stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

feat: add PolicyPackSelectorComponent with tests and integration

Browse Source 
- Implemented PolicyPackSelectorComponent for selecting policy packs.
- Added unit tests for component behavior, including API success and error handling.
- Introduced monaco-workers type declarations for editor workers.
- Created acceptance tests for guardrails with stubs for AT1–AT10.
- Established SCA Failure Catalogue Fixtures for regression testing.
- Developed plugin determinism harness with stubs for PL1–PL10.
- Added scripts for evidence upload and verification processes.
This commit is contained in:
StellaOps Bot
2025-12-05 21:24:34 +02:00
parent 347c88342c
commit 18d87c64c5
220 changed files with 7700 additions and 518 deletions
Download Patch File Download Diff File Expand all files Collapse all files

148
docs/implplan/BLOCKED_DEPENDENCY_TREE.md
View File

@@ -1,6 +1,6 @@
# BLOCKED Tasks Dependency Tree
> **Last Updated:** 2025-12-05 (13 specs + 3 implementations = ~84+ tasks unblocked)
> **Last Updated:** 2025-12-06 (post Md.IX sync; 13 specs + 3 implementations = ~84+ tasks unblocked)
> **Last Updated:** 2025-12-06 (post Md.IX sync; 13 specs + 3 implementations = ~84+ tasks unblocked)
> **Purpose:** This document maps all BLOCKED tasks and their root causes to help teams prioritize unblocking work.
## How to Use This Document
@@ -201,6 +201,105 @@ attestor SDK transport contract (scanner analyzers ✅ COMPILE)
---
## 7. DOCS MD.IX (SPRINT_0309_0001_0009_docs_tasks_md_ix)
**Root Blocker:** `DOCS-RISK-67-002 draft (risk API)` (due 2025-12-09)
```
DOCS-RISK-67-002 draft missing
+-- DOCS-RISK-67-003 (risk UI docs)
+-- DOCS-RISK-67-004 (CLI risk guide)
+-- DOCS-RISK-68-001 (airgap risk bundles)
+-- DOCS-RISK-68-002 (AOC invariants update)
```
**Impact:** 4 docs tasks (risk chain)
**To Unblock:** API Guild to deliver DOCS-RISK-67-002 draft by 2025-12-09; Console Guild to provide UI captures/hashes by 2025-12-10.
---
**Root Blocker:** `Signals schema + UI overlay assets` (due 2025-12-09)
```
Signals schema/overlays missing
+-- DOCS-SIG-26-001 (reachability states/scores)
+-- DOCS-SIG-26-002 (callgraph formats)
+-- DOCS-SIG-26-003 (runtime facts)
+-- DOCS-SIG-26-004 (signals weighting)
+-- DOCS-SIG-26-005 (UI overlays)
+-- DOCS-SIG-26-006 (CLI reachability guide)
+-- DOCS-SIG-26-007 (API reference)
```
**Impact:** 7 docs tasks (signals chain)
**To Unblock:** Signals Guild + UI Guild to drop schema notes and overlay assets by 2025-12-09; Policy Guild to supply SPL weighting examples by 2025-12-10; DevEx/CLI Guild to share CLI recipes by 2025-12-12.
---
**Root Blocker:** `SDK generator sample outputs (TS/Python/Go/Java)` (due 2025-12-11)
```
SDK generator outputs pending
+-- DOCS-SDK-62-001 (SDK overview + language guides)
```
**Impact:** 1 docs task (+ downstream parity/CLI consumers)
**To Unblock:** SDK Generator Guild to deliver frozen samples by 2025-12-11.
**Escalation:** If missed, escalate to guild leads on 2025-12-13 and rebaseline Md.IX dates.
---
**Root Blocker:** `Export bundle shapes + hashing inputs` (due 2025-12-11)
```
Export bundle shapes pending
+-- DOCS-RISK-68-001 (airgap risk bundles guide)
+-- DOCS-RISK-68-002 (AOC invariants update)
```
**Impact:** 2 docs tasks
**To Unblock:** Export Guild to send bundle shapes + hash inputs by 2025-12-11.
**Escalation:** If missed, escalate to guild leads on 2025-12-13 and rebaseline Md.IX dates.
---
**Root Blocker:** `Security scope matrix + privacy controls` (due 2025-12-11)
```
Security scopes/privacy inputs pending
+-- DOCS-SEC-62-001 (auth scopes)
+-- DOCS-SEC-OBS-50-001 (redaction & privacy)
```
**Impact:** 2 docs tasks
**To Unblock:** Security Guild + Authority Core to provide scope matrix/tenancy header rules and privacy/opt-in debug guidance by 2025-12-11.
**Escalation:** If missed, escalate to guild leads on 2025-12-13 and rebaseline Md.IX dates.
---
**Root Blocker:** `Ops incident checklist` (due 2025-12-10)
```
Ops incident checklist missing
+-- DOCS-RUNBOOK-55-001 (incident runbook)
```
**Impact:** 1 docs task
**To Unblock:** Ops Guild to hand over activation/escalation/retention checklist by 2025-12-10.
**Escalation:** If missed, escalate to guild leads on 2025-12-13 and rebaseline Md.IX dates.
---
## 7. CONSOLE OBSERVABILITY DOCS (CONOBS5201)
**Root Blocker:** Observability Hub widget captures + deterministic sample payload hashes not delivered (Console Guild)
@@ -787,6 +886,51 @@ LEDGER-AIRGAP-56-002 staleness spec + AirGap time anchors
---
## 15. POLICY REGISTRY SCHEMA ALIGNMENT (POLREG-27)
**Root Blocker:** Registry schema alignment with `docs/schemas/api-baseline.schema.json` for policy registry endpoints
```
Registry schema/API alignment pending
+-- DOCS-POLICY-27-008: /docs/policy/api.md
+-- DOCS-POLICY-27-009: /docs/security/policy-attestations.md
+-- DOCS-POLICY-27-010: /docs/modules/policy/registry-architecture.md
+-- DOCS-POLICY-27-011: /docs/observability/policy-telemetry.md
+-- DOCS-POLICY-27-012: /docs/runbooks/policy-incident.md
+-- DOCS-POLICY-27-013: /docs/examples/policy-templates.md
+-- DOCS-POLICY-27-014: /docs/aoc/aoc-guardrails.md
```
**Impact:** 7 policy documentation tasks (Md.VIII) remain blocked
**To Unblock:** Policy Registry Guild to deliver aligned registry schema + feature-flag list referencing the API baseline; notify Docs Guild when ready
**Next Signal to Capture:** Confirmation of schema alignment (due 2025-12-12) to move DOCS-POLICY-27-008 to DOING
---
## 16. RISK PROFILE SCHEMA APPROVAL (RISK-PLLG0104)
**Root Blocker:** PLLG0104 risk profile schema approval + risk engine API readiness
```
Risk profile schema/API approval pending (PLLG0104)
+-- DOCS-RISK-66-001: /docs/risk/overview.md
+-- DOCS-RISK-66-002: /docs/risk/profiles.md
+-- DOCS-RISK-66-003: /docs/risk/factors.md
+-- DOCS-RISK-66-004: /docs/risk/formulas.md
+-- DOCS-RISK-67-001: /docs/risk/explainability.md
+-- DOCS-RISK-67-002: /docs/risk/api.md
```
**Impact:** 6 risk documentation tasks (Md.VIII) blocked awaiting schema/API artifacts and UI telemetry captures
**To Unblock:** PLLG0104 to approve schema; Risk Engine Guild to provide API payload samples + telemetry artifacts; Docs Guild to start outlines immediately after approval
**Next Signal to Capture:** PLLG0104 approval and sample payloads (due 2025-12-13) to move DOCS-RISK-66-001/002 to DOING
---
## Summary Statistics
| Root Blocker Category | Root Blockers | Downstream Tasks |

41
docs/implplan/SPRINT_0140_0001_0001_runtime_signals.md
View File

@@ -29,8 +29,8 @@
| P1 | PREP-140-D-ZASTAVA-WAVE-WAITING-ON-SURFACE-FS | DONE (2025-11-20) | Due 2025-11-22 · Accountable: Zastava Observer/Webhook Guilds · Surface Guild | Zastava Observer/Webhook Guilds · Surface Guild | Prep artefact published at `docs/modules/zastava/prep/2025-11-20-surface-fs-env-prep.md` (cache drop cadence, env helper ownership, DSSE requirements). |
| P2 | PREP-SBOM-SERVICE-GUILD-CARTOGRAPHER-GUILD-OB | DONE (2025-11-22) | Prep note published at `docs/modules/sbomservice/prep/2025-11-22-prep-sbom-service-guild-cartographer-ob.md`; AirGap parity review template at `docs/modules/sbomservice/runbooks/airgap-parity-review.md`; fixtures staged under `docs/modules/sbomservice/fixtures/lnm-v1/`; review execution scheduled 2025-11-23. | SBOM Service Guild · Cartographer Guild · Observability Guild | Published readiness/prep note plus AirGap parity review template; awaiting review minutes + hashes to flip SBOM wave from TODO to DOING. |
| 1 | 140.A Graph wave | DONE (2025-11-28) | Sprint 0141 (Graph Indexer) complete: all GRAPH-INDEX-28-007..010 tasks DONE. | Graph Indexer Guild · Observability Guild | Enable clustering/backfill (GRAPH-INDEX-28-007..010) against mock bundle; revalidate once real cache lands. |
| 2 | 140.B SBOM Service wave | DOING (2025-11-28) | Sprint 0142 mostly complete: SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002, SBOM-ORCH-32/33/34-001, SBOM-VULN-29-001/002 all DONE. Only SBOM-CONSOLE-23-001/002 remain BLOCKED. | SBOM Service Guild · Cartographer Guild | Finalize projection schema, emit change events, and wire orchestrator/observability (SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002). |
| 3 | 140.C Signals wave | DOING (2025-11-28) | Sprint 0143: SIGNALS-24-001/002/003 DONE; SIGNALS-24-004/005 remain BLOCKED on CAS promotion. | Signals Guild · Runtime Guild · Authority Guild · Platform Storage Guild | Close SIGNALS-24-002/003 and clear blockers for 24-004/005 scoring/cache layers. |
| 2 | 140.B SBOM Service wave | DONE (2025-12-05) | Sprint 0142 complete: SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002, SBOM-ORCH-32/33/34-001, SBOM-VULN-29-001/002, SBOM-CONSOLE-23-001/002, SBOM-CONSOLE-23-101-STORAGE all DONE. | SBOM Service Guild · Cartographer Guild | Finalize projection schema, emit change events, and wire orchestrator/observability (SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002). |
| 3 | 140.C Signals wave | BLOCKED (2025-12-05) | CAS promotion + provenance appendix overdue; SIGNALS-24-002/003 cannot proceed until Storage approval + provenance freeze. | Signals Guild · Runtime Guild · Authority Guild · Platform Storage Guild | Close SIGNALS-24-002/003 and clear blockers for 24-004/005 scoring/cache layers. |
| 4 | 140.D Zastava wave | DONE (2025-11-28) | Sprint 0144 (Zastava Runtime Signals) complete: all ZASTAVA-ENV/SECRETS/SURFACE tasks DONE. | Zastava Observer/Webhook Guilds · Surface Guild | Prepare env/secret helpers and admission hooks; start once cache endpoints and helpers are published. |
| 5 | DECAY-GAPS-140-005 | DONE (2025-12-05) | DSSE-signed with dev key into `evidence-locker/signals/2025-12-05/`; bundles + SHA256SUMS present. | Signals Guild · Product Mgmt | Address decay gaps U1U10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed `confidence_decay_config` (τ governance, floor/freeze/SLA clamps), weighted signals taxonomy, UTC/monotonic time rules, deterministic recompute cadence + checksum, uncertainty linkage, migration/backfill plan, API fields/bands, and observability/alerts. |
| 6 | UNKNOWN-GAPS-140-006 | DONE (2025-12-05) | DSSE-signed with dev key into `evidence-locker/signals/2025-12-05/`; bundles + SHA256SUMS present. | Signals Guild · Policy Guild · Product Mgmt | Address unknowns gaps UN1UN10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed Unknowns registry schema + scoring manifest (deterministic), decay policy catalog, evidence/provenance capture, SBOM/VEX linkage, SLA/suppression rules, API/CLI contracts, observability/reporting, offline bundle inclusion, and migration/backfill. |
@@ -41,9 +41,23 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-05 | SBOM wave 140.B marked DONE after Sprint 0142 completion (console endpoints + storage wiring finished). | Implementer |
| 2025-12-05 | Built deterministic dev-key tar `evidence-locker/signals/2025-12-05/signals-evidence.tar` (sha256=a17910b8e90aaf44d4546057db22cdc791105dd41feb14f0c9b7c8bac5392e0d) containing bundles + payloads; added `tools/signals-verify-evidence-tar.sh` (hash + inner SHA check). Production re-sign still pending Alice Carter key/CI secret. | Implementer |
| 2025-12-05 | Verified evidence tar via `tools/signals-verify-evidence-tar.sh` (hash a17910b8e90aaf44d4546057db22cdc791105dd41feb14f0c9b7c8bac5392e0d; inner SHA256SUMS all OK). | Implementer |
| 2025-12-05 | Added CI helper `.gitea/workflows/signals-evidence-locker.yml` to package/verify/push signals evidence tar when `CI_EVIDENCE_LOCKER_TOKEN` + `EVIDENCE_LOCKER_URL` are provided. | Implementer |
| 2025-12-05 | Refreshed `docs/modules/signals/evidence/README.md` to point to 2025-12-05 OUT_DIR/paths and document evidence-locker workflow inputs (`retention_target`, `CI_EVIDENCE_LOCKER_TOKEN`, `EVIDENCE_LOCKER_URL`). | Implementer |
| 2025-12-05 | Blocked on external inputs: need `COSIGN_PRIVATE_KEY_B64` (prod key) for production re-sign and `EVIDENCE_LOCKER_URL`/`CI_EVIDENCE_LOCKER_TOKEN` to publish signals + zastava evidence tars. No further repo work pending until creds arrive. | Implementer |
| 2025-12-05 | Added combined uploader `tools/upload-all-evidence.sh` to push signals and zastava tars together once locker creds land. | Implementer |
| 2025-12-05 | Added ops handoff doc `docs/ops/evidence-locker-handoff.md` summarizing hashes, required secrets, and upload/re-sign commands. | Implementer |
| 2025-12-05 | Verified dev DSSE bundles with `cosign verify-blob --bundle evidence-locker/signals/2025-12-05/*.sigstore.json --key tools/cosign/cosign.dev.pub` (all OK). Production re-sign still required once Alice Carter key arrives. | Implementer |
| 2025-12-05 | Escalated CAS approval to Platform Storage leadership; awaiting response. Mark SIGNALS-24-002 as BLOCKED pending approval outcome. | Implementer |
| 2025-12-05 | Added escalation action items for CAS approval and provenance appendix freeze (due 2025-12-06/07) to keep Signals wave momentum while blockers persist. | Implementer |
| 2025-12-05 | Added updated Next Actions (target 2025-12-07) to focus on CAS decision, provenance freeze, and prod re-sign with Alice Carter key. | Implementer |
| 2025-12-05 | Marked 140.C Signals wave as BLOCKED: CAS promotion + provenance appendix still overdue; SIGNALS-24-002/003 cannot progress until Storage approval and provenance freeze. | Implementer |
| 2025-12-05 | Ran `tools/cosign/sign-signals.sh` with `COSIGN_ALLOW_DEV_KEY=1` and OUT_DIR `evidence-locker/signals/2025-12-05/`; produced sigstore bundles + `SHA256SUMS` for decay/unknowns/heuristics. Tlog disabled; key `tools/cosign/cosign.dev.key` (password `stellaops-dev`). | Implementer |
| 2025-12-04 | Created `.gitea/workflows/signals-dsse-sign.yml` CI workflow for automated DSSE signing. Requires `COSIGN_PRIVATE_KEY_B64` and optional `COSIGN_PASSWORD` secrets. Workflow triggers on push to main (signals paths) or manual dispatch. Updated `tools/cosign/README.md` and `docs/modules/signals/evidence/README.md` with CI setup instructions. Dev key (`tools/cosign/cosign.dev.key`) verified working for local testing with `COSIGN_ALLOW_DEV_KEY=1`. Production signing unblocked once CI secrets are configured. | Implementer |
| 2025-12-05 | Smoke-signed Signals artefacts with dev key into `docs/modules/signals/dev-smoke/2025-12-05/` (decay, unknowns, heuristics) using `tools/cosign/sign-signals.sh`; tlog disabled. Production DSSE still pending Alice Carter key. | Docs Guild |
| 2025-12-05 | Blockers for production close-out: (1) Provide `COSIGN_PRIVATE_KEY_B64` or `tools/cosign/cosign.key` for production DSSE (decay/unknowns/heuristics). (2) Console observability/forensics assets + hashes. (3) Exception lifecycle/routing/API/UI/CLI contracts + assets. (4) Excititor chunk API pinned spec + samples + hashes. (5) DevPortal SDK Wave B snippets + hashes. (6) Graph demo observability exports + hashes. Agents can proceed once inputs arrive. | Project Mgmt |
| 2025-12-05 | Ran `tools/cosign/sign-signals.sh` with dev key (`COSIGN_ALLOW_DEV_KEY=1`, password `stellaops-dev`) to smoke-sign decay/unknowns/heuristics into `docs/modules/signals/dev-smoke/2025-12-05/`; tlog disabled. Production DSSE still pending Alice Carter key/CI secret. | Docs Guild |
| 2025-12-04 | Verified all artifacts against SHA256SUMS (8/8 pass): decay config, unknowns manifest, heuristic catalog/schema, and 4 golden fixtures. Documentation complete for U1U10, UN1UN10, UT1UT10. Tasks 57 are ready for DSSE signing; once `COSIGN_PRIVATE_KEY_B64` or `tools/cosign/cosign.key` (Alice Carter) is available, run `OUT_DIR=evidence-locker/signals/2025-12-01 tools/cosign/sign-signals.sh` to complete. | Implementer |
| 2025-12-04 | Ran `tools/cosign/sign-signals.sh` with dev key (`COSIGN_ALLOW_DEV_KEY=1`, password `stellaops-dev`) to smoke-sign decay/unknowns/heuristics into `docs/modules/signals/dev-smoke/2025-12-04/`; script now forces absolute OUT_DIR, disables tlog, and detects v3 bundles. DSSE deliverables remain BLOCKED pending Alice Carter key/CI secret. | Implementer |
@@ -94,7 +108,7 @@
- SBOM runtime/signals prep note published at `docs/modules/sbomservice/prep/2025-11-22-prep-sbom-service-guild-cartographer-ob.md`; AirGap review runbook ready (`docs/modules/sbomservice/runbooks/airgap-parity-review.md`). Wave moves to TODO pending review completion and fixture hash upload.
- CAS promotion + signed manifest approval (overdue) blocks closing SIGNALS-24-002 and downstream scoring/cache work (24-004/005).
- Cosign v3.0.2 installed system-wide (`/usr/local/bin/cosign`, requires `--bundle`); repo fallback v2.6.0 at `tools/cosign/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`). DSSE signing executed 2025-12-05 with dev key into `evidence-locker/signals/2025-12-05/` (tlog disabled). Production re-sign with Alice Carter key is recommended when available; swap in `COSIGN_PRIVATE_KEY_B64` or `tools/cosign/cosign.key` and rerun helper if Evidence Locker requires prod trust roots.
- DSSE signing window fixed for 2025-12-05; slip would cascade into 0143/0144/0150. Ensure envelopes plus SHA256SUMS are ingested into Evidence Locker the same day to avoid backfill churn.
- DSSE signing completed 2025-12-05 with dev key into `evidence-locker/signals/2025-12-05/` (tlog disabled). Re-sign with Alice Carter production key when provided to align Evidence Locker trust roots; helper supports rerun via `COSIGN_PRIVATE_KEY_B64` or `tools/cosign/cosign.key`.
- Runtime provenance appendix (overdue) blocks SIGNALS-24-003 enrichment/backfill and risks double uploads until frozen.
- Surface.FS cache drop timeline (overdue) and Surface.Env owner assignment keep Zastava env/secret/admission tasks blocked.
- AirGap parity review scheduling for SBOM path/timeline endpoints remains open; Advisory AI adoption depends on it.
@@ -117,8 +131,10 @@
| 2025-11-23 | AirGap parity review (SBOM paths/versions/events) | Run review using `docs/modules/sbomservice/runbooks/airgap-parity-review.md`; record minutes and link fixtures hash list. | Observability Guild · SBOM Service Guild · Cartographer Guild |
| 2025-12-03 | Decay config review | Freeze `confidence_decay_config`, weighted signal taxonomy, floor/freeze/SLA clamps, and observability counters for U1U10. | Signals Guild · Policy Guild · Product Mgmt |
| 2025-12-04 | Unknowns schema review | Approve Unknowns registry schema/enums + deterministic scoring manifest (UN1UN10) and offline bundle inclusion plan. | Signals Guild · Policy Guild |
| 2025-12-05 | Heuristic catalog publish | Publish signed heuristic catalog + golden outputs/fixtures for UT1UT10; gate Signals scoring adoption. | Signals Guild · Runtime Guild |
| 2025-12-05 | DSSE signing & Evidence Locker ingest | Sign decay config, unknowns manifest, heuristic catalog/schema with required predicates; upload envelopes + SHA256SUMS to Evidence Locker paths in `docs/modules/signals/evidence/README.md`. | Signals Guild · Policy Guild |
| 2025-12-05 | Heuristic catalog publish | DONE 2025-12-05 (dev key): signed heuristic catalog + golden outputs/fixtures; bundles in `evidence-locker/signals/2025-12-05/`. | Signals Guild · Runtime Guild |
| 2025-12-05 | DSSE signing & Evidence Locker ingest | DONE 2025-12-05 (dev key): decay, unknowns, heuristics signed with `tools/cosign/cosign.dev.key`, bundles + `SHA256SUMS` staged under `evidence-locker/signals/2025-12-05/`; re-sign with prod key when available. | Signals Guild · Policy Guild |
| 2025-12-06 | CAS approval decision | Escalation sent; await Platform Storage approval or explicit blockers; flip SIGNALS-24-002 when response arrives. | Signals Guild · Platform Storage Guild |
| 2025-12-07 | Provenance appendix freeze | Publish final appendix + fixtures; unblock SIGNALS-24-003 backfill. | Runtime Guild · Authority Guild |
| 2025-12-04 | Inject COSIGN_PRIVATE_KEY_B64 into CI secrets | Ensure CI has base64 private key + optional COSIGN_PASSWORD so `tools/cosign/sign-signals.sh` can run in pipelines before 2025-12-05 signing window. | Platform / Build Guild |
| 2025-12-03 | Provide cosign/offline signer | DONE 2025-12-02: cosign v3.0.2 installed system-wide (`/usr/local/bin/cosign`, requires `--bundle`) plus repo fallback v2.6.0 at `tools/cosign/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`). Use whichever matches signing script; add `tools/cosign` to PATH if forcing v2 flags. | Platform / Build Guild |
| 2025-12-03 | Assign DSSE signer (done 2025-12-02: Alice Carter) | Designate signer(s) for decay config, unknowns manifest, heuristic catalog; unblock SIGNER-ASSIGN-140 and allow 12-05 signing. | Signals Guild · Policy Guild |
@@ -301,10 +317,14 @@ This file now only tracks the runtime & signals status snapshot. Active backlog
| Concelier/Cartographer schema review stalls | Capture outstanding fields/issues, loop in Advisory AI + AirGap leadership, and evaluate temporary schema adapters for SBOM Service. | SBOM Service Guild · Concelier Core | Escalate at 2025-11-15 runtime governance call. |
| Surface.Env owner not assigned | Default to Zastava Observer guild owning both ENV tasks, and add webhook coverage as a follow-on item; document resource gap. | Surface Guild · Zastava Observer Guild | Escalate by 2025-11-16. |
## Action item tracker (status as of 2025-11-18)
## Action item tracker (status as of 2025-12-05)
| Item | Status | Next step | Owner(s) | Due |
| --- | --- | --- | --- | --- |
| Prod DSSE re-sign (Signals gaps) | TODO | Provide Alice Carter production key via `COSIGN_PRIVATE_KEY_B64` or `tools/cosign/cosign.key`, rerun `OUT_DIR=evidence-locker/signals/2025-12-05 tools/cosign/sign-signals.sh` to replace dev bundles; upload refreshed SHA256SUMS. | Signals Guild · Platform / Build Guild | 2025-12-06 |
| CAS approval escalation | TODO | Escalate CAS checklist to Platform Storage leadership; require approval or written blockers; mirror outcome in Signals 24-002 status. | Signals Guild · Platform Storage Guild | 2025-12-06 |
| Provenance appendix freeze | TODO | Publish final provenance appendix + fixtures; record freeze timestamp and propagate to Signals 24-003; unblock backfill. | Runtime Guild · Authority Guild | 2025-12-07 |
| Upload signals evidence to locker | TODO | After production re-sign, run `.gitea/workflows/signals-evidence-locker.yml` or `tools/signals-verify-evidence-tar.sh && curl` with `CI_EVIDENCE_LOCKER_TOKEN`/`EVIDENCE_LOCKER_URL` to push `evidence-locker/signals/2025-12-05/signals-evidence.tar`. | Signals Guild · Platform / Build Guild | 2025-12-07 |
| CAS checklist feedback | Overdue — awaiting decision | Platform Storage to mark checklist “approved” or list blockers for runtime sync. | Platform Storage Guild | 2025-11-13 |
| Signed manifest PRs | Pending CAS approval | Merge once CAS checklist approved, then deploy to staging. | Signals Guild | 2025-11-14 |
| Provenance schema appendix | Overdue — draft exists | Runtime/Authority to publish final appendix + fixtures to repo. | Runtime Guild · Authority Guild | 2025-11-13 |
@@ -343,6 +363,14 @@ This file now only tracks the runtime & signals status snapshot. Active backlog
| Scanner Guild | Publish surface cache ETA/hash and manifests; unblock Graph revalidation and Zastava Surface tasks. |
| Zastava Guilds | Assign Surface.Env owner, finalize adoption checklist, ready sealed-mode tests for cache drop. |
# Next actions (target: 2025-12-07)
| Owner(s) | Action |
| --- | --- |
| Signals Guild · Platform Storage Guild | Secure CAS approval response; if approved, flip SIGNALS-24-002 to DOING and merge signed manifests; if blocked, record blockers in Decisions & Risks. |
| Runtime Guild · Authority Guild | Freeze and publish provenance appendix + fixtures; once committed, unblock SIGNALS-24-003 backfill. |
| Signals Guild · Platform / Build Guild | Re-sign evidence bundles with Alice Carter production key via `COSIGN_PRIVATE_KEY_B64` or `tools/cosign/cosign.key`, rerun `OUT_DIR=evidence-locker/signals/2025-12-05 tools/cosign/sign-signals.sh`, refresh SHA256SUMS. |
# Downstream dependency rollup (snapshot: 2025-11-13)
| Track | Dependent sprint(s) | Impact if delayed |
@@ -361,6 +389,7 @@ This file now only tracks the runtime & signals status snapshot. Active backlog
| CAS promotion approval (overdue) | SIGNALS-24-002 cannot close; scoring/cache remain blocked | Signals Guild · Platform Storage — secure CAS checklist approval, merge signed manifest PRs, enable alerts. |
| Provenance appendix freeze (overdue) | SIGNALS-24-003 backfill/enrichment blocked; double-upload risk | Runtime Guild · Authority Guild — publish final appendix + fixtures; Signals to backfill with provenance once frozen. |
| Surface.FS cache drop + Surface.Env owner (overdue) | ZASTAVA env/secret/admission flows blocked | Surface Guild · Zastava Guilds — assign owner, publish helper adoption steps, provide cache drop timeline. |
| Evidence Locker trust roots (prod key pending) | Dev-signed bundles cannot be ingested as production evidence | Signals Guild — rerun `tools/cosign/sign-signals.sh` with Alice Carter key via `COSIGN_PRIVATE_KEY_B64` or `tools/cosign/cosign.key`; replace bundles in `evidence-locker/signals/2025-12-05/`. |
# Coordination log

19
docs/implplan/SPRINT_0143_0000_0001_signals.md
View File

@@ -30,9 +30,24 @@
| 4 | SIGNALS-24-004 | DONE (2025-11-17) | Scoring weights now configurable; runtime ingestion auto-triggers recompute into `reachability_facts`. | Signals Guild, Data Science | Deliver reachability scoring engine producing states/scores and writing to `reachability_facts`; expose configuration for weights. |
| 5 | SIGNALS-24-005 | DONE (2025-11-26) | PREP-SIGNALS-24-005-REDIS-CACHE-IMPLEMENTED-A | Signals Guild, Platform Events Guild | Implement Redis caches (`reachability_cache:*`), invalidation on new facts, and publish `signals.fact.updated` events. |
## Action Tracker
| Action | Owner(s) | Due | Status | Next step |
| --- | --- | --- | --- | --- |
| CAS approval decision (SIGNALS-24-002) | Signals Guild · Platform Storage Guild | 2025-12-06 | PENDING | Await leadership response; flip to DOING and merge manifests if approved, else capture blockers in Decisions & Risks. |
| Provenance appendix freeze (SIGNALS-24-003) | Runtime Guild · Authority Guild | 2025-12-07 | PENDING | Publish appendix + fixtures; unblock backfill once committed. |
| Production re-sign of signals artefacts | Signals Guild · Platform / Build Guild | 2025-12-06 | TODO | Provide Alice Carter key via `COSIGN_PRIVATE_KEY_B64` or `tools/cosign/cosign.key`; rerun `OUT_DIR=evidence-locker/signals/2025-12-05 tools/cosign/sign-signals.sh`; refresh SHA256SUMS. |
| Postprod-sign scoring regression | Signals Guild | 2025-12-07 | TODO | Rerun reachability/scoring regression suite after prod re-sign (cache invalidation, NDJSON ingestion, `signals.fact.updated` payloads). |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-05 | DSSE dev-signing available from Sprint 0140: decay/unknowns/heuristics bundles staged under `evidence-locker/signals/2025-12-05/` (dev key, tlog off). Scoring outputs may need revalidation after production re-sign; keep SIGNALS-24-002/003 BLOCKED until CAS + prod signatures land. | Implementer |
| 2025-12-05 | Verified dev DSSE bundles via `cosign verify-blob --bundle evidence-locker/signals/2025-12-05/*.sigstore.json --key tools/cosign/cosign.dev.pub` (all OK). Pending production re-sign once Alice Carter key available. | Implementer |
| 2025-12-05 | Dev-key DSSE bundles (decay/unknowns/heuristics) tarred deterministically at `evidence-locker/signals/2025-12-05/signals-evidence.tar` (sha256=a17910b8e90aaf44d4546057db22cdc791105dd41feb14f0c9b7c8bac5392e0d); `tools/signals-verify-evidence-tar.sh` added. Production re-sign still pending Alice Carter key/CI secret. | Project Mgmt |
| 2025-12-05 | Added CI workflow `signals-evidence-locker.yml` and local uploader `tools/signals-upload-evidence.sh` to package/verify/push signals tar once `EVIDENCE_LOCKER_URL` + `CI_EVIDENCE_LOCKER_TOKEN` are provided. | Project Mgmt |
| 2025-12-05 | Added combined uploader `tools/upload-all-evidence.sh` (signals + zastava) to simplify locker push once creds land. | Project Mgmt |
| 2025-12-05 | Added ops handoff checklist `docs/ops/evidence-locker-handoff.md` (hashes, commands, required secrets, prod re-sign steps). | Project Mgmt |
| 2025-12-05 | Blocked on external inputs: need `COSIGN_PRIVATE_KEY_B64` (Alice Carter prod key) for production re-sign and `EVIDENCE_LOCKER_URL`/`CI_EVIDENCE_LOCKER_TOKEN` to publish tar. No further repo work pending until creds arrive. | Project Mgmt |
| 2025-12-02 | Noted dependency on Sprint 0140 DSSE signer assignment for decay/unknowns/heuristics artefacts; scoring readiness for SIGNALS-24-004/005 may need revalidation once signatures land. No status change. | Project Mgmt |
| 2025-11-26 | Enriched `signals.fact.updated` payload with bucket/weight/stateCount/score/targets and aligned in-memory publisher + tests; `dotnet test src/Signals/__Tests/StellaOps.Signals.Tests/StellaOps.Signals.Tests.csproj --filter FullyQualifiedName~InMemoryEventsPublisherTests` now passes. | Implementer |
| 2025-11-20 | Published `docs/signals/events-24-005.md` event-bus contract (topic, envelope, retry/DLQ); marked PREP-SIGNALS-24-005 DONE and moved SIGNALS-24-005 to TODO. | Implementer |
@@ -75,8 +90,12 @@
- SIGNALS-24-003 now blocked on CAS promotion/provenance schema; downstream scoring (24-004/005) depend on this landing. Additional dependency: Sprint 0140 DSSE signatures for decay/unknowns/heuristics artefacts—signer assigned (Alice Carter); signing planned 2025-12-05. Revalidate 24-004/005 outputs if signing slips.
- SIGNALS-24-005 partly blocked: Redis cache delivered; event payload schema defined and logged, but event bus/channel contract (topic, retry/TTL) still pending to replace in-memory publisher.
- Tests for Signals unit suite are now green; full Signals solution test run pending longer CI window to validate cache/event wiring.
- Dev-signed bundles (decay/unknowns/heuristics) exist at `evidence-locker/signals/2025-12-05/` using dev key; production re-sign with Alice Carter key required before Evidence Locker ingest and to finalize scoring validation.
- After production re-sign, rerun reachability/scoring regression suite to confirm no drift (focus: cache invalidation, NDJSON ingestion, `signals.fact.updated` payload contract).
## Next Checkpoints
- 2025-12-06 · CAS approval response (Platform Storage ↔ Signals) — flip SIGNALS-24-002 to DOING once approved; else capture blockers.
- 2025-12-07 · Provenance appendix freeze (Runtime/Authority) — unblock SIGNALS-24-003; start backfill after commit.
- Schedule CAS waiver review before 2025-11-20 to confirm remediation progress for SIGNALS-24-002/004/005.
- Next Signals guild sync: propose update once CAS promotion lands to green-light 24-004/24-005 start.
- 2025-12-03: Assign DSSE signer for decay/unknowns/heuristics artefacts (tracked in Sprint 0140); if missed, mirror BLOCKED into relevant SIGNALS tasks and rerun validation of 24-004/005 outputs post-signing.

6
docs/implplan/SPRINT_0144_0001_0001_zastava_runtime_signals.md
View File

@@ -37,6 +37,11 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-05 | Verified `evidence-locker/zastava/2025-12-02/zastava-evidence.tar` with `tools/zastava-verify-evidence-tar.sh` (all DSSE + payload hashes OK). Upload still pending locker creds. | Zastava Guild |
| 2025-12-05 | Rebuilt evidence tar to include payloads + DSSE with deterministic flags; new hash `e1d67424273828c48e9bf5b495a96c2ebcaf1ef2c308f60d8b9c62b8a1b735ae`. Added `tools/zastava-verify-evidence-tar.sh` for hash+SHA verification; script passes. Upload still pending locker creds. | Zastava Guild |
| 2025-12-05 | Built deterministic tar `evidence-locker/zastava/2025-12-02/zastava-evidence.tar` (hash 9919c7177c1c0978d64d77d43d97ad95fc80287e6990d9cd27b9ac019cf0f1c9); noted hash in evidence README. `kit/verify.sh` re-run and passing after README update. Upload still waiting on locker credentials. | Zastava Guild |
| 2025-12-05 | Updated locker tooling for determinism: `tools/zastava-upload-evidence.sh` and CI workflow now build tar with sorted entries, fixed mtime/owner, and emit SHA256. Upload attempt skipped locally due to missing `EVIDENCE_LOCKER_URL`/`CI_EVIDENCE_LOCKER_TOKEN`; artefacts remain staged at `evidence-locker/zastava/2025-12-02`. | Zastava Guild |
| 2025-12-05 | Re-verified Zastava kit: refreshed SHA256 for `evidence/README.md`, ran `kit/verify.sh` (hash + DSSE checks) — all artefacts OK with keyid mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc. Locker upload still pending token. | Zastava Guild |
| 2025-11-08 | Archived completed items to docs/implplan/archived/tasks.md. | Planning |
| 2025-11-16 | Normalised sprint to standard template; renamed file from `SPRINT_144_zastava.md` to `SPRINT_0144_0001_0001_zastava_runtime_signals.md`. | Project Mgmt |
| 2025-11-16 | Started ZASTAVA-ENV-01 (Surface.Env adoption in Observer). | Zastava Observer |
@@ -88,6 +93,7 @@
- New advisory gaps (ZR1ZR10) addressed in remediation plan at `docs/modules/zastava/gaps/2025-12-02-zr-gaps.md`; schemas/thresholds/exports now DSSE-signed (ed25519 pub `mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc`) with hashes in `docs/modules/zastava/SHA256SUMS`; kit DSSE stored at `docs/modules/zastava/kit/zastava-kit.tzst.dsse` and verification via `kit/verify.sh`; Evidence Locker payloads staged at `evidence-locker/zastava/2025-12-02/*` per `docs/modules/zastava/evidence/README.md`.
- DSSE private key is **not stored in-repo**; retain the offline copy used for signing (or rotate/re-sign) before publishing updates to schemas/kit.
- CI locker upload requires an injected secret (e.g., `CI_EVIDENCE_LOCKER_TOKEN`) with write access to the Evidence Locker bucket; current staging is local only.
- 2025-12-05 verification: `kit/verify.sh` passes (hash + DSSE) after refreshing SHA256 for `evidence/README.md`; staged artefacts remain ready for locker push.
## Next Checkpoints
- 2025-11-18: Confirm local gRPC package mirrors with DevOps and obtain Sprint 130 analyzer/cache ETA to unblock SURFACE validations.

2
docs/implplan/SPRINT_0150_0001_0001_scheduling_automation.md
View File

@@ -63,7 +63,7 @@
| Sprint 0144 (Zastava 140.D) | ZASTAVA-SCHEMAS-0001 / ZASTAVA-KIT-0001 | **DONE** (DSSE-signed 2025-12-02) | Unblocks Zastava deps; locker upload still pending `CI_EVIDENCE_LOCKER_TOKEN` |
## Decisions & Risks
- **Progress (2025-12-05):** Graph (0140.A) DONE; Zastava schemas/thresholds/kit DSSE-signed on 2025-12-02 (keyid mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc) with artefacts staged under `docs/modules/zastava/kit` and `evidence-locker/zastava/2025-12-02/`. Signals wave (0140.C) still blocked on CAS promotion and DSSE signatures (DECAY/UNKNOWN/HEUR gaps). AirGap staleness (0120.A 56-002/57/58) and Scanner Java/Lang chain (0131 21-005..011) remain blockers, keeping all 150.* tasks BLOCKED.
- **Progress (2025-12-05):** Graph (0140.A) DONE; Zastava schemas/thresholds/kit DSSE-signed on 2025-12-02 (keyid mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc) with artefacts staged under `docs/modules/zastava/kit` and `evidence-locker/zastava/2025-12-02/`; deterministic tar rebuilt with payloads (`evidence-locker/zastava/2025-12-02/zastava-evidence.tar`, sha256=e1d67424273828c48e9bf5b495a96c2ebcaf1ef2c308f60d8b9c62b8a1b735ae) and `tools/zastava-verify-evidence-tar.sh` passing (hash + inner SHA). Signals wave (0140.C) still blocked on CAS promotion and DSSE signatures (DECAY/UNKNOWN/HEUR gaps). AirGap staleness (0120.A 56-002/57/58) and Scanner Java/Lang chain (0131 21-005..011) remain blockers, keeping all 150.* tasks BLOCKED.
- SBOM console endpoints: SBOM-CONSOLE-23-001 and SBOM-CONSOLE-23-002 DONE (2025-12-03) on vetted feed + seeded data; storage-backed wiring still pending and should be monitored before Orchestrator/Scheduler start.
- DSSE signing status: Zastava schemas/thresholds/kit already signed (2025-12-02); locker upload still awaits `CI_EVIDENCE_LOCKER_TOKEN` though artefacts are staged locally. Signals (0140.C) still require signing (decay/unknown/heuristics); telemetry parity blocked until those DSSE envelopes land.
- Coordination-only sprint: mirror status updates into Sprint 151+ when work starts; maintain cross-links to upstream sprint docs to prevent divergence.

8
docs/implplan/SPRINT_0157_0001_0001_taskrunner_i.md
View File

@@ -81,6 +81,14 @@
| 2025-11-19 | Added legacy-file redirect stub to prevent divergent updates. | Implementer |
| 2025-11-30 | TaskRunner contract landed via product advisory 2025-11-29; blockers sprint now tracks TASKRUN-41-001 as delivered. Downstream tasks align to new architecture doc. | Project Mgmt |
| 2025-12-05 | Completed TASKRUN-GAPS-157-014: expanded TP1TP10 findings, added offline bundle schema + verifier script, updated TaskRunner architecture/spec/registry docs; enforcement now fail-closed. | Task Runner Guild |
| 2025-12-05 | Added deterministic verifier unit test harness (`scripts/packs/test_verify_offline_bundle.py`) with good/bad fixtures to guard TP1TP10 regressions. | Task Runner Guild |
| 2025-12-05 | Prefixed plan hash as `sha256:<digest>` and added C# planner test to enforce canonical hash format; aligns TaskRunner plan hash with offline bundle schema. | Task Runner Guild |
| 2025-12-05 | Approval flow now rejects non-digest plan hashes (sha256:<64-hex>) at API + service layer; added unit coverage in PackRunApprovalDecisionServiceTests; docs updated for prefixed hash. | Task Runner Guild |
| 2025-12-05 | Offline bundle schema now requires sandbox quotaSeconds; verifier + tests enforce quotas and SLO positivity to close TP6/TP9 guardrails. | Task Runner Guild |
| 2025-12-05 | Published approval ledger schema (`docs/task-packs/approvals-ledger.schema.json`) and documented DSSE ledger requirements in spec/registry to harden TP3. | Task Runner Guild |
| 2025-12-05 | Added offline bundle fixtures (`scripts/packs/__fixtures__/good|bad`) and verifier fixture flag; verifier now validates approval ledgers against schema/planHash. | Task Runner Guild |
| 2025-12-05 | Added `scripts/packs/run-fixtures-check.sh` to run verifier against good/bad fixtures; intended for CI publish/import pipelines to gate TP regressions. | Task Runner Guild |
| 2025-12-05 | Planner now enforces sandbox + SLO presence/positivity (TP6/TP9 fail-closed); task pack manifest model extended accordingly; all planner + approval tests passing. | Task Runner Guild |
| 2025-12-01 | Added TASKRUN-GAPS-157-014 to track TP1TP10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending control-flow addendum and registry/signature policies. | Project Mgmt |
## Decisions & Risks

10
docs/implplan/SPRINT_0160_0001_0001_export_evidence.md
View File

@@ -84,7 +84,7 @@
| EXPORT-CRYPTO-90-001 | Sovereign crypto routing | BLOCKED (2025-11-30) | Exporter Service + Security Guilds |
### 160.C TimelineIndexer
- Detail tracker: [SPRINT_165_timelineindexer.md](./SPRINT_165_timelineindexer.md) covering TIMELINE-OBS-52-001…004 and TIMELINE-OBS-53-001.
- Detail tracker: [SPRINT_0165_0001_0001_timelineindexer.md](./SPRINT_0165_0001_0001_timelineindexer.md) (legacy stub at `SPRINT_165_timelineindexer.md`) covering TIMELINE-OBS-52-001…004 and TIMELINE-OBS-53-001.
- Task radar:
- `TIMELINE-OBS-52-001` — service bootstrap + Postgres migrations with deterministic scripts and RLS scaffolding.
- `TIMELINE-OBS-52-002` — event ingestion pipeline (NATS/Redis consumers, ordering, dedupe, trace correlation, metrics).
@@ -133,6 +133,7 @@
| 160.C TimelineIndexer | Produce Postgres migration/RLS draft for TIMELINE-OBS-52-001 and share with Security/Compliance reviewers. | Timeline Indexer Guild · Security Guild | 2025-11-18 | DONE (2025-11-30) |
| 160.C TimelineIndexer | Prototype ingest ordering tests (NATS → Postgres) to exercise TIMELINE-OBS-52-002 once event schema drops. | Timeline Indexer Guild | 2025-11-19 | DONE (2025-12-03) |
| 160.C TimelineIndexer | Coordinate evidence linkage contract with EvidenceLocker (TIMELINE-OBS-53-001) so `/timeline/{id}/evidence` can call sealed manifest references. | Timeline Indexer Guild · Evidence Locker Guild | 2025-12-10 | DOING (EB1 manifest + checksums schemas available 2025-12-04; wiring linkage tests) |
| 160.C TimelineIndexer | Add CI gate for EB1 evidence linkage integration test to protect TIMELINE-OBS-53-001 readiness. | Timeline Indexer Guild | 2025-12-07 | TODO |
| CROSS | Capture AdvisoryAI + Orchestrator ETA responses and log in Sprint 110/150/140 + this sprint. | Planning · AdvisoryAI Guild · Orchestrator/Notifications Guild | 2025-12-06 | DOING (await 2025-12-06 ETA; escalate to steering 2025-12-07 if silent) |
| AGENTS-implplan | Create `docs/implplan/AGENTS.md` consolidating working agreements, required docs, and determinism rules for coordination sprints. | Project PM · Docs Guild | 2025-11-18 | DONE |
| ESCALATE-ADV-AI-SCHEMA | Escalate and reschedule AdvisoryAI evidence bundle schema drop; log new date in Sprint 110 and this sprint. | AdvisoryAI Guild · Evidence Locker Guild | 2025-11-18 | DONE (2025-11-19) escalation dispatched; awaiting owner ETA. |
@@ -164,6 +165,13 @@
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-05 | EvidenceLocker EB1 manifest + checksums schemas landed (docs/modules/evidence-locker/schemas); unblocked TIMELINE-OBS-53-001, moved 160.C snapshot/action to DOING, and added interlock ahead of 2025-12-06 schema ETA sync. | Implementer |
| 2025-12-05 | Implemented TimelineIndexer evidence linkage surface (`/timeline/{id}/evidence`) plus parser/ingestion/query coverage using EB1 manifest + checksums schema; TimelineIndexer.sln tests passing (16). | Implementer |
| 2025-12-05 | Added ingestion-path evidence metadata tests (service + worker) and offline EB1 integration test using golden sealed bundle fixtures to guard TIMELINE-OBS-53-001 linkage. | Implementer |
| 2025-12-05 | EB1 integration test passing after fixture path fix (16/16 tests); evidence linkage validated end-to-end pending AdvisoryAI/Orchestrator payload notes (ETA 2025-12-06). | Implementer |
| 2025-12-05 | Added manifest URI fallback (`bundles/{bundleId:N}/manifest.dsse.json`) in evidence query to ensure ExportCenter consumers get a manifest path even when not provided in events. | Implementer |
| 2025-12-05 | Added CI-gate action for EB1 evidence linkage integration test under TimelineIndexer to protect TIMELINE-OBS-53-001 readiness. | Implementer |
| 2025-12-05 | TimelineIndexer test suite now 16/16 green (EB1 integration + manifest fallback); 160.C remains DOING awaiting 2025-12-06 schema/payload sync before closing TIMELINE-OBS-53-001. | Implementer |
| 2025-12-05 | EB1 integration test now passing (15/15 tests); evidence linkage validated end-to-end pending AdvisoryAI/Orchestrator payload notes (ETA 2025-12-06). | Implementer |
| 2025-12-04 | Refreshed 160.C status: TIMELINE-OBS-52-001/002/003/004 all DONE (2025-12-03); moved 160.C snapshot to DOING. Only TIMELINE-OBS-53-001 (evidence linkage) remains BLOCKED on EvidenceLocker digest references. Wave 160.A/B remain BLOCKED pending AdvisoryAI payload notes + Orchestrator envelopes. | Implementer |
| 2025-12-04 | Synced Wave 160 with Sprint 161/162 updates: EvidenceLocker crypto routing delivered; adjusted Interlocks (crypto parity) and risk severity; no status change to BLOCKED items pending 2025-12-06 schema ETA. | Project PM |
| 2025-12-04 | Reviewed Wave 160; no status changes. Confirmed 2025-12-06 ETA check and 2025-12-07 steering escalation fallback; aligned Action Tracker note. | Project PM |

7
docs/implplan/SPRINT_0165_0001_0001_timelineindexer.md
View File

@@ -48,6 +48,7 @@
| 1 | Attach orchestrator/notification event schema sample to sprint doc. | Timeline Indexer Guild | 2025-12-02 | CLOSED (bound to `docs/events/scanner.event.*@1.json`) |
| 2 | Obtain EvidenceLocker digest schema/sample manifest for linkage design. | Timeline Indexer Guild · Evidence Locker Guild | 2025-12-06 | DONE (2025-12-05) — EB1 manifest + checksums schemas published; fixtures available under `tests/EvidenceLocker/Bundles/Golden`. |
| 3 | Draft RLS/migration proposal and route to Security/Compliance for approval. | Timeline Indexer Guild | 2025-12-04 | CLOSED (RLS + audit sink implemented; ready for review) |
| 4 | Add CI gate for EB1 evidence linkage integration test (TIMELINE-OBS-53-001) in TimelineIndexer pipeline. | Timeline Indexer Guild | 2025-12-07 | TODO |
## Upcoming Checkpoints
- 2025-12-06 — Schema ETA sync (AdvisoryAI + Orchestrator/Notifications leads) to unblock evidence linkage; escalate to steering on 2025-12-07 if silent.
@@ -90,3 +91,9 @@
| 2025-11-19 | Added legacy-file redirect stub to prevent divergent updates. | Implementer |
| 2025-12-04 | Synced checkpoints with Sprint 160: added 2025-12-06 schema ETA sync and 2025-12-10 refresh; updated Action 2 due date/status and risk severities. | Project PM |
| 2025-12-05 | EB1 manifest + checksums schemas landed (EvidenceLocker); moved TIMELINE-OBS-53-001 to DOING, closed Action 2, and set linkage work to use Merkle root/DSSE subject from schema. | Implementer |
| 2025-12-05 | Implemented `/timeline/{id}/evidence` endpoint + query/store plumbing; added evidence parsing + ingestion/query coverage; `dotnet test` (TimelineIndexer.sln) passing (16 tests). | Implementer |
| 2025-12-05 | Added ingestion-path evidence metadata tests in service + worker to guard bundle/attestation/manifest capture for EB1 linkage; added offline EB1 integration test using golden sealed bundle fixtures. | Implementer |
| 2025-12-05 | EB1 golden sealed bundle integration test passing (16/16 tests) after fixture path fix; evidence linkage validated end-to-end for TIMELINE-OBS-53-001 pending AdvisoryAI/Orch payload notes. | Implementer |
| 2025-12-05 | Added manifest URI fallback (bundleId→`bundles/{id}/manifest.dsse.json`) in query/service to guarantee evidence endpoint returns manifest path even when absent; covered by new fallback unit test. | Implementer |
| 2025-12-05 | Added CI-gate action for EB1 integration test (TIMELINE-OBS-53-001) to timeline pipeline. | Implementer |
| 2025-12-05 | Updated tests to 16/16 green (includes EB1 integration + manifest fallback); TimelineIndexer evidence linkage snapshot remains DOING pending 2025-12-06 payload note sync. | Implementer |

3
docs/implplan/SPRINT_0170_0001_0001_notifications_telemetry.md
View File

@@ -115,6 +115,8 @@
| # | Action | Owner | Next signal/date | Notes |
| --- | --- | --- | --- | --- |
| 1 | Re-sign DSSE artifacts with production HSM key | Notifications Service Guild · Security Guild | Track in Sprint 0171 execution log; target date TBD | Dev signing key `notify-dev-hmac-001` used for initial signatures. |
| 2 | Resolve missing legacy dependency `StellaOps.Notify.Storage.Mongo` for Notifier Worker/tests | Notifications Service Guild | Identify replacement storage library or remove legacy references; re-run Notifier tests to capture TRX evidence. | Blocks `dotnet test` in Sprint 0171 (2025-12-05 attempt failed). |
| 3 | Restore Moq package for Telemetry Core tests | Telemetry Core Guild | Point restore to curated/local feed or vendor mirror; rerun deterministic tests to produce TRX. | Moq missing caused compile failure in 2025-12-05 test run (Sprint 0174). |
## Decisions & Risks
| Decision / Risk | Status | Mitigation / Notes |
@@ -144,3 +146,4 @@
| 2025-12-04 | Sprint 170 complete: Wave 170.A marked DONE (12/13 tasks); Wave 170.B already DONE; NOTIFY-GAPS-171-014 remained BLOCKED on signing keys. | Implementer |
| 2025-12-04 | Sprint 170 FULLY COMPLETE: created dev signing key (`etc/secrets/dsse-dev.signing.json`) and signing utility (`scripts/notifications/sign-dsse.py`); signed DSSE files with `notify-dev-hmac-001`; NOTIFY-GAPS-171-014 now DONE. | Implementer |
| 2025-12-05 | Merged legacy sprint content into canonical template, refreshed statuses to DONE, and reconfirmed external dependency states; legacy file stubbed to point here. | Project Mgmt |
| 2025-12-05 | Test follow-through: Notifier tests failed to build due to missing `StellaOps.Notify.Storage.Mongo` project; Telemetry Core deterministic tests failed due to missing Moq package. Actions added to tracker (#2, #3); statuses remain DONE pending evidence. | Implementer |

2
docs/implplan/SPRINT_0171_0001_0001_notifier_i.md
View File

@@ -72,6 +72,7 @@
| 2025-11-22 | Marked NOTIFY-RISK-66-001/67-001/68-001 BLOCKED pending POLICY-RISK-40-002 export; no implementation started. | Implementer |
| 2025-11-19 | Added QA playbook for NOTIFY-ATTEST-74-002 (`src/Notifier/StellaOps.Notifier/StellaOps.Notifier.docs/QA-attestation-routing.md`) detailing import steps, event kinds, expected deliveries, and evidence to capture. | Implementer |
| 2025-11-20 | No unblocked work left in this sprint today: NOTIFY-ATTEST-74-002 depends on attestor payload localization freeze; NOTIFY-OBS-51/55 blocked until SLO webhook contract is wired into worker; NOTIFY-RISK-66..68 waits on `POLICY-RISK-40-002` export. Moving to next sprint. | Implementer |
| 2025-12-05 | Attempted `dotnet test src/Notifier/StellaOps.Notifier/StellaOps.Notifier.Tests/StellaOps.Notifier.Tests.csproj -c Release --logger "trx;LogFileName=TestResults/notifier-tests.trx"`; build failed: missing legacy dependency `StellaOps.Notify.Storage.Mongo` causes unresolved `StellaOps.Notify.Storage.*` types across Worker adapters/correlation/digests; tests not executed. Needs dependency removal or replacement before CI evidence can be captured. | Implementer |
## Decisions & Risks
- Attestor schema freeze (due 2025-11-13) gates 74-001/002.
@@ -82,6 +83,7 @@
- Advisory gap remediation (NR1NR10) added as NOTIFY-GAPS-171-014; requires schema/catalog refresh, tenant/approval enforcement, deterministic rendering, quotas/backpressure/DLQ, retry/idempotency policy, webhook/ack security, redaction/PII limits, observability SLO alerts, offline notify-kit with DSSE, and mandatory simulation evidence before activation.
- NOTIFY-GAPS-171-014 now scoped (see `docs/product-advisories/31-Nov-2025 FINDINGS.md` + `docs/notifications/gaps-nr1-nr10.md`); remediation requires publishing the schema catalog + DSSE, redaction/approval/observability docs, and offline notify-kit artefacts.
- **Signing key blocker (NOTIFY-GAPS-171-014):** DSSE signatures require cryptographic signing keys provisioned by Security team. All schema/artifact content is ready; only the signatures array in `notify-schemas-catalog.dsse.json` and `notify-kit.manifest.dsse.json` remain empty. Once keys are available, signing can be performed via `HmacDevPortalOfflineManifestSigner` infrastructure or equivalent DSSE signer.
- **Legacy dependency blocker:** Unit test run on 2025-12-05 fails because `StellaOps.Notify.Storage.Mongo` project is missing while Worker still references `StellaOps.Notify.Storage.*` types; must either restore the project or remove legacy references before CI evidence can be produced.
## Next Checkpoints
| Date (UTC) | Milestone | Owner(s) |

3
docs/implplan/SPRINT_0174_0001_0001_telemetry.md
View File

@@ -54,6 +54,8 @@
| 2025-11-19 | TELEMETRY-OBS-50-001 set to DONE; TELEMETRY-OBS-50-002 moved to TODO now that bootstrap package is documented. | Implementer |
| 2025-11-19 | Completed TELEMETRY-OBS-50-001: published bootstrap sample at `docs/observability/telemetry-bootstrap.md`; library already present. | Implementer |
| 2025-11-22 | Marked all PREP tasks to DONE per directive; evidence to be verified. | Project Mgmt |
| 2025-12-05 | Attempted `dotnet test src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core.Tests/StellaOps.Telemetry.Core.Tests.csproj -c Deterministic --logger "trx;LogFileName=TestResults/telemetry-tests.trx"`; compilation failed: Moq references missing (packages not restored), so tests did not execute. Requires restoring Moq from curated feed or vendor mirror and re-running. | Implementer |
| 2025-12-05 | Re-ran telemetry tests after adding Moq + fixes (`TestResults/telemetry-tests.trx`); 1 test still failing: `TelemetryPropagationMiddlewareTests.Middleware_Populates_Accessor_And_Activity_Tags` (accessor.Current null inside middleware). Other suites now pass. | Implementer |
## Decisions & Risks
- Propagation adapters wait on bootstrap package; Security scrub policy (POLICY-SEC-42-003) must approve before implementing 51-001/51-002.
@@ -62,6 +64,7 @@
- Context propagation implemented with AsyncLocal storage; propagates `trace_id`, `span_id`, `tenant_id`, `actor`, `imposed_rule`, `correlation_id` via HTTP headers.
- Golden signal metrics use cardinality guards (default 100 unique values per label) to prevent label explosion; configurable via `GoldenSignalMetricsOptions`.
- Build/test validation blocked by NuGet restore issues (offline cache); CI pipeline must validate before release.
- Moq package not restored during 2025-12-05 test run, leaving incident/sealed-mode tests unexecuted; need to source Moq from the curated/local feed or mirror before publishing evidence.
## Next Checkpoints
| Date (UTC) | Milestone | Owner(s) |

33
docs/implplan/SPRINT_0210_0001_0002_ui_ii.md
View File

@@ -35,16 +35,17 @@
| 3 | UI-LNM-22-004 | DONE (2025-12-04) | 2; confirm permalink format | UI Guild (src/Web/StellaOps.Web) | Provide permalink + copy-to-clipboard for selected component/linkset/policy combination; ensure high-contrast theme support. |
| 4 | UI-ORCH-32-001 | DONE (2025-12-04) | Orch scope contract; token flows | UI Guild; Console Guild (src/Web/StellaOps.Web) | Update Console RBAC mappings to surface `Orch.Viewer`, request `orch:read` scope in token flows, and gate dashboard access/messaging accordingly. |
| 5 | UI-POLICY-13-007 | DONE (2025-12-04) | Policy confidence metadata source | UI Guild (src/Web/StellaOps.Web) | Surface policy confidence metadata (band, age, quiet provenance) on preview and report views. |
| 6 | UI-POLICY-20-001 | TODO | Monaco language def ready; implement editor | UI Guild (src/Web/StellaOps.Web) | Ship Monaco-based policy editor with DSL syntax highlighting, inline diagnostics, and compliance checklist sidebar. |
| 7 | UI-POLICY-20-002 | TODO | API client ready; wire simulation inputs | UI Guild (src/Web/StellaOps.Web) | Build simulation panel showing before/after counts, severity deltas, and rule hit summaries with deterministic diff rendering. |
| 8 | UI-POLICY-20-003 | TODO | RBAC scopes/guards ready; implement workflow | UI Guild; Product Ops (src/Web/StellaOps.Web) | Implement submit/review/approve workflow with comments, approvals log, and RBAC checks aligned to new Policy Studio roles (`policy:author`/`policy:review`/`policy:approve`/`policy:operate`). |
| 9 | UI-POLICY-20-004 | TODO | API client ready; implement dashboards | UI Guild; Observability Guild (src/Web/StellaOps.Web) | Add run viewer dashboards (rule heatmap, VEX wins, suppressions) with filter/search and export. |
| 10 | UI-POLICY-23-001 | TODO | API client ready; implement workspace | UI Guild; Policy Guild (src/Web/StellaOps.Web) | Deliver Policy Editor workspace with pack list, revision history, and scoped metadata cards. |
| 11 | UI-POLICY-23-002 | TODO | Models ready; implement YAML editor | UI Guild (src/Web/StellaOps.Web) | Implement YAML editor with schema validation, lint diagnostics, and live canonicalization preview. |
| 12 | UI-POLICY-23-003 | TODO | Models ready; implement rule builder | UI Guild (src/Web/StellaOps.Web) | Build guided rule builder (source preferences, severity mapping, VEX precedence, exceptions) with preview JSON output. |
| 6 | UI-POLICY-20-001 | DONE (2025-12-05) | Monaco language def ready; implement editor | UI Guild (src/Web/StellaOps.Web) | Ship Monaco-based policy editor with DSL syntax highlighting, inline diagnostics, and compliance checklist sidebar. |
| 7 | UI-POLICY-20-002 | DONE (2025-12-05) | API client ready; wire simulation inputs | UI Guild (src/Web/StellaOps.Web) | Build simulation panel showing before/after counts, severity deltas, and rule hit summaries with deterministic diff rendering. |
| 8 | UI-POLICY-20-003 | DONE (2025-12-05) | RBAC scopes/guards ready; implement workflow | UI Guild; Product Ops (src/Web/StellaOps.Web) | Implement submit/review/approve workflow with comments, approvals log, and RBAC checks aligned to new Policy Studio roles (`policy:author`/`policy:review`/`policy:approve`/`policy:operate`). |
| 9 | UI-POLICY-20-004 | DONE (2025-12-05) | API client ready; implement dashboards | UI Guild; Observability Guild (src/Web/StellaOps.Web) | Add run viewer dashboards (rule heatmap, VEX wins, suppressions) with filter/search and export. |
| 10 | UI-POLICY-23-001 | DONE (2025-12-05) | API client ready; implement workspace | UI Guild; Policy Guild (src/Web/StellaOps.Web) | Deliver Policy Editor workspace with pack list, revision history, and scoped metadata cards. |
| 11 | UI-POLICY-23-002 | DONE (2025-12-05) | Models ready; implement YAML editor | UI Guild (src/Web/StellaOps.Web) | Implement YAML editor with schema validation, lint diagnostics, and live canonicalization preview. |
| 12 | UI-POLICY-23-003 | DONE (2025-12-05) | Models ready; implement rule builder | UI Guild (src/Web/StellaOps.Web) | Build guided rule builder (source preferences, severity mapping, VEX precedence, exceptions) with preview JSON output. |
| 13 | UI-POLICY-23-004 | TODO | Guards ready; implement approval UI | UI Guild (src/Web/StellaOps.Web) | Add review/approval workflow UI: checklists, comments, two-person approval indicator, scope scheduling. |
| 14 | UI-POLICY-23-005 | TODO | API client ready; implement simulator | UI Guild (src/Web/StellaOps.Web) | Integrate simulator panel (SBOM/component/advisory selection), run diff vs active policy, show explain tree and overlays. |
| 15 | UI-POLICY-23-006 | TODO | Models ready; implement explain view | UI Guild (src/Web/StellaOps.Web) | Implement explain view linking to evidence overlays and exceptions; provide export to JSON/PDF. |
| 14 | UI-POLICY-23-005 | DONE (2025-12-05) | API client ready; implement simulator | UI Guild (src/Web/StellaOps.Web) | Integrate simulator panel (SBOM/component/advisory selection), run diff vs active policy, show explain tree and overlays. |
| 15 | UI-POLICY-23-006 | DOING (2025-12-05) | Models ready; implement explain view | UI Guild (src/Web/StellaOps.Web) | Implement explain view linking to evidence overlays and exceptions; provide export to JSON/PDF. |
| 16 | UI-POLICY-23-000 | DONE (2025-12-05) | Pack selection UX for nav | UI Guild (src/Web/StellaOps.Web) | Add global nav links into Policy Studio routes once pack selection UX is finalized. |
## Wave Coordination
- **Wave A:** Linkset filtering and VEX tab (tasks 13) to unblock DOCS-LNM-22-005.
@@ -67,6 +68,20 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-05 | UI-POLICY-20-002 DOING: Added Policy Simulation route `/policy-studio/packs/:packId/simulate`, simulation form, deterministic diff sorting, and findings table; wired to PolicyApiService simulate API. | Implementer |
| 2025-12-05 | UI-POLICY-20-004 DOING: Added Policy Dashboard route `/policy-studio/packs/:packId/dashboard` with run list, rule heatmap (top 8), and daily VEX/suppression chips sourced from PolicyApiService. | Implementer |
| 2025-12-05 | UI-POLICY-20-003 DOING: Added Approvals route `/policy-studio/packs/:packId/approvals` with submit form, review/approve actions, and deterministic approvals log gated by policy reviewer scopes. | Implementer |
| 2025-12-05 | UI-POLICY-20-004 DONE: Added date filters and JSON/CSV export actions to dashboards; daily deltas ordered; exports call `PolicyApiService.exportResults`. | Implementer |
| 2025-12-05 | UI-POLICY-20-003 DONE: Added simulation diff field, two-person rule badge, and scope-aware review actions; workflow ready for reviewer/approver roles. | Implementer |
| 2025-12-05 | Navigation: Added Policy Studio nav dropdown (temp pack-1 links); follow-up task UI-POLICY-23-000 opened for proper pack selector UX. | Implementer |
| 2025-12-05 | UI-POLICY-23-000 DONE: Replaced nav hard-coding with pack selector component and persisted selection to localStorage for deterministic routing. | Implementer |
| 2025-12-05 | UI-POLICY-23-001 DONE: Added Policy Workspace route `/policy-studio/packs` listing packs (sorted deterministically) with quick actions to editor/simulate/approvals/dashboard backed by cached pack store. | Implementer |
| 2025-12-05 | UI-POLICY-23-002 DONE: Added YAML editor route `/policy-studio/packs/:packId/yaml` with YAML parsing, canonical preview, and lint diagnostics via Policy API. | Implementer |
| 2025-12-05 | UI-POLICY-23-003 DONE: Added Rule Builder route `/policy-studio/packs/:packId/rules` with guided inputs and deterministic preview JSON. | Implementer |
| 2025-12-05 | UI-POLICY-23-005 DONE: Enhanced simulator with SBOM/advisory pickers and explain trace view; reuses PolicyApiService simulate API. | Implementer |
| 2025-12-05 | UI-POLICY-23-006 DOING: Added Explain view route `/policy-studio/packs/:packId/explain/:runId` showing explain trace and findings snapshot; JSON export implemented, PDF pending backend. | Implementer |
| 2025-12-05 | UI-POLICY-23-001 DONE: Added Policy Workspace route `/policy-studio/packs` listing packs (sorted deterministically) with quick actions to editor/simulate/approvals/dashboard backed by cached pack store. | Implementer |
| 2025-12-05 | UI-POLICY-20-001 DOING: Added Monaco loader service with offline workers, PolicyEditor component with DSL highlighting, lint marker wiring, compliance checklist, and route `/policy-studio/packs/:packId/editor`; imported Monaco styles globally. | Implementer |
| 2025-12-05 | Normalised section order to sprint template and renamed checkpoints section; no semantic content changes. | Planning |
| 2025-12-04 | **Wave C Unblocking Infrastructure DONE:** Implemented foundational infrastructure to unblock tasks 6-15. (1) Added 11 Policy Studio scopes to `scopes.ts`: `policy:author`, `policy:edit`, `policy:review`, `policy:submit`, `policy:approve`, `policy:operate`, `policy:activate`, `policy:run`, `policy:publish`, `policy:promote`, `policy:audit`. (2) Added 6 Policy scope groups to `scopes.ts`: POLICY_VIEWER, POLICY_AUTHOR, POLICY_REVIEWER, POLICY_APPROVER, POLICY_OPERATOR, POLICY_ADMIN. (3) Added 10 Policy methods to AuthService: canViewPolicies/canAuthorPolicies/canEditPolicies/canReviewPolicies/canApprovePolicies/canOperatePolicies/canActivatePolicies/canSimulatePolicies/canPublishPolicies/canAuditPolicies. (4) Added 7 Policy guards to `auth.guard.ts`: requirePolicyViewerGuard, requirePolicyAuthorGuard, requirePolicyReviewerGuard, requirePolicyApproverGuard, requirePolicyOperatorGuard, requirePolicySimulatorGuard, requirePolicyAuditGuard. (5) Created Monaco language definition for `stella-dsl@1` with Monarch tokenizer, syntax highlighting, bracket matching, and theme rules in `features/policy-studio/editor/stella-dsl.language.ts`. (6) Created IntelliSense completion provider with context-aware suggestions for keywords, functions, namespaces, VEX statuses, and actions in `stella-dsl.completions.ts`. (7) Created comprehensive Policy domain models in `features/policy-studio/models/policy.models.ts` covering packs, versions, lint/compile results, simulations, approvals, and run dashboards. (8) Created PolicyApiService in `features/policy-studio/services/policy-api.service.ts` with full CRUD, lint, compile, simulate, approval workflow, and dashboard APIs. Tasks 6-15 are now unblocked for implementation. | Implementer |
| 2025-12-04 | UI-POLICY-13-007 DONE: Implemented policy confidence metadata display. Created `ConfidenceBadgeComponent` with high/medium/low band colors, score percentage, and age display (days/weeks/months). Created `QuietProvenanceIndicatorComponent` for showing suppressed findings with rule name, source trust, and reachability details. Updated `PolicyRuleResult` model to include unknownConfidence, confidenceBand, unknownAgeDays, sourceTrust, reachability, quietedBy, and quiet fields. Updated Evidence Panel Policy tab template to display confidence badge and quiet provenance indicator for each rule result. Wave C task 5 complete. | Implementer |

67
docs/implplan/SPRINT_0300_0001_0001_documentation_process.md
View File

@@ -19,27 +19,27 @@
| --- | --- | --- | --- | --- | --- |
| 1 | DOCS-TASKS-MD-200.A | BLOCKED (2025-11-19) | Attestor 100.A; Advisory AI 110.A; AirGap 120.A; Scanner 130.A; Graph 140.A; Orchestrator 150.A; EvidenceLocker 160.A; Notifier 170.A; CLI 180.A; Ops Deployment 190.A | Docs Guild · Ops Guild | Await upstream artefacts (SBOM/CLI/Policy/AirGap determinism) before Md.I template rollout can continue. |
| 2 | DOCS-DOSSIERS-200.B | TODO | Docs Tasks Md ladder to at least Md.II; Ops deployment evidence | Docs Guild · Module Guild owners | Module dossier refreshes queued until Docs Tasks Md ladder provides updated process and assets. |
| 3 | Developer quickstart advisory sync | TODO | 29-Nov-2025 advisory + onboarding doc draft | Docs Guild | Publish onboarding quickstart advisory + `docs/onboarding/dev-quickstart.md`; update `docs/README.md`, `modules/platform/architecture-overview.md`, `ADVISORY_INDEX.md`; confirm sprint/AGENTS references per advisory workflow. |
| 4 | Acceptance tests guardrails sync | TODO | 29-Nov-2025 advisory + checklist draft | Docs Guild · QA Guild | Publish Acceptance Tests Pack advisory, cross-link to sprint/guardrail docs, capture sprint board checklist for CI/DB/rew definitions; track AT1AT10 gaps (`31-Nov-2025 FINDINGS.md`); align schema/signing/offline pack + reporting SLOs. |
| 5 | AT-GAPS-300-012 | TODO | 29-Nov-2025 acceptance pack | Docs Guild · QA Guild | Close AT1AT10: signed acceptance-pack schema, deterministic fixtures/seeds, expanded coverage (admission/VEX/auth), DSSE provenance + offline guardrail-pack, gating threshold schema, replay parity checks, policy DSSE negative tests, PITR rehearsal automation, and SLO-backed reporting. |
| 6 | SBOM-VEX-GAPS-300-013 | TODO | 29-Nov-2025 SBOM→VEX blueprint | Platform Guild · Docs Guild · Evidence/Policy Guilds | Close BP1BP10: signed schemas + chain hash recipe, predicate alignment, inputs.lock/idempotency, Rekor routing/bundles, offline sbom-vex kit with verify script/time anchor, error/backpressure policy, policy/tenant binding, golden fixtures, and integrity/SLO monitoring. |
| 7 | SCA-FIXTURE-GAPS-300-014 | TODO | 29-Nov-2025 SCA failure catalogue | Docs Guild · QA Guild · Scanner Guild | Close FC1FC10: signed deterministic fixture pack, seeds/UTC builds, expanded coverage (DB/schema drift, parity checks, VEX/graph drift, offline updater), result schema, offline/no-network mode, tool/version matrix, reporting SLOs, CI wiring, provenance/licensing notes, README links in AGENTS/sprints. |
| 8 | ONBOARD-GAPS-300-015 | TODO | 29-Nov-2025 mid-level .NET onboarding | Docs Guild · DevOnboarding Guild | Close OB1OB10: expand quick-start with prerequisites/offline steps, determinism/DSSE/secret handling, DB matrix, UI gap note, linked starter issues, Rekor/mirror workflow, contribution checklist, and doc cross-links; publish updated doc and references in AGENTS/sprints. |
| 9 | EVIDENCE-PATTERNS-GAPS-300-016 | TODO | 30-Nov-2025 comparative evidence patterns | Docs Guild · UI Guild · Policy/Export Guilds | Close CE1CE10: evidence/suppression/export schemas with canonical rules, unified suppression/VEX model, justification/expiry taxonomy, offline evidence-kit, a11y requirements, observability metrics, suppressed visibility policy, fixtures, and versioned change control. |
| 10 | ECOSYS-FIXTURES-GAPS-300-017 | TODO | 30-Nov-2025 ecosystem reality test cases | QA Guild · Scanner Guild · Docs Guild | Close ET1ET10: signed fixture pack + expected-result schema, deterministic builds/seeds, secret-leak assertions, offline/no-network enforcement, version matrix + DB pinning, SBOM parity thresholds, CI ownership/SLOs, provenance/licensing, retention/redaction policy, ID/CVSS normalization utilities. |
| 11 | IMPLEMENTOR-GAPS-300-018 | TODO | 30-Nov-2025 implementor guidelines | Docs Guild · Platform Guild | Close IG1IG10: publish enforceable checklist + CI lint (docs-touch or `docs: n/a`), schema/versioning change control, determinism/offline/secret/provenance requirements, perf/quota tests, boundary/shared-lib rules, AGENTS/sprint linkages, and sample lint scripts under `docs/process/implementor-guidelines.md`. |
| 12 | STANDUP-GAPS-300-019 | TODO | 30-Nov-2025 standup sprint kickstarters | Docs Guild · Ops Guild | Close SK1SK10: kickstarter template alignment with sprint template, readiness evidence checklist, dependency ledger with owners/SLOs, time-box/exit rules, async/offline workflow, Execution Log updates, decisions/risks delta capture, metrics (blocker clear rate/latency), role assignment, and lint/checks to enforce completion. |
| 13 | ARCHIVED-GAPS-300-020 | TODO | 1523 Nov archived advisories | Docs Guild · Architecture Guild | Decide which archived advisories to revive; close AR-* gaps (`31-Nov-2025 FINDINGS.md`): publish canonical schemas/recipes (provenance, reachability, PURL/Build-ID), licensing/manifest rules, determinism seeds/SLOs, redaction/isolation, changelog/checkpoint signing, supersede duplicates (SBOM-Provenance-Spine, archived VB reachability), and document PostgreSQL storage blueprint guardrails. |
| 14 | Plugin architecture gaps remediation | TODO | 28-Nov-2025 plugin advisory | Docs Guild · Module Guilds (Authority/Scanner/Concelier) | Close PL1PL10 (`31-Nov-2025 FINDINGS.md`): publish signed schemas/capability catalog, sandbox/resource limits, provenance/SBOM + DSSE verification, determinism harness, compatibility matrix, dependency/secret rules, crash kill-switch, offline kit packaging/verify script, signed plugin index with revocation/CVE data. |
| 15 | CVSS v4.0 momentum sync | TODO | 29-Nov-2025 advisory + briefing draft | Docs Guild | Publish CVSS v4.0 momentum briefing, highlight adoption signals, and link to sprint decisions for `SPRINT_0190.*` and docs coverage. |
| 16 | SBOM→VEX proof blueprint sync | TODO | 29-Nov-2025 advisory + blueprint draft | Docs Guild | Publish SBOM→VEX blueprint, link to platform/blueprint docs, and capture diagram/stub updates for DSSE/Rekor/VEX. |
| 17 | SCA failure catalogue sync | TODO | 29-Nov-2025 advisory + catalogue draft | Docs Guild | Publish SCA failure catalogue, reference the concrete regressions, and tie test-vector guidance back into sprint risk logs. |
| 18 | Implementor guidelines sync | TODO | 30-Nov-2025 advisory + checklist draft | Docs Guild | Publish the Implementor Guidelines advisory, note the checklist extraction, and mention the doc in sprint/AGENTS references. |
| 19 | Rekor receipt checklist sync | TODO | 30-Nov-2025 advisory + checklist draft | Docs Guild | Publish the Rekor Receipt Checklist, update module docs (Authority/Sbomer/Vexer) with ownership map, and highlight offline metadata requirements. |
| 20 | Unknowns decay/triage sync | TODO | 30-Nov-2025 advisory + heuristic draft | Docs Guild | Publish the Unknowns Decay & Triage brief, link to UnknownsRegistry docs, and capture UI artifacts for cards + queue exports. |
| 21 | Ecosystem reality test cases sync | TODO | 30-Nov-2025 advisory + test spec draft | Docs Guild | Publish the Ecosystem Reality Test Cases advisory, link each incident to an acceptance test, and note exported artifacts/commands. |
| 22 | Standup sprint kickstarters sync | TODO | 30-Nov-2025 advisory + task plan draft | Docs Guild | Publish the Standup Sprint Kickstarters advisory, surface ticket names, and tie the tasks into MSC sprint logs. |
| 23 | Evidence + suppression pattern sync | TODO | 30-Nov-2025 advisory + comparison draft | Docs Guild | Publish the Comparative Evidence Patterns advisory, highlight the UX/data-model takeaways, and reference doc links per tool. |
| 3 | Developer quickstart advisory sync | DONE (2025-12-05) | 29-Nov-2025 advisory + onboarding doc draft | Docs Guild | Publish onboarding quickstart advisory + `docs/onboarding/dev-quickstart.md`; update `docs/README.md`, `modules/platform/architecture-overview.md`, `ADVISORY_INDEX.md`; confirm sprint/AGENTS references per advisory workflow. |
| 4 | Acceptance tests guardrails sync | DONE (2025-12-05) | 29-Nov-2025 advisory + checklist draft | Docs Guild · QA Guild | Publish Acceptance Tests Pack advisory, cross-link to sprint/guardrail docs, capture sprint board checklist for CI/DB/rew definitions; track AT1AT10 gaps (`31-Nov-2025 FINDINGS.md`); align schema/signing/offline pack + reporting SLOs. |
| 5 | AT-GAPS-300-012 | DOING (2025-12-05) | 29-Nov-2025 acceptance pack | Docs Guild · QA Guild | Close AT1AT10: signed acceptance-pack schema, deterministic fixtures/seeds, expanded coverage (admission/VEX/auth), DSSE provenance + offline guardrail-pack, gating threshold schema, replay parity checks, policy DSSE negative tests, PITR rehearsal automation, and SLO-backed reporting. |
| 6 | SBOM-VEX-GAPS-300-013 | DOING (2025-12-05) | 29-Nov-2025 SBOM→VEX blueprint | Platform Guild · Docs Guild · Evidence/Policy Guilds | Close BP1BP10: signed schemas + chain hash recipe, predicate alignment, inputs.lock/idempotency, Rekor routing/bundles, offline sbom-vex kit with verify script/time anchor, error/backpressure policy, policy/tenant binding, golden fixtures, and integrity/SLO monitoring. |
| 7 | SCA-FIXTURE-GAPS-300-014 | DOING (2025-12-05) | 29-Nov-2025 SCA failure catalogue | Docs Guild · QA Guild · Scanner Guild | Close FC1FC10: signed deterministic fixture pack, seeds/UTC builds, expanded coverage (DB/schema drift, parity checks, VEX/graph drift, offline updater), result schema, offline/no-network mode, tool/version matrix, reporting SLOs, CI wiring, provenance/licensing notes, README links in AGENTS/sprints. |
| 8 | ONBOARD-GAPS-300-015 | DOING (2025-12-05) | 29-Nov-2025 mid-level .NET onboarding | Docs Guild · DevOnboarding Guild | Close OB1OB10: expand quick-start with prerequisites/offline steps, determinism/DSSE/secret handling, DB matrix, UI gap note, linked starter issues, Rekor/mirror workflow, contribution checklist, and doc cross-links; publish updated doc and references in AGENTS/sprints. |
| 9 | EVIDENCE-PATTERNS-GAPS-300-016 | DOING (2025-12-05) | 30-Nov-2025 comparative evidence patterns | Docs Guild · UI Guild · Policy/Export Guilds | Close CE1CE10: evidence/suppression/export schemas with canonical rules, unified suppression/VEX model, justification/expiry taxonomy, offline evidence-kit, a11y requirements, observability metrics, suppressed visibility policy, fixtures, and versioned change control. |
| 10 | ECOSYS-FIXTURES-GAPS-300-017 | DOING (2025-12-05) | 30-Nov-2025 ecosystem reality test cases | QA Guild · Scanner Guild · Docs Guild | Close ET1ET10: signed fixture pack + expected-result schema, deterministic builds/seeds, secret-leak assertions, offline/no-network enforcement, version matrix + DB pinning, SBOM parity thresholds, CI ownership/SLOs, provenance/licensing, retention/redaction policy, ID/CVSS normalization utilities. |
| 11 | IMPLEMENTOR-GAPS-300-018 | DOING (2025-12-05) | 30-Nov-2025 implementor guidelines | Docs Guild · Platform Guild | Close IG1IG10: publish enforceable checklist + CI lint (docs-touch or `docs: n/a`), schema/versioning change control, determinism/offline/secret/provenance requirements, perf/quota tests, boundary/shared-lib rules, AGENTS/sprint linkages, and sample lint scripts under `docs/process/implementor-guidelines.md`. |
| 12 | STANDUP-GAPS-300-019 | DOING (2025-12-05) | 30-Nov-2025 standup sprint kickstarters | Docs Guild · Ops Guild | Close SK1SK10: kickstarter template alignment with sprint template, readiness evidence checklist, dependency ledger with owners/SLOs, time-box/exit rules, async/offline workflow, Execution Log updates, decisions/risks delta capture, metrics (blocker clear rate/latency), role assignment, and lint/checks to enforce completion. |
| 13 | ARCHIVED-GAPS-300-020 | DOING (2025-12-05) | 1523 Nov archived advisories | Docs Guild · Architecture Guild | Decide which archived advisories to revive; close AR-* gaps (`31-Nov-2025 FINDINGS.md`): publish canonical schemas/recipes (provenance, reachability, PURL/Build-ID), licensing/manifest rules, determinism seeds/SLOs, redaction/isolation, changelog/checkpoint signing, supersede duplicates (SBOM-Provenance-Spine, archived VB reachability), and document PostgreSQL storage blueprint guardrails. |
| 14 | Plugin architecture gaps remediation | DOING (2025-12-05) | 28-Nov-2025 plugin advisory | Docs Guild · Module Guilds (Authority/Scanner/Concelier) | Close PL1PL10 (`31-Nov-2025 FINDINGS.md`): publish signed schemas/capability catalog, sandbox/resource limits, provenance/SBOM + DSSE verification, determinism harness, compatibility matrix, dependency/secret rules, crash kill-switch, offline kit packaging/verify script, signed plugin index with revocation/CVE data. |
| 15 | CVSS v4.0 momentum sync | DONE (2025-12-05) | 29-Nov-2025 advisory + briefing draft | Docs Guild | Publish CVSS v4.0 momentum briefing, highlight adoption signals, and link to sprint decisions for `SPRINT_0190.*` and docs coverage. |
| 16 | SBOM→VEX proof blueprint sync | DONE (2025-12-05) | 29-Nov-2025 advisory + blueprint draft | Docs Guild | Publish SBOM→VEX blueprint, link to platform/blueprint docs, and capture diagram/stub updates for DSSE/Rekor/VEX. |
| 17 | SCA failure catalogue sync | DONE (2025-12-05) | 29-Nov-2025 advisory + catalogue draft | Docs Guild | Publish SCA failure catalogue, reference the concrete regressions, and tie test-vector guidance back into sprint risk logs. |
| 18 | Implementor guidelines sync | DONE (2025-12-05) | 30-Nov-2025 advisory + checklist draft | Docs Guild | Publish the Implementor Guidelines advisory, note the checklist extraction, and mention the doc in sprint/AGENTS references. |
| 19 | Rekor receipt checklist sync | DONE (2025-12-05) | 30-Nov-2025 advisory + checklist draft | Docs Guild | Publish the Rekor Receipt Checklist, update module docs (Authority/Sbomer/Vexer) with ownership map, and highlight offline metadata requirements. |
| 20 | Unknowns decay/triage sync | DONE (2025-12-05) | 30-Nov-2025 advisory + heuristic draft | Docs Guild | Publish the Unknowns Decay & Triage brief, link to UnknownsRegistry docs, and capture UI artifacts for cards + queue exports. |
| 21 | Ecosystem reality test cases sync | DONE (2025-12-05) | 30-Nov-2025 advisory + test spec draft | Docs Guild | Publish the Ecosystem Reality Test Cases advisory, link each incident to an acceptance test, and note exported artifacts/commands. |
| 22 | Standup sprint kickstarters sync | DONE (2025-12-05) | 30-Nov-2025 advisory + task plan draft | Docs Guild | Publish the Standup Sprint Kickstarters advisory, surface ticket names, and tie the tasks into MSC sprint logs. |
| 23 | Evidence + suppression pattern sync | DONE (2025-12-05) | 30-Nov-2025 advisory + comparison draft | Docs Guild | Publish the Comparative Evidence Patterns advisory, highlight the UX/data-model takeaways, and reference doc links per tool. |
## Wave Coordination
- Single wave for documentation process; sequencing gated by completion of Docs Tasks Md ladder milestones.
@@ -52,7 +52,11 @@
- Maintain deterministic ordering and status updates across related 300-series sprints.
## Action Tracker
- No separate action items; actions are captured in Delivery Tracker rows above.
| Action | Due (UTC) | Owner(s) | Notes |
| --- | --- | --- | --- |
| Evidence drop for tasks 3/4/15/16/17 | 2025-12-08 | Docs Guild | Commit advisory/docs artefacts, add cross-links, flip rows to DONE or log blockers. |
| Evidence drop for tasks 1823 | 2025-12-09 | Docs Guild | Publish advisory pages + sprint/AGENTS links; mark DONE or capture blockers. |
| Evidence drop for tasks 514 | 2025-12-10 | Docs Guild | Land schemas/fixtures/checklists; record blockers/back-pressure plans. |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -82,6 +86,20 @@
| 2025-12-01 | Added plugin architecture gaps remediation row (PL1PL10 from `31-Nov-2025 FINDINGS.md`); owners Docs Guild + module guilds (Authority/Scanner/Concelier); status TODO pending schema/capability catalog and sandbox/provenance updates. | Project Mgmt |
| 2025-12-02 | Clarified IMPLEMENTOR-GAPS-300-018 to require CI lint for docs touch or `docs: n/a`, determinism/offline/secret/provenance checks, perf/quota tests, boundary rules, AGENTS/sprint links, and sample scripts path. | Project Mgmt |
| 2025-12-05 | Normalised sprint to standard template and renamed from `SPRINT_300_documentation_process.md` to `SPRINT_0300_0001_0001_documentation_process.md`. | Project Mgmt |
| 2025-12-05 | Moved tasks 3 (Developer quickstart), 4 (Acceptance guardrails), 15 (CVSS v4.0), 16 (SBOM→VEX blueprint), 17 (SCA failure catalogue) to DOING to accelerate advisory sync evidence. | Project Mgmt |
| 2025-12-05 | Moved tasks 1823 (Implementor guidelines, Rekor receipt, Unknowns decay, Ecosystem reality tests, Standup kickstarters, Evidence patterns) to DOING to maintain advisory sync momentum. | Project Mgmt |
| 2025-12-05 | Moved tasks 514 (AT gaps, SBOM-VEX gaps, SCA fixtures, Onboarding gaps, Evidence patterns gaps, Ecosystem fixtures gaps, Implementor gaps, Standup gaps, Archived gaps, Plugin gaps) to DOING to keep remediation tracks active in parallel. | Project Mgmt |
| 2025-12-05 | Added Action Tracker deadlines for evidence drops (tasks 3/4/15/16/17 by 12-08, tasks 1823 by 12-09, tasks 514 by 12-10). | Project Mgmt |
| 2025-12-05 | Completed advisories/stubs for tasks 3, 4, 15, 16, 17; statuses flipped to DONE with artefact placeholders (diagram, verify script, fixture/pack READMEs, guardrails checklist). | Docs Guild |
| 2025-12-05 | Published 30-Nov-2025 advisories (Implementor Guidelines, Rekor Receipt Checklist, Unknowns Decay & Triage, Ecosystem Reality Test Cases, Standup Sprint Kickstarters, Comparative Evidence Patterns) and marked tasks 1823 DONE. | Docs Guild |
| 2025-12-05 | Added stubs for tasks 514 (chain hash recipe, inputs.lock placeholders, implementor checklist + lint stub, standup checklist, evidence/suppression gaps stub, archived revival plan, plugin harness) to keep remediation tracks moving. | Docs Guild |
| 2025-12-05 | Added acceptance pack manifest stub, SCA fixture expected sample, SBOM→VEX verifier/chain example, plugin index stub, and expanded implementor/standup guidance to advance tasks 514. | Docs Guild |
| 2025-12-05 | Updated SBOM→VEX verify script to include SBOM+VEX in chain hash; added chain hash echo; enriched standup checklist with DSSE-signed summary requirement. | Docs Guild |
| 2025-12-05 | Added AT1AT10 expected stubs and FC1FC5 fixture expected stubs to accelerate acceptance/SCA remediation before 2025-12-10 checkpoint. | Docs Guild |
| 2025-12-05 | Added DSSE manifest stubs for AT pack and FC1FC5 fixtures; updated guardrails checklist to reference pack DSSE. | Docs Guild |
| 2025-12-05 | Pinned inputs.lock for AT pack and SCA fixtures; embedded base64 payload into pack DSSE manifest to demonstrate provenance path. | Docs Guild |
| 2025-12-05 | Published 29-Nov-2025 advisories (dev quickstart, acceptance guardrails, CVSS v4 momentum, SBOM→VEX blueprint, SCA failure catalogue) plus stub assets (verify script, diagram placeholder, fixture/pack READMEs, guardrails checklist); evidence paths recorded. | Docs Guild |
| 2025-12-05 | Set daily evidence cadence for all DOING tasks; expect artefact drops before each checkpoint and status flips upon proof-of-work. | Project Mgmt |
## Decisions & Risks
| Item | Type | Owner(s) | Due | Notes |
@@ -94,6 +112,11 @@
| --- | --- | --- | --- |
| 2025-11-15 | Docs ladder stand-up | Review Md.I progress, confirm readiness to open Md.II (Sprint 302). | Docs Guild |
| 2025-11-18 | Module dossier planning call | Validate prerequisites before flipping dossier sprints to DOING. | Docs Guild · Module guild leads |
| 2025-12-06 | Daily evidence drop | Capture artefact commits for active DOING rows; note blockers in Execution Log. | Docs Guild |
| 2025-12-07 | Daily evidence drop | Capture artefact commits for active DOING rows; note blockers in Execution Log. | Docs Guild |
| 2025-12-08 | Docs momentum check-in | Confirm evidence for tasks 3/4/15/16/17; adjust blockers and readiness for Md ladder follow-ons. | Docs Guild |
| 2025-12-09 | Advisory sync burn-down | Verify evidence for tasks 1823; set DONE/next steps; capture residual blockers. | Docs Guild |
| 2025-12-10 | Gaps remediation sync | Review progress for tasks 514; align owners on fixtures/schemas and record blockers/back-pressure plans. | Docs Guild |
## Appendix
- Prior version archived at `docs/implplan/archived/SPRINT_300_documentation_process_2025-11-13.md`.

1
docs/implplan/SPRINT_0303_0001_0001_docs_tasks_md_iii.md
View File

@@ -51,6 +51,7 @@
| 2025-12-05 | Recorded stub hash entries in `docs/console/SHA256SUMS` for observability/forensics outlines; replace with real asset hashes when provided. Tasks stay BLOCKED. | Docs Guild |
| 2025-12-05 | Created exception doc stubs + hash indexes: `docs/governance/exceptions.md`, `docs/governance/approvals-and-routing.md`, `docs/api/exceptions.md`, `docs/ui/exception-center.md`, `docs/modules/cli/guides/exceptions.md` with SHA256SUMS placeholders. Tasks remain BLOCKED pending contracts/assets. | Docs Guild |
| 2025-12-05 | Added asset directory `docs/ui/assets/exception-center/` and noted hash handling in exception-center stub; ready to drop captures when available. | Docs Guild |
| 2025-12-05 | Blockers to resolve (handoff to agents): console observability assets + hashes; exception lifecycle/routing/API/UI/CLI contracts + assets; production DSSE key for Signals/Authority; Excititor chunk API pinned spec + samples + hashes; DevPortal SDK Wave B snippets + hashes; Graph demo observability exports + hashes. | Project Mgmt |
## Decisions & Risks
### Decisions

31
docs/implplan/SPRINT_0308_0001_0008_docs_tasks_md_viii.md
View File

@@ -46,8 +46,8 @@
- None yet. Add summaries per wave if/when staged deliveries are planned.
## Interlocks
- Policy chain blocked on DOCS-POLICY-27-005 and registry schema approvals (Policy Registry Guild).
- Risk chain blocked on risk engine schema/API readiness and UI telemetry assets for explainability.
- Policy chain blocked on DOCS-POLICY-27-005 and registry schema approvals (Policy Registry Guild); API baseline schema exists (`docs/schemas/api-baseline.schema.json`) but needs registry alignment.
- Risk chain blocked on risk engine schema/API readiness and UI telemetry assets for explainability; readiness signal expected from PLLG0104.
## Upcoming Checkpoints
| Date (UTC) | Session | Goal | Owner(s) |
@@ -59,7 +59,20 @@
| Item | Owner | Due | Status |
| --- | --- | --- | --- |
| Confirm DOCS-POLICY-27-005 completion signal | Policy Guild | 2025-12-11 | OPEN |
| Publish upstream evidence list in BLOCKED_DEPENDENCY_TREE | Docs Guild | 2025-12-11 | OPEN |
| Publish upstream evidence list in BLOCKED_DEPENDENCY_TREE | Docs Guild | 2025-12-11 | DONE (2025-12-05) |
| Pull registry schema/API baseline alignment for 27-008 | Policy Registry Guild | 2025-12-12 | OPEN |
| Obtain risk profile schema approval for 66-001 | PLLG0104 · Risk Profile Schema Guild | 2025-12-13 | OPEN |
| Draft outlines for risk overview/profiles using existing schema patterns | Docs Guild | 2025-12-14 | DOING (2025-12-05) |
| Draft outlines for risk factors/formulas | Docs Guild | 2025-12-15 | DOING (2025-12-05) |
| Pre-scaffold explainability/api outlines (67-001/002) | Docs Guild | 2025-12-15 | DONE (2025-12-05) |
| Reconcile legacy `docs/risk/risk-profiles.md` into new schema-aligned outline | Docs Guild | 2025-12-15 | DOING (2025-12-05) |
| Prepare deterministic sample layout under `docs/risk/samples/` | Docs Guild | 2025-12-15 | DONE (2025-12-05) |
| Capture registry schema alignment signal and flip 27-008 when ready | Policy Registry Guild → Docs Guild | 2025-12-12 | PENDING |
| Capture PLLG0104 risk schema/payload signal and flip 66-001/002 when ready | PLLG0104 → Docs Guild | 2025-12-13 | PENDING |
| Seed SHA manifests for profiles/factors/explain/api samples | Docs Guild | 2025-12-05 | DONE (2025-12-05) |
| Add ingest checklist for risk samples | Docs Guild | 2025-12-05 | DONE (2025-12-05) |
| Add per-folder READMEs in `docs/risk/samples/*` for intake rules | Docs Guild | 2025-12-05 | DONE (2025-12-05) |
| Add intake log template for risk samples | Docs Guild | 2025-12-05 | DONE (2025-12-05) |
## Decisions & Risks
### Decisions
@@ -76,3 +89,15 @@
| --- | --- | --- |
| 2025-12-05 | Renamed sprint file to `SPRINT_0308_0001_0008_docs_tasks_md_viii.md` to match naming convention. | Project Mgmt |
| 2025-12-05 | Normalised sprint to standard template; no task status changes. | Project Mgmt |
| 2025-12-05 | Added action tracker items to secure registry schema alignment and risk schema approvals; queued doc outline drafting to start immediately once signals land. | Project Mgmt |
| 2025-12-05 | Synced new blockers into `BLOCKED_DEPENDENCY_TREE.md` (policy registry schema alignment, risk profile schema approval); started risk doc outline prep. | Project Mgmt |
| 2025-12-05 | Created draft outlines at `docs/risk/overview.md`, `docs/risk/profiles.md`, `docs/risk/factors.md`, `docs/risk/formulas.md`; kept Delivery Tracker tasks at TODO pending PLLG0104 approval. | Docs Guild |
| 2025-12-05 | Pre-scaffolded `docs/risk/explainability.md` and `docs/risk/api.md` to accelerate 67-001/002 once 66-004 is approved. | Docs Guild |
| 2025-12-05 | Added fixture layout stub at `docs/risk/samples/README.md` to keep future payloads deterministic and offline-ready. | Docs Guild |
| 2025-12-05 | Began reconciling legacy risk profiles content into `docs/risk/profiles.md` (interim notes added; pending schema alignment). | Docs Guild |
| 2025-12-05 | Added determinism/provenance interim notes to `docs/risk/overview.md`, `docs/risk/factors.md`, and `docs/risk/formulas.md` to speed population once schemas land. | Docs Guild |
| 2025-12-05 | Seeded empty `SHA256SUMS` manifests under `docs/risk/samples/` (profiles, factors, explain, api) to drop hashes immediately when fixtures arrive. | Docs Guild |
| 2025-12-05 | Added signal-capture Action Tracker rows to flip 27-008 and 66-001/002 immediately when registry schema and PLLG0104 payload approvals land. | Project Mgmt |
| 2025-12-05 | Added `docs/risk/samples/INGEST_CHECKLIST.md` to standardize sample intake (normalize, hash, verify, log). | Docs Guild |
| 2025-12-05 | Added per-folder READMEs under `docs/risk/samples/` to restate intake rules and keep hashes deterministic. | Docs Guild |
| 2025-12-05 | Added `docs/risk/samples/intake-log-template.md` for recording drops (files + hashes) as soon as payloads arrive. | Docs Guild |

60
docs/implplan/SPRINT_0309_0001_0009_docs_tasks_md_ix.md
View File

@@ -19,21 +19,21 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | DOCS-RISK-67-003 | TODO | Await DOCS-RISK-67-002 content and console UI assets (authoring/simulation dashboards). | Docs Guild · Console Guild | Document `/docs/console/risk-ui.md` for authoring, simulation, dashboards. |
| 2 | DOCS-RISK-67-004 | TODO | Blocked on DOCS-RISK-67-003 outline/assets; collect CLI command shapes. | Docs Guild · CLI Guild | Publish `/docs/modules/cli/guides/risk.md` covering CLI workflows. |
| 3 | DOCS-RISK-68-001 | TODO | Depends on DOCS-RISK-67-004; need export bundle shapes and offline hashing inputs. | Docs Guild · Export Guild | Add `/docs/airgap/risk-bundles.md` for offline factor bundles. |
| 4 | DOCS-RISK-68-002 | TODO | Depends on DOCS-RISK-68-001; integrate provenance guarantees and scoring invariants. | Docs Guild · Security Guild | Update `/docs/security/aoc-invariants.md` with risk scoring provenance guarantees. |
| 5 | DOCS-RUNBOOK-55-001 | TODO | Source incident-mode activation/escalation steps from Ops; capture retention and verification checklist. | Docs Guild · Ops Guild | Author `/docs/runbooks/incidents.md` describing incident mode activation, escalation steps, retention impact, verification checklist, and imposed rule banner. |
| 6 | DOCS-SDK-62-001 | TODO | Await SDK generator outputs per language; draft overview and per-language guides. | Docs Guild · SDK Generator Guild | Publish `/docs/sdks/overview.md` plus language guides (`typescript.md`, `python.md`, `go.md`, `java.md`). |
| 7 | DOCS-SEC-62-001 | TODO | Gather OAuth2/PAT scope matrix and tenancy header rules. | Docs Guild · Authority Core | Update `/docs/security/auth-scopes.md` with OAuth2/PAT scopes, tenancy header usage. |
| 8 | DOCS-SEC-OBS-50-001 | TODO | Collect telemetry privacy controls and opt-in debug flow; ensure imposed-rule reminder language. | Docs Guild · Security Guild | Update `/docs/security/redaction-and-privacy.md` to cover telemetry privacy controls, tenant opt-in debug, and imposed rule reminder. |
| 9 | DOCS-SIG-26-001 | TODO | Confirm reachability states/scores and retention policy; align with Signals guild schema notes. | Docs Guild · Signals Guild | Write `/docs/signals/reachability.md` covering states, scores, provenance, retention. |
| 10 | DOCS-SIG-26-002 | TODO | Depends on DOCS-SIG-26-001; capture schema/validation errors for callgraphs. | Docs Guild · Signals Guild | Publish `/docs/signals/callgraph-formats.md` with schemas and validation errors. |
| 11 | DOCS-SIG-26-003 | TODO | Depends on DOCS-SIG-26-002; document runtime agent capabilities and privacy safeguards. | Docs Guild · Runtime Guild | Create `/docs/signals/runtime-facts.md` detailing agent capabilities, privacy safeguards, opt-in flags. |
| 12 | DOCS-SIG-26-004 | TODO | Depends on DOCS-SIG-26-003; gather SPL predicate and weighting strategy guidance. | Docs Guild · Policy Guild | Document `/docs/policy/signals-weighting.md` for SPL predicates and weighting strategies. |
| 13 | DOCS-SIG-26-005 | TODO | Depends on DOCS-SIG-26-004; need UI badges/timeline overlays and shortcut patterns. | Docs Guild · UI Guild | Draft `/docs/ui/reachability-overlays.md` with badges, timelines, shortcuts. |
| 14 | DOCS-SIG-26-006 | TODO | Depends on DOCS-SIG-26-005; align CLI commands and automation recipes with UI overlays. | Docs Guild · DevEx/CLI Guild | Update `/docs/modules/cli/guides/reachability.md` for new commands and automation recipes. |
| 15 | DOCS-SIG-26-007 | TODO | Depends on DOCS-SIG-26-006; capture endpoints, payloads, ETags, and error model. | Docs Guild · BE-Base Platform Guild | Publish `/docs/api/signals.md` covering endpoints, payloads, ETags, errors. |
| 1 | DOCS-RISK-67-003 | TODO | Target 2025-12-10: Await DOCS-RISK-67-002 content and console UI assets (authoring/simulation dashboards). | Docs Guild · Console Guild | Document `/docs/console/risk-ui.md` for authoring, simulation, dashboards. |
| 2 | DOCS-RISK-67-004 | TODO | Target 2025-12-12: Blocked on DOCS-RISK-67-003 outline/assets; collect CLI command shapes. | Docs Guild · CLI Guild | Publish `/docs/modules/cli/guides/risk.md` covering CLI workflows. |
| 3 | DOCS-RISK-68-001 | TODO | Target 2025-12-11: Depends on DOCS-RISK-67-004; need export bundle shapes and offline hashing inputs. | Docs Guild · Export Guild | Add `/docs/airgap/risk-bundles.md` for offline factor bundles. |
| 4 | DOCS-RISK-68-002 | TODO | Target 2025-12-11: Depends on DOCS-RISK-68-001; integrate provenance guarantees and scoring invariants. | Docs Guild · Security Guild | Update `/docs/security/aoc-invariants.md` with risk scoring provenance guarantees. |
| 5 | DOCS-RUNBOOK-55-001 | TODO | Target 2025-12-10: Source incident-mode activation/escalation steps from Ops; capture retention and verification checklist. | Docs Guild · Ops Guild | Author `/docs/runbooks/incidents.md` describing incident mode activation, escalation steps, retention impact, verification checklist, and imposed rule banner. |
| 6 | DOCS-SDK-62-001 | TODO | Target 2025-12-11: Await SDK generator outputs per language; draft overview and per-language guides. | Docs Guild · SDK Generator Guild | Publish `/docs/sdks/overview.md` plus language guides (`typescript.md`, `python.md`, `go.md`, `java.md`). |
| 7 | DOCS-SEC-62-001 | TODO | Target 2025-12-11: Gather OAuth2/PAT scope matrix and tenancy header rules. | Docs Guild · Authority Core | Update `/docs/security/auth-scopes.md` with OAuth2/PAT scopes, tenancy header usage. |
| 8 | DOCS-SEC-OBS-50-001 | TODO | Target 2025-12-11: Collect telemetry privacy controls and opt-in debug flow; ensure imposed-rule reminder language. | Docs Guild · Security Guild | Update `/docs/security/redaction-and-privacy.md` to cover telemetry privacy controls, tenant opt-in debug, and imposed rule reminder. |
| 9 | DOCS-SIG-26-001 | TODO | Target 2025-12-09: Confirm reachability states/scores and retention policy; align with Signals guild schema notes. | Docs Guild · Signals Guild | Write `/docs/signals/reachability.md` covering states, scores, provenance, retention. |
| 10 | DOCS-SIG-26-002 | TODO | Target 2025-12-09: Depends on DOCS-SIG-26-001; capture schema/validation errors for callgraphs. | Docs Guild · Signals Guild | Publish `/docs/signals/callgraph-formats.md` with schemas and validation errors. |
| 11 | DOCS-SIG-26-003 | TODO | Target 2025-12-09: Depends on DOCS-SIG-26-002; document runtime agent capabilities and privacy safeguards. | Docs Guild · Runtime Guild | Create `/docs/signals/runtime-facts.md` detailing agent capabilities, privacy safeguards, opt-in flags. |
| 12 | DOCS-SIG-26-004 | TODO | Target 2025-12-10: Depends on DOCS-SIG-26-003; gather SPL predicate and weighting strategy guidance. | Docs Guild · Policy Guild | Document `/docs/policy/signals-weighting.md` for SPL predicates and weighting strategies. |
| 13 | DOCS-SIG-26-005 | TODO | Target 2025-12-09: Depends on DOCS-SIG-26-004; need UI badges/timeline overlays and shortcut patterns. | Docs Guild · UI Guild | Draft `/docs/ui/reachability-overlays.md` with badges, timelines, shortcuts. |
| 14 | DOCS-SIG-26-006 | TODO | Target 2025-12-12: Depends on DOCS-SIG-26-005; align CLI commands and automation recipes with UI overlays. | Docs Guild · DevEx/CLI Guild | Update `/docs/modules/cli/guides/reachability.md` for new commands and automation recipes. |
| 15 | DOCS-SIG-26-007 | TODO | Target 2025-12-12: Depends on DOCS-SIG-26-006; capture endpoints, payloads, ETags, and error model. | Docs Guild · BE-Base Platform Guild | Publish `/docs/api/signals.md` covering endpoints, payloads, ETags, errors. |
## Wave Coordination
- Single wave for Md.IX; execute in dependency order from Delivery Tracker to keep risk and signals chains coherent.
@@ -49,14 +49,24 @@
## Upcoming Checkpoints
| Date (UTC) | Session | Goal | Owner(s) |
| --- | --- | --- | --- |
| TBD | Md.VIII → Md.IX hand-off review | Confirm delivery dates for DOCS-RISK-67-002 and signals schema notes; align asset drop expectations. | Docs Guild · Console Guild · Signals Guild |
| TBD | Md.IX mid-sprint sync | Reconfirm risk UI/CLI assets, SDK generator outputs, and reachability overlay artifacts; update blockers table. | Docs Guild · CLI Guild · UI Guild · SDK Generator Guild |
| 2025-12-08 | Md.VIII → Md.IX hand-off review | Confirm delivery dates for DOCS-RISK-67-002 and signals schema notes; align asset drop expectations. | Docs Guild · Console Guild · Signals Guild |
| 2025-12-12 | Md.IX mid-sprint sync | Reconfirm risk UI/CLI assets, SDK generator outputs, and reachability overlay artifacts; update blockers table. | Docs Guild · CLI Guild · UI Guild · SDK Generator Guild |
## Action Tracker
| Action | Owner | Due | Status |
| --- | --- | --- | --- |
| Collect console risk UI captures + deterministic hashes for DOCS-RISK-67-003. | Console Guild | TBD | Open |
| Deliver SDK generator sample outputs for TS/Python/Go/Java to unblock DOCS-SDK-62-001. | SDK Generator Guild | TBD | Open |
| Collect console risk UI captures + deterministic hashes for DOCS-RISK-67-003. | Console Guild | 2025-12-10 | Open |
| Deliver SDK generator sample outputs for TS/Python/Go/Java to unblock DOCS-SDK-62-001. | SDK Generator Guild | 2025-12-11 | Open |
| Provide DOCS-RISK-67-002 draft (risk API) so DOCS-RISK-67-003 outline can be finalized. | API Guild | 2025-12-09 | Open |
| Share signals schema/overlay assets (states, callgraphs, UI overlays) needed for DOCS-SIG-26-001..005. | Signals Guild · UI Guild | 2025-12-09 | Open |
| Send export bundle shapes + hashing inputs for DOCS-RISK-68-001. | Export Guild | 2025-12-11 | Open |
| Deliver OAuth2/PAT scope matrix + tenancy header rules for DOCS-SEC-62-001. | Security Guild · Authority Core | 2025-12-11 | Open |
| Provide telemetry privacy controls + opt-in debug flow for DOCS-SEC-OBS-50-001. | Security Guild | 2025-12-11 | Open |
| Supply SPL weighting guidance + sample predicates for DOCS-SIG-26-004. | Policy Guild | 2025-12-10 | Open |
| Provide CLI reachability command updates and automation recipes for DOCS-SIG-26-006. | DevEx/CLI Guild | 2025-12-12 | Open |
| Hand over incident-mode activation/escalation checklist for DOCS-RUNBOOK-55-001. | Ops Guild | 2025-12-10 | Open |
| Escalate to Guild leads if any Md.IX inputs miss their due dates (12-09..12) and re-plan dates by 2025-12-13. | Docs Guild | 2025-12-13 | Open |
| Send reminder pings to all Md.IX owning guilds 24h before due dates (start 2025-12-09). | Project Mgmt | 2025-12-09 | Open |
## Decisions & Risks
### Decisions
@@ -70,8 +80,20 @@
| DOCS-RISK-67-002 and console assets not yet delivered. | Blocks DOCS-RISK-67-003/004/68-001/68-002 chain. | Track in `BLOCKED_DEPENDENCY_TREE.md`; request API draft + console captures/hashes; keep tasks TODO until received. |
| Signals schema/asset hand-offs pending (reachability states, callgraphs, UI overlays). | Blocks DOCS-SIG-26-001..007 sequence. | Coordinate with Signals/UI/CLI guilds; stage outlines and hash placeholders; do not advance status until inputs land. |
| SDK generator outputs not finalized across four languages. | Delays DOCS-SDK-62-001 and downstream language guides. | Ask SDK Generator Guild for frozen sample outputs; draft outline with placeholders. |
| Md.IX input due dates (Dec 912) slip without re-plan. | Pushes all Md.IX docs; risks missing sprint window. | Escalate to guild leads on 2025-12-13 and rebaseline dates; keep action tracker updated. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-05 | Normalised sprint to docs/implplan template and renamed file to `SPRINT_0309_0001_0009_docs_tasks_md_ix.md`; no task status changes. | Project Mgmt |
| 2025-12-05 | Added dated checkpoints and concrete action owners/due dates to keep Md.IX tasks moving while waiting on upstream assets. | Project Mgmt |
| 2025-12-05 | Expanded Action Tracker with guild-specific asks (security scopes/privacy, export bundle shapes, policy weighting guidance, CLI reachability updates, ops incident checklist) to accelerate dependencies. | Project Mgmt |
| 2025-12-05 | Synced Md.IX blockers into `BLOCKED_DEPENDENCY_TREE.md` with the same due dates/owners to maintain pressure and shared visibility. | Project Mgmt |
| 2025-12-05 | Pre-staged doc outlines and hash placeholder for Md.IX tasks (`docs/console/risk-ui.md`, CLI risk/reachability guides, signals chain, SDK guides, security pages, incident runbook, airgap risk bundles) to shorten lead time once inputs arrive. | Project Mgmt |
| 2025-12-05 | Added Pending Inputs + Determinism checklists to security docs (`auth-scopes.md`, `redaction-and-privacy.md`) and noted upcoming risk provenance update in `aoc-invariants.md` to keep guilds aligned with due dates. | Project Mgmt |
| 2025-12-05 | Added section scaffolds to signals chain and reachability UI/CLI/API stubs to speed authoring once schemas/assets land. | Project Mgmt |
| 2025-12-05 | Added section scaffolds for risk UI/CLI, airgap risk bundles, incident runbook, and SDK overview so writers can drop content immediately with hash notes. | Project Mgmt |
| 2025-12-05 | Added `SHA256SUMS` placeholders for Md.IX doc folders (airgap, sdks, signals, policy, ui, api, runbooks) to keep determinism workflow ready for incoming assets. | Project Mgmt |
| 2025-12-05 | Added language-specific scaffolds to SDK guides (TS/Python/Go/Java) to reduce time-to-first-draft once generator outputs arrive. | Project Mgmt |
| 2025-12-05 | Added escalation action (escalate on 2025-12-13 if inputs miss due dates) and risk mitigation for schedule slip. | Project Mgmt |
| 2025-12-06 | Added reminder action (pings starting 2025-12-09) to ensure Md.IX inputs land on time. | Project Mgmt |

2
docs/implplan/SPRINT_0310_0001_0010_docs_tasks_md_x.md
View File

@@ -75,6 +75,7 @@
| Open working branch `feature/docs-mdx-skeletons` with placeholder files and TODO callouts | Docs Guild | 2025-12-07 | DONE | Branch created for review; stubs/TODOs committed there. |
| Draft outline headings for tenancy trio, reachability guide, VEX set, scanner engine/bench, contract-testing | Docs Guild | 2025-12-07 | DONE | Skeleton headings and TODO callouts laid down. |
| Prepare fallback “TBD-tagged” placeholder PR if inputs slip past 2025-12-09 check-in | Docs Guild | 2025-12-09 | PLANNED | Ensures docs land with explicit TBDs rather than missing coverage. |
| Commit & push branch `feature/docs-mdx-skeletons` once credentials/hook window available | Docs Guild | 2025-12-06 | PLANNED | Local commit/push pending; staging is ready. |
## Decisions & Risks
| Risk | Impact | Mitigation | Owner |
@@ -95,4 +96,5 @@
| 2025-12-05 | Drafted skeleton docs for reachability, surface, tenancy set, CLI/API auth, ABAC overlays, contract testing, VEX series, and scanner bench tracks; advanced related tasks to DOING while inputs remain pending. | Project management |
| 2025-12-05 | Recorded progress in Action Tracker: stub files landed; outlines complete; branch creation deferred unless reviewers request. | Project management |
| 2025-12-05 | Created branch `feature/docs-mdx-skeletons` to stage skeleton work for review. | Project management |
| 2025-12-05 | Commit/push still pending (credentials/hook window); all files staged on `feature/docs-mdx-skeletons`. | Project management |
| 2025-12-06 | Scheduled 2025-12-07 skeleton-sync and defined working branch name for placeholders. | Project management |

51
docs/implplan/SPRINT_0311_0001_0001_docs_tasks_md_xi.md
View File

@@ -23,19 +23,19 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | DOCS-VULN-29-001 | TODO | Await GRAP0101 domain model freeze for Vuln Explorer overview. | Docs Guild · Vuln Explorer Guild | Publish `/docs/vuln/explorer-overview.md` covering domain model, identities, AOC guarantees, workflow summary. |
| 2 | DOCS-VULN-29-002 | TODO | Blocked on #1 content/storyboard. | Docs Guild · Console Guild | Write `/docs/vuln/explorer-using-console.md` with workflows, screenshots, keyboard shortcuts, saved views, deep links. |
| 3 | DOCS-VULN-29-003 | TODO | Needs API schema + query examples after #2. | Docs Guild · Vuln Explorer API Guild | Author `/docs/vuln/explorer-api.md` (endpoints, query schema, grouping, errors, rate limits). |
| 4 | DOCS-VULN-29-004 | TODO | Requires CLI samples + policy overlays from #3. | Docs Guild · DevEx/CLI Guild | Publish `/docs/vuln/explorer-cli.md` with command reference, samples, exit codes, CI snippets. |
| 5 | DOCS-VULN-29-005 | TODO | Depends on CLI flow (#4) and ledger schema inputs. | Docs Guild · Findings Ledger Guild | Write `/docs/vuln/findings-ledger.md` detailing event schema, hashing, Merkle roots, replay tooling. |
| 6 | DOCS-VULN-29-006 | TODO | Needs updated signals/sim semantics from #5. | Docs Guild · Policy Guild | Update `/docs/policy/vuln-determinations.md` for new rationale, signals, simulation semantics. |
| 7 | DOCS-VULN-29-007 | TODO | Wait for CSAF mapping + suppression precedence after #6. | Docs Guild · Excititor Guild | Publish `/docs/vex/explorer-integration.md` covering CSAF mapping, suppression precedence, status semantics. |
| 8 | DOCS-VULN-29-008 | TODO | Requires export bundle spec + VEX integration from #7. | Docs Guild · Concelier Guild | Publish `/docs/advisories/explorer-integration.md` covering key normalization, withdrawn handling, provenance. |
| 9 | DOCS-VULN-29-009 | TODO | Needs SBOM/vuln scope guidance following #8. | Docs Guild · SBOM Service Guild | Author `/docs/sbom/vuln-resolution.md` detailing version semantics, scope, paths, safe version hints. |
| 10 | DOCS-VULN-29-010 | TODO | Await DevOps telemetry plan after #9. | Docs Guild · Observability Guild | Publish `/docs/observability/vuln-telemetry.md` (metrics, logs, tracing, dashboards, SLOs). |
| 11 | DOCS-VULN-29-011 | TODO | Requires security review + role matrix after #10. | Docs Guild · Security Guild | Create `/docs/security/vuln-rbac.md` for roles, ABAC policies, attachment encryption, CSRF. |
| 12 | DOCS-VULN-29-012 | TODO | Depends on policy overlay outputs after #11. | Docs Guild · Ops Guild | Write `/docs/runbooks/vuln-ops.md` (projector lag, resolver storms, export failures, policy activation). |
| 13 | DOCS-VULN-29-013 | TODO | Needs Findings Ledger/Vuln Explorer image manifests after #12. | Docs Guild · Deployment Guild | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API images, manifests, resource sizing, health checks. |
| 1 | DOCS-VULN-29-001 | DOING | Outline stub drafted at `docs/vuln/explorer-overview.md`; awaiting GRAP0101 domain model freeze. | Docs Guild · Vuln Explorer Guild | Publish `/docs/vuln/explorer-overview.md` covering domain model, identities, AOC guarantees, workflow summary. |
| 2 | DOCS-VULN-29-002 | TODO | Blocked on #1 content; draft stub at `docs/vuln/explorer-using-console.md` pending assets. | Docs Guild · Console Guild | Write `/docs/vuln/explorer-using-console.md` with workflows, screenshots, keyboard shortcuts, saved views, deep links. |
| 3 | DOCS-VULN-29-003 | TODO | Draft stub at `docs/vuln/explorer-api.md`; needs GRAP0101 schema + asset samples after #2. | Docs Guild · Vuln Explorer API Guild | Author `/docs/vuln/explorer-api.md` (endpoints, query schema, grouping, errors, rate limits). |
| 4 | DOCS-VULN-29-004 | TODO | Stub at `docs/vuln/explorer-cli.md`; awaiting API schema + CLI samples from #3. | Docs Guild · DevEx/CLI Guild | Publish `/docs/vuln/explorer-cli.md` with command reference, samples, exit codes, CI snippets. |
| 5 | DOCS-VULN-29-005 | TODO | Stub at `docs/vuln/findings-ledger.md`; awaits GRAP0101 + security review + CLI flow (#4). | Docs Guild · Findings Ledger Guild | Write `/docs/vuln/findings-ledger.md` detailing event schema, hashing, Merkle roots, replay tooling. |
| 6 | DOCS-VULN-29-006 | TODO | Stub at `docs/policy/vuln-determinations.md`; awaiting signals/sim semantics from #5 + DevOps plan. | Docs Guild · Policy Guild | Update `/docs/policy/vuln-determinations.md` for new rationale, signals, simulation semantics. |
| 7 | DOCS-VULN-29-007 | TODO | Stub at `docs/vex/explorer-integration.md`; waiting on CSAF mapping + suppression precedence after #6. | Docs Guild · Excititor Guild | Publish `/docs/vex/explorer-integration.md` covering CSAF mapping, suppression precedence, status semantics. |
| 8 | DOCS-VULN-29-008 | TODO | Stub at `docs/advisories/explorer-integration.md`; requires export bundle spec + VEX integration from #7. | Docs Guild · Concelier Guild | Publish `/docs/advisories/explorer-integration.md` covering key normalization, withdrawn handling, provenance. |
| 9 | DOCS-VULN-29-009 | TODO | Stub at `docs/sbom/vuln-resolution.md`; needs SBOM/vuln scope guidance following #8. | Docs Guild · SBOM Service Guild | Author `/docs/sbom/vuln-resolution.md` detailing version semantics, scope, paths, safe version hints. |
| 10 | DOCS-VULN-29-010 | TODO | Stub at `docs/observability/vuln-telemetry.md`; awaiting DevOps telemetry plan after #9. | Docs Guild · Observability Guild | Publish `/docs/observability/vuln-telemetry.md` (metrics, logs, tracing, dashboards, SLOs). |
| 11 | DOCS-VULN-29-011 | TODO | Stub at `docs/security/vuln-rbac.md`; requires security review + role matrix after #10. | Docs Guild · Security Guild | Create `/docs/security/vuln-rbac.md` for roles, ABAC policies, attachment encryption, CSRF. |
| 12 | DOCS-VULN-29-012 | TODO | Stub at `docs/runbooks/vuln-ops.md`; depends on policy overlay outputs after #11. | Docs Guild · Ops Guild | Write `/docs/runbooks/vuln-ops.md` (projector lag, resolver storms, export failures, policy activation). |
| 13 | DOCS-VULN-29-013 | TODO | Pending images/manifests after #12; will update existing `/docs/install/containers.md` when available (no stub created to avoid conflicts). | Docs Guild · Deployment Guild | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API images, manifests, resource sizing, health checks. |
## Wave Coordination
- Single wave (Md.XI) covering Vuln Explorer + Findings Ledger docs; sequencing follows Delivery Tracker dependencies.
@@ -58,9 +58,12 @@
## Action Tracker
| Action | Owner | Due | Status |
| --- | --- | --- | --- |
| Collect GRAP0101 contract snapshot for Vuln Explorer overview. | Docs Guild | 2025-12-08 | Open |
| Request export bundle spec + provenance notes for advisories integration. | Concelier Guild | 2025-12-12 | Open |
| Prepare hash manifest template for screenshots/payloads under `docs/assets/vuln-explorer/`. | Docs Guild | 2025-12-10 | Open |
| Collect GRAP0101 contract snapshot for Vuln Explorer overview. | Docs Guild | 2025-12-08 | In Progress |
| Request export bundle spec + provenance notes for advisories integration. | Concelier Guild | 2025-12-12 | In Progress |
| Prepare hash manifest template for screenshots/payloads under `docs/assets/vuln-explorer/`. | Docs Guild | 2025-12-10 | DONE |
| Request console/UI/CLI asset drop (screens, payloads, samples) for DOCS-VULN-29-002..004. | Vuln Explorer Guild · Console Guild · DevEx/CLI Guild | 2025-12-09 | In Progress |
| Secure DevOps telemetry plan for Vuln Explorer metrics/logs/traces (task #10). | DevOps Guild | 2025-12-16 | Open |
| Security review for RBAC/attachment token wording (task #11) and hashing posture. | Security Guild | 2025-12-18 | Open |
## Decisions & Risks
### Decisions
@@ -79,3 +82,19 @@
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-05 | Normalised sprint to docs/implplan template; renamed file to `SPRINT_0311_0001_0001_docs_tasks_md_xi.md`; no task status changes. | Project Mgmt |
| 2025-12-05 | Kicked off Md.XI: moved DOCS-VULN-29-001 to DOING; drafting outline using existing Vuln Explorer architecture notes while waiting on GRAP0101 contract. | Project Mgmt |
| 2025-12-05 | Marked GRAP0101 contract collection as In Progress; prepped outline structure to receive contract inputs and planned hash manifest template location under `docs/assets/vuln-explorer/`. | Project Mgmt |
| 2025-12-05 | Created hash manifest placeholder `docs/assets/vuln-explorer/SHA256SUMS` to keep deterministic captures ready; marked action as DONE. | Project Mgmt |
| 2025-12-05 | Initiated outreach for export bundle spec/provenance notes (Concelier Guild) to unblock DOCS-VULN-29-008 and downstream SBOM/observability/install docs; action now In Progress. | Project Mgmt |
| 2025-12-05 | Requested console/UI/CLI asset drop (screens, payloads, samples) to unblock DOCS-VULN-29-002..004; tracking in Action Tracker with 2025-12-09 due. | Project Mgmt |
| 2025-12-05 | Drafted outline stub for DOCS-VULN-29-001 at `docs/vuln/explorer-overview.md`; placeholders marked pending GRAP0101 and asset drops; kept task at DOING. | Docs Guild |
| 2025-12-05 | Enriched overview stub with current architecture details (entities, ABAC scopes, workflow, AOC chain) while retaining GRAP0101 placeholders; no status change to DOCS-VULN-29-001. | Docs Guild |
| 2025-12-05 | Added console guide stub `docs/vuln/explorer-using-console.md`; retains TODO status until GRAP0101 + UI assets arrive; noted hash requirements. | Docs Guild |
| 2025-12-05 | Added API guide stub `docs/vuln/explorer-api.md`; waiting on GRAP0101 field names and asset payloads; DOCS-VULN-29-003 remains TODO. | Docs Guild |
| 2025-12-05 | Added CLI guide stub `docs/vuln/explorer-cli.md`; pending API schema + CLI samples; DOCS-VULN-29-004 stays TODO. | Docs Guild |
| 2025-12-05 | Added findings ledger doc stub `docs/vuln/findings-ledger.md`; pending GRAP0101 alignment and security review; DOCS-VULN-29-005 remains TODO. | Docs Guild |
| 2025-12-05 | Added policy determinations stub `docs/policy/vuln-determinations.md`; awaiting signals/simulation semantics and DevOps rollout; DOCS-VULN-29-006 remains TODO. | Docs Guild |
| 2025-12-05 | Added stubs for VEX integration, advisories integration, SBOM resolution, telemetry, RBAC, and ops runbook (`docs/vex/explorer-integration.md`, `docs/advisories/explorer-integration.md`, `docs/sbom/vuln-resolution.md`, `docs/observability/vuln-telemetry.md`, `docs/security/vuln-rbac.md`, `docs/runbooks/vuln-ops.md`); tasks #7#12 remain TODO pending upstream inputs. | Docs Guild |
| 2025-12-05 | Added Action Tracker items for telemetry plan (DevOps) and security review (RBAC/attachments hashing) to unblock tasks #10#11; statuses Open. | Project Mgmt |
| 2025-12-05 | Filled additional architecture-aligned details into overview and VEX integration stubs (VEX-first ordering, workflow refinement); tasks remain DOING/TODO awaiting GRAP0101 and assets. | Docs Guild |
| 2025-12-05 | Added hash capture checklists to console/API/CLI/ledger stubs to accelerate deterministic publishing once assets land; task statuses unchanged. | Docs Guild |