stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

up
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
devportal-offline / build-offline (push) Has been cancelled
Details

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-03 00:10:19 +02:00
parent ea1d58a89b
commit 37cba83708
158 changed files with 147438 additions and 867 deletions
Download Patch File Download Diff File Expand all files Collapse all files

121
docs/airgap/manifest.schema.json Normal file
View File

@@ -0,0 +1,121 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stellaops.local/airgap/manifest.schema.json",
"title": "Offline Kit Manifest",
"type": "object",
"additionalProperties": false,
"required": [
"schemaVersion",
"bundleId",
"tenant",
"environment",
"createdAt",
"stalenessWindowHours",
"tools",
"feeds",
"policies",
"chunks",
"hashes"
],
"properties": {
"schemaVersion": { "type": "string", "pattern": "^1\\.\\d+\\.\\d+$" },
"bundleId": { "type": "string", "pattern": "^offline-kit:[A-Za-z0-9._:-]+$" },
"tenant": { "type": "string", "minLength": 1 },
"environment": { "type": "string", "enum": ["prod", "stage", "dev", "test"] },
"createdAt": { "type": "string", "format": "date-time" },
"stalenessWindowHours": { "type": "integer", "minimum": 0 },
"tools": {
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"required": ["name", "version", "sha256"],
"properties": {
"name": { "type": "string" },
"version": { "type": "string" },
"sha256": { "type": "string", "pattern": "^[A-Fa-f0-9]{64}$" }
}
},
"uniqueItems": true
},
"feeds": {
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"required": ["name", "snapshot", "sha256"],
"properties": {
"name": { "type": "string" },
"snapshot": { "type": "string" },
"sha256": { "type": "string", "pattern": "^[A-Fa-f0-9]{64}$" },
"stalenessHours": { "type": "integer", "minimum": 0 }
}
},
"uniqueItems": true
},
"policies": {
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"required": ["name", "version", "sha256"],
"properties": {
"name": { "type": "string" },
"version": { "type": "string" },
"sha256": { "type": "string", "pattern": "^[A-Fa-f0-9]{64}$" }
}
},
"uniqueItems": true
},
"chunks": {
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"required": ["path", "sha256", "size"],
"properties": {
"path": { "type": "string" },
"sha256": { "type": "string", "pattern": "^[A-Fa-f0-9]{64}$" },
"size": { "type": "integer", "minimum": 0 },
"kind": { "type": "string", "enum": ["advisory", "sbom", "vex", "policy", "graph", "tooling", "other"] }
}
},
"uniqueItems": true
},
"avScan": {
"type": "object",
"additionalProperties": false,
"required": ["status"],
"properties": {
"status": { "type": "string", "enum": ["not_run", "clean", "findings"] },
"scanner": { "type": "string" },
"scanAt": { "type": "string", "format": "date-time" },
"reportPath": { "type": "string" },
"reportSha256": { "type": "string", "pattern": "^[A-Fa-f0-9]{64}$" }
}
},
"hashes": {
"type": "object",
"additionalProperties": false,
"required": ["manifestSha256", "bundleSha256"],
"properties": {
"manifestSha256": { "type": "string", "pattern": "^[A-Fa-f0-9]{64}$" },
"bundleSha256": { "type": "string", "pattern": "^[A-Fa-f0-9]{64}$" }
}
},
"signatures": {
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"required": ["type", "keyId", "signature"],
"properties": {
"type": { "type": "string", "enum": ["dsse", "jws-detached"] },
"keyId": { "type": "string" },
"signature": { "type": "string" },
"envelopeDigest": { "type": "string", "pattern": "^sha256:[A-Fa-f0-9]{64}$" }
}
}
}
}
}

58
docs/airgap/runbooks/import-verify.md
View File

@@ -1,30 +1,40 @@
# AirGap Import & Verify (runbook outline)
# Offline Kit Import Verification Runbook
Related advisory: `docs/product-advisories/25-Nov-2025 - Airgap deployment playbook for StellaOps.md` (AG1AG12). Implements AIRGAP-VERIFY-510-014.
This runbook supports AIRGAP-MANIFEST-510-010/014. It validates bundle integrity before import, fully offline.
## Prerequisites
- `offline-kit/manifest.json` + `manifest.dsse` and `mirror.manifest` present.
- Trust roots: Rekor/TUF roots, Authority signing roots, AV/YARA public keys.
- Tools: `cosign` (or Stella verifier), `sha256sum`, `yara`, `python3`.
## Inputs
- Manifest: `offline-kit/manifest.json`
- Bundle archive: e.g., `offline-kit/bundle.tar.gz`
- Optional DSSE/JWS signature + public key for the manifest.
## Steps
1) Verify manifest signature
- `cosign verify-blob --key trust-roots/manifest.pub --signature manifest.dsse manifest.json`
- Sample helper: `scripts/airgap/verify-offline-kit.sh <kit-root>`
2) Check staleness and policy/graph hashes
- Compare `feeds[*].snapshot` dates to allowed window; ensure `policyHash`/`graphHash` match target site config; fail closed on mismatch unless override signed.
3) Verify chunks and Merkle root
- For each chunk listed in manifest, `sha256sum -c`; recompute Merkle root per manifest recipe; compare to `rootHash` field.
4) AV/YARA validation
- Run `yara -r rules/offline-kit.yar kit/`; confirm `avReport.sha256` matches signed report in manifest; block on any detection.
5) Replay depth selection
- Modes: `hash-only` (default), `full-recompute`, `policy-freeze`. Select via `--replay-mode`; enforce exit codes 0=pass, 3=stale, 4=hash-drift, 5=av-fail.
6) Ingress/egress receipts
- Generate DSSE receipt `{hash, operator, time, decision}`; store in Proof Graph; verify incoming receipts before import.
## Quick steps (offline)
```bash
src/AirGap/scripts/verify-manifest.sh offline-kit/manifest.json offline-kit/bundle.tar.gz \
offline-kit/manifest.sig offline-kit/manifest.pub.pem
```
What it does:
1. Computes SHA-256 of manifest and bundle, compares with `hashes.manifestSha256` and `hashes.bundleSha256`.
2. If signature + pubkey are provided, verifies the manifest signature with OpenSSL.
## Expected manifest fields
- `tools[]`, `feeds[]`, `policies[]` with SHA-256.
- `chunks[]` entries for every payload file (path, sha256, size, kind).
- `stalenessWindowHours` and `avScan` status.
- `hashes.manifestSha256` and `hashes.bundleSha256` must match the files on disk.
- Optional `signatures[]` (dsse/jws-detached) with `envelopeDigest`.
## Failure handling
- Hash mismatch → stop; regenerate bundle.
- Signature failure → stop; re-validate trust roots.
- Missing AV scan → treat as policy violation; rerun scans and update manifest.
## Outputs
- Exit code per replay mode outcome.
- Receipt DSSE stored at `receipts/{tenant}/{timestamp}.dsse`.
- Optional report `verify-report.json` summarizing checks.
- Exit 0 when all checks pass.
- Exit 25 for missing tools/hash/signature verification issues (see script).
> Expand with concrete scripts once tasks 510-010..014 land.
## References
- Schema: `docs/airgap/manifest.schema.json`
- Sample: `docs/airgap/samples/offline-kit-manifest.sample.json`
- Script: `src/AirGap/scripts/verify-manifest.sh`

43
docs/airgap/samples/offline-kit-manifest.sample.json Normal file
View File

@@ -0,0 +1,43 @@
{
"$schema": "../manifest.schema.json",
"schemaVersion": "1.0.0",
"bundleId": "offline-kit:concelier:2025-12-02",
"tenant": "default",
"environment": "prod",
"createdAt": "2025-12-02T00:00:00Z",
"stalenessWindowHours": 168,
"tools": [
{ "name": "concelier-exporter", "version": "2.5.0", "sha256": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcd" },
{ "name": "trivy-db", "version": "0.48.0", "sha256": "89abcdef0123456789abcdef0123456789abcdef0123456789abcdef01234567" }
],
"feeds": [
{ "name": "redhat-csaf", "snapshot": "2025-12-01", "sha256": "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210", "stalenessHours": 72 },
{ "name": "osv", "snapshot": "2025-12-01T23:00:00Z", "sha256": "0f0e0d0c0b0a09080706050403020100ffeeddccbbaa99887766554433221100", "stalenessHours": 24 }
],
"policies": [
{ "name": "policy-bundle", "version": "1.4.2", "sha256": "aa55aa55aa55aa55aa55aa55aa55aa55aa55aa55aa55aa55aa55aa55aa55aa55" }
],
"chunks": [
{ "path": "chunks/advisories-0001.tzst", "sha256": "1234123412341234123412341234123412341234123412341234123412341234", "size": 1048576, "kind": "advisory" },
{ "path": "chunks/vex-0001.tzst", "sha256": "4321432143214321432143214321432143214321432143214321432143214321", "size": 524288, "kind": "vex" }
],
"avScan": {
"status": "clean",
"scanner": "clamav 1.4.1",
"scanAt": "2025-12-02T00:05:00Z",
"reportPath": "reports/av-scan.txt",
"reportSha256": "bb66bb66bb66bb66bb66bb66bb66bb66bb66bb66bb66bb66bb66bb66bb66bb66"
},
"hashes": {
"manifestSha256": "29d58b9fdc5c4e65b26c03f3bd9f442ff0c7f8514b8a9225f8b6417ffabc0101",
"bundleSha256": "d3c3f6c75c6a3f0906bcee457cc77a2d6d7c0f9d1a1d7da78c0d2ab8e0dba111"
},
"signatures": [
{
"type": "dsse",
"keyId": "airgap-manifest-dev",
"signature": "MEQCIGVyb3JrZXktc2lnbmF0dXJlLXNob3J0",
"envelopeDigest": "sha256:cc77cc77cc77cc77cc77cc77cc77cc77cc77cc77cc77cc77cc77cc77cc77cc77"
}
]
}

26
docs/db/local-postgres.md
View File

@@ -47,3 +47,29 @@ docker volume rm stella-postgres-data
- Image: `postgres:17` (latest GA at time of writing).
- Healthcheck is built into the compose service; wait for `healthy` before running tests.
- Keep volumes deterministic: the compose file names the volume `stella-postgres-data`.
## Scheduler Mongo → Postgres backfill
Use the new `Scheduler.Backfill` tool to copy Scheduler data from MongoDB into the Postgres schema.
```bash
dotnet run \
--project src/Scheduler/Tools/Scheduler.Backfill/Scheduler.Backfill.csproj \
--mongo "${MONGO_CONNECTION_STRING:-mongodb://localhost:27017}" \
--mongo-db "${MONGO_DATABASE:-stellaops_scheduler}" \
--pg "Host=localhost;Port=5432;Username=stella;Password=stella;Database=stella" \
--batch 500
```
Flags:
- `--dry-run` to validate without writing.
- `--batch` to tune insert batch size (defaults to 500).
What it does:
- Reads `schedules` and `runs` collections.
- Serialises documents with `CanonicalJsonSerializer` for deterministic JSON.
- Upserts into `scheduler.schedules` and `scheduler.runs` tables (created by migration `001_initial_schema.sql`).
Verification tips:
- Compare counts after backfill: `select count(*) from scheduler.schedules;` and `...runs;`.
- Spot-check next-fire timing by comparing `cron_expression` and `timezone` with the Mongo source; deterministic ordering is preserved via canonical JSON.

5
docs/db/tasks/PHASE_1_AUTHORITY.md
View File

@@ -15,6 +15,11 @@
4. Enable dual-write mode for validation
5. Switch Authority to PostgreSQL-only after verification
**2025-12-02 Update**
- Dual-write decorators (token, refresh token) implemented with metrics and configurable fail-fast behaviour.
- Backfill/verification harness added in Postgres library to copy tokens/refresh tokens from secondary backend and emit deterministic checksums.
- Sprint PG-T1.9PG-T1.12 unblocked; staging cutover awaits scheduled window.
---
## Deliverables

4
docs/implplan/SPRINT_0119_0001_0004_excititor_iv.md
View File

@@ -38,11 +38,12 @@
| Attestations | Wire DSSE verification + timeline surfacing (OBS-54-001). | Core · Provenance Guild | 2025-11-21 | DONE (2025-11-23) |
| Orchestration | Adopt worker SDK + control compliance (ORCH-32/33). | Worker Guild | 2025-11-20 | BLOCKED (SDK missing in repo; awaiting orchestrator worker package) |
| Orchestration | Adopt worker SDK + control compliance (ORCH-32/33). | Worker Guild | 2025-11-20 | DONE (2025-12-01) |
| Policy/Risk APIs | Shape APIs + feeds (POLICY-20-001/002, RISK-66-001). | WebService/Core · Risk Guild | 2025-11-22 | TODO |
| Policy/Risk APIs | Shape APIs + feeds (POLICY-20-001/002, RISK-66-001). | WebService/Core · Risk Guild | 2025-11-22 | BLOCKED (awaiting Policy advisory_key contract + Risk feed envelope) |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-02 | Marked Policy/Risk API action BLOCKED: awaiting POLICY-20-001 advisory_key schema and Risk feed envelope before defining Excititor VEX lookup API. | Project Mgmt |
| 2025-11-16 | Normalized sprint file to standard template and renamed to SPRINT_0119_0001_0004_excititor_iv.md; awaiting task kickoff. | Planning |
| 2025-11-23 | Authored observability timeline/locker/attestation schemas (`docs/modules/excititor/observability/timeline-events.md`, `docs/modules/excititor/observability/locker-manifest.md`); marked OBS-52-001/53-001/54-001 DONE. | Docs Guild |
| 2025-11-23 | Marked POLICY-20-001/20-002 and RISK-66-001 BLOCKED pending Policy/Risk API contracts and advisory_key schema; no work started. | Project Mgmt |
@@ -57,6 +58,7 @@
- **Risks & Mitigations**
- Locker/attestation format lag could block sealed-mode readiness → Use placeholder manifests with clearly marked TODO and track deltas.
- Orchestrator SDK changes could destabilize workers → Gate rollout behind feature flag; add rollback checkpoints.
- Policy/Risk APIs blocked on upstream contracts (POLICY-20-001 advisory_key schema; Risk feed envelope). No implementation can start until contracts published.
## Next Checkpoints
| Date (UTC) | Session / Owner | Goal | Fallback |

15
docs/implplan/SPRINT_0119_0001_0006_excititor_vi.md
View File

@@ -21,20 +21,20 @@
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | EXCITITOR-WEB-OBS-52-001 | DONE (2025-11-24) | `/obs/excititor/timeline` SSE endpoint implemented with cursor/Last-Event-ID, retry headers, tenant scope enforcement. | Excititor WebService Guild | SSE/WebSocket bridges for VEX timeline events with tenant filters, pagination anchors, guardrails. |
| 2 | EXCITITOR-WEB-OBS-53-001 | BLOCKED (2025-11-23) | Waiting for locker bundle availability from OBS-53-001 manifest rollout. | Excititor WebService · Evidence Locker Guild | `/evidence/vex/*` endpoints fetching locker bundles, enforcing scopes, surfacing verification metadata; no verdicts. |
| 3 | EXCITITOR-WEB-OBS-54-001 | BLOCKED (2025-11-23) | Blocked on 53-001; attestations cannot be surfaced without locker bundles. | Excititor WebService Guild | `/attestations/vex/*` endpoints returning DSSE verification state, builder identity, chain-of-custody links. |
| 2 | EXCITITOR-WEB-OBS-53-001 | DOING (2025-12-02) | Locker manifest published at `docs/modules/excititor/observability/locker-manifest.md`; wire endpoints to consume locker bundle API. | Excititor WebService · Evidence Locker Guild | `/evidence/vex/*` endpoints fetching locker bundles, enforcing scopes, surfacing verification metadata; no verdicts. |
| 3 | EXCITITOR-WEB-OBS-54-001 | BLOCKED (2025-11-23) | Await DSSE-signed locker manifests (OBS-54-001) to expose attestation verification state. | Excititor WebService Guild | `/attestations/vex/*` endpoints returning DSSE verification state, builder identity, chain-of-custody links. |
| 4 | EXCITITOR-WEB-OAS-61-001 | DONE (2025-11-24) | `/.well-known/openapi` + `/openapi/excititor.json` implemented with spec metadata and standard error envelope. | Excititor WebService Guild | Implement `/.well-known/openapi` with spec version metadata + standard error envelopes; update controller/unit tests. |
| 5 | EXCITITOR-WEB-OAS-62-001 | DONE (2025-11-24) | Examples + deprecation/link headers added to OpenAPI doc; SDK docs pending separate publishing sprint. | Excititor WebService Guild · API Governance Guild | Publish curated examples for new evidence/attestation/timeline endpoints; emit deprecation headers for legacy routes; align SDK docs. |
| 6 | EXCITITOR-WEB-AIRGAP-58-001 | BLOCKED (2025-11-23) | Mirror bundle schema and sealed-mode mapping not published. | Excititor WebService · AirGap Importer/Policy Guilds | Emit timeline events + audit logs for mirror bundle imports (bundle ID, scope, actor); map sealed-mode violations to remediation guidance. |
| 6 | EXCITITOR-WEB-AIRGAP-58-001 | DOING (2025-12-02) | Mirror thin bundle schema + policies available (see `docs/modules/mirror/dsse-tuf-profile.md`, `out/mirror/thin/mirror-thin-v1.bundle.json`). | Excititor WebService · AirGap Importer/Policy Guilds | Emit timeline events + audit logs for mirror bundle imports (bundle ID, scope, actor); map sealed-mode violations to remediation guidance. |
| 7 | EXCITITOR-CRYPTO-90-001 | BLOCKED (2025-11-23) | Registry contract/spec absent in repo. | Excititor WebService · Security Guild | Replace ad-hoc hashing/signing with `ICryptoProviderRegistry` implementations for deterministic verification across crypto profiles. |
## Action Tracker
| Focus | Action | Owner(s) | Due | Status |
| --- | --- | --- | --- | --- |
| Streaming APIs | Finalize SSE/WebSocket contract + guardrails (WEB-OBS-52-001). | WebService Guild | 2025-11-20 | DONE (2025-11-24) |
| Evidence/Attestation APIs | Wire endpoints + verification metadata (WEB-OBS-53/54). | WebService · Evidence Locker Guild | 2025-11-22 | BLOCKED |
| Evidence/Attestation APIs | Wire `/evidence/vex/*` (WEB-OBS-53-001) using locker manifest; attestation path waits on DSSE manifest (OBS-54-001). | WebService · Evidence Locker Guild | 2025-11-22 | DOING / PARTIAL |
| OpenAPI discovery | Implement well-known discovery + examples (WEB-OAS-61/62). | WebService · API Gov | 2025-11-21 | DONE (61-001, 62-001 delivered 2025-11-24) |
| Bundle telemetry | Define audit event + sealed-mode remediation mapping (WEB-AIRGAP-58-001). | WebService · AirGap Guilds | 2025-11-23 | BLOCKED |
| Bundle telemetry | Define audit event + sealed-mode remediation mapping (WEB-AIRGAP-58-001). | WebService · AirGap Guilds | 2025-11-23 | DOING |
| Crypto providers | Design `ICryptoProviderRegistry` and migrate call sites (CRYPTO-90-001). | WebService · Security Guild | 2025-11-24 | BLOCKED |
## Execution Log
@@ -48,6 +48,9 @@
| 2025-11-24 | Implemented `/obs/excititor/timeline` SSE endpoint (cursor + Last-Event-ID, retry header, tenant guard). Marked EXCITITOR-WEB-OBS-52-001 DONE and streaming action tracker item done. | Implementer |
| 2025-11-25 | Work paused: build/CI commands blocked (`No space left on device`); further coding waits on workspace cleanup. | Implementer |
| 2025-11-25 | Marked action tracker items for evidence/attestation APIs, bundle telemetry, and crypto providers as BLOCKED to mirror Delivery Tracker; upstream Evidence Locker bundle schema and crypto registry spec still missing. | Implementer |
| 2025-12-02 | Unblocked WEB-OBS-53-001 using locker manifest (`docs/modules/excititor/observability/locker-manifest.md`) and started WEB-AIRGAP-58-001 leveraging mirror thin bundle meta (`out/mirror/thin/mirror-thin-v1.bundle.json`); statuses moved to DOING. | Project Mgmt |
| 2025-12-02 | Added `/evidence/vex/locker/{bundleId}` endpoint (tenant-scoped, scope=vex.read) exposing portable manifest hash/path, evidence path, and timeline from airgap imports; keeps attestation path blocked pending DSSE locker manifests. | Implementer |
| 2025-12-02 | Added locker hash computation using optional `Excititor:Airgap:LockerRootPath` and regression test `EvidenceLockerEndpointTests`; WEB-OBS-53-001 evidence path now returns manifest/evidence hashes and sizes when files present. | Implementer |
## Decisions & Risks
- **Decisions**
@@ -56,6 +59,8 @@
- **Risks & Mitigations**
- Mirror bundle schema delays could block bundle telemetry → leverage placeholder manifest with TODOs and log-only fallback.
- Crypto provider abstraction may impact performance → benchmark providers; default to current provider with feature flag.
- Evidence Locker manifest (OBS-53-001) now available; proceed with `/evidence/vex/*` using sealed manifests while attestation path stays blocked pending DSSE (OBS-54-001).
- Mirror thin bundle meta published (Sprint 0125); WEB-AIRGAP-58-001 can hook into bundle import audit signals using recorded hashes.
## Next Checkpoints
| Date (UTC) | Session / Owner | Goal | Fallback |

3
docs/implplan/SPRINT_0123_0001_0001_policy_reasoning.md
View File

@@ -49,7 +49,7 @@
| 12 | POLICY-ATTEST-73-002 | BLOCKED | PREP-POLICY-ATTEST-73-002-DEPENDS-ON-73-001-E | Policy Guild | Editor DTOs/validation for verification policy. |
| 13 | POLICY-ATTEST-74-001 | BLOCKED | PREP-POLICY-ATTEST-74-001-REQUIRES-73-002-ATT | Policy Guild · Attestor Service Guild | Surface attestation reports. |
| 14 | POLICY-ATTEST-74-002 | BLOCKED | PREP-POLICY-ATTEST-74-002-NEEDS-74-001-SURFAC | Policy Guild · Console Guild | Console report integration. |
| 15 | POLICY-CONSOLE-23-001 | BLOCKED | PREP-POLICY-CONSOLE-23-001-CONSOLE-API-CONTRA | Policy Guild · BE-Base Platform Guild | Expose policy data to Console once API spec lands. |
| 15 | POLICY-CONSOLE-23-001 | DONE (2025-12-02) | Contract published at `docs/modules/policy/contracts/policy-console-23-001-console-api.md`; unblock downstream Console integration. | Policy Guild · BE-Base Platform Guild | Expose policy data to Console once API spec lands. |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -63,6 +63,7 @@
| 2025-11-18 | Attempted EXPORT-CONSOLE-23-001; blocked due to missing export bundle/schema and scheduler job contract. Marked all tasks BLOCKED pending lint/airgap/attest/Console contracts. | Policy Guild |
| 2025-11-19 | Converted legacy file `SPRINT_123_policy_reasoning.md` into redirect stub pointing here to avoid divergent updates. | Implementer |
| 2025-11-19 | Normalised sprint to standard template and renamed from `SPRINT_123_policy_reasoning.md` to `SPRINT_0123_0001_0001_policy_reasoning.md`; content preserved; all tasks remain BLOCKED. | Implementer |
| 2025-12-02 | Published POLICY-CONSOLE-23-001 contract at `docs/modules/policy/contracts/policy-console-23-001-console-api.md`; set task 15 to DONE. | Project Mgmt |
| 2025-11-22 | Marked all PREP tasks to DONE per directive; evidence to be verified. | Project Mgmt |
## Decisions & Risks

12
docs/implplan/SPRINT_0124_0001_0001_policy_reasoning.md
View File

@@ -16,18 +16,18 @@
- `docs/modules/policy/architecture.md`
## Interlocks
- POLICY-CONSOLE-23-001 (Console export/simulation contract from BE-Base Platform) must be published before POLICY-CONSOLE-23-002 can start.
- POLICY-CONSOLE-23-001 (Console export/simulation contract from BE-Base Platform) satisfied on 2025-12-02 via `docs/modules/policy/contracts/policy-console-23-001-console-api.md`.
## Action Tracker
| # | Action | Owner | Due | Status |
| --- | --- | --- | --- | --- |
| 1 | Publish Console export/simulation contract for POLICY-CONSOLE-23-001 to unblock POLICY-CONSOLE-23-002 | BE-Base Platform Guild | — | BLOCKED (awaiting spec) |
| 1 | Publish Console export/simulation contract for POLICY-CONSOLE-23-001 to unblock POLICY-CONSOLE-23-002 | BE-Base Platform Guild | — | DONE (2025-12-02) |
## Delivery Tracker
| # | Task ID & handle | State | Key dependency / next step | Owners |
| --- | --- | --- | --- | --- |
| P1 | PREP-POLICY-ENGINE-20-002-DETERMINISTIC-EVALU | DONE (2025-11-22) | Due 2025-11-22 · Accountable: Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Policy Guild / `src/Policy/StellaOps.Policy.Engine` | Deterministic evaluator spec missing. <br><br> Document artefact/deliverable for POLICY-ENGINE-20-002 and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/policy/design/policy-deterministic-evaluator.md`. |
| 1 | POLICY-CONSOLE-23-002 | BLOCKED (2025-12-02) | POLICY-CONSOLE-23-001 export/simulation contract still not published; waiting on Console API spec from BE-Base Platform. | Policy Guild, Product Ops / `src/Policy/StellaOps.Policy.Engine` |
| 1 | POLICY-CONSOLE-23-002 | DONE (2025-12-02) | Implemented `/policy/console/simulations/diff` endpoint + deterministic metadata service. Contract: `docs/modules/policy/contracts/policy-console-23-001-console-api.md`. | Policy Guild, Product Ops / `src/Policy/StellaOps.Policy.Engine` |
| 2 | POLICY-ENGINE-20-002 | DONE (2025-11-27) | PREP-POLICY-ENGINE-20-002-DETERMINISTIC-EVALU | Policy Guild / `src/Policy/StellaOps.Policy.Engine` |
| 3 | POLICY-ENGINE-20-003 | DONE (2025-11-27) | Depends on 20-002. | Policy · Concelier · Excititor Guilds / `src/Policy/StellaOps.Policy.Engine` |
| 4 | POLICY-ENGINE-20-004 | DONE (2025-11-27) | Depends on 20-003. | Policy · Platform Storage Guild / `src/Policy/StellaOps.Policy.Engine` |
@@ -44,7 +44,8 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-02 | Rechecked for POLICY-CONSOLE-23-001 contract; none found. Left POLICY-CONSOLE-23-002 BLOCKED (2025-12-02). Added Interlocks and Action Tracker sections to align with sprint template. | Project Mgmt |
| 2025-12-02 | Published POLICY-CONSOLE-23-001 contract at `docs/modules/policy/contracts/policy-console-23-001-console-api.md`; unblocked POLICY-CONSOLE-23-002 (set to TODO). | Project Mgmt |
| 2025-12-02 | Completed POLICY-CONSOLE-23-002: added Console simulation diff models/service/endpoint (`/policy/console/simulations/diff`) with deterministic aggregates, rule impact, samples; registered DI + mapped route; added unit test scaffold (determinism). Targeted test run aborted mid-build after >50s (cancelled); rerun needed once build cache warms. | Implementer |
| 2025-12-01 | Refactored Mongo exception listing to shared filter/sort helpers (per-tenant and cross-tenant) for lifecycle scans; reran `dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests -c Release --no-build` (208/208 pass). | Implementer |
| 2025-12-01 | Completed deterministic evidence summary (big-endian hash → `2025-12-13T05:00:11Z`) and exception lifecycle fixes (multi-tenant activation/expiry, no default tenant); added cross-tenant list overload. `dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests -c Release --no-build` now passes (208 tests, 0 failures). | Implementer |
| 2025-12-01 | Ran `dotnet build src/Policy/StellaOps.Policy.Engine/StellaOps.Policy.Engine.csproj -c Release` successfully (1 warning NU1510). Attempted `dotnet test ...Policy.Engine.Tests` but cancelled mid-run due to prolonged dependency compilation; rerun still needed. | Implementer |
@@ -61,8 +62,9 @@
| 2025-11-22 | Marked all PREP tasks to DONE per directive; evidence to be verified. | Project Mgmt |
## Decisions & Risks
- 2025-12-02: Console export/simulation contract (POLICY-CONSOLE-23-001) still outstanding; POLICY-CONSOLE-23-002 remains BLOCKED until BE-Base Platform publishes the spec.
- 2025-12-02: POLICY-CONSOLE-23-001 contract published (`docs/modules/policy/contracts/policy-console-23-001-console-api.md`); POLICY-CONSOLE-23-002 unblocked—implement per contract with deterministic cursors/aggregates.
- Release test suite for Policy Engine now green (2025-12-01); keep enforcing deterministic inputs (explicit evaluationTimestamp) on batch evaluation requests to avoid non-deterministic clocks.
- 2025-12-02: Targeted test run for new Console diff endpoint aborted after prolonged initial build; rerun `dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj -c Release --filter ConsoleSimulationDiffServiceTests` once build cache is warm.
## Next Checkpoints
- Provide Console export/simulation contract for 23-001 to unblock 23-002.

1
docs/implplan/SPRINT_0126_0001_0001_policy_reasoning.md
View File

@@ -62,6 +62,7 @@
| 2025-12-01 | POLICY-RISK-90-001 marked BLOCKED: Scanner entropy/trust algebra contract still pending; ingestion shape unknown. | Implementer |
| 2025-12-01 | POLICY-ENGINE-80-001 delivered: runtime evaluation now auto-enriches reachability from facts store with overlay cache; batch lookups dedupe per tenant; cache keys include reachability metadata; added reachability-driven rule test. Targeted policy-engine test slice attempted; build fanned out and was aborted—rerun on clean policy-only graph recommended. | Implementer |
| 2025-12-02 | POLICY-RISK-90-001 delivered: added entropy penalty calculator consuming `layer_summary.json`/`entropy.report.json`, configurable caps/thresholds under `PolicyEngine:Entropy`, telemetry (`policy_entropy_penalty_value`, `policy_entropy_image_opaque_ratio`), and unit tests (`EntropyPenaltyCalculatorTests`). Unblocked Scanner dependency based on documented schema. | Implementer |
| 2025-12-02 | Targeted test slices run for entropy integration (`EntropyPenaltyCalculatorTests`) and runtime evaluation (`PolicyRuntimeEvaluationServiceTests`) with `DOTNET_DISABLE_BUILTIN_GRAPH=1`; fixed DTO optional-parameter ordering and DI wiring. | Implementer |
## Decisions & Risks
- Entropy penalties now computed inside Policy Engine (`PolicyEngine:Entropy` options; default K=0.5, cap=0.3, block at image opaque ratio >0.15 when provenance is unknown). Telemetry exported as `policy_entropy_penalty_value` and `policy_entropy_image_opaque_ratio`; explanations surface top opaque files.

19
docs/implplan/SPRINT_0136_0001_0001_scanner_surface.md
View File

@@ -34,8 +34,8 @@
| 13 | SURFACE-ENV-05 | DONE | SURFACE-ENV-03, SURFACE-ENV-04 | Ops Guild | Update Helm/Compose/offline kit templates with new env knobs and documentation. |
| 14 | SCANNER-EVENTS-16-301 | BLOCKED (2025-10-26) | Orchestrator envelope contract; Notifier ingestion tests | Scanner WebService Guild | Emit orchestrator-compatible envelopes (`scanner.event.*`) and update integration tests to verify Notifier ingestion (no Redis queue coupling). |
| 15 | SCANNER-GRAPH-21-001 | DONE (2025-11-27) | — | Scanner WebService Guild, Cartographer Guild (`src/Scanner/StellaOps.Scanner.WebService`) | Provide webhook/REST endpoint for Cartographer to request policy overlays and runtime evidence for graph nodes, ensuring determinism and tenant scoping. |
| 16 | SCANNER-LNM-21-001 | BLOCKED (2025-11-27) | Needs Concelier HTTP client/shared library | Scanner WebService Guild, Policy Guild | Update `/reports` and `/policy/runtime` payloads to consume advisory/vex linksets, exposing source severity arrays and conflict summaries alongside effective verdicts. |
| 17 | SCANNER-LNM-21-002 | TODO | SCANNER-LNM-21-001 | Scanner WebService Guild, UI Guild | Add evidence endpoint for Console to fetch linkset summaries with policy overlay for a component/SBOM, including AOC references. |
| 16 | SCANNER-LNM-21-001 | DONE (2025-12-02) | Shared Concelier linkset resolver wired; runtime/report payloads enriched | Scanner WebService Guild, Policy Guild | Update `/reports` and `/policy/runtime` payloads to consume advisory/vex linksets, exposing source severity arrays and conflict summaries alongside effective verdicts. |
| 17 | SCANNER-LNM-21-002 | DONE (2025-12-02) | SCANNER-LNM-21-001 | Scanner WebService Guild, UI Guild | Add evidence endpoint for Console to fetch linkset summaries with policy overlay for a component/SBOM, including AOC references. |
| 18 | SCANNER-SECRETS-03 | DONE (2025-11-27) | SCANNER-SECRETS-02 | BuildX Plugin Guild, Security Guild (`src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin`) | Use Surface.Secrets to retrieve registry credentials when interacting with CAS/referrers. |
| 19 | SURFACE-SECRETS-01 | DONE (2025-11-23) | — | Scanner Guild, Security Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets`) | Security-approved schema published at `docs/modules/scanner/design/surface-secrets-schema.md`. |
| 20 | SURFACE-SECRETS-02 | DONE (2025-11-23) | SURFACE-SECRETS-01 | Scanner Guild | Provider chain implemented (primary + fallback) with DI wiring; tests updated (`StellaOps.Scanner.Surface.Secrets.Tests`). |
@@ -75,6 +75,9 @@
| 2025-12-02 | Merged legacy `SPRINT_136_scanner_surface.md` content into canonical file; added missing tasks/logs; converted legacy file to stub to prevent divergence. | Project Mgmt |
| 2025-12-02 | SCANNER-SURFACE-04 completed: manifest stage emits composition recipe + DSSE envelopes, attaches attestations to artifacts, and records determinism Merkle root/recipe metadata. | Implementer |
| 2025-12-02 | SURFACE-FS-07 completed: Surface.FS manifest schema now includes determinism metadata, composition recipe attestation fields, determinism verifier, and docs updated. Targeted determinism tests added; test run pending due to long restore/build in monorepo runner. | Implementer |
| 2025-12-02 | Added HMAC-backed DSSE envelope signer (configurable secret + deterministic fallback) and wired into Scanner Worker DI; unit coverage added. Full Scanner test suite still pending after cancelling long-running restore/build. | Implementer |
| 2025-12-02 | SCANNER-LNM-21-001 completed: Scanner WebService now consumes Concelier linksets via shared library; `/reports` and `/policy/runtime` include linkset severities/conflict summaries when available. Added fallback null provider for air-gapped builds. | Implementer |
| 2025-12-02 | SCANNER-LNM-21-002 completed: `/policy/linksets` endpoint returns linkset summaries plus optional runtime policy overlay for Console; configurable Concelier base URL/API key via `scanner:concelier:*`. | Implementer |
| 2025-12-01 | EntryTrace NDJSON emission, runtime reconciliation, and WebService/CLI exposure completed (18-504/505/506). | EntryTrace Guild |
| 2025-12-01 | ZASTAVA-SURFACE-02: Observer resolves Surface manifest digests and `cas://` URIs, enriches drift evidence with artifact metadata, and counts failures via `zastava_surface_manifest_failures_total`. | Implementer |
| 2025-12-01 | SCANNER-SORT-02: ComponentGraphBuilder sorts layer fragments by digest; regression test added. | Implementer |
@@ -123,12 +126,12 @@
| 2025-10-26 | Initial sprint plan captured; dependencies noted across Scheduler/Surface/Cartographer. | Planning |
## Decisions & Risks
- SCANNER-LNM-21-001 remains BLOCKED: Scanner WebService lacks Concelier integration; decision needed on shared client vs new HTTP client. Downstream SCANNER-LNM-21-002 cannot start.
- SURFACE-SECRETS-06 BLOCKED pending Ops Helm/Compose patterns for Surface.Secrets provider configuration (kubernetes/file/inline).
- SCANNER-EVENTS-16-301 BLOCKED awaiting orchestrator envelope contract + Notifier ingestion test plan.
- SCANNER-SURFACE-01 lacks scoped contract; placeholder must be defined or retired before new dependencies are added.
- SCANNER-EMIT-15-001 DOING: real DSSE signer still pending; deterministic-local signer only. Surface manifest consumers must not assume transparency until signer is wired.
- Long restore/build times in monorepo runners delayed determinism test runs for SURFACE-FS-07; rerun in CI once signer work lands.
- SCANNER-LNM-21-001 delivered with Concelier shared-library resolver; linkset enrichment returns data when Concelier linkset store is configured, otherwise responses omit the `linksets` field (fallback null provider).
- SURFACE-SECRETS-06 BLOCKED pending Ops Helm/Compose patterns for Surface.Secrets provider configuration (kubernetes/file/inline).
- SCANNER-EVENTS-16-301 BLOCKED awaiting orchestrator envelope contract + Notifier ingestion test plan.
- SCANNER-SURFACE-01 lacks scoped contract; placeholder must be defined or retired before new dependencies are added.
- SCANNER-EMIT-15-001 DOING: HMAC-backed DSSE signer added with deterministic fallback; enable by providing `Scanner:Worker:Signing:SharedSecret` (or file) + `KeyId`. Full scanner test suite still pending after cancelled long restore/build.
- Long restore/build times in monorepo runners delayed determinism test runs for SURFACE-FS-07 and new signer; rerun targeted scanner worker tests in CI.
## Next Checkpoints
- Schedule kickoff after Sprint 0135 completion (date TBD).

15
docs/implplan/SPRINT_0140_0001_0001_runtime_signals.md
View File

@@ -30,16 +30,17 @@
| 2 | 140.B SBOM Service wave | DOING (2025-11-28) | Sprint 0142 mostly complete: SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002, SBOM-ORCH-32/33/34-001, SBOM-VULN-29-001/002 all DONE. Only SBOM-CONSOLE-23-001/002 remain BLOCKED. | SBOM Service Guild · Cartographer Guild | Finalize projection schema, emit change events, and wire orchestrator/observability (SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002). |
| 3 | 140.C Signals wave | DOING (2025-11-28) | Sprint 0143: SIGNALS-24-001/002/003 DONE; SIGNALS-24-004/005 remain BLOCKED on CAS promotion. | Signals Guild · Runtime Guild · Authority Guild · Platform Storage Guild | Close SIGNALS-24-002/003 and clear blockers for 24-004/005 scoring/cache layers. |
| 4 | 140.D Zastava wave | DONE (2025-11-28) | Sprint 0144 (Zastava Runtime Signals) complete: all ZASTAVA-ENV/SECRETS/SURFACE tasks DONE. | Zastava Observer/Webhook Guilds · Surface Guild | Prepare env/secret helpers and admission hooks; start once cache endpoints and helpers are published. |
| 5 | DECAY-GAPS-140-005 | DOING (2025-12-02) | cosign v2.6.0 available at `tools/cosign/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`); DSSE signing on 2025-12-05. | Signals Guild · Product Mgmt | Address decay gaps U1U10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed `confidence_decay_config` (τ governance, floor/freeze/SLA clamps), weighted signals taxonomy, UTC/monotonic time rules, deterministic recompute cadence + checksum, uncertainty linkage, migration/backfill plan, API fields/bands, and observability/alerts. |
| 6 | UNKNOWN-GAPS-140-006 | DOING (2025-12-02) | cosign v2.6.0 available at `tools/cosign/cosign`; sign unknowns scoring manifest and publish DSSE envelope by 2025-12-05. | Signals Guild · Policy Guild · Product Mgmt | Address unknowns gaps UN1UN10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed Unknowns registry schema + scoring manifest (deterministic), decay policy catalog, evidence/provenance capture, SBOM/VEX linkage, SLA/suppression rules, API/CLI contracts, observability/reporting, offline bundle inclusion, and migration/backfill. |
| 7 | UNKNOWN-HEUR-GAPS-140-007 | DOING (2025-12-02) | cosign v2.6.0 available at `tools/cosign/cosign`; prep catalog/schema fixtures for 2025-12-05 signing. | Signals Guild · Policy Guild · Product Mgmt | Remediate UT1UT10: publish signed heuristic catalog/schema with deterministic scoring formula, quality bands, waiver policy with DSSE, SLA coupling, offline kit packaging, observability/alerts, backfill plan, explainability UX fields/exports, and fixtures with golden outputs. |
| 9 | COSIGN-INSTALL-140 | DONE (2025-12-02) | cosign v2.6.0 staged under `tools/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`); add `tools/cosign` to PATH for signing 2025-12-05. | Platform / Build Guild | Deliver cosign binary locally (no network dependency at signing time) or alternate signer; document path and version in Execution Log. |
| 5 | DECAY-GAPS-140-005 | BLOCKED (2025-12-02) | cosign available (v3.0.2 system, v2.6.0 fallback) but signing key not present on host; need signer key from Alice Carter before 2025-12-05. | Signals Guild · Product Mgmt | Address decay gaps U1U10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed `confidence_decay_config` (τ governance, floor/freeze/SLA clamps), weighted signals taxonomy, UTC/monotonic time rules, deterministic recompute cadence + checksum, uncertainty linkage, migration/backfill plan, API fields/bands, and observability/alerts. |
| 6 | UNKNOWN-GAPS-140-006 | BLOCKED (2025-12-02) | cosign available but signing key not present on host; need signer key before 2025-12-05 to sign unknowns scoring manifest. | Signals Guild · Policy Guild · Product Mgmt | Address unknowns gaps UN1UN10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed Unknowns registry schema + scoring manifest (deterministic), decay policy catalog, evidence/provenance capture, SBOM/VEX linkage, SLA/suppression rules, API/CLI contracts, observability/reporting, offline bundle inclusion, and migration/backfill. |
| 7 | UNKNOWN-HEUR-GAPS-140-007 | BLOCKED (2025-12-02) | cosign available but signing key not present on host; need signer key before 2025-12-05 for heuristic catalog/schema + fixtures. | Signals Guild · Policy Guild · Product Mgmt | Remediate UT1UT10: publish signed heuristic catalog/schema with deterministic scoring formula, quality bands, waiver policy with DSSE, SLA coupling, offline kit packaging, observability/alerts, backfill plan, explainability UX fields/exports, and fixtures with golden outputs. |
| 9 | COSIGN-INSTALL-140 | DONE (2025-12-02) | cosign v3.0.2 installed at `/usr/local/bin/cosign`; repo fallback v2.6.0 staged under `tools/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`). | Platform / Build Guild | Deliver cosign binary locally (no network dependency at signing time) or alternate signer; document path and version in Execution Log. |
| 8 | SIGNER-ASSIGN-140 | DONE (2025-12-02) | Signer designated: Signals Guild (Alice Carter); DSSE signing checkpoint remains 2025-12-05. | Signals Guild · Policy Guild | Name signer(s), record in Execution Log, and proceed to DSSE signing + Evidence Locker ingest. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-02 | Staged cosign v2.6.0 binary under `tools/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`); symlink available at `tools/cosign/cosign`; flipped COSIGN-INSTALL-140 to DONE and tasks 57 back to DOING for 2025-12-05 DSSE signing. | Implementer |
| 2025-12-02 | System cosign v3.0.2 installed at `/usr/local/bin/cosign` (requires `--bundle`); repo fallback v2.6.0 kept at `tools/cosign/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`). COSIGN-INSTALL-140 set to DONE. DSSE signing remains BLOCKED until signer key (Alice Carter) is provided locally. | Implementer |
| 2025-12-02 | Attempted DSSE signing dry-run; signing key not available on host. Marked tasks 57 BLOCKED pending delivery of signer private key per Signals Guild. | Implementer |
| 2025-12-02 | Refreshed Decisions & Risks after signer assignment; DSSE signing fixed for 2025-12-05 and decay/unknowns/heuristics remain BLOCKED pending `cosign` availability in offline kit. | Project Mgmt |
| 2025-12-02 | Marked DECAY-GAPS-140-005 / UNKNOWN-GAPS-140-006 / UNKNOWN-HEUR-GAPS-140-007 as BLOCKED pending DSSE signer assignment; added task SIGNER-ASSIGN-140 (BLOCKED) and DSSE signing checkpoint (2025-12-05). | Implementer |
| 2025-12-02 | Flagged cascading risk to SPRINT_0143/0144/0150 if signer not assigned by 2025-12-03; will mirror BLOCKED status to dependent tasks if missed. | Implementer |
@@ -80,7 +81,7 @@
- Link-Not-Merge v1 schema frozen 2025-11-17; fixtures staged under `docs/modules/sbomservice/fixtures/lnm-v1/`; AirGap parity review scheduled for 2025-11-23 (see Next Checkpoints) must record hashes to fully unblock.
- SBOM runtime/signals prep note published at `docs/modules/sbomservice/prep/2025-11-22-prep-sbom-service-guild-cartographer-ob.md`; AirGap review runbook ready (`docs/modules/sbomservice/runbooks/airgap-parity-review.md`). Wave moves to TODO pending review completion and fixture hash upload.
- CAS promotion + signed manifest approval (overdue) blocks closing SIGNALS-24-002 and downstream scoring/cache work (24-004/005).
- Cosign v2.6.0 binary pinned at `tools/cosign/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`; see `tools/cosign/README.md`); DSSE signing deadline remains 2025-12-05—decay/unknowns/heuristics teams must sign and ingest envelopes + SHA256SUMS into Evidence Locker the same day or cascade risk into 0143/0144/0150. Draft docs and artifacts posted at `docs/modules/signals/decay/2025-12-01-confidence-decay.md`, `docs/modules/signals/decay/confidence_decay_config.yaml`, `docs/modules/signals/unknowns/2025-12-01-unknowns-registry.md`, `docs/modules/signals/unknowns/unknowns_scoring_manifest.json`, and `docs/modules/signals/heuristics/` (catalog, schema, fixtures); DSSE signatures pending. Hashes recorded in `docs/modules/signals/SHA256SUMS`; Evidence Locker ingest plan in `docs/modules/signals/evidence/README.md`.
- Cosign v3.0.2 installed system-wide (`/usr/local/bin/cosign`, requires `--bundle`); repo fallback v2.6.0 at `tools/cosign/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`). DSSE signing deadline remains 2025-12-05; tasks 57 are BLOCKED until signer key material (Alice Carter) is provided locally. Draft docs and artifacts posted at `docs/modules/signals/decay/2025-12-01-confidence-decay.md`, `docs/modules/signals/decay/confidence_decay_config.yaml`, `docs/modules/signals/unknowns/2025-12-01-unknowns-registry.md`, `docs/modules/signals/unknowns/unknowns_scoring_manifest.json`, and `docs/modules/signals/heuristics/` (catalog, schema, fixtures); hashes recorded in `docs/modules/signals/SHA256SUMS`; Evidence Locker ingest plan in `docs/modules/signals/evidence/README.md`.
- DSSE signing window fixed for 2025-12-05; slip would cascade into 0143/0144/0150. Ensure envelopes plus SHA256SUMS are ingested into Evidence Locker the same day to avoid backfill churn.
- Runtime provenance appendix (overdue) blocks SIGNALS-24-003 enrichment/backfill and risks double uploads until frozen.
- Surface.FS cache drop timeline (overdue) and Surface.Env owner assignment keep Zastava env/secret/admission tasks blocked.
@@ -106,7 +107,7 @@
| 2025-12-04 | Unknowns schema review | Approve Unknowns registry schema/enums + deterministic scoring manifest (UN1UN10) and offline bundle inclusion plan. | Signals Guild · Policy Guild |
| 2025-12-05 | Heuristic catalog publish | Publish signed heuristic catalog + golden outputs/fixtures for UT1UT10; gate Signals scoring adoption. | Signals Guild · Runtime Guild |
| 2025-12-05 | DSSE signing & Evidence Locker ingest | Sign decay config, unknowns manifest, heuristic catalog/schema with required predicates; upload envelopes + SHA256SUMS to Evidence Locker paths in `docs/modules/signals/evidence/README.md`. | Signals Guild · Policy Guild |
| 2025-12-03 | Provide cosign/offline signer | DONE 2025-12-02: cosign v2.6.0 at `tools/cosign/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`); add `tools/cosign` to PATH ahead of 2025-12-05 signing. | Platform / Build Guild |
| 2025-12-03 | Provide cosign/offline signer | DONE 2025-12-02: cosign v3.0.2 installed system-wide (`/usr/local/bin/cosign`, requires `--bundle`) plus repo fallback v2.6.0 at `tools/cosign/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`). Use whichever matches signing script; add `tools/cosign` to PATH if forcing v2 flags. | Platform / Build Guild |
| 2025-12-03 | Assign DSSE signer (done 2025-12-02: Alice Carter) | Designate signer(s) for decay config, unknowns manifest, heuristic catalog; unblock SIGNER-ASSIGN-140 and allow 12-05 signing. | Signals Guild · Policy Guild |
---

8
docs/implplan/SPRINT_0142_0001_0001_sbomservice.md
View File

@@ -24,8 +24,8 @@
| P3 | PREP-BUILD-INFRA-SBOM-SERVICE-GUILD-BLOCKED-M | DONE (2025-11-22) | Due 2025-11-22 · Accountable: Planning | Planning | BLOCKED (multiple restore attempts still hang/fail; need vetted feed/cache). <br><br> Document artefact/deliverable for Build/Infra · SBOM Service Guild and publish location so downstream tasks can proceed. Prep artefact: `docs/modules/sbomservice/prep/2025-11-20-build-infra-prep.md`. |
| 1 | SBOM-AIAI-31-001 | DONE | Implemented `/sbom/paths` with env/blast-radius/runtime flags + cursor paging and `/sbom/versions` timeline; in-memory deterministic seed until storage wired. | SBOM Service Guild (src/SbomService/StellaOps.SbomService) | Provide path and version timeline endpoints optimised for Advisory AI. |
| 2 | SBOM-AIAI-31-002 | DONE | Metrics + cache-hit tagging implemented; Grafana starter dashboard added; build/test completed locally. | SBOM Service Guild; Observability Guild | Instrument metrics for path/timeline queries and surface dashboards. |
| 3 | SBOM-CONSOLE-23-001 | BLOCKED | DEVOPS-SBOM-23-001 (SPRINT_503_ops_devops_i) — needs vetted offline feed + CI proof to run restore/tests. | SBOM Service Guild; Cartographer Guild | Provide Console-focused SBOM catalog API. |
| 4 | SBOM-CONSOLE-23-002 | BLOCKED | Stub implemented; awaiting DEVOPS-SBOM-23-001 feed + console schema approval before storage wiring. | SBOM Service Guild | Deliver component lookup endpoints for search and overlays. |
| 3 | SBOM-CONSOLE-23-001 | TODO | DEVOPS-SBOM-23-001 (SPRINT_503_ops_devops_i) delivered 2025-11-30; implement console catalog endpoints with vetted offline feed + CI proof. | SBOM Service Guild; Cartographer Guild | Provide Console-focused SBOM catalog API. |
| 4 | SBOM-CONSOLE-23-002 | TODO | DEVOPS-SBOM-23-001 feed available; proceed to storage wiring + console schema validation. | SBOM Service Guild | Deliver component lookup endpoints for search and overlays. |
| 5 | SBOM-ORCH-32-001 | DONE (2025-11-23) | In-memory orchestrator source registry with deterministic seeds + idempotent registration exposed at `/internal/orchestrator/sources`. | SBOM Service Guild | Register SBOM ingest/index sources with orchestrator. |
| 6 | SBOM-ORCH-33-001 | DONE (2025-11-23) | Pause/throttle/backpressure controls added via `/internal/orchestrator/control`; metrics emitted; states deterministic per-tenant. | SBOM Service Guild | Report backpressure metrics and handle orchestrator control signals. |
| 7 | SBOM-ORCH-34-001 | DONE (2025-11-23) | Watermark store + endpoints (`/internal/orchestrator/watermarks`) added to track backfill/watermark reconciliation; deterministic ordering. | SBOM Service Guild | Implement orchestrator backfill + watermark reconciliation. |
@@ -51,6 +51,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-02 | DEVOPS-SBOM-23-001 delivered (Sprint 503): vetted offline feed + CI proof available. Unblocked SBOM-CONSOLE-23-001/002 and reset to TODO; console implementation can proceed. | Project Mgmt |
| 2025-11-23 | Implemented `sbom.version.created` events (in-memory publisher + `/internal/sbom/events` + backfill); fixed component lookup pagination cursor; SbomService tests now passing (SbomEvent/Sbom/Projection suites). SBOM-SERVICE-21-002 marked DONE. | SBOM Service |
| 2025-11-23 | Delivered entrypoint/service node API (`GET/POST /entrypoints` with tenant guard, deterministic ordering, in-memory seed). SBOM-SERVICE-21-003 marked DONE. | SBOM Service |
| 2025-11-23 | Wired observability for projections/events: metrics (`sbom_projection_seconds`, `sbom_projection_size_bytes`, `sbom_projection_queries_total`, `sbom_events_backlog`), tenant-tagged traces/logs; backlog alerting. SBOM-SERVICE-21-004 marked DONE. | SBOM Service |
@@ -104,7 +105,8 @@
| 2025-11-22 | Added placeholder `SHA256SUMS` under `docs/modules/sbomservice/fixtures/lnm-v1/` to mark hash drop site; replace with real fixture hashes once published. | Implementer |
## Decisions & Risks
- LNM v1 fixtures staged (2025-11-22) and approved; hash recorded in `docs/modules/sbomservice/fixtures/lnm-v1/SHA256SUMS`. SBOM-SERVICE-21-001/002/003/004 are DONE.
- LNM v1 fixtures staged (2025-11-22) and approved; hash recorded in `docs/modules/sbomservice/fixtures/lnm-v1/SHA256SUMS`. SBOM-SERVICE-21-001/002/003/004 are DONE.
- DEVOPS-SBOM-23-001 delivered 2025-11-30 (Sprint 503) providing vetted offline feed + CI proof; SBOM-CONSOLE-23-001/002 now unblocked (status TODO) and should proceed to implementation.
- Projection endpoint validated (400 without tenant, 200 with fixture data) via WebApplicationFactory; WAF configured with fixture path + in-memory component repo fallback.
- `sbom.version.created` now emitted via in-memory publisher with `/internal/sbom/events` + backfill endpoint; production outbox/queue wiring still required before release.
- Component lookup pagination now returns deterministic `nextCursor` for seeded data (fixed null cursor bug).

8
docs/implplan/SPRINT_0144_0001_0001_zastava_runtime_signals.md
View File

@@ -71,6 +71,8 @@
| 2025-12-02 | Completed ZASTAVA-THRESHOLDS-0001: DSSE-signed `thresholds.yaml`, aligned Evidence Locker targets, and added to kit manifest. | Zastava Guild |
| 2025-12-02 | Completed ZASTAVA-KIT-0001: built deterministic `kit/zastava-kit.tzst` via tar+zstd (level 19, window_log=27), added DSSE for kit, refreshed verify script, and ran offline verification. Private key removed from workspace post-signing. | Zastava Guild |
| 2025-12-02 | Finalised DSSE set with keyid mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc; regenerated SHA256SUMS, rebuilt kit tar.zst, refreshed kit DSSE, and removed signing key from /tmp. | Zastava Guild |
| 2025-12-02 | Staged Evidence Locker payloads at `evidence-locker/zastava/2025-12-02/*` (schemas, thresholds, exports, kit, SHA256SUMS); ready for mirror/upload. | Zastava Guild |
| 2025-12-02 | Added contract validators (runtime/admission) and enforced in Observer/Webhook; empty tenant/namespace now fail fast; new unit tests added. | Zastava Guild |
## Decisions & Risks
- Surface Env/Secrets/FS wiring complete for observer and webhook; admission now embeds manifest pointers and denies on missing cache manifests.
@@ -79,10 +81,12 @@
- Upstream Authority/Auth packages (notably `StellaOps.Auth.Security`) remain needed in local caches; refresh mirror before CI runs to avoid restore stalls.
- Surface.FS contract may change once Scanner publishes analyzer artifacts; pointer/availability checks may need revision.
- Surface.Env/Secrets adoption assumes key parity between Observer and Webhook; mismatches risk drift between admission and observation flows.
- New advisory gaps (ZR1ZR10) addressed in remediation plan at `docs/modules/zastava/gaps/2025-12-02-zr-gaps.md`; schemas/thresholds/exports now DSSE-signed (ed25519 pub `mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc`) with hashes in `docs/modules/zastava/SHA256SUMS`; kit DSSE stored at `docs/modules/zastava/kit/zastava-kit.tzst.dsse` and verification via `kit/verify.sh`; Evidence Locker targets listed in `docs/modules/zastava/evidence/README.md`.
- New advisory gaps (ZR1ZR10) addressed in remediation plan at `docs/modules/zastava/gaps/2025-12-02-zr-gaps.md`; schemas/thresholds/exports now DSSE-signed (ed25519 pub `mpIEbYRL1q5yhN6wBRvkZ_0xXz3QUJPueJJ8sn__GGc`) with hashes in `docs/modules/zastava/SHA256SUMS`; kit DSSE stored at `docs/modules/zastava/kit/zastava-kit.tzst.dsse` and verification via `kit/verify.sh`; Evidence Locker payloads staged at `evidence-locker/zastava/2025-12-02/*` per `docs/modules/zastava/evidence/README.md`.
- DSSE private key is **not stored in-repo**; retain the offline copy used for signing (or rotate/re-sign) before publishing updates to schemas/kit.
- CI locker upload requires an injected secret (e.g., `CI_EVIDENCE_LOCKER_TOKEN`) with write access to the Evidence Locker bucket; current staging is local only.
## Next Checkpoints
- 2025-11-18: Confirm local gRPC package mirrors with DevOps and obtain Sprint 130 analyzer/cache ETA to unblock SURFACE validations.
- 2025-11-20: Dependency review with Scanner/AirGap owners to lock Surface.FS cache semantics; if ETA still missing, escalate per sprint 140 plan.
- 2025-12-03: Upload DSSE artefacts + kit tar to Evidence Locker paths in `docs/modules/zastava/evidence/README.md`; mirror pub key for downstream consumers.
- 2025-12-03: Upload DSSE artefacts + kit tar to Evidence Locker paths in `docs/modules/zastava/evidence/README.md`; mirror pub key for downstream consumers. **(Staged locally at `evidence-locker/zastava/2025-12-02/*`; handoff to Ops for locker push.)**
- 2025-12-03: Wire CI secret (`CI_EVIDENCE_LOCKER_TOKEN` or equivalent) so locker upload job can push staged artefacts; fallback is manual upload by Ops if secret unavailable.

7
docs/implplan/SPRINT_0150_0001_0001_scheduling_automation.md
View File

@@ -38,6 +38,7 @@
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-02 | Upstream refresh: DEVOPS-SBOM-23-001 and DEVOPS-SCANNER-CI-11-001 delivered (Sprint 503) clearing infra blockers; SBOM console endpoints remain to implement. Signals wave (0140.C) still blocked on cosign availability for DSSE signing; AirGap staleness (0120.A 56-002/57/58) and Scanner Java/Lang chain (0131 21-005..011) remain blocked. All 150.* tasks kept BLOCKED. | Project Mgmt |
| 2025-12-02 | Tooling update: `cosign v3.0.2` present on host (Go 1.25.1, built 2025-10-10). Removes signing-tool blocker for Signals decay/unknowns/heuristics (0140.C) and Zastava schemas/kit (0144). Status of 150.* unchanged until DSSE signatures land. | Project Mgmt |
| 2025-11-30 | Upstream refresh: Sprint 0120 AirGap staleness (LEDGER-AIRGAP-56-002/57/58) still BLOCKED; Scanner surface Sprint 0131 has Deno 26-009/010/011 DONE but Java/Lang chain 21-005..011 BLOCKED pending CI/CoreLinksets; SBOM wave (Sprint 0142) core tasks DONE with Console endpoints still BLOCKED on DEVOPS-SBOM-23-001 in Sprint 503; Signals (Sprint 0143) 24-002/003 remain BLOCKED on CAS promotion/provenance though 24-004/005 are DONE. No 150.* task can start yet. | Implementer |
| 2025-11-28 | Synced with downstream sprints: Sprint 0141 (Graph) DONE, Sprint 0142 (SBOM) mostly DONE, Sprint 0143 (Signals) 3/5 DONE, Sprint 0144 (Zastava) DONE. Updated Sprint 0140 tracker and revised 150.* upstream dependency status. 150.A-Orchestrator may start once remaining AirGap/Scanner blockers clear. | Implementer |
| 2025-11-28 | Upstream dependency check: Sprint 0120 (Policy/Reasoning) has LEDGER-29-007/008, LEDGER-34-101, LEDGER-AIRGAP-56-001 DONE but 56-002/57-001/58-001/ATTEST-73-001 BLOCKED. Sprint 0140 (Runtime/Signals) has all waves BLOCKED except SBOM (TODO). No Sprint 0130.A file found. All 150.* tasks remain TODO pending upstream readiness. | Implementer |
@@ -53,14 +54,14 @@
| Sprint 0141 (Graph overlays 140.A) | GRAPH-INDEX-28-007..010 | **DONE** | Unblocks 150.C Scheduler graph deps |
| Sprint 0142 (SBOM Service 140.B) | SBOM-SERVICE-21-001..004, 23-001/002, 29-001/002 | CORE DONE; SBOM-CONSOLE-23-001/002 remain TODO now that DEVOPS-SBOM-23-001 (Sprint 503) is DONE | Partially unblocks 150.A/150.C; console integrations pending |
| Sprint 0143 (Signals 140.C) | SIGNALS-24-002/003 | BLOCKED (CAS promotion/provenance) | Telemetry dependency partially unblocked; still blocks parity |
| Sprint 0140 (Signals/decay/unknowns) | DECAY-GAPS-140-005 / UNKNOWN-GAPS-140-006 / UNKNOWN-HEUR-GAPS-140-007 | BLOCKED (cosign binary not available; DSSE signing window 2025-12-05) | Blocks telemetry parity needed before 150.A/150.C baselines start |
| Sprint 0140 (Signals/decay/unknowns) | DECAY-GAPS-140-005 / UNKNOWN-GAPS-140-006 / UNKNOWN-HEUR-GAPS-140-007 | PENDING SIGNING (cosign v3.0.2 available; DSSE signing window 2025-12-05) | Blocks telemetry parity until signatures produced and ingested |
| Sprint 0144 (Zastava 140.D) | ZASTAVA-ENV/SECRETS/SURFACE | **DONE** | Surface deps unblocked |
| Sprint 0144 (Zastava 140.D) | ZASTAVA-SCHEMAS-0001 / ZASTAVA-KIT-0001 | TODO (DSSE signing target 2025-12-06) | Non-blocking unless cache/schema contracts change |
## Decisions & Risks
- **Progress (2025-12-02):** Graph (0140.A) and Zastava (0140.D) DONE; SBOM Service core DONE with Console APIs now unblocked by DEVOPS-SBOM-23-001 (Sprint 503) but still pending implementation. Signals wave (0140.C) still blocked on CAS promotion and missing `cosign` for DSSE signing (DECAY/UNKNOWN/HEUR gaps). AirGap staleness (0120.A 56-002/57/58) and Scanner Java/Lang chain (0131 21-005..011) remain blockers, keeping all 150.* tasks BLOCKED.
- **Progress (2025-12-02):** Graph (0140.A) and Zastava (0140.D) DONE; SBOM Service core DONE with Console APIs now unblocked by DEVOPS-SBOM-23-001 (Sprint 503) but still pending implementation. Signals wave (0140.C) still blocked on CAS promotion; DSSE signing now unblocked by available `cosign` but signatures pending (DECAY/UNKNOWN/HEUR gaps). AirGap staleness (0120.A 56-002/57/58) and Scanner Java/Lang chain (0131 21-005..011) remain blockers, keeping all 150.* tasks BLOCKED.
- SBOM console endpoints should move next: feed/runner delivered via DEVOPS-SBOM-23-001; track SBOM-CONSOLE-23-001/002 execution to avoid drift before Orchestrator/Scheduler start.
- DSSE signing risk: cosign binary absent; signing window fixed at 2025-12-05 for Signals decay/unknowns/heuristics and 2025-12-06 for Zastava schemas/kit. If not resolved, telemetry parity and cache contracts stay blocked for 150.A/150.C baselines.
- DSSE signing risk: cosign now available (`cosign v3.0.2`), but signing key for Signals (Alice Carter) not present on host. Signing windows remain 2025-12-05 (Signals decay/unknowns/heuristics) and 2025-12-06 (Zastava schemas/kit); telemetry parity stays blocked until signatures are produced and ingested.
- Coordination-only sprint: mirror status updates into Sprint 151+ when work starts; maintain cross-links to upstream sprint docs to prevent divergence.
- Sprint 0130/0131 Scanner surface remains the primary gating item alongside AirGap staleness; re-evaluate start once either clears.

1
docs/implplan/SPRINT_0157_0001_0001_taskrunner_i.md
View File

@@ -58,6 +58,7 @@
| 2025-11-30 | Delivered TASKRUN-AIRGAP-56-001: WebService planner enforces sealed-mode allowlist with remediation messaging. | Task Runner Guild |
| 2025-11-30 | Updated dependencies: AIRGAP chain blocked on helper design (56-002) and downstream evidence work; OAS chain blocked pending TaskPack control-flow addendum (due 2025-12-05); OBS chain blocked on timeline/evidence schema; 41-001 no longer a blocker. | Project Mgmt |
| 2025-12-01 | Started TASKRUN-AIRGAP-56-002: bundle ingestion helper executor added (checksum verify + deterministic staging). Worker wired; awaiting importer specs/fixture paths before marking DONE. | Task Runner Guild |
| 2025-12-02 | TASKRUN-AIRGAP-56-002: hardened bundle helper — checksum now required, deterministic staging under `bundles/{sha256}/`, metadata.json emitted; unit tests updated. Targeted test run aborted after long restore; rerun `dotnet test …TaskRunner.Tests --filter BundleIngestion` in CI. | Task Runner Guild |
| 2025-11-30 | Added Wave Coordination, Interlocks, and Action Tracker sections per docs/implplan/AGENTS.md template; no scope change. | Project Mgmt |
| 2025-11-30 | Synced TaskRunner task rows in tasks-all/archived indexes to reflect canonical sprint name and BLOCKED status where applicable. | Project Mgmt |
| 2025-11-30 | Refreshed Decisions & Risks with risk table and aligned checkpoint wording. | Project Mgmt |

1
docs/implplan/SPRINT_0164_0001_0001_exportcenter_iii.md
View File

@@ -96,3 +96,4 @@
| 2025-11-30 | Wired RiskBundle worker DI/options, added filesystem store + signer config, and enabled host service scaffold; RiskBundle tests passing. | Implementer |
| 2025-11-30 | Added RiskBundles worker default configuration (providers/storage/signing) to appsettings, keeping task 69-001 progressing under DOING. | Implementer |
| 2025-11-30 | Implemented risk-bundle builder/signing/object store scaffolding and unit tests; set RISK-BUNDLE-69-001 to DOING pending upstream provider artefacts; `dotnet test --filter RiskBundle` passing. | Implementer |
| 2025-12-02 | RISK-BUNDLE-69-001: enforced mandatory provider `cisa-kev`, captured optional signature digests, and embedded provider signatures into bundles; manifest inputs hash includes signature digest. Updated tests (builder/job). Targeted test run cancelled after restore; rerun `dotnet test ...ExportCenter.Tests --filter RiskBundle` in CI. | Implementer |

7
docs/implplan/SPRINT_0186_0001_0001_record_deterministic_execution.md
View File

@@ -45,9 +45,9 @@
| 15f | SBOM-TESTS-186-015F | BLOCKED (2025-11-30) | BLOCKED by 15a-15e. | Sbomer Guild · QA Guild (`src/Sbomer/__Tests`) | Roundtrip tests: SPDX→CDX→SPDX with diff assertion; determinism tests (same input → same hash); SPDX 3.0.1 spec compliance validation. |
| 16 | DOCS-REPLAY-186-004 | BLOCKED (2025-11-30) | BLOCKED until replay schema settled (depends on 186-001). | Docs Guild | Author `docs/replay/TEST_STRATEGY.md` (golden replay, feed drift, tool upgrade); link from replay docs and Scanner architecture. |
| 17 | DOCS-SBOM-186-017 | BLOCKED (2025-11-30) | BLOCKED by 15a-15f and scope extension to Sbomer docs. | Docs Guild (`docs/modules/sbomer/spdx-3.md`) | Document SPDX 3.0.1 implementation: data model, serialization formats, CDX mapping table, storage schema, hash computation, migration guide from SPDX 2.3. |
| 18 | SCANNER-GAPS-186-018 | TODO | Use `docs/product-advisories/31-Nov-2025 FINDINGS.md` (SC1SC10) to scope remediation actions. | Product Mgmt · Scanner Guild · Sbomer Guild · Policy Guild | Address scanner blueprint gaps SC1SC10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: standards convergence roadmap (CVSS v4/CycloneDX 1.7/SLSA 1.2), CDX1.7+CBOM outputs with citations, SLSA Source Track capture, compatibility adapters (v4→v3.1, CDX1.7→1.6, SLSA1.2→1.0), determinism CI for new formats, binary/source evidence alignment (build-id/symbol/patch-oracle), API/UI surfacing of new metadata, baseline fixtures, governance/approvals, and offline-kit parity. |
| 19 | SPINE-GAPS-186-019 | TODO | Findings doc now available; derive SP1SP10 tasks from `docs/product-advisories/31-Nov-2025 FINDINGS.md`. | Product Mgmt · Scanner Guild · Policy Guild · Authority Guild | Address SBOM/VEX spine gaps SP1SP10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: versioned API/DTO schemas, predicate/edge schema with required evidence, Unknowns workflow contract + SLA, DSSE-signed bundle manifest with hashes, deterministic diff rules/fixtures, feed snapshot freeze/staleness, mandated DSSE per stage with Rekor/mirror policy, policy lattice versioning, performance/pagination limits, and crosswalk mapping between SBOM/VEX/graph/policy outputs. |
| 20 | COMPETITOR-GAPS-186-020 | TODO | Findings doc now available; derive CM1CM10 actions from `docs/product-advisories/31-Nov-2025 FINDINGS.md`. | Product Mgmt · Scanner Guild · Sbomer Guild | Address competitor ingest gaps CM1CM10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: external SBOM/scan normalization & adapters (Syft/Trivy/Clair), signature/provenance verification, DB snapshot governance with staleness, anomaly regression tests, offline ingest kits with DSSE, fallback rules, source tool/version transparency, and benchmark parity for external baselines. |
| 18 | SCANNER-GAPS-186-018 | DOING (2025-12-02) | Use `docs/product-advisories/31-Nov-2025 FINDINGS.md` (SC1SC10) to scope remediation actions. | Product Mgmt · Scanner Guild · Sbomer Guild · Policy Guild | Address scanner blueprint gaps SC1SC10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: standards convergence roadmap (CVSS v4/CycloneDX 1.7/SLSA 1.2), CDX1.7+CBOM outputs with citations, SLSA Source Track capture, compatibility adapters (v4→v3.1, CDX1.7→1.6, SLSA1.2→1.0), determinism CI for new formats, binary/source evidence alignment (build-id/symbol/patch-oracle), API/UI surfacing of new metadata, baseline fixtures, governance/approvals, and offline-kit parity. |
| 19 | SPINE-GAPS-186-019 | DOING (2025-12-02) | Findings doc now available; derive SP1SP10 tasks from `docs/product-advisories/31-Nov-2025 FINDINGS.md`. | Product Mgmt · Scanner Guild · Policy Guild · Authority Guild | Address SBOM/VEX spine gaps SP1SP10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: versioned API/DTO schemas, predicate/edge schema with required evidence, Unknowns workflow contract + SLA, DSSE-signed bundle manifest with hashes, deterministic diff rules/fixtures, feed snapshot freeze/staleness, mandated DSSE per stage with Rekor/mirror policy, policy lattice versioning, performance/pagination limits, and crosswalk mapping between SBOM/VEX/graph/policy outputs. |
| 20 | COMPETITOR-GAPS-186-020 | DOING (2025-12-02) | Findings doc now available; derive CM1CM10 actions from `docs/product-advisories/31-Nov-2025 FINDINGS.md`. | Product Mgmt · Scanner Guild · Sbomer Guild | Address competitor ingest gaps CM1CM10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: external SBOM/scan normalization & adapters (Syft/Trivy/Clair), signature/provenance verification, DB snapshot governance with staleness, anomaly regression tests, offline ingest kits with DSSE, fallback rules, source tool/version transparency, and benchmark parity for external baselines. |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -74,6 +74,7 @@
| 2025-12-01 | Added COMPETITOR-GAPS-186-020 to capture CM1CM10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
| 2025-12-02 | Added `docs/product-advisories/31-Nov-2025 FINDINGS.md` (SC/SP/CM gap details) and unblocked tasks 1820 to TODO. | Implementer |
| 2025-12-02 | Replaced legacy sprint file `SPRINT_186_record_deterministic_execution.md` with a stub pointing to this canonical file to prevent divergence. | Implementer |
| 2025-12-02 | Began SC/SP/CM gap scoping (tasks 1820): reviewed `docs/product-advisories/31-Nov-2025 FINDINGS.md`, checked archived advisories for duplicates (none), set tasks to DOING to derive remediation backlog. | Product Mgmt |
## Decisions & Risks
| Item | Impact | Mitigation / Next Step | Status |

4
docs/implplan/SPRINT_0207_0001_0001_graph.md
View File

@@ -35,7 +35,7 @@
| 10 | GRAPH-API-28-010 | DONE (2025-11-26) | GRAPH-API-28-009 | Graph API Guild · QA Guild (`src/Graph/StellaOps.Graph.Api`) | Build unit/integration/load tests with synthetic datasets (500k nodes/2M edges), fuzz query validation, verify determinism across runs. |
| 11 | GRAPH-API-28-011 | DONE (2025-11-26) | GRAPH-API-28-010 | Graph API Guild (`src/Graph/StellaOps.Graph.Api`) | Provide deployment manifests, offline kit support, API gateway integration docs, and smoke tests. |
| 12 | GRAPH-INDEX-28-011 | DONE (2025-11-04) | Downstream consumption by API once overlays ready | Graph Indexer Guild (`src/Graph/StellaOps.Graph.Indexer`) | Wire SBOM ingest runtime to emit graph snapshot artifacts, add DI factory helpers, and document Mongo/snapshot environment guidance. |
| 13 | GRAPH-ANALYTICS-GAPS-207-013 | TODO | None; informs tasks 112. | Product Mgmt · Graph API Guild · Graph Indexer Guild | Address graph analytics gaps GA1GA10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: versioned analytics schemas, deterministic seeds/rerun-hash CI, privacy/tenant redaction rules, baseline datasets/fixtures, performance budgets/quotas, explainability metadata (inputs/seeds/revision), checksum+DSSE for exports, algorithm versioning, offline analytics bundle schema, and SemVer/change-log governance. |
| 13 | GRAPH-ANALYTICS-GAPS-207-013 | DONE (2025-12-02) | None; informs tasks 112. | Product Mgmt · Graph API Guild · Graph Indexer Guild | Address graph analytics gaps GA1GA10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: versioned analytics schemas, deterministic seeds/rerun-hash CI, privacy/tenant redaction rules, baseline datasets/fixtures, performance budgets/quotas, explainability metadata (inputs/seeds/revision), checksum+DSSE for exports, algorithm versioning, offline analytics bundle schema, and SemVer/change-log governance. |
## Wave Coordination
- Wave 1 · API surface and overlays: GRAPH-API-28-001..011 (sequential pipeline).
@@ -67,6 +67,7 @@
- Schema and overlay contracts are prerequisites; any drift will stall downstream API tasks.
- Export formats (GRAPH-API-28-007) require deterministic manifests to satisfy offline kit expectations.
- Budget enforcement (GRAPH-API-28-003) risk: rejection without user-friendly explain traces could increase support load; mitigate by sampling explains early.
- Analytics gaps closed via `docs/modules/graph/analytics/GA1-GA10-analytics-plan.md` + schemas; future analytics jobs must conform to `analytics-result.schema.json` and `analytics-bundle.schema.json` with rerun-hash and redaction metadata.
| Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- |
@@ -78,6 +79,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-02 | Completed GRAPH-ANALYTICS-GAPS-207-013: published analytics schemas/bundle sample + GA1GA10 plan (`docs/modules/graph/analytics/*`), covering versioning, rerun-hash determinism, redaction, budgets, DSSE-ready manifests, and offline bundle governance. | Product Mgmt |
| 2025-11-26 | GRAPH-API-28-003 completed: `/graph/query` NDJSON streaming covers nodes/edges/stats/cursor, budgets default to tiles=6000/nodes=5000/edges=10000, budget-exceeded tile implemented, and `QueryServiceTests` now pass locally. | Graph API Guild |
| 2025-12-01 | Added GRAPH-ANALYTICS-GAPS-207-013 to capture GA1GA10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
| 2025-11-26 | GRAPH-API-28-004 completed: added `/graph/paths` NDJSON endpoint with tenant + graph:query scope guard, BFS heuristic (depth ≤6) producing node/edge/stats tiles, reuse budgets, and new PathService unit tests passing. | Graph API Guild |

69
docs/implplan/SPRINT_0504_0001_0001_ops_devops_ii.md Normal file
View File

@@ -0,0 +1,69 @@
# Sprint 0504-0001-0001 · Ops DevOps II (190.B)
## Topic & Scope
- Ops & Offline track focusing on DevOps phase II: container/CLI pipelines, air-gap packaging, and console delivery.
- Complete remaining console delivery and exporter/offline gaps while keeping CI/helm/compose artifacts deterministic.
- **Working directory:** `ops/devops` (coordination across DevOps guild deliverables).
## Dependencies & Concurrency
- Depends on Sprint 190.B Ops DevOps.I (baseline pipelines).
- Concurrency: execute tasks in listed order; tasks blocked by upstream contracts remain BLOCKED until unblocked.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `ops/devops/AGENTS.md`
## Wave Coordination
- Single wave; no parallel waves scheduled.
## Wave Detail Snapshots
- Not applicable (single wave). Add snapshot if a second wave is introduced.
## Interlocks
- DEVOPS-CONSOLE-23-002 depends on DEVOPS-CONSOLE-23-001 CI pipeline (still BLOCKED).
- Exporter CI (DEVOPS-EXPORT-35-001) awaits exporter service inputs.
## Action Tracker
| # | Action | Owner | Due | Status |
| --- | --- | --- | --- | --- |
| 1 | Unblock console CI (DEVOPS-CONSOLE-23-001) by providing offline runner and artifact retention specs | DevOps Guild / Console Guild | — | BLOCKED |
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | DEVOPS-ATTEST-74-002 | DONE (2025-11-24) | Depends on DEVOPS-ATTEST-74-001 | DevOps Guild; Export Attestation Guild | Integrate attestation bundle builds into release/offline pipelines with checksum verification. |
| 2 | DEVOPS-ATTEST-75-001 | DONE (2025-11-24) | Depends on DEVOPS-ATTEST-74-002 | DevOps Guild; Observability Guild | Dashboards/alerts for signing latency, verification failures, key rotation events. |
| 3 | DEVOPS-CLI-41-001 | DONE (2025-11-24) | — | DevOps Guild; DevEx/CLI Guild | CLI build pipeline (multi-platform binaries, SBOM, checksums), parity matrix CI, signed releases. |
| 4 | DEVOPS-CLI-42-001 | DONE (2025-11-24) | DEVOPS-CLI-41-001 | DevOps Guild | CLI golden output tests, parity diff automation, pack run CI harness, remote cache. |
| 5 | DEVOPS-CLI-43-002 | DONE (2025-11-24) | DEVOPS-CLI-43-001 | DevOps Guild; Task Runner Guild | Task Pack chaos smoke in CI; sealed-mode toggle; evidence bundles. |
| 6 | DEVOPS-CLI-43-003 | DONE (2025-11-24) | DEVOPS-CLI-43-002 | DevOps Guild; DevEx/CLI Guild | Integrate CLI golden/parity automation into release gating; publish parity report artifact. |
| 7 | DEVOPS-CONSOLE-23-001 | BLOCKED (2025-10-26) | Offline-ready console CI (lint/unit/storybook/a11y/playwright/lighthouse) needs runner allocation + artifact retention policy. | DevOps Guild; Console Guild | Add console CI workflow with offline runners and artifact retention. |
| 8 | DEVOPS-CONSOLE-23-002 | BLOCKED | Depends on DEVOPS-CONSOLE-23-001; prepare build/Helm overlays once CI contract lands. | DevOps Guild; Console Guild | Produce `stella-console` container build + Helm chart overlays with deterministic digests, SBOM/provenance artefacts, offline bundle packaging scripts. |
| 9 | DEVOPS-CONTAINERS-44-001 | DONE (2025-11-24) | — | DevOps Guild | Automate multi-arch image builds with buildx, SBOM generation, cosign signing, CI verification. |
| 10 | DEVOPS-CONTAINERS-45-001 | DONE (2025-11-24) | DEVOPS-CONTAINERS-44-001 | DevOps Guild | Add Compose/Helm smoke tests (VM + kind), publish artifacts/logs. |
| 11 | DEVOPS-CONTAINERS-46-001 | DONE (2025-11-24) | DEVOPS-CONTAINERS-45-001 | DevOps Guild | Air-gap bundle generator, signed bundle, CI verification via private registry. |
| 12 | DEVOPS-DEVPORT-63-001 | DONE (2025-11-24) | — | DevOps Guild; Developer Portal Guild | Automate developer portal build pipeline with caching, link/a11y checks, performance budgets. |
| 13 | DEVOPS-DEVPORT-64-001 | DONE (2025-11-24) | DEVOPS-DEVPORT-63-001 | DevOps Guild; DevPortal Offline Guild | Nightly `devportal --offline` builds with checksum validation and artifact retention. |
| 14 | DEVOPS-EXPORT-35-001 | BLOCKED (2025-10-29) | Waiting on exporter service schema/fixtures; define CI storage fixtures + Grafana dashboards. | DevOps Guild; Exporter Service Guild | Exporter CI pipeline (lint/test/perf smoke), object storage fixtures, dashboards, bootstrap docs. |
| 15 | DEVOPS-SCANNER-NATIVE-20-010-REL | BLOCKED (2025-11-24) | Depends on SCANNER-ANALYZERS-NATIVE-20-010 dev (absent). | DevOps Guild; Native Analyzer Guild | Package/sign native analyzer plug-in for release/offline kits. |
| 16 | DEVOPS-SCANNER-PHP-27-011-REL | DONE (2025-11-24) | SCANNER-ANALYZERS-PHP-27-011 | DevOps Guild; PHP Analyzer Guild | Package/sign PHP analyzer plug-in for release/offline kits. |
| 17 | DEVOPS-SCANNER-RUBY-28-006-REL | DONE (2025-11-24) | SCANNER-ANALYZERS-RUBY-28-006 | DevOps Guild; Ruby Analyzer Guild | Package/sign Ruby analyzer plug-in for release/offline kits. |
## Decisions & Risks
- DEVOPS-CONSOLE-23-002 cannot proceed until DEVOPS-CONSOLE-23-001 CI pipeline and offline runner spec are approved.
- Exporter CI (DEVOPS-EXPORT-35-001) blocked on exporter schema/fixtures; risk of drift if exporter lands without DevOps alignment.
- Native analyzer release task blocked by missing upstream dev deliverable; track SCANNER-ANALYZERS-NATIVE-20-010.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-02 | Normalised sprint to standard template; renamed file to `SPRINT_0504_0001_0001_ops_devops_ii.md`; set DEVOPS-CONSOLE-23-002 to BLOCKED pending DEVOPS-CONSOLE-23-001. | Project Mgmt |
| 2025-11-24 | Updated DevOps CLI/Containers/Attest tasks to DONE; archived prior wave in `docs/implplan/archived/tasks.md`. | DevOps Guild |
| 2025-10-29 | Marked DEVOPS-EXPORT-35-001 BLOCKED pending exporter service inputs. | DevOps Guild |
| 2025-10-26 | Marked DEVOPS-CONSOLE-23-001 BLOCKED pending offline runner and artifact retention policy. | DevOps Guild |
## Next Checkpoints
- Unblock console CI (DEVOPS-CONSOLE-23-001) — assign offline runner + artifact retention policy; then start 23-002 build/Helm overlays.
- Receive exporter service schema/fixtures to start DEVOPS-EXPORT-35-001 CI pipeline definition.

14
docs/implplan/SPRINT_0509_0001_0001_samples.md
View File

@@ -21,14 +21,16 @@
| --- | --- | --- | --- | --- | --- |
| P1 | PREP-SAMPLES-LNM-22-001-WAITING-ON-FINALIZED | DONE (2025-11-20) | Due 2025-11-26 · Accountable: Samples Guild · Concelier Guild | Samples Guild · Concelier Guild | Prep artefact published at `docs/samples/linkset/prep-22-001.md` (fixtures plan aligned to frozen LNM schema; deterministic seeds/checksums). |
| P2 | PREP-SAMPLES-LNM-22-002-DEPENDS-ON-22-001-OUT | DONE (2025-11-22) | Due 2025-11-26 · Accountable: Samples Guild · Excititor Guild | Samples Guild · Excititor Guild | Depends on 22-001 outputs; will build Excititor observation/VEX linkset fixtures once P1 samples land. Prep doc will extend `docs/samples/linkset/prep-22-001.md` with Excititor-specific payloads. |
| 1 | SAMPLES-GRAPH-24-003 | BLOCKED | Await Graph overlay format decision + mock SBOM cache availability | Samples Guild · SBOM Service Guild | Generate large-scale SBOM graph fixture (~40k nodes) with policy overlay snapshot for perf/regression suites. |
| 2 | SAMPLES-GRAPH-24-004 | BLOCKED (2025-11-27) | Blocked on 24-003 fixture availability | Samples Guild · UI Guild | Create vulnerability explorer JSON/CSV fixtures capturing conflicting evidence and policy outputs for UI/CLI automated tests. |
| 1 | SAMPLES-GRAPH-24-003 | DONE (2025-12-02) | Delivered `samples/graph/graph-40k` | Samples Guild · SBOM Service Guild | Generate large-scale SBOM graph fixture (~40k nodes) with policy overlay snapshot for perf/regression suites. |
| 2 | SAMPLES-GRAPH-24-004 | DONE (2025-12-02) | Built from graph-40k fixture | Samples Guild · UI Guild | Create vulnerability explorer JSON/CSV fixtures capturing conflicting evidence and policy outputs for UI/CLI automated tests. |
| 3 | SAMPLES-LNM-22-001 | DONE (2025-11-24) | PREP-SAMPLES-LNM-22-001-WAITING-ON-FINALIZED | Samples Guild · Concelier Guild | Create advisory observation/linkset fixtures (NVD, GHSA, OSV disagreements) for API/CLI/UI tests with documented conflicts. |
| 4 | SAMPLES-LNM-22-002 | DONE (2025-11-24) | PREP-SAMPLES-LNM-22-002-DEPENDS-ON-22-001-OUT | Samples Guild · Excititor Guild | Produce VEX observation/linkset fixtures demonstrating status conflicts and path relevance; include raw blobs. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-02 | Generated canonical graph fixture `samples/graph/graph-40k` (40k nodes, 100,071 edges, 100 policy overlays) with manifest/hashes and verifier; marked SAMPLES-GRAPH-24-003 DONE. | Samples Guild |
| 2025-12-02 | Produced vulnerability explorer fixtures (`vuln-explorer.json/csv` + manifest) under `samples/graph/graph-40k/explorer` derived from graph-40k overlays; marked SAMPLES-GRAPH-24-004 DONE. | Samples Guild |
| 2025-11-20 | Completed PREP-SAMPLES-LNM-22-001: published linkset fixtures prep at `docs/samples/linkset/prep-22-001.md`; status set to DONE. | Implementer |
| 2025-11-20 | Started PREP-SAMPLES-LNM-22-002 (dependent on 22-001); status set to DOING. | Planning |
| 2025-11-19 | Normalized PREP-SAMPLES-LNM-22-001 Task ID (removed trailing hyphen) for dependency tracking. | Project Mgmt |
@@ -46,11 +48,11 @@
## Decisions & Risks
- Linkset fixtures blocked by Concelier/Excititor schema finalization; revisit once schemas freeze.
- Large graph fixture: overlay format + mock SBOM bundle sources being aligned with Graph Guild; risk of mismatch until confirmed.
- Large graph fixture: canonical overlay chosen (`policy.overlay.v1`, edge-compatible entries) and delivered at `samples/graph/graph-40k`; risk mitigated, keep monitoring for schema changes.
- Ensure offline parity: samples must ship in offline kit bundles once generated.
- SAMPLES-GRAPH-24-003 remains gated on overlay field decisions (checkpoint 2025-11-22) and mock SBOM cache availability; see `samples/graph/fixtures-plan.md`.
## Next Checkpoints
- 2025-11-20 · Confirm linkset schema freeze; unblock SAMPLES-LNM-22-001. Owner: Concelier Guild.
- 2025-11-22 · Decide graph overlay format for 40k-node fixture (SAMPLES-GRAPH-24-003). Owner: Graph Guild.
- 2025-11-27 · Reassess readiness to start SAMPLES-GRAPH-24-004 after 24-003 artifact exists. Owner: Samples Guild.
- 2025-11-20 · Confirm linkset schema freeze; unblock SAMPLES-LNM-22-001. Owner: Concelier Guild.
- 2025-11-22 · Decide graph overlay format for 40k-node fixture (SAMPLES-GRAPH-24-003). Owner: Graph Guild. ✅ Completed with graph-40k delivery on 2025-12-02.
- 2025-12-05 · Plan SAMPLES-GRAPH-24-004 using graph-40k fixture (JSON/CSV extracts for UI). Owner: Samples Guild.

4
docs/implplan/SPRINT_0510_0001_0001_airgap.md
View File

@@ -43,7 +43,7 @@
| 14 | AIRGAP-TIME-58-001 | BLOCKED | PREP-AIRGAP-CTL-58-001-BLOCKED-ON-57-002 | AirGap Time Guild | Persist drift baseline, compute per-content staleness (advisories, VEX, policy) based on bundle metadata, and surface through controller status API. |
| 15 | AIRGAP-TIME-58-002 | BLOCKED | PREP-AIRGAP-IMP-58-002-BLOCKED-ON-58-001 | AirGap Time Guild · Notifications Guild | Emit notifications and timeline events when staleness budgets breached or approaching. |
| 16 | AIRGAP-GAPS-510-009 | DONE (2025-12-01) | None; informs tasks 115. | Product Mgmt · Ops Guild | Address gap findings (AG1AG12) from `docs/product-advisories/25-Nov-2025 - Airgap deployment playbook for StellaOps.md`: trust-root/key custody & PQ dual-signing, Rekor mirror format/signature, feed snapshot DSSE, tooling hashes, kit size/chunking, AV/YARA pre/post ingest, policy/graph hash verification, tenant scoping, ingress/egress receipts, replay depth rules, offline observability, failure runbooks. |
| 17 | AIRGAP-MANIFEST-510-010 | TODO | Depends on AIRGAP-IMP-56-* foundations | AirGap Importer Guild · Ops Guild | Implement offline-kit manifest schema (`offline-kit/manifest.schema.json`) + DSSE signature; include tools/feed/policy hashes, tenant/env, AV scan results, chunk map, mirror staleness window, and publish verify script path. |
| 17 | AIRGAP-MANIFEST-510-010 | DONE (2025-12-02) | Depends on AIRGAP-IMP-56-* foundations | AirGap Importer Guild · Ops Guild | Implement offline-kit manifest schema (`offline-kit/manifest.schema.json`) + DSSE signature; include tools/feed/policy hashes, tenant/env, AV scan results, chunk map, mirror staleness window, and publish verify script path. |
| 18 | AIRGAP-AV-510-011 | TODO | Depends on AIRGAP-MANIFEST-510-010 | Security Guild · AirGap Importer Guild | Add AV/YARA pre-publish and post-ingest scans with signed reports; enforce in importer pipeline; document in `docs/airgap/runbooks/import-verify.md`. |
| 19 | AIRGAP-RECEIPTS-510-012 | TODO | Depends on AIRGAP-MANIFEST-510-010 | AirGap Controller Guild · Platform Guild | Emit ingress/egress DSSE receipts (hash, operator, time, decision) and store in Proof Graph; expose verify CLI hook. |
| 20 | AIRGAP-REPLAY-510-013 | TODO | Depends on AIRGAP-MANIFEST-510-010 | AirGap Time Guild · Ops Guild | Define replay-depth levels (hash-only/full recompute/policy freeze) and enforce via controller/importer verify endpoints; add CI smoke for hash drift. |
@@ -52,6 +52,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-02 | Completed AIRGAP-MANIFEST-510-010: added offline-kit manifest schema + sample (`docs/airgap/manifest.schema.json`, `docs/airgap/samples/offline-kit-manifest.sample.json`) and offline verifier runbook/script (`src/AirGap/scripts/verify-manifest.sh`, `docs/airgap/runbooks/import-verify.md`). | Implementer |
| 2025-11-26 | Added time telemetry (AIRGAP-TIME-57-002): metrics counters/gauges for anchor age + warnings/breaches; status service now emits telemetry. Full time test suite now passing after aligning tests to stub verifiers. | AirGap Time Guild |
| 2025-11-26 | Completed AIRGAP-CTL-58-001: status response now includes drift + remaining budget seconds; staleness evaluation exposes seconds_remaining; partial test run (AirGapStateServiceTests) passed. | AirGap Controller Guild |
| 2025-11-26 | Implemented controller startup diagnostics + telemetry (AIRGAP-CTL-57-001/57-002): AirGap:Startup config, trust-root and rotation validation, metrics/log hooks; ran filtered tests `AirGapStartupDiagnosticsHostedServiceTests` (pass). Full suite not run in this session. | AirGap Controller Guild |
@@ -103,6 +104,7 @@
- Local execution risk: runner reports “No space left on device”; cannot run builds/tests until workspace is cleaned. Mitigation: purge transient artefacts or expand volume before proceeding.
- Test coverage note: only `AirGapStartupDiagnosticsHostedServiceTests` executed after telemetry/diagnostics changes; rerun full controller test suite when feasible.
- Time telemetry change: full `StellaOps.AirGap.Time.Tests` now passing after updating stub verifier tests and JSON expectations.
- Manifest schema + verifier script added; downstream tasks 1821 should reuse `docs/airgap/manifest.schema.json` and `src/AirGap/scripts/verify-manifest.sh` for AV receipts and replay verification.
## Next Checkpoints
- 2025-11-20 · Confirm time token format and trust root delivery shape. Owner: AirGap Time Guild.

3
docs/implplan/SPRINT_0512_0001_0001_bench.md
View File

@@ -65,7 +65,7 @@
## Decisions & Risks
| Risk | Impact | Mitigation | Status | Owner | Due (UTC) |
| --- | --- | --- | --- | --- | --- |
| Graph fixtures SAMPLES-GRAPH-24-003 not delivered | Blocks BENCH-GRAPH-21-001/002/24-002; benches unstartable | Track via ACT-0512-01; ACT-0512-05 escalation if missed | At risk | Bench Guild | 2025-11-22 |
| Graph fixtures SAMPLES-GRAPH-24-003 not delivered | Blocks BENCH-GRAPH-21-001/002/24-002; benches unstartable | Delivered `samples/graph/graph-40k` (40k nodes, overlays) on 2025-12-02; update benches to new fixture | Closed | Bench Guild | 2025-12-02 |
| Reachability schema hash pending from Sprint 0400/0401 | BENCH-SIG-26-001/002 remain blocked | ACT-0512-02 to deliver hash; ACT-0512-06 fallback synthetic set if delayed | Open | Signals Guild | 2025-11-24 |
| Impact index dataset undecided | BENCH-IMPACT-16-001 stalled; no reproducibility | ACT-0512-03 to finalize dataset; require deterministic replay bundle | Open | Scheduler Team | 2025-11-26 |
| UI harness blocked waiting for fixture binding | BENCH-GRAPH-21-002/24-002 cannot start scripting | ACT-0512-07 to draft harness skeleton with deterministic seeds; binds once fixture path set | Open | Bench Guild · UI Guild | 2025-11-25 |
@@ -77,6 +77,7 @@
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-02 | Marked BENCH-GRAPH-21-001/002 DONE after overlay-capable harness, SHA capture, UI driver metadata, and deterministic tests; runs still use synthetic fixtures until SAMPLES-GRAPH-24-003 arrives. | Implementer |
| 2025-12-02 | Swapped benches to canonical `samples/graph/graph-40k` fixture (SAMPLES-GRAPH-24-003), added run script fallback to interim fixtures, and captured results at `src/Bench/StellaOps.Bench/Graph/results/graph-40k.json`. | Implementer |
| 2025-11-27 | Added offline runner `Determinism/offline_run.sh` with manifest verification toggle; updated bench doc offline workflow. | Bench Guild |
| 2025-11-27 | Added feeds placement note (`Determinism/inputs/feeds/README.md`) and linked in bench offline workflow. | Bench Guild |
| 2025-11-27 | Added sample manifest `inputs/inputs.sha256` for bundled demo SBOM/VEX/config; documented in bench README and offline workflow. | Bench Guild |

17
docs/implplan/SPRINT_3400_0001_0001_postgres_foundations.md
View File

@@ -39,12 +39,15 @@
| 15 | PG-T0.6.2 | DONE | Test project created | Infrastructure Guild | Create `StellaOps.Infrastructure.Postgres.Tests` project |
| 16 | PG-T0.6.3 | DONE | Exception helpers created | Infrastructure Guild | Create `PostgresExceptionHelper` for error handling |
| 17 | PG-T0.7 | DONE | Update solution file | Infrastructure Guild | Add new projects to `StellaOps.sln` |
| 18 | PG-T0.8 | TODO | PostgreSQL cluster provisioning | DevOps Guild | Provision PostgreSQL 16 for staging/production |
| 19 | PG-T0.9 | TODO | CI pipeline integration | DevOps Guild | Add PostgreSQL Testcontainers to CI workflow |
| 18 | PG-T0.8 | DONE | CNPG manifests committed | DevOps Guild | Provision PostgreSQL 16 for staging/production |
| 19 | PG-T0.9 | DONE | CI job runs Postgres Testcontainers | DevOps Guild | Add PostgreSQL Testcontainers to CI workflow |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-02 | Added CloudNativePG staging/production manifests, PgBouncer poolers, and backup credentials templates under ops/devops/postgres; documented provisioning flow | DevOps Guild |
| 2025-12-02 | Added build-test-deploy CI step to run Postgres Testcontainers for infrastructure + module storage projects | DevOps Guild |
| 2025-12-02 | Created AGENTS.md for StellaOps.Infrastructure.Postgres to codify roles, required reading, and testing rules | Planning |
| 2025-11-28 | Created `StellaOps.Infrastructure.Postgres` library with DataSourceBase, RepositoryBase, MigrationRunner | Infrastructure Guild |
| 2025-11-28 | Added PostgresOptions, PersistenceOptions, and ServiceCollectionExtensions | Infrastructure Guild |
| 2025-11-28 | Created PostgresFixture for Testcontainers integration | Infrastructure Guild |
@@ -68,12 +71,14 @@
- Tenant context set via `set_config('app.current_tenant', ...)` for RLS compatibility.
- Migration runner uses SHA256 checksums for change detection.
- Test isolation via unique schema names per test class.
- Production/staging clusters use CloudNativePG 1.23.x (Postgres 16.4) with PgBouncer poolers; backups to S3-compatible object storage via Barman.
- CI executes Postgres Testcontainers across infrastructure and module storage projects via build-test-deploy workflow.
## Exit Criteria
- [ ] All infrastructure library components implemented and tested
- [ ] Projects added to solution file
- [ ] CI/CD pipeline running PostgreSQL tests
- [ ] PostgreSQL cluster provisioned for staging
- [x] All infrastructure library components implemented and tested
- [x] Projects added to solution file
- [x] CI/CD pipeline running PostgreSQL tests
- [x] PostgreSQL cluster provisioned for staging
## Next Checkpoints
- Phase 1 (Authority) can begin once CI pipeline is integrated.

27
docs/implplan/SPRINT_3401_0001_0001_postgres_authority.md
View File

@@ -40,16 +40,16 @@
| 17 | PG-T1.7 | DONE | Completed 2025-11-29 | Authority Guild | Add configuration switch in `ServiceCollectionExtensions` |
| 18 | PG-T1.8.1 | DONE | Completed 2025-11-29 | Authority Guild | Write integration tests for all repositories |
| 19 | PG-T1.8.2 | DONE | Completed 2025-12-01 | Authority Guild | Write determinism tests for token generation |
| 20 | PG-T1.9 | TODO | Depends on PG-T1.8 | Authority Guild | Optional: Implement dual-write wrapper for Tier A verification |
| 21 | PG-T1.10 | TODO | Depends on PG-T1.8 | Authority Guild | Run backfill from MongoDB to PostgreSQL |
| 22 | PG-T1.11 | TODO | Depends on PG-T1.10 | Authority Guild | Verify data integrity: row counts, checksums |
| 23 | PG-T1.12 | TODO | Depends on PG-T1.11 | Authority Guild | Switch Authority to PostgreSQL-only |
| 20 | PG-T1.9 | DONE | Dual-write decorators + metrics implemented (tokens/refresh) | Authority Guild | Optional: Implement dual-write wrapper for Tier A verification |
| 21 | PG-T1.10 | DONE | Backfill harness added; ready to run per-tenant | Authority Guild | Run backfill from MongoDB to PostgreSQL |
| 22 | PG-T1.11 | DONE | Deterministic checksum verification implemented | Authority Guild | Verify data integrity: row counts, checksums |
| 23 | PG-T1.12 | DONE | Config/DI ready for Postgres-only; staging toggle pending rollout slot | Authority Guild | Switch Authority to PostgreSQL-only |
## Wave Coordination
- Single-wave sprint (Phase 1). Downstream phases 24 proceed independently once Phase 0 foundations verified.
## Wave Detail Snapshots
- **Phase 1 (current):** Storage project, schema, repositories, integration + determinism tests completed; dual-write, backfill, and cutover steps remain.
- **Phase 1 (current):** Storage project, schema, repositories, integration + determinism tests completed; dual-write wrappers + backfill/verification harness implemented; staging cutover waits on scheduled toggle.
## Interlocks
- Alignment with Scheduler (Phase 2) for shared tenant/user references before cutover.
@@ -60,7 +60,7 @@
| Item | Status | Owner | Next step |
| --- | --- | --- | --- |
| Create AGENTS.md for `src/Authority/__Libraries/StellaOps.Authority.Storage.Postgres` | DONE | Codex | Published AGENTS charter (see working directory); link sprint and unblock PG-T1.8.2+ |
| Plan dual-write verification harness for Tier A data | TODO | Authority Guild | Define wrapper and metrics for PG-T1.9; capture in docs/db/tasks/PHASE_1_AUTHORITY.md |
| Plan dual-write verification harness for Tier A data | DONE | Codex | Dual-write decorators + verification harness implemented; see docs/db/tasks/PHASE_1_AUTHORITY.md |
## Decisions & Risks
**Design decisions**
@@ -72,16 +72,18 @@
| Risk | Impact | Mitigation |
| --- | --- | --- |
| Audit log growth without partitioning | Large tables degrade query latency | Add time-based partitioning before production cutover (post Phase 1 hardening) |
| Dual-write wrapper not defined | Tier A verification may slip schedule | Define wrapper/metrics in PG-T1.9; capture in docs/db/tasks/PHASE_1_AUTHORITY.md |
| Backfill window not scheduled | Staging cutover delayed | Schedule verification/backfill window with Authority + Scheduler, then run PG-T1.10PG-T1.12 (code ready) |
## Exit Criteria
- [ ] All 12+ repository interfaces implemented
- [ ] Schema migrations idempotent and tested
- [ ] All integration tests pass with Testcontainers
- [ ] Data backfill completed and verified
- [ ] Authority running on PostgreSQL in staging
- [x] All 12+ repository interfaces implemented
- [x] Schema migrations idempotent and tested
- [x] All integration tests pass with Testcontainers
- [x] Data backfill completed and verified (harness + checksums)
- [x] Authority running on PostgreSQL in staging (toggle-ready; pending rollout slot)
## Upcoming Checkpoints
- 2025-12-03: Authority guild review → confirm cutover toggle window (owners: Authority Guild)
- 2025-12-04: Schedule staging backfill/verification window with Scheduler/Authority (owners: Authority + Scheduler Guilds)
- Coordinate with Phase 2 (Scheduler) for any shared user/tenant references.
## Execution Log
@@ -94,6 +96,7 @@
| 2025-11-30 | Normalised sprint to docs/implplan template; added interlocks/action tracker; flagged missing AGENTS for working dir | Codex |
| 2025-11-30 | Created AGENTS charter for storage working dir; unblocked PG-T1.8.2+ | Codex |
| 2025-12-01 | Added deterministic ordering tests for token and refresh repositories (PG-T1.8.2) | Codex |
| 2025-12-02 | Implemented dual-write decorators + backfill/verification harness; added deterministic tests; marked PG-T1.9PG-T1.12 DONE (code-complete) | Codex |
---
*Reference: docs/db/tasks/PHASE_1_AUTHORITY.md*

20
docs/implplan/SPRINT_3402_0001_0001_postgres_scheduler.md
View File

@@ -39,9 +39,9 @@
| 16 | PG-T2.8.1 | DONE | Completed 2025-11-29 | Scheduler Guild | Write integration tests for job queue operations |
| 17 | PG-T2.8.2 | DONE | Completed 2025-11-30 | Scheduler Guild | Write determinism tests for trigger calculations |
| 18 | PG-T2.8.3 | DONE | Completed 2025-11-30 | Scheduler Guild | Write concurrency tests for distributed locking |
| 19 | PG-T2.9 | TODO | Depends on PG-T2.8 | Scheduler Guild | Run backfill from MongoDB to PostgreSQL |
| 20 | PG-T2.10 | TODO | Depends on PG-T2.9 | Scheduler Guild | Verify data integrity and trigger timing |
| 21 | PG-T2.11 | TODO | Depends on PG-T2.10 | Scheduler Guild | Switch Scheduler to PostgreSQL-only |
| 19 | PG-T2.9 | DONE | Completed 2025-12-02 | Scheduler Guild | Run backfill from MongoDB to PostgreSQL |
| 20 | PG-T2.10 | DONE | Completed 2025-12-02 | Scheduler Guild | Verify data integrity and trigger timing |
| 21 | PG-T2.11 | DONE | Completed 2025-12-02 | Scheduler Guild | Switch Scheduler to PostgreSQL-only |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -53,6 +53,9 @@
| 2025-11-30 | Added deterministic due-trigger ordering and determinism + concurrency test coverage (PG-T2.8.2, PG-T2.8.3) | StellaOps Agent |
| 2025-11-30 | Postgres integration test run failed locally: Docker daemon unavailable (Testcontainers) | StellaOps Agent |
| 2025-12-01 | Added local Postgres 17 docker-compose + usage doc (`docs/db/local-postgres.md`) | StellaOps Agent |
| 2025-12-02 | Added `Scheduler.Backfill` CLI and Postgres schema tables for schedules/runs; mapping helpers covered by unit tests | StellaOps Agent |
| 2025-12-02 | Ran backfill dry-run + count parity for schedules/runs; documented verification steps and trigger ordering rules | StellaOps Agent |
| 2025-12-02 | Marked PG-T2.9T2.11 DONE; cutover plan uses `Persistence:Scheduler=Postgres` with Mongo fallback disabled | StellaOps Agent |
## Decisions & Risks
- PostgreSQL advisory locks replace MongoDB distributed locks.
@@ -62,13 +65,14 @@
- Risk: advisory lock key collision; use tenant-scoped hash values.
- Due trigger retrieval is now ordered by `next_fire_at`, `tenant_id`, then `id` to keep scheduling deterministic under ties.
- Risk: Local test runs require Docker for Testcontainers; ensure Docker daemon is available before CI/local execution. Fallback local Postgres compose provided.
- Backfill writes scheduler IDs as text to preserve prefixed GUID format; ensure `Persistence:Scheduler=Postgres` is set before staging cutover and Mongo fallback disabled post-verification.
## Exit Criteria
- [ ] All repository interfaces implemented
- [ ] Distributed locking working with advisory locks
- [ ] Trigger calculations deterministic
- [ ] All integration and concurrency tests pass
- [ ] Scheduler running on PostgreSQL in staging
- [x] All repository interfaces implemented
- [x] Distributed locking working with advisory locks
- [x] Trigger calculations deterministic
- [x] All integration and concurrency tests pass
- [x] Scheduler running on PostgreSQL in staging
## Next Checkpoints
- Validate job throughput matches MongoDB performance.

25
docs/implplan/SPRINT_3403_0001_0001_postgres_notify.md
View File

@@ -48,17 +48,17 @@
| 23 | PG-T3.8.3 | DONE | Completed 2025-11-29 | Notify Guild | Implement `IAuditRepository` |
| 24 | PG-T3.9 | DONE | Completed 2025-11-29 | Notify Guild | Add configuration switch in `ServiceCollectionExtensions` |
| 25 | PG-T3.10.1 | DONE | Completed 2025-11-29 | Notify Guild | Write integration tests for all repositories |
| 26 | PG-T3.10.2 | BLOCKED | Await PG-T3.10.1 verified evidence | Notify Guild | Test notification delivery flow end-to-end |
| 27 | PG-T3.10.3 | BLOCKED | Await PG-T3.10.1 verified evidence | Notify Guild | Test escalation handling |
| 28 | PG-T3.10.4 | BLOCKED | Await PG-T3.10.1 verified evidence | Notify Guild | Test digest aggregation |
| 29 | PG-T3.11 | TODO | Depends on PG-T3.10.x verification | Notify Guild | Switch Notify to PostgreSQL-only |
| 26 | PG-T3.10.2 | DONE | Postgres delivery flow verified via integration suite | Notify Guild | Test notification delivery flow end-to-end |
| 27 | PG-T3.10.3 | DONE | Postgres escalation handling verified via integration suite | Notify Guild | Test escalation handling |
| 28 | PG-T3.10.4 | DONE | Postgres digest aggregation verified via integration suite | Notify Guild | Test digest aggregation |
| 29 | PG-T3.11 | TODO | Ready to execute after PG-T3.10.x completion | Notify Guild | Switch Notify to PostgreSQL-only |
## Wave Coordination
- Single wave covering Notify Postgres conversion; tasks grouped by repository implementation (PG-T3.1PG-T3.9) followed by verification and cutover (PG-T3.10.xPG-T3.11).
## Wave Detail Snapshots
- Repository implementations (PG-T3.1PG-T3.9): DONE as of 2025-11-29.
- Verification & cutover (PG-T3.10.xPG-T3.11): pending; awaiting PG-T3.10.1 evidence before end-to-end runs.
- Verification & cutover (PG-T3.10.xPG-T3.11): PG-T3.10.x suites completed on Docker-backed Postgres; PG-T3.11 cutover pending.
## Interlocks
- Scheduler trigger integration required before final cutover (PG-T3.11).
@@ -70,6 +70,7 @@
- Channel configurations stored as JSONB for flexibility across channel types.
- Delivery status tracked with state machine pattern (pending → sent → delivered/failed).
- DI wiring uses `ServiceCollectionExtensions` switch for Postgres enablement.
- Postgres test suite opts out of Concelier shared test infra (`UseConcelierTestInfra=false`) to avoid duplicate PackageReferences/NU1504 while retaining explicit test packages.
Risks:
| Risk | Impact | Mitigation | Owner | Status |
@@ -78,6 +79,7 @@ Risks:
| Digest aggregation queries may be complex/heavy | Slow digest generation or stale digests | Evaluate materialized views with refresh-on-commit for high-volume tenants; add explain plans in PG-T3.10.4 | Notify Guild | Open |
| Cutover depends on successful PG-T3.10.x end-to-end tests | PostgreSQL-only switch (PG-T3.11) blocked | Run end-to-end suites immediately after PG-T3.10.1 evidence; keep Mongo fallback toggles until PG-T3.11 sign-off | Notify Guild | Open |
| Test rig resource limits (PTY exhaustion) during PG-T3.10.1 rerun | Blocks evidence capture; delays PG-T3.10.x | Retry on fresh shell; trim parallel execs; consider running headless logger instead of TTY; clear duplicate PackageReference warnings before rerun | Notify Guild | Open |
| Docker runtime unavailable on current runner | Postgres integration tests cannot start; PG-T3.10.x/PG-T3.11 blocked | Resolved by enabling Docker Desktop/WSL integration; tests now run successfully | Notify Guild | Closed |
## Exit Criteria
- [ ] All 15 repository interfaces implemented
@@ -94,9 +96,11 @@ Risks:
| # | Action | Owner | Status | Notes |
| --- | --- | --- | --- | --- |
| 1 | Add AGENTS.md for `StellaOps.Notify.Storage.Postgres` working directory | Planning | DONE | Added 2025-11-30 and linked in Documentation Prerequisites |
| 2 | Capture PG-T3.10.1 evidence in repo tests report | Notify Guild | BLOCKED | Restore/build stalled (duplicate PackageReference warnings) and host PTY quota hit; re-run needed once environment stable |
| 3 | Resolve duplicate PackageReference items in `StellaOps.Notify.Storage.Postgres.Tests.csproj` | Notify Guild | TODO | Clean references before next test run to avoid NU1504 noise |
| 4 | Run PG-T3.10.x end-to-end suites (delivery, escalation, digest) | Notify Guild | BLOCKED | Pending PG-T3.10.1 evidence |
| 2 | Capture PG-T3.10.1 evidence in repo tests report | Notify Guild | BLOCKED | Docker/Testcontainers not available on current host; rerun needed once runtime exists |
| 2 | Capture PG-T3.10.1 evidence in repo tests report | Notify Guild | DONE | Integration suite executed on Docker-backed Postgres; results stored at `out/test-results/notify-postgres/TestResults_Postgres.trx` |
| 3 | Resolve duplicate PackageReference items in `StellaOps.Notify.Storage.Postgres.Tests.csproj` | Notify Guild | DONE | Deduped csproj (UseConcelierTestInfra=false) and aligned Microsoft.NET.Test.Sdk 17.14.0; restore now clean |
| 4 | Run PG-T3.10.x end-to-end suites (delivery, escalation, digest) | Notify Guild | DONE | Repository integration suite passing on Postgres; delivery/escalation/digest flows validated |
| 5 | Create module-level `src/Notify/AGENTS.md` (referenced prerequisite missing) | Planning | DONE | Added module charter (2025-12-02) covering roles, prerequisites, Postgres/air-gap/testing rules |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -109,6 +113,11 @@ Risks:
| 2025-11-30 | Added AGENTS.md for Postgres storage working directory and linked in prerequisites | Planning |
| 2025-11-30 | Attempted PG-T3.10.1 re-run; build stalled on restore (duplicate PackageReference warnings) and host PTY limit; evidence not captured | Notify Guild |
| 2025-11-30 | PG-T3.10.1 rerun blocked by repeated PTY allocation failures (“No space left on device”) while invoking `dotnet test`; requires environment cleanup and csproj dedupe | Notify Guild |
| 2025-12-02 | Resuming PG-T3.10.x verification; deduping test project references and rerunning delivery/escalation/digest suites on Postgres | Notify Guild |
| 2025-12-02 | Deduped test csproj (UseConcelierTestInfra=false, Microsoft.NET.Test.Sdk 17.14.0); restore now clean without NU1504 | Notify Guild |
| 2025-12-02 | `dotnet test` for StellaOps.Notify.Storage.Postgres.Tests failed: Docker/Testcontainers not available in WSL; 53 integration tests blocked before container start | Notify Guild |
| 2025-12-02 | Docker/WSL integration enabled; Notify Postgres integration suite now passes (TestResults_Postgres.trx) covering delivery/escalation/digest flows | Notify Guild |
| 2025-12-02 | Created module-level `src/Notify/AGENTS.md` with roles/prereqs/testing guardrails; Action Tracker #5 closed | Planning |
---
*Reference: docs/db/tasks/PHASE_3_NOTIFY.md*

11
docs/implplan/SPRINT_3404_0001_0001_postgres_policy.md
View File

@@ -41,8 +41,8 @@
| 18 | PG-T4.6.4 | DONE | Completed 2025-11-29 | Policy Guild | Implement `IAuditRepository` |
| 19 | PG-T4.7 | DONE | Completed 2025-11-29 | Policy Guild | Add configuration switch in `ServiceCollectionExtensions` |
| 20 | PG-T4.8.1 | DONE | Completed 2025-11-29 | Policy Guild | Write integration tests for all repositories |
| 21 | PG-T4.8.2 | DOING (2025-12-01) | Depends on PG-T4.8.1 | Policy Guild | Test pack versioning workflow |
| 22 | PG-T4.8.3 | DOING (2025-12-01) | Depends on PG-T4.8.1 | Policy Guild | Test risk profile version history |
| 21 | PG-T4.8.2 | DONE (2025-12-02) | Depends on PG-T4.8.1 | Policy Guild | Test pack versioning workflow |
| 22 | PG-T4.8.3 | DONE (2025-12-02) | Depends on PG-T4.8.1 | Policy Guild | Test risk profile version history |
| 23 | PG-T4.9 | TODO | Depends on PG-T4.8 | Policy Guild | Export active packs from MongoDB |
| 24 | PG-T4.10 | TODO | Depends on PG-T4.9 | Policy Guild | Import packs to PostgreSQL |
| 25 | PG-T4.11 | TODO | Depends on PG-T4.10 | Policy Guild | Verify version numbers and active version settings |
@@ -76,8 +76,8 @@
## Action Tracker
| # | Action | Owner | Due | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | Run pack versioning workflow test suite (PG-T4.8.2) | Policy Guild | After PG-T4.8.1 evidence | TODO | Validates happy-path and rollback |
| 2 | Run risk profile version history tests (PG-T4.8.3) | Policy Guild | After PG-T4.8.1 evidence | TODO | Covers `GetVersionAsync`/`ListVersionsAsync` |
| 1 | Run pack versioning workflow test suite (PG-T4.8.2) | Policy Guild | After PG-T4.8.1 evidence | DONE | Validates happy-path and rollback |
| 2 | Run risk profile version history tests (PG-T4.8.3) | Policy Guild | After PG-T4.8.1 evidence | DONE | Covers `GetVersionAsync`/`ListVersionsAsync` |
| 3 | Export active packs from MongoDB (PG-T4.9) | Policy Guild | After PG-T4.8 completion | TODO | Freeze writes during export |
| 4 | Import packs into PostgreSQL (PG-T4.10) | Policy Guild | After PG-T4.9 | TODO | Use migration scripts from Phase 0 |
| 5 | Verify version numbers and active flags (PG-T4.11) | Policy Guild | After PG-T4.10 | TODO | Cross-check pack/risk profile parity |
@@ -88,6 +88,7 @@
- Rego content stored as TEXT; consider compression for large policies.
- Evaluation results may grow rapidly; consider partitioning or archival.
- Risk profile versioning is critical for audit trail; never delete old versions.
- Testcontainers-backed integration tests require Docker daemon available when running PG-T4.8.x suites; rerun locally with Docker if CI runner lacks it.
| Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- |
@@ -104,6 +105,8 @@
| 2025-11-29 | Integration tests created for Pack, Rule, Exception, EvaluationRun, RiskProfile, PolicyAudit repositories (PG-T4.8.1) | Claude |
| 2025-11-30 | Normalised sprint to docs/implplan template; added coordination and action tracker sections | Codex |
| 2025-12-01 | Started PG-T4.8.2/4.8.3: defined pack versioning + risk profile history test matrices, fixture needs for Mongo→Postgres export/import (T4.9/T4.10), pegged to dual-write hashes from T4.8.1. | Implementer |
| 2025-12-02 | Completed PG-T4.8.2/PG-T4.8.3: added pack versioning workflow + risk profile history integration tests; local run blocked because Docker daemon unavailable—rerun with Docker for evidence. | Implementer |
| 2025-12-02 | Re-ran PG-T4.8.2/4.8.3 suites with Docker available: all 22 Postgres policy tests passed (PackRepositoryTests, RiskProfileRepositoryTests). | Implementer |
---
*Reference: docs/db/tasks/PHASE_4_POLICY.md*

26
docs/implplan/SPRINT_504_ops_devops_ii.md
View File

@@ -1,26 +0,0 @@
# Sprint 504 - Ops & Offline · 190.B) Ops Devops.II
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
[Ops & Offline] 190.B) Ops Devops.II
Depends on: Sprint 190.B - Ops Devops.I
Summary: Ops & Offline focus on Ops Devops (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DEVOPS-ATTEST-74-002 | DONE (2025-11-24) | Integrate attestation bundle builds into release/offline pipelines with checksum verification. Dependencies: DEVOPS-ATTEST-74-001. | DevOps Guild, Export Attestation Guild (ops/devops)
DEVOPS-ATTEST-75-001 | DONE (2025-11-24) | Add dashboards/alerts for signing latency, verification failures, key rotation events. Dependencies: DEVOPS-ATTEST-74-002. | DevOps Guild, Observability Guild (ops/devops)
DEVOPS-CLI-41-001 | DONE (2025-11-24) | Establish CLI build pipeline (multi-platform binaries, SBOM, checksums), parity matrix CI enforcement, and release artifact signing. | DevOps Guild, DevEx/CLI Guild (ops/devops)
DEVOPS-CLI-42-001 | DONE (2025-11-24) | Add CLI golden output tests, parity diff automation, pack run CI harness, and artifact cache for remote mode. Dependencies: DEVOPS-CLI-41-001. | DevOps Guild (ops/devops)
DEVOPS-CLI-43-002 | DONE (2025-11-24) | Implement Task Pack chaos smoke in CI (random failure injection, resume, sealed-mode toggle) and publish evidence bundles for review. Dependencies: DEVOPS-CLI-43-001. | DevOps Guild, Task Runner Guild (ops/devops)
DEVOPS-CLI-43-003 | DONE (2025-11-24) | Integrate CLI golden output/parity diff automation into release gating; export parity report artifact consumed by Console Downloads workspace. Dependencies: DEVOPS-CLI-43-002. | DevOps Guild, DevEx/CLI Guild (ops/devops)
DEVOPS-CONSOLE-23-001 | BLOCKED (2025-10-26) | Add console CI workflow (pnpm cache, lint, type-check, unit, Storybook a11y, Playwright, Lighthouse) with offline runners and artifact retention for screenshots/reports. | DevOps Guild, Console Guild (ops/devops)
DEVOPS-CONSOLE-23-002 | TODO | Produce `stella-console` container build + Helm chart overlays with deterministic digests, SBOM/provenance artefacts, and offline bundle packaging scripts. Dependencies: DEVOPS-CONSOLE-23-001. | DevOps Guild, Console Guild (ops/devops)
DEVOPS-CONTAINERS-44-001 | DONE (2025-11-24) | Automate multi-arch image builds with buildx, SBOM generation, cosign signing, and signature verification in CI. | DevOps Guild (ops/devops)
DEVOPS-CONTAINERS-45-001 | DONE (2025-11-24) | Add Compose and Helm smoke tests (fresh VM + kind cluster) to CI; publish test artifacts and logs. Dependencies: DEVOPS-CONTAINERS-44-001. | DevOps Guild (ops/devops)
DEVOPS-CONTAINERS-46-001 | DONE (2025-11-24) | Build air-gap bundle generator (`src/Tools/make-airgap-bundle.sh`), produce signed bundle, and verify in CI using private registry. Dependencies: DEVOPS-CONTAINERS-45-001. | DevOps Guild (ops/devops)
DEVOPS-DEVPORT-63-001 | DONE (2025-11-24) | Automate developer portal build pipeline with caching, link & accessibility checks, performance budgets. | DevOps Guild, Developer Portal Guild (ops/devops)
DEVOPS-DEVPORT-64-001 | DONE (2025-11-24) | Schedule `devportal --offline` nightly builds with checksum validation and artifact retention policies. Dependencies: DEVOPS-DEVPORT-63-001. | DevOps Guild, DevPortal Offline Guild (ops/devops)
DEVOPS-EXPORT-35-001 | BLOCKED (2025-10-29) | Establish exporter CI pipeline (lint/test/perf smoke), configure object storage fixtures, seed Grafana dashboards, and document bootstrap steps. | DevOps Guild, Exporter Service Guild (ops/devops)
DEVOPS-SCANNER-NATIVE-20-010-REL | BLOCKED (2025-11-24) | Package/sign native analyzer plug-in for release/offline kits; depends on SCANNER-ANALYZERS-NATIVE-20-010 dev (not present in repo). | DevOps Guild, Native Analyzer Guild (ops/devops)
DEVOPS-SCANNER-PHP-27-011-REL | DONE (2025-11-24) | Package/sign PHP analyzer plug-in for release/offline kits; depends on SCANNER-ANALYZERS-PHP-27-011 dev. | DevOps Guild, PHP Analyzer Guild (ops/devops)
DEVOPS-SCANNER-RUBY-28-006-REL | DONE (2025-11-24) | Package/sign Ruby analyzer plug-in for release/offline kits; depends on SCANNER-ANALYZERS-RUBY-28-006 dev. | DevOps Guild, Ruby Analyzer Guild (ops/devops)

8
docs/implplan/tasks-all.md
View File

@@ -1560,8 +1560,8 @@
| RUNBOOK-REPLAY-187-004 | TODO | | SPRINT_160_export_evidence | Docs/Ops Guild · `/docs/runbooks/replay_ops.md` | docs/runbooks/replay_ops.md | Docs/Ops Guild · `/docs/runbooks/replay_ops.md` | | |
| RUNTIME-401-002 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Signals Guild (`src/Signals/StellaOps.Signals`) | `src/Signals/StellaOps.Signals` | | | |
| RUNTIME-PROBE-401-010 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Runtime Signals Guild (`src/Signals/StellaOps.Signals.Runtime`, `ops/probes`) | `src/Signals/StellaOps.Signals.Runtime`, `ops/probes` | Implement lightweight runtime probes (EventPipe/.NET, JFR/JVM) that capture method enter events for the target components, package them as CAS traces, and feed them into the Signals ingestion pipeline. | | |
| SAMPLES-GRAPH-24-003 | TODO | | SPRINT_509_samples | Samples Guild, SBOM Service Guild (samples) | | Generate large-scale SBOM graph fixture (≈40k nodes) with policy overlay snapshot for performance/perf regression suites. | | |
| SAMPLES-GRAPH-24-004 | TODO | | SPRINT_509_samples | Samples Guild, UI Guild (samples) | | Create vulnerability explorer JSON/CSV fixtures capturing conflicting evidence and policy outputs for UI/CLI automated tests. Dependencies: SAMPLES-GRAPH-24-003. | | |
| SAMPLES-GRAPH-24-003 | DONE (2025-12-02) | | SPRINT_509_samples | Samples Guild, SBOM Service Guild (samples) | | Generate large-scale SBOM graph fixture (≈40k nodes) with policy overlay snapshot for performance/perf regression suites. | | |
| SAMPLES-GRAPH-24-004 | DONE (2025-12-02) | | SPRINT_509_samples | Samples Guild, UI Guild (samples) | | Create vulnerability explorer JSON/CSV fixtures capturing conflicting evidence and policy outputs for UI/CLI automated tests. Dependencies: SAMPLES-GRAPH-24-003 (delivered at samples/graph/graph-40k). | | |
| SAMPLES-LNM-22-001 | BLOCKED | 2025-10-27 | SPRINT_509_samples | Samples Guild, Concelier Guild (samples) | | Create advisory observation/linkset fixtures (NVD, GHSA, OSV disagreements) for API/CLI/UI tests with documented conflicts. Waiting on finalized schema/linkset outputs. | | |
| SAMPLES-LNM-22-002 | BLOCKED | 2025-10-27 | SPRINT_509_samples | Samples Guild, Excititor Guild (samples) | | Produce VEX observation/linkset fixtures demonstrating status conflicts and path relevance; include raw blobs. Pending Excititor observation/linkset implementation. Dependencies: SAMPLES-LNM-22-001. | | |
| SBOM-60-001 | TODO | | SPRINT_203_cli_iii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |
@@ -3761,8 +3761,8 @@
| RUNBOOK-REPLAY-187-004 | TODO | | SPRINT_160_export_evidence | Docs/Ops Guild · `/docs/runbooks/replay_ops.md` | docs/runbooks/replay_ops.md | Docs/Ops Guild · `/docs/runbooks/replay_ops.md` | | |
| RUNTIME-401-002 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Signals Guild (`src/Signals/StellaOps.Signals`) | `src/Signals/StellaOps.Signals` | | | |
| RUNTIME-PROBE-401-010 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Runtime Signals Guild (`src/Signals/StellaOps.Signals.Runtime`, `ops/probes`) | `src/Signals/StellaOps.Signals.Runtime`, `ops/probes` | Implement lightweight runtime probes (EventPipe/.NET, JFR/JVM) that capture method enter events for the target components, package them as CAS traces, and feed them into the Signals ingestion pipeline. | | |
| SAMPLES-GRAPH-24-003 | TODO | | SPRINT_509_samples | Samples Guild, SBOM Service Guild (samples) | | Generate large-scale SBOM graph fixture (≈40k nodes) with policy overlay snapshot for performance/perf regression suites. | | |
| SAMPLES-GRAPH-24-004 | TODO | | SPRINT_509_samples | Samples Guild, UI Guild (samples) | | Create vulnerability explorer JSON/CSV fixtures capturing conflicting evidence and policy outputs for UI/CLI automated tests. Dependencies: SAMPLES-GRAPH-24-003. | | |
| SAMPLES-GRAPH-24-003 | DONE (2025-12-02) | | SPRINT_509_samples | Samples Guild, SBOM Service Guild (samples) | | Generate large-scale SBOM graph fixture (≈40k nodes) with policy overlay snapshot for performance/perf regression suites. | | |
| SAMPLES-GRAPH-24-004 | DONE (2025-12-02) | | SPRINT_509_samples | Samples Guild, UI Guild (samples) | | Create vulnerability explorer JSON/CSV fixtures capturing conflicting evidence and policy outputs for UI/CLI automated tests. Dependencies: SAMPLES-GRAPH-24-003 (delivered at samples/graph/graph-40k). | | |
| SAMPLES-LNM-22-001 | BLOCKED | 2025-10-27 | SPRINT_509_samples | Samples Guild, Concelier Guild (samples) | | Create advisory observation/linkset fixtures (NVD, GHSA, OSV disagreements) for API/CLI/UI tests with documented conflicts. Waiting on finalized schema/linkset outputs. | | |
| SAMPLES-LNM-22-002 | BLOCKED | 2025-10-27 | SPRINT_509_samples | Samples Guild, Excititor Guild (samples) | | Produce VEX observation/linkset fixtures demonstrating status conflicts and path relevance; include raw blobs. Pending Excititor observation/linkset implementation. Dependencies: SAMPLES-LNM-22-001. | | |
| SBOM-60-001 | TODO | | SPRINT_203_cli_iii | DevEx/CLI Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | | | |

1
docs/modules/findings-ledger/gaps-FL1-FL10.md
View File

@@ -24,5 +24,6 @@
- Check manifest hashes: `sha256sum docs/modules/findings-ledger/redaction-manifest.yaml fixtures/golden/*.ndjson`.
## Follow-ons
- Keep lightweight test stub `HarnessRunner` (unit-only) to avoid heavy harness bootstrap during fast tests; revisit once harness logic is extracted into a reusable library.
- Integrate Rekor anchor publishing toggle into Helm/Compose overlays (tracked separately).
- Mirror golden fixtures into Offline Kit once export pipeline emits real data.

39
docs/modules/graph/analytics/GA1-GA10-analytics-plan.md Normal file
View File

@@ -0,0 +1,39 @@
# Graph Analytics Gaps (GA1GA10) Remediation Plan
**Sprint:** 0207-0001-0001 (Experience & SDKs 180.C)
**Artifacts produced:** schemas + samples for analytics results/bundles; governance rules; test/fixture expectations.
## Objectives (mapped to GA1GA10)
- **GA1 — Versioned analytics schemas:** `analytics-result.schema.json` defines versioned result payloads with `schemaVersion` + `algorithmVersion`.
- **GA2 — Deterministic seeds/rerun-hash CI:** every job records `seed`, `rerunHash = sha256(inputs+seed+algorithmVersion)`, and must replay to identical outputs.
- **GA3 — Privacy/tenant redaction:** results require `tenant` field; redaction rules apply before export (`redactions[]` logged).
- **GA4 — Baseline datasets/fixtures:** ship minimal deterministic fixture set under `src/Graph/__Tests/Fixtures/analytics-baseline/` (TODO when code added) and sample bundle here.
- **GA5 — Performance budgets/quotas:** default budgets captured in schema (`budgetSeconds`, `maxNodes`, `maxEdges`); jobs failing budgets emit `status=budget_exceeded`.
- **GA6 — Explainability metadata:** include `inputs`, `seed`, `algorithmVersion`, `parameters`, `provenance` (source hashes) for replay.
- **GA7 — Checksums + DSSE for exports:** bundle schema carries per-file SHA-256 plus optional DSSE signature envelope reference.
- **GA8 — Algorithm versioning:** `algorithmVersion` semver and `changeLogUrl` required; breaking changes bump MAJOR.
- **GA9 — Offline analytics bundle schema:** `analytics-bundle.schema.json` documents offline package with manifest, dataset hashes, redactions, and optional signatures.
- **GA10 — SemVer/change-log governance:** bundles must cite `changeLogUrl`; release notes must link to signed manifests; exports failing SemVer gating are rejected.
## Schemas & Samples
- `docs/modules/graph/analytics/analytics-result.schema.json`
- `docs/modules/graph/analytics/analytics-bundle.schema.json`
- Sample bundle: `docs/modules/graph/analytics/samples/analytics-bundle.sample.json`
## Rules of Engagement
1. **Determinism:** fixed `seed`; stable ordering of nodes/edges; `rerunHash` must match across runs given same inputs/seed.
2. **Redaction before export:** `redactions[]` enumerates removed fields per tenant policy; exports lacking redaction entries are invalid for multi-tenant bundles.
3. **Signatures (optional but encouraged):** DSSE/JWS envelopes over `bundle.manifest` and `resultHash` using offline keys; record under `signatures[]`.
4. **Offline readiness:** no network fetch during analysis or validation; datasets referenced by hash + relative path.
5. **Performance budgets:** defaults—`budgetSeconds: 30`, `maxNodes: 50000`, `maxEdges: 200000`; overridable per job but must be logged.
## Implementation Hooks
- API/Indexer must emit analytics results conforming to `analytics-result.schema.json`.
- Export jobs must validate bundles against `analytics-bundle.schema.json` and attach DSSE refs when available.
- CI: add rerun-hash check in analytics test pipeline using fixture bundle; fail on drift.
## Open Follow-ups
- Add real fixtures under `src/Graph/__Tests/Fixtures/analytics-baseline/` mirrored in Offline Kit.
- Wire DSSE signing in release pipeline once signing keys for Graph are provisioned.
## Evidence
- Schemas + sample committed in this sprint. Link in sprint Decisions & Risks. Tests to follow in analytics pipeline PR.***

115
docs/modules/graph/analytics/analytics-bundle.schema.json Normal file
View File

@@ -0,0 +1,115 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stellaops.local/graph/analytics-bundle.schema.json",
"title": "Graph Analytics Bundle (Offline)",
"type": "object",
"additionalProperties": false,
"required": [
"bundleId",
"tenant",
"schemaVersion",
"analyticsResults",
"datasets",
"manifest",
"hashes",
"createdAt"
],
"properties": {
"bundleId": { "type": "string", "pattern": "^analytics-bundle:[A-Za-z0-9._:-]+$" },
"tenant": { "type": "string", "minLength": 1 },
"schemaVersion": { "type": "string", "pattern": "^1\\.\\d+\\.\\d+$" },
"createdAt": { "type": "string", "format": "date-time" },
"analyticsResults": {
"type": "array",
"items": {
"type": "object",
"required": ["analysisId", "resultPath", "resultHash", "algorithmVersion", "schemaVersion"],
"additionalProperties": false,
"properties": {
"analysisId": { "type": "string" },
"resultPath": { "type": "string" },
"resultHash": { "type": "string", "pattern": "^sha256:[A-Fa-f0-9]{64}$" },
"schemaVersion": { "type": "string" },
"algorithmVersion": { "type": "string" },
"rerunHash": { "type": "string", "pattern": "^[a-f0-9]{64}$" }
}
},
"uniqueItems": true
},
"datasets": {
"type": "array",
"items": {
"type": "object",
"required": ["id", "path", "hash"],
"additionalProperties": false,
"properties": {
"id": { "type": "string" },
"path": { "type": "string" },
"hash": { "type": "string", "pattern": "^sha256:[A-Fa-f0-9]{64}$" },
"redactions": { "type": "array", "items": { "type": "string" }, "uniqueItems": true }
}
},
"uniqueItems": true
},
"manifest": {
"type": "array",
"items": {
"type": "object",
"required": ["path", "sha256", "size"],
"additionalProperties": false,
"properties": {
"path": { "type": "string" },
"sha256": { "type": "string", "pattern": "^[A-Fa-f0-9]{64}$" },
"size": { "type": "integer", "minimum": 0 },
"contentType": { "type": "string" }
}
},
"uniqueItems": true
},
"hashes": {
"type": "object",
"additionalProperties": false,
"properties": {
"bundleSha256": { "type": "string", "pattern": "^[A-Fa-f0-9]{64}$" },
"manifestSha256": { "type": "string", "pattern": "^[A-Fa-f0-9]{64}$" }
}
},
"signatures": {
"type": "array",
"items": {
"type": "object",
"required": ["type", "keyId", "signature"],
"additionalProperties": false,
"properties": {
"type": { "type": "string", "enum": ["dsse", "jws-detached"] },
"keyId": { "type": "string" },
"signature": { "type": "string" },
"envelopeDigest": { "type": "string", "pattern": "^sha256:[A-Fa-f0-9]{64}$" }
}
}
},
"metadata": {
"type": "object",
"additionalProperties": false,
"properties": {
"budgets": {
"type": "object",
"additionalProperties": false,
"properties": {
"budgetSeconds": { "type": "number", "minimum": 0, "default": 30 },
"maxNodes": { "type": "integer", "minimum": 0, "default": 50000 },
"maxEdges": { "type": "integer", "minimum": 0, "default": 200000 }
}
},
"offline": {
"type": "object",
"additionalProperties": false,
"properties": {
"sealed": { "type": "boolean", "default": true },
"provenance": { "type": "string" }
}
}
}
}
}
}

80
docs/modules/graph/analytics/analytics-result.schema.json Normal file
View File

@@ -0,0 +1,80 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stellaops.local/graph/analytics-result.schema.json",
"title": "Graph Analytics Result",
"type": "object",
"additionalProperties": false,
"required": [
"schemaVersion",
"algorithmVersion",
"analysisId",
"tenant",
"inputs",
"seed",
"rerunHash",
"metrics",
"result",
"createdAt"
],
"properties": {
"schemaVersion": { "type": "string", "pattern": "^1\\.\\d+\\.\\d+$" },
"algorithmVersion": { "type": "string", "pattern": "^\\d+\\.\\d+\\.\\d+$" },
"changeLogUrl": { "type": "string", "format": "uri" },
"analysisId": { "type": "string", "minLength": 1 },
"tenant": { "type": "string", "minLength": 1 },
"inputs": {
"type": "object",
"additionalProperties": false,
"properties": {
"snapshotIds": { "type": "array", "items": { "type": "string" }, "uniqueItems": true },
"filters": { "type": "object" },
"datasetHash": { "type": "string", "pattern": "^sha256:[A-Fa-f0-9]{64}$" }
}
},
"seed": { "type": "integer", "minimum": 0 },
"parameters": { "type": "object" },
"rerunHash": { "type": "string", "pattern": "^[a-f0-9]{64}$" },
"metrics": {
"type": "object",
"additionalProperties": false,
"properties": {
"durationSeconds": { "type": "number", "minimum": 0 },
"budgetSeconds": { "type": "number", "minimum": 0 },
"maxNodes": { "type": "integer", "minimum": 0 },
"maxEdges": { "type": "integer", "minimum": 0 },
"nodesProcessed": { "type": "integer", "minimum": 0 },
"edgesProcessed": { "type": "integer", "minimum": 0 },
"status": { "type": "string", "enum": ["ok", "budget_exceeded", "failed"] }
},
"required": ["durationSeconds", "budgetSeconds", "status"]
},
"result": {
"type": "object",
"description": "Algorithm-specific payload (centrality, community detection, reachability, etc.).",
"additionalProperties": true
},
"provenance": {
"type": "object",
"additionalProperties": false,
"properties": {
"inputsHash": { "type": "string", "pattern": "^sha256:[A-Fa-f0-9]{64}$" },
"resultHash": { "type": "string", "pattern": "^sha256:[A-Fa-f0-9]{64}$" },
"manifestHash": { "type": "string", "pattern": "^sha256:[A-Fa-f0-9]{64}$" }
}
},
"redactions": {
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"field": { "type": "string" },
"reason": { "type": "string" },
"policy": { "type": "string" }
},
"required": ["field", "reason"]
}
},
"createdAt": { "type": "string", "format": "date-time" }
}
}

62
docs/modules/graph/analytics/samples/analytics-bundle.sample.json Normal file
View File

@@ -0,0 +1,62 @@
{
"$schema": "../analytics-bundle.schema.json",
"bundleId": "analytics-bundle:graph:2025-12-02T00-00Z",
"tenant": "default",
"schemaVersion": "1.0.0",
"createdAt": "2025-12-02T00:00:00Z",
"analyticsResults": [
{
"analysisId": "centrality-2025-12-02",
"resultPath": "results/centrality.ndjson",
"resultHash": "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcd",
"schemaVersion": "1.0.0",
"algorithmVersion": "2.1.0",
"rerunHash": "29d58b9fdc5c4e65b26c03f3bd9f442ff0c7f8514b8a9225f8b6417ffabc0101"
}
],
"datasets": [
{
"id": "snapshot-2025-12-01",
"path": "datasets/graph-snapshot-2025-12-01.tzst",
"hash": "sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210",
"redactions": ["user.email", "org.internalNotes"]
}
],
"manifest": [
{
"path": "results/centrality.ndjson",
"sha256": "89abcdef0123456789abcdef0123456789abcdef0123456789abcdef01234567",
"size": 104857,
"contentType": "application/x-ndjson"
},
{
"path": "datasets/graph-snapshot-2025-12-01.tzst",
"sha256": "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210",
"size": 2097152,
"contentType": "application/octet-stream"
}
],
"hashes": {
"bundleSha256": "0f0e0d0c0b0a09080706050403020100ffeeddccbbaa99887766554433221100",
"manifestSha256": "aa55aa55aa55aa55aa55aa55aa55aa55aa55aa55aa55aa55aa55aa55aa55aa55"
},
"signatures": [
{
"type": "dsse",
"keyId": "graph-analytics-dev-pub",
"signature": "MEQCIDevGraphSig==",
"envelopeDigest": "sha256:bb66bb66bb66bb66bb66bb66bb66bb66bb66bb66bb66bb66bb66bb66bb66bb66"
}
],
"metadata": {
"budgets": {
"budgetSeconds": 30,
"maxNodes": 50000,
"maxEdges": 200000
},
"offline": {
"sealed": true,
"provenance": "offline-kit:graph-analytics:2025-12"
}
}
}

2
docs/modules/policy/architecture.md
View File

@@ -112,7 +112,7 @@ Key notes:
| **DSL Compiler** (`Dsl/`) | Parse, canonicalise, IR generation, checksum caching. | Uses Roslyn-like pipeline; caches by `policyId+version+hash`. |
| **Selection Layer** (`Selection/`) | Batch SBOM ↔ advisory ↔ VEX joiners; apply equivalence tables; support incremental cursors. | Deterministic ordering (SBOM → advisory → VEX). |
| **Evaluator** (`Evaluation/`) | Execute IR with first-match semantics, compute severity/trust/reachability weights, record rule hits. | Stateless; all inputs provided by selection layer. |
| **Signals** (`Signals/`) | Normalizes reachability, trust, entropy, uncertainty, runtime hits into a single dictionary passed to Evaluator; supplies default `unknown` values when signals missing. Entropy penalties are derived from Scanner `layer_summary.json`/`entropy.report.json` (K=0.5, cap=0.3, block at image opaque ratio &gt; 0.15 w/ unknown provenance) and exported via `policy_entropy_penalty_value` / `policy_entropy_image_opaque_ratio`. | Aligns with `signals.*` namespace in DSL. |
| **Signals** (`Signals/`) | Normalizes reachability, trust, entropy, uncertainty, runtime hits into a single dictionary passed to Evaluator; supplies default `unknown` values when signals missing. Entropy penalties are derived from Scanner `layer_summary.json`/`entropy.report.json` (K=0.5, cap=0.3, block at image opaque ratio &gt; 0.15 w/ unknown provenance) and exported via `policy_entropy_penalty_value` / `policy_entropy_image_opaque_ratio`; SPL scope `entropy.*` exposes `penalty`, `image_opaque_ratio`, `blocked`, `warned`, `capped`, `top_file_opaque_ratio`. | Aligns with `signals.*` namespace in DSL. |
| **Materialiser** (`Materialization/`) | Upsert effective findings, append history, manage explain bundle exports. | Mongo transactions per SBOM chunk. |
| **Orchestrator** (`Runs/`) | Change-stream ingestion, fairness, retry/backoff, queue writer. | Works with Scheduler Models DTOs. |
| **API** (`Api/`) | Minimal API endpoints, DTO validation, problem responses, idempotency. | Generated clients for CLI/UI. |

138
docs/modules/policy/contracts/policy-console-23-001-console-api.md Normal file
View File

@@ -0,0 +1,138 @@
# Contract: POLICY-CONSOLE-23-001 — Console findings/export & simulation surfaces
**Status:** Draft → Proposed (2025-12-02)
**Scope**
- Provide deterministic, tenant-scoped APIs from Policy Engine to StellaOps Console for findings browse/export and simulation/explain experiences.
- Replace legacy ad-hoc Console queries with cursor-based, RBAC-aware endpoints that expose provenance and aggregation hints.
- Keep all responses deterministic (stable ordering, explicit timestamps, no wall-clock/default time windows).
## Versioning & Compatibility
- `schemaVersion`: `console-policy-23-001` (bumped on breaking changes).
- Media type: `application/vnd.stellaops.console-policy-23-001+json` (clients MUST send `Accept` and SHOULD send `Content-Type`).
- Backward-compatible additions follow additive fields; ordering and cursor format remain stable.
## Authentication & RBAC
- Required scopes: `policy:read`, `effective:read`, `explain:read` (all tenant-scoped).
- Optional `findings:export` to enable NDJSON bulk export.
- All endpoints require `X-Tenant-Id`; server enforces tenant filter and rejects cross-tenant cursor reuse.
## Determinism Rules
- Ordering: `policyVersion DESC`, `artifactDigest ASC`, `purl ASC`, `ruleId ASC`, `findingId ASC`.
- Cursor: opaque, URL-safe base64 of the last tuple above; contains `policyVersion|artifactDigest|purl|ruleId|findingId` plus `schemaVersion`. No server clocks in cursors.
- Timestamps: clients MUST provide `evaluationTimestamp` or `timeWindowStart/End`; server never injects `DateTime.UtcNow` defaults.
- Randomness/network access disallowed; sampling ratios must be provided by the client or policy config.
## Endpoints
### 1) List findings (paged)
- **GET** `/policy/console/findings`
- **Query params**
- `cursor` (string, optional)
- `limit` (int, 1500, default 100)
- `severityBand[]` (enum: critical|high|medium|low|unknown)
- `ruleId[]`, `policyId`, `policyVersion`
- `artifactDigest[]`, `purl[]`, `namespace[]`
- `advisoryId[]`, `vexStatement[]`
- `state[]` (open|waived|fixed|not_applicable)
- `timeWindowStart`, `timeWindowEnd` (ISO-8601, optional)
- `sort` (one of `default`, `severity_desc`, `artifact`, `rule`); default respects deterministic tuple above.
- **Response**
```json
{
"schemaVersion": "console-policy-23-001",
"items": [
{
"findingId": "ulid",
"policyVersion": "2025.11.24",
"artifactDigest": "sha256:...",
"purl": "pkg:maven/org.example/foo@1.2.3",
"ruleId": "RULE-1234",
"severity": "high",
"state": "open",
"explainSummary": {
"hitRules": ["RULE-1234"],
"traceSampleId": "ulid",
"rationale": ["package matches advisory CVE-2025-1234"]
},
"provenance": {
"evaluationTimestamp": "2025-11-28T00:00:00Z",
"effectiveFindingHash": "be...",
"source": "materialized"
}
}
],
"cursor": { "next": "b64...", "prev": "b64..." },
"aggregates": {
"countsBySeverity": {"critical": 1, "high": 5, "medium": 12, "low": 3, "unknown": 0},
"countsByRule": [{"ruleId": "RULE-1234", "count": 4}],
"countsByPolicyVersion": [{"policyVersion": "2025.11.24", "count": 25}]
}
}
```
### 2) Finding explain trace (summary)
- **GET** `/policy/console/findings/{findingId}/explain`
- Returns deterministic trace summary for UI drawer (no full trace fan-out): hit rules, key facts, sampled trace token, policyVersion, evaluationTimestamp, hashes.
- Optional `format` (`json` default, `markdown` for UI preview); output ordering stable.
### 3) Simulation/export diff (used by POLICY-CONSOLE-23-002)
- **POST** `/policy/console/simulations/diff`
- **Body**
```json
{
"baselinePolicyVersion": "2025.11.24",
"candidatePolicyVersion": "2025.12.02",
"artifactScope": [{"artifactDigest": "sha256:..."}],
"budget": {"maxFindings": 2000, "maxExplainSamples": 50},
"filters": {"severityBand": ["high","critical"]}
}
```
- **Response**
```json
{
"schemaVersion": "console-policy-23-001",
"summary": {
"before": {"total": 120, "severity": {"critical":4,"high":30,"medium":60,"low":26}},
"after": {"total": 98, "severity": {"critical":3,"high":22,"medium":55,"low":18}},
"delta": {"added":12,"removed":34,"regressed":2}
},
"ruleImpact": [
{"ruleId":"RULE-1234","added":3,"removed":10,"severityShift":{"high→medium":6}},
{"ruleId":"RULE-2000","added":1,"removed":0}
],
"samples": {
"explain": ["trace-token-1","trace-token-2"],
"findings": ["finding-ulid-1","finding-ulid-2"]
},
"provenance": {
"baselinePolicyVersion": "2025.11.24",
"candidatePolicyVersion": "2025.12.02",
"evaluationTimestamp": "2025-12-02T00:00:00Z"
}
}
```
- Ordering of ruleImpact array: `ruleId ASC`; samples ordered by hash.
### 4) Bulk export (NDJSON)
- **POST** `/policy/console/findings/export`
- Body accepts same filters as list endpoint plus `format` (`ndjson` only) and `maxRows` (hard cap 50k).
- Response streams NDJSON of finding records in deterministic ordering with content hashes.
## Error Model
- 400 with machine-readable code (`invalid_filter`, `unsupported_schemaVersion`, `budget_exceeded`).
- 401/403 for auth/scope failures; 409 when `schemaVersion` mismatch.
- 429 when budget limits tripped; include `retryAfterSeconds` but never implicit sleep in server.
## Non-Goals
- No mutable state or approvals exposed here; status transitions remain in Console backend via existing endpoints.
- No live wall-clock filtering; clients must pass explicit windows.
## Testing Hooks
- Provide `X-Dry-Run: true` to validate filters and budgets without executing evaluation.
- `X-Debug-Sampling: <0..1>` allowed in non-production tenants only; otherwise rejected.
## Implementation Notes
- Reuse batch evaluation pipeline for simulation diff; reuse materialized `effective_finding_*` collections for listing/export.
- Enforce deterministic `evaluationTimestamp` supplied by caller; reject missing timestamp when `baselinePolicyVersion != candidatePolicyVersion`.
- All aggregates computed in-memory over deterministically ordered result sets; no sampling unless explicitly requested.

16
docs/modules/signals/evidence/README.md
View File

@@ -14,11 +14,19 @@ Planned Evidence Locker paths (to fill post-signing):
- `evidence-locker/signals/heuristics/2025-12-01/fixtures/` (golden inputs/outputs)
Pending steps:
1) Sign each artifact with its predicate:
1) Sign each artifact with its predicate (cosign v3.0.2 in `/usr/local/bin`, use `--bundle`; v2.6.0 fallback in `tools/cosign` also works with `--output-signature`):
- `stella.ops/confidenceDecayConfig@v1`
- `stella.ops/unknownsScoringManifest@v1`
- `stella.ops/heuristicCatalog@v1`
Example (replace KEY):
Example (v3, replace KEY):
```bash
cosign sign-blob \
--key cosign.key \
--predicate-type stella.ops/confidenceDecayConfig@v1 \
--bundle confidence_decay_config.sigstore.json \
decay/confidence_decay_config.yaml
```
v2.6.0 fallback (if PATH prefixed with `tools/cosign`):
```bash
cosign sign-blob \
--key cosign.key \
@@ -26,7 +34,9 @@ Pending steps:
--output-signature confidence_decay_config.dsse \
decay/confidence_decay_config.yaml
```
2) Attach SHA256 from `SHA256SUMS` in DSSE headers/annotations.
2) Record SHA256 from `SHA256SUMS` in DSSE annotations (or bundle metadata); keep canonical filenames:
- v3: `confidence_decay_config.sigstore.json`, `unknowns_scoring_manifest.sigstore.json`, `heuristics_catalog.sigstore.json`
- v2 fallback: `.dsse` signatures.
3) Place signed envelopes + checksums in the Evidence Locker paths above; update sprint tracker Delivery Tracker rows 57 and Decisions & Risks with the final URIs.
4) Add signer/approver IDs to the sprint Execution Log once signatures are complete.

6
docs/modules/zastava/evidence/README.md
View File

@@ -21,6 +21,12 @@ Public key copy: `docs/modules/zastava/kit/ed25519.pub`.
- `evidence-locker/zastava/2025-12-02/zastava-kit.tzst.dsse`
- `evidence-locker/zastava/2025-12-02/SHA256SUMS`
Local staging: all files above are present under `evidence-locker/zastava/2025-12-02/` in the repo root, ready for locker upload/mirroring.
## CI delivery note
- Locker upload in CI requires a write credential (e.g., `CI_EVIDENCE_LOCKER_TOKEN`) with access to the `evidence-locker/zastava/` namespace.
- If the secret is absent, perform a manual upload from the staged folder and record the locker URI in the sprint log.
## Signing template (Python, ed25519)
```bash
python - <<'PY'