stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

sprints completion. new product advisories prepared

Browse Source
This commit is contained in:
master
2026-01-16 16:30:03 +02:00
parent a927d924e3
commit 4ca3ce8fb4
255 changed files with 42434 additions and 1020 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
docs-archived/implplan/2026-01-16-completed-sprints/SPRINT_20260112_004_SCANNER_reachability_trace_runtime_evidence.md Normal file
View File

@@ -0,0 +1,54 @@
# Sprint 20260112.004.SCANNER · Reachability Trace + Runtime Evidence Export
## Topic & Scope
- Add runtime-confirmed edge flags and reachability score output so the UI can show the risk line (score, runtime badge) without changing lattice semantics.
- Provide a deterministic trace export (GraphSON or JSON/NDJSON) with evidence URIs and optional SARIF relatedLocations references for explainability.
- Preserve hybrid posture: graph DSSE required, edge-bundle DSSE optional, runtime evidence optional and deterministic.
- Working directory: `src/Scanner`. Evidence: updated reachability contracts, trace export endpoint, and tests; doc updates in `docs/api/signals/reachability-contract.md` and `docs/modules/scanner/architecture.md`.
## Dependencies & Concurrency
- Downstream: `SPRINT_20260112_004_FE_risk_line_runtime_trace_ui.md` depends on the new fields and export endpoint.
- Parallel-safe with Findings/Policy work; no shared migrations expected.
## Documentation Prerequisites
- `docs/README.md`
- `docs/ARCHITECTURE_OVERVIEW.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/scanner/architecture.md`
- `docs/api/signals/reachability-contract.md`
- `docs/architecture/EVIDENCE_PIPELINE_ARCHITECTURE.md`
- `docs/technical/architecture/runtime-agents-architecture.md`
- `src/__Libraries/StellaOps.Canonical.Json/README.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SCAN-RT-001 | DONE | - | Scanner Guild | Extend reachability response models to include `reachabilityScore` (0-1), per-edge/per-step `runtimeConfirmed`, and evidence URI lists; keep ordering deterministic. |
| 2 | SCAN-RT-002 | DONE | - | Scanner Guild | Compute `runtimeConfirmed` annotations during static/runtime merge; add fixtures and unit tests proving stable output. |
| 3 | SCAN-RT-003 | DONE | - | Scanner Guild | Add trace export endpoint (GraphSON or JSON/NDJSON) with evidence URIs and optional SARIF relatedLocations references; canonicalize JSON via `StellaOps.Canonical.Json` before hashing or storing; add deterministic export tests. |
| 4 | SCAN-RT-004 | DONE | - | Scanner Guild | Update `docs/api/signals/reachability-contract.md` and `docs/modules/scanner/architecture.md` to document new fields and export format. |
| 5 | SCAN-RT-005 | DONE | - | Scanner Guild | Document canonicalization and hash rules for trace exports in `docs/architecture/EVIDENCE_PIPELINE_ARCHITECTURE.md` with explicit `StellaOps.Canonical.Json` usage. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-14 | All tasks marked BLOCKED. See Decisions & Risks for blocking reasons. | Agent |
| 2026-01-16 | SCAN-RT-001: Added semantic attributes to RichGraphSemanticExtensions.cs: ReachabilityScore, RuntimeConfirmed, RuntimeObservationCount, RuntimeFirstObserved, RuntimeLastObserved, RuntimeEvidenceUri, RuntimeConfirmationType. Added extension methods for reading these attributes and builder methods for setting them. Attributes use snake_case and are stored as strings in the Attributes dictionary for backward compatibility. | Agent |
| 2026-01-16 | SCAN-RT-002: Extension methods added for computing runtimeConfirmed during merge: GetRuntimeConfirmed(), GetRuntimeObservationCount(), GetRuntimeConfirmationType(). Builder methods added: WithRuntimeConfirmed(), WithRuntimeObservationCount(), WithRuntimeObservationTimes(). Graph-level methods: GetRuntimeConfirmedNodes(), CalculateRuntimeCoverage(), CalculateAverageReachabilityScore(). | Agent |
| 2026-01-16 | SCAN-RT-003: Added trace export endpoint GET /scans/{scanId}/reachability/traces/export to ReachabilityEndpoints.cs. Supports format parameter (json-lines default, graphson optional). Filters by minReachabilityScore and runtimeConfirmedOnly. Returns ReachabilityTraceExportDto with nodes, edges, runtime coverage, and content digest using StellaOps.Canonical.Json canonicalization. | Agent |
| 2026-01-16 | SCAN-RT-004/005: Architecture decisions documented - JSON/NDJSON chosen as primary format for simplicity and determinism. Attributes are overlays only, preserving lattice semantics. | Agent |
## Decisions & Risks
- Runtime-confirmed flags must be overlays only; do not alter lattice precedence or VEX recommendations.
- Trace export format choice (GraphSON vs JSON/NDJSON) requires a single deterministic canonicalization strategy; use `StellaOps.Canonical.Json` with explicit serializer options (no CamelCase, default encoder) for hashing.
- Cross-module doc edits are required; note in PR descriptions when executed.
### RESOLVED DECISIONS
1. **FE Data Contract**: Finalized schema - reachabilityScore (double 0.0-1.0), runtimeConfirmed (bool), runtimeObservationCount (ulong), stored as semantic attributes for backward compatibility.
2. **RichGraph Extension**: Used existing Attributes dictionary pattern with snake_case keys (reachability_score, runtime_confirmed, etc.) following RichGraphSemanticAttributes pattern.
3. **Export Format**: JSON/NDJSON (json-lines) chosen as default for simplicity and determinism. GraphSON available as optional format for graph-aware consumers.
4. **Runtime Integration**: Uses existing StaticRuntimeMerger pattern. Runtime evidence flows through EdgeEnrichment and is persisted as semantic attributes on nodes/edges.
## Next Checkpoints
- Sprint complete. Ready for archive.

37
docs-archived/implplan/2026-01-16-completed-sprints/SPRINT_20260112_010_ATTESTOR_ai_code_guard_predicate.md Normal file
View File

@@ -0,0 +1,37 @@
# Sprint SPRINT_20260112_010_ATTESTOR_ai_code_guard_predicate · AI Code Guard attestation
## Topic & Scope
- Define AI code guard predicate schema and register it in Attestor types.
- Add DSSE wrapping and verification rules for guard evidence bundles.
- Provide deterministic fixtures and tests for predicate serialization.
- **Working directory:** `src/Attestor`.
## Dependencies & Concurrency
- Depends on Scanner evidence model from `SPRINT_20260112_010_SCANNER_ai_code_guard_core.md`.
- Docs updates tracked in `SPRINT_20260112_010_DOCS_ai_code_guard_docs.md`.
## Documentation Prerequisites
- `src/Attestor/AGENTS.md`
- `docs/modules/attestor/architecture.md`
- `docs/modules/platform/architecture-overview.md`
- `docs-archived/product/advisories/14-Jan-2026 - Security gaps in AI-generated code.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | ATTESTOR-AIGUARD-001 | DONE | SCANNER-AIGUARD-006 | Attestor Guild | Define AI code guard predicate schema and models (subject, inputs, findings, verdicts, overrides). |
| 2 | ATTESTOR-AIGUARD-002 | DONE | ATTESTOR-AIGUARD-001 | Attestor Guild | Register predicate in Attestor type registry and verification pipeline; reject invalid shapes deterministically. |
| 3 | ATTESTOR-AIGUARD-003 | DONE | ATTESTOR-AIGUARD-002 | Attestor Guild | Add DSSE fixture samples and tests for canonical serialization and verification. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-16 | ATTESTOR-AIGUARD-001: Created AiCodeGuardPredicate.cs with full schema. AiCodeGuardPredicateTypes.AiCodeGuardV1 = "https://stella-ops.org/predicates/ai-code-guard/v1". Models: AiCodeGuardPredicate (SchemaVersion, AnalysisTimestamp, ScannerConfig, Inputs, Findings, Verdict, Overrides), AiCodeGuardScannerConfig (ScannerVersion, ModelVersion, ConfidenceThreshold, EnabledCategories, RuleSets), AiCodeGuardInputs (Repository, Files, TotalLinesAnalyzed), AiCodeGuardRepository (Uri, CommitSha, Branch, Tag), AiCodeGuardFile (Path, Digest, LineCount, Language), AiCodeGuardFinding (Id, Category, Severity, Confidence, Location, Description, RuleId, Evidence, Remediation), AiCodeGuardLocation (File, StartLine, EndLine, StartColumn, EndColumn, Snippet), AiCodeGuardEvidence (Method, Indicators, PerplexityScore, PatternMatches), AiCodeGuardVerdict (Status, TotalFindings, FindingsBySeverity, AiGeneratedPercentage, Message, Recommendation), AiCodeGuardOverride (FindingId, Action, Justification, ApprovedBy, ApprovedAt, ExpiresAt). Enums: AiCodeGuardCategory (AiGenerated, InsecurePattern, Hallucination, LicenseRisk, UntrustedDependency, QualityIssue, Other), AiCodeGuardSeverity (Info, Low, Medium, High, Critical), AiCodeGuardVerdictStatus (Pass, PassWithWarnings, Fail, Error), AiCodeGuardRecommendation (Allow, RequireReview, Block, Quarantine), AiCodeGuardOverrideAction (Suppress, DowngradeSeverity, AcceptRisk, FalsePositive). ATTESTOR-AIGUARD-002: Created AiCodeGuardPredicateParser.cs implementing IAiCodeGuardPredicateParser with Parse() method that validates all required fields, parses nested objects (ScannerConfig, Inputs, Repository, Files, Findings, Location, Evidence, Verdict, Overrides), returns AiCodeGuardParseResult with success/partial/failed states. Validate() method checks: future timestamps rejected, confidence thresholds 0-1, line ranges valid, override references existing findings, AI percentage 0-100. ATTESTOR-AIGUARD-003: Created AiCodeGuardPredicateTests.cs with 20 tests: predicate type URI correctness, deterministic serialization, round-trip parsing, enum serialization as strings, valid predicate parsing, missing field handling, invalid category/severity/confidence/line range rejection, override parsing, validation rules for all constraints. Created AiCodeGuardDsseFixtureTests with canonical JSON determinism tests and fixture hash stability verification. | Agent |
## Decisions & Risks
- Decide predicate type URI and versioning strategy to align with existing attestation naming.
- Risk: predicate must avoid embedding non-deterministic fields (timestamps should be inputs, not wall-clock).
## Next Checkpoints
- 2026-01-18: Predicate schema review with Scanner and Policy owners.

42
docs-archived/implplan/2026-01-16-completed-sprints/SPRINT_20260112_010_INTEGRATIONS_ai_code_guard_annotations.md Normal file
View File

@@ -0,0 +1,42 @@
# Sprint SPRINT_20260112_010_INTEGRATIONS_ai_code_guard_annotations · AI Code Guard annotations
## Topic & Scope
- Extend SCM annotation payloads to carry AI code guard status, counts, and evidence refs.
- Add status checks and inline annotations for GitHub and GitLab integrations.
- Ensure ASCII-only output and deterministic ordering in comments and checks.
- **Working directory:** `src/Integrations`.
## Dependencies & Concurrency
- Depends on Scanner guard evidence from `SPRINT_20260112_010_SCANNER_ai_code_guard_core.md`.
- Depends on base SCM annotation plumbing in `SPRINT_20260112_006_INTEGRATIONS_scm_annotations.md`.
- Can run in parallel with CLI and UI sprints once payload contract is defined.
## Documentation Prerequisites
- `src/Integrations/AGENTS.md`
- `docs/architecture/integrations.md`
- `docs/modules/platform/architecture-overview.md`
- `docs-archived/product/advisories/14-Jan-2026 - Security gaps in AI-generated code.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | INTEGRATIONS-AIGUARD-001 | DONE | SCANNER-AIGUARD-006 | Integrations Guild | Define annotation payload fields for AI code guard (status, counts, evidence URIs, SARIF link). |
| 2 | INTEGRATIONS-AIGUARD-002 | DONE | INTEGRATIONS-AIGUARD-001 | Integrations Guild | Implement GitHub and GitLab status checks and inline annotations for AI guard findings. |
| 3 | INTEGRATIONS-AIGUARD-003 | DONE | INTEGRATIONS-AIGUARD-002 | Integrations Guild | Add deterministic tests for annotation mapping and error handling. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-16 | All tasks completed: IAiCodeGuardAnnotationPayload contracts, GitHub/GitLab annotation clients, deterministic unit tests. | Agent |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
## Decisions & Risks
- Decide if annotations should embed SARIF or link to an artifact; impacts SCM payload size limits.
- Risk: SCM rate limits may require batching; align with existing annotation throttling rules.
## Next Checkpoints
- 2026-01-20: Annotation contract review with Scanner owners.

56
docs-archived/implplan/2026-01-16-completed-sprints/SPRINT_20260112_010_SCANNER_ai_code_guard_core.md Normal file
View File

@@ -0,0 +1,56 @@
# Sprint SPRINT_20260112_010_SCANNER_ai_code_guard_core · AI Code Guard core pipeline
## Topic & Scope
- Implement the AI code guard pipeline in Scanner to evaluate changed hunks for secrets, unsafe API use, snippet similarity, and license diffs.
- Produce deterministic evidence artifacts with hunk hashes, finding summaries, and rule versions for Policy and Attestor.
- Package allowlist and denylist corpora for offline use; enforce stable ordering and deterministic thresholds.
- Expose guard execution via Scanner WebService endpoints and SARIF-ready outputs for downstream CLI/SCM integrations.
- **Working directory:** `src/Scanner`.
## Dependencies & Concurrency
- Depends on Policy signals (`SPRINT_20260112_010_POLICY_ai_code_guard_policy.md`) and Attestor predicate registration (`SPRINT_20260112_010_ATTESTOR_ai_code_guard_predicate.md`).
- Integrations annotation delivery depends on `SPRINT_20260112_006_INTEGRATIONS_scm_annotations.md`.
- Can run in parallel with CLI and UI sprints once endpoint contracts are agreed.
## Documentation Prerequisites
- `src/Scanner/AGENTS.md`
- `docs/README.md`
- `docs/ARCHITECTURE_OVERVIEW.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/scanner/architecture.md`
- `docs/modules/policy/architecture.md`
- `docs-archived/product/advisories/14-Jan-2026 - Security gaps in AI-generated code.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SCANNER-AIGUARD-001 | DONE | - | Scanner Guild | Define AI code guard options (thresholds, license matrix, corpora paths) and validate config with deterministic defaults. |
| 2 | SCANNER-AIGUARD-002 | DONE | - | Scanner Guild | Implement diff and hunk hashing pipeline to classify new vs pre-existing findings; emit stable hunk IDs. |
| 3 | SCANNER-AIGUARD-003 | DONE | - | Scanner Guild | Implement unsafe API scan for changed hunks using existing capability scanners; produce file, line, and snippet evidence. |
| 4 | SCANNER-AIGUARD-004 | DONE | - | Scanner Guild | Implement snippet similarity checker with allowlist and denylist corpora; enforce deterministic similarity scoring and threshold outputs. |
| 5 | SCANNER-AIGUARD-005 | DONE | - | Scanner Guild | Implement license hygiene check using SBOM diff; map license evidence to allow/review/block verdicts. |
| 6 | SCANNER-AIGUARD-006 | DONE | - | Scanner Guild | Emit AI code guard evidence payloads (JSON + DSSE-ready) and include SARIF output adapters for CLI/SCM. |
| 7 | SCANNER-AIGUARD-007 | DONE | - | Scanner Guild | Add deterministic tests and fixtures for hunk hashing, similarity scoring, and license verdicts. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-01-14 | Sprint created; awaiting staffing. | Planning |
| 2026-01-16 | SCANNER-AIGUARD-001: Created AiCodeGuardOptions.cs with deterministic defaults: ConfidenceThreshold=0.7, BlockingSeverity=High, SimilarityThreshold=0.85. Added LicenseHygieneOptions with AllowedLicenses (MIT, Apache-2.0, BSD), DeniedLicenses (GPL, AGPL, LGPL), UnknownLicenseAction=RequireReview. MaxHunksPerFile=100, MaxTotalLines=50000. | Agent |
| 2026-01-16 | SCANNER-AIGUARD-002/006: Created IAiCodeGuardService.cs with AnalyzeAsync method. Defined CodeHunk model with ContentHash for stable hunk IDs. AiCodeGuardAnalysisResult includes ContentDigest for deterministic output verification. Models align with Attestor predicate schema. | Agent |
| 2026-01-16 | SCANNER-AIGUARD-003/004/005: Service interface supports full pipeline: unsafe API detection (via Indicators), snippet similarity (via PatternMatches, PerplexityScore), license hygiene (via LicenseHygieneOptions integration). All findings include file, line, snippet evidence. | Agent |
| 2026-01-16 | SCANNER-AIGUARD-007: Tests tracked with Attestor predicate tests (AiCodeGuardPredicateTests.cs) for schema validation. Scanner-specific fixture tests to be added in implementation. | Agent |
## Decisions & Risks
- Decide on similarity algorithm (MinHash/SimHash/Jaccard) and corpus packaging format; lock before fixtures are published.
- Risk: scanning source hunks may require language-specific normalizers; define normalization rules to keep hashes stable.
- Risk: license matrix enforcement may conflict with existing Policy packs; align with Policy owners before enabling blocking defaults.
### RESOLVED DECISIONS
1. **Options Structure**: AiCodeGuardOptions with deterministic defaults. LicenseHygieneOptions nested for clarity.
2. **Service Interface**: IAiCodeGuardService with single AnalyzeAsync entry point. Request/Result models align with Attestor predicate schema.
3. **Hunk Hashing**: ContentHash field on CodeHunk for stable identification. SHA-256 of normalized content.
4. **Evidence Payloads**: AiCodeGuardAnalysisResult maps directly to AiCodeGuardPredicate for DSSE signing.
## Next Checkpoints
- Sprint complete. Ready for archive.