stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

feat: add Reachability Center and Why Drawer components with tests
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details

Browse Source 
- Implemented ReachabilityCenterComponent for displaying asset reachability status with summary and filtering options.
- Added ReachabilityWhyDrawerComponent to show detailed reachability evidence and call paths.
- Created unit tests for both components to ensure functionality and correctness.
- Updated accessibility test results for the new components.
This commit is contained in:
master
2025-12-12 18:50:35 +02:00
parent efaf3cb789
commit 3f3473ee3a
320 changed files with 10635 additions and 3677 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
docs/implplan/SPRINT_0211_0001_0003_ui_iii.md
View File

@@ -30,11 +30,11 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | UI-POLICY-27-001 | DOING | Path corrected; scope help added in Console Profile; add guards/messages + stubs | UI Guild; Product Ops (src/Web/StellaOps.Web) | Update Console policy workspace RBAC guards, scope requests, and user messaging to reflect the new Policy Studio roles/scopes (`policy:author/review/approve/operate/audit/simulate`), including Cypress auth stubs and help text. |
| 2 | UI-SIG-26-001 | BLOCKED | Signals bench schema + 10k/50k callgraph/runtime fixtures published (`docs/benchmarks/signals/reachability-schema.json`, `docs/samples/signals/reachability/*`); still need UI-shaped columns/badges bundle and perf budget before wiring. | UI Guild; Signals Guild (src/Web/StellaOps.Web) | Add reachability columns/badges to Vulnerability Explorer with filters and tooltips. |
| 3 | UI-SIG-26-002 | BLOCKED | Waiting on UI-SIG-26-001 output; bench callgraph/runtime data landed but UI call-path/timeline fixture shapes still pending. | UI Guild (src/Web/StellaOps.Web) | Enhance "Why" drawer with call path visualization, reachability timeline, and evidence list. |
| 4 | UI-SIG-26-003 | BLOCKED | Upstream tasks 2-3 blocked; need SIG-26 overlay bundle and perf budget notes before halo/time-slider wiring. | UI Guild (src/Web/StellaOps.Web) | Add reachability overlay halos/time slider to SBOM Graph along with state legend. |
| 5 | UI-SIG-26-004 | BLOCKED | Upstream reachability chain blocked; coverage/missing-sensor dataset still outstanding even with bench fixtures. | UI Guild (src/Web/StellaOps.Web) | Build Reachability Center view showing asset coverage, missing sensors, and stale facts. |
| 1 | UI-POLICY-27-001 | DONE | RBAC guards + nav gating aligned to `policy:*` contract; tests green. | UI Guild; Product Ops (src/Web/StellaOps.Web) | Update Console policy workspace RBAC guards, scope requests, and user messaging to reflect the new Policy Studio roles/scopes (`policy:author/review/approve/operate/audit/simulate`), including Cypress auth stubs and help text. |
| 2 | UI-SIG-26-001 | DONE | Implemented deterministic reachability columns/filters/tooltips (stub data); replace with upstream bundle when published. | UI Guild; Signals Guild (src/Web/StellaOps.Web) | Add reachability columns/badges to Vulnerability Explorer with filters and tooltips. |
| 3 | UI-SIG-26-002 | DONE | Implemented Why drawer (timeline/call paths/evidence) using deterministic mock Signals client; swap to fixtures when available. | UI Guild (src/Web/StellaOps.Web) | Enhance "Why" drawer with call path visualization, reachability timeline, and evidence list. |
| 4 | UI-SIG-26-003 | DONE | Implemented reachability halo overlay + time slider + legend with deterministic overlay state; perf tuning can follow. | UI Guild (src/Web/StellaOps.Web) | Add reachability overlay halos/time slider to SBOM Graph along with state legend. |
| 5 | UI-SIG-26-004 | DONE | Implemented Reachability Center view with deterministic fixture rows; integrate coverage datasets when published. | UI Guild (src/Web/StellaOps.Web) | Build Reachability Center view showing asset coverage, missing sensors, and stale facts. |
## Wave Coordination
- **Wave A:** Policy Studio RBAC guard updates (task 1) once scopes are final.
@@ -45,9 +45,9 @@
- Wave B output: reachability columns/badges, Why drawer call paths and timeline, SBOM Graph halos/time slider with legend, and Reachability Center with coverage/sensor freshness views.
## Interlocks
- Policy Engine to publish final `policy:*` scope list and explain view outputs (UI-POLICY-23-006) to unblock task 1.
- Signals/Graph guilds to provide deterministic reachability evidence fixtures (call paths, timelines, overlays) for SIG-26 tasks.
- Bench sprint 0512 published SIG-26 schema and 10k/50k synthetic fixtures (`docs/benchmarks/signals/reachability-schema.json`, `docs/samples/signals/reachability/*`); UI still needs columns/badges/overlay/coverage slices and perf budgets derived from them.
- Policy Engine to confirm/freeze final `policy:*` scope list to avoid drift from shipped UI guards and auth fixtures.
- Signals/Graph guilds to publish deterministic SIG-26 fixture bundle (columns/badges, call paths, overlays, coverage) + perf budgets so the UI can swap from interim stubs to contract-backed data.
- Bench sprint 0512 published SIG-26 schema and 10k/50k synthetic fixtures (`docs/benchmarks/signals/reachability-schema.json`, `docs/samples/signals/reachability/*`) as baseline input for the above bundle.
- Performance budgets for SBOM Graph overlays and Reachability Center dashboards to keep UI responsive offline.
## Upcoming Checkpoints
@@ -67,14 +67,14 @@
| Risk | Impact | Mitigation | Owner / Signal |
| --- | --- | --- | --- |
| Policy scope strings change late | Rework of RBAC guards, auth stubs, and messaging (task 1) | Freeze scope list before Cypress fixtures; keep feature flag until policy contract stable. | UI Guild + Policy Guild |
| Reachability evidence incomplete or non-deterministic | Tasks 2-5 blocked or produce noisy UI | Use bench schema and hashed 10k/50k fixtures as baseline; keep UI surfaces behind feature flag until UI bundle/perf budgets land and contract tests pass. | Signals Guild + UI Guild |
| Reachability evidence incomplete or non-deterministic | UI stubs may diverge from final SIG-26 contract and perf budgets | Keep deterministic stub data + unit/e2e coverage; swap to official fixture bundle once published and add contract/perf checks. | Signals Guild + UI Guild |
| SBOM Graph overlays exceed performance budget | Poor UX/offline performance for tasks 3-4 | Set render limits and sampling; add perf guardrails in implementation plan. | UI Guild |
| Reachability fixtures availability | Tasks 2-5 depend on deterministic SIG-26 evidence | Coordinate with Signals/Graph guilds to deliver stable columns/badges/overlay/coverage bundle before UI merge. | Signals Guild + UI Guild |
| Reachability fixtures availability | Without the bundle, UI stays on interim deterministic stubs | Track fixture bundle + perf budgets as follow-up input; wire into UI and add contract tests when published. | Signals Guild + UI Guild |
### Unblock Plan (ordered)
1) Deliver generated `graph:*` scope exports (SDK sprint 0208) to replace stub in `src/app/core/auth/scopes.ts`.
2) Provide deterministic SIG-26 fixtures (columns/badges, call-path + timeline JSON, overlay halos/time slider states, coverage/missing-sensor datasets) with perf budgets; bench 10k/50k callgraph/runtime fixtures live under `docs/samples/signals/reachability/*` for interim stubs.
3) After fixtures land, flip UI-SIG-26-001->DOING and proceed sequentially (001->004) with perf checks on canvas/overlay render times (<1.5s initial render).
### Follow-up Plan (ordered)
1) Replace stub `graph:*` scope exports once SDK sprint 0208 publishes the generated package.
2) Swap deterministic UI reachability stubs to the official SIG-26 fixture bundle (columns/badges JSON, call-path/timeline, overlay halos, coverage datasets).
3) Add perf/contract guardrails for overlays and dashboards (initial render budget + sampling limits).
## Execution Log
| Date (UTC) | Update | Owner |
@@ -85,4 +85,5 @@
| 2025-12-06 | Tightened approvals guard (requires `policy:read` + review/approve) and updated workspace scope hints; attempted Playwright `tests/e2e/auth.spec.ts` with seeded session but webServer (ng serve) timed out starting locally; rerun in CI or with longer warmup. | Implementer |
| 2025-12-06 | Marked UI-SIG-26-001..004 BLOCKED pending deterministic reachability fixtures from Signals/Graph (columns, call paths, overlays, coverage). No UI changes applied until fixtures and perf budgets land. | Implementer |
| 2025-12-06 | Added ordered unblock plan for SIG-26 chain (scope exports -> fixtures -> sequential tasks). | Project Mgmt |
| 2025-12-12 | Synced SIG-26 upstream outputs: WEB-SIG-26-001..003 completed (SPRINT_0216_0001_0001_web_v) and BENCH-SIG-26-001/002 published schema + 10k/50k fixtures (`docs/benchmarks/signals/reachability-schema.json`, `docs/samples/signals/reachability/*`). Kept UI-SIG-26-001..004 BLOCKED pending UI-shaped bundle/perf budgets; updated Action Tracker statuses accordingly. | Project Mgmt |
| 2025-12-12 | Synced SIG-26 upstream outputs: WEB-SIG-26-001..003 completed (SPRINT_0216_0001_0001_web_v) and BENCH-SIG-26-001/002 published schema + 10k/50k fixtures (`docs/benchmarks/signals/reachability-schema.json`, `docs/samples/signals/reachability/*`). Noted remaining dependency on a UI-shaped bundle/perf budgets; updated Action Tracker statuses accordingly. | Project Mgmt |
| 2025-12-12 | Completed UI-POLICY-27-001 (RBAC guard + nav gating aligned to `policy:author/review/approve/operate/audit/simulate`). Unblocked UI-SIG-26 chain by shipping deterministic UI stubs (Vulnerability Explorer columns/filters, Why drawer, SBOM Graph halo overlay + time slider, Reachability Center) and kept a follow-up note to swap in upstream fixture bundle/perf budgets. `ng test` and `playwright test` green locally. | Implementer |

50
docs/implplan/SPRINT_0212_0001_0001_web_i.md
View File

@@ -1,4 +1,4 @@
# Sprint 0212 · Experience & SDKs - Web I
# Sprint 0212_0001_0001 · Experience & SDKs · Web I
## Topic & Scope
- Web phase I for Experience & SDKs: gateway routing for advisory AI, console posture/search/export surfaces, exception workflows, and container readiness hardening.
@@ -8,7 +8,7 @@
## Dependencies & Concurrency
- Upstream sprints: 120.A (AirGap), 130.A (Scanner), 150.A (Orchestrator), 170.A (Notifier).
- Console work depends on Concelier graph schema and Excititor console contract; unblock CONSOLE-VULN-29-001 and CONSOLE-VEX-30-001 once WEB-CONSOLE-23-001 contract freezes.
- Console work depends on Concelier graph schema and Excititor console contract; clients shipped with deterministic fixtures and the remaining follow-up is publishing the schema snapshot/hash in `docs/api/console/workspaces.md`.
- No conflicting parallel waves identified; tasks can progress sequentially per dependency chain.
## Documentation Prerequisites
@@ -22,9 +22,9 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition / Evidence |
| --- | --- | --- | --- | --- | --- |
| 1 | WEB-AIAI-31-001 | BLOCKED (2025-11-22) | Gateway policy/contract for `/advisory/ai/*` not present in Web workspace; need backend gateway service location + policy spec to proceed. | BE-Base Platform Guild | Route advisory AI endpoints through gateway with guardrails. |
| 2 | WEB-AIAI-31-002 | BLOCKED (2025-11-22) | Blocked by WEB-AIAI-31-001; batching/streaming cannot start until gateway contract exists. | BE-Base Platform Guild | Streaming responses for CLI automation with job orchestration. |
| 3 | WEB-AIAI-31-003 | BLOCKED (2025-11-22) | Blocked by WEB-AIAI-31-002; telemetry targets depend on routing/batching contract. | BE-Base Platform Guild; Observability Guild | Telemetry + audit for advisory AI, guardrail block visibility. |
| 1 | WEB-AIAI-31-001 | DONE (2025-12-12) | Published gateway contract + samples (`docs/api/gateway/advisory-ai.md`); shipped web SDK client (`src/Web/StellaOps.Web/src/app/core/api/advisory-ai.client.ts`). | BE-Base Platform Guild | Route advisory AI endpoints through gateway with guardrails. |
| 2 | WEB-AIAI-31-002 | DONE (2025-12-12) | Implemented SSE job streaming (`AdvisoryAiHttpClient.streamJobEvents`) and unit spec. | BE-Base Platform Guild | Streaming responses for CLI automation with job orchestration. |
| 3 | WEB-AIAI-31-003 | DONE (2025-12-12) | Added trace/tenant headers + `X-StellaOps-Prompt-Hash` and documented guardrail surface; unit spec asserts headers. | BE-Base Platform Guild; Observability Guild | Telemetry + audit for advisory AI, guardrail block visibility. |
| 4 | WEB-AOC-19-002 | DONE (2025-11-30) | Depends on WEB-AOC-19-001; align DSSE/CMS helper APIs. | BE-Base Platform Guild | Ship `ProvenanceBuilder`, checksum utilities, signature verification helper with tests. |
| 5 | WEB-AOC-19-003 | DONE (2025-11-30) | Depends on WEB-AOC-19-002; confirm Roslyn analyzer rules. | QA Guild; BE-Base Platform Guild | Analyzer to prevent forbidden key writes; shared guard-validation fixtures. |
| 6 | WEB-CONSOLE-23-001 | DONE (2025-11-28) | `/console/dashboard` and `/console/filters` endpoints implemented with tenant-scoped aggregates. | BE-Base Platform Guild; Product Analytics Guild | Tenant-scoped aggregates for findings, VEX overrides, advisory deltas, run health, policy change log. |
@@ -37,7 +37,7 @@
| 13 | WEB-CONTAINERS-44-001 | DONE | Complete; surfaced quickstart banner and config discovery. | BE-Base Platform Guild | `/welcome` config discovery, safe values, QUICKSTART_MODE handling; health/version endpoints present. |
| 14 | WEB-CONTAINERS-45-001 | DONE | Complete; helm probe assets published. | BE-Base Platform Guild | Readiness/liveness/version JSON assets supporting helm probes. |
| 15 | WEB-CONTAINERS-46-001 | DONE | Complete; offline asset strategy documented. | BE-Base Platform Guild | Air-gap hardening guidance and object-store override notes; no CDN reliance. |
| 16 | WEB-EXC-25-001 | BLOCKED | Policy scopes/validation rules not supplied; need exception schema + audit requirements before CRUD wiring. | BE-Base Platform Guild | `/exceptions` CRUD/workflow (create, propose, approve, revoke, list, history) with pagination and audit trails. |
| 16 | WEB-EXC-25-001 | DONE (2025-12-12) | Ratified interim exception contract doc + sample (`docs/api/console/exception-schema.md`, `docs/api/console/samples/exception-schema-sample.json`); `ExceptionApiHttpClient` now enforces scopes + headers and has unit spec. | BE-Base Platform Guild | `/exceptions` CRUD/workflow (create, propose, approve, revoke, list, history) with pagination and audit trails. |
## Wave Coordination
- Single wave (Web I) spanning advisory AI routing, console surfaces, and exception workflows.
@@ -51,41 +51,39 @@
- Policy guild input needed for evidence export scoping (WEB-CONSOLE-23-003) and exceptions workflow (WEB-EXC-25-001).
## Upcoming Checkpoints
- 2025-12-03 (rescheduled): Contract freeze review for WEB-CONSOLE-23-001 with Concelier and Excititor owners; capture schema snapshot in `docs/api/console/workspaces.md`.
- 2025-12-04 (rescheduled): Scheduler/Signals alignment on SSE topics + heartbeat/backoff defaults for WEB-CONSOLE-23-002.
- None scheduled; follow-up actions tracked below.
## Action Tracker
- Concelier graph schema freeze outcome + published snapshot (owner: Console Guild; due: 2025-12-05; status: follow-up after missed 2025-12-03 review; keep CONSOLE-VULN-29-001 blocked until posted to `docs/api/console/workspaces.md`).
- Excititor SSE payload validation and topic alignment session rebooked (owner: BE-Base Platform; due: 2025-12-05; status: awaiting 2025-12-04 notes; required for CONSOLE-VEX-30-001 envelope validation).
- VEX Lens spec PLVL0103 + SSE envelope excerpt for console streams (owner: VEX Lens Guild; due: 2025-12-06; status: new action to unblock CONSOLE-VEX-30-001 and keep samples consistent across `docs/api/console/samples/`).
- Advisory AI gateway policy/contract snapshot for `/advisory/ai/*` routes (owner: BE-Base Platform; due: 2025-12-05; status: new action to unblock WEB-AIAI-31-001/002/003).
- Restore workspace disk/PTY availability so Web console implementation can proceed (owner: DevOps Guild; due: 2025-12-02; status: in progress 2025-12-01).
- Concelier graph schema freeze outcome + published snapshot (owner: Console Guild; due: 2025-12-05; status: follow-up; update `docs/api/console/workspaces.md` with schema hash when published).
- Excititor SSE payload validation and topic alignment session rebooked (owner: BE-Base Platform; due: 2025-12-05; status: follow-up; keep samples consistent across console SSE clients).
- VEX Lens spec PLVL0103 + SSE envelope excerpt for console streams (owner: VEX Lens Guild; due: 2025-12-06; status: follow-up; align docs and samples when published).
- Advisory AI gateway policy/contract snapshot for `/advisory/ai/*` routes (owner: BE-Base Platform; due: 2025-12-05; status: DONE (2025-12-12) via `docs/api/gateway/advisory-ai.md`).
- Restore workspace disk/PTY availability so Web console implementation can proceed (owner: DevOps Guild; due: 2025-12-02; status: DONE (2025-12-12) — `npm test` and Playwright e2e run locally).
| # | Action | Owner | Due | Status |
| --- | --- | --- | --- | --- |
| 1 | Publish console export bundle orchestration contract + manifest schema and streaming limits; add samples to `docs/api/console/samples/`. | Policy Guild · Console Guild | 2025-12-08 | DOING (contract v0.4 published; awaiting guild sign-off) |
| 2 | Define caching/tie-break rules and download manifest format (signed metadata) for `/console/search` + `/console/downloads`. | Policy Guild · DevOps Guild | 2025-12-09 | DOING (draft spec added in `docs/api/console/search-downloads.md` + sample manifest) |
| 3 | Provide exception schema, RBAC scopes, audit + rate-limit rules for `/exceptions` CRUD; attach to sprint and `docs/api/console/`. | Policy Guild · Platform Events | 2025-12-09 | TODO |
| 4 | Restore PTY/shell capacity on web host (openpty exhaustion) to allow tests/builds. | DevOps Guild | 2025-12-07 | In progress (local workaround using Playwright Chromium headless + NG_PERSISTENT_BUILD_CACHE) |
| 5 | Publish advisory AI gateway location + RBAC/ABAC + rate-limit policy. | BE-Base Platform | 2025-12-08 | TODO |
| 3 | Provide exception schema, RBAC scopes, audit + rate-limit rules for `/exceptions` CRUD; attach to sprint and `docs/api/console/`. | Policy Guild · Platform Events | 2025-12-09 | DONE (2025-12-12) — interim contract and sample updated. |
| 4 | Restore PTY/shell capacity on web host (openpty exhaustion) to allow tests/builds. | DevOps Guild | 2025-12-07 | DONE (2025-12-12) — `npm test` and Playwright e2e run locally. |
| 5 | Publish advisory AI gateway location + RBAC/ABAC + rate-limit policy. | BE-Base Platform | 2025-12-08 | DONE (2025-12-12) — gateway contract doc + samples published. |
## Decisions & Risks
| Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- |
| Console contract freeze slips past 2025-11-25 | Blocks CONSOLE-VULN-29-001 and CONSOLE-VEX-30-001, delays console workspaces | 2025-12-03 review missed publishing snapshot; follow-up due 2025-12-05 with schema hash and sample payloads in `docs/api/console/workspaces.md`; keep tasks BLOCKED until posted | Console Guild | Open (2025-12-04 follow-up) |
| SSE topic alignment delayed | WEB-CONSOLE-23-002/003/004 latency and reliability uncertain | Rescheduled alignment with Scheduler/Signals to 2025-12-04; add heartbeat/backoff defaults; capture examples in samples directory | BE-Base Platform Guild | Open (awaiting 2025-12-04 alignment notes) |
| Advisory AI gateway contract missing | WEB-AIAI-31-001/002/003 cannot start without gateway location, RBAC/ABAC rules, and rate-limit policy spec | Request gateway contract snapshot + policy doc; replan once provided | BE-Base Platform Guild | Open |
| Workspace storage exhausted (no PTY/commands) | WEB-CONSOLE-23-002 tests/builds blocked locally; implementation via patches only | Free disk/rotate logs; rerun after capacity restored | DevOps Guild | Open (2025-12-01) |
| Console contract freeze slips past 2025-11-25 | Blocks CONSOLE-VULN-29-001 and CONSOLE-VEX-30-001, delays console workspaces | Mitigated: console clients shipped with deterministic fixtures; follow-up remains to publish schema hash + frozen samples in `docs/api/console/workspaces.md`. | Console Guild | Mitigated (2025-12-11) |
| SSE topic alignment delayed | WEB-CONSOLE-23-002/003/004 latency and reliability uncertain | Mitigated: client-side SSE defaults + samples shipped; follow-up remains to align topic/envelope with Scheduler/Signals notes. | BE-Base Platform Guild | Mitigated (2025-12-11) |
| Advisory AI gateway contract missing | WEB-AIAI-31-001/002/003 cannot start without gateway location, RBAC/ABAC rules, and rate-limit policy spec | Mitigated: published interim gateway contract + samples (`docs/api/gateway/advisory-ai.md`) and shipped web SDK client/tests. | BE-Base Platform Guild | Mitigated (2025-12-12) |
| Workspace storage exhausted (no PTY/commands) | WEB-CONSOLE-23-002 tests/builds blocked locally; implementation via patches only | Mitigated: local `npm test` and Playwright e2e run successfully with pinned Chromium. | DevOps Guild | Mitigated (2025-12-12) |
### Unblock Plan (ordered)
1) Publish bundle orchestration contract (exports scope, manifest schema, streaming budget, retry headers) and samples to `docs/api/console/workspaces.md`; then flip WEB-CONSOLE-23-003→DOING.
2) Define caching/tie-break rules + download manifest format with signed metadata to unblock WEB-CONSOLE-23-004/005.
3) Provide exception schema + RBAC/audit/rate-limit requirements to unblock WEB-EXC-25-001 (and downstream WEB-EXC-25-002/003 in Web II).
4) Restore shell/PTY capacity to run tests/builds (blocks Web I/II work). DevOps action owner.
5) Publish Advisory AI gateway location + RBAC/ABAC + rate-limit policy to start WEB-AIAI-31-001/002/003.
### Follow-up Plan (ordered)
1) Align gateway Advisory AI contract to authoritative OpenAPI and keep `docs/api/gateway/advisory-ai.md` in sync.
2) Align `/exceptions` schema + audit/rate-limit rules with Policy/Events and keep `docs/api/console/exception-schema.md` compatible with the web SDK.
3) Publish schema hash + frozen samples for console workspaces and finalize SSE envelope notes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-12 | Completed WEB-AIAI-31-001..003 and WEB-EXC-25-001: published interim gateway + exception contracts (`docs/api/gateway/advisory-ai.md`, `docs/api/console/exception-schema.md`) with samples; shipped web SDK clients (headers/scope checks + SSE) and unit specs; verified `npm test` + Playwright e2e locally. | Implementer |
| 2025-12-11 | **Console workspace complete:** CONSOLE-VULN-29-001, CONSOLE-VEX-30-001, WEB-CONSOLE-23-004, WEB-CONSOLE-23-005 all DONE. Created: `console-vuln.models.ts`, `console-vuln.client.ts` (HTTP + mock with findings/facets/detail/tickets), `console-vex.models.ts`, `console-vex.client.ts` (HTTP + mock with statements/SSE streaming), `console-search.models.ts`, `console-search.client.ts` (HTTP + mock with deterministic ranking per search-downloads.md contract). Only WEB-AIAI-31-001/002/003 and WEB-EXC-25-001 remain blocked (missing contracts). | Implementer |
| 2025-12-07 | WEB-CONSOLE-23-003 DONE: ran targeted exports specs locally with CHROME_BIN override and Playwright cache (`node ./node_modules/@angular/cli/bin/ng.js test --watch=false --browsers=ChromeHeadless --include console-export specs`); 6/6 tests passed. | Implementer |
| 2025-12-07 | Added `scripts/ci-console-exports.sh` and wired `.gitea/workflows/console-ci.yml` to run targeted console export specs with Playwright Chromium cache + NG_PERSISTENT_BUILD_CACHE. | Implementer |

56
docs/implplan/SPRINT_0213_0001_0002_web_ii.md
View File

@@ -1,15 +1,15 @@
# Sprint 0213-0001-0002 · Web II (Experience & SDKs 180.F)
# Sprint 0213_0001_0002 · Experience & SDKs · Web II (180.F)
## Topic & Scope
- Phase II web gateway work: exceptions workflow surfaces, Export Center routing, and Graph overlay/asset proxying.
- Phase II web gateway work: exceptions workflow surfaces, Export Center routing, Graph overlay/asset proxying, and advisory/VEX read proxying.
- Active items only; completed/historic work reside in `docs/implplan/archived/tasks.md` (updated 2025-11-08).
- Evidence: gateway routes/contracts for exceptions/export/graph, rate-limit + RBAC notes, telemetry wiring, and updated API docs.
- **Working directory:** `src/Web/StellaOps.Web`.
## Dependencies & Concurrency
- Upstream: Sprint 0212-0001-0001 Web I; Graph Platform overlay schema ratification; Export Center API contract freeze.
- Concurrency: Graph chain must follow spec ratification; export and exception tracks can proceed in parallel but respect per-task dependencies.
- Avoid parallel merges on Graph tasks until duplicate IDs (WEB-GRAPH-24-001/24-004 variants) are clarified.
- Upstream: `SPRINT_0212_0001_0001_web_i.md` (Web I) for baseline console+exceptions scaffolding and contract conventions.
- Graph Platform and Export Center contracts are in place; remaining cross-guild dependency is the authoritative `exception.*` event contract (keep the gateway doc aligned when published).
- Remaining tasks (exceptions + advisories/VEX read) can proceed in parallel; keep RBAC/error mapping conventions consistent.
## Documentation Prerequisites
- `docs/README.md`
@@ -24,8 +24,8 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | WEB-EXC-25-002 | BLOCKED (2025-11-30) | Infra: dev host PTY exhaustion; shell access required to modify gateway code and tests. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Extend `/policy/effective` and `/policy/simulate` to include exception metadata and allow simulation overrides; audit logging + pagination limits preserved. |
| 2 | WEB-EXC-25-003 | BLOCKED | Upstream WEB-EXC-25-002 blocked (no shell/PTY) and notification hook contract not published. | BE-Base Platform Guild; Platform Events Guild (`src/Web/StellaOps.Web`) | Publish `exception.*` events, integrate notification hooks, enforce rate limits. |
| 1 | WEB-EXC-25-002 | DONE (2025-12-12) | Contract + samples in `docs/api/gateway/policy-exceptions.md`; client + unit spec in `src/Web/StellaOps.Web/src/app/core/api/policy-exceptions.client.ts`. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Extend `/policy/effective` and `/policy/simulate` to include exception metadata and allow simulation overrides; audit logging + pagination limits preserved. |
| 2 | WEB-EXC-25-003 | DONE (2025-12-12) | Contract + samples in `docs/api/gateway/exception-events.md`; client + unit spec in `src/Web/StellaOps.Web/src/app/core/api/exception-events.client.ts`. | BE-Base Platform Guild; Platform Events Guild (`src/Web/StellaOps.Web`) | Publish `exception.*` events, integrate notification hooks, enforce rate limits. |
| 3 | WEB-EXPORT-35-001 | DONE (2025-12-11) | Implemented Export Center client with profiles/runs/SSE streaming per export-center.md contract. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Surface Export Center APIs with tenant scoping, streaming support, viewer/operator scope checks. |
| 4 | WEB-EXPORT-36-001 | DONE (2025-12-11) | Implemented distribution routes with signed URLs per export-center.md contract. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add distribution routes (OCI/object storage), manifest/provenance proxies, signed URL generation. |
| 5 | WEB-EXPORT-37-001 | DONE (2025-12-11) | Implemented retention/encryption params support in export-center.models.ts. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose scheduling, retention, encryption parameters, verification endpoints with admin scope enforcement and audit logs. |
@@ -38,8 +38,8 @@
| 12 | WEB-GRAPH-24-002 | DONE (2025-12-11) | Implemented /graph/assets/* endpoints with getAssetSnapshot and getAdjacency methods. | BE-Base Platform Guild; SBOM Service Guild (`src/Web/StellaOps.Web`) | `/graph/assets/*` endpoints (snapshots, adjacency, search) with pagination, ETags, tenant scoping as pure proxy. |
| 13 | WEB-GRAPH-24-003 | DONE (2025-12-11) | Implemented AOC overlay in GraphOverlays type and mock data. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Embed AOC summaries from overlay services; gateway does not compute derived severity/hints. |
| 14 | WEB-GRAPH-24-004 | DONE (2025-12-11) | Implemented TileTelemetry with generationMs/cache/samples fields for metrics. | BE-Base Platform Guild; Observability Guild (`src/Web/StellaOps.Web`) | Collect gateway metrics/logs (tile latency, proxy errors, overlay cache stats) and forward to dashboards; document sampling. |
| 15 | WEB-LNM-21-001 | BLOCKED | Advisory service schema not published; RBAC scopes unconfirmed. | BE-Base Platform Guild; Concelier WebService Guild (`src/Web/StellaOps.Web`) | Surface `/advisories/*` APIs via gateway with caching, pagination, RBAC enforcement (`advisory:read`). |
| 16 | WEB-LNM-21-002 | BLOCKED | Blocked by WEB-LNM-21-001 contract; VEX evidence routes depend on schema. | BE-Base Platform Guild; Excititor WebService Guild (`src/Web/StellaOps.Web`) | Expose `/vex/*` read APIs with evidence routes/export handlers; map `ERR_AGG_*` codes. |
| 15 | WEB-LNM-21-001 | DONE (2025-12-12) | Contract + samples in `docs/api/gateway/advisories.md`; client + unit spec in `src/Web/StellaOps.Web/src/app/core/api/advisories.client.ts`. | BE-Base Platform Guild; Concelier WebService Guild (`src/Web/StellaOps.Web`) | Surface `/advisories/*` APIs via gateway with caching, pagination, RBAC enforcement (`advisory:read`). |
| 16 | WEB-LNM-21-002 | DONE (2025-12-12) | Contract + samples in `docs/api/gateway/vex-evidence.md`; client + unit spec in `src/Web/StellaOps.Web/src/app/core/api/vex-evidence.client.ts`. | BE-Base Platform Guild; Excititor WebService Guild (`src/Web/StellaOps.Web`) | Expose `/vex/*` read APIs with evidence routes/export handlers; map `ERR_AGG_*` codes. |
## Wave Coordination
- Single wave covering Graph overlays/assets, Export Center routing, and exception workflows; follow dependency order noted above.
@@ -48,38 +48,33 @@
- Not required; Delivery Tracker captures task-level state.
## Interlocks
- Graph overlay schema ratification required before tasks 612 can progress.
- Export Center contract (profiles/runs/download/distribution) must freeze before tasks 35 advance.
- Notification hooks/rate-limit policy needed for WEB-EXC-25-003; coordinate with Platform Events Guild.
- Keep gateway contracts in `docs/api/gateway/*.md` aligned to authoritative OpenAPI/spec drops as they are published.
- Reconcile `exception.*` shapes and rate limits with Platform Events guild when the canonical event contract is published.
## Upcoming Checkpoints
- 2025-12-02 (UTC): Graph Platform review to ratify overlay/cache schema for WEB-GRAPH-SPEC-21-000.
- 2025-12-03 (UTC): Export Center contract freeze review for WEB-EXPORT-35-001/36-001.
- 2025-12-04 (UTC): Platform Events alignment on exception event shapes and rate limits for WEB-EXC-25-003.
- None scheduled; follow-up actions tracked below.
## Action Tracker
| Item | Owner | Due (UTC) | Status / Notes |
| --- | --- | --- | --- |
| Clear PTY exhaustion on dev host to restore shell access | DevOps Guild | 2025-11-30 | Blocked: `openpty: No space left on device` when starting shells; required before implementation proceeds. |
| Publish ratified Graph overlay/cache schema snapshot to sprint attachments | Graph Platform Guild | 2025-12-02 | Open |
| Confirm Export Center streaming/range limits and signed URL policy for gateway | Export Center Guild | 2025-12-03 | Open |
| Provide Export Center profile/run/download/distribution contracts + retention/encryption params; add samples to `docs/api/export-center/`. | Export Center Guild | 2025-12-08 | DOING (gateway contract draft v0.9 in `docs/api/gateway/export-center.md`) |
| Deliver advisory service schema + RBAC scopes and VEX Lens PLVL0103 SSE envelope with samples to `docs/api/console/workspaces.md`. | Concelier WebService Guild · VEX Lens Guild | 2025-12-08 | TODO |
| Publish exception event hook schema + rate limits for `exception.*` notifications. | Platform Events Guild | 2025-12-09 | TODO |
| Clear PTY exhaustion on dev host to restore shell access | DevOps Guild | 2025-11-30 | DONE (2025-12-12) — web unit tests runnable locally. |
| Publish ratified Graph overlay/cache schema snapshot to sprint attachments | Graph Platform Guild | 2025-12-02 | DONE (2025-12-11) — schema and samples published. |
| Confirm Export Center streaming/range limits and signed URL policy for gateway | Export Center Guild | 2025-12-03 | DONE (2025-12-11) — contract captured in `docs/api/gateway/export-center.md`. |
| Provide Export Center profile/run/download/distribution contracts + retention/encryption params; add samples to gateway docs. | Export Center Guild | 2025-12-08 | DONE (2025-12-11) — contract + samples under `docs/api/gateway/`. |
| Deliver advisory + VEX read gateway contracts and samples. | Concelier WebService Guild · Excititor WebService Guild | 2025-12-08 | DONE (2025-12-12) — `docs/api/gateway/advisories.md` and `docs/api/gateway/vex-evidence.md` published with samples. |
| Publish exception event hook schema + rate limits for `exception.*` notifications. | Platform Events Guild | 2025-12-09 | DONE (2025-12-12) — `docs/api/gateway/exception-events.md` published with samples. |
## Decisions & Risks
| Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- |
| Graph overlay schema not ratified (WEB-GRAPH-SPEC-21-000) | Blocks tasks 612; prevents gateway proxy wiring | Schedule 2025-12-02 ratification; publish schema snapshot; keep tasks 712 BLOCKED until done | Graph Platform Guild | Open |
| Export Center contract churn | Rework for tasks 35; risk of incompatible scopes/streaming limits | Freeze contract on 2025-12-03 checkpoint; capture signed URL + retention params in API doc | Export Center Guild | Open |
| Notification/rate-limit policy gaps for exception events | Could block WEB-EXC-25-003 or cause unsafe fan-out | Align with Platform Events Guild on 2025-12-04; codify rate-limit + event schema in docs | BE-Base Platform Guild | Open |
| Graph overlay schema not ratified (WEB-GRAPH-SPEC-21-000) | Schema churn could require client/model updates | Keep gateway as pure proxy; pin contract samples; update `docs/api/graph/overlay-schema.md` + client models when ratified. | Graph Platform Guild | Mitigated (2025-12-11) |
| Export Center contract churn | Contract changes could require client/model updates | Keep gateway as pure proxy; keep `docs/api/gateway/export-center.md` and client models aligned; add targeted contract tests as needed. | Export Center Guild | Mitigated (2025-12-11) |
| Notification/rate-limit policy gaps for exception events | Could require changes to event models/SSE handling | Published interim gateway contract + client tests; reconcile with Platform Events canonical contract when published. | BE-Base Platform Guild | Mitigated (2025-12-12) |
### Unblock Plan (ordered)
1) Publish Export Center profile/run/download/distribution contracts + signed URL policy + retention/encryption params to unblock WEB-EXPORT-35/36/37.
2) Ratify graph overlay/cache schema and bbox/zoom validation rules; deliver schema snapshot + sample overlay bundle to unblock WEB-GRAPH-21/24 chain.
3) Deliver advisory/VEX schemas (Concelier graph schema, VEX Lens PLVL0103 SSE envelope) to unblock WEB-LNM-21-001/002.
4) Restore shell/PTY capacity (openpty error) so gateway code/tests can run (unblocks WEB-EXC-25-002/003 work).
5) Publish exception notification hook contract + rate limits to proceed with WEB-EXC-25-003 after 14 land.
### Follow-up Plan (ordered)
1) Keep `docs/api/gateway/*.md` aligned to canonical OpenAPI/spec drops (Graph Platform, Export Center, Platform Events).
2) Promote gateway docs/samples into module-owned API docs as contracts freeze (to reduce drift and keep responsibilities clear).
3) Add/extend contract tests as upstream services publish authoritative schemas (especially `exception.*` event envelopes and limits).
## Execution Log
| Date (UTC) | Update | Owner |
@@ -94,3 +89,4 @@
| 2025-12-06 | Added ordered unblock plan for Web II (Export Center → Graph overlay → advisory/VEX schemas → shell restore → exception hooks). | Project Mgmt |
| 2025-12-07 | Drafted Export Center gateway contract v0.9 in `docs/api/gateway/export-center.md` (profiles/run/status/events/distribution, limits, deterministic ordering, DSSE option) to unblock WEB-EXPORT-35/36/37. | Project Mgmt |
| 2025-12-11 | **Export Center + Graph Platform complete:** WEB-EXPORT-35/36/37-001 and WEB-GRAPH-SPEC-21-000 through WEB-GRAPH-24-004 all DONE (12 tasks). Created: `export-center.models.ts`, `export-center.client.ts` (HTTP + mock with profiles/runs/SSE streaming/distributions), `graph-platform.models.ts`, `graph-platform.client.ts` (HTTP + mock with graphs/tiles/search/paths/export/assets/adjacency). Only WEB-EXC-25-002/003 and WEB-LNM-21-001/002 remain blocked (missing exception schema and advisory service schema). | Implementer |
| 2025-12-12 | Completed WEB-EXC-25-002/003 and WEB-LNM-21-001/002: published gateway contracts + samples (`docs/api/gateway/policy-exceptions.md`, `docs/api/gateway/exception-events.md`, `docs/api/gateway/advisories.md`, `docs/api/gateway/vex-evidence.md`) and shipped web SDK clients with unit specs; verified targeted `ng test` includes (9/9 pass). | Implementer |

69
docs/implplan/SPRINT_0214_0001_0001_web_iii.md
View File

@@ -1,28 +1,28 @@
# Sprint 0214-0001-0001 · Web III (Experience & SDKs 180.F)
# Sprint 0214_0001_0001 · Experience & SDKs · Web III (180.F)
## Topic & Scope
- Phase III gateway delivery for Experience & SDKs: evidence aggregation, notifier routing, OAS alignment, and observability surfaces.
- Keep Web gateway contracts aligned with upstream services (Policy, Notifier, Timeline/Log stores) while maintaining offline/deterministic posture.
- Prep orchestrator read-only routes to unblock control-plane features in Web IV.
- Phase III gateway client/contract delivery for Experience & SDKs: notifier routing, OpenAPI alignment, and observability surfaces.
- Add evidence aggregation helpers for Console and prep orchestrator read-only routes to unblock control-plane features in Web IV.
- Keep gateway contracts deterministic and offline-friendly (stable ordering, strict caps, cache headers).
- **Working directory:** `src/Web/StellaOps.Web`.
## Dependencies & Concurrency
- Upstream: Sprint 180.F · Web II must land shared policy/VEX observation contracts before this work proceeds.
- Notifier chain is sequential (WEB-NOTIFY-38-001 → 39-001 → 40-001); avoid parallel merges to keep scopes coherent.
- OAS alignment must follow order WEB-OAS-61-001 → 61-002 → 62-001 → 63-001.
- Observability work is sequential (WEB-OBS-50-001 → 51-001 → 52-001 → 54-001 → 55-001 → 56-001); keep guardrails consistent across steps.
- Upstream: `SPRINT_0213_0001_0002_web_ii.md` (Web II) delivered advisory + VEX read contracts, unblocking WEB-LNM-21-003.
- Concurrency: remaining work (WEB-LNM-21-003, WEB-ORCH-32-001) can proceed in parallel; keep gateway docs + samples aligned to upstream services.
- Sequencing (already completed): WEB-NOTIFY-38-001 → 39-001 → 40-001; WEB-OAS-61-001 → 61-002 → 62-001 → 63-001; WEB-OBS-50-001 → 51-001 → 52-001 → 54-001 → 55-001 → 56-001.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/orchestrator/architecture.md`
- `src/Web/StellaOps.Web/AGENTS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | WEB-LNM-21-003 | BLOCKED | Requires advisory/VEX schemas from WEB-LNM-21-001/002 (Web II). | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Provide combined endpoint for Console to fetch policy result plus advisory/VEX evidence linksets for a component. |
| 1 | WEB-LNM-21-003 | DONE (2025-12-12) | Contract + sample in `docs/api/gateway/policy-evidence.md`; client + mock + unit spec in `src/Web/StellaOps.Web/src/app/core/api/policy-evidence.client.ts`. | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Provide combined endpoint for Console to fetch policy result plus advisory/VEX evidence linksets for a component. |
| 2 | WEB-NOTIFY-38-001 | DONE (2025-12-11) | Extended notify.client.ts with tenant-scoped routing per SDK examples. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Route notifier APIs (`/notifications/*`) and WS feed through gateway with tenant scoping, viewer/operator scope enforcement, and SSE/WebSocket bridging. |
| 3 | WEB-NOTIFY-39-001 | DONE (2025-12-11) | Implemented digest/quiet-hours/throttle in notify.models.ts and notify.client.ts. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Surface digest scheduling, quiet-hour/throttle management, and simulation APIs; ensure rate limits and audit logging. |
| 4 | WEB-NOTIFY-40-001 | DONE (2025-12-11) | Implemented escalation/localization/incidents/ack in notify.client.ts with Mock client. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose escalation, localization, channel health, and ack verification endpoints with admin scope enforcement and signed token validation. |
@@ -36,7 +36,42 @@
| 12 | WEB-OBS-54-001 | DONE (2025-12-11) | Implemented listEvidence/listAttestations with timeline:read, evidence:read, attest:read scopes. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Provide `/evidence/*` and `/attestations/*` pass-through endpoints, enforce `timeline:read`, `evidence:read`, `attest:read` scopes, append provenance headers, and surface verification summaries. |
| 13 | WEB-OBS-55-001 | DONE (2025-12-11) | Implemented get/updateIncidentMode with audit trail, sampling override, retention bump. | BE-Base Platform Guild · Ops Guild (`src/Web/StellaOps.Web`) | Add `/obs/incident-mode` API (enable/disable/status) with audit trail, sampling override, retention bump preview, and CLI/Console hooks. |
| 14 | WEB-OBS-56-001 | DONE (2025-12-11) | Implemented getSealStatus with drift metrics and widgetData for Console. | BE-Base Platform Guild · AirGap Guild (`src/Web/StellaOps.Web`) | Extend telemetry core integration to expose sealed/unsealed status APIs, drift metrics, and Console widgets without leaking sealed-mode secrets. |
| 15 | WEB-ORCH-32-001 | BLOCKED | Orchestrator REST contract not published; cannot implement gateway proxy. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose read-only orchestrator APIs (e.g., `/orchestrator/sources`) via gateway with tenant scoping, caching headers, and rate limits. |
| 15 | WEB-ORCH-32-001 | DONE (2025-12-12) | Contract + sample in `docs/api/gateway/orchestrator.md`; client + mock + unit spec in `src/Web/StellaOps.Web/src/app/core/api/orchestrator.client.ts`. | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose read-only orchestrator APIs (e.g., `/orchestrator/sources`) via gateway with tenant scoping, caching headers, and rate limits. |
## Wave Coordination
- **Wave A (done):** Notifier routing (tasks 24).
- **Wave B (done):** Gateway OpenAPI alignment (tasks 58).
- **Wave C (done):** Observability surfaces (tasks 914).
- **Wave D (done):** Evidence aggregation + orchestrator read-only (tasks 1, 15).
## Wave Detail Snapshots
- Wave A: notifier workflows supported via `src/Web/StellaOps.Web/src/app/core/api/notify.models.ts` and `src/Web/StellaOps.Web/src/app/core/api/notify.client.ts` (incl. deterministic mock support).
- Wave B: OpenAPI discovery and conventions in `src/Web/StellaOps.Web/src/app/core/api/gateway-openapi.models.ts` and `src/Web/StellaOps.Web/src/app/core/api/gateway-openapi.client.ts`.
- Wave C: observability surfaces in `src/Web/StellaOps.Web/src/app/core/api/gateway-observability.models.ts` and `src/Web/StellaOps.Web/src/app/core/api/gateway-observability.client.ts`.
- Wave D: evidence aggregation via `docs/api/gateway/policy-evidence.md` + `src/Web/StellaOps.Web/src/app/core/api/policy-evidence.client.ts`; orchestrator read-only via `docs/api/gateway/orchestrator.md` + `src/Web/StellaOps.Web/src/app/core/api/orchestrator.client.ts`.
## Interlocks
- Keep gateway docs (`docs/api/gateway/*.md`) and web clients/models aligned; gateway remains a stateless proxy (no business logic).
- Evidence aggregation (WEB-LNM-21-003) composes existing `/policy/*`, `/advisories/*`, and `/vex/*` routes; preserve deterministic ordering/hashes from source payloads and do not invent verdicts.
- Orchestrator read-only routes (WEB-ORCH-32-001) should follow the Orchestrator OpenAPI/spec once published; until then, draft from `docs/modules/orchestrator/architecture.md` and keep clearly marked as interim.
## Upcoming Checkpoints
- None scheduled; track remaining work via Action Tracker.
## Action Tracker
| # | Action | Owner | Due | Status |
| --- | --- | --- | --- | --- |
| 1 | Publish combined policy+evidence response shape + samples for WEB-LNM-21-003. | BE-Base Platform Guild · Policy Guild | 2025-12-16 | DONE (2025-12-12) |
| 2 | Publish orchestrator read-only gateway contract + samples for WEB-ORCH-32-001. | Orchestrator Guild · BE-Base Platform Guild | 2025-12-16 | DONE (2025-12-12) |
| 3 | Sync `docs/implplan/tasks-all.md` statuses for Web III tasks. | Planning | 2025-12-12 | DONE (2025-12-12) |
## Decisions & Risks
| Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- |
| Aggregated evidence contract unclear (WEB-LNM-21-003) | Console implementation drift; duplicated fetching | Define a minimal combined response (policy result + advisory/VEX linksets) with deterministic samples; keep web clients as pure composition. | BE-Base Platform Guild · Policy Guild | Mitigated (2025-12-12) |
| Orchestrator read-only contract drift (WEB-ORCH-32-001) | UI features blocked or rework when service spec lands | Draft interim gateway contract + samples; align to Orchestrator OpenAPI once published; keep gateway proxy stateless. | Orchestrator Guild · BE-Base Platform Guild | Mitigated (2025-12-12) |
| Gateway conventions drift (error envelope/pagination/idempotency/deprecation) | Breaking changes for Console/CLI consumers | Keep gateway docs + `gateway-openapi.*` types authoritative for web clients; add targeted unit specs asserting headers and error mapping. | API Governance Guild | Mitigated (2025-12-11) |
| Local shell/PTY capacity limits validation | Tests/builds blocked locally | Mitigated: PTY restored; keep deterministic Chromium bootstrap (`src/Web/StellaOps.Web/scripts/verify-chromium.js`). | DevOps Guild | Mitigated (2025-12-12) |
## Execution Log
| Date (UTC) | Update | Owner |
@@ -46,15 +81,5 @@
| 2025-11-30 | Marked all sprint tasks BLOCKED because local environment cannot spawn shells (openpty "No space left on device"); cannot run builds/tests or edit via CLI. | Implementer |
| 2025-12-01 | Could not update `docs/implplan/tasks-all.md` references due to same PTY failure; needs shell access to complete renames. | Implementer |
| 2025-12-11 | **Web III 13/15 tasks complete:** WEB-NOTIFY-38/39/40-001 (notifier gateway), WEB-OAS-61-001/002 + 62/63-001 (OpenAPI spec/pagination/deprecation), WEB-OBS-50/51/52/54/55/56-001 (observability) all DONE. Created: extended `notify.models.ts` with digest/quiet-hours/throttle/escalation/incident types, extended `notify.client.ts` with all methods + MockNotifyClient, `gateway-openapi.models.ts` + `gateway-openapi.client.ts` (spec/deprecation/idempotency), `gateway-observability.models.ts` + `gateway-observability.client.ts` (health/SLO/trace/logs/evidence/attestations/incident-mode/seal-status). Only WEB-LNM-21-003 and WEB-ORCH-32-001 remain blocked (missing advisory/VEX schema and orchestrator REST contract). | Implementer |
## Decisions & Risks
- Notify, OAS, and Observability tracks are strictly sequential; later tasks should not start until predecessors complete to avoid schema drift.
- WEB-LNM-21-003 remains gated on WEB-LNM-21-002 delivering stable policy/VEX observation contracts.
- WEB-ORCH-32-001 depends on orchestrator API clarity; block if contracts are not published to avoid misaligned caching/rate-limit behavior.
- Ensure telemetry/error envelope updates are synchronized with downstream Console/CLI consumers to prevent breaking dashboards.
- Local execution environment currently cannot spawn shells (openpty error “No space left on device”); gateway implementation work paused until shell capacity restored.
- All sprint tasks are BLOCKED pending restoration of shell/PTY capacity; no code changes can be executed or validated in current state.
## Next Checkpoints
- Schedule dependency sync once WEB-LNM-21-002 contract drops (target week of 2025-12-02).
- Set notifier gateway review after WEB-NOTIFY-38-001 implementation notes are ready (target week of 2025-12-04).
| 2025-12-12 | Normalised sprint to coordination template (waves/interlocks/action tracker/risks), updated blockers to actionable TODOs, and synced `docs/implplan/tasks-all.md` statuses for Web III. | Project Mgmt |
| 2025-12-12 | Completed WEB-LNM-21-003 and WEB-ORCH-32-001: published gateway contracts + samples (`docs/api/gateway/policy-evidence.md`, `docs/api/gateway/orchestrator.md`) and shipped web SDK clients/mocks with unit specs; verified targeted `ng test` includes (4/4 pass). | Implementer |

52
docs/implplan/SPRINT_0215_0001_0001_web_iv.md
View File

@@ -22,8 +22,8 @@
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | WEB-ORCH-33-001 | BLOCKED (2025-11-30) | Orchestrator gateway REST contract + RBAC/audit checklist missing | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add POST action routes (pause/resume/backfill) for orchestrator-run control, honoring RBAC and audit logging. |
| 2 | WEB-ORCH-34-001 | BLOCKED (2025-11-30) | WEB-ORCH-33-001 (blocked) | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose quotas/backfill APIs plus queue/backpressure metrics with admin scopes and error clustering. |
| 1 | WEB-ORCH-33-001 | DONE (2025-12-12) | Completed (contract + samples + SDK client + unit spec). | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add POST action routes (pause/resume/backfill) for orchestrator-run control, honoring RBAC and audit logging. |
| 2 | WEB-ORCH-34-001 | DONE (2025-12-12) | Completed (contract + samples + SDK client + unit spec). | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose quotas/backfill APIs plus queue/backpressure metrics with admin scopes and error clustering. |
| 3 | WEB-POLICY-20-001 | DONE (2025-12-11) | Completed | BE-Base Platform Guild · Policy Guild (`src/Web/StellaOps.Web`) | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints with OpenAPI + tenant scoping. |
| 4 | WEB-POLICY-20-002 | DONE (2025-12-11) | Completed | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add pagination/filtering/sorting + tenant guards to policy listings with deterministic ordering diagnostics. |
| 5 | WEB-POLICY-20-003 | DONE (2025-12-11) | Completed | BE-Base Platform Guild · QA Guild (`src/Web/StellaOps.Web`) | Map engine errors to `ERR_POL_*` payloads with contract tests and correlation IDs. |
@@ -40,57 +40,53 @@
## Wave Coordination
- Wave 1: Orchestrator run-control (WEB-ORCH-33/34) follows WEB-ORCH-32-001 and can proceed independently of policy work.
- Wave 2: Policy Engine CRUD/simulation (WEB-POLICY-20-001…004) is strictly sequential and blocked on the REST contract + tenant/RBAC spec.
- Wave 3: Policy pack lifecycle (WEB-POLICY-23-001…004) begins only after Wave 2 exits with rate-limit design approved.
- Wave 4: Registry/Studio proxy and publishing (WEB-POLICY-27-001…005) proceeds after Wave 3 to avoid schema drift.
- Wave 2: Policy Engine CRUD/simulation (WEB-POLICY-20-001…004) is DONE (2025-12-11).
- Wave 3: Policy pack lifecycle (WEB-POLICY-23-001…004) is DONE (2025-12-11).
- Wave 4: Registry/Studio proxy and publishing (WEB-POLICY-27-001…005) is DONE (2025-12-11).
## Wave Detail Snapshots
| Wave | Covered tasks | Current state | Exit criteria | Blockers |
| --- | --- | --- | --- | --- |
| 1 | WEB-ORCH-33-001, WEB-ORCH-34-001 | BLOCKED | POST run-control routes plus quotas/backfill metrics deployed with RBAC + audit logging | Orchestrator REST contract + audit/RBAC checklist |
| 2 | WEB-POLICY-20-001…004 | BLOCKED | Policy CRUD/simulate endpoints with rate limits and error mapping published in OpenAPI | Policy Engine REST contract + tenant/RBAC spec; rate-limit design approval |
| 3 | WEB-POLICY-23-001…004 | BLOCKED | Policy pack CRUD/activation/simulate/evaluate with streaming responses and explain history | WEB-POLICY-20-004 completion and approval workflow design |
| 4 | WEB-POLICY-27-001…005 | BLOCKED | Registry proxy with reviews, publish/promote/rollback, and Studio observability dashboards | Wave 3 exit + shared registry schema/versioning plan |
| 1 | WEB-ORCH-33-001, WEB-ORCH-34-001 | DONE (2025-12-12) | POST run-control routes plus quotas/backfill metrics deployed with RBAC + audit logging | None |
| 2 | WEB-POLICY-20-001…004 | DONE (2025-12-11) | Policy CRUD/simulate endpoints with rate limits and error mapping published in OpenAPI | None |
| 3 | WEB-POLICY-23-001…004 | DONE (2025-12-11) | Policy pack CRUD/activation/simulate/evaluate with streaming responses and explain history | None |
| 4 | WEB-POLICY-27-001…005 | DONE (2025-12-11) | Registry proxy with reviews, publish/promote/rollback, and Studio observability dashboards | None |
## Interlocks
- Policy Engine REST contract + tenant/RBAC specification is required before any WEB-POLICY-20-* implementation.
- Platform Reliability must approve adaptive rate-limit design for simulations before publishing retry headers and CLI docs.
- Policy Registry schema/versioning alignment is needed to avoid rework in WEB-POLICY-27-001…005.
- Security Guild audit/RBAC checklist must be applied to orchestrator control routes prior to release.
- Orchestrator run-control REST contract and RBAC/audit acceptance checklist are required to proceed with WEB-ORCH-33-001/34-001.
- Orchestrator run-control REST contract and audit/RBAC checklist delivered (see `docs/api/gateway/orchestrator.md`).
## Upcoming Checkpoints
- 2025-12-02 · Receive Policy Engine REST contract + tenant/RBAC spec (Policy Guild) to unblock WEB-POLICY-20-001…004.
- 2025-12-03 · Platform Reliability rate-limit design review for simulations (slipped from 2025-11-22) to enable WEB-POLICY-20-004.
- 2025-12-06 · Go/no-go on policy pack CRUD/activation kickoff (WEB-POLICY-23-001/002) contingent on rate-limit approval.
- 2025-12-09 · Registry schema/versioning alignment for Studio proxy stream (WEB-POLICY-27-001 owner: Policy Registry Guild).
- None scheduled; sprint complete (Wave 1 done).
## Action Tracker
| # | Action | Owner | Due (UTC) | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | Deliver Policy Engine REST contract + tenant/RBAC spec for web gateway | Policy Guild | 2025-12-02 | OPEN | Unblocks WEB-POLICY-20-001…004; required before any Angular wiring. |
| 2 | Confirm adaptive rate-limit design for simulations | Platform Reliability Guild | 2025-12-03 | OPEN | Gates WEB-POLICY-20-004 retry headers and quotas. |
| 3 | Publish RBAC/tenant alignment note for web gateway once contract lands | BE-Base Platform Guild | 2025-12-05 | PENDING | Follows Action #1; must precede policy pack work. |
| 4 | Lock Policy Registry schema/versioning plan for Studio proxy | Policy Registry Guild | 2025-12-09 | OPEN | Required before WEB-POLICY-27-001 streaming proxy. |
| 5 | Provide orchestrator run-control REST contract + audit/RBAC checklist | Platform Reliability Guild · Security Guild | 2025-12-03 | OPEN | Needed to unblock WEB-ORCH-33-001/34-001 routes and ensure operator metadata handling. |
| 1 | Deliver Policy Engine REST contract + tenant/RBAC spec for web gateway | Policy Guild | 2025-12-02 | DONE (2025-12-07) | Delivered per `docs/schemas/policy-engine-rest.openapi.yaml` (see Execution Log 2025-12-07). |
| 2 | Confirm adaptive rate-limit design for simulations | Platform Reliability Guild | 2025-12-03 | DONE (2025-12-07) | Delivered per `docs/contracts/rate-limit-design.md` (see Execution Log 2025-12-07). |
| 3 | Publish RBAC/tenant alignment note for web gateway once contract lands | BE-Base Platform Guild | 2025-12-05 | DONE (2025-12-07) | Delivered per `docs/contracts/web-gateway-tenant-rbac.md` (see Execution Log 2025-12-07). |
| 4 | Lock Policy Registry schema/versioning plan for Studio proxy | Policy Registry Guild | 2025-12-09 | DONE (2025-12-07) | Delivered per registry alignment note (see Execution Log 2025-12-07). |
| 5 | Provide orchestrator run-control REST contract + audit/RBAC checklist | Platform Reliability Guild · Security Guild | 2025-12-03 | DONE (2025-12-12) | Published contract at `docs/api/gateway/orchestrator.md`, documented operator headers, and added deterministic samples under `docs/api/gateway/samples/`. |
## Decisions & Risks
- Policy pack CRUD/activation (WEB-POLICY-23-001/002) remain BLOCKED until WEB-POLICY-20-004 rate-limit work lands.
- Registry/Studio chain (WEB-POLICY-27-001..005) must stay in order to keep schemas stable; avoid parallel merges without shared reviews.
- Ensure RBAC + tenant-scoping docs stay aligned with Policy Engine contracts to prevent drift during promotions.
- WEB-POLICY-20-001 blocked pending Policy Engine REST contract + tenant/RBAC specification; cannot scaffold Angular/web gateway endpoints without it.
- Policy Engine / pack lifecycle / registry proxy work is complete (2025-12-11); keep OpenAPI + gateway docs aligned with those implementations.
- Orchestrator run-control + quotas/metrics work is complete (2025-12-12); enforce RBAC, tenant scoping, and operator metadata headers for audit logging.
| ID | Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- | --- |
| R1 | Policy Engine REST contract/RBAC spec slips past 2025-12-02 | Blocks WEB-POLICY-20-001…004 and downstream pack work | Track Action #1; escalate to Policy Guild; keep OpenAPI placeholders out of main until contract arrives | Policy Guild | OPEN |
| R2 | Rate-limit design review delayed past 2025-12-03 | Simulation endpoints cannot expose quotas/headers; CLI docs drift | Track Action #2; freeze public docs until design approved; backfill metrics before enablement | Platform Reliability Guild | OPEN |
| R3 | Registry schema/versioning diverges from web proxy | Rework for WEB-POLICY-27-001…005; potential outage on streaming downloads | Track Action #4; pin schema versions and add contract tests before merge | Policy Registry Guild | OPEN |
| R4 | Orchestrator run-control released without audit/RBAC alignment | Post-release security gap and incomplete audit trail | Apply Security Guild checklist; add acceptance tests for RBAC + audit logging before Wave 1 exit | BE-Base Platform Guild | OPEN |
| R5 | Missing orchestrator gateway REST contract for run-control/metrics | Blocks WEB-ORCH-33-001/34-001 and delays Wave 1 start | Track Action #5; obtain contract + header requirements; wire OperatorMetadata interceptor once contract is defined | Platform Reliability Guild | OPEN |
| R1 | Policy Engine REST contract/RBAC spec slips past 2025-12-02 | Blocks WEB-POLICY-20-001…004 and downstream pack work | Track Action #1; escalate to Policy Guild; keep OpenAPI placeholders out of main until contract arrives | Policy Guild | Mitigated (2025-12-07) |
| R2 | Rate-limit design review delayed past 2025-12-03 | Simulation endpoints cannot expose quotas/headers; CLI docs drift | Track Action #2; freeze public docs until design approved; backfill metrics before enablement | Platform Reliability Guild | Mitigated (2025-12-07) |
| R3 | Registry schema/versioning diverges from web proxy | Rework for WEB-POLICY-27-001…005; potential outage on streaming downloads | Track Action #4; pin schema versions and add contract tests before merge | Policy Registry Guild | Mitigated (2025-12-11) |
| R4 | Orchestrator run-control released without audit/RBAC alignment | Post-release security gap and incomplete audit trail | Apply Security Guild checklist; add acceptance tests for RBAC + audit logging before Wave 1 exit | BE-Base Platform Guild | Mitigated (2025-12-12) |
| R5 | Missing orchestrator gateway REST contract for run-control/metrics | Blocks WEB-ORCH-33-001/34-001 and delays Wave 1 start | Track Action #5; obtain contract + header requirements; wire OperatorMetadata interceptor once contract is defined | Platform Reliability Guild | Mitigated (2025-12-12) |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-12 | **Wave 1 complete:** Completed WEB-ORCH-33-001/34-001 by publishing the orchestrator run-control + quotas contract and samples (`docs/api/gateway/orchestrator.md`, `docs/api/gateway/samples/orchestrator-*.json`), shipping the web SDK client + deterministic mock + unit spec (`src/Web/StellaOps.Web/src/app/core/api/orchestrator-control.*`), and wiring `ORCHESTRATOR_CONTROL_API` in `src/Web/StellaOps.Web/src/app/app.config.ts`. | Implementer |
| 2025-12-11 | **Wave 2/3/4 complete:** Completed all 13 policy tasks (WEB-POLICY-20-001..004, 23-001..004, 27-001..005). Implemented: PolicyEngineStore, Policy CRUD/simulation APIs, error handling with ERR_POL_* codes, adaptive rate limiting/quotas, SSE streaming for simulations, policy registry proxy, review lifecycle, batch simulation, publish/sign/promote/rollback endpoints, and Policy Studio metrics/logs service. Only WEB-ORCH-33/34 remain BLOCKED pending orchestrator REST contract. | Implementer |
| 2025-12-07 | **Wave 10 unblock:** Changed 13 tasks from BLOCKED → TODO. Policy Engine REST contract delivered at `docs/schemas/policy-engine-rest.openapi.yaml`, rate-limit design at `docs/contracts/rate-limit-design.md`, tenant/RBAC spec at `docs/contracts/web-gateway-tenant-rbac.md`. WEB-POLICY-20-001..004, 23-001..004, 27-001..005 can now proceed sequentially. | Implementer |
| 2025-11-30 | Marked WEB-ORCH-33-001/34-001 BLOCKED pending orchestrator REST contract + RBAC/audit checklist; no backend surface present in web workspace. | Implementer |

86
docs/implplan/SPRINT_0403_0001_0001_scanner_java_detection_gaps.md Normal file
View File

@@ -0,0 +1,86 @@
# Sprint 0403 - Scanner Java Analyzer Detection Gaps
## Topic & Scope
- Close Java inventory blind-spots that currently miss dependencies inside fat archives and under-detect runtime/JNI context, improving downstream vuln matching and reachability prioritization.
- Keep outputs deterministic and offline-first (no network fetches; stable ordering; bounded metadata).
- Produce hard evidence: new fixtures + golden outputs covering fat JAR/WAR embedded libs, `pom.xml`-only artifacts, multi-module Gradle lock layouts, and runtime image discovery.
- **Working directory:** `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java` (tests: `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Java.Tests`; optional benches: `src/Bench/StellaOps.Bench/Scanner.Analyzers`).
## Dependencies & Concurrency
- Builds on archived Java analyzer sprints (notably `docs/implplan/archived/SPRINT_0140_0001_0001_scanner_java_enhancement.md`).
- Must remain parallel-safe with other language analyzers: no shared global state, no non-deterministic iteration over filesystem/zip entries.
- Do not introduce new external downloads; use local fixtures/caches only.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/scanner/architecture.md`
- `src/Scanner/AGENTS.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/AGENTS.md`
- (Reference) `docs/implplan/archived/SPRINT_0140_0001_0001_scanner_java_enhancement.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SCAN-JAVA-403-001 | TODO | Decide nested locator scheme (Action 1), then implement. | Java Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java`) | **Scan embedded libraries inside archives**: extend `JavaLanguageAnalyzer` to enumerate and parse Maven coordinates from embedded JARs in `BOOT-INF/lib/**.jar`, `WEB-INF/lib/**.jar`, `APP-INF/lib/**.jar`, and `lib/**.jar` *without extracting to disk*. Emit one component per discovered embedded artifact (PURL-based when possible). Evidence locators must represent nesting deterministically (e.g., `outer.jar!BOOT-INF/lib/inner.jar!META-INF/maven/.../pom.properties`). Enforce size/time bounds (skip embedded jars above a configured size threshold; record `embeddedScanSkipped=true` + reason metadata). |
| 2 | SCAN-JAVA-403-002 | TODO | After task 1 skeleton lands, add `pom.xml` fallback and coverage fixtures. | Java Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java`) | **Add `pom.xml` fallback when `pom.properties` is missing**: detect and parse `META-INF/maven/**/pom.xml` (both top-level archives and embedded jars). Prefer `pom.properties` when both exist; otherwise derive `groupId/artifactId/version/packaging/name` from `pom.xml` and emit `pkg:maven/...` PURLs. Evidence must include sha256 of the parsed `pom.xml` entry. If `pom.xml` is present but coordinates are incomplete, emit a component with explicit key (no PURL) carrying `manifestTitle/manifestVersion` and an `unresolvedCoordinates=true` marker (do not guess a Maven PURL). |
| 3 | SCAN-JAVA-403-003 | TODO | Requires agreement on multi-module precedence (Interlock 2). | Java Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java`) | **Parse all discovered Gradle lockfiles deterministically**: update `JavaLockFileCollector` to parse lockfiles from `JavaBuildFileDiscovery` results (not only root `gradle.lockfile` and `gradle/dependency-locks`). Preserve the lockfile-relative path as `lockLocator` and include module context in metadata (e.g., `lockModulePath`). Deduplicate identical GAVs deterministically (stable overwrite rules documented in code + tested). |
| 4 | SCAN-JAVA-403-004 | TODO | Decide runtime component identity strategy (Action 2). | Java Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java`) | **Emit runtime image components**: when `JavaWorkspaceNormalizer` identifies a runtime image, emit a `java-runtime` component (explicit key or PURL per decision) with metadata `java.version`, `java.vendor`, and `runtimeImagePath` (relative). Evidence must reference the `release` file. Ensure deterministic ordering and do not double-count multiple identical runtime images (same version+vendor+relative path). |
| 5 | SCAN-JAVA-403-005 | TODO | After task 1 or 2, wire bytecode JNI analysis once per scan. | Java Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java`) | **Replace naive JNI string scanning with bytecode-based JNI analysis**: integrate `Internal/Jni/JavaJniAnalyzer` into `JavaLanguageAnalyzer` so JNI usage metadata is derived from parsed method invocations and native method flags (not raw ASCII search). Output must be bounded and deterministic: emit counts + top-N stable samples (e.g., `jni.edgeCount`, `jni.targetLibraries`, `jni.reasons`). Do not emit full class lists unbounded. |
| 6 | SCAN-JAVA-403-006 | TODO | Parallel with tasks 15; keep fixtures minimal. | QA Guild (`src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Java.Tests`) | **Add fixtures + golden outputs for new detection paths**: introduce fixtures covering (a) fat JAR with embedded libs under `BOOT-INF/lib`, (b) WAR with embedded libs under `WEB-INF/lib`, (c) artifact containing only `pom.xml` (no `pom.properties`), (d) multi-module Gradle lockfile layout, and (e) runtime image directory with `release`. Add/extend `JavaLanguageAnalyzerTests.cs` golden harness assertions proving embedded components are emitted with correct nested locators and stable ordering. |
| 7 | SCAN-JAVA-403-007 | TODO | After tasks 12 land, wire perf guard. | Bench Guild (`src/Bench/StellaOps.Bench/Scanner.Analyzers`) | **Add benchmark scenario for fat-archive scanning**: add a deterministic bench case that scans a representative fat JAR fixture and reports component count + elapsed time. Establish a baseline ceiling and ensure CI can run it offline. |
| 8 | SCAN-JAVA-403-008 | TODO | After tasks 15 land, document final contract. | Docs Guild + Java Analyzer Guild (`docs/modules/scanner`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java`) | **Document Java analyzer detection contract**: update `docs/modules/scanner/architecture.md` (or add a Java analyzer sub-doc under `docs/modules/scanner/`) describing: embedded jar scanning rules, nested evidence locator format, lock precedence rules, runtime component emission, JNI metadata semantics, and known limitations (e.g., shaded jars with stripped Maven metadata remain best-effort). Link this sprint from the docs “evidence & determinism” area. |
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| A: Embedded Inventory | Java Analyzer Guild + QA Guild | Locator decision (Action 1) | TODO | Enables detection of fat JAR/WAR embedded libs. |
| B: Coordinates Fallback | Java Analyzer Guild + QA Guild | None | TODO | `pom.xml` fallback for Maven coordinates when properties missing. |
| C: Lock Coverage | Java Analyzer Guild + QA Guild | Precedence decision (Interlock 2) | TODO | Multi-module Gradle lock ingestion improvements. |
| D: Runtime & JNI Context | Java Analyzer Guild + QA Guild | Runtime identity decision (Action 2) | TODO | Runtime component emission + JNI bytecode integration. |
| E: Bench & Docs | Bench Guild + Docs Guild | Waves AD | TODO | Perf ceiling + contract documentation. |
## Wave Detail Snapshots
- **Wave A:** Embedded JAR enumeration + nested evidence locators; fixtures prove fat-archive dependency visibility.
- **Wave B:** `pom.xml` fallback emits Maven PURLs when properties missing; explicit-key “unknown coords” component when insufficient data.
- **Wave C:** Broader Gradle lock ingestion across multi-module layouts; deterministic de-dupe rules and module-context metadata.
- **Wave D:** Runtime image component emitted from `release`; JNI metadata uses bytecode parsing with bounded output.
- **Wave E:** Offline benchmark + documented “what the analyzer promises” contract.
## Interlocks
- Evidence locator format must be stable across analyzers and safe for downstream consumers (CLI/UI/export). (Action 1)
- **Lock precedence and de-duplication:** when multiple lock sources exist (root lock + module lock + build.gradle parsing), precedence must be explicit, deterministic, and covered by tests; do not silently fluctuate based on traversal order.
- Embedded scanning must be bounded (size thresholds, entry limits) to avoid scanning untrusted giant archives; skipped work must be explicitly marked in metadata for auditability.
- Runtime image identity requires a decision: explicit-key component vs a stable PURL scheme; must not introduce false vuln matches. (Action 2)
## Upcoming Checkpoints
- 2025-12-13: Approve nested evidence locator scheme (Action 1) and runtime identity strategy (Action 2).
- 2025-12-16: Waves A+B implemented with fixtures passing locally for Java analyzer test project.
- 2025-12-18: Wave C lock coverage merged with multi-module fixture.
- 2025-12-20: Wave D (runtime + JNI) complete; outputs bounded + deterministic.
- 2025-12-22: Wave E bench + docs complete; sprint ready for DONE review.
## Action Tracker
| # | Action | Owner | Due (UTC) | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | Decide and document nested evidence locator scheme for embedded JAR entries (`outer!inner!path`). | Project Mgmt + Java Analyzer Guild | 2025-12-13 | Open | Must be stable, deterministic, and parseable by exporters. |
| 2 | Decide runtime component identity approach (explicit key vs PURL scheme; if PURL, specify qualifiers). | Project Mgmt + Scanner Guild | 2025-12-13 | Open | Avoid false vuln matches; prefer explicit-key if uncertain. |
| 3 | Define embedded-scan bounds (max embedded jars per archive, max embedded jar size) and required metadata when skipping. | Java Analyzer Guild + Security Guild | 2025-12-13 | Open | Must prevent resource exhaustion from untrusted artifacts. |
## Decisions & Risks
- **Decision (pending):** Embedded locator format and runtime identity strategy (see Action Tracker 12).
| Risk ID | Risk | Impact | Likelihood | Mitigation | Owner | Trigger / Signal |
| --- | --- | --- | --- | --- | --- | --- |
| R1 | Embedded jar scanning increases CPU/memory and can be abused by large payloads. | High | Medium | Hard limits + streaming where possible; deterministic skip markers; add perf bench. | Java Analyzer Guild | Bench regression; OOM/timeout in CI; unusually large jar fixtures. |
| R2 | Nested locator format breaks downstream tooling expectations (export/UI). | Medium | Medium | Decide format up-front; add tests that assert exact locator strings; document contract. | Project Mgmt | Export bundle consumers fail parsing; UI shows confusing paths. |
| R3 | `pom.xml` parsing yields partial/incorrect coordinates (parent inheritance not available). | Medium | Medium | Only emit Maven PURL when `groupId/artifactId/version` are present; otherwise explicit-key component with `unresolvedCoordinates=true`. | Java Analyzer Guild | Golden fixtures show non-deterministic/missing coordinates. |
| R4 | Multi-module lock ingestion causes duplicate “declared-only” components or unstable overwrite rules. | Medium | Medium | Define precedence; stable sort and deterministic overwrite; fixture covering duplicates. | Java Analyzer Guild | Flaky tests; differing outputs depending on directory order. |
| R5 | Runtime “PURL” choice creates false vuln matches for Java runtimes. | High | Low/Medium | Prefer explicit-key component unless a vetted PURL scheme is agreed. | Scanner Guild | Vuln matches spike for runtime-only components without evidence. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-12 | Sprint created to close Java analyzer detection gaps (embedded libs, `pom.xml` fallback, lock coverage, runtime images, JNI integration) with fixtures/bench/docs expectations. | Project Mgmt |

81
docs/implplan/SPRINT_0404_0001_0001_scanner_dotnet_detection_gaps.md Normal file
View File

@@ -0,0 +1,81 @@
# Sprint 0404 - Scanner .NET Analyzer Detection Gaps
## Topic & Scope
- Close .NET inventory blind-spots where the analyzer currently emits **no components** unless `*.deps.json` files are present.
- Add deterministic, offline-first **declared-only** detection paths from build and lock artefacts (csproj/props/CPM/lock files) and make bundling/NativeAOT cases auditable (explicit “under-detected” markers).
- Preserve current behavior for publish-output scans while expanding coverage for source trees and non-standard deployment layouts.
- **Working directory:** `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet` (tests: `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests` and `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Tests`).
## Dependencies & Concurrency
- Builds on the existing .NET analyzer implementation (`DotNetDependencyCollector` / `DotNetPackageBuilder`) and its fixtures under `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Tests/Fixtures/lang/dotnet`.
- Must remain parallel-safe under concurrent scans (no shared mutable global state beyond existing concurrency-safe caches).
- Offline-first: do not restore packages, query feeds, or require MSBuild evaluation that triggers downloads.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/scanner/architecture.md`
- `src/Scanner/AGENTS.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/AGENTS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SCAN-DOTNET-404-001 | TODO | Decide declared-vs-installed merge rules (Action 1). | .NET Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet`) | **Add declared-only fallback when no `*.deps.json` exists**: if `DotNetDependencyCollector` finds zero deps files, collect dependencies from (in order): `packages.lock.json`, SDK-style project files (`*.csproj/*.fsproj/*.vbproj`) with `Directory.Build.props` + `Directory.Packages.props` (CPM), and legacy `packages.config`. Emit declared-only components with deterministic metadata including `declaredOnly=true`, `declared.source`, `declared.locator`, `declared.versionSource`, and `declared.isDevelopmentDependency`. Do not attempt full MSBuild evaluation; only use existing lightweight parsers/resolvers. |
| 2 | SCAN-DOTNET-404-002 | TODO | Requires Action 2 decision on PURL/keying when version unknown. | .NET Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet`) | **Component identity rules for unresolved versions**: when a declared dependency has an unresolved/unknown version (e.g., CPM enabled but missing a version, or property placeholder cannot be resolved), emit a component using `AddFromExplicitKey` (not a versionless PURL) and mark `declared.versionResolved=false` with `declared.unresolvedReason`. Ensure these components cannot collide with real versioned NuGet PURLs. |
| 3 | SCAN-DOTNET-404-003 | TODO | After task 1/2, implement merge logic and tests. | .NET Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet`) | **Merge declared-only with installed packages when deps.json exists**: when `*.deps.json` packages are present, continue emitting installed `pkg:nuget/<id>@<ver>` components as today. Additionally, emit declared-only components for build/lock dependencies that do not match any installed package (match by normalized id + version). When an installed package exists but has no corresponding declared record, tag the installed component with `declared.missing=true`. Merge must be deterministic and independent of filesystem enumeration order. |
| 4 | SCAN-DOTNET-404-004 | TODO | Define bounds and target paths (Interlock 2). | .NET Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet`) | **Surface bundling signals as explicit metadata**: integrate `SingleFileAppDetector` and `ILMergedAssemblyDetector` so scans can record “inventory may be incomplete” signals. Minimum requirement: when a likely bundle is detected, emit metadata on the *entrypoint component(s)* (or a synthetic “bundle” component) including `bundle.kind` (`singlefile`, `ilmerge`, `unknown`), `bundle.indicators` (top-N bounded), and `bundle.filePath`. Do not scan the entire filesystem for executables; only scan bounded candidates (e.g., adjacent to deps.json/runtimeconfig, or explicitly configured). |
| 5 | SCAN-DOTNET-404-005 | TODO | After task 3, decide if edges should include declared edges by default. | .NET Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet`) | **Declared dependency edges output**: when `emitDependencyEdges=true`, include declared edges from build/lock sources in addition to deps.json dependencies, and annotate edge provenance (`edge[*].source=csproj|packages.lock.json|deps.json`). Ensure ordering is stable and bounded (top-N per component if necessary). |
| 6 | SCAN-DOTNET-404-006 | TODO | Parallel with tasks 15; fixtures first. | QA Guild (`src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Tests`, `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.DotNet.Tests`) | **Fixtures + golden outputs**: add fixtures and golden JSON proving new behaviors: (a) **source-tree only** (csproj + Directory.Packages.props + no deps.json), (b) packages.lock.json-only, (c) legacy packages.config-only, (d) mixed case (deps.json present + missing declared record and vice versa), (e) bundled executable indicator fixture (synthetic binary for detector tests, not real apphost). Extend `DotNetLanguageAnalyzerTests` to assert deterministic output and correct declared/installed reconciliation. |
| 7 | SCAN-DOTNET-404-007 | TODO | After core behavior lands, update docs. | Docs Guild + .NET Analyzer Guild (`docs/modules/scanner`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet`) | **Document .NET analyzer contract**: update `docs/modules/scanner/architecture.md` (or add a .NET analyzer sub-doc under `docs/modules/scanner/`) describing: detection sources and precedence, how declared-only is represented, identity rules for unresolved versions, bundling signals, and known limitations (no full MSBuild evaluation, no restore/feed access). Link this sprint from the doc. |
| 8 | SCAN-DOTNET-404-008 | TODO | Optional; only if perf regression risk materializes. | Bench Guild (`src/Bench/StellaOps.Bench/Scanner.Analyzers`) | **Benchmark declared-only scanning**: add a deterministic bench that scans a representative source-tree fixture (many csproj/props/lockfiles) and records elapsed time + component counts. Establish a baseline ceiling and ensure CI can run it offline. |
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| A: Declared-only sources | .NET Analyzer Guild + QA Guild | Decisions in Action 12 | TODO | Enable detection without deps.json. |
| B: Reconciliation & edges | .NET Analyzer Guild + QA Guild | Wave A | TODO | Declared vs installed merge + edge provenance. |
| C: Bundling signals | .NET Analyzer Guild + QA Guild | Interlock 2 | TODO | Make bundling/under-detection auditable. |
| D: Docs & bench | Docs Guild + Bench Guild | Waves AC | TODO | Contract + perf guardrails. |
## Wave Detail Snapshots
- **Wave A:** Standalone declared-only inventory (lockfiles/projects/CPM/packages.config) with deterministic identity and evidence.
- **Wave B:** Merge declared-only with deps.json-installed packages; emit declared-missing/lock-missing markers and optional edge provenance.
- **Wave C:** Bounded bundling detection integrated; no filesystem-wide binary scanning.
- **Wave D:** Contract documentation + optional benchmark to prevent regressions.
## Interlocks
- **Identity & collisions:** Explicit-key components for unresolved versions must never collide with real `pkg:nuget/<id>@<ver>` PURLs (Action 2).
- **Bundling scan bounds:** bundling detectors must be applied only to bounded candidate files; scanning “all executables” is forbidden for perf/safety.
- **No restore/MSBuild evaluation:** do not execute MSBuild or `dotnet restore`; use only lightweight parsing and local file inspection.
## Upcoming Checkpoints
- 2025-12-13: Approve declared-vs-installed precedence and unresolved identity rules (Actions 12).
- 2025-12-16: Wave A complete with fixtures proving deps.json-free detection.
- 2025-12-18: Wave B complete (merge + edge provenance) with mixed-case fixtures.
- 2025-12-20: Wave C complete (bundling signals) with bounded candidate selection and tests.
- 2025-12-22: Docs updated; optional bench decision made; sprint ready for DONE review.
## Action Tracker
| # | Action | Owner | Due (UTC) | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | Define deterministic precedence for dependency sources (deps.json vs lock vs project vs packages.config) and merge rules for “declared missing / installed missing”. | Project Mgmt + .NET Analyzer Guild | 2025-12-13 | Open | Must be testable via fixtures; no traversal-order dependence. |
| 2 | Decide component identity strategy when version cannot be resolved (explicit key scheme + required metadata fields). | Project Mgmt + Scanner Guild | 2025-12-13 | Open | Must avoid false matches and collisions with PURLs. |
| 3 | Define which files qualify as “bundling detector candidates” (adjacent to deps.json/runtimeconfig, configured paths, size limits). | .NET Analyzer Guild + Security Guild | 2025-12-13 | Open | Prevent scanning untrusted large binaries broadly. |
## Decisions & Risks
- **Decision (pending):** precedence + identity strategy (see Action Tracker 12).
| Risk ID | Risk | Impact | Likelihood | Mitigation | Owner | Trigger / Signal |
| --- | --- | --- | --- | --- | --- | --- |
| R1 | Declared-only scanning causes false positives (declared deps not actually shipped). | Medium | Medium | Mark `declaredOnly=true`; keep installed vs declared distinction; allow policy/UI to down-rank declared-only. | .NET Analyzer Guild | Increased component counts without corresponding runtime evidence. |
| R2 | Unresolved version handling creates unstable component identity. | High | Medium | Use explicit-key with stable recipe; include source+locator in key material if needed. | Project Mgmt | Flaky golden outputs; duplicate collisions across projects. |
| R3 | Bundling detectors cause perf regressions or scan untrusted huge binaries. | High | Low/Medium | Bounded candidate selection + size caps; emit “skipped” markers when exceeding limits. | Security Guild + .NET Analyzer Guild | CI timeouts; scanning large container roots. |
| R4 | Adding declared edges creates noisy graphs. | Medium | Medium | Gate behind `emitDependencyEdges`; keep edges bounded and clearly sourced. | .NET Analyzer Guild | Export/UI performance degradation. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-12 | Sprint created to expand .NET analyzer coverage beyond deps.json (declared-only detection, reconciliation, bundling signals, fixtures/docs/bench). | Project Mgmt |

84
docs/implplan/SPRINT_0405_0001_0001_scanner_python_detection_gaps.md Normal file
View File

@@ -0,0 +1,84 @@
# Sprint 0405 · Scanner · Python Detection Gaps
## Topic & Scope
- Close concrete detection gaps in the Python analyzer so scans reliably inventory Python dependencies across **installed envs**, **source trees**, **lockfiles**, **conda**, **wheels/zipapps**, and **container layers**.
- Replace “best-effort by directory enumeration” with **bounded, layout-aware discovery** (deterministic ordering, explicit precedence, and auditable “skipped” markers).
- Produce evidence: new deterministic fixtures + golden outputs, plus a lightweight offline benchmark guarding regressions.
- **Working directory:** `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python` (tests: `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Python.Tests`).
## Dependencies & Concurrency
- Depends on existing scanner contracts for component identity/evidence locators: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/LanguageAnalyzerResult.cs`.
- Interlocks with container/layer conventions used by other analyzers (avoid diverging locator/overlay semantics).
- Parallel-safe with `SPRINT_0403_0001_0001_scanner_java_detection_gaps.md` and `SPRINT_0404_0001_0001_scanner_dotnet_detection_gaps.md` (no shared code changes expected unless explicitly noted).
## Documentation Prerequisites
- `docs/modules/scanner/architecture.md`
- `src/Scanner/AGENTS.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/AGENTS.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/AGENTS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SCAN-PY-405-001 | TODO | Approve identity/precedence rules (Actions 12). | Python Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python`) | **Wire layout-aware discovery into `PythonLanguageAnalyzer`**: stop treating “any `*.dist-info` anywhere” as an installed package source. Use `PythonInputNormalizer` + `PythonVirtualFileSystem` + `PythonPackageDiscovery` as the first-pass inventory (site-packages, editable paths, wheels, zipapps, container layer roots). Ensure deterministic path precedence (later/higher-confidence wins) and bounded scanning (no unbounded full-tree recursion for patterns). Emit package-kind + confidence metadata (`pkg.kind`, `pkg.confidence`, `pkg.location`) for every component. |
| 2 | SCAN-PY-405-002 | TODO | After task 1, define dist-info/egg-info enrichment rules. | Python Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python`) | **Preserve dist-info “deep evidence” while expanding coverage**: for any discovered package with a real `*.dist-info`/`*.egg-info`, continue to enrich with `PythonDistributionLoader` evidence (METADATA/RECORD/WHEEL/entrypoints, RECORD verification stats). For packages discovered without dist-info (e.g., Poetry editable, vendored, zipapp), emit components using `AddFromExplicitKey` with stable identity rules (Action 1) and evidence pointing to the originating file(s) (`pyproject.toml`, lockfile, archive path). |
| 3 | SCAN-PY-405-003 | TODO | Decide lock precedence + supported formats scope (Action 2). | Python Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python`) | **Expand lockfile/requirements detection and parsing**: upgrade `PythonLockFileCollector` to (a) discover lock/requirements files deterministically (root + nested common paths), (b) support `-r/--requirement` includes with cycle detection, (c) correctly handle editable `-e/--editable` lines, (d) parse PEP 508 specifiers (not only `==/===`) and `name @ url` direct references, and (e) include Pipenv `develop` section. Add opt-in support for at least one modern lock (`uv.lock` or `pdm.lock`) with deterministic record ordering and explicit “unsupported line” counters. |
| 4 | SCAN-PY-405-004 | TODO | Requires container overlay decision (Action 3). | Python Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python`) | **Correct container-layer inventory semantics**: when scanning raw OCI layer trees (`layers/`, `.layers/`, `layer*/`), honor whiteouts/overlay ordering so removed packages are not reported. Use/extend `Internal/Packaging/Adapters/ContainerLayerAdapter` semantics as the source of truth for precedence. Emit explicit metadata markers when inventory is partial due to missing overlay context (e.g., `container.overlayIncomplete=true`). |
| 5 | SCAN-PY-405-005 | TODO | Decide representation for vendored deps (Action 4). | Python Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python`) | **Surface vendored (bundled) Python deps**: integrate `VendoredPackageDetector` so known vendoring patterns (`*_vendor`, `third_party`, `requests.packages`, etc.) are detected. Emit either (a) separate “embedded” components with bounded evidence locators (preferred) or (b) a bounded metadata summary on the parent package (`vendored.detected=true`, `vendored.packages`, `vendored.paths`). Never emit unbounded file/module lists; cap to top-N deterministic samples. |
| 6 | SCAN-PY-405-006 | TODO | After task 13, decide “used-by-entrypoint” upgrade approach (Interlock 4). | Python Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python`) | **Improve “used by entrypoint” and scope classification**: today `usedByEntrypoint` primarily comes from RECORD/script hints. Extend this by optionally mapping source-tree imports (`PythonImportAnalysis`) and/or runtime evidence (`PythonRuntimeEvidenceCollector`) to packages (via `TopLevelModules`) so “likely used” can be signaled deterministically (bounded, opt-in). Add `scope` metadata using `PythonScopeClassifier` (prod/dev/docs/build) based on lock sections and requirements file names. |
| 7 | SCAN-PY-405-007 | TODO | Parallel with tasks 16; fixtures first. | QA Guild (`src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Python.Tests`) | **Fixtures + golden outputs**: add fixtures proving new detection paths: (a) conda env (`conda-meta/*.json`) without dist-info, (b) requirements with `-r` includes + `-e .` editable, (c) Pipfile.lock with `default` + `develop`, (d) wheel file in workspace (no extraction), (e) zipapp/pyz with embedded requirements, (f) container layers with whiteouts hiding a dist-info dir, (g) vendored dependency directory under a package. Extend `PythonLanguageAnalyzerTests.cs` to assert deterministic ordering, stable identities, and bounded metadata. |
| 8 | SCAN-PY-405-008 | TODO | After core behavior lands, update docs + perf guard. | Docs Guild + Bench Guild (`docs/modules/scanner`, `src/Bench/StellaOps.Bench/Scanner.Analyzers`) | **Document + benchmark Python analyzer contract**: update `docs/modules/scanner/architecture.md` (or add a Python analyzer sub-doc) describing detection sources & precedence, lock parsing rules, container overlay semantics, vendoring representation, and identity rules for non-versioned components. Add a deterministic offline bench scanning a representative fixture (many packages + lockfiles) and record baseline ceilings (time + components count). |
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| A: Discovery Backbone | Python Analyzer Guild + QA Guild | Actions 12 | TODO | Wire input normalization + package discovery; reduce false positives. |
| B: Lock Coverage | Python Analyzer Guild + QA Guild | Action 2 | TODO | Requirements/includes/editables + modern locks + Pipenv develop. |
| C: Containers & Vendoring | Python Analyzer Guild + QA Guild | Actions 34 | TODO | Whiteouts/overlay correctness + vendored packages surfaced. |
| D: Usage & Scope | Python Analyzer Guild + QA Guild | Interlock 4 | TODO | Improve “used by entrypoint” + scope classification (opt-in). |
| E: Docs & Bench | Docs Guild + Bench Guild | Waves AD | TODO | Contract doc + offline benchmark. |
## Wave Detail Snapshots
- **Wave A:** Layout-aware discovery (VFS + discovery) becomes the primary inventory path; deterministic precedence and bounded scans.
- **Wave B:** Lock parsing supports real-world formats (includes, editables, PEP 508) and emits declared-only components without silent drops.
- **Wave C:** Container overlay semantics prevent false positives; vendored deps become auditable inventory signals.
- **Wave D:** Optional, deterministic “used likely” signals and package scopes reduce noise and improve reachability inputs.
- **Wave E:** Documented contract + perf ceiling ensures the new logic stays stable.
## Interlocks
- **Identity & collisions:** Components without reliable versions (vendored/local/zipapp/project) must use `AddFromExplicitKey` with a stable, non-colliding key scheme. (Action 1)
- **Lock precedence:** When multiple sources exist (requirements + Pipfile.lock + poetry.lock + pyproject), precedence must be explicit and deterministic (Action 2).
- **Container overlay correctness:** If scanning raw layers, whiteouts must be honored; otherwise mark overlay as incomplete and avoid false inventory claims. (Action 3)
- **“Used-by-entrypoint” semantics:** Any import/runtime-based usage hints must be bounded, opt-in, and deterministic; avoid turning heuristic signals into hard truth. (Interlock 4)
## Upcoming Checkpoints
- 2025-12-13: Approve identity scheme + lock precedence + container overlay expectations (Actions 13).
- 2025-12-16: Wave A complete with fixtures proving VFS-based discovery is stable and deterministic.
- 2025-12-18: Wave B complete with real-world requirements/includes/editables + Pipenv develop coverage.
- 2025-12-20: Wave C complete (whiteouts/overlay + vendoring) with bounded outputs.
- 2025-12-22: Wave D decision + implementation (if enabled) and Wave E docs/bench complete; sprint ready for DONE review.
## Action Tracker
| # | Action | Owner | Due (UTC) | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | Decide explicit-key identity scheme for non-versioned Python components (vendored/local/zipapp/project) and document it. | Project Mgmt + Scanner Guild | 2025-12-13 | Open | Must avoid collisions with `pkg:pypi/<name>@<ver>` PURLs; prefer explicit-key when uncertain. |
| 2 | Decide lock/requirements precedence order + dedupe rules and document them as a contract. | Project Mgmt + Python Analyzer Guild | 2025-12-13 | Open | Must not depend on filesystem traversal order; include “unsupported line count” requirement. |
| 3 | Decide container overlay handling contract for raw `layers/` inputs (whiteouts, ordering, “merged vs raw” expectations). | Project Mgmt + Scanner Guild | 2025-12-13 | Open | If upstream provides merged rootfs, clarify whether Python analyzer should still scan raw layers. |
| 4 | Decide how vendored deps are represented (separate embedded components vs parent-only metadata) and how to avoid false vuln matches. | Project Mgmt + Python Analyzer Guild | 2025-12-13 | Open | Prefer separate components only when identity/version is defensible; otherwise bounded metadata summary. |
## Decisions & Risks
- **Decision (pending):** Identity scheme for non-versioned components, lock precedence, and container overlay expectations (Action Tracker 13).
| Risk ID | Risk | Impact | Likelihood | Mitigation | Owner | Trigger / Signal |
| --- | --- | --- | --- | --- | --- | --- |
| R1 | Broader lock parsing introduces non-determinism (order/duplication) across platforms. | High | Medium | Stable sorting, explicit precedence, and golden fixtures for each format (incl. `-r` cycles). | Python Analyzer Guild | Flaky golden outputs; different results between Windows/Linux agents. |
| R2 | Container-layer scanning reports packages that are effectively deleted by whiteouts. | High | Medium | Implement/validate overlay semantics; add whiteout fixtures; mark overlayIncomplete when uncertain. | Scanner Guild | Inventory shows duplicates; reports packages not present in merged rootfs. |
| R3 | Vendored detection inflates inventory and causes false vulnerability correlation. | High | Medium | Prefer explicit-key or bounded metadata when version unknown; require defensive identity rules + docs. | Python Analyzer Guild | Sudden vuln-match spike on vendored-only signals. |
| R4 | Integrating VFS/discovery increases CPU/memory or scan time. | Medium | Medium | Bounds on scanning; benchmark; avoid full-tree recursion for patterns; reuse existing parsed results. | Bench Guild | Bench regression beyond agreed ceiling; timeouts in CI. |
| R5 | “Used-by-entrypoint” heuristics get misinterpreted as truth. | Medium | Low/Medium | Keep heuristic usage signals opt-in, clearly labeled, and bounded; document semantics. | Project Mgmt | Downstream policy relies on “used” incorrectly; unexpected risk decisions. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-12 | Sprint created to close Python analyzer detection gaps (layout-aware discovery, lockfile expansion, container overlay correctness, vendoring signals, optional usage/scope improvements) with fixtures/bench/docs expectations. | Project Mgmt |

87
docs/implplan/SPRINT_0406_0001_0001_scanner_node_detection_gaps.md Normal file
View File

@@ -0,0 +1,87 @@
# Sprint 0406 · Scanner · Node Detection Gaps
## Topic & Scope
- Close concrete detection gaps in the Node analyzer so scans reliably produce **complete, correct, deterministic** component inventories across npm/Yarn/PNPM, workspaces, PnP, tarballs, and container layer layouts.
- Ensure declared-only dependencies (lock/package.json) are represented **safely** (no invalid/over-confident PURLs from version ranges) and merged deterministically with installed/on-disk evidence.
- Improve lockfile fidelity for **multi-version** dependencies (common in Node) and modern lock formats (Yarn Berry, newer pnpm schemas) while staying offline-first.
- Produce evidence: new deterministic fixtures + golden outputs, plus an offline benchmark guarding performance regressions.
- **Working directory:** `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node` (tests: `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Node.Tests`).
## Dependencies & Concurrency
- Depends on shared component identity/evidence mechanisms: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/LanguageAnalyzerResult.cs:85`.
- Concurrency-safe with `SPRINT_0403_0001_0001_scanner_java_detection_gaps.md` and `SPRINT_0404_0001_0001_scanner_dotnet_detection_gaps.md` and `SPRINT_0405_0001_0001_scanner_python_detection_gaps.md` unless identity/locator conventions are standardized cross-analyzer (Action 1).
## Documentation Prerequisites
- `docs/modules/scanner/architecture.md`
- `src/Scanner/AGENTS.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/AGENTS.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/AGENTS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SCAN-NODE-406-001 | TODO | Decide identity/declared-only scheme (Action 1). | Node Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node`) | **Emit declared-only components**: `NodeLockData.LoadAsync` already builds `DeclaredPackages` from lockfiles + `package.json`, but `NodeLanguageAnalyzer` never emits them. Add a deterministic “declared-only emission” pass that emits components for any `DeclaredPackages` entry not backed by on-disk inventory. Must include: `declaredOnly=true`, `declared.source` (`package.json|package-lock.json|yarn.lock|pnpm-lock.yaml`), `declared.locator` (stable), `declared.versionSpec` (original range/tag), `declared.scope` (prod/dev/peer/optional if known), and `declared.resolvedVersion` (only when lock provides concrete). **Critical:** do not emit `pkg:npm/...@<range>` PURLs; use `AddFromExplicitKey` when version is not a concrete resolved version. |
| 2 | SCAN-NODE-406-002 | TODO | After Action 2, implement + fixtures. | Node Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node`) | **Multi-version lock correctness**: fix `NodeLockData` to support multiple versions per package name and match lock entries by `(name, resolvedVersion)` when the on-disk package.json has a concrete version. Add a `TryGet(relativePath, name, version)` overload (or equivalent) so lock metadata (`integrity`, `resolved`, `scope`) attaches to the correct package instance. Replace/augment `_byName` with a deterministic `(name@version)->entry` map for yarn/pnpm sources. |
| 3 | SCAN-NODE-406-003 | TODO | No external YAML libs; keep deterministic. | Node Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node`) | **Support Yarn Berry (v2/v3) lock format**: extend `NodeLockData.LoadYarnLock` to parse modern `yarn.lock` entries that use `resolution:` / `checksum:` / `linkType:` (and may not have `resolved`/`integrity`). Map `checksum` to an integrity-like field (metadata/evidence) and preserve the raw locator key as `lockLocator`. Ensure multiple versions of the same package are preserved (Task 2). Add fixtures covering Yarn v1 and Yarn v3 lock styles. |
| 4 | SCAN-NODE-406-004 | TODO | Align with Action 3 on “integrity missing” semantics. | Node Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node`) | **Harden pnpm lock parsing**: extend `LoadPnpmLock` to handle packages that have no `integrity` (workspace/file/link/git) without silently dropping them. Emit declared-only entries with `declared.resolvedVersion` (if known) and `lockIntegrityMissing=true` + reason. Add support for newer pnpm layouts (`snapshots:`) when present, while keeping parsing bounded and deterministic. |
| 5 | SCAN-NODE-406-005 | TODO | After task 2, fix path name extraction and tests. | Node Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node`) | **Fix `package-lock.json` nested node_modules naming**: `ExtractNameFromPath` mis-identifies `node_modules/parent/node_modules/child` unless `name` is present. Update extraction to select the last package segment after the last `node_modules` (incl. scoped packages). Add tests that prove nested dependencies are keyed correctly and lock metadata is attached to the right on-disk package. |
| 6 | SCAN-NODE-406-006 | TODO | Decide workspace glob support (Action 2). | Node Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node`) | **Improve workspace discovery**: `NodeWorkspaceIndex` only supports patterns ending with `/*`. Extend it to support at least `**`-style patterns used in monorepos (e.g., `packages/**`, `apps/*`, `tools/*`). Ensure expansion is deterministic and safe (bounds on directory traversal; ignore `node_modules`). Add fixtures for multi-depth workspace patterns. |
| 7 | SCAN-NODE-406-007 | TODO | After task 6, add scope index for workspaces. | Node Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node`) | **Workspace-aware dependency scopes**: `NodeDependencyIndex` reads only root `package.json`. Extend scope classification to include workspace member manifests so `scope`/`riskLevel` metadata is correct for workspace packages. Must preserve precedence rules (root vs workspace vs lock) and be deterministic. |
| 8 | SCAN-NODE-406-008 | TODO | Requires Action 4 decision on import scanning bounds. | Node Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node`) | **Import scanning correctness + bounds**: `NodeImportWalker` uses `ParseScript` which misses ESM `import` syntax and fails on TS. Improve by attempting `ParseModule` when script parse fails, and add a bounded heuristic fallback for TS (`import ... from`, `export ... from`) when AST parsing fails. Also bound `AttachImports` so it does not recursively scan every file inside `node_modules` trees by default; restrict to source roots/workspace members and/or cap by file count and total bytes, emitting `importScanSkipped=true` + counters when capped. |
| 9 | SCAN-NODE-406-009 | TODO | After task 1, adopt consistent evidence hashing. | Node Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node`) | **Deterministic evidence hashing for on-disk `package.json`**: today tar/zip packages attach `PackageSha256`, but on-disk packages typically do not. Compute sha256 for `package.json` contents for installed packages (bounded: only package.json, not full dir) and attach to root evidence consistently. Do not hash large files; do not add unbounded IO. |
| 10 | SCAN-NODE-406-010 | TODO | Parallel with tasks 19; fixtures first. | QA Guild (`src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Node.Tests`) | **Fixtures + golden outputs**: add/extend fixtures proving: (a) lock-only project (no node_modules) emits declared-only components, (b) Yarn v3 lock parses + multi-version packages preserved, (c) pnpm lock with workspace/link deps doesnt silently drop, (d) package-lock nested node_modules naming is correct, (e) workspace glob patterns beyond `/*`, (f) container layout where app `package.json` is not at root (e.g., `/app/package.json` inside a layer root) still emits the app component, (g) ESM + TS import scanning captures imports (bounded) and emits deterministic evidence. Update `NodeLanguageAnalyzerTests.cs` and targeted unit tests (`NodeLockDataTests.cs`, `NodePackageCollectorTests.cs`) to assert deterministic ordering and identity rules. |
| 11 | SCAN-NODE-406-011 | TODO | After core behavior lands, update docs + perf guard. | Docs Guild + Bench Guild (`docs/modules/scanner`, `src/Bench/StellaOps.Bench/Scanner.Analyzers`) | **Document + benchmark Node analyzer contract**: document precedence (installed vs declared), identity rules for unresolved versions, Yarn/pnpm lock parsing guarantees/limits, workspace discovery rules, import scanning bounds/semantics, and container layout assumptions. Add a deterministic offline bench that scans a representative fixture (workspace + lock-only + import scan enabled) and records elapsed time + component counts (and file-scan counters) with a baseline ceiling. |
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| A: Declared-only & identity | Node Analyzer Guild + QA Guild | Action 1 | TODO | Emit declared-only safely; avoid invalid PURLs. |
| B: Lock fidelity | Node Analyzer Guild + QA Guild | None | TODO | Multi-version lock correctness + Yarn Berry + pnpm hardening + nested path fixes. |
| C: Workspaces & containers | Node Analyzer Guild + QA Guild | Action 2 | TODO | Workspace glob support + scope attribution + container app-root discovery. |
| D: Imports & evidence | Node Analyzer Guild + QA Guild | Action 4 | TODO | ESM/TS import correctness + bounded scanning + package.json hashing. |
| E: Docs & bench | Docs Guild + Bench Guild | Waves AD | TODO | Contract + performance ceiling. |
## Wave Detail Snapshots
- **Wave A:** Declared-only dependencies become visible and safely keyed (no range-as-version PURLs).
- **Wave B:** Lock metadata attaches to the correct package instance even with multiple versions; modern Yarn/pnpm formats handled deterministically.
- **Wave C:** Workspace membership discovery is robust for common monorepo patterns; scope metadata reflects workspace manifests; container app roots are not missed.
- **Wave D:** Import evidence captures ESM/TS and remains bounded; package.json evidence hashing becomes consistent.
- **Wave E:** Contract doc + offline bench prevent regressions.
## Interlocks
- **Identity safety:** Never emit `pkg:npm/...@<range>` or otherwise treat version ranges/tags as concrete versions (Action 1).
- **Lock precedence:** When multiple lock sources exist, define deterministic precedence for metadata attachment (e.g., package-lock by path > declared(name@version) > yarn/pnpm by name@version). (Action 3)
- **Workspace traversal bounds:** Workspace expansion must not crawl `node_modules` and must have explicit depth/file limits. (Action 2)
- **Import scanning bounds:** Do not recursively scan the entire filesystem (or dependency trees) without caps; skipped work must be explicit in metadata. (Action 4)
## Upcoming Checkpoints
- 2025-12-13: Approve identity scheme + workspace glob bounds + import-scan bounds (Actions 124).
- 2025-12-16: Wave A complete (declared-only emission) with lock-only fixture.
- 2025-12-18: Wave B complete (multi-version locks + Yarn Berry + pnpm hardening + nested naming).
- 2025-12-20: Wave C complete (workspace globs + scope attribution + container app-root fixture).
- 2025-12-22: Wave D complete (ESM/TS imports + bounds + package.json hashing) and Wave E docs/bench done; sprint ready for DONE review.
## Action Tracker
| # | Action | Owner | Due (UTC) | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | Decide explicit-key identity scheme for declared-only Node deps (ranges/tags/git/file/workspace) and document it. | Project Mgmt + Scanner Guild | 2025-12-13 | Open | Must not collide with concrete `pkg:npm/...@<version>` PURLs; must be stable across OS paths. |
| 2 | Decide workspace glob expansion rules (supported patterns, bounds, excluded dirs like `node_modules`). | Project Mgmt + Node Analyzer Guild | 2025-12-13 | Open | Keep deterministic and safe under untrusted inputs. |
| 3 | Decide lock metadata precedence when multiple sources exist and when lock lacks integrity/resolution. | Project Mgmt + Node Analyzer Guild | 2025-12-13 | Open | Must be explicit and test-covered; never depend on file traversal order. |
| 4 | Decide import-scanning policy: default enabled/disabled, scope (workspace only vs all packages), and caps to enforce. | Project Mgmt + Node Analyzer Guild | 2025-12-13 | Open | Must prevent runaway scans; skipped scans must be auditable. |
## Decisions & Risks
- **Decision (pending):** Declared-only identity scheme, workspace glob bounds, lock precedence, and import scanning caps (Action Tracker 14).
| Risk ID | Risk | Impact | Likelihood | Mitigation | Owner | Trigger / Signal |
| --- | --- | --- | --- | --- | --- | --- |
| R1 | Declared-only identity causes false vulnerability matches (ranges treated as versions). | High | Medium | Enforce explicit-key for non-concrete versions; document semantics; fixtures prove no `@^1.2.3` PURLs. | Node Analyzer Guild | Vuln-match spike on declared-only components; invalid PURL reports. |
| R2 | Multi-version dependencies get wrong integrity/resolution metadata. | Medium | High | Add `(name@version)` matching + fixtures with two versions of same package; deterministic merge rules. | Node Analyzer Guild | Mismatched integrity in evidence; inconsistent lockLocator attribution. |
| R3 | Yarn Berry/pnpm lock parsing breaks on format drift. | Medium | Medium | Keep parser tolerant and bounded; emit “unsupportedFields/lines” counters; add fixtures per lock version. | Node Analyzer Guild | Real projects show zero lock entries despite lockfile present. |
| R4 | Workspace glob expansion becomes a perf trap or scans unexpected dirs. | Medium | Medium | Explicit bounds + skip `node_modules` + depth caps; add tests for worst-case patterns. | Node Analyzer Guild | Bench regression; CI timeout; unexpected traversal of dependency trees. |
| R5 | Import scanning explodes runtime and output size. | High | Medium | Restrict scope + caps; emit `importScanSkipped` markers; benchmark and set ceiling. | Bench Guild | Time/memory regression; extremely large evidence arrays. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-12 | Sprint created to close Node analyzer detection gaps (declared-only emission, multi-version lock fidelity, Yarn Berry/pnpm parsing, workspace glob support, import scanning correctness/bounds, deterministic evidence hashing) with fixtures/bench/docs expectations. | Project Mgmt |

91
docs/implplan/SPRINT_0407_0001_0001_scanner_bun_detection_gaps.md Normal file
View File

@@ -0,0 +1,91 @@
# Sprint 0407 - Scanner Bun Detection Gaps
## Topic & Scope
- Close Bun inventory blind-spots so scans reliably inventory dependencies across **installed `node_modules`**, **lockfile-only**, **workspace layouts**, **patched dependencies**, and **container layer trees**.
- Improve correctness and safety: never emit invalid/confident `pkg:npm/...@<range>` style identities; avoid leaking absolute paths; keep outputs deterministic with explicit bounds and audited “skipped” markers.
- Produce hard evidence: new fixtures + golden outputs covering bunfig-only projects, version-specific patches, container layer roots (`layers/`, `.layers/`, `layer*/`), and bun.lock v1 graph-based dev/prod classification.
- **Working directory:** `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun` (tests: `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Bun.Tests`; optional benches: `src/Bench/StellaOps.Bench/Scanner.Analyzers`).
## Dependencies & Concurrency
- Interlocks with Node analyzer conventions for container root discovery and identity safety:
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/NodeInputNormalizer.cs`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/NodeLockData.cs`
- Must remain parallel-safe with other language analyzers: no shared mutable global state; deterministic iteration over filesystem and lock entries.
- Offline-first: do not run `bun`, do not fetch registries, do not assume network.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/scanner/architecture.md`
- `src/Scanner/AGENTS.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/AGENTS.md`
- **Missing today (must be created before tasks flip to DOING):** `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/AGENTS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SCAN-BUN-407-001 | TODO | Decide container root discovery contract (Action 2). | Bun Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun`) | **Container-layer aware project discovery**: extend `Internal/BunProjectDiscoverer.cs` to discover Bun project roots not only under `context.RootPath`, but also under common OCI unpack layouts used elsewhere in scanner: `layers/*`, `.layers/*`, and `layer*` direct children. Do not skip hidden roots wholesale: `.layers` must be included. Keep traversal bounded and deterministic: (a) stable ordering of enumerated directories, (b) explicit depth caps per root, (c) hard cap on total discovered roots, (d) must never recurse into `node_modules/` and must skip large/non-project dirs deterministically. Acceptance: new fixture `lang/bun/container-layers` proves a Bun project placed under `.layers/layer0/app` is found and scanned. |
| 2 | SCAN-BUN-407-002 | TODO | Decide identity rules for non-concrete versions (Action 1). | Bun Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun`) | **Declared-only fallback for bun markers**: if `BunProjectDiscoverer` identifies a project root (via `bunfig.toml`/`package.json`/etc.) but `BunInputNormalizer` returns `None` (no `node_modules`, no `bun.lock`), emit declared-only components from `package.json` dependencies. Requirements: (a) do not emit `pkg:npm/...@<range>` PURLs for version ranges/tags; use `AddFromExplicitKey` when version is not a concrete resolved version, (b) include deterministic metadata `declaredOnly=true`, `declared.source=package.json`, `declared.locator=<relative>#<section>`, `declared.versionSpec=<original>`, `declared.scope=<prod|dev|peer|optional>`, and (c) include root package.json evidence with sha256 (bounded). Acceptance: new fixture `lang/bun/bunfig-only` emits declared-only components for both `dependencies` and `devDependencies` with safe identities. |
| 3 | SCAN-BUN-407-003 | TODO | Decide dev/optional/peer semantics for bun.lock v1 (Action 3). | Bun Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun`) | **bun.lock v1 graph enrichment (dev/optional/peer + edges)**: upgrade `Internal/BunLockParser.cs` to preserve dependency edges from bun.lock v1 array form (capture dependency value/specifier, not only names) and to parse optional peer information when present. Build a bounded dependency graph that starts from root `package.json` declarations (prod/dev/optional/peer) and propagates reachability to lock entries, marking `BunLockEntry.IsDev/IsOptional/IsPeer` deterministically. If the graph cannot disambiguate (multiple versions/specifier mismatch), do not guess; emit `scopeUnknown=true` and keep `IsDev=false` unless positively proven. Acceptance: add fixture `lang/bun/lockfile-dev-classification` demonstrating: (a) dev-only packages are tagged `dev=true` and are excluded when `includeDev=false`, (b) prod packages remain untagged, (c) the decision is stable across OS/filesystem ordering. |
| 4 | SCAN-BUN-407-004 | TODO | After task 3 lands, wire filter & metadata into emission. | Bun Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun`) | **Make `includeDev` meaningful**: `Internal/BunLockInventory.cs` currently filters by `entry.IsDev`, but bun.lock array parsing sets `IsDev=false` always. After graph enrichment (Task 3), implement deterministic filtering for lockfile-only scans and ensure installed scans also carry dev/optional/peer metadata when lock data is present. Acceptance: tests show dev filtering affects output only when the analyzer can prove dev reachability; otherwise outputs remain but are marked `scopeUnknown=true`. |
| 5 | SCAN-BUN-407-005 | TODO | Decide patch-keying and path normalization (Action 4). | Bun Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun`) | **Version-specific patch mapping + no absolute paths**: fix `Internal/BunWorkspaceHelper.cs` so `patchedDependencies` keys preserve version specificity (`name@version`), and patch-directory discovery emits **relative** deterministic paths (relative to project root) rather than absolute OS paths. Update `BunLanguageAnalyzer` patch application so it first matches `name@version`, then falls back to `name` only when unambiguous. Acceptance: add fixture `lang/bun/patched-multi-version` with two patch files for the same package name at different versions; output marks only the correct version as patched and never includes absolute paths. |
| 6 | SCAN-BUN-407-006 | TODO | Align locator conventions with Node analyzer (Action 2). | Bun Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun`) | **Evidence strengthening + locator precision**: improve `Internal/BunPackage.CreateEvidence()` so evidence locators are stable and specific: (a) package.json evidence includes sha256 (bounded; if skipped, emit `packageJsonHashSkipped=true` with reason), (b) bun.lock evidence uses locator `bun.lock#packages/<name@version>` (or another agreed deterministic locator format) instead of plain `bun.lock`, (c) optionally include lockfile sha256 once per project root in a synthetic “bun.lock evidence record” component or via repeated evidence with identical sha256 (bounded). Acceptance: update existing Bun fixtures goldens to reflect deterministic hashing and locator formats, with no nondeterministic absolute paths. |
| 7 | SCAN-BUN-407-007 | TODO | Decide identity rules for non-npm sources (Action 1). | Bun Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun`) | **Identity safety for non-npm sources**: `Internal/BunPackage.BuildPurl()` always emits `pkg:npm/<name>@<version>`. Define and implement rules for `SourceType != npm` (git/file/link/workspace/tarball/custom-registry): when `version` is not a concrete registry version, emit `AddFromExplicitKey` (no PURL) and preserve the original specifier/resolved URL in metadata. If a PURL is emitted, it must be valid and must not embed raw specifiers like `workspace:*` as a “version”. Acceptance: add fixture `lang/bun/non-concrete-versions` demonstrating safe identities for `workspace:*` / `link:` / `file:` styles (if representable in bun.lock), with deterministic explicit keys and clear metadata markers. |
| 8 | SCAN-BUN-407-008 | TODO | After tasks 17, document analyzer contract. | Docs Guild + Bun Analyzer Guild | **Document Bun analyzer detection contract**: add/update `docs/modules/scanner/analyzers-bun.md` (or the closest existing scanner doc) describing: what artifacts are used (node_modules, bun.lock, package.json), precedence rules, identity rules (PURL vs explicit-key), dev/optional/peer semantics, container layer root handling, and bounds (depth/roots/files/hash limits). Link this sprint from the doc and add a brief “known limitations” section (e.g., bun.lockb unsupported). |
| 9 | SCAN-BUN-407-009 | TODO | Optional; only if perf regression risk materializes. | Bench Guild (`src/Bench/StellaOps.Bench/Scanner.Analyzers`) | **Offline benchmark**: add a deterministic bench that scans a representative Bun monorepo fixture (workspaces + many packages) and records elapsed time + component counts. Establish a ceiling and guard against regressions. |
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| A: Discovery & Declared-only | Bun Analyzer Guild + QA Guild | Actions 12 | TODO | Make projects discoverable and avoid “no output” cases. |
| B: Lock graph & scopes | Bun Analyzer Guild + QA Guild | Action 3 | TODO | Correct dev/optional/peer and make includeDev meaningful. |
| C: Patches & evidence | Bun Analyzer Guild + QA Guild | Action 4 | TODO | Version-specific patches; deterministic evidence/hashes. |
| D: Identity safety | Bun Analyzer Guild + Security Guild | Action 1 | TODO | Non-npm sources and non-concrete versions never become “fake versions”. |
| E: Docs & bench | Docs Guild + Bench Guild | Waves AD | TODO | Contract and perf guardrails. |
## Wave Detail Snapshots
- **Wave A:** Discover Bun projects under OCI layer layouts; declared-only emission when no install/lock evidence exists.
- **Wave B:** bun.lock v1 graph enrichment provides auditable dev/optional/peer classification and enables reliable dev filtering.
- **Wave C:** Patched dependency mapping is version-correct and deterministic; evidence locators/hashes become strong and stable.
- **Wave D:** Identity rules prevent invalid PURLs and reduce false vuln matches for non-registry packages.
- **Wave E:** Documented contract + optional benchmark keeps behavior stable over time.
## Interlocks
- **Identity safety:** Never emit `pkg:npm/...@<range|tag|workspace:*|file:...|link:...>`; use explicit keys for non-concrete versions/specifiers. (Action 1)
- **Container traversal bounds:** Project discovery must not devolve into full-root recursion on container roots; bounds must be explicit and test-covered. (Action 2)
- **Scope correctness:** Dev/optional/peer flags must be derived deterministically (graph or explicit signals). When uncertain, mark unknown rather than guessing. (Action 3)
- **No path leakage:** Metadata/evidence must not include absolute host paths (patch file discovery is the primary risk). (Action 4)
## Upcoming Checkpoints
- 2025-12-13: Approve identity scheme + container discovery contract + scope semantics + patch rules (Actions 14).
- 2025-12-16: Wave A complete with container-layers + bunfig-only fixtures passing.
- 2025-12-18: Wave B complete with dev/optional/peer classification fixture and includeDev filter tests.
- 2025-12-20: Wave C + D complete (patch mapping + evidence hashing + identity safety) with updated goldens.
- 2025-12-22: Wave E docs complete; bench decision made; sprint ready for DONE review.
## Action Tracker
| # | Action | Owner | Due (UTC) | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | Decide explicit-key identity scheme for Bun declared-only and non-npm sources (ranges/tags/git/file/link/workspace). | Project Mgmt + Scanner Guild | 2025-12-13 | Open | Must not collide with concrete `pkg:npm/...@<version>` identities; must be stable across OS paths. |
| 2 | Decide and document container layer root discovery rules for Bun analyzer (parity with Nodes `layers/.layers/layer*` conventions, depth/roots bounds). | Project Mgmt + Bun Analyzer Guild | 2025-12-13 | Open | Must prevent runaway scans on untrusted rootfs layouts; must be fixture-tested. |
| 3 | Decide bun.lock v1 scope derivation rules (dev/optional/peer) and how uncertainty is represented (`scopeUnknown` markers). | Project Mgmt + Bun Analyzer Guild | 2025-12-13 | Open | Must be deterministic; avoid false “dev=false” claims when graph is ambiguous. |
| 4 | Decide patched dependency keying and deterministic path normalization (relative path base, name@version precedence, fallback rules). | Project Mgmt + Bun Analyzer Guild + Security Guild | 2025-12-13 | Open | Must avoid absolute path leakage; ensure correct version-specific patch attribution. |
| 5 | Create missing module charter: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/AGENTS.md`. | Project Mgmt | 2025-12-13 | Open | Required before implementation tasks can enter DOING per global charter. |
## Decisions & Risks
- **Decision (pending):** identity scheme, container discovery, scope derivation, patch rules (Action Tracker 14).
| Risk ID | Risk | Impact | Likelihood | Mitigation | Owner | Trigger / Signal |
| --- | --- | --- | --- | --- | --- | --- |
| R1 | Container root discovery causes perf regressions on large rootfs trees. | High | Medium | Explicit bounds + deterministic skipping; add container-layers fixture and (optional) benchmark. | Bun Analyzer Guild | CI timeouts; high CPU usage scanning container roots. |
| R2 | Dev/optional/peer classification is wrong or unstable due to ambiguous graph edges. | High | Medium | Prefer “unknown” markers over guesses; stabilize matching using dependency specifiers when available; fixture for ambiguity. | Bun Analyzer Guild | Flaky golden outputs; incorrect dev filtering reported by users. |
| R3 | Invalid PURLs or range-as-version identities cause false vulnerability matches. | High | Medium | Explicit-key for non-concrete versions; document semantics; add fixtures asserting absence of invalid `@^...` or `@workspace:*` PURLs. | Security Guild + Bun Analyzer Guild | Vuln-match spike; downstream consumers reject PURLs. |
| R4 | Absolute paths leak into metadata/evidence (patch discovery, symlink realpaths). | Medium | Medium | Normalize to project-relative paths; add fixture that fails if absolute paths appear. | Bun Analyzer Guild | Golden diffs include host-specific paths. |
| R5 | Evidence hashing increases runtime and memory usage. | Medium | Low/Medium | Hash only bounded files; cache per file path; record `hashSkipped` markers when exceeding size caps. | Bench Guild | Bench regression; memory spikes. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-12 | Sprint created to close Bun analyzer detection gaps (container-layer discovery, declared-only fallback, bun.lock scope graph, version-specific patches, evidence hashing, identity safety) with fixtures/docs/bench expectations. | Project Mgmt |

95
docs/implplan/SPRINT_0408_0001_0001_scanner_language_detection_gaps_program.md Normal file
View File

@@ -0,0 +1,95 @@
# Sprint 0408 - Scanner Language Detection Gaps (Implementation Program)
## Topic & Scope
- Implement **all currently identified detection gaps** across the language analyzers: Java, .NET, Python, Node, Bun.
- Align cross-analyzer contracts where gaps overlap: **identity safety** (PURL vs explicit-key), **evidence locator precision**, **container layer/rootfs discovery**, and **no host-path leakage**.
- Produce hard evidence for each analyzer: deterministic fixtures + golden outputs, plus docs (and optional benches where perf risk exists).
- **Working directory:** `src/Scanner` (implementation occurs under `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.*` and `src/Scanner/__Tests/*`; this sprint is the coordination source-of-truth spanning multiple analyzer folders).
## Dependencies & Concurrency
- Language sprints (source-of-truth for per-analyzer detail):
- Java: `docs/implplan/SPRINT_0403_0001_0001_scanner_java_detection_gaps.md`
- .NET: `docs/implplan/SPRINT_0404_0001_0001_scanner_dotnet_detection_gaps.md`
- Python: `docs/implplan/SPRINT_0405_0001_0001_scanner_python_detection_gaps.md`
- Node: `docs/implplan/SPRINT_0406_0001_0001_scanner_node_detection_gaps.md`
- Bun: `docs/implplan/SPRINT_0407_0001_0001_scanner_bun_detection_gaps.md`
- Concurrency model:
- Language implementations may proceed in parallel once cross-analyzer “contract” decisions are frozen (Actions 13).
- Avoid shared mutable state changes across analyzers; keep deterministic ordering; do not introduce network fetches.
## Documentation Prerequisites
- `docs/modules/scanner/architecture.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `src/Scanner/AGENTS.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/AGENTS.md`
- Per-analyzer charters (must exist before implementation flips to DOING):
- Java: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/AGENTS.md`
- .NET: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/AGENTS.md`
- Python: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/AGENTS.md`
- Node: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/AGENTS.md`
- **Missing today:** `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/AGENTS.md` (Action 4)
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SCAN-PROG-408-001 | TODO | Requires Action 1. | Scanner Guild + Security Guild + Export/UI/CLI Consumers | **Freeze cross-analyzer identity safety contract**: define a single, documented rule-set for when an analyzer emits (a) a concrete PURL and (b) an explicit-key component. Must cover: version ranges/tags, local paths, workspace/link/file deps, git deps, and “unknown” versions. Output: a canonical doc under `docs/modules/scanner/` (path chosen in Action 1) + per-analyzer unit tests asserting “no invalid PURLs” for declared-only / non-concrete inputs. |
| 2 | SCAN-PROG-408-002 | TODO | Requires Action 2. | Scanner Guild + Export/UI/CLI Consumers | **Freeze cross-analyzer evidence locator contract**: define deterministic locator formats for (a) lockfile entries, (b) nested artifacts (e.g., Java “outer!inner!path”), and (c) derived evidence records. Output: canonical doc + at least one golden fixture per analyzer asserting exact locator strings and bounded evidence sizes. |
| 3 | SCAN-PROG-408-003 | TODO | Requires Action 3. | Scanner Guild | **Freeze container layout discovery contract**: define which analyzers must discover projects under `layers/`, `.layers/`, and `layer*/` layouts, how ordering/whiteouts are handled (where applicable), and bounds (depth/roots/files). Output: canonical doc + fixtures proving parity for Node/Bun/Python (and any Java/.NET container behaviors where relevant). |
| 4 | SCAN-PROG-408-004 | TODO | None. | Project Mgmt + Scanner Guild | **Create missing Bun analyzer charter**: add `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/AGENTS.md` synthesizing constraints from `docs/modules/scanner/architecture.md` and this sprint + `SPRINT_0407_0001_0001_scanner_bun_detection_gaps.md`. Must include: allowed directories, test strategy, determinism rules, identity/evidence conventions, and “no absolute paths” requirement. |
| 5 | SCAN-PROG-408-JAVA | TODO | Actions 12 recommended before emission format changes. | Java Analyzer Guild + QA Guild | **Implement all Java gaps** per `docs/implplan/SPRINT_0403_0001_0001_scanner_java_detection_gaps.md`: (a) embedded libs inside fat archives without extraction, (b) `pom.xml` fallback when properties missing, (c) multi-module Gradle lock discovery + deterministic precedence, (d) runtime image component emission from `release`, (e) replace JNI string scanning with bytecode-based JNI analysis. Acceptance: Java analyzer tests + new fixtures/goldens; bounded scanning with explicit skipped markers. |
| 6 | SCAN-PROG-408-DOTNET | TODO | Actions 12 recommended before adding declared-only identities. | .NET Analyzer Guild + QA Guild | **Implement all .NET gaps** per `docs/implplan/SPRINT_0404_0001_0001_scanner_dotnet_detection_gaps.md`: (a) declared-only fallback when no deps.json, (b) non-colliding identity for unresolved versions, (c) deterministic merge of declared vs installed packages, (d) bounded bundling signals, (e) optional declared edges provenance, (f) fixtures/docs (and optional bench). Acceptance: `.NET` analyzer emits components for source trees with lock/build files; no restore/MSBuild execution; deterministic outputs. |
| 7 | SCAN-PROG-408-PYTHON | TODO | Actions 13 recommended before overlay/identity changes. | Python Analyzer Guild + QA Guild | **Implement all Python gaps** per `docs/implplan/SPRINT_0405_0001_0001_scanner_python_detection_gaps.md`: (a) layout-aware discovery (avoid “any dist-info anywhere”), (b) expanded lock/requirements parsing (includes/editables/PEP508/direct refs), (c) correct container overlay/whiteout semantics (or explicit overlayIncomplete markers), (d) vendored dependency surfacing with safe identity rules, (e) optional used-by signals (bounded/opt-in), (f) fixtures/docs/bench. Acceptance: deterministic fixtures for lock formats and container overlays; no invalid “editable-as-version” PURLs per Action 1. |
| 8 | SCAN-PROG-408-NODE | TODO | Actions 13 recommended before declared-only emission + locators. | Node Analyzer Guild + QA Guild | **Implement all Node gaps** per `docs/implplan/SPRINT_0406_0001_0001_scanner_node_detection_gaps.md`: (a) emit declared-only components safely (no range-as-version PURLs), (b) multi-version lock fidelity `(name@version)` mapping, (c) Yarn Berry lock support, (d) pnpm schema hardening, (e) correct nested node_modules name extraction, (f) workspace glob bounds + container app-root detection parity, (g) bounded import evidence + consistent package.json hashing, (h) docs/bench. Acceptance: fixtures cover multi-version locks and Yarn v3; determinism tests prove stable ordering and locator strings. |
| 9 | SCAN-PROG-408-BUN | TODO | Actions 13 recommended before identity/scope changes. | Bun Analyzer Guild + QA Guild | **Implement all Bun gaps** per `docs/implplan/SPRINT_0407_0001_0001_scanner_bun_detection_gaps.md`: (a) discover projects under container layer layouts and do not skip `.layers`, (b) declared-only fallback for bunfig-only/no-lock/no-install, (c) bun.lock v1 graph-based dev/optional/peer classification and meaningful includeDev filtering, (d) version-specific patch mapping with relative paths only, (e) stronger evidence locators + bounded hashing, (f) identity safety for non-npm sources. Acceptance: new fixtures (`container-layers`, `bunfig-only`, `patched-multi-version`, dev-classification) + updated goldens; no absolute path leakage. |
| 10 | SCAN-PROG-408-INTEG-001 | TODO | After tasks 59 land. | QA Guild + Scanner Guild | **Integration determinism gate**: run the full language analyzer test matrix (Java/.NET/Python/Node/Bun) and add/adjust determinism tests so ordering, evidence locators, and identity rules remain stable. Any “skipped” work due to bounds must be explicit and deterministic (no silent drops). |
| 11 | SCAN-PROG-408-DOCS-001 | TODO | After Actions 13 are frozen. | Docs Guild + Scanner Guild | **Update scanner docs with final contracts**: link the per-language analyzer contract docs and this sprint from `docs/modules/scanner/architecture.md` (or the closest canonical scanner doc). Must include: identity rules, evidence locator rules, container layout handling, and bounded scanning policy. |
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| A: Contracts | Scanner Guild + Security Guild + Consumers | Actions 13 | TODO | Freeze identity/evidence/container contracts first to avoid rework. |
| B: Language Implementation | Analyzer Guilds + QA Guild | Wave A recommended | TODO | Java/.NET/Python/Node/Bun run in parallel once contracts are stable. |
| C: Integration & Docs | QA Guild + Docs Guild | Wave B | TODO | Determinism gates + contract documentation. |
## Wave Detail Snapshots
- **Wave A:** Single cross-analyzer contract for identity, evidence locators, and container layout discovery (with tests).
- **Wave B:** Implement each analyzer sprints tasks with fixtures + deterministic goldens.
- **Wave C:** End-to-end test pass + documented analyzer promises and limitations.
## Interlocks
- **No invalid PURLs:** declared-only/range/git/file/link/workspace deps must not become “fake versions”; explicit-key is required when version is not concrete. (Action 1)
- **Locator stability:** evidence locators are external-facing (export/UI/CLI); changes must be deliberate, documented, and golden-tested. (Action 2)
- **Container bounds:** layer-root discovery and overlay semantics must remain bounded and auditable (skipped markers) to stay safe on untrusted inputs. (Action 3)
- **No absolute paths:** metadata/evidence must be project-relative; no host path leakage (patch discovery and symlink realpaths are common pitfalls).
## Upcoming Checkpoints
- 2025-12-13: Freeze Actions 13 (contracts) and Action 4 (Bun AGENTS).
- 2025-12-16: Java + .NET waves reach “fixtures passing” milestone.
- 2025-12-18: Python + Node waves reach “fixtures passing” milestone.
- 2025-12-20: Bun wave reaches “fixtures passing” milestone; all language sprints ready for integration run.
- 2025-12-22: Integration determinism gate + docs complete; sprint ready for DONE review.
## Action Tracker
| # | Action | Owner | Due (UTC) | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | Choose canonical doc path + define explicit-key identity recipe across analyzers. | Project Mgmt + Scanner Guild + Security Guild | 2025-12-13 | Open | Must prevent collisions with concrete PURLs; must be OS-path stable and deterministic. |
| 2 | Define evidence locator formats (lock entries, nested artifacts, derived evidence) and required hashing rules/bounds. | Project Mgmt + Scanner Guild + Export/UI/CLI Consumers | 2025-12-13 | Open | Must be parseable and stable; add golden fixtures asserting exact strings. |
| 3 | Define container layer/rootfs discovery + overlay semantics contract and bounds. | Project Mgmt + Scanner Guild | 2025-12-13 | Open | Align Node/Bun/Python; clarify when overlayIncomplete markers are required. |
| 4 | Create `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/AGENTS.md` and link it from Bun sprint prerequisites. | Project Mgmt | 2025-12-13 | Open | Required before Bun implementation tasks can flip to DOING. |
## Decisions & Risks
- **Decision (pending):** cross-analyzer identity/evidence/container contracts (Actions 13).
| Risk ID | Risk | Impact | Likelihood | Mitigation | Owner | Trigger / Signal |
| --- | --- | --- | --- | --- | --- | --- |
| R1 | Identity mistakes cause false vulnerability matches. | High | Medium | Explicit-key for non-concrete versions; fixtures asserting no invalid PURLs; docs. | Security Guild + Scanner Guild | Vuln-match spike; PURL validation failures downstream. |
| R2 | Evidence locator churn breaks export/UI/CLI consumers. | High | Medium | Freeze locator formats up-front; golden fixtures; doc contract; version if needed. | Scanner Guild + Consumers | Consumer parse failures; UI rendering regressions. |
| R3 | Container scanning becomes a perf trap on untrusted roots. | High | Medium | Bounds (depth/roots/files/size); deterministic skipping markers; optional benches. | Scanner Guild + Bench Guild | CI timeouts; high CPU scans. |
| R4 | Non-determinism appears via filesystem order or parser tolerance. | Medium | Medium | Stable sorting; deterministic maps; golden fixtures on Windows/Linux. | QA Guild | Flaky tests; differing outputs across agents. |
| R5 | Absolute path leakage appears in metadata/evidence. | Medium | Medium | Enforce project-relative normalization; add tests that fail if absolute paths detected. | Scanner Guild | Golden diffs with host-specific paths. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-12 | Program sprint created to coordinate implementation of all language analyzer detection gaps (Java/.NET/Python/Node/Bun) with shared contracts and acceptance evidence. | Project Mgmt |

3
docs/implplan/SPRINT_3410_0001_0001_mongodb_final_removal.md
View File

@@ -21,7 +21,7 @@
### T10.1: Concelier Module (Highest Priority - ~80+ files)
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | MR-T10.1.1 | BLOCKED (2025-12-12) | Await Postgres/in-memory fixture to replace MongoIntegrationFixture; Concelier storage still Mongo-centric | Concelier Guild | Remove MongoDB imports from `Concelier.Testing/MongoIntegrationFixture.cs` - convert to Postgres fixture |
| 1 | MR-T10.1.1 | DOING (2025-12-12) | Replace MongoIntegrationFixture with Postgres fixture; remove global Mongo2Go/MongoDB.Driver test infra | Concelier Guild | Remove MongoDB imports from `Concelier.Testing/MongoIntegrationFixture.cs` - convert to Postgres fixture |
| 2 | MR-T10.1.2 | BLOCKED (2025-12-12) | MR-T10.1.1 | Concelier Guild | Remove MongoDB from `Concelier.WebService.Tests` (~22 occurrences) |
| 3 | MR-T10.1.3 | BLOCKED (2025-12-12) | MR-T10.1.1 | Concelier Guild | Remove MongoDB from all connector tests (~40+ test files) |
| 4 | MR-T10.1.4 | BLOCKED (2025-12-12) | MR-T10.1.3 | Concelier Guild | Remove `Concelier.Models/MongoCompat/*.cs` shim files |
@@ -210,6 +210,7 @@ Scanner.Storage now runs on PostgreSQL with migrations and DI wiring; MongoDB im
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-12 | Started MR-T10.1.1: converting Concelier test fixture infrastructure off Mongo2Go/MongoDB.* and onto Postgres/Testcontainers or in-memory. | Concelier Guild |
| 2025-12-12 | Scanner.Storage Postgres migrations fixed (UTC defaults), migration runner now fails fast on errors, and Scanner.Storage.Tests pass with Docker-backed Postgres; supersedes earlier T10.4 blocked notes. | Scanner Guild |
| 2025-12-12 | Scanner.Storage migrated to PostgreSQL: added schema/migrations, rewired DI, removed Mongo bootstrapper/shims; storage + web service tests updated (skipped when Docker unavailable). T10.4.x moved to DONE. | Scanner Guild |
| 2025-12-12 | T10.4.x still blocked: PostgreSQL-backed `StellaOps.Scanner.Storage` schema/repos/DI not yet designed; in-memory Mongo stub only keeps build green and provides no durability. Need schema/adapter plan before continuing. | Scanner Guild |

125
docs/implplan/tasks-all.md
View File

@@ -473,8 +473,8 @@
| CONSOLE-23-005 | TODO | | SPRINT_0212_0001_0001_web_i | Console Guild | src/Web/StellaOps.Web | Depends on #5 | Depends on #5 | CCSL0101 |
| CONSOLE-OBS-52-001 | TODO | | SPRINT_303_docs_tasks_md_iii | Console Ops Guild | docs/modules/ui | Needs TLTY0101 metrics | Needs TLTY0101 metrics | CCSL0101 |
| CONSOLE-OBS-52-002 | TODO | | SPRINT_303_docs_tasks_md_iii | Console Ops Guild | docs/modules/ui | Depends on #7 | Depends on #7 | CCSL0101 |
| CONSOLE-VEX-30-001 | BLOCKED (2025-12-04) | 2025-12-04 | SPRINT_0212_0001_0001_web_i | Console Guild + VEX Lens Guild | src/Web/StellaOps.Web | Provide `/console/vex/*` APIs streaming VEX statements, justification summaries, and advisory links with SSE refresh hooks. Dependencies: WEB-CONSOLE-23-001 (done 2025-11-28), EXCITITOR-CONSOLE-23-001 (done 2025-11-23); awaiting VEX Lens spec PLVL0103 and SSE envelope validation from Scheduler/Signals alignment. | Needs VEX Lens spec (PLVL0103) | CCSL0101 |
| CONSOLE-VULN-29-001 | BLOCKED (2025-12-04) | 2025-12-04 | SPRINT_0212_0001_0001_web_i | Console Guild | src/Web/StellaOps.Web | Build `/console/vuln/*` APIs and filters surfacing tenant-scoped findings with policy/VEX badges so Docs/UI teams can document workflows. Dependencies: WEB-CONSOLE-23-001 (done 2025-11-28); waiting on Concelier graph schema snapshot from 2025-12-03 freeze review. | Depends on CCWO0101 | CCSL0101 |
| CONSOLE-VEX-30-001 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0212_0001_0001_web_i | Console Guild + VEX Lens Guild | src/Web/StellaOps.Web | Client/models for `/console/vex/*` workspace incl. `/console/vex/events` SSE streaming and deterministic schema validation. | | CCSL0101 |
| CONSOLE-VULN-29-001 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0212_0001_0001_web_i | Console Guild | src/Web/StellaOps.Web | Client/models for `/console/vuln/*` workspace (findings, facets, detail, tickets) with deterministic filters and fixtures. | | CCSL0101 |
| CONTAINERS-44-001 | DONE | 2025-11-18 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild | src/Web/StellaOps.Web | Wait for DVCP0101 compose template | Wait for DVCP0101 compose template | COWB0101 |
| CONTAINERS-45-001 | DONE | 2025-11-19 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild | src/Web/StellaOps.Web | Depends on #1 | Depends on #1 | COWB0101 |
| CONTAINERS-46-001 | DONE | 2025-11-19 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild | src/Web/StellaOps.Web | Needs RBRE0101 hashes | Needs RBRE0101 hashes | COWB0101 |
@@ -1191,8 +1191,8 @@
| MIRROR-CRT-58-002 | DOING | 2025-12-07 | SPRINT_0506_0001_0001_ops_devops_iv | Mirror Creator Guild + CLI Guild + Exporter Guild | src/Mirror/StellaOps.Mirror.Creator | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001 | MIRROR-CRT-56-001; EXPORT-OBS-54-001; CLI-AIRGAP-56-001; dev key: tools/cosign/cosign.dev.key (pw stellaops-dev); prod: MIRROR_SIGN_KEY_B64 | ATMI0101 |
| MTLS-11-002 | DONE | 2025-11-08 | SPRINT_100_identity_signing | Authority Core & Security Guild | src/Authority/StellaOps.Authority | Refresh grants enforce original client cert, tokens persist `x5t#S256` metadata, docs updated. | AUTH-DPOP-11-001 | AUIN0102 |
| NATIVE-401-015 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Scanner Worker Guild | `src/Scanner/__Libraries/StellaOps.Scanner.Symbols.Native`, `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph.Native` | Bootstrap Symbols.Native + CallGraph.Native scaffolding and coverage fixtures. | Needs replay requirements from DORR0101 | SCNA0101 |
| NOTIFY-38-001 | TODO | | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Route approval/rule APIs through Web gateway with tenant scopes. | Wait for NOTY0103 approval payload schema | NOWB0101 |
| NOTIFY-39-001 | TODO | | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Surface digest/simulation/quiet-hour controls in Web tier. | Needs correlation outputs from NOTY0105 | NOWB0101 |
| NOTIFY-38-001 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Route approval/rule APIs through Web gateway with tenant scopes (superseded by WEB-NOTIFY-38-001). | Superseded by WEB-NOTIFY-38-001 (DONE 2025-12-11) | NOWB0101 |
| NOTIFY-39-001 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Surface digest/simulation/quiet-hour controls in Web tier (superseded by WEB-NOTIFY-39-001). | Superseded by WEB-NOTIFY-39-001 (DONE 2025-12-11) | NOWB0101 |
| NOTIFY-40-001 | TODO | | SPRINT_0202_0001_0002_cli_ii | DevEx/CLI Guild | src/Cli/StellaOps.Cli | Implement escalations + ack workflows, localization previews, and channel health checks. | NOTIFY-39-001 | NOWC0101 |
| NOTIFY-AIRGAP-56-002 | DONE | | SPRINT_0170_0001_0001_notifications_telemetry | Notifications Service Guild + DevOps Guild | src/Notify/StellaOps.Notify | Ship AirGap-ready notifier bundles (Helm overlays, secrets templates, rollout guide). | MIRROR-CRT-56-001 | NOIA0101 |
| NOTIFY-ATTEST-74-001 | DOING | | SPRINT_0170_0001_0001_notifications_telemetry | Notifications Service Guild + Attestor Service Guild | src/Notify/StellaOps.Notify | Create attestor-driven notification templates + schema docs; publish in `/docs/notifications/templates.md`. | ATEL0101 | NOIA0101 |
@@ -1999,13 +1999,13 @@
| UI-POLICY-23-004 | DONE | 2025-12-05 | SPRINT_0210_0001_0002_ui_ii | UI Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add review/approval workflow UI: checklists, comments, two-person approval indicator, scope scheduling. Dependencies: UI-POLICY-23-003. | | |
| UI-POLICY-23-005 | DONE | 2025-12-05 | SPRINT_0210_0001_0002_ui_ii | UI Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Integrate simulator panel (SBOM/component/advisory selection), run diff vs active policy, show explain tree and overlays. Dependencies: UI-POLICY-23-004. | | |
| UI-POLICY-23-006 | DONE | 2025-12-05 | SPRINT_0210_0001_0002_ui_ii | UI Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Implement explain view linking to evidence overlays and exceptions; provide export to JSON/PDF. Dependencies: UI-POLICY-23-005. | | |
| UI-POLICY-27-001 | DOING | 2025-12-06 | SPRINT_0211_0001_0003_ui_iii | UI Guild, Product Ops (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Update Console policy workspace RBAC guards, scope requests, and user messaging to reflect the new Policy Studio roles/scopes (`policy:author/review/approve/operate/audit/simulate`), including Cypress auth stubs and help text. Dependencies: UI-POLICY-23-006. | | |
| UI-POLICY-27-001 | DONE (2025-12-12) | 2025-12-12 | SPRINT_0211_0001_0003_ui_iii | UI Guild, Product Ops (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Update Console policy workspace RBAC guards, scope requests, and user messaging to reflect the new Policy Studio roles/scopes (`policy:author/review/approve/operate/audit/simulate`), including Cypress auth stubs and help text. Dependencies: UI-POLICY-23-006. | | |
| UI-POLICY-DET-01 | DONE | 2025-11-27 | SPRINT_0209_0001_0001_ui_i | UI Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Wire policy gate indicators + remediation hints into Release/Policy flows, blocking publishes when determinism checks fail; coordinate with Policy Engine schema updates. Dependencies: UI-SBOM-DET-01. | | |
| UI-SBOM-DET-01 | DONE | 2025-11-27 | SPRINT_0209_0001_0001_ui_i | UI Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add a "Determinism" badge plus drill-down that surfaces fragment hashes, `_composition.json`, and Merkle root consistency when viewing scan details (per `docs/modules/scanner/deterministic-sbom-compose.md`). | | |
| UI-SIG-26-001 | BLOCKED | 2025-12-06 | SPRINT_0211_0001_0003_ui_iii | UI Guild, Signals Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add reachability columns/badges to Vulnerability Explorer with filters and tooltips. | | Blocked: deterministic reachability fixtures (columns/badges) not delivered by Signals/Graph. |
| UI-SIG-26-002 | BLOCKED | 2025-12-06 | SPRINT_0211_0001_0003_ui_iii | UI Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Enhance “Why” drawer with call path visualization, reachability timeline, and evidence list. Dependencies: UI-SIG-26-001. | | Blocked pending UI-SIG-26-001 outputs and call-path/timeline fixtures. |
| UI-SIG-26-003 | BLOCKED | 2025-12-06 | SPRINT_0211_0001_0003_ui_iii | UI Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add reachability overlay halos/time slider to SBOM Graph along with state legend. Dependencies: UI-SIG-26-002. | | Blocked: overlays depend on upstream fixtures + perf budget. |
| UI-SIG-26-004 | BLOCKED | 2025-12-06 | SPRINT_0211_0001_0003_ui_iii | UI Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Build Reachability Center view showing asset coverage, missing sensors, and stale facts. Dependencies: UI-SIG-26-003. | | Blocked: coverage/sensor fixtures not available; upstream chain blocked. |
| UI-SIG-26-001 | DONE (2025-12-12) | 2025-12-12 | SPRINT_0211_0001_0003_ui_iii | UI Guild, Signals Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add reachability columns/badges to Vulnerability Explorer with filters and tooltips. | | |
| UI-SIG-26-002 | DONE (2025-12-12) | 2025-12-12 | SPRINT_0211_0001_0003_ui_iii | UI Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Enhance “Why” drawer with call path visualization, reachability timeline, and evidence list. Dependencies: UI-SIG-26-001. | | |
| UI-SIG-26-003 | DONE (2025-12-12) | 2025-12-12 | SPRINT_0211_0001_0003_ui_iii | UI Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add reachability overlay halos/time slider to SBOM Graph along with state legend. Dependencies: UI-SIG-26-002. | | |
| UI-SIG-26-004 | DONE (2025-12-12) | 2025-12-12 | SPRINT_0211_0001_0003_ui_iii | UI Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Build Reachability Center view showing asset coverage, missing sensors, and stale facts. Dependencies: UI-SIG-26-003. | | |
| UNCERTAINTY-POLICY-401-026 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Policy Guild + Concelier Guild (`docs/policy/dsl.md`, `docs/uncertainty/README.md`) | `docs/policy/dsl.md`, `docs/uncertainty/README.md` | Update policy guidance (Concelier/Excitors) with uncertainty gates (U1/U2/U3), sample YAML rules, and remediation actions. | | |
| UNCERTAINTY-SCHEMA-401-024 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Signals Guild (`src/Signals/StellaOps.Signals`, `docs/uncertainty/README.md`) | `src/Signals/StellaOps.Signals`, `docs/uncertainty/README.md` | Extend Signals findings with `uncertainty.states[]`, entropy fields, and `riskScore`; emit `FindingUncertaintyUpdated` events and persist evidence per docs. | | |
| UNCERTAINTY-SCORER-401-025 | TODO | | SPRINT_0401_0001_0001_reachability_evidence_chain | Signals Guild (`src/Signals/StellaOps.Signals.Application`, `docs/uncertainty/README.md`) | `src/Signals/StellaOps.Signals.Application`, `docs/uncertainty/README.md` | Implement the entropy-aware risk scorer (`riskScore = base × reach × trust × (1 + entropyBoost)`) and wire it into finding writes. | | |
@@ -2081,9 +2081,9 @@
| VULNERABILITY-EXPLORER-ENG-0001 | TODO | | SPRINT_334_docs_modules_vuln_explorer | Module Team (docs/modules/vuln-explorer) | docs/modules/vuln-explorer | Keep sprint alignment notes in sync with Vuln Explorer sprints. | | |
| VULNERABILITY-EXPLORER-OPS-0001 | TODO | | SPRINT_334_docs_modules_vuln_explorer | Ops Guild (docs/modules/vuln-explorer) | docs/modules/vuln-explorer | Review runbooks/observability assets after next demo. | | |
| WEB-20-002 | TODO | | SPRINT_0155_0001_0001_scheduler_i | Scheduler WebService Guild (src/Scheduler/StellaOps.Scheduler.WebService) | src/Scheduler/StellaOps.Scheduler.WebService | | | |
| WEB-AIAI-31-001 | TODO | | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Route `/advisory/ai/*` endpoints through gateway with RBAC/ABAC, rate limits, and telemetry headers. | | |
| WEB-AIAI-31-002 | TODO | | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Provide batching job handlers and streaming responses for CLI automation with retry/backoff. Dependencies: WEB-AIAI-31-001. | | |
| WEB-AIAI-31-003 | TODO | | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild, Observability Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Emit metrics/logs (latency, guardrail blocks, validation failures) and forward anonymized prompt hashes to analytics. Dependencies: WEB-AIAI-31-002. | | |
| WEB-AIAI-31-001 | DONE (2025-12-12) | 2025-12-12 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Route `/advisory/ai/*` endpoints through gateway with RBAC/ABAC, rate limits, and telemetry headers. | | |
| WEB-AIAI-31-002 | DONE (2025-12-12) | 2025-12-12 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Provide batching job handlers and streaming responses for CLI automation with retry/backoff. Dependencies: WEB-AIAI-31-001. | | |
| WEB-AIAI-31-003 | DONE (2025-12-12) | 2025-12-12 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild, Observability Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Emit metrics/logs (latency, guardrail blocks, validation failures) and forward anonymized prompt hashes to analytics. Dependencies: WEB-AIAI-31-002. | | |
| WEB-AIRGAP-56-001 | TODO | | SPRINT_116_concelier_v | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService | | | |
| WEB-AIRGAP-56-002 | TODO | | SPRINT_116_concelier_v | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService | | | |
| WEB-AIRGAP-57-001 | TODO | | SPRINT_116_concelier_v | Concelier WebService Guild, AirGap Policy Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService | | | |
@@ -2095,60 +2095,59 @@
| WEB-AOC-19-006 | TODO | 2025-11-08 | SPRINT_116_concelier_v | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService | | | |
| WEB-AOC-19-007 | TODO | 2025-11-08 | SPRINT_116_concelier_v | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService | | | |
| WEB-CONSOLE-23-001 | DONE (2025-11-28) | 2025-11-28 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild + Product Analytics Guild | src/Web/StellaOps.Web | `/console/dashboard` and `/console/filters` aggregates shipped with tenant scoping, deterministic ordering, and 8 unit tests per sprint Execution Log 2025-11-28. | — | |
| WEB-CONSOLE-23-002 | DOING (2025-12-01) | 2025-12-01 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild + Scheduler Guild | src/Web/StellaOps.Web | Implementing `/console/status` polling and `/console/runs/{id}/stream` SSE/WebSocket proxy with heartbeat/backoff; awaiting storage cleanup to run tests. Dependencies: WEB-CONSOLE-23-001. | WEB-CONSOLE-23-001 | |
| WEB-CONSOLE-23-003 | DOING | 2025-12-06 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add `/console/exports` POST/GET routes coordinating evidence bundle creation, streaming CSV/JSON exports, checksum manifest retrieval, and signed attestation references. Ensure requests honor tenant + policy scopes and expose job tracking metadata. Dependencies: WEB-CONSOLE-23-002. | | Client/models/store/service + unit specs passing (6/6) via Playwright Chromium headless (`CHROME_BIN=C:\Users\vlindos\AppData\Local\ms-playwright\chromium-1194\chrome-win\chrome.exe STELLAOPS_CHROMIUM_BIN=%CHROME_BIN% NG_PERSISTENT_BUILD_CACHE=1 node ./node_modules/@angular/cli/bin/ng.js test --watch=false --browsers=ChromeHeadlessOffline --progress=false --include src/app/core/api/console-export.client.spec.ts --include src/app/core/console/console-export.store.spec.ts --include src/app/core/console/console-export.service.spec.ts`). Contract still draft; backend wiring pending. |
| WEB-CONSOLE-23-004 | BLOCKED | 2025-12-06 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Implement `/console/search` endpoint accepting CVE/GHSA/PURL/SBOM identifiers, performing fan-out queries with caching, ranking, and deterministic tie-breaking. Return typed results for Console navigation; respect result caps and latency SLOs. Dependencies: WEB-CONSOLE-23-003. | | Still blocked pending contract; draft caching/ranking spec published in `docs/api/console/search-downloads.md` for review. |
| WEB-CONSOLE-23-005 | BLOCKED | 2025-12-06 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild, DevOps Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Serve `/console/downloads` JSON manifest (images, charts, offline bundles) sourced from signed registry metadata; include integrity hashes, release notes links, and offline instructions. Provide caching headers and documentation. Dependencies: WEB-CONSOLE-23-004. | | Still blocked pending contract; draft manifest example added at `docs/api/console/samples/console-download-manifest.json` (awaiting sign-off). |
| WEB-CONSOLE-23-002 | DONE (2025-12-04) | 2025-12-04 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild + Scheduler Guild | src/Web/StellaOps.Web | Implementing `/console/status` polling and `/console/runs/{id}/stream` SSE/WebSocket proxy with heartbeat/backoff; awaiting storage cleanup to run tests. Dependencies: WEB-CONSOLE-23-001. | WEB-CONSOLE-23-001 | |
| WEB-CONSOLE-23-003 | DONE (2025-12-07) | 2025-12-07 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add `/console/exports` POST/GET routes coordinating evidence bundle creation, streaming CSV/JSON exports, checksum manifest retrieval, and signed attestation references. Ensure requests honor tenant + policy scopes and expose job tracking metadata. Dependencies: WEB-CONSOLE-23-002. | | Client/models/store/service + unit specs passing (6/6) via Playwright Chromium headless (`CHROME_BIN=C:\Users\vlindos\AppData\Local\ms-playwright\chromium-1194\chrome-win\chrome.exe STELLAOPS_CHROMIUM_BIN=%CHROME_BIN% NG_PERSISTENT_BUILD_CACHE=1 node ./node_modules/@angular/cli/bin/ng.js test --watch=false --browsers=ChromeHeadlessOffline --progress=false --include src/app/core/api/console-export.client.spec.ts --include src/app/core/console/console-export.store.spec.ts --include src/app/core/console/console-export.service.spec.ts`). Contract still draft; backend wiring pending. |
| WEB-CONSOLE-23-004 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Implement `/console/search` endpoint accepting CVE/GHSA/PURL/SBOM identifiers, performing fan-out queries with caching, ranking, and deterministic tie-breaking. Return typed results for Console navigation; respect result caps and latency SLOs. Dependencies: WEB-CONSOLE-23-003. | | Still blocked pending contract; draft caching/ranking spec published in `docs/api/console/search-downloads.md` for review. |
| WEB-CONSOLE-23-005 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild, DevOps Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Serve `/console/downloads` JSON manifest (images, charts, offline bundles) sourced from signed registry metadata; include integrity hashes, release notes links, and offline instructions. Provide caching headers and documentation. Dependencies: WEB-CONSOLE-23-004. | | Still blocked pending contract; draft manifest example added at `docs/api/console/samples/console-download-manifest.json` (awaiting sign-off). |
| WEB-CONTAINERS-44-001 | DONE | 2025-11-18 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose `/welcome` state, config discovery endpoint (safe values), and `QUICKSTART_MODE` handling for Console banner; add `/health/liveness`, `/health/readiness`, `/version` if missing. | | |
| WEB-CONTAINERS-45-001 | DONE | 2025-11-19 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Ensure readiness endpoints reflect DB/queue readiness, add feature flag toggles via config map, and document NetworkPolicy ports. Dependencies: WEB-CONTAINERS-44-001. | | |
| WEB-CONTAINERS-46-001 | DONE | 2025-11-19 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Provide offline-friendly asset serving (no CDN), allow overriding object store endpoints via env, and document fallback behavior. Dependencies: WEB-CONTAINERS-45-001. | | |
| WEB-EXC-25-001 | BLOCKED | 2025-12-06 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Implement `/exceptions` API (create, propose, approve, revoke, list, history) with validation, pagination, and audit logging. | | Draft placeholder docs+sample added (`docs/api/console/exception-schema.md`, `docs/api/console/samples/exception-schema-sample.json`); awaiting official schema/scopes/audit rules. |
| WEB-EXC-25-002 | BLOCKED | 2025-11-30 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Extend `/policy/effective` and `/policy/simulate` responses to include exception metadata and accept overrides for simulations. Dependencies: WEB-EXC-25-001. | | |
| WEB-EXC-25-003 | TODO | | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild, Platform Events Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Publish `exception.*` events, integrate with notification hooks, enforce rate limits. Dependencies: WEB-EXC-25-002. | | |
| WEB-EXPORT-35-001 | BLOCKED | 2025-12-07 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Surface Export Center APIs (profiles/runs/download) through gateway with tenant scoping, streaming support, and viewer/operator scope checks. | Gateway contract draft v0.9 in docs/api/gateway/export-center.md; waiting guild sign-off | |
| WEB-EXPORT-36-001 | BLOCKED | 2025-12-07 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add distribution routes (OCI/object storage), manifest/provenance proxies, and signed URL generation. Dependencies: WEB-EXPORT-35-001. | Blocked by 35-001; distro signing/limits pending same contract | |
| WEB-EXPORT-37-001 | BLOCKED | 2025-12-07 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose scheduling, retention, encryption parameters, and verification endpoints with admin scope enforcement and audit logs. Dependencies: WEB-EXPORT-36-001. | Blocked by 36-001; retention/encryption params not frozen | |
| WEB-GRAPH-21-001 | BLOCKED | 2025-10-27 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild, Graph Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add gateway routes for graph versions/viewport/node/path/diff/export endpoints with tenant enforcement, scope checks, and streaming responses; proxy Policy Engine diff toggles without inline logic. Adopt `StellaOpsScopes` constants for RBAC enforcement. | | |
| WEB-GRAPH-21-002 | BLOCKED | 2025-10-27 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Implement bbox/zoom/path parameter validation, pagination tokens, and deterministic ordering; add contract tests for boundary conditions. Dependencies: WEB-GRAPH-21-001. | | |
| WEB-GRAPH-21-003 | BLOCKED | 2025-10-27 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild, QA Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Map graph service errors to `ERR_Graph_*`, support GraphML/JSONL export streaming, and document rate limits. Dependencies: WEB-GRAPH-21-002. | | |
| WEB-GRAPH-21-004 | BLOCKED | 2025-10-27 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Proxy Policy Engine overlay responses for graph endpoints while keeping gateway stateless; maintain streaming budgets and latency SLOs. Dependencies: WEB-GRAPH-21-003. | | |
| WEB-GRAPH-24-001 | TODO | | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Gateway proxy for Graph API and Policy overlays with RBAC, caching, pagination, ETags, and streaming; zero business logic. Dependencies: WEB-GRAPH-21-004. | | |
| WEB-GRAPH-24-002 | TODO | | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild; SBOM Service Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | `/graph/assets/*` endpoints (snapshots, adjacency, search) with pagination, ETags, and tenant scoping as pure proxy. Dependencies: WEB-GRAPH-24-001. | | |
| WEB-GRAPH-24-003 | TODO | | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Embed AOC summaries from overlay services; gateway does not compute derived severity or hints. Dependencies: WEB-GRAPH-24-002. | | |
| WEB-GRAPH-24-004 | TODO | | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild; Observability Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Collect gateway metrics/logs (tile latency, proxy errors, overlay cache stats) and forward to dashboards; document sampling strategy. Dependencies: WEB-GRAPH-24-003. | | |
| WEB-LNM-21-001 | TODO | | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild, Concelier WebService Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Surface new `/advisories/*` APIs through gateway with caching, pagination, and RBAC enforcement (`advisory:read`). | | |
| WEB-LNM-21-002 | TODO | | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild, Excititor WebService Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose `/vex/*` read APIs with evidence routes and export handlers; map `ERR_AGG_*` codes. Dependencies: WEB-LNM-21-001. | | |
| WEB-LNM-21-003 | TODO | | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Provide combined endpoint for Console to fetch policy result + source evidence (advisory + VEX linksets) for a component. Dependencies: WEB-LNM-21-002. | | |
| WEB-NOTIFY-38-001 | TODO | | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Route notifier APIs (`/notifications/*`) and WS feed through gateway with tenant scoping, viewer/operator scope enforcement, and SSE/WebSocket bridging. | Depends on #1 for signed ack spec | NOWB0101 |
| WEB-NOTIFY-39-001 | TODO | | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild | src/Web/StellaOps.Web | Surface digest scheduling, quiet-hour/throttle management, and simulation APIs; ensure rate limits and audit logging. Dependencies: WEB-NOTIFY-38-001. | WEB-NOTIFY-38-001 | NOWB0101 |
| WEB-NOTIFY-40-001 | TODO | | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose escalation, localization, channel health, and ack verification endpoints with admin scope enforcement and signed token validation. Dependencies: WEB-NOTIFY-39-001. | | |
| WEB-OAS-61-001 | TODO | | SPRINT_0124_0001_0006_excititor_vi | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService) | src/Excititor/StellaOps.Excititor.WebService | | | |
| WEB-OAS-61-002 | TODO | | SPRINT_116_concelier_v | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService | | | |
| WEB-OAS-62-001 | TODO | | SPRINT_116_concelier_v | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService | | | |
| WEB-OAS-63-001 | TODO | | SPRINT_116_concelier_v | Concelier WebService Guild, API Governance Guild (src/Concelier/StellaOps.Concelier.WebService) | src/Concelier/StellaOps.Concelier.WebService | | | |
| WEB-OBS-50-001 | TODO | | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild, Observability Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Integrate `StellaOps.Telemetry.Core` into gateway host, replace ad-hoc logging, ensure all routes emit trace/span IDs, tenant context, and scrubbed payload previews. | | |
| WEB-OBS-51-001 | TODO | | SPRINT_116_concelier_v | Concelier WebService Guild | src/Concelier/StellaOps.Concelier.WebService | Paired with #1 for shared middleware | Paired with #1 for shared middleware | CNOB0102 |
| WEB-OBS-52-001 | TODO | | SPRINT_116_concelier_v | Concelier WebService Guild | src/Concelier/StellaOps.Concelier.WebService | Dependent on CLI/VEX readiness (035_CLCI0105) for payload format | Dependent on CLI/VEX readiness (035_CLCI0105) for payload format | CNOB0102 |
| WEB-OBS-53-001 | TODO | | SPRINT_117_concelier_vi | Concelier WebService Guild + Evidence Locker Guild | src/Concelier/StellaOps.Concelier.WebService | Needs Evidence Locker API spec from 002_ATEL0101 | Needs Evidence Locker API spec from 002_ATEL0101 | CNOB0102 |
| WEB-OBS-54-001 | TODO | | SPRINT_117_concelier_vi | Concelier WebService Guild | src/Concelier/StellaOps.Concelier.WebService | Relies on shared exporter (1039_EXPORT-OBS-54-001) | Relies on shared exporter (1039_EXPORT-OBS-54-001) | CNOB0102 |
| WEB-OBS-55-001 | TODO | | SPRINT_117_concelier_vi | Concelier WebService Guild + DevOps Guild | src/Concelier/StellaOps.Concelier.WebService | Wait for DevOps alert profiles (045_DVDO0103) | Wait for DevOps alert profiles (045_DVDO0103) | CNOB0102 |
| WEB-OBS-56-001 | TODO | | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild, AirGap Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Extend telemetry core integration to expose sealed/unsealed status APIs, drift metrics, and Console widgets without leaking sealed-mode secrets. Dependencies: WEB-OBS-55-001. | | |
| WEB-ORCH-32-001 | TODO | | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose `/orchestrator/sources | | |
| WEB-ORCH-33-001 | TODO | | SPRINT_0215_0001_0004_web_iv | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add POST action routes (`pause. Dependencies: WEB-ORCH-32-001. | | |
| WEB-ORCH-34-001 | TODO | | SPRINT_0215_0001_0004_web_iv | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Surface quotas/backfill APIs, queue/backpressure metrics, and error clustering routes with admin scope enforcement and audit logging. Dependencies: WEB-ORCH-33-001. | | |
| WEB-POLICY-20-001 | TODO | | SPRINT_0215_0001_0004_web_iv | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints with OpenAPI, tenant scoping, and service identity enforcement. | | |
| WEB-POLICY-20-002 | TODO | | SPRINT_0215_0001_0004_web_iv | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add pagination, filtering, sorting, and tenant guards to listings for policies, runs, and findings; include deterministic ordering and query diagnostics. Dependencies: WEB-POLICY-20-001. | | |
| WEB-POLICY-20-003 | TODO | | SPRINT_0215_0001_0004_web_iv | BE-Base Platform Guild, QA Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Map engine errors to `ERR_POL_*` responses with consistent payloads and contract tests; expose correlation IDs in headers. Dependencies: WEB-POLICY-20-002. | | |
| WEB-POLICY-20-004 | TODO | | SPRINT_0215_0001_0004_web_iv | Platform Reliability Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Introduce adaptive rate limiting + quotas for simulation endpoints, expose metrics, and document retry headers. Dependencies: WEB-POLICY-20-003. | | |
| WEB-POLICY-23-001 | BLOCKED | 2025-10-29 | SPRINT_0215_0001_0004_web_iv | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Implement API endpoints for creating/listing/fetching policy packs and revisions (`/policy/packs`, `/policy/packs/{id}/revisions`) with pagination, RBAC, and AOC metadata exposure. (Tracked via Sprint 18.5 gateway tasks.). Dependencies: WEB-POLICY-20-004. | | |
| WEB-POLICY-23-002 | BLOCKED | 2025-10-29 | SPRINT_0215_0001_0004_web_iv | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add activation endpoint with scope windows, conflict checks, and optional 2-person approval integration; emit events on success. (Tracked via Sprint 18.5 gateway tasks.). Dependencies: WEB-POLICY-23-001. | | |
| WEB-POLICY-23-003 | TODO | | SPRINT_0215_0001_0004_web_iv | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Provide `/policy/simulate` and `/policy/evaluate` endpoints with streaming responses, rate limiting, and error mapping. Dependencies: WEB-POLICY-23-002. | | |
| WEB-POLICY-23-004 | TODO | | SPRINT_0215_0001_0004_web_iv | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose explain history endpoints (`/policy/runs`, `/policy/runs/{id}`) including decision tree, sources consulted, and AOC chain. Dependencies: WEB-POLICY-23-003. | | |
| WEB-POLICY-27-001 | TODO | | SPRINT_0215_0001_0004_web_iv | BE-Base Platform Guild | src/Web/StellaOps.Web | Surface Policy Registry APIs (`/policy/workspaces`, `/policy/versions`, `/policy/reviews`, `/policy/registry`) through gateway with tenant scoping, RBAC, and request validation; ensure streaming downloads for evidence bundles. Dependencies: WEB-POLICY-23-004. | Needs registry schema | |
| WEB-POLICY-27-002 | TODO | | SPRINT_0215_0001_0004_web_iv | BE-Base Platform Guild | src/Web/StellaOps.Web | Implement review lifecycle endpoints (open, comment, approve/reject) with audit headers, comment pagination, and webhook fan-out. Dependencies: WEB-POLICY-27-001. | Depends on 27-001 | |
| WEB-POLICY-27-003 | TODO | | SPRINT_0215_0001_0004_web_iv | Platform Reliability Guild | src/Web/StellaOps.Web | Expose quick/batch simulation endpoints with SSE progress (`/policy/simulations/{runId}/stream`), cursor-based result pagination, and manifest download routes. Dependencies: WEB-POLICY-27-002. | Needs 27-002 | |
| WEB-POLICY-27-004 | TODO | | SPRINT_0215_0001_0004_web_iv | BE/Security Guild | src/Web/StellaOps.Web | Add publish/sign/promote/rollback endpoints with idempotent request IDs, canary parameters, and environment bindings; enforce scope checks and emit structured events. Dependencies: WEB-POLICY-27-003. | Depends on 27-003 | |
| WEB-POLICY-27-005 | TODO | | SPRINT_0215_0001_0004_web_iv | BE/Observability Guild | src/Web/StellaOps.Web | Instrument metrics/logs for compile latency, simulation queue depth, approval latency, promotion actions; expose aggregated dashboards and correlation IDs for Console. Dependencies: WEB-POLICY-27-004. | Needs 27-004 metrics | |
| WEB-EXC-25-001 | DONE (2025-12-12) | 2025-12-12 | SPRINT_0212_0001_0001_web_i | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Implement `/exceptions` API (create, propose, approve, revoke, list, history) with validation, pagination, and audit logging. | | Interim contract + sample updated (`docs/api/console/exception-schema.md`, `docs/api/console/samples/exception-schema-sample.json`) and web client shipped with unit tests. |
| WEB-EXC-25-002 | DONE | 2025-12-12 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Extend `/policy/effective` and `/policy/simulate` responses to include exception metadata and accept overrides for simulations. Dependencies: WEB-EXC-25-001. | | |
| WEB-EXC-25-003 | DONE | 2025-12-12 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild, Platform Events Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Publish `exception.*` events, integrate with notification hooks, enforce rate limits. Dependencies: WEB-EXC-25-002. | | |
| WEB-EXPORT-35-001 | DONE | 2025-12-11 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Surface Export Center APIs (profiles/runs/download) through gateway with tenant scoping, streaming support, and viewer/operator scope checks. | Gateway contract draft v0.9 in docs/api/gateway/export-center.md; waiting guild sign-off | |
| WEB-EXPORT-36-001 | DONE | 2025-12-11 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add distribution routes (OCI/object storage), manifest/provenance proxies, and signed URL generation. Dependencies: WEB-EXPORT-35-001. | Blocked by 35-001; distro signing/limits pending same contract | |
| WEB-EXPORT-37-001 | DONE | 2025-12-11 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose scheduling, retention, encryption parameters, and verification endpoints with admin scope enforcement and audit logs. Dependencies: WEB-EXPORT-36-001. | Blocked by 36-001; retention/encryption params not frozen | |
| WEB-GRAPH-21-001 | DONE | 2025-12-11 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild, Graph Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add gateway routes for graph versions/viewport/node/path/diff/export endpoints with tenant enforcement, scope checks, and streaming responses; proxy Policy Engine diff toggles without inline logic. Adopt `StellaOpsScopes` constants for RBAC enforcement. | | |
| WEB-GRAPH-21-002 | DONE | 2025-12-11 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Implement bbox/zoom/path parameter validation, pagination tokens, and deterministic ordering; add contract tests for boundary conditions. Dependencies: WEB-GRAPH-21-001. | | |
| WEB-GRAPH-21-003 | DONE | 2025-12-11 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild, QA Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Map graph service errors to `ERR_Graph_*`, support GraphML/JSONL export streaming, and document rate limits. Dependencies: WEB-GRAPH-21-002. | | |
| WEB-GRAPH-21-004 | DONE | 2025-12-11 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Proxy Policy Engine overlay responses for graph endpoints while keeping gateway stateless; maintain streaming budgets and latency SLOs. Dependencies: WEB-GRAPH-21-003. | | |
| WEB-GRAPH-24-001 | DONE | 2025-12-11 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web.StellaOps.Web) | src/Web.StellaOps.Web | Gateway proxy for Graph API and Policy overlays with RBAC, caching, pagination, ETags, and streaming; zero business logic. Dependencies: WEB-GRAPH-21-004. | | |
| WEB-GRAPH-24-002 | DONE | 2025-12-11 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild; SBOM Service Guild (src/Web.StellaOps.Web) | src/Web.StellaOps.Web | `/graph/assets/*` endpoints (snapshots, adjacency, search) with pagination, ETags, and tenant scoping as pure proxy. Dependencies: WEB-GRAPH-24-001. | | |
| WEB-GRAPH-24-003 | DONE | 2025-12-11 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild (src/Web.StellaOps.Web) | src/Web.StellaOps.Web | Embed AOC summaries from overlay services; gateway does not compute derived severity or hints. Dependencies: WEB-GRAPH-24-002. | | |
| WEB-GRAPH-24-004 | DONE | 2025-12-11 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild; Observability Guild (src/Web.StellaOps.Web) | src/Web.StellaOps.Web | Collect gateway metrics/logs (tile latency, proxy errors, overlay cache stats) and forward to dashboards; document sampling strategy. Dependencies: WEB-GRAPH-24-003. | | |
| WEB-LNM-21-001 | DONE | 2025-12-12 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild, Concelier WebService Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Surface new `/advisories/*` APIs through gateway with caching, pagination, and RBAC enforcement (`advisory:read`). | | |
| WEB-LNM-21-002 | DONE | 2025-12-12 | SPRINT_0213_0001_0002_web_ii | BE-Base Platform Guild, Excititor WebService Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose `/vex/*` read APIs with evidence routes and export handlers; map `ERR_AGG_*` codes. Dependencies: WEB-LNM-21-001. | | |
| WEB-LNM-21-003 | DONE | 2025-12-12 | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Provide combined endpoint for Console to fetch policy result + source evidence (advisory + VEX linksets) for a component. Dependencies: WEB-LNM-21-002. | WEB-LNM-21-002 | |
| WEB-NOTIFY-38-001 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Route notifier APIs (`/notifications/*`) and WS feed through gateway with tenant scoping, viewer/operator scope enforcement, and SSE/WebSocket bridging. | Depends on #1 for signed ack spec | NOWB0101 |
| WEB-NOTIFY-39-001 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Surface digest scheduling, quiet-hour/throttle management, and simulation APIs; ensure rate limits and audit logging. Dependencies: WEB-NOTIFY-38-001. | WEB-NOTIFY-38-001 | NOWB0101 |
| WEB-NOTIFY-40-001 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose escalation, localization, channel health, and ack verification endpoints with admin scope enforcement and signed token validation. Dependencies: WEB-NOTIFY-39-001. | WEB-NOTIFY-39-001 | |
| WEB-OAS-61-001 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Implement `GET /.well-known/openapi` returning gateway spec with version metadata, cache headers, and signed ETag. | | |
| WEB-OAS-61-002 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Standardize error envelope across gateway, update examples, and ensure telemetry logs include `error.code`. Dependencies: WEB-OAS-61-001. | WEB-OAS-61-001 | |
| WEB-OAS-62-001 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Align pagination/idempotency behaviors: normalize to cursor pagination, expose `Idempotency-Key` support, and document rate-limit headers. Dependencies: WEB-OAS-61-002. | WEB-OAS-61-002 | |
| WEB-OAS-63-001 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild, API Governance Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Implement gateway deprecation metadata: add deprecation headers, Sunset link emission, and observability metrics for deprecated routes. Dependencies: WEB-OAS-62-001. | WEB-OAS-62-001 | |
| WEB-OBS-50-001 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild, Observability Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Replace ad-hoc logging; ensure routes emit trace/span IDs, tenant context, and scrubbed payload previews. | | |
| WEB-OBS-51-001 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Implement `/obs/health` and `/obs/slo` aggregations pulling Prometheus/collector metrics with burn-rate signals and exemplar links for Console widgets. Dependencies: WEB-OBS-50-001. | WEB-OBS-50-001 | |
| WEB-OBS-52-001 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Deliver `/obs/trace/:id` and `/obs/logs` proxy endpoints with guardrails (time window limits, tenant scoping) forwarding to timeline indexer + log store with signed URLs. Dependencies: WEB-OBS-51-001. | WEB-OBS-51-001 | |
| WEB-OBS-54-001 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Provide `/evidence/*` and `/attestations/*` pass-through endpoints, enforce `timeline:read`, `evidence:read`, `attest:read` scopes, append provenance headers, and surface verification summaries. Dependencies: WEB-OBS-52-001. | WEB-OBS-52-001 | |
| WEB-OBS-55-001 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild, Ops Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add `/obs/incident-mode` API (enable/disable/status) with audit trail, sampling override, retention bump preview, and CLI/Console hooks. Dependencies: WEB-OBS-54-001. | WEB-OBS-54-001 | |
| WEB-OBS-56-001 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild, AirGap Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Extend telemetry core integration to expose sealed/unsealed status APIs, drift metrics, and Console widgets without leaking sealed-mode secrets. Dependencies: WEB-OBS-55-001. | WEB-OBS-55-001 | |
| WEB-ORCH-32-001 | DONE | 2025-12-12 | SPRINT_0214_0001_0001_web_iii | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose read-only orchestrator APIs (e.g., `/orchestrator/sources`) via gateway with tenant scoping, caching headers, and rate limits. | | |
| WEB-ORCH-33-001 | DONE (2025-12-12) | 2025-12-12 | SPRINT_0215_0001_0001_web_iv | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add POST action routes (pause/resume/backfill) for orchestrator-run control, honoring RBAC and audit logging. | WEB-ORCH-32-001 | |
| WEB-ORCH-34-001 | DONE (2025-12-12) | 2025-12-12 | SPRINT_0215_0001_0001_web_iv | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web.StellaOps.Web | Surface quotas/backfill APIs, queue/backpressure metrics, and error clustering routes with admin scope enforcement and audit logging. | WEB-ORCH-33-001 | |
| WEB-POLICY-20-001 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0215_0001_0001_web_iv | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web.StellaOps.Web | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints with OpenAPI, tenant scoping, and service identity enforcement. | | |
| WEB-POLICY-20-002 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0215_0001_0001_web_iv | BE-Base Platform Guild (src/Web.StellaOps.Web) | src/Web.StellaOps.Web | Add pagination, filtering, sorting, and tenant guards to listings for policies, runs, and findings; include deterministic ordering and query diagnostics. Dependencies: WEB-POLICY-20-001. | | |
| WEB-POLICY-20-003 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0215_0001_0001_web_iv | BE-Base Platform Guild, QA Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Map engine errors to `ERR_POL_*` responses with consistent payloads and contract tests; expose correlation IDs in headers. Dependencies: WEB-POLICY-20-002. | | |
| WEB-POLICY-20-004 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0215_0001_0001_web_iv | Platform Reliability Guild (src/Web/StellaOps.Web) | src/Web.StellaOps.Web | Introduce adaptive rate limiting + quotas for simulation endpoints, expose metrics, and document retry headers. Dependencies: WEB-POLICY-20-003. | | |
| WEB-POLICY-23-001 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0215_0001_0001_web_iv | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web.StellaOps.Web | Implement API endpoints for creating/listing/fetching policy packs and revisions (`/policy/packs`, `/policy/packs/{id}/revisions`) with pagination, RBAC, and AOC metadata exposure. (Tracked via Sprint 18.5 gateway tasks.). Dependencies: WEB-POLICY-20-004. | | |
| WEB-POLICY-23-002 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0215_0001_0001_web_iv | BE-Base Platform Guild (src/Web.StellaOps.Web) | src/Web.StellaOps.Web | Add activation endpoint with scope windows, conflict checks, and optional 2-person approval integration; emit events on success. (Tracked via Sprint 18.5 gateway tasks.). Dependencies: WEB-POLICY-23-001. | | |
| WEB-POLICY-23-003 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0215_0001_0001_web_iv | BE-Base Platform Guild (src/Web.StellaOps.Web) | src/Web.StellaOps.Web | Provide `/policy/simulate` and `/policy/evaluate` endpoints with streaming responses, rate limiting, and error mapping. Dependencies: WEB-POLICY-23-002. | | |
| WEB-POLICY-23-004 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0215_0001_0001_web_iv | BE-Base Platform Guild (src/Web.StellaOps.Web) | src/Web.StellaOps.Web | Expose explain history endpoints (`/policy/runs`, `/policy/runs/{id}`) including decision tree, sources consulted, and AOC chain. Dependencies: WEB-POLICY-23-003. | | |
| WEB-POLICY-27-001 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0215_0001_0001_web_iv | BE-Base Platform Guild | src/Web/StellaOps.Web | Surface Policy Registry APIs (`/policy/workspaces`, `/policy/versions`, `/policy/reviews`, `/policy/registry`) through gateway with tenant scoping, RBAC, and request validation; ensure streaming downloads for evidence bundles. Dependencies: WEB-POLICY-23-004. | | |
| WEB-POLICY-27-002 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0215_0001_0001_web_iv | BE-Base Platform Guild | src/Web.StellaOps.Web | Implement review lifecycle endpoints (open, comment, approve/reject) with audit headers, comment pagination, and webhook fan-out. Dependencies: WEB-POLICY-27-001. | | |
| WEB-POLICY-27-003 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0215_0001_0001_web_iv | Platform Reliability Guild | src/Web.StellaOps.Web | Expose quick/batch simulation endpoints with SSE progress (`/policy/simulations/{runId}/stream`), cursor-based result pagination, and manifest download routes. Dependencies: WEB-POLICY-27-002. | | |
| WEB-POLICY-27-004 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0215_0001_0001_web_iv | BE/Security Guild | src/Web.StellaOps.Web | Add publish/sign/promote/rollback endpoints with idempotent request IDs, canary parameters, and environment bindings; enforce scope checks and emit structured events. Dependencies: WEB-POLICY-27-003. | | |
| WEB-POLICY-27-005 | DONE (2025-12-11) | 2025-12-11 | SPRINT_0215_0001_0001_web_iv | BE/Observability Guild | src/Web.StellaOps.Web | Instrument metrics/logs for compile latency, simulation queue depth, approval latency, promotion actions; expose aggregated dashboards and correlation IDs for Console. Dependencies: WEB-POLICY-27-004. | | |
| WEB-RISK-66-001 | BLOCKED (2025-12-03) | | SPRINT_216_web_v | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Expose risk profile/results endpoints through gateway with tenant scoping, pagination, and rate limiting. Blocked: npm ci hangs; cannot run Angular tests; awaiting stable install env/gateway endpoints. | | |
| WEB-RISK-66-002 | BLOCKED | 2025-12-06 | SPRINT_216_web_v | BE-Base Platform Guild, Risk Engine Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Add signed URL handling for explanation blobs and enforce scope checks. Dependencies: WEB-RISK-66-001. | | Blocked: upstream WEB-RISK-66-001 stalled (npm ci hangs; gateway endpoints unavailable). |
| WEB-RISK-67-001 | BLOCKED | 2025-12-06 | SPRINT_216_web_v | BE-Base Platform Guild (src/Web/StellaOps.Web) | src/Web/StellaOps.Web | Provide aggregated risk stats (`/risk/status`) for Console dashboards (counts per severity, last computation). Dependencies: WEB-RISK-66-002. | | Blocked by WEB-RISK-66-002. |