stabilize tests

This commit is contained in:
master
2026-02-01 21:37:40 +02:00
parent 55744f6a39
commit 5d5e80b2e4
6435 changed files with 33984 additions and 13802 deletions


@@ -1,4 +1,4 @@
# AGENTS · Scanner Module
# AGENTS ?? Scanner Module
## Roles
- **Backend / Analyzer Engineer**: .NET 10 (preview) for analyzers, worker, web service, plug-ins; keep outputs deterministic.
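Review bot: the new side of the title line turns `# AGENTS · Scanner Module` into `# AGENTS ?? Scanner Module`, which looks like an encoding round trip gone wrong (UTF-8 text read as a single-byte code page and written back) rather than an intended edit; the same `??`/`???` substitution shows up in every later hunk of this file (en dash, arrows, double arrow). Suggest re-saving the file as UTF-8 and restoring the original characters, or, if plain ASCII is the goal, spelling them out as `-`, `->` and `<->` so the text stays readable.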
@@ -10,16 +10,16 @@
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/scanner/architecture.md`
- `docs/modules/reach-graph/guides/DELIVERY_GUIDE.md` (sections 5.55.9 for native/JS/PHP updates)
- `docs/modules/reach-graph/guides/DELIVERY_GUIDE.md` (sections 5.5???5.9 for native/JS/PHP updates)
- `docs/modules/reach-graph/guides/purl-resolved-edges.md`
- `docs/modules/reach-graph/guides/patch-oracles.md`
- `docs/product/advisories/14-Dec-2025 - Smart-Diff Technical Reference.md` (for Smart-Diff predicates)
- Current sprint file (e.g., `docs/implplan/SPRINT_401_reachability_evidence_chain.md`).
- `docs-archived/product/advisories/2025-12-21-moat-gap-closure/14-Dec-2025 - Smart-Diff Technical Reference.md` (for Smart-Diff predicates)
- Current sprint file (e.g., `docs-archived/implplan/SPRINT_0401_0001_0001_reachability_evidence_chain.md`).
## Working Directory & Boundaries
- Primary scope: `src/Scanner/**` (analyzers, worker, web service, plugins, __Libraries, __Tests, __Benchmarks, docs).
- Avoid cross-module edits unless sprint explicitly permits; note any cross-module change in sprint tracker.
- Keep fixtures minimal/deterministic; store under `src/Scanner/__Tests/Fixtures` or `__Benchmarks`.
- Keep fixtures minimal/deterministic; store under `src/Scanner/__Tests/__Datasets` or `__Benchmarks`.
## Smart-Diff Contracts (Sprint 3500)
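Review bot: the move of the sprint and advisory references from `docs/implplan/...` and `docs/product/advisories/...` to `docs-archived/...`, and the rename of the sprint file from `SPRINT_401_reachability_evidence_chain.md` to `SPRINT_0401_0001_0001_reachability_evidence_chain.md`, are not covered by the commit message ("stabilize tests"); please confirm the archived paths exist and state why live agent guidance now points into an archive directory. The fixture location change from `src/Scanner/__Tests/Fixtures` to `src/Scanner/__Tests/__Datasets` only holds if the tests that load fixtures moved with it, otherwise this becomes a doc/code mismatch. The `5.5–5.9` section range on the DELIVERY_GUIDE line carries the same `???` corruption noted on the title hunk.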
@@ -37,7 +37,7 @@ The Scanner module now includes Smart-Diff foundation primitives:
### Predicate Schema
- URI: `stellaops.dev/predicates/smart-diff@v1`
- Schema: `docs/schemas/stellaops-smart-diff.v1.schema.json`
- Schema: `src/Attestor/StellaOps.Attestor.Types/schemas/stellaops-smart-diff.v1.schema.json`
- DSSE-signed predicates for evidence chain
### Integration Points
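Review bot: pointing the Smart-Diff schema at `src/Attestor/StellaOps.Attestor.Types/schemas/stellaops-smart-diff.v1.schema.json` makes the Scanner guidance depend on a file inside another module's source tree, which sits uneasily with the `Avoid cross-module edits` rule in this same file; a schema edit on the Attestor side now changes the DSSE-signed predicate contract that `SmartDiffSchemaValidationTests` (referenced in the Testing hunk) is meant to pin, so say explicitly which copy is authoritative and that the validation tests must track it.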
@@ -58,7 +58,7 @@ Reachability Drift Detection tracks function-level reachability changes between
- `ReachabilityDriftResult` - Drift analysis output (newly reachable, mitigated paths)
- `DriftedSink` - Sink that changed reachability state with cause attribution
- `DriftCause` - Causal explanation (guard removed, new route, code change)
- `CompressedPath` - Compact path representation (entrypoint key nodes sink)
- `CompressedPath` - Compact path representation (entrypoint ??? key nodes ??? sink)
- `ReachabilityConfidenceTier` - Confirmed/Likely/Present/Unreachable tiers
### Predicate Schema
@@ -156,17 +156,17 @@ Layered binary reachability with attestable slices for CVE triage:
### Sprint Summary
- **3800**: Binary call-edge enhancement (disassembly, PLT/IAT, dynamic loading)
- **3810**: CVESymbol mapping and slice format
- **3810**: CVE???Symbol mapping and slice format
- **3820**: Slice query and replay APIs
- **3830**: VEX integration and policy binding
- **3840**: Runtime trace merge (eBPF/ETW)
- **3850**: OCI storage and CLI commands
See: `docs/implplan/SPRINT_3800_0000_0000_summary.md`
See: `docs-archived/implplan/SPRINT_3800_0000_0000_summary.md`
### Libraries
- `StellaOps.Scanner.Reachability.Slices` - Slice extraction, DSSE signing, verdict computation
- `StellaOps.Scanner.Advisory` - CVEsymbol mapping integration with Concelier
- `StellaOps.Scanner.Advisory` - CVE???symbol mapping integration with Concelier
- `StellaOps.Scanner.Runtime` - eBPF/ETW runtime trace collectors
- `StellaOps.Scanner.Storage.Oci` - OCI artifact storage for slices
@@ -174,7 +174,7 @@ See: `docs/implplan/SPRINT_3800_0000_0000_summary.md`
- `ReachabilitySlice` - Minimal attestable proof unit for CVE reachability
- `SliceQuery` - Query parameters (CVE, symbols, entrypoints, policy)
- `SliceVerdict` - Result status (reachable/unreachable/unknown/gated)
- `VulnSurfaceResult` - CVEsymbol mapping result with confidence
- `VulnSurfaceResult` - CVE???symbol mapping result with confidence
### Predicate Schema
- URI: `stellaops.dev/predicates/reachability-slice@v1`
@@ -193,8 +193,8 @@ See: `docs/implplan/SPRINT_3800_0000_0000_summary.md`
- `stella binary verify` - Verify attestation
### Documentation
- `docs/modules/reach-graph/guides/slice-schema.md` - Slice format specification
- `docs/modules/reach-graph/guides/cve-symbol-mapping.md` - CVEsymbol service design
- `docs/modules/reach-graph/schemas/slice-schema.md` - Slice format specification
- `docs/modules/reach-graph/guides/cve-symbol-mapping.md` - CVE???symbol service design
- `docs/modules/reach-graph/guides/replay-verification.md` - Replay workflow guide
## Engineering Rules
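Review bot: `slice-schema.md` moves from `docs/modules/reach-graph/guides/` to `docs/modules/reach-graph/schemas/` while its companions `cve-symbol-mapping.md` and `replay-verification.md` stay under `guides/`; that is fine if the file was actually relocated, but this commit page does not show the rename, so please verify the link resolves. The CVE↔symbol wording on the mapping line has the same `???` corruption as the earlier hunks.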
@@ -203,7 +203,7 @@ See: `docs/implplan/SPRINT_3800_0000_0000_summary.md`
- Determinism: stable ordering, UTC ISO-8601 timestamps, no `DateTime.Now`/random without seed; normalize path separators.
- Logging: structured (`ILogger` message templates); avoid secrets/paths leakage.
- Security: no executing untrusted payloads; keep analyzers pure; include redaction guidance for runtime capture adapters.
- Native analyzers: capture `.note.gnu.build-id` when present and thread into `SymbolID`/`code_id`; add synthetic roots for `.preinit_array/.init_array/_init`; emit purl+symbol-digest on call edges; emit Unknowns when symbolpurl or edges are unresolved.
- Native analyzers: capture `.note.gnu.build-id` when present and thread into `SymbolID`/`code_id`; add synthetic roots for `.preinit_array/.init_array/_init`; emit purl+symbol-digest on call edges; emit Unknowns when symbol???purl or edges are unresolved.
- Tests: keep patch-oracle fixtures deterministic (strip binaries; stable compilers); add/maintain `tests/reachability/patch-oracles/**` when touching native analyzers.
## Testing & Verification
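Review bot: the Native analyzers rule now reads `emit Unknowns when symbol???purl or edges are unresolved`; since this line is an engineering rule that agents are expected to follow literally, the lost `↔` makes the condition ambiguous (symbol-to-purl resolution in either direction). Restore the character or write `symbol<->purl` explicitly.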
@@ -214,6 +214,7 @@ See: `docs/implplan/SPRINT_3800_0000_0000_summary.md`
- Smart-Diff: Run schema validation tests (`SmartDiffSchemaValidationTests`) for predicate contract changes.
## Workflow Expectations
- Mirror task state in sprint tracker (`TODO DOING DONE/BLOCKED`); note blockers with the specific decision needed.
- Mirror task state in sprint tracker (`TODO ??? DOING ??? DONE/BLOCKED`); note blockers with the specific decision needed.
- Keep resolvers/analyzers parametric on environment data (RID, TFM, search paths); avoid host-global state.
- When adding DI/manifest registrations, ensure restart-time and worker compatibility; update module docs if contracts change.
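Review bot: the hunk header `@@ -214,6 +214,7 @@` declares one net added line, but the rendered hunk accounts for fewer lines than the header on both sides and shows only the `TODO → DOING → DONE/BLOCKED` line being re-encoded with `???`; the actual addition is not visible here, so review it in the raw patch before merging. The re-encoded state labels are the same corruption flagged on the title hunk.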