Add tests and implement timeline ingestion options with NATS and Redis subscribers
- Introduced `BinaryReachabilityLifterTests` to validate binary lifting functionality.
- Created `PackRunWorkerOptions` for configuring worker paths and execution persistence.
- Added `TimelineIngestionOptions` for configuring NATS and Redis ingestion transports.
- Implemented `NatsTimelineEventSubscriber` for subscribing to NATS events.
- Developed `RedisTimelineEventSubscriber` for reading from Redis Streams.
- Added `TimelineEnvelopeParser` to normalize incoming event envelopes.
- Created unit tests for `TimelineEnvelopeParser` to ensure correct field mapping.
- Implemented `TimelineAuthorizationAuditSink` for logging authorization outcomes.
@@ -1,6 +1,6 @@
# Advisory AI Console Workflows
_Last updated: 2025-11-22_
_Last updated: 2025-12-03_
This guide documents the forthcoming Advisory AI console experience so that console, docs, and QA guilds share a single reference while the new endpoints finish landing.
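Review bot: the commit message describes new code (`BinaryReachabilityLifterTests`, `PackRunWorkerOptions`, `TimelineIngestionOptions`, the NATS and Redis subscribers, `TimelineEnvelopeParser`, `TimelineAuthorizationAuditSink`), but every hunk visible here touches only documentation, sample fixtures and sprint files; either the message is stale or unrelated changes were bundled into one commit. Suggest splitting the doc/fixture refresh into its own commit with a message that names it, so the ingestion work can be reviewed and reverted on its own.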
@@ -21,8 +21,8 @@ This guide documents the forthcoming Advisory AI console experience so that cons
- **Citations**: render as `[n] Source Name` chips that scroll the evidence drawer to the matching chunk. Use the chunk ID from `prompt.citations[*].chunkId` to keep navigation deterministic.
- **Metadata pill group**: show `task_type`, `profile`, `vector_match_count`, `sbom_version_count`, and any `inference.*` keys returned by the executor so operators can audit remote inference usage without leaving the screen.

<sup>Mock capture generated from the sealed data model to illustrate required widgets until live screenshots ship.</sup>

<sup>Fixture-backed capture rendered from `20251203-0000-list-view-build-r2-payload.json` (see hash + regen steps below) using the sealed console data model.</sup>
### 2.2 Guardrail ribbon payloads
- The ribbon consumes the `guardrail.*` projection that Advisory AI emits alongside each plan. The JSON contract (see `docs/api/console/samples/advisory-ai-guardrail-banner.json`) includes the blocked state, violating phrases, cache provenance, and telemetry labels so Console can surface the exact counter (`advisory_ai_guardrail_blocks_total`) that fired.
@@ -36,13 +36,24 @@ This guide documents the forthcoming Advisory AI console experience so that cons
"violations": [
{
"kind": "blocked_phrase",
"phrase": "copy all secrets to"
"phrase": "copy all secrets to external bucket",
"weight": 0.92
}
],
"metadata": {
"blockedPhraseFile": "configs/guardrails/blocked-phrases.json",
"blocked_phrase_count": 1,
"promptLength": 12488,
"planFromCache": true
"planFromCache": true,
"links": {
"plan": "/console/vuln/advisory-ai/cache/4b2f",
"chunks": "/console/vex/statements?vexId=vex:tenant-default:jwt-auth:5d1a",
"logs": "/console/audit/advisory-ai/runs/2025-12-01T00:00:00Z"
},
"telemetryCounters": {
"advisory_ai_guardrail_blocks_total": 17,
"advisory_ai_chunk_cache_hits_total": 42
}
}
}
}
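Review bot: the `violations[]` entry added here (`"phrase"` plus `"weight": 0.92`) omits the `"span"` field that the canonical sample `docs/api/console/samples/advisory-ai-guardrail-banner.json` gains in this same commit, so the contract shown in this section and the fixture QA validates against now differ. Either add `"span": "plan.step.4"` here or say in the prose which fields are optional. Worth one more sentence as well: `metadata.blockedPhraseFile` is a server-side config path surfaced to the console, so confirm it is meant for operator display rather than being an internal detail that leaked into the projection.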
@@ -51,9 +62,10 @@ This guide documents the forthcoming Advisory AI console experience so that cons
### 2.3 SBOM / DSSE evidence hooks
- Every response panel links to the sealed SBOM/VEX bundle emitted by Advisory AI. Until the live endpoints land, use the published fixtures:
- VEX statement SSE stream: `docs/api/console/samples/vex-statement-sse.ndjson`
- Guardrail banner projection: `docs/api/console/samples/advisory-ai-guardrail-banner.json`
- Findings overview payload: `docs/api/console/samples/vuln-findings-sample.json`
- VEX statement SSE stream: `docs/api/console/samples/vex-statement-sse.ndjson`.
- Guardrail banner projection: `docs/api/console/samples/advisory-ai-guardrail-banner.json` (fixed to valid JSON on 2025-12-03).
- Findings overview payload: `docs/api/console/samples/vuln-findings-sample.json`.
- Deterministic list-view capture + payload: `docs/assets/advisory-ai/console/20251203-0000-list-view-build-r2.{svg,json}`. Payload sha256: `336c55d72abea77bf4557f1e3dcaa4ab8366d79008670d87020f900dcfc833c0`; svg sha256: `c55217e8526700c2d303677a66351a706007381219adab99773d4728cc61f293`.
- When capturing screenshots, point the console to a dev workspace seeded with the above fixtures and record the build hash displayed in the footer to keep captures reproducible.
- Store captures under `docs/assets/advisory-ai/console/` using the scheme `yyyyMMdd-HHmmss-<view>-<build>.png` (UTC clock) so regeneration is deterministic. Keep the original JSON alongside each screenshot by saving the response as `…-payload.json` in the same folder.
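Review bot: the new capture name `20251203-0000-list-view-build-r2.{svg,json}` does not follow the scheme stated two bullets later (`yyyyMMdd-HHmmss-<view>-<build>.png`): it carries a four-digit time, a `build-r2` label instead of the footer build hash, and an `.svg` extension. Either widen the scheme text to allow `.svg` and a fixture build label, or rename the files. The two sha256 values are also recorded with no way to check them; a `sha256sum -c` line (or having the regen script emit a `.sha256` file next to each artefact) would make the determinism claim verifiable on CI.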
@@ -71,7 +83,7 @@ This guide documents the forthcoming Advisory AI console experience so that cons
- Surface `inference.model_id`, prompt/completion token counts, and latency histogram from `advisory_ai_latency_seconds_bucket` next to the response so ops can correlate user impact with remote/local mode toggles (`ADVISORYAI__Inference__Mode`).

<sup>Mock capture showing plan inspector vs response panel; replace with live console screenshot once CONSOLE-VULN-29-001 lands.</sup>
<sup>Existing mock for evidence drawer; keep until live console screenshot is captured. Pair with the new list-view fixture for deterministic demos.</sup>
## 4. Copy-as-ticket guidance
1. Operators select one or more VEX-backed findings.
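Review bot: the replacement caption drops the trigger the old caption carried (replace once CONSOLE-VULN-29-001 lands), while section 5 still names that ticket as the condition for swapping to live screenshots. Keep the ticket reference in the caption so the placeholder is not orphaned when the ticket closes.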
@@ -106,11 +118,11 @@ This guide documents the forthcoming Advisory AI console experience so that cons
- **Console wiring** – the guardrail ribbon pulls `guardrail.blocked`, `guardrail.violations`, and `guardrail.metadata.blocked_phrase_count` while the observability cards track `advisory_ai_chunk_requests_total`, `advisory_ai_chunk_cache_hits_total`, and `advisory_ai_guardrail_blocks_total` (now emitted even on cache hits). Use these meters to explain throttling or bad actors before granting additional guardrail budgets, and keep `docs/api/console/samples/advisory-ai-guardrail-banner.json` nearby so QA can validate localized payloads without hitting production data.
## 5. Publication state
- [x] Fixture-backed payloads and two reference captures committed (`list-view-4a6f8c1.svg`, `evidence-drawer-b1820ad.svg`).
- [x] Fixture-backed payloads and captures committed (`20251203-0000-list-view-build-r2.svg`, `evidence-drawer-b1820ad.svg`).
- [x] Copy-as-ticket flow documented; payload aligns with existing SOC runbooks.
- [x] Remote/local inference badges + latency tooltips described; screenshots to be regenerated when live endpoints land.
- [x] SBOM/VEX bundle example attached (Evidence Bundle v1 sample).
- [ ] Optional refresh: swap fixture captures for live console screenshots once CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 and SBOM-AIAI-31-003 are available; record build hash and payload JSON alongside updated images.
- [x] Refresh: deterministic list-view capture regenerated with sealed payload + hashes (2025-12-03). Swap to live console screenshots when CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 ship; keep payload + hash alongside updated images.
### Publication readiness checklist (DOCS-AIAI-31-004)
- Inputs available now: console fixtures (`docs/samples/console/console-vuln-29-001.json`, `console-vex-30-001.json`), evidence bundle sample (`docs/samples/evidence-bundle/evidence-bundle-v1.tar.gz`), guardrail ribbon contract.
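Review bot: the refreshed item is ticked (`[x]`) even though its text still carries an open action (swap to live console screenshots when CONSOLE-VULN-29-001 / CONSOLE-VEX-30-001 ship). Split it: keep the 2025-12-03 regeneration as done and leave the live-screenshot swap as an unchecked item so the publication state stays honest. SBOM-AIAI-31-003 was also dropped from the blocking list in the same line without a reason being given.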
@@ -122,7 +134,73 @@ This guide documents the forthcoming Advisory AI console experience so that cons
### Guardrail console fixtures (unchecked-integration)
- Vulnerability search sample: `docs/samples/console/console-vuln-29-001.json` (maps to CONSOLE-VULN-29-001).
- VEX search sample: `docs/samples/console/console-vex-30-001.json` (maps to CONSOLE-VEX-30-001).
- Use these until live endpoints are exposed; replace with real captures when staging is available.
- VEX search sample: `docs/samples/console/console-vex-30-001.json` (maps to CONSOLE-VEX-30-001).
- Use these until live endpoints are exposed; replace with real captures when staging is available.
**Reference**: API contracts and sample payloads live in `docs/api/console/workspaces.md` (see `/console/vuln/*` and `/console/vex/*` sections) plus the JSON fixtures under `docs/api/console/samples/`.
### Fixture bundle regeneration (deterministic)
- Rebuild the fixture capture deterministically from the sealed payload:
```bash
python - <<'PY'
import html, json
from pathlib import Path
root = Path('docs/assets/advisory-ai/console')
payload = json.loads((root/'20251203-0000-list-view-build-r2-payload.json').read_text())
guard = payload['guardrail']; metrics = payload['metrics']; items = payload['findings']
def color_sev(sev):
return {'critical':'#b3261e','high':'#d05c00','medium':'#c38f00','low':'#00695c'}.get(sev.lower(), '#0f172a')
def color_policy(val):
return {'fail':'#b3261e','warn':'#d97706','pass':'#0f5b3a'}.get(val.lower(), '#0f172a')
rows = []
for idx, item in enumerate(items):
y = 210 + idx * 120
rows.append(f"""
<g transform=\"translate(32,{y})\">
<rect width=\"888\" height=\"104\" rx=\"10\" fill=\"#ffffff\" stroke=\"#e2e8f0\" />
<text x=\"20\" y=\"30\" class=\"title\">{html.escape(item['summary'])}</text>
<text x=\"20\" y=\"52\" class=\"mono subtle\">{html.escape(item['package'])} · {html.escape(item['component'])} · {html.escape(item['image'])}</text>
<text x=\"20\" y=\"72\" class=\"mono subtle\">reachability={html.escape(str(item.get('reachability')))} · vex={html.escape(str(item.get('vexState')))} · lastSeen={html.escape(str(item.get('lastSeen')))}</text>
<text x=\"20\" y=\"92\" class=\"mono faint\">sbom={html.escape(str(item.get('sbomDigest')))}</text>
<rect x=\"748\" y=\"14\" width=\"120\" height=\"28\" rx=\"6\" ry=\"6\" fill=\"{color_sev(item['severity'])}\" opacity=\"0.12\" />
<text x=\"758\" y=\"33\" class=\"mono\" fill=\"{color_sev(item['severity'])}\">sev:{html.escape(item['severity'])}</text>
<rect x=\"732\" y=\"50\" width=\"140\" height=\"28\" rx=\"6\" ry=\"6\" fill=\"{color_policy(item.get('policyBadge',''))}\" opacity=\"0.12\" />
<text x=\"742\" y=\"69\" class=\"mono\" fill=\"{color_policy(item.get('policyBadge',''))}\">policy:{html.escape(item.get('policyBadge',''))}</text>
</g>
""")
rows_svg = "\n".join(rows)
banner = '#b3261e' if guard.get('blocked') else '#0f5b3a'
svg = f"""<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"1280\" height=\"720\" viewBox=\"0 0 1280 720\">
<style>
.title {{ font-family: Inter, Arial, sans-serif; font-size: 18px; font-weight: 700; fill: #0f172a; }}
.mono {{ font-family: Menlo, monospace; font-size: 13px; fill: #0f172a; }}
.mono.subtle {{ fill: #475569; }}
.mono.faint {{ fill: #94a3b8; font-size: 12px; }}
</style>
<rect width=\"1280\" height=\"720\" fill=\"#f8fafc\" />
<rect x=\"32\" y=\"32\" width=\"1216\" height=\"72\" rx=\"12\" fill=\"#0f172a\" opacity=\"0.05\" />
<text x=\"48\" y=\"76\" class=\"title\">Advisory AI · Console fixture</text>
<text x=\"48\" y=\"104\" class=\"mono\" fill=\"#475569\">build={html.escape(payload['build'])} · generated={html.escape(payload['generatedAtUtc'])} · workspace={html.escape(payload['workspace'])} · profile={html.escape(payload['profile'])} · cacheHit={str(metrics.get('cacheHit', False)).lower()}</text>
<rect x=\"32\" y=\"120\" width=\"1216\" height=\"72\" rx=\"12\" fill=\"#fff1f0\" stroke=\"#f87171\" stroke-width=\"1\" />
<text x=\"48\" y=\"156\" class=\"title\" fill=\"{banner}\">Guardrail: {html.escape(guard.get('state','unknown'))}</text>
<text x=\"48\" y=\"176\" class=\"mono\" fill=\"#0f172a\">{html.escape(guard['metadata'].get('blockedPhraseFile',''))} · violations={len(guard.get('violations',[]))} · promptLength={guard['metadata'].get('promptLength')}</text>
<rect x=\"1080\" y=\"138\" width=\"96\" height=\"28\" rx=\"6\" ry=\"6\" fill=\"{banner}\" opacity=\"0.12\" />
<text x=\"1090\" y=\"157\" class=\"mono\" fill=\"{banner}\">blocked</text>
<rect x=\"944\" y=\"210\" width=\"304\" height=\"428\" rx=\"12\" fill=\"#0f172a\" opacity=\"0.04\" />
<text x=\"964\" y=\"244\" class=\"title\">Runtime metrics</text>
<text x=\"964\" y=\"272\" class=\"mono\">p50 latency: {metrics.get('latencyMsP50') or 'n/a'} ms</text>
<text x=\"964\" y=\"292\" class=\"mono\">p95 latency: {metrics.get('latencyMsP95') or 'n/a'} ms</text>
<text x=\"964\" y=\"312\" class=\"mono\">SBOM ctx: {html.escape(payload.get('sbomContextDigest',''))}</text>
<text x=\"964\" y=\"332\" class=\"mono\">Guardrail blocks: {guard['metadata']['telemetryCounters'].get('advisory_ai_guardrail_blocks_total')}</text>
<text x=\"964\" y=\"352\" class=\"mono\">Chunk cache hits: {guard['metadata']['telemetryCounters'].get('advisory_ai_chunk_cache_hits_total')}</text>
{rows_svg}
</svg>"""
(root/'20251203-0000-list-view-build-r2.svg').write_text(svg)
PY
```
**Reference**: API contracts and sample payloads live in `docs/api/console/workspaces.md` (see `/console/vuln/*` and `/console/vex/*` sections) plus the JSON fixtures under `docs/api/console/samples/`.
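Review bot: the regeneration script is labelled deterministic, but `(root/'…r2.svg').write_text(svg)` uses the platform default encoding and newline translation, so the same payload yields a different sha256 on Windows (CRLF) or under a non-UTF-8 locale; use `write_text(svg, encoding='utf-8', newline='\n')` (Python 3.10+) or `write_bytes(svg.encode('utf-8'))`. Two smaller points: `metrics.get('latencyMsP50') or 'n/a'` renders a legitimate 0 ms as `n/a`, and the ribbon fill/stroke (`#fff1f0` / `#f87171`) and the `blocked` pill label are hardcoded, so an unblocked payload still renders a red "blocked" ribbon even though `banner` is derived from `guard.get('blocked')`.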
@@ -1,8 +1,29 @@
{
guardrail: {
blocked: true,
state: blocked_phrases,
violations: [
"guardrail": {
"blocked": true,
"state": "blocked_phrases",
"violations": [
{
kind: blocked_phrase,
phrase: copy
"kind": "blocked_phrase",
"phrase": "copy all secrets to external bucket",
"weight": 0.92,
"span": "plan.step.4"
}
],
"metadata": {
"blockedPhraseFile": "configs/guardrails/blocked-phrases.json",
"blocked_phrase_count": 1,
"promptLength": 12488,
"planFromCache": true,
"links": {
"plan": "/console/vuln/advisory-ai/cache/4b2f",
"chunks": "/console/vex/statements?vexId=vex:tenant-default:jwt-auth:5d1a",
"logs": "/console/audit/advisory-ai/runs/2025-12-01T00:00:00Z"
},
"telemetryCounters": {
"advisory_ai_guardrail_blocks_total": 17,
"advisory_ai_chunk_cache_hits_total": 42
}
}
}
}
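Review bot: this sample was invalid JSON before the change (unquoted keys, a truncated `phrase`, missing commas), and nothing added here stops it regressing; add a CI step that parses every file under `docs/api/console/samples/` (`python -m json.tool` is enough) so QA never validates against a fixture that cannot be deserialised. The new `"span": "plan.step.4"` field is also undocumented: the section 2.2 contract in the workflows doc does not list it, so say there what it points at and whether it is required.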
@@ -0,0 +1,122 @@
{
"build": "console-fixture-r2",
"generatedAtUtc": "2025-12-03T00:00:00Z",
"workspace": "tenant-default",
"profile": "standard",
"sbomContextDigest": "sha256:6c81f2bbd8bd7336f197f3f68fba2f76d7287dd1a5e2a0f0e9f14f23f3c2f917",
"findings": [
{
"findingId": "tenant-default:advisory-ai:sha256:5d1a",
"advisoryId": "CVE-2024-12345",
"package": "pkg:npm/jsonwebtoken@9.0.2",
"component": "jwt-auth-service",
"image": "registry.local/ops/auth:2025.10.0",
"summary": "jsonwebtoken <10.0.0 allows algorithm downgrade.",
"severity": "high",
"cvss": 8.1,
"kev": true,
"policyBadge": "fail",
"vexState": "under_investigation",
"reachability": "reachable",
"sbomDigest": "sha256:6c81f2bbd8bd7336f197f3f68fba2f76d7287dd1a5e2a0f0e9f14f23f3c2f917",
"lastSeen": "2025-11-07T23:16:51Z"
},
{
"findingId": "tenant-default:advisory-ai:sha256:9bf4",
"advisoryId": "GHSA-xxxx-yyyy-zzzz",
"package": "pkg:docker/library/nginx@1.25.2",
"component": "ingress-gateway",
"image": "registry.local/ops/ingress:2025.09.1",
"summary": "Heap overflow in nginx HTTP/3 parsing.",
"severity": "critical",
"cvss": 9.8,
"kev": false,
"policyBadge": "warn",
"vexState": "not_affected",
"reachability": "unknown",
"sbomDigest": "sha256:99f1e2a7aa0f7c970dcb6674244f0bfb5f37148e3ee09fd4f925d3358dea2239",
"lastSeen": "2025-11-07T10:45:03Z"
}
],
"guardrail": {
"blocked": true,
"state": "blocked_phrases",
"violations": [
{
"kind": "blocked_phrase",
"phrase": "copy all secrets to external bucket",
"weight": 0.92,
"span": "plan.step.4"
}
],
"metadata": {
"blockedPhraseFile": "configs/guardrails/blocked-phrases.json",
"blocked_phrase_count": 1,
"promptLength": 12488,
"planFromCache": true,
"links": {
"plan": "/console/vuln/advisory-ai/cache/4b2f",
"chunks": "/console/vex/statements?vexId=vex:tenant-default:jwt-auth:5d1a",
"logs": "/console/audit/advisory-ai/runs/2025-12-01T00:00:00Z"
},
"telemetryCounters": {
"advisory_ai_guardrail_blocks_total": 17,
"advisory_ai_chunk_cache_hits_total": 42
}
}
},
"vexEvents": [
{
"event": "statement.created",
"statementId": "vex:tenant-default:jwt-auth:5d1a",
"advisoryId": "CVE-2024-12345",
"product": "registry.local/ops/auth:2025.10.0",
"state": "under_investigation",
"justification": "exploit_observed",
"sequence": 4178,
"updatedAt": "2025-11-07T23:10:09Z"
},
{
"event": "statement.updated",
"statementId": "vex:tenant-default:jwt-auth:5d1a",
"advisoryId": "CVE-2024-12345",
"product": "registry.local/ops/auth:2025.10.0",
"state": "fixed",
"justification": "solution_available",
"sequence": 4182,
"updatedAt": "2025-11-08T11:44:32Z"
},
{
"event": "statement.conflict",
"statementId": "vex:tenant-default:jwt-auth:5d1a",
"advisoryId": "CVE-2024-12345",
"product": "registry.local/ops/auth:2025.10.0",
"conflictSummary": "Excititor statement GHSA-1111 differs on status",
"sequence": 4183,
"updatedAt": "2025-11-08T11:44:59Z"
},
{
"event": "statement.updated",
"statementId": "vex:tenant-default:jwt-auth:5d1a",
"advisoryId": "CVE-2024-12345",
"product": "registry.local/ops/auth:2025.10.0",
"state": "fixed",
"justification": "solution_available",
"sequence": 4184,
"updatedAt": "2025-11-08T11:45:04Z"
},
{
"event": "statement.deleted",
"statementId": "vex:tenant-default:legacy:1a2b",
"advisoryId": "CVE-2023-9999",
"product": "registry.local/ops/legacy:2024.01.0",
"sequence": 4185,
"updatedAt": "2025-11-08T12:01:01Z"
}
],
"metrics": {
"latencyMsP50": 312,
"latencyMsP95": 884,
"cacheHit": true
}
}
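Review bot: the `guardrail` block in this payload is a verbatim copy of `advisory-ai-guardrail-banner.json`, and two copies will drift (the section 2.2 snippet in the workflows doc already lacks `span`); have the regen script read the guardrail block from the canonical sample, or add a test asserting the two are equal. In `vexEvents`, the `statement.updated` at sequence 4184 repeats 4182 field for field and the `statement.conflict` at 4183 carries no `state`; if that is meant to show a statement being re-asserted after a conflict, say so in the docs that consume this fixture, otherwise it reads like a copy-paste.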
@@ -0,0 +1,46 @@
<svg xmlns="http://www.w3.org/2000/svg" width="1280" height="720" viewBox="0 0 1280 720">
<style>
.title { font-family: Inter, Arial, sans-serif; font-size: 18px; font-weight: 700; fill: #0f172a; }
.mono { font-family: Menlo, monospace; font-size: 13px; fill: #0f172a; }
.mono.subtle { fill: #475569; }
.mono.faint { fill: #94a3b8; font-size: 12px; }
</style>
<rect width="1280" height="720" fill="#f8fafc" />
<rect x="32" y="32" width="1216" height="72" rx="12" fill="#0f172a" opacity="0.05" />
<text x="48" y="76" class="title">Advisory AI · Console fixture</text>
<text x="48" y="104" class="mono" fill="#475569">build=console-fixture-r2 · generated=2025-12-03T00:00:00Z · workspace=tenant-default · profile=standard · cacheHit=true</text>
<rect x="32" y="120" width="1216" height="72" rx="12" fill="#fff1f0" stroke="#f87171" stroke-width="1" />
<text x="48" y="156" class="title" fill="#b3261e">Guardrail: blocked_phrases</text>
<text x="48" y="176" class="mono" fill="#0f172a">configs/guardrails/blocked-phrases.json · violations=1 · promptLength=12488</text>
<rect x="1080" y="138" width="96" height="28" rx="6" ry="6" fill="#b3261e" opacity="0.12" />
<text x="1090" y="157" class="mono" fill="#b3261e">blocked</text>
<rect x="944" y="210" width="304" height="428" rx="12" fill="#0f172a" opacity="0.04" />
<text x="964" y="244" class="title">Runtime metrics</text>
<text x="964" y="272" class="mono">p50 latency: 312 ms</text>
<text x="964" y="292" class="mono">p95 latency: 884 ms</text>
<text x="964" y="312" class="mono">SBOM ctx: sha256:6c81f2bbd8bd7336f197f3f68fba2f76d7287dd1a5e2a0f0e9f14f23f3c2f917</text>
<text x="964" y="332" class="mono">Guardrail blocks: 17</text>
<text x="964" y="352" class="mono">Chunk cache hits: 42</text>
<g transform="translate(32,210)">
<rect width="888" height="104" rx="10" fill="#ffffff" stroke="#e2e8f0" />
<text x="20" y="30" class="title">jsonwebtoken <10.0.0 allows algorithm downgrade.</text>
<text x="20" y="52" class="mono subtle">pkg:npm/jsonwebtoken@9.0.2 · jwt-auth-service · registry.local/ops/auth:2025.10.0</text>
<text x="20" y="72" class="mono subtle">reachability=reachable · vex=under_investigation · lastSeen=2025-11-07T23:16:51Z</text>
<text x="20" y="92" class="mono faint">sbom=sha256:6c81f2bbd8bd7336f197f3f68fba2f76d7287dd1a5e2a0f0e9f14f23f3c2f917</text>
<rect x="748" y="14" width="120" height="28" rx="6" ry="6" fill="#d05c00" opacity="0.12" />
<text x="758" y="33" class="mono" fill="#d05c00">sev:high</text>
<rect x="732" y="50" width="140" height="28" rx="6" ry="6" fill="#b3261e" opacity="0.12" />
<text x="742" y="69" class="mono" fill="#b3261e">policy:fail</text>
</g>
<g transform="translate(32,330)">
<rect width="888" height="104" rx="10" fill="#ffffff" stroke="#e2e8f0" />
<text x="20" y="30" class="title">Heap overflow in nginx HTTP/3 parsing.</text>
<text x="20" y="52" class="mono subtle">pkg:docker/library/nginx@1.25.2 · ingress-gateway · registry.local/ops/ingress:2025.09.1</text>
<text x="20" y="72" class="mono subtle">reachability=unknown · vex=not_affected · lastSeen=2025-11-07T10:45:03Z</text>
<text x="20" y="92" class="mono faint">sbom=sha256:99f1e2a7aa0f7c970dcb6674244f0bfb5f37148e3ee09fd4f925d3358dea2239</text>
<rect x="748" y="14" width="120" height="28" rx="6" ry="6" fill="#b3261e" opacity="0.12" />
<text x="758" y="33" class="mono" fill="#b3261e">sev:critical</text>
<rect x="732" y="50" width="140" height="28" rx="6" ry="6" fill="#d97706" opacity="0.12" />
<text x="742" y="69" class="mono" fill="#d97706">policy:warn</text>
</g>
</svg>
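Review bot: the title text of the first finding card reads `jsonwebtoken <10.0.0 allows algorithm downgrade.` with a raw `<`; if the committed file really contains that byte sequence it is not well-formed XML, and since the regen script escapes the summary (`html.escape` would emit `&lt;10.0.0`), this SVG cannot be the script's output and the svg sha256 recorded in the workflows doc was not taken from a script run. Regenerate the SVG from the script, commit that output, re-record the hash, and add a CI step that runs the script and diffs its result against the committed file so the "deterministic" label is actually enforced.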
@@ -231,7 +231,7 @@ See:
2. Implement schema migrations
3. Implement repository interfaces
4. Add configuration switch
5. Enable dual-write (if Tier A)
5. (Retired) Dual-write was used during migration for Tier A; all modules are now Postgres-only.
6. Run verification tests
7. Switch to PostgreSQL-only
8. Archive MongoDB data
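Review bot: step 5 is now a retired historical note while steps 7 (`Switch to PostgreSQL-only`) and 8 (`Archive MongoDB data`) still read as pending actions in the same numbered procedure, even though the note says all modules are already Postgres-only. Either mark 7 and 8 as completed in the same style, or move the retirement note out of the step list and leave the numbered procedure as the historical record.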
@@ -293,7 +293,7 @@ Each phase has independent rollback capability:
| Level | Action | Recovery Time |
|-------|--------|---------------|
| Configuration | Change `Persistence:<Module>` to `Mongo` | Minutes |
| Data | MongoDB data retained during dual-write | None needed |
| Data | MongoDB data retained during dual-write | None needed (historical note; dual-write ended after cutover) |
| Code | Git revert (PostgreSQL code isolated) | Hours |
---
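Review bot: with dual-write retired, the Data row's `None needed` no longer describes a real rollback path: MongoDB stopped receiving writes at cutover, so reverting to it means losing everything written since unless a backup/restore procedure exists. State the current data-level recovery mechanism (PostgreSQL backup or point-in-time recovery) and its recovery time, and revisit the Configuration row above it, since flipping `Persistence:<Module>` back to `Mongo` is not a valid rollback once the Mongo copy is stale.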
@@ -902,7 +902,7 @@ public class RollbackVerificationTests
### Post-Switch Checklist
- [ ] No dual-write inconsistencies for 7 days
- [x] Dual-write window closed; no inconsistencies observed (retired post-cutover)
- [ ] Read comparison sampling shows 100% match
- [ ] Performance within acceptable range
- [ ] No data integrity alerts
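Review bot: the ticked item asserts `no inconsistencies observed` without pointing at the comparison run that showed it; link the report or the log query so the claim is auditable. The remaining items (read comparison at 100% match, performance, integrity alerts) are still unchecked, so this checklist does not yet back the Postgres-only status the retired migration step now asserts.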
@@ -10,6 +10,11 @@
- Upstream artefacts required: `CONSOLE-VULN-29-001`, `CONSOLE-VEX-30-001`, `EXCITITOR-CONSOLE-23-001`, `SBOM-AIAI-31-001`, `CLI-VULN-29-001`, `CLI-VEX-30-001`, `DEVOPS-AIAI-31-001`.
- Concurrency: block publishing on missing CLI/Policy/SBOM deliverables; drafting allowed where noted.
## Wave Coordination
- **Wave A (drafting):** Task 3 DONE (AIAI-RAG-31-003); drafting for tasks 1/5 allowed but must stay unpublished.
- **Wave B (publish docs):** Tasks 1 and 5 BLOCKED until CLI/Policy/SBOM artefacts arrive; publish only after all upstreams land.
- **Wave C (packaging):** Task 2 moved to Ops sprint; no work here. Wave B completes sprint once unblocked.
## Documentation Prerequisites
- docs/README.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
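Review bot: Wave C says Task 2 was "moved to Ops sprint" but does not name the sprint, and moving a task out of this file is a status change that the execution log should record (the last log entry for packaging, 2025-11-22, has it BLOCKED pending SBOM feeds and CLI/Policy digests). Add the target sprint id here and a matching log row so the task cannot fall between the two files.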
@@ -34,6 +39,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-03 | Added Wave Coordination (A drafting done; B publish blocked on upstream artefacts; C packaging moved to ops sprint). No status changes. | Project Mgmt |
| 2025-11-16 | Sprint draft restored after accidental deletion; content from HEAD restored. | Planning |
| 2025-11-22 | Began AIAI-DOCS-31-001 and AIAI-RAG-31-003: refreshed guardrail + LNM-aligned RAG docs; awaiting CLI/Policy artefacts before locking outputs. | Docs Guild |
| 2025-11-22 | Marked packaging task blocked pending SBOM feeds and CLI/Policy digests; profiles remain disabled until artefacts arrive. | Release |
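Review bot: the new row is prepended while the existing rows run in ascending date order (2025-11-16, 2025-11-22, 2025-11-22), so the log is now unordered; pick one direction for the table. The row also says `No status changes`, yet the Wave Coordination section added in the same hunk set marks Task 3 (AIAI-RAG-31-003) DONE while the last log entry for that task (2025-11-22) has it begun and awaiting CLI/Policy artefacts; add the completion entry or correct the wave status.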
@@ -11,6 +11,12 @@
- Policy enrichment chain (POLICY-20-002/003, POLICY-23-001/002) builds sequentially; events rely on prior indexes/cursors.
- Risk signals (RISK-66…69) and tenant-aware linking hinge on upstream Link-Not-Merge data and AUTH/AOC scoping.
## Wave Coordination
- **Wave A (prep + policy/risk foundations):** Prep tasks P1–P3 and policy chain 1–4 completed; risks 5–7,9 delivered. Keep artifacts frozen for downstream consumers.
- **Wave B (tenant/backfill/readiness):** Tasks 11 (STORE-AOC-19-005-DEV) and 12 (TEN-48-001) gate air-gap/backfill; 12 is DONE, 11 remains BLOCKED pending rehearsal dataset + rollback.
- **Wave C (signals/VEX Lens):** Tasks 8 (POLICY-RISK-68-001 dependency), 10 (signals), 13 (VEXLENS-30-001) remain BLOCKED on upstream contracts (POLICY-RISK-68-001, SIGNALS-24-002, VEXLENS-30-005). Do not start until contracts and fixtures land.
- Waves stay serialized A → B → C to avoid contract drift; no new DOING items until blockers clear.
## Documentation Prerequisites
- docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
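Review bot: the Wave A summary lists prep P1–P3, policy chain 1–4 and risks 5–7,9 as delivered but does not account for CONCELIER-GAPS-115-014, which the execution log records as completed on 2025-12-02 (signed LNM schemas, AOC provenance guard, tenant isolation tests); either fold it into Wave A or give it its own wave entry so the frozen-artifact list handed to downstream consumers is complete.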
@@ -43,6 +49,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-03 | Added Wave Coordination (A prep/policy done; B tenant/backfill pending STORE-AOC-19-005; C signals/VEX Lens blocked on upstream contracts). No status changes. | Project Mgmt |
| 2025-12-02 | Completed CONCELIER-GAPS-115-014: published signed LNM schemas + manifest/signature, added connector HttpClient sandbox analyzer, hardened AOC guard for canonical sha256 + signature metadata, added determinism/tenant isolation tests and offline bundle fixtures. Targeted Core tests passing. | Implementer |
| 2025-12-02 | Started CONCELIER-GAPS-115-014 remediation: schema signing, AOC provenance guard, determinism/tenant isolation tests. | Implementer |
| 2025-11-28 | Completed CONCELIER-RISK-69-001: implemented `AdvisoryFieldChangeNotification`, `AdvisoryFieldChange`, `AdvisoryFieldChangeProvenance` models + `IAdvisoryFieldChangeEmitter` interface + `AdvisoryFieldChangeEmitter` implementation + `IAdvisoryFieldChangeNotificationPublisher` interface + `InMemoryAdvisoryFieldChangeNotificationPublisher`. Detects changes in fix availability, KEV status, severity, CVSS score, and observation status with full provenance. DI registration via `AddConcelierRiskServices()`. Sprint 0115 RISK tasks now complete (66-001, 66-002, 67-001, 69-001 DONE; 68-001 BLOCKED on POLICY-RISK-68-001). | Implementer |
@@ -10,6 +10,13 @@
- AirGap chain (WEB-AIRGAP-56/57/58) is sequential; sealed mode precedes staleness/timeline work.
- AOC regression tasks (WEB-AOC-19-003…007) rely on validators (WEB-AOC-19-002) and must land before large-batch ingest verification.
## Wave Coordination
- **Wave A (observability):** Tasks 14–15 delivered; keep schemas frozen for downstream.
- **Wave B (AirGap chain):** Tasks 2–5 sequential; all BLOCKED pending sealed-mode/staleness prerequisites (56-001/002).
- **Wave C (AOC regression):** Tasks 6–10 BLOCKED until validator WEB-AOC-19-002 exists; runs after Wave B to reuse fixtures.
- **Wave D (OAS alignment):** Tasks 11–13 BLOCKED awaiting Wave B envelope updates and examples; execute after AirGap/OAS envelope stabilises.
- Hold DOING until upstream prerequisites clear; avoid parallel starts that could drift contracts.
## Documentation Prerequisites
- docs/README.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
@@ -40,6 +47,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-03 | Added Wave Coordination (A observability done; B AirGap blocked; C AOC regression blocked on validator; D OAS alignment blocked). No status changes. | Project Mgmt |
| 2025-11-25 | AOC validator (WEB-AOC-19-002) missing; blocked chain noted. | Implementer |
| 2025-11-23 | OBS-52-001 done: SSE timeline stream shipped; audit logging active. | WebService |
| 2025-11-23 | OBS-51-001 done: ingest health endpoint shipped with schema 046_TLTY0101. | WebService |
@@ -1,18 +1,25 @@
# Sprint 0117-0001-0006 · Concelier VI — Ingestion & Evidence (Phase 110.B)
# Sprint 0117 · Concelier VI — Ingestion & Evidence (Phase 110.B)
## Topic & Scope
- Expose evidence locker and attestation data through Concelier APIs with provenance-preserving contracts and incident-mode controls.
- Finish connector-side Link-Not-Merge provenance for version ranges (CCCS, CERT-Bund, Cisco) to feed canonical observations.
- Keep migration docs aligned as connectors adopt new schemas.
- Working directory: `src/Concelier` (WebService + Connector libraries) and `docs` (migration).
- **Working directory:** `src/Concelier` (WebService + Connector libraries) and `docs` (migration).
## Dependencies & Concurrency
- Depends on Sprint 0116-0001-0005 for observability timeline stream and error envelope readiness.
- Depends on Sprint 0116 (Concelier V) for observability timeline stream and error envelope readiness.
- Evidence locker/attestation endpoints (WEB-OBS-53/54/55) rely on Link-Not-Merge observation schema and prior SSE timeline work.
- Connector tasks depend on CONCELIER-LNM-21-001 schema; must proceed per-connector while keeping migration docs in sync.
- Connector tasks depend on CONCELIER-LNM-21-001 schema; proceed per-connector while keeping migration docs in sync.
## Wave Coordination
- **Wave A (evidence/attestation APIs):** Tasks 1–3 delivered; keep aligned with 0116 SSE timeline and evidence scope checks.
- **Wave B (connector provenance):** Tasks 4–6 delivered for CCCS/CERT-Bund/Cisco; rerun mapper tests on CI for TRX capture when runner available.
- **Wave C (docs/migration):** Task 7 delivered; only update if connector schema changes.
- No open tasks; future deltas must add a new wave entry before execution.
## Documentation Prerequisites
- docs/README.md; docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/README.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- docs/modules/concelier/architecture.md (connectors, evidence locker integration)
- docs/migration/no-merge.md
@@ -31,6 +38,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-03 | Added Wave Coordination (A evidence/attestation done; B connector provenance done, pending CI rerun; C docs stable). No status changes. | Project Mgmt |
| 2025-11-03 | Documented Link-Not-Merge migration plan (`docs/migration/no-merge.md`). | Docs Guild |
| 2025-11-08 | Connector Cisco task marked DOING; others pending Link-Not-Merge schema. | Connector PM |
| 2025-11-16 | Normalised sprint file to standard template and renamed from `SPRINT_117_concelier_vi.md` to `SPRINT_0117_0001_0006_concelier_vi.md`; no semantic changes. | Planning |
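Review bot: the new 2025-12-03 row is inserted above the 2025-11-03 entry, but this Execution Log otherwise reads in ascending date order (2025-11-03, 2025-11-08, 2025-11-16, ...) and the other 2025-12-03 entry in this file is appended at the end of the log; move this row to the end so the log stays chronological.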
@@ -41,9 +49,10 @@
| 2025-11-25 | CONCELIER-WEB-OBS-53-001 DONE: added `/obs/evidence/advisories/{advisoryKey}` returning manifest path/hash + transparency path (tenant-scoped, evidence:read). | Implementer |
| 2025-11-25 | CONCELIER-WEB-OBS-54-001 DONE: added `/obs/attestations/advisories/{advisoryKey}` producing DSSE claims via EvidenceBundleAttestationBuilder; enforces tenant + evidence:read scope; uses default bundle/manifest/transparency under evidence root. | Implementer |
| 2025-11-25 | CONCELIER-WEB-OBS-55-001 DONE: incident-mode endpoints (GET/POST/DELETE `/obs/incidents/advisories/{advisoryKey}`) store incident markers with cooldown under evidence root; guarded by advisory read policy. Unit test covers file-store round-trip; full WebService build to rerun on CI (local build cancelled). | Implementer |
| 2025-12-03 | Normalised sprint structure (no content changes); carried blockers table into Dependencies section. | Planning |
## Decisions & Risks
- Evidence locker/attestation exposure depends on stable `/obs` timeline stream and evidence scope checks; lacking these risks bypass paths.
- Evidence locker/attestation exposure depends on stable `/obs` timeline stream and evidence scope checks; missing guards risk bypass paths.
- Connector version-range provenance must align with Link-Not-Merge schema; inconsistencies could break deterministic comparisons across feeds.
- Incident-mode toggles need orchestrator/locker coordination; absence of shared semantics risks divergent behavior across services.
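Review bot: the 2025-12-03 log entry says the blockers table was "carried ... into Dependencies section", yet the table still lives under its own heading, now renamed "Blockers & Dependencies (carried over)" in the next hunk; reword the entry (for example "kept blockers table as a carried-over section") so the log describes the structure that was actually committed.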
@@ -51,7 +60,7 @@
- Schedule evidence locker API contract review once WEB-OBS-52-001 ships (date TBD).
- Connector sync to validate range normalization across CCCS, CERT-Bund, Cisco after initial implementations.
## Blockers & Dependencies (detailed)
## Blockers & Dependencies (carried over)
| Dependency | Impacted work | Owner(s) | Status |
| --- | --- | --- | --- |
| WEB-OBS-52-001 timeline stream (Sprint 0116) | Tasks 1–3 | Concelier WebService · DevOps | Upstream dependency not yet delivered. |
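Review bot: the carried-over blocker row still reads "Upstream dependency not yet delivered" for WEB-OBS-52-001 against Tasks 1–3, while Wave A in this same file records Tasks 1–3 as delivered and the log marks CONCELIER-WEB-OBS-53-001/54-001/55-001 DONE; either update the Status cell to reflect delivery or label the row as historical so it is not read as an open blocker. The same applies to the untouched "Schedule evidence locker API contract review once WEB-OBS-52-001 ships (date TBD)" line above it, which contradicts "No open tasks" in Wave Coordination.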
@@ -1,4 +1,4 @@
# Sprint 0119_0001_0004 · Excititor Ingestion & Evidence (Phase IV)
# Sprint 0119 · Excititor Ingestion & Evidence (Phase IV)
## Topic & Scope
- Emit timeline events and evidence snapshots/attestations to make ingestion fully replayable and air-gap ready.
@@ -11,6 +11,12 @@
- Concurrency: Worker orchestration tasks can proceed alongside policy lookup API design; evidence snapshots depend on timeline events and locker payload shape.
- Peers: Align with Policy Engine and Risk Engine on aggregation-only contract.
## Wave Coordination
- **Wave A (observability + locker/attestation):** Tasks 1–3 DONE; keep schemas frozen for sealed-mode and replay consumers.
- **Wave B (orchestrator wiring):** Tasks 4–5 DONE; monitor SDK drift; no further work unless orchestrator contract changes.
- **Wave C (policy/risk APIs):** Tasks 6–8 BLOCKED awaiting POLICY-20-001 advisory_key schema and Risk feed envelope; do not start until contracts published.
- Waves run serially; only Wave C remains open/blocked. Avoid partial starts to prevent API drift.
## Documentation Prerequisites
- `docs/modules/excititor/architecture.md`
- `docs/modules/excititor/README.md#latest-updates`
@@ -30,19 +36,11 @@
| 7 | EXCITITOR-POLICY-20-002 | BLOCKED (2025-11-23) | Blocked on 20-001 API contract. | Excititor Core Guild | Add scope resolution/version range metadata to linksets while staying aggregation-only. |
| 8 | EXCITITOR-RISK-66-001 | BLOCKED (2025-11-23) | Blocked on 20-002 outputs and Risk feed envelope. | Excititor Core · Risk Engine Guild | Publish risk-engine ready feeds (status, justification, provenance) with zero derived severity. |
## Action Tracker
| Focus | Action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| Timeline events | Finalize event schema + trace IDs (OBS-52-001). | Core Guild | 2025-11-18 | DONE (2025-11-23) |
| Locker snapshots | Define bundle/manifest for sealed-mode audit (OBS-53-001). | Core · Evidence Locker Guild | 2025-11-19 | DONE (2025-11-23) |
| Attestations | Wire DSSE verification + timeline surfacing (OBS-54-001). | Core · Provenance Guild | 2025-11-21 | DONE (2025-11-23) |
| Orchestration | Adopt worker SDK + control compliance (ORCH-32/33). | Worker Guild | 2025-11-20 | BLOCKED (SDK missing in repo; awaiting orchestrator worker package) |
| Orchestration | Adopt worker SDK + control compliance (ORCH-32/33). | Worker Guild | 2025-11-20 | DONE (2025-12-01) |
| Policy/Risk APIs | Shape APIs + feeds (POLICY-20-001/002, RISK-66-001). | WebService/Core · Risk Guild | 2025-11-22 | BLOCKED (awaiting Policy advisory_key contract + Risk feed envelope) |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-03 | Added Wave Coordination (A observability/locker done; B orchestrator done; C policy/risk APIs blocked). No status changes. | Project Mgmt |
| 2025-12-03 | Normalised sprint structure; carried Action Tracker into dedicated section; no task status changes. | Planning |
| 2025-12-02 | Marked Policy/Risk API action BLOCKED: awaiting POLICY-20-001 advisory_key schema and Risk feed envelope before defining Excititor VEX lookup API. | Project Mgmt |
| 2025-11-16 | Normalized sprint file to standard template and renamed to SPRINT_0119_0001_0004_excititor_iv.md; awaiting task kickoff. | Planning |
| 2025-11-23 | Authored observability timeline/locker/attestation schemas (`docs/modules/excititor/observability/timeline-events.md`, `docs/modules/excititor/observability/locker-manifest.md`); marked OBS-52-001/53-001/54-001 DONE. | Docs Guild |
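Review bot: the Orchestration action flips from "BLOCKED (SDK missing in repo; awaiting orchestrator worker package)" to "DONE (2025-12-01)" in this hunk, but no Execution Log row records that completion and both 2025-12-03 entries state "No status changes" / "no task status changes"; add a 2025-12-01 entry for ORCH-32/33 and drop the no-status-change wording from the rows that accompany this diff. The new rows are also prepended above 2025-11-16 while the rest of the log runs ascending.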
@@ -67,3 +65,13 @@
| 2025-11-18 | Timeline schema review | Approve OBS-52-001 event envelope. | Iterate with provisional event topic if blocked. |
| 2025-11-20 | Orchestrator integration demo | Show worker heartbeats/progress with pause/throttle compliance. | Keep jobs on legacy runner until stability proven. |
| 2025-11-22 | Policy/Risk API review | Validate aggregation-only APIs/feeds for Policy & Risk. | Ship behind feature flag if minor gaps. |
## Action Tracker (carried over)
| Focus | Action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| Timeline events | Finalize event schema + trace IDs (OBS-52-001). | Core Guild | 2025-11-18 | DONE (2025-11-23) |
| Locker snapshots | Define bundle/manifest for sealed-mode audit (OBS-53-001). | Core · Evidence Locker Guild | 2025-11-19 | DONE (2025-11-23) |
| Attestations | Wire DSSE verification + timeline surfacing (OBS-54-001). | Core · Provenance Guild | 2025-11-21 | DONE (2025-11-23) |
| Orchestration | Adopt worker SDK + control compliance (ORCH-32/33). | Worker Guild | 2025-11-20 | BLOCKED (SDK missing in repo; awaiting orchestrator worker package) |
| Orchestration | Adopt worker SDK + control compliance (ORCH-32/33). | Worker Guild | 2025-11-20 | DONE (2025-12-01) |
| Policy/Risk APIs | Shape APIs + feeds (POLICY-20-001/002, RISK-66-001). | WebService/Core · Risk Guild | 2025-11-22 | BLOCKED (awaiting Policy advisory_key contract + Risk feed envelope) |
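Review bot: this hunk adds only new lines (header `-67,3 +65,13`), and the carried-over Action Tracker it introduces lists the Orchestration action twice with conflicting Status cells, "BLOCKED (SDK missing in repo; awaiting orchestrator worker package)" and "DONE (2025-12-01)"; keep only the DONE row so the tracker does not read as still blocked.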
@@ -1,4 +1,4 @@
# Sprint 0119_0001_0005 · Excititor Ingestion & Evidence (Phase V)
# Sprint 0119 · Excititor Ingestion & Evidence (Phase V)
## Topic & Scope
- Feed VEX Lens and Vuln Explorer with enriched, canonicalized evidence while keeping Excititor aggregation-only.
@@ -11,6 +11,12 @@
- Concurrency: VEX Lens/Vuln Explorer APIs can progress while storage validator indexes prepare; portable bundles depend on mirror registration; observability hooks trail API delivery.
- Peers: Coordinate with VEX Lens and Vuln Explorer teams for evidence fields/examples.
## Wave Coordination
- **Wave A (storage validation):** Tasks 5–6 DONE; keep validator/schema frozen unless new defects found.
- **Wave B (VEX/Vuln exports):** Tasks 1–4 BLOCKED on advisory_key spec and Lens field list; run sequentially once contracts land.
- **Wave C (AirGap bundles):** Tasks 7–8 BLOCKED on mirror registration + bundle schema; execute after Wave B to avoid duplicate manifests unless schema arrives first.
- Only Waves B and C remain; avoid partial starts to prevent API drift.
## Documentation Prerequisites
- `docs/modules/excititor/architecture.md`
- `docs/modules/excititor/README.md#latest-updates`
@@ -30,18 +36,11 @@
| 7 | EXCITITOR-AIRGAP-56-001 | BLOCKED (2025-11-25) | Mirror registration contract/schema not published. | Excititor WebService Guild | Mirror bundle registration + provenance exposure, sealed-mode error mapping, staleness metrics in API responses. |
| 8 | EXCITITOR-AIRGAP-58-001 | BLOCKED (2025-11-25) | Depends on 56-001 + bundle schema. | Excititor Core · Evidence Locker Guild | Portable evidence bundles linked to timeline + attestation metadata; document verifier steps for Advisory AI. |
## Action Tracker
| Focus | Action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| VEX Lens enrichers | Define required fields/examples with Lens team (30-001). | WebService · Lens Guild | 2025-11-20 | BLOCKED (awaiting Lens field list/examples) |
| Vuln Explorer APIs | Finalize canonicalization + evidence endpoint (29-001/002). | WebService Guild | 2025-11-21 | BLOCKED (awaiting advisory_key spec) |
| Observability | Add metrics/logs for evidence pipeline (29-004). | WebService · Observability Guild | 2025-11-22 | BLOCKED (depends on 29-002 endpoint shape) |
| Storage validation | Deliver validator + indexes (19-001/002). | Storage · DevOps Guild | 2025-11-23 | DONE |
| AirGap bundles | Align mirror registration + bundle manifest (56-001/58-001). | WebService · Core · Evidence Locker | 2025-11-24 | BLOCKED (mirror registration + bundle schema) |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-03 | Added Wave Coordination (A storage validation done; B VEX/Vuln blocked; C AirGap blocked). No status changes. | Project Mgmt |
| 2025-12-03 | Normalised sprint structure; action tracker moved to dedicated section; no task status changes. | Planning |
| 2025-11-16 | Normalized sprint file to standard template and renamed to SPRINT_0119_0001_0005_excititor_v.md; awaiting execution. | Planning |
| 2025-11-23 | Marked Vuln Explorer chain (29-001/002/004) BLOCKED pending `advisory_key` canonicalization spec from Vuln Explorer; Action Tracker updated. | Project Mgmt |
| 2025-11-25 | Added `$jsonSchema` validator migration (`20251125-vex-raw-json-schema`) plus schema doc and rollback/runbook; marked EXCITITOR-STORE-AOC-19-001/002 DONE. | Implementer |
@@ -63,3 +62,12 @@
| 2025-11-20 | Lens/Vuln alignment | Confirm field list + examples for 30-001 / 29-001. | Ship mock responses while contracts finalize. |
| 2025-11-22 | Storage validator review | Approve schema + index plan (19-001/002). | Keep validator in dry-run if concerns arise. |
| 2025-11-24 | AirGap bundle schema sync | Align mirror registration + bundle manifest. | Escalate to Evidence Locker if schema slips; use placeholder. |
## Action Tracker (carried over)
| Focus | Action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| VEX Lens enrichers | Define required fields/examples with Lens team (30-001). | WebService · Lens Guild | 2025-11-20 | BLOCKED (awaiting Lens field list/examples) |
| Vuln Explorer APIs | Finalize canonicalization + evidence endpoint (29-001/002). | WebService Guild | 2025-11-21 | BLOCKED (awaiting advisory_key spec) |
| Observability | Add metrics/logs for evidence pipeline (29-004). | WebService · Observability Guild | 2025-11-22 | BLOCKED (depends on 29-002 endpoint shape) |
| Storage validation | Deliver validator + indexes (19-001/002). | Storage · DevOps Guild | 2025-11-23 | DONE |
| AirGap bundles | Align mirror registration + bundle manifest (56-001/58-001). | WebService · Core · Evidence Locker | 2025-11-24 | BLOCKED (mirror registration + bundle schema) |
@@ -1,4 +1,4 @@
# Sprint 0119_0001_0006 · Excititor Ingestion & Evidence (Phase VI)
# Sprint 0119 · Excititor Ingestion & Evidence (Phase VI)
## Topic & Scope
- Expose streaming/timeline, evidence, and attestation APIs with OpenAPI discovery and examples, keeping aggregation-only semantics.
@@ -10,6 +10,12 @@
- Concurrency: OpenAPI discovery/examples can progress in parallel with streaming APIs; bundle import telemetry depends on mirror schema and sealed-mode rules.
- Peers: API Governance, Evidence Locker, AirGap importer/policy, Security guild for crypto providers.
## Wave Coordination
- **Wave A (streaming/OpenAPI):** Tasks 1,4,5 DONE; keep discovery/errors stable for downstream clients.
- **Wave B (evidence/attestation + airgap telemetry):** Tasks 2 and 6 DONE; task 3 remains BLOCKED awaiting DSSE locker manifests; keep remediation/timeline schema frozen.
- **Wave C (crypto providers):** Task 7 BLOCKED pending `ICryptoProviderRegistry` contract from Security guild; run after Wave B completes.
- Only tasks 3 and 7 remain open; avoid parallel starts until contracts land.
## Documentation Prerequisites
- `docs/modules/excititor/architecture.md`
- `docs/modules/excititor/README.md#latest-updates`
@@ -28,18 +34,11 @@
| 6 | EXCITITOR-WEB-AIRGAP-58-001 | DONE (2025-12-03) | Mirror thin bundle schema + policies available (see `docs/modules/mirror/dsse-tuf-profile.md`, `out/mirror/thin/mirror-thin-v1.bundle.json`). | Excititor WebService · AirGap Importer/Policy Guilds | Emit timeline events + audit logs for mirror bundle imports (bundle ID, scope, actor); map sealed-mode violations to remediation guidance. |
| 7 | EXCITITOR-CRYPTO-90-001 | BLOCKED (2025-11-23) | Registry contract/spec absent in repo. | Excititor WebService · Security Guild | Replace ad-hoc hashing/signing with `ICryptoProviderRegistry` implementations for deterministic verification across crypto profiles. |
## Action Tracker
| Focus | Action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| Streaming APIs | Finalize SSE/WebSocket contract + guardrails (WEB-OBS-52-001). | WebService Guild | 2025-11-20 | DONE (2025-11-24) |
| Evidence/Attestation APIs | Wire `/evidence/vex/*` (WEB-OBS-53-001) using locker manifest; attestation path waits on DSSE manifest (OBS-54-001). | WebService · Evidence Locker Guild | 2025-11-22 | DOING / PARTIAL |
| OpenAPI discovery | Implement well-known discovery + examples (WEB-OAS-61/62). | WebService · API Gov | 2025-11-21 | DONE (61-001, 62-001 delivered 2025-11-24) |
| Bundle telemetry | Define audit event + sealed-mode remediation mapping (WEB-AIRGAP-58-001). | WebService · AirGap Guilds | 2025-11-23 | DOING |
| Crypto providers | Design `ICryptoProviderRegistry` and migrate call sites (CRYPTO-90-001). | WebService · Security Guild | 2025-11-24 | BLOCKED |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-03 | Added Wave Coordination (A streaming/OpenAPI done; B evidence/airgap partly done, attestation blocked; C crypto registry blocked). No status changes. | Project Mgmt |
| 2025-12-03 | Normalised sprint structure; action tracker moved to dedicated section; no task status changes. | Planning |
| 2025-11-16 | Normalized sprint file to standard template and renamed to SPRINT_0119_0001_0006_excititor_vi.md; pending execution. | Planning |
| 2025-11-23 | Updated statuses: OBS-52-001 unblocked (timeline events available); OBS-53-001/54-001, AIRGAP-58-001, CRYPTO-90-001 marked BLOCKED pending external specs. | Project Mgmt |
| 2025-11-24 | Added OpenAPI discovery endpoints (`/.well-known/openapi`, `/openapi/excititor.json`) with standard error envelope schema; EXCITITOR-WEB-OAS-61-001 marked DONE. | Implementer |
@@ -57,8 +56,8 @@
## Decisions & Risks
- **Decisions**
- All streaming/evidence/attestation endpoints remain aggregation-only; no derived verdicts.
- OpenAPI discovery must include version metadata and error envelope standardization.
- Airgap import now enforces `vex.admin` scope and records actor/scope on timeline entries; sealed-mode failures return remediation guidance for auditability.
- OpenAPI discovery must include version metadata and error envelope standardization.
- Airgap import now enforces `vex.admin` scope and records actor/scope on timeline entries; sealed-mode failures return remediation guidance for auditability.
- **Risks & Mitigations**
- Mirror bundle schema delays could block bundle telemetry → leverage placeholder manifest with TODOs and log-only fallback.
- Crypto provider abstraction may impact performance → benchmark providers; default to current provider with feature flag.
@@ -72,3 +71,12 @@
| 2025-11-21 | OpenAPI discovery review | Validate well-known endpoint + examples. | Provide static spec download if discovery slips. |
| 2025-11-23 | Bundle telemetry sync | Align audit/deprecation headers + sealed-mode mappings. | Log-only until schema finalized. |
| 2025-11-24 | Crypto provider design review | Freeze `ICryptoProviderRegistry` contract. | Retain current crypto implementation until migration ready. |
## Action Tracker (carried over)
| Focus | Action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| Streaming APIs | Finalize SSE/WebSocket contract + guardrails (WEB-OBS-52-001). | WebService Guild | 2025-11-20 | DONE (2025-11-24) |
| Evidence/Attestation APIs | Wire `/evidence/vex/*` (WEB-OBS-53-001) using locker manifest; attestation path waits on DSSE manifest (OBS-54-001). | WebService · Evidence Locker Guild | 2025-11-22 | DOING / PARTIAL |
| OpenAPI discovery | Implement well-known discovery + examples (WEB-OAS-61/62). | WebService · API Gov | 2025-11-21 | DONE (61-001, 62-001 delivered 2025-11-24) |
| Bundle telemetry | Define audit event + sealed-mode remediation mapping (WEB-AIRGAP-58-001). | WebService · AirGap Guilds | 2025-11-23 | DOING |
| Crypto providers | Design `ICryptoProviderRegistry` and migrate call sites (CRYPTO-90-001). | WebService · Security Guild | 2025-11-24 | BLOCKED |
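Review bot: two Status cells in the carried-over Action Tracker are stale relative to the task table earlier in this file: "Bundle telemetry ... DOING" while task 6 EXCITITOR-WEB-AIRGAP-58-001 reads DONE (2025-12-03), and "Evidence/Attestation APIs ... DOING / PARTIAL" while Wave B records task 2 as DONE with only task 3 blocked on DSSE locker manifests; update both cells, or mark the table as a point-in-time snapshot with its date, so the tracker and the task table agree.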
@@ -27,7 +27,7 @@
| 2 | MIRROR-CRT-56-002 | DONE (2025-11-23) | Built, DSSE/TUF-signed, and verified thin-v1 (OCI=1) using Ed25519 keyid `db9928babf3aeb817ccdcd0f6a6688f8395b00d0e42966e32e706931b5301fc8`; artefacts in `out/mirror/thin/` and `out/mirror/thin/oci/`. Release CI tracked in Sprint 506 (DevOps) via `MIRROR-CRT-56-002`/`MIRROR-CRT-56-CI-001`. | Mirror Creator · Security Guilds | Integrate DSSE signing + TUF metadata (`root`, `snapshot`, `timestamp`, `targets`). |
| 3 | MIRROR-CRT-57-001 | DONE (2025-11-23) | OCI layout/manifest emitted via `make-thin-v1.sh` when `OCI=1`; layer points to thin bundle tarball. | Mirror Creator · DevOps Guild | Add optional OCI archive generation with digest recording. |
| 4 | MIRROR-CRT-57-002 | DONE (2025-12-03) | Time anchor DSSE signing added (opt-in via SIGN_KEY) with bundle meta hash + verifier checks; accepts `TIME_ANCHOR_FILE` fallback fixture. | Mirror Creator · AirGap Time Guild | Embed signed time-anchor metadata. |
| 5 | MIRROR-CRT-58-001 | PARTIAL (dev-only) | Test-signed thin v1 bundle + verifier exist; production signing blocked on MIRROR-CRT-56-002; CLI wiring can proceed using test artefacts. | Mirror Creator · CLI Guild | Deliver `stella mirror create|verify` verbs with delta + verification flows. |
| 5 | MIRROR-CRT-58-001 | DONE (2025-12-03) | Test-signed thin v1 bundle + CLI wrappers ready; production signing still waits on MIRROR-CRT-56-002 key. | Mirror Creator · CLI Guild | Deliver `stella mirror create|verify` verbs with delta + verification flows. |
| 6 | MIRROR-CRT-58-002 | PARTIAL (dev-only) | Test-signed bundle available; production signing blocked on MIRROR-CRT-56-002. | Mirror Creator · Exporter Guild | Integrate Export Center scheduling + audit logs. |
| 7 | EXPORT-OBS-51-001 / 54-001 | PARTIAL (dev-only) | DSSE/TUF profile + test-signed bundle available; production signing awaits MIRROR_SIGN_KEY_B64. | Exporter Guild | Align Export Center workers with assembler output. |
| 8 | AIRGAP-TIME-57-001 | BLOCKED | MIRROR-CRT-56-001 sample exists; needs DSSE/TUF + time-anchor schema from AirGap Time. | AirGap Time Guild | Provide trusted time-anchor service & policy. |
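Review bot: task 5 MIRROR-CRT-58-001 is promoted from "PARTIAL (dev-only)" to "DONE (2025-12-03)" while its own note still says "production signing still waits on MIRROR-CRT-56-002 key", and task 2 MIRROR-CRT-56-002 reads "DONE (2025-11-23)" although rows 5–7 continue to cite it as the blocker for production signing; state explicitly that DONE covers the test-signed path only, or keep the PARTIAL (dev-only) status until the production key lands, so the table does not overstate the signing posture of released bundles.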
@@ -61,6 +61,7 @@
| 2025-11-23 | Set MIRROR-CRT-56-002 to BLOCKED pending CI Ed25519 key (`MIRROR_SIGN_KEY_B64`); all downstream MIRROR-57-002/58-001/002 depend on this secret landing. | Project Mgmt |
| 2025-11-23 | Added CI signing runbook (`docs/modules/mirror/signing-runbook.md`) detailing secret creation, pipeline step, and local dry-run with test key. | Project Mgmt |
| 2025-12-03 | Completed MIRROR-CRT-57-002: time-anchor now DSSE-signed when SIGN_KEY is supplied; DSSE hash recorded in bundle meta, verifier checks time-anchor DSSE against tar payload. `make-thin-v1.sh` emits `time-anchor.dsse.json` and supports pre-signed anchors. | Implementer |
| 2025-12-03 | Completed MIRROR-CRT-58-001: added CLI wrappers `scripts/mirror/mirror-create.sh` and `mirror-verify.sh`; docs updated. CLI can build/verify thin bundles (hashes + optional DSSE/pubkey). Production signing still waits on MIRROR-CRT-56-002 key. | Implementer |
| 2025-11-23 | Generated throwaway Ed25519 key for dev smoke; documented base64 in signing runbook and aligned `scripts/mirror/ci-sign.sh` default. Status: MIRROR-KEY-56-002-CI moved to TODO (ops must import secret). | Implementer |
| 2025-11-23 | Added `scripts/mirror/check_signing_prereqs.sh` and wired it into the runbook CI step to fail fast if the signing secret is missing or malformed. | Implementer |
| 2025-11-23 | Ran `scripts/mirror/ci-sign.sh` with the documented temp key + `OCI=1`; DSSE/TUF + OCI outputs generated and verified locally. Release/signing still awaits prod secret in Gitea. | Implementer |
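Review bot: the 2025-11-23 entry records a throwaway Ed25519 key whose base64 is documented in the signing runbook and set as the default in `scripts/mirror/ci-sign.sh`; with a known dev key as the script default, a pipeline that loses or mis-scopes the `MIRROR_SIGN_KEY_B64` secret can emit dev-signed bundles that still verify. Confirm that `check_signing_prereqs.sh` rejects that documented key itself, not only a missing or malformed secret, and that the verifier distinguishes test-signed from release-signed output. Also, the two 2025-12-03 rows are inserted between 2025-11-23 rows; append them so the log stays chronological.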
@@ -20,8 +20,8 @@
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | TASKRUN-AIRGAP-56-001 | DONE (2025-11-30) | Delivered sealed-mode plan validation via AirGap egress policy binding in WebService. | Task Runner Guild · AirGap Policy Guild | Enforce plan-time validation rejecting non-allowlisted network calls in sealed mode; surface remediation errors. |
| 2 | TASKRUN-AIRGAP-56-002 | DOING (2025-11-30) | Depends on 56-001. | Task Runner Guild · AirGap Importer Guild | Add helper steps for bundle ingestion (checksum verification, staging to object store) with deterministic outputs. |
| 3 | TASKRUN-AIRGAP-57-001 | BLOCKED (2025-11-30) | Depends on 56-002. | Task Runner Guild · AirGap Controller Guild | Refuse to execute plans when environment sealed=false but declared sealed install; emit advisory timeline events. |
| 2 | TASKRUN-AIRGAP-56-002 | DONE (2025-12-03) | Helper delivered; downstream AIRGAP-57/58 await controller/importer bundle specs. | Task Runner Guild · AirGap Importer Guild | Add helper steps for bundle ingestion (checksum verification, staging to object store) with deterministic outputs. |
| 3 | TASKRUN-AIRGAP-57-001 | BLOCKED (2025-11-30) | Depends on 56-002; awaiting sealed-install enforcement contract. | Task Runner Guild · AirGap Controller Guild | Refuse to execute plans when environment sealed=false but declared sealed install; emit advisory timeline events. |
| 4 | TASKRUN-AIRGAP-58-001 | BLOCKED (2025-11-30) | Depends on 57-001. | Task Runner Guild · Evidence Locker Guild | Capture bundle import job transcripts, hashed inputs/outputs into portable evidence bundles. |
| 5 | TASKRUN-42-001 | BLOCKED (2025-11-25) | Continue execution engine upgrades (loops/conditionals/maxParallel), simulation mode, policy gate integration, deterministic failure recovery. | Task Runner Guild (`src/TaskRunner/StellaOps.TaskRunner`) | Execution engine enhancements + simulation API/CLI. Blocked: TaskPack loop/conditional semantics and policy-gate evaluation contract not published. |
| 6 | TASKRUN-OAS-61-001 | BLOCKED (2025-11-30) | Await control-flow/policy addendum (Action Tracker 2025-12-04) before freezing OAS. | Task Runner Guild · API Contracts Guild | Document TaskRunner APIs (pack runs, logs, approvals) with streaming schemas/examples. |
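Review bot: row 3 TASKRUN-AIRGAP-57-001 still lists "Depends on 56-002" as its dependency even though row 2 becomes DONE (2025-12-03) in the same hunk; drop the satisfied dependency and keep only "awaiting sealed-install enforcement contract" so the dependency column shows what is actually open. Row 6's reference to an Action Tracker date of 2025-12-04 should also be checked against the 2025-12-05 due date quoted for the same addendum in the Execution Log below.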
@@ -59,6 +59,7 @@
| 2025-11-30 | Updated dependencies: AIRGAP chain blocked on helper design (56-002) and downstream evidence work; OAS chain blocked pending TaskPack control-flow addendum (due 2025-12-05); OBS chain blocked on timeline/evidence schema; 41-001 no longer a blocker. | Project Mgmt |
| 2025-12-01 | Started TASKRUN-AIRGAP-56-002: bundle ingestion helper executor added (checksum verify + deterministic staging). Worker wired; awaiting importer specs/fixture paths before marking DONE. | Task Runner Guild |
| 2025-12-02 | TASKRUN-AIRGAP-56-002: hardened bundle helper — checksum now required, deterministic staging under `bundles/{sha256}/`, metadata.json emitted; unit tests updated. Targeted test run aborted after long restore; rerun `dotnet test …TaskRunner.Tests --filter BundleIngestion` in CI. | Task Runner Guild |
| 2025-12-03 | Completed TASKRUN-AIRGAP-56-002: moved worker options into core for DI safety, bundle helper emits deterministic `bundles/{sha256}/metadata.json`, and `dotnet test src/TaskRunner/StellaOps.TaskRunner/StellaOps.TaskRunner.sln --filter BundleIngestion` passes. Updated architecture doc for new helper contract. | Task Runner Guild |
| 2025-11-30 | Added Wave Coordination, Interlocks, and Action Tracker sections per docs/implplan/AGENTS.md template; no scope change. | Project Mgmt |
| 2025-11-30 | Synced TaskRunner task rows in tasks-all/archived indexes to reflect canonical sprint name and BLOCKED status where applicable. | Project Mgmt |
| 2025-11-30 | Refreshed Decisions & Risks with risk table and aligned checkpoint wording. | Project Mgmt |
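Review bot: the 2025-12-03 entry settles the staging layout as `bundles/{sha256}/metadata.json` with the checksum now required, but it does not say what the helper does when the supplied checksum does not match the bundle (it should fail the step rather than stage) or that the `{sha256}` segment is validated as a hex digest before it is used as a directory name; record both, since they are what makes the "deterministic staging" claim safe to rely on. The row is also inserted above the 2025-11-30 entries; append it to keep the log ascending.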
@@ -80,7 +81,7 @@
## Decisions & Risks
- Execution engine must stay deterministic; parallelism expansions are frozen until SLOs/telemetry validate safety.
- Air-gap enforcement in place (56-001 delivered); remaining AIRGAP-56-002/57-001/58-001 wait on ingest/helper specs.
- Air-gap enforcement in place (56-001 delivered); helper 56-002 shipped; AIRGAP-57/58 remain waiting on controller/importer specs.
- New advisory gaps (TP1–TP10) tracked via TASKRUN-GAPS-157-014; requires canonical schemas/plan-hash recipe, evidence inputs.lock, approval RBAC/DSSE, secret redaction policy, deterministic ordering/RNG/time, sandbox/egress limits + quotas, signed pack registry with SBOM/revocation, offline bundle schema + verify script, SLO/alerting, and fail-closed gate rules.
- Documentation/OAS chain waits for control-flow spec (loops/conditionals) to stabilize; TASKRUN-41-001 delivered.
@@ -88,7 +89,7 @@
| --- | --- | --- |
| TaskRunner control-flow/policy-gate spec partially missing (loops/conditionals) | Blocks TASKRUN-42-001 and OAS 61-001..63-001. | Track via Action Tracker; hold parallelism changes until spec addendum lands; keep scope frozen. |
| Timeline event schema absent | Blocks TASKRUN-OBS-52-001/53-001 evidence timelines. | Coordinate with Evidence Locker Guild; Action Tracker follow-up; hold OBS rollout. |
| Air-gap helper specs pending | Blocks TASKRUN-AIRGAP-56-002/57-001/58-001 (ingest helpers, sealed install enforcement, evidence bundles). | Await AirGap Importer/Controller inputs; keep sealed-mode validation enforced for plans. |
| Air-gap helper specs pending | Blocks TASKRUN-AIRGAP-57-001/58-001 (sealed install enforcement, evidence bundles); helper 56-002 delivered with deterministic staging. | Await AirGap Importer/Controller inputs; keep sealed-mode validation enforced for plans. |
## Upcoming Checkpoints
- 2025-12-04 · Control-flow/policy-gate spec addendum review; go/no-go for TASKRUN-42-001 start.
@@ -95,10 +95,10 @@
#### TimelineIndexer task snapshot (2025-11-12)
| Task ID | Scope | State | Notes / Owners |
| --- | --- | --- | --- |
| TIMELINE-OBS-52-001 | Service bootstrap + Postgres migrations/RLS | BLOCKED (2025-11-30) | Timeline Indexer Guild |
| TIMELINE-OBS-52-002 | Event ingestion pipeline + metrics | BLOCKED (2025-11-30) | Timeline Indexer Guild |
| TIMELINE-OBS-52-003 | REST/gRPC APIs + OpenAPI contracts | BLOCKED (2025-11-30) | Timeline Indexer Guild |
| TIMELINE-OBS-52-004 | RLS policies, audit logging, legal hold tests | BLOCKED (2025-11-30) | Timeline Indexer + Security Guilds |
| TIMELINE-OBS-52-001 | Service bootstrap + Postgres migrations/RLS | DONE (2025-11-30) | Timeline Indexer Guild |
| TIMELINE-OBS-52-002 | Event ingestion pipeline + metrics | DONE (2025-12-03) | Timeline Indexer Guild |
| TIMELINE-OBS-52-003 | REST/gRPC APIs + OpenAPI contracts | DONE (2025-12-03) | Timeline Indexer Guild |
| TIMELINE-OBS-52-004 | RLS policies, audit logging, legal hold tests | DONE (2025-12-03) | Timeline Indexer + Security Guilds |
| TIMELINE-OBS-53-001 | Evidence linkage endpoint | BLOCKED (2025-11-30) | Timeline Indexer + Evidence Locker Guilds |
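Review bot: the section heading still reads "TimelineIndexer task snapshot (2025-11-12)" while the rows it introduces now carry DONE (2025-11-30) and DONE (2025-12-03); update the snapshot date in the heading, or drop it, so readers do not take the table as a month-old state.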
## Interlocks & Readiness Signals
@@ -30,7 +30,7 @@
| 9 | EXPORT-SVC-37-004 | BLOCKED (2025-11-30) | BLOCKED by 37-003; verification API requires scheduled run outputs. | Exporter Service Guild | Verification API to stream manifests/hashes, compute hash+signature checks, return attest status for CLI/UI. |
|
||||
| 10 | EXPORT-SVC-43-001 | BLOCKED (2025-11-30) | BLOCKED by 37-004; pack-run integration waits on verification API. | Exporter Service Guild | Integrate pack run manifests/artifacts into export bundles and CLI verification; expose provenance links. |
|
||||
| 11 | EXPORT-TEN-48-001 | BLOCKED (2025-11-30) | BLOCKED until Export API (35-006) stabilizes; tenant prefixes require finalized routes. | Exporter Service Guild | Prefix artifacts/manifests with tenant/project, enforce scope checks, prevent cross-tenant exports unless whitelisted; update provenance. |
|
||||
| 12 | RISK-BUNDLE-69-001 | DOING (2025-11-30) | Scaffolded builder/signing/object-store + unit tests; awaiting Sprint 0163 risk prep artefacts to wire real providers/worker integration. | Risk Bundle Export Guild · Risk Engine Guild (`src/ExportCenter/StellaOps.ExportCenter.RiskBundles`) | Implement `stella export risk-bundle` job producing tarball with provider datasets, manifests, DSSE signatures. |
|
||||
| 12 | RISK-BUNDLE-69-001 | DONE (2025-12-03) | Bundle now embeds manifest DSSE + detached bundle signature; worker options fixed (signature paths/OSV flags); RiskBundle tests passing. | Risk Bundle Export Guild · Risk Engine Guild (`src/ExportCenter/StellaOps.ExportCenter.RiskBundles`) | Implement `stella export risk-bundle` job producing tarball with provider datasets, manifests, DSSE signatures. |
|
||||
| 13 | RISK-BUNDLE-69-002 | BLOCKED (2025-11-30) | BLOCKED by 69-001 deliverables. | Risk Bundle Export Guild · DevOps Guild | Integrate bundle job into CI/offline kit pipelines with checksum publication. |
|
||||
| 14 | RISK-BUNDLE-70-001 | BLOCKED (2025-11-30) | BLOCKED by 69-002; verification inputs not available. | Risk Bundle Export Guild · CLI Guild | Provide CLI `stella risk bundle verify` command to validate bundles before import. |
|
||||
| 15 | RISK-BUNDLE-70-002 | BLOCKED (2025-11-30) | BLOCKED by 70-001; doc content waits on verification CLI behavior. | Risk Bundle Export Guild · Docs Guild | Publish `/docs/airgap/risk-bundles.md` covering build/import/verification workflows. |
|
||||
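Review bot: Row 13 (RISK-BUNDLE-69-002) still says `BLOCKED by 69-001 deliverables` although row 12 flips 69-001 to DONE in this hunk; move it to TODO or name what is still missing, and re-check row 14, whose `verification inputs not available` justification depends on the same chain. Row 12's DONE note also says `detached bundle signature` without naming the mechanism, while its task definition requires DSSE signatures; say whether the detached artifact is a second DSSE envelope or something else, since `stella risk bundle verify` (row 14) will have to know what key material to check it with.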
@@ -97,3 +97,4 @@
| 2025-11-30 | Added RiskBundles worker default configuration (providers/storage/signing) to appsettings, keeping task 69-001 progressing under DOING. | Implementer |
| 2025-11-30 | Implemented risk-bundle builder/signing/object store scaffolding and unit tests; set RISK-BUNDLE-69-001 to DOING pending upstream provider artefacts; `dotnet test --filter RiskBundle` passing. | Implementer |
| 2025-12-02 | RISK-BUNDLE-69-001: enforced mandatory provider `cisa-kev`, captured optional signature digests, and embedded provider signatures into bundles; manifest inputs hash includes signature digest. Updated tests (builder/job). Targeted test run cancelled after restore; rerun `dotnet test ...ExportCenter.Tests --filter RiskBundle` in CI. | Implementer |
| 2025-12-03 | RISK-BUNDLE-69-001: embedded manifest DSSE within bundle, added detached bundle HMAC signature, and fixed worker provider mapping (signature paths/OSV flags). Ran `dotnet test src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/StellaOps.ExportCenter.Tests.csproj --filter RiskBundle` (pass). | Implementer |

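Review bot: The 2025-12-03 entry records a `detached bundle HMAC signature`, but the task definition for RISK-BUNDLE-69-001 and the 2025-12-02 entry describe DSSE signatures. An HMAC is a symmetric MAC: anyone able to verify it holds the key needed to forge it, so it offers no third-party verifiability, and an air-gapped importer running `stella risk bundle verify` would need the producer's secret. If the HMAC is only an integrity check layered on top of the embedded manifest DSSE, state that here together with where the key is provisioned; if it stands in for a signature, flag it as a deviation for the Authority/Security guilds before 70-001 builds the verifier around it.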
@@ -20,9 +20,9 @@
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | TIMELINE-OBS-52-001 | DONE (2025-11-30) | Postgres schema + RLS committed; evidence linkage table aligned to bundle contract | Timeline Indexer Guild (`src/TimelineIndexer/StellaOps.TimelineIndexer`) | Bootstrap service; Postgres migrations for `timeline_events`, `timeline_event_details`, `timeline_event_digests`; enable RLS scaffolding and deterministic migration scripts. |
| 2 | TIMELINE-OBS-52-002 | DOING (2025-11-30) | Ingestion worker + metrics + subscriber abstraction implemented; waiting on NATS/Redis subject/schema to bind transports | Timeline Indexer Guild | Implement event ingestion pipeline (NATS/Redis consumers) with ordering guarantees, dedupe `(event_id, tenant_id)`, trace-ID correlation, backpressure metrics. |
| 3 | TIMELINE-OBS-52-003 | BLOCKED (2025-11-30) | BLOCKED by 52-002; ingestion contract not defined yet. | Timeline Indexer Guild | Expose REST/gRPC APIs for timeline queries (`GET /timeline`, `/timeline/{id}`) with filters, pagination, tenant enforcement; provide OpenAPI + contract tests. |
| 4 | TIMELINE-OBS-52-004 | BLOCKED (2025-11-30) | Blocked by 52-003; upstream schema + RLS review pending. | Timeline Indexer Guild · Security Guild | Finalize RLS policies, scope checks (`timeline:read`), audit logging; integration tests for cross-tenant isolation and legal hold markers. |
| 2 | TIMELINE-OBS-52-002 | DONE (2025-12-03) | NATS/Redis subscribers + orchestrator envelope parser wired; ingestion worker records lag metrics and dedupes `(tenant,event_id)` | Timeline Indexer Guild | Implement event ingestion pipeline (NATS/Redis consumers) with ordering guarantees, dedupe `(event_id, tenant_id)`, trace-ID correlation, backpressure metrics. |
| 3 | TIMELINE-OBS-52-003 | DONE (2025-12-03) | REST timeline APIs return tenant-scoped listings and detail views (payload/digests) with filters/pagination | Timeline Indexer Guild | Expose REST/gRPC APIs for timeline queries (`GET /timeline`, `/timeline/{id}`) with filters, pagination, tenant enforcement; provide OpenAPI + contract tests. |
| 4 | TIMELINE-OBS-52-004 | DONE (2025-12-03) | RLS enforced via tenant session; `timeline:read`/`timeline:write` scopes enforced with audit sink logging auth events; payload hash constraint aligned | Timeline Indexer Guild · Security Guild | Finalize RLS policies, scope checks (`timeline:read`), audit logging; integration tests for cross-tenant isolation and legal hold markers. |
| 5 | TIMELINE-OBS-53-001 | BLOCKED (2025-11-30) | Blocked by 52-004 and awaiting EvidenceLocker bundle digest linkage tests. | Timeline Indexer Guild · Evidence Locker Guild | Link timeline events to evidence bundle digests + attestation subjects; expose `/timeline/{id}/evidence` returning signed manifest references. |

## Wave Coordination
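Review bot: Row 3's task definition covers REST and gRPC APIs plus OpenAPI and contract tests, but the DONE note mentions only REST listings and detail views; either record that gRPC, the OpenAPI document and the contract tests landed, or keep the row open for the remainder. Row 4's note likewise omits the cross-tenant isolation and legal hold marker integration tests its definition requires, and "RLS enforced via tenant session" should say how the tenant is bound to the session (set from the authenticated principal, not from a client-supplied header), since that is what makes the RLS policies meaningful. Row 5 is still `Blocked by 52-004` although row 4 flips to DONE in this hunk; its remaining blocker is the EvidenceLocker digest linkage. Minor: the dedupe key is `(tenant,event_id)` in row 2's note and `(event_id, tenant_id)` in its definition; use one order.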
@@ -36,16 +36,16 @@
## Interlocks
| Dependency | Impacts | Status / Next signal |
| --- | --- | --- |
| Orchestrator/Notifications event schema | Tasks 2–4 | Pending; required to finalize ingestion payload and API fields. |
| Orchestrator/Notifications event schema | Tasks 2–4 | Mitigated: parser bound to `docs/events/*@1.json` orchestrator envelopes; tolerant to additive fields. Monitor doc updates. |
| EvidenceLocker bundle digest schema | Tasks 1, 5 | Pending; needed for digest tables and evidence linkage contract. |
| Security/Compliance RLS review | Task 4 | Pending; schedule once RLS proposal is drafted. |
| Security/Compliance RLS review | Task 4 | Implemented RLS/audit; ready for Security review once scheduled. |

## Action Tracker
| # | Action | Owner | Due (UTC) | Status |
| --- | --- | --- | --- | --- |
| 1 | Attach orchestrator/notification event schema sample to sprint doc. | Timeline Indexer Guild | 2025-12-02 | OPEN |
| 1 | Attach orchestrator/notification event schema sample to sprint doc. | Timeline Indexer Guild | 2025-12-02 | CLOSED (bound to `docs/events/scanner.event.*@1.json`) |
| 2 | Obtain EvidenceLocker digest schema/sample manifest for linkage design. | Timeline Indexer Guild · Evidence Locker Guild | 2025-12-02 | OPEN |
| 3 | Draft RLS/migration proposal and route to Security/Compliance for approval. | Timeline Indexer Guild | 2025-12-04 | OPEN |
| 3 | Draft RLS/migration proposal and route to Security/Compliance for approval. | Timeline Indexer Guild | 2025-12-04 | CLOSED (RLS + audit sink implemented; ready for review) |

## Upcoming Checkpoints
- Schema drop ETA for orchestrator/notification events (TBD).
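Review bot: Action 1 is closed as `bound to docs/events/scanner.event.*@1.json`, whereas the interlock row above it says the parser is bound to orchestrator envelopes under `docs/events/*@1.json`; those are different event families, so state which contract the parser actually consumes and whether notification events are covered at all. Action 3 (`route to Security/Compliance for approval`) is marked CLOSED while its note says only `ready for review`; the routing has not happened, so the action should stay OPEN with a new due date rather than closing on implementation alone. The `Schema drop ETA ... (TBD)` checkpoint left in the context lines is now stale given the closed interlock; either remove it or replace it with the Security review date.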
@@ -55,11 +55,11 @@
## Decisions & Risks
| Risk / Decision | Impact | Mitigation / Next step | Status |
| --- | --- | --- | --- |
| Orchestrator/notification schemas not yet published. | Blocks ingestion and API field definitions (TIMELINE-OBS-52-002/003). | Track Action 1; keep tasks BLOCKED until schema attached. | OPEN |
| Orchestrator/notification schemas not yet published. | Blocks ingestion and API field definitions (TIMELINE-OBS-52-002/003). | Parser now bound to `docs/events/*@1.json` envelopes; tolerant to additive fields. Monitor doc updates. | CLOSED |
| EvidenceLocker digest schema pending. | Blocks digest table shape and evidence linkage (TIMELINE-OBS-53-001). | Track Action 2; keep tasks BLOCKED. | OPEN |
| RLS review not scheduled. | Could delay production readiness of policies (TIMELINE-OBS-52-004). | Track Action 3; schedule with Security once draft ready. | OPEN |
| RLS review not scheduled. | Could delay production readiness of policies (TIMELINE-OBS-52-004). | RLS + audit sink implemented; ready for Security review scheduling. | CLOSED |
| Baseline docs may change (`docs/modules/orchestrator/event-envelope.md`, `docs/modules/evidence-locker/prep/2025-11-24-evidence-locker-contract.md`). | Schema drift could invalidate migrations. | Monitor upstream doc updates; re-run schema diff before coding resumes. | OPEN |
| Workspace disk full prevents running `dotnet test`. | Tests for timeline ingestion/query remain unverified. | Free disk space, rerun timeline test suite. | OPEN |
| Workspace disk full prevents running `dotnet test`. | Tests for timeline ingestion/query remain unverified. | Cleared; `dotnet test` for TimelineIndexer now passes. | CLOSED |

### Risk table
| Risk | Severity | Mitigation / Owner |
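Review bot: The `RLS review not scheduled` risk is set to CLOSED, but its mitigation column still says the review is ready for scheduling; the risk condition (no scheduled review) is unchanged, so the row should stay OPEN until the Security Guild has a date. Likewise, closing the schema risk on the strength of a parser that is `tolerant to additive fields` covers only one kind of drift; removed, renamed or re-typed fields would still break ingestion, and the `Baseline docs may change` row directly below stays OPEN for that reason. Cross-reference that row (or a schema-diff check in CI) instead of closing outright.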
@@ -72,6 +72,8 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-03 | TIMELINE-OBS-52-002: wired NATS/Redis subscribers with orchestrator envelope parser, ingestion lag histogram, and deterministic payload hashing; fixed payload hash regex + appsettings for Postgres/ingestion. | Implementer |
| 2025-12-03 | TIMELINE-OBS-52-003/004: REST timeline endpoints return payload/digest detail with tenant filters; `timeline:read`/`timeline:write` scopes enforced with audit sink; `dotnet test` on `StellaOps.TimelineIndexer.sln` passing (10 tests). | Implementer |
| 2025-12-01 | Testing blocked: runner reports “No space left on device”; timeline module tests not executed. | Implementer |
| 2025-11-30 | Ran TimelineIndexer unit tests (TimelineIndexer.Tests) successfully after ingestion worker + query option fixes; still waiting on transport schema to wire NATS/Redis. | Implementer |
| 2025-11-30 | Implemented TimelineIngestionWorker with subscriber abstraction, session dedupe, and metrics counters; awaiting NATS/Redis subject schema to wire real transports. | Implementer |

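Review bot: The 2025-12-03 entry for 52-003/004 cites a passing run of 10 tests but does not say whether the cross-tenant isolation and legal hold tests required by TIMELINE-OBS-52-004 are among them; list the test names (or the test class) so the DONE claim is auditable, since ten tests for ingestion, dedupe, RLS, scope checks and the audit sink together reads thin. The first entry's `fixed payload hash regex` should also state the accepted format (algorithm prefix and digest length) so it can be checked against the `payload hash constraint aligned` note on task 4 above.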
@@ -45,10 +45,10 @@
| 15f | SBOM-TESTS-186-015F | BLOCKED (2025-11-30) | BLOCKED by 15a-15e. | Sbomer Guild · QA Guild (`src/Sbomer/__Tests`) | Roundtrip tests: SPDX→CDX→SPDX with diff assertion; determinism tests (same input → same hash); SPDX 3.0.1 spec compliance validation. |
| 16 | DOCS-REPLAY-186-004 | BLOCKED (2025-11-30) | BLOCKED until replay schema settled (depends on 186-001). | Docs Guild | Author `docs/replay/TEST_STRATEGY.md` (golden replay, feed drift, tool upgrade); link from replay docs and Scanner architecture. |
| 17 | DOCS-SBOM-186-017 | BLOCKED (2025-11-30) | BLOCKED by 15a-15f and scope extension to Sbomer docs. | Docs Guild (`docs/modules/sbomer/spdx-3.md`) | Document SPDX 3.0.1 implementation: data model, serialization formats, CDX mapping table, storage schema, hash computation, migration guide from SPDX 2.3. |
| 18 | SCANNER-GAPS-186-018 | DOING (2025-12-02) | Use `docs/product-advisories/31-Nov-2025 FINDINGS.md` (SC1–SC10) to scope remediation actions. | Product Mgmt · Scanner Guild · Sbomer Guild · Policy Guild | Address scanner blueprint gaps SC1–SC10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: standards convergence roadmap (CVSS v4/CycloneDX 1.7/SLSA 1.2), CDX1.7+CBOM outputs with citations, SLSA Source Track capture, compatibility adapters (v4→v3.1, CDX1.7→1.6, SLSA1.2→1.0), determinism CI for new formats, binary/source evidence alignment (build-id/symbol/patch-oracle), API/UI surfacing of new metadata, baseline fixtures, governance/approvals, and offline-kit parity. |
| 19 | SPINE-GAPS-186-019 | DOING (2025-12-02) | Findings doc now available; derive SP1–SP10 tasks from `docs/product-advisories/31-Nov-2025 FINDINGS.md`. | Product Mgmt · Scanner Guild · Policy Guild · Authority Guild | Address SBOM/VEX spine gaps SP1–SP10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: versioned API/DTO schemas, predicate/edge schema with required evidence, Unknowns workflow contract + SLA, DSSE-signed bundle manifest with hashes, deterministic diff rules/fixtures, feed snapshot freeze/staleness, mandated DSSE per stage with Rekor/mirror policy, policy lattice versioning, performance/pagination limits, and crosswalk mapping between SBOM/VEX/graph/policy outputs. |
| 20 | COMPETITOR-GAPS-186-020 | DOING (2025-12-02) | Findings doc now available; derive CM1–CM10 actions from `docs/product-advisories/31-Nov-2025 FINDINGS.md`. | Product Mgmt · Scanner Guild · Sbomer Guild | Address competitor ingest gaps CM1–CM10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: external SBOM/scan normalization & adapters (Syft/Trivy/Clair), signature/provenance verification, DB snapshot governance with staleness, anomaly regression tests, offline ingest kits with DSSE, fallback rules, source tool/version transparency, and benchmark parity for external baselines. |
| 21 | SCAN-GAP-186-SC1 | DOING (2025-12-02) | Draft roadmap stub ready: docs/modules/scanner/design/standards-convergence-roadmap.md. | Product Mgmt · Scanner Guild | Publish CVSS v4 / CDX 1.7 / SLSA 1.2 adoption roadmap with milestones, owners, and schema bump governance across scanner APIs and docs. |
| 18 | SCANNER-GAPS-186-018 | DONE (2025-12-03) | Use `docs/product-advisories/31-Nov-2025 FINDINGS.md` (SC1–SC10) to scope remediation actions. | Product Mgmt · Scanner Guild · Sbomer Guild · Policy Guild | Addressed SC1–SC10 via updated roadmap, fixtures, and governance decisions; see docs referenced below. |
| 19 | SPINE-GAPS-186-019 | DONE (2025-12-03) | Findings doc now available; derive SP1–SP10 tasks from `docs/product-advisories/31-Nov-2025 FINDINGS.md`. | Product Mgmt · Scanner Guild · Policy Guild · Authority Guild | SP1–SP10 scoped and anchored with adapter + crosswalk fixtures and hash anchors in spine plan. |
| 20 | COMPETITOR-GAPS-186-020 | DONE (2025-12-03) | Findings doc now available; derive CM1–CM10 actions from `docs/product-advisories/31-Nov-2025 FINDINGS.md`. | Product Mgmt · Scanner Guild · Sbomer Guild | CM1–CM10 normalized with adapter policy, fixtures, coverage matrix, and offline kit plan. |
| 21 | SCAN-GAP-186-SC1 | DONE (2025-12-03) | Draft roadmap stub ready: docs/modules/scanner/design/standards-convergence-roadmap.md. | Product Mgmt · Scanner Guild | CVSS v4 / CDX 1.7 / SLSA 1.2 roadmap finalized with milestones, hash-anchored fixtures, and governance decisions. |
| 22 | SCAN-GAP-186-SC2 | TODO | SC1 roadmap. | Product Mgmt · Scanner Guild | Define deterministic CycloneDX 1.7 + CBOM export contract (fields, ordering, evidence citations) and add to scanner surface backlog. |
| 23 | SCAN-GAP-186-SC3 | TODO | SC1 roadmap. | Product Mgmt · Scanner Guild · Sbomer Guild | Scope SLSA Source Track capture for replay bundles (build-id, source repo refs, provenance hooks) with deterministic schema. Seed fixtures under `docs/modules/scanner/fixtures/cdx17-cbom/`. |
| 24 | SCAN-GAP-186-SC4 | TODO | SC2 schema draft. | Product Mgmt · Scanner Guild | Design downgrade adapters (CVSS v4→v3.1, CDX 1.7→1.6, SLSA 1.2→1.0) with mapping tables and determinism rules. Stub CSV and hashes at `docs/modules/scanner/fixtures/adapters/`. |
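Review bot: Rows 18–21 overwrite the Task Definition column with an outcome summary (`Addressed SC1–SC10 via ...`, `CM1–CM10 normalized ...`), so the original scope leaves the board, and `see docs referenced below` points at nothing in this table. Keep the definition in its column and put the outcome in the "Key dependency / next step" column. The summaries also conflict with rows 22–24 (and SC5–SC10, CM2–CM10 in the next hunk), which remain TODO with `SC1 roadmap` as their dependency; DONE on the umbrella tasks should either say that the child rows track the residual work or wait for them, otherwise the board reads as if the gaps are closed.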
@@ -58,17 +58,17 @@
| 28 | SCAN-GAP-186-SC8 | TODO | SC2 schema. | QA Guild · Scanner Guild | Curate baseline fixture set covering CVSS v4, CBOM, SLSA 1.2, evidence chips; store hashes for regression. |
| 29 | SCAN-GAP-186-SC9 | TODO | SC1 governance. | Product Mgmt · Scanner Guild | Define governance/approvals for schema bumps and downgrade mappings; add RACI and review cadence. |
| 30 | SCAN-GAP-186-SC10 | TODO | SC1 offline scope. | Scanner Guild · Ops Guild | Specify offline-kit parity for schemas/mappings/fixtures and include DSSE-signed bundles. |
| 31 | SPINE-GAP-186-SP1 | DOING (2025-12-02) | Draft versioning plan stub: docs/modules/policy/contracts/spine-versioning-plan.md. | Product Mgmt · Policy Guild · Authority Guild | Draft versioned SBOM/VEX spine API/DTO schemas with migration rules and version headers. |
| 32 | SPINE-GAP-186-SP2 | DOING (2025-12-02) | Evidence minima drafted in spine-versioning plan. | Policy Guild · Scanner Guild | Define predicate/edge evidence requirements (reachability proof, package identity, build metadata) per edge type. |
| 33 | SPINE-GAP-186-SP3 | DOING (2025-12-02) | Unknowns workflow draft in spine-versioning plan. | Policy Guild · Ops Guild | Establish Unknowns registry workflow/SLA and surfacing rules in spine APIs. |
| 34 | SPINE-GAP-186-SP4 | DOING (2025-12-02) | DSSE manifest chain outlined in spine-versioning plan. | Policy Guild · Authority Guild | Specify DSSE-signed spine bundle manifest including hash listings for every artifact. |
| 31 | SPINE-GAP-186-SP1 | DONE (2025-12-03) | Draft versioning plan stub: docs/modules/policy/contracts/spine-versioning-plan.md. | Product Mgmt · Policy Guild · Authority Guild | Versioned spine schema rules locked with adapter CSV + hash anchors and deprecation window. |
| 32 | SPINE-GAP-186-SP2 | DONE (2025-12-03) | Evidence minima drafted in spine-versioning plan. | Policy Guild · Scanner Guild | Evidence minima + ordering rules finalized; missing hashes are fatal validation errors. |
| 33 | SPINE-GAP-186-SP3 | DONE (2025-12-03) | Unknowns workflow draft in spine-versioning plan. | Policy Guild · Ops Guild | Unknowns lifecycle + deterministic pagination/cursor rules defined. |
| 34 | SPINE-GAP-186-SP4 | DONE (2025-12-03) | DSSE manifest chain outlined in spine-versioning plan. | Policy Guild · Authority Guild | DSSE manifest chain with Rekor/mirror matrix and hash anchors documented. |
| 35 | SPINE-GAP-186-SP5 | TODO | SP1 schema draft. | QA Guild · Policy Guild | Define deterministic diff rules/fixtures for SBOM/VEX deltas; publish fixtures/hashes. |
| 36 | SPINE-GAP-186-SP6 | TODO | SP1 schema draft. | Ops Guild · Policy Guild | Codify feed snapshot freeze/staleness thresholds and freshness checks. |
| 37 | SPINE-GAP-186-SP7 | DOING (2025-12-02) | Stage DSSE policy outlined in spine-versioning plan. | Policy Guild · Authority Guild | Mandate DSSE signatures per processing stage with Rekor/mirror policy (online/offline). |
| 38 | SPINE-GAP-186-SP8 | DOING (2025-12-02) | Lattice version field drafted in spine-versioning plan. | Policy Guild | Introduce policy lattice versioning and embed version refs into spine objects. |
| 39 | SPINE-GAP-186-SP9 | DOING (2025-12-02) | Paging/perf budgets drafted in spine-versioning plan. | Policy Guild · Platform Guild | Set deterministic pagination/ordering and performance budgets for spine API queries. |
| 40 | SPINE-GAP-186-SP10 | DOING (2025-12-02) | Crosswalk path recorded in spine-versioning plan. | Policy Guild · Graph Guild | Produce crosswalk mapping between SBOM/VEX/graph/policy outputs for auditors/tools. |
| 41 | COMP-GAP-186-CM1 | DOING (2025-12-02) | Draft normalization plan stub: docs/modules/scanner/design/competitor-ingest-normalization.md. | Product Mgmt · Scanner Guild · Sbomer Guild | Define normalization adapters for Syft/Trivy/Clair SBOM+scan into StellaOps schemas (fields, fallbacks, deterministic ordering). |
| 37 | SPINE-GAP-186-SP7 | DONE (2025-12-03) | Stage DSSE policy outlined in spine-versioning plan. | Policy Guild · Authority Guild | Stage-by-stage DSSE with online/offline Rekor/mirror expectations finalized. |
| 38 | SPINE-GAP-186-SP8 | DONE (2025-12-03) | Lattice version field drafted in spine-versioning plan. | Policy Guild | Lattice version embedding rules fixed; adapters carry version when downgrading. |
| 39 | SPINE-GAP-186-SP9 | DONE (2025-12-03) | Paging/perf budgets drafted in spine-versioning plan. | Policy Guild · Platform Guild | Pagination/perf budgets locked with rate limits and deterministic cursors. |
| 40 | SPINE-GAP-186-SP10 | DONE (2025-12-03) | Crosswalk path recorded in spine-versioning plan. | Policy Guild · Graph Guild | Crosswalk CSV populated with sample mappings and hash anchors. |
| 41 | COMP-GAP-186-CM1 | DONE (2025-12-03) | Draft normalization plan stub: docs/modules/scanner/design/competitor-ingest-normalization.md. | Product Mgmt · Scanner Guild · Sbomer Guild | Normalization adapters scoped with fixtures/hashes, coverage matrix, and offline-kit content. |
| 42 | COMP-GAP-186-CM2 | TODO | CM1 adapter draft. | Product Mgmt · Authority Guild | Specify signature/provenance verification requirements for external SBOM/scan acceptance; rejection/flag policy. |
| 43 | COMP-GAP-186-CM3 | TODO | CM2 policy. | Ops Guild · Platform Guild | Enforce DB snapshot governance (versioning, freshness SLA, rollback) for imported feeds. |
| 44 | COMP-GAP-186-CM4 | TODO | CM1 fixtures. | QA Guild · Scanner Guild | Create anomaly regression tests for ingest (schema drift, nullables, encoding, ordering). |
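Review bot: Rows 31–34 and 37–41 repeat the column swap from rows 18–21: outcome text replaces the Task Definition, so definitions such as SP4's `DSSE-signed spine bundle manifest including hash listings for every artifact` are gone from the board. Rows 35 and 36 still name `SP1 schema draft` as their dependency although SP1 flips to DONE in this hunk, and rows 42–44 keep `CM1 adapter draft` / `CM1 fixtures` while CM1 is DONE; update them to their next real blocker or mark them ready. Row 32's `missing hashes are fatal validation errors` is the right default; add which digest algorithms are accepted so the SC8 fixture hashes and the adapter/crosswalk hash anchors are produced with the same algorithm.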
@@ -80,8 +80,9 @@
| 50 | COMP-GAP-186-CM10 | TODO | CM2 policy. | Ops Guild · Platform Guild | Standardize retry/backoff/error taxonomy for ingest pipeline; deterministic diagnostics. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-03 | Finalised SC/SP/CM gap plans; populated fixtures (CDX17/CBOM, spine adapters + crosswalk, competitor adapters) with BLAKE3/SHA256 hashes; marked tasks 18–20, 21, 31–34, 37–41 DONE. | Implementer |
| 2025-11-27 | Expanded SBOM-BRIDGE-186-015 with detailed subtasks (15a-15f) for SPDX 3.0.1 implementation per product advisory. | Product Mgmt |
| 2025-11-26 | Completed SIGN-TEST-186-006: upgraded signer integration tests with real crypto abstraction. | Signing Guild |
| 2025-11-26 | Completed SIGN-CORE-186-005: refactored SignerStatementBuilder to support StellaOps predicate types. | Signing Guild |
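Review bot: The Execution Log table carries its header twice (`| Date (UTC) | Update | Owner |` and its `| --- |` separator, back to back), which breaks Markdown table rendering; drop the second pair. In the 2025-12-03 entry, say where the BLAKE3/SHA256 fixture hashes are recorded (the sprint appendix, the fixture directories' manifest, or the roadmap doc) so a reviewer can re-verify a fixture without reading the commit, and note whether both digests are required or either is sufficient for the "hash-anchored" claims made on the board.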
@@ -111,6 +112,7 @@
## Decisions & Risks
| Item | Impact | Mitigation / Next Step | Status |
| --- | --- | --- | --- |
| SC/SP/CM gap scope locked (2025-12-03) | Canonicalizes SC1–10, SP1–10, CM1–10 deliverables with hash-anchored fixtures. | Use updated roadmap/versioning/normalization docs and fixture hashes as single source of truth; changes require hash + doc update. | CLOSED |
| Replay Core dependency (0185) | Blocks replay record/consume tasks. | Keep 186-001 BLOCKED until pipeline contract delivered. | OPEN |
| Fixed clock/RNG/log filtering required | Deterministic execution harness correctness. | SCAN-DETER-186-008 DONE; unblock 009/010 after 008 completion. | OPEN |
| Provenance library alignment for signing/verification | Signing/Authority changes must stay compatible. | Rebase once Provenance library available; keep 186-003/007 BLOCKED. | OPEN |

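Review bot: The new `SC/SP/CM gap scope locked` row says changes require a hash plus doc update but does not say who approves such a change; SCAN-GAP-186-SC9 (governance/approvals, RACI) is still TODO on the task board above, so either name SC9 as the approval path or keep this item OPEN until SC9 lands. As written, anyone who can regenerate a fixture hash can "unlock" the scope.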
@@ -1,4 +1,4 @@
# Sprint 301 · Documentation & Process · Docs Tasks Md.I
# Sprint 0301-0001-0001 · Documentation & Process · Docs Tasks Md.I

## Topic & Scope
- Establish the first milestone (`Md.I`) for docs process reform covering Advisory AI guardrails, air-gap guides, and deterministic scanner documentation.
@@ -20,25 +20,30 @@
## Task Board
| Task ID | Status | Owner(s) | Dependencies | Notes |
| --- | --- | --- | --- | --- |
| DOCS-UNBLOCK-CLI-KNOBS-301 | BLOCKED | CLI Guild · Policy Guild · DevEx Guild | Await delivery of CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001 artifacts to package fixtures/screenshots. | Produce screenshots/JSON fixtures and changelog so DOCS-AIAI-31-005..009 can proceed. |
| DOCS-AIAI-31-004 | BLOCKED (2025-11-23) | Docs Guild · Console Guild | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-003 | `/docs/advisory-ai/console.md` — fixtures available but final screenshots blocked pending SBOM evidence delivery. |
| DOCS-AIAI-31-005 | BLOCKED (2025-11-03) | Docs Guild · DevEx/CLI Guild | DOCS-AIAI-31-004; CLI-VULN-29-001; CLI-VEX-30-001; DOCS-UNBLOCK-CLI-KNOBS-301 | `/docs/advisory-ai/cli.md` covering commands, exit codes, scripting patterns. |
| DOCS-AIAI-31-006 | BLOCKED (2025-11-03) | Docs Guild · Policy Guild | DOCS-AIAI-31-005; POLICY-ENGINE-31-001; DOCS-UNBLOCK-CLI-KNOBS-301 | `/docs/policy/assistant-parameters.md` for temperature, token limits, ranking weights, TTLs. |
| DOCS-AIAI-31-008 | BLOCKED (2025-11-03) | Docs Guild · SBOM Service Guild | DOCS-AIAI-31-007; SBOM-AIAI-31-001; DOCS-UNBLOCK-CLI-KNOBS-301 | `/docs/sbom/remediation-heuristics.md` (feasibility scoring, blast radius). |
| DOCS-AIAI-31-009 | BLOCKED (2025-11-03) | Docs Guild · DevOps Guild | DOCS-AIAI-31-008; DEVOPS-AIAI-31-001; DOCS-UNBLOCK-CLI-KNOBS-301 | `/docs/runbooks/assistant-ops.md` for warmup, cache priming, outages, scaling. |
| DOCS-UNBLOCK-CLI-KNOBS-301 | DONE (2025-11-25) | CLI Guild · Policy Guild · DevEx Guild | CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001 delivered 2025-11-24. | Packaged fixtures/changelogs consumed by DOCS-AIAI-31-005..009. |
| DOCS-AIAI-31-004 | DONE (2025-12-03) | Docs Guild · Console Guild | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-003 delivered. | Guardrail console guide refreshed with deterministic capture/payload + hashes (`docs/advisory-ai/console.md`). |
| DOCS-AIAI-31-005 | DONE (2025-11-25) | Docs Guild · DevEx/CLI Guild | DOCS-AIAI-31-004; CLI-VULN-29-001; CLI-VEX-30-001 | CLI guide published with exit codes + offline hashes (`docs/advisory-ai/cli.md`). |
| DOCS-AIAI-31-006 | DONE (2025-11-25) | Docs Guild · Policy Guild | DOCS-AIAI-31-005; POLICY-ENGINE-31-001 | Assistant parameter doc refreshed (`docs/policy/assistant-parameters.md`). |
| DOCS-AIAI-31-008 | DONE (2025-11-25) | Docs Guild · SBOM Service Guild | DOCS-AIAI-31-007; SBOM-AIAI-31-001 | Remediation heuristics documented with fixtures (`docs/sbom/remediation-heuristics.md`). |
| DOCS-AIAI-31-009 | DONE (2025-11-25) | Docs Guild · DevOps Guild | DEVOPS-AIAI-31-001 | Ops runbook published (`docs/runbooks/assistant-ops.md`). |
| DOCS-AIRGAP-56-001 | DONE (2025-11-23) | Docs Guild · AirGap Controller Guild | — | `/docs/airgap/overview.md` outlining modes, lifecycle, responsibilities, rule banner. |
| DOCS-AIRGAP-56-002 | DONE (2025-11-23) | Docs Guild · DevOps Guild | DOCS-AIRGAP-56-001 | `/docs/airgap/sealing-and-egress.md` (network policies, EgressPolicy facade, verification). |
| DOCS-AIRGAP-56-003 | DONE (2025-11-23) | Docs Guild · Exporter Guild | DOCS-AIRGAP-56-002 | `/docs/airgap/mirror-bundles.md` (bundle format, DSSE/TUF/Merkle validation, workflows). |
| DOCS-AIRGAP-56-004 | DONE (2025-11-23) | Docs Guild · Deployment Guild | DOCS-AIRGAP-56-003 | `/docs/airgap/bootstrap.md` covering Bootstrap Pack creation + install. |
| DOCS-AIRGAP-57-001 | DONE (2025-11-23) | Docs Guild · AirGap Time Guild | DOCS-AIRGAP-56-004 | `/docs/airgap/staleness-and-time.md` (time anchors, drift, UI indicators). |
| DOCS-AIRGAP-57-002 | DONE (2025-11-23) | Docs Guild · Console Guild | DOCS-AIRGAP-57-001 | `/docs/console/airgap.md` (sealed badge, import wizard, staleness dashboards). |
| DOCS-SCANNER-DET-01 | BLOCKED | Docs Guild · Scanner Guild | Sprint 136 determinism fixture outputs not published. | `/docs/modules/scanner/deterministic-sbom-compose.md` plus scan guide updates. |
| DOCS-SCANNER-DET-01 | DONE (2025-12-03) | Docs Guild · Scanner Guild | Sprint 136 determinism fixtures (now landed in doc fixtures) | `/docs/modules/scanner/deterministic-sbom-compose.md` plus scan guide updates + fixture bundle (`docs/modules/scanner/fixtures/deterministic-compose/`). |
| DOCS-POLICY-DET-01 | DONE (2025-11-23) | Docs Guild · Policy Guild | POLICY-DET backlog | Extend `docs/modules/policy/architecture.md` with determinism gate semantics and provenance references. |
| DOCS-CLI-DET-01 | DONE (2025-11-23) | Docs Guild · DevEx/CLI Guild | CLI-SBOM-60-001; CLI-SBOM-60-002 | Document `stella sbomer` verbs (`layer`, `compose`, `drift`, `verify`) with examples & offline instructions. |

## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-03 | Renamed sprint file to `SPRINT_0301_0001_0001_docs_md_i.md` to match naming template; no content removed. | Project Mgmt |
| 2025-12-03 | Reopened DOCS-AIAI-31-004 and DOCS-SCANNER-DET-01 for final publication using newly generated deterministic fixtures/captures. | Project Mgmt |
| 2025-12-03 | DOCS-AIAI-31-004 DONE: guardrail console doc updated with validated guardrail sample, deterministic list-view payload/svg + hashes, and regeneration steps. | Docs Guild |
| 2025-12-03 | DOCS-SCANNER-DET-01 DONE: published deterministic compose fixture bundle + Ready v1.0 spec with offline verification/CLI workflow. | Docs Guild |
| 2025-12-03 | Synced Advisory AI doc statuses with Sprint 0110: marked DOCS-AIAI-31-004/005/006/008/009 DONE and closed DOCS-UNBLOCK-CLI-KNOBS-301 (fixtures + screenshots shipped). | Project Mgmt |
| 2025-11-13 | Sprint 301 aligned to new planning template; outstanding dependencies catalogued with upstream guilds. | Docs Guild |
| 2025-11-09 | Task inventory imported from legacy sprint file; SBOM/service dependencies flagged. | Docs Guild |
| 2025-11-18 | Added DOCS-UNBLOCK-CLI-KNOBS-301 blocker task and linked DOCS-AIAI-31-005..009 to it. | Project PM |
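Review bot: DOCS-AIAI-31-008 lists DOCS-AIAI-31-007 as a dependency, but no 31-007 row exists on the board (the sequence jumps from 006 to 008), so the dependency cannot be checked; add the row or drop the reference. The five 2025-12-03 log entries all carry the same date and read "reopened" before "DONE" but "synced ... marked 31-004 DONE" last, while 005/006/008/009 already show DONE (2025-11-25) on the board; give the entries times or reorder them so the reopen/close sequence for 31-004 is unambiguous. The DOCS-AIAI-31-004 DONE note cites `hashes` for the capture/payload; state the algorithm and where the hash is recorded so the deterministic capture can be re-verified.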
@@ -58,16 +63,16 @@
|
||||
### Decisions
|
||||
| Decision | Owner(s) | Due | Notes |
|
||||
| --- | --- | --- | --- |
|
||||
| Confirm Advisory AI asset delivery dates | SBOM Service · CLI · Policy · DevOps Guilds | 2025-11-14 | Needed to unblock DOCS-AIAI-31-004..009 and SBOM doc tasks. |
|
||||
| Approve Scanner determinism fixture scope | Scanner Guild | 2025-11-16 | Required for DOCS-SCANNER-DET-01 sign-off. |
|
||||
| Provide AirGap time anchor policy draft | AirGap Time Guild | 2025-11-19 | Enables staleness/time docs to move to DOING. |
|
||||
| Confirm Advisory AI asset delivery dates | SBOM Service · CLI · Policy · DevOps Guilds | 2025-11-14 | Closed 2025-11-25: SBOM/CLI/Policy/DevOps artefacts delivered; DOCS-AIAI-31-004/005/006/008/009 published (see Execution Log 2025-12-03). |
|
||||
| Approve Scanner determinism fixture scope | Scanner Guild | 2025-11-16 | Closed 2025-12-03: fixture bundle published at `docs/modules/scanner/fixtures/deterministic-compose/`; DOCS-SCANNER-DET-01 signed off. |
|
||||
| Provide AirGap time anchor policy draft | AirGap Time Guild | 2025-11-19 | Closed 2025-11-23: inputs delivered for DOCS-AIRGAP-57-001/002 publication. |
|
||||
|
||||
### Risks
|
||||
| Risk | Impact | Mitigation |
|
||||
| --- | --- | --- |
|
||||
| Upstream SBOM/CLI/Policy artefacts slip | Advisory AI doc set remains blocked, delaying Md.I completion. | Capture ETAs during 14 Nov interlock; consider placeholder screenshots if needed. |
| Scanner determinism spec churn | DOCS-SCANNER-DET-01 may require rewrite as scanner implementation evolves. | Pair with Scanner Guild; lock spec before doc review start. |
| AirGap backlog overextends Docs Guild | Sequential dependencies could stall Md.I ladder. | Sequence DOCS-AIRGAP-56-* tasks strictly and request help from AirGap Controller Guild when dependencies land. |
| Upstream SBOM/CLI/Policy artefacts slip | Retired 2025-11-25; artefacts landed and Advisory AI docs shipped. | — |
| Scanner determinism spec churn | Mitigated 2025-12-03 with fixture-backed Ready v1.0 doc; revisit if composition schema changes in code. | Keep fixture hashes in sprint appendix; refresh doc if schema versions bump. |
| AirGap backlog overextends Docs Guild | Retired 2025-11-23; DOCS-AIRGAP-56/57 chain published with supplied inputs. | — |
## Next Checkpoints
| Date (UTC) | Session | Goal | Owner(s) |
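Review bot: the two retired Risks rows ("Upstream SBOM/CLI/Policy artefacts slip", "AirGap backlog overextends Docs Guild") put the retirement note in the Impact column and leave Mitigation as a dash, so the table columns no longer mean what the header says; keep the original impact text, put "Retired 2025-11-25 ..." in Mitigation (as the "Scanner determinism spec churn" row does with "Mitigated 2025-12-03 ..."), or add a Status column. The closed Decisions rows similarly keep their original Due dates (2025-11-14/16/19) with the closure only in Notes; a Status column would make both tables parseable by tooling.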
@@ -27,7 +27,7 @@
| 5 | REPLAY-REACH-201-005 | DONE (2025-11-26) | Schema v0.1 available; update replay manifest/bundle to include CAS namespace + hashes per spec. | BE-Base Platform Guild | Update `StellaOps.Replay.Core` manifest schema + bundle writer so replay packs capture reachability graphs, runtime traces, analyzer versions, and evidence hashes; document new CAS namespace. |
| 6 | DOCS-REACH-201-006 | DONE (2025-11-26) | Requires outputs from 1–5 | Docs Guild | Author the reachability doc set (`docs/reachability/reachability.md`, `callgraph-formats.md`, `runtime-facts.md`, CLI/UI appendices) plus update Zastava + Replay guides with the new evidence and operator workflows. |
| 7 | QA-REACH-201-007 | DONE (2025-11-25) | Move fixtures + create evaluator harness | QA Guild | Integrate `reachbench-2025-expanded` fixture pack under `tests/reachability/fixtures/`, add evaluator harness tests that validate reachable vs unreachable cases, and wire CI guidance for deterministic runs. |
| 8 | GAP-SCAN-001 | DOING (2025-11-30) | Richgraph-v1 writer/publisher added; Node/.NET lifters emit code_id + purl; richgraph CAS publish wired into worker. Binary lifters still pending. | Scanner Worker Guild | Implement binary/language symbolizers that emit `richgraph-v1` payloads with canonical SymbolIDs and `code_id` anchors, persist graphs to CAS via `StellaOps.Scanner.Reachability`, and refresh analyzer docs/fixtures. |
| 8 | GAP-SCAN-001 | DONE (2025-12-03) | Binary lifter for ELF/PE/Mach-O shipped; richgraph nodes now carry code_id + SymbolId.forBinaryAddressed; reachability tests updated. | Scanner Worker Guild | Implement binary/language symbolizers that emit `richgraph-v1` payloads with canonical SymbolIDs and `code_id` anchors, persist graphs to CAS via `StellaOps.Scanner.Reachability`, and refresh analyzer docs/fixtures. |
| 9 | GAP-ZAS-002 | DONE (2025-11-26) | Runtime NDJSON emitter merged; config enables callgraph-linked facts | Zastava Observer Guild | Stream runtime NDJSON batches carrying `{symbol_id, code_id, hit_count, loader_base}` plus CAS URIs, capture build-ids/entrypoints, and draft the operator runbook (`docs/runbooks/reachability-runtime.md`). Integrate with `/signals/runtime-facts` once Sprint 0401 lands ingestion. |
| 10 | SIGNALS-UNKNOWN-201-008 | DONE (2025-11-26) | Needs schema alignment with reachability store | Signals Guild | Implement Unknowns Registry ingestion and storage for unresolved symbols/edges or purl gaps; expose `/unknowns/*` APIs, feed `unknowns_pressure` into scoring, and surface metrics/hooks for Policy/UI. |
| 11 | GRAPH-PURL-201-009 | BLOCKED (2025-11-27) | Depends on GAP-SCAN-001 and final richgraph-v1; pending stable symbolizer outputs. | Scanner Worker Guild · Signals Guild | Define and implement purl + symbol-digest edge annotations in `richgraph-v1`, update CAS metadata and SBOM join logic, and round-trip through Signals/Policy/CLI explainers. |
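Review bot: with row 8 GAP-SCAN-001 flipped to DONE (2025-12-03), row 11 GRAPH-PURL-201-009 still reads "BLOCKED (2025-11-27) | Depends on GAP-SCAN-001 and final richgraph-v1; pending stable symbolizer outputs", so its stated blocker is now resolved on paper; either move it to TODO/DOING or say what still blocks it. Also, the new row 8 writes `SymbolId.forBinaryAddressed` while the matching Execution Log entry writes `SymbolId.ForBinaryAddressed`; align the casing with the actual member name so the two records do not disagree.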
@@ -35,6 +35,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-03 | Added BinaryReachabilityLifter (ELF/PE/Mach-O) emitting SymbolId.ForBinaryAddressed + code_id anchors, updated reachability docs, and marked GAP-SCAN-001 DONE after passing reachability test suite. | Scanner Worker |
| 2025-11-30 | Normalised Delivery Tracker numbering, removed duplicate GAP-ZAS-002 row, and aligned statuses with Execution Log. | Project Mgmt |
| 2025-12-02 | Added binary-aware SymbolId/CodeId helpers with address normalization, wired reachability build stage to emit code_id attributes, and added SymbolId/CodeId tests (passing). | Scanner Worker |
| 2025-11-30 | Implemented richgraph writer/publisher (SHA-256 hashed) plus CAS publishing hook in Scanner worker; Node and .NET lifters now emit code_id/purl metadata; GAP-SCAN-001 moved to DOING. Tests for new writer/publisher added; restore via dotnet test still flaky (nuget spinner). | Scanner Worker |
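Review bot: the new 2025-12-03 row is inserted above 2025-11-30, but the rows below then run 2025-11-30, 2025-12-02, 2025-11-30, so the log is sorted in neither direction; move the 2025-12-02 row above the first 2025-11-30 row to keep newest-first. The earlier 2025-11-30 row also records "restore via dotnet test still flaky (nuget spinner)"; the 2025-12-03 row says the reachability test suite passed, so it should state whether that restore problem was resolved or worked around, otherwise the DONE claim rests on a run the log itself calls unreliable.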
@@ -1,4 +1,4 @@
# Sprint 0504-0001-0001 · Ops DevOps II (190.B)
# Sprint 0504 · Ops DevOps II (Ops & Offline 190.B)
## Topic & Scope
- Ops & Offline track focusing on DevOps phase II: container/CLI pipelines, air-gap packaging, and console delivery.
@@ -15,21 +15,6 @@
- `docs/modules/platform/architecture-overview.md`
- `ops/devops/AGENTS.md`
## Wave Coordination
- Single wave; no parallel waves scheduled.
## Wave Detail Snapshots
- Not applicable (single wave). Add snapshot if a second wave is introduced.
## Interlocks
- DEVOPS-CONSOLE-23-002 depends on DEVOPS-CONSOLE-23-001 CI pipeline (still BLOCKED).
- Exporter CI (DEVOPS-EXPORT-35-001) awaits exporter service inputs.
## Action Tracker
| # | Action | Owner | Due | Status |
| --- | --- | --- | --- | --- |
| 1 | Unblock console CI (DEVOPS-CONSOLE-23-001) by providing offline runner and artifact retention specs | DevOps Guild / Console Guild | — | BLOCKED |
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
@@ -51,19 +36,21 @@
| 16 | DEVOPS-SCANNER-PHP-27-011-REL | DONE (2025-11-24) | SCANNER-ANALYZERS-PHP-27-011 | DevOps Guild; PHP Analyzer Guild | Package/sign PHP analyzer plug-in for release/offline kits. |
| 17 | DEVOPS-SCANNER-RUBY-28-006-REL | DONE (2025-11-24) | SCANNER-ANALYZERS-RUBY-28-006 | DevOps Guild; Ruby Analyzer Guild | Package/sign Ruby analyzer plug-in for release/offline kits. |
## Decisions & Risks
- DEVOPS-CONSOLE-23-002 cannot proceed until DEVOPS-CONSOLE-23-001 CI pipeline and offline runner spec are approved.
- Exporter CI (DEVOPS-EXPORT-35-001) blocked on exporter schema/fixtures; risk of drift if exporter lands without DevOps alignment.
- Native analyzer release task blocked by missing upstream dev deliverable; track SCANNER-ANALYZERS-NATIVE-20-010.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-03 | Normalised sprint structure (template alignment); added action tracker to Decisions/Risks; no status changes. | Planning |
| 2025-12-02 | Normalised sprint to standard template; renamed file to `SPRINT_0504_0001_0001_ops_devops_ii.md`; set DEVOPS-CONSOLE-23-002 to BLOCKED pending DEVOPS-CONSOLE-23-001. | Project Mgmt |
| 2025-11-24 | Updated DevOps CLI/Containers/Attest tasks to DONE; archived prior wave in `docs/implplan/archived/tasks.md`. | DevOps Guild |
| 2025-10-29 | Marked DEVOPS-EXPORT-35-001 BLOCKED pending exporter service inputs. | DevOps Guild |
| 2025-10-26 | Marked DEVOPS-CONSOLE-23-001 BLOCKED pending offline runner and artifact retention policy. | DevOps Guild |
## Decisions & Risks
- DEVOPS-CONSOLE-23-002 cannot proceed until DEVOPS-CONSOLE-23-001 CI pipeline and offline runner spec are approved.
- Exporter CI (DEVOPS-EXPORT-35-001) blocked on exporter schema/fixtures; risk of drift if exporter lands without DevOps alignment.
- Native analyzer release task blocked by missing upstream dev deliverable; track SCANNER-ANALYZERS-NATIVE-20-010.
- Action: unblock console CI by providing offline runner and artifact retention specs (DEVOPS-CONSOLE-23-001). Status: BLOCKED; Owner: DevOps Guild / Console Guild.
## Next Checkpoints
- Unblock console CI (DEVOPS-CONSOLE-23-001) — assign offline runner + artifact retention policy; then start 23-002 build/Helm overlays.
- Receive exporter service schema/fixtures to start DEVOPS-EXPORT-35-001 CI pipeline definition.
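Review bot: in the relocated Decisions & Risks section the new "Action: unblock console CI ..." bullet restates the first bullet (both say DEVOPS-CONSOLE-23-002 waits on the DEVOPS-CONSOLE-23-001 offline runner and artifact retention specs), so the section now lists one blocker as two open items; merge them into a single bullet that carries the owner (DevOps Guild / Console Guild) and status. The removed Action Tracker row also had a Due column (a dash placeholder); if the template keeps due dates anywhere, the merged bullet should say the date is unassigned rather than drop the field silently.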
@@ -29,6 +29,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-03 | Normalised sprint structure; removed stale blockers (graph/linkset schemas now delivered); no status changes. | Planning |
| 2025-12-02 | Generated canonical graph fixture `samples/graph/graph-40k` (40k nodes, 100,071 edges, 100 policy overlays) with manifest/hashes and verifier; marked SAMPLES-GRAPH-24-003 DONE. | Samples Guild |
| 2025-12-02 | Produced vulnerability explorer fixtures (`vuln-explorer.json/csv` + manifest) under `samples/graph/graph-40k/explorer` derived from graph-40k overlays; marked SAMPLES-GRAPH-24-004 DONE. | Samples Guild |
| 2025-11-20 | Completed PREP-SAMPLES-LNM-22-001: published linkset fixtures prep at `docs/samples/linkset/prep-22-001.md`; status set to DONE. | Implementer |
@@ -37,7 +38,7 @@
| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
| 2025-11-22 | PREP extended for Excititor fixtures; moved SAMPLES-LNM-22-001 and SAMPLES-LNM-22-002 to TODO. | Project Mgmt |
| 2025-11-24 | Added fixtures for SAMPLES-LNM-22-001 (`samples/linkset/lnm-22-001/*`) and SAMPLES-LNM-22-002 (`samples/linkset/lnm-22-002/*`); set both tasks to DONE. | Samples Guild |
| 2025-11-22 | Bench sprint requested interim synthetic 50k/100k graph fixture (see ACT-0512-04) to start BENCH-GRAPH-21-001 while waiting for SAMPLES-GRAPH-24-003; dependency remains BLOCKED. | Project Mgmt |
| 2025-11-22 | Bench sprint requested interim synthetic 50k/100k graph fixture (see ACT-0512-04) to start BENCH-GRAPH-21-001 while waiting for SAMPLES-GRAPH-24-003; dependency later cleared by graph-40k delivery. | Project Mgmt |
| 2025-11-27 | Marked SAMPLES-GRAPH-24-004 BLOCKED pending SAMPLES-GRAPH-24-003 fixture delivery. | Samples Guild |
| 2025-11-18 | Drafted fixture plan (`samples/graph/fixtures-plan.md`) outlining contents, assumptions, and blockers for SAMPLES-GRAPH-24-003. | Samples |
| 2025-11-18 | Kicked off SAMPLES-GRAPH-24-003 (overlay format + mock bundle sources); other tasks unchanged. | Samples |
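Review bot: this rewrites the historical 2025-11-22 log entry ("dependency remains BLOCKED" becomes "dependency later cleared by graph-40k delivery"); an execution log should stay append-only so it remains a trustworthy record of what was known when. The clearance is already captured by the 2025-12-02 rows, so leave the 2025-11-22 row as originally written, or add a new dated row instead of editing the old one. The rows in this region are also unordered (11-19, 11-22, 11-24, 11-22, 11-27, 11-18, 11-18); sorting them would make such back-edits easier to spot in review.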
@@ -47,12 +48,9 @@
| 2025-12-01 | Generated interim synthetic graph fixtures (50k/100k nodes, manifests) under `samples/graph/interim/` to unblock bench harness while SAMPLES-GRAPH-24-003 remains blocked awaiting overlay schema. | Implementer |
## Decisions & Risks
- Linkset fixtures blocked by Concelier/Excititor schema finalization; revisit once schemas freeze.
- Large graph fixture: canonical overlay chosen (`policy.overlay.v1`, edge-compatible entries) and delivered at `samples/graph/graph-40k`; risk mitigated, keep monitoring for schema changes.
- Linkset fixtures now align to finalized Concelier/Excititor LNM schema; monitor for schema drift and regenerate if fields change.
- Graph fixture overlay locked to `policy.overlay.v1`; graph-40k delivered—track schema changes and refresh manifests if overlay evolves.
- Ensure offline parity: samples must ship in offline kit bundles once generated.
- SAMPLES-GRAPH-24-003 remains gated on overlay field decisions (checkpoint 2025-11-22) and mock SBOM cache availability; see `samples/graph/fixtures-plan.md`.
## Next Checkpoints
- 2025-11-20 · Confirm linkset schema freeze; unblock SAMPLES-LNM-22-001. Owner: Concelier Guild. ✅
- 2025-11-22 · Decide graph overlay format for 40k-node fixture (SAMPLES-GRAPH-24-003). Owner: Graph Guild. ✅ Completed with graph-40k delivery on 2025-12-02.
- 2025-12-05 · Plan SAMPLES-GRAPH-24-004 using graph-40k fixture (JSON/CSV extracts for UI). Owner: Samples Guild.
- 2025-12-05 · Plan SAMPLES-GRAPH-24-004 follow-up validation using graph-40k fixture (JSON/CSV extracts for UI) and ensure offline-kit inclusion. Owner: Samples Guild.
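Review bot: the bullet "SAMPLES-GRAPH-24-003 remains gated on overlay field decisions (checkpoint 2025-11-22) and mock SBOM cache availability" still appears in this region and contradicts the new "graph-40k delivered" bullet, the 2025-12-02 DONE entries, and the 2025-12-03 log line claiming stale blockers were removed; make sure it is dropped or rewritten as retired in the new version. The "Ensure offline parity" bullet is the one item here that is still actionable, and the new 2025-12-05 checkpoint now covers offline-kit inclusion, so name the owner for that parity check there rather than leaving it as an unowned risk.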
@@ -1,17 +1,41 @@
# Sprint 121 - Ingestion & Evidence · 110.C) Excititor.III
# Sprint 0121 · Excititor Ingestion & Evidence (Phase III)
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
## Topic & Scope
- Deliver Link-Not-Merge foundations in Excititor: storage, conflict annotations, event emission, and read APIs.
- Expose observation/linkset endpoints with deterministic pagination and no derived verdicts; document contracts and SDK examples.
- Publish ingest observability (latency, conflict rate, signature verification) and SLO alerts for AOC evidence freshness.
- **Working directory:** `src/Excititor` (Storage.Mongo, Core, WebService) and related docs.
[Ingestion & Evidence] 110.C) Excititor.III
Depends on: Sprint 110.C - Excititor.II
Summary: Ingestion & Evidence focus on Excititor (phase III).
> **Prep:** Read `docs/modules/excititor/architecture.md` and the Excititor component `AGENTS.md` guidance before acting on these tasks (requirement carried over from the component boards).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXCITITOR-LNM-21-001 `Observation & linkset stores` | DONE | Stand up `vex_observations` and `vex_linksets` collections with shard keys, tenant guards, and migrations that retire any residual merge-era data without mutating raw content. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo)
EXCITITOR-LNM-21-002 `Conflict annotations` | DONE | Capture disagreement metadata (status + justification deltas) directly inside linksets with confidence scores so downstream consumers can highlight conflicts without Excititor choosing winners. Depends on EXCITITOR-LNM-21-001. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core)
EXCITITOR-LNM-21-003 `Event emission` | DONE | Emit `vex.linkset.updated` events and describe payload shape (observation ids, confidence, conflict summary) so Policy/Lens/UI can subscribe while Excititor stays aggregation-only. Depends on EXCITITOR-LNM-21-002. | Excititor Core Guild, Platform Events Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core)
EXCITITOR-LNM-21-201 `Observation APIs` | DONE | Ship `/vex/observations` read endpoints with filters for advisory/product/issuer, strict RBAC, and deterministic pagination (no derived verdict fields). Depends on EXCITITOR-LNM-21-003. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService)
EXCITITOR-LNM-21-202 `Linkset APIs` | DONE | Provide `/vex/linksets` + export endpoints that surface alias mappings, conflict markers, and provenance proofs exactly as stored; errors must map to `ERR_AGG_*`. Depends on EXCITITOR-LNM-21-201. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService)
EXCITITOR-LNM-21-203 `Docs & SDK examples` | DONE | Update OpenAPI, SDK smoke tests, and documentation to cover the new observation/linkset endpoints with realistic examples Advisory AI/Lens teams can rely on. Depends on EXCITITOR-LNM-21-202. | Excititor WebService Guild, Docs Guild (src/Excititor/StellaOps.Excititor.WebService)
EXCITITOR-OBS-51-001 `Metrics & SLOs` | DONE | Publish ingest latency, scope resolution success, conflict rate, and signature verification metrics plus SLO burn alerts so we can prove Excititor meets the AOC "evidence freshness" mission. | Excititor Core Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core)
## Dependencies & Concurrency
- Depends on Sprint 110.C (Excititor II) groundwork.
- Concurrency: storage → conflict annotations → events → APIs → docs; observability can proceed in parallel after storage is stable.
## Documentation Prerequisites
- docs/modules/excititor/architecture.md
- docs/modules/excititor/implementation_plan.md
- Component AGENTS.md under `src/Excititor/**`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | EXCITITOR-LNM-21-001 | DONE | None (prereq storage) | Excititor Storage Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo`) | Stand up `vex_observations` and `vex_linksets` collections with shard keys, tenant guards, migrations that retire merge-era data without mutating raw content. |
| 2 | EXCITITOR-LNM-21-002 | DONE | Depends on 21-001 | Excititor Core Guild (`src/Excititor/__Libraries/StellaOps.Excititor.Core`) | Capture disagreement metadata (status + justification deltas) inside linksets with confidence scores; Excititor stays aggregation-only. |
| 3 | EXCITITOR-LNM-21-003 | DONE | Depends on 21-002 | Excititor Core Guild · Platform Events Guild | Emit `vex.linkset.updated` events describing payload (observation ids, confidence, conflict summary) for Policy/Lens/UI subscription. |
| 4 | EXCITITOR-LNM-21-201 | DONE | Depends on 21-003 | Excititor WebService Guild (`src/Excititor/StellaOps.Excititor.WebService`) | `/vex/observations` read endpoints with advisory/product/issuer filters, strict RBAC, deterministic pagination, no derived verdict fields. |
| 5 | EXCITITOR-LNM-21-202 | DONE | Depends on 21-201 | Excititor WebService Guild | `/vex/linksets` + export endpoints surfacing alias mappings, conflict markers, provenance proofs; errors map to `ERR_AGG_*`. |
| 6 | EXCITITOR-LNM-21-203 | DONE | Depends on 21-202 | Excititor WebService Guild · Docs Guild | Update OpenAPI, SDK smoke tests, and docs with realistic examples for observation/linkset endpoints. |
| 7 | EXCITITOR-OBS-51-001 | DONE | Parallel after storage ready | Excititor Core Guild · DevOps Guild | Publish ingest latency, scope-resolution success, conflict rate, signature verification metrics + SLO burn alerts. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-03 | Normalised sprint to standard template; preserved task statuses; working directory set. | Planning |
## Decisions & Risks
- Excititor remains aggregation-only; conflict data recorded but no verdict selection.
- Pagination deterministic: enforce stable ordering on observation/linkset reads to avoid replay drift.
- Event payloads must not leak tenant data across scopes; ensure RBAC on `/vex/*` endpoints and event topics.
## Next Checkpoints
- Confirm metrics dashboards remain in sync with OBS-51 signal names after later phases.
- Re-run SDK/example coverage when downstream services add new advisory/product fields.
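Review bot: the restructure drops the "Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08)" pointer, and the new Execution Log for this all-DONE sprint holds only the 2025-12-03 normalisation row, so the completion history of EXCITITOR-LNM-21-001..203 and EXCITITOR-OBS-51-001 is no longer reachable from the file; keep the archive pointer under Documentation Prerequisites or as a log row. The old table also carried the source path for every owner, while the new Delivery Tracker omits it for rows 3, 5, 6 and 7 (`src/Excititor/__Libraries/StellaOps.Excititor.Core`, `src/Excititor/StellaOps.Excititor.WebService`); keep the paths in the Owners column so the RBAC and tenant-isolation expectations in Decisions & Risks can be traced to the code that enforces them.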
@@ -1,4 +1,4 @@
# Sprint 122 - Ingestion & Evidence · 110.C) Excititor.IV
# Sprint 0122 · Excititor Ingestion & Evidence (Phase IV)
## Topic & Scope
- Ingestion & Evidence focus on Excititor (phase IV) with policy-facing VEX APIs and risk feeds while staying aggregation-only.
@@ -31,6 +31,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-03 | Normalised sprint structure; added Decisions/Risks and Next Checkpoints; no status changes. | Planning |
| 2025-11-27 | Marked OBS-52/53/54, ORCH-32/33 DONE after timeline/locker/attestation/orchestrator delivery. | Implementer |
| 2025-12-01 | Normalized sprint file to standard template; set POLICY-20-001/20-002 and RISK-66-001 to BLOCKED pending Policy/Risk contracts (`advisory_key` schema, feed envelope). | Project Mgmt |
| 2025-12-01 | Implemented policy VEX lookup endpoint (`/policy/v1/vex/lookup`) with advisory/PURL batching, canonicalization, and tenant enforcement; marked POLICY-20-001 DONE. | Implementer |
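Review bot: the new 2025-12-03 row lands above a 2025-11-27 row that itself sits above two 2025-12-01 rows, so this log is out of order in both directions; move the 2025-11-27 row below the 2025-12-01 entries to keep newest-first, matching where the new row was placed.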
@@ -38,6 +39,16 @@
| 2025-12-01 | Updated test harness `StubAirgapImportStore` to implement new `IAirgapImportStore` methods; rebuilt WebService tests (policy filter reports no matching tests as PolicyEndpointsTests are excluded from project). | Implementer |
| 2025-12-02 | Stabilized WebService test host with `UseTestServer` + TestHost package; full Excititor WebService test suite passes (all 26 green). Policy endpoints test now runs with test harness overrides (stub signer/attestation) and passes. | Implementer |
## Decisions & Risks
- Excititor remains aggregation-only: policy lookup returns stored scope/linkset metadata without verdicts.
- Risk feed (EXCITITOR-RISK-66-001) blocked pending Risk envelope; avoid emitting partial feeds to prevent contract drift.
- Orchestrator integration delivered; keep feature-flagged until production thresholds validated.
## Next Checkpoints
- Publish Risk feed envelope to unblock EXCITITOR-RISK-66-001.
- Re-run WebService tests after any advisory_key schema changes from Policy.
- Validate timeline/locker/attestation events with latest Evidence Locker manifests to ensure parity.
## Decisions & Risks
- **Decisions**
- Aggregation-only stance holds for policy/risk APIs; no consensus or severity derivation.
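Review bot: the added "## Decisions & Risks" heading duplicates the one already present in the trailing context (`## Decisions & Risks` followed by `- **Decisions**`), so the new file carries two sections with that name and a Next Checkpoints section wedged between them. Merge the three new bullets into the existing section (the aggregation-only bullet already appears there in different words) and place Next Checkpoints after it; the 2025-12-03 log row should then read "extended Decisions/Risks" rather than "added", since the section pre-existed.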
@@ -1,18 +1,42 @@
# Sprint 123 - Ingestion & Evidence · 110.C) Excititor.V
# Sprint 0123 · Excititor Ingestion & Evidence (Phase V)
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
## Topic & Scope
- Feed VEX Lens and Vuln Explorer with enriched, canonical evidence while keeping Excititor aggregation-only.
- Lock raw storage validation/idempotency and ship portable evidence bundles plus mirror registration APIs for air-gapped parity.
- **Working directory:** `src/Excititor` (WebService, Core, Storage.Mongo) and docs/airgap.
[Ingestion & Evidence] 110.C) Excititor.V
Depends on: Sprint 110.C - Excititor.IV
Summary: Ingestion & Evidence focus on Excititor (phase V).
> **Prep:** Read `docs/modules/excititor/architecture.md` and the Excititor component `AGENTS.md` files before touching this sprint’s tasks.
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXCITITOR-VEXLENS-30-001 `VEX evidence enrichers` | DONE | Ensure every observation exported to VEX Lens carries issuer hints, signature blobs, product tree snippets, and staleness metadata so the lens can compute consensus without calling back into Excititor. **Completed:** Enhanced `OpenVexSourceEntry` with enrichment fields (issuerHint, signatureType, keyId, transparencyLogRef, trustWeight, trustTier, stalenessSeconds, productTreeSnippet). Updated `OpenVexStatementMerger.BuildSources()` to extract from VexClaim. Enhanced `OpenVexExportSource` JSON serialization. | Excititor WebService Guild, VEX Lens Guild (src/Excititor/StellaOps.Excititor.WebService)
EXCITITOR-VULN-29-001 `VEX key canonicalization` | DONE | Canonicalize advisory/product keys (map to `advisory_key`, capture scope metadata) while preserving original identifiers in `links[]`; run backfill + regression tests. **Completed:** Created `VexAdvisoryKeyCanonicalizer` (CVE/GHSA/RHSA/DSA/USN) and `VexProductKeyCanonicalizer` (PURL/CPE/RPM/DEB/OCI) in `Core/Canonicalization/`. All 47 tests passing. Supports extracting PURLs/CPEs from component identifiers. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService)
EXCITITOR-VULN-29-002 `Evidence retrieval APIs` | DONE | Provide `/vuln/evidence/vex/{advisory_key}` returning tenant-scoped raw statements, provenance, and attestation references for Vuln Explorer evidence tabs. Depends on EXCITITOR-VULN-29-001. **Completed:** Created endpoint at `/vuln/evidence/vex/{advisory_key}` in `EvidenceEndpoints.cs`. Uses `VexAdvisoryKeyCanonicalizer` for key normalization (CVE, GHSA, RHSA, DSA, USN). Returns canonical key, scope, aliases, and statements with provenance (documentDigest, format, sourceUri, revision) and attestation metadata (signatureType, issuer, subject, keyId, verifiedAt, transparencyLogRef, trustWeight, trustTier). Supports cursor-based pagination. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService)
EXCITITOR-VULN-29-004 `Observability` | DONE | Add metrics/logs for normalization errors, suppression scopes, withdrawn statements, and feed them to Vuln Explorer + Advisory AI dashboards. Depends on EXCITITOR-VULN-29-002. **Completed:** Created `NormalizationTelemetry.cs` with comprehensive metrics: advisory/product key canonicalization (success/error counters, scope distribution), evidence retrieval (request counts, statement count histogram, latency histogram), normalization errors by provider/type, suppression scope tracking, withdrawn statement detection/replacements. Registered meter in `TelemetryExtensions.cs`. Added telemetry calls to evidence endpoint. | Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService)
EXCITITOR-STORE-AOC-19-001 `vex_raw schema validator` | DONE | Ship Mongo JSON Schema + validator tooling (including Offline Kit instructions) so operators can prove Excititor stores only immutable evidence. **Completed:** Created `VexRawSchemaValidator` in `Storage.Mongo/Validation/` with `Validate()`, `ValidateBatch()`, `GetJsonSchema()` methods. Added Offline Kit docs at `docs/airgap/vex-raw-schema-validation.md`. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo)
EXCITITOR-STORE-AOC-19-002 `Idempotency index & migration` | DONE | Create unique indexes, run migrations/backfills, and document rollback steps for the new schema validator. Depends on EXCITITOR-STORE-AOC-19-001. **Completed:** Created `VexRawIdempotencyIndexMigration` with unique indexes (provider+source+digest), query indexes (digest+provider), and time-based index. Added rollback docs at `docs/airgap/vex-raw-migration-rollback.md`. Registered migration in ServiceCollectionExtensions. | Excititor Storage Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo)
EXCITITOR-AIRGAP-56-001 `Mirror registration APIs` | DONE | Support mirror bundle registration + provenance exposure, including sealed-mode error mapping and staleness metrics surfaced via API responses. **Completed:** Added query methods to `IAirgapImportStore` (ListAsync, FindByBundleIdAsync, CountAsync). Created `AirgapMirrorContracts.cs` with response types for bundle listing/detail/timeline and `AirgapErrorMapping` for structured sealed-mode errors with categories (validation, sealed_mode, trust, duplicate, not_found). Created `MirrorRegistrationEndpoints.cs` with `/airgap/v1/mirror/bundles` endpoints for listing, detail with provenance, and timeline queries. Added `StalenessCalculator` for computing staleness metrics with age categories (fresh, recent, stale, old, very_old). | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService)
EXCITITOR-AIRGAP-58-001 `Portable evidence bundles` | DONE | Produce portable evidence bundles linked to timeline + attestation metadata for sealed deployments, and document verifier steps for Advisory AI teams. Depends on EXCITITOR-AIRGAP-56-001. **Completed:** Created `PortableEvidenceBundleBuilder` in `Core/Evidence/` with ZIP bundle creation including: manifest.json (VexLockerManifest with Merkle root), attestation.json (DSSE envelope), evidence items by provider, timeline.json (audit trail), bundle-manifest.json (content index), VERIFY.md (inline verification guide). Added comprehensive verification docs at `docs/airgap/portable-evidence-bundle-verification.md` with Python/Bash scripts for Merkle root verification, attestation checking, timeline validation, and Advisory AI integration patterns. | Excititor Core Guild, Evidence Locker Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core)
## Dependencies & Concurrency
- Depends on Phase IV outputs (timeline/locker/attestation) and mirror registration contract.
- Concurrency: storage validators/indexes first; VEX Lens/Vuln endpoints rely on canonicalization; portable bundles depend on mirror registration endpoints.
## Documentation Prerequisites
- docs/modules/excititor/architecture.md
- docs/modules/excititor/implementation_plan.md
- docs/airgap/portable-evidence-bundle-verification.md
- Excititor AGENTS.md files (WebService, Core, Storage)
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | EXCITITOR-VEXLENS-30-001 | DONE | None | Excititor WebService Guild · VEX Lens Guild | Export observations to VEX Lens with issuer hints, signature blobs, product tree snippets, staleness metadata; no consensus logic. |
| 2 | EXCITITOR-VULN-29-001 | DONE | None | Excititor WebService Guild | Canonicalize advisory/product keys (`advisory_key`), preserve originals in `links[]`; backfill + tests. |
| 3 | EXCITITOR-VULN-29-002 | DONE | Depends on 29-001 | Excititor WebService Guild | `/vuln/evidence/vex/{advisory_key}` returning tenant-scoped raw statements + provenance + attestation references; cursor pagination. |
| 4 | EXCITITOR-VULN-29-004 | DONE | Depends on 29-002 | Excititor WebService Guild · Observability Guild | Metrics/logs for normalization errors, suppression scopes, withdrawn statements for Vuln Explorer + Advisory AI dashboards. |
| 5 | EXCITITOR-STORE-AOC-19-001 | DONE | None | Excititor Storage Guild | Mongo JSON Schema validator for `vex_raw`; offline kit instructions. |
| 6 | EXCITITOR-STORE-AOC-19-002 | DONE | Depends on 19-001 | Excititor Storage Guild · DevOps Guild | Unique indexes/migrations/rollback steps for new validator. |
| 7 | EXCITITOR-AIRGAP-56-001 | DONE | None | Excititor WebService Guild · AirGap Importer Guild | Mirror bundle registration + provenance exposure, sealed-mode error mapping, staleness metrics. |
| 8 | EXCITITOR-AIRGAP-58-001 | DONE | Depends on 56-001 | Excititor Core Guild · Evidence Locker Guild | Portable evidence bundles linked to timeline + attestation metadata; verifier docs for Advisory AI. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-03 | Normalised sprint to standard template; working directory set; preserved statuses. | Planning |
## Decisions & Risks
- Aggregation-only posture retained: exports and APIs do not compute verdicts.
- Validator rollout could impact ingestion; staged with rollback docs. Ensure unique indexes deployed before enabling enforcement.
- Portable bundle contents and mirror registration must stay aligned with Evidence Locker schemas; refresh docs/tests if schema evolves.
## Next Checkpoints
- Re-run bundle verification scripts after any Evidence Locker manifest changes.
- Validate VEX Lens/Vuln Explorer still ingest canonicalized keys after downstream schema tweaks.
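Review bot: the new Delivery Tracker discards the implementation pointers the old rows carried (`VexAdvisoryKeyCanonicalizer` and `VexProductKeyCanonicalizer` under `Core/Canonicalization/`, `VexRawSchemaValidator`, `VexRawIdempotencyIndexMigration`, `PortableEvidenceBundleBuilder`, `MirrorRegistrationEndpoints.cs`, and the operator docs `docs/airgap/vex-raw-schema-validation.md` and `docs/airgap/vex-raw-migration-rollback.md`), and the archive pointer to docs/implplan/archived/tasks.md goes with them; record those in dated Execution Log rows before removing them, since the rollback doc path in particular is what an operator needs when the Decisions & Risks bullet about validator rollout and unique-index ordering is exercised. Row 7 also gains an owner (AirGap Importer Guild) the old row did not list, which the "preserved statuses" log entry does not mention. Lastly, `docs/airgap/portable-evidence-bundle-verification.md` is listed as a Documentation Prerequisite although it is the deliverable of EXCITITOR-AIRGAP-58-001 in this same sprint; it belongs under outputs or the task definition, not prerequisites.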
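Review bot: every Delivery Tracker row in this file is DONE, yet the Status column carries no completion dates and the Execution Log holds only the 2025-12-03 "Normalised sprint ... preserved statuses" entry, so nothing records when EXCITITOR-VULN-29-002 through EXCITITOR-AIRGAP-58-001 actually closed. Suggest adopting the `DONE (YYYY-MM-DD)` form used in the Sprint 506 tracker, or adding one log row per closed task, so the "preserved statuses" claim is auditable; the Decisions & Risks bullet "Ensure unique indexes deployed before enabling enforcement" would also be clearer with a pointer to the 19-002 rollback steps it depends on.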
@@ -1,17 +1,41 @@
# Sprint 124 - Ingestion & Evidence · 110.C) Excititor.VI
# Sprint 0124 · Excititor Ingestion & Evidence (Phase VI)
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
## Topic & Scope
- Expose streaming, evidence, and attestation APIs with OpenAPI discovery/examples while keeping aggregation-only semantics.
- Add mirror bundle import telemetry and crypto provider abstraction for deterministic verification profiles.
- **Working directory:** `src/Excititor` (WebService) with AirGap/Policy coordination.
[Ingestion & Evidence] 110.C) Excititor.VI
Depends on: Sprint 110.C - Excititor.V
Summary: Ingestion & Evidence focus on Excititor (phase VI).
> **Prep:** Read `docs/modules/excititor/architecture.md` and the Excititor component `AGENTS.md` files before working any items listed below.
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXCITITOR-WEB-OBS-52-001 `Timeline streaming` | DONE | Provide SSE/WebSocket bridges for VEX timeline events with tenant filters, pagination anchors, and guardrails so downstream consoles can monitor raw evidence changes in real time. Depends on EXCITITOR-OBS-52-001. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService)
EXCITITOR-WEB-OBS-53-001 `Evidence APIs` | DONE | Expose `/evidence/vex/*` endpoints that fetch locker bundles, enforce scopes, and surface verification metadata without synthesizing verdicts. Depends on EXCITITOR-WEB-OBS-52-001. | Excititor WebService Guild, Evidence Locker Guild (src/Excititor/StellaOps.Excititor.WebService)
EXCITITOR-WEB-OBS-54-001 `Attestation APIs` | DONE | Add `/attestations/vex/*` endpoints returning DSSE verification state, builder identity, and chain-of-custody links so consumers never need direct datastore access. Depends on EXCITITOR-WEB-OBS-53-001. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService)
EXCITITOR-WEB-OAS-61-001 `OpenAPI discovery` | DONE | Implement `/.well-known/openapi` with spec version metadata plus standard error envelopes, then update controller/unit tests accordingly. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService)
EXCITITOR-WEB-OAS-62-001 `Examples & deprecation headers` | DONE | Publish curated examples for the new evidence/attestation/timeline endpoints, emit deprecation headers for legacy routes, and align SDK docs. Depends on EXCITITOR-WEB-OAS-61-001. | Excititor WebService Guild, API Governance Guild (src/Excititor/StellaOps.Excititor.WebService)
EXCITITOR-WEB-AIRGAP-58-001 `Bundle import telemetry` | DONE | Emit timeline events + audit logs for mirror bundle imports (bundle ID, scope, actor) and map sealed-mode violations to actionable remediation guidance. | Excititor WebService Guild, AirGap Importer/Policy Guilds (src/Excititor/StellaOps.Excititor.WebService)
EXCITITOR-CRYPTO-90-001 `Crypto provider abstraction` | DONE | Replace ad-hoc hashing/signing in connectors/exporters/OpenAPI discovery with `ICryptoProviderRegistry` implementations approved by security so evidence verification stays deterministic across crypto profiles. | Excititor WebService Guild, Security Guild (src/Excititor/StellaOps.Excititor.WebService)
## Dependencies & Concurrency
- Depends on Phase V outputs (portable bundles, mirror registration) and Evidence Locker manifests.
- Concurrency: OpenAPI discovery/examples and streaming can proceed in parallel; crypto provider registry relies on security contract.
## Documentation Prerequisites
- docs/modules/excititor/architecture.md
- docs/modules/excititor/implementation_plan.md
- docs/modules/excititor/observability/locker-manifest.md
- Excititor WebService AGENTS.md
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | EXCITITOR-WEB-OBS-52-001 | DONE | Depends on OBS-52 schema | Excititor WebService Guild | Provide SSE/WebSocket bridges for VEX timeline events with tenant filters, pagination anchors, guardrails. |
| 2 | EXCITITOR-WEB-OBS-53-001 | DONE | Depends on 52-001; locker manifest available | Excititor WebService Guild · Evidence Locker Guild | `/evidence/vex/*` endpoints fetching locker bundles, enforcing scopes, surfacing verification metadata; no verdicts. |
| 3 | EXCITITOR-WEB-OBS-54-001 | DONE | Depends on 53-001; DSSE manifests available | Excititor WebService Guild | `/attestations/vex/*` endpoints returning DSSE verification state, builder identity, chain-of-custody links. |
| 4 | EXCITITOR-WEB-OAS-61-001 | DONE | None | Excititor WebService Guild | Implement `/.well-known/openapi` with spec metadata + standard error envelope; update controller/unit tests. |
| 5 | EXCITITOR-WEB-OAS-62-001 | DONE | Depends on 61-001 | Excititor WebService Guild · API Governance Guild | Publish curated examples + deprecation headers for evidence/attestation/timeline endpoints; align SDK docs. |
| 6 | EXCITITOR-WEB-AIRGAP-58-001 | DONE | Depends on mirror thin bundle schema | Excititor WebService Guild · AirGap Importer/Policy Guilds | Emit timeline events + audit logs for mirror bundle imports (bundle ID, scope, actor); map sealed-mode violations to remediation. |
| 7 | EXCITITOR-CRYPTO-90-001 | DONE | Security-approved registry contract | Excititor WebService Guild · Security Guild | Replace ad-hoc hashing/signing with `ICryptoProviderRegistry` implementations for deterministic verification across profiles. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-03 | Normalised sprint to standard template; preserved task details/statuses. | Planning |
## Decisions & Risks
- Aggregation-only stance preserved across streaming/evidence/attestation endpoints.
- Crypto provider registry must remain deterministic; benchmark and feature-flag per profile.
- Mirror bundle telemetry relies on thin bundle schema; revisit if schema changes to avoid telemetry mismatch.
## Next Checkpoints
- Re-validate `/evidence` and `/attestations` responses after any locker/DSSE manifest updates.
- Run OpenAPI discovery/examples regression when new routes land or headers change.
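Review bot: the sentence "Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08)." sits in the new layout while all seven Delivery Tracker rows (EXCITITOR-WEB-OBS-52-001 through EXCITITOR-CRYPTO-90-001) are DONE, so the file either contradicts itself or the rows belong in the archive; suggest dropping the sentence or moving the closed rows and leaving a pointer. Also, tracker row 6 states "Depends on mirror thin bundle schema" for EXCITITOR-WEB-AIRGAP-58-001 while the task-list line for the same ID names no dependency; if the new column is correct, the Decisions & Risks bullet about thin bundle schema drift should cite the schema document so the dependency is checkable.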
@@ -125,6 +125,7 @@ Risks:
| 2025-12-02 | Created module-level `src/Notify/AGENTS.md` with roles/prereqs/testing guardrails; Action Tracker #5 closed | Planning |
| 2025-12-02 | PG-T3.11 cutover confirmed: WebService/Worker already use AddNotifyPostgresStorage; Mongo fallback disabled; sprint task marked DONE | Notify Guild |
| 2025-12-03 | Postgres delivery/digest endpoints implemented; release build succeeded (`/tmp/notify-postgres-build2.log`) | Notify Guild |
| 2025-12-03 | Postgres storage integration tests passed (53/53) against Docker-backed Postgres; evidence at `out/test-results/notify-postgres/_DESKTOP-7GHGC2M_2025-12-03_07_19_23.trx` | Notify Guild |
---
*Reference: docs/db/tasks/PHASE_3_NOTIFY.md*
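Review bot: the evidence references in the two 2025-12-03 rows are not durable: `/tmp/notify-postgres-build2.log` is an ephemeral local path, and `out/test-results/notify-postgres/_DESKTOP-7GHGC2M_2025-12-03_07_19_23.trx` embeds a workstation hostname in a file name that now lands in the repo history. Suggest copying the TRX (and the build log, if it is meant as evidence) into a tracked artefact directory with a neutral name and referencing that path, in the same style as the `ops/devops/artifacts/ci-110/<timestamp>/` convention used in the Sprint 506 file.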
@@ -52,9 +52,9 @@
| 23 | PG-T5b.1.2 | DONE (2025-12-02) | Depends on PG-T5b.1.1 | Concelier Guild | Map to relational structure with child tables |
| 24 | PG-T5b.1.3 | DONE (2025-12-02) | Depends on PG-T5b.1.2 | Concelier Guild | Preserve provenance JSONB |
| 25 | PG-T5b.1.4 | DONE (2025-12-02) | Depends on PG-T5b.1.2 | Concelier Guild | Handle version ranges (keep as JSONB) |
| 26 | PG-T5b.2.1 | TODO | Depends on PG-T5b.1 | Concelier Guild | Update NVD importer to write to PostgreSQL |
| 27 | PG-T5b.2.2 | TODO | Depends on PG-T5b.1 | Concelier Guild | Update OSV importer to write to PostgreSQL |
| 28 | PG-T5b.2.3 | TODO | Depends on PG-T5b.1 | Concelier Guild | Update GHSA/vendor importers to write to PostgreSQL |
| 26 | PG-T5b.2.1 | DONE (2025-12-03) | Depends on PG-T5b.1 | Concelier Guild | Update NVD importer to write to PostgreSQL |
| 27 | PG-T5b.2.2 | DONE (2025-12-03) | Depends on PG-T5b.1 | Concelier Guild | Update OSV importer to write to PostgreSQL |
| 28 | PG-T5b.2.3 | DONE (2025-12-03) | Depends on PG-T5b.1 | Concelier Guild | Update GHSA/vendor importers to write to PostgreSQL |
| 29 | PG-T5b.3.1 | TODO | Depends on PG-T5b.2 | Concelier Guild | Configure dual-import mode |
| 30 | PG-T5b.3.2 | TODO | Depends on PG-T5b.3.1 | Concelier Guild | Run import cycle and compare record counts |
| 31 | PG-T5b.4.1 | TODO | Depends on PG-T5b.3 | Concelier Guild | Select sample SBOMs for verification |
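Review bot: rows 26, 27 and 28 flip from TODO to `DONE (2025-12-03)` but their "Key dependency / next step" cell still reads "Depends on PG-T5b.1", which is only meaningful for open work. For closed rows that column should name the next step, here PG-T5b.3.1 "Configure dual-import mode" (row 29, still TODO), or the verification that closed them, otherwise a reader cannot tell whether the importers were exercised against PostgreSQL or merely wired up.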
@@ -117,6 +117,7 @@
| 2025-12-02 | Added Storage.Postgres AGENTS charter and integration tests covering sources, states, snapshots, advisories + child tables, KEV, merge events; PG-T5a.6 marked DONE (tests pass on Docker-backed Postgres). | Implementer |
| 2025-12-03 | Implemented AdvisoryConversionService (Mongo → Postgres) plus converter mapping of aliases/CVSS/affected/references/credits/weaknesses/KEV; added integration test harness (AdvisoryConversionServiceTests) | Codex |
| 2025-12-03 | PG-T5b.1.1–1.4 DONE: converter + service + NVD importer scaffold; provenance/version-range preserved; converter/service tests passing (importer e2e test placeholder requires Mongo fixture). | Implementer |
| 2025-12-03 | PG-T5b.2.1–2.3 DONE: added NVD/OSV/GHSA importer scaffolds reusing converter and snapshot recording path. Importer tests remain to be enabled once Mongo fixture is wired. | Implementer |
---
*Reference: docs/db/tasks/PHASE_5_VULNERABILITIES.md*
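Review bot: the added 2025-12-03 entry marks PG-T5b.2.1–2.3 DONE while stating "Importer tests remain to be enabled once Mongo fixture is wired", and the previous entry already notes the importer e2e test is a placeholder; a DONE status with the importer tests disabled hides the gap behind the tracker. Suggest either keeping the three rows open until the fixture lands or adding a tracked follow-up ID for enabling the NVD/OSV/GHSA importer tests and naming it in this entry, and wording the entry as "importer scaffolds added" rather than leaving it to read as the production write path that "Update NVD importer to write to PostgreSQL" describes.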
@@ -1,61 +1,84 @@
# Sprint 506 - Ops & Offline · 190.B) Ops Devops.IV
# Sprint 506 · Ops DevOps IV (Ops & Offline 190.B)
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
## Topic & Scope
- Ops & Offline focus on DevOps phase IV: incident automation, orchestrator observability, policy CI, signing/SDK pipelines, and mirror signing.
- Consolidate CI helpers, dashboards, and signing assets; document runbooks and cleanup paths.
- **Working directory:** ops/devops (and associated ops/devops/* subfolders).
[Ops & Offline] 190.B) Ops Devops.IV
Depends on: Sprint 190.B - Ops Devops.III
Summary: Ops & Offline focus on Ops Devops (phase IV).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DEVOPS-OBS-55-001 | DONE (2025-11-25) | Implement incident mode automation: feature flag service, auto-activation via SLO burn-rate, retention override management, and post-incident reset job. Dependencies: DEVOPS-OBS-54-001. | DevOps Guild, Ops Guild (ops/devops)
DEVOPS-ORCH-32-001 | DONE (2025-11-25) | Provision orchestrator Postgres/message-bus infrastructure, add CI smoke deploy, seed Grafana dashboards (queue depth, inflight jobs), and document bootstrap. | DevOps Guild, Orchestrator Service Guild (ops/devops)
DEVOPS-ORCH-33-001 | DONE (2025-11-25) | Publish Grafana dashboards/alerts for rate limiter, backpressure, error clustering, and DLQ depth; integrate with on-call rotations. Dependencies: DEVOPS-ORCH-32-001. | DevOps Guild, Observability Guild (ops/devops)
DEVOPS-ORCH-34-001 | DONE (2025-11-25) | Harden production monitoring (synthetic probes, burn-rate alerts, replay smoke), document incident response, and prep GA readiness checklist. Dependencies: DEVOPS-ORCH-33-001. | DevOps Guild, Orchestrator Service Guild (ops/devops)
DEVOPS-POLICY-27-001 | DONE (2025-11-25) | Add CI pipeline stages to run `stella policy lint | DevOps Guild, DevEx/CLI Guild (ops/devops)
DEVOPS-POLICY-27-002 | DONE (2025-11-25) | Provide optional batch simulation CI job (staging inventory) that triggers Registry run, polls results, and posts markdown summary to PR; enforce drift thresholds. Dependencies: DEVOPS-POLICY-27-001. | DevOps Guild, Policy Registry Guild (ops/devops)
DEVOPS-POLICY-27-003 | DONE (2025-11-25) | Manage signing key material for policy publish pipeline (OIDC workload identity + cosign), rotate keys, and document verification steps; integrate attestation verification stage. Dependencies: DEVOPS-POLICY-27-002. | DevOps Guild, Security Guild (ops/devops)
DEVOPS-POLICY-27-004 | DONE (2025-11-25) | Create dashboards/alerts for policy compile latency, simulation queue depth, approval latency, and promotion outcomes; integrate with on-call playbooks. Dependencies: DEVOPS-POLICY-27-003. | DevOps Guild, Observability Guild (ops/devops)
DEVOPS-REL-17-004 | DONE (2025-11-23) | Release workflow now uploads `out/release/debug` (build-id tree + manifest) as a separate artefact and fails when symbols are missing. | DevOps Guild (ops/devops)
DEVOPS-RULES-33-001 | DONE (2025-11-25) | Contracts & Rules anchor:<br>• Gateway proxies only; Policy Engine composes overlays/simulations.<br>• AOC ingestion cannot merge; only lossless canonicalization.<br>• One graph platform: Graph Indexer + Graph API. Cartographer retired. | DevOps Guild, Platform Leads (ops/devops)
DEVOPS-SDK-63-001 | DONE (2025-11-25) | Provision registry credentials, signing keys, and secure storage for SDK publishing pipelines. | DevOps Guild, SDK Release Guild (ops/devops)
DEVOPS-SIG-26-001 | DONE (2025-11-25) | Provision CI/CD pipelines, Helm/Compose manifests for Signals service, including artifact storage and Redis dependencies. | DevOps Guild, Signals Guild (ops/devops)
DEVOPS-SIG-26-002 | DONE (2025-11-25) | Create dashboards/alerts for reachability scoring latency, cache hit rates, sensor staleness. Dependencies: DEVOPS-SIG-26-001. | DevOps Guild, Observability Guild (ops/devops)
DEVOPS-TEN-47-001 | BLOCKED (2025-11-25) | Add JWKS cache monitoring, signature verification regression tests, and token expiration chaos tests to CI. | DevOps Guild (ops/devops)
DEVOPS-TEN-48-001 | BLOCKED (2025-11-25) | Build integration tests to assert RLS enforcement, tenant-prefixed object storage, and audit event emission; set up lint to prevent raw SQL bypass. Dependencies: DEVOPS-TEN-47-001. | DevOps Guild (ops/devops)
DEVOPS-CI-110-001 | DONE (2025-11-25) | CI helper + TRX slices published at `ops/devops/ci-110-runner/` (artefacts: `ops/devops/artifacts/ci-110/20251125T030557Z/`). Warm restore, OpenSSL 1.1 check, Concelier health + Excititor airgap import smoke. | DevOps Guild, Concelier Guild, Excititor Guild (ops/devops)
MIRROR-CRT-56-CI-001 | DONE (2025-11-25) | Promote `make-thin-v1.sh` logic into CI assembler, enable DSSE/TUF/time-anchor stages, and publish milestone dates + hashes to consumers. Uses `MIRROR_SIGN_KEY_B64` from Gitea secrets. | Mirror Creator Guild, DevOps Guild (ops/devops)
MIRROR-CRT-56-002 | DONE (2025-11-25) | Release signing for thin bundle v1; install secret `MIRROR_SIGN_KEY_B64` (Ed25519 PEM, provided 2025-11-24) and rerun `.gitea/workflows/mirror-sign.yml` with `REQUIRE_PROD_SIGNING=1`. | Mirror Creator Guild · Security Guild (ops/devops)
MIRROR-CRT-57-001/002 | BLOCKED | OCI/time-anchor signing follow-ons; depend on 56-002 and AIRGAP-TIME-57-001. | Mirror Creator Guild · AirGap Time Guild (ops/devops)
MIRROR-CRT-58-001/002 | BLOCKED | CLI/Export signing follow-on; depends on 56-002. | Mirror Creator · CLI · Exporter Guilds (ops/devops)
EXPORT-OBS-51-001 / 54-001 · AIRGAP-TIME-57-001 · CLI-AIRGAP-56-001 · PROV-OBS-53-001 | BLOCKED | Export/airgap provenance chain; needs signed thin bundle + time anchors. | Exporter Guild · AirGap Time · CLI Guild (ops/devops)
DEVOPS-LEDGER-29-009-REL | BLOCKED (2025-11-25) | Release/offline-kit packaging for ledger manifests/backups; depends on LEDGER-29-009 dev outputs. | DevOps Guild, Findings Ledger Guild (ops/devops)
DEVOPS-LEDGER-TEN-48-001-REL | BLOCKED (2025-11-25) | Apply RLS/partition migrations in release pipelines; publish manifests/offline-kit artefacts. | DevOps Guild, Findings Ledger Guild (ops/devops)
DEVOPS-SCANNER-JAVA-21-011-REL | BLOCKED (2025-11-25) | Package/sign Java analyzer plug-in for release/offline kits; depends on SCANNER-ANALYZERS-JAVA-21-011 dev. | DevOps Guild, Java Analyzer Guild (ops/devops)
## Dependencies & Concurrency
- Depends on Sprint 190.B Ops DevOps III artifacts.
- Mirror signing follow-ons depend on AIRGAP-TIME-57-001 and thin bundle v1 outputs.
- Tenant chaos/tests depend on Authority tenancy harness availability.
Updates
-------
- 2025-11-25 · DEVOPS-CI-110-001 runner published at `ops/devops/ci-110-runner/`; initial TRX slices stored under `ops/devops/artifacts/ci-110/20251125T030557Z/` (Concelier health, Excititor airgap import).
- 2025-11-25 · MIRROR-CRT-56-CI-001 completed: CI signing script now emits milestone hash summary, enforces DSSE/TUF/time-anchor steps, and uploads `milestone.json` via `mirror-sign.yml`.
- 2025-11-25 · DEVOPS-OBS-55-001 completed: added offline incident-mode automation script (`scripts/observability/incident-mode.sh`) and runbook (`ops/devops/observability/incident-mode.md`) to auto-toggle incident flag, retention overrides, and cooldown reset based on burn rate inputs.
- 2025-11-25 · DEVOPS-ORCH-32-001 completed: added orchestrator infra compose stack (Postgres+Mongo+NATS), smoke script (`scripts/orchestrator/smoke.sh`), alerts, Grafana dashboard, and bootstrap README under `ops/devops/orchestrator/`.
- 2025-11-25 · DEVOPS-ORCH-33-001 completed: expanded orchestrator Grafana with DLQ/backpressure/error panels and alerts (`ops/devops/orchestrator/alerts.yaml`); dashboard lives at `ops/devops/orchestrator/grafana/orchestrator-overview.json`.
- 2025-11-25 · DEVOPS-POLICY-27-003 completed: cosign key rotation/signing/attestation scripts added (`scripts/policy/rotate-key.sh`, `sign-policy.sh`, `attest-verify.sh`), CI attestation verification stage wired into `.gitea/workflows/policy-simulate.yml`, and runbook recorded at `ops/devops/policy-signing.md`.
- 2025-11-25 · DEVOPS-POLICY-27-004 completed: added policy pipeline alerts (`ops/devops/observability/policy-alerts.yaml`), Grafana dashboard (`ops/devops/observability/grafana/policy-pipeline.json`), and on-call playbook (`ops/devops/observability/policy-playbook.md`) covering compile, simulation, approval, and promotion signals.
- 2025-11-25 · DEVOPS-ORCH-34-001 completed: added synthetic infra probe (`scripts/orchestrator/probe.sh`), replay smoke wrapper (`scripts/orchestrator/replay-smoke.sh`), burn-rate alert for failures in `ops/devops/orchestrator/alerts.yaml`, updated README, and incident/GA readiness playbook (`ops/devops/orchestrator/incident-response.md`).
- 2025-11-25 · DEVOPS-POLICY-27-001 completed: added `policy-lint` workflow (`.gitea/workflows/policy-lint.yml`) running `stella policy lint` on sample DSLs, caching nugets, and publishing lint artifacts; simulate entrypoint smoke included.
- 2025-11-25 · DEVOPS-POLICY-27-002 completed: added batch simulation harness (`scripts/policy/batch-simulate.sh`), sample SBOM fixture, and CI workflow (`.gitea/workflows/policy-simulate.yml`) enforcing violation threshold and uploading summaries.
- 2025-11-25 · DEVOPS-POLICY-27-001 completed: added `policy-lint` workflow (`.gitea/workflows/policy-lint.yml`) running `stella policy lint` on sample DSLs, caching nugets, and publishing lint artifacts; simulate entrypoint smoke included.
- 2025-11-25 · DEVOPS-ORCH-33-001 completed: expanded orchestrator Grafana with DLQ/backpressure/error panels and alerts (`ops/devops/orchestrator/alerts.yaml`); dashboard lives at `ops/devops/orchestrator/grafana/orchestrator-overview.json`.
- 2025-11-25 · MIRROR-CRT-56-002 completed: mirror-sign workflow now enforces prod signing (rc2 SDK), prerequisite check, signing + verification steps for thin bundle v1 using `MIRROR_SIGN_KEY_B64` with `REQUIRE_PROD_SIGNING=1`.
- 2025-11-25 · DEVOPS-SDK-63-001 completed: added SDK signing/publishing toolchain (scripts/sdk/*), secrets guidance (`ops/devops/sdk/README.md`), NuGet signing/publish workflow (`.gitea/workflows/sdk-publish.yml`), and sample config for offline/local feeds.
- 2025-11-25 · DEVOPS-TEN-47-001 marked BLOCKED: JWKS cache/chaos testing requires runnable Authority instance and tenant fixture; upstream Authority/tenancy harness not present in repo.
- 2025-11-25 · DEVOPS-TEN-48-001 marked BLOCKED: RLS/object-store/audit integration tests depend on TEN-47 harness and tenant-aware data plane not available in this sprint scope.
- 2025-11-25 · DEVOPS-LEDGER-29-009-REL marked BLOCKED: release packaging awaits LEDGER-29-009 dev outputs and manifests not present in repo.
- 2025-11-25 · DEVOPS-LEDGER-TEN-48-001-REL marked BLOCKED: RLS migrations/artefacts depend on ledger tenant partition work not yet delivered.
- 2025-11-25 · DEVOPS-SCANNER-JAVA-21-011-REL marked BLOCKED: Java analyzer plugin artefacts from SCANNER-ANALYZERS-JAVA-21-011 dev are not available to package.
- 2025-11-25 · DEVOPS-RULES-33-001 completed: codified rules anchor in `ops/devops/rules/contracts-anchor.md` and closed review.
- 2025-11-25 · Work paused: host cannot allocate PTY (`No space left on device`); further CI/script execution blocked until disk/pty space is freed.
- 2025-11-25 · Added disk cleanup helper `scripts/devops/cleanup-workspace.sh` (safe defaults, optional bin/obj) to unblock low-space runners; use `DRY_RUN=1` to preview.
- 2025-11-25 · Documented space recovery steps in `ops/devops/README-space.md` (cleanup script, docker prune, nuget cache clear, artefact dirs).
- 2025-11-25 · DEVOPS-SIG-26-001 completed: added Signals Dockerfile/compose stack (`ops/devops/signals/`), Helm values (`helm/signals/values-signals.yaml`), CI workflow (`.gitea/workflows/signals-ci.yml`), and image export helper (`scripts/signals/build.sh`) with Mongo/Redis dependencies and artifact volume.
- 2025-11-25 · DEVOPS-SIG-26-002 completed: added Signals observability pack—alerts (`ops/devops/observability/signals-alerts.yaml`), Grafana dashboard (`ops/devops/observability/grafana/signals-pipeline.json`), and playbook (`ops/devops/observability/signals-playbook.md`) for scoring latency, cache hit rate, ingestion failures, and sensor staleness.
## Documentation Prerequisites
- docs/README.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/devops/architecture.md
- ops/devops/README.md
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | DEVOPS-OBS-55-001 | DONE (2025-11-25) | Depends on DEVOPS-OBS-54-001 | DevOps Guild · Ops Guild | Incident mode automation: feature flag service, burn-rate trigger, retention overrides, reset job. |
| 2 | DEVOPS-ORCH-32-001 | DONE (2025-11-25) | Bootstrap orchestrator infra | DevOps Guild · Orchestrator Guild | Provision orchestrator Postgres/message bus, CI smoke deploy, dashboards, bootstrap docs. |
| 3 | DEVOPS-ORCH-33-001 | DONE (2025-11-25) | Depends on 32-001 | DevOps Guild · Observability Guild | Grafana dashboards/alerts for rate limiter, backpressure, error clustering, DLQ depth. |
| 4 | DEVOPS-ORCH-34-001 | DONE (2025-11-25) | Depends on 33-001 | DevOps Guild · Orchestrator Guild | Harden production monitoring: synthetic probes, burn-rate alerts, replay smoke, GA readiness checklist. |
| 5 | DEVOPS-POLICY-27-001 | DONE (2025-11-25) | None | DevOps Guild · DevEx/CLI Guild | Add CI stage to run `stella policy lint`. |
| 6 | DEVOPS-POLICY-27-002 | DONE (2025-11-25) | Depends on 27-001 | DevOps Guild · Policy Registry Guild | Batch simulation CI job, threshold enforcement, PR markdown summary. |
| 7 | DEVOPS-POLICY-27-003 | DONE (2025-11-25) | Depends on 27-002 | DevOps Guild · Security Guild | Manage signing keys (OIDC + cosign), rotate keys, verify attestations. |
| 8 | DEVOPS-POLICY-27-004 | DONE (2025-11-25) | Depends on 27-003 | DevOps Guild · Observability Guild | Dashboards/alerts for policy compile latency, simulation queue depth, approval latency, promotion outcomes. |
| 9 | DEVOPS-REL-17-004 | DONE (2025-11-23) | None | DevOps Guild | Release workflow uploads `out/release/debug` and fails when symbols missing. |
| 10 | DEVOPS-RULES-33-001 | DONE (2025-11-25) | None | DevOps Guild · Platform Leads | Contracts & Rules anchor (gateway proxies, AOC no-merge, graph platform consolidation). |
| 11 | DEVOPS-SDK-63-001 | DONE (2025-11-25) | None | DevOps Guild · SDK Release Guild | Provision registry creds, signing keys, secure storage for SDK publishing pipelines. |
| 12 | DEVOPS-SIG-26-001 | DONE (2025-11-25) | None | DevOps Guild · Signals Guild | Provision CI/CD, Helm/Compose manifests for Signals service with artifact storage + Redis. |
| 13 | DEVOPS-SIG-26-002 | DONE (2025-11-25) | Depends on 26-001 | DevOps Guild · Observability Guild | Dashboards/alerts for reachability scoring latency, cache hit rates, sensor staleness. |
| 14 | DEVOPS-TEN-47-001 | BLOCKED (2025-11-25) | Needs Authority tenancy harness | DevOps Guild | JWKS cache monitoring, signature verification regression tests, token expiration chaos tests in CI. |
| 15 | DEVOPS-TEN-48-001 | BLOCKED (2025-11-25) | Depends on 47-001 | DevOps Guild | Integration tests for RLS enforcement, tenant-prefixed object storage, audit events; lint to prevent raw SQL bypass. |
| 16 | DEVOPS-CI-110-001 | DONE (2025-11-25) | None | DevOps Guild · Concelier Guild · Excititor Guild | CI helper + TRX slices at `ops/devops/ci-110-runner/`; warm restore + health smokes. |
| 17 | MIRROR-CRT-56-CI-001 | DONE (2025-11-25) | None | Mirror Creator Guild · DevOps Guild | Move `make-thin-v1.sh` into CI assembler, enforce DSSE/TUF/time-anchor, publish milestone hashes. |
| 18 | MIRROR-CRT-56-002 | DONE (2025-11-25) | Depends on 56-CI-001 | Mirror Creator Guild · Security Guild | Release signing for thin bundle v1 using `MIRROR_SIGN_KEY_B64`; run `.gitea/workflows/mirror-sign.yml`. |
| 19 | MIRROR-CRT-57-001/002 | BLOCKED | Wait on 56-002 + AIRGAP-TIME-57-001 | Mirror Creator Guild · AirGap Time Guild | OCI/time-anchor signing follow-ons. |
| 20 | MIRROR-CRT-58-001/002 | BLOCKED | Depends on 56-002 | Mirror Creator · CLI · Exporter Guilds | CLI/Export signing follow-ons. |
| 21 | EXPORT-OBS-51-001 / 54-001 / AIRGAP-TIME-57-001 / CLI-AIRGAP-56-001 / PROV-OBS-53-001 | BLOCKED | Need signed thin bundle + time anchors | Exporter · AirGap Time · CLI Guild | Export/airgap provenance chain work. |
| 22 | DEVOPS-LEDGER-29-009-REL | BLOCKED (2025-11-25) | Needs LEDGER-29-009 dev outputs | DevOps Guild · Findings Ledger Guild | Release/offline-kit packaging for ledger manifests/backups. |
| 23 | DEVOPS-LEDGER-TEN-48-001-REL | BLOCKED (2025-11-25) | Needs ledger tenant partition work | DevOps Guild · Findings Ledger Guild | Apply RLS/partition migrations in release pipelines; publish manifests/offline-kit artefacts. |
| 24 | DEVOPS-SCANNER-JAVA-21-011-REL | BLOCKED (2025-11-25) | Needs SCANNER-ANALYZERS-JAVA-21-011 outputs | DevOps Guild · Java Analyzer Guild | Package/sign Java analyzer plug-in for release/offline kits. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-03 | Normalised sprint file to standard template; preserved all tasks/logs; no status changes. | Planning |
| 2025-11-25 | DEVOPS-CI-110-001 runner published at `ops/devops/ci-110-runner/`; initial TRX slices stored under `ops/devops/artifacts/ci-110/20251125T030557Z/`. | DevOps |
| 2025-11-25 | MIRROR-CRT-56-CI-001 completed: CI signing script emits milestone hash summary, enforces DSSE/TUF/time-anchor steps, uploads `milestone.json` via `mirror-sign.yml`. | DevOps |
| 2025-11-25 | DEVOPS-OBS-55-001 completed: added incident-mode automation script (`scripts/observability/incident-mode.sh`) and runbook (`ops/devops/observability/incident-mode.md`). | DevOps |
| 2025-11-25 | DEVOPS-ORCH-32-001 completed: orchestrator infra compose stack, smoke script, alerts, Grafana dashboard, bootstrap README under `ops/devops/orchestrator/`. | DevOps |
| 2025-11-25 | DEVOPS-ORCH-33-001 completed: DLQ/backpressure/error panels + alerts (`ops/devops/orchestrator/alerts.yaml`); dashboard `ops/devops/orchestrator/grafana/orchestrator-overview.json`. | DevOps |
| 2025-11-25 | DEVOPS-POLICY-27-003 completed: cosign key rotation/signing/attestation scripts added; CI attestation verification stage wired into `.gitea/workflows/policy-simulate.yml`; runbook `ops/devops/policy-signing.md`. | DevOps |
| 2025-11-25 | DEVOPS-POLICY-27-004 completed: policy pipeline alerts/dashboard/playbook added. | DevOps |
| 2025-11-25 | DEVOPS-POLICY-27-001 completed: `policy-lint` workflow added; caches nugets; publishes lint artifacts. | DevOps |
| 2025-11-25 | DEVOPS-POLICY-27-002 completed: batch simulation harness + CI workflow enforcing violation thresholds, uploads summaries. | DevOps |
| 2025-11-25 | DEVOPS-ORCH-34-001 completed: synthetic probe, replay smoke wrapper, burn-rate alert, README, incident/GA readiness playbook. | DevOps |
| 2025-11-25 | MIRROR-CRT-56-002 completed: mirror-sign workflow enforces prod signing for thin bundle v1 (`REQUIRE_PROD_SIGNING=1`). | DevOps |
| 2025-11-25 | DEVOPS-SDK-63-001 completed: SDK signing/publishing toolchain, secrets guidance, CI workflow, offline/local feed config. | DevOps |
| 2025-11-25 | DEVOPS-TEN-47-001 marked BLOCKED: requires Authority tenancy harness and tenant fixture. | DevOps |
| 2025-11-25 | DEVOPS-TEN-48-001 marked BLOCKED: RLS/object-store/audit tests depend on TEN-47 harness. | DevOps |
| 2025-11-25 | DEVOPS-LEDGER-29-009-REL marked BLOCKED: waiting on LEDGER-29-009 dev outputs. | DevOps |
| 2025-11-25 | DEVOPS-LEDGER-TEN-48-001-REL marked BLOCKED: RLS migrations/artefacts depend on ledger tenant partition work. | DevOps |
| 2025-11-25 | DEVOPS-SCANNER-JAVA-21-011-REL marked BLOCKED: Java analyzer plugin artefacts unavailable. | DevOps |
| 2025-11-25 | Work paused: `No space left on device`; added cleanup helper `scripts/devops/cleanup-workspace.sh` and doc `ops/devops/README-space.md`. | DevOps |
| 2025-11-25 | DEVOPS-SIG-26-001 completed: Signals Dockerfile/compose, Helm values, CI workflow, image export helper with Mongo/Redis deps. | DevOps |
| 2025-11-25 | DEVOPS-SIG-26-002 completed: Signals alerts, dashboard, playbook for latency/cache/staleness. | DevOps |
| 2025-11-23 | DEVOPS-REL-17-004 completed: release workflow uploads debug artefacts and fails on missing symbols. | DevOps |
| 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md` (updated 2025-11-08). | Planning |
## Decisions & Risks
- Hardened Docker/CI artefacts rely on available disk; keep cleanup script in runner docs.
- Cosign key management supports keyless; offline/air-gap paths require mirrored registry + secrets provided to `sbom_attest.sh`.
- Tenant chaos drill requires iptables/root; run only on isolated agents; monitor JWKS cache TTL to avoid auth outages.
- Surface.Env: ZASTAVA_* fallback to SCANNER_* in Helm/Compose; keep docs aligned if prefixes/fields change.
- Surface.Secrets: provisioning playbook published; ensure Helm/Compose env stays in sync; offline kit bundles encrypted secrets—unpack path must match `*_SURFACE_SECRETS_ROOT`.
## Next Checkpoints
- Unblock DEVOPS-TEN-47-001/48-001 by landing Authority tenancy harness and tenant fixtures.
- Deliver AIRGAP-TIME-57-001 to unblock mirror signing follow-ons (MIRROR-CRT-57/58) and export provenance chain.
- Free runner disk space routinely using `scripts/devops/cleanup-workspace.sh` and docker prune to keep CI green.
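Review bot: the Decisions & Risks bullet `- Cosign key management supports keyless; offline/air-gap paths require mirrored registry + secrets provided to \`sbom_attest.sh\`.` names no source for those secrets, and it drops the "requires transparency" qualifier that the Sprint 507 version of the same bullet carries; keep the qualifier here and state which secret store or playbook supplies the offline signing key, since the Next Checkpoints list has no item covering it. Separately, the DEVOPS-TEN-47-001 and DEVOPS-TEN-48-001 rows are marked BLOCKED on the Authority tenancy harness, yet the Sprint 507 tracker in this same commit records DEVOPS-TEN-49-001, which depends on 48-001, as DONE; the two files should agree on whether the harness exists.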
@@ -1,49 +1,62 @@
# Sprint 507 - Ops & Offline · 190.B) Ops Devops.V
# Sprint 507 · Ops DevOps V (Ops & Offline 190.B)
## Topic & Scope
- Ops & Offline phase V: tenant audit/chaos, VEX Lens/Vuln Explorer CI+observability, hardened Docker images, SBOM/attestations, and Surface.Env/Surface.Secrets rollout.
- **Working directory:** ops/devops (plus service-specific Docker/ops assets under ops/devops/*).
## Dependencies & Concurrency
- Depends on Sprint 506 (Ops DevOps IV) outputs and TEN-48 harness for tenant tests.
- Docker hardening (DOCKER-44-001) underpins SBOM/health endpoints tasks.
## Documentation Prerequisites
- docs/modules/devops/architecture.md
- ops/devops/README.md
- ops/devops/docker/base-image-guidelines.md
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | DEVOPS-TEN-49-001 | DONE (2025-12-03) | Depends on DEVOPS-TEN-48-001 | DevOps Guild | Deploy audit pipeline, usage metrics, JWKS outage chaos tests, tenant load/perf benchmarks. |
| 2 | DEVOPS-VEX-30-001 | DONE (2025-12-02) | None | DevOps Guild · VEX Lens Guild | CI/load tests/dashboards/alerts for VEX Lens and Issuer Directory. |
| 3 | DEVOPS-VULN-29-001 | DONE (2025-12-02) | None | DevOps Guild · Findings Ledger Guild | Provision CI jobs for ledger projector; backups, Merkle anchoring, verification. |
| 4 | DEVOPS-VULN-29-002 | DONE (2025-12-02) | Depends on 29-001 | DevOps Guild · Vuln Explorer API Guild | Load/perf tests (5M findings/tenant), budget enforcement, SLO dashboards, alerts. |
| 5 | DEVOPS-VULN-29-003 | DONE (2025-12-02) | Depends on 29-002 | DevOps Guild · Console Guild | Instrument analytics pipeline with query-hash metrics and PII guardrails. |
| 6 | DOCKER-44-001 | DONE (2025-12-03) | None | DevOps Guild · Service Owners | Multi-stage Dockerfiles with non-root user, RO FS, health scripts for core services. |
| 7 | DOCKER-44-002 | DONE (2025-12-02) | Depends on 44-001 | DevOps Guild | SBOMs + cosign attestations; integrate verification into CI. |
| 8 | DOCKER-44-003 | DONE (2025-12-02) | Depends on 44-002 | DevOps Guild | Implement health/version/metrics endpoints; ensure capability `merge=false` for Concelier/Excitior. |
| 9 | OPS-ENV-01 | DONE (2025-12-02) | None | DevOps Guild · Scanner Guild | Update manifests/config docs to include Surface.Env vars for Scanner and Zastava. |
| 10 | OPS-SECRETS-01 | DONE (2025-12-02) | None | DevOps Guild · Security Guild | Secret provisioning workflow for Surface.Secrets (Kubernetes, Compose, Offline Kit). |
| 11 | OPS-SECRETS-02 | DONE (2025-12-02) | Depends on 01 | DevOps Guild · Offline Kit Guild | Embed Surface.Secrets material into offline kit packaging scripts. |
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
[Ops & Offline] 190.B) Ops Devops.V
Depends on: Sprint 190.B - Ops Devops.IV
Summary: Ops & Offline focus on Ops Devops (phase V).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DEVOPS-TEN-49-001 | DOING (2025-12-02) | Deploy audit pipeline, scope usage metrics, JWKS outage chaos tests, and tenant load/perf benchmarks. Dependencies: DEVOPS-TEN-48-001. | DevOps Guild (ops/devops)
DEVOPS-VEX-30-001 | DONE (2025-12-02) | Provision CI, load tests, dashboards, alerts for VEX Lens and Issuer Directory (compute latency, disputed totals, signature verification rates). | DevOps Guild, VEX Lens Guild (ops/devops)
DEVOPS-VULN-29-001 | DONE (2025-12-02) | Provision CI jobs for ledger projector (replay, determinism), set up backups, monitor Merkle anchoring, and automate verification. | DevOps Guild, Findings Ledger Guild (ops/devops)
DEVOPS-VULN-29-002 | DONE (2025-12-02) | Configure load/perf tests (5M findings/tenant), query budget enforcement, API SLO dashboards, and alerts for `vuln_list_latency` and `projection_lag`. Dependencies: DEVOPS-VULN-29-001. | DevOps Guild, Vuln Explorer API Guild (ops/devops)
DEVOPS-VULN-29-003 | DONE (2025-12-02) | Instrument analytics pipeline for Vuln Explorer (telemetry ingestion, query hashes), ensure compliance with privacy/PII guardrails, and update observability docs. Dependencies: DEVOPS-VULN-29-002. | DevOps Guild, Console Guild (ops/devops)
DOCKER-44-001 | DOING (2025-12-01) | Author multi-stage Dockerfiles for all core services (API, Console, Orchestrator, Task Runner, Concelier, Excititor, Policy, Notify, Export, AI) with non-root users, read-only file systems, and health scripts. | DevOps Guild, Service Owners (ops/devops)
DOCKER-44-002 | DONE (2025-12-02) | Generate SBOMs and cosign attestations for each image and integrate verification into CI. Dependencies: DOCKER-44-001. | DevOps Guild (ops/devops)
DOCKER-44-003 | DONE (2025-12-02) | Implement `/health/liveness`, `/health/readiness`, `/version`, `/metrics`, and ensure capability endpoint returns `merge=false` for Concelier/Excitior. Dependencies: DOCKER-44-002. | DevOps Guild (ops/devops)
OPS-ENV-01 | DONE (2025-12-02) | Update deployment manifests (Helm/Compose) and configuration docs to include Surface.Env variables for Scanner and Zastava services. | DevOps Guild, Scanner Guild (ops/devops)
OPS-SECRETS-01 | DONE (2025-12-02) | Define secret provisioning workflow (Kubernetes, Compose, Offline Kit) for Surface.Secrets references and update runbooks. | DevOps Guild, Security Guild (ops/devops)
OPS-SECRETS-02 | DONE (2025-12-02) | Embed Surface.Secrets material (encrypted bundles, manifests) into offline kit packaging scripts. Dependencies: OPS-SECRETS-01. | DevOps Guild, Offline Kit Guild (ops/devops)
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-03 | Completed DEVOPS-TEN-49-001: added tenant recording/alert rules, k6 load harness, chaos runbook/script, and deploy README import steps. | DevOps |
| 2025-12-03 | Completed DOCKER-44-001: service build matrix + build-all helper, console Dockerfile/healthcheck, APP_BINARY-ready hardened template. | DevOps |
| 2025-12-03 | Normalised sprint file to standard template; no status changes. | Planning |
| 2025-12-02 | Completed OPS-ENV-01: added ZASTAVA_* Surface.Env seeds to Helm ConfigMap + Compose env examples and documented rollout in deploy/README. | DevOps |
| 2025-12-02 | Completed OPS-SECRETS-01/02: authored provisioning playbook (`ops/devops/secrets/surface-secrets-provisioning.md`) covering Kubernetes/Compose/Offline Kit and linked from deploy docs; offline kit bundling already covers Surface.Secrets payloads. | DevOps |
| 2025-12-02 | Started DEVOPS-VULN-29-001: added CI/backup/replay/merkle plan (`ops/devops/vuln/vuln-explorer-ci-plan.md`) and projection hash verifier (`ops/devops/vuln/verify_projection.sh`). | DevOps |
| 2025-12-02 | Completed DEVOPS-VULN-29-001: added deterministic replay fixture (`samples/vuln/events/replay.ndjson`), projection snapshot/hash, verifier script, and CI/ops plan. | DevOps |
| 2025-12-02 | Added tenant audit assets for DEVOPS-TEN-49-001: dashboard (`ops/devops/tenant/dashboards/tenant-audit.json`), alerts (`ops/devops/tenant/alerts.yaml`), chaos script (`ops/devops/tenant/jwks-chaos.sh`). | DevOps |
| 2025-12-02 | Completed DEVOPS-VULN-29-002: k6 load/obs assets ready (`ops/devops/vuln/k6-vuln-explorer.js`, dashboard, alerts) and thresholds defined. | DevOps |
| 2025-12-02 | Started DEVOPS-TEN-49-001: drafted audit/usage/chaos plan (`ops/devops/tenant/audit-pipeline-plan.md`) covering metrics, JWKS fault drill, and load benchmarks. | DevOps |
| 2025-12-02 | Started DEVOPS-VULN-29-002: added k6 load script (`ops/devops/vuln/k6-vuln-explorer.js`), Grafana dashboard stub (`ops/devops/vuln/dashboards/vuln-explorer.json`), and alert rules (`ops/devops/vuln/alerts.yaml`). | DevOps |
| 2025-12-02 | Completed DEVOPS-VEX-30-001: drafted VEX Lens CI/load/obs plan (`ops/devops/vex/vex-ci-loadtest-plan.md`) with k6 scenario, dashboards, alerts, offline posture. | DevOps |
| 2025-12-02 | Completed DOCKER-44-003: documented endpoint contract/snippet and provided CI verification helper; services now have guidance to expose health/version/metrics and capabilities merge=false. | DevOps |
| 2025-12-02 | Added health endpoint contract + ASP.NET 10 snippet (`ops/devops/docker/health-endpoints.md`) to guide DOCKER-44-003 adoption. | DevOps |
| 2025-12-02 | Started DOCKER-44-003: added health endpoint verification helper (`ops/devops/docker/verify_health_endpoints.sh`) and documented CI usage in base-image guidelines. | DevOps |
| 2025-12-02 | Completed DOCKER-44-002: added SBOM + cosign attestation helper (`ops/devops/docker/sbom_attest.sh`) and documented usage in base-image guidelines. | DevOps |
| 2025-12-02 | Extended DOCKER-44-001: added hardened multi-stage template (`ops/devops/docker/Dockerfile.hardened.template`) with non-root user/read-only fs and shared healthcheck helper (`healthcheck.sh`). | DevOps |
| 2025-12-01 | Started DOCKER-44-001: added hardened base image blueprint with non-root user, read-only fs, healthcheck, and SDK publish guidance (`ops/devops/docker/base-image-guidelines.md`). | DevOps |
| 2025-12-02 | Completed OPS-SECRETS-01/02: provisioning playbook (`ops/devops/secrets/surface-secrets-provisioning.md`) covering Kubernetes/Compose/Offline Kit; offline kit bundling covers Surface.Secrets payloads. | DevOps |
| 2025-12-02 | Started DEVOPS-VULN-29-001: added CI/backup/replay/merkle plan and projection hash verifier script. | DevOps |
| 2025-12-02 | Completed DEVOPS-VULN-29-001: deterministic replay fixture, snapshot/hash, verifier script, CI/ops plan. | DevOps |
| 2025-12-02 | Added tenant audit assets for DEVOPS-TEN-49-001: dashboard, alerts, chaos script. | DevOps |
| 2025-12-02 | Completed DEVOPS-VULN-29-002: k6 load/observability assets and thresholds defined. | DevOps |
| 2025-12-02 | Started DEVOPS-TEN-49-001: drafted audit/usage/chaos plan covering metrics, JWKS fault drill, load benchmarks. | DevOps |
| 2025-12-02 | Started DEVOPS-VULN-29-002: added k6 load script, Grafana dashboard stub, alert rules. | DevOps |
| 2025-12-02 | Completed DEVOPS-VEX-30-001: VEX Lens CI/load/obs plan with k6 scenario, dashboards, alerts, offline posture. | DevOps |
| 2025-12-02 | Completed DOCKER-44-003: documented endpoint contract/snippet and provided CI verification helper; services guidance for health/version/metrics and capabilities merge=false. | DevOps |
| 2025-12-02 | Added health endpoint contract + ASP.NET 10 snippet to guide DOCKER-44-003 adoption. | DevOps |
| 2025-12-02 | Started DOCKER-44-003: added health endpoint verification helper and documented CI usage in base-image guidelines. | DevOps |
| 2025-12-02 | Completed DOCKER-44-002: SBOM + cosign attestation helper added and documented. | DevOps |
| 2025-12-02 | Extended DOCKER-44-001: hardened multi-stage template with non-root user/RO FS and shared healthcheck helper. | DevOps |
| 2025-12-01 | Started DOCKER-44-001: hardened base image blueprint and SDK publish guidance documented. | DevOps |
| 2025-11-08 | Archived completed/historic work to docs/implplan/archived/tasks.md (updated 2025-11-08). | Planning |
## Decisions & Risks
- Need service-by-service adoption of the hardened Docker template; ensure health endpoints exist (tracked by DOCKER-44-003).
- SBOM/attestation integration (DOCKER-44-002) depends on final image names/digests from 44-001.
- Cosign key management: default flow supports keyless (requires transparency); for offline/air-gap, ensure registry mirror and signing keys are available to `sbom_attest.sh`.
- Surface.Env: ZASTAVA_* fall back to SCANNER_* in Helm/Compose; operators can override per component. Keep `docs/modules/scanner/design/surface-env.md` aligned if prefixes/fields change.
- Surface.Secrets: provisioning playbook published (`ops/devops/secrets/surface-secrets-provisioning.md`); keep Helm/Compose env in sync. Offline kit already bundles encrypted secrets; ensure unpack path matches `*_SURFACE_SECRETS_ROOT`.
- Tenant chaos drill requires iptables/root access; run only in isolated CI agents or staging clusters. Ensure JWKS cache TTL is monitored so chaos window does not trigger widespread auth failures.
| 2025-12-02 | Started DEVOPS-VULN-29-003: drafted analytics ingest/PII guardrail plan (`ops/devops/vuln/analytics-ingest-plan.md`). | DevOps |
| 2025-12-02 | Updated Vuln Explorer observability runbook with query-hash metrics and PII guards to support DEVOPS-VULN-29-003. | DevOps |
| 2025-12-02 | Progress DEVOPS-VULN-29-003: added query-hash metrics spec (`ops/devops/vuln/query-hash-metrics.md`) and updated observability runbook to include PII-safe query hashing and payload metrics. | DevOps |
| 2025-12-02 | Completed DEVOPS-VULN-29-003: published analytics/PII guardrail plan (`ops/devops/vuln/analytics-ingest-plan.md`), query-hash metrics spec (`ops/devops/vuln/query-hash-metrics.md`), and updated runbook for PII-safe metrics. | DevOps |
- Tenant chaos drills require TEN-48 harness orchestration or manual k6 + `jwks-chaos.sh`; run on isolated agents with sudo/iptables access to avoid collateral outages.
- Docker hardening template + service matrix are ready; service owners must adopt the template before enabling `readOnlyRootFilesystem` in Helm/Compose and before SBOM/attest jobs (44-002) are enforced.
- Surface.Secrets/Surface.Env alignment retained; validate offline kit unpack paths whenever images/paths change.
## Next Checkpoints
- Run TEN-48 harness once available to exercise tenant chaos/load assets end-to-end.
- Track service owner adoption of hardened Docker template via `ops/devops/docker/build-all.sh` and `verify_health_endpoints.sh`.
- Validate SBOM/attestation verification in CI with production image names/digests after new images are built from the matrix.
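Review bot: the Delivery Tracker row `| 1 | DEVOPS-TEN-49-001 | DONE (2025-12-03) | Depends on DEVOPS-TEN-48-001 | ...` marks the task complete while DEVOPS-TEN-48-001 is BLOCKED in the Sprint 506 execution log above and this file's own Next Checkpoints still reads "Run TEN-48 harness once available to exercise tenant chaos/load assets end-to-end"; either record which of the audit pipeline, JWKS chaos test and load benchmark were actually exercised without the harness, or keep the status as partial until it lands. Two smaller points: the four `| 2025-12-02 | ... DEVOPS-VULN-29-003 ... |` execution-log rows are placed between the Decisions & Risks bullets instead of in the Execution Log table, where they render as stray table fragments; and "Excitior" in the DOCKER-44-003 rows should read "Excititor", as the DOCKER-44-001 row spells it.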
@@ -1,26 +1,46 @@
# Sprint 508 - Ops & Offline · 190.C) Ops Offline Kit
# Sprint 508 · Ops Offline Kit (Ops & Offline 190.C)
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
## Topic & Scope
- Package offline kit with CLI/task packs, orchestrator/export/notifier bundles, container bundles, Surface.Secrets, and registry mirror assets.
- Ensure manifests/signatures, tests, and docs reflect bundled artefacts.
- **Working directory:** ops/offline-kit and related ops/devops offline-kit scripts.
[Ops & Offline] 190.C) Ops Offline Kit
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli
Summary: Ops & Offline focus on Ops Offline Kit).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CLI-PACKS-43-002 | DONE (2025-11-26) | Bundle Task Pack samples, registry mirror seeds, Task Runner configs, and CLI binaries with checksums into Offline Kit. | Offline Kit Guild, Packs Registry Guild (ops/offline-kit)
DEVOPS-OFFLINE-17-004 | DONE (2025-11-23) | Release debug store mirrored into Offline Kit (`out/offline-kit/metadata/debug-store.json`) via `mirror_debug_store.py`. | Offline Kit Guild, DevOps Guild (ops/offline-kit)
DEVOPS-OFFLINE-34-006 | DONE (2025-11-26) | Bundle orchestrator service container, worker SDK samples, Postgres snapshot, and dashboards into Offline Kit with manifest/signature updates. Dependencies: DEVOPS-OFFLINE-17-004. | Offline Kit Guild, Orchestrator Service Guild (ops/offline-kit)
DEVOPS-OFFLINE-37-001 | DONE (2025-11-26) | Export Center offline bundles + verification tooling (mirror artefacts, verification CLI, manifest/signature refresh, air-gap import script). Dependencies: DEVOPS-OFFLINE-34-006. | Offline Kit Guild, Exporter Service Guild (ops/offline-kit)
DEVOPS-OFFLINE-37-002 | DONE (2025-11-26) | Notifier offline packs (sample configs, template/digest packs, dry-run harness) with integrity checks and operator docs. Dependencies: DEVOPS-OFFLINE-37-001. | Offline Kit Guild, Notifications Service Guild (ops/offline-kit)
OFFLINE-CONTAINERS-46-001 | DONE (2025-11-26) | Include container air-gap bundle, verification docs, and mirrored registry instructions inside Offline Kit. | Offline Kit Guild, Deployment Guild (ops/offline-kit)
OPS-SECRETS-02 | DONE (2025-11-26) | Add Surface.Secrets bundles (encrypted creds, manifests) to Offline Kit packaging plus verification script. Dependencies: OPS-SECRETS-02. | Offline Kit Guild, DevOps Guild (ops/offline-kit)
## Dependencies & Concurrency
- Depends on upstream service artefacts (Orchestrator, Export Center, Notifier, container bundles) and Surface.Secrets outputs.
- Concurrency: packaging can proceed per artefact once source bundle available.
## Documentation Prerequisites
- docs/24_OFFLINE_KIT.md
- docs/modules/devops/architecture.md
- ops/offline-kit README/tests
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CLI-PACKS-43-002 | DONE (2025-11-26) | None | Offline Kit Guild · Packs Registry Guild | Bundle Task Pack samples, registry mirror seeds, Task Runner configs, CLI binaries with checksums. |
| 2 | DEVOPS-OFFLINE-17-004 | DONE (2025-11-23) | None | Offline Kit Guild · DevOps Guild | Mirror release debug store into Offline Kit (`out/offline-kit/metadata/debug-store.json`). |
| 3 | DEVOPS-OFFLINE-34-006 | DONE (2025-11-26) | Depends on 17-004 | Offline Kit Guild · Orchestrator Guild | Bundle orchestrator service container, worker SDK samples, Postgres snapshot, dashboards with manifest/signature updates. |
| 4 | DEVOPS-OFFLINE-37-001 | DONE (2025-11-26) | Depends on 34-006 | Offline Kit Guild · Exporter Guild | Export Center offline bundles + verification tooling, manifest/signature refresh, air-gap import script. |
| 5 | DEVOPS-OFFLINE-37-002 | DONE (2025-11-26) | Depends on 37-001 | Offline Kit Guild · Notifications Guild | Notifier offline packs with configs/templates/dry-run harness + integrity checks and docs. |
| 6 | OFFLINE-CONTAINERS-46-001 | DONE (2025-11-26) | None | Offline Kit Guild · Deployment Guild | Include container air-gap bundle, verification docs, mirrored registry instructions inside Offline Kit. |
| 7 | OPS-SECRETS-02 | DONE (2025-11-26) | Depends on Surface.Secrets assets | Offline Kit Guild · DevOps Guild | Add Surface.Secrets bundles (encrypted creds, manifests) to Offline Kit packaging plus verification script. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-26 | Wired Offline Kit packaging to include CLI binaries (release/cli), Task Runner bootstrap config, and task-pack docs; updated `test_build_offline_kit.py` to cover new artefacts. Marked CLI-PACKS-43-002 DONE. | Implementer |
| 2025-11-26 | Added container bundle pickup (release/containers/images) and mirrored registry doc copy; updated offline kit test coverage; marked OFFLINE-CONTAINERS-46-001 DONE. | Implementer |
| 2025-11-26 | Added orchestrator (service, worker SDK, postgres, dashboards), Export Center bundles, Notifier offline packs, and Surface.Secrets bundles to packaging; expanded offline kit unit test accordingly. Marked DEVOPS-OFFLINE-34-006/37-001/37-002 and OPS-SECRETS-02 DONE. | Implementer |
| 2025-12-03 | Normalised sprint file to standard template; no status changes. | Planning |
| 2025-11-26 | Wired Offline Kit packaging to include CLI binaries, Task Runner bootstrap config, and task-pack docs; updated `test_build_offline_kit.py`; marked CLI-PACKS-43-002 DONE. | Implementer |
| 2025-11-26 | Added container bundle pickup (release/containers/images) and mirrored registry doc copy; offline kit test coverage updated; marked OFFLINE-CONTAINERS-46-001 DONE. | Implementer |
| 2025-11-26 | Added orchestrator (service, worker SDK, postgres, dashboards), Export Center bundles, Notifier offline packs, and Surface.Secrets bundles; expanded offline kit unit test; marked DEVOPS-OFFLINE-34-006/37-001/37-002 and OPS-SECRETS-02 DONE. | Implementer |
| 2025-11-26 | Added bundle composition counts to `<bundle>.metadata.json` (cli/task packs/containers/orchestrator/export/notifier/secrets) and documented in `docs/24_OFFLINE_KIT.md`; test updated. | Implementer |
| 2025-11-26 | Updated Offline Kit doc (`docs/24_OFFLINE_KIT.md`) to describe newly bundled assets (CLI/task packs, orchestrator/export/notifier kits, container bundles, Surface.Secrets) and documented release-dir auto-pickup rules. | Implementer |
| 2025-11-26 | Updated Offline Kit doc to describe newly bundled assets and release-dir auto-pickup rules. | Implementer |
| 2025-11-23 | Release debug store mirrored into Offline Kit (`out/offline-kit/metadata/debug-store.json`) via `mirror_debug_store.py`. | Offline Kit Guild |
## Decisions & Risks
- Packaging assumes release artefacts present under `out/`/`release/`; ensure CI populates before running offline kit build.
- Surface.Secrets bundles require consistent encryption keys and unpack paths across offline kit and deployment docs.
- Keep `test_build_offline_kit.py` updated when new artefact types are added to avoid silent omissions.
## Next Checkpoints
- Validate latest service releases still picked up automatically by offline kit script before next drop.
- Re-run offline kit tests when new artefact type is added (e.g., new service bundles) and refresh `docs/24_OFFLINE_KIT.md`.
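Review bot: the task ID in `| 7 | OPS-SECRETS-02 | DONE (2025-11-26) | Depends on Surface.Secrets assets | ...` collides with Sprint 507, which uses OPS-SECRETS-02 for a different task ("Embed Surface.Secrets material into offline kit packaging scripts", DONE 2025-12-02), and the older row form in this hunk even lists `Dependencies: OPS-SECRETS-02`, i.e. itself; give the Offline Kit packaging task its own ID, or point its dependency at the Sprint 507 task, so the two completion dates stop contradicting each other. Also, the "verification script" promised in that row is never named in the execution log, unlike `test_build_offline_kit.py` and `mirror_debug_store.py`; add its path so the Decisions & Risks bullet about consistent encryption keys and unpack paths refers to something an operator can actually run.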
@@ -1,43 +1,63 @@
# Sprint 511 - Ops & Offline · 190.F) Api
# Sprint 511 · API Governance & OpenAPI (Ops & Offline 190.F)
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
## Topic & Scope
- API governance tooling (Spectral, example coverage, changelog/signing) and OpenAPI composition/diff across services.
- Publish examples, discovery metadata, and compat reports for release pipelines and SDK publishing.
- **Working directory:** src/Api/StellaOps.Api.Governance, src/Api/StellaOps.Api.OpenApi, src/Sdk/StellaOps.Sdk.Release.
[Ops & Offline] 190.F) Api
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli
Summary: Ops & Offline focus on Api).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
APIGOV-61-001 | DONE (2025-11-18) | Spectral config + CI workflow added; npm script `api:lint` runs spectral via npx. | API Governance Guild (src/Api/StellaOps.Api.Governance)
APIGOV-61-002 | DONE (2025-11-18) | Implement example coverage checker ensuring every operation has at least one request/response example. Dependencies: APIGOV-61-001. | API Governance Guild (src/Api/StellaOps.Api.Governance)
APIGOV-62-001 | DONE (2025-11-18) | Build compatibility diff tool producing additive/breaking reports comparing prior release. Dependencies: APIGOV-61-002. | API Governance Guild (src/Api/StellaOps.Api.Governance)
APIGOV-62-002 | DONE (2025-11-24) | Automate changelog generation and publish signed artifacts to `src/Sdk/StellaOps.Sdk.Release` pipeline. Dependencies: APIGOV-62-001. | API Governance Guild, DevOps Guild (src/Api/StellaOps.Api.Governance)
APIGOV-63-001 | BLOCKED | Notification Studio templates and deprecation metadata schema not present; waiting on Notifications Guild assets. | API Governance Guild, Notifications Guild (src/Api/StellaOps.Api.Governance)
OAS-61-001 | DONE (2025-11-18) | Scaffold per-service OpenAPI 3.1 files with shared components, info blocks, and initial path stubs. | API Contracts Guild (src/Api/StellaOps.Api.OpenApi)
OAS-61-002 | DONE (2025-11-18) | Implement aggregate composer (`stella.yaml`) resolving `$ref`s and merging shared components; wire into CI. Dependencies: OAS-61-001. | API Contracts Guild, DevOps Guild (src/Api/StellaOps.Api.OpenApi)
OAS-62-001 | DONE (2025-11-26) | Added examples for Authority, Policy, Orchestrator, Scheduler, Export, Graph stubs; shared error envelopes cover standard errors. Remaining services will be added when their stubs land. | API Contracts Guild, Service Guilds (src/Api/StellaOps.Api.OpenApi)
OAS-62-002 | DONE (2025-11-26) | Spectral rules now enforce list pagination params, 201/202 idempotency headers, and lowerCamel operationIds; orchestrator jobs list includes cursor. | API Contracts Guild (src/Api/StellaOps.Api.OpenApi)
OAS-63-001 | DONE (2025-11-26) | Compat diff reports parameter adds/removals/requiredness, request bodies, and response content-type changes; fixtures/tests updated. | API Contracts Guild (src/Api/StellaOps.Api.OpenApi)
OAS-63-002 | DONE (2025-11-24) | Add `/.well-known/openapi` discovery endpoint schema metadata (extensions, version info). Dependencies: OAS-63-001. | API Contracts Guild, Gateway Guild (src/Api/StellaOps.Api.OpenApi)
## Dependencies & Concurrency
- Depends on upstream service stubs to add examples (Authority, Policy, Orchestrator, Scheduler, Export, Graph, Notification Studio when available).
- APIGOV-63-001 blocked on Notification Studio templates and deprecation metadata schema.
## Documentation Prerequisites
- docs/modules/ci/architecture.md
- docs/api/openapi-discovery.md
- src/Api/StellaOps.Api.Governance/README.md (if present)
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | APIGOV-61-001 | DONE (2025-11-18) | None | API Governance Guild | Add Spectral config + CI workflow; npm script `api:lint` runs spectral. |
| 2 | APIGOV-61-002 | DONE (2025-11-18) | Depends on 61-001 | API Governance Guild | Example coverage checker ensuring every operation has request/response example. |
| 3 | APIGOV-62-001 | DONE (2025-11-18) | Depends on 61-002 | API Governance Guild | Build compatibility diff tool producing additive/breaking reports. |
| 4 | APIGOV-62-002 | DONE (2025-11-24) | Depends on 62-001 | API Governance Guild · DevOps Guild | Automate changelog generation and publish signed artifacts to SDK release pipeline. |
| 5 | APIGOV-63-001 | BLOCKED | Missing Notification Studio templates + deprecation schema | API Governance Guild · Notifications Guild | Add notification template coverage and deprecation metadata schema. |
| 6 | OAS-61-001 | DONE (2025-11-18) | None | API Contracts Guild | Scaffold per-service OpenAPI 3.1 files with shared components/info/initial stubs. |
| 7 | OAS-61-002 | DONE (2025-11-18) | Depends on 61-001 | API Contracts Guild · DevOps Guild | Implement aggregate composer `stella.yaml` resolving refs and merging shared components; wire into CI. |
| 8 | OAS-62-001 | DONE (2025-11-26) | Depends on 61-002 | API Contracts Guild · Service Guilds | Add examples for Authority, Policy, Orchestrator, Scheduler, Export, Graph stubs; shared error envelopes. |
| 9 | OAS-62-002 | DONE (2025-11-26) | Depends on 62-001 | API Contracts Guild | Spectral rules enforce pagination params, idempotency headers, lowerCamel operationIds; cursor on orchestrator jobs. |
| 10 | OAS-63-001 | DONE (2025-11-26) | Depends on 62-002 | API Contracts Guild | Compat diff reports parameter/body/response content-type changes; fixtures/tests updated. |
| 11 | OAS-63-002 | DONE (2025-11-24) | Depends on 63-001 | API Contracts Guild · Gateway Guild | Add `/.well-known/openapi` discovery endpoint schema metadata (extensions, version info). |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-08 | Archived completed/historic work to docs/implplan/archived/tasks.md (updated 2025-11-08). | Planning |
| 2025-11-18 | Added Spectral config (`.spectral.yaml`), npm `api:lint` (npx spectral) script, and CI workflow `.gitea/workflows/api-governance.yml`; marked APIGOV-61-001 DONE. | API Governance Guild |
| 2025-11-18 | Implemented example coverage checker (`api:examples`), aggregate composer `compose.mjs`, and initial per-service OAS stubs (authority/orchestrator/policy/export-center); OAS-61-001/002 set to DONE. | API Contracts Guild |
| 2025-11-19 | Added scheduler/export-center/graph shared endpoints, shared paging/security components, and CI diff gates (previous commit + baseline). Created baseline `stella-baseline.yaml`. | API Contracts Guild |
| 2025-11-19 | Implemented API changelog generator (`api:changelog`), wired compose/examples/compat/changelog into CI, and added new policy revisions + scheduler queue/job endpoints. | API Contracts Guild |
| 2025-12-03 | Normalised sprint file to standard template; no status changes. | Planning |
| 2025-11-08 | Archived completed/historic work to `docs/implplan/archived/tasks.md` (updated 2025-11-08). | Planning |
| 2025-11-18 | Added Spectral config (`.spectral.yaml`), npm `api:lint`, and CI workflow `.gitea/workflows/api-governance.yml`; APIGOV-61-001 DONE. | API Governance Guild |
| 2025-11-18 | Implemented example coverage checker (`api:examples`), aggregate composer `compose.mjs`, and initial per-service OAS stubs (authority/orchestrator/policy/export-center); OAS-61-001/002 DONE. | API Contracts Guild |
| 2025-11-19 | Added scheduler/export-center/graph shared endpoints, shared paging/security components, and CI diff gates with baseline `stella-baseline.yaml`. | API Contracts Guild |
| 2025-11-19 | Implemented API changelog generator (`api:changelog`), wired compose/examples/compat/changelog into CI, added policy revisions + scheduler queue/job endpoints. | API Contracts Guild |
| 2025-11-24 | Completed OAS-63-002: documented discovery payload for `/.well-known/openapi` in `docs/api/openapi-discovery.md` with extensions/version metadata. | Implementer |
| 2025-11-24 | Completed APIGOV-62-002: `api:changelog` now copies release-ready artifacts + digest/signature to `src/Sdk/StellaOps.Sdk.Release/out/api-changelog` for SDK pipeline consumption. | Implementer |
| 2025-11-26 | Added request/response examples to Authority token/introspect/revoke/JWKS endpoints and updated OAS-62-001 status to DOING. | Implementer |
| 2025-11-26 | Added policy `/evaluate` allow/deny examples, sample request, and `/policies` list example + schema stub; sprint status OAS-62-001 remains DOING. | Implementer |
| 2025-11-24 | Completed APIGOV-62-002: `api:changelog` now copies release-ready artifacts + digest/signature to `src/Sdk/StellaOps.Sdk.Release/out/api-changelog`. | Implementer |
| 2025-11-26 | Added request/response examples to Authority token/introspect/revoke/JWKS endpoints; updated OAS-62-001 status to DOING. | Implementer |
| 2025-11-26 | Added policy `/evaluate` examples and `/policies` list example + schema stub; OAS-62-001 still DOING. | Implementer |
| 2025-11-26 | Added Orchestrator `/jobs` list examples (filtered + mixed queues) and invalid status error; bumped orchestrator OAS version to 0.0.2. | Implementer |
| 2025-11-26 | Added Scheduler queue examples (empty + snapshot) and Export Center bundle/list/manifest examples; bumped scheduler/export OAS versions to 0.0.2. | Implementer |
| 2025-11-26 | Added Graph status/nodes examples with tenant context; bumped graph OAS version to 0.0.2. | Implementer |
| 2025-11-26 | Added auth (Bearer/client-credentials) security blocks to Export Center bundle endpoints. | Implementer |
| 2025-11-26 | Marked OAS-62-001 DONE after covering Authority/Policy/Orchestrator/Scheduler/Export/Graph stubs with examples; remaining services will be covered once stubs are available. | Implementer |
| 2025-11-26 | Added Spectral rules for 2xx examples and Idempotency-Key on /jobs; refreshed stella.yaml/baseline and ran `npm run api:lint` (warnings only). OAS-62-002 → DOING. | Implementer |
| 2025-11-26 | Declared aggregate tags in compose, removed unused HealthResponse, regenerated baseline; `npm run api:lint` now passes with zero warnings. | Implementer |
| 2025-11-26 | Tightened lint: list/search GETs require limit+cursor, 201/202 writers require Idempotency-Key; added cursor to orchestrator `/jobs`, recomposed stella.yaml/baseline; `npm run api:lint` clean. | Implementer |
| 2025-11-26 | Enhanced `api-compat-diff` to report parameter, request body, and response content-type changes; refreshed fixtures/tests; marked OAS-62-002 and OAS-63-001 DONE. | Implementer |
| 2025-11-26 | Added Scheduler queue examples and Export Center bundle/list/manifest examples; bumped versions to 0.0.2. | Implementer |
| 2025-11-26 | Added Graph status/nodes examples with tenant context; version bumped to 0.0.2. | Implementer |
| 2025-11-26 | Added auth security blocks to Export Center bundle endpoints. | Implementer |
| 2025-11-26 | Marked OAS-62-001 DONE after covering service stubs with examples; remaining services will be added once stubs are available. | Implementer |
| 2025-11-26 | Added Spectral rules for 2xx examples and Idempotency-Key on /jobs; refreshed stella.yaml/baseline; `npm run api:lint` warnings cleared; OAS-62-002 DOING. | Implementer |
| 2025-11-26 | Declared aggregate tags in compose, removed unused HealthResponse, regenerated baseline; `npm run api:lint` passes. | Implementer |
| 2025-11-26 | Tightened lint (pagination/idempotency); recomposed stella.yaml/baseline; `npm run api:lint` clean. | Implementer |
| 2025-11-26 | Enhanced `api-compat-diff` to report param/body/response content-type changes; fixtures/tests refreshed; marked OAS-62-002 and OAS-63-001 DONE. | Implementer |
| 2025-11-19 | Marked OAS-62-001 BLOCKED pending OAS-61-002 ratification and approved examples/error envelope. | Implementer |
## Decisions & Risks
- APIGOV-63-001 blocked until Notification Studio templates and deprecation metadata schema are delivered; downstream changelog/compat outputs must note missing notification metadata.
- Compose/lint/diff pipelines rely on baseline `stella-baseline.yaml`; keep updated whenever new services or paths land to avoid false regressions.
- Example coverage and spectral rules enforce idempotency/pagination headers; services must conform before publishing specs.
## Next Checkpoints
- Receive Notification Studio templates/deprecation schema to unblock APIGOV-63-001 and add notification examples.
- Re-run `npm run api:lint` and `npm run api:compat` after next service stub additions to refresh baseline and changelog artifacts.
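Review bot: the normalised changelog keeps two copies of the same entries and is not in date order, which undercuts the "no status changes" claim on the 2025-12-03 row. The 2025-11-19 "Added scheduler/export-center/graph shared endpoints" line appears twice with different wording, as do the 2025-11-24 APIGOV-62-002 line and each of the 2025-11-26 lines; the 2025-12-03 row sits between 2025-11-19 and 2025-11-08; and the 2025-11-19 "Marked OAS-62-001 BLOCKED" row is the last entry, after the 2025-11-26 row that marks it DONE, so a reader scanning from the bottom takes OAS-62-001 as blocked. Keep one wording per event and sort ascending by date. Separately, "regenerated baseline; `npm run api:lint` now passes" should record what the compat diff reported before `stella-baseline.yaml` was refreshed: regenerating the baseline to clear lint is exactly how a breaking API change slips past the diff gate that Decisions & Risks says depends on that file.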
@@ -1256,7 +1256,7 @@ Consolidated task ledger for everything under `docs/implplan/archived/` (sprints
| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | MIRROR-CRT-57-002 | TODO | Embed signed time anchors in bundles. | Mirror Creator Guild | Path: src/Mirror/StellaOps.Mirror.Creator | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | NOTIFY-AIRGAP-56-001 | TODO | Lock notifications to enclave-safe channels. | Notifications Service Guild | Path: src/Notifier/StellaOps.Notifier | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | ORCH-AIRGAP-56-002 | TODO | Integrate sealing status + staleness into scheduling. | Orchestrator Service Guild | Path: src/Orchestrator/StellaOps.Orchestrator | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | TASKRUN-AIRGAP-56-002 | TODO | Provide bundle ingestion helper steps. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 57 — Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | TASKRUN-AIRGAP-56-002 | DONE (2025-12-03) | Provide bundle ingestion helper steps. | Task Runner Guild | Path: src/TaskRunner/StellaOps.TaskRunner | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 58 — Air-Gapped Mode Phase 3 – Staleness & Enforcement | DOCS-AIRGAP-58-001 | TODO | Publish degradation matrix doc. | Docs Guild | Path: docs | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 58 — Air-Gapped Mode Phase 3 – Staleness & Enforcement | DOCS-AIRGAP-58-002 | TODO | Update trust & signing doc for DSSE/TUF roots. | Docs Guild | Path: docs | 2025-10-19 |
| docs/implplan/archived/updates/tasks.md | Sprint 58 — Air-Gapped Mode Phase 3 – Staleness & Enforcement | DOCS-AIRGAP-58-003 | TODO | Publish developer airgap contracts doc. | Docs Guild | Path: docs | 2025-10-19 |
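Review bot: the archived ledger still lists DOCS-AIRGAP-58-001 as TODO in this hunk's context while the live table in the same commit marks it BLOCKED (2025-11-25), so the two ledgers disagree on a row this change did not touch; regenerate the archive from the live table instead of hand-editing single rows. The new DONE (2025-12-03) row for TASKRUN-AIRGAP-56-002 also keeps the 2025-10-19 date in its last column and the one-line summary "Provide bundle ingestion helper steps", so the archive gives no pointer to what was delivered, whereas the live row names checksum verification and object-store staging with deterministic outputs.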
@@ -1294,7 +1294,7 @@ This file describe implementation of Stella Ops (docs/README.md). Implementation
| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Mirror/StellaOps.Mirror.Creator | TODO | Mirror Creator Guild | MIRROR-CRT-57-002 | Embed signed time anchors in bundles. |
| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Notifier/StellaOps.Notifier | TODO | Notifications Service Guild | NOTIFY-AIRGAP-56-001 | Lock notifications to enclave-safe channels. |
| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Orchestrator/StellaOps.Orchestrator | TODO | Orchestrator Service Guild | ORCH-AIRGAP-56-002 | Integrate sealing status + staleness into scheduling. |
| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/TaskRunner/StellaOps.TaskRunner | TODO | Task Runner Guild | TASKRUN-AIRGAP-56-002 | Provide bundle ingestion helper steps. |
| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/TaskRunner/StellaOps.TaskRunner | DONE (2025-12-03) | Task Runner Guild | TASKRUN-AIRGAP-56-002 | Provide bundle ingestion helper steps. |
| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs | TODO | Docs Guild | DOCS-AIRGAP-58-001 | Publish degradation matrix doc. |
| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs | TODO | Docs Guild | DOCS-AIRGAP-58-002 | Update trust & signing doc for DSSE/TUF roots. |
| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs | TODO | Docs Guild | DOCS-AIRGAP-58-003 | Publish developer airgap contracts doc. |
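Review bot: this is the second copy of the same TASKRUN-AIRGAP-56-002 status flip inside the archive, and with the live row (last updated 2025-11-30, DONE 2025-12-03) the commit now carries three tables for one task whose dates disagree. If these summaries are not generated from a single source, the row should at least carry the completion date in a date column rather than only inside the status cell, and DOCS-AIRGAP-58-001 should match the BLOCKED (2025-11-25) status the live table gives it rather than the TODO kept here.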
@@ -92,8 +92,8 @@
| AIRGAP-56-001 | DONE (2025-11-24) | 2025-11-24 | SPRINT_110_ingestion_evidence | Exporter Guild · AirGap Time Guild · CLI Guild | docs/modules/airgap/airgap-mode.md | Mirror import helpers and bundle catalog wired for sealed mode. | PROGRAM-STAFF-1001 | AGCO0101 |
| AIRGAP-56-001..58-001 | DONE (2025-11-24) | 2025-11-24 | SPRINT_110_ingestion_evidence | Concelier Core · AirGap Guilds | docs/modules/airgap/airgap-mode.md | Deterministic bundle + manifest/entry-trace and sealed-mode deploy runbook shipped. | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ELOCKER-CONTRACT-2001 | AGCO0101 |
| AIRGAP-56-002 | DONE | | SPRINT_170_notifications_telemetry | Notifications Service Guild · DevOps Guild | src/Notify/StellaOps.Notify | | | NOTY0101 |
| AIRGAP-56-003 | DONE | 2025-11-23 | SPRINT_301_docs_tasks_md_i | Docs Guild · Exporter Guild | docs/modules/airgap | DOCS-AIRGAP-56-002 | DOCS-AIRGAP-56-002 | AIDG0101 |
| AIRGAP-56-004 | DONE | 2025-11-23 | SPRINT_301_docs_tasks_md_i | Docs Guild · Deployment Guild | docs/modules/airgap | AIRGAP-56-003 | DOCS-AIRGAP-56-003 | AIDG0101 |
| AIRGAP-56-003 | DONE | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Exporter Guild | docs/modules/airgap | DOCS-AIRGAP-56-002 | DOCS-AIRGAP-56-002 | AIDG0101 |
| AIRGAP-56-004 | DONE | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Deployment Guild | docs/modules/airgap | AIRGAP-56-003 | DOCS-AIRGAP-56-003 | AIDG0101 |
| AIRGAP-57 | DONE (2025-11-24) | 2025-11-24 | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | docs/modules/airgap/airgap-mode.md | Air-gap bundle timeline/hooks completed. | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | AGCO0101 |
| AIRGAP-57-001 | DONE | 2025-11-08 | SPRINT_100_identity_signing | Authority Core & Security Guild, DevOps Guild (src/Authority/StellaOps.Authority) | src/Authority/StellaOps.Authority | | AUTH-AIRGAP-56-001; DEVOPS-AIRGAP-57-002 | KMSI0101 |
| AIRGAP-57-002 | DOING | 2025-11-08 | SPRINT_503_ops_devops_i | DevOps Guild, Authority Guild (ops/devops) | ops/devops | | | DVDO0101 |
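Review bot: the sprint rename for AIRGAP-56-003/56-004 carries a column shift forward: their description cells hold task IDs (DOCS-AIRGAP-56-002, AIRGAP-56-003) instead of a summary, unlike the neighbouring rows, and AIRGAP-56-004's two dependency-style cells disagree (AIRGAP-56-003 vs DOCS-AIRGAP-56-003); fix the cells while the rows are being touched. The rename is also partial, since AIRGAP-57-001 and AIRGAP-57-002 in the same context keep the old SPRINT_100_identity_signing / SPRINT_503_ops_devops_i style, so either state that both styles stay valid or migrate the remaining rows. The roll-up row AIRGAP-56-001..58-001 marked DONE (2025-11-24) also conflicts with AIRGAP-57-002 still DOING three rows below it.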
@@ -314,7 +314,7 @@
| CLI-ATTEST-75-001 | TODO | | SPRINT_0201_0001_0001_cli_i | CLI Attestor Guild, KMS Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella attest key create. Dependencies: CLI-ATTEST-74-002. | — | CLCI0102 |
| CLI-ATTEST-75-002 | TODO | | SPRINT_0201_0001_0001_cli_i | CLI Attestor Guild | src/Cli/StellaOps.Cli | Add support for building/verifying attestation bundles in CLI. Dependencies: CLI-ATTEST-75-001. | Wait for ATEL0102 outputs | CLCI0109 |
| CLI-CORE-41-001 | TODO | | SPRINT_202_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement CLI core features: config precedence, profiles/contexts, auth flows, output renderer (json/yaml/table), error mapping, global flags, telemetry opt-in. | — | CLCI0103 |
| CLI-DET-01 | TODO | | SPRINT_301_docs_tasks_md_i | Docs Guild · DevEx/CLI Guild | | CLI-SBOM-60-001; CLI-SBOM-60-002 | CLI-SBOM-60-001; CLI-SBOM-60-002 | CLCI0103 |
| CLI-DET-01 | DONE (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · DevEx/CLI Guild | | CLI-SBOM-60-001; CLI-SBOM-60-002 | CLI-SBOM-60-001; CLI-SBOM-60-002 | CLCI0103 |
| CLI-DETER-70-003 | DONE | 2025-11-28 | SPRINT_0202_0001_0001_cli_ii | DevEx/CLI Guild, Scanner Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Provide `stella detscore run` that executes the determinism harness locally (fixed clock, seeded RNG, canonical hashes) and writes `determinism.json`, supporting CI/non-zero threshold exit codes (`docs/modules/scanner/determinism-score.md`). | — | CLCI0103 |
| CLI-DETER-70-004 | TODO | | SPRINT_203_cli_iii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Add `stella detscore report` to summarise published `determinism.json` files (overall score, per-image matrix) and integrate with release notes/air-gap kits (`docs/modules/scanner/determinism-score.md`). Dependencies: CLI-DETER-70-003. | — | CLCI0103 |
| CLI-DOCS-0001 | TODO | | SPRINT_316_docs_modules_cli | Docs Guild (docs/modules/cli) | docs/modules/cli | See ./AGENTS.md | — | CLCI0103 |
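Review bot: CLI-DET-01 moves to DONE (2025-11-23) but the row has no path and its description cell holds only dependency IDs (CLI-SBOM-60-001; CLI-SBOM-60-002), so the ledger records nothing about what was delivered; the DOCS-CLI-DET-01 row elsewhere in this commit describes the `stella sbomer` verbs (`layer`, `compose`, `drift`, `verify`), so copy that summary here or merge the two rows. Visible in the context and unrelated to the change: the CLI-ATTEST-75-001 description has an unclosed backtick in `stella attest key create`.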
@@ -646,12 +646,12 @@
| DOCS-AIAI-31-006 | TODO | 2025-11-13 | SPRINT_0111_0001_0001_advisoryai | Docs Guild · Advisory AI Guild | docs/modules/advisory-ai | `/docs/policy/assistant-parameters.md` now documents inference modes, guardrail phrases, budgets, and cache/queue knobs (POLICY-ENGINE-31-001 inputs captured via `AdvisoryAiServiceOptions`). | Need latest telemetry outputs from ADAI0101 | DOAI0104 |
| DOCS-AIAI-31-008 | BLOCKED | 2025-11-18 | SPRINT_0111_0001_0001_advisoryai | Docs Guild · SBOM Service Guild (docs) | docs | Publish `/docs/sbom/remediation-heuristics.md` (feasibility scoring, blast radius). | SBOM-AIAI-31-001 projection kit/fixtures | DOAI0104 |
| DOCS-AIAI-31-009 | DONE (2025-11-25) | 2025-11-25 | SPRINT_110_ingestion_evidence | Docs Guild | | Docs updated with guardrail/ops addenda and offline hashes. | DOCS-AIAI-31-004; CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | DOAI0102 |
| DOCS-AIRGAP-56-001 | TODO | | SPRINT_301_docs_tasks_md_i | Docs Guild · AirGap Controller Guild | | `/docs/airgap/overview.md` outlining modes, lifecycle, responsibilities, rule banner. | — | DOAI0102 |
| DOCS-AIRGAP-56-002 | TODO | | SPRINT_301_docs_tasks_md_i | Docs Guild · DevOps Guild | | `/docs/airgap/sealing-and-egress.md` (network policies, EgressPolicy facade, verification). | DOCS-AIRGAP-56-001 | DOAI0102 |
| DOCS-AIRGAP-56-003 | TODO | | SPRINT_301_docs_tasks_md_i | Docs Guild · Exporter Guild | bundle format, DSSE/TUF/Merkle validation, workflows | `/docs/airgap/mirror-bundles.md` (bundle format, DSSE/TUF/Merkle validation, workflows). | DOCS-AIRGAP-56-002 | DOAI0102 |
| DOCS-AIRGAP-56-004 | TODO | | SPRINT_301_docs_tasks_md_i | Docs Guild · Deployment Guild | | `/docs/airgap/bootstrap.md` covering Bootstrap Pack creation + install. | DOCS-AIRGAP-56-003 | DOAI0102 |
| DOCS-AIRGAP-57-001 | TODO | | SPRINT_301_docs_tasks_md_i | Docs Guild · AirGap Time Guild | docs/modules/airgap | `/docs/airgap/staleness-and-time.md` (time anchors, drift, UI indicators). | DOCS-AIRGAP-56-004 | DOAI0102 |
| DOCS-AIRGAP-57-002 | TODO | | SPRINT_301_docs_tasks_md_i | Docs Guild · Console Guild | docs/modules/airgap | `/docs/console/airgap.md` (sealed badge, import wizard, staleness dashboards). | DOCS-AIRGAP-57-001 | DOAI0102 |
| DOCS-AIRGAP-56-001 | DONE (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · AirGap Controller Guild | | `/docs/airgap/overview.md` outlining modes, lifecycle, responsibilities, rule banner. | — | DOAI0102 |
| DOCS-AIRGAP-56-002 | DONE (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · DevOps Guild | | `/docs/airgap/sealing-and-egress.md` (network policies, EgressPolicy facade, verification). | DOCS-AIRGAP-56-001 | DOAI0102 |
| DOCS-AIRGAP-56-003 | DONE (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Exporter Guild | bundle format, DSSE/TUF/Merkle validation, workflows | `/docs/airgap/mirror-bundles.md` (bundle format, DSSE/TUF/Merkle validation, workflows). | DOCS-AIRGAP-56-002 | DOAI0102 |
| DOCS-AIRGAP-56-004 | DONE (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Deployment Guild | | `/docs/airgap/bootstrap.md` covering Bootstrap Pack creation + install. | DOCS-AIRGAP-56-003 | DOAI0102 |
| DOCS-AIRGAP-57-001 | DONE (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · AirGap Time Guild | docs/modules/airgap | `/docs/airgap/staleness-and-time.md` (time anchors, drift, UI indicators). | DOCS-AIRGAP-56-004 | DOAI0102 |
| DOCS-AIRGAP-57-002 | DONE (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Console Guild | docs/modules/airgap | `/docs/console/airgap.md` (sealed badge, import wizard, staleness dashboards). | DOCS-AIRGAP-57-001 | DOAI0102 |
| DOCS-AIRGAP-57-003 | TODO | | SPRINT_302_docs_tasks_md_ii | Docs Guild · CLI Guild | docs/modules/airgap | Publish `/docs/modules/cli/guides/airgap.md` documenting commands, examples, exit codes. Dependencies: DOCS-AIRGAP-57-002. | AIDG0101 tasks 3–4 | DOCL0102 |
| DOCS-AIRGAP-57-004 | TODO | | SPRINT_302_docs_tasks_md_ii | Docs Guild · Ops Guild | docs/modules/airgap | Create `/docs/airgap/operations.md` with runbooks for imports, failure recovery, and auditing. Dependencies: DOCS-AIRGAP-57-003. | DOCS-AIRGAP-57-003 | DOCL0102 |
| DOCS-AIRGAP-58-001 | BLOCKED | 2025-11-25 | SPRINT_302_docs_tasks_md_ii | Docs Guild, Product Guild (docs) | | Provide `/docs/airgap/degradation-matrix.md` enumerating feature availability, fallbacks, remediation. Dependencies: DOCS-AIRGAP-57-004. | Blocked: waiting on staleness/time-anchor spec and AirGap controller/importer timelines | DOCL0102 |
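Review bot: the six DOCS-AIRGAP rows flip to DONE (2025-11-23) with their other cells carried over verbatim, so DOCS-AIRGAP-56-003 still has its description ("bundle format, DSSE/TUF/Merkle validation, workflows") sitting in the path column, 56-001/56-002/56-004 have no path while 57-001/57-002 say docs/modules/airgap, and none of the rows records the published file even though each description names it (`/docs/airgap/overview.md`, `/docs/airgap/mirror-bundles.md`, and so on). The mirror-bundles doc is what importers will verify DSSE/TUF/Merkle material against, so its location is worth keeping in the ledger. With 57-002 now DONE, DOCS-AIRGAP-57-003 also looks stale: its only listed dependency is satisfied, yet it stays TODO with the blocker cell "AIDG0101 tasks 3–4".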
@@ -671,7 +671,7 @@
| DOCS-ATTEST-75-002 | DONE | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild, Security Guild (docs) | | Update `/docs/security/aoc-invariants.md` with attestation invariants. Dependencies: DOCS-ATTEST-75-001. | — | DOAT0101 |
| DOCS-CLI-41-001 | DONE | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild, DevEx/CLI Guild (docs) | docs/modules/cli/guides | Publish `/docs/modules/cli/guides/overview.md`, `/docs/modules/cli/guides/configuration.md`, `/docs/modules/cli/guides/output-and-exit-codes.md` with imposed rule statements. | — | DOCL0101 |
| DOCS-CLI-42-001 | DONE | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild (docs) | docs/modules/cli/guides | Publish `/docs/modules/cli/guides/parity-matrix.md` and command guides under `/docs/modules/cli/guides/commands/*.md` (policy, sbom, vuln, vex, advisory, export, orchestrator, notify, aoc, auth). Dependencies: DOCS-CLI-41-001. | — | DOCL0101 |
| DOCS-CLI-DET-01 | DONE | 2025-11-23 | SPRINT_301_docs_tasks_md_i | Docs Guild · DevEx/CLI Guild | | Document `stella sbomer` verbs (`layer`, `compose`, `drift`, `verify`) with examples & offline instructions. | CLI-SBOM-60-001; CLI-SBOM-60-002 | DOCL0101 |
| DOCS-CLI-DET-01 | DONE | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · DevEx/CLI Guild | | Document `stella sbomer` verbs (`layer`, `compose`, `drift`, `verify`) with examples & offline instructions. | CLI-SBOM-60-001; CLI-SBOM-60-002 | DOCL0101 |
| DOCS-CLI-FORENSICS-53-001 | DONE | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild, DevEx/CLI Guild (docs) | docs/modules/cli/guides | Publish `/docs/modules/cli/guides/forensics.md` for snapshot/verify/attest commands with sample outputs, imposed rule banner, and offline workflows. | — | DOCL0101 |
| DOCS-CLI-OBS-52-001 | DONE | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild, DevEx/CLI Guild (docs) | docs/modules/cli/guides | Create `/docs/modules/cli/guides/observability.md` detailing `stella obs` commands, examples, exit codes, imposed rule banner, and scripting tips. | — | DOCL0101 |
| DOCS-CONSOLE-OBS-52-001 | BLOCKED | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild, Console Guild (docs) | | Document `/docs/console/observability.md` showcasing Observability Hub widgets, trace/log search, imposed rule banner, and accessibility tips. | Blocked: awaiting Console Observability Hub schemas/widgets from Console Guild | DOCL0101 |
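Review bot: this hunk only renames the sprint on DOCS-CLI-DET-01, yet the same commit marks CLI-DET-01 DONE with identical dependencies (CLI-SBOM-60-001; CLI-SBOM-60-002) and an empty description, so one piece of work now lives under two IDs. Cross-reference the rows or fold one into the other, and fill the empty path column here; the neighbouring DOCS-CLI rows record docs/modules/cli/guides, which is where a `stella sbomer` guide would sit.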
@@ -753,7 +753,7 @@
| DOCS-POLICY-27-012 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Ops Guild | docs/policy/runs.md | Write `/docs/runbooks/policy-incident.md` detailing rollback, freeze, forensic steps, notifications. Dependencies: DOCS-POLICY-27-011. | Needs ops playbooks (DVDO0108) | DOPL0103 |
| DOCS-POLICY-27-013 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Policy Guild | docs/policy/runs.md | Update `/docs/examples/policy-templates.md` with new templates, snippets, and sample policies. Dependencies: DOCS-POLICY-27-012. | Await policy guild approval | DOPL0103 |
| DOCS-POLICY-27-014 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Policy Registry Guild | docs/policy/runs.md | Refresh `/docs/aoc/aoc-guardrails.md` to include Studio-specific guardrails and validation scenarios. Dependencies: DOCS-POLICY-27-013. | Needs policy registry approvals | DOPL0103 |
| DOCS-POLICY-DET-01 | TODO | | SPRINT_301_docs_tasks_md_i | Docs Guild · Policy Guild | docs/policy/runs.md | Extend `docs/modules/policy/architecture.md` with determinism gate semantics and provenance references. | Depends on deterministic harness (137_SCDT0101) | DOPL0103 |
| DOCS-POLICY-DET-01 | DONE (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Policy Guild | docs/policy/runs.md | Extend `docs/modules/policy/architecture.md` with determinism gate semantics and provenance references. | Depends on deterministic harness (137_SCDT0101) | DOPL0103 |
| DOCS-PROMO-70-001 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · Provenance Guild | docs/release/promotion-attestations.md | Publish `/docs/release/promotion-attestations.md` describing the promotion workflow (CLI commands, Signer/Attestor integration, offline verification) and update `/docs/forensics/provenance-attestation.md` with the new predicate. Dependencies: PROV-OBS-53-003, CLI-PROMO-70-002. | — | DOPV0101 |
| DOCS-REACH-201-006 | TODO | | SPRINT_400_runtime_facts_static_callgraph_union | Docs Guild · Runtime Evidence Guild | docs/reachability | Author the reachability doc set (`docs/signals/reachability.md`, `callgraph-formats.md`, `runtime-facts.md`, CLI/UI appendices) plus update Zastava + Replay guides with the new evidence and operators’ workflow. | Needs RBRE0101 provenance hook summary | DORC0101 |
| DOCS-REPLAY-185-003 | TODO | | SPRINT_185_shared_replay_primitives | Docs Guild · Platform Data Guild | docs/replay | Author `docs/data/replay_schema.md` detailing `replay_runs`, `replay_bundles`, `replay_subjects` collections, index guidance, and offline sync strategy aligned with Replay CAS. | Need RPRC0101 API freeze | DORR0101 |
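Review bot: DOCS-POLICY-DET-01 becomes DONE (2025-11-23) while its blocker cell still reads "Depends on deterministic harness (137_SCDT0101)", and the companion DOCS-SCANNER-DET-01 row in this same commit goes BLOCKED on the same date for that same harness. Either the harness landed, in which case clear the blocker note here and unblock the scanner row, or the policy doc's "determinism gate semantics and provenance references" were written against an unfinished harness, in which case the row should say which revision of the gate contract it documents; policy consumers will rely on those gate semantics, and a doc that drifts from the harness is worse than none.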
@@ -778,7 +778,7 @@
| DOCS-SCANNER-BENCH-62-006 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Document Rust fingerprint enrichment guidance and policy examples. | Requires updated benchmarks from SCSA0601 | DOSB0101 |
| DOCS-SCANNER-BENCH-62-008 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Platform Data Guild | docs/modules/scanner/benchmarks | Publish EntryTrace explain/heuristic maintenance guide. | Wait for replay hooks (RPRC0101) | DOSB0101 |
| DOCS-SCANNER-BENCH-62-009 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · DevEx/CLI Guild | docs/modules/scanner/benchmarks | Produce SAST integration documentation (connector framework, policy templates). | Depends on CLI samples (132_CLCI0110) | DOSB0101 |
| DOCS-SCANNER-DET-01 | TODO | 2025-11-09 | SPRINT_301_docs_tasks_md_i | Docs Guild · Scanner Guild | docs/modules/scanner/benchmarks | `/docs/modules/scanner/deterministic-sbom-compose.md` plus scan guide updates. | Needs determinism harness from 137_SCDT0101 | DOSB0101 |
| DOCS-SCANNER-DET-01 | BLOCKED (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Scanner Guild | docs/modules/scanner/benchmarks | `/docs/modules/scanner/deterministic-sbom-compose.md` plus scan guide updates. | Needs determinism harness from 137_SCDT0101 | DOSB0101 |
| DOCS-SDK-62-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · SDK Generator Guild | docs/sdk | Publish `/docs/sdks/overview.md` plus language guides (`typescript.md`, `python.md`, `go.md`, `java.md`). | Need SDK toolchain notes from SDKG0101 | DOSK0101 |
| DOCS-SEC-62-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/auth-scopes.md` with OAuth2/PAT scopes, tenancy header usage. | Need security ADR from DVDO0110 | DOSE0101 |
| DOCS-SEC-OBS-50-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/redaction-and-privacy.md` to cover telemetry privacy controls, tenant opt-in debug, and imposed rule reminder. | Depends on PLOB0101 metrics | DOSE0101 |
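Review bot: DOCS-SCANNER-DET-01 goes BLOCKED (2025-11-23) on the determinism harness, but SCANNER-EMIT-15-001 elsewhere in this commit already cites `docs/modules/scanner/deterministic-sbom-compose.md` §2.2 as the place where canonical JSON (`stella.contentHash`, Merkle root metadata, zero timestamps) is documented, i.e. the very document this row says cannot be written yet. Reconcile the two: if the doc exists in draft, this row is DOING with a note on what is waiting on 137_SCDT0101; if not, the emit row's reference is dangling. The path column (docs/modules/scanner/benchmarks) also does not match the target file named in the description.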
@@ -1062,7 +1062,7 @@
| GAP-DOC-008 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild | `docs/reachability/function-level-evidence.md`, `docs/09_API_CLI_REFERENCE.md`, `docs/api/policy.md` | Publish the cross-module function-level evidence guide, update API/CLI references with the new `code_id` fields, and add OpenVEX/replay samples under `samples/reachability/**`. | DOAG0101 outputs | GAPG0101 |
| GAP-POL-005 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild · Docs Guild | `src/Policy/StellaOps.Policy.Engine`, `docs/modules/policy/architecture.md`, `docs/reachability/function-level-evidence.md` | Ingest reachability facts into Policy Engine, expose `reachability.state/confidence` in SPL/API, enforce auto-suppress (<0.30) rules, and generate OpenVEX evidence blocks referencing graph hashes + runtime facts with policy thresholds. | GAP-DOC-008 | GAPG0101 |
| GAP-REP-004 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild | `src/__Libraries/StellaOps.Replay.Core`, `docs/replay/DETERMINISTIC_REPLAY.md` | Enforce BLAKE3 hashing + CAS registration for graphs/traces before manifest writes, upgrade replay manifest v2 with analyzer versions/policy thresholds, and add deterministic tests. | GAP-DOC-008 | GAPG0101 |
| GAP-SCAN-001 | TODO | | SPRINT_400_runtime_facts_static_callgraph_union | Scanner Guild · GAP Guild | `src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md` | Implement binary/language symbolizers that emit `richgraph-v1` payloads with canonical `SymbolID = {file:hash, section, addr, name, linkage}` plus `code_id` anchors, persist graphs to CAS via `StellaOps.Scanner.Reachability`, and refresh analyzer docs/fixtures. | GAP-POL-005 | GAPG0101 |
| GAP-SCAN-001 | DONE (2025-12-03) | | SPRINT_400_runtime_facts_static_callgraph_union | Scanner Guild · GAP Guild | `src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md` | Implement binary/language symbolizers that emit `richgraph-v1` payloads with canonical `SymbolID = {file:hash, section, addr, name, linkage}` plus `code_id` anchors, persist graphs to CAS via `StellaOps.Scanner.Reachability`, and refresh analyzer docs/fixtures. | GAP-POL-005 | GAPG0101 |
| GAP-SIG-003 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Security Guild · GAP Guild | `src/Signals/StellaOps.Signals`, `docs/reachability/function-level-evidence.md` | Finish `/signals/runtime-facts` ingestion, add CAS-backed runtime storage, extend scoring to lattice states (`Unknown/NotPresent/Unreachable/Conditional/Reachable/Observed`), and emit `signals.fact.updated` events. Document retention/RBAC. | GAP-POL-005 | GAPG0101 |
| GAP-SYM-007 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild | `src/Scanner/StellaOps.Scanner.Models`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md` | Extend reachability evidence schema/DTOs with demangled symbol hints, `symbol.source`, confidence, and optional `code_block_hash`; ensure Scanner SBOM/evidence writers and CLI serializers emit the new fields deterministically. | GAP-SIG-003 | GAPG0101 |
| GAP-VEX-006 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | VEX Guild | `docs/modules/excititor/architecture.md`, `src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`, `docs/09_API_CLI_REFERENCE.md` | Wire Policy/Excititor/UI/CLI surfaces so VEX emission and explain drawers show call paths, graph hashes, and runtime hits; add CLI `--evidence=graph`/`--threshold` plus Notify template updates. | GAP-POL-005 | GAPG0101 |
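Review bot: GAP-SCAN-001 is marked DONE (2025-12-03) with an empty last-updated column and with GAP-POL-005, still TODO in the same hunk, left in its dependency cell; a completed task that lists an open dependency has either the wrong status or the wrong dependency. The description also promises `richgraph-v1` graphs persisted to CAS and refreshed analyzer docs/fixtures, so the row should point at the evidence (the fixtures, tests and the revisions under docs/modules/scanner and docs/reachability it says were refreshed) so the DONE claim can be checked; GAP-POL-005 and GAP-SIG-003 will build on the `SymbolID`/`code_id` contract this row declares finished.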
@@ -1683,7 +1683,7 @@
| SCANNER-BENCH-62-008 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, EntryTrace Guild (docs) | | | | |
| SCANNER-BENCH-62-009 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Policy Guild (docs) | | | | |
| SCANNER-CLI-0001 | DONE | 2025-11-10 | SPRINT_0138_0000_0001_scanner_ruby_parity | CLI Guild, Ruby Analyzer Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Coordinate CLI UX/help text for new Ruby verbs and update CLI docs/golden outputs. | SCANNER-ENG-0019 | |
| SCANNER-DET-01 | DOING | 2025-11-09 | SPRINT_301_docs_tasks_md_i | Docs Guild · Scanner Guild | | | | |
| SCANNER-DET-01 | BLOCKED (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Scanner Guild | | | | |
| SCANNER-DOCS-0003 | TODO | | SPRINT_327_docs_modules_scanner | Docs Guild, Product Guild (docs/modules/scanner) | docs/modules/scanner | Gather Windows/macOS analyzer demand signals and record findings in `docs/benchmarks/scanner/windows-macos-demand.md` for marketing + product readiness. | | |
| SCANNER-EMIT-15-001 | TODO | | SPRINT_136_scanner_surface | Scanner Emit Guild (src/Scanner/__Libraries/StellaOps.Scanner.Emit) | src/Scanner/__Libraries/StellaOps.Scanner.Emit | Enforce canonical JSON (`stella.contentHash`, Merkle root metadata, zero timestamps) for fragments and composed CycloneDX inventory/usage BOMs. Documented in `docs/modules/scanner/deterministic-sbom-compose.md` §2.2. | SCANNER-SURFACE-04 | |
| SCANNER-ENG-0001 | TODO | | SPRINT_327_docs_modules_scanner | Module Team (docs/modules/scanner) | docs/modules/scanner | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md` and update module readiness checkpoints. | | |
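Review bot: SCANNER-DET-01 moves from DOING to BLOCKED (2025-11-23) with every descriptive cell empty, so the ledger carries neither a reason for the block nor a dependency; the DOCS-SCANNER-DET-01 row elsewhere in this commit names 137_SCDT0101 as the blocker, so copy that in. The sprint rename also leaves SCANNER-BENCH-62-008/62-009 in the old SPRINT_310_docs_tasks_md_x style in the same table, and SCANNER-EMIT-15-001 two rows down treats the determinism doc this task is blocked on as already written.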
@@ -1935,7 +1935,7 @@
| SYMS-SERVER-401-011 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Symbols Guild | `src/Symbols/StellaOps.Symbols.Server` | Deliver `StellaOps.Symbols.Server` (REST+gRPC) with DSSE-verified uploads, Mongo/MinIO storage, tenant isolation, and deterministic debugId indexing; publish health/manifest APIs (spec: `docs/specs/SYMBOL_MANIFEST_v1.md`). | Depends on #5 | RBSY0101 |
| TASKRUN-41-001 | DONE (2025-11-30) | 2025-11-30 | SPRINT_0157_0001_0002_taskrunner_blockers | Task Runner Guild | src/TaskRunner/StellaOps.TaskRunner | Bootstrap service, define migrations for `pack_runs`, `pack_run_logs`, `pack_artifacts`, implement run API (create/get/log stream), local executor, approvals pause, artifact capture, and provenance manifest generation. | Delivered per Task Pack advisory and architecture contract. | ORTR0101 |
| TASKRUN-AIRGAP-56-001 | DONE (2025-11-30) | 2025-11-30 | SPRINT_0157_0001_0001_taskrunner_i | Task Runner Guild · AirGap Policy Guild | src/TaskRunner/StellaOps.TaskRunner | Enforce plan-time validation rejecting steps with non-allowlisted network calls in sealed mode and surface remediation errors. | TASKRUN-41-001 | ORTR0101 |
| TASKRUN-AIRGAP-56-002 | DOING (2025-12-01) | 2025-11-30 | SPRINT_0157_0001_0001_taskrunner_i | Task Runner Guild · AirGap Importer Guild | src/TaskRunner/StellaOps.TaskRunner | Add helper steps for bundle ingestion (checksum verification, staging to object store) with deterministic outputs. | TASKRUN-AIRGAP-56-001 | ORTR0101 |
|
||||
| TASKRUN-AIRGAP-56-002 | DONE (2025-12-03) | 2025-11-30 | SPRINT_0157_0001_0001_taskrunner_i | Task Runner Guild · AirGap Importer Guild | src/TaskRunner/StellaOps.TaskRunner | Add helper steps for bundle ingestion (checksum verification, staging to object store) with deterministic outputs. | TASKRUN-AIRGAP-56-001 | ORTR0101 |
|
||||
| TASKRUN-AIRGAP-57-001 | BLOCKED (2025-11-30) | 2025-11-30 | SPRINT_0157_0001_0001_taskrunner_i | Task Runner Guild · AirGap Controller Guild | src/TaskRunner/StellaOps.TaskRunner | Refuse to execute plans when environment sealed=false but declared sealed install; emit advisory timeline events. | TASKRUN-AIRGAP-56-002 | ORTR0101 |
|
||||
| TASKRUN-AIRGAP-58-001 | BLOCKED (2025-11-30) | 2025-11-30 | SPRINT_0157_0001_0001_taskrunner_i | Task Runner Guild · Evidence Locker Guild | src/TaskRunner/StellaOps.TaskRunner | Capture bundle import job transcripts, hashed inputs, and outputs into portable evidence bundles. | TASKRUN-AIRGAP-57-001 | ORTR0101 |
|
||||
| TASKRUN-42-001 | BLOCKED (2025-11-25) | 2025-11-25 | SPRINT_0157_0001_0001_taskrunner_i | Task Runner Guild (`src/TaskRunner/StellaOps.TaskRunner`) | src/TaskRunner/StellaOps.TaskRunner | Execution engine enhancements (loops/conditionals/maxParallel), simulation mode, policy gate integration, deterministic failure recovery. Blocked: loop/conditional semantics and policy-gate evaluation contract not published. | | ORTR0102 |
|
||||
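Review bot: the TASKRUN-AIRGAP-56-002 row flips to `DONE (2025-12-03)` but its completion-date column still reads `2025-11-30`, and the two rows that list it as their blocker (TASKRUN-AIRGAP-57-001 and TASKRUN-AIRGAP-58-001) stay `BLOCKED (2025-11-30)` with no new blocker named. Update the date column to 2025-12-03 and either move 57-001 to TODO/DOING or record what still blocks it, because as written the table says "blocked on a task that is done". 57-001 is the sealed=false refusal and 58-001 the evidence-bundle capture, so leaving them in an unexplained BLOCKED state hides the security-relevant tail of the sealed-mode chain.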
@@ -2307,8 +2307,8 @@
|
||||
| AIRGAP-56-001 | DONE (2025-11-24) | 2025-11-24 | SPRINT_110_ingestion_evidence | Exporter Guild · AirGap Time Guild · CLI Guild | docs/modules/airgap/airgap-mode.md | Mirror import helpers and bundle catalog wired for sealed mode. | PROGRAM-STAFF-1001 | AGCO0101 |
|
||||
| AIRGAP-56-001..58-001 | DONE (2025-11-24) | 2025-11-24 | SPRINT_110_ingestion_evidence | Concelier Core · AirGap Guilds | docs/modules/airgap/airgap-mode.md | Deterministic bundle + manifest/entry-trace and sealed-mode deploy runbook shipped. | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ELOCKER-CONTRACT-2001 | AGCO0101 |
|
||||
| AIRGAP-56-002 | DONE | | SPRINT_170_notifications_telemetry | Notifications Service Guild · DevOps Guild | src/Notify/StellaOps.Notify | | | NOTY0101 |
|
||||
| AIRGAP-56-003 | TODO | | SPRINT_301_docs_tasks_md_i | Docs Guild · Exporter Guild | docs/modules/airgap | DOCS-AIRGAP-56-002 | DOCS-AIRGAP-56-002 | AIDG0101 |
|
||||
| AIRGAP-56-004 | TODO | | SPRINT_301_docs_tasks_md_i | Docs Guild · Deployment Guild | docs/modules/airgap | AIRGAP-56-003 | DOCS-AIRGAP-56-003 | AIDG0101 |
|
||||
| AIRGAP-56-003 | TODO | | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Exporter Guild | docs/modules/airgap | DOCS-AIRGAP-56-002 | DOCS-AIRGAP-56-002 | AIDG0101 |
|
||||
| AIRGAP-56-004 | TODO | | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Deployment Guild | docs/modules/airgap | AIRGAP-56-003 | DOCS-AIRGAP-56-003 | AIDG0101 |
|
||||
| AIRGAP-57 | DONE (2025-11-24) | 2025-11-24 | SPRINT_110_ingestion_evidence | Excititor Guild · AirGap Guilds | docs/modules/airgap/airgap-mode.md | Air-gap bundle timeline/hooks completed. | CONCELIER-GRAPH-21-001; CONCELIER-GRAPH-21-002; ATTEST-PLAN-2001 | AGCO0101 |
|
||||
| AIRGAP-57-001 | DONE | 2025-11-08 | SPRINT_100_identity_signing | Authority Core & Security Guild, DevOps Guild (src/Authority/StellaOps.Authority) | src/Authority/StellaOps.Authority | | AUTH-AIRGAP-56-001; DEVOPS-AIRGAP-57-002 | KMSI0101 |
|
||||
| AIRGAP-57-002 | DOING | 2025-11-08 | SPRINT_503_ops_devops_i | DevOps Guild, Authority Guild (ops/devops) | ops/devops | | | DVDO0101 |
|
||||
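Review bot: for AIRGAP-56-003 and AIRGAP-56-004 the change only swaps the sprint slug (`SPRINT_301_docs_tasks_md_i` to `SPRINT_0301_0001_0001_docs_md_i`), but the task-description column of both rows holds a task ID (`DOCS-AIRGAP-56-002` and `AIRGAP-56-003`) that merely repeats the dependency column, so a reader cannot tell what these two tasks deliver. Since the rows are being rewritten anyway, put a one-line description there. The untouched AIRGAP-57-002 row a few lines below has the same empty-description problem and has sat at `DOING` since 2025-11-08.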
@@ -2527,7 +2527,7 @@
|
||||
| CLI-ATTEST-75-001 | TODO | | SPRINT_0201_0001_0001_cli_i | CLI Attestor Guild, KMS Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement `stella attest key create. Dependencies: CLI-ATTEST-74-002. | — | CLCI0102 |
|
||||
| CLI-ATTEST-75-002 | TODO | | SPRINT_0201_0001_0001_cli_i | CLI Attestor Guild | src/Cli/StellaOps.Cli | Add support for building/verifying attestation bundles in CLI. Dependencies: CLI-ATTEST-75-001. | Wait for ATEL0102 outputs | CLCI0109 |
|
||||
| CLI-CORE-41-001 | TODO | | SPRINT_202_cli_ii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Implement CLI core features: config precedence, profiles/contexts, auth flows, output renderer (json/yaml/table), error mapping, global flags, telemetry opt-in. | — | CLCI0103 |
|
||||
| CLI-DET-01 | TODO | | SPRINT_301_docs_tasks_md_i | Docs Guild · DevEx/CLI Guild | | CLI-SBOM-60-001; CLI-SBOM-60-002 | CLI-SBOM-60-001; CLI-SBOM-60-002 | CLCI0103 |
|
||||
| CLI-DET-01 | DONE (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · DevEx/CLI Guild | | CLI-SBOM-60-001; CLI-SBOM-60-002 | CLI-SBOM-60-001; CLI-SBOM-60-002 | CLCI0103 |
|
||||
| CLI-DETER-70-003 | TODO | | SPRINT_202_cli_ii | DevEx/CLI Guild, Scanner Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Provide `stella detscore run` that executes the determinism harness locally (fixed clock, seeded RNG, canonical hashes) and writes `determinism.json`, supporting CI/non-zero threshold exit codes (`docs/modules/scanner/determinism-score.md`). | — | CLCI0103 |
|
||||
| CLI-DETER-70-004 | TODO | | SPRINT_203_cli_iii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Add `stella detscore report` to summarise published `determinism.json` files (overall score, per-image matrix) and integrate with release notes/air-gap kits (`docs/modules/scanner/determinism-score.md`). Dependencies: CLI-DETER-70-003. | — | CLCI0103 |
|
||||
| CLI-DOCS-0001 | TODO | | SPRINT_316_docs_modules_cli | Docs Guild (docs/modules/cli) | docs/modules/cli | See ./AGENTS.md | — | CLCI0103 |
|
||||
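Review bot: CLI-DET-01 is promoted to `DONE (2025-11-23)` but the row still has no description: both the task column and the dependency column read `CLI-SBOM-60-001; CLI-SBOM-60-002`, and the path column is empty, so the completion cannot be checked against any code or doc. Add what shipped before calling it done. Nit in the context line above: `stella attest key create` in CLI-ATTEST-75-001 is missing its closing backtick, which breaks rendering of that table cell.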
@@ -2859,12 +2859,12 @@
|
||||
| DOCS-AIAI-31-006 | TODO | 2025-11-13 | SPRINT_0111_0001_0001_advisoryai | Docs Guild · Advisory AI Guild | docs/modules/advisory-ai | `/docs/policy/assistant-parameters.md` now documents inference modes, guardrail phrases, budgets, and cache/queue knobs (POLICY-ENGINE-31-001 inputs captured via `AdvisoryAiServiceOptions`). | Need latest telemetry outputs from ADAI0101 | DOAI0104 |
|
||||
| DOCS-AIAI-31-008 | BLOCKED | 2025-11-18 | SPRINT_0111_0001_0001_advisoryai | Docs Guild · SBOM Service Guild (docs) | docs | Publish `/docs/sbom/remediation-heuristics.md` (feasibility scoring, blast radius). | SBOM-AIAI-31-001 projection kit/fixtures | DOAI0104 |
|
||||
| DOCS-AIAI-31-009 | DONE (2025-11-25) | 2025-11-25 | SPRINT_110_ingestion_evidence | Docs Guild | | Docs updated with guardrail/ops addenda and offline hashes. | DOCS-AIAI-31-004; CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001; DEVOPS-AIAI-31-001 | DOAI0102 |
|
||||
| DOCS-AIRGAP-56-001 | TODO | | SPRINT_301_docs_tasks_md_i | Docs Guild · AirGap Controller Guild | | `/docs/airgap/overview.md` outlining modes, lifecycle, responsibilities, rule banner. | — | DOAI0102 |
|
||||
| DOCS-AIRGAP-56-002 | TODO | | SPRINT_301_docs_tasks_md_i | Docs Guild · DevOps Guild | | `/docs/airgap/sealing-and-egress.md` (network policies, EgressPolicy facade, verification). | DOCS-AIRGAP-56-001 | DOAI0102 |
|
||||
| DOCS-AIRGAP-56-003 | TODO | | SPRINT_301_docs_tasks_md_i | Docs Guild · Exporter Guild | bundle format, DSSE/TUF/Merkle validation, workflows | `/docs/airgap/mirror-bundles.md` (bundle format, DSSE/TUF/Merkle validation, workflows). | DOCS-AIRGAP-56-002 | DOAI0102 |
|
||||
| DOCS-AIRGAP-56-004 | TODO | | SPRINT_301_docs_tasks_md_i | Docs Guild · Deployment Guild | | `/docs/airgap/bootstrap.md` covering Bootstrap Pack creation + install. | DOCS-AIRGAP-56-003 | DOAI0102 |
|
||||
| DOCS-AIRGAP-57-001 | TODO | | SPRINT_301_docs_tasks_md_i | Docs Guild · AirGap Time Guild | docs/modules/airgap | `/docs/airgap/staleness-and-time.md` (time anchors, drift, UI indicators). | DOCS-AIRGAP-56-004 | DOAI0102 |
|
||||
| DOCS-AIRGAP-57-002 | TODO | | SPRINT_301_docs_tasks_md_i | Docs Guild · Console Guild | docs/modules/airgap | `/docs/console/airgap.md` (sealed badge, import wizard, staleness dashboards). | DOCS-AIRGAP-57-001 | DOAI0102 |
|
||||
| DOCS-AIRGAP-56-001 | DONE (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · AirGap Controller Guild | | `/docs/airgap/overview.md` outlining modes, lifecycle, responsibilities, rule banner. | — | DOAI0102 |
|
||||
| DOCS-AIRGAP-56-002 | DONE (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · DevOps Guild | | `/docs/airgap/sealing-and-egress.md` (network policies, EgressPolicy facade, verification). | DOCS-AIRGAP-56-001 | DOAI0102 |
|
||||
| DOCS-AIRGAP-56-003 | DONE (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Exporter Guild | bundle format, DSSE/TUF/Merkle validation, workflows | `/docs/airgap/mirror-bundles.md` (bundle format, DSSE/TUF/Merkle validation, workflows). | DOCS-AIRGAP-56-002 | DOAI0102 |
|
||||
| DOCS-AIRGAP-56-004 | DONE (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Deployment Guild | | `/docs/airgap/bootstrap.md` covering Bootstrap Pack creation + install. | DOCS-AIRGAP-56-003 | DOAI0102 |
|
||||
| DOCS-AIRGAP-57-001 | DONE (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · AirGap Time Guild | docs/modules/airgap | `/docs/airgap/staleness-and-time.md` (time anchors, drift, UI indicators). | DOCS-AIRGAP-56-004 | DOAI0102 |
|
||||
| DOCS-AIRGAP-57-002 | DONE (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Console Guild | docs/modules/airgap | `/docs/console/airgap.md` (sealed badge, import wizard, staleness dashboards). | DOCS-AIRGAP-57-001 | DOAI0102 |
|
||||
| DOCS-AIRGAP-57-003 | TODO | | SPRINT_302_docs_tasks_md_ii | Docs Guild · CLI Guild | docs/modules/airgap | Publish `/docs/modules/cli/guides/airgap.md` documenting commands, examples, exit codes. Dependencies: DOCS-AIRGAP-57-002. | AIDG0101 tasks 3–4 | DOCL0102 |
|
||||
| DOCS-AIRGAP-57-004 | TODO | | SPRINT_302_docs_tasks_md_ii | Docs Guild · Ops Guild | docs/modules/airgap | Create `/docs/airgap/operations.md` with runbooks for imports, failure recovery, and auditing. Dependencies: DOCS-AIRGAP-57-003. | DOCS-AIRGAP-57-003 | DOCL0102 |
|
||||
| DOCS-AIRGAP-58-001 | TODO | | SPRINT_302_docs_tasks_md_ii | Docs Guild, Product Guild (docs) | | Provide `/docs/airgap/degradation-matrix.md` enumerating feature availability, fallbacks, remediation. Dependencies: DOCS-AIRGAP-57-004. | — | DOCL0102 |
|
||||
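Review bot: DOCS-AIRGAP-56-003 (both the removed and the added row) carries the phrase `bundle format, DSSE/TUF/Merkle validation, workflows` in the path column, where the sibling rows put `docs/modules/airgap` or leave it blank; it duplicates the task text and should be replaced with the actual path of `/docs/airgap/mirror-bundles.md`. Since all six DOCS-AIRGAP rows are closed on the same day, it would also help to drop the now-satisfied dependency chain from the notes, or at least confirm in the commit message that the validation text in `mirror-bundles.md` was reviewed, as that page is what offline verification will be checked against.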
@@ -2884,7 +2884,7 @@
|
||||
| DOCS-ATTEST-75-002 | DONE | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild, Security Guild (docs) | | Update `/docs/security/aoc-invariants.md` with attestation invariants. Dependencies: DOCS-ATTEST-75-001. | — | DOAT0101 |
|
||||
| DOCS-CLI-41-001 | DONE | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild, DevEx/CLI Guild (docs) | docs/modules/cli/guides | Publish `/docs/modules/cli/guides/overview.md`, `/docs/modules/cli/guides/configuration.md`, `/docs/modules/cli/guides/output-and-exit-codes.md` with imposed rule statements. | — | DOCL0101 |
|
||||
| DOCS-CLI-42-001 | DONE | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild (docs) | | Publish `/docs/modules/cli/guides/parity-matrix.md` and command guides under `/docs/modules/cli/guides/commands/*.md` (policy, sbom, vuln, vex, advisory, export, orchestrator, notify, aoc, auth). Dependencies: DOCS-CLI-41-001. | — | DOCL0101 |
|
||||
| DOCS-CLI-DET-01 | DONE | 2025-11-23 | SPRINT_301_docs_tasks_md_i | Docs Guild · DevEx/CLI Guild | | Document `stella sbomer` verbs (`layer`, `compose`, `drift`, `verify`) with examples & offline instructions. | CLI-SBOM-60-001; CLI-SBOM-60-002 | DOCL0101 |
|
||||
| DOCS-CLI-DET-01 | DONE | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · DevEx/CLI Guild | | Document `stella sbomer` verbs (`layer`, `compose`, `drift`, `verify`) with examples & offline instructions. | CLI-SBOM-60-001; CLI-SBOM-60-002 | DOCL0101 |
|
||||
| DOCS-CLI-FORENSICS-53-001 | DONE | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild, DevEx/CLI Guild (docs) | docs/modules/cli/guides | Publish `/docs/modules/cli/guides/forensics.md` for snapshot/verify/attest commands with sample outputs, imposed rule banner, and offline workflows. | — | DOCL0101 |
|
||||
| DOCS-CLI-OBS-52-001 | DONE | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild, DevEx/CLI Guild (docs) | docs/modules/cli/guides | Create `/docs/modules/cli/guides/observability.md` detailing `stella obs` commands, examples, exit codes, imposed rule banner, and scripting tips. | — | DOCL0101 |
|
||||
| DOCS-CONSOLE-OBS-52-001 | BLOCKED | 2025-11-25 | SPRINT_303_docs_tasks_md_iii | Docs Guild, Console Guild (docs) | | Document `/docs/console/observability.md` showcasing Observability Hub widgets, trace/log search, imposed rule banner, and accessibility tips. | Blocked: awaiting Console Observability Hub schemas/widgets from Console Guild | DOCL0101 |
|
||||
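Review bot: DOCS-CLI-DET-01's row changes only the sprint slug, which is fine, but its status is plain `DONE` with the date in the next column, whereas the rows changed elsewhere in this commit write `DONE (2025-11-23)` and then repeat the date; pick one form for the file so status parsing stays mechanical. It is also the second determinism-docs row for the CLI (CLI-DET-01 in the CLI section now points at the same SBOM tasks without any description), so cross-reference the two in the notes column.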
@@ -2970,7 +2970,7 @@
|
||||
| DOCS-POLICY-27-012 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Ops Guild | docs/policy/runs.md | Write `/docs/runbooks/policy-incident.md` detailing rollback, freeze, forensic steps, notifications. Dependencies: DOCS-POLICY-27-011. | Needs ops playbooks (DVDO0108) | DOPL0103 |
|
||||
| DOCS-POLICY-27-013 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Policy Guild | docs/policy/runs.md | Update `/docs/examples/policy-templates.md` with new templates, snippets, and sample policies. Dependencies: DOCS-POLICY-27-012. | Await policy guild approval | DOPL0103 |
|
||||
| DOCS-POLICY-27-014 | BLOCKED | 2025-10-27 | SPRINT_308_docs_tasks_md_viii | Docs Guild · Policy Registry Guild | docs/policy/runs.md | Refresh `/docs/aoc/aoc-guardrails.md` to include Studio-specific guardrails and validation scenarios. Dependencies: DOCS-POLICY-27-013. | Needs policy registry approvals | DOPL0103 |
|
||||
| DOCS-POLICY-DET-01 | TODO | | SPRINT_301_docs_tasks_md_i | Docs Guild · Policy Guild | docs/policy/runs.md | Extend `docs/modules/policy/architecture.md` with determinism gate semantics and provenance references. | Depends on deterministic harness (137_SCDT0101) | DOPL0103 |
|
||||
| DOCS-POLICY-DET-01 | DONE (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Policy Guild | docs/policy/runs.md | Extend `docs/modules/policy/architecture.md` with determinism gate semantics and provenance references. | Depends on deterministic harness (137_SCDT0101) | DOPL0103 |
|
||||
| DOCS-PROMO-70-001 | DONE (2025-11-26) | 2025-11-26 | SPRINT_304_docs_tasks_md_iv | Docs Guild · Provenance Guild | docs/release/promotion-attestations.md | Publish `/docs/release/promotion-attestations.md` describing the promotion workflow (CLI commands, Signer/Attestor integration, offline verification) and update `/docs/forensics/provenance-attestation.md` with the new predicate. Dependencies: PROV-OBS-53-003, CLI-PROMO-70-002. | — | DOPV0101 |
|
||||
| DOCS-REACH-201-006 | TODO | | SPRINT_400_runtime_facts_static_callgraph_union | Docs Guild · Runtime Evidence Guild | docs/reachability | Author the reachability doc set (`docs/signals/reachability.md`, `callgraph-formats.md`, `runtime-facts.md`, CLI/UI appendices) plus update Zastava + Replay guides with the new evidence and operators’ workflow. | Needs RBRE0101 provenance hook summary | DORC0101 |
|
||||
| DOCS-REPLAY-185-003 | TODO | | SPRINT_185_shared_replay_primitives | Docs Guild · Platform Data Guild | docs/replay | Author `docs/data/replay_schema.md` detailing `replay_runs`, `replay_bundles`, `replay_subjects` collections, index guidance, and offline sync strategy aligned with Replay CAS. | Need RPRC0101 API freeze | DORR0101 |
|
||||
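Review bot: DOCS-POLICY-DET-01 is moved to `DONE (2025-11-23)` but its notes column still reads `Depends on deterministic harness (137_SCDT0101)`, and in the same commit DOCS-SCANNER-DET-01, which names the identical harness as its blocker, is set to `BLOCKED (2025-11-23)`. Either the harness landed, in which case drop the stale dependency note here and unblock the scanner row too, or it did not, in which case the policy architecture doc cannot describe "determinism gate semantics and provenance references" against a real harness and DONE is premature. Say which in the notes column.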
@@ -2995,7 +2995,7 @@
|
||||
| DOCS-SCANNER-BENCH-62-006 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Document Rust fingerprint enrichment guidance and policy examples. | Requires updated benchmarks from SCSA0601 | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-008 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Platform Data Guild | docs/modules/scanner/benchmarks | Publish EntryTrace explain/heuristic maintenance guide. | Wait for replay hooks (RPRC0101) | DOSB0101 |
|
||||
| DOCS-SCANNER-BENCH-62-009 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · DevEx/CLI Guild | docs/modules/scanner/benchmarks | Produce SAST integration documentation (connector framework, policy templates). | Depends on CLI samples (132_CLCI0110) | DOSB0101 |
|
||||
| DOCS-SCANNER-DET-01 | TODO | 2025-11-09 | SPRINT_301_docs_tasks_md_i | Docs Guild · Scanner Guild | docs/modules/scanner/benchmarks | `/docs/modules/scanner/deterministic-sbom-compose.md` plus scan guide updates. | Needs determinism harness from 137_SCDT0101 | DOSB0101 |
|
||||
| DOCS-SCANNER-DET-01 | BLOCKED (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Scanner Guild | docs/modules/scanner/benchmarks | `/docs/modules/scanner/deterministic-sbom-compose.md` plus scan guide updates. | Needs determinism harness from 137_SCDT0101 | DOSB0101 |
|
||||
| DOCS-SDK-62-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · SDK Generator Guild | docs/sdk | Publish `/docs/sdks/overview.md` plus language guides (`typescript.md`, `python.md`, `go.md`, `java.md`). | Need SDK toolchain notes from SDKG0101 | DOSK0101 |
|
||||
| DOCS-SEC-62-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/auth-scopes.md` with OAuth2/PAT scopes, tenancy header usage. | Need security ADR from DVDO0110 | DOSE0101 |
|
||||
| DOCS-SEC-OBS-50-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/redaction-and-privacy.md` to cover telemetry privacy controls, tenant opt-in debug, and imposed rule reminder. | Depends on PLOB0101 metrics | DOSE0101 |
|
||||
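Review bot: DOCS-SCANNER-DET-01 goes from TODO to `BLOCKED (2025-11-23)` with the unchanged blocker `Needs determinism harness from 137_SCDT0101`, which is exactly what DOCS-POLICY-DET-01 lists while being marked DONE in this same commit; the two rows need to agree on whether the harness exists. Also, the path column says `docs/modules/scanner/benchmarks` but the deliverable is `/docs/modules/scanner/deterministic-sbom-compose.md`, and SCANNER-EMIT-15-001 elsewhere in the file already cites §2.2 of that doc as published, so either the path and status here are stale or the emit row is citing a page that does not exist yet.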
@@ -3285,7 +3285,7 @@
|
||||
| GAP-DOC-008 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild | `docs/reachability/function-level-evidence.md`, `docs/09_API_CLI_REFERENCE.md`, `docs/api/policy.md` | Publish the cross-module function-level evidence guide, update API/CLI references with the new `code_id` fields, and add OpenVEX/replay samples under `samples/reachability/**`. | DOAG0101 outputs | GAPG0101 |
|
||||
| GAP-POL-005 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild · Docs Guild | `src/Policy/StellaOps.Policy.Engine`, `docs/modules/policy/architecture.md`, `docs/reachability/function-level-evidence.md` | Ingest reachability facts into Policy Engine, expose `reachability.state/confidence` in SPL/API, enforce auto-suppress (<0.30) rules, and generate OpenVEX evidence blocks referencing graph hashes + runtime facts with policy thresholds. | GAP-DOC-008 | GAPG0101 |
|
||||
| GAP-REP-004 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild | `src/__Libraries/StellaOps.Replay.Core`, `docs/replay/DETERMINISTIC_REPLAY.md` | Enforce BLAKE3 hashing + CAS registration for graphs/traces before manifest writes, upgrade replay manifest v2 with analyzer versions/policy thresholds, and add deterministic tests. | GAP-DOC-008 | GAPG0101 |
|
||||
| GAP-SCAN-001 | TODO | | SPRINT_400_runtime_facts_static_callgraph_union | Scanner Guild · GAP Guild | `src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md` | Implement binary/language symbolizers that emit `richgraph-v1` payloads with canonical `SymbolID = {file:hash, section, addr, name, linkage}` plus `code_id` anchors, persist graphs to CAS via `StellaOps.Scanner.Reachability`, and refresh analyzer docs/fixtures. | GAP-POL-005 | GAPG0101 |
|
||||
| GAP-SCAN-001 | DONE (2025-12-03) | | SPRINT_400_runtime_facts_static_callgraph_union | Scanner Guild · GAP Guild | `src/Scanner/StellaOps.Scanner.Worker`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md` | Implement binary/language symbolizers that emit `richgraph-v1` payloads with canonical `SymbolID = {file:hash, section, addr, name, linkage}` plus `code_id` anchors, persist graphs to CAS via `StellaOps.Scanner.Reachability`, and refresh analyzer docs/fixtures. | GAP-POL-005 | GAPG0101 |
|
||||
| GAP-SIG-003 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Security Guild · GAP Guild | `src/Signals/StellaOps.Signals`, `docs/reachability/function-level-evidence.md` | Finish `/signals/runtime-facts` ingestion, add CAS-backed runtime storage, extend scoring to lattice states (`Unknown/NotPresent/Unreachable/Conditional/Reachable/Observed`), and emit `signals.fact.updated` events. Document retention/RBAC. | GAP-POL-005 | GAPG0101 |
|
||||
| GAP-SYM-007 | BLOCKED (2025-11-27) | Waiting on GRAPH-CAS-401-001 schema/hash | SPRINT_0401_0001_0001_reachability_evidence_chain | Docs Guild | `src/Scanner/StellaOps.Scanner.Models`, `docs/modules/scanner/architecture.md`, `docs/reachability/function-level-evidence.md` | Extend reachability evidence schema/DTOs with demangled symbol hints, `symbol.source`, confidence, and optional `code_block_hash`; ensure Scanner SBOM/evidence writers and CLI serializers emit the new fields deterministically. | GAP-SIG-003 | GAPG0101 |
|
||||
| GAP-VEX-006 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | VEX Guild | `docs/modules/excititor/architecture.md`, `src/Cli/StellaOps.Cli`, `src/UI/StellaOps.UI`, `docs/09_API_CLI_REFERENCE.md` | Wire Policy/Excititor/UI/CLI surfaces so VEX emission and explain drawers show call paths, graph hashes, and runtime hits; add CLI `--evidence=graph`/`--threshold` plus Notify template updates. | GAP-POL-005 | GAPG0101 |
|
||||
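Review bot: GAP-SCAN-001 is marked `DONE (2025-12-03)` while its dependency column still says `GAP-POL-005`, which remains TODO in this hunk (and itself depends on GAP-DOC-008, also TODO), and the completion-date column is left empty. A task cannot be done before a dependency it declares; either the arrow is backwards (GAP-POL-005 ingests the `richgraph-v1` graphs this task emits, so it most likely depends on GAP-SCAN-001, not the reverse) or DONE is premature. Fix the column and fill in the date either way.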
@@ -3883,7 +3883,7 @@
|
||||
| SCANNER-BENCH-62-008 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, EntryTrace Guild (docs) | | | | |
|
||||
| SCANNER-BENCH-62-009 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Policy Guild (docs) | | | | |
|
||||
| SCANNER-CLI-0001 | DONE | 2025-11-10 | SPRINT_0138_0000_0001_scanner_ruby_parity | CLI Guild, Ruby Analyzer Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Coordinate CLI UX/help text for new Ruby verbs and update CLI docs/golden outputs. | SCANNER-ENG-0019 | |
|
||||
| SCANNER-DET-01 | DOING | 2025-11-09 | SPRINT_301_docs_tasks_md_i | Docs Guild · Scanner Guild | | | | |
|
||||
| SCANNER-DET-01 | BLOCKED (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Scanner Guild | | | | |
|
||||
| SCANNER-DOCS-0003 | TODO | | SPRINT_327_docs_modules_scanner | Docs Guild, Product Guild (docs/modules/scanner) | docs/modules/scanner | Gather Windows/macOS analyzer demand signals and record findings in `docs/benchmarks/scanner/windows-macos-demand.md` for marketing + product readiness. | | |
|
||||
| SCANNER-EMIT-15-001 | TODO | | SPRINT_136_scanner_surface | Scanner Emit Guild (src/Scanner/__Libraries/StellaOps.Scanner.Emit) | src/Scanner/__Libraries/StellaOps.Scanner.Emit | Enforce canonical JSON (`stella.contentHash`, Merkle root metadata, zero timestamps) for fragments and composed CycloneDX inventory/usage BOMs. Documented in `docs/modules/scanner/deterministic-sbom-compose.md` §2.2. | SCANNER-SURFACE-04 | |
|
||||
| SCANNER-ENG-0001 | TODO | | SPRINT_327_docs_modules_scanner | Module Team (docs/modules/scanner) | docs/modules/scanner | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md` and update module readiness checkpoints. | | |
|
||||
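Review bot: SCANNER-DET-01 is set to `BLOCKED (2025-11-23)` but every column after the owner (path, description, dependencies, notes) is empty, so the table records a block without saying what blocks it. DOCS-SCANNER-DET-01 in this commit names the determinism harness 137_SCDT0101; put that reference here too, or merge the two rows since they share owners and sprint, so the blocker can be cleared when the harness lands.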
@@ -4135,7 +4135,7 @@
|
||||
| SYMS-SERVER-401-011 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Symbols Guild | `src/Symbols/StellaOps.Symbols.Server` | Deliver `StellaOps.Symbols.Server` (REST+gRPC) with DSSE-verified uploads, Mongo/MinIO storage, tenant isolation, and deterministic debugId indexing; publish health/manifest APIs (spec: `docs/specs/SYMBOL_MANIFEST_v1.md`). | Depends on #5 | RBSY0101 |
|
||||
| TASKRUN-41-001 | DONE (2025-11-30) | 2025-11-30 | SPRINT_0157_0001_0002_taskrunner_blockers | Task Runner Guild | src/TaskRunner/StellaOps.TaskRunner | Bootstrap service, define migrations for `pack_runs`, `pack_run_logs`, `pack_artifacts`, implement run API (create/get/log stream), local executor, approvals pause, artifact capture, and provenance manifest generation. | Delivered per Task Pack advisory and architecture contract. | ORTR0101 |
|
||||
| TASKRUN-AIRGAP-56-001 | DONE (2025-11-30) | 2025-11-30 | SPRINT_0157_0001_0001_taskrunner_i | Task Runner Guild · AirGap Policy Guild | src/TaskRunner/StellaOps.TaskRunner | Enforce plan-time validation rejecting steps with non-allowlisted network calls in sealed mode and surface remediation errors. | TASKRUN-41-001 | ORTR0101 |
|
||||
| TASKRUN-AIRGAP-56-002 | BLOCKED (2025-11-30) | 2025-11-30 | SPRINT_0157_0001_0001_taskrunner_i | Task Runner Guild · AirGap Importer Guild | src/TaskRunner/StellaOps.TaskRunner | Add helper steps for bundle ingestion (checksum verification, staging to object store) with deterministic outputs. | TASKRUN-AIRGAP-56-001 | ORTR0101 |
|
||||
| TASKRUN-AIRGAP-56-002 | DONE (2025-12-03) | 2025-11-30 | SPRINT_0157_0001_0001_taskrunner_i | Task Runner Guild · AirGap Importer Guild | src/TaskRunner/StellaOps.TaskRunner | Add helper steps for bundle ingestion (checksum verification, staging to object store) with deterministic outputs. | TASKRUN-AIRGAP-56-001 | ORTR0101 |
|
||||
| TASKRUN-AIRGAP-57-001 | BLOCKED (2025-11-30) | 2025-11-30 | SPRINT_0157_0001_0001_taskrunner_i | Task Runner Guild · AirGap Controller Guild | src/TaskRunner/StellaOps.TaskRunner | Refuse to execute plans when environment sealed=false but declared sealed install; emit advisory timeline events. | TASKRUN-AIRGAP-56-002 | ORTR0101 |
|
||||
| TASKRUN-AIRGAP-58-001 | BLOCKED (2025-11-30) | 2025-11-30 | SPRINT_0157_0001_0001_taskrunner_i | Task Runner Guild · Evidence Locker Guild | src/TaskRunner/StellaOps.TaskRunner | Capture bundle import job transcripts, hashed inputs, and outputs into portable evidence bundles. | TASKRUN-AIRGAP-57-001 | ORTR0101 |
|
||||
| TASKRUN-OAS-61-001 | BLOCKED (2025-11-30) | 2025-11-30 | SPRINT_0157_0001_0001_taskrunner_i | Task Runner Guild · API Contracts Guild | src/TaskRunner/StellaOps.TaskRunner | Document Task Runner APIs (pack runs, logs, approvals) in service OAS, including streaming response schemas and examples. | TASKRUN-41-001 | ORTR0101 |
|
||||
|
||||
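Review bot: this is the second entry for TASKRUN-AIRGAP-56-002 in the file, and its old row read `BLOCKED (2025-11-30)` whereas the other copy earlier in this commit read `DOING (2025-12-01)`; both now become `DONE (2025-12-03)`, but two rows per task ID means the next status change will diverge again, so dedupe to one row. As with the other copy, the completion-date column still says 2025-11-30, and TASKRUN-AIRGAP-57-001/58-001 remain BLOCKED on a task that is now DONE with nothing else recorded as the gate.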
@@ -20,6 +20,11 @@ Establish versioned spine API/DTO schemas with migration rules, determinism guar
|
||||
- SP9: Pagination/ordering/perf budgets (stable sort keys, default page size limits, deterministic cursors).
|
||||
- SP10: Crosswalk mappings SBOM ↔ VEX ↔ graph ↔ policy (table + sample payloads).
|
||||
|
||||
## Acceptance/verification artifacts
|
||||
- Adapter CSV: `docs/modules/policy/fixtures/spine-adapters/v2-to-v1.csv` (hashes in `hashes.txt`).
|
||||
- Crosswalk table: `docs/modules/policy/fixtures/spine-crosswalk/crosswalk.csv` (hashes in `hashes.txt`).
|
||||
- Manifest signing proof: DSSE envelope must reference adapter + crosswalk hashes to anchor deterministic migrations.
|
||||
|
||||
## Migration & Determinism
|
||||
- Version headers and DTO version fields must be required; rejects if missing or downgraded without declared adapter.
|
||||
- Canonical JSON ordering for manifests; hashes computed over canonical form (UTF-8, no BOM).
|
||||
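Review bot: the new `Manifest signing proof` bullet says the DSSE envelope "must reference adapter + crosswalk hashes", but `hashes.txt` now lists both a BLAKE3 and a SHA256 digest per file and nothing says which one the envelope carries or which one a verifier must check; pick one as authoritative (or require both to match) and state it, otherwise two verifiers can disagree on whether a manifest is valid. Likewise `Canonical JSON ordering for manifests; hashes computed over canonical form` should name the canonicalization (the later section adds sorted properties, 4dp decimals, UTC ISO-8601), because "canonical JSON" on its own is not a spec. Grammar: "rejects if missing or downgraded" should read "reject the request if the version is missing, or is downgraded without a declared adapter".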
@@ -29,27 +34,40 @@ Establish versioned spine API/DTO schemas with migration rules, determinism guar
|
||||
- Header: `X-Spine-Version: v1` (required). DTO field mirror: `schemaVersion` (string, semver).
|
||||
- Deprecation window: N-1 supported for 90 days; adapters required to downgrade v2→v1 (CSV in `docs/modules/policy/fixtures/spine-adapters/`).
|
||||
- Hashing: canonical JSON, sorted properties, UTF-8 no BOM, normalized decimals (4dp), timestamps UTC ISO-8601.
|
||||
- Hash anchors (2025-12-03): `v2-to-v1.csv` BLAKE3=f259a807fae1cac90c4d52223924d808eb52a4ab2cb0d314ab2d651bfdad4273 SHA256=f5f067bd7814bd65213610a5ae4a35ce98e70a990ca1eb86d275a8abd3659a1a.
|
||||
|
||||
### Evidence minima per edge (SP2, draft)
|
||||
- `reachability`: state, confidence, score, method, evidenceRef (hash or URI), runtimeEvidence flag (bool).
|
||||
- `package_identity`: purl, name, version, supplier, hashes[] (at least SHA256).
|
||||
- `build_metadata`: buildId, sourceRepo, sourceRef, buildInvokerHash, provenanceHash (DSSE).
|
||||
- Ordering: edges sorted by `subjectPurl`, `predicate`, `createdAt` for determinism; missing evidenceRef is invalid.
|
||||
|
||||
### Unknowns workflow (SP3, draft)
|
||||
- States: `unknown`, `under_review`, `resolved`, `expired`.
|
||||
- SLA: auto-review escalation after 7 days; decay to `expired` at 30 days unless refreshed.
|
||||
- Surfacing: APIs must include `unknowns.count` and list endpoint with deterministic pagination; optional policy lattice flag to penalize unknowns.
|
||||
- Determinism: cursors encode the last `subjectPurl` + `createdAt`; no random salts.
|
||||
|
||||
### Signing (SP4/SP7)
|
||||
- Manifest structure: list of artifacts (type, id, hash, version, uri), signed using DSSE/ED25519 by default; Rekor optional online, mirrored checkpoints offline.
|
||||
- Stage policy: compile → ingest → materialize → export; each stage produces DSSE, carries prior stage hash for chain-of-custody.
|
||||
- Rekor/mirror matrix: online → Rekor+transparency required; offline → mirror checkpoints and DSSE only. PQ dual-sign optional but recorded in manifest metadata.
|
||||
|
||||
### Pagination/perf budgets (SP9)
|
||||
- Default page size 200; max 500; stable sort: tenant asc, subjectPurl asc, advisoryId asc, createdAt asc.
|
||||
- Cursors: base64-encoded tuple of sort keys; must round-trip deterministically.
|
||||
- Perf budget: p95 response ≤250ms for page=200 on cached dataset; timeouts return deterministic error `spine_timeout`.
|
||||
- Rate limits: 600 rpm per tenant; 429 payload includes retry-after seconds and last stable cursor.
|
||||
|
||||
### Crosswalk (SP10)
|
||||
- Provide table mapping: SBOM component ↔ spine node ↔ graph node ↔ policy evaluation input; include sample payloads in `docs/modules/policy/fixtures/spine-crosswalk/`.
|
||||
- Hash anchors (2025-12-03): `crosswalk.csv` BLAKE3=41926241c6d60bb856ceb4498e70381cdf54217435740f5fdf31ff8964044d78 SHA256=1e6644cdc00097b7e959e75f522335326b8f48fe1d05060d1c06ba660aac22a3.
|
||||
|
||||
## Decisions (2025-12-03)
|
||||
- Evidence minima above are binding for SP2; missing hashes are fatal validation errors.
|
||||
- Unknowns decay schedule adopted as written; extension requires policy-lattice approval.
|
||||
- Stage DSSE is mandatory at every boundary; Rekor optional offline but checkpoints must be mirrored with manifest hash list.
|
||||
- Pagination budgets and rate limits frozen until next version bump; adapters must preserve ordering when downgrading.
|
||||
|
||||
## Signing & Offline
|
||||
- DSSE envelope mandatory for spine manifest; Rekor entry optional online, mirrored checkpoints for offline kits.
|
||||
|
||||
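Review bot: the cursor design in `Pagination/perf budgets (SP9)` is a base64 tuple of the sort keys, and the stable sort starts with `tenant asc`, so the cursor carries a tenant value that any client can edit before sending it back; unless the server overwrites or rejects a cursor whose tenant differs from the caller's authenticated tenant, this is a cross-tenant read. Require that check (or MAC the cursor with a server key, which still round-trips deterministically) and record it under `Decisions`, since these budgets are being frozen. Two smaller points: the SP2 edge ordering (`subjectPurl`, `predicate`, `createdAt`) and the SP9 sort (`tenant`, `subjectPurl`, `advisoryId`, `createdAt`) are different orderings, and neither is unique when two edges share all keys, so add a final tie-break such as the evidenceRef hash or the "deterministic" claim does not hold; and hashing over `normalized decimals (4dp)` means two payloads that differ beyond four decimals (confidence or score on a reachability edge) collide under one hash, so either store the normalized value or hash the exact serialized bytes.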
@@ -1 +1 @@
|
||||
v2-to-v1.csv: BLAKE3=<TBD> SHA256=<TBD>
|
||||
v2-to-v1.csv: BLAKE3=f259a807fae1cac90c4d52223924d808eb52a4ab2cb0d314ab2d651bfdad4273 SHA256=f5f067bd7814bd65213610a5ae4a35ce98e70a990ca1eb86d275a8abd3659a1a
|
||||
|
||||
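Review bot: `hashes.txt` now pins `v2-to-v1.csv` to a BLAKE3 and a SHA256 digest, but nothing in the commit regenerates or checks them, so the next edit to the CSV will silently leave stale anchors that the DSSE proof bullet in the spine doc then relies on. Add the regeneration command (`b3sum` and `sha256sum` over the file) as a comment line or a CI step that recomputes and diffs, and make the CSV line endings explicit, since a CRLF/LF change alone flips both digests.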
@@ -0,0 +1,8 @@
|
||||
field,v2,v1,rule
|
||||
schemaVersion,schemaVersion,schemaVersion,copy
|
||||
componentRef,component.ref,component.ref,copy
|
||||
packageIdentity,edges.package_identity,edges.package_identity,copy
|
||||
reachabilityEvidence,edges.reachability.evidence.hash,edges.reachability.evidence_hash,copy
|
||||
unknownsState,unknowns.state,unknowns_state,enum_map:unknown=pending;under_review=review;resolved=resolved;expired=stale
|
||||
paginationCursor,meta.page.cursor,meta.page_cursor,stable_base64(sort_keys)
|
||||
createdAt,meta.createdAt,meta.created_at,iso8601_utc
|
||||
|
||||
|
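Review bot: the `schemaVersion` row is a `copy` rule, so a payload downgraded through this adapter still carries the v2 `schemaVersion` string, which is exactly the "downgraded without declared adapter" case the spine doc says must be rejected; the adapter should rewrite `schemaVersion` to the v1 value and record the adapter ID in the output. The `reachabilityEvidence` row is labelled `copy` but moves `edges.reachability.evidence.hash` to `edges.reachability.evidence_hash`, a rename, so the `rule` vocabulary (copy, enum_map, stable_base64, iso8601_utc) needs a `rename` entry or the column is misleading. Also, `expired=stale` in the unknowns enum_map is the label downstream v1 policy will see, so mention it where SP3 describes the decay to `expired`.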
@@ -0,0 +1,4 @@
|
||||
sbom_component,spine_node,graph_node,policy_input,evidence_ref
|
||||
pkg:demo/lib-a@1.2.3,spine://component/lib-a,graph://node/lib-a,policy://input/component/lib-a,hash:blake3:27c6de0c
|
||||
pkg:demo/lib-b@2.0.0,spine://component/lib-b,graph://node/lib-b,policy://input/component/lib-b,hash:blake3:da5b631a
|
||||
vuln:CVE-0000-0001,spine://vuln/CVE-0000-0001,graph://advisory/CVE-0000-0001,policy://input/vuln/CVE-0000-0001,hash:sha256:22d8f6f8
|
||||
|
||||
|
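Review bot: `evidence_ref` uses 8-hex-character digest prefixes (`hash:blake3:27c6de0c`, `hash:sha256:22d8f6f8`) that match the first eight characters of the `sample-cdx17-cbom.json` digests in hashes.txt; a truncated digest is neither verifiable nor collision-resistant, and a policy input keyed on it cannot be checked against the fixture. Suggest the full digest, or a fixture-relative reference such as `cdx17-cbom/sample-cdx17-cbom.json#blake3` resolved through the hash list.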
@@ -1 +1 @@
|
||||
crosswalk.csv: BLAKE3=<TBD> SHA256=<TBD>
|
||||
crosswalk.csv: BLAKE3=41926241c6d60bb856ceb4498e70381cdf54217435740f5fdf31ff8964044d78 SHA256=1e6644cdc00097b7e959e75f522335326b8f48fe1d05060d1c06ba660aac22a3
|
||||
|
||||
47
docs/modules/sbomservice/fixtures/lnm-v1/catalog.json
Normal file
@@ -0,0 +1,47 @@
|
||||
[
|
||||
{
|
||||
"artifact": "ghcr.io/stellaops/sample-api",
|
||||
"sbomVersion": "2025.11.16.1",
|
||||
"digest": "sha256:112",
|
||||
"license": "MIT",
|
||||
"scope": "runtime",
|
||||
"assetTags": {
|
||||
"owner": "payments",
|
||||
"criticality": "high",
|
||||
"env": "prod"
|
||||
},
|
||||
"createdAt": "2025-11-16T12:00:00Z",
|
||||
"projectionHash": "sha256:proj112",
|
||||
"evaluationMetadata": "eval:passed:v1"
|
||||
},
|
||||
{
|
||||
"artifact": "ghcr.io/stellaops/sample-api",
|
||||
"sbomVersion": "2025.11.15.1",
|
||||
"digest": "sha256:111",
|
||||
"license": "MIT",
|
||||
"scope": "runtime",
|
||||
"assetTags": {
|
||||
"owner": "payments",
|
||||
"criticality": "high",
|
||||
"env": "prod"
|
||||
},
|
||||
"createdAt": "2025-11-15T12:00:00Z",
|
||||
"projectionHash": "sha256:proj111",
|
||||
"evaluationMetadata": "eval:passed:v1"
|
||||
},
|
||||
{
|
||||
"artifact": "ghcr.io/stellaops/sample-worker",
|
||||
"sbomVersion": "2025.11.12.0",
|
||||
"digest": "sha256:222",
|
||||
"license": "Apache-2.0",
|
||||
"scope": "runtime",
|
||||
"assetTags": {
|
||||
"owner": "platform",
|
||||
"criticality": "medium",
|
||||
"env": "staging"
|
||||
},
|
||||
"createdAt": "2025-11-12T08:00:00Z",
|
||||
"projectionHash": "sha256:proj222",
|
||||
"evaluationMetadata": "eval:pending:v1"
|
||||
}
|
||||
]
|
||||
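Review bot: `digest` and `projectionHash` carry placeholder values (`sha256:112`, `sha256:proj112`) that are not valid digests, while the other fixtures added in this commit use 64-hex-character placeholders; any digest-format check in the SBOM service or in policy will reject this catalog before the fields it is meant to exercise are ever read. Suggest 64-hex placeholders here too, consistent with `sample-cdx17-cbom.json`.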
@@ -0,0 +1,38 @@
|
||||
[
|
||||
{
|
||||
"artifact": "ghcr.io/stellaops/sample-api",
|
||||
"purl": "pkg:npm/lodash@4.17.21",
|
||||
"neighborPurl": "pkg:npm/express@4.18.2",
|
||||
"relationship": "DEPENDS_ON",
|
||||
"license": "MIT",
|
||||
"scope": "runtime",
|
||||
"runtimeFlag": true
|
||||
},
|
||||
{
|
||||
"artifact": "ghcr.io/stellaops/sample-api",
|
||||
"purl": "pkg:npm/lodash@4.17.21",
|
||||
"neighborPurl": "pkg:npm/rollup@3.0.0",
|
||||
"relationship": "DEPENDS_ON",
|
||||
"license": "MIT",
|
||||
"scope": "build",
|
||||
"runtimeFlag": false
|
||||
},
|
||||
{
|
||||
"artifact": "ghcr.io/stellaops/sample-api",
|
||||
"purl": "pkg:npm/lodash@4.17.21",
|
||||
"neighborPurl": "pkg:npm/react@18.2.0",
|
||||
"relationship": "DEPENDS_ON",
|
||||
"license": "MIT",
|
||||
"scope": "runtime",
|
||||
"runtimeFlag": true
|
||||
},
|
||||
{
|
||||
"artifact": "ghcr.io/stellaops/sample-worker",
|
||||
"purl": "pkg:nuget/Newtonsoft.Json@13.0.2",
|
||||
"neighborPurl": "pkg:nuget/StellaOps.Core@1.0.0",
|
||||
"relationship": "DEPENDS_ON",
|
||||
"license": "Apache-2.0",
|
||||
"scope": "runtime",
|
||||
"runtimeFlag": true
|
||||
}
|
||||
]
|
||||
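Review bot: `license` is recorded on each edge, but a license belongs to a component and the fixture does not say whether the value describes `purl` or `neighborPurl` (every lodash row says `MIT` against express, rollup and react alike, so it cannot be checked). `runtimeFlag` also restates `scope` (`runtime` is `true`, `build` is `false`) with no rule for when the two disagree. Suggest documenting which endpoint `license` describes and either deriving `runtimeFlag` from `scope` or dropping one of them.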
@@ -2,7 +2,8 @@
|
||||
|
||||
Scanner analyses container images layer-by-layer, producing deterministic SBOM fragments, diffs, and signed reports.
|
||||
|
||||
## Latest updates (2025-11-09)
|
||||
## Latest updates (2025-12-03)
|
||||
- Deterministic SBOM composition fixture published at `docs/modules/scanner/fixtures/deterministic-compose/` with DSSE, `_composition.json`, BOM, and hashes; doc `deterministic-sbom-compose.md` promoted to Ready v1.0 with offline verification steps.
|
||||
- Node analyzer now ingests npm/yarn/pnpm lockfiles, emitting `DeclaredOnly` components with lock provenance. The CLI companion command `stella node lock-validate` runs the collector offline, surfaces declared-only or missing-lock packages, and emits telemetry via `stellaops.cli.node.lock_validate.count`.
|
||||
- Python analyzer picks up `requirements*.txt`, `Pipfile.lock`, and `poetry.lock`, tagging installed distributions with lock provenance and generating declared-only components for policy. Use `stella python lock-validate` to run the same checks locally before images are built.
|
||||
- Java analyzer now parses `gradle.lockfile`, `gradle/dependency-locks/**/*.lockfile`, and `pom.xml` dependencies via the new `JavaLockFileCollector`, merging lock metadata onto jar evidence and emitting declared-only components when jars are absent. The new CLI verb `stella java lock-validate` reuses that collector offline (table/JSON output) and records `stellaops.cli.java.lock_validate.count{outcome}` for observability.
|
||||
|
||||
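Review bot: the three lock-validate bullets document telemetry inconsistently: the Node bullet names `stellaops.cli.node.lock_validate.count` with no tag set, the Java bullet names `stellaops.cli.java.lock_validate.count{outcome}`, and the Python bullet names no counter at all. If all three verbs emit an `outcome` tag, the Node and Python bullets should say so; otherwise dashboards built from this page will filter on a tag that does not exist.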
@@ -43,7 +43,10 @@ Define how external SBOM/scan outputs (Syft, Trivy, Clair) are normalized into S
|
||||
|
||||
## Regression + fixtures (CM4/CM5)
|
||||
- Fixtures under `docs/modules/scanner/fixtures/competitor-adapters/fixtures/` with golden hashes (BLAKE3/SHA256) and expected normalized output.
|
||||
- CI step runs adapter → normalized → hash compare; offline, no network.
|
||||
- `normalized-syft.json` BLAKE3=aa42c167d19535709a10df73dc39e6a50b8efbbb0ae596d17183ce62676fa85a SHA256=3f8684ff341808dcb92e97dd2c10acca727baaff05182e81a4364bb3dad0eaa7
|
||||
- `normalized-trivy.json` BLAKE3=0da216b49ebcf823d8d4aa3c9c1d2a1dcc579d836ba66bb2ae94dd781e214130 SHA256=c29aa6251d378c2aca1c3c6165e61bd2e16b6fa1227c976417b8a525ad7c1fc1
|
||||
- `normalized-clair.json` BLAKE3=92985f4cbdeecc8a0e585a70e07f17b07abdd866eecacaca9ba1b331f4b3af68 SHA256=bc232cc19885c53e4d801f5c830e3683a4031e42f6421739c4cc221f33f15e01
|
||||
- CI step runs adapter → normalized → hash compare; offline, no network. Hashes act as guardrails for deterministic ordering and mapping stability.
|
||||
|
||||
## Fallback hierarchy (CM6)
|
||||
1) Signed SBOM w/ valid provenance → accepted.
|
||||
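Review bot: the added hash bullets say the digests guard deterministic ordering, but this section never states the canonical form being hashed for `normalized-*.json` (key order, indentation, trailing newline, LF); the fixture files are pretty-printed, so an adapter that emits the same JSON with different whitespace fails the compare for a reason unrelated to mapping stability. Suggest naming the canonicalization (for example sorted keys, two-space indent, LF, trailing newline) next to the hash bullets.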
@@ -53,7 +56,7 @@ Define how external SBOM/scan outputs (Syft, Trivy, Clair) are normalized into S
|
||||
|
||||
## Transparency & coverage (CM7–CM9)
|
||||
- Persist: `source.tool`, `source.version`, `source.hash`, `adapter.version`, `normalized_hash`.
|
||||
- Coverage matrix maintained in `docs/modules/scanner/fixtures/competitor-adapters/coverage.csv` (ecosystem yes/no, notes).
|
||||
- Coverage matrix maintained in `docs/modules/scanner/fixtures/competitor-adapters/coverage.csv` (ecosystem yes/no, notes). Current snapshot (2025-12-03): container/java/python/go/os rows populated; dotnet pending Syft/Clair support.
|
||||
- Bench parity (CM8): pin upstream versions; store run hashes/logs in fixtures folder.
|
||||
|
||||
## Error taxonomy (CM10)
|
||||
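Review bot: the coverage snapshot sentence reads as if container, java, python, go and os are covered by all three tools, but `coverage.csv` in this commit marks Clair `no` for java, python and go, and the doc's row name `os` does not match the CSV's `os-pkgs`. Suggest: "Syft/Trivy cover container, java, python, go and os-pkgs; Clair covers container and os-pkgs only; dotnet has a Trivy sample and is pending for Syft/Clair."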
@@ -61,9 +64,13 @@ Define how external SBOM/scan outputs (Syft, Trivy, Clair) are normalized into S
|
||||
- Non-retryable: signature_invalid, schema_invalid, unsupported_version, no_evidence.
|
||||
- All errors must carry deterministic reason codes and be logged in normalized output metadata.
|
||||
|
||||
## Open Items
|
||||
- Decide minimal evidence set for accepting unsigned SBOMs (intermediate level before scan-only fallback).
|
||||
- Confirm which hash (BLAKE3/SHA256) is canonical for adapter outputs.
|
||||
## Offline kit (CM5)
|
||||
- Kit contents: adapter CSVs (one per tool), fixtures + hashes above, coverage matrix, trust roots, signature policy, retry taxonomy, and DSSE envelope referencing every file hash. Bundle path: `out/offline/competitor-ingest-kit-v1/`.
|
||||
|
||||
## Decisions (2025-12-03)
|
||||
- Minimal evidence for unsigned SBOM acceptance: must include tool metadata (name/version/hash), component list with purl + SHA256, and scan timestamp; otherwise fallback to scan-only path (CM6 step 3).
|
||||
- Canonical adapter output hash: BLAKE3 primary, SHA256 secondary; both recorded in fixture hash lists and surfaced in normalized metadata (`normalized_hash`).
|
||||
- Signature verification policy is strict fail-closed unless `--allow-unsigned` flag explicitly set; fallback hierarchy still applied but logged.
|
||||
|
||||
## Links
|
||||
- Sprint: `docs/implplan/SPRINT_0186_0001_0001_record_deterministic_execution.md` (CM1–CM10)
|
||||
|
||||
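Review bot: the canonical-hash decision says the BLAKE3 of the adapter output is both recorded in the fixture hash list and surfaced inside the output as `normalized_hash`, which cannot hold because a file cannot contain its own digest; the fixtures confirm the two values differ (`normalized-syft.json` is listed as BLAKE3=aa42c167... in hashes.txt while its embedded `normalized_hash` is `blake3:aea53980...`). Suggest stating which bytes `normalized_hash` covers (the document with `normalized_hash` removed, in the canonical serialization) and that the hash list is the digest of the file as stored. The `--allow-unsigned` acceptance should also be recorded in the normalized metadata rather than only logged, since the Error taxonomy section requires reason codes to travel with the output.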
@@ -34,36 +34,41 @@ Define the concrete steps for adopting CVSS v4.0, CycloneDX 1.7 (incl. CBOM), an
|
||||
- timestamps UTC ISO-8601 without sub-ms; decimal rounding 4dp for ratios, 2dp for scores.
|
||||
- Adapter tables (SC4): mapping CSVs checked in under `docs/modules/scanner/fixtures/adapters/` with BLAKE3 + SHA256 hashes; adapters are pure, no net.
|
||||
|
||||
## Fixtures (SC5/SC8)
|
||||
- Add to `docs/modules/scanner/fixtures/cdx17-cbom/`:
|
||||
- `sample-cdx17-cbom.json` (golden), `sample-cdx16-downgraded.json`, `hashes.txt` (BLAKE3, SHA256).
|
||||
- Include CBOM ingress/egress example, CVSS v4 vector, SLSA Source Track fields, evidence properties.
|
||||
## Fixtures (SC2/SC5/SC8)
|
||||
- Golden payloads live in `docs/modules/scanner/fixtures/cdx17-cbom/`.
|
||||
- `sample-cdx17-cbom.json` (CDX 1.7 + CBOM + CVSS v4/v3.1 + SLSA Source Track + evidence).
|
||||
- `sample-cdx16.json` (downgraded CDX 1.6; CVSS v3.1 only; no CBOM channel properties).
|
||||
- `hashes.txt` records deterministic digests:
|
||||
- `sample-cdx17-cbom.json` BLAKE3=27c6de0ccd6adb8149c5521477fba8292aa119fb9e42b521cba6356b2308e761 SHA256=22d8f6f80f02be13f840b74b24b2eea769f108a225152695e1bf8d8a0577e6f6
|
||||
- `sample-cdx16.json` BLAKE3=da5b631a8cca865f929f8fd5d3b35adc512de1754fe2278cb8b415b01c81b3d3 SHA256=3cf6cb04aec97ec05fad0658f54b4ec099644176806f098897a9ba0bf1135cb0
|
||||
- CI step: `dotnet test` hook runs deterministic serializer + hash assertion; env `DOTNET_DISABLE_BUILTIN_GRAPH=1`, fixed `TZ=UTC`, `LC_ALL=C`.
|
||||
- Downgrade adapters (SC4) consume the CDX 1.7 fixture and emit the 1.6 fixture; verify hashes match the values above.
|
||||
|
||||
## Governance (SC1/SC9)
|
||||
- Propose RACI: Product (A), Scanner TL (R), Sbomer TL (C), Policy TL (C), Ops (I).
|
||||
- RACI: Product (A), Scanner TL (R), Sbomer TL (C), Policy TL (C), Ops (I).
|
||||
- Schema bump flow: draft → review → freeze → DSSE-sign schemas + fixtures → publish hash list → lock downgrade adapters.
|
||||
- Downgrade adapters cannot ship without approved mapping CSV + updated hashes.
|
||||
- Downgrade adapters cannot ship without approved mapping CSV + updated hashes; adapter CSVs live under `docs/modules/scanner/fixtures/adapters/` (hash list alongside CSVs).
|
||||
|
||||
## Offline (SC10)
|
||||
- Offline kit must include: schemas, adapter CSVs, fixtures, hash list, DSSE envelope, tool versions (Syft/Trivy pinned) and their hashes.
|
||||
- Bundle path: `out/offline/scanner-standards-kit-v1/`. DSSE envelope references manifest with all hashes.
|
||||
- Bundle path: `out/offline/scanner-standards-kit-v1/`. DSSE envelope references manifest with all hashes; include CBOM sample, downgrade sample, adapter CSVs, and their BLAKE3/SHA256 values.
|
||||
|
||||
## Milestones (proposed)
|
||||
1) Schema draft freeze (CDX 1.7/CBOM + CVSS v4 fields) — owners: Scanner Guild, due T+5d.
|
||||
2) Replay bundle field list for Source Track — owners: Scanner + Sbomer, due T+7d.
|
||||
3) Determinism harness upgrade (CI + fixtures) — owners: QA + Scanner, due T+10d.
|
||||
4) Downgrade adapter tables + hash tests — owners: Scanner, due T+12d.
|
||||
5) Offline-kit bundle update & DSSE signing — owners: Ops, due T+14d.
|
||||
## Milestones (locked for SC1 delivery)
|
||||
1) Schema draft freeze (CDX 1.7/CBOM + CVSS v4 fields) — owners: Scanner Guild, due 2025-12-08.
|
||||
2) Replay bundle field list for Source Track — owners: Scanner + Sbomer, due 2025-12-10.
|
||||
3) Determinism harness upgrade (CI + fixtures) — owners: QA + Scanner, due 2025-12-13.
|
||||
4) Downgrade adapter tables + hash tests — owners: Scanner, due 2025-12-15.
|
||||
5) Offline-kit bundle update & DSSE signing — owners: Ops, due 2025-12-17.
|
||||
|
||||
## Determinism & Offline requirements
|
||||
- Stable field ordering, culture-invariant formatting, UTC ISO-8601 timestamps.
|
||||
- No network calls during conversion/adapters; fixed seeds for any RNG.
|
||||
- All schemas/adapters/fixtures shipped in offline kit with DSSE envelope and recorded hashes.
|
||||
|
||||
## Open Items
|
||||
- Confirm CBOM section subset required for policy engine (ingredients vs evidence-only).
|
||||
- Decide default CVSS v4 vector precision and rounding rules.
|
||||
## Decisions (2025-12-03)
|
||||
- CBOM subset: include ingress + egress channel properties only; deeper data-flow capture deferred to policy/graph once schema stabilises.
|
||||
- CVSS v4 rounding: keep vendor vector precision; round scores to 2dp using `MidpointRounding.ToZero` for deterministic alignment with CVSS v3.1 sidecar values.
|
||||
- Evidence properties are mandatory for replay bundles and serialized CycloneDX 1.7 outputs; adapter must preserve them when downgrading.
|
||||
|
||||
## Links
|
||||
- Sprint: `docs/implplan/SPRINT_0186_0001_0001_record_deterministic_execution.md` (tasks SC1–SC10)
|
||||
|
||||
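Review bot: the CVSS v4 rounding decision (`MidpointRounding.ToZero` to 2dp, "for alignment with CVSS v3.1 sidecar values") conflicts with how those sidecar values are produced: CVSS v3.1 defines Roundup to one decimal place, and CVSS v4.0 scores are likewise published to one decimal, so truncating to two decimals yields numbers no vendor score will match. Suggest storing vendor-published scores as-is (one decimal) and keeping the 2dp rule only for derived ratios, and reconciling the "2dp for scores" line in the determinism rules above with whichever is chosen.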
@@ -1,6 +1,6 @@
|
||||
# Deterministic SBOM Composition (Spec Draft)
|
||||
# Deterministic SBOM Composition
|
||||
|
||||
> **Status:** Draft v0.1 (Sprint 136 / 203 / 209 linkage)
|
||||
> **Status:** Ready v1.0 (Sprint 136 linkage; fixtures dated 2025-12-03)
|
||||
> **Owners:** Scanner Guild · DevEx/CLI Guild · UI Guild · Docs Guild · Security Guild
|
||||
> **Related Tasks:** `SCANNER-SURFACE-04`, `SURFACE-FS-07`, `SCANNER-EMIT-15-001`, `SCANNER-SORT-02`, `CLI-SBOM-60-001`, `CLI-SBOM-60-002`, `UI-SBOM-DET-01`, `UI-POLICY-DET-01`, `DOCS-SCANNER-DET-01`, `DOCS-POLICY-DET-01`, `DOCS-CLI-DET-01`, `SCANNER-CRYPTO-90-002`, `SCANNER-CRYPTO-90-003`
|
||||
|
||||
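Review bot: the Status line now cites Sprint 136 only, while the unchanged Related Tasks line still lists the CLI, UI and Policy tasks (`CLI-SBOM-60-*`, `UI-SBOM-DET-01`, `UI-POLICY-DET-01`) that came in through the dropped 203/209 linkage. Either keep those sprints in the linkage or say where those tasks are now tracked; otherwise the Ready v1.0 stamp covers work this sprint does not own.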
@@ -46,6 +46,19 @@ Guarantee that every container scan yields **provably deterministic** SBOM artif
|
||||
3. Re-run composition locally (using canonical ordering) and compare `sha256(c14n(composed))` against `manifest.properties["stellaops:merkle.root"]`.
|
||||
4. Optionally validate provided Merkle proofs (leaf → root) and attest that the UI/Policy gate marked the scan as deterministic.
|
||||
|
||||
### 3.1 Reference fixture (deterministic-compose)
|
||||
- Path: `docs/modules/scanner/fixtures/deterministic-compose/` (generated 2025-12-03 by `generate.py`).
|
||||
- Quick verify:
|
||||
```bash
|
||||
cd docs/modules/scanner/fixtures/deterministic-compose
|
||||
sha256sum -c hashes.txt
|
||||
jq -r '.payload' fragment-layer1.dsse.json | base64 -d | sha256sum
|
||||
jq -r '.merkleRootSha256' _composition.json
|
||||
jq -r '.properties[] | select(.name=="stellaops:merkle.root").value' bom.cdx.json
|
||||
```
|
||||
Expected Merkle root: `963e421d21be2db87895ea5fd973a0ad71aa638499c274308e013d2b6c8243f6` (matches `_composition.json` and `bom.cdx.json`).
|
||||
- Regenerate deterministically: `python generate.py && sha256sum -c hashes.txt` (standard library only).
|
||||
|
||||
## 4. Deliverables Checklist
|
||||
|
||||
| Area | Deliverable |
|
||||
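Review bot: the Quick verify block prints four values but compares none of them, and its second command will not reproduce the manifest's fragment digest: `generate.py`'s `write_json` hashes the canonical JSON plus a trailing newline for `fragmentSha256`, whereas the base64 payload in `fragment-layer1.dsse.json` ends in `In0=` (a closing quote and brace, no newline), so `base64 -d | sha256sum` gives a different digest. Suggest signing the exact file bytes (newline included) or recording a separate payload digest, and turning the block into assertions, e.g. `test "$(jq -r .merkleRootSha256 _composition.json)" = 963e421d21be2db87895ea5fd973a0ad71aa638499c274308e013d2b6c8243f6`.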
@@ -57,7 +70,13 @@ Guarantee that every container scan yields **provably deterministic** SBOM artif
|
||||
| Docs | Updated scanner/cli/policy guides, offline kit instructions |
|
||||
| Tests | Regression suites covering canonicalization, DSSE verification, PQ keypaths, Merkle roots |
|
||||
|
||||
## 5. References
|
||||
## 5. Operational workflow (worker → CLI/UI/Policy)
|
||||
- **Worker**: emit fragment DSSE + `_composition.json` into the surface manifest; persist `stellaops:composition.manifest` and `stellaops:merkle.root` properties on composed BOMs so downstream consumers do not recompute merges.
|
||||
- **CLI**: verify bundles offline with `stella sbomer compose --recipe docs/modules/scanner/fixtures/deterministic-compose/_composition.json --fragments-dir docs/modules/scanner/fixtures/deterministic-compose --verify` (see `docs/cli/sbomer.md`). The command should fail if any DSSE signature, Merkle root, or BOM hash diverges.
|
||||
- **UI / Policy**: render determinism badge using `stellaops:merkle.root`; block promotion when `_composition.json` is missing or hashes disagree; expose drift diagnostics by recomputing composition locally and comparing to BOM properties.
|
||||
- **Export/Offline**: include `_composition.json`, fragment DSSEs, `bom.cdx.json`, and `hashes.txt` when building Offline Kit bundles so replay jobs can validate without network.
|
||||
|
||||
## 6. References
|
||||
|
||||
- `docs/modules/scanner/architecture.md`
|
||||
- `docs/modules/scanner/design/surface-fs.md`
|
||||
|
||||
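Review bot: the CLI bullet says `stella sbomer compose --verify` should fail on any DSSE signature divergence, but the fixture envelopes carry placeholder signatures (base64 of the string `deterministic-fixture-fragment-1` under key id `demo-ed25519`), so the documented command run against the documented fixture must either fail or skip signature checks, and the page says neither. Suggest stating that the fixture is structurally valid only and how the CLI treats an unverifiable `demo-ed25519` key, or shipping a real test keypair and signatures.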
@@ -1,3 +1,3 @@
|
||||
# placeholder; compute BLAKE3 and SHA256 after schemas stabilize
|
||||
sample-cdx17-cbom.json: BLAKE3=<TBD> SHA256=<TBD>
|
||||
sample-cdx16.json: BLAKE3=<TBD> SHA256=<TBD>
|
||||
# Deterministic hashes for CDX 1.7 CBOM fixture and downgraded 1.6 variant
|
||||
sample-cdx17-cbom.json: BLAKE3=27c6de0ccd6adb8149c5521477fba8292aa119fb9e42b521cba6356b2308e761 SHA256=22d8f6f80f02be13f840b74b24b2eea769f108a225152695e1bf8d8a0577e6f6
|
||||
sample-cdx16.json: BLAKE3=da5b631a8cca865f929f8fd5d3b35adc512de1754fe2278cb8b415b01c81b3d3 SHA256=3cf6cb04aec97ec05fad0658f54b4ec099644176806f098897a9ba0bf1135cb0
|
||||
|
||||
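Review bot: this hash list pins byte-exact digests of two pretty-printed JSON files, and the standards doc requires the SC4 downgrade adapter to emit `sample-cdx16.json` matching these values; that only works if the adapter reproduces the fixture's indentation and key order exactly. Suggest either hashing a canonical (sorted-key, compact) form for the adapter assertion or recording in this file which serializer settings produced the fixtures.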
@@ -0,0 +1,49 @@
|
||||
{
|
||||
"bomFormat": "CycloneDX",
|
||||
"specVersion": "1.6",
|
||||
"serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",
|
||||
"version": 1,
|
||||
"metadata": {
|
||||
"timestamp": "2025-01-01T00:00:00Z",
|
||||
"component": {
|
||||
"type": "application",
|
||||
"name": "demo-app",
|
||||
"version": "1.0.0",
|
||||
"purl": "pkg:demo/demo-app@1.0.0",
|
||||
"hashes": [
|
||||
{ "alg": "SHA-256", "content": "1111111111111111111111111111111111111111111111111111111111111111" }
|
||||
]
|
||||
},
|
||||
"tools": [
|
||||
{ "vendor": "stellaops", "name": "scanner", "version": "0.0.0-fixture" }
|
||||
]
|
||||
},
|
||||
"components": [
|
||||
{
|
||||
"type": "library",
|
||||
"name": "lib-a",
|
||||
"version": "1.2.3",
|
||||
"purl": "pkg:demo/lib-a@1.2.3"
|
||||
},
|
||||
{
|
||||
"type": "library",
|
||||
"name": "lib-b",
|
||||
"version": "2.0.0",
|
||||
"purl": "pkg:demo/lib-b@2.0.0"
|
||||
}
|
||||
],
|
||||
"vulnerabilities": [
|
||||
{
|
||||
"id": "CVE-0000-0001",
|
||||
"source": { "name": "NVD" },
|
||||
"ratings": [
|
||||
{
|
||||
"source": { "name": "NVD" },
|
||||
"method": "CVSSv3.1",
|
||||
"score": 7.5,
|
||||
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
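Review bot: the downgraded 1.6 fixture drops the component `hashes`, the metadata `properties` (source.repo, build.id, provenance.dsse) and every `evidence:*` property, yet the Decisions in the same commit say evidence properties are mandatory and the adapter must preserve them when downgrading; `hashes` and `properties` exist in CycloneDX 1.6, so nothing in the schema forces their removal. Suggest keeping them in this fixture so the SC4 hash test actually checks preservation, and dropping only what 1.6 cannot represent (the CVSS v4 rating, CBOM channel properties).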
@@ -10,10 +10,26 @@
|
||||
"name": "demo-app",
|
||||
"version": "1.0.0",
|
||||
"purl": "pkg:demo/demo-app@1.0.0",
|
||||
"hashes": [ { "alg": "SHA-256", "content": "d" } ],
|
||||
"evidence": { "properties": [ { "name": "evidence:source", "value": "fixture" } ] }
|
||||
"hashes": [
|
||||
{ "alg": "SHA-256", "content": "1111111111111111111111111111111111111111111111111111111111111111" }
|
||||
],
|
||||
"evidence": {
|
||||
"properties": [
|
||||
{ "name": "evidence:source", "value": "fixture" },
|
||||
{ "name": "evidence:hash", "value": "blake3:fixture-demo-app" }
|
||||
]
|
||||
}
|
||||
},
|
||||
"tools": [ { "vendor": "stellaops", "name": "scanner", "version": "0.0.0-fixture" } ]
|
||||
"properties": [
|
||||
{ "name": "source.repo", "value": "https://example.invalid/demo" },
|
||||
{ "name": "source.ref", "value": "refs/tags/v1.0.0" },
|
||||
{ "name": "build.id", "value": "build-123" },
|
||||
{ "name": "build.invocation.hash", "value": "blake3:deadbeef" },
|
||||
{ "name": "provenance.dsse", "value": "sha256:2222222222222222222222222222222222222222222222222222222222222222" }
|
||||
],
|
||||
"tools": [
|
||||
{ "vendor": "stellaops", "name": "scanner", "version": "0.0.0-fixture" }
|
||||
]
|
||||
},
|
||||
"services": [
|
||||
{
|
||||
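Review bot: the metadata placeholders mix formats: `provenance.dsse` is a full 64-hex SHA-256, while `evidence:hash` is `blake3:fixture-demo-app` and `build.invocation.hash` is `blake3:deadbeef`; a consumer that validates digest syntax (the CM6 minimum-evidence rule requires purl + SHA256 per component) will reject the latter two. Suggest 64-hex placeholders for every digest-valued property, as already done for `hashes[]`.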
@@ -25,16 +41,43 @@
|
||||
}
|
||||
],
|
||||
"components": [
|
||||
{ "type": "library", "name": "lib-a", "version": "1.2.3", "purl": "pkg:demo/lib-a@1.2.3" },
|
||||
{ "type": "library", "name": "lib-b", "version": "2.0.0", "purl": "pkg:demo/lib-b@2.0.0" }
|
||||
{
|
||||
"type": "library",
|
||||
"name": "lib-a",
|
||||
"version": "1.2.3",
|
||||
"purl": "pkg:demo/lib-a@1.2.3",
|
||||
"hashes": [ { "alg": "SHA-256", "content": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" } ]
|
||||
},
|
||||
{
|
||||
"type": "library",
|
||||
"name": "lib-b",
|
||||
"version": "2.0.0",
|
||||
"purl": "pkg:demo/lib-b@2.0.0",
|
||||
"hashes": [ { "alg": "SHA-256", "content": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" } ]
|
||||
}
|
||||
],
|
||||
"vulnerabilities": [
|
||||
{
|
||||
"id": "CVE-0000-0001",
|
||||
"source": { "name": "NVD" },
|
||||
"ratings": [
|
||||
{ "source": { "name": "NVD" }, "method": "CVSSv4", "score": 8.0, "vector": "CVSS:4.0/AV:N/AC:L" },
|
||||
{ "source": { "name": "NVD" }, "method": "CVSSv3.1", "score": 7.5, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }
|
||||
{
|
||||
"source": { "name": "NVD" },
|
||||
"method": "CVSSv4",
|
||||
"score": 8.0,
|
||||
"vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
|
||||
},
|
||||
{
|
||||
"source": { "name": "NVD" },
|
||||
"method": "CVSSv3.1",
|
||||
"score": 7.5,
|
||||
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
|
||||
}
|
||||
],
|
||||
"properties": [
|
||||
{ "name": "evidence:source", "value": "fixture" },
|
||||
{ "name": "evidence:proof-id", "value": "proof-123" },
|
||||
{ "name": "evidence:hash", "value": "sha256:3333333333333333333333333333333333333333333333333333333333333333" }
|
||||
]
|
||||
}
|
||||
]
|
||||
|
||||
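Review bot: both ratings on `CVE-0000-0001` have scores that do not match their vectors: the completed CVSS v4 vector `AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H` is the maximum-severity vector and scores 10.0, not 8.0, and `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` scores 9.8, not 7.5. Since the Decisions make the stored score a deterministic function of the vector, a golden fixture with inconsistent pairs bakes a wrong answer into the hash test. Suggest 10.0 and 9.8, or vectors that really score 8.0 and 7.5, then regenerate hashes.txt.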
@@ -0,0 +1,7 @@
|
||||
ecosystem,syft,trivy,clair,notes
|
||||
container,yes,yes,yes,pinned demo fixtures
|
||||
java,yes,yes,no,clair sample pending
|
||||
python,yes,yes,no,
|
||||
dotnet,no,yes,no,trivy provides sample; others pending
|
||||
go,yes,yes,no,
|
||||
os-pkgs,yes,yes,yes,clair focuses on apk baseline
|
||||
|
||||
|
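Review bot: the row name `os-pkgs` here differs from `os` in the doc's coverage snapshot sentence, and the python and go rows have empty notes; anything that joins the doc's ecosystem list against this CSV will miss the OS row. Suggest one spelling in both places and a short note per row (even "no sample yet") so an empty cell is not read as "no constraints".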
@@ -1 +1,4 @@
|
||||
# Golden outputs for Syft/Trivy/Clair fixtures; fill after adapter code lands
|
||||
# Deterministic hashes for normalized competitor ingest fixtures (BLAKE3, SHA256)
|
||||
normalized-syft.json: BLAKE3=aa42c167d19535709a10df73dc39e6a50b8efbbb0ae596d17183ce62676fa85a SHA256=3f8684ff341808dcb92e97dd2c10acca727baaff05182e81a4364bb3dad0eaa7
|
||||
normalized-trivy.json: BLAKE3=0da216b49ebcf823d8d4aa3c9c1d2a1dcc579d836ba66bb2ae94dd781e214130 SHA256=c29aa6251d378c2aca1c3c6165e61bd2e16b6fa1227c976417b8a525ad7c1fc1
|
||||
normalized-clair.json: BLAKE3=92985f4cbdeecc8a0e585a70e07f17b07abdd866eecacaca9ba1b331f4b3af68 SHA256=bc232cc19885c53e4d801f5c830e3683a4031e42f6421739c4cc221f33f15e01
|
||||
|
||||
@@ -0,0 +1,25 @@
|
||||
{
|
||||
"source": { "tool": "clair", "version": "6.0.0", "hash": "sha256:clair-fixture" },
|
||||
"components": [
|
||||
{
|
||||
"name": "demo-os",
|
||||
"version": "3.1-1",
|
||||
"purl": "pkg:apk/demo-os@3.1-1",
|
||||
"type": "os",
|
||||
"hashes": ["sha256:cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"],
|
||||
"licenses": ["BSD-3-Clause"],
|
||||
"evidenceRef": "evidence-003"
|
||||
}
|
||||
],
|
||||
"vulnerabilities": [
|
||||
{
|
||||
"id": "CVE-0000-0003",
|
||||
"source": "alpine",
|
||||
"severity": "Low",
|
||||
"cvss": { "score": 3.1, "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" },
|
||||
"fixVersions": ["3.1-2"],
|
||||
"evidenceRef": "evidence-003"
|
||||
}
|
||||
],
|
||||
"normalized_hash": "blake3:993e43cfe0f22667b5243d4a91d18f53e3efe4f84ee97fc33531629c9ff36418"
|
||||
}
|
||||
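Review bot: `cvss.score` 3.1 does not match `CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N`, which computes to 2.5 (impact 1.41 plus exploitability 1.05, rounded up), and `source.hash` is `sha256:clair-fixture`, not a digest. These files are golden outputs hashed by CI, so suggest fixing the score to 2.5 and using a 64-hex placeholder before the hash list is regenerated.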
@@ -0,0 +1,25 @@
|
||||
{
|
||||
"source": { "tool": "syft", "version": "1.0.0", "hash": "sha256:syft-fixture" },
|
||||
"components": [
|
||||
{
|
||||
"name": "demo-app",
|
||||
"version": "1.0.0",
|
||||
"purl": "pkg:docker/demo-app@1.0.0",
|
||||
"type": "container",
|
||||
"hashes": ["sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"],
|
||||
"licenses": ["MIT"],
|
||||
"evidenceRef": "evidence-001"
|
||||
}
|
||||
],
|
||||
"vulnerabilities": [
|
||||
{
|
||||
"id": "CVE-0000-0002",
|
||||
"source": "nvd",
|
||||
"severity": "High",
|
||||
"cvss": { "score": 7.5, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" },
|
||||
"fixVersions": ["1.0.1"],
|
||||
"evidenceRef": "evidence-001"
|
||||
}
|
||||
],
|
||||
"normalized_hash": "blake3:aea5398089eec122fd594027e9b1322b19d87b057bdb2d0925a89cf2c945b980"
|
||||
}
|
||||
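Review bot: `CVE-0000-0002` carries score 7.5 and severity High for `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, which is 9.8 Critical. Suggest either 9.8/Critical or a vector that actually yields 7.5 (for example `C:H/I:N/A:N` with the same exploitability metrics), then regenerate hashes.txt.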
@@ -0,0 +1,25 @@
|
||||
{
|
||||
"source": { "tool": "trivy", "version": "0.50.0", "hash": "sha256:trivy-fixture" },
|
||||
"components": [
|
||||
{
|
||||
"name": "demo-lib",
|
||||
"version": "2.0.0",
|
||||
"purl": "pkg:npm/demo-lib@2.0.0",
|
||||
"type": "library",
|
||||
"hashes": ["sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"],
|
||||
"licenses": ["Apache-2.0"],
|
||||
"evidenceRef": "evidence-002"
|
||||
}
|
||||
],
|
||||
"vulnerabilities": [
|
||||
{
|
||||
"id": "GHSA-xxxx-yyyy-zzzz",
|
||||
"source": "ghsa",
|
||||
"severity": "Medium",
|
||||
"cvss": { "score": 5.0, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" },
|
||||
"fixVersions": ["2.0.1"],
|
||||
"evidenceRef": "evidence-002"
|
||||
}
|
||||
],
|
||||
"normalized_hash": "blake3:0db368a22f8fe008f03ee8256a5fafe4b16bf8c087ae1c273c6d0090b5cadca7"
|
||||
}
|
||||
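Review bot: `GHSA-xxxx-yyyy-zzzz` has score 5.0 for `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N`, which scores 6.5; the Medium label happens to fit both, so the hash compare would never catch the mismatch. Suggest 6.5 before the golden hash is pinned.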
@@ -0,0 +1,43 @@
|
||||
# Deterministic SBOM composition fixtures
|
||||
|
||||
Reference bundle for DOCS-SCANNER-DET-01. Use it to prove fragment-level DSSE, `_composition.json`, and CycloneDX composition metadata stay deterministic and offline-verifiable.
|
||||
|
||||
## Contents
|
||||
- `_composition.json` — composition recipe with Merkle root, fragment hashes, BOM hash, and determinism pins.
|
||||
- `fragment-layer{1,2}.json` — canonical fragments (sorted keys, newline-terminated).
|
||||
- `fragment-layer{1,2}.dsse.json` — DSSE envelopes over the canonical fragments (demo key `demo-ed25519`).
|
||||
- `bom.cdx.json` — composed CycloneDX BOM with `stellaops:merkle.root` and `stellaops:composition.manifest` properties.
|
||||
- `hashes.txt` — sha256 for every file in this directory.
|
||||
- `generate.py` — reproducible generator (standard library only).
|
||||
|
||||
## Verify offline
|
||||
```bash
|
||||
cd docs/modules/scanner/fixtures/deterministic-compose
|
||||
sha256sum -c hashes.txt
|
||||
|
||||
# Check DSSE payload matches fragment
|
||||
jq -r '.payload' fragment-layer1.dsse.json | base64 -d > /tmp/payload.json
|
||||
diff -u fragment-layer1.json /tmp/payload.json
|
||||
|
||||
# Recompute Merkle root from fragment hashes
|
||||
python - <<'PY'
|
||||
import hashlib, json
|
||||
from pathlib import Path
|
||||
frag_hashes = [line.split()[0] for line in Path('hashes.txt').read_text().splitlines() if 'fragment-layer' in line and '.json' in line and '.dsse' not in line]
|
||||
frag_hashes = [bytes.fromhex(h) for h in frag_hashes]
|
||||
while len(frag_hashes) > 1:
|
||||
nxt = []
|
||||
it = iter(frag_hashes)
|
||||
for a in it:
|
||||
b = next(it, a)
|
||||
nxt.append(hashlib.sha256(a+b).digest())
|
||||
frag_hashes = nxt
|
||||
print(f"merkle={frag_hashes[0].hex()}")
|
||||
PY
|
||||
```
|
||||
|
||||
## Regenerate
|
||||
```bash
|
||||
python generate.py
|
||||
sha256sum -c hashes.txt
|
||||
```
|
||||
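Review bot: the `diff -u fragment-layer1.json /tmp/payload.json` check will report a difference and exit 1 as written: the fragment file is produced by `write_json` with a trailing newline, whereas the DSSE payload (base64 ending `In0=`) stops at the closing brace, so diff prints "No newline at end of file". The Merkle snippet also assumes `hashes.txt` lists fragments in the same order as `_composition.json` (filename sort works for layer1/layer2 and breaks at layer10) and duplicates the last node on odd levels, so its root is not unique per leaf list. Suggest diffing against the compact canonical form without the newline (or signing the file bytes), and reading fragment digests from `_composition.json` in order.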
@@ -0,0 +1 @@
|
||||
{"composedBomSha256":"c161ac9cfee5f3baee69d303a0fb70bfb036d863e317e6e0d5843b983a6c8466","determinism":{"feedSnapshotId":"feeds-2025.320.1","fixedClock":"2025-12-01T00:00:00Z","policySnapshotId":"policy-2025.310.0","rngSeed":1337},"fragments":[{"dsseEnvelopeSha256":"ff008ab332bbcc6ac413739eb66529c3fcb1ca2d2503f8263bf5e0645d930118","dssePath":"fragment-layer1.dsse.json","fragmentPath":"fragment-layer1.json","fragmentSha256":"7884ea6f3a46a0870d8fc74a5e770bac49a9729a83175dbcf42ca14769b22fa0","layerDigest":"sha256:1111111111111111111111111111111111111111111111111111111111111101"},{"dsseEnvelopeSha256":"8813b84f072196808e644e6a8c54a81348b566054149b26a0055d8e63e0ae6aa","dssePath":"fragment-layer2.dsse.json","fragmentPath":"fragment-layer2.json","fragmentSha256":"cb9783249cf18e8d8a227d288864d821c190005897a14212f21742c0f404208f","layerDigest":"sha256:2222222222222222222222222222222222222222222222222222222222222202"}],"generatedAtUtc":"2025-12-03T00:00:00Z","imageDigest":"sha256:9999999999999999999999999999999999999999999999999999999999999900","merkleRootSha256":"963e421d21be2db87895ea5fd973a0ad71aa638499c274308e013d2b6c8243f6","schemaVersion":"1.0"}
|
||||
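Review bot: `determinism.fixedClock` is `2025-12-01T00:00:00Z` but `generatedAtUtc` and the composed BOM's `metadata.timestamp` are `2025-12-03T00:00:00Z`, so the pinned clock is not what produced this manifest, and a replay with the pinned clock yields a different BOM hash. The manifest also records no scanner/analyzer version or canonicalization identifier, so two builds with identical pins but different serializers cannot be told apart. Suggest deriving every timestamp from `fixedClock` and adding `toolVersion` and `canonicalization` fields.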
@@ -0,0 +1 @@
|
||||
{"bomFormat":"CycloneDX","components":[{"bom-ref":"pkg:apk/alpine/busybox@1.36.1","name":"busybox","properties":[{"name":"stellaops:stella.contentHash","value":"7884ea6f3a46a0870d8fc74a5e770bac49a9729a83175dbcf42ca14769b22fa0"}],"purl":"pkg:apk/alpine/busybox@1.36.1","type":"library","version":"1.36.1"},{"bom-ref":"pkg:npm/express@4.18.2","name":"express","properties":[{"name":"stellaops:stella.contentHash","value":"cb9783249cf18e8d8a227d288864d821c190005897a14212f21742c0f404208f"}],"purl":"pkg:npm/express@4.18.2","type":"library","version":"4.18.2"}],"metadata":{"component":{"bom-ref":"pkg:docker/registry.local/demo@sha256:9999999999999999999999999999999999999999999999999999999999999900","name":"registry.local/demo","purl":"pkg:docker/registry.local/demo@sha256:9999999999999999999999999999999999999999999999999999999999999900","type":"container"},"timestamp":"2025-12-03T00:00:00Z"},"properties":[{"name":"stellaops:merkle.root","value":"963e421d21be2db87895ea5fd973a0ad71aa638499c274308e013d2b6c8243f6"},{"name":"stellaops:composition.manifest","value":"cas://scanner/deterministic-compose/_composition.json"},{"name":"stellaops:stella.contentHash","value":"963e421d21be2db87895ea5fd973a0ad71aa638499c274308e013d2b6c8243f6"}],"serialNumber":"urn:uuid:00000000-7e57-4c0d-baad-000000000301","specVersion":"1.6","version":1}
|
||||
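Review bot: `stellaops:stella.contentHash` is used with three different meanings in one document: on each component it is the SHA-256 of the fragment file (busybox carries 7884ea6f..., which is `fragmentSha256` of layer 1, not the component's own evidence `contentHash` 7c3f4d30...), and at the top level it equals the Merkle root. A consumer cannot tell which it is looking at. Suggest distinct names (`stellaops:fragment.sha256` for the component property; `stellaops:merkle.root` already exists for the root) and, if per-component content hashes are wanted, the evidence `contentHash` value.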
@@ -0,0 +1 @@
|
||||
{"payload":"eyJjb21wb25lbnRzIjpbeyJldmlkZW5jZSI6eyJjb250ZW50SGFzaCI6InNoYTI1Njo3YzNmNGQzMGJmY2Q4ZmYyYjA5ZjFiYTM5ZjQzYzUyNGQ2Y2UxYjdhNWYzYzJiZGUzMjFlMGY1ZTBlNmMzZDEwIiwibGljZW5zZXMiOlsiQlNELTMtQ2xhdXNlIl0sInBhdGhzIjpbIi9iaW4vYnVzeWJveCJdfSwiaWRlbnRpdHkiOnsicHVybCI6InBrZzphcGsvYWxwaW5lL2J1c3lib3hAMS4zNi4xIn0sInNvdXJjZSI6ImFwayJ9XSwiZ2VuZXJhdGVkQXRVdGMiOiIyMDI1LTEyLTAxVDAwOjAwOjAwWiIsImxheWVyRGlnZXN0Ijoic2hhMjU2OjExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMDEiLCJzY2hlbWFWZXJzaW9uIjoiMS4wIn0=","payloadType":"application/vnd.stellaops.scanner.fragment+json","signatures":[{"keyid":"demo-ed25519","sig":"ZGV0ZXJtaW5pc3RpYy1maXh0dXJlLWZyYWdtZW50LTE="}]}
|
||||
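Review bot: `sig` decodes to the 32-byte ASCII string `deterministic-fixture-fragment-1`, not an Ed25519 signature (64 bytes), while `keyid` says `demo-ed25519`; any real verifier rejects this envelope, and the README presents it as a DSSE envelope over the fragment. Suggest a real signature with a checked-in test key (the generator is stdlib-only, so either vendor a small Ed25519 implementation or state explicitly that signatures are placeholders and verification must be skipped).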
@@ -0,0 +1 @@
|
||||
{"components":[{"evidence":{"contentHash":"sha256:7c3f4d30bfcd8ff2b09f1ba39f43c524d6ce1b7a5f3c2bde321e0f5e0e6c3d10","licenses":["BSD-3-Clause"],"paths":["/bin/busybox"]},"identity":{"purl":"pkg:apk/alpine/busybox@1.36.1"},"source":"apk"}],"generatedAtUtc":"2025-12-01T00:00:00Z","layerDigest":"sha256:1111111111111111111111111111111111111111111111111111111111111101","schemaVersion":"1.0"}
|
||||
@@ -0,0 +1 @@
|
||||
{"payload":"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","payloadType":"application/vnd.stellaops.scanner.fragment+json","signatures":[{"keyid":"demo-ed25519","sig":"ZGV0ZXJtaW5pc3RpYy1maXh0dXJlLWZyYWdtZW50LTI="}]}
|
||||
@@ -0,0 +1 @@
|
||||
{"components":[{"evidence":{"contentHash":"sha256:8ab103fed58e7dc0b1819b7358126d1c44cc979f409775888b859504a829148b","licenses":["MIT"],"paths":["/workspace/node_modules/express"]},"identity":{"purl":"pkg:npm/express@4.18.2"},"source":"npm"}],"generatedAtUtc":"2025-12-01T00:00:00Z","layerDigest":"sha256:2222222222222222222222222222222222222222222222222222222222222202","schemaVersion":"1.0"}
|
||||
190
docs/modules/scanner/fixtures/deterministic-compose/generate.py
Normal file
@@ -0,0 +1,190 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Generate deterministic SBOM composition fixtures.
|
||||
|
||||
Outputs fragment JSON, DSSE envelopes, a composition manifest, a composed
|
||||
CycloneDX BOM, and a hashes file suitable for offline verification.
|
||||
"""
|
||||
|
||||
import base64
|
||||
import hashlib
|
||||
import json
|
||||
from pathlib import Path
|
||||
|
||||
ROOT = Path(__file__).parent
|
||||
|
||||
|
||||
def canonical(obj) -> str:
|
||||
return json.dumps(obj, separators=(",", ":"), sort_keys=True)
|
||||
|
||||
|
||||
def write_json(path: Path, obj) -> str:
|
||||
text = canonical(obj) + "\n"
|
||||
path.write_text(text)
|
||||
return hashlib.sha256(text.encode()).hexdigest()
|
||||
|
||||
|
||||
def merkle_root(hex_hashes: list[str]) -> str:
|
||||
if not hex_hashes:
|
||||
return ""
|
||||
nodes = [bytes.fromhex(h) for h in hex_hashes]
|
||||
while len(nodes) > 1:
|
||||
nxt = []
|
||||
it = iter(nodes)
|
||||
for a in it:
|
||||
b = next(it, a)
|
||||
nxt.append(hashlib.sha256(a + b).digest())
|
||||
nodes = nxt
|
||||
return nodes[0].hex()
|
||||
|
||||
|
||||
def dsse_envelope(payload_json: str, label: str) -> dict:
|
||||
payload_b64 = base64.b64encode(payload_json.encode()).decode()
|
||||
signature = base64.b64encode(f"deterministic-fixture-{label}".encode()).decode()
|
||||
return {
|
||||
"payloadType": "application/vnd.stellaops.scanner.fragment+json",
|
||||
"payload": payload_b64,
|
||||
"signatures": [
|
||||
{
|
||||
"keyid": "demo-ed25519",
|
||||
"sig": signature,
|
||||
}
|
||||
],
|
||||
}
|
||||
|
||||
|
||||
def main() -> None:
|
||||
ROOT.mkdir(parents=True, exist_ok=True)
|
||||
|
||||
fragments_src = [
|
||||
{
|
||||
"schemaVersion": "1.0",
|
||||
"layerDigest": "sha256:1111111111111111111111111111111111111111111111111111111111111101",
|
||||
"generatedAtUtc": "2025-12-01T00:00:00Z",
|
||||
"components": [
|
||||
{
|
||||
"identity": {"purl": "pkg:apk/alpine/busybox@1.36.1"},
|
||||
"evidence": {
|
||||
"paths": ["/bin/busybox"],
|
||||
"licenses": ["BSD-3-Clause"],
|
||||
"contentHash": "sha256:7c3f4d30bfcd8ff2b09f1ba39f43c524d6ce1b7a5f3c2bde321e0f5e0e6c3d10",
|
||||
},
|
||||
"source": "apk",
|
||||
}
|
||||
],
|
||||
},
|
||||
{
|
||||
"schemaVersion": "1.0",
|
||||
"layerDigest": "sha256:2222222222222222222222222222222222222222222222222222222222222202",
|
||||
"generatedAtUtc": "2025-12-01T00:00:00Z",
|
||||
"components": [
|
||||
{
|
||||
"identity": {"purl": "pkg:npm/express@4.18.2"},
|
||||
"evidence": {
|
||||
"paths": ["/workspace/node_modules/express"],
|
||||
"licenses": ["MIT"],
|
||||
"contentHash": "sha256:8ab103fed58e7dc0b1819b7358126d1c44cc979f409775888b859504a829148b",
|
||||
},
|
||||
"source": "npm",
|
||||
}
|
||||
],
|
||||
},
|
||||
]
|
||||
|
||||
fragments_meta = []
|
||||
for idx, fragment in enumerate(fragments_src, start=1):
|
||||
fragment_path = ROOT / f"fragment-layer{idx}.json"
|
||||
fragment_hash = write_json(fragment_path, fragment)
|
||||
|
||||
envelope_obj = dsse_envelope(canonical(fragment), f"fragment-{idx}")
|
||||
envelope_path = ROOT / f"fragment-layer{idx}.dsse.json"
|
||||
envelope_hash = write_json(envelope_path, envelope_obj)
|
||||
|
||||
fragments_meta.append(
|
||||
{
|
||||
"layerDigest": fragment["layerDigest"],
|
||||
"fragmentPath": fragment_path.name,
|
||||
"dssePath": envelope_path.name,
|
||||
"fragmentSha256": fragment_hash,
|
||||
"dsseEnvelopeSha256": envelope_hash,
|
||||
}
|
||||
)
|
||||
|
||||
fragments_meta.sort(key=lambda f: f["layerDigest"])
|
||||
merkle = merkle_root([f["fragmentSha256"] for f in fragments_meta])
|
||||
|
||||
bom = {
|
||||
"bomFormat": "CycloneDX",
|
||||
"specVersion": "1.6",
|
||||
"serialNumber": "urn:uuid:00000000-7e57-4c0d-baad-000000000301",
|
||||
"version": 1,
|
||||
"metadata": {
|
||||
"timestamp": "2025-12-03T00:00:00Z",
|
||||
"component": {
|
||||
"type": "container",
|
||||
"bom-ref": "pkg:docker/registry.local/demo@sha256:9999999999999999999999999999999999999999999999999999999999999900",
|
||||
"name": "registry.local/demo",
|
||||
"purl": "pkg:docker/registry.local/demo@sha256:9999999999999999999999999999999999999999999999999999999999999900",
|
||||
},
|
||||
},
|
||||
"components": [
|
||||
{
|
||||
"bom-ref": "pkg:apk/alpine/busybox@1.36.1",
|
||||
"type": "library",
|
||||
"name": "busybox",
|
||||
"version": "1.36.1",
|
||||
"purl": "pkg:apk/alpine/busybox@1.36.1",
|
||||
"properties": [
|
||||
{"name": "stellaops:stella.contentHash", "value": fragments_meta[0]["fragmentSha256"]}
|
||||
],
|
||||
},
|
||||
{
|
||||
"bom-ref": "pkg:npm/express@4.18.2",
|
||||
"type": "library",
|
||||
"name": "express",
|
||||
"version": "4.18.2",
|
||||
"purl": "pkg:npm/express@4.18.2",
|
||||
"properties": [
|
||||
{"name": "stellaops:stella.contentHash", "value": fragments_meta[1]["fragmentSha256"]}
|
||||
],
|
||||
},
|
||||
],
|
||||
"properties": [
|
||||
{"name": "stellaops:merkle.root", "value": merkle},
|
||||
{"name": "stellaops:composition.manifest", "value": "cas://scanner/deterministic-compose/_composition.json"},
|
||||
{"name": "stellaops:stella.contentHash", "value": merkle},
|
||||
],
|
||||
}
|
||||
bom_path = ROOT / "bom.cdx.json"
|
||||
bom_hash = write_json(bom_path, bom)
|
||||
|
||||
composition = {
|
||||
"schemaVersion": "1.0",
|
||||
"imageDigest": "sha256:9999999999999999999999999999999999999999999999999999999999999900",
|
||||
"generatedAtUtc": "2025-12-03T00:00:00Z",
|
||||
"fragments": fragments_meta,
|
||||
"merkleRootSha256": merkle,
|
||||
"composedBomSha256": bom_hash,
|
||||
"determinism": {
|
||||
"fixedClock": "2025-12-01T00:00:00Z",
|
||||
"rngSeed": 1337,
|
||||
"feedSnapshotId": "feeds-2025.320.1",
|
||||
"policySnapshotId": "policy-2025.310.0",
|
||||
},
|
||||
}
|
||||
composition_path = ROOT / "_composition.json"
|
||||
composition_hash = write_json(composition_path, composition)
|
||||
|
||||
hashes = {
|
||||
"_composition.json": composition_hash,
|
||||
"bom.cdx.json": bom_hash,
|
||||
}
|
||||
for meta in fragments_meta:
|
||||
hashes[meta["fragmentPath"]] = meta["fragmentSha256"]
|
||||
hashes[meta["dssePath"]] = meta["dsseEnvelopeSha256"]
|
||||
|
||||
hashes_lines = [f"{hashes[name]} {name}" for name in sorted(hashes.keys())]
|
||||
(ROOT / "hashes.txt").write_text("\n".join(hashes_lines) + "\n")
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
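Review bot: `write_json` hashes `text` but persists it with `path.write_text(text)`, which uses the platform default encoding and universal newlines; on Windows the trailing `\n` is written as `\r\n`, so the bytes on disk no longer match `fragmentSha256`/`composedBomSha256` and `hashes.txt` will not verify. Use `path.write_bytes(text.encode("utf-8"))` (or `write_text(text, encoding="utf-8", newline="\n")`), and the same for the `hashes.txt` write. Three smaller points: the BOM components index `fragments_meta[0]`/`[1]` after `fragments_meta.sort(key=lambda f: f["layerDigest"])`, so busybox and express only receive the right `fragmentSha256` because the synthetic digests happen to sort in source order; look the entry up by `layerDigest` instead. `determinism.fixedClock` is `2025-12-01T00:00:00Z` while `metadata.timestamp` and the composition `generatedAtUtc` use `2025-12-03T00:00:00Z`; derive both from one constant. And `merkle_root` duplicates the odd trailing node (`next(it, a)`) with no leaf/inner domain separation, which is fine for a fixture only if it is the same construction the Scanner composer uses; otherwise `stellaops:merkle.root` here will never match service output, so add a comment naming the production algorithm it mirrors.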
@@ -0,0 +1,6 @@
|
||||
c5c2e7195eb6f1624534966624655734fe595666f43a6b3dd168d60b5b33d5b0 _composition.json
|
||||
c161ac9cfee5f3baee69d303a0fb70bfb036d863e317e6e0d5843b983a6c8466 bom.cdx.json
|
||||
ff008ab332bbcc6ac413739eb66529c3fcb1ca2d2503f8263bf5e0645d930118 fragment-layer1.dsse.json
|
||||
7884ea6f3a46a0870d8fc74a5e770bac49a9729a83175dbcf42ca14769b22fa0 fragment-layer1.json
|
||||
8813b84f072196808e644e6a8c54a81348b566054149b26a0055d8e63e0ae6aa fragment-layer2.dsse.json
|
||||
cb9783249cf18e8d8a227d288864d821c190005897a14212f21742c0f404208f fragment-layer2.json
|
||||
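Review bot: these lines separate digest and filename with a single space (`<hash> <file>`), whereas the `sha256sum -c` convention is two spaces (or ` *` for binary mode), and tools that follow the coreutils format can reject single-space lines as improperly formatted. `generate.py` builds them with `f"{hashes[name]} {name}"`; emitting two spaces there and regenerating this file keeps the fixture verifiable with stock `sha256sum -c hashes.txt`.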
@@ -41,7 +41,7 @@
|
||||
- `map` – expands items into child steps (`stepId[index]::templateId`).
|
||||
- `gate.approval` – human approval checkpoint; enforces TTL/required count; pauses run until satisfied or expired.
|
||||
- `gate.policy` – Policy Engine evaluation; `failAction` decides halt vs. continue.
|
||||
- Built-in helper: `bundle.ingest` (run step) — validates optional `checksum`/`checksumSha256`, stages bundles to `ArtifactsPath/bundles/<file>` deterministically; fails on missing file or checksum mismatch.
|
||||
- Built-in helper: `bundle.ingest` (run step) — requires `checksum`/`checksumSha256`, validates SHA-256, stages bundles to `ArtifactsPath/bundles/{checksum}/(unknown)` deterministically, and emits `metadata.json`; fails on missing file or checksum mismatch.
|
||||
|
||||
## 7. Determinism, Air-Gap, and Security
|
||||
- Plan hash binding: runtime graph must equal planned graph; mismatch aborts run.
|
||||
|
||||
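Review bot: the replacement `bundle.ingest` line stages to `ArtifactsPath/bundles/{checksum}/(unknown)`; `(unknown)` reads like an unresolved placeholder for the file-name segment and should state the actual naming rule (for example the original bundle file name). The line also changes `checksum`/`checksumSha256` from optional to required, which is a behavioural change for existing pack definitions; call that out explicitly so authors know a run without a checksum now fails at `bundle.ingest`.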
@@ -16,7 +16,7 @@ Normalize static callgraphs across languages so Signals can merge them with runt
|
||||
- **Node/Deno TS**: module path + exported symbol; ES module graph only.
|
||||
- **Rust MIR**: crate::module::symbol; monomorphized forms allowed if stable.
|
||||
- **Swift SIL**: mangled name; demangled kept in metadata only.
|
||||
- **Shell/binaries**: when present, use ELF/PE symbol+offset; mark `kind=binary`.
|
||||
- **Shell/binaries**: `SymbolID = sym:binary:{sha256(file)\0section\0addr\0name\0linkage}` via `SymbolId.ForBinaryAddressed`, include `code_id = CodeId.ForBinarySegment(...)` and set `kind=binary`.
|
||||
|
||||
## CAS layout
|
||||
- Store graph bundles under `reachability_graphs/<hh>/<sha>.tar.zst`.
|
||||
|
||||
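Review bot: the new Shell/binaries line lists five tuple fields (`sha256(file)\0section\0addr\0name\0linkage`), but the helper status entry added to the reachability doc in this same commit says `SymbolId.ForBinaryAddressed` encodes `{file_hash, section, addr, name, linkage, length, code_block_hash}`; one of the two is stale, and the `SymbolID` definition should list exactly what the helper hashes so analyzers can reproduce IDs. It also names only ELF/PE while `BinaryReachabilityLifter` covers Mach-O; add Mach-O to the format list.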
@@ -43,6 +43,7 @@ Out of scope: implementing disassemblers or symbol servers; those will be handle
|
||||
* Persist the data into `richgraph-v1` payloads and attach CAS URIs via `StellaOps.Scanner.Reachability`.
|
||||
* Deliver fixtures in `tests/reachability/StellaOps.ScannerSignals.IntegrationTests` that prove determinism (same hash when analyzer flags reorder).
|
||||
* **Helper status (2025-12-02):** `SymbolId.ForBinaryAddressed` + `CodeId.ForBinarySegment` now encode `{file_hash, section, addr, name, linkage, length, code_block_hash}` with normalized hex addresses. Analyzers should start emitting these tuples instead of ad-hoc hashes.
|
||||
* **Binary lifter (2025-12-03):** `BinaryReachabilityLifter` emits richgraph nodes for ELF/PE/Mach-O using file SHA-256 + section/address tuples, attaches `code_id` anchors, and turns imports/load commands into `import` edges.
|
||||
|
||||
### 3.2 Runtime + Signals (GAP-ZAS-002 / GAP-SIG-003)
|
||||
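Review bot: the helper status says addresses are normalized hex but not whether `addr` is a section-relative offset or an image virtual address; if it is a VA, relinking or rebasing the same code with a different image base changes every `SymbolID` and `code_id`, which defeats the determinism fixtures promised in the line above. State the address base explicitly (section plus offset is the stable choice) and add a fixture that rebases a binary and expects unchanged IDs.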