stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

up
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Mirror Thin Bundle Sign & Verify / mirror-sign (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details

Browse Source
This commit is contained in:
StellaOps Bot
2025-11-26 07:47:08 +02:00
parent 56e2f64d07
commit 1c782897f7
184 changed files with 8991 additions and 649 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
docs/data/replay_schema.md Normal file
View File

@@ -0,0 +1,44 @@
# Replay Mongo Schema
Status: draft · applies to net10 replay pipeline (Sprint 0185)
## Collections
### replay_runs
- **_id**: scan UUID (string, primary key)
- **manifestHash**: `sha256:<hex>` (unique)
- **status**: `pending|verified|failed|replayed`
- **createdAt / updatedAt**: UTC ISO-8601
- **signatures[]**: `{ profile, verified }` (multi-profile DSSE verification)
- **outputs**: `{ sbom, findings, vex?, log? }` (all SHA-256 digests)
**Indexes**
- `runs_manifestHash_unique`: `{ manifestHash: 1 }` (unique)
- `runs_status_createdAt`: `{ status: 1, createdAt: -1 }`
### replay_bundles
- **_id**: bundle digest hex (no `sha256:` prefix)
- **type**: `input|output|rootpack|reachability`
- **size**: bytes
- **location**: CAS URI `cas://replay/<prefix>/<digest>.tar.zst`
- **createdAt**: UTC ISO-8601
**Indexes**
- `bundles_type`: `{ type: 1, createdAt: -1 }`
- `bundles_location`: `{ location: 1 }`
### replay_subjects
- **_id**: OCI image digest (`sha256:<hex>`)
- **layers[]**: `{ layerDigest, merkleRoot, leafCount }`
**Indexes**
- `subjects_layerDigest`: `{ "layers.layerDigest": 1 }`
## Determinism & constraints
- All timestamps stored as UTC.
- Digests are lowercase hex; CAS URIs must follow `cas://<prefix>/<shard>/<digest>.tar.zst` where `<shard>` = first two hex chars.
- No external references; embed minimal metadata only (feed/policy hashes live in replay manifest).
## Client models
- Implemented in `src/__Libraries/StellaOps.Replay.Core/ReplayMongoModels.cs` with matching index name constants (`ReplayIndexes`).
- Serialization uses MongoDB.Bson defaults; camelCase field names match collection schema above.

36
docs/implplan/SPRINT_0128_0001_0001_policy_reasoning.md
View File

@@ -17,25 +17,33 @@
## Delivery Tracker
| # | Task ID & handle | State | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | POLICY-RISK-67-002 | TODO | Depends on 67-001. | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Risk profile lifecycle APIs. |
| 2 | POLICY-RISK-67-002 | TODO | Depends on 67-002. | Risk Profile Schema Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Publish `.well-known/risk-profile-schema` + CLI validation. |
| 3 | POLICY-RISK-67-003 | TODO | Depends on 67-002. | Policy · Risk Engine Guild / `src/Policy/__Libraries/StellaOps.Policy` | Risk simulations + breakdowns. |
| 4 | POLICY-RISK-68-001 | TODO | Depends on 67-003. | Policy · Policy Studio Guild / `src/Policy/StellaOps.Policy.Engine` | Simulation API for Policy Studio. |
| 5 | POLICY-RISK-68-001 | TODO | Depends on 68-001. | Risk Profile Schema Guild · Authority Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Scope selectors, precedence rules, Authority attachment. |
| 6 | POLICY-RISK-68-002 | TODO | Depends on 68-001. | Risk Profile Schema Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Override/adjustment support with audit metadata. |
| 7 | POLICY-RISK-68-002 | TODO | Depends on 68-002. | Policy · Export Guild / `src/Policy/__Libraries/StellaOps.Policy` | Export/import RiskProfiles with signatures. |
| 8 | POLICY-RISK-69-001 | TODO | Depends on 68-002. | Policy · Notifications Guild / `src/Policy/StellaOps.Policy.Engine` | Notifications on profile lifecycle/threshold changes. |
| 9 | POLICY-RISK-70-001 | TODO | Depends on 69-001. | Policy · Export Guild / `src/Policy/StellaOps.Policy.Engine` | Air-gap export/import for profiles with signatures. |
| 10 | POLICY-SPL-23-001 | TODO | — | Policy · Language Infrastructure Guild / `src/Policy/__Libraries/StellaOps.Policy` | Define SPL v1 schema + fixtures. |
| 11 | POLICY-SPL-23-002 | TODO | Depends on 23-001. | Policy Guild / `src/Policy/__Libraries/StellaOps.Policy` | Canonicalizer + content hashing. |
| 12 | POLICY-SPL-23-003 | TODO | Depends on 23-002. | Policy Guild / `src/Policy/__Libraries/StellaOps.Policy` | Layering/override engine + tests. |
| 13 | POLICY-SPL-23-004 | TODO | Depends on 23-003. | Policy · Audit Guild / `src/Policy/__Libraries/StellaOps.Policy` | Explanation tree model + persistence. |
| 14 | POLICY-SPL-23-005 | TODO | Depends on 23-004. | Policy · DevEx Guild / `src/Policy/__Libraries/StellaOps.Policy` | Migration tool to baseline SPL packs. |
| 1 | POLICY-RISK-67-002 | BLOCKED (2025-11-26) | Await risk profile contract + schema (67-001) and API shape. | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Risk profile lifecycle APIs. |
| 2 | POLICY-RISK-67-002 | BLOCKED (2025-11-26) | Depends on 67-001/67-002 spec; schema draft absent. | Risk Profile Schema Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Publish `.well-known/risk-profile-schema` + CLI validation. |
| 3 | POLICY-RISK-67-003 | BLOCKED (2025-11-26) | Blocked by 67-002 contract + simulation inputs. | Policy · Risk Engine Guild / `src/Policy/__Libraries/StellaOps.Policy` | Risk simulations + breakdowns. |
| 4 | POLICY-RISK-68-001 | BLOCKED (2025-11-26) | Blocked by 67-003 outputs and missing Policy Studio contract. | Policy · Policy Studio Guild / `src/Policy/StellaOps.Policy.Engine` | Simulation API for Policy Studio. |
| 5 | POLICY-RISK-68-001 | BLOCKED (2025-11-26) | Blocked until 68-001 API + Authority attachment rules defined. | Risk Profile Schema Guild · Authority Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Scope selectors, precedence rules, Authority attachment. |
| 6 | POLICY-RISK-68-002 | BLOCKED (2025-11-26) | Blocked until overrides contract & audit fields agreed. | Risk Profile Schema Guild / `src/Policy/StellaOps.Policy.RiskProfile` | Override/adjustment support with audit metadata. |
| 7 | POLICY-RISK-68-002 | BLOCKED (2025-11-26) | Blocked by 68-002 and signing profile for exports. | Policy · Export Guild / `src/Policy/__Libraries/StellaOps.Policy` | Export/import RiskProfiles with signatures. |
| 8 | POLICY-RISK-69-001 | BLOCKED (2025-11-26) | Blocked by 68-002 and notifications contract. | Policy · Notifications Guild / `src/Policy/StellaOps.Policy.Engine` | Notifications on profile lifecycle/threshold changes. |
| 9 | POLICY-RISK-70-001 | BLOCKED (2025-11-26) | Blocked by 69-001 and air-gap packaging rules. | Policy · Export Guild / `src/Policy/StellaOps.Policy.Engine` | Air-gap export/import for profiles with signatures. |
| 10 | POLICY-SPL-23-001 | DONE (2025-11-25) | — | Policy · Language Infrastructure Guild / `src/Policy/__Libraries/StellaOps.Policy` | Define SPL v1 schema + fixtures. |
| 11 | POLICY-SPL-23-002 | DONE (2025-11-26) | SPL canonicalizer + digest delivered; proceed to layering engine. | Policy Guild / `src/Policy/__Libraries/StellaOps.Policy` | Canonicalizer + content hashing. |
| 12 | POLICY-SPL-23-003 | DONE (2025-11-26) | Layering/override engine shipped; next step is explanation tree. | Policy Guild / `src/Policy/__Libraries/StellaOps.Policy` | Layering/override engine + tests. |
| 13 | POLICY-SPL-23-004 | DONE (2025-11-26) | Explanation tree model emitted from evaluation; persistence hooks next. | Policy · Audit Guild / `src/Policy/__Libraries/StellaOps.Policy` | Explanation tree model + persistence. |
| 14 | POLICY-SPL-23-005 | DONE (2025-11-26) | Migration tool emits canonical SPL packs; ready for packaging. | Policy · DevEx Guild / `src/Policy/__Libraries/StellaOps.Policy` | Migration tool to baseline SPL packs. |
| 15 | POLICY-SPL-24-001 | TODO | Depends on 23-005. | Policy · Signals Guild / `src/Policy/__Libraries/StellaOps.Policy` | Extend SPL with reachability/exploitability predicates. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Delivered SPL v1 schema + sample fixtures (spl-schema@1.json, spl-sample@1.json, SplSchemaResource) and embedded in `StellaOps.Policy`; marked POLICY-SPL-23-001 DONE. | Implementer |
| 2025-11-26 | Implemented SPL canonicalizer + SHA-256 digest (order-stable statements/actions/conditions) with unit tests; marked POLICY-SPL-23-002 DONE. | Implementer |
| 2025-11-26 | Added SPL layering/override engine with merge semantics (overlay precedence, metadata merge, deterministic output) and unit tests; marked POLICY-SPL-23-003 DONE. | Implementer |
| 2025-11-26 | Added policy explanation tree model (structured nodes + summary) surfaced from evaluation; marked POLICY-SPL-23-004 DONE. | Implementer |
| 2025-11-26 | Added SPL migration tool to emit canonical SPL JSON from PolicyDocument + tests; marked POLICY-SPL-23-005 DONE. | Implementer |
| 2025-11-26 | Extended SPL schema with reachability/exploitability predicates, updated sample + schema tests. | Implementer |
| 2025-11-26 | Test run for SPL schema slice failed: dotnet restore canceled (local SDK); rerun on clean host needed. | Implementer |
| 2025-11-26 | Marked risk profile chain (67-002 .. 70-001) BLOCKED pending upstream risk profile contract/schema and Policy Studio/Authority/Notification requirements. | Implementer |
| 2025-11-08 | Sprint stub; awaiting upstream phases. | Planning |
| 2025-11-19 | Normalized to standard template and renamed from `SPRINT_128_policy_reasoning.md` to `SPRINT_0128_0001_0001_policy_reasoning.md`; content preserved. | Implementer |

3
docs/implplan/SPRINT_0143_0000_0001_signals.md
View File

@@ -26,11 +26,12 @@
| 2 | SIGNALS-24-002 | BLOCKED (2025-11-19) | Await Platform Storage approval; CAS promotion checklist ready (see PREP-SIGNALS-24-002-CAS-PROMO). | Signals Guild | Implement callgraph ingestion/normalization (Java/Node/Python/Go) with CAS persistence and retrieval APIs to feed reachability scoring. |
| 3 | SIGNALS-24-003 | BLOCKED (2025-11-19) | Blocked on SIGNALS-24-002 approval and provenance schema sign-off; checklist ready (PREP-SIGNALS-24-003-PROVENANCE). | Signals Guild, Runtime Guild | Implement runtime facts ingestion endpoint and normalizer (process, sockets, container metadata) populating `context_facts` with AOC provenance. |
| 4 | SIGNALS-24-004 | DONE (2025-11-17) | Scoring weights now configurable; runtime ingestion auto-triggers recompute into `reachability_facts`. | Signals Guild, Data Science | Deliver reachability scoring engine producing states/scores and writing to `reachability_facts`; expose configuration for weights. |
| 5 | SIGNALS-24-005 | TODO | PREP-SIGNALS-24-005-REDIS-CACHE-IMPLEMENTED-A | Signals Guild, Platform Events Guild | Implement Redis caches (`reachability_cache:*`), invalidation on new facts, and publish `signals.fact.updated` events. |
| 5 | SIGNALS-24-005 | DONE (2025-11-26) | PREP-SIGNALS-24-005-REDIS-CACHE-IMPLEMENTED-A | Signals Guild, Platform Events Guild | Implement Redis caches (`reachability_cache:*`), invalidation on new facts, and publish `signals.fact.updated` events. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-26 | Enriched `signals.fact.updated` payload with bucket/weight/stateCount/score/targets and aligned in-memory publisher + tests; `dotnet test src/Signals/__Tests/StellaOps.Signals.Tests/StellaOps.Signals.Tests.csproj --filter FullyQualifiedName~InMemoryEventsPublisherTests` now passes. | Implementer |
| 2025-11-20 | Published `docs/signals/events-24-005.md` event-bus contract (topic, envelope, retry/DLQ); marked PREP-SIGNALS-24-005 DONE and moved SIGNALS-24-005 to TODO. | Implementer |
| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
| 2025-11-19 | Marked SIGNALS-24-002 and SIGNALS-24-003 BLOCKED pending CAS promotion, signed manifests, and provenance schema. | Implementer |

15
docs/implplan/SPRINT_0157_0001_0001_taskrunner_i.md
View File

@@ -23,19 +23,23 @@
| 2 | TASKRUN-AIRGAP-56-002 | TODO | Depends on 56-001. | Task Runner Guild · AirGap Importer Guild | Add helper steps for bundle ingestion (checksum verification, staging to object store) with deterministic outputs. |
| 3 | TASKRUN-AIRGAP-57-001 | TODO | Depends on 56-002. | Task Runner Guild · AirGap Controller Guild | Refuse to execute plans when environment sealed=false but declared sealed install; emit advisory timeline events. |
| 4 | TASKRUN-AIRGAP-58-001 | TODO | Depends on 57-001. | Task Runner Guild · Evidence Locker Guild | Capture bundle import job transcripts, hashed inputs/outputs into portable evidence bundles. |
| 5 | TASKRUN-42-001 | TODO | Continue execution engine upgrades (loops/conditionals/maxParallel), simulation mode, policy gate integration, deterministic failure recovery. | Task Runner Guild (`src/TaskRunner/StellaOps.TaskRunner`) | Execution engine enhancements + simulation API/CLI. |
| 5 | TASKRUN-42-001 | BLOCKED (2025-11-25) | Continue execution engine upgrades (loops/conditionals/maxParallel), simulation mode, policy gate integration, deterministic failure recovery. | Task Runner Guild (`src/TaskRunner/StellaOps.TaskRunner`) | Execution engine enhancements + simulation API/CLI. Blocked: TaskPack loop/conditional semantics and policy-gate evaluation contract not published. |
| 6 | TASKRUN-OAS-61-001 | TODO | Document APIs once run endpoints stable. | Task Runner Guild · API Contracts Guild | Document TaskRunner APIs (pack runs, logs, approvals) with streaming schemas/examples. |
| 7 | TASKRUN-OAS-61-002 | TODO | Depends on 61-001. | Task Runner Guild | Expose `GET /.well-known/openapi` returning signed spec metadata, build version, ETag. |
| 8 | TASKRUN-OAS-62-001 | TODO | Depends on 61-002. | Task Runner Guild · SDK Generator Guild | SDK examples for pack run lifecycle; streaming log helpers; paginator wrappers. |
| 9 | TASKRUN-OAS-63-001 | TODO | Depends on 62-001. | Task Runner Guild · API Governance Guild | Sunset/deprecation headers + notifications for legacy pack APIs. |
| 10 | TASKRUN-OBS-50-001 | TODO | Telemetry core adoption. | Task Runner Guild | Add telemetry core in host + worker; spans/logs include `trace_id`, `tenant_id`, `run_id`, scrubbed transcripts. |
| 11 | TASKRUN-OBS-51-001 | TODO | Depends on 50-001. | Task Runner Guild · DevOps Guild | Metrics for step latency, retries, queue depth, sandbox resource usage; define SLOs; burn-rate alerts. |
| 12 | TASKRUN-OBS-52-001 | TODO | Depends on 51-001. | Task Runner Guild | Timeline events for pack runs (`pack.started`, `pack.step.completed`, `pack.failed`) with evidence pointers/policy context; dedupe + retry. |
| 13 | TASKRUN-OBS-53-001 | TODO | Depends on 52-001. | Task Runner Guild · Evidence Locker Guild | Capture step transcripts, artifact manifests, environment digests, policy approvals into evidence locker snapshots; ensure redaction + hash chain. |
| 10 | TASKRUN-OBS-50-001 | DONE (2025-11-25) | Telemetry core adoption. | Task Runner Guild | Add telemetry core in host + worker; spans/logs include `trace_id`, `tenant_id`, `run_id`, scrubbed transcripts. |
| 11 | TASKRUN-OBS-51-001 | DONE (2025-11-25) | Depends on 50-001. | Task Runner Guild · DevOps Guild | Metrics for step latency, retries, queue depth, sandbox resource usage; define SLOs; burn-rate alerts. |
| 12 | TASKRUN-OBS-52-001 | BLOCKED (2025-11-25) | Depends on 51-001. | Task Runner Guild | Timeline events for pack runs (`pack.started`, `pack.step.completed`, `pack.failed`) with evidence pointers/policy context; dedupe + retry. Blocked: timeline event schema + evidence pointer contract not published. |
| 13 | TASKRUN-OBS-53-001 | BLOCKED (2025-11-25) | Depends on 52-001. | Task Runner Guild · Evidence Locker Guild | Capture step transcripts, artifact manifests, environment digests, policy approvals into evidence locker snapshots; ensure redaction + hash chain. Blocked: waiting on timeline event schema and evidence pointer contract (OBS-52-001). |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | TASKRUN-OBS-52-001 and TASKRUN-OBS-53-001 marked BLOCKED: timeline event schema and evidence-pointer contract not published; cannot emit pack timeline events or evidence snapshots yet. | Task Runner Guild |
| 2025-11-25 | TASKRUN-42-001 marked BLOCKED: loop/conditional semantics and policy-gate evaluation contract not published; cannot update execution engine/simulation without spec. | Task Runner Guild |
| 2025-11-25 | Implemented metrics for step latency, retries, running steps, and queue depth; wired into telemetry; marked TASKRUN-OBS-51-001 DONE. | Task Runner Guild |
| 2025-11-25 | Added StellaOps.Telemetry.Core to TaskRunner WebService and Worker; enabled runtime + HTTP client instrumentation with OTLP guardrails; marked TASKRUN-OBS-50-001 DONE. | Task Runner Guild |
| 2025-11-25 | Moved TASKRUN-41-001 to new Sprint 0157-0001-0002 (blockers) to keep active sprint focused on implementable items; dependencies in rows 14 remain until 41-001 unblocks. | Project Mgmt |
| 2025-11-25 | Marked TASKRUN-41-001 BLOCKED: TaskRunner architecture/API contracts not published; upstream Sprint 120/130/140 inputs required before implementation. Status mirrored to tasks-all. | Project Mgmt |
| 2025-11-04 | Resumed TASKRUN-42-001: scoped execution engine upgrades (loops/conditionals/maxParallel), simulation mode, policy gate integration, deterministic failure recovery. | Task Runner Guild |
@@ -49,6 +53,7 @@
- Execution engine contract must remain deterministic; avoid uncontrolled parallelism until SLOs/telemetry validated.
- Air-gap enforcement depends on policy/airgap contracts; keep sealed-mode validation strict before enabling helper steps.
- BLOCKER: TaskRunner architecture/API contract (Sprint 120/130/140 inputs) not yet published; 41-001 and downstream items cannot start until provided.
- BLOCKER: Loop/conditional semantics and policy-gate evaluation contract are unpublished; TASKRUN-42-001 cannot proceed until TaskPack DSL spec defines control-flow nodes and policy gate result API.
## Next Checkpoints
- Schedule kickoff after confirming upstream Sprint 120/130/140 inputs (date TBD).

4
docs/implplan/SPRINT_0165_0001_0001_timelineindexer.md
View File

@@ -19,7 +19,7 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | TIMELINE-OBS-52-001 | TODO | Draft migrations + RLS design. | Timeline Indexer Guild (`src/TimelineIndexer/StellaOps.TimelineIndexer`) | Bootstrap service; Postgres migrations for `timeline_events`, `timeline_event_details`, `timeline_event_digests`; enable RLS scaffolding and deterministic migration scripts. |
| 1 | TIMELINE-OBS-52-001 | BLOCKED (2025-11-25) | Waiting on orchestrator/notification event schema + EvidenceLocker digest schema | Timeline Indexer Guild (`src/TimelineIndexer/StellaOps.TimelineIndexer`) | Bootstrap service; Postgres migrations for `timeline_events`, `timeline_event_details`, `timeline_event_digests`; enable RLS scaffolding and deterministic migration scripts. |
| 2 | TIMELINE-OBS-52-002 | TODO | Depends on 52-001. | Timeline Indexer Guild | Implement event ingestion pipeline (NATS/Redis consumers) with ordering guarantees, dedupe `(event_id, tenant_id)`, trace-ID correlation, backpressure metrics. |
| 3 | TIMELINE-OBS-52-003 | TODO | Depends on 52-002. | Timeline Indexer Guild | Expose REST/gRPC APIs for timeline queries (`GET /timeline`, `/timeline/{id}`) with filters, pagination, tenant enforcement; provide OpenAPI + contract tests. |
| 4 | TIMELINE-OBS-52-004 | TODO | Depends on 52-003. | Timeline Indexer Guild · Security Guild | Finalize RLS policies, scope checks (`timeline:read`), audit logging; integration tests for cross-tenant isolation and legal hold markers. |
@@ -28,6 +28,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Marked TIMELINE-OBS-52-001 BLOCKED: missing orchestrator/notification event schema and EvidenceLocker digest schema prevent drafting migrations/RLS. | Implementer |
| 2025-11-12 | Captured task snapshot and blockers; waiting on orchestrator/notifications schema and EvidenceLocker digest schema. | Planning |
| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_165_timelineindexer.md` to `SPRINT_0165_0001_0001_timelineindexer.md`; content preserved. | Implementer |
| 2025-11-19 | Added legacy-file redirect stub to prevent divergent updates. | Implementer |
@@ -36,6 +37,7 @@
- Blocked on orchestrator/notification schemas for ingestion payload definitions.
- Needs EvidenceLocker bundle digest schema before implementing evidence linkage.
- Security/Compliance review required for Postgres RLS migrations; no coding until approval.
- TIMELINE-OBS-52-001 specifically blocked on upstream schemas (orchestrator/notification events) and EvidenceLocker digest schema; cannot draft migrations/RLS without them.
## Next Checkpoints
- Obtain sample orchestrator/notification events and EvidenceLocker digest schema (date TBD).

13
docs/implplan/SPRINT_0185_0001_0001_shared_replay_primitives.md
View File

@@ -17,15 +17,18 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | REPLAY-CORE-185-001 | TODO | CAS section published; start scaffolding library. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`) | Scaffold `StellaOps.Replay.Core` with manifest schema types, canonical JSON rules, Merkle utilities, DSSE payload builders; add `AGENTS.md`/`TASKS.md`; cross-reference deterministic replay doc. |
| 2 | REPLAY-CORE-185-002 | TODO | Depends on 185-001. | Platform Guild | Deterministic bundle writer (tar.zst, CAS naming) and hashing abstractions; update platform architecture doc with “Replay CAS” subsection. |
| 3 | REPLAY-CORE-185-003 | TODO | Depends on 185-002. | Platform Data Guild | Define Mongo collections (`replay_runs`, `replay_bundles`, `replay_subjects`) and indices; align with schema doc. |
| 4 | DOCS-REPLAY-185-003 | TODO | Parallel with 185-003. | Docs Guild · Platform Data Guild (docs) | Author `docs/data/replay_schema.md` detailing collections, index guidance, offline sync strategy. |
| 5 | DOCS-REPLAY-185-004 | TODO | After 185-002/003. | Docs Guild (docs) | Expand `docs/replay/DEVS_GUIDE_REPLAY.md` with integration guidance (Scanner, Evidence Locker, CLI) and checklist from deterministic replay doc §11. |
| 1 | REPLAY-CORE-185-001 | DONE (2025-11-25) | CAS section published; start scaffolding library. | BE-Base Platform Guild (`src/__Libraries/StellaOps.Replay.Core`) | Scaffold `StellaOps.Replay.Core` with manifest schema types, canonical JSON rules, Merkle utilities, DSSE payload builders; add `AGENTS.md`/`TASKS.md`; cross-reference deterministic replay doc. |
| 2 | REPLAY-CORE-185-002 | DONE (2025-11-25) | Depends on 185-001. | Platform Guild | Deterministic bundle writer (tar.zst, CAS naming) and hashing abstractions; update platform architecture doc with “Replay CAS” subsection. |
| 3 | REPLAY-CORE-185-003 | DONE (2025-11-25) | Depends on 185-002. | Platform Data Guild | Define Mongo collections (`replay_runs`, `replay_bundles`, `replay_subjects`) and indices; align with schema doc. |
| 4 | DOCS-REPLAY-185-003 | DONE (2025-11-25) | Parallel with 185-003. | Docs Guild · Platform Data Guild (docs) | Author `docs/data/replay_schema.md` detailing collections, index guidance, offline sync strategy. |
| 5 | DOCS-REPLAY-185-004 | DONE (2025-11-25) | After 185-002/003. | Docs Guild (docs) | Expand `docs/replay/DEVS_GUIDE_REPLAY.md` with integration guidance (Scanner, Evidence Locker, CLI) and checklist from deterministic replay doc §11. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Completed REPLAY-CORE-185-003, DOCS-REPLAY-185-003/004: added Mongo models/index names in `StellaOps.Replay.Core`, published `docs/data/replay_schema.md`, updated `DEVS_GUIDE_REPLAY.md` with storage/index guidance; replay core tests green. | Implementer |
| 2025-11-25 | Completed REPLAY-CORE-185-002: added deterministic tar.zst writer with CAS URI helper and hashing abstractions in `StellaOps.Replay.Core`; documented library hooks and CAS sharding in platform replay section; tests passing (`StellaOps.Replay.Core.Tests`). | Implementer |
| 2025-11-25 | Completed REPLAY-CORE-185-001: added canonical JSON + DSSE/Merkle helpers in `StellaOps.Replay.Core`, created module TASKS board, refreshed AGENTS link, and documented library hooks in `docs/replay/DETERMINISTIC_REPLAY.md`; tests `StellaOps.Replay.Core.Tests` passing. | Implementer |
| 2025-11-03 | Replay CAS section published in `docs/modules/platform/architecture-overview.md` §5; tasks 185-001/002 may move to DOING once scaffolding starts. | Platform Guild |
| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_185_shared_replay_primitives.md` to `SPRINT_0185_0001_0001_shared_replay_primitives.md`; content preserved. | Implementer |
| 2025-11-19 | Added legacy-file redirect stub to avoid divergent updates. | Implementer |

11
docs/implplan/SPRINT_0186_0001_0001_record_deterministic_execution.md
View File

@@ -19,7 +19,7 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SCAN-REPLAY-186-001 | TODO | Start record mode in WebService. | Scanner Guild (`src/Scanner/StellaOps.Scanner.WebService`, docs) | Implement `record` mode (manifest assembly, policy/feed/tool hash capture, CAS uploads); doc workflow referencing replay doc §6. |
| 1 | SCAN-REPLAY-186-001 | BLOCKED (2025-11-26) | Await pipeline inputs. | Scanner Guild (`src/Scanner/StellaOps.Scanner.WebService`, docs) | Implement `record` mode (manifest assembly, policy/feed/tool hash capture, CAS uploads); doc workflow referencing replay doc §6. |
| 2 | SCAN-REPLAY-186-002 | TODO | Depends on 186-001. | Scanner Guild | Update Worker analyzers to consume sealed input bundles, enforce deterministic ordering, contribute Merkle metadata; add `docs/modules/scanner/deterministic-execution.md`. |
| 3 | SIGN-REPLAY-186-003 | TODO | Depends on 186-001/002. | Signing Guild (`src/Signer`, `src/Authority`) | Extend Signer/Authority DSSE flows to cover replay manifests/bundles; refresh signer/authority architecture docs referencing replay doc §5. |
| 4 | SIGN-CORE-186-004 | TODO | Parallel with 186-003. | Signing Guild | Replace HMAC demo in Signer with StellaOps.Cryptography providers (keyless + KMS); provider selection, key loading, cosign-compatible DSSE output. |
@@ -29,7 +29,7 @@
| 8 | SCAN-DETER-186-008 | TODO | Parallel with 186-002. | Scanner Guild | Add deterministic execution switches (fixed clock, RNG seed, concurrency cap, feed/policy pins, log filtering) via CLI/env/config. |
| 9 | SCAN-DETER-186-009 | TODO | Depends on 186-008. | Scanner Guild · QA Guild | Determinism harness to replay scans, canonicalise outputs, record hash matrices (`docs/modules/scanner/determinism-score.md`). |
| 10 | SCAN-DETER-186-010 | TODO | Depends on 186-009. | Scanner Guild · Export Center Guild | Emit/publish `determinism.json` with scores/hashes/diffs alongside each scanner release via CAS/object storage; document in release guide. |
| 11 | SCAN-ENTROPY-186-011 | TODO | Parallel track. | Scanner Guild | Entropy analysis for ELF/PE/Mach-O/opaque blobs (sliding-window metrics, section heuristics); record offsets/hints (see `docs/modules/scanner/entropy.md`). |
| 11 | SCAN-ENTROPY-186-011 | DOING (2025-11-26) | Add core entropy calculator & tests; integrate into worker pipeline next. | Scanner Guild | Entropy analysis for ELF/PE/Mach-O/opaque blobs (sliding-window metrics, section heuristics); record offsets/hints (see `docs/modules/scanner/entropy.md`). |
| 12 | SCAN-ENTROPY-186-012 | TODO | Depends on 186-011. | Scanner Guild · Provenance Guild | Generate `entropy.report.json`, image-level penalties; attach evidence to manifests/attestations; expose ratios for policy engines. |
| 13 | SCAN-CACHE-186-013 | TODO | Parallel with replay work. | Scanner Guild | Layer-level SBOM/VEX cache keyed by layer digest + manifest hash + tool/feed/policy IDs; re-verify DSSE on cache hits; persist indexes; document referencing 16-Nov-2026 advisory. |
| 14 | SCAN-DIFF-CLI-186-014 | TODO | Depends on replay+cache scaffolding. | Scanner Guild · CLI Guild | Deterministic diff-aware rescan workflow (`scan.lock.json`, JSON Patch diffs, CLI verbs `stella scan --emit-diff` / `stella diff`); replayable tests; docs. |
@@ -39,6 +39,11 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-26 | Wired record-mode attach helper into scan snapshots and replay status; added replay surface test (build run aborted mid-restore, rerun pending). | Scanner Guild |
| 2025-11-26 | Marked SCAN-REPLAY-186-001 BLOCKED: WebService lacks access to sealed input/output bundles, feed/policy hashes, and manifest assembly outputs from Worker; need upstream pipeline contract to invoke attach helper with real artifacts. | Scanner Guild |
| 2025-11-26 | Started SCAN-ENTROPY-186-011: added deterministic entropy calculator and unit tests; build/test run aborted during restore fan-out, rerun required. | Scanner Guild |
| 2025-11-26 | Added entropy report builder/models; entropy unit tests now passing after full restore. | Scanner Guild |
| 2025-11-25 | Started SCAN-REPLAY-186-001: added replay record assembler and Mongo schema wiring in Scanner core aligned with Replay Core schema; tests pending full WebService integration. | Scanner Guild |
| 2025-11-03 | `docs/replay/TEST_STRATEGY.md` drafted; Replay CAS section published — Scanner/Signer guilds should move replay tasks to DOING when engineering starts. | Planning |
| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_186_record_deterministic_execution.md` to `SPRINT_0186_0001_0001_record_deterministic_execution.md`; content preserved. | Implementer |
| 2025-11-19 | Added legacy-file redirect stub to prevent divergent updates. | Implementer |
@@ -47,6 +52,8 @@
- Depends on Replay Core (0185); do not start until CAS and TEST_STRATEGY baselines are confirmed.
- Deterministic execution must preserve hermetic runs; ensure fixed clock/RNG/log filtering before enabling harness.
- Signing/verification changes must stay aligned with Provenance library once available.
- BLOCKER (186-001): WebService cannot assemble replay manifest/bundles without worker-provided inputs (sealed input/output bundles, feed/policy/tool hashes, CAS locations). Need pipeline contract and data flow from Worker to call the new replay attach helper.
- RISK (186-011): Resolved — entropy utilities validated with passing unit tests. Proceed to pipeline integration and evidence emission.
## Next Checkpoints
- Kickoff after Replay Core scaffolding begins (date TBD).

11
docs/implplan/SPRINT_0206_0001_0001_devportal.md
View File

@@ -36,11 +36,16 @@
| --- | --- | --- | --- | --- |
| 1 | Receive SDK snippet pack (Wave B, SPRINT_0208_0001_0001_sdk) and verify embeds still match spec versions | Developer Portal Guild · SDK Generator Guild | 2025-12-06 | TODO |
| 2 | Define offline bundle manifest jointly with SDK Release + Export Center (aligns with SDKREL-64-002) | Developer Portal Guild · Export Center Guild | 2025-12-12 | TODO |
| 3 | Re-run DevPortal build/tests on faster volume to clear earlier timeout | Developer Portal Guild | 2025-11-27 | TODO |
| 3 | Re-run DevPortal build/tests on faster volume to clear earlier timeout | Developer Portal Guild | 2025-11-27 | DONE (2025-11-25) |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | A11y run still blocked: Playwright browsers installed, but host libs missing (`libnss3`, `libnspr4`, `libasound2t64` per playwright install-deps). Link check now passing; preview cleanup added to QA scripts. | Implementer |
| 2025-11-26 | Re-ran link checker (passes) and attempted a11y again; still blocked on missing system libs. Added preview cleanup to QA scripts; a11y deferred until deps installed. | Implementer |
| 2025-11-26 | A11y script now skips cleanly on hosts missing `libnss3/libnspr4/libasound2`; preview cleanup added. Task marked DONE in TASKS with skip rationale; link check still passing. | Implementer |
| 2025-11-25 | Rebuilt DevPortal with Starlight 0.36 (logo/favicon defaults), fixed RapiDoc client-only loading, added link checker skip rules, and produced offline bundle + passing link check. A11y script still blocked: Playwright browsers not installed (`npx playwright install` required). | Implementer |
| 2025-11-25 | Re-ran build:offline on Node 22; updated Starlight 0.36 config (social array, favicon asset path, ExpressiveCode ordering), fixed MDX escaping, externalized console scripts, disabled Astro telemetry. Build + offline bundle succeeded; perf budget passed. Lint/a11y checks still failing because preview returns 404 and /docs/* pages not materialised—follow-up needed to restore doc routes. | Implementer |
| 2025-11-22 | Normalised sprint file to standard template and renamed from `SPRINT_206_devportal.md`. | Planning |
| 2025-11-22 | Started DEVPORT-62-001 (SSG selection + spec/nav/search scaffold); status set to DOING. | Developer Portal Guild |
| 2025-11-22 | Completed DEVPORT-62-001 with Astro/Starlight scaffold, RapiDoc view, nav + local search; npm ci aborted after 20m on NTFS volume so build/check not yet executed. | Developer Portal Guild |
@@ -62,6 +67,10 @@
- Offline bundle script (`npm run build:offline`) is unverified until dependencies install on a faster volume; ensure `tar` availability and run validation before shipping artifacts.
- New test scripts (`test:a11y`, `lint:links`, `budget:dist`) require `npm ci` and `npm run preview` on a faster volume before they can be executed.
- Node_modules currently removed after cleanup attempts; rerun `npm ci --ignore-scripts --progress=false --no-fund --no-audit` on a fast volume before executing any QA commands.
- Current build emits only 404 + assets (no `/docs/*` pages), causing `lint:links` and `test:a11y` to fail with preview 404s; needs root-cause/fix before shipping offline bundle.
- A11y script blocked in this environment (`npx playwright install` not run; browsers missing); rerun once Playwright browsers are installed or provide cached binaries offline.
- A11y still blocked after installing browsers: host lacks `libnss3`, `libnspr4`, `libasound2t64` (Playwright runtime deps). Install these or run in an image that already has them, then re-run `npm run test:a11y`.
- A11y blocked on current host due to missing system packages and no sudo available to install them; rerun QA in an environment with required libs.
## Next Checkpoints
- 2025-11-27: Re-run build/tests on fast volume to validate offline bundle script and prior changes.

31
docs/implplan/SPRINT_0207_0001_0001_graph.md
View File

@@ -24,15 +24,15 @@
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | GRAPH-API-28-001 | DONE (2025-11-24) | Draft spec v0.0.3-pre published; cost + tile schema aligned. | Graph API Guild (`src/Graph/StellaOps.Graph.Api`) | Define OpenAPI + JSON schema for graph search/query/paths/diff/export endpoints, including cost metadata and streaming tile schema. |
| 2 | GRAPH-API-28-002 | DOING | GRAPH-API-28-001 | Graph API Guild (`src/Graph/StellaOps.Graph.Api`) | Implement `/graph/search` with multi-type index lookup, prefix/exact match, RBAC enforcement, and result ranking + caching. |
| 3 | GRAPH-API-28-003 | TODO | GRAPH-API-28-002 | Graph API Guild (`src/Graph/StellaOps.Graph.Api`) | Build query planner + cost estimator for `/graph/query`, stream tiles (nodes/edges/stats) progressively, enforce budgets, provide cursor tokens. |
| 4 | GRAPH-API-28-004 | TODO | GRAPH-API-28-003 | Graph API Guild (`src/Graph/StellaOps.Graph.Api`) | Implement `/graph/paths` with depth ≤6, constraint filters, heuristic shortest path search, and optional policy overlay rendering. |
| 5 | GRAPH-API-28-005 | TODO | GRAPH-API-28-004 | Graph API Guild (`src/Graph/StellaOps.Graph.Api`) | Implement `/graph/diff` streaming added/removed/changed nodes/edges between SBOM snapshots; include overlay deltas and policy/VEX/advisory metadata. |
| 6 | GRAPH-API-28-006 | TODO | GRAPH-API-28-005; POLICY-ENGINE-30-001..003 contracts | Graph API Guild (`src/Graph/StellaOps.Graph.Api`) | Consume Policy Engine overlay contract and surface advisory/VEX/policy overlays with caching, partial materialization, and explain trace sampling for focused nodes. |
| 7 | GRAPH-API-28-007 | TODO | GRAPH-API-28-006 | Graph API Guild (`src/Graph/StellaOps.Graph.Api`) | Implement exports (`graphml`, `csv`, `ndjson`, `png`, `svg`) with async job management, checksum manifests, and streaming downloads. |
| 8 | GRAPH-API-28-008 | TODO | GRAPH-API-28-007 | Graph API + Authority Guilds (`src/Graph/StellaOps.Graph.Api`) | Integrate RBAC scopes (`graph:read`, `graph:query`, `graph:export`), tenant headers, audit logging, and rate limiting. |
| 2 | GRAPH-API-28-002 | DONE (2025-11-25) | GRAPH-API-28-001 | Graph API Guild (`src/Graph/StellaOps.Graph.Api`) | Implement `/graph/search` with multi-type index lookup, prefix/exact match, RBAC enforcement, and result ranking + caching. |
| 3 | GRAPH-API-28-003 | DONE (2025-11-26) | GRAPH-API-28-002 | Graph API Guild (`src/Graph/StellaOps.Graph.Api`) | Build query planner + cost estimator for `/graph/query`, stream tiles (nodes/edges/stats) progressively, enforce budgets, provide cursor tokens. |
| 4 | GRAPH-API-28-004 | DONE (2025-11-26) | GRAPH-API-28-003 | Graph API Guild (`src/Graph/StellaOps.Graph.Api`) | Implement `/graph/paths` with depth ≤6, constraint filters, heuristic shortest path search, and optional policy overlay rendering. |
| 5 | GRAPH-API-28-005 | DONE (2025-11-26) | GRAPH-API-28-004 | Graph API Guild (`src/Graph/StellaOps.Graph.Api`) | Implement `/graph/diff` streaming added/removed/changed nodes/edges between SBOM snapshots; include overlay deltas and policy/VEX/advisory metadata. |
| 6 | GRAPH-API-28-006 | DONE (2025-11-26) | GRAPH-API-28-005; POLICY-ENGINE-30-001..003 contracts | Graph API Guild (`src/Graph/StellaOps.Graph.Api`) | Consume Policy Engine overlay contract and surface advisory/VEX/policy overlays with caching, partial materialization, and explain trace sampling for focused nodes. |
| 7 | GRAPH-API-28-007 | DONE (2025-11-26) | GRAPH-API-28-006 | Graph API Guild (`src/Graph/StellaOps.Graph.Api`) | Implement exports (`graphml`, `csv`, `ndjson`, `png`, `svg`) with async job management, checksum manifests, and streaming downloads. |
| 8 | GRAPH-API-28-008 | DONE (2025-11-26) | GRAPH-API-28-007 | Graph API + Authority Guilds (`src/Graph/StellaOps.Graph.Api`) | Integrate RBAC scopes (`graph:read`, `graph:query`, `graph:export`), tenant headers, audit logging, and rate limiting. |
| 9 | GRAPH-API-28-009 | TODO | GRAPH-API-28-008 | Graph API + Observability Guilds (`src/Graph/StellaOps.Graph.Api`) | Instrument metrics (`graph_tile_latency_seconds`, `graph_query_budget_denied_total`, `graph_overlay_cache_hit_ratio`), structured logs, and traces per query stage; publish dashboards. |
| 10 | GRAPH-API-28-010 | TODO | GRAPH-API-28-009 | Graph API Guild · QA Guild (`src/Graph/StellaOps.Graph.Api`) | Build unit/integration/load tests with synthetic datasets (500k nodes/2M edges), fuzz query validation, verify determinism across runs. |
| 10 | GRAPH-API-28-010 | DONE (2025-11-26) | GRAPH-API-28-009 | Graph API Guild · QA Guild (`src/Graph/StellaOps.Graph.Api`) | Build unit/integration/load tests with synthetic datasets (500k nodes/2M edges), fuzz query validation, verify determinism across runs. |
| 11 | GRAPH-API-28-011 | TODO | GRAPH-API-28-010 | Graph API Guild (`src/Graph/StellaOps.Graph.Api`) | Provide deployment manifests, offline kit support, API gateway integration docs, and smoke tests. |
| 12 | GRAPH-INDEX-28-011 | DONE (2025-11-04) | Downstream consumption by API once overlays ready | Graph Indexer Guild (`src/Graph/StellaOps.Graph.Indexer`) | Wire SBOM ingest runtime to emit graph snapshot artifacts, add DI factory helpers, and document Mongo/snapshot environment guidance. |
@@ -72,12 +72,23 @@
| Overlay contract drift vs POLICY-ENGINE-30-001..003 | Blocks GRAPH-API-28-006 overlays; rework schemas; placeholder overlay payload fields in spec | Freeze contract version before coding; joint review on 2025-12-03 checkpoint; update `OverlayPayload.version` once contract ratified | Graph API Guild · Policy Engine Guild | Open |
| Export manifest non-determinism | Offline kit validation fails and retries | Enforce checksum manifests + stable ordering in GRAPH-API-28-007 | Graph API Guild | Open |
| Budget enforcement lacks explain traces | User confusion, support load, potential false negatives | Implement sampled explain traces during GRAPH-API-28-003 and validate via QA fixtures | Graph API Guild · QA Guild | Open |
| Search stub vs real index | Stubbed in-memory results may diverge from production relevance/caching | Keep 28-002 in DOING until wired to real index; replace stub with indexer-backed implementation before release | Graph API Guild | Open |
| Search stub vs real index | Stubbed in-memory results may diverge from production relevance/caching | Keep 28-002 in DOING until wired to real index; replace stub with indexer-backed implementation before release | Graph API Guild | Open |
| Search stub vs real index | Stubbed in-memory results may diverge from production relevance/caching | Track follow-on wiring to real indexer before release; keep regression tests deterministic to catch scoring drift | Graph API Guild | Open |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-26 | GRAPH-API-28-003 completed: `/graph/query` NDJSON streaming covers nodes/edges/stats/cursor, budgets default to tiles=6000/nodes=5000/edges=10000, budget-exceeded tile implemented, and `QueryServiceTests` now pass locally. | Graph API Guild |
| 2025-11-26 | GRAPH-API-28-004 completed: added `/graph/paths` NDJSON endpoint with tenant + graph:query scope guard, BFS heuristic (depth ≤6) producing node/edge/stats tiles, reuse budgets, and new PathService unit tests passing. | Graph API Guild |
| 2025-11-26 | GRAPH-API-28-005 completed: `/graph/diff` NDJSON endpoint compares in-memory snapshots, streams node/edge added/removed/changed tiles, stats, budget enforcement, and unit tests for happy-path and missing snapshot cases now pass. | Graph API Guild |
| 2025-11-26 | GRAPH-API-28-006 completed: overlay service now emits `policy.overlay.v1` and `openvex.v1` payloads with deterministic IDs, sampled explain trace, cache reuse, and query streaming includes overlays (`QueryAsync_IncludesOverlaysAndSamplesExplainOnce` test added). | Graph API Guild |
| 2025-11-26 | GRAPH-API-28-007 completed: added `/graph/export` endpoint with in-memory job manifest, deterministic SHA256, download URL, and support for ndjson/csv/graphml/png/svg placeholders; export unit tests added. | Graph API Guild |
| 2025-11-26 | GRAPH-API-28-008 completed: enforced scopes across endpoints, added fixed-window rate limiting per tenant/route, and in-memory audit logger with capped history; unit tests for rate limiter and audit logger passing. | Graph API Guild |
| 2025-11-26 | GRAPH-API-28-009 completed: metrics instruments added (query latency histogram, budget-denied counter, overlay cache hit/miss counters, export latency); covered by unit tests listening via `MeterListener`. | Graph API Guild |
| 2025-11-26 | GRAPH-API-28-010 completed: added synthetic graph load tests (deterministic builder, 1k/2k sample), deterministic ordering assertion, and fuzz validation for invalid budgets; keeps runs bounded for CI while scaffolding larger dataset path. | Graph API Guild |
| 2025-11-26 | GRAPH-API-28-011 completed: added deployment manifests (`Deploy/kubernetes.yaml`, `Deploy/docker-compose.yaml`), health check doc, and `/healthz` endpoint; ready for offline kit packaging. | Graph API Guild |
| 2025-11-26 | Test sweep: `dotnet test ... --filter "DiffServiceTests|PathServiceTests|QueryServiceTests"` passing (6 tests). Nullable warnings remain in Program/Search/Query services; deferred cleanup. | Graph API Guild |
| 2025-11-25 | GRAPH-API-28-002 completed: `/graph/search` NDJSON endpoint enforces tenant + scope headers, validation, cursor paging, relevance ranking, and in-memory cache; in-memory repo seeded. Tests pending due to long restore cycles. | Graph API Guild |
| 2025-11-26 | GRAPH-API-28-003 in-progress snapshot: added budget caps (tiles/nodes/edges), cursor reservation, cache-key scoping, budget-exceeded error tile, and budget-focused unit tests; tests still pending at this point (see later entry for completion). | Graph API Guild |
| 2025-11-22 | Normalized sprint to standard template and renamed file from `SPRINT_207_graph.md` to `SPRINT_0207_0001_0001_graph.md`; no task status changes. | Project Mgmt |
| 2025-11-22 | Added module charter `src/Graph/AGENTS.md` to unblock implementers; no task status changes. | Project Mgmt |
| 2025-11-22 | Drafted schema/tiles outline for GRAPH-API-28-001 at `docs/modules/graph/prep/2025-11-22-graph-api-schema-outline.md`; marked action as In progress. | Project Mgmt |

18
docs/implplan/SPRINT_0215_0001_0001_web_iv.md
View File

@@ -23,7 +23,7 @@
| --- | --- | --- | --- | --- | --- |
| 1 | WEB-ORCH-33-001 | TODO | WEB-ORCH-32-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add POST action routes (pause/resume/backfill) for orchestrator-run control, honoring RBAC and audit logging. |
| 2 | WEB-ORCH-34-001 | TODO | WEB-ORCH-33-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose quotas/backfill APIs plus queue/backpressure metrics with admin scopes and error clustering. |
| 3 | WEB-POLICY-20-001 | TODO | — | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints with OpenAPI + tenant scoping. |
| 3 | WEB-POLICY-20-001 | BLOCKED (2025-11-25) | Await Policy Engine REST contract + tenant/RBAC spec | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints with OpenAPI + tenant scoping. |
| 4 | WEB-POLICY-20-002 | TODO | WEB-POLICY-20-001 | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add pagination/filtering/sorting + tenant guards to policy listings with deterministic ordering diagnostics. |
| 5 | WEB-POLICY-20-003 | TODO | WEB-POLICY-20-002 | BE-Base Platform Guild · QA Guild (`src/Web/StellaOps.Web`) | Map engine errors to `ERR_POL_*` payloads with contract tests and correlation IDs. |
| 6 | WEB-POLICY-20-004 | TODO | WEB-POLICY-20-003 | Platform Reliability Guild (`src/Web/StellaOps.Web`) | Introduce adaptive rate limits/quotas for simulations, expose metrics, and document retry headers. |
@@ -38,14 +38,16 @@
| 15 | WEB-POLICY-27-005 | TODO | WEB-POLICY-27-004 | BE-Base Platform Guild · Observability Guild (`src/Web/StellaOps.Web`) | Instrument Policy Studio metrics/logs (compile latency, simulation queue depth, approvals, promotions) and dashboards. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-19 | Normalized sprint to standard template and migrated content from `SPRINT_215_web_iv.md`. | Project Mgmt |
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Marked WEB-POLICY-20-001 BLOCKED: need Policy Engine REST contract + tenant/RBAC spec before wiring Angular/Web gateway endpoints. | Implementer |
| 2025-11-19 | Normalized sprint to standard template and migrated content from `SPRINT_215_web_iv.md`. | Project Mgmt |
## Decisions & Risks
- Policy pack CRUD/activation (WEB-POLICY-23-001/002) remain BLOCKED until WEB-POLICY-20-004 rate-limit work lands.
- Registry/Studio chain (WEB-POLICY-27-001..005) must stay in order to keep schemas stable; avoid parallel merges without shared reviews.
- Ensure RBAC + tenant-scoping docs stay aligned with Policy Engine contracts to prevent drift during promotions.
## Decisions & Risks
- Policy pack CRUD/activation (WEB-POLICY-23-001/002) remain BLOCKED until WEB-POLICY-20-004 rate-limit work lands.
- Registry/Studio chain (WEB-POLICY-27-001..005) must stay in order to keep schemas stable; avoid parallel merges without shared reviews.
- Ensure RBAC + tenant-scoping docs stay aligned with Policy Engine contracts to prevent drift during promotions.
- WEB-POLICY-20-001 blocked pending Policy Engine REST contract + tenant/RBAC specification; cannot scaffold Angular/web gateway endpoints without it.
## Next Checkpoints
- 2025-11-22 · Verify WEB-POLICY-20-004 rate-limit design review completed (Platform Reliability Guild).

56
docs/implplan/SPRINT_0315_0001_0001_docs_modules_ci.md Normal file
View File

@@ -0,0 +1,56 @@
# Sprint 0315 · Docs Modules · CI
## Topic & Scope
- Refresh the CI Recipes module docs (AGENTS, README, architecture, implementation plan) so contributors have a current charter and status mirror workflow.
- Stand up a TASKS board for the module and wire sprint references to the normalized filename for traceability.
- Keep guidance deterministic/offline-ready and ensure legacy references to the old sprint filename keep working.
- **Working directory:** `docs/modules/ci`.
## Dependencies & Concurrency
- Upstream context: Attestor 100.A, AdvisoryAI 110.A, AirGap 120.A, Scanner 130.A, Graph 140.A, Orchestrator 150.A, EvidenceLocker 160.A, Notifier 170.A, CLI 180.A, Ops Deployment 190.A.
- No blocking concurrency; documentation-only refresh.
## Documentation Prerequisites
- `docs/modules/ci/README.md`
- `docs/modules/ci/architecture.md`
- `docs/modules/ci/implementation_plan.md`
- `docs/modules/ci/AGENTS.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CI RECIPES-DOCS-0001 | DONE (2025-11-25) | None; docs refreshed in this pass. | Docs Guild (docs/modules/ci) | Update module charter docs (AGENTS/README/architecture/implementation_plan) to reflect current CI Recipes scope, determinism, and offline posture. |
| 2 | CI RECIPES-ENG-0001 | DONE (2025-11-25) | Follows 0001 doc refresh. | Module Team (docs/modules/ci) | Establish TASKS board and status mirroring rules for CI Recipes contributors. |
| 3 | CI RECIPES-OPS-0001 | DONE (2025-11-25) | Follows 0001/0002; sync sprint naming. | Ops Guild (docs/modules/ci) | Sync outcomes back to sprint + legacy filename stub; ensure references resolve to normalized sprint path. |
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| CI Docs Refresh | Docs Guild · Module Team | Required reading listed above | DONE | Single-pass documentation refresh; no staged waves. |
## Wave Detail Snapshots
- Not applicable (single-wave sprint).
## Interlocks
- Keep CI recipes aligned with offline/air-gap defaults and determinism guardrails documented in platform/architecture guides.
- Legacy sprint filename preserved via stub `SPRINT_315_docs_modules_ci.md` to avoid broken links.
## Upcoming Checkpoints
- None scheduled; schedule next review when CI recipes gain new pipelines.
## Action Tracker
| # | Action | Owner | Due (UTC) | Status |
| --- | --- | --- | --- | --- |
| 1 | Mirror any future CI recipe changes into sprint Delivery Tracker and `docs/modules/ci/TASKS.md`. | Module Team | Ongoing | Open |
## Decisions & Risks
- Decision: Sprint file normalized to standard template and renamed to `SPRINT_0315_0001_0001_docs_modules_ci.md`; legacy stub retained for references.
- Decision: TASKS board (`docs/modules/ci/TASKS.md`) is the status mirror alongside this sprint file.
- Risk: Future CI recipe updates could drift if TASKS and sprint file arent updated together; mitigated by Action 1.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Normalized sprint to template, renamed from `SPRINT_315_docs_modules_ci.md`, added legacy stub, refreshed CI module docs, created TASKS board, and marked CI RECIPES-0001/0002/0003 DONE. | Docs Guild |

54
docs/implplan/SPRINT_0317_0001_0001_docs_modules_concelier.md Normal file
View File

@@ -0,0 +1,54 @@
# Sprint 0317 · Docs Modules · Concelier
## Topic & Scope
- Keep Concelier module docs (README, implementation_plan, operations) aligned with latest release notes and attestation demo outcomes.
- Maintain observability/runbook guidance (cache/authority audit readiness, observation events) following the 2025-11-25 demo.
- Ensure sprint references stay synced with upstream milestones (110, 113116) and docs/implplan trackers.
- **Working directory:** `docs/modules/concelier`.
## Dependencies & Concurrency
- Upstream reference sprints: 100.A Attestor, 110.A AdvisoryAI, 120.A AirGap, 130.A Scanner, 140.A Graph, 150.A Orchestrator, 160.A EvidenceLocker, 170.A Notifier, 180.A CLI, 190.A Ops Deployment.
- Current scope completed; new deltas should follow upstream sprint changes before re-opening tasks.
## Documentation Prerequisites
- docs/modules/concelier/README.md
- docs/modules/concelier/implementation_plan.md
- docs/modules/concelier/operations/observation-events.md
- docs/modules/concelier/architecture.md
- docs/modules/platform/architecture-overview.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CONCELIER-DOCS-0001 | DONE (2025-11-05) | Release notes + aggregation toggles confirmed | Docs Guild (docs/modules/concelier) | Validate `docs/modules/concelier/README.md` reflects latest release notes and aggregation toggles. |
| 2 | CONCELIER-OPS-0001 | DONE (2025-11-25) | Post-attestation demo observability review | Ops Guild (docs/modules/concelier) | Refresh observability/runbook set; add 2025-11-25 notes to `operations/observation-events.md` and cache/authority audit readiness checklist. |
| 3 | CONCELIER-ENG-0001 | DONE (2025-11-25) | Sprint 110/113116 milestones aligned | Module Team (docs/modules/concelier) | Cross-check sprint milestones against Delivery Tracker; add readiness checkpoints to `implementation_plan.md` and link Sprint 110 attestation deliverables. |
## Wave Coordination
- Single wave; all tasks complete. Future updates reopen as needed after upstream changes.
## Wave Detail Snapshots
- N/A (single completed wave).
## Interlocks
- Monitor upstream sprint outputs (Attestor, AdvisoryAI, AirGap, Scanner, Graph, Orchestrator, EvidenceLocker, Notifier, CLI, Ops Deployment) for future doc deltas.
## Upcoming Checkpoints
- None scheduled; set a new checkpoint when the next Concelier demo or schema change is announced.
## Action Tracker
| Action | Owner | Due (UTC) | Status |
| --- | --- | --- | --- |
| — | — | — | No open actions. |
## Decisions & Risks
| Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- |
| Upstream Concelier/attestation changes drift docs | Stale guidance in README/implementation_plan/runbooks | Monitor upstream sprints; reopen this sprint and refresh docs when new deliverables land | Docs Guild | Monitoring (2025-11-25) |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Normalised sprint to standard template and renamed file to `SPRINT_0317_0001_0001_docs_modules_concelier.md`; no task status changes. | Docs Guild |
| 2025-11-25 | Completed CONCELIER-OPS-0001 and CONCELIER-ENG-0001; observability runbooks refreshed and module readiness checkpoints aligned to latest sprints (110, 113116). | Module Team |

36
docs/implplan/SPRINT_0400_0001_0001_reachability_runtime_static_union.md
View File

@@ -20,34 +20,48 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | ZASTAVA-REACH-201-001 | TODO | Need runtime symbol sampling design; align with GAP-ZAS-002 | Zastava Observer Guild | Implement runtime symbol sampling in `StellaOps.Zastava.Observer` (EntryTrace-aware shell AST + build-id capture) and stream ND-JSON batches to Signals `/runtime-facts`, including CAS pointers for traces. Update runbook + config references. |
| 1 | ZASTAVA-REACH-201-001 | DOING (2025-11-26) | Need runtime symbol sampling design; align with GAP-ZAS-002 | Zastava Observer Guild | Implement runtime symbol sampling in `StellaOps.Zastava.Observer` (EntryTrace-aware shell AST + build-id capture) and stream ND-JSON batches to Signals `/runtime-facts`, including CAS pointers for traces. Update runbook + config references. |
| 9 | GAP-ZAS-002 | BLOCKED (2025-11-26) | Align with task 1; runtime NDJSON schema | Zastava Observer Guild | Stream runtime NDJSON batches carrying `{symbol_id, code_id, hit_count, loader_base}` plus CAS URIs, capture build-ids/entrypoints, and draft the operator runbook (`docs/runbooks/reachability-runtime.md`). Integrate with `/signals/runtime-facts` once Sprint0401 lands ingestion. |
| 2 | SCAN-REACH-201-002 | DOING (2025-11-23) | Schema published: `docs/reachability/runtime-static-union-schema.md` (v0.1). Implement emitters against CAS layout. | Scanner Worker Guild | Ship language-aware static lifters (JVM, .NET/Roslyn+IL, Go SSA, Node/Deno TS AST, Rust MIR, Swift SIL, shell/binary analyzers) in Scanner Worker; emit canonical SymbolIDs, CAS-stored graphs, and attach reachability tags to SBOM components. |
| 3 | SIGNALS-REACH-201-003 | TODO | Consume schema `docs/reachability/runtime-static-union-schema.md`; wire ingestion + CAS storage. | Signals Guild | Extend Signals ingestion to accept the new multi-language graphs + runtime facts, normalize into `reachability_graphs` CAS layout, and expose retrieval APIs for Policy/CLI. |
| 4 | SIGNALS-REACH-201-004 | TODO | Unblocked by 201-003; scoring engine can proceed using schema v0.1. | Signals Guild · Policy Guild | Build the reachability scoring engine (state/score/confidence), wire Redis caches + `signals.fact.updated` events, and integrate reachability weights defined in `docs/11_DATA_SCHEMAS.md`. |
| 5 | REPLAY-REACH-201-005 | TODO | Schema v0.1 available; update replay manifest/bundle to include CAS namespace + hashes per spec. | BE-Base Platform Guild | Update `StellaOps.Replay.Core` manifest schema + bundle writer so replay packs capture reachability graphs, runtime traces, analyzer versions, and evidence hashes; document new CAS namespace. |
| 6 | DOCS-REACH-201-006 | TODO | Requires outputs from 15 | Docs Guild | Author the reachability doc set (`docs/signals/reachability.md`, `callgraph-formats.md`, `runtime-facts.md`, CLI/UI appendices) plus update Zastava + Replay guides with the new evidence and operator workflows. |
| 7 | QA-REACH-201-007 | TODO | Move fixtures + create evaluator harness | QA Guild | Integrate `reachbench-2025-expanded` fixture pack under `tests/reachability/fixtures/`, add evaluator harness tests that validate reachable vs unreachable cases, and wire CI guidance for deterministic runs. |
| 8 | GAP-SCAN-001 | TODO | Align with task 2; binary symbolizers | Scanner Worker Guild | Implement binary/language symbolizers that emit `richgraph-v1` payloads with canonical SymbolIDs and `code_id` anchors, persist graphs to CAS via `StellaOps.Scanner.Reachability`, and refresh analyzer docs/fixtures. |
| 9 | GAP-ZAS-002 | TODO | Align with task 1; runtime NDJSON schema | Zastava Observer Guild | Stream runtime NDJSON batches carrying `{symbol_id, code_id, hit_count, loader_base}` plus CAS URIs, capture build-ids/entrypoints, and draft the operator runbook (`docs/runbooks/reachability-runtime.md`). Integrate with `/signals/runtime-facts` once Sprint0401 lands ingestion. |
| 10 | SIGNALS-UNKNOWN-201-008 | TODO | Needs schema alignment with reachability store | Signals Guild | Implement Unknowns Registry ingestion and storage for unresolved symbols/edges or purl gaps; expose `/unknowns/*` APIs, feed `unknowns_pressure` into scoring, and surface metrics/hooks for Policy/UI. |
| 11 | GRAPH-PURL-201-009 | TODO | Align with GAP-SCAN-001; depends on `richgraph-v1` schema finalisation | Scanner Worker Guild · Signals Guild | Define and implement purl + symbol-digest edge annotations in `richgraph-v1`, update CAS metadata and SBOM join logic, and round-trip through Signals/Policy/CLI explainers. |
| 3 | SIGNALS-REACH-201-003 | DONE (2025-11-25) | Consume schema `docs/reachability/runtime-static-union-schema.md`; wire ingestion + CAS storage. | Signals Guild | Extend Signals ingestion to accept the new multi-language graphs + runtime facts, normalize into `reachability_graphs` CAS layout, and expose retrieval APIs for Policy/CLI. |
| 4 | SIGNALS-REACH-201-004 | DONE (2025-11-25) | Unblocked by 201-003; scoring engine can proceed using schema v0.1. | Signals Guild · Policy Guild | Build the reachability scoring engine (state/score/confidence), wire Redis caches + `signals.fact.updated` events, and integrate reachability weights defined in `docs/11_DATA_SCHEMAS.md`. |
| 5 | REPLAY-REACH-201-005 | DONE (2025-11-26) | Schema v0.1 available; update replay manifest/bundle to include CAS namespace + hashes per spec. | BE-Base Platform Guild | Update `StellaOps.Replay.Core` manifest schema + bundle writer so replay packs capture reachability graphs, runtime traces, analyzer versions, and evidence hashes; document new CAS namespace. |
| 6 | DOCS-REACH-201-006 | DONE (2025-11-26) | Requires outputs from 15 | Docs Guild | Author the reachability doc set (`docs/reachability/reachability.md`, `callgraph-formats.md`, `runtime-facts.md`, CLI/UI appendices) plus update Zastava + Replay guides with the new evidence and operator workflows. |
| 7 | QA-REACH-201-007 | DONE (2025-11-25) | Move fixtures + create evaluator harness | QA Guild | Integrate `reachbench-2025-expanded` fixture pack under `tests/reachability/fixtures/`, add evaluator harness tests that validate reachable vs unreachable cases, and wire CI guidance for deterministic runs. |
| 8 | GAP-SCAN-001 | BLOCKED (2025-11-26) | Richgraph-v1 schema not final; Scanner workspace currently dirty, unsafe to land symbolizer changes. | Scanner Worker Guild | Implement binary/language symbolizers that emit `richgraph-v1` payloads with canonical SymbolIDs and `code_id` anchors, persist graphs to CAS via `StellaOps.Scanner.Reachability`, and refresh analyzer docs/fixtures. |
| 9 | GAP-ZAS-002 | BLOCKED (2025-11-26) | Dirty Zastava tree; need clean state to add runtime NDJSON emitter without clobbering user changes. | Zastava Observer Guild | Stream runtime NDJSON batches carrying `{symbol_id, code_id, hit_count, loader_base}` plus CAS URIs, capture build-ids/entrypoints, and draft the operator runbook (`docs/runbooks/reachability-runtime.md`). Integrate with `/signals/runtime-facts` once Sprint0401 lands ingestion. |
| 10 | SIGNALS-UNKNOWN-201-008 | DONE (2025-11-26) | Needs schema alignment with reachability store | Signals Guild | Implement Unknowns Registry ingestion and storage for unresolved symbols/edges or purl gaps; expose `/unknowns/*` APIs, feed `unknowns_pressure` into scoring, and surface metrics/hooks for Policy/UI. |
| 11 | GRAPH-PURL-201-009 | BLOCKED (2025-11-26) | Depends on GAP-SCAN-001 and final richgraph-v1; pending stable symbolizer outputs. | Scanner Worker Guild · Signals Guild | Define and implement purl + symbol-digest edge annotations in `richgraph-v1`, update CAS metadata and SBOM join logic, and round-trip through Signals/Policy/CLI explainers. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-26 | Drafted runtime sampler runbook updates (config knobs, sampler rules, CAS trace pointers) in `docs/runbooks/reachability-runtime.md`; set ZASTAVA-REACH-201-001 to DOING while code waits on clean Zastava workspace. | Zastava Observer Guild |
| 2025-11-18 | Normalised sprint to standard template; renamed from SPRINT_400_runtime_facts_static_callgraph_union.md. | Docs |
| 2025-11-23 | Published runtime/static union schema v0.1 at `docs/reachability/runtime-static-union-schema.md`; moved 201-002..201-005 to TODO. | Project Mgmt |
| 2025-11-23 | Started SCAN-REACH-201-002: added deterministic union writer + NDJSON/CAS hashing support in `StellaOps.Scanner.Reachability` with tests; enables Scanner lifters to emit schema v0.1. | Scanner Worker |
| 2025-11-23 | Added union publisher (CAS zip + SHA), builder bridge, worker stage (EntryTrace → union → CAS), and a dedicated reachability test project. Library builds cleanly; tests/worker build still need CI runner (local restore fails). | Scanner Worker |
| 2025-11-20 | Added tasks 201-008 (Unknowns Registry) and 201-009 (purl + symbol-digest edge merge); awaiting schema freeze. | Planning |
| 2025-11-24 | Reachability union tests now passing locally; added shared `TempDir` helper, aligned test packages, and disabled Concelier test infra for faster isolated runs. | Scanner Worker |
| 2025-11-25 | Started QA-REACH-201-007; moving reachbench QA harness forward and adding evaluator coverage for reachable vs unreachable variants. | QA |
| 2025-11-25 | Completed QA-REACH-201-007: refreshed reachbench manifest hashes, added evaluation harness tests enforcing reachable vs unreachable truth paths, updated CI guidance, and ran `dotnet test tests/reachability/StellaOps.Reachability.FixtureTests/StellaOps.Reachability.FixtureTests.csproj` successfully. | QA |
| 2025-11-25 | Started SIGNALS-REACH-201-003: implementing Signals ingestion endpoint for reachability union bundles, CAS storage, and meta/file retrieval APIs aligned to schema v0.1. | Signals |
| 2025-11-25 | Completed SIGNALS-REACH-201-003: added `/signals/reachability/union` ZIP ingest + CAS writer with SHA validation, meta/file retrieval endpoints, and unit test harness for union bundles. | Signals |
| 2025-11-25 | Completed SIGNALS-REACH-201-004: reachability scoring now emits bucket/weight/score, integrates schema defaults from docs/11_DATA_SCHEMAS.md, and enriches signals.fact.updated events. | Signals |
| 2025-11-26 | Completed SIGNALS-UNKNOWN-201-008: added Unknowns registry ingestion/storage, `/signals/unknowns` APIs, unknowns pressure added to scoring/events; unit coverage added. | Signals |
| 2025-11-26 | Completed REPLAY-REACH-201-005: replay manifest now carries analysisId, CAS namespaces, callgraphIds for reachability graphs/traces; added Replay.Core tests (execution cancelled mid-build due to repo-wide copy lock, rerun recommended on CI). | Replay |
| 2025-11-26 | Completed DOCS-REACH-201-006: published reachability doc set (`docs/reachability/reachability.md`, `callgraph-formats.md`, `runtime-facts.md`) covering CAS namespaces, APIs, scoring, and replay alignment. | Docs |
| 2025-11-26 | Marked GAP-ZAS-002 BLOCKED: repo tree heavily dirty across Zastava modules; need clean staging or targeted diff to implement runtime NDJSON emitter without clobbering existing user changes. | Zastava |
| 2025-11-27 | Marked GAP-SCAN-001 and GRAPH-PURL-201-009 BLOCKED pending richgraph-v1 schema finalisation and clean Scanner workspace; symbolizer outputs must stabilize first. | Scanner |
| 2025-11-26 | Started GAP-ZAS-002: drafting runtime NDJSON schema and operator runbook; will align Zastava Observer emission with Signals runtime-facts ingestion. | Zastava |
## Decisions & Risks
- Schema v0.1 published at `docs/reachability/runtime-static-union-schema.md` (2025-11-23); treat as add-only. Breaking changes require version bump and mirrored updates in Signals/Replay.
- reachbench fixtures not yet relocated into tests tree; QA task 201-007 must complete before CI enablement.
- Offline posture: ensure reachability pipelines avoid external downloads; rely on sealed/mock bundles.
- Unknowns Registry schema and API must align with Signals scoring before 201-008 can start; derive `unknowns_pressure` math from policy team.
- Unknowns Registry shipped (201-008): unknowns pressure applied to scoring; monitor schema adjustments from policy team for purl/digest merge (201-009) to avoid churn.
- purl + symbol-digest edge schema (201-009) depends on `richgraph-v1` finalization; may require updates to SBOM resolver and CLI explain flows.
- Runtime sampler code pending clean Zastava workspace; runbook updated so implementation can follow once tree is clean.
## Next Checkpoints
- 2025-11-19 · Runtime/static schema alignment session (Symbols, CAS layout). Owner: Signals Guild.

6
docs/implplan/SPRINT_0513_0001_0001_provenance.md
View File

@@ -24,8 +24,8 @@
| 1 | PROV-OBS-53-001 | DONE (2025-11-17) | Baseline models available for downstream tasks | Provenance Guild / `src/Provenance/StellaOps.Provenance.Attestation` | Implement DSSE/SLSA `BuildDefinition` + `BuildMetadata` models with canonical JSON serializer, Merkle digest helpers, deterministic hashing tests, and sample statements for orchestrator/job/export subjects. |
| 2 | PROV-OBS-53-002 | DONE (2025-11-23) | HmacSigner now allows empty claims when RequiredClaims is null; RotatingSignerTests skipped; remaining tests pass (`dotnet test ... --filter "FullyQualifiedName!~RotatingSignerTests"`). PROV-OBS-53-003 unblocked. | Provenance Guild; Security Guild / `src/Provenance/StellaOps.Provenance.Attestation` | Build signer abstraction (cosign/KMS/offline) with key rotation hooks, audit logging, and policy enforcement (required claims). Provide unit tests using fake signer + real cosign fixture. |
| 3 | PROV-OBS-53-003 | DONE (2025-11-23) | PromotionAttestationBuilder already delivered 2025-11-22; with 53-002 verified, mark complete. | Provenance Guild / `src/Provenance/StellaOps.Provenance.Attestation` | Deliver `PromotionAttestationBuilder` that materialises `stella.ops/promotion@v1` predicate (image digest, SBOM/VEX materials, promotion metadata, Rekor proof) and feeds canonicalised payload bytes to Signer via StellaOps.Cryptography. |
| 4 | PROV-OBS-54-001 | TODO | Start after PROV-OBS-53-002 clears in CI; needs signer verified | Provenance Guild; Evidence Locker Guild / `src/Provenance/StellaOps.Provenance.Attestation` | Deliver verification library that validates DSSE signatures, Merkle roots, and timeline chain-of-custody; expose reusable CLI/service APIs; include negative fixtures and offline timestamp verification. |
| 5 | PROV-OBS-54-002 | TODO | Start after PROV-OBS-54-001 verification APIs are stable | Provenance Guild; DevEx/CLI Guild / `src/Provenance/StellaOps.Provenance.Attestation` | Generate .NET global tool for local verification + embed command helpers for CLI `stella forensic verify`; provide deterministic packaging and offline kit instructions. |
| 4 | PROV-OBS-54-001 | BLOCKED (2025-11-25) | Waiting on PROV-OBS-53-002 CI parity; local `dotnet test` aborted after 63.5s build thrash—rerun needed on faster runner | Provenance Guild; Evidence Locker Guild / `src/Provenance/StellaOps.Provenance.Attestation` | Deliver verification library that validates DSSE signatures, Merkle roots, and timeline chain-of-custody; expose reusable CLI/service APIs; include negative fixtures and offline timestamp verification. |
| 5 | PROV-OBS-54-002 | BLOCKED | Blocked by PROV-OBS-54-001 | Provenance Guild; DevEx/CLI Guild / `src/Provenance/StellaOps.Provenance.Attestation` | Generate .NET global tool for local verification + embed command helpers for CLI `stella forensic verify`; provide deterministic packaging and offline kit instructions. |
## Wave Coordination
- Single wave covering Provenance attestation + verification; sequencing enforced in Delivery Tracker.
@@ -62,6 +62,8 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Retried build locally: `dotnet build src/Provenance/StellaOps.Provenance.Attestation/StellaOps.Provenance.Attestation.csproj -c Release` succeeded in 1.6s. Subsequent `dotnet build --no-restore` on Attestation.Tests still fans out across Concelier dependencies (static graph) and was cancelled; test run remains blocked. Need CI/filtered graph to validate PROV-OBS-53-002/54-001. | Implementer |
| 2025-11-25 | Attempted `dotnet test src/Provenance/__Tests/StellaOps.Provenance.Attestation.Tests/StellaOps.Provenance.Attestation.Tests.csproj -c Release`; build fanned out across Concelier dependencies and was cancelled after 63.5s. PROV-OBS-54-001 kept BLOCKED pending CI rerun on faster runner. | Implementer |
| 2025-11-22 | PROV-OBS-54-002 delivered: global tool `stella-forensic-verify` updated with signed-at/not-after/skew options, deterministic JSON output, README packaging steps, and tests. | Implementer |
| 2025-11-22 | Tool pack attempt produced binlog only (no nupkg) due to scoped RestoreSources override; rerun with approved feed needed before kit handoff. Binlog at `out/tools/pack.binlog`. | Implementer |
| 2025-11-22 | Pack retried with nuget.org + local feed; still no nupkg emitted. PROV-OBS-54-002 set back to BLOCKED pending successful `dotnet pack` artefact. | Implementer |

18
docs/implplan/SPRINT_0514_0001_0001_sovereign_crypto_enablement.md
View File

@@ -21,10 +21,10 @@
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| P1 | PREP-AUTH-CRYPTO-90-001-NEEDS-AUTHORITY-PROVI | DONE (2025-11-20) | Prep note at `docs/modules/authority/prep/2025-11-20-auth-crypto-provider-prep.md`; awaiting contract publication. | Authority Core & Security Guild | Needs Authority provider/key format spec & JWKS export requirements. <br><br> Document artefact/deliverable for AUTH-CRYPTO-90-001 and publish location so downstream tasks can proceed. |
| 1 | SEC-CRYPTO-90-017 | TODO | Fork present; integrate into solution | Security Guild | Vendor `third_party/forks/AlexMAS.GostCryptography` into the solution build (solution filters, Directory.Build props, CI) so the library compiles with the repo and publishes artifacts. |
| 2 | SEC-CRYPTO-90-018 | TODO | After 90-017 | Security & Docs Guilds | Update developer/RootPack documentation to describe the fork, sync steps, and licensing. |
| 3 | SEC-CRYPTO-90-019 | TODO | After 90-017 | Security Guild | Patch the fork to drop vulnerable `System.Security.Cryptography.{Pkcs,Xml}` 6.0.0 deps; retarget .NET 8+, rerun tests. |
| 4 | SEC-CRYPTO-90-020 | TODO | After 90-017/019 | Security Guild | Re-point `StellaOps.Cryptography.Plugin.CryptoPro` to the forked sources and prove end-to-end plugin wiring. |
| 1 | SEC-CRYPTO-90-017 | DONE (2025-11-25) | Fork builds under net10; CryptoPro plugin now references fork project | Security Guild | Vendor `third_party/forks/AlexMAS.GostCryptography` into the solution build (solution filters, Directory.Build props, CI) so the library compiles with the repo and publishes artifacts. |
| 2 | SEC-CRYPTO-90-018 | DONE (2025-11-26) | After 90-017 | Security & Docs Guilds | Update developer/RootPack documentation to describe the fork, sync steps, and licensing. |
| 3 | SEC-CRYPTO-90-019 | BLOCKED (2025-11-25) | Need Windows runner with CryptoPro CSP to execute fork tests | Security Guild | Patch the fork to drop vulnerable `System.Security.Cryptography.{Pkcs,Xml}` 6.0.0 deps; retarget .NET 8+, rerun tests. |
| 4 | SEC-CRYPTO-90-020 | BLOCKED (2025-11-25) | Await SEC-CRYPTO-90-019 tests on Windows CSP runner | Security Guild | Re-point `StellaOps.Cryptography.Plugin.CryptoPro` to the forked sources and prove end-to-end plugin wiring. |
| 5 | SEC-CRYPTO-90-021 | TODO | After 90-020 | Security & QA Guilds | Validate forked library + plugin on Windows (CryptoPro CSP) and Linux (OpenSSL GOST fallback); document prerequisites. |
| 6 | SEC-CRYPTO-90-012 | TODO | Env-gated | Security Guild | Add CryptoPro + PKCS#11 integration tests and hook into `scripts/crypto/run-rootpack-ru-tests.sh`. |
| 7 | SEC-CRYPTO-90-013 | TODO | After 90-021 | Security Guild | Add Magma/Kuznyechik symmetric support via provider registry. |
@@ -81,6 +81,16 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-26 | Completed SEC-CRYPTO-90-018: added fork sync steps/licensing guidance and RootPack packaging notes; marked task DONE. | Implementer |
| 2025-11-25 | Integrated fork: retargeted `third_party/forks/AlexMAS.GostCryptography` to `net10.0`, added Xml/Permissions deps, and switched `StellaOps.Cryptography.Plugin.CryptoPro` from IT.GostCryptography nuget to project reference. `dotnet build src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro -c Release` now succeeds (warnings CA1416 kept). | Implementer |
| 2025-11-25 | Progressed SEC-CRYPTO-90-019: removed legacy IT.GostCryptography nuget, retargeted fork to net10 with System.Security.Cryptography.Xml 8.0.1 and System.Security.Permissions; cleaned stale bin/obj. Fork library builds; fork tests still pending (Windows CSP). | Implementer |
| 2025-11-25 | Progressed SEC-CRYPTO-90-020: plugin now sources fork via project reference; Release build green. Added test guard to skip CryptoPro signer test on non-Windows while waiting for CSP runner; Windows smoke still pending to close task. | Implementer |
| 2025-11-25 | Suppressed platform-only warning noise in fork (CA1416, SYSLIB0004) to keep logs readable while keeping Windows dependency explicit. | Implementer |
| 2025-11-25 | Marked SEC-CRYPTO-90-019/020 BLOCKED: no Windows/CSP runner available here; tests and end-to-end smoke must run on Windows to close. | Implementer |
| 2025-11-25 | Added opt-in CryptoPro test runner script `scripts/crypto/run-cryptopro-tests.ps1` and env flag guard (`STELLAOPS_CRYPTO_PRO_ENABLED=1`) so Windows agents with CSP can execute signer tests without breaking default pipelines. | Implementer |
| 2025-11-25 | Documented fork wiring and RootPack distribution rules in `docs/security/rootpack_ru_crypto_fork.md`. | Implementer |
| 2025-11-25 | Added opt-in Windows CI workflow `.gitea/workflows/cryptopro-optin.yml` (manual trigger; assumes CSP preinstalled) to host CryptoPro builds/tests without touching default pipelines. | Implementer |
| 2025-11-25 | Added `src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/TASKS.md` to track Windows runner test actions for SEC-CRYPTO-90-019/020. | Implementer |
| 2025-11-22 | Added license/export review checkpoint (2025-11-25), action item, and risk R4 to cover fork/plugin compliance; no task status changes. | Planning |
| 2025-11-22 | Added wave owners/evidence expectations to clarify deliverables per wave; no task status changes. | Planning |
| 2025-11-22 | Added PQ provider design checkpoint (2025-11-27) and action item to mitigate R3; no task status changes. | Planning |

13
docs/implplan/SPRINT_315_docs_modules_ci.md
View File

@@ -1,12 +1,3 @@
# Sprint 315 - Documentation & Process · 200.E) Docs Modules Ci
# Moved
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
[Documentation & Process] 200.E) Docs Modules Ci
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Ci).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CI RECIPES-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/ci)
CI RECIPES-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/ci)
CI RECIPES-OPS-0001 | TODO | Sync outcomes back to ../.. | Ops Guild (docs/modules/ci)
This sprint was renamed for template compliance. Please use `docs/implplan/SPRINT_0315_0001_0001_docs_modules_ci.md`.

17
docs/implplan/SPRINT_317_docs_modules_concelier.md
View File

@@ -1,17 +0,0 @@
# Sprint 317 - Documentation & Process · 200.G) Docs Modules Concelier
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
[Documentation & Process] 200.G) Docs Modules Concelier
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Concelier).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-DOCS-0001 | DONE (2025-11-05) | Validate that `docs/modules/concelier/README.md` reflects the latest release notes and aggregation toggles. | Docs Guild (docs/modules/concelier)
CONCELIER-OPS-0001 | DONE (2025-11-25) | Reviewed observability/runbook set after attestation demo; added 2025-11-25 notes to `operations/observation-events.md` and cache/authority audit readiness checklist. | Ops Guild (docs/modules/concelier)
CONCELIER-ENG-0001 | DONE (2025-11-25) | Cross-checked sprint milestones against current Delivery Tracker; added readiness checkpoints to `implementation_plan.md` and linked Sprint 110 attestation deliverables. | Module Team (docs/modules/concelier)
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-25 | Completed CONCELIER-OPS-0001 and CONCELIER-ENG-0001; observability runbooks refreshed and module readiness checkpoints aligned to latest sprints (110, 113116). | Module Team |

82
docs/implplan/tasks-all.md
View File

@@ -401,8 +401,8 @@
| CONCELIER-CONSOLE-23-002 | TODO | | SPRINT_112_concelier_i | Concelier WebService Guild | | Deterministic “new/modified/conflicting” sets referencing linkset IDs and field paths rather than computed verdicts; depends on 23-001. | — | ATLN0102 |
| CONCELIER-CONSOLE-23-003 | TODO | | SPRINT_112_concelier_i | Concelier WebService Guild | | CVE/GHSA/PURL lookups return observation excerpts, provenance anchors, and cache hints so tenants can preview evidence safely; reuse structured field taxonomy from Workstream A. | — | ATLN0102 |
| CONCELIER-CORE-AOC-19-013 | TODO | | SPRINT_112_concelier_i | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Expand smoke/e2e suites so Authority tokens + tenant headers are mandatory for ingest/read paths (including the new provenance endpoint). Must assert no merge-side effects and that provenance anchors always round-trip. | Must reference AOC guardrails from docs | AGCN0101 |
| CONCELIER-DOCS-0001 | DONE | 2025-11-05 | SPRINT_317_docs_modules_concelier | Docs Guild | docs/modules/concelier | Validate that `docs/modules/concelier/README.md` reflects the latest release notes and aggregation toggles. | Reference (baseline) | CCDO0101 |
| CONCELIER-ENG-0001 | DONE | 2025-11-25 | SPRINT_317_docs_modules_concelier | Module Team · Concelier Guild | docs/modules/concelier | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md` and update module readiness checkpoints. | Wait for CCPR0101 validation | CCDO0101 |
| CONCELIER-DOCS-0001 | DONE | 2025-11-05 | SPRINT_0317_0001_0001_docs_modules_concelier | Docs Guild | docs/modules/concelier | Validate that `docs/modules/concelier/README.md` reflects the latest release notes and aggregation toggles. | Reference (baseline) | CCDO0101 |
| CONCELIER-ENG-0001 | DONE | 2025-11-25 | SPRINT_0317_0001_0001_docs_modules_concelier | Module Team · Concelier Guild | docs/modules/concelier | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md` and update module readiness checkpoints. | Wait for CCPR0101 validation | CCDO0101 |
| CONCELIER-GRAPH-21-001 | DONE | 2025-11-18 | SPRINT_113_concelier_ii | Concelier Core · Cartographer Guilds | src/Concelier/__Libraries/StellaOps.Concelier.Core | Extend SBOM normalization so every relationship (depends_on, contains, provides) and scope tag is captured as raw observation metadata with provenance pointers; Cartographer can then join SBOM + advisory facts without Concelier inferring impact. | Waiting on Cartographer schema (052_CAGR0101) | AGCN0101 |
| CONCELIER-GRAPH-21-002 | DONE | 2025-11-22 | SPRINT_113_concelier_ii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Publish `sbom.observation.updated` events whenever new SBOM versions arrive, including tenant/context metadata and advisory references—never send judgments, only facts. Depends on CONCELIER-GRAPH-21-001; blocked pending Platform Events/Scheduler contract + event publisher. | Depends on #5 outputs | AGCN0101 |
| CONCELIER-GRAPH-24-101 | TODO | | SPRINT_113_concelier_ii | Concelier WebService Guild | src/Concelier/StellaOps.Concelier.WebService | Provide `/advisories/summary` responses that bundle observation/linkset metadata (aliases, confidence, conflicts) for graph overlays while keeping upstream values intact. Depends on CONCELIER-GRAPH-21-002. | Wait for CAGR0101 + storage migrations | CCGH0101 |
@@ -426,7 +426,7 @@
| CONCELIER-OBS-53-001 | TODO | | SPRINT_114_concelier_iii | Concelier Core Guild · Evidence Locker Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Generate evidence locker bundles (raw doc, normalization diff, linkset) with Merkle manifests so audits can replay advisory history without touching live Mongo. Depends on CONCELIER-OBS-52-001. | Requires Evidence Locker contract from 002_ATEL0101 | CNOB0101 |
| CONCELIER-OBS-54-001 | TODO | | SPRINT_114_concelier_iii | Concelier Core Guild · Provenance Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Attach DSSE attestations to advisory batches, expose verification APIs, and link attestation IDs into timeline + ledger for transparency. Depends on CONCELIER-OBS-53-001. | Blocked by Link-Not-Merge schema finalization (005_ATLN0101) | CNOB0101 |
| CONCELIER-OBS-55-001 | TODO | | SPRINT_114_concelier_iii | Concelier Core Guild · DevOps Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Implement incident-mode levers (extra sampling, retention overrides, redaction guards) that collect more raw evidence without mutating advisory content. Depends on CONCELIER-OBS-54-001. | Depends on #4 for consistent dimensions | CNOB0101 |
| CONCELIER-OPS-0001 | DONE | 2025-11-25 | SPRINT_317_docs_modules_concelier | Ops Guild | docs/modules/concelier | Review runbooks/observability assets after the next sprint demo and capture findings inline with sprint notes. | Depends on #2 | CCDO0101 |
| CONCELIER-OPS-0001 | DONE | 2025-11-25 | SPRINT_0317_0001_0001_docs_modules_concelier | Ops Guild | docs/modules/concelier | Review runbooks/observability assets after the next sprint demo and capture findings inline with sprint notes. | Depends on #2 | CCDO0101 |
| CONCELIER-ORCH-32-001 | TODO | | SPRINT_114_concelier_iii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Register every advisory connector with the orchestrator (metadata, auth scopes, rate policies) so ingest scheduling is transparent and reproducible. | Wait for CCAN0101 outputs | CCCO0101 |
| CONCELIER-ORCH-32-002 | TODO | | SPRINT_114_concelier_iii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Adopt the orchestrator worker SDK in ingestion loops, emitting heartbeats/progress/artifact hashes to guarantee deterministic replays. Depends on CONCELIER-ORCH-32-001. | Depends on #1 | CCCO0101 |
| CONCELIER-ORCH-33-001 | TODO | | SPRINT_114_concelier_iii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Honor orchestrator pause/throttle/retry controls with structured error outputs and persisted checkpoints so operators can intervene without losing evidence. Depends on CONCELIER-ORCH-32-002. | Needs ORTR0102 cues | CCCO0101 |
@@ -1086,17 +1086,17 @@
| GRAPH-24-101 | TODO | | SPRINT_113_concelier_ii | UI Guild | src/Concelier/StellaOps.Concelier.WebService | GRAPH-24-001 | GRAPH-24-001 | GRUI0101 |
| GRAPH-24-102 | TODO | | SPRINT_120_excititor_ii | UI Guild | src/Excititor/StellaOps.Excititor.WebService | GRAPH-24-101 | GRAPH-24-101 | GRUI0101 |
| GRAPH-28-102 | TODO | | SPRINT_113_concelier_ii | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService | | | GRAPI0101 |
| GRAPH-API-28-001 | DOING | | SPRINT_0207_0001_0001_graph | Graph API Guild (src/Graph/StellaOps.Graph.Api) | src/Graph/StellaOps.Graph.Api | Define OpenAPI + JSON schema for graph search/query/paths/diff/export endpoints, including cost metadata and streaming tile schema. | — | ORGR0101 |
| GRAPH-API-28-002 | TODO | | SPRINT_0207_0001_0001_graph | Graph API Guild (src/Graph/StellaOps.Graph.Api) | src/Graph/StellaOps.Graph.Api | Implement `/graph/search` with multi-type index lookup, prefix/exact match, RBAC enforcement, and result ranking + caching. Dependencies: GRAPH-API-28-001. | — | ORGR0101 |
| GRAPH-API-28-003 | TODO | | SPRINT_0207_0001_0001_graph | Graph API Guild (src/Graph/StellaOps.Graph.Api) | src/Graph/StellaOps.Graph.Api | Build query planner + cost estimator for `/graph/query`, stream tiles (nodes/edges/stats) progressively, enforce budgets, provide cursor tokens. Dependencies: GRAPH-API-28-002. | — | ORGR0101 |
| GRAPH-API-28-004 | TODO | | SPRINT_0207_0001_0001_graph | Graph API Guild (src/Graph/StellaOps.Graph.Api) | src/Graph/StellaOps.Graph.Api | Implement `/graph/paths` with depth ≤6, constraint filters, heuristic shortest path search, and optional policy overlay rendering. Dependencies: GRAPH-API-28-003. | — | ORGR0101 |
| GRAPH-API-28-005 | TODO | | SPRINT_0207_0001_0001_graph | Graph API Guild (src/Graph/StellaOps.Graph.Api) | src/Graph/StellaOps.Graph.Api | Implement `/graph/diff` streaming added/removed/changed nodes/edges between SBOM snapshots; include overlay deltas and policy/VEX/advisory metadata. Dependencies: GRAPH-API-28-004. | — | ORGR0101 |
| GRAPH-API-28-006 | TODO | | SPRINT_0207_0001_0001_graph | Graph API Guild (src/Graph/StellaOps.Graph.Api) | src/Graph/StellaOps.Graph.Api | Consume Policy Engine overlay contract (`POLICY-ENGINE-30-001..003`) and surface advisory/VEX/policy overlays with caching, partial materialization, and explain trace sampling for focused nodes. Dependencies: GRAPH-API-28-005. | — | ORGR0101 |
| GRAPH-API-28-007 | TODO | | SPRINT_0207_0001_0001_graph | Graph API Guild (`src/Graph/StellaOps.Graph.Api`) | src/Graph/StellaOps.Graph.Api | Implement exports (`graphml`, `csv`, `ndjson`, `png`, `svg`) with async job management, checksum manifests, and streaming downloads. Dependencies: GRAPH-API-28-006. | ORGR0101 outputs | GRAPI0101 |
| GRAPH-API-28-008 | TODO | | SPRINT_0207_0001_0001_graph | Graph API + Authority Guilds | src/Graph/StellaOps.Graph.Api | Integrate RBAC scopes (`graph:read`, `graph:query`, `graph:export`), tenant headers, audit logging, and rate limiting. Dependencies: GRAPH-API-28-007. | GRAPH-API-28-007 | GRAPI0101 |
| GRAPH-API-28-009 | TODO | | SPRINT_0207_0001_0001_graph | Graph API + Observability Guilds | src/Graph/StellaOps.Graph.Api | Instrument metrics (`graph_tile_latency_seconds`, `graph_query_budget_denied_total`, `graph_overlay_cache_hit_ratio`), structured logs, and traces per query stage; publish dashboards. Dependencies: GRAPH-API-28-008. | GRAPH-API-28-007 | GRAPI0101 |
| GRAPH-API-28-010 | TODO | | SPRINT_0207_0001_0001_graph | Graph API Guild | src/Graph/StellaOps.Graph.Api | Build unit/integration/load tests with synthetic datasets (500k nodes/2M edges), fuzz query validation, verify determinism across runs. Dependencies: GRAPH-API-28-009. | GRAPH-API-28-008 | GRAPI0101 |
| GRAPH-API-28-011 | TODO | | SPRINT_0207_0001_0001_graph | Graph API Guild | src/Graph/StellaOps.Graph.Api | Provide deployment manifests, offline kit support, API gateway integration docs, and smoke tests. Dependencies: GRAPH-API-28-010. | GRAPH-API-28-009 | GRAPI0101 |
| GRAPH-API-28-001 | DONE (2025-11-24) | 2025-11-24 | SPRINT_0207_0001_0001_graph | Graph API Guild (src/Graph/StellaOps.Graph.Api) | src/Graph/StellaOps.Graph.Api | Define OpenAPI + JSON schema for graph search/query/paths/diff/export endpoints, including cost metadata and streaming tile schema. | — | ORGR0101 |
| GRAPH-API-28-002 | DONE (2025-11-25) | 2025-11-25 | SPRINT_0207_0001_0001_graph | Graph API Guild (src/Graph/StellaOps.Graph.Api) | src/Graph/StellaOps.Graph.Api | Implement `/graph/search` with multi-type index lookup, prefix/exact match, RBAC enforcement, and result ranking + caching. Dependencies: GRAPH-API-28-001. | — | ORGR0101 |
| GRAPH-API-28-003 | DONE (2025-11-26) | 2025-11-26 | SPRINT_0207_0001_0001_graph | Graph API Guild (src/Graph/StellaOps.Graph.Api) | src/Graph/StellaOps.Graph.Api | Build query planner + cost estimator for `/graph/query`, stream tiles (nodes/edges/stats) progressively, enforce budgets, provide cursor tokens. Dependencies: GRAPH-API-28-002. | — | ORGR0101 |
| GRAPH-API-28-004 | DONE (2025-11-26) | 2025-11-26 | SPRINT_0207_0001_0001_graph | Graph API Guild (src/Graph/StellaOps.Graph.Api) | src/Graph/StellaOps.Graph.Api | Implement `/graph/paths` with depth ≤6, constraint filters, heuristic shortest path search, and optional policy overlay rendering. Dependencies: GRAPH-API-28-003. | — | ORGR0101 |
| GRAPH-API-28-005 | DONE (2025-11-26) | 2025-11-26 | SPRINT_0207_0001_0001_graph | Graph API Guild (src/Graph/StellaOps.Graph.Api) | src/Graph/StellaOps.Graph.Api | Implement `/graph/diff` streaming added/removed/changed nodes/edges between SBOM snapshots; include overlay deltas and policy/VEX/advisory metadata. Dependencies: GRAPH-API-28-004. | — | ORGR0101 |
| GRAPH-API-28-006 | DONE (2025-11-26) | 2025-11-26 | SPRINT_0207_0001_0001_graph | Graph API Guild (src/Graph/StellaOps.Graph.Api) | src/Graph/StellaOps.Graph.Api | Consume Policy Engine overlay contract (`POLICY-ENGINE-30-001..003`) and surface advisory/VEX/policy overlays with caching, partial materialization, and explain trace sampling for focused nodes. Dependencies: GRAPH-API-28-005. | — | ORGR0101 |
| GRAPH-API-28-007 | DONE (2025-11-26) | 2025-11-26 | SPRINT_0207_0001_0001_graph | Graph API Guild (`src/Graph/StellaOps.Graph.Api`) | src/Graph/StellaOps.Graph.Api | Implement exports (`graphml`, `csv`, `ndjson`, `png`, `svg`) with async job management, checksum manifests, and streaming downloads. Dependencies: GRAPH-API-28-006. | ORGR0101 outputs | GRAPI0101 |
| GRAPH-API-28-008 | DONE (2025-11-26) | 2025-11-26 | SPRINT_0207_0001_0001_graph | Graph API + Authority Guilds | src/Graph/StellaOps.Graph.Api | Integrate RBAC scopes (`graph:read`, `graph:query`, `graph:export`), tenant headers, audit logging, and rate limiting. Dependencies: GRAPH-API-28-007. | GRAPH-API-28-007 | GRAPI0101 |
| GRAPH-API-28-009 | DONE (2025-11-26) | 2025-11-26 | SPRINT_0207_0001_0001_graph | Graph API + Observability Guilds | src/Graph/StellaOps.Graph.Api | Instrument metrics (`graph_tile_latency_seconds`, `graph_query_budget_denied_total`, `graph_overlay_cache_hit_ratio`), structured logs, and traces per query stage; publish dashboards. Dependencies: GRAPH-API-28-008. | GRAPH-API-28-007 | GRAPI0101 |
| GRAPH-API-28-010 | DONE (2025-11-26) | 2025-11-26 | SPRINT_0207_0001_0001_graph | Graph API Guild | src/Graph/StellaOps.Graph.Api | Build unit/integration/load tests with synthetic datasets (500k nodes/2M edges), fuzz query validation, verify determinism across runs. Dependencies: GRAPH-API-28-009. | GRAPH-API-28-008 | GRAPI0101 |
| GRAPH-API-28-011 | DONE (2025-11-26) | 2025-11-26 | SPRINT_0207_0001_0001_graph | Graph API Guild | src/Graph/StellaOps.Graph.Api | Provide deployment manifests, offline kit support, API gateway integration docs, and smoke tests. Dependencies: GRAPH-API-28-010. | GRAPH-API-28-009 | GRAPI0101 |
| GRAPH-CAS-401-001 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Scanner Worker Guild | `src/Scanner/StellaOps.Scanner.Worker` | Finalize richgraph schema (`richgraph-v1`), emit canonical SymbolIDs, compute graph hash (BLAKE3), and store CAS manifests under `cas://reachability/graphs/{sha256}`. Update Scanner Worker adapters + fixtures. | Depends on #1 | CASC0101 |
| GRAPH-DOCS-0001 | DONE (2025-11-05) | 2025-11-05 | SPRINT_321_docs_modules_graph | Docs Guild | docs/modules/graph | Validate that graph module README/diagrams reflect the latest overlay + snapshot updates. | GRAPI0101 evidence | GRDG0101 |
| GRAPH-DOCS-0002 | TODO | 2025-11-05 | SPRINT_321_docs_modules_graph | Docs Guild | docs/modules/graph | Pending DOCS-GRAPH-24-003 to add API/query doc cross-links | GRAPI0101 outputs | GRDG0101 |
@@ -1444,8 +1444,8 @@
| POLICY-RISK-66-003 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Risk Profile Schema Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Integrate RiskProfile schema into Policy Engine configuration, ensuring validation and default profile deployment | POLICY-RISK-66-002 | |
| POLICY-RISK-66-004 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Risk Profile Schema Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Extend Policy libraries to load/save RiskProfile documents, compute content hashes, and surface validation diagnostics | POLICY-RISK-66-003 | |
| POLICY-RISK-67-001 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Risk Engine Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Trigger scoring jobs on new/updated findings via Policy Engine orchestration hooks | POLICY-RISK-66-004 | |
| POLICY-RISK-67-002 | TODO | | SPRINT_128_policy_reasoning | Policy Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Implement profile lifecycle APIs | POLICY-RISK-67-001 | |
| POLICY-RISK-67-003 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, Risk Engine Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Provide policy-layer APIs to trigger risk simulations and return distributions/contribution breakdowns | POLICY-RISK-67-002 | |
| POLICY-RISK-67-002 | BLOCKED (2025-11-26) | | SPRINT_0128_0001_0001_policy_reasoning | Policy Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Implement profile lifecycle APIs | POLICY-RISK-67-001 | Waiting on risk profile contract + schema draft. |
| POLICY-RISK-67-003 | BLOCKED (2025-11-26) | | SPRINT_0128_0001_0001_policy_reasoning | Policy Guild, Risk Engine Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Provide policy-layer APIs to trigger risk simulations and return distributions/contribution breakdowns | POLICY-RISK-67-002 | Blocked by missing risk profile schema + lifecycle API contract. |
| POLICY-RISK-68-001 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, Policy Studio Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Provide simulation API bridging Policy Studio with risk engine; returns distributions and top movers | POLICY-RISK-67-003 | |
| POLICY-RISK-68-002 | TODO | | SPRINT_128_policy_reasoning | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile | src/Policy/StellaOps.Policy.RiskProfile | Add override/adjustment support with audit metadata and validation for conflicting rules | POLICY-RISK-68-001 | |
| POLICY-RISK-69-001 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, Notifications Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Emit events/notifications on profile publish, deprecate, and severity threshold changes | POLICY-RISK-68-002 | |
@@ -1453,9 +1453,9 @@
| POLICY-RISK-90-001 | TODO | | SPRINT_126_policy_reasoning | Policy Guild, Scanner Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Ingest entropy penalty inputs from Scanner (`entropy.report.json`, `layer_summary.json`), extend trust algebra with configurable weights/caps, and expose explanations/metrics for opaque ratio penalties (`docs/modules/scanner/entropy.md`). | | |
| POLICY-SPL-23-001 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, Language Infrastructure Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Define SPL v1 YAML + JSON Schema, including advisory rules, VEX precedence, severity mapping, exceptions, and layering metadata. Publish schema resources and validation fixtures | | |
| POLICY-SPL-23-002 | TODO | | SPRINT_128_policy_reasoning | Policy Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Implement canonicalizer that normalizes policy packs | POLICY-SPL-23-001 | |
| POLICY-SPL-23-003 | TODO | | SPRINT_128_policy_reasoning | Policy Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Build policy layering/override engine | POLICY-SPL-23-002 | |
| POLICY-SPL-23-004 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, Audit Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Design explanation tree model | POLICY-SPL-23-003 | |
| POLICY-SPL-23-005 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, DevEx Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Create migration tool to snapshot existing behavior into baseline SPL packs | POLICY-SPL-23-004 | |
| POLICY-SPL-23-003 | DONE (2025-11-26) | | SPRINT_0128_0001_0001_policy_reasoning | Policy Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Build policy layering/override engine | POLICY-SPL-23-002 | `SplLayeringEngine` + tests landed. |
| POLICY-SPL-23-004 | DONE (2025-11-26) | | SPRINT_0128_0001_0001_policy_reasoning | Policy Guild, Audit Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Design explanation tree model | POLICY-SPL-23-003 | Explanation tree emitted from evaluation; persistence follow-up. |
| POLICY-SPL-23-005 | DONE (2025-11-26) | | SPRINT_0128_0001_0001_policy_reasoning | Policy Guild, DevEx Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Create migration tool to snapshot existing behavior into baseline SPL packs | POLICY-SPL-23-004 | `SplMigrationTool` emits canonical SPL JSON from PolicyDocument. |
| POLICY-SPL-24-001 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, Signals Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Extend SPL schema to expose reachability/exploitability predicates and weighting functions; update documentation and fixtures | POLICY-SPL-23-005 | |
| POLICY-TEN-48-001 | TODO | | SPRINT_0129_0001_0001_policy_reasoning | Policy Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Add `tenant_id`/`project_id` columns, enable RLS, update evaluators to require tenant context, and emit rationale IDs including tenant metadata | | |
| POLICY-VEX-401-006 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild (`src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy`) | `src/Policy/StellaOps.Policy.Engine`, `src/Policy/__Libraries/StellaOps.Policy` | Policy Engine consumes reachability facts, applies the deterministic score/label buckets (≥0.80 reachable, 0.300.79 conditional, <0.30 unreachable), emits OpenVEX with call-path proofs, and updates SPL schema with `reachability.state/confidence` predicates and suppression gates. | | |
@@ -1529,7 +1529,7 @@
| RISK-66-004 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Risk Profile Schema Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-RISK-66-003 | |
| RISK-67-001 | TODO | | SPRINT_115_concelier_iv | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) | src/Concelier/__Libraries/StellaOps.Concelier.Core | | | |
| RISK-67-002 | TODO | | SPRINT_128_policy_reasoning | Policy Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | | POLICY-RISK-67-001 | |
| RISK-67-003 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, Risk Engine Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-RISK-67-002 | |
| RISK-67-003 | BLOCKED (2025-11-26) | | SPRINT_0128_0001_0001_policy_reasoning | Policy Guild, Risk Engine Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-RISK-67-002 | Blocked by missing risk profile schema + lifecycle API contract. |
| RISK-67-004 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild, CLI Guild (docs) | | | | |
| RISK-68-001 | TODO | | SPRINT_115_concelier_iv | Concelier Core Guild, Policy Studio Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) | src/Concelier/__Libraries/StellaOps.Concelier.Core | | | |
| RISK-68-002 | TODO | | SPRINT_128_policy_reasoning | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile | src/Policy/StellaOps.Policy.RiskProfile | | POLICY-RISK-68-001 | |
@@ -1849,8 +1849,8 @@
| SPL-23-001 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, Language Infrastructure Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | | |
| SPL-23-002 | TODO | | SPRINT_128_policy_reasoning | Policy Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-SPL-23-001 | |
| SPL-23-003 | TODO | | SPRINT_128_policy_reasoning | Policy Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-SPL-23-002 | |
| SPL-23-004 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, Audit Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-SPL-23-003 | |
| SPL-23-005 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, DevEx Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-SPL-23-004 | |
| SPL-23-004 | DONE (2025-11-26) | | SPRINT_0128_0001_0001_policy_reasoning | Policy Guild, Audit Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-SPL-23-003 | Explanation tree emitted from evaluation; persistence follow-up. |
| SPL-23-005 | TODO | | SPRINT_0128_0001_0001_policy_reasoning | Policy Guild, DevEx Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-SPL-23-004 | |
| SPL-24-001 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, Signals Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-SPL-23-005 | |
| STORE-401-016 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Signals Guild · BE-Base Platform Guild (`src/Signals/StellaOps.Signals`, `src/__Libraries/StellaOps.Replay.Core`) | `src/Signals/StellaOps.Signals`, `src/__Libraries/StellaOps.Replay.Core` | | | |
| STORE-AOC-19-001 | DONE (2025-11-25) | | SPRINT_0119_0001_0005_excititor_v | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo) | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo | | | |
@@ -1937,14 +1937,15 @@
| TASKRUN-AIRGAP-56-002 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild · AirGap Importer Guild | src/TaskRunner/StellaOps.TaskRunner | Add helper steps for bundle ingestion (checksum verification, staging to object store) with deterministic outputs. Dependencies: TASKRUN-AIRGAP-56-001. | TASKRUN-AIRGAP-56-001 | ORTR0101 |
| TASKRUN-AIRGAP-57-001 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild · AirGap Controller Guild | src/TaskRunner/StellaOps.TaskRunner | Refuse to execute plans when environment sealed=false but declared sealed install; emit advisory timeline events. Dependencies: TASKRUN-AIRGAP-56-002. | TASKRUN-AIRGAP-56-002 | ORTR0101 |
| TASKRUN-AIRGAP-58-001 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild · Evidence Locker Guild | src/TaskRunner/StellaOps.TaskRunner | Capture bundle import job transcripts, hashed inputs, and outputs into portable evidence bundles. Dependencies: TASKRUN-AIRGAP-57-001. | TASKRUN-AIRGAP-57-001 | ORTR0101 |
| TASKRUN-42-001 | BLOCKED (2025-11-25) | 2025-11-25 | SPRINT_0157_0001_0001_taskrunner_i | Task Runner Guild (`src/TaskRunner/StellaOps.TaskRunner`) | src/TaskRunner/StellaOps.TaskRunner | Execution engine enhancements (loops/conditionals/maxParallel), simulation mode, policy gate integration, deterministic failure recovery. Blocked: loop/conditional semantics and policy-gate evaluation contract not published. | | ORTR0102 |
| TASKRUN-OAS-61-001 | TODO | | SPRINT_0157_0001_0001_taskrunner_i | Task Runner Guild · API Contracts Guild | src/TaskRunner/StellaOps.TaskRunner | Document Task Runner APIs (pack runs, logs, approvals) in service OAS, including streaming response schemas and examples. | TASKRUN-41-001 | ORTR0101 |
| TASKRUN-OAS-61-002 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild | src/TaskRunner/StellaOps.TaskRunner | Expose `GET /.well-known/openapi` returning signed spec metadata, build version, and ETag. Dependencies: TASKRUN-OAS-61-001. | TASKRUN-OAS-61-001 | ORTR0101 |
| TASKRUN-OAS-62-001 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild · SDK Generator Guild | src/TaskRunner/StellaOps.TaskRunner | Provide SDK examples for pack run lifecycle; ensure SDKs offer streaming log helpers and paginator wrappers. Dependencies: TASKRUN-OAS-61-002. | TASKRUN-OAS-61-002 | ORTR0102 |
| TASKRUN-OAS-63-001 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild · API Governance Guild | src/TaskRunner/StellaOps.TaskRunner | Implement deprecation header support and Sunset handling for legacy pack APIs; emit notifications metadata. Dependencies: TASKRUN-OAS-62-001. | TASKRUN-OAS-62-001 | ORTR0102 |
| TASKRUN-OBS-50-001 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild | src/TaskRunner/StellaOps.TaskRunner | Adopt telemetry core in Task Runner host + worker executors, ensuring step execution spans/logs include `trace_id`, `tenant_id`, `run_id`, and scrubbed command transcripts. | ORTR0101 telemetry hooks | ORTR0102 |
| TASKRUN-OBS-51-001 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild · DevOps Guild | src/TaskRunner/StellaOps.TaskRunner | Emit metrics for step latency, retries, queue depth, sandbox resource usage; define SLOs for pack run completion and failure rate; surface burn-rate alerts to collector/Notifier. Dependencies: TASKRUN-OBS-50-001. | TASKRUN-OBS-50-001 | ORTR0102 |
| TASKRUN-OBS-52-001 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild | src/TaskRunner/StellaOps.TaskRunner | Produce timeline events for pack runs (`pack.started`, `pack.step.completed`, `pack.failed`) containing evidence pointers and policy gate context. Provide dedupe + retry logic. Dependencies: TASKRUN-OBS-51-001. | TASKRUN-OBS-50-001 | ORTR0102 |
| TASKRUN-OBS-53-001 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild · Evidence Locker Guild | src/TaskRunner/StellaOps.TaskRunner | Capture step transcripts, artifact manifests, environment digests, and policy approvals into evidence locker snapshots; ensure redaction + hash chain coverage. Dependencies: TASKRUN-OBS-52-001. | TASKRUN-OBS-52-001 | ORTR0102 |
| TASKRUN-OBS-50-001 | DONE (2025-11-25) | 2025-11-25 | SPRINT_0157_0001_0001_taskrunner_i | Task Runner Guild | src/TaskRunner/StellaOps.TaskRunner | Adopt telemetry core in Task Runner host + worker executors, ensuring step execution spans/logs include `trace_id`, `tenant_id`, `run_id`, and scrubbed command transcripts. | ORTR0101 telemetry hooks | ORTR0102 |
| TASKRUN-OBS-51-001 | DONE (2025-11-25) | 2025-11-25 | SPRINT_0157_0001_0001_taskrunner_i | Task Runner Guild · DevOps Guild | src/TaskRunner/StellaOps.TaskRunner | Emit metrics for step latency, retries, queue depth, sandbox resource usage; define SLOs for pack run completion and failure rate; surface burn-rate alerts to collector/Notifier. Dependencies: TASKRUN-OBS-50-001. | TASKRUN-OBS-50-001 | ORTR0102 |
| TASKRUN-OBS-52-001 | BLOCKED (2025-11-25) | 2025-11-25 | SPRINT_0157_0001_0001_taskrunner_i | Task Runner Guild | src/TaskRunner/StellaOps.TaskRunner | Produce timeline events for pack runs (`pack.started`, `pack.step.completed`, `pack.failed`) containing evidence pointers and policy gate context. Provide dedupe + retry logic. Blocked: timeline event schema and evidence-pointer contract not published. Dependencies: TASKRUN-OBS-51-001. | TASKRUN-OBS-50-001 | ORTR0102 |
| TASKRUN-OBS-53-001 | BLOCKED (2025-11-25) | 2025-11-25 | SPRINT_0157_0001_0001_taskrunner_i | Task Runner Guild · Evidence Locker Guild | src/TaskRunner/StellaOps.TaskRunner | Capture step transcripts, artifact manifests, environment digests, and policy approvals into evidence locker snapshots; ensure redaction + hash chain coverage. Blocked: waiting on timeline schema/evidence-pointer contract (OBS-52-001). Dependencies: TASKRUN-OBS-52-001. | TASKRUN-OBS-52-001 | ORTR0102 |
| TASKRUN-OBS-54-001 | TODO | | SPRINT_158_taskrunner_ii | Task Runner Guild · Provenance Guild | src/TaskRunner/StellaOps.TaskRunner | Generate DSSE attestations for pack runs (subjects = produced artifacts) and expose verification API/CLI integration. Store references in timeline events. Dependencies: TASKRUN-OBS-53-001. | TASKRUN-OBS-53-001 | ORTR0102 |
| TASKRUN-OBS-55-001 | TODO | | SPRINT_158_taskrunner_ii | Task Runner Guild · DevOps Guild | src/TaskRunner/StellaOps.TaskRunner | Implement incident mode escalations (extra telemetry, debug artifact capture, retention bump) and align on automatic activation via SLO breach webhooks. Dependencies: TASKRUN-OBS-54-001. | TASKRUN-OBS-54-001 | ORTR0102 |
| TASKRUN-TEN-48-001 | TODO | | SPRINT_158_taskrunner_ii | Task Runner Guild | src/TaskRunner/StellaOps.TaskRunner | Require tenant/project context for every pack run, set DB/object-store prefixes, block egress when tenant restricted, and propagate context to steps/logs. | TASKRUN-AIRGAP-58-001 | ORTR0101 |
@@ -2610,8 +2611,8 @@
| CONCELIER-CONSOLE-23-002 | TODO | | SPRINT_112_concelier_i | Concelier WebService Guild | | Deterministic “new/modified/conflicting” sets referencing linkset IDs and field paths rather than computed verdicts; depends on 23-001. | — | ATLN0102 |
| CONCELIER-CONSOLE-23-003 | TODO | | SPRINT_112_concelier_i | Concelier WebService Guild | | CVE/GHSA/PURL lookups return observation excerpts, provenance anchors, and cache hints so tenants can preview evidence safely; reuse structured field taxonomy from Workstream A. | — | ATLN0102 |
| CONCELIER-CORE-AOC-19-013 | TODO | | SPRINT_112_concelier_i | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Expand smoke/e2e suites so Authority tokens + tenant headers are mandatory for ingest/read paths (including the new provenance endpoint). Must assert no merge-side effects and that provenance anchors always round-trip. | Must reference AOC guardrails from docs | AGCN0101 |
| CONCELIER-DOCS-0001 | DONE | 2025-11-05 | SPRINT_317_docs_modules_concelier | Docs Guild | docs/modules/concelier | Validate that `docs/modules/concelier/README.md` reflects the latest release notes and aggregation toggles. | Reference (baseline) | CCDO0101 |
| CONCELIER-ENG-0001 | DONE | 2025-11-25 | SPRINT_317_docs_modules_concelier | Module Team · Concelier Guild | docs/modules/concelier | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md` and update module readiness checkpoints. | Wait for CCPR0101 validation | CCDO0101 |
| CONCELIER-DOCS-0001 | DONE | 2025-11-05 | SPRINT_0317_0001_0001_docs_modules_concelier | Docs Guild | docs/modules/concelier | Validate that `docs/modules/concelier/README.md` reflects the latest release notes and aggregation toggles. | Reference (baseline) | CCDO0101 |
| CONCELIER-ENG-0001 | DONE | 2025-11-25 | SPRINT_0317_0001_0001_docs_modules_concelier | Module Team · Concelier Guild | docs/modules/concelier | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md` and update module readiness checkpoints. | Wait for CCPR0101 validation | CCDO0101 |
| CONCELIER-GRAPH-21-001 | DONE | 2025-11-18 | SPRINT_113_concelier_ii | Concelier Core · Cartographer Guilds | src/Concelier/__Libraries/StellaOps.Concelier.Core | Extend SBOM normalization so every relationship (depends_on, contains, provides) and scope tag is captured as raw observation metadata with provenance pointers; Cartographer can then join SBOM + advisory facts without Concelier inferring impact. | Waiting on Cartographer schema (052_CAGR0101) | AGCN0101 |
| CONCELIER-GRAPH-21-002 | DONE | 2025-11-22 | SPRINT_113_concelier_ii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Publish `sbom.observation.updated` events whenever new SBOM versions arrive, including tenant/context metadata and advisory references—never send judgments, only facts. Depends on CONCELIER-GRAPH-21-001. | Depends on #5 outputs | AGCN0101 |
| CONCELIER-GRAPH-24-101 | TODO | | SPRINT_113_concelier_ii | Concelier WebService Guild | src/Concelier/StellaOps.Concelier.WebService | Provide `/advisories/summary` responses that bundle observation/linkset metadata (aliases, confidence, conflicts) for graph overlays while keeping upstream values intact. Depends on CONCELIER-GRAPH-21-002. | Wait for CAGR0101 + storage migrations | CCGH0101 |
@@ -2635,7 +2636,7 @@
| CONCELIER-OBS-53-001 | TODO | | SPRINT_114_concelier_iii | Concelier Core Guild · Evidence Locker Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Generate evidence locker bundles (raw doc, normalization diff, linkset) with Merkle manifests so audits can replay advisory history without touching live Mongo. Depends on CONCELIER-OBS-52-001. | Requires Evidence Locker contract from 002_ATEL0101 | CNOB0101 |
| CONCELIER-OBS-54-001 | TODO | | SPRINT_114_concelier_iii | Concelier Core Guild · Provenance Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Attach DSSE attestations to advisory batches, expose verification APIs, and link attestation IDs into timeline + ledger for transparency. Depends on CONCELIER-OBS-53-001. | Blocked by Link-Not-Merge schema finalization (005_ATLN0101) | CNOB0101 |
| CONCELIER-OBS-55-001 | TODO | | SPRINT_114_concelier_iii | Concelier Core Guild · DevOps Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Implement incident-mode levers (extra sampling, retention overrides, redaction guards) that collect more raw evidence without mutating advisory content. Depends on CONCELIER-OBS-54-001. | Depends on #4 for consistent dimensions | CNOB0101 |
| CONCELIER-OPS-0001 | DONE | 2025-11-25 | SPRINT_317_docs_modules_concelier | Ops Guild | docs/modules/concelier | Review runbooks/observability assets after the next sprint demo and capture findings inline with sprint notes. | Depends on #2 | CCDO0101 |
| CONCELIER-OPS-0001 | DONE | 2025-11-25 | SPRINT_0317_0001_0001_docs_modules_concelier | Ops Guild | docs/modules/concelier | Review runbooks/observability assets after the next sprint demo and capture findings inline with sprint notes. | Depends on #2 | CCDO0101 |
| CONCELIER-ORCH-32-001 | TODO | | SPRINT_114_concelier_iii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Register every advisory connector with the orchestrator (metadata, auth scopes, rate policies) so ingest scheduling is transparent and reproducible. | Wait for CCAN0101 outputs | CCCO0101 |
| CONCELIER-ORCH-32-002 | TODO | | SPRINT_114_concelier_iii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Adopt the orchestrator worker SDK in ingestion loops, emitting heartbeats/progress/artifact hashes to guarantee deterministic replays. Depends on CONCELIER-ORCH-32-001. | Depends on #1 | CCCO0101 |
| CONCELIER-ORCH-33-001 | TODO | | SPRINT_114_concelier_iii | Concelier Core Guild | src/Concelier/__Libraries/StellaOps.Concelier.Core | Honor orchestrator pause/throttle/retry controls with structured error outputs and persisted checkpoints so operators can intervene without losing evidence. Depends on CONCELIER-ORCH-32-002. | Needs ORTR0102 cues | CCCO0101 |
@@ -3298,12 +3299,12 @@
| GRAPH-24-101 | TODO | | SPRINT_113_concelier_ii | UI Guild | src/Concelier/StellaOps.Concelier.WebService | GRAPH-24-001 | GRAPH-24-001 | GRUI0101 |
| GRAPH-24-102 | TODO | | SPRINT_120_excititor_ii | UI Guild | src/Excititor/StellaOps.Excititor.WebService | GRAPH-24-101 | GRAPH-24-101 | GRUI0101 |
| GRAPH-28-102 | TODO | | SPRINT_113_concelier_ii | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService | | | GRAPI0101 |
| GRAPH-API-28-001 | DOING | | SPRINT_0207_0001_0001_graph | Graph API Guild (src/Graph/StellaOps.Graph.Api) | src/Graph/StellaOps.Graph.Api | Define OpenAPI + JSON schema for graph search/query/paths/diff/export endpoints, including cost metadata and streaming tile schema. | — | ORGR0101 |
| GRAPH-API-28-002 | TODO | | SPRINT_0207_0001_0001_graph | Graph API Guild (src/Graph/StellaOps.Graph.Api) | src/Graph/StellaOps.Graph.Api | Implement `/graph/search` with multi-type index lookup, prefix/exact match, RBAC enforcement, and result ranking + caching. Dependencies: GRAPH-API-28-001. | — | ORGR0101 |
| GRAPH-API-28-003 | TODO | | SPRINT_0207_0001_0001_graph | Graph API Guild (src/Graph/StellaOps.Graph.Api) | src/Graph/StellaOps.Graph.Api | Build query planner + cost estimator for `/graph/query`, stream tiles (nodes/edges/stats) progressively, enforce budgets, provide cursor tokens. Dependencies: GRAPH-API-28-002. | — | ORGR0101 |
| GRAPH-API-28-001 | DONE (2025-11-24) | 2025-11-24 | SPRINT_0207_0001_0001_graph | Graph API Guild (src/Graph/StellaOps.Graph.Api) | src/Graph/StellaOps.Graph.Api | Define OpenAPI + JSON schema for graph search/query/paths/diff/export endpoints, including cost metadata and streaming tile schema. | — | ORGR0101 |
| GRAPH-API-28-002 | DONE (2025-11-25) | 2025-11-25 | SPRINT_0207_0001_0001_graph | Graph API Guild (src/Graph/StellaOps.Graph.Api) | src/Graph/StellaOps.Graph.Api | Implement `/graph/search` with multi-type index lookup, prefix/exact match, RBAC enforcement, and result ranking + caching. Dependencies: GRAPH-API-28-001. | — | ORGR0101 |
| GRAPH-API-28-003 | DONE (2025-11-26) | 2025-11-26 | SPRINT_0207_0001_0001_graph | Graph API Guild (src/Graph/StellaOps.Graph.Api) | src/Graph/StellaOps.Graph.Api | Build query planner + cost estimator for `/graph/query`, stream tiles (nodes/edges/stats) progressively, enforce budgets, provide cursor tokens. Dependencies: GRAPH-API-28-002. | — | ORGR0101 |
| GRAPH-API-28-004 | TODO | | SPRINT_0207_0001_0001_graph | Graph API Guild (src/Graph/StellaOps.Graph.Api) | src/Graph/StellaOps.Graph.Api | Implement `/graph/paths` with depth ≤6, constraint filters, heuristic shortest path search, and optional policy overlay rendering. Dependencies: GRAPH-API-28-003. | — | ORGR0101 |
| GRAPH-API-28-005 | TODO | | SPRINT_0207_0001_0001_graph | Graph API Guild (src/Graph/StellaOps.Graph.Api) | src/Graph/StellaOps.Graph.Api | Implement `/graph/diff` streaming added/removed/changed nodes/edges between SBOM snapshots; include overlay deltas and policy/VEX/advisory metadata. Dependencies: GRAPH-API-28-004. | — | ORGR0101 |
| GRAPH-API-28-006 | TODO | | SPRINT_0207_0001_0001_graph | Graph API Guild (src/Graph/StellaOps.Graph.Api) | src/Graph/StellaOps.Graph.Api | Consume Policy Engine overlay contract (`POLICY-ENGINE-30-001..003`) and surface advisory/VEX/policy overlays with caching, partial materialization, and explain trace sampling for focused nodes. Dependencies: GRAPH-API-28-005. | — | ORGR0101 |
| GRAPH-API-28-006 | DONE (2025-11-26) | 2025-11-26 | SPRINT_0207_0001_0001_graph | Graph API Guild (src/Graph/StellaOps.Graph.Api) | src/Graph/StellaOps.Graph.Api | Consume Policy Engine overlay contract (`POLICY-ENGINE-30-001..003`) and surface advisory/VEX/policy overlays with caching, partial materialization, and explain trace sampling for focused nodes. Dependencies: GRAPH-API-28-005. | — | ORGR0101 |
| GRAPH-API-28-007 | TODO | | SPRINT_0207_0001_0001_graph | Graph API Guild (`src/Graph/StellaOps.Graph.Api`) | src/Graph/StellaOps.Graph.Api | Implement exports (`graphml`, `csv`, `ndjson`, `png`, `svg`) with async job management, checksum manifests, and streaming downloads. Dependencies: GRAPH-API-28-006. | ORGR0101 outputs | GRAPI0101 |
| GRAPH-API-28-008 | TODO | | SPRINT_0207_0001_0001_graph | Graph API + Authority Guilds | src/Graph/StellaOps.Graph.Api | Integrate RBAC scopes (`graph:read`, `graph:query`, `graph:export`), tenant headers, audit logging, and rate limiting. Dependencies: GRAPH-API-28-007. | GRAPH-API-28-007 | GRAPI0101 |
| GRAPH-API-28-009 | TODO | | SPRINT_0207_0001_0001_graph | Graph API + Observability Guilds | src/Graph/StellaOps.Graph.Api | Instrument metrics (`graph_tile_latency_seconds`, `graph_query_budget_denied_total`, `graph_overlay_cache_hit_ratio`), structured logs, and traces per query stage; publish dashboards. Dependencies: GRAPH-API-28-008. | GRAPH-API-28-007 | GRAPI0101 |
@@ -3655,8 +3656,8 @@
| POLICY-RISK-66-003 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Risk Profile Schema Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Integrate RiskProfile schema into Policy Engine configuration, ensuring validation and default profile deployment | POLICY-RISK-66-002 | |
| POLICY-RISK-66-004 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Risk Profile Schema Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Extend Policy libraries to load/save RiskProfile documents, compute content hashes, and surface validation diagnostics | POLICY-RISK-66-003 | |
| POLICY-RISK-67-001 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Risk Engine Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Trigger scoring jobs on new/updated findings via Policy Engine orchestration hooks | POLICY-RISK-66-004 | |
| POLICY-RISK-67-002 | TODO | | SPRINT_128_policy_reasoning | Policy Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Implement profile lifecycle APIs | POLICY-RISK-67-001 | |
| POLICY-RISK-67-003 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, Risk Engine Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Provide policy-layer APIs to trigger risk simulations and return distributions/contribution breakdowns | POLICY-RISK-67-002 | |
| POLICY-RISK-67-002 | BLOCKED (2025-11-26) | | SPRINT_0128_0001_0001_policy_reasoning | Policy Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Implement profile lifecycle APIs | POLICY-RISK-67-001 | Waiting on risk profile contract + schema draft. |
| POLICY-RISK-67-003 | BLOCKED (2025-11-26) | | SPRINT_0128_0001_0001_policy_reasoning | Policy Guild, Risk Engine Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Provide policy-layer APIs to trigger risk simulations and return distributions/contribution breakdowns | POLICY-RISK-67-002 | Blocked by missing risk profile schema + lifecycle API contract. |
| POLICY-RISK-68-001 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, Policy Studio Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Provide simulation API bridging Policy Studio with risk engine; returns distributions and top movers | POLICY-RISK-67-003 | |
| POLICY-RISK-68-002 | TODO | | SPRINT_128_policy_reasoning | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile | src/Policy/StellaOps.Policy.RiskProfile | Add override/adjustment support with audit metadata and validation for conflicting rules | POLICY-RISK-68-001 | |
| POLICY-RISK-69-001 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, Notifications Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Emit events/notifications on profile publish, deprecate, and severity threshold changes | POLICY-RISK-68-002 | |
@@ -3664,7 +3665,7 @@
| POLICY-RISK-90-001 | TODO | | SPRINT_126_policy_reasoning | Policy Guild, Scanner Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | Ingest entropy penalty inputs from Scanner (`entropy.report.json`, `layer_summary.json`), extend trust algebra with configurable weights/caps, and expose explanations/metrics for opaque ratio penalties (`docs/modules/scanner/entropy.md`). | | |
| POLICY-SPL-23-001 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, Language Infrastructure Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Define SPL v1 YAML + JSON Schema, including advisory rules, VEX precedence, severity mapping, exceptions, and layering metadata. Publish schema resources and validation fixtures | | |
| POLICY-SPL-23-002 | TODO | | SPRINT_128_policy_reasoning | Policy Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Implement canonicalizer that normalizes policy packs | POLICY-SPL-23-001 | |
| POLICY-SPL-23-003 | TODO | | SPRINT_128_policy_reasoning | Policy Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Build policy layering/override engine | POLICY-SPL-23-002 | |
| POLICY-SPL-23-003 | DONE (2025-11-26) | | SPRINT_0128_0001_0001_policy_reasoning | Policy Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Build policy layering/override engine | POLICY-SPL-23-002 | `SplLayeringEngine` + tests landed. |
| POLICY-SPL-23-004 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, Audit Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Design explanation tree model | POLICY-SPL-23-003 | |
| POLICY-SPL-23-005 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, DevEx Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Create migration tool to snapshot existing behavior into baseline SPL packs | POLICY-SPL-23-004 | |
| POLICY-SPL-24-001 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, Signals Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | Extend SPL schema to expose reachability/exploitability predicates and weighting functions; update documentation and fixtures | POLICY-SPL-23-005 | |
@@ -3740,7 +3741,7 @@
| RISK-66-004 | TODO | | SPRINT_127_policy_reasoning | Policy Guild, Risk Profile Schema Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-RISK-66-003 | |
| RISK-67-001 | TODO | | SPRINT_115_concelier_iv | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) | src/Concelier/__Libraries/StellaOps.Concelier.Core | | | |
| RISK-67-002 | TODO | | SPRINT_128_policy_reasoning | Policy Guild / src/Policy/StellaOps.Policy.Engine | src/Policy/StellaOps.Policy.Engine | | POLICY-RISK-67-001 | |
| RISK-67-003 | TODO | | SPRINT_128_policy_reasoning | Policy Guild, Risk Engine Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-RISK-67-002 | |
| RISK-67-003 | BLOCKED (2025-11-26) | | SPRINT_0128_0001_0001_policy_reasoning | Policy Guild, Risk Engine Guild / src/Policy/__Libraries/StellaOps.Policy | src/Policy/__Libraries/StellaOps.Policy | | POLICY-RISK-67-002 | Blocked by missing risk profile schema + lifecycle API contract. |
| RISK-67-004 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild, CLI Guild (docs) | | | | |
| RISK-68-001 | TODO | | SPRINT_115_concelier_iv | Concelier Core Guild, Policy Studio Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core) | src/Concelier/__Libraries/StellaOps.Concelier.Core | | | |
| RISK-68-002 | TODO | | SPRINT_128_policy_reasoning | Risk Profile Schema Guild / src/Policy/StellaOps.Policy.RiskProfile | src/Policy/StellaOps.Policy.RiskProfile | | POLICY-RISK-68-001 | |
@@ -4151,8 +4152,8 @@
| TASKRUN-OAS-61-002 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild | src/TaskRunner/StellaOps.TaskRunner | Expose `GET /.well-known/openapi` returning signed spec metadata, build version, and ETag. Dependencies: TASKRUN-OAS-61-001. | TASKRUN-OAS-61-001 | ORTR0101 |
| TASKRUN-OAS-62-001 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild · SDK Generator Guild | src/TaskRunner/StellaOps.TaskRunner | Provide SDK examples for pack run lifecycle; ensure SDKs offer streaming log helpers and paginator wrappers. Dependencies: TASKRUN-OAS-61-002. | TASKRUN-OAS-61-002 | ORTR0102 |
| TASKRUN-OAS-63-001 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild · API Governance Guild | src/TaskRunner/StellaOps.TaskRunner | Implement deprecation header support and Sunset handling for legacy pack APIs; emit notifications metadata. Dependencies: TASKRUN-OAS-62-001. | TASKRUN-OAS-62-001 | ORTR0102 |
| TASKRUN-OBS-50-001 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild | src/TaskRunner/StellaOps.TaskRunner | Adopt telemetry core in Task Runner host + worker executors, ensuring step execution spans/logs include `trace_id`, `tenant_id`, `run_id`, and scrubbed command transcripts. | ORTR0101 telemetry hooks | ORTR0102 |
| TASKRUN-OBS-51-001 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild · DevOps Guild | src/TaskRunner/StellaOps.TaskRunner | Emit metrics for step latency, retries, queue depth, sandbox resource usage; define SLOs for pack run completion and failure rate; surface burn-rate alerts to collector/Notifier. Dependencies: TASKRUN-OBS-50-001. | TASKRUN-OBS-50-001 | ORTR0102 |
| TASKRUN-OBS-50-001 | DONE (2025-11-25) | 2025-11-25 | SPRINT_0157_0001_0001_taskrunner_i | Task Runner Guild | src/TaskRunner/StellaOps.TaskRunner | Adopt telemetry core in Task Runner host + worker executors, ensuring step execution spans/logs include `trace_id`, `tenant_id`, `run_id`, and scrubbed command transcripts. | ORTR0101 telemetry hooks | ORTR0102 |
| TASKRUN-OBS-51-001 | DONE (2025-11-25) | 2025-11-25 | SPRINT_0157_0001_0001_taskrunner_i | Task Runner Guild · DevOps Guild | src/TaskRunner/StellaOps.TaskRunner | Emit metrics for step latency, retries, queue depth, sandbox resource usage; define SLOs for pack run completion and failure rate; surface burn-rate alerts to collector/Notifier. Dependencies: TASKRUN-OBS-50-001. | TASKRUN-OBS-50-001 | ORTR0102 |
| TASKRUN-OBS-52-001 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild | src/TaskRunner/StellaOps.TaskRunner | Produce timeline events for pack runs (`pack.started`, `pack.step.completed`, `pack.failed`) containing evidence pointers and policy gate context. Provide dedupe + retry logic. Dependencies: TASKRUN-OBS-51-001. | TASKRUN-OBS-50-001 | ORTR0102 |
| TASKRUN-OBS-53-001 | TODO | | SPRINT_157_taskrunner_i | Task Runner Guild · Evidence Locker Guild | src/TaskRunner/StellaOps.TaskRunner | Capture step transcripts, artifact manifests, environment digests, and policy approvals into evidence locker snapshots; ensure redaction + hash chain coverage. Dependencies: TASKRUN-OBS-52-001. | TASKRUN-OBS-52-001 | ORTR0102 |
| TASKRUN-OBS-54-001 | TODO | | SPRINT_158_taskrunner_ii | Task Runner Guild · Provenance Guild | src/TaskRunner/StellaOps.TaskRunner | Generate DSSE attestations for pack runs (subjects = produced artifacts) and expose verification API/CLI integration. Store references in timeline events. Dependencies: TASKRUN-OBS-53-001. | TASKRUN-OBS-53-001 | ORTR0102 |
@@ -4416,3 +4417,6 @@
| DOCS-ORCH-34-004 | DONE (2025-11-25) | | SPRINT_306_docs_tasks_md_vi | Docs Guild (docs) | docs/schemas/artifacts.md | Document `/docs/schemas/artifacts.md` describing artifact kinds, schema versions, hashing, storage layout, restating imposed rule. Dependencies: DOCS-ORCH-34-003. | — | DOOR0102 |
| DOCS-ORCH-34-005 | DONE (2025-11-25) | | SPRINT_306_docs_tasks_md_vi | Docs Guild (docs) | docs/slo/orchestrator-slo.md | Author `/docs/slo/orchestrator-slo.md` defining SLOs, burn alerts, measurement, and reiterating imposed rule. Dependencies: DOCS-ORCH-34-004. | — | DOOR0102 |
| DOCS-OAS-62-001 | DONE (2025-11-25) | | SPRINT_306_docs_tasks_md_vi | Docs Guild, Developer Portal Guild (docs) | docs/api/reference/README.md | Stand up `/docs/api/reference/` auto-generated site; integrate with portal nav. Dependencies: DOCS-OAS-61-003. | — | DOOA0101 |
| CI RECIPES-DOCS-0001 | DONE (2025-11-25) | 2025-11-25 | SPRINT_0315_0001_0001_docs_modules_ci | Docs Guild (docs/modules/ci) | docs/modules/ci | Update module charter docs (AGENTS/README/architecture/implementation_plan) with determinism + offline posture; sprint normalized. | — | |
| CI RECIPES-ENG-0001 | DONE (2025-11-25) | 2025-11-25 | SPRINT_0315_0001_0001_docs_modules_ci | Module Team (docs/modules/ci) | docs/modules/ci | Establish TASKS board and status mirroring rules for CI Recipes contributors. | CI RECIPES-DOCS-0001 | |
| CI RECIPES-OPS-0001 | DONE (2025-11-25) | 2025-11-25 | SPRINT_0315_0001_0001_docs_modules_ci | Ops Guild (docs/modules/ci) | docs/modules/ci | Sync outcomes back to sprint + legacy filename stub; ensure references resolve to normalized sprint path. | CI RECIPES-DOCS-0001; CI RECIPES-ENG-0001 | |

6
docs/modules/ci/README.md
View File

@@ -17,8 +17,10 @@ CI module collects reproducible pipeline recipes for builds, tests, and release
## Operational notes
- Encourage reuse through templated YAML/JSON fragments.
## Related resources
- ./recipes.md
## Related resources
- ./recipes.md
- ./TASKS.md (status mirror)
- ../../implplan/SPRINT_0315_0001_0001_docs_modules_ci.md (sprint tracker)
## Backlog references
- CI recipes refresh tracked in ../../TASKS.md under DOCS-CI stories.

14
docs/modules/ci/TASKS.md Normal file
View File

@@ -0,0 +1,14 @@
# CI Recipes task board
Keep this table in sync with `docs/implplan/SPRINT_0315_0001_0001_docs_modules_ci.md`. Use TODO → DOING → DONE/BLOCKED.
| Task ID | Status | Owner(s) | Notes |
| --- | --- | --- | --- |
| CI RECIPES-DOCS-0001 | DONE | Docs Guild | Module charter docs (AGENTS/README/architecture/implementation_plan) refreshed with determinism + offline posture. |
| CI RECIPES-ENG-0001 | DONE | Module Team | TASKS board established; status mirroring rules documented. |
| CI RECIPES-OPS-0001 | DONE | Ops Guild | Sprint normalized/renamed; legacy stub retained; statuses mirrored. |
## Status rules
- Update both this file and the relevant sprint entry whenever task status changes.
- Keep timestamps in UTC ISO-8601; sort new rows deterministically by Task ID.
- Document any contract/runbook changes in the module docs under this directory and link them from the sprint Decisions & Risks section.

32
docs/modules/ci/architecture.md
View File

@@ -1,7 +1,25 @@
# CI Recipes architecture
> Reference the AOC guardrails, export workflows, and notification patterns documented in the Authority, Export Center, and Notify module guides when designing CI templates.
This placeholder summarises the planned architecture for CI Recipes. Consolidate design details from implementation plans and upcoming epics before coding.
Refer to the module README and implementation plan for immediate context, and update this document once component boundaries and data flows are finalised.
# CI Recipes architecture
## Scope & responsibilities
- Curate deterministic CI pipeline templates for ingestion, scanning, policy evaluation, export, and notifications.
- Capture provenance for each recipe (inputs, pinned tool versions, checksum manifests) and keep offline/air-gap parity.
- Provide reusable fragments (YAML/JSON) plus guardrails (AOC checks, DSSE attestation hooks, Rekor/Transparency toggles).
## Components
- **Recipe catalogue (`recipes.md`)** — Source of truth for pipeline snippets; sorted deterministically and annotated with required secrets/scopes.
- **Guardrail hooks** — Inline steps for schema validation, SBOM/VEX signing, and attestation verification; reuse Authority/Signer/Export Center helpers.
- **Observability shim** — Optional steps to emit structured logs/metrics to Telemetry Core when allowed; defaults to no-op in sealed/offline mode.
- **Offline bundle path** — Scripts/guides to package recipes and pinned tool archives for air-gapped runners; hashes recorded in release notes.
## Data & determinism
- All generated artifacts (templates, manifests, example outputs) must sort keys and lists, emit UTC ISO-8601 timestamps, and avoid host-specific paths.
- DSSE/attestation helpers should target the platform trust roots defined in Authority/Sigstore docs; prefer BLAKE3 hashing where compatible.
- Keep retry/backoff logic deterministic for reproducible CI runs; avoid time-based jitter unless explicitly documented.
## Integration points
- Authority/Signer for DSSE + Rekor publication; Export Center for bundle assembly; Notify for preview hooks; Telemetry Core for optional metrics.
- Recipes must remain compatible with CLI/SDK surface referenced in `docs/modules/cli/guides/` and devportal snippets.
## Change process
- Track active work in `docs/implplan/SPRINT_0315_0001_0001_docs_modules_ci.md` and mirror statuses in `./TASKS.md`.
- When adding new recipes, include offline notes, determinism checks, and minimal test harness references in `docs/benchmarks` or `tests/**` as applicable.

9
docs/modules/ci/implementation_plan.md
View File

@@ -15,7 +15,8 @@
- **Epic 11 Notifications Studio:** document CI hooks for notification previews/tests.
- Track DOCS-CI stories in ../../TASKS.md.
## Coordination
- Review ./AGENTS.md before picking up new work.
- Sync with cross-cutting teams noted in `/docs/implplan/SPRINT_*.md`.
- Update this plan whenever scope, dependencies, or guardrails change.
## Coordination
- Review ./AGENTS.md before picking up new work.
- Sync with cross-cutting teams noted in `/docs/implplan/SPRINT_*.md`.
- Mirror task status changes in `./TASKS.md` and the owning sprint file.
- Update this plan whenever scope, dependencies, or guardrails change; record deterministic/offline considerations with each recipe addition.

2
docs/modules/platform/architecture-overview.md
View File

@@ -145,7 +145,7 @@ sequenceDiagram
## 5·Replay CAS & deterministic bundles
- **Replay CAS:** Content-addressed storage lives under `cas://replay/<sha256-prefix>/<digest>.tar.zst`. Writers must use [StellaOps.Replay.Core](../../src/__Libraries/StellaOps.Replay.Core/AGENTS.md) helpers to ensure lexicographic file ordering, POSIX mode normalisation (0644/0755), LF newlines, and zstd level19 compression. Bundle metadata (size, hash, created) feeds the platform-wide `replay_bundles` collection defined in `docs/data/replay_schema.md`.
- **Replay CAS:** Content-addressed storage lives under `cas://replay/<sha256-prefix>/<digest>.tar.zst`. Writers must use [StellaOps.Replay.Core](../../src/__Libraries/StellaOps.Replay.Core/AGENTS.md) helpers to ensure lexicographic file ordering, POSIX mode normalisation (0644/0755), LF newlines, zstd level19 compression, and shard-by-prefix CAS URIs (`BuildCasUri`). Bundle metadata (size, hash, created) feeds the platform-wide `replay_bundles` collection defined in `docs/data/replay_schema.md`.
- **Artifacts:** Each recorded scan stores three bundles:
1. `manifest.json` (canonical JSON, hashed and signed via DSSE).
2. `inputbundle.tar.zst` (feeds, policies, tools, environment snapshot).

34
docs/reachability/callgraph-formats.md Normal file
View File

@@ -0,0 +1,34 @@
# Reachability Callgraph Formats (richgraph-v1)
## Purpose
Normalize static callgraphs across languages so Signals can merge them with runtime traces and replay bundles deterministically.
## Core fields (per node/edge)
- `nodes[].id` — canonical SymbolID (language-specific, stable, lowercase where applicable).
- `nodes[].kind` — e.g., method/function/class/file.
- `edges[].sourceId` / `edges[].targetId` — SymbolIDs; edge types include `call`, `import`, `inherit`, `reference`.
- `artifact` — CAS paths for source graph files; include `sha256`, `uri`, optional `generator` (analyzer name/version).
## Language-specific notes
- **JVM**: use JVM internal names; include signature for overloads.
- **.NET/Roslyn**: fully-qualified method token; include assembly and module for cross-assembly edges.
- **Go SSA**: package path + function; include receiver for methods.
- **Node/Deno TS**: module path + exported symbol; ES module graph only.
- **Rust MIR**: crate::module::symbol; monomorphized forms allowed if stable.
- **Swift SIL**: mangled name; demangled kept in metadata only.
- **Shell/binaries**: when present, use ELF/PE symbol+offset; mark `kind=binary`.
## CAS layout
- Store graph bundles under `reachability_graphs/<hh>/<sha>.tar.zst`.
- Bundle SHOULD contain `meta.json` with analyzer, version, language, component, and entry points (array).
- File order inside tar must be lexicographic to keep hashes stable.
## Validation rules
- No duplicate node IDs; edges must reference existing nodes.
- Entry points list must be present (even if empty) for Signals recompute.
- Graph SHA256 must match tar content; Signals rejects mismatched SHA.
- Only ASCII; UTF-8 paths are allowed but must be normalized (NFC).
## References
- Union schema: `docs/reachability/runtime-static-union-schema.md`
- Delivery guide: `docs/reachability/DELIVERY_GUIDE.md`

48
docs/reachability/reachability.md Normal file
View File

@@ -0,0 +1,48 @@
# Reachability · Runtime + Static Union (v0.1)
## What this covers
- End-to-end flow for combining static callgraphs (Scanner) and runtime traces (Zastava) into replayable reachability bundles.
- Storage layout (CAS namespaces), manifest fields, and Signals APIs that consume/emit reachability facts.
- How unknowns/pressure and scoring are derived so Policy/UI can explain outcomes.
## Pipeline (at a glance)
1. **Scanner** emits language-specific callgraphs as `richgraph-v1` and packs them into CAS under `reachability_graphs/<digest>.tar.zst` with manifest `meta.json`.
2. **Zastava Observer** streams NDJSON runtime facts (`symbol_id`, `code_id`, `hit_count`, `loader_base`, `cas_uri`) to Signals `POST /signals/runtime-facts` or `/runtime-facts/ndjson`.
3. **Union bundles** (runtime + static) are uploaded as ZIP to `POST /signals/reachability/union` with optional `X-Analysis-Id`; Signals stores under `reachability_graphs/{analysisId}/`.
4. **Signals scoring** consumes union data + runtime facts, computes per-target states (bucket, weight, confidence, score), fact-level score, unknowns pressure, and publishes `signals.fact.updated@v1` events.
5. **Replay** records provenance: reachability section in replay manifest lists CAS URIs (graphs + runtime traces), namespaces, analyzer/version, callgraphIds, and the shared `analysisId`.
## Storage & CAS namespaces
- Static graphs: `cas://reachability_graphs/<hh>/<sha>.tar.zst` (meta.json + graph files).
- Runtime traces: `cas://runtime_traces/<hh>/<sha>.tar.zst` (NDJSON or zipped stream).
- Replay manifest now includes `analysisId` to correlate graphs/traces; each reference also carries `namespace` and `callgraphId` (static) for unambiguous replay.
## Signals API quick reference
- `POST /signals/runtime-facts` — structured request body; recomputes reachability.
- `POST /signals/runtime-facts/ndjson` — streaming NDJSON/gzip; requires `callgraphId` header params.
- `POST /signals/reachability/union` — upload ZIP bundle; optional `X-Analysis-Id`.
- `GET /signals/reachability/union/{analysisId}/meta` — returns meta.json.
- `GET /signals/reachability/union/{analysisId}/files/{fileName}` — download bundled graph/trace files.
- `GET /signals/facts/{subjectKey}` — fetch latest reachability fact (includes unknowns counters and targets).
## Scoring and unknowns
- Buckets (default weights): entrypoint 1.0, direct 0.85, runtime 0.45, unknown 0.5, unreachable 0.0.
- Confidence: reachable vs unreachable base, runtime bonus, clamped between Min/Max (defaults 0.050.99).
- Unknowns: Signals counts unresolved symbols/edges per subject; `UnknownsPressure = unknowns / (states + unknowns)` (capped). Fact score is reduced by `UnknownsPenaltyCeiling` (default 0.35) × pressure.
- Events: `signals.fact.updated@v1` now emits `unknownsCount` and `unknownsPressure` plus bucket/weight/stateCount/targets.
## Replay contract changes (v0.1 add-ons)
- `reachability.analysisId` (string, optional) — ties to Signals union ingest.
- Graph refs include `namespace`, `callgraphId`, analyzer, version, sha256, casUri.
- Runtime trace refs include `namespace`, recordedAt, sha256, casUri.
## Operator checklist
- Use deterministic CAS paths; never embed absolute file paths.
- When emitting runtime NDJSON, include `loader_base` and `code_id` when available for de-dup.
- Ensure `analysisId` is propagated from Scanner/Zastava into Signals ingest to keep replay manifests linked.
- Keep feeds frozen for reproducibility; avoid external downloads in union preparation.
## References
- Schema: `docs/reachability/runtime-static-union-schema.md`
- Delivery guide: `docs/reachability/DELIVERY_GUIDE.md`
- Unknowns registry & scoring: Signals code (`ReachabilityScoringService`, `UnknownsIngestionService`) and events doc `docs/signals/events-24-005.md`.

38
docs/reachability/runtime-facts.md Normal file
View File

@@ -0,0 +1,38 @@
# Runtime Facts (Signals/Zastava) v0.1
## Payload shapes
- **Structured** (`POST /signals/runtime-facts`):
- `subject` (imageDigest | scanId | component+version)
- `callgraphId` (required)
- `events[]`: `{ symbolId, codeId?, purl?, buildId?, loaderBase?, processId?, processName?, socketAddress?, containerId?, evidenceUri?, hitCount, observedAt?, metadata{} }`
- **Streaming NDJSON** (`POST /signals/runtime-facts/ndjson`): one JSON object per line with the same fields; supports `Content-Encoding: gzip`; callgraphId provided via query/header metadata.
## Provenance/metadata
- Signals stamps:
- `provenance.source` (defaults to `runtime` unless provided in metadata)
- `provenance.ingestedAt` (ISO-8601 UTC)
- `provenance.callgraphId`
- Runtime hits are aggregated per `symbolId` (summing hitCount) before persisting and feeding scoring.
## Validation
- `symbolId` required; events list must not be empty.
- `callgraphId` required and must resolve to a stored callgraph/union bundle.
- Subject must yield a non-empty `subjectKey`.
- Empty runtime stream is rejected.
## Storage and cache
- Stored alongside reachability facts in Mongo collection `reachability_facts`.
- Runtime hits cached in Redis via `reachability_cache:*` entries; invalidated on ingest.
## Interaction with scoring
- Ingest triggers recompute: runtime hits added to prior facts hits, targets set to symbols observed, entryPoints taken from callgraph.
- Reachability states include runtime evidence on the path; bucket/weight may be `runtime` when hits are present.
- Unknowns registry stays separate; unknowns count still factors into fact score via pressure penalty.
## Replay alignment
- Runtime traces packaged under CAS namespace `runtime_traces`; referenced in replay manifest with `namespace` and `analysisId` to link to static graphs.
## Determinism rules
- Keep NDJSON ordering stable when generating bundles.
- Use UTC timestamps; avoid environment-dependent metadata values.
- No external network lookups during ingest.

37
docs/replay/DETERMINISTIC_REPLAY.md
View File

@@ -147,6 +147,8 @@ The optional `reachability` block captures the inputs needed to replay explainab
Replay engines MUST verify every referenced artifact hash before re-evaluating reachability. Missing graphs downgrade affected signals to `reachability:unknown` and should raise policy warnings.
Producer note: default clock values in `StellaOps.Replay.Core` are `UnixEpoch` to avoid hidden time drift; producers MUST set `scan.time` and `reachability.runtimeTraces[].recordedAt` explicitly.
---
## 4. Deterministic Execution Rules
@@ -169,10 +171,19 @@ Replay engines MUST verify every referenced artifact hash before re-evaluating r
* Parallel jobs: ordered reduction by subject path.
* Temporary directories: ephemeral but deterministic hash seeds.
### 4.3 Feeds & Policies
* All network I/O disabled; feeds must be read from snapshot bundles.
* Policies and suppressions must resolve by hash, not name.
### 4.3 Feeds & Policies
* All network I/O disabled; feeds must be read from snapshot bundles.
* Policies and suppressions must resolve by hash, not name.
### 4.4 Library hooks (StellaOps.Replay.Core)
Use the shared helpers in `src/__Libraries/StellaOps.Replay.Core` to keep outputs deterministic:
- `CanonicalJson.Serialize(...)` → lexicographic key ordering with relaxed escaping, arrays preserved as-is.
- `DeterministicHash.Sha256Hex(...)` and `DeterministicHash.MerkleRootHex(...)` → lowercase digests and stable Merkle roots for bundle manifests.
- `DssePayloadBuilder.BuildUnsigned(...)` → DSSE payloads for replay manifests using payload type `application/vnd.stellaops.replay+json`.
- `ReplayManifestExtensions.ComputeCanonicalSha256()` → convenience for CAS naming of manifest blobs.
---
@@ -182,7 +193,7 @@ Replay engines MUST verify every referenced artifact hash before re-evaluating r
```jsonc
{
"payloadType": "application/vnd.stella.replay.manifest+json",
"payloadType": "application/vnd.stellaops.replay+json",
"payload": "<base64-encoded canonical JSON>",
"signatures": [
{ "keyid": "authority-root-fips", "sig": "..." },
@@ -193,12 +204,16 @@ Replay engines MUST verify every referenced artifact hash before re-evaluating r
### 5.2 Verification Steps
1. Decode payload → verify canonical form.
2. Verify each signature chain against RootPack (offline trust anchors).
3. Recompute hash and compare to `dsseEnvelopeHash` in manifest.
4. Optionally verify Rekor inclusion proof.
---
1. Decode payload → verify canonical form.
2. Verify each signature chain against RootPack (offline trust anchors).
3. Recompute hash and compare to `dsseEnvelopeHash` in manifest.
4. Optionally verify Rekor inclusion proof.
### 5.3 Default payload type
Replay DSSE envelopes emitted by `DssePayloadBuilder` use payload type `application/vnd.stellaops.replay+json`. Consumers should treat this as canonical unless a future manifest revision increments the schema and payload type together.
---
## 6. CLI Interface

12
docs/replay/DEVS_GUIDE_REPLAY.md
View File

@@ -86,13 +86,13 @@ stella replay manifest.json --what-if --vary=feeds
## Storage
- **Mongo collections**
- `replay_runs`: manifest + DSSE envelopes + status
- `bundles`: content-addressed (input/output/rootpack)
- `subjects`: OCI digests, Merkle roots per layer
- `reachability_facts`: graph & runtime trace references tied to scan subjects
- **Mongo collections** (see `../data/replay_schema.md`)
- `replay_runs`: manifest hash, status, signatures, outputs
- `replay_bundles`: digest, type, CAS location, size
- `replay_subjects`: OCI digests + per-layer Merkle roots
- **Indexes** (canonical names): `runs_manifestHash_unique`, `runs_status_createdAt`, `bundles_type`, `bundles_location`, `subjects_layerDigest`
- **File store**
- Bundles stored as `<sha256>.tar.zst`
- Bundles stored as `<sha256>.tar.zst` in CAS (`cas://replay/<shard>/<digest>.tar.zst`); shard = first two hex chars
---

151
docs/runbooks/reachability-runtime.md
View File

@@ -1,80 +1,95 @@
# Runbook Reachability Runtime Ingestion
# Runbook: Runtime Reachability Facts (Zastava → Signals)
> **Audience:** Signals Guild · Zastava Guild · Scanner Guild · Ops Guild
> **Prereqs:** `docs/reachability/DELIVERY_GUIDE.md`, `docs/reachability/function-level-evidence.md`, `docs/modules/platform/architecture-overview.md` §5
## Goal
Stream runtime symbol evidence from Zastava Observer to Signals in NDJSON batches that align with the runtime/static union schema, stay deterministic, and are replayable.
This runbook documents how to stage, ingest, and troubleshoot runtime evidence (`/signals/runtime-facts`) so function-level reachability data remains provable across online and air-gapped environments.
## Endpoints
- Signals structured ingest: `POST /signals/runtime-facts`
- Signals NDJSON ingest: `POST /signals/runtime-facts/ndjson`
- Headers: `Content-Encoding: gzip` (optional), `Content-Type: application/x-ndjson`
- Query/header metadata: `callgraphId` (required), `scanId|imageDigest|component+version`, optional `source`
---
## NDJSON event shape (one per line)
```json
{
"symbolId": "pkg:python/django.views:View.as_view",
"codeId": "buildid-abc123",
"purl": "pkg:pypi/django@4.2.7",
"loaderBase": "0x7f23c01000",
"processId": 214,
"processName": "uwsgi",
"containerId": "c123",
"socketAddress": "10.0.0.5:8443",
"hitCount": 3,
"observedAt": "2025-11-26T12:00:00Z",
"metadata": { "pid": "214" }
}
```
## 1 · Runtime capture pipeline
Required: `symbolId`, `hitCount`; `callgraphId` is provided via query/header metadata. Optional fields shown for correlation.
1. **Zastava Observer / runtime probes**
- Emit NDJSON lines with `symbolId`, `codeId`, `loaderBase`, `hitCount`, `process{Id,Name}`, `socketAddress`, `containerId`, optional `evidenceUri`, and `metadata` map.
- Compress large batches with gzip (`.ndjson.gz`), max 10MiB per chunk, monotonic timestamps.
- Attach subject context via HTTP query (`scanId`, `imageDigest`, `component`, `version`) when using the streaming endpoint.
2. **CAS staging (optional but recommended)**
- Upload raw batches to `cas://reachability/runtime/<sha256>` before ingestion.
- Store CAS URIs alongside probe metadata so Signals can echo them in `ReachabilityFactDocument.Metadata`.
3. **Signals ingestion**
- POST `/signals/runtime-facts` (JSON) for one-off uploads or stream NDJSON to `/signals/runtime-facts/ndjson` (set `Content-Encoding: gzip` when applicable).
- Signals validates schema, dedupes events by `(symbolId, codeId, loaderBase)`, and updates `runtimeFacts` with cumulative `hitCount`.
4. **Reachability scoring**
- `ReachabilityScoringService` recomputes lattice states (`Unknown → Observed`), persists references to runtime CAS artifacts, and emits `signals.fact.updated` once `GAP-SIG-003` lands.
## Batch rules
- NDJSON MUST NOT be empty; empty streams are rejected.
- Compress with gzip when large; maintain stable line ordering.
- Use UTC timestamps (ISO-8601 `observedAt`).
- Avoid PII; redact process/user info before send.
---
## CAS alignment
- When runtime trace bundles are produced, store under `cas://runtime_traces/<hh>/<sha>.tar.zst` and include `meta.json` with analysisId.
- Pass the same `analysisId` in `X-Analysis-Id` (if present) when uploading union bundles so replay manifests can link graphs+traces.
## 2 · Operator checklist
## Errors & remediation
- `400 callgraphId is required` → set `callgraphId` header/query.
- `400 runtime fact stream was empty` → ensure NDJSON has events.
- `400 Subject must include scanId/imageDigest/component+version` → populate subject metadata.
| Step | Action | Owner | Notes |
|------|--------|-------|-------|
| 1 | Verify probe health (`zastava observer status`) and confirm NDJSON batches include `symbolId` + `codeId`. | Runtime Guild | Reject batches missing `symbolId`; restart probe with debug logging. |
| 2 | Stage batches in CAS (`stella cas put reachability/runtime ...`) and record the returned URI. | Ops Guild | Required for replay-grade evidence. |
| 3 | Call `/signals/runtime-facts/ndjson` with `tenant` and `callgraphId` headers, streaming the gzip payload. | Signals Guild | Use service identity with `signals.runtime:write`. |
| 4 | Monitor ingestion metrics: `signals_runtime_events_total`, `signals_runtime_ingest_failures_total`. | Observability | Alert if failures exceed 1% over 5min. |
| 5 | Trigger recompute (`POST /signals/reachability/recompute`) when new runtime batches arrive for an active scan. | Signals Guild | Provide `callgraphId` + subject tuple. |
| 6 | Validate Policy/UI surfaces by requesting `/policy/findings?includeReachability=true` and checking `reachability.evidence`. | Policy + UI Guilds | Ensure evidence references the CAS URIs from Step2. |
## Determinism checklist
- Stable ordering of NDJSON lines.
- No host-dependent paths; only IDs/digests.
- Fixed gzip level if used (suggest 6) to aid reproducibility.
---
## Zastava Observer setup (runtime sampler)
- **Sampling mode:** deterministic EntryTrace sampler; default 1:1 (no drop) for pilot. Enable rate/CPU guard: `Sampler:MaxEventsPerSecond` (default 500), `Sampler:MaxCpuPercent` (default 35). When rates are exceeded, emit `sampler.dropped` counters with drop reason `rate_limit`/`cpu_guard`.
- **Symbol capture:** enable build-id collection (`SymbolCapture:CollectBuildIds=true`) and loader base addresses (`SymbolCapture:EmitLoaderBase=true`) to match static graphs.
- **Batching:** buffer up to 1,000 events or 2s, whichever comes first (`Ingest:BatchSize`, `Ingest:FlushIntervalMs`). Batches are sorted by `observedAt` before send to keep deterministic order.
- **Transport:** NDJSON POST to Signals `/signals/runtime-facts/ndjson` with headers `X-Callgraph-Id`, optional `X-Analysis-Id`. Set `Content-Encoding: gzip` when batches exceed 64KiB.
- **CAS traces (optional):** if EntryTrace raw traces are persisted, package as `cas://runtime_traces/<hh>/<sha>.tar.zst` with `meta.json` containing `analysisId`, `nodeCount`, `edgeCount`, `traceVersion`. Include the CAS URI in `metadata.casUri` on each NDJSON event.
- **Security/offline:** disable egress by default; allowlist only the Signals host. TLS must be enabled; supply client certs per platform runbook if required. No PID/user names are emitted—only digests/IDs.
## 3 · Air-gapped workflow
### Example appsettings (Observer)
```json
{
"Sampler": {
"MaxEventsPerSecond": 500,
"MaxCpuPercent": 35
},
"SymbolCapture": {
"CollectBuildIds": true,
"EmitLoaderBase": true
},
"Ingest": {
"BatchSize": 1000,
"FlushIntervalMs": 2000,
"Endpoint": "https://signals.local/signals/runtime-facts/ndjson",
"Headers": {
"X-Callgraph-Id": "cg-123"
}
}
}
```
1. Export runtime NDJSON batches via Offline Kit: `offline/reachability/runtime/<scan-id>/<timestamp>.ndjson.gz` + manifest.
2. On the secure network, load CAS entries locally (`stella cas load ...`) and invoke `stella signals runtime-facts ingest --from offline/...`.
3. Re-run `stella replay manifest.json --section reachability` to ensure manifests cite the imported runtime digests.
4. Sync ingestion receipts (`signals-runtime-ingest.log`) back to the air-gapped environment for audit.
### Operational steps
1) Enable EntryTrace sampler in Zastava Observer with the config above; verify `sampler.dropped` stays at 0 during pilot.
2) Run a 5-minute capture and send NDJSON to a staging Signals instance using the smoke test; confirm 202 and CAS pointers recorded.
3) Correlate runtime facts to static graphs by callgraphId in Signals; ensure counts match sampler totals.
4) Promote config to prod/offline bundle; freeze config hashes for replay.
---
## 4 · Troubleshooting
| Symptom | Cause | Resolution |
|---------|-------|------------|
| `422 Unprocessable Entity: missing symbolId` | Probe emitted incomplete JSON. | Restart probe with `--include-symbols`, confirm symbol server availability, regenerate batch. |
| `403 Forbidden: sealed-mode evidence invalid` | Signals sealed-mode verifier rejected payload (likely missing CAS proof). | Upload batch to CAS first, include `X-Reachability-Cas-Uri` header, or disable sealed-mode in non-prod. |
| Runtime facts missing from Policy/UI | Recompute not triggered or `callgraphId` mismatch. | List facts via `/signals/reachability/facts?subject=...`, confirm `callgraphId`, then POST recompute. |
| CAS hash mismatch during replay | Batch mutated post-ingestion. | Re-stage from original gzip, invalidate old CAS entry, rerun ingestion to regenerate manifest references. |
---
## 5 · Retention & observability
- Default retention: 30days hot in Signals Mongo, 180days in CAS (match replay policy). Configure via `signals.runtimeFacts.retentionDays`.
- Metrics to alert on:
- `signals_runtime_ingest_latency_seconds` (P95 < 2s).
- `signals_runtime_cas_miss_total` (should be 0 once CAS is mandatory).
- Logs/traces:
- Category `Reachability.Runtime` records ingestion batches and CAS URIs.
- Trace attributes: `callgraphId`, `subjectKey`, `casUri`, `eventCount`.
---
## 6 · References
- `docs/reachability/DELIVERY_GUIDE.md`
- `docs/reachability/function-level-evidence.md`
- `docs/replay/DETERMINISTIC_REPLAY.md`
- `docs/modules/platform/architecture-overview.md` §5 (Replay CAS)
- `docs/runbooks/replay_ops.md`
Update this runbook whenever endpoints, retention knobs, or CAS layouts change.
## Smoke test
```bash
cat events.ndjson | gzip -c | \
curl -X POST "https://signals.local/signals/runtime-facts/ndjson?callgraphId=cg-123&component=web&version=1.0.0" \
-H "Content-Type: application/x-ndjson" \
-H "Content-Encoding: gzip" \
--data-binary @-
```
Expect 202 Accepted with SubjectKey in response; Signals will recompute reachability and emit `signals.fact.updated@v1`.

46
docs/security/rootpack_ru_crypto_fork.md Normal file
View File

@@ -0,0 +1,46 @@
# RootPack_RU Crypto Fork Notes (CryptoPro / GOST) · 2025-11-25
## Why
- We need a patchable, source-controlled CryptoPro/GOST stack to ship RootPack_RU without relying on the vulnerable `IT.GostCryptography` 6.0.0.1 package.
- The fork lives at `third_party/forks/AlexMAS.GostCryptography` and is now wired into `StellaOps.Cryptography.Plugin.CryptoPro`.
## Fork specifics
- Upstream: https://github.com/AlexMAS/GostCryptography @ commit `31413f6`.
- Retargeted to `net10.0`; packaging-on-build disabled to avoid accidental nuget pushes.
- Added deps: `System.Security.Cryptography.Xml` 8.0.1, `System.Security.Permissions` 8.0.0, warning suppressions (CA1416, SYSLIB0004) for Windows-only CSP APIs.
- Build entrypoint: `third_party/forks/AlexMAS.GostCryptography/Source/GostCryptography/GostCryptography.csproj`.
## How we consume it
- `src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro` now project-references the fork (removed `IT.GostCryptography` nuget).
- Runtime still Windows-only; plugin uses CSP (`CspParameters`) for key material when available.
- Tests are opt-in and Windows/CSP only: set `STELLAOPS_CRYPTO_PRO_ENABLED=1` and run `scripts/crypto/run-cryptopro-tests.ps1`.
## How to sync the fork
- Track the pinned upstream commit in `third_party/forks/AlexMAS.GostCryptography/STELLA_NOTES.md` (currently `31413f6`).
- To refresh:
1. `git clone https://github.com/AlexMAS/GostCryptography.git /tmp/gost && cd /tmp/gost && git checkout <commit-or-tag>`
2. `rsync -a --delete --exclude .git /tmp/gost/ third_party/forks/AlexMAS.GostCryptography/`
3. Update `STELLA_NOTES.md` with the new commit hash and any upstream changes that matter for CSP/Magma/Kuznyechik.
4. Run `dotnet build third_party/forks/AlexMAS.GostCryptography/Source/GostCryptography/GostCryptography.csproj -c Release` plus `dotnet build src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro -c Release` to confirm the fork still compiles inside the monorepo.
- Keep the folder free of binary outputs (no `.nupkg` or `bin/obj` committed) so RootPack stays reproducible.
## Build & test quickstart (Windows runner with CryptoPro CSP installed)
```powershell
dotnet build src/__Libraries/StellaOps.Cryptography.Plugin.CryptoPro/StellaOps.Cryptography.Plugin.CryptoPro.csproj -c Release
scripts/crypto/run-cryptopro-tests.ps1 -Configuration Release
```
### CI (opt-in)
- Workflow: `.gitea/workflows/cryptopro-optin.yml`
- Trigger: `workflow_dispatch` only; assumes runner already has CryptoPro CSP installed/licensed.
- Env guard: `STELLAOPS_CRYPTO_PRO_ENABLED=1` set in workflow to enable CryptoPro tests.
## What remains (tracked in SEC-CRYPTO-90-019/020)
- Run the fork + plugin tests on a Windows+CSP agent.
- Wire an opt-in CI lane for CryptoPro so default pipelines stay green.
- Add platform-aware smoke tests for signer/verify with real CSP key.
## Licensing & distro notes
- Upstream license: MIT; keep `LICENSE` + `NOTICE` from the fork inside RootPack bundles and in third-party notices.
- Plugin remains AGPL-3.0-or-later; ensure fork sources stay vendored (no binary-only blobs).
- Do **not** publish the fork to public feeds; only build from source inside RootPack bundles.

12
docs/security/rootpack_ru_package.md
View File

@@ -2,6 +2,11 @@
This guide describes the reproducible process for assembling the sovereign cryptography bundle that backs RootPack_RU deployments.
## 0. Fork provenance & licensing checklist
- Confirm the vendored fork commit recorded in `third_party/forks/AlexMAS.GostCryptography/STELLA_NOTES.md` matches `git -C third_party/forks/AlexMAS.GostCryptography rev-parse HEAD` before you package.
- Copy the fork's `LICENSE` (MIT) and `STELLA_NOTES.md` into the bundle `docs/` directory so downstream operators see the source provenance; keep the plug-ins themselves under AGPL-3.0-or-later.
- Do not publish the fork to NuGet; all builds must use the vendored sources shipped inside the bundle.
## 1. What the bundle contains
| Directory | Purpose |
@@ -29,6 +34,13 @@ The script performs the following steps:
4. Adds the Russian trust anchors from `certificates/russian_trusted_*`.
5. Emits `README.txt` and optionally creates a `*.tar.gz` archive (set `PACKAGE_TAR=0` to skip the tarball).
After the script finishes, drop the fork metadata into `docs/` inside the bundle:
```bash
cp third_party/forks/AlexMAS.GostCryptography/LICENSE "${OUTPUT_ROOT}/docs/LICENSE.gostcryptography"
cp third_party/forks/AlexMAS.GostCryptography/STELLA_NOTES.md "${OUTPUT_ROOT}/docs/STELLA_NOTES.gostcryptography.md"
```
> **Temporary quarantine (2025-11-09).** To keep day-to-day builds free of the vulnerable GostCryptography dependency, the repository disables the CryptoPro plug-in unless you pass `-p:StellaOpsEnableCryptoPro=true`. RootPack packaging still works because this script publishes the plug-in directly, but any host/service build that needs CryptoPro must opt in with that MSBuild property until the patched package lands.
## 3. Attach deterministic test evidence