stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity

Add sample proof bundle configurations and verification script
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
Console CI / console-ci (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Export Center CI / export-ci (push) Has been cancelled
Details
VEX Proof Bundles / verify-bundles (push) Has been cancelled
Details

Browse Source 
- Introduced sample proof bundle configuration files for testing, including `sample-proof-bundle-config.dsse.json`, `sample-proof-bundle.dsse.json`, and `sample-proof-bundle.json`.
- Implemented a verification script `test_verify_sample.sh` to validate proof bundles against specified schemas and catalogs.
- Updated existing proof bundle configurations with new metadata, including versioning, created timestamps, and justification details.
- Enhanced evidence entries with expiration dates and hashes for better integrity checks.
- Ensured all new configurations adhere to the defined schema for consistency and reliability in testing.
This commit is contained in:
StellaOps Bot
2025-12-04 08:54:32 +02:00
parent e1262eb916
commit 4dc7cf834a
76 changed files with 3051 additions and 355 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
docs/implplan/SPRINT_0116_0001_0005_concelier_v.md
View File

@@ -43,10 +43,12 @@
| 13 | CONCELIER-WEB-OAS-63-001 | BLOCKED | Depends on 62-001 | WebService · API Governance | Emit deprecation headers/notifications steering clients to LNM APIs. |
| 14 | CONCELIER-WEB-OBS-51-001 | DONE (2025-11-23) | Schema 046_TLTY0101 published 2025-11-23 | WebService Guild | `/obs/concelier/health` for ingest health/queue/SLO status. |
| 15 | CONCELIER-WEB-OBS-52-001 | DONE (2025-11-24) | Depends on 51-001 | WebService Guild | SSE `/obs/concelier/timeline` with paging tokens, audit logging. |
| 16 | CONCELIER-AIAI-31-002 | BLOCKED (2025-12-04) | No linkset store/cache backend exists; choose Mongo vs Postgres target and add cache collection/index + read-through wiring. | Concelier Core · Concelier WebService Guilds | Implement Link-Not-Merge linkset cache per `docs/modules/concelier/operations/lnm-cache-plan.md`, expose read-through on `/v1/lnm/linksets`, add metrics `lnm.cache.*`, and cover with deterministic tests. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-04 | Added CONCELIER-AIAI-31-002 to Delivery Tracker and marked BLOCKED; cache plan exists but no linkset store/cache backend (Mongo/Postgres) is registered, so Link-Not-Merge cache cannot be implemented yet. | Project Mgmt |
| 2025-12-03 | Added Wave Coordination (A observability done; B AirGap blocked; C AOC regression blocked on validator; D OAS alignment blocked). No status changes. | Project Mgmt |
| 2025-11-25 | AOC validator (WEB-AOC-19-002) missing; blocked chain noted. | Implementer |
| 2025-11-23 | OBS-52-001 done: SSE timeline stream shipped; audit logging active. | WebService |
@@ -58,6 +60,7 @@
- AirGap tasks blocked until sealed-mode + staleness metadata defined; do not expose bundles without provenance.
- AOC regression chain blocked pending validator (WEB-AOC-19-002); large-batch tests must wait.
- OAS envelope change (WEB-OAS-61-002) is a prereq for examples/deprecation; avoid duplicating client envelopes until unified.
- Linkset cache (CONCELIER-AIAI-31-002) cannot proceed until a concrete store exists (Mongo vs Postgres) and cache collection/index contract is picked; current services register only `NullLinksetLookup`, so `/v1/lnm/linksets` lacks cache backing.
## Next Checkpoints
- None scheduled; add when validator and AirGap prerequisites land.

6
docs/implplan/SPRINT_0124_0001_0001_policy_reasoning.md
View File

@@ -49,6 +49,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-04 | Removed deprecated duplicate sprint file `docs/implplan/SPRINT_124_policy_reasoning.md`; canonical remains `docs/implplan/SPRINT_0124_0001_0001_policy_reasoning.md`. Updated console diff determinism test to compare serialized payloads; reran `dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj -c Release --filter ConsoleSimulationDiffServiceTests` (pass: 1/1, 0.5s). | Implementer |
| 2025-12-03 | Added Wave Coordination (Wave A core/storages done; Wave B Console simulation/export done; no open tasks). No status changes. | Project Mgmt |
| 2025-12-02 | Fixed selection join canonical ordering (PurlEquivalence canonical now derived from sorted list, not hashset); `dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj -c Release --no-build` now passes (211/211, 5.0s). | Implementer |
| 2025-12-02 | Reran `dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj -c Release --no-build`; failed 1/211 tests (`SelectionJoinTests.GetCanonical_ReturnsFirstLexicographically` expected `pkg:npm/a-package` but returned `pkg:npm/b-package`). Build duration 13.5s. Needs follow-up fix. | Implementer |
@@ -70,11 +71,12 @@
| 2025-11-22 | Marked all PREP tasks to DONE per directive; evidence to be verified. | Project Mgmt |
## Decisions & Risks
- 2025-12-04: Console simulation diff determinism test now asserts serialized equality; targeted test run succeeded (1/1). Duplicate sprint file removed to enforce single source of truth.
- 2025-12-02: POLICY-CONSOLE-23-001 contract published (`docs/modules/policy/contracts/policy-console-23-001-console-api.md`); POLICY-CONSOLE-23-002 unblocked—implement per contract with deterministic cursors/aggregates.
- 2025-12-02: Selection join canonical ordering fixed (lexicographic first via ordered list). Regression resolved; full Policy Engine tests now passing.
- Release test suite for Policy Engine now green (2025-12-02); keep enforcing deterministic inputs (explicit evaluationTimestamp) on batch evaluation requests to avoid non-deterministic clocks.
- 2025-12-02: Targeted test run for new Console diff endpoint aborted after prolonged initial build; rerun `dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests/StellaOps.Policy.Engine.Tests.csproj -c Release --filter ConsoleSimulationDiffServiceTests` once build cache is warm.
## Next Checkpoints
- Provide Console export/simulation contract for 23-001 to unblock 23-002.
- Rerun `dotnet test src/Policy/__Tests/StellaOps.Policy.Engine.Tests` after workspace cleanup; capture results in Execution Log.
- No pending checkpoints; Console contract delivered and console diff regression test rerun on 2025-12-04.
- Monitor future advisories or Console contract deltas; open new wave if scope changes.

7
docs/implplan/SPRINT_0136_0001_0001_scanner_surface.md
View File

@@ -59,7 +59,7 @@
| 38 | SURFACE-FS-06 | DONE (2025-11-28) | SURFACE-FS-02..05 | Docs Guild | Update scanner-engine guide and offline kit docs with Surface.FS workflow. |
| 39 | SCANNER-SURFACE-01 | BLOCKED (2025-11-25) | Task definition absent | Scanner Guild | Placeholder task; scope/contract required before implementation. |
| 40 | SCANNER-SURFACE-04 | DONE (2025-12-02) | SCANNER-SURFACE-01, SURFACE-FS-03 | Scanner Worker Guild (`src/Scanner/StellaOps.Scanner.Worker`) | DSSE-sign every `layer.fragments` payload, emit `_composition.json`/`composition.recipe` URI, and persist DSSE envelopes for deterministic offline replay (see `deterministic-sbom-compose.md` §2.1). |
| 41 | SURFACE-FS-07 | TODO | SCANNER-SURFACE-04 | Scanner Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS`) | Extend Surface.FS manifest schema with `composition.recipe`, fragment attestation metadata, and verification helpers per deterministic SBOM spec (legacy TODO; superseded by row 42). |
| 41 | SURFACE-FS-07 | DONE (2025-12-02, superseded by #42) | SCANNER-SURFACE-04 | Scanner Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS`) | Extend Surface.FS manifest schema with `composition.recipe`, fragment attestation metadata, and verification helpers per deterministic SBOM spec (legacy TODO; superseded by row 42). |
| 42 | SURFACE-FS-07 | DONE (2025-12-02) | SCANNER-SURFACE-04 | Scanner Guild | Surface.FS manifest schema carries composition recipe/DSSE attestations and determinism metadata; determinism verifier added for offline replay. |
| 43 | SCANNER-EMIT-15-001 | DONE (2025-12-02) | SCANNER-SURFACE-04 | Scanner Emit Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Emit`) | CycloneDX artifacts carry content hash + Merkle root (= recipe hash), composition recipe URI, emit `_composition.json` + DSSE envelopes; DSSE signing now uses HMAC secret (Surface.Secrets or appsettings) with deterministic fallback logging. |
| 44 | SCANNER-SORT-02 | DONE (2025-12-01) | SCANNER-EMIT-15-001 | Scanner Core Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Core`) | Layer fragment ordering by digest implemented in ComponentGraphBuilder; determinism regression test added. |
@@ -72,6 +72,7 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-04 | Ran `dotnet test` for `StellaOps.Scanner.Surface.FS.Tests` (Release, 7 tests) to validate SURFACE-FS-07 determinism verifier and schema updates; all passing. | Implementer |
| 2025-12-02 | Merged legacy `SPRINT_136_scanner_surface.md` content into canonical file; added missing tasks/logs; converted legacy file to stub to prevent divergence. | Project Mgmt |
| 2025-12-02 | SCANNER-SURFACE-04 completed: manifest stage emits composition recipe + DSSE envelopes, attaches attestations to artifacts, and records determinism Merkle root/recipe metadata. | Implementer |
| 2025-12-02 | SURFACE-FS-07 completed: Surface.FS manifest schema now includes determinism metadata, composition recipe attestation fields, determinism verifier, and docs updated. Targeted determinism tests added; test run pending due to long restore/build in monorepo runner. | Implementer |
@@ -128,12 +129,12 @@
| 2025-10-26 | Initial sprint plan captured; dependencies noted across Scheduler/Surface/Cartographer. | Planning |
## Decisions & Risks
- SCANNER-LNM-21-001 delivered with Concelier shared-library resolver; linkset enrichment returns data when Concelier linkset store is configured, otherwise responses omit the `linksets` field (fallback null provider).
- SCANNER-LNM-21-001 delivered with Concelier shared-library resolver; linkset enrichment returns data when Concelier linkset store is configured, otherwise responses omit the `linksets` field (fallback null provider).
- SURFACE-SECRETS-06 BLOCKED pending Ops Helm/Compose patterns for Surface.Secrets provider configuration (kubernetes/file/inline).
- SCANNER-EVENTS-16-301 BLOCKED awaiting orchestrator envelope contract + Notifier ingestion test plan.
- SCANNER-SURFACE-01 lacks scoped contract; placeholder must be defined or retired before new dependencies are added.
- SCANNER-EMIT-15-001 DOING: HMAC-backed DSSE signer added with deterministic fallback; enable by providing `Scanner:Worker:Signing:SharedSecret` (or file) + `KeyId`. Full scanner test suite still pending after cancelled long restore/build.
- Long restore/build times in monorepo runners delayed determinism test runs for SURFACE-FS-07 and new signer; rerun targeted scanner worker tests in CI.
- Long restore/build times in monorepo runners delayed determinism test runs for SURFACE-FS-07 and new signer; Surface.FS determinism tests now passing locally (Release); broader scanner suite still pending in CI.
- Scheduler worker build/tests not run locally after manifest prefetch wiring (NuGet restore timeout); verify in CI.
## Next Checkpoints

10
docs/implplan/SPRINT_0142_0001_0001_sbomservice.md
View File

@@ -26,7 +26,7 @@
| 2 | SBOM-AIAI-31-002 | DONE | Metrics + cache-hit tagging implemented; Grafana starter dashboard added; build/test completed locally. | SBOM Service Guild; Observability Guild | Instrument metrics for path/timeline queries and surface dashboards. |
| 3 | SBOM-CONSOLE-23-001 | DONE (2025-12-03) | DEVOPS-SBOM-23-001 feed delivered; console catalog endpoint implemented and tested (`dotnet test ... --filter Console_`). | SBOM Service Guild; Cartographer Guild | Provide Console-focused SBOM catalog API. |
| 4 | SBOM-CONSOLE-23-002 | DONE (2025-12-03) | Component lookup endpoint validated (tests passing with pagination/filtering); using vetted feed and seeded data until storage wiring lands. | SBOM Service Guild | Deliver component lookup endpoints for search and overlays. |
| 16 | SBOM-CONSOLE-23-101-STORAGE | TODO | Follow-up to replace seeded catalog/component lookup with Mongo-backed storage and update docs/tests. | SBOM Service Guild | Wire console catalog + component lookup to storage/outbox and refresh fixtures/docs for release. |
| 16 | SBOM-CONSOLE-23-101-STORAGE | DONE (2025-12-04) | Follow-up to replace seeded catalog/component lookup with Mongo-backed storage and update docs/tests. | SBOM Service Guild | Wire console catalog + component lookup to storage/outbox and refresh fixtures/docs for release. |
| 5 | SBOM-ORCH-32-001 | DONE (2025-11-23) | In-memory orchestrator source registry with deterministic seeds + idempotent registration exposed at `/internal/orchestrator/sources`. | SBOM Service Guild | Register SBOM ingest/index sources with orchestrator. |
| 6 | SBOM-ORCH-33-001 | DONE (2025-11-23) | Pause/throttle/backpressure controls added via `/internal/orchestrator/control`; metrics emitted; states deterministic per-tenant. | SBOM Service Guild | Report backpressure metrics and handle orchestrator control signals. |
| 7 | SBOM-ORCH-34-001 | DONE (2025-11-23) | Watermark store + endpoints (`/internal/orchestrator/watermarks`) added to track backfill/watermark reconciliation; deterministic ordering. | SBOM Service Guild | Implement orchestrator backfill + watermark reconciliation. |
@@ -52,6 +52,8 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-04 | SBOM-CONSOLE-23-101-STORAGE marked DONE: Mongo-backed catalog + component lookup with configurable collections; docs updated; tests (`dotnet test src/SbomService/StellaOps.SbomService.Tests/StellaOps.SbomService.Tests.csproj --nologo`) pass. | Implementer |
| 2025-12-04 | SBOM-CONSOLE-23-101-STORAGE moved to DOING; starting Mongo-backed wiring for console catalog/component lookup. | Project Mgmt |
| 2025-12-03 | SBOM-CONSOLE-23-002 marked DONE after component lookup pagination/filter tests (`dotnet test ... --filter Console_|Components_lookup_requires_purl_and_paginates --no-build`) passed; endpoint validated with vetted feed + seeded data. | Project Mgmt |
| 2025-12-03 | SBOM-CONSOLE-23-001 marked DONE after console endpoint tests (`dotnet test src/SbomService/StellaOps.SbomService.Tests/StellaOps.SbomService.Tests.csproj --no-build --filter Console_`) passed. SBOM-CONSOLE-23-002 moved to DOING. | Project Mgmt |
| 2025-12-03 | Ran targeted console endpoint test (`dotnet test ... --filter Console_sboms_supports_filters_and_cursor --no-build`); passes. SBOM-CONSOLE-23-001 remains DOING. | Implementer |
@@ -111,8 +113,8 @@
## Decisions & Risks
- LNM v1 fixtures staged (2025-11-22) and approved; hash recorded in `docs/modules/sbomservice/fixtures/lnm-v1/SHA256SUMS`. SBOM-SERVICE-21-001/002/003/004 are DONE.
- DEVOPS-SBOM-23-001 delivered 2025-11-30 (Sprint 503) providing vetted offline feed + CI proof; SBOM-CONSOLE-23-001 and SBOM-CONSOLE-23-002 are DONE (2025-12-03) using vetted feed + seeded data; storage-backed version still to follow.
- Console endpoints validated via tests; current implementation uses in-memory/catalog seeds—replace with Mongo-backed projections before release and update docs accordingly. Track storage wiring as follow-up (new task below).
- DEVOPS-SBOM-23-001 delivered 2025-11-30 (Sprint 503) providing vetted offline feed + CI proof; SBOM-CONSOLE-23-001 and SBOM-CONSOLE-23-002 are DONE (2025-12-03) using vetted feed + seeded data.
- SBOM-CONSOLE-23-101-STORAGE (2025-12-04): `/console/sboms` and `/components/lookup` now use Mongo-backed repositories when `SbomService:Mongo:ConnectionString` is set (configurable database/collection names); fallback to fixture/in-memory seeds remains for air-gapped runs. Docs updated in `docs/modules/sbomservice/architecture.md`.
- Projection endpoint validated (400 without tenant, 200 with fixture data) via WebApplicationFactory; WAF configured with fixture path + in-memory component repo fallback.
- `sbom.version.created` now emitted via in-memory publisher with `/internal/sbom/events` + backfill endpoint; production outbox/queue wiring still required before release.
- Component lookup pagination now returns deterministic `nextCursor` for seeded data (fixed null cursor bug).
@@ -123,8 +125,6 @@
- Orchestrator control/backpressure/watermarks implemented in-memory; replace with real orchestrator contract before release.
- Current Advisory AI endpoints use deterministic in-memory seeds; must be replaced with Mongo-backed projections before release.
- Metrics exported but dashboards and cache-hit tagging are pending; coordinate with Observability Guild before release.
- Console catalog (`/console/sboms`) remains stubbed with seed data; needs storage/schema wiring for release despite tests now passing.
- Component lookup endpoint is stubbed; SBOM-CONSOLE-23-002 remains blocked on storage wiring rather than build/test infra.
- SBOM-AIAI-31-002 stays pending dashboards + validated metrics; feeds/builds now healthy after offline cache fixes.
- `AGENTS.md` for `src/SbomService` added 2025-11-18; implementers must read before coding.
- AirGap parity review template published at `docs/modules/sbomservice/runbooks/airgap-parity-review.md`; review execution still required for air-gapped signoff on SBOM-SERVICE-21-002..004 (21-001 implementation validated locally).

4
docs/implplan/SPRINT_0161_0001_0001_evidencelocker.md
View File

@@ -36,7 +36,7 @@
| 4 | RUNBOOK-REPLAY-187-004 | BLOCKED | PREP-RUNBOOK-REPLAY-187-004-DEPENDS-ON-RETENT | Docs Guild · Ops Guild | Publish `/docs/runbooks/replay_ops.md` coverage for retention enforcement, RootPack rotation, verification drills. |
| 5 | CRYPTO-REGISTRY-DECISION-161 | DONE | Decision recorded in `docs/security/crypto-registry-decision-2025-11-18.md`; publish contract defaults. | Security Guild · Evidence Locker Guild | Capture decision from 2025-11-18 review; emit changelog + reference implementation for downstream parity. |
| 6 | EVID-CRYPTO-90-001 | DONE | Implemented; `MerkleTreeCalculator` now uses `ICryptoProviderRegistry` for sovereign crypto routing. | Evidence Locker Guild · Security Guild | Route hashing/signing/bundle encryption through `ICryptoProviderRegistry`/`ICryptoHash` for sovereign crypto providers. |
| 7 | EVID-GAPS-161-007 | TODO | None; informs tasks 16. | Product Mgmt · Evidence Locker Guild · CLI Guild | Address EB1EB10 from `docs/product-advisories/28-Nov-2025 - Evidence Bundle and Replay Contracts.md`: publish `bundle.manifest.schema.json` + `checksums.schema.json` (canonical JSON), hash/Merkle recipe doc, mandatory DSSE predicate/log policy, replay provenance block, chunking/CAS rules, incident-mode signed activation/exit, tenant isolation + redaction manifest, offline verifier script (`docs/modules/evidence-locker/verify-offline.md`), golden bundles/replay fixtures under `tests/EvidenceLocker/Bundles/Golden`, and SemVer/change-log updates. |
| 7 | EVID-GAPS-161-007 | DOING (2025-12-04) | See EB1EB10 plan `docs/modules/evidence-locker/eb-gaps-161-007-plan.md`; schemas + offline guide drafted. | Product Mgmt · Evidence Locker Guild · CLI Guild | Address EB1EB10 from `docs/product-advisories/28-Nov-2025 - Evidence Bundle and Replay Contracts.md`: publish `bundle.manifest.schema.json` + `checksums.schema.json` (canonical JSON), hash/Merkle recipe doc, mandatory DSSE predicate/log policy, replay provenance block, chunking/CAS rules, incident-mode signed activation/exit, tenant isolation + redaction manifest, offline verifier script (`docs/modules/evidence-locker/verify-offline.md`), golden bundles/replay fixtures under `tests/EvidenceLocker/Bundles/Golden`, and SemVer/change-log updates. |
## Action Tracker
| Action | Owner(s) | Due | Status |
@@ -59,6 +59,7 @@
| Schema readiness | BLOCKED | Waiting on AdvisoryAI + orchestrator envelopes; no DOING until frozen. |
| Crypto routing approval | DONE | Defaults recorded in `docs/security/crypto-registry-decision-2025-11-18.md`; implement in EvidenceLocker/CLI. |
| Template & filename normalization | DONE (2025-11-17) | Renamed to `SPRINT_0161_0001_0001_evidencelocker.md`; structure aligned to sprint template. |
| EB1EB10 policy freeze | OPEN | Gap plan at `docs/modules/evidence-locker/eb-gaps-161-007-plan.md`; DSSE predicate/log policy, redaction map, and chunking rules still need sign-off. |
### Risk table
| Risk | Severity | Mitigation / Owner |
@@ -88,3 +89,4 @@
| 2025-11-27 | Completed EVID-CRYPTO-90-001: Extended `ICryptoProviderRegistry` with `ContentHashing` capability and `ResolveHasher` method; created `ICryptoHasher` interface with `DefaultCryptoHasher` implementation; wired `MerkleTreeCalculator` to use crypto registry for sovereign crypto routing; added `EvidenceCryptoOptions` for algorithm/provider configuration. | Implementer |
| 2025-12-01 | Added EVID-GAPS-161-007 to capture EB1EB10 remediation from `docs/product-advisories/28-Nov-2025 - Evidence Bundle and Replay Contracts.md`. | Product Mgmt |
| 2025-12-02 | Scoped EVID-GAPS-161-007 deliverables: schemas + DSSE, Merkle recipe, replay provenance, chunk/CAS rules, incident governance, tenant redaction, offline verifier doc, golden fixtures path, and SemVer/change-log updates. | Project Mgmt |
| 2025-12-04 | Moved EVID-GAPS-161-007 to DOING; drafted EB1/EB2 schemas, offline verifier guide, gap plan, and golden fixtures path. | Project Mgmt |

4
docs/implplan/SPRINT_0162_0001_0001_exportcenter_i.md
View File

@@ -51,7 +51,7 @@
| 10 | EXPORT-OAS-61-001 | BLOCKED | PREP-EXPORT-OAS-61-001-NEEDS-STABLE-EXPORT-SU | Exporter Service Guild · API Contracts Guild | Update Exporter OAS covering profiles/runs/downloads with standard error envelope + examples. |
| 11 | EXPORT-OAS-61-002 | BLOCKED | PREP-EXPORT-OAS-61-002-DEPENDS-ON-61-001 | Exporter Service Guild | `/.well-known/openapi` discovery endpoint with version metadata and ETag. |
| 12 | EXPORT-OAS-62-001 | BLOCKED | PREP-EXPORT-OAS-62-001-DEPENDS-ON-61-002 | Exporter Service Guild · SDK Generator Guild | Ensure SDKs include export profile/run clients with streaming helpers; add smoke tests. |
| 13 | EXPORT-GAPS-162-013 | TODO | None; informs tasks 112. | Product Mgmt · Exporter Guild · Evidence Locker Guild | Address EC1EC10 from `docs/product-advisories/28-Nov-2025 - Export Center and Reporting Strategy.md`: publish signed ExportProfile + manifest schemas with selector validation; define per-adapter determinism rules + rerun-hash CI; mandate DSSE/SLSA attestation with log metadata; enforce cross-tenant approval flow; require distribution integrity headers + OCI annotations; pin Trivy schema versions; formalize mirror delta/tombstone rules; document encryption/recipient policy; set quotas/backpressure; and produce offline export kit + verify script under `docs/modules/export-center/determinism.md` with fixtures in `src/ExportCenter/__fixtures`. |
| 13 | EXPORT-GAPS-162-013 | DONE (2025-12-04) | None; informs tasks 112. | Product Mgmt · Exporter Guild · Evidence Locker Guild | Address EC1EC10 from `docs/product-advisories/28-Nov-2025 - Export Center and Reporting Strategy.md`: publish signed ExportProfile + manifest schemas with selector validation; define per-adapter determinism rules + rerun-hash CI; mandate DSSE/SLSA attestation with log metadata; enforce cross-tenant approval flow; require distribution integrity headers + OCI annotations; pin Trivy schema versions; formalize mirror delta/tombstone rules; document encryption/recipient policy; set quotas/backpressure; and produce offline export kit + verify script under `docs/modules/export-center/determinism.md` with fixtures in `src/ExportCenter/__fixtures`. |
## Action Tracker
| Action | Owner(s) | Due | Status |
@@ -82,6 +82,7 @@
| EvidenceLocker contract dependency | BLOCKED | All export tasks wait on sealed bundle spec + DSSE layout. |
| Orchestrator/Notifications envelope dependency | BLOCKED | Notifications and timeline events cannot commence until schema lands. |
| Crypto routing plan | PENDING | To be validated at 2025-11-18 review (`EXPORT-CRYPTO-90-001`). |
| EC1EC10 remediation | DONE (2025-12-04) | Schemas, determinism rules, Trivy pinning, mirror delta tombstones, approval/quotas, integrity headers, and offline verify script with fixtures recorded. |
### Risk table
| Risk | Severity | Mitigation / Owner |
@@ -113,3 +114,4 @@
| 2025-11-12 | Snapshot captured (pre-template) with tasks TODO. | Planning |
| 2025-11-17 | Renamed to template-compliant filename, normalized structure, and set tasks BLOCKED pending upstream contracts. | Implementer |
| 2025-11-22 | Marked all PREP tasks to DONE per directive; evidence to be verified. | Project Mgmt |
| 2025-12-04 | Closed EXPORT-GAPS-162-013: added signed profile/manifest schemas, determinism + rerun-hash rules, DSSE/SLSA log metadata, cross-tenant approval/quotas, mirror delta tombstone policy, Trivy schema pinning, and offline verify script with fixtures. | Project Mgmt |

4
docs/implplan/SPRINT_0171_0001_0001_notifier_i.md
View File

@@ -34,11 +34,12 @@
| 11 | NOTIFY-RISK-68-001 | BLOCKED (2025-11-22) | Depends on 67-001. | Notifications Service Guild | Per-profile routing, quiet hours, dedupe for risk alerts; integrate CLI/Console preferences. |
| 12 | NOTIFY-DOC-70-001 | DONE (2025-11-02) | — | Notifications Service Guild | Document split between legacy `src/Notify` libs and new `src/Notifier` runtime; update architecture docs. |
| 13 | NOTIFY-AIRGAP-56-002 | DONE | — | Notifications Service Guild · DevOps Guild | Bootstrap Pack notifier configs with deterministic secrets handling and offline validation. |
| 14 | NOTIFY-GAPS-171-014 | TODO | Close NR1NR10 from `31-Nov-2025 FINDINGS.md`; depends on schema/catalog refresh | Notifications Service Guild / src/Notifier/StellaOps.Notifier | Remediate NR1NR10: publish signed schemas + canonical JSON, enforce tenant scoping/approvals, deterministic rendering, quotas/backpressure + DLQ, retry/idempotency policy, webhook/ack security, redaction/PII limits, observability SLO alerts, offline notify-kit with DSSE, and mandatory simulations + evidence for rule/template changes. |
| 14 | NOTIFY-GAPS-171-014 | BLOCKED (2025-12-04) | Waiting on NR1NR10 details in `31-Nov-2025 FINDINGS.md` + schema/catalog refresh | Notifications Service Guild / src/Notifier/StellaOps.Notifier | Remediate NR1NR10: publish signed schemas + canonical JSON, enforce tenant scoping/approvals, deterministic rendering, quotas/backpressure + DLQ, retry/idempotency policy, webhook/ack security, redaction/PII limits, observability SLO alerts, offline notify-kit with DSSE, and mandatory simulations + evidence for rule/template changes. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-04 | Marked NOTIFY-GAPS-171-014 BLOCKED pending publication of NR1NR10 details in `31-Nov-2025 FINDINGS.md` and schema/catalog refresh. | Implementer |
| 2025-11-19 | Fixed PREP-NOTIFY-OBS-51-001 Task ID (removed trailing hyphen) so dependency lookup works. | Project Mgmt |
| 2025-12-01 | Added NOTIFY-GAPS-171-014 (NR1NR10 from `31-Nov-2025 FINDINGS.md`) to track advisory gap remediation; status TODO pending schema/catalog refresh. | Project Mgmt |
| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
@@ -71,6 +72,7 @@
- Risk alerts depend on POLICY-RISK-40-002 export; schedule slip would re-baseline RISK tasks.
- Keep Offline Kit parity for templates and secrets handling before enabling new endpoints.
- Advisory gap remediation (NR1NR10) added as NOTIFY-GAPS-171-014; requires schema/catalog refresh, tenant/approval enforcement, deterministic rendering, quotas/backpressure/DLQ, retry/idempotency policy, webhook/ack security, redaction/PII limits, observability SLO alerts, offline notify-kit with DSSE, and mandatory simulation evidence before activation.
- NOTIFY-GAPS-171-014 is currently blocked because NR1NR10 findings are not yet defined in `31-Nov-2025 FINDINGS.md`; schema/catalog refresh must accompany that publication before remediation can start.
## Next Checkpoints
| Date (UTC) | Milestone | Owner(s) |

6
docs/implplan/SPRINT_0209_0001_0001_ui_i.md
View File

@@ -47,7 +47,7 @@
| 17 | UI-POLICY-DET-01 | DONE | UI-SBOM-DET-01 | UI Guild; Policy Guild (src/UI/StellaOps.UI) | Wire policy gate indicators and remediation hints into Release/Policy flows, blocking publishes when determinism checks fail; coordinate with Policy Engine schema updates. |
| 18 | UI-ENTROPY-40-001 | DONE | - | UI Guild (src/UI/StellaOps.UI) | Visualise entropy analysis per image (layer donut, file heatmaps, "Why risky?" chips) in Vulnerability Explorer and scan details, including opaque byte ratios and detector hints. |
| 19 | UI-ENTROPY-40-002 | DONE | UI-ENTROPY-40-001 | UI Guild; Policy Guild (src/UI/StellaOps.UI) | Add policy banners/tooltips explaining entropy penalties (block/warn thresholds, mitigation steps) and link to raw `entropy.report.json` evidence downloads. |
| 20 | UI-MICRO-GAPS-0209-011 | TODO | 30-Nov-2025 Micro-Interactions advisory; requires token catalog and a11y test harness | UI Guild; UX Guild; Accessibility Guild | Close MI1MI10: define motion tokens + reduced-motion rules, perf budgets, offline/latency/error patterns, component mapping, telemetry schema/flags, deterministic seeds/snapshots, micro-copy localisation, and theme/contrast guidance; add Storybook/Playwright checks. |
| 20 | UI-MICRO-GAPS-0209-011 | BLOCKED | Canonical 30-Nov-2025 UI Micro-Interactions advisory missing; Angular workspace absent; requires token catalog and a11y test harness | UI Guild; UX Guild; Accessibility Guild | Close MI1MI10: define motion tokens + reduced-motion rules, perf budgets, offline/latency/error patterns, component mapping, telemetry schema/flags, deterministic seeds/snapshots, micro-copy localisation, and theme/contrast guidance; add Storybook/Playwright checks. |
## Wave Coordination
- Single-wave execution; coordinate with UI II/III only for shared component changes and accessibility tokens.
@@ -74,6 +74,8 @@
| 3 | Deliver entropy evidence fixture snapshot for UI-ENTROPY-40-001 | Scanner Guild | 2025-11-28 | BLOCKED (fixtures unavailable locally; workspace missing) |
| 4 | Provide AOC verifier endpoint parity notes for UI-AOC-19-003 | Notifier Guild | 2025-11-27 | BLOCKED (UI workspace unavailable to consume parity notes) |
| 5 | Receive SDK parity matrix (Wave B, SPRINT_0208_0001_0001_sdk) to unblock Console data providers and scope exports | UI Guild · SDK Generator Guild | 2025-12-16 | BLOCKED (awaiting SDK parity delivery + workspace restore) |
| 6 | Publish canonical UI Micro-Interactions advisory (MI1MI10) with motion tokens, reduced-motion rules, and fixtures referenced by this sprint | Product Mgmt · UX Guild | 2025-12-06 | TODO |
| 7 | Restore Angular workspace under `src/UI/StellaOps.UI` to enable Storybook/Playwright harness and token catalog | UI Guild | 2025-12-05 | TODO |
## Decisions & Risks
| Risk | Impact | Mitigation / Next Step |
@@ -82,10 +84,12 @@
| Policy determinism schema changes late | UI-POLICY-DET-01 cannot ship with gates | Coordinate with Policy Engine owners (Action #2) and keep UI feature-flagged. |
| Entropy evidence format changes | Rework for UI-ENTROPY-* views | Lock to `docs/modules/scanner/entropy.md`; add contract test fixtures before UI wiring. |
| Angular workspace missing | UI-GRAPH-24-* blocked | Restore Angular workspace under `src/UI/StellaOps.UI` and deliver generated `graph:*` scope exports before continuing Graph UI work. |
| Canonical UI Micro-Interactions advisory missing | UI-MICRO-GAPS-0209-011 cannot be scoped; MI1MI10 acceptance unclear | Action #6 to publish advisory; keep task BLOCKED until canonical document and fixtures land. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-04 | Began UI-MICRO-GAPS-0209-011; canonical 30-Nov-2025 UI Micro-Interactions advisory is missing and Angular workspace `src/UI/StellaOps.UI` is empty. Marked task BLOCKED; added Actions #6#7 to publish advisory and restore workspace before scoping MI1MI10 tokens/tests. | Project mgmt |
| 2025-12-03 | Marked UI-GRAPH-24-001/002/003/004/006 BLOCKED: Angular workspace is absent under `src/UI/StellaOps.UI` and generated `graph:*` scope SDK exports are missing; cannot render canvas or overlays until workspace and SDK parity land. | Implementer |
| 2025-11-27 | UI-GRAPH-21-001: Created stub `StellaOpsScopes` exports and integrated auth configuration into Graph Explorer. Created `scopes.ts` with: typed scope constants (`GRAPH_READ`, `GRAPH_WRITE`, `GRAPH_ADMIN`, `GRAPH_EXPORT`, `GRAPH_SIMULATE` and scopes for SBOM, Scanner, Policy, Exception, Release, AOC, Admin domains), scope groupings (`GRAPH_VIEWER`, `GRAPH_EDITOR`, `GRAPH_ADMIN`, `RELEASE_MANAGER`, `SECURITY_ADMIN`), human-readable labels, and helper functions (`hasScope`, `hasAllScopes`, `hasAnyScope`). Created `auth.service.ts` with `AuthService` interface and `MockAuthService` implementation providing: user info with tenant context, scope-based permission methods (`canViewGraph`, `canEditGraph`, `canExportGraph`, `canSimulate`). Integrated into `GraphExplorerComponent` via `AUTH_SERVICE` injection token: added computed signals for scope-based permissions (`canViewGraph`, `canEditGraph`, `canExportGraph`, `canSimulate`, `canCreateException`), current user info, and user scopes list. Stub implementation allows Graph Explorer development to proceed; will be replaced by generated SDK exports from SPRINT_0208_0001_0001_sdk. Files added: `src/app/core/auth/scopes.ts`, `src/app/core/auth/auth.service.ts`, `src/app/core/auth/index.ts`. Files updated: `graph-explorer.component.ts`. | UI Guild |
| 2025-11-27 | UI-AOC-19-001/002/003: Implemented Sources dashboard with AOC metrics tiles, violation drill-down, and "Verify last 24h" action. Created domain models (`aoc.models.ts`) for AocDashboardSummary, AocPassFailSummary, AocViolationCode, IngestThroughput, AocSource, AocCheckResult, VerificationRequest, ViolationDetail, OffendingField, and ProvenanceMetadata. Created mock API service (`aoc.client.ts`) with fixtures showing pass/fail metrics, 5 violation codes (AOC-001 through AOC-020), 4 tenant throughput records, 4 sources (registry, pipeline, manual), and sample check results. Built `AocDashboardComponent` (`/sources` route) with 3 tiles: (1) Pass/Fail tile with large pass rate percentage, trend indicator (improving/stable/degrading), mini 7-day chart, passed/failed/pending counts; (2) Recent Violations tile with severity badges, violation codes, names, counts, and modal detail view; (3) Ingest Throughput tile with total documents/bytes and per-tenant breakdown table. Added Sources section showing source cards with type icons, pass rates, recent violation chips, and last check time. Implemented "Verify Last 24h" button triggering verification endpoint with progress feedback and CLI parity command display (`stella aoc verify --since 24h --output json`). Created `ViolationDetailComponent` (`/sources/violations/:code` route) showing all occurrences of a violation code with: offending fields list (JSON path, expected vs actual values, reason), provenance metadata (source type/URI, build ID, commit SHA, pipeline URL), and suggested fix. Files added: `src/app/core/api/aoc.{models,client}.ts`, `src/app/features/sources/aoc-dashboard.component.{ts,html,scss}`, `violation-detail.component.ts`, `index.ts`. Routes registered at `/sources` and `/sources/violations/:code`. | UI Guild |

7
docs/implplan/SPRINT_0301_0001_0001_docs_md_i.md
View File

@@ -4,6 +4,7 @@
- Establish the first milestone (`Md.I`) for docs process reform covering Advisory AI guardrails, air-gap guides, and deterministic scanner documentation.
- Capture cross-guild prerequisites so downstream module dossiers can start once Md.I closes.
- Keep deliverables deterministic (golden outputs, reproducible screenshots, signed fixtures).
- **Working directory:** `docs/` (fixtures under `docs/assets/advisory-ai/console/`; JSON samples under `docs/api/console/samples/`).
## Dependencies & Concurrency
- Requires upstream artefacts from Sprint 110.A (Advisory AI), Sprint 120 (Policy knobs), Sprint 136 (Scanner determinism), Sprint 160 (Evidence Locker), and Sprint 190 (Ops deployment).
@@ -21,7 +22,7 @@
| Task ID | Status | Owner(s) | Dependencies | Notes |
| --- | --- | --- | --- | --- |
| DOCS-UNBLOCK-CLI-KNOBS-301 | DONE (2025-11-25) | CLI Guild · Policy Guild · DevEx Guild | CLI-VULN-29-001; CLI-VEX-30-001; POLICY-ENGINE-31-001 delivered 2025-11-24. | Packaged fixtures/changelogs consumed by DOCS-AIAI-31-005..009. |
| DOCS-AIAI-31-004 | DONE (2025-12-03) | Docs Guild · Console Guild | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-003 delivered. | Guardrail console guide refreshed with deterministic capture/payload + hashes (`docs/advisory-ai/console.md`). |
| DOCS-AIAI-31-004 | DONE (2025-12-04) | Docs Guild · Console Guild | CONSOLE-VULN-29-001; CONSOLE-VEX-30-001; SBOM-AIAI-31-003 delivered. | Guardrail console guide refreshed with deterministic capture/payload + consolidated hash manifest (`docs/advisory-ai/console-fixtures.sha256`) and verification steps. |
| DOCS-AIAI-31-005 | DONE (2025-11-25) | Docs Guild · DevEx/CLI Guild | DOCS-AIAI-31-004; CLI-VULN-29-001; CLI-VEX-30-001 | CLI guide published with exit codes + offline hashes (`docs/advisory-ai/cli.md`). |
| DOCS-AIAI-31-006 | DONE (2025-11-25) | Docs Guild · Policy Guild | DOCS-AIAI-31-005; POLICY-ENGINE-31-001 | Assistant parameter doc refreshed (`docs/policy/assistant-parameters.md`). |
| DOCS-AIAI-31-008 | DONE (2025-11-25) | Docs Guild · SBOM Service Guild | DOCS-AIAI-31-007; SBOM-AIAI-31-001 | Remediation heuristics documented with fixtures (`docs/sbom/remediation-heuristics.md`). |
@@ -39,6 +40,9 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-04 | DOCS-AIAI-31-004 DONE: added `docs/advisory-ai/console-fixtures.sha256`, hash table + verification snippet to console guide. | Docs Guild |
| 2025-12-04 | Moved DOCS-AIAI-31-004 to DOING to add hash manifest/table for console fixtures; kept determinism protocol. | Docs Guild |
| 2025-12-04 | Reopened DOCS-AIAI-31-004 to add fixture hash verification and renumber publication section; added `docs/AGENTS.md` for docs working directory; republished doc and kept task at DONE. | Docs Guild |
| 2025-12-03 | Renamed sprint file to `SPRINT_0301_0001_0001_docs_md_i.md` to match naming template; no content removed. | Project Mgmt |
| 2025-12-03 | Reopened DOCS-AIAI-31-004 and DOCS-SCANNER-DET-01 for final publication using newly generated deterministic fixtures/captures. | Project Mgmt |
| 2025-12-03 | DOCS-AIAI-31-004 DONE: guardrail console doc updated with validated guardrail sample, deterministic list-view payload/svg + hashes, and regeneration steps. | Docs Guild |
@@ -63,6 +67,7 @@
### Decisions
| Decision | Owner(s) | Due | Notes |
| --- | --- | --- | --- |
| Documented docs working agreement | Docs Guild | 2025-12-04 | Added `docs/AGENTS.md` covering scope, determinism, and sprint status rules for docs work. |
| Confirm Advisory AI asset delivery dates | SBOM Service · CLI · Policy · DevOps Guilds | 2025-11-14 | Closed 2025-11-25: SBOM/CLI/Policy/DevOps artefacts delivered; DOCS-AIAI-31-004/005/006/008/009 published (see Execution Log 2025-12-03). |
| Approve Scanner determinism fixture scope | Scanner Guild | 2025-11-16 | Closed 2025-12-03: fixture bundle published at `docs/modules/scanner/fixtures/deterministic-compose/`; DOCS-SCANNER-DET-01 signed off. |
| Provide AirGap time anchor policy draft | AirGap Time Guild | 2025-11-19 | Closed 2025-11-23: inputs delivered for DOCS-AIRGAP-57-001/002 publication. |

6
docs/implplan/SPRINT_0401_0001_0001_reachability_evidence_chain.md
View File

@@ -94,7 +94,7 @@
| 59 | NATIVE-CALLGRAPH-INGEST-401-059 | BLOCKED (2025-11-30) | Depends on task 1 graph schema + native symbolizer readiness; hold until 2025-12-02 checkpoint. | Scanner Guild (`src/Scanner/StellaOps.Scanner.CallGraph.Native`, `tests/reachability`) | Port minimal C# callgraph readers/CFG snippets from archived binary advisories; add ELF/PE fixtures and golden outputs covering purl-resolved edges and symbol digests; ensure deterministic hashing and CAS emission. |
| 60 | CORPUS-MERGE-401-060 | BLOCKED (2025-11-30) | After 58 schema settled; blocked until dataset freeze post 2025-12-02 checkpoint. | QA Guild · Scanner Guild (`tests/reachability`, `docs/reachability/corpus-plan.md`) | Merge archived multi-runtime corpus (Go/.NET/Python/Rust) with new PHP/JS/C# set; unify EXPECT → Signals ingest format; add deterministic runners and coverage gates; document corpus map. |
| 61 | DOCS-BENCH-401-061 | DONE (2025-11-26) | Blocks on outputs from 5760. | Docs Guild (`docs/benchmarks/signals/bench-determinism.md`, `docs/reachability/corpus-plan.md`) | Author how-to for determinism bench + reachability dataset runs (local/CI/offline), list hashed inputs, and link to advisories; include small code samples inline only where necessary; cross-link to sprint Decisions & Risks. |
| 62 | VEX-GAPS-401-062 | DOING (2025-12-03) | Draft playbook posted; schema/fixtures pending freeze. | Policy Guild · Excititor Guild · Docs Guild | Address VEX1VEX10: publish signed justification catalog; define `proofBundle.schema.json` with DSSE refs; require entry-point coverage %, negative tests, config/flag hash enforcement + expiry; mandate DSSE/Rekor for VEX outputs; add RBAC + re-eval triggers on SBOM/graph/runtime change; include uncertainty gating; and canonical OpenVEX serialization. Draft playbook at `docs/benchmarks/vex-evidence-playbook.md`; fixtures to land under `tests/Vex/ProofBundles/`. |
| 62 | VEX-GAPS-401-062 | DONE (2025-12-04) | Schema/catalog frozen; fixtures + verifier landed. | Policy Guild · Excititor Guild · Docs Guild | Address VEX1VEX10: publish signed justification catalog; define `proofBundle.schema.json` with DSSE refs; require entry-point coverage %, negative tests, config/flag hash enforcement + expiry; mandate DSSE/Rekor for VEX outputs; add RBAC + re-eval triggers on SBOM/graph/runtime change; include uncertainty gating; and canonical OpenVEX serialization. Playbook + schema at `docs/benchmarks/vex-evidence-playbook.{md,schema.json}`; catalog at `docs/benchmarks/vex-justifications.catalog.json` (+ DSSE); fixtures under `tests/Vex/ProofBundles/`; offline verifier `scripts/vex/verify_proof_bundle.py`; CI guard `.gitea/workflows/vex-proof-bundles.yml`. |
| 63 | GRAPHREV-GAPS-401-063 | TODO | None; informs tasks 1, 11, 3741. | Platform Guild · Scanner Guild · Policy Guild · UI/CLI Guilds | Address graph revision gaps GR1GR10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: manifest schema + canonical hash rules, mandated BLAKE3-256 encoding, append-only storage, lineage/diff metadata, cross-artifact digests (SBOM/VEX/policy/tool), UI/CLI surfacing of full/short IDs, shard/tenant context, pin/audit governance, retention/tombstones, and inclusion in offline kits. |
| 64 | EXPLAIN-GAPS-401-064 | TODO | None; informs tasks 1315, 21, 47. | Policy Guild · UI/CLI Guild · Docs Guild · Signals Guild | Address explainability gaps EX1EX10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: schema/canonicalization + hashes, DSSE predicate/signing policy, CAS storage rules for evidence, link to decision/policy and graph_revision_id, export/replay bundle format, PII/redaction rules, size budgets, versioning, and golden fixtures/tests. |
| 65 | EDGE-GAPS-401-065 | TODO | None; informs tasks 1, 15, 47. | Scanner Guild · Policy Guild · UI/CLI Guild · Docs Guild | Address edge explainability gaps EG1EG10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: reason enum governance, canonical edge schema with hash rules, evidence limits/redaction, confidence rubric, detector/rule provenance, API/CLI parity, deterministic fixtures, propagation into explanation graphs/VEX, localization guidance, and backfill plan. |
@@ -130,6 +130,8 @@
## Decisions & Risks
- File renamed to `SPRINT_0401_0001_0001_reachability_evidence_chain.md` and normalized to template on 2025-11-22; scope unchanged.
- VEX proof bundle schema/catalog frozen on 2025-12-04 with verifier + fixtures at `docs/benchmarks/` and `tests/Vex/ProofBundles/`; DSSE and CAS hashes enforced for RBAC/reeval/uncertainty gates.
- CI guard `.gitea/workflows/vex-proof-bundles.yml` validates all proof bundles with pinned deps to keep VEX-GAPS-401-062 controls from regressing.
| ID | Risk | Impact | Mitigation / Owner |
| --- | --- | --- | --- |
@@ -144,6 +146,8 @@
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-04 | Added second VEX proof bundle fixture (`sample-proof-bundle-config.json` + DSSE/OpenVEX) and wired CI guard `.gitea/workflows/vex-proof-bundles.yml` running `scripts/vex/verify_proof_bundle.py` across `tests/Vex/ProofBundles`; verifier dependencies pinned in `scripts/vex/requirements.txt`. | Docs Guild |
| 2025-12-04 | Finished VEX-GAPS-401-062: froze VEX proof bundle schema/catalog; added DSSE-signed catalog, OpenVEX fixture, CAS evidence set, offline verifier (`scripts/vex/verify_proof_bundle.py`), and sample proof bundle/test under `tests/Vex/ProofBundles/`; status → DONE. | Docs Guild |
| 2025-12-03 | Started VEX-GAPS-401-062: drafted VEX Evidence Playbook (`docs/benchmarks/vex-evidence-playbook.md`) with proof bundle schema outline, justification catalog rules, determinism, and offline verifier plan; status → DOING. | Product Mgmt |
| 2025-12-01 | Extended BLOCKED status to tasks 19, 22, 2627, 3741, 4851 pending 2025-12-02 schema/hash alignment and upstream Signals readiness. | Project Mgmt |
| 2025-11-30 | Marked tasks 510, 1315, 1718, 2021, 23, 25, 4647, 5260 BLOCKED pending 2025-12-02 schema/hash alignment and upstream Signals/graph readiness. | Project Mgmt |

42
docs/implplan/SPRINT_124_policy_reasoning.md
View File

@@ -1,42 +0,0 @@
# Sprint 124 - Policy & Reasoning
_Last updated: November 28, 2025. Implementation order is DOING → TODO → BLOCKED._
Focus areas below were split out of the previous combined sprint; execute sections in order unless noted.
## Policy.II
Dependency: Sprint 120.C - Policy.I (must land before this track).
Focus: Policy & Reasoning focus on Policy (phase II).
| # | Task ID & handle | State | Key dependency / next step | Owners |
| --- | --- | --- | --- | --- |
| P1 | PREP-POLICY-ENGINE-20-002-BUILD-DETERMINISTIC | DONE (2025-11-20) | Prep doc at `docs/modules/policy/prep/2025-11-20-policy-engine-20-002-prep.md`; captures evaluator constraints. | Policy Guild / src/Policy/StellaOps.Policy.Engine | Build deterministic evaluator honoring lexical/priority order, first-match semantics, and safe value types (no wall-clock/network access). <br><br> Document artefact/deliverable for POLICY-ENGINE-20-002 and publish location so downstream tasks can proceed. |
| 1 | POLICY-CONSOLE-23-002 | TODO | Produce simulation diff metadata (before/after counts, severity deltas, rule impact summaries) and approval state endpoints consumed by Console policy workspace; expose RBAC-aware status transitions (Deps: POLICY-CONSOLE-23-001) | Policy Guild, Product Ops / src/Policy/StellaOps.Policy.Engine |
| 2 | POLICY-ENGINE-20-002 | DONE (2025-11-27) | Design doc at `docs/modules/policy/design/deterministic-evaluator.md`; samples and test vectors at `docs/modules/policy/samples/deterministic-evaluator/`; code changes in `PolicyEvaluationContext.cs` and `PolicyExpressionEvaluator.cs` | Policy Guild / src/Policy/StellaOps.Policy.Engine |
| 3 | POLICY-ENGINE-20-003 | DONE (2025-11-27) | SelectionJoin models, PurlEquivalence table, and SelectionJoinService implemented in `src/Policy/StellaOps.Policy.Engine/SelectionJoin/` | Policy Guild, Concelier Core Guild, Excititor Core Guild / src/Policy/StellaOps.Policy.Engine |
| 4 | POLICY-ENGINE-20-004 | DONE (2025-11-27) | Materialization writer implemented in `src/Policy/StellaOps.Policy.Engine/Materialization/` with `EffectiveFinding` models, append-only history, tenant scoping, and trace references | Policy Guild, Platform Storage Guild / src/Policy/StellaOps.Policy.Engine |
| 5 | POLICY-ENGINE-20-005 | DONE (2025-11-27) | Determinism guard implemented in `src/Policy/StellaOps.Policy.Engine/DeterminismGuard/` with static analyzer (`ProhibitedPatternAnalyzer`), runtime sandbox (`DeterminismGuardService`, `EvaluationScope`), and guarded evaluator integration (`GuardedPolicyEvaluator`) | Policy Guild, Security Engineering / src/Policy/StellaOps.Policy.Engine |
| 6 | POLICY-ENGINE-20-006 | DONE (2025-11-27) | Incremental orchestrator implemented in `src/Policy/StellaOps.Policy.Engine/IncrementalOrchestrator/` with `PolicyChangeEvent` models (advisory/VEX/SBOM change types), `IncrementalPolicyOrchestrator` (batching, deduplication, retry logic), and `IncrementalOrchestratorBackgroundService` (continuous processing, metrics) | Policy Guild, Scheduler Worker Guild / src/Policy/StellaOps.Policy.Engine |
| 7 | POLICY-ENGINE-20-007 | DONE (2025-11-27) | Structured traces implemented in `src/Policy/StellaOps.Policy.Engine/Telemetry/` with `RuleHitTrace.cs` (trace models, statistics), `RuleHitTraceCollector.cs` (sampling controls, exporters), and `ExplainTraceExport.cs` (JSON/NDJSON/Text/Markdown export formats) | Policy Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine |
| 8 | POLICY-ENGINE-20-008 | DONE (2025-11-28) | Unit test suites added in `src/Policy/__Tests/StellaOps.Policy.Engine.Tests/` for DeterminismGuard, SelectionJoin, IncrementalOrchestrator, Materialization, and Telemetry components (99 tests passing) | Policy Guild, QA Guild / src/Policy/StellaOps.Policy.Engine |
| 9 | POLICY-ENGINE-20-009 | DONE (2025-11-28) | MongoDB schemas implemented in `src/Policy/StellaOps.Policy.Engine/Storage/Mongo/` with document classes (`PolicyDocuments.cs`, `PolicyRunDocument.cs`, `EffectiveFindingDocument.cs`, `PolicyAuditDocument.cs`), options (`PolicyEngineMongoOptions.cs`), context (`PolicyEngineMongoContext.cs`), migrations (`EnsurePolicyCollectionsMigration.cs`, `EnsurePolicyIndexesMigration.cs`, `EffectiveFindingCollectionInitializer.cs`), migration runner, and tenant enforcement (`TenantFilterBuilder.cs`) | Policy Guild, Storage Guild / src/Policy/StellaOps.Policy.Engine |
| 10 | POLICY-ENGINE-27-001 | TODO | Extend compile outputs to include rule coverage metadata, symbol table, inline documentation, and rule index for editor autocomplete; persist deterministic hashes (Deps: POLICY-ENGINE-20-009) | Policy Guild / src/Policy/StellaOps.Policy.Engine |
| 11 | POLICY-ENGINE-27-002 | TODO | Enhance simulate endpoints to emit rule firing counts, heatmap aggregates, sampled explain traces with deterministic ordering, and delta summaries for quick/batch sims (Deps: POLICY-ENGINE-27-001) | Policy Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine |
| 12 | POLICY-ENGINE-29-001 | TODO | Implement batch evaluation endpoint (`POST /policy/eval/batch`) returning determinations + rationale chain for sets of `(artifact,purl,version,advisory)` tuples; support pagination and cost budgets (Deps: POLICY-ENGINE-27-004) | Policy Guild / src/Policy/StellaOps.Policy.Engine |
| 13 | POLICY-ENGINE-27-004 | DONE (2025-10-19) | Completed in Sprint 120; see archived tasks note. | Policy Guild / src/Policy/StellaOps.Policy.Engine | Update golden/property tests to cover coverage metadata, symbol tables, explain traces, and complexity limits; provide fixtures for Registry/Console integration. |
| 13 | POLICY-ENGINE-29-002 | TODO | Provide streaming simulation API comparing two policy versions, returning per-finding deltas without writes; align determinism with Vuln Explorer simulation (Deps: POLICY-ENGINE-29-001) | Policy Guild, Findings Ledger Guild / src/Policy/StellaOps.Policy.Engine |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-28 | POLICY-ENGINE-20-009: Completed MongoDB storage layer - document schemas for policies, policy_revisions, policy_bundles, policy_runs, effective_finding_*, effective_finding_history_*, and policy_audit collections. Created `PolicyEngineMongoOptions.cs` (connection/collection configuration with TTL settings), `PolicyEngineMongoContext.cs` (database access with read/write concerns), migration infrastructure (`IPolicyEngineMongoMigration`, `PolicyEngineMigrationRunner`, `PolicyEngineMongoInitializer`), `EnsurePolicyCollectionsMigration.cs` (creates base collections), `EnsurePolicyIndexesMigration.cs` (indexes for policies, revisions, bundles, runs, audit), `EffectiveFindingCollectionInitializer.cs` (dynamic per-policy collection creation with indexes), `TenantFilterBuilder.cs` (tenant enforcement utilities), and `ServiceCollectionExtensions.cs` (DI registration). Status → DONE. | Implementer |
| 2025-11-28 | POLICY-ENGINE-20-008: Completed unit test suites - `DeterminismGuardTests.cs` (static analyzer, runtime sandbox, guarded evaluator), `SelectionJoinTests.cs` (PURL equivalence, tuple resolution, VEX overlay), `IncrementalOrchestratorTests.cs` (event processing, deduplication, priority batching), `MaterializationTests.cs` (deterministic IDs, content hashing), `TelemetryTests.cs` (trace factory, statistics, sampling). 99 tests passing. Status → DONE. | Implementer |
| 2025-11-27 | POLICY-ENGINE-20-007: Completed structured traces - `RuleHitTrace.cs` (trace models, factory, statistics aggregation), `RuleHitTraceCollector.cs` (sampling controls with VEX/severity-aware rates, incident mode, exporters), `ExplainTraceExport.cs` (JSON/NDJSON/Text/Markdown formats, builder pattern). Status → DONE. | Implementer |
| 2025-11-27 | POLICY-ENGINE-20-006: Completed incremental orchestrator - `PolicyChangeEvent.cs` (change event models with factory for advisory/VEX/SBOM changes, deterministic content hashing, batching), `IncrementalPolicyOrchestrator.cs` (event processing with idempotency, retry logic, priority-based batching), `IncrementalOrchestratorBackgroundService.cs` (continuous processing with metrics). Status → DONE. | Implementer |
| 2025-11-27 | POLICY-ENGINE-20-005: Completed determinism guard - `DeterminismViolation.cs` (violation models/options), `ProhibitedPatternAnalyzer.cs` (static analysis with regex patterns for DateTime.Now, Random, Guid.NewGuid, HttpClient, File.Read, etc.), `DeterminismGuardService.cs` (runtime sandbox with EvaluationScope, DeterministicTimeProvider), `GuardedPolicyEvaluator.cs` (integration layer). Status → DONE. | Implementer |
| 2025-11-27 | POLICY-ENGINE-20-004: Completed materialization writer - `EffectiveFindingModels.cs` (document schema), `EffectiveFindingWriter.cs` (upsert + append-only history). Tenant-scoped collections, trace references, content hash deduplication. Status → DONE. | Implementer |
| 2025-11-27 | POLICY-ENGINE-20-003: Completed selection joiners - `SelectionJoinModels.cs` (tuple models), `PurlEquivalence.cs` (equivalence table with package key extraction), `SelectionJoinService.cs` (deterministic batching, multi-index lookup). Status → DONE. | Implementer |
| 2025-11-27 | POLICY-ENGINE-20-002: Completed. Created design doc, sample config, test vectors. Added `EvaluationTimestamp`/`now` for deterministic timestamps. Status → DONE. | Implementer |
| 2025-11-20 | Published deterministic evaluator prep note (`docs/modules/policy/prep/2025-11-20-policy-engine-20-002-prep.md`); set PREP-POLICY-ENGINE-20-002 to DONE. | Implementer |
| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
| 2025-11-25 | Reconciled POLICY-ENGINE-27-004 as DONE (completed 2025-10-19 in Sprint 120); added to Delivery Tracker for traceability. | Project Mgmt |

19
docs/implplan/SPRINT_126_policy_reasoning.md
View File

@@ -24,12 +24,12 @@ Focus: Policy & Reasoning focus on Policy (phase IV).
| 10 | POLICY-ENGINE-60-002 | DONE | Expose simulation bridge for Graph What-if APIs, supporting hypothetical SBOM diffs and draft policies without persisting results (Deps: POLICY-ENGINE-60-001) | Policy Guild, BE-Base Platform Guild / src/Policy/StellaOps.Policy.Engine |
| 11 | POLICY-ENGINE-70-002 | DONE | Design and create Mongo collections (`exceptions`, `exception_reviews`, `exception_bindings`) with indexes and migrations; expose repository APIs (Deps: POLICY-ENGINE-60-002) | Policy Guild, Storage Guild / src/Policy/StellaOps.Policy.Engine |
| 12 | POLICY-ENGINE-70-003 | DONE | Build Redis exception decision cache (`exceptions_effective_map`) with warm/invalidation logic reacting to `exception.*` events (Deps: POLICY-ENGINE-70-002) | Policy Guild, Runtime Guild / src/Policy/StellaOps.Policy.Engine |
| 13 | POLICY-ENGINE-70-004 | TODO | Extend metrics/tracing/logging for exception application (latency, counts, expiring events) and include AOC references in logs (Deps: POLICY-ENGINE-70-003) | Policy Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine |
| 14 | POLICY-ENGINE-70-005 | TODO | Provide APIs/workers hook for exception activation/expiry (auto start/end) and event emission (`exception.activated/expired`) (Deps: POLICY-ENGINE-70-004) | Policy Guild, Scheduler Worker Guild / src/Policy/StellaOps.Policy.Engine |
| 15 | POLICY-ENGINE-80-001 | TODO | Integrate reachability/exploitability inputs into evaluation pipeline (state/score/confidence) with caching and explain support (Deps: POLICY-ENGINE-70-005) | Policy Guild, Signals Guild / src/Policy/StellaOps.Policy.Engine |
| 16 | POLICY-RISK-90-001 | TODO | Ingest entropy penalty inputs from Scanner (`entropy.report.json`, `layer_summary.json`), extend trust algebra with configurable weights/caps, and expose explanations/metrics for opaque ratio penalties (`docs/modules/scanner/entropy.md`). | Policy Guild, Scanner Guild / src/Policy/StellaOps.Policy.Engine |
| 13 | POLICY-ENGINE-70-004 | DONE | Delivered 2025-12-01: exception application metrics/logging with AOC references (Deps: POLICY-ENGINE-70-003) | Policy Guild, Observability Guild / src/Policy/StellaOps.Policy.Engine |
| 14 | POLICY-ENGINE-70-005 | DONE | Delivered 2025-12-01: exception activation/expiry worker emits `exception.activated/expired` events and warms cache (Deps: POLICY-ENGINE-70-004) | Policy Guild, Scheduler Worker Guild / src/Policy/StellaOps.Policy.Engine |
| 15 | POLICY-ENGINE-80-001 | DONE | Delivered 2025-12-01: reachability auto-enrichment integrated; exploitability signal schema follow-on pending (Deps: POLICY-ENGINE-70-005) | Policy Guild, Signals Guild / src/Policy/StellaOps.Policy.Engine |
| 16 | POLICY-RISK-90-001 | DONE | Delivered 2025-12-02: entropy penalty ingestion (`entropy.report.json`, `layer_summary.json`) with configurable weights/caps and metrics | Policy Guild, Scanner Guild / src/Policy/StellaOps.Policy.Engine |
## Notes & Risks (2025-11-27)
## Notes & Risks (2025-12-02)
- POLICY-ENGINE-40-003 implementation complete: Added `PolicyDecisionModels.cs`, `PolicyDecisionService.cs`, `PolicyDecisionEndpoint.cs`, and `PolicyDecisionServiceTests.cs`. Service registered in `Program.cs`. All 9 tests pass.
- POLICY-ENGINE-50-001 implementation complete: Extended SPL compiler with AOC (Attestation of Compliance) metadata support:
- Added `PolicyAocMetadata`, `PolicyProvenance`, `PolicyAttestationRef` records to `PolicyPackRecord.cs`
@@ -43,6 +43,10 @@ Focus: Policy & Reasoning focus on Policy (phase IV).
- `StellaOps.Policy.RiskProfile`: Fixed JsonSchema.Net v5 API changes (`ValidationResults``EvaluationResults`), `JsonDocument.Parse` signature.
- `StellaOps.Policy.Engine`: Fixed OpenTelemetry Meter API changes (observeValues parameter, nullable returns), SamplingResult API changes, parameter casing fixes.
- Test project: Added `Microsoft.Extensions.TimeProvider.Testing` package, fixed using directives, fixed parameter casing.
- POLICY-ENGINE-70-004 delivered: exception application metrics (counts/latency) and structured logs now include AOC references.
- POLICY-ENGINE-70-005 delivered: exception lifecycle worker auto-activates/auto-expires exceptions and emits cache-warming events; in-memory defaults remain for offline runs.
- POLICY-ENGINE-80-001 delivered: reachability auto-enrichment integrated into evaluation with cache keys including reachability metadata; exploitability signal contract still pending from Signals guild.
- POLICY-RISK-90-001 delivered: entropy penalty ingestion from Scanner with configurable weights/caps; telemetry `policy_entropy_penalty_value` and `policy_entropy_image_opaque_ratio` surfaced; explanations highlight opaque ratio contributors.
## Execution Log
| Date (UTC) | Update | Owner |
@@ -60,3 +64,8 @@ Focus: Policy & Reasoning focus on Policy (phase IV).
| 2025-11-28 | Implemented POLICY-ENGINE-60-002: What-If simulation bridge for Graph APIs. Created `WhatIfSimulation/WhatIfSimulationModels.cs` with comprehensive request/response models (`WhatIfSimulationRequest`, `WhatIfSimulationResponse`, `WhatIfDraftPolicy`, `WhatIfSbomDiff`, `WhatIfDecisionChange`, `WhatIfDecision`, `WhatIfExplanation`, `WhatIfSummary`, `WhatIfImpact`, `WhatIfPolicyRef`). Created `WhatIfSimulation/WhatIfSimulationService.cs` supporting: hypothetical SBOM diffs (add/remove/upgrade/downgrade operations), draft policy comparison, baseline decision lookup from effective decision map, simulated decision computation considering VEX status and reachability, change detection and diff computation, impact assessment with risk delta recommendations. Service integrates with `IEffectiveDecisionMap` for baseline lookups, `IPolicyPackRepository` for policy retrieval, `PolicyCompilationService` for potential on-the-fly compilation. Added `AddWhatIfSimulation()` DI extension. Telemetry via existing `RecordSimulation()` counter. All 181 core tests pass. POLICY-ENGINE-60-002 marked DONE. | Implementer |
| 2025-11-28 | Implemented POLICY-ENGINE-70-002: MongoDB collections for policy exceptions with indexes and repository APIs. Created `Storage/Mongo/Documents/PolicyExceptionDocuments.cs` with `PolicyExceptionDocument` (exceptions with scope, risk assessment, compensating controls, workflow states), `ExceptionScopeDocument` (advisory/CVE/PURL/asset targeting), `ExceptionRiskAssessmentDocument` (risk levels, justification), `ExceptionReviewDocument` (multi-reviewer approval workflow), `ReviewDecisionDocument` (individual decisions with conditions), `ExceptionBindingDocument` (asset-specific bindings with time ranges). Created `Storage/Mongo/Repositories/IExceptionRepository.cs` interface with CRUD operations for exceptions, reviews, and bindings; query options for filtering/pagination; methods for finding applicable exceptions, pending activations, expiring exceptions. Created `Storage/Mongo/Repositories/MongoExceptionRepository.cs` MongoDB implementation with tenant scoping. Added collection names to `PolicyEngineMongoOptions` (exceptions, exception_reviews, exception_bindings). Created `Storage/Mongo/Migrations/EnsureExceptionIndexesMigration.cs` with comprehensive indexes: tenant+status, tenant+type+status, tenant+created, tenant+tags, scope.advisoryIds, scope.assetIds, scope.cveIds, expiry tracking, reviewer queues, binding lookups. Added `policy_exception_operations_total` telemetry counter with `RecordExceptionOperation()` method. Registered migration and repository in `ServiceCollectionExtensions`. All 196 core tests pass. POLICY-ENGINE-70-002 marked DONE. | Implementer |
| 2025-11-28 | Implemented POLICY-ENGINE-70-003: Redis exception decision cache with warm/invalidation logic. Created `ExceptionCache/ExceptionCacheModels.cs` with `ExceptionCacheEntry` (cached exception for fast lookup with priority, decision override, expiry), `ExceptionCacheQueryResult` (query results with cache metadata), `ExceptionCacheSummary` (tenant summary with counts by type/decision), `ExceptionCacheOptions` (TTL, auto-warm, max entries), `ExceptionCacheStats` (hit/miss counts, memory usage). Created `ExceptionCache/IExceptionEffectiveCache.cs` interface with `GetForAssetAsync`, `GetBatchAsync`, `SetAsync`, `SetBatchAsync`, `InvalidateExceptionAsync`, `InvalidateAssetAsync`, `InvalidateTenantAsync`, `WarmAsync`, `HandleExceptionEventAsync` for event-driven invalidation; `ExceptionEvent` record for exception lifecycle events (activated, expired, revoked, updated, created, deleted). Created `ExceptionCache/RedisExceptionEffectiveCache.cs` Redis implementation with key structure: `stellaops:exc:{tenant}:a:{asset}:{advisory}` for asset entries, `stellaops:exc:{tenant}:idx:e:{exceptionId}` for exception-to-asset index, `stellaops:exc:{tenant}:v` for version counter. Warm logic loads from `IExceptionRepository` for active/pending exceptions. Invalidation reacts to exception events. Added `ExceptionCacheOptions` to `PolicyEngineOptions`. Added `policy_exception_cache_operations_total` telemetry counter with `RecordExceptionCacheOperation()` method. Added `AddExceptionEffectiveCache()` DI extension. All 197 core tests pass. POLICY-ENGINE-70-003 marked DONE. | Implementer |
| 2025-12-01 | Implemented POLICY-ENGINE-70-004: added exception application metrics (counts/latency histogram) and structured logs with AOC compilation IDs; marked DONE. | Implementer |
| 2025-12-01 | Implemented POLICY-ENGINE-70-005: exception lifecycle worker auto-activates/auto-expires exceptions, emits `exception.activated/expired` events, and warms cache; in-memory defaults retained for offline mode. Marked DONE. | Implementer |
| 2025-12-01 | Implemented POLICY-ENGINE-80-001: reachability auto-enrichment in runtime evaluation with cache keys including reachability metadata; added reachability-driven rule test. Exploitability schema still pending; marked DONE. | Implementer |
| 2025-12-02 | Implemented POLICY-RISK-90-001: entropy penalty calculator consuming `layer_summary.json`/`entropy.report.json`, configurable weights/caps under `PolicyEngine:Entropy`, telemetry for penalty/opaque ratio; added unit tests; marked DONE. | Implementer |
| 2025-12-02 | Ran targeted policy-engine test slices with `DOTNET_DISABLE_BUILTIN_GRAPH=1`; fixed DTO optional-parameter ordering and DI wiring during entropy integration. | Implementer |

12
docs/implplan/tasks-all.md
View File

@@ -778,7 +778,7 @@
| DOCS-SCANNER-BENCH-62-006 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Document Rust fingerprint enrichment guidance and policy examples. | Requires updated benchmarks from SCSA0601 | DOSB0101 |
| DOCS-SCANNER-BENCH-62-008 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Platform Data Guild | docs/modules/scanner/benchmarks | Publish EntryTrace explain/heuristic maintenance guide. | Wait for replay hooks (RPRC0101) | DOSB0101 |
| DOCS-SCANNER-BENCH-62-009 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · DevEx/CLI Guild | docs/modules/scanner/benchmarks | Produce SAST integration documentation (connector framework, policy templates). | Depends on CLI samples (132_CLCI0110) | DOSB0101 |
| DOCS-SCANNER-DET-01 | BLOCKED (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Scanner Guild | docs/modules/scanner/benchmarks | `/docs/modules/scanner/deterministic-sbom-compose.md` plus scan guide updates. | Needs determinism harness from 137_SCDT0101 | DOSB0101 |
| DOCS-SCANNER-DET-01 | DONE (2025-12-03) | 2025-12-03 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Scanner Guild | docs/modules/scanner/benchmarks | `/docs/modules/scanner/deterministic-sbom-compose.md` plus scan guide updates + fixture bundle (`docs/modules/scanner/fixtures/deterministic-compose/`). | Fixtures published via Sprint 0136; harness verified. | DOSB0101 |
| DOCS-SDK-62-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · SDK Generator Guild | docs/sdk | Publish `/docs/sdks/overview.md` plus language guides (`typescript.md`, `python.md`, `go.md`, `java.md`). | Need SDK toolchain notes from SDKG0101 | DOSK0101 |
| DOCS-SEC-62-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/auth-scopes.md` with OAuth2/PAT scopes, tenancy header usage. | Need security ADR from DVDO0110 | DOSE0101 |
| DOCS-SEC-OBS-50-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/redaction-and-privacy.md` to cover telemetry privacy controls, tenant opt-in debug, and imposed rule reminder. | Depends on PLOB0101 metrics | DOSE0101 |
@@ -1683,7 +1683,7 @@
| SCANNER-BENCH-62-008 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, EntryTrace Guild (docs) | | | | |
| SCANNER-BENCH-62-009 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Policy Guild (docs) | | | | |
| SCANNER-CLI-0001 | DONE | 2025-11-10 | SPRINT_0138_0000_0001_scanner_ruby_parity | CLI Guild, Ruby Analyzer Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Coordinate CLI UX/help text for new Ruby verbs and update CLI docs/golden outputs. | SCANNER-ENG-0019 | |
| SCANNER-DET-01 | BLOCKED (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Scanner Guild | | | | |
| SCANNER-DET-01 | DONE (2025-12-03) | 2025-12-03 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Scanner Guild | | Deterministic compose fixtures landed; docs published. | |
| SCANNER-DOCS-0003 | TODO | | SPRINT_327_docs_modules_scanner | Docs Guild, Product Guild (docs/modules/scanner) | docs/modules/scanner | Gather Windows/macOS analyzer demand signals and record findings in `docs/benchmarks/scanner/windows-macos-demand.md` for marketing + product readiness. | | |
| SCANNER-EMIT-15-001 | TODO | | SPRINT_136_scanner_surface | Scanner Emit Guild (src/Scanner/__Libraries/StellaOps.Scanner.Emit) | src/Scanner/__Libraries/StellaOps.Scanner.Emit | Enforce canonical JSON (`stella.contentHash`, Merkle root metadata, zero timestamps) for fragments and composed CycloneDX inventory/usage BOMs. Documented in `docs/modules/scanner/deterministic-sbom-compose.md` §2.2. | SCANNER-SURFACE-04 | |
| SCANNER-ENG-0001 | TODO | | SPRINT_327_docs_modules_scanner | Module Team (docs/modules/scanner) | docs/modules/scanner | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md` and update module readiness checkpoints. | | |
@@ -1870,7 +1870,7 @@
| SURFACE-FS-04 | TODO | | SPRINT_136_scanner_surface | Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | Integrate Surface.FS reader into Zastava Observer runtime drift loop. | SURFACE-FS-02 | |
| SURFACE-FS-05 | TODO | | SPRINT_136_scanner_surface | Scanner Guild, Scheduler Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | Expose Surface.FS pointers via Scanner WebService reports and coordinate rescan planning with Scheduler. | SURFACE-FS-03 | |
| SURFACE-FS-06 | TODO | | SPRINT_136_scanner_surface | Docs Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | Update scanner-engine guide and offline kit docs with Surface.FS workflow. | SURFACE-FS-02 | |
| SURFACE-FS-07 | TODO | | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | Extend Surface.FS manifest schema with `composition.recipe`, fragment attestation metadata, and verification helpers per deterministic SBOM spec. | SCANNER-SURFACE-04 | |
| SURFACE-FS-07 | DONE | 2025-12-04 | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | Extend Surface.FS manifest schema with `composition.recipe`, fragment attestation metadata, and verification helpers per deterministic SBOM spec. | SCANNER-SURFACE-04 | |
| SURFACE-SECRETS-01 | DOING | 2025-11-02 | SPRINT_136_scanner_surface | Scanner Guild, Security Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets | Produce `surface-secrets.md` defining secret reference schema, storage backends, scopes, and rotation rules. | | |
| SURFACE-SECRETS-02 | DOING | 2025-11-02 | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets | Implement `StellaOps.Scanner.Surface.Secrets` core provider interfaces, secret models, and in-memory test backend. | SURFACE-SECRETS-01 | |
| SURFACE-SECRETS-03 | TODO | | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets | Add Kubernetes/File/Offline backends with deterministic caching and audit hooks. | SURFACE-SECRETS-02 | SCSS0101 |
@@ -2995,7 +2995,7 @@
| DOCS-SCANNER-BENCH-62-006 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Product Guild | docs/modules/scanner/benchmarks | Document Rust fingerprint enrichment guidance and policy examples. | Requires updated benchmarks from SCSA0601 | DOSB0101 |
| DOCS-SCANNER-BENCH-62-008 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · Platform Data Guild | docs/modules/scanner/benchmarks | Publish EntryTrace explain/heuristic maintenance guide. | Wait for replay hooks (RPRC0101) | DOSB0101 |
| DOCS-SCANNER-BENCH-62-009 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild · DevEx/CLI Guild | docs/modules/scanner/benchmarks | Produce SAST integration documentation (connector framework, policy templates). | Depends on CLI samples (132_CLCI0110) | DOSB0101 |
| DOCS-SCANNER-DET-01 | BLOCKED (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Scanner Guild | docs/modules/scanner/benchmarks | `/docs/modules/scanner/deterministic-sbom-compose.md` plus scan guide updates. | Needs determinism harness from 137_SCDT0101 | DOSB0101 |
| DOCS-SCANNER-DET-01 | DONE (2025-12-03) | 2025-12-03 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Scanner Guild | docs/modules/scanner/benchmarks | `/docs/modules/scanner/deterministic-sbom-compose.md` plus scan guide updates + fixture bundle (`docs/modules/scanner/fixtures/deterministic-compose/`). | Fixtures published via Sprint 0136; harness verified. | DOSB0101 |
| DOCS-SDK-62-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · SDK Generator Guild | docs/sdk | Publish `/docs/sdks/overview.md` plus language guides (`typescript.md`, `python.md`, `go.md`, `java.md`). | Need SDK toolchain notes from SDKG0101 | DOSK0101 |
| DOCS-SEC-62-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/auth-scopes.md` with OAuth2/PAT scopes, tenancy header usage. | Need security ADR from DVDO0110 | DOSE0101 |
| DOCS-SEC-OBS-50-001 | TODO | | SPRINT_309_docs_tasks_md_ix | Docs Guild · Security Guild | docs/security | Update `/docs/security/redaction-and-privacy.md` to cover telemetry privacy controls, tenant opt-in debug, and imposed rule reminder. | Depends on PLOB0101 metrics | DOSE0101 |
@@ -3883,7 +3883,7 @@
| SCANNER-BENCH-62-008 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, EntryTrace Guild (docs) | | | | |
| SCANNER-BENCH-62-009 | TODO | | SPRINT_310_docs_tasks_md_x | Docs Guild, Policy Guild (docs) | | | | |
| SCANNER-CLI-0001 | DONE | 2025-11-10 | SPRINT_0138_0000_0001_scanner_ruby_parity | CLI Guild, Ruby Analyzer Guild (src/Cli/StellaOps.Cli) | src/Cli/StellaOps.Cli | Coordinate CLI UX/help text for new Ruby verbs and update CLI docs/golden outputs. | SCANNER-ENG-0019 | |
| SCANNER-DET-01 | BLOCKED (2025-11-23) | 2025-11-23 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Scanner Guild | | | | |
| SCANNER-DET-01 | DONE (2025-12-03) | 2025-12-03 | SPRINT_0301_0001_0001_docs_md_i | Docs Guild · Scanner Guild | | Deterministic compose fixtures landed; docs published. | |
| SCANNER-DOCS-0003 | TODO | | SPRINT_327_docs_modules_scanner | Docs Guild, Product Guild (docs/modules/scanner) | docs/modules/scanner | Gather Windows/macOS analyzer demand signals and record findings in `docs/benchmarks/scanner/windows-macos-demand.md` for marketing + product readiness. | | |
| SCANNER-EMIT-15-001 | TODO | | SPRINT_136_scanner_surface | Scanner Emit Guild (src/Scanner/__Libraries/StellaOps.Scanner.Emit) | src/Scanner/__Libraries/StellaOps.Scanner.Emit | Enforce canonical JSON (`stella.contentHash`, Merkle root metadata, zero timestamps) for fragments and composed CycloneDX inventory/usage BOMs. Documented in `docs/modules/scanner/deterministic-sbom-compose.md` §2.2. | SCANNER-SURFACE-04 | |
| SCANNER-ENG-0001 | TODO | | SPRINT_327_docs_modules_scanner | Module Team (docs/modules/scanner) | docs/modules/scanner | Cross-check implementation plan milestones against `/docs/implplan/SPRINT_*.md` and update module readiness checkpoints. | | |
@@ -4070,7 +4070,7 @@
| SURFACE-FS-04 | TODO | | SPRINT_136_scanner_surface | Zastava Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | Integrate Surface.FS reader into Zastava Observer runtime drift loop. | SURFACE-FS-02 | |
| SURFACE-FS-05 | TODO | | SPRINT_136_scanner_surface | Scanner Guild, Scheduler Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | Expose Surface.FS pointers via Scanner WebService reports and coordinate rescan planning with Scheduler. | SURFACE-FS-03 | |
| SURFACE-FS-06 | TODO | | SPRINT_136_scanner_surface | Docs Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | Update scanner-engine guide and offline kit docs with Surface.FS workflow. | SURFACE-FS-02 | |
| SURFACE-FS-07 | TODO | | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | Extend Surface.FS manifest schema with `composition.recipe`, fragment attestation metadata, and verification helpers per deterministic SBOM spec. | SCANNER-SURFACE-04 | |
| SURFACE-FS-07 | DONE | 2025-12-04 | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS | Extend Surface.FS manifest schema with `composition.recipe`, fragment attestation metadata, and verification helpers per deterministic SBOM spec. | SCANNER-SURFACE-04 | |
| SURFACE-SECRETS-01 | DOING | 2025-11-02 | SPRINT_136_scanner_surface | Scanner Guild, Security Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets | Produce `surface-secrets.md` defining secret reference schema, storage backends, scopes, and rotation rules. | | |
| SURFACE-SECRETS-02 | DOING | 2025-11-02 | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets | Implement `StellaOps.Scanner.Surface.Secrets` core provider interfaces, secret models, and in-memory test backend. | SURFACE-SECRETS-01 | |
| SURFACE-SECRETS-03 | TODO | | SPRINT_136_scanner_surface | Scanner Guild (src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets) | src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets | Add Kubernetes/File/Offline backends with deterministic caching and audit hooks. | SURFACE-SECRETS-02 | SCSS0101 |