{64}$'
description: Plan hash to verify against (must match current run plan)
actorId:
type: string
description: Identifier of the approver (e.g., user:alice@example.com)
summary:
type: string
description: Optional comment explaining the decision
ApprovalDecisionResponse:
type: object
required: [status, resumed]
properties:
status:
type: string
enum: [approved, rejected, expired]
resumed:
type: boolean
description: Whether the run was resumed (true for approved decisions)
PlanErrorResponse:
type: object
required: [errors]
properties:
errors:
type: array
items:
type: object
required: [path, message]
properties:
path:
type: string
description: JSON path to the error location
message:
type: string
OpenApiMetadata:
type: object
required: [specUrl, version, etag]
properties:
specUrl:
type: string
description: URL to fetch the full OpenAPI spec
version:
type: string
description: API version
buildVersion:
type: string
description: Build version identifier
etag:
type: string
description: ETag for caching
signature:
type: string
description: Signature for spec verification
tags:
- name: Simulations
description: Task pack simulation without execution
- name: Runs
description: Pack run lifecycle management
- name: Logs
description: Run log streaming
- name: Artifacts
description: Run artifact management
- name: Approvals
description: Approval gate decisions
- name: Metadata
description: Service metadata and discovery

29
docs/features/checked/taskrunner/pack-run-approval-gates.md
View File

@@ -1,29 +0,0 @@
# Pack Run Approval Gates
## Module
TaskRunner
## Status
IMPLEMENTED
## Description
Approval gate system for task packs with coordinator, decision service, state tracking, and gate state updating.
## Implementation Details
- **Approval coordinator**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/PackRunApprovalCoordinator.cs` -- orchestrates approval gate flow
- **Approval state**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/PackRunApprovalState.cs` -- approval state tracking model
- **Approval status**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/PackRunApprovalStatus.cs` -- approval status enum
- **Approval store interface**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/IPackRunApprovalStore.cs` -- approval persistence contract
- **Gate state updater**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/PackRunGateStateUpdater.cs` -- updates gate states during execution
- **Decision service**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/Execution/PackRunApprovalDecisionService.cs` -- processes approval decisions
- **File-based store**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/Execution/FilePackRunApprovalStore.cs` -- file-backed approval persistence
- **Postgres store**: `src/TaskRunner/__Libraries/StellaOps.TaskRunner.Persistence/Postgres/Repositories/PostgresPackRunApprovalStore.cs` -- PostgreSQL approval persistence
- **Tests**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/PackRunApprovalCoordinatorTests.cs`, `PackRunApprovalDecisionServiceTests.cs`, `PackRunGateStateUpdaterTests.cs`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify approval gates block execution until approved
- [ ] Test approval coordinator handles multi-approver gates
- [ ] Verify gate state transitions (pending -> approved/rejected)
- [ ] Test approval persistence survives service restart
- [ ] Verify rejected gates prevent pack run continuation

32
docs/features/checked/taskrunner/pack-run-evidence-and-provenance.md
View File

@@ -1,32 +0,0 @@
# Pack Run Evidence and Provenance
## Module
TaskRunner
## Status
IMPLEMENTED
## Description
Evidence capture and provenance writing for pack runs, including attestation service for DSSE-signed provenance records.
## Implementation Details
- **Attestation service**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Attestation/IPackRunAttestationService.cs` -- DSSE-signed attestation contract
- **Attestation model**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Attestation/PackRunAttestation.cs` -- attestation record for pack runs
- **Evidence snapshot service**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Evidence/IPackRunEvidenceSnapshotService.cs` -- evidence snapshot capture
- **Evidence snapshot model**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Evidence/PackRunEvidenceSnapshot.cs` -- snapshot data model
- **Evidence store**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Evidence/IPackRunEvidenceStore.cs` -- evidence persistence contract
- **Redaction guard**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Evidence/IPackRunRedactionGuard.cs` -- sensitive data redaction
- **Bundle import evidence**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Evidence/BundleImportEvidence.cs`, `IBundleImportEvidenceService.cs` -- air-gap bundle import evidence
- **Provenance writer interface**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/IPackRunProvenanceWriter.cs` -- provenance writing contract
- **Provenance manifest factory**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/ProvenanceManifestFactory.cs` -- creates SLSA-compatible provenance manifests
- **Filesystem provenance writer**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/Execution/FilesystemPackRunProvenanceWriter.cs`
- **Postgres evidence store**: `src/TaskRunner/__Libraries/StellaOps.TaskRunner.Persistence/Postgres/Repositories/PostgresPackRunEvidenceStore.cs`
- **Tests**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/PackRunAttestationTests.cs`, `PackRunEvidenceSnapshotTests.cs`, `PackRunProvenanceWriterTests.cs`, `BundleImportEvidenceTests.cs`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify DSSE-signed attestations are generated per pack run
- [ ] Test evidence snapshot captures all execution artifacts
- [ ] Verify provenance manifest includes SLSA-compatible metadata
- [ ] Test redaction guard strips sensitive data from evidence
- [ ] Verify bundle import evidence records air-gap import provenance

35
docs/features/checked/taskrunner/pack-run-execution-engine.md
View File

@@ -1,35 +0,0 @@
# Pack Run Execution Engine
## Module
TaskRunner
## Status
IMPLEMENTED
## Description
Full execution engine with graph-based execution planning, step state machine, and processor for running task packs.
## Implementation Details
- **Processor**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/PackRunProcessor.cs` -- main execution engine processor
- **Processor result**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/PackRunProcessorResult.cs` -- execution result model
- **Execution graph**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/PackRunExecutionGraph.cs` -- DAG-based execution planning
- **Graph builder**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/PackRunExecutionGraphBuilder.cs` -- builds execution graphs from manifests
- **Step state machine**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/PackRunStepStateMachine.cs` -- state transitions for individual steps
- **Step executor interface**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/IPackRunStepExecutor.cs` -- step execution contract
- **Execution context**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/PackRunExecutionContext.cs` -- runtime context for execution
- **State management**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/PackRunState.cs`, `PackRunStateFactory.cs` -- execution state tracking
- **Job dispatcher**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/IPackRunJobDispatcher.cs`, `IPackRunJobScheduler.cs` -- job scheduling and dispatch
- **Simulation engine**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/Simulation/PackRunSimulationEngine.cs`, `PackRunSimulationModels.cs` -- dry-run simulation
- **Telemetry**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/TaskRunnerTelemetry.cs` -- execution metrics
- **Worker service**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/Services/PackRunWorkerService.cs` -- background worker
- **Infrastructure**: file-based and no-op step executors, dispatchers, artifact uploaders under `StellaOps.TaskRunner.Infrastructure/Execution/`
- **Postgres state store**: `src/TaskRunner/__Libraries/StellaOps.TaskRunner.Persistence/Postgres/Repositories/PostgresPackRunStateStore.cs`, `PostgresPackRunLogStore.cs`
- **Tests**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/PackRunProcessorTests.cs`, `PackRunExecutionGraphBuilderTests.cs`, `PackRunStepStateMachineTests.cs`, `PackRunStateFactoryTests.cs`, `PackRunSimulationEngineTests.cs`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify execution graph correctly orders steps based on dependencies
- [ ] Test step state machine transitions (pending -> running -> completed/failed)
- [ ] Verify processor handles step failures with configured retry/abort behavior
- [ ] Test simulation engine produces accurate dry-run results
- [ ] Verify execution state persists across service restarts

30
docs/features/checked/taskrunner/sealed-mode-install-enforcer.md
View File

@@ -1,30 +0,0 @@
# Sealed-Mode Install Enforcer (Air-Gap Support)
## Module
TaskRunner
## Status
IMPLEMENTED
## Description
Enforcer for sealed/air-gap mode that ensures task pack installations comply with offline constraints and logs all install actions for audit.
## Implementation Details
- **Enforcer interface**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/AirGap/ISealedInstallEnforcer.cs` -- sealed mode enforcement contract
- **Enforcer implementation**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/AirGap/SealedInstallEnforcer.cs` -- validates installations comply with offline constraints
- **Enforcement result**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/AirGap/SealedInstallEnforcementResult.cs` -- result model for enforcement checks
- **Sealed mode status**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/AirGap/SealedModeStatus.cs` -- current sealed mode state
- **Sealed requirements**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/AirGap/SealedRequirements.cs` -- requirements for sealed mode compliance
- **Audit logger**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/AirGap/ISealedInstallAuditLogger.cs` -- audit logging for install actions
- **Air-gap status provider**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/AirGap/IAirGapStatusProvider.cs` -- checks if system is in air-gap mode
- **HTTP status provider**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/AirGap/HttpAirGapStatusProvider.cs` -- HTTP-based air-gap status check
- **Bundle ingestion executor**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/Execution/BundleIngestionStepExecutor.cs` -- air-gap bundle ingestion step
- **Tests**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/SealedInstallEnforcerTests.cs`, `BundleIngestionStepExecutorTests.cs`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify enforcer blocks network-dependent installations in sealed mode
- [ ] Test sealed mode status detection via HTTP provider
- [ ] Verify audit logger records all install actions in sealed mode
- [ ] Test bundle ingestion step works in offline environment
- [ ] Verify enforcement result reports compliance violations

30
docs/features/checked/taskrunner/taskpack-manifest-and-planning.md
View File

@@ -1,30 +0,0 @@
# TaskPack Manifest and Planning
## Module
TaskRunner
## Status
IMPLEMENTED
## Description
Full task pack manifest system with loading, validation, planning, and plan hashing for deterministic execution verification.
## Implementation Details
- **Manifest model**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/TaskPacks/TaskPackManifest.cs` -- task pack manifest schema
- **Manifest loader**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/TaskPacks/TaskPackManifestLoader.cs` -- loads manifests from filesystem/storage
- **Manifest validator**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/TaskPacks/TaskPackManifestValidator.cs` -- validates manifest structure and constraints
- **Planner**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Planning/TaskPackPlanner.cs` -- creates execution plans from manifests
- **Plan model**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Planning/TaskPackPlan.cs` -- execution plan data model
- **Plan hasher**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Planning/TaskPackPlanHasher.cs` -- deterministic plan hashing for verification
- **Plan insights**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Planning/TaskPackPlanInsights.cs` -- planning insights and analysis
- **Expressions**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Expressions/TaskPackExpressions.cs` -- expression evaluation for manifest conditions
- **Canonical JSON**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Serialization/CanonicalJson.cs` -- deterministic JSON serialization for plan hashing
- **Tests**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/TaskPackPlannerTests.cs`, `TestManifests.cs`, `TestManifests.Egress.cs`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify manifest loading from filesystem
- [ ] Test manifest validation catches invalid structures
- [ ] Verify planner creates correct execution plans from manifests
- [ ] Test deterministic plan hashing produces consistent hashes
- [ ] Verify expression evaluation in manifest conditions

27
docs/features/checked/taskrunner/taskrunner-loop-and-conditional-step-kinds.md
View File

@@ -1,27 +0,0 @@
# TaskRunner Loop and Conditional Step Kinds
## Module
TaskRunner
## Status
IMPLEMENTED
## Description
Extended TaskRunner execution engine with loop and conditional step types, enabling iterative and branching task execution patterns beyond simple sequential flows.
## Implementation Details
- **Step state machine**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/PackRunStepStateMachine.cs` -- manages step state transitions including loop and conditional steps
- **Execution graph**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/PackRunExecutionGraph.cs` -- DAG supports loop and conditional edges
- **Graph builder**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/PackRunExecutionGraphBuilder.cs` -- builds graphs with loop/conditional nodes
- **Expressions**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Expressions/TaskPackExpressions.cs` -- expression evaluation for conditional branching
- **Manifest model**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/TaskPacks/TaskPackManifest.cs` -- manifest supports loop and conditional step kind definitions
- **Processor**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/PackRunProcessor.cs` -- processes loop iterations and conditional branches
- **Tests**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/PackRunStepStateMachineTests.cs`, `PackRunExecutionGraphBuilderTests.cs`, `PackRunProcessorTests.cs`
- **Source**: SPRINT_0157_0001_0001_taskrunner_i.md
## E2E Test Plan
- [ ] Verify loop steps iterate the configured number of times
- [ ] Test conditional steps branch based on expression evaluation
- [ ] Verify loop step supports early exit on condition
- [ ] Test nested loops and conditionals execute correctly
- [ ] Verify execution graph handles loop back-edges without cycles

32
docs/features/checked/taskrunner/taskrunner-sdk-client-with-openapi.md
View File

@@ -1,32 +0,0 @@
# TaskRunner SDK Client with OpenAPI
## Module
TaskRunner
## Status
IMPLEMENTED
## Description
Auto-generated SDK client for TaskRunner APIs with OpenAPI spec, deprecation middleware, and versioned endpoint support for external integrators.
## Implementation Details
- **Client interface**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Client/ITaskRunnerClient.cs` -- SDK client contract
- **Client implementation**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Client/TaskRunnerClient.cs` -- HTTP client for TaskRunner APIs
- **Client options**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Client/TaskRunnerClientOptions.cs` -- configurable client options
- **DI extensions**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Client/Extensions/TaskRunnerClientServiceCollectionExtensions.cs` -- DI registration
- **Pack run models**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Client/Models/PackRunModels.cs` -- client-side pack run models
- **Lifecycle helper**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Client/Lifecycle/PackRunLifecycleHelper.cs` -- pack run lifecycle management
- **Pagination**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Client/Pagination/Paginator.cs` -- paginated API result handling
- **Streaming log reader**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Client/Streaming/StreamingLogReader.cs` -- real-time log streaming
- **OpenAPI metadata**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/OpenApiMetadataFactory.cs` -- OpenAPI spec generation
- **Deprecation middleware**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/Deprecation/ApiDeprecationMiddleware.cs`, `ApiDeprecationOptions.cs`, `IDeprecationNotificationService.cs` -- API versioning and deprecation support
- **WebService program**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/Program.cs` -- API host with OpenAPI endpoints
- **Tests**: `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/TaskRunnerClientTests.cs`, `OpenApiMetadataFactoryTests.cs`, `ApiDeprecationTests.cs`
- **Source**: SPRINT_0157_0001_0001_taskrunner_i.md
## E2E Test Plan
- [ ] Verify SDK client can list, create, and manage pack runs
- [ ] Test streaming log reader receives real-time execution logs
- [ ] Verify OpenAPI spec is generated and accessible at /swagger endpoint
- [ ] Test deprecation middleware returns correct headers for deprecated endpoints
- [ ] Verify pagination handles large result sets correctly

20
docs/modules/jobengine/architecture.md
View File

@@ -157,7 +157,7 @@ All responses include deterministic timestamps, job digests, and DSSE signature
## 8) Orchestration domain subdomains (Sprint 208)
Sprint 208 consolidated Scheduler, TaskRunner, and PacksRegistry source trees under `src/JobEngine/` as subdomains of the orchestration domain. Each subdomain retains its own project names, namespaces, and runtime identities. No namespace renames were performed.
Sprint 208 consolidated Scheduler, TaskRunner, and PacksRegistry source trees under `src/JobEngine/` as subdomains of the orchestration domain. Each subdomain retains its own project names, namespaces, and runtime identities. No namespace renames were performed. **TaskRunner was subsequently removed (2026-04-08); its `task_runner_id` DB columns remain as nullable legacy fields.**
### 8.1) Scheduler subdomain
@@ -169,21 +169,9 @@ The Scheduler service re-evaluates already-cataloged images when intelligence ch
**Database:** `SchedulerDbContext` (schema `scheduler`, 11 entities). Owns `schedules`, `runs`, `impact_cursors`, `locks`, `audit` tables. See archived docs: `docs-archived/modules/scheduler/architecture.md`.
### 8.2) TaskRunner subdomain
### 8.2) TaskRunner subdomain (REMOVED)
**Source location:** `src/JobEngine/StellaOps.TaskRunner/`, `src/JobEngine/StellaOps.TaskRunner.__Libraries/`
The TaskRunner provides the execution substrate for Orchestrator jobs. Workers poll lease endpoints, execute tasks, report outcomes, and stream logs/artifacts for pack-runs.
**Deployables:** `StellaOps.TaskRunner.WebService`, `StellaOps.TaskRunner.Worker`.
**Database and storage contract (Sprint 312):**
- `Storage:Driver=postgres` is the production default for run state, logs, and approvals.
- Postgres-backed stores: `PostgresPackRunStateStore`, `PostgresPackRunLogStore`, `PostgresPackRunApprovalStore` via `TaskRunnerDataSource`.
- Artifact payload channel uses object storage path (`seed-fs` driver) configured with `TaskRunner:Storage:ObjectStore:SeedFs:RootPath`.
- Startup fails fast when `Storage:ObjectStore:Driver` is set to `rustfs` (not implemented) or any unsupported driver value.
- Non-development startup fails fast when `Storage:Driver=postgres` and no connection string is configured.
- Explicit non-production overrides remain available (`filesystem`, `inmemory`) but are no longer implicit defaults.
> TaskRunner was deleted on 2026-04-08. Source directories, Docker services, CLI commands, and docs have been removed. The `task_runner_id` columns in the database remain as nullable legacy fields. No new migrations were created.
### 8.3) PacksRegistry subdomain
@@ -221,7 +209,7 @@ Merging would require renaming one set of entities (e.g., `SchedulerJobs`, `Sche
3. Schemas provide clean separation at zero cost.
4. Future domain rename (Sprint 221) is a better venue for any schema consolidation.
**Consequences:** TaskRunner and PacksRegistry remain independent subdomains and now implement explicit storage contracts (Postgres state/metadata plus object-store payload channels) without cross-schema DB merge.
**Consequences:** PacksRegistry remains an independent subdomain implementing explicit storage contracts (Postgres state/metadata plus object-store payload channels) without cross-schema DB merge. TaskRunner was subsequently removed.
---

48
docs/operations/devops/task-runner-simulation.md
View File

@@ -1,48 +0,0 @@
# Task Runner — Simulation & Failure Policy Notes
> **Status:** Draft (2025-11-04) — execution wiring + CLI simulate command landed; docs pending final polish
The Task Runner planning layer now materialises additional runtime metadata to unblock execution and simulation flows:
- **Execution graph builder** converts `TaskPackPlan` steps (including `map` and `parallel`) into a deterministic graph with preserved enablement flags and per-step metadata (`maxParallel`, `continueOnError`, parameters, approval IDs).
- **Simulation engine** walks the execution graph and classifies steps as `pending`, `skipped`, `requires-approval`, or `requires-policy`, producing a deterministic preview for CLI/UI consumers while surfacing declared outputs.
- **Failure policy** pack-level `spec.failure.retries` is normalised into a `TaskPackPlanFailurePolicy` (default: `maxAttempts = 1`, `backoffSeconds = 0`). The new step state machine uses this policy to schedule retries and to determine when a run must abort.
- **Simulation API + Worker** `POST /v1/task-runner/simulations` returns the deterministic preview; `GET /v1/task-runner/runs/{id}` exposes persisted retry windows now written by the worker as it honours `maxParallel`, `continueOnError`, and retry windows during execution.
## Current behaviour
- Map steps expand into child iterations (`stepId[index]::templateId`) with per-item parameters preserved for runtime reference.
- Parallel blocks honour `maxParallel` (defaults to unlimited) and the worker executes children accordingly, short-circuiting when `continueOnError` is false.
- Simulation output mirrors approvals/policy gates, allowing the WebService/CLI to show which actions must occur before execution resumes.
- File-backed state store persists `PackRunState` snapshots (`nextAttemptAt`, attempts, reasons) so orchestration clients and CLI can resume runs deterministically even in air-gapped environments.
- Step state machine transitions:
- `pending → running → succeeded`
- `running → failed` (abort) once attempts ≥ `maxAttempts`
- `running → pending` with scheduled `nextAttemptAt` when retries remain
- `pending → skipped` for disabled steps (e.g., `when` expressions).
## CLI usage
Run the simulation without mutating state:
```bash
stella task-runner simulate \
--manifest ./packs/sample-pack.yaml \
--inputs ./inputs.json \
--format table
```
Use `--format json` (or `--output path.json`) to emit the raw payload produced by `POST /api/task-runner/simulations`.
## Follow-up gaps
- Fold the CLI command into the official reference/quickstart guides and capture exit-code conventions.
References:
- `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/PackRunExecutionGraphBuilder.cs`
- `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/Simulation/PackRunSimulationEngine.cs`
- `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Execution/PackRunStepStateMachine.cs`
- `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/Execution/FilePackRunStateStore.cs`
- `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/Services/PackRunWorkerService.cs`
- `src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/Program.cs`

135
docs/qa/feature-checks/state/taskrunner.json
View File

@@ -1,135 +0,0 @@
{
"module": "taskrunner",
"featureCount": 7,
"lastUpdatedUtc": "2026-02-13T08:00:00Z",
"summary": {
"passed": 7,
"failed": 0,
"blocked": 0,
"skipped": 0,
"done": 7,
"queued": 0
},
"buildNote": "All 7 taskrunner features verified via Tier 0/1/2 pipeline on 2026-02-13. Baseline: 227/227 tests pass in StellaOps.TaskRunner.Tests.csproj (net10.0, 1.6s). All source files verified on disk. All features moved to docs/features/checked/taskrunner/.",
"features": {
"pack-run-approval-gates": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-001",
"lastUpdatedUtc": "2026-02-13T08:00:00Z",
"featureFile": "docs/features/checked/taskrunner/pack-run-approval-gates.md",
"notes": [
"[2026-02-13T08:00:00Z] checking: Tier 0 source verification - 8 source files confirmed on disk (coordinator, state, status, store interface, gate updater, decision service, file store, postgres store).",
"[2026-02-13T08:00:00Z] checking: Tier 1 build passed 227/227 tests. Code review confirms approval coordinator with ConcurrentDictionary, approve/reject/expire transitions, plan hash verification.",
"[2026-02-13T08:00:00Z] done: Tier 2 behavioral verification passed. 12 tests across PackRunApprovalCoordinatorTests, PackRunApprovalDecisionServiceTests, PackRunGateStateUpdaterTests. All approval state transitions, plan hash mismatch detection, and scheduler resume logic verified. Moved to checked/."
]
},
"pack-run-evidence-and-provenance": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-001",
"lastUpdatedUtc": "2026-02-13T08:00:00Z",
"featureFile": "docs/features/checked/taskrunner/pack-run-evidence-and-provenance.md",
"notes": [
"[2026-02-13T08:00:00Z] checking: Tier 0 source verification - 12 source files confirmed (attestation service, evidence snapshot, evidence store, redaction guard, bundle import evidence, provenance writer, provenance manifest factory, filesystem provenance writer, postgres evidence store).",
"[2026-02-13T08:00:00Z] checking: Tier 1 build passed 227/227 tests. Code review confirms DSSE attestation with signing/verification, Merkle root evidence snapshots, deterministic hashing, sensitive data redaction.",
"[2026-02-13T08:00:00Z] done: Tier 2 behavioral verification passed. 48 tests across PackRunAttestationTests (13), PackRunEvidenceSnapshotTests (24), PackRunProvenanceWriterTests (1), BundleImportEvidenceTests (10). Full attestation lifecycle (generate/verify/revoke), deterministic hashing, redaction, evidence export verified. Moved to checked/."
]
},
"pack-run-execution-engine": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-001",
"lastUpdatedUtc": "2026-02-13T08:00:00Z",
"featureFile": "docs/features/checked/taskrunner/pack-run-execution-engine.md",
"notes": [
"[2026-02-13T08:00:00Z] checking: Tier 0 source verification - 14 source files confirmed (processor, execution graph, graph builder, step state machine, step executor, execution context, state management, job dispatcher, simulation engine, telemetry, worker service, infrastructure step executors, postgres stores).",
"[2026-02-13T08:00:00Z] checking: Tier 1 build passed 227/227 tests. Code review confirms DAG-based execution graph, step state machine with retry/backoff, processor with approval integration, simulation engine for dry-run.",
"[2026-02-13T08:00:00Z] done: Tier 2 behavioral verification passed. 18 tests across PackRunProcessorTests (2), PackRunExecutionGraphBuilderTests (2), PackRunStepStateMachineTests (4), PackRunStateFactoryTests, PackRunSimulationEngineTests (7). State transitions, retry policy, parallel/map steps, simulation accuracy verified. Moved to checked/."
]
},
"sealed-mode-install-enforcer": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-001",
"lastUpdatedUtc": "2026-02-13T08:00:00Z",
"featureFile": "docs/features/checked/taskrunner/sealed-mode-install-enforcer.md",
"notes": [
"[2026-02-13T08:00:00Z] checking: Tier 0 source verification - 9 source files confirmed (enforcer interface/impl, enforcement result, sealed mode status, sealed requirements, audit logger, air-gap status provider, HTTP status provider, bundle ingestion executor).",
"[2026-02-13T08:00:00Z] checking: Tier 1 build passed 227/227 tests. Code review confirms sealed-mode enforcement with configurable options, 5 requirement types (bundle version, staleness, time anchor, offline duration, signature verification), bundle ingestion with checksum validation.",
"[2026-02-13T08:00:00Z] done: Tier 2 behavioral verification passed. 18 tests across SealedInstallEnforcerTests (13) and BundleIngestionStepExecutorTests (4). All enforcement scenarios verified: pack not requiring sealed, enforcement disabled, sealed required but not sealed, sealed and satisfied, bundle version below minimum, advisory too stale, time anchor missing/invalid, status provider failure. Bundle ingestion with checksum verified. Moved to checked/."
]
},
"taskpack-manifest-and-planning": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-001",
"lastUpdatedUtc": "2026-02-13T08:00:00Z",
"featureFile": "docs/features/checked/taskrunner/taskpack-manifest-and-planning.md",
"notes": [
"[2026-02-13T08:00:00Z] checking: Tier 0 source verification - 9 source files confirmed (manifest model/loader/validator, planner, plan model/hasher/insights, expressions, canonical JSON).",
"[2026-02-13T08:00:00Z] checking: Tier 1 build passed 227/227 tests. Code review confirms manifest loading, validation, planning with expression evaluation, deterministic plan hashing via canonical JSON, egress policy enforcement.",
"[2026-02-13T08:00:00Z] done: Tier 2 behavioral verification passed. 13 tests in TaskPackPlannerTests. Deterministic sha256 hash format, condition evaluation, step references, map expansion, approval requirements, secrets, outputs, failure policies, sealed-mode egress validation verified. 8+ manifest variants used. Moved to checked/."
]
},
"taskrunner-loop-and-conditional-step-kinds": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-001",
"lastUpdatedUtc": "2026-02-13T08:00:00Z",
"featureFile": "docs/features/checked/taskrunner/taskrunner-loop-and-conditional-step-kinds.md",
"notes": [
"[2026-02-13T08:00:00Z] checking: Tier 0 source verification - 6 source files confirmed (step state machine, execution graph, graph builder, expressions, manifest model, processor). Shared implementation with execution engine.",
"[2026-02-13T08:00:00Z] checking: Tier 1 build passed 227/227 tests. Code review confirms PackRunStepKind.Loop and PackRunStepKind.Conditional in enum, simulation WillIterate and WillBranch statuses, loop info with iterator/index/maxIterations/aggregationMode, conditional info with branches and outputUnion.",
"[2026-02-13T08:00:00Z] done: Tier 2 behavioral verification passed. 15 tests across PackRunStepStateMachineTests, PackRunExecutionGraphBuilderTests, PackRunProcessorTests, PackRunSimulationEngineTests. Loop step with WillIterate status, conditional step with WillBranch status, map step expansion, disabled conditional step skipping verified. Moved to checked/."
]
},
"taskrunner-sdk-client-with-openapi": {
"status": "done",
"tier": 2,
"retryCount": 0,
"sourceVerified": true,
"buildVerified": true,
"e2eVerified": true,
"skipReason": null,
"lastRunId": "run-001",
"lastUpdatedUtc": "2026-02-13T08:00:00Z",
"featureFile": "docs/features/checked/taskrunner/taskrunner-sdk-client-with-openapi.md",
"notes": [
"[2026-02-13T08:00:00Z] checking: Tier 0 source verification - 13 source files confirmed (client interface/impl/options, DI extensions, pack run models, lifecycle helper, paginator, streaming log reader, OpenAPI metadata factory, deprecation middleware/options/notification service, WebService program).",
"[2026-02-13T08:00:00Z] checking: Tier 1 build passed 227/227 tests. Code review confirms SDK client with HTTP implementation, NDJSON streaming log reader, paginator with async enumeration, OpenAPI metadata with deterministic signatures/ETags, deprecation middleware with wildcard path matching and sunset headers.",
"[2026-02-13T08:00:00Z] done: Tier 2 behavioral verification passed. 25 tests across TaskRunnerClientTests (13), OpenApiMetadataFactoryTests (4), ApiDeprecationTests (8). Streaming log parsing with level filtering and step grouping, pagination with multi-page collection, OpenAPI deterministic signatures, deprecation sunset scheduling with path pattern matching verified. Moved to checked/."
]
}
}
}

4
docs/technical/architecture/component-map.md
View File

@@ -22,7 +22,7 @@ Concise descriptions of every top-level component under `src/`, summarising the
## Policy & Governance
- **Policy** — Policy Engine core libraries and services executing lattice logic across SBOM, advisory, and VEX evidence. Emits explain traces, drives Findings, Notifier, and Export Center (`docs/modules/policy/architecture.md`).
- **Policy Studio / TaskRunner / PacksRegistry** - Authoring, automation, and reusable template services that orchestrate policy and operational workflows (`docs/modules/packs-registry/guides/`, `docs/modules/cli/`, `docs/modules/ui/`).
- **Policy Studio / PacksRegistry** - Authoring and reusable template services that orchestrate policy and operational workflows (`docs/modules/packs-registry/guides/`, `docs/modules/cli/`, `docs/modules/ui/`).
- **Governance components** (Authority scopes, Policy governance, Console policy UI) are covered in `docs/security/policy-governance.md` and `docs/modules/ui/policies.md`.
## Identity, Signing & Provenance
@@ -35,7 +35,7 @@ Concise descriptions of every top-level component under `src/`, summarising the
## Scheduling, Orchestration & Automation
- **Scheduler** — Detects advisory/VEX deltas and orchestrates deterministic rescan runs toward Scanner and Policy Engine (`docs/modules/scheduler/architecture.md`).
- **Orchestrator** — Central coordination service dispatching jobs (scans, exports, policy runs) to modules, working closely with Scheduler, CLI, and UI (`docs/modules/jobengine/architecture.md`).
- **TaskRunner** - Executes automation packs sourced from PacksRegistry, integrating with Orchestrator, CLI, Notify, and Authority (`docs/modules/packs-registry/guides/runbook.md`).
- **Signals** — Ingests runtime posture signals and feeds Policy/Notifier workflows (`docs/modules/zastava/architecture.md`, signals sections).
- **TimelineIndexer** — Builds timelines of evidence/events for forensics and audit tooling (`docs/modules/timeline-indexer/guides/timeline.md`).

8
docs/technical/architecture/module-matrix.md
View File

@@ -23,7 +23,7 @@ The solution contains **46 top-level modules** in `src/`. The architecture docum
| Scanning & Analysis | 5 | Scanner, BinaryIndex, AdvisoryAI, Symbols, ReachGraph |
| Artifacts & Evidence | 7 | Attestor, Signer, SbomService, EvidenceLocker, ExportCenter, Provenance, Provcache |
| Policy & Risk | 3 | Policy, RiskEngine, Unknowns (VulnExplorer merged into Findings Ledger) |
| Operations | 8 | Scheduler, Orchestrator, TaskRunner, Notify, Notifier, PacksRegistry, TimelineIndexer, Replay |
| Operations | 7 | Scheduler, Orchestrator, Notify, Notifier, PacksRegistry, TimelineIndexer, Replay |
| Integration | 5 | CLI, Zastava, Web, API, Registry |
| Infrastructure | 6 | Cryptography, Telemetry, Graph, Signals, AirGap, AOC |
| Testing & Benchmarks | 2 | Benchmark, Bench |
@@ -81,7 +81,7 @@ The solution contains **46 top-level modules** in `src/`. The architecture docum
| Module | Path | Purpose | WebService | Worker | Storage |
|--------|------|---------|------------|--------|---------|
| **JobEngine** | `src/JobEngine/` | Workflow orchestration, scheduling, task execution, pack registry. Includes Scheduler, TaskRunner, PacksRegistry (Sprint 208); renamed from Orchestrator (Sprint 221). | Yes | Yes | PostgreSQL (`orchestrator`, `scheduler`) |
| **JobEngine** | `src/JobEngine/` | Workflow orchestration, scheduling, pack registry. Includes Scheduler, PacksRegistry (Sprint 208); renamed from Orchestrator (Sprint 221). TaskRunner removed. | Yes | Yes | PostgreSQL (`orchestrator`, `scheduler`) |
| **Notify** | `src/Notify/` | Unified notification service (shared libraries + merged WebService). Notifier WebService merged into Notify WebService (2026-04-08). | Yes | N/A | PostgreSQL (`notify`) |
| **Notifier** | `src/Notifier/` | Notifier Worker (delivery engine). WebService merged into Notify (2026-04-08). | N/A | Yes | PostgreSQL (`notify`) |
| **Timeline** | `src/Timeline/` | Timeline query, event indexing, and replay. Includes TimelineIndexer (Sprint 210). | Yes | No | PostgreSQL |
@@ -132,7 +132,7 @@ The solution contains **46 top-level modules** in `src/`. The architecture docum
| Type | Modules |
|------|---------|
| **WebService + Worker** | Scanner, Concelier, Excititor, Policy, Notifier, TaskRunner, AirGap, Mirror |
| **WebService + Worker** | Scanner, Concelier, Excititor, Policy, Notifier, AirGap, Mirror |
| **WebService Only** | Authority, Gateway, Router, Platform, VexLens, VexHub, IssuerDirectory, BinaryIndex, AdvisoryAI, Symbols, ReachGraph, Attestor, Signer, SbomService, EvidenceLocker, ExportCenter, RiskEngine, VulnExplorer, Unknowns, Scheduler, Orchestrator, PacksRegistry, TimelineIndexer, Replay, Zastava, Registry |
| **Library** | Feedser, Provenance, Provcache, Notify, API, Cryptography, Telemetry, Graph, Signals, AOC |
| **CLI/Tool** | CLI, Benchmark, Bench, Tools |
@@ -142,7 +142,7 @@ The solution contains **46 top-level modules** in `src/`. The architecture docum
| Store | Modules |
|-------|---------|
| **PostgreSQL** | Authority, Concelier, Excititor, VexLens, VexHub, IssuerDirectory, Scanner, BinaryIndex, AdvisoryAI, Symbols, ReachGraph, Attestor, Signer, SbomService, Policy, RiskEngine, VulnExplorer, Unknowns, Scheduler, Orchestrator, TaskRunner, Notifier, PacksRegistry, TimelineIndexer, Replay, Zastava, Registry |
| **PostgreSQL** | Authority, Concelier, Excititor, VexLens, VexHub, IssuerDirectory, Scanner, BinaryIndex, AdvisoryAI, Symbols, ReachGraph, Attestor, Signer, SbomService, Policy, RiskEngine, VulnExplorer, Unknowns, Scheduler, Orchestrator, Notifier, PacksRegistry, TimelineIndexer, Replay, Zastava, Registry |
| **RustFS (S3)** | Scanner, Attestor, SbomService, EvidenceLocker, ExportCenter, AirGap, Mirror |
| **Valkey** | Gateway, Router, Scanner, Policy, Scheduler, Notifier (for queues/cache) |
| **Stateless** | Gateway, Platform, CLI, Web |

8
docs/technical/architecture/platform-topology.md
View File

@@ -97,10 +97,10 @@ SUPPORTING
┌─────────────────────────────────────────────────────────────────────┐
│ ORCHESTRATION & WORKFLOW │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ │ Scheduler │ │ Orchestrator │ │ TaskRunner │
│ │(Job Sched) │ │(Coordinator) │ │(Executor) │
│ └──────────────┘ └──────────────┘ └──────────────┘
│ ┌──────────────┐ ┌──────────────┐
│ │ Scheduler │ │ Orchestrator │
│ │(Job Sched) │ │(Coordinator) │
│ └──────────────┘ └──────────────┘
└─────────────────────────────────────────────────────────────────────┘

6
docs/technical/architecture/port-registry.md
View File

@@ -33,7 +33,7 @@ This page focuses on deterministic slot/port allocation and may include legacy o
| 15 | 10150 | 10151 | ~~Policy Gateway~~ (merged into Policy Engine, Slot 14) | `policy-gateway.stella-ops.local` -> `policy-engine.stella-ops.local` | _removed_ | _removed_ |
| 16 | 10160 | 10161 | RiskEngine | `riskengine.stella-ops.local` | `src/Findings/StellaOps.RiskEngine.WebService` | `STELLAOPS_RISKENGINE_URL` |
| 17 | 10170 | 10171 | ~~Orchestrator~~ (retired; audit/first-signal moved to Release Orchestrator, Slot 48) | `jobengine.stella-ops.local` | _removed_ | _removed_ |
| 18 | 10180 | 10181 | TaskRunner | `taskrunner.stella-ops.local` | `src/JobEngine/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService` | `STELLAOPS_TASKRUNNER_URL` |
| 18 | 10180 | 10181 | ~~TaskRunner~~ (removed) | `taskrunner.stella-ops.local` | _removed_ | _removed_ |
| 19 | 10190 | 10191 | Scheduler | `scheduler.stella-ops.local` | `src/JobEngine/StellaOps.Scheduler.WebService` | `STELLAOPS_SCHEDULER_URL` |
| 20 | 10200 | 10201 | Graph API | `graph.stella-ops.local` | `src/Graph/StellaOps.Graph.Api` | `STELLAOPS_GRAPH_URL` |
| 21 | 10210 | 10211 | Cartographer | `cartographer.stella-ops.local` | `src/Scanner/StellaOps.Scanner.Cartographer` | `STELLAOPS_CARTOGRAPHER_URL` |
@@ -76,7 +76,7 @@ Worker services associated with a web service use ports offset by +2/+3 from the
| 10062 | 10063 | EvidenceLocker Worker | `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker` |
| 10162 | 10163 | RiskEngine Worker | `src/Findings/StellaOps.RiskEngine.Worker` |
| 10172 | 10173 | Orchestrator Worker | `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.Worker` |
| 10182 | 10183 | TaskRunner Worker | `src/JobEngine/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker` |
| 10182 | 10183 | ~~TaskRunner Worker~~ (removed) | _removed_ |
| 10232 | 10233 | TimelineIndexer Worker | `src/Timeline/StellaOps.TimelineIndexer.Worker` |
| 10282 | 10283 | Notifier Worker | `src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Worker` |
| 10342 | 10343 | PacksRegistry Worker | `src/JobEngine/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker` |
@@ -128,7 +128,7 @@ Add the following to your hosts file (`C:\Windows\System32\drivers\etc\hosts` on
127.1.0.14 policy-gateway.stella-ops.local # alias -> policy-engine (merged)
127.1.0.16 riskengine.stella-ops.local
127.1.0.17 jobengine.stella-ops.local
127.1.0.18 taskrunner.stella-ops.local
# 127.1.0.18 taskrunner.stella-ops.local # REMOVED
127.1.0.19 scheduler.stella-ops.local
127.1.0.20 graph.stella-ops.local
127.1.0.21 cartographer.stella-ops.local

2
docs/technical/architecture/webservice-catalog.md
View File

@@ -35,7 +35,7 @@ This page is the source-of-truth inventory for Stella Ops `*.WebService` runtime
| JobEngine | JobEngine | `jobengine.stella-ops.local` | Release orchestration, approvals, DAG/workflow APIs. | postgres | `src/JobEngine/StellaOps.JobEngine/StellaOps.JobEngine.WebService` | `src/JobEngine` |
| JobEngine | PacksRegistry | `packsregistry.stella-ops.local` | Pack/provenance/attestation registry APIs. | postgres + seed-fs object payloads | `src/JobEngine/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService` | `src/JobEngine` |
| JobEngine | Scheduler | `scheduler.stella-ops.local` | Schedule/run planning and event APIs. | postgres | `src/JobEngine/StellaOps.Scheduler.WebService` | `src/JobEngine` |
| JobEngine | TaskRunner | `taskrunner.stella-ops.local` | Task execution, run state/log, approval, and artifact APIs. | postgres + seed-fs object payloads | `src/JobEngine/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService` | `src/JobEngine` |
| Notify | Notify | `notify.stella-ops.local` | Notification rule/channel/template, delivery, escalation, incident, and simulation APIs (merged from Notifier). | postgres | `src/Notify/StellaOps.Notify.WebService` | `src/Notify` |
| Platform | Platform | `platform.stella-ops.local` | Console aggregation, setup, admin, and read-model APIs. | postgres | `src/Platform/StellaOps.Platform.WebService` | `src/Platform` |
| ReachGraph | ReachGraph | `reachgraph.stella-ops.local` | Reachability graph and CVE mapping APIs. | postgres | `src/ReachGraph/StellaOps.ReachGraph.WebService` | `src/ReachGraph` |

2
docs/technical/cicd/path-filters.md
View File

@@ -199,7 +199,7 @@ Each module has defined source and test paths:
| Module | Source Paths | Test Paths |
|--------|--------------|------------|
| JobEngine (includes Scheduler, TaskRunner, PacksRegistry) | `src/JobEngine/**` | `src/JobEngine/__Tests/**` |
| JobEngine (includes Scheduler, PacksRegistry) | `src/JobEngine/**` | `src/JobEngine/__Tests/**` |
| Notify | `src/Notify/**` | `src/Notify/__Tests/**` |
| Notifier | `src/Notifier/**` | `src/Notifier/__Tests/**` |
| Timeline (includes TimelineIndexer) | `src/Timeline/**` | `src/Timeline/__Tests/**` |