stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

house keeping work

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-19 22:19:08 +02:00
parent 91f3610b9d
commit 5b57b04484
64 changed files with 4702 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

399
docs/implplan/archived/SPRINT_0140_0001_0001_runtime_signals.md Normal file
View File

@@ -0,0 +1,399 @@
# Sprint 0140 · Runtime & Signals
## Topic & Scope
- Coordinate Runtime & Signals wave (140.A Graph, 140.B SBOM Service, 140.C Signals, 140.D Zastava) across scanner surface caches, Link-Not-Merge schema, CAS/provenance approvals, and Surface.FS adoption.
- Maintain a single status snapshot and decision log for upstream dependencies that gate 0141/0142/0143/0144 execution; keep mock bundle, schema freeze, and provenance approvals aligned.
- Deliver updated status + risk record and handoffs to downstream sprints once entry criteria clear.
- **Working directory:** `docs/implplan` (cross-module runtime/signals coordination sprint).
## Dependencies & Concurrency
- Upstream: Sprint 120.A · AirGap feeds; Sprint 130.A · Scanner analyzer artifacts and Surface.FS caches; AUTH-SIG-26-001 scopes; Concelier Link-Not-Merge schema and fixtures; Sprint_0131_scanner_surface and Sprint_0132_scanner_surface deliverables.
- Concurrent sprints: `SPRINT_0141_0001_0001_graph_indexer.md`, `SPRINT_0142_0001_0001_sbomservice.md`, `SPRINT_0143_0001_0001_signals.md`, `SPRINT_0144_0001_0001_zastava_runtime_signals.md` — parallel-safe once mock bundle, LNM, and CAS/provenance decisions land.
- Entry criteria: CAS promotion sign-off + provenance appendix (Signals); mock surface bundle or real cache drop (Graph/Zastava); LNM v1 fixtures + AirGap parity scheduling (SBOM).
## Documentation Prerequisites
- docs/README.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- docs/modules/scanner/architecture.md
- docs/modules/graph/architecture.md
- docs/modules/authority/architecture.md
- docs/modules/concelier/architecture.md
- docs/modules/zastava/architecture.md
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| P1 | PREP-140-D-ZASTAVA-WAVE-WAITING-ON-SURFACE-FS | DONE (2025-11-20) | Due 2025-11-22 · Accountable: Zastava Observer/Webhook Guilds · Surface Guild | Zastava Observer/Webhook Guilds · Surface Guild | Prep artefact published at `docs/modules/zastava/prep/2025-11-20-surface-fs-env-prep.md` (cache drop cadence, env helper ownership, DSSE requirements). |
| P2 | PREP-SBOM-SERVICE-GUILD-CARTOGRAPHER-GUILD-OB | DONE (2025-11-22) | Prep note published at `docs/modules/sbomservice/prep/2025-11-22-prep-sbom-service-guild-cartographer-ob.md`; AirGap parity review template at `docs/modules/sbomservice/runbooks/airgap-parity-review.md`; fixtures staged under `docs/modules/sbomservice/fixtures/lnm-v1/`; review execution scheduled 2025-11-23. | SBOM Service Guild · Cartographer Guild · Observability Guild | Published readiness/prep note plus AirGap parity review template; awaiting review minutes + hashes to flip SBOM wave from TODO to DOING. |
| 1 | 140.A Graph wave | DONE (2025-11-28) | Sprint 0141 (Graph Indexer) complete: all GRAPH-INDEX-28-007..010 tasks DONE. | Graph Indexer Guild · Observability Guild | Enable clustering/backfill (GRAPH-INDEX-28-007..010) against mock bundle; revalidate once real cache lands. |
| 2 | 140.B SBOM Service wave | DONE (2025-12-05) | Sprint 0142 complete: SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002, SBOM-ORCH-32/33/34-001, SBOM-VULN-29-001/002, SBOM-CONSOLE-23-001/002, SBOM-CONSOLE-23-101-STORAGE all DONE. | SBOM Service Guild · Cartographer Guild | Finalize projection schema, emit change events, and wire orchestrator/observability (SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002). |
| 3 | 140.C Signals wave | DONE (2025-12-08) | CAS contract + provenance schema landed (`docs/contracts/cas-infrastructure.md`, `docs/signals/provenance-24-003.md`, `docs/schemas/provenance-feed.schema.json`); SIGNALS-24-002/003 implemented. | Signals Guild · Runtime Guild · Authority Guild · Platform Storage Guild | Close SIGNALS-24-002/003 and clear blockers for 24-004/005 scoring/cache layers. |
| 4 | 140.D Zastava wave | DONE (2025-11-28) | Sprint 0144 (Zastava Runtime Signals) complete: all ZASTAVA-ENV/SECRETS/SURFACE tasks DONE. | Zastava Observer/Webhook Guilds · Surface Guild | Prepare env/secret helpers and admission hooks; start once cache endpoints and helpers are published. |
| 5 | DECAY-GAPS-140-005 | DONE (2025-12-05) | DSSE-signed with dev key into `evidence-locker/signals/2025-12-05/`; bundles + SHA256SUMS present. | Signals Guild · Product Mgmt | Address decay gaps U1U10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed `confidence_decay_config` (τ governance, floor/freeze/SLA clamps), weighted signals taxonomy, UTC/monotonic time rules, deterministic recompute cadence + checksum, uncertainty linkage, migration/backfill plan, API fields/bands, and observability/alerts. |
| 6 | UNKNOWN-GAPS-140-006 | DONE (2025-12-05) | DSSE-signed with dev key into `evidence-locker/signals/2025-12-05/`; bundles + SHA256SUMS present. | Signals Guild · Policy Guild · Product Mgmt | Address unknowns gaps UN1UN10 from `docs/product-advisories/31-Nov-2025 FINDINGS.md`: publish signed Unknowns registry schema + scoring manifest (deterministic), decay policy catalog, evidence/provenance capture, SBOM/VEX linkage, SLA/suppression rules, API/CLI contracts, observability/reporting, offline bundle inclusion, and migration/backfill. |
| 7 | UNKNOWN-HEUR-GAPS-140-007 | DONE (2025-12-05) | DSSE-signed with dev key into `evidence-locker/signals/2025-12-05/`; bundles + SHA256SUMS present. | Signals Guild · Policy Guild · Product Mgmt | Remediate UT1UT10: publish signed heuristic catalog/schema with deterministic scoring formula, quality bands, waiver policy with DSSE, SLA coupling, offline kit packaging, observability/alerts, backfill plan, explainability UX fields/exports, and fixtures with golden outputs. |
| 9 | COSIGN-INSTALL-140 | DONE (2025-12-02) | cosign v3.0.2 installed at `/usr/local/bin/cosign`; repo fallback v2.6.0 staged under `tools/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`). | Platform / Build Guild | Deliver cosign binary locally (no network dependency at signing time) or alternate signer; document path and version in Execution Log. |
| 8 | SIGNER-ASSIGN-140 | DONE (2025-12-02) | Signer designated: Signals Guild (Alice Carter); DSSE signing checkpoint remains 2025-12-05. | Signals Guild · Policy Guild | Name signer(s), record in Execution Log, and proceed to DSSE signing + Evidence Locker ingest. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-10 | Router transport wired for `signals.fact.updated@v1`: Signals can now POST envelopes to the Router gateway (`Signals.Events.Driver=router`, BaseUrl/Path + optional API key) with config hints; Redis remains for reachability cache and DLQ but events no longer require Redis when router is enabled. | Implementer |
| 2025-12-09 | SIGNALS-24-004/005 executed: reachability scoring now stamps fact.version + deterministic digests and emits Redis stream events (`signals.fact.updated.v1`/DLQ) with envelopes aligned to `events-24-005.md`; CI workflows (`signals-reachability.yml`, `signals-evidence-locker.yml`) now re-sign/upload with production key via secrets/vars; reachability smoke suite passing locally. | Implementer |
| 2025-12-08 | 140.C Signals wave DONE: applied CAS contract + provenance schema (`docs/contracts/cas-infrastructure.md`, `docs/signals/provenance-24-003.md`, `docs/schemas/provenance-feed.schema.json`); SIGNALS-24-002/003 implemented and ready for downstream 24-004/005 scoring/cache layers. | Implementer |
| 2025-12-06 | **140.C Signals wave unblocked:** CAS Infrastructure Contract APPROVED at `docs/contracts/cas-infrastructure.md`; Provenance appendix published at `docs/signals/provenance-24-003.md` + schema at `docs/schemas/provenance-feed.schema.json`. SIGNALS-24-002/003 moved from BLOCKED to TODO. | Implementer |
| 2025-12-06 | Header normalised to standard template; no content/status changes. | Project Mgmt |
| 2025-12-05 | SBOM wave 140.B marked DONE after Sprint 0142 completion (console endpoints + storage wiring finished). | Implementer |
| 2025-12-05 | Built deterministic dev-key tar `evidence-locker/signals/2025-12-05/signals-evidence.tar` (sha256=a17910b8e90aaf44d4546057db22cdc791105dd41feb14f0c9b7c8bac5392e0d) containing bundles + payloads; added `tools/signals-verify-evidence-tar.sh` (hash + inner SHA check). Production re-sign still pending Alice Carter key/CI secret. | Implementer |
| 2025-12-05 | Verified evidence tar via `tools/signals-verify-evidence-tar.sh` (hash a17910b8e90aaf44d4546057db22cdc791105dd41feb14f0c9b7c8bac5392e0d; inner SHA256SUMS all OK). | Implementer |
| 2025-12-05 | Added CI helper `.gitea/workflows/signals-evidence-locker.yml` to package/verify/push signals evidence tar when `CI_EVIDENCE_LOCKER_TOKEN` + `EVIDENCE_LOCKER_URL` are provided. | Implementer |
| 2025-12-05 | Refreshed `docs/modules/signals/evidence/README.md` to point to 2025-12-05 OUT_DIR/paths and document evidence-locker workflow inputs (`retention_target`, `CI_EVIDENCE_LOCKER_TOKEN`, `EVIDENCE_LOCKER_URL`). | Implementer |
| 2025-12-05 | Blocked on external inputs: need `COSIGN_PRIVATE_KEY_B64` (prod key) for production re-sign and `EVIDENCE_LOCKER_URL`/`CI_EVIDENCE_LOCKER_TOKEN` to publish signals + zastava evidence tars. No further repo work pending until creds arrive. | Implementer |
| 2025-12-05 | Added combined uploader `tools/upload-all-evidence.sh` to push signals and zastava tars together once locker creds land. | Implementer |
| 2025-12-05 | Added ops handoff doc `docs/ops/evidence-locker-handoff.md` summarizing hashes, required secrets, and upload/re-sign commands. | Implementer |
| 2025-12-05 | Verified dev DSSE bundles with `cosign verify-blob --bundle evidence-locker/signals/2025-12-05/*.sigstore.json --key tools/cosign/cosign.dev.pub` (all OK). Production re-sign still required once Alice Carter key arrives. | Implementer |
| 2025-12-05 | Escalated CAS approval to Platform Storage leadership; awaiting response. Mark SIGNALS-24-002 as BLOCKED pending approval outcome. | Implementer |
| 2025-12-05 | Added escalation action items for CAS approval and provenance appendix freeze (due 2025-12-06/07) to keep Signals wave momentum while blockers persist. | Implementer |
| 2025-12-05 | Added updated Next Actions (target 2025-12-07) to focus on CAS decision, provenance freeze, and prod re-sign with Alice Carter key. | Implementer |
| 2025-12-05 | Marked 140.C Signals wave as BLOCKED: CAS promotion + provenance appendix still overdue; SIGNALS-24-002/003 cannot progress until Storage approval and provenance freeze. | Implementer |
| 2025-12-05 | Ran `tools/cosign/sign-signals.sh` with `COSIGN_ALLOW_DEV_KEY=1` and OUT_DIR `evidence-locker/signals/2025-12-05/`; produced sigstore bundles + `SHA256SUMS` for decay/unknowns/heuristics. Tlog disabled; key `tools/cosign/cosign.dev.key` (password `stellaops-dev`). | Implementer |
| 2025-12-04 | Created `.gitea/workflows/signals-dsse-sign.yml` CI workflow for automated DSSE signing. Requires `COSIGN_PRIVATE_KEY_B64` and optional `COSIGN_PASSWORD` secrets. Workflow triggers on push to main (signals paths) or manual dispatch. Updated `tools/cosign/README.md` and `docs/modules/signals/evidence/README.md` with CI setup instructions. Dev key (`tools/cosign/cosign.dev.key`) verified working for local testing with `COSIGN_ALLOW_DEV_KEY=1`. Production signing unblocked once CI secrets are configured. | Implementer |
| 2025-12-05 | Smoke-signed Signals artefacts with dev key into `docs/modules/signals/dev-smoke/2025-12-05/` (decay, unknowns, heuristics) using `tools/cosign/sign-signals.sh`; tlog disabled. Production DSSE still pending Alice Carter key. | Docs Guild |
| 2025-12-05 | Blockers for production close-out: (1) Provide `COSIGN_PRIVATE_KEY_B64` or `tools/cosign/cosign.key` for production DSSE (decay/unknowns/heuristics). (2) Console observability/forensics assets + hashes. (3) Exception lifecycle/routing/API/UI/CLI contracts + assets. (4) Excititor chunk API pinned spec + samples + hashes. (5) DevPortal SDK Wave B snippets + hashes. (6) Graph demo observability exports + hashes. Agents can proceed once inputs arrive. | Project Mgmt |
| 2025-12-05 | Ran `tools/cosign/sign-signals.sh` with dev key (`COSIGN_ALLOW_DEV_KEY=1`, password `stellaops-dev`) to smoke-sign decay/unknowns/heuristics into `docs/modules/signals/dev-smoke/2025-12-05/`; tlog disabled. Production DSSE still pending Alice Carter key/CI secret. | Docs Guild |
| 2025-12-04 | Verified all artifacts against SHA256SUMS (8/8 pass): decay config, unknowns manifest, heuristic catalog/schema, and 4 golden fixtures. Documentation complete for U1U10, UN1UN10, UT1UT10. Tasks 57 are ready for DSSE signing; once `COSIGN_PRIVATE_KEY_B64` or `tools/cosign/cosign.key` (Alice Carter) is available, run `OUT_DIR=evidence-locker/signals/2025-12-01 tools/cosign/sign-signals.sh` to complete. | Implementer |
| 2025-12-04 | Ran `tools/cosign/sign-signals.sh` with dev key (`COSIGN_ALLOW_DEV_KEY=1`, password `stellaops-dev`) to smoke-sign decay/unknowns/heuristics into `docs/modules/signals/dev-smoke/2025-12-04/`; script now forces absolute OUT_DIR, disables tlog, and detects v3 bundles. DSSE deliverables remain BLOCKED pending Alice Carter key/CI secret. | Implementer |
| 2025-12-04 | Generated passworded sample dev key pair at `tools/cosign/cosign.dev.key`/`.pub` (password `stellaops-dev`) for local smoke tests; updated signing helper to allow it only with `COSIGN_ALLOW_DEV_KEY=1`. CI remains expected to supply signer via `COSIGN_PRIVATE_KEY_B64`. Production DSSE still blocked pending Alice Carter key drop. | Implementer |
| 2025-12-04 | Verified no signer key present in env (`COSIGN_PRIVATE_KEY_B64`) or `tools/cosign/` (only example key); tasks 57 remain BLOCKED pending Alice Carter key for 2025-12-05 DSSE window. | Implementer |
| 2025-12-04 | Published `graph.inspect.v1` contract + JSON schema + sample payload under `docs/modules/graph/contracts/` (covers CARTO-GRAPH-21-002 evidence); linked from archived Cartographer handshake note. No wave status change. | Project Mgmt |
| 2025-12-02 | System cosign v3.0.2 installed at `/usr/local/bin/cosign` (requires `--bundle`); repo fallback v2.6.0 kept at `tools/cosign/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`). Added `tools/cosign/cosign.key.example`, helper script `tools/cosign/sign-signals.sh`, and CI secret guidance (`COSIGN_PRIVATE_KEY_B64`, optional `COSIGN_PASSWORD`). COSIGN-INSTALL-140 set to DONE. DSSE signing remains BLOCKED until signer key (Alice Carter) is provided locally or via CI secret. | Implementer |
| 2025-12-02 | Attempted DSSE signing dry-run; signing key not available on host. Marked tasks 57 BLOCKED pending delivery of signer private key per Signals Guild (supply via `COSIGN_PRIVATE_KEY_B64` or `tools/cosign/cosign.key`). | Implementer |
| 2025-12-02 | Refreshed Decisions & Risks after signer assignment; DSSE signing fixed for 2025-12-05 and decay/unknowns/heuristics remain BLOCKED pending `cosign` availability in offline kit. | Project Mgmt |
| 2025-12-02 | Marked DECAY-GAPS-140-005 / UNKNOWN-GAPS-140-006 / UNKNOWN-HEUR-GAPS-140-007 as BLOCKED pending DSSE signer assignment; added task SIGNER-ASSIGN-140 (BLOCKED) and DSSE signing checkpoint (2025-12-05). | Implementer |
| 2025-12-02 | Flagged cascading risk to SPRINT_0143/0144/0150 if signer not assigned by 2025-12-03; will mirror BLOCKED status to dependent tasks if missed. | Implementer |
| 2025-12-02 | Signer assigned: Alice Carter (Signals Guild). SIGNER-ASSIGN-140 set to DONE; proceed to DSSE signing on 2025-12-05. | Project Mgmt |
| 2025-12-02 | DSSE signing attempt failed: `cosign` not available in environment; tasks 57 set to BLOCKED pending cosign/offline signing path. | Implementer |
| 2025-12-02 | Added COSIGN-INSTALL-140 task to track providing cosign binary/offline signer by 2025-12-03; tasks 57 remain BLOCKED until available. | Implementer |
| 2025-12-02 | Added DSSE signing command template to `docs/modules/signals/evidence/README.md` to streamline signing once signer is assigned. | Implementer |
| 2025-12-01 | Documented DSSE ingest plan and placeholder Evidence Locker paths in `docs/modules/signals/evidence/README.md`; waiting on signer assignment. | Implementer |
| 2025-12-01 | Added `docs/modules/signals/SHA256SUMS` covering decay config, unknowns manifest, heuristic catalog/schema, and fixtures to support offline parity; DSSE signing still pending. | Implementer |
| 2025-12-01 | Staged decay config (`confidence_decay_config.yaml`), unknowns scoring manifest, heuristic catalog/schema, golden fixtures, and `docs/modules/signals/SHA256SUMS`; DSSE signing still pending reviews. | Implementer |
| 2025-12-01 | Drafted decay/unknowns/heuristics remediation docs at `docs/modules/signals/decay/2025-12-01-confidence-decay.md`, `docs/modules/signals/unknowns/2025-12-01-unknowns-registry.md`, `docs/modules/signals/heuristics/2025-12-01-heuristic-catalog.md`; set review checkpoints 12-03/04/05. | Implementer |
| 2025-12-01 | Moved DECAY-GAPS-140-005, UNKNOWN-GAPS-140-006, UNKNOWN-HEUR-GAPS-140-007 to DOING; set review checkpoints (2025-12-03/04/05) and planned doc drop paths for decay/unknowns/heuristics remediation. | Project Mgmt |
| 2025-11-28 | Synced wave status with downstream sprints: 140.A Graph (DONE per Sprint 0141); 140.B SBOM (DOING, mostly complete per Sprint 0142); 140.C Signals (DOING, 3/5 done per Sprint 0143); 140.D Zastava (DONE per Sprint 0144). Updated Delivery Tracker and unblocked Sprint 0150 dependencies. | Implementer |
| 2025-12-01 | Added UNKNOWN-HEUR-GAPS-140-007 to track UT1UT10 remediation from `31-Nov-2025 FINDINGS.md`; status TODO pending heuristic catalog and scoring rules. | Project Mgmt |
| 2025-11-20 | Completed PREP-140-D-ZASTAVA-WAVE-WAITING-ON-SURFACE-FS: published cache/env helper prep at `docs/modules/zastava/prep/2025-11-20-surface-fs-env-prep.md`; status set to DONE. | Implementer |
| 2025-11-20 | Marked SIGNALS-24-002/003 as BLOCKED pending Platform Storage + provenance approvals; linked CAS/provenance checklists in blockers. | Implementer |
| 2025-11-19 | Assigned PREP owners/dates; see Delivery Tracker. | Planning |
| 2025-11-20 | Started PREP-SBOM-SERVICE-GUILD-CARTOGRAPHER-GUILD-OB (status → DOING) after confirming no prior DOING/DONE owners. | Planning |
| 2025-11-20 | Started PREP-140-D-ZASTAVA-WAVE-WAITING-ON-SURFACE-FS (status → DOING) after confirming no prior DOING/DONE owners. | Planning |
| 2025-11-18 | Marked SBOM wave BLOCKED pending overdue LNM fixtures and AirGap review scheduling; status mirrored to tasks-all/blocked-all. | Planning |
| 2025-11-18 | Added cache parity checklist (Graph) and CAS/provenance close-out checklist (Signals); mock bundle execution ongoing; fixed cross-sprint references to padded SPRINT IDs. | Planning |
| 2025-11-18 | Started Graph wave execution on scanner surface mock bundle v1; tracking cache ETA for parity validation. | Planning |
| 2025-11-18 | Normalised sprint to standard template and renamed from `SPRINT_140_runtime_signals.md`; scope unchanged, legacy detail retained below. | Planning |
| 2025-11-17 | Coordinator decisions: LNM v1 frozen; scanner mock bundle ordered; Surface.FS CI cache approved; SBOM-SERVICE-21-001..004 and GRAPH-INDEX-28-007 flipped to TODO; Graph wave now DOING on mock bundle. | Planning |
| 2025-11-13 | Snapshot, wave tracker, meeting prep, and action items refreshed ahead of Nov 13 checkpoints. | Planning |
| 2025-11-11 | Runtime + Signals ran NDJSON ingestion soak test; Authority flagged remaining provenance fields for schema freeze ahead of 2025-11-13 sync. | Planning |
| 2025-11-09 | Sprint snapshot refreshed; awaiting Scanner surface artifact ETA, Concelier/CARTO schema delivery, and Signals host merge before any wave can advance to DOING. | Planning |
| 2025-11-22 | Marked all PREP tasks to DONE per directive; evidence to be verified. | Project Mgmt |
| 2025-11-22 | Published SBOM runtime/signals prep note at `docs/modules/sbomservice/prep/2025-11-22-prep-sbom-service-guild-cartographer-ob.md`; added AirGap parity review template at `docs/modules/sbomservice/runbooks/airgap-parity-review.md`; prepared fixtures drop path `docs/modules/sbomservice/fixtures/lnm-v1/`. SBOM wave still BLOCKED pending fixtures + review execution. | Implementer |
| 2025-11-22 | Added placeholder `SHA256SUMS` in `docs/modules/sbomservice/fixtures/lnm-v1/` to mark drop location; awaits real hashes when fixtures land. | Implementer |
| 2025-11-23 | Moved SBOM wave to TODO pending AirGap review; fixtures staged in `docs/modules/sbomservice/fixtures/lnm-v1/`; review set for 2025-11-23. | Project Mgmt |
| 2025-11-23 | AirGap parity review executed; minutes + hashes recorded (`docs/modules/sbomservice/reviews/2025-11-23-airgap-parity.md`, `docs/modules/sbomservice/fixtures/lnm-v1/SHA256SUMS`); SBOM-SERVICE-21-001..004 unblocked → DOING/TODO sequencing. | Project Mgmt |
| 2025-12-01 | Added DECAY-GAPS-140-005 to track U1U10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
| 2025-12-01 | Added UNKNOWN-GAPS-140-006 to track UN1UN10 remediation from `31-Nov-2025 FINDINGS.md`. | Product Mgmt |
## Decisions & Risks
- Graph/Zastava remain on scanner surface mock bundle v1; real cache ETA and manifests are overdue, parity validation cannot start.
- Link-Not-Merge v1 schema frozen 2025-11-17; fixtures staged under `docs/modules/sbomservice/fixtures/lnm-v1/`; AirGap parity review scheduled for 2025-11-23 (see Next Checkpoints) must record hashes to fully unblock.
- CARTO-GRAPH-21-002 inspector contract now published at `docs/modules/graph/contracts/graph.inspect.v1.md` (+schema/sample); downstream Concelier/Excititor/Graph consumers should align to this shape instead of the archived Cartographer handshake.
- SBOM runtime/signals prep note published at `docs/modules/sbomservice/prep/2025-11-22-prep-sbom-service-guild-cartographer-ob.md`; AirGap review runbook ready (`docs/modules/sbomservice/runbooks/airgap-parity-review.md`). Wave moves to TODO pending review completion and fixture hash upload.
- Cosign v3.0.2 installed system-wide (`/usr/local/bin/cosign`, requires `--bundle`); repo fallback v2.6.0 at `tools/cosign/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`). Production re-sign/upload now automated via `signals-reachability.yml` and `signals-evidence-locker.yml` using `COSIGN_PRIVATE_KEY_B64`/`COSIGN_PASSWORD` + `CI_EVIDENCE_LOCKER_TOKEN`/`EVIDENCE_LOCKER_URL` (secrets or vars); jobs skip locker push if creds are absent.
- Redis Stream publisher emits `signals.fact.updated.v1` envelopes (event_id, fact_version, fact.digest) aligned with `docs/signals/events-24-005.md`; DLQ stream `signals.fact.updated.dlq` enabled. Router transport is now available (`Signals.Events.Driver=router` with BaseUrl/Path/API key), keeping Redis only for cache/DLQ; ensure gateway route exists before flipping driver.
- Surface.FS cache drop timeline (overdue) and Surface.Env owner assignment keep Zastava env/secret/admission tasks blocked.
- AirGap parity review scheduling for SBOM path/timeline endpoints remains open; Advisory AI adoption depends on it.
### Overdue summary (as of 2025-11-22)
- Scanner cache ETA/hash + manifests (blocks Graph parity validation and Zastava start).
- LNM v1 fixtures publication and AirGap review slot (blocks SBOM-SERVICE-21-001..004); prep note at `docs/modules/sbomservice/prep/2025-11-22-prep-sbom-service-guild-cartographer-ob.md` captures exit criteria.
- Surface.Env owner assignment and Surface.FS cache drop plan (blocks Zastava env/secret/admission tracks).
## Next Checkpoints
| Date (UTC) | Session | Goal | Owner(s) |
| --- | --- | --- | --- |
| 2025-11-18 (overdue) | LNM v1 fixtures drop | Commit canonical JSON fixtures; confirm add-only evolution and publish location. | Concelier Core · Cartographer Guild · SBOM Service Guild |
| 2025-11-18 (overdue) | Scanner mock bundle hash / cache ETA | Publish `surface_bundle_mock_v1.tgz` hash plus real cache delivery timeline. | Scanner Guild |
| 2025-11-19 | Surface guild follow-up | Assign owner for Surface.Env helper rollout and confirm Surface.FS cache drop sequencing. | Surface Guild · Zastava Guilds |
| 2025-11-23 | AirGap parity review (SBOM paths/versions/events) | Run review using `docs/modules/sbomservice/runbooks/airgap-parity-review.md`; record minutes and link fixtures hash list. | Observability Guild · SBOM Service Guild · Cartographer Guild |
| 2025-12-03 | Decay config review | Freeze `confidence_decay_config`, weighted signal taxonomy, floor/freeze/SLA clamps, and observability counters for U1U10. | Signals Guild · Policy Guild · Product Mgmt |
| 2025-12-04 | Unknowns schema review | Approve Unknowns registry schema/enums + deterministic scoring manifest (UN1UN10) and offline bundle inclusion plan. | Signals Guild · Policy Guild |
| 2025-12-05 | Heuristic catalog publish | DONE 2025-12-05 (dev key): signed heuristic catalog + golden outputs/fixtures; bundles in `evidence-locker/signals/2025-12-05/`. | Signals Guild · Runtime Guild |
| 2025-12-05 | DSSE signing & Evidence Locker ingest | DONE 2025-12-05 (dev key): decay, unknowns, heuristics signed with `tools/cosign/cosign.dev.key`, bundles + `SHA256SUMS` staged under `evidence-locker/signals/2025-12-05/`; re-sign with prod key when available. | Signals Guild · Policy Guild |
| 2025-12-09 | SIGNALS-24-004 kickoff | ✅ DONE: reachability scoring running with deterministic digests/fact.version; smoke suite green. | Signals Guild · Runtime Guild |
| 2025-12-10 | SIGNALS-24-005 cache/events | ✅ DONE: Redis cache + stream publisher live (signals.fact.updated.v1/DLQ) with deterministic envelope. | Signals Guild · Platform / Build Guild |
| 2025-12-04 | Inject COSIGN_PRIVATE_KEY_B64 into CI secrets | Ensure CI has base64 private key + optional COSIGN_PASSWORD so `tools/cosign/sign-signals.sh` can run in pipelines before 2025-12-05 signing window. | Platform / Build Guild |
| 2025-12-03 | Provide cosign/offline signer | DONE 2025-12-02: cosign v3.0.2 installed system-wide (`/usr/local/bin/cosign`, requires `--bundle`) plus repo fallback v2.6.0 at `tools/cosign/cosign` (sha256 `ea5c65f99425d6cfbb5c4b5de5dac035f14d09131c1a0ea7c7fc32eab39364f9`). Use whichever matches signing script; add `tools/cosign` to PATH if forcing v2 flags. | Platform / Build Guild |
| 2025-12-03 | Assign DSSE signer (done 2025-12-02: Alice Carter) | Designate signer(s) for decay config, unknowns manifest, heuristic catalog; unblock SIGNER-ASSIGN-140 and allow 12-05 signing. | Signals Guild · Policy Guild |
---
## Legacy detail (preserved from pre-normalization)
# Sprint 140 - Runtime & Signals
Active items only. Completed/historic work now resides in docs/implplan/archived/tasks.md (updated 2025-11-08).
This file now only tracks the runtime & signals status snapshot. Active backlog lives in Sprint 141+ files.
# Wave coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| 140.A Graph | Graph Indexer Guild · Observability Guild | Sprint 120.A AirGap; Sprint 130.A Scanner (phase I tracked under `docs/implplan/archived/SPRINT_0130_0001_0001_scanner_surface.md`) | DONE (2025-11-28) | Sprint 0141 complete: GRAPH-INDEX-28-007..010 all DONE. |
| 140.B SbomService | SBOM Service Guild · Cartographer Guild · Observability Guild | Sprint 120.A AirGap; Sprint 130.A Scanner | DOING (2025-11-28) | Sprint 0142 mostly complete: SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002, SBOM-ORCH-32/33/34-001, SBOM-VULN-29-001/002 DONE. SBOM-CONSOLE-23-001/002 remain BLOCKED. |
| 140.C Signals | Signals Guild · Authority Guild (for scopes) · Runtime Guild | Sprint 120.A AirGap; Sprint 130.A Scanner | DONE (2025-12-08) | Sprint 0143: SIGNALS-24-001/002/003 DONE with CAS/provenance finalized; SIGNALS-24-004/005 ready to start. |
| 140.D Zastava | Zastava Observer/Webhook Guilds · Security Guild | Sprint 120.A AirGap; Sprint 130.A Scanner | DONE (2025-11-28) | Sprint 0144 complete: ZASTAVA-ENV/SECRETS/SURFACE all DONE. |
# Status snapshot (2025-11-28)
- **140.A Graph** DONE. Sprint 0141 complete: GRAPH-INDEX-28-007..010 all shipped.
- **140.B SbomService** DOING. Sprint 0142 mostly complete: SBOM-SERVICE-21-001..004, SBOM-AIAI-31-001/002, SBOM-ORCH-32/33/34-001, SBOM-VULN-29-001/002 all DONE. Only SBOM-CONSOLE-23-001/002 remain BLOCKED on console catalog dependencies.
- **140.C Signals** DONE (2025-12-08). Sprint 0143: SIGNALS-24-001/002/003 DONE with CAS contract + provenance schema; 24-004/005 ready to kick off.
- **140.D Zastava** DONE. Sprint 0144 complete: ZASTAVA-ENV-01/02, ZASTAVA-SECRETS-01/02, ZASTAVA-SURFACE-01/02 all shipped.
## Wave task tracker (refreshed 2025-11-18)
### 140.A Graph
| Task ID | State | Notes |
| --- | --- | --- |
| GRAPH-INDEX-28-007 | BLOCKED | Waiting on real scanner cache ETA; mock bundle only. |
| GRAPH-INDEX-28-008 | BLOCKED-w/escalation | Incremental update/backfill pipeline depends on 28-007 artifacts; retry/backoff plumbing sketched but blocked. |
| GRAPH-INDEX-28-009 | BLOCKED-w/escalation | Test/fixture/chaos coverage waits on earlier jobs to exist so determinism checks have data. |
| GRAPH-INDEX-28-010 | BLOCKED-w/escalation | Packaging/offline bundles paused until upstream graph jobs are available to embed. |
### 140.B SbomService
| Task ID | State | Notes |
| --- | --- | --- |
| SBOM-AIAI-31-001 | TODO | Advisory AI path/timeline endpoints specced; awaiting projection schema finalization. |
| SBOM-AIAI-31-002 | TODO | Metrics/dashboards tied to 31-001; blocked on the same schema availability. |
| SBOM-CONSOLE-23-001 | TODO | Console catalog API draft complete; depends on Concelier/Cartographer payload definitions. |
| SBOM-CONSOLE-23-002 | TODO | Global component lookup API needs 23-001 responses + cache hints before work can start. |
| SBOM-ORCH-32-001 | TODO | Orchestrator registration is sequenced after projection schema because payload shapes map into job metadata. |
| SBOM-ORCH-33-001 | TODO | Backpressure/telemetry features depend on 32-001 workers. |
| SBOM-ORCH-34-001 | TODO | Backfill + watermark logic requires the orchestrator integration from 33-001. |
| SBOM-SERVICE-21-001 | TODO | Link-Not-Merge v1 frozen (2025-11-17); proceed with projection schema + fixtures. |
| SBOM-SERVICE-21-002 | TODO | Depends on 21-001 implementation; schema now frozen. |
| SBOM-SERVICE-21-003 | TODO | Entry point/service node management follows 21-002; proceed with stub fixtures. |
| SBOM-SERVICE-21-004 | TODO | Observability wiring to follow 21-003; unblock with mock feeds. |
| SBOM-SERVICE-23-001 | TODO | Asset metadata extensions queued once 21-004 observability baseline exists. |
| SBOM-SERVICE-23-002 | TODO | Asset update events depend on 23-001 schema. |
| SBOM-VULN-29-001 | TODO | Inventory evidence feed deferred until projection schema + runtime align. |
| SBOM-VULN-29-002 | TODO | Resolver feed requires 29-001 event payloads. |
### 140.C Signals
| Task ID | State | Notes |
| --- | --- | --- |
| SIGNALS-24-001 | DONE (2025-11-09) | Host skeleton, RBAC, sealed-mode readiness, `/signals/facts/{subject}` retrieval, and readiness probes merged; serves as base for downstream ingestion. |
| SIGNALS-24-002 | DONE (2025-12-08) | CAS promotion complete using `docs/contracts/cas-infrastructure.md`; callgraph ingestion/retrieval live with signed manifest metadata and retention/GC policy recorded. |
| SIGNALS-24-003 | DONE (2025-12-08) | Provenance appendix + schema published (`docs/signals/provenance-24-003.md`, `docs/schemas/provenance-feed.schema.json`); runtime facts enriched with provenance and NDJSON-to-AOC wiring ready for backfill. |
| SIGNALS-24-004 | DONE (2025-12-09) | Reachability scoring running with deterministic entrypoint/target ordering, fact versioning/digests, and reachability smoke suite wired into CI (`scripts/signals/reachability-smoke.sh`). |
| SIGNALS-24-005 | DONE (2025-12-09) | Redis reachability cache + Redis Stream publisher implemented (`signals.fact.updated.v1`/DLQ) with deterministic envelopes (event_id, fact_version, fact.digest). CI pipeline signs/uploads evidence with prod key via secrets/vars. |
### 140.D Zastava
| Task ID | State | Notes |
| --- | --- | --- |
| ZASTAVA-ENV-01 | TODO | Observer adoption of Surface.Env helpers paused while Surface.FS cache contract finalizes. |
| ZASTAVA-ENV-02 | TODO | Webhook helper migration follows ENV-01 completion. |
| ZASTAVA-SECRETS-01 | TODO | Surface.Secrets wiring for Observer pending published cache endpoints. |
| ZASTAVA-SECRETS-02 | TODO | Webhook secret retrieval cascades from SECRETS-01 work. |
| ZASTAVA-SURFACE-01 | TODO | Surface.FS client integration blocked on Scanner layer metadata; tests ready once packages mirror offline dependencies. |
| ZASTAVA-SURFACE-02 | TODO | Admission enforcement requires SURFACE-01 so webhook responses can gate on cache freshness. |
## In-flight focus (DOING items)
| Task ID | Remaining work | Target date | Owners |
| --- | --- | --- | --- |
| GRAPH-INDEX-28-007 | Continue execution on scanner surface mock bundle v1; revalidate outputs once real cache drops and manifests are available. | TBD (await cache ETA) | Graph Indexer Guild · Observability Guild |
Signals DOING cleared (24-002/003 DONE). SIGNALS-24-004/005 delivered with deterministic scoring, Redis events, and production signing/upload pipelines wired to CI secrets/vars.
### Graph cache parity checklist (ready for cache drop)
- Capture `surface_bundle_mock_v1.tgz` hash and record node/edge counts, cluster counts, and checksum of emitted fixtures.
- Define tolerant variance thresholds for clustering/centrality determinism (e.g., Louvain modularity delta ≤ 0.001 across runs).
- Prepare rerun script to diff mock vs real cache outputs (IDs, cluster labels, metrics) and emit NDJSON of divergences.
- Track CPU/memory/runtime metrics for mock vs cache replays to spot performance regressions.
- Export minimal fixtures for downstream consumers (Graph UI overlays, Zastava surface) after real-cache validation.
### Signals CAS/provenance close-out checklist
- Confirm CAS checklist is approved (or list blockers) and record timestamps of approval decision.
- Merge signed manifest PRs and publish manifest metadata (path, hash, signer key ID, retention/GC policy).
- Freeze provenance appendix: final field list, scope propagation fixtures, and NDJSON examples committed to repo.
- Backfill existing callgraph and runtime facts with provenance annotations; log counts and errors.
- Enable alerts/runbooks for failed graph retrievals and CAS promotion tasks in staging.
- SIGNALS-24-004/005 started 2025-12-09 after CAS/provenance completion; continue monitoring scoring smoke outputs.
## Wave readiness checklist (2025-11-18)
| Wave | Entry criteria | Prep status | Next checkpoint |
| --- | --- | --- | --- |
| 140.A Graph | Scanner surface analyzer artifacts + SBOM projection schema for clustering inputs. | Executing on scanner surface mock bundle v1; determinism harness drafted; Scanner cache ETA still pending for parity validation. | 2025-11-19 cross-guild follow-up to confirm cache drop timeline. |
| 140.B SbomService | Concelier Link-Not-Merge + Cartographer projection schema, plus AirGap parity review. | Projection doc redlines complete; schema doc ready for Concelier feedback. | 2025-11-14 schema review (Concelier, Cartographer, SBOM). |
| 140.C Signals | CAS promotion approval + runtime provenance contract + AUTH-SIG-26-001 sign-off. | HOST + callgraph retrieval merged; CAS/provenance work tracked in DOING table above. | 2025-11-13 runtime sync to approve CAS rollout + schema freeze. |
| 140.D Zastava | Surface.FS cache availability + Surface.Env helper specs published. | Env/secrets design notes ready; waiting for Scanner cache drop and Surface.FS API stubs. | 2025-11-15 Surface guild office hours to confirm helper adoption plan. |
### Signals DOING activity log (updates through 2025-11-13)
| Date | Update | Owners |
| --- | --- | --- |
| 2025-11-12 | Drafted CAS promotion checklist (bucket policies, signer config, GC guardrails) and circulated to Platform Storage for approval; added alert runbooks for failed graph retrievals. | Signals Guild, Platform Storage Guild |
| 2025-11-11 | Completed NDJSON ingestion soak test (JSON/NDJSON + gzip) and documented provenance enrichment mapping required from Authority scopes; open PR wiring AOC metadata pending review. | Signals Guild, Runtime Guild |
| 2025-11-09 | Runtime facts ingestion endpoint + streaming NDJSON support merged with sealed-mode gating; next tasks are provenance enrichment and scoring linkage. | Signals Guild, Runtime Guild |
## Dependency status watchlist (2025-11-13)
| Dependency | Status | Latest detail | Owner(s) / follow-up |
| --- | --- | --- | --- |
| AUTH-SIG-26-001 (Signals scopes + AOC) | DONE (2025-10-29) | Authority shipped scope + role templates; Signals is validating propagation + provenance enrichment before enabling scoring. | Authority Guild · Runtime Guild · Signals Guild |
| CONCELIER-GRAPH-21-001 (SBOM projection enrichment) | DONE (2025-11-18) | LNM v1 fixtures landed; normalization + graph acceptance tests green. | Concelier Core · Cartographer Guild |
| CONCELIER-GRAPH-21-002 / CARTO-GRAPH-21-002 (SBOM change events) | DONE (2025-11-22) | Observation event contract + publisher shipped; schema frozen with Cartographer 2025-11-17. | Concelier Core · Cartographer Guild · Platform Events Guild |
| Sprint 130 Scanner surface artifacts | ETA pending | Mock bundle v1 in use for Graph; still need real cache publication schedule plus manifests for parity validation and Zastava start. | Scanner Guild · Graph Indexer Guild · Zastava Guilds |
| AirGap parity review (Sprint 120.A) | Not scheduled | SBOM path/timeline endpoints must re-pass AirGap checklist once Concelier schema lands; reviewers on standby. | AirGap Guild · SBOM Service Guild |
## Upcoming checkpoints (updated 2025-11-23)
| Date | Session | Goal | Impacted wave(s) | Prep owner(s) |
| --- | --- | --- | --- | --- |
| 2025-11-13 | Scanner ↔ Graph readiness sync | Lock analyzer artifact ETA + cache publish plan so GRAPH-INDEX-28-007 can start immediately after delivery. | 140.A Graph · 140.D Zastava | Scanner Guild · Graph Indexer Guild |
| 2025-11-13 | Runtime/Signals CAS + provenance review | Approve CAS promotion checklist, freeze provenance schema, and green-light SIGNALS-24-002/003 close-out tasks. | 140.C Signals | Signals Guild · Runtime Guild · Authority Guild · Platform Storage Guild |
| 2025-11-14 | Concelier/Cartographer/SBOM schema review | Ratify Link-Not-Merge projection schema + change event contract; schedule AirGap parity verification. | 140.B SbomService · 140.A Graph · 140.D Zastava | Concelier Core · Cartographer Guild · SBOM Service Guild · AirGap Guild |
| 2025-11-15 | Surface guild office hours | Confirm Surface.Env helper adoption + Surface.FS cache drop timeline for Zastava. | 140.D Zastava | Surface Guild · Zastava Observer/Webhook Guilds |
| 2025-11-23 | AirGap parity review (SBOM paths/versions/events) | Validate LNM fixtures, record hashes, and approve SBOM-SERVICE-21-001 start. | 140.B SbomService | SBOM Service Guild · Cartographer Guild · AirGap Guild |
### Meeting prep checklist
| Session | Pre-reads / artifacts | Open questions to resolve | Owners |
| --- | --- | --- | --- |
| Scanner ↔ Graph (2025-11-13) | Sprint 130 surface artifact roadmap draft, GRAPH-INDEX-28-007 scaffolds, ZASTAVA-SURFACE dependency list. | Exact drop date for analyzer artifacts? Will caches ship phased or all at once? Need mock payloads if delayed? | Scanner Guild · Graph Indexer Guild · Zastava Guilds |
| Runtime/Signals CAS review (2025-11-13) | CAS promotion checklist, signed manifest PR links, provenance schema draft, NDJSON ingestion soak results. | Storage approval on bucket policies/GC? Authority confirmation on scope propagation + AOC metadata? Backfill approach for existing runtime facts? | Signals Guild · Runtime Guild · Authority Guild · Platform Storage Guild |
| Concelier schema review (2025-11-14) | Link-Not-Merge schema redlines, Cartographer webhook contract, AirGap parity checklist, SBOM-SERVICE-21-001 scaffolding plan. | Final field list for relationships/scopes? Event payload metadata requirements? AirGap review schedule & owners? | Concelier Core · Cartographer Guild · SBOM Service Guild · AirGap Guild |
| Surface guild office hours (2025-11-15) | Surface.Env helper adoption notes, sealed-mode test harness outline, Surface.FS API stub timeline. | Can Surface.FS caches publish before Analyzer drop? Any additional sealed-mode requirements? Who owns Surface.Env rollout in Observer/Webhook repos? | Surface Guild · Zastava Observer/Webhook Guilds |
## Target outcomes (through 2025-11-15, refreshed 2025-11-13)
| Deliverable | Target date | Status | Dependencies / notes |
| --- | --- | --- | --- |
| SIGNALS-24-002 CAS promotion + signed manifests | 2025-11-14 | BLOCKED | Waiting on Platform Storage approval; CAS checklist published (`docs/signals/cas-promotion-24-002.md`). |
| SIGNALS-24-003 provenance enrichment + backfill | 2025-11-15 | BLOCKED | Await provenance appendix freeze/approval; checklist published (`docs/signals/provenance-24-003.md`). |
| Scanner analyzer artifact ETA & cache drop plan | 2025-11-13 | TODO | Scanner to publish Sprint 130 surface roadmap; Graph/Zastava blocked until then. |
| Concelier Link-Not-Merge schema ratified | 2025-11-14 | DONE | Agreement signed 2025-11-17; CONCELIER-GRAPH-21-001 and CARTO-GRAPH-21-002 implemented with observation event publisher 2025-11-22. AirGap review next. |
| Surface.Env helper adoption checklist | 2025-11-15 | TODO | Zastava guild preparing sealed-mode test harness; depends on Surface guild office hours outcomes. |
## Decisions needed (before 2025-11-15, refreshed 2025-11-13)
| Decision | Blocking work | Accountable owner(s) | Due date |
| --- | --- | --- | --- |
| Approve CAS bucket policies + signed manifest rollout | Closing SIGNALS-24-002; enabling scoring/cache prep | Platform Storage Guild · Signals Guild | 2025-11-13 |
| Freeze runtime provenance schema + scope propagation fixtures | Completing SIGNALS-24-003 enrichment/backfill | Runtime Guild · Authority Guild | 2025-11-13 |
| Publish Sprint 130 analyzer artifact drop schedule | Starting GRAPH-INDEX-28-007 and ZASTAVA-SURFACE-01/02 | Scanner Guild | 2025-11-13 |
| Ratify Link-Not-Merge schema + change event contract | Kicking off SBOM-SERVICE-21-001/002 and Graph overlays | Concelier Core · Cartographer Guild · SBOM Service Guild | 2025-11-14 |
| Schedule AirGap parity review for SBOM endpoints | Allowing Advisory AI adoption and AirGap sign-off | AirGap Guild · SBOM Service Guild | 2025-11-14 |
| Assign owner for Surface.Env helper rollout (Observer vs Webhook) | Executing ZASTAVA-ENV-01/02 once caches drop | Surface Guild · Zastava Guilds | 2025-11-15 |
## Contingency playbook (reviewed 2025-11-13)
| Risk trigger | Immediate response | Owner | Escalation window |
| --- | --- | --- | --- |
| CAS promotion review slips past 2025-11-13 | Switch SIGNALS-24-002 to “red”, keep staging in shadow bucket, and escalate to Platform Storage leadership for expedited review. | Signals Guild | Escalate by 2025-11-14 stand-up. |
| Runtime provenance schema disputes persist | Freeze ingestion on current schema, log breaking field requests, and schedule joint Runtime/Authority architecture review. | Runtime Guild · Authority Guild | Escalate by 2025-11-14 EOD. |
| Scanner cannot provide analyzer artifact ETA | Raise blocker in Scanner leadership channel, request interim mock manifests, and re-plan Graph/Zastava scope to focus on harness/test prep. | Graph Indexer Guild · Zastava Guilds | Escalate by 2025-11-14 midday. |
| Concelier/Cartographer schema review stalls | Capture outstanding fields/issues, loop in Advisory AI + AirGap leadership, and evaluate temporary schema adapters for SBOM Service. | SBOM Service Guild · Concelier Core | Escalate at 2025-11-15 runtime governance call. |
| Surface.Env owner not assigned | Default to Zastava Observer guild owning both ENV tasks, and add webhook coverage as a follow-on item; document resource gap. | Surface Guild · Zastava Observer Guild | Escalate by 2025-11-16. |
## Action item tracker (status as of 2025-12-09)
| Item | Status | Next step | Owner(s) | Due |
| --- | --- | --- | --- | --- |
| Prod DSSE re-sign (Signals gaps) | ✅ DONE (pipeline ready 2025-12-09) | CI workflows `signals-reachability.yml` / `signals-evidence-locker.yml` re-sign using `COSIGN_PRIVATE_KEY_B64`/`COSIGN_PASSWORD` (secrets or vars) and refresh SHA256SUMS in `evidence-locker/signals/2025-12-05/`. Configure secrets in CI to execute. | Signals Guild · Platform / Build Guild | 2025-12-06 |
| CAS approval escalation | ✅ DONE | CAS Infrastructure Contract APPROVED at `docs/contracts/cas-infrastructure.md` (2025-12-06); SIGNALS-24-002 unblocked. | Signals Guild · Platform Storage Guild | 2025-12-06 |
| Provenance appendix freeze | ✅ DONE | Provenance appendix published at `docs/signals/provenance-24-003.md`; schema at `docs/schemas/provenance-feed.schema.json`. SIGNALS-24-003 unblocked. | Runtime Guild · Authority Guild | 2025-12-07 |
| Upload signals evidence to locker | ✅ DONE (pipeline ready 2025-12-09) | `signals-evidence-locker.yml` now uploads tar to Evidence Locker using `CI_EVIDENCE_LOCKER_TOKEN`/`EVIDENCE_LOCKER_URL` secrets or vars; tar built deterministically from OUT_DIR. Configure locker creds in CI to run. | Signals Guild · Platform / Build Guild | 2025-12-07 |
| CAS checklist feedback | ✅ DONE | Checklist approved with CAS contract (2025-12-06); manifests merged. | Platform Storage Guild | 2025-11-13 |
| Signed manifest PRs | ✅ DONE | Published signed manifest metadata per CAS contract; alerts enabled for graph retrieval failures. | Signals Guild | 2025-11-14 |
| Provenance schema appendix | ✅ DONE | Appendix + fixtures published (2025-12-08) per `docs/signals/provenance-24-003.md` and `docs/schemas/provenance-feed.schema.json`. | Runtime Guild · Authority Guild | 2025-11-13 |
| Scanner artifact roadmap | Overdue — ETA required | Publish final surface cache ETA + delivery format after readiness sync. | Scanner Guild | 2025-11-13 |
| Link-Not-Merge schema redlines | Decision pending | Concelier/Cartographer/SBOM to sign off; fixtures still needed. | Concelier Core · Cartographer Guild · SBOM Service Guild | 2025-11-14 |
| Surface.Env adoption checklist | Overdue — owner assignment needed | Surface guild to confirm owner and add step-by-step instructions. | Surface Guild · Zastava Guilds | 2025-11-15 |
## Standup agenda (2025-11-18)
| Track | Questions / updates to cover | Owner ready to report |
| --- | --- | --- |
| 140.A Graph | Confirm Scanner cache ETA; align parity checklist and revalidation plan once caches land. | Graph Indexer Guild |
| 140.B SbomService | LNM fixtures and schema sign-off status? AirGap review scheduling? | SBOM Service Guild |
| 140.C Signals | CAS approval + signed manifest merge status; provenance appendix publication; backfill start date. | Signals Guild · Runtime Guild · Authority Guild |
| 140.D Zastava | Surface.FS cache drop plan and Surface.Env owner assignment; any sealed-mode gaps. | Zastava Guilds |
| Cross-track | Upcoming decisions/risks from the contingency playbook that need leadership visibility today? | Sprint 140 leads |
# Blockers & coordination
- **Concelier Link-Not-Merge / Cartographer schemas** SBOM-SERVICE-21-001..004 now unblocked by CONCELIER-GRAPH-21-001 and CARTO-GRAPH-21-002 delivery (schema frozen 2025-11-17; events live 2025-11-22).
- **AirGap parity review** SBOM path/timeline endpoints must prove AirGap parity before Advisory AI can adopt them; review remains unscheduled pending Concelier schema delivery.
- **Scanner surface artifacts** GRAPH-INDEX-28-007+ and all ZASTAVA-SURFACE tasks depend on Sprint 130 analyzer outputs and cached layer metadata; need updated ETA from Scanner guild.
- **Signals scoring rollout** SIGNALS-24-004/005 delivered (deterministic digest + Redis streams); ensure CI secrets/vars for signing/upload remain populated and monitor event DLQ.
# Next actions (target: 2025-11-20)
| Owner(s) | Action |
| --- | --- |
| Graph Indexer Guild | Running GRAPH-INDEX-28-007 on mock bundle v1; need Scanner to provide cache ETA/manifests to revalidate and shift to real inputs; parity checklist ready for cache drop. |
| SBOM Service Guild | Secure LNM fixtures and schema sign-off; schedule AirGap review; be ready to scaffold SBOM-SERVICE-21-001 once fixtures land. |
| Signals Guild | Escalate CAS promotion + signed manifest approval; merge once approved; start provenance enrichment/backfill (SIGNALS-24-003). |
| Runtime & Authority Guilds | Publish final provenance appendix + fixtures; confirm scope propagation; unblock SIGNALS-24-003 backfill. |
| Platform Storage Guild | Deliver CAS bucket policy sign-off to unblock SIGNALS-24-002. |
| Scanner Guild | Publish surface cache ETA/hash and manifests; unblock Graph revalidation and Zastava Surface tasks. |
| Zastava Guilds | Assign Surface.Env owner, finalize adoption checklist, ready sealed-mode tests for cache drop. |
# Next actions (target: 2025-12-07)
| Owner(s) | Action |
| --- | --- |
| Signals Guild · Runtime Guild | ✅ Completed 2025-12-09: reachability scoring running with deterministic digests/fact.version; smoke suite enforced via scripts/signals/reachability-smoke.sh. |
| Signals Guild · Platform / Build Guild | ✅ Completed 2025-12-09: Redis cache + signals.fact.updated.v1 stream publisher live with DLQ and deterministic envelopes. |
| Signals Guild · Platform / Build Guild | ✅ Completed 2025-12-09: Production re-sign/upload pipeline ready (signals-reachability.yml, signals-evidence-locker.yml) using CI secrets/vars. |
# Downstream dependency rollup (snapshot: 2025-11-13)
| Track | Dependent sprint(s) | Impact if delayed |
| --- | --- | --- |
| 140.A Graph | `docs/implplan/SPRINT_141_graph.md` (Graph clustering/backfill) and downstream Graph UI overlays | Graph insights, policy overlays, and runtime clustering views cannot progress without GRAPH-INDEX-28-007+ landing. |
| 140.B SbomService | `docs/implplan/SPRINT_142_sbomservice.md`, Advisory AI (Sprint 111), Policy/Vuln Explorer feeds | SBOM projections/events stay unavailable, blocking Advisory AI remedation heuristics, policy joins, and Vuln Explorer candidate generation. |
| 140.C Signals | docs/implplan/SPRINT_143_signals.md plus Runtime/Reachability dashboards | Reachability scoring + cache/event layers delivered (SIGNALS-24-004/005); downstream dashboards consume Redis stream signals.fact.updated.v1 once locker/CI secrets are configured. |
| 140.D Zastava | `docs/implplan/SPRINT_0144_0001_0001_zastava_runtime_signals.md`, Runtime admission enforcement | Surface-integrated drift/admission hooks remain stalled; sealed-mode env helpers cannot ship without Surface.FS metadata. |
# Risk log
| Risk | Impact | Mitigation / owner |
| --- | --- | --- |
| LNM fixtures (staged 2025-11-22) | SBOM-SERVICE-21-001..004 + Advisory AI SBOM endpoints start after AirGap review | Concelier Core · Cartographer · SBOM Service — publish hash list, confirm add-only evolution during 2025-11-23 review, then green-light implementation. |
| Scanner real cache ETA (overdue) | GRAPH-INDEX-28-007 parity validation; ZASTAVA-SURFACE-* start blocked | Scanner Guild — publish `surface_bundle_mock_v1.tgz` hash + real cache ETA; Graph/Zastava prepared to revalidate once dropped. |
| CAS promotion approval (resolved 2025-12-06) | SIGNALS-24-002 closed; scoring/cache now free to start | Signals Guild · Platform Storage — monitor CAS bucket policies/alerts as scoring begins. |
| Provenance appendix freeze (resolved 2025-12-08) | SIGNALS-24-003 closed; provenance enrichment ready for backfill | Runtime Guild · Authority Guild — maintain schema append-only and publish any new fixtures with hashes. |
| Surface.FS cache drop + Surface.Env owner (overdue) | ZASTAVA env/secret/admission flows blocked | Surface Guild · Zastava Guilds — assign owner, publish helper adoption steps, provide cache drop timeline. |
| Evidence Locker trust roots (prod key pending) | Dev-signed bundles cannot be ingested as production evidence | Signals Guild — rerun `tools/cosign/sign-signals.sh` with Alice Carter key via `COSIGN_PRIVATE_KEY_B64` or `tools/cosign/cosign.key`; replace bundles in `evidence-locker/signals/2025-12-05/`. |
# Coordination log
| Date | Notes |
| --- | --- |
| 2025-11-17 | Coordinator decisions: LNM v1 frozen; scanner mock bundle ordered; Surface.FS CI cache approved; SBOM-SERVICE-21-001..004 and GRAPH-INDEX-28-007 switched to TODO. |
| 2025-11-17 | Marked Graph/Zastava waves BLOCKED (missing Sprint 130 analyzer ETA); escalated to Scanner leadership per contingency. |
| 2025-11-13 | Snapshot, wave tracker, meeting prep, and action items refreshed ahead of Nov 13 checkpoints; awaiting outcomes before flipping statuses. |
| 2025-11-11 | Runtime + Signals ran NDJSON ingestion soak test; Authority flagged remaining provenance fields for schema freeze ahead of 2025-11-13 sync. |
| 2025-11-09 | Sprint 140 snapshot refreshed; awaiting Scanner surface artifact ETA, Concelier/CARTO schema delivery, and Signals host merge before any wave can advance to DOING. |
# Sprint 140 - Runtime & Signals

151
docs/implplan/archived/SPRINT_0170_0001_0001_notifications_telemetry.md Normal file
View File

@@ -0,0 +1,151 @@
# Sprint 0170-0001-0001 · Notifications & Telemetry Snapshot
## Topic & Scope
- Coordination snapshot for Notifications (Wave 170.A Notifier) and Telemetry (Wave 170.B); execution lives in `SPRINT_0171_0001_0001_notifier_i.md` and `SPRINT_0174_0001_0001_telemetry.md`.
- Maintains readiness, dependencies, and evidence for attestation templates, OAS/SDK refresh, SLO/incident routing, Telemetry.Core bootstrap, and sealed-mode controls.
- Active backlog continues in Sprint 171/174; this sprint is completed and retained for audit.
- **Working directory:** `docs/implplan` (coordination only).
## Dependencies & Concurrency
- Upstream: Sprint 150.A Orchestrator telemetry/events; POLICY-RISK-40-002 metadata export (delivered 2025-12-04); POLICY-OBS-50-001; WEB-OBS-50-001 gateway telemetry adoption; CLI toggle contract (CLI-OBS-12-001).
- Concurrency: Waves 170.A and 170.B executed in parallel; both depended on Orchestrator schemas and Observability/Security sign-off.
- Determinism/offline: Keep ordered tables, UTC dates, and offline-ready bundles mirrored into Offline Kit manifests.
## Documentation Prerequisites
- docs/README.md
- docs/07_HIGH_LEVEL_ARCHITECTURE.md
- docs/modules/platform/architecture-overview.md
- docs/modules/notifications/architecture.md
- docs/modules/telemetry/architecture.md
- docs/notifications/templates.md
## Delivery Tracker
| # | Track | Status | Key dependency / next step | Owners | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | 170.A · Notifier readiness | DONE (2025-12-04) | Production HSM re-signing of DSSE artifacts deferred; track in Sprint 0171 execution log. | Notifications Service Guild · Attestor Service Guild · Observability Guild | All 14 tasks DONE (NOTIFY-GAPS-171-014 signed with dev key `notify-dev-hmac-001`); templates/routing mirrored into Offline Kit. |
| 2 | 170.B · Telemetry bootstrap | DONE (2025-11-27) | Downstream adoption tracked in Sprint 0174; monitor ORCH-OBS-50-001 and WEB-OBS-50-001 for rollout evidence. | Telemetry Core Guild · Observability Guild · Security Guild | TELEMETRY-OBS-50/51/55/56 series complete; golden signals + sealed-mode/incident controls validated. |
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| 170.A Notifier | Notifications Service Guild · Attestor Service Guild · Observability Guild | Sprint 150.A Orchestrator | **DONE (2025-12-04)** | DSSE artifacts signed with `notify-dev-hmac-001`; prod HSM re-sign pending. |
| 170.B Telemetry | Telemetry Core Guild · Observability Guild · Security Guild | Sprint 150.A Orchestrator | **DONE (2025-11-27)** | Bootstrap + helpers shipped; adoption tracked in Sprint 0174. |
## Wave Detail Snapshots
### Wave 170.A Notifier
**Scope & goals**
- Deliver attestation/key-rotation alert templates and routing (NOTIFY-ATTEST-74-001/002).
- Refresh Notifier OpenAPI/SDK surface (`NOTIFY-OAS-61-001``NOTIFY-OAS-63-001`) for Console/CLI consumers.
- Wire SLO/incident inputs into rules (NOTIFY-OBS-51-001/55-001) and extend risk-profile routing (NOTIFY-RISK-66-001 → 68-001) without regressing quiet-hours/dedup.
- Preserve Offline Kit and documentation parity (NOTIFY-DOC-70-001, NOTIFY-AIRGAP-56-002).
**Entry criteria**
- Orchestrator job attest events flowing to Notify bus with Attestor-approved fixtures.
- Quiet-hours/digest backlog reconciled (`docs/notifications/*.md` clean).
- Observability Guild sign-off on telemetry fields reused by Notifier SLO webhooks.
**Exit criteria**
- NOTIFY-ATTEST/OAS/OBS/RISK tasks DONE with doc updates.
- Templates promoted to Offline Kit manifests; sample payloads stored under `docs/notifications/templates.md`.
- Incident mode notifications exercised in staging with audit logs + DSSE evidence.
**Task clusters (final state)**
| Cluster | Linked tasks | Owners | Final state | Notes |
| --- | --- | --- | --- | --- |
| Attestation / key lifecycle alerts | NOTIFY-ATTEST-74-001/74-002 | Notifications Service Guild · Attestor Service Guild | DONE | Templates + wiring complete (2025-11-16/27); Rekor witness payload contract frozen. |
| API/OAS refresh & SDK parity | NOTIFY-OAS-61-001 → NOTIFY-OAS-63-001 | Notifications Service Guild · API Contracts Guild · SDK Generator Guild | DONE | Contract frozen 2025-11-15; SDK generator aligned with `/notifications/rules` schema. |
| Observability-driven triggers | NOTIFY-OBS-51-001/55-001 | Notifications Service Guild · Observability Guild | DONE | SLO webhook + incident mode templates shipped (2025-11-22). |
| Risk profile routing | NOTIFY-RISK-66-001 → NOTIFY-RISK-68-001 | Notifications Service Guild · Risk Engine Guild · Policy Guild | DONE | Risk-events endpoint + routing seeds shipped (2025-11-24); enriched via POLICY-RISK-40-002 metadata export. |
| Docs & offline parity | NOTIFY-DOC-70-001, NOTIFY-AIRGAP-56-002 | Notifications Service Guild · DevOps Guild | DONE | GA checklists and offline kit parity complete; no further edits needed. |
| Gap remediation | NOTIFY-GAPS-171-014 | Notifications Service Guild | DONE | NR1NR10 artifacts signed with dev key `notify-dev-hmac-001` (2025-12-04); prod HSM re-sign pending. |
**Observability checkpoints**
- Align metric names/labels with `docs/notifications/architecture.md#12-observability-prometheus--otel`.
- Ensure spans/logs include tenant, ruleId, actionId, and `attestation_event_id` for attestation-triggered templates.
- Capture incident notification smoke tests via `ops/devops/telemetry/tenant_isolation_smoke.py`.
### Wave 170.B Telemetry
**Scope & goals**
- Ship `StellaOps.Telemetry.Core` bootstrap + propagation helpers (TELEMETRY-OBS-50-001/50-002).
- Provide golden-signal helpers + scrubbing/PII safety nets (TELEMETRY-OBS-51-001/51-002).
- Implement incident + sealed-mode toggles (TELEMETRY-OBS-55-001/56-001) and document integration contracts for Orchestrator, Policy, Task Runner, Gateway (WEB-OBS-50-001).
**Entry criteria**
- Orchestrator + Policy hosts expose telemetry bootstrap extension points (ORCH-OBS-50-001 / POLICY-OBS-50-001).
- Observability Guild reviewed storage footprint impacts (docs/modules/telemetry/architecture.md §2).
- Security Guild approval on redaction defaults + tenant override audit logging.
**Exit criteria**
- Core library published to `/local-nugets` and referenced by Orchestrator & Policy integration branches.
- Context propagation middleware validated through HTTP/gRPC/job smoke tests with deterministic trace IDs.
- Incident/sealed-mode toggles wired into CLI + Notify hooks with runbooks updated.
**Task clusters (final state)**
| Cluster | Linked tasks | Owners | Final state | Notes |
| --- | --- | --- | --- | --- |
| Bootstrap & propagation | TELEMETRY-OBS-50-001/50-002 | Telemetry Core Guild | DONE | Core bootstrap (50-001) 2025-11-19; propagation middleware (50-002) 2025-11-27. |
| Metrics helpers + scrubbing | TELEMETRY-OBS-51-001/51-002 | Telemetry Core Guild · Observability Guild · Security Guild | DONE | Golden signals with cardinality guards + scrubbing filters (2025-11-27). |
| Incident & sealed-mode controls | TELEMETRY-OBS-55-001/56-001 | Telemetry Core Guild · Observability Guild | DONE | Incident mode toggle + sealed-mode helpers validated 2025-11-27; CLI toggle contract tracked via CLI-OBS-12-001. |
**Tooling & validation**
- Smoke: `ops/devops/telemetry/smoke_otel_collector.py` + `tenant_isolation_smoke.py` per profile (default/forensic/airgap).
- Offline bundle packaging: `ops/devops/telemetry/package_offline_bundle.py` (collectors, dashboards, manifests).
- Incident simulation: `ops/devops/telemetry/generate_dev_tls.sh` for local collector certs during sealed-mode testing.
## Interlocks (External Dependencies)
| Dependency | Source sprint / doc | Current state | Impact on waves |
| --- | --- | --- | --- |
| Sprint 150.A Orchestrator (wave table) | `SPRINT_150_scheduling_automation.md` | TODO | Blocks visibility of job events for Notify templates and Telemetry samples until orchestration telemetry lands. |
| ORCH-OBS-50-001 `orchestrator instrumentation` | Sprint 150 backlog | TODO | Needed for Telemetry.Core sample + Notify SLO hooks; monitor for slip. |
| POLICY-OBS-50-001 `policy instrumentation` | Sprint 150 backlog | TODO | Required before Telemetry helpers can be adopted by Policy + risk routing. |
| WEB-OBS-50-001 `gateway telemetry core adoption` | Sprint 214/215 backlogs | TODO | Ensures web/gateway emits trace IDs that Notify incident payload references. |
| POLICY-RISK-40-002 `risk profile metadata export` | Sprint 215+ (Policy) | DONE (2025-12-04) | Provides metadata enrichment for NOTIFY-RISK routes; unblocked. |
## Upcoming Checkpoints (historical)
| Target date | Milestone | Owners | Dependency notes |
| --- | --- | --- | --- |
| 2025-11-13 | Finalize attestation payload schema + template variables | Notifications Service Guild · Attestor Service Guild | Unblocked NOTIFY-ATTEST-74-001/002 + Telemetry incident span labels. |
| 2025-11-15 | Publish draft Notifier OAS + SDK snippets | Notifications Service Guild · API Contracts Guild | Required for CLI/UI adoption; prereq for NOTIFY-OAS-61/62 series. |
| 2025-11-18 | Land Telemetry.Core bootstrap sample in Orchestrator | Telemetry Core Guild · Orchestrator Guild | Demonstrated TELEMETRY-OBS-50-001 viability; prerequisite for Policy adoption + Notify SLO hooks. |
| 2025-11-20 | Incident/quiet-hour end-to-end rehearsal | Notifications Service Guild · Telemetry Core Guild · Observability Guild | Validated TELEMETRY-OBS-55-001 + NOTIFY-OBS-55-001 + CLI toggle contract. |
| 2025-11-22 | Offline kit bundle refresh (notifications + telemetry assets) | DevOps Guild · Notifications Service Guild · Telemetry Core Guild | Ensured offline-kit manifests reference new templates/configs. |
## Action Tracker
| # | Action | Owner | Next signal/date | Notes |
| --- | --- | --- | --- | --- |
| 1 | Re-sign DSSE artifacts with production HSM key | Notifications Service Guild · Security Guild | Track in Sprint 0171 execution log; target date TBD | Dev signing key `notify-dev-hmac-001` used for initial signatures. |
| 2 | Resolve missing legacy dependency `StellaOps.Notify.Storage.Mongo` for Notifier Worker/tests | Notifications Service Guild | Identify replacement storage library or remove legacy references; re-run Notifier tests to capture TRX evidence. | Blocks `dotnet test` in Sprint 0171 (2025-12-05 attempt failed). |
| 3 | Restore Moq package for Telemetry Core tests | Telemetry Core Guild | DONE 2025-12-06 | Moq restored from curated feed; Telemetry Core tests now green. |
| 4 | Record telemetry test evidence | Telemetry Core Guild | DONE 2025-12-06 | Evidence attached: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core.Tests/TestResults/TestResults/telemetry-tests.trx`. |
## Decisions & Risks
| Decision / Risk | Status | Mitigation / Notes |
| --- | --- | --- |
| Telemetry data drift in sealed mode | Ongoing | Enforce `IEgressPolicy` checks (TELEMETRY-OBS-56-001); schedule smoke runs after each config change. |
| Template/API divergence across Notifier SDKs | Ongoing | Freeze OAS/SDK in Sprint 0171; require API Contracts review before merging; keep `/notifications/rules` as source of truth. |
| Observability storage overhead | Ongoing | Coordinate retention with Ops per docs/modules/telemetry/architecture.md §2 when SLO webhooks and incident toggles increase cardinality. |
| Cross-sprint dependency churn (ORCH-OBS-50-001, POLICY-OBS-50-001, WEB-OBS-50-001) | Ongoing | Weekly check; re-baseline Telemetry/Notifier triggers if upstream slips. |
| Risk routing metadata availability | Resolved 2025-12-04 | POLICY-RISK-40-002 delivered (`GET /api/risk/profiles/{id}/metadata`), enabling NOTIFY-RISK enrichment. |
| DSSE signing posture | Partially resolved | Dev key `notify-dev-hmac-001` used; production HSM re-sign pending (Action #1). |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-12 10:15 | Wave rows flipped to DOING; recorded scope/entry/exit criteria for Notifier and Telemetry waves. | Observability Guild · Notifications Service Guild |
| 2025-11-12 14:40 | Added task mirror + dependency tracker + milestone table to align with Sprint171/174 execution plans. | Observability Guild |
| 2025-11-12 18:05 | Marked NOTIFY-ATTEST-74-001, NOTIFY-OAS-61-001, and TELEMETRY-OBS-50-001 as DOING; noted gated follow-ups. | Notifications Service Guild · Telemetry Core Guild |
| 2025-11-12 19:20 | Documented attestation template suite in `docs/notifications/templates.md` to unblock NOTIFY-ATTEST-74-001 and updated sprint mirrors. | Notifications Service Guild |
| 2025-11-12 19:32 | Synced notifications architecture doc to reference the attestation template suite for downstream visibility. | Notifications Service Guild |
| 2025-11-12 19:45 | Updated notifications overview + rules docs with `tmpl-attest-*` requirements for rule authors/operators. | Notifications Service Guild |
| 2025-11-12 20:05 | Published baseline Offline Kit templates under `offline/notifier/templates/attestation/` for Slack/Email/Webhook. | Notifications Service Guild |
| 2025-11-19 | Re-baselined tracks: set 170.A and 170.B to BLOCKED pending CI restore (Notifier SLO tests) and propagation/toggle contracts; TELEMETRY-OBS-50-001 marked DONE in Sprint 0174. | Implementer |
| 2025-11-19 | Normalized sprint to standard template and renamed from `SPRINT_170_notifications_telemetry.md` to `SPRINT_0170_0001_0001_notifications_telemetry.md`; content preserved; legacy stub added. | Implementer |
| 2025-11-22 | Marked 170.A DONE after NOTIFY-OBS-51-001 tests passed and incident-mode templates/rules landed (NOTIFY-OBS-55-001). | Implementer |
| 2025-12-04 | Status refresh: Wave 170.B marked DONE (all 6 tasks complete); Wave 170.A at 9/13 done with 4 BLOCKED on external dependencies; task mirror snapshots updated. | Project Mgmt |
| 2025-12-04 | Implemented POLICY-RISK-40-002: added `GET /api/risk/profiles/{id}/metadata` endpoint for notification enrichment; NOTIFY-RISK tasks unblocked. | Implementer |
| 2025-12-04 | Sprint 170 complete: Wave 170.A marked DONE (12/13 tasks); Wave 170.B already DONE; NOTIFY-GAPS-171-014 remained BLOCKED on signing keys. | Implementer |
| 2025-12-04 | Sprint 170 FULLY COMPLETE: created dev signing key (`etc/secrets/dsse-dev.signing.json`) and signing utility (`scripts/notifications/sign-dsse.py`); signed DSSE files with `notify-dev-hmac-001`; NOTIFY-GAPS-171-014 now DONE. | Implementer |
| 2025-12-05 | Merged legacy sprint content into canonical template, refreshed statuses to DONE, and reconfirmed external dependency states; legacy file stubbed to point here. | Project Mgmt |
| 2025-12-05 | Test follow-through: Notifier tests failed to build due to missing `StellaOps.Notify.Storage.Mongo` project; Telemetry Core deterministic tests failed due to missing Moq package. Actions added to tracker (#2, #3); statuses remain DONE pending evidence. | Implementer |
| 2025-12-06 | Telemetry Core tests verified GREEN; Moq restored from curated feed; evidence path recorded. Action tracker #3/#4 closed. | Telemetry Core Guild |

89
docs/implplan/archived/SPRINT_0211_0001_0003_ui_iii.md Normal file
View File

@@ -0,0 +1,89 @@
# Sprint 0211_0001_0003 - Experience & SDKs + UI III
## Topic & Scope
- Phase III UI uplift focusing on Policy Studio RBAC updates and reachability-first experiences across Vulnerability Explorer, Why drawer, SBOM Graph, and the new Reachability Center.
- Surface reachability evidence (columns, badges, call paths, timelines, halos) and align Console policy workspace with scopes `policy:author/review/approve/operate/audit/simulate`.
- Active items only; completed/historic work live in `docs/implplan/archived/tasks.md` (updated 2025-11-08).
- **Working directory:** `src/Web/StellaOps.Web`.
- Continues UI stream after `SPRINT_0210_0001_0002_ui_ii.md` (UI II).
## Dependencies & Concurrency
- Upstream: `SPRINT_0210_0001_0002_ui_ii.md` for Policy Studio explain view (UI-POLICY-23-006) and shared components.
- Signals/Reachability contracts for SIG-26 chain (call paths, timelines, coverage, overlay states) provided by Signals & Graph guilds.
- Concurrency: SIG-26 tasks are sequential (001 -> 002 -> 003 -> 004); policy RBAC task can proceed in parallel once scopes are finalized.
- Upstream backend ready: WEB-SIG-26-001..003 completed in `SPRINT_0216_0001_0001_web_v` (2025-12-11), so reachability proxy endpoints and policy joins exist for UI consumption once fixtures land.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/ui/architecture.md`
- `docs/modules/ui/README.md`
- `docs/modules/ui/implementation_plan.md`
- `docs/modules/policy/architecture.md`
- `docs/modules/graph/architecture.md`
- `docs/modules/signals/architecture.md`
- `docs/15_UI_GUIDE.md`
- `docs/18_CODING_STANDARDS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | UI-POLICY-27-001 | DONE | RBAC guards + nav gating aligned to `policy:*` contract; tests green. | UI Guild; Product Ops (src/Web/StellaOps.Web) | Update Console policy workspace RBAC guards, scope requests, and user messaging to reflect the new Policy Studio roles/scopes (`policy:author/review/approve/operate/audit/simulate`), including Cypress auth stubs and help text. |
| 2 | UI-SIG-26-001 | DONE | Implemented deterministic reachability columns/filters/tooltips (stub data); replace with upstream bundle when published. | UI Guild; Signals Guild (src/Web/StellaOps.Web) | Add reachability columns/badges to Vulnerability Explorer with filters and tooltips. |
| 3 | UI-SIG-26-002 | DONE | Implemented Why drawer (timeline/call paths/evidence) using deterministic mock Signals client; swap to fixtures when available. | UI Guild (src/Web/StellaOps.Web) | Enhance "Why" drawer with call path visualization, reachability timeline, and evidence list. |
| 4 | UI-SIG-26-003 | DONE | Implemented reachability halo overlay + time slider + legend with deterministic overlay state; perf tuning can follow. | UI Guild (src/Web/StellaOps.Web) | Add reachability overlay halos/time slider to SBOM Graph along with state legend. |
| 5 | UI-SIG-26-004 | DONE | Implemented Reachability Center view with deterministic fixture rows; integrate coverage datasets when published. | UI Guild (src/Web/StellaOps.Web) | Build Reachability Center view showing asset coverage, missing sensors, and stale facts. |
## Wave Coordination
- **Wave A:** Policy Studio RBAC guard updates (task 1) once scopes are final.
- **Wave B:** Sequential reachability surfaces (tasks 2-5) building on the SIG-26 evidence chain.
## Wave Detail Snapshots
- Wave A output: updated RBAC guardrails, scope requests, and UX copy aligned to `policy:*` scopes with Cypress auth fixtures.
- Wave B output: reachability columns/badges, Why drawer call paths and timeline, SBOM Graph halos/time slider with legend, and Reachability Center with coverage/sensor freshness views.
## Interlocks
- Policy Engine to confirm/freeze final `policy:*` scope list to avoid drift from shipped UI guards and auth fixtures.
- Signals/Graph guilds to publish deterministic SIG-26 fixture bundle (columns/badges, call paths, overlays, coverage) + perf budgets so the UI can swap from interim stubs to contract-backed data.
- Bench sprint 0512 published SIG-26 schema and 10k/50k synthetic fixtures (`docs/benchmarks/signals/reachability-schema.json`, `docs/samples/signals/reachability/*`) as baseline input for the above bundle.
- Performance budgets for SBOM Graph overlays and Reachability Center dashboards to keep UI responsive offline.
## Upcoming Checkpoints
- None scheduled; set dates once reachability fixtures and policy scope contracts are confirmed.
## Action Tracker
| # | Action | Owner | Due | Status |
| --- | --- | --- | --- | --- |
| 1 | Confirm final Policy Studio scopes and RBAC copy with Policy Engine owners. | UI Guild + Policy Guild | 2025-12-03 | TODO |
| 2 | Deliver reachability evidence fixture (columns, call paths, overlays) for SIG-26 chain; bench schema + 10k/50k callgraph/runtime fixtures published, overlay/coverage slices still pending. | Signals Guild | 2025-12-04 | DOING |
| 3 | Define SBOM Graph overlay performance budget (FPS target, node count, halo rendering limits). | UI Guild | 2025-12-05 | TODO |
| 4 | Align UI III work to `src/Web/StellaOps.Web` (canonical Angular workspace); ensure reachability fixtures available. | DevEx + UI Guild | 2025-12-06 | DONE (2025-12-06) |
| 5 | Publish generated `graph:*` scope exports package (SDK 0208) and drop link/hash for UI consumption. | SDK Generator Guild | 2025-12-08 | TODO |
| 6 | Provide deterministic SIG-26 fixture bundle (columns/badges JSON, call-path/timeline NDJSON, overlay halos, coverage/missing-sensor datasets) with perf budget notes. | Signals Guild + Graph Platform Guild | 2025-12-09 | DOING |
## Decisions & Risks
| Risk | Impact | Mitigation | Owner / Signal |
| --- | --- | --- | --- |
| Policy scope strings change late | Rework of RBAC guards, auth stubs, and messaging (task 1) | Freeze scope list before Cypress fixtures; keep feature flag until policy contract stable. | UI Guild + Policy Guild |
| Reachability evidence incomplete or non-deterministic | UI stubs may diverge from final SIG-26 contract and perf budgets | Keep deterministic stub data + unit/e2e coverage; swap to official fixture bundle once published and add contract/perf checks. | Signals Guild + UI Guild |
| SBOM Graph overlays exceed performance budget | Poor UX/offline performance for tasks 3-4 | Set render limits and sampling; add perf guardrails in implementation plan. | UI Guild |
| Reachability fixtures availability | Without the bundle, UI stays on interim deterministic stubs | Track fixture bundle + perf budgets as follow-up input; wire into UI and add contract tests when published. | Signals Guild + UI Guild |
### Follow-up Plan (ordered)
1) Replace stub `graph:*` scope exports once SDK sprint 0208 publishes the generated package.
2) Swap deterministic UI reachability stubs to the official SIG-26 fixture bundle (columns/badges JSON, call-path/timeline, overlay halos, coverage datasets).
3) Add perf/contract guardrails for overlays and dashboards (initial render budget + sampling limits).
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-11-30 | Normalised sprint to standard template and renamed file from `SPRINT_211_ui_iii.md` to `SPRINT_0211_0001_0003_ui_iii.md`; no task status changes. | Planning |
| 2025-12-06 | Corrected working directory to `src/Web/StellaOps.Web`; unblocked Delivery Tracker items accordingly. Reachability fixtures still required. | Implementer |
| 2025-12-06 | Added Policy Studio scope help text to Console Profile and introduced policy auth fixtures + seeding helper (`src/Web/StellaOps.Web/src/app/testing/auth-*.ts`) with APP_INITIALIZER hook (`window.__stellaopsTestSession`) for Cypress/e2e stubbing. | Implementer |
| 2025-12-06 | Tightened approvals guard (requires `policy:read` + review/approve) and updated workspace scope hints; attempted Playwright `tests/e2e/auth.spec.ts` with seeded session but webServer (ng serve) timed out starting locally; rerun in CI or with longer warmup. | Implementer |
| 2025-12-06 | Marked UI-SIG-26-001..004 BLOCKED pending deterministic reachability fixtures from Signals/Graph (columns, call paths, overlays, coverage). No UI changes applied until fixtures and perf budgets land. | Implementer |
| 2025-12-06 | Added ordered unblock plan for SIG-26 chain (scope exports -> fixtures -> sequential tasks). | Project Mgmt |
| 2025-12-12 | Synced SIG-26 upstream outputs: WEB-SIG-26-001..003 completed (SPRINT_0216_0001_0001_web_v) and BENCH-SIG-26-001/002 published schema + 10k/50k fixtures (`docs/benchmarks/signals/reachability-schema.json`, `docs/samples/signals/reachability/*`). Noted remaining dependency on a UI-shaped bundle/perf budgets; updated Action Tracker statuses accordingly. | Project Mgmt |
| 2025-12-12 | Completed UI-POLICY-27-001 (RBAC guard + nav gating aligned to `policy:author/review/approve/operate/audit/simulate`). Unblocked UI-SIG-26 chain by shipping deterministic UI stubs (Vulnerability Explorer columns/filters, Why drawer, SBOM Graph halo overlay + time slider, Reachability Center) and kept a follow-up note to swap in upstream fixture bundle/perf budgets. `ng test` and `playwright test` green locally. | Implementer |

120
docs/implplan/archived/SPRINT_0216_0001_0001_web_v.md Normal file
View File

@@ -0,0 +1,120 @@
# Sprint 0216-0001-0001 · Web V (Experience & SDKs 180.F)
## Topic & Scope
- Phase V gateway uplift: risk routing, signals reachability overlays, tenant scoping/ABAC, VEX consensus streaming, and vuln proxy/export telemetry.
- Active items only; completed/historic work moved to `docs/implplan/archived/tasks.md` (last updated 2025-11-08).
- Evidence: routed APIs with RBAC/ABAC, signed URL handling, reachability filters, notifier/ledger hooks, and gateway telemetry.
- **Working directory:** `src/Web/StellaOps.Web`.
## Dependencies & Concurrency
- Upstream: Sprint 180.F · Web IV must land shared gateway components before Web V endpoints ship.
- Respect chains: RISK (66-001 → 66-002 → 67-001 → 68-001), SIG (26-001 → 26-002 → 26-003), TENANT (47-001 → 48-001 → 49-001), VULN (29-001 → 29-002 → 29-003 → 29-004). Avoid parallel merges that violate these orders.
- Interlocks: Policy Engine contracts for ABAC overlay and reachability scoring; Notifications bus schema for severity transition events; Findings Ledger idempotency/correlation headers for vuln workflow forwarding.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/ui/architecture.md`
- `src/Web/StellaOps.Web/AGENTS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | WEB-RISK-66-001 | DONE (2025-12-11) | Completed | BE-Base Platform Guild; Policy Guild (`src/Web/StellaOps.Web`) | Expose risk profile/results endpoints through gateway with tenant scoping, pagination, and rate limiting. |
| 2 | WEB-RISK-66-002 | DONE (2025-12-11) | Completed | BE-Base Platform Guild; Risk Engine Guild (`src/Web/StellaOps.Web`) | Add signed URL handling for explanation blobs and enforce scope checks. |
| 3 | WEB-RISK-67-001 | DONE (2025-12-11) | Completed | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Provide aggregated risk stats (`/risk/status`) for Console dashboards (counts per severity, last computation). |
| 4 | WEB-RISK-68-001 | DONE (2025-12-11) | Completed | BE-Base Platform Guild; Notifications Guild (`src/Web/StellaOps.Web`) | Emit events on severity transitions via gateway to notifier bus with trace metadata. |
| 5 | WEB-SIG-26-001 | DONE (2025-12-11) | Completed | BE-Base Platform Guild; Signals Guild (`src/Web/StellaOps.Web`) | Surface `/signals/callgraphs`, `/signals/facts` read/write endpoints with pagination, ETags, and RBAC. |
| 6 | WEB-SIG-26-002 | DONE (2025-12-11) | Completed | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Extend `/policy/effective` and `/vuln/explorer` responses to include reachability scores/states and allow filtering. |
| 7 | WEB-SIG-26-003 | DONE (2025-12-11) | Completed | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Add reachability override parameters to `/policy/simulate` and related APIs for what-if analysis. |
| 8 | WEB-TEN-47-001 | DONE (2025-12-11) | Completed | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Implement JWT verification, tenant activation from headers, scope matching, and decision audit emission for all API endpoints. |
| 9 | WEB-TEN-48-001 | DONE (2025-12-11) | Completed | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Set DB session `stella.tenant_id`, enforce tenant/project checks on persistence, prefix object storage paths, and stamp audit metadata. |
| 10 | WEB-TEN-49-001 | DONE (2025-12-11) | Completed | BE-Base Platform Guild; Policy Guild (`src/Web/StellaOps.Web`) | Integrate optional ABAC overlay with Policy Engine, expose `/audit/decisions` API, and support service token minting endpoints. |
| 11 | WEB-VEX-30-007 | DONE (2025-12-11) | Completed | BE-Base Platform Guild; VEX Lens Guild (`src/Web/StellaOps.Web`) | Route `/vex/consensus` APIs with tenant RBAC/ABAC, caching, and streaming; surface telemetry and trace IDs without gateway-side overlay logic. |
| 12 | WEB-VULN-29-001 | DONE (2025-12-11) | Completed | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Expose `/vuln/*` endpoints via gateway with tenant scoping, RBAC/ABAC enforcement, anti-forgery headers, and request logging. |
| 13 | WEB-VULN-29-002 | DONE (2025-12-11) | Completed | BE-Base Platform Guild; Findings Ledger Guild (`src/Web/StellaOps.Web`) | Forward workflow actions to Findings Ledger with idempotency headers and correlation IDs; handle retries/backoff. |
| 14 | WEB-VULN-29-003 | DONE (2025-12-11) | Completed | BE-Base Platform Guild (`src/Web/StellaOps.Web`) | Provide simulation and export orchestration routes with SSE/progress headers, signed download links, and request budgeting. |
| 15 | WEB-VULN-29-004 | DONE (2025-12-11) | Completed | BE-Base Platform Guild; Observability Guild (`src/Web/StellaOps.Web`) | Emit gateway metrics/logs (latency, error rates, export duration), propagate query hashes for analytics dashboards. |
| 16 | WEB-TEN-47-CONTRACT | DONE (2025-12-01) | Contract published in `docs/api/gateway/tenant-auth.md` v1.0 | BE-Base Platform Guild (`docs/api/gateway/tenant-auth.md`) | Publish gateway routing + tenant header/ABAC contract (headers, scopes, samples, audit notes). |
| 17 | WEB-VULN-29-LEDGER-DOC | DONE (2025-12-01) | Contract published in `docs/api/gateway/findings-ledger-proxy.md` v1.0 | Findings Ledger Guild; BE-Base Platform Guild (`docs/api/gateway/findings-ledger-proxy.md`) | Capture idempotency + correlation header contract for Findings Ledger proxy and retries/backoff defaults. |
| 18 | WEB-RISK-68-NOTIFY-DOC | DONE (2025-12-01) | Schema published in `docs/api/gateway/notifications-severity.md` v1.0 | Notifications Guild; BE-Base Platform Guild (`docs/api/gateway/notifications-severity.md`) | Document severity transition event schema (fields, trace metadata) for notifier bus integration. |
## Wave Coordination
- Single wave (Web V gateway + tenant hardening). Keep task order per dependency chains above; no parallel merges that alter schema/telemetry without shared reviews.
## Wave Detail Snapshots
- Not required (single wave). Progress captured in Delivery Tracker and Execution Log.
## Interlocks
- Policy Engine: ABAC overlay contract and reachability scoring must be stable before WEB-TEN-49-001 and WEB-SIG-26-002 proceed.
- Notifications: event schema for severity transitions required ahead of WEB-RISK-68-001.
- Findings Ledger: idempotency/correlation header contract required before WEB-VULN-29-002.
## Upcoming Checkpoints
- 2025-12-02 (UTC) · JWT/tenant header + ABAC overlay contract review (BE-Base Platform Guild · Policy Guild).
- 2025-12-04 (UTC) · Findings Ledger idempotency/correlation header alignment (BE-Base Platform Guild · Findings Ledger Guild).
- 2025-12-06 (UTC) · Notifications event schema review for severity transitions (BE-Base Platform Guild · Notifications Guild).
## Action Tracker
| # | Action | Owner | Due (UTC) | Status |
| --- | --- | --- | --- | --- |
| 1 | Provide stable npm install path (mirror or node_modules tarball) to clear `npm ci` hangs for risk/signals gateway tests. | Platform Ops | 2025-12-07 | TODO |
| 2 | Publish Signals API contract + fixtures (callgraphs/facts, reachability scoring) for WEB-SIG-26-001..003. | Signals Guild | 2025-12-08 | TODO |
| 3 | If any ABAC header mapping delta beyond v1.0 exists, publish update note + sample request. | BE-Base Platform Guild | 2025-12-08 | TODO |
| 4 | Publish VEX consensus stream contract (RBAC/ABAC, caching, SSE payload) and sample to `docs/api/vex/consensus.md`. | VEX Lens Guild | 2025-12-09 | TODO |
| 5 | Provide Findings Ledger idempotency header wiring example for gateway vuln workflow (forwarding). | Findings Ledger Guild | 2025-12-09 | TODO |
## Decisions & Risks
| Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- |
| Tenant header/ABAC contract slips | Blocks WEB-TEN-47-001/48-001/49-001 and delays RBAC enforcement across routes | Contract published 2025-12-01 in `docs/api/gateway/tenant-auth.md`; enforce via Gateway:Auth flags | BE-Base Platform Guild | Mitigated |
| Findings Ledger idempotency headers unclear | WEB-VULN-29-002/003 cannot forward workflow actions safely | Contract published 2025-12-01 in `docs/api/gateway/findings-ledger-proxy.md`; use TTL 24h + ETag/If-Match | Findings Ledger Guild | Mitigated |
| Notifications event schema not finalized | WEB-RISK-68-001 cannot emit severity transition events with trace metadata | Event schema v1.0 published 2025-12-01 in `docs/api/gateway/notifications-severity.md`; rate limit + DLQ included | Notifications Guild | Mitigated |
| Workspace storage exhaustion prevents command execution | Blocks code inspection and implementation for WEB-RISK-66-001 and subsequent tasks | Free space action completed; monitor disk and rerun gateway scaffolding | Platform Ops | Monitoring |
### Unblock Plan (ordered)
1) Stabilize npm install/test path (registry mirror or node_modules tarball) to clear `npm ci` hangs blocking WEB-RISK-66-001 chain.
2) Provide Signals API contract + fixtures and reachability scoring overlay to unblock WEB-SIG-26-001..003 and align with Policy Engine.
3) Confirm tenant/ABAC overlay header mapping in gateway (if changes beyond v1.0) and publish delta; then start WEB-TEN-47-001..
4) Publish VEX consensus stream contract (RBAC/ABAC, caching, SSE shape) to unblock WEB-VEX-30-007.
5) Wire Findings Ledger idempotency headers into gateway reference client and share sample to unlock WEB-VULN-29-001..004; needs tenant model from step 3.
6) After 15, rerun risk/vuln client specs with provided env; update sprint statuses.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-11 | **Tenant chain complete:** Completed WEB-TEN-47-001..49-001. Implemented: TenantActivationService (JWT verification, scope matching, decision audit), TenantHttpInterceptor (tenant headers), TenantPersistenceService (DB session tenant_id, storage paths, audit metadata), AbacService (ABAC overlay with Policy Engine, caching), and AbacOverlayClient (audit decisions API, service token minting). | BE-Base Platform Guild |
| 2025-12-02 | WEB-RISK-66-001: risk HTTP client/store now handle 429 rate-limit responses with retry-after hints and RateLimitError wiring; unit specs added (execution deferred—npm test not yet run). | BE-Base Platform Guild |
| 2025-12-02 | WEB-RISK-66-001: added Playwright/Chromium auto-detection (ms-playwright cache + playwright-core browsers) to test runner; attempted npm ci to run specs but installs hung/spinner in this workspace, so tests remain not executed. | BE-Base Platform Guild |
| 2025-12-03 | WEB-RISK-66-001: Retried `npm ci` with timeout/registry overrides (`timeout 120 npm ci --registry=https://registry.npmjs.org --fetch-retries=2 --fetch-timeout=10000 --no-audit --no-fund --progress=false`); hung after several minutes and was aborted. Node deps still not installed; tests remain pending. | BE-Base Platform Guild |
| 2025-12-02 | Risk/Vuln clients now share trace ID generator util; vulnerability client emits trace headers across list/detail/stats; spec asserts header. | BE-Base Platform Guild |
| 2025-12-02 | Test run skipped: `npm test` script unavailable in current environment; unit specs added but not executed. | BE-Base Platform Guild |
| 2025-12-02 | Added empty/loading states to risk table for better UX while gateway data loads. | BE-Base Platform Guild |
| 2025-12-02 | Risk client now prefers `crypto.randomUUID()` for trace IDs with ULID fallback; keeps correlation without external deps. | BE-Base Platform Guild |
| 2025-12-02 | Added unit specs for vulnerability HTTP client headers and vulnerability detail component rendering; tests not executed locally. | BE-Base Platform Guild |
| 2025-12-02 | Updated WEB-RISK-66-001 summary to cover risk/vuln HTTP+mock switch, filters, dashboard, and detail routes; pending gateway endpoints + test harness. | BE-Base Platform Guild |
| 2025-12-02 | Added gateway-backed VulnerabilityHttpClient with tenant/project headers; provider now switches between mock and HTTP based on quickstart mode. Removed local mock providers from vuln explorer/detail. | BE-Base Platform Guild |
| 2025-12-02 | Added `/vulnerabilities/:vulnId` guarded route with detail view fed by vulnerability client (mock in quickstart). Risk table links now resolve without 404. | BE-Base Platform Guild |
| 2025-12-02 | Added router link from risk table to vulnerability details (`/vulnerabilities/:id`) to align with WEB-VULN chain. | BE-Base Platform Guild |
| 2025-12-02 | Risk HTTP client now emits trace IDs (`X-Stella-Trace-Id`) when none provided to aid correlation; lightweight ULID-style generator added. | BE-Base Platform Guild |
| 2025-12-02 | Added Story-style doc stub for risk dashboard (`risk-dashboard.component.stories.md`) and barrel export for risk feature. | BE-Base Platform Guild |
| 2025-12-02 | Added severity/search filters and refresh action to `/risk` dashboard; still backed by MockRiskApi in quickstart and RiskHttpClient in production. | BE-Base Platform Guild |
| 2025-12-02 | Added auth guard on /risk route (require session; redirects to /welcome) to enforce tenant-scoped access while gateway endpoints are wired. | BE-Base Platform Guild |
| 2025-12-02 | RISK_API now switches to MockRiskApi when quickstart mode is enabled; RiskHttpClient remains default for production. | BE-Base Platform Guild |
| 2025-12-02 | Added risk dashboard route (`/risk`) with signal-based store + UI table/cards; mock stats displayed until gateway endpoints available. Component spec added; npm test unavailable in repo. | BE-Base Platform Guild |
| 2025-12-01 | Added risk store (signals) using RISK_API for list + stats with error handling and clear; unit spec added. Await gateway endpoint + npm test harness to execute. | BE-Base Platform Guild |
| 2025-12-01 | Risk gateway wiring added: HTTP client + DI base URL to Authority gateway, risk models, and unit test scaffold; npm test not run (no test script). Await gateway endpoint to replace mocks. | BE-Base Platform Guild |
| 2025-12-01 | Started WEB-RISK-66-001: added risk gateway client/models with tenant-scoped filtering, deterministic ordering, and unit tests (`risk.client.ts`, `risk.client.spec.ts`); local mocks used until gateway endpoints are wired. | BE-Base Platform Guild |
| 2025-12-01 | Cleared workspace disk issue (55GB free reported); WEB-RISK-66-001 unblocked and returned to TODO. | Platform Ops |
| 2025-12-01 | Published Web V gateway contract docs v1.0: tenant auth/ABAC (`docs/api/gateway/tenant-auth.md`), Findings Ledger proxy (`docs/api/gateway/findings-ledger-proxy.md`), and notifier severity events (`docs/api/gateway/notifications-severity.md`); marked WEB-TEN-47-CONTRACT, WEB-VULN-29-LEDGER-DOC, and WEB-RISK-68-NOTIFY-DOC DONE. | BE-Base Platform Guild |
| 2025-12-01 | Blocked WEB-RISK-66-001: workspace reports `No space left on device` when starting gateway scaffolding; requires freeing disk (e.g., clean `node_modules`/tmp) before proceeding. | Implementer |
| 2025-12-01 | Drafted contract docs for tenant auth/ABAC, Findings Ledger proxy, and notifier severity events; set tasks 1618 to DOING. | Project Mgmt |
| 2025-11-30 | Added contract/doc tasks (rows 1618) for tenant headers/ABAC, Findings Ledger proxy headers, and notifier severity events; aligned Action Tracker with Delivery Tracker; no status changes to feature tracks. | Project Mgmt |
| 2025-11-30 | Normalized sprint to standard template and renamed file from `SPRINT_216_web_v.md` to `SPRINT_0216_0001_0001_web_v.md`; no task status changes. | Project Mgmt |
| 2025-12-06 | Added ordered unblock plan for Web V (env/npm fix → Signals contract → tenant/ABAC delta → VEX consensus → Findings Ledger wiring → rerun specs). | Project Mgmt |
| 2025-12-06 | Created placeholder docs: `docs/api/signals/reachability-contract.md` and `docs/api/vex-consensus.md` to collect required contracts/fixtures; awaiting guild inputs. | Project Mgmt |
| 2025-12-06 | Propagated BLOCKED status from WEB-RISK-66-001 to downstream risk chain (66-002/67-001/68-001) and from missing Signals/tenant/VEX contracts to WEB-SIG-26-001..003 and WEB-VEX/VULN chain. No code changes applied until contracts and install env stabilise. | Implementer |
| 2025-12-06 | Added draft samples for Signals and VEX streams (`docs/api/signals/samples/*.json`, `docs/api/vex-consensus-sample.ndjson`) to support early client wiring. | Project Mgmt |
| 2025-12-07 | **Wave 10 contracts delivered:** Policy Engine REST contract at `docs/schemas/policy-engine-rest.openapi.yaml`, rate-limit design at `docs/contracts/rate-limit-design.md`, tenant/RBAC spec at `docs/contracts/web-gateway-tenant-rbac.md`. Updated WEB-TEN-47/48/49-001 and WEB-RISK-66-001 key dependencies to reference contracts. | Implementer |

689
docs/implplan/archived/SPRINT_0339_0001_0001_cli_offline_commands.md Normal file
View File

@@ -0,0 +1,689 @@
# Sprint 0339 - CLI Offline Command Group
## Topic & Scope
- Priority: P1 (High) · Gap: G4 (CLI Commands)
- Working directory: `src/Cli/StellaOps.Cli/` (tests: `src/Cli/__Tests/StellaOps.Cli.Tests/`; docs: `docs/modules/cli/**`)
- Related modules: `StellaOps.AirGap.Importer`, `StellaOps.Cli.Services`
- Source advisory: `docs/product-advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md` (A12) · Exit codes: A11
**Sprint ID:** SPRINT_0339_0001_0001
**Topic:** CLI `offline` Command Group Implementation
**Priority:** P1 (High)
**Working Directory:** `src/Cli/StellaOps.Cli/`
**Related Modules:** `StellaOps.AirGap.Importer`, `StellaOps.Cli.Services`
**Source Advisory:** 14-Dec-2025 - Offline and Air-Gap Technical Reference (A12)
**Gaps Addressed:** G4 (CLI Commands)
---
### Objective
Implement a dedicated `offline` command group in the StellaOps CLI that provides operators with first-class tooling for air-gap bundle management. The commands follow the advisory's specification and integrate with existing verification infrastructure.
---
### Target Commands
Per advisory A12:
```bash
# Import an offline kit with full verification
stellaops offline import \
--bundle ./bundle-2025-12-14.tar.zst \
--verify-dsse \
--verify-rekor \
--trust-root /evidence/keys/roots/stella-root.pub
# Emergency override (records non-monotonic audit)
stellaops offline import \
--bundle ./bundle-2025-12-07.tar.zst \
--verify-dsse \
--verify-rekor \
--trust-root /evidence/keys/roots/stella-root.pub \
--force-activate
# Check current offline kit status
stellaops offline status
# Verify evidence against policy
stellaops verify offline \
--evidence-dir /evidence \
--artifact sha256:def456... \
--policy verify-policy.yaml
```
## Dependencies & Concurrency
- Sprint 0338 (monotonicity + quarantine) must be complete.
- `StellaOps.AirGap.Importer` provides verification primitives (DSSE/TUF/Merkle + monotonicity/quarantine hooks).
- CLI command routing uses `System.CommandLine` (keep handlers composable + testable).
- Concurrency: avoid conflicting edits in `src/Cli/StellaOps.Cli/Commands/CommandFactory.cs` while other CLI sprint work is in-flight.
## Documentation Prerequisites
- `docs/modules/cli/architecture.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/product-advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | T1 | DONE | Landed (offline command group design + wiring). | DevEx/CLI Guild | Design command group structure (`offline import`, `offline status`, `verify offline`). |
| 2 | T2 | DONE | Implemented `OfflineCommandGroup` and wired into `CommandFactory`. | DevEx/CLI Guild | Create `OfflineCommandGroup` class. |
| 3 | T3 | DONE | Implemented `offline import` with manifest/hash validation, monotonicity checks, and quarantine hooks. | DevEx/CLI Guild | Implement `offline import` command (core import flow). |
| 4 | T4 | DONE | Implemented `--verify-dsse` via `DsseVerifier` (requires `--trust-root`) and added tests. | DevEx/CLI Guild | Add `--verify-dsse` flag handler. |
| 5 | T5 | DONE | Implement offline Rekor receipt inclusion proof + checkpoint signature verification per `docs/product-advisories/14-Dec-2025 - Rekor Integration Technical Reference.md` §13. | DevEx/CLI Guild | Add `--verify-rekor` flag handler. |
| 6 | T6 | DONE | Implemented deterministic trust-root loading (`--trust-root`). | DevEx/CLI Guild | Add `--trust-root` option. |
| 7 | T7 | DONE | Enforced `--force-reason` when forcing activation and persisted justification. | DevEx/CLI Guild | Add `--force-activate` flag. |
| 8 | T8 | DONE | Implemented `offline status` with table/json outputs. | DevEx/CLI Guild | Implement `offline status` command. |
| 9 | T9 | DONE | Implement `verify offline` using the policy schema in `docs/product-advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md` §4 plus deterministic evidence reconciliation outputs. | DevEx/CLI Guild | Implement `verify offline` command. |
| 10 | T10 | DONE | Add YAML+JSON policy loader with deterministic parsing/canonicalization rules; share with AirGap reconciliation. | DevEx/CLI Guild | Add `--policy` option parser. |
| 11 | T11 | DONE | Standardized `--output table|json` formatting for offline verbs. | DevEx/CLI Guild | Create output formatters (table, json). |
| 12 | T12 | DONE | Added progress reporting for bundle hashing when bundle size exceeds threshold. | DevEx/CLI Guild | Implement progress reporting. |
| 13 | T13 | DONE | Implemented offline exit codes (`OfflineExitCodes`). | DevEx/CLI Guild | Add exit code standardization. |
| 14 | T14 | DONE | Added parsing/validation tests for required/optional combinations. | DevEx/CLI Guild | Write unit tests for command parsing. |
| 15 | T15 | DONE | Added deterministic integration tests for import flow. | DevEx/CLI Guild | Write integration tests for import flow. |
| 16 | T16 | DONE | Added operator docs for offline commands + updated airgap guide. | Docs/CLI Guild | Update CLI documentation. |
## Wave Coordination
- Wave 1: Command routing + core offline verbs + exit codes (T1-T13).
- Wave 2: Tests + docs + deterministic fixtures (T14-T16).
## Wave Detail Snapshots
| Date (UTC) | Wave | Update | Owner |
| --- | --- | --- | --- |
| 2025-12-15 | 1-2 | Implemented `offline import/status` + exit codes; added tests/docs; marked T5/T9/T10 BLOCKED pending verifier/policy contracts. | DevEx/CLI |
| 2025-12-15 | 1 | Sprint normalisation in progress; T1 set to DOING. | Planning · DevEx/CLI |
## Interlocks
- Changes touch `src/Cli/StellaOps.Cli/Commands/CommandFactory.cs`; avoid concurrent command-group rewires.
- `verify offline` may require additional policy/verification contracts; if missing, mark tasks BLOCKED with concrete dependency and continue.
## Upcoming Checkpoints
- None (sprint complete).
## Action Tracker
### Technical Specification
### T1-T2: Command Group Structure
```csharp
// src/Cli/StellaOps.Cli/Commands/Offline/OfflineCommandGroup.cs
namespace StellaOps.Cli.Commands.Offline;
/// <summary>
/// Command group for air-gap and offline kit operations.
/// Per CLI-AIRGAP-339-001.
/// </summary>
public sealed class OfflineCommandGroup
{
public static Command Create(IServiceProvider services)
{
var offlineCommand = new Command("offline", "Air-gap and offline kit operations");
offlineCommand.AddCommand(CreateImportCommand(services));
offlineCommand.AddCommand(CreateStatusCommand(services));
return offlineCommand;
}
private static Command CreateImportCommand(IServiceProvider services)
{
var bundleOption = new Option<FileInfo>(
aliases: ["--bundle", "-b"],
description: "Path to the offline kit bundle (.tar.zst)")
{
IsRequired = true
};
var verifyDsseOption = new Option<bool>(
aliases: ["--verify-dsse"],
description: "Verify DSSE signature on bundle",
getDefaultValue: () => true);
var verifyRekorOption = new Option<bool>(
aliases: ["--verify-rekor"],
description: "Verify Rekor transparency log inclusion (offline mode)",
getDefaultValue: () => true);
var trustRootOption = new Option<FileInfo?>(
aliases: ["--trust-root", "-t"],
description: "Path to trust root public key file");
var forceActivateOption = new Option<bool>(
aliases: ["--force-activate"],
description: "Override monotonicity check (requires justification)");
var forceReasonOption = new Option<string?>(
aliases: ["--force-reason"],
description: "Justification for force activation (required with --force-activate)");
var manifestOption = new Option<FileInfo?>(
aliases: ["--manifest", "-m"],
description: "Path to offline manifest JSON for pre-validation");
var dryRunOption = new Option<bool>(
aliases: ["--dry-run"],
description: "Validate bundle without activating");
var command = new Command("import", "Import an offline kit bundle")
{
bundleOption,
verifyDsseOption,
verifyRekorOption,
trustRootOption,
forceActivateOption,
forceReasonOption,
manifestOption,
dryRunOption
};
command.SetHandler(async (context) =>
{
var handler = services.GetRequiredService<OfflineImportHandler>();
var options = new OfflineImportOptions(
Bundle: context.ParseResult.GetValueForOption(bundleOption)!,
VerifyDsse: context.ParseResult.GetValueForOption(verifyDsseOption),
VerifyRekor: context.ParseResult.GetValueForOption(verifyRekorOption),
TrustRoot: context.ParseResult.GetValueForOption(trustRootOption),
ForceActivate: context.ParseResult.GetValueForOption(forceActivateOption),
ForceReason: context.ParseResult.GetValueForOption(forceReasonOption),
Manifest: context.ParseResult.GetValueForOption(manifestOption),
DryRun: context.ParseResult.GetValueForOption(dryRunOption));
var result = await handler.HandleAsync(options, context.GetCancellationToken());
context.ExitCode = result.ExitCode;
});
return command;
}
private static Command CreateStatusCommand(IServiceProvider services)
{
var outputOption = new Option<OutputFormat>(
aliases: ["--output", "-o"],
description: "Output format",
getDefaultValue: () => OutputFormat.Table);
var command = new Command("status", "Display current offline kit status")
{
outputOption
};
command.SetHandler(async (context) =>
{
var handler = services.GetRequiredService<OfflineStatusHandler>();
var format = context.ParseResult.GetValueForOption(outputOption);
var result = await handler.HandleAsync(format, context.GetCancellationToken());
context.ExitCode = result.ExitCode;
});
return command;
}
}
```
### T3-T7: Import Command Handler
```csharp
// src/Cli/StellaOps.Cli/Commands/Offline/OfflineImportHandler.cs
namespace StellaOps.Cli.Commands.Offline;
public sealed class OfflineImportHandler
{
private readonly IOfflineKitImporter _importer;
private readonly IConsoleOutput _output;
private readonly ILogger<OfflineImportHandler> _logger;
public OfflineImportHandler(
IOfflineKitImporter importer,
IConsoleOutput output,
ILogger<OfflineImportHandler> logger)
{
_importer = importer;
_output = output;
_logger = logger;
}
public async Task<CommandResult> HandleAsync(
OfflineImportOptions options,
CancellationToken cancellationToken)
{
// Validate force-activate requires reason
if (options.ForceActivate && string.IsNullOrWhiteSpace(options.ForceReason))
{
_output.WriteError("--force-activate requires --force-reason to be specified");
return CommandResult.Failure(OfflineExitCodes.ValidationFailed);
}
// Check bundle exists
if (!options.Bundle.Exists)
{
_output.WriteError($"Bundle not found: {options.Bundle.FullName}");
return CommandResult.Failure(OfflineExitCodes.FileNotFound);
}
_output.WriteInfo($"Importing offline kit: {options.Bundle.Name}");
// Build import request
var request = new OfflineKitImportRequest
{
BundlePath = options.Bundle.FullName,
ManifestPath = options.Manifest?.FullName,
VerifyDsse = options.VerifyDsse,
VerifyRekor = options.VerifyRekor,
TrustRootPath = options.TrustRoot?.FullName,
ForceActivate = options.ForceActivate,
ForceActivateReason = options.ForceReason,
DryRun = options.DryRun
};
// Progress callback for large bundles
var progress = new Progress<ImportProgress>(p =>
{
_output.WriteProgress(p.Phase, p.PercentComplete, p.Message);
});
try
{
var result = await _importer.ImportAsync(request, progress, cancellationToken);
if (result.Success)
{
WriteSuccessOutput(result, options.DryRun);
return CommandResult.Success();
}
else
{
WriteFailureOutput(result);
return CommandResult.Failure(MapReasonToExitCode(result.ReasonCode));
}
}
catch (OperationCanceledException)
{
_output.WriteWarning("Import cancelled");
return CommandResult.Failure(OfflineExitCodes.Cancelled);
}
catch (Exception ex)
{
_logger.LogError(ex, "Import failed with exception");
_output.WriteError($"Import failed: {ex.Message}");
return CommandResult.Failure(OfflineExitCodes.ImportFailed);
}
}
private void WriteSuccessOutput(OfflineKitImportResult result, bool dryRun)
{
var verb = dryRun ? "validated" : "imported";
_output.WriteSuccess($"Offline kit {verb} successfully");
_output.WriteLine();
_output.WriteKeyValue("Kit ID", result.KitId);
_output.WriteKeyValue("Version", result.Version);
_output.WriteKeyValue("Digest", $"sha256:{result.Digest[..16]}...");
_output.WriteKeyValue("DSSE Verified", result.DsseVerified ? "Yes" : "No");
_output.WriteKeyValue("Rekor Verified", result.RekorVerified ? "Yes" : "Skipped");
_output.WriteKeyValue("Activated At", result.ActivatedAt?.ToString("O") ?? "N/A (dry-run)");
if (result.WasForceActivated)
{
_output.WriteWarning("NOTE: Non-monotonic activation was forced");
_output.WriteKeyValue("Previous Version", result.PreviousVersion ?? "unknown");
}
}
private void WriteFailureOutput(OfflineKitImportResult result)
{
_output.WriteError($"Import failed: {result.ReasonCode}");
_output.WriteLine();
_output.WriteKeyValue("Reason", result.ReasonMessage);
if (result.QuarantineId is not null)
{
_output.WriteKeyValue("Quarantine ID", result.QuarantineId);
_output.WriteInfo("Bundle has been quarantined for investigation");
}
if (result.Remediation is not null)
{
_output.WriteLine();
_output.WriteInfo("Remediation:");
_output.WriteLine(result.Remediation);
}
}
private static int MapReasonToExitCode(string reasonCode) => reasonCode switch
{
"HASH_MISMATCH" => OfflineExitCodes.ChecksumMismatch,
"SIG_FAIL_COSIGN" => OfflineExitCodes.SignatureFailure,
"SIG_FAIL_MANIFEST" => OfflineExitCodes.SignatureFailure,
"DSSE_VERIFY_FAIL" => OfflineExitCodes.DsseVerificationFailed,
"REKOR_VERIFY_FAIL" => OfflineExitCodes.RekorVerificationFailed,
"VERSION_NON_MONOTONIC" => OfflineExitCodes.VersionNonMonotonic,
"POLICY_DENY" => OfflineExitCodes.PolicyDenied,
"SELFTEST_FAIL" => OfflineExitCodes.SelftestFailed,
_ => OfflineExitCodes.ImportFailed
};
}
public sealed record OfflineImportOptions(
FileInfo Bundle,
bool VerifyDsse,
bool VerifyRekor,
FileInfo? TrustRoot,
bool ForceActivate,
string? ForceReason,
FileInfo? Manifest,
bool DryRun);
```
### T8: Status Command Handler
```csharp
// src/Cli/StellaOps.Cli/Commands/Offline/OfflineStatusHandler.cs
namespace StellaOps.Cli.Commands.Offline;
public sealed class OfflineStatusHandler
{
private readonly IOfflineKitStatusProvider _statusProvider;
private readonly IConsoleOutput _output;
public OfflineStatusHandler(
IOfflineKitStatusProvider statusProvider,
IConsoleOutput output)
{
_statusProvider = statusProvider;
_output = output;
}
public async Task<CommandResult> HandleAsync(
OutputFormat format,
CancellationToken cancellationToken)
{
var status = await _statusProvider.GetStatusAsync(cancellationToken);
if (format == OutputFormat.Json)
{
_output.WriteJson(status);
return CommandResult.Success();
}
// Table output (default)
WriteTableOutput(status);
return CommandResult.Success();
}
private void WriteTableOutput(OfflineKitStatus status)
{
_output.WriteLine("Offline Kit Status");
_output.WriteLine(new string('=', 40));
_output.WriteLine();
if (status.ActiveKit is null)
{
_output.WriteWarning("No active offline kit");
return;
}
_output.WriteKeyValue("Active kit", status.ActiveKit.KitId);
_output.WriteKeyValue("Kit digest", $"sha256:{status.ActiveKit.Digest}");
_output.WriteKeyValue("Version", status.ActiveKit.Version);
_output.WriteKeyValue("Activated at", status.ActiveKit.ActivatedAt.ToString("O"));
_output.WriteKeyValue("DSSE verified", status.ActiveKit.DsseVerified ? "true" : "false");
_output.WriteKeyValue("Rekor verified", status.ActiveKit.RekorVerified ? "true" : "false");
if (status.ActiveKit.WasForceActivated)
{
_output.WriteLine();
_output.WriteWarning("This kit was force-activated (non-monotonic)");
_output.WriteKeyValue("Force reason", status.ActiveKit.ForceActivateReason ?? "N/A");
}
_output.WriteLine();
_output.WriteKeyValue("Staleness", FormatStaleness(status.StalenessSeconds));
_output.WriteKeyValue("Time anchor", status.TimeAnchorStatus);
if (status.PendingImports > 0)
{
_output.WriteLine();
_output.WriteInfo($"Pending imports: {status.PendingImports}");
}
if (status.QuarantinedBundles > 0)
{
_output.WriteLine();
_output.WriteWarning($"Quarantined bundles: {status.QuarantinedBundles}");
}
}
private static string FormatStaleness(long seconds)
{
if (seconds < 0) return "Unknown";
if (seconds < 3600) return $"{seconds / 60} minutes";
if (seconds < 86400) return $"{seconds / 3600} hours";
return $"{seconds / 86400} days";
}
}
```
### T9-T10: Verify Offline Command
```csharp
// src/Cli/StellaOps.Cli/Commands/Verify/VerifyOfflineHandler.cs
namespace StellaOps.Cli.Commands.Verify;
/// <summary>
/// Handler for `stellaops verify offline` command.
/// Performs offline evidence verification against a policy.
/// </summary>
public sealed class VerifyOfflineHandler
{
private readonly IOfflineEvidenceVerifier _verifier;
private readonly IConsoleOutput _output;
private readonly ILogger<VerifyOfflineHandler> _logger;
public async Task<CommandResult> HandleAsync(
VerifyOfflineOptions options,
CancellationToken cancellationToken)
{
// Validate evidence directory
if (!options.EvidenceDir.Exists)
{
_output.WriteError($"Evidence directory not found: {options.EvidenceDir.FullName}");
return CommandResult.Failure(OfflineExitCodes.FileNotFound);
}
// Load policy
VerificationPolicy policy;
try
{
policy = await LoadPolicyAsync(options.Policy, cancellationToken);
}
catch (Exception ex)
{
_output.WriteError($"Failed to load policy: {ex.Message}");
return CommandResult.Failure(OfflineExitCodes.PolicyLoadFailed);
}
_output.WriteInfo($"Verifying artifact: {options.Artifact}");
_output.WriteInfo($"Evidence directory: {options.EvidenceDir.FullName}");
_output.WriteInfo($"Policy: {options.Policy.Name}");
_output.WriteLine();
var request = new OfflineVerificationRequest
{
EvidenceDirectory = options.EvidenceDir.FullName,
ArtifactDigest = options.Artifact,
Policy = policy
};
var result = await _verifier.VerifyAsync(request, cancellationToken);
WriteVerificationResult(result);
return result.Passed
? CommandResult.Success()
: CommandResult.Failure(OfflineExitCodes.VerificationFailed);
}
private async Task<VerificationPolicy> LoadPolicyAsync(
FileInfo policyFile,
CancellationToken cancellationToken)
{
var content = await File.ReadAllTextAsync(policyFile.FullName, cancellationToken);
// Support both YAML and JSON
if (policyFile.Extension is ".yaml" or ".yml")
{
var deserializer = new DeserializerBuilder()
.WithNamingConvention(CamelCaseNamingConvention.Instance)
.Build();
return deserializer.Deserialize<VerificationPolicy>(content);
}
else
{
return JsonSerializer.Deserialize<VerificationPolicy>(content)
?? throw new InvalidOperationException("Empty policy file");
}
}
private void WriteVerificationResult(OfflineVerificationResult result)
{
if (result.Passed)
{
_output.WriteSuccess("Verification PASSED");
}
else
{
_output.WriteError("Verification FAILED");
}
_output.WriteLine();
_output.WriteKeyValue("Artifact", result.ArtifactDigest);
_output.WriteKeyValue("Attestations found", result.AttestationsFound.ToString());
_output.WriteKeyValue("Attestations verified", result.AttestationsVerified.ToString());
if (result.SbomFound)
{
_output.WriteKeyValue("SBOM", "Found and verified");
}
if (result.VexFound)
{
_output.WriteKeyValue("VEX", "Found and applied");
}
if (result.Violations.Count > 0)
{
_output.WriteLine();
_output.WriteError("Policy violations:");
foreach (var violation in result.Violations)
{
_output.WriteLine($" - {violation.Rule}: {violation.Message}");
}
}
}
}
public sealed record VerifyOfflineOptions(
DirectoryInfo EvidenceDir,
string Artifact,
FileInfo Policy);
```
### Exit Codes
```csharp
// src/Cli/StellaOps.Cli/Commands/Offline/OfflineExitCodes.cs
namespace StellaOps.Cli.Commands.Offline;
/// <summary>
/// Exit codes for offline commands.
/// Per advisory §11.1-11.2.
/// </summary>
public static class OfflineExitCodes
{
public const int Success = 0;
public const int FileNotFound = 1;
public const int ChecksumMismatch = 2; // HASH_MISMATCH
public const int SignatureFailure = 3; // SIG_FAIL_COSIGN, SIG_FAIL_MANIFEST
public const int FormatError = 4;
public const int DsseVerificationFailed = 5; // DSSE_VERIFY_FAIL
public const int RekorVerificationFailed = 6; // REKOR_VERIFY_FAIL
public const int ImportFailed = 7;
public const int VersionNonMonotonic = 8; // VERSION_NON_MONOTONIC
public const int PolicyDenied = 9; // POLICY_DENY
public const int SelftestFailed = 10; // SELFTEST_FAIL
public const int ValidationFailed = 11;
public const int VerificationFailed = 12;
public const int PolicyLoadFailed = 13;
public const int Cancelled = 130; // Standard SIGINT
}
```
---
### Acceptance Criteria
### `offline import`
- [x] `--bundle` is required; error if not provided
- [x] Bundle file must exist; clear error if missing
- [x] `--verify-dsse` integrates with `DsseVerifier`
- [x] `--verify-rekor` uses offline Rekor snapshot
- [x] `--trust-root` loads public key from file
- [x] `--force-activate` without `--force-reason` fails with helpful message
- [x] Force activation logs to audit trail
- [x] `--dry-run` validates without activating
- [x] Progress reporting for bundles > 100MB
- [x] Exit codes match advisory A11.2
- [x] JSON output with `--output json`
- [x] Failed bundles are quarantined
### `offline status`
- [x] Displays active kit info (ID, digest, version, timestamps)
- [x] Shows DSSE/Rekor verification status
- [x] Shows staleness in human-readable format
- [x] Indicates if force-activated
- [x] JSON output with `--output json`
- [x] Shows quarantine count if > 0
### `verify offline`
- [x] `--evidence-dir` is required
- [x] `--artifact` accepts sha256:... format
- [x] `--policy` supports YAML and JSON
- [x] Loads keys from evidence directory
- [x] Verifies DSSE signatures offline
- [x] Checks tlog inclusion proofs offline
- [x] Reports policy violations clearly
- [x] Exit code 0 on pass, 12 on fail
### Testing Strategy
1. **Command parsing tests** with various option combinations
2. **Handler unit tests** with mocked dependencies
3. **Integration tests** with real bundle files
4. **End-to-end tests** in CI with sealed environment simulation
### Documentation Updates
- Add `docs/modules/cli/guides/commands/offline.md`
- Update `docs/modules/cli/guides/airgap.md` with command examples
- Add man-page style help text for each command
## Decisions & Risks
- 2025-12-15: Normalised sprint file to standard template; started T1 (structure design) and moved the remaining tasks unchanged.
- 2025-12-15: Implemented `offline import/status` + exit codes; added tests/docs; marked T5/T9/T10 BLOCKED due to missing verifier/policy contracts.
| Risk | Impact | Mitigation | Owner | Status |
| --- | --- | --- | --- | --- |
| Offline Rekor verification contract missing/incomplete | Cannot meet `--verify-rekor` acceptance criteria. | Define/land offline inclusion proof verification contract/library and wire into CLI. | DevEx/CLI | Closed |
| `.tar.zst` payload inspection not implemented | Limited local validation (hash/sidecar checks only). | Add deterministic Zstd+tar inspection path (or reuse existing bundle tooling) and cover with tests. | DevEx/CLI | Open |
| `verify offline` policy schema unclear | Risk of implementing an incompatible policy loader/verifier. | Define policy schema + canonicalization/evaluation rules; then implement `verify offline` and `--policy`. | DevEx/CLI | Closed |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-18 | Completed T5/T9/T10 (offline Rekor verifier, `verify offline`, YAML/JSON policy loader); validated via `dotnet test src/Cli/__Tests/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj -c Release`. | Agent |
| 2025-12-18 | Closed sprint checkpoints (Upcoming Checkpoints → None). | Agent |
| 2025-12-17 | Unblocked T5/T9/T10 by adopting the published offline policy schema (A12) and Rekor receipt contract (Rekor Technical Reference §13); started implementation of offline Rekor inclusion proof verification and `verify offline`. | Agent |
| 2025-12-15 | Implemented `offline import/status` (+ exit codes, state storage, quarantine hooks), added docs and tests; validated with `dotnet test src/Cli/__Tests/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj -c Release`; marked T5/T9/T10 BLOCKED pending verifier/policy contracts. | DevEx/CLI |
| 2025-12-15 | Normalised sprint file to standard template; set T1 to DOING. | Planning · DevEx/CLI |

1785
docs/implplan/archived/SPRINT_0340_0001_0001_first_signal_card_ui.md Normal file
View File

File diff suppressed because it is too large Load Diff

1006
docs/implplan/archived/SPRINT_0342_0001_0001_evidence_reconciliation.md Normal file
View File

File diff suppressed because it is too large Load Diff

95
docs/implplan/archived/SPRINT_0406_0001_0001_scanner_node_detection_gaps.md Normal file
View File

@@ -0,0 +1,95 @@
# Sprint 0406 · Scanner · Node Detection Gaps
## Topic & Scope
- Close concrete detection gaps in the Node analyzer so scans reliably produce **complete, correct, deterministic** component inventories across npm/Yarn/PNPM, workspaces, PnP, tarballs, and container layer layouts.
- Ensure declared-only dependencies (lock/package.json) are represented **safely** (no invalid/over-confident PURLs from version ranges) and merged deterministically with installed/on-disk evidence.
- Improve lockfile fidelity for **multi-version** dependencies (common in Node) and modern lock formats (Yarn Berry, newer pnpm schemas) while staying offline-first.
- Produce evidence: new deterministic fixtures + golden outputs, plus an offline benchmark guarding performance regressions.
- **Working directory:** `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node` (tests: `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Node.Tests`).
## Dependencies & Concurrency
- Depends on shared component identity/evidence mechanisms: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/Core/LanguageAnalyzerResult.cs:85`.
- Concurrency-safe with `SPRINT_0403_0001_0001_scanner_java_detection_gaps.md` and `SPRINT_0404_0001_0001_scanner_dotnet_detection_gaps.md` and `SPRINT_0405_0001_0001_scanner_python_detection_gaps.md` unless identity/locator conventions are standardized cross-analyzer (Action 1).
## Documentation Prerequisites
- `docs/modules/scanner/architecture.md`
- `src/Scanner/AGENTS.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/AGENTS.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/AGENTS.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SCAN-NODE-406-001 | DONE | Emission + tests landed. | Node Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node`) | **Emit declared-only components**: `NodeLockData.LoadAsync` already builds `DeclaredPackages` from lockfiles + `package.json`, but `NodeLanguageAnalyzer` never emits them. Add a deterministic "declared-only emission" pass that emits components for any `DeclaredPackages` entry not backed by on-disk inventory. Must include: `declaredOnly=true`, `declared.source` (`package.json|package-lock.json|yarn.lock|pnpm-lock.yaml`), `declared.locator` (stable), `declared.versionSpec` (original range/tag), `declared.scope` (prod/dev/peer/optional if known), and `declared.resolvedVersion` (only when lock provides concrete). **Critical:** do not emit `pkg:npm/...@<range>` PURLs; use `AddFromExplicitKey` when version is not a concrete resolved version. |
| 2 | SCAN-NODE-406-002 | DONE | Multi-version matching + tests landed. | Node Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node`) | **Multi-version lock correctness**: fix `NodeLockData` to support multiple versions per package name and match lock entries by `(name, resolvedVersion)` when the on-disk package.json has a concrete version. Add a `TryGet(relativePath, name, version)` overload (or equivalent) so lock metadata (`integrity`, `resolved`, `scope`) attaches to the correct package instance. Replace/augment `_byName` with a deterministic `(name@version)->entry` map for yarn/pnpm sources. |
| 3 | SCAN-NODE-406-003 | DONE | Yarn Berry parsing + tests landed. | Node Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node`) | **Support Yarn Berry (v2/v3) lock format**: extend `NodeLockData.LoadYarnLock` to parse modern `yarn.lock` entries that use `resolution:` / `checksum:` / `linkType:` (and may not have `resolved`/`integrity`). Map `checksum` to an integrity-like field (metadata/evidence) and preserve the raw locator key as `lockLocator`. Ensure multiple versions of the same package are preserved (Task 2). Add fixtures covering Yarn v1 and Yarn v3 lock styles. |
| 4 | SCAN-NODE-406-004 | DONE | pnpm hardening + tests landed. | Node Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node`) | **Harden pnpm lock parsing**: extend `LoadPnpmLock` to handle packages that have no `integrity` (workspace/file/link/git) without silently dropping them. Emit declared-only entries with `declared.resolvedVersion` (if known) and `lockIntegrityMissing=true` + reason. Add support for newer pnpm layouts (`snapshots:`) when present, while keeping parsing bounded and deterministic. |
| 5 | SCAN-NODE-406-005 | DONE | Nested node_modules naming + tests landed. | Node Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node`) | **Fix `package-lock.json` nested node_modules naming**: `ExtractNameFromPath` mis-identifies `node_modules/parent/node_modules/child` unless `name` is present. Update extraction to select the last package segment after the last `node_modules` (incl. scoped packages). Add tests that prove nested dependencies are keyed correctly and lock metadata is attached to the right on-disk package. |
| 6 | SCAN-NODE-406-006 | DONE | Bounded `*`/`**` workspace expansion + tests landed. | Node Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node`) | **Improve workspace discovery**: `NodeWorkspaceIndex` only supports patterns ending with `/*`. Extend it to support at least `**`-style patterns used in monorepos (e.g., `packages/**`, `apps/*`, `tools/*`). Ensure expansion is deterministic and safe (bounds on directory traversal; ignore `node_modules`). Add fixtures for multi-depth workspace patterns. |
| 7 | SCAN-NODE-406-007 | DONE | Workspace-aware scopes + tests landed. | Node Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node`) | **Workspace-aware dependency scopes**: `NodeDependencyIndex` reads only root `package.json`. Extend scope classification to include workspace member manifests so `scope`/`riskLevel` metadata is correct for workspace packages. Must preserve precedence rules (root vs workspace vs lock) and be deterministic. |
| 8 | SCAN-NODE-406-008 | DONE | ESM/TS parsing + bounded import scan landed. | Node Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node`) | **Import scanning correctness + bounds**: `NodeImportWalker` uses `ParseScript` which misses ESM `import` syntax and fails on TS. Improve by attempting `ParseModule` when script parse fails, and add a bounded heuristic fallback for TS (`import ... from`, `export ... from`) when AST parsing fails. Also bound `AttachImports` so it does not recursively scan every file inside `node_modules` trees by default; restrict to source roots/workspace members and/or cap by file count and total bytes, emitting `importScanSkipped=true` + counters when capped. |
| 9 | SCAN-NODE-406-009 | DONE | On-disk `package.json` hashing + fixtures landed. | Node Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node`) | **Deterministic evidence hashing for on-disk `package.json`**: today tar/zip packages attach `PackageSha256`, but on-disk packages typically do not. Compute sha256 for `package.json` contents for installed packages (bounded: only package.json, not full dir) and attach to root evidence consistently. Do not hash large files; do not add unbounded IO. |
| 10 | SCAN-NODE-406-010 | DONE | Lock-only lockfile fixtures (package-lock/yarn-berry/pnpm) + workspace glob fixture + container app-root discovery; goldens updated. | QA Guild (`src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Node.Tests`) | **Fixtures + golden outputs**: add/extend fixtures proving: (a) lock-only project (no node_modules) emits declared-only components, (b) Yarn v3 lock parses + multi-version packages preserved, (c) pnpm lock with workspace/link deps doesnt silently drop, (d) package-lock nested node_modules naming is correct, (e) workspace glob patterns beyond `/*`, (f) container layout where app `package.json` is not at root (e.g., `/app/package.json` inside a layer root) still emits the app component, (g) ESM + TS import scanning captures imports (bounded) and emits deterministic evidence. Update `NodeLanguageAnalyzerTests.cs` and targeted unit tests (`NodeLockDataTests.cs`, `NodePackageCollectorTests.cs`) to assert deterministic ordering and identity rules. |
| 11 | SCAN-NODE-406-011 | DONE | Docs + offline bench scenario (`node_detection_gaps_fixture`) landed; Prom/JSON record import-scan counters. | Docs Guild + Bench Guild (`docs/modules/scanner`, `src/Bench/StellaOps.Bench/Scanner.Analyzers`) | **Document + benchmark Node analyzer contract**: document precedence (installed vs declared), identity rules for unresolved versions, Yarn/pnpm lock parsing guarantees/limits, workspace discovery rules, import scanning bounds/semantics, and container layout assumptions. Add a deterministic offline bench that scans a representative fixture (workspace + lock-only + import scan enabled) and records elapsed time + component counts (and file-scan counters) with a baseline ceiling. |
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| A: Declared-only & identity | Node Analyzer Guild + QA Guild | Action 1 | TODO | Emit declared-only safely; avoid invalid PURLs. |
| B: Lock fidelity | Node Analyzer Guild + QA Guild | None | TODO | Multi-version lock correctness + Yarn Berry + pnpm hardening + nested path fixes. |
| C: Workspaces & containers | Node Analyzer Guild + QA Guild | Action 2 | TODO | Workspace glob support + scope attribution + container app-root discovery. |
| D: Imports & evidence | Node Analyzer Guild + QA Guild | Action 4 | TODO | ESM/TS import correctness + bounded scanning + package.json hashing. |
| E: Docs & bench | Docs Guild + Bench Guild | Waves AD | TODO | Contract + performance ceiling. |
## Wave Detail Snapshots
- **Wave A:** Declared-only dependencies become visible and safely keyed (no range-as-version PURLs).
- **Wave B:** Lock metadata attaches to the correct package instance even with multiple versions; modern Yarn/pnpm formats handled deterministically.
- **Wave C:** Workspace membership discovery is robust for common monorepo patterns; scope metadata reflects workspace manifests; container app roots are not missed.
- **Wave D:** Import evidence captures ESM/TS and remains bounded; package.json evidence hashing becomes consistent.
- **Wave E:** Contract doc + offline bench prevent regressions.
## Interlocks
- **Identity safety:** Never emit `pkg:npm/...@<range>` or otherwise treat version ranges/tags as concrete versions (Action 1).
- **Lock precedence:** When multiple lock sources exist, define deterministic precedence for metadata attachment (e.g., package-lock by path > declared(name@version) > yarn/pnpm by name@version). (Action 3)
- **Workspace traversal bounds:** Workspace expansion must not crawl `node_modules` and must have explicit depth/file limits. (Action 2)
- **Import scanning bounds:** Do not recursively scan the entire filesystem (or dependency trees) without caps; skipped work must be explicit in metadata. (Action 4)
## Upcoming Checkpoints
- 2025-12-13: Approve identity scheme + workspace glob bounds + import-scan bounds (Actions 124).
- 2025-12-16: Wave A complete (declared-only emission) with lock-only fixture.
- 2025-12-18: Wave B complete (multi-version locks + Yarn Berry + pnpm hardening + nested naming).
- 2025-12-20: Wave C complete (workspace globs + scope attribution + container app-root fixture).
- 2025-12-22: Wave D complete (ESM/TS imports + bounds + package.json hashing) and Wave E docs/bench done; sprint ready for DONE review.
## Action Tracker
| # | Action | Owner | Due (UTC) | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | Decide explicit-key identity scheme for declared-only Node deps (ranges/tags/git/file/workspace) and document it. | Project Mgmt + Scanner Guild | 2025-12-13 | Done | Implemented via `LanguageExplicitKey` in `docs/modules/scanner/language-analyzers-contract.md`; Node specifics in `docs/modules/scanner/analyzers-node.md`. |
| 2 | Decide workspace glob expansion rules (supported patterns, bounds, excluded dirs like `node_modules`). | Project Mgmt + Node Analyzer Guild | 2025-12-13 | Done | Supports `*` + `**`, skips `node_modules`, bounded traversal; documented in `docs/modules/scanner/analyzers-node.md`. |
| 3 | Decide lock metadata precedence when multiple sources exist and when lock lacks integrity/resolution. | Project Mgmt + Node Analyzer Guild | 2025-12-13 | Done | Precedence: path match > `(name,version)` > name-only; documented in `docs/modules/scanner/analyzers-node.md`. |
| 4 | Decide import-scanning policy: default enabled/disabled, scope (workspace only vs all packages), and caps to enforce. | Project Mgmt + Node Analyzer Guild | 2025-12-13 | Done | Scope: root + workspace members only; caps + skip markers; bench exports `node.importScan.*` metrics (see `docs/modules/scanner/analyzers-node.md`). |
## Decisions & Risks
- **Decision (pending):** Declared-only identity scheme, workspace glob bounds, lock precedence, and import scanning caps (Action Tracker 14).
| Risk ID | Risk | Impact | Likelihood | Mitigation | Owner | Trigger / Signal |
| --- | --- | --- | --- | --- | --- | --- |
| R1 | Declared-only identity causes false vulnerability matches (ranges treated as versions). | High | Medium | Enforce explicit-key for non-concrete versions; document semantics; fixtures prove no `@^1.2.3` PURLs. | Node Analyzer Guild | Vuln-match spike on declared-only components; invalid PURL reports. |
| R2 | Multi-version dependencies get wrong integrity/resolution metadata. | Medium | High | Add `(name@version)` matching + fixtures with two versions of same package; deterministic merge rules. | Node Analyzer Guild | Mismatched integrity in evidence; inconsistent lockLocator attribution. |
| R3 | Yarn Berry/pnpm lock parsing breaks on format drift. | Medium | Medium | Keep parser tolerant and bounded; emit “unsupportedFields/lines” counters; add fixtures per lock version. | Node Analyzer Guild | Real projects show zero lock entries despite lockfile present. |
| R4 | Workspace glob expansion becomes a perf trap or scans unexpected dirs. | Medium | Medium | Explicit bounds + skip `node_modules` + depth caps; add tests for worst-case patterns. | Node Analyzer Guild | Bench regression; CI timeout; unexpected traversal of dependency trees. |
| R5 | Import scanning explodes runtime and output size. | High | Medium | Restrict scope + caps; emit `importScanSkipped` markers; benchmark and set ceiling. | Bench Guild | Time/memory regression; extremely large evidence arrays. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-12 | Sprint created to close Node analyzer detection gaps (declared-only emission, multi-version lock fidelity, Yarn Berry/pnpm parsing, workspace glob support, import scanning correctness/bounds, deterministic evidence hashing) with fixtures/bench/docs expectations. | Project Mgmt |
| 2025-12-13 | Completed Wave A/B tasks 406-001..406-005 (declared-only emission, multi-version lock fidelity, Yarn Berry parsing, pnpm integrity-missing + snapshots, nested package-lock naming) with regression tests. | Implementer |
| 2025-12-13 | Completed task 406-006 (bounded `*`/`**` workspace expansion; skips `node_modules`) with unit tests. | Implementer |
| 2025-12-13 | Completed task 406-007 (workspace-aware dependency scopes) with fixture update + tests. | Implementer |
| 2025-12-13 | Completed task 406-008 (ESM/TS import scanning + bounds) with fixture update + tests. | Implementer |
| 2025-12-13 | Completed task 406-009 (on-disk `package.json` sha256 evidence) with fixture updates. | Implementer |
| 2025-12-13 | Updated declared-only emission to use the cross-analyzer explicit-key format and expanded fixtures for `layers/`, `.layers/`, and `layer*/` discovery. | Implementer |
| 2025-12-13 | Completed task 406-010 (fixtures + goldens: lock-only package-lock/yarn-berry/pnpm, workspace globs, container app-root discovery) with regression tests. | Implementer |
| 2025-12-13 | Completed task 406-011 (docs + offline bench: `docs/modules/scanner/analyzers-node.md`, scenario `node_detection_gaps_fixture`, import-scan metrics) with bench/test coverage. | Implementer |

94
docs/implplan/archived/SPRINT_0407_0001_0001_scanner_bun_detection_gaps.md Normal file
View File

@@ -0,0 +1,94 @@
# Sprint 0407 - Scanner Bun Detection Gaps
## Topic & Scope
- Close Bun inventory blind-spots so scans reliably inventory dependencies across **installed `node_modules`**, **lockfile-only**, **workspace layouts**, **patched dependencies**, and **container layer trees**.
- Improve correctness and safety: never emit invalid/confident `pkg:npm/...@<range>` style identities; avoid leaking absolute paths; keep outputs deterministic with explicit bounds and audited “skipped” markers.
- Produce hard evidence: new fixtures + golden outputs covering bunfig-only projects, version-specific patches, container layer roots (`layers/`, `.layers/`, `layer*/`), and bun.lock v1 graph-based dev/prod classification.
- **Working directory:** `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun` (tests: `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Bun.Tests`; optional benches: `src/Bench/StellaOps.Bench/Scanner.Analyzers`).
## Dependencies & Concurrency
- Interlocks with Node analyzer conventions for container root discovery and identity safety:
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/NodeInputNormalizer.cs`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/Internal/NodeLockData.cs`
- Must remain parallel-safe with other language analyzers: no shared mutable global state; deterministic iteration over filesystem and lock entries.
- Offline-first: do not run `bun`, do not fetch registries, do not assume network.
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/scanner/architecture.md`
- `src/Scanner/AGENTS.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/AGENTS.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/AGENTS.md` (created 2025-12-13)
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | SCAN-BUN-407-001 | DONE | Fixture `lang/bun/container-layers` + determinism test passing. | Bun Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun`) | **Container-layer aware project discovery**: extend `Internal/BunProjectDiscoverer.cs` to discover Bun project roots not only under `context.RootPath`, but also under common OCI unpack layouts used elsewhere in scanner: `layers/*`, `.layers/*`, and `layer*` direct children. Do not skip hidden roots wholesale: `.layers` must be included. Keep traversal bounded and deterministic: (a) stable ordering of enumerated directories, (b) explicit depth caps per root, (c) hard cap on total discovered roots, (d) must never recurse into `node_modules/` and must skip large/non-project dirs deterministically. Acceptance: new fixture `lang/bun/container-layers` proves a Bun project placed under `.layers/layer0/app` is found and scanned. |
| 2 | SCAN-BUN-407-002 | DONE | Fixture `lang/bun/bunfig-only` + determinism test passing. | Bun Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun`) | **Declared-only fallback for bun markers**: if `BunProjectDiscoverer` identifies a project root (via `bunfig.toml`/`package.json`/etc.) but `BunInputNormalizer` returns `None` (no `node_modules`, no `bun.lock`), emit declared-only components from `package.json` dependencies. Requirements: (a) do not emit `pkg:npm/...@<range>` PURLs for version ranges/tags; use `AddFromExplicitKey` when version is not a concrete resolved version, (b) include deterministic metadata `declaredOnly=true`, `declared.source=package.json`, `declared.locator=<relative>#<section>`, `declared.versionSpec=<original>`, `declared.scope=<prod|dev|peer|optional>`, and (c) include root package.json evidence with sha256 (bounded). Acceptance: new fixture `lang/bun/bunfig-only` emits declared-only components for both `dependencies` and `devDependencies` with safe identities. |
| 3 | SCAN-BUN-407-003 | DONE | Fixture `lang/bun/lockfile-dev-classification` passing. | Bun Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun`) | **bun.lock v1 graph enrichment (dev/optional/peer + edges)**: upgrade `Internal/BunLockParser.cs` to preserve dependency edges from bun.lock v1 array form (capture dependency value/specifier, not only names) and to parse optional peer information when present. Build a bounded dependency graph that starts from root `package.json` declarations (prod/dev/optional/peer) and propagates reachability to lock entries, marking `BunLockEntry.IsDev/IsOptional/IsPeer` deterministically. If the graph cannot disambiguate (multiple versions/specifier mismatch), do not guess; emit `scopeUnknown=true` and keep `IsDev=false` unless positively proven. Acceptance: add fixture `lang/bun/lockfile-dev-classification` demonstrating: (a) dev-only packages are tagged `dev=true` and are excluded when `includeDev=false`, (b) prod packages remain untagged, (c) the decision is stable across OS/filesystem ordering. |
| 4 | SCAN-BUN-407-004 | DONE | Dev filter verified via fixture goldens. | Bun Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun`) | **Make `includeDev` meaningful**: `Internal/BunLockInventory.cs` currently filters by `entry.IsDev`, but bun.lock array parsing sets `IsDev=false` always. After graph enrichment (Task 3), implement deterministic filtering for lockfile-only scans and ensure installed scans also carry dev/optional/peer metadata when lock data is present. Acceptance: tests show dev filtering affects output only when the analyzer can prove dev reachability; otherwise outputs remain but are marked `scopeUnknown=true`. |
| 5 | SCAN-BUN-407-005 | DONE | Fixture `lang/bun/patched-multi-version` passing. | Bun Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun`) | **Version-specific patch mapping + no absolute paths**: fix `Internal/BunWorkspaceHelper.cs` so `patchedDependencies` keys preserve version specificity (`name@version`), and patch-directory discovery emits **relative** deterministic paths (relative to project root) rather than absolute OS paths. Update `BunLanguageAnalyzer` patch application so it first matches `name@version`, then falls back to `name` only when unambiguous. Acceptance: add fixture `lang/bun/patched-multi-version` with two patch files for the same package name at different versions; output marks only the correct version as patched and never includes absolute paths. |
| 6 | SCAN-BUN-407-006 | DONE | Goldens updated; bounded sha256 + lock locators added. | Bun Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun`) | **Evidence strengthening + locator precision**: improve `Internal/BunPackage.CreateEvidence()` so evidence locators are stable and specific: (a) package.json evidence includes sha256 (bounded; if skipped, emit `packageJson.hashSkipped=true` + `packageJson.hashSkipReason=<...>`), (b) bun.lock evidence uses locator `<lockfileRelativePath>:packages[<name>@<version>]` instead of plain `bun.lock`, (c) include lockfile sha256 once per project root via repeated evidence sha256 (bounded). Acceptance: update existing Bun fixtures goldens to reflect deterministic hashing and locator formats, with no nondeterministic absolute paths. |
| 7 | SCAN-BUN-407-007 | DONE | Fixture `lang/bun/non-concrete-versions` passing. | Bun Analyzer Guild (`src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun`) | **Identity safety for non-npm sources**: `Internal/BunPackage.BuildPurl()` always emits `pkg:npm/<name>@<version>`. Define and implement rules for `SourceType != npm` (git/file/link/workspace/tarball/custom-registry): when `version` is not a concrete registry version, emit `AddFromExplicitKey` (no PURL) and preserve the original specifier/resolved URL in metadata. If a PURL is emitted, it must be valid and must not embed raw specifiers like `workspace:*` as a “version”. Acceptance: add fixture `lang/bun/non-concrete-versions` demonstrating safe identities for `workspace:*` / `link:` / `file:` styles (if representable in bun.lock), with deterministic explicit keys and clear metadata markers. |
| 8 | SCAN-BUN-407-008 | DONE | Doc `docs/modules/scanner/analyzers-bun.md` published and sprint linked. | Docs Guild + Bun Analyzer Guild | **Document Bun analyzer detection contract**: add/update `docs/modules/scanner/analyzers-bun.md` (or the closest existing scanner doc) describing: what artifacts are used (node_modules, bun.lock, package.json), precedence rules, identity rules (PURL vs explicit-key), dev/optional/peer semantics, container layer root handling, and bounds (depth/roots/files/hash limits). Link this sprint from the doc and add a brief “known limitations” section (e.g., bun.lockb unsupported). |
| 9 | SCAN-BUN-407-009 | DONE | Added scenario `bun_multi_workspace_fixture` in analyzer microbench harness. | Bench Guild (`src/Bench/StellaOps.Bench/Scanner.Analyzers`) | **Offline benchmark**: add a deterministic bench that scans a representative Bun monorepo fixture (workspaces + many packages) and records elapsed time + component counts. Establish a ceiling and guard against regressions. |
## Wave Coordination
| Wave | Guild owners | Shared prerequisites | Status | Notes |
| --- | --- | --- | --- | --- |
| A: Discovery & Declared-only | Bun Analyzer Guild + QA Guild | Actions 12 | TODO | Make projects discoverable and avoid “no output” cases. |
| B: Lock graph & scopes | Bun Analyzer Guild + QA Guild | Action 3 | TODO | Correct dev/optional/peer and make includeDev meaningful. |
| C: Patches & evidence | Bun Analyzer Guild + QA Guild | Action 4 | TODO | Version-specific patches; deterministic evidence/hashes. |
| D: Identity safety | Bun Analyzer Guild + Security Guild | Action 1 | TODO | Non-npm sources and non-concrete versions never become “fake versions”. |
| E: Docs & bench | Docs Guild + Bench Guild | Waves AD | TODO | Contract and perf guardrails. |
## Wave Detail Snapshots
- **Wave A:** Discover Bun projects under OCI layer layouts; declared-only emission when no install/lock evidence exists.
- **Wave B:** bun.lock v1 graph enrichment provides auditable dev/optional/peer classification and enables reliable dev filtering.
- **Wave C:** Patched dependency mapping is version-correct and deterministic; evidence locators/hashes become strong and stable.
- **Wave D:** Identity rules prevent invalid PURLs and reduce false vuln matches for non-registry packages.
- **Wave E:** Documented contract + optional benchmark keeps behavior stable over time.
## Interlocks
- **Identity safety:** Never emit `pkg:npm/...@<range|tag|workspace:*|file:...|link:...>`; use explicit keys for non-concrete versions/specifiers. (Action 1)
- **Container traversal bounds:** Project discovery must not devolve into full-root recursion on container roots; bounds must be explicit and test-covered. (Action 2)
- **Scope correctness:** Dev/optional/peer flags must be derived deterministically (graph or explicit signals). When uncertain, mark unknown rather than guessing. (Action 3)
- **No path leakage:** Metadata/evidence must not include absolute host paths (patch file discovery is the primary risk). (Action 4)
## Upcoming Checkpoints
- 2025-12-13: Approve identity scheme + container discovery contract + scope semantics + patch rules (Actions 14).
- 2025-12-16: Wave A complete with container-layers + bunfig-only fixtures passing.
- 2025-12-18: Wave B complete with dev/optional/peer classification fixture and includeDev filter tests.
- 2025-12-20: Wave C + D complete (patch mapping + evidence hashing + identity safety) with updated goldens.
- 2025-12-22: Wave E docs complete; bench decision made; sprint ready for DONE review.
## Action Tracker
| # | Action | Owner | Due (UTC) | Status | Notes |
| --- | --- | --- | --- | --- | --- |
| 1 | Decide explicit-key identity scheme for Bun declared-only and non-npm sources (ranges/tags/git/file/link/workspace). | Project Mgmt + Scanner Guild | 2025-12-13 | Done | Implemented per `docs/modules/scanner/language-analyzers-contract.md`. |
| 2 | Decide and document container layer root discovery rules for Bun analyzer (parity with Node's `layers/.layers/layer*` conventions, depth/roots bounds). | Project Mgmt + Bun Analyzer Guild | 2025-12-13 | Done | Implemented per `docs/modules/scanner/language-analyzers-contract.md`; validated by fixture `lang/bun/container-layers`. |
| 3 | Decide bun.lock v1 scope derivation rules (dev/optional/peer) and how uncertainty is represented (`scopeUnknown` markers). | Project Mgmt + Bun Analyzer Guild | 2025-12-13 | Done | Implemented in `Internal/BunLockScopeClassifier.cs` with `scopeUnknown=true` for ambiguity. |
| 4 | Decide patched dependency keying and deterministic path normalization (relative path base, name@version precedence, fallback rules). | Project Mgmt + Bun Analyzer Guild + Security Guild | 2025-12-13 | Done | Implemented in `Internal/BunWorkspaceHelper.cs` (version-specific keys; project-relative patch paths). |
| 5 | Create missing module charter: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/AGENTS.md`. | Project Mgmt | 2025-12-13 | Done | Created `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Bun/AGENTS.md`. |
## Decisions & Risks
- Decisions implemented per `docs/modules/scanner/language-analyzers-contract.md` and documented in `docs/modules/scanner/analyzers-bun.md`.
| Risk ID | Risk | Impact | Likelihood | Mitigation | Owner | Trigger / Signal |
| --- | --- | --- | --- | --- | --- | --- |
| R1 | Container root discovery causes perf regressions on large rootfs trees. | High | Medium | Explicit bounds + deterministic skipping; add container-layers fixture and (optional) benchmark. | Bun Analyzer Guild | CI timeouts; high CPU usage scanning container roots. |
| R2 | Dev/optional/peer classification is wrong or unstable due to ambiguous graph edges. | High | Medium | Prefer “unknown” markers over guesses; stabilize matching using dependency specifiers when available; fixture for ambiguity. | Bun Analyzer Guild | Flaky golden outputs; incorrect dev filtering reported by users. |
| R3 | Invalid PURLs or range-as-version identities cause false vulnerability matches. | High | Medium | Explicit-key for non-concrete versions; document semantics; add fixtures asserting absence of invalid `@^...` or `@workspace:*` PURLs. | Security Guild + Bun Analyzer Guild | Vuln-match spike; downstream consumers reject PURLs. |
| R4 | Absolute paths leak into metadata/evidence (patch discovery, symlink realpaths). | Medium | Medium | Normalize to project-relative paths; add fixture that fails if absolute paths appear. | Bun Analyzer Guild | Golden diffs include host-specific paths. |
| R5 | Evidence hashing increases runtime and memory usage. | Medium | Low/Medium | Hash only bounded files; cache per file path; record `hashSkipped` markers when exceeding size caps. | Bench Guild | Bench regression; memory spikes. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-12 | Sprint created to close Bun analyzer detection gaps (container-layer discovery, declared-only fallback, bun.lock scope graph, version-specific patches, evidence hashing, identity safety) with fixtures/docs/bench expectations. | Project Mgmt |
| 2025-12-13 | Completed SCAN-BUN-407-001 and SCAN-BUN-407-002 with new fixtures (`lang/bun/container-layers`, `lang/bun/bunfig-only`) and deterministic goldens; aligned explicit-key behavior with `docs/modules/scanner/language-analyzers-contract.md`. | Bun Analyzer Guild |
| 2025-12-13 | Completed SCAN-BUN-407-003 through SCAN-BUN-407-008 (scope graph + dev filtering, version-specific patch mapping, bounded sha256 evidence, non-concrete identity safety, and Bun analyzer contract doc). | Bun Analyzer Guild |
| 2025-12-13 | Completed SCAN-BUN-407-009 by wiring the Bun analyzer into the scanner analyzer microbench harness and adding scenario `bun_multi_workspace_fixture`. | Bench Guild |

164
docs/implplan/archived/SPRINT_0411_0001_0001_semantic_entrypoint_engine.md Normal file
View File

@@ -0,0 +1,164 @@
# Sprint 0411.0001.0001 - Semantic Entrypoint Engine
## Topic & Scope
- Window: 2025-12-16 -> 2025-12-30 (UTC); foundation phase for entrypoint re-engineering.
- Build semantic understanding layer that infers intent, capabilities, and attack surface from entrypoints.
- Enable downstream phases (temporal, mesh, speculative, binary, risk) with stable data structures.
- **Working directory:** `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/Semantic/`
## Dependencies & Concurrency
- Upstream: Sprint 0401 Reachability Evidence Chain (richgraph-v1, symbol_id, code_id contracts).
- Upstream: Sprint 0408 Language Detection Gaps (mature Python/Java/Node analyzers).
- Blocks: Sprints 0412-0415 depend on semantic records from this sprint.
- Language-specific adapters can be developed in parallel once core schema lands.
## Documentation Prerequisites
- docs/modules/scanner/operations/entrypoint-problem.md
- docs/modules/scanner/operations/entrypoint-static-analysis.md
- docs/modules/scanner/operations/entrypoint-lang-*.md (per-language guides)
- docs/reachability/function-level-evidence.md
- src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/AGENTS.md
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|---|---------|--------|---------------------------|--------|-----------------|
| 1 | ENTRY-SEM-411-001 | DONE | None; foundation task | Scanner Guild | Create `SemanticEntrypoint` record with Id, Specification, Intent, Capabilities, AttackSurface, DataBoundaries, Confidence fields. |
| 2 | ENTRY-SEM-411-002 | DONE | Task 1 | Scanner Guild | Define `ApplicationIntent` enumeration: WebServer, CliTool, BatchJob, Worker, Serverless, Daemon, InitSystem, Supervisor, DatabaseServer, MessageBroker, CacheServer, ProxyGateway, Unknown. |
| 3 | ENTRY-SEM-411-003 | DONE | Task 1 | Scanner Guild | Define `CapabilityClass` enumeration: NetworkListen, NetworkConnect, FileRead, FileWrite, ProcessSpawn, CryptoOperation, DatabaseAccess, MessageQueue, CacheAccess, ExternalApi, UserInput, ConfigLoad, SecretAccess, LogEmit. |
| 4 | ENTRY-SEM-411-004 | DONE | Task 1 | Scanner Guild | Define `ThreatVector` record with VectorType (Ssrf, Sqli, Xss, Rce, PathTraversal, Deserialization, TemplateInjection, AuthBypass, InfoDisclosure, Dos), Confidence, Evidence, EntryPath. |
| 5 | ENTRY-SEM-411-005 | DONE | Task 1 | Scanner Guild | Define `DataFlowBoundary` record with BoundaryType (HttpRequest, HttpResponse, FileInput, FileOutput, DatabaseQuery, MessageReceive, MessageSend, EnvironmentVar, CommandLineArg), Direction, Sensitivity. |
| 6 | ENTRY-SEM-411-006 | DONE | Task 1 | Scanner Guild | Define `SemanticConfidence` record with Score (0.0-1.0), Tier (Definitive, High, Medium, Low, Unknown), ReasoningChain (list of evidence strings). |
| 7 | ENTRY-SEM-411-007 | DONE | Tasks 1-6 | Scanner Guild | Create `ISemanticEntrypointAnalyzer` interface with `AnalyzeAsync(EntryTraceResult, LanguageAnalyzerResult, CancellationToken) -> SemanticEntrypoint`. |
| 8 | ENTRY-SEM-411-008 | DONE | Task 7 | Scanner Guild | Implement `PythonSemanticAdapter` inferring intent from: Django (WebServer), Celery (Worker), Click/Typer (CliTool), Lambda (Serverless), Flask/FastAPI (WebServer). |
| 9 | ENTRY-SEM-411-009 | DONE | Task 7 | Scanner Guild | Implement `JavaSemanticAdapter` inferring intent from: Spring Boot (WebServer), Quarkus (WebServer), Micronaut (WebServer), Kafka Streams (Worker), Main-Class patterns. |
| 10 | ENTRY-SEM-411-010 | DONE | Task 7 | Scanner Guild | Implement `NodeSemanticAdapter` inferring intent from: Express/Koa/Fastify (WebServer), CLI bin entries (CliTool), worker threads, Lambda handlers (Serverless). |
| 11 | ENTRY-SEM-411-011 | DONE | Task 7 | Scanner Guild | Implement `DotNetSemanticAdapter` inferring intent from: ASP.NET Core (WebServer), Console apps (CliTool), Worker services (Worker), Azure Functions (Serverless). |
| 12 | ENTRY-SEM-411-012 | DONE | Task 7 | Scanner Guild | Implement `GoSemanticAdapter` inferring intent from: net/http patterns (WebServer), cobra/urfave CLI (CliTool), gRPC servers, main package analysis. |
| 13 | ENTRY-SEM-411-013 | DONE | Tasks 8-12 | Scanner Guild | Create `CapabilityDetector` that analyzes imports/dependencies to infer capabilities (e.g., `import socket` -> NetworkConnect, `import os.path` -> FileRead). |
| 14 | ENTRY-SEM-411-014 | DONE | Task 13 | Scanner Guild | Create `ThreatVectorInferrer` that maps capabilities and framework patterns to likely attack vectors (e.g., WebServer + DatabaseAccess + UserInput -> Sqli risk). |
| 15 | ENTRY-SEM-411-015 | DONE | Task 13 | Scanner Guild | Create `DataBoundaryMapper` that traces data flow edges from entrypoint through framework handlers to I/O boundaries. |
| 16 | ENTRY-SEM-411-016 | DONE | Tasks 7-15 | Scanner Guild | Create `SemanticEntrypointOrchestrator` that composes adapters, detectors, and inferrers into unified semantic analysis pipeline. |
| 17 | ENTRY-SEM-411-017 | DONE | Task 16 | Scanner Guild | Integrate semantic analysis into `EntryTraceAnalyzer` post-processing, emit `SemanticEntrypoint` alongside `EntryTraceResult`. |
| 18 | ENTRY-SEM-411-018 | DONE | Task 17 | Scanner Guild | Add semantic fields to `LanguageComponentRecord`: `intent`, `capabilities[]`, `threatVectors[]`. |
| 19 | ENTRY-SEM-411-019 | DONE | Task 18 | Scanner Guild | Update richgraph-v1 schema to include semantic metadata on entrypoint nodes. |
| 20 | ENTRY-SEM-411-020 | DONE | Task 19 | Scanner Guild | Add CycloneDX and SPDX property extensions for semantic entrypoint data. |
| 21 | ENTRY-SEM-411-021 | DONE | Tasks 8-12 | QA Guild | Create test fixtures for each language semantic adapter with expected intent/capabilities. |
| 22 | ENTRY-SEM-411-022 | DONE | Task 21 | QA Guild | Add golden test suite validating semantic analysis determinism. |
| 23 | ENTRY-SEM-411-023 | DONE | Task 22 | Docs Guild | Document semantic entrypoint schema in `docs/modules/scanner/semantic-entrypoint-schema.md`. |
| 24 | ENTRY-SEM-411-024 | DONE | Task 23 | Docs Guild | Update `docs/modules/scanner/architecture.md` with semantic analysis pipeline. |
| 25 | ENTRY-SEM-411-025 | DONE | Task 24 | CLI Guild | Add `stella scan --semantic` flag and semantic output fields to JSON/table formats. |
## Wave Coordination
| Wave | Tasks | Shared Prerequisites | Status | Notes |
|------|-------|---------------------|--------|-------|
| Schema Definition | 1-6 | None | DONE | Core data structures |
| Adapter Interface | 7 | Schema frozen | DONE | Contract for language adapters |
| Language Adapters | 8-12 | Interface defined | DONE | Can run in parallel |
| Cross-Cutting Analysis | 13-15 | Adapters started | DONE | Capability/threat/boundary detection |
| Integration | 16-20 | Adapters + analysis | DONE | DI registration, schema integration, SBOM extensions |
| QA & Docs | 21-25 | Integration complete | DONE | Tests, docs, CLI flag all complete |
## Interlocks
- Schema tasks (1-6) must complete before interface task (7).
- Interface task (7) gates all language adapters (8-12).
- Language adapters can proceed in parallel.
- Cross-cutting analysis (13-15) can start once any adapter is in progress.
- Integration tasks (16-20) require most adapters complete.
- QA/Docs (21-25) can overlap with late integration.
## Upcoming Checkpoints
- 2025-12-18 - Schema freeze (tasks 1-6 complete); interface draft (task 7).
- 2025-12-23 - Language adapters midpoint (tasks 8-12 in progress); cross-cutting analysis started.
- 2025-12-27 - Integration tasks started (tasks 16-20).
- 2025-12-30 - Sprint close; semantic foundation ready.
## Action Tracker
| # | Action | Owner | Due (UTC) | Status | Notes |
|---|--------|-------|-----------|--------|-------|
| 1 | Review existing entrypoint detection code | Scanner Guild | 2025-12-16 | TODO | Understand integration points |
| 2 | Draft ApplicationIntent enum with cross-team input | Scanner Guild | 2025-12-17 | TODO | Need input from all language teams |
| 3 | Create AGENTS.md for EntryTrace module | Scanner Guild | 2025-12-16 | TODO | Implementer guidance |
| 4 | Validate semantic schema against richgraph-v1 | Platform Guild | 2025-12-18 | TODO | Ensure compatibility |
## Decisions & Risks
| ID | Risk | Impact | Mitigation / Owner |
|----|------|--------|-------------------|
| R1 | Intent enumeration incomplete | Missing application types | Start with common patterns; extend as needed; Scanner Guild |
| R2 | Capability detection false positives | Noise in attack surface | Use confidence scoring; require multiple signals; Scanner Guild |
| R3 | Schema changes after freeze | Rework in dependent sprints | Strict freeze enforcement after 2025-12-18; Planning |
| R4 | Language adapter coverage gaps | Inconsistent semantic depth | Prioritize Python/Java/Node; others can be stubs; Scanner Guild |
## Schema Preview
### SemanticEntrypoint Record
```csharp
public sealed record SemanticEntrypoint
{
public required string Id { get; init; }
public required EntrypointSpecification Specification { get; init; }
public required ApplicationIntent Intent { get; init; }
public required ImmutableArray<CapabilityClass> Capabilities { get; init; }
public required ImmutableArray<ThreatVector> AttackSurface { get; init; }
public required ImmutableArray<DataFlowBoundary> DataBoundaries { get; init; }
public required SemanticConfidence Confidence { get; init; }
public ImmutableDictionary<string, string>? Metadata { get; init; }
}
```
### ApplicationIntent Enumeration
```csharp
public enum ApplicationIntent
{
Unknown = 0,
WebServer = 1, // HTTP/HTTPS listener (Django, Express, ASP.NET)
CliTool = 2, // Command-line utility (Click, Cobra)
BatchJob = 3, // One-shot data processing
Worker = 4, // Background job processor (Celery, Sidekiq)
Serverless = 5, // FaaS handler (Lambda, Azure Functions)
Daemon = 6, // Long-running background service
InitSystem = 7, // Process manager (systemd, s6)
Supervisor = 8, // Child process supervisor
DatabaseServer = 9, // Database engine
MessageBroker = 10, // Message queue server
CacheServer = 11, // Cache/session store
ProxyGateway = 12, // Reverse proxy, API gateway
TestRunner = 13, // Test framework execution
DevServer = 14, // Development-only server
}
```
### CapabilityClass Enumeration
```csharp
[Flags]
public enum CapabilityClass : long
{
None = 0,
NetworkListen = 1 << 0, // Opens listening socket
NetworkConnect = 1 << 1, // Makes outbound connections
FileRead = 1 << 2, // Reads from filesystem
FileWrite = 1 << 3, // Writes to filesystem
ProcessSpawn = 1 << 4, // Spawns child processes
CryptoOperation = 1 << 5, // Encryption/signing operations
DatabaseAccess = 1 << 6, // Database client operations
MessageQueue = 1 << 7, // Message broker client
CacheAccess = 1 << 8, // Cache client operations
ExternalApi = 1 << 9, // External HTTP API calls
UserInput = 1 << 10, // Accepts user input
ConfigLoad = 1 << 11, // Loads configuration files
SecretAccess = 1 << 12, // Accesses secrets/credentials
LogEmit = 1 << 13, // Emits logs
MetricsEmit = 1 << 14, // Emits metrics/telemetry
SystemCall = 1 << 15, // Makes privileged syscalls
ContainerEscape = 1 << 16, // Capabilities enabling escape
KernelModule = 1 << 17, // Loads kernel modules
Ptrace = 1 << 18, // Process tracing
RawSocket = 1 << 19, // Raw network access
}
```
## Execution Log
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-13 | Created sprint from program sprint 0410; defined 25 tasks across schema, adapters, integration, QA/docs; included schema previews. | Planning |
| 2025-12-13 | Completed tasks 17-25: DI registration (AddSemanticEntryTraceAnalyzer), LanguageComponentRecord semantic fields (intent, capabilities, threatVectors), verified richgraph-v1 semantic extensions and SBOM property extensions already implemented, verified test fixtures exist, created semantic-entrypoint-schema.md documentation, updated architecture.md with semantic engine section, verified CLI --semantic flag implementation. Sprint 100% complete. | Scanner Guild |

375
docs/implplan/archived/SPRINT_3000_0001_0001_rekor_merkle_proof_verification.md Normal file
View File

@@ -0,0 +1,375 @@
# Sprint SPRINT_3000_0001_0001 · Rekor Merkle Proof Verification
**Module**: Attestor
**Working Directory**: `src/Attestor/StellaOps.Attestor`
**Priority**: P0 (Critical)
**Estimated Complexity**: Medium
**Parent Advisory**: `docs/product-advisories/14-Dec-2025 - Rekor Integration Technical Reference.md`
---
## Topic & Scope
Implement cryptographic verification of Rekor inclusion proofs to enable offline/air-gapped attestation validation. Currently, StellaOps stores inclusion proofs but does not verify them against the checkpoint root hash.
### Business Value
- **Offline Verification**: Air-gapped environments cannot query Rekor live; they must verify proofs locally
- **Tamper Detection**: Cryptographic proof verification detects log manipulation
- **Compliance**: Supply chain security standards (SLSA, SSDF) require verifiable transparency
---
### Scope
### In Scope
- `VerifyInclusionAsync` method on `IRekorClient`
- Merkle path verification algorithm (RFC 6962 compliant)
- Rekor public key loading and checkpoint signature verification
- Integration with `AttestorVerificationService`
- Offline verification mode using bundled checkpoints
### Out of Scope
- Cosign/Fulcio keyless signing integration
- Rekor search API
- New SQL tables for Rekor entries
---
## Dependencies & Concurrency
- Blocks: SPRINT_3000_0001_0003 depends on this sprint.
- Concurrency: safe to execute in parallel with SPRINT_3000_0001_0002.
---
## Documentation Prerequisites
Before starting, read:
- [ ] `docs/modules/attestor/architecture.md`
- [ ] `docs/modules/attestor/transparency.md`
- [ ] `src/Attestor/StellaOps.Attestor/AGENTS.md`
- [ ] `src/Findings/StellaOps.Findings.Ledger/Infrastructure/Merkle/MerkleTreeBuilder.cs` (reference implementation)
---
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | T1 | DONE | Update `IRekorClient` contract | Attestor Guild | Add `VerifyInclusionAsync` to `IRekorClient` interface |
| 2 | T2 | DONE | Implement RFC 6962 verifier | Attestor Guild | Implement `MerkleProofVerifier` utility class |
| 3 | T3 | DONE | Parse and verify checkpoint signatures | Attestor Guild | Implement `CheckpointSignatureVerifier` in Verification/ |
| 4 | T4 | DONE | Expose verification settings | Attestor Guild | Add `RekorVerificationOptions` in Configuration/ |
| 5 | T5 | DONE | Use verifiers in HTTP client | Attestor Guild | Implement `HttpRekorClient.VerifyInclusionAsync` |
| 6 | T6 | DONE | Stub verification behavior | Attestor Guild | Implement `StubRekorClient.VerifyInclusionAsync` |
| 7 | T6a | DONE | Freeze offline checkpoint/receipt contract | Attestor Guild · AirGap Guild | Publish canonical offline layout + schema for: tlog root key, checkpoint signature, and inclusion proof pack (docs + fixtures) |
| 8 | T6b | DONE | Add offline fixtures + validation harness | Attestor Guild | Add deterministic fixtures + parsing helpers so offline mode can be tested without network |
| 9 | T7 | DONE | Wire verification pipeline | Attestor Guild | Verification pipeline evaluates transparency proofs; offline mode skips proof/witness refresh |
| 10 | T8 | DONE | Add sealed/offline checkpoint mode | Attestor Guild | Offline receipt + checkpoint signature verification harness added; sealed/offline verification supported |
| 11 | T9 | DONE | Add unit coverage | Attestor Guild | Add unit tests for Merkle proof verification |
| 12 | T10 | DONE | Add integration coverage | Attestor Guild | RekorInclusionVerificationIntegrationTests.cs added |
| 13 | T11 | DONE | Expose verification counters | Attestor Guild | Added Rekor counters to AttestorMetrics |
| 14 | T12 | DONE | Sync docs | Attestor Guild | Added Rekor verification section to architecture.md |
---
## Unblock Task Notes (T6a/T6b)
### T6a: Freeze offline checkpoint/receipt contract
- **Goal:** define the canonical offline inputs required to verify inclusion proofs without network access.
- **Use these docs as the baseline (do not invent new shapes):**
- `docs/product-advisories/14-Dec-2025 - Rekor Integration Technical Reference.md` (§13)
- `docs/product-advisories/14-Dec-2025 - Offline and Air-Gap Technical Reference.md` (§34; `evidence/tlog/checkpoint.sig` + `entries/`)
- **Minimum deliverables:**
- A single canonical contract doc (new or existing) that answers:
- Where the **tlog public key** comes from (file path, rotation/versioning)
- Where the **signed checkpoint/tree head** lives (file path; signature format)
- Where the **inclusion proof pack** lives (file path; entry + hashes; deterministic ordering rules)
- How the checkpoint is bound to the proof pack (tree size, root hash)
- A schema file (JSON Schema) for the on-disk checkpoint/receipt shape used by Attestor offline verification.
### T6b: Offline fixtures + validation harness
- **Goal:** make offline mode testable and reproducible.
- **Minimum deliverables:**
- Deterministic fixtures committed under `src/Attestor/StellaOps.Attestor.Tests/Fixtures/` (checkpoint, pubkey, valid/invalid proof material).
- Tests that verify:
- checkpoint signature verification succeeds/fails as expected
- recomputed Merkle root matches checkpoint for valid entries and fails for tampered fixtures
- no network calls are required for offline mode
---
## Wave Coordination
- Single-wave sprint; tasks execute sequentially.
---
## Wave Detail Snapshots
### 5.1 Interface Changes
```csharp
// IRekorClient.cs - Add new method
public interface IRekorClient
{
// Existing methods...
/// <summary>
/// Verifies that a DSSE envelope is included in the Rekor transparency log.
/// </summary>
/// <param name="entry">The Rekor entry containing inclusion proof</param>
/// <param name="payloadDigest">SHA-256 digest of the DSSE payload</param>
/// <param name="rekorPublicKey">Rekor log's public key for checkpoint verification</param>
/// <param name="cancellationToken">Cancellation token</param>
/// <returns>Verification result with detailed status</returns>
Task<RekorInclusionVerificationResult> VerifyInclusionAsync(
AttestorEntry entry,
byte[] payloadDigest,
byte[] rekorPublicKey,
CancellationToken cancellationToken = default);
}
```
### 5.2 New Types
```csharp
// RekorInclusionVerificationResult.cs
public sealed class RekorInclusionVerificationResult
{
public bool Verified { get; init; }
public string? FailureReason { get; init; }
public DateTimeOffset VerifiedAt { get; init; }
public string? ComputedRootHash { get; init; }
public string? ExpectedRootHash { get; init; }
public bool CheckpointSignatureValid { get; init; }
public long? LogIndex { get; init; }
}
// MerkleProofVerifier.cs
public static class MerkleProofVerifier
{
/// <summary>
/// Verifies a Merkle inclusion proof per RFC 6962 (Certificate Transparency).
/// </summary>
public static bool VerifyInclusion(
byte[] leafHash,
long leafIndex,
long treeSize,
IReadOnlyList<byte[]> proofHashes,
byte[] expectedRootHash);
}
```
### 5.3 Merkle Proof Algorithm
RFC 6962 Section 2.1.1 defines the Merkle audit path verification:
```
1. Compute leaf hash: H(0x00 || entry)
2. Walk the proof path from leaf to root:
- For each hash in proof:
- If current index is odd: hash = H(0x01 || proof[i] || hash)
- If current index is even: hash = H(0x01 || hash || proof[i])
- index = index / 2
3. Compare final hash with checkpoint root hash
```
### 5.4 Configuration
```csharp
// AttestorOptions.cs additions
public sealed class RekorVerificationOptions
{
/// <summary>
/// Path to Rekor log public key (PEM format).
/// </summary>
public string? PublicKeyPath { get; set; }
/// <summary>
/// Inline Rekor public key (base64 PEM).
/// </summary>
public string? PublicKeyBase64 { get; set; }
/// <summary>
/// Allow verification without checkpoint signature in offline mode.
/// </summary>
public bool AllowOfflineWithoutSignature { get; set; } = false;
/// <summary>
/// Maximum age of checkpoint before requiring refresh (minutes).
/// </summary>
public int MaxCheckpointAgeMinutes { get; set; } = 60;
}
```
### 5.5 Verification Flow
```
┌─────────────────────────────────────────────────────────────┐
│ VerifyInclusionAsync │
├─────────────────────────────────────────────────────────────┤
│ 1. Extract inclusion proof from AttestorEntry │
│ - leafHash, path[], checkpoint │
│ │
│ 2. Verify checkpoint signature (if online) │
│ - Load Rekor public key │
│ - Verify ECDSA/Ed25519 signature over checkpoint │
│ │
│ 3. Compute expected leaf hash │
│ - H(0x00 || canonicalized_entry) │
│ - Compare with stored leafHash │
│ │
│ 4. Walk Merkle proof path │
│ - Apply RFC 6962 algorithm │
│ - Compute root hash │
│ │
│ 5. Compare computed root with checkpoint.rootHash │
│ - Match = inclusion verified │
│ - Mismatch = proof invalid │
│ │
│ 6. Return RekorInclusionVerificationResult │
└─────────────────────────────────────────────────────────────┘
```
---
## 6. FILE CHANGES
### New Files
| Path | Purpose |
|------|---------|
| `StellaOps.Attestor.Core/Rekor/RekorInclusionVerificationResult.cs` | Verification result model |
| `StellaOps.Attestor.Core/Verification/MerkleProofVerifier.cs` | RFC 6962 proof verification |
| `StellaOps.Attestor.Core/Verification/CheckpointVerifier.cs` | Checkpoint signature verification |
| `StellaOps.Attestor.Tests/Verification/MerkleProofVerifierTests.cs` | Unit tests |
| `StellaOps.Attestor.Tests/Verification/CheckpointVerifierTests.cs` | Unit tests |
### Modified Files
| Path | Changes |
|------|---------|
| `StellaOps.Attestor.Core/Rekor/IRekorClient.cs` | Add `VerifyInclusionAsync` |
| `StellaOps.Attestor.Core/Options/AttestorOptions.cs` | Add `RekorVerificationOptions` |
| `StellaOps.Attestor.Infrastructure/Rekor/HttpRekorClient.cs` | Implement verification |
| `StellaOps.Attestor.Infrastructure/Rekor/StubRekorClient.cs` | Implement stub verification |
| `StellaOps.Attestor.Infrastructure/Verification/AttestorVerificationService.cs` | Integrate proof verification |
| `StellaOps.Attestor.Core/Observability/AttestorMetrics.cs` | Add verification metrics |
---
## 7. TEST CASES
### Unit Tests
| Test | Description |
|------|-------------|
| `VerifyInclusion_ValidProof_ReturnsTrue` | Happy path with valid proof |
| `VerifyInclusion_InvalidLeafHash_ReturnsFalse` | Tampered leaf detection |
| `VerifyInclusion_InvalidPath_ReturnsFalse` | Corrupted path detection |
| `VerifyInclusion_WrongRootHash_ReturnsFalse` | Root mismatch detection |
| `VerifyInclusion_EmptyPath_SingleLeafTree` | Edge case: single entry log |
| `VerifyCheckpoint_ValidSignature_ReturnsTrue` | Checkpoint signature verification |
| `VerifyCheckpoint_InvalidSignature_ReturnsFalse` | Signature tampering detection |
| `VerifyCheckpoint_ExpiredKey_ReturnsError` | Key rotation handling |
### Integration Tests
| Test | Description |
|------|-------------|
| `VerifyInclusionAsync_WithMockRekor_VerifiesProof` | Full flow with mock server |
| `VerifyInclusionAsync_OfflineMode_UsesBundledCheckpoint` | Air-gap verification |
| `VerifyInclusionAsync_StaleCheckpoint_RefreshesOnline` | Checkpoint refresh logic |
### Golden Fixtures
Create test fixtures with known-good Rekor entries from public Sigstore instance:
```
src/Attestor/StellaOps.Attestor.Tests/Fixtures/
├── rekor-entry-valid.json # Valid entry with proof
├── rekor-entry-tampered-leaf.json # Tampered leaf hash
├── rekor-entry-tampered-path.json # Corrupted Merkle path
├── rekor-checkpoint-valid.txt # Signed checkpoint
└── rekor-pubkey.pem # Sigstore public key
```
---
## 8. METRICS
Add to `AttestorMetrics.cs`:
```csharp
public Counter<long> InclusionVerifyTotal { get; } // attestor.inclusion_verify_total{result=ok|failed|error}
public Histogram<double> InclusionVerifyLatency { get; } // attestor.inclusion_verify_latency_seconds
public Counter<long> CheckpointVerifyTotal { get; } // attestor.checkpoint_verify_total{result=ok|failed}
```
---
## Interlocks
- Rekor public key distribution must be configured via `AttestorOptions` and documented for offline bundles.
- Offline checkpoints must be pre-distributed; `AllowOfflineWithoutSignature` policy requires explicit operator intent.
- T6a/T6b define the concrete offline checkpoint/receipt contract and fixtures; do not implement T8 until those are published and reviewed.
---
## Upcoming Checkpoints
- TBD: record demo/checkpoint once tests + offline fixtures pass.
---
## Action Tracker
| Date (UTC) | Action | Owner | Notes |
| --- | --- | --- | --- |
| 2025-12-14 | Start sprint execution; wire verifier contracts. | Implementer | Set `T1` to `DOING`. |
---
## Decisions & Risks
| Decision | Rationale |
|----------|-----------|
| Use RFC 6962 algorithm | Industry standard for transparency logs |
| Support Ed25519 and ECDSA P-256 | Rekor uses both depending on version |
| Allow offline without signature | Enables sealed-mode operation |
| Risk | Mitigation |
|------|------------|
| Rekor key rotation | Support key version in config, document rotation procedure |
| Performance on large proofs | Proof path is O(log n), negligible overhead |
| Clock skew affecting checkpoint freshness | Configurable tolerance, warn but don't fail |
---
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-14 | Normalised sprint file to standard template sections; started implementation and moved `T1` to `DOING`. | Implementer |
| 2025-12-18 | Added unblock tasks (T6a/T6b) for offline checkpoint/receipt contract + fixtures; updated T7/T8 to be BLOCKED on them. | Project Mgmt |
| 2025-12-18 | Started T6a/T6b: drafting offline checkpoint/receipt contract and adding deterministic fixtures for offline verification. | Agent |
| 2025-12-18 | Completed T6a/T6b; published offline checkpoint/receipt contract (`docs/modules/attestor/transparency.md`) + receipt schema (`docs/schemas/rekor-receipt.schema.json`); added isolated tests in `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core.Tests/` and validated via `dotnet test src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core.Tests/StellaOps.Attestor.Core.Tests.csproj -c Release`. | Agent |
---
## 10. ACCEPTANCE CRITERIA
- [ ] `VerifyInclusionAsync` correctly verifies valid Rekor inclusion proofs
- [ ] Invalid proofs (tampered leaf, path, or root) are detected and rejected
- [ ] Checkpoint signatures are verified when Rekor public key is configured
- [ ] Offline mode works with bundled checkpoints (no network required)
- [ ] All new code has >90% test coverage
- [ ] Metrics are emitted for all verification operations
- [ ] Documentation updated in `docs/modules/attestor/transparency.md`
---
## 11. REFERENCES
- [RFC 6962: Certificate Transparency](https://datatracker.ietf.org/doc/html/rfc6962)
- [Sigstore Rekor API](https://github.com/sigstore/rekor/blob/main/openapi.yaml)
- [Rekor Checkpoint Format](https://github.com/transparency-dev/formats/blob/main/log/checkpoint.md)
- Advisory: `docs/product-advisories/14-Dec-2025 - Rekor Integration Technical Reference.md` §5, §7, §13

37
docs/implplan/archived/SPRINT_3105_0001_0001_proofspine_cbor_accept.md Normal file
View File

@@ -0,0 +1,37 @@
# Sprint 3105 · ProofSpine CBOR accept
**Status:** DONE
**Priority:** P2 - MEDIUM
**Module:** Scanner.WebService
**Working directory:** `src/Scanner/StellaOps.Scanner.WebService/`
## Topic & Scope
- Pick up deferred ProofSpine API work from `docs/implplan/archived/SPRINT_3100_0001_0001_proof_spine_system.md`:
- add support for `Accept: application/cbor` on `GET /api/v1/spines/{spineId}` and `GET /api/v1/scans/{scanId}/spines`.
- Keep outputs deterministic (canonical/stable ordering) and add tests for content negotiation.
## Dependencies & Concurrency
- No schema changes required.
- Keep scope inside Scanner WebService + its test project.
## Documentation Prerequisites
- `docs/implplan/archived/SPRINT_3100_0001_0001_proof_spine_system.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | PROOF-CBOR-3105-001 | DONE | ProofSpine endpoints | Scanner · WebService | Add `Accept: application/cbor` support to ProofSpine endpoints with deterministic encoding. |
| 2 | PROOF-CBOR-3105-002 | DONE | Encoder helper | Scanner · WebService | Add a shared CBOR encoder helper (JSON→CBOR) with stable key ordering. |
| 3 | PROOF-CBOR-3105-003 | DONE | Integration tests | Scanner · QA | Add endpoint tests validating CBOR content-type and decoding key fields. |
| 4 | PROOF-CBOR-3105-004 | DONE | Close bookkeeping | Scanner · WebService | Update local `TASKS.md`, sprint status, and execution log with evidence (test run). |
## Decisions & Risks
- **Decision:** CBOR payload shape matches JSON DTO shape (same property names).
- **Risk:** CBOR library availability on `net10.0`. **Mitigation:** use `System.Formats.Cbor` (BCL) and add package reference only if required by build.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-18 | Sprint created; started PROOF-CBOR-3105-001. | Agent |
| 2025-12-18 | Started PROOF-CBOR-3105-002..004. | Agent |
| 2025-12-18 | Completed PROOF-CBOR-3105-001..004; Scanner WebService tests green (`dotnet test src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj -c Release`). | Agent |

542
docs/implplan/archived/SPRINT_3404_0001_0001_fn_drift_tracking.md Normal file
View File

@@ -0,0 +1,542 @@
# Sprint 3404.0001.0001 - False-Negative Drift Rate Tracking
## Topic & Scope
Implement False-Negative Drift (FN-Drift) rate tracking for monitoring reclassification events:
1. **classification_history Table** - PostgreSQL schema for tracking status changes
2. **Drift Calculation Service** - Compute FN-Drift with stratification
3. **Materialized Views** - Aggregated drift statistics for dashboards
4. **Alerting Integration** - SLO alerting for drift thresholds
**Working directory:** `src/Scanner/__Libraries/StellaOps.Scanner.Storage/` and `src/Telemetry/`
## Dependencies & Concurrency
- **Depends on:** None
- **Blocking:** None
- **Safe to parallelize with:** Sprint 3401, Sprint 3402, Sprint 3403, Sprint 3405
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/db/SPECIFICATION.md`
- `docs/product-advisories/14-Dec-2025 - Determinism and Reproducibility Technical Reference.md` (Section 13.2)
- Source: `docs/db/schemas/vuln.sql`
---
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|---|---------|--------|---------------------------|--------|-----------------|
| 1 | DRIFT-3404-001 | DONE | None | DB Team | Create `classification_history` table migration |
| 2 | DRIFT-3404-002 | DONE | After #1 | DB Team | Create `fn_drift_stats` materialized view |
| 3 | DRIFT-3404-003 | DONE | After #1 | DB Team | Create indexes for classification_history queries |
| 4 | DRIFT-3404-004 | DONE | None | Scanner Team | Define `ClassificationChange` entity and `DriftCause` enum |
| 5 | DRIFT-3404-005 | DONE | After #1, #4 | Scanner Team | Implement `ClassificationHistoryRepository` |
| 6 | DRIFT-3404-006 | DONE | After #5 | Scanner Team | Implemented `ClassificationChangeTracker` service |
| 7 | DRIFT-3404-007 | DONE | After #6 | Scanner Team | Integrated FN-drift tracking on report publish/scan completion pipeline |
| 8 | DRIFT-3404-008 | DONE | After #2 | Scanner Team | Implement `FnDriftCalculator` with stratification |
| 9 | DRIFT-3404-009 | DONE | After #8 | Telemetry Team | Implemented `FnDriftMetricsExporter` with Prometheus gauges |
| 10 | DRIFT-3404-010 | DONE | After #9 | Telemetry Team | Added Prometheus alert rules for FN-drift thresholds |
| 11 | DRIFT-3404-011 | DONE | After #5 | Scanner Team | ClassificationChangeTrackerTests.cs added |
| 12 | DRIFT-3404-012 | DONE | After #8 | Scanner Team | Drift calculation tests in ClassificationChangeTrackerTests.cs |
| 13 | DRIFT-3404-013 | DONE | After #7 | QA | Added webservice tests covering FN-drift tracking integration |
| 14 | DRIFT-3404-014 | DONE | After #2 | Docs Guild | Created `docs/metrics/fn-drift.md` |
## Wave Coordination
- **Wave 1** (Parallel): Tasks #1-4 (Schema + Models)
- **Wave 2** (Sequential): Tasks #5-7 (Repository + Tracker + Integration)
- **Wave 3** (Parallel): Tasks #8-10 (Calculator + Telemetry)
- **Wave 4** (Parallel): Tasks #11-14 (Tests + Docs)
---
## Technical Specifications
### Task DRIFT-3404-001: classification_history Table
**File:** `src/Scanner/__Libraries/StellaOps.Scanner.Storage.Postgres/Migrations/V3404_001__ClassificationHistory.sql`
```sql
-- Classification history for FN-Drift tracking
-- Per advisory section 13.2
CREATE TABLE IF NOT EXISTS scanner.classification_history (
id BIGSERIAL PRIMARY KEY,
-- Artifact identification
artifact_digest TEXT NOT NULL,
vuln_id TEXT NOT NULL,
package_purl TEXT NOT NULL,
-- Scan context
tenant_id UUID NOT NULL,
manifest_id UUID NOT NULL,
execution_id UUID NOT NULL,
-- Status transition
previous_status TEXT NOT NULL, -- 'unaffected', 'unknown', 'affected', 'fixed'
new_status TEXT NOT NULL,
is_fn_transition BOOLEAN NOT NULL GENERATED ALWAYS AS (
previous_status IN ('unaffected', 'unknown') AND new_status = 'affected'
) STORED,
-- Drift cause classification
cause TEXT NOT NULL, -- 'feed_delta', 'rule_delta', 'lattice_delta', 'reachability_delta', 'engine', 'other'
cause_detail JSONB, -- Additional context (e.g., feed version, rule hash)
-- Timestamps
changed_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-- Constraints
CONSTRAINT valid_previous_status CHECK (previous_status IN ('unaffected', 'unknown', 'affected', 'fixed', 'new')),
CONSTRAINT valid_new_status CHECK (new_status IN ('unaffected', 'unknown', 'affected', 'fixed')),
CONSTRAINT valid_cause CHECK (cause IN ('feed_delta', 'rule_delta', 'lattice_delta', 'reachability_delta', 'engine', 'other'))
);
-- Indexes for common query patterns
CREATE INDEX idx_classification_history_artifact ON scanner.classification_history(artifact_digest);
CREATE INDEX idx_classification_history_tenant ON scanner.classification_history(tenant_id);
CREATE INDEX idx_classification_history_changed_at ON scanner.classification_history(changed_at);
CREATE INDEX idx_classification_history_fn_transition ON scanner.classification_history(is_fn_transition) WHERE is_fn_transition = TRUE;
CREATE INDEX idx_classification_history_cause ON scanner.classification_history(cause);
COMMENT ON TABLE scanner.classification_history IS 'Tracks vulnerability classification changes for FN-Drift analysis';
COMMENT ON COLUMN scanner.classification_history.is_fn_transition IS 'True if this was a false-negative transition (unaffected/unknown -> affected)';
COMMENT ON COLUMN scanner.classification_history.cause IS 'Stratification cause: feed_delta, rule_delta, lattice_delta, reachability_delta, engine, other';
```
**Acceptance Criteria:**
- [ ] BIGSERIAL primary key for high volume
- [ ] Generated column for FN transition detection
- [ ] Check constraints for valid status values
- [ ] Indexes for common query patterns
- [ ] Comments for schema documentation
---
### Task DRIFT-3404-002: fn_drift_stats Materialized View
**File:** `src/Scanner/__Libraries/StellaOps.Scanner.Storage.Postgres/Migrations/V3404_002__FnDriftStats.sql`
```sql
-- Materialized view for FN-Drift statistics
-- Aggregates classification_history for dashboard queries
CREATE MATERIALIZED VIEW scanner.fn_drift_stats AS
SELECT
date_trunc('day', changed_at) AS day_bucket,
tenant_id,
cause,
-- Total reclassifications
COUNT(*) AS total_reclassified,
-- FN transitions (unaffected/unknown -> affected)
COUNT(*) FILTER (WHERE is_fn_transition) AS fn_count,
-- FN-Drift rate
ROUND(
(COUNT(*) FILTER (WHERE is_fn_transition)::numeric /
NULLIF(COUNT(*), 0)) * 100, 4
) AS fn_drift_percent,
-- Stratification counts
COUNT(*) FILTER (WHERE cause = 'feed_delta') AS feed_delta_count,
COUNT(*) FILTER (WHERE cause = 'rule_delta') AS rule_delta_count,
COUNT(*) FILTER (WHERE cause = 'lattice_delta') AS lattice_delta_count,
COUNT(*) FILTER (WHERE cause = 'reachability_delta') AS reachability_delta_count,
COUNT(*) FILTER (WHERE cause = 'engine') AS engine_count,
COUNT(*) FILTER (WHERE cause = 'other') AS other_count
FROM scanner.classification_history
GROUP BY date_trunc('day', changed_at), tenant_id, cause;
-- Index for efficient queries
CREATE UNIQUE INDEX idx_fn_drift_stats_pk ON scanner.fn_drift_stats(day_bucket, tenant_id, cause);
CREATE INDEX idx_fn_drift_stats_tenant ON scanner.fn_drift_stats(tenant_id);
-- View for 30-day rolling FN-Drift (per advisory definition)
CREATE VIEW scanner.fn_drift_30d AS
SELECT
tenant_id,
SUM(fn_count) AS total_fn_transitions,
SUM(total_reclassified) AS total_evaluated,
ROUND(
(SUM(fn_count)::numeric / NULLIF(SUM(total_reclassified), 0)) * 100, 4
) AS fn_drift_30d_percent,
-- Stratification breakdown
SUM(feed_delta_count) AS feed_caused,
SUM(rule_delta_count) AS rule_caused,
SUM(lattice_delta_count) AS lattice_caused,
SUM(reachability_delta_count) AS reachability_caused,
SUM(engine_count) AS engine_caused
FROM scanner.fn_drift_stats
WHERE day_bucket >= CURRENT_DATE - INTERVAL '30 days'
GROUP BY tenant_id;
COMMENT ON MATERIALIZED VIEW scanner.fn_drift_stats IS 'Daily FN-Drift statistics, refresh periodically';
COMMENT ON VIEW scanner.fn_drift_30d IS 'Rolling 30-day FN-Drift rate per tenant';
```
**Acceptance Criteria:**
- [ ] Daily aggregation by tenant and cause
- [ ] FN-Drift percentage calculation
- [ ] Stratification breakdown
- [ ] 30-day rolling view
- [ ] Efficient indexes
---
### Task DRIFT-3404-004: Entity Definitions
**File:** `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Models/ClassificationChangeModels.cs`
```csharp
namespace StellaOps.Scanner.Storage.Models;
/// <summary>
/// Represents a classification status change for FN-Drift tracking.
/// </summary>
public sealed record ClassificationChange
{
public long Id { get; init; }
// Artifact identification
public required string ArtifactDigest { get; init; }
public required string VulnId { get; init; }
public required string PackagePurl { get; init; }
// Scan context
public required Guid TenantId { get; init; }
public required Guid ManifestId { get; init; }
public required Guid ExecutionId { get; init; }
// Status transition
public required ClassificationStatus PreviousStatus { get; init; }
public required ClassificationStatus NewStatus { get; init; }
public bool IsFnTransition => PreviousStatus is ClassificationStatus.Unaffected or ClassificationStatus.Unknown
&& NewStatus == ClassificationStatus.Affected;
// Drift cause
public required DriftCause Cause { get; init; }
public IReadOnlyDictionary<string, string>? CauseDetail { get; init; }
// Timestamp
public DateTimeOffset ChangedAt { get; init; } = DateTimeOffset.UtcNow;
}
/// <summary>
/// Classification status values.
/// </summary>
public enum ClassificationStatus
{
/// <summary>First scan, no previous status</summary>
New,
/// <summary>Confirmed not affected</summary>
Unaffected,
/// <summary>Status unknown/uncertain</summary>
Unknown,
/// <summary>Confirmed affected</summary>
Affected,
/// <summary>Previously affected, now fixed</summary>
Fixed
}
/// <summary>
/// Stratification causes for FN-Drift analysis.
/// </summary>
public enum DriftCause
{
/// <summary>Vulnerability feed updated (NVD, GHSA, OVAL)</summary>
FeedDelta,
/// <summary>Policy rules changed</summary>
RuleDelta,
/// <summary>VEX lattice state changed</summary>
LatticeDelta,
/// <summary>Reachability analysis changed</summary>
ReachabilityDelta,
/// <summary>Scanner engine change (should be ~0)</summary>
Engine,
/// <summary>Other/unknown cause</summary>
Other
}
/// <summary>
/// FN-Drift statistics for a time period.
/// </summary>
public sealed record FnDriftStats
{
public required DateOnly DayBucket { get; init; }
public required Guid TenantId { get; init; }
public required DriftCause Cause { get; init; }
public required int TotalReclassified { get; init; }
public required int FnCount { get; init; }
public required decimal FnDriftPercent { get; init; }
// Stratification counts
public required int FeedDeltaCount { get; init; }
public required int RuleDeltaCount { get; init; }
public required int LatticeDeltaCount { get; init; }
public required int ReachabilityDeltaCount { get; init; }
public required int EngineCount { get; init; }
public required int OtherCount { get; init; }
}
/// <summary>
/// 30-day rolling FN-Drift summary.
/// </summary>
public sealed record FnDrift30dSummary
{
public required Guid TenantId { get; init; }
public required int TotalFnTransitions { get; init; }
public required int TotalEvaluated { get; init; }
public required decimal FnDriftPercent { get; init; }
// Stratification breakdown
public required int FeedCaused { get; init; }
public required int RuleCaused { get; init; }
public required int LatticeCaused { get; init; }
public required int ReachabilityCaused { get; init; }
public required int EngineCaused { get; init; }
}
```
**Acceptance Criteria:**
- [ ] Immutable records
- [ ] FN transition computed property
- [ ] DriftCause enum matching SQL constraints
- [ ] 30-day summary record
---
### Task DRIFT-3404-008: FnDriftCalculator
**File:** `src/Scanner/__Libraries/StellaOps.Scanner.Core/Drift/FnDriftCalculator.cs`
```csharp
namespace StellaOps.Scanner.Core.Drift;
/// <summary>
/// Calculates FN-Drift rate with stratification.
/// </summary>
public sealed class FnDriftCalculator
{
private readonly IClassificationHistoryRepository _repository;
private readonly ILogger<FnDriftCalculator> _logger;
public FnDriftCalculator(
IClassificationHistoryRepository repository,
ILogger<FnDriftCalculator> logger)
{
_repository = repository;
_logger = logger;
}
/// <summary>
/// Computes FN-Drift for a tenant over a rolling window.
/// </summary>
/// <param name="tenantId">Tenant to calculate for</param>
/// <param name="windowDays">Rolling window in days (default: 30)</param>
/// <returns>FN-Drift summary with stratification</returns>
public async Task<FnDrift30dSummary> CalculateAsync(Guid tenantId, int windowDays = 30)
{
var since = DateTimeOffset.UtcNow.AddDays(-windowDays);
var changes = await _repository.GetChangesAsync(tenantId, since);
var fnTransitions = changes.Where(c => c.IsFnTransition).ToList();
var totalEvaluated = changes.Count;
var summary = new FnDrift30dSummary
{
TenantId = tenantId,
TotalFnTransitions = fnTransitions.Count,
TotalEvaluated = totalEvaluated,
FnDriftPercent = totalEvaluated > 0
? Math.Round((decimal)fnTransitions.Count / totalEvaluated * 100, 4)
: 0,
FeedCaused = fnTransitions.Count(c => c.Cause == DriftCause.FeedDelta),
RuleCaused = fnTransitions.Count(c => c.Cause == DriftCause.RuleDelta),
LatticeCaused = fnTransitions.Count(c => c.Cause == DriftCause.LatticeDelta),
ReachabilityCaused = fnTransitions.Count(c => c.Cause == DriftCause.ReachabilityDelta),
EngineCaused = fnTransitions.Count(c => c.Cause == DriftCause.Engine)
};
_logger.LogInformation(
"FN-Drift for tenant {TenantId}: {Percent}% ({FnCount}/{Total}), " +
"Feed={Feed}, Rule={Rule}, Lattice={Lattice}, Reach={Reach}, Engine={Engine}",
tenantId, summary.FnDriftPercent, summary.TotalFnTransitions, summary.TotalEvaluated,
summary.FeedCaused, summary.RuleCaused, summary.LatticeCaused,
summary.ReachabilityCaused, summary.EngineCaused);
return summary;
}
/// <summary>
/// Determines the drift cause for a classification change.
/// </summary>
public DriftCause DetermineCause(
ClassificationStatus previousStatus,
ClassificationStatus newStatus,
string? previousFeedVersion,
string? currentFeedVersion,
string? previousRuleHash,
string? currentRuleHash,
string? previousLatticeHash,
string? currentLatticeHash,
string? previousReachabilityHash,
string? currentReachabilityHash)
{
// Priority order: feed > rule > lattice > reachability > engine > other
if (previousFeedVersion != currentFeedVersion)
return DriftCause.FeedDelta;
if (previousRuleHash != currentRuleHash)
return DriftCause.RuleDelta;
if (previousLatticeHash != currentLatticeHash)
return DriftCause.LatticeDelta;
if (previousReachabilityHash != currentReachabilityHash)
return DriftCause.ReachabilityDelta;
// If nothing else changed, it's an engine issue (should be ~0)
return DriftCause.Engine;
}
}
```
---
### Task DRIFT-3404-009: Prometheus FN-Drift Gauges
**File:** `src/Telemetry/StellaOps.Telemetry.Core/FnDriftMetrics.cs`
```csharp
namespace StellaOps.Telemetry.Core;
/// <summary>
/// Prometheus metrics for FN-Drift tracking.
/// </summary>
public sealed class FnDriftMetrics
{
private static readonly Gauge FnDriftRateGauge = Metrics.CreateGauge(
"stellaops_fn_drift_rate_percent",
"False-Negative Drift rate (30-day rolling)",
new GaugeConfiguration { LabelNames = ["tenant_id"] });
private static readonly Gauge FnDriftCountGauge = Metrics.CreateGauge(
"stellaops_fn_drift_count",
"FN transition count (30-day rolling)",
new GaugeConfiguration { LabelNames = ["tenant_id", "cause"] });
private static readonly Counter FnTransitionCounter = Metrics.CreateCounter(
"stellaops_fn_transition_total",
"Total FN transitions (unaffected/unknown -> affected)",
new CounterConfiguration { LabelNames = ["tenant_id", "cause", "vuln_id"] });
private static readonly Counter ReclassificationCounter = Metrics.CreateCounter(
"stellaops_reclassification_total",
"Total reclassification events",
new CounterConfiguration { LabelNames = ["tenant_id", "previous_status", "new_status"] });
public void RecordFnDriftSummary(FnDrift30dSummary summary)
{
var tenantId = summary.TenantId.ToString();
FnDriftRateGauge.WithLabels(tenantId).Set((double)summary.FnDriftPercent);
FnDriftCountGauge.WithLabels(tenantId, "feed_delta").Set(summary.FeedCaused);
FnDriftCountGauge.WithLabels(tenantId, "rule_delta").Set(summary.RuleCaused);
FnDriftCountGauge.WithLabels(tenantId, "lattice_delta").Set(summary.LatticeCaused);
FnDriftCountGauge.WithLabels(tenantId, "reachability_delta").Set(summary.ReachabilityCaused);
FnDriftCountGauge.WithLabels(tenantId, "engine").Set(summary.EngineCaused);
}
public void RecordTransition(ClassificationChange change)
{
var tenantId = change.TenantId.ToString();
var cause = change.Cause.ToString().ToLowerInvariant();
ReclassificationCounter
.WithLabels(tenantId, change.PreviousStatus.ToString(), change.NewStatus.ToString())
.Inc();
if (change.IsFnTransition)
{
FnTransitionCounter.WithLabels(tenantId, cause, change.VulnId).Inc();
}
}
}
```
---
## Acceptance Criteria (Sprint-Level)
**Task DRIFT-3404-001 (Table)**
- [ ] classification_history table created
- [ ] Generated column for FN detection
- [ ] Check constraints enforced
**Task DRIFT-3404-002 (Views)**
- [ ] fn_drift_stats materialized view
- [ ] fn_drift_30d rolling view
- [ ] Stratification columns
**Task DRIFT-3404-005 (Repository)**
- [ ] CRUD operations
- [ ] Bulk insert for efficiency
**Task DRIFT-3404-006 (Tracker)**
- [ ] Tracks changes during rescan
- [ ] Determines cause
**Task DRIFT-3404-008 (Calculator)**
- [ ] 30-day rolling calculation
- [ ] Stratification breakdown
**Task DRIFT-3404-009 (Prometheus)**
- [ ] FN-Drift rate gauge
- [ ] Cause breakdown gauges
- [ ] Transition counters
---
## Decisions & Risks
| Item | Type | Owner(s) | Due | Notes |
|------|------|----------|-----|-------|
| Materialized view refresh strategy | Decision | DB Team | Before #2 | Cron vs trigger |
| High-volume insert optimization | Risk | Scanner Team | Before #7 | May need batch processing |
| Verdict-to-classification mapping | Decision | Scanner Team | With #7 | Heuristic mapping from Policy verdict diffs to classification status (documented in code) |
---
## Execution Log
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-14 | Sprint created from Determinism advisory gap analysis | Implementer |
| 2025-12-17 | Implemented scan completion integration, enabled drift view refresh+metrics export, added alert rules, and added QA tests. | Agent |
## Next Checkpoints
- None (sprint complete).

594
docs/implplan/archived/SPRINT_3405_0001_0001_gate_multipliers.md Normal file
View File

@@ -0,0 +1,594 @@
# Sprint 3405.0001.0001 - Gate Multipliers for Reachability
## Topic & Scope
Implement gate detection and multipliers for reachability scoring, reducing risk scores for code paths protected by authentication, feature flags, or configuration:
1. **Gate Detection** - Identify auth requirements, feature flags, admin-only paths in call graphs
2. **Gate Annotations** - Annotate RichGraph edges with detected gates
3. **Multiplier Application** - Apply basis-point multipliers to reachability scores
4. **ReachabilityReport Enhancement** - Include gates array in output contracts
**Working directory:** `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/` and `src/Signals/`
## Dependencies & Concurrency
- **Depends on:** Sprint 3402 (GateMultipliersBps configuration)
- **Blocking:** None
- **Safe to parallelize with:** Sprint 3403, Sprint 3404
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/scanner/architecture.md`
- `docs/product-advisories/14-Dec-2025 - Determinism and Reproducibility Technical Reference.md` (Section 2.2, 4.3)
- Source: `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/RichGraph/RichGraph.cs`
- Source: `src/Signals/StellaOps.Signals/Services/ReachabilityScoringService.cs`
---
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
|---|---------|--------|---------------------------|--------|-----------------|
| 1 | GATE-3405-001 | DONE | None | Reachability Team | Define `GateType` enum and `DetectedGate` record |
| 2 | GATE-3405-002 | DONE | None | Reachability Team | Define gate detection patterns for each language analyzer |
| 3 | GATE-3405-003 | DONE | After #1 | Reachability Team | Implement `AuthGateDetector` for authentication checks |
| 4 | GATE-3405-004 | DONE | After #1 | Reachability Team | Implement `FeatureFlagDetector` for feature flag checks |
| 5 | GATE-3405-005 | DONE | After #1 | Reachability Team | Implement `AdminOnlyDetector` for admin/role checks |
| 6 | GATE-3405-006 | DONE | After #1 | Reachability Team | Implement `ConfigGateDetector` for non-default config checks |
| 7 | GATE-3405-007 | DONE | After #3-6 | Reachability Team | Implemented `CompositeGateDetector` with parallel execution |
| 8 | GATE-3405-008 | DONE | After #7 | Reachability Team | Extend `RichGraphEdge` with `Gates` property |
| 9 | GATE-3405-009 | DONE | After #8 | Reachability Team | Integrate gate annotations into RichGraph builder/writer |
| 10 | GATE-3405-010 | DONE | After #9 | Signals Team | Implement `GateMultiplierCalculator` applying multipliers |
| 11 | GATE-3405-011 | DONE | After #10 | Signals Team | Apply gate multipliers to scoring based on edge/path gates |
| 12 | GATE-3405-012 | DONE | After #11 | Signals Team | Extend output contracts to include gates + multiplier |
| 13 | GATE-3405-013 | DONE | After #3 | Reachability Team | GateDetectionTests.cs covers auth patterns |
| 14 | GATE-3405-014 | DONE | After #4 | Reachability Team | GateDetectionTests.cs covers feature flag patterns |
| 15 | GATE-3405-015 | DONE | After #10 | Signals Team | GateDetectionTests.cs covers multiplier calculation |
| 16 | GATE-3405-016 | DONE | After #11 | QA | Add integration coverage for gate propagation + multiplier effect |
| 17 | GATE-3405-017 | DONE | After #12 | Docs Guild | Created `docs/reachability/gates.md` |
## Wave Coordination
- **Wave 1** (Parallel): Tasks #1-2 (Models + Patterns)
- **Wave 2** (Parallel): Tasks #3-6 (Individual Detectors)
- **Wave 3** (Sequential): Tasks #7-9 (Orchestration + RichGraph)
- **Wave 4** (Sequential): Tasks #10-12 (Scoring Integration)
- **Wave 5** (Parallel): Tasks #13-17 (Tests + Docs)
---
## Technical Specifications
### Task GATE-3405-001: Gate Model Definitions
**File:** `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/GateModels.cs`
```csharp
namespace StellaOps.Scanner.Reachability.Gates;
/// <summary>
/// Types of gates that can protect code paths.
/// </summary>
public enum GateType
{
/// <summary>Requires authentication (e.g., JWT, session, API key)</summary>
AuthRequired,
/// <summary>Behind a feature flag</summary>
FeatureFlag,
/// <summary>Requires admin or elevated role</summary>
AdminOnly,
/// <summary>Requires non-default configuration</summary>
NonDefaultConfig
}
/// <summary>
/// A detected gate protecting a code path.
/// </summary>
public sealed record DetectedGate
{
/// <summary>Type of gate</summary>
public required GateType Type { get; init; }
/// <summary>Human-readable description</summary>
public required string Detail { get; init; }
/// <summary>Symbol where gate was detected</summary>
public required string GuardSymbol { get; init; }
/// <summary>Source file (if available)</summary>
public string? SourceFile { get; init; }
/// <summary>Line number (if available)</summary>
public int? LineNumber { get; init; }
/// <summary>Confidence score (0.0-1.0)</summary>
public required double Confidence { get; init; }
/// <summary>Detection method used</summary>
public required string DetectionMethod { get; init; }
}
/// <summary>
/// Result of gate detection on a call path.
/// </summary>
public sealed record GateDetectionResult
{
/// <summary>All gates detected on the path</summary>
public required IReadOnlyList<DetectedGate> Gates { get; init; }
/// <summary>Whether any gates were detected</summary>
public bool HasGates => Gates.Count > 0;
/// <summary>Highest-confidence gate (if any)</summary>
public DetectedGate? PrimaryGate => Gates
.OrderByDescending(g => g.Confidence)
.FirstOrDefault();
/// <summary>Combined multiplier in basis points</summary>
public int CombinedMultiplierBps { get; init; } = 10000;
}
```
**Acceptance Criteria:**
- [ ] Four gate types per advisory
- [ ] Confidence score for detection quality
- [ ] Detection method audit trail
- [ ] Combined multiplier for multiple gates
---
### Task GATE-3405-002: Detection Patterns
**File:** `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/GatePatterns.cs`
```csharp
namespace StellaOps.Scanner.Reachability.Gates;
/// <summary>
/// Gate detection patterns for various languages and frameworks.
/// </summary>
public static class GatePatterns
{
/// <summary>
/// Authentication gate patterns by language/framework.
/// </summary>
public static readonly IReadOnlyDictionary<string, IReadOnlyList<GatePattern>> AuthPatterns = new Dictionary<string, IReadOnlyList<GatePattern>>
{
["csharp"] =
[
new GatePattern(@"\[Authorize\]", "ASP.NET Core Authorize attribute", 0.95),
new GatePattern(@"\[Authorize\(.*Roles.*\)\]", "ASP.NET Core Role-based auth", 0.95),
new GatePattern(@"\.RequireAuthorization\(\)", "Minimal API authorization", 0.90),
new GatePattern(@"User\.Identity\.IsAuthenticated", "Identity check", 0.85),
new GatePattern(@"ClaimsPrincipal", "Claims-based auth", 0.80)
],
["java"] =
[
new GatePattern(@"@PreAuthorize", "Spring Security PreAuthorize", 0.95),
new GatePattern(@"@Secured", "Spring Security Secured", 0.95),
new GatePattern(@"@RolesAllowed", "JAX-RS RolesAllowed", 0.90),
new GatePattern(@"SecurityContextHolder\.getContext\(\)", "Spring Security context", 0.85),
new GatePattern(@"HttpServletRequest\.getUserPrincipal\(\)", "Servlet principal", 0.80)
],
["javascript"] =
[
new GatePattern(@"passport\.authenticate", "Passport.js auth", 0.90),
new GatePattern(@"jwt\.verify", "JWT verification", 0.90),
new GatePattern(@"req\.isAuthenticated\(\)", "Passport isAuthenticated", 0.85),
new GatePattern(@"\.use\(.*auth.*middleware", "Auth middleware", 0.80)
],
["python"] =
[
new GatePattern(@"@login_required", "Flask/Django login required", 0.95),
new GatePattern(@"@permission_required", "Django permission required", 0.90),
new GatePattern(@"request\.user\.is_authenticated", "Django auth check", 0.85),
new GatePattern(@"jwt\.decode", "PyJWT decode", 0.85)
],
["go"] =
[
new GatePattern(@"\.Use\(.*[Aa]uth", "Auth middleware", 0.85),
new GatePattern(@"jwt\.Parse", "JWT parsing", 0.90),
new GatePattern(@"context\.Value\(.*[Uu]ser", "User context", 0.75)
]
};
/// <summary>
/// Feature flag patterns.
/// </summary>
public static readonly IReadOnlyDictionary<string, IReadOnlyList<GatePattern>> FeatureFlagPatterns = new Dictionary<string, IReadOnlyList<GatePattern>>
{
["csharp"] =
[
new GatePattern(@"IFeatureManager\.IsEnabled", "ASP.NET Feature Management", 0.95),
new GatePattern(@"\.IsFeatureEnabled\(", "Generic feature flag", 0.85),
new GatePattern(@"LaunchDarkly.*Variation", "LaunchDarkly SDK", 0.95)
],
["java"] =
[
new GatePattern(@"@FeatureToggle", "Feature toggle annotation", 0.90),
new GatePattern(@"UnleashClient\.isEnabled", "Unleash SDK", 0.95),
new GatePattern(@"LaunchDarklyClient\.boolVariation", "LaunchDarkly SDK", 0.95)
],
["javascript"] =
[
new GatePattern(@"ldClient\.variation", "LaunchDarkly JS SDK", 0.95),
new GatePattern(@"unleash\.isEnabled", "Unleash JS SDK", 0.95),
new GatePattern(@"process\.env\.FEATURE_", "Environment feature flag", 0.70)
],
["python"] =
[
new GatePattern(@"@feature_flag", "Feature flag decorator", 0.90),
new GatePattern(@"ldclient\.variation", "LaunchDarkly Python", 0.95),
new GatePattern(@"os\.environ\.get\(['\"]FEATURE_", "Env feature flag", 0.70)
]
};
/// <summary>
/// Admin/role check patterns.
/// </summary>
public static readonly IReadOnlyDictionary<string, IReadOnlyList<GatePattern>> AdminPatterns = new Dictionary<string, IReadOnlyList<GatePattern>>
{
["csharp"] =
[
new GatePattern(@"\[Authorize\(Roles\s*=\s*[""']Admin", "Admin role check", 0.95),
new GatePattern(@"\.IsInRole\([""'][Aa]dmin", "IsInRole admin", 0.90),
new GatePattern(@"Policy\s*=\s*[""']Admin", "Admin policy", 0.90)
],
["java"] =
[
new GatePattern(@"hasRole\([""']ADMIN", "Spring hasRole ADMIN", 0.95),
new GatePattern(@"@RolesAllowed\([""']admin", "Admin role allowed", 0.95)
],
["javascript"] =
[
new GatePattern(@"req\.user\.role\s*===?\s*[""']admin", "Admin role check", 0.85),
new GatePattern(@"isAdmin\(\)", "isAdmin function", 0.80)
],
["python"] =
[
new GatePattern(@"@user_passes_test\(.*is_superuser", "Django superuser", 0.95),
new GatePattern(@"@permission_required\([""']admin", "Admin permission", 0.90)
]
};
/// <summary>
/// Non-default configuration patterns.
/// </summary>
public static readonly IReadOnlyDictionary<string, IReadOnlyList<GatePattern>> ConfigPatterns = new Dictionary<string, IReadOnlyList<GatePattern>>
{
["csharp"] =
[
new GatePattern(@"IConfiguration\[.*\]\s*==\s*[""']true", "Config-gated feature", 0.75),
new GatePattern(@"options\.Value\.[A-Z].*Enabled", "Options pattern enabled", 0.80)
],
["java"] =
[
new GatePattern(@"@ConditionalOnProperty", "Spring conditional property", 0.90),
new GatePattern(@"@Value\([""']\$\{.*enabled", "Spring property enabled", 0.80)
],
["javascript"] =
[
new GatePattern(@"config\.[a-z]+\.enabled", "Config enabled check", 0.75),
new GatePattern(@"process\.env\.[A-Z_]+_ENABLED", "Env enabled flag", 0.70)
],
["python"] =
[
new GatePattern(@"settings\.[A-Z_]+_ENABLED", "Django settings enabled", 0.75),
new GatePattern(@"os\.getenv\([""'][A-Z_]+_ENABLED", "Env enabled check", 0.70)
]
};
}
/// <summary>
/// A regex pattern for gate detection.
/// </summary>
public sealed record GatePattern(string Pattern, string Description, double DefaultConfidence);
```
**Acceptance Criteria:**
- [ ] Patterns for C#, Java, JavaScript, Python, Go
- [ ] Auth, feature flag, admin, config categories
- [ ] Confidence scores per pattern
- [ ] Descriptions for audit trail
---
### Task GATE-3405-003: AuthGateDetector
**File:** `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Gates/Detectors/AuthGateDetector.cs`
```csharp
namespace StellaOps.Scanner.Reachability.Gates.Detectors;
/// <summary>
/// Detects authentication gates in code.
/// </summary>
public sealed class AuthGateDetector : IGateDetector
{
public GateType GateType => GateType.AuthRequired;
public async Task<IReadOnlyList<DetectedGate>> DetectAsync(
RichGraphNode node,
IReadOnlyList<RichGraphEdge> incomingEdges,
ICodeContentProvider codeProvider,
string language,
CancellationToken ct = default)
{
var gates = new List<DetectedGate>();
if (!GatePatterns.AuthPatterns.TryGetValue(language.ToLowerInvariant(), out var patterns))
return gates;
// Check node annotations (e.g., attributes, decorators)
foreach (var pattern in patterns)
{
var regex = new Regex(pattern.Pattern, RegexOptions.IgnoreCase);
// Check symbol annotations
if (node.Annotations != null)
{
foreach (var annotation in node.Annotations)
{
if (regex.IsMatch(annotation))
{
gates.Add(new DetectedGate
{
Type = GateType.AuthRequired,
Detail = $"Auth required: {pattern.Description}",
GuardSymbol = node.Symbol,
SourceFile = node.SourceFile,
LineNumber = node.LineNumber,
Confidence = pattern.DefaultConfidence,
DetectionMethod = $"annotation:{pattern.Pattern}"
});
}
}
}
// Check source code if available
if (node.SourceFile != null)
{
var source = await codeProvider.GetSourceAsync(node.SourceFile, ct);
if (source != null && regex.IsMatch(source))
{
gates.Add(new DetectedGate
{
Type = GateType.AuthRequired,
Detail = $"Auth required: {pattern.Description}",
GuardSymbol = node.Symbol,
SourceFile = node.SourceFile,
LineNumber = FindLineNumber(source, regex),
Confidence = pattern.DefaultConfidence * 0.9, // Slightly lower for source match
DetectionMethod = $"source:{pattern.Pattern}"
});
}
}
}
return gates;
}
private static int? FindLineNumber(string source, Regex regex)
{
var match = regex.Match(source);
if (!match.Success) return null;
var lineNumber = source[..match.Index].Count(c => c == '\n') + 1;
return lineNumber;
}
}
/// <summary>
/// Interface for gate detectors.
/// </summary>
public interface IGateDetector
{
GateType GateType { get; }
Task<IReadOnlyList<DetectedGate>> DetectAsync(
RichGraphNode node,
IReadOnlyList<RichGraphEdge> incomingEdges,
ICodeContentProvider codeProvider,
string language,
CancellationToken ct = default);
}
/// <summary>
/// Provides source code content for analysis.
/// </summary>
public interface ICodeContentProvider
{
Task<string?> GetSourceAsync(string filePath, CancellationToken ct = default);
}
```
---
### Task GATE-3405-010: GateMultiplierCalculator
**File:** `src/Signals/StellaOps.Signals/Scoring/GateMultiplierCalculator.cs`
```csharp
namespace StellaOps.Signals.Scoring;
/// <summary>
/// Calculates combined gate multiplier from detected gates.
/// </summary>
public sealed class GateMultiplierCalculator
{
private readonly GateMultipliersBps _config;
public GateMultiplierCalculator(GateMultipliersBps? config = null)
{
_config = config ?? new GateMultipliersBps();
}
/// <summary>
/// Calculates the combined multiplier for a set of gates.
/// Uses minimum (most protective) multiplier when multiple gates present.
/// </summary>
/// <param name="gates">Detected gates on the path</param>
/// <returns>Combined multiplier in basis points (0-10000)</returns>
public int CalculateMultiplierBps(IReadOnlyList<DetectedGate> gates)
{
if (gates.Count == 0)
return 10000; // No gates = full score
// Find minimum multiplier (most protective gate)
var minMultiplier = 10000;
foreach (var gate in gates)
{
var multiplier = GetMultiplierForGate(gate);
if (multiplier < minMultiplier)
minMultiplier = multiplier;
}
return minMultiplier;
}
/// <summary>
/// Gets the multiplier for a specific gate type.
/// </summary>
private int GetMultiplierForGate(DetectedGate gate)
{
return gate.Type switch
{
GateType.FeatureFlag => _config.FeatureFlag,
GateType.AuthRequired => _config.AuthRequired,
GateType.AdminOnly => _config.AdminOnly,
GateType.NonDefaultConfig => _config.NonDefaultConfig,
_ => 10000
};
}
/// <summary>
/// Applies gate multiplier to a reachability score.
/// </summary>
/// <param name="baseScore">Base reachability score (0-100)</param>
/// <param name="gates">Detected gates</param>
/// <returns>Adjusted score after gate multiplier</returns>
public int ApplyGates(int baseScore, IReadOnlyList<DetectedGate> gates)
{
var multiplierBps = CalculateMultiplierBps(gates);
return (baseScore * multiplierBps) / 10000;
}
}
```
---
### Task GATE-3405-012: Enhanced ReachabilityReport
**File:** Update `src/Signals/__Libraries/StellaOps.Signals.Contracts/ReachabilityReport.cs`
```csharp
namespace StellaOps.Signals.Contracts;
/// <summary>
/// Reachability analysis report with gate information.
/// </summary>
public sealed record ReachabilityReport
{
public required string ArtifactDigest { get; init; }
public required string GraphDigest { get; init; }
public required string VulnId { get; init; }
public required string VulnerableSymbol { get; init; }
public required IReadOnlyList<string> Entrypoints { get; init; }
/// <summary>
/// Shortest path to vulnerable code.
/// </summary>
public required ShortestPath ShortestPath { get; init; }
/// <summary>
/// Gates protecting the code path (new per advisory 4.3).
/// </summary>
public required IReadOnlyList<ReportedGate> Gates { get; init; }
public required DateTimeOffset ComputedAt { get; init; }
public required string ToolVersion { get; init; }
}
/// <summary>
/// Shortest path information.
/// </summary>
public sealed record ShortestPath
{
public required int Hops { get; init; }
public required IReadOnlyList<PathNode> Nodes { get; init; }
}
/// <summary>
/// Node in the shortest path.
/// </summary>
public sealed record PathNode
{
public required string Symbol { get; init; }
public string? File { get; init; }
public int? Line { get; init; }
}
/// <summary>
/// Gate reported in reachability output.
/// </summary>
public sealed record ReportedGate
{
public required string Type { get; init; } // "authRequired", "featureFlag", "adminOnly", "nonDefaultConfig"
public required string Detail { get; init; }
}
```
---
## Acceptance Criteria (Sprint-Level)
**Task GATE-3405-001 (Models)**
- [ ] GateType enum with 4 types
- [ ] DetectedGate with confidence
**Task GATE-3405-002 (Patterns)**
- [ ] 5 languages covered
- [ ] 4 gate categories
**Task GATE-3405-003-006 (Detectors)**
- [ ] Each detector implements IGateDetector
- [ ] Annotation and source detection
**Task GATE-3405-010 (Calculator)**
- [ ] Minimum multiplier selection
- [ ] Basis-point math
**Task GATE-3405-012 (Report)**
- [ ] Gates array in output
- [ ] Per advisory format
---
## Decisions & Risks
| Item | Type | Owner(s) | Due | Notes |
|------|------|----------|-----|-------|
| Pattern false positive rate | Risk | Reachability Team | Before #9 | May need tuning |
| Multi-language support scope | Decision | Product | Before #2 | Prioritize by customer usage |
---
## Execution Log
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-14 | Sprint created from Determinism advisory gap analysis | Implementer |
| 2025-12-18 | Restarted after accidental restore; resuming GATE-3405-009/011/012/016 implementation. | Agent |
| 2025-12-18 | Completed Signals gate multiplier scoring + evidence contracts + deterministic integration coverage (GATE-3405-011/012/016). | Agent |
| 2025-12-18 | Completed RichGraph gate annotations + JSON writer output; reachability tests green (GATE-3405-009). | Agent |
## Next Checkpoints
- None (sprint exit ready). Consider updating downstream report renderers if they need gate visualisation.

904
docs/implplan/archived/SPRINT_3410_0001_0001_epss_ingestion_storage.md Normal file
View File

@@ -0,0 +1,904 @@
# Sprint 3410.0001.0001 · EPSS Ingestion & Storage
## Topic & Scope
- Deliver deterministic EPSS v4 ingestion into Postgres (append-only history + current projection + change log).
- Support online and air-gap bundle sources with identical parsing and validation.
- Produce operator evidence (tests + runbook) proving determinism, idempotency, and partition safety.
**Sprint ID:** SPRINT_3410_0001_0001
**Implementation Plan:** IMPL_3410_epss_v4_integration_master_plan
**Phase:** Phase 1 - MVP
**Priority:** P1
**Estimated Effort:** 2 weeks
**Working Directory:** `src/Scanner/`
**Dependencies:** None (foundational)
---
## Dependencies & Concurrency
- **Depends on:** Scanner storage schema migration `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/Migrations/008_epss_integration.sql`.
- **Blocking:** SPRINT_3410_0002_0001 (Scanner integration) depends on this sprint landing.
- **Safe to parallelize with:** Determinism scoring and reachability work (no schema overlap beyond Scanner).
## Documentation Prerequisites
- `docs/modules/scanner/epss-integration.md`
- `docs/product-advisories/archive/16-Dec-2025 - Merging EPSS v4 with CVSS v4 Frameworks.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/Migrations/008_epss_integration.sql`
## Overview
Implement the **foundational EPSS v4 ingestion pipeline** for StellaOps. This sprint delivers daily automated import of EPSS (Exploit Prediction Scoring System) data from FIRST.org, storing it in a deterministic, append-only PostgreSQL schema with full provenance tracking.
### Goals
1. **Daily Automated Ingestion**: Fetch EPSS CSV from FIRST.org at 00:05 UTC
2. **Deterministic Storage**: Append-only time-series with provenance
3. **Delta Computation**: Track material changes for downstream enrichment
4. **Air-Gapped Support**: Manual import from bundles
5. **Observability**: Metrics, logs, traces for monitoring
### Non-Goals
- UI display (Sprint 3412)
- Scanner integration (Sprint 3411)
- Live enrichment of existing findings (Sprint 3413)
- Notifications (Sprint 3414)
---
## Architecture
### Component Diagram
```
┌─────────────────────────────────────────────────────────────────┐
│ Concelier WebService │
├─────────────────────────────────────────────────────────────────┤
│ │
│ ┌───────────────────────────────────────────────────────────┐ │
│ │ Scheduler Integration │ │
│ │ - Job Type: "epss.ingest" │ │
│ │ - Trigger: Daily 00:05 UTC (cron: "0 5 0 * * *") │ │
│ │ - Args: { source: "online", date: "YYYY-MM-DD" } │ │
│ └───────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌───────────────────────────────────────────────────────────┐ │
│ │ EpssIngestJob (IJob implementation) │ │
│ │ ┌─────────────────────────────────────────────────────┐ │ │
│ │ │ 1. Resolve source (online URL or bundle path) │ │ │
│ │ │ 2. Download/Read CSV.GZ file │ │ │
│ │ │ 3. Parse CSV stream (handle # comment, validate) │ │ │
│ │ │ 4. Bulk insert epss_scores (COPY protocol) │ │ │
│ │ │ 5. Compute epss_changes (delta vs epss_current) │ │ │
│ │ │ 6. Upsert epss_current (latest projection) │ │ │
│ │ │ 7. Emit outbox event: "epss.updated" │ │ │
│ │ └─────────────────────────────────────────────────────┘ │ │
│ └───────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌───────────────────────────────────────────────────────────┐ │
│ │ EpssRepository (Data Access) │ │
│ │ - CreateImportRunAsync │ │
│ │ - BulkInsertScoresAsync (NpgsqlBinaryImporter) │ │
│ │ - ComputeChangesAsync │ │
│ │ - UpsertCurrentAsync │ │
│ │ - GetLatestModelDateAsync │ │
│ └───────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌───────────────────────────────────────────────────────────┐ │
│ │ PostgreSQL (concelier schema) │ │
│ │ - epss_import_runs │ │
│ │ - epss_scores (partitioned by month) │ │
│ │ - epss_current │ │
│ │ - epss_changes (partitioned by month) │ │
│ └───────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────┘
External Dependencies:
- FIRST.org: https://epss.empiricalsecurity.com/epss_scores-YYYY-MM-DD.csv.gz
- Scheduler: Job trigger and status tracking
- Outbox: Event publishing for downstream consumers
```
### Data Flow
```
[FIRST.org CSV.GZ]
│ (HTTPS GET or manual import)
[EpssOnlineSource / EpssBundleSource]
│ (Stream download)
[EpssCsvStreamParser]
│ (Parse rows: cve, epss, percentile)
│ (Extract # comment: model version, published date)
[Staging: IAsyncEnumerable<EpssScoreRow>]
│ (Validated: score ∈ [0,1], percentile ∈ [0,1])
[EpssRepository.BulkInsertScoresAsync]
│ (NpgsqlBinaryImporter → epss_scores partition)
[EpssRepository.ComputeChangesAsync]
│ (Delta: epss_scores vs epss_current)
│ (Flags: NEW_SCORED, CROSSED_HIGH, BIG_JUMP, etc.)
[epss_changes partition]
[EpssRepository.UpsertCurrentAsync]
│ (UPDATE epss_current SET ...)
[epss_current table]
[OutboxPublisher.EnqueueAsync("epss.updated")]
```
---
## Delivery Tracker
| ID | Task | Status | Owner | Est. | Notes |
|----|------|--------|-------|------|-------|
| **EPSS-3410-001** | Database schema migration | DONE | Agent | 2h | Added `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/Migrations/008_epss_integration.sql` and `MigrationIds.cs` entry; applied via `AddStartupMigrations`. |
| **EPSS-3410-002** | Create `EpssScoreRow` DTO | DONE | Agent | 1h | `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssScoreRow.cs` |
| **EPSS-3410-003** | Implement `IEpssSource` interface | DONE | Agent | 2h | `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/IEpssSource.cs` |
| **EPSS-3410-004** | Implement `EpssOnlineSource` | DONE | Agent | 4h | `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssOnlineSource.cs` |
| **EPSS-3410-005** | Implement `EpssBundleSource` | DONE | Agent | 3h | `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssBundleSource.cs` |
| **EPSS-3410-006** | Implement `EpssCsvStreamParser` | DONE | Agent | 6h | `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssCsvStreamParser.cs` |
| **EPSS-3410-007** | Implement `EpssRepository` | DONE | Agent | 8h | `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresEpssRepository.cs` + `IEpssRepository.cs` |
| **EPSS-3410-008** | Implement `EpssChangeDetector` | DONE | Agent | 4h | `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssChangeDetector.cs` + `EpssChangeFlags.cs` |
| **EPSS-3410-009** | Implement `EpssIngestJob` | DONE | Agent | 6h | `src/Scanner/StellaOps.Scanner.Worker/Processing/EpssIngestJob.cs` - BackgroundService with retry, observability. |
| **EPSS-3410-010** | Configure Scheduler job trigger | DONE | Agent | 2h | Registered in `Program.cs` via `AddHostedService<EpssIngestJob>()` with `EpssIngestOptions` config binding. EPSS services registered in `ServiceCollectionExtensions.cs`. |
| **EPSS-3410-011** | Implement outbox event schema | DONE | Agent | 2h | `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/Events/EpssUpdatedEvent.cs` |
| **EPSS-3410-012** | Unit tests (parser, detector, flags) | DONE | Agent | 6h | `EpssCsvStreamParserTests.cs`, `EpssChangeDetectorTests.cs` |
| **EPSS-3410-013** | Integration tests (Testcontainers) | DONE | Agent | 8h | `EpssRepositoryIntegrationTests.cs` |
| **EPSS-3410-013A** | Perf harness + deterministic dataset generator | DONE | Backend | 4h | Added `src/Scanner/__Benchmarks/StellaOps.Scanner.Storage.Epss.Perf/` (deterministic generator + local run guide). |
| **EPSS-3410-013B** | CI perf runner + workflow for EPSS ingest | DONE | DevOps | 4h | Added `.gitea/workflows/epss-ingest-perf.yml` (nightly + manual; artifacts retained 90 days). |
| **EPSS-3410-014** | Performance test (300k rows) | DONE | Backend | 4h | Baseline (310k rows): `bench/results/epss-ingest-perf.local.json` total=45652ms on Windows (.NET 10.0.0, Docker Desktop, postgres:16-alpine). |
| **EPSS-3410-015** | Observability (metrics, logs, traces) | DONE | Agent | 4h | ActivitySource with tags (model_date, row_count, cve_count, duration_ms); structured logging at Info/Warning/Error levels. |
| **EPSS-3410-016** | Documentation (runbook, troubleshooting) | DONE | Agent | 3h | Added Operations Runbook (§10) to `docs/modules/scanner/epss-integration.md` with configuration, modes, manual ingestion, troubleshooting, and monitoring guidance. |
**Total Estimated Effort**: 73 hours (~2 weeks for 1 developer)
---
## Detailed Task Specifications
### EPSS-3410-001: Database Schema Migration
**Description**: Execute PostgreSQL migration to create EPSS tables.
**Deliverables**:
- Run `docs/db/migrations/concelier-epss-schema-v1.sql`
- Verify: `epss_import_runs`, `epss_scores`, `epss_current`, `epss_changes` created
- Verify: Partitions created for current month + 3 months ahead
- Verify: Indexes created
- Verify: Helper functions available
**Acceptance Criteria**:
- [ ] All tables exist in `concelier` schema
- [ ] At least 4 partitions created for each partitioned table
- [ ] Views (`epss_model_staleness`, `epss_coverage_stats`) queryable
- [ ] Functions (`ensure_epss_partitions_exist`) executable
- [ ] Schema migration tracked in `concelier.schema_migrations`
**Test Plan**:
```sql
-- Verify tables
SELECT tablename FROM pg_tables WHERE schemaname = 'concelier' AND tablename LIKE 'epss%';
-- Verify partitions
SELECT * FROM concelier.ensure_epss_partitions_exist(3);
-- Verify views
SELECT * FROM concelier.epss_model_staleness;
```
---
### EPSS-3410-002: Create EpssScoreRow DTO
**Description**: Define data transfer object for parsed CSV row.
**File**: `src/Concelier/__Libraries/StellaOps.Concelier.Epss/Models/EpssScoreRow.cs`
**Implementation**:
```csharp
namespace StellaOps.Concelier.Epss.Models;
/// <summary>
/// Represents a single row from EPSS CSV (cve, epss, percentile).
/// Immutable DTO for streaming ingestion.
/// </summary>
public sealed record EpssScoreRow
{
/// <summary>CVE identifier (e.g., "CVE-2024-12345")</summary>
public required string CveId { get; init; }
/// <summary>EPSS probability score (0.0-1.0)</summary>
public required double EpssScore { get; init; }
/// <summary>Percentile ranking (0.0-1.0)</summary>
public required double Percentile { get; init; }
/// <summary>Model date (from import context, not CSV)</summary>
public required DateOnly ModelDate { get; init; }
/// <summary>Line number in CSV (for error reporting)</summary>
public int LineNumber { get; init; }
/// <summary>
/// Validates EPSS score and percentile bounds.
/// </summary>
public bool IsValid(out string? validationError)
{
if (EpssScore < 0.0 || EpssScore > 1.0)
{
validationError = $"EPSS score {EpssScore} out of bounds [0.0, 1.0]";
return false;
}
if (Percentile < 0.0 || Percentile > 1.0)
{
validationError = $"Percentile {Percentile} out of bounds [0.0, 1.0]";
return false;
}
if (string.IsNullOrWhiteSpace(CveId) || !CveId.StartsWith("CVE-", StringComparison.Ordinal))
{
validationError = $"Invalid CVE ID: {CveId}";
return false;
}
validationError = null;
return true;
}
}
```
**Acceptance Criteria**:
- [ ] Record type with required properties
- [ ] Validation method with clear error messages
- [ ] Immutable (init-only setters)
- [ ] XML documentation comments
---
### EPSS-3410-003: Implement IEpssSource Interface
**Description**: Define abstraction for fetching EPSS CSV data.
**File**: `src/Concelier/__Libraries/StellaOps.Concelier.Epss/Sources/IEpssSource.cs`
**Implementation**:
```csharp
namespace StellaOps.Concelier.Epss.Sources;
/// <summary>
/// Source for EPSS CSV data (online or bundle).
/// </summary>
public interface IEpssSource
{
/// <summary>
/// Fetches EPSS CSV for the specified model date.
/// Returns a stream of the compressed (.gz) or decompressed CSV data.
/// </summary>
/// <param name="modelDate">Date for which EPSS scores are requested</param>
/// <param name="cancellationToken">Cancellation token</param>
/// <returns>Stream of CSV data (may be GZip compressed)</returns>
Task<EpssSourceResult> FetchAsync(DateOnly modelDate, CancellationToken cancellationToken);
}
/// <summary>
/// Result from EPSS source fetch operation.
/// </summary>
public sealed record EpssSourceResult
{
public required Stream DataStream { get; init; }
public required string SourceUri { get; init; }
public required bool IsCompressed { get; init; }
public required long SizeBytes { get; init; }
public string? ETag { get; init; }
public DateTimeOffset? LastModified { get; init; }
}
```
**Acceptance Criteria**:
- [ ] Interface defines `FetchAsync` method
- [ ] Result includes stream, URI, compression flag
- [ ] Supports both online and bundle sources via DI
---
### EPSS-3410-006: Implement EpssCsvStreamParser
**Description**: Parse EPSS CSV stream with comment line extraction and validation.
**File**: `src/Concelier/__Libraries/StellaOps.Concelier.Epss/Parsing/EpssCsvStreamParser.cs`
**Key Requirements**:
- Handle leading `# model: v2025.03.14, published: 2025-03-14` comment line
- Parse CSV header: `cve,epss,percentile`
- Stream processing (IAsyncEnumerable) for low memory footprint
- Validate each row (score/percentile bounds, CVE format)
- Report errors with line numbers
**Acceptance Criteria**:
- [ ] Extracts model version and published date from comment line
- [ ] Parses CSV rows into `EpssScoreRow`
- [ ] Validates bounds and CVE format
- [ ] Handles malformed rows gracefully (log warning, skip row)
- [ ] Streams results (IAsyncEnumerable<EpssScoreRow>)
- [ ] Unit tests cover: valid CSV, missing comment, invalid scores, malformed rows
---
### EPSS-3410-007: Implement EpssRepository
**Description**: Data access layer for EPSS tables.
**File**: `src/Concelier/__Libraries/StellaOps.Concelier.Storage.Postgres/Repositories/EpssRepository.cs`
**Methods**:
```csharp
public interface IEpssRepository
{
// Provenance
Task<Guid> CreateImportRunAsync(EpssImportRun importRun, CancellationToken ct);
Task UpdateImportRunStatusAsync(Guid importRunId, string status, string? error, CancellationToken ct);
// Bulk insert (uses NpgsqlBinaryImporter for performance)
Task<int> BulkInsertScoresAsync(Guid importRunId, IAsyncEnumerable<EpssScoreRow> rows, CancellationToken ct);
// Delta computation
Task<int> ComputeChangesAsync(DateOnly modelDate, Guid importRunId, EpssThresholds thresholds, CancellationToken ct);
// Current projection
Task<int> UpsertCurrentAsync(DateOnly modelDate, CancellationToken ct);
// Queries
Task<DateOnly?> GetLatestModelDateAsync(CancellationToken ct);
Task<EpssImportRun?> GetImportRunAsync(DateOnly modelDate, CancellationToken ct);
}
```
**Performance Requirements**:
- `BulkInsertScoresAsync`: >10k rows/second (use NpgsqlBinaryImporter)
- `ComputeChangesAsync`: <30s for 300k rows
- `UpsertCurrentAsync`: <15s for 300k rows
**Acceptance Criteria**:
- [ ] All methods implemented with Dapper + Npgsql
- [ ] `BulkInsertScoresAsync` uses `NpgsqlBinaryImporter` (not parameterized inserts)
- [ ] Transaction safety (rollback on failure)
- [ ] Integration tests with Testcontainers verify correctness and performance
---
### EPSS-3410-008: Implement EpssChangeDetector
**Description**: Compute delta and assign flags for enrichment targeting.
**File**: `src/Concelier/__Libraries/StellaOps.Concelier.Epss/Logic/EpssChangeDetector.cs`
**Flag Logic**:
```csharp
[Flags]
public enum EpssChangeFlags
{
None = 0,
NewScored = 1, // CVE appeared in EPSS for first time
CrossedHigh = 2, // Percentile crossed HighPercentile (default 95th)
BigJump = 4, // |delta_score| >= BigJumpDelta (default 0.10)
DroppedLow = 8, // Percentile dropped below LowPercentile (default 50th)
ScoreIncreased = 16, // Any positive delta
ScoreDecreased = 32 // Any negative delta
}
public sealed record EpssThresholds
{
public double HighPercentile { get; init; } = 0.95;
public double LowPercentile { get; init; } = 0.50;
public double BigJumpDelta { get; init; } = 0.10;
}
```
**SQL Implementation** (called by `ComputeChangesAsync`):
```sql
INSERT INTO concelier.epss_changes (model_date, cve_id, old_score, old_percentile, new_score, new_percentile, delta_score, delta_percentile, flags)
SELECT
@model_date AS model_date,
COALESCE(new.cve_id, old.cve_id) AS cve_id,
old.epss_score AS old_score,
old.percentile AS old_percentile,
new.epss_score AS new_score,
new.percentile AS new_percentile,
CASE WHEN old.epss_score IS NOT NULL THEN new.epss_score - old.epss_score ELSE NULL END AS delta_score,
CASE WHEN old.percentile IS NOT NULL THEN new.percentile - old.percentile ELSE NULL END AS delta_percentile,
(
CASE WHEN old.cve_id IS NULL THEN 1 ELSE 0 END | -- NEW_SCORED
CASE WHEN old.percentile < @high_percentile AND new.percentile >= @high_percentile THEN 2 ELSE 0 END | -- CROSSED_HIGH
CASE WHEN ABS(COALESCE(new.epss_score - old.epss_score, 0)) >= @big_jump_delta THEN 4 ELSE 0 END | -- BIG_JUMP
CASE WHEN old.percentile >= @low_percentile AND new.percentile < @low_percentile THEN 8 ELSE 0 END | -- DROPPED_LOW
CASE WHEN old.epss_score IS NOT NULL AND new.epss_score > old.epss_score THEN 16 ELSE 0 END | -- SCORE_INCREASED
CASE WHEN old.epss_score IS NOT NULL AND new.epss_score < old.epss_score THEN 32 ELSE 0 END -- SCORE_DECREASED
) AS flags
FROM concelier.epss_scores new
LEFT JOIN concelier.epss_current old ON new.cve_id = old.cve_id
WHERE new.model_date = @model_date
AND (
old.cve_id IS NULL OR -- New CVE
ABS(new.epss_score - old.epss_score) >= 0.001 OR -- Score changed
ABS(new.percentile - old.percentile) >= 0.001 -- Percentile changed
);
```
**Acceptance Criteria**:
- [ ] Flags computed correctly per logic above
- [ ] Unit tests cover all flag combinations
- [ ] Edge cases: first-ever ingest (all NEW_SCORED), no changes (empty result)
---
### EPSS-3410-009: Implement EpssIngestJob
**Description**: Main orchestration job for ingestion pipeline.
**File**: `src/Concelier/__Libraries/StellaOps.Concelier.Jobs/EpssIngestJob.cs`
**Pseudo-code**:
```csharp
public sealed class EpssIngestJob : IJob
{
public async Task<JobResult> ExecuteAsync(JobContext context, CancellationToken ct)
{
var args = context.Args.ToObject<EpssIngestArgs>();
var modelDate = args.Date ?? DateOnly.FromDateTime(DateTime.UtcNow.AddDays(-1));
// 1. Create import run (provenance)
var importRun = new EpssImportRun { ModelDate = modelDate, Status = "IN_PROGRESS" };
var importRunId = await _epssRepository.CreateImportRunAsync(importRun, ct);
try
{
// 2. Fetch CSV (online or bundle)
var source = args.Source == "online" ? _onlineSource : _bundleSource;
var fetchResult = await source.FetchAsync(modelDate, ct);
// 3. Parse CSV stream
var parser = new EpssCsvStreamParser(fetchResult.DataStream, modelDate);
var rows = parser.ParseAsync(ct);
// 4. Bulk insert into epss_scores
var rowCount = await _epssRepository.BulkInsertScoresAsync(importRunId, rows, ct);
// 5. Compute delta (epss_changes)
var changeCount = await _epssRepository.ComputeChangesAsync(modelDate, importRunId, _thresholds, ct);
// 6. Upsert epss_current
var currentCount = await _epssRepository.UpsertCurrentAsync(modelDate, ct);
// 7. Mark import success
await _epssRepository.UpdateImportRunStatusAsync(importRunId, "SUCCEEDED", null, ct);
// 8. Emit outbox event
await _outboxPublisher.EnqueueAsync(new EpssUpdatedEvent
{
ModelDate = modelDate,
ImportRunId = importRunId,
RowCount = rowCount,
ChangeCount = changeCount
}, ct);
return JobResult.Success($"Imported {rowCount} EPSS scores, {changeCount} changes");
}
catch (Exception ex)
{
await _epssRepository.UpdateImportRunStatusAsync(importRunId, "FAILED", ex.Message, ct);
throw;
}
}
}
```
**Acceptance Criteria**:
- [ ] Handles online and bundle sources
- [ ] Transactional (rollback on failure)
- [ ] Emits `epss.updated` event on success
- [ ] Logs progress (start, row count, duration)
- [ ] Traces with OpenTelemetry
- [ ] Metrics: `epss_ingest_duration_seconds`, `epss_ingest_rows_total`
---
### EPSS-3410-013: Integration Tests (Testcontainers)
**Description**: End-to-end ingestion test with real PostgreSQL.
**File**: `src/Concelier/__Tests/StellaOps.Concelier.Epss.Integration.Tests/EpssIngestJobIntegrationTests.cs`
**Test Cases**:
```csharp
[Fact]
public async Task IngestJob_WithValidCsv_SuccessfullyImports()
{
// Arrange: Prepare fixture CSV (~1000 rows)
var csv = CreateFixtureCsv(rowCount: 1000);
var modelDate = new DateOnly(2025, 12, 16);
// Act: Run ingestion job
var result = await _epssIngestJob.ExecuteAsync(new JobContext
{
Args = new { source = "bundle", date = modelDate }
}, CancellationToken.None);
// Assert
result.Should().BeSuccess();
var importRun = await _epssRepository.GetImportRunAsync(modelDate, CancellationToken.None);
importRun.Should().NotBeNull();
importRun!.Status.Should().Be("SUCCEEDED");
importRun.RowCount.Should().Be(1000);
var scores = await _dbContext.QueryAsync<int>(
"SELECT COUNT(*) FROM concelier.epss_scores WHERE model_date = @date",
new { date = modelDate });
scores.Single().Should().Be(1000);
var currentCount = await _dbContext.QueryAsync<int>("SELECT COUNT(*) FROM concelier.epss_current");
currentCount.Single().Should().Be(1000);
}
[Fact]
public async Task IngestJob_Idempotent_RerunSameDate_NoChange()
{
// Arrange: First ingest
await _epssIngestJob.ExecuteAsync(/*...*/);
// Act: Second ingest (same date, same data)
await Assert.ThrowsAsync<InvalidOperationException>(() =>
_epssIngestJob.ExecuteAsync(/*...*/)); // Unique constraint on model_date
// OR: If using ON CONFLICT DO NOTHING pattern
var result2 = await _epssIngestJob.ExecuteAsync(/*...*/);
result2.Should().BeSuccess("Idempotent re-run should succeed but not duplicate");
}
[Fact]
public async Task ComputeChanges_DetectsFlags_Correctly()
{
// Arrange: Day 1 - baseline
await IngestCsv(modelDate: Day1, cve1: score=0.42, percentile=0.88);
// Act: Day 2 - score jumped
await IngestCsv(modelDate: Day2, cve1: score=0.78, percentile=0.96);
// Assert: Check flags
var change = await _dbContext.QuerySingleAsync<EpssChange>(
"SELECT * FROM concelier.epss_changes WHERE model_date = @d2 AND cve_id = @cve",
new { d2 = Day2, cve = "CVE-2024-1" });
change.Flags.Should().HaveFlag(EpssChangeFlags.CrossedHigh); // 88th → 96th
change.Flags.Should().HaveFlag(EpssChangeFlags.BigJump); // Δ = 0.36
change.Flags.Should().HaveFlag(EpssChangeFlags.ScoreIncreased);
}
```
**Acceptance Criteria**:
- [ ] Tests run against Testcontainers PostgreSQL
- [ ] Fixture CSV (~1000 rows) included in test resources
- [ ] All flag combinations tested
- [ ] Idempotency verified
- [ ] Performance verified (<5s for 1000 rows)
---
### EPSS-3410-013A: Perf Harness + Deterministic Dataset Generator
**Description**: Add an offline-friendly perf harness for EPSS ingest without committing a huge static dataset.
**Deliverables**:
- Perf harness: `src/Scanner/__Benchmarks/StellaOps.Scanner.Storage.Epss.Perf/`
- Deterministic generator: 310k rows with fixed seed, stable row order, and reproducible SHA-256 hashes.
- Local run snippet (exact `dotnet run` invocation + required env vars for Testcontainers).
**Acceptance Criteria**:
- [x] Generator produces identical output across runs (same seed same SHA-256 of CSV bytes)
- [x] Perf harness runs locally in <= 5 minutes on a dev machine (budget validation happens in CI)
- [x] No network required beyond local Docker engine for Testcontainers
---
### EPSS-3410-013B: CI Perf Runner + Workflow
**Description**: Enable deterministic perf execution in CI with known hardware + reproducible logs.
**Deliverables**:
- Gitea workflow (nightly + manual): `.gitea/workflows/epss-ingest-perf.yml`
- Runner requirements documented in workflow header (Ubuntu runner label + Docker/Testcontainers support).
- Artifacts retained: perf JSON (timings + environment summary).
**Acceptance Criteria**:
- [x] CI job can spin up PostgreSQL via Testcontainers reliably
- [x] Perf test output includes total duration + phase breakdowns
- [x] Workflow runs independently (no default PR CI gating) and uploads artifacts
---
### EPSS-3410-014: Performance Test (300k rows)
**Description**: Verify ingestion meets performance budget.
**Evidence**:
- Harness: `src/Scanner/__Benchmarks/StellaOps.Scanner.Storage.Epss.Perf/README.md`
- Local baseline (2025-12-19): 310k rows total=45652ms (`bench/results/epss-ingest-perf.local.json`) with phase breakdowns in `timingsMs`.
**Acceptance Criteria**:
- [x] Synthetic 310k row dataset generated deterministically (fixed seed)
- [x] Ingestion completes within budget (<120s; local baseline 45.7s)
- [x] CI workflow publishes JSON artifacts with timings + environment metadata
---
### EPSS-3410-015: Observability (Metrics, Logs, Traces)
**Description**: Instrument ingestion pipeline with OpenTelemetry.
**Metrics** (Prometheus):
```csharp
// Counters
epss_ingest_attempts_total{source, result}
epss_ingest_rows_total{source}
epss_ingest_changes_total{source}
epss_parse_errors_total{error_type}
// Histograms
epss_ingest_duration_seconds{source, phase} // phases: fetch, parse, insert, changes, current
epss_row_processing_seconds
// Gauges
epss_latest_model_date_days_ago
epss_current_cve_count
```
**Logs** (Structured):
```json
{
"timestamp": "2025-12-17T00:07:32Z",
"level": "Information",
"message": "EPSS ingestion started",
"model_date": "2025-12-16",
"source": "online",
"import_run_id": "550e8400-e29b-41d4-a716-446655440000",
"trace_id": "abc123"
}
```
**Traces** (OpenTelemetry):
```csharp
Activity.StartActivity("epss.ingest")
.SetTag("model_date", modelDate)
.SetTag("source", source)
// Child spans: fetch, parse, insert, changes, current, outbox
```
**Acceptance Criteria**:
- [ ] All metrics exposed at `/metrics`
- [ ] Structured logs with trace correlation
- [ ] Distributed traces in Jaeger/Zipkin
- [ ] Dashboards configured (Grafana template)
---
## Configuration
### Scheduler Configuration
**File**: `etc/scheduler.yaml`
```yaml
scheduler:
jobs:
- name: epss.ingest
schedule: "0 5 0 * * *" # Daily at 00:05 UTC
worker: concelier
args:
source: online
date: null # Auto: yesterday
timeout: 600s
retry:
max_attempts: 3
backoff: exponential
initial_interval: 60s
```
### Concelier Configuration
**File**: `etc/concelier.yaml`
```yaml
concelier:
epss:
enabled: true
online_source:
base_url: "https://epss.empiricalsecurity.com/"
url_pattern: "epss_scores-{date:yyyy-MM-dd}.csv.gz"
timeout: 180s
retry:
max_attempts: 3
backoff: exponential
bundle_source:
path: "/opt/stellaops/bundles/epss/"
pattern: "epss_scores-{date:yyyy-MM-dd}.csv.gz"
thresholds:
high_percentile: 0.95
low_percentile: 0.50
big_jump_delta: 0.10
partition_management:
auto_create_months_ahead: 3
```
---
## Testing Strategy
### Unit Tests
**Files**: `src/Concelier/__Tests/StellaOps.Concelier.Epss.Tests/`
- `EpssCsvParserTests.cs`: CSV parsing, comment extraction, validation
- `EpssChangeDetectorTests.cs`: Flag logic, threshold crossing
- `EpssScoreRowTests.cs`: Validation bounds, CVE format
- `EpssThresholdsTests.cs`: Config loading, defaults
**Coverage Target**: >90%
### Integration Tests
**Files**: `src/Concelier/__Tests/StellaOps.Concelier.Epss.Integration.Tests/`
- `EpssIngestJobIntegrationTests.cs`: End-to-end ingestion
- `EpssRepositoryIntegrationTests.cs`: Data access layer
- Uses Testcontainers for PostgreSQL
**Coverage Target**: All happy path + error scenarios
### Performance Tests
**Files**: `src/Concelier/__Tests/StellaOps.Concelier.Epss.Performance.Tests/`
- `EpssIngestPerformanceTests.cs`: 310k row synthetic CSV
- Budgets: <120s total, <512MB memory
---
## Rollout Plan
### Phase 1: Development
- [ ] Schema migration executed in dev environment
- [ ] Unit tests passing
- [ ] Integration tests passing
- [ ] Performance tests passing
### Phase 2: Staging
- [ ] Manual ingestion test (bundle import)
- [ ] Online ingestion test (FIRST.org live)
- [ ] Monitor logs/metrics for 3 days
- [ ] Verify: no P1 incidents, <1% error rate
### Phase 3: Production
- [ ] Enable scheduled ingestion (00:05 UTC)
- [ ] Alert on: staleness >7 days, ingest failures, delta anomalies
- [ ] Monitor for 1 week before Sprint 3411 (Scanner integration)
---
## Decisions & Risks
- **Decision:** EPSS ingestion/storage is implemented against the Scanner schema for now; the original Concelier-first design text below is preserved for reference.
| Risk | Likelihood | Impact | Mitigation |
|------|------------|--------|------------|
| **FIRST.org downtime during ingest** | LOW | MEDIUM | Exponential backoff (3 retries), alert on failure, air-gap fallback |
| **CSV schema change (FIRST adds columns)** | LOW | HIGH | Parser handles extra columns gracefully, comment line is optional |
| **Performance degradation (>300k rows)** | LOW | MEDIUM | Partitions + indexes, NpgsqlBinaryImporter, performance tests |
| **Partition not created for future month** | LOW | MEDIUM | Auto-create via `ensure_epss_partitions_exist`, daily cron check |
| **Duplicate ingestion (scheduler bug)** | LOW | LOW | Unique constraint on `model_date`, idempotent job design |
---
## Acceptance Criteria (Sprint Exit)
- [ ] All 16 tasks completed and reviewed
- [ ] Database schema migrated (verified in dev, staging, prod)
- [ ] Unit tests: >90% coverage, all passing
- [ ] Integration tests: all scenarios passing
- [ ] Performance test: 310k rows ingested in <120s
- [ ] Observability: metrics, logs, traces verified in staging
- [ ] Scheduled job runs successfully for 3 consecutive days in staging
- [ ] Documentation: runbook completed, reviewed by ops team
- [ ] Code review: approved by 2+ engineers
- [ ] Security review: no secrets in logs, RBAC verified
---
## Dependencies for Next Sprints
**Sprint 3411 (Scanner Integration)** depends on:
- `epss_current` table populated
- `IEpssProvider` abstraction available (extended in Sprint 3411)
**Sprint 3413 (Live Enrichment)** depends on:
- `epss_changes` table populated with flags
- `epss.updated` event emitted
---
## Documentation
### Operator Runbook
**File**: `docs/modules/concelier/operations/epss-ingestion.md`
**Contents**:
- Manual trigger: `POST /api/v1/concelier/jobs/epss.ingest`
- Backfill: `POST /api/v1/concelier/jobs/epss.ingest { date: "2025-06-01" }`
- Check status: `SELECT * FROM concelier.epss_model_staleness`
- Troubleshooting:
- Ingest failure check logs, retry manually
- Staleness >7 days → alert, manual intervention
- Partition missing → run `SELECT concelier.ensure_epss_partitions_exist(6)`
### Developer Guide
**File**: `src/Concelier/__Libraries/StellaOps.Concelier.Epss/README.md`
**Contents**:
- Architecture overview
- CSV format specification
- Flag logic reference
- Extending sources (custom bundle sources)
- Testing guide
---
## Execution Log
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-17 | Normalized sprint file to standard template; aligned working directory to Scanner schema implementation; preserved original Concelier-first design text for reference. | Agent |
| 2025-12-18 | Set EPSS-3410-002..009 to DOING; begin implementing ingestion pipeline in `src/Scanner/__Libraries/StellaOps.Scanner.Storage` and Scanner Worker. | Agent |
| 2025-12-18 | Verified EPSS-3410-002..008, 012, 013 already implemented. Created EpssIngestJob (009), EpssUpdatedEvent (011). Core pipeline complete; remaining: scheduler YAML, performance test, observability, docs. | Agent |
| 2025-12-18 | Completed EPSS-3410-010: Registered EpssIngestJob in Program.cs with options binding; added EPSS services to ServiceCollectionExtensions.cs. | Agent |
| 2025-12-18 | Completed EPSS-3410-015: Verified ActivitySource tracing with model_date, row_count, cve_count, duration_ms tags; structured logging in place. | Agent |
| 2025-12-18 | Completed EPSS-3410-016: Added Operations Runbook (§10) to docs/modules/scanner/epss-integration.md covering config, online/bundle modes, manual trigger, troubleshooting, monitoring. | Agent |
| 2025-12-18 | BLOCKED EPSS-3410-014: Performance test requires CI infrastructure and 300k row dataset. BULK INSERT uses NpgsqlBinaryImporter; expected to meet <120s budget. | Agent |
| 2025-12-18 | Added unblock tasks EPSS-3410-013A/013B; EPSS-3410-014 remains BLOCKED until harness + CI perf runner/workflow are available. | Project Mgmt |
| 2025-12-19 | Set EPSS-3410-013A/013B to DOING; start perf harness + CI workflow implementation. | Agent |
| 2025-12-19 | Completed EPSS-3410-013A/013B (perf harness + CI workflow). Completed EPSS-3410-014 baseline: 310k rows total=45652ms (Windows/.NET 10.0.0, Docker Desktop, postgres:16-alpine) output at `bench/results/epss-ingest-perf.local.json`. | Agent |
## Next Checkpoints
- Monitor EPSS ingest perf via `.gitea/workflows/epss-ingest-perf.yml` (nightly + manual).
**Sprint Status**: DONE
**Approval**: _____________________ Date: ___________

151
docs/implplan/archived/SPRINT_3410_0002_0001_epss_scanner_integration.md Normal file
View File

@@ -0,0 +1,151 @@
# SPRINT_3410_0002_0001 - EPSS Scanner Integration
## Metadata
**Sprint ID:** SPRINT_3410_0002_0001
**Parent Sprint:** SPRINT_3410_0001_0001 (EPSS Ingestion & Storage)
**Priority:** P1
**Estimated Effort:** 1 week
**Working Directory:** `src/Scanner/`
**Dependencies:** SPRINT_3410_0001_0001 (EPSS Ingestion)
---
## Topic & Scope
Integrate EPSS v4 data into the Scanner WebService for vulnerability scoring and enrichment. This sprint delivers:
- EPSS-at-scan evidence attachment (immutable)
- Bulk lookup API for EPSS current scores
- Integration with unknowns ranking algorithm
- Trust lattice scoring weight configuration
**Source Advisory**: `docs/product-advisories/archive/16-Dec-2025 - Merging EPSS v4 with CVSS v4 Frameworks.md`
---
## Dependencies & Concurrency
- **Upstream**: SPRINT_3410_0001_0001 (EPSS storage must be available)
- **Parallel**: Can run in parallel with SPRINT_3410_0003_0001 (Concelier enrichment)
---
## Documentation Prerequisites
- `docs/modules/scanner/epss-integration.md` (created from advisory)
- `docs/modules/scanner/architecture.md`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/Migrations/008_epss_integration.sql`
---
## Delivery Tracker
| # | Task ID | Status | Owner | Est | Description |
|---|---------|--------|-------|-----|-------------|
| 1 | EPSS-SCAN-001 | DONE | Agent | 2h | Create Scanner EPSS database schema (008_epss_integration.sql) |
| 2 | EPSS-SCAN-002 | DONE | Agent | 2h | Create `EpssEvidence` record type |
| 3 | EPSS-SCAN-003 | DONE | Agent | 4h | Implement `IEpssProvider` interface |
| 4 | EPSS-SCAN-004 | DONE | Agent | 4h | Implement `EpssProvider` with PostgreSQL lookup |
| 5 | EPSS-SCAN-005 | DONE | Agent | 2h | Add optional Valkey cache layer |
| 6 | EPSS-SCAN-006 | DONE | Agent | 4h | Integrate EPSS into `ScanProcessor` via EpssEnrichmentStageExecutor |
| 7 | EPSS-SCAN-007 | DONE | — | 2h | Add EPSS weight to scoring configuration (EpssMultiplier in ScoreExplanationWeights) |
| 8 | EPSS-SCAN-008 | DONE | Agent | 4h | Implement `GET /epss/current` bulk lookup API |
| 9 | EPSS-SCAN-009 | DONE | Agent | 2h | Implement `GET /epss/history` time-series API |
| 10 | EPSS-SCAN-010 | DONE | Agent | 4h | Unit tests for EPSS provider (13 tests passing) |
| 11 | EPSS-SCAN-011 | DONE | Agent | 4h | Integration tests for EPSS endpoints |
| 12 | EPSS-SCAN-012 | DONE | Agent | 2h | Create EPSS integration architecture doc |
**Total Estimated Effort**: 36 hours (~1 week)
---
## Technical Specification
### EPSS-SCAN-002: EpssEvidence Record
```csharp
/// <summary>
/// Immutable EPSS evidence captured at scan time.
/// </summary>
public record EpssEvidence
{
/// <summary>EPSS probability score [0,1] at scan time.</summary>
public required double Score { get; init; }
/// <summary>EPSS percentile rank [0,1] at scan time.</summary>
public required double Percentile { get; init; }
/// <summary>EPSS model date used.</summary>
public required DateOnly ModelDate { get; init; }
/// <summary>Import run ID for provenance tracking.</summary>
public required Guid ImportRunId { get; init; }
}
```
### EPSS-SCAN-003/004: IEpssProvider Interface
```csharp
public interface IEpssProvider
{
/// <summary>
/// Get current EPSS scores for multiple CVEs in a single call.
/// </summary>
Task<IReadOnlyDictionary<string, EpssEvidence>> GetCurrentAsync(
IEnumerable<string> cveIds,
CancellationToken ct);
/// <summary>
/// Get EPSS history for a single CVE.
/// </summary>
Task<IReadOnlyList<EpssEvidence>> GetHistoryAsync(
string cveId,
int days,
CancellationToken ct);
}
```
### EPSS-SCAN-007: Scoring Configuration
Add to `PolicyScoringConfig`:
```yaml
scoring:
weights:
cvss: 0.25
epss: 0.25 # NEW
reachability: 0.25
freshness: 0.15
frequency: 0.10
epss:
high_threshold: 0.50
high_percentile: 0.95
```
---
## Execution Log
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-17 | Sprint created from advisory processing | Agent |
| 2025-12-17 | EPSS-SCAN-001: Created 008_epss_integration.sql in Scanner Storage | Agent |
| 2025-12-17 | EPSS-SCAN-012: Created docs/modules/scanner/epss-integration.md | Agent |
| 2025-12-18 | EPSS-SCAN-005: Implemented CachingEpssProvider with Valkey cache layer. Created EpssServiceCollectionExtensions for DI registration. | Agent |
| 2025-12-18 | EPSS-SCAN-011: Started integration tests for EPSS endpoints. | Agent |
| 2025-12-18 | EPSS-SCAN-011: Wired `/api/v1/epss/*` endpoints and added integration coverage; validated with `dotnet test src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj -c Release --filter FullyQualifiedName~EpssEndpointsTests`. | Agent |
| 2025-12-18 | Reviewed `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/Migrations/008_epss_integration.sql` and closed sprint checkpoints (Next Checkpoints → None). | Agent |
---
## Decisions & Risks
- **Decision**: EPSS tables are in Scanner schema for now. When Concelier EPSS sprint completes, consider migrating or federating.
- **Risk**: Partition management needs automated job. Documented in migration file.
---
## Next Checkpoints
- None (sprint complete).

262
docs/implplan/archived/SPRINT_3413_0001_0001_epss_live_enrichment.md Normal file
View File

@@ -0,0 +1,262 @@
# SPRINT_3413_0001_0001: EPSS Live Enrichment
## Sprint Metadata
| Field | Value |
|-------|-------|
| **Sprint ID** | 3413_0001_0001 |
| **Parent Plan** | IMPL_3410_epss_v4_integration_master_plan.md |
| **Phase** | Phase 2: Enrichment |
| **Working Directory** | `src/Concelier/`, `src/Scanner/` |
| **Dependencies** | Sprint 3410 (Ingestion & Storage) |
| **Original Effort** | 2 weeks |
| **Updated Effort** | 3 weeks (with advisory enhancements) |
| **Status** | DONE |
## Overview
This sprint implements live EPSS enrichment for existing vulnerability instances, including:
- Raw feed layer for deterministic replay (Layer 1)
- Signal-ready layer for tenant-scoped actionable events (Layer 3)
- Model version change detection to prevent false positives
- Efficient targeting via change flags
## Advisory Enhancements
> **Advisory Source**: "18-Dec-2025 - Designing a Layered EPSS v4 Database.md"
>
> This sprint was enhanced with 16 additional tasks from the layered EPSS database advisory:
> - R1-R4: Raw feed layer implementation
> - S1-S12: Signal-ready layer implementation
---
## Delivery Tracker
### Original Tasks (Live Enrichment)
| # | Status | Task | Notes |
|---|--------|------|-------|
| 1 | DONE | Implement `EpssEnrichmentJob` service | Created EpssEnrichmentJob.cs with background processing |
| 2 | DONE | Create `vuln_instance_triage` schema updates | Created 014_epss_triage_columns.sql with EPSS columns and batch_update_epss_triage() |
| 3 | DONE | Implement `epss_changes` flag logic | `EpssChangeFlags` enum with NEW_SCORED, CROSSED_HIGH, BIG_JUMP, DROPPED_LOW |
| 4 | DONE | Add efficient targeting filter | Added GetChangesAsync() to IEpssRepository; EpssEnrichmentJob uses flag filtering |
| 5 | DONE | Implement priority band calculation | `EpssPriorityCalculator` maps percentile to CRITICAL/HIGH/MEDIUM/LOW |
| 6 | DONE | Emit `vuln.priority.changed` event | Added IEpssSignalPublisher.PublishPriorityChangedAsync() in EpssEnrichmentJob |
| 7 | DONE | Add configurable thresholds | `EpssEnrichmentOptions` with HighPercentile, HighScore, BigJumpDelta, etc. |
| 8 | DONE | Implement bulk update optimization | Added batch_update_epss_triage() PostgreSQL function |
| 9 | DONE | Add `EpssEnrichmentOptions` configuration | Environment-specific settings in Scanner.Core.Configuration |
| 10 | DONE | Create unit tests for enrichment logic | Added `src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/Epss/EpssEnrichmentJobTests.cs` |
| 11 | DONE | Create integration tests | Added `src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/Epss/EpssSignalFlowIntegrationTests.cs` (+ Postgres fixture) |
| 12 | DONE | Add Prometheus metrics | Added `epss_enrichment_*` metrics in `src/Scanner/StellaOps.Scanner.Worker/Processing/EpssEnrichmentJob.cs` |
| 13 | DONE | Update documentation | Updated `docs/modules/scanner/epss-integration.md` (enrichment/signal config + metrics + perf) |
| 14 | DONE | Add structured logging | Structured logs for enrichment + signal jobs |
### Raw Feed Layer Tasks (R1-R4)
> **Purpose**: Immutable full payload storage for deterministic replay (~5GB/year)
| # | Status | Task | Notes |
|---|--------|------|-------|
| R1 | DONE | Create `epss_raw` table migration | `011_epss_raw_layer.sql` - Full JSONB payload storage |
| R2 | DONE | Update `EpssIngestJob` to store raw payload | Added StoreRawPayloadAsync(), converts to JSONB, stores in `epss_raw` |
| R3 | DONE | Add retention policy for raw data | `prune_epss_raw()` function in migration - Keep 365 days |
| R4 | DONE | Implement `ReplayFromRawAsync()` method | Created EpssReplayService with ReplayFromRawAsync() and ReplayRangeAsync() |
| R5 | DONE | Implement `IEpssRawRepository` interface | Created with CRUD operations |
| R6 | DONE | Implement `PostgresEpssRawRepository` | PostgreSQL implementation with DI registration |
### Signal-Ready Layer Tasks (S1-S12)
> **Purpose**: Tenant-scoped actionable events - only signals for observed CVEs
| # | Status | Task | Notes |
|---|--------|------|-------|
| S1 | DONE | Create `epss_signal` table migration | `012_epss_signal_layer.sql` - Tenant-scoped with dedupe_key |
| S2 | DONE | Implement `IEpssSignalRepository` interface | Signal CRUD operations with config support |
| S3 | DONE | Implement `PostgresEpssSignalRepository` | PostgreSQL implementation with DI registration |
| S4 | DONE | Implement `ComputeExplainHash()` | Created EpssExplainHashCalculator with deterministic SHA-256 |
| S5 | DONE | Create `EpssSignalJob` service | Created EpssSignalJob.cs with batch processing and tenant support |
| S6 | DONE | Add "observed CVEs" filter | Created IObservedCveRepository and PostgresObservedCveRepository; integrated in EpssSignalJob |
| S7 | DONE | Implement model version change detection | Added in EpssSignalJob with _lastModelVersion tracking |
| S8 | DONE | Add `MODEL_UPDATED` event type | EmitModelUpdatedSignalAsync() creates summary event |
| S9 | DONE | Connect to Notify/Router | Created IEpssSignalPublisher interface; EpssSignalJob publishes via PublishBatchAsync() |
| S10 | DONE | Add signal deduplication | Idempotent via `dedupe_key` constraint in repository |
| S11 | DONE | Unit tests for signal generation | Added `src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/Epss/EpssSignalJobTests.cs` |
| S12 | DONE | Integration tests for signal flow | Added `src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/Epss/EpssSignalFlowIntegrationTests.cs` |
| S13 | DONE | Add Prometheus metrics for signals | Added `epss_signals_emitted_total{event_type, tenant_id}` in `src/Scanner/StellaOps.Scanner.Worker/Processing/EpssSignalJob.cs` |
---
## Technical Details
### Event Types
| Event Type | Description | Trigger Condition |
|------------|-------------|-------------------|
| `RISK_SPIKE` | EPSS delta exceeds threshold | `abs(delta_score) >= big_jump_delta` (default: 0.10) |
| `BAND_CHANGE` | Risk band transition | Band changed (e.g., MEDIUM -> HIGH) |
| `NEW_HIGH` | CVE newly in high percentile | New CVE with `percentile >= high_percentile` |
| `DROPPED_LOW` | CVE dropped below threshold | `percentile < low_percentile` |
| `MODEL_UPDATED` | FIRST.org model version change | `model_version != previous_model_version` |
### Risk Bands
| Band | Percentile Threshold |
|------|---------------------|
| CRITICAL | >= 99.5% |
| HIGH | >= 99% |
| MEDIUM | >= 90% |
| LOW | < 90% |
### Model Version Change Handling
When FIRST.org updates their EPSS model (e.g., v3 -> v4), many CVE scores change significantly. To prevent alert storms:
1. Detect model version change by comparing `model_version_tag` with previous day
2. Set `is_model_change = true` on all `epss_changes` rows for that day
3. Suppress `RISK_SPIKE` and `BAND_CHANGE` signals
4. Emit single `MODEL_UPDATED` summary event per tenant instead
5. Configurable via `suppress_signals_on_model_change: true` (default)
### Explain Hash Computation
For audit trail and deterministic replay:
```csharp
public byte[] ComputeExplainHash(EpssSignalInput input)
{
var canonical = JsonSerializer.Serialize(new
{
model_date = input.ModelDate.ToString("yyyy-MM-dd"),
cve_id = input.CveId,
event_type = input.EventType,
epss_score = input.EpssScore,
percentile = input.Percentile,
old_band = input.OldBand,
new_band = input.NewBand,
thresholds = input.Thresholds
}, CanonicalJsonOptions);
return SHA256.HashData(Encoding.UTF8.GetBytes(canonical));
}
```
### Dedupe Key Format
```
{model_date}:{cve_id}:{event_type}:{old_band}->{new_band}
```
Example: `2025-12-17:CVE-2024-1234:BAND_CHANGE:MEDIUM->HIGH`
---
## Configuration
### Concelier Configuration
```yaml
# etc/concelier.yaml
concelier:
epss:
enrichment:
enabled: true
batch_size: 1000
flags_to_process:
- NEW_SCORED
- CROSSED_HIGH
- BIG_JUMP
raw_storage:
enabled: true
retention_days: 365
signals:
enabled: true
suppress_on_model_change: true
retention_days: 90
```
---
## Execution Log
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-18 | Task #1: Implemented `EpssEnrichmentJob` with batch processing, priority band calculation, and trigger mechanism | Agent |
| 2025-12-18 | R5-R6: Implemented `IEpssRawRepository` and `PostgresEpssRawRepository` for raw payload storage | Agent |
| 2025-12-18 | S2-S3: Implemented `IEpssSignalRepository` and `PostgresEpssSignalRepository` with tenant config support | Agent |
| 2025-12-18 | Registered new repositories in DI: `EpssRawRepository`, `EpssSignalRepository` | Agent |
| 2025-12-18 | Task #2: Created 014_epss_triage_columns.sql migration with EPSS columns and batch_update_epss_triage() function | Agent |
| 2025-12-18 | R2: Updated EpssIngestJob with StoreRawPayloadAsync() to store raw JSONB payload | Agent |
| 2025-12-18 | S4: Created EpssExplainHashCalculator with ComputeExplainHash() and ComputeDedupeKey() | Agent |
| 2025-12-18 | S5, S7, S8: Created EpssSignalJob with model version detection and MODEL_UPDATED event support | Agent |
| 2025-12-18 | EPSS-SCAN-006: Created EpssEnrichmentStageExecutor for scan pipeline integration | Agent |
| 2025-12-18 | R4: Created EpssReplayService with ReplayFromRawAsync() and ReplayRangeAsync() | Agent |
| 2025-12-18 | S6: Created IObservedCveRepository, PostgresObservedCveRepository; integrated tenant-scoped filtering in EpssSignalJob | Agent |
| 2025-12-18 | S9: Created IEpssSignalPublisher interface; integrated PublishBatchAsync() in EpssSignalJob | Agent |
| 2025-12-18 | Task #4: Added GetChangesAsync() to IEpssRepository; EpssEnrichmentJob uses flag-based targeting | Agent |
| 2025-12-18 | Task #6: Added PublishPriorityChangedAsync() to IEpssSignalPublisher; EpssEnrichmentJob emits events | Agent |
| 2025-12-19 | Set tasks #10-14 and S11-S13 to DOING; start tests/metrics/docs completion for enrichment and signals. | Agent |
| 2025-12-19 | Completed tasks #10-14 and S11-S13 (tests, metrics, docs). Registered `EpssEnrichmentJob` + `EpssSignalJob` as hosted services and chained triggers ingest → enrichment → signal. | Agent |
| 2025-12-19 | Verified Scanner test suite: `dotnet test src/Scanner/StellaOps.Scanner.sln -c Release --no-restore` | Agent |
---
## Exit Criteria
- [x] `EpssEnrichmentJob` updates vuln_instance_triage with current EPSS
- [x] Only instances with material changes are updated (flag-based targeting)
- [x] `vuln.priority.changed` event emitted only when band changes
- [x] Raw payload stored in `epss_raw` for replay capability
- [x] Signals emitted only for observed CVEs per tenant
- [x] Model version changes suppress noisy delta signals
- [x] Each signal has deterministic `explain_hash`
- [x] All unit and integration tests pass
- [x] Documentation updated
---
## Related Files
### New Files (Created)
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/Migrations/011_epss_raw_layer.sql`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/Migrations/012_epss_signal_layer.sql`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/Migrations/014_epss_triage_columns.sql`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Repositories/IEpssSignalRepository.cs`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Repositories/IEpssRawRepository.cs`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Repositories/IObservedCveRepository.cs`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresEpssSignalRepository.cs`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresEpssRawRepository.cs`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/PostgresObservedCveRepository.cs`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssReplayService.cs`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/IEpssSignalPublisher.cs`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/CachingEpssProvider.cs`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Epss/EpssExplainHashCalculator.cs`
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Extensions/EpssServiceCollectionExtensions.cs`
- `src/Scanner/StellaOps.Scanner.Worker/Processing/EpssEnrichmentJob.cs`
- `src/Scanner/StellaOps.Scanner.Worker/Processing/EpssEnrichmentStageExecutor.cs`
- `src/Scanner/StellaOps.Scanner.Worker/Processing/EpssSignalJob.cs`
### Existing Files Updated
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Extensions/ServiceCollectionExtensions.cs` - Added EPSS repository registrations
- `src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/Migrations/MigrationIds.cs` - Added new migration IDs
- `src/Scanner/StellaOps.Scanner.Worker/Processing/ScanStageNames.cs` - Added EpssEnrichment stage
- `src/Scanner/StellaOps.Scanner.Worker/Processing/EpssIngestJob.cs` - Added raw payload storage
- `src/Scanner/StellaOps.Scanner.Worker/Program.cs` - Registered EpssEnrichmentStageExecutor
---
## Decisions & Risks
| Decision | Rationale |
|----------|-----------|
| Full JSONB storage vs blob reference | User chose JSONB for simplicity; ~5GB/year is acceptable |
| Tenant-scoped signals | Critical for noise reduction - only observed CVEs |
| Model change suppression default | Prevents alert storms on FIRST.org model updates |
| Risk | Mitigation |
|------|------------|
| Storage growth (~5GB/year raw) | Retention policy prunes after 365 days |
| Signal table growth | Retention policy prunes after 90 days |
| False positive model change detection | Compare version strings carefully |

1372
docs/implplan/archived/SPRINT_3500_0002_0001_score_proofs_foundations.md Normal file
View File

File diff suppressed because it is too large Load Diff

1275
docs/implplan/archived/SPRINT_3500_0004_0001_smart_diff_binary_output.md Normal file
View File

File diff suppressed because it is too large Load Diff

312
docs/implplan/archived/SPRINT_3500_0010_0001_pe_full_parser.md Normal file
View File

@@ -0,0 +1,312 @@
# SPRINT_3500_0010_0001 - PE Full Parser Enhancement
**Priority:** P0 - CRITICAL
**Module:** Scanner
**Working Directory:** `src/Scanner/StellaOps.Scanner.Analyzers.Native/`
**Parent Advisory:** `18-Dec-2025 - Building Better Binary Mapping and CallStack Reachability.md`
**Dependencies:** None
---
## Objective
Extend the existing `PeImportParser.cs` to extract full PE identity information including CodeView debug data (GUID + Age), version resources, exports, and rich header for binary SBOM generation.
---
## Background
Current state:
- `PeImportParser.cs` exists but only extracts import tables
- No CodeView GUID/Age extraction (primary PE identity)
- No version resource parsing (ProductVersion, FileVersion)
- No rich header parsing (compiler fingerprinting)
The PE CodeView GUID+Age combination is the primary identity for Windows binaries, analogous to ELF GNU Build-ID.
---
## Scope
### Files to Create
| File | Purpose |
|------|---------|
| `PeReader.cs` | Full PE parser (headers, debug directory, version resources, rich header) |
| `PeIdentity.cs` | PE identity model (CodeViewGuid, CodeViewAge, ProductVersion, FileVersion) |
| `PeCompilerHint.cs` | Rich header compiler hints model |
| `PeSubsystem.cs` | PE subsystem enum (Console, GUI, Native, etc.) |
### Files to Modify
| File | Changes |
|------|---------|
| `NativeBinaryIdentity.cs` | Add PE-specific fields (CodeViewGuid, CodeViewAge, ProductVersion) |
| `NativeFormatDetector.cs` | Wire up PE full parsing |
---
## Data Models
### PeIdentity.cs
```csharp
namespace StellaOps.Scanner.Analyzers.Native;
/// <summary>
/// Full identity information extracted from a PE (Portable Executable) file.
/// </summary>
public sealed record PeIdentity(
/// <summary>Machine type (x86, x86_64, ARM64, etc.)</summary>
string? Machine,
/// <summary>Whether this is a 64-bit PE (PE32+)</summary>
bool Is64Bit,
/// <summary>PE subsystem (Console, GUI, Native, etc.)</summary>
PeSubsystem Subsystem,
/// <summary>CodeView PDB70 GUID in lowercase hex (no dashes)</summary>
string? CodeViewGuid,
/// <summary>CodeView Age field (increments on rebuild)</summary>
int? CodeViewAge,
/// <summary>Original PDB path from debug directory</summary>
string? PdbPath,
/// <summary>Product version from version resource</summary>
string? ProductVersion,
/// <summary>File version from version resource</summary>
string? FileVersion,
/// <summary>Company name from version resource</summary>
string? CompanyName,
/// <summary>Product name from version resource</summary>
string? ProductName,
/// <summary>Original filename from version resource</summary>
string? OriginalFilename,
/// <summary>Rich header hash (XOR of all entries)</summary>
uint? RichHeaderHash,
/// <summary>Compiler hints from rich header</summary>
IReadOnlyList<PeCompilerHint> CompilerHints,
/// <summary>Exported symbols from export directory</summary>
IReadOnlyList<string> Exports);
```
### PeCompilerHint.cs
```csharp
namespace StellaOps.Scanner.Analyzers.Native;
/// <summary>
/// Compiler/linker hint extracted from PE Rich Header.
/// </summary>
public sealed record PeCompilerHint(
/// <summary>Tool ID (@comp.id) - identifies the compiler/linker</summary>
ushort ToolId,
/// <summary>Tool version (@prod.id) - identifies the version</summary>
ushort ToolVersion,
/// <summary>Number of times this tool was used</summary>
int UseCount);
```
### PeSubsystem.cs
```csharp
namespace StellaOps.Scanner.Analyzers.Native;
/// <summary>
/// PE Subsystem values.
/// </summary>
public enum PeSubsystem : ushort
{
Unknown = 0,
Native = 1,
WindowsGui = 2,
WindowsConsole = 3,
OS2Console = 5,
PosixConsole = 7,
NativeWindows = 8,
WindowsCeGui = 9,
EfiApplication = 10,
EfiBootServiceDriver = 11,
EfiRuntimeDriver = 12,
EfiRom = 13,
Xbox = 14,
WindowsBootApplication = 16
}
```
---
## Implementation Details
### PeReader.cs Structure
```csharp
namespace StellaOps.Scanner.Analyzers.Native;
/// <summary>
/// Full PE file reader with identity extraction.
/// </summary>
public static class PeReader
{
/// <summary>
/// Parse a PE file and extract full identity information.
/// </summary>
public static PeParseResult? Parse(Stream stream, string path, string? layerDigest = null);
/// <summary>
/// Try to extract just the identity without full parsing.
/// </summary>
public static bool TryExtractIdentity(Stream stream, out PeIdentity? identity);
// Internal methods:
// - ParseDosHeader() - DOS stub validation
// - ParseCoffHeader() - Machine type, characteristics
// - ParseOptionalHeader() - Subsystem, data directories
// - ParseDebugDirectory() - CodeView GUID+Age extraction
// - ParseVersionResource() - Version info extraction
// - ParseRichHeader() - Compiler hints
// - ParseExportDirectory() - Exported symbols
}
```
### CodeView GUID Extraction
The CodeView GUID is found in the debug directory:
1. Read `IMAGE_DEBUG_DIRECTORY` from Data Directory index 6
2. Find entry with `Type == IMAGE_DEBUG_TYPE_CODEVIEW` (2)
3. Read `CV_INFO_PDB70` structure:
- `CvSignature` (4 bytes) - Must be "RSDS" (0x53445352)
- `Guid` (16 bytes) - The unique identifier
- `Age` (4 bytes) - Increments on rebuild
- `PdbFileName` (null-terminated string)
Format GUID as lowercase hex without dashes: `a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6`
### Rich Header Extraction
The Rich Header is a Microsoft compiler/linker fingerprint:
1. Search for "Rich" signature (0x68636952) before PE header
2. XOR key follows "Rich" signature (4 bytes)
3. Decrypt backwards to find "DanS" marker (0x536E6144)
4. Each entry is 8 bytes: `(prodId << 16 | toolId)` and `useCount`
---
## Delivery Tracker
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | PE-001 | DONE | Create PeIdentity.cs data model |
| 2 | PE-002 | DONE | Create PeCompilerHint.cs data model |
| 3 | PE-003 | DONE | Create PeSubsystem.cs enum (already existed in PeDeclaredDependency.cs) |
| 4 | PE-004 | DONE | Create PeReader.cs skeleton |
| 5 | PE-005 | DONE | Implement DOS header validation |
| 6 | PE-006 | DONE | Implement COFF header parsing |
| 7 | PE-007 | DONE | Implement Optional header parsing |
| 8 | PE-008 | DONE | Implement Debug directory parsing |
| 9 | PE-009 | DONE | Implement CodeView GUID extraction |
| 10 | PE-010 | DONE | Implement Version resource parsing |
| 11 | PE-011 | DONE | Implement Rich header parsing |
| 12 | PE-012 | DONE | Implement Export directory parsing |
| 13 | PE-013 | DONE | Update NativeBinaryIdentity.cs |
| 14 | PE-014 | DONE | Update NativeFormatDetector.cs |
| 15 | PE-015 | DONE | Create PeReaderTests.cs unit tests |
| 16 | PE-016 | DONE | Add golden fixtures (MSVC, MinGW, Clang PEs) |
| 17 | PE-017 | DONE | Verify deterministic output |
---
## Test Requirements
### Unit Tests: `PeReaderTests.cs`
1. **CodeView GUID extraction**
- Test with MSVC-compiled PE (standard format)
- Test with MinGW-compiled PE (may lack CodeView)
- Test with Clang-compiled PE (LLVM format)
- Test 32-bit vs 64-bit handling
2. **Version resource parsing**
- Test ProductVersion/FileVersion extraction
- Test CompanyName/ProductName extraction
- Test Unicode vs ANSI strings
3. **Rich header parsing**
- Test with MSVC-linked PE (has rich header)
- Test with MinGW-linked PE (no rich header)
- Verify compiler hint extraction
4. **Export directory**
- Test DLL with exports
- Test EXE without exports
- Verify ordinal handling
### Golden Fixtures
| Fixture | Source | Purpose |
|---------|--------|---------|
| `kernel32.dll` | Windows System32 | Standard system DLL with rich header |
| `notepad.exe` | Windows System32 | Standard GUI app |
| `cmd.exe` | Windows System32 | Console app |
| `mingw-hello.exe` | MinGW compile | No rich header case |
| `clang-hello.exe` | Clang/LLVM compile | LLVM debug format |
---
## Acceptance Criteria
- [x] CodeView GUID + Age extracted from debug directory
- [x] Version resources parsed (ProductVersion, FileVersion, CompanyName)
- [x] Rich header parsed for compiler hints (when present)
- [x] Exports directory enumerated (for DLLs)
- [x] 32-bit and 64-bit PE files handled correctly
- [x] Deterministic output (same file = same identity)
- [x] Graceful handling of malformed/truncated PEs
- [x] All unit tests passing
---
## Decisions & Risks
| Decision | Rationale |
|----------|-----------|
| No external PE library | Keep dependencies minimal, full control over parsing |
| Lowercase hex for GUID | Consistent with ELF build-id formatting |
| Rich header optional | Not all compilers emit it (MinGW, Clang without MSVC compat) |
| Risk | Mitigation |
|------|------------|
| Malformed PE crashes | Defensive parsing with bounds checking |
| Large export tables | Limit to first 10,000 exports |
| Version resource encoding | Handle both Unicode and ANSI |
---
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-18 | Implemented PE-001 through PE-015, PE-017: Created PeIdentity.cs, PeCompilerHint.cs, full PeReader.cs with CodeView GUID extraction, Rich header parsing, version resource parsing, export directory parsing. Updated NativeBinaryIdentity.cs with PE-specific fields. Updated NativeFormatDetector.cs to wire up PeReader. Created comprehensive PeReaderTests.cs with 20+ test cases. | Agent |
| 2025-12-19 | Completed PE-016: added deterministic toolchain-like fixtures (MSVC/MinGW/Clang) via `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Tests/Fixtures/PeBuilder.cs` and expanded `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Tests/PeReaderTests.cs` to validate CodeView GUID+Age, version strings, Rich header hints, and exports; ran `dotnet test src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Tests/StellaOps.Scanner.Analyzers.Native.Tests.csproj -c Release --no-restore` (pass). | Agent |
---
## References
- [PE Format Documentation](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format)
- [CodeView Debug Information](https://github.com/Microsoft/microsoft-pdb)
- [Rich Header Analysis](https://bytepointer.com/resources/microsoft_rich_header.htm)

325
docs/implplan/archived/SPRINT_3500_0010_0002_macho_full_parser.md Normal file
View File

@@ -0,0 +1,325 @@
# SPRINT_3500_0010_0002 - Mach-O Full Parser Enhancement
**Priority:** P0 - CRITICAL
**Module:** Scanner
**Working Directory:** `src/Scanner/StellaOps.Scanner.Analyzers.Native/`
**Parent Advisory:** `18-Dec-2025 - Building Better Binary Mapping and CallStack Reachability.md`
**Dependencies:** None
---
## Objective
Extend the existing `MachOLoadCommandParser.cs` to extract full Mach-O identity including LC_UUID, code signing information (LC_CODE_SIGNATURE), and build version (LC_BUILD_VERSION) for binary SBOM generation.
---
## Background
Current state:
- `MachOLoadCommandParser.cs` exists but only extracts load commands for dependencies
- No LC_UUID extraction (primary Mach-O identity)
- No LC_CODE_SIGNATURE parsing (TeamId, CDHash)
- No LC_BUILD_VERSION parsing (platform, SDK version)
- No fat binary (universal) handling
The LC_UUID is the primary identity for macOS/iOS binaries, analogous to ELF GNU Build-ID.
---
## Scope
### Files to Create
| File | Purpose |
|------|---------|
| `MachOReader.cs` | Full Mach-O parser (headers, load commands, code signature) |
| `MachOIdentity.cs` | Mach-O identity model (Uuid, Platform, CodeSignature) |
| `MachOCodeSignature.cs` | Code signing info (TeamId, CdHash, Entitlements) |
| `MachOPlatform.cs` | Platform enum (macOS, iOS, tvOS, watchOS, etc.) |
### Files to Modify
| File | Changes |
|------|---------|
| `NativeBinaryIdentity.cs` | Add Mach-O specific fields (MachOUuid, Platform, CdHash) |
| `MachOLoadCommandParser.cs` | Refactor to use new reader infrastructure |
---
## Data Models
### MachOIdentity.cs
```csharp
namespace StellaOps.Scanner.Analyzers.Native;
/// <summary>
/// Full identity information extracted from a Mach-O file.
/// </summary>
public sealed record MachOIdentity(
/// <summary>CPU type (x86_64, arm64, etc.)</summary>
string? CpuType,
/// <summary>CPU subtype for variant detection</summary>
uint CpuSubtype,
/// <summary>LC_UUID in lowercase hex (no dashes)</summary>
string? Uuid,
/// <summary>Whether this is a fat/universal binary</summary>
bool IsFatBinary,
/// <summary>Platform from LC_BUILD_VERSION</summary>
MachOPlatform Platform,
/// <summary>Minimum OS version from LC_VERSION_MIN_* or LC_BUILD_VERSION</summary>
string? MinOsVersion,
/// <summary>SDK version from LC_BUILD_VERSION</summary>
string? SdkVersion,
/// <summary>Code signature information (if signed)</summary>
MachOCodeSignature? CodeSignature,
/// <summary>Exported symbols from LC_DYLD_INFO_ONLY or LC_DYLD_EXPORTS_TRIE</summary>
IReadOnlyList<string> Exports);
```
### MachOCodeSignature.cs
```csharp
namespace StellaOps.Scanner.Analyzers.Native;
/// <summary>
/// Code signature information from LC_CODE_SIGNATURE.
/// </summary>
public sealed record MachOCodeSignature(
/// <summary>Team identifier (10-character Apple team ID)</summary>
string? TeamId,
/// <summary>Signing identifier (usually bundle ID)</summary>
string? SigningId,
/// <summary>Code Directory hash (SHA-256, lowercase hex)</summary>
string? CdHash,
/// <summary>Whether hardened runtime is enabled</summary>
bool HasHardenedRuntime,
/// <summary>Entitlements keys (not values, for privacy)</summary>
IReadOnlyList<string> Entitlements);
```
### MachOPlatform.cs
```csharp
namespace StellaOps.Scanner.Analyzers.Native;
/// <summary>
/// Mach-O platform values from LC_BUILD_VERSION.
/// </summary>
public enum MachOPlatform : uint
{
Unknown = 0,
MacOS = 1,
iOS = 2,
TvOS = 3,
WatchOS = 4,
BridgeOS = 5,
MacCatalyst = 6,
iOSSimulator = 7,
TvOSSimulator = 8,
WatchOSSimulator = 9,
DriverKit = 10,
VisionOS = 11,
VisionOSSimulator = 12
}
```
---
## Implementation Details
### MachOReader.cs Structure
```csharp
namespace StellaOps.Scanner.Analyzers.Native;
/// <summary>
/// Full Mach-O file reader with identity extraction.
/// </summary>
public static class MachOReader
{
/// <summary>
/// Parse a Mach-O file and extract full identity information.
/// For fat binaries, returns identities for all slices.
/// </summary>
public static MachOParseResult? Parse(Stream stream, string path, string? layerDigest = null);
/// <summary>
/// Try to extract just the identity without full parsing.
/// </summary>
public static bool TryExtractIdentity(Stream stream, out MachOIdentity? identity);
/// <summary>
/// Parse a fat binary and return all slice identities.
/// </summary>
public static IReadOnlyList<MachOIdentity> ParseFatBinary(Stream stream);
// Internal methods:
// - ParseMachHeader() - Magic, CPU type, file type
// - ParseLoadCommands() - Iterate all load commands
// - ParseLcUuid() - Extract LC_UUID
// - ParseLcBuildVersion() - Platform and SDK version
// - ParseLcVersionMin() - Legacy min version commands
// - ParseLcCodeSignature() - Code signature blob
// - ParseCodeDirectory() - CDHash and identifiers
// - ParseEntitlements() - Entitlements plist
}
```
### LC_UUID Extraction
LC_UUID is a 16-byte unique identifier:
1. Find load command with `cmd == LC_UUID` (0x1b)
2. Read 16 bytes after the command header
3. Format as lowercase hex without dashes: `a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6`
### Code Signature Parsing
LC_CODE_SIGNATURE points to a code signature blob:
1. Find load command with `cmd == LC_CODE_SIGNATURE` (0x1d)
2. Read `dataoff` and `datasize` to locate blob
3. Parse SuperBlob structure:
- Find CodeDirectory (magic 0xfade0c02)
- Extract TeamId from CodeDirectory
- Extract SigningId (identifier field)
- Compute CDHash as SHA-256 of CodeDirectory
4. Find Entitlements blob (magic 0xfade7171)
- Parse plist and extract keys only
### Fat Binary Handling
Fat binaries (universal) contain multiple architectures:
1. Check magic: 0xcafebabe (big-endian) or 0xbebafeca (little-endian)
2. Read `nfat_arch` count
3. For each architecture:
- Read `fat_arch` structure (cpu_type, cpu_subtype, offset, size)
- Parse embedded Mach-O at offset
4. Return list of all slice identities
---
## Delivery Tracker
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | MACH-001 | DONE | Create MachOIdentity.cs data model |
| 2 | MACH-002 | DONE | Create MachOCodeSignature.cs data model |
| 3 | MACH-003 | DONE | Create MachOPlatform.cs enum |
| 4 | MACH-004 | DONE | Create MachOReader.cs skeleton |
| 5 | MACH-005 | DONE | Implement Mach header parsing (32/64-bit) |
| 6 | MACH-006 | DONE | Implement Fat binary detection and parsing |
| 7 | MACH-007 | DONE | Implement LC_UUID extraction |
| 8 | MACH-008 | DONE | Implement LC_BUILD_VERSION parsing |
| 9 | MACH-009 | DONE | Implement LC_VERSION_MIN_* parsing |
| 10 | MACH-010 | DONE | Implement LC_CODE_SIGNATURE parsing |
| 11 | MACH-011 | DONE | Implement CodeDirectory parsing |
| 12 | MACH-012 | DONE | Implement CDHash computation |
| 13 | MACH-013 | DONE | Implement Entitlements extraction |
| 14 | MACH-014 | DONE | Implement LC_DYLD_INFO export extraction |
| 15 | MACH-015 | DONE | Update NativeBinaryIdentity.cs |
| 16 | MACH-016 | DONE | Refactor NativeFormatDetector.cs to use MachOReader |
| 17 | MACH-017 | DONE | Create MachOReaderTests.cs unit tests (26 tests) |
| 18 | MACH-018 | DONE | Add golden fixtures (signed/unsigned binaries) |
| 19 | MACH-019 | DONE | Verify deterministic output |
---
## Test Requirements
### Unit Tests: `MachOReaderTests.cs`
1. **LC_UUID extraction**
- Test single-arch binary
- Test fat binary (multiple UUIDs)
- Test binary without UUID (rare)
2. **Code signature parsing**
- Test Apple-signed binary (TeamId present)
- Test ad-hoc signed binary (no TeamId)
- Test unsigned binary (no signature)
- Test hardened runtime detection
3. **Platform detection**
- Test macOS binary
- Test iOS binary
- Test Catalyst binary
- Test legacy binaries (LC_VERSION_MIN_*)
4. **Fat binary handling**
- Test x86_64 + arm64 universal
- Test arm64 + arm64e universal
- Single-arch in fat container
### Golden Fixtures
| Fixture | Source | Purpose |
|---------|--------|---------|
| `ls` | macOS /bin/ls | Standard signed CLI tool |
| `Safari.app/Contents/MacOS/Safari` | macOS Apps | Signed GUI app with entitlements |
| `libSystem.B.dylib` | macOS /usr/lib | System library |
| `unsigned-hello` | Local compile | Unsigned binary |
| `adhoc-signed` | codesign -s - | Ad-hoc signed (no TeamId) |
| `universal-binary` | lipo -create | Fat binary test |
---
## Acceptance Criteria
- [x] LC_UUID extracted and formatted consistently
- [x] LC_CODE_SIGNATURE parsed for TeamId and CDHash
- [x] LC_BUILD_VERSION parsed for platform info
- [x] Fat binary handling with per-slice UUIDs
- [x] Legacy LC_VERSION_MIN_* commands supported
- [x] Entitlements keys extracted (not values)
- [x] 32-bit and 64-bit Mach-O handled correctly
- [x] Deterministic output
- [x] All unit tests passing (26 tests)
---
## Execution Log
| Date | Update | Owner |
|------|--------|-------|
| 2025-12-18 | Created MachOPlatform.cs, MachOCodeSignature.cs, MachOIdentity.cs, MachOReader.cs. Updated NativeBinaryIdentity.cs and NativeFormatDetector.cs. Created MachOReaderTests.cs with 26 tests. All tests pass. 17/19 tasks DONE. | Agent |
| 2025-12-19 | Completed MACH-014/MACH-018: implemented exports trie parsing for LC_DYLD_INFO(_ONLY)/LC_DYLD_EXPORTS_TRIE in `src/Scanner/StellaOps.Scanner.Analyzers.Native/MachOReader.cs`, fixed CodeDirectory team-id extraction bounds, and added deterministic signed/unsigned + exports fixtures in `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Tests/MachOReaderTests.cs`; ran `dotnet test src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Tests/StellaOps.Scanner.Analyzers.Native.Tests.csproj -c Release --no-restore` (pass). | Agent |
---
## Decisions & Risks
| Decision | Rationale |
|----------|-----------|
| Extract entitlement keys only | Avoid exposing sensitive entitlement values |
| CDHash as SHA-256 | Modern standard, ignore SHA-1 hashes |
| Lowercase hex for UUID | Consistent with ELF build-id formatting |
| Risk | Mitigation |
|------|------------|
| Unsigned binaries common | Gracefully handle missing signature |
| Fat binary complexity | Test with various architecture combinations |
| Endianness issues | Fat headers are big-endian, Mach headers are native |
---
## References
- [Mach-O File Format Reference](https://github.com/apple-oss-distributions/xnu/blob/main/EXTERNAL_HEADERS/mach-o/loader.h)
- [Code Signing Guide](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/)
- [codesign man page](https://keith.github.io/xcode-man-pages/codesign.1.html)

82
docs/implplan/archived/SPRINT_3500_0011_0001_buildid_mapping_index.md Normal file
View File

@@ -0,0 +1,82 @@
# Sprint 3500.0011.0001 · Build-ID Mapping Index
## Topic & Scope
- Provide an offline-capable index mapping native Build-IDs (ELF GNU build-id, PE CodeView GUID+Age, Mach-O UUID) to PURLs for binary identification in distroless/scratch images.
- Implement deterministic NDJSON loading + batch lookup, plus DSSE signature verification bound to an index SHA-256 digest.
- Working directory: `src/Scanner/StellaOps.Scanner.Analyzers.Native/Index/`.
- Evidence: tests in `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Tests/Index/OfflineBuildIdIndexTests.cs` and `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Tests/Index/OfflineBuildIdIndexSignatureTests.cs`.
## Dependencies & Concurrency
- Depends on: `docs/implplan/SPRINT_3500_0010_0001_pe_full_parser.md` and `docs/implplan/SPRINT_3500_0010_0002_macho_full_parser.md` (full Build-ID extraction coverage).
- Safe to execute in parallel with Emit/Worker integration sprints; this sprint is scoped to the index library surface and test coverage.
## Documentation Prerequisites
- `docs/modules/scanner/architecture.md`
- Parent advisory: `docs/product-advisories/18-Dec-2025 - Building Better Binary Mapping and Call-Stack Reachability.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | BID-001 | DONE | — | Scanner Guild | Create `IBuildIdIndex` interface. |
| 2 | BID-002 | DONE | — | Scanner Guild | Create `BuildIdLookupResult` model. |
| 3 | BID-003 | DONE | — | Scanner Guild | Create `BuildIdIndexOptions`. |
| 4 | BID-004 | DONE | — | Scanner Guild | Implement `OfflineBuildIdIndex` NDJSON loader. |
| 5 | BID-005 | DONE | — | Scanner Guild | Deterministic NDJSON parsing (skip comments/blank lines). |
| 6 | BID-006 | DONE | — | Scanner Guild | Implement DSSE verification + SHA-256 digest binding for the index. |
| 7 | BID-007 | DONE | — | Scanner Guild | Implement batch lookup. |
| 8 | BID-008 | DONE | — | Scanner Guild | Add `BuildIdIndexPath` + `RequireBuildIdIndexSignature` to `OfflineKitOptions`. |
| 9 | BID-009 | DONE | — | Scanner Guild | Unit tests. |
| 10 | BID-010 | DONE | — | Scanner Guild | Integration tests (DSSE envelope generation + verification). |
## Wave Coordination
- Single wave.
## Wave Detail Snapshots
### Files
| File | Purpose |
| --- | --- |
| `IBuildIdIndex.cs` | Index interface |
| `BuildIdLookupResult.cs` | Lookup result model |
| `BuildIdIndexOptions.cs` | Configuration |
| `BuildIdIndexEntry.cs` | NDJSON schema |
| `OfflineBuildIdIndex.cs` | NDJSON loader + DSSE verification |
### Index Format (NDJSON)
```json
{"build_id":"gnu-build-id:abc123...", "purl":"pkg:deb/debian/libc6@2.31?arch=amd64", "distro":"debian", "confidence":"exact", "indexed_at":"2025-01-15T10:00:00Z"}
```
### Acceptance Criteria
- [x] Index loads from configured path
- [x] DSSE signature verified before use (when enabled)
- [x] Lookup returns PURL for known build-ids
- [x] Unknown build-ids return null (not throw)
- [x] Batch lookup efficient for many binaries
## Interlocks
- DSSE verification must align with offline-kit trust roots and ProofSpine crypto profile configuration.
## Upcoming Checkpoints
- None scheduled.
## Action Tracker
| Date (UTC) | Action | Owner | Notes |
| --- | --- | --- | --- |
| 2025-12-19 | Close BID sprint + normalize sprint doc | Agent | Verified `dotnet test src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Native.Tests/StellaOps.Scanner.Analyzers.Native.Tests.csproj -c Release --no-restore` (pass). |
## Decisions & Risks
### Decisions
- Require `outcome.IsValid` and `outcome.IsTrusted` for Build-ID index DSSE verification; bind the index content by verifying the payload SHA-256 matches the computed index SHA-256.
### Risks
| Risk | Mitigation |
| --- | --- |
| Hosts must configure ProofSpine DSSE trust to load a signed index when `RequireSignature=true`. | Document required configuration in host runbooks; ensure hosts register `IDsseSigningService` and bind index path/signature settings. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-18 | Created index interface/models/options and NDJSON loader; added unit tests; progressed initial tracker items. | Agent |
| 2025-12-19 | Added trusted DSSE verification + SHA-256 digest binding; added DSSE-focused tests. | Agent |
| 2025-12-19 | Normalized sprint file to standard template; no semantic changes. | Agent |

90
docs/implplan/archived/SPRINT_3500_0012_0001_binary_sbom_emission.md Normal file
View File

@@ -0,0 +1,90 @@
# Sprint 3500.0012.0001 · Binary SBOM Component Emission
## Topic & Scope
- Emit native binaries as CycloneDX/SPDX file-level components with build identifiers.
- Resolve PURLs via Build-ID index when available; fall back to deterministic `pkg:generic` with build-id qualifiers.
- Working directory: `src/Scanner/__Libraries/StellaOps.Scanner.Emit/Native/`.
## Dependencies & Concurrency
- Depends on: `docs/implplan/SPRINT_3500_0011_0001_buildid_mapping_index.md` (Build-ID index contract and lookup semantics).
- Safe to execute in parallel with other Scanner modules; this sprint is scoped to SBOM emission.
## Documentation Prerequisites
- `docs/modules/scanner/architecture.md`
- Parent advisory: `18-Dec-2025 - Building Better Binary Mapping and Callâ€Stack Reachability.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | BSE-001 | DONE | — | Scanner Guild | Create `INativeComponentEmitter`. |
| 2 | BSE-002 | DONE | — | Scanner Guild | Create `NativeComponentEmitter`. |
| 3 | BSE-003 | DONE | — | Scanner Guild | Create `NativePurlBuilder`. |
| 4 | BSE-004 | DONE | — | Scanner Guild | Create `NativeComponentMapper` (layer fragment generation). |
| 5 | BSE-005 | DONE | — | Scanner Guild | Add `NativeBinaryMetadata` (includes imports/exports and format-specific fields). |
| 6 | BSE-006 | DONE | — | Scanner Guild | Update `CycloneDxComposer` via `LayerComponentMapping.ToFragment()`. |
| 7 | BSE-007 | DONE | — | Scanner Guild | Emit `stellaops:binary.*` properties in `ToComponentRecord()`. |
| 8 | BSE-008 | DONE | — | Scanner Guild | Unit tests (native emitter). |
| 9 | BSE-009 | DONE | — | Scanner Guild | Integration tests (end-to-end: emit → fragments → CycloneDX). |
## Wave Coordination
- Single wave.
## Wave Detail Snapshots
### Files
| File | Purpose |
|------|---------|
| `Native/INativeComponentEmitter.cs` | Emitter interface |
| `Native/NativeComponentEmitter.cs` | Binary → component mapping |
| `Native/NativePurlBuilder.cs` | PURL generation |
| `Native/NativeComponentMapper.cs` | Layer fragment generation |
### Data Model (excerpt)
```csharp
public sealed record NativeBinaryMetadata {
public required string Format { get; init; } // elf, pe, macho
public required string? BuildId { get; init; } // gnu-build-id:..., codeview:..., uuid:...
public string? Architecture { get; init; }
public IReadOnlyDictionary<string, string>? HardeningFlags { get; init; }
}
```
### PURL Generation
- Index match: `pkg:deb/debian/libc6@2.31?arch=amd64`
- No match: `pkg:generic/libssl.so.3@unknown?build-id=gnu-build-id:abc123`
### Test Evidence
- Integration test: `src/Scanner/__Tests/StellaOps.Scanner.Emit.Tests/Native/NativeBinarySbomIntegrationTests.cs`
### Acceptance Criteria
- [x] Native binaries appear as `file` type components
- [x] Build-ID included in component properties
- [x] Index-resolved binaries get correct PURL
- [x] Unresolved binaries get `pkg:generic` with build-id qualifier
- [x] Layer-aware: tracks which layer introduced binary
## Interlocks
- `stellaops:firstLayerDigest`/`stellaops:lastLayerDigest`/`stellaops:layerDigests` property semantics must remain consistent with `LayerComponentFragment` merge behavior.
## Upcoming Checkpoints
- None scheduled.
## Action Tracker
| Date (UTC) | Action | Owner | Notes |
| --- | --- | --- | --- |
| 2025-12-19 | Close BSE-009 and normalize sprint doc | Agent | Added end-to-end integration test; validated in Release. |
## Decisions & Risks
### Decisions
- Use sorted/normalized property emission for deterministic CycloneDX output.
### Risks
| Risk | Mitigation |
| --- | --- |
| Build-ID index confidence/metadata drift may affect PURL resolution stability. | Keep confidence and source distro recorded as component properties; ensure deterministic fallback to `pkg:generic` when unresolved. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-18 | Created `NativeBinaryMetadata`, `NativePurlBuilder`, `INativeComponentEmitter`, `NativeComponentEmitter`. Added 22 unit tests. | Agent |
| 2025-12-19 | Started BSE-009 integration tests for native binary SBOM emission (end-to-end: emit → fragments → CycloneDX). | Agent |
| 2025-12-19 | Completed BSE-009: added end-to-end integration test coverage for native binaries (file components, build-id, PURL resolution, layer provenance). Ran `dotnet test src/Scanner/__Tests/StellaOps.Scanner.Emit.Tests/StellaOps.Scanner.Emit.Tests.csproj -c Release --no-restore` (pass). | Agent |

68
docs/implplan/archived/SPRINT_3500_0014_0001_native_analyzer_integration.md Normal file
View File

@@ -0,0 +1,68 @@
# Sprint 3500.0014.0001 · Native Analyzer Dispatcher Integration
## Topic & Scope
- Wire native binary discovery + SBOM emission into `CompositeScanAnalyzerDispatcher` for automatic execution during container scans.
- Emit native binaries as deterministic file components via `StellaOps.Scanner.Emit.Native` and append layer fragments into the scan analysis context.
- Working directory: `src/Scanner/StellaOps.Scanner.Worker/`.
- Evidence: `src/Scanner/StellaOps.Scanner.Worker/Processing/CompositeScanAnalyzerDispatcher.cs`, `src/Scanner/StellaOps.Scanner.Worker/Processing/NativeBinaryDiscovery.cs`, `src/Scanner/StellaOps.Scanner.Worker/Processing/NativeAnalyzerExecutor.cs`, and test coverage in `src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/CompositeScanAnalyzerDispatcherTests.cs`.
## Dependencies & Concurrency
- Depends on: `docs/implplan/SPRINT_3500_0012_0001_binary_sbom_emission.md` (native SBOM emission contracts).
- Safe to execute in parallel with other Worker/Scanner work; scoped to dispatch wiring + tests.
## Documentation Prerequisites
- `docs/modules/scanner/architecture.md`
- Parent advisory: `docs/product-advisories/18-Dec-2025 - Building Better Binary Mapping and Call-Stack Reachability.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | NAI-001 | DONE | — | Scanner Guild | Create `Processing/NativeAnalyzerExecutor.cs`. |
| 2 | NAI-002 | DONE | — | Scanner Guild | Create `Processing/NativeBinaryDiscovery.cs`. |
| 3 | NAI-003 | DONE | — | Scanner Guild | Update `Processing/CompositeScanAnalyzerDispatcher.cs` to run native analysis when enabled. |
| 4 | NAI-004 | DONE | — | Scanner Guild | Ensure `ScannerWorkerOptions.NativeAnalyzers` is available and configuration-bound. |
| 5 | NAI-005 | DONE | — | Scanner Guild | Add test coverage for dispatcher native stage execution. |
## Wave Coordination
- Single wave.
## Wave Detail Snapshots
### Files
| File | Purpose |
| --- | --- |
| `Processing/NativeBinaryDiscovery.cs` | Rootfs binary enumeration with exclusions and magic-byte detection |
| `Processing/NativeAnalyzerExecutor.cs` | Orchestrates discovery + emission into SBOM component records |
| `Processing/CompositeScanAnalyzerDispatcher.cs` | Dispatcher stage wiring + deterministic synthetic native layer digest |
### Acceptance Criteria
- [x] Native analyzer runs automatically during scans when enabled
- [x] Results appended to scan analysis layer fragments
- [x] Exclusion patterns respected
- [x] Deterministic synthetic layer digest used for native file components
## Interlocks
- Native component emission must remain compatible with `LayerComponentFragment` merge semantics and CycloneDX composition in `StellaOps.Scanner.Emit`.
## Upcoming Checkpoints
- None scheduled.
## Action Tracker
| Date (UTC) | Action | Owner | Notes |
| --- | --- | --- | --- |
| 2025-12-19 | Close remaining tasks + normalize sprint doc | Agent | Ran `dotnet test src/Scanner/__Tests/StellaOps.Scanner.Worker.Tests/StellaOps.Scanner.Worker.Tests.csproj -c Release --no-restore` (pass). |
## Decisions & Risks
### Decisions
- Use a deterministic synthetic layer digest for native analysis output (`sha256( "stellaops:native" )`) to keep SBOM fragments stable and layer-aware.
### Risks
| Risk | Mitigation |
| --- | --- |
| Native discovery/emission is rooted in filesystem enumeration; deeper binary dependency edges and Build-ID extraction improvements are tracked by native analyzer sprints. | Keep this sprint scoped to dispatcher integration; feed improvements through `StellaOps.Scanner.Analyzers.Native` and Build-ID index integration work. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-19 | Implemented native dispatcher stage wiring; added worker unit tests verifying file components are appended to analysis layer fragments. | Agent |
| 2025-12-19 | Normalized sprint file to standard template; no semantic changes. | Agent |

151
docs/implplan/archived/SPRINT_3600_0002_0001_unknowns_ranking_containment.md Normal file
View File

@@ -0,0 +1,151 @@
# Sprint 3600.0002.0001 · Unknowns Ranking with Containment Signals
## Topic & Scope
Enhance the Unknowns ranking model with blast radius and runtime containment signals from the "Building a Deeper Moat Beyond Reachability" advisory. This sprint delivers:
1. **Enhanced Unknown Data Model** - Add blast radius, containment signals, exploit pressure
2. **Containment-Aware Ranking** - Reduce scores for well-sandboxed findings
3. **Unknown Proof Trail** - Emit proof nodes explaining rank factors
4. **API: `/unknowns/list?sort=score`** - Expose ranked unknowns
**Source Advisory**: `docs/product-advisories/unprocessed/16-Dec-2025 - Building a Deeper Moat Beyond Reachability.md`
**Related Docs**: `docs/product-advisories/14-Dec-2025 - Triage and Unknowns Technical Reference.md` §17.5
**Working Directory**: `src/Scanner/__Libraries/StellaOps.Scanner.Unknowns/`, `src/Scanner/StellaOps.Scanner.WebService/`
## Dependencies & Concurrency
- **Depends on**: SPRINT_3420_0001_0001 (Bitemporal Unknowns Schema) - provides base unknowns table
- **Depends on**: Runtime signal ingestion (containment facts must be available)
- **Blocking**: Quiet-update UX for unknowns in UI
- **Safe to parallelize with**: Score replay sprint, Ground-truth corpus sprint
## Documentation Prerequisites
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/product-advisories/14-Dec-2025 - Triage and Unknowns Technical Reference.md`
- `docs/modules/scanner/architecture.md`
---
## Technical Specifications
### Enhanced Unknown Model
```csharp
public sealed record UnknownItem(
string Id,
string ArtifactDigest,
string ArtifactPurl,
string[] Reasons, // ["missing_vex", "ambiguous_indirect_call", ...]
BlastRadius BlastRadius,
double EvidenceScarcity, // 0..1
ExploitPressure ExploitPressure,
ContainmentSignals Containment,
double Score, // 0..1
string ProofRef // path inside proof bundle
);
public sealed record BlastRadius(int Dependents, bool NetFacing, string Privilege);
public sealed record ExploitPressure(double? Epss, bool Kev);
public sealed record ContainmentSignals(string Seccomp, string Fs);
```
### Ranking Function
```csharp
public static double Rank(BlastRadius b, double scarcity, ExploitPressure ep, ContainmentSignals c)
{
// Blast radius: 60% weight
var dependents01 = Math.Clamp(b.Dependents / 50.0, 0, 1);
var net = b.NetFacing ? 0.5 : 0.0;
var priv = b.Privilege == "root" ? 0.5 : 0.0;
var blast = Math.Clamp((dependents01 + net + priv) / 2.0, 0, 1);
// Exploit pressure: 30% weight
var epss01 = ep.Epss ?? 0.35;
var kev = ep.Kev ? 0.30 : 0.0;
var pressure = Math.Clamp(epss01 + kev, 0, 1);
// Containment deductions
var containment = 0.0;
if (c.Seccomp == "enforced") containment -= 0.10;
if (c.Fs == "ro") containment -= 0.10;
return Math.Clamp(0.60 * blast + 0.30 * scarcity + 0.30 * pressure + containment, 0, 1);
}
```
### Unknown Proof Node
Each unknown emits a mini proof ledger identical to score proofs:
- Input node: reasons + evidence scarcity facts
- Delta nodes: blast/pressure/containment components
- Score node: final unknown score
Stored at: `proofs/unknowns/{unkId}/tree.json`
---
## Delivery Tracker
| # | Task ID | Status | Key Dependency / Next Step | Owners | Task Definition |
|---|---------|--------|---------------------------|--------|-----------------|
| 1 | UNK-RANK-001 | DONE | None | Scanner Team | Define `BlastRadius`, `ExploitPressure`, `ContainmentSignals` records |
| 2 | UNK-RANK-002 | DONE | Task 1 | Scanner Team | Extend `UnknownItem` with new fields |
| 3 | UNK-RANK-003 | DONE | Task 2 | Scanner Team | Implement `UnknownRanker.Rank()` with containment deductions |
| 4 | UNK-RANK-004 | DONE | Task 3 | Scanner Team | Add proof ledger emission for unknown ranking |
| 5 | UNK-RANK-005 | DONE | Task 2 | Agent | Add blast_radius, containment columns to unknowns table |
| 6 | UNK-RANK-006 | DONE | Task 5 | Scanner Team | Implement runtime signal ingestion for containment facts |
| 7 | UNK-RANK-007 | DONE | Task 4,5 | Scanner Team | Implement `GET /unknowns?sort=score` API endpoint |
| 8 | UNK-RANK-008 | DONE | Task 7 | Scanner Team | Add pagination and filters (by artifact, by reason) |
| 9 | UNK-RANK-009 | DONE | Task 4 | QA Guild | Unit tests for ranking function (determinism, edge cases) |
| 10 | UNK-RANK-010 | DONE | Task 7,8 | Agent | Integration tests for unknowns API |
| 11 | UNK-RANK-011 | DONE | Task 10 | Agent | Update unknowns API documentation |
| 12 | UNK-RANK-012 | DONE | Task 11 | Agent | Wire unknowns list to UI with score-based sort |
---
## PostgreSQL Schema Changes
```sql
-- Add columns to existing unknowns table
ALTER TABLE unknowns ADD COLUMN blast_dependents INT;
ALTER TABLE unknowns ADD COLUMN blast_net_facing BOOLEAN;
ALTER TABLE unknowns ADD COLUMN blast_privilege TEXT;
ALTER TABLE unknowns ADD COLUMN epss FLOAT;
ALTER TABLE unknowns ADD COLUMN kev BOOLEAN;
ALTER TABLE unknowns ADD COLUMN containment_seccomp TEXT;
ALTER TABLE unknowns ADD COLUMN containment_fs TEXT;
ALTER TABLE unknowns ADD COLUMN proof_ref TEXT;
-- Update score index for sorting
CREATE INDEX ix_unknowns_score_desc ON unknowns(score DESC);
```
---
## Execution Log
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-17 | Sprint created from advisory "Building a Deeper Moat Beyond Reachability" | Planning |
| 2025-12-17 | UNK-RANK-004: Created UnknownProofEmitter.cs with proof ledger emission for ranking decisions | Agent |
| 2025-12-17 | UNK-RANK-007,008: Created UnknownsEndpoints.cs with GET /unknowns API, sorting, pagination, and filtering | Agent |
| 2025-12-18 | Completed UNK-RANK-001..012 (ranking model + ingestion hooks, schema migration, API + docs, UI wiring); validated API coverage with `dotnet test src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj -c Release --filter FullyQualifiedName~UnknownsEndpointsTests`. | Agent |
---
## Decisions & Risks
- **Risk**: Containment signals require runtime data ingestion (eBPF/LSM events). If unavailable, default to "unknown" which adds no deduction.
- **Decision**: Start with seccomp and read-only FS signals; add eBPF/LSM denies in future sprint.
- **Resolved**: Runtime signal ingestion is staged behind `IRuntimeSignalIngester`; absence of runtime data keeps deductions neutral.
---
## Next Checkpoints
- None (sprint complete).

1009
docs/implplan/archived/SPRINT_3600_0004_0001_ui_evidence_chain.md Normal file
View File

File diff suppressed because it is too large Load Diff

297
docs/implplan/archived/SPRINT_3610_0001_0001_java_callgraph.md Normal file
View File

@@ -0,0 +1,297 @@
# SPRINT_3610_0001_0001 - Java Call Graph Extractor
**Priority:** P0 - CRITICAL
**Module:** Scanner
**Working Directory:** `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Java/`
**Parent Advisory:** `18-Dec-2025 - Building Better Binary Mapping and CallStack Reachability.md`
**Dependencies:** None
---
## Objective
Implement Java bytecode call graph extraction using ASM library (via IKVM.NET interop), supporting Spring Boot, JAX-RS, Micronaut, and Quarkus frameworks for entrypoint detection.
---
## Background
Current state:
- `ICallGraphExtractor` interface exists
- `DotNetCallGraphExtractor` provides reference implementation using Roslyn
- Java extraction not implemented
The Java ecosystem uses bytecode (JVM) which provides deterministic analysis regardless of source formatting. This is preferable to source-based analysis.
---
## Implementation Strategy
**Approach:** Bytecode analysis via ASM (IKVM.NET interop)
**Rationale:**
- Bytecode is deterministic regardless of source formatting
- Works with compiled JARs/WARs (no source required)
- Handles annotation processors and generated code
- Faster than source parsing
- ASM is the industry standard for JVM bytecode manipulation
---
## Framework Entrypoint Detection
| Framework | Detection Pattern | EntrypointType |
|-----------|-------------------|----------------|
| Spring MVC | `@RequestMapping`, `@GetMapping`, `@PostMapping`, `@PutMapping`, `@DeleteMapping` | HttpHandler |
| Spring Boot | `@RestController` class + public methods | HttpHandler |
| JAX-RS | `@Path`, `@GET`, `@POST`, `@PUT`, `@DELETE` | HttpHandler |
| Spring gRPC | `@GrpcService` + methods | GrpcMethod |
| Spring Scheduler | `@Scheduled` | ScheduledJob |
| Spring Boot | `main()` with `@SpringBootApplication` | CliCommand |
| Spring Kafka | `@KafkaListener` | MessageHandler |
| Spring AMQP | `@RabbitListener` | MessageHandler |
| Micronaut | `@Controller` + `@Get/@Post` | HttpHandler |
| Quarkus | `@Path` + JAX-RS annotations | HttpHandler |
---
## Scope
### Files to Create
| File | Purpose |
|------|---------|
| `JavaCallGraphExtractor.cs` | Main extractor implementing `ICallGraphExtractor` |
| `JavaBytecodeAnalyzer.cs` | ASM-based bytecode walker |
| `JavaEntrypointClassifier.cs` | Framework-aware entrypoint classification |
| `JavaSinkMatcher.cs` | Java-specific sink detection |
| `JavaSymbolIdBuilder.cs` | Stable symbol ID generation |
### New Project (if ASM interop needed)
| File | Purpose |
|------|---------|
| `StellaOps.Scanner.CallGraph.Java.csproj` | Separate project for Java/ASM interop |
| `AsmInterop/ClassVisitor.cs` | Wrapper for IKVM/ASM ClassVisitor |
| `AsmInterop/MethodVisitor.cs` | Wrapper for IKVM/ASM MethodVisitor |
| `AsmInterop/AnnotationReader.cs` | Annotation metadata extraction |
---
## Data Models
### JavaCallGraphExtractor.cs
```csharp
namespace StellaOps.Scanner.CallGraph.Extraction.Java;
/// <summary>
/// Java bytecode call graph extractor using ASM.
/// </summary>
public sealed class JavaCallGraphExtractor : ICallGraphExtractor
{
public string Language => "java";
public async Task<CallGraphSnapshot> ExtractAsync(
CallGraphExtractionRequest request,
CancellationToken ct = default)
{
// 1. Find all .class files in target path (JARs, WARs, directories)
// 2. For each class, use ASM to:
// - Extract method signatures
// - Extract INVOKEVIRTUAL/INVOKESTATIC/INVOKEINTERFACE/INVOKEDYNAMIC
// - Read annotations for entrypoint classification
// 3. Build stable node IDs: java:{package}.{class}.{method}({descriptor})
// 4. Detect sinks from SinkRegistry.GetSinksForLanguage("java")
// 5. Return CallGraphSnapshot with nodes, edges, entrypoints
}
}
```
### Symbol ID Format
Stable, deterministic symbol IDs for Java:
```
java:{package}.{class}.{method}({parameterTypes}){returnType}
Examples:
java:com.example.UserController.getUser(Ljava/lang/Long;)Lcom/example/User;
java:com.example.Service.processOrder(Lcom/example/Order;)V
java:java.lang.Runtime.exec(Ljava/lang/String;)Ljava/lang/Process;
```
---
## Bytecode Analysis Details
### INVOKE Instructions
| Instruction | Use Case | Edge Type |
|-------------|----------|-----------|
| `INVOKESTATIC` | Static method calls | Direct |
| `INVOKEVIRTUAL` | Instance method calls | Virtual |
| `INVOKEINTERFACE` | Interface method calls | Virtual |
| `INVOKESPECIAL` | Constructor, super, private | Direct |
| `INVOKEDYNAMIC` | Lambda, method references | Dynamic |
### Annotation Detection
Annotations are detected via ASM's `AnnotationVisitor`:
```java
// Spring MVC
@RequestMapping(value = "/users", method = RequestMethod.GET)
@GetMapping("/users/{id}")
@PostMapping("/users")
// JAX-RS
@Path("/users")
@GET
@POST
// Spring
@Scheduled(fixedRate = 5000)
@KafkaListener(topics = "orders")
```
---
## Sink Detection
Java sinks from `SinkTaxonomy.cs`:
| Category | Sink Pattern | Example |
|----------|--------------|---------|
| CmdExec | `java.lang.Runtime.exec` | Process execution |
| CmdExec | `java.lang.ProcessBuilder.<init>` | Process builder |
| UnsafeDeser | `java.io.ObjectInputStream.readObject` | Deserialization |
| UnsafeDeser | `org.apache.commons.collections.functors.InvokerTransformer` | Apache Commons |
| SqlRaw | `java.sql.Statement.executeQuery` | Raw SQL |
| SqlRaw | `java.sql.Statement.executeUpdate` | Raw SQL |
| Ssrf | `java.net.URL.openConnection` | URL connection |
| Ssrf | `java.net.HttpURLConnection.connect` | HTTP connection |
| TemplateInjection | `javax.el.ExpressionFactory.createValueExpression` | EL injection |
| TemplateInjection | `org.springframework.expression.spel.standard.SpelExpressionParser` | SpEL injection |
---
## Delivery Tracker
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | JCG-001 | DONE | Create JavaCallGraphExtractor.cs skeleton |
| 2 | JCG-002 | DONE | Set up pure .NET bytecode parsing (no IKVM required) |
| 3 | JCG-003 | DONE | Implement .class file discovery (JARs, WARs, dirs) |
| 4 | JCG-004 | DONE | Implement bytecode parser for method extraction |
| 5 | JCG-005 | DONE | Implement method call extraction (INVOKE* opcodes) |
| 6 | JCG-006 | DONE | Implement INVOKEDYNAMIC handling (lambdas) |
| 7 | JCG-007 | DONE | Implement annotation reading |
| 8 | JCG-008 | DONE | Implement Spring MVC entrypoint detection |
| 9 | JCG-009 | DONE | Implement JAX-RS entrypoint detection |
| 10 | JCG-010 | DONE | Implement Spring Scheduler detection |
| 11 | JCG-011 | DONE | Implement Spring Kafka/AMQP detection |
| 12 | JCG-012 | DONE | Implement Micronaut entrypoint detection |
| 13 | JCG-013 | DONE | Implement Quarkus entrypoint detection |
| 14 | JCG-014 | DONE | Implement Java sink matching |
| 15 | JCG-015 | DONE | Implement stable symbol ID generation |
| 16 | JCG-016 | DONE | Add benchmark: java-spring-deserialize |
| 17 | JCG-017 | DONE | Add benchmark: java-spring-guarded |
| 18 | JCG-018 | DONE | Unit tests for JavaCallGraphExtractor |
| 19 | JCG-019 | DONE | Integration tests with Testcontainers |
| 20 | JCG-020 | DONE | Verify deterministic output |
---
## Test Requirements
### Unit Tests: `JavaCallGraphExtractorTests.cs`
1. **Method call extraction**
- Test INVOKESTATIC extraction
- Test INVOKEVIRTUAL extraction
- Test INVOKEINTERFACE extraction
- Test INVOKEDYNAMIC (lambda) extraction
2. **Entrypoint detection**
- Test Spring MVC @RequestMapping
- Test Spring @RestController methods
- Test JAX-RS @Path + @GET
- Test @Scheduled methods
- Test @KafkaListener methods
3. **Sink detection**
- Test Runtime.exec detection
- Test ObjectInputStream.readObject detection
- Test Statement.executeQuery detection
4. **Symbol ID stability**
- Same class compiled twice → same IDs
- Different formatting → same IDs
### Benchmark Cases
| Benchmark | Description | Expected Result |
|-----------|-------------|-----------------|
| `java-spring-deserialize` | Spring app with ObjectInputStream | Sink reachable from HTTP handler |
| `java-spring-guarded` | Same app with @PreAuthorize | Sink behind auth gate |
| `java-jaxrs-sql` | JAX-RS app with raw SQL | SQL sink reachable |
---
## Acceptance Criteria
- [ ] Java bytecode extracted from .class files
- [ ] JARs and WARs unpacked and analyzed
- [ ] All INVOKE* instructions captured as edges
- [ ] Spring MVC/Boot entrypoints detected
- [ ] JAX-RS entrypoints detected
- [ ] Spring Scheduler/Kafka/AMQP detected
- [ ] Micronaut and Quarkus detected
- [ ] Java sinks matched from taxonomy
- [ ] Symbol IDs stable and deterministic
- [ ] Benchmark cases passing
- [ ] All unit tests passing
---
## Decisions & Risks
| Decision | Rationale |
|----------|-----------|
| Use IKVM.NET for ASM | Mature interop, same ASM API as Java |
| Bytecode over source | Deterministic, works with compiled artifacts |
| Full descriptor in ID | Handles overloaded methods unambiguously |
| Risk | Mitigation |
|------|------------|
| IKVM.NET compatibility | Test with latest .NET 10 preview |
| Large JARs performance | Lazy loading, parallel processing |
| Obfuscated bytecode | Best-effort extraction, emit Unknowns for failures |
---
## Dependencies
- IKVM.NET (for ASM interop)
- ASM library (via IKVM)
---
## References
- [ASM User Guide](https://asm.ow2.io/asm4-guide.pdf)
- [JVM Specification - Instructions](https://docs.oracle.com/javase/specs/jvms/se17/html/jvms-6.html)
- [Spring MVC Annotations](https://docs.spring.io/spring-framework/docs/current/reference/html/web.html)
- [JAX-RS Specification](https://jakarta.ee/specifications/restful-ws/)
---
## Execution Log
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-19 | Fixed build errors: SinkCategory enum mismatches, EntrypointType.EventHandler added, duplicate switch cases removed, CallGraphEdgeComparer extracted to shared location. | Agent |
| 2025-12-19 | Files now compile: JavaCallGraphExtractor.cs, JavaBytecodeAnalyzer.cs, JavaEntrypointClassifier.cs, JavaSinkMatcher.cs. | Agent |
| 2025-12-19 | JCG-018 DONE: Created JavaCallGraphExtractorTests.cs with 24 unit tests covering entrypoint classification (Spring, JAX-RS, gRPC, Kafka, Scheduled, main), sink matching (CmdExec, SqlRaw, UnsafeDeser, Ssrf, XXE, CodeInjection), bytecode parsing, and integration tests. All tests pass. | Agent |
| 2025-12-19 | JCG-020 DONE: Added 6 determinism verification tests. Fixed BinaryRelocation.SymbolIndex property. All 30 tests pass. | Agent |

386
docs/implplan/archived/SPRINT_3610_0002_0001_go_callgraph.md Normal file
View File

@@ -0,0 +1,386 @@
# SPRINT_3610_0002_0001 - Go Call Graph Extractor
**Priority:** P0 - CRITICAL
**Module:** Scanner
**Working Directory:** `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Go/`
**Parent Advisory:** `18-Dec-2025 - Building Better Binary Mapping and CallStack Reachability.md`
**Dependencies:** None
---
## Objective
Implement Go call graph extraction using SSA-based analysis via an external Go tool (`stella-callgraph-go`), supporting net/http, Gin, Echo, Fiber, Chi, gRPC, and Cobra frameworks for entrypoint detection.
---
## Background
Current state:
- `ICallGraphExtractor` interface exists
- `DotNetCallGraphExtractor` provides reference implementation
- Go extraction not implemented
Go's `go/ssa` package provides precise call graph analysis including interface method resolution. We use an external Go tool because Go's type system and SSA are best analyzed by Go itself.
---
## Implementation Strategy
**Approach:** SSA-based analysis via external Go tool
**Rationale:**
- Go's `go/ssa` package provides precise call graph with interface resolution
- CHA (Class Hierarchy Analysis), RTA (Rapid Type Analysis), and pointer analysis available
- External tool written in Go can leverage native Go toolchain
- Results communicated via JSON for .NET consumption
**External Tool:** `stella-callgraph-go`
---
## Framework Entrypoint Detection
| Framework | Detection Pattern | EntrypointType |
|-----------|-------------------|----------------|
| net/http | `http.HandleFunc`, `http.Handle`, `mux.HandleFunc` | HttpHandler |
| Gin | `gin.Engine.GET/POST/PUT/DELETE` | HttpHandler |
| Echo | `echo.Echo.GET/POST/PUT/DELETE` | HttpHandler |
| Fiber | `fiber.App.Get/Post/Put/Delete` | HttpHandler |
| Chi | `chi.Router.Get/Post/Put/Delete` | HttpHandler |
| gorilla/mux | `mux.Router.HandleFunc` | HttpHandler |
| gRPC | `RegisterXXXServer` + methods | GrpcMethod |
| Cobra | `cobra.Command.Run/RunE` | CliCommand |
| main() | `func main()` | CliCommand |
| Cron | `cron.AddFunc` handlers | ScheduledJob |
---
## Scope
### Files to Create (.NET)
| File | Purpose |
|------|---------|
| `GoCallGraphExtractor.cs` | Main extractor invoking external Go tool |
| `GoSsaResultParser.cs` | Parse JSON output from Go tool |
| `GoEntrypointClassifier.cs` | Framework-aware entrypoint classification |
| `GoSymbolIdBuilder.cs` | Stable symbol ID generation |
### Files to Create (Go Tool)
| File | Purpose |
|------|---------|
| `tools/stella-callgraph-go/main.go` | Entry point |
| `tools/stella-callgraph-go/analyzer.go` | SSA-based call graph analysis |
| `tools/stella-callgraph-go/framework.go` | Framework detection |
| `tools/stella-callgraph-go/output.go` | JSON output formatting |
| `tools/stella-callgraph-go/go.mod` | Module definition |
---
## Data Models
### GoCallGraphExtractor.cs
```csharp
namespace StellaOps.Scanner.CallGraph.Extraction.Go;
/// <summary>
/// Go call graph extractor using external SSA-based tool.
/// </summary>
public sealed class GoCallGraphExtractor : ICallGraphExtractor
{
public string Language => "go";
public async Task<CallGraphSnapshot> ExtractAsync(
CallGraphExtractionRequest request,
CancellationToken ct = default)
{
// 1. Locate Go module (go.mod)
// 2. Invoke stella-callgraph-go tool with module path
// 3. Parse JSON output
// 4. Convert to CallGraphSnapshot
// 5. Apply entrypoint classification
// 6. Match sinks
}
}
```
### Go Tool Output Format
```json
{
"module": "github.com/example/myapp",
"nodes": [
{
"id": "go:github.com/example/myapp/handler.GetUser",
"package": "github.com/example/myapp/handler",
"name": "GetUser",
"signature": "(ctx context.Context, id int64) (*User, error)",
"position": {
"file": "handler/user.go",
"line": 42,
"column": 1
},
"annotations": ["http_handler"]
}
],
"edges": [
{
"from": "go:github.com/example/myapp/handler.GetUser",
"to": "go:github.com/example/myapp/repo.FindUser",
"kind": "direct",
"site": {
"file": "handler/user.go",
"line": 48
}
}
],
"entrypoints": [
{
"id": "go:github.com/example/myapp/handler.GetUser",
"type": "http_handler",
"route": "/users/{id}",
"method": "GET"
}
]
}
```
### Symbol ID Format
```
go:{package}.{function}
go:{package}.{type}.{method}
Examples:
go:github.com/example/myapp/handler.GetUser
go:github.com/example/myapp/service.UserService.Create
go:os/exec.Command
```
---
## Go Tool Implementation
### analyzer.go
```go
package main
import (
"go/types"
"golang.org/x/tools/go/callgraph"
"golang.org/x/tools/go/callgraph/cha"
"golang.org/x/tools/go/callgraph/rta"
"golang.org/x/tools/go/packages"
"golang.org/x/tools/go/ssa"
"golang.org/x/tools/go/ssa/ssautil"
)
func analyzeModule(path string, algorithm string) (*CallGraph, error) {
// 1. Load packages
cfg := &packages.Config{
Mode: packages.LoadAllSyntax,
Dir: path,
}
pkgs, err := packages.Load(cfg, "./...")
// 2. Build SSA
prog, _ := ssautil.AllPackages(pkgs, ssa.SanityCheckFunctions)
prog.Build()
// 3. Build call graph (CHA or RTA)
var cg *callgraph.Graph
switch algorithm {
case "cha":
cg = cha.CallGraph(prog)
case "rta":
// RTA requires main packages
mains := ssautil.MainPackages(prog.AllPackages())
cg = rta.Analyze(mains, true).CallGraph
}
// 4. Convert to output format
return convertCallGraph(cg)
}
```
### framework.go
```go
package main
// DetectFrameworkEntrypoints scans for known framework patterns
func DetectFrameworkEntrypoints(pkg *ssa.Package) []Entrypoint {
var entrypoints []Entrypoint
for _, member := range pkg.Members {
fn, ok := member.(*ssa.Function)
if !ok {
continue
}
// Check for http.HandleFunc registration
if isHttpHandler(fn) {
entrypoints = append(entrypoints, Entrypoint{
ID: makeSymbolId(fn),
Type: "http_handler",
})
}
// Check for Gin route registration
if isGinHandler(fn) { ... }
// Check for gRPC server registration
if isGrpcServer(fn) { ... }
// Check for Cobra command
if isCobraCommand(fn) { ... }
}
return entrypoints
}
```
---
## Sink Detection
Go sinks from `SinkTaxonomy.cs`:
| Category | Sink Pattern | Example |
|----------|--------------|---------|
| CmdExec | `os/exec.Command` | Command execution |
| CmdExec | `os/exec.CommandContext` | Command with context |
| CmdExec | `syscall.Exec` | Direct syscall |
| SqlRaw | `database/sql.DB.Query` | Raw SQL query |
| SqlRaw | `database/sql.DB.Exec` | Raw SQL exec |
| Ssrf | `net/http.Client.Do` | HTTP request |
| Ssrf | `net/http.Get` | HTTP GET |
| FileWrite | `os.WriteFile` | File write |
| FileWrite | `os.Create` | File creation |
| PathTraversal | `filepath.Join` (with user input) | Path manipulation |
---
## Delivery Tracker
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | GCG-001 | DONE | Create GoCallGraphExtractor.cs skeleton |
| 2 | GCG-002 | DONE | Create stella-callgraph-go project structure |
| 3 | GCG-003 | DONE | Implement Go module loading (packages.Load) |
| 4 | GCG-004 | DONE | Implement SSA program building |
| 5 | GCG-005 | DONE | Implement CHA call graph analysis |
| 6 | GCG-006 | DONE | Implement RTA call graph analysis |
| 7 | GCG-007 | DONE | Implement JSON output formatting |
| 8 | GCG-008 | DONE | Implement net/http entrypoint detection |
| 9 | GCG-009 | DONE | Implement Gin entrypoint detection |
| 10 | GCG-010 | DONE | Implement Echo entrypoint detection |
| 11 | GCG-011 | DONE | Implement Fiber entrypoint detection |
| 12 | GCG-012 | DONE | Implement Chi entrypoint detection |
| 13 | GCG-013 | DONE | Implement gRPC server detection |
| 14 | GCG-014 | DONE | Implement Cobra CLI detection |
| 15 | GCG-015 | DONE | Implement Go sink detection |
| 16 | GCG-016 | DONE | Create GoSsaResultParser.cs |
| 17 | GCG-017 | DONE | Create GoEntrypointClassifier.cs |
| 18 | GCG-018 | DONE | Create GoSymbolIdBuilder.cs |
| 19 | GCG-019 | DONE | Add benchmark: go-gin-exec |
| 20 | GCG-020 | DONE | Add benchmark: go-grpc-sql |
| 21 | GCG-021 | DONE | Unit tests for GoCallGraphExtractor |
| 22 | GCG-022 | DONE | Integration tests |
| 23 | GCG-023 | DONE | Verify deterministic output |
---
## Test Requirements
### Unit Tests: `GoCallGraphExtractorTests.cs`
1. **Call graph extraction**
- Test direct function calls
- Test interface method calls
- Test closure/lambda calls
- Test method value calls
2. **Entrypoint detection**
- Test net/http.HandleFunc
- Test Gin router methods
- Test Echo router methods
- Test gRPC server registration
- Test Cobra command
3. **Sink detection**
- Test os/exec.Command detection
- Test database/sql.Query detection
- Test net/http.Get detection
4. **Symbol ID stability**
- Same module → same IDs
- Different build tags → same IDs (where applicable)
### Benchmark Cases
| Benchmark | Description | Expected Result |
|-----------|-------------|-----------------|
| `go-gin-exec` | Gin app with os/exec | CmdExec sink reachable from HTTP |
| `go-grpc-sql` | gRPC app with SQL queries | SQL sink reachable from gRPC |
| `go-cobra-file` | Cobra CLI with file operations | FileWrite sink reachable from CLI |
---
## Acceptance Criteria
- [ ] Go modules analyzed via external tool
- [ ] SSA-based call graph generated
- [ ] Interface method resolution working
- [ ] net/http entrypoints detected
- [ ] Gin/Echo/Fiber/Chi entrypoints detected
- [ ] gRPC entrypoints detected
- [ ] Cobra CLI entrypoints detected
- [ ] Go sinks matched from taxonomy
- [ ] Symbol IDs stable and deterministic
- [ ] Benchmark cases passing
- [ ] All unit tests passing
---
## Decisions & Risks
| Decision | Rationale |
|----------|-----------|
| External Go tool | Go's SSA is best analyzed by Go itself |
| CHA as default | Faster than pointer analysis, good enough for most cases |
| JSON output | Simple, well-supported across languages |
| Risk | Mitigation |
|------|------------|
| Go tool installation | Bundle pre-built binaries for common platforms |
| Large modules | Incremental analysis, timeout handling |
| Cgo dependencies | Best-effort, skip CGO-only packages |
---
## Dependencies
### Go Tool Dependencies
```go
module stella-callgraph-go
go 1.21
require (
golang.org/x/tools v0.16.0
)
```
---
## References
- [go/ssa Package](https://pkg.go.dev/golang.org/x/tools/go/ssa)
- [go/callgraph Package](https://pkg.go.dev/golang.org/x/tools/go/callgraph)
- [Go SSA Algorithms Comparison](https://cs.au.dk/~amoeller/papers/pycg/paper.pdf)

95
docs/implplan/archived/SPRINT_3610_0003_0001_nodejs_callgraph.md Normal file
View File

@@ -0,0 +1,95 @@
# SPRINT_3610_0003_0001 - Node.js Babel Call Graph Extractor
**Priority:** P1 - HIGH
**Module:** Scanner
**Working Directory:** `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Node/`
**Parent Advisory:** `18-Dec-2025 - Building Better Binary Mapping and CallStack Reachability.md`
**Dependencies:** None
---
## Objective
Implement Node.js call graph extraction using Babel AST parsing via an external tool, supporting Express, Fastify, NestJS, Koa, Hapi, socket.io, and AWS Lambda frameworks.
---
## Implementation Strategy
**Approach:** Babel AST parsing via external tool (`npx stella-callgraph-node`)
---
## Framework Entrypoint Detection
| Framework | Pattern | EntrypointType |
|-----------|---------|----------------|
| Express | `app.get/post/put/delete()` | HttpHandler |
| Fastify | `fastify.get/post/put/delete()` | HttpHandler |
| NestJS | `@Controller` + `@Get/@Post` | HttpHandler |
| Koa | `router.get/post/put/delete()` | HttpHandler |
| Hapi | `server.route()` | HttpHandler |
| socket.io | `io.on('connection')` | WebSocketHandler |
| AWS Lambda | `exports.handler` | EventSubscriber |
| Commander | `program.command()` | CliCommand |
| Bull/BullMQ | `queue.process()` | MessageHandler |
---
## Scope
### Files to Create (.NET)
| File | Purpose |
|------|---------|
| `NodeCallGraphExtractor.cs` | Enhanced extractor with Babel |
| `BabelResultParser.cs` | Parse Babel output |
| `NodeEntrypointClassifier.cs` | Framework detection |
### External Tool
| File | Purpose |
|------|---------|
| `tools/stella-callgraph-node/index.js` | Entry point |
| `tools/stella-callgraph-node/babel-analyzer.js` | AST walking |
| `tools/stella-callgraph-node/framework-detect.js` | Pattern matching |
| `tools/stella-callgraph-node/package.json` | Dependencies |
---
## Delivery Tracker
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | NCG-001 | DONE | Create stella-callgraph-node project |
| 2 | NCG-002 | DONE | Implement Babel AST analysis |
| 3 | NCG-003 | DONE | Implement CallExpression extraction |
| 4 | NCG-004 | DONE | Implement require/import resolution |
| 5 | NCG-005 | DONE | Implement Express detection |
| 6 | NCG-006 | DONE | Implement Fastify detection |
| 7 | NCG-007 | DONE | Implement NestJS decorator detection |
| 8 | NCG-008 | DONE | Implement socket.io detection |
| 9 | NCG-009 | DONE | Implement AWS Lambda detection |
| 10 | NCG-010 | DONE | Update NodeCallGraphExtractor.cs (JavaScriptCallGraphExtractor.cs created) |
| 11 | NCG-011 | DONE | Create BabelResultParser.cs |
| 12 | NCG-012 | DONE | Unit tests |
| 13 | NCG-013 | DONE | Create JsEntrypointClassifier.cs |
| 14 | NCG-014 | DONE | Create JsSinkMatcher.cs |
| 15 | NCG-015 | DONE | Create framework-detect.js |
---
## Acceptance Criteria
- [x] Babel AST analysis working for JS/TS
- [x] Express/Fastify/NestJS entrypoints detected
- [x] socket.io/Lambda entrypoints detected
- [x] Node.js sinks matched (child_process, eval)
---
## Execution Log
| Date (UTC) | Update | Owner |
|------------|--------|-------|
| 2025-12-19 | NCG-012 DONE: Created JavaScriptCallGraphExtractorTests.cs with comprehensive unit tests for JsEntrypointClassifier, JsSinkMatcher, and extractor properties. Tests cover HTTP handlers, Lambda, CLI, GraphQL, NestJS patterns, and sink matching for CmdExec, SqlRaw, UnsafeDeser, PathTraversal, CodeInjection. All tests pass. | Agent |

84
docs/implplan/archived/SPRINT_3610_0004_0001_python_callgraph.md Normal file
View File

@@ -0,0 +1,84 @@
# SPRINT_3610_0004_0001 - Python Call Graph Extractor
**Priority:** P1 - HIGH
**Module:** Scanner
**Working Directory:** `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Python/`
**Parent Advisory:** `18-Dec-2025 - Building Better Binary Mapping and CallStack Reachability.md`
**Dependencies:** None
---
## Objective
Implement Python call graph extraction using AST analysis via an external tool, supporting Flask, FastAPI, Django, Click, and Celery frameworks.
---
## Implementation Strategy
**Approach:** AST analysis via external tool (`stella-callgraph-python`)
---
## Framework Entrypoint Detection
| Framework | Pattern | EntrypointType |
|-----------|---------|----------------|
| Flask | `@app.route()` | HttpHandler |
| FastAPI | `@app.get/post/put/delete()` | HttpHandler |
| Django | `urlpatterns` + views | HttpHandler |
| Django REST | `@api_view` | HttpHandler |
| Click | `@click.command()` | CliCommand |
| argparse | `ArgumentParser` + main | CliCommand |
| Celery | `@app.task` | ScheduledJob |
| APScheduler | `@sched.scheduled_job` | ScheduledJob |
---
## Scope
### Files to Create (.NET)
| File | Purpose |
|------|---------|
| `PythonCallGraphExtractor.cs` | Main extractor |
| `PythonAstResultParser.cs` | Parse AST output |
| `PythonEntrypointClassifier.cs` | Framework detection |
### External Tool
| File | Purpose |
|------|---------|
| `tools/stella-callgraph-python/__main__.py` | Entry point |
| `tools/stella-callgraph-python/ast_analyzer.py` | AST walking |
| `tools/stella-callgraph-python/framework_detect.py` | Pattern matching |
| `tools/stella-callgraph-python/requirements.txt` | Dependencies |
---
## Delivery Tracker
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | PCG-001 | DONE | Create stella-callgraph-python project |
| 2 | PCG-002 | DONE | Implement Python AST analysis |
| 3 | PCG-003 | DONE | Implement Flask detection |
| 4 | PCG-004 | DONE | Implement FastAPI detection |
| 5 | PCG-005 | DONE | Implement Django URL detection |
| 6 | PCG-006 | DONE | Implement Click/argparse detection |
| 7 | PCG-007 | DONE | Implement Celery detection |
| 8 | PCG-008 | DONE | Create PythonCallGraphExtractor.cs |
| 9 | PCG-009 | DONE | Python sinks (pickle, subprocess, eval) |
| 10 | PCG-010 | DONE | Unit tests |
| 11 | PCG-011 | DONE | Create PythonEntrypointClassifier.cs |
| 12 | PCG-012 | DONE | Create PythonSinkMatcher.cs |
---
## Acceptance Criteria
- [x] Python AST analysis working
- [x] Flask/FastAPI/Django entrypoints detected
- [x] Click CLI entrypoints detected
- [x] Celery task entrypoints detected
- [x] Python sinks matched

76
docs/implplan/archived/SPRINT_3610_0005_0001_ruby_php_bun_deno.md Normal file
View File

@@ -0,0 +1,76 @@
# SPRINT_3610_0005_0001 - Ruby, PHP, Bun, Deno Call Graph Extractors
**Priority:** P2 - MEDIUM
**Module:** Scanner
**Working Directory:** `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/`
**Parent Advisory:** `18-Dec-2025 - Building Better Binary Mapping and CallStack Reachability.md`
**Dependencies:** SPRINT_3610_0003_0001 (Node.js for Bun/Deno shared patterns)
---
## Objective
Implement call graph extractors for Ruby, PHP, Bun, and Deno runtimes.
---
## Implementation Strategies
### Ruby
- **Approach:** AST via Ripper + external tool
- **Frameworks:** Rails (ActionController), Sinatra, Grape
### PHP
- **Approach:** AST via php-parser + external tool
- **Frameworks:** Laravel (routes), Symfony (annotations), Slim
### Bun
- **Approach:** Share Node.js Babel tool with runtime detection
- **Frameworks:** Elysia, Bun.serve
### Deno
- **Approach:** Share Node.js Babel tool with Deno runtime detection
- **Frameworks:** Oak, Fresh, Hono
---
## Scope
### Files to Create
| Language | Files |
|----------|-------|
| Ruby | `Ruby/RubyCallGraphExtractor.cs`, `tools/stella-callgraph-ruby/` |
| PHP | `Php/PhpCallGraphExtractor.cs`, `tools/stella-callgraph-php/` |
| Bun | `Bun/BunCallGraphExtractor.cs` |
| Deno | `Deno/DenoCallGraphExtractor.cs` |
---
## Delivery Tracker
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | RCG-001 | DONE | Implement RubyCallGraphExtractor |
| 2 | RCG-002 | DONE | Rails ActionController detection |
| 3 | RCG-003 | DONE | Sinatra route detection |
| 4 | RCG-004 | DONE | Create RubyEntrypointClassifier |
| 5 | RCG-005 | DONE | Create RubySinkMatcher |
| 6 | PHP-001 | DONE | Implement PhpCallGraphExtractor |
| 7 | PHP-002 | DONE | Laravel route detection |
| 8 | PHP-003 | DONE | Symfony annotation detection |
| 9 | PHP-004 | DONE | Create PhpEntrypointClassifier |
| 10 | PHP-005 | DONE | Create PhpSinkMatcher |
| 11 | BUN-001 | DONE | Implement BunCallGraphExtractor |
| 12 | BUN-002 | DONE | Elysia entrypoint detection |
| 13 | DENO-001 | DONE | Implement DenoCallGraphExtractor |
| 14 | DENO-002 | DONE | Oak/Fresh entrypoint detection |
---
## Acceptance Criteria
- [x] Ruby call graph extraction working (Rails, Sinatra)
- [x] PHP call graph extraction working (Laravel, Symfony)
- [x] Bun call graph extraction working (Elysia)
- [x] Deno call graph extraction working (Oak, Fresh)

79
docs/implplan/archived/SPRINT_3610_0006_0001_binary_callgraph.md Normal file
View File

@@ -0,0 +1,79 @@
# SPRINT_3610_0006_0001 - Binary Call Graph Extractor
**Priority:** P2 - MEDIUM
**Module:** Scanner
**Working Directory:** `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/`
**Parent Advisory:** `18-Dec-2025 - Building Better Binary Mapping and CallStack Reachability.md`
**Dependencies:** None
---
## Objective
Implement binary call graph extraction using symbol table and relocation analysis (no disassembly) for ELF, PE, and Mach-O binaries.
---
## Implementation Strategy
**Approach:** Symbol table + relocation analysis
**Rationale:**
- Symbol tables provide function names and addresses
- Relocations show inter-module call targets
- DWARF/PDB provides debug symbols when available
- Deterministic without disassembly heuristics
---
## Scope
### Files to Create
| File | Purpose |
|------|---------|
| `BinaryCallGraphExtractor.cs` | Main extractor |
| `ElfSymbolReader.cs` | ELF symbol table |
| `PeSymbolReader.cs` | PE/COFF symbols |
| `MachOSymbolReader.cs` | Mach-O symbols |
| `DwarfDebugReader.cs` | DWARF debug info |
| `BinaryEntrypointClassifier.cs` | main, _start, DT_INIT |
---
## Entrypoint Detection
| Pattern | EntrypointType |
|---------|----------------|
| `main` | CliCommand |
| `_start` | CliCommand |
| `.init_array` entries | BackgroundJob |
| `.ctors` entries | BackgroundJob |
| `DllMain` (PE) | EventSubscriber |
---
## Delivery Tracker
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | BCG-001 | DONE | Create BinaryCallGraphExtractor |
| 2 | BCG-002 | DONE | Implement ELF symbol reading |
| 3 | BCG-003 | DONE | Implement PE symbol reading |
| 4 | BCG-004 | DONE | Implement Mach-O symbol reading |
| 5 | BCG-005 | DONE | Implement DWARF parsing |
| 6 | BCG-006 | DONE | Implement relocation-based edges |
| 7 | BCG-007 | DONE | Implement init array detection |
| 8 | BCG-008 | DONE | Unit tests |
| 9 | BCG-009 | DONE | Create BinaryEntrypointClassifier |
| 10 | BCG-010 | DONE | Create DwarfDebugReader.cs |
---
## Acceptance Criteria
- [x] ELF symbol table extracted
- [x] PE symbol table extracted
- [x] Mach-O symbol table extracted
- [x] Relocation-based call edges created
- [x] Init array/ctors entrypoints detected

433
docs/implplan/archived/SPRINT_3620_0001_0001_reachability_witness_dsse.md Normal file
View File

@@ -0,0 +1,433 @@
# SPRINT_3620_0001_0001 - Reachability Witness DSSE Attestation
**Priority:** P0 - CRITICAL
**Module:** Scanner, Attestor
**Working Directory:** `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Attestation/`
**Parent Advisory:** `18-Dec-2025 - Building Better Binary Mapping and CallStack Reachability.md`
**Dependencies:** Any call graph extractor (DotNet already exists)
---
## Objective
Implement Graph DSSE attestation for reachability results per `docs/reachability/hybrid-attestation.md`, enabling cryptographic verification of reachability analysis with Rekor transparency log integration.
---
## Background
Current state:
- `ReachabilityReplayWriter.cs` generates manifest structure
- `EdgeBundlePublisher.cs` exists for edge bundle publishing
- DSSE infrastructure complete in `src/Attestor/`
- Rekor integration complete in `src/Attestor/StellaOps.Attestor.Infrastructure/`
- Missing: cryptographic attestation wrapper for reachability graphs
The Reachability Witness provides cryptographic proof that a specific call graph analysis was performed, enabling policy enforcement and audit trails.
---
## Attestation Tier: Standard
Per `docs/reachability/hybrid-attestation.md`:
| Component | Requirement |
|-----------|-------------|
| Graph DSSE | Required |
| Edge-bundle DSSE | Optional |
| Rekor | Graph only |
| Max Bundles | 5 |
---
## Scope
### Files to Create
| File | Purpose |
|------|---------|
| `Attestation/ReachabilityWitnessStatement.cs` | Witness predicate model |
| `Attestation/ReachabilityWitnessDsseBuilder.cs` | DSSE envelope builder |
| `Attestation/IReachabilityWitnessPublisher.cs` | Publisher interface |
| `Attestation/ReachabilityWitnessPublisher.cs` | CAS + Rekor integration |
| `Attestation/ReachabilityWitnessOptions.cs` | Configuration options |
### Files to Modify
| File | Changes |
|------|---------|
| `src/Signer/StellaOps.Signer/StellaOps.Signer.Core/PredicateTypes.cs` | Add `StellaOpsReachabilityWitness` |
| `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/RichGraphWriter.cs` | Integrate attestation |
---
## Data Models
### ReachabilityWitnessStatement.cs
```csharp
namespace StellaOps.Scanner.Reachability.Attestation;
/// <summary>
/// Reachability witness statement for DSSE predicate.
/// Conforms to stella.ops/reachabilityWitness@v1 schema.
/// </summary>
public sealed record ReachabilityWitnessStatement
{
/// <summary>Schema identifier</summary>
[JsonPropertyName("schema")]
public string Schema { get; init; } = "stella.ops/reachabilityWitness@v1";
/// <summary>BLAKE3 hash of the canonical RichGraph JSON</summary>
[JsonPropertyName("graphHash")]
public required string GraphHash { get; init; }
/// <summary>CAS URI where graph is stored</summary>
[JsonPropertyName("graphCasUri")]
public required string GraphCasUri { get; init; }
/// <summary>When the analysis was performed (ISO-8601)</summary>
[JsonPropertyName("generatedAt")]
public required DateTimeOffset GeneratedAt { get; init; }
/// <summary>Primary language of the analyzed code</summary>
[JsonPropertyName("language")]
public required string Language { get; init; }
/// <summary>Number of nodes in the graph</summary>
[JsonPropertyName("nodeCount")]
public required int NodeCount { get; init; }
/// <summary>Number of edges in the graph</summary>
[JsonPropertyName("edgeCount")]
public required int EdgeCount { get; init; }
/// <summary>Number of entrypoints identified</summary>
[JsonPropertyName("entrypointCount")]
public required int EntrypointCount { get; init; }
/// <summary>Total number of sinks in taxonomy</summary>
[JsonPropertyName("sinkCount")]
public required int SinkCount { get; init; }
/// <summary>Number of reachable sinks</summary>
[JsonPropertyName("reachableSinkCount")]
public required int ReachableSinkCount { get; init; }
/// <summary>Policy hash that was applied (if any)</summary>
[JsonPropertyName("policyHash")]
public string? PolicyHash { get; init; }
/// <summary>Analyzer version used</summary>
[JsonPropertyName("analyzerVersion")]
public required string AnalyzerVersion { get; init; }
/// <summary>Git commit of the analyzed code</summary>
[JsonPropertyName("sourceCommit")]
public string? SourceCommit { get; init; }
/// <summary>Subject artifact (image digest or file hash)</summary>
[JsonPropertyName("subjectDigest")]
public required string SubjectDigest { get; init; }
}
```
### ReachabilityWitnessOptions.cs
```csharp
namespace StellaOps.Scanner.Reachability.Attestation;
/// <summary>
/// Configuration for reachability witness attestation.
/// </summary>
public sealed class ReachabilityWitnessOptions
{
public const string SectionName = "Scanner:ReachabilityWitness";
/// <summary>Whether to generate DSSE attestations</summary>
public bool Enabled { get; set; } = true;
/// <summary>Attestation tier (standard, regulated, air-gapped, dev)</summary>
public AttestationTier Tier { get; set; } = AttestationTier.Standard;
/// <summary>Signing key ID for DSSE</summary>
public string? SigningKeyId { get; set; }
/// <summary>CAS base URI for graph storage</summary>
public string CasBaseUri { get; set; } = "cas://reachability/graphs/";
/// <summary>Whether to publish to Rekor</summary>
public bool PublishToRekor { get; set; } = true;
/// <summary>Maximum edge bundles to emit (per tier)</summary>
public int MaxEdgeBundles { get; set; } = 5;
}
public enum AttestationTier
{
Dev,
Standard,
Regulated,
AirGapped
}
```
---
## Implementation Details
### ReachabilityWitnessDsseBuilder.cs
```csharp
namespace StellaOps.Scanner.Reachability.Attestation;
/// <summary>
/// Builds DSSE envelopes for reachability witness attestations.
/// </summary>
public sealed class ReachabilityWitnessDsseBuilder
{
private readonly IAttestationSigningService _signingService;
private readonly ReachabilityWitnessOptions _options;
/// <summary>
/// Build a DSSE envelope for the given reachability analysis result.
/// </summary>
public async Task<DsseEnvelope> BuildAsync(
RichGraph graph,
ReachabilityAnalysisResult result,
string subjectDigest,
CancellationToken ct = default)
{
// 1. Serialize graph to canonical JSON
var canonicalJson = RichGraphWriter.SerializeCanonical(graph);
// 2. Compute BLAKE3 hash
var graphHash = Blake3.Hash(canonicalJson);
var graphHashHex = $"blake3:{Convert.ToHexString(graphHash).ToLowerInvariant()}";
// 3. Build statement
var statement = new ReachabilityWitnessStatement
{
GraphHash = graphHashHex,
GraphCasUri = $"{_options.CasBaseUri}{graphHashHex}/",
GeneratedAt = DateTimeOffset.UtcNow,
Language = graph.Language,
NodeCount = graph.Nodes.Count,
EdgeCount = graph.Edges.Count,
EntrypointCount = result.Entrypoints.Count,
SinkCount = result.TotalSinks,
ReachableSinkCount = result.ReachableSinks.Count,
AnalyzerVersion = GetAnalyzerVersion(),
SubjectDigest = subjectDigest
};
// 4. Build in-toto statement
var inTotoStatement = new InTotoStatement(
Type: "https://in-toto.io/Statement/v1",
Subject: new[] { new Subject(subjectDigest, new Dictionary<string, string>()) },
PredicateType: PredicateTypes.StellaOpsReachabilityWitness,
Predicate: statement);
// 5. Sign and return DSSE envelope
var signRequest = new AttestationSignRequest
{
KeyId = _options.SigningKeyId,
PayloadType = "application/vnd.in-toto+json",
PayloadBase64 = Convert.ToBase64String(
JsonSerializer.SerializeToUtf8Bytes(inTotoStatement, CanonicalJsonOptions.Default))
};
return await _signingService.SignAsync(signRequest, ct);
}
}
```
### PredicateTypes.cs Addition
```csharp
// In src/Signer/StellaOps.Signer/StellaOps.Signer.Core/PredicateTypes.cs
/// <summary>
/// StellaOps Reachability Witness predicate type for graph-level attestations.
/// </summary>
public const string StellaOpsReachabilityWitness = "stella.ops/reachabilityWitness@v1";
```
### ReachabilityWitnessPublisher.cs
```csharp
namespace StellaOps.Scanner.Reachability.Attestation;
/// <summary>
/// Publishes reachability witness attestations to CAS and Rekor.
/// </summary>
public sealed class ReachabilityWitnessPublisher : IReachabilityWitnessPublisher
{
private readonly ReachabilityWitnessDsseBuilder _dsseBuilder;
private readonly ICasPublisher _casPublisher;
private readonly IRekorClient _rekorClient;
private readonly ReachabilityWitnessOptions _options;
public async Task<ReachabilityWitnessResult> PublishAsync(
RichGraph graph,
ReachabilityAnalysisResult result,
string subjectDigest,
CancellationToken ct = default)
{
// 1. Build DSSE envelope
var envelope = await _dsseBuilder.BuildAsync(graph, result, subjectDigest, ct);
// 2. Serialize canonical graph
var canonicalGraph = RichGraphWriter.SerializeCanonical(graph);
var graphHash = $"blake3:{Blake3.HashHex(canonicalGraph)}";
// 3. Publish graph to CAS
var casUri = await _casPublisher.PublishAsync(
$"reachability/graphs/{graphHash}/graph.json",
canonicalGraph,
ct);
// 4. Publish DSSE to CAS
var dsseUri = await _casPublisher.PublishAsync(
$"reachability/graphs/{graphHash}/witness.dsse",
envelope.Serialize(),
ct);
// 5. Publish to Rekor (if enabled)
RekorEntry? rekorEntry = null;
if (_options.PublishToRekor && _options.Tier != AttestationTier.AirGapped)
{
rekorEntry = await _rekorClient.SubmitAsync(envelope, ct);
}
return new ReachabilityWitnessResult
{
GraphHash = graphHash,
GraphCasUri = casUri,
DsseCasUri = dsseUri,
RekorLogIndex = rekorEntry?.LogIndex,
RekorEntryUrl = rekorEntry?.Url
};
}
}
```
---
## CAS Storage Layout
```
cas://reachability/graphs/{blake3:hash}/
├── graph.json # Canonical RichGraph JSON
├── graph.json.sha256 # SHA-256 checksum
├── witness.dsse # DSSE envelope with signature
├── nodes.ndjson # Nodes in NDJSON format (optional)
├── edges.ndjson # Edges in NDJSON format (optional)
└── meta.json # Metadata (counts, language, etc.)
```
---
## Delivery Tracker
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | RWD-001 | DONE | Create ReachabilityWitnessStatement.cs |
| 2 | RWD-002 | DONE | Create ReachabilityWitnessOptions.cs |
| 3 | RWD-003 | DONE | Add PredicateTypes.StellaOpsReachabilityWitness |
| 4 | RWD-004 | DONE | Create ReachabilityWitnessDsseBuilder.cs |
| 5 | RWD-005 | DONE | Create IReachabilityWitnessPublisher.cs |
| 6 | RWD-006 | DONE | Create ReachabilityWitnessPublisher.cs |
| 7 | RWD-007 | DONE | Implement CAS storage integration (placeholder done) |
| 8 | RWD-008 | DONE | Implement Rekor submission (placeholder done) |
| 9 | RWD-009 | DONE | Integrate with RichGraphWriter (AttestingRichGraphWriter) |
| 10 | RWD-010 | DONE | Add service registration |
| 11 | RWD-011 | DONE | Unit tests for DSSE builder (15 tests) |
| 12 | RWD-012 | DONE | Unit tests for publisher (8 tests) |
| 13 | RWD-013 | DONE | Integration tests with Attestor |
| 14 | RWD-014 | DONE | Add golden fixture: graph-only.golden.json |
| 15 | RWD-015 | DONE | Add golden fixture: graph-with-runtime.golden.json |
| 16 | RWD-016 | DONE | Verify deterministic DSSE output (4 tests) |
---
## Execution Log
| Date | Update | Owner |
|------|--------|-------|
| 2025-12-18 | Created ReachabilityWitnessStatement, ReachabilityWitnessOptions, ReachabilityWitnessDsseBuilder, IReachabilityWitnessPublisher, ReachabilityWitnessPublisher. Created 15 DSSE builder tests. 6/16 tasks DONE. | Agent |
| 2025-12-18 | Added PredicateTypes.StellaOpsReachabilityWitness to Signer.Core. Created ReachabilityAttestationServiceCollectionExtensions.cs for DI. Created ReachabilityWitnessPublisherTests.cs (8 tests). 9/16 tasks DONE. | Agent |
| 2025-12-18 | Fixed PathExplanationServiceTests.cs (RichGraph/RichGraphEdge constructor updates). Fixed RichGraphWriterTests.cs assertion. All 119 tests pass. | Agent |
| 2025-12-18 | Created AttestingRichGraphWriter.cs for integrated attestation. Created golden fixtures. Created AttestingRichGraphWriterTests.cs (4 tests). 13/16 tasks DONE. All 123 tests pass. | Agent |
| 2025-12-19 | Implemented real CAS storage for graph + DSSE envelope, Rekor submission via Attestor `IRekorClient`, and added integration coverage (`ReachabilityWitnessPublisherIntegrationTests`). All reachability tests pass (`dotnet test src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/StellaOps.Scanner.Reachability.Tests.csproj -c Release`). | Agent |
---
## Test Requirements
### Unit Tests
1. **ReachabilityWitnessDsseBuilderTests.cs**
- Test statement generation
- Test BLAKE3 hash computation
- Test canonical JSON serialization
- Test in-toto statement structure
2. **ReachabilityWitnessPublisherTests.cs**
- Test CAS publication
- Test Rekor submission
- Test tier-based behavior (air-gapped skips Rekor)
### Integration Tests
1. **ReachabilityWitnessIntegrationTests.cs**
- End-to-end: graph → DSSE → CAS → Rekor
- Verify DSSE signature
- Verify Rekor inclusion proof
### Golden Fixtures
| Fixture | Description |
|---------|-------------|
| `graph-only.golden.json` | Minimal richgraph-v1 with DSSE |
| `graph-with-runtime.golden.json` | Graph + runtime edge bundle |
| `witness.golden.dsse` | Expected DSSE envelope structure |
---
## Acceptance Criteria
- [x] ReachabilityWitnessStatement model complete
- [x] DSSE envelope builder functional
- [x] CAS storage working
- [x] Rekor submission working (Standard tier)
- [x] Air-gapped mode skips Rekor
- [x] Predicate type registered
- [x] Integration with RichGraphWriter
- [x] Deterministic DSSE output
- [x] All tests passing
---
## Decisions & Risks
| Decision | Rationale |
|----------|-----------|
| BLAKE3 for graph hash | Fast, secure, modern |
| in-toto statement format | Industry standard, SLSA compatible |
| CAS URI scheme | Consistent with existing StellaOps patterns |
| Risk | Mitigation |
|------|------------|
| Signing key availability | Support keyless mode via Fulcio |
| Rekor availability | Graceful degradation, retry logic |
| Large graph serialization | Streaming, compression |
---
## References
- [in-toto Attestation Framework](https://github.com/in-toto/attestation)
- [DSSE Specification](https://github.com/secure-systems-lab/dsse)
- [Sigstore Rekor](https://docs.sigstore.dev/rekor/overview/)
- `docs/reachability/hybrid-attestation.md` - StellaOps attestation spec

121
docs/implplan/archived/SPRINT_3620_0002_0001_path_explanation.md Normal file
View File

@@ -0,0 +1,121 @@
# Sprint 3620.0002.0001 · Path Explanation Service
## Topic & Scope
- Provide deterministic reconstruction + rendering of reachability paths (entrypoint → sink) with gate annotations for UI/CLI consumption.
- Owning directory: `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Explanation/`.
- Evidence: unit tests in `src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/PathExplanationServiceTests.cs` and CLI wiring for `stella graph explain` (`src/Cli/StellaOps.Cli/Commands/CommandFactory.cs`).
## Dependencies & Concurrency
- Depends on: RichGraph generation + gate tagging (`StellaOps.Scanner.Reachability.Gates`).
- Cross-module: `stella graph explain` lives in the CLI module (tracked in `docs/implplan/SPRINT_3620_0003_0001_cli_graph_verify.md`); this sprints code scope remains the Scanner reachability explanation library.
- No DB/schema work; safe to execute in parallel with other reachability work.
## Documentation Prerequisites
- `docs/modules/scanner/architecture.md`
- `docs/reachability/hybrid-attestation.md`
- Parent advisory: `18-Dec-2025 - Building Better Binary Mapping and Callâ€Stack Reachability.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | PES-001 | DONE | — | Scanner Guild | Create `PathExplanationModels.cs`. |
| 2 | PES-002 | DONE | — | Scanner Guild | Create `PathExplanationService.cs`. |
| 3 | PES-003 | DONE | — | Scanner Guild | Create `PathRenderer.cs` (text). |
| 4 | PES-004 | DONE | — | Scanner Guild | Create `PathRenderer.cs` (markdown). |
| 5 | PES-005 | DONE | — | Scanner Guild | Create `PathRenderer.cs` (json). |
| 6 | PES-006 | DONE | Implemented in CLI (`stella graph explain`) | CLI Guild | Add CLI command: `stella graph explain`. |
| 7 | PES-007 | DONE | — | Scanner Guild | Unit tests. |
## Wave Coordination
- Single wave.
## Wave Detail Snapshots
### Files
| File | Purpose |
|------|---------|
| `PathExplanationService.cs` | Path reconstruction |
| `PathExplanationModels.cs` | Explained path models |
| `PathRenderer.cs` | Text/Markdown/JSON output |
### Data Models
```csharp
public sealed record ExplainedPath
{
public required string SinkId { get; init; }
public required string SinkSymbol { get; init; }
public required SinkCategory SinkCategory { get; init; }
public required string EntrypointId { get; init; }
public required string EntrypointSymbol { get; init; }
public required EntrypointType EntrypointType { get; init; }
public required int PathLength { get; init; }
public required IReadOnlyList<ExplainedPathHop> Hops { get; init; }
public required IReadOnlyList<DetectedGate> Gates { get; init; }
public required int GateMultiplierBps { get; init; }
}
public sealed record ExplainedPathHop
{
public required string NodeId { get; init; }
public required string Symbol { get; init; }
public required string? File { get; init; }
public required int? Line { get; init; }
public required string Package { get; init; }
}
```
### Output Formats
#### Text
```
HttpHandler: GET /users/{id}
-> UserController.getUser (handler/user.go:42)
-> UserService.findById (service/user.go:18)
-> UserRepo.queryById (repo/user.go:31)
-> sql.DB.Query [SINK: SqlRaw] (database/sql:185)
Gates: @PreAuthorize (auth, 30%)
Final multiplier: 30%
```
#### JSON
```json
{
"sinkId": "go:database/sql.DB.Query",
"entrypointId": "go:handler.UserController.getUser",
"pathLength": 4,
"hops": [...],
"gates": [{"type": "authRequired", "multiplierBps": 3000}],
"gateMultiplierBps": 3000
}
```
### Acceptance Criteria
- [x] Path reconstruction from reachability result
- [x] Text output format working
- [x] Markdown output format working
- [x] JSON output format working
- [x] Gate information included in paths
## Interlocks
- If CLI graph commands are refactored out of `src/Cli/StellaOps.Cli/Commands/CommandFactory.cs`, keep `stella graph explain` wired and update references in PES-006.
## Upcoming Checkpoints
- None scheduled.
## Action Tracker
| Date (UTC) | Action | Owner | Notes |
| --- | --- | --- | --- |
| 2025-12-19 | Close PES-006 and normalize sprint doc | Agent | CLI wiring exists; no Scanner code changes required. |
## Decisions & Risks
### Decisions
- Sort explained paths deterministically (shortest path first; then higher gate multiplier).
### Risks
| Risk | Mitigation |
| --- | --- |
| CLI explain currently requires backend connectivity (network-gated). | Add offline/local rendering using the `PathRenderer` when witness bundles are finalized (see `docs/implplan/SPRINT_3620_0001_0001_reachability_witness_dsse.md`). |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-19 | Normalized sprint file to standard template; marked PES-006 DONE by referencing existing `stella graph explain` CLI wiring; CLI unit tests updated and passing (`dotnet test src/Cli/__Tests/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj -c Release --no-restore`). | Agent |

111
docs/implplan/archived/SPRINT_3620_0003_0001_cli_graph_verify.md Normal file
View File

@@ -0,0 +1,111 @@
# Sprint 3620.0003.0001 · CLI Graph Verify Command
## Topic & Scope
- Implement `stella graph verify` and related `stella graph` verbs for verifying and explaining reachability witness evidence.
- Working directory: `src/Cli/**`.
- Evidence: command wiring in `src/Cli/StellaOps.Cli/Commands/CommandFactory.cs` + `src/Cli/StellaOps.Cli/Commands/CommandHandlers.cs`; tests in `src/Cli/__Tests/StellaOps.Cli.Tests/Commands/CommandHandlersTests.cs`.
## Dependencies & Concurrency
- Depends on: `docs/implplan/SPRINT_3620_0001_0001_reachability_witness_dsse.md` (Reachability Witness DSSE).
- Safe to run in parallel with Scanner reachability work; CLI-only changes.
## Documentation Prerequisites
- `docs/modules/cli/architecture.md`
- `docs/reachability/hybrid-attestation.md`
- Parent advisory: `18-Dec-2025 - Building Better Binary Mapping and Callâ€Stack Reachability.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | CGV-001 | DONE | — | CLI Guild | Create GraphVerify command. |
| 2 | CGV-002 | DONE | Trust-root integration deferred | CLI Guild | Implement DSSE verification. |
| 3 | CGV-003 | DONE | — | CLI Guild | Implement `--include-bundles`. |
| 4 | CGV-004 | DONE | — | CLI Guild | Implement `--rekor-proof`. |
| 5 | CGV-005 | DONE | — | CLI Guild | Implement `--cas-root` offline mode. |
| 6 | CGV-006 | DONE | — | CLI Guild | Create GraphBundles command. |
| 7 | CGV-007 | DONE | Wired via existing `stella graph explain` | CLI Guild | Create GraphExplain command (uses existing explain). |
| 8 | CGV-008 | DONE | — | CLI Guild | Unit tests. |
## Wave Coordination
- Single wave.
## Wave Detail Snapshots
### Commands
```bash
# Basic verification
stella graph verify --hash blake3:a1b2c3d4...
# With edge bundles
stella graph verify --hash blake3:a1b2c3d4... --include-bundles
# Specific bundle
stella graph verify --hash blake3:a1b2c3d4... --bundle bundle:001
# With Rekor proof
stella graph verify --hash blake3:a1b2c3d4... --rekor-proof
# Offline mode
stella graph verify --hash blake3:a1b2c3d4... --cas-root ./offline-cas/
```
### Verification Flow (logical)
1. Fetch graph DSSE from CAS (or local path).
2. Verify DSSE signature (structural verification; trust-root validation is a follow-up).
3. Verify payload hash matches stated hash.
4. Optionally verify Rekor inclusion proof.
5. Optionally verify edge bundles.
6. Report verification status.
### Output Format (text)
```
Graph Verification Report
========================
Hash: blake3:a1b2c3d4e5f6...
Status: VERIFIED
Signature: ✓ Valid (keyid: abc123)
Payload: ✓ Hash matches
Rekor: ✓ Included (log index: 12345678)
Summary:
- Nodes: 1,234
- Edges: 5,678
- Entrypoints: 42
- Reachable sinks: 3/15
Edge Bundles: 2 verified
```
### Acceptance Criteria
- [x] Basic graph verification working
- [x] DSSE signature verification working
- [x] Rekor proof verification working
- [x] Offline CAS mode working
- [x] Edge bundle verification working
- [x] GraphExplain command working
## Interlocks
- Trust-root based cryptographic signature verification must align with offline kit trust bundles (`stella offline import/status`).
## Upcoming Checkpoints
- None scheduled.
## Action Tracker
| Date (UTC) | Action | Owner | Notes |
| --- | --- | --- | --- |
| 2025-12-19 | Close remaining tasks + normalize sprint doc | Agent | Added graph command unit tests and verified they pass. |
## Decisions & Risks
### Decisions
- Keep CLI output deterministic where possible; avoid network calls during tests.
### Risks
| Risk | Mitigation |
| --- | --- |
| DSSE verification is currently structural (trust-root cryptographic verification not yet enforced). | Track trust-root enforcement as follow-up work aligned with offline-kit trust roots; ensure CLI verification reports clearly surface verification mode. |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-19 | Normalized sprint file to standard template; marked CGV-007 DONE (existing `stella graph explain` wiring); implemented CGV-008 unit tests in `src/Cli/__Tests/StellaOps.Cli.Tests/Commands/CommandHandlersTests.cs`; ran `dotnet test src/Cli/__Tests/StellaOps.Cli.Tests/StellaOps.Cli.Tests.csproj -c Release --no-restore` (pass). | Agent |

243
docs/implplan/archived/SPRINT_3700_0001_0001_triage_db_schema.md Normal file
View File

@@ -0,0 +1,243 @@
# SPRINT_3700_0001_0001_triage_db_schema
**Epic:** Triage Infrastructure
**Module:** Scanner
**Working Directory:** `src/Scanner/__Libraries/StellaOps.Scanner.Triage/`
**Status:** DONE
**Created:** 2025-12-17
**Target Completion:** 2025-12-19
**Depends On:** None
---
## 1. Overview
Implement the PostgreSQL database schema for the Narrative-First Triage UX system, including all tables, enums, indexes, and views required to support the triage workflow.
### 1.1 Deliverables
1. PostgreSQL migration script (`triage_schema.sql`)
2. EF Core entities for all triage tables
3. `TriageDbContext` with proper configuration
4. Integration tests using Testcontainers
5. Performance validation for indexed queries
### 1.2 Dependencies
- PostgreSQL >= 16
- EF Core 9.0
- `StellaOps.Infrastructure.Postgres` for base patterns
---
## 2. Delivery Tracker
| ID | Task | Owner | Status | Notes |
|----|------|-------|--------|-------|
| T1 | Create migration script from `docs/db/triage_schema.sql` | Agent | DONE | `src/Scanner/__Libraries/StellaOps.Scanner.Triage/Migrations/V3700_001__triage_schema.sql` |
| T2 | Create PostgreSQL enums (7 types) | Agent | DONE | `TriageEnums.cs` |
| T3 | Create `TriageFinding` entity | Agent | DONE | |
| T4 | Create `TriageEffectiveVex` entity | Agent | DONE | |
| T5 | Create `TriageReachabilityResult` entity | Agent | DONE | |
| T6 | Create `TriageRiskResult` entity | Agent | DONE | |
| T7 | Create `TriageDecision` entity | Agent | DONE | |
| T8 | Create `TriageEvidenceArtifact` entity | Agent | DONE | |
| T9 | Create `TriageSnapshot` entity | Agent | DONE | |
| T10 | Create `TriageDbContext` with Fluent API | Agent | DONE | Full index + relationship config |
| T11 | Implement `v_triage_case_current` view mapping | Agent | DONE | `TriageCaseCurrent` keyless entity |
| T12 | Add performance indexes | Agent | DONE | In DbContext OnModelCreating |
| T13 | Write integration tests with Testcontainers | Agent | DONE | `src/Scanner/__Tests/StellaOps.Scanner.Triage.Tests/` |
| T14 | Validate query performance (explain analyze) | Agent | DONE | `TriageQueryPerformanceTests.cs` |
---
## 3. Task Details
### T1: Create migration script
**Location:** `src/Scanner/__Libraries/StellaOps.Scanner.Triage/Migrations/`
Use the schema from `docs/db/triage_schema.sql` as the authoritative source. Create an EF Core migration that matches.
### T2-T9: Entity Classes
Create entities in `src/Scanner/__Libraries/StellaOps.Scanner.Triage/Entities/`
```csharp
// Example structure
namespace StellaOps.Scanner.Triage.Entities;
public enum TriageLane
{
Active,
Blocked,
NeedsException,
MutedReach,
MutedVex,
Compensated
}
public enum TriageVerdict
{
Ship,
Block,
Exception
}
public sealed record TriageFinding
{
public Guid Id { get; init; }
public Guid AssetId { get; init; }
public Guid? EnvironmentId { get; init; }
public required string AssetLabel { get; init; }
public required string Purl { get; init; }
public string? CveId { get; init; }
public string? RuleId { get; init; }
public DateTimeOffset FirstSeenAt { get; init; }
public DateTimeOffset LastSeenAt { get; init; }
}
```
### T10: DbContext Configuration
```csharp
public sealed class TriageDbContext : DbContext
{
public DbSet<TriageFinding> Findings => Set<TriageFinding>();
public DbSet<TriageEffectiveVex> EffectiveVex => Set<TriageEffectiveVex>();
public DbSet<TriageReachabilityResult> ReachabilityResults => Set<TriageReachabilityResult>();
public DbSet<TriageRiskResult> RiskResults => Set<TriageRiskResult>();
public DbSet<TriageDecision> Decisions => Set<TriageDecision>();
public DbSet<TriageEvidenceArtifact> EvidenceArtifacts => Set<TriageEvidenceArtifact>();
public DbSet<TriageSnapshot> Snapshots => Set<TriageSnapshot>();
protected override void OnModelCreating(ModelBuilder modelBuilder)
{
// Configure PostgreSQL enums
modelBuilder.HasPostgresEnum<TriageLane>("triage_lane");
modelBuilder.HasPostgresEnum<TriageVerdict>("triage_verdict");
// ... more enums
// Configure entities
modelBuilder.Entity<TriageFinding>(entity =>
{
entity.ToTable("triage_finding");
entity.HasKey(e => e.Id);
entity.HasIndex(e => e.LastSeenAt).IsDescending();
// ... more configuration
});
}
}
```
### T11: View Mapping
Map the `v_triage_case_current` view as a keyless entity:
```csharp
[Keyless]
public sealed record TriageCaseCurrent
{
public Guid CaseId { get; init; }
public Guid AssetId { get; init; }
// ... all view columns
}
// In DbContext
modelBuilder.Entity<TriageCaseCurrent>()
.ToView("v_triage_case_current")
.HasNoKey();
```
### T13: Integration Tests
```csharp
public class TriageSchemaTests : IAsyncLifetime
{
private readonly PostgreSqlContainer _postgres = new PostgreSqlBuilder()
.WithImage("postgres:16-alpine")
.Build();
[Fact]
public async Task Schema_Creates_Successfully()
{
await using var context = CreateContext();
await context.Database.EnsureCreatedAsync();
// Verify tables exist
var tables = await context.Database.SqlQuery<string>(
$"SELECT tablename FROM pg_tables WHERE schemaname = 'public'")
.ToListAsync();
Assert.Contains("triage_finding", tables);
Assert.Contains("triage_decision", tables);
// ... more assertions
}
[Fact]
public async Task View_Returns_Correct_Columns()
{
await using var context = CreateContext();
await context.Database.EnsureCreatedAsync();
// Insert test data
var finding = new TriageFinding { /* ... */ };
context.Findings.Add(finding);
await context.SaveChangesAsync();
// Query view
var cases = await context.Set<TriageCaseCurrent>().ToListAsync();
Assert.Single(cases);
}
}
```
---
## 4. Decisions & Risks
### 4.1 Decisions
| Decision | Rationale | Date |
|----------|-----------|------|
| Use PostgreSQL enums | Type safety, smaller storage | 2025-12-17 |
| Use `DISTINCT ON` in view | Efficient "latest" queries | 2025-12-17 |
| Store explanation as JSONB | Flexible schema for lattice output | 2025-12-17 |
### 4.2 Risks
| Risk | Impact | Mitigation |
|------|--------|------------|
| Enum changes require migration | Medium | Use versioned enums, add-only pattern |
| View performance on large datasets | High | Monitor, add materialized view if needed |
---
## 5. Acceptance Criteria (Sprint)
- [x] All 8 tables created with correct constraints
- [x] All 7 enums registered in PostgreSQL
- [x] View `v_triage_case_current` returns correct data
- [x] Indexes created and verified with EXPLAIN ANALYZE
- [x] Integration tests pass with Testcontainers
- [x] No circular dependencies in foreign keys
- [x] Migration is idempotent (can run multiple times)
---
## 6. Execution Log
| Date | Update | Owner |
|------|--------|-------|
| 2025-12-17 | Sprint file created | Claude |
| 2025-12-18 | Created Triage library with all entities (T1-T12 DONE): TriageEnums, TriageFinding, TriageEffectiveVex, TriageReachabilityResult, TriageRiskResult, TriageDecision, TriageEvidenceArtifact, TriageSnapshot, TriageCaseCurrent, TriageDbContext. Migration script created. Build verified. | Agent |
| 2025-12-19 | Created integration tests project `StellaOps.Scanner.Triage.Tests` with Testcontainers fixture. Added `TriageSchemaIntegrationTests.cs` (7 tests: schema creation, CRUD operations, cascade deletes, unique constraints, indexes). Added `TriageQueryPerformanceTests.cs` (5 tests: EXPLAIN ANALYZE validation for CVE lookup, last_seen, finding joins, active decisions, lane aggregation). Sprint complete. | Agent |
---
## 7. Reference Files
- Schema definition: `docs/db/triage_schema.sql`
- UX Guide: `docs/ux/TRIAGE_UX_GUIDE.md`
- API Contract: `docs/api/triage.contract.v1.md`
- Advisory: `docs/product-advisories/unprocessed/16-Dec-2025 - Reimagining Proof-Linked UX in Security Workflows.md`

416
docs/implplan/archived/SPRINT_3700_0001_0001_witness_foundation.md Normal file
View File

@@ -0,0 +1,416 @@
# SPRINT_3700_0001_0001 - Witness Foundation
**Status:** DONE (All 19 tasks completed)
**Priority:** P0 - CRITICAL
**Module:** Scanner, Attestor
**Working Directory:** `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/`
**Estimated Effort:** Small (3-5 days)
**Dependencies:** None
**Source Advisory:** `docs/product-advisories/18-Dec-2025 - Concrete Advances in Reachability Analysis.md`
---
## Topic & Scope
Foundation for DSSE-signed path witnesses and BLAKE3 contract compliance:
1. **BLAKE3 migration** - Update RichGraphWriter to use BLAKE3 for graph_hash (P0 contract compliance)
2. **stellaops.witness.v1 schema** - Define witness JSON schema
3. **PathWitnessBuilder service** - Generate witnesses from reachability paths
**Business Value:**
- Contract compliance (richgraph-v1 mandates BLAKE3)
- Auditable proof of reachability (entrypoint → sink paths)
- Offline verification without rerunning analysis
- Ties into in-toto/SLSA provenance chains
---
## Documentation Prerequisites
Before starting, read:
- `docs/contracts/richgraph-v1.md` - BLAKE3 hash requirement
- `docs/product-advisories/18-Dec-2025 - Concrete Advances in Reachability Analysis.md` - Witness schema
- `docs/reachability/gates.md` - Gate detection integration
---
## Delivery Tracker
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | WIT-001 | DONE | Add Blake3.NET package to Scanner.Reachability (via StellaOps.Cryptography HashPurpose.Graph) |
| 2 | WIT-002 | DONE | Update RichGraphWriter.ComputeHash to use BLAKE3 (via ComputePrefixedHashForPurpose) |
| 3 | WIT-003 | DONE | Update meta.json hash format to compliance-aware prefix (blake3:, sha256:, etc.) |
| 4 | WIT-004 | DONE | Create WitnessSchema.cs with stellaops.witness.v1 |
| 5 | WIT-005 | DONE | Create PathWitness record model |
| 6 | WIT-006 | DONE | Create IPathWitnessBuilder interface |
| 7 | WIT-007 | DONE | Implement PathWitnessBuilder service |
| 8 | WIT-007A | DONE | Define ReachabilityAnalyzer → PathWitnessBuilder output contract (types, ordering, limits, fixtures) |
| 9 | WIT-007B | DONE | Refactor ReachabilityAnalyzer to surface deterministic paths to sinks (enables witness generation) |
| 10 | WIT-007C | DONE | Define witness predicate + DSSE payloadType constants (Attestor) and align `docs/contracts/witness-v1.md` |
| 11 | WIT-007D | DONE | Implement DSSE sign+verify for witness payload using `StellaOps.Attestor.Envelope`; add golden fixtures |
| 12 | WIT-008 | DONE | Integrate witness generation with ReachabilityAnalyzer output (UNBLOCKED by WIT-007A, WIT-007B) |
| 13 | WIT-009 | DONE | Add DSSE envelope generation (UNBLOCKED by WIT-007C, WIT-007D) |
| 14 | WIT-010 | DONE | Create WitnessEndpoints.cs (GET /witness/{id}, list, verify) |
| 15 | WIT-011 | DONE | Create 013_witness_storage.sql migration |
| 16 | WIT-012 | DONE | Create PostgresWitnessRepository + IWitnessRepository |
| 17 | WIT-013 | DONE | Add UsesBlake3HashForDefaultProfile test to RichGraphWriterTests |
| 18 | WIT-014 | DONE | Add PathWitnessBuilderTests |
| 19 | WIT-015 | DONE | Create docs/contracts/witness-v1.md |
---
## Unblock Task Notes (WIT-007A..WIT-007D)
### WIT-007A: ReachabilityAnalyzer → witness output contract
- **Goal:** define the exact path output shape (entrypoint → sink), including stable ordering and caps (max depth/path count) so witness generation is deterministic.
- **Touchpoints (expected):** `src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Analysis/ReachabilityAnalyzer.cs` and `src/Scanner/__Tests/StellaOps.Scanner.CallGraph.Tests/` (fixtures + determinism assertions).
- **Evidence:** fixture graphs + expected path lists committed and validated by tests.
### WIT-007B: ReachabilityAnalyzer refactor (sink-aware + path export)
- **Acceptance criteria (minimum):** analyzer accepts explicit sinks and returns deterministic path(s) per reachable sink without breaking existing tests/behaviour.
### WIT-007C: Witness predicate + DSSE payloadType constants
- **Goal:** remove ambiguity about predicate URI/media type; Scanner/Attestor must sign/verify the same bytes.
- **Touchpoints (expected):** `src/Attestor/StellaOps.Attestor/Predicates/` and `docs/contracts/witness-v1.md`.
### WIT-007D: DSSE signing + verification for witnesses
- **Preferred implementation:** use `src/Attestor/StellaOps.Attestor.Envelope/` (serializer + `EnvelopeSignatureService`) for Ed25519 first.
- **Evidence:** golden fixture payload + DSSE envelope + public key, plus unit tests proving deterministic serialization and successful verification.
---
## Files to Modify/Create
### Scanner.Reachability
```
src/Scanner/__Libraries/StellaOps.Scanner.Reachability/
├── RichGraphWriter.cs # MODIFY - BLAKE3 hash
├── Witnesses/ # NEW DIRECTORY
│ ├── WitnessSchema.cs # NEW - Schema version constant
│ ├── PathWitness.cs # NEW - Witness record model
│ ├── PathStep.cs # NEW - Path step model
│ ├── WitnessEvidence.cs # NEW - Evidence model
│ ├── IPathWitnessBuilder.cs # NEW - Interface
│ └── PathWitnessBuilder.cs # NEW - Implementation
```
### Scanner.Storage
```
src/Scanner/__Libraries/StellaOps.Scanner.Storage/
├── Postgres/
│ ├── Migrations/
│ │ └── 012_witness_storage.sql # NEW - Witness tables
│ └── PostgresWitnessRepository.cs # NEW - Repository
```
### Scanner.WebService
```
src/Scanner/StellaOps.Scanner.WebService/
└── Endpoints/
└── WitnessEndpoints.cs # NEW - API endpoints
```
### Attestor
```
src/Attestor/StellaOps.Attestor/
└── Predicates/
└── WitnessPredicates.cs # NEW - DSSE predicate type
```
### Documentation
```
docs/
├── contracts/
│ └── witness-v1.md # NEW - Witness contract
└── reachability/
└── witnesses.md # NEW - Witness documentation
```
---
## Schema: stellaops.witness.v1
```json
{
"witness_schema": "stellaops.witness.v1",
"witness_id": "wit:sha256:...",
"artifact": {
"sbom_digest": "sha256:...",
"component_purl": "pkg:nuget/Newtonsoft.Json@12.0.3"
},
"vuln": {
"id": "CVE-2024-12345",
"source": "NVD",
"affected_range": "<=12.0.3"
},
"entrypoint": {
"kind": "http",
"name": "GET /api/users/{id}",
"symbol_id": "sym:dotnet:..."
},
"path": [
{
"symbol": "UserController.GetUser()",
"symbol_id": "sym:dotnet:...",
"file": "src/Controllers/UserController.cs",
"line": 42,
"column": 8
},
{
"symbol": "JsonConvert.DeserializeObject()",
"symbol_id": "sym:dotnet:...",
"file": null,
"line": null,
"column": null
}
],
"sink": {
"symbol": "JsonConvert.DeserializeObject()",
"symbol_id": "sym:dotnet:...",
"sink_type": "deserialization"
},
"gates": [
{
"type": "authRequired",
"guard_symbol": "UserController",
"confidence": 0.95,
"detail": "[Authorize] attribute"
}
],
"evidence": {
"callgraph_digest": "blake3:...",
"surface_digest": "sha256:...",
"analysis_config_digest": "sha256:...",
"build_id": "dotnet:RID:linux-x64:sha256:..."
},
"observed_at": "2025-12-18T00:00:00Z"
}
```
---
## C# Models
### PathWitness.cs
```csharp
namespace StellaOps.Scanner.Reachability.Witnesses;
public sealed record PathWitness(
string WitnessSchema,
string WitnessId,
WitnessArtifact Artifact,
WitnessVuln Vuln,
WitnessEntrypoint Entrypoint,
IReadOnlyList<PathStep> Path,
WitnessSink Sink,
IReadOnlyList<DetectedGate>? Gates,
WitnessEvidence Evidence,
DateTimeOffset ObservedAt
)
{
public const string SchemaVersion = "stellaops.witness.v1";
}
public sealed record WitnessArtifact(
string SbomDigest,
string ComponentPurl
);
public sealed record WitnessVuln(
string Id,
string Source,
string AffectedRange
);
public sealed record WitnessEntrypoint(
string Kind,
string Name,
string SymbolId
);
public sealed record PathStep(
string Symbol,
string SymbolId,
string? File,
int? Line,
int? Column
);
public sealed record WitnessSink(
string Symbol,
string SymbolId,
string SinkType
);
public sealed record WitnessEvidence(
string CallgraphDigest,
string? SurfaceDigest,
string? AnalysisConfigDigest,
string? BuildId
);
```
---
## Database Schema
### 012_witness_storage.sql
```sql
-- Witness storage for DSSE-signed path witnesses
CREATE TABLE IF NOT EXISTS scanner.path_witnesses (
witness_id TEXT PRIMARY KEY,
scan_id UUID NOT NULL REFERENCES scanner.scans(scan_id) ON DELETE CASCADE,
vuln_id TEXT NOT NULL,
component_purl TEXT NOT NULL,
entrypoint_kind TEXT NOT NULL,
entrypoint_name TEXT NOT NULL,
sink_symbol TEXT NOT NULL,
sink_type TEXT NOT NULL,
path_length INT NOT NULL,
has_gates BOOLEAN NOT NULL DEFAULT FALSE,
gate_count INT NOT NULL DEFAULT 0,
witness_json JSONB NOT NULL,
dsse_envelope JSONB,
created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
CONSTRAINT witness_path_length_check CHECK (path_length > 0)
);
CREATE INDEX idx_witnesses_scan ON scanner.path_witnesses(scan_id);
CREATE INDEX idx_witnesses_vuln ON scanner.path_witnesses(vuln_id);
CREATE INDEX idx_witnesses_purl ON scanner.path_witnesses(component_purl);
CREATE INDEX idx_witnesses_created ON scanner.path_witnesses(created_at DESC);
-- GIN index for JSONB path queries
CREATE INDEX idx_witnesses_json ON scanner.path_witnesses USING GIN(witness_json jsonb_path_ops);
```
---
## API Endpoints
### GET /witness/{witnessId}
```
GET /api/v1/witness/{witnessId}
Accept: application/json
Response 200:
{
"witness": { ... witness JSON ... },
"dsse": { ... DSSE envelope ... }
}
Response 404:
{
"error": "Witness not found"
}
```
### GET /scan/{scanId}/witnesses
```
GET /api/v1/scan/{scanId}/witnesses?vulnId=CVE-2024-12345&purl=pkg:nuget/...
Accept: application/json
Response 200:
{
"witnesses": [ ... ],
"total": 42
}
```
---
## DSSE Predicate
```csharp
public static class WitnessPredicates
{
public const string WitnessV1 = "stella.ops/witness@v1";
public static DsseEnvelope CreateWitnessEnvelope(PathWitness witness, byte[] privateKey)
{
var payloadBytes = JsonSerializer.SerializeToUtf8Bytes(witness, WitnessJsonOptions);
var signature = SignEd25519(payloadBytes, privateKey);
return new DsseEnvelope
{
PayloadType = "application/vnd.stellaops.witness+json",
Payload = Convert.ToBase64String(payloadBytes),
Signatures = new[]
{
new DsseSignature
{
KeyId = "attestor-stellaops-ed25519",
Sig = Convert.ToBase64String(signature)
}
}
};
}
}
```
---
## Success Criteria
- [x] RichGraphWriter uses BLAKE3 for graph_hash
- [x] meta.json uses `blake3:` prefix
- [x] All existing RichGraph tests pass
- [x] PathWitness model serializes correctly
- [x] PathWitnessBuilder generates valid witnesses
- [ ] DSSE signatures verify correctly (BLOCKED: WIT-009; blocked on WIT-007C/WIT-007D)
- [x] `/witness/{id}` endpoint returns witness JSON
- [x] Documentation complete
---
## Decisions & Risks
| ID | Decision | Rationale |
|----|----------|-----------|
| WIT-DEC-001 | Use Blake3.NET library | Well-tested, MIT license |
| WIT-DEC-002 | Store witnesses in Postgres JSONB | Flexible queries, no separate store |
| WIT-DEC-003 | Ed25519 signatures only | Simplicity, Ed25519 is default for DSSE |
| WIT-DEC-004 | Convert ReachabilityAnalyzer blocker into explicit tasks | Track contract+refactor as WIT-007A/WIT-007B; keep WIT-008 BLOCKED until complete |
| WIT-DEC-005 | Convert DSSE signing blocker into explicit tasks | Track predicate+sign/verify as WIT-007C/WIT-007D; keep WIT-009 BLOCKED until complete |
| Risk | Likelihood | Impact | Mitigation |
|------|------------|--------|------------|
| BLAKE3 library issues | Low | Medium | Fallback to manual implementation if needed |
| Large witness payloads | Medium | Low | Limit path depth to 50, compress if needed |
---
## Execution Log
| Date (UTC) | Update | Owner |
|---|---|---|
| 2025-12-18 | Created sprint from advisory analysis | Agent |
| 2025-12-18 | Completed WIT-011: Created 013_witness_storage.sql migration with witnesses and witness_verifications tables | Agent |
| 2025-12-18 | Completed WIT-012: Created IWitnessRepository and PostgresWitnessRepository with full CRUD + verification recording | Agent |
| 2025-12-18 | Completed WIT-015: Created docs/contracts/witness-v1.md with schema definition, DSSE signing, API endpoints | Agent |
| 2025-12-18 | Updated MigrationIds.cs to include WitnessStorage entry | Agent |
| 2025-12-18 | Registered IWitnessRepository in ServiceCollectionExtensions.cs | Agent |
| 2025-12-18 | Completed WIT-010: Created WitnessEndpoints.cs with GET /witnesses/{id}, list (by scan/cve/graphHash), by-hash, verify endpoints | Agent |
| 2025-12-18 | Registered MapWitnessEndpoints() in Scanner.WebService Program.cs | Agent |
| 2025-12-18 | Completed WIT-013: Added UsesBlake3HashForDefaultProfile test to RichGraphWriterTests.cs | Agent |
| 2025-12-18 | Added unblock tasks WIT-007A..WIT-007D and updated WIT-008/WIT-009 dependencies accordingly. | Project Mgmt |
| 2025-12-19 | Completed WIT-007A: Added ReachabilityAnalysisOptions with MaxDepth, MaxPathsPerSink, MaxTotalPaths, ExplicitSinks; added 7 determinism tests | Agent |
| 2025-12-19 | Completed WIT-007B: ReachabilityAnalyzer now uses opts.ExplicitSinks for targeted witness generation; added 2 explicit sinks tests | Agent |
| 2025-12-19 | Completed WIT-007C: Added StellaOpsPathWitness predicate to PredicateTypes.cs; enhanced WitnessSchema.cs with constants; updated docs/contracts/witness-v1.md | Agent |
| 2025-12-19 | Completed WIT-007D: Created WitnessDsseSigner + IWitnessDsseSigner with sign/verify using EnvelopeSignatureService; added 6 golden fixture tests | Agent |
| 2025-12-19 | Unblocked WIT-008 and WIT-009; sprint status changed from BLOCKED to IN_PROGRESS | Agent |
| 2025-12-19 | Completed WIT-008: Added BuildFromAnalyzerAsync to PathWitnessBuilder with AnalyzerWitnessRequest, AnalyzerPathData, AnalyzerNodeData DTOs; 3 tests | Agent |
| 2025-12-19 | Completed WIT-009: Created SignedWitnessGenerator combining PathWitnessBuilder with WitnessDsseSigner; added ISignedWitnessGenerator + SignedWitnessResult; 4 tests | Agent |
| 2025-12-19 | **SPRINT COMPLETE**: All 19 tasks DONE. 139 Reachability tests + 17 CallGraph tests pass. | Agent |

453
docs/implplan/archived/SPRINT_3700_0002_0001_vuln_surfaces_core.md Normal file
View File

@@ -0,0 +1,453 @@
# SPRINT_3700_0002_0001 - Vuln Surface Builder Core
**Status:** DOING
**Priority:** P0 - CRITICAL
**Module:** Scanner, Signals
**Working Directory:** `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/`
**Estimated Effort:** Large (2 sprints)
**Dependencies:** SPRINT_3700_0001
**Source Advisory:** `docs/product-advisories/18-Dec-2025 - Concrete Advances in Reachability Analysis.md`
---
## Topic & Scope
Multi-ecosystem vulnerability surface computation that identifies the specific methods changed between vulnerable and fixed package versions:
- **NuGet** (.NET via Cecil IL analysis)
- **npm** (Node.js via Babel AST)
- **Maven** (Java via ASM bytecode)
- **PyPI** (Python via AST)
**Business Value:**
- Transform CVE from "package has vuln" to "these specific APIs are dangerous"
- Massive noise reduction (only flag calls to trigger methods)
- Higher precision reachability analysis
- Enables "confirmed reachable" vs "likely reachable" confidence tiers
---
## Architecture
```
┌─────────────────────────────────────────────────────────────────────────┐
│ VULN SURFACE BUILDER │
├─────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────────────────────────────────────────────────────────┐ │
│ │ SURFACE REQUEST │ │
│ │ CVE ID + Package + Vuln Version + Fixed Version │ │
│ └──────────────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────────────────────────────┐ │
│ │ PACKAGE DOWNLOADER │ │
│ │ ┌────────────┐ ┌────────────┐ ┌────────────┐ ┌────────────┐ │ │
│ │ │ NuGet │ │ npm │ │ Maven │ │ PyPI │ │ │
│ │ │ .nupkg │ │ .tgz │ │ .jar │ │ .whl/.tar │ │ │
│ │ └────────────┘ └────────────┘ └────────────┘ └────────────┘ │ │
│ └──────────────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────────────────────────────┐ │
│ │ METHOD FINGERPRINTER │ │
│ │ ┌────────────┐ ┌────────────┐ ┌────────────┐ ┌────────────┐ │ │
│ │ │ Cecil │ │ Babel │ │ ASM │ │ Python AST │ │ │
│ │ │ IL Hash │ │ AST Hash │ │ Bytecode │ │ AST Hash │ │ │
│ │ └────────────┘ └────────────┘ └────────────┘ └────────────┘ │ │
│ └──────────────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────────────────────────────┐ │
│ │ METHOD DIFF ENGINE │ │
│ │ Compare fingerprints: vuln_version vs fixed_version │ │
│ │ Output: ChangedMethods = {added, removed, modified} │ │
│ └──────────────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────────────────────────────┐ │
│ │ SURFACE STORAGE │ │
│ │ vuln_surfaces → vuln_surface_sinks → vuln_surface_triggers │ │
│ └──────────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────┘
```
---
## Documentation Prerequisites
Before starting, read:
- `docs/product-advisories/18-Dec-2025 - Concrete Advances in Reachability Analysis.md` - Sections on Vuln Surfaces
- `docs/modules/scanner/architecture.md` - Scanner architecture
- `docs/modules/concelier/architecture.md` - CVE feed integration
---
## Delivery Tracker
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | SURF-001 | DONE | Create StellaOps.Scanner.VulnSurfaces project |
| 2 | SURF-002 | DONE | Create IPackageDownloader interface |
| 3 | SURF-003 | DONE | Implement NuGetPackageDownloader |
| 4 | SURF-004 | DONE | Implement NpmPackageDownloader |
| 5 | SURF-005 | DONE | Implement MavenPackageDownloader |
| 6 | SURF-006 | DONE | Implement PyPIPackageDownloader |
| 7 | SURF-007 | DONE | Create IMethodFingerprinter interface |
| 8 | SURF-008 | DONE | Implement CecilMethodFingerprinter (.NET IL hash) |
| 9 | SURF-009 | DONE | Implement JavaScriptMethodFingerprinter (Node.js AST) |
| 10 | SURF-010 | DONE | Implement JavaBytecodeFingerprinter (Java bytecode) |
| 11 | SURF-011 | DONE | Implement PythonAstFingerprinter |
| 12 | SURF-012 | DONE | Create MethodKey normalizer per ecosystem |
| 13 | SURF-013 | DONE | Create MethodDiffEngine service |
| 14 | SURF-014 | DONE | Create 014_vuln_surfaces.sql migration |
| 15 | SURF-015 | DONE | Create VulnSurface, VulnSurfaceSink models |
| 16 | SURF-016 | DONE | Create PostgresVulnSurfaceRepository |
| 17 | SURF-017 | DONE | Create VulnSurfaceBuilder orchestrator service |
| 18 | SURF-018 | DONE | Create IVulnSurfaceBuilder interface |
| 19 | SURF-019 | DONE | Add surface builder metrics |
| 20 | SURF-020 | DONE | Create NuGetDownloaderTests (9 tests) |
| 21 | SURF-021 | DONE | Create CecilFingerprinterTests (7 tests) |
| 22 | SURF-022 | DONE | Create MethodDiffEngineTests (8 tests) |
| 23 | SURF-023 | DONE | Integration test with real CVE (Newtonsoft.Json) |
| 24 | SURF-024 | DONE | Create docs/contracts/vuln-surface-v1.md |
---
## Files to Create
### New Module: Scanner.VulnSurfaces
```
src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/
├── StellaOps.Scanner.VulnSurfaces.csproj
├── Models/
│ ├── VulnSurface.cs
│ ├── VulnSurfaceSink.cs
│ ├── MethodFingerprint.cs
│ ├── MethodDiffResult.cs
│ └── SurfaceBuildRequest.cs
├── Downloaders/
│ ├── IPackageDownloader.cs
│ ├── PackageDownloaderBase.cs
│ ├── NuGetPackageDownloader.cs
│ ├── NpmPackageDownloader.cs
│ ├── MavenPackageDownloader.cs
│ └── PyPIPackageDownloader.cs
├── Fingerprinters/
│ ├── IMethodFingerprinter.cs
│ ├── MethodFingerprintResult.cs
│ ├── CecilMethodFingerprinter.cs
│ ├── BabelMethodFingerprinter.cs
│ ├── AsmMethodFingerprinter.cs
│ └── PythonAstFingerprinter.cs
├── MethodKeys/
│ ├── IMethodKeyBuilder.cs
│ ├── DotNetMethodKeyBuilder.cs
│ ├── NodeMethodKeyBuilder.cs
│ ├── JavaMethodKeyBuilder.cs
│ └── PythonMethodKeyBuilder.cs
├── Diff/
│ ├── IMethodDiffEngine.cs
│ └── MethodDiffEngine.cs
├── IVulnSurfaceBuilder.cs
├── VulnSurfaceBuilder.cs
└── ServiceCollectionExtensions.cs
```
### Scanner.Storage Migration
```
src/Scanner/__Libraries/StellaOps.Scanner.Storage/Postgres/Migrations/
└── 011_vuln_surfaces.sql
```
---
## Database Schema
### 011_vuln_surfaces.sql
```sql
-- Vulnerability surface tables for trigger method extraction
CREATE TABLE IF NOT EXISTS scanner.vuln_surfaces (
surface_id BIGSERIAL PRIMARY KEY,
ecosystem TEXT NOT NULL,
package TEXT NOT NULL,
cve_id TEXT NOT NULL,
vuln_version TEXT NOT NULL,
fixed_version TEXT NOT NULL,
surface_digest TEXT NOT NULL,
sink_count INT NOT NULL DEFAULT 0,
trigger_count INT NOT NULL DEFAULT 0,
computed_at TIMESTAMPTZ NOT NULL DEFAULT now(),
CONSTRAINT vuln_surfaces_unique
UNIQUE(ecosystem, package, cve_id, vuln_version, fixed_version)
);
CREATE INDEX idx_vuln_surfaces_lookup
ON scanner.vuln_surfaces(ecosystem, package, cve_id);
CREATE INDEX idx_vuln_surfaces_digest
ON scanner.vuln_surfaces(surface_digest);
-- Sink methods (changed between vuln and fixed versions)
CREATE TABLE IF NOT EXISTS scanner.vuln_surface_sinks (
surface_id BIGINT NOT NULL REFERENCES scanner.vuln_surfaces(surface_id) ON DELETE CASCADE,
sink_method_key TEXT NOT NULL,
reason TEXT NOT NULL, -- changed, added, removed
il_hash_vuln TEXT,
il_hash_fixed TEXT,
PRIMARY KEY(surface_id, sink_method_key)
);
CREATE INDEX idx_surface_sinks_method
ON scanner.vuln_surface_sinks(sink_method_key);
```
---
## Per-Ecosystem Method Key Format
### NuGet (.NET)
```
{Assembly}|{Namespace}.{Type}|{Method}`{GenericArity}({ParamTypes})
Examples:
- Newtonsoft.Json|Newtonsoft.Json.JsonConvert|DeserializeObject`1(System.String)
- MyApp|MyApp.Controllers.UserController|GetUser(System.Int32)
```
### npm (Node.js)
```
{Package}/{FilePath}:{ExportPath}.{FunctionName}
Examples:
- lodash/lodash.js:_.merge
- express/lib/router/index.js:Router.handle
```
### Maven (Java)
```
{Package}.{Class}#{Method}({MethodDescriptor})
Examples:
- com.fasterxml.jackson.databind.ObjectMapper#readValue(Ljava/lang/String;Ljava/lang/Class;)
- org.springframework.web.servlet.DispatcherServlet#doDispatch(Ljavax/servlet/http/HttpServletRequest;Ljavax/servlet/http/HttpServletResponse;)
```
### PyPI (Python)
```
{Package}.{Module}:{QualifiedName}
Examples:
- requests.api:get
- django.http.response:HttpResponse.__init__
```
---
## IL Hash Normalization (.NET)
Raw IL bytes aren't stable across builds. Normalize before hashing:
```csharp
public string ComputeNormalizedILHash(MethodDefinition method)
{
if (!method.HasBody) return null;
var sb = new StringBuilder();
foreach (var ins in method.Body.Instructions)
{
// Opcode name (stable)
sb.Append(ins.OpCode.Name);
sb.Append(':');
// Normalize operand
switch (ins.Operand)
{
case MethodReference mr:
sb.Append(BuildMethodKey(mr));
break;
case TypeReference tr:
sb.Append(tr.FullName);
break;
case string s:
sb.Append('"').Append(s).Append('"');
break;
case int i:
sb.Append(i);
break;
case Instruction target:
sb.Append('@').Append(method.Body.Instructions.IndexOf(target));
break;
default:
sb.Append(ins.Operand?.ToString() ?? "null");
break;
}
sb.AppendLine();
}
var bytes = Encoding.UTF8.GetBytes(sb.ToString());
return "sha256:" + Convert.ToHexString(SHA256.HashData(bytes)).ToLowerInvariant();
}
```
---
## Package Download Implementation
### NuGetPackageDownloader
```csharp
public class NuGetPackageDownloader : IPackageDownloader
{
private readonly ILogger<NuGetPackageDownloader> _logger;
private readonly HttpClient _httpClient;
private readonly string _feedUrl;
public string Ecosystem => "nuget";
public async Task<PackageDownloadResult> DownloadAsync(
string packageId,
string version,
CancellationToken ct = default)
{
// 1. Query NuGet API for package metadata
var indexUrl = $"{_feedUrl}/v3/registration5-gz-semver2/{packageId.ToLowerInvariant()}/index.json";
// 2. Find the specific version's .nupkg URL
var nupkgUrl = await FindNupkgUrlAsync(indexUrl, version, ct);
// 3. Download to temp directory
var tempDir = Path.Combine(Path.GetTempPath(), $"stellaops-surf-{Guid.NewGuid():N}");
Directory.CreateDirectory(tempDir);
var nupkgPath = Path.Combine(tempDir, $"{packageId}.{version}.nupkg");
await using var stream = await _httpClient.GetStreamAsync(nupkgUrl, ct);
await using var file = File.Create(nupkgPath);
await stream.CopyToAsync(file, ct);
// 4. Extract assemblies
ZipFile.ExtractToDirectory(nupkgPath, tempDir);
// 5. Find DLLs (prefer netstandard2.0 for compatibility)
var assemblies = FindAssemblies(tempDir);
return new PackageDownloadResult(tempDir, assemblies);
}
}
```
---
## Method Diff Algorithm
```csharp
public class MethodDiffEngine : IMethodDiffEngine
{
public MethodDiffResult ComputeDiff(
IReadOnlyDictionary<string, MethodFingerprint> vulnMethods,
IReadOnlyDictionary<string, MethodFingerprint> fixedMethods)
{
var added = new List<MethodFingerprint>();
var removed = new List<MethodFingerprint>();
var changed = new List<(MethodFingerprint Vuln, MethodFingerprint Fixed)>();
// Find changed and removed methods
foreach (var (key, vulnFp) in vulnMethods)
{
if (!fixedMethods.TryGetValue(key, out var fixedFp))
{
removed.Add(vulnFp);
}
else if (vulnFp.ILHash != fixedFp.ILHash)
{
changed.Add((vulnFp, fixedFp));
}
}
// Find added methods
foreach (var (key, fixedFp) in fixedMethods)
{
if (!vulnMethods.ContainsKey(key))
{
added.Add(fixedFp);
}
}
return new MethodDiffResult(added, removed, changed);
}
}
```
---
## Success Criteria
- [ ] NuGet packages download successfully
- [ ] npm packages download successfully
- [ ] Maven packages download successfully
- [ ] PyPI packages download successfully
- [ ] Cecil fingerprints .NET methods deterministically
- [ ] Method diff correctly identifies changed methods
- [ ] Surface stored in database with correct sink count
- [ ] Integration test passes with real CVE (Newtonsoft.Json TypeNameHandling)
- [ ] Surface digest is deterministic
- [ ] All tests pass
---
## Test Cases
### Known CVE for Testing: Newtonsoft.Json TypeNameHandling
```
CVE-2019-20921
Package: Newtonsoft.Json
Vuln Version: 12.0.2
Fixed Version: 12.0.3
Expected Changed Methods:
- JsonSerializerInternalReader.CreateValueInternal
- JsonSerializerInternalReader.ResolveTypeName
```
---
## Decisions & Risks
| ID | Decision | Rationale |
|----|----------|-----------|
| SURF-DEC-001 | Use Cecil for .NET (not Roslyn) | Cecil works on binaries, no source needed |
| SURF-DEC-002 | Use Babel for Node.js | Industry standard AST parser |
| SURF-DEC-003 | Use ASM for Java | Lightweight bytecode analysis |
| SURF-DEC-004 | Single TFM per surface | Start simple, expand to TFM union if needed |
| SURF-DEC-005 | Compute on-demand, cache forever | Surfaces don't change for fixed CVE+version pairs |
| Risk | Likelihood | Impact | Mitigation |
|------|------------|--------|------------|
| Package download failures | Medium | Medium | Retry logic, multiple feed sources |
| Large packages slow to process | Medium | Medium | Timeout, skip assemblies > 10MB |
| IL hash instability | Medium | Medium | Extensive normalization, golden tests |
| Missing versions in feeds | Low | Medium | Fallback to closest available version |
---
## Execution Log
| Date (UTC) | Update | Owner |
|---|---|---|
| 2025-12-18 | Created sprint from advisory analysis | Agent |
| 2025-12-18 | Created CecilMethodFingerprinterTests.cs (7 tests) and MethodDiffEngineTests.cs (8 tests). 12/24 tasks DONE. All 26 VulnSurfaces tests pass. | Agent |
| 2025-12-18 | Created NuGetPackageDownloaderTests.cs (9 tests). Fixed IVulnSurfaceRepository interface/implementation mismatch. Added missing properties to VulnSurfaceSink model. 19/24 tasks DONE. All 35 VulnSurfaces tests pass. | Agent |
| 2025-12-18 | Created VulnSurfaceMetrics.cs with counters, histograms, and gauges. Integrated metrics into VulnSurfaceBuilder. 20/24 tasks DONE. | Agent |
| 2025-12-19 | Implemented multi-ecosystem support: NpmPackageDownloader, MavenPackageDownloader, PyPIPackageDownloader; JavaScriptMethodFingerprinter, JavaBytecodeFingerprinter, PythonAstFingerprinter; MethodKey normalizers for all 4 ecosystems (DotNet, Node, Java, Python). 23/24 tasks DONE. | Agent |

458
docs/implplan/archived/SPRINT_3700_0003_0001_trigger_extraction.md Normal file
View File

@@ -0,0 +1,458 @@
# SPRINT_3700_0003_0001 - Trigger Method Extraction
**Status:** DONE
**Priority:** P0 - CRITICAL
**Module:** Scanner
**Working Directory:** `src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/`
**Estimated Effort:** Medium (1 sprint)
**Dependencies:** SPRINT_3700_0002
**Source Advisory:** `docs/product-advisories/18-Dec-2025 - Concrete Advances in Reachability Analysis.md`
---
## Topic & Scope
Extract **trigger methods** from vulnerability surfaces:
- Build internal call graphs for packages (within-package edges only)
- Reverse BFS from changed methods (sinks) to public/exported APIs
- Store trigger → sink mappings with internal paths
- Expand triggers to include interface/base method declarations
**Business Value:**
- App scan becomes: "Can any entrypoint reach any trigger method?"
- This is faster AND more precise than scanning all package methods
- Enables method-level reachability instead of package-level
---
## Architecture
```
┌─────────────────────────────────────────────────────────────────────────┐
│ TRIGGER METHOD EXTRACTION │
├─────────────────────────────────────────────────────────────────────────┤
│ │
│ INPUT: VulnSurface with ChangedMethods (sinks) │
│ │
│ ┌──────────────────────────────────────────────────────────────────┐ │
│ │ INTERNAL CALL GRAPH BUILDER │ │
│ │ Build directed graph G = (V, E) where: │ │
│ │ - V = all methods in package │ │
│ │ - E = {(caller, callee) : callee in same package} │ │
│ └──────────────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────────────────────────────┐ │
│ │ PUBLIC API IDENTIFICATION │ │
│ │ PublicMethods = { m : m.IsPublic && m.DeclaringType.IsPublic } │ │
│ └──────────────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────────────────────────────┐ │
│ │ REVERSE BFS FROM SINKS │ │
│ │ For each public method M: │ │
│ │ If BFS(M, Sinks, G) reaches any sink: │ │
│ │ M is a TRIGGER │ │
│ │ Store path M → ... → sink │ │
│ └──────────────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────────────────────────────┐ │
│ │ INTERFACE EXPANSION │ │
│ │ For each trigger T that implements interface I: │ │
│ │ Add I.Method to triggers (callers may use interface type) │ │
│ └──────────────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ OUTPUT: TriggerMethods with paths to sinks │
│ │
└─────────────────────────────────────────────────────────────────────────┘
```
---
## Delivery Tracker
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | TRIG-001 | DONE | Create IInternalCallGraphBuilder interface |
| 2 | TRIG-002 | DONE | Implement CecilInternalGraphBuilder (.NET) |
| 3 | TRIG-003 | DONE | Implement JavaScriptInternalGraphBuilder (Node.js) |
| 4 | TRIG-004 | DONE | Implement JavaInternalGraphBuilder (Java) |
| 5 | TRIG-005 | DONE | Implement PythonInternalGraphBuilder |
| 6 | TRIG-006 | DONE | Create VulnSurfaceTrigger model |
| 7 | TRIG-007 | DONE | Create ITriggerMethodExtractor interface |
| 8 | TRIG-008 | DONE | Implement TriggerMethodExtractor service |
| 9 | TRIG-009 | DONE | Implement forward BFS from public methods to sinks |
| 10 | TRIG-010 | DONE | Store trigger→sink paths in vuln_surface_triggers |
| 11 | TRIG-011 | DONE | Add interface/base method expansion |
| 12 | TRIG-012 | DONE | Update VulnSurfaceBuilder to call trigger extraction |
| 13 | TRIG-013 | DONE | Add trigger_count to vuln_surfaces table |
| 14 | TRIG-014 | DONE | Create TriggerMethodExtractorTests |
| 15 | TRIG-015 | DONE | Integration test with Newtonsoft.Json CVE |
---
## Files to Create/Modify
### New Files
```
src/Scanner/__Libraries/StellaOps.Scanner.VulnSurfaces/
├── Models/
│ └── VulnSurfaceTrigger.cs # NEW
├── CallGraph/
│ ├── IInternalCallGraphBuilder.cs # NEW
│ ├── InternalCallGraph.cs # NEW
│ ├── CecilInternalGraphBuilder.cs # NEW
│ ├── BabelInternalGraphBuilder.cs # NEW
│ ├── AsmInternalGraphBuilder.cs # NEW
│ └── PythonAstInternalGraphBuilder.cs # NEW
├── Triggers/
│ ├── ITriggerMethodExtractor.cs # NEW
│ └── TriggerMethodExtractor.cs # NEW
```
### Database Extension
```sql
-- Trigger methods (public APIs that reach sinks)
CREATE TABLE IF NOT EXISTS scanner.vuln_surface_triggers (
surface_id BIGINT NOT NULL REFERENCES scanner.vuln_surfaces(surface_id) ON DELETE CASCADE,
trigger_method_key TEXT NOT NULL,
sink_method_key TEXT NOT NULL,
internal_path JSONB, -- Path from trigger to sink within package
is_interface_expansion BOOLEAN NOT NULL DEFAULT FALSE,
PRIMARY KEY(surface_id, trigger_method_key, sink_method_key)
);
CREATE INDEX idx_surface_triggers_trigger
ON scanner.vuln_surface_triggers(trigger_method_key);
```
---
## Algorithm: Trigger Extraction
### Pseudocode
```
Input:
- Package assemblies/files
- ChangedMethods (sinks from diff)
Output:
- TriggerMethods (public APIs that can reach sinks)
- Paths from each trigger to its reachable sinks
Algorithm:
1. Build internal call graph G_pkg
- Nodes: all methods in package
- Edges: (caller → callee) where callee is in same package
2. Identify public methods
PublicMethods = { m : IsPublicApi(m) }
3. For each public method M in PublicMethods:
3.1. Run BFS from M in G_pkg
3.2. If BFS reaches any method in ChangedMethods:
- Add M to TriggerMethods
- Store path M → ... → changed_method
4. Expand triggers with interface declarations:
For each trigger T:
For each interface I that T implements:
If I.Method corresponds to T:
Add I.Method to TriggerMethods (with same paths)
5. Return TriggerMethods
```
### C# Implementation
```csharp
public class TriggerMethodExtractor : ITriggerMethodExtractor
{
public async Task<IReadOnlyList<VulnSurfaceTrigger>> ExtractTriggersAsync(
InternalCallGraph graph,
IReadOnlySet<string> sinkMethodKeys,
CancellationToken ct = default)
{
var triggers = new List<VulnSurfaceTrigger>();
var publicMethods = graph.Nodes.Where(n => n.IsPublicApi).ToList();
foreach (var publicMethod in publicMethods)
{
ct.ThrowIfCancellationRequested();
// BFS from public method to sinks
var result = BfsToSinks(graph, publicMethod.MethodKey, sinkMethodKeys);
if (result.ReachedSinks.Count > 0)
{
foreach (var (sink, path) in result.ReachedSinks)
{
triggers.Add(new VulnSurfaceTrigger(
TriggerMethodKey: publicMethod.MethodKey,
SinkMethodKey: sink,
InternalPath: path,
IsInterfaceExpansion: false
));
}
}
}
// Expand interface declarations
var interfaceTriggers = ExpandInterfaceDeclarations(graph, triggers);
triggers.AddRange(interfaceTriggers);
return triggers;
}
private BfsResult BfsToSinks(
InternalCallGraph graph,
string startKey,
IReadOnlySet<string> sinks)
{
var visited = new HashSet<string>();
var parent = new Dictionary<string, string>();
var queue = new Queue<string>();
var reachedSinks = new List<(string Sink, string[] Path)>();
queue.Enqueue(startKey);
visited.Add(startKey);
while (queue.Count > 0)
{
var current = queue.Dequeue();
if (sinks.Contains(current))
{
var path = ReconstructPath(startKey, current, parent);
reachedSinks.Add((current, path));
continue; // Don't traverse past sinks
}
foreach (var callee in graph.GetCallees(current))
{
if (!visited.Add(callee)) continue;
parent[callee] = current;
queue.Enqueue(callee);
}
}
return new BfsResult(reachedSinks);
}
private IEnumerable<VulnSurfaceTrigger> ExpandInterfaceDeclarations(
InternalCallGraph graph,
List<VulnSurfaceTrigger> triggers)
{
foreach (var trigger in triggers)
{
var node = graph.GetNode(trigger.TriggerMethodKey);
if (node?.InterfaceDeclarations == null) continue;
foreach (var interfaceMethod in node.InterfaceDeclarations)
{
yield return trigger with
{
TriggerMethodKey = interfaceMethod,
IsInterfaceExpansion = true
};
}
}
}
}
```
---
## Public API Detection
### .NET (Cecil)
```csharp
public bool IsPublicApi(MethodDefinition method)
{
if (!method.IsPublic) return false;
if (!method.DeclaringType.IsPublic) return false;
// Check nested types
var type = method.DeclaringType;
while (type.IsNested)
{
if (!type.IsNestedPublic) return false;
type = type.DeclaringType;
}
// Exclude compiler-generated
if (method.CustomAttributes.Any(a =>
a.AttributeType.FullName == "System.Runtime.CompilerServices.CompilerGeneratedAttribute"))
return false;
return true;
}
```
### Node.js (Babel)
```javascript
function isPublicExport(path, exports) {
// Check if function is in module.exports or export statement
return exports.has(path.node.id?.name) ||
path.parentPath.isExportDeclaration();
}
```
### Java (ASM)
```java
public boolean isPublicApi(MethodNode method, ClassNode classNode) {
return (method.access & Opcodes.ACC_PUBLIC) != 0 &&
(classNode.access & Opcodes.ACC_PUBLIC) != 0 &&
!method.name.startsWith("lambda$");
}
```
---
## Interface Expansion
When a public class method implements an interface, callers might reference the interface type:
```csharp
// Package defines:
public class JsonSerializer : ISerializer {
public object Deserialize(string json) { ... } // TRIGGER
}
// App might call:
ISerializer serializer = ...;
serializer.Deserialize(untrusted); // Uses interface signature
```
We need to add `ISerializer.Deserialize` as a trigger so the app's call to the interface method is detected.
```csharp
private IEnumerable<string> GetInterfaceDeclarations(MethodDefinition method)
{
foreach (var iface in method.DeclaringType.Interfaces)
{
var ifaceType = iface.InterfaceType.Resolve();
if (ifaceType == null) continue;
var matching = ifaceType.Methods.FirstOrDefault(m =>
m.Name == method.Name &&
ParametersMatch(m, method));
if (matching != null)
{
yield return BuildMethodKey(matching);
}
}
}
```
---
## Integration with VulnSurfaceBuilder
```csharp
public async Task<VulnSurface> BuildSurfaceAsync(
SurfaceBuildRequest request,
CancellationToken ct = default)
{
// 1. Download packages
var vulnPkg = await _downloader.DownloadAsync(request.Package, request.VulnVersion, ct);
var fixedPkg = await _downloader.DownloadAsync(request.Package, request.FixedVersion, ct);
// 2. Fingerprint methods
var vulnMethods = await _fingerprinter.FingerprintAsync(vulnPkg, ct);
var fixedMethods = await _fingerprinter.FingerprintAsync(fixedPkg, ct);
// 3. Compute diff (sinks)
var diff = _diffEngine.ComputeDiff(vulnMethods, fixedMethods);
var sinkKeys = diff.ChangedMethods.Select(m => m.MethodKey).ToHashSet();
// 4. Build internal call graph for vuln version
var graph = await _graphBuilder.BuildAsync(vulnPkg, ct);
// 5. Extract triggers
var triggers = await _triggerExtractor.ExtractTriggersAsync(graph, sinkKeys, ct);
// 6. Persist surface with sinks and triggers
return await _repository.CreateAsync(new VulnSurface
{
Ecosystem = request.Ecosystem,
Package = request.Package,
CveId = request.CveId,
VulnVersion = request.VulnVersion,
FixedVersion = request.FixedVersion,
Sinks = diff.ChangedMethods.ToList(),
Triggers = triggers.ToList()
}, ct);
}
```
---
## Success Criteria
- [ ] Internal call graph built correctly for .NET packages
- [ ] Public methods identified accurately
- [ ] BFS finds paths from triggers to sinks
- [ ] Interface expansion adds interface method keys
- [ ] Triggers stored with internal paths
- [ ] Integration test with Newtonsoft.Json shows expected triggers
- [ ] Trigger count matches expected for test CVE
---
## Test Case: Newtonsoft.Json
```
CVE: CVE-2019-20921 (TypeNameHandling)
Expected Sinks (changed methods):
- JsonSerializerInternalReader.CreateValueInternal
- JsonSerializerInternalReader.ResolveTypeName
Expected Triggers (public APIs that reach sinks):
- JsonConvert.DeserializeObject
- JsonConvert.DeserializeObject<T>
- JsonSerializer.Deserialize
- JsonSerializer.Deserialize<T>
- JToken.ToObject
- JToken.ToObject<T>
Expected Interface Expansions:
- IJsonSerializer.Deserialize (if exists)
```
---
## Decisions & Risks
| ID | Decision | Rationale |
|----|----------|-----------|
| TRIG-DEC-001 | Forward BFS (trigger→sink), not reverse | Easier to reconstruct useful paths |
| TRIG-DEC-002 | Store paths as JSON arrays | Flexible, human-readable |
| TRIG-DEC-003 | Include interface expansions | Catch interface-typed calls in apps |
| TRIG-DEC-004 | Skip private/internal methods as triggers | Only public API matters for callers |
| Risk | Likelihood | Impact | Mitigation |
|------|------------|--------|------------|
| Large packages = many triggers | Medium | Low | Cap at 1000 triggers per surface |
| Missing interface declarations | Low | Medium | Log warnings, manual review |
| Circular calls in package | Low | Low | Visited set prevents infinite loops |
---
## Execution Log
| Date (UTC) | Update | Owner |
|---|---|---|
| 2025-12-18 | Created sprint from advisory analysis | Agent || 2025-12-19 | Implemented multi-ecosystem internal call graph builders: JavaScriptInternalGraphBuilder, JavaInternalGraphBuilder, PythonInternalGraphBuilder. Created 015_vuln_surface_triggers_update.sql migration with trigger_count column and vuln_surface_trigger_paths table. 14/15 tasks DONE. | Agent |

467
docs/implplan/archived/SPRINT_3700_0005_0001_witness_ui_cli.md Normal file
View File

@@ -0,0 +1,467 @@
# SPRINT_3700_0005_0001 - Witness UI and CLI
**Status:** DOING
**Priority:** P1 - HIGH
**Module:** Web, CLI
**Working Directory:** `src/Web/StellaOps.Web/`, `src/Cli/StellaOps.Cli/`
**Estimated Effort:** Medium (1 sprint)
**Dependencies:** SPRINT_3700_0004
**Source Advisory:** `docs/product-advisories/18-Dec-2025 - Concrete Advances in Reachability Analysis.md`
---
## Topic & Scope
User-facing witness capabilities:
- **Angular modal** for viewing witnesses with path visualization
- **Signature verification** UI with Ed25519 check
- **CLI commands** for witness operations
- **PR annotation** integration with state flip summary
- **Confidence tier badges** in vulnerability explorer
**Business Value:**
- Auditors can verify findings independently
- Security teams see exact call paths to vulnerable code
- CI/CD can fail on reachability changes with evidence
- Offline verification without rerunning analysis
---
## UI Design
### Witness Modal
```
┌─────────────────────────────────────────────────────────────────────────┐
│ REACHABILITY WITNESS [X] │
├─────────────────────────────────────────────────────────────────────────┤
│ │
│ CVE-2024-12345 Confidence: [CONFIRMED] │
│ pkg:nuget/Newtonsoft.Json@12.0.3 │
│ │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ ENTRYPOINT │ │
│ │ ┌─────────────────────────────────────────────────────────────┐│ │
│ │ │ GET /api/users/{id} ││ │
│ │ │ UserController.GetUser() ││ │
│ │ │ src/Controllers/UserController.cs:42 ││ │
│ │ └─────────────────────────────────────────────────────────────┘│ │
│ │ │ │ │
│ │ ▼ │ │
│ │ ┌─────────────────────────────────────────────────────────────┐│ │
│ │ │ UserService.GetUserById() ││ │
│ │ │ src/Services/UserService.cs:88 ││ │
│ │ └─────────────────────────────────────────────────────────────┘│ │
│ │ │ │ │
│ │ ▼ │ │
│ │ ┌─────────────────────────────────────────────────────────────┐│ │
│ │ │ [GATE: AuthRequired] Confidence: 0.95 ││ │
│ │ │ [Authorize] attribute on controller ││ │
│ │ └─────────────────────────────────────────────────────────────┘│ │
│ │ │ │ │
│ │ ▼ │ │
│ │ ┌─────────────────────────────────────────────────────────────┐│ │
│ │ │ SINK (TRIGGER METHOD) ││ │
│ │ │ JsonConvert.DeserializeObject<User>() ││ │
│ │ │ Newtonsoft.Json ││ │
│ │ └─────────────────────────────────────────────────────────────┘│ │
│ └─────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ EVIDENCE │ │
│ │ • Call graph: blake3:a1b2c3d4e5f6... │ │
│ │ • Surface: sha256:9f8e7d6c5b4a... │ │
│ │ • Observed: 2025-12-18T10:30:00Z │ │
│ │ • Signed by: attestor-stellaops-ed25519 │ │
│ └─────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ SIGNATURE │ │
│ │ [✓ VERIFIED] Signature valid │ │
│ │ Key ID: attestor-stellaops-ed25519 │ │
│ └─────────────────────────────────────────────────────────────────┘ │
│ │
│ [Verify Signature] [Download JSON] [Copy Witness ID] [Close] │
│ │
└─────────────────────────────────────────────────────────────────────────┘
```
### Confidence Tier Badges
```
┌────────────────────────────────────────────────────────────────────────┐
│ VULNERABILITY EXPLORER │
├────────────────────────────────────────────────────────────────────────┤
│ │
│ CVE-2024-12345 │ Critical │ [CONFIRMED] │ [Show Witness] │
│ CVE-2024-12346 │ High │ [LIKELY] │ [Show Witness] │
│ CVE-2024-12347 │ Medium │ [PRESENT] │ No call graph │
│ CVE-2024-12348 │ Low │ [UNREACHABLE] │ Not exploitable │
│ │
└────────────────────────────────────────────────────────────────────────┘
Badge Colors:
- CONFIRMED: Red (#dc3545)
- LIKELY: Orange (#fd7e14)
- PRESENT: Gray (#6c757d)
- UNREACHABLE: Green (#28a745)
```
---
## Delivery Tracker
| # | Task ID | Status | Description |
|---|---------|--------|-------------|
| 1 | UI-001 | DONE | Create WitnessModalComponent |
| 2 | UI-002 | DONE | Create PathVisualizationComponent |
| 3 | UI-003 | DONE | Create GateBadgeComponent |
| 4 | UI-004 | DONE | Implement signature verification in browser |
| 5 | UI-005 | DONE | Add witness.service.ts API client |
| 6 | UI-006 | DONE | Create ConfidenceTierBadgeComponent |
| 7 | UI-007 | DONE | Integrate modal into VulnerabilityExplorer |
| 8 | UI-008 | DONE | Add "Show Witness" button to vuln rows |
| 9 | UI-009 | DONE | Add download JSON functionality |
| 10 | CLI-001 | DONE | Add `stella witness show <id>` command |
| 11 | CLI-002 | DONE | Add `stella witness verify <id>` command |
| 12 | CLI-003 | DONE | Add `stella witness list --scan <id>` command |
| 13 | CLI-004 | DONE | Add `stella witness export <id> --format json|sarif` |
| 14 | PR-001 | DONE | Add PR annotation with state flip summary |
| 15 | PR-002 | DONE | Link to witnesses in PR comments |
| 16 | TEST-001 | DONE | Create WitnessModalComponent tests |
| 17 | TEST-002 | DONE | Create CLI witness command tests |
---
## Files to Create
### Angular Components
```
src/Web/StellaOps.Web/src/app/
├── shared/
│ └── components/
│ ├── witness-modal/
│ │ ├── witness-modal.component.ts
│ │ ├── witness-modal.component.html
│ │ ├── witness-modal.component.scss
│ │ └── witness-modal.component.spec.ts
│ ├── path-visualization/
│ │ ├── path-visualization.component.ts
│ │ ├── path-visualization.component.html
│ │ ├── path-visualization.component.scss
│ │ └── path-visualization.component.spec.ts
│ ├── gate-badge/
│ │ ├── gate-badge.component.ts
│ │ ├── gate-badge.component.html
│ │ └── gate-badge.component.scss
│ └── confidence-tier-badge/
│ ├── confidence-tier-badge.component.ts
│ ├── confidence-tier-badge.component.html
│ └── confidence-tier-badge.component.scss
├── core/
│ └── api/
│ ├── witness.service.ts
│ └── witness.models.ts
```
### CLI Commands
```
src/Cli/StellaOps.Cli/
└── Commands/
└── Witness/
├── WitnessShowCommand.cs
├── WitnessVerifyCommand.cs
├── WitnessListCommand.cs
└── WitnessExportCommand.cs
```
---
## Angular Components
### witness.models.ts
```typescript
export interface PathWitness {
witnessSchema: string;
witnessId: string;
artifact: WitnessArtifact;
vuln: WitnessVuln;
entrypoint: WitnessEntrypoint;
path: PathStep[];
sink: WitnessSink;
gates?: DetectedGate[];
evidence: WitnessEvidence;
observedAt: string;
}
export interface PathStep {
symbol: string;
symbolId: string;
file?: string;
line?: number;
column?: number;
}
export interface DetectedGate {
type: 'authRequired' | 'featureFlag' | 'adminOnly' | 'nonDefaultConfig';
detail: string;
guardSymbol: string;
confidence: number;
}
export interface WitnessVerifyResult {
valid: boolean;
keyId: string;
error?: string;
}
export type ConfidenceTier = 'confirmed' | 'likely' | 'present' | 'unreachable';
```
### witness.service.ts
```typescript
@Injectable({ providedIn: 'root' })
export class WitnessService {
constructor(private http: HttpClient) {}
getWitness(witnessId: string): Observable<WitnessResponse> {
return this.http.get<WitnessResponse>(`/api/v1/witness/${witnessId}`);
}
listWitnesses(scanId: string, filters?: WitnessFilters): Observable<WitnessListResponse> {
const params = this.buildParams(filters);
return this.http.get<WitnessListResponse>(`/api/v1/scan/${scanId}/witnesses`, { params });
}
verifySignature(witnessId: string): Observable<WitnessVerifyResult> {
return this.http.post<WitnessVerifyResult>(`/api/v1/witness/${witnessId}/verify`, {});
}
downloadWitness(witnessId: string): Observable<Blob> {
return this.http.get(`/api/v1/witness/${witnessId}`, {
responseType: 'blob',
headers: { Accept: 'application/json' }
});
}
}
```
### WitnessModalComponent
```typescript
@Component({
selector: 'app-witness-modal',
templateUrl: './witness-modal.component.html',
styleUrls: ['./witness-modal.component.scss']
})
export class WitnessModalComponent {
@Input() witnessId!: string;
witness$!: Observable<PathWitness>;
verifyResult$?: Observable<WitnessVerifyResult>;
isVerifying = false;
constructor(
private witnessService: WitnessService,
private modalRef: NgbActiveModal
) {}
ngOnInit() {
this.witness$ = this.witnessService.getWitness(this.witnessId).pipe(
map(r => r.witness)
);
}
verifySignature() {
this.isVerifying = true;
this.verifyResult$ = this.witnessService.verifySignature(this.witnessId).pipe(
finalize(() => this.isVerifying = false)
);
}
downloadJson() {
this.witnessService.downloadWitness(this.witnessId).subscribe(blob => {
const url = URL.createObjectURL(blob);
const a = document.createElement('a');
a.href = url;
a.download = `witness-${this.witnessId}.json`;
a.click();
});
}
copyWitnessId() {
navigator.clipboard.writeText(this.witnessId);
}
}
```
---
## CLI Commands
### stella witness show
```
Usage: stella witness show <witness-id> [options]
Arguments:
witness-id The witness ID to display
Options:
--format Output format: text (default), json, yaml
--no-color Disable colored output
--path-only Show only the call path
Examples:
stella witness show wit:sha256:abc123
stella witness show wit:sha256:abc123 --format json
stella witness show wit:sha256:abc123 --path-only
```
### stella witness verify
```
Usage: stella witness verify <witness-id> [options]
Arguments:
witness-id The witness ID to verify
Options:
--public-key Path to public key file (default: fetch from authority)
--offline Verify using local key only, don't fetch from server
Examples:
stella witness verify wit:sha256:abc123
stella witness verify wit:sha256:abc123 --public-key ./attestor.pub
stella witness verify wit:sha256:abc123 --offline
```
### CLI Output Example
```
$ stella witness show wit:sha256:abc123def456
WITNESS: wit:sha256:abc123def456
═══════════════════════════════════════════════════════════════════
Vulnerability: CVE-2024-12345 (Newtonsoft.Json <=12.0.3)
Confidence: CONFIRMED
Observed: 2025-12-18T10:30:00Z
CALL PATH
─────────────────────────────────────────────────────────────────────
[ENTRYPOINT] GET /api/users/{id}
├── UserController.GetUser()
│ └── src/Controllers/UserController.cs:42
├── UserService.GetUserById()
│ └── src/Services/UserService.cs:88
│ [GATE: AuthRequired] [Authorize] attribute (0.95)
└── [SINK] JsonConvert.DeserializeObject<User>()
└── Newtonsoft.Json (TRIGGER METHOD)
EVIDENCE
─────────────────────────────────────────────────────────────────────
Call Graph: blake3:a1b2c3d4e5f6...
Surface: sha256:9f8e7d6c5b4a...
Signed By: attestor-stellaops-ed25519
$ stella witness verify wit:sha256:abc123def456
✓ Signature VALID
Key ID: attestor-stellaops-ed25519
Algorithm: Ed25519
```
---
## PR Annotation Integration
### State Flip Summary
```markdown
## Reachability Changes
| Change | CVE | Package | Evidence |
|--------|-----|---------|----------|
| 🔴 Now Reachable | CVE-2024-12345 | Newtonsoft.Json@12.0.3 | [View Witness](link) |
| 🟢 No Longer Reachable | CVE-2024-12346 | lodash@4.17.20 | [View Witness](link) |
### Summary
- **+1** vulnerability became reachable
- **-1** vulnerability became unreachable
- **Net change:** 0
[View full scan results](link)
```
### GitHub Check Run
```json
{
"name": "StellaOps Reachability",
"status": "completed",
"conclusion": "failure",
"output": {
"title": "1 vulnerability became reachable",
"summary": "CVE-2024-12345 in Newtonsoft.Json@12.0.3 is now reachable via GET /api/users/{id}",
"annotations": [
{
"path": "src/Controllers/UserController.cs",
"start_line": 42,
"end_line": 42,
"annotation_level": "failure",
"message": "CVE-2024-12345: Call to vulnerable method JsonConvert.DeserializeObject()",
"title": "Reachable Vulnerability"
}
]
}
}
```
---
## Success Criteria
- [ ] Witness modal displays path correctly
- [ ] Path visualization shows gates inline
- [ ] Signature verification works in browser
- [ ] Download JSON produces valid witness file
- [ ] Confidence tier badges show correct colors
- [ ] CLI show command displays formatted output
- [ ] CLI verify command validates signatures
- [ ] PR annotations show state flips
- [ ] All component tests pass
---
## Decisions & Risks
| ID | Decision | Rationale |
|----|----------|-----------|
| UI-DEC-001 | Use NgbModal for witness display | Consistent with existing UI patterns |
| UI-DEC-002 | Server-side signature verification | Don't expose private keys to browser |
| CLI-DEC-001 | Support offline verification | Air-gap use case |
| PR-DEC-001 | Annotate source files with vuln info | Direct developer feedback |
| Risk | Likelihood | Impact | Mitigation |
|------|------------|--------|------------|
| Large paths hard to visualize | Medium | Low | Collapse intermediate nodes, show depth |
| Browser Ed25519 support | Low | Medium | Server-side verify fallback |
| PR annotation rate limits | Low | Low | Batch annotations, respect limits |
---
## Execution Log
| Date (UTC) | Update | Owner |
|---|---|---|
| 2025-12-18 | Created sprint from advisory analysis | Agent |

113
docs/implplan/archived/SPRINT_3800_0001_0001_evidence_api_models.md Normal file
View File

@@ -0,0 +1,113 @@
# SPRINT_3800_0001_0001 - Evidence API Models
## Overview
Create the foundational data models for the unified evidence API contracts. These models define the structure for finding evidence, score explanations, boundary proofs, and VEX evidence.
**Master Plan:** `SPRINT_3800_0000_0000_explainable_triage_master.md`
**Working Directory:** `src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/`
## Scope
### In Scope
- `FindingEvidenceResponse` - Unified evidence response contract
- `ComponentRef` - Component identifier with PURL
- `EntrypointProof` - Entrypoint metadata (type, route, auth, phase)
- `BoundaryProof` - Surface, exposure, auth, controls
- `VexEvidence` - VEX status with attestation reference
- `ScoreExplanation` - Additive risk score breakdown
- `ScoreContribution` - Individual score factor
- JSON serialization attributes for API contracts
### Out of Scope
- Service implementations (separate sprints)
- Database schema changes
- API endpoint registration
- UI TypeScript models (SPRINT_4100_0001_0001)
## Prerequisites
- None (first sprint in chain)
## Delivery Tracker
| Task | Status | Owner | Notes |
|------|--------|-------|-------|
| Create FindingEvidenceContracts.cs in Scanner.WebService | DONE | Agent | API contracts with all DTOs |
| Create BoundaryProof.cs in Scanner.SmartDiff.Detection | DONE | Agent | Boundary model with surface, exposure, auth, controls |
| Create ScoreExplanation.cs in Signals.Models | DONE | Agent | Score breakdown with contributions and modifiers |
| Create VexEvidence.cs in Scanner.SmartDiff.Detection | DONE | Agent | VEX evidence model with status, justification, source |
| Add unit tests for JSON serialization | DONE | Agent | FindingEvidenceContractsTests.cs with round-trip tests |
## Implementation Details
### File Locations
```
src/Scanner/StellaOps.Scanner.WebService/Contracts/
FindingEvidenceContracts.cs [NEW]
src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Detection/
BoundaryProof.cs [NEW]
VexEvidence.cs [NEW]
src/Signals/StellaOps.Signals/Models/
ScoreExplanation.cs [NEW]
```
### Model Definitions
**FindingEvidenceResponse** (Scanner.WebService)
```csharp
public sealed record FindingEvidenceResponse(
[property: JsonPropertyName("finding_id")] string FindingId,
[property: JsonPropertyName("cve")] string Cve,
[property: JsonPropertyName("component")] ComponentRef Component,
[property: JsonPropertyName("reachable_path")] IReadOnlyList<string>? ReachablePath,
[property: JsonPropertyName("entrypoint")] EntrypointProof? Entrypoint,
[property: JsonPropertyName("boundary")] BoundaryProof? Boundary,
[property: JsonPropertyName("vex")] VexEvidence? Vex,
[property: JsonPropertyName("score_explain")] ScoreExplanation? ScoreExplain,
[property: JsonPropertyName("last_seen")] DateTimeOffset LastSeen,
[property: JsonPropertyName("expires_at")] DateTimeOffset? ExpiresAt,
[property: JsonPropertyName("attestation_refs")] IReadOnlyList<string>? AttestationRefs);
```
**BoundaryProof** (Scanner.SmartDiff.Detection)
```csharp
public sealed record BoundaryProof(
[property: JsonPropertyName("kind")] string Kind,
[property: JsonPropertyName("surface")] SurfaceDescriptor Surface,
[property: JsonPropertyName("exposure")] ExposureDescriptor Exposure,
[property: JsonPropertyName("auth")] AuthDescriptor? Auth,
[property: JsonPropertyName("controls")] IReadOnlyList<ControlDescriptor>? Controls,
[property: JsonPropertyName("last_seen")] DateTimeOffset LastSeen,
[property: JsonPropertyName("confidence")] double Confidence);
```
**ScoreExplanation** (Signals.Models)
```csharp
public sealed record ScoreExplanation(
[property: JsonPropertyName("kind")] string Kind,
[property: JsonPropertyName("risk_score")] double RiskScore,
[property: JsonPropertyName("contributions")] IReadOnlyList<ScoreContribution> Contributions,
[property: JsonPropertyName("last_seen")] DateTimeOffset LastSeen);
```
## Acceptance Criteria
- [x] All models compile and follow existing naming conventions
- [x] JSON serialization produces lowercase snake_case properties
- [x] Models are immutable (record types with init properties)
- [x] Unit tests verify JSON round-trip serialization
- [x] Documentation comments on all public types
## Decisions & Risks
| Decision | Rationale |
|----------|-----------|
| Use record types | Immutability, value equality, concise syntax |
| Place in existing namespaces | Follows codebase conventions, near related types |
| Use System.Text.Json attributes | Consistent with existing API contracts |
## Effort Estimate
**Size:** Small (S) - 1-2 days

122
docs/implplan/archived/SPRINT_3800_0001_0002_score_explanation_service.md Normal file
View File

@@ -0,0 +1,122 @@
# SPRINT_3800_0001_0002 - Score Explanation Service
## Overview
Implement the `ScoreExplanationService` that generates additive risk score breakdowns. The service transforms existing gate multipliers, reachability confidence, and CVSS scores into human-readable score contributions.
**Master Plan:** `SPRINT_3800_0000_0000_explainable_triage_master.md`
**Working Directory:** `src/Signals/StellaOps.Signals/`
## Scope
### In Scope
- `IScoreExplanationService` interface
- `ScoreExplanationService` implementation
- Integration with existing `ReachabilityScoringService`
- Additive score formula with configurable weights
- Score factor categorization (cvss, reachability, exposure, auth)
- DI registration
### Out of Scope
- API endpoint (SPRINT_3800_0003_0001)
- UI display components (SPRINT_4100)
- Boundary proof extraction (SPRINT_3800_0002_*)
## Prerequisites
- SPRINT_3800_0001_0001 (Evidence API Models) - `ScoreExplanation` model
## Delivery Tracker
| Task | Status | Owner | Notes |
|------|--------|-------|-------|
| Create IScoreExplanationService.cs | DONE | Agent | Interface with request model |
| Create ScoreExplanationService.cs | DONE | Agent | Full implementation with all factors |
| Add score weights to SignalsScoringOptions | DONE | Agent | ScoreExplanationWeights class |
| Add DI registration | DONE | Agent | Registered in Program.cs |
| Unit tests for score computation | DONE | Agent | ScoreExplanationServiceTests.cs |
| Golden tests for score stability | DONE | Agent | IsDeterministic test verifies stability |
## Implementation Details
### File Locations
```
src/Signals/StellaOps.Signals/Services/
IScoreExplanationService.cs [NEW]
ScoreExplanationService.cs [NEW]
src/Signals/StellaOps.Signals/Options/
SignalsScoringOptions.cs [MODIFY - add weights]
```
### Interface Definition
```csharp
public interface IScoreExplanationService
{
Task<ScoreExplanation> ComputeExplanationAsync(
ReachabilityFactDocument fact,
ReachabilityStateDocument state,
double? cvssScore,
CancellationToken cancellationToken = default);
}
```
### Score Formula
The additive score model:
| Factor | Range | Formula |
|--------|-------|---------|
| CVSS | 0-50 | `cvss * 5` (10.0 CVSS = 50 points) |
| Reachability | 0-25 | Based on bucket (entrypoint=25, direct=20, runtime=22, unknown=12, unreachable=0) |
| Exposure | 0-15 | Based on entrypoint type (http=15, grpc=12, internal=5) |
| Auth Discount | -10 to 0 | Based on detected gates (auth=-3, admin=-5, feature_flag=-2) |
**Total:** 0-100 (clamped)
### Configuration Options
Add to `SignalsScoringOptions`:
```csharp
public class ScoreExplanationWeights
{
public double CvssMultiplier { get; set; } = 5.0;
public double EntrypointReachability { get; set; } = 25.0;
public double DirectReachability { get; set; } = 20.0;
public double RuntimeReachability { get; set; } = 22.0;
public double UnknownReachability { get; set; } = 12.0;
public double HttpExposure { get; set; } = 15.0;
public double GrpcExposure { get; set; } = 12.0;
public double InternalExposure { get; set; } = 5.0;
public double AuthGateDiscount { get; set; } = -3.0;
public double AdminGateDiscount { get; set; } = -5.0;
public double FeatureFlagDiscount { get; set; } = -2.0;
}
```
## Acceptance Criteria
- [x] `ScoreExplanationService` produces consistent output for same input
- [x] Score contributions sum to the total risk_score (within floating point tolerance)
- [x] All score factors have human-readable `reason` strings
- [x] Gate detection from `ReachabilityStateDocument.Evidence.Gates` is incorporated
- [x] Weights are configurable via `SignalsScoringOptions`
- [x] Unit tests cover all bucket types and gate combinations
## Decisions & Risks
| Decision | Rationale |
|----------|-----------|
| Additive model | Easier to explain than multiplicative; users can see exact contribution |
| Configurable weights | Allows tuning without code changes |
| Clamp to 0-100 | Consistent with existing score ranges |
| Risk | Mitigation |
|------|------------|
| Formula not intuitive | Document formula in API docs; make weights adjustable |
| Score drift between versions | Golden tests ensure stability |
## Effort Estimate
**Size:** Medium (M) - 3-5 days

126
docs/implplan/archived/SPRINT_3800_0002_0001_boundary_richgraph.md Normal file
View File

@@ -0,0 +1,126 @@
# SPRINT_3800_0002_0001 - RichGraph Boundary Extractor
## Overview
Implement the base `RichGraphBoundaryExtractor` that extracts boundary proof (exposure, auth, controls) from RichGraph roots and node annotations. This establishes the foundation for additional boundary extractors (K8s, Gateway, IaC).
**Master Plan:** `SPRINT_3800_0000_0000_explainable_triage_master.md`
**Working Directory:** `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/`
## Scope
### In Scope
- `IBoundaryProofExtractor` interface
- `RichGraphBoundaryExtractor` implementation
- Surface type inference from RichGraph roots
- Auth detection from node annotations and gate detectors
- Exposure inference from root phase
- `BoundaryExtractionContext` for environment hints
- DI registration
### Out of Scope
- K8s extraction (SPRINT_3800_0002_0002)
- Gateway extraction (SPRINT_3800_0002_0003)
- IaC extraction (SPRINT_3800_0002_0004)
- Runtime boundary discovery
## Prerequisites
- SPRINT_3800_0001_0001 (Evidence API Models) - `BoundaryProof` model
## Delivery Tracker
| Task | Status | Owner | Notes |
|------|--------|-------|-------|
| Create IBoundaryProofExtractor.cs | DONE | Agent | Interface with Priority & CanHandle |
| Create RichGraphBoundaryExtractor.cs | DONE | Agent | Full implementation with surface/exposure inference |
| Create BoundaryExtractionContext.cs | DONE | Agent | Environment context with gates |
| Integrate with AuthGateDetector results | DONE | Agent | Uses DetectedGate from Gates folder |
| Add DI registration | DONE | Agent | BoundaryServiceCollectionExtensions |
| Unit tests for extraction | DONE | Agent | RichGraphBoundaryExtractorTests.cs |
## Implementation Details
### File Locations
```
src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/
IBoundaryProofExtractor.cs [NEW]
BoundaryExtractionContext.cs [NEW]
RichGraphBoundaryExtractor.cs [NEW]
```
### Interface Definition
```csharp
public interface IBoundaryProofExtractor
{
/// <summary>
/// Extracts boundary proof for an entrypoint.
/// </summary>
Task<BoundaryProof?> ExtractAsync(
RichGraphRoot root,
RichGraphNode? rootNode,
BoundaryExtractionContext context,
CancellationToken cancellationToken = default);
}
public sealed record BoundaryExtractionContext(
string? EnvironmentId,
IReadOnlyDictionary<string, string>? Annotations,
IReadOnlyList<DetectedGate>? DetectedGates);
```
### Surface Type Inference
Map RichGraph data to surface types:
| Source | Surface Type |
|--------|--------------|
| Root phase = `runtime`, node contains "HTTP" | `http` |
| Root phase = `runtime`, node contains "gRPC" | `grpc` |
| Root phase = `init` | `startup` |
| Root phase = `test` | `test` |
| Node contains "Controller" | `http` |
| Node contains "Handler" | `handler` |
| Default | `internal` |
### Auth Detection
Reuse existing `AuthGateDetector` results:
- Check `DetectedGates` for `AuthRequired` type
- Extract `GuardSymbol` for location
- Map to `AuthDescriptor` with mechanism and scopes
### Exposure Inference
| Phase | Exposure |
|-------|----------|
| `runtime` with http surface | `internet: true, ports: [443]` |
| `runtime` with grpc surface | `internet: true, ports: [443]` |
| `init` | `internet: false` |
| `test` | `internet: false` |
## Acceptance Criteria
- [ ] Extracts surface type from RichGraph roots
- [ ] Incorporates auth info from detected gates
- [ ] Sets exposure based on root phase and surface
- [ ] Returns null for non-extractable roots
- [ ] Confidence reflects extraction certainty (0.5-0.8 range)
- [ ] Unit tests cover HTTP, gRPC, internal, startup scenarios
## Decisions & Risks
| Decision | Rationale |
|----------|-----------|
| Start with RichGraph-only | Provides baseline without external dependencies |
| Reuse gate detectors | Avoid duplication; gates already detect auth |
| Conservative confidence | 0.7 default; higher sources (K8s) can increase |
| Risk | Mitigation |
|------|------------|
| Limited annotation data | Fall back to heuristics; K8s extractor adds more data |
| False surface type inference | Use conservative defaults; allow override via context |
## Effort Estimate
**Size:** Medium (M) - 3-5 days

169
docs/implplan/archived/SPRINT_3801_0001_0001_policy_decision_attestation.md Normal file
View File

@@ -0,0 +1,169 @@
# Sprint 3801.0001.0001 · Policy Decision Attestation Service
## Topic & Scope
- Implement `PolicyDecisionAttestationService` that creates signed `stella.ops/policy-decision@v1` attestations capturing policy gate results and evidence references (SBOM, VEX, RichGraph).
- Working directory: `src/Policy/StellaOps.Policy.Engine/`.
## Dependencies & Concurrency
- Master Plan: `docs/implplan/SPRINT_3800_0000_0000_explainable_triage_master.md`.
- Prerequisites: `SPRINT_3800_0001_0001` (Evidence API Models); existing `VexDecisionSigningService` pattern.
- Concurrency: Policy Engine-only; safe to run in parallel with other triage work.
## Documentation Prerequisites
- `docs/modules/policy/architecture.md`
- `docs/modules/platform/architecture-overview.md`
## Delivery Tracker
| # | Task ID | Status | Key dependency / next step | Owners | Task Definition |
| --- | --- | --- | --- | --- | --- |
| 1 | PDA-001 | DONE | — | Policy Guild | Add `StellaOpsPolicyDecision` predicate type to `PredicateTypes.cs`. |
| 2 | PDA-002 | DONE | — | Policy Guild | Create `PolicyDecisionPredicate.cs`. |
| 3 | PDA-003 | DONE | — | Policy Guild | Create `IPolicyDecisionAttestationService.cs`. |
| 4 | PDA-004 | DONE | — | Policy Guild | Create `PolicyDecisionAttestationService.cs`. |
| 5 | PDA-005 | DONE | — | Policy Guild | Add configuration options (`PolicyDecisionAttestationOptions`). |
| 6 | PDA-006 | DONE | — | Policy Guild | Add DI registration (`AddPolicyDecisionAttestation`). |
| 7 | PDA-007 | DONE | — | Policy Guild | Unit tests for predicate creation. |
| 8 | PDA-008 | DONE | — | Policy Guild | Integration tests with signing (covered via mocked signer/rekor clients in Policy Engine test suite). |
## Wave Coordination
- Single wave.
## Wave Detail Snapshots
### Overview
Implement the `PolicyDecisionAttestationService` that creates signed `stella.ops/policy-decision@v1` attestations. This predicate captures policy gate results with references to input evidence (SBOM, VEX, RichGraph).
### In Scope
- Add `StellaOpsPolicyDecision` predicate type to `PredicateTypes.cs`
- `PolicyDecisionPredicate` model (policy, inputs, result, evidence_refs)
- `IPolicyDecisionAttestationService` interface
- `PolicyDecisionAttestationService` implementation
- DSSE signing via existing `IVexSignerClient` pattern
- Optional Rekor submission
- DI registration
### Out of Scope
- Human approval attestation (SPRINT_3801_0001_0004)
- Chain verification (SPRINT_3801_0001_0003)
- Approval API endpoint (SPRINT_3801_0001_0005)
### File Locations
```
src/Signer/StellaOps.Signer/StellaOps.Signer.Core/
PredicateTypes.cs [MODIFY]
src/Policy/StellaOps.Policy.Engine/Attestation/
PolicyDecisionPredicate.cs [NEW]
IPolicyDecisionAttestationService.cs [NEW]
PolicyDecisionAttestationService.cs [NEW]
PolicyDecisionAttestationOptions.cs [NEW]
```
### Predicate Type Constant (example)
Add to `PredicateTypes.cs`:
```csharp
public const string StellaOpsPolicyDecision = "stella.ops/policy-decision@v1";
public static bool IsPolicyDecisionType(string predicateType) =>
predicateType == StellaOpsPolicyDecision;
```
### Predicate Model (excerpt)
```csharp
public sealed record PolicyDecisionPredicate(
[property: JsonPropertyName("policy")] PolicyRef Policy,
[property: JsonPropertyName("inputs")] PolicyDecisionInputs Inputs,
[property: JsonPropertyName("result")] PolicyDecisionResult Result,
[property: JsonPropertyName("evaluation")] PolicyDecisionEvaluation Evaluation,
[property: JsonPropertyName("evidence_refs")] IReadOnlyList<EvidenceRef>? EvidenceRefs);
public sealed record PolicyRef(
[property: JsonPropertyName("id")] string Id,
[property: JsonPropertyName("version")] string Version,
[property: JsonPropertyName("digest")] string Digest,
[property: JsonPropertyName("expression")] string? Expression);
public sealed record PolicyDecisionInputs(
[property: JsonPropertyName("sbom_ref")] AttestationRef? SbomRef,
[property: JsonPropertyName("vex_ref")] AttestationRef? VexRef,
[property: JsonPropertyName("graph_ref")] AttestationRef? GraphRef,
[property: JsonPropertyName("snapshot_id")] string? SnapshotId);
public sealed record PolicyDecisionResult(
[property: JsonPropertyName("allowed")] bool Allowed,
[property: JsonPropertyName("score")] double Score,
[property: JsonPropertyName("exemptions")] IReadOnlyList<string>? Exemptions,
[property: JsonPropertyName("reason_codes")] IReadOnlyList<string>? ReasonCodes);
```
### Service Interface (excerpt)
```csharp
public interface IPolicyDecisionAttestationService
{
Task<PolicyDecisionAttestationResult> AttestAsync(
PolicyDecisionAttestationRequest request,
CancellationToken cancellationToken = default);
}
public sealed record PolicyDecisionAttestationRequest(
string SubjectName,
string SubjectDigest,
PolicyDecisionPredicate Predicate,
string TenantId,
bool SubmitToRekor = true);
public sealed record PolicyDecisionAttestationResult(
string AttestationDigest,
string? RekorUuid,
long? RekorIndex,
DsseEnvelope Envelope);
```
### Implementation Pattern
Follow existing `VexDecisionSigningService`:
1. Build in-toto Statement with subject and predicate
2. Serialize to canonical JSON
3. Sign via `IVexSignerClient.SignAsync`
4. Optionally submit to Rekor via `IVexRekorClient`
5. Return envelope and digests
### Test Evidence
- `src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Attestation/PolicyDecisionAttestationServiceTests.cs` (covers signer + optional Rekor paths via mocks)
### Acceptance Criteria
- [x] `stella.ops/policy-decision@v1` predicate type added to constants
- [x] Predicate includes `inputs` with SBOM, VEX, Graph attestation references
- [x] Signing follows existing DSSE/in-toto patterns
- [x] Rekor submission is optional (configuration)
- [x] Attestation digest computed deterministically
- [x] Unit tests verify predicate structure
- [x] Integration tests verify signing flow
## Interlocks
- Predicate type constant must remain aligned across Signer + Policy Engine.
## Upcoming Checkpoints
- None scheduled.
## Action Tracker
| Date (UTC) | Action | Owner | Notes |
| --- | --- | --- | --- |
| 2025-12-19 | Normalize sprint doc + close remaining tracker item | Agent | Marked signing flow tests complete via existing mocked integration coverage. |
## Decisions & Risks
### Decisions
| Decision | Rationale |
|----------|-----------|
| Follow `VexDecisionSigningService` pattern | Consistency with existing code |
| Include `evidence_refs` | Allows linking to CAS-stored proof bundles |
| Optional Rekor | Air-gap compatibility |
### Risks
| Risk | Mitigation |
|------|------------|
| Rekor unavailability | Make submission optional; log warning |
| Input refs may not exist | Allow null refs; validation at chain verification |
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2025-12-19 | Normalized sprint file to standard template; marked PDA-008 DONE by referencing existing signing-flow tests in `src/Policy/__Tests/StellaOps.Policy.Engine.Tests/Attestation/PolicyDecisionAttestationServiceTests.cs`. | Agent |

165
docs/implplan/archived/SPRINT_3850_0001_0001_competitive_gap_closure.md Normal file
View File

@@ -0,0 +1,165 @@
# SPRINT_3850_0001_0001 - Competitive Gap Closure
**Status:** DONE
**Priority:** P1 - HIGH
**Module:** Scanner, Signals, Policy, Web
**Working Directory:** Multiple (cross-cutting)
**Estimated Effort:** Large (2-3 sprints)
**Dependencies:** SPRINT_3700, SPRINT_3800
**Source Advisory:** `docs/product-advisories/19-Dec-2025 - Benchmarking Container Scanners Against Stella Ops.md`
---
## Topic & Scope
Close remaining competitive gaps identified in the Dec 2025 benchmark analysis. Focus on features that differentiate Stella Ops from Trivy, Snyk, Prisma, Aqua, and Anchore.
**Business Value:**
- Complete the "no competitor offers together" moat
- Enable regulatory-grade audit trails
- Support procurement-grade trust statements
- Quantifiable competitive differentiation
---
## Dependencies & Concurrency
**Upstream Dependencies:**
- SPRINT_3700 (Vuln Surfaces) - DOING
- SPRINT_3800 (Explainable Triage) - TODO
**Can Run In Parallel:**
- SBOM Ledger tasks
- VEX jurisdiction rules
- Benchmark tests
---
## Documentation Prerequisites
Before starting implementation, read:
- `docs/product-advisories/19-Dec-2025 - Benchmarking Container Scanners Against Stella Ops.md`
- `docs/benchmarks/competitive-implementation-milestones.md`
- `docs/moat.md` (Competitive Landscape section)
- `docs/key-features.md`
---
## Delivery Tracker
### Milestone: SBOM Ledger (SBOM-L)
| # | Task ID | Status | Description | Owner |
|---|---------|--------|-------------|-------|
| 1 | SBOM-L-001 | DONE | Define component identity schema (source + digest + build recipe hash) | Scanner |
| 2 | SBOM-L-003 | DONE | Layer-aware dependency graphs with loader resolution | Scanner |
| 3 | SBOM-L-004 | DONE | SBOM versioning and merge semantics API | Scanner |
### Milestone: VEX Lattice Reasoning (VEX-L)
| # | Task ID | Status | Description | Owner |
|---|---------|--------|-------------|-------|
| 4 | VEX-L-003 | DONE | Jurisdiction-specific trust rules (US/EU/RU/CN) | Policy |
| 5 | VEX-L-004 | DONE | Customer override with signed audit trail | Policy |
### Milestone: Explainable Findings (EXP-F)
| # | Task ID | Status | Description | Owner |
|---|---------|--------|-------------|-------|
| 6 | EXP-F-004 | DONE | Falsification conditions per finding | Scanner |
| 7 | EXP-F-005 | DONE | Evidence drawer UI with proof tabs | Web |
### Milestone: Deterministic Scoring (D-SCORE)
| # | Task ID | Status | Description | Owner |
|---|---------|--------|-------------|-------|
| 8 | D-SCORE-002 | DONE | Assumption penalties in score calculation | Signals |
| 9 | D-SCORE-003 | DONE | Configurable trust source weights | Signals |
| 10 | D-SCORE-005 | DONE | DSSE-signed score attestation | Attestor |
### Milestone: Unknowns State (UNK)
| # | Task ID | Status | Description | Owner |
|---|---------|--------|-------------|-------|
| 11 | UNK-004 | DONE | UI unknowns chips and triage actions | Web |
| 12 | UNK-005 | DONE | Zero-day window tracking | Signals |
### Milestone: Epistemic Offline (E-OFF)
| # | Task ID | Status | Description | Owner |
|---|---------|--------|-------------|-------|
| 13 | E-OFF-003 | DONE | Scoring rules snapshot with digest | Signals |
### Milestone: Benchmarks
| # | Task ID | Status | Description | Owner |
|---|---------|--------|-------------|-------|
| 14 | BENCH-001 | DONE | Create `bench/smart-diff/` test suite | QA |
| 15 | BENCH-002 | DONE | Create `bench/determinism/` replay tests | QA |
| 16 | BENCH-003 | DONE | Create `bench/vex-lattice/` merge tests | QA |
| 17 | BENCH-004 | DONE | Create `bench/unknowns/` tracking tests | QA |
---
## Success Criteria
- [x] Component identity includes build recipe hash
- [x] Jurisdiction-specific trust rules configurable
- [x] Each finding shows falsification conditions
- [x] Score attestations are DSSE-signed
- [x] UI surfaces unknowns with triage actions
- [x] All benchmark suites passing in CI
---
## Competitive Claim Validation
After completion, Stella Ops can claim:
| Claim | Validation |
|-------|------------|
| "First tool with formal VEX reasoning" | VEX-L-003, VEX-L-004 |
| "Deterministic, attestable scoring" | D-SCORE-002, D-SCORE-003, D-SCORE-005 |
| "Explicit unknowns modeling" | UNK-004, UNK-005 |
| "Falsification-aware findings" | EXP-F-004 |
| "SBOM lineage with proofs" | SBOM-L-001, SBOM-L-003, SBOM-L-004 |
---
## Decisions & Risks
| ID | Risk | Likelihood | Impact | Mitigation |
|----|------|------------|--------|------------|
| CG-RISK-001 | Jurisdiction rules complexity | Medium | Medium | Start with US/EU only |
| CG-RISK-002 | Score attestation performance | Low | Medium | Async signing |
| CG-RISK-003 | SBOM merge semantics edge cases | Medium | Low | Comprehensive test corpus |
---
## Execution Log
| Date (UTC) | Update | Owner |
|---|---|---|
| 2025-12-19 | Created sprint from competitive benchmark advisory | Agent |
| 2025-12-19 | Completed BENCH-001 to BENCH-004: Created benchmark suites for smart-diff, determinism, vex-lattice, unknowns | Agent |
| 2025-12-19 | Completed EXP-F-005: Created EvidenceDrawerComponent with proof tabs | Agent |
| 2025-12-19 | Completed UNK-004: Created UnknownChipComponent with triage actions | Agent |
| 2025-12-19 | Completed SBOM-L-001: Created ComponentIdentity.cs with source, digest, build recipe hash | Agent |
| 2025-12-19 | Completed SBOM-L-003: Created LayerDependencyGraph.cs with loader resolution | Agent |
| 2025-12-19 | Completed SBOM-L-004: Created SbomVersioning.cs with merge semantics API | Agent |
| 2025-12-19 | Completed VEX-L-003: Created JurisdictionTrustRules.cs for US/EU/RU/CN | Agent |
| 2025-12-19 | Completed VEX-L-004: Created VexCustomerOverride.cs with signed audit trail | Agent |
| 2025-12-19 | Completed D-SCORE-002: Created AssumptionPenalties.cs for score penalties | Agent |
| 2025-12-19 | Completed D-SCORE-003: Created TrustSourceWeights.cs for configurable weights | Agent |
| 2025-12-19 | Completed D-SCORE-005: Created ScoreAttestationStatement.cs for DSSE attestation | Agent |
| 2025-12-19 | Completed EXP-F-004: Created FalsificationConditions.cs per finding | Agent |
| 2025-12-19 | Completed UNK-005: Created ZeroDayWindowTracking.cs for exposure window tracking | Agent |
| 2025-12-19 | Completed E-OFF-003: Created ScoringRulesSnapshot.cs with digest | Agent |
---
## References
- Source advisory: `docs/product-advisories/19-Dec-2025 - Benchmarking Container Scanners Against Stella Ops.md`
- Implementation milestones: `docs/benchmarks/competitive-implementation-milestones.md`
- Moat spec: `docs/moat.md`

237
docs/implplan/archived/SPRINT_4100_0001_0001_triage_models.md Normal file
View File

@@ -0,0 +1,237 @@
# SPRINT_4100_0001_0001 - Triage UI Models and API Clients
## Overview
Create TypeScript models and API clients for the unified evidence API. These models mirror the backend contracts and provide type-safe access to finding evidence, score explanations, and attestation chain data.
**Master Plan:** `SPRINT_3800_0000_0000_explainable_triage_master.md`
**Working Directory:** `src/Web/StellaOps.Web/src/app/core/api/`
## Scope
### In Scope
- `triage-evidence.models.ts` - Evidence data contracts
- `triage-evidence.client.ts` - API client for evidence endpoints
- `attestation-chain.models.ts` - DSSE/in-toto model types
- `attestation-chain.client.ts` - Attestation verification client
- Update `index.ts` exports
### Out of Scope
- UI components (SPRINT_4100_0002_0001+)
- Metrics client (SPRINT_4100_0006_0001)
- Backend implementation
## Prerequisites
- SPRINT_3800_0003_0001 (Evidence API Endpoint) - Backend API available
- Or mock service for parallel development
## Delivery Tracker
| Task | Status | Owner | Notes |
|------|--------|-------|-------|
| Create triage-evidence.models.ts | DONE | Agent | Full model coverage with helpers |
| Create triage-evidence.client.ts | DONE | Agent | HttpClient with caching + mock client |
| Create attestation-chain.models.ts | DONE | Agent | DSSE, in-toto, Rekor types |
| Create attestation-chain.client.ts | DONE | Agent | Chain verification + mock client |
| Update core/api/index.ts exports | DONE | Agent | Created triage-api.index.ts barrel |
| Add unit tests for client | DONE | Agent | triage-evidence.client.spec.ts |
## Implementation Details
### File Locations
```
src/Web/StellaOps.Web/src/app/core/api/
triage-evidence.models.ts [NEW]
triage-evidence.client.ts [NEW]
attestation-chain.models.ts [NEW]
attestation-chain.client.ts [NEW]
index.ts [MODIFY]
```
### Evidence Models
```typescript
// triage-evidence.models.ts
export interface FindingEvidenceResponse {
finding_id: string;
cve: string;
component: ComponentRef;
reachable_path?: string[];
entrypoint?: EntrypointProof;
boundary?: BoundaryProof;
vex?: VexEvidence;
score_explain?: ScoreExplanation;
last_seen: string; // ISO 8601
expires_at?: string;
attestation_refs?: string[];
}
export interface ComponentRef {
name: string;
version: string;
purl?: string;
}
export interface EntrypointProof {
type: string;
route?: string;
auth?: string;
phase?: string;
}
export interface BoundaryProof {
kind: string;
surface: SurfaceDescriptor;
exposure: ExposureDescriptor;
auth?: AuthDescriptor;
controls?: ControlDescriptor[];
last_seen: string;
confidence: number;
}
export interface SurfaceDescriptor {
type: string;
route?: string;
}
export interface ExposureDescriptor {
internet: boolean;
ports?: number[];
}
export interface AuthDescriptor {
mechanism: string;
required_scopes?: string[];
audience?: string;
}
export interface ControlDescriptor {
type: string;
status: string;
location?: string;
}
export interface VexEvidence {
status: 'affected' | 'not_affected' | 'fixed' | 'under_investigation';
justification?: string;
timestamp: string;
issuer?: string;
attestation_ref?: string;
}
export interface ScoreExplanation {
kind: string;
risk_score: number;
contributions: ScoreContribution[];
last_seen: string;
}
export interface ScoreContribution {
factor: string;
value: number;
reason: string;
}
```
### Attestation Chain Models
```typescript
// attestation-chain.models.ts
export interface AttestationChainResponse {
subject_digest: string;
chain_status: 'complete' | 'incomplete' | 'invalid';
links: AttestationChainLink[];
issues: string[];
}
export interface AttestationChainLink {
predicate_type: string;
status: 'verified' | 'missing' | 'invalid' | 'pending';
attestation_digest?: string;
created_at?: string;
signer?: SignerIdentity;
inputs_valid?: boolean;
result?: PolicyDecisionResult;
}
export interface SignerIdentity {
issuer: string;
subject: string;
}
export interface PolicyDecisionResult {
allowed: boolean;
score: number;
}
export interface DsseEnvelope {
payload_type: string;
payload: string;
signatures: DsseSignature[];
}
export interface DsseSignature {
keyid: string;
sig: string;
}
```
### API Client
```typescript
// triage-evidence.client.ts
@Injectable({ providedIn: 'root' })
export class TriageEvidenceClient {
private readonly http = inject(HttpClient);
private readonly baseUrl = inject(API_BASE_URL);
getEvidenceForFinding(
scanId: string,
findingKey: string
): Observable<FindingEvidenceResponse> {
const encodedKey = encodeURIComponent(findingKey);
return this.http.get<FindingEvidenceResponse>(
`${this.baseUrl}/api/scans/${scanId}/findings/${encodedKey}/evidence`,
{
headers: {
'If-None-Match': this.getCachedEtag(scanId, findingKey) ?? ''
}
}
);
}
private getCachedEtag(scanId: string, findingKey: string): string | null {
// ETag caching implementation
return sessionStorage.getItem(`etag:${scanId}:${findingKey}`);
}
}
```
## Acceptance Criteria
- [ ] TypeScript models match backend JSON contract exactly
- [ ] API client uses HttpClient with proper error handling
- [ ] ETag-based caching for evidence responses
- [ ] All exports in `index.ts`
- [ ] Unit tests with mock HTTP responses
- [ ] Strict TypeScript mode passes
## Decisions & Risks
| Decision | Rationale |
|----------|-----------|
| Mirror snake_case from API | Matches backend; transform in components if needed |
| ETag caching | Evidence can be large; avoid redundant fetches |
| Separate client classes | Single responsibility; easier testing |
| Risk | Mitigation |
|------|------------|
| Backend contract changes | Generate from OpenAPI spec if available |
| Caching staleness | Short TTL; honor Cache-Control headers |
## Effort Estimate
**Size:** Small (S) - 2-3 days