stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity

feat: Enhance Task Runner with simulation and failure policy support
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details

Browse Source 
- Added tests for output projection and failure policy population in TaskPackPlanner.
- Introduced new failure policy manifest in TestManifests.
- Implemented simulation endpoints in the web service for task execution.
- Created TaskRunnerServiceOptions for configuration management.
- Updated appsettings.json to include TaskRunner configuration.
- Enhanced PackRunWorkerService to handle execution graphs and state management.
- Added support for parallel execution and conditional steps in the worker service.
- Updated documentation to reflect new features and changes in execution flow.
This commit is contained in:
master
2025-11-04 19:05:50 +02:00
parent 2eb6852d34
commit 3bd0955202
83 changed files with 15161 additions and 10678 deletions
Download Patch File Download Diff File Expand all files Collapse all files

295
docs/implplan/SPRINTS.md
View File

@@ -1,31 +1,32 @@
# Sprint Index
Follow the sprint files below in order. Update task status in both `SPRINTS` and module `TASKS.md` as you progress.
- [Identity & Signing](./SPRINT_100_identity_signing.md)
- [Ingestion & Evidence](./SPRINT_110_ingestion_evidence.md)
- [Policy & Reasoning](./SPRINT_120_policy_reasoning.md)
- [Scanner & Surface](./SPRINT_130_scanner_surface.md)
- [Runtime & Signals](./SPRINT_140_runtime_signals.md)
- [Scheduling & Automation](./SPRINT_150_scheduling_automation.md)
- [Export & Evidence](./SPRINT_160_export_evidence.md)
- [Notifications & Telemetry](./SPRINT_170_notifications_telemetry.md)
- [Experience & SDKs](./SPRINT_180_experience_sdks.md)
- [Ops & Offline](./SPRINT_190_ops_offline.md)
- [Documentation & Process](./SPRINT_200_documentation_process.md)
> 2025-11-03: ATTESTOR-72-003 moved to DOING (Attestor Service Guild) running live TTL validation against local MongoDB/Redis processes (manual hosts, no Docker).
> 2025-11-03: ATTESTOR-72-003 marked DONE (Attestor Service Guild) Mongo/Redis TTL expiry logs archived under `docs/modules/attestor/evidence/2025-11-03-*.txt` with summary in `docs/modules/attestor/ttl-validation.md`.
> 2025-11-03: AIAI-31-004B moved to DOING (Advisory AI Guild) starting prompt assembler/guardrail plumbing, cache persistence contract, and DSSE provenance wiring.
> 2025-11-03: PLG7.RFC marked DONE (Auth Plugin Guild, Security Guild) LDAP plugin RFC accepted; review log stored at `docs/notes/2025-11-03-authority-plugin-ldap-review.md`, follow-up PLG7.IMPL-001..005 queued.
> 2025-11-03: PLG7.IMPL-001 marked DONE (Auth Plugin Guild) new `StellaOps.Authority.Plugin.Ldap` project/tests scaffolded with configuration normalization & validation; sample manifest refreshed and smoke tests run (`dotnet test`).
> 2025-11-03: AIAI-31-004B marked DONE (Advisory AI Guild) prompt assembler, guardrail hooks, DSSE-ready output persistence, and golden prompt tests landed.
> 2025-11-03: AIAI-31-005 moved to DOING (Advisory AI Guild) beginning guardrail enforcement (redaction, injection defence, output validator) implementation.
> 2025-11-03: AIAI-31-006 moved to DOING (Advisory AI Guild) starting Advisory AI REST API surface work (RBAC, rate limits, batching contract).
> 2025-11-03: EVID-OBS-53-001 moved to DOING (Evidence Locker Guild) bootstrapping Evidence Locker schema and storage abstractions.
> 2025-11-03: GRAPH-INDEX-28-002 marked DONE (Graph Indexer Guild) SBOM ingest transformer, processor, and metrics landed with refreshed fixtures/tests for license and base artifact determinism.
> 2025-11-03: GRAPH-INDEX-28-003 marked DONE (Graph Indexer Guild) advisory linkset snapshot model repaired, transformer finalized with dedupe/canonical provenance, fixtures refreshed, and overlay tests passing across the graph suite.
> 2025-11-03: GRAPH-INDEX-28-004 moved to DOING (Graph Indexer Guild) beginning VEX overlay integration with precedent/justification metadata.
# Sprint Index
Follow the sprint files below in order. Update task status in both `SPRINTS` and module `TASKS.md` as you progress.
- [Identity & Signing](./SPRINT_100_identity_signing.md)
- [Ingestion & Evidence](./SPRINT_110_ingestion_evidence.md)
- [Policy & Reasoning](./SPRINT_120_policy_reasoning.md)
- [Scanner & Surface](./SPRINT_130_scanner_surface.md)
- [Runtime & Signals](./SPRINT_140_runtime_signals.md)
- [Scheduling & Automation](./SPRINT_150_scheduling_automation.md)
- [Export & Evidence](./SPRINT_160_export_evidence.md)
- [Notifications & Telemetry](./SPRINT_170_notifications_telemetry.md)
- [Experience & SDKs](./SPRINT_180_experience_sdks.md)
- [Ops & Offline](./SPRINT_190_ops_offline.md)
- [Documentation & Process](./SPRINT_200_documentation_process.md)
<<<<<<< Updated upstream
> 2025-11-03: ATTESTOR-72-003 moved to DOING (Attestor Service Guild) running live TTL validation against local MongoDB/Redis processes (manual hosts, no Docker).
> 2025-11-03: ATTESTOR-72-003 marked DONE (Attestor Service Guild) Mongo/Redis TTL expiry logs archived under `docs/modules/attestor/evidence/2025-11-03-*.txt` with summary in `docs/modules/attestor/ttl-validation.md`.
> 2025-11-03: AIAI-31-004B moved to DOING (Advisory AI Guild) starting prompt assembler/guardrail plumbing, cache persistence contract, and DSSE provenance wiring.
> 2025-11-03: PLG7.RFC marked DONE (Auth Plugin Guild, Security Guild) LDAP plugin RFC accepted; review log stored at `docs/notes/2025-11-03-authority-plugin-ldap-review.md`, follow-up PLG7.IMPL-001..005 queued.
> 2025-11-03: PLG7.IMPL-001 marked DONE (Auth Plugin Guild) new `StellaOps.Authority.Plugin.Ldap` project/tests scaffolded with configuration normalization & validation; sample manifest refreshed and smoke tests run (`dotnet test`).
> 2025-11-03: AIAI-31-004B marked DONE (Advisory AI Guild) prompt assembler, guardrail hooks, DSSE-ready output persistence, and golden prompt tests landed.
> 2025-11-03: AIAI-31-005 moved to DOING (Advisory AI Guild) beginning guardrail enforcement (redaction, injection defence, output validator) implementation.
> 2025-11-03: AIAI-31-006 moved to DOING (Advisory AI Guild) starting Advisory AI REST API surface work (RBAC, rate limits, batching contract).
> 2025-11-03: EVID-OBS-53-001 moved to DOING (Evidence Locker Guild) bootstrapping Evidence Locker schema and storage abstractions.
> 2025-11-03: GRAPH-INDEX-28-002 marked DONE (Graph Indexer Guild) SBOM ingest transformer, processor, and metrics landed with refreshed fixtures/tests for license and base artifact determinism.
> 2025-11-03: GRAPH-INDEX-28-003 marked DONE (Graph Indexer Guild) advisory linkset snapshot model repaired, transformer finalized with dedupe/canonical provenance, fixtures refreshed, and overlay tests passing across the graph suite.
> 2025-11-03: GRAPH-INDEX-28-004 moved to DOING (Graph Indexer Guild) beginning VEX overlay integration with precedent/justification metadata.
> 2025-11-03: GRAPH-INDEX-28-004 marked DONE (Graph Indexer Guild) VEX snapshot/transformer merged with deterministic overlays, fixtures refreshed, and graph indexer tests passing.
> 2025-11-03: GRAPH-INDEX-28-005 moved to DOING (Graph Indexer Guild, Policy Guild) starting policy overlay hydration (`governs_with` nodes/edges) with explain hash references.
> 2025-11-03: GRAPH-INDEX-28-005 marked DONE (Graph Indexer Guild, Policy Guild) policy overlay snapshot/transformer landed with deterministic nodes/edges and fixture-backed tests; Mongo writer tests now probe `STELLAOPS_TEST_MONGO_URI`/localhost before falling back to Mongo2Go and skip when no mongod is reachable.
@@ -34,119 +35,125 @@ Follow the sprint files below in order. Update task status in both `SPRINTS` and
> 2025-11-03: EVID-OBS-53-001 marked DONE (Evidence Locker Guild) Postgres migrations, RLS policies, filesystem/S3 stores, and compliance checklist landed with tests.
> 2025-11-03: EVID-OBS-53-002 moved to DOING (Evidence Locker Guild, Orchestrator Guild) assembling evaluation/job/export bundle builders with Merkle manifest contract.
> 2025-11-03: EVID-OBS-53-002 marked DONE (Evidence Locker Guild, Orchestrator Guild) deterministic bundle builders persisted root hashes and landed manifest tests/docs stubs.
> 2025-11-03: AIRGAP-POL-57-002 confirmed DOING (AirGap Policy Guild, Task Runner Guild) continuing Task Runner sealed-mode egress validation and test sweep.
> 2025-11-03: AIRGAP-POL-57-002 marked DONE (AirGap Policy Guild, Task Runner Guild) worker now injects `IEgressPolicy`, filesystem dispatcher enforces sealed-mode egress, planner grants normalized, sealed-mode dispatcher test added; follow-up queued to lift remaining dispatchers/executors onto the shared policy before sealing the full worker loop.
> 2025-11-03: MERGE-LNM-21-001 moved to DOING (BE-Merge, Architecture Guild) drafting `no-merge` migration playbook outline and capturing rollout/backfill checkpoints.
> 2025-11-03: MERGE-LNM-21-001 marked DONE published `docs/migration/no-merge.md` with rollout, backfill, validation, and rollback guidance for the LNM cutover.
> 2025-11-04: GRAPH-INDEX-28-011 marked DONE (Graph Indexer Guild) SBOM ingest DI wiring now emits graph snapshots by default, snapshot root configurable via `STELLAOPS_GRAPH_SNAPSHOT_DIR`, and Graph Indexer tests exercised with Mongo URI guidance.
> 2025-11-03: MERGE-LNM-21-002 moved to DOING (BE-Merge) auditing `AdvisoryMergeService` call sites to scope removal and analyzer enforcement.
> 2025-11-03: DOCS-LNM-22-008 moved to DOING (Docs Guild, DevOps Guild) aligning migration playbook structure and readiness checklist.
> 2025-11-03: DOCS-LNM-22-008 marked DONE `/docs/migration/no-merge.md` published for DevOps/Export Center planning with checklist for cutover readiness.
> 2025-11-03: SCHED-CONSOLE-27-001 marked DONE (Scheduler WebService Guild, Policy Registry Guild) policy simulation endpoints now emit SSE retry/heartbeat, enforce metadata normalization, support Mongo-backed integration, and ship auth/stream coverage.
> 2025-11-03: SCHED-CONSOLE-27-002 moved to DOING (Scheduler WebService Guild, Observability Guild) wiring policy simulation telemetry endpoints, OTEL metrics, and Registry webhooks on completion/failure.
> 2025-11-03: FEEDCONN-KISA-02-008 moved to DOING (BE-Conn-KISA, Models) starting Hangul firmware range normalization and provenance mapping for KISA advisories.
> 2025-11-03: FEEDCONN-KISA-02-008 progress SemVer normalization wired through KISA mapper with provenance slugs, exclusive marker handling, and fresh connector tests for `이상`/`미만`/`초과` scenarios plus non-numeric fallback; follow-up review queued for additional phrasing coverage before closing. Captured current detail pages via `scripts/kisa_capture_html.py` so offline HTML is available under `seed-data/kisa/html/`.
> 2025-11-03: FEEDCONN-ICSCISA-02-012 marked DONE (BE-Conn-ICS-CISA) ICS CISA connector now emits semver-aware affected.version ranges with `ics-cisa` provenance, SourceFetchService RSS fallback passes the AOC guard, and the Fetch/Parse/Map integration test is green.
> 2025-11-01: SCANNER-ANALYZERS-LANG-10-308R marked DONE (Language Analyzer Guild) heuristics fixtures, benchmarks, and coverage comparison published.
> 2025-11-01: SCANNER-ANALYZERS-LANG-10-309R marked DONE (Language Analyzer Guild) Rust analyzer packaged with offline kit smoke tests and docs.
> 2025-11-01: ENTRYTRACE-SURFACE-01 moved to DOING (EntryTrace Guild) wiring Surface.Validation and Surface.FS reuse ahead of EntryTrace runs.
> 2025-11-01: AUTH-OBS-50-001 (Sprint 50 Observability & Forensics) moved to DOING (Authority Core & Security Guild).
> 2025-11-01: AUTH-PACKS-41-001 moved to DOING (Authority Core & Security Guild) add Packs.* scopes to Authority.
> 2025-11-01: AUTH-OBS-55-001 (Sprint 55 Observability & Forensics) moved to DOING (Authority Core & Security Guild, Ops Guild).
> 2025-11-01: TASKRUN-41-001 moved to DOING (Task Runner Guild) request packs.* scopes when calling Authority.
> 2025-11-01: PACKS-REG-41-001 moved to DOING (Packs Registry Guild) enforce packs.* scopes for registry publish/run flows.
> 2025-11-01: ATTEST-VERIFY-74-001 re-opened and set to DOING to unblock build/test regressions (Verification Guild, Observability Guild).
> 2025-11-01: ATTEST-VERIFY-74-001 marked DONE after configuration and test fixes (Verification Guild, Observability Guild).
> 2025-11-01: AUTH-AIAI-31-001 marked DONE (Authority Core & Security Guild) Advisory AI scopes published and remote inference toggles documented.
> 2025-11-01: AUTH-AIRGAP-56-001 moved to DOING (Authority Core & Security Guild) add airgap scope catalogue and defaults.
> 2025-11-01: AUTH-AIRGAP-56-002 moved to DOING (Authority Core & Security Guild) implement airgap audit endpoint and logging.
> 2025-11-01: ISSUER-30-001 marked DONE (Issuer Directory Guild) Issuer Directory service scaffolded with CRUD APIs, audit sink, CSAF seed import, and unit tests.
> 2025-11-01: ISSUER-30-002 marked DONE (Issuer Directory Guild, Security Guild) Key management domain, Mongo persistence, CRUD/rotate/revoke endpoints, validation, and tests delivered.
> 2025-11-01: ISSUER-30-004 marked DONE (Issuer Directory Guild, VEX Lens Guild) Excititor worker consumes issuer directory client for key/trust lookup with cached offline support.
> 2025-11-01: ISSUER-30-005 marked DONE (Issuer Directory Guild, Observability Guild) Issuer Directory service emits structured logs + metrics for issuer/key flows with OTEL meter.
> 2025-11-02: SURFACE-ENV-01 moved to DOING (Surface Env Guild) drafting shared environment spec for Scanner/Zastava.
> 2025-11-02: SURFACE-ENV-02 moved to DOING (Surface Env Guild) implementing typed environment resolver and unit tests.
> 2025-11-02: SURFACE-VAL-01 moved to DOING (Surface Validation Guild) aligning design document with implementation plan.
> 2025-11-02: SURFACE-FS-01 moved to DOING (Surface FS Guild) finalising cache layout and manifest spec.
> 2025-11-02: SURFACE-FS-02 moved to DOING (Surface FS Guild) building core abstractions and deterministic serializers.
> 2025-11-02: SURFACE-SECRETS-01 moved to DOING (Surface Secrets Guild) updating secrets design for provider matrix.
> 2025-11-02: SURFACE-SECRETS-02 moved to DOING (Surface Secrets Guild) implementing base providers + tests.
> 2025-11-02: AUTH-POLICY-27-002 marked DONE (Authority Core & Security Guild) interactive-only policy publish/promote scopes delivered with metadata, fresh-auth enforcement, and audit/docs updates.
> 2025-11-02: SCANNER-ENTRYTRACE-18-506 moved to DOING (EntryTrace Guild, Scanner WebService Guild) surfacing EntryTrace results via WebService/CLI with confidence metadata.
> 2025-11-02: ATTESTOR-74-001 marked DONE (Attestor Service Guild) witness client integration, repository schema, and verification/reporting updates landed with tests.
> 2025-11-02: AUTH-OAS-63-001 moved to DOING (Authority Core & Security Guild, API Governance Guild) verifying legacy `/oauth/*` deprecation signalling and notifications ahead of sunset.
> 2025-11-02: AUTH-OAS-63-001 marked DONE (Authority Core & Security Guild, API Governance Guild) legacy shims emit Deprecation/Sunset/Warning headers, audit event coverage validated, and migration guide published.
> 2025-11-02: AUTH-NOTIFY-40-001 marked DONE (Authority Core & Security Guild) `/notify/ack-tokens/rotate` (notify.admin) now rotates DSSE keys with audit trails and integration tests.
> 2025-11-02: AUTH-OAS-62-001 moved to DOING (Authority Core & Security Guild, SDK Generator Guild) wiring SDK helpers for OAuth2/PAT flows and tenancy override header.
> 2025-11-02: AUTH-OAS-62-001 marked DONE (Authority Core & Security Guild, SDK Generator Guild) HttpClient auth helper (OAuth2/PAT) shipped with tenant header support and unit tests.
> 2025-11-02: AUTH-OBS-50-001 moved to DOING (Authority Core & Security Guild) defining observability scopes and updating discovery/offline defaults.
> 2025-11-02: AUTH-OBS-52-001 moved to DOING (Authority Core & Security Guild) rolling observability scopes through resource server policies and audit wiring.
> 2025-11-02: AUTH-OBS-55-001 marked DONE (Authority Core & Security Guild, Ops Guild) incident-mode tokens now require fresh auth, audit records expose `incident.reason`, and `/authority/audit/incident` verification path documented.
> 2025-11-02: AUTH-ORCH-34-001 marked DONE (Authority Core & Security Guild) `orch:backfill` scope enforced with reason/ticket metadata, Authority + CLI updated, docs/config refreshed for Orchestrator admins.
> 2025-11-02: AUTH-PACKS-41-001 moved to DOING (Authority Core & Security Guild) defining packs scope catalogue, issuer templates, and offline defaults.
> 2025-11-02: AUTH-PACKS-41-001 added shared OpenSSL 1.1 test libs so Authority & Signals Mongo2Go suites run on OpenSSL 3.
> 2025-11-02: AUTH-NOTIFY-42-001 moved to DOING (Authority Core & Security Guild) investigating `/notify/ack-tokens/rotate` 500 responses when key metadata missing.
> 2025-11-02: AUTH-NOTIFY-42-001 marked DONE (Authority Core & Security Guild) bootstrap rotate defaults fixed, `StellaOpsBearer` test alias added, and notify ack rotation regression passes.
> 2025-11-03: AUTH-TEN-49-001 marked DONE (Authority Core & Security Guild) service account delegation (`act` chain) shipped with quota/audit coverage; Authority tests green.
> 2025-11-03: AUTH-VULN-29-003 marked DONE (Authority Core & Docs Guild) Vuln Explorer security docs, samples, and release notes refreshed for roles, ABAC policies, attachment signing, and ledger verification.
> 2025-11-03: ISSUER-30-003 marked DONE (Issuer Directory Guild, Policy Guild) trust override APIs/client finalized with cache invalidation/failure-path tests; Issuer Directory suite passing.
> 2025-11-03: AUTH-AIRGAP-56-001/56-002 marked DONE (Authority Core & Security Guild) air-gap scope catalog surfaced in discovery/OpenAPI and `/authority/audit/airgap` endpoint shipped with tests.
> 2025-11-03: AUTH-PACKS-41-001 marked DONE (Authority Core & Security Guild) packs scope bundle now emitted via discovery metadata, reflected in OpenAPI, and covered by Authority tests.
> 2025-11-03: AUTH-POLICY-27-003 marked DONE (Authority Core & Docs Guild) Policy Studio docs/config updated for publish/promote signing workflow, CLI commands, and compliance checklist.
> 2025-11-02: ENTRYTRACE-SURFACE-02 moved to DOING (EntryTrace Guild) replacing direct env/secret access with Surface.Secrets provider for EntryTrace runs.
> 2025-11-02: ENTRYTRACE-SURFACE-01 marked DONE (EntryTrace Guild) Surface.Validation + Surface.FS cache now drive EntryTrace reuse with regression tests.
> 2025-11-02: ENTRYTRACE-SURFACE-02 marked DONE (EntryTrace Guild) EntryTrace environment placeholders resolved via Surface.Secrets with updated docs/tests.
> 2025-11-02: SCANNER-ENTRYTRACE-18-506 marked DONE (EntryTrace Guild, Scanner WebService Guild) EntryTrace graph surfaced via WebService and CLI with confidence metadata.
> 2025-11-02: SCANNER-ENTRYTRACE-18-509 moved to DOING (EntryTrace Guild, QA Guild) adding regression coverage for EntryTrace surfaces and NDJSON hashing.
> 2025-11-02: SCANNER-ENTRYTRACE-18-509 marked DONE (EntryTrace Guild, QA Guild) regression coverage landed for result store/WebService/CLI with NDJSON hashing snapshot.
> 2025-11-02: SCANNER-ENTRYTRACE-18-507 marked DONE (EntryTrace Guild) fallback candidate discovery now covers history, supervisor configs, service directories, and entrypoint scripts with tests.
> 2025-11-02: SCANNER-ENTRYTRACE-18-508 marked DONE (EntryTrace Guild) wrapper catalogue expanded for bundle, docker-php-entrypoint, npm, yarn, pipenv, and poetry with wrapper metadata assertions.
> 2025-11-02: CONCELIER-WEB-OAS-61-001 moved to DOING (Concelier WebService Guild) implementing discovery endpoint for `.well-known/openapi` with version metadata and ETag.
> 2025-11-02: CONCELIER-WEB-OAS-61-001 marked DONE (Concelier WebService Guild) discovery endpoint now serves signed OpenAPI 3.1 document with ETag support.
> 2025-11-02: DOCS-SCANNER-BENCH-62-001 moved to DOING (Docs Guild, Scanner Guild) refreshing Trivy/Grype/Snyk comparison docs and ecosystem matrix with source-linked coverage.
> 2025-11-02: DOCS-SCANNER-BENCH-62-001 marked DONE (Docs Guild, Scanner Guild) matrix updated with Windows/macOS coverage row and secret detection techniques; deep dives cite Trivy/Grype/Snyk sources.
> 2025-11-02: DOCS-SCANNER-BENCH-62-003 added (Docs Guild, Product Guild) recording Python lockfile/editable-install demand signals for policy guidance follow-up.
> 2025-11-02: DOCS-SCANNER-BENCH-62-004 added (Docs Guild, Java Analyzer Guild) documenting Java lockfile ingestion plan and policy templates.
> 2025-11-02: DOCS-SCANNER-BENCH-62-005 added (Docs Guild, Go Analyzer Guild) documenting Go stripped-binary fallback enrichment guidance.
> 2025-11-02: DOCS-SCANNER-BENCH-62-006 added (Docs Guild, Rust Analyzer Guild) documenting Rust fingerprint enrichment guidance.
> 2025-11-02: DOCS-SCANNER-BENCH-62-007 added (Docs Guild, Security Guild) documenting secret leak detection guidance.
> 2025-11-02: DOCS-SCANNER-BENCH-62-008 added (Docs Guild, EntryTrace Guild) documenting EntryTrace heuristic maintenance guidance.
> 2025-11-02: DOCS-SCANNER-BENCH-62-009 added (Docs Guild, Ruby Analyzer Guild) deepening Ruby gap analysis with detection tables; status set to DOING.
> 2025-11-02: DOCS-SCANNER-BENCH-62-010 added (Docs Guild, PHP Analyzer Guild) documenting PHP analyzer parity gaps; status set to DOING.
> 2025-11-02: DOCS-SCANNER-BENCH-62-011 added (Docs Guild, Language Analyzer Guild) capturing Deno runtime gap analysis; status set to DOING.
> 2025-11-02: DOCS-SCANNER-BENCH-62-012 added (Docs Guild, Language Analyzer Guild) expanding Dart ecosystem comparison; status set to DOING.
> 2025-11-02: DOCS-SCANNER-BENCH-62-013 added (Docs Guild, Swift Analyzer Guild) expanding Swift coverage analysis; status set to DOING.
> 2025-11-02: DOCS-SCANNER-BENCH-62-014 added (Docs Guild, Runtime Guild) detailing Kubernetes/VM coverage plan; status set to DOING.
> 2025-11-02: DOCS-SCANNER-BENCH-62-015 added (Docs Guild, Export Center Guild) outlining DSSE/Rekor operator enablement guidance; status set to DOING.
> 2025-11-02: DOCS-SCANNER-BENCH-62-009 marked DONE (Docs Guild, Ruby Analyzer Guild) Ruby gap section delivered with detection tables and backlog links.
> 2025-11-02: DOCS-SCANNER-BENCH-62-010 marked DONE (Docs Guild, PHP Analyzer Guild) PHP gap analysis updated with implementation notes.
> 2025-11-02: DOCS-SCANNER-BENCH-62-011 marked DONE (Docs Guild, Language Analyzer Guild) Deno plan documented with detection technique table.
> 2025-11-02: DOCS-SCANNER-BENCH-62-012 marked DONE (Docs Guild, Language Analyzer Guild) Dart coverage section fleshed out with detection strategies.
> 2025-11-02: DOCS-SCANNER-BENCH-62-013 marked DONE (Docs Guild, Swift Analyzer Guild) Swift analyzer roadmap captured with policy hooks.
> 2025-11-02: DOCS-SCANNER-BENCH-62-014 marked DONE (Docs Guild, Runtime Guild) Kubernetes/VM alignment section published.
> 2025-11-02: DOCS-SCANNER-BENCH-62-015 marked DONE (Docs Guild, Export Center Guild) DSSE/Rekor enablement guidance appended to gap doc.
> 2025-11-02: SCANNER-ENG-0009 moved to DOING (Ruby Analyzer Guild) drafting Ruby analyzer parity design package.
> 2025-11-02: SCANNER-ENG-0016 added (Ruby Analyzer Guild) implementing Ruby lock collector & vendor cache ingestion.
> 2025-11-02: SCANNER-ENG-0016 moved to DOING (Ruby Analyzer Guild) lockfile parser skeleton committed with initial Gemfile.lock parsing.
> 2025-11-02: SCANNER-ENG-0017 added (Ruby Analyzer Guild) building runtime require/autoload graph builder.
> 2025-11-02: SCANNER-ENG-0018 added (Ruby Analyzer Guild) emitting Ruby capability and framework signals.
> 2025-11-02: SCANNER-ENG-0019 added (Ruby Analyzer Guild, CLI Guild) delivering Ruby CLI verbs and Offline Kit packaging.
> 2025-11-02: SCANNER-LIC-0001 added (Scanner Guild, Legal Guild) vetting tree-sitter Ruby licensing/offline packaging.
> 2025-11-02: SCANNER-LIC-0001 moved to DOING (Scanner Guild, Legal Guild) SPDX review in progress.
> 2025-11-02: SCANNER-POLICY-0001 added (Policy Guild, Ruby Analyzer Guild) defining Ruby capability predicates in Policy Engine.
> 2025-11-02: SCANNER-CLI-0001 added (CLI Guild, Ruby Analyzer Guild) coordinating CLI UX/docs for Ruby verbs.
> 2025-11-02: AIAI-31-011 moved to DOING (Advisory AI Guild) implementing Excititor VEX document provider.
> 2025-11-02: AIAI-31-011 marked DONE (Advisory AI Guild) Excititor VEX provider + OpenVEX chunking shipped with tests.
> 2025-11-02: AIAI-31-002 moved to DOING (Advisory AI Guild, SBOM Service Guild) building SBOM context retriever for timelines/paths/blast radius.
> 2025-11-02: AIAI-31-002 progressing SBOM context models/tests landed; awaiting SBOM guild client hookup.
> 2025-11-02: AIAI-31-003 moved to DOING kicking off deterministic tooling (comparators, dependency lookup). First drop covers semver range evaluator + RPM EVR comparator.
> 2025-11-02: AIAI-31-004 moved to DOING starting deterministic orchestration pipeline (summary/conflict/remediation flow).
> 2025-11-02: ISSUER-30-006 moved to DOING (Issuer Directory Guild, DevOps Guild) deployment manifests, backup/restore, secret handling, and offline kit docs in progress.
> 2025-11-04: EVID-OBS-55-001 moved to DOING (Evidence Locker Guild, DevOps Guild) enabling incident mode retention extension, debug artefacts, and timeline/notifier hooks.
> 2025-11-04: EVID-OBS-55-001 marked DONE (Evidence Locker Guild, DevOps Guild) incident mode retention, timeline events, notifier stubs, and incident artefact packaging shipped with tests/docs.
> 2025-11-04: EVID-OBS-60-001 moved to DOING (Evidence Locker Guild) starting sealed-mode portable evidence export flow with redacted bundle packaging and offline verification guidance.
> 2025-11-04: EVID-OBS-60-001 marked DONE (Evidence Locker Guild) `/evidence/{id}/portable` now emits `portable-bundle-v1.tgz` with sanitized metadata, offline verification script, docs (`docs/airgap/portable-evidence.md`) and unit/web coverage.
> 2025-11-04: DVOFF-64-001 moved to DOING (DevPortal Offline Guild, Exporter Guild) beginning `devportal --offline` export job bundling portal HTML, specs, SDKs, and changelog assets.
> 2025-11-04: SCHED-WEB-21-004 resumed (Scheduler WebService Guild, Scheduler Storage Guild) implementing Mongo lifecycle persistence, completion event emission, and Cartographer webhook contract validation.
> 2025-11-04: SCHED-WEB-21-004 marked DONE (Scheduler WebService Guild, Scheduler Storage Guild) Mongo lifecycle persistence, single-shot completion events/webhooks, and idempotent result URI refresh landed with unit/integration coverage.
> 2025-11-04: TASKRUN-42-001 resumed (Task Runner Guild) planning loops/conditionals/maxParallel execution upgrades, simulation mode, policy gate wiring, and deterministic retry/abort handling.
> 2025-11-04: TASKRUN-42-001 progress update execution graph + simulation endpoints wired; retry windows now persisted for orchestration clients.
> 2025-11-03: AIRGAP-POL-57-002 confirmed DOING (AirGap Policy Guild, Task Runner Guild) continuing Task Runner sealed-mode egress validation and test sweep.
> 2025-11-03: AIRGAP-POL-57-002 marked DONE (AirGap Policy Guild, Task Runner Guild) worker now injects `IEgressPolicy`, filesystem dispatcher enforces sealed-mode egress, planner grants normalized, sealed-mode dispatcher test added; follow-up queued to lift remaining dispatchers/executors onto the shared policy before sealing the full worker loop.
> 2025-11-03: MERGE-LNM-21-001 moved to DOING (BE-Merge, Architecture Guild) drafting `no-merge` migration playbook outline and capturing rollout/backfill checkpoints.
> 2025-11-03: MERGE-LNM-21-001 marked DONE published `docs/migration/no-merge.md` with rollout, backfill, validation, and rollback guidance for the LNM cutover.
> 2025-11-04: GRAPH-INDEX-28-011 marked DONE (Graph Indexer Guild) SBOM ingest DI wiring now emits graph snapshots by default, snapshot root configurable via `STELLAOPS_GRAPH_SNAPSHOT_DIR`, and Graph Indexer tests exercised with Mongo URI guidance.
> 2025-11-03: MERGE-LNM-21-002 moved to DOING (BE-Merge) auditing `AdvisoryMergeService` call sites to scope removal and analyzer enforcement.
> 2025-11-03: DOCS-LNM-22-008 moved to DOING (Docs Guild, DevOps Guild) aligning migration playbook structure and readiness checklist.
> 2025-11-03: DOCS-LNM-22-008 marked DONE `/docs/migration/no-merge.md` published for DevOps/Export Center planning with checklist for cutover readiness.
> 2025-11-03: SCHED-CONSOLE-27-001 marked DONE (Scheduler WebService Guild, Policy Registry Guild) policy simulation endpoints now emit SSE retry/heartbeat, enforce metadata normalization, support Mongo-backed integration, and ship auth/stream coverage.
> 2025-11-03: SCHED-CONSOLE-27-002 moved to DOING (Scheduler WebService Guild, Observability Guild) wiring policy simulation telemetry endpoints, OTEL metrics, and Registry webhooks on completion/failure.
> 2025-11-03: FEEDCONN-KISA-02-008 moved to DOING (BE-Conn-KISA, Models) starting Hangul firmware range normalization and provenance mapping for KISA advisories.
> 2025-11-03: FEEDCONN-KISA-02-008 progress SemVer normalization wired through KISA mapper with provenance slugs, exclusive marker handling, and fresh connector tests for `이상`/`미만`/`초과` scenarios plus non-numeric fallback; follow-up review queued for additional phrasing coverage before closing. Captured current detail pages via `scripts/kisa_capture_html.py` so offline HTML is available under `seed-data/kisa/html/`.
> 2025-11-03: FEEDCONN-ICSCISA-02-012 marked DONE (BE-Conn-ICS-CISA) ICS CISA connector now emits semver-aware affected.version ranges with `ics-cisa` provenance, SourceFetchService RSS fallback passes the AOC guard, and the Fetch/Parse/Map integration test is green.
> 2025-11-01: SCANNER-ANALYZERS-LANG-10-308R marked DONE (Language Analyzer Guild) heuristics fixtures, benchmarks, and coverage comparison published.
> 2025-11-01: SCANNER-ANALYZERS-LANG-10-309R marked DONE (Language Analyzer Guild) Rust analyzer packaged with offline kit smoke tests and docs.
> 2025-11-01: ENTRYTRACE-SURFACE-01 moved to DOING (EntryTrace Guild) wiring Surface.Validation and Surface.FS reuse ahead of EntryTrace runs.
> 2025-11-01: AUTH-OBS-50-001 (Sprint 50 Observability & Forensics) moved to DOING (Authority Core & Security Guild).
> 2025-11-01: AUTH-PACKS-41-001 moved to DOING (Authority Core & Security Guild) add Packs.* scopes to Authority.
> 2025-11-01: AUTH-OBS-55-001 (Sprint 55 Observability & Forensics) moved to DOING (Authority Core & Security Guild, Ops Guild).
> 2025-11-01: TASKRUN-41-001 moved to DOING (Task Runner Guild) request packs.* scopes when calling Authority.
> 2025-11-01: PACKS-REG-41-001 moved to DOING (Packs Registry Guild) enforce packs.* scopes for registry publish/run flows.
> 2025-11-01: ATTEST-VERIFY-74-001 re-opened and set to DOING to unblock build/test regressions (Verification Guild, Observability Guild).
> 2025-11-01: ATTEST-VERIFY-74-001 marked DONE after configuration and test fixes (Verification Guild, Observability Guild).
> 2025-11-01: AUTH-AIAI-31-001 marked DONE (Authority Core & Security Guild) Advisory AI scopes published and remote inference toggles documented.
> 2025-11-01: AUTH-AIRGAP-56-001 moved to DOING (Authority Core & Security Guild) add airgap scope catalogue and defaults.
> 2025-11-01: AUTH-AIRGAP-56-002 moved to DOING (Authority Core & Security Guild) implement airgap audit endpoint and logging.
> 2025-11-01: ISSUER-30-001 marked DONE (Issuer Directory Guild) Issuer Directory service scaffolded with CRUD APIs, audit sink, CSAF seed import, and unit tests.
> 2025-11-01: ISSUER-30-002 marked DONE (Issuer Directory Guild, Security Guild) Key management domain, Mongo persistence, CRUD/rotate/revoke endpoints, validation, and tests delivered.
> 2025-11-01: ISSUER-30-004 marked DONE (Issuer Directory Guild, VEX Lens Guild) Excititor worker consumes issuer directory client for key/trust lookup with cached offline support.
> 2025-11-01: ISSUER-30-005 marked DONE (Issuer Directory Guild, Observability Guild) Issuer Directory service emits structured logs + metrics for issuer/key flows with OTEL meter.
> 2025-11-02: SURFACE-ENV-01 moved to DOING (Surface Env Guild) drafting shared environment spec for Scanner/Zastava.
> 2025-11-02: SURFACE-ENV-02 moved to DOING (Surface Env Guild) implementing typed environment resolver and unit tests.
> 2025-11-02: SURFACE-VAL-01 moved to DOING (Surface Validation Guild) aligning design document with implementation plan.
> 2025-11-02: SURFACE-FS-01 moved to DOING (Surface FS Guild) finalising cache layout and manifest spec.
> 2025-11-02: SURFACE-FS-02 moved to DOING (Surface FS Guild) building core abstractions and deterministic serializers.
> 2025-11-02: SURFACE-SECRETS-01 moved to DOING (Surface Secrets Guild) updating secrets design for provider matrix.
> 2025-11-02: SURFACE-SECRETS-02 moved to DOING (Surface Secrets Guild) implementing base providers + tests.
> 2025-11-02: AUTH-POLICY-27-002 marked DONE (Authority Core & Security Guild) interactive-only policy publish/promote scopes delivered with metadata, fresh-auth enforcement, and audit/docs updates.
> 2025-11-02: SCANNER-ENTRYTRACE-18-506 moved to DOING (EntryTrace Guild, Scanner WebService Guild) surfacing EntryTrace results via WebService/CLI with confidence metadata.
> 2025-11-02: ATTESTOR-74-001 marked DONE (Attestor Service Guild) witness client integration, repository schema, and verification/reporting updates landed with tests.
> 2025-11-02: AUTH-OAS-63-001 moved to DOING (Authority Core & Security Guild, API Governance Guild) verifying legacy `/oauth/*` deprecation signalling and notifications ahead of sunset.
> 2025-11-02: AUTH-OAS-63-001 marked DONE (Authority Core & Security Guild, API Governance Guild) legacy shims emit Deprecation/Sunset/Warning headers, audit event coverage validated, and migration guide published.
> 2025-11-02: AUTH-NOTIFY-40-001 marked DONE (Authority Core & Security Guild) `/notify/ack-tokens/rotate` (notify.admin) now rotates DSSE keys with audit trails and integration tests.
> 2025-11-02: AUTH-OAS-62-001 moved to DOING (Authority Core & Security Guild, SDK Generator Guild) wiring SDK helpers for OAuth2/PAT flows and tenancy override header.
> 2025-11-02: AUTH-OAS-62-001 marked DONE (Authority Core & Security Guild, SDK Generator Guild) HttpClient auth helper (OAuth2/PAT) shipped with tenant header support and unit tests.
> 2025-11-02: AUTH-OBS-50-001 moved to DOING (Authority Core & Security Guild) defining observability scopes and updating discovery/offline defaults.
> 2025-11-02: AUTH-OBS-52-001 moved to DOING (Authority Core & Security Guild) rolling observability scopes through resource server policies and audit wiring.
> 2025-11-02: AUTH-OBS-55-001 marked DONE (Authority Core & Security Guild, Ops Guild) incident-mode tokens now require fresh auth, audit records expose `incident.reason`, and `/authority/audit/incident` verification path documented.
> 2025-11-02: AUTH-ORCH-34-001 marked DONE (Authority Core & Security Guild) `orch:backfill` scope enforced with reason/ticket metadata, Authority + CLI updated, docs/config refreshed for Orchestrator admins.
> 2025-11-02: AUTH-PACKS-41-001 moved to DOING (Authority Core & Security Guild) defining packs scope catalogue, issuer templates, and offline defaults.
> 2025-11-02: AUTH-PACKS-41-001 added shared OpenSSL 1.1 test libs so Authority & Signals Mongo2Go suites run on OpenSSL 3.
> 2025-11-02: AUTH-NOTIFY-42-001 moved to DOING (Authority Core & Security Guild) investigating `/notify/ack-tokens/rotate` 500 responses when key metadata missing.
> 2025-11-02: AUTH-NOTIFY-42-001 marked DONE (Authority Core & Security Guild) bootstrap rotate defaults fixed, `StellaOpsBearer` test alias added, and notify ack rotation regression passes.
> 2025-11-03: AUTH-TEN-49-001 marked DONE (Authority Core & Security Guild) service account delegation (`act` chain) shipped with quota/audit coverage; Authority tests green.
> 2025-11-03: AUTH-VULN-29-003 marked DONE (Authority Core & Docs Guild) Vuln Explorer security docs, samples, and release notes refreshed for roles, ABAC policies, attachment signing, and ledger verification.
> 2025-11-03: ISSUER-30-003 marked DONE (Issuer Directory Guild, Policy Guild) trust override APIs/client finalized with cache invalidation/failure-path tests; Issuer Directory suite passing.
> 2025-11-03: AUTH-AIRGAP-56-001/56-002 marked DONE (Authority Core & Security Guild) air-gap scope catalog surfaced in discovery/OpenAPI and `/authority/audit/airgap` endpoint shipped with tests.
> 2025-11-03: AUTH-PACKS-41-001 marked DONE (Authority Core & Security Guild) packs scope bundle now emitted via discovery metadata, reflected in OpenAPI, and covered by Authority tests.
> 2025-11-03: AUTH-POLICY-27-003 marked DONE (Authority Core & Docs Guild) Policy Studio docs/config updated for publish/promote signing workflow, CLI commands, and compliance checklist.
> 2025-11-02: ENTRYTRACE-SURFACE-02 moved to DOING (EntryTrace Guild) replacing direct env/secret access with Surface.Secrets provider for EntryTrace runs.
> 2025-11-02: ENTRYTRACE-SURFACE-01 marked DONE (EntryTrace Guild) Surface.Validation + Surface.FS cache now drive EntryTrace reuse with regression tests.
> 2025-11-02: ENTRYTRACE-SURFACE-02 marked DONE (EntryTrace Guild) EntryTrace environment placeholders resolved via Surface.Secrets with updated docs/tests.
> 2025-11-02: SCANNER-ENTRYTRACE-18-506 marked DONE (EntryTrace Guild, Scanner WebService Guild) EntryTrace graph surfaced via WebService and CLI with confidence metadata.
> 2025-11-02: SCANNER-ENTRYTRACE-18-509 moved to DOING (EntryTrace Guild, QA Guild) adding regression coverage for EntryTrace surfaces and NDJSON hashing.
> 2025-11-02: SCANNER-ENTRYTRACE-18-509 marked DONE (EntryTrace Guild, QA Guild) regression coverage landed for result store/WebService/CLI with NDJSON hashing snapshot.
> 2025-11-02: SCANNER-ENTRYTRACE-18-507 marked DONE (EntryTrace Guild) fallback candidate discovery now covers history, supervisor configs, service directories, and entrypoint scripts with tests.
> 2025-11-02: SCANNER-ENTRYTRACE-18-508 marked DONE (EntryTrace Guild) wrapper catalogue expanded for bundle, docker-php-entrypoint, npm, yarn, pipenv, and poetry with wrapper metadata assertions.
> 2025-11-02: CONCELIER-WEB-OAS-61-001 moved to DOING (Concelier WebService Guild) implementing discovery endpoint for `.well-known/openapi` with version metadata and ETag.
> 2025-11-02: CONCELIER-WEB-OAS-61-001 marked DONE (Concelier WebService Guild) discovery endpoint now serves signed OpenAPI 3.1 document with ETag support.
> 2025-11-02: DOCS-SCANNER-BENCH-62-001 moved to DOING (Docs Guild, Scanner Guild) refreshing Trivy/Grype/Snyk comparison docs and ecosystem matrix with source-linked coverage.
> 2025-11-02: DOCS-SCANNER-BENCH-62-001 marked DONE (Docs Guild, Scanner Guild) matrix updated with Windows/macOS coverage row and secret detection techniques; deep dives cite Trivy/Grype/Snyk sources.
> 2025-11-02: DOCS-SCANNER-BENCH-62-003 added (Docs Guild, Product Guild) recording Python lockfile/editable-install demand signals for policy guidance follow-up.
> 2025-11-02: DOCS-SCANNER-BENCH-62-004 added (Docs Guild, Java Analyzer Guild) documenting Java lockfile ingestion plan and policy templates.
> 2025-11-02: DOCS-SCANNER-BENCH-62-005 added (Docs Guild, Go Analyzer Guild) documenting Go stripped-binary fallback enrichment guidance.
> 2025-11-02: DOCS-SCANNER-BENCH-62-006 added (Docs Guild, Rust Analyzer Guild) documenting Rust fingerprint enrichment guidance.
> 2025-11-02: DOCS-SCANNER-BENCH-62-007 added (Docs Guild, Security Guild) documenting secret leak detection guidance.
> 2025-11-02: DOCS-SCANNER-BENCH-62-008 added (Docs Guild, EntryTrace Guild) documenting EntryTrace heuristic maintenance guidance.
> 2025-11-02: DOCS-SCANNER-BENCH-62-009 added (Docs Guild, Ruby Analyzer Guild) deepening Ruby gap analysis with detection tables; status set to DOING.
> 2025-11-02: DOCS-SCANNER-BENCH-62-010 added (Docs Guild, PHP Analyzer Guild) documenting PHP analyzer parity gaps; status set to DOING.
> 2025-11-02: DOCS-SCANNER-BENCH-62-011 added (Docs Guild, Language Analyzer Guild) capturing Deno runtime gap analysis; status set to DOING.
> 2025-11-02: DOCS-SCANNER-BENCH-62-012 added (Docs Guild, Language Analyzer Guild) expanding Dart ecosystem comparison; status set to DOING.
> 2025-11-02: DOCS-SCANNER-BENCH-62-013 added (Docs Guild, Swift Analyzer Guild) expanding Swift coverage analysis; status set to DOING.
> 2025-11-02: DOCS-SCANNER-BENCH-62-014 added (Docs Guild, Runtime Guild) detailing Kubernetes/VM coverage plan; status set to DOING.
> 2025-11-02: DOCS-SCANNER-BENCH-62-015 added (Docs Guild, Export Center Guild) outlining DSSE/Rekor operator enablement guidance; status set to DOING.
> 2025-11-02: DOCS-SCANNER-BENCH-62-009 marked DONE (Docs Guild, Ruby Analyzer Guild) Ruby gap section delivered with detection tables and backlog links.
> 2025-11-02: DOCS-SCANNER-BENCH-62-010 marked DONE (Docs Guild, PHP Analyzer Guild) PHP gap analysis updated with implementation notes.
> 2025-11-02: DOCS-SCANNER-BENCH-62-011 marked DONE (Docs Guild, Language Analyzer Guild) Deno plan documented with detection technique table.
> 2025-11-02: DOCS-SCANNER-BENCH-62-012 marked DONE (Docs Guild, Language Analyzer Guild) Dart coverage section fleshed out with detection strategies.
> 2025-11-02: DOCS-SCANNER-BENCH-62-013 marked DONE (Docs Guild, Swift Analyzer Guild) Swift analyzer roadmap captured with policy hooks.
> 2025-11-02: DOCS-SCANNER-BENCH-62-014 marked DONE (Docs Guild, Runtime Guild) Kubernetes/VM alignment section published.
> 2025-11-02: DOCS-SCANNER-BENCH-62-015 marked DONE (Docs Guild, Export Center Guild) DSSE/Rekor enablement guidance appended to gap doc.
> 2025-11-02: SCANNER-ENG-0009 moved to DOING (Ruby Analyzer Guild) drafting Ruby analyzer parity design package.
> 2025-11-02: SCANNER-ENG-0016 added (Ruby Analyzer Guild) implementing Ruby lock collector & vendor cache ingestion.
> 2025-11-02: SCANNER-ENG-0016 moved to DOING (Ruby Analyzer Guild) lockfile parser skeleton committed with initial Gemfile.lock parsing.
> 2025-11-02: SCANNER-ENG-0017 added (Ruby Analyzer Guild) building runtime require/autoload graph builder.
> 2025-11-02: SCANNER-ENG-0018 added (Ruby Analyzer Guild) emitting Ruby capability and framework signals.
> 2025-11-02: SCANNER-ENG-0019 added (Ruby Analyzer Guild, CLI Guild) delivering Ruby CLI verbs and Offline Kit packaging.
> 2025-11-02: SCANNER-LIC-0001 added (Scanner Guild, Legal Guild) vetting tree-sitter Ruby licensing/offline packaging.
> 2025-11-02: SCANNER-LIC-0001 moved to DOING (Scanner Guild, Legal Guild) SPDX review in progress.
> 2025-11-02: SCANNER-POLICY-0001 added (Policy Guild, Ruby Analyzer Guild) defining Ruby capability predicates in Policy Engine.
> 2025-11-02: SCANNER-CLI-0001 added (CLI Guild, Ruby Analyzer Guild) coordinating CLI UX/docs for Ruby verbs.
> 2025-11-02: AIAI-31-011 moved to DOING (Advisory AI Guild) implementing Excititor VEX document provider.
> 2025-11-02: AIAI-31-011 marked DONE (Advisory AI Guild) Excititor VEX provider + OpenVEX chunking shipped with tests.
> 2025-11-02: AIAI-31-002 moved to DOING (Advisory AI Guild, SBOM Service Guild) building SBOM context retriever for timelines/paths/blast radius.
> 2025-11-02: AIAI-31-002 progressing SBOM context models/tests landed; awaiting SBOM guild client hookup.
> 2025-11-04: AIAI-31-002 marked DONE SBOM context HTTP client + DI wiring delivered, retriever integrated, HTTP unit tests added.
> 2025-11-02: AIAI-31-003 moved to DOING kicking off deterministic tooling (comparators, dependency lookup). First drop covers semver range evaluator + RPM EVR comparator.
> 2025-11-04: AIAI-31-003 marked DONE deterministic toolset now DI-registered with SBOM context client, added semver/EVR comparison & range tests, and dependency analysis feeds orchestrator metadata.
> 2025-11-02: AIAI-31-004 moved to DOING starting deterministic orchestration pipeline (summary/conflict/remediation flow).
> 2025-11-02: ISSUER-30-006 moved to DOING (Issuer Directory Guild, DevOps Guild) deployment manifests, backup/restore, secret handling, and offline kit docs in progress.
> 2025-11-04: EVID-OBS-55-001 moved to DOING (Evidence Locker Guild, DevOps Guild) enabling incident mode retention extension, debug artefacts, and timeline/notifier hooks.
> 2025-11-04: EVID-OBS-55-001 marked DONE (Evidence Locker Guild, DevOps Guild) incident mode retention, timeline events, notifier stubs, and incident artefact packaging shipped with tests/docs.
> 2025-11-04: EVID-OBS-60-001 moved to DOING (Evidence Locker Guild) starting sealed-mode portable evidence export flow with redacted bundle packaging and offline verification guidance.
> 2025-11-04: EVID-OBS-60-001 marked DONE (Evidence Locker Guild) `/evidence/{id}/portable` now emits `portable-bundle-v1.tgz` with sanitized metadata, offline verification script, docs (`docs/airgap/portable-evidence.md`) and unit/web coverage.
> 2025-11-04: DVOFF-64-001 moved to DOING (DevPortal Offline Guild, Exporter Guild) beginning `devportal --offline` export job bundling portal HTML, specs, SDKs, and changelog assets.