feat: add security sink detection patterns for JavaScript/TypeScript
- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations). - Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns. - Added `package-lock.json` for dependency management.
This commit is contained in:
StellaOps Bot
164
docs/implplan/archived/SPRINT_5100_ACTIVE_STATUS.md
Normal file
164
docs/implplan/archived/SPRINT_5100_ACTIVE_STATUS.md
Normal file
@@ -0,0 +1,164 @@
|
||||
# Sprint 5100 - Active Status Report
|
||||
|
||||
**Generated:** 2025-12-22 (Updated)
|
||||
**Epic:** Testing Infrastructure & Reproducibility
|
||||
|
||||
## Overview
|
||||
|
||||
Sprint 5100 consists of 12 sprints across 5 phases. Phases 0-4 are substantially complete (11 sprints). Phase 5 sprint files show tasks marked DONE but require verification.
|
||||
|
||||
**Recent Implementation Progress (2025-12-22):**
|
||||
- SPRINT_5100_0001_0001: MongoDB cleanup Phase 1 - 12/13 tasks done
|
||||
- SPRINT_5100_0004_0001: Unknowns Budget CI Gates - 5/6 tasks done (T5-T6 implemented with UnknownsBudgetPredicate)
|
||||
- SPRINT_5100_0005_0001: Router Chaos Suite - 6/6 tasks done (k6 tests, C# chaos tests, CI workflow)
|
||||
|
||||
## Completed and Archived ✅
|
||||
|
||||
**Location:** `docs/implplan/archived/sprint_5100_phase_0_1_completed/`
|
||||
|
||||
- Phase 0 (Harness & Corpus Foundation): 4 sprints, 31 tasks - **DONE**
|
||||
- Phase 1 (Determinism & Replay): 3 sprints, 20 tasks - **DONE**
|
||||
|
||||
See archived README for details.
|
||||
|
||||
## Active Sprints (TODO)
|
||||
|
||||
### Phase 2: Offline E2E & Interop (2 sprints, 13 tasks)
|
||||
|
||||
#### SPRINT_5100_0003_0001 - SBOM Interop Round-Trip
|
||||
**Status:** TODO (0/7 tasks)
|
||||
**Working Directory:** `tests/interop/` and `src/__Libraries/StellaOps.Interop/`
|
||||
**Dependencies:** Sprint 5100.0001.0002 (Evidence Index) ✅
|
||||
|
||||
**Tasks:**
|
||||
1. T1: Interop Test Harness - TODO
|
||||
2. T2: CycloneDX 1.6 Round-Trip Tests - TODO
|
||||
3. T3: SPDX 3.0.1 Round-Trip Tests - TODO
|
||||
4. T4: Cross-Tool Findings Parity Analysis - TODO
|
||||
5. T5: Interop CI Pipeline - TODO
|
||||
6. T6: Interop Documentation - TODO
|
||||
7. T7: Project Setup - TODO
|
||||
|
||||
**Goal:** Achieve 95%+ parity with Syft/Grype for SBOM generation and vulnerability findings.
|
||||
|
||||
---
|
||||
|
||||
#### SPRINT_5100_0003_0002 - No-Egress Test Enforcement
|
||||
**Status:** TODO (0/6 tasks)
|
||||
**Working Directory:** `tests/offline/` and `.gitea/workflows/`
|
||||
**Dependencies:** Sprint 5100.0001.0003 (Offline Bundle Manifest) ✅
|
||||
|
||||
**Tasks:**
|
||||
1. T1: Network Isolation Test Base Class - TODO
|
||||
2. T2: Docker Network Isolation - TODO
|
||||
3. T3: Offline E2E Test Suite - TODO
|
||||
4. T4: CI Network Isolation Workflow - TODO
|
||||
5. T5: Offline Bundle Fixtures - TODO
|
||||
6. T6: Unit Tests - TODO
|
||||
|
||||
**Goal:** Prove air-gap operation with strict network isolation enforcement.
|
||||
|
||||
---
|
||||
|
||||
### Phase 3: Unknowns Budgets CI Gates (1 sprint, 6 tasks) - MOSTLY COMPLETE
|
||||
|
||||
#### SPRINT_5100_0004_0001 - Unknowns Budget CI Gates
|
||||
**Status:** MOSTLY COMPLETE (5/6 tasks DONE)
|
||||
**Working Directory:** `src/Cli/StellaOps.Cli/Commands/` and `.gitea/workflows/`
|
||||
**Dependencies:** ✅ Sprint 4100.0001.0001 (DONE), ✅ Sprint 4100.0001.0002 (DONE)
|
||||
|
||||
**Tasks:**
|
||||
1. T1: CLI Budget Check Command - DONE
|
||||
2. T2: CI Budget Gate Workflow - DONE
|
||||
3. T3: GitHub/GitLab PR Integration - DONE
|
||||
4. T4: Unknowns Dashboard Integration - TODO (UI Team)
|
||||
5. T5: Attestation Integration - DONE (UnknownsBudgetPredicate added)
|
||||
6. T6: Unit Tests - DONE (10 tests passing)
|
||||
|
||||
**Goal:** Enforce unknowns budgets in CI/CD pipelines with PR integration.
|
||||
|
||||
---
|
||||
|
||||
### Phase 4: Backpressure & Chaos (1 sprint, 6 tasks) - MOSTLY COMPLETE
|
||||
|
||||
#### SPRINT_5100_0005_0001 - Router Chaos Suite
|
||||
**Status:** MOSTLY COMPLETE (5/6 tasks DONE)
|
||||
**Working Directory:** `tests/load/` and `tests/chaos/`
|
||||
**Dependencies:** Router implementation with backpressure (existing)
|
||||
|
||||
**Tasks:**
|
||||
1. T1: Load Test Harness - DONE (k6 spike-test.js)
|
||||
2. T2: Backpressure Verification Tests - DONE (BackpressureVerificationTests.cs)
|
||||
3. T3: Recovery and Resilience Tests - DONE (RecoveryTests.cs)
|
||||
4. T4: Valkey Failure Injection - DONE (ValkeyFailureTests.cs)
|
||||
5. T5: CI Chaos Workflow - DONE (router-chaos.yml)
|
||||
6. T6: Documentation - TODO (QA Team)
|
||||
|
||||
**Goal:** Validate 429/503 responses, Retry-After headers, and sub-30s recovery under load.
|
||||
|
||||
---
|
||||
|
||||
### Phase 5: Audit Packs & Time-Travel (1 sprint, 6 tasks)
|
||||
|
||||
#### SPRINT_5100_0006_0001 - Audit Pack Export/Import
|
||||
**Status:** TODO (0/6 tasks)
|
||||
**Working Directory:** `src/__Libraries/StellaOps.AuditPack/` and `src/Cli/StellaOps.Cli/Commands/`
|
||||
**Dependencies:** Sprint 5100.0001.0001 (Run Manifest) ✅, Sprint 5100.0002.0002 (Replay Runner) ✅
|
||||
|
||||
**Tasks:**
|
||||
1. T1: Audit Pack Domain Model - TODO
|
||||
2. T2: Audit Pack Builder - TODO
|
||||
3. T3: Audit Pack Importer - TODO
|
||||
4. T4: Replay from Audit Pack - TODO
|
||||
5. T5: CLI Commands - TODO
|
||||
6. T6: Unit and Integration Tests - TODO
|
||||
|
||||
**Goal:** Enable sealed audit pack export for compliance with one-command replay verification.
|
||||
|
||||
---
|
||||
|
||||
## Recommended Implementation Order
|
||||
|
||||
Based on dependencies and value delivery:
|
||||
|
||||
1. **SPRINT_5100_0003_0001** (SBOM Interop) - No blockers, high value for ecosystem compatibility
|
||||
2. **SPRINT_5100_0003_0002** (No-Egress) - Parallel with above, proves air-gap capability
|
||||
3. **SPRINT_5100_0006_0001** (Audit Packs) - Dependencies met, critical for compliance
|
||||
4. **SPRINT_5100_0004_0001** (Unknowns Budgets) - Depends on Sprint 4100 completion
|
||||
5. **SPRINT_5100_0005_0001** (Router Chaos) - Independent, can run in parallel
|
||||
|
||||
## Success Metrics
|
||||
|
||||
- [ ] Phase 2: 95%+ SBOM interop parity, air-gap tests pass with no network
|
||||
- [ ] Phase 3: CI gates block on budget violations, PR comments working
|
||||
- [ ] Phase 4: Router handles 50x load spikes with <30s recovery
|
||||
- [ ] Phase 5: Audit packs import/export with replay producing identical verdicts
|
||||
|
||||
## Implementation Summary (2025-12-22)
|
||||
|
||||
### Files Created/Modified
|
||||
|
||||
**MongoDB Cleanup:**
|
||||
- `deploy/compose/env/airgap.env.example` - PostgreSQL/Valkey only
|
||||
- `deploy/compose/env/stage.env.example` - PostgreSQL/Valkey only
|
||||
- `deploy/compose/env/prod.env.example` - PostgreSQL/Valkey only
|
||||
- `src/Aoc/StellaOps.Aoc.Cli/Commands/VerifyCommand.cs` - Removed --mongo
|
||||
- `src/Aoc/StellaOps.Aoc.Cli/Services/AocVerificationService.cs` - PostgreSQL only
|
||||
- `src/Aoc/StellaOps.Aoc.Cli/Models/VerifyOptions.cs` - Required PostgreSQL
|
||||
|
||||
**Unknowns Budget Attestation:**
|
||||
- `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/UnknownsBudgetPredicate.cs`
|
||||
- `src/Attestor/__Tests/StellaOps.Attestor.ProofChain.Tests/Statements/UnknownsBudgetPredicateTests.cs`
|
||||
|
||||
**Router Chaos Suite:**
|
||||
- `tests/load/router/spike-test.js` - k6 load test
|
||||
- `tests/load/router/thresholds.json` - Threshold config
|
||||
- `tests/chaos/StellaOps.Chaos.Router.Tests/` - C# chaos test project
|
||||
- `.gitea/workflows/router-chaos.yml` - CI workflow
|
||||
|
||||
## Next Actions
|
||||
|
||||
1. Verify Phase 2-5 sprint implementation status against actual codebase
|
||||
2. Run integration tests for MongoDB-free platform startup
|
||||
3. UI Team to complete T4 (Dashboard Integration) for Unknowns Budget
|
||||
4. QA Team to verify chaos test documentation
|
||||
Reference in New Issue
Block a user