partly or unimplemented features - now implemented
This commit is contained in:
master
@@ -1,83 +0,0 @@
|
||||
# Sprint SPRINT_20260208_000_DOCS_sprint_index - Sprint Index
|
||||
|
||||
## Topic & Scope
|
||||
- Index of sprint files generated from docs/features/unimplemented/ gap analysis on 2026-02-08.
|
||||
- Working directory: docs/implplan/.
|
||||
- Expected evidence: one sprint per feature with task-ready implementation guidance.
|
||||
|
||||
## Sprint Catalog
|
||||
| Sprint | Feature | Module | Task Count |
|
||||
| --- | --- | --- | --- |
|
||||
| docs/implplan/SPRINT_20260208_001___Libraries_advisory_lens.md | Advisory Lens (Core Library and UI) | __Libraries | 3 |
|
||||
| docs/implplan/SPRINT_20260208_002___Libraries_provcache_signer_aware_invalidation_and_evidence_chunk_paging_wi.md | Provcache: Signer-Aware Invalidation, Evidence Chunk Paging, and Air-Gap Export | __Libraries | 3 |
|
||||
| docs/implplan/SPRINT_20260208_003_AdvisoryAI_ai_codex_zastava_companion.md | AI Codex / Zastava Companion | AdvisoryAI | 3 |
|
||||
| docs/implplan/SPRINT_20260208_004_Attestor_binary_fingerprint_store_and_trust_scoring.md | Binary Fingerprint Store and Trust Scoring | Attestor | 3 |
|
||||
| docs/implplan/SPRINT_20260208_005_Attestor_cas_for_sbom_vex_attestation_artifacts.md | CAS for SBOM/VEX/Attestation Artifacts | Attestor | 3 |
|
||||
| docs/implplan/SPRINT_20260208_006_Attestor_crypto_sovereign_design.md | Crypto-Sovereign Design (eIDAS/FIPS/GOST/SM/PQC) | Attestor | 3 |
|
||||
| docs/implplan/SPRINT_20260208_007_Attestor_dsse_envelope_size_management_and_gateway_traversal.md | DSSE Envelope Size Management (Guardrails, Chunking, Gateway Awareness) | Attestor | 3 |
|
||||
| docs/implplan/SPRINT_20260208_008_Attestor_dsse_signed_exception_objects_with_recheck_policy.md | DSSE-Signed Exception Objects with Recheck Policy | Attestor | 3 |
|
||||
| docs/implplan/SPRINT_20260208_009_Attestor_dsse_wrapped_reach_maps.md | DSSE-Wrapped Reach-Maps | Attestor | 3 |
|
||||
| docs/implplan/SPRINT_20260208_010_Attestor_evidence_coverage_score_for_ai_gating.md | Evidence Coverage Score for AI Gating | Attestor | 3 |
|
||||
| docs/implplan/SPRINT_20260208_011_Attestor_evidence_subgraph_ui_visualization.md | Evidence Subgraph UI Visualization | Attestor | 3 |
|
||||
| docs/implplan/SPRINT_20260208_012_Attestor_field_level_ownership_map_for_receipts_and_bundles.md | Field-Level Ownership Map for Receipts and Bundles | Attestor | 3 |
|
||||
| docs/implplan/SPRINT_20260208_013_Attestor_idempotent_sbom_attestation_apis.md | Idempotent SBOM/Attestation APIs | Attestor | 3 |
|
||||
| docs/implplan/SPRINT_20260208_014_Attestor_immutable_evidence_storage_and_regulatory_alignment.md | Immutable Evidence Storage and Regulatory Alignment (NIS2/DORA/ISO-27001) | Attestor | 3 |
|
||||
| docs/implplan/SPRINT_20260208_015_Attestor_in_toto_link_attestation_capture.md | In-toto Link Attestation Capture | Attestor | 3 |
|
||||
| docs/implplan/SPRINT_20260208_016_Attestor_monthly_bundle_rotation_and_re_signing.md | Monthly Bundle Rotation and Re-Signing | Attestor | 3 |
|
||||
| docs/implplan/SPRINT_20260208_017_Attestor_noise_ledger.md | Noise Ledger (Audit Log of Suppressions) | Attestor | 3 |
|
||||
| docs/implplan/SPRINT_20260208_018_Attestor_postgresql_persistence_layer.md | PostgreSQL Persistence Layer (Per-Module Schemas, Migrations, RLS) | Attestor | 3 |
|
||||
| docs/implplan/SPRINT_20260208_019_Attestor_s3_minio_gcs_object_storage_for_tiles.md | S3/MinIO/GCS Object Storage for Tiles | Attestor | 3 |
|
||||
| docs/implplan/SPRINT_20260208_020_Attestor_score_replay_and_verification.md | Score Replay and Verification | Attestor | 3 |
|
||||
| docs/implplan/SPRINT_20260208_021_Attestor_snapshot_export_import_for_air_gap.md | Snapshot Export/Import for Air-Gap | Attestor | 3 |
|
||||
| docs/implplan/SPRINT_20260208_022_Attestor_unknowns_five_dimensional_triage_scoring.md | Unknowns Five-Dimensional Triage Scoring (P/E/U/C/S with Hot/Warm/Cold Bands) | Attestor | 3 |
|
||||
| docs/implplan/SPRINT_20260208_023_Attestor_vex_findings_api_with_proof_artifacts.md | VEX Findings API with Proof Artifacts | Attestor | 3 |
|
||||
| docs/implplan/SPRINT_20260208_024_Attestor_vex_receipt_sidebar.md | VEX Receipt Sidebar | Attestor | 3 |
|
||||
| docs/implplan/SPRINT_20260208_025_Authority_rfc_3161_tsa_client_for_ci_cd_timestamping.md | RFC-3161 TSA Client for CI/CD Timestamping | Authority | 3 |
|
||||
| docs/implplan/SPRINT_20260208_026_Bench_vendor_comparison_scanner_parity_tracking.md | Vendor comparison / scanner parity tracking | Bench | 3 |
|
||||
| docs/implplan/SPRINT_20260208_027_BinaryIndex_cross_distro_golden_set_for_backport_validation.md | Cross-Distro Golden Set for Backport Validation | BinaryIndex | 3 |
|
||||
| docs/implplan/SPRINT_20260208_028_BinaryIndex_elf_normalization_and_delta_hashing.md | ELF Normalization and Delta Hashing | BinaryIndex | 3 |
|
||||
| docs/implplan/SPRINT_20260208_029_Cli_baseline_selection_logic.md | Baseline Selection Logic (Last Green / Previous Release) | Cli | 3 |
|
||||
| docs/implplan/SPRINT_20260208_030_Cli_cli_parity.md | CLI Parity (stella advise) | Cli | 3 |
|
||||
| docs/implplan/SPRINT_20260208_031_Cli_determinism_hash_signature_verification_in_ui.md | Determinism Hash / Signature Verification in UI | Cli | 3 |
|
||||
| docs/implplan/SPRINT_20260208_032_Cli_oci_referrers_for_evidence_storage.md | OCI Referrers for Evidence Storage (StellaBundle) | Cli | 3 |
|
||||
| docs/implplan/SPRINT_20260208_033_Cli_unknowns_export_artifacts.md | Unknowns Export Artifacts | Cli | 3 |
|
||||
| docs/implplan/SPRINT_20260208_034_Concelier_astra_linux_oval_feed_connector.md | Astra Linux OVAL Feed Connector | Concelier | 3 |
|
||||
| docs/implplan/SPRINT_20260208_035_Concelier_feed_snapshot_coordinator.md | Feed Snapshot Coordinator | Concelier | 3 |
|
||||
| docs/implplan/SPRINT_20260208_036_ExportCenter_cli_ui_surfacing_of_hidden_backend_capabilities.md | CLI/UI Surfacing of Hidden Backend Capabilities | ExportCenter | 3 |
|
||||
| docs/implplan/SPRINT_20260208_037_Gateway_router_back_pressure_middleware.md | Router Back-Pressure Middleware (Dual-Window Rate Limiting + Circuit Breaker) | Gateway | 3 |
|
||||
| docs/implplan/SPRINT_20260208_038_Gateway_stellarouter_performance_testing_pipeline.md | StellaRouter Performance Testing Pipeline (k6 + Prometheus + Correlation IDs) | Gateway | 3 |
|
||||
| docs/implplan/SPRINT_20260208_039_Graph_graph_edge_metadata_with_reason_evidence_provenance.md | Graph Edge Metadata with Reason/Evidence/Provenance | Graph | 3 |
|
||||
| docs/implplan/SPRINT_20260208_040_Integrations_ai_code_guard.md | AI Code Guard (Secrets Scanning + Attribution Check + License Hygiene) | Integrations | 3 |
|
||||
| docs/implplan/SPRINT_20260208_041_Mirror_mirror_creator.md | Mirror Creator | Mirror | 3 |
|
||||
| docs/implplan/SPRINT_20260208_042_Orchestrator_quota_governance_and_circuit_breakers.md | Quota Governance and Circuit Breakers | Orchestrator | 3 |
|
||||
| docs/implplan/SPRINT_20260208_043_Policy_delta_if_present_calculations_for_missing_signals.md | Delta-If-Present Calculations for Missing Signals | Policy | 3 |
|
||||
| docs/implplan/SPRINT_20260208_044_Policy_deterministic_trust_score_algebra.md | Deterministic Trust Score Algebra and Vulnerability Scoring | Policy | 3 |
|
||||
| docs/implplan/SPRINT_20260208_045_Policy_evidence_weighted_score_model.md | Evidence-Weighted Score (EWS) Model (6-Dimension Scoring) | Policy | 3 |
|
||||
| docs/implplan/SPRINT_20260208_046_Policy_impact_scoring_for_unknowns.md | Impact Scoring for Unknowns | Policy | 3 |
|
||||
| docs/implplan/SPRINT_20260208_047_Policy_policy_dsl.md | Policy DSL (stella-dsl@1) | Policy | 3 |
|
||||
| docs/implplan/SPRINT_20260208_048_Policy_policy_interop_framework.md | Policy Interop Framework (JSON Export/Import) | Policy | 3 |
|
||||
| docs/implplan/SPRINT_20260208_049_Policy_proof_studio_ux.md | Proof Studio UX (Explainable Confidence Scoring) | Policy | 3 |
|
||||
| docs/implplan/SPRINT_20260208_050_Policy_unknowns_decay_and_triage_queue.md | Unknowns Decay and Triage Queue | Policy | 3 |
|
||||
| docs/implplan/SPRINT_20260208_051_Policy_versioned_weight_manifests.md | Versioned Weight Manifests | Policy | 3 |
|
||||
| docs/implplan/SPRINT_20260208_052_ReachGraph_8_state_reachability_lattice.md | 8-State Reachability Lattice | ReachGraph | 3 |
|
||||
| docs/implplan/SPRINT_20260208_053_ReachGraph_reachability_core_library_with_unified_query_interface.md | Reachability Core Library with Unified Query Interface | ReachGraph | 3 |
|
||||
| docs/implplan/SPRINT_20260208_054_ReleaseOrchestrator_release_orchestrator_performance_optimizations.md | Release Orchestrator Performance Optimizations (Bulk Digest, Parallel Gates, Prefetch, Connection Pool, Baseline Tracking) | ReleaseOrchestrator | 3 |
|
||||
| docs/implplan/SPRINT_20260208_055_Replay_immutable_advisory_feed_snapshots.md | Immutable Advisory Feed Snapshots | Replay | 3 |
|
||||
| docs/implplan/SPRINT_20260208_056_Replay_point_in_time_vulnerability_query.md | Point-in-Time Vulnerability Query (As-Of Date) | Replay | 3 |
|
||||
| docs/implplan/SPRINT_20260208_057_RiskEngine_exploit_maturity_mapping.md | Exploit Maturity Mapping | RiskEngine | 3 |
|
||||
| docs/implplan/SPRINT_20260208_058_SbomService_sbom_lineage_graph_visualization.md | SBOM Lineage Graph Visualization | SbomService | 3 |
|
||||
| docs/implplan/SPRINT_20260208_059_Scanner_ground_truth_corpus_with_reachability_tiers.md | Ground-Truth Corpus with Reachability Tiers (R0-R4) | Scanner | 3 |
|
||||
| docs/implplan/SPRINT_20260208_060_Scanner_idempotent_attestation_submission.md | Idempotent Attestation Submission | Scanner | 3 |
|
||||
| docs/implplan/SPRINT_20260208_061_Scanner_stack_trace_exploit_path_view.md | Stack-Trace/Exploit Path View | Scanner | 3 |
|
||||
| docs/implplan/SPRINT_20260208_062_Scanner_vex_decision_filter_with_reachability.md | VEX Decision Filter with Reachability | Scanner | 3 |
|
||||
| docs/implplan/SPRINT_20260208_063_Scanner_vulnerability_first_triage_ux_with_exploit_path_grouping.md | Vulnerability-First Triage UX with Exploit Path Grouping and Proof Bundles | Scanner | 3 |
|
||||
| docs/implplan/SPRINT_20260208_064_Telemetry_dora_metrics.md | DORA Metrics | Telemetry | 3 |
|
||||
| docs/implplan/SPRINT_20260208_065_Telemetry_outcome_analytics_attribution.md | Outcome Analytics / Attribution | Telemetry | 3 |
|
||||
| docs/implplan/SPRINT_20260208_066_VexLens_vexlens_truth_table_tests.md | VexLens Truth Table Tests | VexLens | 3 |
|
||||
| docs/implplan/SPRINT_20260208_067_FE_audit_trail_why_am_i_seeing_this.md | Audit Trail "Why am I seeing this?" (Reason Capsule) | FE | 3 |
|
||||
| docs/implplan/SPRINT_20260208_068_FE_pack_registry_browser.md | Pack Registry Browser | FE | 3 |
|
||||
| docs/implplan/SPRINT_20260208_069_FE_pipeline_run_centric_view.md | Pipeline/Run-Centric View | FE | 3 |
|
||||
| docs/implplan/SPRINT_20260208_070_FE_reachability_center_ui_view.md | Reachability Center UI View | FE | 3 |
|
||||
| docs/implplan/SPRINT_20260208_071_FE_sbom_graph_reachability_overlay_with_time_slider.md | SBOM Graph Reachability Overlay with Time Slider | FE | 3 |
|
||||
| docs/implplan/SPRINT_20260208_072_FE_signals_runtime_dashboard.md | Signals & Runtime Dashboard | FE | 3 |
|
||||
| docs/implplan/SPRINT_20260208_073_FE_vex_gate.md | VEX Gate (Inline Gated Action with Evidence Tiers) | FE | 3 |
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_001___Libraries_advisory_lens <20> Advisory Lens (Core Library and UI)
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Advisory Lens (Core Library and UI)' using the existing implementation baseline already present in src/__Libraries/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/__Libraries/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/__Libraries/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/prov-cache/architecture.md (if it exists)
|
||||
- Read: src/__Libraries/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/__Libraries/ and src/Web/ to cover the core gap: No `StellaOps.AdvisoryLens` library found under `src/__Libraries/` or anywhere in `src/`
|
||||
- Implement deterministic service/model behavior for: No dedicated "Lens Panel", "Top 3 Suggestions", inline hint system, or playbook drawer components found in `src/Web/`
|
||||
- If a new type is required, create it adjacent to existing module code at src and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Advisory Lens (Core Library and UI)' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/__Libraries/ and related module surfaces.
|
||||
- Implement: The AdvisoryAI module (`src/AdvisoryAI/`) provides AI-powered explanation generation (evidence-anchored explanations, replay, prompt templates) but does not implement the "Advisory Lens" semantic case-matching copilot concept
|
||||
- Apply implementation guidance from feature notes: Use existing module architecture patterns for service composition and dependency injection. and Expose capability through current API/CLI/UI entry points without network-dependent behavior in tests.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'NOT_FOUND'; verification found 5 referenced source path(s) present and 2 referenced path(s) absent.
|
||||
- Source verification anchored on: src/__Libraries/, src/Web/, src/AdvisoryAI/
|
||||
- Missing-surface probes in src/__Libraries/: StellaOps.AdvisoryLens:not-found, StellaOps:found, AdvisoryLens:not-found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/__Libraries/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_002___Libraries_provcache_signer_aware_invalidation_and_evidence_chunk_paging_wi <20> Provcache: Signer-Aware Invalidation, Evidence Chunk Paging, and Air-Gap Export
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Provcache: Signer-Aware Invalidation, Evidence Chunk Paging, and Air-Gap Export' using the existing implementation baseline already present in src/__Libraries/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/__Libraries/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, schema/contract fixtures, persistence tests with frozen fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/__Libraries/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/prov-cache/architecture.md (if it exists)
|
||||
- Read: src/__Libraries/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/__Libraries/StellaOps.Provcache/ProvcacheService.cs and src/__Libraries/StellaOps.Provcache/InvalidationRequest.cs to cover the core gap: **SignerRevokedEvent handler**: No event handler listening for signer revocation events and invalidating cached provenance records signed by the revoked key. The signer infrastructure and `InvalidationType.SignerSetHash` exist but the messaging bus fan-out is not wired.
|
||||
- Implement deterministic service/model behavior for: **FeedEpochAdvancedEvent handler**: No event handler listening for feed epoch advancement and invalidating stale provenance cache entries referencing the previous epoch's advisory data.
|
||||
- If a new type is required, create it adjacent to existing module code at src/__Libraries/StellaOps.Provcache and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Provcache: Signer-Aware Invalidation, Evidence Chunk Paging, and Air-Gap Export' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/__Libraries/StellaOps.Provcache/ProvcacheService.cs and related module surfaces.
|
||||
- Implement: **Cross-module event bus integration**: The event-driven fan-out requires integration with the broader event bus (likely via the Scheduler or Orchestrator) which is not yet connected.
|
||||
- Apply implementation guidance from feature notes: Integrate messaging bus subscriptions for `SignerRevokedEvent` triggering `InvalidationRequest.BySignerSetHash()` and Integrate messaging bus subscriptions for `FeedEpochAdvancedEvent` triggering `InvalidationRequest.ByFeedEpochOlderThan()`
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 19 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/__Libraries/StellaOps.Provcache/ProvcacheService.cs, src/__Libraries/StellaOps.Provcache/InvalidationRequest.cs, src/__Libraries/StellaOps.Provcache/InvalidationType.cs
|
||||
- Missing-surface probes in src/__Libraries/: InvalidationType.SignerSetHash:found, SignerRevokedEvent:found, InvalidationType:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/__Libraries/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_003_AdvisoryAI_ai_codex_zastava_companion <20> AI Codex / Zastava Companion
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'AI Codex / Zastava Companion' using the existing implementation baseline already present in src/AdvisoryAI/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/AdvisoryAI/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/AdvisoryAI/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/advisory-ai/architecture.md (if it exists)
|
||||
- Read: src/AdvisoryAI/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/AdvisoryAI/ and src/Zastava/StellaOps.Zastava.Observer/ to cover the core gap: The specific "AI Codex" or "Zastava Companion" branding is not found, but substantial AI infrastructure exists:
|
||||
- Implement deterministic service/model behavior for: `src/AdvisoryAI/` provides evidence-anchored explanation generation with `EvidenceAnchoredExplanationGenerator`, `ExplanationPromptTemplates`, replay golden tests, and a web service (`AdvisoryAI.WebService/Program.cs`)
|
||||
- If a new type is required, create it adjacent to existing module code at src and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'AI Codex / Zastava Companion' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/AdvisoryAI/ and related module surfaces.
|
||||
- Implement: `src/Zastava/StellaOps.Zastava.Observer/` exists as a runtime observer module
|
||||
- Apply implementation guidance from feature notes: Use existing module architecture patterns for service composition and dependency injection. and Expose capability through current API/CLI/UI entry points without network-dependent behavior in tests.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'NOT_FOUND'; verification found 5 referenced source path(s) present and 1 referenced path(s) absent.
|
||||
- Source verification anchored on: src/AdvisoryAI/, src/Zastava/StellaOps.Zastava.Observer/, src/AdvisoryAI
|
||||
- Missing-surface probes in src/AdvisoryAI/: Codex:not-found, Zastava:not-found, Companion:not-found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/AdvisoryAI/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_004_Attestor_binary_fingerprint_store_and_trust_scoring <20> Binary Fingerprint Store and Trust Scoring
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Binary Fingerprint Store and Trust Scoring' using the existing implementation baseline already present in src/Attestor/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Attestor/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, schema/contract fixtures, persistence tests with frozen fixtures, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/attestor/architecture.md (if it exists)
|
||||
- Read: src/Attestor/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs to cover the core gap: **Dedicated binary fingerprint database**: No standalone fingerprint store with ELF/PE section-level hashing and content-addressed lookup. Current evidence is generated per-scan, not stored in a queryable fingerprint database.
|
||||
- Implement deterministic service/model behavior for: **Golden set management**: No mechanism to define and maintain a "golden set" of known-good binary fingerprints for comparison.
|
||||
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Binary Fingerprint Store and Trust Scoring' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs and related module surfaces.
|
||||
- Implement: **Section-level hashing**: ELF `.text`/`.rodata` section hashing and PE section-level fingerprinting are not distinctly implemented as reusable fingerprinting primitives.
|
||||
- Apply implementation guidance from feature notes: Create a `BinaryFingerprintStore` service with content-addressed storage for section-level hashes and Implement ELF/PE section extraction and hashing as reusable utilities
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs
|
||||
- Missing-surface probes in src/Attestor/: Dedicated:not-found, Current:found, Golden:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_005_Attestor_cas_for_sbom_vex_attestation_artifacts <20> CAS for SBOM/VEX/Attestation Artifacts
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'CAS for SBOM/VEX/Attestation Artifacts' using the existing implementation baseline already present in src/Attestor/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Attestor/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, persistence tests with frozen fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/attestor/architecture.md (if it exists)
|
||||
- Read: src/Attestor/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ to cover the core gap: **Unified CAS for all artifact types**: No single content-addressed storage service that handles SBOM, VEX, and attestation blobs uniformly. Current CAS is per-domain (tiles, OCI, proof chain IDs).
|
||||
- Implement deterministic service/model behavior for: **MinIO/S3 backend**: No MinIO or S3-compatible object storage backend for CAS. Current storage is either OCI registry or filesystem.
|
||||
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'CAS for SBOM/VEX/Attestation Artifacts' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ and related module surfaces.
|
||||
- Implement: **Deduplication service**: No cross-artifact deduplication by content hash (e.g., same SBOM ingested twice should resolve to one stored blob).
|
||||
- Apply implementation guidance from feature notes: Create a unified `IContentAddressedStore` interface with store/retrieve/exists operations and Implement MinIO/S3 backend and filesystem backend behind the interface
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/
|
||||
- Missing-surface probes in src/Attestor/: Unified:not-found, SBOM:found, Current:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_006_Attestor_crypto_sovereign_design <20> Crypto-Sovereign Design (eIDAS/FIPS/GOST/SM/PQC)
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Crypto-Sovereign Design (eIDAS/FIPS/GOST/SM/PQC)' using the existing implementation baseline already present in src/Attestor/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Attestor/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/attestor/architecture.md (if it exists)
|
||||
- Read: src/Attestor/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/SigningKeyProfile.cs and src/Cryptography/ to cover the core gap: **Post-Quantum Cryptography (PQC)**: No CRYSTALS-Dilithium, SPHINCS+, or other PQC algorithm support. The profile system can model PQC keys but no backend implements them. This is the only major crypto profile gap.
|
||||
- Implement deterministic service/model behavior for: **eIDAS qualified signature validation**: Plugin exists but validation that timestamps meet eIDAS Article 42 qualified timestamp requirements may not be complete.
|
||||
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Crypto-Sovereign Design (eIDAS/FIPS/GOST/SM/PQC)' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/SigningKeyProfile.cs and related module surfaces.
|
||||
- Implement: **Crypto provider integration with Attestor SigningKeyProfile**: The Cryptography plugin system and the Attestor `SigningKeyProfile` are not fully bridged -- Attestor signing uses its own key profiles rather than the Cryptography plugin registry.
|
||||
- Apply implementation guidance from feature notes: Implement PQC plugin (CRYSTALS-Dilithium, SPHINCS+) following the existing CryptoPluginBase pattern and Bridge Cryptography plugin registry with Attestor SigningKeyProfile for unified key management
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 9 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/SigningKeyProfile.cs, src/Cryptography/, src/Cryptography/StellaOps.Cryptography.Plugin.Gost/GostPlugin.cs
|
||||
- Missing-surface probes in src/Attestor/: Post:found, Quantum:found, Cryptography:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_007_Attestor_dsse_envelope_size_management_and_gateway_traversal <20> DSSE Envelope Size Management (Guardrails, Chunking, Gateway Awareness)
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'DSSE Envelope Size Management (Guardrails, Chunking, Gateway Awareness)' using the existing implementation baseline already present in src/Attestor/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Attestor/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, persistence tests with frozen fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/attestor/architecture.md (if it exists)
|
||||
- Read: src/Attestor/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/EnhancedRekorProofBuilder.cs and src/Cli/StellaOps.Cli/Commands/Binary/DeltaSigCommandGroup.cs to cover the core gap: **Explicit size guardrails**: No pre-submission validation rejecting DSSE envelopes exceeding a configurable size limit (70-100KB) before Rekor submission.
|
||||
- Implement deterministic service/model behavior for: **Hash-only mode fallback**: No automatic fallback to submitting only the payload hash (rather than full envelope) when size exceeds the limit.
|
||||
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'DSSE Envelope Size Management (Guardrails, Chunking, Gateway Awareness)' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/EnhancedRekorProofBuilder.cs and related module surfaces.
|
||||
- Implement: **Payload chunking/splitting**: No mechanism to split large DSSE payloads into smaller chunks with a manifest linking them, or Merkle-based sharding.
|
||||
- Apply implementation guidance from feature notes: Add size validation step in `EnhancedRekorProofBuilder.Validate` checking against configurable size limit (default 100KB) and Implement hash-only submission mode as automatic fallback for oversized envelopes
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 5 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/EnhancedRekorProofBuilder.cs, src/Cli/StellaOps.Cli/Commands/Binary/DeltaSigCommandGroup.cs, src/Cli/StellaOps.Cli/Commands/BundleExportCommand.cs
|
||||
- Missing-surface probes in src/Attestor/: Explicit:found, DSSE:found, Rekor:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_008_Attestor_dsse_signed_exception_objects_with_recheck_policy <20> DSSE-Signed Exception Objects with Recheck Policy
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'DSSE-Signed Exception Objects with Recheck Policy' using the existing implementation baseline already present in src/Attestor/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Attestor/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/attestor/architecture.md (if it exists)
|
||||
- Read: src/Attestor/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/BudgetExceptionEntry.cs and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/BudgetExceptionEntry.cs to cover the core gap: **DSSE-signed exception objects**: Exceptions are not individually DSSE-signed as standalone attestation artifacts. They exist as records within larger predicates but are not independently verifiable.
|
||||
- Implement deterministic service/model behavior for: **Recheck policy enforcement**: No automated recheck scheduling that re-evaluates exceptions at configured intervals (e.g., 30-day review cycle).
|
||||
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'DSSE-Signed Exception Objects with Recheck Policy' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/BudgetExceptionEntry.cs and related module surfaces.
|
||||
- Implement: **Exception expiry enforcement**: No automated enforcement of exception expiry dates with re-approval workflow.
|
||||
- Apply implementation guidance from feature notes: Create `DsseSignedException` model wrapping exception objects in DSSE envelopes and Implement recheck policy with configurable intervals (Scheduler integration)
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/BudgetExceptionEntry.cs
|
||||
- Missing-surface probes in src/Attestor/: DSSE:found, Exceptions:found, They:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_009_Attestor_dsse_wrapped_reach_maps <20> DSSE-Wrapped Reach-Maps
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'DSSE-Wrapped Reach-Maps' using the existing implementation baseline already present in src/Attestor/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Attestor/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/attestor/architecture.md (if it exists)
|
||||
- Read: src/Attestor/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs to cover the core gap: **Standalone reach-map artifact**: No dedicated reach-map document type that captures the full reachability graph (all functions, edges, and reachability status) as a single DSSE-wrapped artifact.
|
||||
- Implement deterministic service/model behavior for: **Reach-map predicate type**: No registered predicate type URI (e.g., `https://stellaops.org/attestation/reachmap/v1`) for reach-map attestations.
|
||||
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'DSSE-Wrapped Reach-Maps' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs and related module surfaces.
|
||||
- Implement: **Full graph serialization**: Reachability evidence is captured per-CVE (micro-witness) not as a complete call graph that can be independently verified.
|
||||
- Apply implementation guidance from feature notes: Define a reach-map predicate type with full call graph serialization and Create a `ReachMapBuilder` that aggregates all micro-witness data into a single reach-map document
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs
|
||||
- Missing-surface probes in src/Attestor/: Standalone:found, DSSE:found, Reach:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_010_Attestor_evidence_coverage_score_for_ai_gating <20> Evidence Coverage Score for AI Gating
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Evidence Coverage Score for AI Gating' using the existing implementation baseline already present in src/Attestor/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Attestor/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/attestor/architecture.md (if it exists)
|
||||
- Read: src/Attestor/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIAuthorityClassifier.cs and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIAuthorityClassifier.cs to cover the core gap: **Evidence coverage scoring service**: No dedicated service that computes an overall evidence coverage score (0-100%) across all evidence types for a given subject.
|
||||
- Implement deterministic service/model behavior for: **Coverage badge UX component**: No frontend badge component showing coverage level (e.g., green/yellow/red) based on evidence completeness.
|
||||
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Evidence Coverage Score for AI Gating' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIAuthorityClassifier.cs and related module surfaces.
|
||||
- Implement: **AI gating policy**: No policy that blocks AI outputs below a configurable coverage threshold from being promoted to verdicts.
|
||||
- Apply implementation guidance from feature notes: Create `EvidenceCoverageScorer` service computing coverage across all evidence types and Define coverage dimensions (reachability, binary analysis, SBOM completeness, VEX coverage, provenance)
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIAuthorityClassifier.cs
|
||||
- Missing-surface probes in src/Attestor/: Evidence:found, Coverage:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_011_Attestor_evidence_subgraph_ui_visualization <20> Evidence Subgraph UI Visualization
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Evidence Subgraph UI Visualization' using the existing implementation baseline already present in src/Attestor/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Attestor/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/attestor/architecture.md (if it exists)
|
||||
- Read: src/Attestor/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/InMemoryProofGraphService.cs and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/InMemoryProofGraphService.cs to cover the core gap: **Frontend graph visualization component**: No Angular component rendering the proof graph as an interactive visualization (nodes as circles/rectangles, edges as arrows).
|
||||
- Implement deterministic service/model behavior for: **Interactive exploration**: No click-to-expand, zoom, pan, or filter functionality for graph navigation in the UI.
|
||||
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Evidence Subgraph UI Visualization' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/InMemoryProofGraphService.cs and related module surfaces.
|
||||
- Implement: **Subgraph API endpoint**: The WebService controllers do not expose a dedicated endpoint for fetching proof graph subgraphs for a given subject.
|
||||
- Apply implementation guidance from feature notes: Add a REST endpoint in `ProofChainController` for subgraph queries by subject and Create an Angular component using a graph visualization library (e.g., D3.js or Cytoscape.js)
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/InMemoryProofGraphService.cs
|
||||
- Missing-surface probes in src/Attestor/: Frontend:not-found, Angular:not-found, Interactive:not-found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_012_Attestor_field_level_ownership_map_for_receipts_and_bundles <20> Field-Level Ownership Map for Receipts and Bundles
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Field-Level Ownership Map for Receipts and Bundles' using the existing implementation baseline already present in src/Attestor/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Attestor/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/attestor/architecture.md (if it exists)
|
||||
- Read: src/Attestor/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Receipts/VerificationReceipt.cs and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Receipts/VerificationReceipt.cs to cover the core gap: **Field-level ownership map document**: No machine-readable or human-readable document mapping each field in receipts/bundles to the responsible module (e.g., "signature" -> Signing module, "inclusion_proof" -> Rekor module).
|
||||
- Implement deterministic service/model behavior for: **Ownership validation**: No automated check that each field in a receipt/bundle is populated by its designated owner module.
|
||||
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Receipts and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Field-Level Ownership Map for Receipts and Bundles' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Receipts/VerificationReceipt.cs and related module surfaces.
|
||||
- Implement: **Ownership-aware serialization**: No serialization that tracks which module wrote each field for audit purposes.
|
||||
- Apply implementation guidance from feature notes: Define a field-level ownership schema mapping fields to module responsibilities and Annotate receipt/bundle models with `[OwnedBy("ModuleName")]` attributes
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Receipts/VerificationReceipt.cs
|
||||
- Missing-surface probes in src/Attestor/: Field:found, Signing:found, Rekor:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_013_Attestor_idempotent_sbom_attestation_apis <20> Idempotent SBOM/Attestation APIs
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Idempotent SBOM/Attestation APIs' using the existing implementation baseline already present in src/Attestor/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Attestor/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/attestor/architecture.md (if it exists)
|
||||
- Read: src/Attestor/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ to cover the core gap: **Idempotent SBOM ingest endpoint**: No `POST /sbom/ingest` endpoint that accepts an SBOM and returns the same content-addressed ID on duplicate submissions without creating duplicate records.
|
||||
- Implement deterministic service/model behavior for: **Idempotent attestation verify endpoint**: No `POST /attest/verify` endpoint that caches verification results by content hash for repeat submissions.
|
||||
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Idempotent SBOM/Attestation APIs' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ and related module surfaces.
|
||||
- Implement: **Idempotency key support**: No HTTP idempotency key header (`Idempotency-Key`) support for POST endpoints.
|
||||
- Apply implementation guidance from feature notes: Add `POST /sbom/ingest` endpoint with content-hash-based deduplication and Add `POST /attest/verify` endpoint with cached verification results
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/
|
||||
- Missing-surface probes in src/Attestor/: Idempotent:found, SBOM:found, POST:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_014_Attestor_immutable_evidence_storage_and_regulatory_alignment <20> Immutable Evidence Storage and Regulatory Alignment (NIS2/DORA/ISO-27001)
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Immutable Evidence Storage and Regulatory Alignment (NIS2/DORA/ISO-27001)' using the existing implementation baseline already present in src/Attestor/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Attestor/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, persistence tests with frozen fixtures, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/attestor/architecture.md (if it exists)
|
||||
- Read: src/Attestor/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Repositories/PostgresVerdictLedgerRepository.cs and src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Repositories/PostgresVerdictLedgerRepository.cs to cover the core gap: **NIS2 compliance report template**: No report template mapping evidence artifacts to NIS2 requirements (incident reporting, risk management, supply chain security).
|
||||
- Implement deterministic service/model behavior for: **DORA compliance report template**: No report template for DORA requirements (ICT risk management, incident classification, third-party risk).
|
||||
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Repositories and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Immutable Evidence Storage and Regulatory Alignment (NIS2/DORA/ISO-27001)' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Repositories/PostgresVerdictLedgerRepository.cs and related module surfaces.
|
||||
- Implement: **ISO-27001 control mapping**: No mapping of evidence artifacts to ISO-27001 Annex A controls.
|
||||
- Apply implementation guidance from feature notes: Define regulatory control mappings (NIS2, DORA, ISO-27001) as configuration and Implement report templates that map stored evidence to regulatory controls
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Repositories/PostgresVerdictLedgerRepository.cs
|
||||
- Missing-surface probes in src/Attestor/: NIS2:found, DORA:not-found, Annex:not-found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_015_Attestor_in_toto_link_attestation_capture <20> In-toto Link Attestation Capture
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'In-toto Link Attestation Capture' using the existing implementation baseline already present in src/Attestor/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Attestor/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, schema/contract fixtures, persistence tests with frozen fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/attestor/architecture.md (if it exists)
|
||||
- Read: src/Attestor/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/InToto/InTotoLink.cs and src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/InToto/InTotoLink.cs to cover the core gap: **`in-toto-run` wrapper**: No CLI wrapper that automatically captures materials before and products after command execution (analogous to `in-toto-run` from the reference implementation).
|
||||
- Implement deterministic service/model behavior for: **Automatic link capture in CI**: No CI integration that automatically records links for each pipeline step.
|
||||
- If a new type is required, create it adjacent to existing module code at src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/InToto and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'In-toto Link Attestation Capture' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/InToto/InTotoLink.cs and related module surfaces.
|
||||
- Implement: **Link storage and retrieval API**: No REST endpoint for storing and querying captured links by step name or functionary.
|
||||
- Apply implementation guidance from feature notes: Implement an `in-toto-run` CLI command wrapping command execution with automatic material/product capture and Add CI step link capture via webhook or plugin integration
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/InToto/InTotoLink.cs
|
||||
- Missing-surface probes in src/Attestor/: in-toto-run:not-found, Automatic:found, Link:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_016_Attestor_monthly_bundle_rotation_and_re_signing <20> Monthly Bundle Rotation and Re-Signing
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Monthly Bundle Rotation and Re-Signing' using the existing implementation baseline already present in src/Attestor/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Attestor/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/attestor/architecture.md (if it exists)
|
||||
- Read: src/Attestor/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs to cover the core gap: **Monthly rotation scheduler**: No scheduled job that triggers bundle rotation on a monthly cadence.
|
||||
- Implement deterministic service/model behavior for: **Re-signing workflow**: No workflow that takes existing bundles, verifies them with the old key, and re-signs with a new key.
|
||||
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Monthly Bundle Rotation and Re-Signing' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs and related module surfaces.
|
||||
- Implement: **Key rotation ceremony**: No key rotation ceremony process (generate new key, sign transition attestation, update trust anchors).
|
||||
- Apply implementation guidance from feature notes: Create a `BundleRotationJob` scheduled monthly via Scheduler integration and Implement re-signing workflow (verify old -> sign with new -> update references)
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs
|
||||
- Missing-surface probes in src/Attestor/: Monthly:found, Bundle:found, Automated:not-found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_017_Attestor_noise_ledger <20> Noise Ledger (Audit Log of Suppressions)
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Noise Ledger (Audit Log of Suppressions)' using the existing implementation baseline already present in src/Attestor/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Attestor/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/attestor/architecture.md (if it exists)
|
||||
- Read: src/Attestor/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Audit/AuditHashLogger.cs and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Audit/AuditHashLogger.cs to cover the core gap: **Dedicated Noise Ledger service**: No standalone service aggregating all suppression/noise decisions into a queryable ledger.
|
||||
- Implement deterministic service/model behavior for: **Noise Ledger UI component**: No frontend page showing a filterable, sortable list of all suppressions with justifications and evidence.
|
||||
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Audit and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Noise Ledger (Audit Log of Suppressions)' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Audit/AuditHashLogger.cs and related module surfaces.
|
||||
- Implement: **Suppression statistics**: No aggregated statistics (suppressions per severity, per component, per time period).
|
||||
- Apply implementation guidance from feature notes: Create `NoiseLedgerService` aggregating suppressions from VEX overrides, audit logs, and change traces and Add REST endpoints for querying the noise ledger with filtering/pagination
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Audit/AuditHashLogger.cs
|
||||
- Missing-surface probes in src/Attestor/: Dedicated:not-found, Noise:not-found, Ledger:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_018_Attestor_postgresql_persistence_layer <20> PostgreSQL Persistence Layer (Per-Module Schemas, Migrations, RLS)
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'PostgreSQL Persistence Layer (Per-Module Schemas, Migrations, RLS)' using the existing implementation baseline already present in src/Attestor/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Attestor/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, persistence tests with frozen fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/attestor/architecture.md (if it exists)
|
||||
- Read: src/Attestor/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.Persistence/ProofChainDbContext.cs and src/Attestor/__Libraries/StellaOps.Attestor.Persistence/ProofChainDbContext.cs to cover the core gap: **Per-module schema isolation**: Not all modules use dedicated PostgreSQL schemas (e.g., `attestor.`, `verdict.`, `watchlist.`). Some share the default schema.
|
||||
- Implement deterministic service/model behavior for: **Row-Level Security (RLS)**: RLS policies for multi-tenant isolation are not scaffolded. Tenant filtering relies on application-level WHERE clauses.
|
||||
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.Persistence and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'PostgreSQL Persistence Layer (Per-Module Schemas, Migrations, RLS)' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.Persistence/ProofChainDbContext.cs and related module surfaces.
|
||||
- Implement: **Temporal tables for Unknowns**: No temporal table implementation for tracking unknown state over time with system-versioned history.
|
||||
- Apply implementation guidance from feature notes: Implement per-module schema isolation with schema-qualified table names and Scaffold RLS policies for tenant isolation with PostgreSQL policies
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.Persistence/ProofChainDbContext.cs
|
||||
- Missing-surface probes in src/Attestor/: attestor.:found, verdict.:found, watchlist.:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_019_Attestor_s3_minio_gcs_object_storage_for_tiles <20> S3/MinIO/GCS Object Storage for Tiles
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'S3/MinIO/GCS Object Storage for Tiles' using the existing implementation baseline already present in src/Attestor/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Attestor/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, persistence tests with frozen fixtures, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/attestor/architecture.md (if it exists)
|
||||
- Read: src/Attestor/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/EvidenceLocker/ and src/Attestor to cover the core gap: No S3, MinIO, or GCS client libraries or storage providers found in `src/`
|
||||
- Implement deterministic service/model behavior for: No object storage abstraction layer or blob storage service exists
|
||||
- If a new type is required, create it adjacent to existing module code at src and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'S3/MinIO/GCS Object Storage for Tiles' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/EvidenceLocker/ and related module surfaces.
|
||||
- Implement: The Attestor module stores artifacts using local filesystem and PostgreSQL persistence, not object storage
|
||||
- Apply implementation guidance from feature notes: Use existing module architecture patterns for service composition and dependency injection. and Expose capability through current API/CLI/UI entry points without network-dependent behavior in tests.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'NOT_FOUND'; verification found 2 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/EvidenceLocker/, src/Attestor
|
||||
- Missing-surface probes in src/Attestor/: MinIO:found, Attestor:found, PostgreSQL:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_020_Attestor_score_replay_and_verification <20> Score Replay and Verification
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Score Replay and Verification' using the existing implementation baseline already present in src/Attestor/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Attestor/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/attestor/architecture.md (if it exists)
|
||||
- Read: src/Attestor/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/ and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/ to cover the core gap: **`/score/{id}/replay` REST endpoint**: No REST API endpoint for triggering score replay by verdict ID.
|
||||
- Implement deterministic service/model behavior for: **DSSE-signed replay attestation**: No pipeline producing a DSSE-signed attestation with payload type `application/vnd.stella.score+json` for replayed scores.
|
||||
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Score Replay and Verification' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/ and related module surfaces.
|
||||
- Implement: **Score comparison service**: No service that compares original and replayed scores, quantifying divergence.
|
||||
- Apply implementation guidance from feature notes: Add `/score/{id}/replay` endpoint to `VerdictController` or a new `ReplayController` and Implement score replay service that re-executes scoring with captured inputs
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/
|
||||
- Missing-surface probes in src/Attestor/: REST:found, DSSE:found, Score:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_021_Attestor_snapshot_export_import_for_air_gap <20> Snapshot Export/Import for Air-Gap
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Snapshot Export/Import for Air-Gap' using the existing implementation baseline already present in src/Attestor/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Attestor/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/attestor/architecture.md (if it exists)
|
||||
- Read: src/Attestor/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.Offline/Services/OfflineVerifier.cs and src/Attestor/__Libraries/StellaOps.Attestor.Offline/Services/OfflineVerifier.cs to cover the core gap: **Level B/C snapshot format**: No formalized snapshot level classification (Level B: evidence + verification material, Level C: full state including policies and trust anchors).
|
||||
- Implement deterministic service/model behavior for: **Snapshot export CLI command**: No `stella snapshot export` command producing a portable archive.
|
||||
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.Offline/Services and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Snapshot Export/Import for Air-Gap' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.Offline/Services/OfflineVerifier.cs and related module surfaces.
|
||||
- Implement: **Snapshot import CLI command**: No `stella snapshot import` command ingesting a portable archive on an air-gapped system.
|
||||
- Apply implementation guidance from feature notes: Define snapshot format specification with Level B/C classification and Implement `stella snapshot export` CLI command producing signed, portable archives
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.Offline/Services/OfflineVerifier.cs
|
||||
- Missing-surface probes in src/Attestor/: Level:found, stella snapshot export:not-found, Snapshot:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_022_Attestor_unknowns_five_dimensional_triage_scoring <20> Unknowns Five-Dimensional Triage Scoring (P/E/U/C/S with Hot/Warm/Cold Bands)
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Unknowns Five-Dimensional Triage Scoring (P/E/U/C/S with Hot/Warm/Cold Bands)' using the existing implementation baseline already present in src/Attestor/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Attestor/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/attestor/architecture.md (if it exists)
|
||||
- Read: src/Attestor/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Services/IUnknownsAggregator.cs and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Services/IUnknownsAggregator.cs to cover the core gap: **Five-dimensional scoring formula**: No P (Probability) / E (Exposure) / U (Uncertainty) / C (Consequence) / S (Signal freshness) weighted scoring formula. Current ranking is severity-based only.
|
||||
- Implement deterministic service/model behavior for: **Hot/Warm/Cold banding**: No classification of unknowns into temperature bands based on their composite score (Hot: requires immediate triage, Warm: scheduled review, Cold: archive).
|
||||
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Services and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Unknowns Five-Dimensional Triage Scoring (P/E/U/C/S with Hot/Warm/Cold Bands)' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Services/IUnknownsAggregator.cs and related module surfaces.
|
||||
- Implement: **Configurable dimension weights**: No configuration for dimension weights (e.g., P=0.3, E=0.25, U=0.2, C=0.15, S=0.1).
|
||||
- Apply implementation guidance from feature notes: Define five-dimensional scoring formula with configurable weights per dimension and Implement `UnknownsTriageScorer` computing P/E/U/C/S composite scores
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Services/IUnknownsAggregator.cs
|
||||
- Missing-surface probes in src/Attestor/: Five:not-found, Probability:found, Exposure:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_023_Attestor_vex_findings_api_with_proof_artifacts <20> VEX Findings API with Proof Artifacts
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'VEX Findings API with Proof Artifacts' using the existing implementation baseline already present in src/Attestor/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Attestor/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/attestor/architecture.md (if it exists)
|
||||
- Read: src/Attestor/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexAttestationPredicate.cs and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexAttestationPredicate.cs to cover the core gap: **`GET /vex/findings/:id` endpoint**: No REST endpoint returning VEX findings with attached proof artifacts for a specific finding ID.
|
||||
- Implement deterministic service/model behavior for: **Proof artifact packaging**: No service that packages proof artifacts (DSSE signatures, Rekor receipts, Merkle proofs) alongside VEX findings in API responses.
|
||||
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'VEX Findings API with Proof Artifacts' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexAttestationPredicate.cs and related module surfaces.
|
||||
- Implement: **Finding-level proof resolution**: No resolver that collects all proof artifacts for a specific finding (CVE + component combination).
|
||||
- Apply implementation guidance from feature notes: Add `GET /vex/findings/:id` endpoint returning finding details with proof artifacts and Create a proof artifact resolver collecting all proofs for a finding
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexAttestationPredicate.cs
|
||||
- Missing-surface probes in src/Attestor/: REST:found, Proof:found, DSSE:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_024_Attestor_vex_receipt_sidebar <20> VEX Receipt Sidebar
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'VEX Receipt Sidebar' using the existing implementation baseline already present in src/Attestor/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Attestor/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Attestor/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/attestor/architecture.md (if it exists)
|
||||
- Read: src/Attestor/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/VerdictReceiptPayload.cs and src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/VerdictReceiptPayload.cs to cover the core gap: **VEX receipt sidebar Angular component**: No dedicated sidebar component showing VEX receipt details (decision, justification, evidence, verification status) when a VEX entry is selected.
|
||||
- Implement deterministic service/model behavior for: **Receipt detail API endpoint**: No API endpoint returning receipt details formatted for sidebar rendering.
|
||||
- If a new type is required, create it adjacent to existing module code at src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'VEX Receipt Sidebar' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/VerdictReceiptPayload.cs and related module surfaces.
|
||||
- Implement: **Receipt verification status display**: No UI element showing whether the receipt's DSSE signature and Rekor inclusion have been verified.
|
||||
- Apply implementation guidance from feature notes: Create Angular sidebar component for VEX receipt display and Add API endpoint returning receipt details with verification status
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 1 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/VerdictReceiptPayload.cs
|
||||
- Missing-surface probes in src/Attestor/: Angular:not-found, Receipt:found, DSSE:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Attestor/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_025_Authority_rfc_3161_tsa_client_for_ci_cd_timestamping <20> RFC-3161 TSA Client for CI/CD Timestamping
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'RFC-3161 TSA Client for CI/CD Timestamping' using the existing implementation baseline already present in src/Authority/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Authority/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, persistence tests with frozen fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Authority/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/authority/architecture.md (if it exists)
|
||||
- Read: src/Authority/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Authority/__Libraries/StellaOps.Authority.Timestamping/HttpTsaClient.cs and src/Authority/__Libraries/StellaOps.Authority.Timestamping/Asn1/TimeStampReqEncoder.cs to cover the core gap: **CI/CD pipeline integration hooks**: No dedicated middleware or service that automatically timestamps CI/CD build artifacts (e.g., SBOM, attestation, build log) as part of a pipeline step. The TSA client exists but is not wired into an automated CI/CD timestamping flow.
|
||||
- Implement deterministic service/model behavior for: **Timestamped artifact registry**: No storage for mapping artifact digests to their timestamp tokens, enabling lookup of "when was this artifact timestamped?" across the platform.
|
||||
- If a new type is required, create it adjacent to existing module code at src/Authority/__Libraries/StellaOps.Authority.Timestamping and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'RFC-3161 TSA Client for CI/CD Timestamping' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Authority/__Libraries/StellaOps.Authority.Timestamping/HttpTsaClient.cs and related module surfaces.
|
||||
- Implement: **Pipeline-scoped timestamp policies**: No configuration for per-pipeline or per-environment timestamp requirements (e.g., "production releases require dual-provider timestamps").
|
||||
- Apply implementation guidance from feature notes: Create a `CiCdTimestampingService` that integrates with the Orchestrator/TaskRunner to automatically timestamp build artifacts and Add a timestamp artifact registry in the Evidence Locker for storing and querying artifact-to-timestamp mappings
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 11 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Authority/__Libraries/StellaOps.Authority.Timestamping/HttpTsaClient.cs, src/Authority/__Libraries/StellaOps.Authority.Timestamping/Asn1/TimeStampReqEncoder.cs, src/Authority/__Libraries/StellaOps.Authority.Timestamping/Asn1/TimeStampRespDecoder.cs
|
||||
- Missing-surface probes in src/Authority/: SBOM:found, Timestamped:not-found, Pipeline:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Authority/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_026_Bench_vendor_comparison_scanner_parity_tracking <20> Vendor comparison / scanner parity tracking
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Vendor comparison / scanner parity tracking' using the existing implementation baseline already present in src/Bench/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Bench/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, schema/contract fixtures, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Bench/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/bench/architecture.md (if it exists)
|
||||
- Read: src/Bench/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/ and src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Baseline/BaselineLoader.cs to cover the core gap: **Vendor Comparison Dashboard**: No dedicated UI or API endpoint exists for side-by-side vendor scanner comparison. Current benchmarks evaluate StellaOps scanners against ground truth, but do not compare against third-party vendor scanner outputs.
|
||||
- Implement deterministic service/model behavior for: **Automated Parity Scoring**: No automated system computes a parity score between StellaOps scanner results and vendor scanner results (e.g., Snyk, Grype, Trivy) for the same input images.
|
||||
- If a new type is required, create it adjacent to existing module code at src/Bench/StellaOps.Bench/Scanner.Analyzers and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Vendor comparison / scanner parity tracking' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/ and related module surfaces.
|
||||
- Implement: **Vendor Result Ingestion**: No ingestion pipeline exists to import vendor scanner outputs (SARIF, JSON) as baseline comparisons alongside StellaOps results.
|
||||
- Apply implementation guidance from feature notes: Add a vendor result ingestion pipeline that imports SARIF/JSON from third-party scanners and normalizes findings to a common schema and Extend `BenchmarkScenarioReport` to include vendor comparison columns (StellaOps vs. vendor findings, unique to each, overlap percentage)
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 8 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/, src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Baseline/BaselineLoader.cs, src/Bench/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Baseline/BaselineEntry.cs
|
||||
- Missing-surface probes in src/Bench/: Vendor:found, Comparison:found, Dashboard:not-found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Bench/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_027_BinaryIndex_cross_distro_golden_set_for_backport_validation <20> Cross-Distro Golden Set for Backport Validation
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Cross-Distro Golden Set for Backport Validation' using the existing implementation baseline already present in src/BinaryIndex/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/BinaryIndex/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, schema/contract fixtures, persistence tests with frozen fixtures, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/BinaryIndex/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/binary-index/architecture.md (if it exists)
|
||||
- Read: src/BinaryIndex/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.GoldenSet/ and src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/ to cover the core gap: Curated cross-distro test cases for high-impact CVEs (OpenSSL Heartbleed CVE-2014-0160, sudo Baron Samedit CVE-2021-3156, etc.) may not be fully populated in the golden set database
|
||||
- Implement deterministic service/model behavior for: Cross-distro coverage matrix (Alpine vs Debian vs RHEL backport variations for same CVE) may need population
|
||||
- If a new type is required, create it adjacent to existing module code at src/BinaryIndex/__Libraries and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Cross-Distro Golden Set for Backport Validation' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.GoldenSet/ and related module surfaces.
|
||||
- Implement: Automated golden set population pipeline from NVD for new CVEs
|
||||
- Apply implementation guidance from feature notes: Populate golden set database with curated cross-distro test cases for high-impact CVEs and Validate backport detection accuracy across Alpine, Debian, and RHEL for each curated CVE
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 5 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.GoldenSet/, src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Analysis/, src/BinaryIndex/StellaOps.BinaryIndex.WebService/Controllers/
|
||||
- Missing-surface probes in src/BinaryIndex/: Curated:not-found, CVEs:found, OpenSSL:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/BinaryIndex/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_028_BinaryIndex_elf_normalization_and_delta_hashing <20> ELF Normalization and Delta Hashing
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'ELF Normalization and Delta Hashing' using the existing implementation baseline already present in src/BinaryIndex/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/BinaryIndex/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/BinaryIndex/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/binary-index/architecture.md (if it exists)
|
||||
- Read: src/BinaryIndex/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/ and src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Diff/PatchDiffEngine.cs to cover the core gap: ELF segment-level normalization (relocation zeroing to eliminate position-dependent bytes)
|
||||
- Implement deterministic service/model behavior for: NOP canonicalization (normalizing NOP sled variations across compilers)
|
||||
- If a new type is required, create it adjacent to existing module code at src/BinaryIndex/__Libraries and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'ELF Normalization and Delta Hashing' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/ and related module surfaces.
|
||||
- Implement: Jump table rewriting (normalizing indirect jump table entries)
|
||||
- Apply implementation guidance from feature notes: Add ELF segment normalization pass to `ElfFeatureExtractor` or new `ElfNormalizer` class and Implement relocation zeroing: identify and zero-out position-dependent bytes (GOT/PLT entries, absolute addresses)
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 5 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.DeltaSig/, src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Diff/PatchDiffEngine.cs, src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Core/Services/
|
||||
- Missing-surface probes in src/BinaryIndex/: Jump:found, Segment:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/BinaryIndex/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_029_Cli_baseline_selection_logic <20> Baseline Selection Logic (Last Green / Previous Release)
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Baseline Selection Logic (Last Green / Previous Release)' using the existing implementation baseline already present in src/Cli/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Cli/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, CLI command/help contract updates, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Cli/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/cli/architecture.md (if it exists)
|
||||
- Read: src/Cli/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Cli/StellaOps.Cli/Commands/Compare/CompareCommandBuilder.cs and src/Cli/StellaOps.Cli/Commands/Scan/DeltaScanCommandGroup.cs to cover the core gap: **Automatic "last green" selection**: No command or flag like `--baseline last-green` that automatically selects the most recent scan digest with a passing verdict
|
||||
- Implement deterministic service/model behavior for: **Previous release tag resolution**: No `--baseline previous-release` that resolves the previous release tag from SCM/registry metadata
|
||||
- If a new type is required, create it adjacent to existing module code at src/Cli/StellaOps.Cli/Commands/Compare and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Baseline Selection Logic (Last Green / Previous Release)' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Cli/StellaOps.Cli/Commands/Compare/CompareCommandBuilder.cs and related module surfaces.
|
||||
- Implement: **Baseline suggestion in output**: Compare results do not suggest a recommended baseline when none is specified
|
||||
- Apply implementation guidance from feature notes: Add `--baseline-strategy last-green|previous-release|explicit` option to compare and delta-scan commands and Implement `IBaselineResolver` service with strategies for "last green verdict" (query verdict store for latest pass) and "previous release" (query registry for previous tag)
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 3 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Cli/StellaOps.Cli/Commands/Compare/CompareCommandBuilder.cs, src/Cli/StellaOps.Cli/Commands/Scan/DeltaScanCommandGroup.cs, src/Cli/StellaOps.Cli/Commands/VexGenCommandGroup.cs
|
||||
- Missing-surface probes in src/Cli/: --baseline last-green:not-found, Automatic:found, --baseline previous-release:not-found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Cli/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_030_Cli_cli_parity <20> CLI Parity (stella advise)
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'CLI Parity (stella advise)' using the existing implementation baseline already present in src/Cli/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Cli/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, CLI command/help contract updates, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Cli/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/cli/architecture.md (if it exists)
|
||||
- Read: src/Cli/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Cli/StellaOps.Cli/Commands/Advise/AdviseChatCommandGroup.cs and src/Cli/StellaOps.Cli/Commands/Advise/ChatRenderer.cs to cover the core gap: **Full parity check**: Need to verify all advisory operations available in Web UI are also exposed through CLI
|
||||
- Implement deterministic service/model behavior for: **Batch advisory queries**: No `--batch` or `--file` option for processing multiple queries from a file
|
||||
- If a new type is required, create it adjacent to existing module code at src/Cli/StellaOps.Cli/Commands/Advise and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'CLI Parity (stella advise)' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Cli/StellaOps.Cli/Commands/Advise/AdviseChatCommandGroup.cs and related module surfaces.
|
||||
- Implement: **Advisory export**: No dedicated `stella advise export` for exporting advisory conversation history
|
||||
- Apply implementation guidance from feature notes: Audit Web UI advisory features against CLI surface for parity gaps and Add batch query support via `--file <queries.jsonl>` option
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 3 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Cli/StellaOps.Cli/Commands/Advise/AdviseChatCommandGroup.cs, src/Cli/StellaOps.Cli/Commands/Advise/ChatRenderer.cs, src/Cli/StellaOps.Cli/Services/Chat/
|
||||
- Missing-surface probes in src/Cli/: Full:found, Need:found, --batch:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Cli/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_031_Cli_determinism_hash_signature_verification_in_ui <20> Determinism Hash / Signature Verification in UI
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Determinism Hash / Signature Verification in UI' using the existing implementation baseline already present in src/Cli/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Cli/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, CLI command/help contract updates, API endpoint contract tests, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Cli/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/cli/architecture.md (if it exists)
|
||||
- Read: src/Cli/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Cli/StellaOps.Cli/Commands/BundleVerifyCommand.cs and src/Cli/StellaOps.Cli/Commands/Compare/CompareCommandBuilder.cs to cover the core gap: **Inline verification status in compare view**: The Web UI compare view does not display per-artifact hash verification status alongside diff results
|
||||
- Implement deterministic service/model behavior for: **Signature verification badges in UI**: No visual badge/icon showing DSSE signature verification pass/fail for each evidence artifact in the proof studio
|
||||
- If a new type is required, create it adjacent to existing module code at src/Cli/StellaOps.Cli/Commands and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Determinism Hash / Signature Verification in UI' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Cli/StellaOps.Cli/Commands/BundleVerifyCommand.cs and related module surfaces.
|
||||
- Implement: **Live re-verification**: No "re-verify now" button in UI that triggers determinism hash recomputation against stored evidence
|
||||
- Apply implementation guidance from feature notes: Add verification status column to Web UI compare view showing per-artifact hash match status and Add DSSE signature verification badge component to proof-studio evidence browser
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 4 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Cli/StellaOps.Cli/Commands/BundleVerifyCommand.cs, src/Cli/StellaOps.Cli/Commands/Compare/CompareCommandBuilder.cs, src/Cli/StellaOps.Cli/Commands/VerdictCommandGroup.cs
|
||||
- Missing-surface probes in src/Cli/: Inline:found, Signature:found, DSSE:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Cli/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_032_Cli_oci_referrers_for_evidence_storage <20> OCI Referrers for Evidence Storage (StellaBundle)
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'OCI Referrers for Evidence Storage (StellaBundle)' using the existing implementation baseline already present in src/Cli/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Cli/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, CLI command/help contract updates, API endpoint contract tests, schema/contract fixtures, persistence tests with frozen fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Cli/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/cli/architecture.md (if it exists)
|
||||
- Read: src/Cli/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Cli/StellaOps.Cli/Commands/BundleExportCommand.cs and src/Cli/StellaOps.Cli/Commands/BundleVerifyCommand.cs to cover the core gap: **OCI Referrers API integration**: No direct `oras` or OCI Distribution API client for pushing/pulling evidence as OCI referrers (artifacts are stored as bundles, not native OCI referrers)
|
||||
- Implement deterministic service/model behavior for: **`stella evidence push-referrer`**: No command to push evidence artifacts as OCI referrers to a registry using the OCI Referrers API
|
||||
- If a new type is required, create it adjacent to existing module code at src/Cli/StellaOps.Cli/Commands and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'OCI Referrers for Evidence Storage (StellaBundle)' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Cli/StellaOps.Cli/Commands/BundleExportCommand.cs and related module surfaces.
|
||||
- Implement: **`stella evidence list-referrers`**: No command to list all referrers attached to an OCI artifact digest
|
||||
- Apply implementation guidance from feature notes: Add OCI Distribution client with Referrers API support (v2 manifest list) and Implement `stella evidence push-referrer --image <ref> --artifact-type <type> --file <path>` for pushing evidence as OCI referrers
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 6 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Cli/StellaOps.Cli/Commands/BundleExportCommand.cs, src/Cli/StellaOps.Cli/Commands/BundleVerifyCommand.cs, src/Cli/StellaOps.Cli/Commands/BundleCommandGroup.cs
|
||||
- Missing-surface probes in src/Cli/: oras:found, Referrers:found, Distribution:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Cli/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_033_Cli_unknowns_export_artifacts <20> Unknowns Export Artifacts
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Unknowns Export Artifacts' using the existing implementation baseline already present in src/Cli/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Cli/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, CLI command/help contract updates, API endpoint contract tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Cli/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/cli/architecture.md (if it exists)
|
||||
- Read: src/Cli/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Cli/StellaOps.Cli/Commands/UnknownsCommandGroup.cs and src/Unknowns/ to cover the core gap: **Export schema document**: No standalone JSON Schema or specification document for the unknowns export format
|
||||
- Implement deterministic service/model behavior for: **Deterministic export format**: Export output format not formally specified for reproducible offline comparison
|
||||
- If a new type is required, create it adjacent to existing module code at src/Cli/StellaOps.Cli/Commands and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Unknowns Export Artifacts' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Cli/StellaOps.Cli/Commands/UnknownsCommandGroup.cs and related module surfaces.
|
||||
- Implement: **Export versioning**: No schema version header in exported data for forward compatibility
|
||||
- Apply implementation guidance from feature notes: Define formal JSON Schema for unknowns export format with version field and Add `--schema-version` and `--format` options to `stella unknowns export`
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 3 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Cli/StellaOps.Cli/Commands/UnknownsCommandGroup.cs, src/Unknowns/, src/Policy/__Libraries/StellaOps.Policy.Unknowns/
|
||||
- Missing-surface probes in src/Cli/: Export:found, JSON:found, Schema:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Cli/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_034_Concelier_astra_linux_oval_feed_connector <20> Astra Linux OVAL Feed Connector
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Astra Linux OVAL Feed Connector' using the existing implementation baseline already present in src/Concelier/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Concelier/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Concelier/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/concelier/architecture.md (if it exists)
|
||||
- Read: src/Concelier/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Concelier/__Connectors/StellaOps.Concelier.Connector.Astra/AstraConnectorPlugin.cs and src/Concelier/__Connectors/StellaOps.Concelier.Connector.Astra/AstraConnector.cs to cover the core gap: Full OVAL XML parser for Astra Linux specific advisory format
|
||||
- Implement deterministic service/model behavior for: Version comparison integration with DebianVersionComparer for Astra-specific version strings
|
||||
- If a new type is required, create it adjacent to existing module code at src/Concelier/__Connectors/StellaOps.Concelier.Connector.Astra and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Astra Linux OVAL Feed Connector' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Concelier/__Connectors/StellaOps.Concelier.Connector.Astra/AstraConnectorPlugin.cs and related module surfaces.
|
||||
- Implement: Test coverage with sample Astra Linux OVAL feeds
|
||||
- Apply implementation guidance from feature notes: Complete the OVAL XML parser to handle Astra Linux specific OVAL definitions and Integrate DebianVersionComparer for version range matching
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 3 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Concelier/__Connectors/StellaOps.Concelier.Connector.Astra/AstraConnectorPlugin.cs, src/Concelier/__Connectors/StellaOps.Concelier.Connector.Astra/AstraConnector.cs, src/Concelier/__Connectors/StellaOps.Concelier.Connector.Astra/IMPLEMENTATION_NOTES.md
|
||||
- Missing-surface probes in src/Concelier/: Full:found, OVAL:found, Astra:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Concelier/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_035_Concelier_feed_snapshot_coordinator <20> Feed Snapshot Coordinator
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Feed Snapshot Coordinator' using the existing implementation baseline already present in src/Concelier/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Concelier/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, persistence tests with frozen fixtures, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Concelier/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/concelier/architecture.md (if it exists)
|
||||
- Read: src/Concelier/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/FeedSnapshotRepository.cs and src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Models/FeedSnapshotEntity.cs to cover the core gap: Feed Snapshot Coordinator service that coordinates cross-platform feed pinning
|
||||
- Implement deterministic service/model behavior for: Snapshot version pinning across multiple Concelier instances (for consistency in federated deployments)
|
||||
- If a new type is required, create it adjacent to existing module code at src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Feed Snapshot Coordinator' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/FeedSnapshotRepository.cs and related module surfaces.
|
||||
- Implement: Automatic snapshot rollback on ingestion failure
|
||||
- Apply implementation guidance from feature notes: Create `FeedSnapshotCoordinator` service in `src/Concelier/__Libraries/StellaOps.Concelier.Core/` or `Federation/` and Implement cross-instance snapshot pinning using the `SyncLedgerRepository` for coordination
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 5 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Repositories/FeedSnapshotRepository.cs, src/Concelier/__Libraries/StellaOps.Concelier.Persistence/Postgres/Models/FeedSnapshotEntity.cs, src/Concelier/StellaOps.Concelier.WebService/Extensions/FeedSnapshotEndpointExtensions.cs
|
||||
- Missing-surface probes in src/Concelier/: Feed:found, Snapshot:found, Coordinator:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Concelier/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_036_ExportCenter_cli_ui_surfacing_of_hidden_backend_capabilities <20> CLI/UI Surfacing of Hidden Backend Capabilities
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'CLI/UI Surfacing of Hidden Backend Capabilities' using the existing implementation baseline already present in src/ExportCenter/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/ExportCenter/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/ExportCenter/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/export-center/architecture.md (if it exists)
|
||||
- Read: src/ExportCenter/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Api/ExportApiEndpoints.cs and src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Client/ExportCenterClient.cs to cover the core gap: CLI commands for export operations (risk bundles, OCI distribution, evidence cache management)
|
||||
- Implement deterministic service/model behavior for: Web UI pages/components for triggering and managing exports
|
||||
- If a new type is required, create it adjacent to existing module code at src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Api and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'CLI/UI Surfacing of Hidden Backend Capabilities' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Api/ExportApiEndpoints.cs and related module surfaces.
|
||||
- Implement: User-facing export wizard or dashboard surfacing available export types
|
||||
- Apply implementation guidance from feature notes: Add CLI commands wrapping ExportCenter SDK client operations and Build Web UI components for export management (list exports, trigger new exports, download artifacts)
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 6 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Api/ExportApiEndpoints.cs, src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Client/ExportCenterClient.cs, src/ExportCenter/StellaOps.ExportCenter/StellaOps.ExportCenter.Client/Lifecycle/ExportJobLifecycleHelper.cs
|
||||
- Missing-surface probes in src/ExportCenter/: User:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/ExportCenter/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_037_Gateway_router_back_pressure_middleware <20> Router Back-Pressure Middleware (Dual-Window Rate Limiting + Circuit Breaker)
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Router Back-Pressure Middleware (Dual-Window Rate Limiting + Circuit Breaker)' using the existing implementation baseline already present in src/Gateway/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Gateway/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Gateway/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/gateway/architecture.md (if it exists)
|
||||
- Read: src/Gateway/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Gateway/StellaOps.Gateway.WebService/Middleware/RequestRoutingMiddleware.cs and src/Gateway/StellaOps.Gateway.WebService/Middleware/SenderConstraintMiddleware.cs to cover the core gap: **Gateway integration with Router rate limiting**: The Router module has Valkey-backed rate limiting and circuit breaker, but the Gateway module does not consume these services. The Gateway still uses standard ASP.NET rate limiting.
|
||||
- Implement deterministic service/model behavior for: Dual-window rate limiter with sliding window algorithm in the Gateway
|
||||
- If a new type is required, create it adjacent to existing module code at src/Gateway/StellaOps.Gateway.WebService/Middleware and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Router Back-Pressure Middleware (Dual-Window Rate Limiting + Circuit Breaker)' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Gateway/StellaOps.Gateway.WebService/Middleware/RequestRoutingMiddleware.cs and related module surfaces.
|
||||
- Implement: Ring counter implementation for rate tracking in the Gateway
|
||||
- Apply implementation guidance from feature notes: Evaluate whether standard ASP.NET rate limiting is sufficient for current scale and If needed, implement Redis/Valkey-backed rate limiting for distributed deployment
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 8 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Gateway/StellaOps.Gateway.WebService/Middleware/RequestRoutingMiddleware.cs, src/Gateway/StellaOps.Gateway.WebService/Middleware/SenderConstraintMiddleware.cs, src/Gateway/StellaOps.Gateway.WebService/Configuration/GatewayOptions.cs
|
||||
- Missing-surface probes in src/Gateway/: Gateway:found, Router:found, Valkey:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Gateway/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_038_Gateway_stellarouter_performance_testing_pipeline <20> StellaRouter Performance Testing Pipeline (k6 + Prometheus + Correlation IDs)
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'StellaRouter Performance Testing Pipeline (k6 + Prometheus + Correlation IDs)' using the existing implementation baseline already present in src/Gateway/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Gateway/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Gateway/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/gateway/architecture.md (if it exists)
|
||||
- Read: src/Gateway/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/ and src/Gateway/StellaOps.Gateway.WebService/ to cover the core gap: k6 performance testing scripts (scenarios A-G)
|
||||
- Implement deterministic service/model behavior for: Prometheus metric dashboards for performance curve modeling
|
||||
- If a new type is required, create it adjacent to existing module code at and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'StellaRouter Performance Testing Pipeline (k6 + Prometheus + Correlation IDs)' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/ and related module surfaces.
|
||||
- Implement: These may exist under `devops/` rather than `src/` -- check `devops/` directory
|
||||
- Apply implementation guidance from feature notes: Create k6 test scripts for Gateway performance scenarios and Add Grafana/Prometheus dashboards for Gateway metrics visualization
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 5 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/, src/Gateway/StellaOps.Gateway.WebService/, src/Gateway/StellaOps.Gateway.WebService/Middleware/CorrelationIdMiddleware.cs
|
||||
- Missing-surface probes in src/Gateway/: Prometheus:found, These:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Gateway/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_039_Graph_graph_edge_metadata_with_reason_evidence_provenance <20> Graph Edge Metadata with Reason/Evidence/Provenance
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Graph Edge Metadata with Reason/Evidence/Provenance' using the existing implementation baseline already present in src/Graph/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Graph/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, schema/contract fixtures, persistence tests with frozen fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Graph/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/graph/architecture.md (if it exists)
|
||||
- Read: src/Graph/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Graph and src/Graph/StellaOps.Graph.Api/Services/ to cover the core gap: `EdgeReason`/`EdgeVia`/`ExplanationPayload` types in Graph API -- human-readable explanation layer for why edges exist
|
||||
- Implement deterministic service/model behavior for: Edge provenance metadata linking back to source evidence (SBOM provenance, scan evidence, attestation references)
|
||||
- If a new type is required, create it adjacent to existing module code at src and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Graph Edge Metadata with Reason/Evidence/Provenance' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Graph and related module surfaces.
|
||||
- Implement: Graph API endpoints to query edge-level metadata (reason, evidence, provenance)
|
||||
- Apply implementation guidance from feature notes: Add `EdgeReason`, `EdgeVia`, and `ExplanationPayload` types to `src/Graph/StellaOps.Graph.Api/` and Expose edge metadata through graph query and path APIs
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 10 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Graph, src/Graph/StellaOps.Graph.Api/Services/, src/Graph/StellaOps.Graph.Indexer/Documents/GraphSnapshot.cs
|
||||
- Missing-surface probes in src/Graph/: EdgeReason:not-found, EdgeVia:not-found, ExplanationPayload:not-found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Graph/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_040_Integrations_ai_code_guard <20> AI Code Guard (Secrets Scanning + Attribution Check + License Hygiene)
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'AI Code Guard (Secrets Scanning + Attribution Check + License Hygiene)' using the existing implementation baseline already present in src/Integrations/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Integrations/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Integrations/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/platform/architecture.md (if it exists)
|
||||
- Read: src/Integrations/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Integrations/__Libraries/StellaOps.Integrations.Contracts/AiCodeGuardAnnotationContracts.cs and src/Integrations/__Libraries/StellaOps.Integrations.Services/AiCodeGuard/AiCodeGuardAnnotationService.cs to cover the core gap: `stella guard run` CLI command for standalone execution
|
||||
- Implement deterministic service/model behavior for: YAML-driven pipeline check configuration
|
||||
- If a new type is required, create it adjacent to existing module code at src/Integrations/__Libraries/StellaOps.Integrations.Contracts and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'AI Code Guard (Secrets Scanning + Attribution Check + License Hygiene)' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Integrations/__Libraries/StellaOps.Integrations.Contracts/AiCodeGuardAnnotationContracts.cs and related module surfaces.
|
||||
- Implement: Full secrets scanning engine (currently annotation-only)
|
||||
- Apply implementation guidance from feature notes: Add CLI command wrapping AI Code Guard annotation service and Implement YAML-driven check configuration loader
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 4 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Integrations/__Libraries/StellaOps.Integrations.Contracts/AiCodeGuardAnnotationContracts.cs, src/Integrations/__Libraries/StellaOps.Integrations.Services/AiCodeGuard/AiCodeGuardAnnotationService.cs, src/Integrations/__Libraries/__Tests/StellaOps.Integrations.Services.Tests/AiCodeGuard/AiCodeGuardAnnotationServiceTests.cs
|
||||
- Missing-surface probes in src/Integrations/: stella guard run:not-found, YAML:not-found, Full:not-found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Integrations/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_041_Mirror_mirror_creator <20> Mirror Creator
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Mirror Creator' using the existing implementation baseline already present in src/Mirror/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Mirror/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, persistence tests with frozen fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Mirror/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/mirror/architecture.md (if it exists)
|
||||
- Read: src/Mirror/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Mirror/ and src/AirGap/ to cover the core gap: **Mirror Creator Service**: No core service implementation exists in `src/Mirror/` -- the directory is empty with no C# source files, project files, or service definitions.
|
||||
- Implement deterministic service/model behavior for: **Mirror Configuration**: No configuration models or API endpoints for defining mirror sources, schedules, or target registries.
|
||||
- If a new type is required, create it adjacent to existing module code at src and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Mirror Creator' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Mirror/ and related module surfaces.
|
||||
- Implement: **Mirror Sync Engine**: No synchronization engine for incrementally mirroring container images, SBOMs, VEX documents, or advisory feeds from upstream sources to local storage.
|
||||
- Apply implementation guidance from feature notes: Determine whether the Mirror module should be a standalone service or merged into the existing AirGap module (which already provides substantial mirroring capabilities) and If standalone: implement core mirror service with source configuration, sync engine, progress tracking, and attestation
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 2 referenced source path(s) present and 1 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Mirror/, src/AirGap/
|
||||
- Missing-surface probes in src/Mirror/: Mirror:found, Creator:found, Service:not-found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Mirror/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_042_Orchestrator_quota_governance_and_circuit_breakers <20> Quota Governance and Circuit Breakers
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Quota Governance and Circuit Breakers' using the existing implementation baseline already present in src/Orchestrator/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Orchestrator/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, persistence tests with frozen fixtures, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Orchestrator/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/orchestrator/architecture.md (if it exists)
|
||||
- Read: src/Orchestrator/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Quota.cs and src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/QuotaEndpoints.cs to cover the core gap: **Dedicated quota governance service**: No standalone `QuotaGovernanceService` enforcing cross-tenant quota allocation, burst capacity, and fair scheduling across tenants
|
||||
- Implement deterministic service/model behavior for: **Circuit breaker automation**: No automated circuit breaker that opens when a downstream service (e.g., scanner, attestor) fails repeatedly, preventing cascade failures across orchestrator jobs
|
||||
- If a new type is required, create it adjacent to existing module code at src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Quota Governance and Circuit Breakers' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Quota.cs and related module surfaces.
|
||||
- Implement: **Quota allocation policies**: No configurable policies for quota allocation (e.g., proportional allocation, priority-based allocation, reserved capacity)
|
||||
- Apply implementation guidance from feature notes: Create `QuotaGovernanceService` enforcing cross-tenant allocation policies and Implement circuit breaker pattern for downstream services (scanner, attestor, policy engine)
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 10 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Domain/Quota.cs, src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Endpoints/QuotaEndpoints.cs, src/Orchestrator/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Contracts/QuotaContracts.cs
|
||||
- Missing-surface probes in src/Orchestrator/: QuotaGovernanceService:not-found, Dedicated:not-found, Circuit:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Orchestrator/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_043_Policy_delta_if_present_calculations_for_missing_signals <20> Delta-If-Present Calculations for Missing Signals
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Delta-If-Present Calculations for Missing Signals' using the existing implementation baseline already present in src/Policy/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Policy/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Policy/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/policy/architecture.md (if it exists)
|
||||
- Read: src/Policy/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/SignalGap.cs and src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/UncertaintyScoreCalculator.cs to cover the core gap: The specific "delta-if-present" calculation (TSF-004) for showing hypothetical score changes is not implemented as a standalone feature
|
||||
- Implement deterministic service/model behavior for: However, related infrastructure exists in the Policy Determinization module:
|
||||
- If a new type is required, create it adjacent to existing module code at src/Policy/__Libraries/StellaOps.Policy.Determinization/Models and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Delta-If-Present Calculations for Missing Signals' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/SignalGap.cs and related module surfaces.
|
||||
- Implement: `src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/SignalGap.cs` -- models for missing/gap signals
|
||||
- Apply implementation guidance from feature notes: Use existing module architecture patterns for service composition and dependency injection. and Expose capability through current API/CLI/UI entry points without network-dependent behavior in tests.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'NOT_FOUND'; verification found 9 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/SignalGap.cs, src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/UncertaintyScoreCalculator.cs, src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/PriorDistribution.cs
|
||||
- Missing-surface probes in src/Policy/: However:not-found, Policy:found, Determinization:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Policy/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_044_Policy_deterministic_trust_score_algebra <20> Deterministic Trust Score Algebra and Vulnerability Scoring
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Deterministic Trust Score Algebra and Vulnerability Scoring' using the existing implementation baseline already present in src/Policy/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Policy/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, schema/contract fixtures, persistence tests with frozen fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Policy/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/policy/architecture.md (if it exists)
|
||||
- Read: src/Policy/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/TrustScoreAggregator.cs and src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/UncertaintyScoreCalculator.cs to cover the core gap: **Unified facade API**: No single `ComputeTrustScore(artifact)` entry point composing TrustScoreAggregator + K4Lattice + ScorePolicy + TrustVerdictService into one deterministic pipeline (the "B+C+D composition" described in advisories)
|
||||
- Implement deterministic service/model behavior for: **Score.v1 predicate format**: No standalone Score.v1 schema combining all scoring dimensions into a single DSSE-signable attestation format
|
||||
- If a new type is required, create it adjacent to existing module code at src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Deterministic Trust Score Algebra and Vulnerability Scoring' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/TrustScoreAggregator.cs and related module surfaces.
|
||||
- Implement: **Basis-point fixed-point arithmetic**: Scoring uses floating-point doubles in some paths, not fixed-point basis-point representation for guaranteed bit-exact determinism across all dimensions
|
||||
- Apply implementation guidance from feature notes: Create `TrustScoreAlgebraFacade` composing TrustScoreAggregator + K4Lattice + ScorePolicy into a single deterministic pipeline and Define Score.v1 predicate schema with basis-point fixed-point representation
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 12 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/TrustScoreAggregator.cs, src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/UncertaintyScoreCalculator.cs, src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/SignalWeights.cs
|
||||
- Missing-surface probes in src/Policy/: ComputeTrustScore(artifact):not-found, Unified:found, ComputeTrustScore:not-found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Policy/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_045_Policy_evidence_weighted_score_model <20> Evidence-Weighted Score (EWS) Model (6-Dimension Scoring)
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Evidence-Weighted Score (EWS) Model (6-Dimension Scoring)' using the existing implementation baseline already present in src/Policy/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Policy/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Policy/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/policy/architecture.md (if it exists)
|
||||
- Read: src/Policy/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/SignalWeights.cs and src/Policy/__Libraries/StellaOps.Policy/Scoring/ScoringRulesSnapshot.cs to cover the core gap: **Unified 6-dimension RCH/RTS/BKP/XPL/SRC/MIT model**: The weight manifest defines both "legacy" (6D) and "advisory" (5D) weight sets, but there is no single unified normalizer that maps all signal inputs to the canonical 6-dimension space
|
||||
- Implement deterministic service/model behavior for: **Dimension normalizers**: Individual signal-to-dimension normalization functions (e.g., raw EPSS probability -> XPL dimension score 0-100) are not formalized as pluggable normalizer interfaces
|
||||
- If a new type is required, create it adjacent to existing module code at src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Evidence-Weighted Score (EWS) Model (6-Dimension Scoring)' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/SignalWeights.cs and related module surfaces.
|
||||
- Implement: **Guardrails engine enforcement**: Weight manifest defines guardrails (notAffectedCap, runtimeFloor, speculativeCap) but the runtime engine that enforces these caps/floors during scoring is not confirmed as a standalone service
|
||||
- Apply implementation guidance from feature notes: Create `EwsDimensionNormalizer` interface with implementations for each of the 6 dimensions and Build `GuardrailsEngine` that applies caps/floors from the weight manifest after scoring
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 11 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/SignalWeights.cs, src/Policy/__Libraries/StellaOps.Policy/Scoring/ScoringRulesSnapshot.cs, src/Policy/__Libraries/StellaOps.Policy/Scoring/ScoringProfile.cs
|
||||
- Missing-surface probes in src/Policy/: Unified:found, Dimension:found, Individual:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Policy/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_046_Policy_impact_scoring_for_unknowns <20> Impact Scoring for Unknowns
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Impact Scoring for Unknowns' using the existing implementation baseline already present in src/Policy/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Policy/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Policy/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/policy/architecture.md (if it exists)
|
||||
- Read: src/Policy/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/UncertaintyScoreCalculator.cs and src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/SignalWeights.cs to cover the core gap: **Multi-factor impact formula**: The advisory-specified formula `w_env * EnvExposure + w_data * DataSensitivity + w_fleet * FleetPrevalence + w_sla * SLATier + w_cvss * CVSSSeverity` is not implemented as a dedicated calculator
|
||||
- Implement deterministic service/model behavior for: **Environment exposure scoring**: No service that maps environment type (production/staging/dev) to a normalized exposure score (0.0-1.0)
|
||||
- If a new type is required, create it adjacent to existing module code at src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Impact Scoring for Unknowns' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/UncertaintyScoreCalculator.cs and related module surfaces.
|
||||
- Implement: **Data sensitivity classification**: No integration with data sensitivity labels (PII, financial, healthcare) for impact scoring
|
||||
- Apply implementation guidance from feature notes: Create `ImpactScoreCalculator` with pluggable factor providers (EnvironmentExposure, DataSensitivity, FleetPrevalence, SLATier, CVSSSeverity) and Integrate with existing `UncertaintyScoreCalculator` to combine entropy-based uncertainty with multi-factor impact
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 5 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/UncertaintyScoreCalculator.cs, src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/SignalWeights.cs, src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/TrustScoreAggregator.cs
|
||||
- Missing-surface probes in src/Policy/: w_env * EnvExposure + w_data * DataSensitivity + w_fleet * FleetPrevalence + w_sla * SLATier + w_cvss * CVSSSeverity:not-found, Multi:found, EnvExposure:not-found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Policy/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_047_Policy_policy_dsl <20> Policy DSL (stella-dsl@1)
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Policy DSL (stella-dsl@1)' using the existing implementation baseline already present in src/Policy/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Policy/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Policy/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/policy/architecture.md (if it exists)
|
||||
- Read: src/Policy/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Policy/StellaOps.PolicyDsl/DslTokenizer.cs and src/Policy/StellaOps.PolicyDsl/PolicyParser.cs to cover the core gap: **CLI commands**: No `stella policy lint`, `stella policy compile`, or `stella policy simulate` CLI commands wrapping the DSL library
|
||||
- Implement deterministic service/model behavior for: **`.stella` file format specification**: No formal grammar specification or documentation of the DSL syntax
|
||||
- If a new type is required, create it adjacent to existing module code at src/Policy/StellaOps.PolicyDsl and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Policy DSL (stella-dsl@1)' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Policy/StellaOps.PolicyDsl/DslTokenizer.cs and related module surfaces.
|
||||
- Implement: **Policy simulation with DSL**: The `PolicySimulationEngine` in the policy engine does not integrate with DSL-compiled policies
|
||||
- Apply implementation guidance from feature notes: Add CLI commands (`stella policy lint/compile/simulate`) that wrap the PolicyDsl library and Create DSL grammar specification document
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 13 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Policy/StellaOps.PolicyDsl/DslTokenizer.cs, src/Policy/StellaOps.PolicyDsl/PolicyParser.cs, src/Policy/StellaOps.PolicyDsl/PolicyCompiler.cs
|
||||
- Missing-surface probes in src/Policy/: stella policy lint:not-found, stella policy compile:not-found, stella policy simulate:not-found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Policy/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_048_Policy_policy_interop_framework <20> Policy Interop Framework (JSON Export/Import)
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Policy Interop Framework (JSON Export/Import)' using the existing implementation baseline already present in src/Policy/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Policy/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, schema/contract fixtures, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Policy/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/policy/architecture.md (if it exists)
|
||||
- Read: src/Policy/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Policy/__Libraries/StellaOps.Policy.Interop/Export/JsonPolicyExporter.cs and src/Policy/__Libraries/StellaOps.Policy.Interop/Import/JsonPolicyImporter.cs to cover the core gap: **YAML import/export**: Only JSON and Rego formats are supported; no YAML PolicyPack format
|
||||
- Implement deterministic service/model behavior for: **Policy diff/merge**: No tool to diff two PolicyPackDocuments and produce a delta or merge two packs
|
||||
- If a new type is required, create it adjacent to existing module code at src/Policy/__Libraries/StellaOps.Policy.Interop/Export and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Policy Interop Framework (JSON Export/Import)' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Policy/__Libraries/StellaOps.Policy.Interop/Export/JsonPolicyExporter.cs and related module surfaces.
|
||||
- Implement: **CLI integration**: No `stella policy export --format rego` or `stella policy import` CLI commands wrapping the interop library
|
||||
- Apply implementation guidance from feature notes: Add CLI commands wrapping export/import operations and Build round-trip test suite (JSON -> Rego -> JSON identity check)
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 13 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Policy/__Libraries/StellaOps.Policy.Interop/Export/JsonPolicyExporter.cs, src/Policy/__Libraries/StellaOps.Policy.Interop/Import/JsonPolicyImporter.cs, src/Policy/__Libraries/StellaOps.Policy.Interop/Rego/RegoCodeGenerator.cs
|
||||
- Missing-surface probes in src/Policy/: YAML:found, Only:found, JSON:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Policy/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_049_Policy_proof_studio_ux <20> Proof Studio UX (Explainable Confidence Scoring)
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Proof Studio UX (Explainable Confidence Scoring)' using the existing implementation baseline already present in src/Policy/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Policy/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Policy/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/policy/architecture.md (if it exists)
|
||||
- Read: src/Policy/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Policy/__Libraries/StellaOps.Policy.Explainability/VerdictRationaleRenderer.cs and src/Policy/__Libraries/StellaOps.Policy.Explainability/VerdictRationale.cs to cover the core gap: **Proof graph visualization**: No visual representation of the full evidence graph (ProofGraphNode/Edge/Path) in the UI -- the proof-studio has confidence breakdown but not the graph
|
||||
- Implement deterministic service/model behavior for: **Interactive counterfactual explorer**: CounterfactualEngine exists in backend and `what-if-slider` component exists in proof-studio, but the full interactive "toggle what-if scenarios" UX may not be fully wired to the backend
|
||||
- If a new type is required, create it adjacent to existing module code at src/Policy/__Libraries/StellaOps.Policy.Explainability and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Proof Studio UX (Explainable Confidence Scoring)' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Policy/__Libraries/StellaOps.Policy.Explainability/VerdictRationaleRenderer.cs and related module surfaces.
|
||||
- Implement: **Score breakdown dashboard**: ScoreExplanation data exists but no dashboard visualizing per-factor contributions with charts
|
||||
- Apply implementation guidance from feature notes: Wire what-if-slider to CounterfactualEngine backend API and Add proof graph visualization using D3.js or similar for evidence graph rendering
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 15 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Policy/__Libraries/StellaOps.Policy.Explainability/VerdictRationaleRenderer.cs, src/Policy/__Libraries/StellaOps.Policy.Explainability/VerdictRationale.cs, src/Policy/__Libraries/StellaOps.Policy.Explainability/IVerdictRationaleRenderer.cs
|
||||
- Missing-surface probes in src/Policy/: Proof:found, ProofGraphNode:not-found, Edge:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Policy/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_050_Policy_unknowns_decay_and_triage_queue <20> Unknowns Decay and Triage Queue
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Unknowns Decay and Triage Queue' using the existing implementation baseline already present in src/Policy/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Policy/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, schema/contract fixtures, persistence tests with frozen fixtures, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Policy/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/policy/architecture.md (if it exists)
|
||||
- Read: src/Policy/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/DecayedConfidenceCalculator.cs and src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/ObservationDecay.cs to cover the core gap: **Time-based decay triage queue**: No service that automatically re-queues unknowns for triage when their confidence decays below the staleness threshold
|
||||
- Implement deterministic service/model behavior for: **Triage queue UI**: No frontend triage interface showing unknowns sorted by decay urgency
|
||||
- If a new type is required, create it adjacent to existing module code at src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Unknowns Decay and Triage Queue' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/DecayedConfidenceCalculator.cs and related module surfaces.
|
||||
- Implement: **Automated re-analysis triggering**: ObservationDecay tracks staleness but no event-driven mechanism triggers re-analysis when an unknown becomes stale
|
||||
- Apply implementation guidance from feature notes: Create `UnknownTriageQueueService` that periodically evaluates ObservationDecay.CheckIsStale() and queues stale unknowns for re-analysis and Add event-driven triggers (e.g., background job or message queue) when confidence drops below threshold
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 3 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/DecayedConfidenceCalculator.cs, src/Policy/__Libraries/StellaOps.Policy.Determinization/Models/ObservationDecay.cs, src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/UncertaintyScoreCalculator.cs
|
||||
- Missing-surface probes in src/Policy/: Time:found, Triage:found, Automated:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Policy/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_051_Policy_versioned_weight_manifests <20> Versioned Weight Manifests
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Versioned Weight Manifests' using the existing implementation baseline already present in src/Policy/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Policy/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Policy/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/policy/architecture.md (if it exists)
|
||||
- Read: src/Policy/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/SignalWeights.cs and src/Policy/__Libraries/StellaOps.Policy/Scoring/ScoringRulesSnapshot.cs to cover the core gap: **CLI management commands**: No `stella weights list`, `stella weights validate`, `stella weights diff`, or `stella weights activate` CLI commands wrapping the existing loader/versioner
|
||||
- Implement deterministic service/model behavior for: **Content hash auto-compute at build**: Manifest has `"contentHash": "sha256:auto"` placeholder -- no build step replaces it with actual computed hash
|
||||
- If a new type is required, create it adjacent to existing module code at src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Versioned Weight Manifests' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/SignalWeights.cs and related module surfaces.
|
||||
- Implement: **Unified binding**: FileBasedWeightManifestLoader is in Signals, ScoringManifestVersioner is in DeltaVerdict; no unified service in the Policy module that binds manifest loading, versioning, signing, and runtime configuration together
|
||||
- Apply implementation guidance from feature notes: Create `WeightManifestLoader` service that discovers manifests in `etc/weights/`, validates schema, computes/verifies content hash, and selects by `effectiveFrom` date and Add build step to compute content hash and replace `sha256:auto` placeholder
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 8 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Policy/__Libraries/StellaOps.Policy.Determinization/Scoring/SignalWeights.cs, src/Policy/__Libraries/StellaOps.Policy/Scoring/ScoringRulesSnapshot.cs, src/Policy/__Libraries/StellaOps.Policy/Scoring/ScorePolicyLoader.cs
|
||||
- Missing-surface probes in src/Policy/: stella weights list:not-found, stella weights validate:not-found, stella weights diff:not-found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Policy/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_052_ReachGraph_8_state_reachability_lattice <20> 8-State Reachability Lattice
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for '8-State Reachability Lattice' using the existing implementation baseline already present in src/ReachGraph/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/ReachGraph/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, persistence tests with frozen fixtures, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/ReachGraph/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/reach-graph/architecture.md (if it exists)
|
||||
- Read: src/ReachGraph/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/__Libraries/StellaOps.Reachability.Core/LatticeState.cs and src/__Libraries/StellaOps.Reachability.Core/ReachabilityLattice.cs to cover the core gap: The lattice state machine is implemented as a library but not fully integrated as a distinct subsystem with its own API surface for triage workflows
|
||||
- Implement deterministic service/model behavior for: Triage-specific UI for lattice state visualization and manual state overrides
|
||||
- If a new type is required, create it adjacent to existing module code at src/__Libraries/StellaOps.Reachability.Core and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for '8-State Reachability Lattice' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/__Libraries/StellaOps.Reachability.Core/LatticeState.cs and related module surfaces.
|
||||
- Implement: Lattice state persistence and audit trail for state transitions
|
||||
- Apply implementation guidance from feature notes: Expose lattice state transitions as an API for triage integration and Build UI for lattice state visualization and manual overrides
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 5 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/__Libraries/StellaOps.Reachability.Core/LatticeState.cs, src/__Libraries/StellaOps.Reachability.Core/ReachabilityLattice.cs, src/__Libraries/StellaOps.Reachability.Core/ConfidenceCalculator.cs
|
||||
- Missing-surface probes in src/ReachGraph/: Triage:not-found, Lattice:not-found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/ReachGraph/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_053_ReachGraph_reachability_core_library_with_unified_query_interface <20> Reachability Core Library with Unified Query Interface
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Reachability Core Library with Unified Query Interface' using the existing implementation baseline already present in src/ReachGraph/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/ReachGraph/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/ReachGraph/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/reach-graph/architecture.md (if it exists)
|
||||
- Read: src/ReachGraph/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/__Libraries/StellaOps.Reachability.Core/IReachabilityIndex.cs and src/__Libraries/StellaOps.Reachability.Core/ReachabilityIndex.cs to cover the core gap: The `IReachabilityIndex` facade exists but the ReachGraph web service (`src/ReachGraph/`) does not use it directly; the web service has its own store/slice/replay services
|
||||
- Implement deterministic service/model behavior for: Missing: adapter implementations that wire `IReachabilityIndex` to the ReachGraph store and Signals services
|
||||
- If a new type is required, create it adjacent to existing module code at src/__Libraries/StellaOps.Reachability.Core and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Reachability Core Library with Unified Query Interface' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/__Libraries/StellaOps.Reachability.Core/IReachabilityIndex.cs and related module surfaces.
|
||||
- Implement: Missing: unified query endpoint in the web service that delegates to `IReachabilityIndex`
|
||||
- Apply implementation guidance from feature notes: Implement `IReachGraphAdapter` backed by `IReachGraphStoreService` and Implement `ISignalsAdapter` backed by the Signals runtime data
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 9 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/__Libraries/StellaOps.Reachability.Core/IReachabilityIndex.cs, src/__Libraries/StellaOps.Reachability.Core/ReachabilityIndex.cs, src/__Libraries/StellaOps.Reachability.Core/IReachGraphAdapter.cs
|
||||
- Missing-surface probes in src/ReachGraph/: IReachabilityIndex:not-found, ReachGraph:found, Missing:not-found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/ReachGraph/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_054_ReleaseOrchestrator_release_orchestrator_performance_optimizations <20> Release Orchestrator Performance Optimizations (Bulk Digest, Parallel Gates, Prefetch, Connection Pool, Baseline Tracking)
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Release Orchestrator Performance Optimizations (Bulk Digest, Parallel Gates, Prefetch, Connection Pool, Baseline Tracking)' using the existing implementation baseline already present in src/ReleaseOrchestrator/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/ReleaseOrchestrator/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/ReleaseOrchestrator/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/release-orchestrator/architecture.md (if it exists)
|
||||
- Read: src/ReleaseOrchestrator/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Performance/ and src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Performance/Registry/BulkDigestResolver.cs to cover the core gap: **Predictive data prefetching**: service to prefetch gate inputs, scan results, and attestation data before they are needed
|
||||
- Implement deterministic service/model behavior for: **Connection pool management**: pool manager with idle timeouts for registry/agent connections
|
||||
- If a new type is required, create it adjacent to existing module code at src/ReleaseOrchestrator/__Libraries and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Release Orchestrator Performance Optimizations (Bulk Digest, Parallel Gates, Prefetch, Connection Pool, Baseline Tracking)' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Performance/ and related module surfaces.
|
||||
- Implement: **Performance baseline tracking**: baseline recorder and regression detector comparing current metrics against historical baselines
|
||||
- Apply implementation guidance from feature notes: Implement `DataPrefetcher` service for predictive prefetching of gate inputs and scan results and Implement `ConnectionPoolManager` with configurable idle timeouts for registry and agent connections
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 3 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Performance/, src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Performance/Registry/BulkDigestResolver.cs, src/ReleaseOrchestrator/__Libraries/StellaOps.ReleaseOrchestrator.Performance/Gates/ParallelGateEvaluator.cs
|
||||
- Missing-surface probes in src/ReleaseOrchestrator/: Predictive:found, Connection:found, Performance:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/ReleaseOrchestrator/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_055_Replay_immutable_advisory_feed_snapshots <20> Immutable Advisory Feed Snapshots
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Immutable Advisory Feed Snapshots' using the existing implementation baseline already present in src/Replay/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Replay/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, schema/contract fixtures, persistence tests with frozen fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Replay/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/replay/architecture.md (if it exists)
|
||||
- Read: src/Replay/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Replay/StellaOps.Replay.WebService/VerdictReplayEndpoints.cs and src/Concelier/ to cover the core gap: **Per-Provider Feed Snapshots**: No system exists to capture immutable snapshots of advisory feeds on a per-provider basis (e.g., NVD snapshot at epoch T, GHSA snapshot at epoch T). The input manifest records which feed data was used but does not create addressable, immutable blob snapshots.
|
||||
- Implement deterministic service/model behavior for: **Point-in-Time Advisory Resolution**: No API exists to query "what was the advisory state for CVE-X at time T?" across all providers. Feed data is consumed in real-time; historical queries require replaying from input manifests.
|
||||
- If a new type is required, create it adjacent to existing module code at src/Replay/StellaOps.Replay.WebService and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Immutable Advisory Feed Snapshots' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Replay/StellaOps.Replay.WebService/VerdictReplayEndpoints.cs and related module surfaces.
|
||||
- Implement: **Feed Snapshot Storage**: No dedicated content-addressable storage for feed snapshots (e.g., immutable blobs with digest-based retrieval). Feed data flows through the pipeline but is not persisted as versioned snapshots.
|
||||
- Apply implementation guidance from feature notes: Design a per-provider feed snapshot format (content-addressable blob with provider ID, epoch timestamp, digest) and Implement a snapshot capture service that creates immutable blobs when feed data is ingested, storing them in content-addressable storage
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 4 referenced source path(s) present and 7 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Replay/StellaOps.Replay.WebService/VerdictReplayEndpoints.cs, src/Concelier/, src/Excititor/
|
||||
- Missing-surface probes in src/Replay/: Provider:found, Feed:found, Snapshots:not-found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Replay/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_056_Replay_point_in_time_vulnerability_query <20> Point-in-Time Vulnerability Query (As-Of Date)
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Point-in-Time Vulnerability Query (As-Of Date)' using the existing implementation baseline already present in src/Replay/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Replay/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, schema/contract fixtures, persistence tests with frozen fixtures, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Replay/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/replay/architecture.md (if it exists)
|
||||
- Read: src/Replay/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/__Libraries/StellaOps.Replay.Core/ and src/Unknowns/ to cover the core gap: No temporal/as-of-date vulnerability query API found in `src/`
|
||||
- Implement deterministic service/model behavior for: The Replay module (`src/__Libraries/StellaOps.Replay.Core/`) and Unknowns module (`src/Unknowns/`) track historical state but do not provide temporal advisory queries
|
||||
- If a new type is required, create it adjacent to existing module code at src/__Libraries and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Point-in-Time Vulnerability Query (As-Of Date)' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/__Libraries/StellaOps.Replay.Core/ and related module surfaces.
|
||||
- Implement: The Unknowns persistence layer has SQL migrations with `point_in_time` references: `src/Unknowns/__Libraries/StellaOps.Unknowns.Persistence/Migrations/001_initial_schema.sql`
|
||||
- Apply implementation guidance from feature notes: Use existing module architecture patterns for service composition and dependency injection. and Expose capability through current API/CLI/UI entry points without network-dependent behavior in tests.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'NOT_FOUND'; verification found 7 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/__Libraries/StellaOps.Replay.Core/, src/Unknowns/, src/Unknowns/__Libraries/StellaOps.Unknowns.Persistence/Migrations/001_initial_schema.sql
|
||||
- Missing-surface probes in src/Replay/: Replay:found, StellaOps:found, Core:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Replay/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_057_RiskEngine_exploit_maturity_mapping <20> Exploit Maturity Mapping
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Exploit Maturity Mapping' using the existing implementation baseline already present in src/RiskEngine/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/RiskEngine/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, schema/contract fixtures, persistence tests with frozen fixtures, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/RiskEngine/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/risk-engine/architecture.md (if it exists)
|
||||
- Read: src/RiskEngine/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/EpssProvider.cs and src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssProvider.cs to cover the core gap: Dedicated "exploit maturity mapping" service consolidating all maturity signals (EPSS, KEV, in-the-wild reports) into a unified maturity level (e.g., POC/Active/Weaponized)
|
||||
- Implement deterministic service/model behavior for: Exploit maturity lifecycle tracking over time
|
||||
- If a new type is required, create it adjacent to existing module code at src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Exploit Maturity Mapping' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/EpssProvider.cs and related module surfaces.
|
||||
- Implement: Integration of in-the-wild exploitation reports beyond KEV
|
||||
- Apply implementation guidance from feature notes: Create unified exploit maturity service that combines EPSS, KEV, and in-the-wild signals and Define maturity level taxonomy (POC/Active/Weaponized)
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 6 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/RiskEngine/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Providers/EpssProvider.cs, src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssProvider.cs, src/Scanner/StellaOps.Scanner.WebService/Endpoints/EpssEndpoints.cs
|
||||
- Missing-surface probes in src/RiskEngine/: Dedicated:not-found, EPSS:found, Active:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/RiskEngine/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_058_SbomService_sbom_lineage_graph_visualization <20> SBOM Lineage Graph Visualization
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'SBOM Lineage Graph Visualization' using the existing implementation baseline already present in src/SbomService/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/SbomService/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, persistence tests with frozen fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/SbomService/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/sbom-service/architecture.md (if it exists)
|
||||
- Read: src/SbomService/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/SbomService/StellaOps.SbomService/Services/SbomLineageGraphService.cs and src/SbomService/StellaOps.SbomService/Controllers/LineageController.cs to cover the core gap: Backend API endpoints may still use stub/in-memory data for some queries (full PostgreSQL-backed graph traversal for all operations)
|
||||
- Implement deterministic service/model behavior for: Real-time lineage update via WebSocket/SSE not confirmed
|
||||
- If a new type is required, create it adjacent to existing module code at src/SbomService/StellaOps.SbomService/Services and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'SBOM Lineage Graph Visualization' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/SbomService/StellaOps.SbomService/Services/SbomLineageGraphService.cs and related module surfaces.
|
||||
- Implement: Performance optimization for large lineage graphs (hundreds of nodes)
|
||||
- Apply implementation guidance from feature notes: Verify all lineage API endpoints return live PostgreSQL data (not stubs) and Ensure graph traversal queries perform efficiently at scale
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 9 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/SbomService/StellaOps.SbomService/Services/SbomLineageGraphService.cs, src/SbomService/StellaOps.SbomService/Controllers/LineageController.cs, src/SbomService/StellaOps.SbomService/Services/LineageCompareService.cs
|
||||
- Missing-surface probes in src/SbomService/: Backend:found, PostgreSQL:found, Real:not-found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/SbomService/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_059_Scanner_ground_truth_corpus_with_reachability_tiers <20> Ground-Truth Corpus with Reachability Tiers (R0-R4)
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Ground-Truth Corpus with Reachability Tiers (R0-R4)' using the existing implementation baseline already present in src/Scanner/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Scanner/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, schema/contract fixtures, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Scanner/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/scanner/architecture.md (if it exists)
|
||||
- Read: src/Scanner/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/ and src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/ to cover the core gap: **Toy Service Corpus**: No `/toys/svc-XX-<name>/` directory structure containing small service applications with known vulnerabilities at specific reachability tiers
|
||||
- Implement deterministic service/model behavior for: **labels.yaml Schema**: No `labels.yaml` file per toy service defining ground-truth reachability tier (R0=unreachable, R1=present-in-dependency, R2=imported-not-called, R3=called-not-reachable-from-entrypoint, R4=reachable-from-entrypoint) for each CVE
|
||||
- If a new type is required, create it adjacent to existing module code at src/Scanner/__Tests and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Ground-Truth Corpus with Reachability Tiers (R0-R4)' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/ and related module surfaces.
|
||||
- Implement: **Precision/Recall Measurement**: No test harness that runs the scanner against the corpus and computes precision, recall, and F1 score per reachability tier
|
||||
- Apply implementation guidance from feature notes: Create `/toys/` directory with initial toy services: `svc-01-log4shell-java/`, `svc-02-prototype-pollution-node/`, `svc-03-pickle-deserialization-python/`, `svc-04-text-template-go/`, `svc-05-xmlserializer-dotnet/`, `svc-06-erb-injection-ruby/` and For each toy service, create minimal source code with a known CVE at a specific reachability tier
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 3 referenced source path(s) present and 1 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/, src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/, src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Surfaces/SurfaceAwareReachabilityAnalyzer.cs
|
||||
- Missing-surface probes in src/Scanner/: Service:found, Corpus:found, labels.yaml:not-found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Scanner/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,93 +0,0 @@
|
||||
# Sprint SPRINT_20260208_060_Scanner_idempotent_attestation_submission — Idempotent Attestation Submission
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Idempotent Attestation Submission' using the existing implementation baseline already present in src/Scanner/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Scanner/
|
||||
- Cross-module touchpoints: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/, src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/, src/Attestor/__Tests/StellaOps.Attestor.Infrastructure.Tests/
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, schema/contract fixtures, persistence tests with frozen fixtures, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Scanner/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/scanner/architecture.md (if it exists)
|
||||
- Read: src/Scanner/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: DONE
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Scanner/StellaOps.Scanner.Worker/Processing/VerdictPushStageExecutor.cs and src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/VerdictOciPublisher.cs to cover the core gap: **Idempotency Key Generation**: No content-addressed idempotency key derived from attestation payload hash to detect duplicate submissions before sending to Rekor
|
||||
- Implement deterministic service/model behavior for: **Rekor Duplicate Detection**: No pre-submission check against Rekor search API to verify whether an attestation with the same content hash already exists in the log
|
||||
- If a new type is required, create it adjacent to existing module code at src/Scanner/StellaOps.Scanner.Worker/Processing and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [x] Core behavior for 'Idempotent Attestation Submission' is implemented behind existing module contracts without breaking current flows.
|
||||
- [x] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [x] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: DONE
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Scanner/StellaOps.Scanner.Worker/Processing/VerdictPushStageExecutor.cs and related module surfaces.
|
||||
- Implement: **Retry with Deduplication**: `VerdictPushStageExecutor` lacks explicit retry logic that distinguishes between "already submitted" (success) and "transient failure" (retry) responses from Rekor/OCI
|
||||
- Apply implementation guidance from feature notes: Add `AttestationIdempotencyKey` generation in `StellaOps.Scanner.Evidence` using SHA-256 of the canonical DSSE envelope payload and Add Rekor search-by-hash pre-check in `EnhancedRekorProofBuilder` before submitting new entries
|
||||
- Implement cross-module Rekor hash pre-check in Attestor submission path before creating new log entries, preserving deterministic behavior and no-network test determinism.
|
||||
|
||||
Completion criteria:
|
||||
- [x] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [x] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [x] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: DONE
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [x] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [x] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [x] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
| 2026-02-08 | Implementation started for idempotency key generation, retry classification, and OCI dedupe flow. | Developer |
|
||||
| 2026-02-08 | T1 completed: added deterministic idempotency key generation, OCI tag/annotation dedupe short-circuit, verdict push retry classification/cache, and docs/tests updates. | Developer |
|
||||
| 2026-02-08 | Validation: `dotnet test src/Scanner/__Tests/StellaOps.Scanner.Evidence.Tests/StellaOps.Scanner.Evidence.Tests.csproj --filter "Category=Unit"` (88 passed), `dotnet test src/Scanner/__Tests/StellaOps.Scanner.Storage.Oci.Tests/StellaOps.Scanner.Storage.Oci.Tests.csproj -- --filter-trait "Category=Unit"` (17 passed), `dotnet test src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/StellaOps.Scanner.Worker.Tests.csproj -- --filter-class "StellaOps.Scanner.Worker.Tests.VerdictPushStageExecutorTests"` (3 passed). | Developer |
|
||||
| 2026-02-08 | T2 blocked on cross-module Rekor pre-check scope; requires sprint scope update or follow-up Attestor sprint. | Developer |
|
||||
| 2026-02-08 | T2 resumed by request with explicit cross-module touchpoints for Attestor Rekor pre-check implementation. | Developer |
|
||||
| 2026-02-08 | T2 completed: implemented Rekor hash pre-check and existing-entry reuse in `HttpRekorClient` with deterministic fallback to submit path. | Developer |
|
||||
| 2026-02-08 | Validation: `dotnet test src/Attestor/__Tests/StellaOps.Attestor.Infrastructure.Tests/StellaOps.Attestor.Infrastructure.Tests.csproj -- --filter-class "StellaOps.Attestor.Infrastructure.Tests.HttpRekorClientTests"` (9 passed), plus re-run of Scanner idempotency test slices (88/17/3 passed). | Developer |
|
||||
| 2026-02-08 | T3 completed: updated Attestor module docs with Rekor pre-check behavior and closed sprint tracker tasks. | Developer |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 6 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Scanner/StellaOps.Scanner.Worker/Processing/VerdictPushStageExecutor.cs, src/Scanner/__Libraries/StellaOps.Scanner.Storage.Oci/VerdictOciPublisher.cs, src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/EnhancedRekorProofBuilder.Build.cs
|
||||
- Missing-surface probes in src/Scanner/: Idempotency:found, Generation:found, Rekor:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Scanner/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
- Implemented in this sprint: Scanner-side idempotency key generation, OCI dedupe/tagging, retry classification, deterministic receipt cache, and scanner architecture doc update.
|
||||
- Previous remaining gap (Rekor search-by-hash pre-check in Attestor path) is now closed via approved cross-module touchpoints.
|
||||
- Follow-up completed in cross-module touchpoint: Rekor hash pre-check now executes before submission in `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/Rekor/HttpRekorClient.cs`, reusing existing entries when present and preserving submit fallback when lookup is unavailable.
|
||||
- Broader `StellaOps.Attestor.Tests` slice is currently blocked by unrelated compile error in `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/VexOverridePredicateParser.ParsePredicate.cs` (`ILogger` `LogWarning` extension resolution), not introduced by this sprint.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_061_Scanner_stack_trace_exploit_path_view <20> Stack-Trace/Exploit Path View
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Stack-Trace/Exploit Path View' using the existing implementation baseline already present in src/Scanner/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Scanner/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Scanner/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/scanner/architecture.md (if it exists)
|
||||
- Read: src/Scanner/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Scanner/__Libraries/StellaOps.Scanner.Triage/Services/IExploitPathGroupingService.cs and src/Scanner/__Libraries/StellaOps.Scanner.Triage/Models/ExploitPath.cs to cover the core gap: **Stack-Trace Lens UI Component**: No dedicated Angular component in `src/Web/` that renders exploit paths as interactive stack-trace visualizations with:
|
||||
- Implement deterministic service/model behavior for: Collapsible call-chain frames (entrypoint -> intermediate calls -> vulnerable function)
|
||||
- If a new type is required, create it adjacent to existing module code at src/Scanner/__Libraries/StellaOps.Scanner.Triage/Services and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Stack-Trace/Exploit Path View' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Scanner/__Libraries/StellaOps.Scanner.Triage/Services/IExploitPathGroupingService.cs and related module surfaces.
|
||||
- Implement: Syntax-highlighted source snippets at each frame (when source mapping is available)
|
||||
- Apply implementation guidance from feature notes: Create `ExploitPathViewComponent` in `src/Web/` as an Angular component consuming the TriageInboxEndpoints exploit path API and Implement collapsible stack-frame rendering with entrypoint -> call chain -> sink visualization
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 8 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Scanner/__Libraries/StellaOps.Scanner.Triage/Services/IExploitPathGroupingService.cs, src/Scanner/__Libraries/StellaOps.Scanner.Triage/Models/ExploitPath.cs, src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Explanation/PathExplanationService.cs
|
||||
- Missing-surface probes in src/Scanner/: Stack:found, Trace:found, Lens:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Scanner/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_062_Scanner_vex_decision_filter_with_reachability <20> VEX Decision Filter with Reachability
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'VEX Decision Filter with Reachability' using the existing implementation baseline already present in src/Scanner/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Scanner/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Scanner/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/scanner/architecture.md (if it exists)
|
||||
- Read: src/Scanner/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Scanner/__Libraries/StellaOps.Scanner.ChangeTrace/Integration/IVexLensClient.cs and src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateService.cs to cover the core gap: **Dedicated VEX+Reachability Filter Component**: No standalone `VexReachabilityDecisionFilter` that combines VEX consensus status with reachability classification into a single filtering decision (the current VexGateService evaluates VEX rules but does not deeply integrate reachability slice confidence tiers)
|
||||
- Implement deterministic service/model behavior for: **Combined Score Matrix**: No explicit decision matrix mapping (VEX status x Reachability tier) -> filter action (suppress, elevate, pass-through, flag-for-review)
|
||||
- If a new type is required, create it adjacent to existing module code at src/Scanner/__Libraries/StellaOps.Scanner.ChangeTrace/Integration and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'VEX Decision Filter with Reachability' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Scanner/__Libraries/StellaOps.Scanner.ChangeTrace/Integration/IVexLensClient.cs and related module surfaces.
|
||||
- Implement: **Filter API Endpoint**: No REST endpoint that accepts a list of findings and returns the filtered list with VEX+reachability decision annotations
|
||||
- Apply implementation guidance from feature notes: Create `VexReachabilityDecisionFilter` in `StellaOps.Scanner.Gate` or a new `StellaOps.Scanner.VexFilter` library that combines `IVexLensClient` data with `ReachabilitySlice` classification and Define decision matrix: (not_affected + Unreachable) -> suppress, (exploitable + Confirmed) -> elevate, (not_affected + Confirmed) -> flag-for-review, etc.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 5 referenced source path(s) present and 2 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Scanner/__Libraries/StellaOps.Scanner.ChangeTrace/Integration/IVexLensClient.cs, src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGateService.cs, src/Scanner/__Libraries/StellaOps.Scanner.Gate/VexGatePolicyEvaluator.cs
|
||||
- Missing-surface probes in src/Scanner/: VexReachabilityDecisionFilter:not-found, Dedicated:not-found, Reachability:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Scanner/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_063_Scanner_vulnerability_first_triage_ux_with_exploit_path_grouping <20> Vulnerability-First Triage UX with Exploit Path Grouping and Proof Bundles
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Vulnerability-First Triage UX with Exploit Path Grouping and Proof Bundles' using the existing implementation baseline already present in src/Scanner/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Scanner/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, API endpoint contract tests, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Scanner/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/scanner/architecture.md (if it exists)
|
||||
- Read: src/Scanner/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Scanner/__Libraries/StellaOps.Scanner.Triage/Services/IExploitPathGroupingService.cs and src/Scanner/__Libraries/StellaOps.Scanner.Triage/Models/ExploitPath.cs to cover the core gap: **Triage Inbox UI Component**: No Angular component implementing the vulnerability-first triage inbox with exploit path cluster view, batch triage actions, cluster expansion, sort/filter by cluster size/severity/reachability
|
||||
- Implement deterministic service/model behavior for: **Exploit Path Similarity Algorithm**: The `IExploitPathGroupingService` interface exists but the clustering/similarity algorithm completeness is unclear
|
||||
- If a new type is required, create it adjacent to existing module code at src/Scanner/__Libraries/StellaOps.Scanner.Triage/Services and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Vulnerability-First Triage UX with Exploit Path Grouping and Proof Bundles' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Scanner/__Libraries/StellaOps.Scanner.Triage/Services/IExploitPathGroupingService.cs and related module surfaces.
|
||||
- Implement: **Batch Triage API**: No REST endpoint for applying a single triage decision to all findings in an exploit path cluster
|
||||
- Apply implementation guidance from feature notes: Complete exploit path similarity algorithm using common call-chain prefix grouping with configurable similarity threshold and Add `BatchTriageEndpoints` for applying triage decisions to entire exploit path clusters
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 9 referenced source path(s) present and 1 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Scanner/__Libraries/StellaOps.Scanner.Triage/Services/IExploitPathGroupingService.cs, src/Scanner/__Libraries/StellaOps.Scanner.Triage/Models/ExploitPath.cs, src/Scanner/__Tests/StellaOps.Scanner.Triage.Tests/
|
||||
- Missing-surface probes in src/Scanner/: Triage:found, Inbox:found, Component:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Scanner/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_064_Telemetry_dora_metrics <20> DORA Metrics
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'DORA Metrics' using the existing implementation baseline already present in src/Telemetry/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Telemetry/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, DSSE/Rekor verification checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Telemetry/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/telemetry/architecture.md (if it exists)
|
||||
- Read: src/Telemetry/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Policy/__Libraries/StellaOps.Policy/Gates/ and src/Telemetry/ to cover the core gap: No DORA metrics (Deployment Frequency, Lead Time for Changes, Change Failure Rate, MTTR) implementation found
|
||||
- Implement deterministic service/model behavior for: Search for DORA-related terms found only `EarnedCapacityReplenishment` in `src/Policy/__Libraries/StellaOps.Policy/Gates/` which is a policy gate concept, not DORA metrics
|
||||
- If a new type is required, create it adjacent to existing module code at src/Policy/__Libraries/StellaOps.Policy and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'DORA Metrics' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Policy/__Libraries/StellaOps.Policy/Gates/ and related module surfaces.
|
||||
- Implement: The Telemetry module (`src/Telemetry/`) tracks operational metrics (Time-to-Evidence, attestation metrics) but not standard DORA metrics
|
||||
- Apply implementation guidance from feature notes: Use existing module architecture patterns for service composition and dependency injection. and Expose capability through current API/CLI/UI entry points without network-dependent behavior in tests.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'NOT_FOUND'; verification found 2 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Policy/__Libraries/StellaOps.Policy/Gates/, src/Telemetry/
|
||||
- Missing-surface probes in src/Telemetry/: DORA:not-found, Deployment:found, Frequency:not-found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Telemetry/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_065_Telemetry_outcome_analytics_attribution <20> Outcome Analytics / Attribution
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Outcome Analytics / Attribution' using the existing implementation baseline already present in src/Telemetry/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Telemetry/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Telemetry/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/telemetry/architecture.md (if it exists)
|
||||
- Read: src/Telemetry/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Telemetry/ and src/Timeline/ to cover the core gap: No outcome analytics, MTTR/MTTA attribution, cohort analysis, or executive reporting found in `src/`
|
||||
- Implement deterministic service/model behavior for: No `OutcomeAnalytics` or `Attribution` modules or namespaces exist
|
||||
- If a new type is required, create it adjacent to existing module code at src and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Outcome Analytics / Attribution' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Telemetry/ and related module surfaces.
|
||||
- Implement: The Telemetry module (`src/Telemetry/`) tracks operational metrics but not outcome attribution
|
||||
- Apply implementation guidance from feature notes: Use existing module architecture patterns for service composition and dependency injection. and Expose capability through current API/CLI/UI entry points without network-dependent behavior in tests.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'NOT_FOUND'; verification found 2 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Telemetry/, src/Timeline/
|
||||
- Missing-surface probes in src/Telemetry/: MTTR:not-found, MTTA:not-found, OutcomeAnalytics:not-found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Telemetry/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_066_VexLens_vexlens_truth_table_tests <20> VexLens Truth Table Tests
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'VexLens Truth Table Tests' using the existing implementation baseline already present in src/VexLens/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/VexLens/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/VexLens/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/vex-lens/architecture.md (if it exists)
|
||||
- Read: src/VexLens/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/VexLens/__Tests/StellaOps.VexLens.Tests/ and src/VexLens/StellaOps.VexLens/__Tests/StellaOps.VexLens.Tests/ to cover the core gap: No systematic truth table tests for VEX lattice merge correctness found
|
||||
- Implement deterministic service/model behavior for: The VexLens test infrastructure does exist:
|
||||
- If a new type is required, create it adjacent to existing module code at src/VexLens/__Tests and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'VexLens Truth Table Tests' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/VexLens/__Tests/StellaOps.VexLens.Tests/ and related module surfaces.
|
||||
- Implement: `src/VexLens/__Tests/StellaOps.VexLens.Tests/` -- VexLens tests project
|
||||
- Apply implementation guidance from feature notes: Use existing module architecture patterns for service composition and dependency injection. and Expose capability through current API/CLI/UI entry points without network-dependent behavior in tests.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'NOT_FOUND'; verification found 6 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/VexLens/__Tests/StellaOps.VexLens.Tests/, src/VexLens/StellaOps.VexLens/__Tests/StellaOps.VexLens.Tests/, src/VexLens/StellaOps.VexLens/__Tests/StellaOps.VexLens.Core.Tests/
|
||||
- Missing-surface probes in src/VexLens/: VexLens:found, StellaOps:found, Tests:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/VexLens/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_067_FE_audit_trail_why_am_i_seeing_this <20> Audit Trail "Why am I seeing this?" (Reason Capsule)
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Audit Trail "Why am I seeing this?" (Reason Capsule)' using the existing implementation baseline already present in src/Web/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Web/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, Angular feature module/components, API endpoint contract tests, DSSE/Rekor verification checks, accessibility + responsive checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Web/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/web/architecture.md (if it exists)
|
||||
- Read: src/Web/StellaOps.Web/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Web/StellaOps.Web/src/app/features/triage/components/ai-code-guard-badge/ai-code-guard-badge.component.ts and src/Web/StellaOps.Web/src/app/features/triage/components/ai-recommendation-panel/ai-recommendation-panel.component.ts to cover the core gap: **ReasonCapsuleComponent**: No per-row expandable component showing policy name, rule ID, graph revision ID, and inputs digest for each finding/verdict in table views
|
||||
- Implement deterministic service/model behavior for: **Audit reasons API**: No `/api/audit/reasons/:verdictId` endpoint returning structured reason data for display
|
||||
- If a new type is required, create it adjacent to existing module code at src/Web/StellaOps.Web/src/app/features/audit_trail_why_am_i_seeing_this/ and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Audit Trail "Why am I seeing this?" (Reason Capsule)' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Web/StellaOps.Web/src/app/features/triage/components/ai-code-guard-badge/ai-code-guard-badge.component.ts and related module surfaces.
|
||||
- Implement: **Per-finding explanation inline**: VerdictWhySummaryComponent and WhySafePanels exist for verdict-level and lineage-level explanation, but no per-row inline "why" capsule in triage table views
|
||||
- Apply implementation guidance from feature notes: Create `ReasonCapsuleComponent` as expandable per-row explanation in triage/finding tables and Add `/api/audit/reasons/:verdictId` endpoint returning policy name, rule ID, graph revision, inputs digest
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 15 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Web/StellaOps.Web/src/app/features/triage/components/ai-code-guard-badge/ai-code-guard-badge.component.ts, src/Web/StellaOps.Web/src/app/features/triage/components/ai-recommendation-panel/ai-recommendation-panel.component.ts, src/Web/StellaOps.Web/src/app/features/triage/components/attestation-viewer/attestation-viewer.component.ts
|
||||
- Missing-surface probes in src/Web/: ReasonCapsuleComponent:not-found, Audit:found, VerdictWhySummaryComponent:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Web/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_068_FE_pack_registry_browser <20> Pack Registry Browser
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Pack Registry Browser' using the existing implementation baseline already present in src/Web/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Web/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, Angular feature module/components, API endpoint contract tests, DSSE/Rekor verification checks, accessibility + responsive checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Web/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/web/architecture.md (if it exists)
|
||||
- Read: src/Web/StellaOps.Web/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Web/StellaOps.Web/src/app/features/policy-studio/ai/conflict-visualizer.component.ts and src/Web/StellaOps.Web/src/app/features/policy-studio/ai/live-rule-preview.component.ts to cover the core gap: **Pack browser feature module**: No dedicated Angular feature module for browsing the TaskRunner pack registry (installed packs, available packs, version history)
|
||||
- Implement deterministic service/model behavior for: **Pack install/upgrade flow**: No UI flow for installing or upgrading TaskRunner packs with compatibility checks
|
||||
- If a new type is required, create it adjacent to existing module code at src/Web/StellaOps.Web/src/app/features/pack_registry_browser/ and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Pack Registry Browser' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Web/StellaOps.Web/src/app/features/policy-studio/ai/conflict-visualizer.component.ts and related module surfaces.
|
||||
- Implement: **Pack signature verification display**: No UI showing DSSE signature verification status for each pack
|
||||
- Apply implementation guidance from feature notes: Create `pack-registry` Angular feature module under `src/Web/StellaOps.Web/src/app/features/` and Implement pack list view with install/upgrade actions
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 13 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Web/StellaOps.Web/src/app/features/policy-studio/ai/conflict-visualizer.component.ts, src/Web/StellaOps.Web/src/app/features/policy-studio/ai/live-rule-preview.component.ts, src/Web/StellaOps.Web/src/app/features/policy-studio/ai/test-case-panel.component.ts
|
||||
- Missing-surface probes in src/Web/: Pack:found, Angular:found, TaskRunner:not-found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Web/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_069_FE_pipeline_run_centric_view <20> Pipeline/Run-Centric View
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Pipeline/Run-Centric View' using the existing implementation baseline already present in src/Web/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Web/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, Angular feature module/components, API endpoint contract tests, accessibility + responsive checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Web/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/web/architecture.md (if it exists)
|
||||
- Read: src/Web/StellaOps.Web/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Web/StellaOps.Web/src/app/features/release-orchestrator/approvals/approval-detail/approval-detail.component.ts and src/Web/StellaOps.Web/src/app/features/release-orchestrator/approvals/approval-queue/approval-queue.component.ts to cover the core gap: **Pipeline run detail view**: No dedicated "run detail" view showing a single pipeline execution with its stages, gates, evidence collection, and outcome
|
||||
- Implement deterministic service/model behavior for: **Run-centric navigation**: Components exist for approvals, deployments, and releases but no unified "runs" listing that ties them together as a single pipeline execution
|
||||
- If a new type is required, create it adjacent to existing module code at src/Web/StellaOps.Web/src/app/features/pipeline_run_centric_view/ and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Pipeline/Run-Centric View' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Web/StellaOps.Web/src/app/features/release-orchestrator/approvals/approval-detail/approval-detail.component.ts and related module surfaces.
|
||||
- Implement: **First-signal card integration**: First-signal card components exist in the `runs/` feature but may not be integrated into the pipeline-centric view
|
||||
- Apply implementation guidance from feature notes: Create a unified "pipeline run" detail view connecting scan, gate evaluation, approval, and deployment stages and Wire pipeline-overview component to backend API for live pipeline status
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 10 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Web/StellaOps.Web/src/app/features/release-orchestrator/approvals/approval-detail/approval-detail.component.ts, src/Web/StellaOps.Web/src/app/features/release-orchestrator/approvals/approval-queue/approval-queue.component.ts, src/Web/StellaOps.Web/src/app/features/release-orchestrator/approvals/promotion-request/promotion-request.component.ts
|
||||
- Missing-surface probes in src/Web/: Pipeline:found, Components:found, First:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Web/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_070_FE_reachability_center_ui_view <20> Reachability Center UI View
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Reachability Center UI View' using the existing implementation baseline already present in src/Web/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Web/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, Angular feature module/components, API endpoint contract tests, accessibility + responsive checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Web/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/web/architecture.md (if it exists)
|
||||
- Read: src/Web/StellaOps.Web/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Web/StellaOps.Web/src/app/features/reachability/components/path-viewer/path-viewer.component.ts and src/Web/StellaOps.Web/src/app/features/reachability/components/risk-drift-card/risk-drift-card.component.ts to cover the core gap: **Official fixture bundle swap**: Currently using deterministic fixture data; pending official fixture bundle from Signals guild with real reachability data
|
||||
- Implement deterministic service/model behavior for: **Asset coverage summary**: No dashboard-level summary showing percentage of assets with reachability analysis coverage
|
||||
- If a new type is required, create it adjacent to existing module code at src/Web/StellaOps.Web/src/app/features/reachability_center_ui_view/ and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Reachability Center UI View' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Web/StellaOps.Web/src/app/features/reachability/components/path-viewer/path-viewer.component.ts and related module surfaces.
|
||||
- Implement: **Missing sensors indicator**: No visual indicator showing which assets lack runtime observation sensors
|
||||
- Apply implementation guidance from feature notes: Swap fixture data for live API integration once Signals guild provides official fixture bundle and Add asset coverage summary widget to reachability-center component
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 9 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Web/StellaOps.Web/src/app/features/reachability/components/path-viewer/path-viewer.component.ts, src/Web/StellaOps.Web/src/app/features/reachability/components/risk-drift-card/risk-drift-card.component.ts, src/Web/StellaOps.Web/src/app/features/reachability/poe-drawer.component.ts
|
||||
- Missing-surface probes in src/Web/: Official:found, Currently:found, Signals:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Web/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_071_FE_sbom_graph_reachability_overlay_with_time_slider <20> SBOM Graph Reachability Overlay with Time Slider
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'SBOM Graph Reachability Overlay with Time Slider' using the existing implementation baseline already present in src/Web/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Web/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, Angular feature module/components, API endpoint contract tests, accessibility + responsive checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Web/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/web/architecture.md (if it exists)
|
||||
- Read: src/Web/StellaOps.Web/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Web/StellaOps.Web/src/app/features/graph/graph-canvas.component.ts and src/Web/StellaOps.Web/src/app/features/graph/graph-explorer.component.ts to cover the core gap: **Reachability halo overlay**: Graph overlay components exist but no dedicated reachability state halo (color-coded rings around nodes showing lattice state: SR/SU/RO/RU/CR/CU/X)
|
||||
- Implement deterministic service/model behavior for: **Time slider for temporal reachability**: No time slider component enabling temporal exploration of how reachability states evolved over scan/signal events
|
||||
- If a new type is required, create it adjacent to existing module code at src/Web/StellaOps.Web/src/app/features/sbom_graph_reachability_overlay_with_time_slider/ and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'SBOM Graph Reachability Overlay with Time Slider' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Web/StellaOps.Web/src/app/features/graph/graph-canvas.component.ts and related module surfaces.
|
||||
- Implement: **Lattice state legend**: No legend component mapping halo colors to reachability lattice states
|
||||
- Apply implementation guidance from feature notes: Add reachability state halo overlay to graph-overlays component using lattice state colors and Create time slider component for temporal reachability exploration
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 7 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Web/StellaOps.Web/src/app/features/graph/graph-canvas.component.ts, src/Web/StellaOps.Web/src/app/features/graph/graph-explorer.component.ts, src/Web/StellaOps.Web/src/app/features/graph/graph-filters.component.ts
|
||||
- Missing-surface probes in src/Web/: Reachability:found, Graph:found, Time:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Web/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_072_FE_signals_runtime_dashboard <20> Signals & Runtime Dashboard
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'Signals & Runtime Dashboard' using the existing implementation baseline already present in src/Web/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Web/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, Angular feature module/components, API endpoint contract tests, accessibility + responsive checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Web/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/web/architecture.md (if it exists)
|
||||
- Read: src/Web/StellaOps.Web/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Web/StellaOps.Web/src/app/core/plugins/extension-slots/extension-slot.component.ts and src/Web/StellaOps.Web/src/app/core/analytics/evidence-panel-metrics.service.ts to cover the core gap: **Signals dashboard feature module**: No `src/Web/StellaOps.Web/src/app/features/signals/` directory with dedicated dashboard components
|
||||
- Implement deterministic service/model behavior for: **Probe status monitoring**: No component showing eBPF/ETW/dyld probe health status per host
|
||||
- If a new type is required, create it adjacent to existing module code at src/Web/StellaOps.Web/src/app/features/signals_runtime_dashboard/ and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'Signals & Runtime Dashboard' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Web/StellaOps.Web/src/app/core/plugins/extension-slots/extension-slot.component.ts and related module surfaces.
|
||||
- Implement: **Signal collection metrics**: No real-time metrics showing signals collected per second, error rates, latency
|
||||
- Apply implementation guidance from feature notes: Create `features/signals/` module with route registration and Build probe status monitoring dashboard showing per-host probe health
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 6 referenced source path(s) present and 1 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Web/StellaOps.Web/src/app/core/plugins/extension-slots/extension-slot.component.ts, src/Web/StellaOps.Web/src/app/core/analytics/evidence-panel-metrics.service.ts, src/Web/StellaOps.Web/src/app/core/api/gateway-metrics.service.ts
|
||||
- Missing-surface probes in src/Web/: Signals:found, StellaOps:found, Probe:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Web/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
@@ -1,80 +0,0 @@
|
||||
# Sprint SPRINT_20260208_073_FE_vex_gate <20> VEX Gate (Inline Gated Action with Evidence Tiers)
|
||||
|
||||
## Topic & Scope
|
||||
- Close the remaining delivery gap for 'VEX Gate (Inline Gated Action with Evidence Tiers)' using the existing implementation baseline already present in src/Web/.
|
||||
- Preserve deterministic/offline behavior while adding the missing workflow surface required for release-control decisions.
|
||||
- Ensure evidence, policy, and operator experience are aligned so this capability can be audited and replayed.
|
||||
- Working directory: src/Web/
|
||||
- Cross-module touchpoints: None
|
||||
- Expected evidence: deterministic unit tests, offline integration tests, Angular feature module/components, API endpoint contract tests, DSSE/Rekor verification checks, accessibility + responsive checks, docs update in module dossier
|
||||
|
||||
## Dependencies & Concurrency
|
||||
- Upstream: None
|
||||
- Safe to parallelize with: Any sprint that does not edit src/Web/
|
||||
- Blocking: None
|
||||
|
||||
## Documentation Prerequisites
|
||||
- Read: docs/modules/web/architecture.md (if it exists)
|
||||
- Read: src/Web/StellaOps.Web/AGENTS.md (if it exists)
|
||||
- Read: docs/ARCHITECTURE_OVERVIEW.md
|
||||
|
||||
## Delivery Tracker
|
||||
|
||||
### T1 - Implement core feature slice and deterministic model updates
|
||||
Status: TODO
|
||||
Dependency: none
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Extend existing implementation anchored by src/Web/StellaOps.Web/src/app/features/triage/components/ai-code-guard-badge/ai-code-guard-badge.component.ts and src/Web/StellaOps.Web/src/app/features/triage/components/ai-recommendation-panel/ai-recommendation-panel.component.ts to cover the core gap: **VexGateButtonDirective**: No Angular directive that morphs primary action buttons (e.g., "Promote", "Release") into Green/Amber/Red gated states based on VEX verdict evidence tiers
|
||||
- Implement deterministic service/model behavior for: **VexEvidenceSheetComponent**: No inline evidence sheet that expands from a gated button to show the VEX evidence supporting the gate decision
|
||||
- If a new type is required, create it adjacent to existing module code at src/Web/StellaOps.Web/src/app/features/vex_gate/ and keep namespace conventions aligned with the surrounding project structure.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Core behavior for 'VEX Gate (Inline Gated Action with Evidence Tiers)' is implemented behind existing module contracts without breaking current flows.
|
||||
- [ ] Unit tests cover happy path and failure/validation path with deterministic fixtures.
|
||||
- [ ] Output is reproducible across repeated runs with identical inputs.
|
||||
|
||||
### T2 - Wire API/CLI/UI integration and persistence boundaries
|
||||
Status: TODO
|
||||
Dependency: T1
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Integrate the core slice into existing entry points referenced by src/Web/StellaOps.Web/src/app/features/triage/components/ai-code-guard-badge/ai-code-guard-badge.component.ts and related module surfaces.
|
||||
- Implement: **Tier-based button color mapping**: No mapping from VEX evidence tier (Tier 1: full evidence, Tier 2: partial, Tier 3: no evidence) to button color states
|
||||
- Apply implementation guidance from feature notes: Create `VexGateButtonDirective` that wraps action buttons with VEX gate logic and color state and Create `VexEvidenceSheetComponent` for inline evidence display on gate button expansion
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Integration surface (API/CLI/UI/pipeline) exposes the new behavior end-to-end.
|
||||
- [ ] Integration tests validate tenant scoping, error mapping, and offline-friendly execution.
|
||||
- [ ] Existing related flows remain backward compatible or include explicit migration notes.
|
||||
|
||||
### T3 - Complete verification, docs sync, and rollout guardrails
|
||||
Status: TODO
|
||||
Dependency: T2
|
||||
Owners: Developer
|
||||
Task description:
|
||||
- Add or extend deterministic test coverage in existing test projects for this module and any required cross-module touchpoints.
|
||||
- Update module documentation and operator guidance to reflect exact runtime behavior, evidence artifacts, and constraints.
|
||||
- Add regression guards for replayability, idempotency, and non-networked test execution.
|
||||
|
||||
Completion criteria:
|
||||
- [ ] Test suite additions include deterministic unit/integration coverage and pass without external network dependencies.
|
||||
- [ ] Documentation is updated in docs/modules/** and linked from sprint Decisions & Risks.
|
||||
- [ ] Execution log entry is added by the implementer when work starts/finishes.
|
||||
|
||||
## Execution Log
|
||||
| Date (UTC) | Update | Owner |
|
||||
| --- | --- | --- |
|
||||
| 2026-02-08 | Sprint created from feature gap analysis. | Project Manager |
|
||||
|
||||
## Decisions & Risks
|
||||
- Feature file status was 'PARTIALLY_IMPLEMENTED'; verification found 15 referenced source path(s) present and 0 referenced path(s) absent.
|
||||
- Source verification anchored on: src/Web/StellaOps.Web/src/app/features/triage/components/ai-code-guard-badge/ai-code-guard-badge.component.ts, src/Web/StellaOps.Web/src/app/features/triage/components/ai-recommendation-panel/ai-recommendation-panel.component.ts, src/Web/StellaOps.Web/src/app/features/triage/components/attestation-viewer/attestation-viewer.component.ts
|
||||
- Missing-surface probes in src/Web/: VexGateButtonDirective:not-found, Angular:found, Promote:found
|
||||
- Risk: scope may expand if hidden dependencies are discovered in adjacent modules during integration.
|
||||
- Mitigation: keep implementation confined to src/Web/ first, then add narrowly-scoped cross-module edits with explicit tests.
|
||||
|
||||
## Next Checkpoints
|
||||
- Implementation complete with passing tests
|
||||
- Code review
|
||||
- Documentation update verification
|
||||
Reference in New Issue
Block a user