stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 12 Releases Wiki Activity

up
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Details
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
Details
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Reachability Corpus Validation / validate-corpus (push) Has been cancelled
Details
Reachability Corpus Validation / validate-ground-truths (push) Has been cancelled
Details
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Details
Reachability Corpus Validation / determinism-check (push) Has been cancelled
Details
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Details
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Details
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Details
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-14 15:50:38 +02:00
parent f1a39c4ce3
commit 233873f620
249 changed files with 29746 additions and 154 deletions
Download Patch File Download Diff File Expand all files Collapse all files

159
docs/implplan/archived/SPRINT_0410_0001_0001_entrypoint_detection_reengineering_program.md Normal file
View File

@@ -0,0 +1,159 @@
# Sprint 0410.0001.0001 - Entrypoint Detection Re-Engineering Program
## Topic & Scope
- Window: 2025-12-16 -> 2026-02-28 (UTC); phased delivery across 5 child sprints.
- **Vision:** Re-engineer entrypoint detection to be industry-leading with semantic understanding, temporal tracking, multi-container mesh analysis, speculative execution, binary intelligence, and predictive risk scoring.
- **Strategic Goal:** Position StellaOps entrypoint detection as the foundation for context-aware vulnerability assessment - answering not just "what's installed" but "what's running, how it's invoked, and what can reach it."
- **Working directory:** `docs/implplan` (coordination); implementation in `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/` and related modules.
## Program Architecture
### Current State
The existing entrypoint detection has:
- Container-level OCI config parsing (ENTRYPOINT/CMD)
- ShellFlow static analyzer for shell scripts
- Per-language analyzers (Python, Java, Node, .NET, Go, Ruby, Rust, Bun, Deno, PHP)
- Evidence chains with `usedByEntrypoint` flags
- Dual-mode (static image + running container)
### Target State: Entrypoint Knowledge Graph
```
┌────────────────────────────────────────────────────────────────────┐
│ ENTRYPOINT KNOWLEDGE GRAPH │
├────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Semantic │────▶│ Temporal │────▶│ Mesh │ │
│ │ Engine │ │ Graph │ │ Analysis │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Speculative │────▶│ Binary │────▶│ Predictive │ │
│ │ Execution │ │ Intelligence │ │ Risk │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
│ │
│ Query: "Which images have Django entrypoints reachable to │
│ log4j 2.14.1?" │
│ Answer: 847 images, 12 in production, 3 internet-facing │
│ │
└────────────────────────────────────────────────────────────────────┘
```
## Child Sprints
| Sprint ID | Name | Focus | Window | Status |
|-----------|------|-------|--------|--------|
| 0411.0001.0001 | Semantic Entrypoint Engine | Semantic understanding, intent/capability inference | 2025-12-16 -> 2025-12-30 | TODO |
| 0412.0001.0001 | Temporal & Mesh Entrypoint | Temporal tracking, multi-container mesh | 2026-01-02 -> 2026-01-17 | TODO |
| 0413.0001.0001 | Speculative Execution Engine | Symbolic execution, path enumeration | 2026-01-20 -> 2026-02-03 | TODO |
| 0414.0001.0001 | Binary Intelligence | Fingerprinting, symbol recovery | 2026-02-06 -> 2026-02-17 | TODO |
| 0415.0001.0001 | Predictive Risk Scoring | Risk-aware scoring, business context | 2026-02-20 -> 2026-02-28 | TODO |
## Dependencies & Concurrency
- Upstream: Sprint 0401 Reachability Evidence Chain (completed tasks for richgraph-v1, symbol_id, code_id).
- Upstream: Sprint 0408 Scanner Language Detection Gaps Program (mature language analyzers).
- Child sprints 0411-0413 can proceed in parallel after semantic foundation lands.
- Sprints 0414-0415 depend on earlier sprints for data structures but can overlap.
## Documentation Prerequisites
- docs/modules/scanner/architecture.md
- docs/modules/scanner/operations/entrypoint-problem.md
- docs/modules/scanner/operations/entrypoint-static-analysis.md
- docs/modules/scanner/operations/entrypoint-shell-analysis.md
- docs/modules/scanner/operations/entrypoint-runtime-overview.md
- docs/reachability/function-level-evidence.md
- docs/reachability/lattice.md
- src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/AGENTS.md (to be created)
## Key Deliverables
### Phase 1: Semantic Foundation (Sprint 0411)
1. **SemanticEntrypoint** record with intent, capabilities, attack surface
2. **ApplicationIntent** enumeration (web-server, cli-tool, batch-job, worker, serverless, etc.)
3. **CapabilityClass** enumeration (network-listen, file-write, exec-spawn, crypto, etc.)
4. **ThreatVector** inference from entrypoint characteristics
5. Cross-language semantic detection adapters
### Phase 2: Temporal & Mesh (Sprint 0412)
1. **TemporalEntrypointGraph** for version-to-version tracking
2. **EntrypointDrift** detection and alerting
3. **MeshEntrypointGraph** for multi-container orchestration
4. **CrossContainerPath** reachability across services
5. Kubernetes/Compose manifest parsing
### Phase 3: Speculative Execution (Sprint 0413)
1. **SymbolicExecutionEngine** for ShellFlow enhancement
2. **PathEnumerator** for all terminal states
3. **ConstraintSolver** for complex conditionals
4. **BranchCoverage** metrics and confidence
### Phase 4: Binary Intelligence (Sprint 0414)
1. **CodeFingerprint** index from OSS package corpus
2. **SymbolRecovery** for stripped binaries
3. **SourceCorrelation** service
4. **FunctionSignatureInference** from binary analysis
### Phase 5: Predictive Risk (Sprint 0415)
1. **RiskFactorExtractor** pipeline
2. **EntrypointRiskScorer** with business context
3. **AttackSurfaceQuantifier** per entrypoint
4. **EntrypointAsCode** auto-generated specifications
## Competitive Differentiation
| Capability | StellaOps (Target) | Competition |
|------------|-------------------|-------------|
| Semantic understanding | Full intent + capability inference | Pattern matching only |
| Temporal tracking | Version-to-version evolution | Snapshot only |
| Multi-container | Full mesh with cross-container reachability | Single container |
| Stripped binaries | Fingerprint + ML recovery | Limited/none |
| Speculative execution | All paths enumerated symbolically | Best-effort heuristics |
| Entrypoint-as-Code | Auto-generated, executable specs | Manual documentation |
| Predictive risk | Business-context-aware scoring | Static CVSS only |
## Wave Coordination
| Wave | Child Sprints | Shared Prerequisites | Status | Notes |
|------|---------------|----------------------|--------|-------|
| Foundation | 0411 | Sprint 0401 richgraph/symbol contracts | TODO | Must land before other phases |
| Parallel | 0412, 0413 | 0411 semantic records | TODO | Can run concurrently |
| Intelligence | 0414 | 0411-0413 data structures | TODO | Binary focus |
| Risk | 0415 | 0411-0414 evidence chains | TODO | Final phase |
## Interlocks
- Semantic record schema (Sprint 0411) must stabilize before Temporal/Mesh (0412) or Speculative (0413) start.
- Binary fingerprint corpus (Sprint 0414) requires OSS package index integration.
- Risk scoring (Sprint 0415) needs Policy Engine integration for gate enforcement.
- All phases emit to richgraph-v1 with BLAKE3 hashing per CONTRACT-RICHGRAPH-V1-015.
## Upcoming Checkpoints
- 2025-12-16 - Sprint 0411 kickoff; semantic schema draft review.
- 2025-12-23 - Sprint 0411 midpoint; ApplicationIntent/CapabilityClass enums frozen.
- 2025-12-30 - Sprint 0411 close; semantic foundation ready for 0412/0413.
- 2026-01-02 - Sprints 0412/0413 kickoff (parallel).
- 2026-02-28 - Program close; all phases delivered.
## Action Tracker
| # | Action | Owner | Due (UTC) | Status | Notes |
|---|--------|-------|-----------|--------|-------|
| 1 | Create AGENTS.md for EntryTrace module | Scanner Guild | 2025-12-16 | TODO | Foundation for implementers |
| 2 | Draft SemanticEntrypoint schema | Scanner Guild | 2025-12-18 | TODO | Phase 1 core deliverable |
| 3 | Define ApplicationIntent enumeration | Scanner Guild | 2025-12-20 | TODO | Needs cross-language input |
| 4 | Create temporal graph storage design | Platform Guild | 2026-01-02 | TODO | Phase 2 dependency |
| 5 | Evaluate binary fingerprint corpus options | Scanner Guild | 2026-02-01 | TODO | Phase 4 dependency |
## Decisions & Risks
| ID | Risk | Impact | Mitigation / Owner |
|----|------|--------|-------------------|
| R1 | Semantic schema changes mid-program | Rework in dependent phases | Freeze schema by Sprint 0411 close; Scanner Guild |
| R2 | Binary fingerprint corpus size/latency | Slow startup, large storage | Use lazy loading, tiered caching; Platform Guild |
| R3 | Multi-container mesh complexity | Detection gaps in complex K8s | Phased support; start with common patterns; Scanner Guild |
| R4 | Speculative execution path explosion | Performance issues | Add depth limits, caching; Scanner Guild |
| R5 | Risk scoring model accuracy | False confidence signals | Train on CVE exploitation data; validate with red team; Signals Guild |
## Execution Log
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-13 | Created program sprint from strategic analysis; outlined 5 child sprints with phased delivery; defined competitive differentiation matrix. | Planning |

191
docs/implplan/archived/SPRINT_3412_0001_0001_postgres_durability_phase2.md Normal file
View File

@@ -0,0 +1,191 @@
# Sprint 3412 - PostgreSQL Durability Phase 2
## Topic & Scope
- Implement PostgreSQL storage for modules currently using in-memory/filesystem storage after MongoDB removal
- Complete Excititor PostgreSQL migration (Provider, Observation, Attestation, Timeline stores still in-memory)
- Restore production durability for AirGap, TaskRunner, Signals, Graph, PacksRegistry, SbomService
- Complete Notify Postgres repository implementation for missing repos
- Fix Graph.Indexer determinism test failures
- **Working directory:** cross-module; all modules with in-memory/filesystem storage
## Dependencies & Concurrency
- Upstream: Sprint 3410 (MongoDB Final Removal) - COMPLETE
- Upstream: Sprint 3411 (Notifier Architectural Cleanup) - COMPLETE
- Each module can be implemented independently; modules can be worked in parallel
- Prefer Excititor, AirGap.Controller and TaskRunner first due to HIGH production risk
## Documentation Prerequisites
- docs/db/SPECIFICATION.md
- docs/operations/postgresql-guide.md
- Module AGENTS.md files
- Existing Postgres storage implementations (Authority, Scheduler, Concelier) as reference patterns
## Database Abstraction Layer Requirements
**All implementations MUST follow the established pattern:**
```
DataSourceBase (Infrastructure.Postgres)
└── ModuleDataSource : DataSourceBase
└── RepositoryBase<TDataSource>
└── ConcreteRepository : RepositoryBase<ModuleDataSource>, IRepository
```
### Reference Implementations
| Pattern | Reference Location |
|---------|-------------------|
| DataSourceBase | `src/__Libraries/StellaOps.Infrastructure.Postgres/Connections/DataSourceBase.cs` |
| RepositoryBase | `src/__Libraries/StellaOps.Infrastructure.Postgres/Repositories/RepositoryBase.cs` |
| Module DataSource | `src/Authority/__Libraries/StellaOps.Authority.Storage.Postgres/AuthorityDataSource.cs` |
| Repository Example | `src/Authority/__Libraries/StellaOps.Authority.Storage.Postgres/Repositories/ApiKeyRepository.cs` |
| Test Fixture | `src/__Libraries/StellaOps.Infrastructure.Postgres.Testing/PostgresIntegrationFixture.cs` |
### Implementation Checklist
Each new Postgres repository MUST:
- [ ] Inherit from `RepositoryBase<TModuleDataSource>`
- [ ] Implement module-specific interface (e.g., `IVexProviderStore`)
- [ ] Accept `tenantId` as first parameter in all queries
- [ ] Use base class helpers: `QueryAsync`, `QuerySingleOrDefaultAsync`, `ExecuteAsync`
- [ ] Use `AddParameter`, `AddJsonbParameter` for safe parameter binding
- [ ] Include static mapper function for data mapping
- [ ] Be registered as **Scoped** in DI (DataSource is Singleton)
- [ ] Include embedded SQL migrations
- [ ] Have integration tests using `PostgresIntegrationFixture`
## Delivery Tracker
### T12.0: Excititor PostgreSQL Completion (HIGH PRIORITY)
**Context:** Excititor has partial PostgreSQL implementation. Core stores (raw docs, linksets, checkpoints) are complete, but 4 auxiliary stores remain in-memory only with explicit TODO comments indicating temporary status.
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | MR-T12.0.1 | DONE | None | Excititor Guild | Implement `PostgresVexProviderStore` (replace InMemoryVexProviderStore) |
| 2 | MR-T12.0.2 | DONE | None | Excititor Guild | Implement `PostgresVexObservationStore` (replace InMemoryVexObservationStore) |
| 3 | MR-T12.0.3 | DONE | None | Excititor Guild | Implement `PostgresVexAttestationStore` (replace InMemoryVexAttestationStore) |
| 4 | MR-T12.0.4 | DONE | None | Excititor Guild | Implement `PostgresVexTimelineEventStore` (IVexTimelineEventStore - no impl exists) |
| 5 | MR-T12.0.5 | DONE | MR-T12.0.1-4 | Excititor Guild | Add vex schema migrations for provider, observation, attestation, timeline tables |
| 6 | MR-T12.0.6 | DONE | MR-T12.0.5 | Excititor Guild | Update DI in ServiceCollectionExtensions to use Postgres stores by default |
| 7 | MR-T12.0.7 | DONE | MR-T12.0.6 | Excititor Guild | Add integration tests with PostgresIntegrationFixture |
### T12.1: AirGap.Controller PostgreSQL Storage (HIGH PRIORITY)
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | MR-T12.1.1 | DONE | None | AirGap Guild | Design airgap.state PostgreSQL schema and migration |
| 2 | MR-T12.1.2 | DONE | MR-T12.1.1 | AirGap Guild | Implement `PostgresAirGapStateStore` repository |
| 3 | MR-T12.1.3 | DONE | MR-T12.1.2 | AirGap Guild | Wire DI for Postgres storage, update ServiceCollectionExtensions |
| 4 | MR-T12.1.4 | DONE | MR-T12.1.3 | AirGap Guild | Add integration tests with Testcontainers |
### T12.2: TaskRunner PostgreSQL Storage (HIGH PRIORITY)
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 5 | MR-T12.2.1 | DONE | None | TaskRunner Guild | Design taskrunner schema and migration (state, approvals, logs, evidence) |
| 6 | MR-T12.2.2 | DONE | MR-T12.2.1 | TaskRunner Guild | Implement Postgres repositories (PackRunStateStore, PackRunApprovalStore, PackRunLogStore, PackRunEvidenceStore) |
| 7 | MR-T12.2.3 | DONE | MR-T12.2.2 | TaskRunner Guild | Wire DI for Postgres storage, create ServiceCollectionExtensions |
| 8 | MR-T12.2.4 | DONE | MR-T12.2.3 | TaskRunner Guild | Add integration tests with Testcontainers |
### T12.3: Notify Missing Repositories
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 9 | MR-T12.3.1 | SKIPPED | None | Notifier Guild | `PackApprovalRepository` - no model exists in codebase |
| 10 | MR-T12.3.2 | DONE | None | Notifier Guild | Implement `ThrottleConfigRepository` with Postgres backing |
| 11 | MR-T12.3.3 | DONE | None | Notifier Guild | Implement `OperatorOverrideRepository` with Postgres backing |
| 12 | MR-T12.3.4 | DONE | None | Notifier Guild | Implement `LocalizationBundleRepository` with Postgres backing |
| 13 | MR-T12.3.5 | DONE | MR-T12.3.2-4 | Notifier Guild | Wire Postgres repos in DI via ServiceCollectionExtensions |
### T12.4: Signals PostgreSQL Storage
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 14 | MR-T12.4.1 | DONE | None | Signals Guild | Design signals schema (callgraphs, reachability_facts, unknowns, func_nodes, call_edges, cve_func_hits) |
| 15 | MR-T12.4.2 | DONE | MR-T12.4.1 | Signals Guild | Implement Postgres repositories (PostgresCallgraphRepository, PostgresReachabilityFactRepository, PostgresUnknownsRepository, PostgresReachabilityStoreRepository) |
| 16 | MR-T12.4.3 | DONE | MR-T12.4.1 | Signals Guild | Create SignalsDataSource and ServiceCollectionExtensions |
| 17 | MR-T12.4.4 | DONE | MR-T12.4.2-3 | Signals Guild | Build verified with no errors |
| 18 | MR-T12.4.5 | DONE | MR-T12.4.4 | Signals Guild | Add integration tests with Testcontainers |
### T12.5: Graph.Indexer PostgreSQL Storage
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 19 | MR-T12.5.1 | DONE | None | Graph Guild | Design graph schema (idempotency_tokens, pending_snapshots, cluster_assignments, centrality_scores, graph_nodes, graph_edges) |
| 20 | MR-T12.5.2 | DONE | MR-T12.5.1 | Graph Guild | Implement Postgres graph writer repository (PostgresGraphDocumentWriter) |
| 21 | MR-T12.5.3 | DONE | MR-T12.5.1 | Graph Guild | Implement Postgres snapshot store (PostgresGraphSnapshotProvider, PostgresIdempotencyStore, PostgresGraphAnalyticsWriter) |
| 22 | MR-T12.5.4 | DONE | MR-T12.5.2-3 | Graph Guild | Created GraphIndexerDataSource and ServiceCollectionExtensions, build verified |
| 23 | MR-T12.5.5 | DONE | MR-T12.5.4 | Graph Guild | Add integration tests with Testcontainers for Graph.Indexer repositories |
| 24 | MR-T12.5.6 | DONE | MR-T12.5.5 | Graph Guild | Fix GraphAnalyticsEngine determinism test failures |
| 25 | MR-T12.5.7 | DONE | MR-T12.5.5 | Graph Guild | Fix GraphSnapshotBuilder determinism test failures |
### T12.6: PacksRegistry PostgreSQL Storage
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 25 | MR-T12.6.1 | DONE | None | PacksRegistry Guild | Design packs schema (packs, attestations, audit_log, lifecycles, mirror_sources, parities) |
| 26 | MR-T12.6.2 | DONE | MR-T12.6.1 | PacksRegistry Guild | Implement Postgres repositories (PostgresPackRepository, PostgresAttestationRepository, PostgresAuditRepository, PostgresLifecycleRepository, PostgresMirrorRepository, PostgresParityRepository) |
| 27 | MR-T12.6.3 | DONE | MR-T12.6.2 | PacksRegistry Guild | Created PacksRegistryDataSource and ServiceCollectionExtensions, build verified |
| 28 | MR-T12.6.4 | DONE | MR-T12.6.3 | PacksRegistry Guild | Add integration tests with Testcontainers |
### T12.7: SbomService PostgreSQL Storage
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 29 | MR-T12.7.1 | DONE | None | SbomService Guild | Design sbom schema (catalog, component_lookups, entrypoints, orchestrator_sources, orchestrator_control, projections) |
| 30 | MR-T12.7.2 | DONE | MR-T12.7.1 | SbomService Guild | Implement Postgres repositories (PostgresCatalogRepository, PostgresComponentLookupRepository, PostgresEntrypointRepository, PostgresOrchestratorRepository, PostgresOrchestratorControlRepository, PostgresProjectionRepository) |
| 31 | MR-T12.7.3 | DONE | MR-T12.7.1 | SbomService Guild | Created SbomServiceDataSource and ServiceCollectionExtensions |
| 32 | MR-T12.7.4 | DONE | MR-T12.7.2-3 | SbomService Guild | Build verified with 0 errors |
| 33 | MR-T12.7.5 | DONE | MR-T12.7.4 | SbomService Guild | Add integration tests with Testcontainers |
## Wave Coordination
- **Wave 1 (HIGH PRIORITY):** T12.0 (Excititor), T12.1 (AirGap), T12.2 (TaskRunner) - production durability critical
- **Wave 2:** T12.3 (Notify repos) - completes Notify Postgres migration
- **Wave 3:** T12.4-T12.7 (Signals, Graph, PacksRegistry, SbomService) - can be parallelized
## Current Storage Locations
| Module | Current Implementation | Files |
|--------|------------------------|-------|
| Excititor | Postgres COMPLETE | All stores implemented: `PostgresVexProviderStore`, `PostgresVexObservationStore`, `PostgresVexAttestationStore`, `PostgresVexTimelineEventStore` |
| AirGap.Controller | Postgres COMPLETE | `PostgresAirGapStateStore` in `StellaOps.AirGap.Storage.Postgres` |
| TaskRunner | Postgres COMPLETE | `PostgresPackRunStateStore`, `PostgresPackRunApprovalStore`, `PostgresPackRunLogStore`, `PostgresPackRunEvidenceStore` in `StellaOps.TaskRunner.Storage.Postgres` |
| Signals | Postgres COMPLETE | `StellaOps.Signals.Storage.Postgres`: PostgresCallgraphRepository, PostgresReachabilityFactRepository, PostgresUnknownsRepository, PostgresReachabilityStoreRepository |
| Graph.Indexer | Postgres COMPLETE | `StellaOps.Graph.Indexer.Storage.Postgres`: PostgresIdempotencyStore, PostgresGraphSnapshotProvider, PostgresGraphAnalyticsWriter, PostgresGraphDocumentWriter |
| PacksRegistry | Postgres COMPLETE | `StellaOps.PacksRegistry.Storage.Postgres`: PostgresPackRepository, PostgresAttestationRepository, PostgresAuditRepository, PostgresLifecycleRepository, PostgresMirrorRepository, PostgresParityRepository |
| SbomService | Postgres COMPLETE | `StellaOps.SbomService.Storage.Postgres`: PostgresCatalogRepository, PostgresComponentLookupRepository, PostgresEntrypointRepository, PostgresOrchestratorRepository, PostgresOrchestratorControlRepository, PostgresProjectionRepository |
| Notify | Postgres COMPLETE | All repositories implemented including new: `ThrottleConfigRepository`, `OperatorOverrideRepository`, `LocalizationBundleRepository` |
## Decisions & Risks
- **Decisions:** All Postgres implementations MUST follow the `RepositoryBase<TDataSource>` abstraction pattern established in Authority, Scheduler, and Concelier modules. Use Testcontainers for integration testing. No direct Npgsql access without abstraction.
- **Risks:**
- ~~Excititor VEX attestations not persisted until T12.0 completes - HIGH PRIORITY~~ **MITIGATED** - T12.0 complete
- ~~AirGap sealing state loss on restart until T12.1 completes~~ **MITIGATED** - T12.1 complete
- ~~TaskRunner has no HA/scaling support until T12.2 completes~~ **MITIGATED** - T12.2 complete
- ~~Signals callgraphs and reachability facts not durable~~ **MITIGATED** - T12.4 complete
- ~~Graph.Indexer determinism tests currently failing (null edge resolution, duplicate nodes)~~ **MITIGATED** - T12.5.6-7 complete
| Risk | Mitigation |
| --- | --- |
| Production durability gaps | Prioritize Excititor, AirGap and TaskRunner (Wave 1) |
| Schema design complexity | Reference existing Postgres implementations (Authority, Scheduler) |
| Inconsistent abstraction patterns | Enforce `RepositoryBase<TDataSource>` pattern via code review |
| Test infrastructure | Use existing Testcontainers patterns from Scanner.Storage |
| Excititor in-memory stores have complex semantics | Use InMemoryVexStores.cs as behavioral specification |
## Modules NOT in This Sprint (Already Complete)
| Module | Status | Evidence |
|--------|--------|----------|
| Concelier | COMPLETE | 32 PostgreSQL repositories in `StellaOps.Concelier.Storage.Postgres` |
| Authority | COMPLETE | 24 PostgreSQL repositories in `StellaOps.Authority.Storage.Postgres` |
| Scheduler | COMPLETE | 11+ PostgreSQL repositories in `StellaOps.Scheduler.Storage.Postgres` |
| Scanner | COMPLETE | PostgreSQL storage with migrations in `StellaOps.Scanner.Storage` |
| Policy | COMPLETE | PostgreSQL repositories in `StellaOps.Policy.Storage.Postgres` |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-13 | Sprint created to track PostgreSQL durability follow-up work from Sprint 3410 (MongoDB Final Removal). | Infrastructure Guild |
| 2025-12-13 | Added Excititor T12.0 section - identified 4 stores still using in-memory implementations. Added Database Abstraction Layer Requirements section. Updated wave priorities. | Infrastructure Guild |
| 2025-12-13 | Completed T12.0.1-6: Implemented PostgresVexProviderStore, PostgresVexObservationStore, PostgresVexAttestationStore, PostgresVexTimelineEventStore. Updated ServiceCollectionExtensions to register new stores. Tables created via EnsureTableAsync lazy initialization pattern. Integration tests (T12.0.7) still pending. | Infrastructure Guild |
| 2025-12-13 | Completed T12.2.1-3: Implemented TaskRunner PostgreSQL storage in new `StellaOps.TaskRunner.Storage.Postgres` project. Created repositories: PostgresPackRunStateStore (pack_run_state table), PostgresPackRunApprovalStore (pack_run_approvals table), PostgresPackRunLogStore (pack_run_logs table), PostgresPackRunEvidenceStore (pack_run_evidence table). All use EnsureTableAsync lazy initialization and OpenSystemConnectionAsync for cross-tenant access. Integration tests (T12.2.4) still pending. | Infrastructure Guild |
| 2025-12-13 | Completed T12.4.1-4: Implemented Signals PostgreSQL storage in new `StellaOps.Signals.Storage.Postgres` project. Created SignalsDataSource and 4 repositories: PostgresCallgraphRepository (callgraphs table with JSONB), PostgresReachabilityFactRepository (reachability_facts table with JSONB), PostgresUnknownsRepository (unknowns table), PostgresReachabilityStoreRepository (func_nodes, call_edges, cve_func_hits tables). Uses OpenSystemConnectionAsync for non-tenant-scoped data. Build verified with no errors. Integration tests (T12.4.5) still pending. | Infrastructure Guild |
| 2025-12-13 | Completed T12.5.1-4: Implemented Graph.Indexer PostgreSQL storage in new `StellaOps.Graph.Indexer.Storage.Postgres` project. Created GraphIndexerDataSource ("graph" schema) and 4 repositories: PostgresIdempotencyStore (idempotency_tokens table), PostgresGraphSnapshotProvider (pending_snapshots table), PostgresGraphAnalyticsWriter (cluster_assignments, centrality_scores tables), PostgresGraphDocumentWriter (graph_nodes, graph_edges tables with JSONB). Build verified with 0 errors. Determinism test fixes (T12.5.5-6) still pending. | Infrastructure Guild |
| 2025-12-13 | Completed T12.6.1-3: Implemented PacksRegistry PostgreSQL storage in new `StellaOps.PacksRegistry.Storage.Postgres` project. Created PacksRegistryDataSource ("packs" schema) and 6 repositories: PostgresPackRepository (packs table with BYTEA for content/provenance), PostgresAttestationRepository (attestations table with BYTEA), PostgresAuditRepository (audit_log table, append-only), PostgresLifecycleRepository (lifecycles table), PostgresMirrorRepository (mirror_sources table), PostgresParityRepository (parities table). Build verified with 0 errors. Integration tests (T12.6.4) still pending. | Infrastructure Guild |
| 2025-12-13 | Completed T12.7.1-4: Implemented SbomService PostgreSQL storage in new `StellaOps.SbomService.Storage.Postgres` project. Created SbomServiceDataSource ("sbom" schema) and 6 repositories: PostgresCatalogRepository (catalog table with JSONB asset_tags, GIN index), PostgresComponentLookupRepository (component_lookups table), PostgresEntrypointRepository (entrypoints table with composite PK), PostgresOrchestratorRepository (orchestrator_sources table with idempotent insert), PostgresOrchestratorControlRepository (orchestrator_control table), PostgresProjectionRepository (projections table with JSONB). Build verified with 0 errors. Integration tests (T12.7.5) still pending. | Infrastructure Guild |
| 2025-12-13 | Completed integration tests for Wave 3 modules (T12.4.5, T12.5.5, T12.6.4, T12.7.5): Created 4 new test projects with PostgresIntegrationFixture-based tests: `StellaOps.Signals.Storage.Postgres.Tests` (PostgresCallgraphRepositoryTests), `StellaOps.Graph.Indexer.Storage.Postgres.Tests` (PostgresIdempotencyStoreTests), `StellaOps.PacksRegistry.Storage.Postgres.Tests` (PostgresPackRepositoryTests), `StellaOps.SbomService.Storage.Postgres.Tests` (PostgresEntrypointRepositoryTests, PostgresOrchestratorControlRepositoryTests). All test projects build successfully. Uses ICollectionFixture pattern with per-test truncation. Remaining work: T12.5.6-7 determinism test fixes, T12.0.7/T12.1.4/T12.2.4 integration tests for Wave 1 modules. | Infrastructure Guild |
| 2025-12-14 | Completed remaining integration tests (T12.0.7 Excititor, T12.1.4 AirGap, T12.2.4 TaskRunner) and Graph determinism test fixes (T12.5.6-7). T12.0.7: 4 VEX store tests (PostgresVexProviderStoreTests, PostgresVexAttestationStoreTests, PostgresVexObservationStoreTests, PostgresVexTimelineEventStoreTests). T12.1.4: Created AirGapPostgresFixture, PostgresAirGapStateStoreTests. T12.2.4: Created TaskRunnerPostgresFixture, PostgresPackRunStateStoreTests. T12.5.6: Fixed ImmutableArray equality comparison in GraphAnalyticsEngineTests by converting to arrays. T12.5.7: Fixed NullReferenceException in TryResolveEdgeEndpoints by adding fallback for simple source/target edge format. All tests passing. Sprint 3412 complete. | Infrastructure Guild |