stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

partly or unimplemented features - now implemented

Browse Source
This commit is contained in:
master
2026-02-09 08:53:51 +02:00
parent 1bf6bbf395
commit 4bdc298ec1
674 changed files with 90194 additions and 2271 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
docs/architecture/integrations.md
View File

@@ -258,3 +258,67 @@ All operations log with:
- [CI/CD Gate Flow](../../flows/10-cicd-gate-flow.md)
- [Authority Architecture](../authority/architecture.md)
- [Scanner Architecture](../scanner/architecture.md)
## AI Code Guard Standalone Run (Sprint 20260208_040)
This sprint adds deterministic standalone execution for AI Code Guard checks in the Integrations WebService.
### API Surface
- Endpoint: `POST /api/v1/integrations/ai-code-guard/run`
- Mapped in: `src/Integrations/StellaOps.Integrations.WebService/IntegrationEndpoints.cs`
- Service contract: `IAiCodeGuardRunService` in `src/Integrations/StellaOps.Integrations.WebService/AiCodeGuard/AiCodeGuardRunService.cs`
The endpoint executes the equivalent of `stella guard run` behavior through an offline-safe API surface inside the Integrations module.
### YAML-Driven Configuration
Configuration is parsed by `AiCodeGuardPipelineConfigLoader`:
- `secrets` / `enableSecretsScan`
- `attribution` / `enableAttributionCheck`
- `license` / `enableLicenseHygiene`
- `maxFindings`
- `allowedSpdxLicenses` / `licenseAllowList`
- `customSecretPatterns` / `secretPatterns`
The loader is deterministic and rejects unsupported keys or invalid values with explicit `FormatException` errors.
### Scanning Behavior
`AiCodeGuardRunService` adds deterministic checks for:
- Secrets (built-in + optional custom regex patterns)
- Attribution markers
- SPDX license presence / allow-list validation
Output ordering is stable:
1. Severity descending
2. Path ordinal
3. Line number
4. Rule ID
5. Finding ID
### Contracts
New contracts in `src/Integrations/__Libraries/StellaOps.Integrations.Contracts/AiCodeGuardRunContracts.cs`:
- `AiCodeGuardRunRequest`
- `AiCodeGuardSourceFile`
- `AiCodeGuardRunConfiguration`
- `AiCodeGuardRunResponse`
### Test Evidence
Validated in `src/Integrations/__Tests/StellaOps.Integrations.Tests/AiCodeGuardRunServiceTests.cs`:
- Deterministic repeated output
- YAML configuration application and max-finding truncation
- Invalid YAML validation failure
Execution command:
- `dotnet test src/Integrations/__Tests/StellaOps.Integrations.Tests/StellaOps.Integrations.Tests.csproj -p:BuildProjectReferences=false --no-restore`
Result on 2026-02-08: passed (`37/37`).

134
docs/features/README.md
View File

@@ -2,102 +2,106 @@
Structured inventory of all Stella Ops features, organized for E2E verification tracking.
Generated: 2026-02-08
Generated: 2026-02-08 | Updated: 2026-02-09
## Summary
| Directory | Meaning | Count |
|-----------|---------|-------|
| `checked/` | Features verified by E2E tests | 0 |
| `unchecked/` | Implemented features needing E2E verification | 1,057 |
| `unimplemented/` | Partially implemented features | 99 |
| `dropped/` | Features not found in source code | 29 |
| **Total** | | **1,185** |
| `unchecked/` | Implemented features needing E2E verification | 1,144 |
| `unimplemented/` | Partially implemented features | 0 |
| `dropped/` | Features not found in source code | 22 |
| **Total** | | **1,166** |
Note: 73 features previously in `unimplemented/` were completed via SPRINT_20260208 sprints (archived in `docs-archived/implplan/`) and moved to `unchecked/` on 2026-02-09.
## How to Use
- **To verify a feature**: Pick a file from `unchecked/<module>/`, follow the E2E Test Plan, and if it passes, move the file to `checked/<module>/`.
- **To implement a missing feature**: Read a file from `unimplemented/<module>/`, review the "What's Missing" section, implement, then move to `unchecked/`.
- **To understand what was dropped**: Read files in `dropped/` for context on features that were planned but not implemented.
## Modules by Feature Count
### Large Modules (50+ features)
| Module | Unchecked | Unimplemented | Dropped | Total |
|--------|-----------|---------------|---------|-------|
| [Web](unchecked/web/) | 167 | 17 | 4 | 188 |
| [Attestor](unchecked/attestor/) | 153 | 27 | 2 | 182 |
| [Scanner](unchecked/scanner/) | 142 | 9 | 0 | 151 |
| [Cli](unchecked/cli/) | 97 | 7 | 0 | 104 |
| [Policy](unchecked/policy/) | 76 | 8 | 5 | 89 |
| Module | Unchecked | Dropped | Total |
|--------|-----------|---------|-------|
| [Web](unchecked/web/) | 178 | 0 | 178 |
| [Attestor](unchecked/attestor/) | 174 | 0 | 174 |
| [Scanner](unchecked/scanner/) | 147 | 0 | 147 |
| [Cli](unchecked/cli/) | 104 | 0 | 104 |
| [Policy](unchecked/policy/) | 88 | 0 | 88 |
### Medium Modules (10-49 features)
| Module | Unchecked | Unimplemented | Dropped | Total |
|--------|-----------|---------------|---------|-------|
| [ReleaseOrchestrator](unchecked/releaseorchestrator/) | 44 | 1 | 0 | 45 |
| [BinaryIndex](unchecked/binaryindex/) | 41 | 2 | 0 | 43 |
| [Concelier](unchecked/concelier/) | 34 | 2 | 0 | 36 |
| [Libraries](unchecked/libraries/) | 24 | 2 | 1 | 27 |
| [Router](unchecked/router/) | 18 | 0 | 0 | 18 |
| [Excititor](unchecked/excititor/) | 17 | 0 | 1 | 18 |
| [Signals](unchecked/signals/) | 13 | 4 | 1 | 18 |
| [EvidenceLocker](unchecked/evidencelocker/) | 17 | 0 | 0 | 17 |
| [AdvisoryAI](unchecked/advisoryai/) | 15 | 1 | 1 | 17 |
| [Orchestrator](unchecked/orchestrator/) | 14 | 1 | 0 | 15 |
| [Authority](unchecked/authority/) | 12 | 1 | 0 | 13 |
| [AirGap](unchecked/airgap/) | 9 | 3 | 0 | 12 |
| [Tests](unchecked/tests/) | 11 | 0 | 2 | 13 |
| [Integrations](unchecked/integrations/) | 10 | 1 | 0 | 11 |
| [Zastava](unchecked/zastava/) | 9 | 1 | 0 | 10 |
| Module | Unchecked | Dropped | Total |
|--------|-----------|---------|-------|
| [ReleaseOrchestrator](unchecked/releaseorchestrator/) | 45 | 0 | 45 |
| [BinaryIndex](unchecked/binaryindex/) | 43 | 0 | 43 |
| [Concelier](unchecked/concelier/) | 36 | 0 | 36 |
| [Libraries](unchecked/libraries/) | 26 | 0 | 26 |
| [Router](unchecked/router/) | 18 | 0 | 18 |
| [Excititor](unchecked/excititor/) | 18 | 0 | 18 |
| [EvidenceLocker](unchecked/evidencelocker/) | 17 | 0 | 17 |
| [AdvisoryAI](unchecked/advisoryai/) | 16 | 0 | 16 |
| [Orchestrator](unchecked/orchestrator/) | 15 | 0 | 15 |
| [Signals](unchecked/signals/) | 14 | 0 | 14 |
| [Authority](unchecked/authority/) | 13 | 0 | 13 |
| [Tests](unchecked/tests/) | 12 | 0 | 12 |
| [Integrations](unchecked/integrations/) | 11 | 0 | 11 |
| [Telemetry](unchecked/telemetry/) | 11 | 0 | 11 |
| [AirGap](unchecked/airgap/) | 10 | 0 | 10 |
### Small Modules (<10 features)
| Module | Unchecked | Unimplemented | Dropped | Total |
|--------|-----------|---------------|---------|-------|
| [Telemetry](unchecked/telemetry/) | 9 | 0 | 0 | 9 |
| [ReachGraph](unchecked/reachgraph/) | 7 | 2 | 0 | 9 |
| [Doctor](unchecked/doctor/) | 8 | 0 | 0 | 8 |
| [SbomService](unchecked/sbomservice/) | 7 | 1 | 0 | 8 |
| [Gateway](unchecked/gateway/) | 6 | 2 | 0 | 8 |
| [TaskRunner](unchecked/taskrunner/) | 7 | 0 | 0 | 7 |
| [VexLens](unchecked/vexlens/) | 6 | 0 | 1 | 7 |
| [Notifier](unchecked/notifier/) | 7 | 0 | 0 | 7 |
| [Findings](unchecked/findings/) | 7 | 0 | 0 | 7 |
| [Graph](unchecked/graph/) | 6 | 1 | 0 | 7 |
| [ExportCenter](unchecked/exportcenter/) | 6 | 1 | 0 | 7 |
| [Plugin](unchecked/plugin/) | 6 | 0 | 0 | 6 |
| [Platform](unchecked/platform/) | 6 | 0 | 0 | 6 |
| [Signer](unchecked/signer/) | 6 | 0 | 0 | 6 |
| [Cryptography](unchecked/cryptography/) | 5 | 0 | 1 | 6 |
| [Timeline](unchecked/timeline/) | 5 | 0 | 0 | 5 |
| [Tools](unchecked/tools/) | 4 | 0 | 0 | 4 |
| [Bench](unchecked/bench/) | 2 | 1 | 1 | 4 |
| [Scheduler](unchecked/scheduler/) | 3 | 0 | 0 | 3 |
| [RiskEngine](unchecked/riskengine/) | 2 | 0 | 1 | 3 |
| [Unknowns](unchecked/unknowns/) | 2 | 1 | 0 | 3 |
| [Replay](unchecked/replay/) | 2 | 1 | 0 | 3 |
| Module | Unchecked | Dropped | Total |
|--------|-----------|---------|-------|
| [Zastava](unchecked/zastava/) | 9 | 0 | 9 |
| [ReachGraph](unchecked/reachgraph/) | 9 | 0 | 9 |
| [SbomService](unchecked/sbomservice/) | 8 | 0 | 8 |
| [Gateway](unchecked/gateway/) | 8 | 0 | 8 |
| [Doctor](unchecked/doctor/) | 8 | 0 | 8 |
| [VexLens](unchecked/vexlens/) | 7 | 0 | 7 |
| [TaskRunner](unchecked/taskrunner/) | 7 | 0 | 7 |
| [Notifier](unchecked/notifier/) | 7 | 0 | 7 |
| [Graph](unchecked/graph/) | 7 | 0 | 7 |
| [Findings](unchecked/findings/) | 7 | 0 | 7 |
| [ExportCenter](unchecked/exportcenter/) | 7 | 0 | 7 |
| [Signer](unchecked/signer/) | 6 | 0 | 6 |
| [Plugin](unchecked/plugin/) | 6 | 0 | 6 |
| [Platform](unchecked/platform/) | 6 | 0 | 6 |
| [Cryptography](unchecked/cryptography/) | 6 | 0 | 6 |
| [Timeline](unchecked/timeline/) | 5 | 0 | 5 |
| [Tools](unchecked/tools/) | 4 | 0 | 4 |
| [Replay](unchecked/replay/) | 4 | 0 | 4 |
| [Scheduler](unchecked/scheduler/) | 3 | 0 | 3 |
| [RiskEngine](unchecked/riskengine/) | 3 | 0 | 3 |
| [Bench](unchecked/bench/) | 3 | 0 | 3 |
| [Unknowns](unchecked/unknowns/) | 2 | 0 | 2 |
| [Docs](unchecked/docs/) | 2 | 0 | 2 |
| [DevOps](unchecked/devops/) | 2 | 0 | 2 |
| [Api](unchecked/api/) | 2 | 0 | 2 |
### Single-Feature Modules
| Module | Status |
|--------|--------|
| [Aoc](unchecked/aoc/) | Unchecked |
| [Api](unchecked/api/) | Unchecked (2) |
| [Analyzers](unchecked/analyzers/) | Unchecked |
| [DevOps](unchecked/devops/) | Unchecked (2) |
| [DevPortal](unchecked/devportal/) | Unchecked |
| [Docs](unchecked/docs/) | Unchecked (2) |
| [Feedser](unchecked/feedser/) | Unchecked |
| [Mirror](unimplemented/mirror/) | Unimplemented |
| [Mirror](unchecked/mirror/) | Unchecked |
| [PacksRegistry](unchecked/packsregistry/) | Unchecked |
| [Provenance](unimplemented/provenance/) | Unimplemented |
| [RuntimeInstrumentation](unchecked/runtimeinstrumentation/) | Unchecked |
| [Sdk](unchecked/sdk/) | Unchecked |
| [SmRemote](unchecked/smremote/) | Unchecked |
| [VulnExplorer](unchecked/vulnexplorer/) | Unchecked |
### Dropped Features (22)
All dropped features are in `dropped/` with explanations for why they were not implemented.
## File Format
Each feature file follows a standard template:
@@ -110,14 +114,6 @@ Each feature file follows a standard template:
## E2E Test Plan (setup, action, verification steps)
```
### Unimplemented (PARTIALLY_IMPLEMENTED)
```
# Feature Name
## Module / ## Status / ## Description
## What's Implemented / ## What's Missing
## Implementation Plan
```
### Dropped (NOT_FOUND)
```
# Feature Name
@@ -132,5 +128,5 @@ This catalog was built from:
- 1,343 sprint archives (Phase 2)
- CLI + Web source code scan (Phase 3)
- Two deduplication passes reducing 1,600 entries to 1,185
See `FEATURE_CATALOG.md` in the repo root for the flat consolidated view.
- 73 SPRINT_20260208 sprints completing all PARTIALLY_IMPLEMENTED features
- Final state: 1,144 unchecked + 22 dropped = 1,166 total

0
docs/features/unimplemented/ai-codex-zastava-companion.md → docs/features/unchecked/advisoryai/ai-codex-zastava-companion.md
View File

2
docs/features/unimplemented/attestor/binary-fingerprint-store-and-trust-scoring.md → docs/features/unchecked/attestor/binary-fingerprint-store-and-trust-scoring.md
View File

@@ -4,7 +4,7 @@
Attestor
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Binary analysis commands exist in the CLI with score gating, confidence calculation is implemented in the Policy engine, and a Doctor plugin for binary analysis health checks exists. A full binary fingerprint database with ELF/PE section hashing, trust scores, and golden set as described is partially implemented through the existing binary analysis infrastructure.

2
docs/features/unimplemented/attestor/cas-for-sbom-vex-attestation-artifacts.md → docs/features/unchecked/attestor/cas-for-sbom-vex-attestation-artifacts.md
View File

@@ -4,7 +4,7 @@
Attestor
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Content-addressed identifiers are implemented for proof chain artifacts. EvidenceLocker provides bundle building. Full OCI/MinIO CAS for SBOM/VEX blobs is not fully visible.

2
docs/features/unimplemented/attestor/crypto-sovereign-design.md → docs/features/unchecked/attestor/crypto-sovereign-design.md
View File

@@ -4,7 +4,7 @@
Attestor
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
SigningKeyProfile supports crypto-sovereign configurations. SM2 tests exist for Chinese crypto support. The signing key registry supports multiple profiles. Full eIDAS/GOST/PQC implementations appear to be partially supported through the profile system but not all crypto backends are fully implemented.

2
docs/features/unimplemented/attestor/dsse-envelope-size-management-and-gateway-traversal.md → docs/features/unchecked/attestor/dsse-envelope-size-management-and-gateway-traversal.md
View File

@@ -4,7 +4,7 @@
Attestor (with CLI and Scanner integration)
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
DSSE envelope construction and Rekor submission exist, but no explicit size guardrails (70-100KB heuristic), automatic payload splitting/chunking, or gateway-aware sizing logic is implemented. The architecture stores full attestations internally and uses Rekor for hash-based inclusion proofs. Envelope size awareness exists in EPSS fetcher and delta-sig CLI commands, and bundling/queue options have configurable size limits.

2
docs/features/unimplemented/attestor/dsse-signed-exception-objects-with-recheck-policy.md → docs/features/unchecked/attestor/dsse-signed-exception-objects-with-recheck-policy.md
View File

@@ -4,7 +4,7 @@
Attestor
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Policy exceptions framework with models, repositories, and services exists. DSSE signing infrastructure is available. Full UI exception modal with recheck policy enforcement is partially complete.

2
docs/features/unimplemented/attestor/dsse-wrapped-reach-maps.md → docs/features/unchecked/attestor/dsse-wrapped-reach-maps.md
View File

@@ -4,7 +4,7 @@
Attestor
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Rich graphs and suppression witnesses exist with signing infrastructure available, but a specific "signed reach-map artifact" as a standalone DSSE-wrapped output is not distinctly implemented as described.

2
docs/features/unimplemented/attestor/evidence-coverage-score-for-ai-gating.md → docs/features/unchecked/attestor/evidence-coverage-score-for-ai-gating.md
View File

@@ -4,7 +4,7 @@
Attestor
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
The concept of gating AI output behind evidence quality exists via the AIAuthorityClassifier which scores explanation, remediation, VEX draft, and policy draft quality. The specific UX badge component and coverage scoring service described in the advisory are not implemented as standalone features.

2
docs/features/unimplemented/attestor/evidence-subgraph-ui-visualization.md → docs/features/unchecked/attestor/evidence-subgraph-ui-visualization.md
View File

@@ -4,7 +4,7 @@
Attestor
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Backend proof graph model is implemented (nodes, edges, subgraphs, paths). Evidence panel e2e tests exist. Full frontend visualization component status unclear from source search alone.

2
docs/features/unimplemented/attestor/field-level-ownership-map-for-receipts-and-bundles.md → docs/features/unchecked/attestor/field-level-ownership-map-for-receipts-and-bundles.md
View File

@@ -4,7 +4,7 @@
Attestor
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Rekor entry and receipt models exist with structured fields, but a formal field-level ownership map document (checklist page) linking fields to specific module responsibilities was not found as a standalone artifact.

2
docs/features/unimplemented/attestor/idempotent-sbom-attestation-apis.md → docs/features/unchecked/attestor/idempotent-sbom-attestation-apis.md
View File

@@ -4,7 +4,7 @@
Attestor
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Content-addressed identification for artifacts is implemented. Full idempotent REST API endpoints (POST /sbom/ingest, POST /attest/verify) are not clearly visible as standalone web service endpoints.

2
docs/features/unimplemented/attestor/immutable-evidence-storage-and-regulatory-alignment.md → docs/features/unchecked/attestor/immutable-evidence-storage-and-regulatory-alignment.md
View File

@@ -4,7 +4,7 @@
Attestor
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
The underlying evidence storage and proof chain infrastructure exists. Specific regulatory compliance mapping (NIS2, DORA, ISO-27001 report templates) not found as distinct modules.

2
docs/features/unimplemented/attestor/in-toto-link-attestation-capture.md → docs/features/unchecked/attestor/in-toto-link-attestation-capture.md
View File

@@ -4,7 +4,7 @@
Attestor
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
The attestation pipeline supports DSSE-wrapped statements and proof chains, which follow in-toto patterns. However, the specific per-step in-toto link capture with `in-toto-run` wrappers as described is not directly implemented.

2
docs/features/unimplemented/attestor/monthly-bundle-rotation-and-re-signing.md → docs/features/unchecked/attestor/monthly-bundle-rotation-and-re-signing.md
View File

@@ -4,7 +4,7 @@
Attestor
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
The attestation and signing infrastructure exists but the specific monthly bundle re-signing workflow is a planned sprint task.

2
docs/features/unimplemented/attestor/noise-ledger.md → docs/features/unchecked/attestor/noise-ledger.md
View File

@@ -4,7 +4,7 @@
Attestor
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Suppression witnesses and audit hash logging exist in the backend. CLI audit commands exist. A dedicated "Noise Ledger" UX component is not present, though the underlying audit/suppression infrastructure is in place.

2
docs/features/unimplemented/attestor/postgresql-persistence-layer.md → docs/features/unchecked/attestor/postgresql-persistence-layer.md
View File

@@ -4,7 +4,7 @@
Attestor
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
PostgreSQL persistence is implemented for Attestor, Scanner, Policy, and TrustVerdict modules with Npgsql, migrations, and repository patterns. Full blueprint (RLS scaffolds, temporal tables for Unknowns, materialized views for triage) is partially realized; not all modules have dedicated schemas.

0
docs/features/unimplemented/attestor/s3-minio-gcs-object-storage-for-tiles.md → docs/features/unchecked/attestor/s3-minio-gcs-object-storage-for-tiles.md
View File

2
docs/features/unimplemented/attestor/score-replay-and-verification.md → docs/features/unchecked/attestor/score-replay-and-verification.md
View File

@@ -4,7 +4,7 @@
Attestor
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Replay subsystem exists with a dedicated module, ProofChain replay models, and CLI commands. However, the specific `/score/{id}/replay` REST endpoint and DSSE-signed replay attestation with payload type `application/vnd.stella.score+json` are not yet wired up (sprint tasks TSF-011, TSF-007).

2
docs/features/unimplemented/attestor/snapshot-export-import-for-air-gap.md → docs/features/unchecked/attestor/snapshot-export-import-for-air-gap.md
View File

@@ -4,7 +4,7 @@
Attestor
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Offline verification and evidence pack serialization exists. Full standalone snapshot export/import bundle format (Level B/C portable snapshots) may still be evolving based on evidence pack infrastructure.

2
docs/features/unimplemented/attestor/unknowns-five-dimensional-triage-scoring.md → docs/features/unchecked/attestor/unknowns-five-dimensional-triage-scoring.md
View File

@@ -4,7 +4,7 @@
Attestor
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Unknowns aggregation with item model and aggregator service exist. The full five-dimensional weighted scoring formula (P/E/U/C/S) with Hot/Warm/Cold banding and Scheduler-driven triage automation is partially implemented.

2
docs/features/unimplemented/attestor/vex-findings-api-with-proof-artifacts.md → docs/features/unchecked/attestor/vex-findings-api-with-proof-artifacts.md
View File

@@ -4,7 +4,7 @@
Attestor
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
VEX verdict models, VEX delta predicates, and a VexProofSpineService exist in the backend, but the full API contract (GET /vex/findings/:id with proof artifacts) is not visible as a standalone endpoint.

2
docs/features/unimplemented/attestor/vex-receipt-sidebar.md → docs/features/unchecked/attestor/vex-receipt-sidebar.md
View File

@@ -4,7 +4,7 @@
Attestor
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Backend VEX receipt model and verdict receipt statement exist. VEX hub feature exists in frontend but a dedicated "sidebar" UX for individual VEX receipts is not a standalone component.

2
docs/features/unimplemented/authority/rfc-3161-tsa-client-for-ci-cd-timestamping.md → docs/features/unchecked/authority/rfc-3161-tsa-client-for-ci-cd-timestamping.md
View File

@@ -4,7 +4,7 @@
Authority
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
RFC 3161 TSA client infrastructure for CI/CD timestamping. A comprehensive TSA client library exists in the Authority module with ASN.1 encoding/decoding, multi-provider failover, response caching, and certificate chain verification. The eIDAS plugin adds additional compliance support. Some CI/CD-specific integration features are still missing.

2
docs/features/unimplemented/vendor-comparison-scanner-parity-tracking.md → docs/features/unchecked/bench/vendor-comparison-scanner-parity-tracking.md
View File

@@ -4,7 +4,7 @@
Bench
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Scanner analyzer benchmarks and golden-set diff comparisons exist, but a dedicated vendor-comparison dashboard or automated parity scoring system as described in the advisory is not visible.

2
docs/features/unimplemented/binaryindex/cross-distro-golden-set-for-backport-validation.md → docs/features/unchecked/binaryindex/cross-distro-golden-set-for-backport-validation.md
View File

@@ -4,7 +4,7 @@
BinaryIndex
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Golden set infrastructure exists in BinaryIndex with analysis pipeline and API. The advisory's detailed curated test cases (OpenSSL Heartbleed, sudo Baron Samedit, etc.) and specific database schema may not be fully populated yet.

2
docs/features/unimplemented/binaryindex/elf-normalization-and-delta-hashing.md → docs/features/unchecked/binaryindex/elf-normalization-and-delta-hashing.md
View File

@@ -4,7 +4,7 @@
BinaryIndex
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Low-entropy delta signatures over ELF segments with normalization (relocation zeroing, NOP canonicalization, jump table rewriting). Not yet implemented.

2
docs/features/unimplemented/cli/baseline-selection-logic.md → docs/features/unchecked/cli/baseline-selection-logic.md
View File

@@ -4,7 +4,7 @@
Cli
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Compare feature infrastructure exists with services and CLI builder. The specific baseline selection logic (last green verdict, previous release tag) and its visibility to users may be partially implemented.

2
docs/features/unimplemented/cli/cli-parity.md → docs/features/unchecked/cli/cli-parity.md
View File

@@ -4,7 +4,7 @@
Cli
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
The CLI infrastructure is extensive but a dedicated `stella advise` command with `--evidence --no-action` flags as described is not explicitly found. However, the `stella advise ask` command does exist with these flags.

2
docs/features/unimplemented/cli/determinism-hash-signature-verification-in-ui.md → docs/features/unchecked/cli/determinism-hash-signature-verification-in-ui.md
View File

@@ -4,7 +4,7 @@
Cli
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Proofs and proof-studio UI features exist for browsing proof artifacts. Bundle verification exists in CLI. Full inline determinism hash and signature verification status display in the compare view may be partially wired up.

2
docs/features/unimplemented/cli/oci-referrers-for-evidence-storage.md → docs/features/unchecked/cli/oci-referrers-for-evidence-storage.md
View File

@@ -4,7 +4,7 @@
Cli
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Bundle export, verification, and CLI commands exist. The pattern for storing evidence as OCI referrers is partially implemented through the bundle system and verifier module.

2
docs/features/unimplemented/cli/unknowns-export-artifacts.md → docs/features/unchecked/cli/unknowns-export-artifacts.md
View File

@@ -4,7 +4,7 @@
Cli
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Backend unknowns ranking and proof emission services exist along with CLI command group. However, explicit export schema artifacts for reproducible offline export of unknowns data were not located as standalone schema documents.

2
docs/features/unimplemented/concelier/astra-linux-oval-feed-connector.md → docs/features/unchecked/concelier/astra-linux-oval-feed-connector.md
View File

@@ -4,7 +4,7 @@
Concelier
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Advisory feed connector for Astra Linux (Russian certified distro) implementing IFeedConnector interface. Includes OVAL XML feed research, plugin scaffold, AstraOptions configuration, and trust defaults. Reuses DebianVersionComparer for version comparison. OVAL XML parser is partially implemented.

2
docs/features/unimplemented/concelier/feed-snapshot-coordinator.md → docs/features/unchecked/concelier/feed-snapshot-coordinator.md
View File

@@ -4,7 +4,7 @@
Concelier
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Feed snapshot persistence and retrieval exists (repository, entity model). However, the advisory notes this as TODO (Feed Snapshot Coordinator for cross-platform pinning/coordination is still in progress).

2
docs/features/unimplemented/exportcenter/cli-ui-surfacing-of-hidden-backend-capabilities.md → docs/features/unchecked/exportcenter/cli-ui-surfacing-of-hidden-backend-capabilities.md
View File

@@ -4,7 +4,7 @@
ExportCenter
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
The advisory itself identifies this as a gap - backend capabilities are rich but CLI/UI coverage needs surfacing work. This is a meta-advisory about exposing existing features.

2
docs/features/unimplemented/gateway/router-back-pressure-middleware.md → docs/features/unchecked/gateway/router-back-pressure-middleware.md
View File

@@ -4,7 +4,7 @@
Gateway
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Rate limiting is present in the Gateway and Graph API services. The advisory's highly detailed dual-window rate limiter with Redis/Valkey-backed environment limiter, ring counter, and custom circuit breaker pattern is not implemented as described. Standard ASP.NET rate limiting is used instead.

2
docs/features/unimplemented/gateway/stellarouter-performance-testing-pipeline.md → docs/features/unchecked/gateway/stellarouter-performance-testing-pipeline.md
View File

@@ -4,7 +4,7 @@
Gateway
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
The StellaRouter gateway service exists but the advisory's proposed k6 performance testing scenarios (A-G), correlation ID instrumentation, and Prometheus metric dashboards for performance curve modeling are not present as source code artifacts. These may exist as devops artifacts outside src/.

2
docs/features/unimplemented/graph/graph-edge-metadata-with-reason-evidence-provenance.md → docs/features/unchecked/graph/graph-edge-metadata-with-reason-evidence-provenance.md
View File

@@ -4,7 +4,7 @@
Graph
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
EdgeReason and CallgraphEdge models exist in Signals with persistence projection, and EdgeBundle exists in Scanner reachability. However, the Graph module itself (src/Graph) does not contain EdgeReason/EdgeVia/ExplanationPayload types -- the human-readable explanation layer described in the advisory is not present in the Graph API.

2
docs/features/unimplemented/integrations/ai-code-guard.md → docs/features/unchecked/integrations/ai-code-guard.md
View File

@@ -4,7 +4,7 @@
Integrations
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
AI Code Guard has policy signal binding and annotation services. Evidence provider interfaces and annotation contracts exist. The advisory's proposed `stella guard run` CLI and full YAML-driven pipeline checks are partially represented through policy signal binding rather than a standalone CLI tool.

0
docs/features/unimplemented/advisory-lens.md → docs/features/unchecked/libraries/advisory-lens.md
View File

2
docs/features/unimplemented/libraries/provcache-signer-aware-invalidation-and-evidence-chunk-paging-with-air-gap-expor.md → docs/features/unchecked/libraries/provcache-signer-aware-invalidation-and-evidence-chunk-paging-with-air-gap-expor.md
View File

@@ -4,7 +4,7 @@
__Libraries (Provcache)
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Large multi-wave feature: evidence chunk storage (with SHA-256 per-chunk verification and ChunkManifest for lazy fetching), paged evidence API (GetChunkRangeAsync), minimal proof bundle export (lite/standard/strict density), signer-aware cache invalidation (InvalidationType.SignerSetHash), feed epoch invalidation (InvalidationType.FeedEpochOlderThan), lazy evidence fetch (HTTP + sneakernet), revocation ledger with replay service, and CLI commands (stella prov export/import). Most waves DONE, but messaging bus subscription tasks and CLI e2e tests are BLOCKED pending service integration.

2
docs/features/unimplemented/mirror/mirror-creator.md → docs/features/unchecked/mirror/mirror-creator.md
View File

@@ -4,7 +4,7 @@
Mirror
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Mirror creator module exists as a separate directory but appears to have limited implementation compared to the comprehensive AirGap module.

2
docs/features/unimplemented/orchestrator/quota-governance-and-circuit-breakers.md → docs/features/unchecked/orchestrator/quota-governance-and-circuit-breakers.md
View File

@@ -4,7 +4,7 @@
Orchestrator
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Job scheduling exists but dedicated quota governance services and circuit breaker automation were not found as separate implementations. May be embedded in scheduler logic.

0
docs/features/unimplemented/policy/delta-if-present-calculations-for-missing-signals.md → docs/features/unchecked/policy/delta-if-present-calculations-for-missing-signals.md
View File

2
docs/features/unimplemented/policy/deterministic-trust-score-algebra.md → docs/features/unchecked/policy/deterministic-trust-score-algebra.md
View File

@@ -4,7 +4,7 @@
Policy (with Attestor TrustVerdict integration)
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Comprehensive scoring infrastructure exists across Policy and Attestor modules: EWS engine, Determinization system with 6-dimension normalizers (RCH/RTS/BKP/XPL/SRC/MIT), K4Lattice trust algebra (Belnap four-valued logic), TrustScoreAggregator with uncertainty penalty, DecayedConfidenceCalculator, ClaimScoreMerger with conflict penalization, ScorePolicy model with basis-point weights, TrustVerdictService with composite scoring, and BackportProofGenerator confidence calculations. The unified facade API composing all scoring subsystems and the Score.v1 predicate format are not yet built.

2
docs/features/unimplemented/policy/evidence-weighted-score-model.md → docs/features/unchecked/policy/evidence-weighted-score-model.md
View File

@@ -4,7 +4,7 @@
Policy
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Scoring infrastructure with policy-driven weights, profiles, and explanations exists. The advisory proposed a new unified 6-dimension model (RCH/RTS/BKP/XPL/SRC/MIT) to replace 4 independent scoring systems. Core normalizers and guardrails engine appear partially built; full unification is in progress.

2
docs/features/unimplemented/policy/impact-scoring-for-unknowns.md → docs/features/unchecked/policy/impact-scoring-for-unknowns.md
View File

@@ -4,7 +4,7 @@
Policy
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
The advisory proposed weighted impact scoring with factors like environment exposure, data sensitivity, fleet prevalence, SLA tier, and CVSS severity. UncertaintyScoreCalculator and TrustScoreAggregator with configurable SignalWeights exist in the Determinization library, and ReachabilityScoringService exists in Signals. The exact multi-factor impact formula (w_env * EnvExposure + w_data * DataSensitivity + ...) is partially reflected through the existing signal weights system, though the specific per-factor normalization described in the advisory is not confirmed.

2
docs/features/unimplemented/policy/policy-dsl.md → docs/features/unchecked/policy/policy-dsl.md
View File

@@ -4,7 +4,7 @@
Policy
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Policy loading and evaluation exist but the full `.stella` file DSL format with dedicated parser/compiler/simulator (stella policy lint/compile/simulate) was not found as a standalone tool. Policy evaluation is implemented through structured configuration. However, a full DSL parser/compiler exists in the `StellaOps.PolicyDsl` library.

2
docs/features/unimplemented/policy/policy-interop-framework.md → docs/features/unchecked/policy/policy-interop-framework.md
View File

@@ -4,7 +4,7 @@
Policy
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Policy interoperability framework enabling bidirectional JSON export/import of policy rules. OPA/Rego export was planned but only JSON export confirmed in source. Includes PolicyPack document format for portable policy bundles. Full interop library exists with JSON import/export, Rego code generation, and schema validation.

2
docs/features/unimplemented/policy/proof-studio-ux.md → docs/features/unchecked/policy/proof-studio-ux.md
View File

@@ -4,7 +4,7 @@
Policy
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Backend confidence calculation, verdict rationale rendering, and counterfactual engine exist. The advisory identified frontend proof studio UI as a remaining gap.

2
docs/features/unimplemented/policy/unknowns-decay-and-triage-queue.md → docs/features/unchecked/policy/unknowns-decay-and-triage-queue.md
View File

@@ -4,7 +4,7 @@
Policy
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Unknowns ranking and API endpoints exist. BlastRadius model present with database migration. The full time-based decay algorithm and containment signals ranking were identified as gaps in the archive manifest.

2
docs/features/unimplemented/policy/versioned-weight-manifests.md → docs/features/unchecked/policy/versioned-weight-manifests.md
View File

@@ -4,7 +4,7 @@
Policy
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Initial weight manifest file exists, but the weight manifest infrastructure (loading, versioning, hashing, CLI management) is marked TODO in the sprint (TSF-001).

2
docs/features/unimplemented/reachgraph/8-state-reachability-lattice.md → docs/features/unchecked/reachgraph/8-state-reachability-lattice.md
View File

@@ -4,7 +4,7 @@
ReachGraph
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Reachability infrastructure exists with triage integration, but the full 8-state lattice model (U/SR/SU/RO/RU/CR/CU/X) with mathematical state transitions as described is not fully implemented as a distinct subsystem.

2
docs/features/unimplemented/reachgraph/reachability-core-library-with-unified-query-interface.md → docs/features/unchecked/reachgraph/reachability-core-library-with-unified-query-interface.md
View File

@@ -4,7 +4,7 @@
ReachGraph
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
ReachGraph has a web service with store and slice services, but the unified `IReachabilityIndex` facade combining static + runtime evidence is not present as a distinct library.

2
docs/features/unimplemented/releaseorchestrator/release-orchestrator-performance-optimizations.md → docs/features/unchecked/releaseorchestrator/release-orchestrator-performance-optimizations.md
View File

@@ -4,7 +4,7 @@
ReleaseOrchestrator
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Performance optimization suite: batched OCI digest resolution, concurrent gate evaluation with configurable concurrency limits, predictive data prefetching for gate inputs/scan results/attestation data, connection pool management with idle timeouts, and performance baseline tracking with regression detection. Bulk digest resolver is partially implemented.

2
docs/features/unimplemented/replay/immutable-advisory-feed-snapshots.md → docs/features/unchecked/replay/immutable-advisory-feed-snapshots.md
View File

@@ -4,7 +4,7 @@
Replay
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
The replay infrastructure supports input manifests and determinism tracking which conceptually align with point-in-time query capability, but a dedicated feed snapshotting system with per-provider immutable blobs and point-in-time advisory resolution is not directly implemented as described.

0
docs/features/unimplemented/replay/point-in-time-vulnerability-query.md → docs/features/unchecked/replay/point-in-time-vulnerability-query.md
View File

2
docs/features/unimplemented/riskengine/exploit-maturity-mapping.md → docs/features/unchecked/riskengine/exploit-maturity-mapping.md
View File

@@ -1,7 +1,7 @@
# Exploit Maturity Mapping
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
No dedicated exploit maturity mapping service found. The EPSS provider in RiskEngine may partially cover this.

2
docs/features/unimplemented/sbomservice/sbom-lineage-graph-visualization.md → docs/features/unchecked/sbomservice/sbom-lineage-graph-visualization.md
View File

@@ -4,7 +4,7 @@
SbomService
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
SBOM lineage graph with Git-like visualization. Architecture fully documented, UI components mostly built, but API endpoints not implemented and services use stubs.

2
docs/features/unimplemented/ground-truth-corpus-with-reachability-tiers.md → docs/features/unchecked/scanner/ground-truth-corpus-with-reachability-tiers.md
View File

@@ -4,7 +4,7 @@
Scanner
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
A curated corpus of small service applications ("toys") with manually-labeled reachability tiers (R0-R4) for every known vulnerability, enabling precision/recall measurement of the scanner's reachability analysis engine. Each toy service contains a known vulnerability at a specific reachability tier, with a labels.yaml defining the ground truth.

2
docs/features/unimplemented/scanner/idempotent-attestation-submission.md → docs/features/unchecked/scanner/idempotent-attestation-submission.md
View File

@@ -4,7 +4,7 @@
Scanner
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Ensures that attestation submissions (verdict push to OCI registry, Rekor transparency log entries) are idempotent: resubmitting the same attestation produces no duplicate entries and returns the existing entry reference. Handles transient failures with retry logic that avoids creating duplicate transparency log entries.

2
docs/features/unimplemented/scanner/stack-trace-exploit-path-view.md → docs/features/unchecked/scanner/stack-trace-exploit-path-view.md
View File

@@ -4,7 +4,7 @@
Scanner
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
A dedicated "Stack-Trace Lens" UX component that renders exploit paths as interactive stack-trace visualizations, allowing security engineers to trace the call chain from entrypoint to vulnerable function. Combines backend exploit path grouping with a frontend visualization component.

2
docs/features/unimplemented/scanner/vex-decision-filter-with-reachability.md → docs/features/unchecked/scanner/vex-decision-filter-with-reachability.md
View File

@@ -4,7 +4,7 @@
Scanner
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
A dedicated reachability-aware VEX decision filter that combines VEX consensus data (from VexLens) with reachability classification to produce filtered vulnerability lists. Findings with "not_affected" VEX status and "unreachable" reachability classification are automatically suppressed, while findings with "exploitable" VEX status and "confirmed reachable" classification are elevated.

2
docs/features/unimplemented/scanner/vulnerability-first-triage-ux-with-exploit-path-grouping.md → docs/features/unchecked/scanner/vulnerability-first-triage-ux-with-exploit-path-grouping.md
View File

@@ -4,7 +4,7 @@
Scanner (with Attestor proof bundle integration)
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
A vulnerability-first triage inbox where findings are grouped by exploit path similarity rather than by CVE or component. Security engineers see clusters of findings that share the same attack vector (entrypoint -> call chain -> sink), enabling batch triage. Backend triage service with DB context, reachability subgraph extraction, exploit path grouping, and proof generation exist. UI triage inbox and queue components are partially complete.

0
docs/features/unimplemented/telemetry/dora-metrics.md → docs/features/unchecked/telemetry/dora-metrics.md
View File

0
docs/features/unimplemented/telemetry/outcome-analytics-attribution.md → docs/features/unchecked/telemetry/outcome-analytics-attribution.md
View File

0
docs/features/unimplemented/vexlens/vexlens-truth-table-tests.md → docs/features/unchecked/vexlens/vexlens-truth-table-tests.md
View File

2
docs/features/unimplemented/web/audit-trail-why-am-i-seeing-this.md → docs/features/unchecked/web/audit-trail-why-am-i-seeing-this.md
View File

@@ -4,7 +4,7 @@
Web
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
The advisory proposed a ReasonCapsuleComponent with per-row expandable explanations showing policy name, rule ID, graph revision ID, and inputs digest. Instead, verdict explanation is implemented via VerdictWhySummaryComponent (3-5 bullet driver explanations with evidence drill-down links) and WhySafePanels in the lineage feature. The exact ReasonCapsuleComponent name and API contract (/api/audit/reasons/:verdictId) were not found, but the concept is substantially realized under different component names.

2
docs/features/unimplemented/web/pack-registry-browser.md → docs/features/unchecked/web/pack-registry-browser.md
View File

@@ -4,7 +4,7 @@
Web
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
TaskRunner pack discovery and management with install/upgrade flows, compatibility checking, version history with changelogs, signature verification, and dependency graph. API client and models exist but dedicated feature module not found.

2
docs/features/unimplemented/web/pipeline-run-centric-view.md → docs/features/unchecked/web/pipeline-run-centric-view.md
View File

@@ -4,7 +4,7 @@
Web
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Runs feature exists in the frontend with first-signal card components and prefetch services, but a full pipeline-centric view as described in the advisory is only partially present.

2
docs/features/unimplemented/web/reachability-center-ui-view.md → docs/features/unchecked/web/reachability-center-ui-view.md
View File

@@ -4,7 +4,7 @@
Web
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Reachability Center view showing asset coverage, missing sensors, and stale reachability facts. Implemented with deterministic fixture data; pending official fixture bundle swap from Signals guild.

2
docs/features/unimplemented/sbom-graph-reachability-overlay-with-time-slider.md → docs/features/unchecked/web/sbom-graph-reachability-overlay-with-time-slider.md
View File

@@ -4,7 +4,7 @@
Web
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
Reachability halo overlay on SBOM graph visualization with time slider for temporal reachability exploration and state legend. Uses deterministic stub data pending fixture bundle.

2
docs/features/unimplemented/signals-runtime-dashboard.md → docs/features/unchecked/web/signals-runtime-dashboard.md
View File

@@ -4,7 +4,7 @@
Web
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
eBPF/ETW/dyld probe status monitoring, signal collection metrics, anomaly alerts, host coverage map, and real-time event stream. API client and models exist but dedicated feature UI module not found as standalone directory.

2
docs/features/unimplemented/web/vex-gate.md → docs/features/unchecked/web/vex-gate.md
View File

@@ -4,7 +4,7 @@
Web
## Status
PARTIALLY_IMPLEMENTED
IMPLEMENTED
## Description
The advisory proposed a VexGateButtonDirective that morphs primary action buttons into Green/Amber/Red gated actions with evidence sheets. VEX evidence and decision infrastructure exists (vex-evidence client, vex-decision-modal, evidence-ribbon). However, the specific VexGateButtonDirective and VexEvidenceSheetComponent with inline button morphing and tier-based gating were not found. The pattern is partially realized through separate VEX decision modals and evidence display components.

0
docs/features/unimplemented/.gitkeep Normal file
View File

83
docs/implplan/SPRINT_20260208_000_DOCS_sprint_index.md
View File

@@ -1,83 +0,0 @@
# Sprint SPRINT_20260208_000_DOCS_sprint_index - Sprint Index
## Topic & Scope
- Index of sprint files generated from docs/features/unimplemented/ gap analysis on 2026-02-08.
- Working directory: docs/implplan/.
- Expected evidence: one sprint per feature with task-ready implementation guidance.
## Sprint Catalog
| Sprint | Feature | Module | Task Count |
| --- | --- | --- | --- |
| docs/implplan/SPRINT_20260208_001___Libraries_advisory_lens.md | Advisory Lens (Core Library and UI) | __Libraries | 3 |
| docs/implplan/SPRINT_20260208_002___Libraries_provcache_signer_aware_invalidation_and_evidence_chunk_paging_wi.md | Provcache: Signer-Aware Invalidation, Evidence Chunk Paging, and Air-Gap Export | __Libraries | 3 |
| docs/implplan/SPRINT_20260208_003_AdvisoryAI_ai_codex_zastava_companion.md | AI Codex / Zastava Companion | AdvisoryAI | 3 |
| docs/implplan/SPRINT_20260208_004_Attestor_binary_fingerprint_store_and_trust_scoring.md | Binary Fingerprint Store and Trust Scoring | Attestor | 3 |
| docs/implplan/SPRINT_20260208_005_Attestor_cas_for_sbom_vex_attestation_artifacts.md | CAS for SBOM/VEX/Attestation Artifacts | Attestor | 3 |
| docs/implplan/SPRINT_20260208_006_Attestor_crypto_sovereign_design.md | Crypto-Sovereign Design (eIDAS/FIPS/GOST/SM/PQC) | Attestor | 3 |
| docs/implplan/SPRINT_20260208_007_Attestor_dsse_envelope_size_management_and_gateway_traversal.md | DSSE Envelope Size Management (Guardrails, Chunking, Gateway Awareness) | Attestor | 3 |
| docs/implplan/SPRINT_20260208_008_Attestor_dsse_signed_exception_objects_with_recheck_policy.md | DSSE-Signed Exception Objects with Recheck Policy | Attestor | 3 |
| docs/implplan/SPRINT_20260208_009_Attestor_dsse_wrapped_reach_maps.md | DSSE-Wrapped Reach-Maps | Attestor | 3 |
| docs/implplan/SPRINT_20260208_010_Attestor_evidence_coverage_score_for_ai_gating.md | Evidence Coverage Score for AI Gating | Attestor | 3 |
| docs/implplan/SPRINT_20260208_011_Attestor_evidence_subgraph_ui_visualization.md | Evidence Subgraph UI Visualization | Attestor | 3 |
| docs/implplan/SPRINT_20260208_012_Attestor_field_level_ownership_map_for_receipts_and_bundles.md | Field-Level Ownership Map for Receipts and Bundles | Attestor | 3 |
| docs/implplan/SPRINT_20260208_013_Attestor_idempotent_sbom_attestation_apis.md | Idempotent SBOM/Attestation APIs | Attestor | 3 |
| docs/implplan/SPRINT_20260208_014_Attestor_immutable_evidence_storage_and_regulatory_alignment.md | Immutable Evidence Storage and Regulatory Alignment (NIS2/DORA/ISO-27001) | Attestor | 3 |
| docs/implplan/SPRINT_20260208_015_Attestor_in_toto_link_attestation_capture.md | In-toto Link Attestation Capture | Attestor | 3 |
| docs/implplan/SPRINT_20260208_016_Attestor_monthly_bundle_rotation_and_re_signing.md | Monthly Bundle Rotation and Re-Signing | Attestor | 3 |
| docs/implplan/SPRINT_20260208_017_Attestor_noise_ledger.md | Noise Ledger (Audit Log of Suppressions) | Attestor | 3 |
| docs/implplan/SPRINT_20260208_018_Attestor_postgresql_persistence_layer.md | PostgreSQL Persistence Layer (Per-Module Schemas, Migrations, RLS) | Attestor | 3 |
| docs/implplan/SPRINT_20260208_019_Attestor_s3_minio_gcs_object_storage_for_tiles.md | S3/MinIO/GCS Object Storage for Tiles | Attestor | 3 |
| docs/implplan/SPRINT_20260208_020_Attestor_score_replay_and_verification.md | Score Replay and Verification | Attestor | 3 |
| docs/implplan/SPRINT_20260208_021_Attestor_snapshot_export_import_for_air_gap.md | Snapshot Export/Import for Air-Gap | Attestor | 3 |
| docs/implplan/SPRINT_20260208_022_Attestor_unknowns_five_dimensional_triage_scoring.md | Unknowns Five-Dimensional Triage Scoring (P/E/U/C/S with Hot/Warm/Cold Bands) | Attestor | 3 |
| docs/implplan/SPRINT_20260208_023_Attestor_vex_findings_api_with_proof_artifacts.md | VEX Findings API with Proof Artifacts | Attestor | 3 |
| docs/implplan/SPRINT_20260208_024_Attestor_vex_receipt_sidebar.md | VEX Receipt Sidebar | Attestor | 3 |
| docs/implplan/SPRINT_20260208_025_Authority_rfc_3161_tsa_client_for_ci_cd_timestamping.md | RFC-3161 TSA Client for CI/CD Timestamping | Authority | 3 |
| docs/implplan/SPRINT_20260208_026_Bench_vendor_comparison_scanner_parity_tracking.md | Vendor comparison / scanner parity tracking | Bench | 3 |
| docs/implplan/SPRINT_20260208_027_BinaryIndex_cross_distro_golden_set_for_backport_validation.md | Cross-Distro Golden Set for Backport Validation | BinaryIndex | 3 |
| docs/implplan/SPRINT_20260208_028_BinaryIndex_elf_normalization_and_delta_hashing.md | ELF Normalization and Delta Hashing | BinaryIndex | 3 |
| docs/implplan/SPRINT_20260208_029_Cli_baseline_selection_logic.md | Baseline Selection Logic (Last Green / Previous Release) | Cli | 3 |
| docs/implplan/SPRINT_20260208_030_Cli_cli_parity.md | CLI Parity (stella advise) | Cli | 3 |
| docs/implplan/SPRINT_20260208_031_Cli_determinism_hash_signature_verification_in_ui.md | Determinism Hash / Signature Verification in UI | Cli | 3 |
| docs/implplan/SPRINT_20260208_032_Cli_oci_referrers_for_evidence_storage.md | OCI Referrers for Evidence Storage (StellaBundle) | Cli | 3 |
| docs/implplan/SPRINT_20260208_033_Cli_unknowns_export_artifacts.md | Unknowns Export Artifacts | Cli | 3 |
| docs/implplan/SPRINT_20260208_034_Concelier_astra_linux_oval_feed_connector.md | Astra Linux OVAL Feed Connector | Concelier | 3 |
| docs/implplan/SPRINT_20260208_035_Concelier_feed_snapshot_coordinator.md | Feed Snapshot Coordinator | Concelier | 3 |
| docs/implplan/SPRINT_20260208_036_ExportCenter_cli_ui_surfacing_of_hidden_backend_capabilities.md | CLI/UI Surfacing of Hidden Backend Capabilities | ExportCenter | 3 |
| docs/implplan/SPRINT_20260208_037_Gateway_router_back_pressure_middleware.md | Router Back-Pressure Middleware (Dual-Window Rate Limiting + Circuit Breaker) | Gateway | 3 |
| docs/implplan/SPRINT_20260208_038_Gateway_stellarouter_performance_testing_pipeline.md | StellaRouter Performance Testing Pipeline (k6 + Prometheus + Correlation IDs) | Gateway | 3 |
| docs/implplan/SPRINT_20260208_039_Graph_graph_edge_metadata_with_reason_evidence_provenance.md | Graph Edge Metadata with Reason/Evidence/Provenance | Graph | 3 |
| docs/implplan/SPRINT_20260208_040_Integrations_ai_code_guard.md | AI Code Guard (Secrets Scanning + Attribution Check + License Hygiene) | Integrations | 3 |
| docs/implplan/SPRINT_20260208_041_Mirror_mirror_creator.md | Mirror Creator | Mirror | 3 |
| docs/implplan/SPRINT_20260208_042_Orchestrator_quota_governance_and_circuit_breakers.md | Quota Governance and Circuit Breakers | Orchestrator | 3 |
| docs/implplan/SPRINT_20260208_043_Policy_delta_if_present_calculations_for_missing_signals.md | Delta-If-Present Calculations for Missing Signals | Policy | 3 |
| docs/implplan/SPRINT_20260208_044_Policy_deterministic_trust_score_algebra.md | Deterministic Trust Score Algebra and Vulnerability Scoring | Policy | 3 |
| docs/implplan/SPRINT_20260208_045_Policy_evidence_weighted_score_model.md | Evidence-Weighted Score (EWS) Model (6-Dimension Scoring) | Policy | 3 |
| docs/implplan/SPRINT_20260208_046_Policy_impact_scoring_for_unknowns.md | Impact Scoring for Unknowns | Policy | 3 |
| docs/implplan/SPRINT_20260208_047_Policy_policy_dsl.md | Policy DSL (stella-dsl@1) | Policy | 3 |
| docs/implplan/SPRINT_20260208_048_Policy_policy_interop_framework.md | Policy Interop Framework (JSON Export/Import) | Policy | 3 |
| docs/implplan/SPRINT_20260208_049_Policy_proof_studio_ux.md | Proof Studio UX (Explainable Confidence Scoring) | Policy | 3 |
| docs/implplan/SPRINT_20260208_050_Policy_unknowns_decay_and_triage_queue.md | Unknowns Decay and Triage Queue | Policy | 3 |
| docs/implplan/SPRINT_20260208_051_Policy_versioned_weight_manifests.md | Versioned Weight Manifests | Policy | 3 |
| docs/implplan/SPRINT_20260208_052_ReachGraph_8_state_reachability_lattice.md | 8-State Reachability Lattice | ReachGraph | 3 |
| docs/implplan/SPRINT_20260208_053_ReachGraph_reachability_core_library_with_unified_query_interface.md | Reachability Core Library with Unified Query Interface | ReachGraph | 3 |
| docs/implplan/SPRINT_20260208_054_ReleaseOrchestrator_release_orchestrator_performance_optimizations.md | Release Orchestrator Performance Optimizations (Bulk Digest, Parallel Gates, Prefetch, Connection Pool, Baseline Tracking) | ReleaseOrchestrator | 3 |
| docs/implplan/SPRINT_20260208_055_Replay_immutable_advisory_feed_snapshots.md | Immutable Advisory Feed Snapshots | Replay | 3 |
| docs/implplan/SPRINT_20260208_056_Replay_point_in_time_vulnerability_query.md | Point-in-Time Vulnerability Query (As-Of Date) | Replay | 3 |
| docs/implplan/SPRINT_20260208_057_RiskEngine_exploit_maturity_mapping.md | Exploit Maturity Mapping | RiskEngine | 3 |
| docs/implplan/SPRINT_20260208_058_SbomService_sbom_lineage_graph_visualization.md | SBOM Lineage Graph Visualization | SbomService | 3 |
| docs/implplan/SPRINT_20260208_059_Scanner_ground_truth_corpus_with_reachability_tiers.md | Ground-Truth Corpus with Reachability Tiers (R0-R4) | Scanner | 3 |
| docs/implplan/SPRINT_20260208_060_Scanner_idempotent_attestation_submission.md | Idempotent Attestation Submission | Scanner | 3 |
| docs/implplan/SPRINT_20260208_061_Scanner_stack_trace_exploit_path_view.md | Stack-Trace/Exploit Path View | Scanner | 3 |
| docs/implplan/SPRINT_20260208_062_Scanner_vex_decision_filter_with_reachability.md | VEX Decision Filter with Reachability | Scanner | 3 |
| docs/implplan/SPRINT_20260208_063_Scanner_vulnerability_first_triage_ux_with_exploit_path_grouping.md | Vulnerability-First Triage UX with Exploit Path Grouping and Proof Bundles | Scanner | 3 |
| docs/implplan/SPRINT_20260208_064_Telemetry_dora_metrics.md | DORA Metrics | Telemetry | 3 |
| docs/implplan/SPRINT_20260208_065_Telemetry_outcome_analytics_attribution.md | Outcome Analytics / Attribution | Telemetry | 3 |
| docs/implplan/SPRINT_20260208_066_VexLens_vexlens_truth_table_tests.md | VexLens Truth Table Tests | VexLens | 3 |
| docs/implplan/SPRINT_20260208_067_FE_audit_trail_why_am_i_seeing_this.md | Audit Trail "Why am I seeing this?" (Reason Capsule) | FE | 3 |
| docs/implplan/SPRINT_20260208_068_FE_pack_registry_browser.md | Pack Registry Browser | FE | 3 |
| docs/implplan/SPRINT_20260208_069_FE_pipeline_run_centric_view.md | Pipeline/Run-Centric View | FE | 3 |
| docs/implplan/SPRINT_20260208_070_FE_reachability_center_ui_view.md | Reachability Center UI View | FE | 3 |
| docs/implplan/SPRINT_20260208_071_FE_sbom_graph_reachability_overlay_with_time_slider.md | SBOM Graph Reachability Overlay with Time Slider | FE | 3 |
| docs/implplan/SPRINT_20260208_072_FE_signals_runtime_dashboard.md | Signals & Runtime Dashboard | FE | 3 |
| docs/implplan/SPRINT_20260208_073_FE_vex_gate.md | VEX Gate (Inline Gated Action with Evidence Tiers) | FE | 3 |

80
docs/implplan/SPRINT_20260208_001___Libraries_advisory_lens.md
View File

@@ -1,80 +0,0 @@
# Sprint SPRINT_20260208_001___Libraries_advisory_lens <20> Advisory Lens (Core Library and UI)
## Topic & Scope
- Close the remaining delivery gap for 'Advisory Lens (Core Library and UI)' using the existing implementation baseline already present in src/__Libraries/.
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
- Working directory: src/__Libraries/
- Cross-module touchpoints: None
- Expected evidence: deterministic unit tests, offline integration tests, docs update in module dossier
## Dependencies & Concurrency
- Upstream: None
- Safe to parallelize with: Any sprint that does not edit src/__Libraries/
- Blocking: None
## Documentation Prerequisites
- Read: docs/modules/prov-cache/architecture.md (if it exists)
- Read: src/__Libraries/AGENTS.md (if it exists)
- Read: docs/ARCHITECTURE_OVERVIEW.md
## Delivery Tracker
### T1 - Implement core feature slice and deterministic model updates
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Extend existing implementation anchored by src/__Libraries/ and src/Web/ to cover the core gap: No `StellaOps.AdvisoryLens` library found under `src/__Libraries/` or anywhere in `src/`
- Implement deterministic service/model behavior for: No dedicated "Lens Panel", "Top 3 Suggestions", inline hint system, or playbook drawer components found in `src/Web/`
- If a new type is required, create it adjacent to existing module code at src and keep namespace conventions aligned with the surrounding project structure.
Completion criteria:
- [ ] Core behavior for 'Advisory Lens (Core Library and UI)' is implemented behind existing module contracts without breaking current flows.
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
- [ ] Output is reproducible across repeated runs with identical inputs.
### T2 - Wire API/CLI/UI integration and persistence boundaries
Status: TODO
Dependency: T1
Owners: Developer
Task description:
- Integrate the core slice into existing entry points referenced by src/__Libraries/ and related module surfaces.
- Implement: The AdvisoryAI module (`src/AdvisoryAI/`) provides AI-powered explanation generation (evidence-anchored explanations, replay, prompt templates) but does not implement the "Advisory Lens" semantic case-matching copilot concept
- Apply implementation guidance from feature notes: Use existing module architecture patterns for service composition and dependency injection. and Expose capability through current API/CLI/UI entry points without network-dependent behavior in tests.
Completion criteria:
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
### T3 - Complete verification, docs sync, and rollout guardrails
Status: TODO
Dependency: T2
Owners: Developer
Task description:
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
- Add regression guards for replayability, idempotency, and non-networked test execution.
Completion criteria:
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
- [ ] Execution log entry is added by the implementer when work starts/finishes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
## Decisions & Risks
- Feature file status was 'NOT_FOUND'; verification found 5 referenced source path(s) present and 2 referenced path(s) absent.
- Source verification anchored on: src/__Libraries/, src/Web/, src/AdvisoryAI/
- Missing-surface probes in src/__Libraries/: StellaOps.AdvisoryLens:not-found, StellaOps:found, AdvisoryLens:not-found
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
- Mitigation: keep implementation confined to src/__Libraries/ first, then add narrowly-scoped cross-module edits with explicit tests.
## Next Checkpoints
- Implementation complete with passing tests
- Code review
- Documentation update verification

80
docs/implplan/SPRINT_20260208_002___Libraries_provcache_signer_aware_invalidation_and_evidence_chunk_paging_wi.md
View File

@@ -1,80 +0,0 @@
# Sprint SPRINT_20260208_002___Libraries_provcache_signer_aware_invalidation_and_evidence_chunk_paging_wi <20> Provcache: Signer-Aware Invalidation, Evidence Chunk Paging, and Air-Gap Export
## Topic & Scope
- Close the remaining delivery gap for 'Provcache: Signer-Aware Invalidation, Evidence Chunk Paging, and Air-Gap Export' using the existing implementation baseline already present in src/__Libraries/.
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
- Working directory: src/__Libraries/
- Cross-module touchpoints: None
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, schema/contract fixtures, persistence tests with frozen fixtures, DSSE/Rekor verification checks, docs update in module dossier
## Dependencies & Concurrency
- Upstream: None
- Safe to parallelize with: Any sprint that does not edit src/__Libraries/
- Blocking: None
## Documentation Prerequisites
- Read: docs/modules/prov-cache/architecture.md (if it exists)
- Read: src/__Libraries/AGENTS.md (if it exists)
- Read: docs/ARCHITECTURE_OVERVIEW.md
## Delivery Tracker
### T1 - Implement core feature slice and deterministic model updates
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Extend existing implementation anchored by src/__Libraries/StellaOps.Provcache/ProvcacheService.cs and src/__Libraries/StellaOps.Provcache/InvalidationRequest.cs to cover the core gap: **SignerRevokedEvent handler**: No event handler listening for signer revocation events and invalidating cached provenance records signed by the revoked key. The signer infrastructure and `InvalidationType.SignerSetHash` exist but the messaging bus fan-out is not wired.
- Implement deterministic service/model behavior for: **FeedEpochAdvancedEvent handler**: No event handler listening for feed epoch advancement and invalidating stale provenance cache entries referencing the previous epoch's advisory data.
- If a new type is required, create it adjacent to existing module code at src/__Libraries/StellaOps.Provcache and keep namespace conventions aligned with the surrounding project structure.
Completion criteria:
- [ ] Core behavior for 'Provcache: Signer-Aware Invalidation, Evidence Chunk Paging, and Air-Gap Export' is implemented behind existing module contracts without breaking current flows.
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
- [ ] Output is reproducible across repeated runs with identical inputs.
### T2 - Wire API/CLI/UI integration and persistence boundaries
Status: TODO
Dependency: T1
Owners: Developer
Task description:
- Integrate the core slice into existing entry points referenced by src/__Libraries/StellaOps.Provcache/ProvcacheService.cs and related module surfaces.
- Implement: **Cross-module event bus integration**: The event-driven fan-out requires integration with the broader event bus (likely via the Scheduler or Orchestrator) which is not yet connected.
- Apply implementation guidance from feature notes: Integrate messaging bus subscriptions for `SignerRevokedEvent` triggering `InvalidationRequest.BySignerSetHash()` and Integrate messaging bus subscriptions for `FeedEpochAdvancedEvent` triggering `InvalidationRequest.ByFeedEpochOlderThan()`
Completion criteria:
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
### T3 - Complete verification, docs sync, and rollout guardrails
Status: TODO
Dependency: T2
Owners: Developer
Task description:
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
- Add regression guards for replayability, idempotency, and non-networked test execution.
Completion criteria:
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
- [ ] Execution log entry is added by the implementer when work starts/finishes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
## Decisions & Risks
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 19 referenced source path(s) present and 0 referenced path(s) absent.
- Source verification anchored on: src/__Libraries/StellaOps.Provcache/ProvcacheService.cs, src/__Libraries/StellaOps.Provcache/InvalidationRequest.cs, src/__Libraries/StellaOps.Provcache/InvalidationType.cs
- Missing-surface probes in src/__Libraries/: InvalidationType.SignerSetHash:found, SignerRevokedEvent:found, InvalidationType:found
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
- Mitigation: keep implementation confined to src/__Libraries/ first, then add narrowly-scoped cross-module edits with explicit tests.
## Next Checkpoints
- Implementation complete with passing tests
- Code review
- Documentation update verification

80
docs/implplan/SPRINT_20260208_003_AdvisoryAI_ai_codex_zastava_companion.md
View File

@@ -1,80 +0,0 @@
# Sprint SPRINT_20260208_003_AdvisoryAI_ai_codex_zastava_companion <20> AI Codex / Zastava Companion
## Topic & Scope
- Close the remaining delivery gap for 'AI Codex / Zastava Companion' using the existing implementation baseline already present in src/AdvisoryAI/.
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
- Working directory: src/AdvisoryAI/
- Cross-module touchpoints: None
- Expected evidence: deterministic unit tests, offline integration tests, docs update in module dossier
## Dependencies & Concurrency
- Upstream: None
- Safe to parallelize with: Any sprint that does not edit src/AdvisoryAI/
- Blocking: None
## Documentation Prerequisites
- Read: docs/modules/advisory-ai/architecture.md (if it exists)
- Read: src/AdvisoryAI/AGENTS.md (if it exists)
- Read: docs/ARCHITECTURE_OVERVIEW.md
## Delivery Tracker
### T1 - Implement core feature slice and deterministic model updates
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Extend existing implementation anchored by src/AdvisoryAI/ and src/Zastava/StellaOps.Zastava.Observer/ to cover the core gap: The specific "AI Codex" or "Zastava Companion" branding is not found, but substantial AI infrastructure exists:
- Implement deterministic service/model behavior for: `src/AdvisoryAI/` provides evidence-anchored explanation generation with `EvidenceAnchoredExplanationGenerator`, `ExplanationPromptTemplates`, replay golden tests, and a web service (`AdvisoryAI.WebService/Program.cs`)
- If a new type is required, create it adjacent to existing module code at src and keep namespace conventions aligned with the surrounding project structure.
Completion criteria:
- [ ] Core behavior for 'AI Codex / Zastava Companion' is implemented behind existing module contracts without breaking current flows.
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
- [ ] Output is reproducible across repeated runs with identical inputs.
### T2 - Wire API/CLI/UI integration and persistence boundaries
Status: TODO
Dependency: T1
Owners: Developer
Task description:
- Integrate the core slice into existing entry points referenced by src/AdvisoryAI/ and related module surfaces.
- Implement: `src/Zastava/StellaOps.Zastava.Observer/` exists as a runtime observer module
- Apply implementation guidance from feature notes: Use existing module architecture patterns for service composition and dependency injection. and Expose capability through current API/CLI/UI entry points without network-dependent behavior in tests.
Completion criteria:
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
### T3 - Complete verification, docs sync, and rollout guardrails
Status: TODO
Dependency: T2
Owners: Developer
Task description:
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
- Add regression guards for replayability, idempotency, and non-networked test execution.
Completion criteria:
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
- [ ] Execution log entry is added by the implementer when work starts/finishes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
## Decisions & Risks
- Feature file status was 'NOT_FOUND'; verification found 5 referenced source path(s) present and 1 referenced path(s) absent.
- Source verification anchored on: src/AdvisoryAI/, src/Zastava/StellaOps.Zastava.Observer/, src/AdvisoryAI
- Missing-surface probes in src/AdvisoryAI/: Codex:not-found, Zastava:not-found, Companion:not-found
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
- Mitigation: keep implementation confined to src/AdvisoryAI/ first, then add narrowly-scoped cross-module edits with explicit tests.
## Next Checkpoints
- Implementation complete with passing tests
- Code review
- Documentation update verification

80
docs/implplan/SPRINT_20260208_004_Attestor_binary_fingerprint_store_and_trust_scoring.md
View File

@@ -1,80 +0,0 @@
# Sprint SPRINT_20260208_004_Attestor_binary_fingerprint_store_and_trust_scoring <20> Binary Fingerprint Store and Trust Scoring
## Topic & Scope
- Close the remaining delivery gap for 'Binary Fingerprint Store and Trust Scoring' using the existing implementation baseline already present in src/Attestor/.
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
- Working directory: src/Attestor/
- Cross-module touchpoints: None
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, schema/contract fixtures, persistence tests with frozen fixtures, docs update in module dossier
## Dependencies & Concurrency
- Upstream: None
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
- Blocking: None
## Documentation Prerequisites
- Read: docs/modules/attestor/architecture.md (if it exists)
- Read: src/Attestor/AGENTS.md (if it exists)
- Read: docs/ARCHITECTURE_OVERVIEW.md
## Delivery Tracker
### T1 - Implement core feature slice and deterministic model updates
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs to cover the core gap: **Dedicated binary fingerprint database**: No standalone fingerprint store with ELF/PE section-level hashing and content-addressed lookup. Current evidence is generated per-scan, not stored in a queryable fingerprint database.
- Implement deterministic service/model behavior for: **Golden set management**: No mechanism to define and maintain a "golden set" of known-good binary fingerprints for comparison.
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators and keep namespace conventions aligned with the surrounding project structure.
Completion criteria:
- [ ] Core behavior for 'Binary Fingerprint Store and Trust Scoring' is implemented behind existing module contracts without breaking current flows.
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
- [ ] Output is reproducible across repeated runs with identical inputs.
### T2 - Wire API/CLI/UI integration and persistence boundaries
Status: TODO
Dependency: T1
Owners: Developer
Task description:
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs and related module surfaces.
- Implement: **Section-level hashing**: ELF `.text`/`.rodata` section hashing and PE section-level fingerprinting are not distinctly implemented as reusable fingerprinting primitives.
- Apply implementation guidance from feature notes: Create a `BinaryFingerprintStore` service with content-addressed storage for section-level hashes and Implement ELF/PE section extraction and hashing as reusable utilities
Completion criteria:
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
### T3 - Complete verification, docs sync, and rollout guardrails
Status: TODO
Dependency: T2
Owners: Developer
Task description:
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
- Add regression guards for replayability, idempotency, and non-networked test execution.
Completion criteria:
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
- [ ] Execution log entry is added by the implementer when work starts/finishes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
## Decisions & Risks
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs
- Missing-surface probes in src/Attestor/: Dedicated:not-found, Current:found, Golden:found
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
## Next Checkpoints
- Implementation complete with passing tests
- Code review
- Documentation update verification

80
docs/implplan/SPRINT_20260208_005_Attestor_cas_for_sbom_vex_attestation_artifacts.md
View File

@@ -1,80 +0,0 @@
# Sprint SPRINT_20260208_005_Attestor_cas_for_sbom_vex_attestation_artifacts <20> CAS for SBOM/VEX/Attestation Artifacts
## Topic & Scope
- Close the remaining delivery gap for 'CAS for SBOM/VEX/Attestation Artifacts' using the existing implementation baseline already present in src/Attestor/.
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
- Working directory: src/Attestor/
- Cross-module touchpoints: None
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, persistence tests with frozen fixtures, DSSE/Rekor verification checks, docs update in module dossier
## Dependencies & Concurrency
- Upstream: None
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
- Blocking: None
## Documentation Prerequisites
- Read: docs/modules/attestor/architecture.md (if it exists)
- Read: src/Attestor/AGENTS.md (if it exists)
- Read: docs/ARCHITECTURE_OVERVIEW.md
## Delivery Tracker
### T1 - Implement core feature slice and deterministic model updates
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ to cover the core gap: **Unified CAS for all artifact types**: No single content-addressed storage service that handles SBOM, VEX, and attestation blobs uniformly. Current CAS is per-domain (tiles, OCI, proof chain IDs).
- Implement deterministic service/model behavior for: **MinIO/S3 backend**: No MinIO or S3-compatible object storage backend for CAS. Current storage is either OCI registry or filesystem.
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain and keep namespace conventions aligned with the surrounding project structure.
Completion criteria:
- [ ] Core behavior for 'CAS for SBOM/VEX/Attestation Artifacts' is implemented behind existing module contracts without breaking current flows.
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
- [ ] Output is reproducible across repeated runs with identical inputs.
### T2 - Wire API/CLI/UI integration and persistence boundaries
Status: TODO
Dependency: T1
Owners: Developer
Task description:
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ and related module surfaces.
- Implement: **Deduplication service**: No cross-artifact deduplication by content hash (e.g., same SBOM ingested twice should resolve to one stored blob).
- Apply implementation guidance from feature notes: Create a unified `IContentAddressedStore` interface with store/retrieve/exists operations and Implement MinIO/S3 backend and filesystem backend behind the interface
Completion criteria:
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
### T3 - Complete verification, docs sync, and rollout guardrails
Status: TODO
Dependency: T2
Owners: Developer
Task description:
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
- Add regression guards for replayability, idempotency, and non-networked test execution.
Completion criteria:
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
- [ ] Execution log entry is added by the implementer when work starts/finishes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
## Decisions & Risks
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/
- Missing-surface probes in src/Attestor/: Unified:not-found, SBOM:found, Current:found
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
## Next Checkpoints
- Implementation complete with passing tests
- Code review
- Documentation update verification

80
docs/implplan/SPRINT_20260208_006_Attestor_crypto_sovereign_design.md
View File

@@ -1,80 +0,0 @@
# Sprint SPRINT_20260208_006_Attestor_crypto_sovereign_design <20> Crypto-Sovereign Design (eIDAS/FIPS/GOST/SM/PQC)
## Topic & Scope
- Close the remaining delivery gap for 'Crypto-Sovereign Design (eIDAS/FIPS/GOST/SM/PQC)' using the existing implementation baseline already present in src/Attestor/.
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
- Working directory: src/Attestor/
- Cross-module touchpoints: None
- Expected evidence: deterministic unit tests, offline integration tests, DSSE/Rekor verification checks, docs update in module dossier
## Dependencies & Concurrency
- Upstream: None
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
- Blocking: None
## Documentation Prerequisites
- Read: docs/modules/attestor/architecture.md (if it exists)
- Read: src/Attestor/AGENTS.md (if it exists)
- Read: docs/ARCHITECTURE_OVERVIEW.md
## Delivery Tracker
### T1 - Implement core feature slice and deterministic model updates
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/SigningKeyProfile.cs and src/Cryptography/ to cover the core gap: **Post-Quantum Cryptography (PQC)**: No CRYSTALS-Dilithium, SPHINCS+, or other PQC algorithm support. The profile system can model PQC keys but no backend implements them. This is the only major crypto profile gap.
- Implement deterministic service/model behavior for: **eIDAS qualified signature validation**: Plugin exists but validation that timestamps meet eIDAS Article 42 qualified timestamp requirements may not be complete.
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing and keep namespace conventions aligned with the surrounding project structure.
Completion criteria:
- [ ] Core behavior for 'Crypto-Sovereign Design (eIDAS/FIPS/GOST/SM/PQC)' is implemented behind existing module contracts without breaking current flows.
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
- [ ] Output is reproducible across repeated runs with identical inputs.
### T2 - Wire API/CLI/UI integration and persistence boundaries
Status: TODO
Dependency: T1
Owners: Developer
Task description:
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/SigningKeyProfile.cs and related module surfaces.
- Implement: **Crypto provider integration with Attestor SigningKeyProfile**: The Cryptography plugin system and the Attestor `SigningKeyProfile` are not fully bridged -- Attestor signing uses its own key profiles rather than the Cryptography plugin registry.
- Apply implementation guidance from feature notes: Implement PQC plugin (CRYSTALS-Dilithium, SPHINCS+) following the existing CryptoPluginBase pattern and Bridge Cryptography plugin registry with Attestor SigningKeyProfile for unified key management
Completion criteria:
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
### T3 - Complete verification, docs sync, and rollout guardrails
Status: TODO
Dependency: T2
Owners: Developer
Task description:
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
- Add regression guards for replayability, idempotency, and non-networked test execution.
Completion criteria:
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
- [ ] Execution log entry is added by the implementer when work starts/finishes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
## Decisions & Risks
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 9 referenced source path(s) present and 0 referenced path(s) absent.
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/SigningKeyProfile.cs, src/Cryptography/, src/Cryptography/StellaOps.Cryptography.Plugin.Gost/GostPlugin.cs
- Missing-surface probes in src/Attestor/: Post:found, Quantum:found, Cryptography:found
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
## Next Checkpoints
- Implementation complete with passing tests
- Code review
- Documentation update verification

80
docs/implplan/SPRINT_20260208_007_Attestor_dsse_envelope_size_management_and_gateway_traversal.md
View File

@@ -1,80 +0,0 @@
# Sprint SPRINT_20260208_007_Attestor_dsse_envelope_size_management_and_gateway_traversal <20> DSSE Envelope Size Management (Guardrails, Chunking, Gateway Awareness)
## Topic & Scope
- Close the remaining delivery gap for 'DSSE Envelope Size Management (Guardrails, Chunking, Gateway Awareness)' using the existing implementation baseline already present in src/Attestor/.
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
- Working directory: src/Attestor/
- Cross-module touchpoints: None
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, persistence tests with frozen fixtures, DSSE/Rekor verification checks, docs update in module dossier
## Dependencies & Concurrency
- Upstream: None
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
- Blocking: None
## Documentation Prerequisites
- Read: docs/modules/attestor/architecture.md (if it exists)
- Read: src/Attestor/AGENTS.md (if it exists)
- Read: docs/ARCHITECTURE_OVERVIEW.md
## Delivery Tracker
### T1 - Implement core feature slice and deterministic model updates
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/EnhancedRekorProofBuilder.cs and src/Cli/StellaOps.Cli/Commands/Binary/DeltaSigCommandGroup.cs to cover the core gap: **Explicit size guardrails**: No pre-submission validation rejecting DSSE envelopes exceeding a configurable size limit (70-100KB) before Rekor submission.
- Implement deterministic service/model behavior for: **Hash-only mode fallback**: No automatic fallback to submitting only the payload hash (rather than full envelope) when size exceeds the limit.
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor and keep namespace conventions aligned with the surrounding project structure.
Completion criteria:
- [ ] Core behavior for 'DSSE Envelope Size Management (Guardrails, Chunking, Gateway Awareness)' is implemented behind existing module contracts without breaking current flows.
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
- [ ] Output is reproducible across repeated runs with identical inputs.
### T2 - Wire API/CLI/UI integration and persistence boundaries
Status: TODO
Dependency: T1
Owners: Developer
Task description:
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/EnhancedRekorProofBuilder.cs and related module surfaces.
- Implement: **Payload chunking/splitting**: No mechanism to split large DSSE payloads into smaller chunks with a manifest linking them, or Merkle-based sharding.
- Apply implementation guidance from feature notes: Add size validation step in `EnhancedRekorProofBuilder.Validate` checking against configurable size limit (default 100KB) and Implement hash-only submission mode as automatic fallback for oversized envelopes
Completion criteria:
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
### T3 - Complete verification, docs sync, and rollout guardrails
Status: TODO
Dependency: T2
Owners: Developer
Task description:
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
- Add regression guards for replayability, idempotency, and non-networked test execution.
Completion criteria:
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
- [ ] Execution log entry is added by the implementer when work starts/finishes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
## Decisions & Risks
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 5 referenced source path(s) present and 0 referenced path(s) absent.
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/EnhancedRekorProofBuilder.cs, src/Cli/StellaOps.Cli/Commands/Binary/DeltaSigCommandGroup.cs, src/Cli/StellaOps.Cli/Commands/BundleExportCommand.cs
- Missing-surface probes in src/Attestor/: Explicit:found, DSSE:found, Rekor:found
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
## Next Checkpoints
- Implementation complete with passing tests
- Code review
- Documentation update verification

80
docs/implplan/SPRINT_20260208_008_Attestor_dsse_signed_exception_objects_with_recheck_policy.md
View File

@@ -1,80 +0,0 @@
# Sprint SPRINT_20260208_008_Attestor_dsse_signed_exception_objects_with_recheck_policy <20> DSSE-Signed Exception Objects with Recheck Policy
## Topic & Scope
- Close the remaining delivery gap for 'DSSE-Signed Exception Objects with Recheck Policy' using the existing implementation baseline already present in src/Attestor/.
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
- Working directory: src/Attestor/
- Cross-module touchpoints: None
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
## Dependencies & Concurrency
- Upstream: None
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
- Blocking: None
## Documentation Prerequisites
- Read: docs/modules/attestor/architecture.md (if it exists)
- Read: src/Attestor/AGENTS.md (if it exists)
- Read: docs/ARCHITECTURE_OVERVIEW.md
## Delivery Tracker
### T1 - Implement core feature slice and deterministic model updates
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/BudgetExceptionEntry.cs and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/BudgetExceptionEntry.cs to cover the core gap: **DSSE-signed exception objects**: Exceptions are not individually DSSE-signed as standalone attestation artifacts. They exist as records within larger predicates but are not independently verifiable.
- Implement deterministic service/model behavior for: **Recheck policy enforcement**: No automated recheck scheduling that re-evaluates exceptions at configured intervals (e.g., 30-day review cycle).
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements and keep namespace conventions aligned with the surrounding project structure.
Completion criteria:
- [ ] Core behavior for 'DSSE-Signed Exception Objects with Recheck Policy' is implemented behind existing module contracts without breaking current flows.
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
- [ ] Output is reproducible across repeated runs with identical inputs.
### T2 - Wire API/CLI/UI integration and persistence boundaries
Status: TODO
Dependency: T1
Owners: Developer
Task description:
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/BudgetExceptionEntry.cs and related module surfaces.
- Implement: **Exception expiry enforcement**: No automated enforcement of exception expiry dates with re-approval workflow.
- Apply implementation guidance from feature notes: Create `DsseSignedException` model wrapping exception objects in DSSE envelopes and Implement recheck policy with configurable intervals (Scheduler integration)
Completion criteria:
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
### T3 - Complete verification, docs sync, and rollout guardrails
Status: TODO
Dependency: T2
Owners: Developer
Task description:
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
- Add regression guards for replayability, idempotency, and non-networked test execution.
Completion criteria:
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
- [ ] Execution log entry is added by the implementer when work starts/finishes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
## Decisions & Risks
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/BudgetExceptionEntry.cs
- Missing-surface probes in src/Attestor/: DSSE:found, Exceptions:found, They:found
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
## Next Checkpoints
- Implementation complete with passing tests
- Code review
- Documentation update verification

80
docs/implplan/SPRINT_20260208_009_Attestor_dsse_wrapped_reach_maps.md
View File

@@ -1,80 +0,0 @@
# Sprint SPRINT_20260208_009_Attestor_dsse_wrapped_reach_maps <20> DSSE-Wrapped Reach-Maps
## Topic & Scope
- Close the remaining delivery gap for 'DSSE-Wrapped Reach-Maps' using the existing implementation baseline already present in src/Attestor/.
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
- Working directory: src/Attestor/
- Cross-module touchpoints: None
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
## Dependencies & Concurrency
- Upstream: None
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
- Blocking: None
## Documentation Prerequisites
- Read: docs/modules/attestor/architecture.md (if it exists)
- Read: src/Attestor/AGENTS.md (if it exists)
- Read: docs/ARCHITECTURE_OVERVIEW.md
## Delivery Tracker
### T1 - Implement core feature slice and deterministic model updates
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs to cover the core gap: **Standalone reach-map artifact**: No dedicated reach-map document type that captures the full reachability graph (all functions, edges, and reachability status) as a single DSSE-wrapped artifact.
- Implement deterministic service/model behavior for: **Reach-map predicate type**: No registered predicate type URI (e.g., `https://stellaops.org/attestation/reachmap/v1`) for reach-map attestations.
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements and keep namespace conventions aligned with the surrounding project structure.
Completion criteria:
- [ ] Core behavior for 'DSSE-Wrapped Reach-Maps' is implemented behind existing module contracts without breaking current flows.
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
- [ ] Output is reproducible across repeated runs with identical inputs.
### T2 - Wire API/CLI/UI integration and persistence boundaries
Status: TODO
Dependency: T1
Owners: Developer
Task description:
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs and related module surfaces.
- Implement: **Full graph serialization**: Reachability evidence is captured per-CVE (micro-witness) not as a complete call graph that can be independently verified.
- Apply implementation guidance from feature notes: Define a reach-map predicate type with full call graph serialization and Create a `ReachMapBuilder` that aggregates all micro-witness data into a single reach-map document
Completion criteria:
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
### T3 - Complete verification, docs sync, and rollout guardrails
Status: TODO
Dependency: T2
Owners: Developer
Task description:
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
- Add regression guards for replayability, idempotency, and non-networked test execution.
Completion criteria:
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
- [ ] Execution log entry is added by the implementer when work starts/finishes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
## Decisions & Risks
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs
- Missing-surface probes in src/Attestor/: Standalone:found, DSSE:found, Reach:found
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
## Next Checkpoints
- Implementation complete with passing tests
- Code review
- Documentation update verification

80
docs/implplan/SPRINT_20260208_010_Attestor_evidence_coverage_score_for_ai_gating.md
View File

@@ -1,80 +0,0 @@
# Sprint SPRINT_20260208_010_Attestor_evidence_coverage_score_for_ai_gating <20> Evidence Coverage Score for AI Gating
## Topic & Scope
- Close the remaining delivery gap for 'Evidence Coverage Score for AI Gating' using the existing implementation baseline already present in src/Attestor/.
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
- Working directory: src/Attestor/
- Cross-module touchpoints: None
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
## Dependencies & Concurrency
- Upstream: None
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
- Blocking: None
## Documentation Prerequisites
- Read: docs/modules/attestor/architecture.md (if it exists)
- Read: src/Attestor/AGENTS.md (if it exists)
- Read: docs/ARCHITECTURE_OVERVIEW.md
## Delivery Tracker
### T1 - Implement core feature slice and deterministic model updates
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIAuthorityClassifier.cs and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIAuthorityClassifier.cs to cover the core gap: **Evidence coverage scoring service**: No dedicated service that computes an overall evidence coverage score (0-100%) across all evidence types for a given subject.
- Implement deterministic service/model behavior for: **Coverage badge UX component**: No frontend badge component showing coverage level (e.g., green/yellow/red) based on evidence completeness.
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI and keep namespace conventions aligned with the surrounding project structure.
Completion criteria:
- [ ] Core behavior for 'Evidence Coverage Score for AI Gating' is implemented behind existing module contracts without breaking current flows.
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
- [ ] Output is reproducible across repeated runs with identical inputs.
### T2 - Wire API/CLI/UI integration and persistence boundaries
Status: TODO
Dependency: T1
Owners: Developer
Task description:
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIAuthorityClassifier.cs and related module surfaces.
- Implement: **AI gating policy**: No policy that blocks AI outputs below a configurable coverage threshold from being promoted to verdicts.
- Apply implementation guidance from feature notes: Create `EvidenceCoverageScorer` service computing coverage across all evidence types and Define coverage dimensions (reachability, binary analysis, SBOM completeness, VEX coverage, provenance)
Completion criteria:
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
### T3 - Complete verification, docs sync, and rollout guardrails
Status: TODO
Dependency: T2
Owners: Developer
Task description:
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
- Add regression guards for replayability, idempotency, and non-networked test execution.
Completion criteria:
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
- [ ] Execution log entry is added by the implementer when work starts/finishes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
## Decisions & Risks
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIAuthorityClassifier.cs
- Missing-surface probes in src/Attestor/: Evidence:found, Coverage:found
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
## Next Checkpoints
- Implementation complete with passing tests
- Code review
- Documentation update verification

80
docs/implplan/SPRINT_20260208_011_Attestor_evidence_subgraph_ui_visualization.md
View File

@@ -1,80 +0,0 @@
# Sprint SPRINT_20260208_011_Attestor_evidence_subgraph_ui_visualization <20> Evidence Subgraph UI Visualization
## Topic & Scope
- Close the remaining delivery gap for 'Evidence Subgraph UI Visualization' using the existing implementation baseline already present in src/Attestor/.
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
- Working directory: src/Attestor/
- Cross-module touchpoints: None
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, DSSE/Rekor verification checks, docs update in module dossier
## Dependencies & Concurrency
- Upstream: None
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
- Blocking: None
## Documentation Prerequisites
- Read: docs/modules/attestor/architecture.md (if it exists)
- Read: src/Attestor/AGENTS.md (if it exists)
- Read: docs/ARCHITECTURE_OVERVIEW.md
## Delivery Tracker
### T1 - Implement core feature slice and deterministic model updates
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/InMemoryProofGraphService.cs and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/InMemoryProofGraphService.cs to cover the core gap: **Frontend graph visualization component**: No Angular component rendering the proof graph as an interactive visualization (nodes as circles/rectangles, edges as arrows).
- Implement deterministic service/model behavior for: **Interactive exploration**: No click-to-expand, zoom, pan, or filter functionality for graph navigation in the UI.
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph and keep namespace conventions aligned with the surrounding project structure.
Completion criteria:
- [ ] Core behavior for 'Evidence Subgraph UI Visualization' is implemented behind existing module contracts without breaking current flows.
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
- [ ] Output is reproducible across repeated runs with identical inputs.
### T2 - Wire API/CLI/UI integration and persistence boundaries
Status: TODO
Dependency: T1
Owners: Developer
Task description:
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/InMemoryProofGraphService.cs and related module surfaces.
- Implement: **Subgraph API endpoint**: The WebService controllers do not expose a dedicated endpoint for fetching proof graph subgraphs for a given subject.
- Apply implementation guidance from feature notes: Add a REST endpoint in `ProofChainController` for subgraph queries by subject and Create an Angular component using a graph visualization library (e.g., D3.js or Cytoscape.js)
Completion criteria:
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
### T3 - Complete verification, docs sync, and rollout guardrails
Status: TODO
Dependency: T2
Owners: Developer
Task description:
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
- Add regression guards for replayability, idempotency, and non-networked test execution.
Completion criteria:
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
- [ ] Execution log entry is added by the implementer when work starts/finishes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
## Decisions & Risks
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/InMemoryProofGraphService.cs
- Missing-surface probes in src/Attestor/: Frontend:not-found, Angular:not-found, Interactive:not-found
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
## Next Checkpoints
- Implementation complete with passing tests
- Code review
- Documentation update verification

80
docs/implplan/SPRINT_20260208_012_Attestor_field_level_ownership_map_for_receipts_and_bundles.md
View File

@@ -1,80 +0,0 @@
# Sprint SPRINT_20260208_012_Attestor_field_level_ownership_map_for_receipts_and_bundles <20> Field-Level Ownership Map for Receipts and Bundles
## Topic & Scope
- Close the remaining delivery gap for 'Field-Level Ownership Map for Receipts and Bundles' using the existing implementation baseline already present in src/Attestor/.
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
- Working directory: src/Attestor/
- Cross-module touchpoints: None
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
## Dependencies & Concurrency
- Upstream: None
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
- Blocking: None
## Documentation Prerequisites
- Read: docs/modules/attestor/architecture.md (if it exists)
- Read: src/Attestor/AGENTS.md (if it exists)
- Read: docs/ARCHITECTURE_OVERVIEW.md
## Delivery Tracker
### T1 - Implement core feature slice and deterministic model updates
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Receipts/VerificationReceipt.cs and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Receipts/VerificationReceipt.cs to cover the core gap: **Field-level ownership map document**: No machine-readable or human-readable document mapping each field in receipts/bundles to the responsible module (e.g., "signature" -> Signing module, "inclusion_proof" -> Rekor module).
- Implement deterministic service/model behavior for: **Ownership validation**: No automated check that each field in a receipt/bundle is populated by its designated owner module.
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Receipts and keep namespace conventions aligned with the surrounding project structure.
Completion criteria:
- [ ] Core behavior for 'Field-Level Ownership Map for Receipts and Bundles' is implemented behind existing module contracts without breaking current flows.
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
- [ ] Output is reproducible across repeated runs with identical inputs.
### T2 - Wire API/CLI/UI integration and persistence boundaries
Status: TODO
Dependency: T1
Owners: Developer
Task description:
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Receipts/VerificationReceipt.cs and related module surfaces.
- Implement: **Ownership-aware serialization**: No serialization that tracks which module wrote each field for audit purposes.
- Apply implementation guidance from feature notes: Define a field-level ownership schema mapping fields to module responsibilities and Annotate receipt/bundle models with `[OwnedBy("ModuleName")]` attributes
Completion criteria:
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
### T3 - Complete verification, docs sync, and rollout guardrails
Status: TODO
Dependency: T2
Owners: Developer
Task description:
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
- Add regression guards for replayability, idempotency, and non-networked test execution.
Completion criteria:
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
- [ ] Execution log entry is added by the implementer when work starts/finishes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
## Decisions & Risks
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Receipts/VerificationReceipt.cs
- Missing-surface probes in src/Attestor/: Field:found, Signing:found, Rekor:found
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
## Next Checkpoints
- Implementation complete with passing tests
- Code review
- Documentation update verification

80
docs/implplan/SPRINT_20260208_013_Attestor_idempotent_sbom_attestation_apis.md
View File

@@ -1,80 +0,0 @@
# Sprint SPRINT_20260208_013_Attestor_idempotent_sbom_attestation_apis <20> Idempotent SBOM/Attestation APIs
## Topic & Scope
- Close the remaining delivery gap for 'Idempotent SBOM/Attestation APIs' using the existing implementation baseline already present in src/Attestor/.
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
- Working directory: src/Attestor/
- Cross-module touchpoints: None
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, DSSE/Rekor verification checks, docs update in module dossier
## Dependencies & Concurrency
- Upstream: None
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
- Blocking: None
## Documentation Prerequisites
- Read: docs/modules/attestor/architecture.md (if it exists)
- Read: src/Attestor/AGENTS.md (if it exists)
- Read: docs/ARCHITECTURE_OVERVIEW.md
## Delivery Tracker
### T1 - Implement core feature slice and deterministic model updates
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ to cover the core gap: **Idempotent SBOM ingest endpoint**: No `POST /sbom/ingest` endpoint that accepts an SBOM and returns the same content-addressed ID on duplicate submissions without creating duplicate records.
- Implement deterministic service/model behavior for: **Idempotent attestation verify endpoint**: No `POST /attest/verify` endpoint that caches verification results by content hash for repeat submissions.
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain and keep namespace conventions aligned with the surrounding project structure.
Completion criteria:
- [ ] Core behavior for 'Idempotent SBOM/Attestation APIs' is implemented behind existing module contracts without breaking current flows.
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
- [ ] Output is reproducible across repeated runs with identical inputs.
### T2 - Wire API/CLI/UI integration and persistence boundaries
Status: TODO
Dependency: T1
Owners: Developer
Task description:
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ and related module surfaces.
- Implement: **Idempotency key support**: No HTTP idempotency key header (`Idempotency-Key`) support for POST endpoints.
- Apply implementation guidance from feature notes: Add `POST /sbom/ingest` endpoint with content-hash-based deduplication and Add `POST /attest/verify` endpoint with cached verification results
Completion criteria:
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
### T3 - Complete verification, docs sync, and rollout guardrails
Status: TODO
Dependency: T2
Owners: Developer
Task description:
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
- Add regression guards for replayability, idempotency, and non-networked test execution.
Completion criteria:
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
- [ ] Execution log entry is added by the implementer when work starts/finishes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
## Decisions & Risks
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/
- Missing-surface probes in src/Attestor/: Idempotent:found, SBOM:found, POST:found
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
## Next Checkpoints
- Implementation complete with passing tests
- Code review
- Documentation update verification

80
docs/implplan/SPRINT_20260208_014_Attestor_immutable_evidence_storage_and_regulatory_alignment.md
View File

@@ -1,80 +0,0 @@
# Sprint SPRINT_20260208_014_Attestor_immutable_evidence_storage_and_regulatory_alignment <20> Immutable Evidence Storage and Regulatory Alignment (NIS2/DORA/ISO-27001)
## Topic & Scope
- Close the remaining delivery gap for 'Immutable Evidence Storage and Regulatory Alignment (NIS2/DORA/ISO-27001)' using the existing implementation baseline already present in src/Attestor/.
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
- Working directory: src/Attestor/
- Cross-module touchpoints: None
- Expected evidence: deterministic unit tests, offline integration tests, persistence tests with frozen fixtures, docs update in module dossier
## Dependencies & Concurrency
- Upstream: None
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
- Blocking: None
## Documentation Prerequisites
- Read: docs/modules/attestor/architecture.md (if it exists)
- Read: src/Attestor/AGENTS.md (if it exists)
- Read: docs/ARCHITECTURE_OVERVIEW.md
## Delivery Tracker
### T1 - Implement core feature slice and deterministic model updates
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Repositories/PostgresVerdictLedgerRepository.cs and src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Repositories/PostgresVerdictLedgerRepository.cs to cover the core gap: **NIS2 compliance report template**: No report template mapping evidence artifacts to NIS2 requirements (incident reporting, risk management, supply chain security).
- Implement deterministic service/model behavior for: **DORA compliance report template**: No report template for DORA requirements (ICT risk management, incident classification, third-party risk).
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Repositories and keep namespace conventions aligned with the surrounding project structure.
Completion criteria:
- [ ] Core behavior for 'Immutable Evidence Storage and Regulatory Alignment (NIS2/DORA/ISO-27001)' is implemented behind existing module contracts without breaking current flows.
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
- [ ] Output is reproducible across repeated runs with identical inputs.
### T2 - Wire API/CLI/UI integration and persistence boundaries
Status: TODO
Dependency: T1
Owners: Developer
Task description:
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Repositories/PostgresVerdictLedgerRepository.cs and related module surfaces.
- Implement: **ISO-27001 control mapping**: No mapping of evidence artifacts to ISO-27001 Annex A controls.
- Apply implementation guidance from feature notes: Define regulatory control mappings (NIS2, DORA, ISO-27001) as configuration and Implement report templates that map stored evidence to regulatory controls
Completion criteria:
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
### T3 - Complete verification, docs sync, and rollout guardrails
Status: TODO
Dependency: T2
Owners: Developer
Task description:
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
- Add regression guards for replayability, idempotency, and non-networked test execution.
Completion criteria:
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
- [ ] Execution log entry is added by the implementer when work starts/finishes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
## Decisions & Risks
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Repositories/PostgresVerdictLedgerRepository.cs
- Missing-surface probes in src/Attestor/: NIS2:found, DORA:not-found, Annex:not-found
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
## Next Checkpoints
- Implementation complete with passing tests
- Code review
- Documentation update verification

80
docs/implplan/SPRINT_20260208_015_Attestor_in_toto_link_attestation_capture.md
View File

@@ -1,80 +0,0 @@
# Sprint SPRINT_20260208_015_Attestor_in_toto_link_attestation_capture <20> In-toto Link Attestation Capture
## Topic & Scope
- Close the remaining delivery gap for 'In-toto Link Attestation Capture' using the existing implementation baseline already present in src/Attestor/.
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
- Working directory: src/Attestor/
- Cross-module touchpoints: None
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, schema/contract fixtures, persistence tests with frozen fixtures, DSSE/Rekor verification checks, docs update in module dossier
## Dependencies & Concurrency
- Upstream: None
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
- Blocking: None
## Documentation Prerequisites
- Read: docs/modules/attestor/architecture.md (if it exists)
- Read: src/Attestor/AGENTS.md (if it exists)
- Read: docs/ARCHITECTURE_OVERVIEW.md
## Delivery Tracker
### T1 - Implement core feature slice and deterministic model updates
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Extend existing implementation anchored by src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/InToto/InTotoLink.cs and src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/InToto/InTotoLink.cs to cover the core gap: **`in-toto-run` wrapper**: No CLI wrapper that automatically captures materials before and products after command execution (analogous to `in-toto-run` from the reference implementation).
- Implement deterministic service/model behavior for: **Automatic link capture in CI**: No CI integration that automatically records links for each pipeline step.
- If a new type is required, create it adjacent to existing module code at src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/InToto and keep namespace conventions aligned with the surrounding project structure.
Completion criteria:
- [ ] Core behavior for 'In-toto Link Attestation Capture' is implemented behind existing module contracts without breaking current flows.
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
- [ ] Output is reproducible across repeated runs with identical inputs.
### T2 - Wire API/CLI/UI integration and persistence boundaries
Status: TODO
Dependency: T1
Owners: Developer
Task description:
- Integrate the core slice into existing entry points referenced by src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/InToto/InTotoLink.cs and related module surfaces.
- Implement: **Link storage and retrieval API**: No REST endpoint for storing and querying captured links by step name or functionary.
- Apply implementation guidance from feature notes: Implement an `in-toto-run` CLI command wrapping command execution with automatic material/product capture and Add CI step link capture via webhook or plugin integration
Completion criteria:
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
### T3 - Complete verification, docs sync, and rollout guardrails
Status: TODO
Dependency: T2
Owners: Developer
Task description:
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
- Add regression guards for replayability, idempotency, and non-networked test execution.
Completion criteria:
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
- [ ] Execution log entry is added by the implementer when work starts/finishes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
## Decisions & Risks
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
- Source verification anchored on: src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/InToto/InTotoLink.cs
- Missing-surface probes in src/Attestor/: in-toto-run:not-found, Automatic:found, Link:found
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
## Next Checkpoints
- Implementation complete with passing tests
- Code review
- Documentation update verification

80
docs/implplan/SPRINT_20260208_016_Attestor_monthly_bundle_rotation_and_re_signing.md
View File

@@ -1,80 +0,0 @@
# Sprint SPRINT_20260208_016_Attestor_monthly_bundle_rotation_and_re_signing <20> Monthly Bundle Rotation and Re-Signing
## Topic & Scope
- Close the remaining delivery gap for 'Monthly Bundle Rotation and Re-Signing' using the existing implementation baseline already present in src/Attestor/.
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
- Working directory: src/Attestor/
- Cross-module touchpoints: None
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
## Dependencies & Concurrency
- Upstream: None
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
- Blocking: None
## Documentation Prerequisites
- Read: docs/modules/attestor/architecture.md (if it exists)
- Read: src/Attestor/AGENTS.md (if it exists)
- Read: docs/ARCHITECTURE_OVERVIEW.md
## Delivery Tracker
### T1 - Implement core feature slice and deterministic model updates
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs to cover the core gap: **Monthly rotation scheduler**: No scheduled job that triggers bundle rotation on a monthly cadence.
- Implement deterministic service/model behavior for: **Re-signing workflow**: No workflow that takes existing bundles, verifies them with the old key, and re-signs with a new key.
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing and keep namespace conventions aligned with the surrounding project structure.
Completion criteria:
- [ ] Core behavior for 'Monthly Bundle Rotation and Re-Signing' is implemented behind existing module contracts without breaking current flows.
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
- [ ] Output is reproducible across repeated runs with identical inputs.
### T2 - Wire API/CLI/UI integration and persistence boundaries
Status: TODO
Dependency: T1
Owners: Developer
Task description:
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs and related module surfaces.
- Implement: **Key rotation ceremony**: No key rotation ceremony process (generate new key, sign transition attestation, update trust anchors).
- Apply implementation guidance from feature notes: Create a `BundleRotationJob` scheduled monthly via Scheduler integration and Implement re-signing workflow (verify old -> sign with new -> update references)
Completion criteria:
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
### T3 - Complete verification, docs sync, and rollout guardrails
Status: TODO
Dependency: T2
Owners: Developer
Task description:
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
- Add regression guards for replayability, idempotency, and non-networked test execution.
Completion criteria:
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
- [ ] Execution log entry is added by the implementer when work starts/finishes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
## Decisions & Risks
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs
- Missing-surface probes in src/Attestor/: Monthly:found, Bundle:found, Automated:not-found
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
## Next Checkpoints
- Implementation complete with passing tests
- Code review
- Documentation update verification

80
docs/implplan/SPRINT_20260208_017_Attestor_noise_ledger.md
View File

@@ -1,80 +0,0 @@
# Sprint SPRINT_20260208_017_Attestor_noise_ledger <20> Noise Ledger (Audit Log of Suppressions)
## Topic & Scope
- Close the remaining delivery gap for 'Noise Ledger (Audit Log of Suppressions)' using the existing implementation baseline already present in src/Attestor/.
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
- Working directory: src/Attestor/
- Cross-module touchpoints: None
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
## Dependencies & Concurrency
- Upstream: None
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
- Blocking: None
## Documentation Prerequisites
- Read: docs/modules/attestor/architecture.md (if it exists)
- Read: src/Attestor/AGENTS.md (if it exists)
- Read: docs/ARCHITECTURE_OVERVIEW.md
## Delivery Tracker
### T1 - Implement core feature slice and deterministic model updates
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Audit/AuditHashLogger.cs and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Audit/AuditHashLogger.cs to cover the core gap: **Dedicated Noise Ledger service**: No standalone service aggregating all suppression/noise decisions into a queryable ledger.
- Implement deterministic service/model behavior for: **Noise Ledger UI component**: No frontend page showing a filterable, sortable list of all suppressions with justifications and evidence.
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Audit and keep namespace conventions aligned with the surrounding project structure.
Completion criteria:
- [ ] Core behavior for 'Noise Ledger (Audit Log of Suppressions)' is implemented behind existing module contracts without breaking current flows.
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
- [ ] Output is reproducible across repeated runs with identical inputs.
### T2 - Wire API/CLI/UI integration and persistence boundaries
Status: TODO
Dependency: T1
Owners: Developer
Task description:
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Audit/AuditHashLogger.cs and related module surfaces.
- Implement: **Suppression statistics**: No aggregated statistics (suppressions per severity, per component, per time period).
- Apply implementation guidance from feature notes: Create `NoiseLedgerService` aggregating suppressions from VEX overrides, audit logs, and change traces and Add REST endpoints for querying the noise ledger with filtering/pagination
Completion criteria:
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
### T3 - Complete verification, docs sync, and rollout guardrails
Status: TODO
Dependency: T2
Owners: Developer
Task description:
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
- Add regression guards for replayability, idempotency, and non-networked test execution.
Completion criteria:
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
- [ ] Execution log entry is added by the implementer when work starts/finishes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
## Decisions & Risks
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Audit/AuditHashLogger.cs
- Missing-surface probes in src/Attestor/: Dedicated:not-found, Noise:not-found, Ledger:found
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
## Next Checkpoints
- Implementation complete with passing tests
- Code review
- Documentation update verification

80
docs/implplan/SPRINT_20260208_018_Attestor_postgresql_persistence_layer.md
View File

@@ -1,80 +0,0 @@
# Sprint SPRINT_20260208_018_Attestor_postgresql_persistence_layer <20> PostgreSQL Persistence Layer (Per-Module Schemas, Migrations, RLS)
## Topic & Scope
- Close the remaining delivery gap for 'PostgreSQL Persistence Layer (Per-Module Schemas, Migrations, RLS)' using the existing implementation baseline already present in src/Attestor/.
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
- Working directory: src/Attestor/
- Cross-module touchpoints: None
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, persistence tests with frozen fixtures, DSSE/Rekor verification checks, docs update in module dossier
## Dependencies & Concurrency
- Upstream: None
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
- Blocking: None
## Documentation Prerequisites
- Read: docs/modules/attestor/architecture.md (if it exists)
- Read: src/Attestor/AGENTS.md (if it exists)
- Read: docs/ARCHITECTURE_OVERVIEW.md
## Delivery Tracker
### T1 - Implement core feature slice and deterministic model updates
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.Persistence/ProofChainDbContext.cs and src/Attestor/__Libraries/StellaOps.Attestor.Persistence/ProofChainDbContext.cs to cover the core gap: **Per-module schema isolation**: Not all modules use dedicated PostgreSQL schemas (e.g., `attestor.`, `verdict.`, `watchlist.`). Some share the default schema.
- Implement deterministic service/model behavior for: **Row-Level Security (RLS)**: RLS policies for multi-tenant isolation are not scaffolded. Tenant filtering relies on application-level WHERE clauses.
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.Persistence and keep namespace conventions aligned with the surrounding project structure.
Completion criteria:
- [ ] Core behavior for 'PostgreSQL Persistence Layer (Per-Module Schemas, Migrations, RLS)' is implemented behind existing module contracts without breaking current flows.
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
- [ ] Output is reproducible across repeated runs with identical inputs.
### T2 - Wire API/CLI/UI integration and persistence boundaries
Status: TODO
Dependency: T1
Owners: Developer
Task description:
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.Persistence/ProofChainDbContext.cs and related module surfaces.
- Implement: **Temporal tables for Unknowns**: No temporal table implementation for tracking unknown state over time with system-versioned history.
- Apply implementation guidance from feature notes: Implement per-module schema isolation with schema-qualified table names and Scaffold RLS policies for tenant isolation with PostgreSQL policies
Completion criteria:
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
### T3 - Complete verification, docs sync, and rollout guardrails
Status: TODO
Dependency: T2
Owners: Developer
Task description:
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
- Add regression guards for replayability, idempotency, and non-networked test execution.
Completion criteria:
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
- [ ] Execution log entry is added by the implementer when work starts/finishes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
## Decisions & Risks
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.Persistence/ProofChainDbContext.cs
- Missing-surface probes in src/Attestor/: attestor.:found, verdict.:found, watchlist.:found
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
## Next Checkpoints
- Implementation complete with passing tests
- Code review
- Documentation update verification

80
docs/implplan/SPRINT_20260208_019_Attestor_s3_minio_gcs_object_storage_for_tiles.md
View File

@@ -1,80 +0,0 @@
# Sprint SPRINT_20260208_019_Attestor_s3_minio_gcs_object_storage_for_tiles <20> S3/MinIO/GCS Object Storage for Tiles
## Topic & Scope
- Close the remaining delivery gap for 'S3/MinIO/GCS Object Storage for Tiles' using the existing implementation baseline already present in src/Attestor/.
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
- Working directory: src/Attestor/
- Cross-module touchpoints: None
- Expected evidence: deterministic unit tests, offline integration tests, persistence tests with frozen fixtures, docs update in module dossier
## Dependencies & Concurrency
- Upstream: None
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
- Blocking: None
## Documentation Prerequisites
- Read: docs/modules/attestor/architecture.md (if it exists)
- Read: src/Attestor/AGENTS.md (if it exists)
- Read: docs/ARCHITECTURE_OVERVIEW.md
## Delivery Tracker
### T1 - Implement core feature slice and deterministic model updates
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Extend existing implementation anchored by src/EvidenceLocker/ and src/Attestor to cover the core gap: No S3, MinIO, or GCS client libraries or storage providers found in `src/`
- Implement deterministic service/model behavior for: No object storage abstraction layer or blob storage service exists
- If a new type is required, create it adjacent to existing module code at src and keep namespace conventions aligned with the surrounding project structure.
Completion criteria:
- [ ] Core behavior for 'S3/MinIO/GCS Object Storage for Tiles' is implemented behind existing module contracts without breaking current flows.
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
- [ ] Output is reproducible across repeated runs with identical inputs.
### T2 - Wire API/CLI/UI integration and persistence boundaries
Status: TODO
Dependency: T1
Owners: Developer
Task description:
- Integrate the core slice into existing entry points referenced by src/EvidenceLocker/ and related module surfaces.
- Implement: The Attestor module stores artifacts using local filesystem and PostgreSQL persistence, not object storage
- Apply implementation guidance from feature notes: Use existing module architecture patterns for service composition and dependency injection. and Expose capability through current API/CLI/UI entry points without network-dependent behavior in tests.
Completion criteria:
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
### T3 - Complete verification, docs sync, and rollout guardrails
Status: TODO
Dependency: T2
Owners: Developer
Task description:
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
- Add regression guards for replayability, idempotency, and non-networked test execution.
Completion criteria:
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
- [ ] Execution log entry is added by the implementer when work starts/finishes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
## Decisions & Risks
- Feature file status was 'NOT_FOUND'; verification found 2 referenced source path(s) present and 0 referenced path(s) absent.
- Source verification anchored on: src/EvidenceLocker/, src/Attestor
- Missing-surface probes in src/Attestor/: MinIO:found, Attestor:found, PostgreSQL:found
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
## Next Checkpoints
- Implementation complete with passing tests
- Code review
- Documentation update verification

80
docs/implplan/SPRINT_20260208_020_Attestor_score_replay_and_verification.md
View File

@@ -1,80 +0,0 @@
# Sprint SPRINT_20260208_020_Attestor_score_replay_and_verification <20> Score Replay and Verification
## Topic & Scope
- Close the remaining delivery gap for 'Score Replay and Verification' using the existing implementation baseline already present in src/Attestor/.
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
- Working directory: src/Attestor/
- Cross-module touchpoints: None
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
## Dependencies & Concurrency
- Upstream: None
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
- Blocking: None
## Documentation Prerequisites
- Read: docs/modules/attestor/architecture.md (if it exists)
- Read: src/Attestor/AGENTS.md (if it exists)
- Read: docs/ARCHITECTURE_OVERVIEW.md
## Delivery Tracker
### T1 - Implement core feature slice and deterministic model updates
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/ and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/ to cover the core gap: **`/score/{id}/replay` REST endpoint**: No REST API endpoint for triggering score replay by verdict ID.
- Implement deterministic service/model behavior for: **DSSE-signed replay attestation**: No pipeline producing a DSSE-signed attestation with payload type `application/vnd.stella.score+json` for replayed scores.
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain and keep namespace conventions aligned with the surrounding project structure.
Completion criteria:
- [ ] Core behavior for 'Score Replay and Verification' is implemented behind existing module contracts without breaking current flows.
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
- [ ] Output is reproducible across repeated runs with identical inputs.
### T2 - Wire API/CLI/UI integration and persistence boundaries
Status: TODO
Dependency: T1
Owners: Developer
Task description:
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/ and related module surfaces.
- Implement: **Score comparison service**: No service that compares original and replayed scores, quantifying divergence.
- Apply implementation guidance from feature notes: Add `/score/{id}/replay` endpoint to `VerdictController` or a new `ReplayController` and Implement score replay service that re-executes scoring with captured inputs
Completion criteria:
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
### T3 - Complete verification, docs sync, and rollout guardrails
Status: TODO
Dependency: T2
Owners: Developer
Task description:
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
- Add regression guards for replayability, idempotency, and non-networked test execution.
Completion criteria:
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
- [ ] Execution log entry is added by the implementer when work starts/finishes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
## Decisions & Risks
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/
- Missing-surface probes in src/Attestor/: REST:found, DSSE:found, Score:found
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
## Next Checkpoints
- Implementation complete with passing tests
- Code review
- Documentation update verification

80
docs/implplan/SPRINT_20260208_021_Attestor_snapshot_export_import_for_air_gap.md
View File

@@ -1,80 +0,0 @@
# Sprint SPRINT_20260208_021_Attestor_snapshot_export_import_for_air_gap <20> Snapshot Export/Import for Air-Gap
## Topic & Scope
- Close the remaining delivery gap for 'Snapshot Export/Import for Air-Gap' using the existing implementation baseline already present in src/Attestor/.
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
- Working directory: src/Attestor/
- Cross-module touchpoints: None
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
## Dependencies & Concurrency
- Upstream: None
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
- Blocking: None
## Documentation Prerequisites
- Read: docs/modules/attestor/architecture.md (if it exists)
- Read: src/Attestor/AGENTS.md (if it exists)
- Read: docs/ARCHITECTURE_OVERVIEW.md
## Delivery Tracker
### T1 - Implement core feature slice and deterministic model updates
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.Offline/Services/OfflineVerifier.cs and src/Attestor/__Libraries/StellaOps.Attestor.Offline/Services/OfflineVerifier.cs to cover the core gap: **Level B/C snapshot format**: No formalized snapshot level classification (Level B: evidence + verification material, Level C: full state including policies and trust anchors).
- Implement deterministic service/model behavior for: **Snapshot export CLI command**: No `stella snapshot export` command producing a portable archive.
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.Offline/Services and keep namespace conventions aligned with the surrounding project structure.
Completion criteria:
- [ ] Core behavior for 'Snapshot Export/Import for Air-Gap' is implemented behind existing module contracts without breaking current flows.
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
- [ ] Output is reproducible across repeated runs with identical inputs.
### T2 - Wire API/CLI/UI integration and persistence boundaries
Status: TODO
Dependency: T1
Owners: Developer
Task description:
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.Offline/Services/OfflineVerifier.cs and related module surfaces.
- Implement: **Snapshot import CLI command**: No `stella snapshot import` command ingesting a portable archive on an air-gapped system.
- Apply implementation guidance from feature notes: Define snapshot format specification with Level B/C classification and Implement `stella snapshot export` CLI command producing signed, portable archives
Completion criteria:
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
### T3 - Complete verification, docs sync, and rollout guardrails
Status: TODO
Dependency: T2
Owners: Developer
Task description:
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
- Add regression guards for replayability, idempotency, and non-networked test execution.
Completion criteria:
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
- [ ] Execution log entry is added by the implementer when work starts/finishes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
## Decisions & Risks
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.Offline/Services/OfflineVerifier.cs
- Missing-surface probes in src/Attestor/: Level:found, stella snapshot export:not-found, Snapshot:found
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
## Next Checkpoints
- Implementation complete with passing tests
- Code review
- Documentation update verification

80
docs/implplan/SPRINT_20260208_022_Attestor_unknowns_five_dimensional_triage_scoring.md
View File

@@ -1,80 +0,0 @@
# Sprint SPRINT_20260208_022_Attestor_unknowns_five_dimensional_triage_scoring <20> Unknowns Five-Dimensional Triage Scoring (P/E/U/C/S with Hot/Warm/Cold Bands)
## Topic & Scope
- Close the remaining delivery gap for 'Unknowns Five-Dimensional Triage Scoring (P/E/U/C/S with Hot/Warm/Cold Bands)' using the existing implementation baseline already present in src/Attestor/.
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
- Working directory: src/Attestor/
- Cross-module touchpoints: None
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
## Dependencies & Concurrency
- Upstream: None
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
- Blocking: None
## Documentation Prerequisites
- Read: docs/modules/attestor/architecture.md (if it exists)
- Read: src/Attestor/AGENTS.md (if it exists)
- Read: docs/ARCHITECTURE_OVERVIEW.md
## Delivery Tracker
### T1 - Implement core feature slice and deterministic model updates
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Services/IUnknownsAggregator.cs and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Services/IUnknownsAggregator.cs to cover the core gap: **Five-dimensional scoring formula**: No P (Probability) / E (Exposure) / U (Uncertainty) / C (Consequence) / S (Signal freshness) weighted scoring formula. Current ranking is severity-based only.
- Implement deterministic service/model behavior for: **Hot/Warm/Cold banding**: No classification of unknowns into temperature bands based on their composite score (Hot: requires immediate triage, Warm: scheduled review, Cold: archive).
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Services and keep namespace conventions aligned with the surrounding project structure.
Completion criteria:
- [ ] Core behavior for 'Unknowns Five-Dimensional Triage Scoring (P/E/U/C/S with Hot/Warm/Cold Bands)' is implemented behind existing module contracts without breaking current flows.
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
- [ ] Output is reproducible across repeated runs with identical inputs.
### T2 - Wire API/CLI/UI integration and persistence boundaries
Status: TODO
Dependency: T1
Owners: Developer
Task description:
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Services/IUnknownsAggregator.cs and related module surfaces.
- Implement: **Configurable dimension weights**: No configuration for dimension weights (e.g., P=0.3, E=0.25, U=0.2, C=0.15, S=0.1).
- Apply implementation guidance from feature notes: Define five-dimensional scoring formula with configurable weights per dimension and Implement `UnknownsTriageScorer` computing P/E/U/C/S composite scores
Completion criteria:
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
### T3 - Complete verification, docs sync, and rollout guardrails
Status: TODO
Dependency: T2
Owners: Developer
Task description:
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
- Add regression guards for replayability, idempotency, and non-networked test execution.
Completion criteria:
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
- [ ] Execution log entry is added by the implementer when work starts/finishes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
## Decisions & Risks
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Services/IUnknownsAggregator.cs
- Missing-surface probes in src/Attestor/: Five:not-found, Probability:found, Exposure:found
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
## Next Checkpoints
- Implementation complete with passing tests
- Code review
- Documentation update verification

80
docs/implplan/SPRINT_20260208_023_Attestor_vex_findings_api_with_proof_artifacts.md
View File

@@ -1,80 +0,0 @@
# Sprint SPRINT_20260208_023_Attestor_vex_findings_api_with_proof_artifacts <20> VEX Findings API with Proof Artifacts
## Topic & Scope
- Close the remaining delivery gap for 'VEX Findings API with Proof Artifacts' using the existing implementation baseline already present in src/Attestor/.
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
- Working directory: src/Attestor/
- Cross-module touchpoints: None
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
## Dependencies & Concurrency
- Upstream: None
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
- Blocking: None
## Documentation Prerequisites
- Read: docs/modules/attestor/architecture.md (if it exists)
- Read: src/Attestor/AGENTS.md (if it exists)
- Read: docs/ARCHITECTURE_OVERVIEW.md
## Delivery Tracker
### T1 - Implement core feature slice and deterministic model updates
Status: TODO
Dependency: none
Owners: Developer
Task description:
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexAttestationPredicate.cs and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexAttestationPredicate.cs to cover the core gap: **`GET /vex/findings/:id` endpoint**: No REST endpoint returning VEX findings with attached proof artifacts for a specific finding ID.
- Implement deterministic service/model behavior for: **Proof artifact packaging**: No service that packages proof artifacts (DSSE signatures, Rekor receipts, Merkle proofs) alongside VEX findings in API responses.
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates and keep namespace conventions aligned with the surrounding project structure.
Completion criteria:
- [ ] Core behavior for 'VEX Findings API with Proof Artifacts' is implemented behind existing module contracts without breaking current flows.
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
- [ ] Output is reproducible across repeated runs with identical inputs.
### T2 - Wire API/CLI/UI integration and persistence boundaries
Status: TODO
Dependency: T1
Owners: Developer
Task description:
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexAttestationPredicate.cs and related module surfaces.
- Implement: **Finding-level proof resolution**: No resolver that collects all proof artifacts for a specific finding (CVE + component combination).
- Apply implementation guidance from feature notes: Add `GET /vex/findings/:id` endpoint returning finding details with proof artifacts and Create a proof artifact resolver collecting all proofs for a finding
Completion criteria:
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
### T3 - Complete verification, docs sync, and rollout guardrails
Status: TODO
Dependency: T2
Owners: Developer
Task description:
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
- Add regression guards for replayability, idempotency, and non-networked test execution.
Completion criteria:
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
- [ ] Execution log entry is added by the implementer when work starts/finishes.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
## Decisions & Risks
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexAttestationPredicate.cs
- Missing-surface probes in src/Attestor/: REST:found, Proof:found, DSSE:found
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
## Next Checkpoints
- Implementation complete with passing tests
- Code review
- Documentation update verification

Some files were not shown because too many files have changed in this diff Show More