From 651b8e0fa3a1276d9f51430bbe1d19644ed5478f Mon Sep 17 00:00:00 2001 
From: master Date: Mon, 27 Oct 2025 07:57:55 +0200 Subject: [PATCH] feat: Add new projects to solution and implement contract testing documentation - Added "StellaOps.Policy.Engine", "StellaOps.Cartographer", and "StellaOps.SbomService" projects to the StellaOps solution. - Created AGENTS.md to outline the Contract Testing Guild Charter, detailing mission, scope, and definition of done. - Established TASKS.md for the Contract Testing Task Board, outlining tasks for Sprint 62 and Sprint 63 related to mock servers and replay testing. --- .gitea/workflows/build-test-deploy.yml | 474 +++--- AGENTS.md | 7 +- EPIC_1.md | 524 +++++++ EPIC_10.md | 566 ++++++++ EPIC_11.md | Bin 0 -> 38558 bytes EPIC_12.md | Bin 0 -> 41202 bytes EPIC_13.md | Bin 0 -> 36762 bytes EPIC_14.md | Bin 0 -> 39386 bytes EPIC_15.md | Bin 0 -> 37340 bytes EPIC_16.md | 1 + EPIC_17.md | 1 + EPIC_18.md | 1 + EPIC_19.md | 1 + EPIC_2.md | 567 ++++++++ EPIC_3.md | 531 +++++++ EPIC_4.md | 409 ++++++ EPIC_5.md | 431 ++++++ EPIC_6.md | 650 +++++++++ EPIC_7.md | 545 +++++++ EPIC_8.md | 440 ++++++ EPIC_9.md | 523 +++++++ EXECPLAN.md | 1170 ++++++++++++--- Read SPRINTs.md | 7 + SPRINTS.md | 1279 ++++++++++++++++- SPRINTS_PRIOR_20251021.md | 2 +- SPRINTS_PRIOR_20251025.md | 34 + bench/TASKS.md | 8 - dep_tmp.txt | 0 docs/12_PERFORMANCE_WORKBOOK.md | 326 ++--- docs/README.md | 144 +- docs/TASKS.md | 323 +++++ docs/airgap/EPIC_16_AIRGAP_MODE.md | 429 ++++++ docs/aoc/aoc-guardrails.md | 11 + docs/api/EPIC_17_SDKS_OPENAPI.md | 356 +++++ docs/attestor/EPIC_19_ATTESTOR_CONSOLE.md | 135 ++ docs/backlog/2025-10-cleanup.md | 17 + docs/ops/scanner-analyzers-operations.md | 4 +- docs/risk/EPIC_18_RISK_PROFILES.md | 260 ++++ ops/deployment/TASKS.md | 49 +- ops/devops/TASKS.md | 149 +- ops/offline-kit/TASKS.md | 5 +- samples/TASKS.md | 28 + src/StellaOps.AdvisoryAI/AGENTS.md | 22 + src/StellaOps.AdvisoryAI/TASKS.md | 12 + src/StellaOps.AirGap.Controller/AGENTS.md | 16 + src/StellaOps.AirGap.Controller/TASKS.md | 18 + 
src/StellaOps.AirGap.Importer/AGENTS.md | 16 + src/StellaOps.AirGap.Importer/TASKS.md | 19 + src/StellaOps.AirGap.Policy/AGENTS.md | 16 + src/StellaOps.AirGap.Policy/TASKS.md | 19 + src/StellaOps.AirGap.Time/AGENTS.md | 15 + src/StellaOps.AirGap.Time/TASKS.md | 13 + src/StellaOps.Api.Governance/AGENTS.md | 15 + src/StellaOps.Api.Governance/TASKS.md | 18 + src/StellaOps.Api.OpenApi/AGENTS.md | 16 + src/StellaOps.Api.OpenApi/TASKS.md | 19 + src/StellaOps.Attestor.Envelope/AGENTS.md | 15 + src/StellaOps.Attestor.Envelope/TASKS.md | 13 + src/StellaOps.Attestor.Types/AGENTS.md | 14 + src/StellaOps.Attestor.Types/TASKS.md | 13 + src/StellaOps.Attestor.Verify/AGENTS.md | 14 + src/StellaOps.Attestor.Verify/TASKS.md | 13 + src/StellaOps.Attestor/AGENTS.md | 28 +- src/StellaOps.Attestor/TASKS.md | 35 +- src/StellaOps.Authority/TASKS.md | 159 +- .../Scanner.Analyzers/README.md | 12 +- .../BaselineLoaderTests.cs | 0 .../BenchmarkJsonWriterTests.cs | 0 .../BenchmarkScenarioReportTests.cs | 0 .../PrometheusWriterTests.cs | 0 ...llaOps.Bench.ScannerAnalyzers.Tests.csproj | 0 .../Baseline/BaselineEntry.cs | 0 .../Baseline/BaselineLoader.cs | 0 .../BenchmarkConfig.cs | 0 .../Program.cs | 0 .../Reporting/BenchmarkJsonWriter.cs | 0 .../Reporting/BenchmarkScenarioReport.cs | 0 .../Reporting/PrometheusWriter.cs | 0 .../ScenarioResult.cs | 0 .../ScenarioRunners.cs | 0 .../StellaOps.Bench.ScannerAnalyzers.csproj | 0 .../Scanner.Analyzers/baseline.csv | 14 +- .../Scanner.Analyzers/config.json | 8 +- .../Scanner.Analyzers/lang/README.md | 14 +- .../lang/dotnet/syft-comparison-20251023.csv | 0 .../lang/go/syft-comparison-20251021.csv | 0 .../lang/python/hash-throughput-20251023.csv | 0 src/StellaOps.Bench/TASKS.md | 43 + src/StellaOps.Cartographer/AGENTS.md | 17 + src/StellaOps.Cartographer/Program.cs | 17 + .../StellaOps.Cartographer.csproj | 16 + src/StellaOps.Cartographer/TASKS.md | 12 + src/StellaOps.Cli/AGENTS.md | 9 +- src/StellaOps.Cli/TASKS.md | 206 ++- 
src/StellaOps.Concelier.Core/TASKS.md | 127 +- src/StellaOps.Concelier.Merge/TASKS.md | 7 + .../TASKS.md | 46 +- src/StellaOps.Concelier.WebService/TASKS.md | 114 +- src/StellaOps.Cryptography.Kms/AGENTS.md | 14 + src/StellaOps.Cryptography.Kms/TASKS.md | 13 + src/StellaOps.DevPortal.Site/AGENTS.md | 15 + src/StellaOps.DevPortal.Site/TASKS.md | 19 + src/StellaOps.EvidenceLocker/AGENTS.md | 28 + .../StellaOps.EvidenceLocker.Core/Class1.cs | 6 + .../StellaOps.EvidenceLocker.Core.csproj | 18 + .../Class1.cs | 6 + ...laOps.EvidenceLocker.Infrastructure.csproj | 28 + .../StellaOps.EvidenceLocker.Tests.csproj | 135 ++ .../UnitTest1.cs | 10 + .../xunit.runner.json | 3 + .../Program.cs | 41 + .../Properties/launchSettings.json | 23 + ...StellaOps.EvidenceLocker.WebService.csproj | 41 + .../StellaOps.EvidenceLocker.WebService.http | 6 + .../appsettings.Development.json | 8 + .../appsettings.json | 9 + .../Program.cs | 7 + .../Properties/launchSettings.json | 12 + .../StellaOps.EvidenceLocker.Worker.csproj | 43 + .../StellaOps.EvidenceLocker.Worker/Worker.cs | 16 + .../appsettings.Development.json | 8 + .../appsettings.json | 8 + .../StellaOps.EvidenceLocker.sln | 90 ++ src/StellaOps.EvidenceLocker/TASKS.md | 19 + src/StellaOps.Excititor.Core/TASKS.md | 105 +- .../TASKS.md | 38 +- src/StellaOps.Excititor.WebService/TASKS.md | 95 +- src/StellaOps.Excititor.Worker/TASKS.md | 24 +- .../AGENTS.md | 14 + .../TASKS.md | 13 + .../AGENTS.md | 14 + .../TASKS.md | 7 + .../AGENTS.md | 14 + .../TASKS.md | 13 + src/StellaOps.ExportCenter/AGENTS.md | 18 + .../StellaOps.ExportCenter.Core/Class1.cs | 6 + .../StellaOps.ExportCenter.Core.csproj | 18 + .../Class1.cs | 6 + ...ellaOps.ExportCenter.Infrastructure.csproj | 28 + .../StellaOps.ExportCenter.Tests.csproj | 135 ++ .../StellaOps.ExportCenter.Tests/UnitTest1.cs | 10 + .../xunit.runner.json | 3 + .../Program.cs | 41 + .../Properties/launchSettings.json | 23 + .../StellaOps.ExportCenter.WebService.csproj | 41 + 
.../StellaOps.ExportCenter.WebService.http | 6 + .../appsettings.Development.json | 8 + .../appsettings.json | 9 + .../StellaOps.ExportCenter.Worker/Program.cs | 7 + .../Properties/launchSettings.json | 12 + .../StellaOps.ExportCenter.Worker.csproj | 43 + .../StellaOps.ExportCenter.Worker/Worker.cs | 16 + .../appsettings.Development.json | 8 + .../appsettings.json | 8 + .../StellaOps.ExportCenter.sln | 90 ++ src/StellaOps.ExportCenter/TASKS.md | 76 + src/StellaOps.Findings.Ledger/AGENTS.md | 33 + src/StellaOps.Findings.Ledger/TASKS.md | 73 + src/StellaOps.Graph.Api/AGENTS.md | 33 + src/StellaOps.Graph.Api/TASKS.md | 14 + src/StellaOps.Graph.Indexer/AGENTS.md | 33 + src/StellaOps.Graph.Indexer/TASKS.md | 13 + src/StellaOps.IssuerDirectory/AGENTS.md | 21 + src/StellaOps.IssuerDirectory/TASKS.md | 9 + src/StellaOps.Mirror.Creator/AGENTS.md | 15 + src/StellaOps.Mirror.Creator/TASKS.md | 19 + src/StellaOps.Notifier/AGENTS.md | 17 + .../StellaOps.Notifier.Core/Class1.cs | 6 + .../StellaOps.Notifier.Core.csproj | 18 + .../Class1.cs | 6 + .../StellaOps.Notifier.Infrastructure.csproj | 28 + .../StellaOps.Notifier.Tests.csproj | 135 ++ .../StellaOps.Notifier.Tests/UnitTest1.cs | 10 + .../xunit.runner.json | 3 + .../StellaOps.Notifier.WebService/Program.cs | 41 + .../Properties/launchSettings.json | 23 + .../StellaOps.Notifier.WebService.csproj | 41 + .../StellaOps.Notifier.WebService.http | 6 + .../appsettings.Development.json | 8 + .../appsettings.json | 9 + .../StellaOps.Notifier.Worker/Program.cs | 7 + .../Properties/launchSettings.json | 12 + .../StellaOps.Notifier.Worker.csproj | 43 + .../StellaOps.Notifier.Worker/Worker.cs | 16 + .../appsettings.Development.json | 8 + .../appsettings.json | 8 + src/StellaOps.Notifier/StellaOps.Notifier.sln | 90 ++ src/StellaOps.Notifier/TASKS.md | 65 + .../TASKS.md | 9 +- .../TASKS.md | 9 +- .../TASKS.md | 10 +- .../TASKS.md | 9 +- src/StellaOps.Notify.Engine/TASKS.md | 10 +- src/StellaOps.Notify.Models/TASKS.md | 9 +- 
src/StellaOps.Notify.Queue/TASKS.md | 9 +- src/StellaOps.Notify.Storage.Mongo/TASKS.md | 9 +- src/StellaOps.Notify.WebService/TASKS.md | 10 +- src/StellaOps.Notify.Worker/TASKS.md | 10 +- .../AGENTS.md | 10 + .../TASKS.md | 9 + .../AGENTS.md | 10 + .../TASKS.md | 9 + src/StellaOps.Orchestrator/AGENTS.md | 18 + .../StellaOps.Orchestrator.Core/Class1.cs | 6 + .../StellaOps.Orchestrator.Core.csproj | 18 + .../Class1.cs | 6 + ...ellaOps.Orchestrator.Infrastructure.csproj | 28 + .../StellaOps.Orchestrator.Tests.csproj | 135 ++ .../StellaOps.Orchestrator.Tests/UnitTest1.cs | 10 + .../xunit.runner.json | 3 + .../Program.cs | 41 + .../Properties/launchSettings.json | 23 + .../StellaOps.Orchestrator.WebService.csproj | 41 + .../StellaOps.Orchestrator.WebService.http | 6 + .../appsettings.Development.json | 8 + .../appsettings.json | 9 + .../StellaOps.Orchestrator.Worker/Program.cs | 7 + .../Properties/launchSettings.json | 12 + .../StellaOps.Orchestrator.Worker.csproj | 43 + .../StellaOps.Orchestrator.Worker/Worker.cs | 16 + .../appsettings.Development.json | 8 + .../appsettings.json | 8 + .../StellaOps.Orchestrator.sln | 90 ++ src/StellaOps.Orchestrator/TASKS.md | 75 + src/StellaOps.PacksRegistry/AGENTS.md | 17 + .../StellaOps.PacksRegistry.Core/Class1.cs | 6 + .../StellaOps.PacksRegistry.Core.csproj | 18 + .../Class1.cs | 6 + ...llaOps.PacksRegistry.Infrastructure.csproj | 28 + .../StellaOps.PacksRegistry.Tests.csproj | 135 ++ .../UnitTest1.cs | 10 + .../xunit.runner.json | 3 + .../Program.cs | 41 + .../Properties/launchSettings.json | 23 + .../StellaOps.PacksRegistry.WebService.csproj | 41 + .../StellaOps.PacksRegistry.WebService.http | 6 + .../appsettings.Development.json | 8 + .../appsettings.json | 9 + .../StellaOps.PacksRegistry.Worker/Program.cs | 7 + .../Properties/launchSettings.json | 12 + .../StellaOps.PacksRegistry.Worker.csproj | 43 + .../StellaOps.PacksRegistry.Worker/Worker.cs | 16 + .../appsettings.Development.json | 8 + .../appsettings.json | 8 + 
.../StellaOps.PacksRegistry.sln | 90 ++ src/StellaOps.PacksRegistry/TASKS.md | 16 + src/StellaOps.Policy.Engine/AGENTS.md | 18 + src/StellaOps.Policy.Engine/Program.cs | 19 + .../StellaOps.Policy.Engine.csproj | 16 + src/StellaOps.Policy.Engine/TASKS.md | 156 ++ src/StellaOps.Policy.Registry/AGENTS.md | 34 + src/StellaOps.Policy.Registry/TASKS.md | 13 + src/StellaOps.Policy.RiskProfile/AGENTS.md | 15 + src/StellaOps.Policy.RiskProfile/TASKS.md | 20 + src/StellaOps.Policy/TASKS.md | 55 +- .../AGENTS.md | 20 + src/StellaOps.Provenance.Attestation/TASKS.md | 13 + src/StellaOps.RiskEngine/AGENTS.md | 23 + .../StellaOps.RiskEngine.Core/Class1.cs | 6 + .../StellaOps.RiskEngine.Core.csproj | 18 + .../Class1.cs | 6 + ...StellaOps.RiskEngine.Infrastructure.csproj | 28 + .../StellaOps.RiskEngine.Tests.csproj | 135 ++ .../StellaOps.RiskEngine.Tests/UnitTest1.cs | 10 + .../xunit.runner.json | 3 + .../Program.cs | 41 + .../Properties/launchSettings.json | 23 + .../StellaOps.RiskEngine.WebService.csproj | 41 + .../StellaOps.RiskEngine.WebService.http | 6 + .../appsettings.Development.json | 8 + .../appsettings.json | 9 + .../StellaOps.RiskEngine.Worker/Program.cs | 7 + .../Properties/launchSettings.json | 12 + .../StellaOps.RiskEngine.Worker.csproj | 43 + .../StellaOps.RiskEngine.Worker/Worker.cs | 16 + .../appsettings.Development.json | 8 + .../appsettings.json | 8 + .../StellaOps.RiskEngine.sln | 90 ++ src/StellaOps.RiskEngine/TASKS.md | 32 + src/StellaOps.SbomService/AGENTS.md | 15 + src/StellaOps.SbomService/Program.cs | 17 + .../StellaOps.SbomService.csproj | 15 + src/StellaOps.SbomService/TASKS.md | 43 + .../TASKS.md | 17 +- .../AGENTS.md | 40 +- .../TASKS.md | 21 + .../AGENTS.md | 78 +- .../SPRINTS_LANG_IMPLEMENTATION_PLAN.md | 8 +- .../TASKS.md | 20 + src/StellaOps.Scanner.WebService/TASKS.md | 15 +- src/StellaOps.Scheduler.Models/TASKS.md | 14 + src/StellaOps.Scheduler.WebService/TASKS.md | 41 +- src/StellaOps.Scheduler.Worker/TASKS.md | 73 +- 
src/StellaOps.Sdk.Generator/AGENTS.md | 15 + src/StellaOps.Sdk.Generator/TASKS.md | 21 + src/StellaOps.Sdk.Release/AGENTS.md | 15 + src/StellaOps.Sdk.Release/TASKS.md | 13 + src/StellaOps.Signals/AGENTS.md | 11 + src/StellaOps.Signals/TASKS.md | 8 + src/StellaOps.Signer/TASKS.md | 7 +- src/StellaOps.TaskRunner/AGENTS.md | 17 + .../StellaOps.TaskRunner.Core/Class1.cs | 6 + .../StellaOps.TaskRunner.Core.csproj | 18 + .../Class1.cs | 6 + ...StellaOps.TaskRunner.Infrastructure.csproj | 28 + .../StellaOps.TaskRunner.Tests.csproj | 135 ++ .../StellaOps.TaskRunner.Tests/UnitTest1.cs | 10 + .../xunit.runner.json | 3 + .../Program.cs | 41 + .../Properties/launchSettings.json | 23 + .../StellaOps.TaskRunner.WebService.csproj | 41 + .../StellaOps.TaskRunner.WebService.http | 6 + .../appsettings.Development.json | 8 + .../appsettings.json | 9 + .../StellaOps.TaskRunner.Worker/Program.cs | 7 + .../Properties/launchSettings.json | 12 + .../StellaOps.TaskRunner.Worker.csproj | 43 + .../StellaOps.TaskRunner.Worker/Worker.cs | 16 + .../appsettings.Development.json | 8 + .../appsettings.json | 8 + .../StellaOps.TaskRunner.sln | 90 ++ src/StellaOps.TaskRunner/TASKS.md | 47 + src/StellaOps.Telemetry.Core/AGENTS.md | 21 + src/StellaOps.Telemetry.Core/TASKS.md | 23 + src/StellaOps.TimelineIndexer/AGENTS.md | 28 + .../StellaOps.TimelineIndexer.Core/Class1.cs | 6 + .../StellaOps.TimelineIndexer.Core.csproj | 18 + .../Class1.cs | 6 + ...aOps.TimelineIndexer.Infrastructure.csproj | 28 + .../StellaOps.TimelineIndexer.Tests.csproj | 135 ++ .../UnitTest1.cs | 10 + .../xunit.runner.json | 3 + .../Program.cs | 41 + .../Properties/launchSettings.json | 23 + ...tellaOps.TimelineIndexer.WebService.csproj | 41 + .../StellaOps.TimelineIndexer.WebService.http | 6 + .../appsettings.Development.json | 8 + .../appsettings.json | 9 + .../Program.cs | 7 + .../Properties/launchSettings.json | 12 + .../StellaOps.TimelineIndexer.Worker.csproj | 43 + .../Worker.cs | 16 + .../appsettings.Development.json | 8 + 
.../appsettings.json | 8 + .../StellaOps.TimelineIndexer.sln | 90 ++ src/StellaOps.TimelineIndexer/TASKS.md | 14 + src/StellaOps.UI/TASKS.md | 89 +- src/StellaOps.VexLens/AGENTS.md | 31 + src/StellaOps.VexLens/TASKS.md | 34 + src/StellaOps.VulnExplorer.Api/AGENTS.md | 31 + src/StellaOps.VulnExplorer.Api/TASKS.md | 14 + src/StellaOps.Web/TASKS.md | 183 ++- src/StellaOps.sln | 42 + test/contract/AGENTS.md | 15 + test/contract/TASKS.md | 13 + 355 files changed, 17276 insertions(+), 1160 deletions(-) create mode 100644 EPIC_1.md create mode 100644 EPIC_10.md create mode 100644 EPIC_11.md create mode 100644 EPIC_12.md create mode 100644 EPIC_13.md create mode 100644 EPIC_14.md create mode 100644 EPIC_15.md create mode 100644 EPIC_16.md create mode 100644 EPIC_17.md create mode 100644 EPIC_18.md create mode 100644 EPIC_19.md create mode 100644 EPIC_2.md create mode 100644 EPIC_3.md create mode 100644 EPIC_4.md create mode 100644 EPIC_5.md create mode 100644 EPIC_6.md create mode 100644 EPIC_7.md create mode 100644 EPIC_8.md create mode 100644 EPIC_9.md create mode 100644 Read SPRINTs.md create mode 100644 SPRINTS_PRIOR_20251025.md delete mode 100644 bench/TASKS.md delete mode 100644 dep_tmp.txt create mode 100644 docs/airgap/EPIC_16_AIRGAP_MODE.md create mode 100644 docs/aoc/aoc-guardrails.md create mode 100644 docs/api/EPIC_17_SDKS_OPENAPI.md create mode 100644 docs/attestor/EPIC_19_ATTESTOR_CONSOLE.md create mode 100644 docs/backlog/2025-10-cleanup.md create mode 100644 docs/risk/EPIC_18_RISK_PROFILES.md create mode 100644 src/StellaOps.AdvisoryAI/AGENTS.md create mode 100644 src/StellaOps.AdvisoryAI/TASKS.md create mode 100644 src/StellaOps.AirGap.Controller/AGENTS.md create mode 100644 src/StellaOps.AirGap.Controller/TASKS.md create mode 100644 src/StellaOps.AirGap.Importer/AGENTS.md create mode 100644 src/StellaOps.AirGap.Importer/TASKS.md create mode 100644 src/StellaOps.AirGap.Policy/AGENTS.md create mode 100644 src/StellaOps.AirGap.Policy/TASKS.md create mode 
100644 src/StellaOps.AirGap.Time/AGENTS.md create mode 100644 src/StellaOps.AirGap.Time/TASKS.md create mode 100644 src/StellaOps.Api.Governance/AGENTS.md create mode 100644 src/StellaOps.Api.Governance/TASKS.md create mode 100644 src/StellaOps.Api.OpenApi/AGENTS.md create mode 100644 src/StellaOps.Api.OpenApi/TASKS.md create mode 100644 src/StellaOps.Attestor.Envelope/AGENTS.md create mode 100644 src/StellaOps.Attestor.Envelope/TASKS.md create mode 100644 src/StellaOps.Attestor.Types/AGENTS.md create mode 100644 src/StellaOps.Attestor.Types/TASKS.md create mode 100644 src/StellaOps.Attestor.Verify/AGENTS.md create mode 100644 src/StellaOps.Attestor.Verify/TASKS.md rename {bench => src/StellaOps.Bench}/Scanner.Analyzers/README.md (94%) rename {bench => src/StellaOps.Bench}/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/BaselineLoaderTests.cs (100%) rename {bench => src/StellaOps.Bench}/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/BenchmarkJsonWriterTests.cs (100%) rename {bench => src/StellaOps.Bench}/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/BenchmarkScenarioReportTests.cs (100%) rename {bench => src/StellaOps.Bench}/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/PrometheusWriterTests.cs (100%) rename {bench => src/StellaOps.Bench}/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/StellaOps.Bench.ScannerAnalyzers.Tests.csproj (100%) rename {bench => src/StellaOps.Bench}/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Baseline/BaselineEntry.cs (100%) rename {bench => src/StellaOps.Bench}/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Baseline/BaselineLoader.cs (100%) rename {bench => src/StellaOps.Bench}/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/BenchmarkConfig.cs (100%) rename {bench => src/StellaOps.Bench}/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Program.cs (100%) rename {bench => src/StellaOps.Bench}/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Reporting/BenchmarkJsonWriter.cs 
(100%) rename {bench => src/StellaOps.Bench}/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Reporting/BenchmarkScenarioReport.cs (100%) rename {bench => src/StellaOps.Bench}/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Reporting/PrometheusWriter.cs (100%) rename {bench => src/StellaOps.Bench}/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/ScenarioResult.cs (100%) rename {bench => src/StellaOps.Bench}/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/ScenarioRunners.cs (100%) rename {bench => src/StellaOps.Bench}/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj (100%) rename {bench => src/StellaOps.Bench}/Scanner.Analyzers/baseline.csv (98%) rename {bench => src/StellaOps.Bench}/Scanner.Analyzers/config.json (99%) rename {bench => src/StellaOps.Bench}/Scanner.Analyzers/lang/README.md (84%) rename {bench => src/StellaOps.Bench}/Scanner.Analyzers/lang/dotnet/syft-comparison-20251023.csv (100%) rename {bench => src/StellaOps.Bench}/Scanner.Analyzers/lang/go/syft-comparison-20251021.csv (100%) rename {bench => src/StellaOps.Bench}/Scanner.Analyzers/lang/python/hash-throughput-20251023.csv (100%) create mode 100644 src/StellaOps.Bench/TASKS.md create mode 100644 src/StellaOps.Cartographer/AGENTS.md create mode 100644 src/StellaOps.Cartographer/Program.cs create mode 100644 src/StellaOps.Cartographer/StellaOps.Cartographer.csproj create mode 100644 src/StellaOps.Cartographer/TASKS.md create mode 100644 src/StellaOps.Cryptography.Kms/AGENTS.md create mode 100644 src/StellaOps.Cryptography.Kms/TASKS.md create mode 100644 src/StellaOps.DevPortal.Site/AGENTS.md create mode 100644 src/StellaOps.DevPortal.Site/TASKS.md create mode 100644 src/StellaOps.EvidenceLocker/AGENTS.md create mode 100644 src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Class1.cs create mode 100644 src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/StellaOps.EvidenceLocker.Core.csproj create mode 100644 
src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Class1.cs create mode 100644 src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/StellaOps.EvidenceLocker.Infrastructure.csproj create mode 100644 src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj create mode 100644 src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/UnitTest1.cs create mode 100644 src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/xunit.runner.json create mode 100644 src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/Program.cs create mode 100644 src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/Properties/launchSettings.json create mode 100644 src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/StellaOps.EvidenceLocker.WebService.csproj create mode 100644 src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/StellaOps.EvidenceLocker.WebService.http create mode 100644 src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/appsettings.Development.json create mode 100644 src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/appsettings.json create mode 100644 src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/Program.cs create mode 100644 src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/Properties/launchSettings.json create mode 100644 src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/StellaOps.EvidenceLocker.Worker.csproj create mode 100644 src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/Worker.cs create mode 100644 src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/appsettings.Development.json create mode 100644 src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/appsettings.json create mode 100644 src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.sln create mode 100644 src/StellaOps.EvidenceLocker/TASKS.md create mode 100644 
src/StellaOps.ExportCenter.AttestationBundles/AGENTS.md create mode 100644 src/StellaOps.ExportCenter.AttestationBundles/TASKS.md create mode 100644 src/StellaOps.ExportCenter.DevPortalOffline/AGENTS.md create mode 100644 src/StellaOps.ExportCenter.DevPortalOffline/TASKS.md create mode 100644 src/StellaOps.ExportCenter.RiskBundles/AGENTS.md create mode 100644 src/StellaOps.ExportCenter.RiskBundles/TASKS.md create mode 100644 src/StellaOps.ExportCenter/AGENTS.md create mode 100644 src/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/Class1.cs create mode 100644 src/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/StellaOps.ExportCenter.Core.csproj create mode 100644 src/StellaOps.ExportCenter/StellaOps.ExportCenter.Infrastructure/Class1.cs create mode 100644 src/StellaOps.ExportCenter/StellaOps.ExportCenter.Infrastructure/StellaOps.ExportCenter.Infrastructure.csproj create mode 100644 src/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/StellaOps.ExportCenter.Tests.csproj create mode 100644 src/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/UnitTest1.cs create mode 100644 src/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/xunit.runner.json create mode 100644 src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Program.cs create mode 100644 src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Properties/launchSettings.json create mode 100644 src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj create mode 100644 src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.http create mode 100644 src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/appsettings.Development.json create mode 100644 src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/appsettings.json create mode 100644 src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/Program.cs create mode 100644 
src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/Properties/launchSettings.json create mode 100644 src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/StellaOps.ExportCenter.Worker.csproj create mode 100644 src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/Worker.cs create mode 100644 src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/appsettings.Development.json create mode 100644 src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/appsettings.json create mode 100644 src/StellaOps.ExportCenter/StellaOps.ExportCenter.sln create mode 100644 src/StellaOps.ExportCenter/TASKS.md create mode 100644 src/StellaOps.Findings.Ledger/AGENTS.md create mode 100644 src/StellaOps.Findings.Ledger/TASKS.md create mode 100644 src/StellaOps.Graph.Api/AGENTS.md create mode 100644 src/StellaOps.Graph.Api/TASKS.md create mode 100644 src/StellaOps.Graph.Indexer/AGENTS.md create mode 100644 src/StellaOps.Graph.Indexer/TASKS.md create mode 100644 src/StellaOps.IssuerDirectory/AGENTS.md create mode 100644 src/StellaOps.IssuerDirectory/TASKS.md create mode 100644 src/StellaOps.Mirror.Creator/AGENTS.md create mode 100644 src/StellaOps.Mirror.Creator/TASKS.md create mode 100644 src/StellaOps.Notifier/AGENTS.md create mode 100644 src/StellaOps.Notifier/StellaOps.Notifier.Core/Class1.cs create mode 100644 src/StellaOps.Notifier/StellaOps.Notifier.Core/StellaOps.Notifier.Core.csproj create mode 100644 src/StellaOps.Notifier/StellaOps.Notifier.Infrastructure/Class1.cs create mode 100644 src/StellaOps.Notifier/StellaOps.Notifier.Infrastructure/StellaOps.Notifier.Infrastructure.csproj create mode 100644 src/StellaOps.Notifier/StellaOps.Notifier.Tests/StellaOps.Notifier.Tests.csproj create mode 100644 src/StellaOps.Notifier/StellaOps.Notifier.Tests/UnitTest1.cs create mode 100644 src/StellaOps.Notifier/StellaOps.Notifier.Tests/xunit.runner.json create mode 100644 src/StellaOps.Notifier/StellaOps.Notifier.WebService/Program.cs create mode 100644 
src/StellaOps.Notifier/StellaOps.Notifier.WebService/Properties/launchSettings.json create mode 100644 src/StellaOps.Notifier/StellaOps.Notifier.WebService/StellaOps.Notifier.WebService.csproj create mode 100644 src/StellaOps.Notifier/StellaOps.Notifier.WebService/StellaOps.Notifier.WebService.http create mode 100644 src/StellaOps.Notifier/StellaOps.Notifier.WebService/appsettings.Development.json create mode 100644 src/StellaOps.Notifier/StellaOps.Notifier.WebService/appsettings.json create mode 100644 src/StellaOps.Notifier/StellaOps.Notifier.Worker/Program.cs create mode 100644 src/StellaOps.Notifier/StellaOps.Notifier.Worker/Properties/launchSettings.json create mode 100644 src/StellaOps.Notifier/StellaOps.Notifier.Worker/StellaOps.Notifier.Worker.csproj create mode 100644 src/StellaOps.Notifier/StellaOps.Notifier.Worker/Worker.cs create mode 100644 src/StellaOps.Notifier/StellaOps.Notifier.Worker/appsettings.Development.json create mode 100644 src/StellaOps.Notifier/StellaOps.Notifier.Worker/appsettings.json create mode 100644 src/StellaOps.Notifier/StellaOps.Notifier.sln create mode 100644 src/StellaOps.Notifier/TASKS.md create mode 100644 src/StellaOps.Orchestrator.WorkerSdk.Go/AGENTS.md create mode 100644 src/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md create mode 100644 src/StellaOps.Orchestrator.WorkerSdk.Python/AGENTS.md create mode 100644 src/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md create mode 100644 src/StellaOps.Orchestrator/AGENTS.md create mode 100644 src/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Class1.cs create mode 100644 src/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/StellaOps.Orchestrator.Core.csproj create mode 100644 src/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Class1.cs create mode 100644 src/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/StellaOps.Orchestrator.Infrastructure.csproj create mode 100644 
src/StellaOps.Orchestrator/StellaOps.Orchestrator.Tests/StellaOps.Orchestrator.Tests.csproj create mode 100644 src/StellaOps.Orchestrator/StellaOps.Orchestrator.Tests/UnitTest1.cs create mode 100644 src/StellaOps.Orchestrator/StellaOps.Orchestrator.Tests/xunit.runner.json create mode 100644 src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Program.cs create mode 100644 src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Properties/launchSettings.json create mode 100644 src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/StellaOps.Orchestrator.WebService.csproj create mode 100644 src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/StellaOps.Orchestrator.WebService.http create mode 100644 src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/appsettings.Development.json create mode 100644 src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/appsettings.json create mode 100644 src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/Program.cs create mode 100644 src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/Properties/launchSettings.json create mode 100644 src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/StellaOps.Orchestrator.Worker.csproj create mode 100644 src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/Worker.cs create mode 100644 src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/appsettings.Development.json create mode 100644 src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/appsettings.json create mode 100644 src/StellaOps.Orchestrator/StellaOps.Orchestrator.sln create mode 100644 src/StellaOps.Orchestrator/TASKS.md create mode 100644 src/StellaOps.PacksRegistry/AGENTS.md create mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Core/Class1.cs create mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Core/StellaOps.PacksRegistry.Core.csproj create mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Infrastructure/Class1.cs create 
mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Infrastructure/StellaOps.PacksRegistry.Infrastructure.csproj create mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Tests/StellaOps.PacksRegistry.Tests.csproj create mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Tests/UnitTest1.cs create mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Tests/xunit.runner.json create mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/Program.cs create mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/Properties/launchSettings.json create mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/StellaOps.PacksRegistry.WebService.csproj create mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/StellaOps.PacksRegistry.WebService.http create mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/appsettings.Development.json create mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/appsettings.json create mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/Program.cs create mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/Properties/launchSettings.json create mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/StellaOps.PacksRegistry.Worker.csproj create mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/Worker.cs create mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/appsettings.Development.json create mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/appsettings.json create mode 100644 src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.sln create mode 100644 src/StellaOps.PacksRegistry/TASKS.md create mode 100644 src/StellaOps.Policy.Engine/AGENTS.md create mode 100644 src/StellaOps.Policy.Engine/Program.cs create mode 100644 
src/StellaOps.Policy.Engine/StellaOps.Policy.Engine.csproj create mode 100644 src/StellaOps.Policy.Engine/TASKS.md create mode 100644 src/StellaOps.Policy.Registry/AGENTS.md create mode 100644 src/StellaOps.Policy.Registry/TASKS.md create mode 100644 src/StellaOps.Policy.RiskProfile/AGENTS.md create mode 100644 src/StellaOps.Policy.RiskProfile/TASKS.md create mode 100644 src/StellaOps.Provenance.Attestation/AGENTS.md create mode 100644 src/StellaOps.Provenance.Attestation/TASKS.md create mode 100644 src/StellaOps.RiskEngine/AGENTS.md create mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Class1.cs create mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/StellaOps.RiskEngine.Core.csproj create mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.Infrastructure/Class1.cs create mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.Infrastructure/StellaOps.RiskEngine.Infrastructure.csproj create mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests/StellaOps.RiskEngine.Tests.csproj create mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests/UnitTest1.cs create mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests/xunit.runner.json create mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/Program.cs create mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/Properties/launchSettings.json create mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/StellaOps.RiskEngine.WebService.csproj create mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/StellaOps.RiskEngine.WebService.http create mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/appsettings.Development.json create mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/appsettings.json create mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/Program.cs create mode 100644 
src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/Properties/launchSettings.json create mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/StellaOps.RiskEngine.Worker.csproj create mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/Worker.cs create mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/appsettings.Development.json create mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/appsettings.json create mode 100644 src/StellaOps.RiskEngine/StellaOps.RiskEngine.sln create mode 100644 src/StellaOps.RiskEngine/TASKS.md create mode 100644 src/StellaOps.SbomService/AGENTS.md create mode 100644 src/StellaOps.SbomService/Program.cs create mode 100644 src/StellaOps.SbomService/StellaOps.SbomService.csproj create mode 100644 src/StellaOps.SbomService/TASKS.md create mode 100644 src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md create mode 100644 src/StellaOps.Scanner.Analyzers.Native/TASKS.md create mode 100644 src/StellaOps.Sdk.Generator/AGENTS.md create mode 100644 src/StellaOps.Sdk.Generator/TASKS.md create mode 100644 src/StellaOps.Sdk.Release/AGENTS.md create mode 100644 src/StellaOps.Sdk.Release/TASKS.md create mode 100644 src/StellaOps.Signals/AGENTS.md create mode 100644 src/StellaOps.Signals/TASKS.md create mode 100644 src/StellaOps.TaskRunner/AGENTS.md create mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Class1.cs create mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/StellaOps.TaskRunner.Core.csproj create mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/Class1.cs create mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/StellaOps.TaskRunner.Infrastructure.csproj create mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/StellaOps.TaskRunner.Tests.csproj create mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/UnitTest1.cs create mode 100644 
src/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/xunit.runner.json create mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/Program.cs create mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/Properties/launchSettings.json create mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/StellaOps.TaskRunner.WebService.csproj create mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/StellaOps.TaskRunner.WebService.http create mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/appsettings.Development.json create mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/appsettings.json create mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/Program.cs create mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/Properties/launchSettings.json create mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/StellaOps.TaskRunner.Worker.csproj create mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/Worker.cs create mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/appsettings.Development.json create mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/appsettings.json create mode 100644 src/StellaOps.TaskRunner/StellaOps.TaskRunner.sln create mode 100644 src/StellaOps.TaskRunner/TASKS.md create mode 100644 src/StellaOps.Telemetry.Core/AGENTS.md create mode 100644 src/StellaOps.Telemetry.Core/TASKS.md create mode 100644 src/StellaOps.TimelineIndexer/AGENTS.md create mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Core/Class1.cs create mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Core/StellaOps.TimelineIndexer.Core.csproj create mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Infrastructure/Class1.cs create mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Infrastructure/StellaOps.TimelineIndexer.Infrastructure.csproj 
create mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Tests/StellaOps.TimelineIndexer.Tests.csproj create mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Tests/UnitTest1.cs create mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Tests/xunit.runner.json create mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/Program.cs create mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/Properties/launchSettings.json create mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/StellaOps.TimelineIndexer.WebService.csproj create mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/StellaOps.TimelineIndexer.WebService.http create mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/appsettings.Development.json create mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/appsettings.json create mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/Program.cs create mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/Properties/launchSettings.json create mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/StellaOps.TimelineIndexer.Worker.csproj create mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/Worker.cs create mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/appsettings.Development.json create mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/appsettings.json create mode 100644 src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.sln create mode 100644 src/StellaOps.TimelineIndexer/TASKS.md create mode 100644 src/StellaOps.VexLens/AGENTS.md create mode 100644 src/StellaOps.VexLens/TASKS.md create mode 100644 src/StellaOps.VulnExplorer.Api/AGENTS.md create mode 100644 src/StellaOps.VulnExplorer.Api/TASKS.md create 
mode 100644 test/contract/AGENTS.md create mode 100644 test/contract/TASKS.md diff --git a/.gitea/workflows/build-test-deploy.yml b/.gitea/workflows/build-test-deploy.yml index ae972478..f75af564 100644 --- a/.gitea/workflows/build-test-deploy.yml +++ b/.gitea/workflows/build-test-deploy.yml @@ -1,40 +1,40 @@ -# .gitea/workflows/build-test-deploy.yml -# Unified CI/CD workflow for git.stella-ops.org (Feedser monorepo) - -name: Build Test Deploy - -on: - push: - branches: [ main ] - paths: - - 'src/**' - - 'docs/**' - - 'scripts/**' - - 'Directory.Build.props' - - 'Directory.Build.targets' - - 'global.json' - - '.gitea/workflows/**' - pull_request: - branches: [ main, develop ] - paths: - - 'src/**' - - 'docs/**' - - 'scripts/**' - - '.gitea/workflows/**' - workflow_dispatch: - inputs: - force_deploy: - description: 'Ignore branch checks and run the deploy stage' - required: false - default: 'false' - type: boolean - -env: - DOTNET_VERSION: '10.0.100-rc.1.25451.107' - BUILD_CONFIGURATION: Release - CI_CACHE_ROOT: /data/.cache/stella-ops/feedser - RUNNER_TOOL_CACHE: /toolcache - +# .gitea/workflows/build-test-deploy.yml +# Unified CI/CD workflow for git.stella-ops.org (Feedser monorepo) + +name: Build Test Deploy + +on: + push: + branches: [ main ] + paths: + - 'src/**' + - 'docs/**' + - 'scripts/**' + - 'Directory.Build.props' + - 'Directory.Build.targets' + - 'global.json' + - '.gitea/workflows/**' + pull_request: + branches: [ main, develop ] + paths: + - 'src/**' + - 'docs/**' + - 'scripts/**' + - '.gitea/workflows/**' + workflow_dispatch: + inputs: + force_deploy: + description: 'Ignore branch checks and run the deploy stage' + required: false + default: 'false' + type: boolean + +env: + DOTNET_VERSION: '10.0.100-rc.1.25451.107' + BUILD_CONFIGURATION: Release + CI_CACHE_ROOT: /data/.cache/stella-ops/feedser + RUNNER_TOOL_CACHE: /toolcache + jobs: profile-validation: runs-on: ubuntu-22.04 
@@ -58,24 +58,24 @@ jobs: PUBLISH_DIR: ${{ github.workspace }}/artifacts/publish/webservice AUTHORITY_PUBLISH_DIR: ${{ github.workspace }}/artifacts/publish/authority TEST_RESULTS_DIR: ${{ github.workspace }}/artifacts/test-results - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Setup .NET ${{ env.DOTNET_VERSION }} - uses: actions/setup-dotnet@v4 - with: - dotnet-version: ${{ env.DOTNET_VERSION }} - include-prerelease: true - - - name: Restore dependencies - run: dotnet restore src/StellaOps.Feedser.sln - - - name: Build solution (warnings as errors) - run: dotnet build src/StellaOps.Feedser.sln --configuration $BUILD_CONFIGURATION --no-restore -warnaserror - + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Setup .NET ${{ env.DOTNET_VERSION }} + uses: actions/setup-dotnet@v4 + with: + dotnet-version: ${{ env.DOTNET_VERSION }} + include-prerelease: true + + - name: Restore dependencies + run: dotnet restore src/StellaOps.Feedser.sln + + - name: Build solution (warnings as errors) + run: dotnet build src/StellaOps.Feedser.sln --configuration $BUILD_CONFIGURATION --no-restore -warnaserror + - name: Run unit and integration tests run: | mkdir -p "$TEST_RESULTS_DIR" @@ -118,11 +118,11 @@ jobs: CAPTURED_AT="$(date -u +"%Y-%m-%dT%H:%M:%SZ")" dotnet run \ - --project bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj \ + --project src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj \ --configuration $BUILD_CONFIGURATION \ -- \ --repo-root . \ - --baseline bench/Scanner.Analyzers/baseline.csv \ + --baseline src/StellaOps.Bench/Scanner.Analyzers/baseline.csv \ --out "$PERF_OUTPUT_DIR/latest.csv" \ --json "$PERF_OUTPUT_DIR/report.json" \ --prom "$PERF_OUTPUT_DIR/metrics.prom" \ 
@@ -269,7 +269,7 @@ PY path: ${{ env.AUTHORITY_PUBLISH_DIR }} if-no-files-found: error retention-days: 7 - + - name: Upload test results if: always() uses: actions/upload-artifact@v4 @@ -297,27 +297,27 @@ PY env: DOCS_OUTPUT_DIR: ${{ github.workspace }}/artifacts/docs-site steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Setup Python - uses: actions/setup-python@v5 - with: - python-version: '3.11' - - - name: Install documentation dependencies - run: | - python -m pip install --upgrade pip - python -m pip install markdown pygments - - - name: Render documentation bundle - run: | - python scripts/render_docs.py --source docs --output "$DOCS_OUTPUT_DIR" --clean - - - name: Upload documentation artifact - uses: actions/upload-artifact@v4 - with: - name: feedser-docs-site + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Setup Python + uses: actions/setup-python@v5 + with: + python-version: '3.11' + + - name: Install documentation dependencies + run: | + python -m pip install --upgrade pip + python -m pip install markdown pygments + + - name: Render documentation bundle + run: | + python scripts/render_docs.py --source docs --output "$DOCS_OUTPUT_DIR" --clean + + - name: Upload documentation artifact + uses: actions/upload-artifact@v4 + with: + name: feedser-docs-site path: ${{ env.DOCS_OUTPUT_DIR }} if-no-files-found: error retention-days: 7 @@ -326,7 +326,7 @@ PY runs-on: ubuntu-22.04 needs: build-test env: - BENCH_DIR: bench/Scanner.Analyzers + BENCH_DIR: src/StellaOps.Bench/Scanner.Analyzers steps: - name: Checkout repository uses: actions/checkout@v4 
@@ -412,163 +412,163 @@ PY needs.scanner-perf.result == 'success' && ( (github.event_name == 'push' && github.ref == 'refs/heads/main') || - github.event_name == 'workflow_dispatch' - ) - environment: staging - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - sparse-checkout: | - scripts - .gitea/workflows - sparse-checkout-cone-mode: true - - - name: Check if deployment should proceed - id: check-deploy - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - if [ "${{ github.event.inputs.force_deploy }}" = "true" ]; then - echo "should-deploy=true" >> $GITHUB_OUTPUT - echo "✅ Manual deployment requested" - else - echo "should-deploy=false" >> $GITHUB_OUTPUT - echo "ℹ️ Manual dispatch without force_deploy=true — skipping" - fi - elif [ "${{ github.ref }}" = "refs/heads/main" ]; then - echo "should-deploy=true" >> $GITHUB_OUTPUT - echo "✅ Deploying latest main branch build" - else - echo "should-deploy=false" >> $GITHUB_OUTPUT - echo "ℹ️ Deployment restricted to main branch" - fi - - - name: Resolve deployment credentials - id: params - if: steps.check-deploy.outputs.should-deploy == 'true' - run: | - missing=() - - host="${{ secrets.STAGING_DEPLOYMENT_HOST }}" - if [ -z "$host" ]; then host="${{ vars.STAGING_DEPLOYMENT_HOST }}"; fi - if [ -z "$host" ]; then host="${{ secrets.DEPLOYMENT_HOST }}"; fi - if [ -z "$host" ]; then host="${{ vars.DEPLOYMENT_HOST }}"; fi - if [ -z "$host" ]; then missing+=("STAGING_DEPLOYMENT_HOST"); fi - - user="${{ secrets.STAGING_DEPLOYMENT_USERNAME }}" - if [ -z "$user" ]; then user="${{ vars.STAGING_DEPLOYMENT_USERNAME }}"; fi - if [ -z "$user" ]; then user="${{ secrets.DEPLOYMENT_USERNAME }}"; fi - if [ -z "$user" ]; then user="${{ vars.DEPLOYMENT_USERNAME }}"; fi - if [ -z "$user" ]; then missing+=("STAGING_DEPLOYMENT_USERNAME"); fi - - path="${{ secrets.STAGING_DEPLOYMENT_PATH }}" - if [ -z "$path" ]; then path="${{ vars.STAGING_DEPLOYMENT_PATH }}"; fi - - docs_path="${{ 
secrets.STAGING_DOCS_PATH }}" - if [ -z "$docs_path" ]; then docs_path="${{ vars.STAGING_DOCS_PATH }}"; fi - - key="${{ secrets.STAGING_DEPLOYMENT_KEY }}" - if [ -z "$key" ]; then key="${{ secrets.DEPLOYMENT_KEY }}"; fi - if [ -z "$key" ]; then key="${{ vars.STAGING_DEPLOYMENT_KEY }}"; fi - if [ -z "$key" ]; then key="${{ vars.DEPLOYMENT_KEY }}"; fi - if [ -z "$key" ]; then missing+=("STAGING_DEPLOYMENT_KEY"); fi - - if [ ${#missing[@]} -gt 0 ]; then - echo "❌ Missing deployment configuration: ${missing[*]}" - exit 1 - fi - - key_file="$RUNNER_TEMP/staging_deploy_key" - printf '%s\n' "$key" > "$key_file" - chmod 600 "$key_file" - - echo "host=$host" >> $GITHUB_OUTPUT - echo "user=$user" >> $GITHUB_OUTPUT - echo "path=$path" >> $GITHUB_OUTPUT - echo "docs-path=$docs_path" >> $GITHUB_OUTPUT - echo "key-file=$key_file" >> $GITHUB_OUTPUT - - - name: Download service artifact - if: steps.check-deploy.outputs.should-deploy == 'true' && steps.params.outputs.path != '' - uses: actions/download-artifact@v4 - with: - name: feedser-publish - path: artifacts/service - - - name: Download documentation artifact - if: steps.check-deploy.outputs.should-deploy == 'true' && steps.params.outputs['docs-path'] != '' - uses: actions/download-artifact@v4 - with: - name: feedser-docs-site - path: artifacts/docs - - - name: Install rsync - if: steps.check-deploy.outputs.should-deploy == 'true' - run: | - if command -v rsync >/dev/null 2>&1; then - exit 0 - fi - CACHE_DIR="${CI_CACHE_ROOT:-/tmp}/apt" - mkdir -p "$CACHE_DIR" - KEY="rsync-$(lsb_release -rs 2>/dev/null || echo unknown)" - DEB_DIR="$CACHE_DIR/$KEY" - mkdir -p "$DEB_DIR" - if ls "$DEB_DIR"/rsync*.deb >/dev/null 2>&1; then - apt-get update - apt-get install -y --no-install-recommends "$DEB_DIR"/libpopt0*.deb "$DEB_DIR"/rsync*.deb - else - apt-get update - apt-get download rsync libpopt0 - mv rsync*.deb libpopt0*.deb "$DEB_DIR"/ - dpkg -i "$DEB_DIR"/libpopt0*.deb "$DEB_DIR"/rsync*.deb || apt-get install -f -y - fi - - - name: 
Deploy service bundle - if: steps.check-deploy.outputs.should-deploy == 'true' && steps.params.outputs.path != '' - env: - HOST: ${{ steps.params.outputs.host }} - USER: ${{ steps.params.outputs.user }} - TARGET: ${{ steps.params.outputs.path }} - KEY_FILE: ${{ steps.params.outputs['key-file'] }} - run: | - SERVICE_DIR="artifacts/service/feedser-publish" - if [ ! -d "$SERVICE_DIR" ]; then - echo "❌ Service artifact directory missing ($SERVICE_DIR)" - exit 1 - fi - echo "🚀 Deploying Feedser web service to $HOST:$TARGET" - rsync -az --delete \ - -e "ssh -i $KEY_FILE -o StrictHostKeyChecking=no" \ - "$SERVICE_DIR"/ \ - "$USER@$HOST:$TARGET/" - - - name: Deploy documentation bundle - if: steps.check-deploy.outputs.should-deploy == 'true' && steps.params.outputs['docs-path'] != '' - env: - HOST: ${{ steps.params.outputs.host }} - USER: ${{ steps.params.outputs.user }} - DOCS_TARGET: ${{ steps.params.outputs['docs-path'] }} - KEY_FILE: ${{ steps.params.outputs['key-file'] }} - run: | - DOCS_DIR="artifacts/docs/feedser-docs-site" - if [ ! 
-d "$DOCS_DIR" ]; then - echo "❌ Documentation artifact directory missing ($DOCS_DIR)" - exit 1 - fi - echo "📚 Deploying documentation bundle to $HOST:$DOCS_TARGET" - rsync -az --delete \ - -e "ssh -i $KEY_FILE -o StrictHostKeyChecking=no" \ - "$DOCS_DIR"/ \ - "$USER@$HOST:$DOCS_TARGET/" - - - name: Deployment summary - if: steps.check-deploy.outputs.should-deploy == 'true' - run: | - echo "✅ Deployment completed" - echo " Host: ${{ steps.params.outputs.host }}" - echo " Service path: ${{ steps.params.outputs.path || '(skipped)' }}" - echo " Docs path: ${{ steps.params.outputs['docs-path'] || '(skipped)' }}" - + github.event_name == 'workflow_dispatch' + ) + environment: staging + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + sparse-checkout: | + scripts + .gitea/workflows + sparse-checkout-cone-mode: true + + - name: Check if deployment should proceed + id: check-deploy + run: | + if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then + if [ "${{ github.event.inputs.force_deploy }}" = "true" ]; then + echo "should-deploy=true" >> $GITHUB_OUTPUT + echo "✅ Manual deployment requested" + else + echo "should-deploy=false" >> $GITHUB_OUTPUT + echo "ℹ️ Manual dispatch without force_deploy=true — skipping" + fi + elif [ "${{ github.ref }}" = "refs/heads/main" ]; then + echo "should-deploy=true" >> $GITHUB_OUTPUT + echo "✅ Deploying latest main branch build" + else + echo "should-deploy=false" >> $GITHUB_OUTPUT + echo "ℹ️ Deployment restricted to main branch" + fi + + - name: Resolve deployment credentials + id: params + if: steps.check-deploy.outputs.should-deploy == 'true' + run: | + missing=() + + host="${{ secrets.STAGING_DEPLOYMENT_HOST }}" + if [ -z "$host" ]; then host="${{ vars.STAGING_DEPLOYMENT_HOST }}"; fi + if [ -z "$host" ]; then host="${{ secrets.DEPLOYMENT_HOST }}"; fi + if [ -z "$host" ]; then host="${{ vars.DEPLOYMENT_HOST }}"; fi + if [ -z "$host" ]; then missing+=("STAGING_DEPLOYMENT_HOST"); fi + + user="${{ 
secrets.STAGING_DEPLOYMENT_USERNAME }}" + if [ -z "$user" ]; then user="${{ vars.STAGING_DEPLOYMENT_USERNAME }}"; fi + if [ -z "$user" ]; then user="${{ secrets.DEPLOYMENT_USERNAME }}"; fi + if [ -z "$user" ]; then user="${{ vars.DEPLOYMENT_USERNAME }}"; fi + if [ -z "$user" ]; then missing+=("STAGING_DEPLOYMENT_USERNAME"); fi + + path="${{ secrets.STAGING_DEPLOYMENT_PATH }}" + if [ -z "$path" ]; then path="${{ vars.STAGING_DEPLOYMENT_PATH }}"; fi + + docs_path="${{ secrets.STAGING_DOCS_PATH }}" + if [ -z "$docs_path" ]; then docs_path="${{ vars.STAGING_DOCS_PATH }}"; fi + + key="${{ secrets.STAGING_DEPLOYMENT_KEY }}" + if [ -z "$key" ]; then key="${{ secrets.DEPLOYMENT_KEY }}"; fi + if [ -z "$key" ]; then key="${{ vars.STAGING_DEPLOYMENT_KEY }}"; fi + if [ -z "$key" ]; then key="${{ vars.DEPLOYMENT_KEY }}"; fi + if [ -z "$key" ]; then missing+=("STAGING_DEPLOYMENT_KEY"); fi + + if [ ${#missing[@]} -gt 0 ]; then + echo "❌ Missing deployment configuration: ${missing[*]}" + exit 1 + fi + + key_file="$RUNNER_TEMP/staging_deploy_key" + printf '%s\n' "$key" > "$key_file" + chmod 600 "$key_file" + + echo "host=$host" >> $GITHUB_OUTPUT + echo "user=$user" >> $GITHUB_OUTPUT + echo "path=$path" >> $GITHUB_OUTPUT + echo "docs-path=$docs_path" >> $GITHUB_OUTPUT + echo "key-file=$key_file" >> $GITHUB_OUTPUT + + - name: Download service artifact + if: steps.check-deploy.outputs.should-deploy == 'true' && steps.params.outputs.path != '' + uses: actions/download-artifact@v4 + with: + name: feedser-publish + path: artifacts/service + + - name: Download documentation artifact + if: steps.check-deploy.outputs.should-deploy == 'true' && steps.params.outputs['docs-path'] != '' + uses: actions/download-artifact@v4 + with: + name: feedser-docs-site + path: artifacts/docs + + - name: Install rsync + if: steps.check-deploy.outputs.should-deploy == 'true' + run: | + if command -v rsync >/dev/null 2>&1; then + exit 0 + fi + CACHE_DIR="${CI_CACHE_ROOT:-/tmp}/apt" + mkdir -p "$CACHE_DIR" + 
KEY="rsync-$(lsb_release -rs 2>/dev/null || echo unknown)" + DEB_DIR="$CACHE_DIR/$KEY" + mkdir -p "$DEB_DIR" + if ls "$DEB_DIR"/rsync*.deb >/dev/null 2>&1; then + apt-get update + apt-get install -y --no-install-recommends "$DEB_DIR"/libpopt0*.deb "$DEB_DIR"/rsync*.deb + else + apt-get update + apt-get download rsync libpopt0 + mv rsync*.deb libpopt0*.deb "$DEB_DIR"/ + dpkg -i "$DEB_DIR"/libpopt0*.deb "$DEB_DIR"/rsync*.deb || apt-get install -f -y + fi + + - name: Deploy service bundle + if: steps.check-deploy.outputs.should-deploy == 'true' && steps.params.outputs.path != '' + env: + HOST: ${{ steps.params.outputs.host }} + USER: ${{ steps.params.outputs.user }} + TARGET: ${{ steps.params.outputs.path }} + KEY_FILE: ${{ steps.params.outputs['key-file'] }} + run: | + SERVICE_DIR="artifacts/service/feedser-publish" + if [ ! -d "$SERVICE_DIR" ]; then + echo "❌ Service artifact directory missing ($SERVICE_DIR)" + exit 1 + fi + echo "🚀 Deploying Feedser web service to $HOST:$TARGET" + rsync -az --delete \ + -e "ssh -i $KEY_FILE -o StrictHostKeyChecking=no" \ + "$SERVICE_DIR"/ \ + "$USER@$HOST:$TARGET/" + + - name: Deploy documentation bundle + if: steps.check-deploy.outputs.should-deploy == 'true' && steps.params.outputs['docs-path'] != '' + env: + HOST: ${{ steps.params.outputs.host }} + USER: ${{ steps.params.outputs.user }} + DOCS_TARGET: ${{ steps.params.outputs['docs-path'] }} + KEY_FILE: ${{ steps.params.outputs['key-file'] }} + run: | + DOCS_DIR="artifacts/docs/feedser-docs-site" + if [ ! 
-d "$DOCS_DIR" ]; then + echo "❌ Documentation artifact directory missing ($DOCS_DIR)" + exit 1 + fi + echo "📚 Deploying documentation bundle to $HOST:$DOCS_TARGET" + rsync -az --delete \ + -e "ssh -i $KEY_FILE -o StrictHostKeyChecking=no" \ + "$DOCS_DIR"/ \ + "$USER@$HOST:$DOCS_TARGET/" + + - name: Deployment summary + if: steps.check-deploy.outputs.should-deploy == 'true' + run: | + echo "✅ Deployment completed" + echo " Host: ${{ steps.params.outputs.host }}" + echo " Service path: ${{ steps.params.outputs.path || '(skipped)' }}" + echo " Docs path: ${{ steps.params.outputs['docs-path'] || '(skipped)' }}" + - name: Deployment skipped summary if: steps.check-deploy.outputs.should-deploy != 'true' run: | diff --git a/AGENTS.md b/AGENTS.md index e61f0e77..393b6feb 100644 --- a/AGENTS.md +++ b/AGENTS.md 
@@ -96,16 +96,17 @@ You main characteristics: Maintains this agent framework, templates, and per‑directory guides; assists parallelization and reviews. -## 5.2) Work-in-parallel rules (important) +## 5.2) Work rules (important) - **Directory ownership**: Each agent works **only inside its module directory**. Cross‑module edits require a brief handshake in issues/PR description. - **Scoping**: Use each module’s `AGENTS.md` and `TASKS.md` to plan; autonomous agents must read `src/AGENTS.md` and the module docs before acting. - **Determinism**: Sort keys, normalize timestamps to UTC ISO‑8601, avoid non‑deterministic data in exports and tests. -- **Status tracking**: Update your module’s `TASKS.md` as you progress (TODO → DOING → DONE/BLOCKED). Before starting of actual work - ensure you have set the task to DOING. When complete or stop update the status in corresponding TASKS.md and in ./SPRINTS.md and ./EXECPLAN.md file. +- **Status tracking**: Update your module’s `TASKS.md` as you progress (TODO → DOING → DONE/BLOCKED). Before starting of actual work - ensure you have set the task to DOING. When complete or stop update the status in corresponding TASKS.md and in ./SPRINTS.md file. - **Coordination**: In case task is discovered as blocked on other team or task, according TASKS.md files that dependency is on needs to be changed by adding new tasks describing the requirement. the current task must be updated as completed. In case task changes, scope or requirements or rules - other documentations needs be updated accordingly. -- **Sprint synchronization**: When given task seek for relevant directory to work on from SPRINTS.md. Confirm its state on both SPRINTS.md and EXECPLAN.md and the relevant TASKS.md file. Always check the AGENTS.md in the relevant TASKS.md directory. +- **Sprint synchronization**: When given task seek for relevant directory to work on from SPRINTS.md. Confirm its state on both SPRINTS.md and the relevant TASKS.md file. 
Always check the AGENTS.md in the relevant TASKS.md directory. - **Tests**: Add/extend fixtures and unit tests per change; never regress determinism or precedence. - **Test layout**: Use module-specific projects in `StellaOps.Concelier..Tests`; shared fixtures/harnesses live in `StellaOps.Concelier.Testing`. - **Execution autonomous**: In case you need to continue with more than one options just continue sequentially, unless the continue requires design decision. +- **EPIC reference**: In case task (on relevant TASKS.md file) references in direct or indirect way an EPIC - then seek for epic document like ./EPIC_*.md. There will be more information how to implement the task. --- diff --git a/EPIC_1.md b/EPIC_1.md new file mode 100644 index 00000000..e7ea271a --- /dev/null +++ b/EPIC_1.md 
@@ -0,0 +1,524 @@ +Here’s the full write‑up you can drop into your repo as the canonical reference for Epic 1. It’s written in clean product‑doc style so it’s safe to check in as Markdown. No fluff, just everything you need to build, test, and police it. + +--- + +# Epic 1: Aggregation‑Only Contract (AOC) Enforcement + +> Short name: **AOC enforcement** +> Services touched: **Conseiller (advisory ingestion), Excitator (VEX ingestion), Web API, Workers, Policy Engine, CLI, Console, Authority** +> Data stores: **MongoDB primary, optional Redis/NATS for jobs** + +--- + +## 1) What it is + +**Aggregation‑Only Contract (AOC)** is the ingestion covenant for StellaOps. It defines a hard boundary between **collection** and **interpretation**: + +* **Ingestion (Conseiller/Excitator)** only **collects** data and preserves it as immutable raw facts with provenance. It does not decide, merge, normalize, prioritize, or assign severity. It may compute **links** that help future joins (aliases, PURLs, CPEs), but never derived judgments. +* **Policy evaluation** is the only place where merges, deduplication, consensus, severity computation, and status folding are allowed. It’s reproducible and traceable. + +The AOC establishes: + +* **Immutable raw stores**: `advisory_raw` and `vex_raw` documents with full provenance, signatures, checksums, and upstream identifiers. +* **Linksets**: machine‑generated join hints (aliases, PURLs, CPEs, CVE/GHSA IDs) that never change the underlying source content. +* **Invariants**: a strict set of “never do this in ingestion” rules enforced by schema validation, runtime guards, and CI checks. +* **AOC Verifier**: a build‑time and runtime watchdog that blocks non‑compliant code and data writes. + +This epic delivers: schemas, guards, error codes, APIs, tests, migration, docs, and ops dashboards to make AOC non‑negotiable across the platform. + +--- + +## 2) Why + +AOC makes results **auditable, deterministic, and organization‑specific**. 
Source vendors disagree; your policies decide. By removing hidden heuristics from ingestion, we avoid unexplainable risk changes, race conditions between collectors, and vendor bias. Policy‑time evaluation yields reproducible deltas with complete “why” traces. + +--- + +## 3) How it should work (deep details) + +### 3.1 Core invariants + +The following must be true for every write to `advisory_raw` and `vex_raw` and for every ingestion pipeline: + +1. **No severity in ingestion** + + * Forbidden fields: `severity`, `cvss`, `cvss_vector`, `effective_status`, `effective_range`, `merged_from`, `consensus_provider`, `reachability`, `asset_criticality`, `risk_score`. +2. **No merges or de‑dups in ingestion** + + * No combining two upstream advisories into one. No picking a single truth when multiple VEX statements exist. +3. **Provenance is mandatory** + + * Every raw doc includes `provenance` and `signature/checksum`. +4. **Idempotent upserts** + + * Same upstream document (by `upstream_id` + `source` + `content_hash`) must not create duplicates. +5. **Append‑only versioning** + + * Revisions from the source create new immutable documents with `supersedes` pointers; no in‑place edits. +6. **Linkset only** + + * Ingestion can compute and store a `linkset` for join performance. Linkset does not alter or infer severity/status. +7. **Policy‑time only for effective findings** + + * Only the Policy Engine can write `effective_finding_*` materializations. +8. **Schema safety** + + * Strict JSON schema validation at DB level; unknown fields reject writes. +9. **Clock discipline** + + * Timestamps are UTC, monotonic within a batch; collectors record `fetched_at` and `received_at`. 
+ +### 3.2 Data model + +#### 3.2.1 `advisory_raw` (Mongo collection) + +```json +{ + "_id": "advisory_raw:osv:GHSA-xxxx-....:v3", + "source": { + "vendor": "OSV", + "stream": "github", + "api": "https://api.osv.dev/v1/.../GHSA-...", + "collector_version": "conseiller/1.7.3" + }, + "upstream": { + "upstream_id": "GHSA-xxxx-....", + "document_version": "2024-09-01T12:13:14Z", + "fetched_at": "2025-01-02T03:04:05Z", + "received_at": "2025-01-02T03:04:06Z", + "content_hash": "sha256:...", + "signature": { + "present": true, + "format": "dsse", + "key_id": "rekor:.../key/abc", + "sig": "base64..." + } + }, + "content": { + "format": "OSV", + "spec_version": "1.6", + "raw": { /* full upstream JSON, unmodified */ } + }, + "identifiers": { + "cve": ["CVE-2023-1234"], + "ghsa": ["GHSA-xxxx-...."], + "aliases": ["CVE-2023-1234", "GHSA-xxxx-...."] + }, + "linkset": { + "purls": ["pkg:npm/lodash@4.17.21", "pkg:maven/..."], + "cpes": ["cpe:2.3:a:..."], + "references": [ + {"type":"advisory","url":"https://..."}, + {"type":"fix","url":"https://..."} + ], + "reconciled_from": ["content.raw.affected.ranges", "content.raw.pkg"] + }, + "supersedes": "advisory_raw:osv:GHSA-xxxx-....:v2", + "tenant": "default" +} +``` + +> Note: No `severity`, no `cvss`, no `effective_*`. If the upstream payload includes CVSS, it stays inside `content.raw` and is not promoted or normalized at ingestion. + +#### 3.2.2 `vex_raw` (Mongo collection) + +```json +{ + "_id": "vex_raw:vendorX:doc-123:v4", + "source": { + "vendor": "VendorX", + "stream": "vex", + "api": "https://.../vex/doc-123", + "collector_version": "excitator/0.9.2" + }, + "upstream": { + "upstream_id": "doc-123", + "document_version": "2025-01-15T08:09:10Z", + "fetched_at": "2025-01-16T01:02:03Z", + "received_at": "2025-01-16T01:02:03Z", + "content_hash": "sha256:...", + "signature": { "present": true, "format": "cms", "key_id": "kid:...", "sig": "..." 
} + }, + "content": { + "format": "CycloneDX-VEX", // or "CSAF-VEX" + "spec_version": "1.5", + "raw": { /* full upstream VEX */ } + }, + "identifiers": { + "statements": [ + { + "advisory_ids": ["CVE-2023-1234","GHSA-..."], + "component_purls": ["pkg:deb/openssl@1.1.1"], + "status": "not_affected", + "justification": "component_not_present" + } + ] + }, + "linkset": { + "purls": ["pkg:deb/openssl@1.1.1"], + "cves": ["CVE-2023-1234"], + "ghsas": ["GHSA-..."] + }, + "supersedes": "vex_raw:vendorX:doc-123:v3", + "tenant": "default" +} +``` + +> VEX statuses remain as raw facts. No cross‑provider consensus is computed here. + +### 3.3 Database validation + +* MongoDB JSON Schema validators on both collections: + + * Reject forbidden fields at the top level. + * Enforce presence of `source`, `upstream`, `content`, `linkset`, `tenant`. + * Enforce string formats for timestamps and hashes. + +### 3.4 Write paths + +1. **Collector fetches upstream** + + * Normalize transport (gzip/json), compute `content_hash`, verify signature if available. +2. **Build raw doc** + + * Populate `source`, `upstream`, `content.raw`, `identifiers`, `linkset`. +3. **Idempotent upsert** + + * Lookup by `(source.vendor, upstream.upstream_id, upstream.content_hash)`. If exists, skip; if new content hash, insert new revision with `supersedes`. +4. **AOC guard** + + * Runtime interceptor inspects write payload; if any forbidden field detected, reject with `ERR_AOC_001`. +5. **Metrics** + + * Emit `ingestion_write_ok` or `ingestion_write_reject` with reason code. + +### 3.5 Read paths (ingestion scope) + +* Allow only listing, getting raw docs, and searching by linkset. No endpoints return “effective findings” from ingestion services. 
+ +### 3.6 Error codes + +| Code | Meaning | HTTP | +| ------------- | ------------------------------------------------------------ | ---- | +| `ERR_AOC_001` | Forbidden field present (severity/consensus/normalized data) | 400 | +| `ERR_AOC_002` | Merge attempt detected (multiple upstreams fused) | 400 | +| `ERR_AOC_003` | Idempotency violation (duplicate without supersedes) | 409 | +| `ERR_AOC_004` | Missing provenance fields | 422 | +| `ERR_AOC_005` | Signature/checksum mismatch | 422 | +| `ERR_AOC_006` | Attempt to write effective findings from ingestion context | 403 | +| `ERR_AOC_007` | Unknown top‑level fields (schema violation) | 400 | + +### 3.7 AOC Verifier + +A build‑time and runtime safeguard: + +* **Static checks (CI)** + + * Block imports of `*.Policy*` or `*.Merge*` from ingestion modules. + * AST lint rule: any write to `advisory_raw` or `vex_raw` setting a forbidden key fails the build. +* **Runtime checks** + + * Repository layer interceptor inspects documents before insert/update; rejects forbidden fields and multi‑source merges. +* **Drift detection job** + + * Nightly job scans newest N docs; if violation found, pages ops and blocks new pipeline runs. + +> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +### 3.8 Indexing strategy + +* `advisory_raw`: + + * `{ "identifiers.cve": 1 }`, `{ "identifiers.ghsa": 1 }`, `{ "linkset.purls": 1 }`, `{ "source.vendor": 1, "upstream.upstream_id": 1, "upstream.content_hash": 1 }` (unique), `{ "tenant": 1 }`. +* `vex_raw`: + + * `{ "identifiers.statements.advisory_ids": 1 }`, `{ "linkset.purls": 1 }`, `{ "source.vendor": 1, "upstream.upstream_id": 1, "upstream.content_hash": 1 }` (unique), `{ "tenant": 1 }`. 
+ +### 3.9 Interaction with Policy Engine + +* Policy Engine pulls raw docs by identifiers/linksets and computes: + + * De‑dup/merge per policy + * Consensus for VEX statements + * Severity normalization and risk scoring +* Writes **only** to `effective_finding_{policyId}` collections. + +A dedicated write guard refuses `effective_finding_*` writes from any caller that isn’t the Policy Engine service identity. + +> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +### 3.10 Migration plan + +1. **Freeze ingestion writes** except raw pass‑through. +2. **Backfill**: copy existing ingestion collections to `_backup_*`. +3. **Strip forbidden fields** from raw copies, move them into a temporary `advisory_view_legacy` used only by Policy Engine for parity. +4. **Enable DB schema validators**. +5. **Run collectors** in dry‑run; ensure only allowed keys land. +6. **Switch Policy Engine** to pull exclusively from `*_raw` and to compute everything else. +7. **Delete legacy normalized fields** in ingestion codepaths. +8. **Enable runtime guards** and CI lint. + +### 3.11 Observability + +* Metrics: + + * `aoc_violation_total{code=...}`, `ingestion_write_total{result=ok|reject}`, `ingestion_signature_verified_total{result=ok|fail}`, `ingestion_latency_seconds`, `advisory_revision_count`. +* Tracing: span `ingest.fetch`, `ingest.transform`, `ingest.write`, `aoc.guard`. +* Logs: include `tenant`, `source.vendor`, `upstream.upstream_id`, `content_hash`, `correlation_id`. + +> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +### 3.12 Security and tenancy + +* Every raw doc carries a `tenant` field. +* Authority enforces `advisory:write` and `vex:write` scopes for ingestion endpoints. +* Cross‑tenant reads/writes are blocked by default. +* Secrets never logged; signatures verified with pinned trust stores. 
+ +> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +### 3.13 CLI and Console behavior + +* **CLI** + + * `stella sources ingest --dry-run` prints would‑write payload and explicitly shows that no severity/status fields are present. + * `stella aoc verify` scans last K documents and reports violations with exit codes. +* **Console** + + * Sources dashboard shows AOC pass/fail per job, most recent violation codes, and a drill‑down to the offending document. + +> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +--- + +## 4) API surface (ingestion scope) + +### 4.1 Conseiller (Advisories) + +* `POST /ingest/advisory` + + * Body: raw upstream advisory with metadata; server constructs document, not the client. + * Rejections: `ERR_AOC_00x` per table above. +* `GET /advisories/raw/{id}` +* `GET /advisories/raw?cve=CVE-...&purl=pkg:...&tenant=...` +* `GET /advisories/raw/{id}/provenance` +* `POST /aoc/verify?since=ISO8601` returns summary stats and first N violations. + +### 4.2 Excitator (VEX) + +* `POST /ingest/vex` +* `GET /vex/raw/{id}` +* `GET /vex/raw?advisory_id=CVE-...&purl=pkg:...` +* `POST /aoc/verify?since=ISO8601` + +All endpoints require `tenant` scope and appropriate `:write` or `:read`. + +> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +--- + +## 5) Example: end‑to‑end flow + +1. Collector fetches `GHSA-1234` from OSV. +2. Build `advisory_raw` with linkset PURLs. +3. Insert; AOC guard approves. +4. Policy Engine later evaluates SBOM `S-42` under `policy P-7`, reads raw advisory and any VEX raw docs, computes effective findings, and writes to `effective_finding_P-7`. +5. CLI `stella aoc verify --since 24h` returns `0` violations. 
+ +--- + +## 6) Implementation tasks + +Breakdown by component with exact work items. Each section ends with the imposed sentence you requested. + +### 6.1 Conseiller (advisory ingestion, WS + Worker) + +* [ ] Add Mongo JSON schema validation for `advisory_raw`. +* [ ] Implement repository layer with **write interceptors** that reject forbidden fields. +* [ ] Compute `linkset` from upstream using deterministic mappers. +* [ ] Enforce idempotency by unique index on `(source.vendor, upstream.upstream_id, upstream.content_hash, tenant)`. +* [ ] Remove any normalization pipelines; relocate to Policy Engine. +* [ ] Add `POST /ingest/advisory` and `GET /advisories/raw*` endpoints with Authority scope checks. +* [ ] Emit observability metrics and traces. +* [ ] Unit tests: schema violations, idempotency, supersedes chain, forbidden fields. +* [ ] Integration tests: large batch ingest, linkset correctness against golden fixtures. + +**Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +### 6.2 Excitator (VEX ingestion, WS + Worker) + +* [ ] Add Mongo JSON schema validation for `vex_raw`. +* [ ] Implement repository layer guard identical to Conseiller. +* [ ] Deterministic `linkset` extraction for advisory IDs and PURLs. +* [ ] Endpoints `POST /ingest/vex`, `GET /vex/raw*` with scopes. +* [ ] Remove any consensus or folding logic; leave VEX statements as raw. +* [ ] Tests as per Conseiller, with rich fixtures for CycloneDX‑VEX and CSAF. + +**Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +### 6.3 Web API shared library + +* [ ] Define `AOCForbiddenKeys` and export for both services. +* [ ] Provide `AOCWriteGuard` middleware and `AOCError` types. +* [ ] Provide `ProvenanceBuilder` utility. +* [ ] Provide `SignatureVerifier` and `Checksum` helpers. 
+ +**Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +### 6.4 Policy Engine + +* [ ] Block any import/use from ingestion modules by lint rule. +* [ ] Add hard gate on `effective_finding_*` writes that verifies caller identity is Policy Engine. +* [ ] Update readers to pull fields only from `content.raw`, `identifiers`, `linkset`, not any legacy normalized fields. + +**Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +### 6.5 Authority + +* [ ] Introduce scopes: `advisory:write`, `advisory:read`, `vex:write`, `vex:read`, `aoc:verify`. +* [ ] Add `tenant` claim propagation to ingestion services. + +**Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +### 6.6 CLI + +* [ ] `stella sources ingest --dry-run` and `stella aoc verify` commands. +* [ ] Exit codes mapping to `ERR_AOC_00x`. +* [ ] JSON output schema including violation list. + +**Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +### 6.7 Console + +* [ ] Sources dashboard tiles: last run, AOC violations, top error codes. +* [ ] Drill‑down page rendering offending doc with highlight on forbidden keys. +* [ ] “Verify last 24h” action calling the AOC Verifier endpoint. + +**Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +### 6.8 CI/CD + +* [ ] AST linter to forbid writes of banned keys in ingestion modules. +* [ ] Unit test coverage gates for AOC guard code. +* [ ] Pipeline stage that runs `stella aoc verify` against seeded DB snapshots. + +**Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. 
+ +--- + +## 7) Documentation changes (create/update these files) + +1. **`/docs/ingestion/aggregation-only-contract.md`** + + * Add: philosophy, invariants, schemas for `advisory_raw`/`vex_raw`, error codes, linkset definition, examples, idempotency rules, supersedes, API references, migration steps, observability, security. +2. **`/docs/architecture/overview.md`** + + * Update system diagram to show AOC boundary and raw stores; add sequence diagram: fetch → guard → raw insert → policy evaluation. +3. **`/docs/architecture/policy-engine.md`** + + * Clarify ingestion boundary; list inputs consumed from raw; note that any severity/consensus is policy‑time only. +4. **`/docs/ui/console.md`** + + * Add Sources dashboard section: AOC tiles and violation drill‑down. +5. **`/docs/cli/cli-reference.md`** + + * Add `stella aoc verify` and `stella sources ingest --dry-run` usage and exit codes. +6. **`/docs/observability/observability.md`** + + * Document new metrics, traces, logs keys for AOC. +7. **`/docs/security/authority-scopes.md`** + + * Add new scopes and tenancy enforcement for ingestion endpoints. +8. **`/docs/deploy/containers.md`** + + * Note DB validators must be enabled; environment flags for AOC guards; read‑only user for verify endpoint. + +Each file should include a “Compliance checklist” subsection for AOC. + +> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +--- + +## 8) Acceptance criteria + +* DB validators are active and reject writes with forbidden fields. +* AOC runtime guards log and reject violations with correct error codes. +* CI linter prevents shipping code that writes forbidden keys to raw stores. +* Ingestion of known fixture sets results in zero normalized fields outside `content.raw`. +* Policy Engine is the only writer of `effective_finding_*` materializations. 
+* CLI `stella aoc verify` returns success on clean datasets and non‑zero on seeded violations. +* Console shows AOC status and violation drill‑downs. + +--- + +## 9) Risks and mitigations + +* **Collector drift**: new upstream fields tempt developers to normalize. + + * Mitigation: CI linter + guard + schema validators; require RFC to extend linkset. +* **Performance impact**: extra validation on write. + + * Mitigation: guard is O(number of keys) and schema check is bounded; indexes sized appropriately. +* **Migration complexity**: moving legacy normalized fields out. + + * Mitigation: temporary `advisory_view_legacy` for parity; stepwise cutover. +* **Tenant leakage**: missing tenant on write. + + * Mitigation: schema requires `tenant`; middleware injects and asserts. + +--- + +## 10) Test plan + +* **Unit tests** + + * Guard rejects forbidden keys; idempotency; supersedes chain; provenance required. + * Signature verification paths: good, bad, absent. +* **Property tests** + + * Randomized upstream docs never produce forbidden keys at top level. +* **Integration tests** + + * Batch ingest of 50k advisories: throughput, zero violations. + * Mixed VEX sources with contradictory statements remain separate in raw. +* **Contract tests** + + * Policy Engine refuses to run without raw inputs; writes only to `effective_finding_*`. +* **End‑to‑end** + + * Seed SBOM + advisories + VEX; ensure findings are identical pre/post migration. + +--- + +## 11) Developer checklists + +**Definition of Ready** + +* Upstream spec reference attached. +* Linkset mappers defined. +* Example fixtures added. + +**Definition of Done** + +* DB validators deployed and tested. +* Runtime guards enabled. +* CI linter merged and enforced. +* Docs updated (files in section 7). +* Metrics visible on dashboard. +* CLI verify passes. + +--- + +## 12) Glossary + +* **Raw document**: exact upstream content plus provenance, with join hints. 
+* **Linkset**: PURLs/CPEs/IDs extracted to accelerate joins later. +* **Supersedes**: pointer from a newer raw doc to the previous revision of the same upstream doc. +* **Policy‑time**: evaluation phase where merges, consensus, and severity are computed. +* **AOC**: Aggregation‑Only Contract. + +--- + +### Final imposed reminder + +**Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.** diff --git a/EPIC_10.md b/EPIC_10.md new file mode 100644 index 00000000..4f27d104 --- /dev/null +++ b/EPIC_10.md 
@@ -0,0 +1,566 @@ +Fine. Here’s your next brick of “maximum documentation.” Try not to drop it on your foot. + +> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +--- + +# Epic 10: Export Center (JSON, Trivy DB, Mirror bundles) + +**Short name:** `Export Center` +**Primary service:** `exporter` +**Surfaces:** Console (Web UI), CLI, Web API +**Touches:** Conseiller (Feedser), Excitator (Vexer), SBOM Service, Policy Engine, VEX Consensus Lens, Findings Ledger, Authority (authN/Z), Object Storage, Orchestrator, Signing/Attestation, Telemetry + +**AOC ground rule:** Conseiller and Excitator aggregate but never merge. The Export Center serializes evidence and policy results; it does not rewrite or “improve” your data in-flight. + +--- + +## 1) What it is + +The Export Center is the unified system for packaging StellaOps data into portable, verifiable bundles: + +* **Canonical JSON exports** for advisories, VEX, SBOMs, findings, and policy-evaluation snapshots. +* **Trivy DB compatible bundles** so downstream scanners can use Stella’s curated vulnerability knowledge without custom integrations. +* **Mirror bundles** for air‑gapped or disconnected environments containing raw evidence, normalized records, indexes, and policy snapshots, with provenance, signatures, and optional encryption. + +It centralizes format adapters, compliance and provenance, scheduling, versioning, and distribution (download, OCI push, file share). Every export is reproducible by `run_id`, cryptographically signed, and audit‑traceable back to source artifacts. + +--- + +## 2) Why (brief) + +Teams need to move results into other scanners, CI systems, and isolated networks without babysitting ten different scripts. The Export Center gives a single, policy‑aware, verifiable exit point that doesn’t surprise compliance or set your ops team on fire. 
+ +--- + +## 3) How it should work (maximum detail) + +### 3.1 Capabilities + +* **Profiles** + + * `json:raw` canonical JSON lines for advisories, VEX, SBOMs. + * `json:policy` adds policy evaluation results (allow/deny/risk, rationales). + * `trivy:db` Trivy DB‑compatible export (core vulnerability DB). + * `trivy:java-db` optional Java ecosystem DB export if enabled. + * `mirror:full` air‑gap bundle with raw + normalized + indexes + policy + VEX consensus + SBOMs. + * `mirror:delta` incremental bundle based on a previous export manifest. + +* **Scope selectors** + + * By time window, product, ecosystem, package, image digest, repository, tenant, tag. + * Include/exclude SBOMs, advisories, VEX, findings, policy snapshots. + +* **Policy awareness** + + * Optionally bake a **policy snapshot** into the bundle, including the policy version, inputs and decision traces. + * Can export **raw** evidence only (AOC) or **raw + evaluated**. + +* **Provenance & signing** + + * Generate attestation metadata with source URIs, artifact hashes, schema versions, export profile and filters. + * Sign manifests and bundle using configured KMS; support detached and in‑bundle signatures. + +* **Distribution** + + * Download via Console or API (streaming). + * Push to OCI registry as an artifact/image with annotations. + * Write to object storage prefix for batch pickup. + +* **Scheduling & automation** + + * One‑off, cron, and event‑triggered exports (e.g., after a “VEX consensus recompute” run). + * Retention policies and automatic expiry for old bundles. + +* **Observability** + + * Export metrics, throughput, size, downstream pull counts (when pushed to registry with report backs). + +### 3.2 Architecture + +* **exporter (service)** + + * Orchestrates export runs, gathers records from the ledger and indexes, calls format adapters, writes bundles, signs, and publishes distribution tasks. 
+ * Stateless workers pull “export.jobs” from the orchestrator, stream data, and write manifests into object storage. + +* **format adapters** + + * Pluggable adapters: + + * `adapter-json`: canonicalized JSONL writers per record type. + * `adapter-trivy`: translates Stella’s normalized advisory model into Trivy DB format (and Java DB if enabled). + * `adapter-mirror`: constructs a portable filesystem/OCI layout with manifests, indexes, and data subtrees. + +* **manifesting & provenance** + + * `export.json` (export manifest): profile, filters, counts, schema versions, content checksums, start/finish times, inputs list (artifact ids + hashes). + * `provenance.json`: full chain back to source runs and artifacts; linked signatures. + +* **distribution engines** + + * `dist-http` streaming for downloads. + * `dist-oci` layer writer with descriptors and annotations. + * `dist-objstore` for staging to buckets. + +* **security** + + * Tenant scoping, RBAC on export creation and retrieval. + * Optional in‑bundle encryption (age/AES‑GCM) with key wrapping using KMS. + +### 3.3 Data model (selected tables) + +* `export_profiles` + + * `id`, `name`, `kind` (`json|trivy|mirror`), `variant` (`raw|policy|db|java-db|full|delta`), `config_json`, `created_by`, `created_at`. + +* `export_runs` + + * `id`, `profile_id`, `trigger` (`manual|schedule|event|api`), `state`, `filters_json`, `policy_version`, `started_at`, `finished_at`, `artifact_uri`, `size_bytes`, `sig_uri`, `provenance_uri`, `tenant_id`, `error_class`, `error_message`. + +* `export_inputs` + + * Link table between `export_runs` and source artifacts. `export_run_id`, `artifact_id`, `hash`. + +* `export_distributions` + + * `export_run_id`, `type` (`download|oci|objstore`), `target`, `state`, `meta_json`, `created_at`, `updated_at`. 
+ +### 3.4 Canonical file layouts + +**JSON profile output** +Directory layout under export root: + +``` +/export/ + export.json # export manifest + provenance.json # provenance and source artifact chain + signatures/ + export.sig # detached signature for export.json + advisories/ + normalized.jsonl # normalized advisory records + vex/ + normalized.jsonl # normalized VEX records + sboms/ + /sbom.spdx.json # one per subject; SPDX JSON or CycloneDX JSON + findings/ + policy_evaluated.jsonl # if profile=json:policy +``` + +**Trivy DB profile output** +Produced as a compressed artifact: + +``` +/export/ + export.json + provenance.json + trivy/ + db.bundle # Trivy DB compatible archive + java-db.bundle # optional Java DB bundle (if enabled) + signatures/ + trivy-db.sig +``` + +Notes: + +* The adapter keeps an internal mapping of Stella normalized fields to Trivy’s expected fields and namespaces. The mapping is versioned to track upstream schema evolution. + +**Mirror bundle (filesystem layout)** + +``` +/mirror/ + manifest.yaml # high-level bundle manifest (profile, filters, counts) + export.json # same as JSON profile + provenance.json + indexes/ + advisories.index.json # quick lookups (pkg -> advisory ids) + vex.index.json + sbom.index.json + advisories/raw/... + advisories/normalized/... + vex/raw/... + vex/normalized/... + sboms/raw/... + sboms/graph/... + policy/ + snapshot.yaml # full policy set used for evaluation + evaluations.jsonl # decision outputs if requested + consensus/ + vex_consensus.jsonl + signatures/ + manifest.sig + export.sig + README.md +``` + +**Mirror bundle (OCI layout)** +Following standard OCI image artifact layout with annotations (`org.opencontainers.artifact.description`, `com.stella.export.profile`, `com.stella.export.filters`), and manifest lists for large bundles. + +### 3.5 Export workflow + +1. **Plan** + Exporter computes candidates based on filters. For `mirror:delta`, compares with previous manifest to compute changes. + +2. 
**Stream & write** + Records are streamed from the Findings Ledger and stores. Writers are forward‑only, emitting JSONL or adapter‑specific structures, chunked for memory safety. + +3. **Sign & attest** + Once all content hashes are stable, Export Center writes `export.json`, `provenance.json`, and signs using KMS. Optional encryption wraps data layers. + +4. **Distribute** + Depending on profile settings, it exposes a download URL, pushes an OCI artifact, or writes to object storage. Distribution metadata is recorded. + +5. **Audit & retention** + Run, manifest, and signatures are immutable. Retention policy prunes large data folders after N days with manifests retained longer. + +### 3.6 APIs + +``` +POST /export/profiles +GET /export/profiles?kind=&variant= +GET /export/profiles/{id} +PATCH /export/profiles/{id} +DELETE /export/profiles/{id} + +POST /export/runs +GET /export/runs?state=&profile_id=&from=&to=&tenant_id= +GET /export/runs/{run_id} +POST /export/runs/{run_id}/cancel + +GET /export/runs/{run_id}/download # presigned URL or streaming +POST /export/runs/{run_id}/distribute # { "type":"oci|objstore", "target":"..." 
} +GET /export/runs/{run_id}/manifest # export.json +GET /export/runs/{run_id}/provenance +GET /export/runs/{run_id}/signatures + +GET /export/metrics/overview +WS /export/streams/updates +``` + +**Request example (create run):** + +```json +{ + "profile_id": "prof_json_policy", + "filters": { + "time_from": "2025-01-01T00:00:00Z", + "time_to": "2025-01-31T23:59:59Z", + "ecosystems": ["pypi", "npm"], + "include": ["advisories", "vex", "sboms", "findings"] + }, + "distribution": { "type": "download" }, + "policy_version": "pol-v1.8.2" +} +``` + +### 3.7 CLI + +``` +stella export profiles list --kind mirror +stella export profiles create --file profile.yaml +stella export run create --profile prof_json_policy --from 2025-01-01 --to 2025-01-31 --include advisories,vex,sboms --download +stella export run status +stella export run cancel +stella export run get --manifest +stella export run download --out export-jan.tar.zst +stella export distribute --oci ghcr.io/org/stella-export:jan2025 +stella export verify --manifest export.json --sig signatures/export.sig +``` + +Exit codes: `0` ok, `2` bad args, `4` not found, `5` denied, `6` integrity failed, `8` export error. + +### 3.8 RBAC & security + +* Roles: + + * `Export.Viewer`: list runs, download completed bundles. + * `Export.Operator`: create runs, cancel, schedule, distribute. + * `Export.Admin`: manage profiles, set retention, manage signing keys. + +* Tenancy: + + * Every run and artifact scoped by tenant; cross‑tenant export is disallowed. + +* Secrets: + + * KMS references for signing and encryption; never store private keys. + +* PII & redaction: + + * Exporters must not include secrets or credentials. Redaction rules enforced at writer level with schema‑based allowlists. 
+ +### 3.9 Observability + +* Metrics: + + * `export_bytes_total{profile,tenant}` + * `export_records_total{type}` + * `export_duration_ms{profile}` + * `export_failures_total{error_class}` + * `export_distributions_total{type}` + * `export_verify_fail_total` + +* Traces: + + * Spans per export phase: plan, stream, write, sign, distribute; baggage includes `export_run_id`. + +* Logs: + + * Structured JSON with counts, sizes, hashes, and redaction hints. + +### 3.10 Performance targets + +* Stream throughput ≥ 25k records/sec per worker for JSONL writing with compression. +* Trivy bundle generation for 1M advisories ≤ 8 minutes on a standard worker. +* Mirror delta export for 5% change set ≤ 2 minutes. + +### 3.11 Edge cases & behavior + +* **Schema drift**: adapter refuses to emit unknown fields without explicit mapping; run fails with `error_class=schema_mismatch`. +* **Oversized bundles**: automatic sharding by time or content type; mirror OCI uses multi‑manifest indices. +* **Missing policy snapshot**: profile `json:policy` will auto‑pull latest version unless pinned; pinning is recommended for reproducibility. +* **Duplicate evidence**: writers dedupe by artifact hash and advisory id; AOC forbids merging. +* **Air‑gap encryption**: if `encrypt=true`, mirror bundles require recipient public key material; decryption tooling documented. + +--- + +## 4) Implementation plan + +### 4.1 Modules + +* **New service:** `src/StellaOps.ExportCenter` + + * `api/` REST + WS + * `planner/` scope planning, delta computation, sampling + * `adapters/` + + * `json/` canonical writers + * `trivy/` db builders and schema mapping + * `mirror/` fs/OCI builders, sharding, delta logic + * `signing/` KMS clients, attestations + * `dist/` download streaming, OCI push, object storage writer + * `state/` repositories, migrations + * `metrics/`, `audit/`, `security/` + +* **SDK/CLI** + + * `src/StellaOps.Cli` subcommands with streaming download and verification. 
+ +* **Console** + + * `console/apps/export-center/` pages: + + * Overview, Profiles, Runs, Run Detail, Distributions, Settings. + * Components: `ExportPlanPreview`, `ProfileEditor`, `RunDiff`, `VerifyPanel`. + +* **Existing services updates** + + * Findings Ledger: new paginated streaming endpoints for advisories/VEX/SBOM/findings by filters and snapshots. + * Policy Engine: “policy snapshot” exportable endpoint. + * VEX Lens: consensus snapshot endpoint. + +### 4.2 Packaging & deployment + +* Containers: + + * `stella/exporter:` + * `stella/exporter-worker:` (optional separated worker pool) +* Helm: + + * WS replicas, concurrent export limits, default compression (`zstd`), default retention, KMS settings, OCI creds secrets. +* DB migrations: + + * Create `export_*` tables with proper indices (tenant, time, state). + +### 4.3 Rollout + +* Phase 1: JSON (raw, policy) and Mirror (full) as download only. +* Phase 2: Trivy DB adapters, OCI distribution. +* Phase 3: Mirror deltas, encryption, verification tooling, scheduling. + +--- + +## 5) Documentation changes + +Create/update the following docs; each page must end with the imposed rule statement. + +1. `/docs/export-center/overview.md` + Purpose, profiles, supported targets, AOC alignment, security model. + +2. `/docs/export-center/architecture.md` + Service components, adapters, manifests, signing, distribution flows. + +3. `/docs/export-center/profiles.md` + Profile schemas, examples, versioning, compatibility notes. + +4. `/docs/export-center/api.md` + All endpoints with request/response examples and error codes. + +5. `/docs/export-center/cli.md` + Commands with examples, scripts for CI/CD, verification. + +6. `/docs/export-center/mirror-bundles.md` + Filesystem and OCI layouts, delta exports, encryption, air‑gap import guide. + +7. `/docs/export-center/trivy-adapter.md` + Field mapping, supported ecosystems, compatibility and test matrix. + +8. 
`/docs/export-center/provenance-and-signing.md` + Manifest format, attestation details, verification process. + +9. `/docs/operations/export-runbook.md` + Common failures, recovery, tuning, capacity planning. + +10. `/docs/security/export-hardening.md` + RBAC, tenant isolation, secret redaction, encryption keys. + +> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +--- + +## 6) Engineering tasks + +### Backend: exporter + +* [ ] Migrations for `export_profiles`, `export_runs`, `export_inputs`, `export_distributions`. +* [ ] Planner to resolve filters to iterators over advisory/VEX/SBOM/findings datasets with pagination. +* [ ] JSON adapter: canonical JSONL writers with schema normalization and redaction enforcement. +* [ ] Policy snapshot embedder: pull policy version and evaluation outputs when requested. +* [ ] Trivy adapter: implement schema mapping, writer, integrity validation, and compatibility version flag. +* [ ] Mirror adapter: filesystem and OCI writer, sharding, manifest creation, delta computation. +* [ ] Signing/attestation using KMS; detached and embedded options. +* [ ] Distribution engines: download streaming, OCI push, object storage staging. +* [ ] API layer with async export run handling and WebSocket updates. +* [ ] Rate limit and concurrency controls per tenant/profile. +* [ ] Audit logging for all create/cancel/distribute/verify actions. + +### Integrations + +* [ ] Findings Ledger streaming APIs for each content type. +* [ ] Policy Engine endpoint to return deterministic policy snapshot and decision set by run. +* [ ] VEX Lens endpoint to expose consensus snapshot. + +### Console + +* [ ] Profiles CRUD with validation and test preview. +* [ ] Create Run wizard with live count estimates and storage footprint prediction. +* [ ] Runs list + detail page with manifest, provenance, and quick verify. 
+* [ ] Download and distribution actions with progress and logs. +* [ ] Verification panel to check signatures and hashes client‑side. + +### CLI + +* [ ] `stella export` commands as defined; include `verify` that checks signatures and hashes. +* [ ] Auto‑resume of interrupted downloads with range requests. +* [ ] Friendly error messages for schema mismatch and verification failure. + +### Observability + +* [ ] Metrics and traces per §3.9; dashboards for throughput, durations, failures, sizes. +* [ ] Alerts for export failure rate and verify failures. + +### Security & RBAC + +* [ ] Enforce tenant scoping at query level; fuzz tests for leakage. +* [ ] Role matrix checks on each API; Console hides forbidden actions. +* [ ] Encryption test vectors and key rotation procedure. + +### Docs + +* [ ] Author all files in §5 with concrete examples and diagrams. +* [ ] Cross‑link from Orchestrator, Policy Studio, VEX Lens, and SBOM docs to the Export Center pages. +* [ ] Append imposed rule line at the end of each page. + +> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +--- + +## 7) Implementation notes per profile + +### 7.1 JSON: raw + +* **Content:** advisories.normalized, vex.normalized, sboms (SPDX/CycloneDX), optional findings.raw. +* **Normalization:** enforce Stella field casing, timestamps in RFC3339, unicode NFC. +* **Compression:** `.jsonl.zst` per file to allow split/merge. + +### 7.2 JSON: policy + +* **Adds:** `policy_snapshot` and `findings.policy_evaluated.jsonl` with decision, rule_id, rationale, inputs fingerprint. +* **Determinism:** include `policy_version` and `inputs_hash`; replays should match exactly. + +### 7.3 Trivy DB + +* **Mapping:** + + * Package name, ecosystem, version ranges, CVE/CWE/aliases, severity mapping, vendor statements, fixed versions. + * Ensure namespace mapping avoids collisions (e.g., distro vs ecosystem). 
+* **Compatibility:** version flag in manifest; adapter throws if upstream schema version not supported.
+* **Validation:** run post‑build sanity checks (counts, required indexes).
+
+### 7.4 Mirror: full/delta
+
+* **Full:** everything needed to spin up an isolated read‑only Stella mirror with local search.
+* **Delta:** compute changed/added/removed advisory ids, VEX statements, SBOM subjects; update indexes and manifest with `base_export_id`.
+* **Encryption:** if enabled, encrypt data subtrees; leave `manifest.yaml` unencrypted for discoverability unless `strict=true`.
+
+---
+
+## 8) Acceptance criteria
+
+* Operators can create an export with filters, download it, verify signatures, and trace back to source artifacts via provenance.
+* Trivy adapter produces a bundle consumable by Trivy without custom flags (basic validation in CI).
+* Mirror bundle imports successfully in an air‑gapped “mirror‑reader” sample app and serves queries from indexes.
+* Policy‑aware exports include deterministic decisions matching the specified `policy_version`.
+* RBAC prevents a Viewer from creating or canceling exports; tenancy prevents cross‑tenant leakage.
+* Metrics and dashboards show per‑profile throughput and error classes; alerts trigger on failure spikes.
+* Export retries are idempotent and do not duplicate content; hashes stable across re‑runs with identical inputs.
+
+---
+
+## 9) Risks & mitigations
+
+* **Upstream schema changes break Trivy export.**
+ Mitigation: versioned adapter with compatibility gate; integration tests against known fixtures; fail early with clear remediation.
+
+* **Bundle size explosion.**
+ Mitigation: zstd compression, sharding, delta exports, content‑addressed storage reuse for mirror OCI.
+
+* **Data leakage via exports.**
+ Mitigation: strict allowlist schemas, redaction filters, RBAC, tenant scoping tests, encryption for mirror.
+
+* **Non‑deterministic policy outputs.**
+ Mitigation: pin policy version and inputs hash; snapshot embedded rules; deterministic evaluation mode only.
+
+* **Slow downloads/timeouts.**
+ Mitigation: streaming with range support, resumable downloads, CDN integration if needed.
+
+---
+
+## 10) Test plan
+
+* **Unit**
+ Schema normalization; Trivy mapping; mirror delta computation; manifest hashing; signing.
+
+* **Integration**
+ End‑to‑end export with each profile; verify bundles; replay determinism of policy exports; OCI push/pull.
+
+* **Compatibility**
+ Validate Trivy bundle against a matrix of versions; import mirror bundle into a reference reader and run queries.
+
+* **Security**
+ Tenant isolation fuzzing; redaction checks; encryption round‑trip; signature verification with rotated keys.
+
+* **Performance**
+ Large dataset generation; parallel writer stress; OCI multi‑manifest publishing; download resume under packet loss.
+
+* **Chaos**
+ Kill exporter mid‑write; ensure resume or clean failure without partial corrupt bundles.
+
+---
+
+## 11) Philosophy
+
+* **Ports, not prisons.** Exports should free your data to move with integrity and context, not trap it in a proprietary maze.
+* **Reproducible or it didn’t happen.** Every bit derived from known inputs, signed, traceable.
+* **Air‑gap is a first‑class citizen.** Mirror bundles are not an afterthought; they’re how serious orgs actually run.
+
+> Final reminder: **Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.**
diff --git a/EPIC_11.md b/EPIC_11.md new file mode 100644 index 0000000000000000000000000000000000000000..fe3cc19a2369197125507af673c4588ae669e072 GIT binary patch literal 38558 zcmeI5+iqOPm4^FTcLC-mfCKc{Kt{16F|r&xcH($sijFj+Q$*Sh5(K0qN|tPz)R0mv zCGhj)edd8?W_|Vb;;P!+q)B8h13?md@7h)C_^(4%Z~pK9+?gHB=CdcWXS2Q8OkH^~%cp-HBblG4_hTggKWKCCKc9H|Q9RGc2k|phZ5f zLQWsGyYtzXaqn>UP24#M8L}1}u+od*@Og~n&SCrfAg+JY?wvLk`f8R(@w5~mEA%ms z&o5(^l*mzxKvt~uAXa=H^gWADP+OAyF6ct)j6yQ-gEW}sDDE9JzIbNUOv>caj6X={ ztr)ivD?JMh%x72P&qwh;mV~UarAI*vKcgk2u^FFU22EUH24uV0);(-A?8kU?lycoU z^K3hd+3p2*==nkX|2kHL!^5xuXzAzGMx>Gv`TS*_uEi7BHuqT(Jzb1-y?ST1Hv8j3 zqFeC{bYl}p=XIO?Zpi)Xxbi5jX;aMfpmDx7`_I|!u&K1JYqPr{hk4w?(_aQ1tNeGh zq!Le7$%fUK^Ktx(#PFj+s`NO#6t2+;xOtjyls}{M{e~u@uyRuOpdTK-+iV)IM}}C` zT4)RHtOfU<2G_S^9CSR3vB)3$=Sd}?w}X7>DXr{MdxAAyF1SKkppW`{)g=C1)0$|3 z29UycjShSrYZSX!Pl+Rgz0h9XjdjZP9Fr#poHFp^!I|hXR{y8@kiu@ry*^%De7uP#b?SBJs-s%>>{~53XVZ&?3dUI zzuGJF?#0-z}ED)o-^q!9VYtXm+8MR zW8K|&9@_NSvYF%_oAn-aPch2K@^w)2a4{++0UC%jU}&K~_Ai(CJ{CD|mI>-$q3~;b z^1jiMs8(35|1(M{=pWPj2QA|BJR`x+r}1<0rB;zf+Ogx126l_Kh@MJ^amkq@nA4xo zK=~H@fvnskhR6{beH611_3#IBfy0QOtb<-xTUF*4%3n`mMyXPxMHe&g#tO##KITF_ z(!^?B#2=C6tA?Wg6;FU1aIG&N9_xEQC}bY26noOz`qib3=%bx53qK)UqnK1e0amPk zA)BQB;_Qui$@06P5Dx@zkT2Px`6ztv&VDjC0;MjVw9!yUj;h9$r#NRmgyhubvnFfr z?Z#Dj+K&ttx{3Da>BS=JTW=Jk{}Zc`0XYS66ppkdp1l}oi(DQBUL!Ntlh2272QJ7$ zA2t~u#3=dLifiOLM`wJBRmXYomy4auv2*9X7c--a!`bza67lsU$_m-kr+DQ{ zeSGHU%zVtNABGHGH7TX8knNA=W~JEULC^=nt%c;xMDQKfPV2z(K*~E2#qPyVW=7BB zCo;BqaD=tE9@fQd)&lc*@>z>|#vxFSpO6O69L4?D3qALl>|62tyT=j7jO1ZFgA|^` zbz;t^@iSf_!p*~e^>k$AY8m%m2R&KCNTo=nEn~AjaTIpVeRL^`IXW>h(E)1(fJFzPY1W4lEEYRvZDgj!lLtC4ls^c2*0z;u z#zU+$wGOZPCfEc=`3!n^(bh0(qF>~U?<=PxJD+i{;NXrm#X`qnlWk^YeN5IQ<+6kz3ljaiUc@5P`QI{Bd- z0jkjn-lJV1!OS4lKem7@&F?dQ;!C1MWPL7~H@OP>iBBFMz zUBMMnPyFO=@~%x;8?40&%)so(5kE!W@C#-rSMte}>-|OxbLpWKSyQIy&I}z29=19A z=*;?j2Cbz9TH)9H#$4qq5jJdG1gW%jc6nU*R{SzZZW^o!`?1IS4TH}iD0CZ^e zN)&&lBFEO(Vs&Qm4jLlIN9X%NA)j9?=%foE#pe8@S4}OTm)d&FcGx)SWBz>h)1a)f 
zjg%l-GoK}!HE#19>!;kAk7vg$g|VacGF}Yeryd87X1|WnS|+`PubLGU65;FQ+l4^n zcW{nhlVz7xY=w6tu|6kCZZbnlOF@ElO|OBkUee0t#^-G-kkp^@4BX zY4UscVKjC@FNny7&znC{SuWf2?_(aWGFN47YQ_u&`9T}@W4<%WA^A-HE;Sm^8(4z3 zqc^OWdM2|q{lc7(*@>%%%@(op$ALxI-{Zy;KF!J%&(TWOKX1&5tN0Ukj?Bmg(9cii zrJ?JwvPgrZl4kV)O(4#r1-;)k@6S3IA56&*>(?5spff*{Lp_d_`9ytLH2_xkJmTP; zxQc$r_>@Z7T zA7fKvbf!QE z$9|5cL73_vRL@Xm}YGzSpn`-8~BVrUtP`?cb4Ed4k@^w{|zQ zNcf=hT^ZiHF>0gDVfF?$*k<-^kTiG&1$HH;8DHua%O{f&+3+PZ9jHw#zZgGXj=3+l z$i5SDuI}CCpaNU(WA^0*x6F-9cNWjV^Q)Kz&3i9%hs!MjWOt~ZI0{)n9jgpQg2q>J23)Ek?eNds}*uzCHa9n zW8QQm5v}^gJF)J?plX`KAxAXKJckh(K%SlWWOU0_upX_&j4iK&6y$CB84YBU#Vqi;3~O!{9Odn)-@pDCj0M9AC?D;>fao9r^)J<7ez`w3lgo zX3S>u>9nFg&vb^1p(k=c>9J>Q{Ce~DX-+b>N6~s72Z2u;rfCuY~Hz-t-qHA z9tqd*jYN%BaLA{u5%?^wpqCn>y-uqdDEehb5$H{arnf@9Z1fZ)NMyv~@Kkx%W0W{L z;ZAz$au%I72tUMLBkhAGr7^R3FL;{jBk_9 zthCwW$2GHAbj3LK`TIQMPF$h0*HixA|4MWc<(F-mE5t<*pZR!}o*#&;$7BxkS+lmj z(~&5ET+y+;C9Q+?urlsJsWz6mCcB4vH}`scrBg8O*_oMA(dl#4GG&u#V~H0=5=M{I z-w%3>TgWzT3tPzS6-xCXZ3j(48Tq$SkrDPRh**VqeN@FZM%(^nJhc`2ns#BV2C@TU zHDkX7nS9meLHGBXWUb=FTx5w25wXbHsgcd{u_+|azS}BPBnKrvlM665r8o9-;F_K$ z{TH~eE(SA~^&2^mNzWag%G_yBARnldy$fPK)`k|Wh_MqjB1%HJwGO=%q<$yhRX{M}9f-+KP;G>nTFj`u_haPwJ5h;J*Mn9%z(i)bBr0Mr zc(9meWClIR6yZuAoOY&qj;z(O05FyOh54}>kFCi-cPU)52A zM%ICYv3r)7Lr#Z1Xv1=n9WpdR_te}{j8T_a#=%9 z%i4SRwAnM2GW$T8UEmQ|wG{_eWge+jqpQyvFNx_;c&llS6%GS`8Hrt@19+kzf&GJ~ zVDXrr=Qf1f$bgK9j;d_Z4hQRuhpMI${9yj?O8Jt3};TH*+<087mWNBf5mUGe_E}rO{_%(M<;n=r>AElklEe^ zt7k;)F_x~b(GV@CyplWfagZqOSPUaWLk?JF^(QS-9t|BZilzwnQREgT#rQ^+|g{PNV&O*l1eL8`IwYBkcNai&t<| zeQ0qxcLtC+>mo5QCTVb0_e(%zc4EyhsnBkOG;Rm_V5?>-wGX^JM|$=bZJxe^t&H=; z%gJ@xvL#ZXj%NYIfDwx_)}epo4DVViR>E!$zG$A3ydV*L2TaA6*4*>mx;_s@IL0U<6o#SL=;Pu5&AUyBIczouQh8TU+{bgyi$*5oJ3CA0{=2j9h;{(wtD793^a_M`ZZs)c*ks+ zGt<{5n=orM7fBg!G|XfTy%rnjPjeyNJP)Mrl1CwLJQF(IZGZ~s25~&gnS9-BC!F-9 zJ_l4A)BOr!0&-U$gVV{D#N;;H29Ry+$rzyUw?rxg2mC%UL@WCsQ? 
zH}(K6)?6ccfNoh)kiU5%i>pXwm9?;o!ntnv<-9&!X!dNiue6cdao7IUqZkQd?*!%L z1w6YQV-mfO;uAEYk-gd9;(x!5@qIi8U#p((=L1s`bC?V2(Be4j7^hB~d$}g;XF8dt zvC2E!GiJTei72mi&&27>)uzRyI#X)&-4JXFYFMCd|DTwkT*n)(%0$S2dEdi%H#9M?Dh-U_PU zYkO+fVnt9+e8iuWH!(YVQ0)F>K3Lzz8-1jYyV7$p@=(r&%x73`p26iFyLl;>L}M)u z>8^@2X8Nn63o?TPx$f(<-ntUWtwt|38|Zg}k{*0iyOR#k)YCO%=Ez;*CAi`D_3S5b z9Xn?Q`WihA(+ET7hNsB`i3Ul7nsjbZ)m(6_ckHC{BptczTAfrQ(ox6fu-!sm?ACd( z87$AJbP`=wsjK#F;o7qxA~7)%JCZIuy_Dc{+BLh>XtUE(a{5Qlf{l_eqH~@S z^fDr(Mvx5}GIvHNj$Uh0tFr?}kiM>VEV3s)_21jdyuHuUki+PAWY!sfvG4!@!?Bi-UHlpV-~vXY3?b@EI)D zJaIctj3bZzHqr>4b^3U3noW;)r@5wcP#u7PdR$rD^jY+k`QLVnXwcoue>ZYsMx^D9 z(mC1E&n7K=#Mn`kp(|wT_lBTHtLpdo(~prZT19`19MQ`&M_fnuq67F%oj^B%o=>7u z-#Z!auI8L4$1Hftac>DDGA&ce6*2>IIq&vSk}K4T_*>c&wMuV6*59KpS5saY%Tepk zVAFNY%7GPE+jrKMjxgWh=dm;Al~Lwgg9CO+_?f8iI=JS0Qdn8fjX6NkGHPd(=4vj9 zEqy1wcs<>Jsq@{Rw{k!VP+R+m*2nlZ*K=oOyoyy5NvtV*&ZtVO@8H~Gr1h?ShV7Q) zQKPKp4uoNzjD1tvn{uxtvtPGL+lg}}^U;^!b(9FUmRTCibM8{P6B9ilLbf;}4b^K_K+C!$6U|(i*>h(PPw%DA3}iN$k0-h%chIX$w?lte zt9Mu%f6lBg@2=L)D7j^7dmln-^dDJ48`6`JC^CA|C|K=_z8hmbDR(!xMt+R*yoEI-7G+gP zrcf4acMfZ*Yve0ra!4LJJkhqCc`JL6OMgPwj2gdtW~_l4?m$rNJ;K{W0#sge<501bv zcQsj?xe_P(n8Lj&s!%6RvlHf1e_7R|3A4nk1wE5?Kd8WG&8T^f-2rk!B|OI0X?BmU z;3H??8TF}U(>1`fm`|#NbmioNxCq7#}3NPEuaDlvQs@G0BiN< z=~kU{8qsbU-=X4zM#Z(@lW$@7`S+N!LCHAZRC8id*3S4cy$tu3$lv$klYLNd*ACNY zRhg?o*K*DL%SFvhU2FZj6BP0GnS0TB*=#$z^H^go=B~c>*oR&V>89sgnEftl`mK1v zKWBaJlV%~AGwsIS)K9}=v6?<_|G3e0E#_a3eb)2PwHCeRq|(Uweav+|XuZ|w-8cu2 ztLHkO#NchrO3x>`<>xM zeRU#spqpNQ=hG0Y)UM&$BBt3jqxW?o&M<9;mF1t)G1TlUt8mXVDZfPW%I-45!3SQ2 z21Ouc?dZ(GFNCLDXcWA8j3RGFKW{#JGmw|8=4nK>tP+Vq=q*o;xx1XF=&&P35WRQf z`JW%pEWX>>;STfLSEk;|^{W@-h@=epycy%&L-pRD;!01;S-ykzW_;f%S98wf%Z|!+ zaE5%5bjl#lO%yjiNw$`qj?3{g=P!yf`29<8S+e-^g3IrZDR?vdifpfPKO^`m-bIb1 z>2D3)#`^wpn+J)2THnXojv8xvC|&jaq|=`n@hQul&#mtT<)loyLZ@ArGiDioMMAk=BuvvM{&m;4YFJ9f)VHf6sYg6^s|HE z_|kOtKQCn7+m@7$85%V;Crz2>FjmvcuEc&MQj$h$nv};#u^d?g+cCpmi2Qc);lhZ8 
z1k2L#obg1s^Gl(-uU57r=i4C#=-gh=2es^+_Ij-Pv!7FZ=V_{@;s(BvD&8!^hqYyrl#Tgn$xK>C@3XcO>5b5ohkNwHbkXfCmzY)|Tq1=}Phls0C|AxBN{TfhOKb=KdD=YaYmXBha_9I`;U+x2b#_mWU+DW629H7_w(pgUc=T- z-+lgdtk?IP^*<=fK3Q79&6umNZ;CG74Yl8V2Q;Z2*j~bkdRYywg$D4(tl`{Co#GmP zMTSjO2IH1@Ry{$KHtsHuI5}Mb@5Z*#J|5Ux`1P2(b|TV(Mod(qSSPC`dU|zgDV(_h zF|g&5@y$I!wS8>h=G}FT}+wgoY z{6ZVq4qo9~oX`p}lXGSx1&n3|I)|nE%HPmLfAT@=BvZ?rjV>hiMHicEo?2FdV=f0T zW5%hzmQnRr4OMS0FaV!mW}|KP;{ER7ejr-aw|8P3vhh4Y^&~~To#2o?3*JZ!{bq%C zLo(2DC-^isB=g{1QglJBJ@A&D;E?>E>+BV5EV`qd1)^T>M?!6$?Qnc*smDE~j{OkF zmMcE)j1u#SekC-E%#&iC=&`fbI0?;Ig;~&B?Pm0AU`Ks7U5>_1x%y@vI~$+?GxsRe z&pCGL)T#4M&%mUf-3{#LNJKy%@LA{Pv410c z8f+qUb2DT%Vn1U?)a1%$(`uo_*=Sx5|I%A}5B)rR2us6Cku!R;8)f~ay@IG%be3-J{8K}=hAf&(iMoQMA2ZQ$;z2J~MTdx5F7~$z)`zxbule<8jRW?%L z?0=%_y_glgeSRZmN*sVfW+pyq(P+Z>viz-F zYJIX>c$1zw6OjGGJTc8Y8PART zUgk*|t%K7U%7f8)y2Hv^+svFGC3!z)Kqh1%WH$AU5mCX@2;>Ur1{)DwvbJ0PK3cE$ zzLT)ZBN>~SR=zoQJjX5H<*6bAmbn(P@wDyQq&h}Fo^`+)&K~)Z*~z(C?;lF>YT(jI z-^6CFRZ*Dhr{xM6cj|54Yq3*I4)wccC3r2~iLH5>AT>Je*?riuyz3zWqGEbh`Q8+L z@SydWH~Vhn*cDCuKDgGf6S5~y2AM}s8hv|t?}gvB!~3$#6Ns|xTDU{uJB%}DNP3YM zv(iPb?}&+A+&ld@e)x1>89JN(c@XGi2q^x4|REwT22ioGlt;DxefLUk9wRG_Pbh%XsbM|zGcjF ztFmmaul6H$ByJKWFD{ zj2g=tTW>g+Clj!6G7fuuqyDPKfC(ziN@_>^xa(Pd#KK*4YiD&39u;Czhb($)MJPE+oPz z@>rr#->LK&s0Z2U7#7M&>xV07HDl~8bsAZi(f2=DiIVqB>ECQ}v1?nEsnSLIt{UYmO1}QuAEDb60bZo>18}JYX5Q zn}=oC4J^xK40#8cp#9sjf9{P~f<>DB@vT&A#I&h@{x&?mkA+l_qZ*&)SXcmWn#6Om z5*4BNjJD`}(iJAl$ejDrxJvbcCU@H%Iu3t|zw9Mnk2f;lHOrlms;AT%mRGj59eoRW zHLRK6=0W3?JCC-Lc{gN$?qB9P3CGk^DU!?S%=@R z5T%P!tN}{ME|+z@6?g=0)3v7GJnE{iHrW@@hV5~rHM!sO!*AZ3%Ha1gAD%|UuAcZw z=j*3(Hq!K#u1)7V-rzrf{~Nf7Y^D^9`60R_E+8x9z+dY8+cDGXHxjMQ^1VlR-Dz1N zvyJ`WDJ|2CZrTmbZj*aih3kBid(7szM_0#Q2-b_8_j}2w?`D937J%60ZGWp$PGPr z*mKh39!R#V8KNCo(DKf5{~dGUNb-p{oZX}BAT6(J=7naUzc?Q2r_*+mrxlygj69Xx z&K0Njb2HZJ^J)+szocsiQo|d&?1d{@%UWDV0!UeD8NsA}S+`SfHXd4^d4{21qp#1h zKJ8;ozvt7}VdGxyl-JQekt_SHd8W!PWBF>KIh@vMA-V?Ene`6T%v)|9+fJUX=(+OD zEmp&f?8uj=aurYE8mCG66?)s|_w8csy-j2BzEu^ZMoyW>n*Cx+^V#3yn=AM}pZe~4 
zN?`o0IHT3|vd2P~vA}G^cX};r|5i{alJ$KZvLW(I_|6FGo*J^qo-VS=+$Qs>(c`gU z{Bd~~ZIsj9SclwS&$ZHG?H-lzFLuLV&$>>f)Zo`S5PvF8o?8XW9$ zzl5LQnHAW>;dAzVxrXI%9UayC64S!&bx)3aa-gMM0e+&2MkakfXjMCuMT4X6i}zn{=Uw?4ti&+`RGaizZ((2Y!1tdYg`* zOU>Oxk=3KF1^?7G{I-QDMiFVNZsoUQ+zM(+DjBN_k2%GAX)&K?u&`&e!rP8tH=j43 zHH)w+%YDbxgS#qIYQBt_>i2l^du{FoEvxF~Lb4l?ANn>uBii!r2q=WE%zMm$q|i8J z3>kgg9)9i8ra$z1aYaLUBz+F8FzF_~*|$&L{~qsof+jLdEYo^S&%qXIUNQzO6%Esg zp33W5@Pq|`!_00yhK2GO?9i{I2@lg#&5C?Ok6B;7Gwz=qh_iGc{LR_d!qcgndAlnZ zoactfKgA@pmp(uBRrD-&^S=?Ar_g@s4zK5`xgYa#|Gb$mvt)jOb+C$7mt6qz1~O>k z)#>|;{qGS5VTnPaaIN8q$h6kYpgMC6^DyEX5lO$KlZ@=Ne10!EZxN#o6|*acH{T*c zA_r|5X(2~F0lSAD?t8kee^+gFZmbY8zO%9wK0lEU%NMbieh8kD+>re&?{6Aed?zJy zta_()AB9ianT2Ed;-_h*Tqq1K8)raSs7115ikaDn32;cvO9UtkSzY}jJ+mY%(i{V+ z*=g6ZtGYsq#sGEanuXWYH1yobJ~_2pzl)ICCQn)yO?}49jAKokTq=DmR~yLRDVP>c z#P|G$Rb5Ffv6;E2Z`C#D=GpY*oNv_I^tZ32U4RC@ORjbjv!m^As4V|5`{vv3$aq>$ zLtWCW2fQ0suxh=>oSXLrva4mznHdH%_V1KsF6^WF*Q`hHpP9dEaR~j2L1vYlf$yIn zhM+%lri^0CnUuM$8AIvxTId2#Kh5{#3lx=KYbD~jbc?LL_EI-^s&QYs`btBIVSW09 z^!a=6klXSp%`0(+f!^}{pu--r`J3lB$dt@!toRez-;V0&PRI~nqq;$#i7eJJ6@Si?U}~ze@U+0Q zNM!8$nh9agwW^k1K89aTcVv8ydMw`*SL=_QFYcjf3&)NCGvBW8;S?+S5MMkIf)f0bm%!rsfA zB~$Y}WLmNF^Y+e%!UwfST`=}SvRh?VK#fX-#$r90$P93eUFP}lskPuwXnZ`Gi3Jkj zwE&(b!n%(28n%s%@J-IMNK8D-o}xa4C#+iCnh~m?A^Ui})VR9b`ANxV{6_L%Prl7N zcZJ|??9iCw@%%~Xf3=}M7{!b=zDN4cn-=T$Ggg(Q-au0$0MaBnp{ssx3g0FO)Dp&#BML$t(q}ay!7?gxcf>m6mPmdxo@B;R#`$dz=bgUA zINt=JT*Q~OxG|pqldGy`JfFeN5ka!Hr=mzKOAE+>tHnEamj$0+1VH`<(` z=a-%$6?<}MmC|#<`3bC!J`?tnw%yw__u1>EPO1D?ulN1W`Y5vT#5MEC2~RO{jI^vm zc7_f?>BkLW!3q4X=U_AL^}VU&#M#wDc0rK>5z|@A$FR8SxQx46)HGVsGz;RX%21z# zH~cmJXmQ#&{GvC!4pgE#tSqYMV!iPP!YBQ_$JrbcE%)E+ka}d!2^0{+H((+~Rs>0r zA8XQ zauH9Y5f4IY&IqO027N`p1FC;#1&gJl<5d~C??Ap6T%%?5PA zZHS)u2l~JpkP&@FzV}Aw;H0VqO&!EDRC_<3W0giixj_DMkU1-ILmoe#o8==R^7*tG zw9Oead|3~sZ&XzhbZxXQDtZ?~va;!avsrSmvG6tIUsX6XX{%E-C5~!W_H1fjv(7W* zvsk@37Zy$r!W_T%!W(fX>lCz_zv(XNyWeC7epsjXQL4@wAT?x+|D?Sm9Vo$1+^y)b z8-zgyhBD71n`K>@6dYLFa)Z!BtG^fy0?YoHCj1g~PYQIMJnU3?j{aONPpNJLv^ 
zE!5@?h-|8uYt9@58k%O+3e8UA--JQ@9k)x9K Nx3s6;`NQSOV~)1bmG+f_An846@K)3&7m*`At;4vs(=Xk3RG4>FPMH9K}!nW%XC9kK5<_t1EH;(-`%9_1EiX@%ceqe|hrM!}kB<`1jT7Zp^VC zGaSU2d-4C1)wk_4s~oSM#q*ce_hP;M_{==_;`;OW`=@yND6Tw=&rjp}vqsDF_?cPx z8S1?AC}zAL^Kj>Wj6Vu$pk6w@Slw*Y{vpP{i0cnx%=7qvKmNiSv)qsW*Q@Kn(am<} zsL^;F*I&d+`@w}0*^i%D_nWu|l}}h?#0tma1?W459|0D`6$i9_=Nr3Z7c1^icf>S zNAVNX-fz}%9F%<9^a77u`jvG}+G2)w`G9|q^wUjrTchjh3 z*4;)0)`KLl_Nh#tb*pGcSj+xu6Qi}ye~eF?piBBM$4oCm8|dV?jY6KsA#Egaf92@1 zP{!YH-pcGyQPkaznU2E}k;nazPV!speihg6#`@QSlbdbs>%jqjiuIzccS3Vd;`wLo zZmx?}==)Ol?x{rfV)Tm`kFVB>J25)1K_%XX?ZVA&TMO=x;C8GI_P{@P#ixUI_xbJBcVQ>YhQ(cv=dfjD#`9nxo((?TYwPOe%yc{Mya@id!r0^;%+aUuu6Kfl z`|;->R%h0C+gMf=+maVXeiqdPU{QS>hW@L+x$p=5N^0l~zXTn8V^*ceWS3h5E zt^U`^x;r8He~lIH#dta3nf)e@t<^uTJ`1jxaWBT8LF`<+=)K|EYA3h_JJBNc)*}#D z#FJ~i7`kSI*((FktmT{f5N|@1gRB5 zi7ns8HBjm31h28HiWSOJd)kk2pwB_`B`h3SW2IZ6H}td>vip5V=Cc?Fz8Qy(Le}Dz zQYs3LVh*&x75rE3n0LK;YYorewl%o^leJWd_evPja>loS7KAFR8)0m=k)DWHkCkIVqdP2(F9A-KDL)Tg@ zQX6d%ERb@&{xJA^6w=od$X@ZoX9kj87-1WxQ1hBMV44Ch$0;zz0ZL- zBJq=$p&}-Cxo*Vlc{Xz2YxZ8NAvF+yHJCG3S6`XK__AAOmt`>PIj&E%qPc zDQh#eWyNtfMpB^>YZK=;@svK5wG;IAFI>QZ(oXtswQE=+zKw1(>K>kQ!2HaOc9C!5 zzm->Me9T;^c{f2p!#_-P50t z=n^*NXe|vNs`)cNqx#BmS-0fRSv77Za{Dr9JC60OL%M^dp|rMf*&hPP=q`Q-4iQ_P@wSC zQa*`$NSrZbKFmy2tDWN)>-e*2oe+Cj)UD8-YZD!e@T~S-tl8h;8oq-K_t*6n?QR{> z5R^Mwy$(Gh^~3m7h}}Q;Z^0E7Kh9<@h5f-}Ki=9NALy?_FMQ*#8Bt!x`kBkWj;n{^ zr~3`R`zNuu%b`(n1bS5?9Yk`vlBF4>qqpKS=xlrwzBh4@cW5ia_tp>VF6RT?yS_ z4aArI_*t8gf=!DC%=4^CoN%gohQ#MuAqf7i7TRm(s^k62}-DVj)YhWikWCIWvosem2o(;6!pO9 zs^= zG@b48i3T@K>-d9J5q>dt(8zUOL~KC=?7>uQ9I4)EzKY(h^XZyt*#*pOnYF408)+zeP=a+XZjU-zXm&%Smx>G8h9)6(mshjpS9280<$4y zvO}y18-fDp$vz14jDD~e_w|*aKt(eH{Q>z0#4x6TVvd`TZ4F$K=a#kg`a>=r+$RY$(I1M8@?#Cv!oI#Tl$Hfd31lgO1F zDZ4^uP)ZVe$heLM_?hT|6vWTII-!Cp>n5v9itR6N!zyGXBlXxl4L!tH9 z)piFD~9+U92K2E$qxacDtRM)z90Qd6aa9587SpIeBHa zeD=e37w(Qi4rqW5q)&d-?v0tUcYe|CAdj(PrelQ%VTE?t9skQVo;(~Mp<+60*44|5 zh@2f6`xf8>mYFkxD0ZPY(S=a%b~K5nWs4wiW)jPI`F_mW?}6xJR1n#FPu$#Y8IwD{ 
z*PE2gQT5mA*4iT`hI(QE48q5%S8~63H5r(`!fHLjWS6ma5c*7;xzJj5v})YwmE@GH z@FM=r*aP<53W|)`X03L5(>M9Quqg3>j*VIqQ?j3d1%B81Inu*Qy#zc*pqF9&^kCoy z+eI$m3OyqI*WTUdahFaeow`1Y07vM#QHT6woqBOMi;gzBw!>?uhaM=IQ}3xfm6_ab ztfQS{t+!)j?h7Zb^qz+Oj&X@AbP$j_*1Q#~)vh#mryT~a9mLpI!I!-Vt{^jFF%c~z zXyvDgjL3*ARh^QD@EkZaVr1=ReiGxsc4p1^pxmq5LY4*I$P0D_5By~0$-OT$Mz@1~ z(?7*$vSmi0*<54FeRfRX$(_oiO`fcISP_fE8qUJ~FJtAy7^Q~$*mfRg)~!(4$6tQ# z{p8YmzeQs05qsuD38T0|M-V>BgEFgA=Zwn=iSgDLndMd1fRxe)_4-k3Z*pcJtunK4 zRwnzm|ENsCZ!9wVQsQ}LIOq?Gv-fV7m%5*xEXb7A;w6_FXwMK(32R)=MC!bKo`P35-BbW`o=v<-60QL@o+4s|_@mGM!7( zE~ztTc6`w6kU3aS5B4*DL{E?F8QX|f#Dys>`l9wjRKWht4U?Me8xR%oi_F8tHN4b1 zfz|ec4q^$IlG;}jna$pa^9@o)6`b*KX)f{2Ua#oIt_-u~PWdR+JW&D%VmkEVGjNpL zAaUoAiZL#EzF?dIzCaW0qqiz{dq)2qBd0z5OKbX+W;f_##LlTcu7y19bS1@T1HQ}7 zK;Du${#2*4a<>LQde|&rJYN9*WY1Um;X{4Z_VcDkd~mws-A8#ctb4OM?&F}0P8||X z`g5l~J4k6iqxNn$f9ds`&r`3b)XmUx-w=$`%G5IGebBlTe99=66`%V-Wk1*ynK`qN z!7w*iiRb9q#V^?gzD?e~9i!h{eGq@Hu6`LmvsTq-BUgJdr1}&ApR{HkX64AxD*mPM@QA;B8~3%SKb}ezd5E*_N*StnRYa1YZfPuzH~dcL@nZ{Cv&Fvpt0w%1~v=6v*uZ|=QHVX z8QbEABafEn(T`kv2e1wI}7V>#_BNw~p&utBx+@u7$x1Q2ZPIzB>!na0_8VZz;=)>R!8PzDkD-rL?@)?27=|wzV-HCtA@{tES z+dqrHp!SH%;>tAM_LxUx6-~Y$8uylFU)9=aiT59aYyI5QIydW3Ey66zeg~B!xx)RB z6ow-TocU8^R=$J6HmIE$ST#%Nr_C?XI`?JzPnF74-M3zc@7ea#(n}FBY3ew zsOpcZGtkYczbY>(*cG+$IGVT-q)623FMXH&HUJ2`>Ll1^+;(ugW9Wo<)PakxV zO=V9KNmU2ZZXUYocL1O~vpM}3X>Gz1vl6QPOf%u!-7Jk>S^YXVIS9<1;~p~>*htZQ^LAbZFK3O0F?VS_I}=t&(t%Upp!jbD*q2pu8+0;^=4V*K7F^Mmuy8G zb`n>9YyWuZ&dg z1b>-r7NtpH`8KnmYi!aA23oUH#ldAw3S{$f^sOqkpXqA4Tfyb1DsbD0WNjizP}Jnek>i z!tU>bKXykpf!&vbrsb25;up3|uY>&@SWW6QWN@Fe|l_cb4a7|OQkXIIJ+hsf+T7a4J8LYm+y=)26O=T zyp#Qf@&(`EWM1N*yJfsj1Y)^&s+El1oY70`V4aMTC2#dY9P0bcAH>YW|2i>(-QZRD zGH1iwrL1_$3>nQfO&i(w)Z)}+&GG9~|Nd>mA*iED1=EnSEA?4JVrRdj*zcd=Da33v z3$j$aLSoKK)WFXefv2Rz^Spg#9=T5gMLf~(182q4N`E#KL?>dZ_wj1;qg^TOtq#|RXFr(Qo zL^^5}zCL8svO^>$aUHI{)peU)Vfw2WRK#n_uMJI{+2 zm3cus++pEUoBX_4{?cxB>ak?4k9w-Z+72Hi8oI0G3S=&|XJW)6LJ`NIiFaoDd_5(P zJs9Ptx=(Bbm(Z@W7(IGK!pC-F6=v+u9~XL=$*?nngvm(M3Gz2`=Z=UH(HchG>kn8h 
zStMRo5}NK>l^$8A_BG6;vG07d?7THbpL2hCsvV`5?}{TwybRssel#oTN&1Ab2Z{Fk zRIj3Yn&&Qh&0s$~jaMT*vP8HbCpOEsBJg`(z%Do@HowVx{XcK-VO)!`&}^Phq%vnr zo6Ttb^Y9+uv-4aBdVrfH``*Ni@Ua!xg?)e?S#xhrI0F6l<38R7pV*jhw?luQeZy0a z+8{@dC32lHz2a}4mB6x>>m#uWX}Vi(JjtjjvPg}wp}f0JP@)IqJ@pCrM6#UqMuYOZ z6L!nUy`YI5*jpj(JT2NwEAs?>6R!i+@Nj4zYdy~`B)54oMBdCR`s@ZP$<@az-)vY)$!W$b~ZH`2k zvrn9zFZ114)lA@4tkqjoFL`()ju8EchWMSC_}%yf{qW`QoS#fD?MB?1NAH?9 zdrsM_xgC~?XNZYN;BL^6I0U~3A?K|a!x;hI&0~yynYl!c>3wE;FV7cFucuYvL(_X$ z^|U869g`@1xk(gk%50|3_Q00+Lb^Aatnk+C{~g9>&fwNgtdao#+;bs+Osuj?rws0d zM38iOGg$LZ$S2>Zugd@3hEUV-co5pgj=^E5BEtuZ(dmBkMNkZ@xYLjx>MC-O=cUcv zXNliyI>`x%_ROWTiCyw7~*5h03Jio*Tvw>K2=0J6Sf;UfYCck&$=d*LfJEuE?(44xKe&h-j^%J>AQN{H> z4;t_EnWqx{W1K(WnLgIDqlzr63Xy~JIKI;)M>lnub8PhA+Db%3R-~FBZ#ir~p=oMo zk%Rk0U1a(A3`x(kuH}_`J3{A=+Im@`iv@Q=hJI@sD}yQIkW+r`oV^PD!g%couKcewCv+EYg$SDRR6Y&wSjp^X(}T z`29j(#52YqP@Qkn!I$x5kQ1viD)-r>7LAS3AN}v$StV;|xCQ^|93tD7tKWnKtg#Z? z{Pvjaw^4<7%D}a&+k(&aaR~0K^2^gpbDwq`S$_6=ow-Nrie4E-mEQXyMQZXwLE_mo z?)Mo(R@|J3f?D)yyawCIc9o^yKcfvvPako7ruV`=j-vr&Xjd}p0%UCmQGGyX@8L*5 zu81JKPk=vxDAPI?v@CQ4GfF;Cj|{j9UsW^N90+ys9!cVcqVqF=jVpVb(s{w&&Hii$$UI#8}V!_ zTPWo({O$!+o?g`&s8T$;b=Lg!g^X#+;H-a{{m=0?C6tl%bx^_klKgu=uru%DrF<4G z#IiotO)dG^>UZ&kvN%h2MeFaH*BL9(KxyMVz18!`RKAUUuKQI~E5(0V!+Fnb1@G=N zvhu}Jp08~FDgvNaDL~$wo<3;33#3cT@XbVgaVo#s??_=n~+$=C9?o%)jLAA2x5l9&1%~j2zwx$q;QXtwC*KyFCZrtgr02 zRv2U7=)0^w-dDTG-v~(VnBNgFADwuulDol@@3M~ra?UuFH*f!f4o-W_KZz3Fwxuiln_9rkDSLB4R&%*5*R&t0WN>hwnD z71cvST10l}BC0?eotEt5TP2&LP0#0H1NQLI*s?V8^fo!F)qpf4ZD_#n_bDppoadO_ zxAXn3dRxmm``XP+37{fQ^ND2A)*DW4@ z8ri~l+J;EN9wX8E*6i-MGTEuM=dyICy*>Nf*jq}381K7MWEActXQqnhkLx9+b58MG z`V?u;OY=L%Ecl1at!F|Vc^}?A_0N&oi=^}BCu8S!l9qtBi1C-3$Brjn>14WFJm+?# zZA74=YxE#xiZA6!QM`n{5dV(nTpj!UyKZ+!N{Xa>?p0l2Kn7WH znk3um=~*}&UzB|K&JBR_{sP{?;OgOQTjaF%azcR z)L;d zrdgZy&w1-s*2ipE@3e~isO6P6nzi$dF`@+)pOrtpMnz4wRCVU{u=UKDwt|bwnQFHO zYlge}#tu)ULW@0`P1pn99mKa4Z^geL)K>f~fBAm!m7t4nui`nYgWaHso)d3%;foJX zI+>szmgF92aX~dUo;I`#pk+Qkjk)8lkIzrLTe-WJu`y3xfwI-3vJ14#U-_hcgQ9bZ 
z)3LsQ6Q3s%_#I`+VX$b&TJ+K`mRo+2YFn(K1&( zsuP=ul9yv1zp=z`4rDz#c~gCU9Bb#>qte}Xv%FFm>d)q@NP*rW^ygYi$hEwl=OFEV zLK&9k{wYs^L)e1UVQ2icue8i9I_N90t=Q?D^R*LeAW0Ak|KXF_7}1)(1AX*OT&?^+ zXMyrfaF)5aGV^NYE8|$Rz46*KA06-ZIm37dsX!GytntoS@pl|$RGVINw{^UlSf5wv z@J$e^p*cqUwyq#zl9iOHnnsHBz5~iaD{xA@W*)KJeNbu_$TvzcPfcOqP>=h z*w4qOc*nu|QXJ%2Jjtq@o(5LnX*zt*E5?29;F;JVvAOR6ez-s{9$_Y&G6Y5QJVna0 zX#My!+VtL)p40mP*I56o)05sO*Cr3h-6p+o+L`fcZ{dCKx3J}-H|8+04olRFF9#)j zTPQw1=XnJLlk^ zf-2s6CdUNBhEEe7|bY&!ai51t5)CKLxaYE(#0>o2koF37{&g|obtWU z5pvA^T4?uFlIWYc7P3SRdKx&KSL!?h+M(v+4!Hte;@c}lIp4!H_w1=HBRO+k@_Fqz zEh!@x-ww=}IZx~OT_=8%IM{&v!1m0Ypf2Yu-x&9H`f~w{$F9@^Xkqr!pE*ux5G4{N z>TFZ4+*{w(#S9DECjLN|`Ca8*ba{L1sTiKJf={KiB$MAa5A?S!^_Z!)sMoA9$TH<8 zzlX=nqw>b=t%AVTSMFeA<4}0m^zVKV@+e+di`pFT02}&Kqh%x1Xq-&C8I*uatU(_N zTV%dGVewVm^ZYZJk@PV)pZ+ua7Ob~}(_gguKuIB+w6(GzavINUXKc+=W1q)(P|JOf z>}}+z{=5cfaPm4Ce%>SJ;hq^?c7Tc_R&VprhLnbJr8!yu|2UBbRW+t^{9t! zk0 zCa~Qx!*agtX-%b8-IYYpFT%z=Z-!inJLG?GV2o3`=IZrLP&E%SB+~6f99!y{W~9Sw ziGWn1nHNbValQIEaM%*9w6{gI3L{VfmLIf|(ziQvTU-Y<>GN#(V`9!^4-*Arut zJ`jXR0=}8Ua1IiB%LcB5Hlcz}5jHvA`zmN8pQvx$AD;yEmY%y75~*A{&-f(8+o6f9 zlE?Q6lJb;i^`z%o2f@%Tdd=B#m&rE}h`X8H<=UTzB)~WNAbmbrCq#J)o_oDs2|2*) zm8LhfL=C}mN33`kne}MTj6iP8#VfItdGxWr||e`%#puAF=aG8kC%Jn zjJGltPik*ff5Rf#DFidI!TsiKc`696PCrUrR|cEtfHbii?9!T>xsZ#$DI>oHY7-|W z$Q1t)J*_{t`}mXZN0%J*u|ChO=wwvFyU1ekwmGi!I=+2jwu=XN`u|}d+Mi-R{>L8t z^fY{iPs>>kXlA^pliHtLy&jyB3;Fh!{i@oL)$fd5__M#^0WADg?1zY+zEPIC80+%g#)&LF*V{3Q9trXx7m+q13^5(=hHf$y>ooG0{Jn{}UY@4PI--BapsIkS zZul=-w!0nNXEcW5L|N9Q-%|LR_LVE)LttTVU4IN(|0Vv;b7(Pq`OOZ@DE@-)oR#cFm@9w zg4#xa9wT$Toi=msp&}t8F`qcs_s;2#{Bjn}@1X3xj5?S)l5EHdv5zVx8zjs3A(j^B zve*s^h}6g7J4RNdh*a@da~op7S+YFq_v#cCte>?LI7N4oD8}!=VAit9vZubgJg;`J zFOVzcJ9dyWj%DvSf6lIP{S3eP6PD-6a%54zWvTBG=h!|{}MQM8za`fa0SADA-YpUv%xaK!PxS}-;2ud8cQ#QAWy|}luUpuvhvno5j4-#)3 zD?&8HRcur_qc?4RtV+>bu_4ynWnPZU6l3y0aY{G_?zX?J6%#&^zg_MaqsB;PI#!8Ib zYEtVhXOwYIL3TL7$F!(CEg_Q5*SQt4?du@Xu_}Xpe&)zL!JhGWuC^@t{5&Q7j|*lxc^lIVH+#KIComZI_PplaN`IJ-lue~>qu 
z^^ltwA4f_U2f~miWanW?NBNtGuyie)9oR%SBkfu8Dy>X)Jzq&VAS3#y&YRy3k-l5+ zBhQcXznaV9laNB+_e-2NvZS`KE24zoK@0Wi-&Sqx+DRE5_RmnIiaS zVf*A!{JvqkdUa-^&(nR+1B zza4KDZpZk{F0u+|E@E8PA!S=2mGO_J3;$uol%FF-g32@AeA=AIC^?E#JN~ zy1-XPXso98$q$CU41Mv@yR#ojB@FFI@U1mto;G_hn!<_u%5Xsp$-Wb`5Z`#R&z0ns zTsu#3;FX!RFp|&GX?2EOXBVR4Hl9kJnEkP_P6mUQdaz%`Gkkl2?;9nLtUzswgevnI zb-2(Hg{})&$5r^rQ{zwyX6LEe%xxB;9ReIIJS(mFT$et8Wvp(yQ7YyugA=MMn7ix z=#<#h*P`S@KU@86jH>e`JTv+=bXRTApBzlw`6PVXXz$)w$u;wTua8k1z3Bb?yOgh& zWuEBcZ;;5CuAk7$;)<)6#Ivv9>S=}0-R~=7 zU*rjRO#KF#L?9@lH!+_Bc~?Axdh%@RW@5|bhG6~keP@!WNK^sMiL(3*zJS%$g(+UB z2`{bjTEA5WZ(vUr>07DyaSk5GGxkXz_)qpqHh~TCd(q3blwu-RbuarYsPE+E`FkS_ zel?|{VvN}j_9~7}(KYRfyU1G|p?~s8bxT&yjAS(ICV&X+6@XV(C5!{N^oM)xGv9gC zOENpp7uC)5{1b8&)1?kPTCUaJZ>V-FXmQWWtl1r9 z>=Ul_sM-%Bw>7T<-?49O$M-H@#yllUdlpyPXlPi+pU+|}bM|vv*ML;q!)K;=sFs); z??5|5cDoH}BjcV`<>Wp^)W;*~+#zkemQTHPR0oz-uygt$spG8R;C-*HPi)$aPv#=f zG3~r*F~n?p$!{i$^ld22?5&VxjNxPy`TZY!#xg6LOfR0FGadW+g`;>dyhDQ?!K~Jb z+yPtof9w@9hO1RaEn)JwX4z(16nP47xr3Ny1)es^b1?T}l__GNjf-q+L?3!-=6K|8 zDKqO{MjH9BA7Tcv+8C@&ay6ejk525%%&>fD&hd1oA}#cJvvJVMa|Ul_H`c6Bcxf#v zf=G#XL{0efwBgw~;rRO$jT}g2^e^O=5>h94QuWx-HCZkeh}R+U;(r;9{Jz4ycnUi4 zQFm0(Z|{9yga$y0%o(xy+F{p%$;{A?IhxdBpU&B9alTikgs@;%(WjUz>!SHSv3Lj- zWJ<=Wq^|Na;*GmHq7E2{HOXy7#s0LW*)_ijp7R^axf8vXhLv)!$}DY6PS4l&8eo zIsuhdGT(RGinYakdOhy7S#;)W#@R z-eC1Kz&s~Q`qM_p2JmrvWqg7&V>{N!xi-A@MR?p+Xn=b=aWZKu&H{6tN{F*qL_(|% z^rjbqFZ59h-C!4Ax3OS$dJt=hQDi|Ep{3sqwe*(k6fZ>}F$Y@}(R!@H%g`-72i}6v z(`%OudGq9cXpDL2PGQexHQ>IIztoHZd?H^XQwD<_m;S?;QC~OOyr6#8vG|nh z5l30u{U$I4OTiD4_IXyuc0lz9%=k1M-P-?G}# q&a%#yHu&V6N^fuMcYPcbv-=8qnAvIL*fjY%*7Bd_-5Gerr~U&(tPwu| literal 0 HcmV?d00001 
diff --git a/EPIC_13.md b/EPIC_13.md new file mode 100644 index 0000000000000000000000000000000000000000..c833a5c1350d6c889acf4a5ba8c03038da524f7e GIT binary patch literal 36762 zcmeI*+m2jEmLA}|HsA|h8jykXG+?L)LzdO*;}|_aiJ~NSOC-%=tKBm&x+s#8=;3Kt z)M;$LgkQpMX?uP9uf>R+nN_5W_T7LWnYDN9h;?57S`jz1*B_{-&;f zvH7O1n)`Xpwymqr>+`G4cQx{5t!1`P>VKdA&GxK*dR23y;cU73xW<1|pSPQDm!HpS zek*M^KP-2we1G}*Mg4zPPkT00<0+%8{IJG9SZ4aJ?pwvoXd5e{$$V#-OK*-TzdaJuYpK5_!F>e|s(3V1uNI>SuNTY0cW2IQJU$fw&S2ptV8u$J3Tt+2kx3qBZ=`s^r3`OP<)8a?h>pE}k zyYd3dkr~9rwjwi~)KA|mns~lYe_Wr*ipJOgX|ev}x*}@Fi_ISSeX;qkwGPY7T%L-T z9BqET`K;!TELr%Y#k*r$a|}2xJzTHnzp7{HoE49_9J_p4YrBr8wGET!ENOYf^M_=M zGOMt2a!7>Dcro_bqVM}F8Hl`RWmliqjQ@GbboUmUBpW(UMiax)MklfXor~(xtZO97 z7g=F=da#UR5%TB0M~)afd!Tj5pY}%H5GBxw1{BR1NBkF8=rxqJjM!P{!fk0N5-@YH zgVB$RC)bmiF3uZ2si)p6-;+VD#v)j@e-n@B{J4I`x46h6=zxWwevWi5@ULwSww@)7YM zw99Si`{@$Vwx$2RFK>#S|5z)q71|%ULe3Q_oByYEuXPs9KrL{^{rdZ5eeNv8-ptD0 zWL`hFBpbc4S=#)j{_R*`ruGALxgV*pCb9oT(GbgHt&JVm5@mlu1rL|GQP=aHEuU~i zsxlI)+3~QcpS_l^485E64rfZ*7}@goH7k36xk!)p>94hEMVW`i$vL=e`Q(~d#!DYn zX8oe#-<9o}+ECxwuq85E6-l*JBgIb^t8Y2*Idq|LNExn7e0x?DB<2jcy#HD*>#Xl7 zv2LCFNd(Vq?W;u&#_)(Qi(mFh3y?NT8JLD&4o{06uW?VyD63|?tnyW@B0*zWq%<#RIbEIE9gY(A*?@!2xNtD1}C;F5v)IP%li(fLmO%=;31$>&*Bqhy1I_+>bUM)8rF(Trk2kM7v| zPm4tP$diSG1XxCcZ+-7L?X^NIe5)(F*nua=>#Nt6^}%8Z zsir%|y{Kz4D}NSIF0T_~X^D5D6*-dCR};FB$4+ZD5=-2?T9oL{oYtLp3s+rU(S*Z8 zvvll96}F!355@n*PqO(#6;kGyG3`-R0?$h#iSdb!EI`D$cz&{0WnHaNqsq$cGG%VKQv0FWm&BdIdeqGyTrO%6}RCiWM zRqN9)adM?K_bJ#%TcIiRh!&{?-b97SCVGDPTB2`THLq#9m`_nC{2iCn z->$|cV|xCoB8+Y;yUpiFee^XFxkQabm9CqD&XRLsiBId#XZ8OV=l&Da$%~TRk|%;o zy8@Cc2VXi$ddAV%E*)lix9+VmaPsGjQqj`b?@*5W>4IQSmvuzMRPARaL3r%6Y=NDL zy?sUO>0ZRuC5oc((Yee|D%xM!@_$uU>Ymg^L42nh+5XY;H(I(?sQq3czn0A1dg_b% zBL{s}dAXnKxO26HeP3(ppAI#Q6wcER85RA$uyS3R*x_Mh4U zh4N63I;zpB@KHx{Z9BW;S~BM9k!vn))SYi%YbBH=B9jsu4L*lMI)0^E7!`qv_{+K* zoHAF$Bp#fJl5o>fG26FwpA`8}^py%%2F>W!$C~Qvi=Gk_+M-U&#_v^cOJq3S{JCt7 zKC{YfTj|U-noB0lOz4LmhuzDTq>uIo_5X}%j$V63TSQk^O%d!SzD%XElowx1g 
zcSY&#&8_;xCkEnTH;LVz3EodHgZ@~S4ktPLIh18z1!cO?_KD8QdLCBhxmHmGu6ee| zL7ar)#Vd5B)+TdTtV+LYDWB9;b+^^vJARya+;wH<3aY_r<91wiRE!@(*>eTz^FW~d zS`DC+fYV({KCSDzAv~z*U^ibC#bUH4qe)c6+Ea^-)vqnozq`=*s%8p3>sl98^q;IY z_9$k2XiPlBs;pa9SxfFl-AR9VcyiONXa8Z%0kIDsil@F<;)5K)0#t>NCm;H{KD{bk zrKV1tQqSMqe7sow-HPSBZMJ9Gvb#cb40$BB4o#(7oz>K~#^8H5+I?Er)c4H=Pk?mU z>B!2%vh|#H<3XZ9xWG;PiABGxKO^==mNE#7yH`BucE<|IA~>GCx<6-{)1vR&rMvy7 z(#YR0mj7-&sqdH`cJ~m;n++r@4OFl@13dqr=DKx0*ZR4j6+WtCL8^}?gkdfo$M%zp zyN)Ei)YZ6Jug>3sjbyT`n?IfZ`K&bjVg1QWyU1kB@mX=Y-zQQTnpvFA>TKAj*;ifD zANjs?V-GWZrQxaT``v3A`kE`!pB0CP5D{D@evdA3Xm5RgT=!(UwzSidKMUgr|Gob5 zg+z8pM;nf%#_&pZt=GEbv50tUGubI$1MBToBy!1*@dk(c|NB~nm&X(5Xm>fnw;Ras z#aaIRV#)pKsjD2b!fp*IRs@f>t?g#>F+vY37AVd>SXN1mFybyd3w{(=X(PO&%a!hi zcl~j?TpzaCaVfh5!C;MNlLta=x`PAn4Jt?E?@FL|ljc52_QcqB_smGQ<(?;?buvx9 zh4|^WqmySFJIh!d4TrZ3>Td7Jfv*KknP=B-)06&g(d9c^o!Tdhw4p7#H4y7R*Xk;L zdvl53Yz!JWRKHpU0^)HZ7d`da6|_HJ>XMuVY8}lI3F5=A{Fy8y_L{e`KUvD0y@u`v zY2{qajk4_Qbc$3j%Ocx*SseWZVf6Tp+`+ZGR{3F#ADN#768~_>UZ4@4zyiA$k;r`r z4Z*~uBLB<4IV*u@RGE3y!E1XyEskGQq!_lq&aE_8i0Z+4CROW*3Byi~i`FM~$LKkO z55GyRy4#6CKWPWQ#OFse?{fpj?AHUjIAqj#=5#rka;IY9Nqzcr)ysdVzR{;u<6PhT zw(2F6qwm$Z2H}Z&b^oOP-^IhD`*K=OA1}!HPs9)n#`G}c}OEl z7P*TiyBB6Y*=Iy*PsSH>XGVkZ`GE#$(YZajKY1&$Dqes>(VK-t&!I|{$zRO>hstlC zE}uH89rmfUv~?8mX?3&MUA9^*WY=roM)IO=&p0F=S`xRc(-HS&Sp;9_HR;WNTmKJa zHT-hKNd1b&7;i(-;AhaIKGVrTOX~IAz4%=^MwbEYytU6NvMzp^U0XVpDR;fne&!F$ zifHcGIoEpc*Hd?DuD3hs(lgM}^`%~81Zaq|YF3G~Vd5N;JoNPiyYK zTqSgO(Hc5*>-pGe@h%7P2iXv}LW zy{#E!rrV1*rH2^a-`TErj^L@@o05}bo!KoAWyO+IEy33Fsk@WnDKRNM!jpx|K7C?+ zS7uyuSe6g>#)+CKDVNExH)bDq3e3hSWN~%YD#J-}`8>Ir1K-aE$-5u6$fi z>B7qzIsFgYv0bwDcP+_Vb!}94ETEC_kXkx^{ljc#6tj1RqWki6eI7j`Y?(KFsZWq;}jk-`pG-~TZayVLi zTkIv>bS}}oyQ`gdWniFqZ|bX{NLol_mh;Gg{`J+>@$ei?HnQr>oj8_#s(2_#&pTA> zC`m>rOWvQ~>fq&c@Vqj`gZlT`k_VvXUej~BYdIxgOb}L|nCLjvzSTKRy!=D08;g>U z4n@olYBsUzXc;Fj^2TI=wvxmOJV&c@jWr?%IdwNlY{E;fKt`y@et5@E6y;QxC*za+ zJgcSFTT5|9@FKkE;aSqNQcyjcOUI7&jHo(e)1xIfuDkOy4P9wwX6QVYBRcX89VoV8 
z{m>|0&UMPqYvtqOWxQ|J))(v;tA*0K2AOM>4;BvcW?IKpE515V=Lfg334QMw_gyW! z@%~MAD6iGiXueimHP46>u{hUBJ(Az|wBwqaBdN08l?C8)Ae&?jqqBZBhM4@LX4`c14I!Rz7ExwH2N& zQcIi^t5OYiKjC!ARH+$Bn6}N=-kP55-0_wh@~&JwgPwCz*t0&-R@>R&GC7fNsXw1C zBVH|4kaY(=vqg}IIlHT$jy}T*A;Q2xr}L^J z$00p;gs#j;~hD>;%C;F-M zP1e?=`*gK<6mj?kmI!2ldG%o!hs?dCpnoUDvBc{~BLjEs3+Q zywPg66y9aSsAQeIaro`EJ(_>Jcja0=pY8~0uDRHaa=)nAuh;0#T2RnHFFALRNca8g zZqA3x?BkS|jGJ9=x=BO|-rSaL!)=fZEwk!a66~rv5&OGyIyBF!8-uDU`?IXpop&b^ z_zk=Gn;P@GIxGJBs-=9sTeZq@@s*6Q#-6c7E1WD=fL}gp9W_q(7|jDk%GROTnU;lVyZPH>_>-O*5P z9eK}bw6B+EU1?kxst2Wa7CsxXqbeQm&r`;BWH$B)vLLA(A}-cQ$+ zf{~r#`+m`^`ge3aP%>ABvo`RW9;aBUE)!oavkZM42q)c*5gXE(q}5S*(MaQNpJBV4 zJdOpDd+ag!6BoKDogrAXo(GE4=e=IDw5CZV@(q$QySqaVxQlc}7S_U3NA68rIs9(7 z*}KE`^;yL;aKA=!ru1uQytx3(4Dy}!E^pV*DfzpPn5DGpUyDx7fV zXLHiI2!(_-4cNY?0l}A&nX(zkXbLxL2QcPYL5X*e$D{)|gn2%ps3^ zZ_T*`J}TR#Z_vmjqxH`HCTl>!zo<1oV-YaajFC$s`{bfwYqIG@M=TpQS^NL97+pk|&xa_)X zH1U^&5+8R@#I9?|NG^Fu{mWlo)Vx2u*8YBWLqR$btZnX3iBe>m5uqYcYL|m`E!uXF ziY7gGHr+L)`9?*VYA$Q%dlL@7&z$~ycX6dqP7o3k1-I*hqd_Nbo6s*zDiAv72vkhAADmgux{XKa0 z%kspumia8{L|>Ai7c_{Yy_)%Z@2z8Os*kl+yDIItWVW0HB9G=Hl&5P+o_!j><81dr z=VveHclXW7?hT1;bEO);fMc9nc$iB*zEq{`kqZ#N4lJGO?#8o-S?1L{JB_EHz zTvxN=7M-NW!TQAKoJqO0JRH)?>|Kj-abtPNW_|yS}3y{0)gNt7Ua7Pi&0RRN~zD!39nR1S9&68>lCF`?mxyx>c zJw)<{*0L8XYd2b-dqH%jeq)U+!nYfIUb0E%V4sPG(Pz%eq_5r@eP_Eyz+|QxY+HyO zt@o_1Rc9Wzw12zSz@a^1_1t(;ByevaWYnHcHOQUwwcsmyqAfUaAaZuXGU7ACPKTEs zl33Gjy+ic7-?7w+Z5wMzTwlf*IiJfr^alOU>r6D9lB$cJMzhHfZ5Q3`{dv`--mtk_ zqu37~oe-KkqW#Qi$t&NfwmzHXzOK_zNxZW;IrVk-=95tuos*x(U#sU2owuFG{8QOl zv>dxqHCSl6q*#ch8Lx*qR1%(Kk0u&Q40waSrWbZ4!LpJFlMLSoa8 zeLAsSKN2mYxA0@qd9VUcS^VYsQwK$gA%@5Wxo%WD3Naep?#e>gUMcSmiI#8z|?)&krPSt zy@xy}wPWM@#BeqkgvGO%APPW_SNaj{Uf1S!dGY8aZ|fg8_nU<>KbFRvE2CmpsRNCM z8{k~{lWolC1>fr(hKoB+kW(r{(#^Sq=HcR}=wi1|HMBcFxAuqAqSv#jV0#xAGW&0J zXFXOYgN?r`Z-+C|-*k2O?T1AL>1{XvqvkkFK|GL#``pDiT^A(Qr&7oBR_uME?29^= zk-gmX)jc_P6!&Y2#^1x^SOd>SQNAre9iakVBL#cXVsr54IL$V{PaO(rS_Fgi_1JIh z<&%r-gUm-b+MJB@)zF)ke`O19`d<%gPSJ?0{2R>cQ$Lr{BJ#Wo0tMt8 
zCjU5ulvx;gAF4@4gv&QHUM>TEFisR)J-FJwT<$FVc$VMr>S!$dxVnBv1RwCEzNGW3 z=?Bn9GI+mjWgLrJS81-2nmh9NTot$%9%#UP;{B_0>t(+~9`Dy@o^qK@z@zf)jNEsv zBHTx#;dnpp$4U}c{40au0KIb^5zf*#%eZ`JLr#FkX5p2@b5G~ot4}%G>JuvssArPKYnFt{@lBFg@9*!*05TgmA+dhHzlt`x?(8ylK*dAWD_?cg$K{NJJRKA_a!beG z?1jwxsqrGuq+26)bYE>oV8b4M@fK2ujk8_*WT{eO>%KK1JJtSAUwYqD?iCgMe|+!j z#WRW`WI-zSbeq@UiuwJ?!NV^P@W4;zKDx>`aV+1qkf=&F`}E#iXb^9C;@n9m*+#js zutXoaADw8U4t2!CHQr>>JTEJ*zwsztjP8gJE`N1^OI=@ilEgattats?wQMw+Y8#9v z?Q?!(8H)mvf$?HXC{_>T=Wvj36Lc-70Z|}Jc|t5e+33iLd9m^2NOshgx$C)u=U*S- znWc@stLV^`g}#h6h@#eF<6%T^Q@Y1^!cy!0raRN-uf|mI= zRP65;&HF-hH!7<}se_}SiQOtjZvM>y$;7_8E|A;zzq@{4CWm`|bB`3a>GIDfK4~vn zUH3zW{*%F5%cI|z?rc0~w-?&@=D2KD^+}&_S0acf?fvCFJcykZ675K7V4r{a?HR0) z*5HWYQHLtNUo99^)bqqZW+SSQu#Vxg*Z8x$7`JM?sxR0tCyn4tz9S;^IhBE2)!>JE zY{7CoBKT*n2$N@XFW6<^&qgw8ZxsWaKC%X%P@e=BjXJB>5iR0hkrC=XshRfs442cu zK0UMUu+A0S^@Wl|cbVldroDWXaMN?(bx?hI7Xy#b!RRse&YJ!cpUpY_eA6{t#MhFi zj*72*tC(yuPCTy9JEu22Q*=`6tx;^yYy4H@jO^p*^q&YuC!$7lG)Kd9^>bZxiQSQz z2yLFs5Uet+zOD6oMGICOjdwkVs$p$wOYJyBzkQbHXs50xAE;bL%kTOj>$#T3TWWOK z3)N~xksmEXhw?9+l2O)sQloe23tpDX*Ze|Qz2AxgJ9FK^4h5__%*P0_J9*tF` z%&fB~`s?O221tFT%h$DlQ8{^#o^+6@=V3T8f;K`MY|x(EyPfQ%XSeUS#_NqHMD-ix zb=}i$4Bs)ZJ#ECA(WOQSZ{;`SGQP)=G%h;rL0e7Bpz0#4lxamU)*(9b;&n~Ix<-W= zsj+g=duZ-XdGSo|K1LlD(bQSHacyiW@nvA_fv<)h4&jJjFE~OBi%xjbK>1<|tD58M z{0+0~Hy>#1AL{RaslW3HaZK3L5#zSnL>iX8)tP5$j@o_z_P-x5t{>yVYqeOdCk zwrJ(h_ioX3zQx)6{DOy!GXVYV4&A#_B{#;(vx&x#M_=F9+DWay&S&^z?=!|~zI5-q z3Si4D$GMM0*u^d0f}g7>w#0-tu5pg(E%)#0oO8r!+3Jsb`|(Zv-?2LC#y2_1gXn^t;+Kb_(P>Fz_|Lj} z8z*Jf74wi>ENbpX^ZG<}nTQSbs&lMX4>XpA$%3vg(&_EuV*fWR%G!;A>EO-y)uGkNNj+f~EdSTaCl zGw{sylFt9@UMyQ3@?HB7j^>{CMH07u+jnBSthtUo{32(t+tO02_pY7$c~5kpQZZ1* z=nNsF>C^1XUR6D6U>u3rY$kDZx7!~oWh7aBcr<+_C*$paZ4?y2qT|Mv_1!5Vophn>=DpTFt(hdi>M_Vqzq zUY{N!n_#(gZ_MrIw&8fqs7m0g)Vk!fA9L5zOlH2gR+>?;`OJv+?s%n^MHBvG=l`pI zliZxc#Tei1dS&a$c=6~9xvQfZ-Sfq^g4hfBw6+a(KCWSmIHtvy6aN{l^YBOmm;0k`Yg zUn-}zcJVEmH|KMf-L?6S(_+y(TQugof^$MGXYj{4do~n%A!||>ue!HFz9cUK#ui!i 
z{ragR=DL=d@k{JG@>|zfY~LG>v*(G{b^~)BYUHPNkCxQCU+8n**;?0FEwfn6#lQ1~ zeAZQR{9i82{)x4Xg7RiN@g7|FO5YxVp!aUgG-En7i5kuP$rj!DCynu5&u(vNmh*bw zbwq?+#GE=s>@auhZ6NTVhdFDmJ)dR7`{E~Lv@5~k-MGECaJB!Ab~JapsqR{n%(VS6+Lr#!y8}emyfe}xDja+ry@;bN3Gcrm^{V_)HMg~;cxD+ zhbI)zn5g?za&*7dgR;anTA)eXH-GU(yL$UQES<+)%yD^~d#~P>%^MvmVG)Ghb5_I( zDv9J@?>5fy?GWbAsl49hkVV)nv?kvq&n6!CJFG4DmSa~YuIFTQM|9t(!RzPW92#tz z4E00N9*iri^1uH55j>RdBnpgr!l^o#H2KJ={@vl7SCT)2Jw<|{`^FwPMibsTqpLq7 zO)HvX;EA_ChlL)J3`&U2#OlT1wuUjHJ5lp$<2SSpuEkWlTjme)%-IoL03OAD2A}K7 zAGi9jP%YiIcZ=5J^jKHfIFGhz=uNe>3bDCbOLUfCpQ_rIqew9NJ~IcA;E0Ih`xW~4 z8C$zMuUEE-4C%NY#@AUxw8V3qP82U;H#6%yj&*sY69>-=<&FG5$NXL~eaLjs z=UxZy`&8ySe|H>sb36?_(A+vB?Z&^zDHT1A$o{nc?|A#$;+5x$5T}b*;FxTTjEC@j z^6`Dew4T0Qs-=0CAl(ODF8AK_F5P?eZk*VAchN-K=&QCl(QIFFR8>{8x^$7b5QRY3s5Y zlFt56ccvgT)P7j2h$1o{Db8>4<8-bgJ4$p6Zhr674E$pKZVAg?_cu|q-=BlxI&<*^ zG8ku5*4C?oMlR`V%x4E+!+6)oDyb<^1?e_Hd$ za@yi|zu|@?hGzJ$xU$xZ?7?z#UMDl9JD!XYn;B=}FYYtzx z-nL$A^Q2~&dwj_egX;Lu;P^(ZbO;T0mN}}G_j62afmKDLIRlHL>=duF^1ACc?>Lxy zR2Ja`!aGzC=iMYHx_Ndmgu2nUo6M+?CO@hX>s_b#Tky6!t?@(lY;3<_Boc@REE3l_ zzsh!!KOnR2C#>;9zx4vO(ra>1a%fIBtTlJ1=2TsS6{Cl ztxi_Q`sqdc{A~4HSDxt8U#$Lo^=bS0cy&ehudVLuIqp2t-|uwgjy~OQBe~9}d%FH% zyYjHj`Ak=z>*=*V{ZW6P>;6+c$9mtk(Of%TowivY>**Kmlkc+9$@y%o_@YtwOg}w6 zn{VBy;om2^3iVG#6ZBqf>m9FtvOaAiP0_u^EwuhrSMTfTd#g)pXt<+KtYJD&H6xT> zX>vdoztO$F)1Par$6Dv9Xg+S-KNlxR@WXa@z4}V`p0B>q(@!N`Xnv@}sTA#nwEc|pww4CaR_3Cb0>5f)>rfZM%30;*QUWzVD zpR0_5GIYDv&kr>Rd@*KerjpA$EB+uM{=TK>_qF09$#uPYclANDhh5DD2k>p{xwQUR zwB8fv zjic;O&sUzWyIx(^NOS(hYG?J|S8q3~`%3iQ)oh3Q|GDf9S>Xd~(SA$zg=OB7G|(Cz zg+!mM9_SMq=k867yVvxG)}Lz?y!Uy#ccf2P)p~WHwV$*xzO$!ip6DJkd!D`3b*+bN zE!S@~$JZKfdP=4{=X~tw$xT}apZOnJ!QP7vK9aTEZ*#xY^W2BlPgWo6-_tXCktK3D z(8`Br@^~s~{6SCOJF`9Waz`9vktZ4fY9L4EL))kNllymd$KHkgAhFZ-9Fo7U&sfQc z#y>c_Zk}@uneON*w2C&64mJh$@Dm8h=$E<^IUVWqw`cs6{v+LEjXcpGW`omD^%FLZ ze?33rcz^XuxJ@nlIlXq#1z^{=Bu#UK3SNwat`ytn}KPNm)7%76a3#e}2gGk6r9WTdx6J=eU2 z%;2eY!!=}rXW$j)39NeFbV{VbJHKvMcmn%0DjUq=nujgv+-ecg7zF0PV_%s7?j4cV(%>GU&pC>_^ZQ 
zB;M6kG>&~i^<#a0te?;{Yxyc8$Gia_4k|M4(du8@8kURi+Kz0E_84@bl zJHj#g(i#-GwC4VO*G|eNGeFxp+P4V2RUX9=6SmY&G``_znte6}K zAHxs6*1yQ!THlpiuj_usK+pXqHRGUjA!f$fu}!i}?7|iu4UhRlGzg}`H7lD-dk8*s zqN|T|eU#Rc6~5GStOys++9*ej6J0^x&O;N^tdq53h)2N(GJ})Si{(r-XRZgjOT=&n z-FtwopVg7U{l@zpX%o#^-o#7LmR$BxTPGIsQruxBXb)N$aqmpF&gm;MGp00anlFyj z{c1gDm)6MRxYwhXyW2B?=R5zcmZpb#*&0oF~H*ZgDV4hW$pTr_= zNJgL-nMq`VRT;hU+~oU68R?BUO61;XZ8*lp?+7ja)cEb=#`o>2z2@%fdyN2J3(Z)a zx&}NU#>AUFJCZ$?{h(E6UmN}G>;??YHDi0_gSk#zBtLu7J^50fJRg)q`gk4I>73uV z1#isBcx%s8Zp3G==kJA#e-al^AKQo1(J%LO*ICLdjZV#mJvg#E4n#ZqXHgoIadzwo zT$$%jb>|P7^X@`+$h~mpN)*Hb4JToM!!d`s2*(g~qwEa)eGM zHOl*-Nz%AFMs8=~fMDbxa0|+Tt*%ZhH`qI?c8+w%HOs9=Gc|Fq zJ1qZh!+T<*W71XO7GCp2)hG7&j@H5oO#2d#$*WAKt1IU;_IV)iP-kK*eBh9 zWQ#!u)+W184}f2)5hdveS* zreSgBF4_E1(-X3A)mhn`xlInWk!`z1zA2gGwcux;#erH=9Ea9$e^<|gmDu-#hJ?)h zpa08BfBMQFFTLC(32!|o=-Ks#YxB2ThPT%9{CVSSrd!P>f<;JndA9$mJE>u?U{eK6 zneop=S3mP%Ti-Q-=S5T0=tfI>3p{fj-4LBFn(-g?%w0WYA9d~SYER}?U6SD(W8ge_NG=w&hO$iAhu-fJjJJx?ZuhZ3d9 z$?XGJKH0-q4OD(gOd|s!JHhkF;e@km^2E^NT9rA``d_XSZ>{0@9=ZnuzH8P>FVx)_ zd%V5hUFRO*lYOM_v1DJIMHG4u&Rnxr-~C7(PA*hA&Daw#-Xdds92tQ<yzsf%Y%R6$I=1~zB~7k^1Z4!h?+c4=0FC7AChTf-|lKAVs6W%pcZM7 z-8249tA%0>Ak&SrYv2YQy^L@M0!MvZ4OeA-WG_g9*>V&>0V9Uc05jW~NPU6hoGln0ub zT8ymU8tHkS$H|SJ1aDKB5)1C0e=@e`9`(YD^LvgS*_)v{D=BUik&z2kB)P$*HIaZ% zu7&4T3I;L*R+*~(RFvQkA2wd_!ca0k=W3Iu$Uv#&tv_h8l_N)@p6P-L=)jJ%&(~u< zy+jZtIuQdu>WmEU9#`Dx3Y`?9lcU_*O){C;=#HkK&&Y+O@MXrtr+Vsw zK$(NlRecxdL{jDn*JMH?4Z7(=dXm4<6*TxS`oHgWyxDS_Hyd48Ggj?u zSLAV5R=?L6D(#|TtjwVWiA-w|OJ%N?aWs40)(q?Z5ZW_-_l(LnWrN7&56Yz8T%h)` zBFLQ!X~ZHeS8OWTG;+pAPjn^vv5h{H?SI=a7ajUuzbjFavXxvcA8f+BgB9)o)rw%E zqd-NFi}uo3+v~H3OD;u5;mV6hOC-u3QJ&pMI@a&#gRk$f{fm(KPi+-C_|?IBA&dEa zql3B%Ywq)?_3A&pxt{cWz})E3eqt1^?2FIUg9?st6)nALRt%nC+pI=E-?OH6@@IAk zi06)iJdvE43Wm>>Eqess>)gQijey^@XVHzT7w;A#@!J3W{#*t|`@5Rmydx8+Wj(T0 zq{q)MMK@mPecfn3pN)p0*_mYS`4j@4z*;=R{O(8=9igw+)mpglYdz0QK?}N!{pV|% z>w96x&O}S|Zls^I_RF%cH7W&n0gYi}cKG^8@zy}mjy}DkjNmfqB+W^K^oc9$aojg5IXZF1B$?Y~X@eSoSWfK+ 
z)-oalrsr@H*@#vdG1kb@dakZf0HqAz4zk}8}eb@%&Hq^SVpx-lEAe#@xf*``a2t23va!q#6IFOAliSwys)!~hp>MDUfOe!nmym_vAlGxbG7Q0~%qV0Gm zm3A*Rc3P1ywz1YZtpBDzRf8hAJ<(C|AQJ4QMNaL?%e4YhK~tu~^kI`!a>Q-m`#9DYBrObTv%ue)w>WsdQG_9Oe3XLNkyF&5#sI{<_{ea#gdwn4dGV|hKL@T70 zvxP)E?h^fN5kx5GDXzLVv(>WOg@x{(@nr7=iPE>M6C1?Z%96+28Y=r!da<8g%gc6< zE{Jut8RT)QNcsC_?XkWo@M4;M>rC;Hb z3Vj}KABX1fV0(8RjUR-Hs`krvsxF9~5{=LrBddSYqhF22--Dn1IH<>KIAwu#j(NDF zjnNhlb)UKTh@8kBh~HS3=K*hQ0oL#b=Mt&?4A<+nA39ikUalpvQ1+)k*55t-w7mP4 zO3hh5Qi&EFx8d)y#$Hh#aHVC*Z>+%|_an#L0+d3w70rDP(*EO)HeDcW`&7NyoQ(Kc z$EPLc{GL^iGu0S-hMaDT6~q>ElG7cC_}*u$FB{JzCSMV4g~5)oWHG^<(JQ%%bSpPQ z7VuJ$!+`f&LH63gAWooK`#(RI3jH%@k>S2*au;yi z*~OaSDx-*m?%dLcITcs%zzK`;fK9_XPRx-d{7*BTG74-Cc;ROd8 zOMmsc?xSO3`l0^s_Z4`~IL(m9fa9%%NXh8oxP3Awue z2v_^s#{*A%=RkGXSGvk4_TjGU=R^I!C*M0zUUanjole$8lY6?huhFc5<=@ov*Yxb~ z^r_Z>Ypkp|xv4e#Cz$U`t#eJ+KhvGdgO)6{b*s+DzT$1oOO}Py@zcwzztt5q?2LQ~ z8~(Q89VpG|$+z{V_#vZP>l`&Pj2Q7nUS=Y z-DVZ+z#eFC<(fVrA+!RGH=9<`@b#vTBV9oUUp8H$1?c)pBaZZj3fb~ijoefJ{ohBv zw#`@$o=R=8d9A*Tpe*X>w|*ZXR{J1e~kV7 zwR$cfX4w(BlKF!>urHSch{W_0vUJOtHvQ=v!YWMgBUGxBX*U9bL0-sh|pe+BVhoJAM%8)9nC zMJ0X~&K6E)uNJDf@4V4iPrj0KQp7*vaplg1zQqk`913DRVw&t@b-n&RmR z7_S8#kw8+`AF;VZU^=G3)T2zcZ0p)`x+BNjgBb=*>>1kPbBGx+hCC4BN-_U0&c^df)Dz zv){bg)C|^RY$oSDh<2<>O>`hm^KMev5M5a82)hFt$&2t5cVqItgfj!% z4IZ4#%Jvp}NA}BSj>(<#W*+0WiF+IM#{`68m&ORMl<~;Q0V6I5x zcSS94j+JE`$^tm=#_k2xe{wX?3k&5PGR|~Qb3X1)(aV?^OTn_p7F`87K4F8AIW^A3 zC$*OK{tK-e6wYZu_knV9z!g=ZX)x!eICMM&w`{l0W&EDwl2639sRbCD{UzcpD2L48 z5Xq0bAlFX8bwO z9EI$za^VXSlL8%BDccJ<&y1^K~b|B4PU>vScks>Cryw6c^b<&Tn~K z^a6E0H8NJHbdy0=@A^e&UZs~U`Fu{>Q7w8m4ILW&#%B}n97TAB+$%A8*?NDe`&25> z?^8JGb5a2i7v{YUSF_B_N=TjVCwN0Pku#jw`?ZEaoCqph9#{sw)V z7&<mRuw_o)p^E$OXB;ma&XtE_a%lGxsQu;e|Qjo{H ztDnj9@LFRYZ$&ziCMSxVdkfr%N1_Ac$RwOSf>*(GdcC$oERwmZn~99*M#pD*FML-! 
zigdm6G@~D!Ke^vBQ@^>&{A1tL^DZI0d-%PFL2Kc$DL4N4EXfq>>v_i$KI1vwmG)T{ z#(+}z1owOC-xf#Y4|&(Cyy&)M=ALVEq4>`&Jx{0I^?2&(o{MRf-%Gjga3;1JC7=@A zH%^b%M*iQgKt)iqUTIqGrOs)%^7zzRa0>sdkl!s&G8FSUmsdy5Zx%r>vHH9==$G}23@iZ>8vTy-r!(aRB(0ymi> zPfvH19hJ$P*oSasgssa09vW3|YGoh{!r(1vAlgVC|lkU{={@X|T_Bjh>Ou zkyb05p6=ntgTOTJ-20T6J@1V*JdlYP6UkZc>kI_v`Ta&1_>9FMQ)+MT#T12jtMRvw zK*pQ+9DJs3w=W}eZ19`&8JQVbJa4=ZiAUaf_s)5Q{kZx_CC&%!B)Xy zXyQ~z&e4pOG*Y0t=ldtZYbbX#>w8-4w4|>=e8P&TJzc9YS49$IZbiqE2=pzX_BOA2 zPb=X?$iq_b868Kn=nWdCeznx`L$~G>TE{L@EQ~!k`kmO>)M7W{F{k%I9Df%R`Y@hM zV>VBCHx4hsZrvdyGMA*Czu=QdxbI8i2R9ln6Tg?~^*brpZN1f)sN$2-XbUV$1(Qy1 zY9REKe2o*fJU>OQWVxW}+>^^9OON16|LsX{Y1R+ge&Md{o_LK8UElefLNu62%+58a z`h}i)soo;A_3s&*Uq`J`|JayMRn+(UfKRp>pIxta1Bjk|Z3~L@wmZJ#T#>iO1)n59 zIysSwm9v*vp50T0KBnh7OxM+x{oWG44`e&HqzT7d;{{m}9VNIy59x}9U%z#04tk`t z&tVURB|KG86$^!`-u`-uQ!C~ad_Frq_Oc*b@6SzgHWBKB+tUhQsd}K!S(aRnyzj`L ze3psa-13|H;OkE>fR4exTas)l3-1f0vhS(ESJ8lbq+=(YjP%tRE$IJ5vcM|rHO`QK z%w80f)pt$deNc@xRZAye@0^m_kg+`GFBNT}2S}rxAsG z5Y9J}Ls@ciWk+S}V$)PsLizYoOju#qRdbMlA0i4FJZA@Z~PXwGbE z@0&Zs6XK;&-8}=Y)AN8v+qy@VH@SnybHRG{D*RNP>78~>cplWtN&U>4oR9m&+WxeD zVa}Mh?={&}ZJlV@*HUZEN9H{0;Z#`>c*<&^44o=dMoh(WO_!Ff3@&n;t04|G8h*OzFSuf~Y^HyT}T9AQhQlKGZb4@&!N9NX2>h2>j4)5!!8|%?J z-M^HP{Ol|v;oAv8=pdPMGVf`CeU)DXNjPstc5>J>ieFI;ff1m7a>5#CtKF66=>Iz# z>AzV5pZ~ax1R#1uKG;F zQNu_>?MIZWyrLxD%L>#D_s)jzH;e*}dih#Tob5SOCbaG%#m-sWVT38IZ!1GzSP66z zOE{?oU+9D`f2iNny*e4*zu)+odf3zTkiWl`STJB5*|liBfM7L zNghXaOs)+g^7nNV^wEs9=}q`eLuxO7Gf;2)<$0Cy9gDAuS$JQe0-q{(GfKLfK7Idi zStFGvb1q;+6U(Zn4*yDDg;)nS?y`6%rn=QN?{cL??u8w=((E}P8>6dO*8W2%M;m?p z8d(>0(%a;-{mrij7Xj z#UsZ1JK8rOHuk90%Xs0OSc4eTBcF)nd|Ab^wN2qB%KW#RZSh91a^^;F5~G3qWVBslXK`sZDdcpN`>G! 
zmXj2z{9}vz%~IKe2N5z8mQI$=`b3B6UZt;AZW=xM9Ms*;F1~89(C1c&XjGT1)$iXC zb;q2_aRroi{B?wg#&7EB@aKMA<*@Yj60?~1vR1mHD?W3+nXG(U+Vfk=C1HBUwU5aR ztOt7LJKD&OZQ-fI=)Fav8*#r;Two4k&?|L8-~@a@rtj#la{!N8pGk!Hl5F3Vm(R>H zGtWf2+(UvOY3_{@J!45T$ z$&O0>Dec~yIWO>zp0sqygXuM05mmuAWS@Rmx-X8C7k>|upRuJ_7gHSTYfq4njF|32 zF9|;RJ1W-+hOus`U3o6Ord)?Ztm8vwEjlZoY?h&ev5@Kt>29K^JldkTO@152rE7 zgZK24F$s%+Z+G>oXPB%HYO>>Infyq4F3ZEl=Q26av-I=L0XoUpvCnM1b1I_$&L5(}y44R) zwGy!u?sAUP9WS^Y^Ul6c<@_8SA`RQQV-PbTBjR&TA)>jQKIA^T5$q~~0y}LE+nHxu zTEFD!H-$zkTbAc@(RC_W#&_I(2E*sRI+rlLM5w}(;HLHh#)!pTdeHn|wnOGQ?bzFb z9IIV9d#?%|M34A3drduF_${E3V`m0NoMXwbGV|Vc+=rdwL?2<$qxUl0@3yDl;q(To zM>ytSa1uPQ?ZkiZ$lx$CDZTw-!4Ib0M8}e`OEuSw_i;>HvX`;ag1*gQzv%Dvd#8*W zt03b`PKj`TtR(Ec#pN#-xCAZxp6L(c@@lgLqnBljJdrxN82aa)@8D@Z`-C@QiPanM z6E{Tz>n0D{2=BLLHXF@>{@pjMc-GtGuNL_1{bEO}jS&SKwcl67Hf}7%GU&Z1PdpWM zoP>fatQFZW5?kA9H5VLg7d6PNDGduG* zU!&7N2ZAoHziYkZN>ra>$lU6)lZIu}TcN_aE`8qC-!Jv~s(#Avz?eS4)4aF!g<|9H zy623HL`!Uo&Kv)ypXhE3D9~$uS2Ck|hJL(*ewn?5)A~Na4u*jz%&v{bOaSj9f15+yl0-1g83;M_f z?Nj_ql+Am_p{dW6``zE7ix}vAWqhLeO9pC;$h+J0d*!o(5pUcy)k~dGiNA>uGL3zzLOrya<>NDv;K@R68^6F7Knm9 z1T(x_f7c zK}cuv{AMLT8;!uD_tkr}9;M|hjBEaW5@_a|jm%4rIpGJStZ#n73X=hiGf(TNlDAJT zK9&5z8qO=C8~iVQ0%koF+Plw@%4$3VX-uMWb;PGzdeNE4Lb&QA?KE8$@*{=h4`5ZW zpx*1?`oj{AE?N#eL`JV_YI)hf`2&_vTVnFpPtH-V+~wuW6AaHP^xxycNopX&Gice;6{@-Vqw{(?y=aH-rUY6dVb{xbeA4+2A0DJG{jV(iC z;$-o=R6D}av@@1|m+{O<$_iuOX3p6SQ9eF1W+cIf%|LG=Wm!+UVAgk!1^dmX+#{;K zQ+ae%+Roo=PUy$NdUQV2HSe@y;e8LdmuKSlMQ_`q#icssm(44n+8)Mw*ru~scNpnu zl@*Y)c^}0!$x;?ZUQ;9Z7T$IHuG*yvrD_ap%hh`_@{-Qj_wB78OM=eAz$HmuL_zN# zpe4RzuMS%L*ouO9N3H1WpzJ$Te60I;G1=CSJ9iq2&`@vjcpW(;(r^wrVsdX)p(55^ zHA7h^K3mmARvo)l^|Wny&gXuMDWE2nJwMNgRd1_2LNRvaJQ*F6rSldZ^A$#Iv$t@# z&7a9B$SWU9nqXD+&dC2>ccvbn><#N55oJjV#MxlNt)`)iyVJpjoSsQF)O-DS z+6sit8j&2aG`jv$)|fNg?6&YtGgX&nJ!DF3CmLb_jvqcrj}*AW>2G3~rR7}atM;8U zd`HlT^hQp9*MrZEkwfv8nfoYsb^LZNw<2E=pZ4NW8G)7+ZaZE7FrCnUIBxs}J{4M=1Z$!)j4WazJZqrU0|&kNnLP)h@w 
zxR@KuBU;SLt_`;7a4AlW5}VcxeNK#p_t`%8f-GZ2k++e1Nd>cxnvNL1Cr4RSO{3jr@o>iJhVS=xt1DJIGCCyVheP7P+^t1J-D&D-Zb6*c+*`5PAcVym3{ z6CcPW&o7+_hVMk4UWQPS_ldKc*mD;>i`oNNXYNc$&F$VpuSO2!+8+r<{r#ocDH*y7Msh;@Gqq)_DZ}K60Z+SnN zT`^FZ>d#Ra?|D}-J6=TWw08T<#kCog#P*fvISZ#wh%I;~b_8Xd9Ki?hU950ggBgjp zon9C%?nvWZ+idgfFB^`yzRt5{(S3$qxp;glwgN@*zomD_<`T&}f>?p+>vu4!FJF1} zR0_d3`o#5}e`q9?`h3-Wog>=U6SXSZ-X=+YC$@8Wqj>M##j)>ICZ9e-_G!V&?NL1M zw9IM!RIC51{`Ax)FYNa?s1~dTur}2rvD$eX8KWbaJuYz#8>fd3kLh9g-Pl+#e!Nt< z{;E~3pK4xmn)DYz5$1Lu(iv-I3O>0PWWW}8W!opB(h^QriLMuStraYT{LB4bp7gh$ zzpwwt?izY8l)zG<2YKK>vD1g5mV4}>#C{4v6H}e3`o7P=_kJGy!k4M{BJOD|ylv8!}$CE8(A5e;%kw?`sqo&-6#}n=G zaD#kDnU3`wJY#9DL+wxOo06N@!x+!XK0h+m(8vcd2iwMuybH+=1zDwS$MfKyz5ZiA zbVWTsQ4LOGZT4Qca!=kdVft-qKUp(6XSm>O+&8%RJSRTrZ@oP`e&Yt7j?Xnd_N=nk=sYpVoXWT& z^N0#TIB*YJc-}hU?BZj&#!%ZUz6N@RD$Bz(Z$o@e3DCpe)$C;CRQ0UL&&C+!Z|U9{ z`i}>?YRMyOw1_v>&NX$!#qW2q^MJfAiqm9j;6eE}dPLeYJFM`q^<@KyF284+W^Eco&MKRb%HRbvnq2}&`u zQG(yr<-J5BdQqJ3Xd!Q9y?7_jlbtZ5J)yU$s$8?i=+BId)wynSrA77%4*AVp&rU30 zZm2d=6^H$rJbpwF3C z&O<@j{uu&;G^tkb1ZQdKv?3E*B;75(*KN#X7*QFBEiDwP2fU_}SiB@3f?lH!I;rQe zta&c9Cys5c{sv?uy8JtSnJM)=2#$pK{uZcoeQu1rwB|XZG1A9_(08!Vesj_OcPPc5 zJdd*zXq#GHsB-)*yR8ZzDZn|Nk56D3_^`ERjXH<3_t-~x4}jbwJ)XWt&zO=s6ktPO zK;=K2MdSAznxgG^{%*tbgQj_Ku6C4&qrF`F9Vnlh2?E+~ED7S}^o%Co5{p%SB`V{0 z_yTfa#lnF3350k-_;vp_`+CIlIs-*yV0Ch&WC6@SBK|buVMj#P6}5 zM3vwOW6({q34XTz(D#T7*duguQVi@i@;OKH=`$jmF|H^tTS9t=ohKO)K<`v+k?`kQ z+2=w)UZg>$NcMKp5FUwFoilnT=zu(3>%yl!6Wh&6J*1gFT2Aofq#>I9uFc?1PQBlR zWD>vl-lte4HUV$7|7h(xI`Wk5W>2Gy>ih;Ymjt*JosDFXVH0n$P;VcN!lab%oWiO8}yQP0U745Z#~^M-=x6i&LLt z@tWoei90XA0;?i}_8z^zY}JG<3!6pH_}ETc_m8@QsX4-v#^1cEB+t56j$fY$t3;xq}cMpg7@;Z$6?|HwanXo9lo-Bd>Ke*oa zQm(aoV;oqro_JR2(5KTtp(m@KtetVLb%Kx@wXcCd2t3^tB^F>jpaLL6U@rhKLSM-U zQg=EB1ox&0a9!8Pw^)~adg?u(zj4EsbX6$jjt6p#PO2}*Rs4?mDjR?{ydso=+33oY z2iKs(xv^`0e>N}U2;?w&{(kG~Abtb2@3WZtYm!-LfM4sYvS#Ow)*Q0BW0g8%V7`wL~H-C@d!SY2b&J$5$m`mDHC0(fk0kXe5udK%czFE n7%3e??>GGCjZ<_9dN^k)3-AbL^7qfAS5Q9iAMZHK-*NcA)06po literal 0 HcmV?d00001 
diff --git a/EPIC_15.md b/EPIC_15.md new file mode 100644 index 0000000000000000000000000000000000000000..12c0d5eb6c3af3f98eca92e248bcf9750897436e GIT binary patch literal 37340 zcmeI5>u*+9cE;b&mHNRSM@pr)ic}?|i5W2DHkm}mn8Y(ASlEPistN-(mtYLV5W;lk zpXeXlcK!C_hqd;(*v?EVRaJ$6*XNwQ_qsmoviEuYpa1dQ;`w5^c({17I9wdWr&sOg z7mJs1!au=p|lzFfR*v$7_mpS8dD+Z~<~9j{`Qr*Vzd9>z7sEfnK3%NF z=Ns+bFP6;l?A>T+7nd*N=~s)D<%8h&UVP>`=Hco=T!EwKu@);X7cb&pIDgPSzmC-( zEFQznulpQ6l9KU};HIt~}Vijn&<;z3ZxQ_%4? zt{udDtiIaxfG)m_tG|ptTQRTJI%qV%Y%?8%?76#K+-d7SjZfl+6`wS2U&YKXVrK3j zO=Nr=QbrP|J$uxi^(+tKSy6Blb73jS`*q_T$sEQfEDMeD^NaX%7!-)ww1GEGZtx7Z zjN+5@bsYDeH@?uy)J!Rtj~4tvLi~L{p5KfWrMZiXE6pZv#vIK5GA!_3e8%Qk2}%D$ z{JkElK}lM&=R>ADjhdH@)1w%V#ah~b+04wk9Vq|nG;9<=8D7b)U^oN9?KvyI$ zjgUtkG(Nx=xW|rPHz~b386i8C^@B&u2~S9t8Myx>MnFCDF5@m<4yH-2Ano&ph}e{$ zLT+%24*9J0Mdf~6!87j1IIL#>gcf{`S)mQPMGn{E3cikRMFSp~7PTJyfDFi4p0KjK z8ncQ*yly8xKW}qj6?n;Rn@P03ZCtJ|ZZ0)f`|Tdt$ml&#(i8)21$_!sF5!L**Viw}X(XcwGA zddT&{iIo$HcAFRC(^!LIo~-U=%*&jN6KYD!Tw^xH8GeEWuE@1o}>e$ugD0h zfWSyyNSjE_&kvjBJc#@K`e+H@Ui8YY6(I3fr)OuVcesEvhJ&Q>BCZvvCLjhWn2NB)x1)cZ? 
zGUN_4+27&9k{bKxad3&(@x1sJO^i4`;ocHqepdL`;8MP7KPA^da<9S)&BMi(2UISZ z2cC(IP%rdF>rcW$9>-`&_D$o^G%JcLLZTJ?9{s#M$r3IN);S38!lPfsbMRhQbTmd* zShi7#=fNfAN5Xb&UD%lN`yrkorYa7vwUswwHLwy(L2Jf0=@nhsM=LU!I&&#qLr=!| zttJut;aQ8`*ce!536uALdbgV_$!W#k*aCP;SbV-{fIj7|Nc%9xo-Gq>AOBO1dhnJzNd7u(GuPo6f z2!UK>DQR6jHP@RoD#G9kAR_#tmE)#~sR(%7Xm}A%5O*9&iJhPlNO-?V2nro-@kDYN zat}qpw5#*RO=a%Tx3VP9r3O&G`aI}XB(wFA`(rgm6n^TXd&LHLmk#lGA`;$)uD}=M z{W|_l&8F-@FES-(81^J<{dVLu`LuEz=~(p8 zU-L367=*nN39)=;VD^XcSMkN#x*uE;BYE0<;F+5zvF~lnMfD(m5Q*+jrPDwf~~DZ9n~i01zk&%SPVl|^UV;FGT1k5$RXkUQRK2{Pl$kO6uj zm%yV^KC)nJ5t|fEiV}TRVOa?wKvuHi)YJWDSybW7E(`>l--IO~d#7#&f)BDtVK5^>LPpv4`JbQRjOs+uoX7@EQzJ8b5r({p=a4~Ji{}PEYc=Y19DCl6n)Cgbn;3X8{@)7fjRwwy69cGbK?SmNX;hsSX0z|_ z#vL>-eLI`Q(%}T(fUnFwl4C_>WqmK({E{#>u@`dEya$WBG53C4L2AhFaeTTH9Bjn@ z`IKr>RbM~Fb?nwPLZ6FUCbkP_6BCmO3?7Jp`-*JrY+z1aMA05bLk%RXVet zGiU9qO8FCXBB8`Ka)phi75b4!v1XNBawGZ3+f?TshdiOjx-!n~g@x?3sOap1HNhlx zF^#jT6|hp_l`|aKE!i%guvEG}(8kaBr+q9f@K-16Wj-e4Vua%94>1opS6;`0u~Btd zu0Vpj!HcAr_j}Ctb>W z0R5DMro*%z=)gL6;*Ro2;)LQel?{G`c9R!*C*w3$y(y$bPZYbOW(Bo{vS^3RGi3Yv;raSw{IH^!ZowJL{JR^i-L2mm#V zCy%3pfhVMYB3&quX2`T36$!5?!zYf`cXT-#RNVjEw_lk@ef;-S*HOZ zA7OoR8tw35XGn#PguF|-UM{|fS+B%%qRQ)RH+zEvWJ6TLUu*47CmU4;*LmJsPu3Espz!+EG$FVkcEQ_K31rsX;Yhl5|`N{C$TD5!C6j2SH(CTpi ztIqman-$KS(e>UWso|~mTxe#87nD#ofV`0o(gzjQS4wZ<8nc3%Wr5 zD`sYV8_%$_=IX*Shi~+Y)nc1S8{d@GJC^aktQakGKQ)y)7QU0WC>Lclp1(Jc!A7j1 zF8s=pJWm}q#b-;w)i61hG^v%LbuZ?$RI0T07QczR8!;o<5q<@wc(CIhqs3WD$$0~w zOAdog5Ua58ALD;y!d#4X#fT=DlllO<92@&y7D&e~h*66e!t8VYeK}UR5l>S~3L}^s zO5o@hOFpA%Wu4X6uf;WN)VVLu^);#ROC1*b@|+*5R;qSA7dMQL&KNxt%CdL0yxUfFo(di4I(2GV zEKlW&=$;sdB|^2vtA4@bu|h>>?DVivjXoqH`#+qPN9Ede-X1}2#mu_vQKnHl z50)2mDZVIXeh@vdmE|XK6|ZDJP+6h&6zOmfcUP9g$$W-92;C`0(Y3{biC2n&mCnAh zK?>SYvELvOEc8L#QHDcqr5Z!jYUgn+B>3?OW(;E>S;}saIY0G#7>uxQ?1ZGSKC&?| zPH}>hT-6`2J)sL;hsH#w<(qi`RHE~KMJi2dJaD(~JF3gad`L@KB-Y@_MeUY5eS0xl zU5K17YvQZ`hZcv9<~j!I4yq#{Nn?GCKrVgt?K4!BfC$Tqa11pgsvGjQHZ;L-S z4J1F-$9njHauS_EfR^eL$QNm;4q(=w;U*J}Flv 
z3wG>e?UXw|^?f=rRYgne=e=ci>5Vi!Vv?J{3%Erd$gauMC`V~%MSjYTS)a(H2tW*C z|Bajy-@_yOe0&+Fkh}&`16zdS$f3ptX145D0nDpft>+qQ_W5x56j^Otc2-FgoZN_oZ+nfqVFx*%m@61i~Njruyw$WD*3);{Bm)f~I}LO$3>UvJg= z1#8M$@VMC{^dT8+lU)PHw_0QAYz|Mk#^qV{(N%Z!_6Tmf!;V$*H2NBMGO;dtEOd04 zf6kJ6tATTK{kxcfJW%>14dl*IxGDO zG@vXOe?oW2Q_)YJ#GLY$#D8*$Cm~OF#mw7g^DgIf8i~z_3wTt=N?wl)SPzdt4&E(M zPQ?7^QFUc+Yg_Fqon+|1&J^c|7Dh+vWz4Q@7x@lxvsxQb`BrF0Cz~vf^etH$vn=DB z-PQQll2H#&nXV9z49KxiF%(Q<261AET?_l(i9H%t(P<5>GL&6KTN}6(cAil3CZ~BmAML2S!?KZ2TIpc+Co{8~90cQ+aH&1kt zRm%3kRACHKM>NA0iSg;TcxpufeomxHRO|bC zx;{iJN#3-L*W7P1*$usqPY6SW;ubcHRM@pE z)gI`@v!K>;@$Y|MW0SKEby9RUHHWN-v0#Jl^%~^98Ua$h>gnSawL@QT3_b`K)*4k$=VyhuX z+E@1JEPM2IJ=OzJ>~)-2CANtcWq!~IPdusK0e9W~08!m(=1IkCMP1J;>2RhX>rCm$ zy~_Qz0=zt5>tsgp z;eI~2!udhCWvo_^POw$^8RK>49qOb*o)J!fgwytNu~jeM#u`)@PexLB6nDs9Bo!*; zKHluc72=6{Zr_O;?N&ZXRMwb;iz z`L>L4iCKF(m38Fk&Cs*`NU@k0@A|^sAI+EaDGpNqalV4JmE8?<7@nK5yx&JPvJ>OT zyzBXjn)}J$#!{6}uro&AQMR$yI})K%M!N`OS+e(I8fhn%nC944s5&pMNtc|fgtD;6WW_m;dh zfL7gsa4!P6?JvHHj)`oJohb17X}k-E-N{mP+9-GPus&9HuODiN6prh7m?8=qSAV2h zfswM0fPH>Lrciq+nq6K%Jkg0XA_%c|&O+} zJ03J%hFunCK=}W%y%UMF73+9p1 zBMutkIxjt&YIwyrR5g6j`Ri)P;8FOKa}=&tBq67f_10rb66|>D98$_+ zJLFG(=UNAEWIWbG_JQqyWA1IGjOh#@nfmsj>Vw<`cm75cyc2WXZ<6FR7OU9j9QT}C z*Zfd92(kr3Tzh710Ihg2_0Wa(nW&chAvw!b8T_q?KpV08TAa@QxSh~;l+jFhr{k+B z?E6JXOz*3J`Kl0+lQLN4X8c5C#&XcqhrvlO)wzl5 zBll%42mfR=-^Ei{toW#o}DbX%0QU+VGJbBEH3qAm^?zr<)zmEJ#og?O~G!66N3r$zf^5I>vj9H24 zH6EZxG)%WanUMUBl+=r5BoN{!x?c%>RKdh1-&OMC2$4&oZ-Fc0nrqm4^(vR09-DqVm zbf&9QD~dvVzxq9S(zT`y&}e+p$(Vrr^}ZHXnBJ+%Gy7d2H{RFVW!=3!Zk zzkBaB_fU{Do{U7a7kf7{A99+bkkE(0edaSmP2PPG02 zn4Q_MclIkPPj}p~KUudu7qlP(5;xt0gPs~8F2`Erv-v)TG6b?-GCJFfYz1!JgX7d| z^`wP?)r?yuWqV6#`27(c9sTuo7c-D&S_CJr6Yqh|N+0}480a~-7 zIx2Wkjp}EuLvC7Y4s1;4hFMKkK-H0X3)iSV)XTxgPOIYCON0~7haCoGPveuNhi36A zXdphj4q=aTtlNt;Uvi zC1$1u0hg?8q7V^QJBOKp<_exgw)b`P1$Sc(XGIqx3X-#`lPWFHO+ivRTPQyn+E>;3 zcuv_9vq2d;Bv+;`Lkp_uWl>cEAYs41(OdC&oy;^Z1S*3ktf^`WJ%UE$Z0zEz3MVVk zZXT5BO<4Em+*`u4=sD4KC;FYvtExHWt9lPba$|NpHNPpTqR&)MH*L}gpb^lZUWsj` 
zBF5>|^_8Xci*BjXq*HX`9bKK~QuiB#Awt%3a;m}XIU6w!Us8RLR$uLv+<7-74IPp= zRe?K#bGB*zJ>si(Nc7wImL&AW|IYLHJj@%ormD&j{I|_E$ozEX2-`TlKbZD5qz7vQ z31!QQ+Q_!%yqeqf54nvk4x1m_oOL_Qho|Mb7ISPiv}aB2cg)FkI}l^%#OsH%)8Fa4 zobZvg%U+zKw4CSjGw$>m*q@uUYxXQp@2lWx+a1&Rd3a>j1SxMtYoP}753{C3*Ua*< zYu5t9IC;9HvW9-!xZ_kk-Vf5?L!799B6{hI^w0-mKNoB4 zrH>AEa!C{Ahj1&gGbIJ!}?_QIy6bv^#y4FVAI!U&T!0ibr0G zrzmRJD|D7kcseJcxs@(7Pjycm*;ILBBhEdTAEZ)*0x6s?fRa7Eczag7(_YFc@tu&` z_+11=4ZH>^I*w)iaU-tl{R`qSm`Ug7%{vTTS>pG|NpFS;ZKmGs_r4P=5!a5Yfao~r;3waWXXBH!029g%Y+i* zm^cH4;!W|CtZT1b%ih9jvlT_`9=)(|x}nHG_$z5SuOR-c#~Q>!$w_-TjM@(mV#gQl zKovCQZaV%j?nURW4Mdbg6mW z`KbT_@fzoiZ$o-Qd^`dy(wlpxt>OrDkW1iW$c>+;&V^0wR`{J5?S5#FoLwVmvA3@M zOkT``D!Y%GHuoDpNQha@1-FvEO} z!wwVJc3yjN%#f@rFN!GI?;#JMqocex?HgLi1E${r<*rW#7|Z)?A5IRMhhVSS2OwMc zIb2BM{+5K~0-KwQntqxc5l%Ou4JgLX6hE+4{jB#Dr5i`5)QkH$yyZ2ddb~d{es|-e zW-;C$O6vP;PcxC55=o%c{U|;gE_XuAzfq3OnQbgl)m~3PkUwDnbRAch#EyM zM&D_QE;5|+$q63RRl+x`mrm>F;$kXt&F|f%1cvo&)_}<^r@e+0Sp!p1hOAKiEA`nf zG_OVXoEVVTW_-c(bXr&)V@H{BY!y1^vq`HE0qmvn&`CG;DZHAgor)UxrTm!8_Ck!A zi|HU&N={LYGZu6MC82&dADcm6ASf}8NJkcw=RxF!Q(j?;ry_*jt>V;+&avn$K@Fzy{@dQ<=Cr8Aqdj_;$-bRI$+)|0w?Q-HBYu+H!3D(86D8sjcQ= zc~T6$vdctt*=_UGTo~)R7VmwzVy=DE>Aja*F-PshP~ojC>D)YsS(N>NhS_mDJ@dii zV#Qsyo6?eJ0s$KxpFo$==@ioh5CuDs7vp&uh=l!2~ z-5;*{qfd}bqq`jMeGAT-szcbHpaRCbQ!oY7ag+zF|WxsA`b zpSC-rGwjl~e*Z)6X3a@v?L;!WO}o{yQ`*DRz_zO@r?iz}j?nL|`6qTU@+4kb#MPE_ z)0Y7&vA9YTR!AJt8LqTDcL{Tzjb?q$wx)IoTnVSm&&lZWiHtTQqftHJjyRHVeqN<9 zrTuZ{KpvlO58^S(y(A+nqn<1$!sukPVok=$+44RxM#s%A(HjOz>{Jb69xv2D*um`*1CxgAtb{YDK{T$y3@bwHK;*Rf(f#Ri2_ zHA$7W&xUPSh34>B(6Ux(NE(|WQnK4Ol^ad<&^~Rkd$U<1 z@_N}bVsPrVVfWW{ z7Cp>*Iu@xjMm+1Cz|;C9vhLIJf@+UQq1vSRz*30GoOsZC(db6?G%|xLx)3+w3HDu? 
z2afdJG+40v9OM*8Oj=}=I_1tN+#yMuFb&2EMypmP-$)ygrzxKRsi3L;wh#L6@>l1> zSdCBHa%Po^2z^p_IM*0TTXdmobPg6yxpbeiI9Nh(_QTy283^ zB&xkbB-&?Q)r$PC!XJVPoh<}$(3`bv`yXa@b8_!9U68QPzUm2LgO9=1_jM}EU|WX6z+$LKcmJ@n~Juj4yF#7b1cYnF z^{knQX!I=1k!=df`qMt}J3MxoLlr(duJ;WFM@PrO!KteqSro}FqUf==prCUd6vU zZJ|!rcnxD3R$srh(Uk|?=KeHTQse!MDzmBXB6vwONDG^j*4fr) zZ9lp-k`@>Oj%UQS#C!ajlj_+$0#4d1cIjj$zT(a%d}Q~4I~jZN^Wm-nb&+|w9x_2Y zU@W!^9&WadE;`{3Z;CTxA6r;uxR)<jhz@d?Wyw}Ep-8BvtF1;2?p>-%Bv(R2XaTYtB z-rG=?POJqB_z6pNoEpnxxQ1*#wS{*3y&S)7k&@?Z8rs@xm}fg>q;SJ;MpUc7!jT#B zp&HnW%9eNBjkU_-?90gqPp0kVxjg$Sl6euluPn*xB)?wfI)S0zXNDf6i?r8z$_6x5 zj-uRCnVEcBxRbfT$4v(5@#OUWh8m4CH=N?)q?hY}u~xR4w_s<;#`^>K2l)&u)6sDT zP8X56)#HHXItu&bH2d7H!gzI~A@lS0l=nyy5seGO9gmDY$Y{Dp(Q9M3*#S~KE&snA zchz;ab?H05YFy9^*kQ$bXeRU1xicYGk29c5%}>Yj*o>XQ&4y7m%K#nq-TlleS>bWi z#bA-n%<$R2{b+p3pOLkW7k!{Gh%@xOly3FCF}*i}1}YFN$1wwhl~+>@l9AbqBsc6s zv$}rqx9Ykhiq!+ zNx!?YqKS5Lr+(|Mzhefiu@-iXj6};`eC|)|8E=O%Gta2`iD3j~CErusDGRA1SA&Ah z;76FM^Sl+A-CF@&!7wDF+>6z)mFYe{aqec^RS(#sRU=3$w;JLI$1D?`6OOvqjeNjk z>?D1{UQC2gWxpEt8LNHc{rD~numB_>GJ&C7ktz58T?PAdr)AygG zPr&Q-wi;-UT|w)OwyLsF^M|FOZO*xAHSD=|`RVvx>v&C6QT8#^vi6l+2ihZuztFWE zs~MxDX?5>7OUQlMdhRp#sOB>q&S_Eu8IMe_d}c~pr_1>_L4#0y-0?vB`M!{<`m{)O z*`zPNWw+Oe@=jz;gxm*49)0NJUbsZf%C|89(GYj_lz z(Hqm;L5|2ydo8CwOUy(bnq?d@>GFV`_#@VgBy`e~pX;d(OS_LQTxAp)jWR@49h@k_ zgY>pQKa=bPNloPkoQTu=k`J0b&=Y!-ZpZ*x2dR<8*9u}i);x?gp{DjT<(*}+ zmiD326=RJrwj#-F>Me@2_w^<}GAY$O%lNHEzm9o_nVV_=dnHJh{bt){?TSMK+9x+6 zvZG5PKHfu2tMrn`;y*fj()Yf-uOc*86gI*Map?XMQT*G7W%Kr7;?+U>9Vg)1X}cLv zgoSd-%$414jP-ue)ULnlR5+#1ei&;=lgbK3i@lpCh}l@HY;uUgx$Po$%##Ijd$3D^M5iu_ps5EqNMn>{AJOqmbjC2;hWXAl9-K;t%+QT^_7?EeCHS;(UYDq|EZhYA>b(_>?{^a zsIrfvi=ff?22zmTwVHitSWViGhScQBm%}&LVz%MFld~9T&EK#K9!k=5fn(O_AnOD`%bWPLJ#OeE%1IRl6DZ z0o5W;_uWP3`B$4A>z(rIPk5JTBU<=>oj`ieYXp<~~I9$Jbz}m2l$U8x0zwLnKQ|WOBO30YW2AK!V zCUwM~M@_;*zoiz@`&9YXmfi!w`h*PZ`5{&Mom8*zIj%l#p2Xwy5xACAy|)iGW5woe zC+7U`ISq*qfhFj{=MSJ$^$C^*>OG4mYzf$i-l^idC&0ga2Km9e$3%tNmoiF`r<|*irpK|hw8P7AjJ4?#h@avo(@7jMy 
z2U!pqDfW5(`FrfP<>eZcQ{{$eMLGaGYzvmwPSYUy$-Q=N7`x*%AAZhfd{*E2KehWn z{^M+%eQG+D$lTTo(y%Ie!av4yD5q9dDj)5?8w9_CyNutJXJaw*^42<@?yOIk0H0@7 WFs|3`1fAr1MhYkwFaP)ImHz@Ae8{{2 literal 0 HcmV?d00001 diff --git a/EPIC_16.md b/EPIC_16.md new file mode 100644 index 00000000..b73e1cab --- /dev/null +++ b/EPIC_16.md @@ -0,0 +1 @@ +See `docs/airgap/EPIC_16_AIRGAP_MODE.md` for the full Epic 16 specification. diff --git a/EPIC_17.md b/EPIC_17.md new file mode 100644 index 00000000..aaa01c0d --- /dev/null +++ b/EPIC_17.md @@ -0,0 +1 @@ +See `docs/api/EPIC_17_SDKS_OPENAPI.md` for the complete Epic 17 specification. diff --git a/EPIC_18.md b/EPIC_18.md new file mode 100644 index 00000000..ce01c65f --- /dev/null +++ b/EPIC_18.md @@ -0,0 +1 @@ +See `docs/risk/EPIC_18_RISK_PROFILES.md` for the complete Epic 18 specification. diff --git a/EPIC_19.md b/EPIC_19.md new file mode 100644 index 00000000..94c28dcf --- /dev/null +++ b/EPIC_19.md @@ -0,0 +1 @@ +See `docs/attestor/EPIC_19_ATTESTOR_CONSOLE.md` for the complete Epic 19 specification. diff --git a/EPIC_2.md b/EPIC_2.md new file mode 100644 index 00000000..508c07a3 --- /dev/null +++ b/EPIC_2.md 
@@ -0,0 +1,567 @@ +Fine. Here’s the next epic, written so you can paste it straight into the repo without having to babysit me. Same structure as before, maximum detail, zero hand‑waving. + +--- + +# Epic 2: Policy Engine & Policy Editor (VEX + Advisory Application Rules) + +> Short name: **Policy Engine v2** +> Services touched: **Policy Engine, Web API, Console (Policy Editor), CLI, Conseiller, Excitator, SBOM Service, Authority, Workers/Scheduler** +> Data stores: **MongoDB (policies, runs, effective findings), optional Redis/NATS for jobs** + +--- + +## 1) What it is + +This epic delivers the **organization‑specific decision layer** for Stella. Ingestion is now AOC‑compliant (Epic 1). That means advisories and VEX arrive as immutable raw facts. This epic builds the place where those facts become **effective findings** under policies you control. + +Core deliverables: + +* **Policy Engine**: deterministic evaluator that applies rule sets to inputs: + + * Inputs: `advisory_raw`, `vex_raw`, SBOMs, optional telemetry hooks (reachability stubs), org metadata. + * Outputs: `effective_finding_{policyId}` materializations, with full explanation traces. +* **Policy Editor (Console + CLI)**: versioned policy authoring, simulation, review/approval workflow, and change diffs. +* **Rules DSL v1**: safe, declarative language for VEX application, advisory normalization, and risk scoring. No arbitrary code execution, no network calls. +* **Run Orchestrator**: incremental re‑evaluation when new raw facts or SBOM changes arrive; efficient partial updates. + +The philosophy is boring on purpose: policy is a **pure function of inputs**. Same inputs and same policy yield the same outputs, every time, on every machine. If you want drama, watch reality TV, not your risk pipeline. + +--- + +## 2) Why + +* Vendors disagree, contexts differ, and your tolerance for risk is not universal. +* VEX means nothing until you decide **how** to apply it to **your** assets. 
+* Auditors care about the “why.” You’ll need consistent, replayable answers, with traces. +* Security teams need **simulation** before rollouts, and **diffs** after. + +--- + +## 3) How it should work (deep details) + +### 3.1 Data model + +#### 3.1.1 Policy documents (Mongo: `policies`) + +```json +{ + "_id": "policy:P-7:v3", + "policy_id": "P-7", + "version": 3, + "name": "Default Org Policy", + "status": "approved", // draft | submitted | approved | archived + "owned_by": "team:sec-plat", + "valid_from": "2025-01-15T00:00:00Z", + "valid_to": null, + "dsl": { + "syntax": "stella-dsl@1", + "source": "rule-set text or compiled IR ref" + }, + "metadata": { + "description": "Baseline scoring + VEX precedence", + "tags": ["baseline","vex","cvss"] + }, + "provenance": { + "created_by": "user:ali", + "created_at": "2025-01-15T08:00:00Z", + "submitted_by": "user:kay", + "approved_by": "user:root", + "approval_at": "2025-01-16T10:00:00Z", + "checksum": "sha256:..." + }, + "tenant": "default" +} +``` + +Constraints: + +* `status=approved` is required to run in production. +* Version increments are append‑only. Old versions remain runnable for replay. 
+ +#### 3.1.2 Policy runs (Mongo: `policy_runs`) + +```json +{ + "_id": "run:P-7:2025-02-20T12:34:56Z:abcd", + "policy_id": "P-7", + "policy_version": 3, + "inputs": { + "sbom_set": ["sbom:S-42"], + "advisory_cursor": "2025-02-20T00:00:00Z", + "vex_cursor": "2025-02-20T00:00:00Z" + }, + "mode": "incremental", // full | incremental | simulate + "stats": { + "components": 1742, + "advisories_considered": 9210, + "vex_considered": 1187, + "rules_fired": 68023, + "findings_out": 4321 + }, + "trace": { + "location": "blob://traces/run-.../index.json", + "sampling": "smart-10pct" + }, + "status": "succeeded", // queued | running | failed | succeeded | canceled + "started_at": "2025-02-20T12:34:56Z", + "finished_at": "2025-02-20T12:35:41Z", + "tenant": "default" +} +``` + +#### 3.1.3 Effective findings (Mongo: `effective_finding_P-7`) + +```json +{ + "_id": "P-7:S-42:pkg:npm/lodash@4.17.21:CVE-2021-23337", + "policy_id": "P-7", + "policy_version": 3, + "sbom_id": "S-42", + "component_purl": "pkg:npm/lodash@4.17.21", + "advisory_ids": ["CVE-2021-23337", "GHSA-..."], + "status": "affected", // affected | not_affected | fixed | under_investigation | suppressed + "severity": { + "normalized": "High", + "score": 7.5, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "rationale": "cvss_base(OSV) + vendor_weighting + env_modifiers" + }, + "rationale": [ + {"rule":"vex.precedence","detail":"VendorX not_affected justified=component_not_present wins"}, + {"rule":"advisory.cvss.normalization","detail":"mapped GHSA severity to CVSS 3.1 = 7.5"} + ], + "references": { + "advisory_raw_ids": ["advisory_raw:osv:GHSA-...:v3"], + "vex_raw_ids": ["vex_raw:VendorX:doc-123:v4"] + }, + "run_id": "run:P-7:2025-02-20T12:34:56Z:abcd", + "tenant": "default" +} +``` + +Write protection: only the **Policy Engine** service identity may write any `effective_finding_*` collection. + +--- + +### 3.2 Rules DSL v1 (stella‑dsl@1) + +**Design goals** + +* Declarative, composable, deterministic. 
+* No loops, no network IO, no non‑deterministic time. +* Policy authors see readable text; the engine compiles to a safe IR. + +**Concepts** + +* **WHEN** condition matches a tuple `(sbom_component, advisory, optional vex_statements)` +* **THEN** actions set `status`, compute `severity`, attach `rationale`, or `suppress` with reason. +* **Profiles** for severity and scoring; **Maps** for vendor weighting; **Guards** for VEX justification. + +**Mini‑grammar (subset)** + +``` +policy "Default Org Policy" syntax "stella-dsl@1" { + + profile severity { + map vendor_weight { + source "GHSA" => +0.5 + source "OSV" => +0.0 + source "VendorX" => -0.2 + } + env base_cvss { + if env.runtime == "serverless" then -0.5 + if env.exposure == "internal-only" then -1.0 + } + } + + rule vex_precedence { + when vex.any(status in ["not_affected","fixed"]) + and vex.justification in ["component_not_present","vulnerable_code_not_present"] + then status := vex.status + because "VEX strong justification prevails"; + } + + rule advisory_to_cvss { + when advisory.source in ["GHSA","OSV"] + then severity := normalize_cvss(advisory) + because "Map vendor severity or CVSS vector"; + } + + rule reachability_soft_suppress { + when severity.normalized <= "Medium" + and telemetry.reachability == "none" + then status := "suppressed" + because "not reachable and low severity"; + } +} +``` + +**Built‑ins** (non‑exhaustive) + +* `normalize_cvss(advisory)` maps GHSA/OSV/CSAF severity fields to CVSS v3.1 numbers when possible; otherwise vendor‑to‑numeric mapping table in policy. +* `vex.any(...)` tests across matching VEX statements for the same `(component, advisory)`. +* `telemetry.*` is an optional input namespace reserved for future reachability data; if absent, expressions evaluate to `unknown` (no effect). + +**Determinism** + +* Rules are evaluated in **stable order**: explicit `priority` attribute or lexical order. +* **First‑match** semantics for conflicting status unless `combine` is used. 
+* Severity computations are pure; numeric maps are part of policy document. + +--- + +### 3.3 Evaluation model + +1. **Selection** + + * For each SBOM component PURL, find candidate advisories from `advisory_raw` via linkset PURLs or identifiers. + * For each pair `(component, advisory)`, load all matching VEX facts from `vex_raw`. + +2. **Context assembly** + + * Build an evaluation context from: + + * `sbom_component`: PURL, licenses, relationships. + * `advisory`: source, identifiers, references, embedded vendor severity (kept in `content.raw`). + * `vex`: list of statements with status and justification. + * `env`: org‑specific env vars configured per policy run (e.g., exposure). + * Optional `telemetry` if available. + +3. **Rule execution** + + * Compile DSL to IR once per policy version; cache. + * Execute rules per tuple; record which rules fired and the order. + * If no rule sets status, default is `affected`. + * If no rule sets severity, default severity uses `normalize_cvss(advisory)` with vendor defaults. + +4. **Materialization** + + * Write to `effective_finding_{policyId}` with `rationale` chain and references to raw docs. + * Emit per‑tuple trace events; sample and store full traces per run. + +5. **Incremental updates** + + * A watch job observes new `advisory_raw` and `vex_raw` inserts and SBOM deltas. + * The orchestrator computes the affected tuples and re‑evaluates only those. + +6. **Replay** + + * Any `policy_run` is fully reproducible by `(policy_id, version, input set, cursors)`. + +--- + +### 3.4 VEX application semantics + +* **Precedence**: a `not_affected` with strong justification (`component_not_present`, `vulnerable_code_not_present`, `fix_not_required`) wins unless another rule explicitly overrides by environment context. +* **Scoping**: VEX statements often specify product/component scope. Matching uses PURL equivalence and version ranges extracted during ingestion linkset generation. 
+* **Conflicts**: If multiple VEX statements conflict, the default is **most‑specific scope wins** (component > product > vendor), then newest `document_version`. Policies can override with explicit rules. +* **Explainability**: Every VEX‑driven decision records which statement IDs were considered and which one won. + +--- + +### 3.5 Advisory normalization rules + +* **Vendor severity mapping**: Map GHSA levels or CSAF product‑tree severities to CVSS‑like numeric bands via policy maps. +* **CVSS vector use**: If a valid vector exists in `content.raw`, parse and compute; apply policy modifiers from `profile severity`. +* **Temporal/environment modifiers**: Optional reductions for network exposure, isolation, or compensating controls, all encoded in policy. + +--- + +### 3.6 Performance and scale + +* Partition evaluation by SBOM ID and hash ranges of PURLs. +* Pre‑index `advisory_raw.linkset.purls` and `vex_raw.linkset.purls` (already in Epic 1). +* Use streaming iterators; avoid loading entire SBOM or advisory sets into memory. +* Materialize only changed findings (diff‑aware writes). +* Target: 100k components, 1M advisories considered, 5 minutes incremental SLA on commodity hardware. + +--- + +### 3.7 Error codes + +| Code | Meaning | HTTP | +| ------------- | ----------------------------------------------------- | ---- | +| `ERR_POL_001` | Policy syntax error | 400 | +| `ERR_POL_002` | Policy not approved for run | 403 | +| `ERR_POL_003` | Missing inputs (SBOM/advisory/vex fetch failed) | 424 | +| `ERR_POL_004` | Determinism guard triggered (non‑pure function usage) | 500 | +| `ERR_POL_005` | Write denied to effective findings (caller invalid) | 403 | +| `ERR_POL_006` | Run canceled or timed out | 408 | + +--- + +### 3.8 Observability + +* Metrics: + + * `policy_compile_seconds`, `policy_run_seconds{mode=...}`, `rules_fired_total`, `findings_written_total`, `vex_overrides_total`, `simulate_diff_total{delta=up|down|unchanged}`. 
+* Tracing: + + * Spans: `policy.compile`, `policy.select`, `policy.eval`, `policy.materialize`. +* Logs: + + * Include `policy_id`, `version`, `run_id`, `sbom_id`, `component_purl`, `advisory_id`, `vex_count`, `rule_hits`. + +> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +--- + +### 3.9 Security and tenancy + +* Only users with `policy:write` can create/modify policies. +* `policy:approve` is a separate privileged role. +* Only Policy Engine service identity has `effective:write`. +* Tenancy is explicit on all documents and queries. + +> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +--- + +## 4) API surface + +### 4.1 Policy CRUD and lifecycle + +* `POST /policies` create draft +* `GET /policies?status=...` list +* `GET /policies/{policyId}/versions/{v}` fetch +* `POST /policies/{policyId}/submit` move draft to submitted +* `POST /policies/{policyId}/approve` approve version +* `POST /policies/{policyId}/archive` archive version + +### 4.2 Compilation and validation + +* `POST /policies/{policyId}/versions/{v}/compile` + + * Returns IR checksum, syntax diagnostics, rule stats. + +### 4.3 Runs + +* `POST /policies/{policyId}/runs` body: `{mode, sbom_set, advisory_cursor?, vex_cursor?, env?}` +* `GET /policies/{policyId}/runs/{runId}` status + stats +* `POST /policies/{policyId}/simulate` returns **diff** vs current approved version on a sample SBOM set. + +### 4.4 Findings and explanations + +* `GET /findings/{policyId}?sbom_id=S-42&status=affected&severity=High+Critical` +* `GET /findings/{policyId}/{findingId}/explain` returns ordered rule hits and linked raw IDs. + +All endpoints require tenant scoping and appropriate `policy:*` or `findings:*` roles. 
+
+---
+
+## 5) Console (Policy Editor) and CLI behavior
+
+**Console**
+
+* Monaco‑style editor with DSL syntax highlighting, lint, quick docs.
+* Side‑by‑side **Simulation** panel: show count of affected findings before/after.
+* Approval workflow: submit, review comments, approve with rationale.
+* Diffs: show rule‑wise changes and estimated impact.
+* Read‑only run viewer: heatmap of rules fired, top suppressions, VEX wins.
+
+**CLI**
+
+* `stella policy new --name "Default Org Policy"`
+* `stella policy edit P-7` opens local editor -> `submit`
+* `stella policy approve P-7 --version 3`
+* `stella policy simulate P-7 --sbom S-42 --env exposure=internal-only`
+* `stella findings ls --policy P-7 --sbom S-42 --status affected`
+
+Exit codes map to `ERR_POL_*`.
+
+---
+
+## 6) Implementation tasks
+
+### 6.1 Policy Engine service
+
+* [ ] Implement DSL parser and IR compiler (`stella-dsl@1`).
+* [ ] Build evaluator with stable ordering and first‑match semantics.
+* [ ] Implement selection joiners for SBOM↔advisory↔vex using linksets.
+* [ ] Materialization writer with upsert‑only semantics to `effective_finding_{policyId}`.
+* [ ] Determinism guard (ban wall‑clock, network, and RNG during eval).
+* [ ] Incremental orchestrator listening to advisory/vex/SBOM change streams.
+* [ ] Trace emitter with rule‑hit sampling.
+* [ ] Unit tests, property tests, golden fixtures; perf tests to target SLA.
+
+**Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+### 6.2 Web API
+
+* [ ] Policy CRUD, compile, run, simulate, findings, explain endpoints.
+* [ ] Pagination, filters, and tenant enforcement on all list endpoints.
+* [ ] Error mapping to `ERR_POL_*`.
+* [ ] Rate limits on simulate endpoints.
+
+**Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+### 6.3 Console (Policy Editor)
+
+* [ ] Editor with DSL syntax highlighting and inline diagnostics.
+* [ ] Simulation UI with pre/post counts and top deltas.
+* [ ] Approval workflow UI with audit trail.
+* [ ] Run viewer dashboards (rule heatmap, VEX wins, suppressions).
+
+**Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+### 6.4 CLI
+
+* [ ] New commands: `policy new|edit|submit|approve|simulate`, `findings ls|get`.
+* [ ] Json/YAML output formats for CI consumption.
+* [ ] Non‑zero exits on syntax errors or simulation failures; map to `ERR_POL_*`.
+
+**Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+### 6.5 Conseiller & Excitator integration
+
+* [ ] Provide search endpoints optimized for policy selection (batch by PURLs and IDs).
+* [ ] Harden linkset extraction to maximize join recall.
+* [ ] Add cursors for incremental selection windows per run.
+
+**Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+### 6.6 SBOM Service
+
+* [ ] Ensure fast PURL index and component metadata projection for policy queries.
+* [ ] Provide relationship graph API for future transitive logic.
+* [ ] Emit change events on SBOM updates.
+
+**Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+### 6.7 Authority
+
+* [ ] Define scopes: `policy:write`, `policy:approve`, `policy:run`, `findings:read`, `effective:write`.
+* [ ] Issue service identity for Policy Engine with `effective:write` only.
+* [ ] Enforce tenant claims at gateway.
+
+**Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+### 6.8 CI/CD
+
+* [ ] Lint policy DSL in PRs; block invalid syntax.
+* [ ] Run `simulate` against golden SBOMs to detect explosive deltas.
+* [ ] Determinism CI: two runs with identical seeds produce identical outputs.
+
+**Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+---
+
+## 7) Documentation changes (create/update these files)
+
+1. **`/docs/policy/overview.md`**
+
+ * What the Policy Engine is, high‑level concepts, inputs, outputs, determinism.
+2. **`/docs/policy/dsl.md`**
+
+ * Full grammar, built‑ins, examples, best practices, anti‑patterns.
+3. **`/docs/policy/lifecycle.md`**
+
+ * Draft → submitted → approved → archived, roles, and audit trail.
+4. **`/docs/policy/runs.md`**
+
+ * Run modes, incremental mechanics, cursors, replay.
+5. **`/docs/api/policy.md`**
+
+ * Endpoints, request/response schemas, error codes.
+6. **`/docs/cli/policy.md`**
+
+ * Command usage, examples, exit codes, JSON output contracts.
+7. **`/docs/ui/policy-editor.md`**
+
+ * Screens, workflows, simulation, diffs, approvals.
+8. **`/docs/architecture/policy-engine.md`**
+
+ * Detailed sequence diagrams, selection/join strategy, materialization schema.
+9. **`/docs/observability/policy.md`**
+
+ * Metrics, tracing, logs, sample dashboards.
+10. **`/docs/security/policy-governance.md`**
+
+ * Scopes, approvals, tenancy, least privilege.
+11. **`/docs/examples/policies/`**
+
+ * `baseline.pol`, `serverless.pol`, `internal-only.pol`, each with commentary.
+12. **`/docs/faq/policy-faq.md`**
+
+ * Common pitfalls, VEX conflict handling, determinism gotchas.
+
+Each file includes a **Compliance checklist** for authors and reviewers.
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+---
+
+## 8) Acceptance criteria
+
+* Policies are versioned, approvable, and compilable; invalid DSL blocks merges.
+* Engine produces deterministic outputs with full rationale chains.
+* VEX precedence rules work per spec and are overridable by policy.
+* Simulation yields accurate pre/post deltas and diffs.
+* Only Policy Engine can write to `effective_finding_*`.
+* Incremental runs pick up new advisories/VEX/SBOM changes without full re‑runs.
+* Console and CLI cover authoring, simulation, approval, and retrieval.
+* Observability dashboards show rule hits, VEX wins, and run timings.
+
+---
+
+## 9) Risks and mitigations
+
+* **Policy sprawl**: too many similar policies.
+
+ * Mitigation: templates, policy inheritance in v1.1, tagging, ownership metadata.
+* **Non‑determinism creep**: someone sneaks wall‑clock or network into evaluation.
+
+ * Mitigation: determinism guard, static analyzer, and CI replay check.
+* **Join miss‑rate**: weak linksets cause under‑matching.
+
+ * Mitigation: linkset strengthening in ingestion, PURL equivalence tables, monitoring for “zero‑hit” rates.
+* **Approval bottlenecks**: blocked rollouts.
+
+ * Mitigation: RBAC with delegated approvers and time‑boxed SLAs.
+
+---
+
+## 10) Test plan
+
+* **Unit**: parser, compiler, evaluator; conflict resolution; precedence.
+* **Property**: random policies over synthetic inputs; ensure no panics and stable outputs.
+* **Golden**: fixed SBOM + curated advisories/VEX → expected findings; compare every run.
+* **Performance**: large SBOMs with heavy rule sets; assert run times and memory ceilings.
+* **Integration**: end‑to‑end simulate → approve → run → diff; verify write protections.
+* **Chaos**: inject malformed VEX, missing advisories; ensure graceful degradation and clear errors.
+
+---
+
+## 11) Developer checklists
+
+**Definition of Ready**
+
+* Policy grammar finalized; examples prepared.
+* Linkset join queries benchmarked.
+* Owner and approvers assigned.
+
+**Definition of Done**
+
+* All APIs live with RBAC.
+* CLI and Console features shipped.
+* Determinism and golden tests green.
+* Observability dashboards deployed.
+* Docs in section 7 merged.
+* Two real org policies migrated and in production.
+
+---
+
+## 12) Glossary
+
+* **Policy**: versioned rule set controlling status and severity.
+* **DSL**: domain‑specific language used to express rules.
+* **Run**: a single evaluation execution with defined inputs and outputs.
+* **Simulation**: a run that doesn’t write findings; returns diffs.
+* **Materialization**: persisted effective findings for fast queries.
+* **Determinism**: same inputs + same policy = same outputs. Always.
+
+---
+
+### Final imposed reminder
+
+**Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.**
diff --git a/EPIC_3.md b/EPIC_3.md
new file mode 100644
index 00000000..5d7d499b
--- /dev/null
+++ b/EPIC_3.md
@@ -0,0 +1,531 @@
+Here’s Epic 3 in the same “paste‑into‑repo” format: exhaustive, implementation‑ready, and aligned with the AOC model plus the Policy Engine from the previous epics.
+
+---
+
+# Epic 3: StellaOps Console (Web UI over WebServices)
+
+> Short name: **StellaOps Console**
+> Services touched: **Web API Gateway, Authority (authN/Z), Policy Engine, SBOM Service, Conseiller (Feedser), Excitator (Vexer), Scheduler/Workers, Telemetry**
+> Data stores used via APIs: **MongoDB (reads only from UI), object storage for traces**, optional **Redis/NATS** for live updates
+> Deliverable: **TypeScript/React web application** with a component library and feature modules, packaged as container images and static builds
+
+---
+
+## 1) What it is
+
+**StellaOps Console** is the first‑party Web UI for all Stella WebServices. It provides a cohesive, role‑aware surface for:
+
+* Viewing raw AOC facts (advisories, VEX, SBOMs) without mutation.
+* Applying and simulating policies (VEX application rules, advisory normalization) then exploring **effective findings**.
+* Navigating SBOMs as graphs, zooming into components, and seeing linked advisories/VEX with clear precedence.
+* Running and monitoring evaluations, auditing why decisions were made, and exporting evidence.
+* Administering tenants, users and roles, API tokens, and integrations.
+* Publishing a self‑hostable Console image and a **Download & Install** page covering all product containers.
+
+The Console is a read‑write client for allowable operations (policy authoring, run orchestration, approvals), and strictly read‑only for **raw facts** per the AOC enforcement. It is **not** a new API; it is a UI over the existing ones with strong guardrails and deterministic behavior.
+
+---
+
+## 2) Why
+
+* Teams need a single, consistent interface to explore SBOMs, advisories, VEX, and policy outcomes.
+* Audits require visible provenance, replayable evidence, and explanation chains.
+* Policy creation and simulation are safer when you can see deltas and traces.
+* Many workflows benefit from visual tools: graph explorers, diff views, and step‑wise wizards.
+* Not everyone wants to live in the CLI all day. Parity and choice matter.
+
+---
+
+## 3) How it should work (maximum detail)
+
+### 3.1 Information architecture
+
+Top‑level navigation with a tenant context picker:
+
+1. **Dashboard**: high‑level posture and recent changes.
+2. **SBOMs**: catalog, search, and **Graph Explorer**.
+3. **Advisories & VEX**: raw fact browsers with aggregation‑not‑merge semantics.
+4. **Findings**: policy‑materialized findings with filters and explanations.
+5. **Policies**: editor, simulation, versioning, approvals.
+6. **Runs**: orchestration, live progress, history, diffs.
+7. **Reports & Export**: evidence packages, CSV/JSON exports.
+8. **Admin**: users/roles, tokens, SSO, tenants, registries, settings.
+9. **Downloads**: product containers and installation instructions.
+
+Global elements:
+
+* **Global Filters**: policy version, environment profile, severity band, time window.
+* **Search Bar**: PURL, CVE/GHSA IDs, SBOM IDs.
+* **Live Status**: background jobs, queue lag, last sync cursors.
+* **Help & Docs**: contextual deep links into `/docs/*`.
+
+### 3.2 Navigation & routes
+
+```
+/dashboard
+/sboms
+/sboms/:sbomId
+/sboms/:sbomId/graph
+/advisories
+/advisories/:advisoryId (shows all linked sources; aggregation only)
+/vex
+/vex/:vexId
+/findings?policy=:pid&sbom=:sid&status=:st&severity=:sev
+/findings/:findingId/explain
+/policies
+/policies/:policyId/versions/:v
+/policies/:policyId/simulate
+/runs
+/runs/:runId
+/reports
+/admin/users
+/admin/roles
+/admin/tenants
+/admin/integrations
+/admin/tokens
+/downloads
+```
+
+### 3.3 Core feature modules
+
+#### 3.3.1 Dashboard
+
+* Cards: “Findings by severity,” “VEX overrides in last 24h,” “New advisories linked,” “Run health,” “Policy changes.”
+* Click‑through to filtered views.
+* Data sources: aggregated endpoints exposed by Web API (no client‑side aggregation over large sets).
+
+#### 3.3.2 SBOM Explorer (catalog + graph)
+
+* **Catalog**: table with SBOM ID, artifact name/version, source, ingest time, component count, last evaluation per policy.
+* **Detail**: components tabular view with paging; filters by package type, license, scope.
+* **Graph Explorer**:
+
+ * Interactive canvas with pan/zoom, focus on component, dependency paths, reachability placeholders.
+ * Overlay toggles: highlight components with affected findings; show VEX “not_affected” zones; show licenses risk overlay.
+ * **Policy overlays**: toggle between policy versions to see in‑place severity/status changes.
+* **Actions**: export component list, copy PURL, open related findings.
+
+**AOC alignment**: SBOM content is immutable; any edits are proposed as new SBOM versions upstream. UI displays raw SBOM JSON in a read‑only side panel.
+
+#### 3.3.3 Advisories & VEX browsers
+
+* **Advisories list**:
+
+ * Left panel: filters by source (OSV, GHSA, CSAF vendors, NVD), published/modified time, affected ecosystem.
+ * Middle panel: **aggregation group** keyed by linkset identity (same vulnerability across sources). No merging; show a roll‑up with per‑source chips.
+ * Right panel: selected advisory source view with raw JSON, references, CVSS vectors, and “linked SBOM components” sample.
+ * Severity shown three ways: vendor‑reported, normalized (per mapping), and **effective** under the currently selected policy.
+* **VEX list**:
+
+ * Filters by vendor, product, status, justification, scope.
+ * Detail panel: all statements applying to the same `(component, advisory)` tuple, with precedence logic visualization and the statement that won under the current policy.
+ * Raw JSON viewer for each document.
+
+**Strict rule**: Conseiller and Excitator are visualized as **aggregators only**. No UI affordance suggests server‑side merging. All links route to raw documents with reference IDs.
+
+#### 3.3.4 Findings
+
+* Virtualized table supporting millions of rows via server‑side pagination and cursoring.
+* Columns: policy, SBOM, component PURL, advisory IDs (chips for each source), status, severity, last updated, rationale count.
+* Row click → **Explain** view with rule hits in order, references to advisories/VEX used, and links to raw docs and trace blobs.
+* Bulk export with query replay (the export API re‑runs the same filters on the server and streams CSV/JSON).
+
+#### 3.3.5 Policies
+
+* Embedded **Policy Editor** (from Epic 2) with Monaco features, simulation panel, diffs, and approval workflow.
+* Pre‑commit lint and compile; cannot submit with syntax errors.
+* Simulation results show increase/decrease unchanged counts, top rules impacting results, and sample affected components.
+
+#### 3.3.6 Runs
+
+* Queue view: queued/running/succeeded/failed with timestamps and SLA hints.
+* Live progress with **SSE/WebSocket** updates: tuples processed, rules fired, findings materialized.
+* Diff view between runs for the same policy and SBOM set.
+* Retry and cancel actions as allowed by RBAC.
+
+#### 3.3.7 Reports & Export
+
+* Evidence bundle creation: include policy version, run ID, sample traces, and result slices.
+* Export templates (CSV for management, JSON/NDJSON for SIEM ingestion).
+* Signed export manifests with checksums.
+
+#### 3.3.8 Admin
+
+* Users & Roles: invite, disable, role mapping.
+* Tenants: create, switch, default policy bindings.
+* Tokens: create scoped API tokens with expirations.
+* Integrations: configure SSO (OIDC), registries, webhooks.
+* Settings: environment defaults for policy evaluation (exposure, runtime hints).
+
+#### 3.3.9 Downloads
+
+* List of official Docker images: `stella-console`, `stella-api`, `conseiller`, `excitator`, `sbom-svc`, `policy-engine`, etc.
+* Version matrix, pull commands, Helm chart snippet, offline tarballs, and system requirements.
+* Link to `/docs/install/docker.md` and `/docs/deploy/console.md`.
+
+### 3.4 UX flows (key tasks)
+
+* **Triage a vulnerability**: search CVE → open roll‑up → view all sources → jump to affected findings → open Explain → see VEX precedence → decide if policy change is needed → simulate policy → if good, submit and request approval → run → verify new findings.
+* **Investigate SBOM**: open SBOM → Graph Explorer → highlight affected nodes under policy P‑X vN → click a node → see linked advisories + VEX → open Explain for a specific finding.
+* **Audit evidence**: open run → download evidence bundle with policy, run metadata, traces, and effective finding slice.
+* **Onboard team**: invite users, set roles, define default tenant policies, give read‑only access to auditors.
+
+### 3.5 CLI vs UI parity
+
+Create `/docs/cli-vs-ui-parity.md` with a matrix. Principle:
+
+* All **read** capabilities must exist in both CLI and UI.
+* All **policy lifecycle** actions exist in both.
+* Long‑running operations can be initiated in UI and monitored in either surface.
+
+### 3.6 Security & auth
+
+* Auth: OIDC with PKCE; short‑lived ID tokens; silent refresh.
+* RBAC enforced by the API; UI only gates affordances and never trusts itself.
+* CSRF not applicable for token‑based APIs; still set robust **CSP**, **X‑Frame‑Options**, and **Referrer‑Policy**.
+* Tenancy: every API call includes tenant header; UI shows explicit tenant badge.
+* Sensitive pages require **fresh auth** (re‑prompt).
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+### 3.7 Accessibility & i18n
+
+* WCAG 2.1 AA: keyboard nav, focus indicators, ARIA for tables and graphs, color‑contrast tests.
+* i18n scaffolding via ICU messages; English shipped first; content keys stored in code, translations as JSON resources.
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+### 3.8 Performance
+
+* Use server‑side pagination and cursoring everywhere; never fetch unbounded lists.
+* Virtualized tables and lazy panels.
+* Graph Explorer loads neighborhood windows, not whole graphs.
+* Cache with TanStack Query; deduplicate requests; stale‑while‑revalidate.
+* Performance budgets in CI (Lighthouse): TTI < 3.5s on reference hardware.
+
+### 3.9 Error handling & offline
+
+* Error boundaries per feature; retry buttons; copyable request IDs.
+* Network loss → banner + read‑only cached views where safe.
+* Clear messages for **AOC** constraints: raw facts cannot be edited.
+
+### 3.10 Telemetry & observability
+
+* UI event telemetry to internal sink (no third‑party beacons by default).
+* Metrics: UI API latency percentiles, error rates, SSE subscription health.
+* Feature flags to dark‑launch modules.
+
+---
+
+## 4) APIs consumed (representative)
+
+* `GET /sboms`, `GET /sboms/{id}`, `GET /sboms/{id}/components?cursor=...`
+* `GET /advisories?source=...`, `GET /advisories/{id}`, `GET /advisories/{id}/linked`
+* `GET /vex?status=...`, `GET /vex/{id}`
+* `GET /findings/{policyId}` and `GET /findings/{policyId}/{findingId}/explain`
+* `POST /policies`, `POST /policies/{id}/compile`, `POST /policies/{id}/simulate`, `POST /policies/{id}/approve`
+* `POST /policies/{id}/runs`, `GET /policies/{id}/runs/{runId}` with SSE for progress
+* `POST /exports` for evidence bundles
+* `GET /auth/user`, `GET /auth/tenants`, `POST /admin/users`, `POST /admin/tokens`
+
+All calls include tenant scope headers and bearer tokens from Authority.
+
+---
+
+## 5) Implementation plan
+
+### 5.1 Frontend architecture
+
+* **Framework**: Next.js 14 (App Router) with TypeScript.
+* **State/data**: TanStack Query for server state; Redux only if a global app state proves necessary.
+* **UI toolkit**: Internal **Stella UI** component library (headless + primitives) with CSS variables and design tokens.
+* **Visualization**: D3 for graph, Monaco for policy editing.
+* **Testing**: Playwright (E2E), Vitest/Jest (unit), Storybook (components), Lighthouse (perf).
+* **i18n**: `@formatjs/intl` + message catalogs.
+* **Packaging**: static build served by Node adapter behind the API gateway; also a `stella-console` Docker image.
+
+**Repo layout**
+
+```
+/console
+ /apps/web
+ /packages/ui # design system & components
+ /packages/api # typed API clients (OpenAPI codegen)
+ /packages/features # feature modules (sboms, advisories, vex, findings, policies, runs, admin)
+ /packages/utils
+ /e2e
+ /storybook
+```
+
+### 5.2 Design System (packages/ui)
+
+* Foundation tokens: color, spacing, typography, elevation; dark/light modes.
+* Components: AppShell, Nav, DataTable (virtualized), Badge/Chip, Tabs, Drawer, GraphCanvas, CodeViewer (read‑only JSON), Form primitives, Modal, Toast, Pill filters.
+* Accessibility baked into components; snapshot and interaction tests in Storybook.
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+### 5.3 Feature modules
+
+Each module has:
+
+* `routes.tsx` pages, `api` data hooks, `components`, `tests`, `docs link`.
+* Query keys standardized for caching and invalidation.
+
+**SBOMs**
+
+* Hooks: `useSboms`, `useSbom(id)`, `useComponents(sbomId, query)`.
+* GraphCanvas using neighborhood loaders: `/sboms/:id/graph?center=:purl&depth=1..3`.
+
+**Advisories**
+
+* `useAdvisories(filters)` and `useAdvisory(id)` plus `useLinkedAdvisories(id)`.
+* UI explicitly shows aggregation groups; never collapses sources into one record.
+
+**VEX**
+
+* `useVex(filters)`, `useVexDoc(id)`, `useVexForTuple(purl, advisoryId)` for precedence views.
+
+**Findings**
+
+* `useFindings(policyId, filters, cursor)` and `useFinding(findingId)`.
+* Explain viewer reading `/findings/:policyId/:findingId/explain`.
+
+**Policies**
+
+* Monaco editor wrapper; compile/simulate actions; approval dialog.
+* Diff viewer using the compiler’s diagnostics and rule stats.
+
+**Runs**
+
+* `useRuns`, `useRun(runId)` + SSE hook `useRunProgress(runId)`.
+
+**Admin**
+
+* `useUsers`, `useRoles`, `useTenants`, `useTokens`, `useIntegrations`.
+
+**Downloads**
+
+* Static page with dynamic image tags fetched from registry metadata endpoint; copy‑able commands and Helm snippets.
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+### 5.4 Live updates
+
+* SSE/WebSocket client with backoff, heartbeat, and re‑subscribe logic.
+* Only Runs and slim “ticker” endpoints use live channels; everything else is HTTP pull with caching.
+
+### 5.5 Security
+
+* OIDC PKCE flow; token storage in memory; refresh via hidden iframe or refresh endpoint.
+* CSP locked to same‑origin, with hashes for inline scripts from Next.
+* Feature flags control admin features visibility; RBAC double‑checked on server responses.
+
+### 5.6 Packaging & distribution
+
+* `stella-console:` image built in CI; Nginx or Node serve.
+* Helm chart values include Authority issuer, API base URL, tenant defaults.
+* Offline bundle artifact for air‑gapped deployments.
+
+---
+
+## 6) Documentation changes (create/update)
+
+1. **`/docs/ui/console-overview.md`**
+
+ * Purpose, IA, tenant model, role mapping, AOC alignment.
+2. **`/docs/ui/navigation.md`**
+
+ * Route map, global filters, keyboard shortcuts, deep links.
+3. **`/docs/ui/sbom-explorer.md`**
+
+ * Catalog, detail, Graph Explorer, overlays, exports.
+4. **`/docs/ui/advisories-and-vex.md`**
+
+ * Aggregation‑not‑merge, multi‑source roll‑ups, raw viewers.
+5. **`/docs/ui/findings.md`**
+
+ * Filters, table semantics, explain view, exports.
+6. **`/docs/ui/policies.md`**
+
+ * Editor, simulation, diffs, approvals, links to DSL docs.
+7. **`/docs/ui/runs.md`**
+
+ * Queue, live progress, diffs, retries, evidence bundles.
+8. **`/docs/ui/admin.md`**
+
+ * Users, roles, tenants, tokens, integrations.
+9. **`/docs/ui/downloads.md`**
+
+ * Containers list, versions, pull/install commands, air‑gapped flow.
+10. **`/docs/deploy/console.md`**
+
+ * Helm, ingress, TLS, CSP, environment variables, health checks.
+11. **`/docs/install/docker.md`**
+
+ * All container images, pull commands, compose/Helm examples.
+12. **`/docs/security/console-security.md`**
+
+ * OIDC, RBAC, CSP, tenancy, evidence of least privilege.
+13. **`/docs/observability/ui-telemetry.md`**
+
+ * UI metrics, logs, dashboards, feature flags.
+14. **`/docs/cli-vs-ui-parity.md`**
+
+ * Matrix of operations and surfaces.
+15. **`/docs/architecture/console.md`**
+
+ * Frontend architecture, packages, data flow diagrams, SSE design.
+16. **`/docs/accessibility.md`**
+
+ * WCAG checklist, testing tools, color tokens.
+17. **`/docs/examples/ui-tours.md`**
+
+ * Task‑centric walkthroughs: triage, audit, policy rollout.
+
+> Each document includes a “Compliance checklist” section.
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+---
+
+## 7) Tasks (tracked per team)
+
+### 7.1 Console scaffold & infra
+
+* [ ] Initialize Next.js 14 TypeScript app with App Router.
+* [ ] Set up TanStack Query, Auth context, Error boundaries, Toasts.
+* [ ] Integrate OIDC client; implement login/logout, tenant picker.
+* [ ] Add design tokens and base components in `packages/ui`.
+* [ ] Configure CI: build, test, lint, type‑check, Lighthouse budgets.
+* [ ] Build `stella-console` container image and Helm chart.
+
+### 7.2 Typed API client
+
+* [ ] Generate clients from OpenAPI; wrap with hooks in `packages/api`.
+* [ ] Centralize retry, error mapping, tenant header injection.
+
+### 7.3 Feature delivery
+
+**SBOMs**
+
+* [ ] Catalog page with filters, server pagination.
+* [ ] SBOM detail with components table.
+* [ ] Graph Explorer with overlays and neighborhood loaders.
+* [ ] Raw JSON viewer drawer.
+
+**Advisories & VEX**
+
+* [ ] Advisory aggregation list; per‑source chips; raw view.
+* [ ] VEX list with filters; precedence explainer per tuple.
+* [ ] Link outs to Findings and SBOMs.
+
+**Findings**
+
+* [ ] Virtualized table; filters; saved views.
+* [ ] Explain view: rules fired, references, trace links.
+* [ ] Export actions (CSV/JSON stream).
+
+**Policies**
+
+* [ ] Monaco editor with syntax/diagnostics; compile and simulate.
+* [ ] Diff and impact panel; submit and approve workflow.
+* [ ] Run from simulation context.
+
+**Runs**
+
+* [ ] Runs list; run detail with SSE progress.
+* [ ] Diff between runs; evidence bundle download.
+
+**Admin**
+
+* [ ] Users/roles CRUD; token issuance; tenant management.
+* [ ] Integrations: OIDC config form; registry connections.
+* [ ] Settings for environment defaults.
+
+**Downloads**
+
+* [ ] Registry tag fetch, pull commands, Helm snippet generator.
+* [ ] Air‑gapped instructions and offline bundle download.
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+### 7.4 Quality gates
+
+* [ ] Playwright E2E for core flows: triage, simulate, approve, run, explain.
+* [ ] Storybook with a11y addon and interaction tests.
+* [ ] Lighthouse CI budgets met; perf regressions block merges.
+* [ ] i18n scaffolding ready; all strings externalized.
+* [ ] Security checks: CSP effective, OIDC flows tested, RBAC enforced.
+
+### 7.5 Docs tasks
+
+* [ ] Populate all docs listed in section 6 with screenshots and animated GIFs.
+* [ ] Add “CLI vs UI” parity matrix and keep it in CI to detect drift.
+* [ ] Add “AOC user guide” callouts explaining raw fact immutability across pages.
+
+---
+
+## 8) Feature flags
+
+* `ui.graph-explorer`
+* `ui.policy-editor`
+* `ui.ai-assist` (off by default; when enabled, renders a right‑rail for human‑in‑the‑loop summaries)
+* `ui.downloads`
+
+Flag definitions and defaults live in `/docs/observability/ui-telemetry.md` and config map.
+
+---
+
+## 9) Acceptance criteria
+
+* Console ships as a container image with Helm deployment and a static build option.
+* SBOM Explorer visualizes graphs and overlays policy outcomes without page crashes on large SBOMs.
+* Advisories/VEX browsers display **aggregation only**, never merge sources; raw document viewers are present.
+* Findings view supports server‑side pagination and Explain with rule traces.
+* Policy Editor compiles, simulates, diffs, and supports approval workflows.
+* Runs page shows live progress and enables evidence exports.
+* Admin handles users, roles, tenants, tokens, and OIDC configuration.
+* Downloads page lists all images and installation paths.
+* All pages meet a11y checks and pass Lighthouse budgets.
+* RBAC enforced in UI affordances and validated by API responses.
+
+---
+
+## 10) Risks and mitigations
+
+* **Graph performance** on very large SBOMs → use neighborhood windows and server filters; cap depth.
+* **UI/CLI drift** → parity matrix in CI; failing check blocks release.
+* **Overfetching** → TanStack caching, cursor‑based endpoints, and strict data‑layer reviews.
+* **Scope creep** in Admin → feature‑flag granular sections, ship iteratively.
+* **AOC confusion** → constant raw/derived labeling and “view raw” toggles.
+
+---
+
+## 11) Test plan
+
+* **Unit**: hooks and components; data adapters; graph layout utils.
+* **E2E**: Playwright flows for triage, simulation→approval→run→explain, admin RBAC.
+* **A11y**: axe‑core in CI and manual keyboard checks.
+* **Perf**: Lighthouse against seeded data; visual regression on Storybook.
+* **Security**: OIDC happy and unhappy paths, CSP violation tests, SSRF resistance for downloads metadata.
+* **Resilience**: simulate API timeouts; verify error boundaries and retries.
+
+---
+
+## 12) Non‑goals (this epic)
+
+* No server‑side report authoring engine beyond export templates.
+* No proprietary graph database; server remains RESTful with indexed queries.
+* No speculative automatic policy changes; all edits remain human‑driven.
+
+---
+
+## 13) Philosophy and guiding principles
+
+* **AOC first**: the UI respects facts vs decisions. Raw content is immutable and visible.
+* **Deterministic outcomes**: what you see equals what the Policy Engine produced, with an explanation you can export.
+* **Explainability** over cleverness: every badge, color, and status maps to a rule and a source.
+* **Parity**: UI is not a second‑class citizen, and the CLI is not an afterthought.
+* **Composability**: modules are independent packages with clear contracts and tests.
+
+> Final reminder: **Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.**
diff --git a/EPIC_4.md b/EPIC_4.md
new file mode 100644
index 00000000..f85d1a5f
--- /dev/null
+++ b/EPIC_4.md
@@ -0,0 +1,409 @@
+Here’s Epic 4 in the same paste‑into‑repo, implementation‑ready style as the prior epics. It’s exhaustive, formal, and slots directly into the existing AOC model, Policy Engine, and Console.
+
+---
+
+# Epic 4: Policy Studio (author, version, simulate)
+
+> Short name: **Policy Studio**
+> Services touched: **Policy Engine**, **Policy Registry** (new), **Web API Gateway**, **Authority** (authN/Z), **Scheduler/Workers**, **SBOM Service**, **Conseiller (Feedser)**, **Excitator (Vexer)**, **Telemetry**
+> Surfaces: **Console (Web UI)** feature module, **CLI**, **CI hooks**
+> Deliverables: Authoring workspace, policy versioning, static checks, simulation at scale, reviews/approvals, signing/publishing, promotion
+
+---
+
+## 1) What it is
+
+**Policy Studio** is the end‑to‑end system for creating, evolving, and safely rolling out the rules that turn AOC facts (SBOM, advisories, VEX) into **effective findings**. It provides:
+
+* A **workspace** where authors write policies in the DSL (Epic 2), with linting, autocompletion, snippets, and templates.
+* A **Policy Registry** that stores immutable versions, compiled artifacts, metadata, provenance, and signatures.
+* **Simulation** at two levels: quick local samples and large batch simulations across real SBOM inventories with full deltas.
+* A **review/approval** workflow with comments, diffs, required approvers, and promotion to environments (dev/test/prod).
+* **Publishing** semantics: signed, immutable versions bound to tenants; rollback and deprecation.
+* Tight integration with **Explain** traces so any change can show exactly which rules fired and why outcomes shifted.
+
+The Studio respects **AOC enforcement**: policies never edit or merge facts. They only interpret facts and produce determinations consistent with precedence rules defined in the DSL.
+
+---
+
+## 2) Why
+
+* Policy errors are expensive. Authors need safe sandboxes, deterministic builds, and evidence before rollout.
+* Auditors require immutability, provenance, and reproducibility from “source policy” to “effective finding.”
+* Teams want gradual rollout: simulate, canary, promote, observe, rollback.
+* Policy knowledge should be modular, reusable, and testable, not tribal.
+
+---
+
+## 3) How it should work (maximum detail)
+
+### 3.1 Domain model
+
+* **PolicyPackage**: `{name, tenant, description, owners[], tags[], created_at}`
+* **PolicyVersion** (immutable): `{package, semver, source_sha, compiled_sha, status: draft|review|approved|published|deprecated|archived, created_by, created_at, signatures[], changelog, metadata{}}`
+* **Workspace**: mutable working area for authors; holds unversioned edits until compiled.
+* **CompilationArtifact**: `{policy_version, compiler_version, diagnostics[], rule_index[], symbol_table}`
+* **SimulationSpec**: `{policy_version|workspace, sbom_selector, time_window?, environment?, sample_size?, severity_floor?, includes{advisories?, vex?}}`
+* **SimulationRun**: `{run_id, spec, started_at, finished_at, result{counts_before, counts_after, top_deltas[], by_rule_hit[], sample_explains[]}}`
+* **Review**: `{policy_version, required_approvers[], votes[], comments[], files_changed[], diffs[]}`
+* **Promotion**: `{policy_version, environment: dev|test|prod, promoted_by, promoted_at, rollout_strategy: All|Percent|TenantSubset}`
+* **Attestation**: OIDC‑backed signature metadata binding `source_sha` and `compiled_sha` to an actor and time.
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+### 3.2 Authoring workflow
+
+1. **Create** a workspace from a template (e.g., “Default Risk Model,” “License Tilted,” “Cloud‑Native SBOM”).
+2. **Edit** in the Studio: Monaco editor with DSL grammar, intelligent completion for predicates, policies, attributes.
+3. **Lint & compile** locally: semantic checks, forbidden rules detection, policy size limits, constant‑folding.
+4. **Unit tests**: run policy test cases on bundled fixtures and golden expectations.
+5. **Quick simulate** on selected SBOMs (10–50 items) to preview counts, examples, and rule heatmap.
+6. **Propose version**: bump semver, enter changelog; create a **PolicyVersion** in `review` with compiled artifacts.
+7. **Review & approval**: side‑by‑side diff, comments, required approvers enforced by RBAC.
+8. **Batch simulation**: run at scale across tenant inventory; produce deltas, sample explainer evidence.
+9. **Publish**: sign and move to `published`; optional **Promotion** to target environment(s).
+10. **Run** evaluation with the selected policy version; verify outcomes; optionally promote to default.
+11. **Rollback**: select an older version; promotion updates references without mutating older versions.
+
+### 3.3 Editing experience (Console)
+
+* **Three‑pane layout**: file tree, editor, diagnostics/simulation.
+* **Features**: autocomplete from symbol table, in‑editor docs on hover, go‑to definition, rule references, rename symbols across files, snippet library, policy templates.
+* **Validations**:
+
+ * AOC guardrails: no edit/merge actions on source facts, only interpretation.
+ * Precedence correctness: if rules conflict, studio shows explicit order and effective winner.
+ * Severity floor and normalization mapping validated against registry configuration.
+* **Diagnostics panel**: errors, warnings, performance hints (e.g., “predicate X loads N advisories per component; consider indexing”).
+* **Rule heatmap**: during simulation, bar chart of rule firings and the objects they impact.
+* **Explain sampler**: click any delta bucket to open a sampled finding with full trace.
+
+### 3.4 Simulation
+
+* **Quick Sim**: synchronous; runs in browser‑orchestrated job against API, constrained by `sample_size`.
+* **Batch Sim**: asynchronous run in workers:
+
+ * Input selection: all SBOMs, labels, artifact regex, last N ingests, or a curated set.
+ * Outputs: counts by severity before/after, by status, top deltas by component and advisory, rule heatmap, top K affected artifacts.
+ * Evidence: NDJSON of sampled findings with traces; CSV summary; signed result manifest.
+ * Guardrails: cannot publish if batch sim drift > configurable threshold without an override justification.
+
+### 3.5 Versioning & promotion
+
+* Semver enforced: `major` implies compatibility break (e.g., precedence changes), `minor` adds rules, `patch` fixes.
+* **Immutable**: after `published`, the version cannot change; deprecate instead.
+* **Environment bindings**: dev/test/prod mapping per tenant; default policy per environment.
+* **Canary**: promote to a subset of tenants or artifacts; the Runs page displays A/B comparisons.
+
+### 3.6 Review & approval
+
+* Require N approvers by role; self‑approval optionally prohibited.
+* Line and file comments; overall decision with justification.
+* Review snapshot captures: diffs, diagnostics, simulation summary.
+* Webhooks to notify external systems of review events.
+
+### 3.7 RBAC (Authority)
+
+Roles per tenant:
+
+* **Policy Author**: create/edit workspace, quick sim, propose versions.
+* **Policy Reviewer**: comment, request changes, approve/reject.
+* **Policy Approver**: final approve, publish.
+* **Policy Operator**: promote, rollback, schedule runs.
+* **Read‑only Auditor**: view everything, download evidence.
+
+All actions server‑checked; UI only hides affordances.
+
+### 3.8 CLI + CI integration
+
+CLI verbs (examples):
+
+```
+stella policy init --template default
+stella policy lint
+stella policy compile
+stella policy test --golden ./tests
+stella policy simulate --sboms label:prod --sample 1000
+stella policy version bump --level minor --changelog "Normalize GHSA CVSS"
+stella policy submit --reviewers alice@example.com,bob@example.com
+stella policy approve --version 1.3.0
+stella policy publish --version 1.3.0 --sign
+stella policy promote --version 1.3.0 --env test --percent 20
+stella policy rollback --env prod --to 1.2.1
+```
+
+CI usage:
+
+* Lint, compile, and run unit tests on PRs that modify `/policies/**`.
+* Optionally trigger **Batch Sim** against a staging inventory and post a Markdown report to the PR.
+* Block merge if diagnostics include errors or drift exceeds thresholds.
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+### 3.9 APIs (representative)
+
+* `POST /policies/workspaces` create from template
+* `PUT /policies/workspaces/{id}/files` edit source files
+* `POST /policies/workspaces/{id}/compile` get diagnostics + compiled artifact
+* `POST /policies/workspaces/{id}/simulate` quick sim
+* `POST /policies/versions` create version from workspace with semver + changelog
+* `GET /policies/versions/{id}` fetch version + diagnostics + sim summary
+* `POST /policies/versions/{id}/reviews` open review
+* `POST /policies/versions/{id}/approve` record approval
+* `POST /policies/versions/{id}/publish` sign + publish
+* `POST /policies/versions/{id}/promote` bind to env/canary
+* `POST /policies/versions/{id}/simulate-batch` start batch sim (async)
+* `GET /policies/simulations/{run_id}` get sim results and artifacts
+* `GET /policies/registry` list packages/versions, status and bindings
+
+All calls require tenant scoping and RBAC.
+
+### 3.10 Storage & data
+
+* **Policy Registry DB** (MongoDB): packages, versions, workspaces, metadata.
+* **Object storage**: source bundles, compiled artifacts, simulation result bundles, evidence.
+* **Indexing**: compound indexes by `{tenant, package}`, `{tenant, status}`, `{tenant, environment}`.
+* **Retention**: configurable retention for workspaces and simulation artifacts; versions never deleted, only archived.
+
+### 3.11 Evidence & provenance
+
+* Every published version has:
+
+ * `source_sha` (content digest of the policy source bundle)
+ * `compiled_sha` (digest of compiled artifact)
+ * Attestation: signed envelope binding digests to an identity, time, and tenant.
+ * Links to the exact compiler version, inputs, and environment.
+
+### 3.12 Observability
+
+* Metrics: compile time, diagnostics rate, simulation queue depth, delta magnitude distribution, approval latencies.
+* Logs: structured events for lifecycle transitions.
+* Traces: long simulations emit span per shard.
+
+### 3.13 Performance & scale
+
+* Compilation should complete under 3 seconds for typical policies; warn at 10s.
+* Batch sim uses workers with partitioning by SBOM id; results reduced by the API.
+* Memory guardrails on rule execution; deny policies that exceed configured complexity limits.
+
+### 3.14 Security
+
+* OIDC‑backed signing and attestation.
+* Policy sources are scanned on upload for secrets; blocked if found.
+* Strict CSP in Studio pages; tokens stored in memory, not localStorage.
+* Tenant isolation in buckets and DB collections.
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+---
+
+## 4) Implementation plan
+
+### 4.1 Services
+
+* **Policy Registry (new microservice)**
+
+ * REST API and background workers for batch simulation orchestration.
+ * Stores workspaces, versions, metadata, bindings, reviews.
+ * Generates signed attestations at publish time.
+ * Coordinates with **Policy Engine** for compile/simulate invocations.
+
+* **Policy Engine (existing)**
+
+ * Expose compile and simulate endpoints with deterministic outputs.
+ * Provide rule coverage, symbol table, and explain traces for samples.
+
+* **Web API Gateway**
+
+ * Routes requests; injects tenant context; enforces RBAC.
+
+### 4.2 Console (Web UI) feature module
+
+* `packages/features/policies` (shared with Epic 3):
+
+ * **Studio** routes: `/policies/studio`, `/policies/:id/versions/:v/edit`, `/simulate`, `/review`.
+ * Monaco editor wrapper for DSL with hover docs, autocomplete.
+ * Diff viewer, diagnostics, heatmap, explain sampler, review UI.
+
+### 4.3 CLI
+
+* New commands under `stella policy *`; typed client generated from OpenAPI.
+* Outputs machine‑readable JSON and pretty tables.
+
+### 4.4 Workers
+
+* **Simulation workers**: pull shards of SBOMs, run policy, emit partials, reduce into result bundle.
+* **Notification worker**: sends webhooks on review, approval, publish, promote.
+
+---
+
+## 5) Documentation changes (create/update)
+
+1. **`/docs/policy/studio-overview.md`**
+
+ * Concepts, roles, lifecycle, glossary.
+2. **`/docs/policy/authoring.md`**
+
+ * Workspace, templates, snippets, lint rules, best practices.
+3. **`/docs/policy/versioning-and-publishing.md`**
+
+ * Semver, immutability, deprecation, rollback, attestations.
+4. **`/docs/policy/simulation.md`**
+
+ * Quick vs batch sim, selection strategies, thresholds, evidence artifacts.
+5. **`/docs/policy/review-and-approval.md`**
+
+ * Required approvers, comments, webhooks, audit trail.
+6. **`/docs/policy/promotion.md`**
+
+ * Environments, canary, default policy binding, rollback.
+7. **`/docs/policy/cli.md`**
+
+ * Command reference with examples and JSON outputs.
+8. **`/docs/policy/api.md`**
+
+ * REST endpoints, request/response schemas, error codes.
+9. **`/docs/security/policy-attestations.md`**
+
+ * Signatures, digests, verifier steps.
+10. 
**`/docs/architecture/policy-registry.md`**
+
+ * Service design, schemas, queues, failure modes.
+11. **`/docs/observability/policy-telemetry.md`**
+
+ * Metrics, logs, tracing, dashboards.
+12. **`/docs/runbooks/policy-incident.md`**
+
+ * Rolling back a bad policy, freezing publishes, forensic steps.
+13. **`/docs/examples/policy-templates.md`**
+
+ * Ready‑made templates and snippet catalog.
+14. **`/docs/aoc/aoc-guardrails.md`**
+
+ * How Studio enforces AOC in authoring and review.
+
+Each doc ends with a “Compliance checklist.”
+**Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+---
+
+## 6) Tasks
+
+### 6.1 Backend: Policy Registry
+
+* [ ] Define OpenAPI spec for Registry (workspaces, versions, reviews, sim).
+* [ ] Implement workspace storage and file CRUD.
+* [ ] Integrate with Policy Engine compile endpoint; return diagnostics, symbol table.
+* [ ] Implement quick simulation with request limits.
+* [ ] Implement batch simulation orchestration: enqueue shards, collect results, reduce deltas, store artifacts.
+* [ ] Implement review model: comments, required approvers, decisions.
+* [ ] Implement publish: sign, persist attestation, set status=published.
+* [ ] Implement promotion bindings per tenant/environment; canary subsets.
+* [ ] RBAC checks for all endpoints.
+* [ ] Unit/integration tests; load tests for batch sim.
+
+### 6.2 Policy Engine enhancements
+
+* [ ] Return rule coverage and firing counts with compile/simulate.
+* [ ] Return symbol table and inline docs for editor autocomplete.
+* [ ] Expose deterministic Explain traces for sampled findings.
+* [ ] Enforce complexity/time limits and report breaches.
+
+### 6.3 Console (Web UI)
+
+* [ ] Build Studio editor wrapper with Monaco + DSL language server hooks.
+* [ ] Implement file tree, snippets, templates, hotkeys, search/replace.
+* [ ] Diagnostics panel with jump‑to‑line, quick fixes.
+* [ ] Simulation panel: quick sim UI, charts, heatmap, sample explains.
+* [ ] Review UI: diff, comments, approvals, status badges.
+* [ ] Publish & Promote flows with confirmation and post‑actions.
+* [ ] Batch sim results pages with export buttons.
+* [ ] Accessibility audits and keyboard‑only authoring flow.
+
+### 6.4 CLI
+
+* [ ] Implement commands listed in 3.8 with rich help and examples.
+* [ ] Add `--json` flag for machine consumption; emit stable schemas.
+* [ ] Exit codes aligned with CI usage (lint errors → non‑zero).
+
+### 6.5 CI/CD & Security
+
+* [ ] Add CI job that runs `stella policy lint/compile/test` on PRs.
+* [ ] Optional job that triggers batch sim against staging inventory; post summary to PR.
+* [ ] Policy source secret scanning; block on findings.
+* [ ] Signing keys configuration; verify pipeline for attestation on publish.
+
+### 6.6 Docs
+
+* [ ] Write all docs in section 5 with screenshots and CLI transcripts.
+* [ ] Add cookbook examples and templates in `/docs/examples/policy-templates.md`.
+* [ ] Wire contextual Help links from Studio to relevant docs.
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+---
+
+## 7) Acceptance criteria
+
+* Authors can create, edit, lint, compile policies with inline diagnostics and autocomplete.
+* Quick simulation produces counts, rule heatmap, and sample explains within UI.
+* Batch simulation scales across large SBOM sets, producing deltas and downloadable evidence.
+* Review requires configured approvers; comments and diffs are preserved.
+* Publish generates immutable, signed versions with attestations.
+* Promotion binds versions to environments and supports canary and rollback.
+* CLI supports full lifecycle and is usable in CI.
+* All actions are tenant‑scoped, RBAC‑enforced, and logged.
+* AOC guardrails prevent any mutation of raw facts.
+* Documentation shipped and linked contextually from the Studio.
+
+---
+
+## 8) Risks & mitigations
+
+* **Policy complexity causes timeouts** → compile‑time complexity scoring, execution limits, early diagnostics.
+* **Simulation cost at scale** → sharding and streaming reducers; sampling; configurable quotas.
+* **RBAC misconfiguration** → server‑enforced checks, defense‑in‑depth tests, deny‑by‑default.
+* **Attestation key management** → OIDC‑backed signatures; auditable verifier tool; time‑boxed credentials.
+* **Editor usability** → language server with accurate completions; docs on hover; snippet library.
+
+---
+
+## 9) Test plan
+
+* **Unit**: compiler adapters, registry models, reviewers workflow, CLI options.
+* **Integration**: compile→simulate→publish→promote on seeded data.
+* **E2E**: Playwright flows for author→review→batch sim→publish→promote→rollback.
+* **Performance**: load test batch simulation with 100k components spread across SBOMs.
+* **Security**: RBAC matrix tests; secret scanning; signing and verification.
+* **Determinism**: same inputs produce identical `compiled_sha` and simulation summaries.
+
+---
+
+## 10) Feature flags
+
+* `policy.studio` (enables editor and quick sim)
+* `policy.batch-sim`
+* `policy.canary-promotion`
+* `policy.signature-required` (enforce signing on publish)
+
+Flags documented in `/docs/observability/policy-telemetry.md`.
+
+---
+
+## 11) Non‑goals (this epic)
+
+* Building a general IDE for arbitrary languages; the editor is purpose‑built for the DSL.
+* Auto‑generated policies from AI without human approval.
+* Cross‑tenant policies; all policies are tenant‑scoped.
+
+---
+
+## 12) Philosophy
+
+* **Safety first**: it’s cheaper to prevent a bad policy than to fix its fallout.
+* **Determinism**: same inputs, same outputs, verifiably.
+* **Immutability**: versions and evidence are forever; we deprecate, not mutate.
+* **Transparency**: every change is explainable with traces and proofs.
+* **Reusability**: templates, snippets, and tests turn policy from art into engineering.
+
+> Final reminder: **Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.**
diff --git a/EPIC_5.md b/EPIC_5.md
new file mode 100644
index 00000000..9fac8b0c
--- /dev/null
+++ b/EPIC_5.md
@@ -0,0 +1,431 @@
+Here’s Epic 5 in the same paste‑into‑repo, implementation‑ready format as the prior epics. It’s exhaustive, formal, and designed to slot into AOC, Policy Engine, Conseiller/Excitator, and the Console.
+
+---
+
+# Epic 5: SBOM Graph Explorer
+
+> Short name: **Graph Explorer**
+> Services touched: **SBOM Service**, **Graph Indexer** (new), **Graph API** (new), **Policy Engine**, **Conseiller (Feedser)**, **Excitator (Vexer)**, **Web API Gateway**, **Authority** (authN/Z), **Workers/Scheduler**, **Telemetry**
+> Surfaces: **Console (Web UI)** graph module, **CLI**, **Exports**
+> Deliverables: Interactive graph UI with semantic zoom, saved queries, policy/VEX/advisory overlays, diff views, impact analysis, exports
+
+---
+
+## 1) What it is
+
+**SBOM Graph Explorer** is the interactive, tenant‑scoped view of all supply‑chain relationships the platform knows about, rendered as a navigable graph. It connects:
+
+* **Artifacts** (applications, images, libs), **Packages/Versions**, **Files/Paths**, **Licenses**, **Advisories** (from Conseiller), **VEX statements** (from Excitator), **Provenance** (builds, sources), and **Policies** (overlays of determinations)
+* **Edges** like `depends_on`, `contains`, `built_from`, `declared_in`, `affected_by`, `vex_exempts`, `governs_with`
+* **Time/version** dimension: multiple SBOM snapshots with diffs
+
+It’s built for investigation and review: find where a vulnerable package enters; see which apps are impacted; understand why a finding exists; simulate a policy version and see the delta. The explorer observes **AOC enforcement**: it never mutates facts; it aggregates and visualizes them. Only the Policy Engine may classify, and classification is displayed as overlays.
+
+---
+
+## 2) Why
+
+* SBOMs are graphs. Tables flatten what matters and hide transitive risk.
+* Engineers, security, and auditors need impact answers quickly: “What pulls in `log4j:2.17` and where is it at runtime?”
+* Policy/VEX/advisory interactions are nuanced. A visual overlay makes precedence and outcomes obvious.
+* Review is collaborative; you need saved queries, deep links, exports, and consistent evidence.
+
+---
+
+## 3) How it should work (maximum detail)
+
+### 3.1 Domain model
+
+**Nodes** (typed, versioned, tenant‑scoped):
+
+* `Artifact`: application, service, container image, library, module
+* `Package`: name + ecosystem (purl), `PackageVersion` with resolved version
+* `File`: path within artifact or image layer
+* `License`: SPDX id
+* `Advisory`: normalized advisory id (GHSA, CVE, vendor), source = Conseiller
+* `VEX`: statement with product context, status, justification, source = Excitator
+* `SBOM`: ingestion unit; includes metadata (tool, sha, build info)
+* `PolicyDetermination`: materialized view of Policy Engine results (read‑only overlay)
+* `Build`: provenance, commit, workflow run
+* `Source`: repo, tag, commit
+
+**Edges** (directed):
+
+* `declared_in` (PackageVersion → SBOM)
+* `contains` (Artifact → PackageVersion | File)
+* `depends_on` (PackageVersion → PackageVersion) with scope attr (prod|dev|test|optional)
+* `built_from` (Artifact → Build), `provenance_of` (Build → Source)
+* `affected_by` (PackageVersion → Advisory) with range semantics
+* `vex_exempts` (Advisory ↔ VEX) scoped by product/component
+* `licensed_under` (Artifact|PackageVersion → License)
+* `governs_with` (Artifact|PackageVersion → PolicyDetermination)
+* `derived_from` (SBOM → SBOM) for superseding snapshots
+
+**Identity & versioning**
+
+* Every node has a stable key: `{tenant}:{type}:{natural_id}` (e.g., purl for packages, digest for images).
+* SBOM snapshots are immutable; edges carry `valid_from`/`valid_to` for time travel and diffing.
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+### 3.2 User capabilities (end‑to‑end)
+
+* **Search & Navigate**: global search (purls, CVEs, repos, licenses), keyboard nav, breadcrumbs, semantic zoom.
+* **Lenses**: toggle views (Security, License, Provenance, Runtime vs Dev, Policy effect).
+* **Overlays**:
+
+ * **Advisory overlay**: show affected nodes/edges with source, severity, ranges.
+ * **VEX overlay**: show suppressions/justifications; collapse exempted paths.
+ * **Policy overlay**: choose a policy version; nodes/edges reflect determinations (severity, status) with explain sampling.
+* **Impact analysis**: pick a vulnerable node; highlight upstream/downstream dependents, scope filters, shortest/all paths with constraints.
+* **Diff view**: compare SBOM A vs B; show added/removed nodes/edges, changed versions, changed determinations.
+* **Saved queries**: visual builder + JSON query; shareable permalinks scoped by tenant and environment.
+* **Exports**: GraphML, CSV edge list, NDJSON of findings, PNG/SVG snapshot.
+* **Evidence details**: side panel with raw facts, advisory links, VEX statements, policy explain trace, provenance.
+* **Accessibility**: tab‑navigable, high‑contrast, screen‑reader labels for nodes and sidebars.
+
+### 3.3 Query model
+
+* **Visual builder** for common queries:
+
+ * “Show all paths from Artifact X to Advisory Y up to depth 6.”
+ * “All runtime dependencies with license = GPL‑3.0.”
+ * “All artifacts affected by GHSA‑… with no applicable VEX.”
+ * “Which SBOMs introduced/removed `openssl` between build 120 and 130?”
+* **JSON query** (internal, POST body) with:
+
+ * `start`: list of node selectors (type + id or attributes)
+ * `expand`: edge types and depth, direction, scope filters
+ * `where`: predicates on node/edge attributes
+ * `overlay`: policy version id, advisory sources, VEX filters
+ * `limit`: nodes, edges, timebox, cost budget
+* **Cost control**: server estimates cost, denies or pages results; UI streams partial graph tiles.
+
+### 3.4 UI architecture (Console)
+
+* **Canvas**: WebGL renderer with level‑of‑detail, edge bundling, and label culling; deterministic layout when possible (seeded).
+* **Semantic zoom**:
+
+ * Far: clusters by artifact/repo/ecosystem, color by lens
+ * Mid: package groups, advisory badges, license swatches
+ * Near: concrete versions, direct edges, inline badges for policy determinations
+* **Panels**:
+
+ * Left: search, filters, lens selector, saved queries
+ * Right: details, explain trace, evidence tabs (Advisory/VEX/Policy/Provenance)
+ * Bottom: query expression, diagnostics, performance/stream status
+* **Diff mode**: split or overlay, color legend (add/remove/changed), filter by node type.
+* **Deep links**: URL encodes query + viewport; shareable respecting RBAC.
+* **Keyboard**: space drag, +/- zoom, F to focus, G to expand neighbors, P to show paths.
+
+### 3.5 Back‑end architecture
+
+**Graph Indexer (new)**
+
+* Consumes SBOM ingests, Conseiller advisories, Excitator VEX statements, Policy Engine determinations (read‑only).
+* Projects facts into a **property graph** persisted in:
+
+ * Primary: document store + adjacency sets (e.g., Mongo collections + compressed adjacency lists)
+ * Optional driver for graph DB backends if needed (pluggable)
+* Maintains materialized aggregates: degree, critical paths cache, affected artifact counts, license distribution.
+* Emits **graph snapshots** per SBOM with lineage to original ingestion.
+
+**Graph API (new)**
+
+* Endpoints for search, neighbor expansion, path queries, diffs, overlays, exports.
+* Streaming responses for large graphs (chunked NDJSON tiles).
+* Cost accounting + quotas per tenant.
+
+**Workers**
+
+* **Centrality & clustering** precompute on idle: betweenness approximations, connected components, Louvain clusters.
+* **Diff compute** on new SBOM ingestion pairs (previous vs current).
+* **Overlay materialization** cache for popular policy versions.
+
+**Policy Engine integration**
+
+* Graph API requests can specify a policy version.
+* For sampled nodes, the API fetches explain traces; for counts, uses precomputed overlay materializations where available.
+
+**AOC enforcement**
+
+* Graph Indexer never merges or edits advisories/VEX; it links them and exposes overlays that the Policy Engine evaluates.
+* Conseiller and Excitator remain authoritative sources; severities come from Policy‑governed normalization.
+
+### 3.6 APIs (representative)
+
+* `GET /graph/search?q=...&type=package|artifact|advisory|license`
+* `POST /graph/query` ⇒ stream tiles `{nodes[], edges[], stats, cursor}`
+* `POST /graph/paths` body: `{from, to, depth<=6, constraints{scope, runtime_only}}`
+* `POST /graph/diff` body: `{sbom_a, sbom_b, filters}`
+* `GET /graph/snapshots/{sbom_id}` ⇒ graph metadata, counts, top advisories
+* `POST /graph/export` body: `{format: graphml|csv|ndjson|png|svg, query|snapshot}`
+* `GET /graph/saved` / `POST /graph/saved` save and list tenant queries
+* `GET /graph/overlays/policy/{version_id}` ⇒ summary stats for caching
+
+All endpoints tenant‑scoped, RBAC‑checked. Timeouts and pagination by server. Errors return structured diagnostics.
+
+### 3.7 CLI
+
+```
+stella sbom graph search "purl:pkg:maven/org.apache.logging.log4j/log4j-core"
+stella sbom graph query --file ./query.json --export graphml > graph.graphml
+stella sbom graph impacted --advisory GHSA-xxxx --runtime-only --limit 100
+stella sbom graph paths --from artifact:service-a --to advisory:GHSA-xxxx --depth 5 --policy 1.3.0
+stella sbom graph diff --sbom-a 2025-03-15T10:00Z --sbom-b 2025-03-22T10:00Z --export csv > diff.csv
+stella sbom graph save --name "openssl-runtime" --file ./query.json
+```
+
+Exit codes: 0 ok, 2 query validation error, 3 over‑budget, 4 not found, 5 RBAC denied.
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+### 3.8 Performance & scale
+
+* **Progressive loading**: server pages tiles by BFS frontier; client renders incrementally.
+* **Viewport culling**: only visible nodes/edges in canvas; offscreen demoted to aggregates.
+* **Level‑of‑detail**: simplified glyphs and collapsed clusters at distance.
+* **Query budgets**: per‑tenant rate + node/edge caps; interactive paths limited to depth ≤ 6.
+* **Caching**: hot queries memoized per tenant + overlay version; diffs precomputed for consecutive SBOMs.
+
+### 3.9 Security
+
+* Multi‑tenant isolation at storage and API layers.
+* RBAC roles:
+
+ * **Viewer**: browse graphs, saved queries
+ * **Investigator**: run queries, export data
+ * **Operator**: configure budgets, purge caches
+ * **Auditor**: download evidence bundles
+* Input validation for query JSON; deny disallowed edge traversals; strict CSP in web app.
+
+### 3.10 Observability
+
+* Metrics: tile latency, nodes/edges per tile, cache hit rate, query denials, memory pressure.
+* Logs: structured, include query hash, cost, truncation flags.
+* Traces: server spans per stage (parse, plan, fetch, overlay, stream).
+
+### 3.11 Accessibility & UX guarantees
+
+* Keyboard complete, ARIA roles for graph and panels, high‑contrast theme.
+* Deterministic layout on reload for shareable investigations.
+
+### 3.12 Data retention
+
+* Graph nodes derived from SBOMs share retention with SBOM artifacts; overlays are ephemeral caches.
+* Saved queries retained until deleted; references to missing objects show warnings.
+
+---
+
+## 4) Implementation plan
+
+### 4.1 Services
+
+* **Graph Indexer (new microservice)**
+
+ * Subscribes to SBOM ingest events, Conseiller advisory updates, Excitator VEX updates, Policy overlay materializations.
+ * Builds adjacency lists and node documents; computes aggregates and clusters.
+
+* **Graph API (new microservice)**
+
+ * Validates and executes queries; streams tiles; composes overlays; serves diffs and exports.
+ * Integrates with Policy Engine for explain sample retrieval.
+
+* **SBOM Service (existing)**
+
+ * Emits ingestion events with SBOM ids and lineage; exposes SBOM metadata to Graph API.
+
+* **Web API Gateway**
+
+ * Routes `/graph/*`, injects tenant context, enforces RBAC.
+
+### 4.2 Console (Web UI) feature module
+
+* `packages/features/graph-explorer`
+
+ * Canvas renderer (WebGL), panels, query builder, diff mode, overlays, exports.
+ * Deep‑link router and viewport state serializer.
+
+### 4.3 Workers
+
+* Centrality/clustering worker, diff worker, overlay materialization worker.
+* Schedules on low‑traffic windows; backpressure aware.
+
+### 4.4 Data model (storage)
+
+* Collections:
+
+ * `graph_nodes`: `{_id, tenant, type, natural_id, attrs, degree, created_at, updated_at}`
+ * `graph_edges`: `{_id, tenant, from_id, to_id, type, attrs, valid_from, valid_to}`
+ * `graph_snapshots`: per‑SBOM node/edge references
+ * `graph_saved_queries`: `{_id, tenant, name, query_json, created_by}`
+ * `graph_overlays_cache`: keyed by `{tenant, policy_version, hash(query)}`
+* Indexes: compound on `{tenant, type, natural_id}`, `{tenant, from_id}`, `{tenant, to_id}`, time bounds.
+
+---
+
+## 5) Documentation changes (create/update)
+
+1. **`/docs/sbom/graph-explorer-overview.md`**
+
+ * Concepts, node/edge taxonomy, lenses, overlays, roles, limitations.
+2. **`/docs/sbom/graph-using-the-console.md`**
+
+ * Walkthroughs: search, navigate, impact, diff, export; screenshots and keyboard cheatsheet.
+3. **`/docs/sbom/graph-query-language.md`**
+
+ * JSON schema, examples, constraints, cost/budget rules.
+4. **`/docs/sbom/graph-api.md`**
+
+ * REST endpoints, request/response examples, streaming and pagination.
+5. **`/docs/sbom/graph-cli.md`**
+
+ * CLI command reference and example pipelines.
+6. **`/docs/policy/graph-overlays.md`**
+
+ * How policy versions render in Graph; explain sampling; AOC guardrails.
+7. **`/docs/vex/graph-integration.md`**
+
+ * How VEX suppressions appear and how to validate product scoping.
+8. **`/docs/advisories/graph-integration.md`**
+
+ * Advisory linkage and severity normalization by policy.
+9. **`/docs/architecture/graph-services.md`**
+
+ * Graph Indexer, Graph API, storage choices, failure modes.
+10. 
**`/docs/observability/graph-telemetry.md`**
+
+ * Metrics, logs, tracing, dashboards.
+11. **`/docs/runbooks/graph-incidents.md`**
+
+ * Handling runaway queries, cache poisoning, degraded render.
+12. **`/docs/security/graph-rbac.md`**
+
+ * Permissions matrix, multi‑tenant boundaries.
+
+Every doc should end with a “Compliance checklist.”
+**Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+---
+
+## 6) Tasks
+
+### 6.1 Backend: Graph Indexer
+
+* [ ] Define node/edge schemas and attribute dictionaries for each type.
+* [ ] Implement event consumers for SBOM ingests, Conseiller updates, Excitator updates.
+* [ ] Build ingestion pipeline that populates nodes/edges and maintains `valid_from/valid_to`.
+* [ ] Implement aggregate counters and degree metrics.
+* [ ] Implement clustering job and persist cluster ids per node.
+* [ ] Implement snapshot materialization per SBOM and lineage tracking.
+* [ ] Unit tests for each node/edge builder; property‑based tests for identity stability.
+
+### 6.2 Backend: Graph API
+
+* [ ] Implement `/graph/search` with prefix and exact match across node types.
+* [ ] Implement `/graph/query` with validation, planning, cost estimation, and streaming tile results.
+* [ ] Implement `/graph/paths` with constraints and depth limits; shortest path heuristic.
+* [ ] Implement `/graph/diff` computing adds/removes/changed versions; stream results.
+* [ ] Implement overlays: advisory join, VEX join, policy materialization and explain sampling.
+* [ ] Implement exports: GraphML, CSV edge list, NDJSON findings, PNG/SVG snapshots.
+* [ ] RBAC middleware integration; multi‑tenant scoping.
+* [ ] Load tests with synthetic large SBOMs; define default budgets.
+
+### 6.3 Policy Engine integration
+
+* [ ] Add endpoint to fetch explain traces for specific node ids in batch.
+* [ ] Add materialization export that Graph API can cache per policy version.
+
+### 6.4 Console (Web UI)
+
+* [ ] Create `graph-explorer` module with routes `/graph`, `/graph/diff`, `/graph/q/:id`.
+* [ ] Implement WebGL canvas with LOD, culling, edge bundling, deterministic layout seed.
+* [ ] Build search, filter, lens, and overlay toolbars.
+* [ ] Side panels: details, evidence tabs, explain viewer.
+* [ ] Diff mode: split/overlay toggles and color legend.
+* [ ] Saved queries: create, update, run; deep links.
+* [ ] Export UI: formats, server round‑trip, progress indicators.
+* [ ] a11y audit and keyboard‑only flow.
+
+### 6.5 CLI
+
+* [ ] Implement `stella sbom graph *` subcommands with JSON IO and piping support.
+* [ ] Document examples and stable output schemas for CI consumption.
+
+### 6.6 Observability & Ops
+
+* [ ] Dashboards for tile latency, query denials, cache hit rate, memory.
+* [ ] Alerting on query error spikes, OOM risk, cache churn.
+* [ ] Runbooks in `/docs/runbooks/graph-incidents.md`.
+
+### 6.7 Docs
+
+* [ ] Author all docs in section 5, link from Console contextual help.
+* [ ] Add end‑to‑end tutorial: “Investigate GHSA‑XXXX across prod artifacts.”
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+---
+
+## 7) Acceptance criteria
+
+* Console renders large SBOM graphs with semantic zoom, overlays, and responsive interactions.
+* Users can run impact and path queries with bounded depth and get results within budget.
+* VEX suppressions and advisory severities appear correctly and are consistent with policy.
+* Diff view clearly shows added/removed/changed nodes/edges between two SBOMs.
+* Saved queries and deep links reproduce the same view deterministically (given same data).
+* Exports produce valid GraphML/CSV/NDJSON and image snapshots.
+* CLI supports search, query, paths, impacted, diff, and export with stable schemas.
+* AOC guardrails: explorer never mutates facts; overlays reflect Policy Engine decisions.
+* RBAC enforced; all actions logged and observable.
+
+---
+
+## 8) Risks & mitigations
+
+* **Graph explosion on large monorepos** → tiling, clustering, budgets, and strict depth limits.
+* **Inconsistent identities across tools** → canonicalize purls/digests; property‑based tests for identity stability.
+* **Policy overlay latency** → precompute materializations for hot policy versions; sample explains only on focus.
+* **User confusion** → strong lens defaults, deterministic layouts, legends, in‑context help.
+
+---
+
+## 9) Test plan
+
+* **Unit**: node/edge builders, identity normalization, cost estimator.
+* **Integration**: ingest SBOM + advisories + VEX, verify overlays and counts.
+* **E2E**: Playwright flows for search→impact→diff→export; deep link determinism.
+* **Performance**: simulate 500k nodes/2M edges; measure tile latency and memory.
+* **Security**: RBAC matrix; tenant isolation tests; query validation fuzzing.
+* **Determinism**: snapshot round‑trip: same query and seed produce identical layout and stats.
+
+---
+
+## 10) Feature flags
+
+* `graph.explorer` (UI feature module)
+* `graph.paths` (advanced path queries)
+* `graph.diff` (SBOM diff mode)
+* `graph.overlays.policy` (policy overlay + explain sampling)
+* `graph.export` (exports enabled)
+
+Documented in `/docs/observability/graph-telemetry.md`.
+
+---
+
+## 11) Non‑goals (this epic)
+
+* Real‑time process/runtime call graphs.
+* Full substitution for text reports; Explorer complements Reports.
+* Cross‑tenant graphs; all queries are tenant‑scoped.
+
+---
+
+## 12) Philosophy
+
+* **See the system**: security and license risk are structural. If you cannot see structure, you will miss risk.
+* **Evidence over assertion**: every colored node corresponds to raw facts and explainable determinations.
+* **Bounded interactivity**: fast, partial answers beat slow “complete” ones.
+* **Immutability**: graphs mirror SBOM snapshots and are never rewritten; we add context, not edits.
+
+> Final reminder: **Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.**
diff --git a/EPIC_6.md b/EPIC_6.md
new file mode 100644
index 00000000..89cb0e1d
--- /dev/null
+++ b/EPIC_6.md
@@ -0,0 +1,650 @@
+Below is the expanded, “maximum documentation” package for Epic 6. It is paste‑ready for your repo and deliberately formal so engineering, docs, and audit folks can work from the same source of truth.
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+---
+
+# Epic 6: Vulnerability Explorer (policy‑aware)
+
+**Short name:** `Vuln Explorer`
+**Services touched:** Conseiller (Feedser), Excitator (Vexer), SBOM Service, Policy Engine, Findings Ledger (new), Web API Gateway, Authority (authN/Z), Workers/Scheduler, Telemetry/Analytics, Console (Web UI), CLI
+**AOC ground rule:** Conseiller/Excitator aggregate but never merge or rewrite source documents. The Explorer only renders **effective** results as decided by Policy Engine and records human workflow as immutable ledger events.
+
+---
+
+## 1) What it is
+
+The Vulnerability Explorer is the API and UI for operational triage, investigation, and reporting of vulnerabilities across all artifacts tracked by StellaOps. It correlates SBOM inventory with advisory and VEX evidence, then displays the **effective** status and obligations per the currently selected **Policy version**. It never edits source evidence. It provides:
+
+* Policy‑aware lists, pivots, and detail views
+* Triage workflow with immutable audit ledger
+* Risk acceptance with expiry and evidence
+* SLA tracking by severity and business tier
+* Simulation against other policy versions
+* Exports and cryptographically signed “evidence bundles”
+
+**Identity principle:** one **Finding** per tuple `(artifact_id, purl, version, advisory_key)`, with links to every contributing AdvisoryEvidence and VexEvidence.
+
+---
+
+## 2) Why (concise)
+
+* Prioritization must reflect **policy and VEX**, not raw feeds.
+* Audit requires complete, reproducible lineage: what changed, why, and who decided.
+* Operators need consistent APIs, CLI, and a UI that explain determinations, not just list CVEs.
+
+---
+
+## 3) How it should work (maximum detail)
+
+### 3.1 Domain model and contracts
+
+**Evidence (immutable)**
+
+* `AdvisoryEvidence` (from Conseiller)
+
+ ```json
+ {
+ "id": "adv_evd:...uuid...",
+ "tenant": "acme",
+ "source": "ghsa|nvd|vendor|ossindex|... ",
+ "source_id": "GHSA-xxxx",
+ "schema": "GHSA|CVE|CSAF-ADV",
+ "advisory_key": "CVE-2024-12345",
+ "affected": [{"ecosystem":"npm","purl":"pkg:npm/lodash","ranges":[{"type":"semver","events":[{"introduced":"0.0.0"},{"fixed":"4.17.21"}]}]}],
+ "cvss": {"version":"3.1","baseScore":7.5,"vectorString":"AV:N/AC:L/..."},
+ "severity": "HIGH",
+ "urls": ["https://..."],
+ "published": "2024-06-10T12:00:00Z",
+ "withdrawn": null,
+ "ingested_at": "2024-06-11T08:43:21Z"
+ }
+ ```
+* `VexEvidence` (from Excitator)
+
+ ```json
+ {
+ "id": "vex_evd:...uuid...",
+ "tenant": "acme",
+ "source": "vendor-csaf",
+ "schema": "CSAF-VEX",
+ "advisory_key": "CVE-2024-12345",
+ "product_scope": [{"purl":"pkg:npm/lodash@4.17.20"}],
+ "status": "not_affected|affected|fixed|under_investigation",
+ "justification": "component_not_present|vulnerable_code_not_in_execute_path|... 
", + "impact_statement": "Not reachable in Acme Payment Service.", + "timestamp": "2024-06-12T10:00:00Z", + "ingested_at": "2024-06-12T10:10:02Z" + } + ``` +* `InventoryEvidence` (from SBOM Service) + + ```json + { + "id": "inv_evd:...uuid...", + "tenant": "acme", + "artifact_id": "svc:payments@1.14.0", + "sbom_id": "sbom:sha256:...", + "purl": "pkg:npm/lodash@4.17.20", + "scope": "runtime|dev|test", + "runtime_flag": true, + "paths": [["root", "pkg:npm/a", "pkg:npm/lodash"]], + "discovered_at": "2024-06-12T11:00:00Z" + } + ``` + +**PolicyDetermination** (read‑only from Policy Engine) + +```json +{ + "key": { + "artifact_id": "svc:payments@1.14.0", + "purl": "pkg:npm/lodash", + "version": "4.17.20", + "advisory_key": "CVE-2024-12345", + "policy_version": "1.3.0" + }, + "applicable": true, + "effective_severity": "HIGH", + "exploitability": "ACTIVE|LIKELY|UNKNOWN|UNLIKELY", + "signals": {"epss": 0.86, "kev": true, "maturity": "weaponized"}, + "suppression_state": "none|policy|vex", + "obligations": [{"type":"fix_by","due":"2024-07-15"},{"type":"document_risk"}], + "sla": {"due":"2024-07-15","tier":"gold"}, + "rationale": [ + {"rule":"sev.base=nvd","detail":"NVD base:7.5"}, + {"rule":"exploit.upsell.kev","detail":"KEV flag → HIGH"}, + {"rule":"env.weight.prod","detail":"Env=prod no downgrade"} + ] +} +``` + +**Finding identity** + +``` +finding_id = hash(tenant, artifact_id, purl, version, advisory_key) +``` + +**Ledger event** (append‑only, tamper‑evident) + +```json +{ + "event_id": "led:...uuid...", + "finding_id": "f:...hash...", + "tenant": "acme", + "type": "assign|comment|attach|change_state|accept_risk|set_target_fix|verify_fix|reopen", + "payload": {"to":"team:platform","reason":"oncall triage"}, + "actor": {"user_id":"u:42","display":"Dana S."}, + "ts": "2024-06-12T14:01:02Z", + "prev_event_hash": "sha256:...", + "event_hash": "sha256:sha256(canonical_json(event) + prev_event_hash)" +} +``` + +**Projection** (materialized current state for fast lists) + 
+```json
+{
+ "finding_id":"f:...hash...",
+ "tenant":"acme",
+ "artifact_id":"svc:payments@1.14.0",
+ "purl":"pkg:npm/lodash",
+ "version":"4.17.20",
+ "advisory_key":"CVE-2024-12345",
+ "effective_severity":"HIGH",
+ "exploitability":"ACTIVE",
+ "suppression_state":"none",
+ "status":"UNDER_INVESTIGATION|REMEDIATING|ACCEPTED|RESOLVED|NEW|SUPPRESSED",
+ "sla_due":"2024-07-15",
+ "owner":"team:platform",
+ "kev":true,
+ "epss":0.86,
+ "new_since":"2024-06-12",
+ "has_fix":true,
+ "envs":["prod"],
+ "runtime_flag":true,
+ "updated_at":"2024-06-12T14:01:02Z"
+}
+```
+
+**Advisory key normalization**
+
+* Input identifiers: `CVE-*`, `GHSA-*`, vendor IDs.
+* Preference order: CVE, then GHSA, else vendor id prefixed with namespace.
+* Canonicalization: uppercase, trim, map withdrawn to same key but mark `withdrawn=true` in evidence.
+* Conseiller must publish `links: [all source ids]` for provenance.
+
+### 3.2 Resolver algorithm (candidate findings)
+
+**Goal:** produce tuples `(artifact_id, purl, version, advisory_key)` where inventory intersects affected ranges and policy deems the path relevant.
+
+**Pseudocode**
+
+```
+for each artifact sbom S:
+ inv = inventory(S)
+ for each advisory evidence A:
+ for each affected package spec in A.affected:
+ for each inv_item in inv where inv_item.purl package == spec.purl package:
+ if version_in_ranges(inv_item.version, spec.ranges, ecosystem):
+ if policy.path_scope_allows(inv_item.scope, inv_item.runtime_flag, inv_item.paths):
+ yield candidate (artifact_id, inv_item.purl, inv_item.version, A.advisory_key)
+```
+
+**Version semantics per ecosystem**
+
+* npm: semver, pre-release excluded unless explicitly in range.
+* Maven: Maven version rules, handle `-SNAPSHOT`, use maven‑resolver semantics.
+* PyPI: PEP 440 versioning.
+* Go: semver with `+incompatible` handling.
+* OS packages: RPM/DEB epoch:version‑release ordering.
+
+**Edge cases**
+
+* Multiple paths: store shortest path and count.
+* Dev/test scope: policy may exclude or downgrade.
+* Withdrawn advisories: keep as evidence; Policy can set severity to `NONE`.
+
+### 3.3 VEX precedence and scoping
+
+* If any matching **VEX** says `not_affected` scoped to the artifact product/component per CSAF product tree, set `suppression_state="vex"` and `applicable=false`.
+* If VEX says `fixed` and inventory version is >= fixed version, mark as **Resolved (verified)** after SBOM recrawl confirms.
+* If VEX `under_investigation`, no suppression; may add a policy grace period obligation.
+
+### 3.4 Policy evaluation
+
+* Inputs: candidate tuple + context (artifact env, business tier, ownership, signals, fix availability).
+* Determinations: applicability, effective severity, exploitability, obligations, SLA, suppression.
+* Suppression by policy examples: test‑scope only; path through optional deps; package vendored but not linked at runtime.
+* Simulation: identical input, alternate `policy_version`; returns determinations without side effects.
+
+### 3.5 API surface (authoritative)
+
+**List**
+
+```
+GET /vuln/findings?policy=1.3.0&sev=high,critical&group_by=artifact&exploit=kev&env=prod&page=1&page_size=100
+```
+
+Response
+
+```json
+{
+ "page": 1,
+ "page_size": 100,
+ "total": 740,
+ "group_by": "artifact",
+ "results": [
+ {"group":"svc:payments","counts":{"CRITICAL":3,"HIGH":12,"MEDIUM":8},"sla_breaches":2},
+ ...
+ ]
+}
+```
+
+**Query (complex filters)**
+
+```
+POST /vuln/findings/query
+```
+
+```json
+{
+ "policy": "1.3.0",
+ "filter": {
+ "severity": [">=MEDIUM"],
+ "exploit": ["kev", "epss>=0.8"],
+ "artifact": ["svc:payments", "svc:checkouts"],
+ "status": ["NEW","UNDER_INVESTIGATION"],
+ "env": ["prod"]
+ },
+ "sort": [{"field":"effective_severity","dir":"desc"},{"field":"epss","dir":"desc"}],
+ "page": {"number":1,"size":200}
+}
+```
+
+**Detail**
+
+```
+GET /vuln/findings/{finding_id}?policy=1.3.0
+```
+
+Returns projection, evidence links, policy rationale, paths, history summary.
+
+**Workflow**
+
+```
+POST /vuln/findings/{id}/assign { "to": "team:platform" }
+POST /vuln/findings/{id}/comment { "text": "triage notes..." }
+POST /vuln/findings/{id}/accept-risk { "until":"2025-06-30","reason":"vendor patch pending","evidence":["url|upload_id"] }
+POST /vuln/findings/{id}/verify-fix { "sbom_id": "sbom:sha256:..." }
+POST /vuln/findings/{id}/target-fix { "version": "4.17.21" }
+```
+
+**Simulation**
+
+```
+POST /vuln/simulate
+{
+ "policy_from": "1.3.0",
+ "policy_to": "1.4.0",
+ "query": { "severity":[">=MEDIUM"], "env":["prod"] }
+}
+```
+
+Response includes per‑finding delta `{before, after, diff}`.
+
+**Export**
+
+```
+POST /vuln/export { "format":"ndjson","scope":{"query":{...}} }
+```
+
+Returns a signed bundle (see §3.10).
+
+**Errors**
+
+* `400` validation, `403` RBAC, `404` not found, `409` state conflict (idempotency), `429` rate limited, `5xx` server.
+
+### 3.6 Console (Web UI)
+
+**Routes**
+
+* `/vuln` list with saved views
+* `/vuln/:id` detail drawer state
+* `/vuln/simulate/:policyVersion` diff mode
+
+**State shape (client)**
+
+```ts
+interface VulnListState {
+ policyVersion: string;
+ filters: {...};
+ sort: [...];
+ columns: string[];
+ viewId?: string;
+ page: {number: number; size: number};
+}
+```
+
+**UX**
+
+* Virtualized grid with server paging; column chooser; density toggle.
+* Quick filters: severity, exploit signals, status, env, owner, fix availability.
+* Detail tabs: Summary, Evidence (raw docs with provenance), Policy (rationale chain), Paths (deep link to Graph Explorer), Fixes, History.
+* Simulation bar shows delta chips: `+21 HIGH`, `-9 Suppressed by VEX` etc.
+* Evidence bundle dialog previews scope and size.
+* a11y: ARIA roles on grid, keyboard shortcuts: `A` assign, `C` comment, `R` accept risk, `V` verify fix.
+
+### 3.7 CLI
+
+Commands
+
+```
+stella vuln list --policy 1.3.0 --sev high,critical --group-by artifact --env prod --json
+stella vuln show --id --policy 1.3.0
+stella vuln simulate --from 1.3.0 --to 1.4.0 --sev '>=medium' --delta --json
+stella vuln assign --filter 'advisory:CVE-2024-12345 artifact:payments' --to team:platform
+stella vuln accept-risk --id --until 2025-06-30 --reason "vendor patch pending" --evidence url:https://ticket/123
+stella vuln verify-fix --id --sbom
+```
+
+Return codes: `0 ok`, `2 invalid args`, `3 budget exceeded`, `4 not found`, `5 denied`.
+
+### 3.8 Storage schema (illustrative)
+
+**Tables**
+
+```sql
+-- Evidence
+CREATE TABLE evidence_advisory (...);
+CREATE INDEX ea_tenant_key ON evidence_advisory(tenant, advisory_key);
+CREATE TABLE evidence_vex (...);
+CREATE INDEX ev_tenant_key ON evidence_vex(tenant, advisory_key);
+CREATE TABLE evidence_inventory (...);
+CREATE INDEX ei_artifact_purl ON evidence_inventory(tenant, artifact_id, purl);
+
+-- Ledger
+CREATE TABLE findings_ledger_events (
+ event_id uuid PRIMARY KEY,
+ finding_id bytea NOT NULL,
+ tenant text NOT NULL,
+ type text NOT NULL,
+ payload jsonb NOT NULL,
+ actor jsonb NOT NULL,
+ ts timestamptz NOT NULL,
+ prev_event_hash bytea,
+ event_hash bytea NOT NULL
+);
+CREATE INDEX fle_find_ts ON findings_ledger_events(tenant, finding_id, ts);
+
+-- Projection
+CREATE TABLE findings_projection (
+ finding_id bytea PRIMARY KEY,
+ tenant text NOT NULL,
+ artifact_id text NOT NULL,
+ purl text NOT NULL,
+ version text NOT NULL,
+ advisory_key text NOT NULL,
+ policy_version text NOT NULL,
+ effective_severity text NOT NULL,
+ exploitability text,
+ suppression_state text,
+ status text NOT NULL,
+ sla_due date,
+ owner text,
+ kev boolean,
+ epss double precision,
+ envs text[],
+ runtime_flag boolean,
+ updated_at timestamptz NOT NULL
+);
+CREATE INDEX fp_query ON findings_projection(tenant, policy_version, effective_severity, status);
+```
+
+**Tamper‑evidence**
+
+* Ledger 
events use chained SHA‑256 hashes over canonical JSON + previous hash.
+* Daily Merkle root of all event hashes is anchored to the audit store (and optionally external timestamping service).
+
+### 3.9 Performance and scaling
+
+* P95 list endpoint under 600 ms for 100‑row pages at 5M findings/tenant.
+* Projections denormalize heavy joins; background projector uses idempotent jobs keyed by `(tenant,finding_id,policy_version)`.
+* Rate limits per tenant and per API key; backpressure on export jobs; exponential retry for projector.
+
+### 3.10 Evidence bundle format
+
+* **Container:** ZIP with `manifest.json`, `findings.ndjson`, `advisory_evidence.ndjson`, `vex_evidence.ndjson`, `inventory_evidence.ndjson`, `policy_version.json`, `ledger_events.ndjson`, `CHECKSUMS`.
+* **Signing:** Detached signature `bundle.sig` using tenant’s org key (Ed25519).
+* **Manifest**
+
+ ```json
+ {"generated_at":"2024-06-12T15:00:00Z","tenant":"acme","policy_version":"1.3.0","scope":{"query":{...}},"counts":{"findings":421}}
+ ```
+
+### 3.11 Observability
+
+* Metrics (OpenTelemetry):
+
+ * `vuln_findings_list_latency_ms` (histogram)
+ * `vuln_projection_lag_seconds` (gauge)
+ * `vuln_new_findings_total` (counter)
+ * `vuln_sla_breaches_total` (counter by sev, owner)
+ * `vuln_simulation_latency_ms` (histogram)
+* Logs: structured JSON with `tenant`, `policy_version`, `query_hash`, `result_count`.
+* Traces: spans for resolver, policy calls, projection builds, export assembly.
+* PII: redact comments in logs; store attachments encrypted at rest (KMS).
+
+### 3.12 Security & RBAC
+
+**Roles**
+
+* Viewer: GET list/detail/export read scope.
+* Investigator: Viewer + workflow actions except risk acceptance.
+* Operator: Investigator + risk acceptance, verify fix, bulk actions.
+* Auditor: Viewer + evidence bundles and ledger integrity checks.
+
+**ABAC**
+
+* Attribute constraints: by `artifact.owner`, `env`, and `business_tier`.
+* CSRF protection for Console; all POST require anti‑forgery tokens.
+* Attachments stored with envelope encryption; signed URLs for limited time access.
+
+### 3.13 Rollout and migrations
+
+* Feature flags: `vuln.explorer.ui`, `vuln.explorer.simulation`, `vuln.explorer.bulk_actions`, `vuln.explorer.evidence_bundle`.
+* Phase 1: dark launch API and projections.
+* Phase 2: UI read‑only list and detail.
+* Phase 3: workflow actions and exports.
+* Data backfill: replay advisory/VEX/SBOM events to seed projections.
+* Compatibility: maintain projection v1 schema for two releases; migration scripts in `/migrations/vuln/`.
+
+---
+
+## 4) Implementation plan
+
+### 4.1 Services
+
+* **Findings Ledger (new)**
+
+ * Append‑only event store with projector to `findings_projection`.
+ * Event validation and canonicalization; hashing and Merkle root anchoring.
+
+* **Vuln Explorer API (new)**
+
+ * Query/filter engine with policy parameterization and grouping.
+ * Simulation endpoint.
+ * Export job orchestrator.
+
+* **Conseiller / Excitator (updates)**
+
+ * Guarantee canonical `advisory_key` and publish `links[]`.
+ * No merges; maintain raw payload snapshots.
+
+* **Policy Engine (updates)**
+
+ * Batch evaluation endpoint `POST /policy/eval/batch` with `simulate` support.
+ * Return rationale chain with rule IDs.
+
+* **SBOM Service (updates)**
+
+ * Publish inventory deltas; include `scope`, `runtime_flag`, `paths`.
+ * Nearest safe version hints.
+
+* **Workers/Scheduler**
+
+ * Resolver job keyed by `(tenant, artifact_id, sbom_id)`; emits candidate tuples.
+ * Recompute on policy activation and evidence changes.
+
+### 4.2 Code structure
+
+```
+/src/StellaOps.Findings.Ledger
+ /api
+ /projector
+ /storage
+/src/StellaOps.VulnExplorer.Api
+ /routes
+ /query
+ /simulation
+ /export
+/packages/console/features/vuln-explorer
+ /components
+ /pages
+ /state
+/src/StellaOps.Cli
+```
+
+### 4.3 Performance tasks
+
+* Projection indexes and covering queries; explain plans in `/docs/vuln/perf-notes.md`.
+* Cache hot groupings per tenant with TTL and invalidation on ledger projector tick.
+
+---
+
+## 5) Documentation changes (create/update)
+
+1. `/docs/vuln/explorer-overview.md`
+ Conceptual model, identities, evidence vs determinations, AOC guarantees.
+2. `/docs/vuln/explorer-using-console.md`
+ Workflows with screenshots, keyboard shortcuts, saved views, deep links.
+3. `/docs/vuln/explorer-api.md`
+ Endpoint specs, query language, grouping, pagination, errors, rate limits.
+4. `/docs/vuln/explorer-cli.md`
+ Commands, flags, examples, exit codes.
+5. `/docs/vuln/findings-ledger.md`
+ Event schema, state machine, hashing, Merkle roots, integrity checks.
+6. `/docs/policy/vuln-determinations.md`
+ Inputs, outputs, precedence rules, simulation semantics.
+7. `/docs/vex/explorer-integration.md`
+ CSAF mapping, scoping to product tree, precedence.
+8. `/docs/advisories/explorer-integration.md`
+ Advisory key normalization, provenance, withdrawn handling.
+9. `/docs/sbom/vuln-resolution.md`
+ Ecosystem version semantics, path sensitivity, scope rules.
+10. `/docs/observability/vuln-telemetry.md`
+ Metrics, logs, traces, dashboards, SLOs.
+11. `/docs/security/vuln-rbac.md`
+ Role mapping, ABAC, attachment encryption, CSRF.
+12. `/docs/runbooks/vuln-ops.md`
+ Recompute storms, projector lag, policy activation drains, export failures.
+13. `/docs/install/containers.md`
+ Add `findings-ledger`, `vuln-explorer-api` images, compose/k8s manifests, resource sizing, health checks.
+
+> Each doc ends with: **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+---
+
+## 6) Engineering tasks
+
+### Backend: Findings & API
+
+* [ ] Define evidence and ledger schemas; migrations.
+* [ ] Implement resolver for npm, Maven, PyPI, Go, OS packages with property‑based tests for version comparisons.
+* [ ] Implement ledger API and projector with idempotency and hashing.
+* [ ] Implement list/detail/grouping endpoints with server‑side paging.
+* [ ] Implement simulation and export (bundle assembly, signing).
+* [ ] Integrate Policy Engine batch eval with rationale traces.
+* [ ] RBAC via Authority with ABAC filters.
+* [ ] Load tests at 5M findings/tenant; tune indexes.
+
+### Conseiller/Excitator
+
+* [ ] Normalize `advisory_key` and persist `links[]`.
+* [ ] Ensure raw payload snapshots are retrievable by Explorer for Evidence tab.
+
+### SBOM Service
+
+* [ ] Emit `scope`, `runtime_flag`, `paths`; safe version hints.
+* [ ] Inventory delta events to trigger resolver.
+
+### Console
+
+* [ ] Build grid with virtualization, saved views, deep link serializer.
+* [ ] Implement detail tabs and path deep‑links to Graph Explorer.
+* [ ] Add simulation bar and delta chips.
+* [ ] Evidence bundle dialog.
+* [ ] a11y keyboard flow and ARIA labeling; unit and E2E tests.
+
+### CLI
+
+* [ ] `stella vuln list|show|simulate|assign|accept-risk|verify-fix` with `--json` and CSV export.
+* [ ] Stable output schemas; pipe‑friendly defaults.
+
+### Observability/Ops
+
+* [ ] Dashboards for list latency, projection lag, new/reopened, SLA breaches.
+* [ ] Alerts on projector backlog, API 5xx spikes, export failures.
+* [ ] Runbooks in `/docs/runbooks/vuln-ops.md`.
+
+### Docs
+
+* [ ] Author files listed in §5 with cross‑links to Policy Studio and SBOM Graph Explorer.
+* [ ] Update `/docs/install/containers.md` with new images and compose/k8s snippets.
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+---
+
+## 7) Acceptance criteria
+
+* List and detail views reflect **effective** policy outcomes and update instantly when switching policy versions.
+* Evidence tab shows all raw advisory/VEX documents with provenance; no source merging.
+* Resolver respects ecosystem semantics, scope, and paths; path tab round‑trips to Graph Explorer.
+* Ledger events are immutable and reconstruct historical list states accurately.
+* Simulation returns diffs without side effects and matches Policy Engine outputs.
+* CLI/API support paging, grouping, export, simulation; contracts stable and documented.
+* RBAC and tenant isolation validated by tests; attachments encrypted.
+* P95 performance budgets met; dashboards green for SLOs.
+
+---
+
+## 8) Risks and mitigations
+
+* **Advisory identity collisions** → strict canonicalization; preserve `links[]`; never merge raw docs.
+* **Projection lag** → backpressure, worker autoscaling, health checks; alerting on lag.
+* **Resolver false positives** → path evidence required; dev/test scope rules explicit; ecosystem‑specific tests.
+* **User confusion over suppression** → explicit badges; Policy tab with rationale and “why changed.”
+* **Export size** → NDJSON streaming, size estimator in UI, scope previews.
+
+---
+
+## 9) Test plan
+
+* **Unit:** version comparators, resolver per ecosystem, policy mapping, ledger state machine.
+* **Integration:** SBOM + advisories + VEX ingestion, candidate generation, policy application, suppression precedence.
+* **E2E Console:** triage, bulk assign, simulation, evidence bundle download; keyboard‑only flow.
+* **Performance:** list/grouping at target scale; projector rebuild; export assembly.
+* **Security:** RBAC matrix, ABAC filters, CSRF, signed URL lifetimes, tamper‑evidence verification.
+* **Determinism:** time‑travel snapshots reproduce prior states byte‑for‑byte.
+
+---
+
+## 10) Philosophy
+
+* **Facts first, decisions second.** Evidence is immutable; decisions and workflow sit on top in a ledger.
+* **Policy is the lens.** The same facts can imply different obligations; the system must make that explicit and reproducible.
+* **Audit > convenience.** Every state change is justified, signed, and verifiable.
+* **No hidden magic.** If anything is suppressed, the UI shows the rule or VEX that did it, with documents attached.
+
+> Final reminder: **Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.**
diff --git a/EPIC_7.md b/EPIC_7.md
new file mode 100644
index 00000000..8e9e7958
--- /dev/null
+++ b/EPIC_7.md
@@ -0,0 +1,545 @@ +Below is the expanded, “maximum documentation” package for Epic 7. It is paste‑ready for your repo and deliberately formal so engineering, docs, governance, and audit can work from the same source of truth. + +> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +--- + +# Epic 7: VEX Consensus Lens + +**Short name:** `VEX Lens` +**Services touched:** Excitator (Vexer), Conseiller (Feedser), SBOM Service, Policy Engine, Findings Ledger, Web API Gateway, Authority (authN/Z), Console (Web UI), CLI, Telemetry/Analytics +**AOC ground rule:** Excitator and Conseiller aggregate but never merge or rewrite source documents. The Lens only computes a **derived, reproducible** consensus view while preserving all raw evidence and provenance. + +--- + +## 1) What it is + +The VEX Consensus Lens is a deterministic computation and presentation layer that ingests all available VEX statements about a given advisory key (e.g., CVE) and product/context, then produces an **explicit consensus state** for each `(artifact_id, purl, version, advisory_key)` tuple. It answers: “Given multiple, possibly conflicting VEX statements from different issuers, what is the most trustworthy, policy‑consistent interpretation for this artifact and version?” + +It never edits or merges VEX documents. It normalizes them, aligns their **product scope** to SBOM inventory, scores issuers via a tenant‑configurable **trust model**, applies time and version scoping, and outputs: + +* `consensus_state`: `NOT_AFFECTED | AFFECTED | FIXED | UNDER_INVESTIGATION | INCONCLUSIVE | DISPUTED` +* `confidence`: 0.0–1.0 numeric score +* `rationale`: structured explanation of evidence, weights, and rules applied +* `quorum`: weighted vote breakdown by issuer, timestamp, justification, and version applicability + +The Lens plugs into the Policy Engine. 
Policy remains the source of truth for applicability, severity, and obligations; the Lens supplies structured signals and provenance that policy can use to suppress findings, downgrade risk, or set SLAs. + +Key properties: + +* **Reproducible:** Same inputs and policy yield same outputs. +* **Explainable:** Every output carries a machine‑readable rationale chain. +* **Scoped:** Product trees and version ranges are resolved against actual SBOM inventory. +* **Immutable evidence:** All raw VEX docs remain intact, retrievable, and linkable. + +--- + +## 2) Why (concise) + +Real ecosystems have overlapping VEX statements from upstream maintainers, vendors, distros, and third parties. Operators need a single, defensible view without losing provenance. The Lens reduces noise, flags conflicts, and turns fragmented VEX evidence into auditable signals that policy and humans can act on. + +--- + +## 3) How it should work (maximum detail) + +### 3.1 Input model + +**From Excitator (Vexer):** + +* Raw `VexEvidence` documents (CSAF VEX, OpenVEX, CycloneDX VEX) with: + + * `advisory_key` (canonicalized) + * product tree or component coordinates (purl, CPE, vendor IDs) + * status (`not_affected`, `affected`, `fixed`, `under_investigation`) + * justifications (CSAF, OpenVEX enumerations) + * version ranges or fixed versions if available + * timestamps (issued, last_updated), source URLs + * cryptographic metadata (signature, issuer, certificate chain) if present + +**From SBOM Service:** + +* Inventory for each artifact: purls, versions, dependency paths, scopes, env flags. 
+ +**From Issuer Directory (new)** + +* Directory of known VEX issuers: + + * identity, organization, domain, CSAF publisher metadata + * public keys and trust anchors (Ed25519/X.509/PKIX/PKCS7/DSSE) + * default trust weight + * tenancy‑specific overrides + +**From Policy Engine:** + +* Policy version and options relevant to VEX evaluation: + + * trust model parameters + * confidence thresholds per environment/tier + * justification whitelist/blacklist + * recency requirements and expiry windows + * precedence rules for status conflicts + +### 3.2 Normalization + +1. **Canonical advisory key:** CVE preferred; GHSA mapped; vendor IDs namespaced. +2. **Status mapping:** Normalize all encodings to `NOT_AFFECTED | AFFECTED | FIXED | UNDER_INVESTIGATION`. +3. **Product scope alignment:** Convert CSAF product tree/CPE to purl variants using deterministic mappings; store mapping evidence. +4. **Version scoping:** For each evidence, compute `applies_to(version)` using ecosystem comparators (npm semver, Maven, PEP 440, Go semver, RPM/DEB EVR). +5. **Signature verification:** If signed, verify against Issuer Directory trust anchors; attach `sig_verified=true/false` and chain metadata. +6. **Temporal fields:** Compute `effective_at` (issued), `observed_at` (ingested), and staleness. 
+ +### 3.3 Trust model + +Each `VexEvidence` gets a base weight `w_base` from issuer type and verification: + +* Maintainer/Upstream signed: 0.9 +* Maintainer/Upstream unsigned: 0.7 +* Distro/SIG signed: 0.8 +* Vendor of downstream product signed: 0.8 +* Third‑party scanner VEX: 0.4 +* Unknown/unsigned with weak provenance: 0.2 + +Weights are then adjusted: + +``` +w = w_base + * f_signature(sig_verified) // e.g., 1.1 if verified, 0.8 if unverifiable + * f_recency(age_days) // decay after T days (policy) + * f_justification(type) // e.g., "component_not_present" lower if SBOM shows present + * f_scope_match(score) // quality of product match: exact purl > family > CPE wildcard + * f_env(app_env) // optional env-specific multipliers +``` + +All `f_*` are bounded to [0.5, 1.2] by default to prevent runaway effects. Tenants can override per Policy Studio. + +### 3.4 Consensus algorithm + +For a tuple `(artifact_id, purl, version, advisory_key)`: + +1. **Collect** all normalized `VexEvidence` whose product scope maps to `purl` and `applies_to(version)==true`. + +2. **Bucket** by normalized status; compute `W(status) = Σ w(evidence)` per status. + +3. **Apply precedence** rules from policy: + + * If `W(NOT_AFFECTED)` exceeds threshold `T_na` and there is no `FIXED` evidence contradictory for the same version, propose `NOT_AFFECTED`. + * If any `FIXED` applies and inventory version ≥ fixed version, propose `FIXED`. + * If `W(AFFECTED)` ≥ `T_aff` and no dominating `NOT_AFFECTED`, propose `AFFECTED`. + * If `W(UNDER_INVESTIGATION)` dominates and others below thresholds, propose `UNDER_INVESTIGATION`. + * If both `AFFECTED` and `NOT_AFFECTED` exceed thresholds within a small margin `δ`, mark `DISPUTED`. + * Otherwise `INCONCLUSIVE`. + +4. **Confidence score:** + + ``` + confidence = W(winning_status) / (W(AFFECTED)+W(NOT_AFFECTED)+W(FIXED)+W(UNDER_INVESTIGATION) + ε) + ``` + + Clip to [0.0, 1.0]. + +5. 
**Rationale chain:**
+
+ * Winning status, thresholds used, top 5 contributing evidences with weights and reasons, product mapping quality, version scoping evidence, and policy knobs that influenced the result.
+
+6. **Quorum summary:**
+
+ * List issuers and their votes, signature state, timestamps, and justifications.
+
+### 3.5 Policy interaction
+
+* The Lens returns `consensus_state`, `confidence`, and structured `signals`.
+* Policy Engine consumes these and may:
+
+ * Suppress findings automatically on `NOT_AFFECTED` confidence ≥ `P_na`.
+ * Downgrade severity or extend SLA when `UNDER_INVESTIGATION` from high‑trust issuers.
+ * Require human approval when `DISPUTED`.
+ * Treat `FIXED` as resolved only when SBOM crawl verifies the fixed version or a `verify_fix` ledger event exists.
+
+**Simulation:** Policy Studio can simulate different trust weights and thresholds and see consensus deltas without side effects.
+
+### 3.6 Data contracts
+
+**ConsensusRecord (materialized)**
+
+```json
+{
+ "id": "cons:sha256(tenant|artifact|purl|version|advisory|policy)",
+ "tenant": "acme",
+ "artifact_id": "svc:payments@1.14.0",
+ "purl": "pkg:npm/lodash@4.17.20",
+ "advisory_key": "CVE-2024-12345",
+ "policy_version": "1.3.0",
+ "consensus_state": "NOT_AFFECTED",
+ "confidence": 0.87,
+ "weights": {"AFFECTED":0.31,"NOT_AFFECTED":1.25,"FIXED":0.00,"UNDER_INVESTIGATION":0.12},
+ "top_evidence": ["vex_evd:...","vex_evd:..."],
+ "quorum": [
+ {"issuer":"lodash-maintainers","status":"NOT_AFFECTED","w":0.9,"sig_verified":true,"just":"vulnerable_code_not_present","issued":"2024-06-08"},
+ {"issuer":"vendorX-distro","status":"AFFECTED","w":0.25,"sig_verified":false,"just":"generic_advisory","issued":"2024-06-07"}
+ ],
+ "rationale": [
+ {"rule":"trust.weight.issuer","detail":"maintainer signed evidence 0.9"},
+ {"rule":"scope.match.exact","detail":"exact purl match"},
+ {"rule":"justification.vcnp","detail":"supported by SBOM callgraph hint"}
+ ],
+ "updated_at": "2024-06-12T10:00:00Z"
+}
+```
+
+**Issuer Directory entry**
+
+```json
+{
+ "issuer_id": "iss:lodash",
+ "org": "Lodash Maintainers",
+ "domains": ["lodash.com"],
+ "keys": [{"type":"ed25519","pub":"...","expires":"2026-12-31"}],
+ "default_weight": 0.9,
+ "metadata": {"csaf_publisher": true}
+}
+```
+
+### 3.7 APIs
+
+**Compute/Query**
+
+```
+GET /vex/consensus?artifact=svc:payments@1.14.0&purl=pkg:npm/lodash@4.17.20&advisory=CVE-2024-12345&policy=1.3.0
+POST /vex/consensus/query { "policy":"1.3.0", "filter": { "state":["DISPUTED","INCONCLUSIVE"], "confidence":"<0.6", "env":["prod"] }, "page":{...} }
+GET /vex/consensus/{id} // full record
+POST /vex/consensus/simulate // override trust knobs and thresholds for what-if
+```
+
+**Issuer Directory**
+
+```
+GET /vex/issuers
+POST /vex/issuers (admin)
+POST /vex/issuers/{id}/keys (admin)
+```
+
+**Exports**
+
+```
+POST /vex/consensus/export { "format":"ndjson","scope":{"filter":{...}} }
+```
+
+**Errors**
+
+* `400` invalid mapping, `403` RBAC, `404` not found, `409` conflict, `429` rate limit.
+
+### 3.8 Console (Web UI)
+
+Routes:
+
+* `/vex/consensus` overview with filters: state, confidence, issuer, advisory, artifact, env.
+* `/vex/consensus/:id` detail: Evidence pane, Quorum graph, Policy impact, SBOM path links.
+
+UX elements:
+
+* **Quorum bar:** stacked bar showing weights per status; hover reveals issuer contributions.
+* **Confidence chip:** numeric and qualitative band (Low/Med/High).
+* **Evidence table:** paged list of VEX docs with signature icon, scope match quality tag, justification tag, issued/updated timestamps.
+* **Conflict view:** for `DISPUTED`, show side-by-side issuer rationales and suggested next steps.
+* **Deep link** into Vulnerability Explorer detail, preselecting the Policy version used for the consensus.
+
+A11y:
+
+* ARIA roles on grid and bars; keyboard shortcuts `S` switch policy, `T` trust presets, `E` export.
+
+### 3.9 CLI
+
+Commands:
+
+```
+stella vex consensus list --policy 1.3.0 --state disputed,inconclusive --confidence '<0.6' --artifact payments --json
+stella vex consensus show --id --policy 1.3.0
+stella vex simulate --policy 1.3.0 --trust 'issuer:lodash=1.0,issuer:vendorX=0.5' --thresholds 'na=1.0,aff=0.6' --json
+stella vex issuers list
+stella vex export --filter 'artifact:payments advisory:CVE-2024-12345' --out vex-consensus.ndjson
+```
+
+Exit codes: `0` ok, `2` invalid args, `4` not found, `5` denied.
+
+### 3.10 Storage schema (illustrative)
+
+```sql
+-- Normalized VEX (reference Excitator id; do not alter raw)
+CREATE TABLE vex_normalized (
+ id uuid PRIMARY KEY,
+ tenant text NOT NULL,
+ evidence_id text NOT NULL, -- link to Excitator
+ advisory_key text NOT NULL,
+ issuer_id text,
+ status text NOT NULL, -- NOT_AFFECTED|AFFECTED|FIXED|UNDER_INVESTIGATION
+ justification text,
+ purl text, -- normalized mapping target
+ version_range jsonb, -- ecosystem-specific encoding
+ sig_verified boolean,
+ scope_score real, -- 0..1 quality of mapping
+ issued timestamptz,
+ updated timestamptz,
+ w_base real,
+ UNIQUE (tenant, evidence_id)
+);
+
+-- Issuer Directory
+CREATE TABLE vex_issuers (
+ issuer_id text PRIMARY KEY,
+ tenant text NOT NULL,
+ org text NOT NULL,
+ default_weight real NOT NULL,
+ metadata jsonb,
+ UNIQUE(tenant, org)
+);
+
+CREATE TABLE vex_issuer_keys (
+ id uuid PRIMARY KEY,
+ issuer_id text NOT NULL REFERENCES vex_issuers(issuer_id),
+ key_type text NOT NULL,
+ pubkey text NOT NULL,
+ expires timestamptz
+);
+
+-- Consensus projection
+CREATE TABLE vex_consensus (
+ id bytea PRIMARY KEY,
+ tenant text NOT NULL,
+ artifact_id text NOT NULL,
+ purl text NOT NULL,
+ version text NOT NULL,
+ advisory_key text NOT NULL,
+ policy_version text NOT NULL,
+ consensus_state text NOT NULL,
+ confidence real NOT NULL,
+ weights jsonb NOT NULL,
+ top_evidence text[] NOT NULL,
+ updated_at timestamptz NOT NULL
+);
+
+CREATE INDEX vc_query ON 
vex_consensus(tenant, policy_version, consensus_state, confidence); +``` + +### 3.11 Integration with Findings Ledger and Vuln Explorer + +* The Vuln Explorer reads `vex_consensus` for each finding and renders: + + * Consensus chip, confidence, and a link to full quorum. + * For `NOT_AFFECTED` with confidence ≥ policy threshold, show “Suppressed by VEX (Consensus)” badge. + * For `DISPUTED`, open a triage banner prompting manual review and optional ledger comment/assignment. + +* Ledger receives no new event type from lens computation itself. Human actions triggered by lens views produce standard events (`comment`, `assign`, `change_state`). + +### 3.12 Security & RBAC + +Roles: + +* Viewer: query consensus read‑only. +* Investigator: Viewer + export. +* Operator: Investigator + trust simulation. +* Admin: manage Issuer Directory entries and keys. + +CSRF for Console; ABAC scoping by artifact ownership and environment. + +### 3.13 Observability + +Metrics: + +* `vex_consensus_compute_latency_ms` (histogram) +* `vex_consensus_records_total` (counter) +* `vex_consensus_disputed_total` (counter by issuer combinations) +* `vex_consensus_staleness_seconds` (gauge) +* `vex_signature_verification_rate` (gauge) + +Logs: structured events with `tenant`, `policy_version`, `advisory_key`, `quorum_summary`. +Traces: spans for normalization, mapping, trust weighting, consensus decision, DB writes. + +### 3.14 Performance & scaling + +Targets: + +* P95 query under 500 ms for 100‑row pages at 10M consensus records/tenant. +* Projection jobs are idempotent and keyed by `(tenant, artifact, purl, version, advisory, policy)`; backpressure with work queues. +* Cache popular queries with tenant‑scoped TTL; invalidate on Excitator or policy changes. + +### 3.15 Edge cases + +* **Ambiguous product mapping:** mark low `scope_score`, cap weight, surface warning in UI. +* **VEX “not present” vs SBOM shows present:** down‑weight with `f_justification`, require manual check. 
+* **Withdrawn or superseded VEX:** decay to near zero; keep provenance. +* **Partial fixes:** if fixed version applies to subset of platforms, map to env or arch dimension when available. +* **Time travel:** consensus recalculated as of a timestamp using only evidence ≤ `as_of` and the corresponding policy version. + +--- + +## 4) Implementation plan + +### 4.1 Services + +* **VEX Lens Service (new)** + + * Normalization pipeline, trust weighting, consensus computation, and projections. + * Batch recompute on policy activation and Excitator deltas. + +* **Excitator (updates)** + + * Ensure all VEX evidence carries issuer hints and raw signature blobs when present. + * Publish product trees and original coordinates intact. + +* **Policy Engine (updates)** + + * Add VEX trust knobs, thresholds, recency decay, and status precedence. + * Batch eval endpoint accepts `consensus inputs` where needed. + +* **Issuer Directory (new)** + + * Manage issuer metadata and keys; tenant overrides; audit logs. + +### 4.2 Code structure + +``` +/src/StellaOps.VexLens + /normalizer + /mapping # CPE/purl translators + /trust # weighting functions + /consensus # algorithm and projections + /api +/src/StellaOps.Excititor # updates +/src/StellaOps.Policy # updates +/src/StellaOps.IssuerDirectory +/packages/console/features/vex-consensus +/src/StellaOps.Cli +``` + +### 4.3 Rollout + +* Phase 1: API read‑only with basic trust model, Console list/detail, no simulation. +* Phase 2: Policy Studio integrations and simulation. +* Phase 3: Issuer Directory admin flows, exports, and advanced mapping diagnostics. + +--- + +## 5) Documentation changes (create/update) + +1. `/docs/vex/consensus-overview.md` + Purpose, scope, terminology, evidence vs derived view, AOC guarantees. + +2. `/docs/vex/consensus-algorithm.md` + Normalization, mapping, weighting, thresholds, precedence, formulas, examples. + +3. `/docs/vex/issuer-directory.md` + Managing issuers, keys, trust overrides, security model. + +4. 
`/docs/vex/consensus-api.md` + Endpoints, request/response schemas, errors, pagination, rate limits. + +5. `/docs/vex/consensus-console.md` + Screens, filters, conflict workflows, a11y, deep links. + +6. `/docs/policy/vex-trust-model.md` + Policy knobs, thresholds, decay, simulation. + +7. `/docs/sbom/vex-mapping.md` + Product tree mapping to purl/version, ecosystem comparators, edge cases. + +8. `/docs/security/vex-signatures.md` + Signature verification flows, key management, auditing. + +9. `/docs/runbooks/vex-ops.md` + Recompute storms, mapping failures, signature errors, lag, quotas. + +All docs end with the imposed rule statement. + +--- + +## 6) Engineering tasks + +### Backend core + +* [ ] Implement normalization for CSAF VEX, OpenVEX, CycloneDX VEX. +* [ ] Build product mapping library (CPE→purl, vendor tokens→purl families). +* [ ] Implement signature verification (Ed25519/PKIX/DSSE) using Issuer Directory keys. +* [ ] Implement trust weighting functions and configurable parameters. +* [ ] Implement consensus algorithm with unit tests and property tests. +* [ ] Materialize `vex_consensus` projection with indexes and idempotent workers. +* [ ] Batch recompute on policy activation and Excitator deltas. + +### APIs & Integrations + +* [ ] `/vex/consensus` query, detail, simulate, export. +* [ ] Policy Engine: consume consensus signals; add thresholds and precedence. +* [ ] Vuln Explorer: show consensus chip and triage banners; deep link to Lens. + +### Issuer Directory + +* [ ] CRUD for issuers and keys, audit logs, RBAC. +* [ ] Import common CSAF publishers; seed with sane defaults. + +### Console + +* [ ] Build list grid with filters and saved views. +* [ ] Quorum bar and Evidence table with signature icons and scope quality tags. +* [ ] Conflict view for `DISPUTED`. +* [ ] Simulation drawer integrated with Policy Studio. + +### CLI + +* [ ] `stella vex consensus list|show|simulate|export` with JSON/CSV. 
+* [ ] Stable schemas; tests for piping and scripting. + +### Observability/Perf + +* [ ] Metrics, logs, traces as specified; dashboards. +* [ ] Load tests at 10M consensus records/tenant; optimize indexes and caches. + +### Docs + +* [ ] Author and cross‑link all docs listed in §5. +* [ ] Add examples and screenshots to Console doc. + +> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +--- + +## 7) Acceptance criteria + +* Normalization supports CSAF VEX, OpenVEX, CycloneDX VEX with product tree mapping to purls across npm, Maven, PyPI, Go, RPM/DEB. +* Signature verification works and affects weights; unverifiable signatures do not crash flows. +* Consensus outputs are reproducible, explainable, and queryable at scale. +* Vuln Explorer displays consensus state and affects policy outcomes per thresholds. +* Simulation reflects policy trust changes without side effects and returns rationale deltas. +* CLI/API feature parity; evidence and quorum are exportable. +* P95 performance budgets met; dashboards reflect health. + +--- + +## 8) Risks and mitigations + +* **Mapping errors (CPE→purl):** use conservative scope scores, cap weights, surface warnings, manual override hooks in Policy Studio. +* **Malicious or mistaken issuer:** signature verification plus trust weighting and tenancy overrides. +* **Evidence storms:** debounce recompute; batch and shard workers; backpressure and prioritization. +* **User confusion with conflicting VEX:** clear conflict UI, rationale chains, suggested actions, and policy banners. +* **Stale statements:** recency decay and expiry windows in policy. + +--- + +## 9) Test plan + +* **Unit:** status mapping, comparators per ecosystem, trust weighting, threshold math. +* **Property tests:** invariants such as monotonicity with added supporting evidence and idempotent recompute. 
+* **Integration:** Excitator→Lens→Policy→Vuln Explorer pipeline with signed/unsigned, conflicting, and stale evidence. +* **E2E Console:** list filters, detail with quorum, conflict workflows, export, simulation. +* **Security:** RBAC on Issuer Directory, CSRF for Console, signature verification path traversal guards. +* **Performance:** cold/hot query latencies, recompute throughput, cache hit ratios. +* **Determinism:** time‑travel snapshots reproduce prior consensus states. + +--- + +## 10) Philosophy + +* **Consensus, not replacement.** The Lens summarizes without erasing dissent. +* **Trust is contextual.** Tenants must tune weights and thresholds to their environments. +* **Proof over prose.** Every decision comes with math, provenance, and a rationale chain. +* **Safety by design.** When in doubt, surface conflicts instead of silently suppressing. + +> Final reminder: **Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.** diff --git a/EPIC_8.md b/EPIC_8.md new file mode 100644 index 00000000..101501e0 --- /dev/null +++ b/EPIC_8.md 
@@ -0,0 +1,440 @@ +Below is the “maximum documentation” bundle for Epic 8. It’s engineered to be pasted into your repo without turning into yet another unread wiki tomb. Slight sarcasm included to keep blood flowing. + +> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +--- + +# Epic 8: Advisory AI Assistant (summaries, conflict explain, remediation hints) + +**Short name:** `Advisory AI` +**Services touched:** Conseiller (Feedser), Excitator (Vexer), VEX Lens, SBOM Service, Policy Engine, Findings Ledger, Web API Gateway, Authority (authN/Z), Console (Web UI), CLI, Telemetry/Analytics +**AOC ground rule:** Conseiller and Excitator aggregate but never merge or mutate source docs. Advisory AI produces derived summaries and plans with strict provenance and citations. No silent rewriting of evidence. Ever. + +--- + +## 1) What it is + +Advisory AI is a tenant‑scoped, retrieval‑augmented assistant that turns noisy security advisories and VEX statements into three consumable artifacts: + +1. **Advisory Summary** + Condenses one or more advisories (CSAF, OSV, GHSA, vendor PDFs, distro notices) into a concise brief with key facts: affected ranges, exploit status, impact, known workarounds, fixed versions, and links. Always cites the exact sources and sections used. + +2. **Conflict Explain** + Explains why VEX statements or advisories disagree for a specific artifact and version. Uses the VEX Consensus Lens outputs and issuer trust model to produce a human‑readable, step‑by‑step explanation: who said what, where the product scoping diverges, and what policy thresholds caused the final state. + +3. **Remediation Hints** + Suggests practical next steps: upgrade paths compatible with your dependency graph, backports, config toggles, temporary policy suppressions, or compensating controls. Every hint is grounded in SBOM, environment, and policy. 
It ships as structured JSON plus a human summary, ready to paste into a ticket. + +It lives in the Console as a side panel, in the CLI for batch runs, and via APIs for automation. It does not change scanner results or consensus on its own. Humans remain in charge. The machine does the skimming and the math so humans can keep the judgment and the coffee. + +--- + +## 2) Why (brief) + +Advisories are long, inconsistent, and sometimes contradictory. Teams waste cycles reconciling PDFs with package manifests. The assistant eliminates that sludge: fast summaries, explicit conflict explanations, and remediation hints that are actually applicable to your software, not to an imaginary ideal project from 2013. + +--- + +## 3) How it should work (maximum detail) + +### 3.1 Capabilities + +* **Summaries** + + * Input: one advisory or a bundle linked by the same advisory key (CVE, GHSA, vendor‑ID), product scope, and environment. + * Output: + + * 150 to 300 words summary + * `AdvisorySummary JSON` (schema below) + * Citations with paragraph anchors + * Confidence label and coverage score (how much of the advisory set is represented) +* **Conflict Explain** + + * Input: `(artifact_id, purl, version, advisory_key)` tuple. + * Output: narrative plus a structured breakdown of consensus math, issuer votes, product mapping mismatches, and the exact policy knobs that tipped the result. +* **Remediation Hints** + + * Input: same tuple plus SBOM context and environment. + * Output: ranked list of remediation options with feasibility score, blast radius estimate (derived from dependency paths), effort class, and links to fixed versions. Includes “do nothing” when the VEX consensus is not affected. + +### 3.2 System design + +**Architecture diagram in words (because ASCII art is a crime):** + +1. **Retrievers** + + * Structured retriever over Conseiller’s normalized advisory fields. + * Vector retriever over advisory text chunks with paragraph anchors. 
+ * VEX retriever over Excitator evidence and VEX Lens consensus. + * SBOM retriever for purl, version, dependency paths, env flags. +2. **Deterministic resolvers** + + * Version comparators per ecosystem. + * Range satisfaction checks. + * Dependency path scorers and blast radius estimator. +3. **Orchestrator** + + * Task‑specific prompt templates for Summary, Conflict, Remediation. + * Tool calls to deterministics (version check, graph crawl) with results injected into the prompt as structured context. + * Strict token budgets and truncation rules to avoid model babble. +4. **Models** + + * Default: on‑prem inference container with mid‑sized model. + * Optional: tenant‑enabled remote inference. Disabled by default. + * Temperature locked low for summary and conflict. Slightly higher for remediation narrative phrasing. No creativity in facts. +5. **Guardrails** + + * Prompt injection defense by stripping or quarantining advisory text that tries to instruct the model. + * Fact boundary tagger. The assistant must only state facts that appear in structured inputs or cited chunks. + * Redaction of secrets before prompts. + * Output validator checks: required JSON fields, numeric ranges, valid version strings. 
+ +### 3.3 Data contracts + +**AdvisorySummary JSON** + +```json +{ + "advisory_key": "CVE-2025-12345", + "sources": [ + {"id":"csaf:vendorA:2025-001","uri":"...","sections":["2.1","3.4"]}, + {"id":"osv:pkg:npm/lodash","uri":"...","sections":["affected","references"]} + ], + "affected_ranges": [ + {"ecosystem":"npm","purl_family":"pkg:npm/lodash","introduced":"<4.17.15","fixed": "4.17.21"} + ], + "exploit_status": "no_known_exploit | poc_public | exploited_in_the_wild | n/a", + "impact": {"cvss":[{"vector":"CVSS:3.1/AV:N/...","score":7.5}], "cwes":["CWE-79"]}, + "workarounds": ["Disable feature X", "Set flag Y=false"], + "fixed_versions": ["4.17.21"], + "notes": "Vendor states not affected on platform Z due to build option W.", + "coverage_score": 0.86, + "generated_at": "2025-10-25T12:00:00Z" +} +``` + +**ConflictExplanation JSON** + +```json +{ + "tuple": {"artifact_id":"svc:checkout@1.9.0","purl":"pkg:npm/lodash@4.17.20","advisory_key":"CVE-2025-12345"}, + "consensus": {"state":"NOT_AFFECTED","confidence":0.82}, + "quorum": [ + {"issuer":"lodash-maintainers","status":"NOT_AFFECTED","weight":0.9,"sig":true,"justification":"component_not_present"}, + {"issuer":"vendorX-distro","status":"AFFECTED","weight":0.25,"sig":false,"justification":"generic"} + ], + "policy_factors": {"na_threshold":1.0,"aff_threshold":0.6,"recency_decay_days":90}, + "mapping_issues": [{"kind":"cpe_to_purl","score":0.6,"detail":"CPE wildcard matched multiple purls"}], + "explanation_steps": [ + "Exact purl match found for maintainer VEX; weight 0.9", + "Distro advisory generic; scope score 0.5; effective weight 0.25", + "NA threshold met. 
Result set to NOT_AFFECTED" + ] +} +``` + +**RemediationPlan JSON** + +```json +{ + "tuple": {"artifact_id":"svc:checkout@1.9.0","purl":"pkg:npm/lodash@4.17.20","advisory_key":"CVE-2025-12345"}, + "options": [ + { + "kind": "upgrade", + "target_version": "4.17.21", + "feasibility": 0.92, + "blast_radius": {"direct_callers":3,"transitive_depth":2}, + "effort": "low | medium | high", + "rationale": "Semver patch, no breaking APIs in release notes", + "links": ["release_notes_uri"] + }, + { + "kind": "workaround", + "action": "Set SAFE_MODE=true", + "feasibility": 0.6, + "blast_radius": {"feature_flags":["SAFE_MODE"]}, + "effort": "low", + "rationale": "Vendor states mitigation reduces attack surface on feature X" + } + ], + "preferred": 0, + "policy_effects": {"sla_days": 7, "severity_override": "medium_if_not_fixed"}, + "generated_at": "2025-10-25T12:00:00Z" +} +``` + +### 3.4 APIs + +``` +POST /advisory/ai/summary +{ + "advisory_key":"CVE-2025-12345", + "artifact_id":"svc:checkout@1.9.0", + "purl":"pkg:npm/lodash@4.17.20", + "sources":["csaf:*","osv:*"], // optional filters + "policy_version":"1.3.0", + "lang":"en" +} +-> 200 { "summary_text":"...", "summary": {AdvisorySummary}, "citations":[...] } + +POST /advisory/ai/conflict +{ + "artifact_id":"svc:checkout@1.9.0", + "purl":"pkg:npm/lodash@4.17.20", + "advisory_key":"CVE-2025-12345", + "policy_version":"1.3.0" +} +-> 200 { "explanation_text":"...", "explanation": {ConflictExplanation} } + +POST /advisory/ai/remediation +{ + "artifact_id":"svc:checkout@1.9.0", + "purl":"pkg:npm/lodash@4.17.20", + "advisory_key":"CVE-2025-12345", + "policy_version":"1.3.0", + "max_options":5, + "strategy_preference":["upgrade","backport","workaround"] +} +-> 200 { "plan_text":"...", "plan": {RemediationPlan} } + +POST /advisory/ai/batch +{ + "items":[ {tuple}, {tuple}, ... 
], + "task":"summary | conflict | remediation", + "policy_version":"1.3.0" +} +-> 207 multi-status +``` + +Status codes: `400` invalid, `403` RBAC, `404` missing evidence, `409` conflict lock, `422` output validation failed, `429` rate limit. + +### 3.5 Console (Web UI) + +* Surfaces: + + * Vuln Explorer detail: “Advisory AI” side panel with 3 tabs: Summary, Conflict, Remediation. + * Consensus Lens detail: prominent “Explain conflict” button. + * Policy Studio sim: “Show effect on assistant output” preview. + +* UX details: + + * Citations are footnotes with hover to show source paragraph. + * “Copy as ticket” produces Markdown and JSON. + * Plan options show feasibility bar, blast radius chips, and required approvals per policy. + * Injection warnings appear if advisory text included unsafe instructions. + +* A11y: ARIA tags for tabs, keyboard shortcuts `G` to generate, `R` to refresh, `C` to copy JSON. + +### 3.6 CLI + +``` +stella advise summarize --advisory CVE-2025-12345 --artifact svc:checkout@1.9.0 --purl pkg:npm/lodash@4.17.20 --policy 1.3.0 --json +stella advise explain --advisory CVE-2025-12345 --artifact svc:checkout@1.9.0 --purl pkg:npm/lodash@4.17.20 --policy 1.3.0 +stella advise remediate --advisory CVE-2025-12345 --artifact svc:checkout@1.9.0 --purl pkg:npm/lodash@4.17.20 --policy 1.3.0 --strategy upgrade,workaround --out plan.json +stella advise batch --file tuples.json --task remediation --policy 1.3.0 +``` + +Exit codes: `0` ok, `2` invalid args, `4` not found, `5` denied, `7` validation fail. + +### 3.7 RBAC and security + +* Roles: + + * Viewer can run summaries and read explanations. + * Operator can run remediation and export plans. + * Admin can toggle model endpoints and guardrail settings. + +* Defaults: + + * Remote model calls disabled. + * Redaction on. + * Prompt logging anonymized. + * Outputs stored as derived artifacts with TTL (default 30 days) unless pinned to a ticket. 
+
+### 3.8 Observability
+
+* Metrics:
+
+ * `advisory_ai_latency_ms` by task type.
+ * `advisory_ai_guardrail_blocks_total`.
+ * `advisory_ai_output_validation_fail_total`.
+ * `advisory_ai_citation_coverage` gauge.
+* Traces: retriever spans, tool calls, model inference, validator.
+* Logs: include tuple key, token usage, truncation events, and guardrail outcomes.
+
+### 3.9 Performance
+
+* Targets:
+
+ * P95 under 1.5 s for Summary and Conflict with warm caches.
+ * P95 under 2.5 s for Remediation on medium SBOMs (1000 packages).
+ * Batch throughput 10 tuples per second per worker.
+
+### 3.10 Edge cases
+
+* Advisory missing fixed versions: produce workaround‑only plan and mark feasibility low.
+* Conflicts with near‑tie weights: declare “DISPUTED” and require human approval, no auto plan preferred.
+* Exotic version schemes: fallback to string compare with warning and feasibility cap.
+* Private packages: no public release notes. Prefer internal changelog links if attached to artifact metadata.
+* Multi‑env differences: render per‑env deltas when policy knobs differ (dev vs prod).
+
+---
+
+## 4) Implementation plan
+
+### 4.1 Services and components
+
+* **New:** `src/StellaOps.AdvisoryAI`
+
+ * `retriever/` wrappers for Conseiller, Excitator, VEX Lens, SBOM.
+ * `deterministic/` version and path analyzers.
+ * `orchestrator/` task routers and prompt builders.
+ * `guardrails/` injection, redaction, output validator.
+ * `api/` REST endpoints and schema enforcement.
+
+* **Updates:**
+
+ * Conseiller: expose paragraph‑level anchors for advisories.
+ * Excitator: expose justifications and product trees in normalized form.
+ * VEX Lens: stable API for quorum and rationale.
+ * SBOM Service: efficient path queries and versions timeline per purl.
+
+### 4.2 Packaging
+
+* Container images:
+
+ * `stella/advisory-ai:<>`
+ * `stella/inference:<>` (if using on‑prem model)
+* Helm values to toggle remote inference and GPU.
+
+### 4.3 Rollout
+
+* Phase 1: Summary and Conflict read‑only.
+* Phase 2: Remediation with “Copy as ticket”.
+* Phase 3: Batch APIs, CLI, and Policy Studio simulation hooks.
+
+---
+
+## 5) Documentation changes
+
+Create or update the following files. Each doc ends with the imposed rule statement.
+
+1. `/docs/advisory-ai/overview.md`
+ What it is, capabilities, guardrails, AOC alignment, RBAC.
+
+2. `/docs/advisory-ai/architecture.md`
+ RAG design, retrievers, orchestrator, deterministics, models, caching.
+
+3. `/docs/advisory-ai/api.md`
+ Endpoint specs, payload schemas, error codes, examples.
+
+4. `/docs/advisory-ai/console.md`
+ Screens, actions, a11y, how citations work, copy‑as‑ticket.
+
+5. `/docs/advisory-ai/cli.md`
+ Command usage, exit codes, piping examples.
+
+6. `/docs/policy/assistant-parameters.md`
+ Temperature, max tokens, plan ranking weights, TTLs.
+
+7. `/docs/security/assistant-guardrails.md`
+ Redaction rules, injection defense, output validation, logging.
+
+8. `/docs/sbom/remediation-heuristics.md`
+ Feasibility scoring, blast radius, effort classes.
+
+9. `/docs/runbooks/assistant-ops.md`
+ Warmup, cache priming, model outages, scaling, on‑call steps.
+
+---
+
+## 6) Engineering tasks
+
+### Backend core
+
+* [ ] Implement structured and vector retrievers with paragraph anchors from Conseiller.
+* [ ] Implement VEX retriever using Lens APIs with caching.
+* [ ] Build deterministics: ecosystem comparators, range checks, dependency path scorer.
+* [ ] Implement orchestrator with task‑specific templates and tool call pipeline.
+* [ ] Implement guardrails and validators with hard failure on invalid JSON.
+* [ ] Add RBAC to endpoints and anonymized prompt logging.
+* [ ] Add caching layer with tuple‑keyed entries and policy version scoping.
+
+### Integrations
+
+* [ ] Conseiller: expose advisory chunk API and metadata needed for citations.
+* [ ] Excitator: ensure justifications and product trees are queryable.
+* [ ] VEX Lens: add “policy factors” endpoint for explanation rendering.
+* [ ] SBOM Service: implement `GET /sbom/paths?purl=...` and version timeline.
+
+### Console
+
+* [ ] Build Advisory AI panel with 3 tabs and citation tooltips.
+* [ ] Implement “Copy as ticket” (Markdown + JSON) and download.
+* [ ] Add injection warning banner when triggered.
+* [ ] Respect a11y requirements and shortcuts.
+
+### CLI
+
+* [ ] `stella advise summarize|explain|remediate|batch` with JSON output.
+* [ ] Add `--out` option to save plans and summaries.
+* [ ] Tests for piping and jq workflows.
+
+### Observability
+
+* [ ] Emit metrics and traces listed in §3.8.
+* [ ] Dashboards: latency, guardrail blocks, validation fails, coverage.
+
+### Docs
+
+* [ ] Write all files in §5 with examples and screenshots.
+* [ ] Cross‑link to VEX Lens and Vulnerability Explorer docs.
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+---
+
+## 7) Acceptance criteria
+
+* Summaries cite specific source sections and reflect affected ranges and fixed versions correctly for at least 95% of a validation set.
+* Conflict explanations enumerate issuers, weights, justifications, mapping issues, and policy thresholds that caused the consensus state.
+* Remediation plans output at least one feasible option when a fixed version exists and correctly flag “no public fix” cases.
+* JSON schemas validate for all outputs.
+* Console shows the panel with citations, copy‑as‑ticket, and a11y passes.
+* CLI produces identical JSON to API responses.
+* Guardrails block injection attempts and redact secrets in prompts.
+* P95 latency targets are met with warm caches.
+* No mutation of raw advisory or VEX evidence occurs anywhere in the pipeline.
+
+---
+
+## 8) Risks and mitigations
+
+* **Prompt injection in advisory text.** Strip instructions, sandbox chunks, and highlight to user when removed.
+* **Hallucinated facts.** Hard validation requires facts to appear in structured inputs or cited text. Fail closed if not provable.
+* **Mapping errors produce bad hints.** Depend on SBOM Graph and VEX Lens scope scores; cap feasibility when scope is weak.
+* **Model outage.** Degrade to deterministic summaries (shorter, but accurate).
+* **Privacy concerns.** Default on‑prem inference, remote endpoints opt‑in with clear flags and audit logs.
+
+---
+
+## 9) Test plan
+
+* **Unit:** version comparators, range checks, feasibility scoring, output validators.
+* **Golden files:** advisory sets mapped to expected summaries and plans; diff on each build.
+* **Injection tests:** adversarial advisories with “ignore prior instructions” payloads must be neutralized.
+* **Integration:** Conseiller→Advisory AI→Console loop, with VEX Lens conflicts and SBOM graph lookups.
+* **E2E:** generate summary, explanation, and plan for representative ecosystems (npm, Maven, PyPI, Go, RPM/DEB).
+* **Perf:** soak tests with 5k tuples batch; observe cache hit ratios and P95.
+* **A11y:** keyboard navigation and screen reader labels.
+
+---
+
+## 10) Philosophy
+
+* **Facts first.** If it is not in structured inputs or citations, it does not exist.
+* **Explain everything.** Humans should see exactly why the tool said what it said.
+* **Helpful by default.** Plans must consider the real dependency graph and environment, not fantasy.
+* **No silent merges.** Evidence is sacred. Summaries and plans are separate, auditable derivatives.
+
+> Final reminder: **Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.**
diff --git a/EPIC_9.md b/EPIC_9.md
new file mode 100644
index 00000000..dd4f3ec1
--- /dev/null
+++ b/EPIC_9.md
@@ -0,0 +1,523 @@
+Below is the “maximum documentation” bundle for Epic 9. Paste it into your repo and pretend the ingestion chaos was always under control.
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+---
+
+# Epic 9: Source & Job Orchestrator Dashboard
+
+**Short name:** `Orchestrator Dashboard`
+**Primary service:** `orchestrator` (scheduler, queues, rate‑limits, job state)
+**Surfaces:** Console (Web UI), CLI, Web API
+**Touches:** Conseiller (Feedser), Excitator (Vexer), VEX Consensus Lens, SBOM Service, Policy Engine, Findings Ledger, Authority (authN/Z), Telemetry/Analytics, Object Storage, Relational DB, Message Bus
+
+**AOC ground rule:** Conseiller and Excitator aggregate but never merge. The orchestrator schedules, tracks and recovers jobs; it does not transform evidence beyond transport and storage. No “smart” merging in flight.
+
+---
+
+## 1) What it is
+
+The Source & Job Orchestrator Dashboard is the control surface for every data source and pipeline run across StellaOps. It gives operators:
+
+* Live health of all advisory/VEX/SBOM sources and derived jobs.
+* End‑to‑end pipeline visibility as DAGs and timelines.
+* Controls for pausing, backfilling, replaying, throttling and retrying.
+* Error pattern analysis, rate‑limit observability and backpressure insights.
+* Provenance and audit trails from initial fetch through parse, normalize, index and policy evaluation.
+
+The dashboard sits over the `orchestrator` service, which maintains job state, schedules runs, enforces quotas and rate limits, and collects metrics from worker pools embedded in Conseiller, Excitator, SBOM and related services.
+
+---
+
+## 2) Why (brief)
+
+Ingestion breaks quietly and then loudly. Without a unified control plane, you learn about it from angry users or empty indexes. This dashboard shortens incident MTTR, enables safe backfills, and makes compliance reviewers stop sending emails with twelve attachments and one emoji.
+
+---
+
+## 3) How it should work (maximum detail)
+
+### 3.1 Capabilities
+
+* **Source registry**
+
+ * Register, tag and version connectors (OSV, GHSA, CSAF endpoints, vendor PDF scrapers, distro feeds, RSS, S3 drops, internal registries).
+ * Store connection details, secrets (via KMS), rate‑limit policy, schedules, and ownership metadata.
+ * Validate and “test connection” safely.
+
+* **Job orchestration**
+
+ * Create DAGs composed of job types: `fetch`, `parse`, `normalize`, `dedupe`, `index`, `consensus_compute`, `policy_eval`, `crosslink`, `sbom_ingest`, `sbom_index`.
+ * Priorities, queues, concurrency caps, exponential backoff, circuit breakers.
+ * Idempotency keys and output artifact hashing to avoid duplicate work.
+ * Event‑time watermarks for backfills without double counting.
+
+* **Observability & control**
+
+ * Gantt timeline and real‑time DAG view with critical path highlighting.
+ * Backpressure and queue depth heatmaps.
+ * Error clustering by class (HTTP 429, TLS, schema mismatch, parse failure, upstream 5xx).
+ * Per‑source SLOs and SLA budgets with burn‑rate alerts.
+ * One‑click actions: retry, replay range, pause/resume, throttle/unthrottle, reroute to canary workers.
+
+* **Provenance & audit**
+
+ * Immutable run ledger linking input artifact → every job → output artifact.
+ * Schema version tracking and drift detection.
+ * Operator actions recorded with reason and ticket reference.
+
+* **Safety**
+
+ * Secret redaction everywhere.
+ * Tenant isolation at API, queue and storage layers.
+ * AOC: no in‑flight merges of advisory or VEX content.
+
+### 3.2 Core architecture
+
+* **orchestrator (service)**
+
+ * Maintains job state in Postgres (`sources`, `runs`, `jobs`, `artifacts`, `dag_edges`, `quotas`, `schedules`).
+ * Publishes work to a message bus (e.g., `topic.jobs.ready.`).
+ * Distributed token‑bucket rate limiter per source/tenant/host.
+ * Watchdog for stuck jobs and circuit breakers for flapping sources.
+ * Watermark manager for backfills (event‑time windows).
+
+* **worker SDK**
+
+ * Lightweight library embedded in Conseiller/Excitator/SBOM workers to:
+
+ * Claim work, heartbeat, update progress, report metrics.
+ * Emit artifact metadata and checksums.
+ * Enforce idempotency via orchestrator‑supplied key.
+
+* **object store**
+
+ * Raw payloads and intermediate artifacts organized by schema and hash:
+
+ * `advisory/raw///.json|pdf`
+ * `advisory/normalized//.json`
+ * `vex/raw|normalized/...`
+ * `sbom/raw|graph/...`
+
+* **web API**
+
+ * CRUD for sources, runs, jobs, schedules, quotas.
+ * Control actions (retry, cancel, pause, backfill).
+ * Streaming updates via WebSocket/SSE for the Console.
+
+* **console**
+
+ * React app consuming Orchestrator APIs, rendering DAGs, timelines, health charts and action panels with RBAC.
+
+### 3.3 Data model (selected tables)
+
+* `sources`
+
+ * `id`, `kind` (`advisory|vex|sbom|internal`), `subtype` (e.g., `osv`, `ghsa`, `csaf`, `vendor_pdf`), `display_name`, `owner_team`, `schedule_cron`, `rate_policy`, `enabled`, `secrets_ref`, `tags`, `schema_hint`, `created_at`, `updated_at`.
+
+* `runs`
+
+ * `id`, `source_id`, `trigger` (`schedule|manual|event|backfill`), `window_start`, `window_end`, `state`, `started_at`, `finished_at`, `stats_json`.
+
+* `jobs`
+
+ * `id`, `run_id`, `type`, `queue`, `priority`, `state` (`pending|running|succeeded|failed|canceled|deadletter`), `attempt`, `max_attempt`, `idempotency_key`, `input_artifact_id`, `output_artifact_id`, `worker_id`, `created_at`, `started_at`, `finished_at`, `error_class`, `error_message`, `metrics_json`.
+
+* `dag_edges`
+
+ * `from_job_id`, `to_job_id`, `edge_kind` (`success_only|always`).
+
+* `artifacts`
+
+ * `id`, `kind` (`raw|normalized|index|consensus`), `schema_ver`, `hash`, `uri`, `bytes`, `meta_json`, `created_at`.
+
+* `quotas`
+
+ * `tenant_id`, `resource` (`requests_per_min`, `concurrent_jobs`), `limit`, `window_sec`.
+
+* `schedules`
+
+ * Per‑source cron plus jitter, timezone, blackout windows.
+
+### 3.4 Job lifecycle
+
+1. **Plan**
+ Scheduler creates a `run` for a source and plans a DAG: e.g., `fetch → parse → normalize → dedupe → index → policy_eval` (advisory) or `fetch → parse → normalize → consensus_compute` (VEX).
+
+2. **Enqueue**
+ Ready nodes become `jobs` with queue, priority, idempotency key and optional rate‑limit tokens reserved.
+
+3. **Execute**
+ Worker claims job, heartbeats every N seconds. Output artifacts are stored and linked. Failures are classified and retried with exponential backoff and jitter, up to `max_attempt`.
+
+4. **Complete**
+ Downstream nodes unblock. On run completion, orchestrator computes SLO deltas and emits run summary.
+
+5. **Dead‑letter**
+ Jobs exceeding attempts move to a DLQ with structured context and suggested remediation.
+
+### 3.5 Scheduling, backpressure, rate‑limits
+
+* **Token bucket** per `{tenant, source.host}` with adaptive refill if upstream 429/503 seen.
+* **Concurrency caps** per source and per job type to avoid thundering herd.
+* **Backpressure signals** from queue depth, worker CPU, and upstream error rates; scheduler reduces inflight issuance accordingly.
+* **Backfills** use event‑time windows with immutable watermarks to avoid re‑processing.
+* **Blackout windows** for vendor maintenance periods.
+
+### 3.6 APIs
+
+```
+POST /orchestrator/sources
+GET /orchestrator/sources?kind=&tag=&q=
+GET /orchestrator/sources/{id}
+PATCH /orchestrator/sources/{id}
+POST /orchestrator/sources/{id}/actions:test|pause|resume|sync-now
+POST /orchestrator/sources/{id}/backfill { "from":"2024-01-01", "to":"2024-03-01" }
+
+GET /orchestrator/runs?source_id=&state=&from=&to=
+GET /orchestrator/runs/{run_id}
+GET /orchestrator/runs/{run_id}/dag
+POST /orchestrator/runs/{run_id}/cancel
+
+GET /orchestrator/jobs?state=&type=&queue=&source_id=
+GET /orchestrator/jobs/{job_id}
+POST /orchestrator/jobs/{job_id}/actions:retry|cancel|prioritize
+
+GET /orchestrator/metrics/overview
+GET /orchestrator/errors/top?window=1h
+GET /orchestrator/quotas
+PATCH /orchestrator/quotas/{tenant_id}
+WS /orchestrator/streams/updates
+```
+
+### 3.7 Console (Web UI)
+
+* **Overview**
+
+ * KPI tiles: sources healthy, runs in progress, queue depth, error rate, burn‑rate to SLO.
+ * Heatmap of source health by last 24h success ratio.
+
+* **Sources**
+
+ * Grid with filters, inline status (active, paused, throttled), next run eta, last error class.
+ * Detail panel: config, secrets status (redacted), schedule, rate limits, ownership, run history, action buttons.
+
+* **Runs**
+
+ * Timeline (Gantt) with critical path, duration distribution, and per‑stage breakdown.
+ * Run detail: DAG view with node metrics, artifacts, logs, action menu (cancel).
+
+* **Jobs**
+
+ * Live table with state filters and “tail” view.
+ * Job detail: payload preview (redacted), worker, attempts, stack traces, linked artifacts.
+
+* **Errors**
+
+ * Clusters by class and signature, suggested remediations (pause source, lower concurrency, patch parser).
+
+* **Queues & Backpressure**
+
+ * Per‑queue depth, service rate, inflight, age percentiles.
+ * Rate‑limit tokens graphs per source host.
+
+* **Controls**
+
+ * Backfill wizard with event‑time preview and safety checks.
+ * Canary routing: route 5% of next 100 runs to a new worker pool.
+
+* **A11y**
+
+ * Keyboard nav, ARIA roles for DAG nodes, live regions for updates, color‑blind friendly graphs.
+
+### 3.8 CLI
+
+```
+stella orch sources list --kind advisory --tag prod
+stella orch sources add --file source.yaml
+stella orch sources test
+stella orch sources pause # or resume
+stella orch sources sync-now
+stella orch sources backfill --from 2024-01-01 --to 2024-03-01
+
+stella orch runs list --source --state running
+stella orch runs show --dag
+stella orch runs cancel
+
+stella orch jobs list --state failed --type parse --limit 100
+stella orch jobs retry
+stella orch jobs cancel
+stella orch jobs tail --queue normalize --follow
+
+stella orch quotas get --tenant default
+stella orch quotas set --tenant default --concurrent-jobs 50 --rpm 1200
+```
+
+Exit codes: `0` success, `2` invalid args, `4` not found, `5` denied, `7` precondition failed, `8` rate‑limited.
+
+### 3.9 RBAC & security
+
+* **Roles**
+
+ * `Orch.Viewer`: read‑only sources/runs/jobs/metrics.
+ * `Orch.Operator`: perform actions on sources and jobs, launch backfills.
+ * `Orch.Admin`: manage quotas, schedules, connector versions, and delete sources.
+
+* **Secrets**
+
+ * Stored only as references to your KMS; never persisted in cleartext.
+ * Console shows redact badges and last rotated timestamp.
+
+* **Tenancy**
+
+ * Source, run, job rows scoped by tenant id.
+ * Queue names and token buckets namespaced per tenant.
+
+* **Compliance**
+
+ * Full audit log for every operator action with “reason” and optional ticket link.
+ * Exportable run ledger for audits.
+
+### 3.10 Observability
+
+* **Metrics (examples)**
+
+ * `orch_jobs_inflight{type,queue}`
+ * `orch_jobs_latency_ms{type,percentile}`
+ * `orch_rate_tokens_available{source}`
+ * `orch_error_rate{source,error_class}`
+ * `orch_slo_burn_rate{source,slo}`
+ * `orch_deadletter_total{source,type}`
+
+* **Traces**
+
+ * Span per job with baggage: `run_id`, `source_id`, `artifact_id`.
+ * Links across services to Conseiller/Excitator/SBOM workers.
+
+* **Logs**
+
+ * Structured JSON with correlation ids, attempt numbers and redacted payload previews.
+
+### 3.11 Performance targets
+
+* Job dispatch P95 < 150 ms after dependency satisfied.
+* Scheduler loop P95 < 500 ms for 10k pending jobs.
+* Console live updates sub‑second at 1k events/sec per tenant.
+* Backfill throughput ≥ 200 jobs/sec per worker pool with zero dupes.
+
+### 3.12 Edge cases & behaviors
+
+* **Upstream 429 storms:** auto‑throttle, pause optional, recommend extended jitter.
+* **Schema drift:** parser moves job to DLQ with `error_class=schema_mismatch` and opens a change ticket via webhook.
+* **Flapping source:** circuit breaker opens after N consecutive failures; requires human “resume”.
+* **Clock skew:** watermark logic uses upstream event time; large skews flagged.
+* **Idempotency collisions:** new attempt yields no‑op if artifact hash already exists.
+
+---
+
+## 4) Implementation plan
+
+### 4.1 Modules (new and updated)
+
+* New service: `src/StellaOps.Orchestrator`
+
+ * `api/` REST + WS handlers
+ * `scheduler/` run planner, DAG builder, watermark/backfill logic
+ * `queues/` publisher and consumer abstractions
+ * `ratelimit/` token bucket and adaptive controller
+ * `state/` Postgres repositories and migrations
+ * `audit/` action logging and export
+ * `metrics/` Prometheus exporters
+ * `security/` tenant scoping, KMS client, secret refs
+
+* Worker SDKs:
+
+ * `src/StellaOps.Orchestrator.WorkerSdk.Go` and `src/StellaOps.Orchestrator.WorkerSdk.Python` with job claim, heartbeat, progress, artifact publish, and structured error reporting.
+
+* Console:
+
+ * `console/apps/orch/` pages: Overview, Sources, Runs, Jobs, Errors, Queues.
+ * `components/dag-view/`, `components/gantt/`, `components/health-heatmap/`.
+
+* Updates to existing services:
+
+ * Conseiller/Excitator/SBOM workers adopt SDK and emit artifacts with schema/version/fingerprint.
+ * VEX Lens exposes `consensus_compute` as a jobable operation.
+ * Policy Engine exposes `policy_eval` as a job type for scheduled recalcs.
+
+### 4.2 Packaging & deployment
+
+* Containers:
+
+ * `stella/orchestrator:`
+ * `stella/worker-sdk-examples:` for canary pools
+
+* Helm values:
+
+ * Queues/topics, per‑tenant concurrency, rate‑limit defaults, WS replica count.
+ * KMS integration secrets.
+
+* Migrations:
+
+ * Flyway/Goose migrations for new tables and indexes.
+
+### 4.3 Rollout strategy
+
+* Phase 1: Read‑only dashboard fed by existing job tables; no controls.
+* Phase 2: Control actions enabled for non‑prod tenants.
+* Phase 3: Backfills and quota management, then GA.
+
+---
+
+## 5) Documentation changes
+
+Create/update the following, each ending with the imposed rule statement.
+
+1. `/docs/orchestrator/overview.md`
+ Concepts, roles, responsibilities, AOC alignment.
+
+2. `/docs/orchestrator/architecture.md`
+ Scheduler, DAGs, watermarks, queues, rate‑limits, data model.
+
+3. `/docs/orchestrator/api.md`
+ Endpoints, WebSocket events, error codes, examples.
+
+4. `/docs/orchestrator/console.md`
+ Screens, actions, a11y, live updates.
+
+5. `/docs/orchestrator/cli.md`
+ Commands, examples, exit codes, scripting patterns.
+
+6. `/docs/orchestrator/run‑ledger.md`
+ Provenance and audit export format.
+
+7. `/docs/security/secrets‑handling.md`
+ KMS references, redaction rules, operator hygiene.
+
+8. `/docs/operations/orchestrator‑runbook.md`
+ Common failures, backfill guide, circuit breakers, tuning.
+
+9. `/docs/schemas/artifacts.md`
+ Artifact kinds, schema versions, hashing, storage layout.
+
+10. `/docs/slo/orchestrator‑slo.md`
+ SLO definitions, measurement, alerting.
+
+---
+
+## 6) Engineering tasks
+
+### Backend (orchestrator)
+
+* [ ] Stand up Postgres schemas and indices for sources, runs, jobs, dag_edges, artifacts, quotas, schedules.
+* [ ] Implement scheduler: DAG planner, dependency resolver, critical path computation.
+* [ ] Implement rate limiter with adaptive behavior on 429/503 and per‑tenant tokens.
+* [ ] Implement watermark/backfill manager with event‑time windows and idempotency keys.
+* [ ] Implement API endpoints + OpenAPI spec + request validation.
+* [ ] Implement WebSocket/SSE event stream for live updates.
+* [ ] Implement audit logging and export.
+* [ ] Implement dead‑letter store and replay.
+
+### Worker SDKs and integrations
+
+* [ ] Build Go/Python SDKs with claim/heartbeat/progress API.
+* [ ] Integrate SDK into Conseiller, Excitator, SBOM workers; ensure artifact emission with schema ver.
+* [ ] Add `consensus_compute` and `policy_eval` as job types with deterministic inputs/outputs.
+
+### Console
+
+* [ ] Overview tiles and health heatmap.
+* [ ] Source list/detail with actions and config view.
+* [ ] Runs timeline (Gantt) and DAG visualization with node inspector.
+* [ ] Jobs “tail” with live updates and filters.
+* [ ] Errors clustering and suggested remediations.
+* [ ] Queues/backpressure dashboard.
+* [ ] Backfill wizard with safety checks.
+
+### Observability
+
+* [ ] Emit metrics listed in §3.10 and wire traces across services.
+* [ ] Dashboards: health, queue depth, error classes, burn‑rate, dispatch latency.
+* [ ] Alerts for SLO burn and circuit breaker opens.
+
+### Security & RBAC
+
+* [ ] Enforce tenant scoping on all endpoints; test leakage.
+* [ ] Wire KMS for secret refs and redact everywhere.
+* [ ] Implement `Orch.Viewer|Operator|Admin` roles and check in Console and API.
+
+### Docs
+
+* [ ] Author all files in §5 with examples and screenshots.
+* [ ] Cross‑link from Conseiller/Excitator/SBOM pages to the dashboard docs.
+* [ ] Append imposed rule to each page.
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+---
+
+## 7) Acceptance criteria
+
+* Operators can: pause/resume a source, run “sync‑now,” initiate a backfill for a date range, and retry/cancel individual jobs from Console and CLI.
+* DAG and timeline reflect reality within 1 second of job state changes at P95.
+* Backfills do not create duplicate artifacts; idempotency proven by hash equality.
+* Rate limiter reduces 429s by ≥80% under simulated throttle tests.
+* Audit log includes who/when/why for every operator action.
+* Provenance ledger exports a complete chain for any artifact.
+* RBAC prevents non‑admins from quota changes; tenancy isolation proven via automated tests.
+* SLO dashboard shows burn‑rate and triggers alerts under injected failure.
+
+---
+
+## 8) Risks & mitigations
+
+* **Orchestrator becomes a single bottleneck.**
+ Horizontal scale stateless workers; DB indexes tuned; job state updates batched; cache hot paths.
+
+* **Secret spillage.**
+ Only KMS references stored; aggressive redaction; log scrubbing in SDK.
+
+* **Over‑eager backfills overwhelm upstream.**
+ Enforce per‑source quotas and sandbox previews; dry‑run backfills first.
+
+* **Schema drift silently corrupts normalization.**
+ Hard‑fail on mismatch; DLQ with clear signatures; schema registry gating.
+
+* **Flapping sources cause alert fatigue.**
+ Circuit breaker with cool‑down and deduped alerts; error budget policy.
+
+---
+
+## 9) Test plan
+
+* **Unit**
+ Scheduler DAG building, topological sort, backoff math, token bucket, watermark math.
+
+* **Integration**
+ Orchestrator ↔ worker SDK, artifact store wiring, DLQ replay, audit pipeline.
+
+* **Chaos**
+ Inject 429 storms, packet loss, worker crashes; verify throttling and recovery.
+
+* **Backfill**
+ Simulate overlapping windows and verify idempotency and watermark correctness.
+
+* **Perf**
+ 10k concurrent jobs: dispatch latency, DB contention, WebSocket fan‑out.
+
+* **Security**
+ Multi‑tenant isolation tests; KMS mock tests for secret access; RBAC matrix.
+
+* **UX/A11y**
+ Screen reader labels on DAG, keyboard navigation, live region updates.
+
+---
+
+## 10) Philosophy
+
+* **Make the invisible visible.** Pipelines should be legible at a glance.
+* **Prefer reproducibility to heroics.** Idempotency and provenance over “we think it ran.”
+* **Safeguards before speed.** Throttle first, retry thoughtfully, never melt upstreams.
+* **No silent merges.** Evidence remains immutable; transformations are explicit, logged and reversible.
+
+> Final reminder: **Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.**
diff --git a/EXECPLAN.md b/EXECPLAN.md
index 048e5702..826d2530 100644
--- a/EXECPLAN.md
+++ b/EXECPLAN.md
@@ -3,13 +3,11 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 ## Wave Instructions
 ### Wave 0
-- Team Attestor Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Attestor/TASKS.md`. ATTESTOR-API-11-201, ATTESTOR-VERIFY-11-202, and ATTESTOR-OBS-11-203 are DONE (2025-10-19); continue monitoring Rekor inclusion proofs/archives and keep module docs/tests aligned.
 - Team Authority Core & Security Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Authority/TASKS.md`. Focus on AUTH-DPOP-11-001 (DONE 2025-10-20), AUTH-MTLS-11-002 (DONE 2025-10-23). Confirm prerequisites (none) before starting and report status in module TASKS.md.
 - Team Authority Core & Storage Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Authority/TASKS.md`. Focus on AUTHSTORAGE-MONGO-08-001 (DONE 2025-10-19). Confirm prerequisites (none) before starting and report status in module TASKS.md.
 - Team DevEx/CLI: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Cli/TASKS.md`. Focus on EXCITITOR-CLI-01-002 (TODO), CLI-RUNTIME-13-005 (TODO). Confirm prerequisites (external: EXCITITOR-CLI-01-001, EXCITITOR-EXPORT-01-001) before starting and report status in module TASKS.md.
 - Team DevOps Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `ops/devops/TASKS.md`. Focus on DEVOPS-SEC-10-301 (DONE 2025-10-20); Wave 0A prerequisites reconfirmed so remediation work may proceed. Keep module TASKS.md/Sprints in sync as patches land.
 - Team Diff Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Scanner.Diff/TASKS.md`. SCANNER-DIFF-10-501/502/503 all closed on 2025-10-19; keep determinism fixtures green and sync downstream consumers as Emit/Diff integration tickets arise.
-- Team Scanner Storage Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Scanner.Storage/TASKS.md`. Focus on SCANNER-STORAGE-11-401 (DONE 2025-10-23) to migrate MinIO integrations to RustFS; ensure prerequisites (SCANNER-STORAGE-09-302) stay satisfied before execution and record status in module TASKS.md.
 - Team Docs Guild, Plugin Team: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `docs/TASKS.md`. Focus on DOC4.AUTH-PDG (REVIEW). Confirm prerequisites (none) before starting and report status in module TASKS.md.
 - Team Docs/CLI: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Cli/TASKS.md`. Focus on EXCITITOR-CLI-01-003 (TODO). Confirm prerequisites (external: EXCITITOR-CLI-01-001) before starting and report status in module TASKS.md.
 - Team Emit Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Scanner.Emit/TASKS.md`. Sprint 10 composition milestones (10-601..10-606) wrapped 2025-10-22 and SCANNER-EMIT-10-607 completed alongside; remaining watch item is SCANNER-EMIT-17-701 (Wave 1) with build-id enrichment.
@@ -24,7 +22,6 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 - Team Policy Guild: Sprint 9 core tasks (POLICY-CORE-09-004/005/006) closed on 2025-10-19; ensure downstream consumers refresh against the published scoring config + quiet/unknown outputs and raise follow-up tasks if additional polish is required.
 - Team Runtime Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `docs/TASKS.md`. Focus on RUNTIME-GUILD-09-402 (TODO). Confirm prerequisites (external: SCANNER-POLICY-09-107) before starting and report status in module TASKS.md.
 - Team Scanner WebService Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Scanner.WebService/TASKS.md`. Focus on SCANNER-EVENTS-15-201 (DONE 2025-10-20). Confirm prerequisites (none) before starting and report status in module TASKS.md.
-- Team Scanner WebService Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/StellaOps.Scanner.WebService/TASKS.md`. Focus on SCANNER-EVENTS-16-301 (BLOCKED 2025-10-20). Wait for NOTIFY-QUEUE-15-401 before attempting integration.
 - Team Scheduler ImpactIndex Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Scheduler.ImpactIndex/TASKS.md`. Focus on SCHED-IMPACT-16-300 (DONE 2025-10-20) and ensure the temporary stub removal note stays tracked. Confirm prerequisites (external: SAMPLES-10-001) before starting and report status in module TASKS.md.
 - Team Scheduler Models Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Scheduler.Models/TASKS.md`. SCHED-MODELS-16-103 completed (2025-10-20); ensure downstream teams consume the migration helpers and log upgrade warnings.
 - Team Scheduler Queue Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Scheduler.Queue/TASKS.md`. SCHED-QUEUE-16-401 completed (2025-10-20); proceed with Wave 1 queue enhancements.
@@ -49,21 +46,31 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 - Team Team WebService & Authority: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md`, `src/StellaOps.Concelier.WebService/TASKS.md`. Focus on SEC2.PLG (DOING), SEC3.PLG (DOING), SEC5.PLG (DOING), PLG4-6.CAPABILITIES (BLOCKED), PLG6.DIAGRAM (TODO), PLG7.RFC (REVIEW), FEEDWEB-DOCS-01-001 (DOING), FEEDWEB-OPS-01-006 (TODO), FEEDWEB-OPS-01-007 (BLOCKED). Confirm prerequisites (none) before starting and report status in module TASKS.md.
 - Team Tools Guild, BE-Conn-MSRC: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Concelier.Connector.Common/TASKS.md`. Focus on FEEDCONN-SHARED-STATE-003 (**TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md.
 - Team UX Specialist, Angular Eng: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Web/TASKS.md`. Focus on WEB1.TRIVY-SETTINGS (DONE 2025-10-21), WEB1.TRIVY-SETTINGS-TESTS (DONE 2025-10-21), and WEB1.DEPS-13-001 (DONE 2025-10-21). Confirm prerequisites (none) before starting and report status in module TASKS.md.
-- Team Zastava Core Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Zastava.Core/TASKS.md`. Focus on ZASTAVA-CORE-12-201 (DONE 2025-10-23), ZASTAVA-CORE-12-202 (DONE 2025-10-23), ZASTAVA-CORE-12-203 (DONE 2025-10-23), ZASTAVA-OPS-12-204 (DONE 2025-10-23). Confirm prerequisites (none) before starting and report status in module TASKS.md.
-- Team Zastava Webhook Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/StellaOps.Zastava.Webhook/TASKS.md`. Focus on ZASTAVA-WEBHOOK-12-101 (DONE 2025-10-24), ZASTAVA-WEBHOOK-12-102 (DONE 2025-10-24), ZASTAVA-WEBHOOK-12-103 (DONE 2025-10-24), ZASTAVA-WEBHOOK-12-104 (DONE 2025-10-24). Confirm prerequisites (none) before starting and report status in module TASKS.md.
### Wave 1
-- Team Bench Guild, Language Analyzer Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `bench/TASKS.md`. Focus on BENCH-SCANNER-10-002 (TODO). Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-301 (Wave 0)) before starting and report status in module TASKS.md.
+- Team Concelier WebService Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Concelier.WebService/TASKS.md`. Focus on CONCELIER-WEB-AOC-19-001/002/003/004 (TODO). Confirm prerequisites (WEB-AOC-19-001, CONCELIER-CORE-AOC-19-001, CONCELIER-STORE-AOC-19-001) before starting and record progress in TASKS.md.
+- Team Concelier Core Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Concelier.Core/TASKS.md`. Focus on CONCELIER-CORE-AOC-19-001/002/003/004 (TODO). Coordinate with Policy team on derived-data removal.
+- Team Concelier Storage Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Concelier.Storage.Mongo/TASKS.md`. Prioritise CONCELIER-STORE-AOC-19-001/002/003/004 (TODO) and align validator rollout with DevOps.
+- Team Excititor WebService Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Excititor.WebService/TASKS.md`. Focus on EXCITITOR-WEB-AOC-19-001/002/003/004 (TODO). Ensure parity with Concelier ingestion guard.
+- Team Excititor Core Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Excititor.Core/TASKS.md`. Focus on EXCITITOR-CORE-AOC-19-001/002/003/004 (TODO).
+- Team Excititor Storage Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Excititor.Storage.Mongo/TASKS.md`. Work on EXCITITOR-STORE-AOC-19-001/002/003/004 (TODO) with migration dry-run plans.
+- Team Excititor Worker Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Excititor.Worker/TASKS.md`. Focus on EXCITITOR-WORKER-AOC-19-001/002/003 (TODO) coordinating signature enforcement with storage guard.
+- Team BE-Base Platform Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Web/TASKS.md`. Deliver WEB-AOC-19-001/002/003 (TODO) to unblock ingestion services.
+- Team Policy Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Policy/TASKS.md`. Work on POLICY-AOC-19-001/002/003/004 (TODO) to keep derived data policy-only.
+- Team Authority Core & Security Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Authority/TASKS.md`. Prioritise AUTH-AOC-19-001/002/003 (TODO) for new scopes + tenancy.
+- Team DevEx/CLI Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Cli/TASKS.md`. Focus on CLI-AOC-19-001/002/003 (TODO) and sync exit codes with services.
+- Team UI Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.UI/TASKS.md`. Execute UI-AOC-19-001/002/003 (TODO) using new verify endpoints.
+- Team DevOps Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `ops/devops/TASKS.md`. Implement DEVOPS-AOC-19-001/002/003 (TODO) to gate CI with new guards.
+- Team Docs Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `docs/TASKS.md`. Cover DOCS-AOC-19-001..008 (TODO) aligning docs with new ingestion contract.
+- Team Bench Guild, Language Analyzer Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Bench/TASKS.md`. Focus on BENCH-SCANNER-10-002 (TODO). Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-301 (Wave 0)) before starting and report status in module TASKS.md.
 - Team DevEx/CLI, QA Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Cli/TASKS.md`. Focus on CLI-RUNTIME-13-009 (TODO). Confirm prerequisites (internal: CLI-RUNTIME-13-005 (Wave 0)) before starting and report status in module TASKS.md.
-- Team DevOps Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `ops/devops/TASKS.md`. Focus on DEVOPS-REL-14-001 (DOING 2025-10-23). 
Confirm prerequisites (internal: ATTESTOR-API-11-201 (Wave 0), SIGNER-API-11-101 (Wave 0)) before starting and report status in module TASKS.md.
+- Team DevOps Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `ops/devops/TASKS.md`. Focus on DEVOPS-REL-14-001 (DOING 2025-10-23). Confirm prerequisites (internal: SIGNER-API-11-101 (Wave 0)) before starting and report status in module TASKS.md.
 - Team DevOps Guild, Scanner WebService Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `ops/devops/TASKS.md`. Focus on DEVOPS-SCANNER-09-204 (TODO). Confirm prerequisites (internal: SCANNER-EVENTS-15-201 (Wave 0)) before starting and report status in module TASKS.md.
 - Team Emit Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Scanner.Emit/TASKS.md`. SCANNER-EMIT-10-607 shipped 2025-10-22; remaining focus is SCANNER-EMIT-17-701 (build-id enrichment). Confirm prerequisites (internal: POLICY-CORE-09-005 (Wave 0), SCANNER-EMIT-10-602 (Wave 0), SCANNER-EMIT-10-604 (Wave 0)) before starting and report status in module TASKS.md.
 - Team Language Analyzer Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Scanner.Analyzers.Lang/TASKS.md`. Sprint 10 language analyzers (10-303..10-306) wrapped by 2025-10-22; shift to Wave 1 benchmarking/packaging follow-ups (10-308+/309 variants) and ensure shared helpers stay stable. Node stream (tasks 10-302/309) closed on 2025-10-21; verify prereqs SCANNER-ANALYZERS-LANG-10-301/307 remain satisfied before new work.
 - Team Licensing Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `ops/licensing/TASKS.md`. Focus on DEVOPS-LIC-14-004 (TODO). Confirm prerequisites (internal: AUTH-MTLS-11-002 (Wave 0)) before starting and report status in module TASKS.md.
 - Team Notify Engine Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Notify.Engine/TASKS.md`. Focus on NOTIFY-ENGINE-15-301 (TODO). 
Confirm prerequisites (internal: NOTIFY-MODELS-15-101 (Wave 0)) before starting and report status in module TASKS.md.
-- Team Notify Queue Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Notify.Queue/TASKS.md`. Focus on NOTIFY-QUEUE-15-401 (DONE 2025-10-23). Confirm prerequisites (internal: NOTIFY-MODELS-15-101 (Wave 0)) before starting and report status in module TASKS.md.
 - Team Notify WebService Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Notify.WebService/TASKS.md`. Focus on NOTIFY-WEB-15-103 (DONE). Confirm prerequisites (internal: NOTIFY-WEB-15-102 (Wave 0)) before starting and report status in module TASKS.md.
-- Team Scanner WebService Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Scanner.WebService/TASKS.md`. SCANNER-RUNTIME-12-301 closed (2025-10-20); coordinate with Zastava observer guild on batch fixtures and advance to SCANNER-RUNTIME-12-302.
 - Team Scheduler ImpactIndex Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Scheduler.ImpactIndex/TASKS.md`. Focus on SCHED-IMPACT-16-301 (TODO). Confirm prerequisites (internal: SCANNER-EMIT-10-605 (Wave 0)) before starting and report status in module TASKS.md.
 - Team Scheduler Queue Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Scheduler.Queue/TASKS.md`. SCHED-QUEUE-16-402 completed (2025-10-20); next focus is SCHED-QUEUE-16-403.
 - Team Scheduler Storage Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Scheduler.Storage.Mongo/TASKS.md`. Focus on SCHED-STORAGE-16-203 (TODO), SCHED-STORAGE-16-202 (TODO). Confirm prerequisites (internal: SCHED-STORAGE-16-201 (Wave 0)) before starting and report status in module TASKS.md.
@@ -76,55 +83,153 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 - Team Team Excititor Connectors – Ubuntu: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-UBUNTU-01-003 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-UBUNTU-01-002 (Wave 0); external: EXCITITOR-POLICY-01-001) before starting and report status in module TASKS.md.
 - Team Team Excititor Export: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Excititor.Export/TASKS.md`. Focus on EXCITITOR-EXPORT-01-006 (DONE 2025-10-21). Confirm prerequisites (internal: EXCITITOR-EXPORT-01-005 (Wave 0), POLICY-CORE-09-005 (Wave 0)) before starting and report status in module TASKS.md.
 - Team Team Excititor Worker: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Excititor.Worker/TASKS.md`. Focus on EXCITITOR-WORKER-01-003 (TODO). Confirm prerequisites (internal: EXCITITOR-ATTEST-01-003 (Wave 0); external: EXCITITOR-EXPORT-01-002, EXCITITOR-WORKER-01-001) before starting and report status in module TASKS.md.
-- Team UI Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.UI/TASKS.md`. Focus on UI-ATTEST-11-005 (DONE 2025-10-23), UI-VEX-13-003 (TODO), UI-POLICY-13-007 (TODO), UI-ADMIN-13-004 (TODO), UI-AUTH-13-001 (DONE 2025-10-23), UI-SCANS-13-002 (TODO), UI-NOTIFY-13-006 (DONE 2025-10-25), UI-SCHED-13-005 (TODO). Confirm prerequisites (internal: ATTESTOR-API-11-201 (Wave 0), AUTH-DPOP-11-001 (Wave 0), AUTH-MTLS-11-002 (Wave 0), EXCITITOR-EXPORT-01-005 (Wave 0), NOTIFY-WEB-15-101 (Wave 0), POLICY-CORE-09-006 (Wave 0), SCHED-WEB-16-101 (Wave 0), SIGNER-API-11-101 (Wave 0); external: EXCITITOR-CORE-02-001, SCANNER-WEB-09-102, SCANNER-WEB-09-103) before starting and report status in module TASKS.md.
-- Team Zastava Observer Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.Zastava.Observer/TASKS.md`. 
Focus on ZASTAVA-OBS-12-001 (DONE 2025-10-24). Confirm prerequisites (internal: ZASTAVA-CORE-12-201 (Wave 0)) before starting and report status in module TASKS.md.
+- Team UI Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/StellaOps.UI/TASKS.md`. Focus on UI-SCANS-13-002 (TODO), UI-VEX-13-003 (TODO), UI-ADMIN-13-004 (TODO), UI-SCHED-13-005 (TODO). Confirm prerequisites (internal: AUTH-DPOP-11-001 (Wave 0), AUTH-MTLS-11-002 (Wave 0), EXCITITOR-EXPORT-01-005 (Wave 0), NOTIFY-WEB-15-101 (Wave 0), POLICY-CORE-09-006 (Wave 0), SCHED-WEB-16-101 (Wave 0), SIGNER-API-11-101 (Wave 0); external: EXCITITOR-CORE-02-001, SCANNER-WEB-09-102, SCANNER-WEB-09-103) before starting and report status in module TASKS.md.
 ### Wave 2
-- Team Bench Guild, Notify Team: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `bench/TASKS.md`. Focus on BENCH-NOTIFY-15-001 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-301 (Wave 1)) before starting and report status in module TASKS.md.
-- Team Bench Guild, Scheduler Team: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `bench/TASKS.md`. Focus on BENCH-IMPACT-16-001 (TODO). Confirm prerequisites (internal: SCHED-IMPACT-16-301 (Wave 1)) before starting and report status in module TASKS.md.
+- Team Bench Guild, Notify Team: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/StellaOps.Bench/TASKS.md`. Focus on BENCH-NOTIFY-15-001 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-301 (Wave 1)) before starting and report status in module TASKS.md.
+- Team Bench Guild, Scheduler Team: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/StellaOps.Bench/TASKS.md`. Focus on BENCH-IMPACT-16-001 (TODO). Confirm prerequisites (internal: SCHED-IMPACT-16-301 (Wave 1)) before starting and report status in module TASKS.md.
 - Team Deployment Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `ops/deployment/TASKS.md`. Focus on DEVOPS-OPS-14-003 (TODO). 
Confirm prerequisites (internal: DEVOPS-REL-14-001 (Wave 1)) before starting and report status in module TASKS.md.
-- Team DevOps Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `ops/devops/TASKS.md`. Focus on DEVOPS-MIRROR-08-001 (DONE 2025-10-19), DEVOPS-PERF-10-002 (TODO), DEVOPS-REL-14-004 (TODO), DEVOPS-REL-17-002 (TODO), DEVOPS-NUGET-13-001 (DONE 2025-10-25), and DEVOPS-UI-13-006 (TODO). Confirm prerequisites (internal: BENCH-SCANNER-10-002 (Wave 1), DEVOPS-REL-14-001 (Wave 1), SCANNER-EMIT-17-701 (Wave 1), UI-AUTH-13-001 (Wave 1)) before starting and report status in module TASKS.md.
 - Team DevOps Guild, Notify Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `ops/devops/TASKS.md`. Focus on DEVOPS-SCANNER-09-205 (TODO). Confirm prerequisites (internal: DEVOPS-SCANNER-09-204 (Wave 1)) before starting and report status in module TASKS.md.
 - Team Notify Engine Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/StellaOps.Notify.Engine/TASKS.md`. Focus on NOTIFY-ENGINE-15-302 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-301 (Wave 1)) before starting and report status in module TASKS.md.
-- Team Notify Queue Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/StellaOps.Notify.Queue/TASKS.md`. Focus on NOTIFY-QUEUE-15-403 (DONE 2025-10-23), NOTIFY-QUEUE-15-402 (DONE 2025-10-23). Confirm prerequisites (internal: NOTIFY-QUEUE-15-401 (Wave 1)) before starting and report status in module TASKS.md.
-- Team Notify WebService Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/StellaOps.Notify.WebService/TASKS.md`. Focus on NOTIFY-WEB-15-104 (TODO). Confirm prerequisites (internal: NOTIFY-QUEUE-15-401 (Wave 1), NOTIFY-STORAGE-15-201 (Wave 0)) before starting and report status in module TASKS.md.
-- Team Notify Worker Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/StellaOps.Notify.Worker/TASKS.md`. Focus on NOTIFY-WORKER-15-201 (DONE 2025-10-23), NOTIFY-WORKER-15-202 (TODO). 
Confirm prerequisites (internal: NOTIFY-ENGINE-15-301 (Wave 1), NOTIFY-QUEUE-15-401 (Wave 1)) before starting and report status in module TASKS.md.
 - Team Offline Kit Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `ops/offline-kit/TASKS.md`. Focus on DEVOPS-OFFLINE-14-002 (TODO), DEVOPS-OFFLINE-18-003 (TODO), and DEVOPS-OFFLINE-18-005 (TODO). Confirm prerequisites (internal: DEVOPS-REL-14-001 (Wave 1), DEVOPS-REL-14-004 (Wave 2)) before starting and report status in module TASKS.md.
 - Team Samples Guild, Policy Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `samples/TASKS.md`. Focus on SAMPLES-13-004 (TODO). Confirm prerequisites (internal: POLICY-CORE-09-006 (Wave 0), UI-POLICY-13-007 (Wave 1)) before starting and report status in module TASKS.md.
-- Team Scanner WebService Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/StellaOps.Scanner.WebService/TASKS.md`. Focus on SCANNER-RUNTIME-12-302 (TODO). Confirm prerequisites (internal: SCANNER-RUNTIME-12-301 (Wave 1), ZASTAVA-CORE-12-201 (Wave 0)) before starting and report status in module TASKS.md.
 - Team Scheduler ImpactIndex Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/StellaOps.Scheduler.ImpactIndex/TASKS.md`. Focus on SCHED-IMPACT-16-303 (TODO), SCHED-IMPACT-16-302 (TODO). Confirm prerequisites (internal: SCHED-IMPACT-16-301 (Wave 1)) before starting and report status in module TASKS.md.
 - Team Scheduler WebService Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/StellaOps.Scheduler.WebService/TASKS.md`. Focus on SCHED-WEB-16-103 (TODO). Confirm prerequisites (internal: SCHED-WEB-16-102 (Wave 1)) before starting and report status in module TASKS.md.
 - Team Scheduler Worker Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/StellaOps.Scheduler.Worker/TASKS.md`. Focus on SCHED-WORKER-16-202 (TODO), SCHED-WORKER-16-205 (TODO). 
Confirm prerequisites (internal: SCHED-IMPACT-16-301 (Wave 1), SCHED-WORKER-16-201 (Wave 1)) before starting and report status in module TASKS.md.
 - Team TBD: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md`, `src/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. SCANNER-ANALYZERS-LANG-10-305B/304B/303B/306B wrapped on 2025-10-22; next focus moves to `10-307*` shared helper integration and Wave 2 benchmark polish. Node packaging milestone 10-308N closed 2025-10-21. Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-303A (Wave 1), SCANNER-ANALYZERS-LANG-10-304A (Wave 1), SCANNER-ANALYZERS-LANG-10-305A (Wave 1), SCANNER-ANALYZERS-LANG-10-306A (Wave 1), SCANNER-ANALYZERS-LANG-10-307N (Wave 1)) before starting new work and report status in module TASKS.md.
 - Team Team Excititor Connectors – Oracle: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-ORACLE-01-003 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-ORACLE-01-002 (Wave 1); external: EXCITITOR-POLICY-01-001) before starting and report status in module TASKS.md.
 - Team Team Excititor Export: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/StellaOps.Excititor.Export/TASKS.md`. Focus on EXCITITOR-EXPORT-01-007 (DONE 2025-10-21). Confirm prerequisites (internal: EXCITITOR-EXPORT-01-006 (Wave 1)) before starting and report status in module TASKS.md.
-- Team Zastava Observer Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/StellaOps.Zastava.Observer/TASKS.md`. ZASTAVA-OBS-12-002 closed (DONE 2025-10-24); monitor follow-up posture/delta tasks and keep module TASKS.md in sync.
 ### Wave 3
 - Team DevEx/CLI: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/StellaOps.Cli/TASKS.md`. 
Focus on CLI-OFFLINE-13-006 (DONE 2025-10-21). Confirm prerequisites (internal: DEVOPS-OFFLINE-14-002 (Wave 2)) before starting and report status in module TASKS.md.
-- Team DevEx/CLI, Scanner WebService Guild: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/StellaOps.Cli/TASKS.md`. Focus on CLI-RUNTIME-13-008 (TODO). Confirm prerequisites (internal: SCANNER-RUNTIME-12-302 (Wave 2)) before starting and report status in module TASKS.md.
 - Team Excititor Connectors – Stella: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md`. Focus on EXCITITOR-CONN-STELLA-07-001 (DONE 2025-10-21). Confirm prerequisites (internal: EXCITITOR-EXPORT-01-007 (Wave 2)) before starting and report status in module TASKS.md.
 - Team Notify Engine Guild: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/StellaOps.Notify.Engine/TASKS.md`. Focus on NOTIFY-ENGINE-15-303 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-302 (Wave 2)) before starting and report status in module TASKS.md.
 - Team Notify Worker Guild: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/StellaOps.Notify.Worker/TASKS.md`. Focus on NOTIFY-WORKER-15-203 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-302 (Wave 2)) before starting and report status in module TASKS.md.
 - Team Scheduler Worker Guild: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/StellaOps.Scheduler.Worker/TASKS.md`. Focus on SCHED-WORKER-16-203 (TODO). Confirm prerequisites (internal: SCHED-WORKER-16-202 (Wave 2)) before starting and report status in module TASKS.md.
 - Team TBD: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md`, `src/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. 
SCANNER-ANALYZERS-LANG-10-305C/304C/309N/303C/306C are all DONE (latest 2025-10-22); remaining Wave 3 attention shifts to 10-307* helper consolidation and subsequent benchmarking tickets. Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-303B (Wave 2), SCANNER-ANALYZERS-LANG-10-304B (Wave 2), SCANNER-ANALYZERS-LANG-10-305B (Wave 2), SCANNER-ANALYZERS-LANG-10-306B (Wave 2), SCANNER-ANALYZERS-LANG-10-308N (Wave 2)) before scheduling new work and report status in module TASKS.md.
-- Team Zastava Observer Guild: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/StellaOps.Zastava.Observer/TASKS.md`. ZASTAVA-OBS-17-005 closed (DONE 2025-10-25); observers now emit buildIds for ELF workloads. Monitor backlog for new reachability/doc tasks and keep TASKS.md in sync.
 ### Wave 4
 - Team DevEx/CLI: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/StellaOps.Cli/TASKS.md`. Focus on CLI-PLUGIN-13-007 (DONE 2025-10-22). Confirm prerequisites (internal: CLI-OFFLINE-13-006 (Wave 3), CLI-RUNTIME-13-005 (Wave 0)) before starting and report status in module TASKS.md.
-- Team Docs Guild: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `docs/TASKS.md`. Focus on DOCS-RUNTIME-17-004 (TODO). Confirm prerequisites (internal: DEVOPS-REL-17-002 (Wave 2), SCANNER-EMIT-17-701 (Wave 1), ZASTAVA-OBS-17-005 (Wave 3)) before starting and report status in module TASKS.md.
 - Team Excititor Connectors – Stella: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md`. Focus on EXCITITOR-CONN-STELLA-07-002 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-STELLA-07-001 (Wave 3)) before starting and report status in module TASKS.md.
 - Team Notify Connectors Guild: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/StellaOps.Notify.Connectors.Email/TASKS.md`, `src/StellaOps.Notify.Connectors.Slack/TASKS.md`, `src/StellaOps.Notify.Connectors.Teams/TASKS.md`, `src/StellaOps.Notify.Connectors.Webhook/TASKS.md`. 
Focus on NOTIFY-CONN-SLACK-15-501 (TODO), NOTIFY-CONN-TEAMS-15-601 (TODO), NOTIFY-CONN-EMAIL-15-701 (TODO), NOTIFY-CONN-WEBHOOK-15-801 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-303 (Wave 3)) before starting and report status in module TASKS.md.
 - Team Notify Engine Guild: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/StellaOps.Notify.Engine/TASKS.md`. Focus on NOTIFY-ENGINE-15-304 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-303 (Wave 3)) before starting and report status in module TASKS.md.
 - Team Notify Worker Guild: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/StellaOps.Notify.Worker/TASKS.md`. Focus on NOTIFY-WORKER-15-204 (TODO). Confirm prerequisites (internal: NOTIFY-WORKER-15-203 (Wave 3)) before starting and report status in module TASKS.md.
-- Team Policy Guild, Scanner WebService Guild: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/StellaOps.Policy/TASKS.md`. Focus on POLICY-RUNTIME-17-201 (TODO). Confirm prerequisites (internal: ZASTAVA-OBS-17-005 (Wave 3, DOING 2025-10-24)) before starting and report status in module TASKS.md.
 - Team Scheduler Worker Guild: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/StellaOps.Scheduler.Worker/TASKS.md`. Focus on SCHED-WORKER-16-204 (TODO). Confirm prerequisites (internal: SCHED-WORKER-16-203 (Wave 3)) before starting and report status in module TASKS.md.
 - Team TBD: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. SCANNER-ANALYZERS-LANG-10-307D/G/P are DONE (latest 2025-10-23); remaining focus is SCANNER-ANALYZERS-LANG-10-307R (TODO). 
Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-303C (Wave 3), SCANNER-ANALYZERS-LANG-10-304C (Wave 3), SCANNER-ANALYZERS-LANG-10-305C (Wave 3), SCANNER-ANALYZERS-LANG-10-306C (Wave 3)) before progressing and report status in module TASKS.md.
 ### Wave 5
+- **Sprint 23-28** · StellaOps Console, Policy Studio, Graph Explorer
+ - Team: Policy Registry Guild
+ - Path: `src/StellaOps.Policy.Registry/TASKS.md`
+ 1. [TODO] REGISTRY-API-27-001..010 — Deliver Registry service (OpenAPI, workspace storage, compile/sim integration, review workflow, publish/attest, promotion, telemetry, testing). Coordinate closely with Policy Engine, Scheduler, Authority, Console, CLI, Docs, and DevOps.
+ - Team: Findings Ledger Guild
+ - Path: `src/StellaOps.Findings.Ledger/TASKS.md`
+ 1. [TODO] LEDGER-29-001..009 — Stand up immutable ledger, projector, workflow handlers, hashing/Merkle anchoring, and deployment tooling powering Vuln Explorer.
+ - Team: VEX Lens Guild
+ - Path: `src/StellaOps.VexLens/TASKS.md`
+ 1. [TODO] VEXLENS-30-001..011 — Build VEX normalization, mapping, trust weighting, consensus projection, APIs, simulation, telemetry, and deployment.
+ - Team: Issuer Directory Guild
+ - Path: `src/StellaOps.IssuerDirectory/TASKS.md`
+ 1. [TODO] ISSUER-30-001..006 — Provide issuer/key management, trust overrides, integration with VEX Lens, telemetry, and deployment guidance.
+ - Team: Advisory AI Guild
+ - Path: `src/StellaOps.AdvisoryAI/TASKS.md`
+ 1. [TODO] AIAI-31-001..009 — Implement retrievers, deterministics, guardrails, APIs, telemetry, and deployment for Advisory AI summaries/conflict explain/remediation.
+ - Team: Graph Indexer Guild
+ - Path: `src/StellaOps.Graph.Indexer/TASKS.md`
+ 1. [TODO] GRAPH-INDEX-28-001..010 — Build graph ingestion (SBOM, advisory, VEX, policy overlays), snapshots, clustering, incremental updates, and deployment artifacts. Maintain deterministic identity + tenant isolation.
+ - Team: Graph API Guild
+ - Path: `src/StellaOps.Graph.Api/TASKS.md`
+ 1. [TODO] GRAPH-API-28-001..011 — Ship streaming query/search/paths/diff/export endpoints with cost enforcement, overlays, RBAC, telemetry, and deployment docs.
+ - Team: Vuln Explorer API Guild
+ - Path: `src/StellaOps.VulnExplorer.Api/TASKS.md`
+ 1. [TODO] VULN-API-29-001..011 — Provide policy-aware list/detail/workflow/simulation/export APIs atop the ledger with deterministic outputs and auditable telemetry.
+ - Team: Console Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CONSOLE-CORE-23-001..CONSOLE-REL-23-303, CONSOLE-DOC-23-501/502, TELEMETRY-CONSOLE-23-001 — Bootstrap the Next.js workspace, build shell/navigation, deliver feature modules (Dashboard, SBOM, Advisories/VEX, Findings, Policies, Runs, Reports, Admin, Downloads), wire telemetry, QA (Playwright, Storybook a11y, Lighthouse), release artifacts, and support docs/parity automation. Sequence: finish core scaffolding (23-001..005) before picking up feature modules; hold Reports/Downloads until backend export + manifest tasks signal ready.
+ 2. [TODO] CONSOLE-STUDIO-27-001..007, CONSOLE-GRAPH-28-001..008, TELEMETRY-CONSOLE-27-001 — Deliver Policy Studio editor experience and Graph Explorer WebGL module (semantic zoom, overlays, diff, exports, saved queries, accessibility, telemetry).
+ 3. [TODO] CONSOLE-VULN-29-001..007 — Ship Vuln Explorer UI enhancements (list/detail/workflow/simulation/export) with telemetry and accessibility.
+ 4. [TODO] CONSOLE-VEX-30-001..005 — Provide VEX Lens console experience with quorum/conflict visualization and telemetry.
+ 5. [TODO] CONSOLE-AIAI-31-001..005 — Build Advisory AI side panel (summary/conflict/remediation) with copy-as-ticket, a11y, and telemetry integration.
+ - Team: BE-Base Platform Guild
+ - Path: `src/StellaOps.Web/TASKS.md`
+ 1. [TODO] WEB-CONSOLE-23-001..005 — Stand up `/console/*` aggregates, SSE proxy, export orchestrator, global search, and downloads manifest endpoints. 
Coordinate closely with Policy, Scheduler, Concelier, Excititor, SBOM services to validate payloads.
+ 2. [TODO] WEB-GRAPH-24-001..004 — Route `/graph/*` APIs to Graph service, enforce scopes, provide overlay/export proxies, and aggregate telemetry.
+ 3. [TODO] WEB-VULN-29-001..004 — Provide Vuln Explorer routing, ledger proxying, simulation/export orchestration, and telemetry.
+ 4. [TODO] WEB-AIAI-31-001..003 — Route Advisory AI endpoints, batch orchestration, and telemetry/audit pipelines.
+ - Team: Authority Core & Security Guild
+ - Path: `src/StellaOps.Authority/TASKS.md`
+ 1. [TODO] AUTH-CONSOLE-23-001..003 — Register Console OIDC client, expose tenant/profile endpoints, refresh security docs. PKCE + short-lived tokens must land before Console auth wiring can start.
+ 2. [TODO] AUTH-POLICY-27-001..003, AUTH-GRAPH-21-001..003 — Roll out Policy Studio scopes + signing enforcement and ensure Graph scopes/RBAC stay in sync.
+ 3. [TODO] AUTH-VULN-29-001..003 — Deliver Vuln Explorer scopes, CSRF enforcement, attachment signing, and documentation.
+ 4. [TODO] AUTH-AIAI-31-001..002 — Define Advisory AI scopes/consent controls and enforce anonymized logging/audit flows.
+ - Team: Policy Guild
+ - Path: `src/StellaOps.Policy.Engine/TASKS.md`
+ 1. [TODO] POLICY-CONSOLE-23-001/002, EXPORT-CONSOLE-23-001 — Optimize findings/explain APIs, expose simulation diff + approvals metadata, and deliver evidence bundle generator feeding Web gateway + Console Reports.
+ 2. [TODO] POLICY-ENGINE-27-001..004, POLICY-ENGINE-30-001..003 — Provide Studio compile metadata, simulation enhancements, complexity limits, and graph overlay contracts/events.
+ 3. [TODO] POLICY-ENGINE-29-001..004 — Supply batch evaluation/simulation for Vuln Explorer and consensus overlays with telemetry.
+ 4. [TODO] POLICY-ENGINE-31-001..002 — Surface Advisory AI parameters and policy context endpoints consumed by the assistant.
+ - Team: SBOM Service Guild
+ - Path: `src/StellaOps.SbomService/TASKS.md`
+ 1. 
[TODO] SBOM-CONSOLE-23-001/002 — Provide Console catalog + component lookup endpoints (filters, overlays, raw projections). Coordinate caching hints with Web + Console teams.
+ 2. [TODO] SBOM-GRAPH-24-001..004 — Maintain graph node/edge collections, builders, diff events, and caches feeding Graph Explorer.
+ 3. [TODO] SBOM-VULN-29-001/002 — Emit enriched inventory evidence (scope/runtime/path/safe versions) and resolver feeds for Vuln Explorer.
+ 4. [TODO] SBOM-AIAI-31-001/002 — Deliver path/timeline APIs and telemetry for Advisory AI remediation hints.
+ - Team: Concelier WebService Guild
+ - Path: `src/StellaOps.Concelier.WebService/TASKS.md`
+ 1. [TODO] CONCELIER-CONSOLE-23-001..003 — Deliver advisory aggregation views, delta metrics feed, and search helpers backing Dashboard/Search modules.
+ 2. [TODO] CONCELIER-VULN-29-001..004 — Normalize advisory keys, expose raw evidence, publish safe fix hints, and instrument metrics for Vuln Explorer.
+ 3. [TODO] CONCELIER-AIAI-31-001..003 — Provide paragraph anchors, structured fields, and telemetry required by Advisory AI.
+ - Team: Excititor WebService Guild
+ - Path: `src/StellaOps.Excititor.WebService/TASKS.md`
+ 1. [TODO] EXCITITOR-CONSOLE-23-001..003 — Provide VEX aggregation, override deltas, and search helpers for Console UX.
+ 2. [TODO] EXCITITOR-GRAPH-24-101/102 — Supply VEX summaries for Graph Explorer overlays and inspectors.
+ 3. [TODO] EXCITITOR-VULN-29-001..004 — Canonicalize VEX keys, surface evidence APIs, suppression metadata, and telemetry for Vuln Explorer.
+ 4. [TODO] EXCITITOR-AIAI-31-001..003 — Serve VEX chunks/justifications/signature metadata and telemetry for Advisory AI.
+ - Team: Scheduler WebService Guild
+ - Path: `src/StellaOps.Scheduler.WebService/TASKS.md`
+ 1. [TODO] SCHED-CONSOLE-23-001 — Extend runs API with SSE progress stream, queue lag summaries, RBAC-gated actions.
+ 2. 
[TODO] SCHED-CONSOLE-27-001/002, SCHED-WEB-21-001/002 — Surface policy batch sim orchestration and graph build/overlay monitoring endpoints.
+ 3. [TODO] SCHED-VULN-29-001/002 — Provide resolver job APIs and lag metrics for Vulnerability Explorer recomputation.
+ - Team: Scheduler Worker Guild
+ - Path: `src/StellaOps.Scheduler.Worker/TASKS.md`
+ 1. [TODO] SCHED-WORKER-CONSOLE-23-201/202 — Publish run progress events and coordinate evidence bundle jobs consumed by Console + gateway.
+ 2. [TODO] SCHED-WORKER-27-301..303, SCHED-WORKER-21-201..203 — Execute policy batch simulation sharding/reduction and graph build/overlay workers with telemetry + security controls.
+ 3. [TODO] SCHED-WORKER-29-001..003 — Run vulnerability resolver/evaluation workers and monitoring to keep projections fresh.
+ - Team: DevOps Guild
+ - Path: `ops/devops/TASKS.md`
+ 1. [TODO] DEVOPS-CONSOLE-23-001/002 — Add console CI workflow (pnpm lint/test/Playwright/Lighthouse) and produce `stella-console` container + Helm overlays with SBOM/provenance and offline packaging.
+ 2. [TODO] DEVOPS-POLICY-27-001..004 — Wire policy lint/compile/test jobs, optional batch simulation CI, signing key management, and telemetry dashboards/alerts.
+ 3. [TODO] DEVOPS-GRAPH-28-001..003 — Stand up graph perf/load tests, rate limiting/backpressure controls, and observability dashboards/alerts.
+ 4. [TODO] DEVOPS-VULN-29-001..003 — Establish ledger CI/backups/anchoring, Vuln Explorer performance dashboards/alerts, and telemetry privacy safeguards.
+ 5. [TODO] DEVOPS-VEX-30-001 — Provision CI/perf/dashboards/alerts for VEX Lens & Issuer Directory.
+ 6. [TODO] DEVOPS-AIAI-31-001 — Provide CI, inference monitoring, privacy review, perf dashboards, and alerts for Advisory AI service.
+ - Team: Deployment Guild
+ - Path: `ops/deployment/TASKS.md`
+ 1. [TODO] DOWNLOADS-CONSOLE-23-001 — Maintain signed downloads manifest pipeline used by Console `/downloads` and docs parity checks.
+ 2.
[TODO] DEPLOY-POLICY-27-001/002 — Provide Policy Registry deployment overlays and publish policy rollout/rollback runbook.
+ 3. [TODO] DEPLOY-GRAPH-28-001 — Create deployment/offline instructions for Graph Indexer/API (including cache seeds).
+ 4. [TODO] DEPLOY-VULN-29-001/002 — Package Findings Ledger and Vuln Explorer API deployments with migrations/backups/offline guidance.
+ 5. [TODO] DEPLOY-VEX-30-001/002 — Provide deployments/offline instructions for VEX Lens and Issuer Directory.
+ 6. [TODO] DEPLOY-AIAI-31-001 — Deliver Advisory AI deployment manifests, GPU toggle guidance, and offline kit instructions.
+ - Team: Docs Guild
+ - Path: `docs/TASKS.md`
+ 1. [TODO] DOCS-CONSOLE-23-001..017 — Publish the Console doc suite (overview, navigation, module guides, deploy/install, security, observability, parity matrix, accessibility, UI tours). Coordinate media capture with Console Guild.
+ 2. [TODO] DOCS-POLICY-27-001..014 — Deliver Policy Studio documentation set (overview, authoring, versioning, simulation, review, promotion, CLI/API/security/observability/runbooks/templates/AOC guardrails).
+ 3. [TODO] DOCS-GRAPH-28-001..012 — Produce Graph Explorer documentation (overview, console usage, query language, API, CLI, overlays, advisory/VEX integration, architecture, telemetry, runbooks, security).
+ 4. [TODO] DOCS-VULN-29-001..013 — Author Vulnerability Explorer documents (overview, console usage, API/CLI, ledger, policy mapping, advisory/VEX integration, SBOM resolution, telemetry, security, runbooks, install updates).
+ 5. [TODO] DOCS-VEX-30-001..009 — Publish VEX Lens documentation set (overview, algorithm, issuer directory, APIs, console, policy trust model, mapping, signatures, runbooks).
+ 6. [TODO] DOCS-AIAI-31-001..009 — Publish Advisory AI documentation suite (overview, architecture, APIs, console, CLI, policy parameters, guardrails, remediation heuristics, ops runbook).
+ - Team: DevEx/CLI Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1.
[TODO] CLI-POLICY-27-001..005 — Implement Policy Studio CLI lifecycle (init→lint→simulate→submit→approve→publish→promote/rollback), enhance simulation reporting, and update documentation with CI-friendly outputs.
+ 2. [TODO] CLI-GRAPH-28-001..003 — Implement Graph Explorer CLI commands, saved query management, and updated docs/examples.
+ 3. [TODO] CLI-VULN-29-001..006 — Deliver Vuln Explorer CLI commands (list/show/workflow/simulate/export) and documentation updates.
+ 4. [TODO] CLI-VEX-30-001..004 — Provide VEX Lens CLI commands (consensus list/show/simulate/export).
+ 5. [TODO] CLI-AIAI-31-001..004 — Implement Advisory AI CLI commands (`stella advise *`) with docs and tests.
+ 2. [TODO] CLI-GRAPH-28-001..003 — Implement Graph Explorer CLI commands, saved query management, and updated docs/examples.
+ 3. [TODO] CLI-VULN-29-001..006 — Deliver Vuln Explorer CLI commands (list/show/workflow/simulate/export) and documentation updates.
 - Team Excititor Connectors – Stella: read EXECPLAN.md Wave 5 and SPRINTS.md rows for `src/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md`. Focus on EXCITITOR-CONN-STELLA-07-003 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-STELLA-07-002 (Wave 4)) before starting and report status in module TASKS.md.
 - Team Notify Connectors Guild: read EXECPLAN.md Wave 5 and SPRINTS.md rows for `src/StellaOps.Notify.Connectors.Email/TASKS.md`, `src/StellaOps.Notify.Connectors.Slack/TASKS.md`, `src/StellaOps.Notify.Connectors.Teams/TASKS.md`, `src/StellaOps.Notify.Connectors.Webhook/TASKS.md`. Focus on NOTIFY-CONN-SLACK-15-502 (DONE), NOTIFY-CONN-TEAMS-15-602 (DONE), NOTIFY-CONN-EMAIL-15-702 (BLOCKED 2025-10-20), NOTIFY-CONN-WEBHOOK-15-802 (BLOCKED 2025-10-20). Confirm prerequisites (internal: NOTIFY-CONN-EMAIL-15-701 (Wave 4), NOTIFY-CONN-SLACK-15-501 (Wave 4), NOTIFY-CONN-TEAMS-15-601 (Wave 4), NOTIFY-CONN-WEBHOOK-15-801 (Wave 4)) before starting and report status in module TASKS.md.
-- Team Scanner WebService Guild: read EXECPLAN.md Wave 5 and SPRINTS.md rows for `src/StellaOps.Scanner.WebService/TASKS.md`. SCANNER-RUNTIME-17-401 closed 2025-10-25 with build-id persistence + policy/CLI exposure; monitor downstream dependencies (POLICY-RUNTIME-17-201, DEVOPS-REL-17-002) for reachability/debug-store follow-ups.
 - Team TBD: read EXECPLAN.md Wave 5 and SPRINTS.md rows for `src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. SCANNER-ANALYZERS-LANG-10-308D/G/P completed (2025-10-23/2025-10-22/2025-10-23); pending items are SCANNER-ANALYZERS-LANG-10-308R (TODO). Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-307D (Wave 4), SCANNER-ANALYZERS-LANG-10-307G (Wave 4), SCANNER-ANALYZERS-LANG-10-307P (Wave 4), SCANNER-ANALYZERS-LANG-10-307R (Wave 4)) before starting and report status in module TASKS.md.
 ### Wave 6
@@ -143,10 +248,71 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 ### Wave 10
 - Team Team Normalization & Storage Backbone: read EXECPLAN.md Wave 10 and SPRINTS.md rows for `src/StellaOps.Concelier.Storage.Mongo/TASKS.md`. Focus on FEEDSTORAGE-DATA-07-001 (DONE 2025-10-19). Confirm prerequisites (internal: FEEDMERGE-ENGINE-07-001 (Wave 11)) before starting and report status in module TASKS.md.
-### Wave 11
+### Wave 11 — 48 task(s) ready after Wave 10
+- **Sprint 25** · Exceptions v1
+ - Team: Policy Guild
+ - Paths: `src/StellaOps.Policy/TASKS.md`, `src/StellaOps.Policy.Engine/TASKS.md`
+ 1. [TODO] POLICY-EXC-25-001, POLICY-ENGINE-70-001..005 — SPL updates, evaluation layer, storage, cache, observability, worker hooks.
+ - Team: BE-Base Platform Guild
+ - Path: `src/StellaOps.Web/TASKS.md`
+ 1. [TODO] WEB-EXC-25-001..003 — Exceptions API workflow, policy integration, events/notifications.
+ - Team: UI Guild
+ - Path: `src/StellaOps.UI/TASKS.md`
+ 1. [TODO] UI-EXC-25-001..005 — Exception Center, creation wizard, inline flows, badges, accessibility.
+ - Team: DevEx/CLI Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CLI-EXC-25-001/002 — CLI workflow commands and simulation overrides.
+ - Team: Authority Core & Security Guild
+ - Path: `src/StellaOps.Authority/TASKS.md`
+ 1. [TODO] AUTH-EXC-25-001/002 — Exception scopes, routing matrix, docs.
+ - Team: Scheduler Worker Guild
+ - Path: `src/StellaOps.Scheduler.Worker/TASKS.md`
+ 1. [TODO] SCHED-WORKER-25-101/102 — Exception lifecycle + expiring notification jobs.
+ - Team: Docs Guild
+ - Path: `docs/TASKS.md`
+ 1. [TODO] DOCS-EXC-25-001..007 — Governance, approvals, API, policy effects, UI, CLI, migration docs.
+ - Team: DevOps Guild
+ - Path: `ops/devops/TASKS.md`
+ 1. [TODO] (future) exception monitoring/notifications integration if needed (track under DEVOPS-LNM-22-003 extension).
+ - Team BE-Merge: read EXECPLAN.md Wave 11 and SPRINTS.md rows for `src/StellaOps.Concelier.Merge/TASKS.md`. FEEDMERGE-ENGINE-07-001 marked DONE (2025-10-20); share conflict explainer rollout notes with Storage before Wave 10 resumes.
-### Wave 12
+### Wave 12 — 40 task(s) ready after Wave 11
+- **Sprint 26** · Reachability v1
+ - Team: Signals Guild
+ - Path: `src/StellaOps.Signals/TASKS.md`
+ 1. [TODO] SIGNALS-24-001..005 — Signals service API, parsers, runtime ingest, scoring, caching/events.
+ - Team: Policy Guild
+ - Paths: `src/StellaOps.Policy/TASKS.md`, `src/StellaOps.Policy.Engine/TASKS.md`
+ 1. [TODO] POLICY-SPL-24-001, POLICY-ENGINE-80-001..004 — SPL updates, evaluation integration, cache optimization, metrics.
+ - Team: BE-Base Platform Guild
+ - Path: `src/StellaOps.Web/TASKS.md`
+ 1. [TODO] WEB-SIG-26-001..003 — Signals endpoints, reachability joins, simulation overrides.
+ - Team: UI Guild
+ - Path: `src/StellaOps.UI/TASKS.md`
+ 1. [TODO] UI-SIG-26-001..004 — Reachability columns/overlays, explain drawer, center.
+ - Team: DevEx/CLI Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CLI-SIG-26-001/002 — CLI commands for reachability upload/list/simulate.
+ - Team: Authority Core
+ - Path: `src/StellaOps.Authority/TASKS.md`
+ 1. [TODO] AUTH-SIG-26-001 — Signals scopes/roles with AOC requirements.
+ - Team: Scheduler Worker Guild
+ - Path: `src/StellaOps.Scheduler.Worker/TASKS.md`
+ 1. [TODO] SCHED-WORKER-26-201/202 — Reachability joiner and staleness monitor jobs.
+ - Team: DevOps Guild
+ - Path: `ops/devops/TASKS.md`
+ 1. [TODO] DEVOPS-SIG-26-001/002 — Deployment pipelines and observability for Signals.
+ - Team: Docs Guild
+ - Path: `docs/TASKS.md`
+ 1. [TODO] DOCS-SIG-26-001..008 — Reachability concepts, formats, runtime, policy weighting, UI, CLI, API, migration docs.
+ - Team: Concelier/Excititor Guilds
+ - Paths: `src/StellaOps.Concelier.Core/TASKS.md`, `src/StellaOps.Excititor.Core/TASKS.md`
+ 1.
[TODO] CONCELIER-SIG-26-001, EXCITITOR-SIG-26-001 — Provide symbol/exploitability metadata to Signals.
+ - Team: Bench Guild
+ - Path: `src/StellaOps.Bench/TASKS.md`
+ 1. [TODO] BENCH-SIG-26-001/002 — Performance benchmarks for Signals and policy evaluation overhead.
+ - Team Concelier Export Guild: read EXECPLAN.md Wave 12 and SPRINTS.md rows for `src/StellaOps.Concelier.Exporter.Json/TASKS.md`. Focus on CONCELIER-EXPORT-08-201 (TODO). Confirm prerequisites (internal: FEEDCORE-ENGINE-07-001 (Wave 7)) before starting and report status in module TASKS.md.
 ### Wave 13
@@ -168,10 +334,8 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 - **Sprint 1** · Backlog
 - Team: UX Specialist, Angular Eng
 - Path: `src/StellaOps.Web/TASKS.md`
- 2. [DONE 2025-10-21] WEB1.TRIVY-SETTINGS-TESTS — Add headless UI test run (`ng test --watch=false`) and document prerequisites once Angular tooling is chained up.
 • Prereqs: WEB1.TRIVY-SETTINGS
 • Current: DONE (2025-10-21) – ChromeHeadless launcher + README updates merged; dependency hardening completed via WEB1.DEPS-13-001.
- 3. [DONE (2025-10-21)] WEB1.DEPS-13-001 — Stabilise Angular workspace dependencies for headless CI installs (`npm install`, Chromium handling, docs).
 • Prereqs: WEB1.TRIVY-SETTINGS-TESTS
 • Current: DONE (2025-10-21) – Lockfile generated via `npm ci`, Chromium auto-detection/verification scripts added, and deterministic install guide published for offline runners.
 - **Sprint 1** · Developer Tooling
@@ -298,7 +462,6 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 - **Sprint 7** · Contextual Truth Foundations
 - Team: Team Excititor Export
 - Path: `src/StellaOps.Excititor.Export/TASKS.md`
- 1. [DONE 2025-10-21] EXCITITOR-EXPORT-01-005 — EXCITITOR-EXPORT-01-005 – Score & resolve envelope surfaces
 • Prereqs: EXCITITOR-EXPORT-01-004 (external/completed), EXCITITOR-CORE-02-001 (external/completed)
 • Current: TODO – Emit consensus+score envelopes in export manifests, include policy/scoring digests, and update offline bundle/ORAS layouts to carry signed VEX responses.
@@ -312,131 +475,58 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 - **Sprint 10** · Backlog
 - Team: TBD
 - Path: `src/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md`
- 1. [DONE 2025-10-19] SCANNER-ANALYZERS-LANG-10-302C — Surface script metadata (postinstall/preinstall) and policy hints; emit telemetry counters and evidence records.
 • Prereqs: SCANNER-ANALYZERS-LANG-10-302B (external/completed)
 • Current: DONE — Telemetry counter wired, lifecycle script evidence emitted; see Node analyzer fixtures.
 - **Sprint 10** · Scanner Analyzers & SBOM
 - Team: Diff Guild
 - Path: `src/StellaOps.Scanner.Diff/TASKS.md`
- 1. [DONE 2025-10-19] SCANNER-DIFF-10-501 — Build component differ tracking add/remove/version changes with deterministic ordering.
 • Prereqs: —
 • Current: DONE — Diff engine produces deterministic add/remove/version deltas; regression suite covers warm/cold path parity.
- 2. [DONE 2025-10-19] SCANNER-DIFF-10-502 — Attribute diffs to introducing/removing layers including provenance evidence.
 • Prereqs: —
 • Current: DONE — Layer attribution recorded on every change; fixtures assert provenance integrity.
- 3. [DONE 2025-10-19] SCANNER-DIFF-10-503 — Produce JSON diff output for inventory vs usage views aligned with API contract.
 • Prereqs: —
 • Current: DONE — JSON serializer emits stable ordering; golden outputs locked in tests.
 - Team: Emit Guild
 - Path: `src/StellaOps.Scanner.Emit/TASKS.md`
- 1. [DONE 2025-10-22] SCANNER-EMIT-10-601 — Compose inventory SBOM (CycloneDX JSON/Protobuf) from layer fragments.
 • Prereqs: —
 • Current: DONE — Inventory builder validated against CycloneDX schema; deterministic fixtures added.
- 2. [DONE 2025-10-22] SCANNER-EMIT-10-602 — Compose usage SBOM leveraging EntryTrace to flag actual usage.
 • Prereqs: —
 • Current: DONE — Usage view toggles wired; tests confirm subset alignment with EntryTrace signals.
- 3.
[DONE 2025-10-22] SCANNER-EMIT-10-603 — Generate BOM index sidecar (purl table + roaring bitmap + usage flag).
 • Prereqs: —
 • Current: DONE — BOM Index format published with roaring bitmap helpers; golden fixtures locked.
- 4. [DONE 2025-10-22] SCANNER-EMIT-10-604 — Package artifacts for export + attestation with deterministic manifests.
 • Prereqs: —
 • Current: DONE — Export packaging deterministic; integration test with storage succeeds.
- 5. [DONE 2025-10-22] SCANNER-EMIT-10-605 — Emit BOM-Index sidecar schema/fixtures (CRITICAL PATH for SP16).
 • Prereqs: —
 • Current: DONE — `bom-index@1` schema + fixtures published; Scheduler notes updated.
- 6. [DONE 2025-10-22] SCANNER-EMIT-10-606 — Usage view bit flags integrated with EntryTrace.
 • Prereqs: —
 • Current: DONE — EntryTrace usage bits round-trip in BOM Index; regression harness verified.
 - Team: EntryTrace Guild
 - Path: `src/StellaOps.Scanner.EntryTrace/TASKS.md`
- 1. [DONE 2025-10-19] SCANNER-ENTRYTRACE-10-401 — POSIX shell AST parser with deterministic output.
 • Prereqs: —
 • Current: DONE — Parser emits stable AST; determinism tests captured.
- 2. [DONE 2025-10-19] SCANNER-ENTRYTRACE-10-402 — Command resolution across layered rootfs with evidence attribution.
 • Prereqs: —
 • Current: DONE — Resolver walks layered PATH with provenance evidence; fixtures validate.
- 3. [DONE 2025-10-19] SCANNER-ENTRYTRACE-10-403 — Interpreter tracing for shell wrappers to Python/Node/Java launchers.
 • Prereqs: —
 • Current: DONE — Interpreter tracer resolves Python/Node/Java hand-offs; golden graphs updated.
- 4. [DONE 2025-10-19] SCANNER-ENTRYTRACE-10-404 — Python entry analyzer (venv shebang, module invocation, usage flag).
 • Prereqs: —
 • Current: DONE — Python analyzer surfaces venv/module details; usage flag propagated.
- 5. [DONE 2025-10-19] SCANNER-ENTRYTRACE-10-405 — Node/Java launcher analyzer capturing script/jar targets.
 • Prereqs: —
 • Current: DONE — Node/Java launchers traced end-to-end; evidence attached for each hop.
- 6. [DONE 2025-10-19] SCANNER-ENTRYTRACE-10-406 — Explainability + diagnostics for unresolved constructs with metrics.
 • Prereqs: —
 • Current: DONE — Diagnostics enumerated, metrics emitted via `EntryTraceMetrics`.
- 7. [DONE 2025-10-19] SCANNER-ENTRYTRACE-10-407 — Package EntryTrace analyzers as restart-time plug-ins (manifest + host registration).
 • Prereqs: —
 • Current: DONE — Plug-in manifests under `plugins/scanner/entrytrace`; restart-only guard documented.
 - Team: Language Analyzer Guild
 - Path: `src/StellaOps.Scanner.Analyzers.Lang/SPRINTS_LANG_IMPLEMENTATION_PLAN.md`
- 1. [DONE 2025-10-22] SCANNER-ANALYZERS-LANG-10-302..309 — Detailed per-language sprint plan (Node, Python, Go, .NET, Rust) with gates and benchmarks.
 • Prereqs: —
 • Current: DONE — Implementation plan captured per language with progress notes through 2025-10-22.
 - Path: `src/StellaOps.Scanner.Analyzers.Lang/TASKS.md`
- 1. [DONE 2025-10-19] SCANNER-ANALYZERS-LANG-10-301 — Java analyzer emitting `pkg:maven` with provenance.
 • Prereqs: —
 • Current: DONE — Java analyzer shipped with deterministic fixtures.
- 2. [DONE 2025-10-19] SCANNER-ANALYZERS-LANG-10-307 — Shared language evidence helpers + usage flag propagation.
 • Prereqs: —
 • Current: DONE — Shared helpers live under Lang.Core and are consumed by Java/Node analyzers.
- 3. [DONE 2025-10-19] SCANNER-ANALYZERS-LANG-10-308 — Determinism + fixture harness for language analyzers.
 • Prereqs: —
 • Current: DONE — Determinism harness + fixtures checked in; CI guard active.
-- **Sprint 11** · Signing Chain Bring-up
- - Team: Attestor Guild
- - Path: `src/StellaOps.Attestor/TASKS.md`
- 1. [DONE 2025-10-19] ATTESTOR-API-11-201 — `/rekor/entries` submission pipeline with dedupe, proof acquisition, and persistence.
- • Prereqs: —
- • Current: DONE — mTLS-gated `POST /api/v1/rekor/entries` dedupes `bundleSha256`, coordinates dual-log submissions, archives DSSE/proof bundles when requested.
- 2.
[DONE 2025-10-19] ATTESTOR-VERIFY-11-202 — `/rekor/verify` + retrieval endpoints validating signatures and Merkle proofs.
- • Prereqs: —
- • Current: DONE — verification pipeline validates DSSE signatures and Merkle proofs, returns cached entries with optional refresh paths.
- 3. [DONE 2025-10-19] ATTESTOR-OBS-11-203 — Telemetry, alerting, mTLS hardening, and archive workflow for Attestor.
- • Prereqs: —
- • Current: DONE — structured metrics/logs, mTLS thumbprint/SAN enforcement, and archive retention jobs integrated with alerting runbooks.
- - Team: Scanner Storage Guild
- - Path: `src/StellaOps.Scanner.Storage/TASKS.md`
- 1. [DONE 2025-10-23] SCANNER-STORAGE-11-401 — Migrate scanner artifact storage from MinIO to RustFS, including driver, configuration, and migration tooling.
- • Prereqs: SCANNER-STORAGE-09-302 (Wave 0)
- • Current: DONE — RustFS driver, deployment manifests, migration tool, and test coverage shipped.
- - Team: Authority Core & Security Guild
- - Path: `src/StellaOps.Authority/TASKS.md`
- 2. [DONE 2025-10-23] AUTH-MTLS-11-002 — Add OAuth mTLS client credential support with certificate-bound tokens and introspection updates.
- • Prereqs: —
- • Current: DONE — mTLS audience enforcement + certificate binding validation shipped; docs/tests updated.
-
-- **Sprint 12** · Runtime Guardrails
- - Team: Zastava Core Guild
- - Path: `src/StellaOps.Zastava.Core/TASKS.md`
- 1. [DONE 2025-10-23] ZASTAVA-CORE-12-201 — Define runtime event/admission DTOs, hashing helpers, and versioning strategy.
- • Prereqs: —
- • Current: DONE — runtime/admission envelopes canonically serialised, multihash helpers covered by new tests, architecture doc updated with negotiation rules.
- 2. [DONE 2025-10-23] ZASTAVA-CORE-12-202 — Provide configuration/logging/metrics utilities shared by Observer/Webhook.
- • Prereqs: —
- • Current: DONE — `AddZastavaRuntimeCore` binds options, emits scoped logging/metrics, integration tests exercise DI wiring.
- 3.
[DONE 2025-10-23] ZASTAVA-CORE-12-203 — Authority client helpers, OpTok caching, and security guardrails for runtime services.
- • Prereqs: —
- • Current: DONE — Zastava authority token provider caches OpToks, enforces DPoP/mTLS guardrails, negative tests cover static fallback + incompat scopes.
- 4. [DONE 2025-10-23] ZASTAVA-OPS-12-204 — Operational runbooks, alert rules, and dashboard exports for runtime plane.
- • Prereqs: —
- • Current: DONE — new runtime runbook plus Prometheus/Grafana assets committed and referenced in docs/offline kit guidance.
- - Team: Zastava Webhook Guild
- - Path: `src/StellaOps.Zastava.Webhook/TASKS.md`
- 1. [DONE 2025-10-24] ZASTAVA-WEBHOOK-12-101 — Admission controller host with TLS bootstrap and Authority auth.
- • Prereqs: —
- • Current: DONE — host boots with deterministic TLS + shared runtime core, authority health checks in place, smoke coverage shipped.
- 2. [DONE 2025-10-24] ZASTAVA-WEBHOOK-12-102 — Query Scanner `/policy/runtime`, resolve digests, enforce verdicts.
- • Prereqs: —
- • Current: DONE — runtime admission service resolves digests, calls backend policy API, and enforces allow/deny verdicts with unit coverage.
- 3. [DONE 2025-10-24] ZASTAVA-WEBHOOK-12-103 — Caching, fail-open/closed toggles, metrics/logging for admission decisions.
- • Prereqs: —
- • Current: DONE — deterministic cache with TTL seeding, namespace fail-open overrides, and metrics/logging verified through tests.
- 4. [DONE 2025-10-24] ZASTAVA-WEBHOOK-12-104 — Wire `/admission` endpoint to runtime policy client and emit allow/deny envelopes.
- • Prereqs: ZASTAVA-WEBHOOK-12-102
- • Current: DONE — `/admission` handler parses AdmissionReview, routes to runtime policy service, and emits canonical envelopes + audit annotations.
 - **Sprint 13** · UX & CLI Experience
 - Team: DevEx/CLI
 - Path: `src/StellaOps.Cli/TASKS.md`
@@ -477,7 +567,6 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 - Team: Scanner WebService Guild
 - Path: `src/StellaOps.Scanner.WebService/TASKS.md`
 2. [BLOCKED] SCANNER-EVENTS-16-301 — Redis publisher integration tests once Notify queue adapter ships.
- • Prereqs: NOTIFY-QUEUE-15-401 (Wave 1)
 • Current: BLOCKED – waiting on Notify queue abstraction and Redis adapter deliverables for end-to-end validation.
 - **Sprint 16** · Scheduler Intelligence
@@ -539,83 +628,44 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 - **Sprint 7** · Contextual Truth Foundations
 - Team: Team Excititor Export
 - Path: `src/StellaOps.Excititor.Export/TASKS.md`
- 1. [DONE 2025-10-21] EXCITITOR-EXPORT-01-006 — EXCITITOR-EXPORT-01-006 – Quiet provenance packaging
 • Prereqs: EXCITITOR-EXPORT-01-005 (Wave 0), POLICY-CORE-09-005 (Wave 0)
 • Current: TODO – Attach `quietedBy` statement IDs, signers, and justification codes to exports/offline bundles, mirror metadata into attested manifest, and add regression fixtures.
 - **Sprint 10** · Backlog
 - Team: TBD
 - Path: `src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`
- 1. [DONE 2025-10-22] SCANNER-ANALYZERS-LANG-10-305A — Parse `*.deps.json` + `runtimeconfig.json`, build RID graph, and normalize to `pkg:nuget` components.
 • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0)
 • Current: DONE — RID-aware deps/runtimeconfig parser emitting deterministic NuGet components with tests landed.
 - Path: `src/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`
- 1. [DONE 2025-10-22] SCANNER-ANALYZERS-LANG-10-304A — Parse Go build info blob (`runtime/debug` format) and `.note.go.buildid`; map to module/version and evidence.
 • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0)
 • Current: DONE – Varint build-info decoder implemented with fixtures and determinism harness coverage.
 - Path: `src/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md`
- 1. [DONE 2025-10-21] SCANNER-ANALYZERS-LANG-10-307N — Integrate shared helpers for license/licence evidence, canonical JSON serialization, and usage flag propagation.
 • Prereqs: SCANNER-ANALYZERS-LANG-10-302C (Wave 0)
 • Current: DONE — Node analyzer now reuses shared metadata/evidence helpers.
 - Path: `src/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`
- 1. [DONE 2025-10-21] SCANNER-ANALYZERS-LANG-10-303A — STREAM-based parser for `*.dist-info` (`METADATA`, `WHEEL`, `entry_points.txt`) with normalization + evidence capture.
• Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0)
 • Current: DONE — Python analyzer ingests METADATA/WHEEL/entry_points with deterministic ordering and UTF-8 normalization. Fixtures updated (`simple-venv`).
 - Path: `src/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`
- 1. [DONE 2025-10-22] SCANNER-ANALYZERS-LANG-10-306A — Parse Cargo metadata (`Cargo.lock`, `.fingerprint`, `.metadata`) and map crates to components with evidence.
 • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0)
 • Current: DONE — Cargo metadata walker emits `pkg:cargo` components with provenance and deterministic fixtures.
 - **Sprint 10** · Scanner Analyzers & SBOM
 - Team: Emit Guild
 - Path: `src/StellaOps.Scanner.Emit/TASKS.md`
- 1. [DONE 2025-10-22] SCANNER-EMIT-10-607 — Embed scoring inputs, confidence band, and `quietedBy` provenance into CycloneDX 1.6 and DSSE predicates; verify deterministic serialization.
 • Prereqs: SCANNER-EMIT-10-604 (Wave 0), POLICY-CORE-09-005 (Wave 0)
 • Current: DONE — SBOM/attestation fixtures include scoring metadata and serialize deterministically.
 - Team: Language Analyzer Guild
 - Path: `src/StellaOps.Scanner.Analyzers.Lang/TASKS.md`
- 1. [DONE 2025-10-21] SCANNER-ANALYZERS-LANG-10-309 — Package language analyzers as restart-time plug-ins (manifest + host registration).
 • Prereqs: SCANNER-ANALYZERS-LANG-10-301 (Wave 0)
 • Current: DONE — Manifest published under `plugins/scanner/analyzers/lang/`, Worker loader wired, integration tests updated.
- 2. [DONE 2025-10-22] SCANNER-ANALYZERS-LANG-10-306 — Rust analyzer detecting crate provenance or falling back to `bin:{sha256}`.
 • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0)
 • Current: DONE — Rust analyzer emits cargo components with provenance and deterministic fallbacks.
- 3. [DONE 2025-10-21] SCANNER-ANALYZERS-LANG-10-302 — Node analyzer resolving workspaces/symlinks into `pkg:npm` identities.
• Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0)
 • Current: DONE — Workspace/symlink coverage validated via determinism fixtures; metrics + lifecycle script evidence landed.
- 4. [DONE 2025-10-22] SCANNER-ANALYZERS-LANG-10-304 — Go analyzer leveraging buildinfo for `pkg:golang` components.
 • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0)
 • Current: DONE — Buildinfo decoder + DWARF fallbacks captured; fixtures and benchmarks green.
- 5. [DONE 2025-10-22] SCANNER-ANALYZERS-LANG-10-305 — .NET analyzer parsing `*.deps.json`, assembly metadata, and RID variants.
 • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0)
 • Current: DONE — RID-aware deps/runtimeconfig parser emits deterministic NuGet components; tests landed.
- 6. [DONE 2025-10-21] SCANNER-ANALYZERS-LANG-10-303 — Python analyzer consuming `*.dist-info` metadata and RECORD hashes.
 • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0)
 • Current: DONE — Dist-info parser, RECORD verifier, editable install metadata, and entrypoint usage hints shipped with deterministic fixture/tests.
-- **Sprint 11** · UI Integration
- - Team: UI Guild
- - Path: `src/StellaOps.UI/TASKS.md`
- 1. [DONE 2025-10-23] UI-ATTEST-11-005 — Attestation visibility (Rekor id, status) on Scan Detail.
- • Prereqs: SIGNER-API-11-101 (Wave 0), ATTESTOR-API-11-201 (Wave 0)
- • Current: DONE (2025-10-23) — Scan Detail route renders Rekor UUID/status via fixtures with verified/failure states covered by specs.
-- **Sprint 12** · Runtime Guardrails
- - Team: Scanner WebService Guild
- - Path: `src/StellaOps.Scanner.WebService/TASKS.md`
- 2. [DONE (2025-10-24)] SCANNER-RUNTIME-12-302 — Implement `/policy/runtime` endpoint joining SBOM baseline + policy verdict, returning admission guidance.
- • Prereqs: SCANNER-RUNTIME-12-301 (Wave 1), ZASTAVA-CORE-12-201 (Wave 0)
- • Current: DONE — endpoint returns signed TTL metadata, logs/metrics wired, and tests cover cache/pass/fail scenarios.
- 3.
[DONE 2025-10-24] SCANNER-RUNTIME-12-303 — Align runtime verdicts with canonical policy evaluation (Feedser/Vexer inputs) once upstream dependencies land.
- • Prereqs: SCANNER-RUNTIME-12-302 (Wave 2)
- • Current: DONE — `/policy/runtime` now calls PolicyPreviewService, surfaces confidence/quiet data, and regression tests cover pass/warn/fail cases across CLI + webhook fixtures.
- 4. [DONE 2025-10-24] SCANNER-RUNTIME-12-304 — Surface attestation/Rekor verification results via Authority/Attestor integration.
- • Prereqs: SCANNER-RUNTIME-12-302 (Wave 2)
- • Current: DONE — runtime policy pipeline invokes the attestation verifier so Rekor entries are marked verified/unknown deterministically and exposed to consumers.
- 5. [DONE 2025-10-24] SCANNER-RUNTIME-12-305 — Finalize shared fixtures and CI automation with Zastava + CLI teams for runtime APIs.
- • Prereqs: SCANNER-RUNTIME-12-301 (Wave 1), SCANNER-RUNTIME-12-302 (Wave 2)
- • Current: DONE — shared runtime policy fixtures exercised in scanner tests, webhook integration, and CLI contract harness; docs updated accordingly.
- - Team: Zastava Observer Guild
- - Path: `src/StellaOps.Zastava.Observer/TASKS.md`
- 1. [DONE 2025-10-24] ZASTAVA-OBS-12-001 — Build container lifecycle watcher that tails CRI (containerd/cri-o/docker) events and emits deterministic runtime records with buffering + backoff.
- • Prereqs: ZASTAVA-CORE-12-201 (Wave 0)
- • Current: DONE — poller emits ordered start/stop events, backoff tested, metrics/log scopes active; waiting on downstream batching work.
 - **Sprint 13** · UX & CLI Experience
 - Team: DevEx/CLI, QA Guild
 - Path: `src/StellaOps.Cli/TASKS.md`
@@ -624,7 +674,6 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 • Current: TODO – Build Spectre test harness exercising `runtime policy test` against a stubbed backend to lock output shape (table + `--json`) and guard regressions. Integrate into `dotnet test` suite.
 - Team: UX Specialist, Angular Eng, DevEx
 - Path: `src/StellaOps.Web/TASKS.md`
- 1. [DONE (2025-10-21)] WEB1.DEPS-13-001 — Stabilise Angular workspace dependencies for headless CI installs (`npm install`, Chromium handling, docs).
 • Prereqs: WEB1.TRIVY-SETTINGS-TESTS (Wave 0)
 • Current: TODO – Capture deterministic lockfile flow, cache Puppeteer downloads, validate `npm test` from clean checkout offline, and update README.
 - Team: UI Guild
@@ -638,13 +687,11 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
 3. [TODO] UI-ADMIN-13-004 — Deliver admin area (tenants/clients/quotas/licensing) with RBAC + audit hooks.
 • Prereqs: AUTH-MTLS-11-002 (Wave 0)
 • Current: TODO
- 4. [DONE 2025-10-23] UI-AUTH-13-001 — Integrate Authority OIDC + DPoP flows with session management.
 • Prereqs: AUTH-DPOP-11-001 (Wave 0), AUTH-MTLS-11-002 (Wave 0)
 • Current: TODO
 5. [TODO] UI-SCANS-13-002 — Build scans module (list/detail/SBOM/diff/attestation) with performance + accessibility targets.
 • Prereqs: SCANNER-WEB-09-102 (external/completed), SIGNER-API-11-101 (Wave 0)
 • Current: TODO
- 6. [DONE 2025-10-25] UI-NOTIFY-13-006 — Notify panel: channels/rules CRUD, deliveries view, test send integration.
 • Prereqs: NOTIFY-WEB-15-101 (Wave 0)
 • Current: TODO
 7. [TODO] UI-SCHED-13-005 — Scheduler panel: schedules CRUD, run history, dry-run preview using API/mocks.
@@ -653,17 +700,14 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
- **Sprint 13** · Platform Reliability
- Team: DevOps Guild, Platform Leads
- Path: `ops/devops/TASKS.md`
- 1. [DONE 2025-10-25] DEVOPS-NUGET-13-001 — Add .NET 10 preview feeds/local mirrors so `dotnet restore` succeeds offline; document updated NuGet bootstrap.
• Prereqs: DEVOPS-REL-14-001 (Wave 1)
• Current: DOING – Mirror preview packages into Offline Kit/allowlisted feeds, update NuGet.config mapping, and refresh restore documentation.
2. [TODO] DEVOPS-UI-13-006 — Add Playwright-based UI auth smoke job to CI/offline pipelines, wiring sample `/config.json` provisioning and reporting.
- • Prereqs: UI-AUTH-13-001 (Wave 1), DEVOPS-REL-14-001 (Wave 1)
• Current: TODO – Extend release/offline pipelines to run `npm run test:e2e`, publish traces on failure, and ensure stub config assets ship alongside the UI bundle.
- **Sprint 14** · Release & Offline Ops
- Team: DevOps Guild
- Path: `ops/devops/TASKS.md`
1. [DOING 2025-10-23] DEVOPS-REL-14-001 — Deterministic build/release pipeline with SBOM/provenance, signing, manifest generation.
- • Prereqs: SIGNER-API-11-101 (Wave 0), ATTESTOR-API-11-201 (Wave 0)
• Current: TODO
- Team: Licensing Guild
- Path: `ops/licensing/TASKS.md`
@@ -678,7 +722,6 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
• Current: DOING (2025-10-24)
- Team: Notify Queue Guild
- Path: `src/StellaOps.Notify.Queue/TASKS.md`
- 1. [DONE 2025-10-23] NOTIFY-QUEUE-15-401 — Build queue abstraction + Redis Streams adapter with ack/claim APIs, idempotency tokens, serialization contracts.
• Prereqs: NOTIFY-MODELS-15-101 (Wave 0)
• Current: DONE — Redis transport, queue contracts, and integration tests delivered (2025-10-23).
@@ -727,7 +770,6 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
- **Sprint 7** · Contextual Truth Foundations
- Team: Team Excititor Export
- Path: `src/StellaOps.Excititor.Export/TASKS.md`
- 1. [DONE 2025-10-21] EXCITITOR-EXPORT-01-007 — EXCITITOR-EXPORT-01-007 – Mirror bundle + domain manifest
• Prereqs: EXCITITOR-EXPORT-01-006 (Wave 1)
• Current: TODO – Create per-domain mirror bundles with consensus/score artifacts, publish signed index for downstream Excititor sync, and ensure deterministic digests + fixtures.
- **Sprint 9** · DevOps Foundations
@@ -739,53 +781,34 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
- **Sprint 10** · Backlog
- Team: TBD
- Path: `src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`
- 1. [DONE 2025-10-22] SCANNER-ANALYZERS-LANG-10-305B — Extract assembly metadata (strong name, file/product info) and optional Authenticode details when offline cert bundle provided.
• Prereqs: SCANNER-ANALYZERS-LANG-10-305A (Wave 1)
• Current: DONE — Assembly metadata now emits strong-name, file/product info, and optional Authenticode signals with deterministic fixtures/tests.
- Path: `src/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`
- 1. [DONE 2025-10-22] SCANNER-ANALYZERS-LANG-10-304B — Implement DWARF-lite reader for VCS metadata + dirty flag; add cache to avoid re-reading identical binaries.
• Prereqs: SCANNER-ANALYZERS-LANG-10-304A (Wave 1)
• Current: DONE — DWARF fallback parses vcs.* markers, cache reuses metadata keyed by file identity.
- Path: `src/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md`
- 1. [DONE 2025-10-21] SCANNER-ANALYZERS-LANG-10-308N — Author determinism harness + fixtures for Node analyzer; add benchmark suite.
• Prereqs: SCANNER-ANALYZERS-LANG-10-307N (Wave 1)
- • Current: DONE — Harness + fixtures merged; benchmark CSV recorded under `bench/Scanner.Analyzers`.
+ • Current: DONE — Harness + fixtures merged; benchmark CSV recorded under `src/StellaOps.Bench/Scanner.Analyzers`.
- Path: `src/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`
- 1. [DONE 2025-10-21] SCANNER-ANALYZERS-LANG-10-303B — RECORD hash verifier with chunked hashing, Zip64 support, and mismatch diagnostics.
• Prereqs: SCANNER-ANALYZERS-LANG-10-303A (Wave 1)
• Current: DONE — Streaming SHA-256 verification with deterministic mismatch evidence; unsupported algorithms tracked; fixtures validated.
- Path: `src/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`
- 1. [DONE 2025-10-22] SCANNER-ANALYZERS-LANG-10-306B — Implement heuristic classifier using ELF section names, symbol mangling, and `.comment` data for stripped binaries.
• Prereqs: SCANNER-ANALYZERS-LANG-10-306A (Wave 1)
• Current: DONE — Heuristic classifier flags stripped binaries, regression tests guard false positives.
- **Sprint 10** · DevOps Perf
- Team: DevOps Guild
- Path: `ops/devops/TASKS.md`
- 1. [DONE (2025-10-23)] DEVOPS-PERF-10-002 — Publish analyzer bench metrics to Grafana/perf workbook and alarm on ≥20 % regressions.
• Prereqs: BENCH-SCANNER-10-002 (Wave 1)
• Current: DONE (2025-10-23)
- **Sprint 10** · Samples
- Team: Samples Guild, Policy Guild
- Path: `samples/TASKS.md`
- 1. [DONE (2025-10-23)] SAMPLES-13-004 — Add policy preview/report fixtures showing confidence bands and unknown-age tags.
• Prereqs: POLICY-CORE-09-006 (Wave 0), UI-POLICY-13-007 (Wave 1)
• Current: DONE (2025-10-23)
- Team: UI Guild
- Path: `src/StellaOps.Web/TASKS.md`
- 1. [DONE (2025-10-23)] WEB-POLICY-FIXTURES-10-001 — Wire policy preview/report doc fixtures into UI harness (test utility or Storybook substitute) with type bindings and validation guard.
• Prereqs: SAMPLES-13-004 (Wave 0)
• Current: DONE (2025-10-23)
-- **Sprint 12** · Runtime Guardrails
- - Team: Scanner WebService Guild
- - Path: `src/StellaOps.Scanner.WebService/TASKS.md`
- 1. [DONE (2025-10-24)] SCANNER-RUNTIME-12-302 — Implement `/policy/runtime` endpoint joining SBOM baseline + policy verdict, returning admission guidance. Coordinate with CLI (`CLI-RUNTIME-13-008`) before GA to lock response field names/metadata.
- • Prereqs: SCANNER-RUNTIME-12-301 (Wave 1), ZASTAVA-CORE-12-201 (Wave 0)
- • Current: DONE — endpoint available with TTL metadata, signed responses, and determinism tests; CLI handoff scheduled.
- - Team: Zastava Observer Guild
- - Path: `src/StellaOps.Zastava.Observer/TASKS.md`
- 1. [DONE 2025-10-24] ZASTAVA-OBS-12-002 — Capture entrypoint traces and loaded libraries, hashing binaries and correlating to SBOM baseline per architecture sections 2.1 and 10.
- • Prereqs: ZASTAVA-OBS-12-001 (Wave 1)
- • Current: DONE — process inspector emits entry trace + maps evidence; restore still requires offline NuGet mirror for gRPC packages.
- **Sprint 14** · Release & Offline Ops
- Team: Deployment Guild
- Path: `ops/deployment/TASKS.md`
@@ -799,7 +822,7 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
• Current: TODO
- **Sprint 15** · Benchmarks
- Team: Bench Guild, Notify Team
- - Path: `bench/TASKS.md`
+ - Path: `src/StellaOps.Bench/TASKS.md`
1. [TODO] BENCH-NOTIFY-15-001 — Notify dispatch throughput bench (vary rule density) with results CSV.
• Prereqs: NOTIFY-ENGINE-15-301 (Wave 1)
• Current: TODO
@@ -811,28 +834,21 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
• Current: TODO
- Team: Notify Queue Guild
- Path: `src/StellaOps.Notify.Queue/TASKS.md`
- 1. [DONE 2025-10-23] NOTIFY-QUEUE-15-403 — Delivery queue for channel actions with retry schedules, poison queues, and metrics instrumentation.
- • Prereqs: NOTIFY-QUEUE-15-401 (Wave 1)
• Current: DONE — delivery queue + retry/dead-letter pipeline shipped with integration tests and metrics (2025-10-23).
- 2. [DONE 2025-10-23] NOTIFY-QUEUE-15-402 — Add NATS JetStream adapter with configuration binding, health probes, failover.
- • Prereqs: NOTIFY-QUEUE-15-401 (Wave 1)
• Current: DONE — JetStream transport, DI binding, health check, and integration tests delivered (2025-10-23).
- Team: Notify WebService Guild
- Path: `src/StellaOps.Notify.WebService/TASKS.md`
1. [TODO] NOTIFY-WEB-15-104 — Configuration binding for Mongo/queue/secrets; startup diagnostics.
- • Prereqs: NOTIFY-STORAGE-15-201 (Wave 0), NOTIFY-QUEUE-15-401 (Wave 1)
• Current: TODO
- Team: Notify Worker Guild
- Path: `src/StellaOps.Notify.Worker/TASKS.md`
- 1. [DONE 2025-10-23] NOTIFY-WORKER-15-201 — Implement bus subscription + leasing loop with correlation IDs, backoff, dead-letter handling (§1–§5).
- • Prereqs: NOTIFY-QUEUE-15-401 (Wave 1)
• Current: DONE — worker leasing loop wired to queue adapters with retry/backoff telemetry (2025-10-23).
2. [TODO] NOTIFY-WORKER-15-202 — Wire rules evaluation pipeline (tenant scoping, filters, throttles, digests, idempotency) with deterministic decisions.
• Prereqs: NOTIFY-ENGINE-15-301 (Wave 1)
• Current: TODO
- **Sprint 16** · Benchmarks
- Team: Bench Guild, Scheduler Team
- - Path: `bench/TASKS.md`
+ - Path: `src/StellaOps.Bench/TASKS.md`
1. [TODO] BENCH-IMPACT-16-001 — ImpactIndex throughput bench (resolve 10k productKeys) + RAM profile.
• Prereqs: SCHED-IMPACT-16-301 (Wave 1)
• Current: TODO
@@ -869,46 +885,30 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
- **Sprint 7** · Contextual Truth Foundations
- Team: Excititor Connectors – Stella
- Path: `src/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md`
- 1. [DONE 2025-10-21] EXCITITOR-CONN-STELLA-07-001 — Implement mirror fetch client consuming `https://.stella-ops.org/excititor/exports/index.json`, validating signatures/digests, storing raw consensus bundles with provenance.
• Prereqs: EXCITITOR-EXPORT-01-007 (Wave 2)
• Current: TODO
- **Sprint 10** · Backlog
- Team: TBD
- Path: `src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`
- 1. [DONE 2025-10-22] SCANNER-ANALYZERS-LANG-10-305C — Handle self-contained apps and native assets; merge with EntryTrace usage hints.
• Prereqs: SCANNER-ANALYZERS-LANG-10-305A (Wave 1)
• Current: DONE — Self-contained fixtures emit components with RID flags; EntryTrace usage hints preserved.
- Path: `src/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`
- 1. [DONE 2025-10-22] SCANNER-ANALYZERS-LANG-10-304C — Fallback heuristics for stripped binaries with deterministic `bin:{sha256}` labeling and quiet provenance.
• Prereqs: SCANNER-ANALYZERS-LANG-10-304B (Wave 2)
• Current: DONE — `bin:{sha256}` fallback + quiet provenance docs shipped with determinism fixtures.
- Path: `src/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md`
- 1. [DONE 2025-10-21] SCANNER-ANALYZERS-LANG-10-309N — Package Node analyzer as restart-time plug-in (manifest, DI registration, Offline Kit notes).
• Prereqs: SCANNER-ANALYZERS-LANG-10-308N (Wave 2)
• Current: DONE — Manifest shipped, Worker catalog integration complete, Offline Kit docs updated.
- Path: `src/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`
- 1. [DONE 2025-10-21] SCANNER-ANALYZERS-LANG-10-303C — Editable install + pip cache detection; integrate EntryTrace hints for runtime usage flags.
• Prereqs: SCANNER-ANALYZERS-LANG-10-303B (Wave 2)
• Current: DONE — `direct_url.json` editable insights surfaced; EntryTrace usage hints mark console scripts; deterministic fixture covers editable vs wheel installs.
- Path: `src/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`
- 1. [DONE 2025-10-22] SCANNER-ANALYZERS-LANG-10-306C — Integrate binary hash fallback (`bin:{sha256}`) and tie into shared quiet provenance helpers.
• Prereqs: SCANNER-ANALYZERS-LANG-10-306B (Wave 2)
• Current: DONE — Hash fallback wired through shared helpers; fixtures ensure deterministic output.
-- **Sprint 12** · Runtime Guardrails
- - Team: Zastava Observer Guild
- - Path: `src/StellaOps.Zastava.Observer/TASKS.md`
- 1. [DONE 2025-10-24] ZASTAVA-OBS-12-003 — Implement runtime posture checks (signature/SBOM/attestation presence) with offline caching and warning surfaces.
- • Prereqs: ZASTAVA-OBS-12-002 (Wave 2)
- • Current: DONE — Observer enriches runtime events with cached posture data and persists cache across restarts.
- 2. [DONE 2025-10-24] ZASTAVA-OBS-12-004 — Batch `/runtime/events` submissions with disk-backed buffer, rate limits, and deterministic envelopes.
- • Prereqs: ZASTAVA-OBS-12-002 (Wave 2)
- • Current: DONE — disk-backed buffer with restart replay + HTTP publisher landed; rate-limit fixtures cover retry/backoff.
- **Sprint 13** · UX & CLI Experience
- Team: DevEx/CLI, Scanner WebService Guild
- Path: `src/StellaOps.Cli/TASKS.md`
1. [TODO] CLI-RUNTIME-13-008 — CLI-RUNTIME-13-008 – Runtime policy contract sync
- • Prereqs: SCANNER-RUNTIME-12-302 (Wave 2)
• Current: TODO – Once `/api/v1/scanner/policy/runtime` exits TODO, verify CLI output against final schema (field names, metadata) and update formatter/tests if the contract moves. Capture joint review notes in docs/09 and link Scanner task sign-off.
- **Sprint 15** · Notify Foundations
- Team: Notify Engine Guild
@@ -930,8 +930,6 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
- **Sprint 17** · Symbol Intelligence & Forensics
- Team: Zastava Observer Guild
- Path: `src/StellaOps.Zastava.Observer/TASKS.md`
- 1. [DONE (2025-10-25)] ZASTAVA-OBS-17-005 — Collect GNU build-id for ELF processes and attach it to emitted runtime events to enable symbol lookup + debug-store correlation.
- • Prereqs: ZASTAVA-OBS-12-002 (Wave 2)
• Current: DONE — Build-id capture wired through RuntimeProcessCollector + RuntimeEventFactory; docs/runbook updated with debug-store workflow.
## Wave 4 — 15 task(s) ready after Wave 3
@@ -944,17 +942,13 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
- **Sprint 9** · Policy Foundations
- Team: Policy Guild, Scanner WebService Guild
- Path: `src/StellaOps.Policy/TASKS.md`
- 1. [TODO] POLICY-RUNTIME-17-201 — Define runtime reachability feed contract and alignment plan for `SCANNER-RUNTIME-17-401` once Zastava endpoints land; document policy expectations for reachability tags.
- • Prereqs: ZASTAVA-OBS-17-005 (Wave 3 — DONE 2025-10-25)
• Current: TODO
- **Sprint 10** · Backlog
- Team: TBD
- Path: `src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`
- 1. [DONE 2025-10-22] SCANNER-ANALYZERS-LANG-10-307D — Integrate shared helpers (license mapping, quiet provenance) and concurrency-safe caches.
• Prereqs: SCANNER-ANALYZERS-LANG-10-305C (Wave 3)
• Current: DONE 2025-10-22
- Path: `src/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`
- 1. [DONE 2025-10-22] SCANNER-ANALYZERS-LANG-10-307G — Wire shared helpers (license mapping, usage flags) and ensure concurrency-safe buffer reuse.
• Prereqs: SCANNER-ANALYZERS-LANG-10-304C (Wave 3)
• Current: DONE — Shared helpers integrated; concurrency tests verify buffer reuse.
- Path: `src/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`
@@ -968,7 +962,6 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
- **Sprint 13** · UX & CLI Experience
- Team: DevEx/CLI
- Path: `src/StellaOps.Cli/TASKS.md`
- 1. [DONE 2025-10-22] CLI-PLUGIN-13-007 — CLI-PLUGIN-13-007 – Plugin packaging
• Prereqs: CLI-RUNTIME-13-005 (Wave 0), CLI-OFFLINE-13-006 (Wave 3)
• Current: TODO – Package non-core verbs as restart-time plug-ins (manifest + loader updates, tests ensuring no hot reload).
- **Sprint 15** · Notify Foundations
@@ -1009,7 +1002,6 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
- Team: Docs Guild
- Path: `docs/TASKS.md`
1. [TODO] DOCS-RUNTIME-17-004 — Document build-id workflows: SBOM exposure, runtime event payloads, debug-store layout, and operator guidance for symbol retrieval.
- • Prereqs: SCANNER-EMIT-17-701 (Wave 1), ZASTAVA-OBS-17-005 (Wave 3 — DONE 2025-10-25), DEVOPS-REL-17-002 (Wave 2)
• Current: TODO
## Wave 5 — 10 task(s) ready after Wave 4
@@ -1022,15 +1014,12 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
- **Sprint 10** · Backlog
- Team: TBD
- Path: `src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`
- 1. [DONE 2025-10-23] SCANNER-ANALYZERS-LANG-10-308D — Determinism fixtures + benchmark harness; compare to competitor scanners for accuracy/perf.
• Prereqs: SCANNER-ANALYZERS-LANG-10-307D (Wave 4)
• Current: DONE — fixtures + benchmarks merged 2025-10-23
- Path: `src/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`
- 1. [DONE 2025-10-22] SCANNER-ANALYZERS-LANG-10-308G — Determinism fixtures + benchmark harness (Vs competitor).
• Prereqs: SCANNER-ANALYZERS-LANG-10-307G (Wave 4)
• Current: DONE — Fixtures and benchmark harness merged; perf delta captured vs competitor.
- Path: `src/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`
- 1. [DONE 2025-10-23] SCANNER-ANALYZERS-LANG-10-308P — Golden fixtures + determinism harness for Python analyzer; add benchmark and hash throughput reporting.
• Prereqs: SCANNER-ANALYZERS-LANG-10-307P (Wave 4)
• Current: DONE — Fixtures `simple-venv`, `pip-cache`, `layered-editable` + hash throughput benchmarks merged 2025-10-23.
- Path: `src/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`
@@ -1052,23 +1041,18 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
- **Sprint 17** · Symbol Intelligence & Forensics
- Team: Scanner WebService Guild
- Path: `src/StellaOps.Scanner.WebService/TASKS.md`
- 1. [DONE 2025-10-25] SCANNER-RUNTIME-17-401 — Persist runtime build-id observations and expose them via `/runtime/events` + policy joins for debug-symbol correlation.
- • Prereqs: SCANNER-RUNTIME-12-301 (Wave 1), ZASTAVA-OBS-17-005 (Wave 3 — DONE 2025-10-25), SCANNER-EMIT-17-701 (Wave 1), POLICY-RUNTIME-17-201 (Wave 4)
• Current: DONE — runtime events normalize digests/build IDs, policy responses/CLI emit `buildIds`, docs/tests updated for debug-store workflows.
## Wave 6 — 8 task(s) ready after Wave 5
- **Sprint 10** · Backlog
- Team: TBD
- Path: `src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`
- 1. [DONE 2025-10-23] SCANNER-ANALYZERS-LANG-10-309D — Package plug-in (manifest, DI registration) and update Offline Kit instructions.
• Prereqs: SCANNER-ANALYZERS-LANG-10-308D (Wave 5)
• Current: DONE — manifest + Offline Kit docs updated 2025-10-23
- Path: `src/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`
- 1. [DONE 2025-10-22] SCANNER-ANALYZERS-LANG-10-309G — Package plug-in manifest + Offline Kit notes; ensure Worker DI registration.
• Prereqs: SCANNER-ANALYZERS-LANG-10-308G (Wave 5)
• Current: DONE — Manifest copied, Worker DI registration verified, Offline Kit docs updated.
- Path: `src/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`
- 1. [DONE 2025-10-23] SCANNER-ANALYZERS-LANG-10-309P — Package plug-in (manifest, DI registration) and document Offline Kit bundling of Python stdlib metadata if needed.
• Prereqs: SCANNER-ANALYZERS-LANG-10-308P (Wave 5)
• Current: DONE — Manifest copied, Worker integration verified, Offline Kit docs updated with Python plug-in guidance.
- Path: `src/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`
@@ -1078,8 +1062,770 @@ Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster
- **Sprint 7** · Contextual Truth Foundations
- Team: Team Normalization & Storage Backbone
- Path: `src/StellaOps.Concelier.Storage.Mongo/TASKS.md`
- 1. [DONE 2025-10-19] FEEDSTORAGE-DATA-07-001 — FEEDSTORAGE-DATA-07-001 Advisory statement & conflict collections
• Prereqs: FEEDMERGE-ENGINE-07-001 (Wave 11)
• Current: TODO – Create `advisory_statements` (immutable) and `advisory_conflicts` collections, define `asOf`/`vulnerabilityKey` indexes, and document migration/rollback steps for event-sourced merge.
+## Wave 7 — 52 task(s) ready after Wave 6
+- **Sprint 20** · Policy Engine v2
+ - Team: Policy Guild
+ - Path: `src/StellaOps.Policy.Engine/TASKS.md`
+ 1. [TODO] POLICY-ENGINE-20-000 — New Policy Engine service host, DI bootstrap, Authority scaffolding.
+ • Prereqs: POLICY-AOC-19-001 (Wave 1)
+ • Current: TODO
+ 2. [TODO] POLICY-ENGINE-20-001 — `stella-dsl@1` parser + IR compiler with diagnostics/checksums.
+ • Prereqs: POLICY-ENGINE-20-000 (Wave 7)
+ • Current: TODO
+ 3. [TODO] POLICY-ENGINE-20-002 — Deterministic evaluator (priority/first-match, safe intrinsics).
+ • Prereqs: POLICY-ENGINE-20-001 (Wave 7)
+ • Current: TODO
+ 4. [TODO] POLICY-ENGINE-20-005 — Determinism guard preventing wall-clock/network/RNG usage.
+ • Prereqs: POLICY-ENGINE-20-002 (Wave 7)
+ • Current: TODO
+ 5. [TODO] POLICY-ENGINE-20-008 — Unit/property/golden/perf suites proving determinism + SLA.
+ • Prereqs: POLICY-ENGINE-20-002/003/004/005/006/007 (Wave 7)
+ • Current: TODO
+ 6. [TODO] POLICY-ENGINE-20-007 — Metrics/traces/log sampling for policy runs/rule hits.
+ • Prereqs: POLICY-ENGINE-20-002 (Wave 7)
+ • Current: TODO
+ 7. [TODO] POLICY-ENGINE-20-009 — Mongo schemas/indexes + migrations for policies/runs/findings.
+ • Prereqs: POLICY-ENGINE-20-000 & POLICY-ENGINE-20-004 (Wave 7)
+ • Current: TODO
+ - Team: Policy Guild · Data Joiners
+ - Path: `src/StellaOps.Policy.Engine/TASKS.md`
+ 1. [TODO] POLICY-ENGINE-20-003 — SBOM↔advisory↔VEX joiners using linksets.
+ • Prereqs: POLICY-ENGINE-20-001 (Wave 7), CONCELIER-POLICY-20-002 (Wave 7), EXCITITOR-POLICY-20-002 (Wave 7)
+ • Current: TODO
+ 2. [TODO] POLICY-ENGINE-20-004 — Materialization writer to `effective_finding_*` with append-only history.
+ • Prereqs: POLICY-ENGINE-20-003 (Wave 7), CONCELIER-POLICY-20-003 (Wave 7), EXCITITOR-POLICY-20-003 (Wave 7)
+ • Current: TODO
+ 3. [TODO] POLICY-ENGINE-20-006 — Incremental orchestrator reacting to change streams.
+ • Prereqs: POLICY-ENGINE-20-003/004 (Wave 7), SCHED-WORKER-20-301 (Wave 7)
+ • Current: TODO
+- **Sprint 20** · Policy API Surface
+ - Team: BE-Base Platform Guild
+ - Path: `src/StellaOps.Web/TASKS.md`
+ 1. [TODO] WEB-POLICY-20-001 — Policy CRUD/compile/run/simulate/findings/explain endpoints.
+ • Prereqs: POLICY-ENGINE-20-001/004 (Wave 7), AUTH-POLICY-20-001 (Wave 7)
+ • Current: TODO
+ 2. [TODO] WEB-POLICY-20-002 — Pagination, filters, deterministic ordering.
+ • Prereqs: WEB-POLICY-20-001 (Wave 7)
+ • Current: TODO
+ 3. [TODO] WEB-POLICY-20-003 — Error mapping to `ERR_POL_*` with contract tests.
+ • Prereqs: WEB-POLICY-20-001 (Wave 7)
+ • Current: TODO
+ 4. [TODO] WEB-POLICY-20-004 — Simulation rate limits + metrics/headers.
+ • Prereqs: WEB-POLICY-20-001/002 (Wave 7)
+ • Current: TODO
+- **Sprint 20** · Policy Console
+ - Team: UI Guild
+ - Path: `src/StellaOps.UI/TASKS.md`
+ 1. [TODO] UI-POLICY-20-001 — Monaco editor with inline diagnostics/compliance checklist.
+ • Prereqs: WEB-POLICY-20-001 (Wave 7)
+ • Current: TODO
+ 2. [TODO] UI-POLICY-20-002 — Simulation diff panel with virtualization + deltas.
+ • Prereqs: UI-POLICY-20-001 (Wave 7), WEB-POLICY-20-001/002 (Wave 7)
+ • Current: TODO
+ 3. [TODO] UI-POLICY-20-003 — Submit/review/approve workflow with RBAC + audit log.
+ • Prereqs: UI-POLICY-20-001 (Wave 7), AUTH-POLICY-20-001 (Wave 7)
+ • Current: TODO
+ 4. [TODO] UI-POLICY-20-004 — Run viewer dashboards (rule heatmap, VEX wins, suppressions).
+ • Prereqs: POLICY-ENGINE-20-006/007 (Wave 7), WEB-POLICY-20-001 (Wave 7)
+ • Current: TODO
+- **Sprint 20** · Policy CLI
+ - Team: DevEx/CLI Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CLI-POLICY-20-001 — `policy new|edit|submit|approve` commands.
+ • Prereqs: WEB-POLICY-20-001 (Wave 7), AUTH-POLICY-20-001 (Wave 7)
+ • Current: TODO
+ 2. [TODO] CLI-POLICY-20-002 — `policy simulate` with diff rendering + exit codes.
+ • Prereqs: CLI-POLICY-20-001 (Wave 7), POLICY-ENGINE-20-006 (Wave 7)
+ • Current: TODO
+ 3. [TODO] CLI-POLICY-20-003 — `findings ls|get` policy-aware filters + explain output.
+ • Prereqs: WEB-POLICY-20-001/002 (Wave 7)
+ • Current: TODO
+- **Sprint 20** · Policy Selection Services
+ - Team: Concelier WebService Guild
+ - Path: `src/StellaOps.Concelier.WebService/TASKS.md`
+ 1. [TODO] CONCELIER-POLICY-20-001 — Advisory selection endpoints for policy engine.
+ • Prereqs: CONCELIER-CORE-AOC-19-004 (Wave 1), WEB-POLICY-20-001 (Wave 7)
+ • Current: TODO
+ - Team: Concelier Core Guild
+ - Path: `src/StellaOps.Concelier.Core/TASKS.md`
+ 1. [TODO] CONCELIER-POLICY-20-002 — Linkset enrichment with equivalence tables/ranges.
+ • Prereqs: CONCELIER-CORE-AOC-19-002 (Wave 1), POLICY-ENGINE-20-001 (Wave 7)
+ • Current: TODO
+ - Team: Concelier Storage Guild
+ - Path: `src/StellaOps.Concelier.Storage.Mongo/TASKS.md`
+ 1. [TODO] CONCELIER-POLICY-20-003 — Selection cursors + change-stream checkpoints.
+ • Prereqs: CONCELIER-STORE-AOC-19-002 (Wave 1), POLICY-ENGINE-20-003 (Wave 7)
+ • Current: TODO
+ - Team: Excititor WebService Guild
+ - Path: `src/StellaOps.Excititor.WebService/TASKS.md`
+ 1. [TODO] EXCITITOR-POLICY-20-001 — VEX selection APIs (batch PURL/ID, tenant filters).
+ • Prereqs: EXCITITOR-CORE-AOC-19-004 (Wave 1), WEB-POLICY-20-001 (Wave 7)
+ • Current: TODO
+ - Team: Excititor Core Guild
+ - Path: `src/StellaOps.Excititor.Core/TASKS.md`
+ 1. [TODO] EXCITITOR-POLICY-20-002 — Scope-aware linksets + version range handling.
+ • Prereqs: EXCITITOR-CORE-AOC-19-002 (Wave 1), POLICY-ENGINE-20-001 (Wave 7)
+ • Current: TODO
+ - Team: Excititor Storage Guild
+ - Path: `src/StellaOps.Excititor.Storage.Mongo/TASKS.md`
+ 1. [TODO] EXCITITOR-POLICY-20-003 — Selection cursors + checkpoints for VEX change streams.
+ • Prereqs: EXCITITOR-STORE-AOC-19-002 (Wave 1), POLICY-ENGINE-20-003 (Wave 7)
+ • Current: TODO
+- **Sprint 20** · Scheduler Integration
+ - Team: Scheduler Models Guild
+ - Path: `src/StellaOps.Scheduler.Models/TASKS.md`
+ 1. [TODO] SCHED-MODELS-20-001 — Policy run/diff DTOs + validation helpers.
+ • Prereqs: POLICY-ENGINE-20-000 (Wave 7)
+ • Current: TODO
+ 2. [TODO] SCHED-MODELS-20-002 — Schema docs/sample payloads for policy runs.
+ • Prereqs: SCHED-MODELS-20-001 (Wave 7)
+ • Current: TODO
+ - Team: Scheduler WebService Guild
+ - Path: `src/StellaOps.Scheduler.WebService/TASKS.md`
+ 1. [TODO] SCHED-WEB-20-001 — Policy run scheduling APIs with `policy:run` enforcement.
+ • Prereqs: SCHED-WEB-16-101 (Wave 1), AUTH-POLICY-20-001 (Wave 7)
+ • Current: TODO
+ 2. [TODO] SCHED-WEB-20-002 — Simulation trigger endpoint returning diff metadata.
+ • Prereqs: SCHED-WEB-20-001 (Wave 7), POLICY-ENGINE-20-006 (Wave 7)
+ • Current: TODO
+ - Team: Scheduler Worker Guild
+ - Path: `src/StellaOps.Scheduler.Worker/TASKS.md`
+ 1. [TODO] SCHED-WORKER-20-301 — Trigger policy runs (full/incremental/simulate) via API.
+ • Prereqs: SCHED-WORKER-16-201 (Wave 1), POLICY-ENGINE-20-000 (Wave 7)
+ • Current: TODO
+ 2. [TODO] SCHED-WORKER-20-302 — Delta targeting for policy reruns using change streams.
+ • Prereqs: SCHED-WORKER-20-301 (Wave 7), POLICY-ENGINE-20-006 (Wave 7)
+ • Current: TODO
+ 3. [TODO] SCHED-WORKER-20-303 — Metrics/logs for scheduled policy runs.
+ • Prereqs: SCHED-WORKER-20-301 (Wave 7)
+ • Current: TODO
+- **Sprint 20** · Authority & Security
+ - Team: Authority Core & Security Guild
+ - Path: `src/StellaOps.Authority/TASKS.md`
+ 1. [TODO] AUTH-POLICY-20-001 — Introduce policy scopes (`policy:*`, `findings:read`, `effective:write`).
+ • Prereqs: AUTH-AOC-19-001 (Wave 1)
+ • Current: TODO
+ 2. [TODO] AUTH-POLICY-20-002 — Enforce Policy Engine identity + gateway scope checks.
+ • Prereqs: AUTH-POLICY-20-001 (Wave 7), AUTH-AOC-19-002 (Wave 1)
+ • Current: TODO
+ 3. [TODO] AUTH-POLICY-20-003 — Update Authority docs/config samples for new scopes.
+ • Prereqs: AUTH-POLICY-20-001 (Wave 7)
+ • Current: TODO
+- **Sprint 20** · CI/CD & Observability
+ - Team: DevOps Guild
+ - Path: `ops/devops/TASKS.md`
+ 1. [TODO] DEVOPS-POLICY-20-001 — Integrate DSL lint/compile checks in CI.
+ • Prereqs: POLICY-ENGINE-20-001 (Wave 7)
+ • Current: TODO
+ 2. [TODO] DEVOPS-POLICY-20-002 — Run `stella policy simulate` stage on golden SBOMs.
+ • Prereqs: DEVOPS-POLICY-20-001 (Wave 7), POLICY-ENGINE-20-006 (Wave 7)
+ • Current: TODO
+ 3. [TODO] DEVOPS-POLICY-20-003 — Determinism CI diffing repeated policy runs.
+ • Prereqs: DEVOPS-POLICY-20-001 (Wave 7), POLICY-ENGINE-20-005 (Wave 7)
+ • Current: TODO
+- **Sprint 20** · Documentation
+ - Team: Docs Guild
+ - Path: `docs/TASKS.md`
+ 1. [TODO] DOCS-POLICY-20-001 — `/docs/policy/overview.md`.
+ • Prereqs: POLICY-ENGINE-20-000 (Wave 7)
+ • Current: TODO
+ 2. [TODO] DOCS-POLICY-20-002 — `/docs/policy/dsl.md` grammar + examples.
+ • Prereqs: POLICY-ENGINE-20-001 (Wave 7)
+ • Current: TODO
+ 3. [TODO] DOCS-POLICY-20-003 — `/docs/policy/lifecycle.md` workflow/roles.
+ • Prereqs: AUTH-POLICY-20-001 (Wave 7), WEB-POLICY-20-001 (Wave 7)
+ • Current: TODO
+ 4. [TODO] DOCS-POLICY-20-004 — `/docs/policy/runs.md` run modes + cursors.
+ • Prereqs: POLICY-ENGINE-20-006 (Wave 7), SCHED-WEB-20-001 (Wave 7)
+ • Current: TODO
+ 5. [TODO] DOCS-POLICY-20-005 — `/docs/api/policy.md` endpoints + schemas.
+ • Prereqs: WEB-POLICY-20-001 (Wave 7)
+ • Current: TODO
+ 6. [TODO] DOCS-POLICY-20-006 — `/docs/cli/policy.md` with command usage.
+ • Prereqs: CLI-POLICY-20-002 (Wave 7)
+ • Current: TODO
+ 7. [TODO] DOCS-POLICY-20-007 — `/docs/ui/policy-editor.md` flows + screenshots.
+ • Prereqs: UI-POLICY-20-001/002/003 (Wave 7)
+ • Current: TODO
+ 8. [TODO] DOCS-POLICY-20-008 — `/docs/architecture/policy-engine.md` with diagrams.
+ • Prereqs: POLICY-ENGINE-20-003/006 (Wave 7)
+ • Current: TODO
+ 9. [TODO] DOCS-POLICY-20-009 — `/docs/observability/policy.md` metrics/traces/logs.
+ • Prereqs: POLICY-ENGINE-20-007 (Wave 7), DEVOPS-POLICY-20-002 (Wave 7)
+ • Current: TODO
+ 10. [TODO] DOCS-POLICY-20-010 — `/docs/security/policy-governance.md` scopes/approvals.
+ • Prereqs: AUTH-POLICY-20-002 (Wave 7)
+ • Current: TODO
+ 11. [TODO] DOCS-POLICY-20-011 — `/docs/examples/policies/` sample policies + commentary.
+ • Prereqs: POLICY-ENGINE-20-001/002 (Wave 7)
+ • Current: TODO
+ 12. [TODO] DOCS-POLICY-20-012 — `/docs/faq/policy-faq.md` common pitfalls.
+ • Prereqs: WEB-POLICY-20-003 (Wave 7), POLICY-ENGINE-20-005 (Wave 7)
+ • Current: TODO
+- **Sprint 20** · Samples & Benchmarks
+ - Team: Samples Guild
+ - Path: `samples/TASKS.md`
+ 1. [TODO] SAMPLES-POLICY-20-001 — Baseline/serverless/internal-only policy samples + fixtures.
+ • Prereqs: POLICY-ENGINE-20-002 (Wave 7), DOCS-POLICY-20-011 (Wave 7)
+ • Current: TODO
+ 2. [TODO] SAMPLES-POLICY-20-002 — Simulation diff fixtures for UI/CLI tests.
+ • Prereqs: UI-POLICY-20-002 (Wave 7)
+ • Current: TODO
+ - Team: Bench Guild
+ - Path: `src/StellaOps.Bench/TASKS.md`
+ 1. [TODO] BENCH-POLICY-20-001 — Policy evaluation performance benchmark suite.
+ • Prereqs: POLICY-ENGINE-20-002/006 (Wave 7)
+ • Current: TODO
+ 2. [TODO] BENCH-POLICY-20-002 — Incremental run benchmark tracking delta SLA.
+ • Prereqs: BENCH-POLICY-20-001 (Wave 7), SCHED-WORKER-20-302 (Wave 7)
+ • Current: TODO
+
+## Wave 8 — 60 task(s) ready after Wave 7
+- **Sprint 21** · Graph Explorer v1
+ - Team: Cartographer Guild
+ - Path: `src/StellaOps.Cartographer/TASKS.md`
+ 1. [TODO] CARTO-GRAPH-21-001/002/003/004 — Schema, projection reader, graph constructor, and layout tiling are ready once SBOM projections ship (Wave 7 prereqs).
+ 2. [TODO] CARTO-GRAPH-21-005/006/007/008/009 — Overlay worker, API surface, backfill/overlay jobs, testing, and deployment artefacts depend on Cartographer infrastructure plus Policy Engine 30-series work.
+ - Team: SBOM Service Guild
+ - Path: `src/StellaOps.SbomService/TASKS.md`
+ 1. [TODO] SBOM-SERVICE-21-001/002/003/004 — Normalized projection API, change events, entrypoint management, and observability unblock Cartographer’s ingestion.
+ - Team: Policy Guild
+ - Path: `src/StellaOps.Policy.Engine/TASKS.md`
+ 1. [TODO] POLICY-ENGINE-30-001/002/003 — Graph overlay contract, simulation bridge, and change events rely on Policy Engine v2 core (Wave 7) and feed Cartographer overlays.
+ - Team: BE-Base Platform Guild
+ - Path: `src/StellaOps.Web/TASKS.md`
+ 1. [TODO] WEB-GRAPH-21-001..004 — Graph gateway routes, validation, exports, and simulation bridging activate once Cartographer endpoints exist.
+ - Team: UI Guild
+ - Path: `src/StellaOps.UI/TASKS.md`
+ 1. [TODO] UI-GRAPH-21-001..006 — Canvas, inspector, filters, paths, diff, and accessibility depend on Cartographer/Web graph APIs and Samples fixtures.
+ - Team: DevEx/CLI Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CLI-GRAPH-21-001..003 — CLI commands, path/simulation options, and docs require Cartographer/Web readiness.
+ - Team: Authority Core & Security Guild
+ - Path: `src/StellaOps.Authority/TASKS.md`
+ 1. [TODO] AUTH-GRAPH-21-001..003 — Graph scope issuance, enforcement, and documentation unblock service deployments.
+ - Team: Scheduler Guilds
+ - Paths: `src/StellaOps.Scheduler.Models/TASKS.md`, `src/StellaOps.Scheduler.WebService/TASKS.md`, `src/StellaOps.Scheduler.Worker/TASKS.md`
+ 1. [TODO] SCHED-MODELS-21-001/002, SCHED-WEB-21-001/002, SCHED-WORKER-21-201..203 — Graph job DTOs, APIs, workers, and metrics coordinate Cartographer runs after SBOM change events.
+ - Team: Concelier Guild
+ - Paths: `src/StellaOps.Concelier.Core/TASKS.md`, `src/StellaOps.Concelier.WebService/TASKS.md`
+ 1. [TODO] CONCELIER-GRAPH-21-001..004 — SBOM projection enrichment and entrypoint APIs feed SBOM Service/Cartographer.
+ - Team: Excititor Guild
+ - Paths: `src/StellaOps.Excititor.Core/TASKS.md`, `src/StellaOps.Excititor.WebService/TASKS.md`, `src/StellaOps.Excititor.Storage.Mongo/TASKS.md`
+ 1. [TODO] EXCITITOR-GRAPH-21-001..005 — Provide VEX inspector data, overlay enrichment, events, and indexes for Graph Explorer.
+ - Team: DevOps Guild
+ - Path: `ops/devops/TASKS.md`
+ 1. [TODO] DEVOPS-GRAPH-21-001..003 — Perf tests, visual regression captures, and offline kit bundling align with Cartographer/SBOM readiness.
+ - Team: Docs/Samples/Bench Guilds
+ - Paths: `docs/TASKS.md`, `samples/TASKS.md`, `src/StellaOps.Bench/TASKS.md`
+ 1. [TODO] DOCS-GRAPH-21-001..009, SAMPLES-GRAPH-21-001..002, BENCH-GRAPH-21-001..002 — Publish documentation set, sample assets, and benchmarks once API/UI stabilize.
+
+
+## Wave 9 — 58 task(s) ready after Wave 8
+- **Sprint 22** · Link-Not-Merge v1
+ - Team: Concelier Core Guild
+ - Path: `src/StellaOps.Concelier.Core/TASKS.md`
+ 1. [TODO] CONCELIER-LNM-21-001/002/003/004/005 — Observation schema, linkset builder, conflict annotator, merge removal, and event emission follow Graph wave completion and AOC guard readiness.
+ - Team: Concelier Storage Guild
+ - Path: `src/StellaOps.Concelier.Storage.Mongo/TASKS.md`
+ 1. [TODO] CONCELIER-LNM-21-101/102/103 — Collections, backfill tooling, and blob storage wiring depend on core schema finalization.
+ - Team: Concelier WebService Guild
+ - Path: `src/StellaOps.Concelier.WebService/TASKS.md`
+ 1. [TODO] CONCELIER-LNM-21-201/202/203 — Advisory observation/linkset APIs and event publishing follow storage readiness.
+ - Team: BE-Merge
+ - Path: `src/StellaOps.Concelier.Merge/TASKS.md`
+ 1. [TODO] MERGE-LNM-21-001/002/003 — Decommission merge pipeline once observation/linkset flow validated.
+ - Team: Excititor Core Guild
+ - Path: `src/StellaOps.Excititor.Core/TASKS.md`
+ 1. [TODO] EXCITITOR-LNM-21-001..005 — VEX observations/linksets, conflicts, merge removal, and events mirror advisory work.
+ - Team: Excititor Storage Guild
+ - Path: `src/StellaOps.Excititor.Storage.Mongo/TASKS.md`
+ 1. [TODO] EXCITITOR-LNM-21-101/102 — Collections and backfill for VEX data prepared after schema finalization.
+ - Team: Excititor WebService Guild
+ - Path: `src/StellaOps.Excititor.WebService/TASKS.md`
+ 1. [TODO] EXCITITOR-LNM-21-201..203 — VEX observation/linkset APIs and event publishing.
+ - Team: Policy Guild
+ - Path: `src/StellaOps.Policy.Engine/TASKS.md`
+ 1. [TODO] POLICY-ENGINE-40-001..003 — Effective severity adjustments, VEX conflict handling, and consumer utilities once observation/linkset data shape is fixed.
+ - Team: Scanner WebService Guild
+ - Path: `src/StellaOps.Scanner.WebService/TASKS.md`
+ 1. [TODO] SCANNER-LNM-21-001/002 — Report/runtime updates and evidence endpoint leveraging new linksets.
+ - Team: BE-Base Platform Guild
+ - Path: `src/StellaOps.Web/TASKS.md`
+ 1. [TODO] WEB-LNM-21-001..003 — Gateway exposure for advisory/vex APIs and policy evidence combos.
+ - Team: UI Guild
+ - Path: `src/StellaOps.UI/TASKS.md`
+ 1. [TODO] UI-LNM-22-001..004 — Evidence panel, filters, VEX tab, permalinks after API readiness.
+ - Team: DevEx/CLI Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CLI-LNM-22-001/002 — CLI support for observations/linksets and exports.
+ - Team: Authority Core Guild
+ - Path: `src/StellaOps.Authority/TASKS.md`
+ 1. [TODO] AUTH-AOC-19-001 — Scope rollout (`advisory/vex ingest/read`) enabling new APIs.
+ - Team: DevOps Guild
+ - Path: `ops/devops/TASKS.md`
+ 1. [TODO] DEVOPS-LNM-22-001..003 — Migration automation, monitoring, and SLA alerts for observation pipelines.
+ - Team: Docs Guild
+ - Path: `docs/TASKS.md`
+ 1. [TODO] DOCS-LNM-22-001..008 — Publish aggregation philosophy, API docs, UI guides, migration playbook.
+ - Team: Samples Guild
+ - Path: `samples/TASKS.md`
+ 1. [TODO] SAMPLES-LNM-22-001/002 — Observation/linkset fixtures for advisories and VEX.
+ - Team: Bench Guild
+ - Path: `src/StellaOps.Bench/TASKS.md`
+ 1. [TODO] BENCH-LNM-22-001/002 — Ingest/correlation performance benchmarks to enforce SLA.
+
+
+## Wave 10 — 54 task(s) ready after Wave 9
+- **Sprint 23** · Policy Engine + Editor v1
+ - Team: Policy Guild (Library)
+ - Path: `src/StellaOps.Policy/TASKS.md`
+ 1. [TODO] POLICY-SPL-23-001..005 — SPL schema/canonicalizer/layering/explain model/migration tooling once Link-Not-Merge data model is stable.
+ - Team: Policy Engine Service
+ - Path: `src/StellaOps.Policy.Engine/TASKS.md`
+ 1. [TODO] POLICY-ENGINE-50-001..007 — Compiler, evaluator, observability, event pipeline, storage schemas, explainer persistence, worker orchestration.
+ - Team: BE-Base Platform Guild
+ - Path: `src/StellaOps.Web/TASKS.md`
+ 1. [TODO] WEB-POLICY-23-001..004 — Policy pack CRUD, activation, simulation/evaluation, explain history APIs.
+ - Team: UI Guild
+ - Path: `src/StellaOps.UI/TASKS.md`
+ 1. [TODO] UI-POLICY-23-001..006 — Policy editor workspace, YAML builder, guided builder, approvals, simulator, explain view.
+ - Team: DevEx/CLI Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CLI-POLICY-23-004..006 — CLI lint/activate/history + explain commands aligned with new APIs.
+ - Team: Authority Core Guild
+ - Path: `src/StellaOps.Authority/TASKS.md`
+ 1. [TODO] AUTH-POLICY-23-001..003 — Policy scopes, two-person activation, documentation.
+ - Team: SBOM Service Guild
+ - Path: `src/StellaOps.SbomService/TASKS.md`
+ 1. [TODO] SBOM-SERVICE-23-001/002 — Asset metadata projection + `sbom.asset.updated` events feeding evaluator.
+ - Team: Concelier & Excititor Guilds
+ - Paths: `src/StellaOps.Concelier.Core/TASKS.md`, `src/StellaOps.Excititor.Core/TASKS.md`, `src/StellaOps.Concelier.WebService/TASKS.md`, `src/StellaOps.Excititor.WebService/TASKS.md`
+ 1. [TODO] CONCELIER-POLICY-23-001/002 and EXCITITOR-POLICY-23-001/002 plus CONCELIER/EXCITITOR-LNM-21-201..203 — Evidence indexes, enriched events, observation/linkset APIs supporting policy runtime.
+ - Team: Scheduler Worker Guild
+ - Path: `src/StellaOps.Scheduler.Worker/TASKS.md`
+ 1. [TODO] SCHED-WORKER-23-101/102 — Policy re-evaluation worker + reconciliation job post activation.
+ - Team: DevOps Guild
+ - Path: `ops/devops/TASKS.md`
+ 1. [TODO] DEVOPS-LNM-22-001..003 (migration/monitoring) and future policy deployment automation for SPL bundles.
+ - Team: Docs Guild, Samples, Bench
+ - Paths: `docs/TASKS.md`, `samples/TASKS.md`, `src/StellaOps.Bench/TASKS.md`
+ 1. [TODO] DOCS-POLICY-23-001..010, SAMPLES-LNM-22-001/002, BENCH-LNM-22-001/002 — Documentation set, policy fixtures, performance benchmarks.
+ + ## Wave 11 — 1 task(s) ready after Wave 10
+- **Sprint 32** · Orchestrator Dashboard Phase 1 (Foundations)
+ - Team: Orchestrator Service Guild
+ - Path: `src/StellaOps.Orchestrator/TASKS.md`
+ 1. [TODO] ORCH-SVC-32-001..005 — Stand up the orchestrator service (schema, scheduler, read-only APIs, SSE, worker endpoints). Coordinate with DevOps (DEVOPS-ORCH-32-001) for Postgres + message bus availability before enabling progression.
+ - Team: Worker SDK Guild
+ - Paths: `src/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md`, `src/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md`
+ 1. [TODO] WORKER-GO-32-001/002, WORKER-PY-32-001/002 — Deliver baseline job claim/heartbeat libraries. These unblock Concelier/Excititor/SBOM adoption tasks and should validate against ORCH-SVC-32-005 contract.
+ - Team: Concelier Core Guild
+ - Path: `src/StellaOps.Concelier.Core/TASKS.md`
+ 1. [TODO] CONCELIER-ORCH-32-001/002 — Register sources and embed SDK hooks in ingestion loops. Depends on Worker SDK handshake and orchestrator read APIs.
+ - Team: Excititor Worker Guild
+ - Path: `src/StellaOps.Excititor.Worker/TASKS.md`
+ 1. [TODO] EXCITITOR-ORCH-32-001 — Adopt worker SDK for VEX ingestion. Requires ORCH-SVC-32-005 and Worker SDK readiness.
+ - Team: SBOM Service Guild
+ - Path: `src/StellaOps.SbomService/TASKS.md`
+ 1. [TODO] SBOM-ORCH-32-001 — Emit orchestrator job metadata and artifact hashes for SBOM ingest/index jobs; depends on orchestrator schema finalization.
+ - Team: Policy Guild
+ - Path: `src/StellaOps.Policy.Engine/TASKS.md`
+ 1. [TODO] POLICY-ENGINE-32-101 — Define `policy_eval` job contract and enqueue hooks so orchestrator DAGs can plan downstream work.
+ - Team: BE-Base Platform Guild
+ - Path: `src/StellaOps.Web/TASKS.md`
+ 1. [TODO] WEB-ORCH-32-001 — Surface read-only orchestrator APIs through the gateway with tenant scoping once service endpoints exist.
+ - Team: Authority Core & Security Guild
+ - Path: `src/StellaOps.Authority/TASKS.md`
+ 1. [TODO] AUTH-ORCH-32-001 — Introduce `orch:read` scope and `Orch.Viewer` role so CLI/Console work can proceed safely.
+ - Team: DevEx/CLI Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CLI-ORCH-32-001 — Provide read-only `stella orch` listings after gateway routes/scopes are available; validate against imposed rule requirement.
+ - Team: Console Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CONSOLE-ORCH-32-001/002 — Overview + Sources pages (read-only) rely on SSE stream, viewer scope, and CLI/gateway parity.
+ - Team: Docs Guild
+ - Path: `docs/TASKS.md`
+ 1. [TODO] DOCS-ORCH-32-001/002 — Publish overview/architecture docs (each closing with imposed rule statement) to align cross-team implementation.
+ - Team: DevOps Guild
+ - Path: `ops/devops/TASKS.md`
+ 1. [TODO] DEVOPS-ORCH-32-001 — Stand up Postgres/message bus environments and seed Grafana dashboards; prerequisite for orchestrator integration workstreams.
+- **Sprint 33** · Orchestrator Dashboard Phase 2 (Controls & Recovery)
+ - Team: Orchestrator Service Guild
+ - Path: `src/StellaOps.Orchestrator/TASKS.md`
+ 1. [TODO] ORCH-SVC-33-001..004 — Add control actions, adaptive rate limiter, watermark/backfill manager, and dead-letter replay. Requires Phase 1 completion and Worker SDK control hooks.
+ - Team: Worker SDK Guild
+ - Paths: `src/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md`, `src/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md`
+ 1. [TODO] WORKER-GO-33-001/002, WORKER-PY-33-001/002 — Provide artifact upload, idempotency guards, and error classification so orchestrator controls function safely.
+ - Team: Concelier Core Guild
+ - Path: `src/StellaOps.Concelier.Core/TASKS.md`
+ 1. [TODO] CONCELIER-ORCH-33-001 — Honor orchestrator throttles and retry semantics; unblocker for circuit breaker work in Sprint 34.
+ - Team: Excititor Worker Guild
+ - Path: `src/StellaOps.Excititor.Worker/TASKS.md`
+ 1. [TODO] EXCITITOR-ORCH-33-001 — Surface error classes and throttling compliance; depends on Worker SDK error helpers.
+ - Team: SBOM Service Guild
+ - Path: `src/StellaOps.SbomService/TASKS.md`
+ 1. [TODO] SBOM-ORCH-33-001 — Report backpressure metrics and respect orchestrator pause/backfill signals.
+ - Team: Policy Guild
+ - Path: `src/StellaOps.Policy.Engine/TASKS.md`
+ 1. [TODO] POLICY-ENGINE-33-101 — Implement orchestrator-driven evaluation workers with SLO metrics; prerequisites: ORCH-SVC-32-003/005 and Worker SDK upgrades.
+ - Team: VEX Lens Guild
+ - Path: `src/StellaOps.VexLens/TASKS.md`
+ 1. [TODO] VEXLENS-ORCH-33-001 — Register `consensus_compute` job type and worker integration so orchestrator can schedule consensus batches.
+ - Team: BE-Base Platform Guild
+ - Path: `src/StellaOps.Web/TASKS.md`
+ 1. [TODO] WEB-ORCH-33-001 — Wire control/backfill endpoints through gateway with proper error mapping and SSE bridging; relies on AUTH-ORCH-33-001.
+ - Team: Authority Core & Security Guild
+ - Path: `src/StellaOps.Authority/TASKS.md`
+ 1. [TODO] AUTH-ORCH-33-001 — Add `Orch.Operator` role/scopes and enforce reason strings; prerequisite for CLI/Console control surfaces.
+ - Team: DevEx/CLI Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CLI-ORCH-33-001 — Implement action verbs (`pause|resume|test`, `retry|cancel`, `jobs tail`) with streaming output and scope enforcement.
+ - Team: Console Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CONSOLE-ORCH-33-001/002 — Runs timeline/DAG and Jobs tail views with action buttons. Requires SSE, operator scopes, and orchestrator control endpoints.
+ - Team: Docs Guild
+ - Path: `docs/TASKS.md`
+ 1. [TODO] DOCS-ORCH-33-001..003 — Publish API, Console, and CLI guides (each reiterating imposed rule) once control endpoints stabilize.
+ - Team: DevOps Guild
+ - Path: `ops/devops/TASKS.md`
+ 1. [TODO] DEVOPS-ORCH-33-001 — Deliver Grafana dashboards/alerts (rate limiter, queue depth, error clustering) gated by orchestrator metrics.
+- **Sprint 34** · Orchestrator Dashboard Phase 3 (Backfills, Quotas, GA)
+ - Team: Orchestrator Service Guild
+ - Path: `src/StellaOps.Orchestrator/TASKS.md`
+ 1. [TODO] ORCH-SVC-34-001..004 — Quotas/SLOs, audit ledger export, scale tests, and packaging. Requires Phase 2 controls plus DevOps support for perf/load validation.
+ - Team: Worker SDK Guild
+ - Paths: `src/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md`, `src/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md`
+ 1. [TODO] WORKER-GO-34-001, WORKER-PY-34-001 — Backfill range execution and dedupe verification; prerequisites: ORCH-SVC-33-003 and service artifact schemas.
+ - Team: Concelier Core Guild
+ - Path: `src/StellaOps.Concelier.Core/TASKS.md`
+ 1. [TODO] CONCELIER-ORCH-34-001 — Execute orchestrator-driven backfills with ledger linkage; ensure idempotency before GA sign-off.
+ - Team: Excititor Worker Guild
+ - Path: `src/StellaOps.Excititor.Worker/TASKS.md`
+ 1. [TODO] EXCITITOR-ORCH-34-001 — Backfill + circuit breaker reset logic; depends on Worker SDK backfill support.
+ - Team: SBOM Service Guild
+ - Path: `src/StellaOps.SbomService/TASKS.md`
+ 1. [TODO] SBOM-ORCH-34-001 — Watermark reconciliation and coverage metrics for sbom backfills.
+ - Team: Policy Guild
+ - Path: `src/StellaOps.Policy.Engine/TASKS.md`
+ 1. [TODO] POLICY-ENGINE-34-101 — Surface run ledger exports and SLO burn metrics to orchestrator; coordinates with Findings Ledger.
+ - Team: VEX Lens Guild
+ - Path: `src/StellaOps.VexLens/TASKS.md`
+ 1. [TODO] VEXLENS-ORCH-34-001 — Emit consensus completion events into orchestrator ledger + provenance chain.
+ - Team: Findings Ledger Guild
+ - Path: `src/StellaOps.Findings.Ledger/TASKS.md`
+ 1. [TODO] LEDGER-34-101 — Consume orchestrator ledger entries for provenance exports; must align with ORCH-SVC-34-002 hashing.
+ - Team: BE-Base Platform Guild
+ - Path: `src/StellaOps.Web/TASKS.md`
+ 1. [TODO] WEB-ORCH-34-001 — Route quotas/backfill/error clustering APIs; prerequisite for CLI/Console GA features.
+ - Team: Authority Core & Security Guild
+ - Path: `src/StellaOps.Authority/TASKS.md`
+ 1. [TODO] AUTH-ORCH-34-001 — Add `Orch.Admin` role, quota scopes, and audit reason enforcement; required before exposing admin controls.
+ - Team: DevEx/CLI Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CLI-ORCH-34-001 — Implement backfill/quota commands with dry-run preview; depends on ORCH-SVC-34-001/003 and AUTH-ORCH-34-001.
+ - Team: Console Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CONSOLE-ORCH-34-001..003 — Queues/backpressure dashboard, backfill wizard, and error clustering view; align with API + metrics outputs.
+ - Team: Docs Guild
+ - Path: `docs/TASKS.md`
+ 1. [TODO] DOCS-ORCH-34-001..005 — Final documentation set (run ledger, secrets handling, runbook, schema, SLO) — each must restate imposed rule and cross-link to services adopting orchestrator.
+ - Team: DevOps Guild
+ - Path: `ops/devops/TASKS.md`
+ 1. [TODO] DEVOPS-ORCH-34-001 — Harden production dashboards/alerts and synthetic probes prior to GA.
+ - Team: Deployment Guild
+ - Path: `ops/deployment/TASKS.md`
+ 1. [TODO] DEPLOY-ORCH-34-001 — Package orchestrator Helm/Compose, scaling defaults, offline guidance; depends on ORCH-SVC-34-004.
+ - Team: Offline Kit Guild
+ - Path: `ops/offline-kit/TASKS.md`
+ 1. [TODO] DEVOPS-OFFLINE-34-006 — Bundle orchestrator service artifacts, worker SDK samples, and Postgres snapshot into Offline Kit with integrity checks.
+- **Sprint 35** · Export Center Phase 1 (Foundations)
+ - Team: Exporter Service Guild
+ - Path: `src/StellaOps.ExportCenter/TASKS.md`
+ 1. [TODO] EXPORT-SVC-35-001..006 — Bootstrap exporter service, planner, JSON/mirror adapters, manifests/signing, and download APIs. Blocks downstream integrations (Findings Ledger, Policy, VEX Lens, Web, CLI, Console).
+ - Team: Orchestrator Service Guild
+ - Path: `src/StellaOps.Orchestrator/TASKS.md`
+ 1. [TODO] ORCH-SVC-35-101 — Register export job type, quotas, and telemetry to support exporter workers.
+ - Team: Findings Ledger Guild
+ - Path: `src/StellaOps.Findings.Ledger/TASKS.md`
+ 1. [TODO] LEDGER-EXPORT-35-001 — Provide streaming endpoints for advisories/VEX/SBOM/findings filtered per export scopes. Required before planner work can complete.
+ - Team: Policy Guild
+ - Path: `src/StellaOps.Policy.Engine/TASKS.md`
+ 1. [TODO] POLICY-ENGINE-35-201 — Supply deterministic policy snapshot + evaluated findings endpoint for policy-aware exports.
+ - Team: VEX Lens Guild
+ - Path: `src/StellaOps.VexLens/TASKS.md`
+ 1. [TODO] VEXLENS-EXPORT-35-001 — Produce consensus snapshot API consumed by mirror bundles.
+ - Team: BE-Base Platform Guild
+ - Path: `src/StellaOps.Web/TASKS.md`
+ 1. [TODO] WEB-EXPORT-35-001 — Route export APIs and downloads through gateway once exporter endpoints are live.
+ - Team: Authority Core & Security Guild
+ - Path: `src/StellaOps.Authority/TASKS.md`
+ 1. [TODO] AUTH-EXPORT-35-001 — Publish Export Viewer/Operator/Admin scopes and issuer templates before Console/CLI ship.
+ - Team: DevEx/CLI Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CLI-EXPORT-35-001 — Read-only CLI commands for profiles/runs/downloads; depends on WEB-EXPORT-35-001 and AUTH-EXPORT-35-001.
+ - Team: Console Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CONSOLE-EXPORT-35-001 — Profiles + overview UI; requires gateway routes and scopes.
+ - Team: Docs Guild
+ - Path: `docs/TASKS.md`
+ 1. [TODO] DOCS-EXPORT-35-001..003 — Publish overview, architecture, and profiles docs with imposed rule reminders to align teams.
+ - Team: DevOps Guild
+ - Path: `ops/devops/TASKS.md`
+ 1. [TODO] DEVOPS-EXPORT-35-001 — Establish exporter CI/perf smoke and dashboards; prerequisite for later alerting.
+ - Team: Deployment Guild
+ - Path: `ops/deployment/TASKS.md`
+ 1. [TODO] DEPLOY-EXPORT-35-001 — Package exporter service/worker Helm overlays for download-only phase.
+- **Sprint 36** · Export Center Phase 2 (Trivy + Distribution)
+ - Team: Exporter Service Guild
+ - Path: `src/StellaOps.ExportCenter/TASKS.md`
+ 1. [TODO] EXPORT-SVC-36-001..004 — Trivy adapters, OCI/object storage distribution, planner updates. Trivy bundles require DEVOPS-EXPORT-36-001 validation.
+ - Team: Orchestrator Service Guild
+ - Path: `src/StellaOps.Orchestrator/TASKS.md`
+ 1. [TODO] ORCH-SVC-36-101 — Extend orchestrator telemetry/retention fields for export runs.
+ - Team: BE-Base Platform Guild
+ - Path: `src/StellaOps.Web/TASKS.md`
+ 1. [TODO] WEB-EXPORT-36-001 — Distribution endpoints must land before CLI/Console actions move forward.
+ - Team: DevEx/CLI Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CLI-EXPORT-36-001 — Distribute/download resume features depend on WEB-EXPORT-36-001 and AUTH scopes.
+ - Team: Console Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CONSOLE-EXPORT-36-001 — Runs detail + distribution UI after API support exists.
+ - Team: Docs Guild
+ - Path: `docs/TASKS.md`
+ 1. [TODO] DOCS-EXPORT-36-004..006 — API/CLI/Trivy docs to support rollout; each must restate imposed rule.
+ - Team: DevOps Guild
+ - Path: `ops/devops/TASKS.md`
+ 1. [TODO] DEVOPS-EXPORT-36-001 — CI validation for Trivy compatibility and OCI pushes.
+ - Team: Deployment Guild
+ - Path: `ops/deployment/TASKS.md`
+ 1. [TODO] DEPLOY-EXPORT-36-001 — Document registry credentials and automation for distributions.
+- **Sprint 37** · Export Center Phase 3 (Delta, Encryption, Scheduling, GA)
+ - Team: Exporter Service Guild
+ - Path: `src/StellaOps.ExportCenter/TASKS.md`
+ 1. [TODO] EXPORT-SVC-37-001..004 — Mirror delta/encryption, scheduling+retention, verification API. Depends on DEVOPS-EXPORT-37-001 for chaos/alert readiness.
+ - Team: Orchestrator Service Guild
+ - Path: `src/StellaOps.Orchestrator/TASKS.md`
+ 1. [TODO] ORCH-SVC-37-101 — Scheduling + retention hooks required for exporter automation.
+ - Team: BE-Base Platform Guild
+ - Path: `src/StellaOps.Web/TASKS.md`
+ 1. [TODO] WEB-EXPORT-37-001 — Surface scheduling, retention, verification, encryption parameters once exporter endpoints exist.
+ - Team: Authority Core & Security Guild
+ - Path: `src/StellaOps.Authority/TASKS.md`
+ 1. [TODO] AUTH-EXPORT-37-001 — Admin scope enforcement for scheduling, retention, encryption.
+ - Team: DevEx/CLI Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CLI-EXPORT-37-001 — Scheduling and verification commands with signature/hash checks; relies on WEB-EXPORT-37-001.
+ - Team: Console Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CONSOLE-EXPORT-37-001 — Verification panel, scheduling UI, retention controls, encryption workflows.
+ - Team: Docs Guild
+ - Path: `docs/TASKS.md`
+ 1. [TODO] DOCS-EXPORT-37-001..004 — Mirror bundles, provenance & signing, operations runbook, security hardening docs (all reiterate imposed rule).
+ - Team: DevOps Guild
+ - Path: `ops/devops/TASKS.md`
+ 1. [TODO] DEVOPS-EXPORT-37-001 — Finalize dashboards/alerts, chaos testing, retention monitoring.
+ - Team: Offline Kit Guild
+ - Path: `ops/offline-kit/TASKS.md`
+ 1. [TODO] DEVOPS-OFFLINE-37-001 — Bundle export tooling and sample mirror bundles into Offline Kit.
+- **Sprint 38** · Notifications Studio Phase 1 (Foundations)
+ - Team: Notifications Service Guild
+ - Path: `src/StellaOps.Notifier/TASKS.md`
+ 1. [TODO] NOTIFY-SVC-38-001..004 — Bootstrap notifier service, migrations, ingestion, templates, channel adapters, initial APIs. Requires orchestrator event envelope updates and policy violation enrichment.
+ - Team: Orchestrator Service Guild
+ - Path: `src/StellaOps.Orchestrator/TASKS.md`
+ 1. [TODO] ORCH-SVC-38-101 — Standardize event publication (policy/export/job lifecycle) with idempotency keys for notifier.
+ - Team: Policy Guild
+ - Path: `src/StellaOps.Policy.Engine/TASKS.md`
+ 1. [TODO] POLICY-ENGINE-38-201 — Emit enriched policy violation events (decision rationale IDs) for notifier ingestion.
+ - Team: BE-Base Platform Guild
+ - Path: `src/StellaOps.Web/TASKS.md`
+ 1. [TODO] WEB-NOTIFY-38-001 — Gateway routing for notifier APIs with tenant RBAC.
+ - Team: Authority Core & Security Guild
+ - Path: `src/StellaOps.Authority/TASKS.md`
+ 1. [TODO] AUTH-NOTIFY-38-001 — Publish Notify Viewer/Operator/Admin scopes and issuer templates.
+ - Team: DevEx/CLI Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CLI-NOTIFY-38-001 — CLI commands for rules/templates/incidents.
+ - Team: Console Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CONSOLE-NOTIFY-38-001 — Studio home, rule editor, incidents UI (phase 1).
+ - Team: Docs Guild
+ - Path: `docs/TASKS.md`
+ 1. [TODO] DOCS-NOTIFY-38-001 — Overview + architecture docs (imposed rule).
+ - Team: DevOps Guild
+ - Path: `ops/devops/TASKS.md`
+ 1. [TODO] DEVOPS-NOTIFY-38-001 — Notifier CI pipeline, base dashboards.
+ - Team: Deployment Guild
+ - Path: `ops/deployment/TASKS.md`
+ 1. [TODO] DEPLOY-NOTIFY-38-001 — Helm overlays and rollout guide for notifier foundations.
+- **Sprint 39** · Notifications Studio Phase 2 (Correlation, Digests, Simulation)
+ - Team: Notifications Service Guild
+ - Path: `src/StellaOps.Notifier/TASKS.md`
+ 1. [TODO] NOTIFY-SVC-39-001..004 — Correlation, throttling, quiet hours, digest generator, simulation engine.
+ - Team: Findings Ledger Guild
+ - Path: `src/StellaOps.Findings.Ledger/TASKS.md`
+ 1. [TODO] LEDGER-NOTIFY-39-001 — Digest query optimization endpoints.
+ - Team: BE-Base Platform Guild
+ - Path: `src/StellaOps.Web/TASKS.md`
+ 1. [TODO] WEB-NOTIFY-39-001 — Gateway updates for digests, simulation, throttles.
+ - Team: DevEx/CLI Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CLI-NOTIFY-39-001 — CLI simulation/digest commands.
+ - Team: Console Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CONSOLE-NOTIFY-39-001 — Template editor, digest profiles, quiet calendar, storm banner.
+ - Team: Docs Guild
+ - Path: `docs/TASKS.md`
+ 1. [TODO] DOCS-NOTIFY-39-002 — Rules/templates/digests docs (imposed rule).
+ - Team: DevOps Guild
+ - Path: `ops/devops/TASKS.md`
+ 1. [TODO] DEVOPS-NOTIFY-39-002 — Throttle/quiet/digest dashboards.
+- **Sprint 40** · Notifications Studio Phase 3 (Escalations, Localization, Hardening)
+ - Team: Notifications Service Guild
+ - Path: `src/StellaOps.Notifier/TASKS.md`
+ 1. [TODO] NOTIFY-SVC-40-001..004 — Escalations, ack bridge, PagerDuty/OpsGenie adapters, localization, security hardening, chaos tests.
+ - Team: Authority Core & Security Guild
+ - Path: `src/StellaOps.Authority/TASKS.md`
+ 1. [TODO] AUTH-NOTIFY-40-001 — Ack token signing/rotation, webhook allowlists, admin enforcement.
+ - Team: BE-Base Platform Guild
+ - Path: `src/StellaOps.Web/TASKS.md`
+ 1. [TODO] WEB-NOTIFY-40-001 — Expose escalation/localization/channel health endpoints.
+ - Team: DevEx/CLI Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CLI-NOTIFY-40-001 — Ack redemption, escalation management, localization previews.
+ - Team: Console Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CONSOLE-NOTIFY-40-001 — Escalation settings, on-call schedules, localization UI, incident Kanban enhancements.
+ - Team: Docs Guild
+ - Path: `docs/TASKS.md`
+ 1. [TODO] DOCS-NOTIFY-40-001 — Channels, escalations, API, runbook, security docs (imposed rule).
+ - Team: DevOps Guild
+ - Path: `ops/devops/TASKS.md`
+ 1. [TODO] DEVOPS-NOTIFY-40-001 — Escalation/ack latency dashboards, chaos tooling.
+- **Sprint 41** · CLI Parity & Task Packs Phase 1
+ - Team: DevEx/CLI Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CLI-CORE-41-001, CLI-PARITY-41-001/002 — Implement CLI core config/auth/output foundations and initial parity command groups.
+ - Team: Task Runner Guild
+ - Path: `src/StellaOps.TaskRunner/TASKS.md`
+ 1. [TODO] TASKRUN-41-001 — Bootstrap Task Runner service, run API, local executor, approvals pause, artifact capture.
+ - Team: Packs Registry Guild
+ - Path: `src/StellaOps.PacksRegistry/TASKS.md`
+ 1. [TODO] PACKS-REG-41-001 — Registry API, signature verification, provenance storage, RBAC.
+ - Team: Orchestrator Service Guild
+ - Path: `src/StellaOps.Orchestrator/TASKS.md`
+ 1. [TODO] ORCH-SVC-41-101 — Register `pack-run` job type, integrate logs/artifacts, expose metadata.
+ - Team: Authority Core & Security Guild
+ - Path: `src/StellaOps.Authority/TASKS.md`
+ 1. [TODO] AUTH-PACKS-41-001 — Define CLI/pack scopes, discovery metadata, offline defaults.
+ - Team: Docs Guild
+ - Path: `docs/TASKS.md`
+ 1. [TODO] DOCS-CLI-41-001 — Publish CLI overview/config/output docs.
+ - Team: DevOps Guild
+ - Path: `ops/devops/TASKS.md`
+ 1. [TODO] DEVOPS-CLI-41-001 — Multi-platform build pipeline, SBOM/checksums, parity CI gate.
+ - Team: Deployment Guild
+ - Path: `ops/deployment/TASKS.md`
+ 1. [TODO] DEPLOY-CLI-41-001 — Package CLI release artifacts and distribution docs.
+- **Sprint 42** · CLI Parity & Task Packs Phase 2
+ - Team: DevEx/CLI Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CLI-PARITY-41-001/002, CLI-PACKS-42-001 — Close remaining parity gaps and ship Task Pack CLI commands.
+ - Team: Task Runner Guild
+ - Path: `src/StellaOps.TaskRunner/TASKS.md`
+ 1. [TODO] TASKRUN-42-001 — Loops, conditionals, simulation mode, policy gates.
+ - Team: Packs Registry Guild
+ - Path: `src/StellaOps.PacksRegistry/TASKS.md`
+ 1. [TODO] PACKS-REG-42-001 — Version lifecycle, allowlists, provenance export, signature rotation.
+ - Team: Orchestrator Service Guild
+ - Path: `src/StellaOps.Orchestrator/TASKS.md`
+ 1. [TODO] ORCH-SVC-42-101 — Stream pack run logs, expose manifolds, enforce quotas.
+ - Team: Policy Guild
+ - Path: `src/StellaOps.Policy.Engine/TASKS.md`
+ 1. [TODO] POLICY-ENGINE-42-201 — Stable rationale IDs/APIs for CLI `--explain` and packs.
+ - Team: Findings Ledger Guild
+ - Path: `src/StellaOps.Findings.Ledger/TASKS.md`
+ 1. [TODO] LEDGER-PACKS-42-001 — Snapshot/time-travel APIs for pack simulation.
+ - Team: Console Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CONSOLE-CLI-42-001 — Copy CLI buttons, parity hints, pack browser.
+ - Team: Docs Guild
+ - Path: `docs/TASKS.md`
+ 1. [TODO] DOCS-CLI-42-001 — Parity matrix & command guides; DOCS-PACKS-43-001 groundwork.
+ - Team: DevOps Guild
+ - Path: `ops/devops/TASKS.md`
+ 1. [TODO] DEVOPS-CLI-42-001 — CLI golden outputs, parity diff automation, pack run CI harness.
+ - Team: Deployment Guild
+ - Path: `ops/deployment/TASKS.md`
+ 1. [TODO] DEPLOY-PACKS-42-001 — Deploy packs registry/task runner with secrets templates.
+- **Sprint 43** · CLI Parity & Task Packs Phase 3
+ - Team: DevEx/CLI Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CLI-PACKS-43-001 — Advanced pack features (approvals pause/resume, secrets, localization, man pages).
+ - Team: Task Runner Guild
+ - Path: `src/StellaOps.TaskRunner/TASKS.md`
+ 1. [TODO] TASKRUN-43-001 — Approvals workflow, notifications integration, chaos resilience.
+ - Team: Packs Registry Guild
+ - Path: `src/StellaOps.PacksRegistry/TASKS.md`
+ 1. [TODO] PACKS-REG-43-001 — Mirroring, signing policies, attestation integration.
+ - Team: Exporter Service Guild
+ - Path: `src/StellaOps.ExportCenter/TASKS.md`
+ 1. [TODO] EXPORT-SVC-35-005, EXPORT-SVC-37-001 — Include pack run manifests in exports.
+ - Team: Notifications Service Guild
+ - Path: `src/StellaOps.Notifier/TASKS.md`
+ 1. [TODO] NOTIFY-SVC-40-001 — Emit pack run notifications.
+ - Team: Authority Core & Security Guild
+ - Path: `src/StellaOps.Authority/TASKS.md`
+ 1. [TODO] AUTH-PACKS-43-001 — Enforce pack signing/approval policies, CLI CI scopes.
+ - Team: Docs Guild
+ - Path: `docs/TASKS.md`
+ 1. [TODO] DOCS-PACKS-43-001 — Task Pack spec/authoring/registry/runbook/security/release docs.
+ - Team: DevOps Guild
+ - Path: `ops/devops/TASKS.md`
+ 1. [TODO] DEVOPS-CLI-43-001 — Final release automation, SBOM signing, parity gating, chaos tests.
+ - Team: Deployment Guild
+ - Path: `ops/deployment/TASKS.md`
+ 1. [TODO] DEPLOY-PACKS-43-001 — Remote execution rollout guidance, Offline kit instructions.
+ - Team: Offline Kit Guild
+ - Path: `ops/offline-kit/TASKS.md`
+ 1. [TODO] CLI-PACKS-43-002 — Bundle CLI, pack samples, registry mirror into Offline Kit with manifests.
+- **Sprint 47-49** · Authority-Backed Scopes & Tenancy
+ - Team: Authority Core & Security Guild
+ - Path: `src/StellaOps.Authority/TASKS.md`
+ 1. [TODO] AUTH-TEN-47-001 — JWT/OIDC alignment, scope grammar, tenant/project claims.
+ 2. [TODO] AUTH-TEN-49-001 — Service accounts, delegation, quotas, audit streaming.
+ - Team: BE-Base Platform Guild
+ - Path: `src/StellaOps.Web/TASKS.md`
+ 1. [TODO] WEB-TEN-47-001/48-001/49-001 — Middleware enforcement, tenant context propagation, ABAC overlay, audit API.
+ - Team: DevEx/CLI Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CLI-TEN-47-001/49-001 — Auth CLI flows, tenant switching, service tokens, delegation.
+ - Team: Console Guild
+ - Path: `src/StellaOps.Cli/TASKS.md`
+ 1. [TODO] CONSOLE-TEN-48-001/49-001 — Tenant switcher, admin screens, audit viewer.
+ - Team: Policy Guild
+ - Path: `src/StellaOps.Policy.Engine/TASKS.md`
+ 1. [TODO] POLICY-TEN-48-001 — Tenant-aware policy storage, RLS, rationale IDs.
+ - Team: Findings Ledger Guild
+ - Path: `src/StellaOps.Findings.Ledger/TASKS.md`
+ 1. [TODO] LEDGER-TEN-48-001 — Tenant partitioning and RLS.
+ - Team: Exporter/Notifications/Orchestrator/Task Runner/Concelier/Excititor Guilds
+ - Paths: `src/StellaOps.ExportCenter/TASKS.md`, `src/StellaOps.Notifier/TASKS.md`, `src/StellaOps.Orchestrator/TASKS.md`, `src/StellaOps.TaskRunner/TASKS.md`, `src/StellaOps.Concelier.Core/TASKS.md`, `src/StellaOps.Excititor.Core/TASKS.md`
+ 1. [TODO] Export/Notify tasks (EXPORT-TEN-48-001, NOTIFY-TEN-48-001) — Tenant stamping.
+ 2. [TODO] ORCH-TEN-48-001, TASKRUN-TEN-48-001 — Job context enforcement.
+ 3. [TODO] CONCELIER/EXCITITOR-TEN-48-001 — Tenant-aware linking with aggregation-only guarantee.
+ - Team: Docs Guild
+ - Path: `docs/TASKS.md`
+ 1. [TODO] DOCS-TEN-47-001/48-001/49-001 — Tenancy docs suite (overview, operations, authentication, ABAC).
+ - Team: DevOps Guild
+ - Path: `ops/devops/TASKS.md`
+ 1. [TODO] DEVOPS-TEN-47-001/48-001/49-001 — JWKS caching, RLS tests, audit pipeline, chaos tests.
+ - Team: Deployment Guild
+ - Path: `ops/deployment/TASKS.md`
+ 1. [TODO] DEPLOY updates (if needed) for tenant configuration.
diff --git a/Read SPRINTs.md b/Read SPRINTs.md
new file mode 100644
index 00000000..a075b631
--- /dev/null
+++ b/Read SPRINTs.md
@@ -0,0 +1,7 @@
+Read SPRINTs.md
+Here follow a new EPIC you need to outline on the SPRINTS/TASKS.
+Do not forget to read appropriate parts of the project to see what kind of tasks you need to edit/delete or create to forfill the goals of the sprint. Do not shy to create new projects to concentrate library or new webservice or plugin, but check the src/ for projects to make sure there is no already one that could do it.
+Do not shy to edit existing tasks - if they needs to be adjusted
+Do not shy to delete of existing task - if they do not make sense anymore for the new EPIC.
+But most importantly create - detailed tasks to forfill the EPIC goals.
+
diff --git a/SPRINTS.md b/SPRINTS.md
index 4d6d1328..b20be6eb 100644
--- a/SPRINTS.md
+++ b/SPRINTS.md
@@ -2,71 +2,15 @@ This file describe implementation of Stella Ops (docs/README.md). Implementation | Sprint | Theme | Tasks File Path | Status | Type of Specialist | Task ID | Task Description | | --- | --- | --- | --- | --- | --- | --- | -| Sprint 11 | Signing Chain Bring-up | src/StellaOps.Attestor/TASKS.md | DONE (2025-10-19) | Attestor Guild | ATTESTOR-API-11-201 | `/rekor/entries` submission pipeline with dedupe, proof acquisition, and persistence. | -| Sprint 11 | Signing Chain Bring-up | src/StellaOps.Attestor/TASKS.md | DONE (2025-10-19) | Attestor Guild | ATTESTOR-VERIFY-11-202 | `/rekor/verify` + retrieval endpoints validating signatures and Merkle proofs. | -| Sprint 11 | Signing Chain Bring-up | src/StellaOps.Attestor/TASKS.md | DONE (2025-10-19) | Attestor Guild | ATTESTOR-OBS-11-203 | Telemetry, alerting, mTLS hardening, and archive workflow for Attestor. | -| Sprint 11 | Storage Platform Hardening | src/StellaOps.Scanner.Storage/TASKS.md | DONE (2025-10-23) | Scanner Storage Guild | SCANNER-STORAGE-11-401 | Migrate scanner object storage integration from MinIO to RustFS with data migration plan. | -| Sprint 11 | UI Integration | src/StellaOps.UI/TASKS.md | DONE (2025-10-23) | UI Guild | UI-ATTEST-11-005 | Attestation visibility (Rekor id, status) on Scan Detail. | -| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Core/TASKS.md | DONE (2025-10-23) | Zastava Core Guild | ZASTAVA-CORE-12-201 | Define runtime event/admission DTOs, hashing helpers, and versioning strategy. | -| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Core/TASKS.md | DONE (2025-10-23) | Zastava Core Guild | ZASTAVA-CORE-12-202 | Provide configuration/logging/metrics utilities shared by Observer/Webhook. | -| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Core/TASKS.md | DONE (2025-10-23) | Zastava Core Guild | ZASTAVA-CORE-12-203 | Authority client helpers, OpTok caching, and security guardrails for runtime services. 
| -| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Core/TASKS.md | DONE (2025-10-23) | Zastava Core Guild | ZASTAVA-OPS-12-204 | Operational runbooks, alert rules, and dashboard exports for runtime plane. | -| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Observer/TASKS.md | DONE (2025-10-24) | Zastava Observer Guild | ZASTAVA-OBS-12-001 | Container lifecycle watcher emitting deterministic runtime events with buffering. | -| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Observer/TASKS.md | DONE (2025-10-24) | Zastava Observer Guild | ZASTAVA-OBS-12-002 | Capture entrypoint traces + loaded libraries, hashing binaries and linking to baseline SBOM. | -| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Observer/TASKS.md | DONE (2025-10-24) | Zastava Observer Guild | ZASTAVA-OBS-12-003 | Posture checks for signatures/SBOM/attestation with offline caching. | -| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Observer/TASKS.md | DONE (2025-10-24) | Zastava Observer Guild | ZASTAVA-OBS-12-004 | Batch `/runtime/events` submissions with disk-backed buffer and rate limits. | -| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Webhook/TASKS.md | DONE (2025-10-24) | Zastava Webhook Guild | ZASTAVA-WEBHOOK-12-101 | Admission controller host with TLS bootstrap and Authority auth. | -| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Webhook/TASKS.md | DONE (2025-10-24) | Zastava Webhook Guild | ZASTAVA-WEBHOOK-12-102 | Query Scanner `/policy/runtime`, resolve digests, enforce verdicts. | -| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Webhook/TASKS.md | DONE (2025-10-24) | Zastava Webhook Guild | ZASTAVA-WEBHOOK-12-103 | Caching, fail-open/closed toggles, metrics/logging for admission decisions. 
| -| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Webhook/TASKS.md | DONE (2025-10-24) | Zastava Webhook Guild | ZASTAVA-WEBHOOK-12-104 | Wire `/admission` endpoint to runtime policy client and emit allow/deny envelopes. | -| Sprint 12 | Runtime Guardrails | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-24) | Scanner WebService Guild | SCANNER-RUNTIME-12-302 | `/policy/runtime` endpoint joining SBOM baseline + policy verdict, returning admission guidance. | -| Sprint 12 | Runtime Guardrails | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-24) | Scanner WebService Guild | SCANNER-RUNTIME-12-303 | Align `/policy/runtime` verdicts with canonical policy evaluation (Feedser/Vexer). | -| Sprint 12 | Runtime Guardrails | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-24) | Scanner WebService Guild | SCANNER-RUNTIME-12-304 | Integrate attestation verification into runtime policy metadata. | -| Sprint 12 | Runtime Guardrails | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-24) | Scanner WebService Guild | SCANNER-RUNTIME-12-305 | Deliver shared fixtures + e2e validation with Zastava/CLI teams. | -| Sprint 13 | UX & CLI Experience | src/StellaOps.UI/TASKS.md | DONE (2025-10-23) | UI Guild | UI-AUTH-13-001 | Integrate Authority OIDC + DPoP flows with session management. | -| Sprint 13 | UX & CLI Experience | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SCANS-13-002 | Build scans module (list/detail/SBOM/diff/attestation) with performance + accessibility targets. | -| Sprint 13 | UX & CLI Experience | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-VEX-13-003 | Implement VEX explorer + policy editor with preview integration. | -| Sprint 13 | UX & CLI Experience | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-ADMIN-13-004 | Deliver admin area (tenants/clients/quotas/licensing) with RBAC + audit hooks. 
| -| Sprint 13 | UX & CLI Experience | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SCHED-13-005 | Scheduler panel: schedules CRUD, run history, dry-run preview. | -| Sprint 13 | UX & CLI Experience | src/StellaOps.UI/TASKS.md | DONE (2025-10-25) | UI Guild | UI-NOTIFY-13-006 | Notify panel: channels/rules CRUD, deliveries view, test send. | -| Sprint 13 | UX & CLI Experience | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI | CLI-RUNTIME-13-005 | Add runtime policy test verbs that consume `/policy/runtime` and display verdicts. | -| Sprint 13 | Platform Reliability | ops/devops/TASKS.md | DONE (2025-10-25) | DevOps Guild, Platform Leads | DEVOPS-NUGET-13-001 | Wire up .NET 10 preview feeds/local mirrors so `dotnet restore` succeeds offline; document updated NuGet bootstrap. | | Sprint 13 | Platform Reliability | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-NUGET-13-002 | Ensure all solutions/projects prioritize `local-nuget` before public feeds and add restore-order validation. | | Sprint 13 | Platform Reliability | ops/devops/TASKS.md | TODO | DevOps Guild, Platform Leads | DEVOPS-NUGET-13-003 | Upgrade `Microsoft.*` dependencies pinned to 8.* to their latest .NET 10 (or 9.x) releases and refresh guidance. | -| Sprint 13 | Platform Reliability | ops/devops/TASKS.md | TODO | DevOps Guild, UI Guild | DEVOPS-UI-13-006 | Add Playwright-based UI auth smoke job to CI/offline pipelines, wiring sample `/config.json` provisioning and reporting. | | Sprint 14 | Release & Offline Ops | ops/devops/TASKS.md | DOING (2025-10-23) | DevOps Guild | DEVOPS-REL-14-001 | Deterministic build/release pipeline with SBOM/provenance, signing, and manifest generation. | | Sprint 14 | Release & Offline Ops | ops/devops/TASKS.md | TODO | DevOps Guild, Scanner Guild | DEVOPS-REL-14-004 | Extend release/offline smoke jobs to cover Python analyzer plug-ins (warm/cold, determinism, signing). 
| | Sprint 14 | Release & Offline Ops | ops/offline-kit/TASKS.md | TODO | Offline Kit Guild | DEVOPS-OFFLINE-14-002 | Offline kit packaging workflow with integrity verification and documentation. | | Sprint 14 | Release & Offline Ops | ops/deployment/TASKS.md | TODO | Deployment Guild | DEVOPS-OPS-14-003 | Deployment/update/rollback automation and channel management documentation. | | Sprint 14 | Release & Offline Ops | ops/licensing/TASKS.md | TODO | Licensing Guild | DEVOPS-LIC-14-004 | Registry token service tied to Authority, plan gating, revocation handling, monitoring. | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Models/TASKS.md | TODO | Notify Models Guild | NOTIFY-MODELS-15-101 | Define core Notify DTOs, validation helpers, canonical serialization. | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Models/TASKS.md | TODO | Notify Models Guild | NOTIFY-MODELS-15-102 | Publish schema docs and sample payloads for Notify. | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Models/TASKS.md | TODO | Notify Models Guild | NOTIFY-MODELS-15-103 | Versioning/migration helpers for rules/templates/deliveries. | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Storage.Mongo/TASKS.md | TODO | Notify Storage Guild | NOTIFY-STORAGE-15-201 | Mongo schemas/indexes for rules, channels, deliveries, digests, locks, audit. | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Storage.Mongo/TASKS.md | TODO | Notify Storage Guild | NOTIFY-STORAGE-15-202 | Repositories with tenant scoping, soft delete, TTL, causal consistency options. | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Storage.Mongo/TASKS.md | TODO | Notify Storage Guild | NOTIFY-STORAGE-15-203 | Delivery history retention and query APIs. | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Queue/TASKS.md | DONE (2025-10-23) | Notify Queue Guild | NOTIFY-QUEUE-15-401 | Bus abstraction + Redis Streams adapter with ordering/idempotency. 
| -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Queue/TASKS.md | DONE (2025-10-23) | Notify Queue Guild | NOTIFY-QUEUE-15-402 | NATS JetStream adapter with health probes and failover. | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Queue/TASKS.md | DONE (2025-10-23) | Notify Queue Guild | NOTIFY-QUEUE-15-403 | Delivery queue with retry/dead-letter + metrics. | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Engine/TASKS.md | DOING (2025-10-24) | Notify Engine Guild | NOTIFY-ENGINE-15-301 | Rules evaluation core (filters, throttles, idempotency). | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Engine/TASKS.md | TODO | Notify Engine Guild | NOTIFY-ENGINE-15-302 | Action planner + digest coalescer. | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Engine/TASKS.md | TODO | Notify Engine Guild | NOTIFY-ENGINE-15-303 | Template rendering engine (Slack/Teams/Email/Webhook). | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Engine/TASKS.md | TODO | Notify Engine Guild | NOTIFY-ENGINE-15-304 | Test-send sandbox + preview utilities. | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.WebService/TASKS.md | TODO | Notify WebService Guild | NOTIFY-WEB-15-101 | Minimal API host with Authority enforcement and plug-in loading. | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.WebService/TASKS.md | TODO | Notify WebService Guild | NOTIFY-WEB-15-102 | Rules/channel/template CRUD with audit logging. | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.WebService/TASKS.md | TODO | Notify WebService Guild | NOTIFY-WEB-15-104 | Configuration binding + startup diagnostics. | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Worker/TASKS.md | DONE (2025-10-23) | Notify Worker Guild | NOTIFY-WORKER-15-201 | Bus subscription + leasing loop with backoff. 
| -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Worker/TASKS.md | TODO | Notify Worker Guild | NOTIFY-WORKER-15-202 | Rules evaluation pipeline integration. | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Worker/TASKS.md | TODO | Notify Worker Guild | NOTIFY-WORKER-15-203 | Channel dispatch orchestration with retries. | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Worker/TASKS.md | TODO | Notify Worker Guild | NOTIFY-WORKER-15-204 | Metrics/telemetry for Notify workers. | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Slack/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-SLACK-15-501 | Slack connector with rate-limit aware delivery. | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Teams/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-TEAMS-15-601 | Teams connector with Adaptive Cards. | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Email/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-EMAIL-15-701 | SMTP connector with TLS + rendering. | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Email/TASKS.md | BLOCKED (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-EMAIL-15-702 | DKIM + health/test-send flows. | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Webhook/TASKS.md | TODO | Notify Connectors Guild | NOTIFY-CONN-WEBHOOK-15-801 | Webhook connector with signing/retries. | -| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Connectors.Webhook/TASKS.md | BLOCKED (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-WEBHOOK-15-802 | Webhook health/test-send support. | -| Sprint 16 | Notify Foundations | src/StellaOps.Scanner.WebService/TASKS.md | BLOCKED (2025-10-20) | Scanner WebService Guild | SCANNER-EVENTS-16-301 | Redis publisher integration tests once Notify queue adapter ships. 
| -| Sprint 15 | Benchmarks | bench/TASKS.md | TODO | Bench Guild, Notify Team | BENCH-NOTIFY-15-001 | Notify dispatch throughput bench with results CSV. | +| Sprint 16 | Notify Foundations | src/StellaOps.Scanner.WebService/TASKS.md | TODO | Scanner WebService Guild | SCANNER-EVENTS-16-301 | Rework scanner event publication/tests to emit `ORCH-SVC-38-101` envelopes for Notifier ingestion (no Redis dependency). | +| Sprint 15 | Benchmarks | src/StellaOps.Bench/TASKS.md | TODO | Bench Guild, Notify Team | BENCH-NOTIFY-15-001 | Notify dispatch throughput bench with results CSV. | | Sprint 16 | Scheduler Intelligence | src/StellaOps.Scheduler.Models/TASKS.md | TODO | Scheduler Models Guild | SCHED-MODELS-16-101 | Define Scheduler DTOs & validation. | | Sprint 16 | Scheduler Intelligence | src/StellaOps.Scheduler.Models/TASKS.md | TODO | Scheduler Models Guild | SCHED-MODELS-16-102 | Publish schema docs/sample payloads. | | Sprint 16 | Scheduler Intelligence | src/StellaOps.Scheduler.Storage.Mongo/TASKS.md | TODO | Scheduler Storage Guild | SCHED-STORAGE-16-201 | Mongo schemas/indexes for Scheduler state. | 
@@ -84,12 +28,1223 @@ This file describe implementation of Stella Ops (docs/README.md). Implementation | Sprint 16 | Scheduler Intelligence | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-16-203 | Runner execution invoking Scanner analysis/content refresh. | | Sprint 16 | Scheduler Intelligence | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-16-204 | Emit rescan/report events for Notify/UI. | | Sprint 16 | Scheduler Intelligence | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-16-205 | Metrics/telemetry for Scheduler planners/runners. | -| Sprint 16 | Benchmarks | bench/TASKS.md | TODO | Bench Guild, Scheduler Team | BENCH-IMPACT-16-001 | ImpactIndex throughput bench + RAM profile. | +| Sprint 16 | Benchmarks | src/StellaOps.Bench/TASKS.md | TODO | Bench Guild, Scheduler Team | BENCH-IMPACT-16-001 | ImpactIndex throughput bench + RAM profile. | | Sprint 17 | Symbol Intelligence & Forensics | src/StellaOps.Scanner.Emit/TASKS.md | TODO | Emit Guild | SCANNER-EMIT-17-701 | Record GNU build-id for ELF components and surface it in SBOM/diff outputs. | -| Sprint 17 | Symbol Intelligence & Forensics | src/StellaOps.Zastava.Observer/TASKS.md | DONE (2025-10-25) | Zastava Observer Guild | ZASTAVA-OBS-17-005 | Collect GNU build-id during runtime observation and attach it to emitted events. | -| Sprint 17 | Symbol Intelligence & Forensics | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-25) | Scanner WebService Guild | SCANNER-RUNTIME-17-401 | Persist runtime build-id observations and expose them for debug-symbol correlation. | | Sprint 17 | Symbol Intelligence & Forensics | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-REL-17-002 | Ship stripped debug artifacts organised by build-id within release/offline kits. 
| | Sprint 17 | Symbol Intelligence & Forensics | docs/TASKS.md | TODO | Docs Guild | DOCS-RUNTIME-17-004 | Document build-id workflows for SBOMs, runtime events, and debug-store usage. | | Sprint 18 | Launch Readiness | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-LAUNCH-18-001 | Production launch cutover rehearsal and runbook publication (blocked on implementation sign-off and environment setup). | -| Sprint 18 | Launch Readiness | ops/offline-kit/TASKS.md | TODO | Offline Kit Guild, UX Specialist | DEVOPS-OFFLINE-18-003 | Capture Angular workspace npm cache + Chromium bundle for Offline Kit distribution and document refresh cadence. | | Sprint 18 | Launch Readiness | ops/offline-kit/TASKS.md | TODO | Offline Kit Guild, Scanner Guild | DEVOPS-OFFLINE-18-005 | Rebuild Offline Kit with Python analyzer artefacts and refreshed manifest/signature pair. | +| Sprint 35 | EPDR Foundations | src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild | SCANNER-ANALYZERS-LANG-11-001 | Build entrypoint resolver (identity + environment profiles) and emit normalized entrypoint records. | +| Sprint 35 | EPDR Foundations | src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild | SCANNER-ANALYZERS-LANG-11-002 | Static IL/reflection/ALC heuristics producing dependency edges with reason codes and confidence. | +| Sprint 35 | EPDR Foundations | src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild, Signals Guild | SCANNER-ANALYZERS-LANG-11-003 | Runtime loader/PInvoke signal ingestion merged with static/declared edges (confidence & explain). | +| Sprint 37 | Native Analyzer Core | src/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-001 | Format detector & binary identity for ELF/PE/Mach-O (multi-slice) with stable entrypoint IDs. 
| +| Sprint 37 | Native Analyzer Core | src/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-002 | ELF dynamic parser emitting dtneeded edges, runpath metadata, symbol version needs. | +| Sprint 37 | Native Analyzer Core | src/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-003 | PE import + delay-load + SxS manifest parsing producing reason-coded edges. | +| Sprint 37 | Native Analyzer Core | src/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-004 | Mach-O load command parsing with @rpath expansion and slice handling. | +| Sprint 37 | Native Analyzer Core | src/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-005 | Cross-platform resolver engine modeling search order/explain traces for ELF/PE/Mach-O. | +| Sprint 37 | Native Analyzer Core | src/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-006 | Heuristic scanner for dlopen/LoadLibrary strings, plugin configs, ecosystem hints with confidence tags. | +| Sprint 38 | Native Observation Pipeline | src/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-007 | Serialize entrypoints/edges/env profiles to Scanner writer (AOC-compliant observations). | +| Sprint 38 | Native Observation Pipeline | src/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild, QA Guild | SCANNER-ANALYZERS-NATIVE-20-008 | Fixture suite + determinism benchmarks for native analyzer across linux/windows/macos. | +| Sprint 38 | Native Observation Pipeline | src/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild, Signals Guild | SCANNER-ANALYZERS-NATIVE-20-009 | Optional runtime capture adapters (eBPF/ETW/dyld) producing runtime-load edges with redaction. 
| +| Sprint 38 | Native Observation Pipeline | src/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild, DevOps Guild | SCANNER-ANALYZERS-NATIVE-20-010 | Package native analyzer plug-in + Offline Kit updates and restart-time loading. | +| Sprint 39 | Java Analyzer Core | src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-001 | Java input normalizer (jar/war/ear/fat/jmod/jimage) with MR overlay selection. | +| Sprint 39 | Java Analyzer Core | src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-002 | Module/classpath builder with duplicate & split-package detection. | +| Sprint 39 | Java Analyzer Core | src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-003 | SPI scanner & provider selection with warnings. | +| Sprint 39 | Java Analyzer Core | src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-004 | Reflection/TCCL heuristics emitting reason-coded edges. | +| Sprint 39 | Java Analyzer Core | src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-005 | Framework config extraction (Spring, Jakarta, MicroProfile, logging, Graal configs). | +| Sprint 39 | Java Analyzer Core | src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-006 | JNI/native hint detection for Java artifacts. | +| Sprint 39 | Java Analyzer Core | src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-007 | Manifest/signature metadata collector (main/start/agent classes, signers). 
| +| Sprint 40 | Java Observation & Runtime | src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-008 | Observation writer producing entrypoints/components/edges with warnings. | +| Sprint 40 | Java Observation & Runtime | src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild, QA Guild | SCANNER-ANALYZERS-JAVA-21-009 | Fixture suite + determinism/perf benchmarks for Java analyzer. | +| Sprint 40 | Java Observation & Runtime | src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild, Signals Guild | SCANNER-ANALYZERS-JAVA-21-010 | Optional runtime ingestion via agent/JFR producing runtime edges. | +| Sprint 40 | Java Observation & Runtime | src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild, DevOps Guild | SCANNER-ANALYZERS-JAVA-21-011 | Package Java analyzer plug-in + Offline Kit/CLI updates. | +| Sprint 36 | EPDR Observations | src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild, SBOM Service Guild | SCANNER-ANALYZERS-LANG-11-004 | Normalize EPDR output to Scanner observation writer (entrypoints + edges + env profiles). | +| Sprint 36 | EPDR Observations | src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild, QA Guild | SCANNER-ANALYZERS-LANG-11-005 | End-to-end fixtures/benchmarks covering publish modes, RIDs, trimming, NativeAOT with explain traces. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-AOC-19-001 | Implement raw advisory ingestion endpoints with AOC guard and verifier. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild, Observability Guild | CONCELIER-WEB-AOC-19-002 | Emit AOC observability metrics, traces, and structured logs. 
| +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.WebService/TASKS.md | TODO | QA Guild | CONCELIER-WEB-AOC-19-003 | Add schema/guard unit tests covering AOC error codes. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild, QA Guild | CONCELIER-WEB-AOC-19-004 | Build integration suite validating deterministic ingest under load. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-001 | Implement AOC repository guard rejecting forbidden fields. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-002 | Deliver deterministic linkset extraction for advisories. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-003 | Enforce idempotent append-only upsert with supersedes pointers. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-004 | Remove ingestion normalization; defer derived logic to Policy Engine. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-001 | Add Mongo schema validator for `advisory_raw`. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-002 | Create idempotency unique index backed by migration scripts. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-003 | Deliver append-only migration/backfill plan with supersedes chaining. 
| +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild, DevOps Guild | CONCELIER-STORE-AOC-19-004 | Document validator deployment steps for online/offline clusters. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-AOC-19-001 | Implement raw VEX ingestion and AOC verifier endpoints. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild, Observability Guild | EXCITITOR-WEB-AOC-19-002 | Emit AOC metrics/traces/logging for Excititor ingestion. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.WebService/TASKS.md | TODO | QA Guild | EXCITITOR-WEB-AOC-19-003 | Add AOC guard test harness for VEX schemas. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild, QA Guild | EXCITITOR-WEB-AOC-19-004 | Validate large VEX ingest runs and CLI verification parity. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-001 | Introduce VEX repository guard enforcing AOC invariants. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-002 | Build deterministic VEX linkset extraction. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-003 | Enforce append-only idempotent VEX raw upserts. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-004 | Remove ingestion consensus logic; rely on Policy Engine. 
| +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-001 | Add Mongo schema validator for `vex_raw`. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-002 | Create idempotency unique index for VEX raw documents. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-003 | Deliver append-only migration/backfill for VEX raw collections. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild, DevOps Guild | EXCITITOR-STORE-AOC-19-004 | Document validator deployment for Excititor clusters/offline kit. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-WORKER-AOC-19-001 | Rewire worker to persist raw VEX docs with guard enforcement. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-WORKER-AOC-19-002 | Enforce signature/checksum verification prior to raw writes. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Excititor.Worker/TASKS.md | TODO | QA Guild | EXCITITOR-WORKER-AOC-19-003 | Expand worker tests for deterministic batching and restart safety. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AOC-19-001 | Provide shared AOC forbidden key set and guard middleware. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AOC-19-002 | Ship provenance builder and signature helpers for ingestion services. 
|
+| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, QA Guild | WEB-AOC-19-003 | Author analyzer + shared test fixtures for guard compliance. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-AOC-19-001 | Add lint preventing ingestion modules from referencing Policy-only helpers. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Policy/TASKS.md | TODO | Policy Guild, Security Guild | POLICY-AOC-19-002 | Enforce Policy-only writes to `effective_finding_*` collections. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-AOC-19-003 | Update Policy readers to consume only raw document fields. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Policy/TASKS.md | TODO | Policy Guild, QA Guild | POLICY-AOC-19-004 | Add determinism tests for raw-driven policy recomputation. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-AOC-19-001 | Introduce new ingestion/auth scopes across Authority. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-AOC-19-002 | Enforce tenant claim propagation and cross-tenant guardrails. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-AOC-19-003 | Update Authority docs/config samples for new scopes. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AOC-19-001 | Implement `stella sources ingest --dry-run` command. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AOC-19-002 | Implement `stella aoc verify` command with exit codes. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.Cli/TASKS.md | TODO | Docs/CLI Guild | CLI-AOC-19-003 | Update CLI reference and quickstart docs for new AOC commands. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-AOC-19-001 | Add Sources dashboard tiles surfacing AOC status and violations. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-AOC-19-002 | Build violation drill-down view for offending documents. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-AOC-19-003 | Wire "Verify last 24h" action and CLI parity messaging. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | ops/devops/TASKS.md | TODO | DevOps Guild, Platform Guild | DEVOPS-AOC-19-001 | Integrate AOC analyzer/guard enforcement into CI pipelines. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AOC-19-002 | Add CI stage running `stella aoc verify` against seeded snapshots. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | ops/devops/TASKS.md | TODO | DevOps Guild, QA Guild | DEVOPS-AOC-19-003 | Enforce guard coverage thresholds and export metrics to dashboards. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AOC-19-001 | Publish aggregation-only contract reference documentation. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | TODO | Docs Guild, Architecture Guild | DOCS-AOC-19-002 | Update architecture overview with AOC boundary diagrams. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | TODO | Docs Guild, Policy Guild | DOCS-AOC-19-003 | Refresh policy engine doc with raw ingestion constraints. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | TODO | Docs Guild, UI Guild | DOCS-AOC-19-004 | Document console AOC dashboard and drill-down flow. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | TODO | Docs Guild, CLI Guild | DOCS-AOC-19-005 | Document CLI AOC commands and exit codes. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | TODO | Docs Guild, Observability Guild | DOCS-AOC-19-006 | Document new AOC metrics, traces, and logs. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | TODO | Docs Guild, Authority Core | DOCS-AOC-19-007 | Document new Authority scopes and tenancy enforcement. |
+| Sprint 19 | Aggregation-Only Contract Enforcement | docs/TASKS.md | TODO | Docs Guild, DevOps Guild | DOCS-AOC-19-008 | Update deployment guide with validator enablement and verify user guidance. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Platform Guild | POLICY-ENGINE-20-000 | Spin up new Policy Engine service host with DI bootstrap and Authority wiring. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-20-001 | Deliver `stella-dsl@1` parser + IR compiler with diagnostics and checksums. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-20-002 | Implement deterministic rule evaluator with priority/first-match semantics. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Concelier Core, Excititor Core | POLICY-ENGINE-20-003 | Build SBOM↔advisory↔VEX linkset joiners with deterministic batching. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Storage Guild | POLICY-ENGINE-20-004 | Materialize effective findings with append-only history and tenant scoping. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Security Guild | POLICY-ENGINE-20-005 | Enforce determinism guard banning wall-clock, RNG, and network usage. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Scheduler Guild | POLICY-ENGINE-20-006 | Implement incremental orchestrator reacting to change streams. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Observability Guild | POLICY-ENGINE-20-007 | Emit policy metrics, traces, and sampled rule-hit logs. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, QA Guild | POLICY-ENGINE-20-008 | Add unit/property/golden/perf suites verifying determinism + SLA. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Storage Guild | POLICY-ENGINE-20-009 | Define Mongo schemas/indexes + migrations for policies/runs/findings. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-20-001 | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-20-002 | Add pagination, filters, deterministic ordering to policy listings. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, QA Guild | WEB-POLICY-20-003 | Map engine errors to `ERR_POL_*` responses with contract tests. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Web/TASKS.md | TODO | Platform Reliability Guild | WEB-POLICY-20-004 | Introduce rate limits/quotas + metrics for simulation endpoints. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-POLICY-20-001 | Ship Monaco-based policy editor with inline diagnostics + checklists. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-POLICY-20-002 | Build simulation panel with deterministic diff rendering + virtualization. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.UI/TASKS.md | TODO | UI Guild, Product Ops | UI-POLICY-20-003 | Implement submit/review/approve workflow with RBAC + audit trail. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.UI/TASKS.md | TODO | UI Guild, Observability Guild | UI-POLICY-20-004 | Add run dashboards (heatmap/VEX wins/suppressions) with export. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-20-001 | Add `stella policy new|edit|submit|approve` commands with approvals flow. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-20-002 | Implement `stella policy simulate` with diff outputs + exit codes. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild, Docs Guild | CLI-POLICY-20-003 | Extend `stella findings` commands with policy filters and explain view. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-POLICY-20-001 | Provide advisory selection endpoints for policy engine (batch PURL/ID). |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-POLICY-20-002 | Strengthen linkset builders with equivalence tables + range parsing. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-POLICY-20-003 | Add advisory selection cursors + change-stream checkpoints for policy runs. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-POLICY-20-001 | Ship VEX selection APIs aligned with policy join requirements. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-POLICY-20-002 | Enhance VEX linkset scope + version resolution for policy accuracy. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-POLICY-20-003 | Introduce VEX selection cursors + change-stream checkpoints. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Scheduler.Models/TASKS.md | TODO | Scheduler Models Guild | SCHED-MODELS-20-001 | Define policy run/diff DTOs + validation helpers. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Scheduler.Models/TASKS.md | TODO | Scheduler Models Guild | SCHED-MODELS-20-002 | Update schema docs with policy run lifecycle samples. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-WEB-20-001 | Expose policy run scheduling APIs with scope enforcement. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-WEB-20-002 | Provide simulation trigger endpoint returning diff metadata. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-20-301 | Schedule policy runs via API with idempotent job tracking. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-20-302 | Implement delta targeting leveraging change streams + policy metadata. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild, Observability Guild | SCHED-WORKER-20-303 | Expose policy scheduling metrics/logs with policy/run identifiers. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-POLICY-20-001 | Add new policy scopes (`policy:*`, `findings:read`, `effective:write`). |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-POLICY-20-002 | Enforce Policy Engine service identity and scope checks at gateway. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-POLICY-20-003 | Update Authority docs/config samples for policy scopes + workflows. |
+| Sprint 20 | Policy Engine v2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-POLICY-20-001 | Add DSL lint + compile checks to CI pipelines. |
+| Sprint 20 | Policy Engine v2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-POLICY-20-002 | Run `stella policy simulate` CI stage against golden SBOMs. |
+| Sprint 20 | Policy Engine v2 | ops/devops/TASKS.md | TODO | DevOps Guild, QA Guild | DEVOPS-POLICY-20-003 | Add determinism CI job diffing repeated policy runs. |
+| Sprint 20 | Policy Engine v2 | docs/TASKS.md | TODO | Docs Guild | DOCS-POLICY-20-001 | Publish `/docs/policy/overview.md` with compliance checklist. |
+| Sprint 20 | Policy Engine v2 | docs/TASKS.md | TODO | Docs Guild | DOCS-POLICY-20-002 | Document DSL grammar + examples in `/docs/policy/dsl.md`. |
+| Sprint 20 | Policy Engine v2 | docs/TASKS.md | TODO | Docs Guild, Authority Core | DOCS-POLICY-20-003 | Write `/docs/policy/lifecycle.md` covering workflow + roles. |
+| Sprint 20 | Policy Engine v2 | docs/TASKS.md | TODO | Docs Guild, Scheduler Guild | DOCS-POLICY-20-004 | Document policy run modes + cursors in `/docs/policy/runs.md`. |
+| Sprint 20 | Policy Engine v2 | docs/TASKS.md | TODO | Docs Guild, Platform Guild | DOCS-POLICY-20-005 | Produce `/docs/api/policy.md` with endpoint schemas + errors. |
+| Sprint 20 | Policy Engine v2 | docs/TASKS.md | TODO | Docs Guild, CLI Guild | DOCS-POLICY-20-006 | Author `/docs/cli/policy.md` with commands, exit codes, JSON output. |
+| Sprint 20 | Policy Engine v2 | docs/TASKS.md | TODO | Docs Guild, UI Guild | DOCS-POLICY-20-007 | Create `/docs/ui/policy-editor.md` covering editor, simulation, approvals. |
+| Sprint 20 | Policy Engine v2 | docs/TASKS.md | TODO | Docs Guild, Architecture Guild | DOCS-POLICY-20-008 | Publish `/docs/architecture/policy-engine.md` with sequence diagrams. |
+| Sprint 20 | Policy Engine v2 | docs/TASKS.md | TODO | Docs Guild, Observability Guild | DOCS-POLICY-20-009 | Document metrics/traces/logs in `/docs/observability/policy.md`. |
+| Sprint 20 | Policy Engine v2 | docs/TASKS.md | TODO | Docs Guild, Security Guild | DOCS-POLICY-20-010 | Publish `/docs/security/policy-governance.md` for scopes + approvals. |
+| Sprint 20 | Policy Engine v2 | docs/TASKS.md | TODO | Docs Guild, Policy Guild | DOCS-POLICY-20-011 | Add example policies under `/docs/examples/policies/` with commentary. |
+| Sprint 20 | Policy Engine v2 | docs/TASKS.md | TODO | Docs Guild, Support Guild | DOCS-POLICY-20-012 | Draft `/docs/faq/policy-faq.md` covering conflicts, determinism, pitfalls. |
+| Sprint 20 | Policy Engine v2 | samples/TASKS.md | TODO | Samples Guild, Policy Guild | SAMPLES-POLICY-20-001 | Commit baseline/serverless/internal-only policy samples + fixtures. |
+| Sprint 20 | Policy Engine v2 | samples/TASKS.md | TODO | Samples Guild, UI Guild | SAMPLES-POLICY-20-002 | Produce simulation diff fixtures for UI/CLI tests. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Bench/TASKS.md | TODO | Bench Guild, Policy Guild | BENCH-POLICY-20-001 | Create policy evaluation benchmark suite + baseline metrics. |
+| Sprint 20 | Policy Engine v2 | src/StellaOps.Bench/TASKS.md | TODO | Bench Guild, Scheduler Guild | BENCH-POLICY-20-002 | Add incremental run benchmark capturing delta SLA compliance. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Cartographer/TASKS.md | TODO | Cartographer Guild | CARTO-GRAPH-21-001 | Define graph storage schema, sharding strategy, and indexes for snapshots/nodes/edges/overlays. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Cartographer/TASKS.md | TODO | Cartographer Guild | CARTO-GRAPH-21-002 | Implement SBOM projection reader consuming normalized CycloneDX/SPDX with entrypoint tagging. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Cartographer/TASKS.md | TODO | Cartographer Guild | CARTO-GRAPH-21-003 | Build graph constructor with PURL dedupe and metadata enrichment. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Cartographer/TASKS.md | TODO | Cartographer Guild | CARTO-GRAPH-21-004 | Implement layout/tiling pipeline and persist tiles to object storage. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Cartographer/TASKS.md | TODO | Cartographer Guild, Policy Guild | CARTO-GRAPH-21-005 | Overlay worker hydrating policy findings and computing path relevance. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Cartographer/TASKS.md | TODO | Cartographer & BE-Base Guilds | CARTO-GRAPH-21-006 | Expose graph APIs (versions, viewport, node, paths, diff, export, simulate) with streaming. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Cartographer/TASKS.md | TODO | Cartographer & Scheduler Guilds | CARTO-GRAPH-21-007 | Build backfill + incremental overlay jobs using change streams and scheduler hooks. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Cartographer/TASKS.md | TODO | Cartographer & QA Guilds | CARTO-GRAPH-21-008 | Deliver test/perf suites and determinism checks for large graphs. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Cartographer/TASKS.md | TODO | Cartographer & DevOps Guilds | CARTO-GRAPH-21-009 | Provide deployment artefacts and offline kit guidance for Cartographer. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-SERVICE-21-001 | Expose normalized SBOM projection API with relationships, scopes, entrypoints. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.SbomService/TASKS.md | TODO | SBOM Service & Scheduler Guilds | SBOM-SERVICE-21-002 | Emit SBOM version change events for Cartographer build queue. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-SERVICE-21-003 | Provide entrypoint management API with tenant overrides. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.SbomService/TASKS.md | TODO | SBOM Service & Observability Guilds | SBOM-SERVICE-21-004 | Add metrics/traces/logs for SBOM projections. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-GRAPH-21-001 | Enrich SBOM normalization with relationships, scopes, entrypoint annotations for Cartographer. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core & Scheduler Guilds | CONCELIER-GRAPH-21-002 | Publish SBOM change events with tenant metadata for graph builds. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-GRAPH-21-003 | Expose SBOM projection endpoint for Cartographer consumption. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-GRAPH-21-004 | Provide entrypoint lookup API supporting overrides and defaults. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-GRAPH-21-001 | Deliver batched VEX/advisory fetch helpers for inspector linkouts. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-GRAPH-21-002 | Enrich overlay metadata with VEX justification summaries for graph overlays. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-GRAPH-21-003 | Add API endpoints returning VEX statements for inspector panels. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-GRAPH-21-004 | Emit events on new VEX docs for Cartographer overlay refresh. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-GRAPH-21-005 | Create indexes/materialized views for VEX lookups by PURL/policy. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy & Cartographer Guilds | POLICY-ENGINE-30-001 | Define graph overlay contract and projection API for nodes/edges. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy & Cartographer Guilds | POLICY-ENGINE-30-002 | Implement simulation overlay bridge for Cartographer and Graph Explorer. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy & Scheduler Guilds | POLICY-ENGINE-30-003 | Emit effective finding change events tailored for graph overlay refresh. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-GRAPH-21-001 | Add gateway routes for graph APIs with scope enforcement and streaming. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-GRAPH-21-002 | Implement bbox/zoom/path validation and pagination for graph endpoints. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & QA Guilds | WEB-GRAPH-21-003 | Map graph errors to `ERR_Graph_*` and support export streaming. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base & Policy Guilds | WEB-GRAPH-21-004 | Wire Policy Engine simulation overlays into graph responses. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-GRAPH-21-001 | Build virtualized graph canvas with clustering and severity overlays. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-GRAPH-21-002 | Deliver inspector panel with metadata, findings, VEX rationale, copy/export. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-GRAPH-21-003 | Implement filter/search experience with debounced API calls and permalinks. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.UI/TASKS.md | TODO | UI & Policy Guilds | UI-GRAPH-21-004 | Add path view and simulation overlay toggle with exports. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-GRAPH-21-005 | Provide time-travel + diff visualization between SBOM versions. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.UI/TASKS.md | TODO | UI & Accessibility Guilds | UI-GRAPH-21-006 | Ship accessibility features, keyboard nav, high-contrast mode, permalinks. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-GRAPH-21-001 | Implement `stella sbom graph build/export/query/diff` commands. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-GRAPH-21-002 | Add path query & simulation options with JSON output. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI & Docs Guilds | CLI-GRAPH-21-003 | Document CLI usage and provide fixtures for CI smoke tests. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-GRAPH-21-001 | Introduce graph scopes (`graph:*`) with configuration binding and defaults. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-GRAPH-21-002 | Enforce graph scopes/identities at gateway with tenant propagation. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-GRAPH-21-003 | Update security docs/config samples for graph access and least privilege. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Scheduler.Models/TASKS.md | TODO | Scheduler Models Guild | SCHED-MODELS-21-001 | Define job DTOs for graph builds/overlay refresh with deterministic serialization. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Scheduler.Models/TASKS.md | TODO | Scheduler Models Guild | SCHED-MODELS-21-002 | Publish schema docs/sample payloads for graph job lifecycle. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-WEB-21-001 | Add APIs to schedule/monitor graph build & overlay jobs with RBAC. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-WEB-21-002 | Expose overlay lag metrics and job completion hooks for Cartographer. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-21-201 | Implement graph build worker invoking Cartographer APIs. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-21-202 | Build overlay refresh worker batching policy/SBOM change events. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker & Observability Guilds | SCHED-WORKER-21-203 | Expose metrics/logs for graph scheduling and overlay lag. |
+| Sprint 21 | Graph Explorer v1 | ops/devops/TASKS.md | TODO | DevOps & Cartographer Guilds | DEVOPS-GRAPH-21-001 | Add perf/load jobs for graph APIs and dashboards/alerts. |
+| Sprint 21 | Graph Explorer v1 | ops/devops/TASKS.md | TODO | DevOps & UI Guilds | DEVOPS-GRAPH-21-002 | Integrate golden screenshots/JSON exports for graph visual regressions. |
+| Sprint 21 | Graph Explorer v1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-GRAPH-21-003 | Package Cartographer + SBOM Service into offline kit with seeded data. |
+| Sprint 21 | Graph Explorer v1 | docs/TASKS.md | TODO | Docs & Cartographer Guilds | DOCS-GRAPH-21-001 | Publish `/docs/graph/overview.md` with reviewer checklist. |
+| Sprint 21 | Graph Explorer v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-GRAPH-21-002 | Write `/docs/graph/schema.md` covering node/edge/overlay schemas. |
+| Sprint 21 | Graph Explorer v1 | docs/TASKS.md | TODO | Docs & BE-Base Guilds | DOCS-GRAPH-21-003 | Produce `/docs/graph/api.md` with endpoints, parameters, errors. |
+| Sprint 21 | Graph Explorer v1 | docs/TASKS.md | TODO | Docs & UI Guilds | DOCS-GRAPH-21-004 | Create `/docs/ui/graph-explorer.md` detailing screens/flows. |
+| Sprint 21 | Graph Explorer v1 | docs/TASKS.md | TODO | Docs & CLI Guilds | DOCS-GRAPH-21-005 | Document CLI commands in `/docs/cli/graph.md`. |
+| Sprint 21 | Graph Explorer v1 | docs/TASKS.md | TODO | Docs & Architecture Guilds | DOCS-GRAPH-21-006 | Draft `/docs/architecture/cartographer.md` with sequence diagrams. |
+| Sprint 21 | Graph Explorer v1 | docs/TASKS.md | TODO | Docs & Observability Guilds | DOCS-GRAPH-21-007 | Publish `/docs/observability/graph.md` metrics/traces/logs. |
+| Sprint 21 | Graph Explorer v1 | docs/TASKS.md | TODO | Docs & Security Guilds | DOCS-GRAPH-21-008 | Write `/docs/security/graph-access.md` covering RBAC/tenancy. |
+| Sprint 21 | Graph Explorer v1 | docs/TASKS.md | TODO | Docs & Cartographer Guilds | DOCS-GRAPH-21-009 | Populate `/docs/examples/graph/` with sample SBOMs, exports, screenshots. |
+| Sprint 21 | Graph Explorer v1 | samples/TASKS.md | TODO | Samples & Cartographer Guilds | SAMPLES-GRAPH-21-001 | Produce sample graph fixtures (JSON/GraphML/layout tiles) for tests/docs. |
+| Sprint 21 | Graph Explorer v1 | samples/TASKS.md | TODO | Samples & UI Guilds | SAMPLES-GRAPH-21-002 | Capture golden Graph Explorer screenshots and path exports. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Bench/TASKS.md | TODO | Bench & Cartographer Guilds | BENCH-GRAPH-21-001 | Build graph viewport/path benchmark harness with baselines. |
+| Sprint 21 | Graph Explorer v1 | src/StellaOps.Bench/TASKS.md | TODO | Bench & UI Guilds | BENCH-GRAPH-21-002 | Add headless UI performance benchmark for Graph Explorer canvas. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-LNM-21-001 | Define immutable advisory observation schema with AOC metadata. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild, Data Science Guild | CONCELIER-LNM-21-002 | Implement advisory linkset builder with correlation signals/conflicts. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-LNM-21-101 | Provision observations/linksets collections and indexes. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage & DevOps Guilds | CONCELIER-LNM-21-102 | Backfill legacy merged advisories into observations/linksets with rollback tooling. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-LNM-21-201 | Ship advisory observation read APIs with pagination/RBAC. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-LNM-21-202 | Implement advisory linkset read/export/evidence endpoints mapped to `ERR_AGG_*`. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Concelier.Merge/TASKS.md | TODO | BE-Merge | MERGE-LNM-21-002 | Deprecate merge service and enforce observation-only pipeline. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-LNM-21-001 | Define immutable VEX observation model. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-LNM-21-002 | Build VEX linkset correlator with confidence/conflict recording. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-LNM-21-101 | Provision VEX observation/linkset collections and indexes. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage & DevOps Guilds | EXCITITOR-LNM-21-102 | Backfill legacy VEX data into observations/linksets with rollback scripts. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-LNM-21-201 | Expose VEX observation APIs with filters/pagination and RBAC. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-LNM-21-202 | Implement VEX linkset endpoints + exports with evidence payloads. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-40-001 | Update severity selection to handle multiple source severities per linkset. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Excititor Guild | POLICY-ENGINE-40-002 | Integrate VEX linkset conflicts into effective findings/explain traces. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-LNM-21-001 | Surface advisory observation/linkset APIs through gateway with RBAC. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-LNM-21-002 | Expose VEX observation/linkset endpoints with export handling. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Scanner.WebService/TASKS.md | TODO | Scanner WebService Guild | SCANNER-LNM-21-001 | Update report/runtime payloads to consume linksets and surface source evidence. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-LNM-22-001 | Deliver Evidence panel with policy banner and source observations. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-LNM-22-003 | Add VEX evidence tab with conflict indicators and exports. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-LNM-22-001 | Implement advisory observation/linkset CLI commands with JSON/OSV export. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-LNM-22-002 | Implement VEX observation/linkset CLI commands. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-AOC-19-001 | Roll out new advisory/vex ingest/read scopes. |
+| Sprint 22 | Link-Not-Merge v1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-LNM-22-001 | Execute advisory observation/linkset migration/backfill and automation. |
+| Sprint 22 | Link-Not-Merge v1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-LNM-22-002 | Run VEX observation/linkset migration/backfill with monitoring/runbook. |
+| Sprint 22 | Link-Not-Merge v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-LNM-22-001 | Publish advisories aggregation doc with observation/linkset philosophy. |
+| Sprint 22 | Link-Not-Merge v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-LNM-22-002 | Publish VEX aggregation doc describing observation/linkset flow. |
+| Sprint 22 | Link-Not-Merge v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-LNM-22-005 | Document UI evidence panel with conflict badges/AOC drill-down. |
+| Sprint 22 | Link-Not-Merge v1 | samples/TASKS.md | TODO | Samples Guild | SAMPLES-LNM-22-001 | Add advisory observation/linkset fixtures with conflicts. |
+| Sprint 22 | Link-Not-Merge v1 | samples/TASKS.md | TODO | Samples Guild | SAMPLES-LNM-22-002 | Add VEX observation/linkset fixtures with status disagreements. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Bench/TASKS.md | TODO | Bench Guild | BENCH-LNM-22-001 | Benchmark advisory observation ingest/correlation throughput. |
+| Sprint 22 | Link-Not-Merge v1 | src/StellaOps.Bench/TASKS.md | TODO | Bench Guild | BENCH-LNM-22-002 | Benchmark VEX ingest/correlation latency and event emission. |
+| Sprint 23 | StellaOps Console | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONSOLE-23-001 | Ship `/console/dashboard` + `/console/filters` aggregates with tenant scoping and deterministic totals. |
+| Sprint 23 | StellaOps Console | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, Scheduler Guild | WEB-CONSOLE-23-002 | Provide `/console/status` polling and `/console/runs/{id}/stream` SSE proxy with heartbeat/backoff. |
+| Sprint 23 | StellaOps Console | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, Policy Guild | WEB-CONSOLE-23-003 | Expose `/console/exports` orchestration for evidence bundles, CSV/JSON streaming, manifest retrieval. |
+| Sprint 23 | StellaOps Console | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONSOLE-23-004 | Implement `/console/search` fan-out router for CVE/GHSA/PURL/SBOM lookups with caching and RBAC. |
+| Sprint 23 | StellaOps Console | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, DevOps Guild | WEB-CONSOLE-23-005 | Serve `/console/downloads` manifest with signed image metadata and offline guidance. |
+| Sprint 23 | StellaOps Console | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-CONSOLE-23-001 | Register Console OIDC client with PKCE, scopes, short-lived tokens, and offline defaults. |
+| Sprint 23 | StellaOps Console | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-CONSOLE-23-002 | Provide tenant catalog/user profile endpoints with audit logging and fresh-auth requirements. |
+| Sprint 23 | StellaOps Console | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-CONSOLE-23-003 | Update security docs/sample configs for Console flows, CSP, and session policies. |
+| Sprint 23 | StellaOps Console | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-CONSOLE-23-001 | Optimize findings/explain APIs for Console filters, aggregation hints, and provenance traces. |
+| Sprint 23 | StellaOps Console | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Product Ops | POLICY-CONSOLE-23-002 | Expose simulation diff + approval state metadata for policy workspace scenarios. |
+| Sprint 23 | StellaOps Console | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Scheduler Guild | EXPORT-CONSOLE-23-001 | Implement evidence bundle/export generator with signed manifests and telemetry. |
+| Sprint 23 | StellaOps Console | src/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-CONSOLE-23-001 | Deliver Console SBOM catalog API with filters, evaluation metadata, and raw projections. |
+| Sprint 23 | StellaOps Console | src/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-CONSOLE-23-002 | Provide component lookup/neighborhood endpoints for global search and overlays. |
+| Sprint 23 | StellaOps Console | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-001 | Surface `/console/advisories` aggregation views with per-source metadata and filters. |
+| Sprint 23 | StellaOps Console | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-002 | Provide advisory delta metrics API for dashboard + live status ticker. |
+| Sprint 23 | StellaOps Console | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-003 | Add search helpers for CVE/GHSA/PURL lookups returning evidence fragments. |
+| Sprint 23 | StellaOps Console | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-CONSOLE-23-001 | Expose `/console/vex` aggregation endpoints with precedence and provenance. |
+| Sprint 23 | StellaOps Console | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-CONSOLE-23-002 | Publish VEX override delta metrics feeding dashboard/status ticker. |
+| Sprint 23 | StellaOps Console | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-CONSOLE-23-003 | Implement VEX search helpers for global search and explain drill-downs. |
+| Sprint 23 | StellaOps Console | src/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-CONSOLE-23-001 | Extend runs API with SSE progress, queue lag summaries, RBAC actions, and history pagination. |
+| Sprint 23 | StellaOps Console | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-CONSOLE-23-201 | Stream run progress events with heartbeat/dedupe for Console SSE consumers. |
+| Sprint 23 | StellaOps Console | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-CONSOLE-23-202 | Coordinate evidence bundle job queueing, status tracking, cancellation, and retention. |
+| Sprint 23 | StellaOps Console | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONSOLE-23-001 | Stand up console CI pipeline (pnpm cache, lint, tests, Playwright, Lighthouse, offline runners). |
+| Sprint 23 | StellaOps Console | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONSOLE-23-002 | Deliver `stella-console` container + Helm overlays with SBOM/provenance and offline packaging. |
+| Sprint 23 | StellaOps Console | ops/deployment/TASKS.md | TODO | Deployment Guild | DOWNLOADS-CONSOLE-23-001 | Maintain signed downloads manifest pipeline feeding Console + docs parity checks. |
+| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-001 | Publish `/docs/ui/console-overview.md` (IA, tenant model, filters, AOC alignment). |
+| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-002 | Author `/docs/ui/navigation.md` with route map, filters, keyboard shortcuts, deep links. |
+| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-003 | Document `/docs/ui/sbom-explorer.md` covering catalog, graph, overlays, exports. |
+| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-004 | Produce `/docs/ui/advisories-and-vex.md` detailing aggregation-not-merge UX. |
+| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-005 | Write `/docs/ui/findings.md` with filters, explain, exports, CLI parity notes. 
| +| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-006 | Publish `/docs/ui/policies.md` (editor, simulation, approvals, RBAC). | +| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-007 | Document `/docs/ui/runs.md` with SSE monitoring, diff, retries, evidence downloads. | +| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-008 | Draft `/docs/ui/admin.md` covering tenants, roles, tokens, integrations, fresh-auth. | +| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-009 | Publish `/docs/ui/downloads.md` aligning manifest with commands and offline flow. | +| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-010 | Write `/docs/deploy/console.md` (Helm, ingress, TLS, env vars, health checks). | +| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-011 | Update `/docs/install/docker.md` to include console image, compose/Helm/offline examples. | +| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-012 | Publish `/docs/security/console-security.md` covering OIDC, scopes, CSP, evidence handling. | +| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-013 | Write `/docs/observability/ui-telemetry.md` cataloguing metrics/logs/dashboards/alerts. | +| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-014 | Maintain `/docs/cli-vs-ui-parity.md` matrix with CI drift detection guidance. | +| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-015 | Produce `/docs/architecture/console.md` describing packages, data flow, SSE design. | +| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-016 | Refresh `/docs/accessibility.md` with console keyboard flows, tokens, testing tools. 
| +| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-017 | Create `/docs/examples/ui-tours.md` walkthroughs with annotated screenshots/GIFs. | +| Sprint 24 | Graph & Vuln Explorer v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-60-001 | Maintain Redis effective decision maps for overlays. | +| Sprint 24 | Graph & Vuln Explorer v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-60-002 | Provide simulation bridge for graph what-if APIs. | +| Sprint 24 | Graph & Vuln Explorer v1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-GRAPH-24-001 | Implement graph endpoints with pagination/ETags/RBAC. | +| Sprint 24 | Graph & Vuln Explorer v1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-GRAPH-24-002 | Gateway proxy for Policy/Vuln overlays (no simulation logic in gateway). | +| Sprint 24 | Graph & Vuln Explorer v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-GRAPH-24-001 | Build Graph Explorer canvas with virtualization. | +| Sprint 24 | Graph & Vuln Explorer v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-GRAPH-24-002 | Implement overlays (Policy/Evidence/License/Exposure). | +| Sprint 24 | Graph & Vuln Explorer v1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-GRAPH-24-001 | Add graph show/search/diff CLI commands. | +| Sprint 24 | Graph & Vuln Explorer v1 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-GRAPH-24-001 | Extend scopes (`vuln:read`) and signed permalinks. | +| Sprint 24 | Graph & Vuln Explorer v1 | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-GRAPH-24-001 | Surface raw advisory observations/linksets for overlay services (no derived aggregation in ingestion). 
| +| Sprint 24 | Graph & Vuln Explorer v1 | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-GRAPH-24-001 | Surface raw VEX statements/linksets for overlay services (no suppression/precedence logic here). | +| Sprint 24 | Graph & Vuln Explorer v1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-GRAPH-24-001 | Load test graph APIs and publish dashboards. | +| Sprint 24 | Graph & Vuln Explorer v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-GRAPH-24-001 | Document SBOM Graph Explorer UI. | +| Sprint 24 | Graph & Vuln Explorer v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-GRAPH-24-004 | Publish API docs for graph/vuln endpoints. | +| Sprint 24 | Graph & Vuln Explorer v1 | samples/TASKS.md | TODO | Samples Guild | SAMPLES-GRAPH-24-003 | Create large graph fixture for perf testing. | +| Sprint 24 | Graph & Vuln Explorer v1 | src/StellaOps.Bench/TASKS.md | TODO | Bench Guild | BENCH-GRAPH-24-001 | Build graph performance benchmark suite. | +| Sprint 25 | Exceptions v1 | src/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-EXC-25-001 | Extend SPL schema to reference exception effects and routing. | +| Sprint 25 | Exceptions v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-001 | Add exception evaluation layer with specificity + effects. | +| Sprint 25 | Exceptions v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-002 | Create exception collections/bindings storage + repos. | +| Sprint 25 | Exceptions v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-003 | Implement Redis exception cache + invalidation. | +| Sprint 25 | Exceptions v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-004 | Add metrics/tracing/logging for exception application. | +| Sprint 25 | Exceptions v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-005 | Hook workers/events for activation/expiry. 
| +| Sprint 25 | Exceptions v1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXC-25-001 | Ship exception CRUD + workflow API endpoints. | +| Sprint 25 | Exceptions v1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXC-25-002 | Extend policy endpoints to include exception metadata. | +| Sprint 25 | Exceptions v1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXC-25-003 | Emit exception events/notifications with rate limits. | +| Sprint 25 | Exceptions v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-001 | Deliver Exception Center (list/kanban) with workflows. | +| Sprint 25 | Exceptions v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-002 | Build exception creation wizard with scope/timebox guardrails. | +| Sprint 25 | Exceptions v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-003 | Add inline exception drafting/proposing from explorers. | +| Sprint 25 | Exceptions v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-004 | Surface badges/countdowns/explain integration. | +| Sprint 25 | Exceptions v1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXC-25-001 | Implement CLI exception workflow commands. | +| Sprint 25 | Exceptions v1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXC-25-002 | Extend policy simulate with exception overrides. | +| Sprint 25 | Exceptions v1 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-EXC-25-001 | Introduce exception scopes and routing matrix with MFA. | +| Sprint 25 | Exceptions v1 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-EXC-25-002 | Update docs/config samples for exception governance. | +| Sprint 25 | Exceptions v1 | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-25-101 | Implement exception lifecycle worker for activation/expiry. 
| +| Sprint 25 | Exceptions v1 | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-25-102 | Add expiring notification job & metrics. | +| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-001 | Document exception governance concepts/workflow. | +| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-002 | Document approvals routing / MFA requirements. | +| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-003 | Publish API documentation for exceptions endpoints. | +| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-004 | Document policy exception effects + simulation. | +| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-005 | Document UI exception center + badges. | +| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-006 | Update CLI docs for exception commands. | +| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-007 | Write migration guide for governed exceptions. | +| Sprint 26 | Reachability v1 | src/StellaOps.Signals/TASKS.md | TODO | Signals Guild | SIGNALS-24-001 | Stand up Signals API skeleton with RBAC + health checks. | +| Sprint 26 | Reachability v1 | src/StellaOps.Signals/TASKS.md | TODO | Signals Guild | SIGNALS-24-002 | Implement callgraph ingestion/normalization pipeline. | +| Sprint 26 | Reachability v1 | src/StellaOps.Signals/TASKS.md | TODO | Signals Guild | SIGNALS-24-003 | Ingest runtime facts and persist context data with AOC provenance. | +| Sprint 26 | Reachability v1 | src/StellaOps.Signals/TASKS.md | TODO | Signals Guild | SIGNALS-24-004 | Deliver reachability scoring engine writing reachability facts. | +| Sprint 26 | Reachability v1 | src/StellaOps.Signals/TASKS.md | TODO | Signals Guild | SIGNALS-24-005 | Implement caches + signals events. 
| +| Sprint 26 | Reachability v1 | src/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-SPL-24-001 | Extend SPL schema with reachability predicates/actions. | +| Sprint 26 | Reachability v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-001 | Integrate reachability inputs into policy evaluation and explainers. | +| Sprint 26 | Reachability v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-002 | Optimize reachability fact retrieval + cache. | +| Sprint 26 | Reachability v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-003 | Update SPL compiler for reachability predicates. | +| Sprint 26 | Reachability v1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-004 | Emit reachability metrics/traces. | +| Sprint 26 | Reachability v1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-SIG-26-001 | Expose signals proxy endpoints with pagination and RBAC. | +| Sprint 26 | Reachability v1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-SIG-26-002 | Join reachability data into policy/vuln responses. | +| Sprint 26 | Reachability v1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-SIG-26-003 | Support reachability overrides in simulate APIs. | +| Sprint 26 | Reachability v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-001 | Add reachability columns/badges to Vulnerability Explorer. | +| Sprint 26 | Reachability v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-002 | Enhance Why drawer with call path/timeline. | +| Sprint 26 | Reachability v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-003 | Add reachability overlay/time slider to SBOM Graph. | +| Sprint 26 | Reachability v1 | src/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-004 | Build Reachability Center + missing sensor view. 
| +| Sprint 26 | Reachability v1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SIG-26-001 | Implement reachability CLI commands (upload/list/explain). | +| Sprint 26 | Reachability v1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SIG-26-002 | Add reachability overrides to policy simulate. | +| Sprint 26 | Reachability v1 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-SIG-26-001 | Add signals scopes/roles + AOC requirements. | +| Sprint 26 | Reachability v1 | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-26-201 | Implement reachability joiner worker. | +| Sprint 26 | Reachability v1 | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-26-202 | Implement staleness monitor + notifications. | +| Sprint 26 | Reachability v1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-SIG-26-001 | Provision pipelines/deployments for Signals service. | +| Sprint 26 | Reachability v1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-SIG-26-002 | Add dashboards/alerts for reachability metrics. | +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-001 | Document reachability concepts and scoring. | +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-002 | Document callgraph formats. | +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-003 | Document runtime facts ingestion. | +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-004 | Document policy weighting for signals. | +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-005 | Document UI overlays/timelines. | +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-006 | Document CLI reachability commands. 
| +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-007 | Publish API docs for signals endpoints. | +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-008 | Write migration guide for enabling reachability. | +| Sprint 26 | Reachability v1 | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-SIG-26-001 | Expose advisory symbol metadata for signals scoring. | +| Sprint 26 | Reachability v1 | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-SIG-26-001 | Surface vendor exploitability hints to Signals. | +| Sprint 27 | Policy Studio | src/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-001 | Define Policy Registry OpenAPI spec for workspaces, versions, reviews, simulations, promotions, attestations. | +| Sprint 27 | Policy Studio | src/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-002 | Implement workspace storage + CRUD with tenant retention policies. | +| Sprint 27 | Policy Studio | src/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-003 | Integrate compile pipeline storing diagnostics, symbol tables, complexity metrics. | +| Sprint 27 | Policy Studio | src/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-004 | Deliver quick simulation API with limits and deterministic outputs. | +| Sprint 27 | Policy Studio | src/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & Scheduler Guilds | REGISTRY-API-27-005 | Build batch simulation orchestration, reduction, and evidence bundle storage. | +| Sprint 27 | Policy Studio | src/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-006 | Implement review workflow with comments, required approvers, webhooks. 
| +| Sprint 27 | Policy Studio | src/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & Security Guilds | REGISTRY-API-27-007 | Ship publish/sign pipeline with attestations, immutable versions. | +| Sprint 27 | Policy Studio | src/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-008 | Implement promotion/canary bindings per tenant/environment with rollback. | +| Sprint 27 | Policy Studio | src/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & Observability Guilds | REGISTRY-API-27-009 | Instrument metrics/logs/traces for compile, simulation, approval latency. | +| Sprint 27 | Policy Studio | src/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & QA Guilds | REGISTRY-API-27-010 | Build unit/integration/load test suites and seeded fixtures. | +| Sprint 27 | Policy Studio | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-001 | Return rule coverage, symbol table, docs, hashes from compile endpoint. | +| Sprint 27 | Policy Studio | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-002 | Enhance simulate outputs with heatmap, explain traces, delta summaries. | +| Sprint 27 | Policy Studio | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-003 | Enforce complexity/time limits with diagnostics. | +| Sprint 27 | Policy Studio | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-004 | Update tests/fixtures for coverage, symbol table, explain, complexity. | +| Sprint 27 | Policy Studio | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-27-001 | Proxy Policy Registry APIs with tenant scoping, RBAC, evidence streaming. | +| Sprint 27 | Policy Studio | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-27-002 | Implement review lifecycle routes with audit logs and webhooks. 
| +| Sprint 27 | Policy Studio | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Scheduler Guilds | WEB-POLICY-27-003 | Expose quick/batch simulation endpoints with SSE progress + manifests. | +| Sprint 27 | Policy Studio | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Security Guilds | WEB-POLICY-27-004 | Add publish/promote/rollback endpoints with canary + signing enforcement. | +| Sprint 27 | Policy Studio | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Observability Guilds | WEB-POLICY-27-005 | Instrument Policy Studio metrics/logs for dashboards. | +| Sprint 27 | Policy Studio | src/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-POLICY-27-001 | Define Policy Studio roles/scopes for author/review/approve/operate/audit. | +| Sprint 27 | Policy Studio | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guilds | AUTH-POLICY-27-002 | Wire signing service + fresh-auth enforcement for publish/promote. | +| Sprint 27 | Policy Studio | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-POLICY-27-003 | Update authority configuration/docs for Policy Studio roles & signing. | +| Sprint 27 | Policy Studio | src/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-CONSOLE-27-001 | Provide policy simulation orchestration endpoints with SSE + RBAC. | +| Sprint 27 | Policy Studio | src/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService & Observability Guilds | SCHED-CONSOLE-27-002 | Emit policy simulation telemetry endpoints/metrics + webhooks. | +| Sprint 27 | Policy Studio | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-27-301 | Implement batch simulation worker sharding SBOMs with retries/backoff. | +| Sprint 27 | Policy Studio | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-27-302 | Build reducer job aggregating shard outputs into manifests with checksums. 
| +| Sprint 27 | Policy Studio | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker & Security Guilds | SCHED-WORKER-27-303 | Enforce tenant isolation/attestation integration and secret scanning for jobs. | +| Sprint 27 | Policy Studio | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-001 | Implement policy workspace CLI commands (init, lint, compile, test). | +| Sprint 27 | Policy Studio | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-002 | Add version bump, submit, review/approve CLI workflow commands. | +| Sprint 27 | Policy Studio | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-003 | Extend simulate command for quick/batch runs, manifests, CI reports. | +| Sprint 27 | Policy Studio | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-004 | Implement publish/promote/rollback/sign CLI lifecycle commands. | +| Sprint 27 | Policy Studio | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI & Docs Guilds | CLI-POLICY-27-005 | Update CLI docs/reference for Policy Studio commands and schemas. | +| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-POLICY-27-001 | Add CI stage for policy lint/compile/test + secret scanning and artifacts. | +| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps & Policy Registry Guilds | DEVOPS-POLICY-27-002 | Provide optional batch simulation CI job with drift gating + PR comment. | +| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps & Security Guilds | DEVOPS-POLICY-27-003 | Manage signing keys + attestation verification in pipelines. | +| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps & Observability Guilds | DEVOPS-POLICY-27-004 | Build dashboards/alerts for compile latency, queue depth, approvals, promotions. 
| +| Sprint 27 | Policy Studio | ops/deployment/TASKS.md | TODO | Deployment & Policy Registry Guilds | DEPLOY-POLICY-27-001 | Create Helm/Compose overlays for Policy Registry + workers with signing config. | +| Sprint 27 | Policy Studio | ops/deployment/TASKS.md | TODO | Deployment & Policy Guilds | DEPLOY-POLICY-27-002 | Document policy rollout/rollback playbooks in runbook. | +| Sprint 27 | Policy Studio | docs/TASKS.md | TODO | Docs & Policy Guilds | DOCS-POLICY-27-001 | Publish `/docs/policy/studio-overview.md` with lifecycle + roles. | +| Sprint 27 | Policy Studio | docs/TASKS.md | TODO | Docs & Console Guilds | DOCS-POLICY-27-002 | Write `/docs/policy/authoring.md` with templates/snippets/lint rules. | +| Sprint 27 | Policy Studio | docs/TASKS.md | TODO | Docs & Policy Registry Guilds | DOCS-POLICY-27-003 | Document `/docs/policy/versioning-and-publishing.md`. | +| Sprint 27 | Policy Studio | docs/TASKS.md | TODO | Docs & Scheduler Guilds | DOCS-POLICY-27-004 | Publish `/docs/policy/simulation.md` with quick vs batch guidance. | +| Sprint 27 | Policy Studio | docs/TASKS.md | TODO | Docs & Product Ops | DOCS-POLICY-27-005 | Author `/docs/policy/review-and-approval.md`. | +| Sprint 27 | Policy Studio | docs/TASKS.md | TODO | Docs & Policy Guilds | DOCS-POLICY-27-006 | Publish `/docs/policy/promotion.md` covering canary + rollback. | +| Sprint 27 | Policy Studio | docs/TASKS.md | TODO | Docs & DevEx/CLI Guilds | DOCS-POLICY-27-007 | Update `/docs/policy/cli.md` with new commands + JSON schemas. | +| Sprint 27 | Policy Studio | docs/TASKS.md | TODO | Docs & Policy Registry Guilds | DOCS-POLICY-27-008 | Publish `/docs/policy/api.md` aligning with Registry OpenAPI. | +| Sprint 27 | Policy Studio | docs/TASKS.md | TODO | Docs & Security Guilds | DOCS-POLICY-27-009 | Create `/docs/security/policy-attestations.md`. | +| Sprint 27 | Policy Studio | docs/TASKS.md | TODO | Docs & Architecture Guilds | DOCS-POLICY-27-010 | Write `/docs/architecture/policy-registry.md`. 
| +| Sprint 27 | Policy Studio | docs/TASKS.md | TODO | Docs & Observability Guilds | DOCS-POLICY-27-011 | Publish `/docs/observability/policy-telemetry.md`. | +| Sprint 27 | Policy Studio | docs/TASKS.md | TODO | Docs & Ops Guilds | DOCS-POLICY-27-012 | Write `/docs/runbooks/policy-incident.md`. | +| Sprint 27 | Policy Studio | docs/TASKS.md | TODO | Docs & Policy Guilds | DOCS-POLICY-27-013 | Update `/docs/examples/policy-templates.md` with new templates/snippets. | +| Sprint 27 | Policy Studio | docs/TASKS.md | TODO | Docs & Policy Registry Guilds | DOCS-POLICY-27-014 | Refresh `/docs/aoc/aoc-guardrails.md` with Studio guardrails. | +| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-001 | Define node/edge schemas, identity rules, and fixtures for graph ingestion. | +| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-002 | Implement SBOM ingest consumer generating artifact/package/file nodes & edges. | +| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-003 | Serve advisory overlay tiles from Conseiller linksets (no mutation of raw node/edge stores). | +| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-004 | Integrate VEX statements for `vex_exempts` edges with precedence metadata. | +| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & Policy Guilds | GRAPH-INDEX-28-005 | Hydrate policy overlay nodes/edges referencing determinations + explains. | +| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-006 | Produce graph snapshots per SBOM with lineage for diff jobs. 
|
+| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & Observability Guilds | GRAPH-INDEX-28-007 | Run clustering/centrality background jobs and persist cluster ids. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-008 | Build incremental/backfill pipeline with change streams, retries, backlog metrics. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & QA Guilds | GRAPH-INDEX-28-009 | Extend tests/perf fixtures ensuring determinism on large graphs. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & DevOps Guilds | GRAPH-INDEX-28-010 | Provide deployment/offline artifacts and docs for Graph Indexer. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-001 | Publish Graph API OpenAPI + JSON schemas for queries/tiles. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-002 | Implement `/graph/search` with caching and RBAC. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-003 | Build query planner + streaming tile pipeline with budgets. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-004 | Deliver `/graph/paths` with depth limits and policy overlay support. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-005 | Implement `/graph/diff` streaming adds/removes/changes for SBOM snapshots. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-006 | Compose advisory/VEX/policy overlays with caching + explain sampling. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-007 | Provide export jobs (GraphML/CSV/NDJSON/PNG/SVG) with manifests. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & Authority Guilds | GRAPH-API-28-008 | Enforce RBAC scopes, tenant headers, audit logging, rate limits. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & Observability Guilds | GRAPH-API-28-009 | Instrument metrics/logs/traces; publish dashboards. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & QA Guilds | GRAPH-API-28-010 | Build unit/integration/load tests with synthetic datasets. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & DevOps Guilds | GRAPH-API-28-011 | Ship deployment/offline manifests + gateway integration docs. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-GRAPH-24-001 | Route `/graph/*` APIs through gateway with tenant scoping and RBAC. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-GRAPH-24-002 | Maintain overlay proxy routes to dedicated services (Policy/Vuln API), ensuring caching + RBAC only. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Observability Guilds | WEB-GRAPH-24-004 | Add Graph Explorer telemetry endpoints and metrics aggregation. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | WEB-LNM-21-001 | Provide advisory observation endpoints optimized for graph overlays. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-GRAPH-24-101 | Deliver advisory summary API feeding graph tooltips. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-GRAPH-24-101 | Provide VEX summary API for Graph Explorer inspector overlays. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-30-001 | Finalize graph overlay contract + projection API. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-30-002 | Implement simulation overlay bridge for Graph Explorer queries. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy & Scheduler Guilds | POLICY-ENGINE-30-003 | Emit change events for effective findings supporting graph overlays. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-WEB-21-001 | Provide graph build job APIs & overlay lag metrics. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-21-201 | Run graph build worker for SBOM snapshots with retries/backoff. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-21-202 | Execute overlay refresh worker subscribing to change events. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker & Observability Guilds | SCHED-WORKER-21-203 | Emit metrics/logs for graph build/overlay jobs. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-GRAPH-28-001 | Ship `stella sbom graph` subcommands (search, query, paths, diff, impacted, export) with JSON output + exit codes. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-GRAPH-28-002 | Add saved query management + deep link helpers to CLI. |
+| Sprint 28 | Graph Explorer | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-GRAPH-28-003 | Update CLI docs/examples for Graph Explorer commands. |
+| Sprint 28 | Graph Explorer | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-GRAPH-28-001 | Configure load/perf tests, query budget alerts, and CI smoke for graph APIs. |
+| Sprint 28 | Graph Explorer | ops/devops/TASKS.md | TODO | DevOps & Security Guilds | DEVOPS-GRAPH-28-002 | Implement caching/backpressure limits, rate limiting configs, and runaway query kill switches. |
+| Sprint 28 | Graph Explorer | ops/devops/TASKS.md | TODO | DevOps & Observability Guilds | DEVOPS-GRAPH-28-003 | Build dashboards/alerts for tile latency, query denials, memory pressure. |
+| Sprint 28 | Graph Explorer | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-GRAPH-28-001 | Provide deployment/offline instructions for Graph Indexer/API, including cache seeds. |
+| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & SBOM Guilds | DOCS-GRAPH-28-001 | Publish `/docs/sbom/graph-explorer-overview.md`. |
+| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Console Guilds | DOCS-GRAPH-28-002 | Write `/docs/sbom/graph-using-the-console.md` with walkthrough + accessibility tips. |
+| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Graph API Guilds | DOCS-GRAPH-28-003 | Document `/docs/sbom/graph-query-language.md` (JSON schema, cost rules). |
+| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Graph API Guilds | DOCS-GRAPH-28-004 | Publish `/docs/sbom/graph-api.md` endpoints + streaming guidance. |
+| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & CLI Guilds | DOCS-GRAPH-28-005 | Produce `/docs/sbom/graph-cli.md` command reference. |
+| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Policy Guilds | DOCS-GRAPH-28-006 | Publish `/docs/policy/graph-overlays.md`. |
+| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Excitator Guilds | DOCS-GRAPH-28-007 | Document `/docs/vex/graph-integration.md`. |
+| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Concelier Guilds | DOCS-GRAPH-28-008 | Document `/docs/advisories/graph-integration.md`. |
+| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Architecture Guilds | DOCS-GRAPH-28-009 | Author `/docs/architecture/graph-services.md`. |
+| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Observability Guilds | DOCS-GRAPH-28-010 | Publish `/docs/observability/graph-telemetry.md`. |
+| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Ops Guilds | DOCS-GRAPH-28-011 | Write `/docs/runbooks/graph-incidents.md`. |
+| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Security Guilds | DOCS-GRAPH-28-012 | Create `/docs/security/graph-rbac.md`. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-29-001 | Design ledger & projection schemas, hashing strategy, and migrations for Findings Ledger. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-29-002 | Implement ledger write API with hash chaining and Merkle root anchoring job. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Scheduler Guilds | LEDGER-29-003 | Build projector worker deriving `findings_projection` with idempotent replay. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Policy Guilds | LEDGER-29-004 | Integrate Policy Engine batch evaluation into projector with rationale caching. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-29-005 | Implement workflow mutation endpoints producing ledger events (assign/comment/accept-risk/etc.). |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Security Guilds | LEDGER-29-006 | Add attachment encryption, signed URLs, and CSRF protections for workflow endpoints. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Observability Guilds | LEDGER-29-007 | Instrument ledger metrics/logs/alerts (write latency, projection lag, anchoring). |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & QA Guilds | LEDGER-29-008 | Provide replay/determinism/load tests for ledger/projector pipelines. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & DevOps Guilds | LEDGER-29-009 | Deliver deployment/offline artefacts, backup/restore, Merkle anchoring guidance. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-001 | Publish Vuln Explorer OpenAPI + query schemas. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-002 | Implement list/query endpoints with grouping, paging, cost budgets. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-003 | Implement detail endpoint combining evidence, policy rationale, paths, history. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Findings Ledger Guilds | VULN-API-29-004 | Expose workflow APIs writing ledger events with validation + idempotency. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Policy Guilds | VULN-API-29-005 | Implement policy simulation endpoint producing diffs without side effects. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-006 | Integrate Graph Explorer paths metadata and deep-link parameters. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Security Guilds | VULN-API-29-007 | Enforce RBAC/ABAC, CSRF, attachment security, and audit logging. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-008 | Provide evidence bundle export job with signing + manifests. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Observability Guilds | VULN-API-29-009 | Instrument API telemetry (latency, workflow counts, exports). |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & QA Guilds | VULN-API-29-010 | Deliver unit/integration/perf/determinism tests for Vuln Explorer API. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & DevOps Guilds | VULN-API-29-011 | Ship deployment/offline manifests, health checks, scaling docs. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-VULN-29-001 | Normalize advisory keys, persist `links[]`, backfill, and expose raw payload snapshots. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-VULN-29-002 | Provide advisory evidence retrieval endpoint for Vuln Explorer. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService & Observability Guilds | CONCELIER-VULN-29-004 | Add metrics/logs/events for advisory normalization supporting resolver. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-VULN-29-001 | Canonicalize VEX keys and product scopes with backfill + links. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-VULN-29-002 | Expose VEX evidence retrieval endpoint for Explorer evidence tabs. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService & Observability Guilds | EXCITITOR-VULN-29-004 | Instrument metrics/logs for VEX normalization and suppression events. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-VULN-29-001 | Emit inventory evidence with scope/runtime/path/safe version hints; publish change events. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.SbomService/TASKS.md | TODO | SBOM Service & Findings Ledger Guilds | SBOM-VULN-29-002 | Provide resolver feed for candidate generation with idempotent delivery. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-29-001 | Implement policy batch evaluation endpoint returning determinations + rationale. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-29-002 | Provide simulation diff API for Vuln Explorer comparisons. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-29-003 | Include path/scope annotations in determinations for Explorer. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild & Observability Guild | POLICY-ENGINE-29-004 | Add telemetry for batch evaluation + simulation jobs. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-VULN-29-001 | Route `/vuln/*` APIs with tenant RBAC, ABAC, anti-forgery enforcement. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-VULN-29-002 | Proxy workflow calls to Findings Ledger with correlation IDs + retries. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-VULN-29-003 | Expose simulation/export orchestration with SSE/progress + signed links. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Observability Guilds | WEB-VULN-29-004 | Aggregate Vuln Explorer telemetry (latency, errors, exports). |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-VULN-29-001 | Define Vuln Explorer RBAC/ABAC scopes and issuer metadata. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-VULN-29-002 | Enforce CSRF, attachment signing, and audit logging referencing ledger hashes. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-VULN-29-003 | Update docs/config samples for Vuln Explorer roles and security posture. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-VULN-29-001 | Expose resolver job APIs + status monitoring for Vuln Explorer recomputation. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService & Observability Guilds | SCHED-VULN-29-002 | Provide projector lag metrics endpoint + webhook notifications. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-29-001 | Implement resolver worker applying ecosystem version semantics and path scope. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-29-002 | Implement evaluation worker invoking Policy Engine and updating ledger queues. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker & Observability Guilds | SCHED-WORKER-29-003 | Add monitoring for resolver/evaluation backlog and SLA alerts. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-001 | Implement `stella vuln list` with grouping, filters, JSON/CSV output. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-002 | Implement `stella vuln show` with evidence/policy/path display. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-003 | Add workflow CLI commands (assign/comment/accept-risk/verify-fix/target-fix/reopen). |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-004 | Implement `stella vuln simulate` producing diff summaries/Markdown. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-005 | Implement `stella vuln export` and bundle signature verification. |
+| Sprint 29 | Vulnerability Explorer | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI & Docs Guilds | CLI-VULN-29-006 | Update CLI docs/examples for Vulnerability Explorer commands. |
+| Sprint 29 | Vulnerability Explorer | ops/devops/TASKS.md | TODO | DevOps & Findings Ledger Guilds | DEVOPS-VULN-29-001 | Set up CI/backups/anchoring monitoring for Findings Ledger. |
+| Sprint 29 | Vulnerability Explorer | ops/devops/TASKS.md | TODO | DevOps & Vuln Explorer API Guilds | DEVOPS-VULN-29-002 | Configure Vuln Explorer perf tests, budgets, dashboards, alerts. |
+| Sprint 29 | Vulnerability Explorer | ops/devops/TASKS.md | TODO | DevOps & Console Guilds | DEVOPS-VULN-29-003 | Integrate Vuln Explorer telemetry pipeline with privacy safeguards + dashboards. |
+| Sprint 29 | Vulnerability Explorer | ops/deployment/TASKS.md | TODO | Deployment & Findings Ledger Guilds | DEPLOY-VULN-29-001 | Provide deployments for Findings Ledger/projector with migrations/backups. |
+| Sprint 29 | Vulnerability Explorer | ops/deployment/TASKS.md | TODO | Deployment & Vuln Explorer API Guilds | DEPLOY-VULN-29-002 | Package Vuln Explorer API deployments/health checks/offline kit notes. |
+| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs Guild | DOCS-VULN-29-001 | Publish `/docs/vuln/explorer-overview.md`. |
+| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Console Guilds | DOCS-VULN-29-002 | Write `/docs/vuln/explorer-using-console.md`. |
+| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs Guild | DOCS-VULN-29-003 | Author `/docs/vuln/explorer-api.md`. |
+| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs Guild | DOCS-VULN-29-004 | Publish `/docs/vuln/explorer-cli.md`. |
+| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Ledger Guilds | DOCS-VULN-29-005 | Document Findings Ledger (`/docs/vuln/findings-ledger.md`). |
+| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Policy Guilds | DOCS-VULN-29-006 | Update `/docs/policy/vuln-determinations.md`. |
+| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Excititor Guilds | DOCS-VULN-29-007 | Publish `/docs/vex/explorer-integration.md`. |
+| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Concelier Guilds | DOCS-VULN-29-008 | Publish `/docs/advisories/explorer-integration.md`. |
+| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & SBOM Guilds | DOCS-VULN-29-009 | Publish `/docs/sbom/vuln-resolution.md`. |
+| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Observability Guilds | DOCS-VULN-29-010 | Publish `/docs/observability/vuln-telemetry.md`. |
+| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Security Guilds | DOCS-VULN-29-011 | Publish `/docs/security/vuln-rbac.md`. |
+| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Ops Guilds | DOCS-VULN-29-012 | Publish `/docs/runbooks/vuln-ops.md`. |
+| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Deployment Guilds | DOCS-VULN-29-013 | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API. |
+| Sprint 30 | VEX Lens | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-001 | Implement VEX normalization pipeline (CSAF, OpenVEX, CycloneDX) with deterministic outputs. |
+| Sprint 30 | VEX Lens | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-002 | Build product mapping library aligning CSAF product trees to purls/versions with scope scoring. |
+| Sprint 30 | VEX Lens | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Issuer Directory Guilds | VEXLENS-30-003 | Integrate signature verification using issuer keys; annotate evidence. |
+| Sprint 30 | VEX Lens | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Policy Guilds | VEXLENS-30-004 | Implement trust weighting functions configurable via policy. |
+| Sprint 30 | VEX Lens | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-005 | Implement consensus algorithm producing state, confidence, rationale, and quorum. |
+| Sprint 30 | VEX Lens | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Findings Ledger Guilds | VEXLENS-30-006 | Materialize consensus projections and change events. |
+| Sprint 30 | VEX Lens | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-007 | Deliver query/detail/simulation/export APIs with budgets and OpenAPI docs. |
+| Sprint 30 | VEX Lens | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Policy Guilds | VEXLENS-30-008 | Integrate consensus signals with Policy Engine and Vuln Explorer. |
+| Sprint 30 | VEX Lens | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Observability Guilds | VEXLENS-30-009 | Instrument metrics/logs/traces; publish dashboards/alerts. |
+| Sprint 30 | VEX Lens | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & QA Guilds | VEXLENS-30-010 | Build unit/property/integration/load tests and determinism harness. |
+| Sprint 30 | VEX Lens | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & DevOps Guilds | VEXLENS-30-011 | Provide deployment manifests, scaling guides, offline seeds, runbooks. |
+| Sprint 30 | VEX Lens | src/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory Guild | ISSUER-30-001 | Implement issuer CRUD API with RBAC and audit logs. |
+| Sprint 30 | VEX Lens | src/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & Security Guilds | ISSUER-30-002 | Implement key management endpoints with expiry enforcement. |
+| Sprint 30 | VEX Lens | src/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & Policy Guilds | ISSUER-30-003 | Provide trust weight override APIs with audit trails. |
+| Sprint 30 | VEX Lens | src/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & VEX Lens Guilds | ISSUER-30-004 | Integrate issuer data into signature verification clients. |
+| Sprint 30 | VEX Lens | src/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & Observability Guilds | ISSUER-30-005 | Instrument issuer change metrics/logs and dashboards. |
+| Sprint 30 | VEX Lens | src/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & DevOps Guilds | ISSUER-30-006 | Provide deployment/backup/offline docs for Issuer Directory. |
+| Sprint 30 | VEX Lens | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-VULN-29-001 | Ensure VEX evidence includes issuer hints, signatures, product trees for Lens consumption. |
+| Sprint 30 | VEX Lens | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-VULN-29-001 | Guarantee advisory key consistency and provide cross-links for consensus rationale. |
+| Sprint 30 | VEX Lens | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-29-001 | Extend policy config with trust weights/thresholds for consensus inputs. |
+| Sprint 30 | VEX Lens | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-VULN-29-001, VEXLENS-30-007 | Route `/vex/consensus` APIs through gateway with RBAC/ABAC and telemetry. |
+| Sprint 30 | VEX Lens | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | VEXLENS-30-007 | Implement `stella vex consensus` CLI commands with list/show/simulate/export. |
+| Sprint 30 | VEX Lens | ops/devops/TASKS.md | TODO | DevOps Guild | VEXLENS-30-009, ISSUER-30-005 | Set up CI/perf/telemetry dashboards for VEX Lens and Issuer Directory. |
+| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-001 | Publish `/docs/vex/consensus-overview.md`. |
+| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-002 | Write `/docs/vex/consensus-algorithm.md`. |
+| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-003 | Document `/docs/vex/issuer-directory.md`. |
+| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-004 | Publish `/docs/vex/consensus-api.md`. |
+| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-005 | Create `/docs/vex/consensus-console.md`. |
+| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-006 | Add `/docs/policy/vex-trust-model.md`. |
+| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-007 | Author `/docs/sbom/vex-mapping.md`. |
+| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-008 | Publish `/docs/security/vex-signatures.md`. |
+| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-009 | Write `/docs/runbooks/vex-ops.md`. |
+| Sprint 31 | Advisory AI | src/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-001 | Implement advisory/VEX retrievers with paragraph anchors and citations. |
+| Sprint 31 | Advisory AI | src/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-002 | Build SBOM context retriever and blast radius estimator. |
+| Sprint 31 | Advisory AI | src/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-003 | Deliver deterministic toolset (version checks, dependency analysis, policy lookup). |
+| Sprint 31 | Advisory AI | src/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-004 | Orchestrator with task templates, tool chaining, caching. |
+| Sprint 31 | Advisory AI | src/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & Security Guilds | AIAI-31-005 | Guardrails (redaction, injection defense, output validation). |
+| Sprint 31 | Advisory AI | src/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-006 | Expose REST/batch APIs with RBAC and OpenAPI. |
+| Sprint 31 | Advisory AI | src/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & Observability Guilds | AIAI-31-007 | Instrument metrics/logs/traces and dashboards. |
+| Sprint 31 | Advisory AI | src/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & DevOps Guilds | AIAI-31-008 | Package inference + deployment manifests/flags. |
+| Sprint 31 | Advisory AI | src/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & QA Guilds | AIAI-31-009 | Build golden/injection/perf tests ensuring determinism. |
+| Sprint 31 | Advisory AI | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-AIAI-31-001 | Expose advisory chunk API with paragraph anchors. |
+| Sprint 31 | Advisory AI | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-AIAI-31-001 | Provide VEX chunks with justifications and signatures. |
+| Sprint 31 | Advisory AI | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-AIAI-31-001 | Expose enriched rationale API for conflict explanations. |
+| Sprint 31 | Advisory AI | src/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-AIAI-31-001 | Deliver SBOM path/timeline endpoints for Advisory AI. |
+| Sprint 31 | Advisory AI | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-31-001 | Provide policy knobs for Advisory AI. |
+| Sprint 31 | Advisory AI | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AIAI-31-001 | Route `/advisory/ai/*` APIs with RBAC/telemetry. |
+| Sprint 31 | Advisory AI | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-001, CLI-VEX-30-001 | Implement `stella advise *` CLI commands. |
+| Sprint 31 | Advisory AI | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIAI-31-001 | Provision CI/perf/telemetry for Advisory AI. |
+| Sprint 31 | Advisory AI | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-AIAI-31-001 | Provide Advisory AI deployment/offline guidance. |
+| Sprint 31 | Advisory AI | docs/TASKS.md | TODO | Docs Guild | DOCS-AIAI-31-001 | Publish Advisory AI overview doc. |
+| Sprint 31 | Advisory AI | docs/TASKS.md | TODO | Docs Guild | DOCS-AIAI-31-002 | Publish architecture doc for Advisory AI. |
+| Sprint 31 | Advisory AI | docs/TASKS.md | TODO | Docs Guild | DOCS-AIAI-31-003..009 | Complete API/Console/CLI/Policy/Security/SBOM/Runbook docs. |
+| Sprint 31 | Advisory AI | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AIAI-31-001 | Route Advisory AI API endpoints with RBAC/ABAC and telemetry. |
+| Sprint 31 | Advisory AI | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AIAI-31-002 | Provide batch orchestration and retry handling for Advisory AI. |
+| Sprint 31 | Advisory AI | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AIAI-31-003 | Emit Advisory AI gateway telemetry/audit logs. |
+| Sprint 31 | Advisory AI | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-31-001 | Expose Advisory AI policy parameters. |
+| Sprint 31 | Advisory AI | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-AIAI-31-001 | Define Advisory AI scopes and remote inference toggles. |
+| Sprint 31 | Advisory AI | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-AIAI-31-002 | Enforce prompt logging and consent/audit flows. |
+| Sprint 31 | Advisory AI | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIAI-31-001 | Provision CI/perf/monitoring for Advisory AI. |
+| Sprint 31 | Advisory AI | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-AIAI-31-001 | Ship Advisory AI deployment/offline kit guidance. |
+| Sprint 31 | Advisory AI | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-AIAI-31-001 | Expose consensus rationale API enhancements for Advisory AI. |
+| Sprint 31 | Advisory AI | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-AIAI-31-002 | Provide batching/caching hooks for Advisory AI. |
+| Sprint 31 | Advisory AI | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-AIAI-31-001 | Supply VEX chunks with justifications and signatures. |
+| Sprint 31 | Advisory AI | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-AIAI-31-001 | Expose advisory chunk API with anchors. |
+| Sprint 31 | Advisory AI | src/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-AIAI-31-001 | Provide SBOM path/timeline endpoints for Advisory AI. |
+| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-001 | Bootstrap orchestrator service with Postgres schema/migrations for sources, runs, jobs, dag_edges, artifacts, quotas, schedules. |
+| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-002 | Implement scheduler DAG planner, dependency resolver, and job state machine for read-only tracking. |
+| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-003 | Expose read-only REST APIs (sources, runs, jobs, DAG) with OpenAPI + validation. |
+| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-004 | Ship WebSocket/SSE live update stream and metrics counters/histograms for job lifecycle. |
+| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-005 | Deliver worker claim/heartbeat/progress endpoints capturing artifact metadata and checksums. |
+| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-32-001 | Bootstrap Go worker SDK (client config, job claim, acknowledgement flow) with integration tests. |
+| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-32-002 | Add heartbeat/progress helpers, structured logging, and default metrics exporters to Go SDK. |
+| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-32-001 | Bootstrap Python async SDK with job claim/config adapters and sample worker. |
+| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-32-002 | Implement heartbeat/progress helpers and logging/metrics instrumentation for Python workers. |
+| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-32-001 | Register Concelier sources with orchestrator, publish schedules/rate policies, and seed metadata. |
+| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-32-002 | Embed worker SDK into Concelier ingestion loops emitting progress, heartbeats, and artifact hashes. |
+| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-ORCH-32-001 | Adopt worker SDK in Excititor worker with job claim/heartbeat and artifact summary emission. |
+| Sprint 32 | Orchestrator Dashboard | src/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-ORCH-32-001 | Integrate orchestrator job IDs into SBOM ingest/index pipelines with artifact hashing and status updates. |
+| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-32-101 | Define orchestrator `policy_eval` job contract, idempotency keys, and enqueue hooks for change events. |
+| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-ORCH-32-001 | Expose read-only orchestrator APIs via gateway with tenant scoping, caching headers, and rate limits. |
+| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-ORCH-32-001 | Introduce `orch:read` scope and `Orch.Viewer` role with metadata, discovery docs, and offline defaults. |
+| Sprint 32 | Orchestrator Dashboard | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-ORCH-32-001 | Implement `stella orch sources|runs|jobs` list/show commands with filters, table/JSON output, and exit codes. |
+| Sprint 32 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-32-001 | Author `/docs/orchestrator/overview.md` covering mission, roles, AOC alignment, and imposed rule reminder. |
+| Sprint 32 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-32-002 | Author `/docs/orchestrator/architecture.md` detailing scheduler, DAGs, rate limits, and data model. |
+| Sprint 32 | Orchestrator Dashboard | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ORCH-32-001 | Provision staging Postgres/message-bus charts, CI smoke deploy, and baseline dashboards for queue depth and inflight jobs. |
+| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-001 | Enable source/job control actions (test, pause/resume, retry/cancel/prioritize) with RBAC and audit hooks. |
+| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-002 | Implement adaptive token-bucket rate limiter and concurrency caps reacting to upstream 429/503 signals. |
+| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-003 | Add watermark/backfill manager with event-time windows, duplicate suppression, and preview API. |
+| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-004 | Deliver dead-letter storage, replay endpoints, and surfaced error classes with remediation hints. |
+| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-33-001 | Add artifact upload helpers (object store + checksum) and idempotency guard to Go SDK. |
+| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-33-002 | Implement error classification/retry helper and structured failure report in Go SDK. |
+| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-33-001 | Add artifact publish/idempotency features to Python SDK with object store integration. |
+| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-33-002 | Expose error classification/retry/backoff helpers in Python SDK with structured logging. |
+| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-33-001 | Wire orchestrator control hooks (pause, throttle, retry) into Concelier workers with safe checkpoints. |
+| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-ORCH-33-001 | Honor orchestrator throttles, classify VEX errors, and emit retry-safe checkpoints in Excititor worker. |
+| Sprint 33 | Orchestrator Dashboard | src/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-ORCH-33-001 | Report SBOM ingest backpressure metrics and support orchestrator pause/resume/backfill signals. 
| +| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-33-101 | Implement orchestrator-driven policy evaluation workers with heartbeats, SLO metrics, and rate limit awareness. | +| Sprint 33 | Orchestrator Dashboard | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-ORCH-33-001 | Expose `consensus_compute` orchestrator job type and integrate VEX Lens worker for diff batches. | +| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-ORCH-33-001 | Add control endpoints (actions/backfill) and SSE bridging with permission checks and error mapping. | +| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-ORCH-33-001 | Add `Orch.Operator` role, control action scopes, and enforce reason/ticket field capture. | +| Sprint 33 | Orchestrator Dashboard | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-ORCH-33-001 | Implement CLI action verbs (`sources pause|resume|test`, `jobs retry|cancel`, `jobs tail`) with streaming output. | +| Sprint 33 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-33-001 | Author `/docs/orchestrator/api.md` with endpoints, WebSocket events, error codes, and imposed rule reminder. | +| Sprint 33 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-33-002 | Author `/docs/orchestrator/console.md` covering screens, accessibility, and live updates. | +| Sprint 33 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-33-003 | Author `/docs/orchestrator/cli.md` with command reference, examples, and exit codes. | +| Sprint 33 | Orchestrator Dashboard | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ORCH-33-001 | Publish Grafana dashboards for rate-limit/backpressure/error clustering and configure alert rules with runbooks. 
| +| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-001 | Implement quota management APIs, SLO burn-rate computation, and alert budget tracking. | +| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-002 | Build audit log and immutable run ledger export with signed manifest support. | +| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-003 | Run perf/scale validation (10k jobs, dispatch <150 ms) and add autoscaling hooks. | +| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-004 | Package orchestrator container, Helm overlays, offline bundle seeds, and provenance attestations. | +| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-34-001 | Add backfill range execution, watermark handshake, and artifact dedupe verification to Go SDK. | +| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-34-001 | Add backfill support and deterministic artifact dedupe validation to Python SDK. | +| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-34-001 | Implement orchestrator-driven backfills for advisory sources with idempotent artifact reuse and ledger linkage. | +| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-ORCH-34-001 | Support orchestrator backfills and circuit breaker resets for Excititor sources with auditing. 
| +| Sprint 34 | Orchestrator Dashboard | src/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-ORCH-34-001 | Enable SBOM backfill and watermark reconciliation; emit coverage metrics and flood guard. | +| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-34-101 | Expose policy eval run ledger exports and SLO burn metrics to orchestrator. | +| Sprint 34 | Orchestrator Dashboard | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-ORCH-34-001 | Integrate consensus compute completion events with orchestrator ledger and provenance outputs. | +| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-34-101 | Link orchestrator run ledger entries into Findings Ledger provenance export and audit queries. | +| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-ORCH-34-001 | Expose quotas/backfill/queue metrics endpoints, throttle toggles, and error clustering APIs. | +| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-ORCH-34-001 | Add `Orch.Admin` role for quotas/backfills, enforce audit reason requirements, update docs and offline defaults. | +| Sprint 34 | Orchestrator Dashboard | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-ORCH-34-001 | Implement backfill wizard and quota management commands with dry-run preview and guardrails. | +| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-001 | Author `/docs/orchestrator/run-ledger.md` describing provenance export format and audits. | +| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-002 | Author `/docs/security/secrets-handling.md` covering KMS refs, redaction, and operator hygiene. 
| +| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-003 | Author `/docs/operations/orchestrator-runbook.md` (failures, backfill guide, circuit breakers). | +| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-004 | Author `/docs/schemas/artifacts.md` detailing artifact kinds, schema versions, hashing, storage layout. | +| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-005 | Author `/docs/slo/orchestrator-slo.md` defining SLOs, burn alerts, and measurement strategy. | +| Sprint 34 | Orchestrator Dashboard | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ORCH-34-001 | Harden production dashboards/alerts, synthetic probes, and incident response playbooks for orchestrator. | +| Sprint 34 | Orchestrator Dashboard | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-ORCH-34-001 | Provide Helm/Compose manifests, scaling defaults, and offline kit instructions for orchestrator service. | +| Sprint 34 | Orchestrator Dashboard | ops/offline-kit/TASKS.md | TODO | Offline Kit Guild | DEVOPS-OFFLINE-34-006 | Bundle orchestrator service, worker SDK samples, and Postgres snapshot into Offline Kit with integrity checks. | +| Sprint 35 | Export Center Phase 1 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-001 | Bootstrap exporter service, configuration, and migrations for export profiles/runs/inputs/distributions with tenant scopes. | +| Sprint 35 | Export Center Phase 1 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-002 | Implement planner resolving filters to iterators and orchestrator job contract with deterministic sampling. | +| Sprint 35 | Export Center Phase 1 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-003 | Deliver JSON adapters (raw/policy) with canonical normalization, redaction enforcement, and zstd writers. 
| +| Sprint 35 | Export Center Phase 1 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-004 | Build mirror (full) adapter producing filesystem layout, manifests, and bundle assembly for download profile. | +| Sprint 35 | Export Center Phase 1 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-005 | Implement manifest/provenance writer and KMS signing/attestation for export bundles. | +| Sprint 35 | Export Center Phase 1 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-006 | Expose Export API (profiles, runs, download) with SSE updates, concurrency controls, and audit logging. | +| Sprint 35 | Export Center Phase 1 | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-35-101 | Register export job type, quotas, and rate policies; surface export job telemetry for scheduler. | +| Sprint 35 | Export Center Phase 1 | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-EXPORT-35-001 | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings filtered by scope selectors. | +| Sprint 35 | Export Center Phase 1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-35-201 | Expose deterministic policy snapshot + evaluated findings endpoint aligned with Export Center requirements. | +| Sprint 35 | Export Center Phase 1 | src/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-EXPORT-35-001 | Publish consensus snapshot API delivering deterministic JSON for export consumption. | +| Sprint 35 | Export Center Phase 1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXPORT-35-001 | Route Export Center APIs through gateway with tenant scoping, viewer/operator scopes, and streaming downloads. 
| +| Sprint 35 | Export Center Phase 1 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-EXPORT-35-001 | Define `Export.Viewer|Operator|Admin` scopes/roles, issuer templates, and offline defaults. | +| Sprint 35 | Export Center Phase 1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXPORT-35-001 | Implement `stella export profiles|runs` list/show/create (download) with manifest retrieval and resume-aware downloads. | +| Sprint 35 | Export Center Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-35-001 | Author `/docs/export-center/overview.md` with purpose, profiles, security, and imposed rule reminder. | +| Sprint 35 | Export Center Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-35-002 | Author `/docs/export-center/architecture.md` detailing service components, adapters, manifests, signing, and distribution. | +| Sprint 35 | Export Center Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-35-003 | Publish `/docs/export-center/profiles.md` covering schemas, examples, and compatibility. | +| Sprint 35 | Export Center Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-EXPORT-35-001 | Create exporter CI pipeline (lint/test/perf smoke), object storage fixtures, and initial Grafana dashboards. | +| Sprint 35 | Export Center Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-EXPORT-35-001 | Package exporter service/worker containers, Helm overlays (download-only), and rollout guide. | +| Sprint 36 | Export Center Phase 2 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-001 | Implement Trivy DB adapter (core) with schema mapping, validation, and compatibility gating. | +| Sprint 36 | Export Center Phase 2 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-002 | Add Trivy Java DB variant, shared manifest entries, and adapter regression tests. 
| +| Sprint 36 | Export Center Phase 2 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-003 | Build OCI distribution engine for exports with descriptor annotations and registry auth handling. | +| Sprint 36 | Export Center Phase 2 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-004 | Extend planner/run lifecycle for OCI/object storage distributions with retry + idempotency. | +| Sprint 36 | Export Center Phase 2 | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-36-101 | Add distribution job follow-ups, retention metadata, and metrics for export runs. | +| Sprint 36 | Export Center Phase 2 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXPORT-36-001 | Expose distribution endpoints (OCI/object storage) and manifest/provenance download proxies with RBAC. | +| Sprint 36 | Export Center Phase 2 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXPORT-36-001 | Add `stella export distribute` (OCI/objstore), `run download --resume`, and status polling enhancements. | +| Sprint 36 | Export Center Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-36-004 | Author `/docs/export-center/api.md` with endpoint examples and imposed rule note. | +| Sprint 36 | Export Center Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-36-005 | Publish `/docs/export-center/cli.md` covering commands, scripts, verification, and imposed rule reminder. | +| Sprint 36 | Export Center Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-36-006 | Write `/docs/export-center/trivy-adapter.md` detailing mappings, compatibility, and test matrix. | +| Sprint 36 | Export Center Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-EXPORT-36-001 | Integrate Trivy compatibility validation, OCI push smoke tests, and metrics dashboards for export throughput. 
| +| Sprint 36 | Export Center Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-EXPORT-36-001 | Document registry credentials, OCI push workflows, and automation for export distributions. | +| Sprint 37 | Export Center Phase 3 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-001 | Implement mirror delta adapter, base export linkage, and content-addressed reuse. | +| Sprint 37 | Export Center Phase 3 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-002 | Add bundle encryption, key wrapping with KMS, and verification tooling for encrypted exports. | +| Sprint 37 | Export Center Phase 3 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-003 | Deliver scheduling/retention engine (cron/event triggers), audit trails, and retry idempotency enhancements. | +| Sprint 37 | Export Center Phase 3 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-004 | Provide export verification API and CLI integration, including hash/signature validation endpoints. | +| Sprint 37 | Export Center Phase 3 | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-37-101 | Enable scheduled export runs, retention pruning hooks, and failure alerting integration. | +| Sprint 37 | Export Center Phase 3 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXPORT-37-001 | Surface scheduling, retention, and verification endpoints plus encryption parameter handling. | +| Sprint 37 | Export Center Phase 3 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-EXPORT-37-001 | Add `Export.Admin` scope enforcement for retention, encryption keys, and scheduling APIs. 
| +| Sprint 37 | Export Center Phase 3 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXPORT-37-001 | Implement `stella export schedule`, `run verify`, and bundle verification tooling with signature/hash checks. | +| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-001 | Publish `/docs/export-center/mirror-bundles.md` detailing layouts, deltas, encryption, imposed rule reminder. | +| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-002 | Publish `/docs/export-center/provenance-and-signing.md` covering manifests, attestation, verification. | +| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-003 | Publish `/docs/operations/export-runbook.md` for failures, tuning, capacity, with imposed rule note. | +| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-004 | Publish `/docs/security/export-hardening.md` covering RBAC, isolation, encryption, and imposed rule. | +| Sprint 37 | Export Center Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-EXPORT-37-001 | Finalize dashboards/alerts for exports (failure, verify), retention jobs, and chaos testing harness. | +| Sprint 37 | Export Center Phase 3 | ops/offline-kit/TASKS.md | TODO | Offline Kit Guild | DEVOPS-OFFLINE-37-001 | Package Export Center mirror bundles + verification tooling into Offline Kit with manifest/signature updates. | +| Sprint 38 | Notifications Studio Phase 1 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-001 | Bootstrap notifier service, migrations for notif tables, event ingestion, and rule engine foundation (policy violations + job failures). | +| Sprint 38 | Notifications Studio Phase 1 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-002 | Implement channel adapters (email, chat-webhook, generic webhook) with retry and audit logging. 
| +| Sprint 38 | Notifications Studio Phase 1 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-003 | Deliver template service (versioning, preview), rendering pipeline with redaction, and provenance links. | +| Sprint 38 | Notifications Studio Phase 1 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-004 | Expose initial API (rules CRUD, templates, incidents list, ack) and live feed WS stream. | +| Sprint 38 | Notifications Studio Phase 1 | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-38-101 | Standardize event envelope publication (policy/export/job lifecycle) with idempotency keys for notifier ingestion. | +| Sprint 38 | Notifications Studio Phase 1 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-38-201 | Emit enriched violation events including rationale IDs via orchestrator bus. | +| Sprint 38 | Notifications Studio Phase 1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-NOTIFY-38-001 | Route notifier APIs through gateway with tenant scoping and operator scopes. | +| Sprint 38 | Notifications Studio Phase 1 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-NOTIFY-38-001 | Define `Notify.Viewer|Operator|Admin` scopes, issuer templates, and offline defaults. | +| Sprint 38 | Notifications Studio Phase 1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-NOTIFY-38-001 | Implement `stella notify` rule/template/incident commands (list/create/test/ack) with file-based inputs. | +| Sprint 38 | Notifications Studio Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-NOTIFY-38-001 | Publish `/docs/notifications/overview.md` and `/docs/notifications/architecture.md` ending with imposed rule statement. 
| +| Sprint 38 | Notifications Studio Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-NOTIFY-38-001 | Stand up notifier CI pipelines, event bus fixtures, base dashboards for events/notifications latency. | +| Sprint 38 | Notifications Studio Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-NOTIFY-38-001 | Package notifier API/worker Helm overlays (email/chat/webhook), secrets templates, rollout guide. | +| Sprint 39 | Notifications Studio Phase 2 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-001 | Implement correlation engine, throttling, quiet hours/maintenance evaluator, and incident state machine. | +| Sprint 39 | Notifications Studio Phase 2 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-002 | Add digests generator with Findings Ledger queries and distribution (email/chat). | +| Sprint 39 | Notifications Studio Phase 2 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-003 | Provide simulation engine and API for rule dry-run against historical events. | +| Sprint 39 | Notifications Studio Phase 2 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-004 | Integrate quiet hours calendars and default throttles with audit logging. | +| Sprint 39 | Notifications Studio Phase 2 | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-NOTIFY-39-001 | Optimize digest queries and provide API for notifier to fetch unresolved policy violations/SBOM deltas. | +| Sprint 39 | Notifications Studio Phase 2 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-NOTIFY-39-001 | Surface digest scheduling, simulation, and throttle management endpoints via gateway. | +| Sprint 39 | Notifications Studio Phase 2 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-NOTIFY-39-001 | Add simulation/digest CLI verbs and advanced filtering for incidents. 
| +| Sprint 39 | Notifications Studio Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-NOTIFY-39-002 | Publish `/docs/notifications/rules.md`, `/templates.md`, `/digests.md` with imposed rule reminder. | +| Sprint 39 | Notifications Studio Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-NOTIFY-39-002 | Add throttling/quiet-hours dashboards, digest job monitoring, and storm breaker alerts. | +| Sprint 40 | Notifications Studio Phase 3 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-001 | Implement escalations, on-call schedules, ack bridge, PagerDuty/OpsGenie adapters, and localization bundles. | +| Sprint 40 | Notifications Studio Phase 3 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-002 | Add CLI inbox/in-app feed channels and summary storm breaker notifications. | +| Sprint 40 | Notifications Studio Phase 3 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-003 | Harden security: signed ack links, webhook HMAC/IP allowlists, tenant isolation fuzzing, localization fallback. | +| Sprint 40 | Notifications Studio Phase 3 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-004 | Finalize observability (incident metrics, escalation latency) and chaos tests for channel outages. | +| Sprint 40 | Notifications Studio Phase 3 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-NOTIFY-40-001 | Enforce ack token signing/rotation, webhook allowlists, and admin-only escalation settings. | +| Sprint 40 | Notifications Studio Phase 3 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-NOTIFY-40-001 | Expose escalation, localization, channel health endpoints and verification of signed links. 
| +| Sprint 40 | Notifications Studio Phase 3 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-NOTIFY-40-001 | Implement ack token redemption, escalation management, localization previews. | +| Sprint 40 | Notifications Studio Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-NOTIFY-40-001 | Publish `/docs/notifications/channels.md`, `/escalations.md`, `/api.md`, `/operations/notifier-runbook.md`, `/security/notifications-hardening.md` with imposed rule lines. | +| Sprint 40 | Notifications Studio Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-NOTIFY-40-001 | Finalize notifier dashboards/alerts (escalation failures, ack latency), chaos testing harness, and channel health monitoring. | +| Sprint 40 | Notifications Studio Phase 3 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-NOTIFY-40-001 | Package notifier escalations + localization deployment overlays, signed ack token rotation scripts, and rollback guidance. | +| Sprint 40 | Notifications Studio Phase 3 | ops/offline-kit/TASKS.md | TODO | Offline Kit Guild | DEVOPS-OFFLINE-37-001 | Bundle notifier sample configs, template/digest packs, and incident playbook into Offline Kit with integrity checks. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-CORE-41-001 | Implement CLI config/auth foundation, global flags, output renderer, and error/exit code mapping. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PARITY-41-001 | Deliver parity command groups (`policy`, `sbom`, `vuln`, `vex`, `advisory`, `export`, `orchestrator`) with JSON/table outputs and `--explain`. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PARITY-41-002 | Implement `notify`, `aoc`, `auth` command groups, idempotency keys, completions, and parity matrix export. 
| +| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-41-001 | Bootstrap Task Runner service, migrations, run API, local executor, approvals pause, artifact capture. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/StellaOps.PacksRegistry/TASKS.md | TODO | Packs Registry Guild | PACKS-REG-41-001 | Implement packs index API, signature verification, provenance storage, and RBAC. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-41-101 | Register `pack-run` job type, integrate logs/artifacts, expose pack run metadata. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-PACKS-41-001 | Define CLI SSO scopes and Packs (`Packs.Read/Write/Run/Approve`) roles; update discovery/offline defaults. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-41-001 | Publish `/docs/cli/overview.md`, `/cli/configuration.md`, `/cli/output-and-exit-codes.md` (with imposed rule). | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CLI-41-001 | Establish CLI build pipeline (multi-platform binaries, SBOM, checksums) and parity matrix CI enforcement. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-CLI-41-001 | Package CLI release artifacts (tarballs, completions, container image) with distribution docs. | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PARITY-41-001..002 | Close parity gaps for Notifications, Policy Studio advanced features, SBOM graph, Vuln Explorer; parity matrix green. 
| +| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PACKS-42-001 | Implement Task Pack CLI commands (`pack plan/run/push/pull/verify`) with plan/simulate engine and expression sandbox. | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-42-001 | Add loops, conditionals, `maxParallel`, outputs, simulation mode, policy gates in Task Runner. | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/StellaOps.PacksRegistry/TASKS.md | TODO | Packs Registry Guild | PACKS-REG-42-001 | Support pack version lifecycle, tenant allowlists, provenance export, signature rotation. | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-42-101 | Stream pack run logs via SSE/WS, expose artifact manifests, enforce pack run quotas. | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-42-201 | Provide stable rationale IDs/APIs for CLI `--explain` and pack policy gates. | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-PACKS-42-001 | Expose snapshot/time-travel APIs for CLI offline mode and pack simulation. | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-42-001 | Publish `/docs/cli/parity-matrix.md`, `/cli/commands/*.md`, `/docs/task-packs/spec.md` (imposed rule). | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CLI-42-001 | Add CLI golden output tests, parity diff automation, and pack run CI harness. | +| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PACKS-42-001 | Deliver advanced pack features (approvals pause/resume, remote streaming, secret injection), localization, man pages. 
|
+| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-42-001 | Implement approvals workflow, notifications integration, remote artifact uploads, chaos resilience. |
+| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/StellaOps.PacksRegistry/TASKS.md | TODO | Packs Registry Guild | PACKS-REG-42-001 | Enforce pack signing policies, audit trails, registry mirroring, Offline Kit support. |
+| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-005, PACKS-REG-41-001 | Integrate pack run manifests into export bundles and CLI verify flows. |
+| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-001 | Emit `pack.run.started|completed|failed` notifications with CLI deep links. |
+| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-PACKS-41-001 | Enforce pack signing policies, approval RBAC, CLI token scopes for CI headless runs. |
+| Sprint 43 | CLI Parity & Task Packs Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-PACKS-43-001 | Publish `/docs/task-packs/authoring-guide.md`, `/registry.md`, `/runbook.md`, `/security/pack-signing-and-rbac.md`, `/operations/cli-release-and-packaging.md` (imposed rule). |
+| Sprint 43 | CLI Parity & Task Packs Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CLI-43-001 | Finalize multi-platform release automation, SBOM signing, parity gate enforcement, pack run chaos tests. |
+| Sprint 40 | Notifications Studio Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-NOTIFY-40-001 | Finalize notifier dashboards/alerts (escalation failures, ack latency), chaos testing harness, and channel health monitoring. 
|
+| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DOCKER-44-001 | Author multi-stage Dockerfiles with non-root users, read-only FS, and health scripts for all services. |
+| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DOCKER-44-002 | Generate SBOMs and cosign attestations for each image; integrate signature verification in CI. |
+| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DOCKER-44-003 | Ensure `/health/*`, `/version`, `/metrics`, and capability endpoints (`merge=false`) are exposed across services. |
+| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | COMPOSE-44-001 | Deliver Quickstart Compose stack with seed data and quickstart script. |
+| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | COMPOSE-44-002 | Provide backup/reset scripts with guardrails and documentation. |
+| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | COMPOSE-44-003 | Implement seed job and onboarding wizard toggle (`QUICKSTART_MODE`). |
+| Sprint 44 | Containerized Distribution Phase 1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONTAINERS-44-001 | Expose config discovery and quickstart handling with health/version endpoints. |
+| Sprint 44 | Containerized Distribution Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-44-001 | Publish install overview + Compose Quickstart docs (imposed rule). |
+| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONTAINERS-44-001 | Automate multi-arch builds with SBOM/signature pipeline. |
+| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-COMPOSE-44-001 | Finalize Quickstart scripts and README. 
|
+| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | HELM-45-001 | Scaffold Helm chart with component toggles and pinned digests. |
+| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | HELM-45-002 | Add security features (TLS, NetworkPolicy, Secrets integration). |
+| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | HELM-45-003 | Implement HPA, PDB, readiness gates, and observability hooks. |
+| Sprint 45 | Containerized Distribution Phase 2 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONTAINERS-45-001 | Ensure readiness endpoints and config toggles support Helm deployments. |
+| Sprint 45 | Containerized Distribution Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-45-001 | Publish Helm production + configuration reference docs (imposed rule). |
+| Sprint 45 | Containerized Distribution Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONTAINERS-45-001 | Add Compose/Helm smoke tests to CI. |
+| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-HELM-45-001 | Publish Helm install guide and sample values. |
+| Sprint 46 | Containerized Distribution Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-46-001 | Publish air-gap, supply chain, health/readiness, image catalog, console onboarding docs (imposed rule). |
+| Sprint 46 | Containerized Distribution Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONTAINERS-46-001 | Build signed air-gap bundle and verify in CI. |
+| Sprint 46 | Containerized Distribution Phase 3 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-AIRGAP-46-001 | Provide air-gap load script and docs. 
|
+| Sprint 46 | Containerized Distribution Phase 3 | ops/offline-kit/TASKS.md | TODO | Offline Kit Guild | OFFLINE-CONTAINERS-46-001 | Include air-gap bundle and instructions in Offline Kit. |
+| Sprint 46 | Containerized Distribution Phase 3 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONTAINERS-46-001 | Harden offline mode and document fallback behavior. |
+| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-TEN-47-001 | Implement unified JWT/ODIC config, scope grammar, tenant/project claims, and JWKS caching in Authority. |
+| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-TEN-47-001 | Add auth middleware (token verification, tenant activation, scope checks) and structured 403 responses. |
+| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-TEN-47-001 | Ship `stella login`, `whoami`, `tenants list`, and tenant flag persistence with secure token storage. |
+| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-TEN-47-001 | Integrate JWKS caching, signature verification tests, and auth regression suite into CI. |
+| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-TEN-47-001 | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` (imposed rule). |
+| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-TEN-48-001 | Enforce tenant context through persistence (DB GUC, object store prefix), add request annotations, and emit audit events. 
|
+| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-TEN-48-001 | Add `tenant_id`/`project_id` to policy data, enable Postgres RLS, and expose rationale IDs with tenant context. |
+| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-TEN-48-001 | Partition findings by tenant/project, enable RLS, and update queries/events to include tenant context. |
+| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-TEN-48-001 | Stamp jobs with tenant/project, set DB session context, and reject jobs without context. |
+| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-TEN-48-001 | Propagate tenant/project to all steps, enforce object store prefix, and validate before execution. |
+| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-TEN-48-001 | Add tenant prefixes to manifests/artifacts, enforce scope checks, and block cross-tenant exports by default. |
+| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-TEN-48-001 | Tenant-scope notification rules, incidents, and outbound channels; update storage schemas. |
+| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-TEN-48-001 | Ensure advisory linkers operate per tenant with RLS, enforce aggregation-only capability endpoint. |
+| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-TEN-48-001 | Same as above for VEX linkers; enforce capability endpoint `merge=false`. 
|
+| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-TEN-48-001 | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md` (imposed rule). |
+| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-TEN-48-001 | Write integration tests for RLS enforcement, tenant audit stream, and object store prefix checks. |
+| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-TEN-49-001 | Implement service accounts, delegation tokens (`act` chain), per-tenant quotas, and audit log streaming. |
+| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-TEN-49-001 | Integrate ABAC policy overlay (optional), expose audit API, and support service token minting endpoints. |
+| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-TEN-49-001 | Add service account token minting, delegation, and `--impersonate` banner/controls. |
+| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-TEN-49-001 | Publish `/docs/cli/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, `/docs/install/configuration-reference.md` updates (imposed rule). |
+| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-TEN-49-001 | Implement audit log pipeline, monitor scope usage, chaos tests for JWKS outage, and tenant load/perf tests. |
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-50-001 | Bootstrap telemetry core library with structured logging, OTLP exporters, and deterministic bootstrap. 
|
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-50-002 | Deliver context propagation middleware for HTTP/gRPC/jobs/CLI carrying trace + tenant metadata. |
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-50-001 | Deploy default OpenTelemetry collector manifests with secure OTLP pipeline. |
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-50-002 | Stand up multi-tenant metrics/logs/traces backends with retention and isolation. |
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-50-003 | Package telemetry stack configs for offline/air-gapped installs with signatures. |
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OBS-50-001 | Introduce observability/timeline/evidence/attestation scopes and update discovery metadata. |
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-50-001 | Integrate telemetry core into gateway and emit structured traces/logs for all routes. |
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-50-001 | Instrument orchestrator scheduler/control APIs with telemetry core spans/logs. |
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-50-001 | Adopt telemetry core in Task Runner host and workers with scrubbed transcripts. 
|
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-50-001 | Wire telemetry core through ledger writer/projector for append/replay operations. |
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-50-001 | Replace ad-hoc logging with telemetry core across advisory ingestion/linking. |
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-50-001 | Adopt telemetry core in Concelier APIs and surface correlation IDs. |
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-50-001 | Integrate telemetry core into VEX ingestion/linking with scope metadata. |
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-50-001 | Add telemetry core to VEX APIs and emit trace headers. |
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-50-001 | Instrument policy compile/evaluate flows with telemetry core spans/logs. |
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-50-001 | Enable telemetry core in export planner/workers capturing bundle metadata. |
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-50-001 | Propagate trace headers from CLI commands and print correlation IDs. 
|
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-50-001 | Author `/docs/observability/overview.md` with imposed rule banner and architecture context. |
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-50-002 | Document telemetry standards (fields, scrubbing, sampling) under `/docs/observability/telemetry-standards.md`. |
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-50-003 | Publish structured logging guide `/docs/observability/logging.md` with examples and imposed rule banner. |
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-50-004 | Publish tracing guide `/docs/observability/tracing.md` covering context propagation and sampling. |
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-SEC-OBS-50-001 | Update `/docs/security/redaction-and-privacy.md` for telemetry privacy controls. |
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-50-001 | Add `/docs/install/telemetry-stack.md` for collector deployment and offline packaging. |
+| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-51-001 | Ship metrics helpers + exemplar guards for golden signals. |
+| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.Telemetry.Core/TASKS.md | TODO | Security Guild | TELEMETRY-OBS-51-002 | Implement logging scrubbing and tenant debug override controls. |
+| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-51-001 | Deploy SLO evaluator service, dashboards, and alert routing. 
|
+| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OBS-51-001 | Ingest SLO burn-rate webhooks and deliver observability alerts. |
+| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-51-001 | Expose `/obs/health` and `/obs/slo` aggregations for services. |
+| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-51-001 | Publish orchestration metrics, SLOs, and burn-rate alerts. |
+| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-51-001 | Emit task runner golden-signal metrics and SLO alerts. |
+| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-51-001 | Add ledger/projector metrics dashboards and burn-rate policies. |
+| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-51-001 | Emit ingest latency metrics + SLO thresholds for advisories. |
+| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-51-001 | Provide VEX ingest metrics and SLO burn-rate automation. |
+| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-51-001 | Publish policy evaluation metrics + dashboards meeting SLO targets. |
+| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-51-001 | Capture export planner/bundle latency metrics and SLOs. 
|
+| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-51-001 | Implement `stella obs top` streaming health metrics command. |
+| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-51-001 | Publish `/docs/observability/metrics-and-slos.md` with alert policies. |
+| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-52-001 | Bootstrap timeline indexer service and schema with RLS scaffolding. |
+| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-52-002 | Implement event ingestion pipeline with ordering and dedupe. |
+| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-52-003 | Expose timeline query APIs with tenant filters and pagination. |
+| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.TimelineIndexer/TASKS.md | TODO | Security Guild | TIMELINE-OBS-52-004 | Finalize RLS + scope enforcement and audit logging for timeline reads. |
+| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-52-001 | Configure streaming pipelines and schema validation for timeline events. |
+| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-52-001 | Provide trace/log proxy endpoints bridging to timeline + log store. 
|
+| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-52-001 | Emit job lifecycle timeline events with tenant/project metadata. |
+| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-52-001 | Emit pack run timeline events and dedupe logic. |
+| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-52-001 | Record ledger append/projection events into timeline stream. |
+| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-52-001 | Emit advisory ingest/link timeline events with provenance metadata. |
+| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-52-001 | Provide SSE bridge for advisory timeline events. |
+| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-52-001 | Emit VEX ingest/link timeline events with justification info. |
+| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-52-001 | Stream VEX timeline updates to clients with tenant filters. |
+| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-52-001 | Emit policy decision timeline events with rule summaries and trace IDs. 
|
+| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-52-001 | Publish export lifecycle events into timeline. |
+| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-52-001 | Add `stella obs trace` + log commands correlating timeline data. |
+| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-OBS-52-001 | Document Console observability hub and trace/log search workflows. |
+| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-OBS-52-002 | Publish Console forensics/timeline guidance with imposed rule banner. |
+| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-OBS-52-001 | Document `stella obs` CLI commands and scripting patterns. |
+| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-53-001 | Bootstrap evidence locker service with schema, storage abstraction, and RLS. |
+| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-53-002 | Implement bundle builders for evaluation, job, and export snapshots. |
+| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-53-003 | Expose evidence APIs (create/get/verify/hold) with audit + quotas. |
+| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-53-001 | Link timeline events to evidence bundle digests and expose evidence lookup endpoint. 
|
+| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-53-001 | Attach job capsules + manifests to evidence locker snapshots. |
+| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-53-001 | Capture step transcripts and manifests into evidence bundles. |
+| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-53-001 | Persist evidence bundle references alongside ledger entries and expose lookup API. |
+| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-53-001 | Generate advisory evidence payloads (raw doc, linkset diff) for locker. |
+| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-53-001 | Add `/evidence/advisories/*` gateway endpoints consuming locker APIs. |
+| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-53-001 | Produce VEX evidence payloads and push to locker. |
+| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-53-001 | Expose `/evidence/vex/*` endpoints retrieving locker bundles. |
+| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-53-001 | Build evaluation evidence bundles (inputs, rule traces, engine version). 
|
+| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-53-001 | Store export manifests + transcripts within evidence bundles. |
+| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-FORENSICS-53-001 | Ship `stella forensic snapshot` commands invoking evidence locker. |
+| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-53-001 | Provision WORM-capable storage, legal hold automation, and backup/restore scripts for evidence locker. |
+| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | docs/TASKS.md | TODO | Docs Guild | DOCS-FORENSICS-53-001 | Publish `/docs/forensics/evidence-locker.md` covering bundles, WORM, legal holds. |
+| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | docs/TASKS.md | TODO | Docs Guild | DOCS-FORENSICS-53-003 | Publish `/docs/forensics/timeline.md` with schema and query examples. |
+| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-FORENSICS-53-001 | Document `stella forensic` CLI workflows with sample bundles. |
+| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild | PROV-OBS-53-001 | Implement DSSE/SLSA models with deterministic serializer + test vectors. |
+| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild | PROV-OBS-53-002 | Build signer abstraction (cosign/KMS/offline) with policy enforcement. 
|
+| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild | PROV-OBS-54-001 | Deliver verification library validating DSSE signatures + Merkle roots. |
+| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild, DevEx/CLI Guild | PROV-OBS-54-002 | Package provenance verification tool for CLI integration and offline use. |
+| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-54-001 | Attach DSSE signing/timestamping to evidence bundles and emit timeline hooks. |
+| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-54-002 | Provide bundle packaging + offline verification fixtures. |
+| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-54-001 | Produce DSSE attestations for jobs and surface verification endpoint. |
+| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-54-001 | Generate pack run attestations and link to timeline/evidence. |
+| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-54-001 | Sign advisory batches with DSSE attestations and expose verification. |
+| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-54-001 | Add `/attestations/advisories/*` endpoints surfacing verification metadata. 
|
+| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-54-001 | Produce VEX batch attestations linking to timeline/ledger. |
+| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-54-001 | Expose `/attestations/vex/*` endpoints with verification summaries. |
+| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-54-001 | Generate DSSE attestations for policy evaluations and expose verification API. |
+| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-54-001 | Produce export attestation manifests and CLI verification hooks. |
+| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-FORENSICS-54-001 | Implement `stella forensic verify` command verifying bundles + signatures. |
+| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-FORENSICS-54-002 | Add `stella forensic attest show` command with signer/timestamp details. |
+| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | docs/TASKS.md | TODO | Docs Guild | DOCS-FORENSICS-53-002 | Publish `/docs/forensics/provenance-attestation.md` covering signing + verification. |
+| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-54-001 | Manage provenance signing infrastructure (KMS keys, timestamp authority) and CI verification. 
| +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-55-001 | Implement incident mode sampling toggle API with activation audit trail. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-55-001 | Deliver `/obs/incident-mode` control endpoints with audit + retention previews. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-55-001 | Increase telemetry + evidence capture during incident mode and emit activation events. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-55-001 | Capture extra debug data + notifications for incident mode runs. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-55-001 | Extend retention and diagnostics capture during incident mode. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-55-001 | Increase sampling and raw payload retention under incident mode with redaction guards. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-55-001 | Provide incident mode toggle endpoints and propagate to services. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-55-001 | Enable incident sampling + retention overrides for VEX pipelines. 
| +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-55-001 | Add incident mode APIs for VEX services with audit + guardrails. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-55-001 | Capture full rule traces + retention bump on incident activation with timeline events. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-55-001 | Increase export telemetry + debug retention during incident mode and emit events. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-55-001 | Extend evidence retention + activation events for incident windows. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-55-001 | Ship `stella obs incident-mode` commands with safeguards and audit logging. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-55-001 | Automate incident mode activation via SLO alerts, retention override management, and reset job. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OBS-55-001 | Send incident mode start/stop notifications with quick links to evidence/timeline. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OBS-55-001 | Enforce `obs:incident` scope with fresh-auth requirement and audit export for toggles. 
| +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | docs/TASKS.md | TODO | Docs Guild | DOCS-RUNBOOK-55-001 | Publish `/docs/runbooks/incidents.md` covering activation, escalation, and verification checklist. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.AirGap.Controller/TASKS.md | TODO | AirGap Controller Guild | AIRGAP-CTL-56-001 | Implement sealing state machine, persistence, and RBAC scopes for air-gapped status. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.AirGap.Controller/TASKS.md | TODO | AirGap Controller Guild | AIRGAP-CTL-56-002 | Expose seal/status APIs with policy hash validation and staleness placeholders. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-56-001 | Ship `EgressPolicy` facade with sealed/unsealed enforcement and remediation errors. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-56-002 | Deliver Roslyn analyzer blocking raw HTTP clients; wire into CI. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-56-001 | Publish deny-all egress policies and verification script for sealed environments. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-56-002 | Provide bundle staging/import scripts for air-gapped object stores. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-56-003 | Build Bootstrap Pack pipeline bundling images/charts with checksums. 
| +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-56-001 | (Carry) Extend telemetry core with sealed-mode hooks before integration. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-56-001 | Extend telemetry core usage for sealed-mode status surfaces (seal/unseal dashboards, drift signals). | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-56-001 | Implement mirror create/verify and airgap verify commands. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.Mirror.Creator/TASKS.md | TODO | Mirror Creator Guild | MIRROR-CRT-56-001 | Build deterministic bundle assembler (advisories/vex/policy). | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-56-001 | Implement DSSE/TUF/Merkle verification helpers. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-56-002 | Enforce root rotation policy for bundles. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-AIRGAP-56-001 | Add mirror ingestion adapters preserving source metadata. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-AIRGAP-56-001 | Add VEX mirror ingestion adapters. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-56-001 | Accept policy packs from bundles with provenance tracking. 
| +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-56-001 | Extend export center to build mirror bundles. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-56-001 | Enforce sealed-mode plan validation for network calls. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-56-001 | Validate jobs against sealed-mode restrictions. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-001 | Publish `/docs/airgap/overview.md`. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-002 | Document sealing and egress controls. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-003 | Publish mirror bundles guide. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-004 | Publish bootstrap pack guide. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-50-001 | Ensure telemetry propagation for sealed logging. | + +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-57-001 | Implement bundle catalog with RLS + migrations. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-57-002 | Load artifacts into object store with checksum verification. 
| +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.Mirror.Creator/TASKS.md | TODO | Mirror Creator Guild | MIRROR-CRT-57-001 | Add OCI image support to mirror bundles. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.Mirror.Creator/TASKS.md | TODO | Mirror Creator Guild | MIRROR-CRT-57-002 | Embed signed time anchors in bundles. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.AirGap.Time/TASKS.md | TODO | AirGap Time Guild | AIRGAP-TIME-57-001 | Parse signed time tokens and expose normalized anchors. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-57-001 | Adopt EgressPolicy in core services. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-57-002 | Enforce Task Runner job plan validation. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-56-002 | Provide bundle ingestion helper steps. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-56-002 | Integrate sealing status + staleness into scheduling. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-57-001 | Complete airgap import CLI with diff preview. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-57-002 | Ship seal/status CLI commands. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-56-002 | Deliver bootstrap pack artifacts. 
| +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-56-001 | Lock notifications to enclave-safe channels. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-57-001 | Automate mirror bundle creation with approvals. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-57-002 | Run sealed-mode CI suite enforcing zero egress. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-001 | Publish staleness/time doc. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-002 | Publish console airgap doc. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-003 | Publish CLI airgap doc. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-004 | Publish airgap operations runbook. | + +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.AirGap.Time/TASKS.md | TODO | AirGap Time Guild | AIRGAP-TIME-58-001 | Compute drift/staleness metrics and surface via controller status. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.AirGap.Time/TASKS.md | TODO | AirGap Time Guild | AIRGAP-TIME-58-002 | Emit notifications/events for staleness budgets. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.AirGap.Controller/TASKS.md | TODO | AirGap Controller Guild | AIRGAP-CTL-58-001 | Persist time anchor data and expose drift metrics. 
| +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-58-001 | Disable remote observability exporters in sealed mode. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-58-002 | Add CLI sealed-mode guard. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-58-001 | Ship portable evidence export helper. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-58-001 | Capture import job evidence transcripts. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-58-001 | Link import/export jobs to timeline/evidence. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-AIRGAP-57-002 | Annotate advisories with staleness metadata. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-AIRGAP-57-002 | Annotate VEX statements with staleness metadata. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-57-002 | Show degradation fallback info in explain traces. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-57-001 | Notify on drift/staleness thresholds. 
| +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-57-001 | Add portable evidence export integration. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-001 | Publish degradation matrix doc. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-002 | Update trust & signing doc for DSSE/TUF roots. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-003 | Publish developer airgap contracts doc. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-004 | Document portable evidence workflows. | + +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-57-001 | Block execution when seal state mismatched; emit timeline events. | +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-57-001 | Automate mirror bundle job scheduling with audit provenance. | +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-57-001 | Enforce sealed-mode guardrails inside evaluation engine. | +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-AIRGAP-57-001 | Map sealed-mode violations to standard errors. 
| +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-AIRGAP-57-001 | Map sealed-mode violations to standard errors. | +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-58-001 | Emit notifications/timeline for bundle readiness. | +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-AIRGAP-56-002 | Enforce staleness thresholds for findings exports. | +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-58-001 | Notify on portable evidence exports. | + +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-55-001 | Extend retention + portable evidence exports for sealed environments. | +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-58-001 | Finalize portable evidence CLI workflow with verification. | +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-AIRGAP-57-001 | Link findings to portable evidence bundles. | +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-58-001 | Notify on stale policy packs and guide remediation. | +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-AIRGAP-58-001 | Emit timeline events for bundle imports. 
| +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-AIRGAP-58-001 | Emit timeline events for VEX bundle imports. | +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-58-001 | (Carry) Portable evidence notifications. | +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-004 | Document portable evidence workflows. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-61-001 | Scaffold per-service OpenAPI skeletons with shared components. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-61-002 | Build aggregate composer and integrate into CI. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-61-001 | Configure lint rules and CI enforcement. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-61-002 | Enforce example coverage in CI. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OAS-61-001 | Add OAS lint/validation/diff stages to CI. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-61-001 | Implement gateway discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-61-002 | Standardize error envelope across gateway. 
| +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OAS-61-001 | Extend Orchestrator spec coverage. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OAS-61-002 | Provide orchestrator discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-61-001 | Document Task Runner APIs in OAS. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-61-002 | Expose Task Runner discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-61-001 | Update advisory OAS coverage. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-61-002 | Populate advisory examples. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OAS-61-001 | Implement Concelier discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OAS-61-002 | Standardize error envelope. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-61-001 | Update VEX OAS coverage. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-61-002 | Provide VEX examples. 
| +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OAS-61-001 | Implement discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OAS-61-002 | Migrate errors to standard envelope. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-61-001 | Expand Findings Ledger spec coverage. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-61-002 | Provide ledger discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-61-001 | Update Exporter spec coverage. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-61-002 | Implement Exporter discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-61-001 | Update notifier spec coverage. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-61-002 | Implement notifier discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-61-001 | Document Authority authentication APIs in OAS. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-61-002 | Provide Authority discovery endpoint. 
| +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-61-001 | Publish `/docs/api/overview.md`. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-61-002 | Publish `/docs/api/conventions.md`. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-61-003 | Publish `/docs/api/versioning.md`. | + +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-62-001 | Populate examples for top endpoints. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-62-001 | Implement compatibility diff tool. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-62-001 | Build static generator with nav/search. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-62-002 | Add schema viewer, examples, version selector. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-62-001 | Deploy `/docs/api/reference/` generated site. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-SDK-62-001 | Publish SDK overview + language guides. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-DEVPORT-62-001 | Document dev portal publishing. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-CONTRIB-62-001 | Publish API contracts contributing guide. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-TEST-62-001 | Publish contract testing doc. 
| +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-SEC-62-001 | Update auth scopes documentation. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-62-001 | Establish generator framework. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-62-002 | Implement shared post-processing helpers. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-62-002 | Integrate schema diagrams/examples. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-62-001 | Provide SDK examples for pack runs. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-62-001 | Ensure SDK streaming helpers for exports. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-62-001 | Provide SDK examples for notifier APIs. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-62-001 | Add SDK smoke tests for advisory APIs. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-62-001 | Add SDK tests for VEX APIs. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-62-001 | Provide SDK tests for ledger APIs. 
|
+| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-62-001 | Provide SDK auth helpers/tests. |
+| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-62-001 | Align pagination/idempotency behaviors. |
+| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OAS-62-001 | Add advisory API examples. |
+| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OAS-62-001 | Provide VEX API examples. |
+| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-62-001 | Publish notifier examples. |
+| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-62-001 | Migrate CLI to official SDK. |
+| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-62-002 | Update CLI error handling for new envelope. |
+| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-62-001 | Generate mock server fixtures. |
+| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-62-002 | Integrate mock server into CI. |
+
+| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-001 | Release TypeScript SDK alpha. |
+| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-002 | Release Python SDK alpha. |
+| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-003 | Release Go SDK alpha. |
+| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-004 | Release Java SDK alpha. |
+| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-63-001 | Configure SDK release pipelines. |
+| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-63-002 | Automate changelogs from OAS diffs. |
+| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-63-001 | Add Try-It console. |
+| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-63-002 | Embed SDK snippets/quick starts. |
+| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-63-001 | Build replay harness for drift detection. |
+| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-63-002 | Emit contract testing metrics. |
+| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-63-001 | Add CLI spec download command. |
+| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-63-001 | Integrate compatibility diff gating. |
+| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-63-001 | Compatibility diff support. |
+| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-63-002 | Define discovery schema metadata. |
+| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | docs/TASKS.md | TODO | Docs Guild | DOCS-TEST-62-001 | (Carry) ensure contract testing doc final. |
+
+| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-64-001 | Migrate CLI to SDK. |
+| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-64-002 | Integrate SDKs into Console. |
+| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-64-001 | Hook SDK releases to Notifications. |
+| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-64-002 | Produce devportal offline bundle. |
+| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-64-001 | Offline portal build. |
+| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-64-002 | Add accessibility/performance checks. |
+| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/StellaOps.ExportCenter.DevPortalOffline/TASKS.md | TODO | DevPortal Offline Guild | DVOFF-64-001 | Implement devportal offline export job. |
+| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/StellaOps.ExportCenter.DevPortalOffline/TASKS.md | TODO | DevPortal Offline Guild | DVOFF-64-002 | Provide verification CLI. |
+| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-DEVPORT-63-001 | Automate developer portal pipeline. |
+| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-DEVPORT-64-001 | Schedule offline bundle builds. |
+| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-DEVPORT-64-001 | Document devportal offline usage. |
+
+| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-63-001 | (Carry) compatibility gating monitoring. |
+| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-63-001 | (Reinforce) notifications integration for deprecations. |
+| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-64-001 | Production rollout of notifications feed. |
+| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-63-001 | Emit deprecation notifications. |
+| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-63-001 | Implement deprecation headers in gateway. |
+| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OAS-63-001 | Add orchestrator deprecation headers. |
+| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-63-001 | Add Task Runner deprecation headers. |
+| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-63-001 | Deprecation metadata for Concelier APIs. |
+| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-63-001 | Deprecation metadata for VEX APIs. |
+| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-63-001 | Deprecation headers for ledger APIs. |
+| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-63-001 | Deprecation headers for exporter APIs. |
+| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-63-001 | Deprecation headers for notifier APIs. |
+| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-63-001 | Deprecation headers for auth endpoints. |
+| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-64-001 | SDK update awareness command. |
+| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-DEVPORT-64-001 | (Carry) ensure offline doc published; update as necessary. |
+| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-66-001 | Deliver RiskProfile schema + validators. |
+| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-66-002 | Implement inheritance/merge and hashing. |
+| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-66-001 | Scaffold risk engine queue/worker/registry. |
+| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-66-002 | Implement transforms/gates/contribution calculator. |
+| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-66-003 | Integrate schema validation into Policy Engine. |
+| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-RISK-66-004 | Extend Policy libraries for RiskProfile handling. |
+| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-66-001 | Add risk scoring columns/indexes. |
+| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-66-002 | Implement deterministic scoring upserts. |
+| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-RISK-66-001 | Expose CVSS/KEV provider data. |
+| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-RISK-66-002 | Provide fix availability signals. |
+| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-RISK-66-001 | Supply VEX gating data to risk engine. |
+| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-RISK-66-002 | Provide reachability inputs. |
+| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-66-001 | Expose risk API routing in gateway. |
+| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-66-002 | Handle explainability downloads. |
+| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-66-001 | Implement CLI profile management commands. |
+| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-66-002 | Implement CLI simulation command. |
+| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-66-001 | Create risk severity alert templates. |
+| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-001 | Publish `/docs/risk/overview.md`. |
+| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-002 | Publish `/docs/risk/profiles.md`. |
+| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-003 | Publish `/docs/risk/factors.md`. |
+| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-004 | Publish `/docs/risk/formulas.md`. |
+
+| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-67-001 | Integrate CVSS/KEV providers. |
+| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-67-002 | Integrate VEX gate provider. |
+| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-67-003 | Add fix availability/criticality/exposure providers. |
+| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-67-001 | Integrate profiles into policy store lifecycle. |
+| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-67-002 | Publish schema endpoint + validation tooling. |
+| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-67-001 | Enqueue scoring on new findings. |
+| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-67-002 | Deliver profile lifecycle APIs. |
+| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-RISK-67-003 | Provide simulation orchestration APIs. |
+| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-67-001 | Notify on profile publish/deprecate. |
+| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-RISK-67-001 | Add source consensus metrics. |
+| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-RISK-67-001 | Add VEX explainability metadata. |
+| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-67-001 | Provide risk status endpoint. |
+| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-67-001 | Provide risk results query command. |
+| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-001 | Publish explainability doc. |
+| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-002 | Publish risk API doc. |
+| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-003 | Publish console risk UI doc. |
+| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-004 | Publish CLI risk doc. |
+| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | (Prep) risk routing settings seeds. |
+
+| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-68-001 | Persist scoring results & explanations. |
+| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-68-002 | Expose jobs/results/explanations APIs. |
+| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-67-001 | Provide scored findings query API. |
+| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-68-001 | Enable scored findings export. |
+| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-68-001 | Ship simulation API endpoint. |
+| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-RISK-68-002 | Support profile export/import. |
+| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | Configure risk notification routing UI/logic. |
+| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-68-001 | Emit severity transition events via gateway. |
+| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-68-001 | Add risk bundle verification command. |
+| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-68-001 | Publish risk bundle doc. |
+| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-68-002 | Update AOC invariants doc. |
+
+| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-69-001 | Implement simulation mode. |
+| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-69-002 | Add telemetry/metrics dashboards. |
+| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-66-001 | (Completion) finalize severity alert templates. |
+| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-RISK-69-002 | Enable simulation report exports. |
+| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-69-001 | Build risk bundle. |
+| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-69-002 | Integrate bundle into pipelines. |
+| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-001..004 | (Carry) ensure docs updated from simulation release. |
+
+| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-70-001 | Support offline provider bundles. |
+| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-70-002 | Integrate runtime/reachability providers. |
+| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-70-001 | Provide bundle verification CLI. |
+| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-70-002 | Publish documentation. |
+| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-RISK-70-001 | Integrate risk bundle into offline kit. |
+| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | Finalize risk alert routing UI. |
+| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-68-001 | (Carry) finalize risk bundle doc after verification CLI. |
+
+| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-69-002 | Optimize performance, cache, and incremental scoring; validate SLOs. |
+| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-69-001 | Finalize dashboards and alerts for scoring latency. |
+| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-66-001..68-001 | Harden CLI commands with integration tests and error handling. |
+| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | Tune routing/quiet hour dedupe for risk alerts. |
+| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-001..68-002 | Final editorial pass on risk documentation set. |
+| Sprint 72 | Attestor Console Phase 1 – Foundations | src/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-72-001 | Implement DSSE canonicalization and hashing helpers. |
+| Sprint 72 | Attestor Console Phase 1 – Foundations | src/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-72-002 | Support compact/expanded output and detached payloads. |
+| Sprint 72 | Attestor Console Phase 1 – Foundations | src/StellaOps.Attestor.Types/TASKS.md | TODO | Attestation Payloads Guild | ATTEST-TYPES-72-001 | Draft schemas for all attestation payload types. |
+| Sprint 72 | Attestor Console Phase 1 – Foundations | src/StellaOps.Attestor.Types/TASKS.md | TODO | Attestation Payloads Guild | ATTEST-TYPES-72-002 | Generate models/validators from schemas. |
+| Sprint 72 | Attestor Console Phase 1 – Foundations | src/StellaOps.Cryptography.Kms/TASKS.md | TODO | KMS Guild | KMS-72-001 | Implement KMS interface + file driver. |
+| Sprint 72 | Attestor Console Phase 1 – Foundations | src/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-72-001 | Scaffold attestor service skeleton. |
+| Sprint 72 | Attestor Console Phase 1 – Foundations | src/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-72-002 | Implement attestation store + storage integration. |
+| Sprint 72 | Attestor Console Phase 1 – Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-73-001 | (Prep) align CI secrets for Attestor service. |
+
+| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/StellaOps.Cryptography.Kms/TASKS.md | TODO | KMS Guild | KMS-72-002 | CLI support for key import/export. |
+| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-73-001 | Add signing/verification helpers with KMS integration. |
+| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/StellaOps.Attestor.Types/TASKS.md | TODO | Attestation Payloads Guild | ATTEST-TYPES-73-001 | Create golden payload fixtures. |
+| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-73-001 | Ship signing endpoint. |
+| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-73-002 | Ship verification pipeline and reports. |
+| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-73-003 | Implement list/fetch APIs. |
+| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ATTEST-73-001 | Implement VerificationPolicy lifecycle. |
+| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ATTEST-73-002 | Surface policies in Policy Studio. |
+| Sprint 73 | Attestor CLI Phase 2 – Signing & Policies | src/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-73-001 | Implement `stella attest sign` (payload selection, subject digest, key reference, output format) using official SDK transport. |
+| Sprint 73 | Attestor CLI Phase 2 – Signing & Policies | src/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-73-002 | Implement `stella attest verify` with policy selection, explainability output, and JSON/table formatting. |
+| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-001 | Publish attestor overview. |
+| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-002 | Publish payload docs. |
+| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-003 | Publish policies doc. |
+| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-004 | Publish workflows doc. |
+
+| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-73-002 | Run fuzz tests for envelope handling. |
+| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/StellaOps.Attestor.Verify/TASKS.md | TODO | Verification Guild | ATTEST-VERIFY-74-001 | Add telemetry for verification pipeline. |
+| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/StellaOps.Attestor.Verify/TASKS.md | TODO | Verification Guild | ATTEST-VERIFY-74-002 | Document verification explainability. |
+| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-74-001 | Integrate transparency witness client. |
+| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-74-002 | Implement bulk verification worker. |
+| Sprint 74 | Attestor CLI Phase 3 – Transparency & Chain of Custody | src/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-74-001 | Implement `stella attest list` with filters (subject, type, issuer, scope) and pagination. |
+| Sprint 74 | Attestor CLI Phase 3 – Transparency & Chain of Custody | src/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-74-002 | Implement `stella attest fetch` to download envelopes and payloads to disk. |
+| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/StellaOps.ExportCenter.AttestationBundles/TASKS.md | TODO | Attestation Bundle Guild | EXPORT-ATTEST-74-001 | Build attestation bundle export job. |
+| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-74-001 | Deploy transparency witness infra. |
+| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-001 | Publish keys & issuers doc. |
+| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-002 | Publish transparency doc. |
+| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-003 | Publish console attestor UI doc. |
+| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-004 | Publish CLI attest doc. |
+| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-ATTEST-74-001 | Add verification/key notifications. |
+| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-ATTEST-74-002 | Notify key rotation/revocation. |
+
+| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-75-001 | Support attestation bundle export/import for air gap. |
+| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-75-002 | Harden APIs (rate limits, fuzz tests, threat model actions). |
+| Sprint 75 | Attestor CLI Phase 4 – Air Gap & Bulk | src/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild, KMS Guild | CLI-ATTEST-75-001 | Implement `stella attest key create|import|rotate|revoke` commands. |
+| Sprint 75 | Attestor CLI Phase 4 – Air Gap & Bulk | src/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild, Export Guild | CLI-ATTEST-75-002 | Add support for building/verifying attestation bundles in CLI. |
+| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/StellaOps.ExportCenter.AttestationBundles/TASKS.md | TODO | Attestation Bundle Guild | EXPORT-ATTEST-75-001 | CLI bundle verify/import. |
+| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/StellaOps.ExportCenter.AttestationBundles/TASKS.md | TODO | Attestation Bundle Guild | EXPORT-ATTEST-75-002 | Document attestor airgap workflow. |
+| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-75-001 | Publish attestor airgap doc. |
+| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-75-002 | Update AOC invariants for attestations. |
+| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-74-002 | Integrate bundle builds into release/offline pipelines. |
+| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-75-001 | Dashboards/alerts for attestor metrics. |
diff --git a/SPRINTS_PRIOR_20251021.md b/SPRINTS_PRIOR_20251021.md
index 78e57d02..f195a15c 100644
--- a/SPRINTS_PRIOR_20251021.md
+++ b/SPRINTS_PRIOR_20251021.md
@@ -32,7 +32,7 @@ This file describe implementation of Stella Ops (docs/README.md). Implementation
 | Sprint 9 | Policy Foundations | src/StellaOps.Policy/TASKS.md | DONE (2025-10-19) | Policy Guild | POLICY-CORE-09-005 | Scoring/quiet engine – compute score, enforce VEX-only quiet rules, emit inputs and provenance. |
 | Sprint 9 | Policy Foundations | src/StellaOps.Policy/TASKS.md | DONE (2025-10-19) | Policy Guild | POLICY-CORE-09-006 | Unknown state & confidence decay – deterministic bands surfaced in policy outputs. |
 | Sprint 9 | Docs & Governance | docs/TASKS.md | DONE (2025-10-21) | Platform Events Guild | PLATFORM-EVENTS-09-401 | Embed canonical event samples into contract/integration tests and ensure CI validates payloads against published schemas. |
-| Sprint 10 | Benchmarks | bench/TASKS.md | DONE (2025-10-21) | Bench Guild, Language Analyzer Guild | BENCH-SCANNER-10-002 | Wire real language analyzers into bench harness & refresh baselines post-implementation. |
+| Sprint 10 | Benchmarks | src/StellaOps.Bench/TASKS.md | DONE (2025-10-21) | Bench Guild, Language Analyzer Guild | BENCH-SCANNER-10-002 | Wire real language analyzers into bench harness & refresh baselines post-implementation. |
 | Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Analyzers.Lang/TASKS.md | DONE (2025-10-21) | Language Analyzer Guild | SCANNER-ANALYZERS-LANG-10-302 | Node analyzer handling workspaces/symlinks emitting `pkg:npm`. |
 | Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Analyzers.Lang/TASKS.md | DONE (2025-10-21) | Language Analyzer Guild | SCANNER-ANALYZERS-LANG-10-303 | Python analyzer reading `*.dist-info`, RECORD hashes, entry points. |
 | Sprint 10 | Scanner Analyzers & SBOM | src/StellaOps.Scanner.Analyzers.Lang/TASKS.md | DONE (2025-10-22) | Language Analyzer Guild | SCANNER-ANALYZERS-LANG-10-304 | Go analyzer leveraging buildinfo for `pkg:golang` components. |
diff --git a/SPRINTS_PRIOR_20251025.md b/SPRINTS_PRIOR_20251025.md
new file mode 100644
index 00000000..53b12e13
--- /dev/null
+++ b/SPRINTS_PRIOR_20251025.md
@@ -0,0 +1,34 @@ +This file describe implementation of Stella Ops (docs/README.md). Implementation must respect rules from AGENTS.md (read if you have not). + +| Sprint | Theme | Tasks File Path | Status | Type of Specialist | Task ID | Task Description | +| --- | --- | --- | --- | --- | --- | --- | +| Sprint 11 | Signing Chain Bring-up | src/StellaOps.Attestor/TASKS.md | DONE (2025-10-19) | Attestor Guild | ATTESTOR-API-11-201 | `/rekor/entries` submission pipeline with dedupe, proof acquisition, and persistence. | +| Sprint 11 | Signing Chain Bring-up | src/StellaOps.Attestor/TASKS.md | DONE (2025-10-19) | Attestor Guild | ATTESTOR-VERIFY-11-202 | `/rekor/verify` + retrieval endpoints validating signatures and Merkle proofs. | +| Sprint 11 | Signing Chain Bring-up | src/StellaOps.Attestor/TASKS.md | DONE (2025-10-19) | Attestor Guild | ATTESTOR-OBS-11-203 | Telemetry, alerting, mTLS hardening, and archive workflow for Attestor. | +| Sprint 11 | Storage Platform Hardening | src/StellaOps.Scanner.Storage/TASKS.md | DONE (2025-10-23) | Scanner Storage Guild | SCANNER-STORAGE-11-401 | Migrate scanner object storage integration from MinIO to RustFS with data migration plan. | +| Sprint 11 | UI Integration | src/StellaOps.UI/TASKS.md | DONE (2025-10-23) | UI Guild | UI-ATTEST-11-005 | Attestation visibility (Rekor id, status) on Scan Detail. | +| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Core/TASKS.md | DONE (2025-10-23) | Zastava Core Guild | ZASTAVA-CORE-12-201 | Define runtime event/admission DTOs, hashing helpers, and versioning strategy. | +| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Core/TASKS.md | DONE (2025-10-23) | Zastava Core Guild | ZASTAVA-CORE-12-202 | Provide configuration/logging/metrics utilities shared by Observer/Webhook. 
| +| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Core/TASKS.md | DONE (2025-10-23) | Zastava Core Guild | ZASTAVA-CORE-12-203 | Authority client helpers, OpTok caching, and security guardrails for runtime services. | +| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Core/TASKS.md | DONE (2025-10-23) | Zastava Core Guild | ZASTAVA-OPS-12-204 | Operational runbooks, alert rules, and dashboard exports for runtime plane. | +| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Observer/TASKS.md | DONE (2025-10-24) | Zastava Observer Guild | ZASTAVA-OBS-12-001 | Container lifecycle watcher emitting deterministic runtime events with buffering. | +| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Observer/TASKS.md | DONE (2025-10-24) | Zastava Observer Guild | ZASTAVA-OBS-12-002 | Capture entrypoint traces + loaded libraries, hashing binaries and linking to baseline SBOM. | +| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Observer/TASKS.md | DONE (2025-10-24) | Zastava Observer Guild | ZASTAVA-OBS-12-003 | Posture checks for signatures/SBOM/attestation with offline caching. | +| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Observer/TASKS.md | DONE (2025-10-24) | Zastava Observer Guild | ZASTAVA-OBS-12-004 | Batch `/runtime/events` submissions with disk-backed buffer and rate limits. | +| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Webhook/TASKS.md | DONE (2025-10-24) | Zastava Webhook Guild | ZASTAVA-WEBHOOK-12-101 | Admission controller host with TLS bootstrap and Authority auth. | +| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Webhook/TASKS.md | DONE (2025-10-24) | Zastava Webhook Guild | ZASTAVA-WEBHOOK-12-102 | Query Scanner `/policy/runtime`, resolve digests, enforce verdicts. | +| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Webhook/TASKS.md | DONE (2025-10-24) | Zastava Webhook Guild | ZASTAVA-WEBHOOK-12-103 | Caching, fail-open/closed toggles, metrics/logging for admission decisions. 
| +| Sprint 12 | Runtime Guardrails | src/StellaOps.Zastava.Webhook/TASKS.md | DONE (2025-10-24) | Zastava Webhook Guild | ZASTAVA-WEBHOOK-12-104 | Wire `/admission` endpoint to runtime policy client and emit allow/deny envelopes. | +| Sprint 12 | Runtime Guardrails | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-24) | Scanner WebService Guild | SCANNER-RUNTIME-12-302 | `/policy/runtime` endpoint joining SBOM baseline + policy verdict, returning admission guidance. | +| Sprint 12 | Runtime Guardrails | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-24) | Scanner WebService Guild | SCANNER-RUNTIME-12-303 | Align `/policy/runtime` verdicts with canonical policy evaluation (Feedser/Vexer). | +| Sprint 12 | Runtime Guardrails | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-24) | Scanner WebService Guild | SCANNER-RUNTIME-12-304 | Integrate attestation verification into runtime policy metadata. | +| Sprint 12 | Runtime Guardrails | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-24) | Scanner WebService Guild | SCANNER-RUNTIME-12-305 | Deliver shared fixtures + e2e validation with Zastava/CLI teams. | +| Sprint 13 | UX & CLI Experience | src/StellaOps.UI/TASKS.md | DONE (2025-10-23) | UI Guild | UI-AUTH-13-001 | Integrate Authority OIDC + DPoP flows with session management. | +| Sprint 13 | UX & CLI Experience | src/StellaOps.UI/TASKS.md | DONE (2025-10-25) | UI Guild | UI-NOTIFY-13-006 | Notify panel: channels/rules CRUD, deliveries view, test send. | +| Sprint 13 | Platform Reliability | ops/devops/TASKS.md | DONE (2025-10-25) | DevOps Guild, Platform Leads | DEVOPS-NUGET-13-001 | Wire up .NET 10 preview feeds/local mirrors so `dotnet restore` succeeds offline; document updated NuGet bootstrap. | +| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Queue/TASKS.md | DONE (2025-10-23) | Notify Queue Guild | NOTIFY-QUEUE-15-401 | Bus abstraction + Redis Streams adapter with ordering/idempotency. 
| +| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Queue/TASKS.md | DONE (2025-10-23) | Notify Queue Guild | NOTIFY-QUEUE-15-402 | NATS JetStream adapter with health probes and failover. | +| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Queue/TASKS.md | DONE (2025-10-23) | Notify Queue Guild | NOTIFY-QUEUE-15-403 | Delivery queue with retry/dead-letter + metrics. | +| Sprint 15 | Notify Foundations | src/StellaOps.Notify.Worker/TASKS.md | DONE (2025-10-23) | Notify Worker Guild | NOTIFY-WORKER-15-201 | Bus subscription + leasing loop with backoff. | +| Sprint 17 | Symbol Intelligence & Forensics | src/StellaOps.Zastava.Observer/TASKS.md | DONE (2025-10-25) | Zastava Observer Guild | ZASTAVA-OBS-17-005 | Collect GNU build-id during runtime observation and attach it to emitted events. | +| Sprint 17 | Symbol Intelligence & Forensics | src/StellaOps.Scanner.WebService/TASKS.md | DONE (2025-10-25) | Scanner WebService Guild | SCANNER-RUNTIME-17-401 | Persist runtime build-id observations and expose them for debug-symbol correlation. | diff --git a/bench/TASKS.md b/bench/TASKS.md deleted file mode 100644 index f77bbfc3..00000000 --- a/bench/TASKS.md +++ /dev/null 
@@ -1,8 +0,0 @@ -# Benchmarks Task Board - -| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | -|----|--------|----------|------------|-------------|---------------| -| BENCH-SCANNER-10-001 | DONE | Bench Guild, Scanner Team | SCANNER-ANALYZERS-LANG-10-303 | Analyzer microbench harness (node_modules, site-packages) + baseline CSV. | Harness committed under `bench/Scanner.Analyzers`; baseline CSV recorded; CI job publishes results. | -| BENCH-SCANNER-10-002 | DONE (2025-10-21) | Bench Guild, Language Analyzer Guild | SCANNER-ANALYZERS-LANG-10-301..309 | Wire real language analyzers into bench harness & refresh baselines post-implementation. | Harness executes analyzer assemblies end-to-end; updated baseline committed; CI trend doc linked. | -| BENCH-IMPACT-16-001 | TODO | Bench Guild, Scheduler Team | SCHED-IMPACT-16-301 | ImpactIndex throughput bench (resolve 10k productKeys) + RAM profile. | Benchmark script ready; baseline metrics recorded; alert thresholds defined. | -| BENCH-NOTIFY-15-001 | TODO | Bench Guild, Notify Team | NOTIFY-ENGINE-15-301 | Notify dispatch throughput bench (vary rule density) with results CSV. | Bench executed; results stored; regression alert configured. | diff --git a/dep_tmp.txt b/dep_tmp.txt deleted file mode 100644 index e69de29b..00000000 diff --git a/docs/12_PERFORMANCE_WORKBOOK.md b/docs/12_PERFORMANCE_WORKBOOK.md index fcfa7ce9..2460fd30 100755 --- a/docs/12_PERFORMANCE_WORKBOOK.md +++ b/docs/12_PERFORMANCE_WORKBOOK.md 
@@ -1,170 +1,170 @@ -# 12 - Performance Workbook - -*Purpose* – define **repeatable, data‑driven** benchmarks that guard Stella Ops’ core pledge: -> *“P95 vulnerability feedback in ≤ 5 seconds.”* - ---- - -## 0 Benchmark Scope - -| Area | Included | Excluded | -|------------------|----------------------------------|---------------------------| -| SBOM‑first scan | Trivy engine w/ warmed DB | Full image unpack ≥ 300 MB | -| Delta SBOM ⭑ | Missing‑layer lookup & merge | Multi‑arch images | -| Policy eval ⭑ | YAML → JSON → rule match | Rego (until GA) | -| Feed merge | NVD JSON 2023–2025 | GHSA GraphQL (plugin) | -| Quota wait‑path | 5 s soft‑wait, 60 s hard‑wait behaviour | Paid tiers (unlimited) | -| API latency | REST `/scan`, `/layers/missing` | UI SPA calls | - -⭑ = new in July 2025. - ---- - -## 1 Hardware Baseline (Reference Rig) - -| Element | Spec | -|-------------|------------------------------------| -| CPU | 8 vCPU (Intel Ice‑Lake equiv.) | -| Memory | 16 GiB | -| Disk | NVMe SSD, 3 GB/s R/W | -| Network | 1 Gbit virt. switch | -| Container | Docker 25.0 + overlay2 | -| OS | Ubuntu 22.04 LTS (kernel 6.8) | - -*All P95 targets assume a **single‑node** deployment on this rig unless stated.* - ---- - -## 2 Phase Targets & Gates - -| Phase (ID) | Target P95 | Gate (CI) | Rationale | -|-----------------------|-----------:|-----------|----------------------------------------| -| **SBOM_FIRST** | ≤ 5 s | `hard` | Core UX promise. | -| **IMAGE_UNPACK** | ≤ 10 s | `soft` | Fallback path for legacy flows. | -| **DELTA_SBOM** ⭑ | ≤ 1 s | `hard` | Needed to stay sub‑5 s for big bases. | -| **POLICY_EVAL** ⭑ | ≤ 50 ms | `hard` | Keeps gate latency invisible to users. | -| **QUOTA_WAIT** ⭑ | *soft* ≤ 5 s
*hard* ≤ 60 s | `hard` | Ensures graceful Free‑tier throttling. | -| **SCHED_RESCAN** | ≤ 30 s | `soft` | Nightly batch – not user‑facing. | -| **FEED_MERGE** | ≤ 60 s | `soft` | Off‑peak cron @ 01:00. | -| **API_P95** | ≤ 200 ms | `hard` | UI snappiness. | - -*Gate* legend — `hard`: break CI if regression > 3 × target, -`soft`: raise warning & issue ticket. - ---- - -## 3 Test Harness - +# 12 - Performance Workbook + +*Purpose* – define **repeatable, data‑driven** benchmarks that guard Stella Ops’ core pledge: +> *“P95 vulnerability feedback in ≤ 5 seconds.”* + +--- + +## 0 Benchmark Scope + +| Area | Included | Excluded | +|------------------|----------------------------------|---------------------------| +| SBOM‑first scan | Trivy engine w/ warmed DB | Full image unpack ≥ 300 MB | +| Delta SBOM ⭑ | Missing‑layer lookup & merge | Multi‑arch images | +| Policy eval ⭑ | YAML → JSON → rule match | Rego (until GA) | +| Feed merge | NVD JSON 2023–2025 | GHSA GraphQL (plugin) | +| Quota wait‑path | 5 s soft‑wait, 60 s hard‑wait behaviour | Paid tiers (unlimited) | +| API latency | REST `/scan`, `/layers/missing` | UI SPA calls | + +⭑ = new in July 2025. + +--- + +## 1 Hardware Baseline (Reference Rig) + +| Element | Spec | +|-------------|------------------------------------| +| CPU | 8 vCPU (Intel Ice‑Lake equiv.) | +| Memory | 16 GiB | +| Disk | NVMe SSD, 3 GB/s R/W | +| Network | 1 Gbit virt. switch | +| Container | Docker 25.0 + overlay2 | +| OS | Ubuntu 22.04 LTS (kernel 6.8) | + +*All P95 targets assume a **single‑node** deployment on this rig unless stated.* + +--- + +## 2 Phase Targets & Gates + +| Phase (ID) | Target P95 | Gate (CI) | Rationale | +|-----------------------|-----------:|-----------|----------------------------------------| +| **SBOM_FIRST** | ≤ 5 s | `hard` | Core UX promise. | +| **IMAGE_UNPACK** | ≤ 10 s | `soft` | Fallback path for legacy flows. | +| **DELTA_SBOM** ⭑ | ≤ 1 s | `hard` | Needed to stay sub‑5 s for big bases. 
| +| **POLICY_EVAL** ⭑ | ≤ 50 ms | `hard` | Keeps gate latency invisible to users. | +| **QUOTA_WAIT** ⭑ | *soft* ≤ 5 s
*hard* ≤ 60 s | `hard` | Ensures graceful Free‑tier throttling. | +| **SCHED_RESCAN** | ≤ 30 s | `soft` | Nightly batch – not user‑facing. | +| **FEED_MERGE** | ≤ 60 s | `soft` | Off‑peak cron @ 01:00. | +| **API_P95** | ≤ 200 ms | `hard` | UI snappiness. | + +*Gate* legend — `hard`: break CI if regression > 3 × target, +`soft`: raise warning & issue ticket. + +--- + +## 3 Test Harness + * **Runner** – `perf/run.sh`, accepts `--phase` and `--samples`. -* **Language analyzers microbench** – `dotnet run --project bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj -- --repo-root . --out bench/Scanner.Analyzers/baseline.csv --json out/bench/scanner-analyzers/latest.json --prom out/bench/scanner-analyzers/latest.prom --commit $(git rev-parse HEAD)` produces CSV + JSON + Prometheus gauges for analyzer scenarios. Runs fail if `max_ms` regresses ≥ 20 % against `baseline.csv` or if thresholds are exceeded. +* **Language analyzers microbench** – `dotnet run --project src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj -- --repo-root . --out src/StellaOps.Bench/Scanner.Analyzers/baseline.csv --json out/bench/scanner-analyzers/latest.json --prom out/bench/scanner-analyzers/latest.prom --commit $(git rev-parse HEAD)` produces CSV + JSON + Prometheus gauges for analyzer scenarios. Runs fail if `max_ms` regresses ≥ 20 % against `baseline.csv` or if thresholds are exceeded. * **Metrics** – Prometheus + `jq` extracts; aggregated via `scripts/aggregate.ts`. * **CI** – GitLab CI job *benchmark* publishes JSON to `bench‑artifacts/`. * **Visualisation** – Grafana dashboard *Stella‑Perf* (provisioned JSON). - -> **Note** – harness mounts `/var/cache/trivy` tmpfs to avoid disk noise. - ---- - -## 4 Current Results (July 2025) - -| Phase | Samples | Mean (s) | P95 (s) | Target OK? 
| -|---------------|--------:|---------:|--------:|-----------:| -| SBOM_FIRST | 100 | 3.7 | 4.9 | ✅ | -| IMAGE_UNPACK | 50 | 6.4 | 9.2 | ✅ | -| **DELTA_SBOM**| 100 | 0.46 | 0.83 | ✅ | -| **POLICY_EVAL** | 1 000 | 0.021 | 0.041 | ✅ | -| **QUOTA_WAIT** | 80 | 4.0* | 4.9* | ✅ | -| SCHED_RESCAN | 10 | 18.3 | 24.9 | ✅ | -| FEED_MERGE | 3 | 38.1 | 41.0 | ✅ | -| API_P95 | 20 000 | 0.087 | 0.143 | ✅ | - -*Data files:* `bench-artifacts/2025‑07‑14/phase‑stats.json`. - ---- - -## 5 Δ‑SBOM Micro‑Benchmark Detail - -### 5.1 Scenario - -1. Base image `python:3.12-slim` already scanned (all layers cached). -2. Application layer (`COPY . /app`) triggers new digest. -3. `Stella CLI` lists **7** layers, backend replies *6 hit*, *1 miss*. -4. Builder scans **only 1 layer** (~9 MiB, 217 files) & uploads delta. - -### 5.2 Key Timings - -| Step | Time (ms) | -|---------------------|----------:| -| `/layers/missing` | 13 | -| Trivy single layer | 655 | -| Upload delta blob | 88 | -| Backend merge + CVE | 74 | -| **Total wall‑time** | **830 ms** | - ---- - -## 6 Quota Wait‑Path Benchmark Detail - -### 6.1 Scenario - -1. Free‑tier token reaches **scan #200** – dashboard shows yellow banner. - -### 6.2 Key Timings - -| Step | Time (ms) | -|------------------------------------|----------:| -| `/quota/check` Redis LUA INCR | 0.8 | -| Soft wait sleep (server) | 5 000 | -| Hard wait sleep (server) | 60 000 | -| End‑to‑end wall‑time (soft‑hit) | 5 003 | -| End‑to‑end wall‑time (hard‑hit) | 60 004 | - ---- -## 7 Policy Eval Bench - -### 7.1 Setup - -* Policy YAML: **28** rules, mix severity & package conditions. -* Input: scan result JSON with **1 026** findings. -* Evaluator: custom rules engine (Go structs → map look‑ups). - -### 7.2 Latency Histogram - -``` -0‑10 ms ▇▇▇▇▇▇▇▇▇▇ 38 % -10‑20 ms ▇▇▇▇▇▇▇▇▇▇ 42 % -20‑40 ms ▇▇▇▇▇▇ 17 % -40‑50 ms ▇ 3 % -``` - -P99 = 48 ms. Meets 50 ms gate. - ---- - -## 8 Trend Snapshot - + +> **Note** – harness mounts `/var/cache/trivy` tmpfs to avoid disk noise. 
+ +--- + +## 4 Current Results (July 2025) + +| Phase | Samples | Mean (s) | P95 (s) | Target OK? | +|---------------|--------:|---------:|--------:|-----------:| +| SBOM_FIRST | 100 | 3.7 | 4.9 | ✅ | +| IMAGE_UNPACK | 50 | 6.4 | 9.2 | ✅ | +| **DELTA_SBOM**| 100 | 0.46 | 0.83 | ✅ | +| **POLICY_EVAL** | 1 000 | 0.021 | 0.041 | ✅ | +| **QUOTA_WAIT** | 80 | 4.0* | 4.9* | ✅ | +| SCHED_RESCAN | 10 | 18.3 | 24.9 | ✅ | +| FEED_MERGE | 3 | 38.1 | 41.0 | ✅ | +| API_P95 | 20 000 | 0.087 | 0.143 | ✅ | + +*Data files:* `bench-artifacts/2025‑07‑14/phase‑stats.json`. + +--- + +## 5 Δ‑SBOM Micro‑Benchmark Detail + +### 5.1 Scenario + +1. Base image `python:3.12-slim` already scanned (all layers cached). +2. Application layer (`COPY . /app`) triggers new digest. +3. `Stella CLI` lists **7** layers, backend replies *6 hit*, *1 miss*. +4. Builder scans **only 1 layer** (~9 MiB, 217 files) & uploads delta. + +### 5.2 Key Timings + +| Step | Time (ms) | +|---------------------|----------:| +| `/layers/missing` | 13 | +| Trivy single layer | 655 | +| Upload delta blob | 88 | +| Backend merge + CVE | 74 | +| **Total wall‑time** | **830 ms** | + +--- + +## 6 Quota Wait‑Path Benchmark Detail + +### 6.1 Scenario + +1. Free‑tier token reaches **scan #200** – dashboard shows yellow banner. + +### 6.2 Key Timings + +| Step | Time (ms) | +|------------------------------------|----------:| +| `/quota/check` Redis LUA INCR | 0.8 | +| Soft wait sleep (server) | 5 000 | +| Hard wait sleep (server) | 60 000 | +| End‑to‑end wall‑time (soft‑hit) | 5 003 | +| End‑to‑end wall‑time (hard‑hit) | 60 004 | + +--- +## 7 Policy Eval Bench + +### 7.1 Setup + +* Policy YAML: **28** rules, mix severity & package conditions. +* Input: scan result JSON with **1 026** findings. +* Evaluator: custom rules engine (Go structs → map look‑ups). + +### 7.2 Latency Histogram + +``` +0‑10 ms ▇▇▇▇▇▇▇▇▇▇ 38 % +10‑20 ms ▇▇▇▇▇▇▇▇▇▇ 42 % +20‑40 ms ▇▇▇▇▇▇ 17 % +40‑50 ms ▇ 3 % +``` + +P99 = 48 ms. Meets 50 ms gate. 
+ +--- + +## 8 Trend Snapshot + ![Perf trend spark‑line placeholder](perf‑trend.svg) > **Grafana/Alerting** – Import `docs/ops/scanner-analyzers-grafana-dashboard.json` and point it at the Prometheus datasource storing `scanner_analyzer_bench_*` metrics. Configure an alert on `scanner_analyzer_bench_regression_ratio` ≥ 1.20 (default limit); the bundled Stat panel surfaces breached scenarios (non-zero values). On-call runbook: `docs/ops/scanner-analyzers-operations.md`. - -_Plot generated weekly by `scripts/update‑trend.py`; shows last 12 weeks P95 per phase._ - ---- - -## 9 Action Items - -1. **Image Unpack** – Evaluate zstd for layer decompress; aim to shave 1 s. -2. **Feed Merge** – Parallelise regional XML feed parse (plugin) once stable. -3. **Rego Support** – Prototype OPA side‑car; target ≤ 100 ms eval. -4. **Concurrency** – Stress‑test 100 rps on 4‑node Redis cluster (Q4‑2025). - ---- - -## 10 Change Log - -| Date | Note | -|------------|-------------------------------------------------------------------------| -| 2025‑07‑14 | Added Δ‑SBOM & Policy Eval phases; updated targets & current results. | -| 2025‑07‑12 | First public workbook (SBOM‑first, image‑unpack, feed merge). | - ---- + +_Plot generated weekly by `scripts/update‑trend.py`; shows last 12 weeks P95 per phase._ + +--- + +## 9 Action Items + +1. **Image Unpack** – Evaluate zstd for layer decompress; aim to shave 1 s. +2. **Feed Merge** – Parallelise regional XML feed parse (plugin) once stable. +3. **Rego Support** – Prototype OPA side‑car; target ≤ 100 ms eval. +4. **Concurrency** – Stress‑test 100 rps on 4‑node Redis cluster (Q4‑2025). + +--- + +## 10 Change Log + +| Date | Note | +|------------|-------------------------------------------------------------------------| +| 2025‑07‑14 | Added Δ‑SBOM & Policy Eval phases; updated targets & current results. | +| 2025‑07‑12 | First public workbook (SBOM‑first, image‑unpack, feed merge). | + +--- 
diff --git a/docs/README.md b/docs/README.md index 712ddf15..2585b387 100755 --- a/docs/README.md +++ b/docs/README.md @@ -1,36 +1,36 @@ -# Stella Ops - -> **Self‑hosted, SBOM‑first DevSecOps platform – offline‑friendly, AGPL‑3.0, free up to {{ quota_token }} scans per UTC day (soft delay only, never blocks).** - -Stella Ops lets you discover container vulnerabilities in **< 5 s** without sending a single byte outside your network. -Everything here is open‑source and versioned — when you check out a git tag, the docs match the code you are running. - ---- - -## 🚀 Start here (first 60 minutes) - -| Step | What you will learn | Doc | -|------|--------------------|-----| -| 1 ️⃣ | 90‑second elevator pitch & pillars | **[What Is Stella Ops?](01_WHAT_IS_IT.md)** | -| 2 ️⃣ | Pain points it solves | **[Why Does It Exist?](02_WHY.md)** | -| 3 ️⃣ | Install & run a scan in 10 min | **[Install Guide](21_INSTALL_GUIDE.md)** | -| 4 ️⃣ | Components & data‑flow | **[High‑Level Architecture](07_HIGH_LEVEL_ARCHITECTURE.md)** | -| 5 ️⃣ | Integrate the CLI / REST API | **[API & CLI Reference](09_API_CLI_REFERENCE.md)** | -| 6 ️⃣ | Vocabulary used throughout the docs | **[Glossary](14_GLOSSARY_OF_TERMS.md)** | - ---- - -## 📚 Complete Table of Contents - -
-Click to expand the full docs index - -### Overview -- **01 – [What Is Stella Ops?](01_WHAT_IS_IT.md)** -- **02 – [Why Does It Exist?](02_WHY.md)** -- **03 – [Vision & Road‑map](03_VISION.md)** -- **04 – [Feature Matrix](04_FEATURE_MATRIX.md)** - +# Stella Ops + +> **Self‑hosted, SBOM‑first DevSecOps platform – offline‑friendly, AGPL‑3.0, free up to {{ quota_token }} scans per UTC day (soft delay only, never blocks).** + +Stella Ops lets you discover container vulnerabilities in **< 5 s** without sending a single byte outside your network. +Everything here is open‑source and versioned — when you check out a git tag, the docs match the code you are running. + +--- + +## 🚀 Start here (first 60 minutes) + +| Step | What you will learn | Doc | +|------|--------------------|-----| +| 1 ️⃣ | 90‑second elevator pitch & pillars | **[What Is Stella Ops?](01_WHAT_IS_IT.md)** | +| 2 ️⃣ | Pain points it solves | **[Why Does It Exist?](02_WHY.md)** | +| 3 ️⃣ | Install & run a scan in 10 min | **[Install Guide](21_INSTALL_GUIDE.md)** | +| 4 ️⃣ | Components & data‑flow | **[High‑Level Architecture](07_HIGH_LEVEL_ARCHITECTURE.md)** | +| 5 ️⃣ | Integrate the CLI / REST API | **[API & CLI Reference](09_API_CLI_REFERENCE.md)** | +| 6 ️⃣ | Vocabulary used throughout the docs | **[Glossary](14_GLOSSARY_OF_TERMS.md)** | + +--- + +## 📚 Complete Table of Contents + +
+Click to expand the full docs index + +### Overview +- **01 – [What Is Stella Ops?](01_WHAT_IS_IT.md)** +- **02 – [Why Does It Exist?](02_WHY.md)** +- **03 – [Vision & Road‑map](03_VISION.md)** +- **04 – [Feature Matrix](04_FEATURE_MATRIX.md)** + ### Reference & concepts - **05 – [System Requirements Specification](05_SYSTEM_REQUIREMENTS_SPEC.md)** - **07 – [High‑Level Architecture](07_HIGH_LEVEL_ARCHITECTURE.md)** 
@@ -40,38 +40,38 @@ Everything here is open‑source and versioned — when you check out a git ta - [Concelier](ARCHITECTURE_CONCELIER.md) - [Excititor](ARCHITECTURE_EXCITITOR.md) - [Excititor Mirrors](ARCHITECTURE_EXCITITOR_MIRRORS.md) - - [Signer](ARCHITECTURE_SIGNER.md) - - [Attestor](ARCHITECTURE_ATTESTOR.md) - - [Authority](ARCHITECTURE_AUTHORITY.md) - - [Notify](ARCHITECTURE_NOTIFY.md) - - [Scheduler](ARCHITECTURE_SCHEDULER.md) - - [CLI](ARCHITECTURE_CLI.md) - - [Web UI](ARCHITECTURE_UI.md) - - [Zastava Runtime](ARCHITECTURE_ZASTAVA.md) - - [Release & Operations](ARCHITECTURE_DEVOPS.md) -- **09 – [API & CLI Reference](09_API_CLI_REFERENCE.md)** + - [Signer](ARCHITECTURE_SIGNER.md) + - [Attestor](ARCHITECTURE_ATTESTOR.md) + - [Authority](ARCHITECTURE_AUTHORITY.md) + - [Notify](ARCHITECTURE_NOTIFY.md) + - [Scheduler](ARCHITECTURE_SCHEDULER.md) + - [CLI](ARCHITECTURE_CLI.md) + - [Web UI](ARCHITECTURE_UI.md) + - [Zastava Runtime](ARCHITECTURE_ZASTAVA.md) + - [Release & Operations](ARCHITECTURE_DEVOPS.md) +- **09 – [API & CLI Reference](09_API_CLI_REFERENCE.md)** - **10 – [Plug‑in SDK Guide](10_PLUGIN_SDK_GUIDE.md)** - **10 – [Concelier CLI Quickstart](10_CONCELIER_CLI_QUICKSTART.md)** - **10 – [BuildX Generator Quickstart](dev/BUILDX_PLUGIN_QUICKSTART.md)** - **10 – [Scanner Cache Configuration](dev/SCANNER_CACHE_CONFIGURATION.md)** -- **30 – [Excititor Connector Packaging Guide](dev/30_EXCITITOR_CONNECTOR_GUIDE.md)** -- **30 – Developer Templates** - - [Excititor Connector Skeleton](dev/templates/excititor-connector/) -- **11 – [Authority Service](11_AUTHORITY.md)** -- **11 – [Data Schemas](11_DATA_SCHEMAS.md)** -- **12 – [Performance Workbook](12_PERFORMANCE_WORKBOOK.md)** -- **13 – [Release‑Engineering Playbook](13_RELEASE_ENGINEERING_PLAYBOOK.md)** -- **30 – [Fixture Maintenance](dev/fixtures.md)** - -### User & operator guides -- **14 – [Glossary](14_GLOSSARY_OF_TERMS.md)** -- **15 – [UI Guide](15_UI_GUIDE.md)** -- **17 – [Security Hardening 
Guide](17_SECURITY_HARDENING_GUIDE.md)** -- **18 – [Coding Standards](18_CODING_STANDARDS.md)** -- **19 – [Test‑Suite Overview](19_TEST_SUITE_OVERVIEW.md)** -- **21 – [Install Guide](21_INSTALL_GUIDE.md)** -- **22 – [CI/CD Recipes Library](ci/20_CI_RECIPES.md)** -- **23 – [FAQ](23_FAQ_MATRIX.md)** +- **30 – [Excititor Connector Packaging Guide](dev/30_EXCITITOR_CONNECTOR_GUIDE.md)** +- **30 – Developer Templates** + - [Excititor Connector Skeleton](dev/templates/excititor-connector/) +- **11 – [Authority Service](11_AUTHORITY.md)** +- **11 – [Data Schemas](11_DATA_SCHEMAS.md)** +- **12 – [Performance Workbook](12_PERFORMANCE_WORKBOOK.md)** +- **13 – [Release‑Engineering Playbook](13_RELEASE_ENGINEERING_PLAYBOOK.md)** +- **30 – [Fixture Maintenance](dev/fixtures.md)** + +### User & operator guides +- **14 – [Glossary](14_GLOSSARY_OF_TERMS.md)** +- **15 – [UI Guide](15_UI_GUIDE.md)** +- **17 – [Security Hardening Guide](17_SECURITY_HARDENING_GUIDE.md)** +- **18 – [Coding Standards](18_CODING_STANDARDS.md)** +- **19 – [Test‑Suite Overview](19_TEST_SUITE_OVERVIEW.md)** +- **21 – [Install Guide](21_INSTALL_GUIDE.md)** +- **22 – [CI/CD Recipes Library](ci/20_CI_RECIPES.md)** +- **23 – [FAQ](23_FAQ_MATRIX.md)** - **24 – [Offline Update Kit Admin Guide](24_OFFLINE_KIT.md)** - **25 – [Mirror Operations Runbook](ops/concelier-mirror-operations.md)** - **26 – [Concelier Apple Connector Operations](ops/concelier-apple-operations.md)** @@ -86,9 +86,19 @@ Everything here is open‑source and versioned — when you check out a git ta ### Legal & licence - **32 – [Legal & Quota FAQ](29_LEGAL_FAQ_QUOTA.md)** - -
- ---- - -© 2025 Stella Ops contributors – licensed AGPL‑3.0‑or‑later + +
+ +--- + +## 🧹 Backlog hygiene + +> Imposed rule: Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +- **Aggregation-Only Contract (AOC).** Ingestion services aggregate and link facts only—derived precedence, severity, and safe-fix hints live in Policy overlays and dedicated explorers. Review [`../AGENTS.md`](../AGENTS.md) and the AOC guardrails in [`aoc/aoc-guardrails.md`](aoc/aoc-guardrails.md). +- **Cartographer owns graphs.** SBOM Service emits projections/events; Cartographer (`CARTO-GRAPH-21-00x`) builds graph storage, overlays, and tiles. See `ARCHITECTURE_CONCELIER.md` (Cartographer handshake section) for handoff boundaries. +- **Notifier replaces legacy Notify.** Sprint‑15 `StellaOps.Notify.*` tasks are frozen; use the Notifications Studio/Notifier backlogs (`NOTIFY-SVC-38..40`, `WEB-NOTIFY-3x-00x`, `CLI-NOTIFY-3x-00x`). +- **Dedicated services for Vuln & Policy.** Vuln Explorer work flows through `src/StellaOps.VulnExplorer.Api`/Console/CLI (Sprint 29); gateway routes proxy only. Policy Engine remains the sole source for precedence/suppression overlays. +- **Cleanup log.** The backlog consolidation summary lives in [`backlog/2025-10-cleanup.md`](backlog/2025-10-cleanup.md). + +© 2025 Stella Ops contributors – licensed AGPL‑3.0‑or‑later diff --git a/docs/TASKS.md b/docs/TASKS.md index 6db5524f..9af34349 100644 --- a/docs/TASKS.md +++ b/docs/TASKS.md 
@@ -17,7 +17,330 @@
 | RUNTIME-GUILD-09-402 | DONE (2025-10-19) | Runtime Guild | SCANNER-POLICY-09-107 | Confirm Scanner WebService surfaces `quietedFindingCount` and progress hints to runtime consumers; document readiness checklist. | Runtime verification run captures enriched payload; checklist/doc updates merged; stakeholders acknowledge availability. |
 | DOCS-CONCELIER-07-201 | DONE (2025-10-22) | Docs Guild, Concelier WebService | FEEDWEB-DOCS-01-001 | Final editorial review and publish pass for Concelier authority toggle documentation (Quickstart + operator guide). | Review feedback resolved, publish PR merged, release notes updated with documentation pointer. |
 | DOCS-RUNTIME-17-004 | TODO | Docs Guild, Runtime Guild | SCANNER-EMIT-17-701, ZASTAVA-OBS-17-005, DEVOPS-REL-17-002 | Document build-id workflows: SBOM exposure, runtime event payloads (`process.buildId`), Scanner `/policy/runtime` response (`buildIds` list), debug-store layout, and operator guidance for symbol retrieval. | Architecture + operator docs updated with build-id sections (Observer, Scanner, CLI), examples show `readelf` output + debuginfod usage, references linked from Offline Kit/Release guides + CLI help. |
+| DOCS-OBS-50-001 | TODO | Docs Guild, Observability Guild | TELEMETRY-OBS-50-001 | Publish `/docs/observability/overview.md` introducing scope, imposed rule banner, architecture diagram, and tenant guarantees. | Doc merged with imposed rule banner; diagram committed; cross-links to telemetry stack + evidence locker docs. |
+| DOCS-OBS-50-002 | TODO | Docs Guild, Security Guild | TELEMETRY-OBS-50-002 | Author `/docs/observability/telemetry-standards.md` detailing common fields, scrubbing policy, sampling defaults, and redaction override procedure. | Doc merged; imposed rule banner present; examples validated with telemetry fixtures; security review sign-off captured.
|
+| DOCS-OBS-50-003 | TODO | Docs Guild, Observability Guild | TELEMETRY-OBS-50-001 | Create `/docs/observability/logging.md` covering structured log schema, dos/don'ts, tenant isolation, and copyable examples. | Doc merged with banner; sample logs redacted; lint passes; linked from coding standards. |
+| DOCS-OBS-50-004 | TODO | Docs Guild, Observability Guild | TELEMETRY-OBS-50-002 | Draft `/docs/observability/tracing.md` explaining context propagation, async linking, CLI header usage, and sampling strategies. | Doc merged; imposed rule banner included; diagrams updated; references to CLI/Console features added. |
+| DOCS-OBS-51-001 | TODO | Docs Guild, DevOps Guild | WEB-OBS-51-001, DEVOPS-OBS-51-001 | Publish `/docs/observability/metrics-and-slos.md` cataloging metrics, SLO targets, burn rate policies, and alert runbooks. | Doc merged with banner; SLO tables verified; alert workflows linked to incident runbook. |
+| DOCS-SEC-OBS-50-001 | TODO | Docs Guild, Security Guild | TELEMETRY-OBS-51-002 | Update `/docs/security/redaction-and-privacy.md` to cover telemetry privacy controls, tenant opt-in debug, and imposed rule reminder. | Doc merged; redaction matrix updated; banner present; security sign-off recorded. |
+| DOCS-INSTALL-50-001 | TODO | Docs Guild, DevOps Guild | DEVOPS-OBS-50-003 | Add `/docs/install/telemetry-stack.md` with collector deployment, exporter options, offline kit notes, and imposed rule banner. | Doc merged; install steps verified on air-gapped profile; banner present; screenshots attached. |
+| DOCS-FORENSICS-53-001 | TODO | Docs Guild, Evidence Locker Guild | EVID-OBS-53-003 | Publish `/docs/forensics/evidence-locker.md` describing bundle formats, WORM options, retention, legal hold, and imposed rule banner. | Doc merged; manifest examples validated; banner present; legal hold steps aligned with API.
|
+| DOCS-FORENSICS-53-002 | TODO | Docs Guild, Provenance Guild | PROV-OBS-54-001 | Release `/docs/forensics/provenance-attestation.md` covering DSSE schema, signing process, verification workflow, and imposed rule banner. | Doc merged; sample statements reference fixtures; banner included; verification steps tested. |
+| DOCS-FORENSICS-53-003 | TODO | Docs Guild, Timeline Indexer Guild | TIMELINE-OBS-52-003 | Publish `/docs/forensics/timeline.md` with schema, event kinds, filters, query examples, and imposed rule banner. | Doc merged; query examples validated; banner present; linked from Console/CLI docs. |
+| DOCS-CONSOLE-OBS-52-001 | TODO | Docs Guild, Console Guild | CONSOLE-OBS-51-001 | Document `/docs/console/observability.md` showcasing Observability Hub widgets, trace/log search, imposed rule banner, and accessibility tips. | Doc merged; screenshots updated; banner present; navigation steps verified. |
+| DOCS-CONSOLE-OBS-52-002 | TODO | Docs Guild, Console Guild | CONSOLE-OBS-52-002, CONSOLE-OBS-53-001 | Publish `/docs/console/forensics.md` covering timeline explorer, evidence viewer, attestation verifier, imposed rule banner, and troubleshooting. | Doc merged; banner included; workflows validated via Playwright capture; troubleshooting section populated. |
+| DOCS-CLI-OBS-52-001 | TODO | Docs Guild, DevEx/CLI Guild | CLI-OBS-52-001 | Create `/docs/cli/observability.md` detailing `stella obs` commands, examples, exit codes, imposed rule banner, and scripting tips. | Doc merged; examples tested; banner included; CLI parity matrix updated. |
+| DOCS-CLI-FORENSICS-53-001 | TODO | Docs Guild, DevEx/CLI Guild | CLI-FORENSICS-54-001 | Publish `/docs/cli/forensics.md` for snapshot/verify/attest commands with sample outputs, imposed rule banner, and offline workflows. | Doc merged; sample bundles verified; banner present; offline notes cross-linked.
|
+| DOCS-RUNBOOK-55-001 | TODO | Docs Guild, Ops Guild | DEVOPS-OBS-55-001, WEB-OBS-55-001 | Author `/docs/runbooks/incidents.md` describing incident mode activation, escalation steps, retention impact, verification checklist, and imposed rule banner. | Doc merged; runbook rehearsed; banner included; linked from alerts. |
+| DOCS-AOC-19-001 | TODO | Docs Guild, Concelier Guild | CONCELIER-WEB-AOC-19-001, EXCITITOR-WEB-AOC-19-001 | Author `/docs/ingestion/aggregation-only-contract.md` covering philosophy, invariants, schemas, error codes, migration, observability, and security checklist. | New doc published with compliance checklist; cross-links from existing docs added. |
+| DOCS-AOC-19-002 | TODO | Docs Guild, Architecture Guild | DOCS-AOC-19-001 | Update `/docs/architecture/overview.md` to include AOC boundary, raw stores, and sequence diagram (fetch → guard → raw insert → policy evaluation). | Overview doc updated with diagrams/text; lint passes; stakeholders sign off. |
+| DOCS-AOC-19-003 | TODO | Docs Guild, Policy Guild | POLICY-AOC-19-003 | Refresh `/docs/architecture/policy-engine.md` clarifying ingestion boundary, raw inputs, and policy-only derived data. | Doc highlights raw-only ingestion contract, updated diagrams merge, compliance checklist added. |
+| DOCS-AOC-19-004 | TODO | Docs Guild, UI Guild | UI-AOC-19-001 | Extend `/docs/ui/console.md` with Sources dashboard tiles, violation drill-down workflow, and verification action. | UI doc updated with screenshots/flow descriptions, compliance checklist appended. |
+| DOCS-AOC-19-005 | TODO | Docs Guild, CLI Guild | CLI-AOC-19-003 | Update `/docs/cli/cli-reference.md` with `stella sources ingest --dry-run` and `stella aoc verify` usage, exit codes, and offline notes. | CLI reference + quickstart sections updated; examples validated; compliance checklist added.
|
+| DOCS-AOC-19-006 | TODO | Docs Guild, Observability Guild | CONCELIER-WEB-AOC-19-002, EXCITITOR-WEB-AOC-19-002 | Document new metrics/traces/log keys in `/docs/observability/observability.md`. | Observability doc lists new metrics/traces/log fields; dashboards referenced; compliance checklist appended. |
+| DOCS-AOC-19-007 | TODO | Docs Guild, Authority Core | AUTH-AOC-19-001 | Update `/docs/security/authority-scopes.md` with new ingestion scopes and tenancy enforcement notes. | Doc reflects new scopes, sample policies updated, compliance checklist added. |
+| DOCS-AOC-19-008 | TODO | Docs Guild, DevOps Guild | DEVOPS-AOC-19-002 | Refresh `/docs/deploy/containers.md` to cover validator enablement, guard env flags, and read-only verify user. | Deploy doc updated; offline kit section mentions validator scripts; compliance checklist appended. |
+
+## Air-Gapped Mode (Epic 16)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-AIRGAP-56-001 | TODO | Docs Guild, AirGap Controller Guild | AIRGAP-CTL-56-002 | Publish `/docs/airgap/overview.md` outlining modes, lifecycle, responsibilities, and imposed rule banner. | Doc merged; banner present; diagrams included. |
+| DOCS-AIRGAP-56-002 | TODO | Docs Guild, DevOps Guild | DEVOPS-AIRGAP-56-001 | Author `/docs/airgap/sealing-and-egress.md` covering network policies, EgressPolicy facade usage, and verification steps. | Doc merged; examples validated; banner included. |
+| DOCS-AIRGAP-56-003 | TODO | Docs Guild, Exporter Guild | EXPORT-AIRGAP-56-001 | Create `/docs/airgap/mirror-bundles.md` describing bundle format, DSSE/TUF/Merkle validation, creation/import workflows. | Doc merged; sample commands verified; banner present. |
+| DOCS-AIRGAP-56-004 | TODO | Docs Guild, Deployment Guild | DEVOPS-AIRGAP-56-003 | Publish `/docs/airgap/bootstrap.md` detailing Bootstrap Pack creation, validation, and install procedures.
| Doc merged; checklist appended; screenshots verified. |
+| DOCS-AIRGAP-57-001 | TODO | Docs Guild, AirGap Time Guild | AIRGAP-TIME-58-001 | Write `/docs/airgap/staleness-and-time.md` explaining time anchors, drift policies, staleness budgets, and UI indicators. | Doc merged; math checked; banner included. |
+| DOCS-AIRGAP-57-002 | TODO | Docs Guild, Console Guild | CONSOLE-AIRGAP-57-001 | Publish `/docs/console/airgap.md` covering sealed badge, import wizard, staleness dashboards. | Doc merged; screenshots captured; banner present. |
+| DOCS-AIRGAP-57-003 | TODO | Docs Guild, CLI Guild | CLI-AIRGAP-57-001 | Publish `/docs/cli/airgap.md` documenting commands, examples, exit codes. | Doc merged; examples validated; banner present. |
+| DOCS-AIRGAP-57-004 | TODO | Docs Guild, Ops Guild | DEVOPS-AIRGAP-56-002 | Create `/docs/airgap/operations.md` with runbooks for imports, failure recovery, and auditing. | Doc merged; runbooks rehearsed; banner included. |
+| DOCS-AIRGAP-58-001 | TODO | Docs Guild, Product Guild | CONSOLE-AIRGAP-58-002 | Provide `/docs/airgap/degradation-matrix.md` enumerating feature availability, fallbacks, remediation. | Doc merged; matrix reviewed; banner included. |
+| DOCS-AIRGAP-58-002 | TODO | Docs Guild, Security Guild | PROV-OBS-54-001 | Update `/docs/security/trust-and-signing.md` with DSSE/TUF roots, rotation, and signed time tokens. | Doc merged; security sign-off recorded; banner present. |
+| DOCS-AIRGAP-58-003 | TODO | Docs Guild, DevEx Guild | AIRGAP-POL-56-001 | Publish `/docs/dev/airgap-contracts.md` describing EgressPolicy usage, sealed-mode tests, linting. | Doc merged; sample code validated; banner included. |
+| DOCS-AIRGAP-58-004 | TODO | Docs Guild, Evidence Locker Guild | EVID-OBS-55-001 | Document `/docs/airgap/portable-evidence.md` for exporting/importing portable evidence bundles across enclaves. | Doc merged; verification steps tested; banner present.
|
+
+## SDKs & OpenAPI (Epic 17)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-OAS-61-001 | TODO | Docs Guild, API Contracts Guild | OAS-61-002 | Publish `/docs/api/overview.md` covering auth, tenancy, pagination, idempotency, rate limits with banner. | Doc merged; examples validated; banner present. |
+| DOCS-OAS-61-002 | TODO | Docs Guild, API Governance Guild | APIGOV-61-001 | Author `/docs/api/conventions.md` capturing naming, errors, filters, sorting, examples. | Doc merged; lint passes; banner included. |
+| DOCS-OAS-61-003 | TODO | Docs Guild, API Governance Guild | APIGOV-63-001 | Publish `/docs/api/versioning.md` describing SemVer, deprecation headers, migration playbooks. | Doc merged; example headers validated; banner present. |
+| DOCS-OAS-62-001 | TODO | Docs Guild, Developer Portal Guild | DEVPORT-62-002 | Stand up `/docs/api/reference/` auto-generated site; integrate with portal nav. | Reference site builds; search works; banner included. |
+| DOCS-SDK-62-001 | TODO | Docs Guild, SDK Generator Guild | SDKGEN-63-001 | Publish `/docs/sdks/overview.md` plus language guides (`typescript.md`, `python.md`, `go.md`, `java.md`). | Docs merged; code samples pulled from tested examples; banner present. |
+| DOCS-DEVPORT-62-001 | TODO | Docs Guild, Developer Portal Guild | DEVPORT-62-001 | Document `/docs/devportal/publishing.md` for build pipeline, offline bundle steps. | Doc merged; cross-links validated; banner included. |
+| DOCS-CONTRIB-62-001 | TODO | Docs Guild, API Governance Guild | APIGOV-61-001 | Publish `/docs/contributing/api-contracts.md` detailing how to edit OAS, lint rules, compatibility checks. | Doc merged; banner present; examples validated. |
+| DOCS-TEST-62-001 | TODO | Docs Guild, Contract Testing Guild | CONTR-62-001 | Author `/docs/testing/contract-testing.md` covering mock server, replay tests, golden fixtures.
| Doc merged; references to tooling validated; banner present. |
+| DOCS-SEC-62-001 | TODO | Docs Guild, Authority Core | AUTH-AIRGAP-56-001 | Update `/docs/security/auth-scopes.md` with OAuth2/PAT scopes, tenancy header usage. | Doc merged; scope tables verified; banner included. |
+| DOCS-AIRGAP-DEVPORT-64-001 | TODO | Docs Guild, DevPortal Offline Guild | DVOFF-64-001 | Create `/docs/airgap/devportal-offline.md` describing offline bundle usage and verification. | Doc merged; verification steps tested; banner present. |
+
+## Risk Profiles (Epic 18)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-RISK-66-001 | TODO | Docs Guild, Risk Profile Schema Guild | POLICY-RISK-66-001 | Publish `/docs/risk/overview.md` covering concepts and glossary. | Doc merged with banner; terminology reviewed. |
+| DOCS-RISK-66-002 | TODO | Docs Guild, Policy Guild | POLICY-RISK-66-003 | Author `/docs/risk/profiles.md` (authoring, versioning, scope). | Doc merged; schema examples validated; banner present. |
+| DOCS-RISK-66-003 | TODO | Docs Guild, Risk Engine Guild | RISK-ENGINE-67-001 | Publish `/docs/risk/factors.md` cataloging signals, transforms, reducers, TTLs. | Document merged; tables verified; banner included. |
+| DOCS-RISK-66-004 | TODO | Docs Guild, Risk Engine Guild | RISK-ENGINE-66-002 | Create `/docs/risk/formulas.md` detailing math, normalization, gating, severity. | Doc merged; equations rendered; banner present. |
+| DOCS-RISK-67-001 | TODO | Docs Guild, Risk Engine Guild | RISK-ENGINE-68-001 | Publish `/docs/risk/explainability.md` showing artifact schema and UI screenshots. | Doc merged; CLI examples validated; banner included. |
+| DOCS-RISK-67-002 | TODO | Docs Guild, API Guild | POLICY-RISK-67-002 | Produce `/docs/risk/api.md` with endpoint reference/examples. | Doc merged; OAS examples synced; banner present.
|
+| DOCS-RISK-67-003 | TODO | Docs Guild, Console Guild | CONSOLE-RISK-66-001 | Document `/docs/console/risk-ui.md` for authoring, simulation, dashboards. | Doc merged; screenshots updated; banner included. |
+| DOCS-RISK-67-004 | TODO | Docs Guild, CLI Guild | CLI-RISK-66-001 | Publish `/docs/cli/risk.md` covering CLI workflows. | Doc merged; command examples validated; banner present. |
+| DOCS-RISK-68-001 | TODO | Docs Guild, Export Guild | RISK-BUNDLE-69-001 | Add `/docs/airgap/risk-bundles.md` for offline factor bundles. | Doc merged; verification steps confirmed; banner included. |
+| DOCS-RISK-68-002 | TODO | Docs Guild, Security Guild | POLICY-RISK-66-003 | Update `/docs/security/aoc-invariants.md` with risk scoring provenance guarantees. | Doc merged; audit references updated; banner present. |
+
+## Attestor Console (Epic 19)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-ATTEST-73-001 | TODO | Docs Guild, Attestor Service Guild | ATTEST-TYPES-73-001 | Publish `/docs/attestor/overview.md` with imposed rule banner. | Doc merged; terminology validated. |
+| DOCS-ATTEST-73-002 | TODO | Docs Guild, Attestation Payloads Guild | ATTEST-TYPES-73-002 | Write `/docs/attestor/payloads.md` with schemas/examples. | Doc merged; examples validated via tests. |
+| DOCS-ATTEST-73-003 | TODO | Docs Guild, Policy Guild | POLICY-ATTEST-73-002 | Publish `/docs/attestor/policies.md` covering verification policies. | Doc merged; policy examples validated. |
+| DOCS-ATTEST-73-004 | TODO | Docs Guild, Attestor Service Guild | ATTESTOR-73-002 | Add `/docs/attestor/workflows.md` detailing ingest, verify, bulk operations. | Doc merged; workflows tested. |
+| DOCS-ATTEST-74-001 | TODO | Docs Guild, KMS Guild | KMS-73-001 | Publish `/docs/attestor/keys-and-issuers.md`. | Doc merged; rotation guidance verified.
|
+| DOCS-ATTEST-74-002 | TODO | Docs Guild, Transparency Guild | TRANSP-74-001 | Document `/docs/attestor/transparency.md` with witness usage/offline validation. | Doc merged; proofs validated. |
+| DOCS-ATTEST-74-003 | TODO | Docs Guild, Attestor Console Guild | CONSOLE-ATTEST-73-001 | Write `/docs/console/attestor-ui.md` with screenshots/workflows. | Doc merged; screenshots captured; banner present. |
+| DOCS-ATTEST-74-004 | TODO | Docs Guild, CLI Attestor Guild | CLI-ATTEST-73-001 | Publish `/docs/cli/attest.md` covering CLI usage. | Doc merged; commands validated. |
+| DOCS-ATTEST-75-001 | TODO | Docs Guild, Export Attestation Guild | EXPORT-ATTEST-75-002 | Add `/docs/attestor/airgap.md` for attestation bundles. | Doc merged; verification steps confirmed. |
+| DOCS-ATTEST-75-002 | TODO | Docs Guild, Security Guild | ATTESTOR-73-002 | Update `/docs/security/aoc-invariants.md` with attestation invariants. | Doc merged; invariants detailed. |
+## Policy Engine v2
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-POLICY-20-001 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-20-000 | Author `/docs/policy/overview.md` covering concepts, inputs/outputs, determinism, and compliance checklist. | Doc published with diagrams + glossary; lint passes; checklist included. |
+| DOCS-POLICY-20-002 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-20-001 | Write `/docs/policy/dsl.md` with grammar, built-ins, examples, anti-patterns. | DSL doc includes grammar tables, examples, compliance checklist; validated against parser tests. |
+| DOCS-POLICY-20-003 | TODO | Docs Guild, Authority Core | AUTH-POLICY-20-001 | Publish `/docs/policy/lifecycle.md` describing draft→approve workflow, roles, audit, compliance list. | Lifecycle doc linked from UI/CLI help; approvals roles documented; checklist appended.
|
+| DOCS-POLICY-20-004 | TODO | Docs Guild, Scheduler Guild | SCHED-MODELS-20-001 | Create `/docs/policy/runs.md` detailing run modes, incremental mechanics, cursors, replay. | Run doc includes sequence diagrams + compliance checklist; cross-links to scheduler docs. |
+| DOCS-POLICY-20-005 | TODO | Docs Guild, BE-Base Platform Guild | WEB-POLICY-20-001 | Draft `/docs/api/policy.md` describing endpoints, schemas, error codes. | API doc validated against OpenAPI; examples included; checklist appended. |
+| DOCS-POLICY-20-006 | TODO | Docs Guild, DevEx/CLI Guild | CLI-POLICY-20-002 | Produce `/docs/cli/policy.md` with command usage, exit codes, JSON output contracts. | CLI doc includes examples, exit codes, compliance checklist. |
+| DOCS-POLICY-20-007 | TODO | Docs Guild, UI Guild | UI-POLICY-20-001 | Document `/docs/ui/policy-editor.md` covering editor, simulation, diff workflows, approvals. | UI doc includes screenshots/placeholders, accessibility notes, compliance checklist. |
+| DOCS-POLICY-20-008 | TODO | Docs Guild, Architecture Guild | POLICY-ENGINE-20-003 | Write `/docs/architecture/policy-engine.md` (new epic content) with sequence diagrams, selection strategy, schema. | Architecture doc merged with diagrams; compliance checklist appended; references updated. |
+| DOCS-POLICY-20-009 | TODO | Docs Guild, Observability Guild | POLICY-ENGINE-20-007 | Add `/docs/observability/policy.md` for metrics/traces/logs, sample dashboards. | Observability doc includes metrics tables, dashboard screenshots, checklist. |
+| DOCS-POLICY-20-010 | TODO | Docs Guild, Security Guild | AUTH-POLICY-20-002 | Publish `/docs/security/policy-governance.md` covering scopes, approvals, tenancy, least privilege. | Security doc merged; compliance checklist appended; reviewed by Security Guild. |
+| DOCS-POLICY-20-011 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-20-001 | Populate `/docs/examples/policies/` with baseline/serverless/internal-only samples and commentary.
| Example policies committed with explanations; lint passes; compliance checklist per file. |
+| DOCS-POLICY-20-012 | TODO | Docs Guild, Support Guild | WEB-POLICY-20-003 | Draft `/docs/faq/policy-faq.md` addressing common pitfalls, VEX conflicts, determinism issues. | FAQ published with Q/A entries, cross-links, compliance checklist. |
+
+## Graph Explorer v1
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-GRAPH-21-001 | TODO | Docs Guild, Cartographer Guild | CARTO-GRAPH-21-001..006 | Author `/docs/graph/overview.md` covering concepts, snapshot lifecycle, overlays, and compliance checklist. | Doc merged with diagrams; lint passes; checklist appended. |
+| DOCS-GRAPH-21-002 | TODO | Docs Guild | CARTO-GRAPH-21-001 | Write `/docs/graph/schema.md` describing node/edge/overlay schemas, indexes, sharding strategy, and sample docs. | Schema doc validated against fixtures; compliance checklist included. |
+| DOCS-GRAPH-21-003 | TODO | Docs Guild, BE-Base Platform Guild | WEB-GRAPH-21-001..004 | Produce `/docs/graph/api.md` with endpoint specs, parameters, pagination, errors, and curl examples. | API doc aligns with OpenAPI; examples verified; checklist appended. |
+| DOCS-GRAPH-21-004 | TODO | Docs Guild, UI Guild | UI-GRAPH-21-001..006 | Document `/docs/ui/graph-explorer.md` (screens, filters, paths, diff, accessibility). | UI doc published with screenshots/placeholders; accessibility checklist satisfied. |
+| DOCS-GRAPH-21-005 | TODO | Docs Guild, DevEx/CLI Guild | CLI-GRAPH-21-001..003 | Create `/docs/cli/graph.md` detailing CLI commands, exit codes, JSON schemas. | CLI doc merged; examples validated; checklist appended. |
+| DOCS-GRAPH-21-006 | TODO | Docs Guild, Architecture Guild | CARTO-GRAPH-21-002..007 | Draft `/docs/architecture/cartographer.md` covering build pipeline, layout tiling, overlay patching, sequence diagrams.
| Architecture doc merged with diagrams; compliance checklist included. |
+| DOCS-GRAPH-21-007 | TODO | Docs Guild, Observability Guild | CARTO-GRAPH-21-008, DEVOPS-GRAPH-21-001 | Publish `/docs/observability/graph.md` (metrics/traces/logs, dashboards, alerts). | Observability doc live; dashboards linked; checklist appended. |
+| DOCS-GRAPH-21-008 | TODO | Docs Guild, Security Guild | AUTH-GRAPH-21-001..003 | Write `/docs/security/graph-access.md` describing RBAC, tenancy, scopes, service identities. | Security doc merged; reviewer checklist completed. |
+| DOCS-GRAPH-21-009 | TODO | Docs Guild, Cartographer Guild | CARTO-GRAPH-21-006 | Document `/docs/examples/graph/` sample SBOMs, screenshots, exports with reviewer checklist. | Example docs + assets committed; lint passes; checklist appended. |
+
+## Link-Not-Merge v1
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-LNM-22-001 | TODO | Docs Guild, Concelier Guild | CONCELIER-LNM-21-001..003 | Author `/docs/advisories/aggregation.md` covering observation vs linkset, conflict handling, AOC requirements, and reviewer checklist. | Doc merged with examples + checklist; lint passes. |
+| DOCS-LNM-22-002 | TODO | Docs Guild, Excititor Guild | EXCITITOR-LNM-21-001..003 | Publish `/docs/vex/aggregation.md` describing VEX observation/linkset model, product matching, conflicts. | Doc merged with fixtures; checklist appended. |
+| DOCS-LNM-22-003 | TODO | Docs Guild, BE-Base Platform Guild | WEB-LNM-21-001..003 | Update `/docs/api/advisories.md` and `/docs/api/vex.md` for new endpoints, parameters, errors, exports. | API docs aligned with OpenAPI; examples validated. |
+| DOCS-LNM-22-004 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-40-001 | Create `/docs/policy/effective-severity.md` detailing severity selection strategies from multiple sources. | Doc merged with policy examples; checklist included.
|
+| DOCS-LNM-22-005 | TODO | Docs Guild, UI Guild | UI-LNM-22-001..003 | Document `/docs/ui/evidence-panel.md` with screenshots, conflict badges, accessibility guidance. | UI doc merged; accessibility checklist completed. |
+
+## StellaOps Console (Sprint 23)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-CONSOLE-23-001 | TODO | Docs Guild, Console Guild | CONSOLE-CORE-23-004 | Publish `/docs/ui/console-overview.md` covering IA, tenant model, global filters, and AOC alignment with compliance checklist. | Doc merged with diagrams + overview tables; checklist appended; Console Guild sign-off. |
+| DOCS-CONSOLE-23-002 | TODO | Docs Guild, Console Guild | DOCS-CONSOLE-23-001 | Author `/docs/ui/navigation.md` detailing routes, breadcrumbs, keyboard shortcuts, deep links, and tenant context switching. | Navigation doc merged with shortcut tables and screenshots; accessibility checklist satisfied. |
+| DOCS-CONSOLE-23-003 | TODO | Docs Guild, SBOM Service Guild, Console Guild | SBOM-CONSOLE-23-001, CONSOLE-FEAT-23-102 | Document `/docs/ui/sbom-explorer.md` (catalog, detail, graph overlays, exports) including compliance checklist and performance tips. | Doc merged with annotated screenshots, export instructions, and overlay examples; checklist appended. |
+| DOCS-CONSOLE-23-004 | TODO | Docs Guild, Concelier Guild, Excititor Guild | CONCELIER-CONSOLE-23-001, EXCITITOR-CONSOLE-23-001 | Produce `/docs/ui/advisories-and-vex.md` explaining aggregation-not-merge, conflict indicators, raw viewers, and provenance banners. | Doc merged; raw JSON examples included; compliance checklist complete. |
+| DOCS-CONSOLE-23-005 | TODO | Docs Guild, Policy Guild | POLICY-CONSOLE-23-001, CONSOLE-FEAT-23-104 | Write `/docs/ui/findings.md` describing filters, saved views, explain drawer, exports, and CLI parity callouts.
| Doc merged with filter matrix + explain walkthrough; checklist appended. |
+| DOCS-CONSOLE-23-006 | TODO | Docs Guild, Policy Guild, Product Ops | POLICY-CONSOLE-23-002, CONSOLE-FEAT-23-105 | Publish `/docs/ui/policies.md` with editor, simulation, approvals, compliance checklist, and RBAC mapping. | Doc merged; Monaco screenshots + simulation diff examples included; approval flow described; checklist appended. |
+| DOCS-CONSOLE-23-007 | TODO | Docs Guild, Scheduler Guild | SCHED-CONSOLE-23-001, CONSOLE-FEAT-23-106 | Document `/docs/ui/runs.md` covering queues, live progress, diffs, retries, evidence downloads, and troubleshooting. | Doc merged with SSE troubleshooting, metrics references, compliance checklist. |
+| DOCS-CONSOLE-23-008 | TODO | Docs Guild, Authority Guild | AUTH-CONSOLE-23-002, CONSOLE-FEAT-23-108 | Draft `/docs/ui/admin.md` describing users/roles, tenants, tokens, integrations, fresh-auth prompts, and RBAC mapping. | Doc merged with tables for scopes vs roles, screenshots, compliance checklist. |
+| DOCS-CONSOLE-23-009 | TODO | Docs Guild, DevOps Guild | DOWNLOADS-CONSOLE-23-001, CONSOLE-FEAT-23-109 | Publish `/docs/ui/downloads.md` listing product images, commands, offline instructions, parity with CLI, and compliance checklist. | Doc merged; manifest sample included; copy-to-clipboard guidance documented; checklist complete. |
+| DOCS-CONSOLE-23-010 | TODO | Docs Guild, Deployment Guild, Console Guild | DEVOPS-CONSOLE-23-002, CONSOLE-REL-23-301 | Write `/docs/deploy/console.md` (Helm, ingress, TLS, CSP, env vars, health checks) with compliance checklist. | Deploy doc merged; templates validated; CSP guidance included; checklist appended. |
+| DOCS-CONSOLE-23-011 | TODO | Docs Guild, Deployment Guild | DOCS-CONSOLE-23-010 | Update `/docs/install/docker.md` to cover Console image, Compose/Helm usage, offline tarballs, parity with CLI. | Doc updated with new sections; commands validated; compliance checklist appended.
|
+| DOCS-CONSOLE-23-012 | TODO | Docs Guild, Security Guild | AUTH-CONSOLE-23-003, WEB-CONSOLE-23-002 | Publish `/docs/security/console-security.md` detailing OIDC flows, scopes, CSP, fresh-auth, evidence handling, and compliance checklist. | Security doc merged; threat model notes included; checklist appended. |
+| DOCS-CONSOLE-23-013 | TODO | Docs Guild, Observability Guild | TELEMETRY-CONSOLE-23-001, CONSOLE-QA-23-403 | Write `/docs/observability/ui-telemetry.md` cataloguing metrics/logs/traces, dashboards, alerts, and feature flags. | Doc merged with instrumentation tables, dashboard screenshots, checklist appended. |
+| DOCS-CONSOLE-23-014 | TODO | Docs Guild, Console Guild, CLI Guild | CONSOLE-DOC-23-502 | Maintain `/docs/cli-vs-ui-parity.md` matrix and integrate CI check guidance. | Matrix published with parity status, CI workflow documented, compliance checklist appended. |
+| DOCS-CONSOLE-23-015 | TODO | Docs Guild, Architecture Guild | CONSOLE-CORE-23-001, WEB-CONSOLE-23-001 | Produce `/docs/architecture/console.md` describing frontend packages, data flow diagrams, SSE design, performance budgets. | Architecture doc merged with diagrams + compliance checklist; reviewers approve. |
+| DOCS-CONSOLE-23-016 | TODO | Docs Guild, Accessibility Guild | CONSOLE-QA-23-402, CONSOLE-FEAT-23-102 | Refresh `/docs/accessibility.md` with Console-specific keyboard flows, color tokens, testing tools, and compliance checklist updates. | Accessibility doc updated; audits referenced; checklist appended. |
+| DOCS-CONSOLE-23-017 | TODO | Docs Guild, Console Guild | CONSOLE-FEAT-23-101..109 | Create `/docs/examples/ui-tours.md` providing triage, audit, policy rollout walkthroughs with annotated screenshots and GIFs. | UI tours doc merged; media assets stored; compliance checklist appended.
|
+| DOCS-LNM-22-006 | TODO | Docs Guild, Architecture Guild | CONCELIER-LNM-21-001..005, EXCITITOR-LNM-21-001..005 | Refresh `/docs/architecture/conseiller.md` and `/docs/architecture/excitator.md` describing observation/linkset pipelines and event contracts. | Architecture docs updated with diagrams; checklist appended. |
+| DOCS-LNM-22-007 | TODO | Docs Guild, Observability Guild | CONCELIER-LNM-21-005, EXCITITOR-LNM-21-005, DEVOPS-LNM-22-002 | Publish `/docs/observability/aggregation.md` with metrics/traces/logs/SLOs. | Observability doc merged; dashboards referenced; checklist appended. |
+| DOCS-LNM-22-008 | TODO | Docs Guild, DevOps Guild | MERGE-LNM-21-001, CONCELIER-LNM-21-102 | Write `/docs/migration/no-merge.md` describing migration plan, backfill steps, rollback, feature flags. | Migration doc approved by stakeholders; checklist appended. |
+
+## Policy Engine + Editor v1
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-POLICY-23-001 | TODO | Docs Guild, Policy Guild | POLICY-SPL-23-001..003 | Author `/docs/policy/overview.md` describing SPL philosophy, layering, and glossary with reviewer checklist. | Doc merged; lint passes; checklist appended. |
+| DOCS-POLICY-23-002 | TODO | Docs Guild, Policy Guild | POLICY-SPL-23-001 | Write `/docs/policy/spl-v1.md` (language reference, JSON Schema, examples). | Reference published with schema snippets; checklist completed. |
+| DOCS-POLICY-23-003 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-50-001..004 | Produce `/docs/policy/runtime.md` covering compiler, evaluator, caching, events, SLOs. | Runtime doc merged with diagrams; observability references included. |
+| DOCS-POLICY-23-004 | TODO | Docs Guild, UI Guild | UI-POLICY-23-001..006 | Document `/docs/policy/editor.md` (UI walkthrough, validation, simulation, approvals). | Editor doc merged with screenshots; accessibility checklist satisfied.
| +| DOCS-POLICY-23-005 | TODO | Docs Guild, Security Guild | AUTH-POLICY-23-001..002 | Publish `/docs/policy/governance.md` (roles, scopes, approvals, signing, exceptions). | Governance doc merged; checklist appended. | +| DOCS-POLICY-23-006 | TODO | Docs Guild, BE-Base Platform Guild | WEB-POLICY-23-001..004 | Update `/docs/api/policy.md` with new endpoints, schemas, errors, pagination. | API doc aligns with OpenAPI; examples validated; checklist included. | +| DOCS-POLICY-23-007 | TODO | Docs Guild, DevEx/CLI Guild | CLI-POLICY-23-004..006 | Update `/docs/cli/policy.md` for lint/simulate/activate/history commands, exit codes. | CLI doc updated; samples verified; checklist appended. | +| DOCS-POLICY-23-008 | TODO | Docs Guild, Architecture Guild | POLICY-ENGINE-50-005..006 | Refresh `/docs/architecture/policy-engine.md` with data model, sequence diagrams, event flows. | Architecture doc merged with diagrams; checklist appended. | +| DOCS-POLICY-23-009 | TODO | Docs Guild, DevOps Guild | MERGE-LNM-21-001, DEVOPS-LNM-22-001 | Create `/docs/migration/policy-parity.md` covering dual-run parity plan and rollback. | Migration doc approved; checklist appended. | +| DOCS-POLICY-23-010 | TODO | Docs Guild, UI Guild | UI-POLICY-23-006 | Write `/docs/ui/explainers.md` showing explain trees, evidence overlays, interpretation guidance. | Doc merged with annotated screenshots; checklist appended. | + +## Graph & Vuln Explorer v1 + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| DOCS-GRAPH-24-001 | TODO | Docs Guild, UI Guild | UI-GRAPH-24-001..006 | Author `/docs/ui/sbom-graph-explorer.md` detailing overlays, filters, saved views, accessibility, and AOC visibility. | Doc merged; screenshots included; checklist appended. 
| +| DOCS-GRAPH-24-002 | TODO | Docs Guild, UI Guild | UI-GRAPH-24-005 | Publish `/docs/ui/vulnerability-explorer.md` covering table usage, grouping, fix suggestions, Why drawer. | Doc merged with annotated images; accessibility checklist satisfied. | +| DOCS-GRAPH-24-003 | TODO | Docs Guild, SBOM Service Guild | SBOM-GRAPH-24-001..003 | Create `/docs/architecture/graph-index.md` describing data model, ingestion pipeline, caches, events. | Architecture doc merged with diagrams; checklist appended. | +| DOCS-GRAPH-24-004 | TODO | Docs Guild, BE-Base Platform Guild | WEB-GRAPH-24-001..003 | Document `/docs/api/graph.md` and `/docs/api/vuln.md` avec endpoints, parameters, errors, RBAC. | API docs aligned with OpenAPI; examples validated; checklist appended. | +| DOCS-GRAPH-24-005 | TODO | Docs Guild, DevEx/CLI Guild | CLI-GRAPH-24-001..003 | Update `/docs/cli/graph-and-vuln.md` covering new CLI commands, exit codes, scripting. | CLI doc merged; examples tested; checklist appended. | +| DOCS-GRAPH-24-006 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-60-001..002 | Write `/docs/policy/ui-integration.md` explaining overlays, cache usage, simulator contracts. | Doc merged; references cross-linked; checklist appended. | +| DOCS-GRAPH-24-007 | TODO | Docs Guild, DevOps Guild | DEVOPS-GRAPH-24-001..003 | Produce `/docs/migration/graph-parity.md` with rollout plan, parity checks, fallback guidance. | Migration doc approved; checklist appended. | + +## Exceptions v1 + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| DOCS-EXC-25-001 | TODO | Docs Guild, Governance Guild | WEB-EXC-25-001 | Author `/docs/governance/exceptions.md` covering lifecycle, scope patterns, examples, compliance checklist. | Doc merged; reviewers sign off; checklist included. 
| +| DOCS-EXC-25-002 | TODO | Docs Guild, Authority Core | AUTH-EXC-25-001 | Publish `/docs/governance/approvals-and-routing.md` detailing roles, routing matrix, MFA rules, audit trails. | Doc merged; routing examples validated; checklist appended. | +| DOCS-EXC-25-003 | TODO | Docs Guild, BE-Base Platform Guild | WEB-EXC-25-001..003 | Create `/docs/api/exceptions.md` with endpoints, payloads, errors, idempotency notes. | API doc aligned with OpenAPI; examples tested; checklist appended. | +| DOCS-EXC-25-004 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-70-001 | Document `/docs/policy/exception-effects.md` explaining evaluation order, conflicts, simulation. | Doc merged; tests cross-referenced; checklist appended. | +| DOCS-EXC-25-005 | TODO | Docs Guild, UI Guild | UI-EXC-25-001..004 | Write `/docs/ui/exception-center.md` with UI walkthrough, badges, accessibility, shortcuts. | Doc merged with screenshots; accessibility checklist completed. | +| DOCS-EXC-25-006 | TODO | Docs Guild, DevEx/CLI Guild | CLI-EXC-25-001..002 | Update `/docs/cli/exceptions.md` covering command usage and exit codes. | CLI doc updated; examples validated; checklist appended. | +| DOCS-EXC-25-007 | TODO | Docs Guild, DevOps Guild | SCHED-WORKER-25-101, DEVOPS-GRAPH-24-003 | Publish `/docs/migration/exception-governance.md` describing cutover from legacy suppressions, notifications, rollback. | Migration doc approved; checklist included. | > Update statuses (TODO/DOING/REVIEW/DONE/BLOCKED) as progress changes. Keep guides in sync with configuration samples under `etc/`. > Remark (2025-10-13, DOC4.AUTH-PDG): Rate limit guide published (`docs/security/rate-limits.md`) and handed to plugin docs team for diagram uplift once PLG6.DIAGRAM lands. 
+ +## Orchestrator Dashboard (Epic 9) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| DOCS-ORCH-32-001 | TODO | Docs Guild | ORCH-SVC-32-001, AUTH-ORCH-32-001 | Author `/docs/orchestrator/overview.md` covering mission, roles, AOC alignment, governance, with imposed rule reminder. | Doc merged with diagrams; imposed rule statement included; entry linked from docs index. | +| DOCS-ORCH-32-002 | TODO | Docs Guild | ORCH-SVC-32-002 | Author `/docs/orchestrator/architecture.md` detailing scheduler, DAGs, rate limits, data model, message bus, storage layout, restating imposed rule. | Architecture doc merged; diagrams reviewed; imposed rule noted. | +| DOCS-ORCH-33-001 | TODO | Docs Guild | ORCH-SVC-33-001..004, WEB-ORCH-33-001 | Publish `/docs/orchestrator/api.md` (REST/WebSocket endpoints, payloads, error codes) with imposed rule note. | API doc merged; examples validated; imposed rule appended. | +| DOCS-ORCH-33-002 | TODO | Docs Guild | CONSOLE-ORCH-32-002, CONSOLE-ORCH-33-001..002 | Publish `/docs/orchestrator/console.md` covering screens, a11y, live updates, control actions, reiterating imposed rule. | Console doc merged with screenshots; accessibility checklist done; imposed rule statement present. | +| DOCS-ORCH-33-003 | TODO | Docs Guild | CLI-ORCH-33-001 | Publish `/docs/orchestrator/cli.md` documenting commands, options, exit codes, streaming output, offline usage, and imposed rule. | CLI doc merged; examples tested; imposed rule appended. | +| DOCS-ORCH-34-001 | TODO | Docs Guild | ORCH-SVC-34-002, LEDGER-34-101 | Author `/docs/orchestrator/run-ledger.md` covering ledger schema, provenance chain, audit workflows, with imposed rule reminder. | Run-ledger doc merged; payload samples validated; imposed rule included; cross-links added. 
| +| DOCS-ORCH-34-002 | TODO | Docs Guild | AUTH-ORCH-32-001, AUTH-ORCH-34-001 | Update `/docs/security/secrets-handling.md` for orchestrator KMS refs, redaction badges, operator hygiene, reiterating imposed rule. | Security doc merged; checklists updated; imposed rule restated; references from Console/CLI docs added. | +| DOCS-ORCH-34-003 | TODO | Docs Guild | ORCH-SVC-33-003, ORCH-SVC-34-001, DEVOPS-ORCH-34-001 | Publish `/docs/operations/orchestrator-runbook.md` (incident playbook, backfill guide, circuit breakers, throttling) with imposed rule statement. | Runbook merged; steps validated with DevOps; imposed rule included; runbook linked from ops index. | +| DOCS-ORCH-34-004 | TODO | Docs Guild | ORCH-SVC-32-005, WORKER-GO-33-001, WORKER-PY-33-001 | Document `/docs/schemas/artifacts.md` describing artifact kinds, schema versions, hashing, storage layout, restating imposed rule. | Schema doc merged; JSON schema provided; imposed rule included; sample payload validated. | +| DOCS-ORCH-34-005 | TODO | Docs Guild | ORCH-SVC-34-001, DEVOPS-ORCH-34-001 | Author `/docs/slo/orchestrator-slo.md` defining SLOs, burn alerts, measurement, and reiterating imposed rule. | SLO doc merged; dashboard screenshots embedded; imposed rule appended; alerts documented. | + +## Export Center (Epic 10) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| DOCS-EXPORT-35-001 | TODO | Docs Guild | EXPORT-SVC-35-001..006 | Author `/docs/export-center/overview.md` covering purpose, profiles, security, AOC alignment, surfaces, ending with imposed rule statement. | Doc merged with diagrams/examples; imposed rule line present; index updated. | +| DOCS-EXPORT-35-002 | TODO | Docs Guild | EXPORT-SVC-35-002..005 | Publish `/docs/export-center/architecture.md` describing planner, adapters, manifests, signing, distribution flows, restating imposed rule. 
| Architecture doc merged; sequence diagrams included; rule statement appended. |
+| DOCS-EXPORT-35-003 | TODO | Docs Guild | EXPORT-SVC-35-003..004 | Publish `/docs/export-center/profiles.md` detailing schema fields, examples, compatibility, and imposed rule reminder. | Profiles doc merged; JSON schemas linked; imposed rule noted. |
+| DOCS-EXPORT-36-004 | TODO | Docs Guild | EXPORT-SVC-36-001..004, WEB-EXPORT-36-001 | Publish `/docs/export-center/api.md` covering endpoints, payloads, errors, and mention imposed rule. | API doc merged; examples validated; rule included. |
+| DOCS-EXPORT-36-005 | TODO | Docs Guild | CLI-EXPORT-35-001, CLI-EXPORT-36-001 | Publish `/docs/export-center/cli.md` with command reference, CI scripts, verification steps, restating imposed rule. | CLI doc merged; script snippets tested; rule appended. |
+| DOCS-EXPORT-36-006 | TODO | Docs Guild | EXPORT-SVC-36-001, DEVOPS-EXPORT-36-001 | Publish `/docs/export-center/trivy-adapter.md` covering field mappings, compatibility matrix, and imposed rule reminder. | Doc merged; mapping tables validated; rule included. |
+| DOCS-EXPORT-37-001 | TODO | Docs Guild | EXPORT-SVC-37-001, DEVOPS-EXPORT-37-001 | Publish `/docs/export-center/mirror-bundles.md` describing filesystem/OCI layouts, delta/encryption, import guide, ending with imposed rule. | Doc merged; diagrams provided; verification steps tested; rule stated. |
+| DOCS-EXPORT-37-002 | TODO | Docs Guild | EXPORT-SVC-35-005, EXPORT-SVC-37-002 | Publish `/docs/export-center/provenance-and-signing.md` detailing manifests, attestation flow, verification, reiterating imposed rule. | Doc merged; signature examples validated; rule appended. |
+| DOCS-EXPORT-37-003 | TODO | Docs Guild | DEVOPS-EXPORT-37-001 | Publish `/docs/operations/export-runbook.md` covering failures, tuning, capacity planning, with imposed rule reminder. | Runbook merged; procedures validated; rule included.
| +| DOCS-EXPORT-37-004 | TODO | Docs Guild | AUTH-EXPORT-37-001, EXPORT-SVC-37-002 | Publish `/docs/security/export-hardening.md` outlining RBAC, tenancy, encryption, redaction, restating imposed rule. | Security doc merged; checklist updated; rule appended. | + +## Reachability v1 + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| DOCS-SIG-26-001 | TODO | Docs Guild, Signals Guild | SIGNALS-24-004 | Write `/docs/signals/reachability.md` covering states, scores, provenance, retention. | Doc merged with diagrams/examples; checklist appended. | +| DOCS-SIG-26-002 | TODO | Docs Guild, Signals Guild | SIGNALS-24-002 | Publish `/docs/signals/callgraph-formats.md` with schemas and validation errors. | Doc merged; examples tested; checklist included. | +| DOCS-SIG-26-003 | TODO | Docs Guild, Runtime Guild | SIGNALS-24-003 | Create `/docs/signals/runtime-facts.md` detailing agent capabilities, privacy safeguards, opt-in flags. | Doc merged; privacy review done; checklist appended. | +| DOCS-SIG-26-004 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-80-001 | Document `/docs/policy/signals-weighting.md` for SPL predicates and weighting strategies. | Doc merged; sample policies validated; checklist appended. | +| DOCS-SIG-26-005 | TODO | Docs Guild, UI Guild | UI-SIG-26-001..003 | Draft `/docs/ui/reachability-overlays.md` with badges, timelines, shortcuts. | Doc merged with screenshots; accessibility checklist completed. | +| DOCS-SIG-26-006 | TODO | Docs Guild, DevEx/CLI Guild | CLI-SIG-26-001..002 | Update `/docs/cli/reachability.md` for new commands and automation recipes. | Doc merged; examples verified; checklist appended. | +| DOCS-SIG-26-007 | TODO | Docs Guild, BE-Base Platform Guild | WEB-SIG-26-001..003 | Publish `/docs/api/signals.md` covering endpoints, payloads, ETags, errors. | API doc aligned with OpenAPI; examples tested; checklist appended. 
| +| DOCS-SIG-26-008 | TODO | Docs Guild, DevOps Guild | DEVOPS-SIG-26-001..002 | Write `/docs/migration/enable-reachability.md` guiding rollout, fallbacks, monitoring. | Migration doc approved; checklist appended. | + +## Policy Studio (Sprint 27) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| DOCS-POLICY-27-001 | TODO | Docs Guild, Policy Guild | REGISTRY-API-27-001, POLICY-ENGINE-27-001 | Publish `/docs/policy/studio-overview.md` covering lifecycle, roles, glossary, and compliance checklist. | Doc merged with diagrams + lifecycle table; checklist appended; stakeholders sign off. | +| DOCS-POLICY-27-002 | TODO | Docs Guild, Console Guild | CONSOLE-STUDIO-27-001 | Write `/docs/policy/authoring.md` detailing workspace templates, snippets, lint rules, IDE shortcuts, and best practices. | Authoring doc includes annotated screenshots, snippet catalog, compliance checklist. | +| DOCS-POLICY-27-003 | TODO | Docs Guild, Policy Registry Guild | REGISTRY-API-27-007 | Document `/docs/policy/versioning-and-publishing.md` (semver rules, attestations, rollback) with compliance checklist. | Doc merged with flow diagrams; attestation steps documented; checklist appended. | +| DOCS-POLICY-27-004 | TODO | Docs Guild, Scheduler Guild | REGISTRY-API-27-005, SCHED-WORKER-27-301 | Write `/docs/policy/simulation.md` covering quick vs batch sim, thresholds, evidence bundles, CLI examples. | Simulation doc includes charts, sample manifests, checklist appended. | +| DOCS-POLICY-27-005 | TODO | Docs Guild, Product Ops | REGISTRY-API-27-006 | Publish `/docs/policy/review-and-approval.md` with approver requirements, comments, webhooks, audit trail guidance. | Doc merged with role matrix + webhook schema; checklist appended. 
|
+| DOCS-POLICY-27-006 | TODO | Docs Guild, Policy Guild | REGISTRY-API-27-008 | Author `/docs/policy/promotion.md` covering environments, canary, rollback, and monitoring steps. | Promotion doc includes examples + checklist; verified by Policy Ops. |
+| DOCS-POLICY-27-007 | TODO | Docs Guild, DevEx/CLI Guild | CLI-POLICY-27-001..004 | Update `/docs/policy/cli.md` with new commands, JSON schemas, CI usage, and compliance checklist. | CLI doc merged with transcripts; schema references validated; checklist appended. |
+| DOCS-POLICY-27-008 | TODO | Docs Guild, Policy Registry Guild | REGISTRY-API-27-001..008 | Publish `/docs/policy/api.md` describing Registry endpoints, request/response schemas, errors, and feature flags. | API doc aligned with OpenAPI; examples validated; checklist appended. |
+| DOCS-POLICY-27-009 | TODO | Docs Guild, Security Guild | AUTH-POLICY-27-002 | Create `/docs/security/policy-attestations.md` covering signing, verification, key rotation, and compliance checklist. | Security doc approved by Security Guild; verifier steps documented; checklist appended. |
+| DOCS-POLICY-27-010 | TODO | Docs Guild, Architecture Guild | REGISTRY-API-27-001, SCHED-WORKER-27-301 | Author `/docs/architecture/policy-registry.md` (service design, schemas, queues, failure modes) with diagrams and checklist. | Architecture doc merged; diagrams committed; checklist appended. |
+| DOCS-POLICY-27-011 | TODO | Docs Guild, Observability Guild | DEVOPS-POLICY-27-004 | Publish `/docs/observability/policy-telemetry.md` with metrics/log tables, dashboards, alerts, and compliance checklist. | Observability doc merged; dashboards linked; checklist appended. |
+| DOCS-POLICY-27-012 | TODO | Docs Guild, Ops Guild | DEPLOY-POLICY-27-002 | Write `/docs/runbooks/policy-incident.md` detailing rollback, freeze, forensic steps, notifications. | Runbook merged; rehearsal recorded; checklist appended.
| +| DOCS-POLICY-27-013 | TODO | Docs Guild, Policy Guild | CONSOLE-STUDIO-27-001, REGISTRY-API-27-002 | Update `/docs/examples/policy-templates.md` with new templates, snippets, and sample policies. | Examples committed with commentary; lint passes; checklist appended. | +| DOCS-POLICY-27-014 | TODO | Docs Guild, Policy Registry Guild | REGISTRY-API-27-003, WEB-POLICY-27-001 | Refresh `/docs/aoc/aoc-guardrails.md` to include Studio-specific guardrails and validation scenarios. | Doc updated with Studio guardrails; compliance checklist appended. | + +## Vulnerability Explorer (Sprint 29) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| DOCS-VULN-29-001 | TODO | Docs Guild, Vuln Explorer Guild | VULN-API-29-001 | Publish `/docs/vuln/explorer-overview.md` covering domain model, identities, AOC guarantees, workflow summary. | Doc merged with diagrams/table; compliance checklist appended. | +| DOCS-VULN-29-002 | TODO | Docs Guild, Console Guild | CONSOLE-VULN-29-001..006 | Write `/docs/vuln/explorer-using-console.md` with workflows, screenshots, keyboard shortcuts, saved views, deep links. | Doc merged; images stored; WCAG notes included; checklist appended. | +| DOCS-VULN-29-003 | TODO | Docs Guild, Vuln Explorer API Guild | VULN-API-29-001..009 | Author `/docs/vuln/explorer-api.md` (endpoints, query schema, grouping, errors, rate limits). | Doc aligned with OpenAPI; examples validated; checklist appended. | +| DOCS-VULN-29-004 | TODO | Docs Guild, DevEx/CLI Guild | CLI-VULN-29-001..005 | Publish `/docs/vuln/explorer-cli.md` with command reference, samples, exit codes, CI snippets. | CLI doc merged; transcripts/JSON outputs validated; checklist appended. | +| DOCS-VULN-29-005 | TODO | Docs Guild, Findings Ledger Guild | LEDGER-29-001..009 | Write `/docs/vuln/findings-ledger.md` detailing event schema, hashing, Merkle roots, replay tooling. 
| Doc merged; compliance checklist appended; audit team sign-off. |
+| DOCS-VULN-29-006 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-29-001..003 | Update `/docs/policy/vuln-determinations.md` for new rationale, signals, simulation semantics. | Doc updated; examples validated; checklist appended. |
+| DOCS-VULN-29-007 | TODO | Docs Guild, Excititor Guild | EXCITITOR-VULN-29-001..004 | Publish `/docs/vex/explorer-integration.md` covering CSAF mapping, suppression precedence, status semantics. | Doc merged; compliance checklist appended. |
+| DOCS-VULN-29-008 | TODO | Docs Guild, Concelier Guild | CONCELIER-VULN-29-001..004 | Publish `/docs/advisories/explorer-integration.md` covering key normalization, withdrawn handling, provenance. | Doc merged; checklist appended. |
+| DOCS-VULN-29-009 | TODO | Docs Guild, SBOM Service Guild | SBOM-VULN-29-001..002 | Author `/docs/sbom/vuln-resolution.md` detailing version semantics, scope, paths, safe version hints. | Doc merged; ecosystem tables validated; checklist appended. |
+| DOCS-VULN-29-010 | TODO | Docs Guild, Observability Guild | VULN-API-29-009, DEVOPS-VULN-29-002 | Publish `/docs/observability/vuln-telemetry.md` (metrics, logs, tracing, dashboards, SLOs). | Doc merged; dashboards linked; checklist appended. |
+| DOCS-VULN-29-011 | TODO | Docs Guild, Security Guild | AUTH-VULN-29-001..003 | Create `/docs/security/vuln-rbac.md` for roles, ABAC policies, attachment encryption, CSRF. | Security doc approved; checklist appended. |
+| DOCS-VULN-29-012 | TODO | Docs Guild, Ops Guild | DEVOPS-VULN-29-002, SCHED-WORKER-29-003 | Write `/docs/runbooks/vuln-ops.md` (projector lag, resolver storms, export failures, policy activation). | Runbook merged; rehearsal recorded; checklist appended. |
+| DOCS-VULN-29-013 | TODO | Docs Guild, Deployment Guild | DEPLOY-VULN-29-001..002 | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API images, manifests, resource sizing, health checks.
| Install doc updated; validation commands included; checklist appended. | + +## VEX Lens (Sprint 30) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| DOCS-VEX-30-001 | TODO | Docs Guild, VEX Lens Guild | VEXLENS-30-005 | Publish `/docs/vex/consensus-overview.md` describing purpose, scope, AOC guarantees. | Doc merged with diagrams/terminology tables; compliance checklist appended. | +| DOCS-VEX-30-002 | TODO | Docs Guild, VEX Lens Guild | VEXLENS-30-005 | Author `/docs/vex/consensus-algorithm.md` covering normalization, weighting, thresholds, examples. | Doc merged; math reviewed by Policy; checklist appended. | +| DOCS-VEX-30-003 | TODO | Docs Guild, Issuer Directory Guild | ISSUER-30-001..003 | Document `/docs/vex/issuer-directory.md` (issuer management, keys, trust overrides, audit). | Doc merged; security review done; checklist appended. | +| DOCS-VEX-30-004 | TODO | Docs Guild, VEX Lens Guild | VEXLENS-30-007 | Publish `/docs/vex/consensus-api.md` with endpoint specs, query params, rate limits. | API doc aligned with OpenAPI; examples validated; checklist appended. | +| DOCS-VEX-30-005 | TODO | Docs Guild, Console Guild | CONSOLE-VEX-30-001 | Write `/docs/vex/consensus-console.md` covering UI workflows, filters, conflicts, accessibility. | Doc merged; screenshots added; checklist appended. | +| DOCS-VEX-30-006 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-29-001, VEXLENS-30-004 | Add `/docs/policy/vex-trust-model.md` detailing policy knobs, thresholds, simulation. | Doc merged; policy review completed; checklist appended. | +| DOCS-VEX-30-007 | TODO | Docs Guild, SBOM Service Guild | VEXLENS-30-002 | Publish `/docs/sbom/vex-mapping.md` (CPE→purl strategy, edge cases, overrides). | Doc merged; mapping tables validated; checklist appended. 
| +| DOCS-VEX-30-008 | TODO | Docs Guild, Security Guild | ISSUER-30-002, VEXLENS-30-003 | Deliver `/docs/security/vex-signatures.md` (verification flow, key rotation, audit). | Doc approved by Security; checklist appended. | +| DOCS-VEX-30-009 | TODO | Docs Guild, DevOps Guild | VEXLENS-30-009, DEVOPS-VEX-30-001 | Create `/docs/runbooks/vex-ops.md` for recompute storms, mapping failures, signature errors. | Runbook merged; rehearsal logged; checklist appended. | + +## Advisory AI (Sprint 31) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| DOCS-AIAI-31-001 | TODO | Docs Guild, Advisory AI Guild | AIAI-31-006 | Publish `/docs/advisory-ai/overview.md` covering capabilities, guardrails, RBAC. | Doc merged with diagrams; compliance checklist appended. | +| DOCS-AIAI-31-002 | TODO | Docs Guild, Advisory AI Guild | AIAI-31-004 | Author `/docs/advisory-ai/architecture.md` detailing RAG pipeline, deterministics, caching, model options. | Doc merged; architecture review done; checklist appended. | +| DOCS-AIAI-31-003 | TODO | Docs Guild, Advisory AI Guild | AIAI-31-006 | Write `/docs/advisory-ai/api.md` describing endpoints, schemas, errors, rate limits. | API doc aligned with OpenAPI; examples validated; checklist appended. | +| DOCS-AIAI-31-004 | TODO | Docs Guild, Console Guild | CONSOLE-VULN-29-001, CONSOLE-VEX-30-001 | Create `/docs/advisory-ai/console.md` with screenshots, a11y notes, copy-as-ticket instructions. | Doc merged; images stored; checklist appended. | +| DOCS-AIAI-31-005 | TODO | Docs Guild, DevEx/CLI Guild | CLI-VULN-29-001, CLI-VEX-30-001 | Publish `/docs/advisory-ai/cli.md` covering commands, exit codes, scripting patterns. | Doc merged; examples tested; checklist appended. | +| DOCS-AIAI-31-006 | TODO | Docs Guild, Policy Guild | POLICY-ENGINE-31-001 | Update `/docs/policy/assistant-parameters.md` covering temperature, token limits, ranking weights, TTLs. 
| Doc merged; policy review done; checklist appended. | +| DOCS-AIAI-31-007 | TODO | Docs Guild, Security Guild | AIAI-31-005 | Write `/docs/security/assistant-guardrails.md` detailing redaction, injection defense, logging. | Doc approved by Security; checklist appended. | +| DOCS-AIAI-31-008 | TODO | Docs Guild, SBOM Service Guild | SBOM-AIAI-31-001 | Publish `/docs/sbom/remediation-heuristics.md` (feasibility scoring, blast radius). | Doc merged; heuristics reviewed; checklist appended. | +| DOCS-AIAI-31-009 | TODO | Docs Guild, DevOps Guild | DEVOPS-AIAI-31-001 | Create `/docs/runbooks/assistant-ops.md` for warmup, cache priming, model outages, scaling. | Runbook merged; rehearsal logged; checklist appended. | + +## Notifications Studio + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| DOCS-NOTIFY-38-001 | TODO | Docs Guild, Notifications Service Guild | NOTIFY-SVC-38-001..004 | Publish `/docs/notifications/overview.md` and `/docs/notifications/architecture.md`, each ending with imposed rule reminder. | Docs merged; diagrams verified; imposed rule appended. | +| DOCS-NOTIFY-39-002 | TODO | Docs Guild, Notifications Service Guild | NOTIFY-SVC-39-001..004 | Publish `/docs/notifications/rules.md`, `/docs/notifications/templates.md`, `/docs/notifications/digests.md` with examples and imposed rule line. | Docs merged; examples validated; imposed rule appended. | +| DOCS-NOTIFY-40-001 | TODO | Docs Guild, Security Guild | AUTH-NOTIFY-38-001, NOTIFY-SVC-40-001..004 | Publish `/docs/notifications/channels.md`, `/docs/notifications/escalations.md`, `/docs/notifications/api.md`, `/docs/operations/notifier-runbook.md`, `/docs/security/notifications-hardening.md`; each ends with imposed rule line. | Docs merged; accessibility checks passed; imposed rule appended. 
|
+
+## CLI Parity & Task Packs
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-CLI-41-001 | TODO | Docs Guild, DevEx/CLI Guild | CLI-CORE-41-001 | Publish `/docs/cli/overview.md`, `/docs/cli/configuration.md`, `/docs/cli/output-and-exit-codes.md` with imposed rule statements. | Docs merged; examples verified; imposed rule appended. |
+| DOCS-CLI-42-001 | TODO | Docs Guild | DOCS-CLI-41-001, CLI-PARITY-41-001 | Publish `/docs/cli/parity-matrix.md` and command guides under `/docs/cli/commands/*.md` (policy, sbom, vuln, vex, advisory, export, orchestrator, notify, aoc, auth). | Guides merged; parity automation documented; imposed rule appended. |
+| DOCS-PACKS-43-001 | TODO | Docs Guild, Task Runner Guild | PACKS-REG-42-001, TASKRUN-42-001 | Publish `/docs/task-packs/spec.md`, `/docs/task-packs/authoring-guide.md`, `/docs/task-packs/registry.md`, `/docs/task-packs/runbook.md`, `/docs/security/pack-signing-and-rbac.md`, `/docs/operations/cli-release-and-packaging.md` with imposed rule statements. | Docs merged; tutorials validated; imposed rule appended; cross-links added. |
+
+## Containerized Distribution (Epic 13)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-INSTALL-44-001 | TODO | Docs Guild, Deployment Guild | COMPOSE-44-001 | Publish `/docs/install/overview.md` and `/docs/install/compose-quickstart.md` with imposed rule line and copy-ready commands. | Docs merged; screenshots/commands verified; imposed rule appended. |
+| DOCS-INSTALL-45-001 | TODO | Docs Guild, Deployment Guild | HELM-45-001 | Publish `/docs/install/helm-prod.md` and `/docs/install/configuration-reference.md` with values tables and imposed rule reminder. | Docs merged; configuration matrix verified; imposed rule appended.
|
+| DOCS-INSTALL-46-001 | TODO | Docs Guild, Security Guild | DEPLOY-PACKS-43-001, CLI-PACKS-43-001 | Publish `/docs/install/airgap.md`, `/docs/security/supply-chain.md`, `/docs/operations/health-and-readiness.md`, `/docs/release/image-catalog.md`, `/docs/console/onboarding.md` (each with imposed rule). | Docs merged; checksum/signature sections validated; imposed rule appended. |
+
+## Authority-Backed Scopes & Tenancy (Epic 14)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCS-TEN-47-001 | TODO | Docs Guild, Authority Core | AUTH-TEN-47-001 | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` outlining scope grammar, tenant model, imposed rule reminder. | Docs merged; diagrams included; imposed rule appended. |
+| DOCS-TEN-48-001 | TODO | Docs Guild, Platform Ops | WEB-TEN-48-001 | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md`. | Docs merged; examples validated; imposed rule appended. |
+| DOCS-TEN-49-001 | TODO | Docs & DevEx Guilds | CLI-TEN-47-001, AUTH-TEN-49-001 | Publish `/docs/cli/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, update `/docs/install/configuration-reference.md` with new env vars, all ending with imposed rule line. | Docs merged; command examples verified; imposed rule appended. |
diff --git a/docs/airgap/EPIC_16_AIRGAP_MODE.md b/docs/airgap/EPIC_16_AIRGAP_MODE.md
new file mode 100644
index 00000000..9a11679c
--- /dev/null
+++ b/docs/airgap/EPIC_16_AIRGAP_MODE.md
@@ -0,0 +1,429 @@
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+---
+
+# Epic 16: Air‑Gapped Mode
+
+**Short name:** Air‑Gapped Mode
+**Primary components:** Web Services API, Console, CLI, Orchestrator, Task Runner, Conseiller (Feedser), Excitator (VEXer), Policy Engine, Findings Ledger, Export Center, Authority & Tenancy, Notifications, Observability & Forensics
+**Surfaces:** offline bootstrap, update ingestion via mirror bundles, sealed egress, deterministic jobs, offline advisories/VEX, offline policy packs, offline notifications, evidence exports
+**Dependencies:** Export Center, Containerized Distribution, Authority‑Backed Scopes & Tenancy, Observability & Forensics, Policy Studio
+
+**AOC ground rule reminder:** Conseiller and Excitator aggregate and link advisories/VEX. They never merge or mutate source records. Air‑Gapped Mode must preserve this invariant even when mirroring and importing updates.
+
+---
+
+## 1) What it is
+
+A fully supported operating profile where StellaOps runs in a disconnected environment with:
+
+* **Zero external egress** from platform services and jobs.
+* **Deterministic inputs** provided via signed, offline **Mirror Bundles** (advisories, VEX, policy packs, vendor feeds, Stella metadata, container images, dashboards).
+* **Offline bootstrap** for images and charts, plus reproducible configuration and cryptographically verifiable updates.
+* **Graceful feature degradation** with explicit UX: features that require external connectivity are either backed by local artifacts or clearly disabled with an explanation.
+* **Auditable import/export** including provenance attestations, evidence bundles, and chain‑of‑custody for all offline exchanges.
+
+Air‑Gapped Mode is selectable at install time and enforceable at runtime. When enabled, all components operate under an “egress sealed” policy and only consume data from local stores.
+
+---
+
+## 2) Why
+
+Many users operate in classified, regulated, or high‑sensitivity networks where egress is prohibited. They still need SBOM analysis, policy evaluation, advisory/VEX mapping, and reporting. Air‑Gapped Mode provides the same core outcomes with verifiable offline inputs and explicit operational guardrails.
+
+---
+
+## 3) How it should work
+
+### 3.1 Modes and lifecycle
+
+* **Connected Mode:** normal operation; can create Mirror Bundles on a staging host.
+* **Sealed Air‑Gapped Mode:** platform enforces no egress. Only local resources are allowed.
+* **Transition flow:**
+
+ 1. Prepare an offline **Bootstrap Pack** with all container images, Helm/compose charts, seed database, and initial Mirror Bundle.
+ 2. Install in the air‑gapped enclave and **seal** egress.
+ 3. Periodically import new **Mirror Bundles** via removable media.
+ 4. Export evidence/reports as needed.
+
+### 3.2 Egress sealing
+
+* **Static guardrails:**
+
+ * Platform flag `STELLA_AIRGAP=sealed` and database feature flag `env.mode='sealed'`.
+ * NetworkPolicy/iptables/eBPF deny‑all egress for namespaces/pods except loopback and the internal object store.
+ * Outbound DNS blocked.
+ * HTTP clients in code use a single `EgressPolicy` facade. When sealed, it panics on direct network calls and returns a typed error with remediation (“import a Mirror Bundle”).
+* **Verification:** `GET /system/airgap/status` returns `sealed: true|false`, current policy hash, and last import timestamp. CLI prints warning if not sealed in declared air‑gapped install.
+
+### 3.3 Trusted time
+
+* Air‑gapped systems cannot NTP. Each Mirror Bundle includes a **signed time token** (Roughtime‑style or RFC 3161) from a trusted authority. On import, platform stores `time_anchor` for drift calculations and staleness checks.
+* If time drift exceeds policy threshold, UI shows “stale view” badges and some jobs are blocked until a new bundle provides a fresh anchor.
+
+### 3.4 Mirror Bundles (offline updates)
+
+* **Content types:**
+
+ * Public advisories (OSV, GHSA, vendor advisories), NVD mappings, CPE/Package metadata.
+ * VEX statements from vendors/communities.
+ * Policy packs (templates, baselines, versioned rule sets).
+ * StellaOps engine metadata and schema migrations.
+ * Optional: **OCI image set** for platform and recommended runners.
+ * Optional: dashboards and alert rule packs.
+* **Format:** a TUF‑like layout:
+
+ ```
+ root.json, snapshot.json, timestamp.json, targets/
+ advisories/*.jsonl.zst
+ vex/*.jsonl.zst
+ policy/*.tar.zst
+ images/* (OCI layout or oci-archive)
+ meta/engine/*.tgz
+ meta/time-anchor.json (signed)
+ ```
+* **Integrity & trust:**
+
+ * DSSE‑signed target manifests.
+ * Root of trust rotated via `root.json` within strict policy; rotation requires manual dual approval in sealed mode.
+ * Each content artifact has a content digest and a **Merkle root** for the overall bundle.
+* **Creation:** in connected networks, `stella mirror create --content advisories,vex,policy,images --since 2025-01-01 --out bundle.tgz`.
+* **Import:** in air‑gap, `stella airgap import bundle.tgz`. The importer verifies DSSE, TUF metadata, Merkle root, then writes to local object store and updates catalog tables.
+* **Idempotence:** imports are content‑addressed; re‑imports deduplicate.
+
+### 3.5 Deterministic jobs and sources
+
+* **Allowed sources:** filesystem, internal object store, tenant private registry, and pre‑approved connectors that don’t require external egress.
+* **Disallowed in sealed mode:** remote package registries, web scrapers, outbound webhooks, cloud KMS unless on the enclave network.
+* **Runner policy:** the Task Runner verifies job descriptors contain no network calls unless marked `internal:` with allow‑listed destinations. Violations fail at plan time with an explainable error.
+
+### 3.6 Conseiller and Excitator in air‑gap
+
+* **Conseiller (Feedser):** ingests advisories only from imported bundles or tenant local feeds. It preserves source identities and never merges. Linkage uses bundle‑provided cross‑refs and local heuristics.
+* **Excitator (VEXer):** imports VEX records as‑is, links them to components and advisories, and records the origin bundle and statement digests. Consensus Lens (Epic 7) operates offline across the imported sources.
+
+### 3.7 Policy Engine and Studio
+
+* Policy packs are versioned and imported via bundles.
+* Simulation and authoring work locally. Exports of new or updated policies can be packaged as **Policy Sub‑Bundles** for transfer back to connected environments if needed.
+* Engine shows which rules depend on external evidence and how they degrade in sealed mode (e.g., “No external EPSS; using cached percentile from last bundle.”).
+
+### 3.8 Notifications in sealed mode
+
+* Default to **local delivery** only: SMTP relay inside enclave, syslog, file sink.
+* External webhooks are disabled.
+* Notification templates show “air‑gap compliant channel” tags to avoid misconfiguration.
+
+### 3.9 Observability & Forensics
+
+* Traces, logs, metrics remain local.
+* Evidence Locker supports **portable evidence packages** for cross‑domain transfer: `stella forensic snapshot create --portable`.
+* Importing an evidence bundle in another enclave verifies signatures and maintains chain‑of‑custody.
+
+### 3.10 Console and CLI behavior
+
+* Console shows a prominent **Air‑Gapped: Sealed** badge with last import time and staleness indicators for advisories, VEX, and policy packs.
+* CLI commands gain `--sealed` awareness: any operation that would egress prints a refusal with remediation suggesting the appropriate import.
+
+### 3.11 Multi‑tenant and scope
+
+* Tenancy works unchanged. Bundle imports can target:
+
+ * `--tenant-global`: shared catalogs (advisories, VEX, policy baselines).
+ * `--tenant=`: tenant‑specific content (e.g., private advisories).
+* Authority scopes gain `airgap:import`, `airgap:status:read`, `airgap:seal` (admin‑only).
+
+### 3.12 Feature degradation matrix
+
+* **AI Assistant:** offline variants use local models if installed; otherwise feature is disabled with a message.
+* **External reputation feeds (e.g., EPSS‑like):** replaced by cached values from the bundle.
+* **Container base image lookups:** rely on imported metadata or tenant private registry.
+
+---
+
+## 4) Architecture
+
+### 4.1 New modules
+
+* `airgap/controller`
+
+ * Sealing state machine; status API; guardrails wiring into HTTP clients and runner.
+* `airgap/importer`
+
+ * TUF/DSSE verification, Merkle validation, object store loader, catalog updater.
+* `mirror/creator`
+
+ * Connected‑side builder for bundles; content plug‑ins for advisories/VEX/policy/images.
+* `airgap/policy`
+
+ * Enforcement library exposing `EgressPolicy` facade and job plan validators.
+* `airgap/time`
+
+ * Time anchor parser, drift checks, staleness annotations.
+* `console/airgap`
+
+ * Sealed badge, import UI, staleness dashboards, degradation notices.
+* `cli/airgap`
+
+ * `stella airgap seal|status|import|verify` commands; `stella mirror create|verify`.
+
+### 4.2 Data model additions
+
+* `airgap_state(id, sealed BOOLEAN, policy_hash TEXT, last_import_at TIMESTAMP, time_anchor JSONB)`
+* `bundle_catalog(id, kind ENUM, merkle_root TEXT, dsse_signer TEXT, created_at TIMESTAMP, imported_at TIMESTAMP, scope ENUM('global','tenant'), tenant_id NULLABLE, labels JSONB)`
+* `bundle_items(bundle_id, path TEXT, sha256 TEXT, size BIGINT, type TEXT, meta JSONB)`
+* `import_audit(id, bundle_id, actor, tenant_scope, verify_result, trace_id, created_at)`
+
+RLS: tenant‑scoped rows when `scope='tenant'`; global rows readable only with `stella:airgap:status:read`.
+
+### 4.3 Storage layout
+
+Object store paths:
+
+```
+tenants/_global/mirror//targets/...
+tenants//mirror//targets/...
+tenants/_global/images//...
+```
+
+Evidence locker remains separate. Imported images use **OCI layout** for local registry sync.
+
+### 4.4 Message topics
+
+* `stella..airgap.imported` with bundle metadata.
+* `stella..airgap.staleness` periodic events emitted for UX.
+* `stella..policy.degraded` when rules fall back due to sealed mode.
+
+---
+
+## 5) APIs and contracts
+
+### 5.1 Status and control
+
+* `GET /system/airgap/status` → `{ sealed, policy_hash, last_import_at, time_anchor, drift_seconds, staleness: { advisories_days, vex_days, policy_days } }`
+* `POST /system/airgap/seal` → seals environment; requires `stella:airgap:seal#tenant/`.
+* `POST /system/airgap/unseal` → only allowed if installed mode is not declared “permanently sealed” at bootstrap. Typically disabled.
+
+### 5.2 Import & verify
+
+* `POST /airgap/import` multipart or file reference → runs verify, writes catalog, returns bundle summary and warnings.
+* `POST /airgap/verify` dry‑run verification returning DSSE/TUF and Merkle results.
+* `GET /airgap/bundles` list imported bundles with filters.
+
+### 5.3 Conseiller/Excitator sources
+
+* `POST /feeds/register` supports `kind=mirror` with `bundle_id` and paths; disallowed to point to external URLs in sealed mode.
+* `GET /feeds/status` shows per‑source staleness and last artifact version.
+
+### 5.4 Errors
+
+Standardized sealed‑mode error:
+
+```
+{
+ "code": "AIRGAP_EGRESS_BLOCKED",
+ "message": "Egress is sealed. Import a Mirror Bundle with advisories.",
+ "remediation": "Run: stella airgap import bundle.tgz",
+ "trace_id": "..."
+}
+```
+
+---
+
+## 6) Documentation changes
+
+Create or update:
+
+1. `/docs/airgap/overview.md`
+
+ * Modes, lifecycle, responsibilities, threat model, what degrades.
+2. `/docs/airgap/bootstrap.md`
+
+ * Offline Bootstrap Pack creation, validation, install steps for Helm/compose, local registry seeding.
+3. `/docs/airgap/mirror-bundles.md`
+
+ * Bundle format, DSSE/TUF/Merkle, signed time, creation on connected host, import in sealed environment, rotation of roots.
+4. `/docs/airgap/sealing-and-egress.md`
+
+ * Network policies, EgressPolicy facade, runner validation, verifying sealed status.
+5. `/docs/airgap/staleness-and-time.md`
+
+ * Time anchor, drift, staleness budgets and UI behavior.
+6. `/docs/airgap/operations.md`
+
+ * Periodic update cadence, runbooks, failure scenarios, disaster recovery.
+7. `/docs/airgap/degradation-matrix.md`
+
+ * Feature map: available, degraded, disabled; with remediation.
+8. `/docs/console/airgap.md`
+
+ * Status badges, import wizard, staleness indicators.
+9. `/docs/cli/airgap.md`
+
+ * Commands, examples, exit codes.
+10. `/docs/security/trust-and-signing.md`
+
+* Roots of trust, key rotation, DSSE, TUF model.
+
+11. `/docs/dev/airgap-contracts.md`
+
+* EgressPolicy usage, testing patterns, sealed‑mode CI gates.
+
+Add the banner at the top of each page:
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+---
+
+## 7) Implementation plan
+
+### Phase 1 — Foundations
+
+* Add `airgap/controller` with sealed state and status API.
+* Integrate `EgressPolicy` facade in all outbound network call sites.
+* Provide default NetworkPolicy/iptables templates and Helm values to block egress.
+* Console shows sealed badge and status.
+
+### Phase 2 — Mirror Bundles
+
+* Implement `mirror/creator` in connected mode with content plug‑ins.
+* Implement `airgap/importer` with DSSE/TUF/Merkle verification and catalog updates.
+* Export Center gains **Mirror bundle** build and verify commands (connected side).
+
+### Phase 3 — Deterministic jobs
+
+* Add job plan validation in the Task Runner.
+* Restrict sources in sealed mode.
+* Conseiller/Excitator add “mirror source” adapters.
+
+### Phase 4 — Staleness and time
+
+* Parse time anchors; enforce staleness budgets; add UI indicators and task refusal when budgets exceeded.
+* Notifications for expiring anchors.
+
+### Phase 5 — Degradation matrix and UX
+
+* Wire feature flags and fallbacks in Console and APIs.
+* Improve error messages with remediation guidance.
+
+### Phase 6 — Evidence portability
+
+* Portable evidence packages: export/import with full verification.
+* Document cross‑domain workflows.
+
+---
+
+## 8) Engineering tasks
+
+**Air‑gap controller and sealing**
+
+* [ ] Implement `airgap/controller` with persistent state and RBAC.
+* [ ] Add `GET /system/airgap/status`, `POST /system/airgap/seal`.
+* [ ] Provide cluster egress templates for Kubernetes and for docker‑compose.
+* [ ] Instrument startup checks to refuse running in sealed mode if egress rules aren’t applied.
+
+**EgressPolicy integration**
+
+* [ ] Create `pkg/egress` facade and replace all direct HTTP client constructions in services.
+* [ ] Add linter rule and CI check forbidding raw `http.NewClient` in server code.
+* [ ] Add unit tests for sealed and unsealed behavior.
+
+**Mirror bundles**
+
+* [ ] Implement TUF/DSSE verifiers and Merkle root builder.
+* [ ] Build content plug‑ins: advisories, VEX, policy packs, images.
+* [ ] Write `bundle_catalog` and `bundle_items` tables with RLS.
+* [ ] CLI: `stella mirror create|verify`, `stella airgap import|verify`.
+
+**Conseiller/Excitator**
+
+* [ ] Add mirror adapters for read‑only ingestion from bundle paths.
+* [ ] Persist source digests and bundle IDs on each linked record.
+* [ ] Unit tests to ensure no merge behavior is introduced by bundle ingestion.
+
+**Policy Engine & Studio**
+
+* [ ] Accept policy packs from bundles; track `policy_version` and `bundle_id`.
+* [ ] Add degradation notices for rules requiring external reputation; provide cached fallbacks.
+
+**Task Runner & Orchestrator**
+
+* [ ] Plan‑time validation against network calls; add `internal:` allow‑list mapping.
+* [ ] Emit sealed‑mode violations to Timeline with remediation text.
+
+**Console**
+
+* [ ] Status panel: sealed badge, last import, staleness meters.
+* [ ] Import wizard with verify results and catalog diff preview.
+* [ ] Degradation matrix UI and contextual tooltips.
+
+**Observability & Forensics**
+
+* [ ] Mark sealed mode in telemetry attributes.
+* [ ] Add portable evidence package export/import; verify on read.
+
+**Authority & Tenancy**
+
+* [ ] New scopes: `airgap:seal`, `airgap:import`, `airgap:status:read`.
+* [ ] Audit import actions with actor and trace ID.
+
+**Docs**
+
+* [ ] Author all pages listed in section 6, include signed‑time workflow diagrams.
+* [ ] Insert banner statement in each page.
+
+**Testing**
+
+* [ ] Sealed‑mode e2e: attempt egress; ensure refusal and remediation.
+* [ ] Bundle import e2e: corrupt DSSE, wrong root, tampered artifact → rejected.
+* [ ] Performance: large advisory bundle import within target time (see Acceptance).
+* [ ] Time drift scenarios and staleness budget enforcement.
+* [ ] Regression: ensure AOC rules unchanged in sealed mode.
+
+---
+
+## 9) Feature changes required in other components
+
+* **Export Center:** add mirror bundle export profile, signed‑time token inclusion, and portable evidence packages.
+* **Notifications:** remove external webhooks by default in sealed mode; add local SMTP/syslog sinks.
+* **CLI Parity:** ensure all admin and import operations are exposed; add sealed‑mode safety prompts.
+* **Containerized Distribution:** ship **Bootstrap Pack** that includes all images and charts in a single oci‑archive set with index manifest.
+* **Observability:** disable remote exporters; include local dashboards; mark sealed mode in UI.
+* **Policy Studio:** enable offline authoring and export of policy sub‑bundles.
+* **VEX Consensus Lens:** ensure it operates solely on imported VEX statements; highlight coverage vs. stale.
+
+> **Imposed rule reminder:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+---
+
+## 10) Acceptance criteria
+
+* Environment can be **sealed** and verified via API, CLI, and network policies.
+* Import of a valid Mirror Bundle succeeds; DSSE, TUF, and Merkle validations recorded in `import_audit`.
+* Conseiller and Excitator operate only on imported sources; linkage reflects original source identities.
+* Policy packs are importable and versioned; rules that depend on external evidence show clear degradation.
+* Large bundle (e.g., 8–12 GB with images) imports in under 20 minutes on SSD storage and indexes advisories in under 5 minutes on a 4‑core node.
+* Console displays sealed badge, last import, staleness, and degradation matrix.
+* Attempted egress in sealed mode fails with `AIRGAP_EGRESS_BLOCKED` and remediation.
+* Portable evidence packages export and verify across separate enclaves.
+* All changes documented with the banner statement.
+
+---
+
+## 11) Risks and mitigations
+
+* **Key management complexity:** rotate TUF roots with dual‑control workflow and explicit docs; fail‑safe to previous root if rotation bundle absent.
+* **Staleness risk:** enforce budgets and block risk‑critical jobs when expired; provide monitoring and notifications for impending staleness.
+* **Operator error during import:** dry‑run verification, diff preview of catalog changes, and ability to roll back via content address.
+* **Hidden egress paths:** CI lints and runtime guardrails; network policies enforced at cluster layer.
+* **Bundle size bloat:** Zstandard compression, delta bundles, and selective content flags for creation.
+
+---
+
+## 12) Philosophy
+
+* **Predictable over perfect:** deterministic, explainable results beat unknown “live” results in sensitive networks.
+* **Trust is earned:** every offline exchange is signed, verifiable, and auditable.
+* **Degrade transparently:** when features reduce capability, explain it and guide remediation.
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
diff --git a/docs/aoc/aoc-guardrails.md b/docs/aoc/aoc-guardrails.md
new file mode 100644
index 00000000..568d969a
--- /dev/null
+++ b/docs/aoc/aoc-guardrails.md
@@ -0,0 +1,11 @@
+# Aggregation-Only Contract (AOC) Guardrails
+
+The Aggregation-Only Contract keeps ingestion services deterministic and policy-neutral. Use these checkpoints whenever you add or modify backlog items:
+
+1. **Ingestion writes raw facts only.** Concelier and Excititor append immutable observations/linksets. No precedence, severity, suppression, or "safe fix" hints may be computed at ingest time.
+2. **Derived semantics live elsewhere.** Policy Engine overlays, Vuln Explorer composition, and downstream reporting layers attach severity, precedence, policy verdicts, and UI hints.
+3. **Provenance is mandatory.** Every ingestion write must include original source metadata, digests, and signing/provenance evidence when available. Reject writes lacking provenance.
+4. **Deterministic outputs.** Given the same inputs, ingestion must produce identical documents, hashes, and event payloads across reruns.
+5. **Guardrails everywhere.** Roslyn analyzers, schema validators, and CI smoke tests should fail builds that attempt forbidden writes.
+
+For detailed roles and ownership boundaries, see `AGENTS.md` at the repo root and the module-specific `ARCHITECTURE_*.md` dossiers.
diff --git a/docs/api/EPIC_17_SDKS_OPENAPI.md b/docs/api/EPIC_17_SDKS_OPENAPI.md
new file mode 100644
index 00000000..80fc4372
--- /dev/null
+++ b/docs/api/EPIC_17_SDKS_OPENAPI.md
@@ -0,0 +1,356 @@
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+---
+
+# Epic 17: SDKs and OpenAPI Docs
+
+**Short name:** SDKs & OpenAPI
+**Primary components:** API Gateway, Web Services, Policy Engine, Conseiller (Feedser), Excitator (VEXer), Orchestrator, Findings Ledger, Export Center, Authority & Tenancy, Console, CLI
+**Surfaces:** OpenAPI 3.1 contracts, language SDKs (TS/Node, Python, Go, Java, C#), dev portal, examples, mock server, conformance tests, changelogs, versioning, deprecations
+**Dependencies:** Authority‑Backed Scopes & Tenancy, CLI Parity, Export Center, Notifications Studio, Air‑Gapped Mode, Observability
+
+**AOC ground rule reminder:** Conseiller and Excitator aggregate and link advisories/VEX. They never merge or mutate source records. SDKs must preserve this invariant and expose source identity in all models.
+
+---
+
+## 1) What it is
+
+A contract‑first program that standardizes StellaOps’ APIs with OpenAPI 3.1 and ships official, versioned SDKs for popular languages. It includes:
+
+* A single **source‑of‑truth OpenAPI** for each service and a canonical aggregate spec.
+* **Generated SDKs** with idiomatic ergonomics, retries, auth helpers, pagination cursors, streaming downloads, and typed error envelopes.
+* A **developer portal** with interactive reference, runnable examples, and “copy‑curl” snippets.
+* **Mock server & conformance tests** so changes are validated against the contract before code ships.
+* **Versioning & deprecation policy**, automated changelogs, and notification hooks.
+* **Air‑gapped bundles** of docs and SDKs for disconnected environments.
+
+Net result: partners and internal teams integrate quickly without reverse‑engineering request bodies from error logs.
+
+---
+
+## 2) Why
+
+* Reduce friction and support load with a single, accurate contract.
+* Make the platform extensible: third parties can build automation, dashboards, and policy pipelines without trawling source code.
+* Enforce stability: contract linting and backwards‑compat checks prevent accidental breakage.
+* Bring CLI and Console parity to programmatic users through first‑class clients.
+
+---
+
+## 3) How it should work
+
+### 3.1 Source of truth and layout
+
+* Each service owns a **module‑scoped OAS** file: `src/StellaOps.Api.OpenApi//openapi.yaml`.
+* An aggregate spec `src/StellaOps.Api.OpenApi/stella.yaml` is produced by build tooling that composes per‑service specs, resolves `$ref`s, and validates cross‑service schemas.
+* JSON Schema dialect: 2020‑12 (OpenAPI 3.1). No vendor‑specific features for core models.
+* Every response and error has at least one **validated example**.
+
+### 3.2 API conventions (normative)
+
+* **Paths:** `/v1/{resource}`, plural nouns. Subresources use `/v1/resources/{id}/subresources`.
+* **Identifiers:** `id` fields are ULID/UUIDv7 as strings.
+* **Pagination:** cursor‑based: `?cursor=&limit=`, response envelope includes `next_cursor`.
+* **Sorting/filtering:** `?sort=field:asc|desc`, `?filter[field]=op:value` with documented operators.
+* **Idempotency:** POST operations that create or mutate accept `Idempotency-Key`.
+* **Errors:** single envelope:
+
+ ```json
+ {
+ "error": {
+ "code": "STRING_CODE",
+ "message": "human friendly",
+ "details": { "field": "value" },
+ "trace_id": "..."
+ }
+ }
+ ```
+
+ Standard codes include `AIRGAP_EGRESS_BLOCKED`, `POLICY_VIOLATION`, `NOT_FOUND`, `RATE_LIMITED`.
+* **Auth:** OAuth2 client credentials and PAT. Scopes are explicit (see 14: Authority‑Backed Scopes). Tenancy via claims; optional override header: `X-Stella-Scope: tenant/` if the token permits delegation.
+* **Content negotiation:** JSON only for request/response unless endpoint is a stream or file download (`application/octet-stream`).
+* **Long‑running operations:** either webhooks (if enabled) or polling via `operation_id` resource.
+
+### 3.3 Versioning and deprecation
+
+* **SemVer** for the aggregate API: `v1`, `v2` in base path.
+* Backwards‑compatible changes allowed in minor versions (add fields, new optional params).
+* Breaking changes require new major version and coexistence for a **deprecation window** (min 12 months) with:
+
+ * Deprecation headers: `Deprecation: true`, `Sunset: `, `Link: `.
+ * Portal banners and Notifications Studio broadcast.
+
+### 3.4 Governance and linting
+
+* Enforce naming, pagination, error envelope, and example requirements via an OAS linter.
+* CI gate: no PR merges if OAS validation fails or coverage < 100% for operation examples.
+* **Compatibility check:** diff new OAS vs previous release, fail on breaking changes unless explicitly flagged.
+
+### 3.5 SDK generation
+
+* Initial languages: **TypeScript/Node**, **Python**, **Go**, **Java**. C# and Rust are follow‑ups.
+* Generated via a stable, reproducible toolchain. Post‑generation patches are applied by templates, not hand edits.
+* **Capabilities:**
+
+ * Auth helpers: PAT and OAuth2.
+ * Retries with decorrelated jitter and `Retry‑After` respect.
+ * Pluggable HTTP transport for proxies and air‑gapped environments.
+ * Binary download helpers and upload helpers for multipart endpoints.
+ * Paginators that yield items and handle `next_cursor`.
+ * Rich error types mapping `error.code` to language enums.
+ * Telemetry hooks (before/after request callbacks).
+* **Packaging:**
+
+ * TS: npm package with ESM and CJS builds, types included.
+ * Python: PyPI package, Pydantic‑friendly models, type hints.
+ * Go: module with context‑aware methods and `io.Reader` streaming.
+ * Java: Maven coordinates, builder pattern, OkHttp/HTTP client provider.
+* **Versioning:** SDK major matches API major. Minor/patch track generator changes only.
+
+### 3.6 Dev portal and artifacts
+
+* **Reference docs** auto‑built from the aggregate OAS with searchable nav, schema diagrams, and example blocks.
+* **Try‑it** panel wired to the sandbox environment (disabled in air‑gap).
+* **Download center:** links to SDKs, changelogs, and Postman/HTTP collection exports.
+* **.well‑known discovery:** `GET /.well-known/openapi` returns the canonical spec.
+
+### 3.7 Conformance testing
+
+* **Mock server** generated from OAS for contract tests.
+* **Replay tests**: real services are validated against the OAS via request/response capture; deviations fail CI.
+* **Golden examples**: every endpoint has recorded examples exercised in tests.
+
+### 3.8 Air‑Gapped support
+
+* Export Center can build a **Docs & SDKs bundle**: `stella export devportal --offline`, including HTML docs, specs, and packages.
+* SDKs avoid network discovery and accept explicit base URLs; no auto‑updates.
+
+### 3.9 Domain‑specific notes
+
+* **Conseiller/Excitator:** models expose `source_id`, `source_type`, `source_digest`. SDKs never hide source multiplicity.
+* **Policy Engine:** policy documents are versioned; SDK supports dry‑run/simulate endpoints with structured explanations.
+* **Findings Ledger:** paginated listing includes stable, filterable fields for evidence export.
+
+---
+
+## 4) Architecture
+
+### 4.1 New modules
+
+* `src/StellaOps.Api.OpenApi/*` per service and aggregate composer
+* `src/StellaOps.Api.Governance` OAS linter rules and compatibility checker
+* `src/StellaOps.Sdk.Generator` codegen drivers, post‑processing templates, smoke tests
+* `src/StellaOps.Sdk.Release` packaging, signing, publishing
+* `src/StellaOps.DevPortal.Site` static generator and assets
+* `test/contract` mock server config, golden examples
+* `src/StellaOps.ExportCenter.DevPortalOffline` bundler
+
+### 4.2 Build flow
+
+1. Validate per‑service specs → compose aggregate → lint → compatibility diff.
+2. Generate SDKs → build → run language‑level tests → publish to internal registry.
+3. Build dev portal and publish.
+4. Optionally build offline bundle.
+
+### 4.3 Runtime contracts
+
+* `GET /.well-known/openapi` per service and at the gateway.
+* All services embed `x-stella-service` and `x-stella-version` extensions for traceability.
+
+---
+
+## 5) APIs and contracts (select)
+
+* **Discovery**: `GET /.well-known/openapi` → JSON or YAML.
+* **Errors**: standard envelope (see 3.2).
+* **Rate limits**: expose `X-RateLimit-Limit`, `X-RateLimit-Remaining`, `X-RateLimit-Reset`.
+* **Operations**: long‑running ops expose `operation_id` and `status` via `GET /v1/operations/{id}`.
+
+---
+
+## 6) Documentation changes
+
+Create or update:
+
+1. `/docs/api/overview.md`
+
+ * API surface, auth, tenancy, pagination, idempotency, rate limits.
+2. `/docs/api/conventions.md`
+
+ * Path, naming, errors, filters, sorting, examples.
+3. `/docs/api/versioning.md`
+
+ * SemVer policy, deprecation windows, headers, migration playbooks.
+4. `/docs/api/reference/`
+
+ * Auto‑generated OAS site; link into service pages.
+5. `/docs/sdks/overview.md`
+
+ * Supported languages, install, hello‑world, retry/auth patterns.
+6. `/docs/sdks/typescript.md`, `/python.md`, `/go.md`, `/java.md`
+
+ * Language‑specific guides, snippets, paginator usage, streaming.
+7. `/docs/devportal/publishing.md`
+
+ * Build pipeline, offline bundle steps.
+8. `/docs/contributing/api-contracts.md`
+
+ * How to edit OAS, lint rules, compatibility checks, examples.
+9. `/docs/testing/contract-testing.md`
+
+ * Mock server, golden examples, replay tests.
+10. `/docs/security/auth-scopes.md`
+
+ * OAuth2, PAT, scope mapping, tenancy header.
+11. `/docs/airgap/devportal-offline.md`
+
+ * Air‑gapped docs and SDK bundle usage.
+
+Add the banner at the top of each page:
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+---
+
+## 7) Implementation plan
+
+### Phase 1 — Foundations
+
+* Establish per‑service OAS skeletons and the aggregate composer.
+* Introduce linting and compatibility checks in CI.
+* Define the standard error envelope and migrate services.
+
+### Phase 2 — Reference & discovery
+
+* Implement `/.well-known/openapi` for gateway and services.
+* Build the dev portal with search, schema diagrams, and examples.
+
+### Phase 3 — SDKs (TS, Python, Go, Java)
+
+* Implement generator drivers and templates.
+* Publish alpha packages internally; integrate in CLI and Console integration tests.
+* Add paginators, retries, auth helpers, and streaming.
+
+### Phase 4 — Conformance & examples
+
+* Wire mock server into PR CI.
+* Record golden example fixtures and replay tests against staging.
+* Automate example extraction into docs.
+
+### Phase 5 — Release automation & deprecation
+
+* Automate changelogs from OAS diffs.
+* Notifications Studio integration for API deprecations.
+* Offline dev portal bundle through Export Center.
+
+### Phase 6 — Follow‑ups
+
+* C# and Rust SDKs, Postman/HTTP collections, sample apps repo.
+
+---
+
+## 8) Engineering tasks
+
+**OAS & governance**
+
+* [ ] Create `src/StellaOps.Api.OpenApi//openapi.yaml` for all services with minimal paths and shared components.
+* [ ] Implement aggregate composer and `$ref` resolver.
+* [ ] Add CI job: lint, validate, compatibility diff; block merges on failure.
+* [ ] Migrate all endpoints to standard error envelope and provide examples.
+
+**Discovery & portal**
+
+* [ ] Implement `GET /.well-known/openapi` at service and gateway.
+* [ ] Build dev portal: nav, search, schema viewer, try‑it (non‑prod), copy‑curl.
+* [ ] Add version selector for v1/v2 specs.
+
+**SDKs**
+
+* [ ] Generator driver with pinned templates; forbid manual edits in generated folders.
+* [ ] TS SDK: ESM/CJS build, tree‑shaking, paginator, middleware hooks.
+* [ ] Python SDK: async and sync clients, type hints, file upload/download helpers.
+* [ ] Go SDK: context‑first API, streaming, error type mapping.
+* [ ] Java SDK: builder pattern, HTTP client provider abstraction.
+* [ ] Common: retries, `Retry‑After` handling, idempotency key helper, auth helpers, telemetry hooks.
+* [ ] Language‑specific tests and smoke examples.
+
+**Conformance**
+
+* [ ] Mock server config with operation examples.
+* [ ] Replay tests against staging; fail on schema drift.
+* [ ] Golden example extraction pipeline.
+
+**Air‑Gapped**
+
+* [ ] Export Center job: `devportal --offline` producing HTML docs, specs, and package artifacts.
+* [ ] SDKs accept explicit base URLs; disable online discovery.
+
+**Authority & Tenancy**
+
+* [ ] Document scopes per endpoint in OAS (`securitySchemes` + `security` blocks).
+* [ ] Implement optional `X-Stella-Scope` override with validation.
+
+**Release automation**
+
+* [ ] Version bump tooling for OAS and SDKs; SemVer aligned.
+* [ ] Auto‑generate `CHANGELOG.md` from OAS diffs.
+* [ ] Publish to registries with signed artifacts and provenance.
+
+**Docs**
+
+* [ ] Author all pages listed in section 6; embed code snippets pulled from tested examples.
+* [ ] Insert banner statement in each page.
+
+**Testing**
+
+* [ ] Contract tests in PR CI; 100% operation coverage with at least one example.
+* [ ] Language SDK integration tests against mock server and staging.
+* [ ] Backwards‑compat test suite comparing last N releases.
+
+---
+
+## 9) Feature changes required in other components
+
+* **Web Services:** unify on error envelope, pagination, idempotency handling, and deprecation headers.
+* **CLI:** consume the official TS or Go SDK instead of bespoke HTTP calls; this enforces parity.
+* **Console:** use SDKs for backend calls where appropriate; helps dogfood the clients.
+* **Export Center:** add `devportal --offline` and package signing.
+* **Observability:** include `x-stella-service` and API version attributes in spans; trace IDs mirrored in error responses.
+* **Notifications Studio:** templates for API deprecations and SDK updates.
+* **Air‑Gapped Mode:** ship offline dev portal and SDKs bundle; console disables try‑it.
+
+> **Imposed rule reminder:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
+
+---
+
+## 10) Acceptance criteria
+
+* Aggregate OpenAPI validates, lints cleanly, and covers 100% of public endpoints with examples.
+* `/.well-known/openapi` available at gateway and service level.
+* Dev portal builds with search, example blocks, and version selector.
+* TS/Python/Go/Java SDKs publish successfully; each has paginators, retries, auth helpers, streaming, and typed errors.
+* CLI integrations pass using SDKs.
+* Contract tests run in PR CI; schema drift causes failures.
+* Deprecation headers and Notifications Studio flow proven in a staged deprecation.
+* Offline dev portal bundle exports and renders in a sealed environment.
+
+---
+
+## 11) Risks and mitigations
+
+* **Spec drift vs code reality:** mock‑first development and replay tests keep services aligned with OAS.
+* **Generator churn:** pin generator and templates; only update via planned minor releases.
+* **Breaking changes under pressure:** enforce compatibility gate and documented exception process.
+* **SDK ergonomics mismatch:** run language‑native design reviews with maintainers before GA.
+* **Air‑gapped constraints:** prebuild full offline bundles; avoid dynamic CDN assets in docs.
+
+---
+
+## 12) Philosophy
+
+* **Contract first, code second.** The spec is the product; servers and SDKs are implementations.
+* **Stability over cleverness.** Boring, predictable APIs beat “magical” behavior.
+* **Truth preservation.** Never hide or merge advisory/VEX sources; surface provenance everywhere.
+* **Automation everywhere.** Humans shouldn’t manually edit generated code or publish packages.
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
diff --git a/docs/attestor/EPIC_19_ATTESTOR_CONSOLE.md b/docs/attestor/EPIC_19_ATTESTOR_CONSOLE.md
new file mode 100644
index 00000000..508e7217
--- /dev/null
+++ b/docs/attestor/EPIC_19_ATTESTOR_CONSOLE.md
@@ -0,0 +1,135 @@ +> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +--- + +# Epic 19: Attestor Console + +**Short name:** Attestor Console +**Primary components:** Attestation Service, Policy Studio, Authority & Tenancy, Export Center, Observability, CLI, StellaOps Console +**Surfaces:** Web UI, REST APIs, CLI, SDKs, docs + +**AOC ground rule reminder:** Conseiller and Excitator only aggregate and link. They never merge sources. Attestations must reference the exact subject digests and their source provenance. No collapsing of distinct advisories or VEX statements. + +--- + +## 1) What it is + +Attestor Console centralizes creation, verification, browsing, and operationalization of software supply chain attestations within StellaOps. It covers build provenance, SBOM attestations, VEX statements, scan results, policy evaluations, risk profile evidence, and custom facts—all signed and verifiable end-to-end. + +--- + +## 2) Why + +Trustworthy pipelines need signed evidence, repeatable verification, explainability, and policy enforcement. Attestor Console weaves attestations into the rest of Stella (AOC, Policy Studio gates, Risk Profiles, Notifications, Export Center) to reduce blind spots and accelerate compliance. + +--- + +## 3) How it should work + +### 3.1 Roles, identities, scopes + +* Subjects: immutable digests for artifacts (images, packages, SBOMs, findings). +* Issuers: identities that sign attestations (builders, scanners, policy engines). +* Scopes: tenant/project/environment context enforced by Authority & Tenancy. + +### 3.2 Payload types + +Supports DSSE envelopes for BuildProvenance v1, SBOMAttestation v1, VEXAttestation v1, ScanResults v1, PolicyEvaluation v1, RiskProfileEvidence v1, and CustomEvidence v1. All payloads include subject, issuer, scope, materials, provenance, policy context, and versioned schemas. 
+ +### 3.3 Envelope & signature model + +DSSE envelopes with multi-signature support, Ed25519/ECDSA keys, KMS/HSM/FIDO2 drivers, transparency log witnesses, and detached payload storage. Identity policies ensure least privilege and traceability. + +### 3.4 Verification pipeline + +Runs at ingest, policy gates, and interactively. Steps: resolve subject, fetch envelopes + witness proofs, validate DSSE structure/signatures, evaluate issuer trust and policies, produce cached verification reports. + +### 3.5 Verification policies + +Policy Studio authored rules covering required evidence types, allowed issuers, freshness, transparency requirements, signature counts, and waivers. Supports scoped overrides and defaults. + +### 3.6 UI workflows + +Evidence Browser, Verification Reports, Chain of Custody Graph, Key & Issuer Management, Attestation Workbench, and Bulk Verification views in Console. + +### 3.7 CLI & SDK + +Commands: `stella attest sign`, `verify`, `list`, `fetch`, `key create/import/rotate/revoke`. SDKs expose Sign/Verify/List/Fetch APIs. + +### 3.8 Data model + +Tables for attestations, issuers, verification reports, transparency index, key store. Indexed by subject digest, type, issuer, and timestamps. + +### 3.9 Storage & air gap + +Store envelopes in CAS object storage; optionally mirror transparency logs. `stella export attestation-bundle` enables offline transfer. Policies can relax witness requirements for sealed environments while logging the gap. + +### 3.10 Observability & security + +Spans, metrics, logs for signing and verification. Private keys never leave KMS/HSM. Revocation/rotation supported. Verification rejects mismatched subjects and ensures AOC invariants for scan/VEX evidence. + +### 3.11 Performance + +Use compressed JSON payloads, cached verification results, batched operations, and concurrency controls. P95 target: 1k envelopes/min on a single worker. 
+ +--- + +## 4) Architecture + +New services (`src/StellaOps.Attestor/`), libraries (`src/StellaOps.Attestor.Envelope/`, `src/StellaOps.Attestor.Types/`, `src/StellaOps.Attestor.Verify/`), CLI (`src/StellaOps.Cli/`), export tooling (`src/StellaOps.ExportCenter.AttestationBundles/`), and shared KMS providers (`src/StellaOps.Cryptography.Kms/`). REST endpoints documented in OpenAPI. + +--- + +## 5) Documentation changes + +Requires new pages for overview, payloads, policies, workflows, key management, transparency, air gap, console UI, CLI, and updated security invariants, all with the imposed rule banner. + +--- + +## 6) Implementation plan + +Six phases: Foundations; Policies & UI; Scan & VEX support; Transparency & keys; Bulk & air gap; Performance & hardening. + +--- + +## 7) Engineering tasks + +Detailed tasks across envelope/crypto, payload schemas, APIs, Policy Studio integration, Console UI, CLI, transparency, bulk operations, observability, security, docs, and testing. + +--- + +## 8) Feature changes required elsewhere + +Policy Studio (VerificationPolicy), Export Center (attestation bundles), Authority & Tenancy, SBOM/Vulnerability explorers, Notifications, Observability. All must inherit the imposed rule and update docs accordingly. + +--- + +## 9) Acceptance criteria + +Signing and verification for all payloads, policy enforcement, Console views, bulk verification, export/import for air gap, observability coverage, AOC invariants respected, documented OpenAPI endpoints. Tests and performance targets met. + +--- + +## 10) Risks & mitigations + +Key compromise, parsing bugs, policy complexity, transparency outages addressed via rotation workflows, fuzz tests, curated starter policies, and fallback/mirroring strategies. + +--- + +## 11) Philosophy + +Evidence first, scoped identities, cheap verification, portable attestations, truth preservation. 
+
+---
+
+## 12) Examples
+
+Includes abbreviated SBOM attestation and verification report JSON samples illustrating required fields and outcomes.
+
+---
+
+## 13) Cross-epic documentation updates
+
+Cross-link Attestor docs from Policy Studio, Export Center, Air-Gapped, Observability, Risk Profiles, SBOM Graph, and Vulnerability Explorer pages, maintaining the imposed rule banner.
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
diff --git a/docs/backlog/2025-10-cleanup.md b/docs/backlog/2025-10-cleanup.md
new file mode 100644
index 00000000..5fdd8cfa
--- /dev/null
+++ b/docs/backlog/2025-10-cleanup.md
@@ -0,0 +1,17 @@ +# Backlog Cleanup — 26 October 2025 + +This note captures the Sprint backlog hygiene pass applied on 26 October 2025. The goal was to eliminate legacy tasks that violated the aggregation-only contract (AOC), duplicated scope, or conflicted with the current module ownership map. + +## Summary +- **Console replaces legacy Angular UI.** Sprint 13 UI tasks (`UI-SCANS-13-002`, `UI-VEX-13-003`, `UI-ADMIN-13-004`, `UI-SCHED-13-005`) are retired. Console Sprint 23 (`CONSOLE-CORE-23-001..005`, `CONSOLE-FEAT-23-101..109`, `CONSOLE-REL-23-301..303`) owns the experience. +- **Policy CLI runtime verbs consolidated.** `CLI-RUNTIME-13-005` is superseded by `CLI-POLICY-20-002` and Policy Studio flows (`CLI-POLICY-27-00x`). +- **Notifier supersedes legacy Notify.* modules.** All Sprint 15 `StellaOps.Notify.*` tasks are archived. Replacement work lives in Notifications Studio / Notifier Sprints 38–40 (`NOTIFY-SVC-38-00x`, `NOTIFY-SVC-39-00x`, `NOTIFY-SVC-40-00x`, plus `WEB/CLI-NOTIFY-3x-00x`). +- **Cartographer owns graph construction.** `SBOM-GRAPH-24-00{1..4}` tasks are deleted from SBOM Service; Cartographer backlog (`CARTO-GRAPH-21-001..009`) covers graph storage, overlays, and tiling. +- **Dedicated Vuln Explorer service.** Gateway/UI/CLI entries that attempted to inline Vuln Explorer logic (`WEB-GRAPH-24-003`, `UI-GRAPH-24-005`, `CLI-VULN-24-003`) now defer to Sprint 29 Vuln Explorer (`VULN-API-29-00x`, `CONSOLE-VULN-29-00x`, `CLI-VULN-29-00x`). +- **AOC enforcement.** Ingestion-layer tasks attempting to compute derived severity/safe-fix metadata (`CONCELIER-VULN-29-003`, `EXCITITOR-VULN-29-003`) were removed; the Policy Engine overlay backlog (`POLICY-ENGINE-29-001..003`) is the canonical home. +- **CI/Offline adjustments.** `DEVOPS-UI-13-006` and `DEVOPS-OFFLINE-18-003` moved under Console release tasks (`CONSOLE-QA-23-401`, `DEVOPS-CONSOLE-23-001`, `CONSOLE-REL-23-302`). 
+ +## Follow-up +- Update module task boards only under their active backlogs (`src/StellaOps.Notifier`, Cartographer, Vuln Explorer). +- Ensure future ingestion tasks reference AOC guardrails and avoid derived semantics. +- Cross-check `SPRINTS.md` after adding new tasks to keep tables consistent with module `TASKS.md` files. diff --git a/docs/ops/scanner-analyzers-operations.md b/docs/ops/scanner-analyzers-operations.md index a719f7ff..a90920f4 100644 --- a/docs/ops/scanner-analyzers-operations.md +++ b/docs/ops/scanner-analyzers-operations.md @@ -9,10 +9,10 @@ Keep the language analyzer microbench under the < 5 s SBOM pledge. CI emits 1. CI (or engineers running locally) execute: ```bash dotnet run \ - --project bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj \ + --project src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj \ -- \ --repo-root . \ - --out bench/Scanner.Analyzers/baseline.csv \ + --out src/StellaOps.Bench/Scanner.Analyzers/baseline.csv \ --json out/bench/scanner-analyzers/latest.json \ --prom out/bench/scanner-analyzers/latest.prom \ --commit "$(git rev-parse HEAD)" \ diff --git a/docs/risk/EPIC_18_RISK_PROFILES.md b/docs/risk/EPIC_18_RISK_PROFILES.md new file mode 100644 index 00000000..d894ca01 --- /dev/null +++ b/docs/risk/EPIC_18_RISK_PROFILES.md 
@@ -0,0 +1,260 @@ +> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied. + +--- + +# Epic 18: Risk Scoring Profiles + +**Short name:** Risk Profiles +**Primary components:** Policy Engine, Findings Ledger, Conseiller (Feedser), Excitator (VEXer), StellaOps Console, Policy Studio, CLI, Export Center, Authority & Tenancy, Observability +**Surfaces:** policy documents, scoring engine, factor providers, explainability artifacts, APIs, CLI, UI + +**AOC ground rule reminder:** Conseiller and Excitator aggregate and link advisories/VEX. They never merge or mutate source records. Risk scoring consumes linked items and computes a contextual score per finding and per asset without collapsing sources; provenance is preserved and shown. + +--- + +## 1) What it is + +Risk Scoring Profiles let users define, version and apply customizable formulas that turn raw signals (CVSS, EPSS‑like exploit likelihood, KEV‑style exploited lists, VEX status, reachability, runtime evidence, fix availability, asset criticality, provenance trust, etc.) into a single normalized risk score from 0 to 100 with severity buckets. Profiles are authored in Policy Studio, attached to scopes/tenants/projects, simulated against inventories and SBOMs, and executed by a scoring engine that outputs: + +* A final score and severity. +* A factor‑by‑factor contribution breakdown with math. +* Gating decisions (e.g., VEX “not affected” forces score to 0). +* Audit and provenance for every signal used. + +Profiles can differ by environment: “Exploit‑aware prod,” “Compliance‑focused,” “Safety‑critical,” “Dev velocity,” and so on. The engine is pluggable: new signals can be added without breaking existing profiles. + +--- + +## 2) Why + +* One size doesn’t fit anyone. Different orgs weigh exploitability vs business criticality differently. +* Reduce noise and accelerate triage by aligning scores with how teams actually make decisions. 
+* Make risk explainable. If a score says 86, show why. +* Enable policy‑aware flows elsewhere: gates, notifications, dashboards, remediation queues. + +--- + +## 3) How it should work + +### 3.1 Core model + +A **RiskProfile** defines: + +* **Metadata:** name, version, description, owner, scope selector, status (draft/published/deprecated). +* **Signals:** named inputs with source bindings and transforms. +* **Formula:** a composition of weighted terms, caps, gates, and overrides producing a 0‑100 score. +* **Severity mapping:** score→{Critical, High, Medium, Low, None}. +* **Gates:** hard conditions that short‑circuit scoring (e.g., VEX Not Affected → 0). +* **Overrides:** explicit per‑package/per‑CVE/per‑asset adjustments with audit. +* **Explainability:** must compute contribution of each term and include raw values. +* **Versioning:** immutable content hash, `profile_id@version`. Inheritance supported via `extends`. + +### 3.2 Signals (factor) catalog + +Initial signals supported out of the box: + +| Signal | Description | Expected range | Default transform | +| ---------------------- | ------------------------------------------------ | -------------- | -------------------- | +| `cvss_base` | CVSS base score from each advisory | 0..10 | linear: `x/10` | +| `epss_like` | Exploit likelihood (0..1) | 0..1 | identity | +| `kev_flag` | Known exploited in the wild (boolean) | {0,1} | step: 0 or 1 | +| `vex_status` | VEX: affected, not_affected, under_investigation | enum | gate + multiplier | +| `reachability` | Static reachability to vulnerable code path | 0..1 | identity | +| `runtime_evidence` | Runtime evidence of vulnerable symbol/path | 0..1 | identity | +| `internet_exposed` | Asset externally reachable | {0,1} | multiplier | +| `asset_criticality` | Business criticality of asset | 1..5 | normalize: `(x-1)/4` | +| `fix_available` | Patch or upgrade exists | {0,1} | negative weight | +| `age_days` | Days since advisory published | 0..∞ | logistic decay | +| 
`privilege_escalation` | Elevation potential | {0,1} | positive bump | +| `rce_flag` | Remote code execution | {0,1} | positive bump | +| `provenance_trust` | Signature/provenance (SLSA‑ish) | 0..1 | inverse weight | +| `pkg_popularity` | Package ecosystem usage | 0..1 | mild bump | +| `source_consensus` | Count of agreeing sources (Conseiller‑linked) | 1..N | saturating transform | + +Notes: + +* Conseiller can link multiple advisories per CVE. Signals like `cvss_base` and `kev_flag` are aggregated via declared **reducers**: `max`, `mean`, or **consensus** (e.g., count of sources claiming exploited). + +### 3.3 Formula template + +Default formula (normalized result 0..1 before scaling to 0..100): + +``` +score = + gate(VEX_not_affected => 0) * + clamp01( + w1*cvss' + + w2*epss' + + w3*reachability' + + w4*runtime_evidence' + + w5*internet_exposed' + + w6*asset_criticality' + + w7*kev_flag' + + w8*rce_flag' + + w9*privilege_escalation' + + w10*source_consensus' + + w11*(1 - provenance_trust') + + w12*(1 - fix_available') + + w13*age_decay' + + bias + ) +``` + +* Each term is a transformed, normalized signal (denoted `'`). +* Weights default to reasonable values (e.g., cvss 0.25, epss 0.2, reachability 0.1, runtime 0.1, internet_exposed 0.08, asset_criticality 0.08, kev 0.07, rce 0.04, priv_esc 0.03, consensus 0.03, provenance inverse 0.01, fix inverse 0.005, age 0.005). +* **Severity mapping (default):** + + * Critical ≥ 85 + * High 70–84 + * Medium 40–69 + * Low 15–39 + * None < 15 + +Profiles can override weights, gating, transforms and severity thresholds. + +### 3.4 Reducers and provenance + +For signals with multiple sources: + +* `cvss_base`: default reducer `max`. +* `kev_flag`: reducer `any`. +* `epss_like`: reducer `max`. +* `vex_status`: **gate precedence:** if any linked VEX says `not_affected`, apply gate 0 unless an explicit policy disables that source; otherwise, most conservative status wins (`affected` > `under_investigation` > `unknown`). 
+* Every reduction lists contributing sources in the explanation with their digests. + +### 3.5 Explainability artifact + +For every scored item, produce a JSON object: + +```json +{ + "profile_id": "risk-default", + "profile_version": "1.2.0", + "input": { "asset_id": "...", "package": "openssl@1.1.1u", "cve": "CVE-XXXX-YYYY" }, + "signals": { + "cvss_base": { "values": [{"source":"nvd","value":9.8}, {"source":"vendor","value":9.1}], "reducer":"max", "reduced":9.8, "normalized":0.98 }, + "epss_like": { "value":0.72, "normalized":0.72 }, + "vex_status": { "values":[{"source":"vendor","value":"affected"}], "decision":"affected" } + }, + "formula": { + "weights": { "cvss":0.25, "epss":0.20 }, + "gates": [{ "name":"VEX_not_affected", "applied": false }] + }, + "contributions": [ + { "signal":"cvss_base", "weight":0.25, "value":0.98, "contribution":24.5 }, + { "signal":"epss_like", "weight":0.20, "value":0.72, "contribution":14.4 } + ], + "score": 87.1, + "severity": "Critical", + "provenance": { "calculated_at":"2025-10-25T12:00:00Z", "engine":"risk-engine@v0.6.3", "trace_id":"..." } +} +``` + +### 3.6 Profile scoping and inheritance + +* Profiles attach to scopes via Authority & Tenancy: org/tenant/project/environment. +* A scope resolves **one active profile** by precedence: project > environment > org default. +* Profiles may `extends` a base profile, overriding weights and thresholds. Resolve via immutable parent chain. + +### 3.7 Execution path + +1. New or updated findings arrive from Conseiller/Excitator into Findings Ledger. +2. A **Scoring Job** is enqueued per scope with a batch of items. +3. The engine pulls necessary signals via **Factor Providers** (reachability, runtime, KEV lists, etc.). +4. The formula executes; results are upserted to Findings Ledger with an explainability blob pointer. +5. Notifications Studio triggers based on severity deltas. +6. Console and CLI read scored findings; filters and charts operate on score and severity. 
+ +### 3.8 Factor Provider interface + +``` +interface FactorProvider { + id(): string; + requiredInputs(): string[]; + fetch(ctx, inputs[]): Promise>; +} +``` + +Providers must be deterministic and cacheable. Every factor has a TTL and a backfill policy. + +### 3.9 Simulation + +Policy Studio provides “Simulate with profile” functionality to test profiles against SBOMs or asset sets. Simulation outputs include distributions, severity shifts, and top movers, and can be exported. + +### 3.10 Air‑gapped behavior + +Profiles work offline; providers rely on bundled datasets produced by Export Center. Missing providers surface explicit gaps in explanations. + +--- + +## 4) Architecture + +### 4.1 New modules + +* `src/StellaOps.RiskEngine/` +* `src/StellaOps.RiskEngine/providers/` +* `src/StellaOps.Policy.RiskProfile/` +* Database migrations for profiles/results/explanations +* `src/StellaOps.UI` +* `src/StellaOps.Cli` +* `src/StellaOps.ExportCenter.RiskBundles` + +### 4.2 Data model + +Tables for `risk_profiles`, `scoring_jobs`, `scoring_results`, `explanations` with indexes on finding keys, scope, severity, and timestamps. + +--- + +## 5) APIs and contracts + +Endpoints include profile CRUD, publish, simulate, job enqueue, results queries, explanation retrieval, and schema discovery. Authentication scopes: `risk.profile:*`, `risk.result:read`, `risk.job:write`. + +--- + +## 6) Documentation changes + +List of required docs with banner statements covering overview, profiles, factors, formulas, explainability, API, console UI, CLI commands, air-gapped bundles, and AOC invariants. + +--- + +## 7) Implementation plan + +Seven phases: foundations, storage/APIs, Console & Policy Studio, CLI & SDKs, expanded factors, air-gapped support, quality/performance. + +--- + +## 8) Engineering tasks + +Detailed task list spanning schema, engine, providers, APIs, ledger integration, console, CLI, export center, observability, docs, and testing. 
+
+---
+
+## 9) Feature changes required in other components
+
+Defines cross-team expectations for Conseiller, Excitator, Findings Ledger, Policy Studio, Vulnerability Explorer, SBOM Graph Explorer, Notifications, Authority, Export Center, CLI & SDKs.
+
+---
+
+## 10) Acceptance criteria
+
+Coverage of authoring, simulation, scoring, UI, CLI, air-gapped support, AOC invariants, and performance.
+
+---
+
+## 11) Risks and mitigations
+
+Addresses signal drift, weight overfitting, performance, VEX trust, and compliance differences.
+
+---
+
+## 12) Philosophy
+
+Principles: context, explainability, truth preservation, portability, and loud failures.
+
+---
+
+## 13) Example profile
+
+Contains an abbreviated YAML example demonstrating schema usage, weights, gates, severity mapping, and overrides.
+
+> **Imposed rule:** Work of this type or tasks of this type on this component must also be applied everywhere else it should be applied.
diff --git a/ops/deployment/TASKS.md b/ops/deployment/TASKS.md
index 64eb058a..443baf77 100644
--- a/ops/deployment/TASKS.md
+++ b/ops/deployment/TASKS.md
@@ -1,5 +1,48 @@ # Deployment Task Board -| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | -|----|--------|----------|------------|-------------|---------------| -| DEVOPS-OPS-14-003 | TODO | Deployment Guild | DEVOPS-REL-14-001 | Document and script upgrade/rollback flows, channel management, and compatibility matrices per architecture. | Helm/Compose guides updated with digest pinning, automated checks committed, rollback drill recorded. | +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| DEVOPS-OPS-14-003 | TODO | Deployment Guild | DEVOPS-REL-14-001 | Document and script upgrade/rollback flows, channel management, and compatibility matrices per architecture. | Helm/Compose guides updated with digest pinning, automated checks committed, rollback drill recorded. | +| DOWNLOADS-CONSOLE-23-001 | TODO | Deployment Guild, DevOps Guild | DEVOPS-CONSOLE-23-002 | Maintain signed downloads manifest pipeline (images, Helm, offline bundles), publish JSON under `deploy/downloads/manifest.json`, and document sync cadence for Console + docs parity. | Pipeline generates signed manifest with checksums, automated PR updates manifest, docs updated with sync workflow, parity check in CI passes. | +| DEPLOY-POLICY-27-001 | TODO | Deployment Guild, Policy Registry Guild | REGISTRY-API-27-001, DEVOPS-POLICY-27-003 | Produce Helm/Compose overlays for Policy Registry + simulation workers, including Mongo migrations, object storage buckets, signing key secrets, and tenancy defaults. | Overlays committed with deterministic digests; install docs updated; smoke deploy validated in staging. | +| DEPLOY-POLICY-27-002 | TODO | Deployment Guild, Policy Guild | DEPLOY-POLICY-27-001, WEB-POLICY-27-004 | Document rollout/rollback playbooks for policy publish/promote (canary strategy, emergency freeze toggle, evidence retrieval) under `/docs/runbooks/policy-incident.md`. 
| Runbook published with decision tree; checklist appended; rehearsal recorded. | +| DEPLOY-VULN-29-001 | TODO | Deployment Guild, Findings Ledger Guild | LEDGER-29-009 | Produce Helm/Compose overlays for Findings Ledger + projector, including DB migrations, Merkle anchor jobs, and scaling guidance. | Overlays committed; migrations documented; smoke deploy executed; rollback steps recorded. | +| DEPLOY-VULN-29-002 | TODO | Deployment Guild, Vuln Explorer API Guild | VULN-API-29-011 | Package `stella-vuln-explorer-api` deployment manifests, health checks, autoscaling policies, and offline kit instructions with signed images. | Deployment docs merged; health checks validated; offline kit updated; change control recorded. | +| DEPLOY-VEX-30-001 | TODO | Deployment Guild, VEX Lens Guild | VEXLENS-30-011 | Provide Helm/Compose overlays, scaling defaults, and offline kit instructions for VEX Lens service. | Overlays committed; smoke deploy validated; offline kit includes initial config; docs updated. | +| DEPLOY-VEX-30-002 | TODO | Deployment Guild, Issuer Directory Guild | ISSUER-30-006 | Package Issuer Directory deployment manifests, backups, and security hardening guidance. | Deployment docs merged; backup tested; hardening checklist appended. | +| DEPLOY-AIAI-31-001 | TODO | Deployment Guild, Advisory AI Guild | AIAI-31-008 | Provide Helm/Compose manifests, GPU toggle, scaling/runbook, and offline kit instructions for Advisory AI service + inference container. | Deployment docs merged; smoke deploy executed; offline kit updated; runbooks published. | +| DEPLOY-ORCH-34-001 | TODO | Deployment Guild, Orchestrator Service Guild | ORCH-SVC-34-004 | Provide orchestrator Helm/Compose manifests, scaling defaults, secret templates, offline kit instructions, and GA rollout/rollback playbook. | Manifests committed with digests; scaling guidance documented; smoke deploy/rollback rehearsed; offline kit instructions updated. 
| +| DEPLOY-EXPORT-35-001 | TODO | Deployment Guild, Exporter Service Guild | EXPORT-SVC-35-001..006 | Package exporter service/worker Helm overlays (download-only), document rollout/rollback, and integrate signing KMS secrets. | Overlays committed; smoke deploy executed; rollback steps recorded; secrets templates provided. | +| DEPLOY-EXPORT-36-001 | TODO | Deployment Guild, Exporter Service Guild | DEPLOY-EXPORT-35-001, EXPORT-SVC-36-003 | Document OCI/object storage distribution workflows, registry credential automation, and monitoring hooks for exports. | Documentation merged; automation scripts validated; monitoring instructions added. | + +## CLI Parity & Task Packs + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| DEPLOY-CLI-41-001 | TODO | Deployment Guild, DevEx/CLI Guild | CLI-CORE-41-001 | Package CLI release artifacts (tarballs per OS/arch, checksums, signatures, completions, container image) and publish distribution docs. | Artifacts built and uploaded; docs updated with installation steps; signatures verified. | +| DEPLOY-PACKS-42-001 | TODO | Deployment Guild, Packs Registry Guild | PACKS-REG-41-001 | Provide deployment manifests for packs-registry and task-runner services, including Helm/Compose overlays, scaling defaults, and secret templates. | Manifests committed; smoke deploy executed; rollback documented. | +| DEPLOY-PACKS-43-001 | TODO | Deployment Guild, Task Runner Guild | TASKRUN-42-001 | Ship remote Task Runner worker profiles, object storage bootstrap, approval workflow integration, and Offline Kit packaging instructions. | Deployment docs merged; offline kit updated; approvals tested; rollback steps recorded. 
| + +## Containerized Distribution (Epic 13) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| DEPLOY-COMPOSE-44-001 | TODO | Deployment Guild | COMPOSE-44-001 | Finalize Quickstart scripts (`quickstart.sh`, `backup.sh`, `reset.sh`), seed data container, and publish README with imposed rule reminder. | Scripts run end-to-end; README merged; imposed rule appended. | +| DEPLOY-HELM-45-001 | TODO | Deployment Guild | HELM-45-001 | Publish Helm install guide and sample values for prod/airgap; integrate with docs site build. | Docs merged; values validated; helm lint/test passing. | +| DEPLOY-AIRGAP-46-001 | TODO | Deployment Guild, Offline Kit Guild | DEVOPS-CONTAINERS-46-001 | Provide instructions and scripts (`load.sh`) for importing air-gap bundle into private registry; update Offline Kit guide. | Scripts tested; docs updated; imposed rule appended. | + +### Compose Quickstart (Epic 13) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| COMPOSE-44-001 | TODO | Deployment Guild, DevEx Guild | EXPORT-SVC-37-001 | Author `docker-compose.yml`, `.env.example`, and `quickstart.sh` with all core services + dependencies (postgres, redis, object-store, queue, otel). | `docker compose up` yields working stack with seed data; script handles preflight; imposed rule line applied in docs. | +| COMPOSE-44-002 | TODO | Deployment Guild | COMPOSE-44-001 | Implement `backup.sh` and `reset.sh` scripts with safety prompts and documentation. | Backup produces tarball with checksums; reset script requires confirm flag; docs updated. | +| COMPOSE-44-003 | TODO | Deployment Guild, Docs Guild | COMPOSE-44-001 | Package seed data container and onboarding wizard toggle (`QUICKSTART_MODE`), ensuring default creds randomized on first run. 
| Seed job loads demo SBOM/advisory/policy; credentials randomized and saved to .secrets; onboarding wizard triggers. |
+
+### Helm Chart (Epic 13)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| HELM-45-001 | TODO | Deployment Guild | COMPOSE-44-001 | Scaffold `deploy/helm/stella` chart with values, component toggles, and pinned image digests for all services; include migration Job templates. | Chart installs in dev cluster; images pinned; lint/tests pass. |
+| HELM-45-002 | TODO | Deployment Guild, Security Guild | HELM-45-001 | Add TLS/Ingress, NetworkPolicy, PodSecurityContexts, Secrets integration (external secrets), and document security posture. | Helm values support secure defaults; policies validated; docs updated. |
+| HELM-45-003 | TODO | Deployment Guild, Observability Guild | HELM-45-001 | Implement HPA, PDB, readiness gates, Prometheus scraping annotations, OTel configuration hooks, and upgrade hooks. | Rolling upgrade succeeds in CI; observability wires confirmed; upgrade docs updated. |
diff --git a/ops/devops/TASKS.md b/ops/devops/TASKS.md
index ee624cb4..f814618f 100644
--- a/ops/devops/TASKS.md
+++ b/ops/devops/TASKS.md
@@ -1,23 +1,158 @@
-# DevOps Task Board
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| DEVOPS-HELM-09-001 | DONE | DevOps Guild | SCANNER-WEB-09-101 | Create Helm/Compose environment profiles (dev, staging, airgap) with deterministic digests. | Profiles committed under `deploy/`; docs updated; CI smoke deploy passes. |
+# DevOps Task Board
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DEVOPS-HELM-09-001 | DONE | DevOps Guild | SCANNER-WEB-09-101 | Create Helm/Compose environment profiles (dev, staging, airgap) with deterministic digests. | Profiles committed under `deploy/`; docs updated; CI smoke deploy passes. |
 | DEVOPS-SCANNER-09-204 | DONE (2025-10-21) | DevOps Guild, Scanner WebService Guild | SCANNER-EVENTS-15-201 | Surface `SCANNER__EVENTS__*` environment variables across docker-compose (dev/stage/airgap) and Helm values, defaulting to share the Redis queue DSN. | Compose/Helm configs ship enabled Redis event publishing with documented overrides; lint jobs updated; docs cross-link to new knobs. |
 | DEVOPS-SCANNER-09-205 | DONE (2025-10-21) | DevOps Guild, Notify Guild | DEVOPS-SCANNER-09-204 | Add Notify smoke stage that tails the Redis stream and asserts `scanner.report.ready`/`scanner.scan.completed` reach Notify WebService in staging. | CI job reads Redis stream during scanner smoke deploy, confirms Notify ingestion via API, alerts on failure. |
-| DEVOPS-PERF-10-001 | DONE | DevOps Guild | BENCH-SCANNER-10-001 | Add perf smoke job (SBOM compose <5 s target) to CI. | CI job runs sample build verifying <5 s; alerts configured. |
+| DEVOPS-PERF-10-001 | DONE | DevOps Guild | BENCH-SCANNER-10-001 | Add perf smoke job (SBOM compose <5 s target) to CI. | CI job runs sample build verifying <5 s; alerts configured. |
 | DEVOPS-PERF-10-002 | DONE (2025-10-23) | DevOps Guild | BENCH-SCANNER-10-002 | Publish analyzer bench metrics to Grafana/perf workbook and alarm on ≥20 % regressions. | CI exports JSON for dashboards; Grafana panel wired; Ops on-call doc updated with alert hook. |
+| DEVOPS-AOC-19-001 | TODO | DevOps Guild, Platform Guild | WEB-AOC-19-003 | Integrate the AOC Roslyn analyzer and guard tests into CI, failing builds when ingestion projects attempt banned writes. | Analyzer runs in PR/CI pipelines, results surfaced in build summary, docs updated under `docs/ops/ci-aoc.md`. |
+| DEVOPS-AOC-19-002 | TODO | DevOps Guild | CLI-AOC-19-002, CONCELIER-WEB-AOC-19-004, EXCITITOR-WEB-AOC-19-004 | Add pipeline stage executing `stella aoc verify --since` against seeded Mongo snapshots for Concelier + Excititor, publishing violation report artefacts. | Stage runs on main/nightly, fails on violations, artifacts retained, runbook documented. |
+| DEVOPS-AOC-19-003 | TODO | DevOps Guild, QA Guild | CONCELIER-WEB-AOC-19-003, EXCITITOR-WEB-AOC-19-003 | Enforce unit test coverage thresholds for AOC guard suites and ensure coverage exported to dashboards. | Coverage report includes guard projects, threshold gate passes/fails as expected, dashboards refreshed with new metrics. |
+| DEVOPS-OBS-50-001 | TODO | DevOps Guild, Observability Guild | TELEMETRY-OBS-50-001 | Deliver default OpenTelemetry collector deployment (Compose/Helm manifests), OTLP ingestion endpoints, and secure pipeline (authN, mTLS, tenant partitioning). Provide smoke test verifying traces/logs/metrics ingestion. | Collector manifests committed; smoke test green; docs updated; imposed rule banner reminder noted. |
+| DEVOPS-OBS-50-002 | TODO | DevOps Guild, Security Guild | DEVOPS-OBS-50-001, TELEMETRY-OBS-51-002 | Stand up multi-tenant storage backends (Prometheus, Tempo/Jaeger, Loki) with retention policies, tenant isolation, and redaction guard rails. Integrate with Authority scopes for read paths. | Storage stack deployed with auth; retention configured; integration tests verify tenant isolation; runbook drafted. |
+| DEVOPS-OBS-50-003 | TODO | DevOps Guild, Offline Kit Guild | DEVOPS-OBS-50-001 | Package telemetry stack configs for air-gapped installs (Offline Kit bundle, documented overrides, sample values) and automate checksum/signature generation. | Offline bundle includes collector+storage configs; checksums published; docs cross-linked; imposed rule annotation recorded. |
+| DEVOPS-OBS-51-001 | TODO | DevOps Guild, Observability Guild | WEB-OBS-51-001, DEVOPS-OBS-50-001 | Implement SLO evaluator service (burn rate calculators, webhook emitters), Grafana dashboards, and alert routing to Notifier. Provide Terraform/Helm automation. | Dashboards live; evaluator emits webhooks; alert runbook referenced; staging alert fired in test. |
+| DEVOPS-OBS-52-001 | TODO | DevOps Guild, Timeline Indexer Guild | TIMELINE-OBS-52-002 | Configure streaming pipeline (NATS/Redis/Kafka) with retention, partitioning, and backpressure tuning for timeline events; add CI validation of schema + rate caps. | Pipeline deployed; load test meets SLA; schema validation job passes; documentation updated. |
+| DEVOPS-OBS-53-001 | TODO | DevOps Guild, Evidence Locker Guild | EVID-OBS-53-001 | Provision object storage with WORM/retention options (S3 Object Lock / MinIO immutability), legal hold automation, and backup/restore scripts for evidence locker. | Storage configured with WORM; legal hold script documented; backup test performed; runbook updated. |
+| DEVOPS-OBS-54-001 | TODO | DevOps Guild, Security Guild | PROV-OBS-53-002, EVID-OBS-54-001 | Manage provenance signing infrastructure (KMS keys, rotation schedule, timestamp authority integration) and integrate verification jobs into CI. | Keys provisioned with rotation policy; timestamp authority configured; CI verifies sample bundles; audit trail stored. |
+| DEVOPS-OBS-55-001 | TODO | DevOps Guild, Ops Guild | DEVOPS-OBS-51-001, WEB-OBS-55-001 | Implement incident mode automation: feature flag service, auto-activation via SLO burn-rate, retention override management, and post-incident reset job. | Incident mode toggles via API/CLI; automation tested in staging; reset job verified; runbook referenced. |
+
+## Air-Gapped Mode (Epic 16)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DEVOPS-AIRGAP-56-001 | TODO | DevOps Guild | AIRGAP-CTL-56-001 | Ship deny-all egress policies for Kubernetes (NetworkPolicy/eBPF) and docker-compose firewall rules; provide verification script for sealed mode. | Policies committed with tests; verification script passes/fails as expected; docs cross-linked. |
+| DEVOPS-AIRGAP-56-002 | TODO | DevOps Guild, AirGap Importer Guild | AIRGAP-IMP-57-002 | Provide import tooling for bundle staging: checksum validation, offline object-store loader scripts, removable media guidance. | Scripts documented; smoke tests validate import; runbook updated. |
+| DEVOPS-AIRGAP-56-003 | TODO | DevOps Guild, Container Distribution Guild | EXPORT-AIRGAP-56-002 | Build Bootstrap Pack pipeline bundling images/charts, generating checksums, and publishing manifest for offline transfer. | Pipeline runs in connected env; pack verified in air-gap smoke test; manifest recorded. |
+| DEVOPS-AIRGAP-57-001 | TODO | DevOps Guild, Mirror Creator Guild | MIRROR-CRT-56-002 | Automate Mirror Bundle creation jobs with dual-control approvals, artifact signing, and checksum publication. | Approval workflow enforced; CI artifact includes DSSE/TUF metadata; audit logs stored. |
+| DEVOPS-AIRGAP-57-002 | TODO | DevOps Guild, Authority Guild | AUTH-OBS-50-001 | Configure sealed-mode CI tests that run services with sealed flag and ensure no egress occurs (iptables + mock DNS). | CI suite fails on attempted egress; reports remediation; documentation updated. |
+| DEVOPS-AIRGAP-58-001 | TODO | DevOps Guild, Notifications Guild | NOTIFY-AIRGAP-56-002 | Provide local SMTP/syslog container templates and health checks for sealed environments; integrate into Bootstrap Pack. | Templates deployed successfully; health checks in CI; docs updated. |
+| DEVOPS-AIRGAP-58-002 | TODO | DevOps Guild, Observability Guild | DEVOPS-AIRGAP-56-001, DEVOPS-OBS-51-001 | Ship sealed-mode observability stack (Prometheus/Grafana/Tempo/Loki) pre-configured with offline dashboards and no remote exporters. | Stack boots offline; dashboards available; verification script confirms zero egress. |
 | DEVOPS-REL-14-001 | DOING (2025-10-23) | DevOps Guild | SIGNER-API-11-101, ATTESTOR-API-11-201 | Deterministic build/release pipeline with SBOM/provenance, signing, manifest generation. | CI pipeline produces signed images + SBOM/attestations, manifests published with verified hashes, docs updated. |
 | DEVOPS-REL-14-004 | TODO | DevOps Guild, Scanner Guild | DEVOPS-REL-14-001, SCANNER-ANALYZERS-LANG-10-309P | Extend release/offline smoke jobs to exercise the Python analyzer plug-in (warm/cold scans, determinism, signature checks). | Release/Offline pipelines run Python analyzer smoke suite; alerts hooked; docs updated with new coverage matrix. |
 | DEVOPS-REL-17-002 | TODO | DevOps Guild | DEVOPS-REL-14-001, SCANNER-EMIT-17-701 | Persist stripped-debug artifacts organised by GNU build-id and bundle them into release/offline kits with checksum manifests. | CI job writes `.debug` files under `artifacts/debug/.build-id/`, manifest + checksums published, offline kit includes cache, smoke job proves symbol lookup via build-id. |
 | DEVOPS-MIRROR-08-001 | DONE (2025-10-19) | DevOps Guild | DEVOPS-REL-14-001 | Stand up managed mirror profiles for `*.stella-ops.org` (Concelier/Excititor), including Helm/Compose overlays, multi-tenant secrets, CDN caching, and sync documentation. | Infra overlays committed, CI smoke deploy hits mirror endpoints, runbooks published for downstream sync and quota management. |
 | DEVOPS-SEC-10-301 | DONE (2025-10-20) | DevOps Guild | Wave 0A complete | Address NU1902/NU1903 advisories for `MongoDB.Driver` 2.12.0 and `SharpCompress` 0.23.0 surfaced during scanner cache and worker test runs. | Dependencies bumped to patched releases, audit logs free of NU1902/NU1903 warnings, regression tests green, change log documents upgrade guidance. |
+| DEVOPS-CONSOLE-23-001 | TODO | DevOps Guild, Console Guild | CONSOLE-CORE-23-001 | Add console CI workflow (pnpm cache, lint, type-check, unit, Storybook a11y, Playwright, Lighthouse) with offline runners and artifact retention for screenshots/reports. | Workflow runs on PR & main, caches reduce install time, failing checks block merges, artifacts uploaded for triage, docs updated. |
+| DEVOPS-CONSOLE-23-002 | TODO | DevOps Guild, Console Guild | DEVOPS-CONSOLE-23-001, CONSOLE-REL-23-301 | Produce `stella-console` container build + Helm chart overlays with deterministic digests, SBOM/provenance artefacts, and offline bundle packaging scripts. | Container published to registry mirror, Helm values committed, SBOM/attestations generated, offline kit job passes smoke test, docs updated. |
 | DEVOPS-LAUNCH-18-100 | TODO | DevOps Guild | - | Finalise production environment footprint (clusters, secrets, network overlays) for full-platform go-live. | IaC/compose overlays committed, secrets placeholders documented, dry-run deploy succeeds in staging. |
 | DEVOPS-LAUNCH-18-900 | TODO | DevOps Guild, Module Leads | Wave 0 completion | Collect “full implementation” sign-off from module owners and consolidate launch readiness checklist. | Sign-off record stored under `docs/ops/launch-readiness.md`; outstanding gaps triaged; checklist approved. |
 | DEVOPS-LAUNCH-18-001 | TODO | DevOps Guild | DEVOPS-LAUNCH-18-100, DEVOPS-LAUNCH-18-900 | Production launch cutover rehearsal and runbook publication. | `docs/ops/launch-cutover.md` drafted, rehearsal executed with rollback drill, approvals captured. |
 | DEVOPS-NUGET-13-001 | DONE (2025-10-25) | DevOps Guild, Platform Leads | DEVOPS-REL-14-001 | Add .NET 10 preview feeds / local mirrors so `Microsoft.Extensions.*` 10.0 preview packages restore offline; refresh restore docs. | NuGet.config maps preview feeds (or local mirrored packages), `dotnet restore` succeeds for Excititor/Concelier solutions without ad-hoc feed edits, docs updated for offline bootstrap. |
 | DEVOPS-NUGET-13-002 | TODO | DevOps Guild | DEVOPS-NUGET-13-001 | Ensure all solutions/projects prefer `local-nuget` before public sources and document restore order validation. | `NuGet.config` and solution-level configs resolve from `local-nuget` first; automated check verifies priority; docs updated for restore ordering. |
 | DEVOPS-NUGET-13-003 | TODO | DevOps Guild, Platform Leads | DEVOPS-NUGET-13-002 | Sweep `Microsoft.*` NuGet dependencies pinned to 8.* and upgrade to latest .NET 10 equivalents (or .NET 9 when 10 unavailable), updating restore guidance. | Dependency audit shows no 8.* `Microsoft.*` packages remaining; CI builds green; changelog/doc sections capture upgrade rationale. |
-| DEVOPS-UI-13-006 | TODO | DevOps Guild, UI Guild | UI-AUTH-13-001 | Add Playwright-based UI auth smoke job to CI/offline pipelines, wiring sample `/config.json` provisioning and reporting. | CI + Offline Kit run Playwright auth smoke (headless Chromium) post-build; job reuses stub config artifact, exports junit + trace on failure, docs updated under `docs/ops/ui-auth-smoke.md`. |
+
+## Policy Engine v2
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DEVOPS-POLICY-20-001 | TODO | DevOps Guild, Policy Guild | POLICY-ENGINE-20-001 | Integrate DSL linting in CI (parser/compile) to block invalid policies; add pipeline step compiling sample policies. | CI fails on syntax errors; lint logs surfaced; docs updated with pipeline instructions. |
+| DEVOPS-POLICY-20-002 | TODO | DevOps Guild | DEVOPS-POLICY-20-001, POLICY-ENGINE-20-006 | Add `stella policy simulate` CI stage against golden SBOMs to detect delta explosions; publish diff artifacts. | Stage runs nightly/main; artifacts retained; alert thresholds configured. |
+| DEVOPS-POLICY-20-003 | TODO | DevOps Guild, QA Guild | DEVOPS-POLICY-20-001, POLICY-ENGINE-20-005 | Determinism CI: run Policy Engine twice with identical inputs and diff outputs to guard non-determinism. | CI job compares outputs, fails on differences, logs stored; documentation updated. |
+
+## Graph Explorer v1
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DEVOPS-GRAPH-21-001 | TODO | DevOps Guild, Cartographer Guild | CARTO-GRAPH-21-006 | Add load/perf jobs hitting graph viewport/path/diff endpoints with synthetic 50k/100k graphs; emit dashboards/alerts for SLOs. | CI perf job introduced; Grafana panels live; alerts configured for latency/SLA breaches. |
+| DEVOPS-GRAPH-21-002 | TODO | DevOps Guild, UI Guild | UI-GRAPH-21-001 | Capture golden screenshots (Playwright) and JSON exports for visual regressions; wire into CI/offline kit. | Visual regression suite runs in CI; artifacts stored; failure triage docs updated. |
+| DEVOPS-GRAPH-21-003 | TODO | DevOps Guild | CARTO-GRAPH-21-009, SBOM-SERVICE-21-002 | Package Cartographer + SBOM Service into offline kit bundles with seeded data/layout caches; document deployment steps. | Offline kit includes graph seeds; docs updated; smoke scripts validate airgapped startup. |
+
+## Orchestrator Dashboard
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DEVOPS-ORCH-32-001 | TODO | DevOps Guild, Orchestrator Service Guild | ORCH-SVC-32-001 | Provision orchestrator Postgres/message-bus infrastructure, add CI smoke deploy, seed Grafana dashboards (queue depth, inflight jobs), and document bootstrap. | Helm/Compose profiles committed; CI smoke deploy runs; dashboards live with metrics; runbook updated. |
+| DEVOPS-ORCH-33-001 | TODO | DevOps Guild, Observability Guild | DEVOPS-ORCH-32-001, ORCH-SVC-33-001..003 | Publish Grafana dashboards/alerts for rate limiter, backpressure, error clustering, and DLQ depth; integrate with on-call rotations. | Dashboards and alerts configured; synthetic tests validate thresholds; on-call playbook updated. |
+| DEVOPS-ORCH-34-001 | TODO | DevOps Guild, Orchestrator Service Guild | DEVOPS-ORCH-33-001, ORCH-SVC-34-001..003 | Harden production monitoring (synthetic probes, burn-rate alerts, replay smoke), document incident response, and prep GA readiness checklist. | Synthetic probes created; burn-rate alerts firing on test scenario; GA checklist approved; runbook linked. |
+
+## Link-Not-Merge v1
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DEVOPS-LNM-22-001 | TODO | DevOps Guild, Concelier Guild | CONCELIER-LNM-21-102 | Run migration/backfill pipelines for advisory observations/linksets in staging, validate counts/conflicts, and automate deployment steps. | Migration job scripted; staging validation report produced; rollback documented. |
+| DEVOPS-LNM-22-002 | TODO | DevOps Guild, Excititor Guild | EXCITITOR-LNM-21-102 | Execute VEX observation/linkset backfill with monitoring; ensure NATS/Redis events integrated; document ops runbook. | Backfill completed in staging; monitoring dashboards updated; runbook published. |
+| DEVOPS-LNM-22-003 | TODO | DevOps Guild, Observability Guild | CONCELIER-LNM-21-005, EXCITITOR-LNM-21-005 | Add CI/monitoring coverage for new metrics (`advisory_observations_total`, `linksets_total`, etc.) and alerts on ingest-to-API SLA breaches. | Metrics scraped into Grafana; alert thresholds set; CI job verifies metric emission. |
+
+## Graph & Vuln Explorer v1
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DEVOPS-GRAPH-24-001 | TODO | DevOps Guild, SBOM Service Guild | SBOM-GRAPH-24-002 | Load test graph index/adjacency APIs with 40k-node assets; capture perf dashboards and alert thresholds. | Perf suite added; dashboards live; alerts configured. |
+| DEVOPS-GRAPH-24-002 | TODO | DevOps Guild, UI Guild | UI-GRAPH-24-001..005 | Integrate synthetic UI perf runs (Playwright/WebGL metrics) for Graph/Vuln explorers; fail builds on regression. | CI job runs UI perf tests; baseline stored; documentation updated. |
+| DEVOPS-GRAPH-24-003 | TODO | DevOps Guild | WEB-GRAPH-24-002 | Implement smoke job for simulation endpoints ensuring we stay within SLA (<3s upgrade) and log results. | Smoke job in CI; alerts when SLA breached; runbook documented. |
+| DEVOPS-POLICY-27-001 | TODO | DevOps Guild, DevEx/CLI Guild | CLI-POLICY-27-001, REGISTRY-API-27-001 | Add CI pipeline stages to run `stella policy lint|compile|test` with secret scanning on policy sources for PRs touching `/policies/**`; publish diagnostics artifacts. | Pipeline executes on PR/main, failures block merges, secret scan summary uploaded, docs updated. |
+| DEVOPS-POLICY-27-002 | TODO | DevOps Guild, Policy Registry Guild | REGISTRY-API-27-005, SCHED-WORKER-27-301 | Provide optional batch simulation CI job (staging inventory) that triggers Registry run, polls results, and posts markdown summary to PR; enforce drift thresholds. | Job configurable via label, summary comment generated, drift threshold gates merges, runbook documented. |
+| DEVOPS-POLICY-27-003 | TODO | DevOps Guild, Security Guild | AUTH-POLICY-27-002, REGISTRY-API-27-007 | Manage signing key material for policy publish pipeline (OIDC workload identity + cosign), rotate keys, and document verification steps; integrate attestation verification stage. | Keys stored in secure vault, rotation procedure documented, CI verifies attestations, audit logs recorded. |
+| DEVOPS-POLICY-27-004 | TODO | DevOps Guild, Observability Guild | WEB-POLICY-27-005, TELEMETRY-CONSOLE-27-001 | Create dashboards/alerts for policy compile latency, simulation queue depth, approval latency, and promotion outcomes; integrate with on-call playbooks. | Grafana dashboards live, alerts tuned, runbooks updated, observability tests verify metric ingestion. |
 > Remark (2025-10-20): Repacked `Mongo2Go` local feed to require MongoDB.Driver 3.5.0 + SharpCompress 0.41.0; cache regression tests green and NU1902/NU1903 suppressed.
 > Remark (2025-10-21): Compose/Helm profiles now surface `SCANNER__EVENTS__*` toggles with docs pointing at new `.env` placeholders.
+
+## Reachability v1
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DEVOPS-SIG-26-001 | TODO | DevOps Guild, Signals Guild | SIGNALS-24-001 | Provision CI/CD pipelines, Helm/Compose manifests for Signals service, including artifact storage and Redis dependencies. | Pipelines ship Signals service; deployment docs updated; smoke tests green. |
+| DEVOPS-SIG-26-002 | TODO | DevOps Guild, Observability Guild | SIGNALS-24-004 | Create dashboards/alerts for reachability scoring latency, cache hit rates, sensor staleness. | Dashboards live; alert thresholds configured; documentation updated. |
+| DEVOPS-VULN-29-001 | TODO | DevOps Guild, Findings Ledger Guild | LEDGER-29-002..009 | Provision CI jobs for ledger projector (replay, determinism), set up backups, monitor Merkle anchoring, and automate verification. | CI job verifies hash chains; backups documented; alerts for anchoring failures configured. |
+| DEVOPS-VULN-29-002 | TODO | DevOps Guild, Vuln Explorer API Guild | VULN-API-29-002..009 | Configure load/perf tests (5M findings/tenant), query budget enforcement, API SLO dashboards, and alerts for `vuln_list_latency` and `projection_lag`. | Perf suite integrated; dashboards live; alerts firing; runbooks updated. |
+| DEVOPS-VULN-29-003 | TODO | DevOps Guild, Console Guild | WEB-VULN-29-004, CONSOLE-VULN-29-007 | Instrument analytics pipeline for Vuln Explorer (telemetry ingestion, query hashes), ensure compliance with privacy/PII guardrails, and update observability docs. | Telemetry pipeline operational; PII redaction verified; docs updated with checklist. |
+| DEVOPS-VEX-30-001 | TODO | DevOps Guild, VEX Lens Guild | VEXLENS-30-009, ISSUER-30-005 | Provision CI, load tests, dashboards, alerts for VEX Lens and Issuer Directory (compute latency, disputed totals, signature verification rates). | CI/perf suites running; dashboards live; alerts configured; docs updated. |
+| DEVOPS-AIAI-31-001 | TODO | DevOps Guild, Advisory AI Guild | AIAI-31-006..007 | Stand up CI pipelines, inference monitoring, privacy logging review, and perf dashboards for Advisory AI (summaries/conflicts/remediation). | CI covers golden outputs, telemetry dashboards live, privacy controls reviewed, alerts configured. |
+
+## Export Center
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DEVOPS-EXPORT-35-001 | TODO | DevOps Guild, Exporter Service Guild | EXPORT-SVC-35-001..006 | Establish exporter CI pipeline (lint/test/perf smoke), configure object storage fixtures, seed Grafana dashboards, and document bootstrap steps. | CI pipeline running; smoke export job seeded; dashboards live; runbook updated. |
+| DEVOPS-EXPORT-36-001 | TODO | DevOps Guild, Exporter Service Guild | DEVOPS-EXPORT-35-001, EXPORT-SVC-36-001..004 | Integrate Trivy compatibility validation, OCI push smoke tests, and throughput/error dashboards. | CI executes Trivy validation; OCI push smoke passes; dashboards/alerts configured. |
+| DEVOPS-EXPORT-37-001 | TODO | DevOps Guild, Exporter Service Guild | DEVOPS-EXPORT-36-001, EXPORT-SVC-37-001..004 | Finalize exporter monitoring (failure alerts, verify metrics, retention jobs) and chaos/latency tests ahead of GA. | Alerts tuned; chaos tests documented; retention monitoring active; runbook updated. |
+
+## CLI Parity & Task Packs
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DEVOPS-CLI-41-001 | TODO | DevOps Guild, DevEx/CLI Guild | CLI-CORE-41-001 | Establish CLI build pipeline (multi-platform binaries, SBOM, checksums), parity matrix CI enforcement, and release artifact signing. | Build pipeline operational; SBOM/checksums published; parity gate failing on drift; docs updated. |
+| DEVOPS-CLI-42-001 | TODO | DevOps Guild | DEVOPS-CLI-41-001, CLI-PARITY-41-001 | Add CLI golden output tests, parity diff automation, pack run CI harness, and artifact cache for remote mode. | Golden tests running; parity diff automation in CI; pack run harness executes sample packs; documentation updated. |
+| DEVOPS-CLI-43-001 | TODO | DevOps Guild | DEVOPS-CLI-42-001, TASKRUN-42-001 | Finalize multi-platform release automation, SBOM signing, parity gate enforcement, and Task Pack chaos tests. | Release automation verified; SBOM signed; parity gate enforced; chaos tests documented. |
+
+## Containerized Distribution (Epic 13)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DEVOPS-CONTAINERS-44-001 | TODO | DevOps Guild | DOCKER-44-001..003 | Automate multi-arch image builds with buildx, SBOM generation, cosign signing, and signature verification in CI. | Pipeline builds amd64/arm64; SBOMs pushed as referrers; cosign verify job passes. |
+| DEVOPS-CONTAINERS-45-001 | TODO | DevOps Guild | HELM-45-001 | Add Compose and Helm smoke tests (fresh VM + kind cluster) to CI; publish test artifacts and logs. | CI jobs running; failures block releases; documentation updated. |
+| DEVOPS-CONTAINERS-46-001 | TODO | DevOps Guild | DEPLOY-PACKS-43-001 | Build air-gap bundle generator (`tools/make-airgap-bundle.sh`), produce signed bundle, and verify in CI using private registry. | Bundle artifact produced with signatures/checksums; verification job passes; instructions documented. |
+
+### Container Images (Epic 13)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DOCKER-44-001 | TODO | DevOps Guild, Service Owners | DEVOPS-CLI-41-001 | Author multi-stage Dockerfiles for all core services (API, Console, Orchestrator, Task Runner, Conseiller, Excitator, Policy, Notify, Export, AI) with non-root users, read-only file systems, and health scripts. | Dockerfiles committed; images build successfully; container security scans clean; health endpoints reachable. |
+| DOCKER-44-002 | TODO | DevOps Guild | DOCKER-44-001 | Generate SBOMs and cosign attestations for each image and integrate verification into CI. | SBOMs attached as OCI artifacts; cosign signatures published; CI verifies signatures prior to release. |
+| DOCKER-44-003 | TODO | DevOps Guild | DOCKER-44-001 | Implement `/health/liveness`, `/health/readiness`, `/version`, `/metrics`, and ensure capability endpoint returns `merge=false` for Conseiller/Excitator. | Endpoints available across services; automated tests confirm responses; documentation updated with imposed rule reminder. |
+
+## Authority-Backed Scopes & Tenancy (Epic 14)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DEVOPS-TEN-47-001 | TODO | DevOps Guild | AUTH-TEN-47-001 | Add JWKS cache monitoring, signature verification regression tests, and token expiration chaos tests to CI. | CI verifies tokens using cached keys; chaos test for expired keys passes; documentation updated. |
+| DEVOPS-TEN-48-001 | TODO | DevOps Guild | WEB-TEN-48-001 | Build integration tests to assert RLS enforcement, tenant-prefixed object storage, and audit event emission; set up lint to prevent raw SQL bypass. | Tests fail on cross-tenant access; lint enforced; dashboards capture audit events. |
+| DEVOPS-TEN-49-001 | TODO | DevOps Guild | AUTH-TEN-49-001 | Deploy audit pipeline, scope usage metrics, JWKS outage chaos tests, and tenant load/perf benchmarks. | Audit pipeline live; metrics dashboards updated; chaos tests documented; perf benchmarks recorded. |
+
+## SDKs & OpenAPI (Epic 17)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DEVOPS-OAS-61-001 | TODO | DevOps Guild, API Contracts Guild | OAS-61-002 | Add CI stages for OpenAPI linting, validation, and compatibility diff; enforce gating on PRs. | Pipeline active; merge blocked on failures; documentation updated. |
+| DEVOPS-OAS-61-002 | TODO | DevOps Guild, Contract Testing Guild | CONTR-62-002 | Integrate mock server + contract test suite into PR and nightly workflows; publish artifacts. | Tests run in CI; artifacts stored; failures alert. |
+| DEVOPS-SDK-63-001 | TODO | DevOps Guild, SDK Release Guild | SDKREL-63-001 | Provision registry credentials, signing keys, and secure storage for SDK publishing pipelines. | Keys stored/rotated; publish pipeline authenticated; audit logs recorded. |
+| DEVOPS-DEVPORT-63-001 | TODO | DevOps Guild, Developer Portal Guild | DEVPORT-62-001 | Automate developer portal build pipeline with caching, link & accessibility checks, performance budgets. | Pipeline enforced; reports archived; failures gate merges. |
+| DEVOPS-DEVPORT-64-001 | TODO | DevOps Guild, DevPortal Offline Guild | DVOFF-64-001 | Schedule `devportal --offline` nightly builds with checksum validation and artifact retention policies. | Nightly job running; checksums published; retention policy documented. |
+
+## Attestor Console (Epic 19)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DEVOPS-ATTEST-73-001 | TODO | DevOps Guild, Attestor Service Guild | ATTESTOR-72-002 | Provision CI pipelines for attestor service (lint/test/security scan, seed data) and manage secrets for KMS drivers. | CI pipeline running; secrets stored securely; docs updated. |
+| DEVOPS-ATTEST-73-002 | TODO | DevOps Guild, KMS Guild | KMS-72-001 | Establish secure storage for signing keys (vault integration, rotation schedule) and audit logging. | Key storage configured; rotation documented; audit logs verified. |
+| DEVOPS-ATTEST-74-001 | TODO | DevOps Guild, Transparency Guild | TRANSP-74-001 | Deploy transparency log witness infrastructure and monitoring. | Witness service deployed; dashboards/alerts live. |
+| DEVOPS-ATTEST-74-002 | TODO | DevOps Guild, Export Attestation Guild | EXPORT-ATTEST-74-001 | Integrate attestation bundle builds into release/offline pipelines with checksum verification. | Bundle job in CI; checksum verification passes; docs updated. |
+| DEVOPS-ATTEST-75-001 | TODO | DevOps Guild, Observability Guild | ATTEST-VERIFY-74-001 | Add dashboards/alerts for signing latency, verification failures, key rotation events. | Dashboards live; alerts configured. |
diff --git a/ops/offline-kit/TASKS.md b/ops/offline-kit/TASKS.md
index ee35af97..1d144994 100644
--- a/ops/offline-kit/TASKS.md
+++ b/ops/offline-kit/TASKS.md
@@ -3,6 +3,9 @@
 | ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
 |----|--------|----------|------------|-------------|---------------|
 | DEVOPS-OFFLINE-14-002 | TODO | Offline Kit Guild | DEVOPS-REL-14-001 | Build offline kit packaging workflow (artifact bundling, manifest generation, signature verification). | Offline tarball generated with manifest + checksums + signatures; import script verifies integrity; docs updated. |
-| DEVOPS-OFFLINE-18-003 | TODO | Offline Kit Guild, UX Specialist | DEVOPS-OFFLINE-14-002 | Capture Angular workspace npm cache + Chromium bundle in Offline Kit (`out/offline-kit/web/`) and document refresh cadence. | Web cache directory added to kit manifest; documentation updated with `npm run ci:install`/`verify:chromium` workflow; periodic refresh SOP recorded in Offline Kit guide. |
 | DEVOPS-OFFLINE-18-004 | DONE (2025-10-22) | Offline Kit Guild, Scanner Guild | DEVOPS-OFFLINE-18-003, SCANNER-ANALYZERS-LANG-10-309G | Rebuild Offline Kit bundle with Go analyzer plug-in and updated manifest/signature set. | Kit tarball includes Go analyzer artifacts; manifest/signature refreshed; verification steps executed and logged; docs updated with new bundle version. |
 | DEVOPS-OFFLINE-18-005 | TODO | Offline Kit Guild, Scanner Guild | DEVOPS-REL-14-004, SCANNER-ANALYZERS-LANG-10-309P | Repackage Offline Kit with Python analyzer plug-in artefacts and refreshed manifest/signature set. | Kit tarball includes Python analyzer DLL/PDB/manifest; signature + manifest updated; Offline Kit guide references Python coverage; smoke import validated. |
+| DEVOPS-OFFLINE-34-006 | TODO | Offline Kit Guild, Orchestrator Service Guild | ORCH-SVC-34-004, DEPLOY-ORCH-34-001 | Bundle orchestrator service container, worker SDK samples, Postgres snapshot, and dashboards into Offline Kit with manifest/signature updates. | Offline kit contains orchestrator assets; manifest/signature validated; docs updated with air-gapped install steps; smoke import executed. |
+| DEVOPS-OFFLINE-37-001 | TODO | Offline Kit Guild, Exporter Service Guild | EXPORT-SVC-37-001..004, DEPLOY-EXPORT-36-001 | Package Export Center tooling, sample mirror bundles, verification CLI, and docs into Offline Kit with manifest/signature refresh and air-gap import script. | Offline kit includes export bundles/tools; verification script passes; manifest/signature updated; docs detail import workflow. |
+| CLI-PACKS-43-002 | TODO | Offline Kit Guild, Packs Registry Guild | PACKS-REG-42-001, DEPLOY-PACKS-43-001 | Bundle Task Pack samples, registry mirror seeds, Task Runner configs, and CLI binaries with checksums into Offline Kit. | Offline kit includes packs registry mirror, Task Runner configs, CLI binaries; manifest/signature updated; docs describe air-gapped execution. |
+| OFFLINE-CONTAINERS-46-001 | TODO | Offline Kit Guild, Deployment Guild | DEVOPS-CONTAINERS-46-001, DEPLOY-AIRGAP-46-001 | Include container air-gap bundle, verification docs, and mirrored registry instructions inside Offline Kit. | Offline kit ships bundle + how-to; verification steps validated; manifest/signature updated; imposed rule noted. |
diff --git a/samples/TASKS.md b/samples/TASKS.md
index eebddcb3..01c5d5cb 100644
--- a/samples/TASKS.md
+++ b/samples/TASKS.md
@@ -4,3 +4,31 @@
 |----|--------|----------|------------|-------------|---------------|
 | SAMPLES-10-001 | DONE | Samples Guild, Scanner Team | SCANNER-EMIT-10-605 | Curate sample images (nginx, alpine+busybox, distroless+go, .NET AOT, python venv, npm monorepo) with expected SBOM/BOM-Index sidecars. | Samples committed under `samples/`; golden SBOM/BOM-Index files present; documented usage. |
 | SAMPLES-13-004 | DONE (2025-10-23) | Samples Guild, Policy Guild | POLICY-CORE-09-006, UI-POLICY-13-007 | Add policy preview/report fixtures showing confidence bands and unknown-age tags. | Confidence sample (`samples/policy/policy-preview-unknown.json`) reviewed, documented usage in UI dev guide, ajv validation hook updated. |
+
+## Policy Engine v2
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| SAMPLES-POLICY-20-001 | TODO | Samples Guild, Policy Guild | POLICY-ENGINE-20-002, DOCS-POLICY-20-011 | Create sample policies (`baseline.pol`, `serverless.pol`, `internal-only.pol`) with annotated SBOM/advisory fixtures. | Samples stored under `samples/policy/`; README documents usage; tests validate deterministic outputs. |
+| SAMPLES-POLICY-20-002 | TODO | Samples Guild, UI Guild | UI-POLICY-20-002 | Produce simulation diff fixtures (before/after JSON) for UI/CLI tests. | Fixtures committed with schema validation; referenced by UI+CLI tests; docs cross-link. |
+
+## Graph Explorer v1
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| SAMPLES-GRAPH-21-001 | TODO | Samples Guild, Cartographer Guild | CARTO-GRAPH-21-003 | Produce small/medium SBOM graph fixtures (JSON, GraphML, layout tiles) for automated tests and docs. | Fixtures stored under `samples/graph/`; validated by Cartographer + UI tests; README documents usage. |
+| SAMPLES-GRAPH-21-002 | TODO | Samples Guild, UI Guild | UI-GRAPH-21-005 | Capture golden Graph Explorer screenshots (baseline/diff) and path exports for visual regression + documentation. | Screenshots exported; stored with metadata; referenced in docs; tests consume assets. |
+
+## Link-Not-Merge v1
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| SAMPLES-LNM-22-001 | TODO | Samples Guild, Concelier Guild | CONCELIER-LNM-21-001..003 | Create advisory observation/linkset fixtures (NVD, GHSA, OSV disagreements) for API/CLI/UI tests with documented conflicts. | Fixtures deposited under `samples/advisories/`; metadata README added; tests reference fixtures. |
+| SAMPLES-LNM-22-002 | TODO | Samples Guild, Excititor Guild | EXCITITOR-LNM-21-001..003 | Produce VEX observation/linkset fixtures demonstrating status conflicts and path relevance; include raw blobs. | Fixtures stored under `samples/vex/`; CLI/UI tests consume; docs linked. |
+
+## Graph & Vuln Explorer v1 (extended)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| SAMPLES-GRAPH-24-003 | TODO | Samples Guild, SBOM Service Guild | SBOM-GRAPH-24-002 | Generate large-scale SBOM graph fixture (≈40k nodes) with policy overlay snapshot for performance/perf regression suites. | Fixture stored under `samples/graph/large/`; README updated; perf tests reference file. |
+| SAMPLES-GRAPH-24-004 | TODO | Samples Guild, UI Guild | UI-GRAPH-24-005 | Create vulnerability explorer JSON/CSV fixtures capturing conflicting evidence and policy outputs for UI/CLI automated tests. | Fixtures available under `samples/vuln/`; schema documented; tests consume fixtures. |
diff --git a/src/StellaOps.AdvisoryAI/AGENTS.md b/src/StellaOps.AdvisoryAI/AGENTS.md
new file mode 100644
index 00000000..309c45dd
--- /dev/null
+++ b/src/StellaOps.AdvisoryAI/AGENTS.md
@@ -0,0 +1,22 @@
+# Advisory AI Guild Charter (Epic 8)
+
+## Mission
+Deliver the Advisory AI assistant service that synthesizes advisory/VEX evidence, policy context, and SBOM data into summaries, conflict explanations, and remediation hints—always with citations and guardrails.
+
+## Scope
+- Service under `src/StellaOps.AdvisoryAI` (retrievers, deterministics, orchestrator, guardrails, inference adapters, REST APIs).
+- Batch processing for CLI/automation, caching, observability, and integration with Console, CLI, and downstream systems.
+- Coordination across Conseiller, Excitator, VEX Lens, SBOM Service, Policy Engine, Findings Ledger, Web Gateway, Authority, DevOps, and Docs.
+
+## Principles
+1. **Evidence preservation** – Raw advisory/VEX documents remain untouched; AI outputs reference them with citations.
+2. **Deterministic scaffolding** – Retrieval, mapping, and validators are deterministic; model variability is constrained.
+3. **Guardrails everywhere** – Redaction, injection defense, output validation, and audit logging are non-optional.
+4. **Policy-aware** – Outputs respect selected policy versions, thresholds, and trust configs.
+5. **Explainable** – Each result carries structured JSON, rationale, and provenance; humans can audit every statement.
+
+## Definition of Done
+- Retrievers/deterministic tools implemented with tests and docs.
+- API endpoints documented (OpenAPI), RBAC enforced, guardrails active.
+- Console/CLI integrations operational; telemetry dashboards live.
+- Documentation suite published with compliance checklist.
diff --git a/src/StellaOps.AdvisoryAI/TASKS.md b/src/StellaOps.AdvisoryAI/TASKS.md
new file mode 100644
index 00000000..63a016d2
--- /dev/null
+++ b/src/StellaOps.AdvisoryAI/TASKS.md
@@ -0,0 +1,12 @@
+# Advisory AI Task Board — Epic 8
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AIAI-31-001 | TODO | Advisory AI Guild | CONCELIER-VULN-29-001, EXCITITOR-VULN-29-001 | Implement structured and vector retrievers for advisories/VEX with paragraph anchors and citation metadata. | Retrievers return deterministic chunks with source IDs/sections; unit tests cover CSAF/OSV/vendor formats. |
+| AIAI-31-002 | TODO | Advisory AI Guild, SBOM Service Guild | SBOM-VULN-29-001 | Build SBOM context retriever (purl version timelines, dependency paths, env flags, blast radius estimator). | Retriever returns paths/metrics under SLA; tests cover ecosystems. |
+| AIAI-31-003 | TODO | Advisory AI Guild | AIAI-31-001..002 | Implement deterministic toolset (version comparators, range checks, dependency analysis, policy lookup) exposed via orchestrator. | Tools validated with property tests; outputs cached; docs updated. |
+| AIAI-31-004 | TODO | Advisory AI Guild | AIAI-31-001..003, AUTH-VULN-29-001 | Build orchestration pipeline for Summary/Conflict/Remediation tasks (prompt templates, tool calls, token budgets, caching). | Pipeline executes tasks deterministically; caches keyed by tuple+policy; integration tests cover tasks. |
+| AIAI-31-005 | TODO | Advisory AI Guild, Security Guild | AIAI-31-004 | Implement guardrails (redaction, injection defense, output validation, citation enforcement) and fail-safe handling. | Guardrails block adversarial inputs; output validator enforces schemas; security tests pass. |
+| AIAI-31-006 | TODO | Advisory AI Guild | AIAI-31-004..005 | Expose REST API endpoints (`/advisory/ai/*`) with RBAC, rate limits, OpenAPI schemas, and batching support. | Endpoints deployed with schema validation; rate limits enforced; integration tests cover error codes. |
+| AIAI-31-007 | TODO | Advisory AI Guild, Observability Guild | AIAI-31-004..006 | Instrument metrics (`advisory_ai_latency`, `guardrail_blocks`, `validation_failures`, `citation_coverage`), logs, and traces; publish dashboards/alerts. | Telemetry live; dashboards approved; alerts configured. |
+| AIAI-31-008 | TODO | Advisory AI Guild, DevOps Guild | AIAI-31-006..007 | Package inference on-prem container, remote inference toggle, Helm/Compose manifests, scaling guidance, offline kit instructions. | Deployment docs merged; smoke deploy executed; offline kit updated; feature flags documented. |
+| AIAI-31-009 | TODO | Advisory AI Guild, QA Guild | AIAI-31-001..006 | Develop unit/golden/property/perf tests, injection harness, and regression suite; ensure determinism with seeded caches. | Test suite green; golden outputs stored; injection tests pass; perf targets documented. |
diff --git a/src/StellaOps.AirGap.Controller/AGENTS.md b/src/StellaOps.AirGap.Controller/AGENTS.md
new file mode 100644
index 00000000..8ba4d55e
--- /dev/null
+++ b/src/StellaOps.AirGap.Controller/AGENTS.md
@@ -0,0 +1,16 @@
+# StellaOps AirGap Controller Guild Charter
+
+## Mission
+Own the sealing state machine, status APIs, and enforcement hooks that keep StellaOps compliant in sealed air-gapped environments while respecting the imposed rule.
+
+## Scope
+- Persisted air-gap state (`sealed`, policy hash, time anchor metadata) and RBAC enforcement.
+- HTTP endpoints for seal/unseal/status and integration with Authority scopes.
+- Startup diagnostics that refuse to run when sealing requirements are unmet.
+- Coordination with DevOps for Kubernetes/Compose egress policies.
+- Telemetry and audit events reflecting sealing actions and violations.
+
+## Definition of Done
+- Deterministic tests for seal/unseal transitions and audit logging.
+- Integration tests covering RBAC, sealed-mode refusal, and policy hash validation.
+- Documentation hooks updated in `/docs/airgap/` for each shipped feature.
diff --git a/src/StellaOps.AirGap.Controller/TASKS.md b/src/StellaOps.AirGap.Controller/TASKS.md
new file mode 100644
index 00000000..4a5f657f
--- /dev/null
+++ b/src/StellaOps.AirGap.Controller/TASKS.md
@@ -0,0 +1,18 @@
+# AirGap Controller Task Board — Epic 16: Air-Gapped Mode
+
+## Sprint 56 – Sealing Foundations
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AIRGAP-CTL-56-001 | TODO | AirGap Controller Guild | AUTH-OBS-50-001 | Implement `airgap_state` persistence, seal/unseal state machine, and Authority scope checks (`airgap:seal`, `airgap:status:read`). | State table created with migrations; seal/unseal transitions audited; unit tests cover happy/error paths. |
+| AIRGAP-CTL-56-002 | TODO | AirGap Controller Guild, DevOps Guild | AIRGAP-CTL-56-001, DEVOPS-AIRGAP-56-001 | Expose `GET /system/airgap/status`, `POST /system/airgap/seal`, integrate policy hash validation, and return staleness/time anchor placeholders. | APIs documented with OpenAPI; RBAC enforced; integration tests cover unauthorized/sealed states. |
+
+## Sprint 57 – Enforcement & Diagnostics
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AIRGAP-CTL-57-001 | TODO | AirGap Controller Guild | AIRGAP-CTL-56-002 | Add startup diagnostics that block application run when sealed flag set but egress policies missing; emit audit + telemetry. | Startup guard tested with simulated failure; telemetry includes `airgap_sealed=true`; docs updated. |
+| AIRGAP-CTL-57-002 | TODO | AirGap Controller Guild, Observability Guild | AIRGAP-CTL-56-002, TELEMETRY-OBS-50-001 | Instrument seal/unseal events with trace/log fields and timeline emission (`airgap.sealed`, `airgap.unsealed`). | Timeline events validated; logs include actor/tenant/policy hash; integration test covers duplication suppression. |
+
+## Sprint 58 – Time Anchor & Drift
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AIRGAP-CTL-58-001 | TODO | AirGap Controller Guild, AirGap Time Guild | AIRGAP-CTL-56-002, AIRGAP-TIME-57-001 | Persist time anchor metadata, compute drift seconds, and surface staleness budgets in status API. | Time anchor stored with bundle ID; drift calculation validated in tests; status API returns staleness metrics. |
diff --git a/src/StellaOps.AirGap.Importer/AGENTS.md b/src/StellaOps.AirGap.Importer/AGENTS.md
new file mode 100644
index 00000000..fbe5d555
--- /dev/null
+++ b/src/StellaOps.AirGap.Importer/AGENTS.md
@@ -0,0 +1,16 @@
+# StellaOps AirGap Importer Guild Charter
+
+## Mission
+Deliver offline bundle verification and ingestion tooling for sealed environments, covering DSSE/TUF validation, catalog updates, and audit logging under the imposed rule.
+
+## Scope
+- TUF metadata verification, DSSE signature checks, Merkle root validation.
+- Import pipelines writing bundle catalogs, object-store layouts, and audit entries.
+- CLI + API surfaces for dry-run verification, import, and status queries.
+- Integration hooks for Conseiller, Excitator, Policy Engine, and Export Center.
+- Negative-case handling (tampering, expired signatures, root rotation) with operator guidance.
+
+## Definition of Done
+- Deterministic fixtures for valid/invalid bundles committed.
+- Integration tests prove catalog + object-store updates are idempotent.
+- Import audit trail viewable via API and timeline events.
diff --git a/src/StellaOps.AirGap.Importer/TASKS.md b/src/StellaOps.AirGap.Importer/TASKS.md
new file mode 100644
index 00000000..6eaf8f93
--- /dev/null
+++ b/src/StellaOps.AirGap.Importer/TASKS.md
@@ -0,0 +1,19 @@
+# AirGap Importer Task Board — Epic 16: Air-Gapped Mode
+
+## Sprint 56 – Verification Primitives
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AIRGAP-IMP-56-001 | TODO | AirGap Importer Guild | PROV-OBS-53-001 | Implement DSSE verification helpers, TUF metadata parser (`root.json`, `snapshot.json`, `timestamp.json`), and Merkle root calculator. | Verifier returns structured results; unit tests cover valid/invalid signatures and tampering scenarios. |
+| AIRGAP-IMP-56-002 | TODO | AirGap Importer Guild, Security Guild | AIRGAP-IMP-56-001 | Introduce root rotation policy validation (dual approval) and signer trust store management. | Rotation policy enforced; tests cover valid rotation and rollback; docs stub updated. |
+
+## Sprint 57 – Catalog & Storage Writes
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AIRGAP-IMP-57-001 | TODO | AirGap Importer Guild | AIRGAP-IMP-56-001, DEVOPS-AIRGAP-56-002 | Write `bundle_catalog` and `bundle_items` repositories with RLS + deterministic migrations. | Catalog tables created; integration tests ensure tenant/global scoping; determinism check passes. |
+| AIRGAP-IMP-57-002 | TODO | AirGap Importer Guild, DevOps Guild | AIRGAP-IMP-57-001 | Implement object-store loader storing artifacts under tenant/global mirror paths with Zstandard decompression and checksum validation. | Import writes deduplicated objects; checksum mismatches raise errors; storage layout documented. |
+
+## Sprint 58 – Import Workflows
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AIRGAP-IMP-58-001 | TODO | AirGap Importer Guild, CLI Guild | AIRGAP-IMP-57-002, CLI-AIRGAP-56-001 | Implement API (`POST /airgap/import`, `/airgap/verify`) and CLI commands wiring verification + catalog updates, including diff preview. | CLI/API share validation engine; diff preview surfaces metadata changes; audit entries recorded with trace IDs. |
+| AIRGAP-IMP-58-002 | TODO | AirGap Importer Guild, Observability Guild | AIRGAP-IMP-58-001, TELEMETRY-OBS-50-001 | Emit timeline events (`airgap.import.started|completed|failed`) and telemetry metrics (bundle bytes, duration, warnings). | Events/metrics validated in integration tests; docs cross-link to observability dashboards. |
diff --git a/src/StellaOps.AirGap.Policy/AGENTS.md b/src/StellaOps.AirGap.Policy/AGENTS.md
new file mode 100644
index 00000000..8cd703e5
--- /dev/null
+++ b/src/StellaOps.AirGap.Policy/AGENTS.md
@@ -0,0 +1,16 @@
+# StellaOps AirGap Policy Guild Charter
+
+## Mission
+Provide the shared enforcement layer (`EgressPolicy`, job plan validators, sealed-mode gates) that keeps all services compliant with Air-Gapped Mode requirements.
+
+## Scope
+- `EgressPolicy` facade replacing raw HTTP client usage.
+- Static analysis/linting to detect unauthorized network calls.
+- Task Runner and orchestrator validators flagging disallowed destinations.
+- Shared error contract (`AIRGAP_EGRESS_BLOCKED`) and remediation messages.
+- Test harnesses simulating sealed/unsealed execution paths.
+
+## Definition of Done
+- Every service imports the facade; CI fails on direct HTTP client usage.
+- Sealed-mode unit tests cover panic/remediation behavior across host types.
+- Documentation updated in `/docs/dev/airgap-contracts.md` for adoption patterns.
diff --git a/src/StellaOps.AirGap.Policy/TASKS.md b/src/StellaOps.AirGap.Policy/TASKS.md
new file mode 100644
index 00000000..676ca97c
--- /dev/null
+++ b/src/StellaOps.AirGap.Policy/TASKS.md
@@ -0,0 +1,19 @@
+# AirGap Policy Task Board — Epic 16: Air-Gapped Mode
+
+## Sprint 56 – Facade & Contracts
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AIRGAP-POL-56-001 | TODO | AirGap Policy Guild | TELEMETRY-OBS-50-001 | Implement `StellaOps.AirGap.Policy` package exposing `EgressPolicy` facade with sealed/unsealed branches and remediation-friendly errors. | Facade package builds/tests; integration tests simulate sealed/unsealed; error contract documented. |
+| AIRGAP-POL-56-002 | TODO | AirGap Policy Guild, DevEx Guild | AIRGAP-POL-56-001 | Create Roslyn analyzer/code fix warning on raw `HttpClient` usage outside approved wrappers; add CI integration. | Analyzer packaged; CI fails on intentional violation; docs updated for opt-in. |
+
+## Sprint 57 – Service Adoption Wave 1
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AIRGAP-POL-57-001 | TODO | AirGap Policy Guild, BE-Base Platform Guild | AIRGAP-POL-56-001 | Update core web services (Web, Exporter, Policy, Findings, Authority) to use `EgressPolicy`; ensure configuration wiring for sealed mode. | Services compile with facade; sealed-mode tests run in CI; configuration docs updated. |
+| AIRGAP-POL-57-002 | TODO | AirGap Policy Guild, Task Runner Guild | AIRGAP-POL-56-001, TASKRUN-OBS-50-001 | Implement Task Runner job plan validator rejecting network steps unless marked internal allow-list. | Validator blocks forbidden steps; tests cover allow/deny; error surfaces remediation text. |
+
+## Sprint 58 – Service Adoption Wave 2
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AIRGAP-POL-58-001 | TODO | AirGap Policy Guild, Observability Guild | AIRGAP-POL-57-001 | Ensure Observability exporters only target local endpoints in sealed mode; disable remote sinks with warning. | Exporters respect sealed flag; timeline/log message emitted; docs updated. |
+| AIRGAP-POL-58-002 | TODO | AirGap Policy Guild, CLI Guild | AIRGAP-POL-56-001, CLI-OBS-50-001 | Add CLI sealed-mode guard that refuses commands needing egress and surfaces remediation. | CLI returns `AIRGAP_EGRESS_BLOCKED`; tests cover sealed/unsealed flows; help text updated. |
diff --git a/src/StellaOps.AirGap.Time/AGENTS.md b/src/StellaOps.AirGap.Time/AGENTS.md
new file mode 100644
index 00000000..b42e1eb1
--- /dev/null
+++ b/src/StellaOps.AirGap.Time/AGENTS.md
@@ -0,0 +1,15 @@
+# StellaOps AirGap Time Guild Charter
+
+## Mission
+Manage trusted time anchors and staleness budgets for sealed environments, ensuring deterministic behavior when external time sources are unavailable.
+
+## Scope
+- Parse signed time tokens from Mirror Bundles and validate signatures.
+- Persist `time_anchor` metadata and compute drift/staleness metrics.
+- Provide helpers for UI/API staleness badges and job gating.
+- Integrate with Notifications to alert on approaching drift thresholds.
+
+## Definition of Done
+- Test vectors for time tokens committed alongside verification code.
+- Drift calculations deterministic and configurable per tenant.
+- Documentation updates for `/docs/airgap/staleness-and-time.md` with examples.
diff --git a/src/StellaOps.AirGap.Time/TASKS.md b/src/StellaOps.AirGap.Time/TASKS.md
new file mode 100644
index 00000000..bbcc31c9
--- /dev/null
+++ b/src/StellaOps.AirGap.Time/TASKS.md
@@ -0,0 +1,13 @@
+# AirGap Time Task Board — Epic 16: Air-Gapped Mode
+
+## Sprint 57 – Time Anchor Validation
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AIRGAP-TIME-57-001 | TODO | AirGap Time Guild | PROV-OBS-54-001, AIRGAP-IMP-56-001 | Implement signed time token parser (Roughtime/RFC3161), verify signatures against bundle trust roots, and expose normalized anchor representation. | Parser handles both token formats; tests cover valid/expired/tampered tokens; documentation stubbed. |
+| AIRGAP-TIME-57-002 | TODO | AirGap Time Guild, Observability Guild | AIRGAP-TIME-57-001 | Add telemetry counters for time anchors (`airgap_time_anchor_age_seconds`) and alerts for approaching thresholds. | Metrics registered; alert templates created; integration test ensures emission on stale anchor. |
+
+## Sprint 58 – Drift & Staleness Enforcement
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AIRGAP-TIME-58-001 | TODO | AirGap Time Guild | AIRGAP-TIME-57-001, AIRGAP-CTL-56-002 | Persist drift baseline, compute per-content staleness (advisories, VEX, policy) based on bundle metadata, and surface through controller status API. | Drift/staleness values exposed via API; unit tests cover threshold calculations; docs updated. |
+| AIRGAP-TIME-58-002 | TODO | AirGap Time Guild, Notifications Guild | AIRGAP-TIME-58-001, NOTIFY-OBS-51-001 | Emit notifications and timeline events when staleness budgets breached or approaching. | Notifications dispatched with remediation; timeline events recorded; CLI shows warning banner. |
diff --git a/src/StellaOps.Api.Governance/AGENTS.md b/src/StellaOps.Api.Governance/AGENTS.md
new file mode 100644
index 00000000..0a26f9a4
--- /dev/null
+++ b/src/StellaOps.Api.Governance/AGENTS.md
@@ -0,0 +1,15 @@
+# API Governance Guild Charter
+
+## Mission
+Enforce API contract quality through linting, compatibility checks, version policy automation, and changelog generation.
+
+## Scope
+- Maintain lint rule set, compatibility diff tooling, and CI integration.
+- Gate PRs on contract validation, example coverage, and naming conventions.
+- Produce automated changelogs and deprecation notices from OAS diffs.
+- Coordinate with Notifications Studio for deprecation broadcasts.
+
+## Definition of Done
+- CI gate prevents merging incompatible or non-conforming specs.
+- Version bump tooling produces signed changelog artifacts per release.
+- Governance documentation kept current in `/docs/contributing/api-contracts.md`.
diff --git a/src/StellaOps.Api.Governance/TASKS.md b/src/StellaOps.Api.Governance/TASKS.md
new file mode 100644
index 00000000..2d1c40d9
--- /dev/null
+++ b/src/StellaOps.Api.Governance/TASKS.md
@@ -0,0 +1,18 @@
+# API Governance Task Board — Epic 17: SDKs & OpenAPI Docs
+
+## Sprint 61 – Lint & CI Integration
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| APIGOV-61-001 | TODO | API Governance Guild | OAS-61-002 | Configure spectral/linters with Stella rules; add CI job failing on violations. | Lint pipeline runs on PRs; rule set documented; intentional violations blocked. |
+| APIGOV-61-002 | TODO | API Governance Guild | APIGOV-61-001 | Implement example coverage checker ensuring every operation has at least one request/response example. | Coverage job integrated; failing operations listed in CI output. |
+
+## Sprint 62 – Compatibility & Changelog
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| APIGOV-62-001 | TODO | API Governance Guild | APIGOV-61-001 | Build compatibility diff tool producing additive/breaking reports comparing prior release. | Diff output consumed in CI; failing on breaking changes unless override provided. |
+| APIGOV-62-002 | TODO | API Governance Guild, DevOps Guild | APIGOV-62-001 | Automate changelog generation and publish signed artifacts to `src/StellaOps.Sdk.Release` pipeline. | Changelog pipeline produces markdown + JSON; signatures verified; docs updated. |
+
+## Sprint 63 – Deprecation & Notifications
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| APIGOV-63-001 | TODO | API Governance Guild, Notifications Guild | APIGOV-62-002 | Integrate deprecation metadata into Notification Studio templates for API sunset events. | Deprecation pipeline triggers notifier template; staging test proves delivery. |
diff --git a/src/StellaOps.Api.OpenApi/AGENTS.md b/src/StellaOps.Api.OpenApi/AGENTS.md
new file mode 100644
index 00000000..42f57474
--- /dev/null
+++ b/src/StellaOps.Api.OpenApi/AGENTS.md
@@ -0,0 +1,16 @@
+# StellaOps API Contracts Guild Charter
+
+## Mission
+Maintain OpenAPI 3.1 specifications for every StellaOps service, compose the aggregate spec, and ensure API contract consistency across releases.
+
+## Scope
+- Author and review per-service OAS documents in `src/StellaOps.Api.OpenApi//openapi.yaml`.
+- Operate the aggregate composer producing `src/StellaOps.Api.OpenApi/stella.yaml`.
+- Provide shared components, schema libraries, and example catalogs.
+- Coordinate with service guilds on contract changes, examples, and versioning.
+- Own CI validation, linting, and compatibility diff tooling for OAS artifacts.
+
+## Definition of Done
+- All public endpoints represented in OAS with validated request/response examples.
+- Aggregate spec builds deterministically and passes lint + compatibility checks.
+- Change logs generated with every release and linked to developer portal updates.
diff --git a/src/StellaOps.Api.OpenApi/TASKS.md b/src/StellaOps.Api.OpenApi/TASKS.md
new file mode 100644
index 00000000..34207fdc
--- /dev/null
+++ b/src/StellaOps.Api.OpenApi/TASKS.md
@@ -0,0 +1,19 @@
+# API OpenAPI Task Board — Epic 17: SDKs & OpenAPI Docs
+
+## Sprint 61 – Spec Foundations
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| OAS-61-001 | TODO | API Contracts Guild | — | Scaffold per-service OpenAPI 3.1 files with shared components, info blocks, and initial path stubs. | All services have baseline `openapi.yaml`; shared components library established; lint passes. |
+| OAS-61-002 | TODO | API Contracts Guild, DevOps Guild | OAS-61-001 | Implement aggregate composer (`stella.yaml`) resolving `$ref`s and merging shared components; wire into CI. | Aggregate spec builds deterministically; CI artifact published; documentation updated. |
+
+## Sprint 62 – Examples & Error Envelope
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| OAS-62-001 | TODO | API Contracts Guild, Service Guilds | OAS-61-001 | Populate request/response examples for top 50 endpoints, including standard error envelope. | Examples validated via CI; error envelope consistent across services. |
+| OAS-62-002 | TODO | API Contracts Guild | OAS-61-002 | Add custom lint rules enforcing pagination, idempotency headers, naming conventions, and example coverage. | Lint job fails on violations; documentation for rules published. |
+
+## Sprint 63 – Compatibility & Discovery
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| OAS-63-001 | TODO | API Contracts Guild | OAS-61-002 | Implement compatibility diff tooling comparing previous release specs; classify breaking vs additive changes. | Diff tool integrated in CI; PRs flagged on breaking changes. |
+| OAS-63-002 | TODO | API Contracts Guild, Gateway Guild | OAS-62-002 | Add `/.well-known/openapi` discovery endpoint schema metadata (extensions, version info). | Discovery endpoints defined in spec; linked to implementation tasks. |
diff --git a/src/StellaOps.Attestor.Envelope/AGENTS.md b/src/StellaOps.Attestor.Envelope/AGENTS.md
new file mode 100644
index 00000000..78139cc3
--- /dev/null
+++ b/src/StellaOps.Attestor.Envelope/AGENTS.md
@@ -0,0 +1,15 @@
+# Attestation Envelope Guild Charter
+
+## Mission
+Provide deterministic DSSE envelope handling with multi-signature support, canonical serialization, hashing, and integrity safeguards for all Stella attestations.
+
+## Scope
+- DSSE encoding/decoding, canonical JSON handling, and detached payload support.
+- Multi-signature verification, key identification, and cryptographic primitives.
+- Integration with KMS drivers and transparency log witness utilities.
+- Fuzz and property testing for envelope parsing and normalization.
+
+## Definition of Done
+- Envelope APIs produce canonical payloads and support multiple signatures deterministically.
+- Verification detects tampering, mismatched subjects, and unsupported algorithms.
+- Property and fuzz tests cover canonicalization and signature edge cases.
diff --git a/src/StellaOps.Attestor.Envelope/TASKS.md b/src/StellaOps.Attestor.Envelope/TASKS.md
new file mode 100644
index 00000000..7e31de53
--- /dev/null
+++ b/src/StellaOps.Attestor.Envelope/TASKS.md
@@ -0,0 +1,13 @@
+# Attestation Envelope Task Board — Epic 19: Attestor Console
+
+## Sprint 72 – Foundations
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| ATTEST-ENVELOPE-72-001 | TODO | Envelope Guild | — | Implement DSSE canonicalization, JSON normalization, multi-signature structures, and hashing helpers. | Canonicalization deterministic (property tests); hash matches DSSE spec; unit tests green. |
+| ATTEST-ENVELOPE-72-002 | TODO | Envelope Guild | ATTEST-ENVELOPE-72-001 | Support compact and expanded JSON output, payload compression, and detached payload references. | API returns both variants; payload compression toggles tested; docs updated. |
+
+## Sprint 73 – Crypto Integration
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| ATTEST-ENVELOPE-73-001 | TODO | Envelope Guild, KMS Guild | ATTEST-ENVELOPE-72-001 | Implement Ed25519 & ECDSA signature create/verify helpers, key identification (`keyid`) scheme, and error mapping. | Sign/verify tests pass with fixtures; invalid signatures produce deterministic errors. |
+| ATTEST-ENVELOPE-73-002 | TODO | Envelope Guild | ATTEST-ENVELOPE-73-001 | Add fuzz tests for envelope parsing, signature verification, and canonical JSON round-trips. | Fuzz suite integrated; coverage metrics recorded; no regressions. |
diff --git a/src/StellaOps.Attestor.Types/AGENTS.md b/src/StellaOps.Attestor.Types/AGENTS.md
new file mode 100644
index 00000000..b0d74b61
--- /dev/null
+++ b/src/StellaOps.Attestor.Types/AGENTS.md
@@ -0,0 +1,14 @@
+# Attestation Payloads Guild Charter
+
+## Mission
+Define strongly typed, versioned schemas for all attestation payloads and provide validation utilities for generating and verifying evidence.
+
+## Scope
+- JSON Schemas, code generation, and documentation for each attestation type.
+- Normalization and validation logic shared across services, CLI, and SDKs.
+- Sample payloads and golden fixtures used in contract tests and docs.
+
+## Definition of Done
+- Payload types compiled into Go/TypeScript models with validation helpers.
+- Schemas published with semantic versioning and change logs.
+- Golden samples maintained with acceptance tests and doc integration.
diff --git a/src/StellaOps.Attestor.Types/TASKS.md b/src/StellaOps.Attestor.Types/TASKS.md
new file mode 100644
index 00000000..fbdb8d02
--- /dev/null
+++ b/src/StellaOps.Attestor.Types/TASKS.md
@@ -0,0 +1,13 @@
+# Attestation Payloads Task Board — Epic 19: Attestor Console
+
+## Sprint 72 – Schema Definition
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| ATTEST-TYPES-72-001 | TODO | Attestation Payloads Guild | — | Draft JSON Schemas for BuildProvenance v1, SBOMAttestation v1, VEXAttestation v1, ScanResults v1, PolicyEvaluation v1, RiskProfileEvidence v1, CustomEvidence v1. | Schemas validated with test fixtures; docs stubbed; versioned under `schemas/`. |
+| ATTEST-TYPES-72-002 | TODO | Attestation Payloads Guild | ATTEST-TYPES-72-001 | Generate Go/TS models from schemas with validation helpers and canonical JSON serialization. | Code generation integrated; lints pass; unit tests cover round-trips. |
+
+## Sprint 73 – Fixtures & Docs
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| ATTEST-TYPES-73-001 | TODO | Attestation Payloads Guild | ATTEST-TYPES-72-002 | Create golden payload samples for each type; integrate into tests and documentation. | Golden fixtures stored; tests compare outputs; docs embed examples. |
+| ATTEST-TYPES-73-002 | TODO | Attestation Payloads Guild, Docs Guild | ATTEST-TYPES-73-001 | Publish schema reference docs (`/docs/attestor/payloads.md`) with annotated JSON examples. | Doc merged with banner; examples validated by tests. |
diff --git a/src/StellaOps.Attestor.Verify/AGENTS.md b/src/StellaOps.Attestor.Verify/AGENTS.md
new file mode 100644
index 00000000..d7aa85e7
--- /dev/null
+++ b/src/StellaOps.Attestor.Verify/AGENTS.md
@@ -0,0 +1,14 @@
+# Attestation Verification Guild Charter
+
+## Mission
+Implement the verification engine that enforces attestation policies, issuer trust, transparency requirements, and produces audit-ready reports.
+
+## Scope
+- Verification pipeline integrating DSSE validation, issuer/key trust, Policy Studio rules, freshness checks, and transparency proofs.
+- Caching and reporting for verification results.
+- Error codes and explainability artifacts for UI/CLI consumption.
+
+## Definition of Done
+- Verification passes/fails deterministically with detailed report structures.
+- Caching improves performance without sacrificing correctness.
+- Policies enforce scope-based rules and waivers, with unit/integration coverage.
diff --git a/src/StellaOps.Attestor.Verify/TASKS.md b/src/StellaOps.Attestor.Verify/TASKS.md
new file mode 100644
index 00000000..ba882811
--- /dev/null
+++ b/src/StellaOps.Attestor.Verify/TASKS.md
@@ -0,0 +1,13 @@
+# Attestation Verification Task Board — Epic 19: Attestor Console
+
+## Sprint 73 – Policy Integration
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| ATTEST-VERIFY-73-001 | TODO | Verification Guild, Policy Guild | VERPOL-73-001, ATTESTOR-73-002 | Implement verification engine: policy evaluation, issuer trust resolution, freshness, signature count, transparency checks; produce structured reports. | Engine returns report DTOs; policy rules honored; unit tests cover pass/fail scenarios. |
+| ATTEST-VERIFY-73-002 | TODO | Verification Guild | ATTEST-VERIFY-73-001 | Add caching layer keyed by `(subject, envelope_id, policy_version)` with TTL and invalidation on new evidence. | Cache reduces repeated verification cost; tests cover cache hits/misses. |
+
+## Sprint 74 – Explainability & Observability
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| ATTEST-VERIFY-74-001 | TODO | Verification Guild, Observability Guild | ATTEST-VERIFY-73-001 | Emit telemetry (spans/metrics) tagged by subject, issuer, policy, result; integrate with dashboards. | Metrics visible; spans present; SLO thresholds defined. |
+| ATTEST-VERIFY-74-002 | TODO | Verification Guild, Docs Guild | ATTEST-VERIFY-73-001 | Document verification report schema and explainability in `/docs/attestor/workflows.md`. | Documentation merged; examples verified via tests. |
diff --git a/src/StellaOps.Attestor/AGENTS.md b/src/StellaOps.Attestor/AGENTS.md
index 70c1828b..624d10d3 100644
--- a/src/StellaOps.Attestor/AGENTS.md
+++ b/src/StellaOps.Attestor/AGENTS.md
@@ -14,8 +14,26 @@ Operate the StellaOps Attestor service: accept signed DSSE envelopes from the Si
 - Structured logs + metrics for each stage (`validate`, `submit`, `proof`, `persist`, `archive`).
 - Update `TASKS.md`, architecture docs, and tests whenever behaviour changes.
 
-## Key Directories
-- `src/StellaOps.Attestor/StellaOps.Attestor.WebService/` — Minimal API host and HTTP surface.
-- `src/StellaOps.Attestor/StellaOps.Attestor.Core/` — Domain contracts, submission/verification pipelines.
-- `src/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/` — Mongo, Redis, Rekor, and archival implementations.
-- `src/StellaOps.Attestor/StellaOps.Attestor.Tests/` — Unit and integration tests.
+## Key Directories
+- `src/StellaOps.Attestor/StellaOps.Attestor.WebService/` — Minimal API host and HTTP surface.
+- `src/StellaOps.Attestor/StellaOps.Attestor.Core/` — Domain contracts, submission/verification pipelines.
+- `src/StellaOps.Attestor/StellaOps.Attestor.Infrastructure/` — Mongo, Redis, Rekor, and archival implementations.
+- `src/StellaOps.Attestor/StellaOps.Attestor.Tests/` — Unit and integration tests.
+
+---
+
+## Epic 19 Charter — Attestor Console
+
+### Mission
+Deliver the API, workers, and storage that power signing, verification, and lifecycle management of supply-chain attestations across StellaOps.
+
+### Scope
+- DSSE envelope ingestion and retrieval.
+- Verification pipeline orchestration, caching, and policy evaluation.
+- Issuer/key registries, transparency log integration, and audit logging.
+- Bulk verification workflows and air-gap bundle support.
+
+### Definition of Done
+- Signing and verification APIs operate deterministically with full explainability.
+- Policy enforcement integrated with Authority & Tenancy scopes.
+- Transparency proof handling, key rotation, and revocation workflows implemented.
diff --git a/src/StellaOps.Attestor/TASKS.md b/src/StellaOps.Attestor/TASKS.md
index 1fe30f81..8ba43acc 100644
--- a/src/StellaOps.Attestor/TASKS.md
+++ b/src/StellaOps.Attestor/TASKS.md
@@ -6,5 +6,36 @@
 | ATTESTOR-VERIFY-11-202 | DONE (2025-10-19) | Attestor Guild | — | `/rekor/verify` + retrieval endpoints validating signatures and Merkle proofs. | ✅ `GET /api/v1/rekor/entries/{uuid}` surfaces cached entries with optional backend refresh and handles not-found/refresh flows.
✅ `POST /api/v1/rekor/verify` accepts UUID, bundle, or artifact hash inputs; verifies DSSE signatures, Merkle proofs, and checkpoint anchors.
✅ Verification output returns `{ok, uuid, index, logURL, checkedAt}` with failure diagnostics for invalid proofs.
✅ Unit/integration tests exercise cache hits, backend refresh, invalid bundle/proof scenarios, and checkpoint trust anchor enforcement. |
 | ATTESTOR-OBS-11-203 | DONE (2025-10-19) | Attestor Guild | — | Telemetry, alerting, mTLS hardening, and archive workflow for Attestor. | ✅ Structured logs, metrics, and optional traces record submission latency, proof fetch outcomes, verification results, and Rekor error buckets with correlation IDs.
✅ mTLS enforcement hardened (peer allowlist, SAN checks, rate limiting) and documented; TLS settings audited for modern ciphers only.
✅ Alerting/dashboard pack covers error rates, proof backlog, Redis/Mongo health, and archive job failures; runbook updated.
✅ Archive workflow includes retention policy jobs, failure alerts, and periodic verification of stored bundles and proofs. |
-> Remark (2025-10-19): Wave 0 prerequisites reviewed (none outstanding); ATTESTOR-API-11-201, ATTESTOR-VERIFY-11-202, and ATTESTOR-OBS-11-203 tracked as DOING per Wave 0A kickoff.
-> Remark (2025-10-19): Dual-log submissions, signature/proof verification, and observability hardening landed; attestor endpoints now rate-limited per client with correlation-ID logging and updated docs/tests.
+> Remark (2025-10-19): Wave 0 prerequisites reviewed (none outstanding); ATTESTOR-API-11-201, ATTESTOR-VERIFY-11-202, and ATTESTOR-OBS-11-203 tracked as DOING per Wave 0A kickoff.
+> Remark (2025-10-19): Dual-log submissions, signature/proof verification, and observability hardening landed; attestor endpoints now rate-limited per client with correlation-ID logging and updated docs/tests.
+
+---
+
+## Epic 19 — Attestor Console Roadmap
+
+### Sprint 72 – Foundations
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| ATTESTOR-72-001 | TODO | Attestor Service Guild | ATTEST-ENVELOPE-72-001 | Scaffold service (REST API skeleton, storage interfaces, KMS integration stubs) and DSSE validation pipeline. | Service builds/tests; signing & verification stubs wired; lint/CI green. |
+| ATTESTOR-72-002 | TODO | Attestor Service Guild | ATTESTOR-72-001 | Implement attestation store (DB tables, object storage integration), CRUD, and indexing strategies. | Migrations applied; CRUD API functional; storage integration unit tests pass. 
|
+
+### Sprint 73 – Signing & Verification
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| ATTESTOR-73-001 | TODO | Attestor Service Guild, KMS Guild | ATTESTOR-72-002, KMS-72-001 | Implement signing endpoint with Ed25519/ECDSA support, KMS integration, and audit logging. | `POST /v1/attestations:sign` functional; audit entries recorded; tests cover success/failure. |
+| ATTESTOR-73-002 | TODO | Attestor Service Guild, Policy Guild | ATTESTOR-72-002, VERPOL-73-001 | Build verification pipeline evaluating DSSE signatures, issuer trust, and verification policies; persist reports. | Verification endpoint returns structured report; results cached; contract tests pass. |
+| ATTESTOR-73-003 | TODO | Attestor Service Guild | ATTESTOR-73-002 | Implement listing/fetch APIs with filters (subject, type, issuer, scope, date). | API documented; pagination works; contract tests green. |
+
+### Sprint 74 – Transparency & Bulk
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| ATTESTOR-74-001 | TODO | Attestor Service Guild | ATTESTOR-73-002, TRANSP-74-001 | Integrate transparency witness client, inclusion proof verification, and caching. | Witness proofs stored; verification fails on missing/inconsistent proofs; metrics emitted. |
+| ATTESTOR-74-002 | TODO | Attestor Service Guild | ATTESTOR-73-002 | Implement bulk verification worker + API with progress tracking, rate limits, and caching. | Bulk job API functional; worker processes batches; telemetry recorded. 
|
+
+### Sprint 75 – Air Gap & Hardening
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| ATTESTOR-75-001 | TODO | Attestor Service Guild, Export Guild | ATTESTOR-74-002, EXPORT-ATTEST-74-001 | Add export/import flows for attestation bundles and offline verification mode. | Bundles generated/imported; offline verification path documented; tests cover missing witness data. |
+| ATTESTOR-75-002 | TODO | Attestor Service Guild, Security Guild | ATTESTOR-73-002 | Harden APIs with rate limits, auth scopes, threat model mitigations, and fuzz testing. | Rate limiting enforced; fuzz tests run in CI; threat model actions resolved. |
+
+*** End Task Board ***
diff --git a/src/StellaOps.Authority/TASKS.md b/src/StellaOps.Authority/TASKS.md
index 6877b77f..b9130aa6 100644
--- a/src/StellaOps.Authority/TASKS.md
+++ b/src/StellaOps.Authority/TASKS.md
@@ -1,31 +1,136 @@
-# Authority Host Task Board (UTC 2025-10-10)
+# Authority Host Task Board — Epic 1: Aggregation-Only Contract
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AUTH-AOC-19-001 | TODO | Authority Core & Security Guild | — | Introduce scopes `advisory:read`, `advisory:ingest`, `vex:read`, `vex:ingest`, `aoc:verify` with configuration binding, migrations, and offline kit defaults. | Scopes published in metadata/OpenAPI, configuration validates scope lists, tests cover token issuance + enforcement. |
+| AUTH-AOC-19-002 | TODO | Authority Core & Security Guild | AUTH-AOC-19-001 | Propagate tenant claim + scope enforcement for ingestion identities; ensure cross-tenant writes/read blocked and audit logs capture tenant context. | Tenant claim injected into downstream services; forbidden cross-tenant access rejected; audit/log fixtures updated. |
+| AUTH-AOC-19-003 | TODO | Authority Core & Docs Guild | AUTH-AOC-19-001 | Update Authority docs and sample configs to describe new scopes, tenancy enforcement, and verify endpoints. | Docs and examples refreshed; release notes prepared; smoke tests confirm new scopes required. |
+
+## Policy Engine v2
 | ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
 |----|--------|----------|------------|-------------|---------------|
-| CORE5B.DOC | DONE (2025-10-12) | Authority Core, Docs Guild | CORE5 | Document token persistence, revocation semantics, and enrichment expectations for resource servers/plugins. | ✅ `docs/11_AUTHORITY.md` + plugin guide updated with claims + token store notes; ✅ Samples include revocation sync guidance. |
-| CORE9.REVOCATION | DONE (2025-10-12) | Authority Core, Security Guild | CORE5 | Implement revocation list persistence + export hooks (API + CLI). | ✅ Revoked tokens denied; ✅ Export endpoint/CLI returns manifest; ✅ Tests cover offline bundle flow. 
|
-| CORE10.JWKS | DONE (2025-10-12) | Authority Core, DevOps | CORE9.REVOCATION | Provide JWKS rotation with pluggable key loader + documentation. | ✅ Signing/encryption keys rotate without downtime; ✅ JWKS endpoint updates; ✅ Docs describe rotation SOP. |
-| CORE8.RL | DONE (2025-10-12) | Authority Core | CORE8 | Deliver ASP.NET rate limiter plumbing (request metadata, dependency injection hooks) needed by Security Guild. | ✅ `/token` & `/authorize` pipelines expose limiter hooks; ✅ Tests cover throttle behaviour baseline. |
-| SEC2.HOST | DONE (2025-10-12) | Security Guild, Authority Core | SEC2.A (audit contract) | Hook audit logger into OpenIddict handlers and bootstrap endpoints. | ✅ Audit events populated with correlationId, IP, client_id; ✅ Mongo login attempts persisted; ✅ Tests verify on success/failure/lockout. |
-| SEC3.HOST | DONE (2025-10-11) | Security Guild | CORE8.RL, SEC3.A (rate policy) | Apply rate limiter policies (`AddRateLimiter`) to `/token` and `/internal/*` endpoints with configuration binding. | ✅ Policies configurable via `StellaOpsAuthorityOptions.Security.RateLimiting`; ✅ Integration tests hit 429 after limit; ✅ Docs updated. |
-| SEC4.HOST | DONE (2025-10-12) | Security Guild, DevOps | SEC4.A (revocation schema) | Implement CLI/HTTP surface to export revocation bundle + detached JWS using `StellaOps.Cryptography`. | ✅ `stellaops auth revoke export` CLI/endpoint returns JSON + `.jws`; ✅ Verification script passes; ✅ Operator docs updated. |
-| SEC4.KEY | DONE (2025-10-12) | Security Guild, DevOps | SEC4.HOST | Integrate signing keys with provider registry (initial ES256). | ✅ Keys loaded via `ICryptoProvider` signer; ✅ Rotation SOP documented. |
-| SEC5.HOST | DONE (2025-10-14) | Security Guild | SEC5.A (threat model) | Feed Authority-specific mitigations (rate limiting, audit, revocation) into threat model + backlog. | ✅ Threat model updated; ✅ Backlog issues reference mitigations; ✅ Review sign-off captured. 
|
-| SEC5.HOST-INVITES | DONE (2025-10-14) | Security Guild, Authority Core | SEC5.D | Implement bootstrap invite persistence, APIs, and background cleanup with audit coverage. | ✅ Invite store + endpoints complete; ✅ Cleanup service expires unused invites; ✅ Audit events for create/consume/expire; ✅ Build/tests green. |
-> Remark (2025-10-14): Background sweep emits invite expiry audits; integration test added.
-| SEC5.HOST-REPLAY | DONE (2025-10-14) | Security Guild, Zastava | SEC5.E | Persist token usage metadata and surface suspected replay heuristics. | ✅ Validation handlers record device metadata; ✅ Suspected replay flagged via audit/logs; ✅ Tests cover regression cases. |
-> Remark (2025-10-14): Token validation handler logs suspected replay audits with device metadata; coverage via unit/integration tests.
-| SEC3.BUILD | DONE (2025-10-11) | Authority Core, Security Guild | SEC3.HOST, FEEDMERGE-COORD-02-900 | Track normalized-range dependency fallout and restore full test matrix once Concelier range primitives land. | ✅ Concelier normalized range libraries merged; ✅ Authority + Configuration test suites (`dotnet test src/StellaOps.Authority.sln`, `dotnet test src/StellaOps.Configuration.Tests/StellaOps.Configuration.Tests.csproj`) pass without Concelier compile failures; ✅ Status recorded here/Sprints (authority-core broadcast not available). |
-| AUTHCORE-BUILD-OPENIDDICT | DONE (2025-10-14) | Authority Core | SEC2.HOST | Adapt host/audit handlers for OpenIddict 6.4 API surface (no `OpenIddictServerTransaction`) and restore Authority solution build. | ✅ Build `dotnet build src/StellaOps.Authority.sln` succeeds; ✅ Audit correlation + tamper logging verified under new abstractions; ✅ Tests updated. |
-| AUTHCORE-STORAGE-DEVICE-TOKENS | DONE (2025-10-14) | Authority Core, Storage Guild | AUTHCORE-BUILD-OPENIDDICT | Reintroduce `AuthorityTokenDeviceDocument` + projections removed during refactor so storage layer compiles. 
| ✅ Document type restored with mappings/migrations; ✅ Storage tests cover device artifacts; ✅ Authority solution build green. |
-| AUTHCORE-BOOTSTRAP-INVITES | DONE (2025-10-14) | Authority Core, DevOps | AUTHCORE-STORAGE-DEVICE-TOKENS | Wire bootstrap invite cleanup service against restored document schema and re-enable lifecycle tests. | ✅ `BootstrapInviteCleanupService` passes integration tests; ✅ Operator guide updated if behavior changes; ✅ Build/test matrices green. |
-| AUTHSTORAGE-MONGO-08-001 | DONE (2025-10-19) | Authority Core & Storage Guild | — | Harden Mongo session usage with causal consistency for mutations and follow-up reads. | • Scoped middleware/service creates `IClientSessionHandle` with causal consistency + majority read/write concerns
• Stores accept optional session parameter and reuse it for write + immediate reads
• GraphQL/HTTP pipelines updated to flow session through post-mutation queries
• Replica-set integration test exercises primary election and verifies read-your-write guarantees |
-| AUTH-PLUGIN-COORD-08-002 | DONE (2025-10-20) | Authority Core, Plugin Platform Guild | PLUGIN-DI-08-001 | Coordinate scoped-service adoption for Authority plug-in registrars and background jobs ahead of PLUGIN-DI-08-002 implementation. | ✅ Workshop completed 2025-10-20 15:00–16:05 UTC with notes/action log in `docs/dev/authority-plugin-di-coordination.md`; ✅ Follow-up backlog updates assigned via documented action items ahead of PLUGIN-DI-08-002 delivery. |
-| AUTH-DPOP-11-001 | DONE (2025-10-20) | Authority Core & Security Guild | — | Implement DPoP proof validation + nonce handling for high-value audiences per architecture. | ✅ Redis-configurable nonce store surfaced via `security.senderConstraints.dpop.nonce` with sample YAML and architecture docs refreshed
✅ High-value audience enforcement uses normalised required audiences to avoid whitespace/case drift
✅ Operator guide updated with Redis-backed nonce snippet and env-var override guidance; integration test already covers nonce challenge |
-> Remark (2025-10-20): `etc/authority.yaml.sample` gains senderConstraint sections (rate limits, DPoP, mTLS), docs (`docs/ARCHITECTURE_AUTHORITY.md`, `docs/11_AUTHORITY.md`, plan) refreshed. `ResolveNonceAudience` now relies on `NormalizedAudiences` and options trim persisted values. `dotnet test StellaOps.Authority.sln` attempted (2025-10-20 15:12 UTC) but failed on `NU1900` because the mirrored NuGet service index `https://mirrors.ablera.dev/nuget/nuget-mirror/v3/index.json` was unreachable; no project build executed.
-| AUTH-MTLS-11-002 | DONE (2025-10-23) | Authority Core & Security Guild | — | Add OAuth mTLS client credential support with certificate-bound tokens and introspection updates. | ✅ Deterministic provisioning/storage for certificate bindings (thumbprint/subject/issuer/serial/SAN)
✅ Audience enforcement auto-switches to mTLS via `security.senderConstraints.mtls.enforceForAudiences`
✅ Validator matches binding metadata with rotation grace and emits confirmation thumbprints
✅ Introspection returns `cnf.x5t#S256`; docs & sample config refreshed; Authority test suite green |
-> Remark (2025-10-23): Audience enforcement now rejects non-mTLS clients targeting high-value audiences; certificate validator checks binding subject/issuer/serial/SAN values and returns deterministic error codes. Docs (`docs/11_AUTHORITY.md`, `docs/ARCHITECTURE_AUTHORITY.md`, `docs/dev/authority-dpop-mtls-plan.md`) and `etc/authority.yaml.sample` updated. `dotnet test src/StellaOps.Authority/StellaOps.Authority.sln` (2025-10-23 18:07 UTC) succeeded.
-> Remark (2025-10-19, AUTHSTORAGE-MONGO-08-001): Prerequisites re-checked (none outstanding). Session accessor wired through Authority pipeline; stores accept optional sessions; added replica-set election regression test for read-your-write.
-> Remark (2025-10-19, AUTH-DPOP-11-001): Handler, nonce store, and persistence hooks merged; Redis-backed configuration + end-to-end nonce enforcement still open. (Superseded by 2025-10-20 update above.)
+| AUTH-POLICY-20-001 | TODO | Authority Core & Security Guild | AUTH-AOC-19-001 | Add scopes `policy:write`, `policy:submit`, `policy:approve`, `policy:run`, `findings:read`, `effective:write` with configuration binding and issuer policy updates. | Scopes available in metadata; token issuance validated; offline kit defaults updated; tests cover scope combinations. |
+| AUTH-POLICY-20-002 | TODO | Authority Core & Security Guild | AUTH-POLICY-20-001, AUTH-AOC-19-002 | Enforce Policy Engine service identity with `effective:write` and ensure API gateway enforces scopes/tenant claims for new endpoints. | Gateway policies updated; unauthorized requests rejected in tests; audit logs capture scope usage. |
+| AUTH-POLICY-20-003 | TODO | Authority Core & Docs Guild | AUTH-POLICY-20-001 | Update Authority configuration/docs with policy scopes, service identities, and approval workflows; include compliance checklist. 
| Docs refreshed; samples updated; release notes prepared; doc lint passes. |
-> Update status columns (TODO / DOING / DONE / BLOCKED) together with code changes. Always run `dotnet test src/StellaOps.Authority.sln` when touching host logic.
+## Graph Explorer v1
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AUTH-GRAPH-21-001 | TODO | Authority Core & Security Guild | AUTH-POLICY-20-001 | Define scopes `graph:write`, `graph:read`, `graph:export`, `graph:simulate`, update metadata/OpenAPI, and add OFFLINE kit defaults. | Scopes exposed via discovery docs; smoke tests ensure enforcement; offline kit updated. |
+| AUTH-GRAPH-21-002 | TODO | Authority Core & Security Guild | AUTH-GRAPH-21-001, AUTH-AOC-19-002 | Wire gateway enforcement for new graph scopes, Cartographer service identity, and tenant propagation across graph APIs. | Gateway config updated; unauthorized access blocked in integration tests; audit logs include graph scope usage. |
+| AUTH-GRAPH-21-003 | TODO | Authority Core & Docs Guild | AUTH-GRAPH-21-001 | Update security docs and samples describing graph access roles, least privilege guidance, and service identities. | Docs merged with compliance checklist; examples refreshed; release notes prepared. |
+
+## Policy Engine + Editor v1
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AUTH-POLICY-23-001 | TODO | Authority Core & Security Guild | AUTH-POLICY-20-001 | Introduce fine-grained scopes `policy:read`, `policy:edit`, `policy:approve`, `policy:activate`, `policy:simulate`; update issuer templates and metadata. | Scopes exposed; integration tests confirm enforcement; offline kit updated. 
|
+| AUTH-POLICY-23-002 | TODO | Authority Core & Security Guild | AUTH-POLICY-23-001 | Implement optional two-person rule for activation: require two distinct `policy:activate` approvals when configured; emit audit logs. | Activation endpoint enforces rule; audit logs contain approver IDs; tests cover 2-person path. |
+| AUTH-POLICY-23-003 | TODO | Authority Core & Docs Guild | AUTH-POLICY-23-001 | Update documentation and sample configs for policy roles, approval workflow, and signing requirements. | Docs updated with reviewer checklist; configuration examples validated. |
+
+## Graph & Vuln Explorer v1
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AUTH-GRAPH-24-001 | TODO | Authority Core & Security Guild | AUTH-GRAPH-21-001 | Extend scopes to include `vuln:read` and signed permalinks with scoped claims for Graph/Vuln Explorer; update metadata. | Scopes published; permalinks validated; integration tests cover RBAC. |
+
+## Orchestrator Dashboard
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AUTH-ORCH-32-001 | TODO | Authority Core & Security Guild | — | Define `orch:read` scope, register `Orch.Viewer` role, update discovery metadata, and seed offline defaults. | Scope/role available in metadata; integration tests confirm read-only enforcement; offline kit updated. |
+| AUTH-ORCH-33-001 | TODO | Authority Core & Security Guild | AUTH-ORCH-32-001 | Add `Orch.Operator` role/scopes for control actions, require reason/ticket attributes, and update issuer templates. | Operator tokens issued; action endpoints enforce scope + reason; audit logs capture operator info; docs refreshed. 
|
+| AUTH-ORCH-34-001 | TODO | Authority Core & Security Guild | AUTH-ORCH-33-001 | Introduce `Orch.Admin` role with quota/backfill scopes, enforce audit reason on quota changes, and update offline defaults/docs. | Admin role available; quotas/backfills require scope + reason; tests confirm tenant isolation; documentation updated. |
+
+## StellaOps Console (Sprint 23)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AUTH-CONSOLE-23-001 | TODO | Authority Core & Security Guild | AUTH-POLICY-20-001 | Register StellaOps Console confidential client with OIDC PKCE support, short-lived ID/access tokens, `console:*` audience claims, and SPA-friendly refresh (token exchange endpoint). Publish discovery metadata + offline kit defaults. | Client registration committed, configuration templates updated, integration tests validate PKCE + scope issuance, security review recorded. |
+| AUTH-CONSOLE-23-002 | TODO | Authority Core & Security Guild | AUTH-CONSOLE-23-001, AUTH-AOC-19-002 | Expose tenant catalog, user profile, and token introspection endpoints required by Console (fresh-auth prompts, scope checks); enforce tenant header requirements and audit logging with correlation IDs. | Endpoints ship with RBAC enforcement, audit logs include tenant+scope, integration tests cover unauthorized/tenant-mismatch scenarios. |
+| AUTH-CONSOLE-23-003 | TODO | Authority Core & Docs Guild | AUTH-CONSOLE-23-001, AUTH-CONSOLE-23-002 | Update security docs/config samples for Console flows (PKCE, tenant badge, fresh-auth for admin actions, session inactivity timeouts) with compliance checklist. | Docs merged, config samples validated, release notes updated, ops runbook references new flows. 
|
+
+## Policy Studio (Sprint 27)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AUTH-POLICY-27-001 | TODO | Authority Core & Security Guild | AUTH-POLICY-20-001, AUTH-CONSOLE-23-001 | Define Policy Studio roles (`policy:author`, `policy:review`, `policy:approve`, `policy:operate`, `policy:audit`) with tenant-scoped claims, update issuer metadata, and seed offline kit defaults. | Scopes/roles exposed via discovery docs; tokens issued with correct claims; integration tests cover role combinations; docs updated. |
+| AUTH-POLICY-27-002 | TODO | Authority Core & Security Guild | AUTH-POLICY-27-001, REGISTRY-API-27-007 | Provide attestation signing service bindings (OIDC token exchange, cosign integration) and enforce publish/promote scope checks, fresh-auth requirements, and audit logging. | Publish/promote requests require fresh auth + correct scopes; attestations signed with validated identity; audit logs enriched with digest + tenant; integration tests pass. |
+| AUTH-POLICY-27-003 | TODO | Authority Core & Docs Guild | AUTH-POLICY-27-001, AUTH-POLICY-27-002 | Update Authority configuration/docs for Policy Studio roles, signing policies, approval workflows, and CLI integration; include compliance checklist. | Docs merged; samples validated; governance checklist appended; release notes updated. |
+
+## Exceptions v1
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| AUTH-EXC-25-001 | TODO | Authority Core & Security Guild | AUTH-POLICY-23-001 | Introduce exception scopes (`exceptions:read`, `exceptions:write`, `exceptions:approve`) and approval routing configuration with MFA gating. | Scopes published in metadata; routing matrix validated; integration tests enforce scope + MFA rules. 
| +| AUTH-EXC-25-002 | TODO | Authority Core & Docs Guild | AUTH-EXC-25-001 | Update documentation/samples for exception roles, routing matrix, MFA requirements, and audit trail references. | Docs merged with compliance checklist; samples verified. | + +## Reachability v1 + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| AUTH-SIG-26-001 | TODO | Authority Core & Security Guild | AUTH-EXC-25-001 | Add `signals:read`, `signals:write`, `signals:admin` scopes, issue `SignalsUploader` role template, and enforce AOC for sensor identities. | Scopes exposed; configuration validated; integration tests ensure RBAC + AOC enforcement. | + +## Vulnerability Explorer (Sprint 29) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| AUTH-VULN-29-001 | TODO | Authority Core & Security Guild | AUTH-POLICY-27-001 | Define Vuln Explorer scopes/roles (`vuln:view`, `vuln:investigate`, `vuln:operate`, `vuln:audit`) with ABAC attributes (env, owner, business_tier) and update discovery metadata/offline kit defaults. | Roles/scopes published; issuer templates updated; integration tests cover ABAC filters; docs refreshed. | +| AUTH-VULN-29-002 | TODO | Authority Core & Security Guild | AUTH-VULN-29-001, LEDGER-29-002 | Enforce CSRF/anti-forgery tokens for workflow actions, sign attachment tokens, and record audit logs with ledger event hashes. | Workflow calls require valid tokens; audit logs include ledger references; security tests cover token expiry/abuse. | +| AUTH-VULN-29-003 | TODO | Authority Core & Docs Guild | AUTH-VULN-29-001..002 | Update security docs/config samples for Vuln Explorer roles, ABAC policies, attachment signing, and ledger verification guidance. | Docs merged with compliance checklist; configuration examples validated; release notes updated. 
| + +## Advisory AI (Sprint 31) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| AUTH-AIAI-31-001 | TODO | Authority Core & Security Guild | AUTH-VULN-29-001 | Define Advisory AI scopes (`advisory-ai:view`, `advisory-ai:operate`, `advisory-ai:admin`) and remote inference toggles; update discovery metadata/offline defaults. | Scopes/flags published; integration tests cover RBAC + opt-in settings; docs updated. | +| AUTH-AIAI-31-002 | TODO | Authority Core & Security Guild | AUTH-AIAI-31-001, AIAI-31-006 | Enforce anonymized prompt logging, tenant consent for remote inference, and audit logging of assistant tasks. | Logging/audit flows verified; privacy review passed; docs updated. | + +## Export Center +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| AUTH-EXPORT-35-001 | TODO | Authority Core & Security Guild | AUTH-AOC-19-001 | Introduce `Export.Viewer`, `Export.Operator`, `Export.Admin` scopes, configure issuer templates, and update discovery metadata/offline defaults. | Scopes available; metadata updated; tests ensure enforcement; offline kit defaults refreshed. | +| AUTH-EXPORT-37-001 | TODO | Authority Core & Security Guild | AUTH-EXPORT-35-001, WEB-EXPORT-37-001 | Enforce admin-only access for scheduling, retention, encryption key references, and verify endpoints with audit reason capture. | Admin scope required; audit logs include reason/ticket; integration tests cover denial cases; docs updated. | + +## Notifications Studio +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| AUTH-NOTIFY-38-001 | TODO | Authority Core & Security Guild | — | Define `Notify.Viewer`, `Notify.Operator`, `Notify.Admin` scopes/roles, update discovery metadata, offline defaults, and issuer templates. 
| Scopes available; metadata updated; tests ensure enforcement; offline kit defaults refreshed. | +| AUTH-NOTIFY-40-001 | TODO | Authority Core & Security Guild | AUTH-NOTIFY-38-001, WEB-NOTIFY-40-001 | Implement signed ack token key rotation, webhook allowlists, admin-only escalation settings, and audit logging of ack actions. | Ack tokens signed/rotated; webhook allowlists enforced; admin enforcement validated; audit logs capture ack/resolution. | + +## CLI Parity & Task Packs +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| AUTH-PACKS-41-001 | TODO | Authority Core & Security Guild | AUTH-AOC-19-001 | Define CLI SSO profiles and pack scopes (`Packs.Read`, `Packs.Write`, `Packs.Run`, `Packs.Approve`), update discovery metadata, offline defaults, and issuer templates. | Scopes available; metadata updated; tests ensure enforcement; offline kit templates refreshed. | +| AUTH-PACKS-43-001 | TODO | Authority Core & Security Guild | AUTH-PACKS-41-001, ORCH-SVC-42-101 | Enforce pack signing policies, approval RBAC checks, CLI CI token scopes, and audit logging for approvals. | Signing policies enforced; approvals require correct roles; CI token scope tests pass; audit logs recorded. | + +## Authority-Backed Scopes & Tenancy (Epic 14) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| AUTH-TEN-47-001 | TODO | Authority Core & Security Guild | AUTH-AOC-19-001 | Align Authority with OIDC/JWT claims (tenants, projects, scopes), implement JWKS caching/rotation, publish scope grammar, and enforce required claims on tokens. | Tokens include tenant/project claims; JWKS cache validated; docs updated; imposed rule noted. 
| +| AUTH-TEN-49-001 | TODO | Authority Core & Security Guild | AUTH-TEN-47-001 | Implement service accounts & delegation tokens (`act` chain), per-tenant quotas, audit stream of auth decisions, and revocation APIs. | Service tokens minted with scopes/TTL; delegation logged; quotas configurable; audit stream live; docs updated. | + +## Observability & Forensics (Epic 15) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| AUTH-OBS-50-001 | TODO | Authority Core & Security Guild | AUTH-AOC-19-001 | Introduce scopes `obs:read`, `timeline:read`, `timeline:write`, `evidence:create`, `evidence:read`, `evidence:hold`, `attest:read`, and `obs:incident` (all tenant-scoped). Update discovery metadata, offline defaults, and scope grammar docs. | Scopes exposed via metadata; issuer templates updated; offline kit seeded; integration tests cover new scopes. | +| AUTH-OBS-52-001 | TODO | Authority Core & Security Guild | AUTH-OBS-50-001, TIMELINE-OBS-52-003, EVID-OBS-53-003 | Configure resource server policies for Timeline Indexer, Evidence Locker, Exporter, and Observability APIs enforcing new scopes + tenant claims. Emit audit events including scope usage and trace IDs. | Policies deployed; unauthorized access blocked; audit logs prove scope usage; contract tests updated. | +| AUTH-OBS-55-001 | TODO | Authority Core & Security Guild, Ops Guild | AUTH-OBS-50-001, WEB-OBS-55-001 | Harden incident mode authorization: require `obs:incident` scope + fresh auth, log activation reason, and expose verification endpoint for auditors. Update docs/runbooks. | Incident activate/deactivate requires scope; audit entries logged; docs updated with imposed rule reminder. 
| + +## Air-Gapped Mode (Epic 16) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| AUTH-AIRGAP-56-001 | TODO | Authority Core & Security Guild | AIRGAP-CTL-56-001 | Provision new scopes (`airgap:seal`, `airgap:import`, `airgap:status:read`) in configuration metadata, offline kit defaults, and issuer templates. | Scopes exposed in discovery docs; offline kit updated; integration tests cover issuance. | +| AUTH-AIRGAP-56-002 | TODO | Authority Core & Security Guild | AUTH-AIRGAP-56-001, AIRGAP-IMP-58-001 | Audit import actions with actor, tenant, bundle ID, and trace ID; expose `/authority/audit/airgap` endpoint. | Audit records persisted; endpoint paginates results; tests cover RBAC + filtering. | +| AUTH-AIRGAP-57-001 | TODO | Authority Core & Security Guild, DevOps Guild | AUTH-AIRGAP-56-001, DEVOPS-AIRGAP-57-002 | Enforce sealed-mode CI gating by refusing token issuance when declared sealed install lacks sealing confirmation. | CI scenario validated; error surfaces remediation; docs updated. | + +## SDKs & OpenAPI (Epic 17) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| AUTH-OAS-61-001 | TODO | Authority Core & Security Guild, API Contracts Guild | OAS-61-001 | Document Authority authentication/token endpoints in OAS with scopes, examples, and error envelopes. | Spec complete with security schemes; lint passes. | +| AUTH-OAS-61-002 | TODO | Authority Core & Security Guild | AUTH-OAS-61-001 | Implement `/.well-known/openapi` with scope metadata, supported grant types, and build version. | Endpoint deployed; contract tests cover discovery. | +| AUTH-OAS-62-001 | TODO | Authority Core & Security Guild, SDK Generator Guild | AUTH-OAS-61-001, SDKGEN-63-001 | Provide SDK helpers for OAuth2/PAT flows, tenancy override header; add integration tests. 
| SDKs expose auth helpers; tests cover token issuance; docs updated. | +| AUTH-OAS-63-001 | TODO | Authority Core & Security Guild, API Governance Guild | APIGOV-63-001 | Emit deprecation headers and notifications for legacy auth endpoints. | Headers emitted; notifications verified; migration guide published. | diff --git a/bench/Scanner.Analyzers/README.md b/src/StellaOps.Bench/Scanner.Analyzers/README.md similarity index 94% rename from bench/Scanner.Analyzers/README.md rename to src/StellaOps.Bench/Scanner.Analyzers/README.md index 2fbd6640..340b23fd 100644 --- a/bench/Scanner.Analyzers/README.md +++ b/src/StellaOps.Bench/Scanner.Analyzers/README.md @@ -1,7 +1,7 @@ -# Scanner Analyzer Microbench Harness - -The bench harness exercises the language analyzers against representative filesystem layouts so that regressions are caught before they ship. - +# Scanner Analyzer Microbench Harness + +The bench harness exercises the language analyzers against representative filesystem layouts so that regressions are caught before they ship. + ## Layout - `StellaOps.Bench.ScannerAnalyzers/` – .NET 10 console harness that executes the real language analyzers (and fallback metadata walks for ecosystems that are still underway). - `config.json` – Declarative list of scenarios the harness executes. Each scenario points at a directory in `samples/`. @@ -16,10 +16,10 @@ The bench harness exercises the language analyzers against representative filesy ```bash dotnet run \ - --project bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj \ + --project src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj \ -- \ --repo-root . \ - --out bench/Scanner.Analyzers/baseline.csv \ + --out src/StellaOps.Bench/Scanner.Analyzers/baseline.csv \ --json out/bench/scanner-analyzers/latest.json \ --prom out/bench/scanner-analyzers/latest.prom \ --commit "$(git rev-parse HEAD)" 
diff --git a/bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/BaselineLoaderTests.cs b/src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/BaselineLoaderTests.cs similarity index 100% rename from bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/BaselineLoaderTests.cs rename to src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/BaselineLoaderTests.cs diff --git a/bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/BenchmarkJsonWriterTests.cs b/src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/BenchmarkJsonWriterTests.cs similarity index 100% rename from bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/BenchmarkJsonWriterTests.cs rename to src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/BenchmarkJsonWriterTests.cs diff --git a/bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/BenchmarkScenarioReportTests.cs b/src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/BenchmarkScenarioReportTests.cs similarity index 100% rename from bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/BenchmarkScenarioReportTests.cs rename to src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/BenchmarkScenarioReportTests.cs diff --git a/bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/PrometheusWriterTests.cs b/src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/PrometheusWriterTests.cs similarity index 100% rename from bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/PrometheusWriterTests.cs rename to src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/PrometheusWriterTests.cs 
diff --git a/bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/StellaOps.Bench.ScannerAnalyzers.Tests.csproj b/src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/StellaOps.Bench.ScannerAnalyzers.Tests.csproj similarity index 100% rename from bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/StellaOps.Bench.ScannerAnalyzers.Tests.csproj rename to src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers.Tests/StellaOps.Bench.ScannerAnalyzers.Tests.csproj diff --git a/bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Baseline/BaselineEntry.cs b/src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Baseline/BaselineEntry.cs similarity index 100% rename from bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Baseline/BaselineEntry.cs rename to src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Baseline/BaselineEntry.cs diff --git a/bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Baseline/BaselineLoader.cs b/src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Baseline/BaselineLoader.cs similarity index 100% rename from bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Baseline/BaselineLoader.cs rename to src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Baseline/BaselineLoader.cs diff --git a/bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/BenchmarkConfig.cs b/src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/BenchmarkConfig.cs similarity index 100% rename from bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/BenchmarkConfig.cs rename to src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/BenchmarkConfig.cs 
diff --git a/bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Program.cs b/src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Program.cs similarity index 100% rename from bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Program.cs rename to src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Program.cs diff --git a/bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Reporting/BenchmarkJsonWriter.cs b/src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Reporting/BenchmarkJsonWriter.cs similarity index 100% rename from bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Reporting/BenchmarkJsonWriter.cs rename to src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Reporting/BenchmarkJsonWriter.cs diff --git a/bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Reporting/BenchmarkScenarioReport.cs b/src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Reporting/BenchmarkScenarioReport.cs similarity index 100% rename from bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Reporting/BenchmarkScenarioReport.cs rename to src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Reporting/BenchmarkScenarioReport.cs diff --git a/bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Reporting/PrometheusWriter.cs b/src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Reporting/PrometheusWriter.cs similarity index 100% rename from bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Reporting/PrometheusWriter.cs rename to src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/Reporting/PrometheusWriter.cs 
diff --git a/bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/ScenarioResult.cs b/src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/ScenarioResult.cs similarity index 100% rename from bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/ScenarioResult.cs rename to src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/ScenarioResult.cs diff --git a/bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/ScenarioRunners.cs b/src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/ScenarioRunners.cs similarity index 100% rename from bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/ScenarioRunners.cs rename to src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/ScenarioRunners.cs diff --git a/bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj b/src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj similarity index 100% rename from bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj rename to src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj diff --git a/bench/Scanner.Analyzers/baseline.csv b/src/StellaOps.Bench/Scanner.Analyzers/baseline.csv similarity index 98% rename from bench/Scanner.Analyzers/baseline.csv rename to src/StellaOps.Bench/Scanner.Analyzers/baseline.csv index a75ee90e..2611f6de 100644 --- a/bench/Scanner.Analyzers/baseline.csv +++ b/src/StellaOps.Bench/Scanner.Analyzers/baseline.csv 
@@ -1,7 +1,7 @@ -scenario,iterations,sample_count,mean_ms,p95_ms,max_ms -node_monorepo_walk,5,4,6.0975,21.7421,26.8537 -java_demo_archive,5,1,6.2007,23.4837,29.1143 -go_buildinfo_fixture,5,2,6.1949,22.6851,27.9196 -dotnet_multirid_fixture,5,2,11.4884,37.7460,46.4850 -python_site_packages_scan,5,3,5.6420,18.2943,22.3739 -python_pip_cache_fixture,5,1,5.8598,13.2855,15.6256 +scenario,iterations,sample_count,mean_ms,p95_ms,max_ms +node_monorepo_walk,5,4,6.0975,21.7421,26.8537 +java_demo_archive,5,1,6.2007,23.4837,29.1143 +go_buildinfo_fixture,5,2,6.1949,22.6851,27.9196 +dotnet_multirid_fixture,5,2,11.4884,37.7460,46.4850 +python_site_packages_scan,5,3,5.6420,18.2943,22.3739 +python_pip_cache_fixture,5,1,5.8598,13.2855,15.6256 diff --git a/bench/Scanner.Analyzers/config.json b/src/StellaOps.Bench/Scanner.Analyzers/config.json similarity index 99% rename from bench/Scanner.Analyzers/config.json rename to src/StellaOps.Bench/Scanner.Analyzers/config.json index 7926837f..2b49a58d 100644 --- a/bench/Scanner.Analyzers/config.json +++ b/src/StellaOps.Bench/Scanner.Analyzers/config.json @@ -1,7 +1,7 @@ -{ - "thresholdMs": 5000, - "iterations": 5, - "scenarios": [ +{ + "thresholdMs": 5000, + "iterations": 5, + "scenarios": [ { "id": "node_monorepo_walk", "label": "Node.js analyzer on monorepo fixture", diff --git a/bench/Scanner.Analyzers/lang/README.md b/src/StellaOps.Bench/Scanner.Analyzers/lang/README.md similarity index 84% rename from bench/Scanner.Analyzers/lang/README.md rename to src/StellaOps.Bench/Scanner.Analyzers/lang/README.md index 3e166861..3ffaba33 100644 --- a/bench/Scanner.Analyzers/lang/README.md +++ b/src/StellaOps.Bench/Scanner.Analyzers/lang/README.md 
@@ -1,8 +1,8 @@ -# Scanner Language Analyzer Benchmarks - -This directory will capture benchmark results for language analyzers (Node, Python, Go, .NET, Rust). - -Pending tasks: +# Scanner Language Analyzer Benchmarks + +This directory will capture benchmark results for language analyzers (Node, Python, Go, .NET, Rust). + +Pending tasks: - LA1: Node analyzer microbench CSV + flamegraph. - LA2: Python hash throughput CSV. - LA3: Go build info extraction benchmarks. 
@@ -16,13 +16,13 @@ Results should be committed as deterministic CSV/JSON outputs with accompanying - Scenario `go_buildinfo_fixture` captures our Go analyzer running against the basic build-info fixture. The Oct 23 baseline (`baseline.csv`) shows a mean duration of **35.03 ms** (p95 136.55 ms, max 170.16 ms) over 5 iterations on the current rig; earlier Oct 21 measurement recorded **4.02 ms** mean when the analyzer was profiled on the warm perf runner. - Comparative run against Syft v1.29.1 on the same fixture (captured 2025-10-21) reported a mean of **5.18 ms** (p95 18.64 ms, max 23.51 ms); raw measurements live in `go/syft-comparison-20251021.csv`. - Bench command (from repo root):\ - `dotnet run --project bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj -- --config bench/Scanner.Analyzers/config.json --out bench/Scanner.Analyzers/baseline.csv` + `dotnet run --project src/StellaOps.Bench/Scanner.Analyzers/StellaOps.Bench.ScannerAnalyzers/StellaOps.Bench.ScannerAnalyzers.csproj -- --config src/StellaOps.Bench/Scanner.Analyzers/config.json --out src/StellaOps.Bench/Scanner.Analyzers/baseline.csv` ## Sprint LA4 — .NET Analyzer Benchmark Notes (2025-10-23) - Scenario `dotnet_multirid_fixture` exercises the .NET analyzer against the multi-RID test fixture that merges two applications and four runtime identifiers. Latest baseline run (Release build, 5 iterations) records a mean duration of **29.19 ms** (p95 106.62 ms, max 132.30 ms) with a stable component count of 2. - Syft v1.29.1 scanning the same fixture (`syft scan dir:…`) averaged **1 546 ms** (p95 ≈2 100 ms, max ≈2 100 ms) while also reporting duplicate packages; raw numbers captured in `dotnet/syft-comparison-20251023.csv`. -- The new scenario is declared in `bench/Scanner.Analyzers/config.json`; rerun the bench command above after rebuilding analyzers to refresh baselines and comparison data. 
+- The new scenario is declared in `src/StellaOps.Bench/Scanner.Analyzers/config.json`; rerun the bench command above after rebuilding analyzers to refresh baselines and comparison data. ## Sprint LA2 — Python Analyzer Benchmark Notes (2025-10-23) diff --git a/bench/Scanner.Analyzers/lang/dotnet/syft-comparison-20251023.csv b/src/StellaOps.Bench/Scanner.Analyzers/lang/dotnet/syft-comparison-20251023.csv similarity index 100% rename from bench/Scanner.Analyzers/lang/dotnet/syft-comparison-20251023.csv rename to src/StellaOps.Bench/Scanner.Analyzers/lang/dotnet/syft-comparison-20251023.csv diff --git a/bench/Scanner.Analyzers/lang/go/syft-comparison-20251021.csv b/src/StellaOps.Bench/Scanner.Analyzers/lang/go/syft-comparison-20251021.csv similarity index 100% rename from bench/Scanner.Analyzers/lang/go/syft-comparison-20251021.csv rename to src/StellaOps.Bench/Scanner.Analyzers/lang/go/syft-comparison-20251021.csv diff --git a/bench/Scanner.Analyzers/lang/python/hash-throughput-20251023.csv b/src/StellaOps.Bench/Scanner.Analyzers/lang/python/hash-throughput-20251023.csv similarity index 100% rename from bench/Scanner.Analyzers/lang/python/hash-throughput-20251023.csv rename to src/StellaOps.Bench/Scanner.Analyzers/lang/python/hash-throughput-20251023.csv diff --git a/src/StellaOps.Bench/TASKS.md b/src/StellaOps.Bench/TASKS.md new file mode 100644 index 00000000..2f99914b --- /dev/null +++ b/src/StellaOps.Bench/TASKS.md 
@@ -0,0 +1,43 @@ +# Benchmarks Task Board + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| BENCH-SCANNER-10-001 | DONE | Bench Guild, Scanner Team | SCANNER-ANALYZERS-LANG-10-303 | Analyzer microbench harness (node_modules, site-packages) + baseline CSV. | Harness committed under `src/StellaOps.Bench/Scanner.Analyzers`; baseline CSV recorded; CI job publishes results. | +| BENCH-SCANNER-10-002 | DONE (2025-10-21) | Bench Guild, Language Analyzer Guild | SCANNER-ANALYZERS-LANG-10-301..309 | Wire real language analyzers into bench harness & refresh baselines post-implementation. | Harness executes analyzer assemblies end-to-end; updated baseline committed; CI trend doc linked. | +| BENCH-IMPACT-16-001 | TODO | Bench Guild, Scheduler Team | SCHED-IMPACT-16-301 | ImpactIndex throughput bench (resolve 10k productKeys) + RAM profile. | Benchmark script ready; baseline metrics recorded; alert thresholds defined. | +| BENCH-NOTIFY-15-001 | TODO | Bench Guild, Notify Team | NOTIFY-ENGINE-15-301 | Notify dispatch throughput bench (vary rule density) with results CSV. | Bench executed; results stored; regression alert configured. | + +## Policy Engine v2 + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| BENCH-POLICY-20-001 | TODO | Bench Guild, Policy Guild | POLICY-ENGINE-20-002, POLICY-ENGINE-20-006 | Build policy evaluation benchmark suite (100k components, 1M advisories) capturing latency, throughput, memory. | Bench harness committed; baseline metrics recorded; ties into CI dashboards. | +| BENCH-POLICY-20-002 | TODO | Bench Guild, Policy Guild, Scheduler Guild | BENCH-POLICY-20-001, SCHED-WORKER-20-302 | Add incremental run benchmark measuring delta evaluation vs full; capture SLA compliance. | Incremental bench executed; results stored; regression alerts configured. 
| + +## Graph Explorer v1 + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| BENCH-GRAPH-21-001 | TODO | Bench Guild, Cartographer Guild | CARTO-GRAPH-21-004, CARTO-GRAPH-21-006 | Build graph viewport/path benchmark harness simulating 50k/100k nodes; record latency, memory, tile cache hit rates. | Harness committed; baseline metrics logged; integrates with perf dashboards. | +| BENCH-GRAPH-21-002 | TODO | Bench Guild, UI Guild | BENCH-GRAPH-21-001, UI-GRAPH-21-001 | Add headless UI load benchmark (Playwright) for graph canvas interactions to track render times and FPS budgets. | Benchmark runs in CI; results exported; alert thresholds defined. | + +## Link-Not-Merge v1 + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| BENCH-LNM-22-001 | TODO | Bench Guild, Concelier Guild | CONCELIER-LNM-21-002 | Create ingest benchmark simulating 500 advisory observations/sec, measuring correlator latency and Mongo throughput; publish baseline metrics. | Harness added; baseline stored; alerts wired for SLA breach. | +| BENCH-LNM-22-002 | TODO | Bench Guild, Excititor Guild | EXCITITOR-LNM-21-002 | Build VEX ingestion/correlation perf test focusing on alias/product matching and event emission latency. | Benchmark executed; metrics captured; CI integration established. | + +## Graph & Vuln Explorer v1 + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| BENCH-GRAPH-24-001 | TODO | Bench Guild, SBOM Service Guild | SBOM-GRAPH-24-002 | Develop SBOM graph performance benchmark measuring build time, memory, and cache warm latency for 40k-node assets. | Benchmark runs in CI; baseline metrics recorded; alerts configured. 
| +| BENCH-GRAPH-24-002 | TODO | Bench Guild, UI Guild | UI-GRAPH-24-001..005 | Implement UI interaction benchmarks (filter/zoom/table operations) citing p95 latency; integrate with perf dashboards. | UI perf metrics collected; thresholds enforced; documentation updated. | + +## Reachability v1 + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| BENCH-SIG-26-001 | TODO | Bench Guild, Signals Guild | SIGNALS-24-004 | Develop benchmark for reachability scoring pipeline (facts/sec, latency, memory) using synthetic callgraphs/runtime batches. | Benchmark runs in CI; baseline metrics recorded; alerts configured. | +| BENCH-SIG-26-002 | TODO | Bench Guild, Policy Guild | POLICY-ENGINE-80-001 | Measure policy evaluation overhead with reachability cache hot/cold; ensure ≤8 ms p95 added latency. | Benchmark integrated; results tracked in dashboards; regression alerts set. | diff --git a/src/StellaOps.Cartographer/AGENTS.md b/src/StellaOps.Cartographer/AGENTS.md new file mode 100644 index 00000000..bb74a2fc --- /dev/null +++ b/src/StellaOps.Cartographer/AGENTS.md 
@@ -0,0 +1,17 @@ +# StellaOps.Cartographer — Agent Charter + +## Mission +Build and operate the Cartographer service that materializes immutable SBOM property graphs, precomputes layout tiles, and hydrates policy/VEX overlays so other services (API, UI, CLI) can navigate and reason about dependency relationships with context. + +## Responsibilities +- Ingest normalized SBOM projections (CycloneDX/SPDX) and generate versioned graph snapshots with tenant-aware storage. +- Maintain overlay workers that merge Policy Engine effective findings and VEX metadata onto graph nodes/edges, including path relevance computation. +- Serve graph APIs for viewport tiles, paths, filters, exports, simulation overlays, and diffing. +- Coordinate with Policy Engine, Scheduler, Conseiller, Excitator, and Authority to keep overlays current, respect RBAC, and uphold determinism guarantees. +- Deliver observability (metrics/traces/logs) and performance benchmarks for large graphs (≥50k nodes). + +## Expectations +- Keep builds deterministic; snapshots are write-once and content-addressed. +- Tenancy and scope enforcement must match Authority policies (`graph:*`, `sbom:read`, `findings:read`). +- Update `TASKS.md`, `SPRINTS.md` when status changes. +- Provide fixtures and documentation so UI/CLI teams can simulate graphs offline. diff --git a/src/StellaOps.Cartographer/Program.cs b/src/StellaOps.Cartographer/Program.cs new file mode 100644 index 00000000..8f3a9613 --- /dev/null +++ b/src/StellaOps.Cartographer/Program.cs 
@@ -0,0 +1,17 @@ +var builder = WebApplication.CreateBuilder(args); + +builder.Configuration + .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true) + .AddEnvironmentVariables("CARTOGRAPHER_"); + +builder.Services.AddOptions(); +builder.Services.AddLogging(); + +// TODO: register Cartographer graph builders, overlay workers, and Authority client once implementations land. + +var app = builder.Build(); + +app.MapGet("/healthz", () => Results.Ok(new { status = "ok" })); +app.MapGet("/readyz", () => Results.Ok(new { status = "warming" })); + +app.Run(); diff --git a/src/StellaOps.Cartographer/StellaOps.Cartographer.csproj b/src/StellaOps.Cartographer/StellaOps.Cartographer.csproj new file mode 100644 index 00000000..3ca7436e --- /dev/null +++ b/src/StellaOps.Cartographer/StellaOps.Cartographer.csproj @@ -0,0 +1,16 @@ + + + net10.0 + enable + enable + preview + true + InProcess + + + + + + + + diff --git a/src/StellaOps.Cartographer/TASKS.md b/src/StellaOps.Cartographer/TASKS.md new file mode 100644 index 00000000..dd6ed4aa --- /dev/null +++ b/src/StellaOps.Cartographer/TASKS.md 
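Review bot: `/readyz` answers HTTP 200 with a `warming` body, so an orchestrator readiness probe, which keys on the status code rather than the payload, will route traffic to this instance before the graph builders, overlay workers and Authority client named in the TODO are registered. Until a real readiness check exists, return a non-success code, e.g. `app.MapGet("/readyz", () => Results.Json(new { status = "warming" }, statusCode: StatusCodes.Status503ServiceUnavailable));`. Separately, `WebApplication.CreateBuilder` already registers `appsettings.json` and `appsettings.{Environment}.json`; re-adding `appsettings.json` afterwards places it after the environment-specific file in provider order, so base values silently override environment-specific settings (the `CARTOGRAPHER_` environment variables added later still win), and that `AddJsonFile` call can be dropped.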
@@ -0,0 +1,12 @@ +# Cartographer Task Board — Epic 3: Graph Explorer v1 +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| CARTO-GRAPH-21-001 | TODO | Cartographer Guild | SBOM-SERVICE-21-001 | Define graph storage schema: snapshot catalog, node/edge collections, overlay tables, sharding strategy, indexes, and retention rules. Document migration/rollback. | Mongo collections + indexes created via bootstrapper; schema doc drafted; integration tests verify tenant isolation and sharding. | +| CARTO-GRAPH-21-002 | TODO | Cartographer Guild | CARTO-GRAPH-21-001 | Implement SBOM projection reader consuming normalized CycloneDX/SPDX from SBOM Service; validate fixtures and handle entrypoint tagging. | Reader ingests sample SBOMs (CycloneDX/SPDX); entrypoints resolved; unit tests cover malformed SBOM handling. | +| CARTO-GRAPH-21-003 | TODO | Cartographer Guild | CARTO-GRAPH-21-002 | Build graph constructor deduping PURLs, emitting typed nodes/edges with metadata (licenses, supplier, hashes, scope). | Graph snapshots generated deterministically for fixtures; duplicate suppression verified; stats recorded. | +| CARTO-GRAPH-21-004 | TODO | Cartographer Guild | CARTO-GRAPH-21-003 | Implement layout & tiling pipeline (global force layout + zoom tiles) and persist tiles to blob/object storage with manifests. | Layout tiles produced for fixtures; bbox metadata recorded; perf target (<10 min for 50k nodes) documented. | +| CARTO-GRAPH-21-005 | TODO | Cartographer Guild | CARTO-GRAPH-21-003, POLICY-ENGINE-30-001 | Overlay worker hydrating policy effective findings/VEX data, computing path relevance from entrypoints, and supporting simulation overlays. | Overlay documents created for selected policies; path relevance validated via unit tests; SLA metric recorded. 
| +| CARTO-GRAPH-21-006 | TODO | Cartographer Guild, BE-Base Platform Guild | CARTO-GRAPH-21-005 | Expose Cartographer APIs (versions, viewport tiles, node lookup, path queries, filters, diff, export, simulate) with pagination and streaming support. | API endpoints documented, tested, and OpenAPI published; large responses stream without timeouts; error codes mapped. | +| CARTO-GRAPH-21-007 | TODO | Cartographer Guild, Scheduler Guild | CARTO-GRAPH-21-005, SCHED-WORKER-21-201 | Build backfill + incremental overlay jobs listening to policy/SBOM change events; ensure eventual consistency SLA (<2 min). | Change stream consumers enqueue work; retries/backoff implemented; observability metrics emit overlay lag. | +| CARTO-GRAPH-21-008 | TODO | Cartographer Guild, QA Guild | CARTO-GRAPH-21-004..007 | Add unit/property/integration tests, synthetic 50k/100k perf suites, chaos scenarios (missing overlays, cyclic graphs), and determinism checks. | Test suite green; perf benchmarks logged; regression pipeline enforces determinism. | +| CARTO-GRAPH-21-009 | TODO | Cartographer Guild, DevOps Guild | CARTO-GRAPH-21-006 | Provide deployment artefacts (Helm/Compose), configuration docs, and Offline Kit bundle notes for Cartographer. | Deployment descriptors merged; docs updated; offline kit includes seeds/layout caches; smoke tests added. | diff --git a/src/StellaOps.Cli/AGENTS.md b/src/StellaOps.Cli/AGENTS.md index e72b6563..e073aeb6 100644 --- a/src/StellaOps.Cli/AGENTS.md +++ b/src/StellaOps.Cli/AGENTS.md 
@@ -23,5 +23,10 @@ ## Reference Materials - `docs/ARCHITECTURE_CONCELIER.md` for database operations surface area. - Backend OpenAPI/contract docs (once available) for job triggers and scanner endpoints. -- Existing module AGENTS/TASKS files for style and coordination cues. -- `docs/09_API_CLI_REFERENCE.md` (section 3) for the user-facing synopsis of the CLI verbs and flags. +- Existing module AGENTS/TASKS files for style and coordination cues. +- `docs/09_API_CLI_REFERENCE.md` (section 3) for the user-facing synopsis of the CLI verbs and flags. + +### Attestor Command Guild +- Owns the `stella attest` verb family (sign, verify, list, fetch) plus key lifecycle helpers (create, import, rotate, revoke). +- Ensures all attestation flows use the official SDK transport, support offline bundles, and surface JSON/table outputs for automation. +- Guards parity with attestor service policies (verification policies, explainability) and keeps fixtures/tests covering file-based and KMS-backed keys. diff --git a/src/StellaOps.Cli/TASKS.md b/src/StellaOps.Cli/TASKS.md index b29b0aa9..8283a002 100644 --- a/src/StellaOps.Cli/TASKS.md +++ b/src/StellaOps.Cli/TASKS.md 
@@ -1,24 +1,182 @@ -If you are working on this file you need to read docs/ARCHITECTURE_EXCITITOR.md and ./AGENTS.md). -# TASKS -| Task | Owner(s) | Depends on | Notes | -|---|---|---|---| -|Bootstrap configuration fallback (env → appsettings{{.json/.yaml}})|DevEx/CLI|Core|**DONE** – CLI loads `API_KEY`/`STELLAOPS_BACKEND_URL` from environment or local settings, defaulting to empty strings when unset.| -|Introduce command host & routing skeleton|DevEx/CLI|Configuration|**DONE** – System.CommandLine (v2.0.0-beta5) router stitched with `scanner`, `scan`, `db`, and `config` verbs.| -|Scanner artifact download/install commands|Ops Integrator|Backend contracts|**DONE** – `scanner download` caches bundles, validates SHA-256 (plus optional RSA signature), installs via `docker load`, persists metadata, and retries with exponential backoff.| -|Scan execution & result upload workflow|Ops Integrator, QA|Scanner cmd|**DONE** – `scan run` drives container scans against directories, emits artefacts in `ResultsDirectory`, auto-uploads on success, and `scan upload` covers manual retries.| -|Concelier DB operations passthrough|DevEx/CLI|Backend, Concelier APIs|**DONE** – `db fetch|merge|export` trigger `/jobs/*` endpoints with parameter binding and consistent exit codes.| -|CLI observability & tests|QA|Command host|**DONE** – Added console logging defaults & configuration bootstrap tests; future metrics hooks tracked separately.| -|Authority auth commands|DevEx/CLI|Auth libraries|**DONE** – `auth login/logout/status` wrap the shared auth client, manage token cache, and surface status messages.| -|Document authority workflow in CLI help & quickstart|Docs/CLI|Authority auth commands|**DONE (2025-10-10)** – CLI help now surfaces Authority config fields and docs/09 + docs/10 describe env vars, auth login/status flow, and cache location.| -|Authority whoami command|DevEx/CLI|Authority auth commands|**DONE (2025-10-10)** – Added `auth whoami` verb that displays subject/audience/expiry 
from cached tokens and handles opaque tokens gracefully.| -|Expose auth client resilience settings|DevEx/CLI|Auth libraries LIB5|**DONE (2025-10-10)** – CLI options now bind resilience knobs, `AddStellaOpsAuthClient` honours them, and tests cover env overrides.| -|Document advanced Authority tuning|Docs/CLI|Expose auth client resilience settings|**DONE (2025-10-10)** – docs/09 and docs/10 describe retry/offline settings with env examples and point to the integration guide.| -|Surface password policy diagnostics in CLI output|DevEx/CLI, Security Guild|AUTHSEC-CRYPTO-02-004|**DONE (2025-10-15)** – CLI startup runs the Authority plug-in analyzer, logs weakened password policy warnings with manifest paths, added unit tests (`dotnet test src/StellaOps.Cli.Tests`) and updated docs/09 with remediation guidance.| -|EXCITITOR-CLI-01-001 – Add `excititor` command group|DevEx/CLI|EXCITITOR-WEB-01-001|DONE (2025-10-18) – Introduced `excititor` verbs (init/pull/resume/list-providers/export/verify/reconcile) with token-auth backend calls, provenance-friendly logging, and regression coverage.| -|EXCITITOR-CLI-01-002 – Export download & attestation UX|DevEx/CLI|EXCITITOR-CLI-01-001, EXCITITOR-EXPORT-01-001|DONE (2025-10-19) – CLI export prints digest/size/Rekor metadata, `--output` downloads with SHA-256 verification + cache reuse, and unit coverage validated via `dotnet test src/StellaOps.Cli.Tests`.| -|EXCITITOR-CLI-01-003 – CLI docs & examples for Excititor|Docs/CLI|EXCITITOR-CLI-01-001|**DOING (2025-10-19)** – Update docs/09_API_CLI_REFERENCE.md and quickstart snippets to cover Excititor verbs, offline guidance, and attestation verification workflow.| -|CLI-RUNTIME-13-005 – Runtime policy test verbs|DevEx/CLI|SCANNER-RUNTIME-12-302, ZASTAVA-WEBHOOK-12-102|**DONE (2025-10-19)** – Added `runtime policy test` command (stdin/file support, JSON output), backend client method + typed models, verdict table output, docs/tests updated (`dotnet test src/StellaOps.Cli.Tests`).| 
-|CLI-OFFLINE-13-006 – Offline kit workflows|DevEx/CLI|DEVOPS-OFFLINE-14-002|**DONE (2025-10-21)** – Added `offline kit pull/import/status` commands with resumable downloads, digest/metadata validation, metrics, docs updates, and regression coverage (`dotnet test src/StellaOps.Cli.Tests`).| -|CLI-PLUGIN-13-007 – Plugin packaging|DevEx/CLI|CLI-RUNTIME-13-005, CLI-OFFLINE-13-006|DONE (2025-10-22) – Packaged non-core verbs as restart-time plug-ins with manifest + loader updates and tests ensuring no hot reload.| -|CLI-RUNTIME-13-008 – Runtime policy contract sync|DevEx/CLI, Scanner WebService Guild|SCANNER-RUNTIME-12-302|**DONE (2025-10-19)** – CLI runtime table/JSON now align with SCANNER-RUNTIME-12-302 (SBOM referrers, quieted provenance, confidence, verified Rekor); docs/09 updated with joint sign-off note.| -|CLI-RUNTIME-13-009 – Runtime policy smoke fixture|DevEx/CLI, QA Guild|CLI-RUNTIME-13-005|**DONE (2025-10-19)** – Spectre console harness + regression tests cover table and `--json` output paths for `runtime policy test`, using stubbed backend and integrated into `dotnet test` suite.| +# CLI Task Board — Epic 1: Aggregation-Only Contract +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| CLI-AOC-19-001 | TODO | DevEx/CLI Guild | CONCELIER-WEB-AOC-19-001, EXCITITOR-WEB-AOC-19-001 | Implement `stella sources ingest --dry-run` printing would-write payloads with forbidden field scan results and guard status. | Command displays diff-safe JSON, highlights forbidden fields, exits non-zero on guard violation, and has unit tests. | +| CLI-AOC-19-002 | TODO | DevEx/CLI Guild | CLI-AOC-19-001 | Add `stella aoc verify` command supporting `--since`/`--limit`, mapping `ERR_AOC_00x` to exit codes, with JSON/table output. | Command integrates with both services, exit codes documented, regression tests green. 
| +| CLI-AOC-19-003 | TODO | Docs/CLI Guild | CLI-AOC-19-001, CLI-AOC-19-002 | Update CLI reference and quickstart docs to cover new commands, exit codes, and offline verification workflows. | Docs updated; examples recorded; release notes mention new commands. | + +## Policy Engine v2 + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| CLI-POLICY-20-001 | TODO | DevEx/CLI Guild | WEB-POLICY-20-001 | Add `stella policy new|edit|submit|approve` commands with local editor integration, version pinning, and approval workflow wiring. | Commands round-trip policy drafts with temp files; approval requires correct scopes; unit tests cover happy/error paths. | +| CLI-POLICY-20-002 | TODO | DevEx/CLI Guild | CLI-POLICY-20-001, WEB-POLICY-20-001, WEB-POLICY-20-002 | Implement `stella policy simulate` with SBOM/env arguments and diff output (table/JSON), handling exit codes for `ERR_POL_*`. | Simulation outputs deterministic diffs; JSON schema documented; tests validate exit codes + piping of env variables. | +| CLI-POLICY-20-003 | TODO | DevEx/CLI Guild, Docs Guild | CLI-POLICY-20-002, WEB-POLICY-20-003, DOCS-POLICY-20-006 | Extend `stella findings ls|get` commands for policy-filtered retrieval with pagination, severity filters, and explain output. | Commands stream paginated results; explain view renders rationale entries; docs/help updated; end-to-end tests cover filters. | + +## Graph Explorer v1 + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| CLI-GRAPH-21-001 | TODO | DevEx/CLI Guild, Cartographer Guild | CARTO-GRAPH-21-006, WEB-GRAPH-21-001 | Implement `stella sbom graph build/export/query/diff` commands with RBAC-aware behavior, streaming outputs, and offline mode. 
| Commands execute against local fixtures; GraphML/JSONL exports match API; scope errors mapped to `ERR_Graph_*`; unit tests added. | +| CLI-GRAPH-21-002 | TODO | DevEx/CLI Guild | CLI-GRAPH-21-001, WEB-GRAPH-21-004 | Add path query and simulation options (k-shortest paths, policy selection, filters) with JSON output suitable for CI. | Path query returns expected JSON schema; simulation overlay toggles; regression tests cover CLI-to-API contract. | +| CLI-GRAPH-21-003 | TODO | DevEx/CLI Guild, Docs Guild | CLI-GRAPH-21-001, DOCS-GRAPH-21-005 | Document CLI usage and provide golden fixtures for CI; ensure exit codes align with `ERR_Graph_*`. | Docs updated; fixtures stored under `samples/graph/`; CI job runs CLI smoke; exit codes verified. | + +## Link-Not-Merge v1 + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| CLI-LNM-22-001 | TODO | DevEx/CLI Guild | WEB-LNM-21-001 | Implement `stella advisory obs get/linkset show/export` commands with JSON/OSV output, pagination, and conflict display; ensure `ERR_AGG_*` mapping. | Commands fetch observation/linkset data; exports validated against fixtures; unit tests cover error handling. | +| CLI-LNM-22-002 | TODO | DevEx/CLI Guild | WEB-LNM-21-002 | Implement `stella vex obs get/linkset show` commands with product filters, status filters, and JSON output for CI usage. | Commands support filters + streaming; integration tests use sample linksets; docs updated. | + +## Policy Engine + Editor v1 + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| CLI-POLICY-23-004 | TODO | DevEx/CLI Guild | WEB-POLICY-23-001 | Add `stella policy lint` command validating SPL files with compiler diagnostics; support JSON output. | Command returns lint diagnostics; exit codes documented; tests cover error scenarios. 
| +| CLI-POLICY-23-005 | TODO | DevEx/CLI Guild | WEB-POLICY-23-002 | Implement `stella policy activate` with scheduling window, approval enforcement, and summary output. | Activation command integrates with API, handles 2-person rule failures; tests cover success/error. | +| CLI-POLICY-23-006 | TODO | DevEx/CLI Guild | WEB-POLICY-23-004 | Provide `stella policy history` and `stella policy explain` commands to pull run history and explanation trees. | Commands output JSON/table; integration tests with fixtures; docs updated. | + +## Graph & Vuln Explorer v1 + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| CLI-GRAPH-24-001 | TODO | DevEx/CLI Guild | WEB-GRAPH-24-001 | Add `stella graph show|search|diff` commands with JSON/table outputs, pagination, depth controls, and RBAC-aware error handling. | Commands return graph data; diff output validated with fixtures; unit tests cover pagination/error cases. | +| CLI-GRAPH-24-002 | TODO | DevEx/CLI Guild | WEB-GRAPH-24-002 | Implement `stella graph simulate upgrade|policy` commands including progress feedback, diff summary, and exit codes for failure/timeouts. | Simulation commands integrate with API; regression tests exercise upgrade/policy scenarios; docs updated. | + +## Exceptions v1 + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| CLI-EXC-25-001 | TODO | DevEx/CLI Guild | WEB-EXC-25-001 | Implement `stella exceptions list|draft|propose|approve|revoke` commands with JSON/table output, validation, and workflow exit codes. | Commands exercise end-to-end workflow; unit/integration tests cover errors; docs updated. | +| CLI-EXC-25-002 | TODO | DevEx/CLI Guild | WEB-EXC-25-002 | Extend `stella policy simulate` with `--with-exception`/`--without-exception` flags to preview exception impact. 
| Simulation handles overrides; regression tests cover presence/absence; help text updated. | + +## Reachability v1 + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| CLI-SIG-26-001 | TODO | DevEx/CLI Guild | WEB-SIG-26-001 | Implement `stella reachability upload-callgraph` and `stella reachability list/explain` commands with streaming upload, pagination, and exit codes. | Commands operate end-to-end; integration tests with fixtures; docs updated. | +| CLI-SIG-26-002 | TODO | DevEx/CLI Guild | WEB-SIG-26-003 | Extend `stella policy simulate` with reachability override flags (`--reachability-state`, `--reachability-score`). | Simulation command accepts overrides; regression tests cover adjustments; help text updated. | + +## Policy Studio (Sprint 27) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| CLI-POLICY-27-001 | TODO | DevEx/CLI Guild | REGISTRY-API-27-001, WEB-POLICY-27-001 | Implement policy workspace commands (`stella policy init`, `edit`, `lint`, `compile`, `test`) with template selection, local cache, JSON output, and deterministic temp directories. | Commands operate offline with cached templates; diagnostics mirror API responses; unit tests cover happy/error paths; help text updated. | +| CLI-POLICY-27-002 | TODO | DevEx/CLI Guild | REGISTRY-API-27-006, WEB-POLICY-27-002 | Add submission/review workflow commands (`stella policy version bump`, `submit`, `review comment`, `approve`, `reject`) supporting reviewer assignment, changelog capture, and exit codes. | Workflow commands enforce required approvers; comments upload correctly; integration tests cover approval failure; docs updated. 
| +| CLI-POLICY-27-003 | TODO | DevEx/CLI Guild | REGISTRY-API-27-005, SCHED-CONSOLE-27-001 | Implement `stella policy simulate` enhancements (quick vs batch, SBOM selectors, heatmap summary, manifest download) with `--json` and Markdown report output for CI. | CLI can trigger batch sim, poll progress, download artifacts; outputs deterministic schemas; CI sample workflow documented; tests cover cancellation/timeouts. | +| CLI-POLICY-27-004 | TODO | DevEx/CLI Guild | REGISTRY-API-27-007, REGISTRY-API-27-008, AUTH-POLICY-27-002 | Add lifecycle commands for publish/promote/rollback/sign (`stella policy publish --sign`, `promote --env`, `rollback`) with attestation verification and canary arguments. | Commands enforce signing requirement, support dry-run, produce audit logs; integration tests cover promotion + rollback; documentation updated. | +| CLI-POLICY-27-005 | TODO | DevEx/CLI Guild, Docs Guild | DOCS-CONSOLE-27-007, DOCS-POLICY-27-007 | Update CLI reference and samples for Policy Studio including JSON schemas, exit codes, and CI snippets. | CLI docs merged with screenshots/transcripts; parity matrix updated; acceptance tests ensure `--help` examples compile. | + +## Vulnerability Explorer (Sprint 29) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| CLI-VULN-29-001 | TODO | DevEx/CLI Guild | VULN-API-29-002, AUTH-VULN-29-001 | Implement `stella vuln list` with grouping, paging, filters, `--json/--csv`, and policy selection. | Command returns deterministic output; paging works; regression tests cover filters/grouping. | +| CLI-VULN-29-002 | TODO | DevEx/CLI Guild | VULN-API-29-003 | Implement `stella vuln show` displaying evidence, policy rationale, paths, ledger summary; support `--json` for automation. | Output matches schema; evidence rendered with provenance; tests cover missing data. 
| +| CLI-VULN-29-003 | TODO | DevEx/CLI Guild | VULN-API-29-004, LEDGER-29-005 | Add workflow commands (`assign`, `comment`, `accept-risk`, `verify-fix`, `target-fix`, `reopen`) with filter selection (`--filter`) and idempotent retries. | Commands create ledger events; exit codes documented; integration tests cover role enforcement. | +| CLI-VULN-29-004 | TODO | DevEx/CLI Guild | VULN-API-29-005 | Implement `stella vuln simulate` producing delta summaries and optional Markdown report for CI. | CLI simulation returns diff tables + JSON; tests verify diff correctness; docs updated. | +| CLI-VULN-29-005 | TODO | DevEx/CLI Guild | VULN-API-29-008 | Add `stella vuln export` and `stella vuln bundle verify` commands to trigger/download evidence bundles and verify signatures. | Export command streams to file; verify command checks signatures; tests cover success/failure. | +| CLI-VULN-29-006 | TODO | DevEx/CLI Guild, Docs Guild | DOCS-VULN-29-004, DOCS-VULN-29-005 | Update CLI docs/examples for Vulnerability Explorer with compliance checklist and CI snippets. | Docs merged; automated examples validated; compliance checklist appended. | + +## VEX Lens (Sprint 30) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| CLI-VEX-30-001 | TODO | DevEx/CLI Guild | VEXLENS-30-007 | Implement `stella vex consensus list` with filters, paging, policy selection, `--json/--csv`. | Command returns deterministic output; regression tests cover filters/paging; docs updated. | +| CLI-VEX-30-002 | TODO | DevEx/CLI Guild | VEXLENS-30-007 | Implement `stella vex consensus show` displaying quorum, evidence, rationale, signature status. | Output matches schema; tests cover conflicting evidence; docs updated. | +| CLI-VEX-30-003 | TODO | DevEx/CLI Guild | VEXLENS-30-007 | Implement `stella vex simulate` for trust/threshold overrides with JSON diff output. 
| Simulation command returns diff summary; tests cover policy scenarios; docs updated. | +| CLI-VEX-30-004 | TODO | DevEx/CLI Guild | VEXLENS-30-007 | Implement `stella vex export` for consensus NDJSON bundles with signature verification helper. | Export & verify commands operational; tests cover file output; docs updated. | + +## Advisory AI (Sprint 31) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| CLI-AIAI-31-001 | TODO | DevEx/CLI Guild | AIAI-31-006 | Implement `stella advise summarize` command with JSON/Markdown outputs and citation display. | Command returns summary + JSON; citations preserved; tests cover filters. | +| CLI-AIAI-31-002 | TODO | DevEx/CLI Guild | AIAI-31-006 | Implement `stella advise explain` showing conflict narrative and structured rationale. | Output matches schemas; tests cover disputed cases. | +| CLI-AIAI-31-003 | TODO | DevEx/CLI Guild | AIAI-31-006 | Implement `stella advise remediate` generating remediation plans with `--strategy` filters and file output. | Plans saved to file; exit codes documented; tests cover version mapping. | +| CLI-AIAI-31-004 | TODO | DevEx/CLI Guild | AIAI-31-006 | Implement `stella advise batch` for summaries/conflicts/remediation with progress + multi-status responses. | Batch command handles 207 responses; tests cover partial failures. | + +## Export Center (Epic 10) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| CLI-EXPORT-35-001 | TODO | DevEx/CLI Guild | WEB-EXPORT-35-001, AUTH-EXPORT-35-001 | Implement `stella export profiles|runs` list/show, `run create`, `run status`, and resumable download commands with manifest/provenance retrieval. | Commands respect viewer/operator scopes; downloads resume via range requests; integration tests cover filters and offline mode. 
| +| CLI-EXPORT-36-001 | TODO | DevEx/CLI Guild | CLI-EXPORT-35-001, WEB-EXPORT-36-001 | Add distribution commands (`stella export distribute`, `run download --resume` enhancements) and improved status polling with progress bars. | Distribution commands push OCI/object storage; status polling handles SSE fallback; tests cover failure cases. | +| CLI-EXPORT-37-001 | TODO | DevEx/CLI Guild | CLI-EXPORT-36-001, WEB-EXPORT-37-001 | Provide scheduling (`stella export schedule`), retention, and `export verify` commands performing signature/hash validation. | Scheduling/retention commands enforce admin scopes; verify command checks signatures/hashes; examples documented; tests cover success/failure. | +## Orchestrator Dashboard (Epic 9) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| CLI-ORCH-32-001 | TODO | DevEx/CLI Guild | WEB-ORCH-32-001, AUTH-ORCH-32-001 | Implement `stella orch sources|runs|jobs` list/show commands with filters, pagination, table/JSON output, and deterministic exit codes. | Commands respect viewer scope; JSON schema documented; integration tests cover filters/paging/offline mode. | +| CLI-ORCH-33-001 | TODO | DevEx/CLI Guild | CLI-ORCH-32-001, WEB-ORCH-33-001, AUTH-ORCH-33-001 | Add action verbs (`sources test|pause|resume|sync-now`, `jobs retry|cancel|tail`) with streaming output, reason prompts, and retry/backoff handling. | Actions succeed with operator scope; streaming tail resilient to reconnect; tests cover permission failures and retries. | +| CLI-ORCH-34-001 | TODO | DevEx/CLI Guild | CLI-ORCH-33-001, WEB-ORCH-34-001, AUTH-ORCH-34-001 | Provide backfill wizard (`--from/--to --dry-run`), quota management (`quotas get|set`), and safety guardrails for orchestrator GA. | Backfill preview output matches API; quota updates require reason; CLI docs/help updated; regression tests cover dry-run + failure paths. 
| + +## Notifications Studio (Epic 11) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| CLI-NOTIFY-38-001 | TODO | DevEx/CLI Guild | WEB-NOTIFY-38-001, AUTH-NOTIFY-38-001 | Implement `stella notify rules|templates|incidents` commands (list/create/update/test/ack) with file inputs, JSON output, and RBAC-aware flow. | Commands invoke notifier APIs successfully; rule test uses local events file; integration tests cover create/test/ack; help docs updated. | +| CLI-NOTIFY-39-001 | TODO | DevEx/CLI Guild | CLI-NOTIFY-38-001, WEB-NOTIFY-39-001 | Add simulation (`stella notify simulate`) and digest commands with diff output and schedule triggering, including dry-run mode. | Simulation command returns deterministic diff; digest command triggers run and polls status; tests cover filters and failures. | +| CLI-NOTIFY-40-001 | TODO | DevEx/CLI Guild | CLI-NOTIFY-39-001, WEB-NOTIFY-40-001 | Provide ack token redemption workflow, escalation management, localization previews, and channel health checks. | Ack redemption validates signed tokens; escalation commands manage schedules; localization preview shows variants; integration tests cover negative cases. | + +## CLI Parity & Task Packs (Epic 12) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| CLI-CORE-41-001 | TODO | DevEx/CLI Guild | AUTH-PACKS-41-001 | Implement CLI core features: config precedence, profiles/contexts, auth flows, output renderer (json/yaml/table), error mapping, global flags, telemetry opt-in. | CLI loads config deterministically; auth works (device/PAT); outputs render correctly; tests cover precedence and exit codes. 
| +| CLI-PARITY-41-001 | TODO | DevEx/CLI Guild | CLI-CORE-41-001 | Deliver parity command groups (`policy`, `sbom`, `vuln`, `vex`, `advisory`, `export`, `orchestrator`) with `--explain`, deterministic outputs, and parity matrix entries. | Commands match Console behavior; parity matrix green for covered actions; integration tests cover major flows. | +| CLI-PARITY-41-002 | TODO | DevEx/CLI Guild | CLI-PARITY-41-001, WEB-NOTIFY-38-001 | Implement `notify`, `aoc`, `auth` command groups, idempotency keys, shell completions, config docs, and parity matrix export tooling. | Commands functional; completions generated; docs updated; parity matrix auto-exported; CI checks gating. | +| CLI-PACKS-42-001 | TODO | DevEx/CLI Guild | CLI-CORE-41-001, PACKS-REG-41-001, TASKRUN-41-001 | Implement Task Pack commands (`pack plan/run/push/pull/verify`) with schema validation, expression sandbox, plan/simulate engine, remote execution. | Pack commands operational; plan/sim produce accurate graph; remote run streams logs; schema validation enforced. | +| CLI-PACKS-43-001 | TODO | DevEx/CLI Guild | CLI-PACKS-42-001, TASKRUN-42-001 | Deliver advanced pack features (approvals pause/resume, secret injection, localization, man pages, offline cache). | Approvals handled; secrets redacted; localization supported; man pages built; offline cache documented; integration tests cover scenarios. | + +## Authority-Backed Scopes & Tenancy (Epic 14) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| CLI-TEN-47-001 | TODO | DevEx/CLI Guild | AUTH-TEN-47-001 | Implement `stella login`, `whoami`, `tenants list`, persistent profiles, secure token storage, and `--tenant` override with validation. | Commands functional across platforms; tokens stored securely; tenancy header set on requests; integration tests cover login/tenant switch. 
| +| CLI-TEN-49-001 | TODO | DevEx/CLI Guild | CLI-TEN-47-001, AUTH-TEN-49-001 | Add service account token minting, delegation (`stella token delegate`), impersonation banner, and audit-friendly logging. | Service tokens minted with scopes/TTL; delegation recorded; CLI displays impersonation banner; docs updated. | + +## Observability & Forensics (Epic 15) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| CLI-OBS-50-001 | TODO | DevEx/CLI Guild | TELEMETRY-OBS-50-002, WEB-OBS-50-001 | Ensure CLI HTTP client propagates `traceparent` headers for all commands, prints correlation IDs on failure, and records trace IDs in verbose logs (scrubbed). | Trace headers observed in integration tests; verbose logs include trace IDs; redaction guard verified. | +| CLI-OBS-51-001 | TODO | DevEx/CLI Guild | CLI-OBS-50-001, WEB-OBS-51-001 | Implement `stella obs top` command streaming service health metrics, SLO status, and burn-rate alerts with TUI view and JSON output. | Command streams metrics; JSON output documented; integration tests cover streaming and exit codes. | +| CLI-OBS-52-001 | TODO | DevEx/CLI Guild | CLI-OBS-51-001, TIMELINE-OBS-52-003 | Add `stella obs trace ` and `stella obs logs --from/--to` commands that correlate timeline events, logs, and evidence links with pagination + guardrails. | Commands fetch timeline/log data; paging tokens handled; fixtures stored under `samples/obs/`; tests cover errors. | +| CLI-FORENSICS-53-001 | TODO | DevEx/CLI Guild, Evidence Locker Guild | CLI-OBS-52-001, EVID-OBS-53-003 | Implement `stella forensic snapshot create --case` and `snapshot list/show` commands invoking evidence locker APIs, surfacing manifest digests, and storing local cache metadata. | Snapshot commands functional; manifests displayed; cache metadata deterministic; docs/help updated. 
| +| CLI-FORENSICS-54-001 | TODO | DevEx/CLI Guild, Provenance Guild | CLI-FORENSICS-53-001, PROV-OBS-54-001 | Provide `stella forensic verify ` command validating checksums, DSSE signatures, and timeline chain-of-custody. Support JSON/pretty output and exit codes for CI. | Verification works with sample bundles; tests cover success/failure; docs updated. | +| CLI-FORENSICS-54-002 | TODO | DevEx/CLI Guild, Provenance Guild | CLI-FORENSICS-54-001 | Implement `stella forensic attest show ` listing attestation details (signer, timestamp, subjects) and verifying signatures. | Command prints attestation summary; verification errors flagged; tests cover offline mode. | +| CLI-OBS-55-001 | TODO | DevEx/CLI Guild, DevOps Guild | CLI-OBS-52-001, WEB-OBS-55-001, DEVOPS-OBS-55-001 | Add `stella obs incident-mode enable|disable|status` commands with confirmation guards, cooldown timers, and audit logging. | Commands manage incident mode; audit logs verified; tests cover permissions and cooldown. | + +## Air-Gapped Mode (Epic 16) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| CLI-AIRGAP-56-001 | TODO | DevEx/CLI Guild | MIRROR-CRT-56-001, AIRGAP-IMP-56-001 | Implement `stella mirror create|verify` and `stella airgap verify` commands with DSSE/TUF results, dry-run mode, and deterministic manifests. | Commands produce deterministic bundles; verify outputs structured DSSE/TUF results; integration tests cover tampering scenarios. | +| CLI-AIRGAP-57-001 | TODO | DevEx/CLI Guild | CLI-AIRGAP-56-001, AIRGAP-IMP-58-001 | Add `stella airgap import` with diff preview, bundle scope selection (`--tenant`, `--global`), audit logging, and progress reporting. | Import updates catalog; diff preview rendered; audit entries include bundle ID + scope; tests cover idempotent re-import. 
|
+| CLI-AIRGAP-57-002 | TODO | DevEx/CLI Guild | CLI-AIRGAP-56-001, AIRGAP-CTL-56-002 | Provide `stella airgap seal|status` commands surfacing sealing state, drift, staleness metrics, and remediation guidance with safe confirmation prompts. | Status command prints drift/staleness; seal requires confirmation + scope; integration tests cover RBAC denials. |
+| CLI-AIRGAP-58-001 | TODO | DevEx/CLI Guild, Evidence Locker Guild | CLI-AIRGAP-57-001, CLI-FORENSICS-54-001 | Implement `stella airgap export evidence` helper for portable evidence packages, including checksum manifest and verification. | Command generates portable bundle; verification step validates signatures; docs/help updated with examples. |
+
+## SDKs & OpenAPI (Epic 17)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| CLI-SDK-62-001 | TODO | DevEx/CLI Guild, SDK Generator Guild | SDKGEN-63-001 | Replace bespoke HTTP clients with official SDK (TS/Go) for all CLI commands; ensure modular transport for air-gapped mode. | CLI builds using SDK; regression suite passes; telemetry shows SDK version. |
+| CLI-SDK-62-002 | TODO | DevEx/CLI Guild | CLI-SDK-62-001, APIGOV-61-001 | Update CLI error handling to surface standardized API error envelope with `error.code` and `trace_id`. | CLI displays envelope data; integration tests cover new output. |
+| CLI-SDK-63-001 | TODO | DevEx/CLI Guild, API Governance Guild | OAS-61-002 | Expose `stella api spec download` command retrieving aggregate OAS and verifying checksum/ETag. | Command downloads + verifies spec; docs updated; tests cover failure cases. |
+| CLI-SDK-64-001 | TODO | DevEx/CLI Guild, SDK Release Guild | SDKREL-63-001 | Add CLI subcommand `stella sdk update` to fetch latest SDK manifests/changelogs; integrate with Notifications for deprecations. | Command lists versions/changelogs; notifications triggered on updates.
|
+
+## Risk Profiles (Epic 18)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| CLI-RISK-66-001 | TODO | DevEx/CLI Guild, Policy Guild | POLICY-RISK-67-002 | Implement `stella risk profile list|get|create|publish` commands with schema validation and scope selectors. | Commands operate against API; validation errors surfaced; tests cover CRUD. |
+| CLI-RISK-66-002 | TODO | DevEx/CLI Guild, Risk Engine Guild | RISK-ENGINE-69-001 | Ship `stella risk simulate` supporting SBOM/asset inputs, diff mode, and export to JSON/CSV. | Simulation runs via CLI; output tested; docs updated. |
+| CLI-RISK-67-001 | TODO | DevEx/CLI Guild, Findings Ledger Guild | LEDGER-RISK-67-001 | Provide `stella risk results` with filtering, severity thresholds, explainability fetch. | Results command returns paginated data; explaination fetch command outputs artifact; tests pass. |
+| CLI-RISK-68-001 | TODO | DevEx/CLI Guild, Export Guild | RISK-BUNDLE-70-001 | Add `stella risk bundle verify` and integrate with offline risk bundles. | Verification command validates signatures; integration tests cover tampered bundle. |
+
+## Attestor Console (Epic 19)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| CLI-ATTEST-73-001 | TODO | CLI Attestor Guild | ATTESTOR-73-001, SDKGEN-63-001 | Implement `stella attest sign` (payload selection, subject digest, key reference, output format) using official SDK transport. | Command signs envelopes; tests cover file/KMS keys; docs updated. |
+| CLI-ATTEST-73-002 | TODO | CLI Attestor Guild | ATTESTOR-73-002 | Implement `stella attest verify` with policy selection, explainability output, and JSON/table formatting. | Verification command returns structured report; exit codes match pass/fail; integration tests pass.
|
+| CLI-ATTEST-74-001 | TODO | CLI Attestor Guild | ATTESTOR-73-003 | Implement `stella attest list` with filters (subject, type, issuer, scope) and pagination. | Command outputs table/JSON; tests cover filters. |
+| CLI-ATTEST-74-002 | TODO | CLI Attestor Guild | ATTESTOR-73-003 | Implement `stella attest fetch` to download envelopes and payloads to disk. | Fetch command saves files; checks digests; tests cover air-gap use. |
+| CLI-ATTEST-75-001 | TODO | CLI Attestor Guild, KMS Guild | KMS-72-001 | Implement `stella attest key create|import|rotate|revoke` commands. | Key commands work with file/KMS drivers; tests cover rotation/revocation. |
+| CLI-ATTEST-75-002 | TODO | CLI Attestor Guild, Export Guild | ATTESTOR-75-001 | Add support for building/verifying attestation bundles in CLI. | Bundle commands functional; verification catches tampering; docs updated. |
diff --git a/src/StellaOps.Concelier.Core/TASKS.md b/src/StellaOps.Concelier.Core/TASKS.md
index ec3ca0ac..43699a75 100644
--- a/src/StellaOps.Concelier.Core/TASKS.md
+++ b/src/StellaOps.Concelier.Core/TASKS.md
@@ -1,21 +1,106 @@
-# TASKS
-| Task | Owner(s) | Depends on | Notes |
-|---|---|---|---|
-|JobCoordinator implementation (create/get/mark status)|BE-Core|Storage.Mongo|DONE – `JobCoordinator` drives Mongo-backed runs.|
-|Cron scheduling loop with TimeProvider|BE-Core|Core|DONE – `JobSchedulerHostedService` evaluates cron expressions.|
-|Single-flight/lease semantics|BE-Core|Storage.Mongo|DONE – lease acquisition backed by `MongoLeaseStore`.|
-|Trigger API contract (Result mapping)|BE-Core|WebService|DONE – `JobTriggerResult` outcomes map to HTTP statuses.|
-|Run telemetry enrichment|BE-Core|Observability|DONE – `JobDiagnostics` ties activities & counters into coordinator/scheduler paths.|
-|Deterministic params hashing|BE-Core|Core|DONE – `JobParametersHasher` creates SHA256 hash.|
-|Golden tests for timeout/cancel|QA|Core|DONE – JobCoordinatorTests cover cancellation timeout path.|
-|JobSchedulerBuilder options registry coverage|BE-Core|Core|DONE – added scheduler tests confirming cron/timeout/lease metadata persists via JobSchedulerOptions.|
-|Plugin discovery + DI glue with PluginHost|BE-Core|Plugin libs|DONE – JobPluginRegistrationExtensions now loads PluginHost routines and wires connector/exporter registrations.|
-|Harden lease release error handling in JobCoordinator|BE-Core|Storage.Mongo|DONE – lease release failures now logged, wrapped, and drive run failure status; fire-and-forget execution guarded. Verified with `dotnet test --no-build --filter JobCoordinator`.|
-|Validate job trigger parameters for serialization|BE-Core|WebService|DONE – trigger parameters normalized/serialized with defensive checks returning InvalidParameters on failure. Full-suite `dotnet test --no-build` currently red from live connector fixture drift (Oracle/JVN/RedHat).|
-|FEEDCORE-ENGINE-03-001 Canonical merger implementation|BE-Core|Merge|DONE – `CanonicalMerger` applies GHSA/NVD/OSV conflict rules with deterministic provenance and comprehensive unit coverage.
**Coordination:** Connector leads must align mapper outputs with the canonical field expectations before 2025-10-18 so Merge can activate the path globally.|
-|FEEDCORE-ENGINE-03-002 Field precedence and tie-breaker map|BE-Core|Merge|DONE – field precedence and freshness overrides enforced via `FieldPrecedence` map with tie-breakers and analytics capture. **Reminder:** Storage/Merge owners review precedence overrides when onboarding new feeds to ensure `decisionReason` tagging stays consistent.|
-|Canonical merger parity for description/CWE/canonical metric|BE-Core|Models|DONE (2025-10-15) – merger now populates description/CWEs/canonical metric id with provenance and regression tests cover the new decisions.|
-|Reference normalization & freshness instrumentation cleanup|BE-Core, QA|Models|DONE (2025-10-15) – reference keys normalized, freshness overrides applied to union fields, and new tests assert decision logging.|
-|FEEDCORE-ENGINE-07-001 – Advisory event log & asOf queries|Team Core Engine & Storage Analytics|FEEDSTORAGE-DATA-07-001|**DONE (2025-10-19)** – Implemented `AdvisoryEventLog` service plus repository contracts, canonical hashing, and lower-cased key normalization with replay support; documented determinism guarantees.
Tests: `dotnet test src/StellaOps.Concelier.Core.Tests/StellaOps.Concelier.Core.Tests.csproj`.|
-|FEEDCORE-ENGINE-07-002 – Noise prior computation service|Team Core Engine & Data Science|FEEDCORE-ENGINE-07-001|**DONE (2025-10-21)** – Build rule-based learner capturing false-positive priors per package/env, persist summaries, and expose APIs for Excititor/scan suppressors with reproducible statistics.|
-|FEEDCORE-ENGINE-07-003 – Unknown state ledger & confidence seeding|Team Core Engine & Storage Analytics|FEEDCORE-ENGINE-07-001|DONE (2025-10-21) – Persisted `unknown_vuln_range/unknown_origin/ambiguous_fix` markers with seeded confidence bands, exposed query surface for Policy, and added canonical serialization fixtures + regression tests.|
+# TASKS — Epic 1: Aggregation-Only Contract
+> **AOC Reminder:** ingestion aggregates and links only—no precedence, normalization, or severity computation. Derived data lives in Policy/overlay services.
+| ID | Status | Owner(s) | Depends on | Notes |
+|---|---|---|---|---|
+| CONCELIER-CORE-AOC-19-001 `AOC write guard` | TODO | Concelier Core Guild | WEB-AOC-19-001 | Implement repository interceptor that inspects write payloads for forbidden AOC keys, validates provenance/signature presence, and maps violations to `ERR_AOC_00x`. |
+| CONCELIER-CORE-AOC-19-002 `Deterministic linkset extraction` | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-001 | Build canonical linkset mappers for CVE/GHSA/PURL/CPE/reference extraction from upstream raw payloads, ensuring reconciled-from metadata is tracked and deterministic. |
+| CONCELIER-CORE-AOC-19-003 `Idempotent append-only upsert` | TODO | Concelier Core Guild | CONCELIER-STORE-AOC-19-002 | Implement idempotent upsert path using `(vendor, upstreamId, contentHash, tenant)` key, emitting supersedes pointers for new revisions and preventing duplicate inserts.
|
+| CONCELIER-CORE-AOC-19-004 `Remove ingestion normalization` | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-002, POLICY-AOC-19-003 | Strip normalization/dedup/severity logic from ingestion pipelines, delegate derived computations to Policy Engine, and update exporters/tests to consume raw documents only. |
+
+## Policy Engine v2
+
+| ID | Status | Owner(s) | Depends on | Notes |
+|----|--------|----------|------------|-------|
+| CONCELIER-POLICY-20-002 `Linkset enrichment for policy` | TODO | Concelier Core Guild, Policy Guild | CONCELIER-CORE-AOC-19-002, POLICY-ENGINE-20-001 | Strengthen linkset builders with vendor-specific equivalence tables, NEVRA/PURL normalization, and version range parsing to maximize policy join recall; update fixtures + docs. |
+
+## Graph Explorer v1
+
+| ID | Status | Owner(s) | Depends on | Notes |
+|----|--------|----------|------------|-------|
+| CONCELIER-GRAPH-21-001 `SBOM projection enrichment` | TODO | Concelier Core Guild, Cartographer Guild | CONCELIER-POLICY-20-002, CARTO-GRAPH-21-002 | Extend SBOM normalization to emit full relationship graph (depends_on/contains/provides), scope tags, entrypoint annotations, and component metadata required by Cartographer. |
+| CONCELIER-GRAPH-21-002 `Change events` | TODO | Concelier Core Guild, Scheduler Guild | CONCELIER-GRAPH-21-001 | Publish change events (new SBOM version, relationship delta) for Cartographer build queue; ensure events include tenant/context metadata. |
+
+## Link-Not-Merge v1
+
+| ID | Status | Owner(s) | Depends on | Notes |
+|----|--------|----------|------------|-------|
+| CONCELIER-LNM-21-001 `Advisory observation schema` | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-001 | Introduce immutable `advisory_observations` model with AOC metadata, raw payload pointers, normalized fields, and tenancy guardrails; publish schema definition.
|
+| CONCELIER-LNM-21-002 `Linkset builder` | TODO | Concelier Core Guild, Data Science Guild | CONCELIER-LNM-21-001 | Implement correlation pipeline (alias graph, PURL overlap, CVSS vector equality, fuzzy title match) that produces `advisory_linksets` with confidence + conflict annotations. |
+| CONCELIER-LNM-21-003 `Conflict annotator` | TODO | Concelier Core Guild | CONCELIER-LNM-21-002 | Detect field disagreements (severity, CVSS, ranges, references) and record structured conflicts on linksets; surface to API/UI. |
+| CONCELIER-LNM-21-004 `Merge code removal` | TODO | Concelier Core Guild | CONCELIER-LNM-21-002 | Excise existing merge/dedup logic, enforce immutability on observations, and add guards/tests to prevent future merges. |
+| CONCELIER-LNM-21-005 `Event emission` | TODO | Concelier Core Guild, Platform Events Guild | CONCELIER-LNM-21-002 | Emit `advisory.linkset.updated` events with delta payloads for downstream Policy Engine/Cartographer consumers; ensure idempotent delivery. |
+
+## Policy Engine + Editor v1
+
+| ID | Status | Owner(s) | Depends on | Notes |
+|----|--------|----------|------------|-------|
+| CONCELIER-POLICY-23-001 `Evidence indexes` | TODO | Concelier Core Guild | CONCELIER-LNM-21-002 | Add secondary indexes/materialized views to accelerate policy lookups (alias, severity per observation, correlation confidence). Document query contracts for runtime. |
+| CONCELIER-POLICY-23-002 `Event guarantees` | TODO | Concelier Core Guild, Platform Events Guild | CONCELIER-LNM-21-005 | Ensure `advisory.linkset.updated` emits at-least-once with idempotent keys and include policy-relevant metadata (confidence, conflict summary).
|
+
+## Graph & Vuln Explorer v1
+
+| ID | Status | Owner(s) | Depends on | Notes |
+|----|--------|----------|------------|-------|
+| CONCELIER-GRAPH-24-001 `Advisory overlay inputs` | TODO | Concelier Core Guild | CONCELIER-POLICY-23-001 | Expose raw advisory observations/linksets with tenant filters for overlay services; no derived counts/severity in ingestion. |
+
+## Reachability v1
+
+| ID | Status | Owner(s) | Depends on | Notes |
+|----|--------|----------|------------|-------|
+| CONCELIER-SIG-26-001 `Vulnerable symbol exposure` | TODO | Concelier Core Guild, Signals Guild | SIGNALS-24-002 | Expose advisory metadata (affected symbols/functions) via API to enrich reachability scoring; update fixtures. |
+
+## Orchestrator Dashboard
+
+| ID | Status | Owner(s) | Depends on | Notes |
+|----|--------|----------|------------|-------|
+| CONCELIER-ORCH-32-001 `Source registry integration` | TODO | Concelier Core Guild | ORCH-SVC-32-001, AUTH-ORCH-32-001 | Register Concelier data sources with orchestrator (metadata, schedules, rate policies) and wire provenance IDs/security scopes. |
+| CONCELIER-ORCH-32-002 `Worker SDK adoption` | TODO | Concelier Core Guild | CONCELIER-ORCH-32-001, WORKER-GO-32-001, WORKER-PY-32-001 | Embed orchestrator worker SDK in ingestion loops, emit heartbeats/progress/artifact hashes, and enforce idempotency keys. |
+| CONCELIER-ORCH-33-001 `Control hook compliance` | TODO | Concelier Core Guild | CONCELIER-ORCH-32-002, ORCH-SVC-33-001, ORCH-SVC-33-002 | Honor orchestrator throttle/pause/retry actions, surface structured error classes, and persist safe checkpoints for resume. |
+| CONCELIER-ORCH-34-001 `Backfill + ledger linkage` | TODO | Concelier Core Guild | CONCELIER-ORCH-33-001, ORCH-SVC-33-003, ORCH-SVC-34-001 | Execute orchestrator-driven backfills, reuse artifact hashes to avoid duplicates, and link provenance to run ledger exports.
|
+
+## Authority-Backed Scopes & Tenancy (Epic 14)
+| ID | Status | Owner(s) | Depends on | Notes |
+|----|--------|----------|------------|-------|
+| CONCELIER-TEN-48-001 `Tenant-aware linking` | TODO | Concelier Core Guild | AUTH-TEN-47-001 | Ensure advisory normalization/linking runs per tenant with RLS enforcing isolation; emit capability endpoint reporting `merge=false`; update events with tenant context. |
+
+## Observability & Forensics (Epic 15)
+| ID | Status | Owner(s) | Depends on | Notes |
+|----|--------|----------|------------|-------|
+| CONCELIER-OBS-50-001 `Telemetry adoption` | TODO | Concelier Core Guild, Observability Guild | TELEMETRY-OBS-50-001, TELEMETRY-OBS-50-002 | Replace ad-hoc logging with telemetry core across ingestion/linking pipelines; ensure spans/logs include tenant, source vendor, upstream id, content hash, and trace IDs. |
+| CONCELIER-OBS-51-001 `Metrics & SLOs` | TODO | Concelier Core Guild, DevOps Guild | CONCELIER-OBS-50-001, TELEMETRY-OBS-51-001 | Emit metrics for ingest latency (cold/warm), queue depth, aoc violation rate, and publish SLO burn-rate alerts (ingest P95 <30s cold / <5s warm). Ship dashboards + alert configs. |
+| CONCELIER-OBS-52-001 `Timeline events` | TODO | Concelier Core Guild | CONCELIER-OBS-50-001, TIMELINE-OBS-52-002 | Emit `timeline_event` records for advisory ingest/normalization/linkset creation with provenance, trace IDs, conflict summaries, and evidence placeholders. |
+| CONCELIER-OBS-53-001 `Evidence snapshots` | TODO | Concelier Core Guild, Evidence Locker Guild | CONCELIER-OBS-52-001, EVID-OBS-53-002 | Produce advisory evaluation bundle payloads (raw doc, linkset, normalization diff) for evidence locker; ensure Merkle manifests seeded with content hashes.
|
+| CONCELIER-OBS-54-001 `Attestation & verification` | TODO | Concelier Core Guild, Provenance Guild | CONCELIER-OBS-53-001, PROV-OBS-54-001 | Attach DSSE attestations for advisory processing batches, expose verification API to confirm bundle integrity, and link attestation IDs back to timeline + ledger. |
+| CONCELIER-OBS-55-001 `Incident mode hooks` | TODO | Concelier Core Guild, DevOps Guild | CONCELIER-OBS-51-001, DEVOPS-OBS-55-001 | Increase sampling, capture raw payload snapshots, and extend retention under incident mode; emit activation events + guardrails against PII leak. |
+
+## Air-Gapped Mode (Epic 16)
+| ID | Status | Owner(s) | Depends on | Notes |
+|----|--------|----------|------------|-------|
+| CONCELIER-AIRGAP-56-001 `Mirror ingestion adapters` | TODO | Concelier Core Guild | AIRGAP-IMP-57-002, MIRROR-CRT-56-001 | Add mirror source adapters reading advisories from imported bundles, preserving source metadata and bundle IDs. Ensure ingestion remains append-only. |
+| CONCELIER-AIRGAP-56-002 `Bundle catalog linking` | TODO | Concelier Core Guild, AirGap Importer Guild | CONCELIER-AIRGAP-56-001, AIRGAP-IMP-57-001 | Persist `bundle_id`, `merkle_root`, and time anchor references on observations/linksets for provenance. |
+| CONCELIER-AIRGAP-57-001 `Sealed-mode source restrictions` | TODO | Concelier Core Guild, AirGap Policy Guild | CONCELIER-AIRGAP-56-001, AIRGAP-POL-56-001 | Enforce sealed-mode egress rules by disallowing non-mirror connectors and surfacing remediation errors. |
+| CONCELIER-AIRGAP-57-002 `Staleness annotations` | TODO | Concelier Core Guild, AirGap Time Guild | CONCELIER-AIRGAP-56-002, AIRGAP-TIME-58-001 | Compute staleness metadata for advisories per bundle and expose via API for Console/CLI badges.
|
+| CONCELIER-AIRGAP-58-001 `Portable advisory evidence` | TODO | Concelier Core Guild, Evidence Locker Guild | CONCELIER-OBS-53-001, EVID-OBS-54-001 | Package advisory evidence fragments into portable evidence bundles for cross-domain transfer. |
+
+## SDKs & OpenAPI (Epic 17)
+| ID | Status | Owner(s) | Depends on | Notes |
+|----|--------|----------|------------|-------|
+| CONCELIER-OAS-61-001 `Spec coverage` | TODO | Concelier Core Guild, API Contracts Guild | OAS-61-001 | Update Concelier OAS with advisory observation/linkset endpoints, standard pagination, and source provenance fields. |
+| CONCELIER-OAS-61-002 `Examples library` | TODO | Concelier Core Guild | CONCELIER-OAS-61-001 | Provide rich examples for advisories, linksets, conflict annotations used by SDK + docs. |
+| CONCELIER-OAS-62-001 `SDK smoke tests` | TODO | Concelier Core Guild, SDK Generator Guild | CONCELIER-OAS-61-001, SDKGEN-63-001 | Add SDK tests covering advisory search, pagination, and conflict handling; ensure source metadata surfaced. |
+| CONCELIER-OAS-63-001 `Deprecation headers` | TODO | Concelier Core Guild, API Governance Guild | APIGOV-63-001 | Implement deprecation header support and timeline events for retiring endpoints. |
+
+## Risk Profiles (Epic 18)
+| ID | Status | Owner(s) | Depends on | Notes |
+|----|--------|----------|------------|-------|
+| CONCELIER-RISK-66-001 `CVSS/KEV providers` | TODO | Concelier Core Guild, Risk Engine Guild | RISK-ENGINE-67-001 | Expose CVSS, KEV, fix availability data via provider APIs with source metadata preserved. |
+| CONCELIER-RISK-66-002 `Fix availability signals` | TODO | Concelier Core Guild | CONCELIER-RISK-66-001 | Provide structured fix availability and release metadata consumable by risk engine; document provenance.
|
+| CONCELIER-RISK-67-001 `Source consensus metrics` | TODO | Concelier Core Guild | CONCELIER-RISK-66-001 | Add consensus counts and confidence scores for linked advisories; ensure explainability includes source digests. |
+| CONCELIER-RISK-68-001 `Policy Studio integration` | TODO | Concelier Core Guild, Policy Studio Guild | POLICY-RISK-68-001 | Surface advisory fields in Policy Studio profile editor (signal pickers, reducers). |
+| CONCELIER-RISK-69-001 `Notification hooks` | TODO | Concelier Core Guild, Notifications Guild | CONCELIER-RISK-66-002 | Emit events when advisory signals change impacting risk scores (e.g., fix available). |
+
+## Attestor Console (Epic 19)
+| ID | Status | Owner(s) | Depends on | Notes |
+|----|--------|----------|------------|-------|
+| CONCELIER-ATTEST-73-001 `ScanResults attestation inputs` | TODO | Concelier Core Guild, Attestor Service Guild | ATTEST-TYPES-72-001 | Provide normalized advisory data and linkset digests needed for ScanResults attestations. |
+| CONCELIER-ATTEST-73-002 `Transparency metadata` | TODO | Concelier Core Guild | CONCELIER-ATTEST-73-001 | Ensure Conseiller exposes source digests for transparency proofs and explainability. |
diff --git a/src/StellaOps.Concelier.Merge/TASKS.md b/src/StellaOps.Concelier.Merge/TASKS.md
index 513437e4..894c0c24 100644
--- a/src/StellaOps.Concelier.Merge/TASKS.md
+++ b/src/StellaOps.Concelier.Merge/TASKS.md
@@ -24,3 +24,10 @@
 |FEEDMERGE-COORD-02-901 Connector deadline check-ins|BE-Merge|FEEDMERGE-COORD-02-900|**TODO (due 2025-10-21)** – Confirm Cccs/Cisco normalized-rule branches land, capture `concelier.merge.normalized_rules*` counter screenshots, and update coordination docs with the results.|
 |FEEDMERGE-COORD-02-902 ICS-CISA normalized-rule decision support|BE-Merge, Models|FEEDMERGE-COORD-02-900|**TODO (due 2025-10-23)** – Review ICS-CISA sample advisories, confirm SemVer reuse vs new firmware scheme, pre-stage Models ticket template, and document outcome in coordination docs + tracker files.|
 |FEEDMERGE-COORD-02-903 KISA firmware scheme review|BE-Merge, Models|FEEDMERGE-COORD-02-900|**TODO (due 2025-10-24)** – Pair with KISA team on proposed firmware scheme (`kisa.build` or variant), ensure builder alignment, open Models ticket if required, and log decision in coordination docs + tracker files.|
+
+## Link-Not-Merge v1 Transition
+| Task | Owner(s) | Depends on | Notes |
+|---|---|---|---|
+|MERGE-LNM-21-001 Migration plan authoring|BE-Merge, Architecture Guild|CONCELIER-LNM-21-101|Draft `no-merge` migration playbook, documenting backfill strategy, feature flag rollout, and rollback steps for legacy merge pipeline deprecation.|
+|MERGE-LNM-21-002 Merge service deprecation|BE-Merge|MERGE-LNM-21-001|Refactor or retire `AdvisoryMergeService` and related pipelines, ensuring callers transition to observation/linkset APIs; add compile-time analyzer preventing merge service usage.|
+|MERGE-LNM-21-003 Determinism/test updates|QA Guild, BE-Merge|MERGE-LNM-21-002|Replace merge determinism suites with observation/linkset regression tests verifying no data mutation and conflicts remain visible.|
diff --git a/src/StellaOps.Concelier.Storage.Mongo/TASKS.md b/src/StellaOps.Concelier.Storage.Mongo/TASKS.md
index e9ddf5cc..28a0a399 100644
--- a/src/StellaOps.Concelier.Storage.Mongo/TASKS.md
+++ b/src/StellaOps.Concelier.Storage.Mongo/TASKS.md
@@ -1,24 +1,22 @@
-# TASKS
-| Task | Owner(s) | Depends on | Notes |
-|---|---|---|---|
-|MongoBootstrapper to create collections/indexes|BE-Storage|Storage.Mongo|DONE – `MongoBootstrapper` ensures collections & indexes incl. TTL on locks.ttlAt.|
-|SourceState repository (get/set/backoff)|BE-Conn-Base|Storage.Mongo|DONE – implemented `MongoSourceStateRepository`.|
-|Document/DTO stores with SHA/metadata|BE-Conn-Base|Storage.Mongo|DONE – DocumentStore and DtoStore provide upsert/status lookups.|
-|AdvisoryStore (GetAllAsync etc.)|BE-Export|Models|DONE – AdvisoryStore handles upsert + recent/advisory fetches.|
-|Job store (runs/active/recent)|BE-Core|Storage.Mongo|DONE – `MongoJobStore` covers create/start/complete queries.|
-|Alias and reference secondary indexes|BE-Storage|Models|DONE – bootstrapper builds alias/reference indexes.|
-|MergeEvent store|BE-Merge|Models|DONE – MergeEventStore appends/retrieves recent events.|
-|ExportState store|BE-Export|Exporters|DONE – ExportStateStore upserts and retrieves exporter metadata.|
-|Performance tests for large advisories|QA|Storage.Mongo|DONE – `AdvisoryStorePerformanceTests` exercises large payload upsert/find throughput budgets.|
-|Migration playbook for schema/index changes|BE-Storage|Storage.Mongo|DONE – `MongoMigrationRunner` executes `IMongoMigration` steps recorded in `schema_migrations`; see `MIGRATIONS.md`.|
-|Raw document retention/TTL strategy|BE-Storage|Storage.Mongo|DONE – retention options flow into `RawDocumentRetentionService` and TTL migrations for `document`/GridFS indexes.|
-|Persist last failure reason in SourceState|BE-Storage|Storage.Mongo|DONE – `MongoSourceStateRepository.MarkFailureAsync` stores `lastFailureReason` with length guard + reset on success.|
-|AdvisoryStore range primitives deserialization|BE-Storage|Models|DONE – BSON helpers handle `RangePrimitives`; regression test covers SemVer/NEVRA/EVR envelopes persisted through Mongo.|
-|FEEDSTORAGE-DATA-03-001 Merge event provenance audit
prep|BE-Storage|Merge|DONE – merge events now persist field-level decision reasons via `MergeFieldDecision` documents for analytics. **Coordination:** log any new precedence signals to storage@ so indexes/serializers stay aligned.|
-|FEEDSTORAGE-DATA-02-001 Normalized range dual-write + backfill|BE-Storage|Core|**DONE (2025-10-12)** – `AdvisoryStore` honors `EnableSemVerStyle`, dual-writes normalized docs, and SemVer backfill migration registered for staged rollout.|
-|FEEDSTORAGE-TESTS-02-004 Restore AdvisoryStore build after normalized versions refactor|QA|Storage.Mongo|DONE – storage tests updated to cover normalized version payloads and new provenance fields. **Heads-up:** QA to watch for fixture bumps touching normalized rule arrays when connectors roll out support.|
-|FEEDSTORAGE-DATA-02-002 Provenance decision persistence|BE-Storage|Models `FEEDMODELS-SCHEMA-01-002`|**DONE (2025-10-12)** – Normalized documents carry decision reasons/source/timestamps with regression coverage verifying SemVer notes + provenance fallbacks.|
-|FEEDSTORAGE-DATA-02-003 Normalized versions index creation|BE-Storage|Normalization, Mongo bootstrapper|**DONE (2025-10-12)** – Bootstrapper seeds `normalizedVersions.*` indexes when SemVer style is enabled; docs/tests confirm index presence.|
-|FEEDSTORAGE-DATA-04-001 Advisory payload parity (description/CWEs/canonical metric)|BE-Storage|Models, Core|DONE (2025-10-15) – Mongo payloads round-trip new advisory fields; serializer/tests updated, no migration required beyond optional backfill.|
-|FEEDSTORAGE-MONGO-08-001 Causal-consistent session plumbing|BE-Storage|Concelier Core DI|**DONE (2025-10-19)** – Scoped session provider now caches causal-consistent handles per scope, repositories accept optional sessions end-to-end, and new Mongo session consistency tests cover read-your-write + post-stepdown monotonic reads.|
-|FEEDSTORAGE-DATA-07-001 Advisory statement & conflict collections|Team Normalization & Storage
Backbone|FEEDMERGE-ENGINE-07-001|**DONE (2025-10-19)** – Added immutable `advisory_statements`/`advisory_conflicts` collections, bootstrapper + migration ensuring vulnerability/asOf + hash indexes, new stores (`AdvisoryStatementStore`, `AdvisoryConflictStore`), and docs outlining rollback. Tests: `dotnet test src/StellaOps.Concelier.Storage.Mongo.Tests/StellaOps.Concelier.Storage.Mongo.Tests.csproj`.|
+# TASKS — Epic 1: Aggregation-Only Contract
+> **AOC Reminder:** storage enforces append-only raw documents; no precedence/severity/normalization in ingestion collections.
+| ID | Status | Owner(s) | Depends on | Notes |
+|---|---|---|---|---|
+| CONCELIER-STORE-AOC-19-001 `advisory_raw schema validator` | TODO | Concelier Storage Guild | Mongo cluster ops sign-off | Author MongoDB JSON schema enforcing required fields (`source`, `upstream`, `content`, `linkset`, `tenant`) and forbidding normalized/severity fields. Include migration toggles for staged rollout. |
+| CONCELIER-STORE-AOC-19-002 `idempotency unique index` | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-001 | Create compound unique index on `(source.vendor, upstream.upstream_id, upstream.content_hash, tenant)` with backfill script verifying existing data, and document offline validator bootstrap. |
+| CONCELIER-STORE-AOC-19-003 `append-only supersedes migration` | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-002 | Introduce migration that freezes legacy `advisories` writes, copies data into `_backup_*`, and backfills supersedes pointers for raw revisions. Provide rollback plan. |
+| CONCELIER-STORE-AOC-19-004 `validator deployment playbook` | TODO | Concelier Storage Guild, DevOps Guild | CONCELIER-STORE-AOC-19-001 | Update `MIGRATIONS.md` and Offline Kit docs to cover enabling validators, rolling restarts, and validator smoke tests for air-gapped installs.
|
+
+## Policy Engine v2
+
+| ID | Status | Owner(s) | Depends on | Notes |
+|----|--------|----------|------------|-------|
+| CONCELIER-POLICY-20-003 `Selection cursors` | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-002, POLICY-ENGINE-20-003 | Add advisory/vex selection cursors (per policy run) with change stream checkpoints, indexes, and offline migration scripts to support incremental evaluations. |
+
+## Link-Not-Merge v1
+
+| ID | Status | Owner(s) | Depends on | Notes |
+|----|--------|----------|------------|-------|
+| CONCELIER-LNM-21-101 `Observations collections` | TODO | Concelier Storage Guild | CONCELIER-LNM-21-001 | Provision `advisory_observations` and `advisory_linksets` collections with hashed shard keys, TTL for ingest metadata, and required indexes (`aliases`, `purls`, `observation_ids`). |
+| CONCELIER-LNM-21-102 `Migration tooling` | TODO | Concelier Storage Guild, DevOps Guild | CONCELIER-LNM-21-101 | Backfill legacy merged advisories into observation/linkset collections, create tombstones for merged docs, and supply rollback scripts. |
+| CONCELIER-LNM-21-103 `Blob/store wiring` | TODO | Concelier Storage Guild | CONCELIER-LNM-21-101 | Store large raw payloads in object storage with pointers from observations; update bootstrapper/offline kit to seed sample blobs. |
diff --git a/src/StellaOps.Concelier.WebService/TASKS.md b/src/StellaOps.Concelier.WebService/TASKS.md
index 4777f51c..541fcb72 100644
--- a/src/StellaOps.Concelier.WebService/TASKS.md
+++ b/src/StellaOps.Concelier.WebService/TASKS.md
@@ -1,28 +1,86 @@ -# TASKS -| Task | Owner(s) | Depends on | Notes | -|---|---|---|---| -|FEEDWEB-EVENTS-07-001 Advisory event replay API|Concelier WebService Guild|FEEDCORE-ENGINE-07-001|**DONE (2025-10-19)** – Added `/concelier/advisories/{vulnerabilityKey}/replay` endpoint with optional `asOf`, hex hashes, and conflict payloads; integration covered via `dotnet test src/StellaOps.Concelier.WebService.Tests/StellaOps.Concelier.WebService.Tests.csproj`.| -|Bind & validate ConcelierOptions|BE-Base|WebService|DONE – options bound/validated with failure logging.| -|Mongo service wiring|BE-Base|Storage.Mongo|DONE – wiring delegated to `AddMongoStorage`.| -|Bootstrapper execution on start|BE-Base|Storage.Mongo|DONE – startup calls `MongoBootstrapper.InitializeAsync`.| -|Plugin host options finalization|BE-Base|Plugins|DONE – default plugin directories/search patterns configured.| -|Jobs API contract tests|QA|Core|DONE – WebServiceEndpointsTests now cover success payloads, filtering, and trigger outcome mapping.| -|Health/Ready probes|DevOps|Ops|DONE – `/health` and `/ready` endpoints implemented.| -|Serilog + OTEL integration hooks|BE-Base|Observability|DONE – `TelemetryExtensions` wires Serilog + OTEL with configurable exporters.| -|Register built-in jobs (sources/exporters)|BE-Base|Core|DONE – AddBuiltInConcelierJobs adds fallback scheduler definitions for core connectors and exporters via reflection.| -|HTTP problem details consistency|BE-Base|WebService|DONE – API errors now emit RFC7807 responses with trace identifiers and typed problem categories.| -|Request logging and metrics|BE-Base|Observability|DONE – Serilog request logging enabled with enriched context and web.jobs counters published via OpenTelemetry.| -|Endpoint smoke tests (health/ready/jobs error paths)|QA|WebService|DONE – WebServiceEndpointsTests assert success and problem responses for health, ready, and job trigger error paths.| -|Batch job definition last-run lookup|BE-Base|Core|DONE – definitions 
endpoint now precomputes kinds array and reuses batched last-run dictionary; manual smoke verified via local GET `/jobs/definitions`.| -|Add no-cache headers to health/readiness/jobs APIs|BE-Base|WebService|DONE – helper applies Cache-Control/Pragma/Expires on all health/ready/jobs endpoints; awaiting automated probe tests once connector fixtures stabilize.| -|Authority configuration parity (FSR1)|DevEx/Concelier|Authority options schema|**DONE (2025-10-10)** – Options post-config loads clientSecretFile fallback, validators normalize scopes/audiences, and sample config documents issuer/credential/bypass settings.| -|Document authority toggle & scope requirements|Docs/Concelier|Authority integration|**DONE (2025-10-21)** – Quickstart now documents staging flag, client credentials, env overrides; operator guide refresh merged. Remaining copy polishing is tracked under `DOCS-CONCELIER-07-201` in `docs/TASKS.md`.| -|Plumb Authority client resilience options|BE-Base|Auth libraries LIB5|**DONE (2025-10-12)** – `Program.cs` wires `authority.resilience.*` + client scopes into `AddStellaOpsAuthClient`; new integration test asserts binding and retries.| -|Author ops guidance for resilience tuning|Docs/Concelier|Plumb Authority client resilience options|**DONE (2025-10-12)** – `docs/21_INSTALL_GUIDE.md` + `docs/ops/concelier-authority-audit-runbook.md` document resilience profiles for connected vs air-gapped installs and reference monitoring cues.| -|Document authority bypass logging patterns|Docs/Concelier|FSR3 logging|**DONE (2025-10-12)** – Updated operator guides clarify `Concelier.Authorization.Audit` fields (route/status/subject/clientId/scopes/bypass/remote) and SIEM triggers.| -|Update Concelier operator guide for enforcement cutoff|Docs/Concelier|FSR1 rollout|**DONE (2025-10-12)** – Installation guide emphasises disabling `allowAnonymousFallback` before 2025-12-31 UTC and connects audit signals to the rollout checklist.| -|Rename plugin drop directory to namespaced 
path|BE-Base|Plugins|**DONE (2025-10-19)** – Build outputs now target `StellaOps.Concelier.PluginBinaries`/`StellaOps.Authority.PluginBinaries`, plugin host defaults updated, config/docs refreshed, and `dotnet test src/StellaOps.Concelier.WebService.Tests/StellaOps.Concelier.WebService.Tests.csproj --no-restore` covers the change.| -|Authority resilience adoption|Concelier WebService, Docs|Plumb Authority client resilience options|**BLOCKED (2025-10-10)** – Roll out retry/offline knobs to deployment docs and confirm CLI parity once LIB5 lands; unblock after resilience options wired and tested.| -|CONCELIER-WEB-08-201 – Mirror distribution endpoints|Concelier WebService Guild|CONCELIER-EXPORT-08-201, DEVOPS-MIRROR-08-001|**DONE (2025-10-20)** – Mirror endpoints now enforce per-domain rate limits, emit cache headers, honour Authority/WWW-Authenticate, and docs cover auth + smoke workflows.| -> Remark (2025-10-20): Updated ops runbook with token/rate-limit checks and added API tests for Retry-After + unauthorized flows.| -|Wave 0B readiness checkpoint|Team WebService & Authority|Wave 0A completion|BLOCKED (2025-10-19) – FEEDSTORAGE-MONGO-08-001 closed, but remaining Wave 0A items (AUTH-DPOP-11-001, AUTH-MTLS-11-002, PLUGIN-DI-08-001) still open; maintain current DOING workstreams only.| +# TASKS — Epic 1: Aggregation-Only Contract +> **AOC Reminder:** service links and exposes raw data only—no precedence, severity, or hint computation inside Concelier APIs. +| ID | Status | Owner(s) | Depends on | Notes | +|---|---|---|---|---| +| CONCELIER-WEB-AOC-19-001 `Raw ingestion endpoints` | TODO | Concelier WebService Guild | CONCELIER-CORE-AOC-19-001, CONCELIER-STORE-AOC-19-001 | Implement `POST /ingest/advisory`, `GET /advisories/raw*`, and `POST /aoc/verify` minimal API endpoints. Enforce new Authority scopes, inject tenant claims, and surface `AOCWriteGuard` to repository calls. 
| +| CONCELIER-WEB-AOC-19-002 `AOC observability` | TODO | Concelier WebService Guild, Observability Guild | CONCELIER-WEB-AOC-19-001 | Emit `ingestion_write_total`, `aoc_violation_total`, latency histograms, and tracing spans (`ingest.fetch/transform/write`, `aoc.guard`). Wire structured logging to include tenant, source vendor, upstream id, and content hash. | +| CONCELIER-WEB-AOC-19-003 `Schema/guard unit tests` | TODO | QA Guild | CONCELIER-WEB-AOC-19-001 | Add unit tests covering schema validation failures, forbidden field rejections (`ERR_AOC_001/002/006/007`), idempotent upserts, and supersedes chains using deterministic fixtures. | +| CONCELIER-WEB-AOC-19-004 `End-to-end ingest verification` | TODO | Concelier WebService Guild, QA Guild | CONCELIER-WEB-AOC-19-003, CONCELIER-CORE-AOC-19-002 | Create integration tests ingesting large advisory batches (cold/warm) validating linkset enrichment, metrics emission, and reproducible outputs. Capture load-test scripts + doc notes for Offline Kit dry runs. | + +## Policy Engine v2 + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| CONCELIER-POLICY-20-001 `Policy selection endpoints` | TODO | Concelier WebService Guild | WEB-POLICY-20-001, CONCELIER-CORE-AOC-19-004 | Add batch advisory lookup APIs (`/policy/select/advisories`, `/policy/select/vex`) optimized for PURL/ID lists with pagination, tenant scoping, and explain metadata. | + +## StellaOps Console (Sprint 23) + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| CONCELIER-CONSOLE-23-001 `Advisory aggregation views` | TODO | Concelier WebService Guild, BE-Base Platform Guild | CONCELIER-LNM-21-201, CONCELIER-LNM-21-202 | Expose `/console/advisories` endpoints returning aggregation groups (per linkset) with source chips, severity summaries, and provenance metadata for Console list + dashboard cards. 
Support filters by source, ecosystem, published/modified window, tenant enforcement. | +| CONCELIER-CONSOLE-23-002 `Dashboard deltas API` | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-001, CONCELIER-LNM-21-203 | Provide aggregated advisory delta counts (new, modified, conflicting) for Console dashboard + live status ticker; emit structured events for queue lag metrics. Ensure deterministic counts across repeated queries. | +| CONCELIER-CONSOLE-23-003 `Search fan-out helpers` | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-001 | Deliver fast lookup endpoints for CVE/GHSA/purl search (linksets, observations) returning evidence fragments for Console global search; implement caching + scope guards. | + +## Graph Explorer v1 + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| CONCELIER-GRAPH-21-003 `SBOM projection API` | TODO | Concelier WebService Guild, Cartographer Guild | CONCELIER-GRAPH-21-001 | Expose normalized SBOM projection endpoint (`/sboms/{id}/projections/graph`) with pagination, tenant guard, and versioning metadata for Cartographer builds. | +| CONCELIER-GRAPH-21-004 `Entry point registry` | TODO | Concelier WebService Guild | CONCELIER-GRAPH-21-003, SBOM-SERVICE-21-001 | Provide entrypoint/service node lookup API for Cartographer path relevance (configurable overrides, tagging) and document contract. | + +## Link-Not-Merge v1 + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| CONCELIER-LNM-21-201 `Observation APIs` | TODO | Concelier WebService Guild, BE-Base Platform Guild | CONCELIER-LNM-21-001 | Add REST endpoints for advisory observations (`GET /advisories/observations`) with filters (alias, purl, source), pagination, and tenancy enforcement. 
| +| CONCELIER-LNM-21-202 `Linkset APIs` | TODO | Concelier WebService Guild | CONCELIER-LNM-21-002, CONCELIER-LNM-21-003 | Implement linkset read/export endpoints (`/advisories/linksets/{id}`, `/advisories/by-purl/{purl}`, `/advisories/linksets/{id}/export`, `/evidence`) with correlation/conflict payloads and `ERR_AGG_*` mapping. | +| CONCELIER-LNM-21-203 `Ingest events` | TODO | Concelier WebService Guild, Platform Events Guild | CONCELIER-LNM-21-005 | Publish NATS/Redis events for new observations/linksets and ensure idempotent consumer contracts; document event schemas. | + +## Graph & Vuln Explorer v1 + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| CONCELIER-GRAPH-24-101 `Advisory summary API` | TODO | Concelier WebService Guild | CONCELIER-GRAPH-24-001 | Expose `/advisories/summary` returning raw linkset/observation metadata for overlay services; no derived severity or fix hints. | +| CONCELIER-GRAPH-24-102 `Evidence batch API` | TODO | Concelier WebService Guild | CONCELIER-LNM-21-201 | Add batch fetch for advisory observations/linksets keyed by component sets to feed Graph overlay tooltips efficiently. | + +## Vulnerability Explorer (Sprint 29) + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| CONCELIER-VULN-29-001 `Advisory key normalization` | TODO | Concelier WebService Guild, Data Integrity Guild | CONCELIER-LNM-21-001 | Normalize advisory identifiers (CVE/GHSA/vendor) into canonical `advisory_key`, persist `links[]`, expose raw payload snapshots for Explorer evidence tabs. Include migration/backfill scripts. | +| CONCELIER-VULN-29-002 `Evidence retrieval API` | TODO | Concelier WebService Guild | CONCELIER-VULN-29-001, VULN-API-29-003 | Provide `/vuln/evidence/advisories/{advisory_key}` returning raw advisory docs with provenance, filtering by tenant and source. 
| +| CONCELIER-VULN-29-004 `Observability enhancements` | TODO | Concelier WebService Guild, Observability Guild | CONCELIER-VULN-29-001 | Instrument metrics/logs for advisory normalization (key collisions, withdrawn flags), emit events consumed by Vuln Explorer resolver. | + +## Advisory AI (Sprint 31) + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| CONCELIER-AIAI-31-001 `Paragraph anchors` | TODO | Concelier WebService Guild | CONCELIER-VULN-29-001 | Expose advisory chunk API returning paragraph anchors, section metadata, and token-safe text for Advisory AI retrieval. | +| CONCELIER-AIAI-31-002 `Structured fields` | TODO | Concelier WebService Guild | CONCELIER-AIAI-31-001 | Ensure normalized advisories expose workaround/fix/CVSS fields via API; add caching for summary queries. | +| CONCELIER-AIAI-31-003 `Advisory AI telemetry` | TODO | Concelier WebService Guild, Observability Guild | CONCELIER-AIAI-31-001 | Emit metrics/logs for chunk requests, cache hits, and guardrail blocks triggered by advisory payloads. | + +## Observability & Forensics (Epic 15) +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| CONCELIER-WEB-OBS-50-001 `Telemetry adoption` | TODO | Concelier WebService Guild | TELEMETRY-OBS-50-001, CONCELIER-OBS-50-001 | Adopt telemetry core in web service host, ensure ingest + read endpoints emit trace/log fields (`tenant_id`, `route`, `decision_effect`), and add correlation IDs to responses. | +| CONCELIER-WEB-OBS-51-001 `Observability APIs` | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-50-001, WEB-OBS-51-001 | Surface ingest health metrics, queue depth, and SLO status via `/obs/concelier/health` endpoint for Console widgets, with caching and tenant partitioning. 
| +| CONCELIER-WEB-OBS-52-001 `Timeline streaming` | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-50-001, TIMELINE-OBS-52-003 | Provide SSE stream `/obs/concelier/timeline` bridging to Timeline Indexer with paging tokens, guardrails, and audit logging. | +| CONCELIER-WEB-OBS-53-001 `Evidence locker integration` | TODO | Concelier WebService Guild, Evidence Locker Guild | CONCELIER-OBS-53-001, EVID-OBS-53-003 | Add `/evidence/advisories/*` routes invoking evidence locker snapshots, verifying tenant scopes (`evidence:read`), and returning signed manifest metadata. | +| CONCELIER-WEB-OBS-54-001 `Attestation exposure` | TODO | Concelier WebService Guild | CONCELIER-OBS-54-001, PROV-OBS-54-001 | Provide `/attestations/advisories/*` read APIs surfacing DSSE status, verification summary, and provenance chain for Console/CLI. | +| CONCELIER-WEB-OBS-55-001 `Incident mode toggles` | TODO | Concelier WebService Guild, DevOps Guild | CONCELIER-OBS-55-001, WEB-OBS-55-001 | Implement incident mode toggle endpoints, propagate to orchestrator/locker, and document cooldown/backoff semantics. | + +## Air-Gapped Mode (Epic 16) +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| CONCELIER-WEB-AIRGAP-56-001 `Mirror import APIs` | TODO | Concelier WebService Guild | AIRGAP-IMP-58-001, CONCELIER-AIRGAP-56-001 | Extend ingestion endpoints to register mirror bundle sources, expose bundle catalog queries, and block external feed URLs in sealed mode. | +| CONCELIER-WEB-AIRGAP-56-002 `Airgap status surfaces` | TODO | Concelier WebService Guild | CONCELIER-AIRGAP-57-002, AIRGAP-CTL-56-002 | Add staleness metadata and bundle provenance to advisory APIs (`/advisories/observations`, `/advisories/linksets`). | +| CONCELIER-WEB-AIRGAP-57-001 `Error remediation` | TODO | Concelier WebService Guild, AirGap Policy Guild | AIRGAP-POL-56-001 | Map sealed-mode violations to `AIRGAP_EGRESS_BLOCKED` responses with user guidance. 
| +| CONCELIER-WEB-AIRGAP-58-001 `Import timeline emission` | TODO | Concelier WebService Guild, AirGap Importer Guild | CONCELIER-WEB-AIRGAP-56-001, TIMELINE-OBS-53-001 | Emit timeline events for bundle ingestion operations with bundle ID, scope, and actor metadata. | + +## SDKs & OpenAPI (Epic 17) +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| CONCELIER-WEB-OAS-61-001 `/.well-known/openapi` | TODO | Concelier WebService Guild | OAS-61-001 | Implement discovery endpoint emitting Concelier spec with version metadata and ETag. | +| CONCELIER-WEB-OAS-61-002 `Error envelope migration` | TODO | Concelier WebService Guild | APIGOV-61-001 | Ensure all API responses use standardized error envelope; update controllers/tests. | +| CONCELIER-WEB-OAS-62-001 `Examples expansion` | TODO | Concelier WebService Guild | CONCELIER-OAS-61-002 | Add curated examples for advisory observations/linksets/conflicts; integrate into dev portal. | +| CONCELIER-WEB-OAS-63-001 `Deprecation headers` | TODO | Concelier WebService Guild, API Governance Guild | APIGOV-63-001 | Add Sunset/Deprecation headers for retiring endpoints and update documentation/notifications. | diff --git a/src/StellaOps.Cryptography.Kms/AGENTS.md b/src/StellaOps.Cryptography.Kms/AGENTS.md new file mode 100644 index 00000000..8e7ebbe6 --- /dev/null +++ b/src/StellaOps.Cryptography.Kms/AGENTS.md 
@@ -0,0 +1,14 @@
+# KMS & Key Management Guild Charter
+
+## Mission
+Provide key management abstractions and drivers (file, cloud KMS, HSM, FIDO2) for signing and verification workflows.
+
+## Scope
+- Key store interfaces, secure configuration loading, and audit logging.
+- Drivers for file-based development keys, cloud KMS providers, PKCS#11 HSMs, and FIDO2 devices.
+- Key rotation, revocation, and attestation for keys used in signing.
+
+## Definition of Done
+- KMS API supports signing, verification, key metadata, rotation, and revocation.
+- Drivers pass integration tests and security review.
+- CLI/Console can manage keys using these abstractions.
diff --git a/src/StellaOps.Cryptography.Kms/TASKS.md b/src/StellaOps.Cryptography.Kms/TASKS.md
new file mode 100644
index 00000000..2c19b666
--- /dev/null
+++ b/src/StellaOps.Cryptography.Kms/TASKS.md
@@ -0,0 +1,13 @@
+# KMS Task Board — Epic 19: Attestor Console
+
+## Sprint 72 – Abstractions & File Driver
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| KMS-72-001 | TODO | KMS Guild | — | Implement KMS interface (sign, verify, metadata, rotate, revoke) and file-based key driver with encrypted at-rest storage. | Interface + file driver operational; unit tests cover sign/verify/rotation; lint passes. |
+| KMS-72-002 | TODO | KMS Guild | KMS-72-001 | Add CLI support for importing/exporting file-based keys with password protection. | CLI commands functional; docs updated; integration tests pass. |
+
+## Sprint 73 – Cloud & HSM Integration
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| KMS-73-001 | TODO | KMS Guild | KMS-72-001 | Add cloud KMS driver (e.g., AWS KMS, GCP KMS) with signing and key metadata retrieval. | Cloud driver tested with mock; configuration documented; security review sign-off. |
+| KMS-73-002 | TODO | KMS Guild | KMS-72-001 | Implement PKCS#11/HSM driver plus FIDO2 signing support for high assurance workflows. | HSM/FIDO2 drivers tested with hardware stubs; error handling documented. |
diff --git a/src/StellaOps.DevPortal.Site/AGENTS.md b/src/StellaOps.DevPortal.Site/AGENTS.md
new file mode 100644
index 00000000..acca2bf9
--- /dev/null
+++ b/src/StellaOps.DevPortal.Site/AGENTS.md
@@ -0,0 +1,15 @@
+# Developer Portal Guild Charter
+
+## Mission
+Deliver the StellaOps developer portal with interactive API reference, SDK documentation, runnable examples, and offline export capability.
+
+## Scope
+- Static site generator integrating OpenAPI specs, code examples, and SDK docs.
+- Search, schema diagrams, try-it console (non-prod), copy-curl snippets.
+- Version selector for API major versions and changelog integration.
+- Offline bundle build compatible with air-gapped environments.
+
+## Definition of Done
+- Portal rebuilds deterministically from specs/examples; CI publishes artifacts.
+- Search, schema visuals, examples verified via automated tests.
+- Offline bundle renders without external dependencies.
diff --git a/src/StellaOps.DevPortal.Site/TASKS.md b/src/StellaOps.DevPortal.Site/TASKS.md
new file mode 100644
index 00000000..1258ab29
--- /dev/null
+++ b/src/StellaOps.DevPortal.Site/TASKS.md
@@ -0,0 +1,19 @@
+# Developer Portal Task Board — Epic 17: SDKs & OpenAPI Docs
+
+## Sprint 62 – Static Generator Foundations
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DEVPORT-62-001 | TODO | Developer Portal Guild | OAS-61-002 | Select static site generator, integrate aggregate spec, build navigation + search scaffolding. | Portal builds locally; nav/search operational; CI pipeline in place. |
+| DEVPORT-62-002 | TODO | Developer Portal Guild | DEVPORT-62-001 | Implement schema viewer, example rendering, copy-curl snippets, and version selector UI. | Schema diagrams render; examples tested; version selector toggles spec; accessibility check passes. |
+
+## Sprint 63 – Try-It & Integration
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DEVPORT-63-001 | TODO | Developer Portal Guild, Platform Guild | DEVPORT-62-002 | Add Try-It console pointing at sandbox environment with token onboarding and scope info. | Try-It executes against sandbox; safeguards enforce read-only; telemetry recorded. |
+| DEVPORT-63-002 | TODO | Developer Portal Guild, SDK Generator Guild | DEVPORT-62-002, SDKGEN-63-001..4 | Embed language-specific SDK snippets and quick starts generated from tested examples. | Snippets pulled from CI-verified examples; portal tests ensure freshness. |
+
+## Sprint 64 – Offline Bundle & QA
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DEVPORT-64-001 | TODO | Developer Portal Guild, Export Center Guild | DEVPORT-63-001, SDKREL-64-002 | Provide offline build target bundling HTML, specs, SDK archives; ensure no external assets. | Offline bundle verified in sealed environment; docs updated. 
|
+| DEVPORT-64-002 | TODO | Developer Portal Guild | DEVPORT-63-001 | Add automated accessibility tests, link checker, and performance budgets. | CI checks added; budgets enforced; reports archived. |
diff --git a/src/StellaOps.EvidenceLocker/AGENTS.md b/src/StellaOps.EvidenceLocker/AGENTS.md
new file mode 100644
index 00000000..43bc666f
--- /dev/null
+++ b/src/StellaOps.EvidenceLocker/AGENTS.md
@@ -0,0 +1,28 @@
+# Evidence Locker Service — Agent Charter
+
+## Mission
+Implement the append-only, tenant-scoped evidence locker detailed in Epic 15. Produce immutable evidence bundles, manage legal holds, and expose verification APIs for Console and CLI consumers under the imposed rule.
+
+## Responsibilities
+- Define object store layout, metadata DB schemas, and retention policies.
+- Build bundle assembly pipelines (evaluation, job, export) with Merkle manifests and DSSE signing.
+- Provide verification, download, and legal hold APIs with audit trails.
+- Integrate with Timeline Indexer, Exporter, Orchestrator, Policy Engine, Concelier, and Excitator for provenance linking.
+
+## Coordination
+- Work with Provenance Guild for signature tooling.
+- Partner with DevOps Guild on storage backends and WORM options.
+- Align with Security Guild on redaction and access enforcement.
+
+## Definition of Done
+- Deterministic bundle generation proven via integration tests.
+- Object store interactions tested in offline mode.
+- Runbooks in `/docs/forensics/evidence-locker.md` updated per release.
+
+## Module Layout
+- `StellaOps.EvidenceLocker.Core/` — domain models, bundle contracts, deterministic hashing helpers.
+- `StellaOps.EvidenceLocker.Infrastructure/` — storage abstractions, persistence plumbing, and external integrations.
+- `StellaOps.EvidenceLocker.WebService/` — HTTP entry points (minimal API host, OpenAPI, auth).
+- `StellaOps.EvidenceLocker.Worker/` — background assembly/verification pipelines.
+- `StellaOps.EvidenceLocker.Tests/` — unit tests (xUnit) for core/infrastructure components.
+- `StellaOps.EvidenceLocker.sln` — solution aggregating the module projects.
diff --git a/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Class1.cs b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Class1.cs
new file mode 100644
index 00000000..f0526cd7
--- /dev/null
+++ b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Class1.cs
@@ -0,0 +1,6 @@
+namespace StellaOps.EvidenceLocker.Core;
+
+public class Class1
+{
+
+}
diff --git a/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/StellaOps.EvidenceLocker.Core.csproj b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/StellaOps.EvidenceLocker.Core.csproj
new file mode 100644
index 00000000..fe0eef44
--- /dev/null
+++ b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/StellaOps.EvidenceLocker.Core.csproj
@@ -0,0 +1,18 @@
+ + + + + + + + + net10.0 + enable + enable + preview + true + + + + +
diff --git a/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Class1.cs b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Class1.cs
new file mode 100644
index 00000000..76ce8382
--- /dev/null
+++ b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Class1.cs
@@ -0,0 +1,6 @@
+namespace StellaOps.EvidenceLocker.Infrastructure;
+
+public class Class1
+{
+
+}
diff --git a/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/StellaOps.EvidenceLocker.Infrastructure.csproj b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/StellaOps.EvidenceLocker.Infrastructure.csproj
new file mode 100644
index 00000000..257f0bdf
--- /dev/null
+++ b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/StellaOps.EvidenceLocker.Infrastructure.csproj
@@ -0,0 +1,28 @@
+ + + + + + + + + + + + + + + + + + + net10.0 + enable + enable + preview + true + + + + +
diff --git a/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj
new file mode 100644
index 00000000..b035d61a
--- /dev/null
+++ b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/StellaOps.EvidenceLocker.Tests.csproj
@@ -0,0 +1,135 @@ + + + + + + + + + + + + + Exe + + + + + false + + + + + + + + + + + + + + net10.0 + + + enable + + + enable + + + false + + + preview + + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/UnitTest1.cs b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/UnitTest1.cs new file mode 100644 index 00000000..4f92503f --- /dev/null +++ b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/UnitTest1.cs @@ -0,0 +1,10 @@ +namespace StellaOps.EvidenceLocker.Tests; + +public class UnitTest1 +{ + [Fact] + public void Test1() + { + + } +} diff --git a/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/xunit.runner.json b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/xunit.runner.json new file mode 100644 index 00000000..86c7ea05 --- /dev/null +++ b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Tests/xunit.runner.json @@ -0,0 +1,3 @@ +{ + "$schema": "https://xunit.net/schema/current/xunit.runner.schema.json" +} diff --git a/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/Program.cs b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/Program.cs new file mode 100644 index 00000000..ee9d65d6 --- /dev/null +++ b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/Program.cs 
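Review bot: `Test1` in UnitTest1.cs has an empty body, so the new test project reports a passing test while asserting nothing, and a vacuous green result can hide a test pipeline that is not actually exercising the locker. Either delete the placeholder until the first Core/Infrastructure component exists or make its status visible, e.g. `[Fact(Skip = "Placeholder until evidence-locker components exist")]`, so the runner reports it as skipped rather than passed.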
@@ -0,0 +1,41 @@
+var builder = WebApplication.CreateBuilder(args);
+
+// Add services to the container.
+// Learn more about configuring OpenAPI at https://aka.ms/aspnet/openapi
+builder.Services.AddOpenApi();
+
+var app = builder.Build();
+
+// Configure the HTTP request pipeline.
+if (app.Environment.IsDevelopment())
+{
+ app.MapOpenApi();
+}
+
+app.UseHttpsRedirection();
+
+var summaries = new[]
+{
+ "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
+};
+
+app.MapGet("/weatherforecast", () =>
+{
+ var forecast = Enumerable.Range(1, 5).Select(index =>
+ new WeatherForecast
+ (
+ DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
+ Random.Shared.Next(-20, 55),
+ summaries[Random.Shared.Next(summaries.Length)]
+ ))
+ .ToArray();
+ return forecast;
+})
+.WithName("GetWeatherForecast");
+
+app.Run();
+
+record WeatherForecast(DateOnly Date, int TemperatureC, string? Summary)
+{
+ public int TemperatureF => 32 + (int)(TemperatureC / 0.5556);
+}
diff --git a/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/Properties/launchSettings.json b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/Properties/launchSettings.json
new file mode 100644
index 00000000..a91c327e
--- /dev/null
+++ b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/Properties/launchSettings.json
@@ -0,0 +1,23 @@
+{
+ "$schema": "https://json.schemastore.org/launchsettings.json",
+ "profiles": {
+ "http": {
+ "commandName": "Project",
+ "dotnetRunMessages": true,
+ "launchBrowser": false,
+ "applicationUrl": "http://localhost:5115",
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ },
+ "https": {
+ "commandName": "Project",
+ "dotnetRunMessages": true,
+ "launchBrowser": false,
+ "applicationUrl": "https://localhost:7010;http://localhost:5115",
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ }
+ }
+}
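Review bot: The WebService `Program.cs` ships the `dotnet new webapi` sample (`/weatherforecast`, `summaries`, the `WeatherForecast` record) and registers no authentication or authorization middleware, while the charter added in this same commit lists auth among the WebService's entry-point responsibilities; only `MapOpenApi()` is gated on `IsDevelopment()`, so the sample route is reachable in every environment. I would remove the sample route and record from the scaffold rather than let an evidence service start life with an unauthenticated endpoint. If it is kept temporarily, `DateTime.Now` should become `DateTime.UtcNow` so the generated dates do not depend on the host's local zone, and a header comment such as `// TODO: scaffold only — replace with evidence bundle/verification endpoints and wire authentication/authorization before exposing this host.` makes the status explicit to the next reader.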
diff --git a/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/StellaOps.EvidenceLocker.WebService.csproj b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/StellaOps.EvidenceLocker.WebService.csproj new file mode 100644 index 00000000..15f9a74e --- /dev/null +++ b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/StellaOps.EvidenceLocker.WebService.csproj @@ -0,0 +1,41 @@ + + + + + + + + + net10.0 + enable + enable + preview + true + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/StellaOps.EvidenceLocker.WebService.http b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/StellaOps.EvidenceLocker.WebService.http new file mode 100644 index 00000000..d6a7ac68 --- /dev/null +++ b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/StellaOps.EvidenceLocker.WebService.http @@ -0,0 +1,6 @@ +@StellaOps.EvidenceLocker.WebService_HostAddress = http://localhost:5115 + +GET {{StellaOps.EvidenceLocker.WebService_HostAddress}}/weatherforecast/ +Accept: application/json + +### diff --git a/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/appsettings.Development.json b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/appsettings.Development.json new file mode 100644 index 00000000..0c208ae9 --- /dev/null +++ b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/appsettings.Development.json @@ -0,0 +1,8 @@ +{ + "Logging": { + "LogLevel": { + "Default": "Information", + "Microsoft.AspNetCore": "Warning" + } + } +} diff --git a/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/appsettings.json b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/appsettings.json new file mode 100644 index 00000000..10f68b8c --- /dev/null +++ b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/appsettings.json 
@@ -0,0 +1,9 @@ +{ + "Logging": { + "LogLevel": { + "Default": "Information", + "Microsoft.AspNetCore": "Warning" + } + }, + "AllowedHosts": "*" +} diff --git a/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/Program.cs b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/Program.cs new file mode 100644 index 00000000..e4ada43e --- /dev/null +++ b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/Program.cs @@ -0,0 +1,7 @@ +using StellaOps.EvidenceLocker.Worker; + +var builder = Host.CreateApplicationBuilder(args); +builder.Services.AddHostedService(); + +var host = builder.Build(); +host.Run(); diff --git a/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/Properties/launchSettings.json b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/Properties/launchSettings.json new file mode 100644 index 00000000..e3692b13 --- /dev/null +++ b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/Properties/launchSettings.json @@ -0,0 +1,12 @@ +{ + "$schema": "https://json.schemastore.org/launchsettings.json", + "profiles": { + "StellaOps.EvidenceLocker.Worker": { + "commandName": "Project", + "dotnetRunMessages": true, + "environmentVariables": { + "DOTNET_ENVIRONMENT": "Development" + } + } + } +} diff --git a/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/StellaOps.EvidenceLocker.Worker.csproj b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/StellaOps.EvidenceLocker.Worker.csproj new file mode 100644 index 00000000..847895fd --- /dev/null +++ b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/StellaOps.EvidenceLocker.Worker.csproj @@ -0,0 +1,43 @@ + + + + + + + + + dotnet-StellaOps.EvidenceLocker.Worker-c74bd053-c14b-412b-a177-12e15fdbe207 + + + net10.0 + enable + enable + preview + true + + + + + + + + + + + + + + + + + + + + + + + + + + + 
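Review bot: `"AllowedHosts": "*"` in the WebService `appsettings.json` hunk leaves the host-filtering middleware accepting any `Host` header, which is the template default rather than a deliberate setting for a tenant-facing evidence service. Pin it to the expected hostnames in the environment-specific settings or the deployment overlay, e.g. `"AllowedHosts": "<evidence-locker-hostname-placeholder>"`, and keep the wildcard only in `appsettings.Development.json`.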
diff --git a/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/Worker.cs b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/Worker.cs
new file mode 100644
index 00000000..2d1c2d7d
--- /dev/null
+++ b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/Worker.cs
@@ -0,0 +1,16 @@
+namespace StellaOps.EvidenceLocker.Worker;
+
+public class Worker(ILogger logger) : BackgroundService
+{
+ protected override async Task ExecuteAsync(CancellationToken stoppingToken)
+ {
+ while (!stoppingToken.IsCancellationRequested)
+ {
+ if (logger.IsEnabled(LogLevel.Information))
+ {
+ logger.LogInformation("Worker running at: {time}", DateTimeOffset.Now);
+ }
+ await Task.Delay(1000, stoppingToken);
+ }
+ }
+}
diff --git a/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/appsettings.Development.json b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/appsettings.Development.json
new file mode 100644
index 00000000..b2dcdb67
--- /dev/null
+++ b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/appsettings.Development.json
@@ -0,0 +1,8 @@
+{
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft.Hosting.Lifetime": "Information"
+ }
+ }
+}
diff --git a/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/appsettings.json b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/appsettings.json
new file mode 100644
index 00000000..b2dcdb67
--- /dev/null
+++ b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Worker/appsettings.json
@@ -0,0 +1,8 @@
+{
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft.Hosting.Lifetime": "Information"
+ }
+ }
+}
diff --git a/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.sln b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.sln
new file mode 100644
index 00000000..f5fb50af
--- /dev/null
+++ b/src/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.sln
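Review bot: `logger.LogInformation("Worker running at: {time}", DateTimeOffset.Now)` stamps the log with local wall-clock time; in a forensics-oriented service log timestamps should be UTC so entries correlate across hosts, so use `DateTimeOffset.UtcNow`. The surrounding one-second heartbeat loop is the unmodified worker template and writes an Information-level line every second; lower it to `LogLevel.Debug`/`LogDebug` or replace the body with the intended evidence-processing loop before this runs outside development. The type arguments on `ILogger` here and on `AddHostedService` in the Worker `Program.cs` hunk on the previous line appear to have been lost in rendering; if the file genuinely declares `ILogger logger`, the non-generic `ILogger` is not registered by the default host and construction would fail at startup.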
@@ -0,0 +1,90 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 17 +VisualStudioVersion = 17.0.31903.59 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.EvidenceLocker.Core", "StellaOps.EvidenceLocker.Core\StellaOps.EvidenceLocker.Core.csproj", "{217D54F6-D07F-4B1E-8598-7DCAF0BD65C7}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.EvidenceLocker.Infrastructure", "StellaOps.EvidenceLocker.Infrastructure\StellaOps.EvidenceLocker.Infrastructure.csproj", "{BF61F2F5-4ECA-4DA6-AC6B-102C39D225A1}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.EvidenceLocker.WebService", "StellaOps.EvidenceLocker.WebService\StellaOps.EvidenceLocker.WebService.csproj", "{392D1580-C75B-4CB2-8F26-45C65268A191}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.EvidenceLocker.Worker", "StellaOps.EvidenceLocker.Worker\StellaOps.EvidenceLocker.Worker.csproj", "{B384F421-48D0-48EB-A63F-0AF28EBC75EB}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.EvidenceLocker.Tests", "StellaOps.EvidenceLocker.Tests\StellaOps.EvidenceLocker.Tests.csproj", "{B9D6DCF2-1C6F-41E5-8D63-118BD0751839}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Any CPU = Debug|Any CPU + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|Any CPU = Release|Any CPU + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {217D54F6-D07F-4B1E-8598-7DCAF0BD65C7}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {217D54F6-D07F-4B1E-8598-7DCAF0BD65C7}.Debug|Any CPU.Build.0 = Debug|Any CPU + {217D54F6-D07F-4B1E-8598-7DCAF0BD65C7}.Debug|x64.ActiveCfg = Debug|Any CPU + {217D54F6-D07F-4B1E-8598-7DCAF0BD65C7}.Debug|x64.Build.0 = Debug|Any CPU + {217D54F6-D07F-4B1E-8598-7DCAF0BD65C7}.Debug|x86.ActiveCfg = Debug|Any 
CPU + {217D54F6-D07F-4B1E-8598-7DCAF0BD65C7}.Debug|x86.Build.0 = Debug|Any CPU + {217D54F6-D07F-4B1E-8598-7DCAF0BD65C7}.Release|Any CPU.ActiveCfg = Release|Any CPU + {217D54F6-D07F-4B1E-8598-7DCAF0BD65C7}.Release|Any CPU.Build.0 = Release|Any CPU + {217D54F6-D07F-4B1E-8598-7DCAF0BD65C7}.Release|x64.ActiveCfg = Release|Any CPU + {217D54F6-D07F-4B1E-8598-7DCAF0BD65C7}.Release|x64.Build.0 = Release|Any CPU + {217D54F6-D07F-4B1E-8598-7DCAF0BD65C7}.Release|x86.ActiveCfg = Release|Any CPU + {217D54F6-D07F-4B1E-8598-7DCAF0BD65C7}.Release|x86.Build.0 = Release|Any CPU + {BF61F2F5-4ECA-4DA6-AC6B-102C39D225A1}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {BF61F2F5-4ECA-4DA6-AC6B-102C39D225A1}.Debug|Any CPU.Build.0 = Debug|Any CPU + {BF61F2F5-4ECA-4DA6-AC6B-102C39D225A1}.Debug|x64.ActiveCfg = Debug|Any CPU + {BF61F2F5-4ECA-4DA6-AC6B-102C39D225A1}.Debug|x64.Build.0 = Debug|Any CPU + {BF61F2F5-4ECA-4DA6-AC6B-102C39D225A1}.Debug|x86.ActiveCfg = Debug|Any CPU + {BF61F2F5-4ECA-4DA6-AC6B-102C39D225A1}.Debug|x86.Build.0 = Debug|Any CPU + {BF61F2F5-4ECA-4DA6-AC6B-102C39D225A1}.Release|Any CPU.ActiveCfg = Release|Any CPU + {BF61F2F5-4ECA-4DA6-AC6B-102C39D225A1}.Release|Any CPU.Build.0 = Release|Any CPU + {BF61F2F5-4ECA-4DA6-AC6B-102C39D225A1}.Release|x64.ActiveCfg = Release|Any CPU + {BF61F2F5-4ECA-4DA6-AC6B-102C39D225A1}.Release|x64.Build.0 = Release|Any CPU + {BF61F2F5-4ECA-4DA6-AC6B-102C39D225A1}.Release|x86.ActiveCfg = Release|Any CPU + {BF61F2F5-4ECA-4DA6-AC6B-102C39D225A1}.Release|x86.Build.0 = Release|Any CPU + {392D1580-C75B-4CB2-8F26-45C65268A191}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {392D1580-C75B-4CB2-8F26-45C65268A191}.Debug|Any CPU.Build.0 = Debug|Any CPU + {392D1580-C75B-4CB2-8F26-45C65268A191}.Debug|x64.ActiveCfg = Debug|Any CPU + {392D1580-C75B-4CB2-8F26-45C65268A191}.Debug|x64.Build.0 = Debug|Any CPU + {392D1580-C75B-4CB2-8F26-45C65268A191}.Debug|x86.ActiveCfg = Debug|Any CPU + {392D1580-C75B-4CB2-8F26-45C65268A191}.Debug|x86.Build.0 = Debug|Any CPU + 
{392D1580-C75B-4CB2-8F26-45C65268A191}.Release|Any CPU.ActiveCfg = Release|Any CPU + {392D1580-C75B-4CB2-8F26-45C65268A191}.Release|Any CPU.Build.0 = Release|Any CPU + {392D1580-C75B-4CB2-8F26-45C65268A191}.Release|x64.ActiveCfg = Release|Any CPU + {392D1580-C75B-4CB2-8F26-45C65268A191}.Release|x64.Build.0 = Release|Any CPU + {392D1580-C75B-4CB2-8F26-45C65268A191}.Release|x86.ActiveCfg = Release|Any CPU + {392D1580-C75B-4CB2-8F26-45C65268A191}.Release|x86.Build.0 = Release|Any CPU + {B384F421-48D0-48EB-A63F-0AF28EBC75EB}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {B384F421-48D0-48EB-A63F-0AF28EBC75EB}.Debug|Any CPU.Build.0 = Debug|Any CPU + {B384F421-48D0-48EB-A63F-0AF28EBC75EB}.Debug|x64.ActiveCfg = Debug|Any CPU + {B384F421-48D0-48EB-A63F-0AF28EBC75EB}.Debug|x64.Build.0 = Debug|Any CPU + {B384F421-48D0-48EB-A63F-0AF28EBC75EB}.Debug|x86.ActiveCfg = Debug|Any CPU + {B384F421-48D0-48EB-A63F-0AF28EBC75EB}.Debug|x86.Build.0 = Debug|Any CPU + {B384F421-48D0-48EB-A63F-0AF28EBC75EB}.Release|Any CPU.ActiveCfg = Release|Any CPU + {B384F421-48D0-48EB-A63F-0AF28EBC75EB}.Release|Any CPU.Build.0 = Release|Any CPU + {B384F421-48D0-48EB-A63F-0AF28EBC75EB}.Release|x64.ActiveCfg = Release|Any CPU + {B384F421-48D0-48EB-A63F-0AF28EBC75EB}.Release|x64.Build.0 = Release|Any CPU + {B384F421-48D0-48EB-A63F-0AF28EBC75EB}.Release|x86.ActiveCfg = Release|Any CPU + {B384F421-48D0-48EB-A63F-0AF28EBC75EB}.Release|x86.Build.0 = Release|Any CPU + {B9D6DCF2-1C6F-41E5-8D63-118BD0751839}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {B9D6DCF2-1C6F-41E5-8D63-118BD0751839}.Debug|Any CPU.Build.0 = Debug|Any CPU + {B9D6DCF2-1C6F-41E5-8D63-118BD0751839}.Debug|x64.ActiveCfg = Debug|Any CPU + {B9D6DCF2-1C6F-41E5-8D63-118BD0751839}.Debug|x64.Build.0 = Debug|Any CPU + {B9D6DCF2-1C6F-41E5-8D63-118BD0751839}.Debug|x86.ActiveCfg = Debug|Any CPU + {B9D6DCF2-1C6F-41E5-8D63-118BD0751839}.Debug|x86.Build.0 = Debug|Any CPU + {B9D6DCF2-1C6F-41E5-8D63-118BD0751839}.Release|Any CPU.ActiveCfg = Release|Any CPU + 
{B9D6DCF2-1C6F-41E5-8D63-118BD0751839}.Release|Any CPU.Build.0 = Release|Any CPU + {B9D6DCF2-1C6F-41E5-8D63-118BD0751839}.Release|x64.ActiveCfg = Release|Any CPU + {B9D6DCF2-1C6F-41E5-8D63-118BD0751839}.Release|x64.Build.0 = Release|Any CPU + {B9D6DCF2-1C6F-41E5-8D63-118BD0751839}.Release|x86.ActiveCfg = Release|Any CPU + {B9D6DCF2-1C6F-41E5-8D63-118BD0751839}.Release|x86.Build.0 = Release|Any CPU + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection +EndGlobal diff --git a/src/StellaOps.EvidenceLocker/TASKS.md b/src/StellaOps.EvidenceLocker/TASKS.md new file mode 100644 index 00000000..cf085050 --- /dev/null +++ b/src/StellaOps.EvidenceLocker/TASKS.md 
@@ -0,0 +1,19 @@ +# Evidence Locker Task Board — Epic 15: Observability & Forensics + +## Sprint 53 – Evidence Bundle Foundations +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| EVID-OBS-53-001 | TODO | Evidence Locker Guild | TELEMETRY-OBS-50-001, DEVOPS-OBS-50-003 | Bootstrap `StellaOps.Evidence.Locker` service with Postgres schema for `evidence_bundles`, `evidence_artifacts`, `evidence_holds`, tenant RLS, and object-store abstraction (WORM optional). | Service builds/tests; migrations deterministic; storage abstraction has local filesystem + S3 drivers; compliance checklist recorded. | +| EVID-OBS-53-002 | TODO | Evidence Locker Guild, Orchestrator Guild | EVID-OBS-53-001, ORCH-OBS-53-001 | Implement bundle builders for evaluation/job/export snapshots collecting inputs, outputs, env digests, run metadata. Generate Merkle tree + manifest skeletons and persist root hash. | Builders cover three bundle types; integration tests verify deterministic manifests; root hash stored; docs stubbed. | +| EVID-OBS-53-003 | TODO | Evidence Locker Guild, Security Guild | EVID-OBS-53-002 | Expose REST APIs (`POST /evidence/snapshot`, `GET /evidence/:id`, `POST /evidence/verify`, `POST /evidence/hold/:case_id`) with audit logging, tenant enforcement, and size quotas. | APIs documented via OpenAPI; tests cover RBAC/legal hold; size quota rejection returns structured error; audit logs validated. | + +## Sprint 54 – Provenance Integration +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| EVID-OBS-54-001 | TODO | Evidence Locker Guild, Provenance Guild | EVID-OBS-53-003, PROV-OBS-53-002 | Attach DSSE signing and RFC3161 timestamping to bundle manifests; validate against Provenance verification library. Wire legal hold retention extension and chain-of-custody events for Timeline Indexer. 
| Bundles signed; verification tests pass; timeline events emitted; timestamp optional but documented; retention updates recorded. | +| EVID-OBS-54-002 | TODO | Evidence Locker Guild, DevEx/CLI Guild | EVID-OBS-54-001, CLI-FORENSICS-54-001 | Provide bundle download/export packaging (tgz) with checksum manifest, offline verification instructions, and sample fixture for CLI tests. | Packaging script deterministic; CLI verifies sample; offline instructions documented; checksum cross-check done. | + +## Sprint 55 – Incident Mode & Retention +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| EVID-OBS-55-001 | TODO | Evidence Locker Guild, DevOps Guild | EVID-OBS-54-001, DEVOPS-OBS-55-001 | Implement incident mode hooks increasing retention window, capturing additional debug artefacts, and emitting activation/deactivation events to Timeline Indexer + Notifier. | Incident mode extends retention per config; activation events emitted; tests cover revert to baseline; runbook updated. | diff --git a/src/StellaOps.Excititor.Core/TASKS.md b/src/StellaOps.Excititor.Core/TASKS.md index 3d06ea35..a3f5e680 100644 --- a/src/StellaOps.Excititor.Core/TASKS.md +++ b/src/StellaOps.Excititor.Core/TASKS.md 
@@ -1,9 +1,96 @@ -If you are working on this file you need to read docs/ARCHITECTURE_EXCITITOR.md and ./AGENTS.md). -# TASKS -| Task | Owner(s) | Depends on | Notes | -|---|---|---|---| -|EXCITITOR-CORE-01-001 – Canonical VEX domain records|Team Excititor Core & Policy|docs/ARCHITECTURE_EXCITITOR.md|DONE (2025-10-15) – Introduced `VexClaim`, `VexConsensus`, provider metadata, export manifest records, and deterministic JSON serialization with tests covering canonical ordering and query signatures.| -|EXCITITOR-CORE-01-002 – Trust-weighted consensus resolver|Team Excititor Core & Policy|EXCITITOR-CORE-01-001|DONE (2025-10-15) – Added consensus resolver, baseline policy (tier weights + justification gate), telemetry output, and tests covering acceptance, conflict ties, and determinism.| -|EXCITITOR-CORE-01-003 – Shared contracts & query signatures|Team Excititor Core & Policy|EXCITITOR-CORE-01-001|DONE (2025-10-15) – Published connector/normalizer/exporter/attestation abstractions and expanded deterministic `VexQuerySignature`/hash utilities with test coverage.| -|EXCITITOR-CORE-02-001 – Context signal schema prep|Team Excititor Core & Policy|EXCITITOR-POLICY-02-001|DONE (2025-10-19) – Added `VexSignalSnapshot` (severity/KEV/EPSS) to claims/consensus, updated canonical serializer + resolver plumbing, documented storage follow-up, and validated via `dotnet test src/StellaOps.Excititor.Core.Tests/StellaOps.Excititor.Core.Tests.csproj`.| -|EXCITITOR-CORE-02-002 – Deterministic risk scoring engine|Team Excititor Core & Policy|EXCITITOR-CORE-02-001, EXCITITOR-POLICY-02-001|BACKLOG – Introduce the scoring calculator invoked by consensus, persist score envelopes with audit trails, and add regression fixtures covering gate/boost behaviour before enabling exports.| +# TASKS — Epic 1: Aggregation-Only Contract +> **AOC Reminder:** ingestion captures raw VEX statements/linksets only—no precedence, suppression, or severity derivation within Excititor. 
+| ID | Status | Owner(s) | Depends on | Notes | +|---|---|---|---|---| +| EXCITITOR-CORE-AOC-19-001 `AOC guard & provenance enforcement` | TODO | Excititor Core Guild | WEB-AOC-19-001 | Introduce repository interceptor validating provenance/signatures, rejecting forbidden fields (`severity`, `consensus`, etc.), and surfacing `ERR_AOC_00x` codes. | +| EXCITITOR-CORE-AOC-19-002 `VEX linkset extraction` | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-001 | Implement deterministic extraction of advisory IDs, component PURLs, and references into `linkset`, capturing reconciled-from metadata for traceability. | +| EXCITITOR-CORE-AOC-19-003 `Idempotent VEX raw upsert` | TODO | Excititor Core Guild | EXCITITOR-STORE-AOC-19-002 | Enforce `(vendor, upstreamId, contentHash, tenant)` uniqueness, generate supersedes chains, and ensure append-only versioning of raw VEX documents. | +| EXCITITOR-CORE-AOC-19-004 `Remove ingestion consensus` | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-002, POLICY-AOC-19-003 | Excise consensus/merge/severity logic from Excititor ingestion paths, updating exports/tests to rely on Policy Engine materializations instead. | + +## Policy Engine v2 + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-POLICY-20-002 `Scope-aware linksets` | TODO | Excititor Core Guild, Policy Guild | EXCITITOR-CORE-AOC-19-002, POLICY-ENGINE-20-001 | Enhance VEX linkset extraction with scope resolution (product/component) + version range matching to boost policy join accuracy; refresh fixtures/tests. 
| + +## Graph Explorer v1 + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-GRAPH-21-001 `Inspector linkouts` | TODO | Excititor Core Guild, Cartographer Guild | EXCITITOR-POLICY-20-002, CARTO-GRAPH-21-005 | Provide batched VEX/advisory reference fetches keyed by graph node PURLs so UI inspector can display raw documents and justification metadata. | +| EXCITITOR-GRAPH-21-002 `Overlay enrichment` | TODO | Excititor Core Guild | EXCITITOR-GRAPH-21-001, POLICY-ENGINE-30-001 | Ensure overlay metadata includes VEX justification summaries and document versions for Cartographer overlays; update fixtures/tests. | + +## Link-Not-Merge v1 + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-LNM-21-001 `VEX observation model` | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-001 | Define immutable `vex_observations` schema capturing raw statements, product PURLs, justification, and AOC metadata. | +| EXCITITOR-LNM-21-002 `Linkset correlator` | TODO | Excititor Core Guild | EXCITITOR-LNM-21-001 | Build correlation pipeline combining alias + product PURL signals to form `vex_linksets` with confidence metrics. | +| EXCITITOR-LNM-21-003 `Conflict annotator` | TODO | Excititor Core Guild | EXCITITOR-LNM-21-002 | Record status/justification disagreements within linksets and expose structured conflicts. | +| EXCITITOR-LNM-21-004 `Merge removal` | TODO | Excititor Core Guild | EXCITITOR-LNM-21-002 | Remove legacy VEX merge logic, enforce immutability, and add guards/tests to prevent future merges. | +| EXCITITOR-LNM-21-005 `Event emission` | TODO | Excititor Core Guild, Platform Events Guild | EXCITITOR-LNM-21-002 | Emit `vex.linkset.updated` events for downstream consumers with delta descriptions and tenant context. 
| + +## Policy Engine + Editor v1 + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-POLICY-23-001 `Evidence indexes` | TODO | Excititor Core Guild | EXCITITOR-LNM-21-002 | Provide indexes/materialized views for policy runtime (status, justification, product PURL) to accelerate queries; document contract. | +| EXCITITOR-POLICY-23-002 `Event guarantees` | TODO | Excititor Core Guild, Platform Events Guild | EXCITITOR-LNM-21-005 | Ensure `vex.linkset.updated` events include correlation confidence, conflict summaries, and idempotent ids for evaluator consumption. | + +## Graph & Vuln Explorer v1 + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-GRAPH-24-001 `VEX overlay inputs` | TODO | Excititor Core Guild | EXCITITOR-POLICY-23-001 | Expose raw VEX statements/linksets scoped for overlay services; no suppression/precedence logic in ingestion. | + +## Reachability v1 + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-SIG-26-001 `Vendor exploitability hints` | TODO | Excititor Core Guild, Signals Guild | SIGNALS-24-004 | Surface vendor-provided exploitability indicators and affected symbol lists to Signals service via projection endpoints. | + +## Authority-Backed Scopes & Tenancy (Epic 14) +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-TEN-48-001 `Tenant-aware VEX linking` | TODO | Excititor Core Guild | AUTH-TEN-47-001 | Apply tenant context to VEX linkers, enable RLS, and expose capability endpoint confirming aggregation-only behavior. 
| + +## Observability & Forensics (Epic 15) +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-OBS-50-001 `Telemetry adoption` | TODO | Excititor Core Guild, Observability Guild | TELEMETRY-OBS-50-001, TELEMETRY-OBS-50-002 | Integrate telemetry core across VEX ingestion/linking, ensuring spans/logs capture tenant, product scope, upstream id, justification hash, and trace IDs. | +| EXCITITOR-OBS-51-001 `Metrics & SLOs` | TODO | Excititor Core Guild, DevOps Guild | EXCITITOR-OBS-50-001, TELEMETRY-OBS-51-001 | Publish metrics for VEX ingest latency, scope resolution success, conflict rate, signature verification failures. Define SLOs (link latency P95 <30s) and configure burn-rate alerts. | +| EXCITITOR-OBS-52-001 `Timeline events` | TODO | Excititor Core Guild | EXCITITOR-OBS-50-001, TIMELINE-OBS-52-002 | Emit `timeline_event` entries for VEX ingest/linking/outcome changes with trace IDs, justification summaries, and evidence placeholders. | +| EXCITITOR-OBS-53-001 `Evidence snapshots` | TODO | Excititor Core Guild, Evidence Locker Guild | EXCITITOR-OBS-52-001, EVID-OBS-53-002 | Build evidence payloads for VEX statements (raw doc, normalization diff, precedence notes) and push to evidence locker with Merkle manifests. | +| EXCITITOR-OBS-54-001 `Attestation & verification` | TODO | Excititor Core Guild, Provenance Guild | EXCITITOR-OBS-53-001, PROV-OBS-54-001 | Attach DSSE attestations to VEX batch processing, verify chain-of-custody via Provenance library, and link attestation IDs to timeline + ledger. | +| EXCITITOR-OBS-55-001 `Incident mode` | TODO | Excititor Core Guild, DevOps Guild | EXCITITOR-OBS-51-001, DEVOPS-OBS-55-001 | Implement incident sampling bump, additional raw payload retention, and activation events for VEX pipelines with redaction guard rails. 
| + +## Air-Gapped Mode (Epic 16) +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-AIRGAP-56-001 `Mirror ingestion adapters` | TODO | Excititor Core Guild | AIRGAP-IMP-57-002, MIRROR-CRT-56-001 | Add mirror-based VEX ingestion, preserving statement digests and bundle IDs. | +| EXCITITOR-AIRGAP-56-002 `Bundle provenance` | TODO | Excititor Core Guild, AirGap Importer Guild | EXCITITOR-AIRGAP-56-001, AIRGAP-IMP-57-001 | Persist bundle metadata on VEX observations/linksets with provenance references. | +| EXCITITOR-AIRGAP-57-001 `Sealed-mode enforcement` | TODO | Excititor Core Guild, AirGap Policy Guild | EXCITITOR-AIRGAP-56-001, AIRGAP-POL-56-001 | Block non-mirror connectors in sealed mode and surface remediation errors. | +| EXCITITOR-AIRGAP-57-002 `Staleness annotations` | TODO | Excititor Core Guild, AirGap Time Guild | EXCITITOR-AIRGAP-56-002, AIRGAP-TIME-58-001 | Annotate VEX statements with staleness metrics and expose via API. | +| EXCITITOR-AIRGAP-58-001 `Portable VEX evidence` | TODO | Excititor Core Guild, Evidence Locker Guild | EXCITITOR-OBS-53-001, EVID-OBS-54-001 | Package VEX evidence segments into portable evidence bundles linked to timeline. | + +## SDKs & OpenAPI (Epic 17) +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-OAS-61-001 `Spec coverage` | TODO | Excititor Core Guild, API Contracts Guild | OAS-61-001 | Update VEX OAS to include observation/linkset endpoints with provenance fields and examples. | +| EXCITITOR-OAS-61-002 `Example catalog` | TODO | Excititor Core Guild | EXCITITOR-OAS-61-001 | Provide examples for VEX justifications, statuses, conflicts; ensure SDK docs reference them. | +| EXCITITOR-OAS-62-001 `SDK smoke tests` | TODO | Excititor Core Guild, SDK Generator Guild | EXCITITOR-OAS-61-001, SDKGEN-63-001 | Add SDK scenarios for VEX observation queries and conflict handling to language smoke suites. 
| +| EXCITITOR-OAS-63-001 `Deprecation headers` | TODO | Excititor Core Guild, API Governance Guild | APIGOV-63-001 | Add deprecation metadata and notifications for legacy VEX routes. | + +## Risk Profiles (Epic 18) +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-RISK-66-001 `VEX gate provider` | TODO | Excititor Core Guild, Risk Engine Guild | RISK-ENGINE-67-002 | Supply VEX status and justification data for risk engine gating with full source provenance. | +| EXCITITOR-RISK-66-002 `Reachability inputs` | TODO | Excititor Core Guild | EXCITITOR-RISK-66-001 | Provide component/product scoping metadata enabling reachability and runtime factor mapping. | +| EXCITITOR-RISK-67-001 `Explainability metadata` | TODO | Excititor Core Guild | EXCITITOR-RISK-66-001 | Include VEX justification, status reasoning, and source digests in explainability artifacts. | +| EXCITITOR-RISK-68-001 `Policy Studio integration` | TODO | Excititor Core Guild, Policy Studio Guild | POLICY-RISK-68-001 | Surface VEX-specific gates/weights within profile editor UI and validation messages. | + +## Attestor Console (Epic 19) +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-ATTEST-73-001 `VEX attestation payloads` | TODO | Excititor Core Guild, Attestation Payloads Guild | ATTEST-TYPES-72-001 | Provide VEX statement metadata (supplier identity, justification, scope) required for VEXAttestation payloads. | +| EXCITITOR-ATTEST-73-002 `Chain provenance` | TODO | Excititor Core Guild | EXCITITOR-ATTEST-73-001 | Expose linkage from VEX statements to subject/product for chain of custody graph. | diff --git a/src/StellaOps.Excititor.Storage.Mongo/TASKS.md b/src/StellaOps.Excititor.Storage.Mongo/TASKS.md index cb2175a7..7b8eb286 100644 --- a/src/StellaOps.Excititor.Storage.Mongo/TASKS.md +++ b/src/StellaOps.Excititor.Storage.Mongo/TASKS.md 
@@ -1,11 +1,27 @@ -If you are working on this file you need to read docs/ARCHITECTURE_EXCITITOR.md and ./AGENTS.md). -# TASKS -| Task | Owner(s) | Depends on | Notes | -|---|---|---|---| -|EXCITITOR-STORAGE-01-001 – Collection schemas & class maps|Team Excititor Storage|EXCITITOR-CORE-01-001|DONE (2025-10-15) – Added Mongo mapping registry with raw/export entities and service registration groundwork.| -|EXCITITOR-STORAGE-01-002 – Migrations & indices bootstrap|Team Excititor Storage|EXCITITOR-STORAGE-01-001|**DONE (2025-10-16)** – Add bootstrapper creating indices (claims by vulnId/product, exports by querySignature, etc.) and migrations for existing deployments.
2025-10-16: Introduced migration runner + hosted service, initial index migration covers raw/providers/consensus/exports/cache, and tests use Mongo2Go to verify execution.| -|EXCITITOR-STORAGE-01-003 – Repository layer & transactional flows|Team Excititor Storage|EXCITITOR-STORAGE-01-001|**DONE (2025-10-16)** – Added GridFS-backed raw store with transactional upserts (including fallback for non-replicaset Mongo), export/cache repository coordination, and coverage verifying cache TTL + GridFS round-trips.| -|EXCITITOR-STORAGE-01-004 – Provider/consensus/cache mappings|Team Excititor Storage|EXCITITOR-STORAGE-01-001|**DONE (2025-10-16)** – Registered MongoDB class maps for provider/consensus/cache records with forward-compatible field handling and added coverage ensuring GridFS-linked cache entries round-trip cleanly.| -|EXCITITOR-STORAGE-02-001 – Statement events & scoring signals|Team Excititor Storage|EXCITITOR-CORE-02-001|DONE (2025-10-19) – Added immutable `vex.statements` collection + claim store, extended consensus persistence with severity/KEV/EPSS signals, shipped migration `20251019-consensus-signals-statements`, and updated docs. 
Tests: `dotnet test src/StellaOps.Excititor.Core.Tests/StellaOps.Excititor.Core.Tests.csproj` & `dotnet test src/StellaOps.Excititor.Storage.Mongo.Tests/StellaOps.Excititor.Storage.Mongo.Tests.csproj`; worker/web suites pending due to NU1903 (`Microsoft.Extensions.Caching.Memory`) advisory.| -|EXCITITOR-STORAGE-03-001 – Statement backfill tooling|Team Excititor Storage|EXCITITOR-STORAGE-02-001|**DONE (2025-10-19)** – Shipped Mongo-backed statement replay service + `/excititor/admin/backfill-statements`, wired CLI command `stellaops excititor backfill-statements`, added integration tests, and documented the runbook in `docs/dev/EXCITITOR_STATEMENT_BACKFILL.md`.| -|EXCITITOR-STORAGE-MONGO-08-001 – Session + causal consistency hardening|Team Excititor Storage|EXCITITOR-STORAGE-01-003|**DONE (2025-10-19)** – Completed session-aware overloads across all repositories, persisted claims/signals/connector state with new Mongo records, updated orchestrators/workers to reuse scoped sessions, and added replica-set consistency tests (`dotnet test src/StellaOps.Excititor.Storage.Mongo.Tests/StellaOps.Excititor.Storage.Mongo.Tests.csproj`). GridFS operations fall back to majority semantics due to driver limits; transactions cover metadata writes to preserve determinism.| +# TASKS — Epic 1: Aggregation-Only Contract +> **AOC Reminder:** storage enforces raw VEX documents only—no consensus/precedence data in ingestion collections. +| ID | Status | Owner(s) | Depends on | Notes | +|---|---|---|---|---| +| EXCITITOR-STORE-AOC-19-001 `vex_raw schema validator` | TODO | Excititor Storage Guild | Mongo cluster ops sign-off | Define Mongo JSON schema for `vex_raw` enforcing required fields and forbidding derived/consensus/severity fields. Ship unit tests with Mongo2Go to validate rejects. 
| +| EXCITITOR-STORE-AOC-19-002 `idempotency unique index` | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-001 | Create `(source.vendor, upstream.upstream_id, upstream.content_hash, tenant)` unique index with backfill checker, updating migrations + bootstrapper for offline installs. | +| EXCITITOR-STORE-AOC-19-003 `append-only migration plan` | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-002 | Migrate legacy consensus collections to `_backup_*`, seed supersedes chain for raw docs, and document rollback path + dry-run verification. | +| EXCITITOR-STORE-AOC-19-004 `validator deployment docset` | TODO | Excititor Storage Guild, DevOps Guild | EXCITITOR-STORE-AOC-19-001 | Update migration runbooks and Offline Kit packaging to bundle schema validator scripts, with smoke instructions for air-gapped clusters. | + +## Policy Engine v2 + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-POLICY-20-003 `Selection cursors` | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-002, POLICY-ENGINE-20-003 | Introduce VEX selection cursor collections + indexes powering incremental policy runs; bundle change-stream checkpoint migrations and Offline Kit tooling. | + +## Graph Explorer v1 + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-GRAPH-21-005 `Inspector indexes` | TODO | Excititor Storage Guild | EXCITITOR-GRAPH-21-001 | Add indexes/materialized views for VEX lookups by PURL/policy to support Cartographer inspector performance; document migrations. | + +## Link-Not-Merge v1 + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-LNM-21-101 `Observations collections` | TODO | Excititor Storage Guild | EXCITITOR-LNM-21-001 | Provision `vex_observations`/`vex_linksets` collections with shard keys, indexes over aliases & product PURLs, and multi-tenant guards. 
| +| EXCITITOR-LNM-21-102 `Migration/backfill` | TODO | Excititor Storage Guild, DevOps Guild | EXCITITOR-LNM-21-101 | Backfill legacy merged VEX docs into observations/linksets, add provenance notes, and produce rollback scripts. | diff --git a/src/StellaOps.Excititor.WebService/TASKS.md b/src/StellaOps.Excititor.WebService/TASKS.md index fd9736eb..dcde0440 100644 --- a/src/StellaOps.Excititor.WebService/TASKS.md +++ b/src/StellaOps.Excititor.WebService/TASKS.md 
@@ -1,9 +1,86 @@ -If you are working on this file you need to read docs/ARCHITECTURE_EXCITITOR.md and ./AGENTS.md). -# TASKS -| Task | Owner(s) | Depends on | Notes | -|---|---|---|---| -|EXCITITOR-WEB-01-001 – Minimal API bootstrap & DI|Team Excititor WebService|EXCITITOR-CORE-01-003, EXCITITOR-STORAGE-01-003|**DONE (2025-10-17)** – Minimal API host composes storage/export/attestation/artifact stores, binds Mongo/attestation options, and exposes `/excititor/status` + health endpoints with regression coverage in `StatusEndpointTests`.| -|EXCITITOR-WEB-01-002 – Ingest & reconcile endpoints|Team Excititor WebService|EXCITITOR-WEB-01-001|**DONE (2025-10-20)** – `/excititor/init`, `/excititor/ingest/run`, `/excititor/ingest/resume`, `/excititor/reconcile` enforce `vex.admin`, normalize provider lists, and return deterministic summaries; covered via unit tests (`dotnet test src/StellaOps.Excititor.WebService.Tests/StellaOps.Excititor.WebService.Tests.csproj --filter FullyQualifiedName~IngestEndpointsTests`).| -|EXCITITOR-WEB-01-003 – Export & verify endpoints|Team Excititor WebService|EXCITITOR-WEB-01-001, EXCITITOR-EXPORT-01-001, EXCITITOR-ATTEST-01-001|**DOING (2025-10-19)** – Prereqs confirmed (EXCITITOR-WEB-01-001, EXCITITOR-EXPORT-01-001, EXCITITOR-ATTEST-01-001); preparing `/excititor/export*` surfaces and `/excititor/verify` with artifact/attestation metadata caching strategy.| -|EXCITITOR-WEB-01-004 – Resolve API & signed responses|Team Excititor WebService|EXCITITOR-WEB-01-001, EXCITITOR-ATTEST-01-002|**DONE (2025-10-20)** – Added `vex.read` scope enforcement, signed consensus/attestation envelopes, docs updates, and expanded tests (auth, unauthorized/forbidden). 
Mirror/ingest DTO casing fixed to restore builds.| -|EXCITITOR-WEB-01-005 – Mirror distribution endpoints|Team Excititor WebService|EXCITITOR-EXPORT-01-007, DEVOPS-MIRROR-08-001|**DONE (2025-10-19)** – `/excititor/mirror` surfaces domain listings, indices, metadata, and downloads with quota/auth checks; tests cover Happy-path listing/download (`dotnet test src/StellaOps.Excititor.WebService.Tests/StellaOps.Excititor.WebService.Tests.csproj`).| +# TASKS — Epic 1: Aggregation-Only Contract +> **AOC Reminder:** Excititor WebService publishes raw statements/linksets only; derived precedence/severity belongs to Policy overlays. +| ID | Status | Owner(s) | Depends on | Notes | +|---|---|---|---|---| +| EXCITITOR-WEB-AOC-19-001 `Raw VEX ingestion APIs` | TODO | Excititor WebService Guild | EXCITITOR-CORE-AOC-19-001, EXCITITOR-STORE-AOC-19-001 | Implement `POST /ingest/vex`, `GET /vex/raw*`, and `POST /aoc/verify` endpoints. Enforce Authority scopes, tenant injection, and guard pipeline to ensure only immutable VEX facts are persisted. | +| EXCITITOR-WEB-AOC-19-002 `AOC observability + metrics` | TODO | Excititor WebService Guild, Observability Guild | EXCITITOR-WEB-AOC-19-001 | Export metrics (`ingestion_write_total`, `aoc_violation_total`, signature verification counters) and tracing spans matching Conseiller naming. Ensure structured logging includes tenant, source vendor, upstream id, and content hash. | +| EXCITITOR-WEB-AOC-19-003 `Guard + schema test harness` | TODO | QA Guild | EXCITITOR-WEB-AOC-19-001 | Add unit/integration tests for schema validation, forbidden field rejection (`ERR_AOC_001/006/007`), and supersedes behavior using CycloneDX-VEX & CSAF fixtures with deterministic expectations. 
| +| EXCITITOR-WEB-AOC-19-004 `Batch ingest validation` | TODO | Excititor WebService Guild, QA Guild | EXCITITOR-WEB-AOC-19-003, EXCITITOR-CORE-AOC-19-002 | Build large fixture ingest covering mixed VEX statuses, verifying raw storage parity, metrics, and CLI `aoc verify` compatibility. Document load test/runbook updates. | + +## Policy Engine v2 + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-POLICY-20-001 `Policy selection endpoints` | TODO | Excititor WebService Guild | WEB-POLICY-20-001, EXCITITOR-CORE-AOC-19-004 | Provide VEX lookup APIs supporting PURL/advisory batching, scope filtering, and tenant enforcement with deterministic ordering + pagination. | + +## StellaOps Console (Sprint 23) + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-CONSOLE-23-001 `VEX aggregation views` | TODO | Excititor WebService Guild, BE-Base Platform Guild | EXCITITOR-LNM-21-201, EXCITITOR-LNM-21-202 | Expose `/console/vex` endpoints returning grouped VEX statements per advisory/component with status chips, justification metadata, precedence trace pointers, and tenant-scoped filters for Console explorer. | +| EXCITITOR-CONSOLE-23-002 `Dashboard VEX deltas` | TODO | Excititor WebService Guild | EXCITITOR-CONSOLE-23-001, EXCITITOR-LNM-21-203 | Provide aggregated counts for VEX overrides (new, not_affected, revoked) powering Console dashboard + live status ticker; emit metrics for policy explain integration. | +| EXCITITOR-CONSOLE-23-003 `VEX search helpers` | TODO | Excititor WebService Guild | EXCITITOR-CONSOLE-23-001 | Deliver rapid lookup endpoints of VEX by advisory/component for Console global search; ensure response includes provenance and precedence context; include caching and RBAC. 
| + +## Graph Explorer v1 + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-GRAPH-21-003 `Inspector fetch API` | TODO | Excititor WebService Guild, Cartographer Guild | EXCITITOR-GRAPH-21-001 | Expose batch endpoints for retrieving VEX statements + advisory metadata by PURL/component for Graph Explorer inspector. | +| EXCITITOR-GRAPH-21-004 `Overlay subscription` | TODO | Excititor WebService Guild | EXCITITOR-GRAPH-21-003, CARTO-GRAPH-21-007 | Emit events (NATS/Redis) when new VEX docs land so Cartographer can refresh overlays; include tenant/policy references. | + +## Link-Not-Merge v1 + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-LNM-21-201 `Observation APIs` | TODO | Excititor WebService Guild, BE-Base Platform Guild | EXCITITOR-LNM-21-001 | Add VEX observation read endpoints with filters, pagination, RBAC, and tenant scoping. | +| EXCITITOR-LNM-21-202 `Linkset APIs` | TODO | Excititor WebService Guild | EXCITITOR-LNM-21-002, EXCITITOR-LNM-21-003 | Implement linkset read/export/evidence endpoints returning correlation/conflict payloads and map errors to `ERR_AGG_*`. | +| EXCITITOR-LNM-21-203 `Event publishing` | TODO | Excititor WebService Guild, Platform Events Guild | EXCITITOR-LNM-21-005 | Publish `vex.linkset.updated` events, document schema, and ensure idempotent delivery. | + +## Graph & Vuln Explorer v1 + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-GRAPH-24-101 `VEX summary API` | TODO | Excititor WebService Guild | EXCITITOR-GRAPH-24-001 | Provide endpoints delivering VEX status summaries per component/asset for Vuln Explorer integration. | +| EXCITITOR-GRAPH-24-102 `Evidence batch API` | TODO | Excititor WebService Guild | EXCITITOR-LNM-21-201 | Add batch VEX observation retrieval optimized for Graph overlays/tooltips. 
| + +## Vulnerability Explorer (Sprint 29) + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-VULN-29-001 `VEX key normalization` | TODO | Excititor WebService Guild | EXCITITOR-LNM-21-001 | Canonicalize VEX advisory/product keys (map to `advisory_key`, capture product scopes); expose original sources in `links[]`; backfill existing records. | +| EXCITITOR-VULN-29-002 `Evidence retrieval` | TODO | Excititor WebService Guild | EXCITITOR-VULN-29-001, VULN-API-29-003 | Provide `/vuln/evidence/vex/{advisory_key}` returning raw VEX statements filtered by tenant/product scope for Explorer evidence tabs. | +| EXCITITOR-VULN-29-004 `Observability` | TODO | Excititor WebService Guild, Observability Guild | EXCITITOR-VULN-29-001 | Add metrics/logs for VEX normalization, suppression scopes, withdrawn statements; emit events consumed by Vuln Explorer resolver. | + +## Advisory AI (Sprint 31) + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-AIAI-31-001 `Justification enrichment` | TODO | Excititor WebService Guild | EXCITITOR-VULN-29-001 | Expose normalized VEX justifications, product trees, and paragraph anchors for Advisory AI conflict explanations. | +| EXCITITOR-AIAI-31-002 `VEX chunk API` | TODO | Excititor WebService Guild | EXCITITOR-AIAI-31-001, VEXLENS-30-006 | Provide `/vex/evidence/chunks` endpoint returning tenant-scoped VEX statements with signature metadata and scope scores for RAG. | +| EXCITITOR-AIAI-31-003 `Telemetry` | TODO | Excititor WebService Guild, Observability Guild | EXCITITOR-AIAI-31-001 | Emit metrics/logs for VEX chunk usage, signature verification failures, and guardrail triggers. 
| + +## Observability & Forensics (Epic 15) +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-WEB-OBS-50-001 `Telemetry adoption` | TODO | Excititor WebService Guild | TELEMETRY-OBS-50-001, EXCITITOR-OBS-50-001 | Adopt telemetry core for VEX APIs, ensure responses include trace IDs & correlation headers, and update structured logging for read endpoints. | +| EXCITITOR-WEB-OBS-51-001 `Observability health endpoints` | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-50-001, WEB-OBS-51-001 | Implement `/obs/excititor/health` summarizing ingest/link SLOs, signature failure counts, and conflict trends for Console dashboards. | +| EXCITITOR-WEB-OBS-52-001 `Timeline streaming` | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-50-001, TIMELINE-OBS-52-003 | Provide SSE bridge for VEX timeline events with tenant filters, pagination, and guardrails. | +| EXCITITOR-WEB-OBS-53-001 `Evidence APIs` | TODO | Excititor WebService Guild, Evidence Locker Guild | EXCITITOR-OBS-53-001, EVID-OBS-53-003 | Expose `/evidence/vex/*` endpoints that fetch locker bundles, enforce scopes, and surface verification metadata. | +| EXCITITOR-WEB-OBS-54-001 `Attestation APIs` | TODO | Excititor WebService Guild | EXCITITOR-OBS-54-001, PROV-OBS-54-001 | Add `/attestations/vex/*` endpoints returning DSSE verification state, builder identity, and chain-of-custody links. | +| EXCITITOR-WEB-OBS-55-001 `Incident mode toggles` | TODO | Excititor WebService Guild, DevOps Guild | EXCITITOR-OBS-55-001, WEB-OBS-55-001 | Provide incident mode API for VEX pipelines with activation audit logs and retention override previews. 
| + +## Air-Gapped Mode (Epic 16) +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-WEB-AIRGAP-56-001 | TODO | Excititor WebService Guild | AIRGAP-IMP-58-001, EXCITITOR-AIRGAP-56-001 | Support mirror bundle registration via APIs, expose bundle provenance in VEX responses, and block external connectors in sealed mode. | +| EXCITITOR-WEB-AIRGAP-56-002 | TODO | Excititor WebService Guild, AirGap Time Guild | EXCITITOR-WEB-AIRGAP-56-001, AIRGAP-TIME-58-001 | Return VEX staleness metrics and time anchor info in API responses for Console/CLI use. | +| EXCITITOR-WEB-AIRGAP-57-001 | TODO | Excititor WebService Guild, AirGap Policy Guild | AIRGAP-POL-56-001 | Map sealed-mode violations to standardized error payload with remediation guidance. | +| EXCITITOR-WEB-AIRGAP-58-001 | TODO | Excititor WebService Guild, AirGap Importer Guild | EXCITITOR-WEB-AIRGAP-56-001, TIMELINE-OBS-53-001 | Emit timeline events for VEX bundle imports with bundle ID, scope, and actor metadata. | + +## SDKs & OpenAPI (Epic 17) +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-WEB-OAS-61-001 | TODO | Excititor WebService Guild | OAS-61-001 | Implement `/.well-known/openapi` discovery endpoint with spec version metadata. | +| EXCITITOR-WEB-OAS-61-002 | TODO | Excititor WebService Guild | APIGOV-61-001 | Standardize error envelope responses and update controller/unit tests. | +| EXCITITOR-WEB-OAS-62-001 | TODO | Excititor WebService Guild | EXCITITOR-OAS-61-002 | Add curated examples for VEX observation/linkset endpoints and ensure portal displays them. | +| EXCITITOR-WEB-OAS-63-001 | TODO | Excititor WebService Guild, API Governance Guild | APIGOV-63-001 | Emit deprecation headers and update docs for retiring VEX APIs. | diff --git a/src/StellaOps.Excititor.Worker/TASKS.md b/src/StellaOps.Excititor.Worker/TASKS.md index b15cf300..8c11fd5f 100644 
--- a/src/StellaOps.Excititor.Worker/TASKS.md +++ b/src/StellaOps.Excititor.Worker/TASKS.md 
@@ -1,10 +1,14 @@ -If you are working on this file you need to read docs/ARCHITECTURE_EXCITITOR.md and ./AGENTS.md). -# TASKS -| Task | Owner(s) | Depends on | Notes | -|---|---|---|---| -|EXCITITOR-WORKER-01-001 – Worker host & scheduling|Team Excititor Worker|EXCITITOR-STORAGE-01-003, EXCITITOR-WEB-01-001|**DONE (2025-10-17)** – Worker project bootstraps provider schedules from configuration, integrates plugin catalog discovery, and emits structured logs/metrics-ready events via `VexWorkerHostedService`; scheduling logic covered by `VexWorkerOptionsTests`.| -|EXCITITOR-WORKER-01-002 – Resume tokens & retry policy|Team Excititor Worker|EXCITITOR-WORKER-01-001|DONE (2025-10-21) – Worker flows resume tokens through `VexConnectorContext`, persists success/failure metadata with jittered exponential backoff and quarantine scheduling, and ships unit coverage for skip/backoff/resume behaviour.| -|EXCITITOR-WORKER-01-003 – Verification & cache GC loops|Team Excititor Worker|EXCITITOR-WORKER-01-001, EXCITITOR-ATTEST-01-003, EXCITITOR-EXPORT-01-002|TODO – Add scheduled attestation re-verification and cache pruning routines, surfacing metrics for export reuse ratios.| -|EXCITITOR-WORKER-01-004 – TTL refresh & stability damper|Team Excititor Worker|EXCITITOR-WORKER-01-001, EXCITITOR-CORE-02-001|DONE (2025-10-21) – Added configurable TTL refresh service with trust-weighted dampers, component fingerprint bypass, and Mongo-backed hold promotion to stabilize consensus updates.| -|EXCITITOR-WORKER-02-001 – Resolve Microsoft.Extensions.Caching.Memory advisory|Team Excititor Worker|EXCITITOR-WORKER-01-001|DONE (2025-10-21) – Upgraded Excititor dependencies to `Microsoft.Extensions.*` 10.0.0-preview.7.25380.108, re-enabled attestation fixtures, and reran worker/webservice regression suites without NU1903 warnings.| -|EXCITITOR-WORKER-02-001-REVIEW – Review Microsoft.Extensions.* upgrade|Team Excititor Worker (Review)|EXCITITOR-WORKER-02-001|TODO – Peer review for dependency 
bump/attestation fixture changes; verify connector coverage updates and approve release note entry.| +# TASKS — Epic 1: Aggregation-Only Contract +| ID | Status | Owner(s) | Depends on | Notes | +|---|---|---|---|---| +| EXCITITOR-WORKER-AOC-19-001 `Raw pipeline rewiring` | TODO | Excititor Worker Guild | EXCITITOR-CORE-AOC-19-001 | Update ingest pipelines to persist upstream documents directly into `vex_raw` via the new repository guard. Remove consensus/folding hooks and ensure retries respect append-only semantics. | +| EXCITITOR-WORKER-AOC-19-002 `Signature & checksum enforcement` | TODO | Excititor Worker Guild | EXCITITOR-WORKER-AOC-19-001 | Add signature verification + checksum computation before writes, capturing failure reasons mapped to `ERR_AOC_005`, with structured logs/metrics for verification results. | +| EXCITITOR-WORKER-AOC-19-003 `Deterministic batching tests` | TODO | QA Guild | EXCITITOR-WORKER-AOC-19-001 | Extend worker integration tests to replay large VEX batches ensuring idempotent upserts, supersedes chaining, and guard enforcement across restart scenarios. | + +## Orchestrator Dashboard + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| EXCITITOR-ORCH-32-001 `Worker SDK adoption` | TODO | Excititor Worker Guild | ORCH-SVC-32-005, WORKER-GO-32-001, WORKER-PY-32-001 | Integrate orchestrator worker SDK in Excititor ingestion jobs, emit heartbeats/progress/artifact hashes, and register source metadata. | +| EXCITITOR-ORCH-33-001 `Control compliance` | TODO | Excititor Worker Guild | EXCITITOR-ORCH-32-001, ORCH-SVC-33-001, ORCH-SVC-33-002 | Honor orchestrator pause/throttle/retry actions, classify error outputs, and persist restart checkpoints. 
|
+| EXCITITOR-ORCH-34-001 `Backfill & circuit breaker` | TODO | Excititor Worker Guild | EXCITITOR-ORCH-33-001, ORCH-SVC-33-003, ORCH-SVC-34-001 | Implement orchestrator-driven backfills, apply circuit breaker reset rules, and ensure artifact dedupe alignment. |
diff --git a/src/StellaOps.ExportCenter.AttestationBundles/AGENTS.md b/src/StellaOps.ExportCenter.AttestationBundles/AGENTS.md
new file mode 100644
index 00000000..03eacc72
--- /dev/null
+++ b/src/StellaOps.ExportCenter.AttestationBundles/AGENTS.md
@@ -0,0 +1,14 @@
+# Attestation Bundle Export Guild Charter
+
+## Mission
+Enable offline transfer and verification of attestations by building signed bundles containing envelopes, issuer metadata, and optional transparency log segments.
+
+## Scope
+- Bundle construction via Export Center, including manifest, checksums, DSSE signatures.
+- CLI tooling for bundle verification and import.
+- Coordination with risk/attestor services for air-gap workflows.
+
+## Definition of Done
+- Bundles build reproducibly with manifest + signatures and pass verification tooling.
+- Importer applies bundles to air-gapped Attestor Store safely.
+- Documentation covers offline workflows with imposed rule banner.
diff --git a/src/StellaOps.ExportCenter.AttestationBundles/TASKS.md b/src/StellaOps.ExportCenter.AttestationBundles/TASKS.md
new file mode 100644
index 00000000..e7420d62
--- /dev/null
+++ b/src/StellaOps.ExportCenter.AttestationBundles/TASKS.md
@@ -0,0 +1,13 @@
+# Attestation Bundle Export Task Board — Epic 19: Attestor Console
+
+## Sprint 74 – Builder
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| EXPORT-ATTEST-74-001 | TODO | Attestation Bundle Guild, Attestor Service Guild | ATTESTOR-73-003 | Implement export job producing attestation bundles with manifest, checksums, DSSE signature, and optional transparency log segments. | Bundle built in staging; manifest recorded; signature verification tests pass. |
+| EXPORT-ATTEST-74-002 | TODO | Attestation Bundle Guild, DevOps Guild | EXPORT-ATTEST-74-001 | Integrate bundle job into CI/offline kit packaging with checksum publication. | Pipeline publishes bundle artifact + checksums; documentation updated. |
+
+## Sprint 75 – Verification & Import
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| EXPORT-ATTEST-75-001 | TODO | Attestation Bundle Guild, CLI Attestor Guild | EXPORT-ATTEST-74-001 | Provide CLI command `stella attest bundle verify/import` for air-gap usage. | CLI verifies/signatures; import seeds attestor store; tests cover corrupted bundle. |
+| EXPORT-ATTEST-75-002 | TODO | Attestation Bundle Guild, Docs Guild | EXPORT-ATTEST-75-001 | Document `/docs/attestor/airgap.md` with bundle workflows and verification steps. | Doc merged with banner; examples verified. |
diff --git a/src/StellaOps.ExportCenter.DevPortalOffline/AGENTS.md b/src/StellaOps.ExportCenter.DevPortalOffline/AGENTS.md
new file mode 100644
index 00000000..48fba6ac
--- /dev/null
+++ b/src/StellaOps.ExportCenter.DevPortalOffline/AGENTS.md
@@ -0,0 +1,14 @@
+# DevPortal Offline Export Guild Charter
+
+## Mission
+Package developer portal assets, OpenAPI specs, and SDK binaries into reproducible bundles for air-gapped environments.
+
+## Scope
+- Integrate with Export Center to produce `devportal --offline` bundles.
+- Manage checksum manifests, DSSE signatures, and provenance.
+- Provide validation tooling for operators importing bundles.
+
+## Definition of Done
+- Offline bundle builds reproducibly with signed manifests and verification scripts.
+- Export job documented and available via CLI/Console.
+- Operators can validate bundle integrity without external services.
diff --git a/src/StellaOps.ExportCenter.DevPortalOffline/TASKS.md b/src/StellaOps.ExportCenter.DevPortalOffline/TASKS.md
new file mode 100644
index 00000000..ba5b1d13
--- /dev/null
+++ b/src/StellaOps.ExportCenter.DevPortalOffline/TASKS.md
@@ -0,0 +1,7 @@
+# DevPortal Offline Export Task Board — Epic 17: SDKs & OpenAPI Docs
+
+## Sprint 64 – Bundle Implementation
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| DVOFF-64-001 | TODO | DevPortal Offline Guild, Exporter Guild | DEVPORT-64-001, SDKREL-64-002 | Implement Export Center job `devportal --offline` bundling portal HTML, specs, SDK artifacts, changelogs, and verification manifest. | Job executes in staging; manifest contains checksums + DSSE signatures; docs updated. |
+| DVOFF-64-002 | TODO | DevPortal Offline Guild, AirGap Controller Guild | DVOFF-64-001 | Provide verification CLI (`stella devportal verify bundle.tgz`) ensuring integrity before import. | CLI command validates signatures; integration test covers corrupted bundle; runbook updated. |
diff --git a/src/StellaOps.ExportCenter.RiskBundles/AGENTS.md b/src/StellaOps.ExportCenter.RiskBundles/AGENTS.md
new file mode 100644
index 00000000..e60ad9b2
--- /dev/null
+++ b/src/StellaOps.ExportCenter.RiskBundles/AGENTS.md
@@ -0,0 +1,14 @@
+# Risk Bundle Export Guild Charter
+
+## Mission
+Produce offline-ready bundles of risk scoring factor datasets and provider metadata for air-gapped environments.
+
+## Scope
+- Export Center job `risk-bundle` that packages KEV/EPSS feeds, reachability indexes, runtime evidence snapshots, and metadata.
+- DSSE signing, checksum manifests, and verification tooling.
+- Coordination with Risk Engine providers to declare required assets and TTLs.
+
+## Definition of Done
+- Bundles build reproducibly with manifests and signatures; verification CLI available.
+- Provider metadata enumerates datasets, TTLs, and schema versions.
+- Air-gapped installations can load bundles and detect missing assets loudly.
diff --git a/src/StellaOps.ExportCenter.RiskBundles/TASKS.md b/src/StellaOps.ExportCenter.RiskBundles/TASKS.md
new file mode 100644
index 00000000..a8036ee6
--- /dev/null
+++ b/src/StellaOps.ExportCenter.RiskBundles/TASKS.md
@@ -0,0 +1,13 @@
+# Risk Bundle Export Task Board — Epic 18: Risk Scoring Profiles
+
+## Sprint 69 – Bundle Builder
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| RISK-BUNDLE-69-001 | TODO | Risk Bundle Export Guild, Risk Engine Guild | RISK-ENGINE-67-003 | Implement `stella export risk-bundle` job producing tarball with provider datasets, manifests, and DSSE signatures. | Bundle builds in staging; manifest lists datasets + TTL; signatures verified. |
+| RISK-BUNDLE-69-002 | TODO | Risk Bundle Export Guild, DevOps Guild | RISK-BUNDLE-69-001 | Integrate bundle job into CI/offline kit pipelines with checksum publication. | CI produces bundle artifact; checksums in release metadata; docs updated. |
+
+## Sprint 70 – Verification & Docs
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| RISK-BUNDLE-70-001 | TODO | Risk Bundle Export Guild, CLI Guild | RISK-BUNDLE-69-001 | Provide CLI `stella risk bundle verify` command to validate bundles before import. | CLI verifies DSSE + checksums; integration tests cover tampered bundle. |
+| RISK-BUNDLE-70-002 | TODO | Risk Bundle Export Guild, Docs Guild | RISK-BUNDLE-69-002 | Publish `/docs/airgap/risk-bundles.md` detailing build/import/verification workflows. | Doc merged with banner; examples validated. |
diff --git a/src/StellaOps.ExportCenter/AGENTS.md b/src/StellaOps.ExportCenter/AGENTS.md
new file mode 100644
index 00000000..ccf7967a
--- /dev/null
+++ b/src/StellaOps.ExportCenter/AGENTS.md
@@ -0,0 +1,18 @@
+# StellaOps Exporter Service — Agent Charter
+
+## Mission
+Deliver the Export Center service described in Epic 10. Provide reproducible, signed bundles (JSON, Trivy DB, mirror) that respect AOC boundaries, tenant isolation, and imposed rule propagation across all consuming components.
+
+## Key Responsibilities
+- Maintain planner, adapters, signing, and distribution layers for export profiles.
+- Coordinate with Orchestrator for job scheduling, Findings Ledger for data streaming, Policy Engine/VEX Lens for snapshots, and Authority for RBAC scopes.
+- Guarantee deterministic outputs, provenance, and cryptographic signatures for every export profile.
+- Support Console/CLI experiences, DevOps automation, and Offline Kit packaging without violating sovereignty or redaction requirements.
+
+## Module Layout
+- `StellaOps.ExportCenter.Core/` — export profile domain logic, planners, and validation.
+- `StellaOps.ExportCenter.Infrastructure/` — storage providers, signing adapters, integration clients.
+- `StellaOps.ExportCenter.WebService/` — REST API surface (profiles, runs, downloads, SSE).
+- `StellaOps.ExportCenter.Worker/` — export execution pipelines and background schedulers.
+- `StellaOps.ExportCenter.Tests/` — unit tests and future fixture harnesses.
+- `StellaOps.ExportCenter.sln` — module solution wiring projects together.
diff --git a/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/Class1.cs b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/Class1.cs
new file mode 100644
index 00000000..aefce068
--- /dev/null
+++ b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/Class1.cs
@@ -0,0 +1,6 @@
+namespace StellaOps.ExportCenter.Core;
+
+public class Class1
+{
+
+}
diff --git a/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/StellaOps.ExportCenter.Core.csproj b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/StellaOps.ExportCenter.Core.csproj
new file mode 100644
index 00000000..fe0eef44
--- /dev/null
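Review bot: `Class1` in StellaOps.ExportCenter.Core is the untouched `dotnet new` placeholder with no members, and the same scaffolding is committed as StellaOps.ExportCenter.Infrastructure/Class1.cs, the body-less `Test1` in StellaOps.ExportCenter.Tests/UnitTest1.cs, and the template one-second logging loop in StellaOps.ExportCenter.Worker/Worker.cs. An empty public class becomes part of the assembly's public surface, and an always-green empty test gives CI a misleading pass signal for a module whose charter (AGENTS.md in this commit) promises signing and tenant isolation. Either drop the placeholders until the first real type lands, or mark each with `// TODO: template placeholder — remove once Export Center domain types exist` so the hollow module stays visible in review.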
+++ b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Core/StellaOps.ExportCenter.Core.csproj @@ -0,0 +1,18 @@ + + + + + + + + + net10.0 + enable + enable + preview + true + + + + + diff --git a/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Infrastructure/Class1.cs b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Infrastructure/Class1.cs new file mode 100644 index 00000000..4fc16d93 --- /dev/null +++ b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Infrastructure/Class1.cs @@ -0,0 +1,6 @@ +namespace StellaOps.ExportCenter.Infrastructure; + +public class Class1 +{ + +} diff --git a/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Infrastructure/StellaOps.ExportCenter.Infrastructure.csproj b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Infrastructure/StellaOps.ExportCenter.Infrastructure.csproj new file mode 100644 index 00000000..b432e2f7 --- /dev/null +++ b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Infrastructure/StellaOps.ExportCenter.Infrastructure.csproj @@ -0,0 +1,28 @@ + + + + + + + + + + + + + + + + + + + net10.0 + enable + enable + preview + true + + + + + diff --git a/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/StellaOps.ExportCenter.Tests.csproj b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/StellaOps.ExportCenter.Tests.csproj new file mode 100644 index 00000000..3f49694b --- /dev/null +++ b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/StellaOps.ExportCenter.Tests.csproj @@ -0,0 +1,135 @@ + + + + + + + + + + + + + Exe + + + + + false + + + + + + + + + + + + + + net10.0 + + + enable + + + enable + + + false + + + preview + + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/UnitTest1.cs b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/UnitTest1.cs
new file mode 100644
index 00000000..3f25849f
--- /dev/null
+++ b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/UnitTest1.cs
@@ -0,0 +1,10 @@
+namespace StellaOps.ExportCenter.Tests;
+
+public class UnitTest1
+{
+ [Fact]
+ public void Test1()
+ {
+
+ }
+}
diff --git a/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/xunit.runner.json b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/xunit.runner.json
new file mode 100644
index 00000000..86c7ea05
--- /dev/null
+++ b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Tests/xunit.runner.json
@@ -0,0 +1,3 @@
+{
+ "$schema": "https://xunit.net/schema/current/xunit.runner.schema.json"
+}
diff --git a/src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Program.cs b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Program.cs
new file mode 100644
index 00000000..ee9d65d6
--- /dev/null
+++ b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Program.cs
@@ -0,0 +1,41 @@
+var builder = WebApplication.CreateBuilder(args);
+
+// Add services to the container.
+// Learn more about configuring OpenAPI at https://aka.ms/aspnet/openapi
+builder.Services.AddOpenApi();
+
+var app = builder.Build();
+
+// Configure the HTTP request pipeline.
+if (app.Environment.IsDevelopment())
+{
+ app.MapOpenApi();
+}
+
+app.UseHttpsRedirection();
+
+var summaries = new[]
+{
+ "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
+};
+
+app.MapGet("/weatherforecast", () =>
+{
+ var forecast = Enumerable.Range(1, 5).Select(index =>
+ new WeatherForecast
+ (
+ DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
+ Random.Shared.Next(-20, 55),
+ summaries[Random.Shared.Next(summaries.Length)]
+ ))
+ .ToArray();
+ return forecast;
+})
+.WithName("GetWeatherForecast");
+
+app.Run();
+
+record WeatherForecast(DateOnly Date, int TemperatureC, string? Summary)
+{
+ public int TemperatureF => 32 + (int)(TemperatureC / 0.5556);
+}
diff --git a/src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Properties/launchSettings.json b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Properties/launchSettings.json
new file mode 100644
index 00000000..b656f2fa
--- /dev/null
+++ b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/Properties/launchSettings.json
@@ -0,0 +1,23 @@
+{
+ "$schema": "https://json.schemastore.org/launchsettings.json",
+ "profiles": {
+ "http": {
+ "commandName": "Project",
+ "dotnetRunMessages": true,
+ "launchBrowser": false,
+ "applicationUrl": "http://localhost:5269",
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ },
+ "https": {
+ "commandName": "Project",
+ "dotnetRunMessages": true,
+ "launchBrowser": false,
+ "applicationUrl": "https://localhost:7218;http://localhost:5269",
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ }
+ }
+}
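Review bot: The WebService pipeline registers no authentication or authorization at all — the only service is `builder.Services.AddOpenApi()` and the only middleware is `app.UseHttpsRedirection()` — while the StellaOps.ExportCenter/AGENTS.md added in this same commit lists Authority RBAC scopes and tenant isolation as core responsibilities, so the first real endpoint mapped here will be anonymous unless the author remembers to wire it later. The `/weatherforecast` handler and the `WeatherForecast` record are `dotnet new webapi` leftovers and should be deleted rather than shipped as a reachable unauthenticated endpoint; if any sample stays, `DateTime.Now` should be `DateTime.UtcNow` for non-UI code. I would put the auth registration and middleware in now, before any Export Center endpoint exists, and make `.RequireAuthorization()` the default on every map so a missing scope is a compile-time-visible omission rather than a runtime surprise. The exact Authority bearer scheme is not visible in this diff, so it is left as a marked placeholder below.

```csharp
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddOpenApi();
builder.Services.AddAuthentication(/* TODO: Authority bearer scheme — placeholder, configure per Authority docs */);
builder.Services.AddAuthorization();
// … unchanged: Build(), MapOpenApi() in Development …
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();
// … Export Center endpoints go here, each ending in .RequireAuthorization() …
app.Run();
```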
diff --git a/src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj new file mode 100644 index 00000000..1ed273c2 --- /dev/null +++ b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.csproj @@ -0,0 +1,41 @@ + + + + + + + + + net10.0 + enable + enable + preview + true + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.http b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.http new file mode 100644 index 00000000..25c6b96f --- /dev/null +++ b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/StellaOps.ExportCenter.WebService.http @@ -0,0 +1,6 @@ +@StellaOps.ExportCenter.WebService_HostAddress = http://localhost:5269 + +GET {{StellaOps.ExportCenter.WebService_HostAddress}}/weatherforecast/ +Accept: application/json + +### diff --git a/src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/appsettings.Development.json b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/appsettings.Development.json new file mode 100644 index 00000000..0c208ae9 --- /dev/null +++ b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/appsettings.Development.json @@ -0,0 +1,8 @@ +{ + "Logging": { + "LogLevel": { + "Default": "Information", + "Microsoft.AspNetCore": "Warning" + } + } +} diff --git a/src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/appsettings.json b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/appsettings.json new file mode 100644 index 00000000..10f68b8c --- /dev/null +++ b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.WebService/appsettings.json 
@@ -0,0 +1,9 @@ +{ + "Logging": { + "LogLevel": { + "Default": "Information", + "Microsoft.AspNetCore": "Warning" + } + }, + "AllowedHosts": "*" +} diff --git a/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/Program.cs b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/Program.cs new file mode 100644 index 00000000..5063a5e6 --- /dev/null +++ b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/Program.cs @@ -0,0 +1,7 @@ +using StellaOps.ExportCenter.Worker; + +var builder = Host.CreateApplicationBuilder(args); +builder.Services.AddHostedService(); + +var host = builder.Build(); +host.Run(); diff --git a/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/Properties/launchSettings.json b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/Properties/launchSettings.json new file mode 100644 index 00000000..6c1d7060 --- /dev/null +++ b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/Properties/launchSettings.json @@ -0,0 +1,12 @@ +{ + "$schema": "https://json.schemastore.org/launchsettings.json", + "profiles": { + "StellaOps.ExportCenter.Worker": { + "commandName": "Project", + "dotnetRunMessages": true, + "environmentVariables": { + "DOTNET_ENVIRONMENT": "Development" + } + } + } +} diff --git a/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/StellaOps.ExportCenter.Worker.csproj b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/StellaOps.ExportCenter.Worker.csproj new file mode 100644 index 00000000..5873d8ac --- /dev/null +++ b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/StellaOps.ExportCenter.Worker.csproj @@ -0,0 +1,43 @@ + + + + + + + + + dotnet-StellaOps.ExportCenter.Worker-d4cfd239-79d1-4d17-91d6-bb7a78770695 + + + net10.0 + enable + enable + preview + true + + + + + + + + + + + + + + + + + + + + + + + + + + + 
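Review bot: `"AllowedHosts": "*"` in the WebService `appsettings.json` turns off Host-header filtering, which is the template default rather than a deliberate choice for a service that TASKS.md expects to sit behind RBAC and audit logging. Override it in the production configuration with the service's real hostnames as a semicolon-separated list so the host-filtering middleware rejects requests carrying unexpected Host values, and leave `*` only in `appsettings.Development.json` if local tooling needs it.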
diff --git a/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/Worker.cs b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/Worker.cs
new file mode 100644
index 00000000..db9f59a2
--- /dev/null
+++ b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/Worker.cs
@@ -0,0 +1,16 @@
+namespace StellaOps.ExportCenter.Worker;
+
+public class Worker(ILogger logger) : BackgroundService
+{
+ protected override async Task ExecuteAsync(CancellationToken stoppingToken)
+ {
+ while (!stoppingToken.IsCancellationRequested)
+ {
+ if (logger.IsEnabled(LogLevel.Information))
+ {
+ logger.LogInformation("Worker running at: {time}", DateTimeOffset.Now);
+ }
+ await Task.Delay(1000, stoppingToken);
+ }
+ }
+}
diff --git a/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/appsettings.Development.json b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/appsettings.Development.json
new file mode 100644
index 00000000..b2dcdb67
--- /dev/null
+++ b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/appsettings.Development.json
@@ -0,0 +1,8 @@
+{
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft.Hosting.Lifetime": "Information"
+ }
+ }
+}
diff --git a/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/appsettings.json b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/appsettings.json
new file mode 100644
index 00000000..b2dcdb67
--- /dev/null
+++ b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.Worker/appsettings.json
@@ -0,0 +1,8 @@
+{
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft.Hosting.Lifetime": "Information"
+ }
+ }
+}
diff --git a/src/StellaOps.ExportCenter/StellaOps.ExportCenter.sln b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.sln
new file mode 100644
index 00000000..d93aecd8
--- /dev/null
+++ b/src/StellaOps.ExportCenter/StellaOps.ExportCenter.sln
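Review bot: `DateTimeOffset.Now` in the `LogInformation` call inside `ExecuteAsync` emits a local-zone timestamp; for a worker whose logs are meant to be correlated with other services (TASKS.md EXPORT-OBS-50-001 asks for trace-linked telemetry) use `DateTimeOffset.UtcNow`, and name the placeholder `{Time}` so structured log properties follow the usual PascalCase convention. The one-second `Task.Delay` loop is the Worker template placeholder; a short class comment such as `// Template scaffold: replaced by the export run loop in EXPORT-SVC-35-001` would stop it being read as intended behaviour. Both `ILogger logger` here and `AddHostedService()` in the Worker's `Program.cs` appear without generic type arguments, which is probably the rendering stripping angle brackets, but if it is not, the code will not compile as shown and should read `ILogger<Worker>` and `AddHostedService<Worker>()`.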
@@ -0,0 +1,90 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 17 +VisualStudioVersion = 17.0.31903.59 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.ExportCenter.Core", "StellaOps.ExportCenter.Core\StellaOps.ExportCenter.Core.csproj", "{A8B060F0-BD04-4CFB-BC99-C31AE6C9C8F5}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.ExportCenter.Infrastructure", "StellaOps.ExportCenter.Infrastructure\StellaOps.ExportCenter.Infrastructure.csproj", "{2DB372A2-C0AD-48D6-875C-CDEB01CC7AFB}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.ExportCenter.WebService", "StellaOps.ExportCenter.WebService\StellaOps.ExportCenter.WebService.csproj", "{A1460E98-EDED-42BE-ACF8-896ED94053F1}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.ExportCenter.Worker", "StellaOps.ExportCenter.Worker\StellaOps.ExportCenter.Worker.csproj", "{73531B46-E364-4C0F-B84C-8BDCF3E16051}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.ExportCenter.Tests", "StellaOps.ExportCenter.Tests\StellaOps.ExportCenter.Tests.csproj", "{1201F1ED-F35A-4F12-B662-BB616122A2F2}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Any CPU = Debug|Any CPU + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|Any CPU = Release|Any CPU + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {A8B060F0-BD04-4CFB-BC99-C31AE6C9C8F5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {A8B060F0-BD04-4CFB-BC99-C31AE6C9C8F5}.Debug|Any CPU.Build.0 = Debug|Any CPU + {A8B060F0-BD04-4CFB-BC99-C31AE6C9C8F5}.Debug|x64.ActiveCfg = Debug|Any CPU + {A8B060F0-BD04-4CFB-BC99-C31AE6C9C8F5}.Debug|x64.Build.0 = Debug|Any CPU + {A8B060F0-BD04-4CFB-BC99-C31AE6C9C8F5}.Debug|x86.ActiveCfg = Debug|Any CPU + 
{A8B060F0-BD04-4CFB-BC99-C31AE6C9C8F5}.Debug|x86.Build.0 = Debug|Any CPU + {A8B060F0-BD04-4CFB-BC99-C31AE6C9C8F5}.Release|Any CPU.ActiveCfg = Release|Any CPU + {A8B060F0-BD04-4CFB-BC99-C31AE6C9C8F5}.Release|Any CPU.Build.0 = Release|Any CPU + {A8B060F0-BD04-4CFB-BC99-C31AE6C9C8F5}.Release|x64.ActiveCfg = Release|Any CPU + {A8B060F0-BD04-4CFB-BC99-C31AE6C9C8F5}.Release|x64.Build.0 = Release|Any CPU + {A8B060F0-BD04-4CFB-BC99-C31AE6C9C8F5}.Release|x86.ActiveCfg = Release|Any CPU + {A8B060F0-BD04-4CFB-BC99-C31AE6C9C8F5}.Release|x86.Build.0 = Release|Any CPU + {2DB372A2-C0AD-48D6-875C-CDEB01CC7AFB}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {2DB372A2-C0AD-48D6-875C-CDEB01CC7AFB}.Debug|Any CPU.Build.0 = Debug|Any CPU + {2DB372A2-C0AD-48D6-875C-CDEB01CC7AFB}.Debug|x64.ActiveCfg = Debug|Any CPU + {2DB372A2-C0AD-48D6-875C-CDEB01CC7AFB}.Debug|x64.Build.0 = Debug|Any CPU + {2DB372A2-C0AD-48D6-875C-CDEB01CC7AFB}.Debug|x86.ActiveCfg = Debug|Any CPU + {2DB372A2-C0AD-48D6-875C-CDEB01CC7AFB}.Debug|x86.Build.0 = Debug|Any CPU + {2DB372A2-C0AD-48D6-875C-CDEB01CC7AFB}.Release|Any CPU.ActiveCfg = Release|Any CPU + {2DB372A2-C0AD-48D6-875C-CDEB01CC7AFB}.Release|Any CPU.Build.0 = Release|Any CPU + {2DB372A2-C0AD-48D6-875C-CDEB01CC7AFB}.Release|x64.ActiveCfg = Release|Any CPU + {2DB372A2-C0AD-48D6-875C-CDEB01CC7AFB}.Release|x64.Build.0 = Release|Any CPU + {2DB372A2-C0AD-48D6-875C-CDEB01CC7AFB}.Release|x86.ActiveCfg = Release|Any CPU + {2DB372A2-C0AD-48D6-875C-CDEB01CC7AFB}.Release|x86.Build.0 = Release|Any CPU + {A1460E98-EDED-42BE-ACF8-896ED94053F1}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {A1460E98-EDED-42BE-ACF8-896ED94053F1}.Debug|Any CPU.Build.0 = Debug|Any CPU + {A1460E98-EDED-42BE-ACF8-896ED94053F1}.Debug|x64.ActiveCfg = Debug|Any CPU + {A1460E98-EDED-42BE-ACF8-896ED94053F1}.Debug|x64.Build.0 = Debug|Any CPU + {A1460E98-EDED-42BE-ACF8-896ED94053F1}.Debug|x86.ActiveCfg = Debug|Any CPU + {A1460E98-EDED-42BE-ACF8-896ED94053F1}.Debug|x86.Build.0 = Debug|Any CPU + 
{A1460E98-EDED-42BE-ACF8-896ED94053F1}.Release|Any CPU.ActiveCfg = Release|Any CPU + {A1460E98-EDED-42BE-ACF8-896ED94053F1}.Release|Any CPU.Build.0 = Release|Any CPU + {A1460E98-EDED-42BE-ACF8-896ED94053F1}.Release|x64.ActiveCfg = Release|Any CPU + {A1460E98-EDED-42BE-ACF8-896ED94053F1}.Release|x64.Build.0 = Release|Any CPU + {A1460E98-EDED-42BE-ACF8-896ED94053F1}.Release|x86.ActiveCfg = Release|Any CPU + {A1460E98-EDED-42BE-ACF8-896ED94053F1}.Release|x86.Build.0 = Release|Any CPU + {73531B46-E364-4C0F-B84C-8BDCF3E16051}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {73531B46-E364-4C0F-B84C-8BDCF3E16051}.Debug|Any CPU.Build.0 = Debug|Any CPU + {73531B46-E364-4C0F-B84C-8BDCF3E16051}.Debug|x64.ActiveCfg = Debug|Any CPU + {73531B46-E364-4C0F-B84C-8BDCF3E16051}.Debug|x64.Build.0 = Debug|Any CPU + {73531B46-E364-4C0F-B84C-8BDCF3E16051}.Debug|x86.ActiveCfg = Debug|Any CPU + {73531B46-E364-4C0F-B84C-8BDCF3E16051}.Debug|x86.Build.0 = Debug|Any CPU + {73531B46-E364-4C0F-B84C-8BDCF3E16051}.Release|Any CPU.ActiveCfg = Release|Any CPU + {73531B46-E364-4C0F-B84C-8BDCF3E16051}.Release|Any CPU.Build.0 = Release|Any CPU + {73531B46-E364-4C0F-B84C-8BDCF3E16051}.Release|x64.ActiveCfg = Release|Any CPU + {73531B46-E364-4C0F-B84C-8BDCF3E16051}.Release|x64.Build.0 = Release|Any CPU + {73531B46-E364-4C0F-B84C-8BDCF3E16051}.Release|x86.ActiveCfg = Release|Any CPU + {73531B46-E364-4C0F-B84C-8BDCF3E16051}.Release|x86.Build.0 = Release|Any CPU + {1201F1ED-F35A-4F12-B662-BB616122A2F2}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {1201F1ED-F35A-4F12-B662-BB616122A2F2}.Debug|Any CPU.Build.0 = Debug|Any CPU + {1201F1ED-F35A-4F12-B662-BB616122A2F2}.Debug|x64.ActiveCfg = Debug|Any CPU + {1201F1ED-F35A-4F12-B662-BB616122A2F2}.Debug|x64.Build.0 = Debug|Any CPU + {1201F1ED-F35A-4F12-B662-BB616122A2F2}.Debug|x86.ActiveCfg = Debug|Any CPU + {1201F1ED-F35A-4F12-B662-BB616122A2F2}.Debug|x86.Build.0 = Debug|Any CPU + {1201F1ED-F35A-4F12-B662-BB616122A2F2}.Release|Any CPU.ActiveCfg = Release|Any CPU + 
{1201F1ED-F35A-4F12-B662-BB616122A2F2}.Release|Any CPU.Build.0 = Release|Any CPU + {1201F1ED-F35A-4F12-B662-BB616122A2F2}.Release|x64.ActiveCfg = Release|Any CPU + {1201F1ED-F35A-4F12-B662-BB616122A2F2}.Release|x64.Build.0 = Release|Any CPU + {1201F1ED-F35A-4F12-B662-BB616122A2F2}.Release|x86.ActiveCfg = Release|Any CPU + {1201F1ED-F35A-4F12-B662-BB616122A2F2}.Release|x86.Build.0 = Release|Any CPU + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection +EndGlobal diff --git a/src/StellaOps.ExportCenter/TASKS.md b/src/StellaOps.ExportCenter/TASKS.md new file mode 100644 index 00000000..fbe6a955 --- /dev/null +++ b/src/StellaOps.ExportCenter/TASKS.md 
@@ -0,0 +1,76 @@ +# Exporter Service Task Board — Epic 10: Export Center + +## Sprint 35 – Foundations (JSON + Mirror Full, Download Only) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| EXPORT-SVC-35-001 | TODO | Exporter Service Guild | ORCH-SVC-35-101, LEDGER-EXPORT-35-001 | Bootstrap exporter service project, configuration, and Postgres migrations for `export_profiles`, `export_runs`, `export_inputs`, `export_distributions` with tenant scoping + tests. | Service builds/tests; migrations generated with scripts; baseline integration test seeds schema; compliance checklist recorded. | +| EXPORT-SVC-35-002 | TODO | Exporter Service Guild | EXPORT-SVC-35-001 | Implement planner + scope resolver translating filters into ledger iterators and orchestrator job payloads; include deterministic sampling and validation. | Planner passes unit/property tests; orchestrator contract documented; filter validation errors mapped. | +| EXPORT-SVC-35-003 | TODO | Exporter Service Guild | EXPORT-SVC-35-002 | Deliver JSON adapters (`json:raw`, `json:policy`) with canonical normalization, redaction allowlists, compression, and manifest counts. | JSONL outputs deterministic; redaction enforced; unit/integration tests cover advisories/VEX/SBOM/findings. | +| EXPORT-SVC-35-004 | TODO | Exporter Service Guild | EXPORT-SVC-35-002 | Build mirror (full) adapter producing filesystem layout, indexes, manifests, and README with download-only distribution. | Mirror bundle passes integration tests; indexes generated; manifest validated; docs cross-referenced. | +| EXPORT-SVC-35-005 | TODO | Exporter Service Guild | EXPORT-SVC-35-003 | Implement manifest/provenance writer and KMS signing/attestation (detached + embedded) for bundle outputs. | `export.json`/`provenance.json` generated with hashes; signatures produced via KMS; verification test passes. 
| +| EXPORT-SVC-35-006 | TODO | Exporter Service Guild | EXPORT-SVC-35-001..005 | Expose Export API (profiles, runs, download, SSE updates) with audit logging, concurrency controls, and viewer/operator RBAC integration. | OpenAPI published; SSE stream validated; audit logs captured; rate limits enforced in tests. | + +## Sprint 36 – Trivy + Distribution +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| EXPORT-SVC-36-001 | TODO | Exporter Service Guild | EXPORT-SVC-35-002 | Implement Trivy DB adapter (core) with schema mappings, version flag gating, and validation harness. | Trivy bundle builds for fixtures; compatibility tests against reference Trivy; errors surfaced for unknown schema. | +| EXPORT-SVC-36-002 | TODO | Exporter Service Guild | EXPORT-SVC-36-001 | Add Trivy Java DB variant with shared manifest entries and adapter regression tests. | Java DB bundle produced when enabled; manifest annotated; integration tests cover optional config. | +| EXPORT-SVC-36-003 | TODO | Exporter Service Guild | EXPORT-SVC-35-006 | Build OCI distribution engine (manifests, descriptors, annotations) with registry auth support and retries. | OCI push works in integration tests; annotations present; retry/backoff validated. | +| EXPORT-SVC-36-004 | TODO | Exporter Service Guild | EXPORT-SVC-36-003 | Extend planner/run lifecycle for distribution targets (OCI/object storage) with idempotent metadata updates and retention timestamps. | Export runs track distribution state; object storage writer tested; retention metadata stored. 
| + +## Sprint 37 – Delta, Encryption, Scheduling, GA +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| EXPORT-SVC-37-001 | TODO | Exporter Service Guild | EXPORT-SVC-35-004 | Implement mirror delta adapter with base manifest comparison, change set generation, and content-addressed reuse. | Delta bundles generated with accurate adds/removes; manifest references base export; tests cover large datasets. | +| EXPORT-SVC-37-002 | TODO | Exporter Service Guild | EXPORT-SVC-35-005, AUTH-EXPORT-37-001 | Add bundle encryption (age/AES-GCM), key wrapping via KMS, and verification tooling for encrypted outputs. | Encrypted bundles produced; decrypt tool validated; key rotation tests pass. | +| EXPORT-SVC-37-003 | TODO | Exporter Service Guild | ORCH-SVC-37-101 | Implement export scheduling (cron/event), retention pruning, retry idempotency, and failure classification. | Schedules persisted; retention jobs prune data; retries clean; metrics/logs emitted. | +| EXPORT-SVC-37-004 | TODO | Exporter Service Guild | EXPORT-SVC-35-005 | Provide verification API to stream manifests/hashes, compute hash+signature checks, and return attest status for CLI/UI. | Verification endpoint live; integration tests cover success/failure; metrics track verify attempts. | + +## CLI Parity & Task Packs Integration +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| EXPORT-SVC-43-001 | TODO | Exporter Service Guild | PACKS-REG-41-001, TASKRUN-41-001 | Integrate pack run manifests/artifacts into export bundles and CLI verification flows; expose provenance links. | Pack run exports available; manifests signed; CLI verify uses exports; tests cover workflow. 
| + +## Authority-Backed Scopes & Tenancy (Epic 14) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| EXPORT-TEN-48-001 | TODO | Exporter Service Guild | WEB-TEN-48-001 | Prefix artifacts/manifests with tenant/project, enforce scope checks, and prevent cross-tenant exports unless explicitly whitelisted; update provenance. | Exports contain tenant id; cross-tenant attempt denied; tests cover scope enforcement. | + +## Observability & Forensics (Epic 15) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| EXPORT-OBS-50-001 | TODO | Exporter Service Guild, Observability Guild | TELEMETRY-OBS-50-001, TELEMETRY-OBS-50-002 | Adopt telemetry core in exporter service + workers, ensuring spans/logs capture profile id, tenant, artifact counts, distribution type, and trace IDs. | Telemetry confirmed via integration tests; logging contract validated; CLI trace linking works. | +| EXPORT-OBS-51-001 | TODO | Exporter Service Guild, DevOps Guild | EXPORT-OBS-50-001, TELEMETRY-OBS-51-001 | Emit metrics for export planner latency, bundle build time, distribution success rate, bundle size, and define SLOs (bundle availability P95 <90s). Add Grafana dashboards + burn-rate alerts. | Metrics visible; alerts tested; documentation updated. | +| EXPORT-OBS-52-001 | TODO | Exporter Service Guild | EXPORT-OBS-50-001, TIMELINE-OBS-52-002 | Publish timeline events for export lifecycle (`export.requested`, `export.built`, `export.distributed`, `export.failed`) embedding manifest hashes and evidence refs. Provide dedupe + retry logic. | Timeline events verified; duplicates suppressed; docs record schema. 
| +| EXPORT-OBS-53-001 | TODO | Exporter Service Guild, Evidence Locker Guild | EXPORT-OBS-52-001, EVID-OBS-53-002 | Push export manifests + distribution transcripts to evidence locker bundles, ensuring Merkle root alignment and DSSE pre-sign data available. | Evidence bundles include export data; manifests deterministic; integration tests pass. | +| EXPORT-OBS-54-001 | TODO | Exporter Service Guild, Provenance Guild | EXPORT-OBS-53-001, PROV-OBS-53-002 | Produce DSSE attestations for each export artifact and distribution target, expose verification API `/exports/{id}/attestation`, and integrate with CLI verify path. | Attestations generated/verified; API live; CLI integration tests updated. | +| EXPORT-OBS-55-001 | TODO | Exporter Service Guild, DevOps Guild | EXPORT-OBS-51-001, DEVOPS-OBS-55-001 | Add incident mode enhancements (extra tracing for slow exports, additional debug logs, retention bump). Emit incident activation events to timeline + notifier. | Incident mode validated; extra telemetry captured; events observed. | + +## Air-Gapped Mode (Epic 16) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| EXPORT-AIRGAP-56-001 | TODO | Exporter Service Guild, Mirror Creator Guild | MIRROR-CRT-56-001, AIRGAP-IMP-56-001 | Extend Export Center to build Mirror Bundles as export profiles, including advisories/VEX/policy packs manifesting DSSE/TUF metadata. | Export profile produces bundle matching mirror spec; verification succeeds; audit entry stored. | +| EXPORT-AIRGAP-56-002 | TODO | Exporter Service Guild, DevOps Guild | EXPORT-AIRGAP-56-001, DEVOPS-OBS-50-003 | Package Bootstrap Pack (images + charts) into OCI archives with signed manifests for air-gapped deployment. | Bootstrap pack generated; digests recorded; documentation stubbed. 
| +| EXPORT-AIRGAP-57-001 | TODO | Exporter Service Guild, Evidence Locker Guild | EXPORT-AIRGAP-56-001, EVID-OBS-54-002 | Integrate portable evidence export mode producing sealed evidence bundles with DSSE signatures and chain-of-custody metadata. | Portable bundles generated and verified; CLI/Console flows consume exports; tests cover tampering. | +| EXPORT-AIRGAP-58-001 | TODO | Exporter Service Guild, Notifications Guild | EXPORT-AIRGAP-56-001, NOTIFY-OBS-51-001 | Emit notifications and timeline events when Mirror Bundles or Bootstrap packs are ready for transfer. | Notifications delivered with links; timeline events recorded; metrics updated. | + +## SDKs & OpenAPI (Epic 17) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| EXPORT-OAS-61-001 | TODO | Exporter Service Guild, API Contracts Guild | OAS-61-001 | Update Exporter OAS covering profiles, runs, downloads, devportal exports with standard error envelope and examples. | Spec complete; lint passes; examples validated. | +| EXPORT-OAS-61-002 | TODO | Exporter Service Guild | EXPORT-OAS-61-001 | Provide `/.well-known/openapi` discovery endpoint with version metadata and ETag. | Endpoint deployed; contract tests cover discovery. | +| EXPORT-OAS-62-001 | TODO | Exporter Service Guild, SDK Generator Guild | EXPORT-OAS-61-001, SDKGEN-63-001 | Ensure SDKs include export profile/run clients with streaming download helpers; add smoke tests. | SDK tests download/export artifact; documentation includes snippets. | +| EXPORT-OAS-63-001 | TODO | Exporter Service Guild, API Governance Guild | APIGOV-63-001 | Implement deprecation headers and notifications for legacy export endpoints. | Headers emitted; notifications pipeline validated. 
| + +## Risk Profiles (Epic 18) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| EXPORT-RISK-69-001 | TODO | Exporter Service Guild, Risk Bundle Export Guild | RISK-BUNDLE-69-001 | Add Export Center job handler `risk-bundle` with provider selection, manifest signing, and audit logging. | Job deploys; manifest stored; audit logs include actor and scope. | +| EXPORT-RISK-69-002 | TODO | Exporter Service Guild, Risk Engine Guild | EXPORT-RISK-69-001 | Enable simulation report exports pulling scored data + explainability snapshots. | Simulation exports available via API/CLI; tests ensure deterministic output. | +| EXPORT-RISK-70-001 | TODO | Exporter Service Guild, DevOps Guild | EXPORT-RISK-69-001 | Integrate risk bundle builds into offline kit packaging with checksum verification. | Offline kit includes risk bundle; verification pipeline passes; docs updated. | + +## Attestor Console (Epic 19) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| EXPORT-ATTEST-74-001 | TODO | Exporter Service Guild, Attestation Bundle Guild | ATTESTOR-74-002 | Implement attestation bundle export job via Export Center. | Job builds bundle; manifest signed; tests pass. | +| EXPORT-ATTEST-75-001 | TODO | Exporter Service Guild | EXPORT-ATTEST-74-001 | Integrate attestation bundles into offline kit flows and CLI commands. | Offline kit updated; CLI `export attestation-bundle` operational; docs refreshed. | diff --git a/src/StellaOps.Findings.Ledger/AGENTS.md b/src/StellaOps.Findings.Ledger/AGENTS.md new file mode 100644 index 00000000..7ff60067 --- /dev/null +++ b/src/StellaOps.Findings.Ledger/AGENTS.md 
@@ -0,0 +1,33 @@ +# Findings Ledger Guild Charter (Epic 6) + +## Mission +Operate the append-only Findings Ledger and projection pipeline powering the Vulnerability Explorer. The guild guarantees immutable audit history, deterministic projections, and compliance with AOC guardrails while exposing workflow APIs. + +## Scope +- Service code under `src/StellaOps.Findings.Ledger` (event API, projector, migrations, crypto hashing). +- Ledger storage schemas, Merkle anchoring jobs, retention policies, and replay tooling. +- Projection pipeline writing `findings_projection` collections/tables consumed by Vuln Explorer API and Console. +- Collaboration with Conseiller, Excitator, SBOM Service, Policy Engine, Scheduler, Authority, and DevOps for evidence feeds and policy events. + +## Principles +1. **Immutability** – Ledger events are append-only, hashed, and chained; projections derive from ledger plus policy inputs. +2. **Determinism** – Replaying the same event stream yields identical projections and bundle outputs; hashing uses canonical JSON. +3. **Tenant isolation** – Separate namespaces per tenant in storage, queue, and Merkle anchoring artefacts. +4. **AOC alignment** – Ledger records workflow only; evidence remains in Conseiller/Excitator/SBOM stores; no mutation of source facts. +5. **Auditability** – Provide verifiable hashes, Merkle roots, and replay tooling for auditors. + +## Collaboration +- Keep `src/StellaOps.Findings.Ledger/TASKS.md`, `SPRINTS.md` synchronized. +- Publish schema docs, migrators, and replay scripts; coordinate with Vuln Explorer API on projection contracts. +- Notify DevOps/Docs when Merkle root anchoring cadence or format changes. + +## Tooling +- .NET 10 preview minimal API/background services. +- PostgreSQL (preferred) or Mongo for ledger + projection tables with JSONB support. +- Hashing utilities (SHA-256, Merkle tree), KMS integration for evidence bundle signing metadata. 
+ +## Definition of Done +- Ledger endpoints and projector pass unit/integration/property tests. +- Hash chains verified in CI; Merkle root anchoring automated. +- Telemetry (latency, backlog, anchor success) wired with dashboards. +- Docs/runbooks updated with compliance checklist. diff --git a/src/StellaOps.Findings.Ledger/TASKS.md b/src/StellaOps.Findings.Ledger/TASKS.md new file mode 100644 index 00000000..4daf182c --- /dev/null +++ b/src/StellaOps.Findings.Ledger/TASKS.md 
@@ -0,0 +1,73 @@ +# Findings Ledger Task Board — Epic 6: Vulnerability Explorer +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| LEDGER-29-001 | TODO | Findings Ledger Guild | AUTH-POLICY-27-001 | Design ledger & projection schemas (tables/indexes), canonical JSON format, hashing strategy, and migrations. Publish schema doc + fixtures. | Schemas committed; migrations generated; hashing documented; fixtures seeded for CI. | +| LEDGER-29-002 | TODO | Findings Ledger Guild | LEDGER-29-001 | Implement ledger write API (`POST /vuln/ledger/events`) with validation, idempotency, hash chaining, and Merkle root computation job. | Events persisted with chained hashes; Merkle job emits anchors; unit/integration tests cover happy/pathological cases. | +| LEDGER-29-003 | TODO | Findings Ledger Guild, Scheduler Guild | LEDGER-29-001 | Build projector worker that derives `findings_projection` rows from ledger events + policy determinations; ensure idempotent replay keyed by `(tenant,finding_id,policy_version)`. | Projector processes sample streams deterministically; replay tests pass; metrics exported. | +| LEDGER-29-004 | TODO | Findings Ledger Guild, Policy Guild | LEDGER-29-003, POLICY-ENGINE-27-001 | Integrate Policy Engine batch evaluation (baseline + simulate) with projector; cache rationale references. | Projector fetches determinations efficiently; rationale stored for UI; regression tests cover version switches. | +| LEDGER-29-005 | TODO | Findings Ledger Guild | LEDGER-29-003 | Implement workflow mutation handlers (assign, comment, accept-risk, target-fix, verify-fix, reopen) producing ledger events with validation and attachments metadata. | API endpoints enforce business rules; attachments metadata stored; tests cover state machine transitions. 
| +| LEDGER-29-006 | TODO | Findings Ledger Guild, Security Guild | LEDGER-29-002 | Integrate attachment encryption (KMS envelope), signed URL issuance, CSRF protection hooks for Console. | Attachments encrypted and accessible via signed URLs; security tests verify expiry + scope. | +| LEDGER-29-007 | TODO | Findings Ledger Guild, Observability Guild | LEDGER-29-002..005 | Instrument metrics (`ledger_write_latency`, `projection_lag_seconds`, `ledger_events_total`), structured logs, and Merkle anchoring alerts; publish dashboards. | Metrics/traces emitted; dashboards live; alert thresholds documented. | +| LEDGER-29-008 | TODO | Findings Ledger Guild, QA Guild | LEDGER-29-002..005 | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5M findings/tenant. | CI suite green; load tests documented; determinism harness proves stable projections. | +| LEDGER-29-009 | TODO | Findings Ledger Guild, DevOps Guild | LEDGER-29-002..008 | Provide deployment manifests (Helm/Compose), backup/restore guidance, Merkle anchor externalization (optional), and offline kit instructions. | Deployment docs merged; smoke deploy validated; backup/restore scripts recorded; offline kit includes seed data. | + +## Export Center +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| LEDGER-EXPORT-35-001 | TODO | Findings Ledger Guild | LEDGER-29-003, EXPORT-SVC-35-002 | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings aligned with export filters, including deterministic ordering and provenance metadata. | Streaming APIs deployed; integration tests with exporter planner; metrics/logs instrumented; docs updated. 
| + +## Orchestrator Dashboard +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| LEDGER-34-101 | TODO | Findings Ledger Guild | ORCH-SVC-34-002, LEDGER-29-002 | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries. | Ledger ingestion job consumes orchestrator exports; provenance queries return artifact chain; tests cover multi-tenant isolation; docs updated. | + +## CLI Parity & Task Packs +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| LEDGER-PACKS-42-001 | TODO | Findings Ledger Guild | LEDGER-29-003, TASKRUN-41-001 | Provide snapshot/time-travel APIs and digestable exports for task pack simulation and CLI offline mode. | Snapshot API deployed; simulation validated; docs updated; imposed rule noted. | + +## Authority-Backed Scopes & Tenancy (Epic 14) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| LEDGER-TEN-48-001 | TODO | Findings Ledger Guild | AUTH-TEN-47-001 | Partition ledger tables by tenant/project, enable RLS, update queries/events, and stamp audit metadata. | Ledger queries respect tenant context; RLS tests pass; events include tenant metadata. | + +## Observability & Forensics (Epic 15) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| LEDGER-OBS-50-001 | TODO | Findings Ledger Guild, Observability Guild | TELEMETRY-OBS-50-001, TELEMETRY-OBS-50-002 | Integrate telemetry core within ledger writer/projector services, emitting structured logs and trace spans for ledger append, projector replay, and query APIs with tenant context. 
| Telemetry present for append + replay flows; integration tests assert trace propagation; log schema validated. | +| LEDGER-OBS-51-001 | TODO | Findings Ledger Guild, DevOps Guild | LEDGER-OBS-50-001, TELEMETRY-OBS-51-001 | Publish metrics for ledger latency, projector lag, event throughput, and policy evaluation linkage. Define SLOs (ledger append P95 < 1s, replay lag < 30s) with burn-rate alerts and dashboards. | Metrics surfaced in dashboards; SLO alerts configured/tested; documentation updated. | +| LEDGER-OBS-52-001 | TODO | Findings Ledger Guild | LEDGER-29-002, TIMELINE-OBS-52-002 | Emit timeline events for ledger writes and projector commits (`ledger.event.appended`, `ledger.projection.updated`) with trace ID, policy version, evidence bundle reference placeholders. | Timeline events validated with fixtures; duplicates suppressed; docs note schema. | +| LEDGER-OBS-53-001 | TODO | Findings Ledger Guild, Evidence Locker Guild | LEDGER-OBS-52-001, EVID-OBS-53-002 | Persist evidence bundle references (evaluation/job capsules) alongside ledger entries, exposing lookup API linking findings to evidence manifests and timeline. | Evidence references stored/retrievable; API returns deterministic payload; integration tests pass. | +| LEDGER-OBS-54-001 | TODO | Findings Ledger Guild, Provenance Guild | LEDGER-OBS-53-001, PROV-OBS-54-001 | Verify attestation references for ledger-derived exports; expose `/ledger/attestations` endpoint returning DSSE verification state and chain-of-custody summary. | Endpoint returns verification results; negative cases handled; docs updated. | +| LEDGER-OBS-55-001 | TODO | Findings Ledger Guild, DevOps Guild | LEDGER-OBS-51-001, DEVOPS-OBS-55-001 | Enhance incident mode to record additional replay diagnostics (lag traces, conflict snapshots) and extend retention while active. Emit activation events to timeline + notifier. | Incident mode captures diagnostics; retention adjustments revert post-incident; timeline/notifications validated. 
| + +## Air-Gapped Mode (Epic 16) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| LEDGER-AIRGAP-56-001 | TODO | Findings Ledger Guild | AIRGAP-IMP-57-001, CONCELIER-AIRGAP-56-002 | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles. | Ledger entries include bundle metadata; queries expose provenance; tests cover import + replay. | +| LEDGER-AIRGAP-56-002 | TODO | Findings Ledger Guild, AirGap Time Guild | LEDGER-AIRGAP-56-001, AIRGAP-TIME-58-001 | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging. | Staleness thresholds enforced; exports blocked when stale; notifications triggered. | +| LEDGER-AIRGAP-57-001 | TODO | Findings Ledger Guild, Evidence Locker Guild | LEDGER-AIRGAP-56-001, EVID-OBS-54-001 | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works. | Evidence references validated; portable bundles verify across environments; integration tests updated. | +| LEDGER-AIRGAP-58-001 | TODO | Findings Ledger Guild, AirGap Controller Guild | LEDGER-AIRGAP-56-001, AIRGAP-CTL-56-002 | Emit timeline events for bundle import impacts (new findings, remediation changes) with sealed-mode context. | Timeline events emitted with bundle IDs; duplicates suppressed; docs updated. | + +## SDKs & OpenAPI (Epic 17) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| LEDGER-OAS-61-001 | TODO | Findings Ledger Guild, API Contracts Guild | OAS-61-001 | Expand Findings Ledger OAS to include projections, evidence lookups, and filter parameters with examples. | Spec covers all ledger endpoints; lint/compat checks pass. 
| +| LEDGER-OAS-61-002 | TODO | Findings Ledger Guild | LEDGER-OAS-61-001 | Implement `/.well-known/openapi` endpoint and ensure version metadata matches release. | Discovery endpoint live; contract tests added. | +| LEDGER-OAS-62-001 | TODO | Findings Ledger Guild, SDK Generator Guild | LEDGER-OAS-61-001, SDKGEN-63-001 | Provide SDK test cases for findings pagination, filtering, evidence links; ensure typed models expose provenance. | SDK smoke tests cover ledger flows; documentation embeds examples. | +| LEDGER-OAS-63-001 | TODO | Findings Ledger Guild, API Governance Guild | APIGOV-63-001 | Support deprecation headers and Notifications for retiring finding endpoints. | Headers emitted; notifications validated; docs updated. | + +## Risk Profiles (Epic 18) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| LEDGER-RISK-66-001 | TODO | Findings Ledger Guild, Risk Engine Guild | RISK-ENGINE-66-001 | Add schema migrations for `risk_score`, `risk_severity`, `profile_version`, `explanation_id`, and supporting indexes. | Migrations applied; indexes created; schema docs updated. | +| LEDGER-RISK-66-002 | TODO | Findings Ledger Guild | LEDGER-RISK-66-001 | Implement deterministic upsert of scoring results keyed by finding hash/profile version with history audit. | Upsert path tested; duplicate suppression verified; audit records stored. | +| LEDGER-RISK-67-001 | TODO | Findings Ledger Guild, Risk Engine Guild | LEDGER-RISK-66-002, RISK-ENGINE-68-001 | Expose query APIs for scored findings with score/severity filters, pagination, and explainability links. | API documented; contract tests pass; latency within targets. | +| LEDGER-RISK-68-001 | TODO | Findings Ledger Guild, Export Guild | LEDGER-RISK-66-002 | Enable export of scored findings and simulation results via Export Center integration. | Export job functional; CLI/Console consume bundle; verification tests pass. 
| +| LEDGER-RISK-69-001 | TODO | Findings Ledger Guild, Observability Guild | LEDGER-RISK-66-001 | Emit metrics/dashboards for scoring latency, result freshness, severity distribution, provider gaps. | Dashboards live; alerts configured; documentation updated. | + +## Attestor Console (Epic 19) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| LEDGER-ATTEST-73-001 | TODO | Findings Ledger Guild, Attestor Service Guild | ATTESTOR-73-002 | Persist pointers from findings to verification reports and attestation envelopes for explainability. | Ledger schema extended; queries return linked evidence; tests cover joins. | +| LEDGER-ATTEST-73-002 | TODO | Findings Ledger Guild | LEDGER-ATTEST-73-001 | Enable search/filter in findings projections by verification result and attestation status. | API filters by verification result; UI integration ready; tests updated. | diff --git a/src/StellaOps.Graph.Api/AGENTS.md b/src/StellaOps.Graph.Api/AGENTS.md new file mode 100644 index 00000000..13924480 --- /dev/null +++ b/src/StellaOps.Graph.Api/AGENTS.md 
@@ -0,0 +1,33 @@ +# Graph API Guild Charter (Epic 5) + +## Mission +Provide tenant-scoped Graph Explorer APIs for search, query, paths, diffs, overlays, and exports. Deliver cost-aware streaming endpoints that integrate with Policy Engine, Conseiller, Excitator, and the Graph Indexer while honoring AOC and RBAC. + +## Scope +- Service under `src/StellaOps.Graph.Api` (Minimal API + streaming pipeline + query planner). +- Query validation/planning, cost estimation, tile streaming, overlay composition, export serializers. +- Integration with Authority scopes, Web API Gateway, Policy Engine explain endpoints, Graph Indexer storage. +- Saved query management and diff endpoints. + +## Principles +1. **Bounded interactivity** – Enforce budgets (nodes, edges, time) per tenant and surface truncation clearly. +2. **Determinism** – Same query + seed yields same streamed content; maintain layout seeds for client. +3. **Security first** – RBAC enforced server-side; input validation, tenant isolation, query sanitization. +4. **AOC alignment** – API surfaces readonly data; overlays annotate Policy Engine outputs; never mutate facts. +5. **Observability** – Every query logs cost, latency, truncation, caching; metrics + traces integrated. + +## Collaboration +- Maintain `src/StellaOps.Graph.Api/TASKS.md`, `SPRINTS.md` alignment. +- Coordinate with Graph Indexer (storage contracts), Web Gateway, Console, CLI, Policy Engine, DevOps, and Docs teams. +- Publish OpenAPI + JSON schema for queries and streaming tiles. + +## Tooling +- .NET 10 preview Minimal API with async streaming; pipeline pattern for parsing/planning/fetching. +- Mongo aggregation / adjacency store from Graph Indexer; optional caching layer. +- SSE/WebSockets or chunked NDJSON responses for progressive loading. + +## Definition of Done +- APIs shipped with OpenAPI, unit/integration/load tests, budget enforcement. +- Metrics/logs/traces wired; dashboards seeded. 
+- Documentation updated (API doc, query schema, cost/limit guidance). +- Offline kit instructions include CLI + API usage. diff --git a/src/StellaOps.Graph.Api/TASKS.md b/src/StellaOps.Graph.Api/TASKS.md new file mode 100644 index 00000000..0e7a3cc8 --- /dev/null +++ b/src/StellaOps.Graph.Api/TASKS.md 
@@ -0,0 +1,14 @@ +# Graph API Task Board — Epic 5: SBOM Graph Explorer +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| GRAPH-API-28-001 | TODO | Graph API Guild | GRAPH-INDEX-28-001, WEB-GRAPH-21-001 | Define OpenAPI + JSON schema for graph search/query/paths/diff/export endpoints, including cost metadata and streaming tile schema. | OpenAPI committed; schema validated via CI; clients regenerated; docs updated. | +| GRAPH-API-28-002 | TODO | Graph API Guild | GRAPH-API-28-001, GRAPH-INDEX-28-002 | Implement `/graph/search` with multi-type index lookup, prefix/exact match, RBAC enforcement, and result ranking + caching. | Endpoint returns ranked results within budget; tests cover scope errors + caching; metrics logged. | +| GRAPH-API-28-003 | TODO | Graph API Guild | GRAPH-API-28-001, GRAPH-INDEX-28-002..005 | Build query planner + cost estimator for `/graph/query`, stream tiles (nodes/edges/stats) progressively, enforce budgets, provide cursor tokens. | Query endpoint streams tiles deterministically, enforces budgets, surfaces truncation flags; integration tests cover large graphs. | +| GRAPH-API-28-004 | TODO | Graph API Guild | GRAPH-API-28-003 | Implement `/graph/paths` with depth ≤6, constraint filters, heuristic shortest path search, and optional policy overlay rendering. | Paths API returns expected routes; policy overlay applied; guardrails enforced; tests cover over-budget errors. | +| GRAPH-API-28-005 | TODO | Graph API Guild | GRAPH-INDEX-28-006, GRAPH-API-28-003 | Implement `/graph/diff` streaming added/removed/changed nodes/edges between SBOM snapshots; include overlay deltas and policy/VEX/advisory metadata. | Diff endpoint streams deterministic results; tests cover sample diffs; metrics record diff compute time. 
| +| GRAPH-API-28-006 | TODO | Graph API Guild | GRAPH-INDEX-28-002..005, POLICY-ENGINE-27-001 | Implement overlays (advisory, VEX, policy) with caching, partial materialization, and explain trace sampling for focused nodes. | Overlay pipeline delivers heatmap stats + explain samples; caches invalidate on policy/VEX/advisory change; tests cover concurrency. | +| GRAPH-API-28-007 | TODO | Graph API Guild | GRAPH-API-28-003..006 | Implement exports (`graphml`, `csv`, `ndjson`, `png`, `svg`) with async job management, checksum manifests, and streaming downloads. | Export job API returns manifest + download URLs; tests validate formats; docs updated. | +| GRAPH-API-28-008 | TODO | Graph API Guild, Authority Guild | AUTH-GRAPH-26-001, AUTH-GRAPH-21-001 | Integrate RBAC scopes (`graph:read`, `graph:query`, `graph:export`), tenant headers, audit logging, and rate limiting. | Unauthorized access rejected; audit logs include query hash & scope; rate limits enforced; integration tests pass. | +| GRAPH-API-28-009 | TODO | Graph API Guild, Observability Guild | GRAPH-API-28-002..007 | Instrument metrics (`graph_tile_latency_seconds`, `graph_query_budget_denied_total`, `graph_overlay_cache_hit_ratio`), structured logs, and traces per query stage; publish dashboards. | Metrics exposed; dashboards live; alerts configured; docs updated. | +| GRAPH-API-28-010 | TODO | Graph API Guild, QA Guild | GRAPH-API-28-002..007 | Build unit/integration/load tests with synthetic datasets (500k nodes/2M edges), fuzz query validation, verify determinism across runs. | Test suite green; load test report captured; determinism harness passes with fixed seed. | +| GRAPH-API-28-011 | TODO | Graph API Guild, DevOps Guild | GRAPH-API-28-003..007 | Provide deployment manifests, offline kit support, API gateway integration docs, and smoke tests. | Deployment descriptors merged; gateway routes documented; offline kit instructions updated; smoke tests executed. | 
diff --git a/src/StellaOps.Graph.Indexer/AGENTS.md b/src/StellaOps.Graph.Indexer/AGENTS.md new file mode 100644 index 00000000..b5c4f0b4 --- /dev/null +++ b/src/StellaOps.Graph.Indexer/AGENTS.md 
@@ -0,0 +1,33 @@ +# Graph Indexer Guild Charter (Epic 5) + +## Mission +Project SBOM, advisory, VEX, and policy overlay data into a tenant-scoped property graph powering the SBOM Graph Explorer. Own ingestion pipelines, node/edge storage, aggregates, clustering, and snapshot lineage. + +## Scope +- Service source under `src/StellaOps.Graph.Indexer` (workers, ingestion pipelines, schema builders). +- Mongo collections/object storage for `graph_nodes`, `graph_edges`, `graph_snapshots`, clustering metadata. +- Event consumers: SBOM ingest, Conseiller advisories, Excitator VEX, Policy overlay materials. +- Incremental rebuild, diff, and cache warmers for graph overlays. + +## Principles +1. **Immutability** – Graph mirrors SBOM snapshots; new data creates new snapshots rather than mutating historical records. +2. **Determinism** – Given identical inputs, node/edge ids, hashes, and aggregates remain stable across runs. +3. **Tenant isolation** – Enforce isolation at ingestion, storage, and job levels; no cross-tenant leakage. +4. **AOC alignment** – Indexer links facts; it never mutates advisories/VEX/policy outcomes. Conseiller/Excitator/Policy Engine remain authoritative. +5. **Performance & telemetry** – Every job emits metrics (latency, node/edge counts, queue lag) and structured logs. + +## Collaboration +- Keep `src/StellaOps.Graph.Indexer/TASKS.md`, `SPRINTS.md` synchronized. +- Coordinate with SBOM Service, Policy Engine, Conseiller, Excitator, Scheduler, Web Gateway, and Console teams. +- Publish schema docs and fixtures for clients; share cost/identity conventions across services. + +## Tooling +- .NET 10 preview workers (HostedService + channel pipelines). +- MongoDB for node/edge storage; S3-compatible buckets for layout tiles/snapshots if needed. +- Scheduler integration (jobs, change streams) to handle incremental updates. + +## Definition of Done +- Pipelines deterministic and tested; fixtures validated. +- Metrics/logs/traces wired with tenant context. 
+- Schema docs + OpenAPI (where applicable) updated; compliance checklist appended. +- Offline kit includes seed data for air-gapped installs. diff --git a/src/StellaOps.Graph.Indexer/TASKS.md b/src/StellaOps.Graph.Indexer/TASKS.md new file mode 100644 index 00000000..80f3804b --- /dev/null +++ b/src/StellaOps.Graph.Indexer/TASKS.md 
@@ -0,0 +1,13 @@ +# Graph Indexer Task Board — Epic 5: SBOM Graph Explorer +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| GRAPH-INDEX-28-001 | TODO | Graph Indexer Guild | SBOM-SERVICE-21-001, CARTO-GRAPH-21-001 | Define canonical node/edge schemas, attribute dictionaries, identity rules, and seed fixtures; publish schema doc. | Schema doc merged; identity property tests pass; fixtures committed for CI usage. | +| GRAPH-INDEX-28-002 | TODO | Graph Indexer Guild | GRAPH-INDEX-28-001, SBOM-SERVICE-21-002 | Implement SBOM ingest consumer producing artifact/package/file nodes and edges with `valid_from/valid_to`, scope metadata, and provenance links. | Ingest pipeline processes sample SBOMs deterministically; metrics recorded; unit tests cover identity stability. | +| GRAPH-INDEX-28-003 | TODO | Graph Indexer Guild | GRAPH-INDEX-28-001, CONCELIER-CONSOLE-23-001 | Project Conseiller linksets into overlay tiles (`affected_by` edges, evidence refs) without mutating source observations; keep advisory aggregates in overlay store only. | Overlay documents generated deterministically; raw node/edge collections remain immutable; tests cover overlay refresh and eviction. | +| GRAPH-INDEX-28-004 | TODO | Graph Indexer Guild | GRAPH-INDEX-28-001, EXCITITOR-CONSOLE-23-001 | Integrate VEX statements (`vex_exempts` edges) with justification metadata and precedence markers for overlays. | VEX edges generated; conflicts resolved deterministically; tests cover status transitions. | +| GRAPH-INDEX-28-005 | TODO | Graph Indexer Guild, Policy Guild | POLICY-ENGINE-27-001, POLICY-ENGINE-27-002 | Hydrate policy overlays into graph (`governs_with` nodes/edges) referencing effective findings and explain hashes for sampled nodes. | Overlay nodes stored with policy version id, severity, status; explain references captured; validation tests pass. 
| +| GRAPH-INDEX-28-006 | TODO | Graph Indexer Guild | GRAPH-INDEX-28-002..005 | Generate graph snapshots per SBOM with lineage (`derived_from`), adjacency manifests, and metadata for diff jobs. | Snapshot documents produced; lineage recorded; tests assert diff readiness; metrics emitted. | +| GRAPH-INDEX-28-007 | TODO | Graph Indexer Guild, Observability Guild | GRAPH-INDEX-28-002..006 | Implement clustering/centrality background jobs (Louvain/degree/betweenness approximations) with configurable schedules and store cluster ids on nodes. | Clustering jobs run on fixtures; metrics logged; cluster ids accessible via API; SLA documented. | +| GRAPH-INDEX-28-008 | TODO | Graph Indexer Guild | GRAPH-INDEX-28-002..007 | Provide incremental update + backfill pipeline with change streams, retry/backoff, idempotent operations, and backlog metrics. | Incremental updates replay sample change logs; retries/backoff validated; backlog metrics exported. | +| GRAPH-INDEX-28-009 | TODO | Graph Indexer Guild, QA Guild | GRAPH-INDEX-28-002..008 | Add unit/property/integration tests, synthetic large graph fixtures, chaos testing (missing overlays, cycles), and determinism checks across runs. | Test suite green; determinism harness passes across two runs; perf metrics recorded. | +| GRAPH-INDEX-28-010 | TODO | Graph Indexer Guild, DevOps Guild | GRAPH-INDEX-28-008 | Package deployment artifacts (Helm/Compose), offline seed bundles, and configuration docs; integrate Offline Kit. | Deployment descriptors merged; offline seed bundle documented; smoke deploy tested. | diff --git a/src/StellaOps.IssuerDirectory/AGENTS.md b/src/StellaOps.IssuerDirectory/AGENTS.md new file mode 100644 index 00000000..41e05eec --- /dev/null +++ b/src/StellaOps.IssuerDirectory/AGENTS.md 
@@ -0,0 +1,21 @@ +# Issuer Directory Guild Charter (Epic 7) + +## Mission +Manage trusted VEX issuer metadata, keys, and trust overrides used by the VEX Lens, Policy Engine, and downstream services. + +## Scope +- Service `src/StellaOps.IssuerDirectory` providing REST APIs and admin tooling for issuers, keys, trust weights, audit logs. +- Integration with Excitator/VEX Lens/Policy Engine for signature verification and trust weighting. +- Tenant overrides, import of CSAF publisher metadata, and compliance logging. + +## Principles +1. **Security first** – enforce least privilege, key expiry, rotation, and audit logs. +2. **Tenant awareness** – global issuer defaults with per-tenant overrides. +3. **Deterministic** – trust weights reproducible; changes logged. +4. **Audit ready** – all modifications recorded with actor, reason, signature. +5. **API-first** – CLI/Console/automation consume same endpoints. + +## Definition of Done +- APIs documented, RBAC enforced, audit logs persisted. +- Key verification integrated with VEX Lens and Excitator; rotation tooling delivered. +- Docs/runbooks updated with compliance checklist. diff --git a/src/StellaOps.IssuerDirectory/TASKS.md b/src/StellaOps.IssuerDirectory/TASKS.md new file mode 100644 index 00000000..a71c1f77 --- /dev/null +++ b/src/StellaOps.IssuerDirectory/TASKS.md 
@@ -0,0 +1,9 @@ +# Issuer Directory Task Board — Epic 7 +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| ISSUER-30-001 | TODO | Issuer Directory Guild | AUTH-VULN-29-001 | Implement issuer CRUD API with RBAC, audit logging, and tenant scoping; seed CSAF publisher metadata. | APIs deployed; audit logs capture actor/reason; seed data imported; tests cover RBAC. | +| ISSUER-30-002 | TODO | Issuer Directory Guild, Security Guild | ISSUER-30-001 | Implement key management endpoints (add/rotate/revoke keys), enforce expiry, validate formats (Ed25519, X.509, DSSE). | Keys stored securely; expiry enforced; validation tests cover key types; docs updated. | +| ISSUER-30-003 | TODO | Issuer Directory Guild, Policy Guild | ISSUER-30-001 | Provide trust weight APIs and tenant overrides with validation (+/- bounds) and audit trails. | Trust overrides persisted; policy integration confirmed; tests cover overrides. | +| ISSUER-30-004 | TODO | Issuer Directory Guild, VEX Lens Guild | ISSUER-30-001..003 | Integrate with VEX Lens and Excitator signature verification (client SDK, caching, retries). | Lens/Excitator resolve issuer metadata via SDK; integration tests cover network failures. | +| ISSUER-30-005 | TODO | Issuer Directory Guild, Observability Guild | ISSUER-30-001..004 | Instrument metrics/logs (issuer changes, key rotation, verification failures) and dashboards/alerts. | Telemetry live; alerts configured; docs updated. | +| ISSUER-30-006 | TODO | Issuer Directory Guild, DevOps Guild | ISSUER-30-001..005 | Provide deployment manifests, backup/restore, secure secret storage, and offline kit instructions. | Deployment docs merged; smoke deploy validated; backup tested; offline kit updated. | diff --git a/src/StellaOps.Mirror.Creator/AGENTS.md b/src/StellaOps.Mirror.Creator/AGENTS.md new file mode 100644 index 00000000..944fe36e --- /dev/null 
+++ b/src/StellaOps.Mirror.Creator/AGENTS.md @@ -0,0 +1,15 @@ +# StellaOps Mirror Creator Guild Charter + +## Mission +Deliver connected-environment tooling that assembles signed Mirror Bundles for air-gapped deployments, covering content selection, signing, and distribution. + +## Scope +- Bundle assembly pipeline (advisories, VEX, policy packs, images, dashboards). +- Integration with Export Center for bundle scheduling and verification. +- CLI commands for bundle creation, inspection, and rotation management. +- Test fixtures ensuring determinism across bundle builds. + +## Definition of Done +- Bundles are deterministic given the same inputs; regression tests verify Merkle root stability. +- Signing workflows documented and automated with dual-control for root rotation. +- Bundle metadata published for import verification. diff --git a/src/StellaOps.Mirror.Creator/TASKS.md b/src/StellaOps.Mirror.Creator/TASKS.md new file mode 100644 index 00000000..7cb9d3be --- /dev/null +++ b/src/StellaOps.Mirror.Creator/TASKS.md 
@@ -0,0 +1,19 @@ +# Mirror Creator Task Board — Epic 16: Air-Gapped Mode + +## Sprint 56 – Bundle Assembly +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| MIRROR-CRT-56-001 | TODO | Mirror Creator Guild | EXPORT-OBS-51-001 | Implement deterministic bundle assembler supporting advisories, VEX, policy packs with Zstandard compression and manifest generation. | Bundle build produces deterministic manifest; unit tests compare against golden outputs. | +| MIRROR-CRT-56-002 | TODO | Mirror Creator Guild, Security Guild | MIRROR-CRT-56-001, PROV-OBS-53-001 | Integrate DSSE signing and TUF metadata generation (`root`, `snapshot`, `timestamp`, `targets`). | Signed bundle verified by importer tests; root rotation procedure documented. | + +## Sprint 57 – OCI Images & Time Anchors +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| MIRROR-CRT-57-001 | TODO | Mirror Creator Guild, DevOps Guild | MIRROR-CRT-56-001 | Add optional OCI image collection producing oci-archive layout with digests recorded in manifest. | Image bundles integrate with air-gapped registry; tests confirm digest equality. | +| MIRROR-CRT-57-002 | TODO | Mirror Creator Guild, AirGap Time Guild | MIRROR-CRT-56-002, AIRGAP-TIME-57-001 | Embed signed time anchor metadata (`meta/time-anchor.json`) sourced from trusted authority. | Time anchor included in bundles; verification tests confirm signature; docs updated. | + +## Sprint 58 – CLI and Scheduling +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| MIRROR-CRT-58-001 | TODO | Mirror Creator Guild, CLI Guild | MIRROR-CRT-56-002, CLI-AIRGAP-56-001 | Deliver CLI `stella mirror create|verify` commands with content selection flags, delta mode, and dry-run verification. 
| CLI builds bundles deterministically; verify command reports DSSE/TUF status; integration tests cover options. | +| MIRROR-CRT-58-002 | TODO | Mirror Creator Guild, Exporter Guild | MIRROR-CRT-56-002, EXPORT-OBS-54-001 | Integrate with Export Center scheduling to automate mirror bundle creation with audit logs. | Scheduler triggers bundle builds; audit entries recorded; docs updated. | diff --git a/src/StellaOps.Notifier/AGENTS.md b/src/StellaOps.Notifier/AGENTS.md new file mode 100644 index 00000000..1106d623 --- /dev/null +++ b/src/StellaOps.Notifier/AGENTS.md @@ -0,0 +1,17 @@ +# StellaOps Notifier Service — Agent Charter + +## Mission +Build Notifications Studio (Epic 11) so StellaOps delivers policy-aware, explainable, tenant-scoped notifications without flooding humans. Honor the imposed rule: any work of this type must propagate everywhere it belongs. + +## Responsibilities +- Maintain event ingestion, rule evaluation, correlation, throttling, templating, dispatch, digests, and escalation pipelines. +- Coordinate with Orchestrator, Policy Engine, Findings Ledger, VEX Lens, Export Center, Authority, Console, CLI, and DevOps teams to ensure consistent event envelopes, provenance links, and RBAC. +- Guarantee deterministic, auditable notification outcomes with provenance, signing/ack security, and localization. + +## Module Layout +- `StellaOps.Notifier.Core/` — rule engine, routing, correlation, and template orchestration primitives. +- `StellaOps.Notifier.Infrastructure/` — persistence, integration adapters, and channel implementations. +- `StellaOps.Notifier.WebService/` — HTTP APIs (rules, incidents, templates, feeds). +- `StellaOps.Notifier.Worker/` — background dispatchers, digest builders, simulation hosts. +- `StellaOps.Notifier.Tests/` — foundational unit tests covering core/infrastructure behavior. +- `StellaOps.Notifier.sln` — solution bundling the Notifier projects. 
diff --git a/src/StellaOps.Notifier/StellaOps.Notifier.Core/Class1.cs b/src/StellaOps.Notifier/StellaOps.Notifier.Core/Class1.cs new file mode 100644 index 00000000..f367fc31 --- /dev/null +++ b/src/StellaOps.Notifier/StellaOps.Notifier.Core/Class1.cs @@ -0,0 +1,6 @@ +namespace StellaOps.Notifier.Core; + +public class Class1 +{ + +} diff --git a/src/StellaOps.Notifier/StellaOps.Notifier.Core/StellaOps.Notifier.Core.csproj b/src/StellaOps.Notifier/StellaOps.Notifier.Core/StellaOps.Notifier.Core.csproj new file mode 100644 index 00000000..fe0eef44 --- /dev/null +++ b/src/StellaOps.Notifier/StellaOps.Notifier.Core/StellaOps.Notifier.Core.csproj @@ -0,0 +1,18 @@ + + + + + + + + + net10.0 + enable + enable + preview + true + + + + + diff --git a/src/StellaOps.Notifier/StellaOps.Notifier.Infrastructure/Class1.cs b/src/StellaOps.Notifier/StellaOps.Notifier.Infrastructure/Class1.cs new file mode 100644 index 00000000..49f6a164 --- /dev/null +++ b/src/StellaOps.Notifier/StellaOps.Notifier.Infrastructure/Class1.cs @@ -0,0 +1,6 @@ +namespace StellaOps.Notifier.Infrastructure; + +public class Class1 +{ + +} diff --git a/src/StellaOps.Notifier/StellaOps.Notifier.Infrastructure/StellaOps.Notifier.Infrastructure.csproj b/src/StellaOps.Notifier/StellaOps.Notifier.Infrastructure/StellaOps.Notifier.Infrastructure.csproj new file mode 100644 index 00000000..aad9375e --- /dev/null +++ b/src/StellaOps.Notifier/StellaOps.Notifier.Infrastructure/StellaOps.Notifier.Infrastructure.csproj @@ -0,0 +1,28 @@ + + + + + + + + + + + + + + + + + + + net10.0 + enable + enable + preview + true + + + + + diff --git a/src/StellaOps.Notifier/StellaOps.Notifier.Tests/StellaOps.Notifier.Tests.csproj b/src/StellaOps.Notifier/StellaOps.Notifier.Tests/StellaOps.Notifier.Tests.csproj new file mode 100644 index 00000000..a105426c --- /dev/null +++ b/src/StellaOps.Notifier/StellaOps.Notifier.Tests/StellaOps.Notifier.Tests.csproj 
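Review bot: `Class1` in StellaOps.Notifier.Core/Class1.cs is the empty `dotnet new classlib` placeholder, and the StellaOps.Notifier.Infrastructure/Class1.cs hunk on this same line adds an identical stub; both are `public`, so they become part of each library's API surface the moment another project references it. The same scaffolding residue appears as the empty `[Fact] Test1` in StellaOps.Notifier.Tests/UnitTest1.cs on the next line, which passes unconditionally and gives the solution a green test run while covering nothing. Delete the two `Class1.cs` files and the empty test, or replace the test with `[Fact(Skip = "Notifier core not implemented yet")]` so the gap stays visible in the test report.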
@@ -0,0 +1,135 @@ + + + + + + + + + + + + + Exe + + + + + false + + + + + + + + + + + + + + net10.0 + + + enable + + + enable + + + false + + + preview + + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/StellaOps.Notifier/StellaOps.Notifier.Tests/UnitTest1.cs b/src/StellaOps.Notifier/StellaOps.Notifier.Tests/UnitTest1.cs new file mode 100644 index 00000000..0bc9c66b --- /dev/null +++ b/src/StellaOps.Notifier/StellaOps.Notifier.Tests/UnitTest1.cs @@ -0,0 +1,10 @@ +namespace StellaOps.Notifier.Tests; + +public class UnitTest1 +{ + [Fact] + public void Test1() + { + + } +} diff --git a/src/StellaOps.Notifier/StellaOps.Notifier.Tests/xunit.runner.json b/src/StellaOps.Notifier/StellaOps.Notifier.Tests/xunit.runner.json new file mode 100644 index 00000000..86c7ea05 --- /dev/null +++ b/src/StellaOps.Notifier/StellaOps.Notifier.Tests/xunit.runner.json @@ -0,0 +1,3 @@ +{ + "$schema": "https://xunit.net/schema/current/xunit.runner.schema.json" +} diff --git a/src/StellaOps.Notifier/StellaOps.Notifier.WebService/Program.cs b/src/StellaOps.Notifier/StellaOps.Notifier.WebService/Program.cs new file mode 100644 index 00000000..ee9d65d6 --- /dev/null +++ b/src/StellaOps.Notifier/StellaOps.Notifier.WebService/Program.cs 
@@ -0,0 +1,41 @@
+var builder = WebApplication.CreateBuilder(args);
+
+// Add services to the container.
+// Learn more about configuring OpenAPI at https://aka.ms/aspnet/openapi
+builder.Services.AddOpenApi();
+
+var app = builder.Build();
+
+// Configure the HTTP request pipeline.
+if (app.Environment.IsDevelopment())
+{
+ app.MapOpenApi();
+}
+
+app.UseHttpsRedirection();
+
+var summaries = new[]
+{
+ "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
+};
+
+app.MapGet("/weatherforecast", () =>
+{
+ var forecast = Enumerable.Range(1, 5).Select(index =>
+ new WeatherForecast
+ (
+ DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
+ Random.Shared.Next(-20, 55),
+ summaries[Random.Shared.Next(summaries.Length)]
+ ))
+ .ToArray();
+ return forecast;
+})
+.WithName("GetWeatherForecast");
+
+app.Run();
+
+record WeatherForecast(DateOnly Date, int TemperatureC, string? Summary)
+{
+ public int TemperatureF => 32 + (int)(TemperatureC / 0.5556);
+}
diff --git a/src/StellaOps.Notifier/StellaOps.Notifier.WebService/Properties/launchSettings.json b/src/StellaOps.Notifier/StellaOps.Notifier.WebService/Properties/launchSettings.json
new file mode 100644
index 00000000..fdd325cf
--- /dev/null
+++ b/src/StellaOps.Notifier/StellaOps.Notifier.WebService/Properties/launchSettings.json
@@ -0,0 +1,23 @@
+{
+ "$schema": "https://json.schemastore.org/launchsettings.json",
+ "profiles": {
+ "http": {
+ "commandName": "Project",
+ "dotnetRunMessages": true,
+ "launchBrowser": false,
+ "applicationUrl": "http://localhost:5124",
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ },
+ "https": {
+ "commandName": "Project",
+ "dotnetRunMessages": true,
+ "launchBrowser": false,
+ "applicationUrl": "https://localhost:7202;http://localhost:5124",
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ }
+ }
+}
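Review bot: The `/weatherforecast` endpoint and the `WeatherForecast` record in the WebService Program.cs hunk are the unmodified `dotnet new webapi` sample and would ship as live, anonymous routes on the Notifier WebService, whose charter lists rules, incidents, templates and feeds APIs instead; the pipeline also registers no `UseAuthentication()`/`UseAuthorization()` before `MapGet`, so nothing here is tenant-scoped or RBAC-checked yet. Remove the `summaries` array, the `MapGet("/weatherforecast", ...)` block and the record, and wire the auth middleware when the first real endpoint lands. If a sample route is kept for smoke tests, `DateTime.Now` should become `DateTime.UtcNow` so the generated dates do not depend on the host time zone.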
diff --git a/src/StellaOps.Notifier/StellaOps.Notifier.WebService/StellaOps.Notifier.WebService.csproj b/src/StellaOps.Notifier/StellaOps.Notifier.WebService/StellaOps.Notifier.WebService.csproj new file mode 100644 index 00000000..65b2b077 --- /dev/null +++ b/src/StellaOps.Notifier/StellaOps.Notifier.WebService/StellaOps.Notifier.WebService.csproj @@ -0,0 +1,41 @@ + + + + + + + + + net10.0 + enable + enable + preview + true + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/StellaOps.Notifier/StellaOps.Notifier.WebService/StellaOps.Notifier.WebService.http b/src/StellaOps.Notifier/StellaOps.Notifier.WebService/StellaOps.Notifier.WebService.http new file mode 100644 index 00000000..1d025e4f --- /dev/null +++ b/src/StellaOps.Notifier/StellaOps.Notifier.WebService/StellaOps.Notifier.WebService.http @@ -0,0 +1,6 @@ +@StellaOps.Notifier.WebService_HostAddress = http://localhost:5124 + +GET {{StellaOps.Notifier.WebService_HostAddress}}/weatherforecast/ +Accept: application/json + +### diff --git a/src/StellaOps.Notifier/StellaOps.Notifier.WebService/appsettings.Development.json b/src/StellaOps.Notifier/StellaOps.Notifier.WebService/appsettings.Development.json new file mode 100644 index 00000000..0c208ae9 --- /dev/null +++ b/src/StellaOps.Notifier/StellaOps.Notifier.WebService/appsettings.Development.json @@ -0,0 +1,8 @@ +{ + "Logging": { + "LogLevel": { + "Default": "Information", + "Microsoft.AspNetCore": "Warning" + } + } +} diff --git a/src/StellaOps.Notifier/StellaOps.Notifier.WebService/appsettings.json b/src/StellaOps.Notifier/StellaOps.Notifier.WebService/appsettings.json new file mode 100644 index 00000000..10f68b8c --- /dev/null +++ b/src/StellaOps.Notifier/StellaOps.Notifier.WebService/appsettings.json @@ -0,0 +1,9 @@ +{ + "Logging": { + "LogLevel": { + "Default": "Information", + "Microsoft.AspNetCore": "Warning" + } + }, + "AllowedHosts": "*" +} 
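Review bot: `"AllowedHosts": "*"` in the WebService appsettings.json hunk turns off host filtering in every environment, since the Development override in the preceding hunk does not narrow it. That is the template default and fine for local runs, but for a tenant-scoped service meant to sit behind the gateway the production value should be the hostname(s) the gateway forwards to, supplied via `appsettings.Production.json` or an `AllowedHosts` environment override, so requests carrying an unexpected `Host` header are rejected before they reach the pipeline.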
diff --git a/src/StellaOps.Notifier/StellaOps.Notifier.Worker/Program.cs b/src/StellaOps.Notifier/StellaOps.Notifier.Worker/Program.cs new file mode 100644 index 00000000..84f1f3b6 --- /dev/null +++ b/src/StellaOps.Notifier/StellaOps.Notifier.Worker/Program.cs @@ -0,0 +1,7 @@ +using StellaOps.Notifier.Worker; + +var builder = Host.CreateApplicationBuilder(args); +builder.Services.AddHostedService(); + +var host = builder.Build(); +host.Run(); diff --git a/src/StellaOps.Notifier/StellaOps.Notifier.Worker/Properties/launchSettings.json b/src/StellaOps.Notifier/StellaOps.Notifier.Worker/Properties/launchSettings.json new file mode 100644 index 00000000..66be97eb --- /dev/null +++ b/src/StellaOps.Notifier/StellaOps.Notifier.Worker/Properties/launchSettings.json @@ -0,0 +1,12 @@ +{ + "$schema": "https://json.schemastore.org/launchsettings.json", + "profiles": { + "StellaOps.Notifier.Worker": { + "commandName": "Project", + "dotnetRunMessages": true, + "environmentVariables": { + "DOTNET_ENVIRONMENT": "Development" + } + } + } +} diff --git a/src/StellaOps.Notifier/StellaOps.Notifier.Worker/StellaOps.Notifier.Worker.csproj b/src/StellaOps.Notifier/StellaOps.Notifier.Worker/StellaOps.Notifier.Worker.csproj new file mode 100644 index 00000000..227ecefc --- /dev/null +++ b/src/StellaOps.Notifier/StellaOps.Notifier.Worker/StellaOps.Notifier.Worker.csproj @@ -0,0 +1,43 @@ + + + + + + + + + dotnet-StellaOps.Notifier.Worker-557c5516-a796-4499-942e-a0668e3e9622 + + + net10.0 + enable + enable + preview + true + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/StellaOps.Notifier/StellaOps.Notifier.Worker/Worker.cs b/src/StellaOps.Notifier/StellaOps.Notifier.Worker/Worker.cs new file mode 100644 index 00000000..5b368345 --- /dev/null +++ b/src/StellaOps.Notifier/StellaOps.Notifier.Worker/Worker.cs 
@@ -0,0 +1,16 @@
+namespace StellaOps.Notifier.Worker;
+
+public class Worker(ILogger logger) : BackgroundService
+{
+ protected override async Task ExecuteAsync(CancellationToken stoppingToken)
+ {
+ while (!stoppingToken.IsCancellationRequested)
+ {
+ if (logger.IsEnabled(LogLevel.Information))
+ {
+ logger.LogInformation("Worker running at: {time}", DateTimeOffset.Now);
+ }
+ await Task.Delay(1000, stoppingToken);
+ }
+ }
+}
diff --git a/src/StellaOps.Notifier/StellaOps.Notifier.Worker/appsettings.Development.json b/src/StellaOps.Notifier/StellaOps.Notifier.Worker/appsettings.Development.json
new file mode 100644
index 00000000..b2dcdb67
--- /dev/null
+++ b/src/StellaOps.Notifier/StellaOps.Notifier.Worker/appsettings.Development.json
@@ -0,0 +1,8 @@
+{
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft.Hosting.Lifetime": "Information"
+ }
+ }
+}
diff --git a/src/StellaOps.Notifier/StellaOps.Notifier.Worker/appsettings.json b/src/StellaOps.Notifier/StellaOps.Notifier.Worker/appsettings.json
new file mode 100644
index 00000000..b2dcdb67
--- /dev/null
+++ b/src/StellaOps.Notifier/StellaOps.Notifier.Worker/appsettings.json
@@ -0,0 +1,8 @@
+{
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft.Hosting.Lifetime": "Information"
+ }
+ }
+}
diff --git a/src/StellaOps.Notifier/StellaOps.Notifier.sln b/src/StellaOps.Notifier/StellaOps.Notifier.sln
new file mode 100644
index 00000000..f3991915
--- /dev/null
+++ b/src/StellaOps.Notifier/StellaOps.Notifier.sln
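Review bot: `ExecuteAsync` stamps its log line with `DateTimeOffset.Now`, a host-local time, while a notifier's audit and correlation logs need a clock that is comparable across hosts; use `logger.LogInformation("Worker running at: {time}", DateTimeOffset.UtcNow);` (or inject `TimeProvider` so tests can control it). The body is otherwise the unmodified worker template, a one-second `Task.Delay` loop doing no notifier work, so a `// TODO: scaffold loop — replaced by the NOTIFY-SVC-38-001 ingestion consumer` marker would keep it from shipping unnoticed. The `ILogger logger` parameter appears to have lost a type argument in this rendering; if the file really declares the non-generic `ILogger`, the default host does not register it and DI will fail at startup, so confirm it reads `ILogger<Worker>` in the source.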
@@ -0,0 +1,90 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 17 +VisualStudioVersion = 17.0.31903.59 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Notifier.Core", "StellaOps.Notifier.Core\StellaOps.Notifier.Core.csproj", "{78978C92-D065-413C-A835-B27386D35A63}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Notifier.Infrastructure", "StellaOps.Notifier.Infrastructure\StellaOps.Notifier.Infrastructure.csproj", "{4A31A75B-5EB0-4BA3-8348-4E4798266C7F}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Notifier.WebService", "StellaOps.Notifier.WebService\StellaOps.Notifier.WebService.csproj", "{D14281B8-BC8E-4D31-B1FC-E3C9565F7482}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Notifier.Worker", "StellaOps.Notifier.Worker\StellaOps.Notifier.Worker.csproj", "{A134A9AE-CC9E-4AC7-8CD7-8C7BBF45CD02}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Notifier.Tests", "StellaOps.Notifier.Tests\StellaOps.Notifier.Tests.csproj", "{1DFEC971-61F4-4E63-A903-C04062C84967}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Any CPU = Debug|Any CPU + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|Any CPU = Release|Any CPU + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {78978C92-D065-413C-A835-B27386D35A63}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {78978C92-D065-413C-A835-B27386D35A63}.Debug|Any CPU.Build.0 = Debug|Any CPU + {78978C92-D065-413C-A835-B27386D35A63}.Debug|x64.ActiveCfg = Debug|Any CPU + {78978C92-D065-413C-A835-B27386D35A63}.Debug|x64.Build.0 = Debug|Any CPU + {78978C92-D065-413C-A835-B27386D35A63}.Debug|x86.ActiveCfg = Debug|Any CPU + {78978C92-D065-413C-A835-B27386D35A63}.Debug|x86.Build.0 = Debug|Any CPU + 
{78978C92-D065-413C-A835-B27386D35A63}.Release|Any CPU.ActiveCfg = Release|Any CPU + {78978C92-D065-413C-A835-B27386D35A63}.Release|Any CPU.Build.0 = Release|Any CPU + {78978C92-D065-413C-A835-B27386D35A63}.Release|x64.ActiveCfg = Release|Any CPU + {78978C92-D065-413C-A835-B27386D35A63}.Release|x64.Build.0 = Release|Any CPU + {78978C92-D065-413C-A835-B27386D35A63}.Release|x86.ActiveCfg = Release|Any CPU + {78978C92-D065-413C-A835-B27386D35A63}.Release|x86.Build.0 = Release|Any CPU + {4A31A75B-5EB0-4BA3-8348-4E4798266C7F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {4A31A75B-5EB0-4BA3-8348-4E4798266C7F}.Debug|Any CPU.Build.0 = Debug|Any CPU + {4A31A75B-5EB0-4BA3-8348-4E4798266C7F}.Debug|x64.ActiveCfg = Debug|Any CPU + {4A31A75B-5EB0-4BA3-8348-4E4798266C7F}.Debug|x64.Build.0 = Debug|Any CPU + {4A31A75B-5EB0-4BA3-8348-4E4798266C7F}.Debug|x86.ActiveCfg = Debug|Any CPU + {4A31A75B-5EB0-4BA3-8348-4E4798266C7F}.Debug|x86.Build.0 = Debug|Any CPU + {4A31A75B-5EB0-4BA3-8348-4E4798266C7F}.Release|Any CPU.ActiveCfg = Release|Any CPU + {4A31A75B-5EB0-4BA3-8348-4E4798266C7F}.Release|Any CPU.Build.0 = Release|Any CPU + {4A31A75B-5EB0-4BA3-8348-4E4798266C7F}.Release|x64.ActiveCfg = Release|Any CPU + {4A31A75B-5EB0-4BA3-8348-4E4798266C7F}.Release|x64.Build.0 = Release|Any CPU + {4A31A75B-5EB0-4BA3-8348-4E4798266C7F}.Release|x86.ActiveCfg = Release|Any CPU + {4A31A75B-5EB0-4BA3-8348-4E4798266C7F}.Release|x86.Build.0 = Release|Any CPU + {D14281B8-BC8E-4D31-B1FC-E3C9565F7482}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {D14281B8-BC8E-4D31-B1FC-E3C9565F7482}.Debug|Any CPU.Build.0 = Debug|Any CPU + {D14281B8-BC8E-4D31-B1FC-E3C9565F7482}.Debug|x64.ActiveCfg = Debug|Any CPU + {D14281B8-BC8E-4D31-B1FC-E3C9565F7482}.Debug|x64.Build.0 = Debug|Any CPU + {D14281B8-BC8E-4D31-B1FC-E3C9565F7482}.Debug|x86.ActiveCfg = Debug|Any CPU + {D14281B8-BC8E-4D31-B1FC-E3C9565F7482}.Debug|x86.Build.0 = Debug|Any CPU + {D14281B8-BC8E-4D31-B1FC-E3C9565F7482}.Release|Any CPU.ActiveCfg = Release|Any CPU + 
{D14281B8-BC8E-4D31-B1FC-E3C9565F7482}.Release|Any CPU.Build.0 = Release|Any CPU + {D14281B8-BC8E-4D31-B1FC-E3C9565F7482}.Release|x64.ActiveCfg = Release|Any CPU + {D14281B8-BC8E-4D31-B1FC-E3C9565F7482}.Release|x64.Build.0 = Release|Any CPU + {D14281B8-BC8E-4D31-B1FC-E3C9565F7482}.Release|x86.ActiveCfg = Release|Any CPU + {D14281B8-BC8E-4D31-B1FC-E3C9565F7482}.Release|x86.Build.0 = Release|Any CPU + {A134A9AE-CC9E-4AC7-8CD7-8C7BBF45CD02}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {A134A9AE-CC9E-4AC7-8CD7-8C7BBF45CD02}.Debug|Any CPU.Build.0 = Debug|Any CPU + {A134A9AE-CC9E-4AC7-8CD7-8C7BBF45CD02}.Debug|x64.ActiveCfg = Debug|Any CPU + {A134A9AE-CC9E-4AC7-8CD7-8C7BBF45CD02}.Debug|x64.Build.0 = Debug|Any CPU + {A134A9AE-CC9E-4AC7-8CD7-8C7BBF45CD02}.Debug|x86.ActiveCfg = Debug|Any CPU + {A134A9AE-CC9E-4AC7-8CD7-8C7BBF45CD02}.Debug|x86.Build.0 = Debug|Any CPU + {A134A9AE-CC9E-4AC7-8CD7-8C7BBF45CD02}.Release|Any CPU.ActiveCfg = Release|Any CPU + {A134A9AE-CC9E-4AC7-8CD7-8C7BBF45CD02}.Release|Any CPU.Build.0 = Release|Any CPU + {A134A9AE-CC9E-4AC7-8CD7-8C7BBF45CD02}.Release|x64.ActiveCfg = Release|Any CPU + {A134A9AE-CC9E-4AC7-8CD7-8C7BBF45CD02}.Release|x64.Build.0 = Release|Any CPU + {A134A9AE-CC9E-4AC7-8CD7-8C7BBF45CD02}.Release|x86.ActiveCfg = Release|Any CPU + {A134A9AE-CC9E-4AC7-8CD7-8C7BBF45CD02}.Release|x86.Build.0 = Release|Any CPU + {1DFEC971-61F4-4E63-A903-C04062C84967}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {1DFEC971-61F4-4E63-A903-C04062C84967}.Debug|Any CPU.Build.0 = Debug|Any CPU + {1DFEC971-61F4-4E63-A903-C04062C84967}.Debug|x64.ActiveCfg = Debug|Any CPU + {1DFEC971-61F4-4E63-A903-C04062C84967}.Debug|x64.Build.0 = Debug|Any CPU + {1DFEC971-61F4-4E63-A903-C04062C84967}.Debug|x86.ActiveCfg = Debug|Any CPU + {1DFEC971-61F4-4E63-A903-C04062C84967}.Debug|x86.Build.0 = Debug|Any CPU + {1DFEC971-61F4-4E63-A903-C04062C84967}.Release|Any CPU.ActiveCfg = Release|Any CPU + {1DFEC971-61F4-4E63-A903-C04062C84967}.Release|Any CPU.Build.0 = Release|Any CPU + 
{1DFEC971-61F4-4E63-A903-C04062C84967}.Release|x64.ActiveCfg = Release|Any CPU + {1DFEC971-61F4-4E63-A903-C04062C84967}.Release|x64.Build.0 = Release|Any CPU + {1DFEC971-61F4-4E63-A903-C04062C84967}.Release|x86.ActiveCfg = Release|Any CPU + {1DFEC971-61F4-4E63-A903-C04062C84967}.Release|x86.Build.0 = Release|Any CPU + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection +EndGlobal diff --git a/src/StellaOps.Notifier/TASKS.md b/src/StellaOps.Notifier/TASKS.md new file mode 100644 index 00000000..5bfbe2ea --- /dev/null +++ b/src/StellaOps.Notifier/TASKS.md 
@@ -0,0 +1,65 @@ +# Notifier Service Task Board — Epic 11: Notifications Studio + +## Sprint 38 – Foundations (Immediate notifications) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| NOTIFY-SVC-38-001 | TODO | Notifications Service Guild | ORCH-SVC-38-101, AUTH-NOTIFY-38-001 | Bootstrap notifier service, DB migrations (`notif_*` tables), event ingestion consumer with idempotency, and baseline rule/routing engine for policy violations + job failures. | Service builds/tests; migrations scripted; ingestion handles orchestrator events; initial rules evaluated deterministically; compliance checklist recorded. | +| NOTIFY-SVC-38-002 | TODO | Notifications Service Guild | NOTIFY-SVC-38-001 | Implement channel adapters (email, chat webhook, generic webhook) with retry policies, health checks, and audit logging. | Adapters send test notifications; retries/backoff validated; health endpoints available; audit logs captured. | +| NOTIFY-SVC-38-003 | TODO | Notifications Service Guild | NOTIFY-SVC-38-001 | Deliver template service (versioned templates, localization scaffolding) and renderer with redaction allowlists, Markdown/HTML/JSON outputs, and provenance links. | Templates versioned; preview API works; rendered content includes provenance; redaction tests pass. | +| NOTIFY-SVC-38-004 | TODO | Notifications Service Guild | NOTIFY-SVC-38-001..003 | Expose REST + WS APIs (rules CRUD, templates preview, incidents list, ack) with audit logging, RBAC checks, and live feed stream. | OpenAPI published; WS feed delivers events; ack endpoint updates state; tests cover RBAC and audit logs. 
| + +## Sprint 39 – Correlation, Digests, Simulation +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| NOTIFY-SVC-39-001 | TODO | Notifications Service Guild | NOTIFY-SVC-38-004 | Implement correlation engine with pluggable key expressions/windows, throttler (token buckets), quiet hours/maintenance evaluator, and incident lifecycle. | Correlation merges duplicates; throttling enforced; quiet hours respect tenant schedules; incident state transitions tested. | +| NOTIFY-SVC-39-002 | TODO | Notifications Service Guild | NOTIFY-SVC-39-001, LEDGER-NOTIFY-39-001 | Build digest generator (queries, formatting) with schedule runner and distribution via existing channels. | Digests generated on schedule; content accurate; provenance linked; metrics emitted. | +| NOTIFY-SVC-39-003 | TODO | Notifications Service Guild | NOTIFY-SVC-39-001 | Provide simulation engine/API to dry-run rules against historical events, returning matched actions with explanations. | Simulation endpoint returns deterministic results; explanation includes rule/field matches; integration tests pass. | +| NOTIFY-SVC-39-004 | TODO | Notifications Service Guild | NOTIFY-SVC-39-001 | Integrate quiet hour calendars and default throttles with audit logging and operator overrides. | Quiet schedules stored; overrides audited; preview API shows suppression windows; tests cover timezone handling. | + +## Sprint 40 – Escalations, Localization, Hardening +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| NOTIFY-SVC-40-001 | TODO | Notifications Service Guild | NOTIFY-SVC-39-001 | Implement escalations + on-call schedules, ack bridge, PagerDuty/OpsGenie adapters, and CLI/in-app inbox channels. | Escalation workflow operational; ack tokens flow; external adapters tested; inbox channel live. 
| +| NOTIFY-SVC-40-002 | TODO | Notifications Service Guild | NOTIFY-SVC-39-002 | Add summary storm breaker notifications, localization bundles, and localization fallback handling. | Storm breaker emits summaries; localization catalogs loaded; fallback behavior tested. | +| NOTIFY-SVC-40-003 | TODO | Notifications Service Guild | NOTIFY-SVC-38-004 | Harden security: signed ack links (KMS), webhook HMAC/IP allowlists, tenant isolation fuzz tests, HTML sanitization. | Ack tokens verified; webhook security enforced; fuzz tests green; sanitization validated. | +| NOTIFY-SVC-40-004 | TODO | Notifications Service Guild | NOTIFY-SVC-40-001..003 | Finalize observability (metrics/traces for escalations, latency), dead-letter handling, chaos tests for channel outages, and retention policies. | Metrics dashboards live; chaos run documented; DLQ drains; retention job operational. | + +## Authority-Backed Scopes & Tenancy (Epic 14) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| NOTIFY-TEN-48-001 | TODO | Notifications Service Guild | WEB-TEN-48-001 | Tenant-scope rules/templates/incidents, RLS on storage, tenant-prefixed channels, and inclusion of tenant context in notifications. | Notifications isolated per tenant; RLS enabled; tests cover cross-tenant leakage. | + +## Observability & Forensics (Epic 15) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| NOTIFY-OBS-51-001 | TODO | Notifications Service Guild, Observability Guild | DEVOPS-OBS-51-001, WEB-OBS-51-001 | Integrate SLO evaluator webhooks into Notifier rules (burn-rate breaches, health degradations) with templates, routing, and suppression logic. Provide sample policies and ensure imposed rule propagation. | Webhooks ingested; notifications delivered across channels; suppression guardrails tested; docs updated. 
| +| NOTIFY-OBS-55-001 | TODO | Notifications Service Guild, Ops Guild | DEVOPS-OBS-55-001, WEB-OBS-55-001 | Publish incident mode start/stop notifications with trace/evidence quick links, retention notes, and automatic escalation paths. Include quiet-hour overrides + legal compliance logging. | Incident notifications triggered in staging; CLI/Console deep links validated; audit logs capture scope usage. | + +## Air-Gapped Mode (Epic 16) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| NOTIFY-AIRGAP-56-001 | TODO | Notifications Service Guild | AIRGAP-CTL-56-002, AIRGAP-POL-56-001 | Disable external webhook targets in sealed mode, default to enclave-safe channels (SMTP relay, syslog, file sink), and surface remediation guidance. | Sealed mode blocks external channels; configuration validation raises errors; tests cover allowances. | +| NOTIFY-AIRGAP-56-002 | TODO | Notifications Service Guild, DevOps Guild | NOTIFY-AIRGAP-56-001, DEVOPS-AIRGAP-56-001 | Provide local notifier configurations bundled within Bootstrap Pack with deterministic secrets handling. | Offline config templates published; bootstrap script validated; docs updated. | +| NOTIFY-AIRGAP-57-001 | TODO | Notifications Service Guild, AirGap Time Guild | NOTIFY-AIRGAP-56-001, AIRGAP-TIME-58-001 | Send staleness drift and bundle import notifications with remediation steps. | Notifications emitted on thresholds; tests cover suppression/resend. | +| NOTIFY-AIRGAP-58-001 | TODO | Notifications Service Guild, Evidence Locker Guild | NOTIFY-AIRGAP-56-001, EVID-OBS-54-002 | Add portable evidence export completion notifications including checksum + location metadata. | Notification payload includes bundle details; audit logs recorded; CLI integration validated. 
| + +## SDKs & OpenAPI (Epic 17) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| NOTIFY-OAS-61-001 | TODO | Notifications Service Guild, API Contracts Guild | OAS-61-001 | Update notifier OAS with rules, templates, incidents, quiet hours endpoints using standard error envelope and examples. | Spec covers notifier APIs; lint passes; examples validated. | +| NOTIFY-OAS-61-002 | TODO | Notifications Service Guild | NOTIFY-OAS-61-001 | Implement `/.well-known/openapi` discovery endpoint with scope metadata. | Discovery endpoint live; contract tests cover response. | +| NOTIFY-OAS-62-001 | TODO | Notifications Service Guild, SDK Generator Guild | NOTIFY-OAS-61-001, SDKGEN-63-001 | Provide SDK usage examples for rule CRUD, incident ack, and quiet hours; ensure SDK smoke tests. | SDK tests cover notifier flows; docs embed snippets. | +| NOTIFY-OAS-63-001 | TODO | Notifications Service Guild, API Governance Guild | APIGOV-63-001 | Emit deprecation headers and Notifications templates for retiring notifier APIs. | Headers + notifications verified; documentation updated. | + +## Risk Profiles (Epic 18) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| NOTIFY-RISK-66-001 | TODO | Notifications Service Guild, Risk Engine Guild | RISK-ENGINE-68-001 | Add notification triggers for risk severity escalation/downgrade events with profile metadata in payload. | Trigger processed in staging; payload shows profile and explainability link; docs updated. | +| NOTIFY-RISK-67-001 | TODO | Notifications Service Guild, Policy Guild | POLICY-RISK-67-002 | Notify stakeholders when risk profiles are published, deprecated, or thresholds change. | Notifications delivered via email/chat; audit logs captured. 
| +| NOTIFY-RISK-68-001 | TODO | Notifications Service Guild | NOTIFY-RISK-66-001 | Support per-profile routing rules, quiet hours, and dedupe for risk alerts; integrate with CLI/Console preferences. | Routing/quiet-hour logic tested; UI exposes settings; metrics reflect dedupe. | + +## Attestor Console (Epic 19) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| NOTIFY-ATTEST-74-001 | TODO | Notifications Service Guild, Attestor Service Guild | ATTESTOR-73-002 | Create notification templates for verification failures, expiring attestations, key revocations, and transparency anomalies. | Templates deployed; staging verification failure triggers alert; documentation updated. | +| NOTIFY-ATTEST-74-002 | TODO | Notifications Service Guild, KMS Guild | KMS-73-001 | Wire notifications to key rotation/revocation events and transparency witness failures. | Rotation/revocation emits alerts; audit logs recorded; tests cover scenarios. | diff --git a/src/StellaOps.Notify.Connectors.Email/TASKS.md b/src/StellaOps.Notify.Connectors.Email/TASKS.md index e3754233..5d4ab07b 100644 --- a/src/StellaOps.Notify.Connectors.Email/TASKS.md +++ b/src/StellaOps.Notify.Connectors.Email/TASKS.md 
@@ -1,7 +1,2 @@
-# Notify Email Connector Task Board (Sprint 15)
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| NOTIFY-CONN-EMAIL-15-701 | TODO | Notify Connectors Guild | NOTIFY-ENGINE-15-303 | Implement SMTP connector with STARTTLS/implicit TLS support, HTML+text rendering, attachment policy enforcement. | Integration tests with SMTP stub pass; TLS enforced; attachments blocked per policy. |
-| NOTIFY-CONN-EMAIL-15-702 | BLOCKED (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-EMAIL-15-701 | Add DKIM signing optional support and health/test-send flows. | DKIM optional config verified; test-send passes; secrets handled securely. |
-| NOTIFY-CONN-EMAIL-15-703 | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-EMAIL-15-702 | Package Email connector as restart-time plug-in (manifest + host registration). | Plugin manifest added; host loads connector from `plugins/notify/email/`; restart validation passes. |
+# Notify Email Connector Task Board (Sprint 15)
+> Archived 2025-10-26 — connector maintained under `src/StellaOps.Notifier` (Sprints 38–40).
diff --git a/src/StellaOps.Notify.Connectors.Slack/TASKS.md b/src/StellaOps.Notify.Connectors.Slack/TASKS.md
index 5658db86..f2cb69c1 100644
--- a/src/StellaOps.Notify.Connectors.Slack/TASKS.md
+++ b/src/StellaOps.Notify.Connectors.Slack/TASKS.md
@@ -1,7 +1,2 @@
-# Notify Slack Connector Task Board (Sprint 15)
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| NOTIFY-CONN-SLACK-15-501 | TODO | Notify Connectors Guild | NOTIFY-ENGINE-15-303 | Implement Slack connector with bot token auth, message rendering (blocks), rate limit handling, retries/backoff. | Integration tests stub Slack API; retries/jitter validated; 429 handling documented. |
-| NOTIFY-CONN-SLACK-15-502 | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-SLACK-15-501 | Health check & test-send support with minimal scopes and redacted tokens. | `/channels/{id}/test` hitting Slack stub passes; secrets never logged; health endpoint returns diagnostics. |
-| NOTIFY-CONN-SLACK-15-503 | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-SLACK-15-502 | Package Slack connector as restart-time plug-in (manifest + host registration). | Plugin manifest added; host loads connector from `plugins/notify/slack/`; restart validation passes. |
+# Notify Slack Connector Task Board (Sprint 15)
+> Archived 2025-10-26 — connector scope now in `src/StellaOps.Notifier` (Sprints 38–40).
diff --git a/src/StellaOps.Notify.Connectors.Teams/TASKS.md b/src/StellaOps.Notify.Connectors.Teams/TASKS.md
index 6a1aa92f..02bc896e 100644
--- a/src/StellaOps.Notify.Connectors.Teams/TASKS.md
+++ b/src/StellaOps.Notify.Connectors.Teams/TASKS.md
@@ -1,10 +1,4 @@ -# Notify Teams Connector Task Board (Sprint 15) - -| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | -|----|--------|----------|------------|-------------|---------------| -| NOTIFY-CONN-TEAMS-15-601 | TODO | Notify Connectors Guild | NOTIFY-ENGINE-15-303 | Implement Teams connector using Adaptive Cards 1.5, handle webhook auth, size limits, retries. | Adaptive card payloads validated; 413/429 handling implemented; integration tests cover success/fail. | -| NOTIFY-CONN-TEAMS-15-602 | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-TEAMS-15-601 | Provide health/test-send support with fallback text for legacy clients. | Test-send returns card preview; fallback text logged; docs updated. | -| NOTIFY-CONN-TEAMS-15-603 | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-TEAMS-15-602 | Package Teams connector as restart-time plug-in (manifest + host registration). | Plugin manifest added; host loads connector from `plugins/notify/teams/`; restart validation passes. | -| NOTIFY-CONN-TEAMS-15-604 | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-TEAMS-15-602 | Align Teams channel health endpoint with preview metadata redaction. | `/channels/{id}/health` reuses `TeamsMetadataBuilder`; sensitive fields redacted; regression tests updated. | +# Notify Teams Connector Task Board (Sprint 15) +> Archived 2025-10-26 — connector work now owned by `src/StellaOps.Notifier` (Sprints 38–40). > Remark (2025-10-20): Teams test-send now emits Adaptive Card 1.5 payloads with legacy fallback text (`teams.fallbackText` metadata) and hashed webhook secret refs; coverage lives in `StellaOps.Notify.Connectors.Teams.Tests`. `/channels/{id}/health` shares the same metadata builder via `TeamsChannelHealthProvider`, ensuring webhook hashes and sensitive keys stay redacted. diff --git a/src/StellaOps.Notify.Connectors.Webhook/TASKS.md b/src/StellaOps.Notify.Connectors.Webhook/TASKS.md index 77c96906..ca3f3fb9 100644 
--- a/src/StellaOps.Notify.Connectors.Webhook/TASKS.md
+++ b/src/StellaOps.Notify.Connectors.Webhook/TASKS.md
@@ -1,7 +1,2 @@
-# Notify Webhook Connector Task Board (Sprint 15)
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| NOTIFY-CONN-WEBHOOK-15-801 | TODO | Notify Connectors Guild | NOTIFY-ENGINE-15-303 | Implement webhook connector: JSON payload, signature (HMAC/Ed25519), retries/backoff, status code handling. | Integration tests with webhook stub validate signatures, retries, error handling; payload schema documented. |
-| NOTIFY-CONN-WEBHOOK-15-802 | BLOCKED (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-WEBHOOK-15-801 | Health/test-send support with signature validation hints and secret management. | Test-send returns success with sample payload; docs include verification guide; secrets never logged. |
-| NOTIFY-CONN-WEBHOOK-15-803 | DONE (2025-10-20) | Notify Connectors Guild | NOTIFY-CONN-WEBHOOK-15-802 | Package Webhook connector as restart-time plug-in (manifest + host registration). | Plugin manifest added; host loads connector from `plugins/notify/webhook/`; restart validation passes. |
+# Notify Webhook Connector Task Board (Sprint 15)
+> Archived 2025-10-26 — webhook connector maintained in `src/StellaOps.Notifier` (Sprints 38–40).
diff --git a/src/StellaOps.Notify.Engine/TASKS.md b/src/StellaOps.Notify.Engine/TASKS.md
index 01572ed5..d15cb183 100644
--- a/src/StellaOps.Notify.Engine/TASKS.md
+++ b/src/StellaOps.Notify.Engine/TASKS.md
@@ -1,8 +1,2 @@
-# Notify Engine Task Board (Sprint 15)
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| NOTIFY-ENGINE-15-301 | DOING (2025-10-24) | Notify Engine Guild | NOTIFY-MODELS-15-101 | Rules evaluation core: tenant/kind filters, severity/delta gates, VEX gating, throttling, idempotency key generation. | Unit tests cover rule permutations; idempotency keys deterministic; documentation updated. |
-| NOTIFY-ENGINE-15-302 | TODO | Notify Engine Guild | NOTIFY-ENGINE-15-301 | Action planner + digest coalescer with window management and dedupe per architecture §4. | Digest windows tested; throttles and digests recorded; metrics counters exposed. |
-| NOTIFY-ENGINE-15-303 | TODO | Notify Engine Guild | NOTIFY-ENGINE-15-302 | Template rendering engine (Slack, Teams, Email, Webhook) with helpers and i18n support. | Rendering fixtures validated; helpers documented; deterministic output proven via golden tests. |
-| NOTIFY-ENGINE-15-304 | TODO | Notify Engine Guild | NOTIFY-ENGINE-15-303 | Test-send sandbox + preview utilities for WebService. | Preview/test functions validated; sample outputs returned; no state persisted. |
+# Notify Engine Task Board (Sprint 15)
+> Archived 2025-10-26 — runtime responsibilities moved to `src/StellaOps.Notifier` (Sprints 38–40).
diff --git a/src/StellaOps.Notify.Models/TASKS.md b/src/StellaOps.Notify.Models/TASKS.md
index 6738ad87..9b75dc62 100644
--- a/src/StellaOps.Notify.Models/TASKS.md
+++ b/src/StellaOps.Notify.Models/TASKS.md
@@ -1,7 +1,2 @@
-# Notify Models Task Board (Sprint 15)
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| NOTIFY-MODELS-15-101 | DONE (2025-10-19) | Notify Models Guild | — | Define core DTOs (Rule, Channel, Template, Event envelope, Delivery) with validation helpers and canonical JSON serialization. | DTOs merged with tests; documented; serialization deterministic. |
-| NOTIFY-MODELS-15-102 | DONE (2025-10-19) | Notify Models Guild | NOTIFY-MODELS-15-101 | Publish schema docs + sample payloads for channels, rules, events (used by UI + connectors). | Markdown/JSON schema generated; linked in docs; integration tests reference samples. |
-| NOTIFY-MODELS-15-103 | DONE (2025-10-19) | Notify Models Guild | NOTIFY-MODELS-15-101 | Provide versioning and migration helpers (e.g., rule evolution, template revisions). | Migration helpers implemented; tests cover upgrade/downgrade; guidance captured in docs. |
+# Notify Models Task Board (Sprint 15)
+> Archived 2025-10-26 — scope moved to `src/StellaOps.Notifier` (Sprints 38–40).
diff --git a/src/StellaOps.Notify.Queue/TASKS.md b/src/StellaOps.Notify.Queue/TASKS.md
index 92d0320f..41f96344 100644
--- a/src/StellaOps.Notify.Queue/TASKS.md
+++ b/src/StellaOps.Notify.Queue/TASKS.md
@@ -1,7 +1,2 @@
-# Notify Queue Task Board (Sprint 15)
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| NOTIFY-QUEUE-15-401 | DONE (2025-10-23) | Notify Queue Guild | NOTIFY-MODELS-15-101 | Build queue abstraction + Redis Streams adapter with ack/claim APIs, idempotency tokens, serialization contracts. | Adapter integration tests cover enqueue/dequeue/ack; ordering preserved; idempotency tokens supported. |
-| NOTIFY-QUEUE-15-402 | DONE (2025-10-23) | Notify Queue Guild | NOTIFY-QUEUE-15-401 | Add NATS JetStream adapter with configuration binding, health probes, failover. | Health endpoints verified; failover documented; integration tests exercise both adapters. |
-| NOTIFY-QUEUE-15-403 | DONE (2025-10-23) | Notify Queue Guild | NOTIFY-QUEUE-15-401 | Delivery queue for channel actions with retry schedules, poison queues, and metrics instrumentation. | Delivery queue integration tests cover retries/dead-letter; metrics/logging emitted per spec. |
+# Notify Queue Task Board (Sprint 15)
+> Archived 2025-10-26 — queue infrastructure maintained in `src/StellaOps.Notifier` (Sprints 38–40).
diff --git a/src/StellaOps.Notify.Storage.Mongo/TASKS.md b/src/StellaOps.Notify.Storage.Mongo/TASKS.md
index 12090060..319e2fa6 100644
--- a/src/StellaOps.Notify.Storage.Mongo/TASKS.md
+++ b/src/StellaOps.Notify.Storage.Mongo/TASKS.md
@@ -1,7 +1,2 @@
-# Notify Storage Task Board (Sprint 15)
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| NOTIFY-STORAGE-15-201 | DONE (2025-10-19) | Notify Storage Guild | NOTIFY-MODELS-15-101 | Create Mongo schemas/collections (rules, channels, deliveries, digests, locks, audit) with indexes per architecture §7. | Migration scripts authored; indexes tested; integration tests cover CRUD/read paths. |
-| NOTIFY-STORAGE-15-202 | DONE (2025-10-19) | Notify Storage Guild | NOTIFY-STORAGE-15-201 | Implement repositories/services with tenant scoping, soft deletes, TTL, causal consistency (majority) options. | Repositories unit-tested; soft delete + TTL validated; majority read/write configuration documented. |
-| NOTIFY-STORAGE-15-203 | DONE (2025-10-19) | Notify Storage Guild | NOTIFY-STORAGE-15-201 | Delivery history retention + query APIs (paging, filters). | History queries return expected data; paging verified; docs updated. |
+# Notify Storage Task Board (Sprint 15)
+> Archived 2025-10-26 — storage responsibilities now tracked in `src/StellaOps.Notifier` (Sprints 38–40).
diff --git a/src/StellaOps.Notify.WebService/TASKS.md b/src/StellaOps.Notify.WebService/TASKS.md
index 9cd8614d..a13e4a53 100644
--- a/src/StellaOps.Notify.WebService/TASKS.md
+++ b/src/StellaOps.Notify.WebService/TASKS.md
@@ -1,8 +1,2 @@
-# Notify WebService Task Board (Sprint 15)
-
-| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
-|----|--------|----------|------------|-------------|---------------|
-| NOTIFY-WEB-15-101 | DONE (2025-10-19) | Notify WebService Guild | NOTIFY-MODELS-15-101 | Bootstrap minimal API host with Authority auth, health endpoints, and plug-in discovery per architecture. | Service starts with config validation, `/healthz`/`/readyz` pass, plug-ins loaded at restart. |
-| NOTIFY-WEB-15-102 | DONE (2025-10-19) | Notify WebService Guild | NOTIFY-WEB-15-101 | Rules/channel/template CRUD endpoints with tenant scoping, validation, audit logging. | CRUD endpoints tested; invalid inputs rejected; audit entries persisted. |
-| NOTIFY-WEB-15-103 | DONE (2025-10-19) | Notify WebService Guild | NOTIFY-WEB-15-102 | Delivery history + test-send endpoints with rate limits. | `/deliveries` and `/channels/{id}/test` tested; rate limits enforced. |
-| NOTIFY-WEB-15-104 | TODO | Notify WebService Guild | NOTIFY-STORAGE-15-201, NOTIFY-QUEUE-15-401 | Configuration binding for Mongo/queue/secrets; startup diagnostics. | Misconfiguration fails fast; diagnostics logged; integration tests cover env overrides. |
+# Notify WebService Task Board (Sprint 15)
+> Archived 2025-10-26 — control plane now lives in `src/StellaOps.Notifier` (Sprints 38–40).
diff --git a/src/StellaOps.Notify.Worker/TASKS.md b/src/StellaOps.Notify.Worker/TASKS.md
index fbb40aff..b268ea5b 100644
--- a/src/StellaOps.Notify.Worker/TASKS.md
+++ b/src/StellaOps.Notify.Worker/TASKS.md
@@ -1,8 +1,2 @@ -# Notify Worker Task Board (Sprint 15) - -| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | -|----|--------|----------|------------|-------------|---------------| -| NOTIFY-WORKER-15-201 | DONE (2025-10-23) | Notify Worker Guild | NOTIFY-QUEUE-15-401 | Implement bus subscription + leasing loop with correlation IDs, backoff, dead-letter handling (§1–§5). | Worker consumes events from queue, ack/retry behaviour proven in integration tests; logs include correlation IDs. | -| NOTIFY-WORKER-15-202 | TODO | Notify Worker Guild | NOTIFY-WORKER-15-201 | Wire rules evaluation pipeline (tenant scoping, filters, throttles, digests, idempotency) with deterministic decisions. | Evaluation unit tests cover rule combinations; throttles/digests produce expected suppression; idempotency keys validated. | -| NOTIFY-WORKER-15-203 | TODO | Notify Worker Guild | NOTIFY-WORKER-15-202 | Channel dispatch orchestration: invoke connectors, manage retries/jitter, record delivery outcomes. | Connector mocks show retries/backoff; delivery results stored; metrics incremented per outcome. | -| NOTIFY-WORKER-15-204 | TODO | Notify Worker Guild | NOTIFY-WORKER-15-203 | Metrics/telemetry: `notify.sent_total`, `notify.dropped_total`, latency histograms, tracing integration. | Metrics emitted per spec; OTLP spans annotated; dashboards documented. | +# Notify Worker Task Board (Sprint 15) +> Archived 2025-10-26 — worker responsibilities handled in `src/StellaOps.Notifier` (Sprints 38–40). diff --git a/src/StellaOps.Orchestrator.WorkerSdk.Go/AGENTS.md b/src/StellaOps.Orchestrator.WorkerSdk.Go/AGENTS.md new file mode 100644 index 00000000..9b7a347c --- /dev/null +++ b/src/StellaOps.Orchestrator.WorkerSdk.Go/AGENTS.md 
@@ -0,0 +1,10 @@ +# Worker SDK (Go) — Agent Charter + +## Mission +Provide the official Go SDK for StellaOps orchestrated workers. Implement claim/heartbeat/progress clients, artifact publishing, error classification, and guardrails so Concelier, Excititor, SBOM, Policy, and other teams can integrate with the orchestrator deterministically. + +## Responsibilities +- Maintain idiomatic Go client with configurable transports, retries, and tenant-aware headers. +- Surface structured metrics/logging hooks mirroring orchestrator expectations. +- Enforce idempotency token usage, artifact checksum publication, and backfill/watermark handshakes. +- Coordinate release cadence with Worker Python SDK, orchestrator service, DevOps packaging, and Offline Kit requirements. diff --git a/src/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md b/src/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md new file mode 100644 index 00000000..90af4187 --- /dev/null +++ b/src/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md 
@@ -0,0 +1,9 @@ +# Worker SDK (Go) Task Board — Epic 9 + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| WORKER-GO-32-001 | TODO | Worker SDK Guild | ORCH-SVC-32-005 | Bootstrap Go SDK project with configuration binding, auth headers, job claim/acknowledge client, and smoke sample. | `go test ./...` green; sample worker claims job against local orchestrator; README outlines usage; compliance checklist recorded. | +| WORKER-GO-32-002 | TODO | Worker SDK Guild | WORKER-GO-32-001 | Add heartbeat/progress helpers, structured logging hooks, Prometheus metrics, and jittered retry defaults. | Heartbeat/progress methods documented; metrics exported; integration test verifies heartbeat timeout handling; lint/staticcheck clean. | +| WORKER-GO-33-001 | TODO | Worker SDK Guild | WORKER-GO-32-002, ORCH-SVC-33-003 | Implement artifact publish helpers (object storage client, checksum hashing, metadata payload) and idempotency guard. | Artifact upload API tested with fake object store; idempotency violations return typed error; docs include sample. | +| WORKER-GO-33-002 | TODO | Worker SDK Guild | WORKER-GO-32-002 | Provide error classification/retry helper, exponential backoff controls, and structured failure reporting to orchestrator. | Error helper maps to orchestrator error classes; retries configurable; integration test covers HTTP 5xx, validation errors; docs updated. | +| WORKER-GO-34-001 | TODO | Worker SDK Guild | WORKER-GO-33-001, ORCH-SVC-34-001 | Add backfill range execution helpers, watermark handshake utilities, and artifact dedupe verification for backfills. | Backfill helper handles window chunks; watermark handshake verified in integration test; dedupe proof recorded; offline kit sample updated. | diff --git a/src/StellaOps.Orchestrator.WorkerSdk.Python/AGENTS.md b/src/StellaOps.Orchestrator.WorkerSdk.Python/AGENTS.md new file mode 100644 index 00000000..8b5b8b23 
--- /dev/null +++ b/src/StellaOps.Orchestrator.WorkerSdk.Python/AGENTS.md @@ -0,0 +1,10 @@ +# Worker SDK (Python) — Agent Charter + +## Mission +Publish the Python client library for StellaOps orchestrated workers. Provide asyncio-friendly claim/heartbeat/progress APIs, artifact publishing helpers, error handling, and observability hooks aligned with Epic 9 requirements and the imposed rule for cross-component parity. + +## Responsibilities +- Maintain typed client (httpx/async) with retry/backoff primitives mirroring orchestrator expectations. +- Surface structured metrics/logging instrumentation and pluggable exporters. +- Enforce idempotency token usage, artifact checksum publication, and watermark/backfill helpers. +- Coordinate versioning with Go SDK, orchestrator service contracts, DevOps packaging, and Offline Kit deliverables. diff --git a/src/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md b/src/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md new file mode 100644 index 00000000..c9c6afe4 --- /dev/null +++ b/src/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md 
@@ -0,0 +1,9 @@ +# Worker SDK (Python) Task Board — Epic 9 + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| WORKER-PY-32-001 | TODO | Worker SDK Guild | ORCH-SVC-32-005 | Bootstrap asyncio-based Python SDK (config, auth headers, job claim/ack) plus sample worker script. | `pytest` suite passes; sample worker claims job from orchestrator; README documents install/offline story; type checking via `pyright` clean. | +| WORKER-PY-32-002 | TODO | Worker SDK Guild | WORKER-PY-32-001 | Implement heartbeat/progress helpers with structured logging, metrics exporter, and cancellation-safe retries. | Heartbeat/progress API documented; metrics exported via Prometheus/client; cancellation tests cover timeouts; lint/formatters pass. | +| WORKER-PY-33-001 | TODO | Worker SDK Guild | WORKER-PY-32-002, ORCH-SVC-33-003 | Add artifact publish/idempotency helpers (object storage adapters, checksum hashing, metadata payload) for Python workers. | Artifact helper tested with fake storage; idempotency enforcement verified; docs updated with sample. | +| WORKER-PY-33-002 | TODO | Worker SDK Guild | WORKER-PY-32-002 | Provide error classification/backoff helper mapping to orchestrator codes, including jittered retries and structured failure reports. | Error helper returns typed exceptions; retry config documented; integration test covers HTTP 5xx/validation errors; metrics include failure counters. | +| WORKER-PY-34-001 | TODO | Worker SDK Guild | WORKER-PY-33-001, ORCH-SVC-34-001 | Implement backfill range iteration, watermark handshake, and artifact dedupe verification utilities for Python workers. | Backfill helper exercised in integration tests; watermark handshake recorded; dedupe proof logged; offline kit sample updated. | diff --git a/src/StellaOps.Orchestrator/AGENTS.md b/src/StellaOps.Orchestrator/AGENTS.md new file mode 100644 index 00000000..af48c03b --- /dev/null 
+++ b/src/StellaOps.Orchestrator/AGENTS.md @@ -0,0 +1,18 @@ +# StellaOps Orchestrator Service — Agent Charter + +## Mission +Build and operate the Source & Job Orchestrator control plane described in Epic 9. Own scheduler, job state persistence, rate limiting, audit/provenance exports, and realtime streaming APIs while respecting the imposed rule: work of this type must be applied everywhere it belongs. + +## Key Responsibilities +- Maintain deterministic Postgres schema/migrations for sources, runs, jobs, dag edges, artifacts, quotas, and schedules. +- Implement DAG planner, token-bucket rate limiting, watermark/backfill manager, dead-letter replay, and horizontal scale guards. +- Publish REST + WebSocket/SSE APIs powering Console/CLI, capture audit trails, and guard tenant isolation/RBAC scopes. +- Coordinate with Worker SDK, Concelier, Excititor, SBOM, Policy, VEX Lens, Findings Ledger, Authority, Console, CLI, DevOps, and Docs teams to keep integrations in sync. + +## Module Layout +- `StellaOps.Orchestrator.Core/` — scheduler primitives, DAG models, rate limit policies. +- `StellaOps.Orchestrator.Infrastructure/` — Postgres DAL, queue integrations, telemetry shims. +- `StellaOps.Orchestrator.WebService/` — control-plane APIs (sources, runs, jobs, streams). +- `StellaOps.Orchestrator.Worker/` — execution coordinator / lease manager loops. +- `StellaOps.Orchestrator.Tests/` — unit tests for core/infrastructure concerns. +- `StellaOps.Orchestrator.sln` — solution bundling orchestrator components. diff --git a/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Class1.cs b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Class1.cs new file mode 100644 index 00000000..93149c8e --- /dev/null +++ b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/Class1.cs @@ -0,0 +1,6 @@ +namespace StellaOps.Orchestrator.Core; + +public class Class1 +{ + +} 
diff --git a/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/StellaOps.Orchestrator.Core.csproj b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/StellaOps.Orchestrator.Core.csproj new file mode 100644 index 00000000..fe0eef44 --- /dev/null +++ b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Core/StellaOps.Orchestrator.Core.csproj @@ -0,0 +1,18 @@ + + + + + + + + + net10.0 + enable + enable + preview + true + + + + + diff --git a/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Class1.cs b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Class1.cs new file mode 100644 index 00000000..96fdb698 --- /dev/null +++ b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/Class1.cs @@ -0,0 +1,6 @@ +namespace StellaOps.Orchestrator.Infrastructure; + +public class Class1 +{ + +} diff --git a/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/StellaOps.Orchestrator.Infrastructure.csproj b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/StellaOps.Orchestrator.Infrastructure.csproj new file mode 100644 index 00000000..684f2bbb --- /dev/null +++ b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Infrastructure/StellaOps.Orchestrator.Infrastructure.csproj @@ -0,0 +1,28 @@ + + + + + + + + + + + + + + + + + + + net10.0 + enable + enable + preview + true + + + + + diff --git a/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Tests/StellaOps.Orchestrator.Tests.csproj b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Tests/StellaOps.Orchestrator.Tests.csproj new file mode 100644 index 00000000..7ad38105 --- /dev/null +++ b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Tests/StellaOps.Orchestrator.Tests.csproj 
@@ -0,0 +1,135 @@ + + + + + + + + + + + + + Exe + + + + + false + + + + + + + + + + + + + + net10.0 + + + enable + + + enable + + + false + + + preview + + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Tests/UnitTest1.cs b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Tests/UnitTest1.cs new file mode 100644 index 00000000..207259a4 --- /dev/null +++ b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Tests/UnitTest1.cs @@ -0,0 +1,10 @@ +namespace StellaOps.Orchestrator.Tests; + +public class UnitTest1 +{ + [Fact] + public void Test1() + { + + } +} diff --git a/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Tests/xunit.runner.json b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Tests/xunit.runner.json new file mode 100644 index 00000000..86c7ea05 --- /dev/null +++ b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Tests/xunit.runner.json @@ -0,0 +1,3 @@ +{ + "$schema": "https://xunit.net/schema/current/xunit.runner.schema.json" +} diff --git a/src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Program.cs b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Program.cs new file mode 100644 index 00000000..ee9d65d6 --- /dev/null +++ b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Program.cs 
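Review bot: `Test1` in UnitTest1.cs has an empty body, so the Tests project turns green without asserting anything, and the "Service builds/tests" exit criterion of ORCH-SVC-32-001 can be satisfied vacuously. Either remove the scaffold test or make the placeholder visible in the run summary with `[Fact(Skip = "scaffold placeholder - replace with first real Core test")]` until StellaOps.Orchestrator.Core has a type worth exercising. Note that `Class1` in Core and Infrastructure (previous hunks) is likewise an empty template type that should not ship in the first tagged build.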
@@ -0,0 +1,41 @@
+var builder = WebApplication.CreateBuilder(args);
+
+// Add services to the container.
+// Learn more about configuring OpenAPI at https://aka.ms/aspnet/openapi
+builder.Services.AddOpenApi();
+
+var app = builder.Build();
+
+// Configure the HTTP request pipeline.
+if (app.Environment.IsDevelopment())
+{
+ app.MapOpenApi();
+}
+
+app.UseHttpsRedirection();
+
+var summaries = new[]
+{
+ "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
+};
+
+app.MapGet("/weatherforecast", () =>
+{
+ var forecast = Enumerable.Range(1, 5).Select(index =>
+ new WeatherForecast
+ (
+ DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
+ Random.Shared.Next(-20, 55),
+ summaries[Random.Shared.Next(summaries.Length)]
+ ))
+ .ToArray();
+ return forecast;
+})
+.WithName("GetWeatherForecast");
+
+app.Run();
+
+record WeatherForecast(DateOnly Date, int TemperatureC, string? Summary)
+{
+ public int TemperatureF => 32 + (int)(TemperatureC / 0.5556);
+}
diff --git a/src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Properties/launchSettings.json b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Properties/launchSettings.json
new file mode 100644
index 00000000..5fbc3346
--- /dev/null
+++ b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/Properties/launchSettings.json
@@ -0,0 +1,23 @@
+{
+ "$schema": "https://json.schemastore.org/launchsettings.json",
+ "profiles": {
+ "http": {
+ "commandName": "Project",
+ "dotnetRunMessages": true,
+ "launchBrowser": false,
+ "applicationUrl": "http://localhost:5151",
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ },
+ "https": {
+ "commandName": "Project",
+ "dotnetRunMessages": true,
+ "launchBrowser": false,
+ "applicationUrl": "https://localhost:7228;http://localhost:5151",
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ }
+ }
+}
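Review bot: The WebService pipeline in Program.cs registers no authentication or authorization middleware and exposes an anonymous `/weatherforecast` sample endpoint, while the AGENTS.md in this same commit makes tenant isolation and RBAC scopes this service's responsibility. Before the read-only APIs of ORCH-SVC-32-003 are added, drop the sample endpoint and the `WeatherForecast` record and wire the Authority auth scheme with `app.UseAuthentication(); app.UseAuthorization();` placed before `MapGet`, so each mapped endpoint is denied by default rather than opted in one by one. `DateTime.Now` in the sample is host-local time; the task board asks for deterministic responses, so any real handler should take an injected `TimeProvider` and work in UTC. The sample also builds its response from `Random.Shared`, which is fine for a demo but is a reminder that nothing here is meant to survive into the control-plane API.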
diff --git a/src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/StellaOps.Orchestrator.WebService.csproj b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/StellaOps.Orchestrator.WebService.csproj new file mode 100644 index 00000000..5f4779ba --- /dev/null +++ b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/StellaOps.Orchestrator.WebService.csproj @@ -0,0 +1,41 @@ + + + + + + + + + net10.0 + enable + enable + preview + true + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/StellaOps.Orchestrator.WebService.http b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/StellaOps.Orchestrator.WebService.http new file mode 100644 index 00000000..b47530f9 --- /dev/null +++ b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/StellaOps.Orchestrator.WebService.http @@ -0,0 +1,6 @@ +@StellaOps.Orchestrator.WebService_HostAddress = http://localhost:5151 + +GET {{StellaOps.Orchestrator.WebService_HostAddress}}/weatherforecast/ +Accept: application/json + +### diff --git a/src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/appsettings.Development.json b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/appsettings.Development.json new file mode 100644 index 00000000..0c208ae9 --- /dev/null +++ b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/appsettings.Development.json @@ -0,0 +1,8 @@ +{ + "Logging": { + "LogLevel": { + "Default": "Information", + "Microsoft.AspNetCore": "Warning" + } + } +} diff --git a/src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/appsettings.json b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/appsettings.json new file mode 100644 index 00000000..10f68b8c --- /dev/null +++ b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.WebService/appsettings.json 
@@ -0,0 +1,9 @@ +{ + "Logging": { + "LogLevel": { + "Default": "Information", + "Microsoft.AspNetCore": "Warning" + } + }, + "AllowedHosts": "*" +} diff --git a/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/Program.cs b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/Program.cs new file mode 100644 index 00000000..8ab4deb8 --- /dev/null +++ b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/Program.cs @@ -0,0 +1,7 @@ +using StellaOps.Orchestrator.Worker; + +var builder = Host.CreateApplicationBuilder(args); +builder.Services.AddHostedService(); + +var host = builder.Build(); +host.Run(); diff --git a/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/Properties/launchSettings.json b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/Properties/launchSettings.json new file mode 100644 index 00000000..5d536388 --- /dev/null +++ b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/Properties/launchSettings.json @@ -0,0 +1,12 @@ +{ + "$schema": "https://json.schemastore.org/launchsettings.json", + "profiles": { + "StellaOps.Orchestrator.Worker": { + "commandName": "Project", + "dotnetRunMessages": true, + "environmentVariables": { + "DOTNET_ENVIRONMENT": "Development" + } + } + } +} diff --git a/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/StellaOps.Orchestrator.Worker.csproj b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/StellaOps.Orchestrator.Worker.csproj new file mode 100644 index 00000000..057adeb1 --- /dev/null +++ b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/StellaOps.Orchestrator.Worker.csproj @@ -0,0 +1,43 @@ + + + + + + + + + dotnet-StellaOps.Orchestrator.Worker-6d276def-9e32-43e0-bca8-9699cd1ae20d + + + net10.0 + enable + enable + preview + true + + + + + + + + + + + + + + + + + + + + + + + + + + + 
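Review bot: appsettings.json sets `"AllowedHosts": "*"`, which turns off Host-header filtering for the WebService even though `UseHttpsRedirection` in Program.cs already builds redirect targets from the incoming Host value. Pin the production setting to the orchestrator's real hostnames (constructed example: `"AllowedHosts": "orchestrator.stellaops.example;orchestrator"`) and leave the wildcard only in appsettings.Development.json; if a fronting proxy already validates Host, say so next to the setting so the relaxation is a documented decision. In the Worker Program.cs hunk the `AddHostedService()` call appears without its type argument in this rendering, which is presumably an extraction artefact of `<Worker>` rather than a compile error - worth a glance when the patch is applied.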
diff --git a/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/Worker.cs b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/Worker.cs
new file mode 100644
index 00000000..79a68dae
--- /dev/null
+++ b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/Worker.cs
@@ -0,0 +1,16 @@
+namespace StellaOps.Orchestrator.Worker;
+
+public class Worker(ILogger logger) : BackgroundService
+{
+ protected override async Task ExecuteAsync(CancellationToken stoppingToken)
+ {
+ while (!stoppingToken.IsCancellationRequested)
+ {
+ if (logger.IsEnabled(LogLevel.Information))
+ {
+ logger.LogInformation("Worker running at: {time}", DateTimeOffset.Now);
+ }
+ await Task.Delay(1000, stoppingToken);
+ }
+ }
+}
diff --git a/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/appsettings.Development.json b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/appsettings.Development.json
new file mode 100644
index 00000000..b2dcdb67
--- /dev/null
+++ b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/appsettings.Development.json
@@ -0,0 +1,8 @@
+{
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft.Hosting.Lifetime": "Information"
+ }
+ }
+}
diff --git a/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/appsettings.json b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/appsettings.json
new file mode 100644
index 00000000..b2dcdb67
--- /dev/null
+++ b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.Worker/appsettings.json
@@ -0,0 +1,8 @@
+{
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft.Hosting.Lifetime": "Information"
+ }
+ }
+}
diff --git a/src/StellaOps.Orchestrator/StellaOps.Orchestrator.sln b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.sln
new file mode 100644
index 00000000..37515ef4
--- /dev/null
+++ b/src/StellaOps.Orchestrator/StellaOps.Orchestrator.sln
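Review bot: `ExecuteAsync` in Worker.cs logs `DateTimeOffset.Now`, i.e. host-local time, whereas a lease-manager loop whose output will be correlated with orchestrator audit records should log in UTC: `logger.LogInformation("Worker running at: {time}", timeProvider.GetUtcNow());` with a `TimeProvider` injected alongside the logger, which also lets tests drive the loop without real delays. The 1000 ms in `Task.Delay(1000, stoppingToken)` is a template constant; bind it from options (for example a constructed `PollInterval` setting) so the poll cadence is configurable per deployment and matches the rate-limit work tracked in ORCH-SVC-33-002. The whole body is still the worker-service scaffold; the charter names this project as the execution coordinator / lease manager, so the placeholder loop should be replaced or explicitly tracked before the project is treated as done.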
@@ -0,0 +1,90 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 17 +VisualStudioVersion = 17.0.31903.59 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Orchestrator.Core", "StellaOps.Orchestrator.Core\StellaOps.Orchestrator.Core.csproj", "{463C8A77-52BB-4282-BCED-F8D62BAE0528}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Orchestrator.Infrastructure", "StellaOps.Orchestrator.Infrastructure\StellaOps.Orchestrator.Infrastructure.csproj", "{C0DE4E60-7554-406A-8119-7F5714A604E3}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Orchestrator.WebService", "StellaOps.Orchestrator.WebService\StellaOps.Orchestrator.WebService.csproj", "{A9D6DF47-5CAF-4E07-BC44-19ABE7D8CDD9}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Orchestrator.Worker", "StellaOps.Orchestrator.Worker\StellaOps.Orchestrator.Worker.csproj", "{38BC487F-11C6-4397-9654-D54AE7EE08DD}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Orchestrator.Tests", "StellaOps.Orchestrator.Tests\StellaOps.Orchestrator.Tests.csproj", "{8F0989E8-8666-4D37-8E50-E84602237A83}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Any CPU = Debug|Any CPU + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|Any CPU = Release|Any CPU + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {463C8A77-52BB-4282-BCED-F8D62BAE0528}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {463C8A77-52BB-4282-BCED-F8D62BAE0528}.Debug|Any CPU.Build.0 = Debug|Any CPU + {463C8A77-52BB-4282-BCED-F8D62BAE0528}.Debug|x64.ActiveCfg = Debug|Any CPU + {463C8A77-52BB-4282-BCED-F8D62BAE0528}.Debug|x64.Build.0 = Debug|Any CPU + {463C8A77-52BB-4282-BCED-F8D62BAE0528}.Debug|x86.ActiveCfg = Debug|Any CPU + 
{463C8A77-52BB-4282-BCED-F8D62BAE0528}.Debug|x86.Build.0 = Debug|Any CPU + {463C8A77-52BB-4282-BCED-F8D62BAE0528}.Release|Any CPU.ActiveCfg = Release|Any CPU + {463C8A77-52BB-4282-BCED-F8D62BAE0528}.Release|Any CPU.Build.0 = Release|Any CPU + {463C8A77-52BB-4282-BCED-F8D62BAE0528}.Release|x64.ActiveCfg = Release|Any CPU + {463C8A77-52BB-4282-BCED-F8D62BAE0528}.Release|x64.Build.0 = Release|Any CPU + {463C8A77-52BB-4282-BCED-F8D62BAE0528}.Release|x86.ActiveCfg = Release|Any CPU + {463C8A77-52BB-4282-BCED-F8D62BAE0528}.Release|x86.Build.0 = Release|Any CPU + {C0DE4E60-7554-406A-8119-7F5714A604E3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {C0DE4E60-7554-406A-8119-7F5714A604E3}.Debug|Any CPU.Build.0 = Debug|Any CPU + {C0DE4E60-7554-406A-8119-7F5714A604E3}.Debug|x64.ActiveCfg = Debug|Any CPU + {C0DE4E60-7554-406A-8119-7F5714A604E3}.Debug|x64.Build.0 = Debug|Any CPU + {C0DE4E60-7554-406A-8119-7F5714A604E3}.Debug|x86.ActiveCfg = Debug|Any CPU + {C0DE4E60-7554-406A-8119-7F5714A604E3}.Debug|x86.Build.0 = Debug|Any CPU + {C0DE4E60-7554-406A-8119-7F5714A604E3}.Release|Any CPU.ActiveCfg = Release|Any CPU + {C0DE4E60-7554-406A-8119-7F5714A604E3}.Release|Any CPU.Build.0 = Release|Any CPU + {C0DE4E60-7554-406A-8119-7F5714A604E3}.Release|x64.ActiveCfg = Release|Any CPU + {C0DE4E60-7554-406A-8119-7F5714A604E3}.Release|x64.Build.0 = Release|Any CPU + {C0DE4E60-7554-406A-8119-7F5714A604E3}.Release|x86.ActiveCfg = Release|Any CPU + {C0DE4E60-7554-406A-8119-7F5714A604E3}.Release|x86.Build.0 = Release|Any CPU + {A9D6DF47-5CAF-4E07-BC44-19ABE7D8CDD9}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {A9D6DF47-5CAF-4E07-BC44-19ABE7D8CDD9}.Debug|Any CPU.Build.0 = Debug|Any CPU + {A9D6DF47-5CAF-4E07-BC44-19ABE7D8CDD9}.Debug|x64.ActiveCfg = Debug|Any CPU + {A9D6DF47-5CAF-4E07-BC44-19ABE7D8CDD9}.Debug|x64.Build.0 = Debug|Any CPU + {A9D6DF47-5CAF-4E07-BC44-19ABE7D8CDD9}.Debug|x86.ActiveCfg = Debug|Any CPU + {A9D6DF47-5CAF-4E07-BC44-19ABE7D8CDD9}.Debug|x86.Build.0 = Debug|Any CPU + 
{A9D6DF47-5CAF-4E07-BC44-19ABE7D8CDD9}.Release|Any CPU.ActiveCfg = Release|Any CPU + {A9D6DF47-5CAF-4E07-BC44-19ABE7D8CDD9}.Release|Any CPU.Build.0 = Release|Any CPU + {A9D6DF47-5CAF-4E07-BC44-19ABE7D8CDD9}.Release|x64.ActiveCfg = Release|Any CPU + {A9D6DF47-5CAF-4E07-BC44-19ABE7D8CDD9}.Release|x64.Build.0 = Release|Any CPU + {A9D6DF47-5CAF-4E07-BC44-19ABE7D8CDD9}.Release|x86.ActiveCfg = Release|Any CPU + {A9D6DF47-5CAF-4E07-BC44-19ABE7D8CDD9}.Release|x86.Build.0 = Release|Any CPU + {38BC487F-11C6-4397-9654-D54AE7EE08DD}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {38BC487F-11C6-4397-9654-D54AE7EE08DD}.Debug|Any CPU.Build.0 = Debug|Any CPU + {38BC487F-11C6-4397-9654-D54AE7EE08DD}.Debug|x64.ActiveCfg = Debug|Any CPU + {38BC487F-11C6-4397-9654-D54AE7EE08DD}.Debug|x64.Build.0 = Debug|Any CPU + {38BC487F-11C6-4397-9654-D54AE7EE08DD}.Debug|x86.ActiveCfg = Debug|Any CPU + {38BC487F-11C6-4397-9654-D54AE7EE08DD}.Debug|x86.Build.0 = Debug|Any CPU + {38BC487F-11C6-4397-9654-D54AE7EE08DD}.Release|Any CPU.ActiveCfg = Release|Any CPU + {38BC487F-11C6-4397-9654-D54AE7EE08DD}.Release|Any CPU.Build.0 = Release|Any CPU + {38BC487F-11C6-4397-9654-D54AE7EE08DD}.Release|x64.ActiveCfg = Release|Any CPU + {38BC487F-11C6-4397-9654-D54AE7EE08DD}.Release|x64.Build.0 = Release|Any CPU + {38BC487F-11C6-4397-9654-D54AE7EE08DD}.Release|x86.ActiveCfg = Release|Any CPU + {38BC487F-11C6-4397-9654-D54AE7EE08DD}.Release|x86.Build.0 = Release|Any CPU + {8F0989E8-8666-4D37-8E50-E84602237A83}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {8F0989E8-8666-4D37-8E50-E84602237A83}.Debug|Any CPU.Build.0 = Debug|Any CPU + {8F0989E8-8666-4D37-8E50-E84602237A83}.Debug|x64.ActiveCfg = Debug|Any CPU + {8F0989E8-8666-4D37-8E50-E84602237A83}.Debug|x64.Build.0 = Debug|Any CPU + {8F0989E8-8666-4D37-8E50-E84602237A83}.Debug|x86.ActiveCfg = Debug|Any CPU + {8F0989E8-8666-4D37-8E50-E84602237A83}.Debug|x86.Build.0 = Debug|Any CPU + {8F0989E8-8666-4D37-8E50-E84602237A83}.Release|Any CPU.ActiveCfg = Release|Any CPU + 
{8F0989E8-8666-4D37-8E50-E84602237A83}.Release|Any CPU.Build.0 = Release|Any CPU + {8F0989E8-8666-4D37-8E50-E84602237A83}.Release|x64.ActiveCfg = Release|Any CPU + {8F0989E8-8666-4D37-8E50-E84602237A83}.Release|x64.Build.0 = Release|Any CPU + {8F0989E8-8666-4D37-8E50-E84602237A83}.Release|x86.ActiveCfg = Release|Any CPU + {8F0989E8-8666-4D37-8E50-E84602237A83}.Release|x86.Build.0 = Release|Any CPU + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection +EndGlobal diff --git a/src/StellaOps.Orchestrator/TASKS.md b/src/StellaOps.Orchestrator/TASKS.md new file mode 100644 index 00000000..1a9595fe --- /dev/null +++ b/src/StellaOps.Orchestrator/TASKS.md 
@@ -0,0 +1,75 @@ +# Orchestrator Service Task Board — Epic 9: Source & Job Orchestrator Dashboard + +## Sprint 32 – Foundations (Read-Only) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| ORCH-SVC-32-001 | TODO | Orchestrator Service Guild | DEVOPS-ORCH-32-001 | Bootstrap service project, configuration, and Postgres schema/migrations for `sources`, `runs`, `jobs`, `dag_edges`, `artifacts`, `quotas`, `schedules`. | Service builds/tests; migrations generated with repeatable scripts; baseline integration test seeds schema; compliance checklist recorded. | +| ORCH-SVC-32-002 | TODO | Orchestrator Service Guild | ORCH-SVC-32-001 | Implement scheduler DAG planner + dependency resolver, job state machine, and critical-path metadata without yet issuing control actions. | DAG builder passes unit/property tests; job states transition per spec; deterministic hashes recorded; docs updated in code comments. | +| ORCH-SVC-32-003 | TODO | Orchestrator Service Guild | ORCH-SVC-32-001 | Expose read-only REST APIs (sources, runs, jobs, DAG) with OpenAPI, validation, pagination, and tenant scoping. | Endpoints return deterministic responses; OpenAPI published; contract tests cover filters/pagination; lint passes. | +| ORCH-SVC-32-004 | TODO | Orchestrator Service Guild | ORCH-SVC-32-002, ORCH-SVC-32-003 | Implement WebSocket/SSE stream for job/run updates, emit structured metrics counters/histograms, and add health probes. | SSE stream proven with integration test; metrics registered in Prometheus exporter; health endpoints wired; docstrings reference event schema. | +| ORCH-SVC-32-005 | TODO | Orchestrator Service Guild | ORCH-SVC-32-001, WORKER-GO-32-001, WORKER-PY-32-001 | Deliver worker claim/heartbeat/progress endpoints capturing artifact metadata/checksums and enforcing idempotency keys. 
| Claim/heartbeat/progress endpoints pass integration tests with Go/Python sample workers; artifact metadata persisted; idempotency violations rejected with `ERR_ORCH_4xx`; docs note imposed rule. | + +## Sprint 33 – Controls & Recovery +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| ORCH-SVC-33-001 | TODO | Orchestrator Service Guild | ORCH-SVC-32-003, AUTH-ORCH-33-001 | Enable `sources test|pause|resume|sync-now` and `jobs retry|cancel|prioritize` actions with audit logging, RBAC enforcement, and optimistic concurrency. | Actions mutate state deterministically; audit entries include operator, reason, ticket; integration tests cover happy/error paths; CLI/Console smoke pass. | +| ORCH-SVC-33-002 | TODO | Orchestrator Service Guild | ORCH-SVC-32-002, DEVOPS-ORCH-33-001 | Implement per-source/tenant adaptive token-bucket rate limiter, concurrency caps, and backpressure signals reacting to upstream 429/503. | Rate limiter configurable via API; metrics expose tokens available; simulated 429 storm reduces issuance ≥80%; tests exercise cooldown logic. | +| ORCH-SVC-33-003 | TODO | Orchestrator Service Guild | ORCH-SVC-32-002, WORKER-GO-33-001, WORKER-PY-33-001 | Add watermark/backfill manager with event-time windows, duplicate suppression, dry-run preview endpoint, and safety validations. | Backfill preview API returns window coverage; executed backfills avoid duplicate artifacts (hash equality); tests cover skew/overlap; docs updated. | +| ORCH-SVC-33-004 | TODO | Orchestrator Service Guild | ORCH-SVC-32-004 | Deliver dead-letter store, replay endpoints, and error classification surfaces with remediation hints + notification hooks. | Dead-letter entries persisted with error class + payload refs; replay moves jobs to queues; metrics/logs emitted; documentation references remediation guide. 
| + +## Sprint 34 – Backfills, Quotas & GA +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| ORCH-SVC-34-001 | TODO | Orchestrator Service Guild | ORCH-SVC-33-001, ORCH-SVC-33-002 | Implement quota management APIs, per-tenant SLO burn-rate computation, and alert budget tracking surfaced via metrics. | Quotas CRUD endpoints live with RBAC; burn-rate metrics published; alerts hooked (DEVOPS-ORCH-34-001); unit/integration tests cover overage scenarios. | +| ORCH-SVC-34-002 | TODO | Orchestrator Service Guild | ORCH-SVC-33-004, LEDGER-34-101 | Build audit log + immutable run ledger export with signed manifest support, including provenance chain to artifacts. | Ledger export produces signed manifest; hash chain verified; integration test links to Findings Ledger; docs cross-link to run-ledger doc. | +| ORCH-SVC-34-003 | TODO | Orchestrator Service Guild | ORCH-SVC-32-004, ORCH-SVC-33-002 | Execute perf/scale validation (≥10k pending jobs, dispatch P95 <150 ms) and add autoscaling hooks with health probes. | Load test report committed; autoscale recommendations documented; health probes wired; perf regression guard added to CI. | +| ORCH-SVC-34-004 | TODO | Orchestrator Service Guild | ORCH-SVC-34-001..003, DEPLOY-ORCH-34-001 | Package orchestrator container, Helm overlays, offline bundle seeds, provenance attestations, and compliance checklist for GA. | Container built with SBOM/attestation; Helm/Compose overlays committed; offline bundle instructions validated; launch readiness checklist signed. 
| + +## Export Center Integration +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| ORCH-SVC-35-101 | TODO | Orchestrator Service Guild | EXPORT-SVC-35-001 | Register `export` job type with quotas/rate policies, expose telemetry, and ensure exporter workers heartbeat via orchestrator contracts. | Job type available; metrics emitted; integration test with exporter worker passes. | +| ORCH-SVC-36-101 | TODO | Orchestrator Service Guild | ORCH-SVC-35-101, EXPORT-SVC-36-003 | Capture distribution metadata and retention timestamps for export jobs, updating dashboards and SSE payloads. | Distribution state persisted; SSE includes distribution progress; dashboards updated. | +| ORCH-SVC-37-101 | TODO | Orchestrator Service Guild | ORCH-SVC-36-101, EXPORT-SVC-37-003 | Enable scheduled export runs, retention pruning hooks, and failure alerting tied to export job class. | Schedules trigger exports; retention API operational; alerts configured; tests cover failure alerting. | + +## Notifications Studio Integration +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| ORCH-SVC-38-101 | TODO | Orchestrator Service Guild | — | Standardize event envelope (policy/export/job lifecycle) with idempotency keys, ensure export/job failure events published to notifier bus with provenance metadata. | Event schema documented; idempotency keys enforced; notifier integration tests consume events; metrics updated. | + +## CLI Parity & Task Packs Integration +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| ORCH-SVC-41-101 | TODO | Orchestrator Service Guild | AUTH-PACKS-41-001 | Register `pack-run` job type, persist run metadata, integrate logs/artifacts collection, and expose API for Task Runner scheduling. 
| Pack job type available; logs/artifacts stored; API documented; CLI E2E test passes. | +| ORCH-SVC-42-101 | TODO | Orchestrator Service Guild | ORCH-SVC-41-101, TASKRUN-41-001 | Stream pack run logs via SSE/WS, add manifest endpoints, enforce quotas, and emit pack run events to Notifications Studio. | Log stream operational; manifests accessible; quotas enforced; events published; tests cover flows. | + +## Authority-Backed Scopes & Tenancy (Epic 14) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| ORCH-TEN-48-001 | TODO | Orchestrator Service Guild | WEB-TEN-47-001 | Include `tenant_id`/`project_id` in job specs, set DB session context before processing, enforce context on all queries, and reject jobs missing tenant metadata. | Jobs stamped with tenant/project; RLS respected; tests cover missing context rejection. | + +## Observability & Forensics (Epic 15) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| ORCH-OBS-50-001 | TODO | Orchestrator Service Guild, Observability Guild | TELEMETRY-OBS-50-001, TELEMETRY-OBS-50-002 | Wire `StellaOps.Telemetry.Core` into orchestrator host, instrument schedulers and control APIs with trace spans, structured logs, and exemplar metrics. Ensure tenant/job metadata recorded for every span/log. | Telemetry emitted on happy/error paths; integration tests assert trace propagation to worker payloads; log field contract validated. | +| ORCH-OBS-51-001 | TODO | Orchestrator Service Guild, DevOps Guild | ORCH-OBS-50-001, TELEMETRY-OBS-51-001 | Publish golden-signal metrics (dispatch latency, queue depth, failure rate), define job/tenant SLOs, and emit burn-rate alerts to collector + Notifications. Provide Grafana dashboards + alert rules. 
| Metrics visible in dashboards; burn-rate alerts trigger in staging; documentation updated with thresholds and runbooks. | +| ORCH-OBS-52-001 | TODO | Orchestrator Service Guild | ORCH-OBS-50-001, TIMELINE-OBS-52-002 | Emit `timeline_event` objects for job lifecycle (`job.scheduled`, `job.started`, `job.completed`, `job.failed`) including trace IDs, run IDs, tenant/project, and causal metadata. Add contract tests and Kafka/NATS emitter with retries. | Timeline events verified against fixtures; duplicates suppressed; failure retries logged; docs reference schema. | +| ORCH-OBS-53-001 | TODO | Orchestrator Service Guild, Evidence Locker Guild | ORCH-OBS-52-001, EVID-OBS-53-002 | Generate job capsule inputs for evidence locker (payload digests, worker image, config hash, log manifest) and invoke locker snapshot hooks on completion/failure. Ensure redaction guard enforced. | Evidence snapshots created for sample jobs; manifests deterministic; secret redaction tests pass; documentation updated. | +| ORCH-OBS-54-001 | TODO | Orchestrator Service Guild, Provenance Guild | ORCH-OBS-53-001, PROV-OBS-53-002 | Produce DSSE attestations for orchestrator-scheduled jobs (subject = job capsule) and store references in timeline + evidence locker. Provide verification endpoint `/jobs/{id}/attestation`. | Attestations generated and verified in integration tests; timeline links added; docs updated. | +| ORCH-OBS-55-001 | TODO | Orchestrator Service Guild, DevOps Guild | ORCH-OBS-51-001, TELEMETRY-OBS-55-001, DEVOPS-OBS-55-001 | Implement incident mode hooks (sampling overrides, extended retention, additional debug spans) and automatic activation on SLO burn-rate breach. Emit activation/deactivation events to timeline + Notifier. | Incident mode triggers automatically in staging; manual override API documented; events observed in timeline and notifications. 
| + +## Air-Gapped Mode (Epic 16) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| ORCH-AIRGAP-56-001 | TODO | Orchestrator Service Guild, AirGap Policy Guild | AIRGAP-POL-56-001, TASKRUN-OBS-50-001 | Enforce job descriptors to declare network intents; reject or flag any external endpoints in sealed mode before scheduling. | Validator prevents forbidden jobs; errors return remediation guidance; tests cover allow/deny cases. | +| ORCH-AIRGAP-56-002 | TODO | Orchestrator Service Guild, AirGap Controller Guild | ORCH-AIRGAP-56-001, AIRGAP-CTL-56-002 | Surface sealing status and time staleness in job scheduling decisions; block runs when staleness budgets exceeded. | Scheduler checks status API; blocked runs emit timeline + notification; tests cover stale vs fresh. | +| ORCH-AIRGAP-57-001 | TODO | Orchestrator Service Guild, Mirror Creator Guild | ORCH-AIRGAP-56-001, MIRROR-CRT-58-002 | Add job type `mirror.bundle` to orchestrate bundle creation in connected environments with audit + provenance outputs. | Job type defined; export center integration validated; timeline events emitted. | +| ORCH-AIRGAP-58-001 | TODO | Orchestrator Service Guild, Evidence Locker Guild | ORCH-OBS-53-001, EVID-OBS-55-001 | Capture import/export operations as timeline/evidence entries, ensuring chain-of-custody for mirror + portable evidence jobs. | Evidence snapshots created; timeline references bundle/job IDs; integration tests pass. | + +## SDKs & OpenAPI (Epic 17) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| ORCH-OAS-61-001 | TODO | Orchestrator Service Guild, API Contracts Guild | OAS-61-001 | Document orchestrator endpoints in per-service OAS with standardized pagination, idempotency, and error envelope examples. | Spec covers all orchestrator endpoints; lint passes; examples validated. 
| +| ORCH-OAS-61-002 | TODO | Orchestrator Service Guild | ORCH-OAS-61-001 | Implement `GET /.well-known/openapi` in service and ensure version metadata aligns with runtime build. | Discovery endpoint live; integration test verifies schema + headers. | +| ORCH-OAS-62-001 | TODO | Orchestrator Service Guild, SDK Generator Guild | ORCH-OAS-61-001, SDKGEN-63-001 | Ensure SDK paginators and operations support orchestrator job operations; add SDK smoke tests for schedule/retry APIs. | SDK integration tests cover orchestrator flows; CLI reuses SDK methods. | +| ORCH-OAS-63-001 | TODO | Orchestrator Service Guild, API Governance Guild | APIGOV-63-001 | Emit deprecation headers and documentation for legacy orchestrator endpoints; update notifications metadata. | Deprecated endpoints include headers + docs; Notifications triggered in staging. | diff --git a/src/StellaOps.PacksRegistry/AGENTS.md b/src/StellaOps.PacksRegistry/AGENTS.md new file mode 100644 index 00000000..e4b31d7d --- /dev/null +++ b/src/StellaOps.PacksRegistry/AGENTS.md 
@@ -0,0 +1,17 @@ +# Packs Registry Service — Agent Charter + +## Mission +Host signed Task Pack bundles with provenance and RBAC for Epic 12. Ensure packs are verifiable, auditable, and distributed safely, respecting the imposed rule to propagate similar safeguards elsewhere. + +## Responsibilities +- Maintain packs index, signature verification, provenance metadata, tenant visibility, and registry APIs. +- Integrate with CLI, Task Runner, Orchestrator, Authority, Export Center, and DevOps tooling. +- Guarantee deterministic digest computations, immutable history, and secure storage of pack artefacts. + +## Module Layout +- `StellaOps.PacksRegistry.Core/` — pack catalogue models, validation, lifecycle orchestration. +- `StellaOps.PacksRegistry.Infrastructure/` — storage providers, signature verification hooks, provenance stores. +- `StellaOps.PacksRegistry.WebService/` — registry APIs and RBAC enforcement. +- `StellaOps.PacksRegistry.Worker/` — background reconciliation, mirroring, and rotation jobs. +- `StellaOps.PacksRegistry.Tests/` — unit tests validating core/infrastructure logic. +- `StellaOps.PacksRegistry.sln` — module solution. diff --git a/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Core/Class1.cs b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Core/Class1.cs new file mode 100644 index 00000000..b5cb679a --- /dev/null +++ b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Core/Class1.cs @@ -0,0 +1,6 @@ +namespace StellaOps.PacksRegistry.Core; + +public class Class1 +{ + +} diff --git a/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Core/StellaOps.PacksRegistry.Core.csproj b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Core/StellaOps.PacksRegistry.Core.csproj new file mode 100644 index 00000000..fe0eef44 --- /dev/null +++ b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Core/StellaOps.PacksRegistry.Core.csproj @@ -0,0 +1,18 @@ + + + + + + + + + net10.0 + enable + enable + preview + true + + + + + 
diff --git a/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Infrastructure/Class1.cs b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Infrastructure/Class1.cs new file mode 100644 index 00000000..457bf1d0 --- /dev/null +++ b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Infrastructure/Class1.cs @@ -0,0 +1,6 @@ +namespace StellaOps.PacksRegistry.Infrastructure; + +public class Class1 +{ + +} diff --git a/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Infrastructure/StellaOps.PacksRegistry.Infrastructure.csproj b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Infrastructure/StellaOps.PacksRegistry.Infrastructure.csproj new file mode 100644 index 00000000..99c0a84e --- /dev/null +++ b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Infrastructure/StellaOps.PacksRegistry.Infrastructure.csproj @@ -0,0 +1,28 @@ + + + + + + + + + + + + + + + + + + + net10.0 + enable + enable + preview + true + + + + + diff --git a/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Tests/StellaOps.PacksRegistry.Tests.csproj b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Tests/StellaOps.PacksRegistry.Tests.csproj new file mode 100644 index 00000000..e445c56a --- /dev/null +++ b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Tests/StellaOps.PacksRegistry.Tests.csproj @@ -0,0 +1,135 @@ + + + + + + + + + + + + + Exe + + + + + false + + + + + + + + + + + + + + net10.0 + + + enable + + + enable + + + false + + + preview + + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Tests/UnitTest1.cs b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Tests/UnitTest1.cs new file mode 100644 index 00000000..6b234636 --- /dev/null +++ b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Tests/UnitTest1.cs 
@@ -0,0 +1,10 @@
+namespace StellaOps.PacksRegistry.Tests;
+
+public class UnitTest1
+{
+ [Fact]
+ public void Test1()
+ {
+
+ }
+}
diff --git a/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Tests/xunit.runner.json b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Tests/xunit.runner.json
new file mode 100644
index 00000000..86c7ea05
--- /dev/null
+++ b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Tests/xunit.runner.json
@@ -0,0 +1,3 @@
+{
+ "$schema": "https://xunit.net/schema/current/xunit.runner.schema.json"
+}
diff --git a/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/Program.cs b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/Program.cs
new file mode 100644
index 00000000..ee9d65d6
--- /dev/null
+++ b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/Program.cs
@@ -0,0 +1,41 @@
+var builder = WebApplication.CreateBuilder(args);
+
+// Add services to the container.
+// Learn more about configuring OpenAPI at https://aka.ms/aspnet/openapi
+builder.Services.AddOpenApi();
+
+var app = builder.Build();
+
+// Configure the HTTP request pipeline.
+if (app.Environment.IsDevelopment())
+{
+ app.MapOpenApi();
+}
+
+app.UseHttpsRedirection();
+
+var summaries = new[]
+{
+ "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
+};
+
+app.MapGet("/weatherforecast", () =>
+{
+ var forecast = Enumerable.Range(1, 5).Select(index =>
+ new WeatherForecast
+ (
+ DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
+ Random.Shared.Next(-20, 55),
+ summaries[Random.Shared.Next(summaries.Length)]
+ ))
+ .ToArray();
+ return forecast;
+})
+.WithName("GetWeatherForecast");
+
+app.Run();
+
+record WeatherForecast(DateOnly Date, int TemperatureC, string? Summary)
+{
+ public int TemperatureF => 32 + (int)(TemperatureC / 0.5556);
+}
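Review bot: The `/weatherforecast` endpoint and the `WeatherForecast` record in the WebService `Program.cs` are the unmodified `webapi` template, and they are mapped with no authentication or authorization at all — `builder.Services` registers only `AddOpenApi()` and the pipeline has no `UseAuthentication()`/`UseAuthorization()`, although the module AGENTS.md in this commit makes RBAC enforcement the WebService's responsibility. The sample endpoint should be removed before this host is reachable, and the real registry endpoints mapped behind `.RequireAuthorization()` once the Authority integration exists. The same untouched scaffolding is committed in `Worker.cs` (the template heartbeat loop with `DateTimeOffset.Now`), both `Class1.cs` files and the empty `UnitTest1.Test1`; a `// TODO` like the one in `StellaOps.Policy.Engine/Program.cs` would at least mark them as placeholders. If any of the sample survives, `DateTime.Now` should become `DateTime.UtcNow`.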
diff --git a/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/Properties/launchSettings.json b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/Properties/launchSettings.json new file mode 100644 index 00000000..b4d53ffa --- /dev/null +++ b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/Properties/launchSettings.json @@ -0,0 +1,23 @@ +{ + "$schema": "https://json.schemastore.org/launchsettings.json", + "profiles": { + "http": { + "commandName": "Project", + "dotnetRunMessages": true, + "launchBrowser": false, + "applicationUrl": "http://localhost:5151", + "environmentVariables": { + "ASPNETCORE_ENVIRONMENT": "Development" + } + }, + "https": { + "commandName": "Project", + "dotnetRunMessages": true, + "launchBrowser": false, + "applicationUrl": "https://localhost:7136;http://localhost:5151", + "environmentVariables": { + "ASPNETCORE_ENVIRONMENT": "Development" + } + } + } +} diff --git a/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/StellaOps.PacksRegistry.WebService.csproj b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/StellaOps.PacksRegistry.WebService.csproj new file mode 100644 index 00000000..8721a7d3 --- /dev/null +++ b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/StellaOps.PacksRegistry.WebService.csproj @@ -0,0 +1,41 @@ + + + + + + + + + net10.0 + enable + enable + preview + true + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/StellaOps.PacksRegistry.WebService.http b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/StellaOps.PacksRegistry.WebService.http new file mode 100644 index 00000000..399cd52c --- /dev/null +++ b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/StellaOps.PacksRegistry.WebService.http 
@@ -0,0 +1,6 @@
+@StellaOps.PacksRegistry.WebService_HostAddress = http://localhost:5151
+
+GET {{StellaOps.PacksRegistry.WebService_HostAddress}}/weatherforecast/
+Accept: application/json
+
+###
diff --git a/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/appsettings.Development.json b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/appsettings.Development.json
new file mode 100644
index 00000000..0c208ae9
--- /dev/null
+++ b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/appsettings.Development.json
@@ -0,0 +1,8 @@
+{
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft.AspNetCore": "Warning"
+ }
+ }
+}
diff --git a/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/appsettings.json b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/appsettings.json
new file mode 100644
index 00000000..10f68b8c
--- /dev/null
+++ b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.WebService/appsettings.json
@@ -0,0 +1,9 @@
+{
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft.AspNetCore": "Warning"
+ }
+ },
+ "AllowedHosts": "*"
+}
diff --git a/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/Program.cs b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/Program.cs
new file mode 100644
index 00000000..2e39e5ad
--- /dev/null
+++ b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/Program.cs
@@ -0,0 +1,7 @@
+using StellaOps.PacksRegistry.Worker;
+
+var builder = Host.CreateApplicationBuilder(args);
+builder.Services.AddHostedService();
+
+var host = builder.Build();
+host.Run();
diff --git a/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/Properties/launchSettings.json b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/Properties/launchSettings.json
new file mode 100644
index 00000000..950e8d35
--- /dev/null
+++ b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/Properties/launchSettings.json
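Review bot: `"AllowedHosts": "*"` in the WebService `appsettings.json` disables Host-header filtering for every environment, and the `appsettings.Development.json` in the same line sets no override, so the wildcard applies everywhere. A registry that Task Runner, Orchestrator and the CLI reach by known hostnames should pin this in the production configuration, e.g. `"AllowedHosts": "<registry-hostname>"` (placeholder), or the deployment overlays mentioned in the module TASKS.md should be the documented place that sets it. This is the template default, so it may be deliberate for now; a line in TASKS.md recording that the value must be narrowed before GA would close the gap.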
@@ -0,0 +1,12 @@ +{ + "$schema": "https://json.schemastore.org/launchsettings.json", + "profiles": { + "StellaOps.PacksRegistry.Worker": { + "commandName": "Project", + "dotnetRunMessages": true, + "environmentVariables": { + "DOTNET_ENVIRONMENT": "Development" + } + } + } +} diff --git a/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/StellaOps.PacksRegistry.Worker.csproj b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/StellaOps.PacksRegistry.Worker.csproj new file mode 100644 index 00000000..4eec11a4 --- /dev/null +++ b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/StellaOps.PacksRegistry.Worker.csproj @@ -0,0 +1,43 @@ + + + + + + + + + dotnet-StellaOps.PacksRegistry.Worker-a5c025f8-62a4-498b-928b-5ed8f27c53de + + + net10.0 + enable + enable + preview + true + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/Worker.cs b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/Worker.cs new file mode 100644 index 00000000..8f2ba413 --- /dev/null +++ b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/Worker.cs @@ -0,0 +1,16 @@ +namespace StellaOps.PacksRegistry.Worker; + +public class Worker(ILogger logger) : BackgroundService +{ + protected override async Task ExecuteAsync(CancellationToken stoppingToken) + { + while (!stoppingToken.IsCancellationRequested) + { + if (logger.IsEnabled(LogLevel.Information)) + { + logger.LogInformation("Worker running at: {time}", DateTimeOffset.Now); + } + await Task.Delay(1000, stoppingToken); + } + } +} diff --git a/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/appsettings.Development.json b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/appsettings.Development.json new file mode 100644 index 00000000..b2dcdb67 --- /dev/null +++ b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/appsettings.Development.json 
@@ -0,0 +1,8 @@
+{
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft.Hosting.Lifetime": "Information"
+ }
+ }
+}
diff --git a/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/appsettings.json b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/appsettings.json
new file mode 100644
index 00000000..b2dcdb67
--- /dev/null
+++ b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.Worker/appsettings.json
@@ -0,0 +1,8 @@
+{
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft.Hosting.Lifetime": "Information"
+ }
+ }
+}
diff --git a/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.sln b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.sln
new file mode 100644
index 00000000..aff8259a
--- /dev/null
+++ b/src/StellaOps.PacksRegistry/StellaOps.PacksRegistry.sln
@@ -0,0 +1,90 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 17 +VisualStudioVersion = 17.0.31903.59 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.PacksRegistry.Core", "StellaOps.PacksRegistry.Core\StellaOps.PacksRegistry.Core.csproj", "{98FB93E5-21F8-4D24-AD54-1DF52070CAB8}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.PacksRegistry.Infrastructure", "StellaOps.PacksRegistry.Infrastructure\StellaOps.PacksRegistry.Infrastructure.csproj", "{C5FDDBA3-5D96-4158-810D-6597A96DA574}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.PacksRegistry.WebService", "StellaOps.PacksRegistry.WebService\StellaOps.PacksRegistry.WebService.csproj", "{4CE7EBE6-67A6-4947-8702-D123343FC297}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.PacksRegistry.Worker", "StellaOps.PacksRegistry.Worker\StellaOps.PacksRegistry.Worker.csproj", "{7DE3DD7E-E1F9-4443-81E4-C7E4E80F5703}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.PacksRegistry.Tests", "StellaOps.PacksRegistry.Tests\StellaOps.PacksRegistry.Tests.csproj", "{1FA70E02-C65A-484C-87E7-0A33EEB69573}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Any CPU = Debug|Any CPU + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|Any CPU = Release|Any CPU + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {98FB93E5-21F8-4D24-AD54-1DF52070CAB8}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {98FB93E5-21F8-4D24-AD54-1DF52070CAB8}.Debug|Any CPU.Build.0 = Debug|Any CPU + {98FB93E5-21F8-4D24-AD54-1DF52070CAB8}.Debug|x64.ActiveCfg = Debug|Any CPU + {98FB93E5-21F8-4D24-AD54-1DF52070CAB8}.Debug|x64.Build.0 = Debug|Any CPU + {98FB93E5-21F8-4D24-AD54-1DF52070CAB8}.Debug|x86.ActiveCfg = Debug|Any CPU + 
{98FB93E5-21F8-4D24-AD54-1DF52070CAB8}.Debug|x86.Build.0 = Debug|Any CPU + {98FB93E5-21F8-4D24-AD54-1DF52070CAB8}.Release|Any CPU.ActiveCfg = Release|Any CPU + {98FB93E5-21F8-4D24-AD54-1DF52070CAB8}.Release|Any CPU.Build.0 = Release|Any CPU + {98FB93E5-21F8-4D24-AD54-1DF52070CAB8}.Release|x64.ActiveCfg = Release|Any CPU + {98FB93E5-21F8-4D24-AD54-1DF52070CAB8}.Release|x64.Build.0 = Release|Any CPU + {98FB93E5-21F8-4D24-AD54-1DF52070CAB8}.Release|x86.ActiveCfg = Release|Any CPU + {98FB93E5-21F8-4D24-AD54-1DF52070CAB8}.Release|x86.Build.0 = Release|Any CPU + {C5FDDBA3-5D96-4158-810D-6597A96DA574}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {C5FDDBA3-5D96-4158-810D-6597A96DA574}.Debug|Any CPU.Build.0 = Debug|Any CPU + {C5FDDBA3-5D96-4158-810D-6597A96DA574}.Debug|x64.ActiveCfg = Debug|Any CPU + {C5FDDBA3-5D96-4158-810D-6597A96DA574}.Debug|x64.Build.0 = Debug|Any CPU + {C5FDDBA3-5D96-4158-810D-6597A96DA574}.Debug|x86.ActiveCfg = Debug|Any CPU + {C5FDDBA3-5D96-4158-810D-6597A96DA574}.Debug|x86.Build.0 = Debug|Any CPU + {C5FDDBA3-5D96-4158-810D-6597A96DA574}.Release|Any CPU.ActiveCfg = Release|Any CPU + {C5FDDBA3-5D96-4158-810D-6597A96DA574}.Release|Any CPU.Build.0 = Release|Any CPU + {C5FDDBA3-5D96-4158-810D-6597A96DA574}.Release|x64.ActiveCfg = Release|Any CPU + {C5FDDBA3-5D96-4158-810D-6597A96DA574}.Release|x64.Build.0 = Release|Any CPU + {C5FDDBA3-5D96-4158-810D-6597A96DA574}.Release|x86.ActiveCfg = Release|Any CPU + {C5FDDBA3-5D96-4158-810D-6597A96DA574}.Release|x86.Build.0 = Release|Any CPU + {4CE7EBE6-67A6-4947-8702-D123343FC297}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {4CE7EBE6-67A6-4947-8702-D123343FC297}.Debug|Any CPU.Build.0 = Debug|Any CPU + {4CE7EBE6-67A6-4947-8702-D123343FC297}.Debug|x64.ActiveCfg = Debug|Any CPU + {4CE7EBE6-67A6-4947-8702-D123343FC297}.Debug|x64.Build.0 = Debug|Any CPU + {4CE7EBE6-67A6-4947-8702-D123343FC297}.Debug|x86.ActiveCfg = Debug|Any CPU + {4CE7EBE6-67A6-4947-8702-D123343FC297}.Debug|x86.Build.0 = Debug|Any CPU + 
{4CE7EBE6-67A6-4947-8702-D123343FC297}.Release|Any CPU.ActiveCfg = Release|Any CPU + {4CE7EBE6-67A6-4947-8702-D123343FC297}.Release|Any CPU.Build.0 = Release|Any CPU + {4CE7EBE6-67A6-4947-8702-D123343FC297}.Release|x64.ActiveCfg = Release|Any CPU + {4CE7EBE6-67A6-4947-8702-D123343FC297}.Release|x64.Build.0 = Release|Any CPU + {4CE7EBE6-67A6-4947-8702-D123343FC297}.Release|x86.ActiveCfg = Release|Any CPU + {4CE7EBE6-67A6-4947-8702-D123343FC297}.Release|x86.Build.0 = Release|Any CPU + {7DE3DD7E-E1F9-4443-81E4-C7E4E80F5703}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {7DE3DD7E-E1F9-4443-81E4-C7E4E80F5703}.Debug|Any CPU.Build.0 = Debug|Any CPU + {7DE3DD7E-E1F9-4443-81E4-C7E4E80F5703}.Debug|x64.ActiveCfg = Debug|Any CPU + {7DE3DD7E-E1F9-4443-81E4-C7E4E80F5703}.Debug|x64.Build.0 = Debug|Any CPU + {7DE3DD7E-E1F9-4443-81E4-C7E4E80F5703}.Debug|x86.ActiveCfg = Debug|Any CPU + {7DE3DD7E-E1F9-4443-81E4-C7E4E80F5703}.Debug|x86.Build.0 = Debug|Any CPU + {7DE3DD7E-E1F9-4443-81E4-C7E4E80F5703}.Release|Any CPU.ActiveCfg = Release|Any CPU + {7DE3DD7E-E1F9-4443-81E4-C7E4E80F5703}.Release|Any CPU.Build.0 = Release|Any CPU + {7DE3DD7E-E1F9-4443-81E4-C7E4E80F5703}.Release|x64.ActiveCfg = Release|Any CPU + {7DE3DD7E-E1F9-4443-81E4-C7E4E80F5703}.Release|x64.Build.0 = Release|Any CPU + {7DE3DD7E-E1F9-4443-81E4-C7E4E80F5703}.Release|x86.ActiveCfg = Release|Any CPU + {7DE3DD7E-E1F9-4443-81E4-C7E4E80F5703}.Release|x86.Build.0 = Release|Any CPU + {1FA70E02-C65A-484C-87E7-0A33EEB69573}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {1FA70E02-C65A-484C-87E7-0A33EEB69573}.Debug|Any CPU.Build.0 = Debug|Any CPU + {1FA70E02-C65A-484C-87E7-0A33EEB69573}.Debug|x64.ActiveCfg = Debug|Any CPU + {1FA70E02-C65A-484C-87E7-0A33EEB69573}.Debug|x64.Build.0 = Debug|Any CPU + {1FA70E02-C65A-484C-87E7-0A33EEB69573}.Debug|x86.ActiveCfg = Debug|Any CPU + {1FA70E02-C65A-484C-87E7-0A33EEB69573}.Debug|x86.Build.0 = Debug|Any CPU + {1FA70E02-C65A-484C-87E7-0A33EEB69573}.Release|Any CPU.ActiveCfg = Release|Any CPU + 
{1FA70E02-C65A-484C-87E7-0A33EEB69573}.Release|Any CPU.Build.0 = Release|Any CPU + {1FA70E02-C65A-484C-87E7-0A33EEB69573}.Release|x64.ActiveCfg = Release|Any CPU + {1FA70E02-C65A-484C-87E7-0A33EEB69573}.Release|x64.Build.0 = Release|Any CPU + {1FA70E02-C65A-484C-87E7-0A33EEB69573}.Release|x86.ActiveCfg = Release|Any CPU + {1FA70E02-C65A-484C-87E7-0A33EEB69573}.Release|x86.Build.0 = Release|Any CPU + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection +EndGlobal diff --git a/src/StellaOps.PacksRegistry/TASKS.md b/src/StellaOps.PacksRegistry/TASKS.md new file mode 100644 index 00000000..a7305a79 --- /dev/null +++ b/src/StellaOps.PacksRegistry/TASKS.md 
@@ -0,0 +1,16 @@
+# Packs Registry Task Board — Epic 12: CLI Parity & Task Packs
+
+## Sprint 41 – Foundations
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| PACKS-REG-41-001 | TODO | Packs Registry Guild | AUTH-PACKS-41-001 | Implement registry service, migrations for `packs_index`, `parity_matrix`, provenance docs; support pack upload/list/get, signature verification, RBAC enforcement, and provenance manifest storage. | Service builds/tests; signature verification works; RBAC validated; provenance stored; docs cross-linked. |
+
+## Sprint 42 – Lifecycle & Governance
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| PACKS-REG-42-001 | TODO | Packs Registry Guild | PACKS-REG-41-001 | Add version lifecycle (promote/deprecate), tenant allowlists, provenance export, signature rotation, audit logs, and Offline Kit seed support. | Version lifecycle APIs live; allowlists enforced; rotation documented; audit logs recorded; offline kit seeds generated. |
+
+## Sprint 43 – Mirroring & Compliance
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| PACKS-REG-43-001 | TODO | Packs Registry Guild | PACKS-REG-42-001 | Implement registry mirroring, pack signing policies, attestation integration, and compliance dashboards; integrate with Export Center. | Mirroring operational; signing policies enforced; attestation pipeline documented; dashboards live; export integration validated. |
diff --git a/src/StellaOps.Policy.Engine/AGENTS.md b/src/StellaOps.Policy.Engine/AGENTS.md
new file mode 100644
index 00000000..294d1399
--- /dev/null
+++ b/src/StellaOps.Policy.Engine/AGENTS.md
@@ -0,0 +1,18 @@
+# StellaOps.Policy.Engine — Agent Charter
+
+## Mission
+Stand up the Policy Engine runtime host that evaluates organization policies against SBOM/advisory/VEX inputs with deterministic, replayable results. Deliver the API/worker orchestration, materialization writers, and observability stack described in Epic 2 (Policy Engine v2).
+
+## Scope
+- Minimal API host & background workers for policy runs (full, incremental, simulate).
+- Mongo persistence for `policies`, `policy_runs`, and `effective_finding_*` collections.
+- Change stream listeners and scheduler integration for incremental re-evaluation.
+- Authority integration enforcing new `policy:*` and `effective:write` scopes.
+- Observability: metrics, traces, structured logs, trace sampling.
+
+## Expectations
+- Keep endpoints deterministic, cancellation-aware, and tenant-scoped.
+- Only Policy Engine identity performs writes to effective findings.
+- Coordinate with Concelier/Excititor/Scheduler guilds for linkset joins and orchestration inputs.
+- Update `TASKS.md`, `SPRINTS.md` when status changes.
+- Maintain compliance checklists and schema docs alongside code updates.
diff --git a/src/StellaOps.Policy.Engine/Program.cs b/src/StellaOps.Policy.Engine/Program.cs
new file mode 100644
index 00000000..a891055c
--- /dev/null
+++ b/src/StellaOps.Policy.Engine/Program.cs
@@ -0,0 +1,19 @@
+var builder = WebApplication.CreateBuilder(args);
+
+builder.Configuration
+ .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
+ .AddEnvironmentVariables("POLICY_");
+
+builder.Services.AddOptions();
+builder.Services.AddLogging();
+
+// TODO: wire Authority client + Policy engine services once implemented tasks land.
+
+var app = builder.Build();
+
+app.MapGet("/healthz", () => Results.Ok(new { status = "ok" }));
+app.MapGet("/readyz", () => Results.Ok(new { status = "warming" }));
+
+app.MapGet("/", () => Results.Redirect("/healthz"));
+
+app.Run();
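Review bot: `/readyz` answers 200 with `status = "warming"`, so an orchestrator readiness probe will mark the host ready and route traffic to it while the Authority client and policy services named in the TODO are still unwired, i.e. before any `policy:*` / `effective:write` scope enforcement exists. A readiness probe should fail until those registrations land: `app.MapGet("/readyz", () => Results.Json(new { status = "warming" }, statusCode: StatusCodes.Status503ServiceUnavailable));`, switching to 200 only once the dependencies are resolved. The probe mappings also deserve a comment so the unauthenticated surface does not grow by copy-paste before the auth wiring exists, e.g. `// Probe endpoints only: unauthenticated by design; every other route waits for the Authority client registration above.` Minor: `WebApplication.CreateBuilder` already loads `appsettings.json`, so the explicit `AddJsonFile` call re-adds the same source; harmless, but worth a comment if the intent is ordering relative to the `POLICY_` environment variables.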
diff --git a/src/StellaOps.Policy.Engine/StellaOps.Policy.Engine.csproj b/src/StellaOps.Policy.Engine/StellaOps.Policy.Engine.csproj new file mode 100644 index 00000000..73c8b7e3 --- /dev/null +++ b/src/StellaOps.Policy.Engine/StellaOps.Policy.Engine.csproj @@ -0,0 +1,16 @@ + + + net10.0 + enable + enable + preview + true + InProcess + + + + + + + + diff --git a/src/StellaOps.Policy.Engine/TASKS.md b/src/StellaOps.Policy.Engine/TASKS.md new file mode 100644 index 00000000..95c85ce0 --- /dev/null +++ b/src/StellaOps.Policy.Engine/TASKS.md 
@@ -0,0 +1,156 @@
+# Policy Engine Service Task Board — Epic 2
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| POLICY-ENGINE-20-000 | TODO | Policy Guild, BE-Base Platform Guild | POLICY-AOC-19-001 | Spin up new `StellaOps.Policy.Engine` service project (minimal API host + worker), wire DI composition root, configuration binding, and Authority client scaffolding. | New project builds/tests; registered in solution; bootstrap validates configuration; host template committed with compliance checklist. |
+| POLICY-ENGINE-20-001 | TODO | Policy Guild, Language Infrastructure Guild | POLICY-ENGINE-20-000 | Implement `stella-dsl@1` parser + IR compiler with grammar validation, syntax diagnostics, and checksum outputs for caching. | DSL parser handles full grammar + error reporting; IR checksum stored with policy version; unit tests cover success/error paths. |
+| POLICY-ENGINE-20-002 | TODO | Policy Guild | POLICY-ENGINE-20-001 | Build deterministic evaluator honoring lexical/priority order, first-match semantics, and safe value types (no wall-clock/network access). | Evaluator executes policies deterministically in unit/property tests; guard rejects forbidden intrinsics; perf baseline recorded. |
+| POLICY-ENGINE-20-003 | TODO | Policy Guild, Concelier Core Guild, Excititor Core Guild | POLICY-ENGINE-20-001, CONCELIER-POLICY-20-002, EXCITITOR-POLICY-20-002 | Implement selection joiners resolving SBOM↔advisory↔VEX tuples using linksets and PURL equivalence tables, with deterministic batching. | Joiners fetch correct candidate sets in integration tests; batching meets memory targets; explain traces list input provenance. |
+| POLICY-ENGINE-20-004 | TODO | Policy Guild, Platform Storage Guild | POLICY-ENGINE-20-003, CONCELIER-POLICY-20-003, EXCITITOR-POLICY-20-003 | Ship materialization writer that upserts into `effective_finding_{policyId}` with append-only history, tenant scoping, and trace references. | Writes restricted to Policy Engine identity; idempotent upserts proven via tests; collections indexed per design and docs updated. |
+| POLICY-ENGINE-20-005 | TODO | Policy Guild, Security Engineering | POLICY-ENGINE-20-002 | Enforce determinism guard banning wall-clock, RNG, and network usage during evaluation via static analysis + runtime sandbox. | Guard blocks forbidden APIs in unit/integration tests; violations emit `ERR_POL_004`; CI analyzer wired. |
+| POLICY-ENGINE-20-006 | TODO | Policy Guild, Scheduler Worker Guild | POLICY-ENGINE-20-003, POLICY-ENGINE-20-004, SCHED-WORKER-20-301 | Implement incremental orchestrator reacting to advisory/vex/SBOM change streams and scheduling partial policy re-evaluations. | Change stream listeners enqueue affected tuples with dedupe; orchestrator meets 5 min SLA in perf tests; metrics exposed (`policy_run_seconds`). |
+| POLICY-ENGINE-20-007 | TODO | Policy Guild, Observability Guild | POLICY-ENGINE-20-002 | Emit structured traces/logs of rule hits with sampling controls, metrics (`rules_fired_total`, `vex_overrides_total`), and expose explain trace exports. | Trace spans present in integration tests; metrics registered with counters/histograms; sampled rule hit logs validated. |
+| POLICY-ENGINE-20-008 | TODO | Policy Guild, QA Guild | POLICY-ENGINE-20-002, POLICY-ENGINE-20-003, POLICY-ENGINE-20-004, POLICY-ENGINE-20-005, POLICY-ENGINE-20-006, POLICY-ENGINE-20-007 | Add unit/property/golden/perf suites covering policy compilation, evaluation correctness, determinism, and SLA targets. | Golden fixtures pass deterministically across two seeded runs; property tests run in CI; perf regression budget documented. |
+| POLICY-ENGINE-20-009 | TODO | Policy Guild, Storage Guild | POLICY-ENGINE-20-000, POLICY-ENGINE-20-004 | Define Mongo schemas/indexes for `policies`, `policy_runs`, and `effective_finding_*`; implement migrations and tenant enforcement. | Collections + indexes created via bootstrapper; migrations documented; tests cover tenant scoping + write restrictions. |
+
+## StellaOps Console (Sprint 23)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| POLICY-CONSOLE-23-001 | TODO | Policy Guild, BE-Base Platform Guild | POLICY-ENGINE-20-003, POLICY-ENGINE-20-004, POLICY-ENGINE-20-007 | Optimize findings/explain APIs for Console: cursor-based pagination at scale, global filter parameters (severity bands, policy version, time window), rule trace summarization, and aggregation hints for dashboard cards. Ensure deterministic ordering and expose provenance refs. | APIs return deterministic cursors, aggregation hints validated against golden fixtures, latency SLO ≤ 250 ms P95 on seeded data, documentation updated. |
+| POLICY-CONSOLE-23-002 | TODO | Policy Guild, Product Ops | POLICY-ENGINE-20-006, POLICY-ENGINE-20-007, POLICY-ENGINE-20-008 | Produce simulation diff metadata (before/after counts, severity deltas, rule impact summaries) and approval state endpoints consumed by Console policy workspace; expose RBAC-aware status transitions. | Simulation diff payload documented, approval endpoints enforce scopes, integration tests cover workflow paths, metrics record diff generation latency. |
+| EXPORT-CONSOLE-23-001 | TODO | Policy Guild, Scheduler Guild, Observability Guild | POLICY-ENGINE-20-004, SCHED-WORKER-20-301, POLICY-CONSOLE-23-001 | Build evidence bundle/export generator producing signed manifests, CSV/JSON replay endpoints, and trace attachments; integrate with scheduler jobs and expose progress telemetry. | Evidence bundles reproducible with checksums, manifests signed (cosign), API streams zipped content, telemetry metrics/logs added, docs updated. |
+
+## Policy Studio (Sprint 27)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| POLICY-ENGINE-27-001 | TODO | Policy Guild | POLICY-ENGINE-20-001, REGISTRY-API-27-003 | Extend compile outputs to include rule coverage metadata, symbol table, inline documentation, and rule index for editor autocomplete; persist deterministic hashes. | Compile endpoint returns coverage + symbol table; responses validated with fixtures; hashing deterministic across runs; docs updated. |
+| POLICY-ENGINE-27-002 | TODO | Policy Guild, Observability Guild | POLICY-ENGINE-20-002, POLICY-ENGINE-27-001 | Enhance simulate endpoints to emit rule firing counts, heatmap aggregates, sampled explain traces with deterministic ordering, and delta summaries for quick/batch sims. | Simulation outputs include ordered heatmap + sample explains; integration tests verify determinism; telemetry emits `policy_rule_fired_total`. |
+| POLICY-ENGINE-27-003 | TODO | Policy Guild, Security Guild | POLICY-ENGINE-20-005 | Implement complexity/time limit enforcement with compiler scoring, configurable thresholds, and structured diagnostics (`ERR_POL_COMPLEXITY`). | Policies exceeding limits return actionable diagnostics; limits configurable per tenant; regression tests cover allow/block cases. |
+| POLICY-ENGINE-27-004 | TODO | Policy Guild, QA Guild | POLICY-ENGINE-27-001..003 | Update golden/property tests to cover new coverage metrics, symbol tables, explain traces, and complexity limits; provide fixtures for Registry/Console integration. | Test suites extended; fixtures shared under `StellaOps.Policy.Engine.Tests/Fixtures/policy-studio`; CI ensures determinism across runs. |
+
+## Epic 3: Graph Explorer v1
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| POLICY-ENGINE-30-001 | TODO | Policy Guild, Cartographer Guild | POLICY-ENGINE-20-004, CARTO-GRAPH-21-005 | Define overlay contract for graph nodes/edges (status, severity, rationale refs, path relevance), expose projection API for Cartographer, and document schema versioning. | Overlay contract published (OpenAPI + schema); integration tests validate payloads against fixtures; versioning strategy documented. |
+| POLICY-ENGINE-30-002 | TODO | Policy Guild, Cartographer Guild | POLICY-ENGINE-30-001, CARTO-GRAPH-21-006 | Implement simulation bridge returning on-the-fly overlays for Cartographer/Graph Explorer when invoking Policy Engine simulate; ensure no writes and deterministic outputs. | Simulation API returns overlays within SLA; end-to-end test from Graph Explorer consumes results; docs updated. |
+| POLICY-ENGINE-30-003 | TODO | Policy Guild, Scheduler Guild, Cartographer Guild | POLICY-ENGINE-20-006, CARTO-GRAPH-21-007 | Emit change events (`policy.effective.updated`) with graph-friendly payloads so Cartographer overlay worker refreshes nodes/edges within 2 minutes. | Event published on run completion; Cartographer listener integration test passes; metrics capture lag. |
+
+## Link-Not-Merge v1
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| POLICY-ENGINE-40-001 | TODO | Policy Guild, Concelier Guild | CONCELIER-LNM-21-002 | Update severity/status evaluation pipelines to consume multiple source severities per linkset, supporting selection strategies (max, preferred source, policy-defined). | Policy evaluation handles multiple source inputs; tests cover selection strategies; documentation updated. |
+| POLICY-ENGINE-40-002 | TODO | Policy Guild, Excititor Guild | EXCITITOR-LNM-21-002 | Accept VEX linkset conflicts and provide rationale references in effective findings; ensure explain traces cite observation IDs. | Effective findings include observation IDs + conflict reasons; explain endpoints updated; integration tests added. |
+| POLICY-ENGINE-40-003 | TODO | Policy Guild, Web Scanner Guild | POLICY-ENGINE-40-001 | Provide API/SDK utilities for consumers (Web Scanner, Graph Explorer) to request policy decisions with source evidence summaries (top severity sources, conflict counts). | Utilities published; Web Scanner integration tests confirm new payload; docs updated. |
+
+## Vulnerability Explorer (Sprint 29)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| POLICY-ENGINE-29-001 | TODO | Policy Guild | POLICY-ENGINE-27-001 | Implement batch evaluation endpoint (`POST /policy/eval/batch`) returning determinations + rationale chain for sets of `(artifact,purl,version,advisory)` tuples; support pagination and cost budgets. | Endpoint documented; latency within SLA; integration tests cover large batches; telemetry recorded. |
+| POLICY-ENGINE-29-002 | TODO | Policy Guild, Findings Ledger Guild | POLICY-ENGINE-29-001, LEDGER-29-003 | Provide streaming simulation API comparing two policy versions, returning per-finding deltas without writes; align determinism with Vuln Explorer simulation. | Simulation output deterministic; diff schema shared; tests cover suppression/severity changes. |
+| POLICY-ENGINE-29-003 | TODO | Policy Guild, SBOM Service Guild | POLICY-ENGINE-29-001, SBOM-VULN-29-001 | Surface path/scope awareness in determinations (signal optional/dev/test downgrade, runtime boost) for Vuln Explorer display. | Determinations include path annotations; policy docs updated; tests cover path-specific cases. |
+| POLICY-ENGINE-29-004 | TODO | Policy Guild, Observability Guild | POLICY-ENGINE-29-001 | Add metrics/logs for batch evaluation (latency, queue depth) and simulation diff counts; update dashboards. | Metrics exposed; dashboards updated; alert thresholds defined. |
+
+## Advisory AI (Sprint 31)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| POLICY-ENGINE-31-001 | TODO | Policy Guild | VEXLENS-30-008, AIAI-31-004 | Expose policy knobs for Advisory AI (trust presets, temperature, token limits, plan ranking weights, TTLs) via Policy Studio and config APIs. | Knobs available; Policy Studio integration documented; tests cover overrides. |
+| POLICY-ENGINE-31-002 | TODO | Policy Guild | POLICY-ENGINE-31-001 | Provide batch endpoint delivering policy context (thresholds, obligations) consumed by Advisory AI remediation planner. | Endpoint documented; integration tests confirm data; latency within SLA. |
+
+## Policy Engine + Editor v1 (Epic 5)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| POLICY-ENGINE-50-001 | TODO | Policy Guild, Platform Security | POLICY-SPL-23-002 | Implement SPL compiler: validate YAML, canonicalize, produce signed bundle, store artifact in object storage, write `policy_revisions` with AOC metadata. | Compiler CLI/API available; bundles stored with hashes/AOC; unit/integration tests green. |
+| POLICY-ENGINE-50-002 | TODO | Policy Guild, Runtime Guild | POLICY-ENGINE-50-001 | Build runtime evaluator executing compiled plans over advisory/vex linksets + SBOM asset metadata with deterministic caching (Redis) and fallback path. | Evaluator meets latency targets; cache hit/miss metrics emitted; deterministic tests pass across runs. |
+| POLICY-ENGINE-50-003 | TODO | Policy Guild, Observability Guild | POLICY-ENGINE-50-002 | Implement evaluation/compilation metrics, tracing, and structured logs (`policy_eval_seconds`, `policy_compiles_total`, explanation sampling). | Metrics available in Prometheus; traces wired; log schema documented. |
+| POLICY-ENGINE-50-004 | TODO | Policy Guild, Platform Events Guild | POLICY-ENGINE-50-002, CONCELIER-LNM-21-005, EXCITITOR-LNM-21-005, SBOM-SERVICE-21-002 | Build event pipeline: subscribe to linkset/SBOM updates, schedule re-eval jobs, emit `policy.effective.updated` events with diff metadata. | Events consumed/produced reliably; idempotent keys; integration tests with mock inputs. |
+| POLICY-ENGINE-50-005 | TODO | Policy Guild, Storage Guild | POLICY-ENGINE-50-001 | Design and implement `policy_packs`, `policy_revisions`, `policy_runs`, `policy_artifacts` collections with indexes, TTL, and tenant scoping. | Collections + indexes created via migrations; documentation of schema; tests cover CRUD. |
+| POLICY-ENGINE-50-006 | TODO | Policy Guild, QA Guild | POLICY-ENGINE-50-002 | Implement explainer persistence + retrieval APIs linking decisions to explanation tree and AOC chain. | Explain data stored/retrievable via API; UI/CLI fixtures updated; determinism verified. |
+| POLICY-ENGINE-50-007 | TODO | Policy Guild, Scheduler Worker Guild | POLICY-ENGINE-50-004, SCHED-WORKER-23-101 | Provide evaluation worker host/DI wiring and job orchestration hooks for batch re-evaluations after policy activation. | Worker host runs in CI; handles sharded workloads; telemetry integrated. |
+
+## Graph & Vuln Explorer v1
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| POLICY-ENGINE-60-001 | TODO | Policy Guild, SBOM Service Guild | POLICY-ENGINE-50-004, SBOM-GRAPH-24-002 | Maintain Redis effective decision maps per asset/snapshot for Graph overlays; implement versioning and eviction strategy. | Cache warmed with metrics; invalidation on policy/graph updates; tests ensure consistency. |
+| POLICY-ENGINE-60-002 | TODO | Policy Guild, BE-Base Platform Guild | POLICY-ENGINE-60-001, WEB-GRAPH-24-002 | Expose simulation bridge for Graph What-if APIs, supporting hypothetical SBOM diffs and draft policies without persisting results. | Simulation API returns projections; integration tests verify idempotence; performance <3s for target assets. |
+
+## Exceptions v1 (Epic 7)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| POLICY-ENGINE-70-001 | TODO | Policy Guild, Governance Guild | POLICY-EXC-25-001 | Implement exception evaluation layer: specificity resolution, effect application (suppress/defer/downgrade/require control), and integration with explain traces. | Engine applies exceptions deterministically; unit/property tests cover precedence; explainer includes exception metadata. |
+| POLICY-ENGINE-70-002 | TODO | Policy Guild, Storage Guild | POLICY-ENGINE-70-001 | Design and create Mongo collections (`exceptions`, `exception_reviews`, `exception_bindings`) with indexes and migrations; expose repository APIs. | Collections created; migrations documented; tests cover CRUD and binding lookups. |
+| POLICY-ENGINE-70-003 | TODO | Policy Guild, Runtime Guild | POLICY-ENGINE-70-001 | Build Redis exception decision cache (`exceptions_effective_map`) with warm/invalidation logic reacting to `exception.*` events. | Cache layer operational; metrics track hit/miss; fallback path tested. |
+| POLICY-ENGINE-70-004 | TODO | Policy Guild, Observability Guild | POLICY-ENGINE-70-001 | Extend metrics/tracing/logging for exception application (latency, counts, expiring events) and include AOC references in logs. | Metrics emitted (`policy_exception_applied_total` etc.); traces updated; log schema documented. |
+| POLICY-ENGINE-70-005 | TODO | Policy Guild, Scheduler Worker Guild | POLICY-ENGINE-70-002 | Provide APIs/workers hook for exception activation/expiry (auto start/end) and event emission (`exception.activated/expired`). | Auto transitions tested; events published; integration with workers verified. |
+
+## Reachability v1 (Epic 8)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| POLICY-ENGINE-80-001 | TODO | Policy Guild, Signals Guild | SIGNALS-24-004 | Integrate reachability/exploitability inputs into evaluation pipeline (state/score/confidence) with caching and explain support. | Policy evaluation consumes signals data; explainer includes reachability evidence; tests cover scoring impact. |
+| POLICY-ENGINE-80-002 | TODO | Policy Guild, Storage Guild | SIGNALS-24-004 | Create joining layer to read `reachability_facts` efficiently (indexes, projections) and populate Redis overlay caches. | Queries optimized with indexes; cache warmed; performance <8 ms p95; tests pass. |
+| POLICY-ENGINE-80-003 | TODO | Policy Guild, Policy Editor Guild | POLICY-ENGINE-80-001 | Extend SPL predicates/actions to reference reachability state/score/confidence; update compiler validation. | SPL accepts new predicates; canonicalization updated; schema docs regenerated. |
+| POLICY-ENGINE-80-004 | TODO | Policy Guild, Observability Guild | POLICY-ENGINE-80-001 | Emit metrics (`policy_reachability_applied_total`, `policy_reachability_cache_hit_ratio`) and traces for signals usage. | Metrics/traces available; dashboards updated; alert thresholds defined. |
+
+## Orchestrator Dashboard (Epic 9)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| POLICY-ENGINE-32-101 | TODO | Policy Guild | ORCH-SVC-32-001, ORCH-SVC-32-003 | Define orchestrator `policy_eval` job schema, idempotency keys, and enqueue hooks triggered by advisory/VEX/SBOM events. | Job schema documented; enqueue hooks tested; OpenAPI references updated; determinism tests cover idempotent keys. |
+| POLICY-ENGINE-33-101 | TODO | Policy Guild | POLICY-ENGINE-32-101, ORCH-SVC-33-001, WORKER-GO-33-001, WORKER-PY-33-001 | Implement orchestrator-driven policy evaluation workers using SDK heartbeats, respecting throttles, and emitting SLO metrics. | Worker claims jobs in integration tests; metrics exported; pause/resume/backfill scenarios covered; docs updated. |
+| POLICY-ENGINE-34-101 | TODO | Policy Guild | POLICY-ENGINE-33-101, ORCH-SVC-34-001, LEDGER-34-101 | Publish policy run ledger exports + SLO burn-rate metrics to orchestrator; ensure provenance chain links to Findings Ledger. | Ledger export endpoint live; burn metrics recorded; tests ensure tenant isolation; documentation references run-ledger doc. |
+
+## Export Center (Epic 10)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| POLICY-ENGINE-35-201 | TODO | Policy Guild | POLICY-ENGINE-20-004, LEDGER-EXPORT-35-001 | Expose deterministic policy snapshot API and evaluated findings stream keyed by policy version for exporter consumption. | Snapshot endpoint live; outputs deterministic; provenance metadata included; tests cover policy pinning. |
+| POLICY-ENGINE-38-201 | TODO | Policy Guild | ORCH-SVC-38-101 | Emit enriched policy violation events (decision rationale ids, risk bands) via orchestrator event bus for Notifications Studio. | Events published with rationale IDs; schema documented; integration tests with notifier ensure fields present. |
+
+## Authority-Backed Scopes & Tenancy (Epic 14)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| POLICY-TEN-48-001 | TODO | Policy Guild | AUTH-TEN-47-001 | Add `tenant_id`/`project_id` columns, enable RLS, update evaluators to require tenant context, and emit rationale IDs including tenant metadata. | RLS enabled; tests prove isolation; rationale IDs stable; docs updated. |
+
+## Observability & Forensics (Epic 15)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| POLICY-OBS-50-001 | TODO | Policy Guild, Observability Guild | TELEMETRY-OBS-50-001, TELEMETRY-OBS-50-002 | Integrate telemetry core into policy API + worker hosts, ensuring spans/logs cover compile/evaluate flows with `tenant_id`, `policy_version`, `decision_effect`, and trace IDs. | Telemetry observed in integration tests; logging contract validated; CLI trace propagation confirmed. |
+| POLICY-OBS-51-001 | TODO | Policy Guild, DevOps Guild | POLICY-OBS-50-001, TELEMETRY-OBS-51-001 | Emit golden-signal metrics (compile latency, evaluate latency, rule hits, override counts) and define SLOs (evaluation P95 <2s). Publish Grafana dashboards + burn-rate alert rules. | Metrics visible in dashboards; SLO alert tested; documentation updated. |
+| POLICY-OBS-52-001 | TODO | Policy Guild | POLICY-OBS-50-001, TIMELINE-OBS-52-002 | Emit timeline events `policy.evaluate.started`, `policy.evaluate.completed`, `policy.decision.recorded` with trace IDs, input digests, and rule summary. Provide contract tests and retry semantics. | Timeline events pass fixture tests; duplicates prevented; docs reference schema. |
+| POLICY-OBS-53-001 | TODO | Policy Guild, Evidence Locker Guild | POLICY-OBS-52-001, EVID-OBS-53-002 | Produce evaluation evidence bundles (inputs slice, rule trace, engine version, config snapshot) through evidence locker integration; ensure redaction + deterministic manifests. | Bundles generated/verified in integration tests; manifests deterministic; redaction guard tests pass. |
+| POLICY-OBS-54-001 | TODO | Policy Guild, Provenance Guild | POLICY-OBS-53-001, PROV-OBS-53-002 | Generate DSSE attestations for evaluation outputs, expose `/evaluations/{id}/attestation`, and link attestation IDs in timeline + console. Provide verification harness. | Attestations validated; endpoint live; docs updated. |
+| POLICY-OBS-55-001 | TODO | Policy Guild, DevOps Guild | POLICY-OBS-51-001, DEVOPS-OBS-55-001 | Implement incident mode sampling overrides (full rule trace capture, extended retention) with auto-activation on SLO breach and manual override API. Emit activation events to timeline + notifier. | Incident mode validated; retention resets post incident; activation logged. |
+
+## Risk Profiles (Epic 18)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| POLICY-RISK-66-003 | TODO | Policy Guild, Risk Profile Schema Guild | POLICY-RISK-66-001 | Integrate RiskProfile schema into Policy Engine configuration, ensuring validation and default profile deployment. | Policy Engine loads profiles with schema validation; unit tests cover invalid docs. |
+| POLICY-RISK-67-001 | TODO | Policy Guild, Risk Engine Guild | POLICY-RISK-66-003, RISK-ENGINE-66-001 | Trigger scoring jobs on new/updated findings via Policy Engine orchestration hooks. | Scoring jobs enqueued deterministically; tests cover delta events. |
+| POLICY-RISK-67-002 | TODO | Policy Guild | POLICY-RISK-66-003 | Implement profile lifecycle APIs (`/risk/profiles` create/publish/deprecate) and scope attachment logic. | APIs documented; authorization enforced; integration tests pass. |
+| POLICY-RISK-68-001 | TODO | Policy Guild, Policy Studio Guild | POLICY-RISK-67-002 | Provide simulation API bridging Policy Studio with risk engine; returns distributions and top movers. | Simulation endpoint live with documented schema; golden tests verified. |
+| POLICY-RISK-69-001 | TODO | Policy Guild, Notifications Guild | POLICY-RISK-67-002 | Emit events/notifications on profile publish, deprecate, and severity threshold changes. | Notifications templates live; staging event triggers announcement. |
+| POLICY-RISK-70-001 | TODO | Policy Guild, Export Guild | POLICY-RISK-67-002, RISK-BUNDLE-69-001 | Support exporting/importing profiles with signatures for air-gapped bundles. | Export/import CLI works; signatures verified; docs updated. |
+
+## Attestor Console (Epic 19)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| POLICY-ATTEST-73-001 | TODO | Policy Guild, Attestor Service Guild | ATTESTOR-73-002 | Introduce VerificationPolicy object: schema, persistence, versioning, and lifecycle. | Policy CRUD operational; validation implemented; tests cover publish/deprecate. |
+| POLICY-ATTEST-73-002 | TODO | Policy Guild | POLICY-ATTEST-73-001 | Provide Policy Studio editor with validation, dry-run simulation, and version diff. | UI supports editing/publishing policies; dry-run returns detailed feedback; docs updated. |
+| POLICY-ATTEST-74-001 | TODO | Policy Guild, Attestor Service Guild | POLICY-ATTEST-73-001 | Integrate verification policies into attestor verification pipeline with caching and waiver support. | Verification uses policies; waivers logged; regression suite passes. |
+| POLICY-ATTEST-74-002 | TODO | Policy Guild, Console Guild | POLICY-ATTEST-73-002 | Surface policy evaluations in Console verification reports with rule explanations. | Reports show rule hits/misses; tests confirm data flow. |
+## Air-Gapped Mode (Epic 16)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| POLICY-AIRGAP-56-001 | TODO | Policy Guild | AIRGAP-IMP-56-001, CONCELIER-OBS-52-001 | Support policy pack imports from Mirror Bundles, track `bundle_id` metadata, and ensure deterministic caching. | Policy packs import via API/CLI; bundle ID persisted; tests cover idempotent re-import and rollback. |
+| POLICY-AIRGAP-56-002 | TODO | Policy Guild, Policy Studio Guild | POLICY-AIRGAP-56-001, MIRROR-CRT-56-001 | Export policy sub-bundles (`stella policy bundle export`) with DSSE signatures for outbound transfer. | Export command produces signed bundle; verification succeeds; docs updated. |
+| POLICY-AIRGAP-57-001 | TODO | Policy Guild, AirGap Policy Guild | POLICY-AIRGAP-56-001, AIRGAP-POL-56-001 | Enforce sealed-mode guardrails in evaluation (no outbound fetch), surface `AIRGAP_EGRESS_BLOCKED` errors with remediation. | Evaluations fail with standard error when egress attempt occurs; unit tests cover sealed/unsealed. |
+| POLICY-AIRGAP-57-002 | TODO | Policy Guild, AirGap Time Guild | POLICY-AIRGAP-56-001, AIRGAP-TIME-58-001 | Annotate rule explanations with staleness information and fallback data (cached EPSS, vendor risk). | Explain output shows fallback source + timestamp; UI consumes new fields; tests updated. |
+| POLICY-AIRGAP-58-001 | TODO | Policy Guild, Notifications Guild | POLICY-AIRGAP-56-001, NOTIFY-OBS-51-001 | Emit notifications when policy packs near staleness thresholds or missing required bundles. | Notifications dispatched with remediation; CLI/Console show consistent warnings; integration tests cover thresholds. |
diff --git a/src/StellaOps.Policy.Registry/AGENTS.md b/src/StellaOps.Policy.Registry/AGENTS.md
new file mode 100644
index 00000000..3ba1b282
--- /dev/null
+++ b/src/StellaOps.Policy.Registry/AGENTS.md
@@ -0,0 +1,34 @@ +# Policy Registry Guild Charter + +## Mission +Stand up and operate the Policy Registry service defined in Epic 4. We own workspace storage, version immutability, simulation orchestration metadata, attestations, and RBAC enforcement for the policy lifecycle. + +## Scope +- Service source under `src/StellaOps.Policy.Registry` (REST API, workers, storage schemas). +- Mongo models, migrations, and object storage bindings for policy workspaces, versions, reviews, promotions, simulations. +- Integration with Policy Engine, Scheduler, Authority, Web Gateway, Telemetry. +- Attestation signing pipeline, evidence bundle management, and retention policies. + +## Principles +1. **Immutability first** – Published versions are append-only; derive new versions rather than mutate. +2. **Determinism** – Compilation/simulation requests must produce reproducible artifacts and checksums. +3. **Tenant isolation** – Enforce scoping at every storage layer (Mongo collections, buckets, queues). +4. **AOC alignment** – Registry stores metadata; it never mutates raw SBOM/advisory/VEX facts. +5. **Auditable** – Every transition emits structured events with actor, scope, digest, attestation IDs. + +## Collaboration +- Keep `src/StellaOps.Policy.Registry/TASKS.md`, `SPRINTS.md` synchronized. +- Coordinate API contracts with Policy Engine (`src/StellaOps.Policy.Engine`), Web Gateway (`src/StellaOps.Web`), Console (`/console`), CLI (`src/StellaOps.Cli`), and Docs. +- Publish or update OpenAPI specs under `src/StellaOps.Policy.Registry/openapi/` and hand them to client teams. + +## Tooling +- .NET 10 preview (minimal API + background workers). +- MongoDB with per-tenant collections, S3-compatible object storage for bundles. +- Background queue (Scheduler job queue or NATS) for batch simulations. +- Signing via Authority-issued OIDC tokens + cosign integration. + +## Definition of Done +- Code merged with unit/integration tests, linting, deterministic checks. 
+- Telemetry (metrics/logs/traces) wired with tenant context. +- Docs/reference updated; OpenAPI regenerated. +- Feature flags + configuration defaults documented. diff --git a/src/StellaOps.Policy.Registry/TASKS.md b/src/StellaOps.Policy.Registry/TASKS.md new file mode 100644 index 00000000..11e7bcc7 --- /dev/null +++ b/src/StellaOps.Policy.Registry/TASKS.md 
@@ -0,0 +1,13 @@ +# Policy Registry Task Board — Epic 4: Policy Studio +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| REGISTRY-API-27-001 | TODO | Policy Registry Guild | AUTH-CONSOLE-23-001, POLICY-ENGINE-20-001 | Define OpenAPI specification covering workspaces, versions, reviews, simulations, promotions, and attestations; publish typed clients for Console/CLI. | OpenAPI YAML committed, spectral lint passes, SDK regeneration documented, consumers notified. | +| REGISTRY-API-27-002 | TODO | Policy Registry Guild | REGISTRY-API-27-001 | Implement workspace storage (Mongo collections, object storage buckets) with CRUD endpoints, diff history, and retention policies. | Workspace CRUD passes integration tests; retention job documented; tenancy scopes enforced. | +| REGISTRY-API-27-003 | TODO | Policy Registry Guild | REGISTRY-API-27-002, POLICY-ENGINE-20-001 | Integrate compile endpoint: forward source bundle to Policy Engine, persist diagnostics, symbol table, rule index, and complexity metrics. | Compile API returns diagnostics + symbol table, metrics recorded, failures mapped to `ERR_POL_*`, tests cover success/error cases. | +| REGISTRY-API-27-004 | TODO | Policy Registry Guild | REGISTRY-API-27-003, POLICY-ENGINE-20-002 | Implement quick simulation API with request limits (sample size, timeouts), returning counts, heatmap, sampled explains. | Quick sim enforces limits, results cached with hash, integration tests validate deterministic output. | +| REGISTRY-API-27-005 | TODO | Policy Registry Guild, Scheduler Guild | REGISTRY-API-27-004, SCHED-WORKER-27-301 | Build batch simulation orchestration: enqueue shards, collect partials, reduce deltas, produce evidence bundles + signed manifest. | Batch sim runs end-to-end in staging fixture, manifests stored with checksums, retries/backoff documented. 
| +| REGISTRY-API-27-006 | TODO | Policy Registry Guild | REGISTRY-API-27-003 | Implement review workflow (comments, votes, required approvers, status transitions) with audit trails and webhooks. | Review endpoints enforce approver quorum, audit log captured, webhook integration tests pass. | +| REGISTRY-API-27-007 | TODO | Policy Registry Guild, Security Guild | REGISTRY-API-27-006, AUTH-POLICY-27-001 | Implement publish pipeline: sign source/compiled digests, create attestations, mark version immutable, emit events. | Published versions immutable, attestations stored & verifiable, metrics/logs emitted, tests cover signing failure. | +| REGISTRY-API-27-008 | TODO | Policy Registry Guild | REGISTRY-API-27-007, AUTH-POLICY-27-002 | Implement promotion bindings per tenant/environment with canary subsets, rollback path, and environment history. | Promotion API updates bindings atomically, canary percent enforced, rollback recorded, runbooks updated. | +| REGISTRY-API-27-009 | TODO | Policy Registry Guild, Observability Guild | REGISTRY-API-27-002..008 | Instrument metrics/logs/traces (compile time, diagnostics rate, sim queue depth, approval latency) and expose dashboards. | Metrics registered, dashboards seeded, alerts configured, documentation updated. | +| REGISTRY-API-27-010 | TODO | Policy Registry Guild, QA Guild | REGISTRY-API-27-002..008 | Build unit/integration/load test suites for compile/sim/review/publish/promote flows; provide seeded fixtures for CI. | Tests run in CI, load test report documented, determinism checks validated across runs. | diff --git a/src/StellaOps.Policy.RiskProfile/AGENTS.md b/src/StellaOps.Policy.RiskProfile/AGENTS.md new file mode 100644 index 00000000..9a1a39a8 --- /dev/null +++ b/src/StellaOps.Policy.RiskProfile/AGENTS.md 
@@ -0,0 +1,15 @@ +# Risk Profile Schema Guild Charter + +## Mission +Define and maintain the RiskProfile schema, validation rules, inheritance logic, and integration with Policy Engine and Authority scoping. + +## Scope +- JSON Schema definition, validators, and code generation for RiskProfile documents. +- Inheritance/merge engine, content hashing, and signature support. +- Policy store integration, scope selectors, and lifecycle management. +- Tooling for Policy Studio and CLI authoring. + +## Definition of Done +- Schema publishes via `.well-known/risk-profile-schema` with versioning. +- Validators catch conflicts and produce actionable errors. +- Inheritance and overrides deterministic with tests and golden fixtures. diff --git a/src/StellaOps.Policy.RiskProfile/TASKS.md b/src/StellaOps.Policy.RiskProfile/TASKS.md new file mode 100644 index 00000000..599efb60 --- /dev/null +++ b/src/StellaOps.Policy.RiskProfile/TASKS.md 
@@ -0,0 +1,20 @@ +# Risk Profile Schema Task Board — Epic 18: Risk Scoring Profiles + +## Sprint 66 – Schema Foundations +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| POLICY-RISK-66-001 | TODO | Risk Profile Schema Guild | — | Develop initial JSON Schema for RiskProfile (signals, transforms, weights, severity, overrides) with validator stubs. | Schema published; validators unit-tested with positive/negative fixtures. | +| POLICY-RISK-66-002 | TODO | Risk Profile Schema Guild | POLICY-RISK-66-001 | Implement inheritance/merge logic with conflict detection and deterministic content hashing. | Inheritance tests pass; hashes stable; documentation drafted. | + +## Sprint 67 – Policy Store Integration +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| POLICY-RISK-67-001 | TODO | Risk Profile Schema Guild, Policy Engine Guild | POLICY-RISK-66-002 | Integrate profile storage and versioning into Policy Store with lifecycle states (draft/publish/deprecate). | Profiles persisted with status transitions; API returns versioned docs. | +| POLICY-RISK-67-002 | TODO | Risk Profile Schema Guild | POLICY-RISK-67-001 | Publish `.well-known/risk-profile-schema` endpoint and CLI validation tooling. | Endpoint returns schema with version metadata; CLI `stella risk profile validate` uses schema. | + +## Sprint 68 – Scope & Overrides +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| POLICY-RISK-68-001 | TODO | Risk Profile Schema Guild, Authority Guild | POLICY-RISK-67-001 | Implement scope selectors, precedence rules, and Authority attachment APIs. | Scope resolution works in tests; conflicts produce clear errors. 
| +| POLICY-RISK-68-002 | TODO | Risk Profile Schema Guild | POLICY-RISK-66-002 | Add override/adjustment support with audit metadata and validation for conflicting rules. | Overrides validated; golden tests ensure deterministic ordering. | +*** End Task Board *** diff --git a/src/StellaOps.Policy/TASKS.md b/src/StellaOps.Policy/TASKS.md index a698957b..8ccd9dae 100644 --- a/src/StellaOps.Policy/TASKS.md +++ b/src/StellaOps.Policy/TASKS.md 
@@ -1,17 +1,38 @@ -# Policy Engine Task Board (Sprint 9) - -| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | -|----|--------|----------|------------|-------------|---------------| -| POLICY-CORE-09-001 | DONE | Policy Guild | SCANNER-WEB-09-101 | Define YAML schema/binder, diagnostics, CLI validation for policy files. | Schema doc published; binder loads sample policy; validation errors actionable. | -| POLICY-CORE-09-002 | DONE | Policy Guild | POLICY-CORE-09-001 | Implement policy snapshot store + revision digests + audit logging. | Snapshots persisted with digest; tests compare revisions; audit entries created. | -| POLICY-CORE-09-003 | DONE | Policy Guild | POLICY-CORE-09-002 | `/policy/preview` API (image digest → projected verdict delta). | Preview returns diff JSON; integration tests with mocked report; docs updated. | -| POLICY-CORE-09-004 | DONE (2025-10-19) | Policy Guild | POLICY-CORE-09-001 | Versioned scoring config (weights, trust table, reachability buckets) with schema validation, binder, and golden fixtures. | Config serialized with semantic version, binder loads defaults, fixtures assert deterministic hash. | -| POLICY-CORE-09-005 | DONE (2025-10-19) | Policy Guild | POLICY-CORE-09-004, POLICY-CORE-09-002 | Implement scoring/quiet engine: compute score from config, enforce VEX-only quiet rules, emit inputs + `quietedBy` metadata in policy verdicts. | `/reports` policy result includes score, inputs, configVersion, quiet provenance; unit/integration tests prove reproducibility. | -| POLICY-CORE-09-006 | DONE (2025-10-19) | Policy Guild | POLICY-CORE-09-005, FEEDCORE-ENGINE-07-003 | Track unknown states with deterministic confidence bands that decay over time; expose state in policy outputs and docs. | Unknown flags + confidence band persisted, decay job deterministic, preview/report APIs show state with tests covering decay math. 
| -| POLICY-RUNTIME-17-201 | TODO | Policy Guild, Scanner WebService Guild | ZASTAVA-OBS-17-005 | Define runtime reachability feed contract and alignment plan for `SCANNER-RUNTIME-17-401` once Zastava endpoints land; roll `buildIds` + reachability hints into policy metadata so CLI/Webhook consumers know how to look up symbol/debug-store artifacts. | Contract note published (fields: `buildIds`, reachability tags, TTL guidance), sample payload agreed with Scanner team, doc cross-links captured in scanner/runtime task boards. | - -## Notes -- 2025-10-18: POLICY-CORE-09-001 completed. Binder + diagnostics + CLI scaffolding landed with tests; schema embedded at `src/StellaOps.Policy/Schemas/policy-schema@1.json` and referenced by docs/11_DATA_SCHEMAS.md. -- 2025-10-18: POLICY-CORE-09-002 completed. Snapshot store + audit trail implemented with deterministic digest hashing and tests covering revision increments and dedupe. -- 2025-10-18: POLICY-CORE-09-003 delivered. Preview service evaluates policy projections vs. baseline, returns verdict diffs, and ships with unit coverage. -- 2025-10-19: POLICY-CORE-09-004/005/006 wrapped. Default scoring config + trust/quiet/unknown outputs shipped, deterministic hashes captured in fixtures, and `dotnet test src/StellaOps.Policy.Tests/StellaOps.Policy.Tests.csproj` keeps coverage green (quiet provenance + confidence decay cases). +# Policy Engine Task Board — Epic 1: Aggregation-Only Contract +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| POLICY-AOC-19-001 | TODO | Policy Guild | WEB-AOC-19-003 | Add Roslyn/CI lint preventing ingestion projects from referencing Policy merge/severity helpers; block forbidden writes at compile time. | Analyzer fails builds when ingestion projects set banned keys or reference Policy-only namespaces; CI pipeline wired. 
| +| POLICY-AOC-19-002 | TODO | Policy Guild, Platform Security | AUTH-AOC-19-001 | Enforce `effective_finding_*` write gate ensuring only Policy Engine identity can create/update materializations. | Guard rejects non-Policy identities with `ERR_AOC_006`; integration tests validate authorized writes; logs contain audit trail. | +| POLICY-AOC-19-003 | TODO | Policy Guild | CONCELIER-CORE-AOC-19-004, EXCITITOR-CORE-AOC-19-004 | Update readers/processors to consume only `content.raw`, `identifiers`, and `linkset`. Remove dependencies on legacy normalized fields and refresh fixtures. | All policy pipelines pass tests using raw inputs; fixture diff shows no derived data persisted in ingestion; docs updated. | +| POLICY-AOC-19-004 | TODO | Policy Guild, QA Guild | POLICY-AOC-19-003 | Add regression tests ensuring policy derived outputs remain deterministic when ingesting revised raw docs (supersedes) and when violations occur. | Determinism suite passes; new fixtures prove policy recomputation handles append-only raw data and surfaces guard violations. | + +> Epic 2 service implementation tasks now live under `src/StellaOps.Policy.Engine/TASKS.md`. Keep library-specific work in this file. + +## Policy Engine + Editor v1 (Epic 5) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| POLICY-SPL-23-001 | TODO | Policy Guild, Language Infrastructure Guild | POLICY-ENGINE-20-001 | Define SPL v1 YAML + JSON Schema, including advisory rules, VEX precedence, severity mapping, exceptions, and layering metadata. Publish schema resources and validation fixtures. | Schema files committed under `Schemas/`; validation tests cover representative policies; documentation draft ready. | +| POLICY-SPL-23-002 | TODO | Policy Guild | POLICY-SPL-23-001 | Implement canonicalizer that normalizes policy packs (ordering, defaults), computes content hash, and prepares bundle metadata for AOC/signing. 
| Canonicalizer produces deterministic output (tests across permutations); hash matches spec; integration wired into compiler. | +| POLICY-SPL-23-003 | TODO | Policy Guild | POLICY-SPL-23-001 | Build policy layering/override engine (global/org/project/env/exception) with field-level precedence matrices; add unit/property tests. | Layering engine honors override rules, rejects widening overrides; property tests ensure determinism. | +| POLICY-SPL-23-004 | TODO | Policy Guild, Audit Guild | POLICY-SPL-23-002 | Design explanation tree model (rule hits, inputs, decisions) and persistence structures reused by runtime, UI, and CLI. | Explanation DTOs published; serialization deterministic; tests cover nested explanations. | +| POLICY-SPL-23-005 | TODO | Policy Guild, DevEx Guild | POLICY-SPL-23-001 | Create migration tool to snapshot existing behavior into baseline SPL packs (`org.core.baseline`), including policy docs and sample bundles. | Tool emits baseline policy pack + tests verifying parity against legacy behavior; documentation updated. | + +## Exceptions v1 (Epic 7) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| POLICY-EXC-25-001 | TODO | Policy Guild, Governance Guild | POLICY-SPL-23-001 | Extend SPL schema/spec to reference exception effects and routing templates; publish updated docs and validation fixtures. | Schema updated with exception references; validation tests cover effect types; docs draft ready. | + +## Reachability v1 (Epic 8) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| POLICY-SPL-24-001 | TODO | Policy Guild, Signals Guild | SIGNALS-24-004 | Extend SPL schema to expose reachability/exploitability predicates and weighting functions; update documentation and fixtures. | Schema updated; validation fixtures for reachability rules; docs ready for review. 
| + +## Risk Profiles (Epic 18) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| POLICY-RISK-66-004 | TODO | Policy Guild, Risk Profile Schema Guild | POLICY-RISK-66-001 | Extend Policy libraries to load/save RiskProfile documents, compute content hashes, and surface validation diagnostics. | Libraries serialize/deserialize profiles; hash deterministic; tests cover invalid input. | +| POLICY-RISK-67-003 | TODO | Policy Guild, Risk Engine Guild | POLICY-RISK-66-004, RISK-ENGINE-69-001 | Provide policy-layer APIs to trigger risk simulations and return distributions/contribution breakdowns. | API returns simulation payload; golden tests match expected output. | +| POLICY-RISK-68-002 | TODO | Policy Guild, Export Guild | POLICY-RISK-66-004 | Enable exporting/importing RiskProfiles with signatures via policy tooling (CLI + API). | Export/import round-trip tested; signatures verified; docs updated. | diff --git a/src/StellaOps.Provenance.Attestation/AGENTS.md b/src/StellaOps.Provenance.Attestation/AGENTS.md new file mode 100644 index 00000000..b09e6c6a --- /dev/null +++ b/src/StellaOps.Provenance.Attestation/AGENTS.md 
@@ -0,0 +1,20 @@ +# StellaOps Provenance & Attestation Guild Charter + +## Mission +Provide shared libraries and tooling for generating, signing, and verifying provenance attestations (DSSE/SLSA) used by evidence bundles, exports, and timeline verification flows. + +## Scope +- DSSE statement builders with Merkle and digest utilities. +- Signer/validator abstractions for KMS, cosign, offline keys. +- Provenance schema definitions reused across services and CLI. +- Verification harnesses for evidence locker and export center integrations. + +## Collaboration +- Partner with Evidence Locker, Exporter, Orchestrator, and CLI guilds for integration. +- Coordinate with Security Guild on key management policies and rotation logs. +- Ensure docs in `/docs/forensics/provenance-attestation.md` stay aligned with implementation. + +## Definition of Done +- Libraries ship with deterministic serialization tests. +- Threat model reviewed before each release. +- Sample statements and verification scripts committed under `samples/provenance/`. diff --git a/src/StellaOps.Provenance.Attestation/TASKS.md b/src/StellaOps.Provenance.Attestation/TASKS.md new file mode 100644 index 00000000..da922fbe --- /dev/null +++ b/src/StellaOps.Provenance.Attestation/TASKS.md 
@@ -0,0 +1,13 @@ +# Provenance & Attestation Task Board — Epic 15: Observability & Forensics + +## Sprint 53 – Evidence Bundle Foundations +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| PROV-OBS-53-001 | TODO | Provenance Guild | TELEMETRY-OBS-50-001 | Implement DSSE/SLSA `BuildDefinition` + `BuildMetadata` models with canonical JSON serializer, Merkle digest helpers, and deterministic hashing tests. Publish sample statements for orchestrator/job/export subjects. | Models serialized deterministically; test vectors stored under `samples/provenance/`; compliance checklist recorded. | +| PROV-OBS-53-002 | TODO | Provenance Guild, Security Guild | PROV-OBS-53-001 | Build signer abstraction (cosign/KMS/offline) with key rotation hooks, audit logging, and policy enforcement (required claims). Provide unit tests using fake signer + real cosign fixture. | Signer abstraction delivers DSSE envelopes; rotation docs updated; tests cover key expiry + claim enforcement. | + +## Sprint 54 – Verification Tooling +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| PROV-OBS-54-001 | TODO | Provenance Guild, Evidence Locker Guild | PROV-OBS-53-002, EVID-OBS-53-001 | Deliver verification library that validates DSSE signatures, Merkle roots, and timeline chain-of-custody, exposing reusable CLI/service APIs. Include negative-case fixtures and offline timestamp verification. | Verification API integrated into evidence locker; tests cover success/failure; timestamp (RFC3161) optional hook documented. | +| PROV-OBS-54-002 | TODO | Provenance Guild, DevEx/CLI Guild | PROV-OBS-54-001, CLI-FORENSICS-54-001 | Generate .NET global tool for local verification + embed command helpers for CLI `stella forensic verify`. Provide deterministic packaging and offline kit instructions. 
| Tool published to `local-nuget`; CLI integration tests pass; offline instructions documented. |
diff --git a/src/StellaOps.RiskEngine/AGENTS.md b/src/StellaOps.RiskEngine/AGENTS.md
new file mode 100644
index 00000000..ff92f4be
--- /dev/null
+++ b/src/StellaOps.RiskEngine/AGENTS.md
@@ -0,0 +1,23 @@
+# Risk Engine Guild Charter
+
+## Mission
+Design, build, and operate the scoring runtime that computes Risk Scoring Profiles across StellaOps deployments while preserving provenance and explainability.
+
+## Scope
+- Scoring workers, job scheduler, provider registry, caching, and explainability artifacts.
+- Integration with Findings Ledger, Conseiller, Excitator, and Policy Engine.
+- Performance, determinism, and observability of scoring jobs.
+- Air-gapped support through offline factor bundles.
+
+## Definition of Done
+- Scoring jobs execute deterministically with audit trails and explainability payloads.
+- Providers registered with TTLs and health checks; missing data surfaced explicitly.
+- Benchmarks and SLO dashboards in place with incident response runbooks.
+
+## Module Layout
+- `StellaOps.RiskEngine.Core/` — scoring orchestrators, provider contracts, explainability models.
+- `StellaOps.RiskEngine.Infrastructure/` — persistence, caching, provider loading, external data connectors.
+- `StellaOps.RiskEngine.WebService/` — APIs for jobs, results, explanations.
+- `StellaOps.RiskEngine.Worker/` — execution loops, provider refreshers, scoring pipelines.
+- `StellaOps.RiskEngine.Tests/` — unit tests for core/infrastructure services.
+- `StellaOps.RiskEngine.sln` — solution unifying module projects.
diff --git a/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Class1.cs b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Class1.cs
new file mode 100644
index 00000000..49a054c7
--- /dev/null
+++ b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/Class1.cs
@@ -0,0 +1,6 @@
+namespace StellaOps.RiskEngine.Core;
+
+public class Class1
+{
+
+}
diff --git a/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/StellaOps.RiskEngine.Core.csproj b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/StellaOps.RiskEngine.Core.csproj new file mode 100644 index 00000000..fe0eef44 --- /dev/null +++ b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Core/StellaOps.RiskEngine.Core.csproj @@ -0,0 +1,18 @@ + + + + + + + + + net10.0 + enable + enable + preview + true + + + + + diff --git a/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Infrastructure/Class1.cs b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Infrastructure/Class1.cs new file mode 100644 index 00000000..8a826da1 --- /dev/null +++ b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Infrastructure/Class1.cs @@ -0,0 +1,6 @@ +namespace StellaOps.RiskEngine.Infrastructure; + +public class Class1 +{ + +} diff --git a/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Infrastructure/StellaOps.RiskEngine.Infrastructure.csproj b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Infrastructure/StellaOps.RiskEngine.Infrastructure.csproj new file mode 100644 index 00000000..3a68070b --- /dev/null +++ b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Infrastructure/StellaOps.RiskEngine.Infrastructure.csproj @@ -0,0 +1,28 @@ + + + + + + + + + + + + + + + + + + + net10.0 + enable + enable + preview + true + + + + + diff --git a/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests/StellaOps.RiskEngine.Tests.csproj b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests/StellaOps.RiskEngine.Tests.csproj new file mode 100644 index 00000000..3a425b95 --- /dev/null +++ b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests/StellaOps.RiskEngine.Tests.csproj @@ -0,0 +1,135 @@ + + + + + + + + + + + + + Exe + + + + + false + + + + + + + + + + + + + + net10.0 + + + enable + + + enable + + + false + + + preview + + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests/UnitTest1.cs b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests/UnitTest1.cs
new file mode 100644
index 00000000..f75d6c9b
--- /dev/null
+++ b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests/UnitTest1.cs
@@ -0,0 +1,10 @@
+namespace StellaOps.RiskEngine.Tests;
+
+public class UnitTest1
+{
+ [Fact]
+ public void Test1()
+ {
+
+ }
+}
diff --git a/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests/xunit.runner.json b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests/xunit.runner.json
new file mode 100644
index 00000000..86c7ea05
--- /dev/null
+++ b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Tests/xunit.runner.json
@@ -0,0 +1,3 @@
+{
+ "$schema": "https://xunit.net/schema/current/xunit.runner.schema.json"
+}
diff --git a/src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/Program.cs b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/Program.cs
new file mode 100644
index 00000000..ee9d65d6
--- /dev/null
+++ b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/Program.cs
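Review bot: `Test1` in UnitTest1.cs has an empty body, so the `[Fact]` passes unconditionally and gives the new Tests project a green run that asserts nothing. Either drop the scaffold file or mark it explicitly so the passing-test count is not inflated, e.g. `[Fact(Skip = "scaffold placeholder until RiskEngine.Core has behaviour to test")]`. The AGENTS.md charter in this same commit lists deterministic scoring tests as part of the definition of done, so a placeholder that always passes is easy to mistake for coverage.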
@@ -0,0 +1,41 @@
+var builder = WebApplication.CreateBuilder(args);
+
+// Add services to the container.
+// Learn more about configuring OpenAPI at https://aka.ms/aspnet/openapi
+builder.Services.AddOpenApi();
+
+var app = builder.Build();
+
+// Configure the HTTP request pipeline.
+if (app.Environment.IsDevelopment())
+{
+ app.MapOpenApi();
+}
+
+app.UseHttpsRedirection();
+
+var summaries = new[]
+{
+ "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
+};
+
+app.MapGet("/weatherforecast", () =>
+{
+ var forecast = Enumerable.Range(1, 5).Select(index =>
+ new WeatherForecast
+ (
+ DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
+ Random.Shared.Next(-20, 55),
+ summaries[Random.Shared.Next(summaries.Length)]
+ ))
+ .ToArray();
+ return forecast;
+})
+.WithName("GetWeatherForecast");
+
+app.Run();
+
+record WeatherForecast(DateOnly Date, int TemperatureC, string? Summary)
+{
+ public int TemperatureF => 32 + (int)(TemperatureC / 0.5556);
+}
diff --git a/src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/Properties/launchSettings.json b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/Properties/launchSettings.json
new file mode 100644
index 00000000..374038e2
--- /dev/null
+++ b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/Properties/launchSettings.json
@@ -0,0 +1,23 @@
+{
+ "$schema": "https://json.schemastore.org/launchsettings.json",
+ "profiles": {
+ "http": {
+ "commandName": "Project",
+ "dotnetRunMessages": true,
+ "launchBrowser": false,
+ "applicationUrl": "http://localhost:5115",
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ },
+ "https": {
+ "commandName": "Project",
+ "dotnetRunMessages": true,
+ "launchBrowser": false,
+ "applicationUrl": "https://localhost:7103;http://localhost:5115",
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ }
+ }
+}
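Review bot: The request pipeline in WebService/Program.cs registers no authentication or authorization middleware, and the scaffolded `/weatherforecast` endpoint is reachable anonymously, which does not match the charter in AGENTS.md that describes this service as the scoring runtime that must preserve provenance and audit trails. Before any job/result/explanation API lands here, remove the sample route and the `WeatherForecast` record, or at minimum wire `builder.Services.AddAuthentication(); builder.Services.AddAuthorization();` plus `app.UseAuthentication(); app.UseAuthorization();` and chain `.RequireAuthorization()` onto the route so the first real endpoint is not added to an open pipeline by copy-paste. If the sample stays temporarily, `DateTime.Now` should be `DateTime.UtcNow` to match the determinism goals stated for the module.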
diff --git a/src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/StellaOps.RiskEngine.WebService.csproj b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/StellaOps.RiskEngine.WebService.csproj new file mode 100644 index 00000000..fb13a6b6 --- /dev/null +++ b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/StellaOps.RiskEngine.WebService.csproj @@ -0,0 +1,41 @@ + + + + + + + + + net10.0 + enable + enable + preview + true + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/StellaOps.RiskEngine.WebService.http b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/StellaOps.RiskEngine.WebService.http new file mode 100644 index 00000000..3d7121dc --- /dev/null +++ b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/StellaOps.RiskEngine.WebService.http @@ -0,0 +1,6 @@ +@StellaOps.RiskEngine.WebService_HostAddress = http://localhost:5115 + +GET {{StellaOps.RiskEngine.WebService_HostAddress}}/weatherforecast/ +Accept: application/json + +### diff --git a/src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/appsettings.Development.json b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/appsettings.Development.json new file mode 100644 index 00000000..0c208ae9 --- /dev/null +++ b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/appsettings.Development.json @@ -0,0 +1,8 @@ +{ + "Logging": { + "LogLevel": { + "Default": "Information", + "Microsoft.AspNetCore": "Warning" + } + } +} diff --git a/src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/appsettings.json b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/appsettings.json new file mode 100644 index 00000000..10f68b8c --- /dev/null +++ b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.WebService/appsettings.json @@ -0,0 +1,9 @@ +{ + "Logging": { + "LogLevel": { + "Default": "Information", + "Microsoft.AspNetCore": "Warning" + } + }, + "AllowedHosts": "*" +} 
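Review bot: `"AllowedHosts": "*"` in the WebService appsettings.json disables host-header filtering for every environment, because the accompanying appsettings.Development.json only overrides `Logging` and does not narrow it. That is the template default, but it should be replaced with the hostnames the service is actually served under before the deployment configuration is finalized (a constructed example: `"AllowedHosts": "riskengine.internal;localhost"`), or documented as intentionally wide if a reverse proxy is expected to enforce it.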
diff --git a/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/Program.cs b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/Program.cs new file mode 100644 index 00000000..18b42424 --- /dev/null +++ b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/Program.cs @@ -0,0 +1,7 @@ +using StellaOps.RiskEngine.Worker; + +var builder = Host.CreateApplicationBuilder(args); +builder.Services.AddHostedService(); + +var host = builder.Build(); +host.Run(); diff --git a/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/Properties/launchSettings.json b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/Properties/launchSettings.json new file mode 100644 index 00000000..c50acadb --- /dev/null +++ b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/Properties/launchSettings.json @@ -0,0 +1,12 @@ +{ + "$schema": "https://json.schemastore.org/launchsettings.json", + "profiles": { + "StellaOps.RiskEngine.Worker": { + "commandName": "Project", + "dotnetRunMessages": true, + "environmentVariables": { + "DOTNET_ENVIRONMENT": "Development" + } + } + } +} diff --git a/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/StellaOps.RiskEngine.Worker.csproj b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/StellaOps.RiskEngine.Worker.csproj new file mode 100644 index 00000000..7da8df6e --- /dev/null +++ b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/StellaOps.RiskEngine.Worker.csproj @@ -0,0 +1,43 @@ + + + + + + + + + dotnet-StellaOps.RiskEngine.Worker-b973483d-c33b-47fb-a20f-e2669c244427 + + + net10.0 + enable + enable + preview + true + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/Worker.cs b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/Worker.cs new file mode 100644 index 00000000..f38be7de --- /dev/null +++ b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/Worker.cs 
@@ -0,0 +1,16 @@
+namespace StellaOps.RiskEngine.Worker;
+
+public class Worker(ILogger logger) : BackgroundService
+{
+ protected override async Task ExecuteAsync(CancellationToken stoppingToken)
+ {
+ while (!stoppingToken.IsCancellationRequested)
+ {
+ if (logger.IsEnabled(LogLevel.Information))
+ {
+ logger.LogInformation("Worker running at: {time}", DateTimeOffset.Now);
+ }
+ await Task.Delay(1000, stoppingToken);
+ }
+ }
+}
diff --git a/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/appsettings.Development.json b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/appsettings.Development.json
new file mode 100644
index 00000000..b2dcdb67
--- /dev/null
+++ b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/appsettings.Development.json
@@ -0,0 +1,8 @@
+{
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft.Hosting.Lifetime": "Information"
+ }
+ }
+}
diff --git a/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/appsettings.json b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/appsettings.json
new file mode 100644
index 00000000..b2dcdb67
--- /dev/null
+++ b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.Worker/appsettings.json
@@ -0,0 +1,8 @@
+{
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft.Hosting.Lifetime": "Information"
+ }
+ }
+}
diff --git a/src/StellaOps.RiskEngine/StellaOps.RiskEngine.sln b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.sln
new file mode 100644
index 00000000..d0d418d9
--- /dev/null
+++ b/src/StellaOps.RiskEngine/StellaOps.RiskEngine.sln
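Review bot: The log line in `ExecuteAsync` stamps `DateTimeOffset.Now`, a local-zone time, into output that will be aggregated across hosts; prefer `logger.LogInformation("Worker running at: {time}", DateTimeOffset.UtcNow);` so timestamps correlate with other services. The bare `1000` in `Task.Delay(1000, stoppingToken)` is a magic number for what is presumably a polling interval — `await Task.Delay(TimeSpan.FromSeconds(1), stoppingToken);` or a bound option reads better and is tunable without a rebuild. As rendered, the primary constructor takes a non-generic `ILogger logger`; if `ILogger<Worker>` was lost in extraction, ignore this, otherwise the default logging registration only resolves `ILogger<T>`, and construction of the hosted service will fail at startup.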
@@ -0,0 +1,90 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 17 +VisualStudioVersion = 17.0.31903.59 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.RiskEngine.Core", "StellaOps.RiskEngine.Core\StellaOps.RiskEngine.Core.csproj", "{C570DE3F-3510-40EA-ADEF-40852E3B29DC}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.RiskEngine.Infrastructure", "StellaOps.RiskEngine.Infrastructure\StellaOps.RiskEngine.Infrastructure.csproj", "{7686E310-A4CF-40AD-B6D3-F875AC7AF19F}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.RiskEngine.WebService", "StellaOps.RiskEngine.WebService\StellaOps.RiskEngine.WebService.csproj", "{602F3394-15B6-4349-90CE-8E07F5BE58EB}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.RiskEngine.Worker", "StellaOps.RiskEngine.Worker\StellaOps.RiskEngine.Worker.csproj", "{B05B5581-B31D-4C49-931C-707A9206E12C}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.RiskEngine.Tests", "StellaOps.RiskEngine.Tests\StellaOps.RiskEngine.Tests.csproj", "{FE873E24-9A06-414D-BD25-7A7658D11F22}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Any CPU = Debug|Any CPU + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|Any CPU = Release|Any CPU + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {C570DE3F-3510-40EA-ADEF-40852E3B29DC}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {C570DE3F-3510-40EA-ADEF-40852E3B29DC}.Debug|Any CPU.Build.0 = Debug|Any CPU + {C570DE3F-3510-40EA-ADEF-40852E3B29DC}.Debug|x64.ActiveCfg = Debug|Any CPU + {C570DE3F-3510-40EA-ADEF-40852E3B29DC}.Debug|x64.Build.0 = Debug|Any CPU + {C570DE3F-3510-40EA-ADEF-40852E3B29DC}.Debug|x86.ActiveCfg = Debug|Any CPU + 
{C570DE3F-3510-40EA-ADEF-40852E3B29DC}.Debug|x86.Build.0 = Debug|Any CPU + {C570DE3F-3510-40EA-ADEF-40852E3B29DC}.Release|Any CPU.ActiveCfg = Release|Any CPU + {C570DE3F-3510-40EA-ADEF-40852E3B29DC}.Release|Any CPU.Build.0 = Release|Any CPU + {C570DE3F-3510-40EA-ADEF-40852E3B29DC}.Release|x64.ActiveCfg = Release|Any CPU + {C570DE3F-3510-40EA-ADEF-40852E3B29DC}.Release|x64.Build.0 = Release|Any CPU + {C570DE3F-3510-40EA-ADEF-40852E3B29DC}.Release|x86.ActiveCfg = Release|Any CPU + {C570DE3F-3510-40EA-ADEF-40852E3B29DC}.Release|x86.Build.0 = Release|Any CPU + {7686E310-A4CF-40AD-B6D3-F875AC7AF19F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {7686E310-A4CF-40AD-B6D3-F875AC7AF19F}.Debug|Any CPU.Build.0 = Debug|Any CPU + {7686E310-A4CF-40AD-B6D3-F875AC7AF19F}.Debug|x64.ActiveCfg = Debug|Any CPU + {7686E310-A4CF-40AD-B6D3-F875AC7AF19F}.Debug|x64.Build.0 = Debug|Any CPU + {7686E310-A4CF-40AD-B6D3-F875AC7AF19F}.Debug|x86.ActiveCfg = Debug|Any CPU + {7686E310-A4CF-40AD-B6D3-F875AC7AF19F}.Debug|x86.Build.0 = Debug|Any CPU + {7686E310-A4CF-40AD-B6D3-F875AC7AF19F}.Release|Any CPU.ActiveCfg = Release|Any CPU + {7686E310-A4CF-40AD-B6D3-F875AC7AF19F}.Release|Any CPU.Build.0 = Release|Any CPU + {7686E310-A4CF-40AD-B6D3-F875AC7AF19F}.Release|x64.ActiveCfg = Release|Any CPU + {7686E310-A4CF-40AD-B6D3-F875AC7AF19F}.Release|x64.Build.0 = Release|Any CPU + {7686E310-A4CF-40AD-B6D3-F875AC7AF19F}.Release|x86.ActiveCfg = Release|Any CPU + {7686E310-A4CF-40AD-B6D3-F875AC7AF19F}.Release|x86.Build.0 = Release|Any CPU + {602F3394-15B6-4349-90CE-8E07F5BE58EB}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {602F3394-15B6-4349-90CE-8E07F5BE58EB}.Debug|Any CPU.Build.0 = Debug|Any CPU + {602F3394-15B6-4349-90CE-8E07F5BE58EB}.Debug|x64.ActiveCfg = Debug|Any CPU + {602F3394-15B6-4349-90CE-8E07F5BE58EB}.Debug|x64.Build.0 = Debug|Any CPU + {602F3394-15B6-4349-90CE-8E07F5BE58EB}.Debug|x86.ActiveCfg = Debug|Any CPU + {602F3394-15B6-4349-90CE-8E07F5BE58EB}.Debug|x86.Build.0 = Debug|Any CPU + 
{602F3394-15B6-4349-90CE-8E07F5BE58EB}.Release|Any CPU.ActiveCfg = Release|Any CPU + {602F3394-15B6-4349-90CE-8E07F5BE58EB}.Release|Any CPU.Build.0 = Release|Any CPU + {602F3394-15B6-4349-90CE-8E07F5BE58EB}.Release|x64.ActiveCfg = Release|Any CPU + {602F3394-15B6-4349-90CE-8E07F5BE58EB}.Release|x64.Build.0 = Release|Any CPU + {602F3394-15B6-4349-90CE-8E07F5BE58EB}.Release|x86.ActiveCfg = Release|Any CPU + {602F3394-15B6-4349-90CE-8E07F5BE58EB}.Release|x86.Build.0 = Release|Any CPU + {B05B5581-B31D-4C49-931C-707A9206E12C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {B05B5581-B31D-4C49-931C-707A9206E12C}.Debug|Any CPU.Build.0 = Debug|Any CPU + {B05B5581-B31D-4C49-931C-707A9206E12C}.Debug|x64.ActiveCfg = Debug|Any CPU + {B05B5581-B31D-4C49-931C-707A9206E12C}.Debug|x64.Build.0 = Debug|Any CPU + {B05B5581-B31D-4C49-931C-707A9206E12C}.Debug|x86.ActiveCfg = Debug|Any CPU + {B05B5581-B31D-4C49-931C-707A9206E12C}.Debug|x86.Build.0 = Debug|Any CPU + {B05B5581-B31D-4C49-931C-707A9206E12C}.Release|Any CPU.ActiveCfg = Release|Any CPU + {B05B5581-B31D-4C49-931C-707A9206E12C}.Release|Any CPU.Build.0 = Release|Any CPU + {B05B5581-B31D-4C49-931C-707A9206E12C}.Release|x64.ActiveCfg = Release|Any CPU + {B05B5581-B31D-4C49-931C-707A9206E12C}.Release|x64.Build.0 = Release|Any CPU + {B05B5581-B31D-4C49-931C-707A9206E12C}.Release|x86.ActiveCfg = Release|Any CPU + {B05B5581-B31D-4C49-931C-707A9206E12C}.Release|x86.Build.0 = Release|Any CPU + {FE873E24-9A06-414D-BD25-7A7658D11F22}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {FE873E24-9A06-414D-BD25-7A7658D11F22}.Debug|Any CPU.Build.0 = Debug|Any CPU + {FE873E24-9A06-414D-BD25-7A7658D11F22}.Debug|x64.ActiveCfg = Debug|Any CPU + {FE873E24-9A06-414D-BD25-7A7658D11F22}.Debug|x64.Build.0 = Debug|Any CPU + {FE873E24-9A06-414D-BD25-7A7658D11F22}.Debug|x86.ActiveCfg = Debug|Any CPU + {FE873E24-9A06-414D-BD25-7A7658D11F22}.Debug|x86.Build.0 = Debug|Any CPU + {FE873E24-9A06-414D-BD25-7A7658D11F22}.Release|Any CPU.ActiveCfg = Release|Any CPU + 
{FE873E24-9A06-414D-BD25-7A7658D11F22}.Release|Any CPU.Build.0 = Release|Any CPU + {FE873E24-9A06-414D-BD25-7A7658D11F22}.Release|x64.ActiveCfg = Release|Any CPU + {FE873E24-9A06-414D-BD25-7A7658D11F22}.Release|x64.Build.0 = Release|Any CPU + {FE873E24-9A06-414D-BD25-7A7658D11F22}.Release|x86.ActiveCfg = Release|Any CPU + {FE873E24-9A06-414D-BD25-7A7658D11F22}.Release|x86.Build.0 = Release|Any CPU + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection +EndGlobal diff --git a/src/StellaOps.RiskEngine/TASKS.md b/src/StellaOps.RiskEngine/TASKS.md new file mode 100644 index 00000000..cfae00cc --- /dev/null +++ b/src/StellaOps.RiskEngine/TASKS.md 
@@ -0,0 +1,32 @@ +# Risk Engine Task Board — Epic 18: Risk Scoring Profiles + +## Sprint 66 – Foundations +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| RISK-ENGINE-66-001 | TODO | Risk Engine Guild | POLICY-RISK-66-001 | Scaffold scoring service (job queue, worker loop, provider registry) with deterministic execution harness. | Service builds/tests; job queue runs sample job; determinism tests pass. | +| RISK-ENGINE-66-002 | TODO | Risk Engine Guild | RISK-ENGINE-66-001 | Implement default transforms (linear, minmax, logistic, piecewise), clamping, gating, and contribution calculator. | Transform/gating unit tests passing; contribution breakdown matches golden fixtures. | + +## Sprint 67 – Provider Integration +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| RISK-ENGINE-67-001 | TODO | Risk Engine Guild, Concelier Guild | RISK-ENGINE-66-002, CONCELIER-RISK-66-001 | Integrate CVSS and KEV providers pulling data from Conseiller; implement reducers (`max`, `any`, `consensus`). | Providers return sample data; reducer tests pass; provenance recorded. | +| RISK-ENGINE-67-002 | TODO | Risk Engine Guild, Excitator Guild | RISK-ENGINE-66-002, EXCITITOR-RISK-66-001 | Integrate VEX gate provider and ensure gating short-circuits scoring as configured. | VEX gate tests pass; explanation indicates gate decision. | +| RISK-ENGINE-67-003 | TODO | Risk Engine Guild, Policy Engine Guild | RISK-ENGINE-66-002 | Add fix availability, asset criticality, and internet exposure providers with caching + TTL enforcement. | Providers deliver normalized values; cache hit metrics exposed. 
| + +## Sprint 68 – Ledger & API Wiring +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| RISK-ENGINE-68-001 | TODO | Risk Engine Guild, Findings Ledger Guild | RISK-ENGINE-66-002, LEDGER-RISK-66-001 | Persist scoring results + explanation pointers to Findings Ledger; handle incremental updates via input hash. | Results stored with hash; updates skip unchanged findings; tests cover dedupe. | +| RISK-ENGINE-68-002 | TODO | Risk Engine Guild, API Guild | RISK-ENGINE-68-001, POLICY-RISK-67-002 | Expose APIs (`/risk/jobs`, `/risk/results`, `/risk/results/{id}/explanation`); include pagination, filtering, error codes. | OpenAPI documented; contract tests pass; endpoints gated by scopes. | + +## Sprint 69 – Simulation & Performance +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| RISK-ENGINE-69-001 | TODO | Risk Engine Guild, Policy Studio Guild | RISK-ENGINE-68-002 | Implement simulation mode producing distributions and top movers without mutating ledger. | Simulation API returns metrics; golden tests cover scenarios. | +| RISK-ENGINE-69-002 | TODO | Risk Engine Guild, Observability Guild | RISK-ENGINE-66-001 | Add telemetry (spans, metrics, logs) for provider latency, job throughput, cache hits; define SLO dashboards. | Metrics visible in Grafana; alerts configured for P95 latency + error rate. | + +## Sprint 70 – Air-Gap & Advanced Providers +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| RISK-ENGINE-70-001 | TODO | Risk Engine Guild, Export Guild | RISK-ENGINE-67-003, RISK-BUNDLE-69-001 | Support offline provider bundles with manifest verification and missing-data reporting. | Engine loads bundle data; missing providers logged with `AIRGAP_MISSING_DATA`. 
| +| RISK-ENGINE-70-002 | TODO | Risk Engine Guild, Observability Guild | RISK-ENGINE-68-002 | Integrate runtime evidence provider and reachability provider outputs with caching + TTL. | Providers return runtime/reachability signals; explanation includes sources; tests pass. | diff --git a/src/StellaOps.SbomService/AGENTS.md b/src/StellaOps.SbomService/AGENTS.md new file mode 100644 index 00000000..fee2ec58 --- /dev/null +++ b/src/StellaOps.SbomService/AGENTS.md @@ -0,0 +1,15 @@ +# StellaOps.SbomService — Agent Charter + +## Mission +Expose normalized SBOM projections (components, relationships, scopes, entrypoints) that downstream systems such as Cartographer, Policy Engine, and Scheduler consume. Maintain deterministic SBOM versioning, change events, and tenant-aware access patterns. + +## Responsibilities +- Normalize ingest from Scanner outputs/CycloneDX/SPDX artifacts into canonical documents. +- Provide APIs for SBOM metadata, projections, entrypoint catalogs, and version history. +- Emit change events when SBOMs are added or updated so Cartographer and overlay workers can react. +- Enforce Authority scopes/tenancy and deliver observability for SBOM projection latency. + +## Expectations +- SBOM documents remain immutable once published; new versions append only. +- Keep projections deterministic and schema-validated; include compliance checklists. +- Update `TASKS.md` whenever status changes and coordinate with Cartographer/Scheduler guilds. diff --git a/src/StellaOps.SbomService/Program.cs b/src/StellaOps.SbomService/Program.cs new file mode 100644 index 00000000..6bff3380 --- /dev/null +++ b/src/StellaOps.SbomService/Program.cs 
@@ -0,0 +1,17 @@ +var builder = WebApplication.CreateBuilder(args); + +builder.Configuration + .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true) + .AddEnvironmentVariables("SBOM_"); + +builder.Services.AddOptions(); +builder.Services.AddLogging(); + +// TODO: register SBOM projection services, repositories, and Authority integration. + +var app = builder.Build(); + +app.MapGet("/healthz", () => Results.Ok(new { status = "ok" })); +app.MapGet("/readyz", () => Results.Ok(new { status = "warming" })); + +app.Run(); diff --git a/src/StellaOps.SbomService/StellaOps.SbomService.csproj b/src/StellaOps.SbomService/StellaOps.SbomService.csproj new file mode 100644 index 00000000..cc5ded2a --- /dev/null +++ b/src/StellaOps.SbomService/StellaOps.SbomService.csproj @@ -0,0 +1,15 @@ + + + net10.0 + enable + enable + preview + true + InProcess + + + + + + + diff --git a/src/StellaOps.SbomService/TASKS.md b/src/StellaOps.SbomService/TASKS.md new file mode 100644 index 00000000..e4b8850b --- /dev/null +++ b/src/StellaOps.SbomService/TASKS.md 
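Review bot: `/readyz` answers `Results.Ok(new { status = "warming" })`, so a readiness probe keyed on the HTTP status code — which is how orchestrator readiness checks decide — will route traffic to the service while it reports itself as not ready. Return `Results.Json(new { status = "warming" }, statusCode: StatusCodes.Status503ServiceUnavailable)` until the projection services and Authority integration behind the TODO are registered, or wire `AddHealthChecks()` with a readiness tag so the status code follows actual state. Separately, `.AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)` re-registers a source `WebApplication.CreateBuilder` already adds, which is harmless but leaves the file twice in the configuration chain; the `AddEnvironmentVariables("SBOM_")` prefixed source is the only line that adds something new.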
@@ -0,0 +1,43 @@ +# SBOM Service Task Board — Epic 3: Graph Explorer v1 +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SBOM-SERVICE-21-001 | TODO | SBOM Service Guild, Cartographer Guild | CONCELIER-GRAPH-21-001 | Publish normalized SBOM projection schema (components, relationships, scopes, entrypoints) and implement read API with pagination + tenant enforcement. | Schema validated with fixtures; API documented; integration tests cover CycloneDX/SPDX inputs. | +| SBOM-SERVICE-21-002 | TODO | SBOM Service Guild, Scheduler Guild | SBOM-SERVICE-21-001, SCHED-MODELS-21-001 | Emit change events (`sbom.version.created`) carrying digest/version metadata for Cartographer builds; add replay/backfill tooling. | Events published on new SBOMs; consumer harness validated; replay scripts documented. | +| SBOM-SERVICE-21-003 | TODO | SBOM Service Guild | SBOM-SERVICE-21-001 | Provide entrypoint/service node management API (list/update overrides) feeding Cartographer path relevance with deterministic defaults. | Entrypoint API live; overrides persisted; docs updated; tests cover fallback logic. | +| SBOM-SERVICE-21-004 | TODO | SBOM Service Guild, Observability Guild | SBOM-SERVICE-21-001 | Wire observability: metrics (`sbom_projection_seconds`, `sbom_projection_size`), traces, structured logs with tenant info; set alerts for backlog. | Metrics/traces exposed; dashboards updated; alert thresholds defined. | + +## Policy Engine + Editor v1 + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SBOM-SERVICE-23-001 | TODO | SBOM Service Guild, Policy Guild | SBOM-SERVICE-21-001 | Extend projections to include asset metadata (criticality, owner, environment, exposure flags) required by policy rules; update schema docs. 
| Projection schema updated; fixtures expanded; policy runtime tests consume new fields. | +| SBOM-SERVICE-23-002 | TODO | SBOM Service Guild, Platform Events Guild | SBOM-SERVICE-23-001 | Emit `sbom.asset.updated` events when metadata changes; ensure idempotent payloads and documentation. | Events published with tests; evaluator receives updates; docs updated. | + +## StellaOps Console (Sprint 23) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SBOM-CONSOLE-23-001 | TODO | SBOM Service Guild, Cartographer Guild | SBOM-SERVICE-21-001, SBOM-SERVICE-21-003 | Provide Console-focused SBOM catalog API (`/console/sboms`) with filters (artifact, license, scope, asset tags), pagination cursors, evaluation metadata, and immutable JSON projections for raw view drawer. Document schema + determinism guarantees. | API deployed with contract tests, latency ≤ 200 ms P95 on seeded fixtures, docs updated, integration tests confirm parity with underlying projections. | +| SBOM-CONSOLE-23-002 | TODO | SBOM Service Guild | SBOM-CONSOLE-23-001, SBOM-SERVICE-21-002 | Deliver component lookup endpoints powering global search and Graph overlays (component neighborhoods, license overlays, policy deltas) with caching hints and tenant enforcement. | Endpoints documented, caching headers validated, integration tests cover search use cases, telemetry metrics exported. | + +## Graph & Vuln Explorer v1 + +> 2025-10-26 update — Cartographer service (`CARTO-GRAPH-21-001..009`) now owns graph construction/overlays. SBOM Service continues to expose projections and change events via `SBOM-SERVICE-21-00x`. 
+ +## Vulnerability Explorer (Sprint 29) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SBOM-VULN-29-001 | TODO | SBOM Service Guild | SBOM-SERVICE-21-001 | Emit inventory evidence with `scope`, `runtime_flag`, dependency paths, and nearest safe version hints, streaming change events for resolver jobs. | Evidence payloads extended; change events published with tests; documentation updated. | +| SBOM-VULN-29-002 | TODO | SBOM Service Guild, Findings Ledger Guild | SBOM-VULN-29-001, LEDGER-29-002 | Provide resolver feed (artifact, purl, version, paths) via queue/topic for Vuln Explorer candidate generation; ensure idempotent delivery. | Feed operational with dedupe keys; integration tests confirm candidate generation; metrics added. | + +## Advisory AI (Sprint 31) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SBOM-AIAI-31-001 | TODO | SBOM Service Guild | SBOM-VULN-29-001 | Provide `GET /sbom/paths?purl=...` and version timeline endpoints optimized for Advisory AI (incl. env flags, blast radius metadata). | Endpoints live with caching; perf targets met; tests cover ecosystems. | +| SBOM-AIAI-31-002 | TODO | SBOM Service Guild, Observability Guild | SBOM-AIAI-31-001 | Instrument metrics for path/timeline queries (latency, cache hit rate) and surface dashboards. | Metrics/traces live; dashboards approved. | + +## Orchestrator Dashboard +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SBOM-ORCH-32-001 | TODO | SBOM Service Guild | ORCH-SVC-32-001, WORKER-GO-32-001, WORKER-PY-32-001 | Register SBOM ingest/index sources with orchestrator, embed worker SDK, and emit artifact hashes + job metadata. 
| SDK integration tested with orchestrator; artifact hashes persisted; metrics include sbom ingest job lifecycle. | +| SBOM-ORCH-33-001 | TODO | SBOM Service Guild | SBOM-ORCH-32-001, ORCH-SVC-33-001, ORCH-SVC-33-002 | Report backpressure metrics, honor orchestrator pause/throttle signals, and classify error outputs for sbom jobs. | Backpressure metrics exported; pause/resume E2E tests pass; error classes mapped to orchestrator codes. | +| SBOM-ORCH-34-001 | TODO | SBOM Service Guild | SBOM-ORCH-33-001, ORCH-SVC-33-003, ORCH-SVC-34-001 | Implement orchestrator backfill + watermark reconciliation for SBOM ingest/index, ensuring idempotent artifact reuse. | Backfill operations verified with no duplicate artifacts; watermark status persisted; coverage metrics published. | diff --git a/src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md b/src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md index 759ef04c..040d3fee 100644 --- a/src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md +++ b/src/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md 
@@ -1,10 +1,19 @@ -# .NET Analyzer Task Flow - -| Seq | ID | Status | Depends on | Description | Exit Criteria | -|-----|----|--------|------------|-------------|---------------| +# .NET Analyzer Task Flow + +| Seq | ID | Status | Depends on | Description | Exit Criteria | +|-----|----|--------|------------|-------------|---------------| | 1 | SCANNER-ANALYZERS-LANG-10-305A | DONE (2025-10-22) | SCANNER-ANALYZERS-LANG-10-307 | Parse `*.deps.json` + `runtimeconfig.json`, build RID graph, and normalize to `pkg:nuget` components. | RID graph deterministic; fixtures confirm consistent component ordering; fallback to `bin:{sha256}` documented. | | 2 | SCANNER-ANALYZERS-LANG-10-305B | DONE (2025-10-22) | SCANNER-ANALYZERS-LANG-10-305A | Extract assembly metadata (strong name, file/product info) and optional Authenticode details when offline cert bundle provided. | Signing metadata captured for signed assemblies; offline trust store documented; hash validations deterministic. | | 3 | SCANNER-ANALYZERS-LANG-10-305C | DONE (2025-10-22) | SCANNER-ANALYZERS-LANG-10-305B | Handle self-contained apps and native assets; merge with EntryTrace usage hints. | Self-contained fixtures map to components with RID flags; usage hints propagate; tests cover linux/win variants. | | 4 | SCANNER-ANALYZERS-LANG-10-307D | DONE (2025-10-22) | SCANNER-ANALYZERS-LANG-10-305C | Integrate shared helpers (license mapping, quiet provenance) and concurrency-safe caches. | Shared helpers reused; concurrency tests for parallel layer scans pass; no redundant allocations. | | 5 | SCANNER-ANALYZERS-LANG-10-308D | DONE (2025-10-23) | SCANNER-ANALYZERS-LANG-10-307D | Determinism fixtures + benchmark harness; compare to competitor scanners for accuracy/perf. | Fixtures in `Fixtures/lang/dotnet/`; determinism CI guard; benchmark demonstrates lower duplication + faster runtime. 
| | 6 | SCANNER-ANALYZERS-LANG-10-309D | DONE (2025-10-23) | SCANNER-ANALYZERS-LANG-10-308D | Package plug-in (manifest, DI registration) and update Offline Kit instructions. | Manifest copied to `plugins/scanner/analyzers/lang/`; Worker loads analyzer; Offline Kit doc updated. | + +## .NET Entry-Point & Dependency Resolver (Sprint 11) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SCANNER-ANALYZERS-LANG-11-001 | TODO | StellaOps.Scanner EPDR Guild, Language Analyzer Guild | - | Build entrypoint resolver that maps project/publish artifacts to entrypoint identities (assembly name, MVID, TFM, RID) and environment profiles (publish mode, host kind, probing paths). Output normalized `entrypoints[]` records with deterministic IDs. | Entrypoint records produced for fixtures (framework-dependent, self-contained, single-file, multi-TFM/RID); determinism check passes; docs updated. | +| SCANNER-ANALYZERS-LANG-11-002 | TODO | StellaOps.Scanner EPDR Guild | SCANNER-ANALYZERS-LANG-11-001 | Implement static analyzer (IL + reflection heuristics) capturing AssemblyRef, ModuleRef/PInvoke, DynamicDependency, reflection literals, DI patterns, and custom AssemblyLoadContext probing hints. Emit dependency edges with reason codes and confidence. | Static analysis coverage demonstrated on fixtures; edges carry reason codes (`il-assemblyref`, `il-moduleref`, `reflection-literal`, `alc-probing`); tests cover trimmed/single-file cases. | +| SCANNER-ANALYZERS-LANG-11-003 | TODO | StellaOps.Scanner EPDR Guild, Signals Guild | SCANNER-ANALYZERS-LANG-11-002 | Ingest optional runtime evidence (AssemblyLoad, Resolving, P/Invoke) via event listener harness; merge runtime edges with static/declared ones and attach reason codes/confidence. | Runtime listener service pluggable; fixtures record runtime edges; merged output shows combined reason set with confidence per edge. 
| +| SCANNER-ANALYZERS-LANG-11-004 | TODO | StellaOps.Scanner EPDR Guild, SBOM Service Guild | SCANNER-ANALYZERS-LANG-11-002 | Produce normalized observation export to Scanner writer: entrypoints + dependency edges + environment profiles (AOC compliant). Wire to SBOM service entrypoint tagging. | Analyzer writes observation records consumed by SBOM service tests; AOC compliance docs updated; determinism checked. | +| SCANNER-ANALYZERS-LANG-11-005 | TODO | StellaOps.Scanner EPDR Guild, QA Guild | SCANNER-ANALYZERS-LANG-11-004 | Add comprehensive fixtures/benchmarks covering framework-dependent, self-contained, single-file, trimmed, NativeAOT, multi-RID scenarios; include explain traces and perf benchmarks vs previous analyzer. | Fixtures stored under `fixtures/lang/dotnet/epdr`; determinism + perf thresholds validated; benchmark results documented. | diff --git a/src/StellaOps.Scanner.Analyzers.Lang.Go/AGENTS.md b/src/StellaOps.Scanner.Analyzers.Lang.Go/AGENTS.md index c219287c..f186fe9a 100644 --- a/src/StellaOps.Scanner.Analyzers.Lang.Go/AGENTS.md +++ b/src/StellaOps.Scanner.Analyzers.Lang.Go/AGENTS.md 
@@ -1,20 +1,20 @@ -# StellaOps.Scanner.Analyzers.Lang.Go — Agent Charter - -## Role -Build the Go analyzer plug-in that reads Go build info, module metadata, and DWARF notes to attribute binaries with rich provenance inside Scanner. - -## Scope -- Inspect binaries for build info (`.note.go.buildid`, Go build info blob) and extract module, version, VCS metadata. -- Parse DWARF-lite sections for commit hash / dirty flag and map to components. -- Manage shared hash cache to dedupe identical binaries across layers. -- Provide benchmarks and determinism fixtures; package plug-in manifest. - -## Out of Scope -- Native library link analysis (belongs to native analyzer). -- VCS remote fetching or symbol download. -- Policy decisions or vulnerability joins. - -## Expectations +# StellaOps.Scanner.Analyzers.Lang.Go — Agent Charter + +## Role +Build the Go analyzer plug-in that reads Go build info, module metadata, and DWARF notes to attribute binaries with rich provenance inside Scanner. + +## Scope +- Inspect binaries for build info (`.note.go.buildid`, Go build info blob) and extract module, version, VCS metadata. +- Parse DWARF-lite sections for commit hash / dirty flag and map to components. +- Manage shared hash cache to dedupe identical binaries across layers. +- Provide benchmarks and determinism fixtures; package plug-in manifest. + +## Out of Scope +- Native library link analysis (belongs to native analyzer). +- VCS remote fetching or symbol download. +- Policy decisions or vulnerability joins. + +## Expectations - Latency targets: ≤400 µs (hot) / ≤2 ms (cold) per binary; minimal allocations via buffer pooling. - Shared buffer pooling via `ArrayPool` for build-info/DWARF reads; safe for concurrent scans. - Deterministic fallback to `bin:{sha256}` when metadata absent; heuristics clearly identified. 
@@ -24,8 +24,8 @@ Build the Go analyzer plug-in that reads Go build info, module metadata, and DWA ## Dependencies - Shared language analyzer core; Worker dispatcher; caching infrastructure (layer cache + file CAS). - -## Testing & Artifacts + +## Testing & Artifacts - Golden fixtures for modules with/without VCS info, stripped binaries, cross-compiled variants. -- Benchmark comparison with competitor scanners to demonstrate speed/fidelity advantages (captured in `bench/Scanner.Analyzers/lang/go/`). +- Benchmark comparison with competitor scanners to demonstrate speed/fidelity advantages (captured in `src/StellaOps.Bench/Scanner.Analyzers/lang/go/`). - ADR documenting heuristics and risk mitigation. diff --git a/src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md b/src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md new file mode 100644 index 00000000..38327115 --- /dev/null +++ b/src/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md 
@@ -0,0 +1,21 @@ +# Java Analyzer Task Board +> **Imposed rule:** work of this type or tasks of this type on this component — and everywhere else it should be applied. + +## Java Static Core (Sprint 39) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SCANNER-ANALYZERS-JAVA-21-001 | TODO | Java Analyzer Guild | SCANNER-CORE-09-501 | Build input normalizer and virtual file system for JAR/WAR/EAR/fat-jar/JMOD/jimage/container roots. Detect packaging type, layered dirs (BOOT-INF/WEB-INF), multi-release overlays, and jlink runtime metadata. | Normalizer walks fixtures without extraction, classifies packaging, selects MR overlays deterministically, records java version + vendor from runtime images. | +| SCANNER-ANALYZERS-JAVA-21-002 | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-001 | Implement module/classpath builder: JPMS graph parser (`module-info.class`), classpath order rules (fat jar, war, ear), duplicate & split-package detection, package fingerprinting. | Classpath order reproduced for fixtures; module graph serialized; duplicate provider + split-package warnings emitted deterministically. | +| SCANNER-ANALYZERS-JAVA-21-003 | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-002 | SPI scanner covering META-INF/services, provider selection, and warning generation. Include configurable SPI corpus (JDK, Spring, logging, Jackson, MicroProfile). | SPI tables produced with selected provider + candidates; fixtures show first-wins behaviour; warnings recorded for duplicate providers. | +| SCANNER-ANALYZERS-JAVA-21-004 | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-002 | Reflection/dynamic loader heuristics: scan constant pools, bytecode sites (Class.forName, loadClass, TCCL usage), resource-based plugin hints, manifest loader hints. Emit edges with reason codes + confidence. 
| Reflection edges generated for fixtures (classpath, boot, war); includes call site metadata and confidence scoring; TCCL warning emitted where detected. | +| SCANNER-ANALYZERS-JAVA-21-005 | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-002 | Framework config extraction: Spring Boot imports, spring.factories, application properties/yaml, Jakarta web.xml & fragments, JAX-RS/JPA/CDI/JAXB configs, logging files, Graal native-image configs. | Framework fixtures parsed; relevant class FQCNs surfaced with reasons (`config-spring`, `config-jaxrs`, etc.); non-class config ignored; determinism guard passes. | +| SCANNER-ANALYZERS-JAVA-21-006 | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-002 | JNI/native hint scanner: detect native methods, System.load/Library literals, bundled native libs, Graal JNI configs; emit `jni-load` edges for native analyzer correlation. | JNI fixtures produce hint edges pointing at embedded libs; metadata includes candidate paths and reason `jni`. | +| SCANNER-ANALYZERS-JAVA-21-007 | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-003 | Signature and manifest metadata collector: verify JAR signature structure, capture signers, manifest loader attributes (Main-Class, Agent-Class, Start-Class, Class-Path). | Signed jar fixture reports signer info and structural validation result; manifest metadata attached to entrypoints. | + +## Java Observation & Runtime (Sprint 40) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SCANNER-ANALYZERS-JAVA-21-008 | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-003, SCANNER-ANALYZERS-JAVA-21-004, SCANNER-ANALYZERS-JAVA-21-005 | Implement resolver + AOC writer: produce entrypoints (env profiles, warnings), components (jar_id + semantic ids), edges (jpms, cp, spi, reflect, jni) with reason codes/confidence. 
| Observation JSON for fixtures deterministic; includes entrypoints, edges, warnings; passes AOC compliance lint. | +| SCANNER-ANALYZERS-JAVA-21-009 | TODO | Java Analyzer Guild, QA Guild | SCANNER-ANALYZERS-JAVA-21-008 | Author comprehensive fixtures (modular app, boot fat jar, war, ear, MR-jar, jlink image, JNI, reflection heavy, signed jar, microprofile) with golden outputs and perf benchmarks. | Fixture suite committed under `fixtures/lang/java/ep`; determinism + benchmark gates (<300ms fat jar) configured in CI. | +| SCANNER-ANALYZERS-JAVA-21-010 | TODO | Java Analyzer Guild, Signals Guild | SCANNER-ANALYZERS-JAVA-21-008 | Optional runtime ingestion: Java agent + JFR reader capturing class load, ServiceLoader, and System.load events with path scrubbing. Emit append-only runtime edges `runtime-class`/`runtime-spi`/`runtime-load`. | Runtime harness produces scrubbed events for sample app; edges merge with static output; docs describe sandbox & privacy. | +| SCANNER-ANALYZERS-JAVA-21-011 | TODO | Java Analyzer Guild, DevOps Guild | SCANNER-ANALYZERS-JAVA-21-008 | Package analyzer as restart-time plug-in (manifest/DI), update Offline Kit docs, add CLI/worker hooks for Java inspection commands. | Plugin manifest deployed to `plugins/scanner/analyzers/lang/`; Worker loads new analyzer; Offline Kit + CLI instructions updated; smoke test verifies packaging. | diff --git a/src/StellaOps.Scanner.Analyzers.Lang.Node/AGENTS.md b/src/StellaOps.Scanner.Analyzers.Lang.Node/AGENTS.md index 16f84ea4..d5d8406a 100644 --- a/src/StellaOps.Scanner.Analyzers.Lang.Node/AGENTS.md +++ b/src/StellaOps.Scanner.Analyzers.Lang.Node/AGENTS.md 
@@ -1,39 +1,39 @@ -# StellaOps.Scanner.Analyzers.Lang.Node — Agent Charter - -## Role -Deliver the Node.js / npm / Yarn / PNPM analyzer plug-in that resolves workspace graphs, symlinks, and script metadata for Scanner Workers. - -## Scope -- Deterministic filesystem walker for `node_modules`, PNPM store, Yarn Plug'n'Play, and workspace roots. -- Component identity normalization to `pkg:npm` with provenance evidence (manifest path, integrity hashes, lockfile references). -- Workspace + symlink attribution, script metadata (postinstall, lifecycle), and policy hints for risky scripts. -- Plug-in manifest authoring, DI bootstrap, and benchmark harness integration. - -## Out of Scope -- OS package detection, native library linkage, or vulnerability joins. -- Language analyzers for other ecosystems (Python, Go, .NET, Rust). -- CLI/UI surfacing of analyzer diagnostics (handed to UI guild post-gate). - -## Expectations -- Deterministic output across Yarn/NPM/PNPM variations; normalized casing and path separators. -- Performance targets: 10 k-module fixture <1.8 s, <220 MB RSS on 4 vCPU runner. -- Offline-first; no network dependency to resolve registries. -- Emit structured metrics + logs (`analyzer=node`) compatible with Scanner telemetry model. -- Update `TASKS.md`, `SPRINTS_LANG_IMPLEMENTATION_PLAN.md`, and corresponding fixtures as progress occurs. - -## Dependencies -- Shared language analyzer core (`StellaOps.Scanner.Analyzers.Lang`). -- Worker dispatcher for plug-in discovery. -- EntryTrace usage hints (for script usage classification). - -## Testing & Artifacts -- Determinism golden fixtures under `Fixtures/lang/node/`. -- Benchmark CSV + flamegraph stored in `bench/Scanner.Analyzers/`. -- Plug-in manifest + cosign workflow added to Offline Kit instructions once analyzer is production-ready. - -## Telemetry & Policy Hints -- Metrics: `scanner_analyzer_node_scripts_total{script}` increments for each install lifecycle script discovered. 
-- Metadata keys: - - `policyHint.installLifecycle` lists lifecycle scripts (`preinstall;install;postinstall`) observed for a package. - - `script.` stores the canonical command string for each lifecycle script. -- Evidence: lifecycle script entries emit `LanguageEvidenceKind.Metadata` pointing to `package.json#scripts.` with SHA-256 hashes for determinism. +# StellaOps.Scanner.Analyzers.Lang.Node — Agent Charter + +## Role +Deliver the Node.js / npm / Yarn / PNPM analyzer plug-in that resolves workspace graphs, symlinks, and script metadata for Scanner Workers. + +## Scope +- Deterministic filesystem walker for `node_modules`, PNPM store, Yarn Plug'n'Play, and workspace roots. +- Component identity normalization to `pkg:npm` with provenance evidence (manifest path, integrity hashes, lockfile references). +- Workspace + symlink attribution, script metadata (postinstall, lifecycle), and policy hints for risky scripts. +- Plug-in manifest authoring, DI bootstrap, and benchmark harness integration. + +## Out of Scope +- OS package detection, native library linkage, or vulnerability joins. +- Language analyzers for other ecosystems (Python, Go, .NET, Rust). +- CLI/UI surfacing of analyzer diagnostics (handed to UI guild post-gate). + +## Expectations +- Deterministic output across Yarn/NPM/PNPM variations; normalized casing and path separators. +- Performance targets: 10 k-module fixture <1.8 s, <220 MB RSS on 4 vCPU runner. +- Offline-first; no network dependency to resolve registries. +- Emit structured metrics + logs (`analyzer=node`) compatible with Scanner telemetry model. +- Update `TASKS.md`, `SPRINTS_LANG_IMPLEMENTATION_PLAN.md`, and corresponding fixtures as progress occurs. + +## Dependencies +- Shared language analyzer core (`StellaOps.Scanner.Analyzers.Lang`). +- Worker dispatcher for plug-in discovery. +- EntryTrace usage hints (for script usage classification). + +## Testing & Artifacts +- Determinism golden fixtures under `Fixtures/lang/node/`. 
+- Benchmark CSV + flamegraph stored in `src/StellaOps.Bench/Scanner.Analyzers/`. +- Plug-in manifest + cosign workflow added to Offline Kit instructions once analyzer is production-ready. + +## Telemetry & Policy Hints +- Metrics: `scanner_analyzer_node_scripts_total{script}` increments for each install lifecycle script discovered. +- Metadata keys: + - `policyHint.installLifecycle` lists lifecycle scripts (`preinstall;install;postinstall`) observed for a package. + - `script.` stores the canonical command string for each lifecycle script. +- Evidence: lifecycle script entries emit `LanguageEvidenceKind.Metadata` pointing to `package.json#scripts.` with SHA-256 hashes for determinism. diff --git a/src/StellaOps.Scanner.Analyzers.Lang/SPRINTS_LANG_IMPLEMENTATION_PLAN.md b/src/StellaOps.Scanner.Analyzers.Lang/SPRINTS_LANG_IMPLEMENTATION_PLAN.md index c9cc7523..89506625 100644 --- a/src/StellaOps.Scanner.Analyzers.Lang/SPRINTS_LANG_IMPLEMENTATION_PLAN.md +++ b/src/StellaOps.Scanner.Analyzers.Lang/SPRINTS_LANG_IMPLEMENTATION_PLAN.md 
@@ -18,7 +18,7 @@ All sprints below assume prerequisites from SP10-G2 (core scaffolding + Java ana - All symlink targets canonicalized; path traversal guarded. - **Gate Artifacts:** - `Fixtures/lang/node/**` golden outputs. - - Analyzer benchmark CSV + flamegraph (commit under `bench/Scanner.Analyzers`). + - Analyzer benchmark CSV + flamegraph (commit under `src/StellaOps.Bench/Scanner.Analyzers`). - Worker integration sample enabling Node analyzer via manifest. - **Progress (2025-10-21):** Module walker with package-lock/yarn/pnpm resolution, workspace attribution, integrity metadata, and deterministic fixture harness committed; Node tasks 10-302A/B remain green. Shared component mapper + canonical result harness landed, closing tasks 10-307/308. Script metadata & telemetry (10-302C) emit policy hints, hashed evidence, and feed `scanner_analyzer_node_scripts_total` into Worker OpenTelemetry pipeline. Restart-time packaging closed (10-309): manifest added, Worker language catalog loads the Node analyzer, integration tests cover dispatch + layer fragments, and Offline Kit docs call out bundled language plug-ins. 
@@ -52,7 +52,7 @@ All sprints below assume prerequisites from SP10-G2 (core scaffolding + Java ana - **Gate Artifacts:** - Benchmarks vs competitor open-source tool (Trivy or Syft) demonstrating faster metadata extraction. - Documentation snippet explaining VCS metadata fields for Policy team. -- **Progress (2025-10-22):** Build-info decoder shipped with DWARF-string fallback for `vcs.*` markers, plus cached metadata keyed by binary length/timestamp. Added Go test fixtures covering build-info and DWARF-only binaries with deterministic goldens; analyzer now emits `go.dwarf` evidence alongside `go.buildinfo` metadata to feed downstream provenance rules. Completed stripped-binary heuristics with deterministic `golang::bin::sha256` components and a new `stripped` fixture to guard quiet-provenance behaviour. Heuristic fallbacks now emit `scanner_analyzer_golang_heuristic_total{indicator,version_hint}` counters, and shared buffer pooling (`ArrayPool`) keeps concurrent scans allocation-lite. Bench harness (`bench/Scanner.Analyzers/config.json`) gained a dedicated Go scenario with baseline mean 4.02 ms; comparison against Syft v1.29.1 on the same fixture shows a 22 % speed advantage (see `bench/Scanner.Analyzers/lang/go/syft-comparison-20251021.csv`). +- **Progress (2025-10-22):** Build-info decoder shipped with DWARF-string fallback for `vcs.*` markers, plus cached metadata keyed by binary length/timestamp. Added Go test fixtures covering build-info and DWARF-only binaries with deterministic goldens; analyzer now emits `go.dwarf` evidence alongside `go.buildinfo` metadata to feed downstream provenance rules. Completed stripped-binary heuristics with deterministic `golang::bin::sha256` components and a new `stripped` fixture to guard quiet-provenance behaviour. Heuristic fallbacks now emit `scanner_analyzer_golang_heuristic_total{indicator,version_hint}` counters, and shared buffer pooling (`ArrayPool`) keeps concurrent scans allocation-lite. 
Bench harness (`src/StellaOps.Bench/Scanner.Analyzers/config.json`) gained a dedicated Go scenario with baseline mean 4.02 ms; comparison against Syft v1.29.1 on the same fixture shows a 22 % speed advantage (see `src/StellaOps.Bench/Scanner.Analyzers/lang/go/syft-comparison-20251021.csv`). ## Sprint LA4 — .NET Analyzer & RID Variants (Tasks 10-305, 10-307, 10-308, 10-309 subset) - **Scope:** Parse `*.deps.json`, `runtimeconfig.json`, assembly metadata, and RID-specific assets; correlate with native dependencies. @@ -97,7 +97,7 @@ All sprints below assume prerequisites from SP10-G2 (core scaffolding + Java ana - Telemetry coverage: each analyzer emits timing + component counters. - **Gate Artifacts:** - `SPRINTS_LANG_IMPLEMENTATION_PLAN.md` progress log updated (this file). - - `bench/Scanner.Analyzers/lang-matrix.csv` recorded + referenced in docs. + - `src/StellaOps.Bench/Scanner.Analyzers/lang-matrix.csv` recorded + referenced in docs. - Ops notes for packaging plug-ins into Offline Kit. --- 
@@ -106,7 +106,7 @@ All sprints below assume prerequisites from SP10-G2 (core scaffolding + Java ana - **Security:** All analyzers must enforce path canonicalization, guard against zip-slip, and expose provenance classifications (`observed`, `heuristic`, `attested`). - **Offline-first:** No network calls; rely on cached metadata and optional offline bundles (license texts, signature roots). - **Determinism:** Normalise timestamps to `0001-01-01T00:00:00Z` when persisting synthetic data; sort collections by stable keys. -- **Benchmarking:** Extend `bench/Scanner.Analyzers` to compare against open-source scanners (Syft/Trivy) and document performance wins. +- **Benchmarking:** Extend `src/StellaOps.Bench/Scanner.Analyzers` to compare against open-source scanners (Syft/Trivy) and document performance wins. - **Hand-offs:** Emit guild requires consistent component schemas; Policy needs license + provenance metadata; Scheduler depends on usage flags for ImpactIndex. ## Tracking & Reporting diff --git a/src/StellaOps.Scanner.Analyzers.Native/TASKS.md b/src/StellaOps.Scanner.Analyzers.Native/TASKS.md new file mode 100644 index 00000000..71594882 --- /dev/null +++ b/src/StellaOps.Scanner.Analyzers.Native/TASKS.md 
@@ -0,0 +1,20 @@
+# Native Analyzer Task Board
+> **Imposed rule:** work of this type or tasks of this type on this component — and everywhere else it should be applied.
+
+## Native Static Analyzer (Sprint 37)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| SCANNER-ANALYZERS-NATIVE-20-001 | TODO | Native Analyzer Guild | SCANNER-CORE-09-501 | Implement format detector and binary identity model supporting ELF, PE/COFF, and Mach-O (including fat slices). Capture arch, OS, build-id/UUID, interpreter metadata. | Detector recognises sample binaries across linux/windows/macos; entrypoint identity includes arch+os slice and stable hash; fixtures stored under `fixtures/native/format-detector`. |
+| SCANNER-ANALYZERS-NATIVE-20-002 | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-001 | Parse ELF dynamic sections: `DT_NEEDED`, `DT_RPATH`, `DT_RUNPATH`, symbol versions, interpreter, and note build-id. Emit declared dependency records with reason `elf-dtneeded` and attach version needs. | ELF fixtures (glibc, musl, Go static) produce deterministic dependency records with runpath/rpath metadata and symbol version needs. |
+| SCANNER-ANALYZERS-NATIVE-20-003 | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-001 | Parse PE imports, delay-load tables, manifests/SxS metadata, and subsystem flags. Emit edges with reasons `pe-import` and `pe-delayimport`, plus SxS policy metadata. | Windows fixtures (standard, delay-load, SxS) generate dependency edges with policy hashes and delay-load markers; unit tests validate manifest parsing. |
+| SCANNER-ANALYZERS-NATIVE-20-004 | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-001 | Parse Mach-O load commands (`LC_LOAD_DYLIB`, `LC_REEXPORT_DYLIB`, `LC_RPATH`, `LC_UUID`, fat headers). Handle `@rpath/@loader_path` placeholders and slice separation.
| Mach-O fixtures (single + universal) emit dependency edges per slice with expanded paths and UUID metadata; tests confirm `@rpath` expansion order. |
+| SCANNER-ANALYZERS-NATIVE-20-005 | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-002, SCANNER-ANALYZERS-NATIVE-20-003, SCANNER-ANALYZERS-NATIVE-20-004 | Implement resolver engine modeling loader search order for ELF (rpath/runpath/cache/default), PE (SafeDll search + SxS), and Mach-O (`@rpath` expansion). Works against virtual image roots, producing explain traces. | Resolver passes golden tests across linux/windows/macos fixtures; resolution trace records attempted paths; no host filesystem access in tests. |
+| SCANNER-ANALYZERS-NATIVE-20-006 | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-005 | Build heuristic scanner for `dlopen`/`LoadLibrary` strings, plugin ecosystem configs, and Go/Rust static hints. Emit edges with `reason_code` (`string-dlopen`, `config-plugin`, `ecosystem-heuristic`) and confidence levels. | Heuristic edges appear in fixtures (nginx modules, dlopen string literals); confidence flags applied; explain metadata references source string/config path. |
+
+## Native Observation Pipeline (Sprint 38)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| SCANNER-ANALYZERS-NATIVE-20-007 | TODO | Native Analyzer Guild, SBOM Service Guild | SCANNER-ANALYZERS-NATIVE-20-005 | Serialize AOC-compliant observations: entrypoints + dependency edges + environment profiles (search paths, interpreter, loader metadata). Integrate with Scanner writer API. | Analyzer emits normalized `entrypoints[]`/`edges[]` JSON for fixtures; SBOM tests consume output; determinism harness updated.
|
+| SCANNER-ANALYZERS-NATIVE-20-008 | TODO | Native Analyzer Guild, QA Guild | SCANNER-ANALYZERS-NATIVE-20-007 | Author cross-platform fixtures (ELF dynamic/static, PE delay-load/SxS, Mach-O @rpath, plugin configs) and determinism benchmarks (<25 ms / binary, <250 MB). | Fixture suite committed; determinism CI passes; benchmark report documents perf budgets and regression guard rails. |
+| SCANNER-ANALYZERS-NATIVE-20-009 | TODO | Native Analyzer Guild, Signals Guild | SCANNER-ANALYZERS-NATIVE-20-007 | Provide optional runtime capture adapters (Linux eBPF `dlopen`, Windows ETW ImageLoad, macOS dyld interpose) writing append-only runtime evidence. Include redaction/sandbox guidance. | Runtime harness emits `runtime-load` edges for sample binaries; data scrubbed to image-relative paths; docs outline sandboxing and privacy. |
+| SCANNER-ANALYZERS-NATIVE-20-010 | TODO | Native Analyzer Guild, DevOps Guild | SCANNER-ANALYZERS-NATIVE-20-007 | Package native analyzer as restart-time plug-in with manifest/DI registration; update Offline Kit bundle + documentation. | Plugin manifest copied to `plugins/scanner/analyzers/native/`; Worker loads analyzer on restart; Offline Kit instructions updated; smoke test verifies packaging. |
diff --git a/src/StellaOps.Scanner.WebService/TASKS.md b/src/StellaOps.Scanner.WebService/TASKS.md
index 67f87e78..1d59b9c0 100644
--- a/src/StellaOps.Scanner.WebService/TASKS.md
+++ b/src/StellaOps.Scanner.WebService/TASKS.md
@@ -16,9 +16,22 @@ | SCANNER-RUNTIME-12-304 | DONE (2025-10-24) | Scanner WebService Guild | SCANNER-RUNTIME-12-302 | Surface attestation verification status by integrating Authority/Attestor Rekor validation (beyond presence-only). | `/policy/runtime` maps Rekor UUIDs through the runtime attestation verifier so `rekor.verified` reflects attestor outcomes; webhook/CLI coverage added. | | SCANNER-RUNTIME-12-305 | DONE (2025-10-24) | Scanner WebService Guild | SCANNER-RUNTIME-12-301, SCANNER-RUNTIME-12-302 | Promote shared fixtures with Zastava/CLI and add end-to-end automation for `/runtime/events` + `/policy/runtime`. | Runtime policy integration test + CLI-aligned fixture assert confidence, metadata JSON, and Rekor verification; docs note shared contract. | | SCANNER-EVENTS-15-201 | DONE (2025-10-20) | Scanner WebService Guild | NOTIFY-QUEUE-15-401 | Emit `scanner.report.ready` and `scanner.scan.completed` events (bus adapters + tests). | Event envelopes published to queue with schemas; fixtures committed; Notify consumption test passes. | -| SCANNER-EVENTS-16-301 | BLOCKED (2025-10-20) | Scanner WebService Guild | NOTIFY-QUEUE-15-401 | Integrate Redis publisher end-to-end once Notify queue abstraction ships; replace in-memory recorder with real stream assertions. | Notify Queue adapter available; integration test exercises Redis stream length/fields via test harness; docs updated with ops validation checklist. | +| SCANNER-EVENTS-16-301 | TODO | Scanner WebService Guild | ORCH-SVC-38-101, NOTIFY-SVC-38-001 | Emit orchestrator-compatible envelopes (`scanner.event.*`) and update integration tests to verify Notifier ingestion (no Redis queue coupling). | Tests assert envelope schema + orchestrator publish; Notifier consumer harness passes; docs updated with new event contract. 
| | SCANNER-RUNTIME-17-401 | DONE (2025-10-25) | Scanner WebService Guild | SCANNER-RUNTIME-12-301, ZASTAVA-OBS-17-005, SCANNER-EMIT-17-701, POLICY-RUNTIME-17-201 | Persist runtime build-id observations and expose them via `/runtime/events` + policy joins for debug-symbol correlation. | Runtime events store normalized digests + build IDs with supporting indexes, runtime policy responses surface `buildIds`, tests/docs updated, and CLI/API consumers can derive debug-store paths deterministically. | +## Graph Explorer v1 (Sprint 21) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SCANNER-GRAPH-21-001 | TODO | Scanner WebService Guild, Cartographer Guild | CARTO-GRAPH-21-007, SCHED-WEB-21-001 | Provide webhook/REST endpoint for Cartographer to request policy overlays and runtime evidence for graph nodes, ensuring determinism and tenant scoping. | Endpoint documented; integration tests cover Cartographer workflow; unauthorized access blocked. | + +## Link-Not-Merge v1 + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SCANNER-LNM-21-001 | TODO | Scanner WebService Guild, Policy Guild | POLICY-ENGINE-40-001 | Update `/reports` and `/policy/runtime` payloads to consume advisory/vex linksets, exposing source severity arrays and conflict summaries alongside effective verdicts. | API schema updated; clients regenerated; integration tests cover multiple source severities. | +| SCANNER-LNM-21-002 | TODO | Scanner WebService Guild, UI Guild | SCANNER-LNM-21-001 | Add evidence endpoint for Console to fetch linkset summaries with policy overlay for a component/SBOM, including AOC references. | Endpoint documented; UI integration passes; RBAC/tenancy enforced. 
| + ## Notes - 2025-10-19: Sprint 9 streaming + policy endpoints (SCANNER-WEB-09-103, SCANNER-POLICY-09-105/106/107) landed with SSE/JSONL, OpenAPI, signed report coverage documented in `docs/09_API_CLI_REFERENCE.md`. - 2025-10-20: Re-ran `dotnet test src/StellaOps.Scanner.WebService.Tests/StellaOps.Scanner.WebService.Tests.csproj --filter FullyQualifiedName~ReportsEndpointsTests` to confirm DSSE/report regressions stay green after backlog sync. diff --git a/src/StellaOps.Scheduler.Models/TASKS.md b/src/StellaOps.Scheduler.Models/TASKS.md index 73b44c02..eaeb4909 100644 --- a/src/StellaOps.Scheduler.Models/TASKS.md +++ b/src/StellaOps.Scheduler.Models/TASKS.md 
@@ -5,3 +5,17 @@
 | SCHED-MODELS-16-101 | DONE (2025-10-19) | Scheduler Models Guild | — | Define DTOs (Schedule, Run, ImpactSet, Selector, DeltaSummary, AuditRecord) with validation + canonical JSON. | DTOs merged with tests; documentation snippet added; serialization deterministic. |
 | SCHED-MODELS-16-102 | DONE (2025-10-19) | Scheduler Models Guild | SCHED-MODELS-16-101 | Publish schema docs & sample payloads for UI/Notify integration. | Samples committed; docs referenced; contract tests pass. |
 | SCHED-MODELS-16-103 | DONE (2025-10-20) | Scheduler Models Guild | SCHED-MODELS-16-101 | Versioning/migration helpers (schedule evolution, run state transitions). | Migration helpers implemented; tests cover upgrade/downgrade; guidelines documented. |
+
+## Policy Engine v2 (Sprint 20)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| SCHED-MODELS-20-001 | TODO | Scheduler Models Guild, Policy Guild | POLICY-ENGINE-20-000 | Define DTOs/schemas for policy runs, diffs, and explain traces (`PolicyRunRequest`, `PolicyRunStatus`, `PolicyDiffSummary`). | DTOs serialize deterministically; schema samples committed; validation helpers added. |
+| SCHED-MODELS-20-002 | TODO | Scheduler Models Guild | SCHED-MODELS-20-001 | Extend scheduler schema docs to include policy run lifecycle, environment metadata, and diff payloads. | Docs updated with compliance checklist; samples validated against JSON schema; consumers notified. |
+
+## Graph Explorer v1 (Sprint 21)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| SCHED-MODELS-21-001 | TODO | Scheduler Models Guild, Cartographer Guild | CARTO-GRAPH-21-007 | Define job DTOs for graph builds/overlay refresh (`GraphBuildJob`, `GraphOverlayJob`) with deterministic serialization and status enums.
| DTOs serialized deterministically; schema snippets documented; tests cover transitions. |
+| SCHED-MODELS-21-002 | TODO | Scheduler Models Guild | SCHED-MODELS-21-001 | Publish schema docs/sample payloads for graph jobs and overlay events for downstream workers/UI. | Docs updated with compliance checklist; samples validated; notifications sent to guilds. |
diff --git a/src/StellaOps.Scheduler.WebService/TASKS.md b/src/StellaOps.Scheduler.WebService/TASKS.md
index 7bdb4aad..ffe3605a 100644
--- a/src/StellaOps.Scheduler.WebService/TASKS.md
+++ b/src/StellaOps.Scheduler.WebService/TASKS.md
@@ -5,8 +5,39 @@
 | SCHED-WEB-16-101 | DOING (2025-10-19) | Scheduler WebService Guild | SCHED-MODELS-16-101 | Bootstrap Minimal API host with Authority OpTok + DPoP, health endpoints, plug-in discovery per architecture §§1–2. | Service boots with config validation; `/healthz`/`/readyz` pass; restart-only plug-ins enforced. |
 | SCHED-WEB-16-102 | TODO | Scheduler WebService Guild | SCHED-WEB-16-101 | Implement schedules CRUD (tenant-scoped) with cron validation, pause/resume, audit logging. | CRUD operations tested; invalid cron inputs rejected; audit entries persisted. |
 | SCHED-WEB-16-103 | TODO | Scheduler WebService Guild | SCHED-WEB-16-102 | Runs API (list/detail/cancel), ad-hoc run POST, and impact preview endpoints. | Integration tests cover run lifecycle; preview returns counts/sample; cancellation honoured. |
-| SCHED-WEB-16-104 | TODO | Scheduler WebService Guild | SCHED-QUEUE-16-401, SCHED-STORAGE-16-201 | Webhook endpoints for Feedser/Vexer exports with mTLS/HMAC validation and rate limiting. | Webhooks validated via tests; invalid signatures rejected; rate limits documented. |
-
-## Notes
-- 2025-10-19: SCHED-MODELS-16-101 (schemas/DTOs) is DONE, so API contracts for schedules/runs are ready to consume.
-- Next steps for SCHED-WEB-16-101: create Minimal API host project scaffold, wire Authority OpTok + DPoP authentication via existing DI helpers, expose `/healthz` + `/readyz`, and load restart-only plugins per architecture §§1–2. Capture configuration validation and log shape aligned with Scheduler platform guidance before moving to CRUD implementation.
+| SCHED-WEB-16-104 | TODO | Scheduler WebService Guild | SCHED-QUEUE-16-401, SCHED-STORAGE-16-201 | Webhook endpoints for Feedser/Vexer exports with mTLS/HMAC validation and rate limiting. | Webhooks validated via tests; invalid signatures rejected; rate limits documented.
|
+
+## Policy Engine v2 (Sprint 20)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| SCHED-WEB-20-001 | TODO | Scheduler WebService Guild, Policy Guild | SCHED-WEB-16-101, POLICY-ENGINE-20-000 | Expose policy run scheduling APIs (`POST /policy/runs`, `GET /policy/runs`) with tenant scoping and RBAC enforcement for `policy:run`. | Endpoints documented; integration tests cover run creation/status; unauthorized access blocked. |
+| SCHED-WEB-20-002 | TODO | Scheduler WebService Guild | SCHED-WEB-20-001, SCHED-WORKER-20-301 | Provide simulation trigger endpoint returning diff preview metadata and job state for UI/CLI consumption. | Simulation endpoint returns deterministic diffs metadata; rate limits enforced; tests cover concurrency. |
+
+## Graph Explorer v1 (Sprint 21)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| SCHED-WEB-21-001 | TODO | Scheduler WebService Guild, Cartographer Guild | SCHED-WEB-16-101, SCHED-MODELS-21-001 | Expose graph build/overlay job APIs (`POST /graphs/build`, `GET /graphs/jobs`) with `graph:write`/`graph:read` enforcement and tenant scoping. | APIs documented; integration tests cover job submission/status; unauthorized requests blocked. |
+| SCHED-WEB-21-002 | TODO | Scheduler WebService Guild | SCHED-WEB-21-001, CARTO-GRAPH-21-007 | Provide overlay lag metrics endpoint and webhook to notify Cartographer of job completions; include correlation IDs. | Endpoint returns metrics; webhook tested end-to-end; observability docs updated.
|
+
+## StellaOps Console (Sprint 23)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| SCHED-CONSOLE-23-001 | TODO | Scheduler WebService Guild, BE-Base Platform Guild | SCHED-WEB-16-103, SCHED-WEB-20-001 | Extend runs APIs with live progress SSE endpoints (`/console/runs/{id}/stream`), queue lag summaries, diff metadata fetch, retry/cancel hooks with RBAC enforcement, and deterministic pagination for history views consumed by Console. | SSE emits heartbeats/backoff headers, progress payload schema documented, unauthorized actions blocked in integration tests, metrics/logs expose queue lag + correlation IDs. |
+
+## Policy Studio (Sprint 27)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| SCHED-CONSOLE-27-001 | TODO | Scheduler WebService Guild, Policy Registry Guild | SCHED-WEB-16-103, REGISTRY-API-27-005 | Provide policy batch simulation orchestration endpoints (`/policies/simulations` POST/GET) exposing run creation, shard status, SSE progress, cancellation, and retries with RBAC enforcement. | API handles shard lifecycle with SSE heartbeats + retry headers; unauthorized requests rejected; integration tests cover submit/cancel/resume flows. |
+| SCHED-CONSOLE-27-002 | TODO | Scheduler WebService Guild, Observability Guild | SCHED-CONSOLE-27-001 | Emit telemetry endpoints/metrics (`policy_simulation_queue_depth`, `policy_simulation_latency`) and webhook callbacks for completion/failure consumed by Registry. | Metrics exposed via gateway, dashboards seeded, webhook contract documented, integration tests validate metrics emission.
|
+
+## Vulnerability Explorer (Sprint 29)
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| SCHED-VULN-29-001 | TODO | Scheduler WebService Guild, Findings Ledger Guild | SCHED-WEB-16-103, SBOM-VULN-29-001 | Expose resolver job APIs (`POST /vuln/resolver/jobs`, `GET /vuln/resolver/jobs/{id}`) to trigger candidate recomputation per artifact/policy change with RBAC and rate limits. | Resolver APIs documented; integration tests cover submit/status/cancel; unauthorized requests rejected. |
+| SCHED-VULN-29-002 | TODO | Scheduler WebService Guild, Observability Guild | SCHED-VULN-29-001 | Provide projector lag metrics endpoint and webhook notifications for backlog breaches consumed by DevOps dashboards. | Lag metrics exposed; webhook events triggered on thresholds; docs updated. |
+
+## Notes
+- 2025-10-19: SCHED-MODELS-16-101 (schemas/DTOs) is DONE, so API contracts for schedules/runs are ready to consume.
+- Next steps for SCHED-WEB-16-101: create Minimal API host project scaffold, wire Authority OpTok + DPoP authentication via existing DI helpers, expose `/healthz` + `/readyz`, and load restart-only plugins per architecture §§1–2. Capture configuration validation and log shape aligned with Scheduler platform guidance before moving to CRUD implementation.
diff --git a/src/StellaOps.Scheduler.Worker/TASKS.md b/src/StellaOps.Scheduler.Worker/TASKS.md
index 6f8a9c33..262a9eaf 100644
--- a/src/StellaOps.Scheduler.Worker/TASKS.md
+++ b/src/StellaOps.Scheduler.Worker/TASKS.md
@@ -1,9 +1,64 @@ -# Scheduler Worker Task Board (Sprint 16) - -| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | -|----|--------|----------|------------|-------------|---------------| -| SCHED-WORKER-16-201 | TODO | Scheduler Worker Guild | SCHED-QUEUE-16-401 | Planner loop (cron + event triggers) with lease management, fairness, and rate limiting (§6). | Planner integration tests cover cron/event triggers; rate limits enforced; logs include run IDs. | -| SCHED-WORKER-16-202 | TODO | Scheduler Worker Guild | SCHED-IMPACT-16-301 | Wire ImpactIndex targeting (ResolveByPurls/vulns), dedupe, shard planning. | Targeting tests confirm correct image selection; dedupe documented; shards evenly distributed. | -| SCHED-WORKER-16-203 | TODO | Scheduler Worker Guild | SCHED-WORKER-16-202 | Runner execution: call Scanner `/reports` (analysis-only) or `/scans` when configured; collect deltas; handle retries. | Runner tests stub Scanner; retries/backoff validated; deltas aggregated deterministically. | -| SCHED-WORKER-16-204 | TODO | Scheduler Worker Guild | SCHED-WORKER-16-203 | Emit events (`scheduler.rescan.delta`, `scanner.report.ready`) for Notify/UI with summaries. | Events published to queue; payload schema documented; integration tests verify consumption. | -| SCHED-WORKER-16-205 | TODO | Scheduler Worker Guild | SCHED-WORKER-16-201 | Metrics/telemetry: run stats, queue depth, planner latency, delta counts. | Metrics exported per spec; dashboards updated; alerts configured. | +# Scheduler Worker Task Board (Sprint 16) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SCHED-WORKER-16-201 | TODO | Scheduler Worker Guild | SCHED-QUEUE-16-401 | Planner loop (cron + event triggers) with lease management, fairness, and rate limiting (§6). | Planner integration tests cover cron/event triggers; rate limits enforced; logs include run IDs. 
| +| SCHED-WORKER-16-202 | TODO | Scheduler Worker Guild | SCHED-IMPACT-16-301 | Wire ImpactIndex targeting (ResolveByPurls/vulns), dedupe, shard planning. | Targeting tests confirm correct image selection; dedupe documented; shards evenly distributed. | +| SCHED-WORKER-16-203 | TODO | Scheduler Worker Guild | SCHED-WORKER-16-202 | Runner execution: call Scanner `/reports` (analysis-only) or `/scans` when configured; collect deltas; handle retries. | Runner tests stub Scanner; retries/backoff validated; deltas aggregated deterministically. | +| SCHED-WORKER-16-204 | TODO | Scheduler Worker Guild | SCHED-WORKER-16-203 | Emit events (`scheduler.rescan.delta`, `scanner.report.ready`) for Notify/UI with summaries. | Events published to queue; payload schema documented; integration tests verify consumption. | +| SCHED-WORKER-16-205 | TODO | Scheduler Worker Guild | SCHED-WORKER-16-201 | Metrics/telemetry: run stats, queue depth, planner latency, delta counts. | Metrics exported per spec; dashboards updated; alerts configured. | + +## Policy Engine v2 (Sprint 20) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SCHED-WORKER-20-301 | TODO | Scheduler Worker Guild, Policy Guild | SCHED-WORKER-16-201, POLICY-ENGINE-20-000 | Extend scheduler worker to trigger policy runs (full/incremental/simulate) via Policy Engine API, with idempotent job tracking and tenant scoping. | Worker schedules policy jobs deterministically; job records persisted; integration tests cover modes + cancellation. | +| SCHED-WORKER-20-302 | TODO | Scheduler Worker Guild | SCHED-WORKER-20-301, POLICY-ENGINE-20-006 | Implement policy delta targeting to re-evaluate only affected SBOM sets based on change streams and policy metadata. | Targeting reduces workload per design; tests simulate advisory/vex updates; metrics show delta counts. 
| +| SCHED-WORKER-20-303 | TODO | Scheduler Worker Guild, Observability Guild | SCHED-WORKER-20-301 | Expose metrics (`policy_runs_scheduled`, `policy_runs_failed`, planner latency) and structured logs with policy/run identifiers. | Metrics registered; dashboards updated; logs validated in integration tests. | + +## Graph Explorer v1 (Sprint 21) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SCHED-WORKER-21-201 | TODO | Scheduler Worker Guild, Cartographer Guild | SCHED-MODELS-21-001 | Implement graph build worker that dequeues SBOM graph jobs, invokes Cartographer build APIs, and records status with retries/backoff. | Worker processes fixtures; retries handled; logs include `graph_id`; integration tests pass. | +| SCHED-WORKER-21-202 | TODO | Scheduler Worker Guild | SCHED-WORKER-21-201, CARTO-GRAPH-21-007 | Overlay refresh worker subscribing to policy/SBOM change events, batching affected graph overlays, and enforcing <2 min SLA. | Overlay jobs scheduled deterministically; lag metrics < 2 min in tests; alerts configured. | +| SCHED-WORKER-21-203 | TODO | Scheduler Worker Guild, Observability Guild | SCHED-WORKER-21-201 | Export metrics (`graph_build_seconds`, `graph_jobs_inflight`, `overlay_lag_seconds`) and structured logs with tenant/graph identifiers. | Metrics/traces exposed; dashboards updated; integration tests verify metrics emission. | + +## Policy Engine + Editor v1 (Sprint 23) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SCHED-WORKER-23-101 | TODO | Scheduler Worker Guild, Policy Guild | POLICY-ENGINE-50-004 | Implement policy re-evaluation worker that shards assets, honours rate limits, and updates progress for Console after policy activation events. 
| Worker processes staging workloads; metrics (`policy_reeval_seconds`) emitted; retries/backoff validated. | +| SCHED-WORKER-23-102 | TODO | Scheduler Worker Guild, Observability Guild | SCHED-WORKER-23-101 | Add reconciliation job ensuring re-eval completion within SLA, emitting alerts on backlog and persisting status to `policy_runs`. | Reconciliation job operational with alert thresholds; integration tests simulate failure recovery; dashboards updated. | +| SCHED-WORKER-CONSOLE-23-201 | TODO | Scheduler Worker Guild, Observability Guild | SCHED-WORKER-20-301, SCHED-WORKER-23-101 | Stream run progress events (stage status, tuples processed, SLA hints) to Redis/NATS for Console SSE, with heartbeat, dedupe, and retention policy. Publish metrics + structured logs for queue lag. | Event stream schema documented, latency <2s, console integration tests consume events, metrics/alerts in place. | +| SCHED-WORKER-CONSOLE-23-202 | TODO | Scheduler Worker Guild, Policy Guild | EXPORT-CONSOLE-23-001, SCHED-WORKER-20-301 | Coordinate evidence bundle jobs (enqueue, track status, cleanup) and expose job manifests to Web gateway; ensure idempotent reruns and cancellation support. | Job lifecycle implemented with idempotent identifiers, cancellation/resume tested, manifests persisted with retention policy, runbooks updated. | + +## Policy Studio (Sprint 27) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SCHED-WORKER-27-301 | TODO | Scheduler Worker Guild, Policy Registry Guild | SCHED-WORKER-20-301, REGISTRY-API-27-005 | Implement policy batch simulation worker: shard SBOM inventories, invoke Policy Engine, emit partial results, handle retries/backoff, and publish progress events. | Worker processes seeded workloads, retries/backoff validated, metrics (`policy_simulation_shard_seconds`) emitted, integration tests cover failure recovery. 
| +| SCHED-WORKER-27-302 | TODO | Scheduler Worker Guild, Observability Guild | SCHED-WORKER-27-301, REGISTRY-API-27-005 | Build reducer job aggregating shard outputs into final manifests (counts, deltas, samples) and writing to object storage with checksums; emit completion events. | Reducer produces deterministic manifests with checksums, events notify Registry/Web, dashboards updated with aggregate latency metrics. | +| SCHED-WORKER-27-303 | TODO | Scheduler Worker Guild, Security Guild | SCHED-WORKER-27-301, AUTH-POLICY-27-002 | Enforce tenant isolation, scope checks, and attestation integration for simulation jobs; secret scanning pipeline for uploaded policy sources. | Jobs validate tenant scope before execution, attestation metadata attached to results, secret scan failures logged/blocked, security tests added. | + +## Exceptions v1 (Sprint 25) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SCHED-WORKER-25-101 | TODO | Scheduler Worker Guild, Policy Guild | POLICY-ENGINE-70-005 | Implement exception lifecycle worker handling auto-activation/expiry and publishing `exception.*` events with retries/backoff. | Worker transitions exceptions correctly; events emitted with metrics; tests cover activation/expiry paths. | +| SCHED-WORKER-25-102 | TODO | Scheduler Worker Guild, Observability Guild | SCHED-WORKER-25-101 | Add expiring notification job generating digests, marking `expiring` state, updating metrics/alerts. | Notifications produced; metrics/alerts configured; documentation updated. 
| + +## Reachability v1 (Sprint 26) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SCHED-WORKER-26-201 | TODO | Scheduler Worker Guild, Signals Guild | SIGNALS-24-004 | Build reachability joiner worker that combines SBOM snapshots with signals, writes cached facts, and schedules updates on new events. | Worker processes fixtures; cache updated; metrics emitted; tests cover event-triggered runs. | +| SCHED-WORKER-26-202 | TODO | Scheduler Worker Guild | SCHED-WORKER-26-201 | Implement staleness monitor + notifier for outdated reachability facts, publishing warnings and updating dashboards. | Monitor flags stale assets; notifications emitted; documentation updated. | + +## Vulnerability Explorer (Sprint 29) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SCHED-WORKER-29-001 | TODO | Scheduler Worker Guild, Findings Ledger Guild | SBOM-VULN-29-001, CONCELIER-VULN-29-001, EXCITITOR-VULN-29-001 | Implement resolver worker generating candidate findings from inventory + advisory evidence, respecting ecosystem version semantics and path scope; emit jobs for policy evaluation. | Worker produces deterministic candidates; property tests cover version comparisons; metrics emitted (`resolver_candidates_total`). | +| SCHED-WORKER-29-002 | TODO | Scheduler Worker Guild, Policy Guild | SCHED-WORKER-29-001, POLICY-ENGINE-29-001 | Build evaluation orchestration worker invoking Policy Engine batch eval, writing results to Findings Ledger projector queue, and handling retries/backoff. | Evaluation worker meets SLA; retries documented; integration tests cover failure modes. 
| +| SCHED-WORKER-29-003 | TODO | Scheduler Worker Guild, Observability Guild | SCHED-WORKER-29-001..002 | Add monitoring for resolver/evaluation backlog, SLA breaches, and export job queue; expose metrics/alerts feeding DevOps dashboards. | Metrics/alerts live; runbooks updated; CI verifies metric emission. | diff --git a/src/StellaOps.Sdk.Generator/AGENTS.md b/src/StellaOps.Sdk.Generator/AGENTS.md new file mode 100644 index 00000000..f608eec2 --- /dev/null +++ b/src/StellaOps.Sdk.Generator/AGENTS.md @@ -0,0 +1,15 @@ +# SDK Generator Guild Charter + +## Mission +Generate and maintain official StellaOps SDKs across supported languages using reproducible code generation pipelines. + +## Scope +- Manage code generation templates and tooling for TS, Python, Go, Java (C#/Rust follow-ons). +- Implement post-processing hooks for auth helpers, retries, paginators, error mapping, and telemetry. +- Provide language-specific smoke tests, example snippets, and continuous integration. +- Coordinate with Release Guild for publishing and version bumps. + +## Definition of Done +- SDKs regenerate deterministically from `stella.yaml` without manual edits. +- Smoke tests and integration suites run per language in CI. +- Generated code adheres to language-specific style guides and passes lint/format checks. diff --git a/src/StellaOps.Sdk.Generator/TASKS.md b/src/StellaOps.Sdk.Generator/TASKS.md new file mode 100644 index 00000000..379b9f3c --- /dev/null +++ b/src/StellaOps.Sdk.Generator/TASKS.md 
@@ -0,0 +1,21 @@ +# SDK Generator Task Board — Epic 17: SDKs & OpenAPI Docs + +## Sprint 62 – Generator Framework +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SDKGEN-62-001 | TODO | SDK Generator Guild | OAS-61-002 | Choose/pin generator toolchain, set up language template pipeline, and enforce reproducible builds. | Generator outputs deterministic code for sample spec; pipelines documented; lint passes. | +| SDKGEN-62-002 | TODO | SDK Generator Guild | SDKGEN-62-001 | Implement shared post-processing (auth helpers, retries, pagination utilities, telemetry hooks) applied to all languages. | Shared library integrated; unit tests cover helpers; docs updated. | + +## Sprint 63 – Language Alpha Releases +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SDKGEN-63-001 | TODO | SDK Generator Guild | SDKGEN-62-002 | Ship TypeScript SDK alpha with ESM/CJS builds, typed errors, paginator, streaming helpers. | TS package published to internal registry; smoke tests pass; README generated. | +| SDKGEN-63-002 | TODO | SDK Generator Guild | SDKGEN-62-002 | Ship Python SDK alpha (sync/async clients, type hints, upload/download helpers). | PyPI internal feed updated; mypy/pytest suites pass; docs generated. | +| SDKGEN-63-003 | TODO | SDK Generator Guild | SDKGEN-62-002 | Ship Go SDK alpha with context-first API and streaming helpers. | Go module published; gofmt/govet pass; integration tests run. | +| SDKGEN-63-004 | TODO | SDK Generator Guild | SDKGEN-62-002 | Ship Java SDK alpha (builder pattern, HTTP client abstraction). | Maven package staged; integration tests run; javadoc generated. 
| + +## Sprint 64 – Harden & Dogfood +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SDKGEN-64-001 | TODO | SDK Generator Guild, CLI Guild | SDKGEN-63-001 | Switch CLI to consume TS or Go SDK; ensure parity. | CLI builds/tests using SDK; regression suite passes. | +| SDKGEN-64-002 | TODO | SDK Generator Guild, Console Guild | SDKGEN-63-001..4 | Integrate SDKs into Console data providers where feasible. | Console builds with SDK; telemetry recorded; manual QA sign-off. | diff --git a/src/StellaOps.Sdk.Release/AGENTS.md b/src/StellaOps.Sdk.Release/AGENTS.md new file mode 100644 index 00000000..72dc4749 --- /dev/null +++ b/src/StellaOps.Sdk.Release/AGENTS.md @@ -0,0 +1,15 @@ +# SDK Release Guild Charter + +## Mission +Own packaging, signing, publishing, and changelog automation for official StellaOps SDKs and dev portal bundles. + +## Scope +- Manage language-specific release pipelines (npm, PyPI, Maven, Go modules) with provenance signing. +- Automate changelog generation and SemVer version bumps aligned with API releases. +- Coordinate publication of offline bundles for air-gapped environments. +- Operate release dashboards and notification hooks for SDK updates. + +## Definition of Done +- Every SDK release is reproducible, signed, and accompanied by changelog + provenance. +- Registries updated via automated pipeline with rollback strategy. +- Offline bundle creation integrated with Export Center workflows. diff --git a/src/StellaOps.Sdk.Release/TASKS.md b/src/StellaOps.Sdk.Release/TASKS.md new file mode 100644 index 00000000..b7dc9706 --- /dev/null +++ b/src/StellaOps.Sdk.Release/TASKS.md 
@@ -0,0 +1,13 @@ +# SDK Release Task Board — Epic 17: SDKs & OpenAPI Docs + +## Sprint 63 – Pipeline Setup +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SDKREL-63-001 | TODO | SDK Release Guild | SDKGEN-63-001..4 | Configure CI pipelines for npm, PyPI, Maven Central staging, and Go proxies with signing and provenance attestations. | Pipelines publish to staging registries; provenance artifacts stored; rollback plan documented. | +| SDKREL-63-002 | TODO | SDK Release Guild, API Governance Guild | SDKREL-63-001 | Integrate changelog automation pulling from OAS diffs and generator metadata. | Changelogs generated per release; included in packages; verification tests pass. | + +## Sprint 64 – Release Automation & Notifications +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SDKREL-64-001 | TODO | SDK Release Guild, Notifications Guild | SDKREL-63-002 | Hook SDK releases into Notifications Studio with scoped announcements and RSS/Atom feeds. | Notification templates live; staging release triggers announcement; docs updated. | +| SDKREL-64-002 | TODO | SDK Release Guild, Export Center Guild | SDKREL-63-001 | Add `devportal --offline` bundle job packaging docs, specs, SDK artifacts for air-gapped users. | Offline bundle generated and verified; Export Center docs updated. | diff --git a/src/StellaOps.Signals/AGENTS.md b/src/StellaOps.Signals/AGENTS.md new file mode 100644 index 00000000..1f2f67dc --- /dev/null +++ b/src/StellaOps.Signals/AGENTS.md 
@@ -0,0 +1,11 @@ +# StellaOps.Signals — Agent Charter + +## Mission +Provide language-agnostic collection, normalization, and scoring of reachability and exploitability signals for Stella Ops. Accept static artifacts (call graphs, symbol references) and runtime context facts, derive normalized reachability states/scores, and expose them to Policy Engine, Web API, and Console without mutating advisory evidence. + +## Expectations +- Maintain deterministic scoring with full provenance (AOC chains). +- Support incremental ingestion (per asset + snapshot) and expose caches for fast policy evaluation. +- Coordinate with SBOM/Policy/Console guilds on schema changes and UI expectations. +- Implement guardrails for large artifacts, authentication, and privacy (no PII). +- Update `TASKS.md`, `SPRINTS.md` as work progresses. diff --git a/src/StellaOps.Signals/TASKS.md b/src/StellaOps.Signals/TASKS.md new file mode 100644 index 00000000..c02c2454 --- /dev/null +++ b/src/StellaOps.Signals/TASKS.md 
@@ -0,0 +1,8 @@ +# Signals Service Task Board — Reachability v1 +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SIGNALS-24-001 | TODO | Signals Guild, Architecture Guild | SBOM-GRAPH-24-002 | Implement Signals API skeleton (ASP.NET Minimal API) with auth middleware, health checks, and configuration binding. | Service boots with configuration validation, `/healthz`/`/readyz` return 200, RBAC enforced in integration tests. | +| SIGNALS-24-002 | TODO | Signals Guild, Language Specialists | SIGNALS-24-001 | Build callgraph ingestion pipeline (Java/Node/Python/Go parsers) normalizing into `callgraphs` collection and storing artifact metadata in object storage. | Parsers accept sample artifacts; data persisted with schema validation; unit tests cover malformed inputs. | +| SIGNALS-24-003 | TODO | Signals Guild, Runtime Guild | SIGNALS-24-001 | Implement runtime facts ingestion endpoint and normalizer (process, sockets, container metadata) populating `context_facts` with AOC provenance. | Endpoint ingests fixture batches; duplicates deduped; schema enforced; tests cover privacy filters. | +| SIGNALS-24-004 | TODO | Signals Guild, Data Science | SIGNALS-24-002, SIGNALS-24-003 | Deliver reachability scoring engine producing states/scores and writing to `reachability_facts`; expose configuration for weights. | Scoring engine deterministic; tests cover state transitions; metrics emitted. | +| SIGNALS-24-005 | TODO | Signals Guild, Platform Events Guild | SIGNALS-24-004 | Implement Redis caches (`reachability_cache:*`), invalidation on new facts, and publish `signals.fact.updated` events. | Cache hit rate tracked; invalidations working; events delivered with idempotent ids; integration tests pass. | diff --git a/src/StellaOps.Signer/TASKS.md b/src/StellaOps.Signer/TASKS.md index 3bb1186a..67dbb780 100644 --- a/src/StellaOps.Signer/TASKS.md +++ b/src/StellaOps.Signer/TASKS.md 
@@ -2,10 +2,9 @@ | ID | Status | Owner(s) | Depends on | Description | Exit Criteria | |----|--------|----------|------------|-------------|---------------| -| SIGNER-API-11-101 | DONE (2025-10-21) | Signer Guild | — | `/sign/dsse` pipeline with Authority auth, PoE introspection, release verification, DSSE signing. | ✅ `POST /api/v1/signer/sign/dsse` enforces OpTok audience/scope, DPoP/mTLS binding, PoE introspection, and rejects untrusted scanner digests.
✅ Signing pipeline supports keyless (Fulcio) plus optional KMS modes, returning DSSE bundles + cert metadata; deterministic audits persisted.
✅ Regression coverage in `SignerEndpointsTests` (`dotnet test src/StellaOps.Signer/StellaOps.Signer.Tests/StellaOps.Signer.Tests.csproj`). | -| SIGNER-REF-11-102 | DONE (2025-10-21) | Signer Guild | — | `/verify/referrers` endpoint with OCI lookup, caching, and policy enforcement. | ✅ `GET /api/v1/signer/verify/referrers` validates trusted scanner digests via release verifier and surfaces signer metadata; JSON responses served deterministically.
✅ Integration tests cover trusted/untrusted digests and validation failures (`SignerEndpointsTests`). | -| SIGNER-QUOTA-11-103 | DONE (2025-10-21) | Signer Guild | — | Enforce plan quotas, concurrency/QPS limits, artifact size caps with metrics/audit logs. | ✅ Quota middleware derives plan limits from PoE claims, applies per-tenant concurrency/QPS/size caps, and surfaces remaining capacity in responses.
✅ Unit coverage exercises throttled/artifact-too-large paths via in-memory quota service. | +| SIGNER-API-11-101 | DONE (2025-10-21) | Signer Guild | — | `/sign/dsse` pipeline with Authority auth, PoE introspection, release verification, DSSE signing. | ✅ `POST /api/v1/signer/sign/dsse` enforces OpTok audience/scope, DPoP/mTLS binding, PoE introspection, and rejects untrusted scanner digests.
✅ Signing pipeline supports keyless (Fulcio) plus optional KMS modes, returning DSSE bundles + cert metadata; deterministic audits persisted.
✅ Regression coverage in `SignerEndpointsTests` (`dotnet test src/StellaOps.Signer/StellaOps.Signer.Tests/StellaOps.Signer.Tests.csproj`). | +| SIGNER-REF-11-102 | DONE (2025-10-21) | Signer Guild | — | `/verify/referrers` endpoint with OCI lookup, caching, and policy enforcement. | ✅ `GET /api/v1/signer/verify/referrers` validates trusted scanner digests via release verifier and surfaces signer metadata; JSON responses served deterministically.
✅ Integration tests cover trusted/untrusted digests and validation failures (`SignerEndpointsTests`). | +| SIGNER-QUOTA-11-103 | DONE (2025-10-21) | Signer Guild | — | Enforce plan quotas, concurrency/QPS limits, artifact size caps with metrics/audit logs. | ✅ Quota middleware derives plan limits from PoE claims, applies per-tenant concurrency/QPS/size caps, and surfaces remaining capacity in responses.
✅ Unit coverage exercises throttled/artifact-too-large paths via in-memory quota service. | -> Remark (2025-10-19): Wave 0 prerequisites reviewed—none outstanding. SIGNER-API-11-101, SIGNER-REF-11-102, and SIGNER-QUOTA-11-103 moved to DOING for kickoff per EXECPLAN.md. > Update status columns (TODO / DOING / DONE / BLOCKED) in tandem with code changes and associated tests. diff --git a/src/StellaOps.TaskRunner/AGENTS.md b/src/StellaOps.TaskRunner/AGENTS.md new file mode 100644 index 00000000..d8f38b18 --- /dev/null +++ b/src/StellaOps.TaskRunner/AGENTS.md @@ -0,0 +1,17 @@ +# Task Runner Service — Agent Charter + +## Mission +Execute Task Packs safely and deterministically. Provide remote pack execution, approvals, logging, artifact capture, and policy gates in support of Epic 12, honoring the imposed rule to propagate similar work where needed. + +## Responsibilities +- Validate Task Packs, enforce RBAC/approvals, orchestrate steps, manage artifacts/logs, stream status. +- Integrate with Orchestrator, Authority, Policy Engine, Export Center, Notifications, and CLI. +- Guarantee reproducible runs, provenance manifests, and secure handling of secrets and networks. + +## Module Layout +- `StellaOps.TaskRunner.Core/` — execution engine, step DSL, policy gates. +- `StellaOps.TaskRunner.Infrastructure/` — storage adapters, artifact handling, external clients. +- `StellaOps.TaskRunner.WebService/` — run management APIs and simulation endpoints. +- `StellaOps.TaskRunner.Worker/` — background executors, approvals, and telemetry loops. +- `StellaOps.TaskRunner.Tests/` — unit tests for core/infrastructure code paths. +- `StellaOps.TaskRunner.sln` — module solution. diff --git a/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Class1.cs b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Class1.cs new file mode 100644 index 00000000..2d7d7a94 --- /dev/null +++ b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/Class1.cs 
@@ -0,0 +1,6 @@
+namespace StellaOps.TaskRunner.Core;
+
+public class Class1
+{
+
+}
diff --git a/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/StellaOps.TaskRunner.Core.csproj b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/StellaOps.TaskRunner.Core.csproj
new file mode 100644
index 00000000..fe0eef44
--- /dev/null
+++ b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Core/StellaOps.TaskRunner.Core.csproj
@@ -0,0 +1,18 @@
+
+
+
+
+
+
+
+
+ net10.0
+ enable
+ enable
+ preview
+ true
+
+
+
+
+
diff --git a/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/Class1.cs b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/Class1.cs
new file mode 100644
index 00000000..748aebee
--- /dev/null
+++ b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/Class1.cs
@@ -0,0 +1,6 @@
+namespace StellaOps.TaskRunner.Infrastructure;
+
+public class Class1
+{
+
+}
diff --git a/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/StellaOps.TaskRunner.Infrastructure.csproj b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/StellaOps.TaskRunner.Infrastructure.csproj
new file mode 100644
index 00000000..9291cfb0
--- /dev/null
+++ b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Infrastructure/StellaOps.TaskRunner.Infrastructure.csproj
@@ -0,0 +1,28 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ net10.0
+ enable
+ enable
+ preview
+ true
+
+
+
+
+
diff --git a/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/StellaOps.TaskRunner.Tests.csproj b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/StellaOps.TaskRunner.Tests.csproj
new file mode 100644
index 00000000..775c67e7
--- /dev/null
+++ b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/StellaOps.TaskRunner.Tests.csproj
@@ -0,0 +1,135 @@ + + + + + + + + + + + + + Exe + + + + + false + + + + + + + + + + + + + + net10.0 + + + enable + + + enable + + + false + + + preview + + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/UnitTest1.cs b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/UnitTest1.cs new file mode 100644 index 00000000..2b18d585 --- /dev/null +++ b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/UnitTest1.cs @@ -0,0 +1,10 @@ +namespace StellaOps.TaskRunner.Tests; + +public class UnitTest1 +{ + [Fact] + public void Test1() + { + + } +} diff --git a/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/xunit.runner.json b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/xunit.runner.json new file mode 100644 index 00000000..86c7ea05 --- /dev/null +++ b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Tests/xunit.runner.json @@ -0,0 +1,3 @@ +{ + "$schema": "https://xunit.net/schema/current/xunit.runner.schema.json" +} diff --git a/src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/Program.cs b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/Program.cs new file mode 100644 index 00000000..ee9d65d6 --- /dev/null +++ b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/Program.cs 
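Review bot: `Test1` in UnitTest1.cs is an empty `[Fact]` with no assertion, so the new test project reports a passing suite while exercising nothing, and a green CI run for `StellaOps.TaskRunner.Tests` would be mistaken for coverage. Either delete the placeholder or mark it `[Fact(Skip = "TaskRunner core not implemented yet")]` until there is something to assert. The charter added in this commit names `StellaOps.TaskRunner.Tests/` as the home for Core/Infrastructure unit tests, and both of those projects are empty `Class1` stubs here, so nothing is lost by skipping it. The `Tests.csproj` hunk in this same line cannot be reviewed from this rendering because its XML was stripped.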
@@ -0,0 +1,41 @@
+var builder = WebApplication.CreateBuilder(args);
+
+// Add services to the container.
+// Learn more about configuring OpenAPI at https://aka.ms/aspnet/openapi
+builder.Services.AddOpenApi();
+
+var app = builder.Build();
+
+// Configure the HTTP request pipeline.
+if (app.Environment.IsDevelopment())
+{
+ app.MapOpenApi();
+}
+
+app.UseHttpsRedirection();
+
+var summaries = new[]
+{
+ "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
+};
+
+app.MapGet("/weatherforecast", () =>
+{
+ var forecast = Enumerable.Range(1, 5).Select(index =>
+ new WeatherForecast
+ (
+ DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
+ Random.Shared.Next(-20, 55),
+ summaries[Random.Shared.Next(summaries.Length)]
+ ))
+ .ToArray();
+ return forecast;
+})
+.WithName("GetWeatherForecast");
+
+app.Run();
+
+record WeatherForecast(DateOnly Date, int TemperatureC, string? Summary)
+{
+ public int TemperatureF => 32 + (int)(TemperatureC / 0.5556);
+}
diff --git a/src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/Properties/launchSettings.json b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/Properties/launchSettings.json
new file mode 100644
index 00000000..affe11d3
--- /dev/null
+++ b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/Properties/launchSettings.json
@@ -0,0 +1,23 @@
+{
+ "$schema": "https://json.schemastore.org/launchsettings.json",
+ "profiles": {
+ "http": {
+ "commandName": "Project",
+ "dotnetRunMessages": true,
+ "launchBrowser": false,
+ "applicationUrl": "http://localhost:5157",
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ },
+ "https": {
+ "commandName": "Project",
+ "dotnetRunMessages": true,
+ "launchBrowser": false,
+ "applicationUrl": "https://localhost:7035;http://localhost:5157",
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ }
+ }
+}
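Review bot: The WebService Program.cs is the unmodified `dotnet new webapi` template: the pipeline registers no authentication or authorization, exposes no `/healthz`/`/readyz` probes, and its only route is the anonymous sample `/weatherforecast`, while the TaskRunner charter added in this same commit says the service must enforce RBAC/approvals and the Scheduler notes on this page describe the expected host shape (Authority OpTok + DPoP via the existing DI helpers, `/healthz` + `/readyz`). The sample route, the `summaries` array and the `WeatherForecast` record (with its `DateTime.Now`/`Random.Shared` demo values) should not ship as the first public surface of a service that executes Task Packs; the sibling `.http` file still targets `/weatherforecast/` and needs the same cleanup. The sketch below keeps the OpenAPI wiring and replaces the sample with auth middleware and health probes; the concrete Authority handlers are left as a placeholder because they are not visible on this page.
```csharp
var builder = WebApplication.CreateBuilder(args);

builder.Services.AddOpenApi();
// TODO(review): register the Authority OpTok + DPoP handlers via the shared DI helpers here.
builder.Services.AddAuthentication();
builder.Services.AddAuthorization();
builder.Services.AddHealthChecks();

var app = builder.Build();

// … unchanged: development-only app.MapOpenApi() …

app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();

// Liveness/readiness only; the sample /weatherforecast route and WeatherForecast record are removed.
app.MapHealthChecks("/healthz");
app.MapHealthChecks("/readyz");

app.Run();
```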
diff --git a/src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/StellaOps.TaskRunner.WebService.csproj b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/StellaOps.TaskRunner.WebService.csproj new file mode 100644 index 00000000..0fde3b90 --- /dev/null +++ b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/StellaOps.TaskRunner.WebService.csproj @@ -0,0 +1,41 @@ + + + + + + + + + net10.0 + enable + enable + preview + true + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/StellaOps.TaskRunner.WebService.http b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/StellaOps.TaskRunner.WebService.http new file mode 100644 index 00000000..c2efa93a --- /dev/null +++ b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/StellaOps.TaskRunner.WebService.http @@ -0,0 +1,6 @@ +@StellaOps.TaskRunner.WebService_HostAddress = http://localhost:5157 + +GET {{StellaOps.TaskRunner.WebService_HostAddress}}/weatherforecast/ +Accept: application/json + +### diff --git a/src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/appsettings.Development.json b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/appsettings.Development.json new file mode 100644 index 00000000..0c208ae9 --- /dev/null +++ b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/appsettings.Development.json @@ -0,0 +1,8 @@ +{ + "Logging": { + "LogLevel": { + "Default": "Information", + "Microsoft.AspNetCore": "Warning" + } + } +} diff --git a/src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/appsettings.json b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/appsettings.json new file mode 100644 index 00000000..10f68b8c --- /dev/null +++ b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.WebService/appsettings.json @@ -0,0 +1,9 @@ +{ + "Logging": { + "LogLevel": { + "Default": "Information", + "Microsoft.AspNetCore": "Warning" + } + }, + "AllowedHosts": "*" +} 
diff --git a/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/Program.cs b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/Program.cs new file mode 100644 index 00000000..d338e617 --- /dev/null +++ b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/Program.cs @@ -0,0 +1,7 @@ +using StellaOps.TaskRunner.Worker; + +var builder = Host.CreateApplicationBuilder(args); +builder.Services.AddHostedService(); + +var host = builder.Build(); +host.Run(); diff --git a/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/Properties/launchSettings.json b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/Properties/launchSettings.json new file mode 100644 index 00000000..2722e495 --- /dev/null +++ b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/Properties/launchSettings.json @@ -0,0 +1,12 @@ +{ + "$schema": "https://json.schemastore.org/launchsettings.json", + "profiles": { + "StellaOps.TaskRunner.Worker": { + "commandName": "Project", + "dotnetRunMessages": true, + "environmentVariables": { + "DOTNET_ENVIRONMENT": "Development" + } + } + } +} diff --git a/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/StellaOps.TaskRunner.Worker.csproj b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/StellaOps.TaskRunner.Worker.csproj new file mode 100644 index 00000000..20b9cdad --- /dev/null +++ b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/StellaOps.TaskRunner.Worker.csproj @@ -0,0 +1,43 @@ + + + + + + + + + dotnet-StellaOps.TaskRunner.Worker-ce7b902e-94f1-41c2-861b-daa533850dc5 + + + net10.0 + enable + enable + preview + true + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/Worker.cs b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/Worker.cs new file mode 100644 index 00000000..5a5bc140 --- /dev/null +++ b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/Worker.cs 
@@ -0,0 +1,16 @@
+namespace StellaOps.TaskRunner.Worker;
+
+public class Worker(ILogger logger) : BackgroundService
+{
+ protected override async Task ExecuteAsync(CancellationToken stoppingToken)
+ {
+ while (!stoppingToken.IsCancellationRequested)
+ {
+ if (logger.IsEnabled(LogLevel.Information))
+ {
+ logger.LogInformation("Worker running at: {time}", DateTimeOffset.Now);
+ }
+ await Task.Delay(1000, stoppingToken);
+ }
+ }
+}
diff --git a/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/appsettings.Development.json b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/appsettings.Development.json
new file mode 100644
index 00000000..b2dcdb67
--- /dev/null
+++ b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/appsettings.Development.json
@@ -0,0 +1,8 @@
+{
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft.Hosting.Lifetime": "Information"
+ }
+ }
+}
diff --git a/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/appsettings.json b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/appsettings.json
new file mode 100644
index 00000000..b2dcdb67
--- /dev/null
+++ b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.Worker/appsettings.json
@@ -0,0 +1,8 @@
+{
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft.Hosting.Lifetime": "Information"
+ }
+ }
+}
diff --git a/src/StellaOps.TaskRunner/StellaOps.TaskRunner.sln b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.sln
new file mode 100644
index 00000000..ca994938
--- /dev/null
+++ b/src/StellaOps.TaskRunner/StellaOps.TaskRunner.sln
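Review bot: The placeholder loop in `ExecuteAsync` logs `DateTimeOffset.Now`, i.e. the local time of whichever node runs the worker, while the Telemetry Core charter and TASKRUN-OBS-50-001 added in this commit ask for deterministic, comparable log output across hosts; prefer `logger.LogInformation("Worker running at: {time}", DateTimeOffset.UtcNow);` or an injected `TimeProvider` so tests can pin the clock. The constructor parameter is rendered here as `ILogger logger`; if the generic argument was lost in rendering this is fine, otherwise it should be `ILogger<Worker>` so the log category names the worker type. The same scaffold is added as StellaOps.TimelineIndexer.Worker/Worker.cs later in this commit and the same remarks apply there.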
@@ -0,0 +1,90 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 17 +VisualStudioVersion = 17.0.31903.59 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.TaskRunner.Core", "StellaOps.TaskRunner.Core\StellaOps.TaskRunner.Core.csproj", "{105A0C4D-1ECD-4581-8EBF-8DB29D6EE857}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.TaskRunner.Infrastructure", "StellaOps.TaskRunner.Infrastructure\StellaOps.TaskRunner.Infrastructure.csproj", "{1B4F4A2B-9C38-4E7A-BFBE-158BF7C1F61B}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.TaskRunner.WebService", "StellaOps.TaskRunner.WebService\StellaOps.TaskRunner.WebService.csproj", "{D8A63A97-9C56-448B-A4BB-056130224750}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.TaskRunner.Worker", "StellaOps.TaskRunner.Worker\StellaOps.TaskRunner.Worker.csproj", "{C0AC4DD1-6DD7-4FCF-A6DD-5DE9B86D6753}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.TaskRunner.Tests", "StellaOps.TaskRunner.Tests\StellaOps.TaskRunner.Tests.csproj", "{552E7C8A-74F6-4E33-B956-46DF96E2BE11}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Any CPU = Debug|Any CPU + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|Any CPU = Release|Any CPU + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {105A0C4D-1ECD-4581-8EBF-8DB29D6EE857}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {105A0C4D-1ECD-4581-8EBF-8DB29D6EE857}.Debug|Any CPU.Build.0 = Debug|Any CPU + {105A0C4D-1ECD-4581-8EBF-8DB29D6EE857}.Debug|x64.ActiveCfg = Debug|Any CPU + {105A0C4D-1ECD-4581-8EBF-8DB29D6EE857}.Debug|x64.Build.0 = Debug|Any CPU + {105A0C4D-1ECD-4581-8EBF-8DB29D6EE857}.Debug|x86.ActiveCfg = Debug|Any CPU + 
{105A0C4D-1ECD-4581-8EBF-8DB29D6EE857}.Debug|x86.Build.0 = Debug|Any CPU + {105A0C4D-1ECD-4581-8EBF-8DB29D6EE857}.Release|Any CPU.ActiveCfg = Release|Any CPU + {105A0C4D-1ECD-4581-8EBF-8DB29D6EE857}.Release|Any CPU.Build.0 = Release|Any CPU + {105A0C4D-1ECD-4581-8EBF-8DB29D6EE857}.Release|x64.ActiveCfg = Release|Any CPU + {105A0C4D-1ECD-4581-8EBF-8DB29D6EE857}.Release|x64.Build.0 = Release|Any CPU + {105A0C4D-1ECD-4581-8EBF-8DB29D6EE857}.Release|x86.ActiveCfg = Release|Any CPU + {105A0C4D-1ECD-4581-8EBF-8DB29D6EE857}.Release|x86.Build.0 = Release|Any CPU + {1B4F4A2B-9C38-4E7A-BFBE-158BF7C1F61B}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {1B4F4A2B-9C38-4E7A-BFBE-158BF7C1F61B}.Debug|Any CPU.Build.0 = Debug|Any CPU + {1B4F4A2B-9C38-4E7A-BFBE-158BF7C1F61B}.Debug|x64.ActiveCfg = Debug|Any CPU + {1B4F4A2B-9C38-4E7A-BFBE-158BF7C1F61B}.Debug|x64.Build.0 = Debug|Any CPU + {1B4F4A2B-9C38-4E7A-BFBE-158BF7C1F61B}.Debug|x86.ActiveCfg = Debug|Any CPU + {1B4F4A2B-9C38-4E7A-BFBE-158BF7C1F61B}.Debug|x86.Build.0 = Debug|Any CPU + {1B4F4A2B-9C38-4E7A-BFBE-158BF7C1F61B}.Release|Any CPU.ActiveCfg = Release|Any CPU + {1B4F4A2B-9C38-4E7A-BFBE-158BF7C1F61B}.Release|Any CPU.Build.0 = Release|Any CPU + {1B4F4A2B-9C38-4E7A-BFBE-158BF7C1F61B}.Release|x64.ActiveCfg = Release|Any CPU + {1B4F4A2B-9C38-4E7A-BFBE-158BF7C1F61B}.Release|x64.Build.0 = Release|Any CPU + {1B4F4A2B-9C38-4E7A-BFBE-158BF7C1F61B}.Release|x86.ActiveCfg = Release|Any CPU + {1B4F4A2B-9C38-4E7A-BFBE-158BF7C1F61B}.Release|x86.Build.0 = Release|Any CPU + {D8A63A97-9C56-448B-A4BB-056130224750}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {D8A63A97-9C56-448B-A4BB-056130224750}.Debug|Any CPU.Build.0 = Debug|Any CPU + {D8A63A97-9C56-448B-A4BB-056130224750}.Debug|x64.ActiveCfg = Debug|Any CPU + {D8A63A97-9C56-448B-A4BB-056130224750}.Debug|x64.Build.0 = Debug|Any CPU + {D8A63A97-9C56-448B-A4BB-056130224750}.Debug|x86.ActiveCfg = Debug|Any CPU + {D8A63A97-9C56-448B-A4BB-056130224750}.Debug|x86.Build.0 = Debug|Any CPU + 
{D8A63A97-9C56-448B-A4BB-056130224750}.Release|Any CPU.ActiveCfg = Release|Any CPU + {D8A63A97-9C56-448B-A4BB-056130224750}.Release|Any CPU.Build.0 = Release|Any CPU + {D8A63A97-9C56-448B-A4BB-056130224750}.Release|x64.ActiveCfg = Release|Any CPU + {D8A63A97-9C56-448B-A4BB-056130224750}.Release|x64.Build.0 = Release|Any CPU + {D8A63A97-9C56-448B-A4BB-056130224750}.Release|x86.ActiveCfg = Release|Any CPU + {D8A63A97-9C56-448B-A4BB-056130224750}.Release|x86.Build.0 = Release|Any CPU + {C0AC4DD1-6DD7-4FCF-A6DD-5DE9B86D6753}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {C0AC4DD1-6DD7-4FCF-A6DD-5DE9B86D6753}.Debug|Any CPU.Build.0 = Debug|Any CPU + {C0AC4DD1-6DD7-4FCF-A6DD-5DE9B86D6753}.Debug|x64.ActiveCfg = Debug|Any CPU + {C0AC4DD1-6DD7-4FCF-A6DD-5DE9B86D6753}.Debug|x64.Build.0 = Debug|Any CPU + {C0AC4DD1-6DD7-4FCF-A6DD-5DE9B86D6753}.Debug|x86.ActiveCfg = Debug|Any CPU + {C0AC4DD1-6DD7-4FCF-A6DD-5DE9B86D6753}.Debug|x86.Build.0 = Debug|Any CPU + {C0AC4DD1-6DD7-4FCF-A6DD-5DE9B86D6753}.Release|Any CPU.ActiveCfg = Release|Any CPU + {C0AC4DD1-6DD7-4FCF-A6DD-5DE9B86D6753}.Release|Any CPU.Build.0 = Release|Any CPU + {C0AC4DD1-6DD7-4FCF-A6DD-5DE9B86D6753}.Release|x64.ActiveCfg = Release|Any CPU + {C0AC4DD1-6DD7-4FCF-A6DD-5DE9B86D6753}.Release|x64.Build.0 = Release|Any CPU + {C0AC4DD1-6DD7-4FCF-A6DD-5DE9B86D6753}.Release|x86.ActiveCfg = Release|Any CPU + {C0AC4DD1-6DD7-4FCF-A6DD-5DE9B86D6753}.Release|x86.Build.0 = Release|Any CPU + {552E7C8A-74F6-4E33-B956-46DF96E2BE11}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {552E7C8A-74F6-4E33-B956-46DF96E2BE11}.Debug|Any CPU.Build.0 = Debug|Any CPU + {552E7C8A-74F6-4E33-B956-46DF96E2BE11}.Debug|x64.ActiveCfg = Debug|Any CPU + {552E7C8A-74F6-4E33-B956-46DF96E2BE11}.Debug|x64.Build.0 = Debug|Any CPU + {552E7C8A-74F6-4E33-B956-46DF96E2BE11}.Debug|x86.ActiveCfg = Debug|Any CPU + {552E7C8A-74F6-4E33-B956-46DF96E2BE11}.Debug|x86.Build.0 = Debug|Any CPU + {552E7C8A-74F6-4E33-B956-46DF96E2BE11}.Release|Any CPU.ActiveCfg = Release|Any CPU + 
{552E7C8A-74F6-4E33-B956-46DF96E2BE11}.Release|Any CPU.Build.0 = Release|Any CPU + {552E7C8A-74F6-4E33-B956-46DF96E2BE11}.Release|x64.ActiveCfg = Release|Any CPU + {552E7C8A-74F6-4E33-B956-46DF96E2BE11}.Release|x64.Build.0 = Release|Any CPU + {552E7C8A-74F6-4E33-B956-46DF96E2BE11}.Release|x86.ActiveCfg = Release|Any CPU + {552E7C8A-74F6-4E33-B956-46DF96E2BE11}.Release|x86.Build.0 = Release|Any CPU + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection +EndGlobal diff --git a/src/StellaOps.TaskRunner/TASKS.md b/src/StellaOps.TaskRunner/TASKS.md new file mode 100644 index 00000000..0a55e468 --- /dev/null +++ b/src/StellaOps.TaskRunner/TASKS.md 
@@ -0,0 +1,47 @@ +# Task Runner Service Task Board — Epic 12: CLI Parity & Task Packs + +## Sprint 41 – Foundations +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| TASKRUN-41-001 | TODO | Task Runner Guild | ORCH-SVC-41-101, AUTH-PACKS-41-001 | Bootstrap service, define migrations for `pack_runs`, `pack_run_logs`, `pack_artifacts`, implement run API (create/get/log stream), local executor, approvals pause, artifact capture, and provenance manifest generation. | Service builds/tests; migrations scripted; run API functional with sample pack; logs/artefacts stored; manifest signed; compliance checklist recorded. | + +## Sprint 42 – Advanced Execution +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| TASKRUN-42-001 | TODO | Task Runner Guild | TASKRUN-41-001 | Add loops, conditionals, `maxParallel`, outputs, simulation mode, policy gate integration, and failure recovery (retry/abort) with deterministic state. | Executor handles control flow; simulation returns plan; policy gates pause for approvals; tests cover restart/resume. | + +## Sprint 43 – Approvals, Notifications, Hardening +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| TASKRUN-43-001 | TODO | Task Runner Guild | TASKRUN-42-001, NOTIFY-SVC-40-001 | Implement approvals workflow (resume after approval), notifications integration, remote artifact uploads, chaos resilience, secret injection, and audit logs. | Approvals/resume flow validated; notifications emitted; chaos tests documented; secrets redacted in logs; audit logs complete. 
| + +## Authority-Backed Scopes & Tenancy (Epic 14) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| TASKRUN-TEN-48-001 | TODO | Task Runner Guild | ORCH-TEN-48-001 | Require tenant/project context for every pack run, set DB/object-store prefixes, block egress when tenant restricted, and propagate context to steps/logs. | Pack runs fail without tenant context; artifacts stored under tenant prefix; tests verify enforcement. | + +## Observability & Forensics (Epic 15) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| TASKRUN-OBS-50-001 | TODO | Task Runner Guild | TELEMETRY-OBS-50-001, TELEMETRY-OBS-50-002 | Adopt telemetry core in Task Runner host + worker executors, ensuring step execution spans/logs include `trace_id`, `tenant_id`, `run_id`, and scrubbed command transcripts. | Telemetry emitted for sample runs; integration test verifies context propagation across async steps; log schema validated. | +| TASKRUN-OBS-51-001 | TODO | Task Runner Guild, DevOps Guild | TASKRUN-OBS-50-001, TELEMETRY-OBS-51-001 | Emit metrics for step latency, retries, queue depth, sandbox resource usage; define SLOs for pack run completion and failure rate; surface burn-rate alerts to collector/Notifier. | Metrics appear in dashboards; burn-rate alert tested; docs capture thresholds and response playbook. | +| TASKRUN-OBS-52-001 | TODO | Task Runner Guild | TASKRUN-OBS-50-001, TIMELINE-OBS-52-002 | Produce timeline events for pack runs (`pack.started`, `pack.step.completed`, `pack.failed`) containing evidence pointers and policy gate context. Provide dedupe + retry logic. | Timeline events recorded for sample runs; duplicates suppressed; tests cover error/retry; docs updated. 
| +| TASKRUN-OBS-53-001 | TODO | Task Runner Guild, Evidence Locker Guild | TASKRUN-OBS-52-001, EVID-OBS-53-002 | Capture step transcripts, artifact manifests, environment digests, and policy approvals into evidence locker snapshots; ensure redaction + hash chain coverage. | Evidence bundle created for sample pack; redaction tests pass; manifest linked in timeline. | +| TASKRUN-OBS-54-001 | TODO | Task Runner Guild, Provenance Guild | TASKRUN-OBS-53-001, PROV-OBS-53-002 | Generate DSSE attestations for pack runs (subjects = produced artifacts) and expose verification API/CLI integration. Store references in timeline events. | Attestation generated + verified; timeline includes attestation ref; docs updated. | +| TASKRUN-OBS-55-001 | TODO | Task Runner Guild, DevOps Guild | TASKRUN-OBS-51-001, TELEMETRY-OBS-55-001, DEVOPS-OBS-55-001 | Implement incident mode escalations (extra telemetry, debug artifact capture, retention bump) and align on automatic activation via SLO breach webhooks. | Incident mode toggles validated; extra artefacts captured; notifier integration tested. | + +## Air-Gapped Mode (Epic 16) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| TASKRUN-AIRGAP-56-001 | TODO | Task Runner Guild, AirGap Policy Guild | AIRGAP-POL-56-001, TASKRUN-OBS-50-001 | Enforce plan-time validation rejecting steps with non-allowlisted network calls in sealed mode and surface remediation errors. | Planner blocks disallowed steps; error contains remediation; tests cover sealed/unsealed behavior. | +| TASKRUN-AIRGAP-56-002 | TODO | Task Runner Guild, AirGap Importer Guild | TASKRUN-AIRGAP-56-001, AIRGAP-IMP-57-002 | Add helper steps for bundle ingestion (checksum verification, staging to object store) with deterministic outputs. | Helper steps succeed deterministically; integration tests import sample bundle. 
| +| TASKRUN-AIRGAP-57-001 | TODO | Task Runner Guild, AirGap Controller Guild | TASKRUN-AIRGAP-56-001, AIRGAP-CTL-56-002 | Refuse to execute plans when environment sealed=false but declared sealed install; emit advisory timeline events. | Mismatch detection works; timeline + telemetry record violation; docs updated. | +| TASKRUN-AIRGAP-58-001 | TODO | Task Runner Guild, Evidence Locker Guild | TASKRUN-OBS-53-001, EVID-OBS-55-001 | Capture bundle import job transcripts, hashed inputs, and outputs into portable evidence bundles. | Evidence recorded; manifests deterministic; timeline references created. | + +## SDKs & OpenAPI (Epic 17) +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| TASKRUN-OAS-61-001 | TODO | Task Runner Guild, API Contracts Guild | OAS-61-001 | Document Task Runner APIs (pack runs, logs, approvals) in service OAS, including streaming response schemas and examples. | OAS covers all Task Runner endpoints with examples; lint passes. | +| TASKRUN-OAS-61-002 | TODO | Task Runner Guild | TASKRUN-OAS-61-001 | Expose `GET /.well-known/openapi` returning signed spec metadata, build version, and ETag. | Discovery endpoint deployed; contract tests call endpoint; telemetry includes `x-stella-service`. | +| TASKRUN-OAS-62-001 | TODO | Task Runner Guild, SDK Generator Guild | TASKRUN-OAS-61-001, SDKGEN-63-001 | Provide SDK examples for pack run lifecycle; ensure SDKs offer streaming log helpers and paginator wrappers. | SDK smoke tests cover pack run flows; docs auto-embed snippets. | +| TASKRUN-OAS-63-001 | TODO | Task Runner Guild, API Governance Guild | APIGOV-63-001 | Implement deprecation header support and Sunset handling for legacy pack APIs; emit notifications metadata. | Deprecated endpoints emit headers; notifications pipeline validated; documentation updated. | 
diff --git a/src/StellaOps.Telemetry.Core/AGENTS.md b/src/StellaOps.Telemetry.Core/AGENTS.md
new file mode 100644
index 00000000..8e923a92
--- /dev/null
+++ b/src/StellaOps.Telemetry.Core/AGENTS.md
@@ -0,0 +1,21 @@
+# StellaOps Telemetry Core Guild Charter
+
+## Mission
+Deliver shared observability primitives for every StellaOps service. Provide deterministic logging, metrics, and tracing utilities that enforce the imposed rule: instrumentation patterns adopted here must be propagated wherever applicable.
+
+## Scope
+- Structured logging facade with fixed field schema and privacy guards.
+- OpenTelemetry SDK bootstrapping helpers for services and workers.
+- Sampling, exemplar, and redaction policies enforced in code.
+- Context propagation middleware for HTTP, gRPC, message, and job pipelines.
+- Validation test harnesses ensuring deterministic output across builds.
+
+## Coordination
+- Partner with DevOps Guild on collector/exporter defaults.
+- Align with Authority on trace/log scope annotations.
+- Collaborate with service guilds to roll out new instrumentation packages per sprint objectives.
+
+## Definition of Done
+- All library changes ship unit + integration tests.
+- Determinism mode runs (`dotnet test -c Deterministic`) pass locally and in CI.
+- Updated changelog fragments stored under `/docs/observability/` as referenced by tasks.
diff --git a/src/StellaOps.Telemetry.Core/TASKS.md b/src/StellaOps.Telemetry.Core/TASKS.md
new file mode 100644
index 00000000..f982da79
--- /dev/null
+++ b/src/StellaOps.Telemetry.Core/TASKS.md
@@ -0,0 +1,23 @@ +# Telemetry Core Task Board — Epic 15: Observability & Forensics + +## Sprint 50 – Baseline Instrumentation +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| TELEMETRY-OBS-50-001 | TODO | Telemetry Core Guild | — | Create `StellaOps.Telemetry.Core` library with structured logging facade, OpenTelemetry configuration helpers, and deterministic bootstrap (service name/version detection, resource attributes). Publish sample usage for web/worker hosts. | Library builds/tests; NuGet local package published; sample host integration passes smoke tests; compliance checklist recorded. | +| TELEMETRY-OBS-50-002 | TODO | Telemetry Core Guild | TELEMETRY-OBS-50-001 | Implement context propagation middleware/adapters for HTTP, gRPC, background jobs, and CLI invocations, carrying `trace_id`, `tenant_id`, `actor`, and imposed-rule metadata. Provide test harness covering async resume scenarios. | Middleware packages pass integration tests; context restored across async boundaries; CLI harness emits trace headers; docs drafted under `/docs/observability/telemetry-standards.md` stub. | + +## Sprint 51 – Metrics & Log Contracts +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| TELEMETRY-OBS-51-001 | TODO | Telemetry Core Guild, Observability Guild | TELEMETRY-OBS-50-001 | Ship metrics helpers for golden signals (histograms, counters, gauges) with exemplar support and cardinality guards. Provide Roslyn analyzer preventing unsanitised labels. | Helpers integrated in sample service; analyzer blocks forbidden label usage; unit/property tests cover bounds; documentation PR prepared. 
| +| TELEMETRY-OBS-51-002 | TODO | Telemetry Core Guild, Security Guild | TELEMETRY-OBS-50-001 | Implement redaction/scrubbing filters for secrets/PII enforced at logger sink, configurable per-tenant with TTL, including audit of overrides. Add determinism tests verifying stable field order and timestamp normalization. | Scrubber defaults enforced; override API audited; determinism tests pass twice with identical output; security review sign-off recorded. | + +## Sprint 55 – Incident Mode Support +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| TELEMETRY-OBS-55-001 | TODO | Telemetry Core Guild | TELEMETRY-OBS-50-002, TELEMETRY-OBS-51-002 | Provide incident mode toggle API that adjusts sampling, enables extended retention tags, and records activation trail for services. Ensure toggle honored by all hosting templates and integrates with Config/FeatureFlag providers. | Toggle API launched; integration tests confirm sampling increase; activation events logged with tenant context; runbook updated. | + +## Sprint 56 – Sealed Mode Hooks +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| TELEMETRY-OBS-56-001 | TODO | Telemetry Core Guild | TELEMETRY-OBS-50-001, TELEMETRY-OBS-55-001 | Add sealed-mode telemetry helpers (drift metrics, seal/unseal spans, offline exporters) and ensure hosts can disable external exporters when sealed. | Helpers published; sealed-mode tests verify no external egress; docs updated with sealed guidance. | diff --git a/src/StellaOps.TimelineIndexer/AGENTS.md b/src/StellaOps.TimelineIndexer/AGENTS.md new file mode 100644 index 00000000..40d08da1 --- /dev/null +++ b/src/StellaOps.TimelineIndexer/AGENTS.md 
@@ -0,0 +1,28 @@
+# Tenant Timeline Indexer — Agent Charter
+
+## Mission
+Build the tenant-scoped timeline ingestion and query service described in Epic 15. Consume structured timeline events from all services, maintain queryable indices, and expose APIs to Console and CLI without violating imposed rule guarantees.
+
+## Responsibilities
+- Define Postgres schema, RLS policies, and ingestion pipelines for `timeline_events`.
+- Provide event consumers for NATS/Redis queues with dedupe + ordering logic.
+- Serve REST/gRPC APIs powering Console Forensics Explorer and CLI `stella obs trace`/`timeline` flows.
+- Emit metrics/traces/logs for ingestion health and query performance.
+
+## Collaboration
+- Coordinate with Telemetry Core for event schema definitions.
+- Work with Evidence Locker to link events to evidence bundle digests.
+- Align with Authority on new `timeline:read` scopes and tenant enforcement.
+
+## Definition of Done
+- Service ships with deterministic migrations + repeatable seeds.
+- Integration tests replay recorded event fixtures to stable results.
+- Docs updated under `/docs/forensics/timeline.md` per release.
+
+## Module Layout
+- `StellaOps.TimelineIndexer.Core/` — event models, ordering/dedupe logic, query contracts.
+- `StellaOps.TimelineIndexer.Infrastructure/` — Postgres/NATS clients, persistence abstractions.
+- `StellaOps.TimelineIndexer.WebService/` — query/lookup APIs and authentication glue.
+- `StellaOps.TimelineIndexer.Worker/` — ingestion consumers and background compaction jobs.
+- `StellaOps.TimelineIndexer.Tests/` — unit tests focused on ordering/dedupe/query correctness.
+- `StellaOps.TimelineIndexer.sln` — solution aggregating module projects.
diff --git a/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Core/Class1.cs b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Core/Class1.cs
new file mode 100644
index 00000000..6ec0050c
--- /dev/null
+++ b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Core/Class1.cs @@ -0,0 +1,6 @@ +namespace StellaOps.TimelineIndexer.Core; + +public class Class1 +{ + +} diff --git a/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Core/StellaOps.TimelineIndexer.Core.csproj b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Core/StellaOps.TimelineIndexer.Core.csproj new file mode 100644 index 00000000..fe0eef44 --- /dev/null +++ b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Core/StellaOps.TimelineIndexer.Core.csproj @@ -0,0 +1,18 @@ + + + + + + + + + net10.0 + enable + enable + preview + true + + + + + diff --git a/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Infrastructure/Class1.cs b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Infrastructure/Class1.cs new file mode 100644 index 00000000..dd0e73ad --- /dev/null +++ b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Infrastructure/Class1.cs @@ -0,0 +1,6 @@ +namespace StellaOps.TimelineIndexer.Infrastructure; + +public class Class1 +{ + +} diff --git a/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Infrastructure/StellaOps.TimelineIndexer.Infrastructure.csproj b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Infrastructure/StellaOps.TimelineIndexer.Infrastructure.csproj new file mode 100644 index 00000000..99490b67 --- /dev/null +++ b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Infrastructure/StellaOps.TimelineIndexer.Infrastructure.csproj @@ -0,0 +1,28 @@ + + + + + + + + + + + + + + + + + + + net10.0 + enable + enable + preview + true + + + + + diff --git a/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Tests/StellaOps.TimelineIndexer.Tests.csproj b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Tests/StellaOps.TimelineIndexer.Tests.csproj new file mode 100644 index 00000000..0dc7d02f --- /dev/null +++ b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Tests/StellaOps.TimelineIndexer.Tests.csproj 
@@ -0,0 +1,135 @@ + + + + + + + + + + + + + Exe + + + + + false + + + + + + + + + + + + + + net10.0 + + + enable + + + enable + + + false + + + preview + + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Tests/UnitTest1.cs b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Tests/UnitTest1.cs new file mode 100644 index 00000000..d624cb6d --- /dev/null +++ b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Tests/UnitTest1.cs @@ -0,0 +1,10 @@ +namespace StellaOps.TimelineIndexer.Tests; + +public class UnitTest1 +{ + [Fact] + public void Test1() + { + + } +} diff --git a/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Tests/xunit.runner.json b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Tests/xunit.runner.json new file mode 100644 index 00000000..86c7ea05 --- /dev/null +++ b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Tests/xunit.runner.json @@ -0,0 +1,3 @@ +{ + "$schema": "https://xunit.net/schema/current/xunit.runner.schema.json" +} diff --git a/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/Program.cs b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/Program.cs new file mode 100644 index 00000000..ee9d65d6 --- /dev/null +++ b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/Program.cs 
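Review bot: `Test1` in the new UnitTest1.cs is an empty `[Fact]` that passes unconditionally, so StellaOps.TimelineIndexer.Tests reports green without exercising anything, while the AGENTS.md in this commit designates this project for ordering/dedupe/query tests. Either remove the scaffold test or make the placeholder visible in test output instead of counting as a pass, `[Fact(Skip = "scaffold placeholder until timeline ordering tests land")]`.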
@@ -0,0 +1,41 @@
+var builder = WebApplication.CreateBuilder(args);
+
+// Add services to the container.
+// Learn more about configuring OpenAPI at https://aka.ms/aspnet/openapi
+builder.Services.AddOpenApi();
+
+var app = builder.Build();
+
+// Configure the HTTP request pipeline.
+if (app.Environment.IsDevelopment())
+{
+ app.MapOpenApi();
+}
+
+app.UseHttpsRedirection();
+
+var summaries = new[]
+{
+ "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
+};
+
+app.MapGet("/weatherforecast", () =>
+{
+ var forecast = Enumerable.Range(1, 5).Select(index =>
+ new WeatherForecast
+ (
+ DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
+ Random.Shared.Next(-20, 55),
+ summaries[Random.Shared.Next(summaries.Length)]
+ ))
+ .ToArray();
+ return forecast;
+})
+.WithName("GetWeatherForecast");
+
+app.Run();
+
+record WeatherForecast(DateOnly Date, int TemperatureC, string? Summary)
+{
+ public int TemperatureF => 32 + (int)(TemperatureC / 0.5556);
+}
diff --git a/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/Properties/launchSettings.json b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/Properties/launchSettings.json
new file mode 100644
index 00000000..70e1a4ae
--- /dev/null
+++ b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/Properties/launchSettings.json
@@ -0,0 +1,23 @@
+{
+ "$schema": "https://json.schemastore.org/launchsettings.json",
+ "profiles": {
+ "http": {
+ "commandName": "Project",
+ "dotnetRunMessages": true,
+ "launchBrowser": false,
+ "applicationUrl": "http://localhost:5194",
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ },
+ "https": {
+ "commandName": "Project",
+ "dotnetRunMessages": true,
+ "launchBrowser": false,
+ "applicationUrl": "https://localhost:7272;http://localhost:5194",
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ }
+ }
+}
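Review bot: The `/weatherforecast` scaffold endpoint in StellaOps.TimelineIndexer.WebService/Program.cs is reachable with no authentication or authorization in the pipeline — the file registers neither `UseAuthentication()`/`UseAuthorization()` nor `RequireAuthorization()` on the route — although the TimelineIndexer charter in this commit places the authentication glue and `timeline:read` scope enforcement in this WebService. If the scaffold stays as a smoke endpoint, add the auth middleware now and mark the route, e.g. `.WithName("GetWeatherForecast").RequireAuthorization();`, so the first real timeline endpoint does not inherit an anonymous-by-default pipeline; otherwise remove the endpoint and the `WeatherForecast` record before merge. Separately, the sample builds dates from `DateTime.Now` (local time); a service that emits tenant timelines should use `DateTime.UtcNow` throughout.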
diff --git a/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/StellaOps.TimelineIndexer.WebService.csproj b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/StellaOps.TimelineIndexer.WebService.csproj new file mode 100644 index 00000000..b3e79804 --- /dev/null +++ b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/StellaOps.TimelineIndexer.WebService.csproj @@ -0,0 +1,41 @@ + + + + + + + + + net10.0 + enable + enable + preview + true + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/StellaOps.TimelineIndexer.WebService.http b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/StellaOps.TimelineIndexer.WebService.http new file mode 100644 index 00000000..9aad74ef --- /dev/null +++ b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/StellaOps.TimelineIndexer.WebService.http @@ -0,0 +1,6 @@ +@StellaOps.TimelineIndexer.WebService_HostAddress = http://localhost:5194 + +GET {{StellaOps.TimelineIndexer.WebService_HostAddress}}/weatherforecast/ +Accept: application/json + +### diff --git a/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/appsettings.Development.json b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/appsettings.Development.json new file mode 100644 index 00000000..0c208ae9 --- /dev/null +++ b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/appsettings.Development.json @@ -0,0 +1,8 @@ +{ + "Logging": { + "LogLevel": { + "Default": "Information", + "Microsoft.AspNetCore": "Warning" + } + } +} diff --git a/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/appsettings.json b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/appsettings.json new file mode 100644 index 00000000..10f68b8c --- /dev/null +++ b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.WebService/appsettings.json 
@@ -0,0 +1,9 @@ +{ + "Logging": { + "LogLevel": { + "Default": "Information", + "Microsoft.AspNetCore": "Warning" + } + }, + "AllowedHosts": "*" +} diff --git a/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/Program.cs b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/Program.cs new file mode 100644 index 00000000..13c4cedf --- /dev/null +++ b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/Program.cs @@ -0,0 +1,7 @@ +using StellaOps.TimelineIndexer.Worker; + +var builder = Host.CreateApplicationBuilder(args); +builder.Services.AddHostedService(); + +var host = builder.Build(); +host.Run(); diff --git a/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/Properties/launchSettings.json b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/Properties/launchSettings.json new file mode 100644 index 00000000..69dd56fd --- /dev/null +++ b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/Properties/launchSettings.json @@ -0,0 +1,12 @@ +{ + "$schema": "https://json.schemastore.org/launchsettings.json", + "profiles": { + "StellaOps.TimelineIndexer.Worker": { + "commandName": "Project", + "dotnetRunMessages": true, + "environmentVariables": { + "DOTNET_ENVIRONMENT": "Development" + } + } + } +} diff --git a/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/StellaOps.TimelineIndexer.Worker.csproj b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/StellaOps.TimelineIndexer.Worker.csproj new file mode 100644 index 00000000..78834228 --- /dev/null +++ b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/StellaOps.TimelineIndexer.Worker.csproj @@ -0,0 +1,43 @@ + + + + + + + + + dotnet-StellaOps.TimelineIndexer.Worker-f6dbdeac-9eb5-4250-9384-ef93fc70f770 + + + net10.0 + enable + enable + preview + true + + + + + + + + + + + + + + + + + + + + + + + + + + + 
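Review bot: `"AllowedHosts": "*"` in appsettings.json makes the host-filtering middleware accept any `Host` header, which is the template default but removes Host-header validation for a tenant-scoped service; restrict it in production configuration (an `appsettings.Production.json` or environment configuration) to the hostnames the service is actually served under, keeping `*` only for local development. TIMELINE-OBS-52-001 in this commit's TASKS.md calls for a compliance checklist for this service, and this setting is worth recording there.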
diff --git a/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/Worker.cs b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/Worker.cs
new file mode 100644
index 00000000..146eb37d
--- /dev/null
+++ b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/Worker.cs
@@ -0,0 +1,16 @@
+namespace StellaOps.TimelineIndexer.Worker;
+
+public class Worker(ILogger logger) : BackgroundService
+{
+ protected override async Task ExecuteAsync(CancellationToken stoppingToken)
+ {
+ while (!stoppingToken.IsCancellationRequested)
+ {
+ if (logger.IsEnabled(LogLevel.Information))
+ {
+ logger.LogInformation("Worker running at: {time}", DateTimeOffset.Now);
+ }
+ await Task.Delay(1000, stoppingToken);
+ }
+ }
+}
diff --git a/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/appsettings.Development.json b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/appsettings.Development.json
new file mode 100644
index 00000000..b2dcdb67
--- /dev/null
+++ b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/appsettings.Development.json
@@ -0,0 +1,8 @@
+{
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft.Hosting.Lifetime": "Information"
+ }
+ }
+}
diff --git a/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/appsettings.json b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/appsettings.json
new file mode 100644
index 00000000..b2dcdb67
--- /dev/null
+++ b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.Worker/appsettings.json
@@ -0,0 +1,8 @@
+{
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft.Hosting.Lifetime": "Information"
+ }
+ }
+}
diff --git a/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.sln b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.sln
new file mode 100644
index 00000000..e46f8c80
--- /dev/null
+++ b/src/StellaOps.TimelineIndexer/StellaOps.TimelineIndexer.sln
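Review bot: The heartbeat log in `ExecuteAsync` stamps `DateTimeOffset.Now`, i.e. host-local time, in a service whose job is to index an event timeline correlated by trace ID; `logger.LogInformation("Worker running at: {time}", DateTimeOffset.UtcNow);` (or an injected `TimeProvider`, which also makes the loop testable) keeps worker logs on the same clock as the events it will process. The constructor is printed as `Worker(ILogger logger)`; the stock template uses `ILogger<Worker>` and the generic argument may have been lost in rendering (the csproj hunks on this page also lost their XML tags), but if it really is the non-generic `ILogger`, the host's default logging registration only provides `ILogger<T>` and DI would fail to activate the worker at startup. The one-second polling loop is scaffold and will presumably be replaced by the NATS/Redis consumer described in TIMELINE-OBS-52-002.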
@@ -0,0 +1,90 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio Version 17 +VisualStudioVersion = 17.0.31903.59 +MinimumVisualStudioVersion = 10.0.40219.1 +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.TimelineIndexer.Core", "StellaOps.TimelineIndexer.Core\StellaOps.TimelineIndexer.Core.csproj", "{C8959267-ACDD-49E9-B1FD-9694C8663437}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.TimelineIndexer.Infrastructure", "StellaOps.TimelineIndexer.Infrastructure\StellaOps.TimelineIndexer.Infrastructure.csproj", "{185CEED8-197F-4236-8716-73B37C5F355A}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.TimelineIndexer.WebService", "StellaOps.TimelineIndexer.WebService\StellaOps.TimelineIndexer.WebService.csproj", "{991C4CD2-F5D2-4AB7-83A5-EF4E60B61A86}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.TimelineIndexer.Worker", "StellaOps.TimelineIndexer.Worker\StellaOps.TimelineIndexer.Worker.csproj", "{B8F1FE1E-7730-431D-B058-9C7A50463F91}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.TimelineIndexer.Tests", "StellaOps.TimelineIndexer.Tests\StellaOps.TimelineIndexer.Tests.csproj", "{AA20938D-A0AC-4E37-B7D9-002C6DD90FEC}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Any CPU = Debug|Any CPU + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 + Release|Any CPU = Release|Any CPU + Release|x64 = Release|x64 + Release|x86 = Release|x86 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {C8959267-ACDD-49E9-B1FD-9694C8663437}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {C8959267-ACDD-49E9-B1FD-9694C8663437}.Debug|Any CPU.Build.0 = Debug|Any CPU + {C8959267-ACDD-49E9-B1FD-9694C8663437}.Debug|x64.ActiveCfg = Debug|Any CPU + {C8959267-ACDD-49E9-B1FD-9694C8663437}.Debug|x64.Build.0 = Debug|Any CPU + 
{C8959267-ACDD-49E9-B1FD-9694C8663437}.Debug|x86.ActiveCfg = Debug|Any CPU + {C8959267-ACDD-49E9-B1FD-9694C8663437}.Debug|x86.Build.0 = Debug|Any CPU + {C8959267-ACDD-49E9-B1FD-9694C8663437}.Release|Any CPU.ActiveCfg = Release|Any CPU + {C8959267-ACDD-49E9-B1FD-9694C8663437}.Release|Any CPU.Build.0 = Release|Any CPU + {C8959267-ACDD-49E9-B1FD-9694C8663437}.Release|x64.ActiveCfg = Release|Any CPU + {C8959267-ACDD-49E9-B1FD-9694C8663437}.Release|x64.Build.0 = Release|Any CPU + {C8959267-ACDD-49E9-B1FD-9694C8663437}.Release|x86.ActiveCfg = Release|Any CPU + {C8959267-ACDD-49E9-B1FD-9694C8663437}.Release|x86.Build.0 = Release|Any CPU + {185CEED8-197F-4236-8716-73B37C5F355A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {185CEED8-197F-4236-8716-73B37C5F355A}.Debug|Any CPU.Build.0 = Debug|Any CPU + {185CEED8-197F-4236-8716-73B37C5F355A}.Debug|x64.ActiveCfg = Debug|Any CPU + {185CEED8-197F-4236-8716-73B37C5F355A}.Debug|x64.Build.0 = Debug|Any CPU + {185CEED8-197F-4236-8716-73B37C5F355A}.Debug|x86.ActiveCfg = Debug|Any CPU + {185CEED8-197F-4236-8716-73B37C5F355A}.Debug|x86.Build.0 = Debug|Any CPU + {185CEED8-197F-4236-8716-73B37C5F355A}.Release|Any CPU.ActiveCfg = Release|Any CPU + {185CEED8-197F-4236-8716-73B37C5F355A}.Release|Any CPU.Build.0 = Release|Any CPU + {185CEED8-197F-4236-8716-73B37C5F355A}.Release|x64.ActiveCfg = Release|Any CPU + {185CEED8-197F-4236-8716-73B37C5F355A}.Release|x64.Build.0 = Release|Any CPU + {185CEED8-197F-4236-8716-73B37C5F355A}.Release|x86.ActiveCfg = Release|Any CPU + {185CEED8-197F-4236-8716-73B37C5F355A}.Release|x86.Build.0 = Release|Any CPU + {991C4CD2-F5D2-4AB7-83A5-EF4E60B61A86}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {991C4CD2-F5D2-4AB7-83A5-EF4E60B61A86}.Debug|Any CPU.Build.0 = Debug|Any CPU + {991C4CD2-F5D2-4AB7-83A5-EF4E60B61A86}.Debug|x64.ActiveCfg = Debug|Any CPU + {991C4CD2-F5D2-4AB7-83A5-EF4E60B61A86}.Debug|x64.Build.0 = Debug|Any CPU + {991C4CD2-F5D2-4AB7-83A5-EF4E60B61A86}.Debug|x86.ActiveCfg = Debug|Any CPU + 
{991C4CD2-F5D2-4AB7-83A5-EF4E60B61A86}.Debug|x86.Build.0 = Debug|Any CPU + {991C4CD2-F5D2-4AB7-83A5-EF4E60B61A86}.Release|Any CPU.ActiveCfg = Release|Any CPU + {991C4CD2-F5D2-4AB7-83A5-EF4E60B61A86}.Release|Any CPU.Build.0 = Release|Any CPU + {991C4CD2-F5D2-4AB7-83A5-EF4E60B61A86}.Release|x64.ActiveCfg = Release|Any CPU + {991C4CD2-F5D2-4AB7-83A5-EF4E60B61A86}.Release|x64.Build.0 = Release|Any CPU + {991C4CD2-F5D2-4AB7-83A5-EF4E60B61A86}.Release|x86.ActiveCfg = Release|Any CPU + {991C4CD2-F5D2-4AB7-83A5-EF4E60B61A86}.Release|x86.Build.0 = Release|Any CPU + {B8F1FE1E-7730-431D-B058-9C7A50463F91}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {B8F1FE1E-7730-431D-B058-9C7A50463F91}.Debug|Any CPU.Build.0 = Debug|Any CPU + {B8F1FE1E-7730-431D-B058-9C7A50463F91}.Debug|x64.ActiveCfg = Debug|Any CPU + {B8F1FE1E-7730-431D-B058-9C7A50463F91}.Debug|x64.Build.0 = Debug|Any CPU + {B8F1FE1E-7730-431D-B058-9C7A50463F91}.Debug|x86.ActiveCfg = Debug|Any CPU + {B8F1FE1E-7730-431D-B058-9C7A50463F91}.Debug|x86.Build.0 = Debug|Any CPU + {B8F1FE1E-7730-431D-B058-9C7A50463F91}.Release|Any CPU.ActiveCfg = Release|Any CPU + {B8F1FE1E-7730-431D-B058-9C7A50463F91}.Release|Any CPU.Build.0 = Release|Any CPU + {B8F1FE1E-7730-431D-B058-9C7A50463F91}.Release|x64.ActiveCfg = Release|Any CPU + {B8F1FE1E-7730-431D-B058-9C7A50463F91}.Release|x64.Build.0 = Release|Any CPU + {B8F1FE1E-7730-431D-B058-9C7A50463F91}.Release|x86.ActiveCfg = Release|Any CPU + {B8F1FE1E-7730-431D-B058-9C7A50463F91}.Release|x86.Build.0 = Release|Any CPU + {AA20938D-A0AC-4E37-B7D9-002C6DD90FEC}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {AA20938D-A0AC-4E37-B7D9-002C6DD90FEC}.Debug|Any CPU.Build.0 = Debug|Any CPU + {AA20938D-A0AC-4E37-B7D9-002C6DD90FEC}.Debug|x64.ActiveCfg = Debug|Any CPU + {AA20938D-A0AC-4E37-B7D9-002C6DD90FEC}.Debug|x64.Build.0 = Debug|Any CPU + {AA20938D-A0AC-4E37-B7D9-002C6DD90FEC}.Debug|x86.ActiveCfg = Debug|Any CPU + {AA20938D-A0AC-4E37-B7D9-002C6DD90FEC}.Debug|x86.Build.0 = Debug|Any CPU + 
{AA20938D-A0AC-4E37-B7D9-002C6DD90FEC}.Release|Any CPU.ActiveCfg = Release|Any CPU + {AA20938D-A0AC-4E37-B7D9-002C6DD90FEC}.Release|Any CPU.Build.0 = Release|Any CPU + {AA20938D-A0AC-4E37-B7D9-002C6DD90FEC}.Release|x64.ActiveCfg = Release|Any CPU + {AA20938D-A0AC-4E37-B7D9-002C6DD90FEC}.Release|x64.Build.0 = Release|Any CPU + {AA20938D-A0AC-4E37-B7D9-002C6DD90FEC}.Release|x86.ActiveCfg = Release|Any CPU + {AA20938D-A0AC-4E37-B7D9-002C6DD90FEC}.Release|x86.Build.0 = Release|Any CPU + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection +EndGlobal diff --git a/src/StellaOps.TimelineIndexer/TASKS.md b/src/StellaOps.TimelineIndexer/TASKS.md new file mode 100644 index 00000000..a6abccba --- /dev/null +++ b/src/StellaOps.TimelineIndexer/TASKS.md 
@@ -0,0 +1,14 @@ +# Timeline Indexer Task Board — Epic 15: Observability & Forensics + +## Sprint 52 – Timeline Foundations +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| TIMELINE-OBS-52-001 | TODO | Timeline Indexer Guild | TELEMETRY-OBS-50-001, AUTH-OBS-50-001 | Bootstrap `StellaOps.Timeline.Indexer` service with Postgres migrations for `timeline_events`, `timeline_event_details`, `timeline_event_digests`; enable RLS scaffolding and deterministic migration scripts. | Service builds/tests; migrations replay cleanly; baseline seed fixtures committed; compliance checklist recorded. | +| TIMELINE-OBS-52-002 | TODO | Timeline Indexer Guild | TIMELINE-OBS-52-001, DEVOPS-OBS-50-002 | Implement event ingestion pipeline (NATS/Redis consumers) with ordering guarantees, dedupe on `(event_id, tenant_id)`, correlation to trace IDs, and backpressure metrics. | Ingestion integration tests replay fixture stream; dedupe proven; metrics exposed; failure retries documented. | +| TIMELINE-OBS-52-003 | TODO | Timeline Indexer Guild | TIMELINE-OBS-52-002 | Expose REST/gRPC APIs for timeline queries (`GET /timeline`, `/timeline/{id}`) with filters, pagination, and tenant enforcement. Provide OpenAPI + contract tests. | APIs documented via OpenAPI; tests cover filters/pagination; latency budget <200 ms P95 on seeded data; audit logs recorded. | +| TIMELINE-OBS-52-004 | TODO | Timeline Indexer Guild, Security Guild | TIMELINE-OBS-52-001 | Finalize RLS policies, scope checks (`timeline:read`), and audit logging for query access. Include integration tests for cross-tenant isolation and legal hold markers. | RLS proven with failing cross-tenant queries; audit logs include actor/tenant; legal hold flag prevents deletion; docs referenced. 
| + +## Sprint 53 – Evidence & Provenance Integration +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| TIMELINE-OBS-53-001 | TODO | Timeline Indexer Guild, Evidence Locker Guild | TIMELINE-OBS-52-003, EVID-OBS-53-002 | Link timeline events to evidence bundle digests + attestation subjects; expose `/timeline/{id}/evidence` endpoint returning signed manifest references. | Endpoint returns evidence references with DSSE metadata; integration test verifies digest match; docs updated. | diff --git a/src/StellaOps.UI/TASKS.md b/src/StellaOps.UI/TASKS.md index 3e4718d7..ebf64b24 100644 --- a/src/StellaOps.UI/TASKS.md +++ b/src/StellaOps.UI/TASKS.md 
@@ -1,12 +1,77 @@ -# UI Task Board (Sprints 11 & 13) - -| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | -|----|--------|----------|------------|-------------|---------------| -| UI-AUTH-13-001 | DONE (2025-10-23) | UI Guild | AUTH-DPOP-11-001, AUTH-MTLS-11-002 | Integrate Authority OIDC + DPoP flows with session management. | Login/logout flows pass e2e tests; tokens refreshed; DPoP nonce handling validated. | -| UI-SCANS-13-002 | TODO | UI Guild | SCANNER-WEB-09-102, SIGNER-API-11-101 | Build scans module (list/detail/SBOM/diff/attestation) with performance + accessibility targets. | Cypress tests cover SBOM/diff; performance budgets met; accessibility checks pass. | -| UI-VEX-13-003 | TODO | UI Guild | EXCITITOR-CORE-02-001, EXCITITOR-EXPORT-01-005 | Implement VEX explorer + policy editor with preview integration. | VEX views render consensus/conflicts; staged policy preview works; accessibility checks pass. | -| UI-ADMIN-13-004 | TODO | UI Guild | AUTH-MTLS-11-002 | Deliver admin area (tenants/clients/quotas/licensing) with RBAC + audit hooks. | Admin e2e tests pass; unauthorized access blocked; telemetry wired. | -| UI-ATTEST-11-005 | DONE (2025-10-23) | UI Guild | SIGNER-API-11-101, ATTESTOR-API-11-201 | Attestation visibility (Rekor id, status) on Scan Detail. | UI shows Rekor UUID/status; mock attestation fixtures displayed; tests cover success/failure. | -| UI-SCHED-13-005 | TODO | UI Guild | SCHED-WEB-16-101 | Scheduler panel: schedules CRUD, run history, dry-run preview using API/mocks. | Panel functional with mocked endpoints; UX signoff; integration tests added. | -| UI-NOTIFY-13-006 | DONE (2025-10-25) | UI Guild | NOTIFY-WEB-15-101 | Notify panel: channels/rules CRUD, deliveries view, test send integration. | Panel interacts with mocked Notify API; tests cover rule lifecycle; docs updated. 
| -| UI-POLICY-13-007 | TODO | UI Guild | POLICY-CORE-09-006, SCANNER-WEB-09-103 | Surface policy confidence metadata (band, age, quiet provenance) on preview and report views. | UI renders new columns/tooltips, accessibility and responsive checks pass, Cypress regression updated with confidence fixtures. | +# UI Task Board (Sprints 13 & 19) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| UI-POLICY-13-007 | TODO | UI Guild | POLICY-CORE-09-006, SCANNER-WEB-09-103 | Surface policy confidence metadata (band, age, quiet provenance) on preview and report views. | UI renders new columns/tooltips, accessibility and responsive checks pass, Cypress regression updated. | +| UI-AOC-19-001 | TODO | UI Guild | CONCELIER-WEB-AOC-19-001, EXCITITOR-WEB-AOC-19-001 | Add Sources dashboard tiles showing AOC pass/fail, recent violation codes, and ingest throughput per tenant. | Dashboard displays metrics from new endpoints, charts verified in e2e tests, accessibility checks pass. | +| UI-AOC-19-002 | TODO | UI Guild | UI-AOC-19-001 | Implement violation drill-down view highlighting offending document fields and provenance metadata. | Drill-down renders formatted JSON with highlights; copy-to-clipboard works; tests cover forbidden key cases. | +| UI-AOC-19-003 | TODO | UI Guild | UI-AOC-19-001, CLI-AOC-19-002 | Add "Verify last 24h" action triggering AOC verifier endpoint and surfacing CLI parity guidance. | Action wired to API, results rendered in toast/log panel, docs link to CLI usage, e2e test verifies flow. | + +## Policy Engine v2 (Sprint 20) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| UI-POLICY-20-001 | TODO | UI Guild | WEB-POLICY-20-001 | Ship Monaco-based policy editor with DSL syntax highlighting, inline diagnostics, and compliance checklist sidebar. 
| Editor renders DSL with token colors + lint; accessibility review passes; diagnostics surfaced from API compile endpoint in tests. | +| UI-POLICY-20-002 | TODO | UI Guild | UI-POLICY-20-001, WEB-POLICY-20-001, WEB-POLICY-20-002 | Build simulation panel showing before/after counts, severity deltas, and rule hit summaries with deterministic diff rendering. | Simulation view consumes API diff JSON, handles large datasets with virtualization, Cypress regression verifies charts/tables. | +| UI-POLICY-20-003 | TODO | UI Guild, Product Ops | UI-POLICY-20-001, AUTH-POLICY-20-001 | Implement submit/review/approve workflow with comments, approvals log, and RBAC checks for `policy:write` vs `policy:approve`. | Workflow passes e2e tests, audit trail rendered, unauthorized roles blocked, docs linked from UI help. | +| UI-POLICY-20-004 | TODO | UI Guild, Observability Guild | WEB-POLICY-20-001, POLICY-ENGINE-20-006, POLICY-ENGINE-20-007 | Add run viewer dashboards (rule heatmap, VEX wins, suppressions) with filter/search and export. | Dashboards render aggregated metrics, export downloads CSV/JSON, accessibility/perf budgets met, telemetry charts validated. | + +## Graph Explorer v1 (Sprint 21) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| UI-GRAPH-21-001 | TODO | UI Guild, Cartographer Guild | WEB-GRAPH-21-001, CARTO-GRAPH-21-006 | Implement virtualized pan/zoom canvas with clustering, severity/status overlays, and deterministic rendering budgets. | Canvas renders 50k-node fixtures <2s viewport; clustering verified; Cypress visual regression recorded. | +| UI-GRAPH-21-002 | TODO | UI Guild | UI-GRAPH-21-001, WEB-GRAPH-21-001 | Build inspector panel showing node metadata, effective findings, VEX rationale links, and dependent counts with copy/export support. | Inspector surfaces overlays per policy; links to explain pages work; unit/e2e tests cover scenarios. 
| +| UI-GRAPH-21-003 | TODO | UI Guild | UI-GRAPH-21-001, WEB-GRAPH-21-002 | Add filter/search experience (severity, status, scope, supplier, regex) with debounced API calls and virtualized results. | Filters update <500 ms p95 on fixtures; state reflected in permalink; tests cover combinations. | +| UI-GRAPH-21-004 | TODO | UI Guild, Policy Guild | UI-GRAPH-21-001, WEB-GRAPH-21-004, POLICY-ENGINE-30-002 | Implement path view (k-shortest paths, highlighting, export) and simulation overlay toggle. | Paths highlight edges, export JSON works, simulation overlay toggles without reload; e2e coverage added. | +| UI-GRAPH-21-005 | TODO | UI Guild | UI-GRAPH-21-001, CARTO-GRAPH-21-006 | Deliver time travel + diff view across SBOM versions with color coding for added/removed nodes/edges/overlays. | Diff view validated with fixtures; accessibility audit passes; screenshot baseline stored. | +| UI-GRAPH-21-006 | TODO | UI Guild, Accessibility Guild | UI-GRAPH-21-001 | Ship accessibility features (keyboard nav, high-contrast mode, colorblind palettes) and snapshot permalinks. | Keyboard navigation tested; WCAG checklist satisfied; permalinks reproduce state after reload. | + +## Link-Not-Merge v1 (Sprint 22) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| UI-LNM-22-001 | TODO | UI Guild, Policy Guild | SCANNER-LNM-21-002, WEB-LNM-21-001 | Build Evidence panel showing policy decision with advisory observations/linksets side-by-side, conflict badges, AOC chain, and raw doc download links. | Panel renders multiple sources; conflict badges accessible; e2e tests cover high-volume linksets. | +| UI-LNM-22-002 | TODO | UI Guild | UI-LNM-22-001 | Implement filters (source, severity bucket, conflict-only, CVSS vector presence) and pagination/lazy loading for large linksets. | Filters respond within 500 ms; virtualization validated; unit/e2e tests added. 
| +| UI-LNM-22-003 | TODO | UI Guild, Excititor Guild | UI-LNM-22-001, WEB-LNM-21-002 | Add VEX tab with status/justification summaries, conflict indicators, and export actions. | VEX tab displays multiple observations; exports produce zipped OSV/CycloneDX; tests updated. | +| UI-LNM-22-004 | TODO | UI Guild | UI-LNM-22-001 | Provide permalink + copy-to-clipboard for selected component/linkset/policy combination; ensure high-contrast theme support. | Permalink reproduces state; accessibility audit passes; telemetry events logged. | + +## Policy Engine + Editor v1 (Sprint 23) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| UI-POLICY-23-001 | TODO | UI Guild, Policy Guild | WEB-POLICY-23-001 | Deliver Policy Editor workspace with pack list, revision history, and scoped metadata cards. | Editor lists packs/revisions; navigation accessible; tests cover RBAC states. | +| UI-POLICY-23-002 | TODO | UI Guild | UI-POLICY-23-001 | Implement YAML editor with schema validation, lint diagnostics, and live canonicalization preview. | YAML editor surfaces inline errors sourced from compiler; keyboard shortcuts and accessibility verified. | +| UI-POLICY-23-003 | TODO | UI Guild | UI-POLICY-23-001, WEB-POLICY-23-003 | Build guided rule builder (source preferences, severity mapping, VEX precedence, exceptions) with preview JSON output. | Guided builder generates valid SPL, diff view matches YAML; tests cover rule permutations. | +| UI-POLICY-23-004 | TODO | UI Guild | UI-POLICY-23-001, WEB-POLICY-23-002 | Add review/approval workflow UI: checklists, comments, two-person approval indicator, scope scheduling. | Workflow screens complete; approval restrictions enforced; e2e tests cover approval -> activation. 
| +| UI-POLICY-23-005 | TODO | UI Guild | UI-POLICY-23-001, WEB-POLICY-23-003 | Integrate simulator panel (SBOM/component/advisory selection), run diff vs active policy, show explain tree and overlays. | Simulation results render diff/projection; explain tree interactive; performance <1s for sample data. | +| UI-POLICY-23-006 | TODO | UI Guild | UI-POLICY-23-005 | Implement explain view linking to evidence overlays and exceptions; provide export to JSON/PDF. | Explain view accessible; exports generated; analytics instrumented. | + +## Graph & Vuln Explorer v1 (Sprint 24) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| UI-GRAPH-24-001 | TODO | UI Guild, SBOM Service Guild | WEB-GRAPH-24-001 | Build Graph Explorer canvas with layered/radial layouts, virtualization, zoom/pan, and scope toggles; initial render <1.5s for sample asset. | Canvas meets perf budget; automated tests cover navigation; accessibility validation done. | +| UI-GRAPH-24-002 | TODO | UI Guild, Policy Guild | UI-GRAPH-24-001, WEB-GRAPH-24-002 | Implement overlays (Policy, Evidence, License, Exposure) with tooltips, badges, and AOC indicators. | Overlays switch under 250ms; tooltips show explain links; tests cover overlay combos. | +| UI-GRAPH-24-003 | TODO | UI Guild | UI-GRAPH-24-001 | Deliver filters/search panel with facets, saved views, permalinks, and share modal. | Filters update view <250ms; saved view persisted; permalinks reproduce state. | +| UI-GRAPH-24-004 | TODO | UI Guild | UI-GRAPH-24-001 | Add side panels (Details, What-if, History) with upgrade simulation integration and SBOM diff viewer. | Simulation results display diff + policy impact; history shows added/removed nodes; tests cover flows. 
| +| UI-GRAPH-24-006 | TODO | UI Guild, Accessibility Guild | UI-GRAPH-24-001..005 | Ensure accessibility (keyboard nav, screen reader labels, contrast), add hotkeys (`f`,`e`,`.`), and analytics instrumentation. | Accessibility audit passes; hotkeys documented; telemetry events captured. | + +## Exceptions v1 (Sprint 25) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| UI-EXC-25-001 | TODO | UI Guild, Governance Guild | WEB-EXC-25-001 | Build Exception Center (list + kanban) with filters, sorting, workflow transitions, and audit views. | Exception Center functional; state transitions via UI; accessibility validated. | +| UI-EXC-25-002 | TODO | UI Guild | UI-EXC-25-001 | Implement exception creation wizard with scope preview, justification templates, timebox guardrails. | Wizard enforces scope/timebox; previews impacted items; tests cover validation. | +| UI-EXC-25-003 | TODO | UI Guild | UI-EXC-25-001, WEB-EXC-25-002 | Add inline exception drafting/proposing from Vulnerability Explorer and Graph detail panels with live simulation. | Inline flows produce drafts; preview shows policy delta; telemetry instrumented. | +| UI-EXC-25-004 | TODO | UI Guild | UI-EXC-25-001 | Surface exception badges, countdown timers, and explain integration across Graph/Vuln Explorer and policy views. | Badges visible with SR labels; countdown updates; explain drawer shows exception info. | +| UI-EXC-25-005 | TODO | UI Guild, Accessibility Guild | UI-EXC-25-001..004 | Add keyboard shortcuts (`x`,`a`,`r`) and ensure screen-reader messaging for approvals/revocations. | Shortcuts functional; accessibility audit passes. 
| + +## Reachability v1 (Sprint 26) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| UI-SIG-26-001 | TODO | UI Guild, Signals Guild | WEB-SIG-26-001 | Add reachability columns/badges to Vulnerability Explorer with filters and tooltips. | Columns render with virtualization; filters update under 250 ms; badges accessible. | +| UI-SIG-26-002 | TODO | UI Guild | UI-SIG-26-001, WEB-SIG-26-002 | Enhance “Why” drawer with call path visualization, reachability timeline, and evidence list. | Drawer displays call path breadcrumb; copyable details; tests cover states. | +| UI-SIG-26-003 | TODO | UI Guild | UI-GRAPH-24-001, WEB-SIG-26-002 | Add reachability overlay halos/time slider to SBOM Graph along with state legend. | Overlay toggles; time slider compares snapshots; performance budget met. | +| UI-SIG-26-004 | TODO | UI Guild | WEB-SIG-26-003 | Build Reachability Center view showing asset coverage, missing sensors, and stale facts. | Center lists assets with metrics; missing sensors highlighted; accessibility validated. | diff --git a/src/StellaOps.VexLens/AGENTS.md b/src/StellaOps.VexLens/AGENTS.md new file mode 100644 index 00000000..3f722793 --- /dev/null +++ b/src/StellaOps.VexLens/AGENTS.md 
@@ -0,0 +1,31 @@ +# VEX Lens Guild Charter (Epic 7) + +## Mission +Deliver the VEX Consensus Lens service that normalizes VEX evidence, computes deterministic consensus states, exposes APIs, and feeds Policy Engine and downstream explorers without mutating raw documents. + +## Scope +- Service code under `src/StellaOps.VexLens` (normalizer, mapping, trust weighting, consensus projection, APIs, simulation hooks). +- Batch workers consuming Excitator, Conseiller, SBOM, and policy events; projection storage and caching; telemetry. +- Coordination with Policy Engine, Vuln Explorer, Findings Ledger, Console, CLI, and Docs. + +## Principles +1. **Evidence preserving** – never edit or merge raw VEX docs; link via evidence IDs and maintain provenance. +2. **Deterministic outputs** – identical inputs + policy config yield identical consensus results; record seed & rationale chain. +3. **Explainable** – consensus exposes weights, issuers, reasons, and thresholds; no opaque scoring. +4. **Configurable trust** – tenant/policy controls weighting, decay, thresholds; defaults documented. +5. **Secure & auditable** – signature verification, issuer metadata, logging of conflicts, support for compliance queries. + +## Collaboration +- Keep `src/StellaOps.VexLens/TASKS.md`, `SPRINTS.md` synchronized. +- Share schemas/OpenAPI with Console & CLI; publish mapping docs and test fixtures. +- Coordinate with Policy Engine on trust knobs and Vuln Explorer on UI integration. + +## Tooling +- .NET 10 preview; background workers + minimal API. +- PostgreSQL/Mongo for consensus projection; Redis for caching if needed. +- Signature verification libraries (Ed25519, DSSE, PKIX) and mapping utilities (CPE→purl). + +## Definition of Done +- Normalization & consensus pipelines deterministic, tested, and instrumented. +- APIs documented (OpenAPI) with budget enforcement, telemetry, and replay harnesses. +- Docs updated with compliance checklist; offline kit includes configuration seeds. 
diff --git a/src/StellaOps.VexLens/TASKS.md b/src/StellaOps.VexLens/TASKS.md new file mode 100644 index 00000000..78a70bbd --- /dev/null +++ b/src/StellaOps.VexLens/TASKS.md 
@@ -0,0 +1,34 @@
+# VEX Lens Task Board — Epic 7: VEX Consensus Lens
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| VEXLENS-30-001 | TODO | VEX Lens Guild | EXCITITOR-LNM-21-001, CONCELIER-LNM-21-001 | Implement normalization pipeline for CSAF VEX, OpenVEX, CycloneDX VEX (status mapping, justification mapping, product tree parsing). | Normalization outputs deterministic canonical JSON; fixtures cover formats; unit tests pass. |
+| VEXLENS-30-002 | TODO | VEX Lens Guild | VEXLENS-30-001, SBOM-VULN-29-001 | Build product mapping library (CPE/CPE2.3/vendor tokens → purl/version) with scope quality scoring and path metadata. | Mapping library handles target ecosystems with property tests; scope scores recorded; docs updated. |
+| VEXLENS-30-003 | TODO | VEX Lens Guild, Issuer Directory Guild | ISSUER-30-001 | Integrate signature verification (Ed25519, DSSE, PKIX) using issuer keys, annotate evidence with verification state and failure reasons. | Signatures verified; failures logged; tests cover signed/unsigned/expired cases. |
+| VEXLENS-30-004 | TODO | VEX Lens Guild, Policy Guild | POLICY-ENGINE-29-001 | Implement trust weighting engine (issuer base weights, signature modifiers, recency decay, justification modifiers, scope score adjustments) controlled by policy config. | Weighting functions configurable; policy overrides applied; unit tests validate formulas. |
+| VEXLENS-30-005 | TODO | VEX Lens Guild | VEXLENS-30-001..004 | Implement consensus algorithm producing `consensus_state`, `confidence`, `weights`, `quorum`, `rationale`; support states: NOT_AFFECTED, AFFECTED, FIXED, UNDER_INVESTIGATION, DISPUTED, INCONCLUSIVE. | Algorithm deterministic; unit/property tests cover conflict scenarios; rationale includes top evidences; docs drafted. |
+| VEXLENS-30-006 | TODO | VEX Lens Guild, Findings Ledger Guild | VEXLENS-30-005, LEDGER-29-003 | Materialize consensus projection storage with idempotent workers triggered by VEX/Policy changes; expose change events for downstream consumers. | Projection generated for fixtures; backpressure metrics recorded; replay harness passes. |
+| VEXLENS-30-007 | TODO | VEX Lens Guild | VEXLENS-30-006 | Expose APIs (`/vex/consensus`, `/vex/consensus/query`, `/vex/consensus/{id}`, `/vex/consensus/simulate`, `/vex/consensus/export`) with pagination, cost budgets, and OpenAPI docs. | APIs deployed with schema validation; integration tests cover filters/simulation/export; rate limits enforced. |
+| VEXLENS-30-008 | TODO | VEX Lens Guild, Policy Guild | VEXLENS-30-006, POLICY-ENGINE-29-001 | Integrate consensus signals with Policy Engine (thresholds, suppression, simulation inputs) and Vuln Explorer detail view. | Policy consumes consensus via documented contract; Vuln Explorer shows consensus chip; e2e tests confirm suppression behavior. |
+| VEXLENS-30-009 | TODO | VEX Lens Guild, Observability Guild | VEXLENS-30-006..008 | Instrument metrics (`vex_consensus_compute_latency`, `vex_consensus_disputed_total`, `vex_signature_verification_rate`), structured logs, and traces; publish dashboards/alerts. | Metrics/traces live; dashboards approved; alert thresholds configured. |
+| VEXLENS-30-010 | TODO | VEX Lens Guild, QA Guild | VEXLENS-30-001..008 | Develop unit/property/integration/load tests (10M records), determinism harness, fuzz testing for malformed product trees. | Test suites green; load tests documented; determinism harness validated across two runs. |
+| VEXLENS-30-011 | TODO | VEX Lens Guild, DevOps Guild | VEXLENS-30-006..009 | Provide deployment manifests, caching configuration, scaling guides, offline kit seeds, and runbooks. | Deployment docs merged; smoke deploy validated; offline kit updated; runbooks published. |
+
+## Advisory AI (Sprint 31)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| VEXLENS-AIAI-31-001 | TODO | VEX Lens Guild | VEXLENS-30-005 | Expose consensus rationale API enhancements (policy factors, issuer details, mapping issues) for Advisory AI conflict explanations. | API returns structured factors; docs updated; integration tests cover tuples. |
+| VEXLENS-AIAI-31-002 | TODO | VEX Lens Guild | VEXLENS-30-006 | Provide caching hooks for consensus lookups used by Advisory AI (batch endpoints, TTL hints). | Batch API published; caches instrumented; telemetry recorded. |
+
+## Orchestrator Dashboard
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| VEXLENS-ORCH-33-001 | TODO | VEX Lens Guild | ORCH-SVC-32-001, ORCH-SVC-32-003, ORCH-SVC-33-001 | Register `consensus_compute` job type with orchestrator, integrate worker SDK, and expose job planning hooks for consensus batches. | Job type documented; worker consumes orchestrator jobs; tests cover pause/retry; metrics exported. |
+| VEXLENS-ORCH-34-001 | TODO | VEX Lens Guild | VEXLENS-ORCH-33-001, ORCH-SVC-34-002, ORCH-SVC-34-001 | Emit consensus completion events into orchestrator run ledger and provenance chain, including confidence metadata. | Ledger export includes consensus entries; events contain provenance; integration tests validate chain; docs cross-link to run-ledger. |
+
+## Export Center (Epic 10)
+
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| VEXLENS-EXPORT-35-001 | TODO | VEX Lens Guild | VEXLENS-30-006, LEDGER-EXPORT-35-001 | Provide consensus snapshot API delivering deterministic JSONL (state, confidence, provenance) for exporter mirror bundles. | Snapshot endpoint deployed; determinism tests pass; schema documented; metrics/logs instrumented. |
diff --git a/src/StellaOps.VulnExplorer.Api/AGENTS.md b/src/StellaOps.VulnExplorer.Api/AGENTS.md
new file mode 100644
index 00000000..5cf4d6e4
--- /dev/null
+++ b/src/StellaOps.VulnExplorer.Api/AGENTS.md
@@ -0,0 +1,31 @@
+# Vulnerability Explorer API Guild Charter (Epic 6)
+
+## Mission
+Expose policy-aware vulnerability listing, detail, simulation, workflow, and export APIs backed by the Findings Ledger and evidence services. Provide deterministic, RBAC-enforced endpoints that power Console, CLI, and automation workflows.
+
+## Scope
+- Service under `src/StellaOps.VulnExplorer.Api` (query engine, workflow endpoints, simulation bridge, export orchestrator).
+- Integration with Findings Ledger, Policy Engine, Conseiller, Excitator, SBOM Service, Scheduler, and Authority.
+- Evidence bundle assembly and signing hand-off.
+
+## Principles
+1. **Policy-driven** – All responses reference the requested policy version and include rationale metadata.
+2. **Immutable facts** – APIs read advisory/VEX/inventory evidence; they never mutate or overwrite source documents.
+3. **Audit-ready** – Every workflow action records ledger events and exposes provenance (IDs, timestamps, actors).
+4. **Deterministic & efficient** – Query results stable under fixed inputs; pagination and grouping honor budgets.
+5. **Secure** – RBAC/ABAC enforced server-side; exports signed; attachments served via scoped URLs.
+
+## Collaboration
+- Keep `src/StellaOps.VulnExplorer.Api/TASKS.md`, `SPRINTS.md` synchronized.
+- Coordinate schemas with Findings Ledger, Console, CLI, and Docs; publish OpenAPI + JSON schemas.
+- Work with DevOps/Observability for performance dashboards and SLOs.
+
+## Tooling
+- .NET 10 preview minimal API with async streaming for exports.
+- PostgreSQL/Mongo projections from Findings Ledger; Redis for query caching as needed.
+- Integration with Policy Engine batch eval and simulation endpoints.
+
+## Definition of Done
+- Endpoints documented (OpenAPI), tested (unit/integration/perf), and budget-enforced.
+- Telemetry/alerts configured; CI covers determinism.
+- Evidence bundle signing verified; docs updated with compliance checklist.
diff --git a/src/StellaOps.VulnExplorer.Api/TASKS.md b/src/StellaOps.VulnExplorer.Api/TASKS.md
new file mode 100644
index 00000000..10c064b0
--- /dev/null
+++ b/src/StellaOps.VulnExplorer.Api/TASKS.md
@@ -0,0 +1,14 @@
+# Vulnerability Explorer API Task Board — Epic 6
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| VULN-API-29-001 | TODO | Vuln Explorer API Guild | LEDGER-29-001, GRAPH-INDEX-28-001 | Define OpenAPI spec (list/detail/query/simulation/workflow/export), query JSON schema, pagination/grouping contracts, and error codes. | OpenAPI + schemas committed; spectral lint passes; clients regenerated for Console/CLI; docs drafted. |
+| VULN-API-29-002 | TODO | Vuln Explorer API Guild | VULN-API-29-001, LEDGER-29-003 | Implement list/query endpoints with policy parameter, grouping, server paging, caching, and cost budgets. | Endpoints return deterministic results; budgets enforced; integration tests cover filters/groupings; metrics logged. |
+| VULN-API-29-003 | TODO | Vuln Explorer API Guild | VULN-API-29-002 | Implement detail endpoint aggregating evidence, policy rationale, paths (Graph Explorer deep link), and workflow summary. | Detail payload matches contract; evidence references raw doc ids; tests cover missing evidence. |
+| VULN-API-29-004 | TODO | Vuln Explorer API Guild, Findings Ledger Guild | LEDGER-29-005 | Expose workflow endpoints (assign, comment, accept-risk, verify-fix, target-fix, reopen) that write ledger events with idempotency + validation. | Workflow APIs create ledger events, return updated projection; error handling documented; tests cover business rules. |
+| VULN-API-29-005 | TODO | Vuln Explorer API Guild, Policy Guild | POLICY-ENGINE-27-001, VULN-API-29-002 | Implement simulation endpoint comparing `policy_from` vs `policy_to`, returning diffs without side effects; hook into Policy Engine batch eval. | Simulation returns delta sets; runtime under SLA; tests cover large queries; no ledger writes. |
+| VULN-API-29-006 | TODO | Vuln Explorer API Guild | SBOM-CONSOLE-23-001, GRAPH-API-28-003 | Integrate resolver results with Graph Explorer: include shortest path metadata, line up deep-link parameters, expose `paths` array in details. | API returns path metadata; Graph Explorer links validated via e2e tests; docs updated. |
+| VULN-API-29-007 | TODO | Vuln Explorer API Guild, Security Guild | AUTH-POLICY-27-001, AUTH-VULN-29-001 | Enforce RBAC/ABAC scopes; implement CSRF/anti-forgery checks for Console; secure attachment URLs; audit logging. | Unauthorized requests rejected; audit logs contain actor + change; security tests cover ABAC filters. |
+| VULN-API-29-008 | TODO | Vuln Explorer API Guild | VULN-API-29-001..007 | Build export orchestrator producing signed bundles (manifest, NDJSON, checksums, signature). Integrate with Findings Ledger for evidence and Policy Engine metadata. | Export endpoint streams bundles, attaches signature; tests validate manifest + checksum; docs updated. |
+| VULN-API-29-009 | TODO | Vuln Explorer API Guild, Observability Guild | VULN-API-29-002..008 | Instrument metrics (`vuln_list_latency`, `vuln_simulation_latency`, `vuln_export_duration`, `vuln_workflow_events_total`), structured logs, and traces; publish dashboards/alerts. | Metrics registered; dashboards live; alert thresholds documented; telemetry tests in CI. |
+| VULN-API-29-010 | TODO | Vuln Explorer API Guild, QA Guild | VULN-API-29-002..008 | Provide unit/integration/perf tests (5M findings), fuzz query validation, determinism harness comparing repeated queries. | CI suite green; perf tests documented; determinism harness passes; bug budget set. |
+| VULN-API-29-011 | TODO | Vuln Explorer API Guild, DevOps Guild | VULN-API-29-002..009 | Package deployment (Helm/Compose), health checks, CI smoke, offline kit steps, and scaling guidance. | Deployment artifacts merged; smoke deploy validated; scaling/backup docs produced. |
diff --git a/src/StellaOps.Web/TASKS.md b/src/StellaOps.Web/TASKS.md
index 2d0d2485..5dcbd25d 100644
--- a/src/StellaOps.Web/TASKS.md
+++ b/src/StellaOps.Web/TASKS.md
@@ -1,9 +1,174 @@ -# StellaOps Web Task Board (UTC 2025-10-10) - -| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | -|----|--------|----------|------------|-------------|---------------| -| WEB1.TRIVY-SETTINGS | DONE (2025-10-21) | UX Specialist, Angular Eng | Backend `/exporters/trivy-db` contract | Implement Trivy DB exporter settings panel with `publishFull`, `publishDelta`, `includeFull`, `includeDelta` toggles and “Run export now” action using future `/exporters/trivy-db/settings` API. | ✅ Angular route `/concelier/trivy-db-settings` backed by `TrivyDbSettingsPageComponent` with reactive form; ✅ Overrides persisted via `ConcelierExporterClient` (`settings`/`run` endpoints); ✅ Manual run button saves current overrides then triggers export and surfaces run metadata. | -| WEB1.TRIVY-SETTINGS-TESTS | DONE (2025-10-21) | UX Specialist, Angular Eng | WEB1.TRIVY-SETTINGS | **DONE (2025-10-21)** – Added headless Karma harness (`ng test --watch=false`) wired to ChromeHeadless/CI launcher, created `karma.conf.cjs`, updated npm scripts + docs with Chromium prerequisites so CI/offline runners can execute specs deterministically. | Angular CLI available (npm scripts chained), Karma suite for Trivy DB components passing locally and in CI, docs note required prerequisites. | -| WEB1.DEPS-13-001 | DONE (2025-10-21) | UX Specialist, Angular Eng, DevEx | WEB1.TRIVY-SETTINGS-TESTS | Stabilise Angular workspace dependencies for CI/offline nodes: refresh `package-lock.json`, ensure Puppeteer/Chromium binaries optional, document deterministic install workflow. | `npm install` completes without manual intervention on air-gapped nodes, `npm test` headless run succeeds from clean checkout, README updated with lockfile + cache steps. 
| -| WEB-POLICY-FIXTURES-10-001 | DONE (2025-10-23) | Angular Eng | SAMPLES-13-004 | Wire policy preview/report doc fixtures into UI harness (test utility or Storybook substitute) with type bindings and validation guard so UI stays aligned with documented payloads. | JSON fixtures importable within Angular workspace, typed helpers exported for reuse, Karma spec validates critical fields (confidence band, unknown metrics, DSSE summary). | -| UI-AUTH-13-001 | DONE (2025-10-23) | UI Guild | AUTH-DPOP-11-001, AUTH-MTLS-11-002 | Integrate Authority OIDC + DPoP flows with session management (Angular SPA). | APP_INITIALIZER loads runtime config; login/logout flows drive Authority code flow; DPoP proofs generated/stored, nonce retries handled; unit specs cover proof binding + session persistence. | +# TASKS — Epic 1: Aggregation-Only Contract +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| WEB-AOC-19-001 `Shared AOC guard primitives` | TODO | BE-Base Platform Guild | — | Provide `AOCForbiddenKeys`, guard middleware/interceptor hooks, and error types (`AOCError`, `AOCViolationCode`) for ingestion services. Publish sample usage + analyzer to ensure guard registered. | +| WEB-AOC-19-002 `Provenance & signature helpers` | TODO | BE-Base Platform Guild | WEB-AOC-19-001 | Ship `ProvenanceBuilder`, checksum utilities, and signature verification helper integrated with guard logging. Cover DSSE/CMS formats with unit tests. | +| WEB-AOC-19-003 `Analyzer + test fixtures` | TODO | QA Guild, BE-Base Platform Guild | WEB-AOC-19-001 | Author Roslyn analyzer preventing ingestion modules from writing forbidden keys without guard, and provide shared test fixtures for guard validation used by Concelier/Excititor service tests. 
| + +## Policy Engine v2 + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| WEB-POLICY-20-001 `Policy endpoints` | TODO | BE-Base Platform Guild, Policy Guild | POLICY-ENGINE-20-001, POLICY-ENGINE-20-004 | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints with OpenAPI, tenant scoping, and service identity enforcement. | +| WEB-POLICY-20-002 `Pagination & filters` | TODO | BE-Base Platform Guild | WEB-POLICY-20-001 | Add pagination, filtering, sorting, and tenant guards to listings for policies, runs, and findings; include deterministic ordering and query diagnostics. | +| WEB-POLICY-20-003 `Error mapping` | TODO | BE-Base Platform Guild, QA Guild | WEB-POLICY-20-001 | Map engine errors to `ERR_POL_*` responses with consistent payloads and contract tests; expose correlation IDs in headers. | +| WEB-POLICY-20-004 `Simulate rate limits` | TODO | Platform Reliability Guild | WEB-POLICY-20-001, WEB-POLICY-20-002 | Introduce adaptive rate limiting + quotas for simulation endpoints, expose metrics, and document retry headers. | + +## Graph Explorer v1 + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| WEB-GRAPH-21-001 `Graph endpoints` | TODO | BE-Base Platform Guild, Cartographer Guild | CARTO-GRAPH-21-006, AUTH-GRAPH-21-001 | Add gateway routes for graph versions/viewport/node/path/diff/export/simulate endpoints with tenant enforcement, scope checks, and streaming responses. | +| WEB-GRAPH-21-002 `Request validation` | TODO | BE-Base Platform Guild | WEB-GRAPH-21-001 | Implement bbox/zoom/path parameter validation, pagination tokens, and deterministic ordering; add contract tests for boundary conditions. | +| WEB-GRAPH-21-003 `Error mapping & exports` | TODO | BE-Base Platform Guild, QA Guild | WEB-GRAPH-21-001 | Map graph service errors to `ERR_Graph_*`, support GraphML/JSONL export streaming, and document rate limits. 
| +| WEB-GRAPH-21-004 `Simulation bridge` | TODO | BE-Base Platform Guild, Policy Guild | WEB-GRAPH-21-001, POLICY-ENGINE-30-002 | Wire Policy Engine simulation overlays into graph endpoints (`simulate`, `filter`, `paths`) without persisting state; ensure latency budgets met. | + +## Graph Explorer (Sprint 28) + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| WEB-GRAPH-24-001 `Gateway routing refresh` | TODO | BE-Base Platform Guild | GRAPH-API-28-001, AUTH-GRAPH-21-001 | Route `/graph/*` requests to new Graph API service, inject tenant headers, feature flags, and enforce scope checks (`graph:read`, `graph:query`, `graph:export`). | +| WEB-GRAPH-24-002 `Overlay proxy` | TODO | BE-Base Platform Guild, Policy Guild | WEB-GRAPH-24-001, GRAPH-API-28-006 | Proxy policy/advisory/VEX overlay responses from dedicated services, manage caching headers/invalidation, and ensure no simulation logic exists in gateway. | +| WEB-GRAPH-24-004 `Telemetry aggregation` | TODO | BE-Base Platform Guild, Observability Guild | WEB-GRAPH-24-001..002, DEVOPS-GRAPH-28-003 | Collect gateway metrics/logs (tile latency, proxy errors, overlay cache stats) and forward to dashboards; document sampling strategy. | + +## Link-Not-Merge v1 + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| WEB-LNM-21-001 `Advisory observation endpoints` | TODO | BE-Base Platform Guild, Concelier WebService Guild | CONCELIER-LNM-21-201 | Surface new `/advisories/*` APIs through gateway with caching, pagination, and RBAC enforcement (`advisory:read`). | +| WEB-LNM-21-002 `VEX observation endpoints` | TODO | BE-Base Platform Guild, Excititor WebService Guild | EXCITITOR-LNM-21-201 | Expose `/vex/*` read APIs with evidence routes and export handlers; map `ERR_AGG_*` codes. 
| +| WEB-LNM-21-003 `Policy evidence aggregation` | TODO | BE-Base Platform Guild, Policy Guild | POLICY-ENGINE-40-001 | Provide combined endpoint for Console to fetch policy result + source evidence (advisory + VEX linksets) for a component. | + +## Policy Engine + Editor v1 (Epic 5) + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| WEB-POLICY-23-001 `Policy pack CRUD` | TODO | BE-Base Platform Guild, Policy Guild | POLICY-ENGINE-50-001 | Implement API endpoints for creating/listing/fetching policy packs and revisions (`/policy/packs`, `/policy/packs/{id}/revisions`) with pagination, RBAC, and AOC metadata exposure. | +| WEB-POLICY-23-002 `Activation & scope` | TODO | BE-Base Platform Guild | WEB-POLICY-23-001, POLICY-ENGINE-50-005 | Add activation endpoint with scope windows, conflict checks, and optional 2-person approval integration; emit events on success. | +| WEB-POLICY-23-003 `Simulation & evaluation` | TODO | BE-Base Platform Guild | POLICY-ENGINE-50-002 | Provide `/policy/simulate` and `/policy/evaluate` endpoints with streaming responses, rate limiting, and error mapping. | +| WEB-POLICY-23-004 `Explain retrieval` | TODO | BE-Base Platform Guild | POLICY-ENGINE-50-006 | Expose explain history endpoints (`/policy/runs`, `/policy/runs/{id}`) including decision tree, sources consulted, and AOC chain. | + +## Graph & Vuln Explorer v1 + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| WEB-GRAPH-24-001 `Graph endpoints` | TODO | BE-Base Platform Guild, SBOM Service Guild | SBOM-GRAPH-24-002 | Implement `/graph/assets/*` endpoints (snapshots, adjacency, search) with pagination, ETags, and tenant scoping. 
| +| WEB-GRAPH-24-002 `Simulation proxy` | TODO | BE-Base Platform Guild, Policy Guild | WEB-GRAPH-24-001, POLICY-ENGINE-50-002 | Proxy upgrade/policy simulation calls to Policy Engine, enforce rate limits, and return streamed diffs without gateway-side computation. | +| WEB-GRAPH-24-004 `AOC enrichers` | TODO | BE-Base Platform Guild | WEB-GRAPH-24-001, WEB-GRAPH-24-002 | Embed AOC summaries sourced from overlay services; ensure gateway does not compute derived severity or hints. | + +## StellaOps Console (Sprint 23) + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| WEB-CONSOLE-23-001 `Global posture endpoints` | TODO | BE-Base Platform Guild, Product Analytics Guild | CONCELIER-CONSOLE-23-001, EXCITITOR-CONSOLE-23-001, POLICY-CONSOLE-23-001, SBOM-CONSOLE-23-001, SCHED-CONSOLE-23-001 | Provide consolidated `/console/dashboard` and `/console/filters` APIs returning tenant-scoped aggregates (findings by severity, VEX override counts, advisory deltas, run health, policy change log). Enforce AOC labelling, deterministic ordering, and cursor-based pagination for drill-down hints. | +| WEB-CONSOLE-23-002 `Live status & SSE proxy` | TODO | BE-Base Platform Guild, Scheduler Guild | SCHED-CONSOLE-23-001, DEVOPS-CONSOLE-23-001 | Expose `/console/status` polling endpoint and `/console/runs/{id}/stream` SSE/WebSocket proxy with heartbeat/backoff, queue lag metrics, and auth scope enforcement. Surface request IDs + retry headers. | +| WEB-CONSOLE-23-003 `Evidence export orchestrator` | TODO | BE-Base Platform Guild, Policy Guild | EXPORT-CONSOLE-23-001, POLICY-CONSOLE-23-001 | Add `/console/exports` POST/GET routes coordinating evidence bundle creation, streaming CSV/JSON exports, checksum manifest retrieval, and signed attestation references. Ensure requests honor tenant + policy scopes and expose job tracking metadata. 
| +| WEB-CONSOLE-23-004 `Global search router` | TODO | BE-Base Platform Guild | CONCELIER-CONSOLE-23-001, EXCITITOR-CONSOLE-23-001, SBOM-CONSOLE-23-001 | Implement `/console/search` endpoint accepting CVE/GHSA/PURL/SBOM identifiers, performing fan-out queries with caching, ranking, and deterministic tie-breaking. Return typed results for Console navigation; respect result caps and latency SLOs. | +| WEB-CONSOLE-23-005 `Downloads manifest API` | TODO | BE-Base Platform Guild, DevOps Guild | DOWNLOADS-CONSOLE-23-001, DEVOPS-CONSOLE-23-002 | Serve `/console/downloads` JSON manifest (images, charts, offline bundles) sourced from signed registry metadata; include integrity hashes, release notes links, and offline instructions. Provide caching headers and documentation. | + +## Policy Studio (Sprint 27) + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| WEB-POLICY-27-001 `Policy registry proxy` | TODO | BE-Base Platform Guild, Policy Registry Guild | REGISTRY-API-27-001, AUTH-POLICY-27-001 | Surface Policy Registry APIs (`/policy/workspaces`, `/policy/versions`, `/policy/reviews`, `/policy/registry`) through gateway with tenant scoping, RBAC, and request validation; ensure streaming downloads for evidence bundles. | +| WEB-POLICY-27-002 `Review & approval routes` | TODO | BE-Base Platform Guild | WEB-POLICY-27-001, REGISTRY-API-27-006 | Implement review lifecycle endpoints (open, comment, approve/reject) with audit headers, comment pagination, and webhook fan-out. | +| WEB-POLICY-27-003 `Simulation orchestration endpoints` | TODO | BE-Base Platform Guild, Scheduler Guild | REGISTRY-API-27-005, SCHED-CONSOLE-27-001 | Expose quick/batch simulation endpoints with SSE progress (`/policy/simulations/{runId}/stream`), cursor-based result pagination, and manifest download routes. 
| +| WEB-POLICY-27-004 `Publish & promote controls` | TODO | BE-Base Platform Guild, Security Guild | REGISTRY-API-27-007, REGISTRY-API-27-008, AUTH-POLICY-27-002 | Add publish/sign/promote/rollback endpoints with idempotent request IDs, canary parameters, and environment bindings; enforce scope checks and emit structured events. | +| WEB-POLICY-27-005 `Policy Studio telemetry` | TODO | BE-Base Platform Guild, Observability Guild | WEB-POLICY-27-001..004, TELEMETRY-CONSOLE-27-001 | Instrument metrics/logs for compile latency, simulation queue depth, approval latency, promotion actions; expose aggregated dashboards and correlation IDs for Console. | + +## Exceptions v1 (Epic 7) + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| WEB-EXC-25-001 `Exceptions CRUD & workflow` | TODO | BE-Base Platform Guild | POLICY-ENGINE-70-002, AUTH-EXC-25-001 | Implement `/exceptions` API (create, propose, approve, revoke, list, history) with validation, pagination, and audit logging. | +| WEB-EXC-25-002 `Policy integration surfaces` | TODO | BE-Base Platform Guild | POLICY-ENGINE-70-001 | Extend `/policy/effective` and `/policy/simulate` responses to include exception metadata and accept overrides for simulations. | +| WEB-EXC-25-003 `Notifications & events` | TODO | BE-Base Platform Guild, Platform Events Guild | WEB-EXC-25-001 | Publish `exception.*` events, integrate with notification hooks, enforce rate limits. | + +## Reachability v1 + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| WEB-SIG-26-001 `Signals proxy endpoints` | TODO | BE-Base Platform Guild, Signals Guild | SIGNALS-24-001 | Surface `/signals/callgraphs`, `/signals/facts` read/write endpoints with pagination, ETags, and RBAC. 
| +| WEB-SIG-26-002 `Reachability joins` | TODO | BE-Base Platform Guild | WEB-SIG-26-001, POLICY-ENGINE-80-001 | Extend `/policy/effective` and `/vuln/explorer` responses to include reachability scores/states and allow filtering. | +| WEB-SIG-26-003 `Simulation hooks` | TODO | BE-Base Platform Guild | WEB-SIG-26-002, POLICY-ENGINE-80-001 | Add reachability override parameters to `/policy/simulate` and related APIs for what-if analysis. | + +## Vulnerability Explorer (Sprint 29) + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| WEB-VULN-29-001 `Vuln API routing` | TODO | BE-Base Platform Guild | VULN-API-29-001, AUTH-VULN-29-001 | Expose `/vuln/*` endpoints via gateway with tenant scoping, RBAC/ABAC enforcement, anti-forgery headers, and request logging. | +| WEB-VULN-29-002 `Ledger proxy headers` | TODO | BE-Base Platform Guild, Findings Ledger Guild | WEB-VULN-29-001, LEDGER-29-002 | Forward workflow actions to Findings Ledger with idempotency headers and correlation IDs; handle retries/backoff. | +| WEB-VULN-29-003 `Simulation + export routing` | TODO | BE-Base Platform Guild | VULN-API-29-005, VULN-API-29-008 | Provide simulation and export orchestration routes with SSE/progress headers, signed download links, and request budgeting. | +| WEB-VULN-29-004 `Telemetry aggregation` | TODO | BE-Base Platform Guild, Observability Guild | WEB-VULN-29-001..003, DEVOPS-VULN-29-003 | Emit gateway metrics/logs (latency, error rates, export duration), propagate query hashes for analytics dashboards. | + +## Advisory AI (Sprint 31) + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| WEB-AIAI-31-001 `API routing` | TODO | BE-Base Platform Guild | AIAI-31-006, AUTH-VULN-29-001 | Route `/advisory/ai/*` endpoints through gateway with RBAC/ABAC, rate limits, and telemetry headers. 
| +| WEB-AIAI-31-002 `Batch orchestration` | TODO | BE-Base Platform Guild | AIAI-31-006 | Provide batching job handlers and streaming responses for CLI automation with retry/backoff. | +| WEB-AIAI-31-003 `Telemetry & audit` | TODO | BE-Base Platform Guild, Observability Guild | WEB-AIAI-31-001, DEVOPS-AIAI-31-001 | Emit metrics/logs (latency, guardrail blocks, validation failures) and forward anonymized prompt hashes to analytics. | + +## Orchestrator Dashboard + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| WEB-ORCH-32-001 `Read-only routing` | TODO | BE-Base Platform Guild | ORCH-SVC-32-003, AUTH-ORCH-32-001 | Expose `/orchestrator/sources|runs|jobs|dag` read endpoints via gateway with tenant scoping, caching, and viewer scope enforcement. | +| WEB-ORCH-33-001 `Control + backfill actions` | TODO | BE-Base Platform Guild | WEB-ORCH-32-001, ORCH-SVC-33-001, AUTH-ORCH-33-001 | Add POST action routes (`pause|resume|test`, `retry|cancel`, `jobs/tail`, `backfill preview`) with proper error mapping and SSE bridging. | +| WEB-ORCH-34-001 `Quotas & telemetry` | TODO | BE-Base Platform Guild | WEB-ORCH-33-001, ORCH-SVC-33-003, ORCH-SVC-34-001 | Surface quotas/backfill APIs, queue/backpressure metrics, and error clustering routes with admin scope enforcement and audit logging. | + +## Export Center +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| WEB-EXPORT-35-001 `Export routing` | TODO | BE-Base Platform Guild | EXPORT-SVC-35-006, AUTH-EXPORT-35-001 | Surface Export Center APIs (profiles/runs/download) through gateway with tenant scoping, streaming support, and viewer/operator scope checks. | +| WEB-EXPORT-36-001 `Distribution endpoints` | TODO | BE-Base Platform Guild | WEB-EXPORT-35-001, EXPORT-SVC-36-004 | Add distribution routes (OCI/object storage), manifest/provenance proxies, and signed URL generation. 
| +| WEB-EXPORT-37-001 `Scheduling & verification` | TODO | BE-Base Platform Guild | WEB-EXPORT-36-001, EXPORT-SVC-37-003 | Expose scheduling, retention, encryption parameters, and verification endpoints with admin scope enforcement and audit logs. | + +## Notifications Studio (Epic 11) + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| WEB-NOTIFY-38-001 `Gateway routing` | TODO | BE-Base Platform Guild | NOTIFY-SVC-38-004, AUTH-NOTIFY-38-001 | Route notifier APIs (`/notifications/*`) and WS feed through gateway with tenant scoping, viewer/operator scope enforcement, and SSE/WebSocket bridging. | +| WEB-NOTIFY-39-001 `Digest & simulation endpoints` | TODO | BE-Base Platform Guild | WEB-NOTIFY-38-001, NOTIFY-SVC-39-001..003 | Surface digest scheduling, quiet-hour/throttle management, and simulation APIs; ensure rate limits and audit logging. | +| WEB-NOTIFY-40-001 `Escalations & localization` | TODO | BE-Base Platform Guild | WEB-NOTIFY-39-001, NOTIFY-SVC-40-001..003 | Expose escalation, localization, channel health, and ack verification endpoints with admin scope enforcement and signed token validation. | + +## Containerized Distribution (Epic 13) + +| ID | Status | Owner(s) | Depends on | Notes | +|----|--------|----------|------------|-------| +| WEB-CONTAINERS-44-001 `Config discovery & quickstart flag` | TODO | BE-Base Platform Guild | COMPOSE-44-001 | Expose `/welcome` state, config discovery endpoint (safe values), and `QUICKSTART_MODE` handling for Console banner; add `/health/liveness`, `/health/readiness`, `/version` if missing. | +| WEB-CONTAINERS-45-001 `Helm readiness support` | TODO | BE-Base Platform Guild | HELM-45-001 | Ensure readiness endpoints reflect DB/queue readiness, add feature flag toggles via config map, and document NetworkPolicy ports. 
|
+| WEB-CONTAINERS-46-001 `Air-gap hardening` | TODO | BE-Base Platform Guild | DEPLOY-AIRGAP-46-001 | Provide offline-friendly asset serving (no CDN), allow overriding object store endpoints via env, and document fallback behavior. |
+
+## Authority-Backed Scopes & Tenancy (Epic 14)
+| ID | Status | Owner(s) | Depends on | Notes |
+|----|--------|----------|------------|-------|
+| WEB-TEN-47-001 `Auth middleware` | TODO | BE-Base Platform Guild | AUTH-TEN-47-001 | Implement JWT verification, tenant activation from headers, scope matching, and decision audit emission for all API endpoints. |
+| WEB-TEN-48-001 `Tenant context propagation` | TODO | BE-Base Platform Guild | WEB-TEN-47-001 | Set DB session `stella.tenant_id`, enforce tenant/project checks on persistence, prefix object storage paths, and stamp audit metadata. |
+| WEB-TEN-49-001 `ABAC & audit API` | TODO | BE-Base Platform Guild, Policy Guild | POLICY-TEN-48-001 | Integrate optional ABAC overlay with Policy Engine, expose `/audit/decisions` API, and support service token minting endpoints. |
+
+## Observability & Forensics (Epic 15)
+| ID | Status | Owner(s) | Depends on | Notes |
+|----|--------|----------|------------|-------|
+| WEB-OBS-50-001 `Telemetry core adoption` | TODO | BE-Base Platform Guild, Observability Guild | TELEMETRY-OBS-50-001, TELEMETRY-OBS-50-002 | Integrate `StellaOps.Telemetry.Core` into gateway host, replace ad-hoc logging, ensure all routes emit trace/span IDs, tenant context, and scrubbed payload previews. |
+| WEB-OBS-51-001 `Observability health endpoints` | TODO | BE-Base Platform Guild | WEB-OBS-50-001, TELEMETRY-OBS-51-001 | Implement `/obs/health` and `/obs/slo` aggregations, pulling metrics from Prometheus/collector APIs, including burn-rate signals and exemplar links for Console widgets.
|
+| WEB-OBS-52-001 `Trace & log proxies` | TODO | BE-Base Platform Guild | WEB-OBS-50-001, TIMELINE-OBS-52-003 | Deliver `/obs/trace/:id` and `/obs/logs` proxy endpoints with guardrails (time window limits, tenant scoping) forwarding to timeline indexer + log store with signed URLs. |
+| WEB-OBS-54-001 `Evidence & attestation bridges` | TODO | BE-Base Platform Guild | EVID-OBS-54-001, PROV-OBS-54-001 | Provide `/evidence/*` and `/attestations/*` pass-through endpoints, enforce `timeline:read`, `evidence:read`, `attest:read` scopes, append provenance headers, and surface verification summaries. |
+| WEB-OBS-55-001 `Incident mode controls` | TODO | BE-Base Platform Guild, Ops Guild | WEB-OBS-50-001, TELEMETRY-OBS-55-001, DEVOPS-OBS-55-001 | Add `/obs/incident-mode` API (enable/disable/status) with audit trail, sampling override, retention bump preview, and CLI/Console hooks. |
+| WEB-OBS-56-001 `Sealed status surfaces` | TODO | BE-Base Platform Guild, AirGap Guild | WEB-OBS-50-001, AIRGAP-CTL-56-002 | Extend telemetry core integration to expose sealed/unsealed status APIs, drift metrics, and Console widgets without leaking sealed-mode secrets. |
+
+## SDKs & OpenAPI (Epic 17)
+| ID | Status | Owner(s) | Depends on | Notes |
+|----|--------|----------|------------|-------|
+| WEB-OAS-61-001 `Discovery endpoint` | TODO | BE-Base Platform Guild | OAS-61-002 | Implement `GET /.well-known/openapi` returning gateway spec with version metadata, cache headers, and signed ETag. |
+| WEB-OAS-61-002 `Standard error envelope` | TODO | BE-Base Platform Guild | APIGOV-61-001 | Migrate gateway errors to standard envelope and update examples; ensure telemetry logs include `error.code`. |
+| WEB-OAS-62-001 `Pagination & idempotency alignment` | TODO | BE-Base Platform Guild | WEB-OAS-61-002 | Normalize all endpoints to cursor pagination, expose `Idempotency-Key` support, and document rate-limit headers.
|
+| WEB-OAS-63-001 `Deprecation support` | TODO | BE-Base Platform Guild, API Governance Guild | APIGOV-63-001 | Add deprecation header middleware, Sunset link emission, and observability metrics for deprecated routes. |
+
+## Risk Profiles (Epic 18)
+| ID | Status | Owner(s) | Depends on | Notes |
+|----|--------|----------|------------|-------|
+| WEB-RISK-66-001 `Risk API routing` | TODO | BE-Base Platform Guild, Policy Guild | POLICY-RISK-67-002 | Expose risk profile/results endpoints through gateway with tenant scoping, pagination, and rate limiting. |
+| WEB-RISK-66-002 `Explainability downloads` | TODO | BE-Base Platform Guild, Risk Engine Guild | RISK-ENGINE-68-002 | Add signed URL handling for explanation blobs and enforce scope checks. |
+| WEB-RISK-67-001 `Risk status endpoint` | TODO | BE-Base Platform Guild | WEB-RISK-66-001 | Provide aggregated risk stats (`/risk/status`) for Console dashboards (counts per severity, last computation). |
+| WEB-RISK-68-001 `Notification hooks` | TODO | BE-Base Platform Guild, Notifications Guild | NOTIFY-RISK-66-001 | Emit events on severity transitions via gateway to notifier bus with trace metadata. |
diff --git a/src/StellaOps.sln b/src/StellaOps.sln
index b00b85df..8d7a1025 100644
--- a/src/StellaOps.sln
+++ b/src/StellaOps.sln
@@ -339,6 +339,12 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Zastava.Observer"
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Zastava.Observer.Tests", "StellaOps.Zastava.Observer.Tests\StellaOps.Zastava.Observer.Tests.csproj", "{20E0774F-86D5-4CD0-B636-E5212074FDE8}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Policy.Engine", "StellaOps.Policy.Engine\StellaOps.Policy.Engine.csproj", "{FE668D8D-AB46-41F4-A82F-8A3330C4D152}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.Cartographer", "StellaOps.Cartographer\StellaOps.Cartographer.csproj", "{548C296A-476B-433D-9552-923648BDFA97}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "StellaOps.SbomService", "StellaOps.SbomService\StellaOps.SbomService.csproj", "{3510DF3E-E822-4FB1-8C65-ED6DBAD223D4}"
+EndProject
 Global
 GlobalSection(SolutionConfigurationPlatforms) = preSolution
 Debug|Any CPU = Debug|Any CPU
@@ -2305,6 +2311,42 @@ Global
 {20E0774F-86D5-4CD0-B636-E5212074FDE8}.Release|x64.Build.0 = Release|Any CPU
 {20E0774F-86D5-4CD0-B636-E5212074FDE8}.Release|x86.ActiveCfg = Release|Any CPU
 {20E0774F-86D5-4CD0-B636-E5212074FDE8}.Release|x86.Build.0 = Release|Any CPU
+ {FE668D8D-AB46-41F4-A82F-8A3330C4D152}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {FE668D8D-AB46-41F4-A82F-8A3330C4D152}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {FE668D8D-AB46-41F4-A82F-8A3330C4D152}.Debug|x64.ActiveCfg = Debug|Any CPU
+ {FE668D8D-AB46-41F4-A82F-8A3330C4D152}.Debug|x64.Build.0 = Debug|Any CPU
+ {FE668D8D-AB46-41F4-A82F-8A3330C4D152}.Debug|x86.ActiveCfg = Debug|Any CPU
+ {FE668D8D-AB46-41F4-A82F-8A3330C4D152}.Debug|x86.Build.0 = Debug|Any CPU
+ {FE668D8D-AB46-41F4-A82F-8A3330C4D152}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {FE668D8D-AB46-41F4-A82F-8A3330C4D152}.Release|Any CPU.Build.0 = Release|Any CPU
+ {FE668D8D-AB46-41F4-A82F-8A3330C4D152}.Release|x64.ActiveCfg = Release|Any CPU
+ {FE668D8D-AB46-41F4-A82F-8A3330C4D152}.Release|x64.Build.0 = Release|Any CPU
+ {FE668D8D-AB46-41F4-A82F-8A3330C4D152}.Release|x86.ActiveCfg = Release|Any CPU
+ {FE668D8D-AB46-41F4-A82F-8A3330C4D152}.Release|x86.Build.0 = Release|Any CPU
+ {548C296A-476B-433D-9552-923648BDFA97}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {548C296A-476B-433D-9552-923648BDFA97}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {548C296A-476B-433D-9552-923648BDFA97}.Debug|x64.ActiveCfg = Debug|Any CPU
+ {548C296A-476B-433D-9552-923648BDFA97}.Debug|x64.Build.0 = Debug|Any CPU
+ {548C296A-476B-433D-9552-923648BDFA97}.Debug|x86.ActiveCfg = Debug|Any CPU
+ {548C296A-476B-433D-9552-923648BDFA97}.Debug|x86.Build.0 = Debug|Any CPU
+ {548C296A-476B-433D-9552-923648BDFA97}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {548C296A-476B-433D-9552-923648BDFA97}.Release|Any CPU.Build.0 = Release|Any CPU
+ {548C296A-476B-433D-9552-923648BDFA97}.Release|x64.ActiveCfg = Release|Any CPU
+ {548C296A-476B-433D-9552-923648BDFA97}.Release|x64.Build.0 = 
Release|Any CPU
+ {548C296A-476B-433D-9552-923648BDFA97}.Release|x86.ActiveCfg = Release|Any CPU
+ {548C296A-476B-433D-9552-923648BDFA97}.Release|x86.Build.0 = Release|Any CPU
+ {3510DF3E-E822-4FB1-8C65-ED6DBAD223D4}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {3510DF3E-E822-4FB1-8C65-ED6DBAD223D4}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {3510DF3E-E822-4FB1-8C65-ED6DBAD223D4}.Debug|x64.ActiveCfg = Debug|Any CPU
+ {3510DF3E-E822-4FB1-8C65-ED6DBAD223D4}.Debug|x64.Build.0 = Debug|Any CPU
+ {3510DF3E-E822-4FB1-8C65-ED6DBAD223D4}.Debug|x86.ActiveCfg = Debug|Any CPU
+ {3510DF3E-E822-4FB1-8C65-ED6DBAD223D4}.Debug|x86.Build.0 = Debug|Any CPU
+ {3510DF3E-E822-4FB1-8C65-ED6DBAD223D4}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {3510DF3E-E822-4FB1-8C65-ED6DBAD223D4}.Release|Any CPU.Build.0 = Release|Any CPU
+ {3510DF3E-E822-4FB1-8C65-ED6DBAD223D4}.Release|x64.ActiveCfg = Release|Any CPU
+ {3510DF3E-E822-4FB1-8C65-ED6DBAD223D4}.Release|x64.Build.0 = Release|Any CPU
+ {3510DF3E-E822-4FB1-8C65-ED6DBAD223D4}.Release|x86.ActiveCfg = Release|Any CPU
+ {3510DF3E-E822-4FB1-8C65-ED6DBAD223D4}.Release|x86.Build.0 = Release|Any CPU
 EndGlobalSection
 GlobalSection(SolutionProperties) = preSolution
 HideSolutionNode = FALSE
diff --git a/test/contract/AGENTS.md b/test/contract/AGENTS.md
new file mode 100644
index 00000000..301ca4bd
--- /dev/null
+++ b/test/contract/AGENTS.md
@@ -0,0 +1,15 @@
+# Contract Testing Guild Charter
+
+## Mission
+Guarantee runtime adherence to OpenAPI specifications through mock servers, replay suites, and golden example validation.
+
+## Scope
+- Generate mock servers from aggregate OAS and maintain operation examples.
+- Run replay tests against staging environments to detect schema drift.
+- Manage golden fixtures used for SDK examples and documentation.
+- Provide tooling for PR-level contract verification.
+
+## Definition of Done
+- Mock server and replay suites run in CI gating merges.
+- Golden examples kept in sync with docs and SDK snippets.
+- Regression catches contract drift before release.
diff --git a/test/contract/TASKS.md b/test/contract/TASKS.md
new file mode 100644
index 00000000..c7fbc857
--- /dev/null
+++ b/test/contract/TASKS.md
@@ -0,0 +1,13 @@
+# Contract Testing Task Board — Epic 17: SDKs & OpenAPI Docs
+
+## Sprint 62 – Mock Server & Fixtures
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| CONTR-62-001 | TODO | Contract Testing Guild | OAS-61-002 | Generate mock server configuration from aggregate spec; seed golden request/response fixtures. | Mock server runs locally; fixtures stored under version control; integration docs updated. |
+| CONTR-62-002 | TODO | Contract Testing Guild | CONTR-62-001 | Integrate mock server tests into PR CI ensuring each operation has example coverage. | CI job added; failing on missing examples; results visible in PR checks. |
+
+## Sprint 63 – Replay & Drift Detection
+| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |
+|----|--------|----------|------------|-------------|---------------|
+| CONTR-63-001 | TODO | Contract Testing Guild, Platform Guild | CONTR-62-002 | Build replay harness capturing staging traffic and validating against spec; enforce zero drift. | Replay suite runs nightly; failures create alerts; documentation updated. |
+| CONTR-63-002 | TODO | Contract Testing Guild, Observability Guild | CONTR-63-001 | Emit metrics/logs for contract test coverage and failures. | Metrics visible in dashboards; alerts configured. |