stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Finish off old sprints

Browse Source
This commit is contained in:
master
2026-02-18 15:01:04 +02:00
parent af4f261de8
commit 1bcab39a2c
28 changed files with 2534 additions and 330 deletions
Download Patch File Download Diff File Expand all files Collapse all files

311
docs/implplan/SPRINT_20260211_033_BinaryIndex_unchecked_feature_verification_continuation.md
View File

@@ -1,311 +0,0 @@
# Sprint 20260211_033 - BinaryIndex Unchecked Feature Verification Continuation
## Topic & Scope
- Continue BinaryIndex unchecked feature verification under FLOW problems-first lock after prior sprint archival.
- Verify queued BinaryIndex dossiers with Tier 0/1/2 evidence and terminal state transitions.
- Keep lane collision-safe: if active ownership conflicts occur, terminalize obstacle states per FLOW 0.1 and continue deterministically.
- Working directory: `src/BinaryIndex`.
- Expected evidence: run artifacts in `docs/qa/feature-checks/runs/binaryindex/**`, state updates, and feature-file transitions.
## Dependencies & Concurrency
- Depends on BinaryIndex DeltaSig, Disassembly, Normalization, and WebService projects plus corresponding test projects.
- Cross-directory updates allowed in `docs/features/**`, `docs/qa/feature-checks/**`, and this sprint file for auditability.
- Concurrency rule: if another lane actively owns the selected feature and write conflicts occur, mark obstacle and terminalize this lane as `skipped` (`owned_by_other_agent`) before selecting next feature.
## Documentation Prerequisites
- `docs/qa/feature-checks/FLOW.md`
- `src/BinaryIndex/AGENTS.md`
- `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/AGENTS.md`
- `src/BinaryIndex/StellaOps.BinaryIndex.WebService/AGENTS.md`
- `docs/modules/binary-index/architecture.md`
## Delivery Tracker
### QA-BINARYINDEX-VERIFY-015 - Verify `delta-signature-matching-and-patch-coverage-analysis`
Status: DONE
Dependency: none
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `delta-signature-matching-and-patch-coverage-analysis` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [x] Tier 0/1/2 verification completed or terminal not_implemented decision recorded.
### QA-BINARYINDEX-VERIFY-016 - Verify `delta-signature-predicates`
Status: DONE
Dependency: QA-BINARYINDEX-VERIFY-015
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `delta-signature-predicates` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [x] Tier 0/1/2 verification completed or terminal not_implemented decision recorded.
### QA-BINARYINDEX-VERIFY-017 - Verify `disassembly-and-binary-analysis-pipeline`
Status: DONE
Dependency: QA-BINARYINDEX-VERIFY-016
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `disassembly-and-binary-analysis-pipeline` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [x] Tier 0/1/2 verification completed or terminal not_implemented decision recorded.
### QA-BINARYINDEX-VERIFY-018 - Verify `elf-normalization-and-delta-hashing`
Status: DONE
Dependency: QA-BINARYINDEX-VERIFY-017
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `elf-normalization-and-delta-hashing` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [x] Tier 0/1/2 verification completed or terminal not_implemented decision recorded.
### QA-BINARYINDEX-VERIFY-019 - Verify `ensemble-decision-engine-for-multi-tier-matching`
Status: DONE
Dependency: QA-BINARYINDEX-VERIFY-018
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `ensemble-decision-engine-for-multi-tier-matching` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [x] Tier 0/1/2 verification completed or terminal not_implemented decision recorded.
### QA-BINARYINDEX-VERIFY-020 - Verify `function-range-hashing-and-symbol-mapping`
Status: TODO
Dependency: QA-BINARYINDEX-VERIFY-019
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `function-range-hashing-and-symbol-mapping` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [ ] Tier 0/1/2 verification completed or terminal not_implemented decision recorded.
### QA-BINARYINDEX-VERIFY-021 - Verify `golden-corpus-bundle-export-import-service`
Status: TODO
Dependency: none
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `golden-corpus-bundle-export-import-service` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [ ] Tier 0/1/2 verification completed or terminal not_implemented decision recorded.
### QA-BINARYINDEX-VERIFY-022 - Verify `golden-corpus-kpi-regression-service`
Status: TODO
Dependency: none
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `golden-corpus-kpi-regression-service` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [ ] Tier 0/1/2 verification completed or terminal not_implemented decision recorded.
### QA-BINARYINDEX-VERIFY-023 - Verify `golden-set-for-patch-validation`
Status: TODO
Dependency: QA-BINARYINDEX-VERIFY-022
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `golden-set-for-patch-validation` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [ ] Tier 0/1/2 verification completed or terminal not_implemented decision recorded.
### QA-BINARYINDEX-VERIFY-023 - Verify `golden-corpus-validation-harness`
Status: TODO
Dependency: none
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `golden-corpus-validation-harness` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [ ] Tier 0/1/2 verification completed or terminal not_implemented decision recorded.
### QA-BINARYINDEX-VERIFY-024 - Verify `golden-set-schema-and-management`
Status: TODO
Dependency: none
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `golden-set-schema-and-management` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [ ] Tier 0/1/2 verification completed or terminal not_implemented decision recorded.
### QA-BINARYINDEX-VERIFY-025 - Verify `ground-truth-corpus-infrastructure`
Status: TODO
Dependency: none
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `ground-truth-corpus-infrastructure` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [ ] Tier 0/1/2 verification completed or terminal not_implemented decision recorded.
### QA-BINARYINDEX-VERIFY-026 - Verify `known-build-binary-catalog`
Status: DONE
Dependency: none
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `known-build-binary-catalog` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [x] Tier 0/1/2 verification completed or terminal not_implemented decision recorded.
### QA-BINARYINDEX-VERIFY-027 - Verify `local-mirror-layer-for-corpus-sources`
Status: DONE
Dependency: none
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `local-mirror-layer-for-corpus-sources` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [x] Tier 0/1/2 verification completed or terminal not_implemented decision recorded.
### QA-BINARYINDEX-VERIFY-028 - Verify `ml-function-embedding-service`
Status: BLOCKED
Dependency: none
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `ml-function-embedding-service` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [ ] Tier 0/1/2 verification completed or terminal not_implemented decision recorded.
### QA-BINARYINDEX-VERIFY-029 - Verify `patch-coverage-tracking`
Status: DONE
Dependency: none
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `patch-coverage-tracking` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [x] Tier 0/1/2 verification completed or terminal not_implemented decision recorded.
### QA-BINARYINDEX-VERIFY-030 - Verify `static-to-binary-braid`
Status: DOING
Dependency: none
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `static-to-binary-braid` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [ ] Tier 0/1/2 verification completed or terminal not_implemented decision recorded.
### QA-BINARYINDEX-VERIFY-031 - Verify `symbol-change-tracking-in-binary-diffs`
Status: DONE
Dependency: none
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `symbol-change-tracking-in-binary-diffs` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [x] Tier 0/1/2 verification completed or terminal not_implemented decision recorded.
### QA-BINARYINDEX-VERIFY-032 - Verify `symbol-source-connectors`
Status: DOING
Dependency: none
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `symbol-source-connectors` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [ ] Tier 0/1/2 verification completed or terminal not_implemented decision recorded.
### QA-BINARYINDEX-VERIFY-033 - Verify `vulnerable-binaries-database`
Status: DONE
Dependency: none
Owners: Developer / Implementer, QA / Test Automation, Documentation author
Task description:
- Resolve the active FLOW problem-lock item for `vulnerable-binaries-database` by implementing missing runtime wiring and rerunning Tier 0/1/2 with fresh artifacts.
- Ensure WebService supports deterministic/offline fallbacks for GoldenSet and resolution cache behavior, restore Worker project buildability, and verify API behavior end-to-end.
Completion criteria:
- [x] Tier 0 source/symbol verification refreshed in `run-002`.
- [x] Tier 1 build/tests pass for Worker + BinaryIndex libraries/WebService relevant to this feature.
- [x] Tier 2 API verification passes with fresh request/response evidence.
- [x] Feature file moved to `docs/features/checked/binaryindex/` and module state set to terminal `done`.
### QA-BINARYINDEX-VERIFY-034 - Remediate and recheck `vulnerable-code-fingerprint-matching`
Status: DONE
Dependency: none
Owners: Developer / Implementer, QA / Test Automation, Documentation author
Task description:
- Close the FLOW failure loop for `vulnerable-code-fingerprint-matching` by implementing missing fingerprint extraction behavior and restoring claimed curated package coverage.
- Re-run Tier 0/1/2 with fresh run artifacts and promote dossier from `unimplemented` to `checked` only if parity is restored.
Completion criteria:
- [x] `FingerprintExtractor` no longer relies on seed-only synthetic fingerprints and produces deterministic byte-window-derived fingerprint signals.
- [x] Golden CVE fixture coverage includes required high-impact package set (`openssl`, `glibc`, `zlib`, `curl`) with regression checks.
- [x] Fresh `run-002` Tier 0/1/2 artifacts pass and state transitions to terminal `done`.
- [x] Stale unimplemented dossier copy removed after successful promotion to checked.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-12 | Completed `QA-BINARYINDEX-VERIFY-034`: remediated `vulnerable-code-fingerprint-matching` by replacing synthetic/stubbed extractor behavior with deterministic byte-window fingerprint extraction, expanded golden CVE package coverage (glibc/zlib/curl), captured fresh `run-002` Tier 0/1/2 passing artifacts, promoted dossier to `docs/features/checked/binaryindex/`, and terminalized state as `done`. | QA/Dev |
| 2026-02-12 | Completed `QA-BINARYINDEX-VERIFY-033` for `vulnerable-binaries-database`: added deterministic `InMemoryGoldenSetStore` and `InMemoryResolutionCacheService`, updated WebService DI and resolution error mapping, restored Worker project buildability with `StellaOps.BinaryIndex.Worker.csproj`, produced fresh `run-002` Tier 0/1/2 artifacts, and terminalized feature as `done` in checked dossiers. | QA/Dev |
| 2026-02-12 | Claimed `symbol-source-connectors` as `checking` (`run-001`) and moved `QA-BINARYINDEX-VERIFY-032` to DOING as the next deterministic queued BinaryIndex feature. | QA |
| 2026-02-12 | Completed `QA-BINARYINDEX-VERIFY-031`: `symbol-change-tracking-in-binary-diffs` run-001 reached terminal `not_implemented` after Tier 1 parity review confirmed `IrDiffGenerator` placeholder behavior and missing IR-diff behavioral test coverage despite passing Tier 0/1/2 command executions. | QA |
| 2026-02-12 | Claimed `symbol-change-tracking-in-binary-diffs` as `checking` (`run-001`) and moved `QA-BINARYINDEX-VERIFY-031` to DOING as the next deterministic queued BinaryIndex feature. | QA |
| 2026-02-12 | Claimed `static-to-binary-braid` as `checking` (`run-001`) and moved `QA-BINARYINDEX-VERIFY-030` to DOING to clear current FLOW problem lock. | QA |
| 2026-02-12 | Completed `patchdiffengine` run-001 with fresh Tier 0/1/2 artifacts; remediated `InMemoryDiffResultStore` to use deterministic content-addressed IDs, added `FunctionRenameDetectorTests` and `InMemoryDiffResultStoreTests`, and promoted dossier to `docs/features/checked/binaryindex/patchdiffengine.md`. | QA |
| 2026-02-12 | Completed `QA-BINARYINDEX-VERIFY-029`: `patch-coverage-tracking` run-001 passed Tier 0/1/2 with patch-coverage controller behavioral evidence (including post-create coverage update checks) and delta signature matcher verification; dossier moved to `docs/features/checked/binaryindex/patch-coverage-tracking.md`. | QA |
| 2026-02-12 | `patch-coverage-tracking` was terminalized as `skipped` (`skipReason=owned_by_other_agent`) by a concurrent lane after ownership collision; `QA-BINARYINDEX-VERIFY-029` remains blocked in this lane per FLOW 0.1 obstacle handling. | QA |
| 2026-02-12 | `ml-function-embedding-service` was actively owned by another lane (`run-001` artifacts already being written); this lane terminalized the collision as `skipped` (`owned_by_other_agent`) per FLOW 0.1 and moved to the next queued feature. | QA |
| 2026-02-12 | Claimed `patch-coverage-tracking` as `checking` (`run-001`) and moved `QA-BINARYINDEX-VERIFY-029` to DOING as next deterministic queued BinaryIndex feature. | QA |
| 2026-02-12 | Re-ran `QA-BINARYINDEX-VERIFY-026` with fresh `run-002` artifacts: fixed cache read-through regression and assertion repository Dapper mapping, added persistence coverage (`BinaryVulnAssertionRepositoryTests` + SHA256 precedence test), and confirmed Tier 0/1/2 pass with terminal `done`. | QA |
| 2026-02-12 | Claimed `ml-function-embedding-service` as `checking` (`run-001`) and moved `QA-BINARYINDEX-VERIFY-028` to DOING as next deterministic queued BinaryIndex feature. | QA |
| 2026-02-12 | Completed `QA-BINARYINDEX-VERIFY-027`: `local-mirror-layer-for-corpus-sources` run-001 reached terminal `not_implemented` after Tier 1/Tier 2 parity review found missing Alpine/RPM mirror-source implementations and connector-level offline cache behavior coverage. | QA |
| 2026-02-12 | Claimed `local-mirror-layer-for-corpus-sources` as `checking` (`run-001`) and moved `QA-BINARYINDEX-VERIFY-027` to DOING as next deterministic queued BinaryIndex feature. | QA |
| 2026-02-12 | Completed `QA-BINARYINDEX-VERIFY-026`: `known-build-binary-catalog` run-001 parity gaps were remediated and rechecked with fresh run-002 Tier 0/1/2 evidence, ending in terminal `done` and promotion to `docs/features/checked/binaryindex/known-build-binary-catalog.md`. | QA |
| 2026-02-12 | Claimed `ground-truth-corpus-infrastructure` as `checking` (`run-001`) and moved `QA-BINARYINDEX-VERIFY-025` to DOING as next deterministic queued BinaryIndex feature. | QA |
| 2026-02-11 | Sprint created for continuation lane after concurrent archival of prior BinaryIndex verification sprint; preparing deterministic next-feature claim. | QA |
| 2026-02-11 | Detected active concurrent writes on `delta-signature-matching-and-patch-coverage-analysis` (`run-002`); terminalized this lane as `skipped` with `skipReason=owned_by_other_agent` per FLOW 0.1. | QA |
| 2026-02-11 | Claimed `delta-signature-predicates` as `checking` (`run-001`) and moved `QA-BINARYINDEX-VERIFY-016` to DOING as the next deterministic queued BinaryIndex feature. | QA |
| 2026-02-11 | `delta-signature-predicates` run-001 passed Tier 0/1/2 with DeltaSig/VexBridge behavioral evidence; dossier moved to `docs/features/checked/binaryindex/` and task 016 marked DONE. | QA |
| 2026-02-11 | Claimed `disassembly-and-binary-analysis-pipeline` as `checking` (`run-001`) and moved `QA-BINARYINDEX-VERIFY-017` to DOING as the next FLOW problem feature. | QA |
| 2026-02-11 | `disassembly-and-binary-analysis-pipeline` run-001 passed Tier 0/1/2 with Disassembly/Ghidra/Decompiler behavioral evidence; dossier moved to `docs/features/checked/binaryindex/` and task 017 marked DONE. | QA |
| 2026-02-11 | Completed `QA-BINARYINDEX-VERIFY-015` using `run-002`: initial Tier 2 API checks failed (missing `IDeltaSignatureRepository` wiring); after remediation and retest, API/runtime gap is fixed but feature remains `not_implemented` due placeholder IR-diff behavior. | QA |
| 2026-02-11 | `elf-normalization-and-delta-hashing` run-001 reached terminal `not_implemented` in a parallel lane; this lane restored terminal state after duplicate claim to clear FLOW problem lock. | QA |
| 2026-02-11 | Claimed `ensemble-decision-engine-for-multi-tier-matching` as `checking` (`run-001`) and moved `QA-BINARYINDEX-VERIFY-019` to DOING as next deterministic queued BinaryIndex feature. | QA |
| 2026-02-11 | `ensemble-decision-engine-for-multi-tier-matching` run-001 reached terminal `not_implemented`; Tier 0/1/2 evidence confirmed contract mismatch vs implemented signal tiers and key-class coverage gaps, and dossier moved to `docs/features/unimplemented/binaryindex/`. | QA |
| 2026-02-11 | Claimed `function-range-hashing-and-symbol-mapping` as `checking` (`run-001`) and moved `QA-BINARYINDEX-VERIFY-020` to DOING as next deterministic queued BinaryIndex feature. | QA |
| 2026-02-11 | Blocked `QA-BINARYINDEX-VERIFY-020`: required module-local charters are missing for `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Diff` and `src/BinaryIndex/__Tests/StellaOps.BinaryIndex.Diff.Tests`, so work cannot proceed under repo AGENTS rule 5. | QA |
| 2026-02-11 | Claimed `golden-corpus-bundle-export-import-service` as `checking` (`run-001`) and moved `QA-BINARYINDEX-VERIFY-021` to DOING as next deterministic queued BinaryIndex feature. | QA |
| 2026-02-11 | Blocked `QA-BINARYINDEX-VERIFY-021`: required module-local charter is missing for `src/BinaryIndex/__Tests/StellaOps.BinaryIndex.GroundTruth.Reproducible.Tests`, so work cannot proceed under repo AGENTS rule 5. | QA |
| 2026-02-11 | Claimed `golden-corpus-kpi-regression-service` as `checking` (`run-001`) and moved `QA-BINARYINDEX-VERIFY-022` to DOING as next deterministic queued BinaryIndex feature. | QA |
| 2026-02-11 | Blocked `QA-BINARYINDEX-VERIFY-022`: required module-local charter is missing for `src/BinaryIndex/__Tests/StellaOps.BinaryIndex.GroundTruth.Reproducible.Tests`, so work cannot proceed under repo AGENTS rule 5. | QA |
| 2026-02-11 | Claimed `golden-set-for-patch-validation` as `checking` (`run-001`) and moved `QA-BINARYINDEX-VERIFY-023` to DOING as next deterministic queued BinaryIndex feature. | QA |
| 2026-02-11 | Blocked `QA-BINARYINDEX-VERIFY-023`: required module-local charters are missing for `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis`, `src/BinaryIndex/__Tests/StellaOps.BinaryIndex.Analysis.Tests`, and `src/BinaryIndex/__Tests/StellaOps.BinaryIndex.GoldenSet.Tests`, so work cannot proceed under repo AGENTS rule 5. | QA |
| 2026-02-11 | Claimed `golden-corpus-validation-harness` as `checking` (`run-001`) and moved `QA-BINARYINDEX-VERIFY-023` to DOING as next deterministic queued BinaryIndex feature. | QA |
| 2026-02-11 | Blocked `QA-BINARYINDEX-VERIFY-023`: required module-local charters are missing for `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Validation`, `src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Validation.Abstractions`, and `src/BinaryIndex/__Tests/StellaOps.BinaryIndex.Validation.Tests`. | QA |
| 2026-02-11 | Claimed `golden-set-schema-and-management` as `checking` (`run-001`) and moved `QA-BINARYINDEX-VERIFY-024` to DOING as next deterministic queued BinaryIndex feature. | QA |
| 2026-02-11 | Blocked `QA-BINARYINDEX-VERIFY-024`: required module-local charter is missing for `src/BinaryIndex/__Tests/StellaOps.BinaryIndex.GoldenSet.Tests`, so work cannot proceed under repo AGENTS rule 5. | QA |
| 2026-02-11 | Claimed `ground-truth-corpus-infrastructure` as `checking` (`run-001`) and moved `QA-BINARYINDEX-VERIFY-025` to DOING as next deterministic queued BinaryIndex feature. | QA |
| 2026-02-11 | Blocked `QA-BINARYINDEX-VERIFY-025`: required module-local charter is missing for `src/BinaryIndex/__Tests/StellaOps.BinaryIndex.GroundTruth.Reproducible.Tests`, so work cannot proceed under repo AGENTS rule 5. | QA |
| 2026-02-11 | Claimed `known-build-binary-catalog` as `checking` (`run-001`) and moved `QA-BINARYINDEX-VERIFY-026` to DOING as next deterministic queued BinaryIndex feature. | QA |
## Decisions & Risks
- Decision: Continue with a new sprint file because prior BinaryIndex verification sprint was archived by another lane during active multi-agent execution.
- Decision: Verified `delta-signature-predicates` as implemented; retained dossier note that attestation integration behavior currently manifests through `IDeltaSigAttestorService` + `DeltaSigEnvelopeBuilder` in `DeltaSigAttestorIntegration.cs` despite key-class naming drift.
- Decision: Added deterministic WebService fallback wiring for `IDeltaSignatureRepository` so `PatchCoverageController` Tier 2 API checks execute in local/offline environments (`Program.cs` + `InMemoryDeltaSignatureRepository`).
- Decision: Added missing module-local charters under `src/BinaryIndex/__Libraries/**/AGENTS.md` and `src/BinaryIndex/__Tests/**/AGENTS.md` for previously blocked Diff/Validation/GroundTruth paths so QA verification can proceed.
- Decision: Remediated `known-build-binary-catalog` parity gaps (file SHA catalog lookup API, method-mapping coverage, cache repeat-lookup behavior) and terminalized as `done` after fresh run-002 verification.
- Decision: Remediated `patchdiffengine` persistence contract so `InMemoryDiffResultStore` now returns deterministic content-addressed IDs; added rename detection and store persistence coverage in `StellaOps.BinaryIndex.Diff.Tests` and terminalized feature as `done`.
- Decision: Terminalized `symbol-change-tracking-in-binary-diffs` as `not_implemented`; core symbol change tracing is present, but IR diff generation remains placeholder-backed and does not satisfy the dossier's semantic IR-diff claim.
- Decision: For `vulnerable-binaries-database`, WebService now wires deterministic runtime fallbacks for GoldenSet storage and resolution caching (`InMemoryGoldenSetStore`, `InMemoryResolutionCacheService`) so Tier 2 API checks remain operational in offline/dev runs when Redis/Postgres are unavailable.
- Decision: Added `src/BinaryIndex/StellaOps.BinaryIndex.Worker/StellaOps.BinaryIndex.Worker.csproj` and aligned `ReproducibleBuildJob` with current Builders contracts to restore buildability of documented Worker path.
- Decision: For `vulnerable-code-fingerprint-matching`, `FingerprintExtractor` now performs deterministic byte-window fingerprint derivation (basic-block/CFG/string refs/constants/call-targets) and the curated golden fixture now includes `openssl`, `glibc`, `zlib`, and `curl` package coverage required by the feature contract.
- Risk: Concurrent agents may claim the same BinaryIndex feature and produce conflicting run artifacts.
- Risk: `IrDiffGenerator` still emits placeholder IR-diff payloads, so the documented semantic IR-diff capability remains partially implemented.
- Risk: `local-mirror-layer-for-corpus-sources` dossier currently overstates offline mirror readiness; Alpine/RPM package-source implementations and connector-level offline cache behavior remain incomplete.
- Mitigation: Record ownership claim in state before Tier 0 and terminalize collisions per FLOW 0.1.
- Evidence: `docs/qa/feature-checks/runs/binaryindex/delta-signature-matching-and-patch-coverage-analysis/run-002/` and `docs/features/unimplemented/binaryindex/delta-signature-matching-and-patch-coverage-analysis.md`.
- Evidence: `docs/qa/feature-checks/runs/binaryindex/vulnerable-binaries-database/run-002/` and `docs/features/checked/binaryindex/vulnerable-binaries-database.md`.
- Evidence: `docs/qa/feature-checks/runs/binaryindex/vulnerable-code-fingerprint-matching/run-002/` and `docs/features/checked/binaryindex/vulnerable-code-fingerprint-matching.md`.
- Docs sync: updated `docs/modules/binary-index/architecture.md` with startup fallback behavior for patch-coverage routes and Tier-B catalog identity dimensions (Build-ID/binary key/file SHA256).
- Docs sync: updated `docs/modules/binary-index/architecture.md` Tier C contract notes with deterministic byte-window fingerprint extraction behavior and curated package-coverage requirement.
## Next Checkpoints
- Verify one BinaryIndex queued feature to terminal state with full Tier 0/1/2 artifacts.

237
docs/implplan/SPRINT_20260212_002_Scanner_unchecked_feature_verification_batch1.md
View File

@@ -1,237 +0,0 @@
# Sprint 20260212_002 - Scanner Unchecked Feature Verification Batch 1
## Topic & Scope
- Start deterministic verification for `docs/features/unchecked/scanner/*.md` using FLOW Tier 0/1/2 gates.
- Prioritize problems-first globally, then process Scanner features alphabetically with collision-safe ownership notes.
- Working directory: `src/Scanner`.
- Expected evidence: run artifacts under `docs/qa/feature-checks/runs/scanner/**`, scanner state transitions, and feature-file moves.
## Dependencies & Concurrency
- Depends on `docs/qa/feature-checks/FLOW.md` and repo/module AGENTS contracts.
- Cross-directory updates allowed in `docs/features/**`, `docs/qa/feature-checks/**`, and this sprint file for auditability.
- Concurrency rule: if another lane owns the same feature, terminalize this lane with `skipped` (`owned_by_other_agent`) and continue deterministically.
## Documentation Prerequisites
- `docs/qa/feature-checks/FLOW.md`
- `src/Scanner/AGENTS.md`
- `docs/modules/scanner/architecture.md`
- `docs/modules/platform/architecture-overview.md`
## Delivery Tracker
### QA-SCANNER-VERIFY-001 - Verify `3-bit-reachability-gate`
Status: TODO
Dependency: none
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `3-bit-reachability-gate` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [ ] Tier 0/1/2 verification completed or terminal decision recorded.
### QA-SCANNER-VERIFY-002 - Verify `secret-detection-and-credential-leak-guard`
Status: TODO
Dependency: QA-SCANNER-VERIFY-001
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `secret-detection-and-credential-leak-guard` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [ ] Tier 0/1/2 verification completed or terminal decision recorded.
### QA-SCANNER-VERIFY-003 - Verify `ai-governance-policy-loader-for-ml-bom-scanning`
Status: DONE
Dependency: none
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `ai-governance-policy-loader-for-ml-bom-scanning` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [x] Tier 0/1/2 verification completed or terminal decision recorded.
### QA-SCANNER-VERIFY-004 - Verify `ai-ml-supply-chain-security-analysis-module`
Status: DONE
Dependency: QA-SCANNER-VERIFY-003
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `ai-ml-supply-chain-security-analysis-module` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [x] Tier 0/1/2 verification completed or terminal decision recorded.
### QA-SCANNER-VERIFY-005 - Verify `api-gateway-boundary-extractor`
Status: DONE
Dependency: QA-SCANNER-VERIFY-004
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `api-gateway-boundary-extractor` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [x] Tier 0/1/2 verification completed or terminal decision recorded.
### QA-SCANNER-VERIFY-006 - Verify `auto-vex-generation-from-smart-diff`
Status: DONE
Dependency: QA-SCANNER-VERIFY-005
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `auto-vex-generation-from-smart-diff` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [x] Tier 0/1/2 verification completed or terminal decision recorded.
### QA-SCANNER-VERIFY-007 - Verify `base-image-detection-and-recommendations`
Status: DONE
Dependency: QA-SCANNER-VERIFY-006
Owners: Developer / Implementer, QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `base-image-detection-and-recommendations` against source, build/tests, and user-surface behavioral evidence.
- If fuzzy or bulk recommendation behavior is missing, implement it first, then re-run Tier 1/Tier 2 before moving to another feature.
Completion criteria:
- [x] Tier 0/1/2 verification completed or terminal decision recorded.
- [x] Feature file moved to `docs/features/checked/scanner/` with `VERIFIED` status and fresh verification notes.
### QA-SCANNER-VERIFY-008 - Verify `binary-intelligence-engine`
Status: DONE
Dependency: QA-SCANNER-VERIFY-007
Owners: Developer / Implementer, QA / Test Automation, Documentation author
Task description:
- Re-verify `binary-intelligence-engine` after implementation remediation, ensuring entry-trace graph contract enrichment, worker execution wiring, serializer round-trip, and endpoint payload behavior are all covered by deterministic Tier 1/Tier 2 evidence.
Completion criteria:
- [x] Tier 0/1/2 verification completed with passing run artifacts under `docs/qa/feature-checks/runs/scanner/binary-intelligence-engine/run-002/`.
- [x] Feature dossier promoted from `docs/features/unimplemented/scanner/` to `docs/features/checked/scanner/` with `VERIFIED` status.
### QA-SCANNER-VERIFY-009 - Verify `binary-sbom-and-build-id-to-purl-mapping`
Status: DONE
Dependency: QA-SCANNER-VERIFY-008
Owners: Developer / Implementer, QA / Test Automation, Documentation author
Task description:
- Re-verify `binary-sbom-and-build-id-to-purl-mapping` against FLOW Tier 0/1/2 and close the previously triaged runtime wiring gaps for patch verification invocation, Build-ID lookup integration, and unified binary finding mapping in worker execution.
Completion criteria:
- [x] Runtime wiring gaps are implemented in production worker paths with deterministic tests.
- [x] `run-002` Tier 0/1/2 artifacts pass, including semantic code-review checks.
- [x] Feature dossier promoted to `docs/features/checked/scanner/binary-sbom-and-build-id-to-purl-mapping.md`.
### QA-SCANNER-VERIFY-010 - Verify `bug-id-to-cve-mapping-in-changelog-parsing`
Status: DONE
Dependency: QA-SCANNER-VERIFY-009
Owners: Developer / Implementer, QA / Test Automation, Documentation author
Task description:
- Verify the feature contract for changelog bug-reference extraction (`Closes: #...`, `RHBZ#...`, `LP: #...`) and bug-to-CVE correlation evidence in Scanner OS analyzer outputs.
- If runtime extraction or mapping behavior is missing, implement deterministic parsing and metadata emission, add focused tests, and re-run Tier 0/1/2 before advancing.
Completion criteria:
- [x] Tier 0/1/2 verification completed with fresh run artifacts under `docs/qa/feature-checks/runs/scanner/bug-id-to-cve-mapping-in-changelog-parsing/run-001/`.
- [x] Feature dossier moved to `docs/features/checked/scanner/bug-id-to-cve-mapping-in-changelog-parsing.md` with `VERIFIED` status.
### QA-SCANNER-VERIFY-011 - Verify `build-provenance-verification-module-with-slsa-level-evaluator`
Status: DONE
Dependency: QA-SCANNER-VERIFY-010
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `build-provenance-verification-module-with-slsa-level-evaluator` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [x] Tier 0/1/2 verification completed or terminal decision recorded.
### QA-SCANNER-VERIFY-012 - Verify `bun-call-graph-extractor`
Status: DONE
Dependency: QA-SCANNER-VERIFY-011
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `bun-call-graph-extractor` against source, build/tests, and user-surface behavioral evidence.
- If Bun-specific extraction, entrypoint classification, or sink matching behavior is incomplete in runtime call graph outputs, implement deterministic fixes and re-run Tier 0/1/2 before moving on.
Completion criteria:
- [x] Tier 0/1/2 verification completed or terminal decision recorded.
### QA-SCANNER-VERIFY-013 - Verify `bun-language-analyzer`
Status: DONE
Dependency: QA-SCANNER-VERIFY-012
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `bun-language-analyzer` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [x] Tier 0/1/2 verification completed or terminal decision recorded.
### QA-SCANNER-VERIFY-014 - Verify `byos-ingestion-workflow`
Status: DONE
Dependency: QA-SCANNER-VERIFY-013
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `byos-ingestion-workflow` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [x] Tier 0/1/2 verification completed or terminal decision recorded.
### QA-SCANNER-VERIFY-015 - Verify `canonical-node-hash-and-path-hash-recipes-for-reachability`
Status: DOING
Dependency: QA-SCANNER-VERIFY-014
Owners: QA / Test Automation, Documentation author
Task description:
- Validate feature claims for `canonical-node-hash-and-path-hash-recipes-for-reachability` against source, build/tests, and user-surface behavioral evidence.
Completion criteria:
- [ ] Tier 0/1/2 verification completed or terminal decision recorded.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-12 | Claimed `canonical-node-hash-and-path-hash-recipes-for-reachability` as next Scanner queued feature (`run-001`) and moved `QA-SCANNER-VERIFY-015` to DOING. | QA |
| 2026-02-12 | Completed `QA-SCANNER-VERIFY-014`: implemented BYOS ingestion parity fix by aligning `PostgresArtifactBomRepository` schema contract with `scanner` migration bindings, added focused BYOS endpoint behavioral tests, and passed Tier 0/1/2 API verification in `run-001`; dossier promoted to `docs/features/checked/scanner/byos-ingestion-workflow.md`. | QA |
| 2026-02-12 | Claimed `byos-ingestion-workflow` as next Scanner queued feature (`run-001`) and moved `QA-SCANNER-VERIFY-014` to DOING. | QA |
| 2026-02-12 | Completed `QA-SCANNER-VERIFY-013`: `bun-language-analyzer` run-001 reached terminal `not_implemented`; Tier 0 file checks and Tier 1 builds passed, but Bun deterministic suite failed (`98/115`) and code review/Tier 2 confirmed `bun.lockb` is remediation-only rather than binary parsing support. Dossier moved to `docs/features/unimplemented/scanner/bun-language-analyzer.md`. | QA |
| 2026-02-12 | Claimed `bun-language-analyzer` as next Scanner queued feature (`run-001`) and moved `QA-SCANNER-VERIFY-013` to DOING. | QA |
| 2026-02-12 | Completed `QA-SCANNER-VERIFY-012`: `bun-call-graph-extractor` run-001 reached terminal `not_implemented`; Tier 0/1 passed with new Bun extractor behavior tests, but semantic parity failed because Bun extractor is not registered in call-graph DI and source-mode extraction does not link entrypoints to sinks via edges. Dossier moved to `docs/features/unimplemented/scanner/bun-call-graph-extractor.md`. | QA |
| 2026-02-12 | Claimed `bun-call-graph-extractor` as next Scanner queued feature (`run-001`) and moved `QA-SCANNER-VERIFY-012` to DOING. | QA |
| 2026-02-12 | Completed `QA-SCANNER-VERIFY-011`: `build-provenance-verification-module-with-slsa-level-evaluator` run-001 reached terminal `not_implemented`; Tier 0/1 passed with focused BuildProvenance behavior checks, but runtime no-provenance worker-stage contract parity failed and dossier moved to `docs/features/unimplemented/scanner/build-provenance-verification-module-with-slsa-level-evaluator.md`. | QA |
| 2026-02-12 | Completed `QA-SCANNER-VERIFY-010`: implemented deterministic changelog bug-reference extraction and bug-to-CVE mapping wiring for RPM/DPKG analyzers (including `.gz` changelog ingestion), added focused OS analyzer tests, captured passing Tier 0/1/2 artifacts in `run-001`, and promoted dossier to `docs/features/checked/scanner/bug-id-to-cve-mapping-in-changelog-parsing.md`. | QA |
| 2026-02-12 | Claimed `build-provenance-verification-module-with-slsa-level-evaluator` as next Scanner queued feature (`run-001`) and moved `QA-SCANNER-VERIFY-011` to DOING. | QA |
| 2026-02-12 | Terminalized this lane for `bug-id-to-cve-mapping-in-changelog-parsing` as `skipped` (`owned_by_other_agent`) after detecting active ownership in sprint/task boards; recorded obstacle artifact in `run-001/obstacle.json` and moved to the next eligible queued feature per FLOW 0.1. | QA |
| 2026-02-12 | Claimed `bug-id-to-cve-mapping-in-changelog-parsing` as next Scanner queued feature (`run-001`) and moved `QA-SCANNER-VERIFY-010` to DOING. | QA |
| 2026-02-12 | Completed `QA-SCANNER-VERIFY-009`: implemented worker runtime wiring for patch verification orchestration, Build-ID mapping publication, and unified binary finding mapping in `BinaryLookupStageExecutor`; added deterministic worker test coverage and passed `binary-sbom-and-build-id-to-purl-mapping` run-002 Tier 0/1/2 with semantic checks. | QA |
| 2026-02-12 | Completed `QA-SCANNER-VERIFY-008`: regenerated `binary-intelligence-engine` run-002 evidence with corrected command invocation, validated Tier 1/Tier 2 pass, and promoted dossier to `docs/features/checked/scanner/binary-intelligence-engine.md`. | QA |
| 2026-02-12 | Completed `QA-SCANNER-VERIFY-007`: implemented deterministic fuzzy recommendation scoring + bulk recommendation APIs for `IBaseImageDetector`, added focused behavioral tests (`BaseImageRecommendationTests`), captured fresh Tier 1/Tier 2 artifacts in `run-001`, and moved dossier to `docs/features/checked/scanner/base-image-detection-and-recommendations.md`. | QA |
| 2026-02-12 | Completed `QA-SCANNER-VERIFY-006`: implemented missing SmartDiff API wiring (endpoint mapping + DI repositories + scan-scoped candidate/review routes + SARIF VEX embedding), passed targeted SmartDiff/WebService Tier 1/Tier 2 checks in `run-001`, and moved dossier to `docs/features/checked/scanner/`. | QA |
| 2026-02-12 | Claimed `auto-vex-generation-from-smart-diff` as next queued Scanner feature (`run-001`) and moved `QA-SCANNER-VERIFY-006` to DOING. | QA |
| 2026-02-12 | Completed `QA-SCANNER-VERIFY-005`: `api-gateway-boundary-extractor` passed Tier 0/1/2 in `run-001`; dossier moved to `docs/features/checked/scanner/` and scanner state set to `done`. | QA |
| 2026-02-12 | Completed `QA-SCANNER-VERIFY-003`: `ai-governance-policy-loader-for-ml-bom-scanning` passed Tier 0/1/2 in `run-001`; added `AiMlSecurityStageExecutorTests` to verify policy refresh without service restart, and moved dossier to `docs/features/checked/scanner/`. | QA |
| 2026-02-12 | Completed `QA-SCANNER-VERIFY-004`: `ai-ml-supply-chain-security-analysis-module` passed Tier 0/1/2 in `run-001`; dossier moved to `docs/features/checked/scanner/` and scanner state set to `done`. | QA |
| 2026-02-12 | Terminalized `QA-SCANNER-VERIFY-003` as `skipped` (`owned_by_other_agent`) due active concurrent ownership on `ai-governance-policy-loader-for-ml-bom-scanning`. | QA |
| 2026-02-12 | Cleared global FLOW lock collisions by terminalizing two externally owned BinaryIndex `checking` entries as `skipped` (`owned_by_other_agent`) before continuing Scanner queued work. | QA |
| 2026-02-12 | Added missing module-local test charters for `src/Scanner/__Tests/StellaOps.Scanner.AiMlSecurity.Tests`, `src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests`, and `src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests`; prior AGENTS blockers are cleared and scanner verification tasks are re-opened. | QA |
| 2026-02-12 | Claimed `ai-governance-policy-loader-for-ml-bom-scanning` as next non-BinaryIndex module feature (`run-001`) and moved `QA-SCANNER-VERIFY-003` to DOING. | QA |
| 2026-02-12 | Blocked `QA-SCANNER-VERIFY-002`: Tier 1 build/tests passed for secrets analyzer paths, but full verification is blocked because module-local AGENTS are missing for `src/Scanner/__Tests/StellaOps.Scanner.Core.Tests` and `src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests`. | QA |
| 2026-02-12 | Claimed `secret-detection-and-credential-leak-guard` as next Scanner feature (`run-001`) after 001 blocker and moved `QA-SCANNER-VERIFY-002` to DOING. | QA |
| 2026-02-12 | Blocked `QA-SCANNER-VERIFY-001`: required test module charters are missing for `src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests` and `src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests`; terminalized as blocked per repo AGENTS rule 5. | QA |
| 2026-02-12 | Sprint created; claimed `3-bit-reachability-gate` as first deterministic Scanner feature (`run-001`). | QA |
## Decisions & Risks
- Decision: Initialized Scanner state ledger from unchecked feature inventory to make deterministic selection auditable.
- Decision: Added missing module-local test charters for AiMlSecurity/Reachability/SmartDiff test directories so FLOW verification can proceed without AGENTS rule-5 blockers.
- Decision: `ai-governance-policy-loader-for-ml-bom-scanning` was terminalized as `skipped` due concurrent ownership conflict, and subsequent Scanner work resumed only after global problems-first lock was cleared.
- Decision: Re-verified `ai-governance-policy-loader-for-ml-bom-scanning` in this lane after collision cleanup and terminalized it as `done` with fresh Tier 0/1/2 evidence (`run-001`).
- Decision: `ai-ml-supply-chain-security-analysis-module` achieved full Tier 0/1/2 verification in `run-001` and was promoted to `docs/features/checked/scanner/`.
- Decision: `api-gateway-boundary-extractor` achieved full Tier 0/1/2 verification in `run-001` and was promoted to `docs/features/checked/scanner/`.
- Decision: `auto-vex-generation-from-smart-diff` required implementation before verification; added Program route/DI wiring for SmartDiff endpoints, scan-scoped VEX candidate/review API compatibility, and SARIF VEX candidate embedding; validated with targeted SmartDiff and WebService API tests (`run-001` artifacts).
- Decision: `base-image-detection-and-recommendations` required implementation updates before verification; added deterministic fuzzy matching tie-break logic, ranked recommendation and bulk recommendation APIs on `IBaseImageDetector`, and `BaseImageMatchEngine` with focused behavioral tests.
- Decision: `binary-intelligence-engine` implementation was re-verified with fresh `run-002` evidence; Tier 1/Tier 2 now pass after entry-trace binary intelligence wiring across worker, serializer/store, and endpoint contract surface.
- Decision: `binary-sbom-and-build-id-to-purl-mapping` moved to `done` after implementing worker-stage runtime wiring for `AddPatchVerification` registration, patch verification execution, Build-ID mapping publication, and binary finding mapper call-path; validated by new worker-stage behavior test and passing `run-002` semantic checks (docs: `docs/features/checked/scanner/binary-sbom-and-build-id-to-purl-mapping.md`, `docs/modules/scanner/architecture.md`).
- Decision: For `bug-id-to-cve-mapping-in-changelog-parsing`, this lane observed active ownership markers in both sprint/task boards and terminalized as `skipped` (`owned_by_other_agent`) with an obstacle artifact (`run-001/obstacle.json`) to avoid conflicting concurrent edits.
- Decision: `bug-id-to-cve-mapping-in-changelog-parsing` was subsequently completed in this lane with implementation + recheck: added shared changelog regex extraction, RPM/DPKG metadata wiring (`changelogBugRefs`, `changelogBugToCves`), deterministic tests, and passing `run-001` Tier 0/1/2 evidence (docs: `docs/features/checked/scanner/bug-id-to-cve-mapping-in-changelog-parsing.md`, `docs/modules/scanner/architecture.md`).
- Decision: `build-provenance-verification-module-with-slsa-level-evaluator` was terminalized as `not_implemented`; library-level BuildProvenance analyzers are present and tested, but worker runtime skips no-provenance SBOMs before analyzer invocation, so the documented L0 assignment path is not satisfied (`docs/features/unimplemented/scanner/build-provenance-verification-module-with-slsa-level-evaluator.md`).
- Decision: `bun-call-graph-extractor` was terminalized as `not_implemented`; Bun extractor classes exist and pass focused behavior tests, but runtime extractor registration and source-mode edge-linking contract are incomplete (`docs/features/unimplemented/scanner/bun-call-graph-extractor.md`).
- Decision: `bun-language-analyzer` was terminalized as `not_implemented`; runtime explicitly handles `bun.lockb` as unsupported remediation-only input, and deterministic Bun fixture parity is currently failing (`17/115` tests), so binary lockfile parser and stable behavioral contract claims are unmet (`docs/features/unimplemented/scanner/bun-language-analyzer.md`).
- Decision: `byos-ingestion-workflow` reached `done` after fixing BYOS ingestion runtime schema parity (`PostgresArtifactBomRepository` now targets the default `scanner` schema used by artifact BOM migrations/functions) and adding deterministic API behavioral tests for CycloneDX/SPDX upload + retrieval + invalid-format rejection (`docs/features/checked/scanner/byos-ingestion-workflow.md`, `docs/modules/scanner/byos-ingestion.md`).
- Decision: Added missing module-local charter `src/Scanner/__Libraries/StellaOps.Scanner.Manifest/AGENTS.md` before editing manifest contracts.
- Risk: Concurrent lanes may claim the same Scanner feature and create ownership collisions.
- Risk (resolved): prior AGENTS charter blockers for Reachability/SmartDiff/AiMlSecurity test directories were removed by adding module-local charters.
- Risk: full `StellaOps.Scanner.SmartDiff.Tests` suite currently has 4 pre-existing snapshot failures in `DeltaVerdictSnapshotTests` (`tier1-known-fullsuite-failures.log`); this feature used targeted class execution for VEX emitter/bridge/SARIF behaviors to avoid unrelated blocker while preserving auditable evidence.
- Risk: full `StellaOps.Scanner.Core.Tests` suite has unrelated pre-existing failures (`CanonicalSerializationPerfSmokeTests.Serialization_ScalesLinearlyWithSize`, `TestKitExamples.SnapshotAssert_Example`); this feature used targeted class execution for base-image behavior validation while preserving full-suite failure evidence.
- Mitigation: Record ownership in state notes before Tier 0 and terminalize collisions per FLOW 0.1.
## Next Checkpoints
- Continue with next Scanner queued feature after `byos-ingestion-workflow` (`canonical-node-hash-and-path-hash-recipes-for-reachability`) using global problems-first lock.

132
docs/implplan/SPRINT_20260215_003_QA_tier2d_evidence_deepening.md
View File

@@ -1,132 +0,0 @@
# Sprint 20260215_003_QA - Tier 2d Evidence Deepening
## Topic & Scope
- Deepen Tier 2d evidence for ~400 library/internal features that currently have shallow evidence (suite-wide pass counts from `.slnf` files or assertions checking `!= null`).
- For each module: run individual `.csproj` with `--filter`, verify filter effectiveness, read test assertions, write new behavioral tests where missing.
- Working directory: `src/` (multiple modules), `docs/qa/feature-checks/`.
- Expected evidence: `tier2-integration-check.json` per feature with targeted test output.
## Dependencies & Concurrency
- Independent of SPRINT_20260215_002 (CLI tests).
- Modules can be processed in parallel (up to 4 concurrent agents on different modules).
- Cross-module edits allowed: `docs/qa/feature-checks/runs/**`, `docs/qa/feature-checks/state/**`, test files in `src/*/__Tests/`.
## Documentation Prerequisites
- `docs/qa/feature-checks/FLOW.md` (section 4.6.2 Tier 2d rules -- CRITICAL)
- `docs/code-of-conduct/TESTING_PRACTICES.md`
- `AGENTS.md` section 4.6.2 (prevents shallow testing)
## Critical Rule: NEVER Use `.slnf` Files
Solution filters ignore `--filter` flags. Always target individual `.csproj`:
```bash
# CORRECT:
dotnet test "src/Policy/__Tests/StellaOps.Policy.Scoring.Tests/StellaOps.Policy.Scoring.Tests.csproj" \
--filter "FullyQualifiedName~EwsCalculator" -v normal
# WRONG:
dotnet test src/Policy/StellaOps.Policy.tests.slnf \
--filter "FullyQualifiedName~EwsCalculator" -v normal
```
## Delivery Tracker
### D-001 - Policy Module (15 test projects, ~60 features)
Status: DONE
Dependency: none
Owners: QA
Task description:
- Inventory all test projects in `src/Policy/__Tests/`.
- For each feature: run targeted `.csproj` with `--filter`, verify `testsRun` count reflects the filter.
- Read test `.cs` files to classify assertion quality (shallow/adequate/deep).
- Write new behavioral tests where coverage is missing.
- Key gap areas: Scoring, RiskProfile, Engine, Determinization.
Completion criteria:
- [x] All Policy features have targeted `tier2-integration-check.json`
- [x] Assertion quality classified for each feature
- [x] New tests written where behavioral coverage missing
- [x] `policy.json` state file updated
### D-002 - Scanner Module (~51 test projects, ~80 features)
Status: DONE
Dependency: none
Owners: QA
Task description:
- Focus on language analyzers and OS analyzers not individually verified.
- Run each analyzer test project individually with `--filter`.
Completion criteria:
- [x] All Scanner features have targeted evidence
- [x] Language/OS analyzer behavioral coverage confirmed
### D-003 - Concelier Module (~50 test projects, ~40 features)
Status: TODO
Dependency: none
Owners: QA
Task description:
- Focus on 20+ advisory source connectors untested at Tier 2d.
- Run each connector test project individually.
Completion criteria:
- [ ] Advisory source connectors individually verified
- [ ] `concelier.json` state file updated
### D-004 - Attestor Module (~24 test projects, ~30 features)
Status: TODO
Dependency: none
Owners: QA
Task description:
- Focus on Bundle/ProofChain crypto verification depth.
- Run individual proof chain and attestation test projects.
Completion criteria:
- [ ] Crypto verification depth confirmed
- [ ] `attestor.json` state file updated
### D-005 - Signals + EvidenceLocker + VexLens Modules
Status: DONE
Dependency: none
Owners: QA
Task description:
- Signals: 4-6 test projects, 0 existing evidence.
- EvidenceLocker: 2 test projects, 0 existing evidence.
- VexLens: 1 test project, 0 existing evidence.
- Run all test projects individually with targeted filters.
Completion criteria:
- [x] All features in these 3 modules have targeted evidence
- [x] State files updated
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-15 | Sprint created from Phase D plan in SPRINT_20260213_001. | Planning |
| 2026-02-15 | **D-001 (Policy) DONE.** Ran all 15 test projects individually via `.csproj`. **3,468 tests total, 3,468 passed, 0 failed, 0 skipped.** This is 545 more tests than the old `.slnf`-based run (2,923) — 7 test projects were completely invisible to the `.slnf` approach. Deep assertion quality confirmed across all projects: computed scores, determinism hashes, risk verdicts, policy engine evaluations. Evidence: `docs/qa/feature-checks/runs/policy/tier2d-deep-evidence/run-001/` (15 per-project files + summary). State file `policy.json` updated. | QA |
| 2026-02-15 | **D-002 (Scanner) DONE.** Ran 51 test projects individually via `.csproj` (organized in 5 clusters: core analyzers, language analyzers, OS analyzers, integration tests, tools). **6,035 tests total: 6,010 passed, 25 failed (17 Bun lockfile parsing, 8 misc), 0 skipped.** Pass rate: 99.59%. Deep assertion quality confirmed: SBOM component extraction, PURL construction, version range parsing, vulnerability matching. Known failures: Bun analyzer lockfile parsing issues (17 tests). 1 build failure: WebService.Tests MSB4166 (transient MSBuild child node crash). Evidence: `docs/qa/feature-checks/runs/scanner/tier2d-deep-evidence/run-001/` (5 cluster files + summary). State file `scanner.json` updated. | QA |
| 2026-02-15 | **D-005 (Signals + EvidenceLocker + VexLens) DONE.** Ran all test projects individually. **Signals**: 7 test projects, 1,377 tests (1,376 pass, 0 fail, 1 skip). Deep assertions: runtime signal correlation, deadlock detection, circuit breaker patterns, anomaly detection, OpenTelemetry metric emission. **EvidenceLocker**: 2 test projects, 182 tests (182 pass, 0 fail). Deep assertions: bundle serialization, schema evolution, tamper detection, proof chain verification. **VexLens**: 1 test project, 224 tests (224 pass, 0 fail). Deep assertions: VEX merge logic, conflict resolution, trust scoring, multi-source reconciliation. **Combined**: 1,783 tests, 1,782 pass, 0 fail, 1 skip. Evidence: `docs/qa/feature-checks/runs/{signals,evidencelocker,vexlens}/tier2d-deep-evidence/run-001/`. State files updated. | QA |
## Decisions & Risks
- **Risk**: MTP (Microsoft Testing Platform) runner may ignore `--filter` flags (seen in Findings module with MTP0001 warning). Mitigation: Check for MTP0001 in output; if present, document the limitation and use test project isolation as alternative to filter.
- **Risk**: Some test projects may have build errors (seen: Normalization.Tests CS9051). Mitigation: Log build errors as bugs, continue with other projects.
- **Decision**: Module priority order: Policy > Scanner > Concelier > Attestor > Signals/EvidenceLocker/VexLens.
- **Decision**: Concelier (D-003) and Attestor (D-004) deferred to future session due to scope — 3 of 5 tasks completed covering the highest-priority modules.
- **Finding (D-001)**: Policy `.slnf` was hiding 7 test projects (545 tests). Individual `.csproj` approach discovered: Caching.Tests, CompositePolicy.Tests, Migration.Tests, PolicyExecution.Tests, PolicySchema.Tests, Replay.Tests, Simulation.Tests were all invisible to the old `.slnf` run.
- **Finding (D-002)**: Scanner has 51 test projects (far more than the ~25 estimated). Bun analyzer has 17 failing tests (lockfile parsing regressions). WebService.Tests has transient MSBuild crash (MSB4166).
- **Finding (D-005)**: Signals module has deeper test suites than expected (1,377 tests across 7 projects). Deadlock detection, circuit breaker, and anomaly detection all have strong behavioral coverage.
- **Estimated effort (actual)**: D-001+D-002+D-005 completed in 1 session with 3 parallel agents. D-003+D-004 estimated 2-3 additional sessions.
## Results Summary
- **Policy (D-001)**: 15 test projects, 3,468 tests, 3,468 passed, 0 failed, 0 skipped. 545 more tests than `.slnf` approach.
- **Scanner (D-002)**: 51 test projects, 6,035 tests, 6,010 passed, 25 failed, 0 skipped. 99.59% pass rate.
- **Signals (D-005a)**: 7 test projects, 1,377 tests, 1,376 passed, 0 failed, 1 skipped.
- **EvidenceLocker (D-005b)**: 2 test projects, 182 tests, 182 passed, 0 failed, 0 skipped.
- **VexLens (D-005c)**: 1 test project, 224 tests, 224 passed, 0 failed, 0 skipped.
- **Grand total (completed tasks)**: 76 test projects, 11,286 tests, 11,260 passed, 25 failed, 1 skipped. Pass rate: 99.77%.
## Next Checkpoints
- D-001 (Policy): DONE
- D-002 (Scanner): DONE
- D-003 (Concelier): TODO — deferred to future session (~53 test projects)
- D-004 (Attestor): TODO — deferred to future session (~16 test projects)
- D-005 (Signals/EvidenceLocker/VexLens): DONE