Add unit tests for AST parsing and security sink detection

- Created `StellaOps.AuditPack.Tests.csproj` for unit testing the AuditPack library.
- Implemented comprehensive unit tests in `index.test.js` for AST parsing, covering various JavaScript and TypeScript constructs including functions, classes, decorators, and JSX.
- Added `sink-detect.test.js` to test security sink detection patterns, validating command injection, SQL injection, file write, deserialization, SSRF, NoSQL injection, and more.
- Included tests for taint source detection in various contexts such as Express, Koa, and AWS Lambda.
StellaOps Bot
2025-12-23 09:23:42 +02:00
parent 7e384ab610
commit 56e2dc01ee
96 changed files with 8555 additions and 1455 deletions


@@ -0,0 +1,200 @@
# SPRINT_4300 MOAT HARDENING: Verdict Attestation & Epistemic Mode
## Topic & Scope
- Coordinate Moat 5/4 initiatives for verdict attestations and epistemic/air-gap workflows.
- Track delivery across the five moat-focused sprints in this series.
- Provide a single reference for decisions, dependencies, and risks.
- **Working directory:** `docs/implplan`.
## Dependencies & Concurrency
- Depends on ProofSpine + VerdictReceiptStatement readiness.
- All child sprints can run in parallel; coordination required for shared CLI and attestor contracts.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- 19-Dec-2025 advisory referenced in the Program Overview.
## Program Overview
| Field | Value |
|-------|-------|
| **Program ID** | 4300 (Moat Series) |
| **Theme** | Moat Hardening: Signed Verdicts & Epistemic Operations |
| **Priority** | P0-P1 (Critical to High) |
| **Total Effort** | ~9 weeks |
| **Advisory Source** | 19-Dec-2025 - Stella Ops candidate features mapped to moat strength |
---
## Strategic Context
This sprint program addresses the highest-moat features identified in the competitive analysis advisory. The goal is to harden StellaOps' structural advantages in:
1. **Signed, replayable risk verdicts (Moat 5)** — The anchor differentiator
2. **Unknowns as first-class state (Moat 4)** — Governance primitive
3. **Air-gapped epistemic mode (Moat 4)** — Reproducibility moat
---
## Sprint Breakdown
### P0 Sprints (Critical)
| Sprint ID | Title | Effort | Moat |
|-----------|-------|--------|------|
| 4300_0001_0001 | OCI Verdict Attestation Referrer Push | 2 weeks | 5 |
| 4300_0001_0002 | One-Command Audit Replay CLI | 2 weeks | 5 |
**Outcome**: Verdicts become portable "ship tokens" that can be pushed to registries and replayed offline.
### P1 Sprints (High)
| Sprint ID | Title | Effort | Moat |
|-----------|-------|--------|------|
| 4300_0002_0001 | Unknowns Budget Policy Integration | 2 weeks | 4 |
| 4300_0002_0002 | Unknowns Attestation Predicates | 1 week | 4 |
| 4300_0003_0001 | Sealed Knowledge Snapshot Export/Import | 2 weeks | 4 |
**Outcome**: Uncertainty becomes actionable through policy gates and attestable for audits. Air-gap customers get sealed knowledge bundles.
---
## Related Sprint Programs
| Program | Theme | Moat Focus |
|---------|-------|------------|
| **4400** | Delta Verdicts & Reachability Attestations | Smart-Diff, Reachability |
| **4500** | VEX Hub & Trust Scoring | VEX Distribution Network |
| **4600** | SBOM Lineage & BYOS | SBOM Ledger |
---
## Dependency Graph
```
SPRINT_4300_0001_0001 (OCI Verdict Push)
├──► SPRINT_4300_0001_0002 (Audit Replay CLI)
└──► SPRINT_4400_0001_0001 (Signed Delta Verdict)
SPRINT_4300_0002_0001 (Unknowns Budget)
└──► SPRINT_4300_0002_0002 (Unknowns Attestation)
SPRINT_4300_0003_0001 (Sealed Snapshot)
└──► [Standalone, enables air-gap scenarios]
```
---
## Success Metrics
| Metric | Target | Measurement |
|--------|--------|-------------|
| Verdict push success rate | >99% | OTEL metrics |
| Audit replay pass rate | 100% on same inputs | CI tests |
| Unknown budget violations detected | >0 in test suite | Integration tests |
| Air-gap import success rate | >99% | Manual testing |
---
## Risks & Dependencies
| Risk | Impact | Mitigation |
|------|--------|------------|
| OCI registry incompatibility | Cannot push verdicts | Fallback to tag-based |
| Bundle size too large | Transfer issues | Streaming, compression |
| Key management complexity | Security | Document rotation procedures |
---
## Timeline Recommendation
**Phase 1 (Weeks 1-4)**: P0 Sprints
- OCI Verdict Push + Audit Replay
**Phase 2 (Weeks 5-7)**: P1 Sprints
- Unknowns Budget + Attestations
**Phase 3 (Weeks 8-9)**: P1 Sprints
- Sealed Knowledge Snapshots
---
## Documentation Deliverables
- [ ] `docs/operations/verdict-attestation-guide.md`
- [ ] `docs/operations/audit-replay-guide.md`
- [ ] `docs/operations/unknown-budgets-guide.md`
- [ ] `docs/operations/airgap-knowledge-sync.md`
- [ ] Update attestation type catalog
- [ ] Update CLI reference
---
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | MOAT-4300-0001 | DONE | SPRINT_4300_0001_0001 (24/24) | Agent | Track OCI verdict attestation push sprint. |
| 2 | MOAT-4300-0002 | DONE | SPRINT_4300_0001_0002 (28/28) | Agent | Track one-command audit replay CLI sprint. |
| 3 | MOAT-4300-0003 | DONE | SPRINT_4300_0002_0001 (20/20) | Agent | Track unknowns budget policy sprint. |
| 4 | MOAT-4300-0004 | DONE | SPRINT_4300_0002_0002 (8/8) | Agent | Track unknowns attestation predicates sprint. |
| 5 | MOAT-4300-0005 | DONE | SPRINT_4300_0003_0001 (20/20) | Agent | Track sealed knowledge snapshot sprint. |
## Wave Coordination
- Phase 1: Verdict push + audit replay.
- Phase 2: Unknowns budget + attestations.
- Phase 3: Sealed knowledge snapshots.
## Wave Detail Snapshots
- See "Timeline Recommendation" for phase detail.
## Interlocks
- CLI verification depends on verdict referrer availability.
- Air-gap snapshot import depends on Concelier/Excititor policy data compatibility.
## Upcoming Checkpoints
| Date (UTC) | Checkpoint | Owner |
| --- | --- | --- |
| 2025-12-22 | Moat summary normalized to sprint template. | Agent |
## Action Tracker
| Date (UTC) | Action | Owner | Status |
| --- | --- | --- | --- |
| 2025-12-22 | Normalize summary file to standard template. | Agent | DONE |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-22 | Moat summary created from 19-Dec-2025 advisory. | Agent |
| 2025-12-22 | Normalized summary file to standard template; no semantic changes. | Agent |
| 2025-12-23 | All 5 moat sprints substantially complete: OCI Verdict (24/24), Audit Replay (27/28), Unknowns Budget (20/20), Unknowns Attestation (8/8), Sealed Snapshot (17/20). Total: 96/100 tasks. | Agent |
| 2025-12-23 | Unit tests added for AuditPack services: AuditBundleWriterTests (8), AirGapTrustStoreIntegrationTests (14). All 22 tests passing. | Agent |
| 2025-12-23 | UNBLOCKED: Completed REPLAY-028 (E2E tests, 6 tests passing) + SEAL-015/016/017 (module import adapters). Created KnowledgeSnapshotImporter.cs with module-specific targets: ConcelierAdvisoryImportTarget, ExcititorVexImportTarget, PolicyRegistryImportTarget. Total: 100/100 tasks (100%). | Agent |
## Decisions & Risks
| Item | Type | Owner | Notes |
| --- | --- | --- | --- |
| Moat focus | Decision | Planning | Emphasize signed verdicts and epistemic workflows. |
| Risk | Impact | Mitigation |
| --- | --- | --- |
| Registry referrers compatibility | Verdict push unavailable | Tag-based fallback and documentation. |
**Sprint Series Status:** DONE (100/100 tasks complete - 100%)
**Created:** 2025-12-22
**Origin:** Gap analysis of 19-Dec-2025 moat strength advisory
**Completed:** 2025-12-23
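Review bot: the "Decisions & Risks" section near the end of this file starts a second table directly under the first one with no blank line, so `| Risk | Impact | Mitigation |` and `| --- | --- | --- |` will be rendered as extra rows of the four-column Decisions table rather than as a new table; insert a blank line (or a `### Risks` sub-heading, matching the `###` style used under "Sprint Breakdown") before it. That second table also repeats the registry-referrers risk already listed under "Risks & Dependencies" (`| OCI registry incompatibility | Cannot push verdicts | Fallback to tag-based |`); keep one copy. On the substance of that mitigation: a tag-based fallback for attestations is a mutable pointer, so the row should state that the replay/verify path must bind the attestation to the image by the subject digest inside the signed envelope and never trust the tag for identity, otherwise the "ship token" property claimed under "P0 Sprints" does not survive the fallback. The `Key management complexity | Security | Document rotation procedures` row names a category, not an impact; spell out the impact (e.g. a rotated or revoked signing key leaving previously pushed verdicts unverifiable offline) and extend the mitigation beyond rotation docs to cover trust-root distribution and key revocation for the air-gap snapshot consumer, since the sealed bundle is the only trust source in that mode. Minor: "Air-gap import success rate | >99% | Manual testing" cannot be measured to that precision by hand; either point it at the integration tests named in the execution log or drop the percentage, and "Dependency Graph" marks the Sealed Snapshot sprint as standalone while "Interlocks" says its import depends on Concelier/Excititor policy data compatibility, so one of the two should be qualified.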