news advisories

This commit is contained in:
StellaOps Bot
2025-11-30 21:00:38 +02:00
parent 0bef705bcc
commit 25254e3831
14 changed files with 7573 additions and 29 deletions

@@ -11,6 +11,89 @@ These are the authoritative advisories to reference for implementation:
- **Sprint:** SPRINT_0190_0001_0001_cvss_v4_receipts.md
- **Status:** New sprint created
### CVSS v4.0 Momentum Briefing
- **Canonical:** `29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md`
- **Sprint:** SPRINT_0190_0001_0001_cvss_v4_receipts.md (context)
- **Related Docs:**
- `docs/product-advisories/25-Nov-2025 - Add CVSS v4.0 Score Receipts for Transparency.md` (implementation focus)
- `docs/product-advisories/29-Nov-2025 - CVSS v4.0 Momentum in Vulnerability Management.md` (this briefing)
- **Status:** Summarises the industry adoption signals (NVD/GitHub/Microsoft/Snyk) and why Stella Ops should treat CVSS v4.0 as first-class now.
### SCA Failure Catalogue
- **Canonical:** `29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md`
- **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
- **Related Docs:**
- `docs/product-advisories/29-Nov-2025 - SCA Failure Catalogue for StellaOps Tests.md` (this catalogue)
- `docs/implplan/SPRINT_300_documentation_process.md` (tracking sync)
- **Status:** Captures five real-world regressions/ SBOM gaps for Trivy/Syft/Grype/Snyk and frames test vectors + alarm scenarios for StellaOps acceptance suites.
### Implementor Guidelines
- **Canonical:** `30-Nov-2025 - Implementor Guidelines for Stella Ops.md`
- **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
- **Related Docs:**
- `docs/product-advisories/30-Nov-2025 - Implementor Guidelines for Stella Ops.md` (this briefing)
- `docs/05_SYSTEM_REQUIREMENTS_SPEC.md` / `docs/13_RELEASE_ENGINEERING_PLAYBOOK.md` (reference requirements)
- **Status:** Operational checklist for contributors, plug-in authors, and implementors linking SRS/architecture to practical practices.
### SBOM → VEX Proof Blueprint
- **Canonical:** `29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md`
- **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
- **Related Docs:**
- `docs/product-advisories/29-Nov-2025 - SBOM to VEX Proof Pipeline Blueprint.md` (itself)
- `docs/modules/platform/architecture-overview.md` (platform dossier link)
- **Status:** Diagram-first guide showing DSSE → Rekor v2 tiles → VEX linkage plus online/offline verification notes for StellaOps proofs.
### UI Micro-Interactions
- **Canonical:** `30-Nov-2025 - UI Micro-Interactions for StellaOps.md`
- **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
- **Related Docs:**
- `apps/console/src/app/shared/micro/`
- `docs/product-advisories/30-Nov-2025 - UI Micro-Interactions for StellaOps.md`
- **Status:** Three Angular tasks covering audit trail reasons, low-noise VEX gating, and evidence provenance chips for air-gapped + online UX.
### Rekor Receipt Checklist
- **Canonical:** `30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md`
- **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
- **Related Docs:**
- `docs/product-advisories/30-Nov-2025 - Rekor Receipt Checklist for Stella Ops.md`
- `docs/modules/platform/architecture-overview.md`
- **Status:** Field-level ownership map for receipts, bundles, and offline metadata so Authority/Sbomer/Vexer keep deterministic proofs.
### Ecosystem Reality Tests
- **Canonical:** `30-Nov-2025 - Ecosystem Reality Test Cases for StellaOps.md`
- **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
- **Related Docs:**
- `docs/product-advisories/30-Nov-2025 - Ecosystem Reality Test Cases for StellaOps.md`
- **Status:** Evidence-backed acceptance tests covering credential leaks, offline DB quirks, SBOM parity, and scanner instability.
### Unknowns Decay & Triage Heuristics
- **Canonical:** `30-Nov-2025 - Unknowns Decay & Triage Heuristics.md`
- **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
- **Related Docs:**
- `docs/product-advisories/30-Nov-2025 - Unknowns Decay & Triage Heuristics.md`
- **Status:** Confidence decay card + triage queue artifacts that feed UI + ops exports for stale unknowns.
### Standup Sprint Kickstarters
- **Canonical:** `30-Nov-2025 - Standup Sprint Kickstarters.md`
- **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
- **Related Docs:**
- `docs/product-advisories/30-Nov-2025 - Standup Sprint Kickstarters.md`
- **Status:** Three day-0 tasks (scanner regressions, Postgres slice, DSSE/Rekor sweep) with ticket names and assignments.
### Evidence + Suppression Patterns
- **Canonical:** `30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md`
- **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
- **Related Docs:**
- `docs/product-advisories/30-Nov-2025 - Comparative Evidence Patterns for Stella Ops.md`
- **Status:** Snapshot of how Snyk, GitHub, Aqua, Anchore/Grype, and Prisma Cloud handle evidence, suppression, and audit/export primitives.
### Reachability Benchmark Fixtures
- **Canonical:** `30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md`
- **Sprint:** SPRINT_300_documentation_process.md (docs tracker)
- **Related Docs:**
- `docs/product-advisories/30-Nov-2025 - Reachability Benchmark Fixtures Snapshot.md`
- **Status:** SV-COMP + OSS-Fuzz grounded fixture plan plus Tier-2 guidance for Java/Python, packages, containers, call-graph corpora.
### SBOM/VEX Pipeline
- **Canonical:** `27-Nov-2025 - Deep Architecture Brief - SBOMFirst, VEXReady Spine.md`
- **Sprint:** SPRINT_0186_0001_0001_record_deterministic_execution.md (tasks 15a-15f)
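Review bot: the new entries label the same tracker sprint inconsistently and mix documentation paths with source paths under Related Docs. `SPRINT_300_documentation_process.md` is tagged `(docs tracker)` in every entry here but `(Docs Governance)` in the Acceptance Tests Pack and Developer Onboarding entries later in the file; pick one label. The UI Micro-Interactions entry lists `apps/console/src/app/shared/micro/` alongside `.md` files, so a reader cannot tell documents from implementation; a separate line such as `- **Code:**` would keep the distinction. Minor: the SCA Failure Catalogue status has a stray space in `regressions/ SBOM gaps`, and `(itself)` versus `(this briefing)`/`(this catalogue)` should be one wording.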
@@ -107,7 +190,7 @@ These are the authoritative advisories to reference for implementation:
- **Status:** Fills MEDIUM-priority gap - consolidates extensibility patterns across modules
### Evidence Bundle & Replay Contracts
- **Canonical:** `29-Nov-2025 - Evidence Bundle and Replay Contracts.md`
- **Canonical:** `28-Nov-2025 - Evidence Bundle and Replay Contracts.md`
- **Sprint:** SPRINT_0161_0001_0001_evidencelocker.md (PRIMARY)
- **Related Sprints:**
- SPRINT_0187_0001_0001_evidence_locker_cli_integration.md (CLI)
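Review bot: the canonical filename changes from `29-Nov-2025 - Evidence Bundle and Replay Contracts.md` to `28-Nov-2025 - ...`, and the same one-character date rename is repeated for every advisory in the hunks that follow. That is only correct if the files under `docs/product-advisories/` were actually moved in this commit; the summary shows 14 changed files, which is fewer than the renamed entries, so confirm each `28-Nov-2025 - *.md` target exists before merge (for example `ls docs/product-advisories/ | grep '28-Nov'`) rather than leaving the index pointing at paths that differ from the real files only by date.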
@@ -117,9 +200,16 @@ These are the authoritative advisories to reference for implementation:
- `docs/modules/evidence-locker/attestation-contract.md` - DSSE contract
- `docs/modules/evidence-locker/replay-payload-contract.md` - Replay schema
- **Status:** Fills HIGH-priority gap - covers deterministic bundles, attestations, replay, incident mode
### Acceptance Tests Pack for Guardrails
- **Canonical:** `29-Nov-2025 - Acceptance Tests Pack for StellaOps Guardrails.md`
- **Sprint:** SPRINT_300_documentation_process.md (Docs Governance)
- **Related Docs:**
- `docs/product-advisories/29-Nov-2025 - Acceptance Tests Pack for StellaOps Guardrails.md` (itself)
- `docs/implplan/SPRINT_300_documentation_process.md` (tracking the sync)
- **Status:** Captures feed resiliency, SBOM validation, snapshot/replay rehearsals, reachability fallbacks, and pipeline swap guardrails for acceptance tests.
### Mirror & Offline Kit Strategy
- **Canonical:** `29-Nov-2025 - Mirror and Offline Kit Strategy.md`
- **Canonical:** `28-Nov-2025 - Mirror and Offline Kit Strategy.md`
- **Sprint:** SPRINT_0125_0001_0001 (Mirror Bundles)
- **Related Sprints:**
- SPRINT_0150_0001_0001 (DSSE/Time Anchors)
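Review bot: the Acceptance Tests Pack entry tags `SPRINT_300_documentation_process.md` as `(Docs Governance)` while the entries added at the top of the file tag the same sprint `(docs tracker)`; one label should be used throughout. The Related Docs line ending in `(itself)` repeats the Canonical line and adds nothing; either drop it or use the `(this briefing)` style that at least names the document kind. The Mirror & Offline Kit date rename in this hunk needs the same existence check as the Evidence Bundle rename above.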
@@ -132,7 +222,7 @@ These are the authoritative advisories to reference for implementation:
- **Status:** Fills HIGH-priority gap - covers thin bundles, DSSE/TUF signing, time anchoring
### Task Pack Orchestration & Automation
- **Canonical:** `29-Nov-2025 - Task Pack Orchestration and Automation.md`
- **Canonical:** `28-Nov-2025 - Task Pack Orchestration and Automation.md`
- **Sprint:** SPRINT_0157_0001_0001_taskrunner_i.md (PRIMARY)
- **Related Sprints:**
- SPRINT_0158_0001_0002_taskrunner_ii.md (Phase II)
@@ -144,7 +234,7 @@ These are the authoritative advisories to reference for implementation:
- **Status:** Fills HIGH-priority gap - covers pack DSL, approvals, evidence capture
### Authentication & Authorization Architecture
- **Canonical:** `29-Nov-2025 - Authentication and Authorization Architecture.md`
- **Canonical:** `28-Nov-2025 - Authentication and Authorization Architecture.md`
- **Sprint:** Multiple (see below)
- **Related Sprints:**
- SPRINT_100_identity_signing.md (CLOSED - historical)
@@ -158,7 +248,7 @@ These are the authoritative advisories to reference for implementation:
- **Status:** Fills HIGH-priority gap - consolidates token model, scopes, multi-tenant isolation
### CLI Developer Experience & Command UX
- **Canonical:** `29-Nov-2025 - CLI Developer Experience and Command UX.md`
- **Canonical:** `28-Nov-2025 - CLI Developer Experience and Command UX.md`
- **Sprint:** SPRINT_0201_0001_0001_cli_i.md (PRIMARY)
- **Related Sprints:**
- SPRINT_203_cli_iii.md
@@ -169,7 +259,7 @@ These are the authoritative advisories to reference for implementation:
- **Status:** Fills HIGH-priority gap - covers command surface, auth model, Buildx integration
### Orchestrator Event Model & Job Lifecycle
- **Canonical:** `29-Nov-2025 - Orchestrator Event Model and Job Lifecycle.md`
- **Canonical:** `28-Nov-2025 - Orchestrator Event Model and Job Lifecycle.md`
- **Sprint:** SPRINT_0151_0001_0001_orchestrator_i.md (PRIMARY)
- **Related Sprints:**
- SPRINT_152_orchestrator_ii.md
@@ -179,7 +269,7 @@ These are the authoritative advisories to reference for implementation:
- **Status:** Fills HIGH-priority gap - covers job lifecycle, quota governance, replay semantics
### Export Center & Reporting Strategy
- **Canonical:** `29-Nov-2025 - Export Center and Reporting Strategy.md`
- **Canonical:** `28-Nov-2025 - Export Center and Reporting Strategy.md`
- **Sprint:** SPRINT_0160_0001_0001_export_evidence.md (PRIMARY)
- **Related Sprints:**
- SPRINT_0161_0001_0001_evidencelocker.md
@@ -188,7 +278,7 @@ These are the authoritative advisories to reference for implementation:
- **Status:** Fills MEDIUM-priority gap - covers profile system, adapters, distribution channels
### Runtime Posture & Observation (Zastava)
- **Canonical:** `29-Nov-2025 - Runtime Posture and Observation with Zastava.md`
- **Canonical:** `28-Nov-2025 - Runtime Posture and Observation with Zastava.md`
- **Sprint:** SPRINT_0144_0001_0001_zastava_runtime_signals.md (PRIMARY)
- **Related Sprints:**
- SPRINT_0140_0001_0001_runtime_signals.md
@@ -198,7 +288,7 @@ These are the authoritative advisories to reference for implementation:
- **Status:** Fills MEDIUM-priority gap - covers runtime events, admission control, drift detection
### Notification Rules & Alerting Engine
- **Canonical:** `29-Nov-2025 - Notification Rules and Alerting Engine.md`
- **Canonical:** `28-Nov-2025 - Notification Rules and Alerting Engine.md`
- **Sprint:** SPRINT_0170_0001_0001_notify_engine.md (NEW)
- **Related Sprints:**
- SPRINT_0171_0001_0002_notify_connectors.md
@@ -208,7 +298,7 @@ These are the authoritative advisories to reference for implementation:
- **Status:** Fills MEDIUM-priority gap - covers rules engine, channels, noise control, ack tokens
### Graph Analytics & Dependency Insights
- **Canonical:** `29-Nov-2025 - Graph Analytics and Dependency Insights.md`
- **Canonical:** `28-Nov-2025 - Graph Analytics and Dependency Insights.md`
- **Sprint:** SPRINT_0141_0001_0001_graph_indexer.md (PRIMARY)
- **Related Sprints:**
- SPRINT_0401_0001_0001_reachability_evidence_chain.md
@@ -218,7 +308,7 @@ These are the authoritative advisories to reference for implementation:
- **Status:** Fills MEDIUM-priority gap - covers graph model, overlays, analytics, visualization
### Telemetry & Observability Patterns
- **Canonical:** `29-Nov-2025 - Telemetry and Observability Patterns.md`
- **Canonical:** `28-Nov-2025 - Telemetry and Observability Patterns.md`
- **Sprint:** SPRINT_0180_0001_0001_telemetry_core.md (NEW)
- **Related Sprints:**
- SPRINT_0181_0001_0002_telemetry_forensic.md
@@ -228,7 +318,7 @@ These are the authoritative advisories to reference for implementation:
- **Status:** Fills MEDIUM-priority gap - covers collector topology, forensic mode, offline bundles
### Policy Simulation & Shadow Gates
- **Canonical:** `29-Nov-2025 - Policy Simulation and Shadow Gates.md`
- **Canonical:** `28-Nov-2025 - Policy Simulation and Shadow Gates.md`
- **Sprint:** SPRINT_0185_0001_0001_policy_simulation.md (NEW)
- **Related Sprints:**
- SPRINT_0120_0000_0001_policy_reasoning.md
@@ -238,7 +328,7 @@ These are the authoritative advisories to reference for implementation:
- **Status:** Fills MEDIUM-priority gap - covers shadow runs, coverage fixtures, promotion gates
### Findings Ledger & Immutable Audit Trail
- **Canonical:** `29-Nov-2025 - Findings Ledger and Immutable Audit Trail.md`
- **Canonical:** `28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md`
- **Sprint:** SPRINT_0186_0001_0001_record_deterministic_execution.md (PRIMARY)
- **Related Sprints:**
- SPRINT_0120_0000_0001_policy_reasoning.md
@@ -248,7 +338,7 @@ These are the authoritative advisories to reference for implementation:
- **Status:** Fills MEDIUM-priority gap - covers append-only events, Merkle anchoring, projections
### Concelier Advisory Ingestion Model
- **Canonical:** `29-Nov-2025 - Concelier Advisory Ingestion Model.md`
- **Canonical:** `28-Nov-2025 - Concelier Advisory Ingestion Model.md`
- **Sprint:** SPRINT_0115_0001_0004_concelier_iv.md (PRIMARY)
- **Related Sprints:**
- SPRINT_0113_0001_0002_concelier_ii.md
@@ -372,6 +462,15 @@ For each topic, the implementer should read:
| Findings Ledger | `docs/modules/findings-ledger/openapi/` | `src/Findings/*/AGENTS.md` |
| Concelier | `docs/modules/concelier/architecture.md` | `src/Concelier/*/AGENTS.md` |
### Developer Onboarding Quick Start
- **Canonical:** `29-Nov-2025 - StellaOps Mid-Level .NET Onboarding (Quick Start).md`
- **Sprint:** SPRINT_300_documentation_process.md (Docs Governance)
- **Related Docs:**
- `docs/onboarding/dev-quickstart.md` (derived from this advisory)
- `docs/README.md` (new quickstart reference)
- `docs/modules/platform/architecture-overview.md` (platform dossier mention)
- **Status:** Documents deterministic onboarding for mid-level .NET engineers covering repos, determinism tests, DSSE/attestation patterns, and starter issues.
## Topical Gaps (Advisory Needed)
The following topics are mentioned in CLAUDE.md or module docs but lack dedicated product advisories:
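Review bot: the Developer Onboarding Quick Start entry is inserted after the implementer reading table (the `| Concelier | ... |` row) rather than with the other `###` advisory entries under the authoritative-advisories list, so it lands in the "For each topic, the implementer should read" section and will be missed by anyone scanning the advisory list. Move it up with the other entries. Also, `docs/onboarding/dev-quickstart.md` is described as derived from the advisory, so state which of the two is the source of truth for future edits.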
@@ -380,20 +479,20 @@ The following topics are mentioned in CLAUDE.md or module docs but lack dedicate
|-----|----------|--------|-------|
| ~~Regional Crypto (eIDAS/FIPS/GOST/SM)~~ | HIGH | **FILLED** | `28-Nov-2025 - Sovereign Crypto for Regional Compliance.md` |
| ~~Plugin Architecture Patterns~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Plugin Architecture & Extensibility Patterns.md` |
| ~~Evidence Bundle Packaging~~ | HIGH | **FILLED** | `29-Nov-2025 - Evidence Bundle and Replay Contracts.md` |
| ~~Mirror/Offline Kit Strategy~~ | HIGH | **FILLED** | `29-Nov-2025 - Mirror and Offline Kit Strategy.md` |
| ~~Task Pack Orchestration~~ | HIGH | **FILLED** | `29-Nov-2025 - Task Pack Orchestration and Automation.md` |
| ~~Auth/AuthZ Architecture~~ | HIGH | **FILLED** | `29-Nov-2025 - Authentication and Authorization Architecture.md` |
| ~~CLI Developer Experience~~ | HIGH | **FILLED** | `29-Nov-2025 - CLI Developer Experience and Command UX.md` |
| ~~Orchestrator Event Model~~ | HIGH | **FILLED** | `29-Nov-2025 - Orchestrator Event Model and Job Lifecycle.md` |
| ~~Export Center Strategy~~ | MEDIUM | **FILLED** | `29-Nov-2025 - Export Center and Reporting Strategy.md` |
| ~~Runtime Posture & Observation~~ | MEDIUM | **FILLED** | `29-Nov-2025 - Runtime Posture and Observation with Zastava.md` |
| ~~Notification Rules Engine~~ | MEDIUM | **FILLED** | `29-Nov-2025 - Notification Rules and Alerting Engine.md` |
| ~~Graph Analytics & Clustering~~ | MEDIUM | **FILLED** | `29-Nov-2025 - Graph Analytics and Dependency Insights.md` |
| ~~Telemetry & Observability~~ | MEDIUM | **FILLED** | `29-Nov-2025 - Telemetry and Observability Patterns.md` |
| ~~Policy Simulation & Shadow Gates~~ | MEDIUM | **FILLED** | `29-Nov-2025 - Policy Simulation and Shadow Gates.md` |
| ~~Findings Ledger & Audit Trail~~ | MEDIUM | **FILLED** | `29-Nov-2025 - Findings Ledger and Immutable Audit Trail.md` |
| ~~Concelier Advisory Ingestion~~ | MEDIUM | **FILLED** | `29-Nov-2025 - Concelier Advisory Ingestion Model.md` |
| ~~Evidence Bundle Packaging~~ | HIGH | **FILLED** | `28-Nov-2025 - Evidence Bundle and Replay Contracts.md` |
| ~~Mirror/Offline Kit Strategy~~ | HIGH | **FILLED** | `28-Nov-2025 - Mirror and Offline Kit Strategy.md` |
| ~~Task Pack Orchestration~~ | HIGH | **FILLED** | `28-Nov-2025 - Task Pack Orchestration and Automation.md` |
| ~~Auth/AuthZ Architecture~~ | HIGH | **FILLED** | `28-Nov-2025 - Authentication and Authorization Architecture.md` |
| ~~CLI Developer Experience~~ | HIGH | **FILLED** | `28-Nov-2025 - CLI Developer Experience and Command UX.md` |
| ~~Orchestrator Event Model~~ | HIGH | **FILLED** | `28-Nov-2025 - Orchestrator Event Model and Job Lifecycle.md` |
| ~~Export Center Strategy~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Export Center and Reporting Strategy.md` |
| ~~Runtime Posture & Observation~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Runtime Posture and Observation with Zastava.md` |
| ~~Notification Rules Engine~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Notification Rules and Alerting Engine.md` |
| ~~Graph Analytics & Clustering~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Graph Analytics and Dependency Insights.md` |
| ~~Telemetry & Observability~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Telemetry and Observability Patterns.md` |
| ~~Policy Simulation & Shadow Gates~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Policy Simulation and Shadow Gates.md` |
| ~~Findings Ledger & Audit Trail~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Findings Ledger and Immutable Audit Trail.md` |
| ~~Concelier Advisory Ingestion~~ | MEDIUM | **FILLED** | `28-Nov-2025 - Concelier Advisory Ingestion Model.md` |
| **CycloneDX 1.6 .NET Integration** | LOW | Open | Deep Architecture covers generically; expand with .NET-specific guidance |
## Known Issues (Non-Blocking)
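Review bot: fourteen table rows change only the date prefix from 29-Nov to 28-Nov, and each must match the Canonical line for the same topic earlier in the file. The two are edited by hand independently, which is exactly how they drifted in the first place; consider generating the filename column from the Canonical entries, or adding a docs CI check that asserts every `FILLED` row's filename exists under `docs/product-advisories/`, so the next rename cannot leave them inconsistent.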
@@ -409,4 +508,4 @@ Several filenames use en-dash (U+2011) instead of regular hyphen (-). This may c
---
*Index created: 2025-11-27*
*Last updated: 2025-11-29 (added 10 new advisories filling all identified gaps)*
*Last updated: 2025-11-30 (added Implementor Guidelines, UI micro-interactions brief, Rekor receipt checklist, Ecosystem test cases, Unknowns decay/triage heuristics, Standup Sprint Kickstarters, Comparative Evidence Patterns, and prior references)*
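Review bot: the replacement Last updated line names seven additions but omits the CVSS v4.0 Momentum Briefing, SCA Failure Catalogue, SBOM to VEX Proof Blueprint, Reachability Benchmark Fixtures, Acceptance Tests Pack and Developer Onboarding Quick Start entries added in the same commit, and "prior references" does not tell a reader what changed; listing the date renames explicitly would help. Replacing the previous line also discards the 2025-11-29 history entry; append a new line instead. Separately, the Known Issues context above calls U+2011 an en-dash: U+2011 is NON-BREAKING HYPHEN and EN DASH is U+2013, so the note should name the code point the filenames actually contain before anyone writes a normalisation rule against it.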