From 66cb6c4b8af58a33efa1521b7953dda834431497 Mon Sep 17 00:00:00 2001 
From: master Date: Sat, 1 Nov 2025 02:21:46 +0200 Subject: [PATCH] feat: Add guild charters and task boards for various components - Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform. - Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds. - Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies. - Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries. --- AGENTS.md | 431 ++-- docs/AGENTS.md | 54 +- docs/TASKS.md | 1 + docs/airgap/staleness-and-time.md | 68 + docs/contributing/api-contracts.md | 37 + docs/dev/plugins/README.md | 34 + docs/forensics/provenance-attestation.md | 41 + docs/forensics/timeline.md | 41 + docs/implplan/EXECPLAN.md | 1831 ----------------- docs/implplan/SPRINTS.md | 1110 +--------- docs/implplan/SPRINTS_PRIOR_20251031.md | 1099 ++++++++++ docs/implplan/SPRINT_100_identity_signing.md | 99 + .../implplan/SPRINT_110_ingestion_evidence.md | 305 +++ docs/implplan/SPRINT_120_policy_reasoning.md | 287 +++ docs/implplan/SPRINT_130_scanner_surface.md | 169 ++ docs/implplan/SPRINT_140_runtime_signals.md | 65 + .../SPRINT_150_scheduling_automation.md | 148 ++ docs/implplan/SPRINT_160_export_evidence.md | 95 + .../SPRINT_170_notifications_telemetry.md | 68 + docs/implplan/SPRINT_180_experience_sdks.md | 326 +++ docs/implplan/SPRINT_190_ops_offline.md | 237 +++ .../SPRINT_200_documentation_process.md | 482 +++++ docs/modules/advisory-ai/AGENTS.md | 57 +- docs/modules/attestor/AGENTS.md | 57 +- docs/modules/authority/AGENTS.md | 56 +- docs/modules/ci/AGENTS.md | 56 +- docs/modules/cli/AGENTS.md | 56 +- docs/modules/concelier/AGENTS.md | 56 +- docs/modules/devops/AGENTS.md | 56 +- 
.../devops/runbooks/launch-readiness.md | 2 +- .../devops/runbooks/zastava-deployment.md | 49 + docs/modules/excititor/AGENTS.md | 56 +- docs/modules/export-center/AGENTS.md | 56 +- docs/modules/graph/AGENTS.md | 56 +- docs/modules/notify/AGENTS.md | 56 +- docs/modules/orchestrator/AGENTS.md | 56 +- docs/modules/platform/AGENTS.md | 56 +- docs/modules/policy/AGENTS.md | 56 +- docs/modules/registry/AGENTS.md | 56 +- docs/modules/scanner/AGENTS.md | 56 +- docs/modules/scanner/design/surface-env.md | 147 ++ docs/modules/scanner/design/surface-fs.md | 130 ++ .../modules/scanner/design/surface-secrets.md | 121 ++ .../scanner/design/surface-validation.md | 99 + docs/modules/scheduler/AGENTS.md | 56 +- docs/modules/signer/AGENTS.md | 57 +- docs/modules/telemetry/AGENTS.md | 56 +- docs/modules/ui/AGENTS.md | 56 +- docs/modules/vex-lens/AGENTS.md | 57 +- docs/modules/vexer/AGENTS.md | 56 +- docs/modules/vuln-explorer/AGENTS.md | 57 +- docs/modules/zastava/AGENTS.md | 56 +- docs/technical/architecture/component-map.md | 6 +- docs/technical/process/README.md | 1 - ops/authority/AGENTS.md | 4 + ops/deployment/AGENTS.md | 19 +- ops/devops/AGENTS.md | 33 +- ops/devops/TASKS.md | 8 + ops/licensing/AGENTS.md | 19 +- ops/offline-kit/AGENTS.md | 19 +- ops/offline-kit/TASKS.md | 1 + samples/AGENTS.md | 30 + src/AdvisoryAI/StellaOps.AdvisoryAI/AGENTS.md | 11 + .../StellaOps.AirGap.Controller/AGENTS.md | 43 +- .../StellaOps.AirGap.Importer/AGENTS.md | 43 +- src/AirGap/StellaOps.AirGap.Policy/AGENTS.md | 43 +- src/AirGap/StellaOps.AirGap.Time/AGENTS.md | 42 +- src/Api/StellaOps.Api.Governance/AGENTS.md | 41 +- src/Api/StellaOps.Api.OpenApi/AGENTS.md | 10 + .../StellaOps.Attestor.Envelope/AGENTS.md | 41 +- .../StellaOps.Attestor.Types/AGENTS.md | 39 +- .../StellaOps.Attestor.Verify/AGENTS.md | 39 +- src/Attestor/StellaOps.Attestor/AGENTS.md | 11 + src/Authority/StellaOps.Authority/AGENTS.md | 11 + .../AGENTS.md | 11 + src/Bench/StellaOps.Bench/AGENTS.md | 27 + 
.../StellaOps.Cartographer/AGENTS.md | 44 +- src/Cli/StellaOps.Cli/AGENTS.md | 68 +- .../StellaOps.Concelier.WebService/AGENTS.md | 77 +- .../AGENTS.md | 91 +- .../AGENTS.md | 91 +- .../AGENTS.md | 91 +- .../AGENTS.md | 87 +- .../AGENTS.md | 65 +- .../AGENTS.md | 67 +- .../AGENTS.md | 73 +- .../AGENTS.md | 87 +- .../AGENTS.md | 65 +- .../AGENTS.md | 25 + .../AGENTS.md | 89 +- .../AGENTS.md | 89 +- .../AGENTS.md | 67 +- .../AGENTS.md | 69 +- .../AGENTS.md | 99 +- .../AGENTS.md | 87 +- .../AGENTS.md | 63 +- .../AGENTS.md | 63 +- .../AGENTS.md | 87 +- .../AGENTS.md | 87 +- .../AGENTS.md | 25 + .../AGENTS.md | 67 +- .../AGENTS.md | 89 +- .../AGENTS.md | 67 +- .../AGENTS.md | 71 +- .../AGENTS.md | 71 +- .../AGENTS.md | 65 +- .../AGENTS.md | 67 +- .../StellaOps.Concelier.Core/AGENTS.md | 75 +- .../AGENTS.md | 67 +- .../AGENTS.md | 69 +- .../StellaOps.Concelier.Merge/AGENTS.md | 77 +- .../StellaOps.Concelier.Models/AGENTS.md | 71 +- .../AGENTS.md | 27 + .../AGENTS.md | 69 +- .../StellaOps.DevPortal.Site/AGENTS.md | 41 +- .../StellaOps.EvidenceLocker/AGENTS.md | 67 +- .../AGENTS.md | 25 + .../StellaOps.Excititor.WebService/AGENTS.md | 61 +- .../StellaOps.Excititor.Worker/AGENTS.md | 57 +- .../StellaOps.Excititor.Attestation/AGENTS.md | 57 +- .../AGENTS.md | 55 +- .../AGENTS.md | 57 +- .../AGENTS.md | 57 +- .../AGENTS.md | 57 +- .../AGENTS.md | 57 +- .../AGENTS.md | 61 +- .../AGENTS.md | 57 +- .../AGENTS.md | 57 +- .../StellaOps.Excititor.Core/AGENTS.md | 63 +- .../StellaOps.Excititor.Export/AGENTS.md | 57 +- .../AGENTS.md | 57 +- .../AGENTS.md | 55 +- .../AGENTS.md | 53 +- .../StellaOps.Excititor.Policy/AGENTS.md | 57 +- .../AGENTS.md | 59 +- .../AGENTS.md | 39 +- .../AGENTS.md | 39 +- .../AGENTS.md | 39 +- .../StellaOps.ExportCenter/AGENTS.md | 47 +- .../StellaOps.Findings.Ledger/AGENTS.md | 11 + src/Graph/StellaOps.Graph.Api/AGENTS.md | 11 + src/Graph/StellaOps.Graph.Indexer/AGENTS.md | 11 + .../StellaOps.IssuerDirectory/AGENTS.md | 10 + 
src/Mirror/StellaOps.Mirror.Creator/AGENTS.md | 40 +- src/Notifier/StellaOps.Notifier/AGENTS.md | 45 +- .../StellaOps.Notify.WebService/AGENTS.md | 19 +- src/Notify/StellaOps.Notify.Worker/AGENTS.md | 19 +- .../AGENTS.md | 19 +- .../AGENTS.md | 19 +- .../AGENTS.md | 19 +- .../AGENTS.md | 19 +- .../StellaOps.Notify.Engine/AGENTS.md | 19 +- .../StellaOps.Notify.Models/AGENTS.md | 19 +- .../StellaOps.Notify.Queue/AGENTS.md | 19 +- .../StellaOps.Notify.Storage.Mongo/AGENTS.md | 19 +- .../AGENTS.md | 31 +- .../AGENTS.md | 31 +- .../StellaOps.Orchestrator/AGENTS.md | 47 +- .../StellaOps.PacksRegistry/AGENTS.md | 45 +- src/Policy/StellaOps.Policy.Engine/AGENTS.md | 45 +- .../StellaOps.Policy.Registry/AGENTS.md | 11 + .../StellaOps.Policy.RiskProfile/AGENTS.md | 41 +- .../__Libraries/StellaOps.Policy/AGENTS.md | 35 +- .../AGENTS.md | 51 +- src/RiskEngine/StellaOps.RiskEngine/AGENTS.md | 56 +- .../StellaOps.SbomService/AGENTS.md | 40 +- .../AGENTS.md | 27 + .../AGENTS.md | 27 + .../AGENTS.md | 29 + .../AGENTS.md | 27 + .../AGENTS.md | 35 +- .../TASKS.md | 3 + .../StellaOps.Scanner.WebService/AGENTS.md | 29 + .../StellaOps.Scanner.WebService/TASKS.md | 3 + .../StellaOps.Scanner.Worker/AGENTS.md | 63 +- src/Scanner/StellaOps.Scanner.Worker/TASKS.md | 3 + .../AGENTS.md | 69 +- .../AGENTS.md | 11 + .../AGENTS.md | 27 + .../AGENTS.md | 11 + .../AGENTS.md | 75 +- .../AGENTS.md | 69 +- .../AGENTS.md | 77 +- .../StellaOps.Scanner.Analyzers.Lang/TASKS.md | 3 + .../StellaOps.Scanner.Analyzers.OS/AGENTS.md | 91 +- .../StellaOps.Scanner.Cache/AGENTS.md | 41 +- .../StellaOps.Scanner.Core/AGENTS.md | 69 +- .../StellaOps.Scanner.Diff/AGENTS.md | 51 +- .../StellaOps.Scanner.Emit/AGENTS.md | 51 +- .../StellaOps.Scanner.EntryTrace/AGENTS.md | 75 +- .../StellaOps.Scanner.EntryTrace/TASKS.md | 2 + .../StellaOps.Scanner.Queue/AGENTS.md | 41 +- .../StellaOps.Scanner.Storage/AGENTS.md | 67 +- .../StellaOps.Scanner.Surface.Env/AGENTS.md | 27 + .../StellaOps.Scanner.Surface.Env/TASKS.md | 9 + 
.../StellaOps.Scanner.Surface.FS/AGENTS.md | 30 + .../StellaOps.Scanner.Surface.FS/TASKS.md | 10 + .../AGENTS.md | 30 + .../TASKS.md | 10 + .../AGENTS.md | 27 + .../TASKS.md | 9 + .../StellaOps.Scheduler.WebService/AGENTS.md | 19 +- .../StellaOps.Scheduler.ImpactIndex/AGENTS.md | 19 +- .../StellaOps.Scheduler.Models/AGENTS.md | 19 +- .../StellaOps.Scheduler.Queue/AGENTS.md | 19 +- .../AGENTS.md | 19 +- .../StellaOps.Scheduler.Worker/AGENTS.md | 19 +- .../StellaOps.Scheduler.Worker/TASKS.md | 1 + src/Sdk/StellaOps.Sdk.Generator/AGENTS.md | 41 +- src/Sdk/StellaOps.Sdk.Release/AGENTS.md | 41 +- src/Signals/StellaOps.Signals/AGENTS.md | 31 +- src/Signer/StellaOps.Signer/AGENTS.md | 11 + src/TaskRunner/StellaOps.TaskRunner/AGENTS.md | 45 +- .../StellaOps.Telemetry.Core/AGENTS.md | 53 +- .../StellaOps.TimelineIndexer/AGENTS.md | 67 +- src/UI/StellaOps.UI/AGENTS.md | 28 + src/VexLens/StellaOps.VexLens/AGENTS.md | 10 + .../StellaOps.VulnExplorer.Api/AGENTS.md | 10 + src/Web/StellaOps.Web/AGENTS.md | 10 + .../StellaOps.Zastava.Observer/AGENTS.md | 29 + .../StellaOps.Zastava.Observer/TASKS.md | 3 + .../StellaOps.Zastava.Webhook/AGENTS.md | 30 + .../StellaOps.Zastava.Webhook/TASKS.md | 3 + .../StellaOps.Zastava.Core/AGENTS.md | 28 + .../StellaOps.Cryptography.Kms/AGENTS.md | 38 +- .../StellaOps.Cryptography/AGENTS.md | 10 + src/__Libraries/StellaOps.Plugin/AGENTS.md | 25 + 227 files changed, 9913 insertions(+), 6210 deletions(-) create mode 100644 docs/airgap/staleness-and-time.md create mode 100644 docs/contributing/api-contracts.md create mode 100644 docs/dev/plugins/README.md create mode 100644 docs/forensics/provenance-attestation.md create mode 100644 docs/forensics/timeline.md delete mode 100644 docs/implplan/EXECPLAN.md create mode 100644 docs/implplan/SPRINTS_PRIOR_20251031.md create mode 100644 docs/implplan/SPRINT_100_identity_signing.md create mode 100644 docs/implplan/SPRINT_110_ingestion_evidence.md create mode 100644 docs/implplan/SPRINT_120_policy_reasoning.md 
create mode 100644 docs/implplan/SPRINT_130_scanner_surface.md create mode 100644 docs/implplan/SPRINT_140_runtime_signals.md create mode 100644 docs/implplan/SPRINT_150_scheduling_automation.md create mode 100644 docs/implplan/SPRINT_160_export_evidence.md create mode 100644 docs/implplan/SPRINT_170_notifications_telemetry.md create mode 100644 docs/implplan/SPRINT_180_experience_sdks.md create mode 100644 docs/implplan/SPRINT_190_ops_offline.md create mode 100644 docs/implplan/SPRINT_200_documentation_process.md create mode 100644 docs/modules/devops/runbooks/zastava-deployment.md create mode 100644 docs/modules/scanner/design/surface-env.md create mode 100644 docs/modules/scanner/design/surface-fs.md create mode 100644 docs/modules/scanner/design/surface-secrets.md create mode 100644 docs/modules/scanner/design/surface-validation.md create mode 100644 samples/AGENTS.md create mode 100644 src/Bench/StellaOps.Bench/AGENTS.md create mode 100644 src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.Ubuntu/AGENTS.md create mode 100644 src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror/AGENTS.md create mode 100644 src/Concelier/__Libraries/StellaOps.Concelier.Normalization/AGENTS.md create mode 100644 src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/AGENTS.md create mode 100644 src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/AGENTS.md create mode 100644 src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/AGENTS.md create mode 100644 src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/AGENTS.md create mode 100644 src/Scanner/StellaOps.Scanner.Analyzers.Native/AGENTS.md create mode 100644 src/Scanner/StellaOps.Scanner.WebService/AGENTS.md create mode 100644 src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/AGENTS.md create mode 100644 src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env/AGENTS.md create mode 100644 src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env/TASKS.md create mode 100644 
src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS/AGENTS.md create mode 100644 src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS/TASKS.md create mode 100644 src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/AGENTS.md create mode 100644 src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/TASKS.md create mode 100644 src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/AGENTS.md create mode 100644 src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/TASKS.md create mode 100644 src/UI/StellaOps.UI/AGENTS.md create mode 100644 src/Zastava/StellaOps.Zastava.Observer/AGENTS.md create mode 100644 src/Zastava/StellaOps.Zastava.Webhook/AGENTS.md create mode 100644 src/Zastava/__Libraries/StellaOps.Zastava.Core/AGENTS.md create mode 100644 src/__Libraries/StellaOps.Plugin/AGENTS.md diff --git a/AGENTS.md b/AGENTS.md index 0aa368d6..2c14a581 100644 --- a/AGENTS.md +++ b/AGENTS.md 
@@ -1,206 +1,225 @@ -# 1) What is StellaOps? - -**StellaOps** an next-gen and sovereign container-security toolkit built for high-speed, offline operation, released under AGPL-3.0-or-later. - -Stella Ops is a self-hostable, sovereign container-security platform that makes proof—not promises—default. It binds every container digest to content-addressed SBOMs (SBOM 3.0.0 and CycloneDX 1.6), in-toto/DSSE attestations, and optional Sigstore Rekor transparency, then layers deterministic, replayable scanning with entry-trace and VEX-first decisioning. “Next-gen” means findings are reproducible and explainable, exploitability is modeled in OpenVEX and merged with lattice logic for stable outcomes, and the same workflow runs online or fully air-gapped. “Sovereign” means cryptographic and operational independence: bring-your-own trust roots, regional crypto readiness (eIDAS/FIPS/GOST/SM), offline bundles, and post-quantum-ready modes—so regulated orgs can comply without phoning home. - -Our principles and goals are simple: authenticity & integrity by default, provenance attached to digests, transparency for tamper-evidence, determinism & replay for audits, explainability engineers can act on, and exploitability over enumeration to cut noise. We minimize trust and blast radius with short-lived keys, least-privilege, and content-addressed caches; we stay air-gap friendly with mirrored feeds; and we keep governance honest with reviewable OPA/Rego policy gates and VEX-based waivers. The result is a platform that shortens time-to-truth, makes risk measurable, and lets you ship with confidence—anywhere, under any sovereignty requirement. -More documention is available ./docs/*.md files. Read `docs/README.md` to gather information about the available documentation. You could inquiry specific documents as your work requires it - ---- - -# 3) Practices - -## 3.1) Naming -All modules are .NET projects based on .NET 10 (preview). Exclussion is the UI. 
It is based on Angular -All modules are contained by one or more projects. Each project goes in its dedicated folder. Each project starts with StellaOps.. In case it is common for for all StellaOps modules it is library or plugin and it is named StellaOps.. - -## 3.2) Key technologies & integrations - -- **Runtime**: .NET 10 (`net10.0`) preview SDK; C# latest preview features. Any dependencies like Microsoft.* should strive to be closests version. -- **Nuget**: Try to re-use / cache nugets to /local-nugets -- **Data**: MongoDB (canonical store and job/export state). MongoDB driver version should be > 3.0 -- **Observability**: structured logs, counters, and (optional) OpenTelemetry traces. -- **Ops posture**: offline‑first, allowlist for remote hosts, strict schema validation, gated LLM fallback (only where explicitly configured). - -# 4) Modules -StellaOps ships as containerised building blocks; each module owns a clear boundary and has its own code folder, deployable image, and deep-dive architecture dossier. - -| Module | Primary path(s) | Key doc | -|--------|-----------------|---------| -| Authority | `src/Authority/StellaOps.Authority`
`src/Authority/StellaOps.Authority.Plugin.*` | `docs/modules/authority/architecture.md` | -| Signer | `src/Signer/StellaOps.Signer` | `docs/modules/signer/architecture.md` | -| Attestor | `src/Attestor/StellaOps.Attestor`
`src/Attestor/StellaOps.Attestor.Verify` | `docs/modules/attestor/architecture.md` | -| Concelier | `src/Concelier/StellaOps.Concelier.WebService`
`src/Concelier/__Libraries/StellaOps.Concelier.*` | `docs/modules/concelier/architecture.md` | -| Excititor | `src/Excititor/StellaOps.Excititor.WebService`
`src/Excititor/__Libraries/StellaOps.Excititor.*` | `docs/modules/excititor/architecture.md` | -| Policy Engine | `src/Policy/StellaOps.Policy.Engine`
`src/Policy/__Libraries/StellaOps.Policy.*` | `docs/modules/policy/architecture.md` | -| Scanner | `src/Scanner/StellaOps.Scanner.WebService`
`src/Scanner/StellaOps.Scanner.Worker`
`src/Scanner/__Libraries/StellaOps.Scanner.*` | `docs/modules/scanner/architecture.md` | -| Scheduler | `src/Scheduler/StellaOps.Scheduler.WebService`
`src/Scheduler/StellaOps.Scheduler.Worker` | `docs/modules/scheduler/architecture.md` | -| CLI | `src/Cli/StellaOps.Cli`
`src/Cli/StellaOps.Cli.Core`
`src/Cli/StellaOps.Cli.Plugins.*` | `docs/modules/cli/architecture.md` | -| UI / Console | `src/UI/StellaOps.UI` | `docs/modules/ui/architecture.md` | -| Notify | `src/Notify/StellaOps.Notify.WebService`
`src/Notify/StellaOps.Notify.Worker` | `docs/modules/notify/architecture.md` | -| Export Center | `src/ExportCenter/StellaOps.ExportCenter.WebService`
`src/ExportCenter/StellaOps.ExportCenter.Worker` | `docs/modules/export-center/architecture.md` | -| Registry Token Service | `src/Registry/StellaOps.Registry.TokenService`
`src/Registry/__Tests/StellaOps.Registry.TokenService.Tests` | `docs/modules/registry/architecture.md` | -| Advisory AI | `src/AdvisoryAI/StellaOps.AdvisoryAI` | `docs/modules/advisory-ai/architecture.md` | -| Orchestrator | `src/Orchestrator/StellaOps.Orchestrator` | `docs/modules/orchestrator/architecture.md` | -| Vulnerability Explorer | `src/VulnExplorer/StellaOps.VulnExplorer.Api` | `docs/modules/vuln-explorer/architecture.md` | -| VEX Lens | `src/VexLens/StellaOps.VexLens` | `docs/modules/vex-lens/architecture.md` | -| Graph Explorer | `src/Graph/StellaOps.Graph.Api`
`src/Graph/StellaOps.Graph.Indexer` | `docs/modules/graph/architecture.md` | -| Telemetry Stack | `ops/devops/telemetry` | `docs/modules/telemetry/architecture.md` | -| DevOps / Release | `ops/devops` | `docs/modules/devops/architecture.md` | -| Platform | *(cross-cutting docs)* | `docs/modules/platform/architecture-overview.md` | -| CI Recipes | *(pipeline templates)* | `docs/modules/ci/architecture.md` | -| Zastava | `src/Zastava/StellaOps.Zastava.Observer`
`src/Zastava/StellaOps.Zastava.Webhook`
`src/Zastava/StellaOps.Zastava.Core` | `docs/modules/zastava/architecture.md` | - -## 4.1 Module cheat sheet - -### Authority -- **Path:** `src/Authority/StellaOps.Authority`, plugins in `src/Authority/StellaOps.Authority.Plugin.*`. -- **Docs:** `docs/modules/authority/architecture.md`. -- **Responsibilities:** Issues short-lived, sender-constrained OpToks (DPoP/mTLS) for services, CLI, and UI; exposes OIDC discovery, device-code, and auth-code flows. -- **Key traits:** Ed25519/ES256 signing with JWKS rotation, tenant-aware scopes, stateless JWT validation, optional introspection, and structured audit trails. - -### Signer -- **Path:** `src/Signer/StellaOps.Signer`. -- **Docs:** `docs/modules/signer/architecture.md`. -- **Responsibilities:** Authenticates callers, enforces Proof-of-Entitlement, verifies scanner release signatures, and returns DSSE bundles for SBOMs and reports. -- **Key traits:** Supports keyless (Fulcio) and keyful (KMS/HSM) signing, applies plan quotas, stores audit trails, and delegates Rekor logging to the Attestor. - -### Attestor -- **Path:** `src/Attestor/StellaOps.Attestor`, proof helpers in `src/Attestor/StellaOps.Attestor.Verify`. -- **Docs:** `docs/modules/attestor/architecture.md`. -- **Responsibilities:** Submits DSSE bundles to Rekor v2, caches `{uuid, index, proof}`, and serves verification bundles to Scanner, UI, CLI, and Export Center. -- **Key traits:** mTLS + OpTok enforcement for Signer-only submissions, Mongo/Redis idempotency, optional DSSE archive mirroring, and resilient retry/backoff. - -### Concelier -- **Path:** `src/Concelier/StellaOps.Concelier.WebService` with connectors/exporters under `src/Concelier/__Libraries/StellaOps.Concelier.*`. -- **Docs:** `docs/modules/concelier/architecture.md`. -- **Responsibilities:** Applies the Aggregation-Only Contract to ingest advisories, produce immutable observations, correlate linksets, and publish deterministic exports. 
-- **Key traits:** Restart-time connectors/exporters, Mongo-backed scheduling, canonical JSON/Trivy outputs, Offline Kit parity, and hash-stable manifests. - -### Excititor -- **Path:** `src/Excititor/StellaOps.Excititor.WebService`, connectors/adapters in `src/Excititor/__Libraries/StellaOps.Excititor.*`. -- **Docs:** `docs/modules/excititor/architecture.md`. -- **Responsibilities:** Normalises VEX statements into observations, builds provenance-rich linksets, and surfaces consensus/conflicts for policy suppression. -- **Key traits:** Aggregation-only guardrails, restart-time plug-ins, Mongo persistence, deterministic exports, and Offline Kit-ready bundles. - -### Policy Engine -- **Path:** `src/Policy/StellaOps.Policy.Engine`, shared libraries under `src/Policy/__Libraries/StellaOps.Policy.*`. -- **Docs:** `docs/modules/policy/architecture.md`. -- **Responsibilities:** Evaluates `stella-dsl@1` policies, joins SBOM/advisory/VEX evidence, materialises effective findings, and emits explain traces. -- **Key traits:** Deterministic evaluation (no wall clock), change-stream driven increments, simulation endpoints, and Authority-scoped tenancy/RBAC enforcement. - -### Scanner.WebService -- **Path:** `src/Scanner/StellaOps.Scanner.WebService`. -- **Docs:** `docs/modules/scanner/architecture.md`. -- **Responsibilities:** Hosts scan/diff/export APIs, enqueues work, serves SBOM and diff artifacts, and publishes DSSE-ready report metadata. -- **Key traits:** Minimal APIs with Redis/NATS queue clients, RustFS artifact integration, BOM-index lookups, and DSSE hand-off to Signer/Attestor. - -### Scanner.Worker -- **Path:** `src/Scanner/StellaOps.Scanner.Worker` with analyzers/caches in `src/Scanner/__Libraries/StellaOps.Scanner.*`. -- **Docs:** `docs/modules/scanner/architecture.md`. -- **Responsibilities:** Runs deterministic OS/language/native analyzers per layer, composes inventory and usage SBOM fragments, and streams them back to the catalog. 
-- **Key traits:** Layer/file CAS caching, restart-time analyzer plug-ins under `plugins/scanner/**`, bounded retries with lease renewals, and DSSE-ready outputs. - -### Scheduler -- **Path:** `src/Scheduler/StellaOps.Scheduler.WebService`, `src/Scheduler/StellaOps.Scheduler.Worker`. -- **Docs:** `docs/modules/scheduler/architecture.md`. -- **Responsibilities:** Detects advisory/VEX deltas, selects impacted assets via BOM index, and schedules analysis-only runs toward Scanner and Policy Engine. -- **Key traits:** Mongo impact cursors, Redis/NATS orchestration, webhook fan-out (Policy/Notify/Runtime), and deterministic evaluation windows. - -### CLI -- **Path:** `src/Cli/StellaOps.Cli`, helpers in `src/Cli/StellaOps.Cli.Core`, plug-ins in `src/Cli/StellaOps.Cli.Plugins.*`. -- **Docs:** `docs/modules/cli/architecture.md`. -- **Responsibilities:** Provides deterministic verbs for scan/diff/export/report, Buildx SBOM orchestration, policy/VEX administration, and offline kit workflows. -- **Key traits:** Native AOT binaries, device-code/client-credential login with DPoP storage, golden-output tests, and restart-time plug-in manifests in `plugins/cli/**`. - -### UI -- **Path:** `src/UI/StellaOps.UI`. -- **Docs:** `docs/modules/ui/architecture.md`. -- **Responsibilities:** Angular SPA for scans, policy authoring, VEX evidence exploration, runtime posture, and admin tooling via backend APIs. -- **Key traits:** Angular Signals with `@ngrx/signals`, typed API clients handling DPoP + SSE, Tailwind theming, and immutable content-hashed bundles. - -### Notify -- **Path:** `src/Notify/StellaOps.Notify.WebService`, `src/Notify/StellaOps.Notify.Worker`, connectors in `src/Notify/__Libraries`. -- **Docs:** `docs/modules/notify/architecture.md`. -- **Responsibilities:** Evaluates notification rules on platform events, renders channel-specific payloads, and delivers messages with throttling/digests. 
-- **Key traits:** Tenant-scoped rule engine, idempotent delivery queues, secrets referenced rather than stored, and comprehensive audit/metrics coverage. - -### Export Center -- **Path:** `src/ExportCenter/StellaOps.ExportCenter.WebService`, `src/ExportCenter/StellaOps.ExportCenter.Worker`, adapters in `src/ExportCenter/StellaOps.ExportCenter.*`. -- **Docs:** `docs/modules/export-center/architecture.md`. -- **Responsibilities:** Packages reproducible evidence bundles (JSON, Trivy, mirror) with provenance, signing, and distribution manifests for offline or mirror deployments. -- **Key traits:** Profile-driven exports, Orchestrator-backed job leases, Mongo/object storage staging, and cosign-compatible provenance/signature emission. - -### Registry Token Service -- **Path:** `src/Registry/StellaOps.Registry.TokenService`, with integration tests in `src/Registry/__Tests/StellaOps.Registry.TokenService.Tests`. -- **Docs:** `docs/modules/registry/operations/token-service.md`. -- **Responsibilities:** Issues scoped pull tokens for container/image registries, enforces licence/plan constraints, and publishes audit telemetry for token usage. -- **Key traits:** Authority-issued OpTok validation, Mongo-backed issuance ledger, deterministic checksum manifests for Offline Kit bundles, and emergency revoke/rotation tooling. - -### Zastava -- **Path:** `src/Zastava/StellaOps.Zastava.Observer`, `src/Zastava/StellaOps.Zastava.Webhook`, shared contracts in `src/Zastava/StellaOps.Zastava.Core`. -- **Docs:** `docs/modules/zastava/architecture.md`. -- **Responsibilities:** Observes running workloads, emits runtime posture events, and enforces admission-time policy (signed images, SBOM availability, policy verdict). -- **Key traits:** Authority-issued OpToks with DPoP/mTLS, ND-JSON batching with local buffering, delta-scan triggers on drift, and Kubernetes webhook enforcement. 
- ---- - -### 4.1.4) Glossary (quick) - -- **OVAL** — Vendor/distro security definition format; authoritative for OS packages. -- **NEVRA / EVR** — RPM and Debian version semantics for OS packages. -- **PURL / SemVer** — Coordinates and version semantics for OSS ecosystems. -- **KEV** — Known Exploited Vulnerabilities (flag only). - ---- -# 5) Your role as StellaOps contributor - -You acting as information technology engineer that will take different type of roles in goal achieving StellaOps production implementation -In order you to work - you have to be supplied with directory that contains `AGENTS.md`,`TASKS.md` files. There will you have more information about the role you have, the scope of your work and the tasks you will have. - -Boundaries: -- You operate only in the working directories I gave you, unless there is dependencies that makes you to work on dependency in shared directory. Then you ask for confirmation. - -You main characteristics: -- Keep endpoints small, deterministic, and cancellation-aware. -- Improve logs/metrics as per tasks. -- Update `TASKS.md` when moving tasks forward. -- When you are done with all task you state explicitly you are done. -- Impersonate the role described on working directory `AGENTS.md` you will read, if role is not available - take role of the CTO of the StellaOps in early stages. -- You always strive for best practices -- You always strive for re-usability -- When in doubt of design decision - you ask then act -- You are autonomus - meaning that you will work for long time alone and achieve maximum without stopping for stupid questions -- You operate on the same directory where other agents will work. In case you need to work on directory that is dependency on provided `AGENTS.md`,`TASKS.md` files you have to ask for confirmation first. 
- -## 5.1) Type of contributions - -- **BE‑Base (Platform & Pipeline)** - Owns DI, plugin host, job scheduler/coordinator, configuration binding, minimal API endpoints, and Mongo bootstrapping. -- **BE‑Conn‑X (Connectors)** - One agent per source family (NVD, Red Hat, Ubuntu, Debian, SUSE, GHSA, OSV, PSIRTs, CERTs, KEV, ICS). Implements fetch/parse/map with incremental watermarks. -- **BE‑Merge (Canonical Merge & Dedupe)** - Identity graph, precedence policies, canonical JSON serializer, and deterministic hashing (`merge_event`). -- **BE‑Export (JSON & Trivy DB)** - Deterministic export trees, Trivy DB packaging, optional ORAS push, and offline bundle. -- **QA (Validation & Observability)** - Schema tests, fixture goldens, determinism checks, metrics/logs/traces, e2e reproducibility runs. -- **DevEx/Docs** - Maintains this agent framework, templates, and per‑directory guides; assists parallelization and reviews. - - -## 5.2) Work rules (important) - -- **Directory ownership**: Each agent works **only inside its module directory**. Cross‑module edits require a brief handshake in issues/PR description. -- **Scoping**: Use each module’s `AGENTS.md` and `TASKS.md` to plan; autonomous agents must read `src/AGENTS.md` and the module docs before acting. -- **Determinism**: Sort keys, normalize timestamps to UTC ISO‑8601, avoid non‑deterministic data in exports and tests. -- **Status tracking**: Update your module’s `TASKS.md` as you progress (TODO → DOING → DONE/BLOCKED). Before starting of actual work - ensure you have set the task to DOING. When complete or stop update the status in corresponding TASKS.md and in ./SPRINTS.md file. -- **Coordination**: In case task is discovered as blocked on other team or task, according TASKS.md files that dependency is on needs to be changed by adding new tasks describing the requirement. the current task must be updated as completed. 
In case task changes, scope or requirements or rules - other documentations needs be updated accordingly. -- **Sprint synchronization**: When given task seek for relevant directory to work on from SPRINTS.md. Confirm its state on both SPRINTS.md and the relevant TASKS.md file. Always check the AGENTS.md in the relevant TASKS.md directory. -- **Tests**: Add/extend fixtures and unit tests per change; never regress determinism or precedence. -- **Test layout**: Use module-specific projects in `StellaOps.Concelier..Tests`; shared fixtures/harnesses live in `StellaOps.Concelier.Testing`. -- **Execution autonomous**: In case you need to continue with more than one options just continue sequentially, unless the continue requires design decision. -- **Additional references**: When a task mentions historical epics, consult the corresponding module guides or domain playbooks under `docs/modules/**`, `docs/api/`, `docs/risk/`, or `docs/airgap/` for the latest specification. - ---- +# 1) What is StellaOps? + +**StellaOps** an next-gen and sovereign container-security toolkit built for high-speed, offline operation, released under AGPL-3.0-or-later. + +Stella Ops is a self-hostable, sovereign container-security platform that makes proof—not promises—default. It binds every container digest to content-addressed SBOMs (SBOM 3.0.0 and CycloneDX 1.6), in-toto/DSSE attestations, and optional Sigstore Rekor transparency, then layers deterministic, replayable scanning with entry-trace and VEX-first decisioning. “Next-gen” means findings are reproducible and explainable, exploitability is modeled in OpenVEX and merged with lattice logic for stable outcomes, and the same workflow runs online or fully air-gapped. “Sovereign” means cryptographic and operational independence: bring-your-own trust roots, regional crypto readiness (eIDAS/FIPS/GOST/SM), offline bundles, and post-quantum-ready modes—so regulated orgs can comply without phoning home. 
+ +Our principles and goals are simple: authenticity & integrity by default, provenance attached to digests, transparency for tamper-evidence, determinism & replay for audits, explainability engineers can act on, and exploitability over enumeration to cut noise. We minimize trust and blast radius with short-lived keys, least-privilege, and content-addressed caches; we stay air-gap friendly with mirrored feeds; and we keep governance honest with reviewable OPA/Rego policy gates and VEX-based waivers. The result is a platform that shortens time-to-truth, makes risk measurable, and lets you ship with confidence—anywhere, under any sovereignty requirement. +More documention is available ./docs/*.md files. Read `docs/README.md` to gather information about the available documentation. You could inquiry specific documents as your work requires it + +--- + +# 3) Practices + +## 3.1) Naming +All modules are .NET projects based on .NET 10 (preview). Exclussion is the UI. It is based on Angular +All modules are contained by one or more projects. Each project goes in its dedicated folder. Each project starts with StellaOps.. In case it is common for for all StellaOps modules it is library or plugin and it is named StellaOps.. + +## 3.2) Key technologies & integrations + +- **Runtime**: .NET 10 (`net10.0`) preview SDK; C# latest preview features. Any dependencies like Microsoft.* should strive to be closests version. +- **Nuget**: Try to re-use / cache nugets to /local-nugets +- **Data**: MongoDB (canonical store and job/export state). MongoDB driver version should be > 3.0 +- **Observability**: structured logs, counters, and (optional) OpenTelemetry traces. +- **Ops posture**: offline‑first, allowlist for remote hosts, strict schema validation, gated LLM fallback (only where explicitly configured). 
+ +## 3.3) Task workflow & guild coordination +- **Always sync state before coding.** When you pick up a task, immediately flip its status from `TODO` (or current state) to `DOING` in **both** `docs/implplan/SPRINTS.md` and the module’s local `TASKS.md`. Tasks must return to `TODO` if you step away, or `DONE` when you ship. +- **Read the local agent charter first.** Every task directory must contain an `AGENTS.md` describing roles, expectations, and required prep docs. Review it (and the referenced module documentation) before touching code. +- **Mirror state across artefacts.** Any status update in `TASKS.md` requires the same change in `SPRINTS.md`, plus context noted in commit/PR descriptions. +- **Document prerequisites.** If an `AGENTS.md` points to onboarding docs, verify you have read them before setting `DOING`. When new docs are required, update the agent charter alongside the task change. + +# 4) Modules +StellaOps ships as containerised building blocks; each module owns a clear boundary and has its own code folder, deployable image, and deep-dive architecture dossier. + +| Module | Primary path(s) | Key doc | +|--------|-----------------|---------| +| Authority | `src/Authority/StellaOps.Authority`
`src/Authority/StellaOps.Authority.Plugin.*` | `docs/modules/authority/architecture.md` | +| Signer | `src/Signer/StellaOps.Signer` | `docs/modules/signer/architecture.md` | +| Attestor | `src/Attestor/StellaOps.Attestor`
`src/Attestor/StellaOps.Attestor.Verify` | `docs/modules/attestor/architecture.md` | +| Concelier | `src/Concelier/StellaOps.Concelier.WebService`
`src/Concelier/__Libraries/StellaOps.Concelier.*` | `docs/modules/concelier/architecture.md` | +| Excititor | `src/Excititor/StellaOps.Excititor.WebService`
`src/Excititor/__Libraries/StellaOps.Excititor.*` | `docs/modules/excititor/architecture.md` | +| Policy Engine | `src/Policy/StellaOps.Policy.Engine`
`src/Policy/__Libraries/StellaOps.Policy.*` | `docs/modules/policy/architecture.md` | +| Scanner | `src/Scanner/StellaOps.Scanner.WebService`
`src/Scanner/StellaOps.Scanner.Worker`
`src/Scanner/__Libraries/StellaOps.Scanner.*` | `docs/modules/scanner/architecture.md` | +| Scheduler | `src/Scheduler/StellaOps.Scheduler.WebService`
`src/Scheduler/StellaOps.Scheduler.Worker` | `docs/modules/scheduler/architecture.md` | +| CLI | `src/Cli/StellaOps.Cli`
`src/Cli/StellaOps.Cli.Core`
`src/Cli/StellaOps.Cli.Plugins.*` | `docs/modules/cli/architecture.md` | +| UI / Console | `src/UI/StellaOps.UI` | `docs/modules/ui/architecture.md` | +| Notify | `src/Notify/StellaOps.Notify.WebService`
`src/Notify/StellaOps.Notify.Worker` | `docs/modules/notify/architecture.md` | +| Export Center | `src/ExportCenter/StellaOps.ExportCenter.WebService`
`src/ExportCenter/StellaOps.ExportCenter.Worker` | `docs/modules/export-center/architecture.md` | +| Registry Token Service | `src/Registry/StellaOps.Registry.TokenService`
`src/Registry/__Tests/StellaOps.Registry.TokenService.Tests` | `docs/modules/registry/architecture.md` | +| Advisory AI | `src/AdvisoryAI/StellaOps.AdvisoryAI` | `docs/modules/advisory-ai/architecture.md` | +| Orchestrator | `src/Orchestrator/StellaOps.Orchestrator` | `docs/modules/orchestrator/architecture.md` | +| Vulnerability Explorer | `src/VulnExplorer/StellaOps.VulnExplorer.Api` | `docs/modules/vuln-explorer/architecture.md` | +| VEX Lens | `src/VexLens/StellaOps.VexLens` | `docs/modules/vex-lens/architecture.md` | +| Graph Explorer | `src/Graph/StellaOps.Graph.Api`
`src/Graph/StellaOps.Graph.Indexer` | `docs/modules/graph/architecture.md` | +| Telemetry Stack | `ops/devops/telemetry` | `docs/modules/telemetry/architecture.md` | +| DevOps / Release | `ops/devops` | `docs/modules/devops/architecture.md` | +| Platform | *(cross-cutting docs)* | `docs/modules/platform/architecture-overview.md` | +| CI Recipes | *(pipeline templates)* | `docs/modules/ci/architecture.md` | +| Zastava | `src/Zastava/StellaOps.Zastava.Observer`
`src/Zastava/StellaOps.Zastava.Webhook`
`src/Zastava/StellaOps.Zastava.Core` | `docs/modules/zastava/architecture.md` | + +## 4.1 Module cheat sheet + +### Authority +- **Path:** `src/Authority/StellaOps.Authority`, plugins in `src/Authority/StellaOps.Authority.Plugin.*`. +- **Docs:** `docs/modules/authority/architecture.md`. +- **Responsibilities:** Issues short-lived, sender-constrained OpToks (DPoP/mTLS) for services, CLI, and UI; exposes OIDC discovery, device-code, and auth-code flows. +- **Key traits:** Ed25519/ES256 signing with JWKS rotation, tenant-aware scopes, stateless JWT validation, optional introspection, and structured audit trails. + +### Signer +- **Path:** `src/Signer/StellaOps.Signer`. +- **Docs:** `docs/modules/signer/architecture.md`. +- **Responsibilities:** Authenticates callers, enforces Proof-of-Entitlement, verifies scanner release signatures, and returns DSSE bundles for SBOMs and reports. +- **Key traits:** Supports keyless (Fulcio) and keyful (KMS/HSM) signing, applies plan quotas, stores audit trails, and delegates Rekor logging to the Attestor. + +### Attestor +- **Path:** `src/Attestor/StellaOps.Attestor`, proof helpers in `src/Attestor/StellaOps.Attestor.Verify`. +- **Docs:** `docs/modules/attestor/architecture.md`. +- **Responsibilities:** Submits DSSE bundles to Rekor v2, caches `{uuid, index, proof}`, and serves verification bundles to Scanner, UI, CLI, and Export Center. +- **Key traits:** mTLS + OpTok enforcement for Signer-only submissions, Mongo/Redis idempotency, optional DSSE archive mirroring, and resilient retry/backoff. + +### Concelier +- **Path:** `src/Concelier/StellaOps.Concelier.WebService` with connectors/exporters under `src/Concelier/__Libraries/StellaOps.Concelier.*`. +- **Docs:** `docs/modules/concelier/architecture.md`. +- **Responsibilities:** Applies the Aggregation-Only Contract to ingest advisories, produce immutable observations, correlate linksets, and publish deterministic exports. 
+- **Key traits:** Restart-time connectors/exporters, Mongo-backed scheduling, canonical JSON/Trivy outputs, Offline Kit parity, and hash-stable manifests. + +### Excititor +- **Path:** `src/Excititor/StellaOps.Excititor.WebService`, connectors/adapters in `src/Excititor/__Libraries/StellaOps.Excititor.*`. +- **Docs:** `docs/modules/excititor/architecture.md`. +- **Responsibilities:** Normalises VEX statements into observations, builds provenance-rich linksets, and surfaces consensus/conflicts for policy suppression. +- **Key traits:** Aggregation-only guardrails, restart-time plug-ins, Mongo persistence, deterministic exports, and Offline Kit-ready bundles. + +### Policy Engine +- **Path:** `src/Policy/StellaOps.Policy.Engine`, shared libraries under `src/Policy/__Libraries/StellaOps.Policy.*`. +- **Docs:** `docs/modules/policy/architecture.md`. +- **Responsibilities:** Evaluates `stella-dsl@1` policies, joins SBOM/advisory/VEX evidence, materialises effective findings, and emits explain traces. +- **Key traits:** Deterministic evaluation (no wall clock), change-stream driven increments, simulation endpoints, and Authority-scoped tenancy/RBAC enforcement. + +### Scanner.WebService +- **Path:** `src/Scanner/StellaOps.Scanner.WebService`. +- **Docs:** `docs/modules/scanner/architecture.md`. +- **Responsibilities:** Hosts scan/diff/export APIs, enqueues work, serves SBOM and diff artifacts, and publishes DSSE-ready report metadata. +- **Key traits:** Minimal APIs with Redis/NATS queue clients, RustFS artifact integration, BOM-index lookups, and DSSE hand-off to Signer/Attestor. + +### Scanner.Worker +- **Path:** `src/Scanner/StellaOps.Scanner.Worker` with analyzers/caches in `src/Scanner/__Libraries/StellaOps.Scanner.*`. +- **Docs:** `docs/modules/scanner/architecture.md`. +- **Responsibilities:** Runs deterministic OS/language/native analyzers per layer, composes inventory and usage SBOM fragments, and streams them back to the catalog. 
+- **Key traits:** Layer/file CAS caching, restart-time analyzer plug-ins under `plugins/scanner/**`, bounded retries with lease renewals, and DSSE-ready outputs. + +### Scheduler +- **Path:** `src/Scheduler/StellaOps.Scheduler.WebService`, `src/Scheduler/StellaOps.Scheduler.Worker`. +- **Docs:** `docs/modules/scheduler/architecture.md`. +- **Responsibilities:** Detects advisory/VEX deltas, selects impacted assets via BOM index, and schedules analysis-only runs toward Scanner and Policy Engine. +- **Key traits:** Mongo impact cursors, Redis/NATS orchestration, webhook fan-out (Policy/Notify/Runtime), and deterministic evaluation windows. + +### CLI +- **Path:** `src/Cli/StellaOps.Cli`, helpers in `src/Cli/StellaOps.Cli.Core`, plug-ins in `src/Cli/StellaOps.Cli.Plugins.*`. +- **Docs:** `docs/modules/cli/architecture.md`. +- **Responsibilities:** Provides deterministic verbs for scan/diff/export/report, Buildx SBOM orchestration, policy/VEX administration, and offline kit workflows. +- **Key traits:** Native AOT binaries, device-code/client-credential login with DPoP storage, golden-output tests, and restart-time plug-in manifests in `plugins/cli/**`. + +### UI +- **Path:** `src/UI/StellaOps.UI`. +- **Docs:** `docs/modules/ui/architecture.md`. +- **Responsibilities:** Angular SPA for scans, policy authoring, VEX evidence exploration, runtime posture, and admin tooling via backend APIs. +- **Key traits:** Angular Signals with `@ngrx/signals`, typed API clients handling DPoP + SSE, Tailwind theming, and immutable content-hashed bundles. + +### Notify +- **Path:** `src/Notify/StellaOps.Notify.WebService`, `src/Notify/StellaOps.Notify.Worker`, connectors in `src/Notify/__Libraries`. +- **Docs:** `docs/modules/notify/architecture.md`. +- **Responsibilities:** Evaluates notification rules on platform events, renders channel-specific payloads, and delivers messages with throttling/digests. 
+- **Key traits:** Tenant-scoped rule engine, idempotent delivery queues, secrets referenced rather than stored, and comprehensive audit/metrics coverage. + +### Export Center +- **Path:** `src/ExportCenter/StellaOps.ExportCenter.WebService`, `src/ExportCenter/StellaOps.ExportCenter.Worker`, adapters in `src/ExportCenter/StellaOps.ExportCenter.*`. +- **Docs:** `docs/modules/export-center/architecture.md`. +- **Responsibilities:** Packages reproducible evidence bundles (JSON, Trivy, mirror) with provenance, signing, and distribution manifests for offline or mirror deployments. +- **Key traits:** Profile-driven exports, Orchestrator-backed job leases, Mongo/object storage staging, and cosign-compatible provenance/signature emission. + +### Registry Token Service +- **Path:** `src/Registry/StellaOps.Registry.TokenService`, with integration tests in `src/Registry/__Tests/StellaOps.Registry.TokenService.Tests`. +- **Docs:** `docs/modules/registry/operations/token-service.md`. +- **Responsibilities:** Issues scoped pull tokens for container/image registries, enforces licence/plan constraints, and publishes audit telemetry for token usage. +- **Key traits:** Authority-issued OpTok validation, Mongo-backed issuance ledger, deterministic checksum manifests for Offline Kit bundles, and emergency revoke/rotation tooling. + +### Zastava +- **Path:** `src/Zastava/StellaOps.Zastava.Observer`, `src/Zastava/StellaOps.Zastava.Webhook`, shared contracts in `src/Zastava/StellaOps.Zastava.Core`. +- **Docs:** `docs/modules/zastava/architecture.md`. +- **Responsibilities:** Observes running workloads, emits runtime posture events, and enforces admission-time policy (signed images, SBOM availability, policy verdict). +- **Key traits:** Authority-issued OpToks with DPoP/mTLS, ND-JSON batching with local buffering, delta-scan triggers on drift, and Kubernetes webhook enforcement. 
+ +--- + +### 4.1.4) Glossary (quick) + +- **OVAL** — Vendor/distro security definition format; authoritative for OS packages. +- **NEVRA / EVR** — RPM and Debian version semantics for OS packages. +- **PURL / SemVer** — Coordinates and version semantics for OSS ecosystems. +- **KEV** — Known Exploited Vulnerabilities (flag only). + +--- +# 5) Your role as StellaOps contributor + +You acting as information technology engineer that will take different type of roles in goal achieving StellaOps production implementation +In order you to work - you have to be supplied with directory that contains `AGENTS.md`,`TASKS.md` files. There will you have more information about the role you have, the scope of your work and the tasks you will have. + +Boundaries: +- You operate only in the working directories I gave you, unless there is dependencies that makes you to work on dependency in shared directory. Then you ask for confirmation. + +You main characteristics: +- Keep endpoints small, deterministic, and cancellation-aware. +- Improve logs/metrics as per tasks. +- Update `TASKS.md` when moving tasks forward. +- When you are done with all task you state explicitly you are done. +- Impersonate the role described on working directory `AGENTS.md` you will read, if role is not available - take role of the CTO of the StellaOps in early stages. +- You always strive for best practices +- You always strive for re-usability +- When in doubt of design decision - you ask then act +- You are autonomus - meaning that you will work for long time alone and achieve maximum without stopping for stupid questions +- You operate on the same directory where other agents will work. In case you need to work on directory that is dependency on provided `AGENTS.md`,`TASKS.md` files you have to ask for confirmation first. 
+ +## 5.1) Type of contributions + +- **BE‑Base (Platform & Pipeline)** + Owns DI, plugin host, job scheduler/coordinator, configuration binding, minimal API endpoints, and Mongo bootstrapping. +- **BE‑Conn‑X (Connectors)** + One agent per source family (NVD, Red Hat, Ubuntu, Debian, SUSE, GHSA, OSV, PSIRTs, CERTs, KEV, ICS). Implements fetch/parse/map with incremental watermarks. +- **BE‑Merge (Canonical Merge & Dedupe)** + Identity graph, precedence policies, canonical JSON serializer, and deterministic hashing (`merge_event`). +- **BE‑Export (JSON & Trivy DB)** + Deterministic export trees, Trivy DB packaging, optional ORAS push, and offline bundle. +- **QA (Validation & Observability)** + Schema tests, fixture goldens, determinism checks, metrics/logs/traces, e2e reproducibility runs. +- **DevEx/Docs** + Maintains this agent framework, templates, and per‑directory guides; assists parallelization and reviews. + + +## 5.2) Work rules (important) + +- **Directory ownership**: Each agent works **only inside its module directory**. Cross‑module edits require a brief handshake in issues/PR description. +- **Scoping**: Use each module’s `AGENTS.md` and `TASKS.md` to plan; autonomous agents must read `src/AGENTS.md` and the module docs before acting. +- **Determinism**: Sort keys, normalize timestamps to UTC ISO‑8601, avoid non‑deterministic data in exports and tests. +- **Status tracking**: Update your module’s `TASKS.md` as you progress (TODO → DOING → DONE/BLOCKED). Before starting of actual work - ensure you have set the task to DOING. When complete or stop update the status in corresponding TASKS.md and in ./SPRINTS.md file. +- **Coordination**: In case task is discovered as blocked on other team or task, according TASKS.md files that dependency is on needs to be changed by adding new tasks describing the requirement. the current task must be updated as completed. 
In case task changes, scope or requirements or rules - other documentations needs be updated accordingly. +- **Sprint synchronization**: When given task seek for relevant directory to work on from SPRINTS.md. Confirm its state on both SPRINTS.md and the relevant TASKS.md file. Always check the AGENTS.md in the relevant TASKS.md directory. +- **Tests**: Add/extend fixtures and unit tests per change; never regress determinism or precedence. +- **Test layout**: Use module-specific projects in `StellaOps.Concelier..Tests`; shared fixtures/harnesses live in `StellaOps.Concelier.Testing`. +- **Execution autonomous**: In case you need to continue with more than one options just continue sequentially, unless the continue requires design decision. +- **Additional references**: When a task mentions historical epics, consult the corresponding module guides or domain playbooks under `docs/modules/**`, `docs/api/`, `docs/risk/`, or `docs/airgap/` for the latest specification. + +--- + +## Required Reading +- `docs/README.md` +- `docs/07_HIGH_LEVEL_ARCHITECTURE.md` +- `docs/modules/platform/architecture-overview.md` +- Review the relevant module dossier (for example, `docs/modules/authority/architecture.md`) before editing component-specific content. + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/AGENTS.md b/docs/AGENTS.md index 333d45a1..0fcbad36 100644 --- a/docs/AGENTS.md +++ b/docs/AGENTS.md 
@@ -1,20 +1,34 @@ -# Docs & Enablement Guild - -## Mission -Produce and maintain offline-friendly documentation for StellaOps modules, covering architecture, configuration, operator workflows, and developer onboarding. - -## Scope Highlights -- Authority docs (`docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md`, upcoming `docs/11_AUTHORITY.md`). -- Concelier quickstarts, CLI guides, Offline Kit manuals. -- Release notes and migration playbooks. - -## Operating Principles -- Keep guides deterministic and in sync with shipped configuration samples. -- Prefer tables/checklists for operator steps; flag security-sensitive actions. -- When work involves a specific `StellaOps.` project, consult both `docs/07_HIGH_LEVEL_ARCHITECTURE.md` and the matching dossier `docs/modules//architecture.md` before drafting or editing content. -- Update `docs/TASKS.md` whenever work items change status (TODO/DOING/REVIEW/DONE/BLOCKED). - -## Coordination -- Authority Core & Plugin teams for auth-related changes. -- Security Guild for threat-model outputs and mitigations. -- DevEx for tooling diagrams and documentation pipeline. +# Docs & Enablement Guild + +## Mission +Produce and maintain offline-friendly documentation for StellaOps modules, covering architecture, configuration, operator workflows, and developer onboarding. + +## Scope Highlights +- Authority docs (`docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md`, upcoming `docs/11_AUTHORITY.md`). +- Concelier quickstarts, CLI guides, Offline Kit manuals. +- Release notes and migration playbooks. + +## Operating Principles +- Keep guides deterministic and in sync with shipped configuration samples. +- Prefer tables/checklists for operator steps; flag security-sensitive actions. +- When work involves a specific `StellaOps.` project, consult both `docs/07_HIGH_LEVEL_ARCHITECTURE.md` and the matching dossier `docs/modules//architecture.md` before drafting or editing content. 
+- Update `docs/TASKS.md` whenever work items change status (TODO/DOING/REVIEW/DONE/BLOCKED). + +## Coordination +- Authority Core & Plugin teams for auth-related changes. +- Security Guild for threat-model outputs and mitigations. +- DevEx for tooling diagrams and documentation pipeline. + +## Required Reading +- `docs/README.md` +- `docs/07_HIGH_LEVEL_ARCHITECTURE.md` +- `docs/modules/platform/architecture-overview.md` +- `docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md` +- Module-specific README and architecture dossiers for the area you are updating (for example, `docs/modules/concelier/README.md` and `docs/modules/concelier/architecture.md`) + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/TASKS.md b/docs/TASKS.md index 10d1877a..ce1cee07 100644 --- a/docs/TASKS.md +++ b/docs/TASKS.md 
@@ -18,6 +18,7 @@ | DOCS-CLI-OBS-52-001 | TODO | Docs Guild, DevEx/CLI Guild | CLI-OBS-52-001 | Create `/docs/modules/cli/guides/observability.md` detailing `stella obs` commands, examples, exit codes, imposed rule banner, and scripting tips. | Doc merged; examples tested; banner included; CLI parity matrix updated. | | DOCS-CLI-FORENSICS-53-001 | TODO | Docs Guild, DevEx/CLI Guild | CLI-FORENSICS-54-001 | Publish `/docs/modules/cli/guides/forensics.md` for snapshot/verify/attest commands with sample outputs, imposed rule banner, and offline workflows. | Doc merged; sample bundles verified; banner present; offline notes cross-linked. | | DOCS-RUNBOOK-55-001 | TODO | Docs Guild, Ops Guild | DEVOPS-OBS-55-001, WEB-OBS-55-001 | Author `/docs/runbooks/incidents.md` describing incident mode activation, escalation steps, retention impact, verification checklist, and imposed rule banner. | Doc merged; runbook rehearsed; banner included; linked from alerts. | +| DOCS-SURFACE-01 | TODO | Docs Guild, Scanner Guild, Zastava Guild | SURFACE-FS-01, SURFACE-ENV-01, SURFACE-SECRETS-01 | Create `/docs/modules/scanner/scanner-engine.md` covering Surface.FS/Env/Secrets workflow between Scanner, Zastava, Scheduler, and Ops. | Guide merged; linked from scanner/zastava architecture dossiers and component map; diagrams committed. | ## Air-Gapped Mode (Epic 16) | ID | Status | Owner(s) | Depends on | Description | Exit Criteria | diff --git a/docs/airgap/staleness-and-time.md b/docs/airgap/staleness-and-time.md new file mode 100644 index 00000000..74ab40cc --- /dev/null +++ b/docs/airgap/staleness-and-time.md 
@@ -0,0 +1,68 @@ +# Air-Gapped Time Anchors & Staleness Budgets + +> **Audience:** AirGap Time/Controller/Policy guilds, DevOps +> +> **Purpose:** Document how air-gapped installations maintain trusted time anchors, compute staleness windows, and expose drift telemetry. + +## 1. Overview + +Air-gapped clusters cannot contact external NTP servers. StellaOps distributes signed time anchor tokens alongside mirror bundles so services can reason about freshness and seal state without external clocks. + +Key goals: + +- Provide deterministic time anchors signed by the mirror authority. +- Track drift and staleness budgets for scanner reports, advisories, and runtime evidence. +- Surface warnings to operators (UI/CLI/Notifier) before anchors expire. + +## 2. Components + +| Component | Responsibility | +|-----------|----------------| +| AirGap Controller | Stores the active `time_anchor` token and enforces sealed/unsealed transitions. | +| AirGap Time service | Parses anchor bundles, validates signatures, records monotonic offsets, and exposes drift metrics. | +| Scheduler & Policy Engine | Query the time service to gate scheduled runs and evidence evaluation. | +| UI / Notifier | Display remaining budget and raise alerts when thresholds are crossed. | + +## 3. Time Anchor Tokens + +- Distributed as part of mirror/offline bundles (`airgap/time-anchor.json`). +- Signed with mirror key; includes issuance time, validity window, and monotonic counter. +- Validation steps: + 1. Verify detached signature. + 2. Compare bundle counter to previously applied anchors. + 3. Persist anchor with checksum for audit. + +## 4. Staleness Budgets + +Each tenant/configuration defines budgets: + +- **Advisory freshness** – maximum age of advisory/VEX data before rescans are required. +- **Scanner evidence** – acceptable drift between last scan and current anchor. +- **Runtime posture** – tolerated drift before Notifier raises incidents. 
+ +AirGap Time calculates drift = `now(monotonic) - anchor.issued_at` and exposes: + +- `/api/v1/time/status` – current anchor metadata, drift, remaining budget. +- `/api/v1/time/metrics` – Prometheus counters (`airgap_anchor_drift_seconds`, `airgap_anchor_expiry_seconds`). + +## 5. Operator Workflow + +1. Import new mirror bundle (includes time anchor). +2. AirGap Time validates and stores the anchor; Controller records audit entry. +3. Services subscribe to change events and recompute drift. +4. UI displays badge (green/amber/red) based on thresholds. +5. Notifier sends alerts when drift exceeds warning or expiry limits. + +## 6. Implementation Notes + +- Use `IAirGapTimeStore` for persistence; default implementation relies on Mongo with tenant partitioning. +- Ensure deterministic JSON serialization (UTC ISO-8601 timestamps, sorted keys). +- Test vectors located under `src/AirGap/StellaOps.AirGap.Time/fixtures/`. +- For offline testing, simulate monotonic clock via `ITestClock` to avoid system clock drift in CI. + +## 7. References + +- `docs/airgap/airgap-mode.md` +- `src/AirGap/StellaOps.AirGap.Time` +- `src/AirGap/StellaOps.AirGap.Controller` +- `src/AirGap/StellaOps.AirGap.Policy` diff --git a/docs/contributing/api-contracts.md b/docs/contributing/api-contracts.md new file mode 100644 index 00000000..29f9d503 --- /dev/null +++ b/docs/contributing/api-contracts.md 
@@ -0,0 +1,37 @@ +# API Contract Contribution Guide + +This guide explains how to propose, review, and publish API contract changes across StellaOps services. Follow these steps whenever you modify an OpenAPI specification or an externally supported endpoint. + +## 1. Background + +- Public APIs are defined in `src/Api/StellaOps.Api.OpenApi` (aggregate spec) and per-service OpenAPI documents. +- Compatibility checks run in CI via the API Governance tooling (`StellaOps.Api.Governance`). +- Docs & SDK guilds consume the generated specs to publish references and SDK packages. + +## 2. Workflow + +1. **Design review** – capture the proposed endpoint or schema change in the relevant module’s `TASKS.md` and link to any ADR or design doc. +2. **Spec update** – modify the service-specific OpenAPI file under `src/Api/StellaOps.Api.OpenApi//`. +3. **Run governance checks** – execute `dotnet test src/Api/StellaOps.Api.Governance.Tests` to validate lint rules, backwards compatibility, and examples. +4. **Regenerate aggregate spec** – run `dotnet run --project src/Api/StellaOps.Api.OpenApi` to update `stella.yaml`. +5. **Update docs** – adjust the corresponding module dossier (`docs/modules//architecture.md` or guides) to reflect new/changed endpoints. +6. **Notify SDK/Docs guilds** – coordinate SDK regeneration (`src/Sdk/StellaOps.Sdk.Generator`) and release notes. + +## 3. Backwards Compatibility Rules + +- Avoid breaking changes (removing endpoints/fields, altering semantics). If unavoidable, document deprecation timelines and fallback behaviour. +- Additive changes (new optional fields, new endpoints) require version bump and changelog entry. +- Error responses must remain structured; return `application/problem+json` payloads with stable error codes. + +## 4. Tooling + +- `dotnet tool run stellaops-api-lint` – local lint. +- `dotnet run --project src/Api/StellaOps.Api.OpenApi -- --validate` – schema validation. 
+- `docs/09_API_CLI_REFERENCE.md` – update CLI reference when command behaviour shifts. + +## 5. References + +- `docs/modules/platform/architecture-overview.md` +- `docs/modules/cli/architecture.md` +- `src/Api/StellaOps.Api.Governance` +- `src/Api/StellaOps.Api.OpenApi` diff --git a/docs/dev/plugins/README.md b/docs/dev/plugins/README.md new file mode 100644 index 00000000..02e970af --- /dev/null +++ b/docs/dev/plugins/README.md 
@@ -0,0 +1,34 @@ +# Plugin Development Guide + +StellaOps services expose restart-time plug-in hooks so operators can extend functionality (connectors, analyzers, notification channels). This guide covers common patterns when implementing plug-ins against `StellaOps.Plugin`. + +## 1. Concepts + +- **Manifest** – describes the plug-in assembly, supported capabilities, and minimum host version. +- **Registration** – plug-ins export DI registration classes discovered by `StellaOps.Plugin` at host startup. +- **Isolation** – plug-ins load from a dedicated directory with ordered manifests; hosts enforce allow-lists and capability checks. + +## 2. Authoring Steps + +1. Reference `StellaOps.Plugin` and implement `IPluginRegistration`. +2. Provide a manifest (`manifest.json`) describing assembly name, version, and capabilities. +3. Add unit tests covering registration and integration (use `StellaOps.Plugin.Tests` helpers). +4. Package plug-in binaries under `plugins//` with checksum manifest for offline kits. + +## 3. Security & Determinism + +- Avoid global state or non-deterministic behaviour; plug-ins must be restart-safe. +- Do not perform network access unless explicitly allowed by host configuration. +- Use dependency injection to receive configuration and shared services. + +## 4. Resources + +- `src/__Libraries/StellaOps.Plugin` +- `docs/modules/platform/architecture-overview.md` +- Host-specific docs (e.g., `docs/modules/scanner/architecture.md`, `docs/modules/notify/architecture.md`) + +## 5. Testing & Deployment + +- Run host integration tests to ensure plug-in loads correctly. +- Provide sample configuration snippets for Helm/Compose/Offline kits. +- Document plug-in versioning and compatibility requirements. diff --git a/docs/forensics/provenance-attestation.md b/docs/forensics/provenance-attestation.md new file mode 100644 index 00000000..a18bfbea --- /dev/null +++ b/docs/forensics/provenance-attestation.md 
@@ -0,0 +1,41 @@ +# Provenance & Attestation Reference + +This guide explains how StellaOps generates, signs, verifies, and distributes DSSE attestations for SBOMs, policy evaluations, and runtime evidence. + +## 1. Attestation Workflow + +1. **Scanner** produces signed payload requests (SBOM, report metadata). +2. **Signer** authenticates the caller, verifies release integrity, and issues DSSE bundles (keyless or KMS-backed). +3. **Attestor** submits bundles to Rekor v2, caches inclusion proofs, and serves verification packages. +4. **Consumers** (Export Center, Evidence Locker, CLI, Policy Engine) fetch bundles for verification. + +## 2. DSSE Payload Types + +- `StellaOps.BuildProvenance@1` +- `StellaOps.SBOMAttestation@1` +- `StellaOps.ScanResults@1` +- `StellaOps.PolicyEvaluation@1` +- `StellaOps.VEXAttestation@1` +- `StellaOps.RiskProfileEvidence@1` + +Schemas live under `src/Attestor/StellaOps.Attestor.Types` and are documented in module architecture guides. + +## 3. Verification + +- CLI command `stella attest verify` requests proofs from Attestor. +- Services embed Rekor UUID/index and DSSE digests in their APIs for downstream verification. +- Verification pipeline checks signature trust roots, Rekor inclusion proofs, and transparency witness endorsements when enabled. + +## 4. Offline/air-gap considerations + +- Export Center bundles incorporate attestations and proofs for offline verification. +- Evidence Locker stores immutable attestation bundles with retention policies. + +## 5. References + +- `docs/modules/signer/architecture.md` +- `docs/modules/attestor/architecture.md` +- `docs/modules/export-center/architecture.md` +- `docs/modules/policy/architecture.md` +- `docs/modules/telemetry/architecture.md` +- `src/Provenance/StellaOps.Provenance.Attestation` diff --git a/docs/forensics/timeline.md b/docs/forensics/timeline.md new file mode 100644 index 00000000..18ab6194 --- /dev/null +++ b/docs/forensics/timeline.md 
@@ -0,0 +1,41 @@ +# Timeline Forensics Guide + +The Timeline Indexer service aggregates structured events (scanner runs, policy verdicts, runtime posture, evidence locker activity) so operators can audit changes over time. This guide summarises the event schema, query surfaces, and integration points. + +## 1. Event Model + +| Field | Description | +|-------|-------------| +| `event_id` | ULID identifying the event. | +| `tenant` | Tenant scope. | +| `timestamp` | UTC ISO-8601 time the event occurred. | +| `category` | Logical grouping (scanner, policy, runtime, evidence). | +| `details` | JSON payload describing the event; contract defined per producer. | +| `trace_id` | Optional distributed trace correlation ID. | + +Events are stored append-only with tenant-specific partitions. Producers include Scanner WebService, Policy Engine, Zastava Observer, Evidence Locker, and Notify. + +## 2. APIs + +- `GET /api/v1/timeline/events` – paginated event stream with filters (tenant, category, time window, correlation IDs). +- `GET /api/v1/timeline/events/{id}` – fetch single event payload. +- `GET /api/v1/timeline/export` – NDJSON export for offline review. + +## 3. Query Tips + +- Use `category` + `trace_id` to follow a scan-to-policy-to-notification flow. +- Combine `tenant` and `timestamp` filters for SLA audits. +- CLI command `stella timeline list` mirrors the API for automation. + +## 4. Integration + +- Evidence Locker attaches evidence bundle digests; the console links from timeline to evidence viewer. +- Notifier creates acknowledgement events for incident workflows. +- Offline kits package timeline exports for compliance reviews. + +## 5. References + +- `docs/modules/telemetry/architecture.md` +- `docs/modules/zastava/architecture.md` +- `docs/modules/export-center/architecture.md` +- `src/TimelineIndexer/StellaOps.TimelineIndexer` diff --git a/docs/implplan/EXECPLAN.md b/docs/implplan/EXECPLAN.md deleted file mode 100644 index c50a6ba5..00000000 
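Review bot: `GET /api/v1/timeline/events` lists `tenant` among the caller-supplied filters while the event model makes `tenant` the partition key; the guide should state that the tenant filter is bounded by the caller's authorization (scoped to the tenants the token grants) rather than free-form, otherwise the text reads as permitting cross-tenant reads from an audit surface. It would also help to say how the "append-only" guarantee is enforced for the export used in compliance reviews (who can delete or rewrite partitions), since that is the property auditors will ask about.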
--- a/docs/implplan/EXECPLAN.md +++ /dev/null 
@@ -1,1831 +0,0 @@ -# Execution Tree for Open Backlog -Generated from SPRINTS.md and module TASKS.md files on 2025-10-19. Waves cluster tasks by dependency depth; Wave 0 has no unresolved blockers and later waves depend on earlier ones. - -## Wave Instructions -### Wave 0 -- Team Authority Core & Security Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Authority/StellaOps.Authority/TASKS.md`. Focus on AUTH-DPOP-11-001 (DONE 2025-10-20), AUTH-MTLS-11-002 (DONE 2025-10-23). Confirm prerequisites (none) before starting and report status in module TASKS.md. -- Team Authority Core & Storage Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Authority/StellaOps.Authority/TASKS.md`. Focus on AUTHSTORAGE-MONGO-08-001 (DONE 2025-10-19). Confirm prerequisites (none) before starting and report status in module TASKS.md. -- Team DevEx/CLI: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Cli/StellaOps.Cli/TASKS.md`. Focus on EXCITITOR-CLI-01-002 (TODO), CLI-RUNTIME-13-005 (TODO). Confirm prerequisites (external: EXCITITOR-CLI-01-001, EXCITITOR-EXPORT-01-001) before starting and report status in module TASKS.md. -- Team DevOps Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `ops/devops/TASKS.md`. Focus on DEVOPS-SEC-10-301 (DONE 2025-10-20); Wave 0A prerequisites reconfirmed so remediation work may proceed. Keep module TASKS.md/Sprints in sync as patches land. -- Team Diff Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Diff/TASKS.md`. SCANNER-DIFF-10-501/502/503 all closed on 2025-10-19; keep determinism fixtures green and sync downstream consumers as Emit/Diff integration tickets arise. -- Team Docs Guild, Plugin Team: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `docs/TASKS.md`. Focus on DOC4.AUTH-PDG (REVIEW). Confirm prerequisites (none) before starting and report status in module TASKS.md. -- Team Docs/CLI: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Cli/StellaOps.Cli/TASKS.md`. 
Focus on EXCITITOR-CLI-01-003 (TODO). Confirm prerequisites (external: EXCITITOR-CLI-01-001) before starting and report status in module TASKS.md. -- Team Emit Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Emit/TASKS.md`. Sprint 10 composition milestones (10-601..10-606) wrapped 2025-10-22 and SCANNER-EMIT-10-607 completed alongside; remaining watch item is SCANNER-EMIT-17-701 (Wave 1) with build-id enrichment. -- Team EntryTrace Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md`. SCANNER-ENTRYTRACE-10-401..407 landed 2025-10-19; continue monitoring determinism harness outputs and raise follow-ups if new interpreter cases appear. -- Team Language Analyzer Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/SPRINTS_LANG_IMPLEMENTATION_PLAN.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md`. Java, shared helpers, determinism harness, and the Sprint 10 analyzers (10-301..10-309) are DONE (latest 2025-10-22); keep fixture refresh notes current and pivot to Wave 1 benchmarking/packaging follow-ups. -- Team Notify Models Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Models/TASKS.md`. Focus on NOTIFY-MODELS-15-101 (TODO), NOTIFY-MODELS-15-102 (TODO), NOTIFY-MODELS-15-103 (TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md. -- Team Notify Storage Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Storage.Mongo/TASKS.md`. Focus on NOTIFY-STORAGE-15-201 (TODO), NOTIFY-STORAGE-15-202 (TODO), NOTIFY-STORAGE-15-203 (TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md. -- Team Notify WebService Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Notify/StellaOps.Notify.WebService/TASKS.md`. 
Focus on NOTIFY-WEB-15-101 (TODO), NOTIFY-WEB-15-102 (TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md. -- Team Platform Events Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `docs/TASKS.md`. Focus on PLATFORM-EVENTS-09-401 (TODO). Confirm prerequisites (external: DOCS-EVENTS-09-003) before starting and report status in module TASKS.md. -- Team Plugin Platform Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/__Libraries/StellaOps.Plugin/TASKS.md`. Focus on PLUGIN-DI-08-002.COORD (DONE 2025-10-20), PLUGIN-DI-08-002 (DONE 2025-10-20), PLUGIN-DI-08-003 (DONE 2025-10-20), PLUGIN-DI-08-004 (DONE 2025-10-20), and PLUGIN-DI-08-005 (DONE 2025-10-20). Confirm prerequisites (PLUGIN-DI-08-001) before starting and report status in module TASKS.md. -- Team Plugin Platform Guild, Authority Core: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/__Libraries/StellaOps.Plugin/TASKS.md`. Coordination session for PLUGIN-DI-08-002 implementation completed on 2025-10-20 15:00–16:05 UTC and scoped-service changes have shipped with regression coverage; subsequent tasks (PLUGIN-DI-08-003/004/005) remain green. -- Team Policy Guild: Sprint 9 core tasks (POLICY-CORE-09-004/005/006) closed on 2025-10-19; ensure downstream consumers refresh against the published scoring config + quiet/unknown outputs and raise follow-up tasks if additional polish is required. -- Team Runtime Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `docs/TASKS.md`. Focus on RUNTIME-GUILD-09-402 (TODO). Confirm prerequisites (external: SCANNER-POLICY-09-107) before starting and report status in module TASKS.md. -- Team Scanner WebService Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scanner/StellaOps.Scanner.WebService/TASKS.md`. Focus on SCANNER-EVENTS-15-201 (DONE 2025-10-20). Confirm prerequisites (none) before starting and report status in module TASKS.md. 
-- Team Scheduler ImpactIndex Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/TASKS.md`. Focus on SCHED-IMPACT-16-300 (DONE 2025-10-20) and ensure the temporary stub removal note stays tracked. Confirm prerequisites (external: SAMPLES-10-001) before starting and report status in module TASKS.md. -- Team Scheduler Models Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md`. SCHED-MODELS-16-103 completed (2025-10-20); ensure downstream teams consume the migration helpers and log upgrade warnings. -- Team Scheduler Queue Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Queue/TASKS.md`. SCHED-QUEUE-16-401 completed (2025-10-20); proceed with Wave 1 queue enhancements. -- Team Scheduler Storage Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/TASKS.md`. Focus on SCHED-STORAGE-16-201 (TODO). Confirm prerequisites (external: SCHED-MODELS-16-101) before starting and report status in module TASKS.md. -- Team Scheduler WebService Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md`. Focus on SCHED-WEB-16-101 (TODO). Confirm prerequisites (external: SCHED-MODELS-16-101) before starting and report status in module TASKS.md. -- Team Signer Guild: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Signer/StellaOps.Signer/TASKS.md`. Focus on SIGNER-API-11-101 (DONE 2025-10-21), SIGNER-REF-11-102 (DONE 2025-10-21), SIGNER-QUOTA-11-103 (DONE 2025-10-21). Confirm prerequisites (none) before starting and report status in module TASKS.md. -- Team TBD: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md`. Focus on SCANNER-ANALYZERS-LANG-10-302C (TODO). 
Confirm prerequisites (external: SCANNER-ANALYZERS-LANG-10-302B) before starting and report status in module TASKS.md. -- Team Team Connector Resumption – CERT/RedHat: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Distro.RedHat/TASKS.md`. Focus on FEEDCONN-REDHAT-02-001 (DOING). Confirm prerequisites (none) before starting and report status in module TASKS.md. -- Team Team Excititor Attestation: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Attestation/TASKS.md`. Focus on EXCITITOR-ATTEST-01-003 (TODO). Confirm prerequisites (external: EXCITITOR-ATTEST-01-002) before starting and report status in module TASKS.md. -- Team Team Excititor Connectors – Cisco: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-CISCO-01-003 (TODO). Confirm prerequisites (external: EXCITITOR-CONN-CISCO-01-002, EXCITITOR-POLICY-01-001) before starting and report status in module TASKS.md. -- Team Team Excititor Connectors – MSRC: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-MS-01-002 (TODO). Confirm prerequisites (external: EXCITITOR-CONN-MS-01-001, EXCITITOR-STORAGE-01-003) before starting and report status in module TASKS.md. -- Team Team Excititor Connectors – Oracle: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-ORACLE-01-001 (DOING). Confirm prerequisites (external: EXCITITOR-CONN-ABS-01-001) before starting and report status in module TASKS.md. -- Team Team Excititor Connectors – SUSE: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md`. 
Focus on EXCITITOR-CONN-SUSE-01-002 (TODO). Confirm prerequisites (external: EXCITITOR-CONN-SUSE-01-001, EXCITITOR-STORAGE-01-003) before starting and report status in module TASKS.md. -- Team Team Excititor Connectors – Ubuntu: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-UBUNTU-01-002 (TODO). Confirm prerequisites (external: EXCITITOR-CONN-UBUNTU-01-001, EXCITITOR-STORAGE-01-003) before starting and report status in module TASKS.md. -- Team Team Excititor Export: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Export/TASKS.md`. Focus on EXCITITOR-EXPORT-01-005 (DONE 2025-10-21). Confirm prerequisites (external: EXCITITOR-CORE-02-001, EXCITITOR-EXPORT-01-004) before starting and report status in module TASKS.md. -- Team Team Excititor Formats: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Formats.CSAF/TASKS.md`, `src/Excititor/__Libraries/StellaOps.Excititor.Formats.CycloneDX/TASKS.md`, `src/Excititor/__Libraries/StellaOps.Excititor.Formats.OpenVEX/TASKS.md`. Focus on EXCITITOR-FMT-CSAF-01-002 (TODO), EXCITITOR-FMT-CSAF-01-003 (TODO), EXCITITOR-FMT-CYCLONE-01-002 (TODO), EXCITITOR-FMT-CYCLONE-01-003 (TODO), EXCITITOR-FMT-OPENVEX-01-002 (TODO), EXCITITOR-FMT-OPENVEX-01-003 (TODO). Confirm prerequisites (external: EXCITITOR-EXPORT-01-001, EXCITITOR-FMT-CSAF-01-001, EXCITITOR-FMT-CYCLONE-01-001, EXCITITOR-FMT-OPENVEX-01-001, EXCITITOR-POLICY-01-001) before starting and report status in module TASKS.md. -- Team Team Excititor Storage: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md`. Focus on EXCITITOR-STORAGE-MONGO-08-001 (DONE 2025-10-19), EXCITITOR-STORAGE-03-001 (TODO). 
Confirm prerequisites (external: EXCITITOR-STORAGE-01-003, EXCITITOR-STORAGE-02-001) before starting and report status in module TASKS.md. -- Team Team Excititor WebService: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.WebService/TASKS.md`. Focus on EXCITITOR-WEB-01-002 (DONE 2025-10-20), EXCITITOR-WEB-01-003 (TODO), EXCITITOR-WEB-01-004 (DONE 2025-10-20). Confirm prerequisites (external: EXCITITOR-ATTEST-01-001, EXCITITOR-EXPORT-01-001, EXCITITOR-WEB-01-001) before starting and report status in module TASKS.md. -- Team Team Excititor Worker: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.Worker/TASKS.md`. Focus on EXCITITOR-WORKER-01-004 (DONE 2025-10-21); EXCITITOR-WORKER-01-002 (DONE 2025-10-21) and EXCITITOR-WORKER-02-001 (DONE 2025-10-21) recorded. Confirm prerequisites (external: EXCITITOR-CORE-02-001, EXCITITOR-WORKER-01-001) before starting and report status in module TASKS.md. -- Team Team Merge & QA Enforcement: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md`. Focus on FEEDMERGE-COORD-02-900 (DOING). Confirm prerequisites (none) before starting and report status in module TASKS.md. **2025-10-19:** Coordination refreshed; connector owners notified and TASKS.md entries updated. **2025-10-20:** Coordination matrix + rollout dashboard refreshed with connector due dates (Cccs/Cisco 2025-10-21, CertBund 2025-10-22, ICS-CISA 2025-10-23, KISA 2025-10-24) and escalation plan logged. -- Team Team Normalization & Storage Backbone: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md`. Focus on FEEDSTORAGE-MONGO-08-001 (DONE 2025-10-19). Confirm prerequisites (none) before starting and report status in module TASKS.md. 
-- Team Team WebService & Authority: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md`, `src/Concelier/StellaOps.Concelier.WebService/TASKS.md`. Focus on SEC2.PLG (DOING), SEC3.PLG (DOING), SEC5.PLG (DOING), PLG4-6.CAPABILITIES (BLOCKED), PLG6.DIAGRAM (TODO), PLG7.RFC (REVIEW), FEEDWEB-DOCS-01-001 (DOING), FEEDWEB-OPS-01-006 (TODO), FEEDWEB-OPS-01-007 (BLOCKED). Confirm prerequisites (none) before starting and report status in module TASKS.md. -- Team Tools Guild, BE-Conn-MSRC: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Common/TASKS.md`. Focus on FEEDCONN-SHARED-STATE-003 (**TODO). Confirm prerequisites (none) before starting and report status in module TASKS.md. -- Team UX Specialist, Angular Eng: read EXECPLAN.md Wave 0 and SPRINTS.md rows for `src/Web/StellaOps.Web/TASKS.md`. Focus on WEB1.TRIVY-SETTINGS (DONE 2025-10-21), WEB1.TRIVY-SETTINGS-TESTS (DONE 2025-10-21), and WEB1.DEPS-13-001 (DONE 2025-10-21). Confirm prerequisites (none) before starting and report status in module TASKS.md. - -### Wave 1 -- Team Concelier WebService Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Concelier/StellaOps.Concelier.WebService/TASKS.md`. Focus on CONCELIER-WEB-AOC-19-001/002/003/004 (TODO). Confirm prerequisites (WEB-AOC-19-001, CONCELIER-CORE-AOC-19-001, CONCELIER-STORE-AOC-19-001) before starting and record progress in TASKS.md. -- Team Concelier Core Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`. Focus on CONCELIER-CORE-AOC-19-001/002/003/004 (TODO). Coordinate with Policy team on derived-data removal. -- Team Concelier Storage Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md`. 
Prioritise CONCELIER-STORE-AOC-19-001/002/003/004 (TODO) and align validator rollout with DevOps. -- Team Excititor WebService Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.WebService/TASKS.md`. Focus on EXCITITOR-WEB-AOC-19-001/002/003/004 (TODO). Ensure parity with Concelier ingestion guard. -- Team Excititor Core Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md`. Focus on EXCITITOR-CORE-AOC-19-001/002/003/004 (TODO). -- Team Excititor Storage Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md`. Work on EXCITITOR-STORE-AOC-19-001/002/003/004 (TODO) with migration dry-run plans. -- Team Excititor Worker Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.Worker/TASKS.md`. Focus on EXCITITOR-WORKER-AOC-19-001/002/003 (TODO) coordinating signature enforcement with storage guard. -- Team BE-Base Platform Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Web/StellaOps.Web/TASKS.md`. Deliver WEB-AOC-19-001/002/003 (TODO) to unblock ingestion services. -- Team Policy Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Policy/__Libraries/StellaOps.Policy/TASKS.md`. Work on POLICY-AOC-19-001/002/003/004 (TODO) to keep derived data policy-only. -- Team Authority Core & Security Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Authority/StellaOps.Authority/TASKS.md`. Prioritise AUTH-AOC-19-001/002/003 (TODO) for new scopes + tenancy. -- Team DevEx/CLI Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Cli/StellaOps.Cli/TASKS.md`. Focus on CLI-AOC-19-001/002/003 (TODO) and sync exit codes with services. -- Team UI Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/UI/StellaOps.UI/TASKS.md`. Execute UI-AOC-19-001/002/003 (TODO) using new verify endpoints. 
-- Team DevOps Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `ops/devops/TASKS.md`. Implement DEVOPS-AOC-19-001/002/003 (TODO) to gate CI with new guards. -- Team Docs Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `docs/TASKS.md`. Cover DOCS-AOC-19-001..008 (TODO) aligning docs with new ingestion contract. -- Team Bench Guild, Language Analyzer Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Bench/StellaOps.Bench/TASKS.md`. Focus on BENCH-SCANNER-10-002 (TODO). Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-301 (Wave 0)) before starting and report status in module TASKS.md. -- Team DevEx/CLI, QA Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Cli/StellaOps.Cli/TASKS.md`. Focus on CLI-RUNTIME-13-009 (TODO). Confirm prerequisites (internal: CLI-RUNTIME-13-005 (Wave 0)) before starting and report status in module TASKS.md. -- Team DevOps Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `ops/devops/TASKS.md`. Focus on DEVOPS-REL-14-001 (DOING 2025-10-23). Confirm prerequisites (internal: SIGNER-API-11-101 (Wave 0)) before starting and report status in module TASKS.md. -- Team DevOps Guild, Scanner WebService Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `ops/devops/TASKS.md`. Focus on DEVOPS-SCANNER-09-204 (TODO). Confirm prerequisites (internal: SCANNER-EVENTS-15-201 (Wave 0)) before starting and report status in module TASKS.md. -- Team Emit Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Emit/TASKS.md`. SCANNER-EMIT-10-607 shipped 2025-10-22; remaining focus is SCANNER-EMIT-17-701 (build-id enrichment). Confirm prerequisites (internal: POLICY-CORE-09-005 (Wave 0), SCANNER-EMIT-10-602 (Wave 0), SCANNER-EMIT-10-604 (Wave 0)) before starting and report status in module TASKS.md. -- Team Language Analyzer Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md`. 
Sprint 10 language analyzers (10-303..10-306) wrapped by 2025-10-22; shift to Wave 1 benchmarking/packaging follow-ups (10-308+/309 variants) and ensure shared helpers stay stable. Node stream (tasks 10-302/309) closed on 2025-10-21; verify prereqs SCANNER-ANALYZERS-LANG-10-301/307 remain satisfied before new work. -- Team Licensing Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `ops/licensing/TASKS.md`. Focus on DEVOPS-LIC-14-004 (TODO). Confirm prerequisites (internal: AUTH-MTLS-11-002 (Wave 0)) before starting and report status in module TASKS.md. -- Team Notify Engine Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md`. Focus on NOTIFY-ENGINE-15-301 (TODO). Confirm prerequisites (internal: NOTIFY-MODELS-15-101 (Wave 0)) before starting and report status in module TASKS.md. -- Team Notify WebService Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Notify/StellaOps.Notify.WebService/TASKS.md`. Focus on NOTIFY-WEB-15-103 (DONE). Confirm prerequisites (internal: NOTIFY-WEB-15-102 (Wave 0)) before starting and report status in module TASKS.md. -- Team Scheduler ImpactIndex Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/TASKS.md`. Focus on SCHED-IMPACT-16-301 (TODO). Confirm prerequisites (internal: SCANNER-EMIT-10-605 (Wave 0)) before starting and report status in module TASKS.md. -- Team Scheduler Queue Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Queue/TASKS.md`. SCHED-QUEUE-16-402 completed (2025-10-20); next focus is SCHED-QUEUE-16-403. -- Team Scheduler Storage Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/TASKS.md`. Focus on SCHED-STORAGE-16-203 (TODO), SCHED-STORAGE-16-202 (TODO). 
Confirm prerequisites (internal: SCHED-STORAGE-16-201 (Wave 0)) before starting and report status in module TASKS.md. -- Team Scheduler WebService Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md`. Focus on SCHED-WEB-16-104 (TODO), SCHED-WEB-16-102 (TODO). Confirm prerequisites (internal: SCHED-QUEUE-16-401 (Wave 0), SCHED-STORAGE-16-201 (Wave 0), SCHED-WEB-16-101 (Wave 0)) before starting and report status in module TASKS.md. -- Team Scheduler Worker Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md`. Focus on SCHED-WORKER-16-201 (TODO). Confirm prerequisites (internal: SCHED-QUEUE-16-401 (Wave 0)) before starting and report status in module TASKS.md. -- Team TBD: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. SCANNER-ANALYZERS-LANG-10-305A/304A/303A/306A all closed by 2025-10-22; use this slot to review cross-language fixture hygiene and prep Wave 1 benchmarking tickets. Node add-ons 10-307N/10-308N/10-309N remain DONE with restart-time packaging verified 2025-10-21. Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-302C (Wave 0), SCANNER-ANALYZERS-LANG-10-307 (Wave 0)) before starting any new follow-ups and report status in module TASKS.md. -- Team Team Excititor Connectors – MSRC: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-MS-01-003 (TODO). 
Confirm prerequisites (internal: EXCITITOR-CONN-MS-01-002 (Wave 0); external: EXCITITOR-POLICY-01-001) before starting and report status in module TASKS.md. -- Team Team Excititor Connectors – Oracle: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-ORACLE-01-002 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-ORACLE-01-001 (Wave 0); external: EXCITITOR-STORAGE-01-003) before starting and report status in module TASKS.md. -- Team Team Excititor Connectors – SUSE: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md`. Focus on EXCITITOR-CONN-SUSE-01-003 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-SUSE-01-002 (Wave 0); external: EXCITITOR-POLICY-01-001) before starting and report status in module TASKS.md. -- Team Team Excititor Connectors – Ubuntu: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-UBUNTU-01-003 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-UBUNTU-01-002 (Wave 0); external: EXCITITOR-POLICY-01-001) before starting and report status in module TASKS.md. -- Team Team Excititor Export: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Export/TASKS.md`. Focus on EXCITITOR-EXPORT-01-006 (DONE 2025-10-21). Confirm prerequisites (internal: EXCITITOR-EXPORT-01-005 (Wave 0), POLICY-CORE-09-005 (Wave 0)) before starting and report status in module TASKS.md. -- Team Team Excititor Worker: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.Worker/TASKS.md`. Focus on EXCITITOR-WORKER-01-003 (TODO). Confirm prerequisites (internal: EXCITITOR-ATTEST-01-003 (Wave 0); external: EXCITITOR-EXPORT-01-002, EXCITITOR-WORKER-01-001) before starting and report status in module TASKS.md. 
-- Team UI Guild: read EXECPLAN.md Wave 1 and SPRINTS.md rows for `src/UI/StellaOps.UI/TASKS.md`. Focus on UI-SCANS-13-002 (TODO), UI-VEX-13-003 (TODO), UI-ADMIN-13-004 (TODO), UI-SCHED-13-005 (TODO). Confirm prerequisites (internal: AUTH-DPOP-11-001 (Wave 0), AUTH-MTLS-11-002 (Wave 0), EXCITITOR-EXPORT-01-005 (Wave 0), NOTIFY-WEB-15-101 (Wave 0), POLICY-CORE-09-006 (Wave 0), SCHED-WEB-16-101 (Wave 0), SIGNER-API-11-101 (Wave 0); external: EXCITITOR-CORE-02-001, SCANNER-WEB-09-102, SCANNER-WEB-09-103) before starting and report status in module TASKS.md. - -### Wave 2 -- Team Bench Guild, Notify Team: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Bench/StellaOps.Bench/TASKS.md`. Focus on BENCH-NOTIFY-15-001 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-301 (Wave 1)) before starting and report status in module TASKS.md. -- Team Bench Guild, Scheduler Team: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Bench/StellaOps.Bench/TASKS.md`. Focus on BENCH-IMPACT-16-001 (TODO). Confirm prerequisites (internal: SCHED-IMPACT-16-301 (Wave 1)) before starting and report status in module TASKS.md. -- Team Deployment Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `ops/deployment/TASKS.md`. Focus on DEVOPS-OPS-14-003 (TODO). Confirm prerequisites (internal: DEVOPS-REL-14-001 (Wave 1)) before starting and report status in module TASKS.md. -- Team DevOps Guild, Notify Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `ops/devops/TASKS.md`. Focus on DEVOPS-SCANNER-09-205 (TODO). Confirm prerequisites (internal: DEVOPS-SCANNER-09-204 (Wave 1)) before starting and report status in module TASKS.md. -- Team Notify Engine Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md`. Focus on NOTIFY-ENGINE-15-302 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-301 (Wave 1)) before starting and report status in module TASKS.md. 
-- Team Offline Kit Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `ops/offline-kit/TASKS.md`. Focus on DEVOPS-OFFLINE-14-002 (TODO), DEVOPS-OFFLINE-18-003 (TODO), and DEVOPS-OFFLINE-18-005 (TODO). Confirm prerequisites (internal: DEVOPS-REL-14-001 (Wave 1), DEVOPS-REL-14-004 (Wave 2)) before starting and report status in module TASKS.md. -- Team Samples Guild, Policy Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `samples/TASKS.md`. Focus on SAMPLES-13-004 (TODO). Confirm prerequisites (internal: POLICY-CORE-09-006 (Wave 0), UI-POLICY-13-007 (Wave 1)) before starting and report status in module TASKS.md. -- Team Scheduler ImpactIndex Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/TASKS.md`. Focus on SCHED-IMPACT-16-303 (TODO), SCHED-IMPACT-16-302 (TODO). Confirm prerequisites (internal: SCHED-IMPACT-16-301 (Wave 1)) before starting and report status in module TASKS.md. -- Team Scheduler WebService Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md`. Focus on SCHED-WEB-16-103 (TODO). Confirm prerequisites (internal: SCHED-WEB-16-102 (Wave 1)) before starting and report status in module TASKS.md. -- Team Scheduler Worker Guild: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md`. Focus on SCHED-WORKER-16-202 (TODO), SCHED-WORKER-16-205 (TODO). Confirm prerequisites (internal: SCHED-IMPACT-16-301 (Wave 1), SCHED-WORKER-16-201 (Wave 1)) before starting and report status in module TASKS.md. 
-- Team TBD: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. SCANNER-ANALYZERS-LANG-10-305B/304B/303B/306B wrapped on 2025-10-22; next focus moves to `10-307*` shared helper integration and Wave 2 benchmark polish. Node packaging milestone 10-308N closed 2025-10-21. Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-303A (Wave 1), SCANNER-ANALYZERS-LANG-10-304A (Wave 1), SCANNER-ANALYZERS-LANG-10-305A (Wave 1), SCANNER-ANALYZERS-LANG-10-306A (Wave 1), SCANNER-ANALYZERS-LANG-10-307N (Wave 1)) before starting new work and report status in module TASKS.md. -- Team Team Excititor Connectors – Oracle: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md`. Focus on EXCITITOR-CONN-ORACLE-01-003 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-ORACLE-01-002 (Wave 1); external: EXCITITOR-POLICY-01-001) before starting and report status in module TASKS.md. -- Team Team Excititor Export: read EXECPLAN.md Wave 2 and SPRINTS.md rows for `src/Excititor/__Libraries/StellaOps.Excititor.Export/TASKS.md`. Focus on EXCITITOR-EXPORT-01-007 (DONE 2025-10-21). Confirm prerequisites (internal: EXCITITOR-EXPORT-01-006 (Wave 1)) before starting and report status in module TASKS.md. - -### Wave 3 -- Team DevEx/CLI: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/Cli/StellaOps.Cli/TASKS.md`. Focus on CLI-OFFLINE-13-006 (DONE 2025-10-21). Confirm prerequisites (internal: DEVOPS-OFFLINE-14-002 (Wave 2)) before starting and report status in module TASKS.md. 
-- Team Excititor Connectors – Stella: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md`. Focus on EXCITITOR-CONN-STELLA-07-001 (DONE 2025-10-21). Confirm prerequisites (internal: EXCITITOR-EXPORT-01-007 (Wave 2)) before starting and report status in module TASKS.md. -- Team Notify Engine Guild: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md`. Focus on NOTIFY-ENGINE-15-303 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-302 (Wave 2)) before starting and report status in module TASKS.md. -- Team Notify Worker Guild: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/Notify/StellaOps.Notify.Worker/TASKS.md`. Focus on NOTIFY-WORKER-15-203 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-302 (Wave 2)) before starting and report status in module TASKS.md. -- Team Scheduler Worker Guild: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md`. Focus on SCHED-WORKER-16-203 (TODO). Confirm prerequisites (internal: SCHED-WORKER-16-202 (Wave 2)) before starting and report status in module TASKS.md. -- Team TBD: read EXECPLAN.md Wave 3 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. SCANNER-ANALYZERS-LANG-10-305C/304C/309N/303C/306C are all DONE (latest 2025-10-22); remaining Wave 3 attention shifts to 10-307* helper consolidation and subsequent benchmarking tickets. 
Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-303B (Wave 2), SCANNER-ANALYZERS-LANG-10-304B (Wave 2), SCANNER-ANALYZERS-LANG-10-305B (Wave 2), SCANNER-ANALYZERS-LANG-10-306B (Wave 2), SCANNER-ANALYZERS-LANG-10-308N (Wave 2)) before scheduling new work and report status in module TASKS.md. - -### Wave 4 -- Team DevEx/CLI: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/Cli/StellaOps.Cli/TASKS.md`. Focus on CLI-PLUGIN-13-007 (DONE 2025-10-22). Confirm prerequisites (internal: CLI-OFFLINE-13-006 (Wave 3), CLI-RUNTIME-13-005 (Wave 0)) before starting and report status in module TASKS.md. -- Team Excititor Connectors – Stella: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md`. Focus on EXCITITOR-CONN-STELLA-07-002 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-STELLA-07-001 (Wave 3)) before starting and report status in module TASKS.md. -- Team Notify Connectors Guild: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/TASKS.md`. Focus on NOTIFY-CONN-SLACK-15-501 (TODO), NOTIFY-CONN-TEAMS-15-601 (TODO), NOTIFY-CONN-EMAIL-15-701 (TODO), NOTIFY-CONN-WEBHOOK-15-801 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-303 (Wave 3)) before starting and report status in module TASKS.md. -- Team Notify Engine Guild: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md`. Focus on NOTIFY-ENGINE-15-304 (TODO). Confirm prerequisites (internal: NOTIFY-ENGINE-15-303 (Wave 3)) before starting and report status in module TASKS.md. -- Team Notify Worker Guild: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/Notify/StellaOps.Notify.Worker/TASKS.md`. 
Focus on NOTIFY-WORKER-15-204 (TODO). Confirm prerequisites (internal: NOTIFY-WORKER-15-203 (Wave 3)) before starting and report status in module TASKS.md. -- Team Scheduler Worker Guild: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md`. Focus on SCHED-WORKER-16-204 (TODO). Confirm prerequisites (internal: SCHED-WORKER-16-203 (Wave 3)) before starting and report status in module TASKS.md. -- Team TBD: read EXECPLAN.md Wave 4 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. SCANNER-ANALYZERS-LANG-10-307D/G/P are DONE (latest 2025-10-23); remaining focus is SCANNER-ANALYZERS-LANG-10-307R (DOING). Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-303C (Wave 3), SCANNER-ANALYZERS-LANG-10-304C (Wave 3), SCANNER-ANALYZERS-LANG-10-305C (Wave 3), SCANNER-ANALYZERS-LANG-10-306C (Wave 3)) before progressing and report status in module TASKS.md. - -### Wave 5 -- **Sprint 23-28** · StellaOps Console, Policy Studio, Graph Explorer - - Team: Policy Registry Guild - - Path: `src/Policy/StellaOps.Policy.Registry/TASKS.md` - 1. [TODO] REGISTRY-API-27-001..010 — Deliver Registry service (OpenAPI, workspace storage, compile/sim integration, review workflow, publish/attest, promotion, telemetry, testing). Coordinate closely with Policy Engine, Scheduler, Authority, Console, CLI, Docs, and DevOps. - - Team: Findings Ledger Guild - - Path: `src/Findings/StellaOps.Findings.Ledger/TASKS.md` - 1. [TODO] LEDGER-29-001..009 — Stand up immutable ledger, projector, workflow handlers, hashing/Merkle anchoring, and deployment tooling powering Vuln Explorer. - - Team: VEX Lens Guild - - Path: `src/VexLens/StellaOps.VexLens/TASKS.md` - 1. 
[TODO] VEXLENS-30-001..011 — Build VEX normalization, mapping, trust weighting, consensus projection, APIs, simulation, telemetry, and deployment. - - Team: Issuer Directory Guild - - Path: `src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md` - 1. [TODO] ISSUER-30-001..006 — Provide issuer/key management, trust overrides, integration with VEX Lens, telemetry, and deployment guidance. - - Team: Advisory AI Guild - - Path: `src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md` - 1. [TODO] AIAI-31-001..009 — Implement retrievers, deterministics, guardrails, APIs, telemetry, and deployment for Advisory AI summaries/conflict explain/remediation. - - Team: Graph Indexer Guild - - Path: `src/Graph/StellaOps.Graph.Indexer/TASKS.md` - 1. [TODO] GRAPH-INDEX-28-001..010 — Build graph ingestion (SBOM, advisory, VEX, policy overlays), snapshots, clustering, incremental updates, and deployment artifacts. Maintain deterministic identity + tenant isolation. - - Team: Graph API Guild - - Path: `src/Graph/StellaOps.Graph.Api/TASKS.md` - 1. [TODO] GRAPH-API-28-001..011 — Ship streaming query/search/paths/diff/export endpoints with cost enforcement, overlays, RBAC, telemetry, and deployment docs. - - Team: Vuln Explorer API Guild - - Path: `src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md` - 1. [TODO] VULN-API-29-001..011 — Provide policy-aware list/detail/workflow/simulation/export APIs atop the ledger with deterministic outputs and auditable telemetry. - - Team: Console Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CONSOLE-CORE-23-001..CONSOLE-REL-23-303, CONSOLE-DOC-23-501/502, TELEMETRY-CONSOLE-23-001 — Bootstrap the Next.js workspace, build shell/navigation, deliver feature modules (Dashboard, SBOM, Advisories/VEX, Findings, Policies, Runs, Reports, Admin, Downloads), wire telemetry, QA (Playwright, Storybook a11y, Lighthouse), release artifacts, and support docs/parity automation. 
Sequence: finish core scaffolding (23-001..005) before picking up feature modules; hold Reports/Downloads until backend export + manifest tasks signal ready. - 2. [TODO] CONSOLE-STUDIO-27-001..007, CONSOLE-GRAPH-28-001..008, TELEMETRY-CONSOLE-27-001 — Deliver Policy Studio editor experience and Graph Explorer WebGL module (semantic zoom, overlays, diff, exports, saved queries, accessibility, telemetry). - 3. [TODO] CONSOLE-VULN-29-001..007 — Ship Vuln Explorer UI enhancements (list/detail/workflow/simulation/export) with telemetry and accessibility. - 4. [TODO] CONSOLE-VEX-30-001..005 — Provide VEX Lens console experience with quorum/conflict visualization and telemetry. - 5. [TODO] CONSOLE-AIAI-31-001..005 — Build Advisory AI side panel (summary/conflict/remediation) with copy-as-ticket, a11y, and telemetry integration. - - Team: BE-Base Platform Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - 1. [TODO] WEB-CONSOLE-23-001..005 — Stand up `/console/*` aggregates, SSE proxy, export orchestrator, global search, and downloads manifest endpoints. Coordinate closely with Policy, Scheduler, Concelier, Excititor, SBOM services to validate payloads. - 2. [TODO] WEB-GRAPH-24-001..004 — Route `/graph/*` APIs to Graph service, enforce scopes, provide overlay/export proxies, and aggregate telemetry. - 3. [TODO] WEB-VULN-29-001..004 — Provide Vuln Explorer routing, ledger proxying, simulation/export orchestration, and telemetry. - 4. [TODO] WEB-AIAI-31-001..003 — Route Advisory AI endpoints, batch orchestration, and telemetry/audit pipelines. - - Team: Authority Core & Security Guild - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-CONSOLE-23-001..003 — Register Console OIDC client, expose tenant/profile endpoints, refresh security docs. PKCE + short-lived tokens must land before Console auth wiring can start. - 2. 
[TODO] AUTH-POLICY-27-001..003, AUTH-GRAPH-21-001..003 — Roll out Policy Studio scopes + signing enforcement and ensure Graph scopes/RBAC stay in sync. - 3. [TODO] AUTH-VULN-29-001..003 — Deliver Vuln Explorer scopes, CSRF enforcement, attachment signing, and documentation. - 4. [TODO] AUTH-AIAI-31-001..002 — Define Advisory AI scopes/consent controls and enforce anonymized logging/audit flows. - - Team: Policy Guild - - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` - 1. [TODO] POLICY-CONSOLE-23-001/002, EXPORT-CONSOLE-23-001 — Optimize findings/explain APIs, expose simulation diff + approvals metadata, and deliver evidence bundle generator feeding Web gateway + Console Reports. - 2. [TODO] POLICY-ENGINE-27-001..004, POLICY-ENGINE-30-001..003 — Provide Studio compile metadata, simulation enhancements, complexity limits, and graph overlay contracts/events. - 3. [TODO] POLICY-ENGINE-29-001..004 — Supply batch evaluation/simulation for Vuln Explorer and consensus overlays with telemetry. - 4. [TODO] POLICY-ENGINE-31-001..002 — Surface Advisory AI parameters and policy context endpoints consumed by the assistant. - - Team: SBOM Service Guild - - Path: `src/SbomService/StellaOps.SbomService/TASKS.md` - 1. [TODO] SBOM-CONSOLE-23-001/002 — Provide Console catalog + component lookup endpoints (filters, overlays, raw projections). Coordinate caching hints with Web + Console teams. - 2. [TODO] SBOM-GRAPH-24-001..004 — Maintain graph node/edge collections, builders, diff events, and caches feeding Graph Explorer. - 3. [TODO] SBOM-VULN-29-001/002 — Emit enriched inventory evidence (scope/runtime/path/safe versions) and resolver feeds for Vuln Explorer. - 4. [TODO] SBOM-AIAI-31-001/002 — Deliver path/timeline APIs and telemetry for Advisory AI remediation hints. - - Team: Concelier WebService Guild - - Path: `src/Concelier/StellaOps.Concelier.WebService/TASKS.md` - 1. 
[TODO] CONCELIER-CONSOLE-23-001..003 — Deliver advisory aggregation views, delta metrics feed, and search helpers backing Dashboard/Search modules. - 2. [TODO] CONCELIER-VULN-29-001..004 — Normalize advisory keys, expose raw evidence, publish safe fix hints, and instrument metrics for Vuln Explorer. - 3. [TODO] CONCELIER-AIAI-31-001..003 — Provide paragraph anchors, structured fields, and telemetry required by Advisory AI. - - Team: Excititor WebService Guild - - Path: `src/Excititor/StellaOps.Excititor.WebService/TASKS.md` - 1. [TODO] EXCITITOR-CONSOLE-23-001..003 — Provide VEX aggregation, override deltas, and search helpers for Console UX. - 2. [TODO] EXCITITOR-GRAPH-24-101/102 — Supply VEX summaries for Graph Explorer overlays and inspectors. - 3. [TODO] EXCITITOR-VULN-29-001..004 — Canonicalize VEX keys, surface evidence APIs, suppression metadata, and telemetry for Vuln Explorer. - 4. [TODO] EXCITITOR-AIAI-31-001..003 — Serve VEX chunks/justifications/signature metadata and telemetry for Advisory AI. - - Team: Scheduler WebService Guild - - Path: `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md` - 1. [TODO] SCHED-CONSOLE-23-001 — Extend runs API with SSE progress stream, queue lag summaries, RBAC-gated actions. - 2. [TODO] SCHED-CONSOLE-27-001/002, SCHED-WEB-21-001/002 — Surface policy batch sim orchestration and graph build/overlay monitoring endpoints. - 3. [TODO] SCHED-VULN-29-001/002 — Provide resolver job APIs and lag metrics for Vulnerability Explorer recomputation. - - Team: Scheduler Worker Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` - 1. [TODO] SCHED-WORKER-CONSOLE-23-201/202 — Publish run progress events and coordinate evidence bundle jobs consumed by Console + gateway. - 2. [TODO] SCHED-WORKER-27-301..303, SCHED-WORKER-21-201..203 — Execute policy batch simulation sharding/reduction and graph build/overlay workers with telemetry + security controls. - 3. 
[TODO] SCHED-WORKER-29-001..003 — Run vulnerability resolver/evaluation workers and monitoring to keep projections fresh. - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-CONSOLE-23-001/002 — Add console CI workflow (pnpm lint/test/Playwright/Lighthouse) and produce `stella-console` container + Helm overlays with SBOM/provenance and offline packaging. - 2. [TODO] DEVOPS-POLICY-27-001..004 — Wire policy lint/compile/test jobs, optional batch simulation CI, signing key management, and telemetry dashboards/alerts. - 3. [TODO] DEVOPS-GRAPH-28-001..003 — Stand up graph perf/load tests, rate limiting/backpressure controls, and observability dashboards/alerts. - 4. [TODO] DEVOPS-VULN-29-001..003 — Establish ledger CI/backups/anchoring, Vuln Explorer performance dashboards/alerts, and telemetry privacy safeguards. - 5. [TODO] DEVOPS-VEX-30-001 — Provision CI/perf/dashboards/alerts for VEX Lens & Issuer Directory. - 6. [TODO] DEVOPS-AIAI-31-001 — Provide CI, inference monitoring, privacy review, perf dashboards, and alerts for Advisory AI service. - - Team: Deployment Guild - - Path: `ops/deployment/TASKS.md` - 1. [TODO] DOWNLOADS-CONSOLE-23-001 — Maintain signed downloads manifest pipeline used by Console `/downloads` and docs parity checks. - 2. [TODO] DEPLOY-POLICY-27-001/002 — Provide Policy Registry deployment overlays and publish policy rollout/rollback runbook. - 3. [TODO] DEPLOY-GRAPH-28-001 — Create deployment/offline instructions for Graph Indexer/API (including cache seeds). - 4. [TODO] DEPLOY-VULN-29-001/002 — Package Findings Ledger and Vuln Explorer API deployments with migrations/backups/offline guidance. - 5. [TODO] DEPLOY-VEX-30-001/002 — Provide deployments/offline instructions for VEX Lens and Issuer Directory. - 6. [TODO] DEPLOY-AIAI-31-001 — Deliver Advisory AI deployment manifests, GPU toggle guidance, and offline kit instructions. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. 
[TODO] DOCS-CONSOLE-23-001..017 — Publish the Console doc suite (overview, navigation, module guides, deploy/install, security, observability, parity matrix, accessibility, UI tours). Coordinate media capture with Console Guild. - 2. [TODO] DOCS-POLICY-27-001..014 — Deliver Policy Studio documentation set (overview, authoring, versioning, simulation, review, promotion, CLI/API/security/observability/runbooks/templates/AOC guardrails). - 3. [TODO] DOCS-GRAPH-28-001..012 — Produce Graph Explorer documentation (overview, console usage, query language, API, CLI, overlays, advisory/VEX integration, architecture, telemetry, runbooks, security). - 4. [TODO] DOCS-VULN-29-001..013 — Author Vulnerability Explorer documents (overview, console usage, API/CLI, ledger, policy mapping, advisory/VEX integration, SBOM resolution, telemetry, security, runbooks, install updates). - 5. [TODO] DOCS-VEX-30-001..009 — Publish VEX Lens documentation set (overview, algorithm, issuer directory, APIs, console, policy trust model, mapping, signatures, runbooks). - 6. [TODO] DOCS-AIAI-31-001..009 — Publish Advisory AI documentation suite (overview, architecture, APIs, console, CLI, policy parameters, guardrails, remediation heuristics, ops runbook). - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-POLICY-27-001..005 — Implement Policy Studio CLI lifecycle (init→lint→simulate→submit→approve→publish→promote/rollback), enhance simulation reporting, and update documentation with CI-friendly outputs. - 2. [TODO] CLI-GRAPH-28-001..003 — Implement Graph Explorer CLI commands, saved query management, and updated docs/examples. - 3. [TODO] CLI-VULN-29-001..006 — Deliver Vuln Explorer CLI commands (list/show/workflow/simulate/export) and documentation updates. - 4. [TODO] CLI-VEX-30-001..004 — Provide VEX Lens CLI commands (consensus list/show/simulate/export). - 5. 
[TODO] CLI-AIAI-31-001..004 — Implement Advisory AI CLI commands (`stella advise *`) with docs and tests. - 2. [TODO] CLI-GRAPH-28-001..003 — Implement Graph Explorer CLI commands, saved query management, and updated docs/examples. - 3. [TODO] CLI-VULN-29-001..006 — Deliver Vuln Explorer CLI commands (list/show/workflow/simulate/export) and documentation updates. -- Team Excititor Connectors – Stella: read EXECPLAN.md Wave 5 and SPRINTS.md rows for `src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md`. Focus on EXCITITOR-CONN-STELLA-07-003 (TODO). Confirm prerequisites (internal: EXCITITOR-CONN-STELLA-07-002 (Wave 4)) before starting and report status in module TASKS.md. -- Team Notify Connectors Guild: read EXECPLAN.md Wave 5 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/TASKS.md`. Focus on NOTIFY-CONN-SLACK-15-502 (DONE), NOTIFY-CONN-TEAMS-15-602 (DONE), NOTIFY-CONN-EMAIL-15-702 (BLOCKED 2025-10-20), NOTIFY-CONN-WEBHOOK-15-802 (BLOCKED 2025-10-20). Confirm prerequisites (internal: NOTIFY-CONN-EMAIL-15-701 (Wave 4), NOTIFY-CONN-SLACK-15-501 (Wave 4), NOTIFY-CONN-TEAMS-15-601 (Wave 4), NOTIFY-CONN-WEBHOOK-15-801 (Wave 4)) before starting and report status in module TASKS.md. -- Team TBD: read EXECPLAN.md Wave 5 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. SCANNER-ANALYZERS-LANG-10-308D/G/P completed (2025-10-23/2025-10-22/2025-10-23); pending items are SCANNER-ANALYZERS-LANG-10-308R (TODO). 
Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-307D (Wave 4), SCANNER-ANALYZERS-LANG-10-307G (Wave 4), SCANNER-ANALYZERS-LANG-10-307P (Wave 4), SCANNER-ANALYZERS-LANG-10-307R (Wave 4)) before starting and report status in module TASKS.md. - -### Wave 6 -- Team Notify Connectors Guild: read EXECPLAN.md Wave 6 and SPRINTS.md rows for `src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/TASKS.md`, `src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/TASKS.md`. Focus on NOTIFY-CONN-SLACK-15-503 (DONE), NOTIFY-CONN-TEAMS-15-603 (DONE), NOTIFY-CONN-EMAIL-15-703 (DONE), NOTIFY-CONN-WEBHOOK-15-803 (DONE). Confirm packaging outputs remain deterministic while upstream implementation tasks (15-702/802) stay blocked. -- Team TBD: read EXECPLAN.md Wave 6 and SPRINTS.md rows for `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md`, `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md`. SCANNER-ANALYZERS-LANG-10-309D/G/P completed (2025-10-23/2025-10-22/2025-10-23); remaining item is SCANNER-ANALYZERS-LANG-10-309R (TODO). Confirm prerequisites (internal: SCANNER-ANALYZERS-LANG-10-308D (Wave 5), SCANNER-ANALYZERS-LANG-10-308G (Wave 5), SCANNER-ANALYZERS-LANG-10-308P (Wave 5), SCANNER-ANALYZERS-LANG-10-308R (Wave 5)) before starting and report status in module TASKS.md. - -### Wave 7 -- Team Team Core Engine & Storage Analytics: read EXECPLAN.md Wave 7 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`. Focus on FEEDCORE-ENGINE-07-001 (DONE 2025-10-19). Confirm prerequisites (internal: FEEDSTORAGE-DATA-07-001 (Wave 10)) before starting and report status in module TASKS.md. 
- -### Wave 8 -- Team Team Core Engine & Data Science: read EXECPLAN.md Wave 8 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`. Focus on FEEDCORE-ENGINE-07-002 (DONE 2025-10-21). Confirm prerequisites (internal: FEEDCORE-ENGINE-07-001 (Wave 7)) before starting and report status in module TASKS.md. - -### Wave 9 -- Team Team Core Engine & Storage Analytics: read EXECPLAN.md Wave 9 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`. FEEDCORE-ENGINE-07-003 marked DONE (2025-10-21); share ledger heuristics with Policy when integrating confidence decay. - -### Wave 10 -- Team Team Normalization & Storage Backbone: read EXECPLAN.md Wave 10 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md`. Focus on FEEDSTORAGE-DATA-07-001 (DONE 2025-10-19). Confirm prerequisites (internal: FEEDMERGE-ENGINE-07-001 (Wave 11)) before starting and report status in module TASKS.md. - -### Wave 11 — 48 task(s) ready after Wave 10 -- **Sprint 25** · Exceptions v1 - - Team: Policy Guild - - Paths: `src/Policy/__Libraries/StellaOps.Policy/TASKS.md`, `src/Policy/StellaOps.Policy.Engine/TASKS.md` - 1. [TODO] POLICY-EXC-25-001, POLICY-ENGINE-70-001..005 — SPL updates, evaluation layer, storage, cache, observability, worker hooks. - - Team: BE-Base Platform Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - 1. [TODO] WEB-EXC-25-001..003 — Exceptions API workflow, policy integration, events/notifications. - - Team: UI Guild - - Path: `src/UI/StellaOps.UI/TASKS.md` - 1. [TODO] UI-EXC-25-001..005 — Exception Center, creation wizard, inline flows, badges, accessibility. - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-EXC-25-001/002 — CLI workflow commands and simulation overrides. - - Team: Authority Core & Security Guild - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-EXC-25-001/002 — Exception scopes, routing matrix, docs. 
- - Team: Scheduler Worker Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` - 1. [TODO] SCHED-WORKER-25-101/102 — Exception lifecycle + expiring notification jobs. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-EXC-25-001..007 — Governance, approvals, API, policy effects, UI, CLI, migration docs. - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] (future) exception monitoring/notifications integration if needed (track under DEVOPS-LNM-22-003 extension). - -- Team BE-Merge: read EXECPLAN.md Wave 11 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md`. FEEDMERGE-ENGINE-07-001 marked DONE (2025-10-20); share conflict explainer rollout notes with Storage before Wave 10 resumes. - -### Wave 12 — 40 task(s) ready after Wave 11 -- **Sprint 26** · Reachability v1 - - Team: Signals Guild - - Path: `src/Signals/StellaOps.Signals/TASKS.md` - 1. [TODO] SIGNALS-24-001..005 — Signals service API, parsers, runtime ingest, scoring, caching/events. - - Team: Policy Guild - - Paths: `src/Policy/__Libraries/StellaOps.Policy/TASKS.md`, `src/Policy/StellaOps.Policy.Engine/TASKS.md` - 1. [TODO] POLICY-SPL-24-001, POLICY-ENGINE-80-001..004 — SPL updates, evaluation integration, cache optimization, metrics. - - Team: BE-Base Platform Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - 1. [TODO] WEB-SIG-26-001..003 — Signals endpoints, reachability joins, simulation overrides. - - Team: UI Guild - - Path: `src/UI/StellaOps.UI/TASKS.md` - 1. [TODO] UI-SIG-26-001..004 — Reachability columns/overlays, explain drawer, center. - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-SIG-26-001/002 — CLI commands for reachability upload/list/simulate. - - Team: Authority Core - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-SIG-26-001 — Signals scopes/roles with AOC requirements. 
- - Team: Scheduler Worker Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` - 1. [TODO] SCHED-WORKER-26-201/202 — Reachability joiner and staleness monitor jobs. - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-SIG-26-001/002 — Deployment pipelines and observability for Signals. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-SIG-26-001..008 — Reachability concepts, formats, runtime, policy weighting, UI, CLI, API, migration docs. - - Team: Concelier/Excititor Guilds - - Paths: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md` - 1. [TODO] CONCELIER-SIG-26-001, EXCITITOR-SIG-26-001 — Provide symbol/exploitability metadata to Signals. - - Team: Bench Guild - - Path: `src/Bench/StellaOps.Bench/TASKS.md` - 1. [TODO] BENCH-SIG-26-001/002 — Performance benchmarks for Signals and policy evaluation overhead. - -- Team Concelier Export Guild: read EXECPLAN.md Wave 12 and SPRINTS.md rows for `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.Json/TASKS.md`. Focus on CONCELIER-EXPORT-08-201 (TODO). Confirm prerequisites (internal: FEEDCORE-ENGINE-07-001 (Wave 7)) before starting and report status in module TASKS.md. - -### Wave 13 -- Team Concelier Export Guild: read EXECPLAN.md Wave 13 and SPRINTS.md rows for `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Exporter.TrivyDb/TASKS.md`. Focus on CONCELIER-EXPORT-08-202 (DONE 2025-10-19). Confirm prerequisites (internal: CONCELIER-EXPORT-08-201 (Wave 12)) before starting and report status in module TASKS.md. - -### Wave 14 -- Team Concelier WebService Guild: read EXECPLAN.md Wave 14 and SPRINTS.md rows for `src/Concelier/StellaOps.Concelier.WebService/TASKS.md`. CONCELIER-WEB-08-201 closed (2025-10-20); coordinate with DevOps for mirror smoke before promoting to stable. 
- -### Wave 15 -- Team BE-Conn-Stella: read EXECPLAN.md Wave 15 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror/TASKS.md`. Focus on FEEDCONN-STELLA-08-001 (DONE 2025-10-20). Confirm prerequisites (internal: CONCELIER-EXPORT-08-201 (Wave 12)) before starting and report status in module TASKS.md. - -### Wave 16 -- Team BE-Conn-Stella: read EXECPLAN.md Wave 16 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror/TASKS.md`. FEEDCONN-STELLA-08-002 completed (2025-10-20) with canonical DTO mapper + provenance fixtures. - -### Wave 17 -- Team BE-Conn-Stella: read EXECPLAN.md Wave 17 and SPRINTS.md rows for `src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror/TASKS.md`. Focus on FEEDCONN-STELLA-08-003 (TODO). Confirm prerequisites (internal: FEEDCONN-STELLA-08-002 (Wave 16)) before starting and report status in module TASKS.md. - -## Wave 0 — 98 task(s) ready now -- **Sprint 1** · Backlog - - Team: UX Specialist, Angular Eng - - Path: `src/Web/StellaOps.Web/TASKS.md` - • Prereqs: WEB1.TRIVY-SETTINGS - • Current: DONE (2025-10-21) – ChromeHeadless launcher + README updates merged; dependency hardening completed via WEB1.DEPS-13-001. - • Prereqs: WEB1.TRIVY-SETTINGS-TESTS - • Current: DONE (2025-10-21) – Lockfile generated via `npm ci`, Chromium auto-detection/verification scripts added, and deterministic install guide published for offline runners. -- **Sprint 1** · Developer Tooling - - Team: DevEx/CLI - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] EXCITITOR-CLI-01-002 — EXCITITOR-CLI-01-002 – Export download & attestation UX - • Prereqs: EXCITITOR-CLI-01-001 (external/completed), EXCITITOR-EXPORT-01-001 (external/completed) - • Current: TODO – Display export metadata (sha256, size, Rekor link), support optional artifact download path, and handle cache hits gracefully. - - Team: Docs/CLI - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. 
[TODO] EXCITITOR-CLI-01-003 — EXCITITOR-CLI-01-003 – CLI docs & examples for Excititor - • Prereqs: EXCITITOR-CLI-01-001 (external/completed) - • Current: TODO – Update docs/09_API_CLI_REFERENCE.md and quickstart snippets to cover Excititor verbs, offline guidance, and attestation verification workflow. -- **Sprint 1** · Stabilize In-Progress Foundations - - Team: Team Connector Resumption – CERT/RedHat - - Path: `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Distro.RedHat/TASKS.md` - 1. [DOING] FEEDCONN-REDHAT-02-001 — Fixture validation sweep — Instructions to work: — Regenerating RHSA fixtures awaits remaining range provenance patches; review snapshot diffs and update docs once upstream helpers land. Conflict resolver deltas logged in src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Distro.RedHat/CONFLICT_RESOLVER_NOTES.md for Sprint 3 consumers. - • Prereqs: — - • Current: DOING (2025-10-10) - - Team: Team WebService & Authority - - Path: `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md` - 1. [DOING] SEC2.PLG — Emit audit events from password verification outcomes and persist via `IAuthorityLoginAttemptStore`; Serilog enrichment complete, storage durability tests in flight. - • Prereqs: — - • Current: DOING (2025-10-14) - 2. [DOING] SEC3.PLG — Ensure lockout responses carry rate-limit metadata through plugin logs/events; retry-after propagation and limiter tests underway. - • Prereqs: — - • Current: DOING (2025-10-14) - 3. [DOING] SEC5.PLG — Address plugin-specific mitigations in threat model backlog; mitigation items tracked, docs updates pending. - • Prereqs: — - • Current: DOING (2025-10-14) - 4. [BLOCKED] PLG4-6.CAPABILITIES — Finalise capability metadata exposure and docs once Authority rate-limiter stream (CORE8/SEC3) is stable; awaiting dependency unblock. - • Prereqs: — - • Current: BLOCKED (2025-10-12) - 5. 
[TODO] PLG6.DIAGRAM — Export final sequence/component diagrams for the developer guide and add offline-friendly assets under `docs/assets/authority`. - • Prereqs: — - • Current: TODO - 6. [REVIEW] PLG7.RFC — Socialize LDAP plugin RFC and capture guild feedback; awaiting final review sign-off and follow-up issue tracking. - • Prereqs: — - • Current: REVIEW (2025-10-13) - - Path: `src/Concelier/StellaOps.Concelier.WebService/TASKS.md` - 1. [DOING] FEEDWEB-DOCS-01-001 — Document authority toggle & scope requirements — Quickstart updates are staged; awaiting Docs guild review before publishing operator guide refresh. - • Prereqs: — - • Current: DOING (2025-10-10) - 3. [BLOCKED] FEEDWEB-OPS-01-007 — Authority resilience adoption — Roll out retry/offline knobs to deployment docs and align CLI parity once LIB5 resilience options land; unblock when library release is available and docs review completes. - • Prereqs: — - • Current: BLOCKED (2025-10-10) -- **Sprint 2** · Connector & Data Implementation Wave - - Team: Docs Guild, Plugin Team - - Path: `docs/TASKS.md` - 1. [REVIEW] DOC4.AUTH-PDG — Copy-edit `docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md`, export lifecycle diagram, add LDAP RFC cross-link. - • Prereqs: — - • Current: REVIEW - - Team: Team Merge & QA Enforcement - - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md` - 1. [DOING] FEEDMERGE-COORD-02-900 — Range primitives rollout coordination — Coordinate remaining connectors (`Acsc`, `Cccs`, `CertBund`, `CertCc`, `Cve`, `Ghsa`, `Ics.Cisa`, `Kisa`, `Ru.Bdu`, `Ru.Nkcki`, `Vndr.Apple`, `Vndr.Cisco`, `Vndr.Msrc`) to emit canonical range primitives with provenance tags; fixtures tracked in `RANGE_PRIMITIVES_COORDINATION.md`. - • Prereqs: — - • Current: DOING (2025-10-20) – Coordination docs refreshed with connector due dates (Cccs/Cisco 2025-10-21, CertBund 2025-10-22, ICS-CISA 2025-10-23, KISA 2025-10-24); escalation plan defined if deadlines slip. 
-- **Sprint 3** · Backlog - - Team: Tools Guild, BE-Conn-MSRC - - Path: `src/Concelier/StellaOps.Concelier.PluginBinaries/StellaOps.Concelier.Connector.Common/TASKS.md` - 1. [**TODO] FEEDCONN-SHARED-STATE-003 — FEEDCONN-SHARED-STATE-003 Source state seeding helper - • Prereqs: — - • Current: **TODO (2025-10-15)** – Provide a reusable CLI/utility to seed `pendingDocuments`/`pendingMappings` for connectors (MSRC backfills require scripted CVRF + detail injection). Coordinate with MSRC team for expected JSON schema and handoff once prototype lands. -- **Sprint 5** · Excititor Core Foundations - - Team: Team Excititor Attestation - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Attestation/TASKS.md` - 1. [TODO] EXCITITOR-ATTEST-01-003 — EXCITITOR-ATTEST-01-003 – Verification suite & observability - • Prereqs: EXCITITOR-ATTEST-01-002 (external/completed) - • Current: TODO – Add verification helpers for Worker/WebService, metrics/logging hooks, and negative-path regression tests. - - Team: Team Excititor WebService - - Path: `src/Excititor/StellaOps.Excititor.WebService/TASKS.md` - 2. [TODO] EXCITITOR-WEB-01-003 — EXCITITOR-WEB-01-003 – Export & verify endpoints - • Prereqs: EXCITITOR-WEB-01-001 (external/completed), EXCITITOR-EXPORT-01-001 (external/completed), EXCITITOR-ATTEST-01-001 (external/completed) - • Current: TODO – Add `/excititor/export`, `/excititor/export/{id}`, `/excititor/export/{id}/download`, `/excititor/verify`, returning artifact + attestation metadata with cache awareness. -- **Sprint 6** · Excititor Ingest & Formats - - Team: Team Excititor Connectors – Cisco - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/TASKS.md` - 1. 
[TODO] EXCITITOR-CONN-CISCO-01-003 — EXCITITOR-CONN-CISCO-01-003 – Provider trust metadata - • Prereqs: EXCITITOR-CONN-CISCO-01-002 (external/completed), EXCITITOR-POLICY-01-001 (external/completed) - • Current: TODO – Emit cosign/PGP trust metadata and advisory provenance hints for policy weighting. - - Team: Team Excititor Connectors – MSRC - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/TASKS.md` - 1. [TODO] EXCITITOR-CONN-MS-01-002 — EXCITITOR-CONN-MS-01-002 – CSAF download pipeline - • Prereqs: EXCITITOR-CONN-MS-01-001 (external/completed), EXCITITOR-STORAGE-01-003 (external/completed) - • Current: TODO – Fetch CSAF packages with retry/backoff, checksum verification, and raw document persistence plus quarantine for schema failures. - - Team: Team Excititor Connectors – Oracle - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md` - 1. [DOING] EXCITITOR-CONN-ORACLE-01-001 — EXCITITOR-CONN-ORACLE-01-001 – Oracle CSAF catalogue discovery - • Prereqs: EXCITITOR-CONN-ABS-01-001 (external/completed) - • Current: DOING (2025-10-17) – Implement catalogue discovery, CPU calendar awareness, and offline snapshot import for Oracle CSAF feeds. - - Team: Team Excititor Connectors – SUSE - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md` - 1. [TODO] EXCITITOR-CONN-SUSE-01-002 — EXCITITOR-CONN-SUSE-01-002 – Checkpointed event ingestion - • Prereqs: EXCITITOR-CONN-SUSE-01-001 (external/completed), EXCITITOR-STORAGE-01-003 (external/completed) - • Current: TODO – Process hub events with resume checkpoints, deduplication, and quarantine path for malformed payloads. - - Team: Team Excititor Connectors – Ubuntu - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md` - 1. 
[TODO] EXCITITOR-CONN-UBUNTU-01-002 — EXCITITOR-CONN-UBUNTU-01-002 – Incremental fetch & deduplication - • Prereqs: EXCITITOR-CONN-UBUNTU-01-001 (external/completed), EXCITITOR-STORAGE-01-003 (external/completed) - • Current: TODO – Fetch CSAF bundles with ETag handling, checksum validation, deduplication, and raw persistence. - - Team: Team Excititor Formats - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Formats.CSAF/TASKS.md` - 1. [DONE 2025-10-29] EXCITITOR-FMT-CSAF-01-002 — EXCITITOR-FMT-CSAF-01-002 – Status/justification mapping - • Prereqs: EXCITITOR-FMT-CSAF-01-001 (external/completed), EXCITITOR-POLICY-01-001 (external/completed) - • Current: DONE – Normalizer now emits policy-safe status/justification mappings and flags unsupported or missing evidence for audit diagnostics. - 2. [DONE 2025-10-29] EXCITITOR-FMT-CSAF-01-003 — EXCITITOR-FMT-CSAF-01-003 – CSAF export adapter - • Prereqs: EXCITITOR-EXPORT-01-001 (external/completed), EXCITITOR-FMT-CSAF-01-001 (external/completed) - • Current: DONE – CSAF exporter produces deterministic documents with reconciled product tree, vulnerability statuses, and export metadata. - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Formats.CycloneDX/TASKS.md` - 1. [DONE 2025-10-29] EXCITITOR-FMT-CYCLONE-01-002 — EXCITITOR-FMT-CYCLONE-01-002 – Component reference reconciliation - • Prereqs: EXCITITOR-FMT-CYCLONE-01-001 (external/completed) - • Current: DONE – Component reconciler issues stable bom-refs, aggregates identifiers, and records diagnostics for missing SBOM linkage. - 2. [DONE 2025-10-29] EXCITITOR-FMT-CYCLONE-01-003 — EXCITITOR-FMT-CYCLONE-01-003 – CycloneDX export serializer - • Prereqs: EXCITITOR-EXPORT-01-001 (external/completed), EXCITITOR-FMT-CYCLONE-01-001 (external/completed) - • Current: DONE – CycloneDX exporter delivers canonical VEX payloads with reconciled components, per-claim analyses, and metadata for caching. 
- - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Formats.OpenVEX/TASKS.md` - 1. [DONE 2025-10-29] EXCITITOR-FMT-OPENVEX-01-002 — EXCITITOR-FMT-OPENVEX-01-002 – Statement merge utilities - • Prereqs: EXCITITOR-FMT-OPENVEX-01-001 (external/completed) - • Current: DONE – Merge utilities combine statements deterministically, highlight conflicts, and preserve source diagnostics for policy checks. - 2. [DONE 2025-10-29] EXCITITOR-FMT-OPENVEX-01-003 — EXCITITOR-FMT-OPENVEX-01-003 – OpenVEX export writer - • Prereqs: EXCITITOR-EXPORT-01-001 (external/completed), EXCITITOR-FMT-OPENVEX-01-001 (external/completed) - • Current: DONE – OpenVEX exporter serializes merged statements with canonical ordering, provenance metadata, and deterministic digests. - -- **Sprint 7** · Contextual Truth Foundations - - Team: Team Excititor Export - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Export/TASKS.md` - • Prereqs: EXCITITOR-EXPORT-01-004 (external/completed), EXCITITOR-CORE-02-001 (external/completed) - • Current: TODO – Emit consensus+score envelopes in export manifests, include policy/scoring digests, and update offline bundle/ORAS layouts to carry signed VEX responses. - -- **Sprint 9** · Docs & Governance - - - Team: Runtime Guild - - Path: `docs/TASKS.md` - 1. [TODO] RUNTIME-GUILD-09-402 — Confirm Scanner WebService surfaces `quietedFindingCount` and progress hints to runtime consumers; document readiness checklist. - • Prereqs: SCANNER-POLICY-09-107 (external/completed) - • Current: TODO -- **Sprint 10** · Backlog - - Team: TBD - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-302B (external/completed) - • Current: DONE — Telemetry counter wired, lifecycle script evidence emitted; see Node analyzer fixtures. 
-- **Sprint 10** · Scanner Analyzers & SBOM - - Team: Diff Guild - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Diff/TASKS.md` - • Prereqs: — - • Current: DONE — Diff engine produces deterministic add/remove/version deltas; regression suite covers warm/cold path parity. - • Prereqs: — - • Current: DONE — Layer attribution recorded on every change; fixtures assert provenance integrity. - • Prereqs: — - • Current: DONE — JSON serializer emits stable ordering; golden outputs locked in tests. - - Team: Emit Guild - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Emit/TASKS.md` - • Prereqs: — - • Current: DONE — Inventory builder validated against CycloneDX schema; deterministic fixtures added. - • Prereqs: — - • Current: DONE — Usage view toggles wired; tests confirm subset alignment with EntryTrace signals. - • Prereqs: — - • Current: DONE — BOM Index format published with roaring bitmap helpers; golden fixtures locked. - • Prereqs: — - • Current: DONE — Export packaging deterministic; integration test with storage succeeds. - • Prereqs: — - • Current: DONE — `bom-index@1` schema + fixtures published; Scheduler notes updated. - • Prereqs: — - • Current: DONE — EntryTrace usage bits round-trip in BOM Index; regression harness verified. - - Team: EntryTrace Guild - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md` - • Prereqs: — - • Current: DONE — Parser emits stable AST; determinism tests captured. - • Prereqs: — - • Current: DONE — Resolver walks layered PATH with provenance evidence; fixtures validate. - • Prereqs: — - • Current: DONE — Interpreter tracer resolves Python/Node/Java hand-offs; golden graphs updated. - • Prereqs: — - • Current: DONE — Python analyzer surfaces venv/module details; usage flag propagated. - • Prereqs: — - • Current: DONE — Node/Java launchers traced end-to-end; evidence attached for each hop. - • Prereqs: — - • Current: DONE — Diagnostics enumerated, metrics emitted via `EntryTraceMetrics`. 
- • Prereqs: — - • Current: DONE — Plug-in manifests under `plugins/scanner/entrytrace`; restart-only guard documented. - - Team: Language Analyzer Guild - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/SPRINTS_LANG_IMPLEMENTATION_PLAN.md` - • Prereqs: — - • Current: DONE — Implementation plan captured per language with progress notes through 2025-10-22. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md` - • Prereqs: — - • Current: DONE — Java analyzer shipped with deterministic fixtures. - • Prereqs: — - • Current: DONE — Shared helpers live under Lang.Core and are consumed by Java/Node analyzers. - • Prereqs: — - • Current: DONE — Determinism harness + fixtures checked in; CI guard active. -- **Sprint 13** · UX & CLI Experience - - Team: DevEx/CLI - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-RUNTIME-13-005 — Add runtime policy test verbs that consume `/policy/runtime` and display verdicts. - • Prereqs: — - • Current: TODO -- **Sprint 15** · Notify Foundations - - Team: Notify Models Guild - - Path: `src/Notify/__Libraries/StellaOps.Notify.Models/TASKS.md` - 1. [TODO] NOTIFY-MODELS-15-101 — Define core Notify DTOs, validation helpers, canonical serialization. - • Prereqs: — - • Current: TODO - 2. [TODO] NOTIFY-MODELS-15-102 — Publish schema docs and sample payloads for Notify. - • Prereqs: — - • Current: TODO - 3. [TODO] NOTIFY-MODELS-15-103 — Versioning/migration helpers for rules/templates/deliveries. - • Prereqs: — - • Current: TODO - - Team: Notify Storage Guild - - Path: `src/Notify/__Libraries/StellaOps.Notify.Storage.Mongo/TASKS.md` - 1. [TODO] NOTIFY-STORAGE-15-201 — Mongo schemas/indexes for rules, channels, deliveries, digests, locks, audit. - • Prereqs: — - • Current: TODO - 2. [TODO] NOTIFY-STORAGE-15-202 — Repositories with tenant scoping, soft delete, TTL, causal consistency options. - • Prereqs: — - • Current: TODO - 3. 
[TODO] NOTIFY-STORAGE-15-203 — Delivery history retention and query APIs. - • Prereqs: — - • Current: TODO - - Team: Notify WebService Guild - - Path: `src/Notify/StellaOps.Notify.WebService/TASKS.md` - 1. [TODO] NOTIFY-WEB-15-101 — Minimal API host with Authority enforcement and plug-in loading. - • Prereqs: — - • Current: TODO - 2. [TODO] NOTIFY-WEB-15-102 — Rules/channel/template CRUD with audit logging. - • Prereqs: — - • Current: TODO - - Team: Scanner WebService Guild - - Path: `src/Scanner/StellaOps.Scanner.WebService/TASKS.md` - 2. [BLOCKED] SCANNER-EVENTS-16-301 — Redis publisher integration tests once Notify queue adapter ships. - • Current: BLOCKED – waiting on Notify queue abstraction and Redis adapter deliverables for end-to-end validation. -- **Sprint 16** · Scheduler Intelligence - - - Team: Scheduler Storage Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/TASKS.md` - 1. [TODO] SCHED-STORAGE-16-201 — Create Mongo collections (schedules, runs, impact_cursors, locks, audit) with indexes/migrations per architecture. - • Prereqs: SCHED-MODELS-16-101 (external/completed) - • Current: TODO - - Team: Scheduler WebService Guild - - Path: `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md` - 1. [TODO] SCHED-WEB-16-101 — Bootstrap Minimal API host with Authority OpTok + DPoP, health endpoints, plug-in discovery per architecture §§1–2. - • Prereqs: SCHED-MODELS-16-101 (external/completed) - • Current: TODO -- **Sprint 18** · Launch Readiness - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-LAUNCH-18-100 - Finalise production environment footprint (clusters, secrets, network overlays) for full-platform go-live. - • Prereqs: — - • Current: TODO - 2. [TODO] DEVOPS-LAUNCH-18-900 - Collect "full implementation" sign-off from module owners and consolidate the launch readiness checklist. - • Prereqs: Wave 0 completion - • Current: TODO - 3. 
[TODO] DEVOPS-LAUNCH-18-001 - Production launch cutover rehearsal and runbook publication. - • Prereqs: DEVOPS-LAUNCH-18-100, DEVOPS-LAUNCH-18-900 - • Current: TODO - - Team: Offline Kit Guild, UX Specialist - - Path: `ops/offline-kit/TASKS.md` - 1. [TODO] DEVOPS-OFFLINE-18-003 — Capture Angular workspace npm cache + Chromium bundle for Offline Kit distribution and document refresh cadence. - • Prereqs: DEVOPS-OFFLINE-14-002 (Wave 2) - • Current: TODO - -## Wave 1 — 45 task(s) ready after Wave 0 -- **Sprint 6** · Excititor Ingest & Formats - - Team: Team Excititor Connectors – MSRC - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/TASKS.md` - 1. [TODO] EXCITITOR-CONN-MS-01-003 — EXCITITOR-CONN-MS-01-003 – Trust metadata & provenance hints - • Prereqs: EXCITITOR-CONN-MS-01-002 (Wave 0), EXCITITOR-POLICY-01-001 (external/completed) - • Current: TODO – Emit cosign/AAD issuer metadata, attach provenance details, and document policy integration. - - Team: Team Excititor Connectors – Oracle - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md` - 1. [TODO] EXCITITOR-CONN-ORACLE-01-002 — EXCITITOR-CONN-ORACLE-01-002 – CSAF download & dedupe pipeline - • Prereqs: EXCITITOR-CONN-ORACLE-01-001 (Wave 0), EXCITITOR-STORAGE-01-003 (external/completed) - • Current: TODO – Fetch CSAF documents with retry/backoff, checksum validation, revision deduplication, and raw persistence. - - Team: Team Excititor Connectors – SUSE - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md` - 1. [TODO] EXCITITOR-CONN-SUSE-01-003 — EXCITITOR-CONN-SUSE-01-003 – Trust metadata & policy hints - • Prereqs: EXCITITOR-CONN-SUSE-01-002 (Wave 0), EXCITITOR-POLICY-01-001 (external/completed) - • Current: TODO – Emit provider trust configuration (signers, weight overrides) and attach provenance hints for consensus engine. 
- - Team: Team Excititor Connectors – Ubuntu - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md` - 1. [TODO] EXCITITOR-CONN-UBUNTU-01-003 — EXCITITOR-CONN-UBUNTU-01-003 – Trust metadata & provenance - • Prereqs: EXCITITOR-CONN-UBUNTU-01-002 (Wave 0), EXCITITOR-POLICY-01-001 (external/completed) - • Current: TODO – Emit Ubuntu signing metadata (GPG fingerprints) plus provenance hints for policy weighting and diagnostics. - - Team: Team Excititor Worker - - Path: `src/Excititor/StellaOps.Excititor.Worker/TASKS.md` - 1. [TODO] EXCITITOR-WORKER-01-003 — EXCITITOR-WORKER-01-003 – Verification & cache GC loops - • Prereqs: EXCITITOR-WORKER-01-001 (external/completed), EXCITITOR-ATTEST-01-003 (Wave 0), EXCITITOR-EXPORT-01-002 (external/completed) - • Current: TODO – Add scheduled attestation re-verification and cache pruning routines, surfacing metrics for export reuse ratios. -- **Sprint 7** · Contextual Truth Foundations - - Team: Team Excititor Export - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Export/TASKS.md` - • Prereqs: EXCITITOR-EXPORT-01-005 (Wave 0), POLICY-CORE-09-005 (Wave 0) - • Current: TODO – Attach `quietedBy` statement IDs, signers, and justification codes to exports/offline bundles, mirror metadata into attested manifest, and add regression fixtures. -- **Sprint 10** · Backlog - - Team: TBD - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) - • Current: DONE — RID-aware deps/runtimeconfig parser emitting deterministic NuGet components with tests landed. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) - • Current: DONE – Varint build-info decoder implemented with fixtures and determinism harness coverage. 
- - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-302C (Wave 0) - • Current: DONE — Node analyzer now reuses shared metadata/evidence helpers. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) - • Current: DONE — Python analyzer ingests METADATA/WHEEL/entry_points with deterministic ordering and UTF-8 normalization. Fixtures updated (`simple-venv`). - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) - • Current: DONE — Cargo metadata walker emits `pkg:cargo` components with provenance and deterministic fixtures. -- **Sprint 10** · Scanner Analyzers & SBOM - - Team: Emit Guild - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Emit/TASKS.md` - • Prereqs: SCANNER-EMIT-10-604 (Wave 0), POLICY-CORE-09-005 (Wave 0) - • Current: DONE — SBOM/attestation fixtures include scoring metadata and serialize deterministically. - - Team: Language Analyzer Guild - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-301 (Wave 0) - • Current: DONE — Manifest published under `plugins/scanner/analyzers/lang/`, Worker loader wired, integration tests updated. - • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) - • Current: DONE — Rust analyzer emits cargo components with provenance and deterministic fallbacks. - • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) - • Current: DONE — Workspace/symlink coverage validated via determinism fixtures; metrics + lifecycle script evidence landed. - • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) - • Current: DONE — Buildinfo decoder + DWARF fallbacks captured; fixtures and benchmarks green. 
- • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) - • Current: DONE — RID-aware deps/runtimeconfig parser emits deterministic NuGet components; tests landed. - • Prereqs: SCANNER-ANALYZERS-LANG-10-307 (Wave 0) - • Current: DONE — Dist-info parser, RECORD verifier, editable install metadata, and entrypoint usage hints shipped with deterministic fixture/tests. -- **Sprint 13** · UX & CLI Experience - - Team: DevEx/CLI, QA Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-RUNTIME-13-009 — CLI-RUNTIME-13-009 – Runtime policy smoke fixture - • Prereqs: CLI-RUNTIME-13-005 (Wave 0) - • Current: TODO – Build Spectre test harness exercising `runtime policy test` against a stubbed backend to lock output shape (table + `--json`) and guard regressions. Integrate into `dotnet test` suite. - - Team: UX Specialist, Angular Eng, DevEx - - Path: `src/Web/StellaOps.Web/TASKS.md` - • Prereqs: WEB1.TRIVY-SETTINGS-TESTS (Wave 0) - • Current: TODO – Capture deterministic lockfile flow, cache Puppeteer downloads, validate `npm test` from clean checkout offline, and update README. - - Team: UI Guild - - Path: `src/UI/StellaOps.UI/TASKS.md` - 1. [TODO] UI-VEX-13-003 — Implement VEX explorer + policy editor with preview integration. - • Prereqs: EXCITITOR-CORE-02-001 (external/completed), EXCITITOR-EXPORT-01-005 (Wave 0) - • Current: TODO - 2. [TODO] UI-POLICY-13-007 — Surface policy confidence metadata (band, age, quiet provenance) on preview and report views. - • Prereqs: POLICY-CORE-09-006 (Wave 0), SCANNER-WEB-09-103 (external/completed) - • Current: TODO - 3. [TODO] UI-ADMIN-13-004 — Deliver admin area (tenants/clients/quotas/licensing) with RBAC + audit hooks. - • Prereqs: AUTH-MTLS-11-002 (Wave 0) - • Current: TODO - • Prereqs: AUTH-DPOP-11-001 (Wave 0), AUTH-MTLS-11-002 (Wave 0) - • Current: TODO - 5. [TODO] UI-SCANS-13-002 — Build scans module (list/detail/SBOM/diff/attestation) with performance + accessibility targets. 
- • Prereqs: SCANNER-WEB-09-102 (external/completed), SIGNER-API-11-101 (Wave 0) - • Current: TODO - • Prereqs: NOTIFY-WEB-15-101 (Wave 0) - • Current: TODO - 7. [TODO] UI-SCHED-13-005 — Scheduler panel: schedules CRUD, run history, dry-run preview using API/mocks. - • Prereqs: SCHED-WEB-16-101 (Wave 0) - • Current: TODO -- **Sprint 13** · Platform Reliability - - Team: DevOps Guild, Platform Leads - - Path: `ops/devops/TASKS.md` - • Prereqs: DEVOPS-REL-14-001 (Wave 1) - • Current: DOING – Mirror preview packages into Offline Kit/allowlisted feeds, update NuGet.config mapping, and refresh restore documentation. - 2. [TODO] DEVOPS-UI-13-006 — Add Playwright-based UI auth smoke job to CI/offline pipelines, wiring sample `/config.json` provisioning and reporting. - • Current: TODO – Extend release/offline pipelines to run `npm run test:e2e`, publish traces on failure, and ensure stub config assets ship alongside the UI bundle. -- **Sprint 14** · Release & Offline Ops - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [DOING 2025-10-23] DEVOPS-REL-14-001 — Deterministic build/release pipeline with SBOM/provenance, signing, manifest generation. - • Current: TODO - - Team: Licensing Guild - - Path: `ops/licensing/TASKS.md` - 1. [TODO] DEVOPS-LIC-14-004 — Implement registry token service tied to Authority (DPoP/mTLS), plan gating, revocation handling, and monitoring per architecture. - • Prereqs: AUTH-MTLS-11-002 (Wave 0) - • Current: TODO -- **Sprint 15** · Notify Foundations - - Team: Notify Engine Guild - - Path: `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md` - 1. [DOING (2025-10-24)] NOTIFY-ENGINE-15-301 — Rules evaluation core: tenant/kind filters, severity/delta gates, VEX gating, throttling, idempotency key generation. 
- • Prereqs: NOTIFY-MODELS-15-101 (Wave 0) - • Current: DOING (2025-10-24) - - Team: Notify Queue Guild - - Path: `src/Notify/__Libraries/StellaOps.Notify.Queue/TASKS.md` - • Prereqs: NOTIFY-MODELS-15-101 (Wave 0) - • Current: DONE — Redis transport, queue contracts, and integration tests delivered (2025-10-23). - -- **Sprint 16** · Scheduler Intelligence - - Team: Scheduler ImpactIndex Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/TASKS.md` - 1. [TODO] SCHED-IMPACT-16-301 — Implement ingestion of per-image BOM-Index sidecars into roaring bitmap store (contains/usedBy). - • Prereqs: SCANNER-EMIT-10-605 (Wave 0) - • Current: TODO - - - Team: Scheduler Storage Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/TASKS.md` - 1. [TODO] SCHED-STORAGE-16-203 — Audit/logging pipeline + run stats materialized views for UI. - • Prereqs: SCHED-STORAGE-16-201 (Wave 0) - • Current: TODO - 2. [TODO] SCHED-STORAGE-16-202 — Implement repositories/services with tenant scoping, soft delete, TTL for completed runs, and causal consistency options. - • Prereqs: SCHED-STORAGE-16-201 (Wave 0) - • Current: TODO - - Team: Scheduler WebService Guild - - Path: `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md` - 1. [TODO] SCHED-WEB-16-104 — Webhook endpoints for Feedser/Vexer exports with mTLS/HMAC validation and rate limiting. - • Prereqs: SCHED-QUEUE-16-401 (Wave 0), SCHED-STORAGE-16-201 (Wave 0) - • Current: TODO - 2. [TODO] SCHED-WEB-16-102 — Implement schedules CRUD (tenant-scoped) with cron validation, pause/resume, audit logging. - • Prereqs: SCHED-WEB-16-101 (Wave 0) - • Current: TODO - - Team: Scheduler Worker Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` - 1. [TODO] SCHED-WORKER-16-201 — Planner loop (cron + event triggers) with lease management, fairness, and rate limiting (§6). 
- • Prereqs: SCHED-QUEUE-16-401 (Wave 0) - • Current: TODO -- **Sprint 17** · Symbol Intelligence & Forensics - - Team: Emit Guild - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Emit/TASKS.md` - 1. [TODO] SCANNER-EMIT-17-701 — Record GNU build-id for ELF components and surface it in inventory/usage SBOM plus diff payloads with deterministic ordering. - • Prereqs: SCANNER-EMIT-10-602 (Wave 0) - • Current: TODO - -## Wave 2 — 29 task(s) ready after Wave 1 -- **Sprint 6** · Excititor Ingest & Formats - - Team: Team Excititor Connectors – Oracle - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md` - 1. [TODO] EXCITITOR-CONN-ORACLE-01-003 — EXCITITOR-CONN-ORACLE-01-003 – Trust metadata + provenance - • Prereqs: EXCITITOR-CONN-ORACLE-01-002 (Wave 1), EXCITITOR-POLICY-01-001 (external/completed) - • Current: TODO – Emit Oracle signing metadata (PGP/cosign) and provenance hints for consensus weighting. -- **Sprint 7** · Contextual Truth Foundations - - Team: Team Excititor Export - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Export/TASKS.md` - • Prereqs: EXCITITOR-EXPORT-01-006 (Wave 1) - • Current: TODO – Create per-domain mirror bundles with consensus/score artifacts, publish signed index for downstream Excititor sync, and ensure deterministic digests + fixtures. -- **Sprint 9** · DevOps Foundations - - Team: DevOps Guild, Notify Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-SCANNER-09-205 — Add Notify smoke stage that tails the Redis stream and asserts `scanner.report.ready`/`scanner.scan.completed` reach Notify WebService in staging. 
- • Prereqs: DEVOPS-SCANNER-09-204 (Wave 1) - • Current: TODO -- **Sprint 10** · Backlog - - Team: TBD - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-305A (Wave 1) - • Current: DONE — Assembly metadata now emits strong-name, file/product info, and optional Authenticode signals with deterministic fixtures/tests. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-304A (Wave 1) - • Current: DONE — DWARF fallback parses vcs.* markers, cache reuses metadata keyed by file identity. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-307N (Wave 1) - • Current: DONE — Harness + fixtures merged; benchmark CSV recorded under `src/Bench/StellaOps.Bench/Scanner.Analyzers`. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-303A (Wave 1) - • Current: DONE — Streaming SHA-256 verification with deterministic mismatch evidence; unsupported algorithms tracked; fixtures validated. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-306A (Wave 1) - • Current: DONE — Heuristic classifier flags stripped binaries, regression tests guard false positives. -- **Sprint 10** · DevOps Perf - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - • Prereqs: BENCH-SCANNER-10-002 (Wave 1) - • Current: DONE (2025-10-23) -- **Sprint 10** · Samples - - Team: Samples Guild, Policy Guild - - Path: `samples/TASKS.md` - • Prereqs: POLICY-CORE-09-006 (Wave 0), UI-POLICY-13-007 (Wave 1) - • Current: DONE (2025-10-23) - - Team: UI Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - • Prereqs: SAMPLES-13-004 (Wave 0) - • Current: DONE (2025-10-23) -- **Sprint 14** · Release & Offline Ops - - Team: Deployment Guild - - Path: `ops/deployment/TASKS.md` - 1. 
[TODO] DEVOPS-OPS-14-003 — Document and script upgrade/rollback flows, channel management, and compatibility matrices per architecture. - • Prereqs: DEVOPS-REL-14-001 (Wave 1) - • Current: TODO - - Team: Offline Kit Guild - - Path: `ops/offline-kit/TASKS.md` - 1. [TODO] DEVOPS-OFFLINE-14-002 — Build offline kit packaging workflow (artifact bundling, manifest generation, signature verification). - • Prereqs: DEVOPS-REL-14-001 (Wave 1) - • Current: TODO -- **Sprint 15** · Benchmarks - - Team: Bench Guild, Notify Team - - Path: `src/Bench/StellaOps.Bench/TASKS.md` - 1. [TODO] BENCH-NOTIFY-15-001 — Notify dispatch throughput bench (vary rule density) with results CSV. - • Prereqs: NOTIFY-ENGINE-15-301 (Wave 1) - • Current: TODO -- **Sprint 15** · Notify Foundations - - Team: Notify Engine Guild - - Path: `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md` - 1. [TODO] NOTIFY-ENGINE-15-302 — Action planner + digest coalescer with window management and dedupe per architecture §4. - • Prereqs: NOTIFY-ENGINE-15-301 (Wave 1) - • Current: TODO - - Team: Notify Queue Guild - - Path: `src/Notify/__Libraries/StellaOps.Notify.Queue/TASKS.md` - • Current: DONE — delivery queue + retry/dead-letter pipeline shipped with integration tests and metrics (2025-10-23). - • Current: DONE — JetStream transport, DI binding, health check, and integration tests delivered (2025-10-23). - - Team: Notify WebService Guild - - Path: `src/Notify/StellaOps.Notify.WebService/TASKS.md` - 1. [TODO] NOTIFY-WEB-15-104 — Configuration binding for Mongo/queue/secrets; startup diagnostics. - • Current: TODO - - Team: Notify Worker Guild - - Path: `src/Notify/StellaOps.Notify.Worker/TASKS.md` - • Current: DONE — worker leasing loop wired to queue adapters with retry/backoff telemetry (2025-10-23). - 2. [TODO] NOTIFY-WORKER-15-202 — Wire rules evaluation pipeline (tenant scoping, filters, throttles, digests, idempotency) with deterministic decisions. 
- • Prereqs: NOTIFY-ENGINE-15-301 (Wave 1) - • Current: TODO -- **Sprint 16** · Benchmarks - - Team: Bench Guild, Scheduler Team - - Path: `src/Bench/StellaOps.Bench/TASKS.md` - 1. [TODO] BENCH-IMPACT-16-001 — ImpactIndex throughput bench (resolve 10k productKeys) + RAM profile. - • Prereqs: SCHED-IMPACT-16-301 (Wave 1) - • Current: TODO -- **Sprint 16** · Scheduler Intelligence - - Team: Scheduler ImpactIndex Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/TASKS.md` - 1. [TODO] SCHED-IMPACT-16-303 — Snapshot/compaction + invalidation for removed images; persistence to RocksDB/Redis per architecture. - • Prereqs: SCHED-IMPACT-16-301 (Wave 1) - • Current: TODO - 2. [TODO] SCHED-IMPACT-16-302 — Provide query APIs (ResolveByPurls, ResolveByVulns, ResolveAll, selectors) with tenant/namespace filters. - • Prereqs: SCHED-IMPACT-16-301 (Wave 1) - • Current: TODO - - Team: Scheduler WebService Guild - - Path: `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md` - 1. [TODO] SCHED-WEB-16-103 — Runs API (list/detail/cancel), ad-hoc run POST, and impact preview endpoints. - • Prereqs: SCHED-WEB-16-102 (Wave 1) - • Current: TODO - - Team: Scheduler Worker Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` - 1. [TODO] SCHED-WORKER-16-202 — Wire ImpactIndex targeting (ResolveByPurls/vulns), dedupe, shard planning. - • Prereqs: SCHED-IMPACT-16-301 (Wave 1) - • Current: TODO - 2. [TODO] SCHED-WORKER-16-205 — Metrics/telemetry: run stats, queue depth, planner latency, delta counts. - • Prereqs: SCHED-WORKER-16-201 (Wave 1) - • Current: TODO -- **Sprint 17** · Symbol Intelligence & Forensics - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-REL-17-002 — Persist stripped-debug artifacts organised by GNU build-id and bundle them into release/offline kits with checksum manifests. 
- • Prereqs: DEVOPS-REL-14-001 (Wave 1), SCANNER-EMIT-17-701 (Wave 1) - • Current: TODO - -## Wave 3 — 14 task(s) ready after Wave 2 -- **Sprint 7** · Contextual Truth Foundations - - Team: Excititor Connectors – Stella - - Path: `src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md` - • Prereqs: EXCITITOR-EXPORT-01-007 (Wave 2) - • Current: TODO -- **Sprint 10** · Backlog - - Team: TBD - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-305A (Wave 1) - • Current: DONE — Self-contained fixtures emit components with RID flags; EntryTrace usage hints preserved. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-304B (Wave 2) - • Current: DONE — `bin:{sha256}` fallback + quiet provenance docs shipped with determinism fixtures. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-308N (Wave 2) - • Current: DONE — Manifest shipped, Worker catalog integration complete, Offline Kit docs updated. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-303B (Wave 2) - • Current: DONE — `direct_url.json` editable insights surfaced; EntryTrace usage hints mark console scripts; deterministic fixture covers editable vs wheel installs. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-306B (Wave 2) - • Current: DONE — Hash fallback wired through shared helpers; fixtures ensure deterministic output. -- **Sprint 13** · UX & CLI Experience - - - Team: DevEx/CLI, Scanner WebService Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. 
[TODO] CLI-RUNTIME-13-008 — CLI-RUNTIME-13-008 – Runtime policy contract sync - • Current: TODO – Once `/api/v1/scanner/policy/runtime` exits TODO, verify CLI output against final schema (field names, metadata) and update formatter/tests if the contract moves. Capture joint review notes in docs/09 and link Scanner task sign-off. -- **Sprint 15** · Notify Foundations - - Team: Notify Engine Guild - - Path: `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md` - 1. [TODO] NOTIFY-ENGINE-15-303 — Template rendering engine (Slack, Teams, Email, Webhook) with helpers and i18n support. - • Prereqs: NOTIFY-ENGINE-15-302 (Wave 2) - • Current: TODO - - Team: Notify Worker Guild - - Path: `src/Notify/StellaOps.Notify.Worker/TASKS.md` - 1. [TODO] NOTIFY-WORKER-15-203 — Channel dispatch orchestration: invoke connectors, manage retries/jitter, record delivery outcomes. - • Prereqs: NOTIFY-ENGINE-15-302 (Wave 2) - • Current: TODO -- **Sprint 16** · Scheduler Intelligence - - Team: Scheduler Worker Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` - 1. [TODO] SCHED-WORKER-16-203 — Runner execution: call Scanner `/reports` (analysis-only) or `/scans` when configured; collect deltas; handle retries. - • Prereqs: SCHED-WORKER-16-202 (Wave 2) - • Current: TODO -- **Sprint 17** · Symbol Intelligence & Forensics - - Team: Zastava Observer Guild - - Path: `src/Zastava/StellaOps.Zastava.Observer/TASKS.md` - • Current: DONE — Build-id capture wired through RuntimeProcessCollector + RuntimeEventFactory; docs/runbook updated with debug-store workflow. - -## Wave 4 — 15 task(s) ready after Wave 3 -- **Sprint 7** · Contextual Truth Foundations - - Team: Excititor Connectors – Stella - - Path: `src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md` - 1. [TODO] EXCITITOR-CONN-STELLA-07-002 — Normalize mirror bundles into VexClaim sets referencing original provider metadata and mirror provenance. 
- • Prereqs: EXCITITOR-CONN-STELLA-07-001 (Wave 3) - • Current: TODO -- **Sprint 9** · Policy Foundations - - Team: Policy Guild, Scanner WebService Guild - - Path: `src/Policy/__Libraries/StellaOps.Policy/TASKS.md` - • Current: TODO -- **Sprint 10** · Backlog - - Team: TBD - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-305C (Wave 3) - • Current: DONE 2025-10-22 - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-304C (Wave 3) - • Current: DONE — Shared helpers integrated; concurrency tests verify buffer reuse. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md` - 1. [TODO] SCANNER-ANALYZERS-LANG-10-307P — Shared helper integration (license metadata, quiet provenance, component merging). - • Prereqs: SCANNER-ANALYZERS-LANG-10-303C (Wave 3) - • Current: TODO - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md` - 1. [DOING] SCANNER-ANALYZERS-LANG-10-307R — Finalize shared helper usage (license, usage flags) and concurrency-safe caches. - • Prereqs: SCANNER-ANALYZERS-LANG-10-306C (Wave 3) - • Current: TODO -- **Sprint 13** · UX & CLI Experience - - Team: DevEx/CLI - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - • Prereqs: CLI-RUNTIME-13-005 (Wave 0), CLI-OFFLINE-13-006 (Wave 3) - • Current: TODO – Package non-core verbs as restart-time plug-ins (manifest + loader updates, tests ensuring no hot reload). -- **Sprint 15** · Notify Foundations - - Team: Notify Connectors Guild - - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/TASKS.md` - 1. [TODO] NOTIFY-CONN-EMAIL-15-701 — Implement SMTP connector with STARTTLS/implicit TLS support, HTML+text rendering, attachment policy enforcement. - • Prereqs: NOTIFY-ENGINE-15-303 (Wave 3) - • Current: TODO - - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/TASKS.md` - 1. 
[TODO] NOTIFY-CONN-SLACK-15-501 — Implement Slack connector with bot token auth, message rendering (blocks), rate limit handling, retries/backoff. - • Prereqs: NOTIFY-ENGINE-15-303 (Wave 3) - • Current: TODO - - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/TASKS.md` - 1. [TODO] NOTIFY-CONN-TEAMS-15-601 — Implement Teams connector using Adaptive Cards 1.5, handle webhook auth, size limits, retries. - • Prereqs: NOTIFY-ENGINE-15-303 (Wave 3) - • Current: TODO - - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/TASKS.md` - 1. [TODO] NOTIFY-CONN-WEBHOOK-15-801 — Implement webhook connector: JSON payload, signature (HMAC/Ed25519), retries/backoff, status code handling. - • Prereqs: NOTIFY-ENGINE-15-303 (Wave 3) - • Current: TODO - - Team: Notify Engine Guild - - Path: `src/Notify/__Libraries/StellaOps.Notify.Engine/TASKS.md` - 1. [TODO] NOTIFY-ENGINE-15-304 — Test-send sandbox + preview utilities for WebService. - • Prereqs: NOTIFY-ENGINE-15-303 (Wave 3) - • Current: TODO - - Team: Notify Worker Guild - - Path: `src/Notify/StellaOps.Notify.Worker/TASKS.md` - 1. [TODO] NOTIFY-WORKER-15-204 — Metrics/telemetry: `notify.sent_total`, `notify.dropped_total`, latency histograms, tracing integration. - • Prereqs: NOTIFY-WORKER-15-203 (Wave 3) - • Current: TODO -- **Sprint 16** · Scheduler Intelligence - - Team: Scheduler Worker Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` - 1. [TODO] SCHED-WORKER-16-204 — Emit events (`scheduler.rescan.delta`, `scanner.report.ready`) for Notify/UI with summaries. - • Prereqs: SCHED-WORKER-16-203 (Wave 3) - • Current: TODO -- **Sprint 17** · Symbol Intelligence & Forensics - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-RUNTIME-17-004 — Document build-id workflows: SBOM exposure, runtime event payloads, debug-store layout, and operator guidance for symbol retrieval. 
- • Current: TODO - -## Wave 5 — 10 task(s) ready after Wave 4 -- **Sprint 7** · Contextual Truth Foundations - - Team: Excititor Connectors – Stella - - Path: `src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md` - 1. [TODO] EXCITITOR-CONN-STELLA-07-003 — Implement incremental cursor handling per-export digest, support resume, and document configuration for downstream Excititor mirrors. - • Prereqs: EXCITITOR-CONN-STELLA-07-002 (Wave 4) - • Current: TODO -- **Sprint 10** · Backlog - - Team: TBD - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-307D (Wave 4) - • Current: DONE — fixtures + benchmarks merged 2025-10-23 - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-307G (Wave 4) - • Current: DONE — Fixtures and benchmark harness merged; perf delta captured vs competitor. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-307P (Wave 4) - • Current: DONE — Fixtures `simple-venv`, `pip-cache`, `layered-editable` + hash throughput benchmarks merged 2025-10-23. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md` - 1. [TODO] SCANNER-ANALYZERS-LANG-10-308R — Determinism fixtures + performance benchmarks; compare against competitor heuristic coverage. - • Prereqs: SCANNER-ANALYZERS-LANG-10-307R (Wave 4) - • Current: TODO -- **Sprint 15** · Notify Foundations - - Team: Notify Connectors Guild - - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/TASKS.md` - 1. [BLOCKED] NOTIFY-CONN-EMAIL-15-702 — Add DKIM signing optional support and health/test-send flows. - • Prereqs: NOTIFY-CONN-EMAIL-15-701 (Wave 4) - • Current: BLOCKED – waiting on base SMTP connector implementation (NOTIFY-CONN-EMAIL-15-701). 
- - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/TASKS.md` - - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/TASKS.md` - - Path: `src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/TASKS.md` - 1. [DOING] NOTIFY-CONN-WEBHOOK-15-802 — Health/test-send support with signature validation hints and secret management. - • Prereqs: NOTIFY-CONN-WEBHOOK-15-801 (Wave 4) - • Current: TODO -- **Sprint 17** · Symbol Intelligence & Forensics - - Team: Scanner WebService Guild - - Path: `src/Scanner/StellaOps.Scanner.WebService/TASKS.md` - • Current: DONE — runtime events normalize digests/build IDs, policy responses/CLI emit `buildIds`, docs/tests updated for debug-store workflows. - -## Wave 6 — 8 task(s) ready after Wave 5 -- **Sprint 10** · Backlog - - Team: TBD - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-308D (Wave 5) - • Current: DONE — manifest + Offline Kit docs updated 2025-10-23 - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-308G (Wave 5) - • Current: DONE — Manifest copied, Worker DI registration verified, Offline Kit docs updated. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md` - • Prereqs: SCANNER-ANALYZERS-LANG-10-308P (Wave 5) - • Current: DONE — Manifest copied, Worker integration verified, Offline Kit docs updated with Python plug-in guidance. - - Path: `src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md` - 1. [TODO] SCANNER-ANALYZERS-LANG-10-309R — Package plug-in manifest + Offline Kit documentation; ensure Worker integration. 
- • Prereqs: SCANNER-ANALYZERS-LANG-10-308R (Wave 5) - • Current: TODO -- **Sprint 7** · Contextual Truth Foundations - - Team: Team Normalization & Storage Backbone - - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md` - • Prereqs: FEEDMERGE-ENGINE-07-001 (Wave 11) - • Current: TODO – Create `advisory_statements` (immutable) and `advisory_conflicts` collections, define `asOf`/`vulnerabilityKey` indexes, and document migration/rollback steps for event-sourced merge. - -## Wave 7 — 52 task(s) ready after Wave 6 -- **Sprint 20** · Policy Engine v2 - - Team: Policy Guild - - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` - 1. [TODO] POLICY-ENGINE-20-000 — New Policy Engine service host, DI bootstrap, Authority scaffolding. - • Prereqs: POLICY-AOC-19-001 (Wave 1) - • Current: TODO - 2. [TODO] POLICY-ENGINE-20-001 — `stella-dsl@1` parser + IR compiler with diagnostics/checksums. - • Prereqs: POLICY-ENGINE-20-000 (Wave 7) - • Current: TODO - 3. [TODO] POLICY-ENGINE-20-002 — Deterministic evaluator (priority/first-match, safe intrinsics). - • Prereqs: POLICY-ENGINE-20-001 (Wave 7) - • Current: TODO - 4. [TODO] POLICY-ENGINE-20-005 — Determinism guard preventing wall-clock/network/RNG usage. - • Prereqs: POLICY-ENGINE-20-002 (Wave 7) - • Current: TODO - 5. [TODO] POLICY-ENGINE-20-008 — Unit/property/golden/perf suites proving determinism + SLA. - • Prereqs: POLICY-ENGINE-20-002/003/004/005/006/007 (Wave 7) - • Current: TODO - 6. [TODO] POLICY-ENGINE-20-007 — Metrics/traces/log sampling for policy runs/rule hits. - • Prereqs: POLICY-ENGINE-20-002 (Wave 7) - • Current: TODO - 7. [TODO] POLICY-ENGINE-20-009 — Mongo schemas/indexes + migrations for policies/runs/findings. - • Prereqs: POLICY-ENGINE-20-000 & POLICY-ENGINE-20-004 (Wave 7) - • Current: TODO - - Team: Policy Guild · Data Joiners - - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` - 1. [TODO] POLICY-ENGINE-20-003 — SBOM↔advisory↔VEX joiners using linksets. 
- • Prereqs: POLICY-ENGINE-20-001 (Wave 7), CONCELIER-POLICY-20-002 (Wave 7), EXCITITOR-POLICY-20-002 (Wave 7) - • Current: TODO - 2. [TODO] POLICY-ENGINE-20-004 — Materialization writer to `effective_finding_*` with append-only history. - • Prereqs: POLICY-ENGINE-20-003 (Wave 7), CONCELIER-POLICY-20-003 (Wave 7), EXCITITOR-POLICY-20-003 (Wave 7) - • Current: TODO - 3. [TODO] POLICY-ENGINE-20-006 — Incremental orchestrator reacting to change streams. - • Prereqs: POLICY-ENGINE-20-003/004 (Wave 7), SCHED-WORKER-20-301 (Wave 7) - • Current: TODO -- **Sprint 20** · Policy API Surface - - Team: BE-Base Platform Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - 1. [TODO] WEB-POLICY-20-001 — Policy CRUD/compile/run/simulate/findings/explain endpoints. - • Prereqs: POLICY-ENGINE-20-001/004 (Wave 7), AUTH-POLICY-20-001 (Wave 7) - • Current: TODO - 2. [TODO] WEB-POLICY-20-002 — Pagination, filters, deterministic ordering. - • Prereqs: WEB-POLICY-20-001 (Wave 7) - • Current: TODO - 3. [TODO] WEB-POLICY-20-003 — Error mapping to `ERR_POL_*` with contract tests. - • Prereqs: WEB-POLICY-20-001 (Wave 7) - • Current: TODO - 4. [TODO] WEB-POLICY-20-004 — Simulation rate limits + metrics/headers. - • Prereqs: WEB-POLICY-20-001/002 (Wave 7) - • Current: TODO -- **Sprint 20** · Policy Console - - Team: UI Guild - - Path: `src/UI/StellaOps.UI/TASKS.md` - 1. [TODO] UI-POLICY-20-001 — Monaco editor with inline diagnostics/compliance checklist. - • Prereqs: WEB-POLICY-20-001 (Wave 7) - • Current: TODO - 2. [TODO] UI-POLICY-20-002 — Simulation diff panel with virtualization + deltas. - • Prereqs: UI-POLICY-20-001 (Wave 7), WEB-POLICY-20-001/002 (Wave 7) - • Current: TODO - 3. [TODO] UI-POLICY-20-003 — Submit/review/approve workflow with RBAC + audit log. - • Prereqs: UI-POLICY-20-001 (Wave 7), AUTH-POLICY-20-001 (Wave 7) - • Current: TODO - 4. [TODO] UI-POLICY-20-004 — Run viewer dashboards (rule heatmap, VEX wins, suppressions). 
- • Prereqs: POLICY-ENGINE-20-006/007 (Wave 7), WEB-POLICY-20-001 (Wave 7) - • Current: TODO -- **Sprint 20** · Policy CLI - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-POLICY-20-001 — `policy new|edit|submit|approve` commands. - • Prereqs: WEB-POLICY-20-001 (Wave 7), AUTH-POLICY-20-001 (Wave 7) - • Current: TODO - 2. [TODO] CLI-POLICY-20-002 — `policy simulate` with diff rendering + exit codes. - • Prereqs: CLI-POLICY-20-001 (Wave 7), POLICY-ENGINE-20-006 (Wave 7) - • Current: TODO - 3. [TODO] CLI-POLICY-20-003 — `findings ls|get` policy-aware filters + explain output. - • Prereqs: WEB-POLICY-20-001/002 (Wave 7) - • Current: TODO -- **Sprint 20** · Policy Selection Services - - Team: Concelier WebService Guild - - Path: `src/Concelier/StellaOps.Concelier.WebService/TASKS.md` - 1. [TODO] CONCELIER-POLICY-20-001 — Advisory selection endpoints for policy engine. - • Prereqs: CONCELIER-CORE-AOC-19-004 (Wave 1), WEB-POLICY-20-001 (Wave 7) - • Current: TODO - - Team: Concelier Core Guild - - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md` - 1. [TODO] CONCELIER-POLICY-20-002 — Linkset enrichment with equivalence tables/ranges. - • Prereqs: CONCELIER-CORE-AOC-19-002 (Wave 1), POLICY-ENGINE-20-001 (Wave 7) - • Current: TODO - - Team: Concelier Storage Guild - - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md` - 1. [TODO] CONCELIER-POLICY-20-003 — Selection cursors + change-stream checkpoints. - • Prereqs: CONCELIER-STORE-AOC-19-002 (Wave 1), POLICY-ENGINE-20-003 (Wave 7) - • Current: TODO - - Team: Excititor WebService Guild - - Path: `src/Excititor/StellaOps.Excititor.WebService/TASKS.md` - 1. [TODO] EXCITITOR-POLICY-20-001 — VEX selection APIs (batch PURL/ID, tenant filters). - • Prereqs: EXCITITOR-CORE-AOC-19-004 (Wave 1), WEB-POLICY-20-001 (Wave 7) - • Current: TODO - - Team: Excititor Core Guild - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md` - 1. 
[TODO] EXCITITOR-POLICY-20-002 — Scope-aware linksets + version range handling. - • Prereqs: EXCITITOR-CORE-AOC-19-002 (Wave 1), POLICY-ENGINE-20-001 (Wave 7) - • Current: TODO - - Team: Excititor Storage Guild - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md` - 1. [TODO] EXCITITOR-POLICY-20-003 — Selection cursors + checkpoints for VEX change streams. - • Prereqs: EXCITITOR-STORE-AOC-19-002 (Wave 1), POLICY-ENGINE-20-003 (Wave 7) - • Current: TODO -- **Sprint 20** · Scheduler Integration - - Team: Scheduler Models Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md` - 1. [TODO] SCHED-MODELS-20-001 — Policy run/diff DTOs + validation helpers. - • Prereqs: POLICY-ENGINE-20-000 (Wave 7) - • Current: TODO - 2. [TODO] SCHED-MODELS-20-002 — Schema docs/sample payloads for policy runs. - • Prereqs: SCHED-MODELS-20-001 (Wave 7) - • Current: TODO - - Team: Scheduler WebService Guild - - Path: `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md` - 1. [TODO] SCHED-WEB-20-001 — Policy run scheduling APIs with `policy:run` enforcement. - • Prereqs: SCHED-WEB-16-101 (Wave 1), AUTH-POLICY-20-001 (Wave 7) - • Current: TODO - 2. [TODO] SCHED-WEB-20-002 — Simulation trigger endpoint returning diff metadata. - • Prereqs: SCHED-WEB-20-001 (Wave 7), POLICY-ENGINE-20-006 (Wave 7) - • Current: TODO - - Team: Scheduler Worker Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` - 1. [TODO] SCHED-WORKER-20-301 — Trigger policy runs (full/incremental/simulate) via API. - • Prereqs: SCHED-WORKER-16-201 (Wave 1), POLICY-ENGINE-20-000 (Wave 7) - • Current: TODO - 2. [TODO] SCHED-WORKER-20-302 — Delta targeting for policy reruns using change streams. - • Prereqs: SCHED-WORKER-20-301 (Wave 7), POLICY-ENGINE-20-006 (Wave 7) - • Current: TODO - 3. [TODO] SCHED-WORKER-20-303 — Metrics/logs for scheduled policy runs. 
- • Prereqs: SCHED-WORKER-20-301 (Wave 7) - • Current: TODO -- **Sprint 20** · Authority & Security - - Team: Authority Core & Security Guild - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-POLICY-20-001 — Introduce policy scopes (`policy:*`, `findings:read`, `effective:write`). - • Prereqs: AUTH-AOC-19-001 (Wave 1) - • Current: TODO - 2. [TODO] AUTH-POLICY-20-002 — Enforce Policy Engine identity + gateway scope checks. - • Prereqs: AUTH-POLICY-20-001 (Wave 7), AUTH-AOC-19-002 (Wave 1) - • Current: TODO - 3. [TODO] AUTH-POLICY-20-003 — Update Authority docs/config samples for new scopes. - • Prereqs: AUTH-POLICY-20-001 (Wave 7) - • Current: TODO -- **Sprint 20** · CI/CD & Observability - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-POLICY-20-001 — Integrate DSL lint/compile checks in CI. - • Prereqs: POLICY-ENGINE-20-001 (Wave 7) - • Current: TODO - 2. [TODO] DEVOPS-POLICY-20-002 — Run `stella policy simulate` stage on golden SBOMs. - • Prereqs: DEVOPS-POLICY-20-001 (Wave 7), POLICY-ENGINE-20-006 (Wave 7) - • Current: TODO - 3. [TODO] DEVOPS-POLICY-20-003 — Determinism CI diffing repeated policy runs. - • Prereqs: DEVOPS-POLICY-20-001 (Wave 7), POLICY-ENGINE-20-005 (Wave 7) - • Current: TODO -- **Sprint 20** · Documentation - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-POLICY-20-001 — `/docs/policy/overview.md`. - • Prereqs: POLICY-ENGINE-20-000 (Wave 7) - • Current: TODO - 2. [TODO] DOCS-POLICY-20-002 — `/docs/policy/dsl.md` grammar + examples. - • Prereqs: POLICY-ENGINE-20-001 (Wave 7) - • Current: TODO - 3. [TODO] DOCS-POLICY-20-003 — `/docs/policy/lifecycle.md` workflow/roles. - • Prereqs: AUTH-POLICY-20-001 (Wave 7), WEB-POLICY-20-001 (Wave 7) - • Current: TODO - 4. [TODO] DOCS-POLICY-20-004 — `/docs/policy/runs.md` run modes + cursors. - • Prereqs: POLICY-ENGINE-20-006 (Wave 7), SCHED-WEB-20-001 (Wave 7) - • Current: TODO - 5. 
[TODO] DOCS-POLICY-20-005 — `/docs/api/policy.md` endpoints + schemas. - • Prereqs: WEB-POLICY-20-001 (Wave 7) - • Current: TODO - 6. [TODO] DOCS-POLICY-20-006 — `/docs/modules/cli/guides/policy.md` with command usage. - • Prereqs: CLI-POLICY-20-002 (Wave 7) - • Current: TODO - 7. [TODO] DOCS-POLICY-20-007 — `/docs/ui/policy-editor.md` flows + screenshots. - • Prereqs: UI-POLICY-20-001/002/003 (Wave 7) - • Current: TODO - 8. [TODO] DOCS-POLICY-20-008 — `/docs/architecture/policy-engine.md` with diagrams. - • Prereqs: POLICY-ENGINE-20-003/006 (Wave 7) - • Current: TODO - 9. [TODO] DOCS-POLICY-20-009 — `/docs/observability/policy.md` metrics/traces/logs. - • Prereqs: POLICY-ENGINE-20-007 (Wave 7), DEVOPS-POLICY-20-002 (Wave 7) - • Current: TODO - 10. [TODO] DOCS-POLICY-20-010 — `/docs/security/policy-governance.md` scopes/approvals. - • Prereqs: AUTH-POLICY-20-002 (Wave 7) - • Current: TODO - 11. [TODO] DOCS-POLICY-20-011 — `/docs/examples/policies/` sample policies + commentary. - • Prereqs: POLICY-ENGINE-20-001/002 (Wave 7) - • Current: TODO - 12. [TODO] DOCS-POLICY-20-012 — `/docs/faq/policy-faq.md` common pitfalls. - • Prereqs: WEB-POLICY-20-003 (Wave 7), POLICY-ENGINE-20-005 (Wave 7) - • Current: TODO -- **Sprint 20** · Samples & Benchmarks - - Team: Samples Guild - - Path: `samples/TASKS.md` - 1. [TODO] SAMPLES-POLICY-20-001 — Baseline/serverless/internal-only policy samples + fixtures. - • Prereqs: POLICY-ENGINE-20-002 (Wave 7), DOCS-POLICY-20-011 (Wave 7) - • Current: TODO - 2. [TODO] SAMPLES-POLICY-20-002 — Simulation diff fixtures for UI/CLI tests. - • Prereqs: UI-POLICY-20-002 (Wave 7) - • Current: TODO - - Team: Bench Guild - - Path: `src/Bench/StellaOps.Bench/TASKS.md` - 1. [TODO] BENCH-POLICY-20-001 — Policy evaluation performance benchmark suite. - • Prereqs: POLICY-ENGINE-20-002/006 (Wave 7) - • Current: TODO - 2. [TODO] BENCH-POLICY-20-002 — Incremental run benchmark tracking delta SLA. 
- • Prereqs: BENCH-POLICY-20-001 (Wave 7), SCHED-WORKER-20-302 (Wave 7) - • Current: TODO - -## Wave 8 — 60 task(s) ready after Wave 7 -- **Sprint 21** · Graph Explorer v1 - - Team: Cartographer Guild - - Path: `src/Cartographer/StellaOps.Cartographer/TASKS.md` - 1. [TODO] CARTO-GRAPH-21-001/002/003/004 — Schema, projection reader, graph constructor, and layout tiling are ready once SBOM projections ship (Wave 7 prereqs). - 2. [TODO] CARTO-GRAPH-21-005/006/007/008/009 — Overlay worker, API surface, backfill/overlay jobs, testing, and deployment artefacts depend on Cartographer infrastructure plus Policy Engine 30-series work. - - Team: SBOM Service Guild - - Path: `src/SbomService/StellaOps.SbomService/TASKS.md` - 1. [TODO] SBOM-SERVICE-21-001/002/003/004 — Normalized projection API, change events, entrypoint management, and observability unblock Cartographer’s ingestion. - - Team: Policy Guild - - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` - 1. [TODO] POLICY-ENGINE-30-001/002/003 — Graph overlay contract, simulation bridge, and change events rely on Policy Engine v2 core (Wave 7) and feed Cartographer overlays. - - Team: BE-Base Platform Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - 1. [TODO] WEB-GRAPH-21-001..004 — Graph gateway routes, validation, exports, and simulation bridging activate once Cartographer endpoints exist. - - Team: UI Guild - - Path: `src/UI/StellaOps.UI/TASKS.md` - 1. [TODO] UI-GRAPH-21-001..006 — Canvas, inspector, filters, paths, diff, and accessibility depend on Cartographer/Web graph APIs and Samples fixtures. - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-GRAPH-21-001..003 — CLI commands, path/simulation options, and docs require Cartographer/Web readiness. - - Team: Authority Core & Security Guild - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-GRAPH-21-001..003 — Graph scope issuance, enforcement, and documentation unblock service deployments. 
- - Team: Scheduler Guilds - - Paths: `src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md`, `src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md`, `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` - 1. [TODO] SCHED-MODELS-21-001/002, SCHED-WEB-21-001/002, SCHED-WORKER-21-201..203 — Graph job DTOs, APIs, workers, and metrics coordinate Cartographer runs after SBOM change events. - - Team: Concelier Guild - - Paths: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`, `src/Concelier/StellaOps.Concelier.WebService/TASKS.md` - 1. [TODO] CONCELIER-GRAPH-21-001..004 — SBOM projection enrichment and entrypoint APIs feed SBOM Service/Cartographer. - - Team: Excititor Guild - - Paths: `src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md`, `src/Excititor/StellaOps.Excititor.WebService/TASKS.md`, `src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md` - 1. [TODO] EXCITITOR-GRAPH-21-001..005 — Provide VEX inspector data, overlay enrichment, events, and indexes for Graph Explorer. - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-GRAPH-21-001..003 — Perf tests, visual regression captures, and offline kit bundling align with Cartographer/SBOM readiness. - - Team: Docs/Samples/Bench Guilds - - Paths: `docs/TASKS.md`, `samples/TASKS.md`, `src/Bench/StellaOps.Bench/TASKS.md` - 1. [TODO] DOCS-GRAPH-21-001..009, SAMPLES-GRAPH-21-001..002, BENCH-GRAPH-21-001..002 — Publish documentation set, sample assets, and benchmarks once API/UI stabilize. - - -## Wave 9 — 58 task(s) ready after Wave 8 -- **Sprint 22** · Link-Not-Merge v1 - - Team: Concelier Core Guild - - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md` - 1. [TODO] CONCELIER-LNM-21-001/002/003/004/005 — Observation schema, linkset builder, conflict annotator, merge removal, and event emission follow Graph wave completion and AOC guard readiness. 
- - Team: Concelier Storage Guild - - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md` - 1. [TODO] CONCELIER-LNM-21-101/102/103 — Collections, backfill tooling, and blob storage wiring depend on core schema finalization. - - Team: Concelier WebService Guild - - Path: `src/Concelier/StellaOps.Concelier.WebService/TASKS.md` - 1. [TODO] CONCELIER-LNM-21-201/202/203 — Advisory observation/linkset APIs and event publishing follow storage readiness. - - Team: BE-Merge - - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md` - 1. [TODO] MERGE-LNM-21-001/002/003 — Decommission merge pipeline once observation/linkset flow validated. - - Team: Excititor Core Guild - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md` - 1. [TODO] EXCITITOR-LNM-21-001..005 — VEX observations/linksets, conflicts, merge removal, and events mirror advisory work. - - Team: Excititor Storage Guild - - Path: `src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md` - 1. [TODO] EXCITITOR-LNM-21-101/102 — Collections and backfill for VEX data prepared after schema finalization. - - Team: Excititor WebService Guild - - Path: `src/Excititor/StellaOps.Excititor.WebService/TASKS.md` - 1. [TODO] EXCITITOR-LNM-21-201..203 — VEX observation/linkset APIs and event publishing. - - Team: Policy Guild - - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` - 1. [TODO] POLICY-ENGINE-40-001..003 — Effective severity adjustments, VEX conflict handling, and consumer utilities once observation/linkset data shape is fixed. - - Team: Scanner WebService Guild - - Path: `src/Scanner/StellaOps.Scanner.WebService/TASKS.md` - 1. [TODO] SCANNER-LNM-21-001/002 — Report/runtime updates and evidence endpoint leveraging new linksets. - - Team: BE-Base Platform Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - 1. [TODO] WEB-LNM-21-001..003 — Gateway exposure for advisory/vex APIs and policy evidence combos. 
- - Team: UI Guild - - Path: `src/UI/StellaOps.UI/TASKS.md` - 1. [TODO] UI-LNM-22-001..004 — Evidence panel, filters, VEX tab, permalinks after API readiness. - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-LNM-22-001/002 — CLI support for observations/linksets and exports. - - Team: Authority Core Guild - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-AOC-19-001 — Scope rollout (`advisory/vex ingest/read`) enabling new APIs. - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-LNM-22-001..003 — Migration automation, monitoring, and SLA alerts for observation pipelines. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-LNM-22-001..008 — Publish aggregation philosophy, API docs, UI guides, migration playbook. - - Team: Samples Guild - - Path: `samples/TASKS.md` - 1. [TODO] SAMPLES-LNM-22-001/002 — Observation/linkset fixtures for advisories and VEX. - - Team: Bench Guild - - Path: `src/Bench/StellaOps.Bench/TASKS.md` - 1. [TODO] BENCH-LNM-22-001/002 — Ingest/correlation performance benchmarks to enforce SLA. - - -## Wave 10 — 54 task(s) ready after Wave 9 -- **Sprint 23** · Policy Engine + Editor v1 - - Team: Policy Guild (Library) - - Path: `src/Policy/__Libraries/StellaOps.Policy/TASKS.md` - 1. [TODO] POLICY-SPL-23-001..005 — SPL schema/canonicalizer/layering/explain model/migration tooling once Link-Not-Merge data model is stable. - - Team: Policy Engine Service - - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` - 1. [TODO] POLICY-ENGINE-50-001..007 — Compiler, evaluator, observability, event pipeline, storage schemas, explainer persistence, worker orchestration. - - Team: BE-Base Platform Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - 1. [TODO] WEB-POLICY-23-001..004 — Policy pack CRUD, activation, simulation/evaluation, explain history APIs. - - Team: UI Guild - - Path: `src/UI/StellaOps.UI/TASKS.md` - 1. 
[TODO] UI-POLICY-23-001..006 — Policy editor workspace, YAML builder, guided builder, approvals, simulator, explain view. - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-POLICY-23-004..006 — CLI lint/activate/history + explain commands aligned with new APIs. - - Team: Authority Core Guild - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-POLICY-23-001..003 — Policy scopes, two-person activation, documentation. - - Team: SBOM Service Guild - - Path: `src/SbomService/StellaOps.SbomService/TASKS.md` - 1. [TODO] SBOM-SERVICE-23-001/002 — Asset metadata projection + `sbom.asset.updated` events feeding evaluator. - - Team: Concelier & Excititor Guilds - - Paths: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md`, `src/Concelier/StellaOps.Concelier.WebService/TASKS.md`, `src/Excititor/StellaOps.Excititor.WebService/TASKS.md` - 1. [TODO] CONCELIER-POLICY-23-001/002 and EXCITITOR-POLICY-23-001/002 plus CONCELIER/EXCITITOR-LNM-21-201..203 — Evidence indexes, enriched events, observation/linkset APIs supporting policy runtime. - - Team: Scheduler Worker Guild - - Path: `src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md` - 1. [TODO] SCHED-WORKER-23-101/102 — Policy re-evaluation worker + reconciliation job post activation. - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-LNM-22-001..003 (migration/monitoring) and future policy deployment automation for SPL bundles. - - Team: Docs Guild, Samples, Bench - - Paths: `docs/TASKS.md`, `samples/TASKS.md`, `src/Bench/StellaOps.Bench/TASKS.md` - 1. [TODO] DOCS-POLICY-23-001..010, SAMPLES-LNM-22-001/002, BENCH-LNM-22-001/002 — Documentation set, policy fixtures, performance benchmarks. 
- - -## Wave 11 — 1 task(s) ready after Wave 10 -- **Sprint 32** · Orchestrator Dashboard Phase 1 (Foundations) - - Team: Orchestrator Service Guild - - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md` - 1. [TODO] ORCH-SVC-32-001..005 — Stand up the orchestrator service (schema, scheduler, read-only APIs, SSE, worker endpoints). Coordinate with DevOps (DEVOPS-ORCH-32-001) for Postgres + message bus availability before enabling progression. - - Team: Worker SDK Guild - - Paths: `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md`, `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md` - 1. [TODO] WORKER-GO-32-001/002, WORKER-PY-32-001/002 — Deliver baseline job claim/heartbeat libraries. These unblock Concelier/Excititor/SBOM adoption tasks and should validate against ORCH-SVC-32-005 contract. - - Team: Concelier Core Guild - - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md` - 1. [TODO] CONCELIER-ORCH-32-001/002 — Register sources and embed SDK hooks in ingestion loops. Depends on Worker SDK handshake and orchestrator read APIs. - - Team: Excititor Worker Guild - - Path: `src/Excititor/StellaOps.Excititor.Worker/TASKS.md` - 1. [TODO] EXCITITOR-ORCH-32-001 — Adopt worker SDK for VEX ingestion. Requires ORCH-SVC-32-005 and Worker SDK readiness. - - Team: SBOM Service Guild - - Path: `src/SbomService/StellaOps.SbomService/TASKS.md` - 1. [TODO] SBOM-ORCH-32-001 — Emit orchestrator job metadata and artifact hashes for SBOM ingest/index jobs; depends on orchestrator schema finalization. - - Team: Policy Guild - - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` - 1. [TODO] POLICY-ENGINE-32-101 — Define `policy_eval` job contract and enqueue hooks so orchestrator DAGs can plan downstream work. - - Team: BE-Base Platform Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - 1. [TODO] WEB-ORCH-32-001 — Surface read-only orchestrator APIs through the gateway with tenant scoping once service endpoints exist. 
- - Team: Authority Core & Security Guild - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-ORCH-32-001 — Introduce `orch:read` scope and `Orch.Viewer` role so CLI/Console work can proceed safely. - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-ORCH-32-001 — Provide read-only `stella orch` listings after gateway routes/scopes are available; validate against imposed rule requirement. - - Team: Console Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CONSOLE-ORCH-32-001/002 — Overview + Sources pages (read-only) rely on SSE stream, viewer scope, and CLI/gateway parity. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-ORCH-32-001/002 — Publish overview/architecture docs (each closing with imposed rule statement) to align cross-team implementation. - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-ORCH-32-001 — Stand up Postgres/message bus environments and seed Grafana dashboards; prerequisite for orchestrator integration workstreams. -- **Sprint 33** · Orchestrator Dashboard Phase 2 (Controls & Recovery) - - Team: Orchestrator Service Guild - - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md` - 1. [TODO] ORCH-SVC-33-001..004 — Add control actions, adaptive rate limiter, watermark/backfill manager, and dead-letter replay. Requires Phase 1 completion and Worker SDK control hooks. - - Team: Worker SDK Guild - - Paths: `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md`, `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md` - 1. [TODO] WORKER-GO-33-001/002, WORKER-PY-33-001/002 — Provide artifact upload, idempotency guards, and error classification so orchestrator controls function safely. - - Team: Concelier Core Guild - - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md` - 1. [TODO] CONCELIER-ORCH-33-001 — Honor orchestrator throttles and retry semantics; unblocker for circuit breaker work in Sprint 34. 
- - Team: Excititor Worker Guild - - Path: `src/Excititor/StellaOps.Excititor.Worker/TASKS.md` - 1. [TODO] EXCITITOR-ORCH-33-001 — Surface error classes and throttling compliance; depends on Worker SDK error helpers. - - Team: SBOM Service Guild - - Path: `src/SbomService/StellaOps.SbomService/TASKS.md` - 1. [TODO] SBOM-ORCH-33-001 — Report backpressure metrics and respect orchestrator pause/backfill signals. - - Team: Policy Guild - - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` - 1. [TODO] POLICY-ENGINE-33-101 — Implement orchestrator-driven evaluation workers with SLO metrics; prerequisites: ORCH-SVC-32-003/005 and Worker SDK upgrades. - - Team: VEX Lens Guild - - Path: `src/VexLens/StellaOps.VexLens/TASKS.md` - 1. [TODO] VEXLENS-ORCH-33-001 — Register `consensus_compute` job type and worker integration so orchestrator can schedule consensus batches. - - Team: BE-Base Platform Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - 1. [TODO] WEB-ORCH-33-001 — Wire control/backfill endpoints through gateway with proper error mapping and SSE bridging; relies on AUTH-ORCH-33-001. - - Team: Authority Core & Security Guild - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-ORCH-33-001 — Add `Orch.Operator` role/scopes and enforce reason strings; prerequisite for CLI/Console control surfaces. - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-ORCH-33-001 — Implement action verbs (`pause|resume|test`, `retry|cancel`, `jobs tail`) with streaming output and scope enforcement. - - Team: Console Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CONSOLE-ORCH-33-001/002 — Runs timeline/DAG and Jobs tail views with action buttons. Requires SSE, operator scopes, and orchestrator control endpoints. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-ORCH-33-001..003 — Publish API, Console, and CLI guides (each reiterating imposed rule) once control endpoints stabilize. 
- - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-ORCH-33-001 — Deliver Grafana dashboards/alerts (rate limiter, queue depth, error clustering) gated by orchestrator metrics. -- **Sprint 34** · Orchestrator Dashboard Phase 3 (Backfills, Quotas, GA) - - Team: Orchestrator Service Guild - - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md` - 1. [TODO] ORCH-SVC-34-001..004 — Quotas/SLOs, audit ledger export, scale tests, and packaging. Requires Phase 2 controls plus DevOps support for perf/load validation. - - Team: Worker SDK Guild - - Paths: `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md`, `src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md` - 1. [TODO] WORKER-GO-34-001, WORKER-PY-34-001 — Backfill range execution and dedupe verification; prerequisites: ORCH-SVC-33-003 and service artifact schemas. - - Team: Concelier Core Guild - - Path: `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md` - 1. [TODO] CONCELIER-ORCH-34-001 — Execute orchestrator-driven backfills with ledger linkage; ensure idempotency before GA sign-off. - - Team: Excititor Worker Guild - - Path: `src/Excititor/StellaOps.Excititor.Worker/TASKS.md` - 1. [TODO] EXCITITOR-ORCH-34-001 — Backfill + circuit breaker reset logic; depends on Worker SDK backfill support. - - Team: SBOM Service Guild - - Path: `src/SbomService/StellaOps.SbomService/TASKS.md` - 1. [TODO] SBOM-ORCH-34-001 — Watermark reconciliation and coverage metrics for sbom backfills. - - Team: Policy Guild - - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` - 1. [TODO] POLICY-ENGINE-34-101 — Surface run ledger exports and SLO burn metrics to orchestrator; coordinates with Findings Ledger. - - Team: VEX Lens Guild - - Path: `src/VexLens/StellaOps.VexLens/TASKS.md` - 1. [TODO] VEXLENS-ORCH-34-001 — Emit consensus completion events into orchestrator ledger + provenance chain. 
- - Team: Findings Ledger Guild - - Path: `src/Findings/StellaOps.Findings.Ledger/TASKS.md` - 1. [TODO] LEDGER-34-101 — Consume orchestrator ledger entries for provenance exports; must align with ORCH-SVC-34-002 hashing. - - Team: BE-Base Platform Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - 1. [TODO] WEB-ORCH-34-001 — Route quotas/backfill/error clustering APIs; prerequisite for CLI/Console GA features. - - Team: Authority Core & Security Guild - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-ORCH-34-001 — Add `Orch.Admin` role, quota scopes, and audit reason enforcement; required before exposing admin controls. - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-ORCH-34-001 — Implement backfill/quota commands with dry-run preview; depends on ORCH-SVC-34-001/003 and AUTH-ORCH-34-001. - - Team: Console Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CONSOLE-ORCH-34-001..003 — Queues/backpressure dashboard, backfill wizard, and error clustering view; align with API + metrics outputs. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-ORCH-34-001..005 — Final documentation set (run ledger, secrets handling, runbook, schema, SLO) — each must restate imposed rule and cross-link to services adopting orchestrator. - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-ORCH-34-001 — Harden production dashboards/alerts and synthetic probes prior to GA. - - Team: Deployment Guild - - Path: `ops/deployment/TASKS.md` - 1. [TODO] DEPLOY-ORCH-34-001 — Package orchestrator Helm/Compose, scaling defaults, offline guidance; depends on ORCH-SVC-34-004. - - Team: Offline Kit Guild - - Path: `ops/offline-kit/TASKS.md` - 1. [TODO] DEVOPS-OFFLINE-34-006 — Bundle orchestrator service artifacts, worker SDK samples, and Postgres snapshot into Offline Kit with integrity checks. 
-- **Sprint 35** · Export Center Phase 1 (Foundations) - - Team: Exporter Service Guild - - Path: `src/ExportCenter/StellaOps.ExportCenter/TASKS.md` - 1. [TODO] EXPORT-SVC-35-001..006 — Bootstrap exporter service, planner, JSON/mirror adapters, manifests/signing, and download APIs. Blocks downstream integrations (Findings Ledger, Policy, VEX Lens, Web, CLI, Console). - - Team: Orchestrator Service Guild - - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md` - 1. [TODO] ORCH-SVC-35-101 — Register export job type, quotas, and telemetry to support exporter workers. - - Team: Findings Ledger Guild - - Path: `src/Findings/StellaOps.Findings.Ledger/TASKS.md` - 1. [TODO] LEDGER-EXPORT-35-001 — Provide streaming endpoints for advisories/VEX/SBOM/findings filtered per export scopes. Required before planner work can complete. - - Team: Policy Guild - - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` - 1. [TODO] POLICY-ENGINE-35-201 — Supply deterministic policy snapshot + evaluated findings endpoint for policy-aware exports. - - Team: VEX Lens Guild - - Path: `src/VexLens/StellaOps.VexLens/TASKS.md` - 1. [TODO] VEXLENS-EXPORT-35-001 — Produce consensus snapshot API consumed by mirror bundles. - - Team: BE-Base Platform Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - 1. [TODO] WEB-EXPORT-35-001 — Route export APIs and downloads through gateway once exporter endpoints are live. - - Team: Authority Core & Security Guild - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-EXPORT-35-001 — Publish Export Viewer/Operator/Admin scopes and issuer templates before Console/CLI ship. - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-EXPORT-35-001 — Read-only CLI commands for profiles/runs/downloads; depends on WEB-EXPORT-35-001 and AUTH-EXPORT-35-001. - - Team: Console Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CONSOLE-EXPORT-35-001 — Profiles + overview UI; requires gateway routes and scopes. 
- - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-EXPORT-35-001..003 — Publish overview, architecture, and profiles docs with imposed rule reminders to align teams. - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-EXPORT-35-001 — Establish exporter CI/perf smoke and dashboards; prerequisite for later alerting. - - Team: Deployment Guild - - Path: `ops/deployment/TASKS.md` - 1. [TODO] DEPLOY-EXPORT-35-001 — Package exporter service/worker Helm overlays for download-only phase. -- **Sprint 36** · Export Center Phase 2 (Trivy + Distribution) - - Team: Exporter Service Guild - - Path: `src/ExportCenter/StellaOps.ExportCenter/TASKS.md` - 1. [TODO] EXPORT-SVC-36-001..004 — Trivy adapters, OCI/object storage distribution, planner updates. Trivy bundles require DEVOPS-EXPORT-36-001 validation. - - Team: Orchestrator Service Guild - - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md` - 1. [TODO] ORCH-SVC-36-101 — Extend orchestrator telemetry/retention fields for export runs. - - Team: BE-Base Platform Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - 1. [TODO] WEB-EXPORT-36-001 — Distribution endpoints must land before CLI/Console actions move forward. - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-EXPORT-36-001 — Distribute/download resume features depend on WEB-EXPORT-36-001 and AUTH scopes. - - Team: Console Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CONSOLE-EXPORT-36-001 — Runs detail + distribution UI after API support exists. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-EXPORT-36-004..006 — API/CLI/Trivy docs to support rollout; each must restate imposed rule. - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-EXPORT-36-001 — CI validation for Trivy compatibility and OCI pushes. - - Team: Deployment Guild - - Path: `ops/deployment/TASKS.md` - 1. 
[TODO] DEPLOY-EXPORT-36-001 — Document registry credentials and automation for distributions. -- **Sprint 37** · Export Center Phase 3 (Delta, Encryption, Scheduling, GA) - - Team: Exporter Service Guild - - Path: `src/ExportCenter/StellaOps.ExportCenter/TASKS.md` - 1. [TODO] EXPORT-SVC-37-001..004 — Mirror delta/encryption, scheduling+retention, verification API. Depends on DEVOPS-EXPORT-37-001 for chaos/alert readiness. - - Team: Orchestrator Service Guild - - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md` - 1. [TODO] ORCH-SVC-37-101 — Scheduling + retention hooks required for exporter automation. - - Team: BE-Base Platform Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - 1. [TODO] WEB-EXPORT-37-001 — Surface scheduling, retention, verification, encryption parameters once exporter endpoints exist. - - Team: Authority Core & Security Guild - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-EXPORT-37-001 — Admin scope enforcement for scheduling, retention, encryption. - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-EXPORT-37-001 — Scheduling and verification commands with signature/hash checks; relies on WEB-EXPORT-37-001. - - Team: Console Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CONSOLE-EXPORT-37-001 — Verification panel, scheduling UI, retention controls, encryption workflows. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-EXPORT-37-001..004 — Mirror bundles, provenance & signing, operations runbook, security hardening docs (all reiterate imposed rule). - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-EXPORT-37-001 — Finalize dashboards/alerts, chaos testing, retention monitoring. - - Team: Offline Kit Guild - - Path: `ops/offline-kit/TASKS.md` - 1. [TODO] DEVOPS-OFFLINE-37-001 — Bundle export tooling and sample mirror bundles into Offline Kit. 
-- **Sprint 38** · Notifications Studio Phase 1 (Foundations) - - Team: Notifications Service Guild - - Path: `src/Notifier/StellaOps.Notifier/TASKS.md` - 1. [TODO] NOTIFY-SVC-38-001..004 — Bootstrap notifier service, migrations, ingestion, templates, channel adapters, initial APIs. Requires orchestrator event envelope updates and policy violation enrichment. - - Team: Orchestrator Service Guild - - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md` - 1. [TODO] ORCH-SVC-38-101 — Standardize event publication (policy/export/job lifecycle) with idempotency keys for notifier. - - Team: Policy Guild - - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` - 1. [TODO] POLICY-ENGINE-38-201 — Emit enriched policy violation events (decision rationale IDs) for notifier ingestion. - - Team: BE-Base Platform Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - 1. [TODO] WEB-NOTIFY-38-001 — Gateway routing for notifier APIs with tenant RBAC. - - Team: Authority Core & Security Guild - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-NOTIFY-38-001 — Publish Notify Viewer/Operator/Admin scopes and issuer templates. - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-NOTIFY-38-001 — CLI commands for rules/templates/incidents. - - Team: Console Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CONSOLE-NOTIFY-38-001 — Studio home, rule editor, incidents UI (phase 1). - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-NOTIFY-38-001 — Overview + architecture docs (imposed rule). - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-NOTIFY-38-001 — Notifier CI pipeline, base dashboards. - - Team: Deployment Guild - - Path: `ops/deployment/TASKS.md` - 1. [TODO] DEPLOY-NOTIFY-38-001 — Helm overlays and rollout guide for notifier foundations. 
-- **Sprint 39** · Notifications Studio Phase 2 (Correlation, Digests, Simulation) - - Team: Notifications Service Guild - - Path: `src/Notifier/StellaOps.Notifier/TASKS.md` - 1. [TODO] NOTIFY-SVC-39-001..004 — Correlation, throttling, quiet hours, digest generator, simulation engine. - - Team: Findings Ledger Guild - - Path: `src/Findings/StellaOps.Findings.Ledger/TASKS.md` - 1. [TODO] LEDGER-NOTIFY-39-001 — Digest query optimization endpoints. - - Team: BE-Base Platform Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - 1. [TODO] WEB-NOTIFY-39-001 — Gateway updates for digests, simulation, throttles. - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-NOTIFY-39-001 — CLI simulation/digest commands. - - Team: Console Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CONSOLE-NOTIFY-39-001 — Template editor, digest profiles, quiet calendar, storm banner. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-NOTIFY-39-002 — Rules/templates/digests docs (imposed rule). - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-NOTIFY-39-002 — Throttle/quiet/digest dashboards. -- **Sprint 40** · Notifications Studio Phase 3 (Escalations, Localization, Hardening) - - Team: Notifications Service Guild - - Path: `src/Notifier/StellaOps.Notifier/TASKS.md` - 1. [TODO] NOTIFY-SVC-40-001..004 — Escalations, ack bridge, PagerDuty/OpsGenie adapters, localization, security hardening, chaos tests. - - Team: Authority Core & Security Guild - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-NOTIFY-40-001 — Ack token signing/rotation, webhook allowlists, admin enforcement. - - Team: BE-Base Platform Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - 1. [TODO] WEB-NOTIFY-40-001 — Expose escalation/localization/channel health endpoints. - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-NOTIFY-40-001 — Ack redemption, escalation management, localization previews. 
- - Team: Console Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CONSOLE-NOTIFY-40-001 — Escalation settings, on-call schedules, localization UI, incident Kanban enhancements. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-NOTIFY-40-001 — Channels, escalations, API, runbook, security docs (imposed rule). - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-NOTIFY-40-001 — Escalation/ack latency dashboards, chaos tooling. -- **Sprint 41** · CLI Parity & Task Packs Phase 1 - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-CORE-41-001, CLI-PARITY-41-001/002 — Implement CLI core config/auth/output foundations and initial parity command groups. - - Team: Task Runner Guild - - Path: `src/TaskRunner/StellaOps.TaskRunner/TASKS.md` - 1. [TODO] TASKRUN-41-001 — Bootstrap Task Runner service, run API, local executor, approvals pause, artifact capture. - - Team: Packs Registry Guild - - Path: `src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md` - 1. [TODO] PACKS-REG-41-001 — Registry API, signature verification, provenance storage, RBAC. - - Team: Orchestrator Service Guild - - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md` - 1. [TODO] ORCH-SVC-41-101 — Register `pack-run` job type, integrate logs/artifacts, expose metadata. - - Team: Authority Core & Security Guild - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-PACKS-41-001 — Define CLI/pack scopes, discovery metadata, offline defaults. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-CLI-41-001 — Publish CLI overview/config/output docs. - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-CLI-41-001 — Multi-platform build pipeline, SBOM/checksums, parity CI gate. - - Team: Deployment Guild - - Path: `ops/deployment/TASKS.md` - 1. [TODO] DEPLOY-CLI-41-001 — Package CLI release artifacts and distribution docs. 
-- **Sprint 42** · CLI Parity & Task Packs Phase 2 - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-PARITY-41-001/002, CLI-PACKS-42-001 — Close remaining parity gaps and ship Task Pack CLI commands. - - Team: Task Runner Guild - - Path: `src/TaskRunner/StellaOps.TaskRunner/TASKS.md` - 1. [TODO] TASKRUN-42-001 — Loops, conditionals, simulation mode, policy gates. - - Team: Packs Registry Guild - - Path: `src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md` - 1. [TODO] PACKS-REG-42-001 — Version lifecycle, allowlists, provenance export, signature rotation. - - Team: Orchestrator Service Guild - - Path: `src/Orchestrator/StellaOps.Orchestrator/TASKS.md` - 1. [TODO] ORCH-SVC-42-101 — Stream pack run logs, expose manifolds, enforce quotas. - - Team: Policy Guild - - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` - 1. [TODO] POLICY-ENGINE-42-201 — Stable rationale IDs/APIs for CLI `--explain` and packs. - - Team: Findings Ledger Guild - - Path: `src/Findings/StellaOps.Findings.Ledger/TASKS.md` - 1. [TODO] LEDGER-PACKS-42-001 — Snapshot/time-travel APIs for pack simulation. - - Team: Console Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CONSOLE-CLI-42-001 — Copy CLI buttons, parity hints, pack browser. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-CLI-42-001 — Parity matrix & command guides; DOCS-PACKS-43-001 groundwork. - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-CLI-42-001 — CLI golden outputs, parity diff automation, pack run CI harness. - - Team: Deployment Guild - - Path: `ops/deployment/TASKS.md` - 1. [TODO] DEPLOY-PACKS-42-001 — Deploy packs registry/task runner with secrets templates. -- **Sprint 43** · CLI Parity & Task Packs Phase 3 - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-PACKS-43-001 — Advanced pack features (approvals pause/resume, secrets, localization, man pages). 
- - Team: Task Runner Guild - - Path: `src/TaskRunner/StellaOps.TaskRunner/TASKS.md` - 1. [TODO] TASKRUN-43-001 — Approvals workflow, notifications integration, chaos resilience. - - Team: Packs Registry Guild - - Path: `src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md` - 1. [TODO] PACKS-REG-43-001 — Mirroring, signing policies, attestation integration. - - Team: Exporter Service Guild - - Path: `src/ExportCenter/StellaOps.ExportCenter/TASKS.md` - 1. [TODO] EXPORT-SVC-35-005, EXPORT-SVC-37-001 — Include pack run manifests in exports. - - Team: Notifications Service Guild - - Path: `src/Notifier/StellaOps.Notifier/TASKS.md` - 1. [TODO] NOTIFY-SVC-40-001 — Emit pack run notifications. - - Team: Authority Core & Security Guild - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-PACKS-43-001 — Enforce pack signing/approval policies, CLI CI scopes. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-PACKS-43-001 — Task Pack spec/authoring/registry/runbook/security/release docs. - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-CLI-43-001 — Final release automation, SBOM signing, parity gating, chaos tests. - - Team: Deployment Guild - - Path: `ops/deployment/TASKS.md` - 1. [TODO] DEPLOY-PACKS-43-001 — Remote execution rollout guidance, Offline kit instructions. - - Team: Offline Kit Guild - - Path: `ops/offline-kit/TASKS.md` - 1. [TODO] CLI-PACKS-43-002 — Bundle CLI, pack samples, registry mirror into Offline Kit with manifests. -- **Sprint 47-49** · Authority-Backed Scopes & Tenancy - - Team: Authority Core & Security Guild - - Path: `src/Authority/StellaOps.Authority/TASKS.md` - 1. [TODO] AUTH-TEN-47-001 — JWT/OIDC alignment, scope grammar, tenant/project claims. - 2. [TODO] AUTH-TEN-49-001 — Service accounts, delegation, quotas, audit streaming. - - Team: BE-Base Platform Guild - - Path: `src/Web/StellaOps.Web/TASKS.md` - 1. 
[TODO] WEB-TEN-47-001/48-001/49-001 — Middleware enforcement, tenant context propagation, ABAC overlay, audit API. - - Team: DevEx/CLI Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CLI-TEN-47-001/49-001 — Auth CLI flows, tenant switching, service tokens, delegation. - - Team: Console Guild - - Path: `src/Cli/StellaOps.Cli/TASKS.md` - 1. [TODO] CONSOLE-TEN-48-001/49-001 — Tenant switcher, admin screens, audit viewer. - - Team: Policy Guild - - Path: `src/Policy/StellaOps.Policy.Engine/TASKS.md` - 1. [TODO] POLICY-TEN-48-001 — Tenant-aware policy storage, RLS, rationale IDs. - - Team: Findings Ledger Guild - - Path: `src/Findings/StellaOps.Findings.Ledger/TASKS.md` - 1. [TODO] LEDGER-TEN-48-001 — Tenant partitioning and RLS. - - Team: Exporter/Notifications/Orchestrator/Task Runner/Concelier/Excititor Guilds - - Paths: `src/ExportCenter/StellaOps.ExportCenter/TASKS.md`, `src/Notifier/StellaOps.Notifier/TASKS.md`, `src/Orchestrator/StellaOps.Orchestrator/TASKS.md`, `src/TaskRunner/StellaOps.TaskRunner/TASKS.md`, `src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md`, `src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md` - 1. [TODO] Export/Notify tasks (EXPORT-TEN-48-001, NOTIFY-TEN-48-001) — Tenant stamping. - 2. [TODO] ORCH-TEN-48-001, TASKRUN-TEN-48-001 — Job context enforcement. - 3. [TODO] CONCELIER/EXCITITOR-TEN-48-001 — Tenant-aware linking with aggregation-only guarantee. - - Team: Docs Guild - - Path: `docs/TASKS.md` - 1. [TODO] DOCS-TEN-47-001/48-001/49-001 — Tenancy docs suite (overview, operations, authentication, ABAC). - - Team: DevOps Guild - - Path: `ops/devops/TASKS.md` - 1. [TODO] DEVOPS-TEN-47-001/48-001/49-001 — JWKS caching, RLS tests, audit pipeline, chaos tests. - - Team: Deployment Guild - - Path: `ops/deployment/TASKS.md` - 1. [TODO] DEPLOY updates (if needed) for tenant configuration. diff --git a/docs/implplan/SPRINTS.md b/docs/implplan/SPRINTS.md index 10073b5a..e2a3947b 100644 --- a/docs/implplan/SPRINTS.md 
+++ b/docs/implplan/SPRINTS.md 
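Review bot: the removed Wave 11 / Sprint 32–49 block above (the hunk ending just before this `diff --git a/docs/implplan/SPRINTS.md` header) encodes security-relevant ordering constraints, and neither the commit message nor the visible file list says where they now live. The lines being deleted state, for example, that AUTH-ORCH-32-001 (`orch:read` scope, `Orch.Viewer` role) must land before CLI/Console read surfaces, that AUTH-ORCH-33-001 (`Orch.Operator` plus enforced reason strings) and AUTH-ORCH-34-001 (`Orch.Admin`, audit reason enforcement) gate the control/admin surfaces, that AUTH-EXPORT-35-001 and AUTH-NOTIFY-38-001 publish scopes before Console/CLI ship, that AUTH-NOTIFY-40-001 covers ack token signing/rotation and webhook allowlists, that AUTH-PACKS-43-001 enforces pack signing/approval, and that AUTH-TEN-47-001/49-001 drive scope grammar, tenant claims and RLS work. Please confirm each of these prerequisites is carried into `docs/implplan/SPRINT_100_identity_signing.md` and the other new `SPRINT_1xx` files (or into an archive), and add a pointer in the replacement text so reviewers can trace them. Separately, if the new sprint files were derived from this block, check that its visible defects were not copied forward: every Console Guild entry points at `src/Cli/StellaOps.Cli/TASKS.md` instead of a Console task file; Sprint 42 re-lists the Sprint 41 IDs `CLI-PARITY-41-001/002`; Sprint 43 reuses `EXPORT-SVC-35-005`, `EXPORT-SVC-37-001` and `NOTIFY-SVC-40-001` as if they were new tasks; and the Offline Kit Guild is assigned a `CLI-PACKS-43-002` ID under `ops/offline-kit/TASKS.md`.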
@@ -1,1095 +1,15 @@ -This file describe implementation of Stella Ops (docs/README.md). Implementation must respect rules from AGENTS.md (read if you have not). - -| Sprint | Theme | Tasks File Path | Status | Type of Specialist | Task ID | Task Description | -| --- | --- | --- | --- | --- | --- | --- | -| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | DOING (2025-10-27) | Scheduler Worker Guild | SCHED-WORKER-16-201 | Planner loop (cron/event triggers, leases, fairness). | -| Sprint 17 | Symbol Intelligence & Forensics | ops/offline-kit/TASKS.md | BLOCKED (2025-10-26) | Offline Kit Guild, DevOps Guild | DEVOPS-OFFLINE-17-004 | Run mirror_debug_store.py once release artefacts exist and archive verification evidence with the Offline Kit. | -| Sprint 17 | Symbol Intelligence & Forensics | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild | DEVOPS-REL-17-004 | Ensure release workflow publishes `out/release/debug` (build-id tree + manifest) and fails when symbols are missing. | -> DOCS-AOC-19-004: Architecture overview & policy-engine docs refreshed 2025-10-26 — reuse new AOC boundary diagram + metrics guidance. -> DOCS-AOC-19-005: Link to the new AOC reference and architecture overview; include exit code table sourced from those docs. -| Sprint 19 | Aggregation-Only Contract Enforcement | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild, Platform Guild | DEVOPS-AOC-19-001 | Integrate AOC analyzer/guard enforcement into CI pipelines. | -| Sprint 19 | Aggregation-Only Contract Enforcement | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild | DEVOPS-AOC-19-002 | Add CI stage running `stella aoc verify` against seeded snapshots. | -| Sprint 19 | Aggregation-Only Contract Enforcement | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild, QA Guild | DEVOPS-AOC-19-003 | Enforce guard coverage thresholds and export metrics to dashboards. 
| -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Cli/StellaOps.Cli/TASKS.md | DOING (2025-10-27) | DevEx/CLI Guild | CLI-AOC-19-001 | Implement `stella sources ingest --dry-run` command. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AOC-19-002 | Implement `stella aoc verify` command with exit codes. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Cli/StellaOps.Cli/TASKS.md | TODO | Docs/CLI Guild | CLI-AOC-19-003 | Update CLI reference and quickstart docs for new AOC commands. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-001 | Implement AOC repository guard rejecting forbidden fields. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-002 | Deliver deterministic linkset extraction for advisories. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-003 | Enforce idempotent append-only upsert with supersedes pointers. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | DOING (2025-10-28) | Concelier Core Guild | CONCELIER-CORE-AOC-19-004 | Remove ingestion normalization; defer derived logic to Policy Engine. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-013 | Extend smoke coverage to validate tenant-scoped Authority tokens and cross-tenant rejection. 
| -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-001 | Add Mongo schema validator for `advisory_raw`. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-002 | Create idempotency unique index backed by migration scripts. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-003 | Deliver append-only migration/backfill plan with supersedes chaining. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild, DevOps Guild | CONCELIER-STORE-AOC-19-004 | Document validator deployment steps for online/offline clusters. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild, Observability Guild | CONCELIER-WEB-AOC-19-002 | Emit AOC observability metrics, traces, and structured logs. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | QA Guild | CONCELIER-WEB-AOC-19-003 | Add schema/guard unit tests covering AOC error codes. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild, QA Guild | CONCELIER-WEB-AOC-19-004 | Build integration suite validating deterministic ingest under load. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-001 | Introduce VEX repository guard enforcing AOC invariants. 
| -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-002 | Build deterministic VEX linkset extraction. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-003 | Enforce append-only idempotent VEX raw upserts. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-004 | Remove ingestion consensus logic; rely on Policy Engine. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-013 | Update smoke suites to enforce tenant-scoped Authority tokens and cross-tenant VEX rejection. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-001 | Add Mongo schema validator for `vex_raw`. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-002 | Create idempotency unique index for VEX raw documents. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-003 | Deliver append-only migration/backfill for VEX raw collections. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild, DevOps Guild | EXCITITOR-STORE-AOC-19-004 | Document validator deployment for Excititor clusters/offline kit. 
| -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-AOC-19-001 | Implement raw VEX ingestion and AOC verifier endpoints. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild, Observability Guild | EXCITITOR-WEB-AOC-19-002 | Emit AOC metrics/traces/logging for Excititor ingestion. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | QA Guild | EXCITITOR-WEB-AOC-19-003 | Add AOC guard test harness for VEX schemas. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild, QA Guild | EXCITITOR-WEB-AOC-19-004 | Validate large VEX ingest runs and CLI verification parity. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-WORKER-AOC-19-001 | Rewire worker to persist raw VEX docs with guard enforcement. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-WORKER-AOC-19-002 | Enforce signature/checksum verification prior to raw writes. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-AOC-19-001 | Add lint preventing ingestion modules from referencing Policy-only helpers. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild, Security Guild | POLICY-AOC-19-002 | Enforce Policy-only writes to `effective_finding_*` collections. 
| -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-AOC-19-003 | Update Policy readers to consume only raw document fields. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild, QA Guild | POLICY-AOC-19-004 | Add determinism tests for raw-driven policy recomputation. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-AOC-19-001 | Add Sources dashboard tiles surfacing AOC status and violations. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-AOC-19-002 | Build violation drill-down view for offending documents. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-AOC-19-003 | Wire "Verify last 24h" action and CLI parity messaging. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Web/StellaOps.Web/TASKS.md | DOING (2025-10-26) | BE-Base Platform Guild | WEB-AOC-19-001 | Provide shared AOC forbidden key set and guard middleware. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AOC-19-002 | Ship provenance builder and signature helpers for ingestion services. | -| Sprint 19 | Aggregation-Only Contract Enforcement | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, QA Guild | WEB-AOC-19-003 | Author analyzer + shared test fixtures for guard compliance. | -| Sprint 20 | Policy Engine v2 | ops/devops/TASKS.md | BLOCKED (waiting on POLICY-ENGINE-20-006) | DevOps Guild | DEVOPS-POLICY-20-002 | Run `stella policy simulate` CI stage against golden SBOMs. 
| -| Sprint 20 | Policy Engine v2 | src/Bench/StellaOps.Bench/TASKS.md | BLOCKED (waiting on SCHED-WORKER-20-302) | Bench Guild, Scheduler Guild | BENCH-POLICY-20-002 | Add incremental run benchmark capturing delta SLA compliance. | -| Sprint 20 | Policy Engine v2 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild, Docs Guild | CLI-POLICY-20-003 | Extend `stella findings` commands with policy filters and explain view. | -> 2025-10-27: Backend helpers drafted but command integration/tests pending; task reset to TODO awaiting follow-up. -| Sprint 20 | Policy Engine v2 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-POLICY-20-002 | Strengthen linkset builders with equivalence tables + range parsing. | -| Sprint 20 | Policy Engine v2 | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-POLICY-20-003 | Add advisory selection cursors + change-stream checkpoints for policy runs. | -| Sprint 20 | Policy Engine v2 | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-POLICY-20-001 | Provide advisory selection endpoints for policy engine (batch PURL/ID). | -| Sprint 20 | Policy Engine v2 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-POLICY-20-002 | Enhance VEX linkset scope + version resolution for policy accuracy. | -| Sprint 20 | Policy Engine v2 | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-POLICY-20-003 | Introduce VEX selection cursors + change-stream checkpoints. | -| Sprint 20 | Policy Engine v2 | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-POLICY-20-001 | Ship VEX selection APIs aligned with policy join requirements. 
| -| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | BLOCKED (2025-10-26) | Policy Guild | POLICY-ENGINE-20-002 | Implement deterministic rule evaluator with priority/first-match semantics. | -| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Concelier Core, Excititor Core | POLICY-ENGINE-20-003 | Build SBOM↔advisory↔VEX linkset joiners with deterministic batching. | -| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Storage Guild | POLICY-ENGINE-20-004 | Materialize effective findings with append-only history and tenant scoping. | -| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Security Guild | POLICY-ENGINE-20-005 | Enforce determinism guard banning wall-clock, RNG, and network usage. | -| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Scheduler Guild | POLICY-ENGINE-20-006 | Implement incremental orchestrator reacting to change streams. | -| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Observability Guild | POLICY-ENGINE-20-007 | Emit policy metrics, traces, and sampled rule-hit logs. | -| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, QA Guild | POLICY-ENGINE-20-008 | Add unit/property/golden/perf suites verifying determinism + SLA. | -| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Storage Guild | POLICY-ENGINE-20-009 | Define Mongo schemas/indexes + migrations for policies/runs/findings. | -| Sprint 20 | Policy Engine v2 | src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md | TODO | Scheduler Models Guild | SCHED-MODELS-20-002 | Update schema docs with policy run lifecycle samples. 
| -| Sprint 20 | Policy Engine v2 | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-WEB-20-001 | Expose policy run scheduling APIs with scope enforcement. | -| Sprint 20 | Policy Engine v2 | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-WEB-20-002 | Provide simulation trigger endpoint returning diff metadata. | -| Sprint 20 | Policy Engine v2 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-20-301 | Schedule policy runs via API with idempotent job tracking. | -| Sprint 20 | Policy Engine v2 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-20-302 | Implement delta targeting leveraging change streams + policy metadata. | -| Sprint 20 | Policy Engine v2 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild, Observability Guild | SCHED-WORKER-20-303 | Expose policy scheduling metrics/logs with policy/run identifiers. | -| Sprint 20 | Policy Engine v2 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-POLICY-20-001 | Ship Monaco-based policy editor with inline diagnostics + checklists. | -| Sprint 20 | Policy Engine v2 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-POLICY-20-002 | Build simulation panel with deterministic diff rendering + virtualization. | -| Sprint 20 | Policy Engine v2 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild, Product Ops | UI-POLICY-20-003 | Implement submit/review/approve workflow with RBAC + audit trail. | -| Sprint 20 | Policy Engine v2 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild, Observability Guild | UI-POLICY-20-004 | Add run dashboards (heatmap/VEX wins/suppressions) with export. 
| -| Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-20-001 | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints. | -| Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-20-002 | Add pagination, filters, deterministic ordering to policy listings. | -| Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, QA Guild | WEB-POLICY-20-003 | Map engine errors to `ERR_POL_*` responses with contract tests. | -| Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web/TASKS.md | TODO | Platform Reliability Guild | WEB-POLICY-20-004 | Introduce rate limits/quotas + metrics for simulation endpoints. | -| Sprint 21 | Graph Explorer v1 | src/Bench/StellaOps.Bench/TASKS.md | BLOCKED (2025-10-27) | Bench Guild, Graph Platform Guild | BENCH-GRAPH-21-001 | Graph viewport/path perf harness (50k/100k nodes) measuring Graph API/Indexer latency and cache hit rates. Executed within Sprint 28 Graph program. Upstream Graph API/indexer contracts (`GRAPH-API-28-003`, `GRAPH-INDEX-28-006`) still pending, so benchmarks cannot target stable endpoints yet. | -| Sprint 21 | Graph Explorer v1 | src/Bench/StellaOps.Bench/TASKS.md | BLOCKED (2025-10-27) | Bench Guild, UI Guild | BENCH-GRAPH-21-002 | Headless UI load benchmark for graph canvas interactions (Playwright) tracking render FPS budgets. Executed within Sprint 28 Graph program. Depends on BENCH-GRAPH-21-001 and UI Graph Explorer (`UI-GRAPH-24-001`), both pending. | -| Sprint 21 | Graph Explorer v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | BLOCKED (2025-10-27) | Concelier Core Guild | CONCELIER-GRAPH-21-001 | Enrich SBOM normalization with relationships, scopes, entrypoint annotations for Cartographer. Requires finalized schemas from `CONCELIER-POLICY-20-002` and Cartographer event contract (`CARTO-GRAPH-21-002`). 
| -| Sprint 21 | Graph Explorer v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | BLOCKED (2025-10-27) | Concelier Core & Scheduler Guilds | CONCELIER-GRAPH-21-002 | Publish SBOM change events with tenant metadata for graph builds. Awaiting projection schema from `CONCELIER-GRAPH-21-001` and Cartographer webhook expectations. | -| Sprint 21 | Graph Explorer v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | BLOCKED (2025-10-27) | Excititor Core Guild | EXCITITOR-GRAPH-21-001 | Deliver batched VEX/advisory fetch helpers for inspector linkouts. Waiting on linkset enrichment (`EXCITITOR-POLICY-20-002`) and Cartographer inspector contract (`CARTO-GRAPH-21-005`). | -| Sprint 21 | Graph Explorer v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | BLOCKED (2025-10-27) | Excititor Core Guild | EXCITITOR-GRAPH-21-002 | Enrich overlay metadata with VEX justification summaries for graph overlays. Depends on `EXCITITOR-GRAPH-21-001` and Policy overlay schema (`POLICY-ENGINE-30-001`). | -| Sprint 21 | Graph Explorer v1 | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | BLOCKED (2025-10-27) | Excititor Storage Guild | EXCITITOR-GRAPH-21-005 | Create indexes/materialized views for VEX lookups by PURL/policy. Awaiting access pattern specs from `EXCITITOR-GRAPH-21-001`. | -| Sprint 21 | Graph Explorer v1 | src/SbomService/StellaOps.SbomService/TASKS.md | BLOCKED (2025-10-27) | SBOM Service Guild | SBOM-SERVICE-21-001 | Expose normalized SBOM projection API with relationships, scopes, entrypoints. Waiting on Concelier projection schema (`CONCELIER-GRAPH-21-001`). | -| Sprint 21 | Graph Explorer v1 | src/SbomService/StellaOps.SbomService/TASKS.md | BLOCKED (2025-10-27) | SBOM Service & Scheduler Guilds | SBOM-SERVICE-21-002 | Emit SBOM version change events for Cartographer build queue. Depends on SBOM projection API (`SBOM-SERVICE-21-001`) and Scheduler contracts. 
| -| Sprint 21 | Graph Explorer v1 | src/SbomService/StellaOps.SbomService/TASKS.md | BLOCKED (2025-10-27) | SBOM Service Guild | SBOM-SERVICE-21-003 | Provide entrypoint management API with tenant overrides. Blocked by SBOM projection API contract. | -| Sprint 21 | Graph Explorer v1 | src/SbomService/StellaOps.SbomService/TASKS.md | BLOCKED (2025-10-27) | SBOM Service & Observability Guilds | SBOM-SERVICE-21-004 | Add metrics/traces/logs for SBOM projections. Requires projection pipeline from `SBOM-SERVICE-21-001`. | -| Sprint 21 | Graph Explorer v1 | src/Web/StellaOps.Web/TASKS.md | BLOCKED (2025-10-27) | BE-Base Platform Guild | WEB-GRAPH-21-001 | Add gateway routes for graph APIs with scope enforcement and streaming. Upstream Graph API (`GRAPH-API-28-003`) and Authority scope work (`AUTH-VULN-24-001`) pending. | -| Sprint 21 | Graph Explorer v1 | src/Web/StellaOps.Web/TASKS.md | BLOCKED (2025-10-27) | BE-Base Platform Guild | WEB-GRAPH-21-002 | Implement bbox/zoom/path validation and pagination for graph endpoints. Depends on core proxy routes. | -| Sprint 21 | Graph Explorer v1 | src/Web/StellaOps.Web/TASKS.md | BLOCKED (2025-10-27) | BE-Base Platform & QA Guilds | WEB-GRAPH-21-003 | Map graph errors to `ERR_Graph_*` and support export streaming. Requires `WEB-GRAPH-21-001`. | -| Sprint 21 | Graph Explorer v1 | src/Web/StellaOps.Web/TASKS.md | BLOCKED (2025-10-27) | BE-Base & Policy Guilds | WEB-GRAPH-21-004 | Wire Policy Engine simulation overlays into graph responses. Waiting on Graph routes and Policy overlay schema (`POLICY-ENGINE-30-002`). | -| Sprint 22 | Link-Not-Merge v1 | docs/TASKS.md | BLOCKED (2025-10-27) | Docs Guild | DOCS-LNM-22-001 | Publish advisories aggregation doc with observation/linkset philosophy. | -> Blocked by `CONCELIER-LNM-21-001..003`; draft doc exists but final alignment waits for schema/API delivery. 
-| Sprint 22 | Link-Not-Merge v1 | docs/TASKS.md | BLOCKED (2025-10-27) | Docs Guild | DOCS-LNM-22-002 | Publish VEX aggregation doc describing observation/linkset flow. | -> Blocked by `EXCITITOR-LNM-21-001..003`; draft doc staged pending observation/linkset implementation. -| Sprint 22 | Link-Not-Merge v1 | docs/TASKS.md | BLOCKED (2025-10-27) | Docs Guild | DOCS-LNM-22-005 | Document UI evidence panel with conflict badges/AOC drill-down. | -> Blocked by `UI-LNM-22-001..003`; need shipping UI to capture screenshots and finalize guidance. -| Sprint 22 | Link-Not-Merge v1 | ops/devops/TASKS.md | BLOCKED (2025-10-27) | DevOps Guild | DEVOPS-LNM-22-001 | Execute advisory observation/linkset migration/backfill and automation. | -| Sprint 22 | Link-Not-Merge v1 | ops/devops/TASKS.md | BLOCKED (2025-10-27) | DevOps Guild | DEVOPS-LNM-22-002 | Run VEX observation/linkset migration/backfill with monitoring/runbook. | -| Sprint 22 | Link-Not-Merge v1 | samples/TASKS.md | BLOCKED (2025-10-27) | Samples Guild | SAMPLES-LNM-22-001 | Add advisory observation/linkset fixtures with conflicts. | -| Sprint 22 | Link-Not-Merge v1 | samples/TASKS.md | BLOCKED (2025-10-27) | Samples Guild | SAMPLES-LNM-22-002 | Add VEX observation/linkset fixtures with status disagreements. | -| Sprint 22 | Link-Not-Merge v1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-AOC-22-001 | Roll out new advisory/vex ingest/read scopes. | -| Sprint 22 | Link-Not-Merge v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-LNM-22-001 | Implement advisory observation/linkset CLI commands with JSON/OSV export. | -| Sprint 22 | Link-Not-Merge v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-LNM-22-002 | Implement VEX observation/linkset CLI commands. 
| -| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-LNM-21-001 | Define immutable advisory observation schema with AOC metadata. | -| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild, Data Science Guild | CONCELIER-LNM-21-002 | Implement advisory linkset builder with correlation signals/conflicts. | -| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md | TODO | BE-Merge | MERGE-LNM-21-002 | Deprecate merge service and enforce observation-only pipeline. | -| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-LNM-21-101 | Provision observations/linksets collections and indexes. | -| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage & DevOps Guilds | CONCELIER-LNM-21-102 | Backfill legacy merged advisories into observations/linksets with rollback tooling. | -| Sprint 22 | Link-Not-Merge v1 | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-LNM-21-201 | Ship advisory observation read APIs with pagination/RBAC. | -| Sprint 22 | Link-Not-Merge v1 | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-LNM-21-202 | Implement advisory linkset read/export/evidence endpoints mapped to `ERR_AGG_*`. | -| Sprint 22 | Link-Not-Merge v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-LNM-21-001 | Define immutable VEX observation model. | -| Sprint 22 | Link-Not-Merge v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-LNM-21-002 | Build VEX linkset correlator with confidence/conflict recording. 
| -| Sprint 22 | Link-Not-Merge v1 | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-LNM-21-101 | Provision VEX observation/linkset collections and indexes. | -| Sprint 22 | Link-Not-Merge v1 | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage & DevOps Guilds | EXCITITOR-LNM-21-102 | Backfill legacy VEX data into observations/linksets with rollback scripts. | -| Sprint 22 | Link-Not-Merge v1 | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-LNM-21-201 | Expose VEX observation APIs with filters/pagination and RBAC. | -| Sprint 22 | Link-Not-Merge v1 | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-LNM-21-202 | Implement VEX linkset endpoints + exports with evidence payloads. | -| Sprint 22 | Link-Not-Merge v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-40-001 | Update severity selection to handle multiple source severities per linkset. | -| Sprint 22 | Link-Not-Merge v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Excititor Guild | POLICY-ENGINE-40-002 | Integrate VEX linkset conflicts into effective findings/explain traces. | -| Sprint 22 | Link-Not-Merge v1 | src/Scanner/StellaOps.Scanner.WebService/TASKS.md | TODO | Scanner WebService Guild | SCANNER-LNM-21-001 | Update report/runtime payloads to consume linksets and surface source evidence. | -| Sprint 22 | Link-Not-Merge v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-LNM-22-001 | Deliver Evidence panel with policy banner and source observations. | -| Sprint 22 | Link-Not-Merge v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-LNM-22-003 | Add VEX evidence tab with conflict indicators and exports. 
| -| Sprint 22 | Link-Not-Merge v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-LNM-21-001 | Surface advisory observation/linkset APIs through gateway with RBAC. | -| Sprint 22 | Link-Not-Merge v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-LNM-21-002 | Expose VEX observation/linkset endpoints with export handling. | -| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-015 | Produce `/docs/architecture/console.md` describing packages, data flow, SSE design. | -| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-017 | Create `/docs/examples/ui-tours.md` walkthroughs with annotated screenshots/GIFs. | -| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-018 | Execute console security checklist and record Security Guild sign-off. | -| Sprint 23 | StellaOps Console | ops/deployment/TASKS.md | TODO | Deployment Guild | DOWNLOADS-CONSOLE-23-001 | Maintain signed downloads manifest pipeline feeding Console + docs parity checks. | -| Sprint 23 | StellaOps Console | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild | DEVOPS-CONSOLE-23-001 | Stand up console CI pipeline (pnpm cache, lint, tests, Playwright, Lighthouse, offline runners). | -| Sprint 23 | StellaOps Console | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONSOLE-23-002 | Deliver `stella-console` container + Helm overlays with SBOM/provenance and offline packaging. | -| Sprint 23 | StellaOps Console | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-CONSOLE-23-001 | Register Console OIDC client with PKCE, scopes, short-lived tokens, and offline defaults. | -| Sprint 23 | StellaOps Console | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-CONSOLE-23-002 | Provide tenant catalog/user profile endpoints with audit logging and fresh-auth requirements. 
| -| Sprint 23 | StellaOps Console | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-CONSOLE-23-003 | Update security docs/sample configs for Console flows, CSP, and session policies. | -| Sprint 23 | StellaOps Console | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-001 | Surface `/console/advisories` aggregation views with per-source metadata and filters. | -| Sprint 23 | StellaOps Console | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-002 | Provide advisory delta metrics API for dashboard + live status ticker. | -| Sprint 23 | StellaOps Console | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-003 | Add search helpers for CVE/GHSA/PURL lookups returning evidence fragments. | -| Sprint 23 | StellaOps Console | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-CONSOLE-23-001 | Expose `/console/vex` aggregation endpoints with precedence and provenance. | -| Sprint 23 | StellaOps Console | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-CONSOLE-23-002 | Publish VEX override delta metrics feeding dashboard/status ticker. | -| Sprint 23 | StellaOps Console | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-CONSOLE-23-003 | Implement VEX search helpers for global search and explain drill-downs. | -| Sprint 23 | StellaOps Console | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Scheduler Guild | EXPORT-CONSOLE-23-001 | Implement evidence bundle/export generator with signed manifests and telemetry. 
| -| Sprint 23 | StellaOps Console | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-CONSOLE-23-001 | Optimize findings/explain APIs for Console filters, aggregation hints, and provenance traces. | -| Sprint 23 | StellaOps Console | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Product Ops | POLICY-CONSOLE-23-002 | Expose simulation diff + approval state metadata for policy workspace scenarios. | -| Sprint 23 | StellaOps Console | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-CONSOLE-23-001 | Deliver Console SBOM catalog API with filters, evaluation metadata, and raw projections. | -| Sprint 23 | StellaOps Console | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-CONSOLE-23-002 | Provide component lookup/neighborhood endpoints for global search and overlays. | -| Sprint 23 | StellaOps Console | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-CONSOLE-23-001 | Extend runs API with SSE progress, queue lag summaries, RBAC actions, and history pagination. | -| Sprint 23 | StellaOps Console | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-CONSOLE-23-201 | Stream run progress events with heartbeat/dedupe for Console SSE consumers. | -| Sprint 23 | StellaOps Console | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-CONSOLE-23-202 | Coordinate evidence bundle job queueing, status tracking, cancellation, and retention. | -| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONSOLE-23-001 | Ship `/console/dashboard` + `/console/filters` aggregates with tenant scoping and deterministic totals. 
| -| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, Scheduler Guild | WEB-CONSOLE-23-002 | Provide `/console/status` polling and `/console/runs/{id}/stream` SSE proxy with heartbeat/backoff. | -| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, Policy Guild | WEB-CONSOLE-23-003 | Expose `/console/exports` orchestration for evidence bundles, CSV/JSON streaming, manifest retrieval. | -| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONSOLE-23-004 | Implement `/console/search` fan-out router for CVE/GHSA/PURL/SBOM lookups with caching and RBAC. | -| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, DevOps Guild | WEB-CONSOLE-23-005 | Serve `/console/downloads` manifest with signed image metadata and offline guidance. | -| Sprint 24 | Graph & Vuln Explorer v1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-VULN-24-001 | Extend scopes (`vuln:read`) and signed permalinks. | -> 2025-10-27: Scope enforcement spike paused; no production change landed. -| Sprint 24 | Graph & Vuln Explorer v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-GRAPH-24-001 | Surface raw advisory observations/linksets for overlay services (no derived aggregation in ingestion). | -> 2025-10-27: Prototype not merged (query layer + CLI consumer under review); resetting to TODO. -| Sprint 24 | Graph & Vuln Explorer v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-GRAPH-24-001 | Surface raw VEX statements/linksets for overlay services (no suppression/precedence logic here). | -| Sprint 24 | Graph & Vuln Explorer v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-60-001 | Maintain Redis effective decision maps for overlays. 
| -| Sprint 24 | Graph & Vuln Explorer v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-60-002 | Provide simulation bridge for graph what-if APIs. | -| Sprint 24 | Graph & Vuln Explorer v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-GRAPH-24-001 | Build Graph Explorer canvas with virtualization. | -| Sprint 24 | Graph & Vuln Explorer v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-GRAPH-24-002 | Implement overlays (Policy/Evidence/License/Exposure). | -| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-001 | Document exception governance concepts/workflow. | -| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-002 | Document approvals routing / MFA requirements. | -| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-003 | Publish API documentation for exceptions endpoints. | -| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-005 | Document UI exception center + badges. | -| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-006 | Update CLI docs for exception commands. | -| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-007 | Write migration guide for governed exceptions. | -| Sprint 25 | Exceptions v1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-EXC-25-001 | Introduce exception scopes and routing matrix with MFA. | -| Sprint 25 | Exceptions v1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-EXC-25-002 | Update docs/config samples for exception governance. | -| Sprint 25 | Exceptions v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXC-25-001 | Implement CLI exception workflow commands. | -| Sprint 25 | Exceptions v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXC-25-002 | Extend policy simulate with exception overrides. 
| -| Sprint 25 | Exceptions v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-002 | Create exception collections/bindings storage + repos. | -| Sprint 25 | Exceptions v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-003 | Implement Redis exception cache + invalidation. | -| Sprint 25 | Exceptions v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-004 | Add metrics/tracing/logging for exception application. | -| Sprint 25 | Exceptions v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-005 | Hook workers/events for activation/expiry. | -| Sprint 25 | Exceptions v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-25-101 | Implement exception lifecycle worker for activation/expiry. | -| Sprint 25 | Exceptions v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-25-102 | Add expiring notification job & metrics. | -| Sprint 25 | Exceptions v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-001 | Deliver Exception Center (list/kanban) with workflows. | -| Sprint 25 | Exceptions v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-002 | Build exception creation wizard with scope/timebox guardrails. | -| Sprint 25 | Exceptions v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-003 | Add inline exception drafting/proposing from explorers. | -| Sprint 25 | Exceptions v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-004 | Surface badges/countdowns/explain integration. | -| Sprint 25 | Exceptions v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXC-25-001 | Ship exception CRUD + workflow API endpoints. 
| -| Sprint 25 | Exceptions v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXC-25-002 | Extend policy endpoints to include exception metadata. | -| Sprint 25 | Exceptions v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXC-25-003 | Emit exception events/notifications with rate limits. | -| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-001 | Document reachability concepts and scoring. | -| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-002 | Document callgraph formats. | -| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-003 | Document runtime facts ingestion. | -| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-004 | Document policy weighting for signals. | -| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-005 | Document UI overlays/timelines. | -| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-006 | Document CLI reachability commands. | -| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-007 | Publish API docs for signals endpoints. | -| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-008 | Write migration guide for enabling reachability. | -| Sprint 26 | Reachability v1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-SIG-26-001 | Provision pipelines/deployments for Signals service. | -| Sprint 26 | Reachability v1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-SIG-26-002 | Add dashboards/alerts for reachability metrics. | -| Sprint 26 | Reachability v1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-SIG-26-001 | Add signals scopes/roles + AOC requirements. | -| Sprint 26 | Reachability v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SIG-26-001 | Implement reachability CLI commands (upload/list/explain). 
| -| Sprint 26 | Reachability v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SIG-26-002 | Add reachability overrides to policy simulate. | -| Sprint 26 | Reachability v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-SIG-26-001 | Expose advisory symbol metadata for signals scoring. | -| Sprint 26 | Reachability v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-SIG-26-001 | Surface vendor exploitability hints to Signals. | -| Sprint 26 | Reachability v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-001 | Integrate reachability inputs into policy evaluation and explainers. | -| Sprint 26 | Reachability v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-002 | Optimize reachability fact retrieval + cache. | -| Sprint 26 | Reachability v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-003 | Update SPL compiler for reachability predicates. | -| Sprint 26 | Reachability v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-004 | Emit reachability metrics/traces. | -| Sprint 26 | Reachability v1 | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-SPL-24-001 | Extend SPL schema with reachability predicates/actions. | -| Sprint 26 | Reachability v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-26-201 | Implement reachability joiner worker. | -| Sprint 26 | Reachability v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-26-202 | Implement staleness monitor + notifications. 
| -| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild, Authority Guild | SIGNALS-24-001 | Stand up Signals API skeleton with RBAC + health checks. Host scaffold ready, waiting on `AUTH-SIG-26-001` to finalize scope issuance and tenant enforcement. | -| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-002 | Implement callgraph ingestion/normalization pipeline. Waiting on SIGNALS-24-001 skeleton deployment. | -| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-003 | Ingest runtime facts and persist context data with AOC provenance. Depends on SIGNALS-24-001 base host. | -| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-004 | Deliver reachability scoring engine writing reachability facts. Blocked until ingestion pipelines unblock. | -| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-005 | Implement caches + signals events. Downstream of SIGNALS-24-004. | -| Sprint 26 | Reachability v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-001 | Add reachability columns/badges to Vulnerability Explorer. | -| Sprint 26 | Reachability v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-002 | Enhance Why drawer with call path/timeline. | -| Sprint 26 | Reachability v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-003 | Add reachability overlay/time slider to SBOM Graph. | -| Sprint 26 | Reachability v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-004 | Build Reachability Center + missing sensor view. | -| Sprint 26 | Reachability v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-SIG-26-001 | Expose signals proxy endpoints with pagination and RBAC. 
| -| Sprint 26 | Reachability v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-SIG-26-002 | Join reachability data into policy/vuln responses. | -| Sprint 26 | Reachability v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-SIG-26-003 | Support reachability overrides in simulate APIs. | -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Guilds | DOCS-POLICY-27-001 | Publish `/docs/policy/studio-overview.md` with lifecycle + roles. | -> Blocked by `REGISTRY-API-27-001` and `POLICY-ENGINE-27-001`; revisit once spec and compile enrichments land. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Console Guilds | DOCS-POLICY-27-002 | Write `/docs/policy/authoring.md` with templates/snippets/lint rules. | -> Blocked by `CONSOLE-STUDIO-27-001` pending; waiting on Studio authoring UX. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Registry Guilds | DOCS-POLICY-27-003 | Document `/docs/policy/versioning-and-publishing.md`. | -> Blocked by `REGISTRY-API-27-007` pending publish/sign pipeline. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Scheduler Guilds | DOCS-POLICY-27-004 | Publish `/docs/policy/simulation.md` with quick vs batch guidance. | -> Blocked by `REGISTRY-API-27-005`/`SCHED-WORKER-27-301` pending batch simulation. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Product Ops | DOCS-POLICY-27-005 | Author `/docs/policy/review-and-approval.md`. | -> Blocked by `REGISTRY-API-27-006` review workflow outstanding. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Guilds | DOCS-POLICY-27-006 | Publish `/docs/policy/promotion.md` covering canary + rollback. | -> Blocked by `REGISTRY-API-27-008` promotion APIs not ready. 
-| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & DevEx/CLI Guilds | DOCS-POLICY-27-007 | Update `/docs/policy/cli.md` with new commands + JSON schemas. | -> Blocked by `CLI-POLICY-27-001..004` CLI commands missing. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Registry Guilds | DOCS-POLICY-27-008 | Publish `/docs/policy/api.md` aligning with Registry OpenAPI. | -> Blocked by Registry OpenAPI (`REGISTRY-API-27-001..008`) incomplete. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Security Guilds | DOCS-POLICY-27-009 | Create `/docs/security/policy-attestations.md`. | -> Blocked by `AUTH-POLICY-27-002` signing integration pending. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Architecture Guilds | DOCS-POLICY-27-010 | Write `/docs/architecture/policy-registry.md`. | -> Blocked by `REGISTRY-API-27-001` & `SCHED-WORKER-27-301` not delivered. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Observability Guilds | DOCS-POLICY-27-011 | Publish `/docs/observability/policy-telemetry.md`. | -> Blocked by `DEVOPS-POLICY-27-004` observability work outstanding. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Ops Guilds | DOCS-POLICY-27-012 | Write `/docs/runbooks/policy-incident.md`. | -> Blocked by `DEPLOY-POLICY-27-002` ops playbooks pending. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Guilds | DOCS-POLICY-27-013 | Update `/docs/examples/policy-templates.md`. | -> Blocked by `CONSOLE-STUDIO-27-001`/`REGISTRY-API-27-002` templates missing. -| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Registry Guilds | DOCS-POLICY-27-014 | Refresh `/docs/aoc/aoc-guardrails.md` with Studio guardrails. | -> Blocked by `REGISTRY-API-27-003` & `WEB-POLICY-27-001` guardrails not implemented. 
-| Sprint 27 | Policy Studio | ops/deployment/TASKS.md | TODO | Deployment & Policy Registry Guilds | DEPLOY-POLICY-27-001 | Create Helm/Compose overlays for Policy Registry + workers with signing config. | -| Sprint 27 | Policy Studio | ops/deployment/TASKS.md | TODO | Deployment & Policy Guilds | DEPLOY-POLICY-27-002 | Document policy rollout/rollback playbooks in runbook. | -| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-POLICY-27-001 | Add CI stage for policy lint/compile/test + secret scanning and artifacts. | -| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps & Policy Registry Guilds | DEVOPS-POLICY-27-002 | Provide optional batch simulation CI job with drift gating + PR comment. | -| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps & Security Guilds | DEVOPS-POLICY-27-003 | Manage signing keys + attestation verification in pipelines. | -| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps & Observability Guilds | DEVOPS-POLICY-27-004 | Build dashboards/alerts for compile latency, queue depth, approvals, promotions. | -| Sprint 27 | Policy Studio | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-POLICY-27-001 | Define Policy Studio roles/scopes for author/review/approve/operate/audit. | -| Sprint 27 | Policy Studio | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guilds | AUTH-POLICY-27-002 | Wire signing service + fresh-auth enforcement for publish/promote. | -| Sprint 27 | Policy Studio | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-POLICY-27-003 | Update authority configuration/docs for Policy Studio roles & signing. | -| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-001 | Implement policy workspace CLI commands (init, lint, compile, test). 
| -| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-002 | Add version bump, submit, review/approve CLI workflow commands. | -| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-003 | Extend simulate command for quick/batch runs, manifests, CI reports. | -| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-004 | Implement publish/promote/rollback/sign CLI lifecycle commands. | -| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI & Docs Guilds | CLI-POLICY-27-005 | Update CLI docs/reference for Policy Studio commands and schemas. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-001 | Return rule coverage, symbol table, docs, hashes from compile endpoint. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-002 | Enhance simulate outputs with heatmap, explain traces, delta summaries. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-003 | Enforce complexity/time limits with diagnostics. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-004 | Update tests/fixtures for coverage, symbol table, explain, complexity. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-001 | Define Policy Registry OpenAPI spec for workspaces, versions, reviews, simulations, promotions, attestations. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-002 | Implement workspace storage + CRUD with tenant retention policies. 
| -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-003 | Integrate compile pipeline storing diagnostics, symbol tables, complexity metrics. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-004 | Deliver quick simulation API with limits and deterministic outputs. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & Scheduler Guilds | REGISTRY-API-27-005 | Build batch simulation orchestration, reduction, and evidence bundle storage. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-006 | Implement review workflow with comments, required approvers, webhooks. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & Security Guilds | REGISTRY-API-27-007 | Ship publish/sign pipeline with attestations, immutable versions. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-008 | Implement promotion/canary bindings per tenant/environment with rollback. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & Observability Guilds | REGISTRY-API-27-009 | Instrument metrics/logs/traces for compile, simulation, approval latency. | -| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & QA Guilds | REGISTRY-API-27-010 | Build unit/integration/load test suites and seeded fixtures. | -| Sprint 27 | Policy Studio | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-CONSOLE-27-001 | Provide policy simulation orchestration endpoints with SSE + RBAC. 
| -| Sprint 27 | Policy Studio | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService & Observability Guilds | SCHED-CONSOLE-27-002 | Emit policy simulation telemetry endpoints/metrics + webhooks. | -| Sprint 27 | Policy Studio | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-27-301 | Implement batch simulation worker sharding SBOMs with retries/backoff. | -| Sprint 27 | Policy Studio | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-27-302 | Build reducer job aggregating shard outputs into manifests with checksums. | -| Sprint 27 | Policy Studio | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker & Security Guilds | SCHED-WORKER-27-303 | Enforce tenant isolation/attestation integration and secret scanning for jobs. | -| Sprint 27 | Policy Studio | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-27-001 | Proxy Policy Registry APIs with tenant scoping, RBAC, evidence streaming. | -| Sprint 27 | Policy Studio | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-27-002 | Implement review lifecycle routes with audit logs and webhooks. | -| Sprint 27 | Policy Studio | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Scheduler Guilds | WEB-POLICY-27-003 | Expose quick/batch simulation endpoints with SSE progress + manifests. | -| Sprint 27 | Policy Studio | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Security Guilds | WEB-POLICY-27-004 | Add publish/promote/rollback endpoints with canary + signing enforcement. | -| Sprint 27 | Policy Studio | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Observability Guilds | WEB-POLICY-27-005 | Instrument Policy Studio metrics/logs for dashboards. 
| -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & SBOM Guilds | DOCS-GRAPH-28-001 | Publish `/docs/sbom/graph-explorer-overview.md`. | -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Console Guilds | DOCS-GRAPH-28-002 | Write `/docs/sbom/graph-using-the-console.md` with walkthrough + accessibility tips. | -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Graph API Guilds | DOCS-GRAPH-28-003 | Document `/docs/sbom/graph-query-language.md` (JSON schema, cost rules). | -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Graph API Guilds | DOCS-GRAPH-28-004 | Publish `/docs/sbom/graph-api.md` endpoints + streaming guidance. | -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & CLI Guilds | DOCS-GRAPH-28-005 | Produce `/docs/sbom/graph-cli.md` command reference. | -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Policy Guilds | DOCS-GRAPH-28-006 | Publish `/docs/policy/graph-overlays.md`. | -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Excitator Guilds | DOCS-GRAPH-28-007 | Document `/docs/vex/graph-integration.md`. | -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Concelier Guilds | DOCS-GRAPH-28-008 | Document `/docs/advisories/graph-integration.md`. | -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Architecture Guilds | DOCS-GRAPH-28-009 | Author `/docs/architecture/graph-services.md`. | -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Observability Guilds | DOCS-GRAPH-28-010 | Publish `/docs/observability/graph-telemetry.md`. | -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Ops Guilds | DOCS-GRAPH-28-011 | Write `/docs/runbooks/graph-incidents.md`. | -| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Security Guilds | DOCS-GRAPH-28-012 | Create `/docs/security/graph-rbac.md`. 
| -| Sprint 28 | Graph Explorer | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-GRAPH-28-001 | Provide deployment/offline instructions for Graph Indexer/API, including cache seeds. | -| Sprint 28 | Graph Explorer | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-GRAPH-28-001 | Configure load/perf tests, query budget alerts, and CI smoke for graph APIs. | -| Sprint 28 | Graph Explorer | ops/devops/TASKS.md | TODO | DevOps & Security Guilds | DEVOPS-GRAPH-28-002 | Implement caching/backpressure limits, rate limiting configs, and runaway query kill switches. | -| Sprint 28 | Graph Explorer | ops/devops/TASKS.md | TODO | DevOps & Observability Guilds | DEVOPS-GRAPH-28-003 | Build dashboards/alerts for tile latency, query denials, memory pressure. | -| Sprint 28 | Graph Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-GRAPH-28-001 | Ship `stella sbom graph` subcommands (search, query, paths, diff, impacted, export) with JSON output + exit codes. | -| Sprint 28 | Graph Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-GRAPH-28-002 | Add saved query management + deep link helpers to CLI. | -| Sprint 28 | Graph Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-GRAPH-28-003 | Update CLI docs/examples for Graph Explorer commands. | -| Sprint 28 | Graph Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-GRAPH-24-101 | Deliver advisory summary API feeding graph tooltips. | -| Sprint 28 | Graph Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-GRAPH-28-102 | Add batch fetch for advisory observations/linksets keyed by component sets to feed Graph overlay tooltips efficiently. 
| -| Sprint 28 | Graph Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | WEB-LNM-21-001 | Provide advisory observation endpoints optimized for graph overlays. | -| Sprint 28 | Graph Explorer | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-GRAPH-24-101 | Provide VEX summary API for Graph Explorer inspector overlays. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-001 | Publish Graph API OpenAPI + JSON schemas for queries/tiles. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-002 | Implement `/graph/search` with caching and RBAC. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-003 | Build query planner + streaming tile pipeline with budgets. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-004 | Deliver `/graph/paths` with depth limits and policy overlay support. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-005 | Implement `/graph/diff` streaming adds/removes/changes for SBOM snapshots. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-006 | Compose advisory/VEX/policy overlays with caching + explain sampling. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-007 | Provide export jobs (GraphML/CSV/NDJSON/PNG/SVG) with manifests. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & Authority Guilds | GRAPH-API-28-008 | Enforce RBAC scopes, tenant headers, audit logging, rate limits. 
| -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & Observability Guilds | GRAPH-API-28-009 | Instrument metrics/logs/traces; publish dashboards. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & QA Guilds | GRAPH-API-28-010 | Build unit/integration/load tests with synthetic datasets. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & DevOps Guilds | GRAPH-API-28-011 | Ship deployment/offline manifests + gateway integration docs. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-001 | Define node/edge schemas, identity rules, and fixtures for graph ingestion. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-002 | Implement SBOM ingest consumer generating artifact/package/file nodes & edges. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-003 | Serve advisory overlay tiles from Conseiller linksets (no mutation of raw node/edge stores). | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-004 | Integrate VEX statements for `vex_exempts` edges with precedence metadata. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & Policy Guilds | GRAPH-INDEX-28-005 | Hydrate policy overlay nodes/edges referencing determinations + explains. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-006 | Produce graph snapshots per SBOM with lineage for diff jobs. 
| -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & Observability Guilds | GRAPH-INDEX-28-007 | Run clustering/centrality background jobs and persist cluster ids. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-008 | Build incremental/backfill pipeline with change streams, retries, backlog metrics. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & QA Guilds | GRAPH-INDEX-28-009 | Extend tests/perf fixtures ensuring determinism on large graphs. | -| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & DevOps Guilds | GRAPH-INDEX-28-010 | Provide deployment/offline artifacts and docs for Graph Indexer. | -| Sprint 28 | Graph Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-30-001 | Finalize graph overlay contract + projection API. | -| Sprint 28 | Graph Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-30-002 | Implement simulation overlay bridge for Graph Explorer queries. | -| Sprint 28 | Graph Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy & Scheduler Guilds | POLICY-ENGINE-30-003 | Emit change events for effective findings supporting graph overlays. | -| Sprint 28 | Graph Explorer | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | DOING (2025-10-26) | Scheduler WebService Guild, Scheduler Storage Guild | SCHED-WEB-21-004 | Persist graph jobs + emit completion events/webhook. | -| Sprint 28 | Graph Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-21-201 | Run graph build worker for SBOM snapshots with retries/backoff. 
| -| Sprint 28 | Graph Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-21-202 | Execute overlay refresh worker subscribing to change events. | -| Sprint 28 | Graph Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker & Observability Guilds | SCHED-WORKER-21-203 | Emit metrics/logs for graph build/overlay jobs. | -| Sprint 28 | Graph Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-GRAPH-24-001 | Route `/graph/*` APIs through gateway with tenant scoping and RBAC. | -| Sprint 28 | Graph Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-GRAPH-24-002 | Maintain overlay proxy routes to dedicated services (Policy/Vuln API), ensuring caching + RBAC only. | -| Sprint 28 | Graph Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Observability Guilds | WEB-GRAPH-24-004 | Add Graph Explorer telemetry endpoints and metrics aggregation. | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs Guild | DOCS-VULN-29-001 | Publish `/docs/vuln/explorer-overview.md`. | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Console Guilds | DOCS-VULN-29-002 | Write `/docs/vuln/explorer-using-console.md`. | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs Guild | DOCS-VULN-29-003 | Author `/docs/vuln/explorer-api.md`. | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs Guild | DOCS-VULN-29-004 | Publish `/docs/vuln/explorer-cli.md`. | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Ledger Guilds | DOCS-VULN-29-005 | Document Findings Ledger (`/docs/vuln/findings-ledger.md`). | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Policy Guilds | DOCS-VULN-29-006 | Update `/docs/policy/vuln-determinations.md`. 
| -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Excititor Guilds | DOCS-VULN-29-007 | Publish `/docs/vex/explorer-integration.md`. | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Concelier Guilds | DOCS-VULN-29-008 | Publish `/docs/advisories/explorer-integration.md`. | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & SBOM Guilds | DOCS-VULN-29-009 | Publish `/docs/sbom/vuln-resolution.md`. | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Observability Guilds | DOCS-VULN-29-010 | Publish `/docs/observability/vuln-telemetry.md`. | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Security Guilds | DOCS-VULN-29-011 | Publish `/docs/security/vuln-rbac.md`. | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Ops Guilds | DOCS-VULN-29-012 | Publish `/docs/runbooks/vuln-ops.md`. | -| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Deployment Guilds | DOCS-VULN-29-013 | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API. | -| Sprint 29 | Vulnerability Explorer | ops/deployment/TASKS.md | TODO | Deployment & Findings Ledger Guilds | DEPLOY-VULN-29-001 | Provide deployments for Findings Ledger/projector with migrations/backups. | -| Sprint 29 | Vulnerability Explorer | ops/deployment/TASKS.md | TODO | Deployment & Vuln Explorer API Guilds | DEPLOY-VULN-29-002 | Package Vuln Explorer API deployments/health checks/offline kit notes. | -| Sprint 29 | Vulnerability Explorer | ops/devops/TASKS.md | TODO | DevOps & Findings Ledger Guilds | DEVOPS-VULN-29-001 | Set up CI/backups/anchoring monitoring for Findings Ledger. | -| Sprint 29 | Vulnerability Explorer | ops/devops/TASKS.md | TODO | DevOps & Vuln Explorer API Guilds | DEVOPS-VULN-29-002 | Configure Vuln Explorer perf tests, budgets, dashboards, alerts. 
| -| Sprint 29 | Vulnerability Explorer | ops/devops/TASKS.md | TODO | DevOps & Console Guilds | DEVOPS-VULN-29-003 | Integrate Vuln Explorer telemetry pipeline with privacy safeguards + dashboards. | -| Sprint 29 | Vulnerability Explorer | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-VULN-29-001 | Define Vuln Explorer RBAC/ABAC scopes and issuer metadata. | -| Sprint 29 | Vulnerability Explorer | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-VULN-29-002 | Enforce CSRF, attachment signing, and audit logging referencing ledger hashes. | -| Sprint 29 | Vulnerability Explorer | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-VULN-29-003 | Update docs/config samples for Vuln Explorer roles and security posture. | -| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-001 | Implement `stella vuln list` with grouping, filters, JSON/CSV output. | -| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-002 | Implement `stella vuln show` with evidence/policy/path display. | -| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-003 | Add workflow CLI commands (assign/comment/accept-risk/verify-fix/target-fix/reopen). | -| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-004 | Implement `stella vuln simulate` producing diff summaries/Markdown. | -| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-005 | Implement `stella vuln export` and bundle signature verification. | -| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI & Docs Guilds | CLI-VULN-29-006 | Update CLI docs/examples for Vulnerability Explorer commands. 
| -| Sprint 29 | Vulnerability Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-VULN-29-001 | Canonicalize (lossless) advisory identifiers, persist `links[]`, backfill, and expose raw payload snapshots (no merge/derived fields). | -| Sprint 29 | Vulnerability Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-VULN-29-002 | Provide advisory evidence retrieval endpoint for Vuln Explorer. | -| Sprint 29 | Vulnerability Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService & Observability Guilds | CONCELIER-VULN-29-004 | Add metrics/logs/events for advisory normalization supporting resolver. | -| Sprint 29 | Vulnerability Explorer | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-VULN-29-001 | Canonicalize (lossless) VEX keys and product scopes with backfill + links (no merge/suppression). | -| Sprint 29 | Vulnerability Explorer | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-VULN-29-002 | Expose VEX evidence retrieval endpoint for Explorer evidence tabs. | -| Sprint 29 | Vulnerability Explorer | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService & Observability Guilds | EXCITITOR-VULN-29-004 | Instrument metrics/logs for VEX normalization and suppression events. | -| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-29-001 | Design ledger & projection schemas, hashing strategy, and migrations for Findings Ledger. | -| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-29-002 | Implement ledger write API with hash chaining and Merkle root anchoring job. 
| -| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Scheduler Guilds | LEDGER-29-003 | Build projector worker deriving `findings_projection` with idempotent replay. | -| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Policy Guilds | LEDGER-29-004 | Integrate Policy Engine batch evaluation into projector with rationale caching. | -| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-29-005 | Implement workflow mutation endpoints producing ledger events (assign/comment/accept-risk/etc.). | -| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Security Guilds | LEDGER-29-006 | Add attachment encryption, signed URLs, and CSRF protections for workflow endpoints. | -| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Observability Guilds | LEDGER-29-007 | Instrument ledger metrics/logs/alerts (write latency, projection lag, anchoring). | -| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & QA Guilds | LEDGER-29-008 | Provide replay/determinism/load tests for ledger/projector pipelines. | -| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & DevOps Guilds | LEDGER-29-009 | Deliver deployment/offline artefacts, backup/restore, Merkle anchoring guidance. | -| Sprint 29 | Vulnerability Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-29-001 | Implement policy batch evaluation endpoint returning determinations + rationale. 
| -| Sprint 29 | Vulnerability Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-29-002 | Provide simulation diff API for Vuln Explorer comparisons. | -| Sprint 29 | Vulnerability Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-29-003 | Include path/scope annotations in determinations for Explorer. | -| Sprint 29 | Vulnerability Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild & Observability Guild | POLICY-ENGINE-29-004 | Add telemetry for batch evaluation + simulation jobs. | -| Sprint 29 | Vulnerability Explorer | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-VULN-29-001 | Emit inventory evidence with scope/runtime/path/safe version hints; publish change events. | -| Sprint 29 | Vulnerability Explorer | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service & Findings Ledger Guilds | SBOM-VULN-29-002 | Provide resolver feed for candidate generation with idempotent delivery. | -| Sprint 29 | Vulnerability Explorer | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-VULN-29-001 | Expose resolver job APIs + status monitoring for Vuln Explorer recomputation. | -| Sprint 29 | Vulnerability Explorer | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService & Observability Guilds | SCHED-VULN-29-002 | Provide projector lag metrics endpoint + webhook notifications. | -| Sprint 29 | Vulnerability Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-29-001 | Implement resolver worker applying ecosystem version semantics and path scope. 
| -| Sprint 29 | Vulnerability Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-29-002 | Implement evaluation worker invoking Policy Engine and updating ledger queues. | -| Sprint 29 | Vulnerability Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker & Observability Guilds | SCHED-WORKER-29-003 | Add monitoring for resolver/evaluation backlog and SLA alerts. | -| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-001 | Publish Vuln Explorer OpenAPI + query schemas. | -| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-002 | Implement list/query endpoints with grouping, paging, cost budgets. | -| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-003 | Implement detail endpoint combining evidence, policy rationale, paths, history. | -| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Findings Ledger Guilds | VULN-API-29-004 | Expose workflow APIs writing ledger events with validation + idempotency. | -| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Policy Guilds | VULN-API-29-005 | Implement policy simulation endpoint producing diffs without side effects. | -| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-006 | Integrate Graph Explorer paths metadata and deep-link parameters. 
| -| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Security Guilds | VULN-API-29-007 | Enforce RBAC/ABAC, CSRF, attachment security, and audit logging. | -| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-008 | Provide evidence bundle export job with signing + manifests. | -| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Observability Guilds | VULN-API-29-009 | Instrument API telemetry (latency, workflow counts, exports). | -| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & QA Guilds | VULN-API-29-010 | Deliver unit/integration/perf/determinism tests for Vuln Explorer API. | -| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & DevOps Guilds | VULN-API-29-011 | Ship deployment/offline manifests, health checks, scaling docs. | -| Sprint 29 | Vulnerability Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-VULN-29-001 | Route `/vuln/*` APIs with tenant RBAC, ABAC, anti-forgery enforcement. | -| Sprint 29 | Vulnerability Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-VULN-29-002 | Proxy workflow calls to Findings Ledger with correlation IDs + retries. | -| Sprint 29 | Vulnerability Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-VULN-29-003 | Expose simulation/export orchestration with SSE/progress + signed links. | -| Sprint 29 | Vulnerability Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Observability Guilds | WEB-VULN-29-004 | Aggregate Vuln Explorer telemetry (latency, errors, exports). 
| -| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-001 | Publish `/docs/vex/consensus-overview.md`. | -| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-002 | Write `/docs/vex/consensus-algorithm.md`. | -| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-003 | Document `/docs/vex/issuer-directory.md`. | -| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-004 | Publish `/docs/vex/consensus-api.md`. | -| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-005 | Create `/docs/vex/consensus-console.md`. | -| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-006 | Add `/docs/policy/vex-trust-model.md`. | -| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-007 | Author `/docs/sbom/vex-mapping.md`. | -| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-008 | Publish `/docs/security/vex-signatures.md`. | -| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-009 | Write `/docs/runbooks/vex-ops.md`. | -| Sprint 30 | VEX Lens | ops/devops/TASKS.md | TODO | DevOps Guild | VEXLENS-30-009, ISSUER-30-005 | Set up CI/perf/telemetry dashboards for VEX Lens and Issuer Directory. | -| Sprint 30 | VEX Lens | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | VEXLENS-30-007 | Implement `stella vex consensus` CLI commands with list/show/simulate/export. | -| Sprint 30 | VEX Lens | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild, VEX Lens Guild | CONCELIER-VEXLENS-30-001 | Guarantee advisory key consistency and provide cross-links for consensus rationale (VEX Lens). | -| Sprint 30 | VEX Lens | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-VULN-29-001 | Ensure VEX evidence includes issuer hints, signatures, product trees for Lens consumption. 
| -| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory Guild | ISSUER-30-001 | Implement issuer CRUD API with RBAC and audit logs. | -| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & Security Guilds | ISSUER-30-002 | Implement key management endpoints with expiry enforcement. | -| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & Policy Guilds | ISSUER-30-003 | Provide trust weight override APIs with audit trails. | -| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & VEX Lens Guilds | ISSUER-30-004 | Integrate issuer data into signature verification clients. | -| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & Observability Guilds | ISSUER-30-005 | Instrument issuer change metrics/logs and dashboards. | -| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & DevOps Guilds | ISSUER-30-006 | Provide deployment/backup/offline docs for Issuer Directory. | -| Sprint 30 | VEX Lens | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-30-101 | Surface trust weighting configuration (issuer weights, modifiers, decay) for VEX Lens via Policy Studio/API. | -| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-001 | Implement VEX normalization pipeline (CSAF, OpenVEX, CycloneDX) with deterministic outputs. | -| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-002 | Build product mapping library aligning CSAF product trees to purls/versions with scope scoring. 
| -| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Issuer Directory Guilds | VEXLENS-30-003 | Integrate signature verification using issuer keys; annotate evidence. | -| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Policy Guilds | VEXLENS-30-004 | Implement trust weighting functions configurable via policy. | -| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-005 | Implement consensus algorithm producing state, confidence, rationale, and quorum. | -| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Findings Ledger Guilds | VEXLENS-30-006 | Materialize consensus projections and change events. | -| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-007 | Deliver query/detail/simulation/export APIs with budgets and OpenAPI docs. | -| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Policy Guilds | VEXLENS-30-008 | Integrate consensus signals with Policy Engine and Vuln Explorer. | -| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Observability Guilds | VEXLENS-30-009 | Instrument metrics/logs/traces; publish dashboards/alerts. | -| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & QA Guilds | VEXLENS-30-010 | Build unit/property/integration/load tests and determinism harness. | -| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & DevOps Guilds | VEXLENS-30-011 | Provide deployment manifests, scaling guides, offline seeds, runbooks. | -| Sprint 30 | VEX Lens | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, VEX Lens Guild | WEB-VEX-30-007 | Route `/vex/consensus` APIs via gateway with RBAC/ABAC, caching, and telemetry (proxy-only). 
| -| Sprint 31 | Advisory AI | docs/TASKS.md | TODO | Docs Guild | DOCS-AIAI-31-001 | Publish Advisory AI overview doc. | -| Sprint 31 | Advisory AI | docs/TASKS.md | TODO | Docs Guild | DOCS-AIAI-31-002 | Publish architecture doc for Advisory AI. | -| Sprint 31 | Advisory AI | docs/TASKS.md | TODO | Docs Guild | DOCS-AIAI-31-003..009 | Complete API/Console/CLI/Policy/Security/SBOM/Runbook docs. | -| Sprint 31 | Advisory AI | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-AIAI-31-001 | Provide Advisory AI deployment/offline guidance. | -| Sprint 31 | Advisory AI | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIAI-31-001 | Provision CI/perf/telemetry for Advisory AI. | -| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-001 | Implement advisory/VEX retrievers with paragraph anchors and citations. | -| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-002 | Build SBOM context retriever and blast radius estimator. | -| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-003 | Deliver deterministic toolset (version checks, dependency analysis, policy lookup). | -| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-004 | Orchestrator with task templates, tool chaining, caching. | -| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & Security Guilds | AIAI-31-005 | Guardrails (redaction, injection defense, output validation). | -| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-006 | Expose REST/batch APIs with RBAC and OpenAPI. | -| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & Observability Guilds | AIAI-31-007 | Instrument metrics/logs/traces and dashboards. 
| -| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & DevOps Guilds | AIAI-31-008 | Package inference + deployment manifests/flags. | -| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & QA Guilds | AIAI-31-009 | Build golden/injection/perf tests ensuring determinism. | -| Sprint 31 | Advisory AI | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-AIAI-31-001 | Define Advisory AI scopes and remote inference toggles. | -| Sprint 31 | Advisory AI | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-AIAI-31-002 | Enforce prompt logging and consent/audit flows. | -| Sprint 31 | Advisory AI | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIAI-31-001 | Implement `stella advise *` CLI commands leveraging Advisory AI orchestration and policy scopes. | -| Sprint 31 | Advisory AI | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-AIAI-31-001 | Expose advisory chunk API with paragraph anchors. | -| Sprint 31 | Advisory AI | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-AIAI-31-001 | Provide VEX chunks with justifications and signatures. | -| Sprint 31 | Advisory AI | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-31-001 | Provide policy knobs for Advisory AI. | -| Sprint 31 | Advisory AI | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-AIAI-31-001 | Deliver SBOM path/timeline endpoints for Advisory AI. | -| Sprint 31 | Advisory AI | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-AIAI-31-001 | Expose enriched rationale API for conflict explanations. 
| -| Sprint 31 | Advisory AI | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-AIAI-31-002 | Provide batching/caching hooks for Advisory AI. | -| Sprint 31 | Advisory AI | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AIAI-31-001 | Route `/advisory/ai/*` APIs with RBAC/telemetry. | -| Sprint 31 | Advisory AI | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AIAI-31-002 | Provide batch orchestration and retry handling for Advisory AI. | -| Sprint 31 | Advisory AI | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AIAI-31-003 | Emit Advisory AI gateway telemetry/audit logs. | -| Sprint 32 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-32-001 | Author `/docs/orchestrator/overview.md` covering mission, roles, AOC alignment, and imposed rule reminder. | -| Sprint 32 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-32-002 | Author `/docs/orchestrator/architecture.md` detailing scheduler, DAGs, rate limits, and data model. | -| Sprint 32 | Orchestrator Dashboard | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ORCH-32-001 | Provision staging Postgres/message-bus charts, CI smoke deploy, and baseline dashboards for queue depth and inflight jobs. | -| Sprint 32 | Orchestrator Dashboard | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-ORCH-32-001 | Introduce `orch:read` scope and `Orch.Viewer` role with metadata, discovery docs, and offline defaults. | -| Sprint 32 | Orchestrator Dashboard | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-32-001 | Register Concelier sources with orchestrator, publish schedules/rate policies, and seed metadata. 
| -| Sprint 32 | Orchestrator Dashboard | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-32-002 | Embed worker SDK into Concelier ingestion loops emitting progress, heartbeats, and artifact hashes. | -| Sprint 32 | Orchestrator Dashboard | src/Excititor/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-ORCH-32-001 | Adopt worker SDK in Excititor worker with job claim/heartbeat and artifact summary emission. | -| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-32-001 | Bootstrap Go worker SDK (client config, job claim, acknowledgement flow) with integration tests. | -| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-32-002 | Add heartbeat/progress helpers, structured logging, and default metrics exporters to Go SDK. | -| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-32-001 | Bootstrap Python async SDK with job claim/config adapters and sample worker. | -| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-32-002 | Implement heartbeat/progress helpers and logging/metrics instrumentation for Python workers. | -| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-001 | Bootstrap orchestrator service with Postgres schema/migrations for sources, runs, jobs, dag_edges, artifacts, quotas, schedules. | -| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-002 | Implement scheduler DAG planner, dependency resolver, and job state machine for read-only tracking. 
| -| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-003 | Expose read-only REST APIs (sources, runs, jobs, DAG) with OpenAPI + validation. | -| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-004 | Ship WebSocket/SSE live update stream and metrics counters/histograms for job lifecycle. | -| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-005 | Deliver worker claim/heartbeat/progress endpoints capturing artifact metadata and checksums. | -| Sprint 32 | Orchestrator Dashboard | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-32-101 | Define orchestrator `policy_eval` job contract, idempotency keys, and enqueue hooks for change events. | -| Sprint 32 | Orchestrator Dashboard | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-ORCH-32-001 | Integrate orchestrator job IDs into SBOM ingest/index pipelines with artifact hashing and status updates. | -| Sprint 32 | Orchestrator Dashboard | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-ORCH-32-001 | Expose read-only orchestrator APIs via gateway with tenant scoping, caching headers, and rate limits. | -| Sprint 33 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-33-001 | Author `/docs/orchestrator/api.md` with endpoints, WebSocket events, error codes, and imposed rule reminder. | -| Sprint 33 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-33-002 | Author `/docs/orchestrator/console.md` covering screens, accessibility, and live updates. | -| Sprint 33 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-33-003 | Author `/docs/orchestrator/cli.md` with command reference, examples, and exit codes. 
| -| Sprint 33 | Governance & Rules | ops/devops/TASKS.md | REVIEW (2025-10-30) | DevOps Guild, Platform Leads | DEVOPS-RULES-33-001 | Contracts & Rules anchor (gateway proxy-only; Policy Engine overlays/simulations; AOC ingestion canonicalization; Graph Indexer + Graph API as sole platform). | -| Sprint 33 | Orchestrator Dashboard | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ORCH-33-001 | Publish Grafana dashboards for rate-limit/backpressure/error clustering and configure alert rules with runbooks. | -| Sprint 33 | Orchestrator Dashboard | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-ORCH-33-001 | Add `Orch.Operator` role, control action scopes, and enforce reason/ticket field capture. | -| Sprint 33 | Orchestrator Dashboard | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-33-001 | Wire orchestrator control hooks (pause, throttle, retry) into Concelier workers with safe checkpoints. | -| Sprint 33 | Orchestrator Dashboard | src/Excititor/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-ORCH-33-001 | Honor orchestrator throttles, classify VEX errors, and emit retry-safe checkpoints in Excititor worker. | -| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-33-001 | Add artifact upload helpers (object store + checksum) and idempotency guard to Go SDK. | -| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-33-002 | Implement error classification/retry helper and structured failure report in Go SDK. | -| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-33-001 | Add artifact publish/idempotency features to Python SDK with object store integration. 
| -| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-33-002 | Expose error classification/retry/backoff helpers in Python SDK with structured logging. | -| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-001 | Enable source/job control actions (test, pause/resume, retry/cancel/prioritize) with RBAC and audit hooks. | -| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-002 | Implement adaptive token-bucket rate limiter and concurrency caps reacting to upstream 429/503 signals. | -| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-003 | Add watermark/backfill manager with event-time windows, duplicate suppression, and preview API. | -| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-004 | Deliver dead-letter storage, replay endpoints, and surfaced error classes with remediation hints. | -| Sprint 33 | Orchestrator Dashboard | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-33-101 | Implement orchestrator-driven policy evaluation workers with heartbeats, SLO metrics, and rate limit awareness. | -| Sprint 33 | Orchestrator Dashboard | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-ORCH-33-001 | Report SBOM ingest backpressure metrics and support orchestrator pause/resume/backfill signals. | -| Sprint 33 | Orchestrator Dashboard | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-ORCH-33-001 | Expose `consensus_compute` orchestrator job type and integrate VEX Lens worker for diff batches. 
| -| Sprint 33 | Orchestrator Dashboard | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-ORCH-33-001 | Add control endpoints (actions/backfill) and SSE bridging with permission checks and error mapping. | -| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-001 | Author `/docs/orchestrator/run-ledger.md` describing provenance export format and audits. | -| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-002 | Author `/docs/security/secrets-handling.md` covering KMS refs, redaction, and operator hygiene. | -| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-003 | Author `/docs/operations/orchestrator-runbook.md` (failures, backfill guide, circuit breakers). | -| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-004 | Author `/docs/schemas/artifacts.md` detailing artifact kinds, schema versions, hashing, storage layout. | -| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-005 | Author `/docs/slo/orchestrator-slo.md` defining SLOs, burn alerts, and measurement strategy. | -| Sprint 34 | Orchestrator Dashboard | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-ORCH-34-001 | Provide Helm/Compose manifests, scaling defaults, and offline kit instructions for orchestrator service. | -| Sprint 34 | Orchestrator Dashboard | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ORCH-34-001 | Harden production dashboards/alerts, synthetic probes, and incident response playbooks for orchestrator. | -| Sprint 34 | Orchestrator Dashboard | ops/offline-kit/TASKS.md | TODO | Offline Kit Guild | DEVOPS-OFFLINE-34-006 | Bundle orchestrator service, worker SDK samples, and Postgres snapshot into Offline Kit with integrity checks. 
| -| Sprint 34 | Orchestrator Dashboard | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-ORCH-34-001 | Add `Orch.Admin` role for quotas/backfills, enforce audit reason requirements, update docs and offline defaults. | -| Sprint 34 | Orchestrator Dashboard | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-ORCH-34-001 | Implement backfill wizard and quota management commands with dry-run preview and guardrails. | -| Sprint 34 | Orchestrator Dashboard | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-34-001 | Implement orchestrator-driven backfills for advisory sources with idempotent artifact reuse and ledger linkage. | -| Sprint 34 | Orchestrator Dashboard | src/Excititor/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-ORCH-34-001 | Support orchestrator backfills and circuit breaker resets for Excititor sources with auditing. | -| Sprint 34 | Orchestrator Dashboard | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-34-101 | Link orchestrator run ledger entries into Findings Ledger provenance export and audit queries. | -| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-34-001 | Add backfill range execution, watermark handshake, and artifact dedupe verification to Go SDK. | -| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-34-001 | Add backfill support and deterministic artifact dedupe validation to Python SDK. | -| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-001 | Implement quota management APIs, SLO burn-rate computation, and alert budget tracking. 
| -| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-002 | Build audit log and immutable run ledger export with signed manifest support. | -| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-003 | Run perf/scale validation (10k jobs, dispatch <150 ms) and add autoscaling hooks. | -| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-004 | Package orchestrator container, Helm overlays, offline bundle seeds, and provenance attestations. | -| Sprint 34 | Orchestrator Dashboard | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-34-101 | Expose policy eval run ledger exports and SLO burn metrics to orchestrator. | -| Sprint 34 | Orchestrator Dashboard | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-ORCH-34-001 | Enable SBOM backfill and watermark reconciliation; emit coverage metrics and flood guard. | -| Sprint 34 | Orchestrator Dashboard | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-ORCH-34-001 | Integrate consensus compute completion events with orchestrator ledger and provenance outputs. | -| Sprint 34 | Orchestrator Dashboard | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-ORCH-34-001 | Expose quotas/backfill/queue metrics endpoints, throttle toggles, and error clustering APIs. | -| Sprint 35 | EPDR Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild | SCANNER-ANALYZERS-LANG-11-001 | Build entrypoint resolver (identity + environment profiles) and emit normalized entrypoint records. 
| -| Sprint 35 | EPDR Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild | SCANNER-ANALYZERS-LANG-11-002 | Static IL/reflection/ALC heuristics producing dependency edges with reason codes and confidence. | -| Sprint 35 | EPDR Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild, Signals Guild | SCANNER-ANALYZERS-LANG-11-003 | Runtime loader/PInvoke signal ingestion merged with static/declared edges (confidence & explain). | -| Sprint 35 | Export Center Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-35-001 | Author `/docs/modules/export-center/overview.md` with purpose, profiles, security, and imposed rule reminder. | -| Sprint 35 | Export Center Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-35-002 | Author `/docs/modules/export-center/architecture.md` detailing service components, adapters, manifests, signing, and distribution. | -| Sprint 35 | Export Center Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-35-003 | Publish `/docs/modules/export-center/profiles.md` covering schemas, examples, and compatibility. | -| Sprint 35 | Export Center Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-EXPORT-35-001 | Package exporter service/worker containers, Helm overlays (download-only), and rollout guide. | -| Sprint 35 | Export Center Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-EXPORT-35-001 | Create exporter CI pipeline (lint/test/perf smoke), object storage fixtures, and initial Grafana dashboards. | -| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-001 | Bootstrap exporter service, configuration, and migrations for export profiles/runs/inputs/distributions with tenant scopes. 
| -| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-002 | Implement planner resolving filters to iterators and orchestrator job contract with deterministic sampling. | -| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-003 | Deliver JSON adapters (raw/policy) with canonical normalization, redaction enforcement, and zstd writers. | -| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-004 | Build mirror (full) adapter producing filesystem layout, manifests, and bundle assembly for download profile. | -| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-005 | Implement manifest/provenance writer and KMS signing/attestation for export bundles. | -| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-006 | Expose Export API (profiles, runs, download) with SSE updates, concurrency controls, and audit logging. | -| Sprint 35 | Export Center Phase 1 | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-EXPORT-35-001 | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings filtered by scope selectors. | -| Sprint 35 | Export Center Phase 1 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-35-101 | Register export job type, quotas, and rate policies; surface export job telemetry for scheduler. | -| Sprint 35 | Export Center Phase 1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-35-201 | Expose deterministic policy snapshot + evaluated findings endpoint aligned with Export Center requirements. 
| -| Sprint 35 | Export Center Phase 1 | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-EXPORT-35-001 | Publish consensus snapshot API delivering deterministic JSON for export consumption. | -| Sprint 35 | Export Center Phase 1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXPORT-35-001 | Route Export Center APIs through gateway with tenant scoping, viewer/operator scopes, and streaming downloads. | -| Sprint 36 | EPDR Observations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild, SBOM Service Guild | SCANNER-ANALYZERS-LANG-11-004 | Normalize EPDR output to Scanner observation writer (entrypoints + edges + env profiles). | -| Sprint 36 | EPDR Observations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild, QA Guild | SCANNER-ANALYZERS-LANG-11-005 | End-to-end fixtures/benchmarks covering publish modes, RIDs, trimming, NativeAOT with explain traces. | -| Sprint 36 | Export Center Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-36-004 | Author `/docs/modules/export-center/api.md` with endpoint examples and imposed rule note. | -| Sprint 36 | Export Center Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-36-005 | Publish `/docs/modules/export-center/cli.md` covering commands, scripts, verification, and imposed rule reminder. | -| Sprint 36 | Export Center Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-36-006 | Write `/docs/modules/export-center/trivy-adapter.md` detailing mappings, compatibility, and test matrix. | -| Sprint 36 | Export Center Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-EXPORT-36-001 | Document registry credentials, OCI push workflows, and automation for export distributions. 
| -| Sprint 36 | Export Center Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-EXPORT-36-001 | Integrate Trivy compatibility validation, OCI push smoke tests, and metrics dashboards for export throughput. | -| Sprint 36 | Export Center Phase 2 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXPORT-36-001 | Add `stella export distribute` (OCI/objstore), `run download --resume`, and status polling enhancements. | -| Sprint 36 | Export Center Phase 2 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-001 | Implement Trivy DB adapter (core) with schema mapping, validation, and compatibility gating. | -| Sprint 36 | Export Center Phase 2 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-002 | Add Trivy Java DB variant, shared manifest entries, and adapter regression tests. | -| Sprint 36 | Export Center Phase 2 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-003 | Build OCI distribution engine for exports with descriptor annotations and registry auth handling. | -| Sprint 36 | Export Center Phase 2 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-004 | Extend planner/run lifecycle for OCI/object storage distributions with retry + idempotency. | -| Sprint 36 | Export Center Phase 2 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-36-101 | Add distribution job follow-ups, retention metadata, and metrics for export runs. | -| Sprint 36 | Export Center Phase 2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXPORT-36-001 | Expose distribution endpoints (OCI/object storage) and manifest/provenance download proxies with RBAC. 
| -| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-001 | Publish `/docs/modules/export-center/mirror-bundles.md` detailing layouts, deltas, encryption, imposed rule reminder. | -| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-002 | Publish `/docs/modules/export-center/provenance-and-signing.md` covering manifests, attestation, verification. | -| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-003 | Publish `/docs/operations/export-runbook.md` for failures, tuning, capacity, with imposed rule note. | -| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-004 | Publish `/docs/security/export-hardening.md` covering RBAC, isolation, encryption, and imposed rule. | -| Sprint 37 | Export Center Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-EXPORT-37-001 | Finalize dashboards/alerts for exports (failure, verify), retention jobs, and chaos testing harness. | -| Sprint 37 | Export Center Phase 3 | ops/offline-kit/TASKS.md | TODO | Offline Kit Guild | DEVOPS-OFFLINE-37-001 | Package Export Center mirror bundles + verification tooling into Offline Kit with manifest/signature updates. | -| Sprint 37 | Export Center Phase 3 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-EXPORT-37-001 | Add `Export.Admin` scope enforcement for retention, encryption keys, and scheduling APIs. | -| Sprint 37 | Export Center Phase 3 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXPORT-37-001 | Implement `stella export schedule`, `run verify`, and bundle verification tooling with signature/hash checks. | -| Sprint 37 | Export Center Phase 3 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-001 | Implement mirror delta adapter, base export linkage, and content-addressed reuse. 
| -| Sprint 37 | Export Center Phase 3 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-002 | Add bundle encryption, key wrapping with KMS, and verification tooling for encrypted exports. | -| Sprint 37 | Export Center Phase 3 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-003 | Deliver scheduling/retention engine (cron/event triggers), audit trails, and retry idempotency enhancements. | -| Sprint 37 | Export Center Phase 3 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-004 | Provide export verification API and CLI integration, including hash/signature validation endpoints. | -| Sprint 37 | Export Center Phase 3 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-37-101 | Enable scheduled export runs, retention pruning hooks, and failure alerting integration. | -| Sprint 37 | Export Center Phase 3 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXPORT-37-001 | Surface scheduling, retention, and verification endpoints plus encryption parameter handling. | -| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-001 | Format detector & binary identity for ELF/PE/Mach-O (multi-slice) with stable entrypoint IDs. | -| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-002 | ELF dynamic parser emitting dtneeded edges, runpath metadata, symbol version needs. | -| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-003 | PE import + delay-load + SxS manifest parsing producing reason-coded edges. 
| -| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-004 | Mach-O load command parsing with @rpath expansion and slice handling. | -| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-005 | Cross-platform resolver engine modeling search order/explain traces for ELF/PE/Mach-O. | -| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-006 | Heuristic scanner for dlopen/LoadLibrary strings, plugin configs, ecosystem hints with confidence tags. | -| Sprint 38 | Native Observation Pipeline | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-007 | Serialize entrypoints/edges/env profiles to Scanner writer (AOC-compliant observations). | -| Sprint 38 | Native Observation Pipeline | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild, QA Guild | SCANNER-ANALYZERS-NATIVE-20-008 | Fixture suite + determinism benchmarks for native analyzer across linux/windows/macos. | -| Sprint 38 | Native Observation Pipeline | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild, Signals Guild | SCANNER-ANALYZERS-NATIVE-20-009 | Optional runtime capture adapters (eBPF/ETW/dyld) producing runtime-load edges with redaction. | -| Sprint 38 | Native Observation Pipeline | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild, DevOps Guild | SCANNER-ANALYZERS-NATIVE-20-010 | Package native analyzer plug-in + Offline Kit updates and restart-time loading. 
| -| Sprint 38 | Notifications Studio Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-NOTIFY-38-001 | Publish `/docs/notifications/overview.md` and `/docs/notifications/architecture.md` ending with imposed rule statement. | -| Sprint 38 | Notifications Studio Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-NOTIFY-38-001 | Package notifier API/worker Helm overlays (email/chat/webhook), secrets templates, rollout guide. | -| Sprint 38 | Notifications Studio Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-NOTIFY-38-001 | Stand up notifier CI pipelines, event bus fixtures, base dashboards for events/notifications latency. | -| Sprint 38 | Notifications Studio Phase 1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-NOTIFY-38-001 | Implement `stella notify` rule/template/incident commands (list/create/test/ack) with file-based inputs. | -| Sprint 38 | Notifications Studio Phase 1 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-001 | Bootstrap notifier service, migrations for notif tables, event ingestion, and rule engine foundation (policy violations + job failures). | -| Sprint 38 | Notifications Studio Phase 1 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-002 | Implement channel adapters (email, chat-webhook, generic webhook) with retry and audit logging. | -| Sprint 38 | Notifications Studio Phase 1 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-003 | Deliver template service (versioning, preview), rendering pipeline with redaction, and provenance links. | -| Sprint 38 | Notifications Studio Phase 1 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-004 | Expose initial API (rules CRUD, templates, incidents list, ack) and live feed WS stream. 
| -| Sprint 38 | Notifications Studio Phase 1 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-38-101 | Standardize event envelope publication (policy/export/job lifecycle) with idempotency keys for notifier ingestion. | -| Sprint 38 | Notifications Studio Phase 1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-38-201 | Emit enriched violation events including rationale IDs via orchestrator bus. | -| Sprint 38 | Notifications Studio Phase 1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-NOTIFY-38-001 | Route notifier APIs through gateway with tenant scoping and operator scopes. | -| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-001 | Java input normalizer (jar/war/ear/fat/jmod/jimage) with MR overlay selection. | -| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-002 | Module/classpath builder with duplicate & split-package detection. | -| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-003 | SPI scanner & provider selection with warnings. | -| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | DONE | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-004 | Reflection/TCCL heuristics emitting reason-coded edges. | -| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-005 | Framework config extraction (Spring, Jakarta, MicroProfile, logging, Graal configs). 
| -| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-006 | JNI/native hint detection for Java artifacts. | -| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-007 | Manifest/signature metadata collector (main/start/agent classes, signers). | -| Sprint 39 | Notifications Studio Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-NOTIFY-39-002 | Publish `/docs/notifications/rules.md`, `/templates.md`, `/digests.md` with imposed rule reminder. | -| Sprint 39 | Notifications Studio Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-NOTIFY-39-002 | Add throttling/quiet-hours dashboards, digest job monitoring, and storm breaker alerts. | -| Sprint 39 | Notifications Studio Phase 2 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-NOTIFY-39-001 | Add simulation/digest CLI verbs and advanced filtering for incidents. | -| Sprint 39 | Notifications Studio Phase 2 | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-NOTIFY-39-001 | Optimize digest queries and provide API for notifier to fetch unresolved policy violations/SBOM deltas. | -| Sprint 39 | Notifications Studio Phase 2 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-001 | Implement correlation engine, throttling, quiet hours/maintenance evaluator, and incident state machine. | -| Sprint 39 | Notifications Studio Phase 2 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-002 | Add digests generator with Findings Ledger queries and distribution (email/chat). 
| -| Sprint 39 | Notifications Studio Phase 2 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-003 | Provide simulation engine and API for rule dry-run against historical events. | -| Sprint 39 | Notifications Studio Phase 2 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-004 | Integrate quiet hours calendars and default throttles with audit logging. | -| Sprint 39 | Notifications Studio Phase 2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-NOTIFY-39-001 | Surface digest scheduling, simulation, and throttle management endpoints via gateway. | -| Sprint 40 | Java Observation & Runtime | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-008 | Observation writer producing entrypoints/components/edges with warnings. | -| Sprint 40 | Java Observation & Runtime | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild, QA Guild | SCANNER-ANALYZERS-JAVA-21-009 | Fixture suite + determinism/perf benchmarks for Java analyzer. | -| Sprint 40 | Java Observation & Runtime | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild, Signals Guild | SCANNER-ANALYZERS-JAVA-21-010 | Optional runtime ingestion via agent/JFR producing runtime edges. | -| Sprint 40 | Java Observation & Runtime | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild, DevOps Guild | SCANNER-ANALYZERS-JAVA-21-011 | Package Java analyzer plug-in + Offline Kit/CLI updates. | -| Sprint 40 | Notifications Studio Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-NOTIFY-40-001 | Publish `/docs/notifications/channels.md`, `/escalations.md`, `/api.md`, `/operations/notifier-runbook.md`, `/security/notifications-hardening.md` with imposed rule lines. 
| -| Sprint 40 | Notifications Studio Phase 3 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-NOTIFY-40-001 | Package notifier escalations + localization deployment overlays, signed ack token rotation scripts, and rollback guidance. | -| Sprint 40 | Notifications Studio Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-NOTIFY-40-001 | Finalize notifier dashboards/alerts (escalation failures, ack latency), chaos testing harness, and channel health monitoring. | -| Sprint 40 | Notifications Studio Phase 3 | ops/offline-kit/TASKS.md | CARRY (no scope change) | Offline Kit Guild | DEVOPS-OFFLINE-37-002 | Carry from Sprint 37: Notifier offline packs (sample configs, template/digest packs, dry-run harness) with integrity checks. | -| Sprint 40 | Notifications Studio Phase 3 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-NOTIFY-40-001 | Enforce ack token signing/rotation, webhook allowlists, and admin-only escalation settings. | -| Sprint 40 | Notifications Studio Phase 3 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-NOTIFY-40-001 | Implement ack token redemption, escalation management, localization previews. | -| Sprint 40 | Notifications Studio Phase 3 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-001 | Implement escalations, on-call schedules, ack bridge, PagerDuty/OpsGenie adapters, and localization bundles. | -| Sprint 40 | Notifications Studio Phase 3 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-002 | Add CLI inbox/in-app feed channels and summary storm breaker notifications. | -| Sprint 40 | Notifications Studio Phase 3 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-003 | Harden security: signed ack links, webhook HMAC/IP allowlists, tenant isolation fuzzing, localization fallback. 
| -| Sprint 40 | Notifications Studio Phase 3 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-004 | Finalize observability (incident metrics, escalation latency) and chaos tests for channel outages. | -| Sprint 40 | Notifications Studio Phase 3 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-NOTIFY-40-001 | Expose escalation, localization, channel health endpoints and verification of signed links. | -| Sprint 41 | CLI Parity & Task Packs Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-41-001 | Publish `/docs/modules/cli/guides/overview.md`, `/cli/configuration.md`, `/cli/output-and-exit-codes.md` (with imposed rule). | -| Sprint 41 | CLI Parity & Task Packs Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-CLI-41-001 | Package CLI release artifacts (tarballs, completions, container image) with distribution docs. | -| Sprint 41 | CLI Parity & Task Packs Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CLI-41-001 | Establish CLI build pipeline (multi-platform binaries, SBOM, checksums) and parity matrix CI enforcement. | -| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-PACKS-41-001 | Define CLI SSO scopes and Packs (`Packs.Read/Write/Run/Approve`) roles; update discovery/offline defaults. | -| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-CORE-41-001 | Implement CLI config/auth foundation, global flags, output renderer, and error/exit code mapping. | -| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PARITY-41-001 | Deliver parity command groups (`policy`, `sbom`, `vuln`, `vex`, `advisory`, `export`, `orchestrator`) with JSON/table outputs and `--explain`. 
| -| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PARITY-41-002 | Implement `notify`, `aoc`, `auth` command groups, idempotency keys, completions, and parity matrix export. | -| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-41-101 | Register `pack-run` job type, integrate logs/artifacts, expose pack run metadata. | -| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md | TODO | Packs Registry Guild | PACKS-REG-41-001 | Implement packs index API, signature verification, provenance storage, and RBAC. | -| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-41-001 | Bootstrap Task Runner service, migrations, run API, local executor, approvals pause, artifact capture. | -| Sprint 42 | CLI Parity & Task Packs Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-42-001 | Publish `/docs/modules/cli/guides/parity-matrix.md`, `/cli/commands/*.md`, `/docs/task-packs/spec.md` (imposed rule). | -| Sprint 42 | CLI Parity & Task Packs Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CLI-42-001 | Add CLI golden output tests, parity diff automation, and pack run CI harness. | -| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PACKS-42-001 | Implement Task Pack CLI commands (`pack plan/run/push/pull/verify`) with plan/simulate engine and expression sandbox. | -| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PARITY-41-001..002 | Close parity gaps for Notifications, Policy Studio advanced features, SBOM graph, Vuln Explorer; parity matrix green. 
| -| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-PACKS-42-001 | Expose snapshot/time-travel APIs for CLI offline mode and pack simulation. | -| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-42-101 | Stream pack run logs via SSE/WS, expose artifact manifests, enforce pack run quotas. | -| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md | TODO | Packs Registry Guild | PACKS-REG-42-001 | Support pack version lifecycle, tenant allowlists, provenance export, signature rotation. | -| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-42-201 | Provide stable rationale IDs/APIs for CLI `--explain` and pack policy gates. | -| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-42-001 | Add loops, conditionals, `maxParallel`, outputs, simulation mode, policy gates in Task Runner. | -| Sprint 43 | CLI Parity & Task Packs Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-PACKS-43-001 | Publish `/docs/task-packs/authoring-guide.md`, `/registry.md`, `/runbook.md`, `/security/pack-signing-and-rbac.md`, `/operations/cli-release-and-packaging.md` (imposed rule). | -| Sprint 43 | CLI Parity & Task Packs Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CLI-43-001 | Finalize multi-platform release automation, SBOM signing, parity gate enforcement, pack run chaos tests. | -| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-PACKS-41-001 | Enforce pack signing policies, approval RBAC, CLI token scopes for CI headless runs. 
| -| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PACKS-42-001 | Deliver advanced pack features (approvals pause/resume, remote streaming, secret injection), localization, man pages. | -| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-005, PACKS-REG-41-001 | Integrate pack run manifests into export bundles and CLI verify flows. | -| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md | TODO | Packs Registry Guild | PACKS-REG-42-001 | Enforce pack signing policies, audit trails, registry mirroring, Offline Kit support. | -| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-42-001 | Implement approvals workflow, notifications integration, remote artifact uploads, chaos resilience. | -| Sprint 44 | Containerized Distribution Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-44-001 | Publish install overview + Compose Quickstart docs (imposed rule). | -| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | COMPOSE-44-001 | Deliver Quickstart Compose stack with seed data and quickstart script. | -| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | COMPOSE-44-002 | Provide backup/reset scripts with guardrails and documentation. | -| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | COMPOSE-44-003 | Implement seed job and onboarding wizard toggle (`QUICKSTART_MODE`). | -| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-COMPOSE-44-001 | Finalize Quickstart scripts and README. 
| -| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONTAINERS-44-001 | Automate multi-arch builds with SBOM/signature pipeline. | -| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DOCKER-44-001 | Author multi-stage Dockerfiles with non-root users, read-only FS, and health scripts for all services. | -| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DOCKER-44-002 | Generate SBOMs and cosign attestations for each image; integrate signature verification in CI. | -| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DOCKER-44-003 | Ensure `/health/*`, `/version`, `/metrics`, and capability endpoints (`merge=false`) are exposed across services. | -| Sprint 44 | Containerized Distribution Phase 1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONTAINERS-44-001 | Expose config discovery and quickstart handling with health/version endpoints. | -| Sprint 45 | Containerized Distribution Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-45-001 | Publish Helm production + configuration reference docs (imposed rule). | -| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-HELM-45-001 | Publish Helm install guide and sample values. | -| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | HELM-45-001 | Scaffold Helm chart with component toggles and pinned digests. | -| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | HELM-45-002 | Add security features (TLS, NetworkPolicy, Secrets integration). | -| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | HELM-45-003 | Implement HPA, PDB, readiness gates, and observability hooks. 
| -| Sprint 45 | Containerized Distribution Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONTAINERS-45-001 | Add Compose/Helm smoke tests to CI. | -| Sprint 45 | Containerized Distribution Phase 2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONTAINERS-45-001 | Ensure readiness endpoints and config toggles support Helm deployments. | -| Sprint 46 | Containerized Distribution Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-46-001 | Publish air-gap, supply chain, health/readiness, image catalog, console onboarding docs (imposed rule). | -| Sprint 46 | Containerized Distribution Phase 3 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-AIRGAP-46-001 | Provide air-gap load script and docs. | -| Sprint 46 | Containerized Distribution Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONTAINERS-46-001 | Build signed air-gap bundle and verify in CI. | -| Sprint 46 | Containerized Distribution Phase 3 | ops/offline-kit/TASKS.md | TODO | Offline Kit Guild | OFFLINE-CONTAINERS-46-001 | Include air-gap bundle and instructions in Offline Kit. | -| Sprint 46 | Containerized Distribution Phase 3 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONTAINERS-46-001 | Harden offline mode and document fallback behavior. | -| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-TEN-47-001 | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` (imposed rule). | -| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-TEN-47-001 | Integrate JWKS caching, signature verification tests, and auth regression suite into CI. 
| -| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-TEN-47-001 | Implement unified JWT/ODIC config, scope grammar, tenant/project claims, and JWKS caching in Authority. | -| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-TEN-47-001 | Ship `stella login`, `whoami`, `tenants list`, and tenant flag persistence with secure token storage. | -| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-TEN-47-001 | Add auth middleware (token verification, tenant activation, scope checks) and structured 403 responses. | -| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-TEN-48-001 | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md` (imposed rule). | -| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-TEN-48-001 | Write integration tests for RLS enforcement, tenant audit stream, and object store prefix checks. | -| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-TEN-48-001 | Ensure advisory linkers operate per tenant with RLS, enforce aggregation-only capability endpoint. | -| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-TEN-48-001 | Same as above for VEX linkers; enforce capability endpoint `merge=false`. 
| -| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-TEN-48-001 | Add tenant prefixes to manifests/artifacts, enforce scope checks, and block cross-tenant exports by default. | -| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-TEN-48-001 | Partition findings by tenant/project, enable RLS, and update queries/events to include tenant context. | -| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-TEN-48-001 | Tenant-scope notification rules, incidents, and outbound channels; update storage schemas. | -| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-TEN-48-001 | Stamp jobs with tenant/project, set DB session context, and reject jobs without context. | -| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-TEN-48-001 | Add `tenant_id`/`project_id` to policy data, enable Postgres RLS, and expose rationale IDs with tenant context. | -| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-TEN-48-001 | Propagate tenant/project to all steps, enforce object store prefix, and validate before execution. | -| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-TEN-48-001 | Enforce tenant context through persistence (DB GUC, object store prefix), add request annotations, and emit audit events. 
| -| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-TEN-49-001 | Publish `/docs/modules/cli/guides/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, `/docs/install/configuration-reference.md` updates (imposed rule). | -| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-TEN-49-001 | Implement audit log pipeline, monitor scope usage, chaos tests for JWKS outage, and tenant load/perf tests. | -| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-TEN-49-001 | Implement service accounts, delegation tokens (`act` chain), per-tenant quotas, and audit log streaming. | -| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-TEN-49-001 | Add service account token minting, delegation, and `--impersonate` banner/controls. | -| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-TEN-49-001 | Integrate ABAC policy overlay (optional), expose audit API, and support service token minting endpoints. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-50-001 | Add `/docs/install/telemetry-stack.md` for collector deployment and offline packaging. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | BLOCKED (2025-10-26) | Docs Guild | DOCS-OBS-50-001 | Author `/docs/observability/overview.md` with imposed rule banner and architecture context. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-50-002 | Document telemetry standards (fields, scrubbing, sampling) under `/docs/observability/telemetry-standards.md`. 
| -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-50-003 | Publish structured logging guide `/docs/observability/logging.md` with examples and imposed rule banner. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-50-004 | Publish tracing guide `/docs/observability/tracing.md` covering context propagation and sampling. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-SEC-OBS-50-001 | Update `/docs/security/redaction-and-privacy.md` for telemetry privacy controls. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | ops/devops/TASKS.md | DOING (2025-10-26) | DevOps Guild | DEVOPS-OBS-50-002 | Stand up multi-tenant metrics/logs/traces backends with retention and isolation. | -> Staging rollout plan recorded in `docs/modules/telemetry/operations/storage.md`; waiting on Authority-issued tokens and namespace bootstrap. -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OBS-50-001 | Introduce observability/timeline/evidence/attestation scopes and update discovery metadata. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-50-001 | Propagate trace headers from CLI commands and print correlation IDs. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-50-001 | Replace ad-hoc logging with telemetry core across advisory ingestion/linking. 
| -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-50-001 | Adopt telemetry core in Concelier APIs and surface correlation IDs. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-50-001 | Integrate telemetry core into VEX ingestion/linking with scope metadata. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-50-001 | Add telemetry core to VEX APIs and emit trace headers. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-50-001 | Enable telemetry core in export planner/workers capturing bundle metadata. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-50-001 | Wire telemetry core through ledger writer/projector for append/replay operations. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-50-001 | Instrument orchestrator scheduler/control APIs with telemetry core spans/logs. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-50-001 | Instrument policy compile/evaluate flows with telemetry core spans/logs. 
| -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-50-001 | Adopt telemetry core in Task Runner host and workers with scrubbed transcripts. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-50-001 | Bootstrap telemetry core library with structured logging, OTLP exporters, and deterministic bootstrap. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-50-002 | Deliver context propagation middleware for HTTP/gRPC/jobs/CLI carrying trace + tenant metadata. | -| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-50-001 | Integrate telemetry core into gateway and emit structured traces/logs for all routes. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-51-001 | Publish `/docs/observability/metrics-and-slos.md` with alert policies. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-51-001 | Deploy SLO evaluator service, dashboards, and alert routing. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-51-001 | Implement `stella obs top` streaming health metrics command. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-51-001 | Emit ingest latency metrics + SLO thresholds for advisories. 
| -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-51-001 | Provide VEX ingest metrics and SLO burn-rate automation. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-51-001 | Capture export planner/bundle latency metrics and SLOs. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-51-001 | Add ledger/projector metrics dashboards and burn-rate policies. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OBS-51-001 | Ingest SLO burn-rate webhooks and deliver observability alerts. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-51-001 | Publish orchestration metrics, SLOs, and burn-rate alerts. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-51-001 | Publish policy evaluation metrics + dashboards meeting SLO targets. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-51-001 | Emit task runner golden-signal metrics and SLO alerts. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-51-001 | Ship metrics helpers + exemplar guards for golden signals. 
| -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Security Guild | TELEMETRY-OBS-51-002 | Implement logging scrubbing and tenant debug override controls. | -| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-51-001 | Expose `/obs/health` and `/obs/slo` aggregations for services. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-OBS-52-001 | Document `stella obs` CLI commands and scripting patterns. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-OBS-52-001 | Document Console observability hub and trace/log search workflows. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-OBS-52-002 | Publish Console forensics/timeline guidance with imposed rule banner. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-52-001 | Configure streaming pipelines and schema validation for timeline events. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-52-001 | Add `stella obs trace` + log commands correlating timeline data. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-52-001 | Emit advisory ingest/link timeline events with provenance metadata. 
| -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-52-001 | Provide SSE bridge for advisory timeline events. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-52-001 | Emit VEX ingest/link timeline events with justification info. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-52-001 | Stream VEX timeline updates to clients with tenant filters. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-52-001 | Publish export lifecycle events into timeline. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-52-001 | Record ledger append/projection events into timeline stream. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-52-001 | Emit job lifecycle timeline events with tenant/project metadata. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-52-001 | Emit policy decision timeline events with rule summaries and trace IDs. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-52-001 | Emit pack run timeline events and dedupe logic. 
| -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-52-001 | Bootstrap timeline indexer service and schema with RLS scaffolding. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-52-002 | Implement event ingestion pipeline with ordering and dedupe. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-52-003 | Expose timeline query APIs with tenant filters and pagination. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md | TODO | Security Guild | TIMELINE-OBS-52-004 | Finalize RLS + scope enforcement and audit logging for timeline reads. | -| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-52-001 | Provide trace/log proxy endpoints bridging to timeline + log store. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-FORENSICS-53-001 | Document `stella forensic` CLI workflows with sample bundles. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | docs/TASKS.md | TODO | Docs Guild | DOCS-FORENSICS-53-001 | Publish `/docs/forensics/evidence-locker.md` covering bundles, WORM, legal holds. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | docs/TASKS.md | TODO | Docs Guild | DOCS-FORENSICS-53-003 | Publish `/docs/forensics/timeline.md` with schema and query examples. 
| -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-53-001 | Provision WORM-capable storage, legal hold automation, and backup/restore scripts for evidence locker. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-FORENSICS-53-001 | Ship `stella forensic snapshot` commands invoking evidence locker. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-53-001 | Generate advisory evidence payloads (raw doc, linkset diff) for locker. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-53-001 | Add `/evidence/advisories/*` gateway endpoints consuming locker APIs. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-53-001 | Bootstrap evidence locker service with schema, storage abstraction, and RLS. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-53-002 | Implement bundle builders for evaluation, job, and export snapshots. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-53-003 | Expose evidence APIs (create/get/verify/hold) with audit + quotas. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-53-001 | Produce VEX evidence payloads and push to locker. 
| -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-53-001 | Expose `/evidence/vex/*` endpoints retrieving locker bundles. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-53-001 | Store export manifests + transcripts within evidence bundles. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-53-001 | Persist evidence bundle references alongside ledger entries and expose lookup API. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-53-001 | Attach job capsules + manifests to evidence locker snapshots. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-53-001 | Build evaluation evidence bundles (inputs, rule traces, engine version). | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-53-001 | Capture step transcripts and manifests into evidence bundles. | -| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-53-001 | Link timeline events to evidence bundle digests and expose evidence lookup endpoint. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | docs/TASKS.md | TODO | Docs Guild | DOCS-FORENSICS-53-002 | Publish `/docs/forensics/provenance-attestation.md` covering signing + verification. 
| -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-54-001 | Manage provenance signing infrastructure (KMS keys, timestamp authority) and CI verification. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-FORENSICS-54-001 | Implement `stella forensic verify` command verifying bundles + signatures. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-FORENSICS-54-002 | Add `stella forensic attest show` command with signer/timestamp details. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-54-001 | Sign advisory batches with DSSE attestations and expose verification. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-54-001 | Add `/attestations/advisories/*` endpoints surfacing verification metadata. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-54-001 | Attach DSSE signing/timestamping to evidence bundles and emit timeline hooks. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-54-002 | Provide bundle packaging + offline verification fixtures. 
| -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-54-001 | Produce VEX batch attestations linking to timeline/ledger. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-54-001 | Expose `/attestations/vex/*` endpoints with verification summaries. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-54-001 | Produce export attestation manifests and CLI verification hooks. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-54-001 | Produce DSSE attestations for jobs and surface verification endpoint. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-54-001 | Generate DSSE attestations for policy evaluations and expose verification API. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Provenance/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild | PROV-OBS-53-001 | Implement DSSE/SLSA models with deterministic serializer + test vectors. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Provenance/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild | PROV-OBS-53-002 | Build signer abstraction (cosign/KMS/offline) with policy enforcement. 
| -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Provenance/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild | PROV-OBS-54-001 | Deliver verification library validating DSSE signatures + Merkle roots. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Provenance/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild, DevEx/CLI Guild | PROV-OBS-54-002 | Package provenance verification tool for CLI integration and offline use. | -| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-54-001 | Generate pack run attestations and link to timeline/evidence. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | docs/TASKS.md | TODO | Docs Guild | DOCS-RUNBOOK-55-001 | Publish `/docs/runbooks/incidents.md` covering activation, escalation, and verification checklist. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-55-001 | Automate incident mode activation via SLO alerts, retention override management, and reset job. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OBS-55-001 | Enforce `obs:incident` scope with fresh-auth requirement and audit export for toggles. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-55-001 | Ship `stella obs incident-mode` commands with safeguards and audit logging. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-55-001 | Increase sampling and raw payload retention under incident mode with redaction guards. 
| -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-55-001 | Provide incident mode toggle endpoints and propagate to services. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-55-001 | Extend evidence retention + activation events for incident windows. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-55-001 | Enable incident sampling + retention overrides for VEX pipelines. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-55-001 | Add incident mode APIs for VEX services with audit + guardrails. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-55-001 | Increase export telemetry + debug retention during incident mode and emit events. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-55-001 | Extend retention and diagnostics capture during incident mode. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OBS-55-001 | Send incident mode start/stop notifications with quick links to evidence/timeline. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-55-001 | Increase telemetry + evidence capture during incident mode and emit activation events. 
| -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-55-001 | Capture full rule traces + retention bump on incident activation with timeline events. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-55-001 | Capture extra debug data + notifications for incident mode runs. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-55-001 | Implement incident mode sampling toggle API with activation audit trail. | -| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-55-001 | Deliver `/obs/incident-mode` control endpoints with audit + retention previews. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-001 | Publish `/docs/airgap/overview.md`. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-002 | Document sealing and egress controls. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-003 | Publish mirror bundles guide. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-004 | Publish bootstrap pack guide. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-56-001 | Publish deny-all egress policies and verification script for sealed environments. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-56-002 | Provide bundle staging/import scripts for air-gapped object stores. 
| -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-56-003 | Build Bootstrap Pack pipeline bundling images/charts with checksums. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Controller/TASKS.md | TODO | AirGap Controller Guild | AIRGAP-CTL-56-001 | Implement sealing state machine, persistence, and RBAC scopes for air-gapped status. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Controller/TASKS.md | TODO | AirGap Controller Guild | AIRGAP-CTL-56-002 | Expose seal/status APIs with policy hash validation and staleness placeholders. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-56-001 | Implement DSSE/TUF/Merkle verification helpers. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-56-002 | Enforce root rotation policy for bundles. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-56-001 | Ship `EgressPolicy` facade with sealed/unsealed enforcement and remediation errors. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-56-002 | Deliver Roslyn analyzer blocking raw HTTP clients; wire into CI. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-56-001 | Implement mirror create/verify and airgap verify commands. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-50-001 | Ensure telemetry propagation for sealed logging. 
| -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-AIRGAP-56-001 | Add mirror ingestion adapters preserving source metadata. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-AIRGAP-56-001 | Add VEX mirror ingestion adapters. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-56-001 | Extend export center to build mirror bundles. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Mirror/StellaOps.Mirror.Creator/TASKS.md | TODO | Mirror Creator Guild | MIRROR-CRT-56-001 | Build deterministic bundle assembler (advisories/vex/policy). | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-56-001 | Validate jobs against sealed-mode restrictions. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-56-001 | Accept policy packs from bundles with provenance tracking. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-56-001 | Enforce sealed-mode plan validation for network calls. | -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-56-001 | (Carry) Extend telemetry core with sealed-mode hooks before integration. 
| -| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-56-001 | Extend telemetry core usage for sealed-mode status surfaces (seal/unseal dashboards, drift signals). | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-001 | Publish staleness/time doc. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-002 | Publish console airgap doc. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-003 | Publish CLI airgap doc. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-004 | Publish airgap operations runbook. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-57-001 | Automate mirror bundle creation with approvals. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-57-002 | Run sealed-mode CI suite enforcing zero egress. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-57-001 | Implement bundle catalog with RLS + migrations. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-57-002 | Load artifacts into object store with checksum verification. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-57-001 | Adopt EgressPolicy in core services. 
| -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-57-002 | Enforce Task Runner job plan validation. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Time/TASKS.md | TODO | AirGap Time Guild | AIRGAP-TIME-57-001 | Parse signed time tokens and expose normalized anchors. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-57-001 | Complete airgap import CLI with diff preview. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-57-002 | Ship seal/status CLI commands. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-56-002 | Deliver bootstrap pack artifacts. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Mirror/StellaOps.Mirror.Creator/TASKS.md | TODO | Mirror Creator Guild | MIRROR-CRT-57-001 | Add OCI image support to mirror bundles. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Mirror/StellaOps.Mirror.Creator/TASKS.md | TODO | Mirror Creator Guild | MIRROR-CRT-57-002 | Embed signed time anchors in bundles. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-56-001 | Lock notifications to enclave-safe channels. | -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-56-002 | Integrate sealing status + staleness into scheduling. 
| -| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-56-002 | Provide bundle ingestion helper steps. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-001 | Publish degradation matrix doc. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-002 | Update trust & signing doc for DSSE/TUF roots. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-003 | Publish developer airgap contracts doc. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-004 | Document portable evidence workflows. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Controller/TASKS.md | TODO | AirGap Controller Guild | AIRGAP-CTL-58-001 | Persist time anchor data and expose drift metrics. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-58-001 | Disable remote observability exporters in sealed mode. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-58-002 | Add CLI sealed-mode guard. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Time/TASKS.md | TODO | AirGap Time Guild | AIRGAP-TIME-58-001 | Compute drift/staleness metrics and surface via controller status. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Time/TASKS.md | TODO | AirGap Time Guild | AIRGAP-TIME-58-002 | Emit notifications/events for staleness budgets. 
| -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-58-001 | Ship portable evidence export helper. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-AIRGAP-57-002 | Annotate advisories with staleness metadata. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-AIRGAP-57-002 | Annotate VEX statements with staleness metadata. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-57-001 | Add portable evidence export integration. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-57-001 | Notify on drift/staleness thresholds. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-58-001 | Link import/export jobs to timeline/evidence. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-57-002 | Show degradation fallback info in explain traces. | -| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-58-001 | Capture import job evidence transcripts. | -| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-AIRGAP-57-001 | Map sealed-mode violations to standard errors. 
| -| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-AIRGAP-57-001 | Map sealed-mode violations to standard errors. | -| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-58-001 | Emit notifications/timeline for bundle readiness. | -| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-AIRGAP-56-002 | Enforce staleness thresholds for findings exports. | -| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-58-001 | Notify on portable evidence exports. | -| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-57-001 | Automate mirror bundle job scheduling with audit provenance. | -| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-57-001 | Enforce sealed-mode guardrails inside evaluation engine. | -| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-57-001 | Block execution when seal state mismatched; emit timeline events. | -| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-004 | Document portable evidence workflows. 
| -| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-58-001 | Finalize portable evidence CLI workflow with verification. | -| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-AIRGAP-58-001 | Emit timeline events for bundle imports. | -| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-60-001 | Deliver portable evidence export flow for sealed environments with checksum manifest and offline verification script. | -| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-AIRGAP-58-001 | Emit timeline events for VEX bundle imports. | -| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-AIRGAP-57-001 | Link findings to portable evidence bundles. | -| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-58-001 | (Carry) Portable evidence notifications. | -| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-58-001 | Notify on stale policy packs and guide remediation. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-61-001 | Publish `/docs/api/overview.md`. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-61-002 | Publish `/docs/api/conventions.md`. 
| -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-61-003 | Publish `/docs/api/versioning.md`. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OAS-61-001 | Add OAS lint/validation/diff stages to CI. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Api/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-61-001 | Configure lint rules and CI enforcement. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Api/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-61-002 | Enforce example coverage in CI. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Api/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-61-001 | Scaffold per-service OpenAPI skeletons with shared components. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Api/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-61-002 | Build aggregate composer and integrate into CI. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-61-001 | Document Authority authentication APIs in OAS. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-61-002 | Provide Authority discovery endpoint. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-61-001 | Update advisory OAS coverage. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-61-002 | Populate advisory examples. 
| -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OAS-61-001 | Implement Concelier discovery endpoint. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OAS-61-002 | Standardize error envelope. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-61-001 | Update VEX OAS coverage. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-61-002 | Provide VEX examples. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OAS-61-001 | Implement discovery endpoint. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OAS-61-002 | Migrate errors to standard envelope. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-61-001 | Update Exporter spec coverage. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-61-002 | Implement Exporter discovery endpoint. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-61-001 | Expand Findings Ledger spec coverage. 
| -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-61-002 | Provide ledger discovery endpoint. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-61-001 | Update notifier spec coverage. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-61-002 | Implement notifier discovery endpoint. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OAS-61-001 | Extend Orchestrator spec coverage. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OAS-61-002 | Provide orchestrator discovery endpoint. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-61-001 | Document Task Runner APIs in OAS. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-61-002 | Expose Task Runner discovery endpoint. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-61-001 | Implement gateway discovery endpoint. | -| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-61-002 | Standardize error envelope across gateway. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-CONTRIB-62-001 | Publish API contracts contributing guide. 
| -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-DEVPORT-62-001 | Document dev portal publishing. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-62-001 | Deploy `/docs/api/reference/` generated site. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-SDK-62-001 | Publish SDK overview + language guides. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-SEC-62-001 | Update auth scopes documentation. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-TEST-62-001 | Publish contract testing doc. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Api/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-62-001 | Implement compatibility diff tool. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Api/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-62-001 | Populate examples for top endpoints. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-62-001 | Provide SDK auth helpers/tests. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-62-001 | Migrate CLI to official SDK. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-62-002 | Update CLI error handling for new envelope. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-62-001 | Add SDK smoke tests for advisory APIs. 
| -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OAS-62-001 | Add advisory API examples. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-62-001 | Build static generator with nav/search. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-62-002 | Add schema viewer, examples, version selector. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-62-001 | Add SDK tests for VEX APIs. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OAS-62-001 | Provide VEX API examples. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-62-001 | Ensure SDK streaming helpers for exports. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-62-001 | Provide SDK tests for ledger APIs. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-62-001 | Provide SDK examples for notifier APIs. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-62-001 | Establish generator framework. 
| -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-62-002 | Implement shared post-processing helpers. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-62-001 | Provide SDK examples for pack runs. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-62-001 | Align pagination/idempotency behaviors. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-62-001 | Generate mock server fixtures. | -| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-62-002 | Integrate mock server into CI. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | docs/TASKS.md | TODO | Docs Guild | DOCS-TEST-62-001 | (Carry) ensure contract testing doc final. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Api/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-63-001 | Integrate compatibility diff gating. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Api/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-63-001 | Compatibility diff support. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Api/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-63-002 | Define discovery schema metadata. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-63-001 | Add CLI spec download command. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-63-001 | Add Try-It console. 
| -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-63-002 | Embed SDK snippets/quick starts. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-001 | Release TypeScript SDK alpha. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-002 | Release Python SDK alpha. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-003 | Release Go SDK alpha. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-004 | Release Java SDK alpha. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-63-001 | Configure SDK release pipelines. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-63-002 | Automate changelogs from OAS diffs. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-63-001 | Build replay harness for drift detection. | -| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-63-002 | Emit contract testing metrics. | -| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-DEVPORT-64-001 | Document devportal offline usage. | -| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-DEVPORT-63-001 | Automate developer portal pipeline. 
| -| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-DEVPORT-64-001 | Schedule offline bundle builds. | -| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-64-001 | Offline portal build. | -| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-64-002 | Add accessibility/performance checks. | -| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/TASKS.md | TODO | DevPortal Offline Guild | DVOFF-64-001 | Implement devportal offline export job. | -| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/TASKS.md | TODO | DevPortal Offline Guild | DVOFF-64-002 | Provide verification CLI. | -| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-64-001 | Migrate CLI to SDK. | -| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-64-002 | Integrate SDKs into Console. | -| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/Sdk/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-64-001 | Hook SDK releases to Notifications. | -| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/Sdk/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-64-002 | Produce devportal offline bundle. | -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-DEVPORT-64-001 | (Carry) ensure offline doc published; update as necessary. 
| -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Api/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-63-001 | (Carry) compatibility gating monitoring. | -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-63-001 | Deprecation headers for auth endpoints. | -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-64-001 | SDK update awareness command. | -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-63-001 | Deprecation metadata for Concelier APIs. | -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-63-001 | Deprecation metadata for VEX APIs. | -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-63-001 | Deprecation headers for exporter APIs. | -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-63-001 | Deprecation headers for ledger APIs. | -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-63-001 | Emit deprecation notifications. | -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OAS-63-001 | Add orchestrator deprecation headers. 
| -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Sdk/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-64-001 | Production rollout of notifications feed. | -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-63-001 | Add Task Runner deprecation headers. | -| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-63-001 | Implement deprecation headers in gateway. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-001 | Publish `/docs/risk/overview.md`. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-002 | Publish `/docs/risk/profiles.md`. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-003 | Publish `/docs/risk/factors.md`. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-004 | Publish `/docs/risk/formulas.md`. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-66-001 | Implement CLI profile management commands. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-66-002 | Implement CLI simulation command. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-RISK-66-001 | Expose CVSS/KEV provider data. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-RISK-66-002 | Provide fix availability signals. 
| -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-RISK-66-001 | Supply VEX gating data to risk engine. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-RISK-66-002 | Provide reachability inputs. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-66-001 | Add risk scoring columns/indexes. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-66-002 | Implement deterministic scoring upserts. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-66-001 | Create risk severity alert templates. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-66-003 | Integrate schema validation into Policy Engine. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Policy/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-66-001 | Deliver RiskProfile schema + validators. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Policy/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-66-002 | Implement inheritance/merge and hashing. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-RISK-66-004 | Extend Policy libraries for RiskProfile handling. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-66-001 | Scaffold risk engine queue/worker/registry. 
| -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-66-002 | Implement transforms/gates/contribution calculator. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-66-001 | Expose risk API routing in gateway. | -| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-66-002 | Handle explainability downloads. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-001 | Publish explainability doc. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-002 | Publish risk API doc. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-003 | Publish console risk UI doc. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-004 | Publish CLI risk doc. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-67-001 | Provide risk results query command. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-RISK-67-001 | Add source consensus metrics. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-RISK-67-001 | Add VEX explainability metadata. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-67-001 | Notify on profile publish/deprecate. 
| -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | (Prep) risk routing settings seeds. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-67-001 | Enqueue scoring on new findings. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-67-002 | Deliver profile lifecycle APIs. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Policy/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-67-001 | Integrate profiles into policy store lifecycle. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Policy/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-67-002 | Publish schema endpoint + validation tooling. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-RISK-67-003 | Provide simulation orchestration APIs. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-67-001 | Integrate CVSS/KEV providers. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-67-002 | Integrate VEX gate provider. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-67-003 | Add fix availability/criticality/exposure providers. | -| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-67-001 | Provide risk status endpoint. 
| -| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-68-001 | Publish risk bundle doc. | -| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-68-002 | Update AOC invariants doc. | -| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-68-001 | Add risk bundle verification command. | -| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-67-001 | Provide scored findings query API. | -| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-68-001 | Enable scored findings export. | -| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | Configure risk notification routing UI/logic. | -| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-68-001 | Ship simulation API endpoint. | -| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-RISK-68-002 | Support profile export/import. | -| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-68-001 | Persist scoring results & explanations. | -| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-68-002 | Expose jobs/results/explanations APIs. | -| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-68-001 | Emit severity transition events via gateway. 
| -| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-001..004 | (Carry) ensure docs updated from simulation release. | -| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-69-001 | Build risk bundle. | -| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-69-002 | Integrate bundle into pipelines. | -| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-RISK-69-002 | Enable simulation report exports. | -| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-66-001 | (Completion) finalize severity alert templates. | -| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-69-001 | Implement simulation mode. | -| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-69-002 | Add telemetry/metrics dashboards. | -| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-68-001 | (Carry) finalize risk bundle doc after verification CLI. | -| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-70-001 | Provide bundle verification CLI. 
| -| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-70-002 | Publish documentation. | -| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-RISK-70-001 | Integrate risk bundle into offline kit. | -| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | Finalize risk alert routing UI. | -| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-70-001 | Support offline provider bundles. | -| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-70-002 | Integrate runtime/reachability providers. | -| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-001..68-002 | Final editorial pass on risk documentation set. | -| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-66-001..68-001 | Harden CLI commands with integration tests and error handling. | -| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-69-001 | Finalize dashboards and alerts for scoring latency. | -| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | Tune routing/quiet hour dedupe for risk alerts. 
| -| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-69-002 | Optimize performance, cache, and incremental scoring; validate SLOs. | -| Sprint 72 | Attestor Console Phase 1 – Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-73-001 | (Prep) align CI secrets for Attestor service. | -| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-72-001 | Implement DSSE canonicalization and hashing helpers. | -| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-72-002 | Support compact/expanded output and detached payloads. | -| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor.Types/TASKS.md | TODO | Attestation Payloads Guild | ATTEST-TYPES-72-001 | Draft schemas for all attestation payload types. | -| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor.Types/TASKS.md | TODO | Attestation Payloads Guild | ATTEST-TYPES-72-002 | Generate models/validators from schemas. | -| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-72-001 | Scaffold attestor service skeleton. | -| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-72-002 | Implement attestation store + storage integration. | | Sprint 72 | Attestor Console Phase 1 – Foundations | src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md | DONE | KMS Guild | KMS-72-001 | Implement KMS interface + file driver. 
| -| Sprint 73 | Attestor CLI Phase 2 – Signing & Policies | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-73-001 | Implement `stella attest sign` (payload selection, subject digest, key reference, output format) using official SDK transport. | -| Sprint 73 | Attestor CLI Phase 2 – Signing & Policies | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-73-002 | Implement `stella attest verify` with policy selection, explainability output, and JSON/table formatting. | -| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-001 | Publish attestor overview. | -| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-002 | Publish payload docs. | -| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-003 | Publish policies doc. | -| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-004 | Publish workflows doc. | -| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Attestor/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-73-001 | Add signing/verification helpers with KMS integration. | -| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Attestor/StellaOps.Attestor.Types/TASKS.md | TODO | Attestation Payloads Guild | ATTEST-TYPES-73-001 | Create golden payload fixtures. | -| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-73-001 | Ship signing endpoint. | -| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-73-002 | Ship verification pipeline and reports. 
| -| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-73-003 | Implement list/fetch APIs. | -| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md | DONE (2025-10-30) | KMS Guild | KMS-72-002 | CLI support for key import/export. | -| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ATTEST-73-001 | Implement VerificationPolicy lifecycle. | -| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ATTEST-73-002 | Surface policies in Policy Studio. | -| Sprint 74 | Attestor CLI Phase 3 – Transparency & Chain of Custody | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-74-001 | Implement `stella attest list` with filters (subject, type, issuer, scope) and pagination. | -| Sprint 74 | Attestor CLI Phase 3 – Transparency & Chain of Custody | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-74-002 | Implement `stella attest fetch` to download envelopes and payloads to disk. | -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-001 | Publish keys & issuers doc. | -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-002 | Publish transparency doc. | -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-003 | Publish console attestor UI doc. | -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-004 | Publish CLI attest doc. 
| -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-74-001 | Deploy transparency witness infra. | -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-73-002 | Run fuzz tests for envelope handling. | -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor.Verify/TASKS.md | TODO | Verification Guild | ATTEST-VERIFY-74-001 | Add telemetry for verification pipeline. | -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor.Verify/TASKS.md | TODO | Verification Guild | ATTEST-VERIFY-74-002 | Document verification explainability. | -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-74-001 | Integrate transparency witness client. | -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-74-002 | Implement bulk verification worker. | -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md | TODO | Attestation Bundle Guild | EXPORT-ATTEST-74-001 | Build attestation bundle export job. | -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-ATTEST-74-001 | Add verification/key notifications. | -| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-ATTEST-74-002 | Notify key rotation/revocation. 
| -| Sprint 75 | Attestor CLI Phase 4 – Air Gap & Bulk | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild, Export Guild | CLI-ATTEST-75-002 | Add support for building/verifying attestation bundles in CLI. | -| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-75-001 | Publish attestor airgap doc. | -| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-75-002 | Update AOC invariants for attestations. | -| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-74-002 | Integrate bundle builds into release/offline pipelines. | -| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-75-001 | Dashboards/alerts for attestor metrics. | -| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-75-001 | Support attestation bundle export/import for air gap. | -| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-75-002 | Harden APIs (rate limits, fuzz tests, threat model actions). | -| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md | TODO | Attestation Bundle Guild | EXPORT-ATTEST-75-001 | CLI bundle verify/import. | -| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md | TODO | Attestation Bundle Guild | EXPORT-ATTEST-75-002 | Document attestor airgap workflow. | +# Sprint Index + +Follow the sprint files below in order. Update task status in both `SPRINTS` and module `TASKS.md` as you progress. 
+ +- [Identity & Signing](./SPRINT_100_identity_signing.md) +- [Ingestion & Evidence](./SPRINT_110_ingestion_evidence.md) +- [Policy & Reasoning](./SPRINT_120_policy_reasoning.md) +- [Scanner & Surface](./SPRINT_130_scanner_surface.md) +- [Runtime & Signals](./SPRINT_140_runtime_signals.md) +- [Scheduling & Automation](./SPRINT_150_scheduling_automation.md) +- [Export & Evidence](./SPRINT_160_export_evidence.md) +- [Notifications & Telemetry](./SPRINT_170_notifications_telemetry.md) +- [Experience & SDKs](./SPRINT_180_experience_sdks.md) +- [Ops & Offline](./SPRINT_190_ops_offline.md) +- [Documentation & Process](./SPRINT_200_documentation_process.md) diff --git a/docs/implplan/SPRINTS_PRIOR_20251031.md b/docs/implplan/SPRINTS_PRIOR_20251031.md new file mode 100644 index 00000000..eb86f30e --- /dev/null +++ b/docs/implplan/SPRINTS_PRIOR_20251031.md 
@@ -0,0 +1,1099 @@ +This file describe implementation of Stella Ops (docs/README.md). Implementation must respect rules from AGENTS.md (read if you have not). + +| Sprint | Theme | Tasks File Path | Status | Type of Specialist | Task ID | Task Description | +| --- | --- | --- | --- | --- | --- | --- | +| Sprint 16 | Scheduler Intelligence | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | DOING (2025-10-27) | Scheduler Worker Guild | SCHED-WORKER-16-201 | Planner loop (cron/event triggers, leases, fairness). | +| Sprint 17 | Symbol Intelligence & Forensics | ops/offline-kit/TASKS.md | BLOCKED (2025-10-26) | Offline Kit Guild, DevOps Guild | DEVOPS-OFFLINE-17-004 | Run mirror_debug_store.py once release artefacts exist and archive verification evidence with the Offline Kit. | +| Sprint 17 | Symbol Intelligence & Forensics | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild | DEVOPS-REL-17-004 | Ensure release workflow publishes `out/release/debug` (build-id tree + manifest) and fails when symbols are missing. | +> DOCS-AOC-19-004: Architecture overview & policy-engine docs refreshed 2025-10-26 — reuse new AOC boundary diagram + metrics guidance. +> DOCS-AOC-19-005: Link to the new AOC reference and architecture overview; include exit code table sourced from those docs. +| Sprint 19 | Aggregation-Only Contract Enforcement | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild, Platform Guild | DEVOPS-AOC-19-001 | Integrate AOC analyzer/guard enforcement into CI pipelines. | +| Sprint 19 | Aggregation-Only Contract Enforcement | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild | DEVOPS-AOC-19-002 | Add CI stage running `stella aoc verify` against seeded snapshots. | +| Sprint 19 | Aggregation-Only Contract Enforcement | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild, QA Guild | DEVOPS-AOC-19-003 | Enforce guard coverage thresholds and export metrics to dashboards. 
| +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Cli/StellaOps.Cli/TASKS.md | DOING (2025-10-27) | DevEx/CLI Guild | CLI-AOC-19-001 | Implement `stella sources ingest --dry-run` command. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AOC-19-002 | Implement `stella aoc verify` command with exit codes. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Cli/StellaOps.Cli/TASKS.md | TODO | Docs/CLI Guild | CLI-AOC-19-003 | Update CLI reference and quickstart docs for new AOC commands. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-001 | Implement AOC repository guard rejecting forbidden fields. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-002 | Deliver deterministic linkset extraction for advisories. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-003 | Enforce idempotent append-only upsert with supersedes pointers. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | DOING (2025-10-28) | Concelier Core Guild | CONCELIER-CORE-AOC-19-004 | Remove ingestion normalization; defer derived logic to Policy Engine. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-CORE-AOC-19-013 | Extend smoke coverage to validate tenant-scoped Authority tokens and cross-tenant rejection. 
| +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-001 | Add Mongo schema validator for `advisory_raw`. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-002 | Create idempotency unique index backed by migration scripts. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-STORE-AOC-19-003 | Deliver append-only migration/backfill plan with supersedes chaining. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild, DevOps Guild | CONCELIER-STORE-AOC-19-004 | Document validator deployment steps for online/offline clusters. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild, Observability Guild | CONCELIER-WEB-AOC-19-002 | Emit AOC observability metrics, traces, and structured logs. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | QA Guild | CONCELIER-WEB-AOC-19-003 | Add schema/guard unit tests covering AOC error codes. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild, QA Guild | CONCELIER-WEB-AOC-19-004 | Build integration suite validating deterministic ingest under load. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-001 | Introduce VEX repository guard enforcing AOC invariants. 
| +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-002 | Build deterministic VEX linkset extraction. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-003 | Enforce append-only idempotent VEX raw upserts. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-004 | Remove ingestion consensus logic; rely on Policy Engine. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-CORE-AOC-19-013 | Update smoke suites to enforce tenant-scoped Authority tokens and cross-tenant VEX rejection. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-001 | Add Mongo schema validator for `vex_raw`. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-002 | Create idempotency unique index for VEX raw documents. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-STORE-AOC-19-003 | Deliver append-only migration/backfill for VEX raw collections. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild, DevOps Guild | EXCITITOR-STORE-AOC-19-004 | Document validator deployment for Excititor clusters/offline kit. 
| +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-AOC-19-001 | Implement raw VEX ingestion and AOC verifier endpoints. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild, Observability Guild | EXCITITOR-WEB-AOC-19-002 | Emit AOC metrics/traces/logging for Excititor ingestion. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | QA Guild | EXCITITOR-WEB-AOC-19-003 | Add AOC guard test harness for VEX schemas. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild, QA Guild | EXCITITOR-WEB-AOC-19-004 | Validate large VEX ingest runs and CLI verification parity. | +| Sprint 41 | Surface Sharing Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS/TASKS.md | TODO | Scanner Guild, Zastava Guild | SURFACE-FS-01 | Author Surface.FS cache specification and cross-module contract. | +| Sprint 41 | Surface Sharing Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env/TASKS.md | TODO | Scanner Guild, Ops Guild, Zastava Guild | SURFACE-ENV-01 | Draft Surface.Env variable matrix for Scanner/Zastava deployments. | +| Sprint 41 | Surface Sharing Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/TASKS.md | TODO | Scanner Guild, Security Guild, Zastava Guild | SURFACE-SECRETS-01 | Define Surface.Secrets schema and rotation guidance. | +| Sprint 41 | Surface Sharing Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/TASKS.md | TODO | Scanner Guild, Security Guild | SURFACE-VAL-01 | Design validator framework for shared Surface checks and extensibility. 
| +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-WORKER-AOC-19-001 | Rewire worker to persist raw VEX docs with guard enforcement. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Excititor/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-WORKER-AOC-19-002 | Enforce signature/checksum verification prior to raw writes. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-AOC-19-001 | Add lint preventing ingestion modules from referencing Policy-only helpers. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild, Security Guild | POLICY-AOC-19-002 | Enforce Policy-only writes to `effective_finding_*` collections. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-AOC-19-003 | Update Policy readers to consume only raw document fields. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild, QA Guild | POLICY-AOC-19-004 | Add determinism tests for raw-driven policy recomputation. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-AOC-19-001 | Add Sources dashboard tiles surfacing AOC status and violations. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-AOC-19-002 | Build violation drill-down view for offending documents. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-AOC-19-003 | Wire "Verify last 24h" action and CLI parity messaging. 
| +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Web/StellaOps.Web/TASKS.md | DOING (2025-10-26) | BE-Base Platform Guild | WEB-AOC-19-001 | Provide shared AOC forbidden key set and guard middleware. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AOC-19-002 | Ship provenance builder and signature helpers for ingestion services. | +| Sprint 19 | Aggregation-Only Contract Enforcement | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, QA Guild | WEB-AOC-19-003 | Author analyzer + shared test fixtures for guard compliance. | +| Sprint 20 | Policy Engine v2 | ops/devops/TASKS.md | BLOCKED (waiting on POLICY-ENGINE-20-006) | DevOps Guild | DEVOPS-POLICY-20-002 | Run `stella policy simulate` CI stage against golden SBOMs. | +| Sprint 20 | Policy Engine v2 | src/Bench/StellaOps.Bench/TASKS.md | BLOCKED (waiting on SCHED-WORKER-20-302) | Bench Guild, Scheduler Guild | BENCH-POLICY-20-002 | Add incremental run benchmark capturing delta SLA compliance. | +| Sprint 20 | Policy Engine v2 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild, Docs Guild | CLI-POLICY-20-003 | Extend `stella findings` commands with policy filters and explain view. | +> 2025-10-27: Backend helpers drafted but command integration/tests pending; task reset to TODO awaiting follow-up. +| Sprint 20 | Policy Engine v2 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-POLICY-20-002 | Strengthen linkset builders with equivalence tables + range parsing. | +| Sprint 20 | Policy Engine v2 | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-POLICY-20-003 | Add advisory selection cursors + change-stream checkpoints for policy runs. 
| +| Sprint 20 | Policy Engine v2 | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-POLICY-20-001 | Provide advisory selection endpoints for policy engine (batch PURL/ID). | +| Sprint 20 | Policy Engine v2 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-POLICY-20-002 | Enhance VEX linkset scope + version resolution for policy accuracy. | +| Sprint 20 | Policy Engine v2 | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-POLICY-20-003 | Introduce VEX selection cursors + change-stream checkpoints. | +| Sprint 20 | Policy Engine v2 | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-POLICY-20-001 | Ship VEX selection APIs aligned with policy join requirements. | +| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | BLOCKED (2025-10-26) | Policy Guild | POLICY-ENGINE-20-002 | Implement deterministic rule evaluator with priority/first-match semantics. | +| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Concelier Core, Excititor Core | POLICY-ENGINE-20-003 | Build SBOM↔advisory↔VEX linkset joiners with deterministic batching. | +| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Storage Guild | POLICY-ENGINE-20-004 | Materialize effective findings with append-only history and tenant scoping. | +| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Security Guild | POLICY-ENGINE-20-005 | Enforce determinism guard banning wall-clock, RNG, and network usage. | +| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Scheduler Guild | POLICY-ENGINE-20-006 | Implement incremental orchestrator reacting to change streams. 
| +| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Observability Guild | POLICY-ENGINE-20-007 | Emit policy metrics, traces, and sampled rule-hit logs. | +| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, QA Guild | POLICY-ENGINE-20-008 | Add unit/property/golden/perf suites verifying determinism + SLA. | +| Sprint 20 | Policy Engine v2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Storage Guild | POLICY-ENGINE-20-009 | Define Mongo schemas/indexes + migrations for policies/runs/findings. | +| Sprint 20 | Policy Engine v2 | src/Scheduler/__Libraries/StellaOps.Scheduler.Models/TASKS.md | TODO | Scheduler Models Guild | SCHED-MODELS-20-002 | Update schema docs with policy run lifecycle samples. | +| Sprint 20 | Policy Engine v2 | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-WEB-20-001 | Expose policy run scheduling APIs with scope enforcement. | +| Sprint 20 | Policy Engine v2 | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-WEB-20-002 | Provide simulation trigger endpoint returning diff metadata. | +| Sprint 20 | Policy Engine v2 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-20-301 | Schedule policy runs via API with idempotent job tracking. | +| Sprint 20 | Policy Engine v2 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-20-302 | Implement delta targeting leveraging change streams + policy metadata. | +| Sprint 20 | Policy Engine v2 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild, Observability Guild | SCHED-WORKER-20-303 | Expose policy scheduling metrics/logs with policy/run identifiers. 
| +| Sprint 20 | Policy Engine v2 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-POLICY-20-001 | Ship Monaco-based policy editor with inline diagnostics + checklists. | +| Sprint 20 | Policy Engine v2 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-POLICY-20-002 | Build simulation panel with deterministic diff rendering + virtualization. | +| Sprint 20 | Policy Engine v2 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild, Product Ops | UI-POLICY-20-003 | Implement submit/review/approve workflow with RBAC + audit trail. | +| Sprint 20 | Policy Engine v2 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild, Observability Guild | UI-POLICY-20-004 | Add run dashboards (heatmap/VEX wins/suppressions) with export. | +| Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-20-001 | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints. | +| Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-20-002 | Add pagination, filters, deterministic ordering to policy listings. | +| Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, QA Guild | WEB-POLICY-20-003 | Map engine errors to `ERR_POL_*` responses with contract tests. | +| Sprint 20 | Policy Engine v2 | src/Web/StellaOps.Web/TASKS.md | TODO | Platform Reliability Guild | WEB-POLICY-20-004 | Introduce rate limits/quotas + metrics for simulation endpoints. | +| Sprint 21 | Graph Explorer v1 | src/Bench/StellaOps.Bench/TASKS.md | BLOCKED (2025-10-27) | Bench Guild, Graph Platform Guild | BENCH-GRAPH-21-001 | Graph viewport/path perf harness (50k/100k nodes) measuring Graph API/Indexer latency and cache hit rates. Executed within Sprint 28 Graph program. Upstream Graph API/indexer contracts (`GRAPH-API-28-003`, `GRAPH-INDEX-28-006`) still pending, so benchmarks cannot target stable endpoints yet. 
| +| Sprint 21 | Graph Explorer v1 | src/Bench/StellaOps.Bench/TASKS.md | BLOCKED (2025-10-27) | Bench Guild, UI Guild | BENCH-GRAPH-21-002 | Headless UI load benchmark for graph canvas interactions (Playwright) tracking render FPS budgets. Executed within Sprint 28 Graph program. Depends on BENCH-GRAPH-21-001 and UI Graph Explorer (`UI-GRAPH-24-001`), both pending. | +| Sprint 21 | Graph Explorer v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | BLOCKED (2025-10-27) | Concelier Core Guild | CONCELIER-GRAPH-21-001 | Enrich SBOM normalization with relationships, scopes, entrypoint annotations for Cartographer. Requires finalized schemas from `CONCELIER-POLICY-20-002` and Cartographer event contract (`CARTO-GRAPH-21-002`). | +| Sprint 21 | Graph Explorer v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | BLOCKED (2025-10-27) | Concelier Core & Scheduler Guilds | CONCELIER-GRAPH-21-002 | Publish SBOM change events with tenant metadata for graph builds. Awaiting projection schema from `CONCELIER-GRAPH-21-001` and Cartographer webhook expectations. | +| Sprint 21 | Graph Explorer v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | BLOCKED (2025-10-27) | Excititor Core Guild | EXCITITOR-GRAPH-21-001 | Deliver batched VEX/advisory fetch helpers for inspector linkouts. Waiting on linkset enrichment (`EXCITITOR-POLICY-20-002`) and Cartographer inspector contract (`CARTO-GRAPH-21-005`). | +| Sprint 21 | Graph Explorer v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | BLOCKED (2025-10-27) | Excititor Core Guild | EXCITITOR-GRAPH-21-002 | Enrich overlay metadata with VEX justification summaries for graph overlays. Depends on `EXCITITOR-GRAPH-21-001` and Policy overlay schema (`POLICY-ENGINE-30-001`). 
| +| Sprint 21 | Graph Explorer v1 | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | BLOCKED (2025-10-27) | Excititor Storage Guild | EXCITITOR-GRAPH-21-005 | Create indexes/materialized views for VEX lookups by PURL/policy. Awaiting access pattern specs from `EXCITITOR-GRAPH-21-001`. | +| Sprint 21 | Graph Explorer v1 | src/SbomService/StellaOps.SbomService/TASKS.md | BLOCKED (2025-10-27) | SBOM Service Guild | SBOM-SERVICE-21-001 | Expose normalized SBOM projection API with relationships, scopes, entrypoints. Waiting on Concelier projection schema (`CONCELIER-GRAPH-21-001`). | +| Sprint 21 | Graph Explorer v1 | src/SbomService/StellaOps.SbomService/TASKS.md | BLOCKED (2025-10-27) | SBOM Service & Scheduler Guilds | SBOM-SERVICE-21-002 | Emit SBOM version change events for Cartographer build queue. Depends on SBOM projection API (`SBOM-SERVICE-21-001`) and Scheduler contracts. | +| Sprint 21 | Graph Explorer v1 | src/SbomService/StellaOps.SbomService/TASKS.md | BLOCKED (2025-10-27) | SBOM Service Guild | SBOM-SERVICE-21-003 | Provide entrypoint management API with tenant overrides. Blocked by SBOM projection API contract. | +| Sprint 21 | Graph Explorer v1 | src/SbomService/StellaOps.SbomService/TASKS.md | BLOCKED (2025-10-27) | SBOM Service & Observability Guilds | SBOM-SERVICE-21-004 | Add metrics/traces/logs for SBOM projections. Requires projection pipeline from `SBOM-SERVICE-21-001`. | +| Sprint 21 | Graph Explorer v1 | src/Web/StellaOps.Web/TASKS.md | BLOCKED (2025-10-27) | BE-Base Platform Guild | WEB-GRAPH-21-001 | Add gateway routes for graph APIs with scope enforcement and streaming. Upstream Graph API (`GRAPH-API-28-003`) and Authority scope work (`AUTH-VULN-24-001`) pending. | +| Sprint 21 | Graph Explorer v1 | src/Web/StellaOps.Web/TASKS.md | BLOCKED (2025-10-27) | BE-Base Platform Guild | WEB-GRAPH-21-002 | Implement bbox/zoom/path validation and pagination for graph endpoints. Depends on core proxy routes. 
| +| Sprint 21 | Graph Explorer v1 | src/Web/StellaOps.Web/TASKS.md | BLOCKED (2025-10-27) | BE-Base Platform & QA Guilds | WEB-GRAPH-21-003 | Map graph errors to `ERR_Graph_*` and support export streaming. Requires `WEB-GRAPH-21-001`. | +| Sprint 21 | Graph Explorer v1 | src/Web/StellaOps.Web/TASKS.md | BLOCKED (2025-10-27) | BE-Base & Policy Guilds | WEB-GRAPH-21-004 | Wire Policy Engine simulation overlays into graph responses. Waiting on Graph routes and Policy overlay schema (`POLICY-ENGINE-30-002`). | +| Sprint 22 | Link-Not-Merge v1 | docs/TASKS.md | BLOCKED (2025-10-27) | Docs Guild | DOCS-LNM-22-001 | Publish advisories aggregation doc with observation/linkset philosophy. | +> Blocked by `CONCELIER-LNM-21-001..003`; draft doc exists but final alignment waits for schema/API delivery. +| Sprint 22 | Link-Not-Merge v1 | docs/TASKS.md | BLOCKED (2025-10-27) | Docs Guild | DOCS-LNM-22-002 | Publish VEX aggregation doc describing observation/linkset flow. | +> Blocked by `EXCITITOR-LNM-21-001..003`; draft doc staged pending observation/linkset implementation. +| Sprint 22 | Link-Not-Merge v1 | docs/TASKS.md | BLOCKED (2025-10-27) | Docs Guild | DOCS-LNM-22-005 | Document UI evidence panel with conflict badges/AOC drill-down. | +> Blocked by `UI-LNM-22-001..003`; need shipping UI to capture screenshots and finalize guidance. +| Sprint 22 | Link-Not-Merge v1 | ops/devops/TASKS.md | BLOCKED (2025-10-27) | DevOps Guild | DEVOPS-LNM-22-001 | Execute advisory observation/linkset migration/backfill and automation. | +| Sprint 22 | Link-Not-Merge v1 | ops/devops/TASKS.md | BLOCKED (2025-10-27) | DevOps Guild | DEVOPS-LNM-22-002 | Run VEX observation/linkset migration/backfill with monitoring/runbook. | +| Sprint 22 | Link-Not-Merge v1 | samples/TASKS.md | BLOCKED (2025-10-27) | Samples Guild | SAMPLES-LNM-22-001 | Add advisory observation/linkset fixtures with conflicts. 
| +| Sprint 22 | Link-Not-Merge v1 | samples/TASKS.md | BLOCKED (2025-10-27) | Samples Guild | SAMPLES-LNM-22-002 | Add VEX observation/linkset fixtures with status disagreements. | +| Sprint 22 | Link-Not-Merge v1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-AOC-22-001 | Roll out new advisory/vex ingest/read scopes. | +| Sprint 22 | Link-Not-Merge v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-LNM-22-001 | Implement advisory observation/linkset CLI commands with JSON/OSV export. | +| Sprint 22 | Link-Not-Merge v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-LNM-22-002 | Implement VEX observation/linkset CLI commands. | +| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-LNM-21-001 | Define immutable advisory observation schema with AOC metadata. | +| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild, Data Science Guild | CONCELIER-LNM-21-002 | Implement advisory linkset builder with correlation signals/conflicts. | +| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md | TODO | BE-Merge | MERGE-LNM-21-002 | Deprecate merge service and enforce observation-only pipeline. | +| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage Guild | CONCELIER-LNM-21-101 | Provision observations/linksets collections and indexes. | +| Sprint 22 | Link-Not-Merge v1 | src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md | TODO | Concelier Storage & DevOps Guilds | CONCELIER-LNM-21-102 | Backfill legacy merged advisories into observations/linksets with rollback tooling. 
| +| Sprint 22 | Link-Not-Merge v1 | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-LNM-21-201 | Ship advisory observation read APIs with pagination/RBAC. | +| Sprint 22 | Link-Not-Merge v1 | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-LNM-21-202 | Implement advisory linkset read/export/evidence endpoints mapped to `ERR_AGG_*`. | +| Sprint 22 | Link-Not-Merge v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-LNM-21-001 | Define immutable VEX observation model. | +| Sprint 22 | Link-Not-Merge v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-LNM-21-002 | Build VEX linkset correlator with confidence/conflict recording. | +| Sprint 22 | Link-Not-Merge v1 | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage Guild | EXCITITOR-LNM-21-101 | Provision VEX observation/linkset collections and indexes. | +| Sprint 22 | Link-Not-Merge v1 | src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md | TODO | Excititor Storage & DevOps Guilds | EXCITITOR-LNM-21-102 | Backfill legacy VEX data into observations/linksets with rollback scripts. | +| Sprint 22 | Link-Not-Merge v1 | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-LNM-21-201 | Expose VEX observation APIs with filters/pagination and RBAC. | +| Sprint 22 | Link-Not-Merge v1 | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-LNM-21-202 | Implement VEX linkset endpoints + exports with evidence payloads. | +| Sprint 22 | Link-Not-Merge v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-40-001 | Update severity selection to handle multiple source severities per linkset. 
| +| Sprint 22 | Link-Not-Merge v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Excititor Guild | POLICY-ENGINE-40-002 | Integrate VEX linkset conflicts into effective findings/explain traces. | +| Sprint 22 | Link-Not-Merge v1 | src/Scanner/StellaOps.Scanner.WebService/TASKS.md | TODO | Scanner WebService Guild | SCANNER-LNM-21-001 | Update report/runtime payloads to consume linksets and surface source evidence. | +| Sprint 22 | Link-Not-Merge v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-LNM-22-001 | Deliver Evidence panel with policy banner and source observations. | +| Sprint 22 | Link-Not-Merge v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-LNM-22-003 | Add VEX evidence tab with conflict indicators and exports. | +| Sprint 22 | Link-Not-Merge v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-LNM-21-001 | Surface advisory observation/linkset APIs through gateway with RBAC. | +| Sprint 22 | Link-Not-Merge v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-LNM-21-002 | Expose VEX observation/linkset endpoints with export handling. | +| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-015 | Produce `/docs/architecture/console.md` describing packages, data flow, SSE design. | +| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-017 | Create `/docs/examples/ui-tours.md` walkthroughs with annotated screenshots/GIFs. | +| Sprint 23 | StellaOps Console | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-23-018 | Execute console security checklist and record Security Guild sign-off. | +| Sprint 23 | StellaOps Console | ops/deployment/TASKS.md | TODO | Deployment Guild | DOWNLOADS-CONSOLE-23-001 | Maintain signed downloads manifest pipeline feeding Console + docs parity checks. 
| +| Sprint 23 | StellaOps Console | ops/devops/TASKS.md | BLOCKED (2025-10-26) | DevOps Guild | DEVOPS-CONSOLE-23-001 | Stand up console CI pipeline (pnpm cache, lint, tests, Playwright, Lighthouse, offline runners). | +| Sprint 23 | StellaOps Console | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONSOLE-23-002 | Deliver `stella-console` container + Helm overlays with SBOM/provenance and offline packaging. | +| Sprint 23 | StellaOps Console | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-CONSOLE-23-001 | Register Console OIDC client with PKCE, scopes, short-lived tokens, and offline defaults. | +| Sprint 23 | StellaOps Console | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-CONSOLE-23-002 | Provide tenant catalog/user profile endpoints with audit logging and fresh-auth requirements. | +| Sprint 23 | StellaOps Console | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-CONSOLE-23-003 | Update security docs/sample configs for Console flows, CSP, and session policies. | +| Sprint 23 | StellaOps Console | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-001 | Surface `/console/advisories` aggregation views with per-source metadata and filters. | +| Sprint 23 | StellaOps Console | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-002 | Provide advisory delta metrics API for dashboard + live status ticker. | +| Sprint 23 | StellaOps Console | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-CONSOLE-23-003 | Add search helpers for CVE/GHSA/PURL lookups returning evidence fragments. 
| +| Sprint 23 | StellaOps Console | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-CONSOLE-23-001 | Expose `/console/vex` aggregation endpoints with precedence and provenance. | +| Sprint 23 | StellaOps Console | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-CONSOLE-23-002 | Publish VEX override delta metrics feeding dashboard/status ticker. | +| Sprint 23 | StellaOps Console | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-CONSOLE-23-003 | Implement VEX search helpers for global search and explain drill-downs. | +| Sprint 23 | StellaOps Console | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Scheduler Guild | EXPORT-CONSOLE-23-001 | Implement evidence bundle/export generator with signed manifests and telemetry. | +| Sprint 23 | StellaOps Console | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-CONSOLE-23-001 | Optimize findings/explain APIs for Console filters, aggregation hints, and provenance traces. | +| Sprint 23 | StellaOps Console | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild, Product Ops | POLICY-CONSOLE-23-002 | Expose simulation diff + approval state metadata for policy workspace scenarios. | +| Sprint 23 | StellaOps Console | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-CONSOLE-23-001 | Deliver Console SBOM catalog API with filters, evaluation metadata, and raw projections. | +| Sprint 23 | StellaOps Console | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-CONSOLE-23-002 | Provide component lookup/neighborhood endpoints for global search and overlays. 
| +| Sprint 23 | StellaOps Console | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-CONSOLE-23-001 | Extend runs API with SSE progress, queue lag summaries, RBAC actions, and history pagination. | +| Sprint 23 | StellaOps Console | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-CONSOLE-23-201 | Stream run progress events with heartbeat/dedupe for Console SSE consumers. | +| Sprint 23 | StellaOps Console | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-CONSOLE-23-202 | Coordinate evidence bundle job queueing, status tracking, cancellation, and retention. | +| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONSOLE-23-001 | Ship `/console/dashboard` + `/console/filters` aggregates with tenant scoping and deterministic totals. | +| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, Scheduler Guild | WEB-CONSOLE-23-002 | Provide `/console/status` polling and `/console/runs/{id}/stream` SSE proxy with heartbeat/backoff. | +| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, Policy Guild | WEB-CONSOLE-23-003 | Expose `/console/exports` orchestration for evidence bundles, CSV/JSON streaming, manifest retrieval. | +| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONSOLE-23-004 | Implement `/console/search` fan-out router for CVE/GHSA/PURL/SBOM lookups with caching and RBAC. | +| Sprint 23 | StellaOps Console | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, DevOps Guild | WEB-CONSOLE-23-005 | Serve `/console/downloads` manifest with signed image metadata and offline guidance. 
| +| Sprint 24 | Graph & Vuln Explorer v1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-VULN-24-001 | Extend scopes (`vuln:read`) and signed permalinks. | +> 2025-10-27: Scope enforcement spike paused; no production change landed. +| Sprint 24 | Graph & Vuln Explorer v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-GRAPH-24-001 | Surface raw advisory observations/linksets for overlay services (no derived aggregation in ingestion). | +> 2025-10-27: Prototype not merged (query layer + CLI consumer under review); resetting to TODO. +| Sprint 24 | Graph & Vuln Explorer v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-GRAPH-24-001 | Surface raw VEX statements/linksets for overlay services (no suppression/precedence logic here). | +| Sprint 24 | Graph & Vuln Explorer v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-60-001 | Maintain Redis effective decision maps for overlays. | +| Sprint 24 | Graph & Vuln Explorer v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-60-002 | Provide simulation bridge for graph what-if APIs. | +| Sprint 24 | Graph & Vuln Explorer v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-GRAPH-24-001 | Build Graph Explorer canvas with virtualization. | +| Sprint 24 | Graph & Vuln Explorer v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-GRAPH-24-002 | Implement overlays (Policy/Evidence/License/Exposure). | +| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-001 | Document exception governance concepts/workflow. | +| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-002 | Document approvals routing / MFA requirements. | +| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-003 | Publish API documentation for exceptions endpoints. 
| +| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-005 | Document UI exception center + badges. | +| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-006 | Update CLI docs for exception commands. | +| Sprint 25 | Exceptions v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXC-25-007 | Write migration guide for governed exceptions. | +| Sprint 25 | Exceptions v1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-EXC-25-001 | Introduce exception scopes and routing matrix with MFA. | +| Sprint 25 | Exceptions v1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-EXC-25-002 | Update docs/config samples for exception governance. | +| Sprint 25 | Exceptions v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXC-25-001 | Implement CLI exception workflow commands. | +| Sprint 25 | Exceptions v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXC-25-002 | Extend policy simulate with exception overrides. | +| Sprint 25 | Exceptions v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-002 | Create exception collections/bindings storage + repos. | +| Sprint 25 | Exceptions v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-003 | Implement Redis exception cache + invalidation. | +| Sprint 25 | Exceptions v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-004 | Add metrics/tracing/logging for exception application. | +| Sprint 25 | Exceptions v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-70-005 | Hook workers/events for activation/expiry. | +| Sprint 25 | Exceptions v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-25-101 | Implement exception lifecycle worker for activation/expiry. 
| +| Sprint 25 | Exceptions v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-25-102 | Add expiring notification job & metrics. | +| Sprint 25 | Exceptions v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-001 | Deliver Exception Center (list/kanban) with workflows. | +| Sprint 25 | Exceptions v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-002 | Build exception creation wizard with scope/timebox guardrails. | +| Sprint 25 | Exceptions v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-003 | Add inline exception drafting/proposing from explorers. | +| Sprint 25 | Exceptions v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-EXC-25-004 | Surface badges/countdowns/explain integration. | +| Sprint 25 | Exceptions v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXC-25-001 | Ship exception CRUD + workflow API endpoints. | +| Sprint 25 | Exceptions v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXC-25-002 | Extend policy endpoints to include exception metadata. | +| Sprint 25 | Exceptions v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXC-25-003 | Emit exception events/notifications with rate limits. | +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-001 | Document reachability concepts and scoring. | +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-002 | Document callgraph formats. | +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-003 | Document runtime facts ingestion. | +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-004 | Document policy weighting for signals. | +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-005 | Document UI overlays/timelines. 
| +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-006 | Document CLI reachability commands. | +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-007 | Publish API docs for signals endpoints. | +| Sprint 26 | Reachability v1 | docs/TASKS.md | TODO | Docs Guild | DOCS-SIG-26-008 | Write migration guide for enabling reachability. | +| Sprint 26 | Reachability v1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-SIG-26-001 | Provision pipelines/deployments for Signals service. | +| Sprint 26 | Reachability v1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-SIG-26-002 | Add dashboards/alerts for reachability metrics. | +| Sprint 26 | Reachability v1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-SIG-26-001 | Add signals scopes/roles + AOC requirements. | +| Sprint 26 | Reachability v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SIG-26-001 | Implement reachability CLI commands (upload/list/explain). | +| Sprint 26 | Reachability v1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SIG-26-002 | Add reachability overrides to policy simulate. | +| Sprint 26 | Reachability v1 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-SIG-26-001 | Expose advisory symbol metadata for signals scoring. | +| Sprint 26 | Reachability v1 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-SIG-26-001 | Surface vendor exploitability hints to Signals. | +| Sprint 26 | Reachability v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-001 | Integrate reachability inputs into policy evaluation and explainers. | +| Sprint 26 | Reachability v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-002 | Optimize reachability fact retrieval + cache. 
| +| Sprint 26 | Reachability v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-003 | Update SPL compiler for reachability predicates. | +| Sprint 26 | Reachability v1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-80-004 | Emit reachability metrics/traces. | +| Sprint 26 | Reachability v1 | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-SPL-24-001 | Extend SPL schema with reachability predicates/actions. | +| Sprint 26 | Reachability v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-26-201 | Implement reachability joiner worker. | +| Sprint 26 | Reachability v1 | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-26-202 | Implement staleness monitor + notifications. | +| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild, Authority Guild | SIGNALS-24-001 | Stand up Signals API skeleton with RBAC + health checks. Host scaffold ready, waiting on `AUTH-SIG-26-001` to finalize scope issuance and tenant enforcement. | +| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-002 | Implement callgraph ingestion/normalization pipeline. Waiting on SIGNALS-24-001 skeleton deployment. | +| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-003 | Ingest runtime facts and persist context data with AOC provenance. Depends on SIGNALS-24-001 base host. | +| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-004 | Deliver reachability scoring engine writing reachability facts. Blocked until ingestion pipelines unblock. 
| +| Sprint 26 | Reachability v1 | src/Signals/StellaOps.Signals/TASKS.md | BLOCKED (2025-10-27) | Signals Guild | SIGNALS-24-005 | Implement caches + signals events. Downstream of SIGNALS-24-004. | +| Sprint 26 | Reachability v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-001 | Add reachability columns/badges to Vulnerability Explorer. | +| Sprint 26 | Reachability v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-002 | Enhance Why drawer with call path/timeline. | +| Sprint 26 | Reachability v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-003 | Add reachability overlay/time slider to SBOM Graph. | +| Sprint 26 | Reachability v1 | src/UI/StellaOps.UI/TASKS.md | TODO | UI Guild | UI-SIG-26-004 | Build Reachability Center + missing sensor view. | +| Sprint 26 | Reachability v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-SIG-26-001 | Expose signals proxy endpoints with pagination and RBAC. | +| Sprint 26 | Reachability v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-SIG-26-002 | Join reachability data into policy/vuln responses. | +| Sprint 26 | Reachability v1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-SIG-26-003 | Support reachability overrides in simulate APIs. | +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Guilds | DOCS-POLICY-27-001 | Publish `/docs/policy/studio-overview.md` with lifecycle + roles. | +> Blocked by `REGISTRY-API-27-001` and `POLICY-ENGINE-27-001`; revisit once spec and compile enrichments land. +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Console Guilds | DOCS-POLICY-27-002 | Write `/docs/policy/authoring.md` with templates/snippets/lint rules. | +> Blocked by `CONSOLE-STUDIO-27-001` pending; waiting on Studio authoring UX. 
+| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Registry Guilds | DOCS-POLICY-27-003 | Document `/docs/policy/versioning-and-publishing.md`. | +> Blocked by `REGISTRY-API-27-007` pending publish/sign pipeline. +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Scheduler Guilds | DOCS-POLICY-27-004 | Publish `/docs/policy/simulation.md` with quick vs batch guidance. | +> Blocked by `REGISTRY-API-27-005`/`SCHED-WORKER-27-301` pending batch simulation. +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Product Ops | DOCS-POLICY-27-005 | Author `/docs/policy/review-and-approval.md`. | +> Blocked by `REGISTRY-API-27-006` review workflow outstanding. +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Guilds | DOCS-POLICY-27-006 | Publish `/docs/policy/promotion.md` covering canary + rollback. | +> Blocked by `REGISTRY-API-27-008` promotion APIs not ready. +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & DevEx/CLI Guilds | DOCS-POLICY-27-007 | Update `/docs/policy/cli.md` with new commands + JSON schemas. | +> Blocked by `CLI-POLICY-27-001..004` CLI commands missing. +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Registry Guilds | DOCS-POLICY-27-008 | Publish `/docs/policy/api.md` aligning with Registry OpenAPI. | +> Blocked by Registry OpenAPI (`REGISTRY-API-27-001..008`) incomplete. +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Security Guilds | DOCS-POLICY-27-009 | Create `/docs/security/policy-attestations.md`. | +> Blocked by `AUTH-POLICY-27-002` signing integration pending. +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Architecture Guilds | DOCS-POLICY-27-010 | Write `/docs/architecture/policy-registry.md`. | +> Blocked by `REGISTRY-API-27-001` & `SCHED-WORKER-27-301` not delivered. 
+| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Observability Guilds | DOCS-POLICY-27-011 | Publish `/docs/observability/policy-telemetry.md`. | +> Blocked by `DEVOPS-POLICY-27-004` observability work outstanding. +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Ops Guilds | DOCS-POLICY-27-012 | Write `/docs/runbooks/policy-incident.md`. | +> Blocked by `DEPLOY-POLICY-27-002` ops playbooks pending. +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Guilds | DOCS-POLICY-27-013 | Update `/docs/examples/policy-templates.md`. | +> Blocked by `CONSOLE-STUDIO-27-001`/`REGISTRY-API-27-002` templates missing. +| Sprint 27 | Policy Studio | docs/TASKS.md | BLOCKED (2025-10-27) | Docs & Policy Registry Guilds | DOCS-POLICY-27-014 | Refresh `/docs/aoc/aoc-guardrails.md` with Studio guardrails. | +> Blocked by `REGISTRY-API-27-003` & `WEB-POLICY-27-001` guardrails not implemented. +| Sprint 27 | Policy Studio | ops/deployment/TASKS.md | TODO | Deployment & Policy Registry Guilds | DEPLOY-POLICY-27-001 | Create Helm/Compose overlays for Policy Registry + workers with signing config. | +| Sprint 27 | Policy Studio | ops/deployment/TASKS.md | TODO | Deployment & Policy Guilds | DEPLOY-POLICY-27-002 | Document policy rollout/rollback playbooks in runbook. | +| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-POLICY-27-001 | Add CI stage for policy lint/compile/test + secret scanning and artifacts. | +| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps & Policy Registry Guilds | DEVOPS-POLICY-27-002 | Provide optional batch simulation CI job with drift gating + PR comment. | +| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps & Security Guilds | DEVOPS-POLICY-27-003 | Manage signing keys + attestation verification in pipelines. 
| +| Sprint 27 | Policy Studio | ops/devops/TASKS.md | TODO | DevOps & Observability Guilds | DEVOPS-POLICY-27-004 | Build dashboards/alerts for compile latency, queue depth, approvals, promotions. | +| Sprint 27 | Policy Studio | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core Guild | AUTH-POLICY-27-001 | Define Policy Studio roles/scopes for author/review/approve/operate/audit. | +| Sprint 27 | Policy Studio | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guilds | AUTH-POLICY-27-002 | Wire signing service + fresh-auth enforcement for publish/promote. | +| Sprint 27 | Policy Studio | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-POLICY-27-003 | Update authority configuration/docs for Policy Studio roles & signing. | +| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-001 | Implement policy workspace CLI commands (init, lint, compile, test). | +| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-002 | Add version bump, submit, review/approve CLI workflow commands. | +| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-003 | Extend simulate command for quick/batch runs, manifests, CI reports. | +| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-POLICY-27-004 | Implement publish/promote/rollback/sign CLI lifecycle commands. | +| Sprint 27 | Policy Studio | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI & Docs Guilds | CLI-POLICY-27-005 | Update CLI docs/reference for Policy Studio commands and schemas. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-001 | Return rule coverage, symbol table, docs, hashes from compile endpoint. 
| +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-002 | Enhance simulate outputs with heatmap, explain traces, delta summaries. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-003 | Enforce complexity/time limits with diagnostics. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-27-004 | Update tests/fixtures for coverage, symbol table, explain, complexity. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-001 | Define Policy Registry OpenAPI spec for workspaces, versions, reviews, simulations, promotions, attestations. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-002 | Implement workspace storage + CRUD with tenant retention policies. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-003 | Integrate compile pipeline storing diagnostics, symbol tables, complexity metrics. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-004 | Deliver quick simulation API with limits and deterministic outputs. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & Scheduler Guilds | REGISTRY-API-27-005 | Build batch simulation orchestration, reduction, and evidence bundle storage. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-006 | Implement review workflow with comments, required approvers, webhooks. 
| +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & Security Guilds | REGISTRY-API-27-007 | Ship publish/sign pipeline with attestations, immutable versions. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry Guild | REGISTRY-API-27-008 | Implement promotion/canary bindings per tenant/environment with rollback. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & Observability Guilds | REGISTRY-API-27-009 | Instrument metrics/logs/traces for compile, simulation, approval latency. | +| Sprint 27 | Policy Studio | src/Policy/StellaOps.Policy.Registry/TASKS.md | TODO | Policy Registry & QA Guilds | REGISTRY-API-27-010 | Build unit/integration/load test suites and seeded fixtures. | +| Sprint 27 | Policy Studio | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-CONSOLE-27-001 | Provide policy simulation orchestration endpoints with SSE + RBAC. | +| Sprint 27 | Policy Studio | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService & Observability Guilds | SCHED-CONSOLE-27-002 | Emit policy simulation telemetry endpoints/metrics + webhooks. | +| Sprint 27 | Policy Studio | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-27-301 | Implement batch simulation worker sharding SBOMs with retries/backoff. | +| Sprint 27 | Policy Studio | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-27-302 | Build reducer job aggregating shard outputs into manifests with checksums. | +| Sprint 27 | Policy Studio | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker & Security Guilds | SCHED-WORKER-27-303 | Enforce tenant isolation/attestation integration and secret scanning for jobs. 
| +| Sprint 27 | Policy Studio | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-27-001 | Proxy Policy Registry APIs with tenant scoping, RBAC, evidence streaming. | +| Sprint 27 | Policy Studio | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-POLICY-27-002 | Implement review lifecycle routes with audit logs and webhooks. | +| Sprint 27 | Policy Studio | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Scheduler Guilds | WEB-POLICY-27-003 | Expose quick/batch simulation endpoints with SSE progress + manifests. | +| Sprint 27 | Policy Studio | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Security Guilds | WEB-POLICY-27-004 | Add publish/promote/rollback endpoints with canary + signing enforcement. | +| Sprint 27 | Policy Studio | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Observability Guilds | WEB-POLICY-27-005 | Instrument Policy Studio metrics/logs for dashboards. | +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & SBOM Guilds | DOCS-GRAPH-28-001 | Publish `/docs/sbom/graph-explorer-overview.md`. | +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Console Guilds | DOCS-GRAPH-28-002 | Write `/docs/sbom/graph-using-the-console.md` with walkthrough + accessibility tips. | +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Graph API Guilds | DOCS-GRAPH-28-003 | Document `/docs/sbom/graph-query-language.md` (JSON schema, cost rules). | +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Graph API Guilds | DOCS-GRAPH-28-004 | Publish `/docs/sbom/graph-api.md` endpoints + streaming guidance. | +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & CLI Guilds | DOCS-GRAPH-28-005 | Produce `/docs/sbom/graph-cli.md` command reference. | +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Policy Guilds | DOCS-GRAPH-28-006 | Publish `/docs/policy/graph-overlays.md`. 
| +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Excitator Guilds | DOCS-GRAPH-28-007 | Document `/docs/vex/graph-integration.md`. | +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Concelier Guilds | DOCS-GRAPH-28-008 | Document `/docs/advisories/graph-integration.md`. | +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Architecture Guilds | DOCS-GRAPH-28-009 | Author `/docs/architecture/graph-services.md`. | +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Observability Guilds | DOCS-GRAPH-28-010 | Publish `/docs/observability/graph-telemetry.md`. | +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Ops Guilds | DOCS-GRAPH-28-011 | Write `/docs/runbooks/graph-incidents.md`. | +| Sprint 28 | Graph Explorer | docs/TASKS.md | TODO | Docs & Security Guilds | DOCS-GRAPH-28-012 | Create `/docs/security/graph-rbac.md`. | +| Sprint 28 | Graph Explorer | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-GRAPH-28-001 | Provide deployment/offline instructions for Graph Indexer/API, including cache seeds. | +| Sprint 28 | Graph Explorer | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-GRAPH-28-001 | Configure load/perf tests, query budget alerts, and CI smoke for graph APIs. | +| Sprint 28 | Graph Explorer | ops/devops/TASKS.md | TODO | DevOps & Security Guilds | DEVOPS-GRAPH-28-002 | Implement caching/backpressure limits, rate limiting configs, and runaway query kill switches. | +| Sprint 28 | Graph Explorer | ops/devops/TASKS.md | TODO | DevOps & Observability Guilds | DEVOPS-GRAPH-28-003 | Build dashboards/alerts for tile latency, query denials, memory pressure. | +| Sprint 28 | Graph Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-GRAPH-28-001 | Ship `stella sbom graph` subcommands (search, query, paths, diff, impacted, export) with JSON output + exit codes. 
| +| Sprint 28 | Graph Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-GRAPH-28-002 | Add saved query management + deep link helpers to CLI. | +| Sprint 28 | Graph Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-GRAPH-28-003 | Update CLI docs/examples for Graph Explorer commands. | +| Sprint 28 | Graph Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-GRAPH-24-101 | Deliver advisory summary API feeding graph tooltips. | +| Sprint 28 | Graph Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-GRAPH-28-102 | Add batch fetch for advisory observations/linksets keyed by component sets to feed Graph overlay tooltips efficiently. | +| Sprint 28 | Graph Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | WEB-LNM-21-001 | Provide advisory observation endpoints optimized for graph overlays. | +| Sprint 28 | Graph Explorer | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-GRAPH-24-101 | Provide VEX summary API for Graph Explorer inspector overlays. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-001 | Publish Graph API OpenAPI + JSON schemas for queries/tiles. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-002 | Implement `/graph/search` with caching and RBAC. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-003 | Build query planner + streaming tile pipeline with budgets. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-004 | Deliver `/graph/paths` with depth limits and policy overlay support. 
| +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-005 | Implement `/graph/diff` streaming adds/removes/changes for SBOM snapshots. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-006 | Compose advisory/VEX/policy overlays with caching + explain sampling. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API Guild | GRAPH-API-28-007 | Provide export jobs (GraphML/CSV/NDJSON/PNG/SVG) with manifests. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & Authority Guilds | GRAPH-API-28-008 | Enforce RBAC scopes, tenant headers, audit logging, rate limits. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & Observability Guilds | GRAPH-API-28-009 | Instrument metrics/logs/traces; publish dashboards. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & QA Guilds | GRAPH-API-28-010 | Build unit/integration/load tests with synthetic datasets. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Api/TASKS.md | TODO | Graph API & DevOps Guilds | GRAPH-API-28-011 | Ship deployment/offline manifests + gateway integration docs. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-001 | Define node/edge schemas, identity rules, and fixtures for graph ingestion. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-002 | Implement SBOM ingest consumer generating artifact/package/file nodes & edges. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-003 | Serve advisory overlay tiles from Conseiller linksets (no mutation of raw node/edge stores). 
| +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-004 | Integrate VEX statements for `vex_exempts` edges with precedence metadata. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & Policy Guilds | GRAPH-INDEX-28-005 | Hydrate policy overlay nodes/edges referencing determinations + explains. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-006 | Produce graph snapshots per SBOM with lineage for diff jobs. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & Observability Guilds | GRAPH-INDEX-28-007 | Run clustering/centrality background jobs and persist cluster ids. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer Guild | GRAPH-INDEX-28-008 | Build incremental/backfill pipeline with change streams, retries, backlog metrics. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & QA Guilds | GRAPH-INDEX-28-009 | Extend tests/perf fixtures ensuring determinism on large graphs. | +| Sprint 28 | Graph Explorer | src/Graph/StellaOps.Graph.Indexer/TASKS.md | TODO | Graph Indexer & DevOps Guilds | GRAPH-INDEX-28-010 | Provide deployment/offline artifacts and docs for Graph Indexer. | +| Sprint 28 | Graph Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-30-001 | Finalize graph overlay contract + projection API. | +| Sprint 28 | Graph Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-30-002 | Implement simulation overlay bridge for Graph Explorer queries. 
| +| Sprint 28 | Graph Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy & Scheduler Guilds | POLICY-ENGINE-30-003 | Emit change events for effective findings supporting graph overlays. | +| Sprint 28 | Graph Explorer | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | DOING (2025-10-26) | Scheduler WebService Guild, Scheduler Storage Guild | SCHED-WEB-21-004 | Persist graph jobs + emit completion events/webhook. | +| Sprint 28 | Graph Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-21-201 | Run graph build worker for SBOM snapshots with retries/backoff. | +| Sprint 28 | Graph Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-21-202 | Execute overlay refresh worker subscribing to change events. | +| Sprint 28 | Graph Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker & Observability Guilds | SCHED-WORKER-21-203 | Emit metrics/logs for graph build/overlay jobs. | +| Sprint 28 | Graph Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-GRAPH-24-001 | Route `/graph/*` APIs through gateway with tenant scoping and RBAC. | +| Sprint 28 | Graph Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-GRAPH-24-002 | Maintain overlay proxy routes to dedicated services (Policy/Vuln API), ensuring caching + RBAC only. | +| Sprint 28 | Graph Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Observability Guilds | WEB-GRAPH-24-004 | Add Graph Explorer telemetry endpoints and metrics aggregation. | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs Guild | DOCS-VULN-29-001 | Publish `/docs/vuln/explorer-overview.md`. | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Console Guilds | DOCS-VULN-29-002 | Write `/docs/vuln/explorer-using-console.md`. 
| +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs Guild | DOCS-VULN-29-003 | Author `/docs/vuln/explorer-api.md`. | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs Guild | DOCS-VULN-29-004 | Publish `/docs/vuln/explorer-cli.md`. | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Ledger Guilds | DOCS-VULN-29-005 | Document Findings Ledger (`/docs/vuln/findings-ledger.md`). | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Policy Guilds | DOCS-VULN-29-006 | Update `/docs/policy/vuln-determinations.md`. | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Excititor Guilds | DOCS-VULN-29-007 | Publish `/docs/vex/explorer-integration.md`. | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Concelier Guilds | DOCS-VULN-29-008 | Publish `/docs/advisories/explorer-integration.md`. | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & SBOM Guilds | DOCS-VULN-29-009 | Publish `/docs/sbom/vuln-resolution.md`. | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Observability Guilds | DOCS-VULN-29-010 | Publish `/docs/observability/vuln-telemetry.md`. | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Security Guilds | DOCS-VULN-29-011 | Publish `/docs/security/vuln-rbac.md`. | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Ops Guilds | DOCS-VULN-29-012 | Publish `/docs/runbooks/vuln-ops.md`. | +| Sprint 29 | Vulnerability Explorer | docs/TASKS.md | TODO | Docs & Deployment Guilds | DOCS-VULN-29-013 | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API. | +| Sprint 29 | Vulnerability Explorer | ops/deployment/TASKS.md | TODO | Deployment & Findings Ledger Guilds | DEPLOY-VULN-29-001 | Provide deployments for Findings Ledger/projector with migrations/backups. 
| +| Sprint 29 | Vulnerability Explorer | ops/deployment/TASKS.md | TODO | Deployment & Vuln Explorer API Guilds | DEPLOY-VULN-29-002 | Package Vuln Explorer API deployments/health checks/offline kit notes. | +| Sprint 29 | Vulnerability Explorer | ops/devops/TASKS.md | TODO | DevOps & Findings Ledger Guilds | DEVOPS-VULN-29-001 | Set up CI/backups/anchoring monitoring for Findings Ledger. | +| Sprint 29 | Vulnerability Explorer | ops/devops/TASKS.md | TODO | DevOps & Vuln Explorer API Guilds | DEVOPS-VULN-29-002 | Configure Vuln Explorer perf tests, budgets, dashboards, alerts. | +| Sprint 29 | Vulnerability Explorer | ops/devops/TASKS.md | TODO | DevOps & Console Guilds | DEVOPS-VULN-29-003 | Integrate Vuln Explorer telemetry pipeline with privacy safeguards + dashboards. | +| Sprint 29 | Vulnerability Explorer | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-VULN-29-001 | Define Vuln Explorer RBAC/ABAC scopes and issuer metadata. | +| Sprint 29 | Vulnerability Explorer | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-VULN-29-002 | Enforce CSRF, attachment signing, and audit logging referencing ledger hashes. | +| Sprint 29 | Vulnerability Explorer | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Docs Guild | AUTH-VULN-29-003 | Update docs/config samples for Vuln Explorer roles and security posture. | +| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-001 | Implement `stella vuln list` with grouping, filters, JSON/CSV output. | +| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-002 | Implement `stella vuln show` with evidence/policy/path display. 
| +| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-003 | Add workflow CLI commands (assign/comment/accept-risk/verify-fix/target-fix/reopen). | +| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-004 | Implement `stella vuln simulate` producing diff summaries/Markdown. | +| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-VULN-29-005 | Implement `stella vuln export` and bundle signature verification. | +| Sprint 29 | Vulnerability Explorer | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI & Docs Guilds | CLI-VULN-29-006 | Update CLI docs/examples for Vulnerability Explorer commands. | +| Sprint 29 | Vulnerability Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-VULN-29-001 | Canonicalize (lossless) advisory identifiers, persist `links[]`, backfill, and expose raw payload snapshots (no merge/derived fields). | +| Sprint 29 | Vulnerability Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-VULN-29-002 | Provide advisory evidence retrieval endpoint for Vuln Explorer. | +| Sprint 29 | Vulnerability Explorer | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService & Observability Guilds | CONCELIER-VULN-29-004 | Add metrics/logs/events for advisory normalization supporting resolver. | +| Sprint 29 | Vulnerability Explorer | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-VULN-29-001 | Canonicalize (lossless) VEX keys and product scopes with backfill + links (no merge/suppression). 
| +| Sprint 29 | Vulnerability Explorer | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-VULN-29-002 | Expose VEX evidence retrieval endpoint for Explorer evidence tabs. | +| Sprint 29 | Vulnerability Explorer | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService & Observability Guilds | EXCITITOR-VULN-29-004 | Instrument metrics/logs for VEX normalization and suppression events. | +| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-29-001 | Design ledger & projection schemas, hashing strategy, and migrations for Findings Ledger. | +| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-29-002 | Implement ledger write API with hash chaining and Merkle root anchoring job. | +| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Scheduler Guilds | LEDGER-29-003 | Build projector worker deriving `findings_projection` with idempotent replay. | +| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Policy Guilds | LEDGER-29-004 | Integrate Policy Engine batch evaluation into projector with rationale caching. | +| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-29-005 | Implement workflow mutation endpoints producing ledger events (assign/comment/accept-risk/etc.). | +| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Security Guilds | LEDGER-29-006 | Add attachment encryption, signed URLs, and CSRF protections for workflow endpoints. 
| +| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & Observability Guilds | LEDGER-29-007 | Instrument ledger metrics/logs/alerts (write latency, projection lag, anchoring). | +| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & QA Guilds | LEDGER-29-008 | Provide replay/determinism/load tests for ledger/projector pipelines. | +| Sprint 29 | Vulnerability Explorer | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger & DevOps Guilds | LEDGER-29-009 | Deliver deployment/offline artefacts, backup/restore, Merkle anchoring guidance. | +| Sprint 29 | Vulnerability Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-29-001 | Implement policy batch evaluation endpoint returning determinations + rationale. | +| Sprint 29 | Vulnerability Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-29-002 | Provide simulation diff API for Vuln Explorer comparisons. | +| Sprint 29 | Vulnerability Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-29-003 | Include path/scope annotations in determinations for Explorer. | +| Sprint 29 | Vulnerability Explorer | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild & Observability Guild | POLICY-ENGINE-29-004 | Add telemetry for batch evaluation + simulation jobs. | +| Sprint 29 | Vulnerability Explorer | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-VULN-29-001 | Emit inventory evidence with scope/runtime/path/safe version hints; publish change events. | +| Sprint 29 | Vulnerability Explorer | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service & Findings Ledger Guilds | SBOM-VULN-29-002 | Provide resolver feed for candidate generation with idempotent delivery. 
| +| Sprint 29 | Vulnerability Explorer | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService Guild | SCHED-VULN-29-001 | Expose resolver job APIs + status monitoring for Vuln Explorer recomputation. | +| Sprint 29 | Vulnerability Explorer | src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md | TODO | Scheduler WebService & Observability Guilds | SCHED-VULN-29-002 | Provide projector lag metrics endpoint + webhook notifications. | +| Sprint 29 | Vulnerability Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-29-001 | Implement resolver worker applying ecosystem version semantics and path scope. | +| Sprint 29 | Vulnerability Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker Guild | SCHED-WORKER-29-002 | Implement evaluation worker invoking Policy Engine and updating ledger queues. | +| Sprint 29 | Vulnerability Explorer | src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md | TODO | Scheduler Worker & Observability Guilds | SCHED-WORKER-29-003 | Add monitoring for resolver/evaluation backlog and SLA alerts. | +| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-001 | Publish Vuln Explorer OpenAPI + query schemas. | +| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-002 | Implement list/query endpoints with grouping, paging, cost budgets. | +| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-003 | Implement detail endpoint combining evidence, policy rationale, paths, history. 
| +| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Findings Ledger Guilds | VULN-API-29-004 | Expose workflow APIs writing ledger events with validation + idempotency. | +| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Policy Guilds | VULN-API-29-005 | Implement policy simulation endpoint producing diffs without side effects. | +| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-006 | Integrate Graph Explorer paths metadata and deep-link parameters. | +| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Security Guilds | VULN-API-29-007 | Enforce RBAC/ABAC, CSRF, attachment security, and audit logging. | +| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API Guild | VULN-API-29-008 | Provide evidence bundle export job with signing + manifests. | +| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & Observability Guilds | VULN-API-29-009 | Instrument API telemetry (latency, workflow counts, exports). | +| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & QA Guilds | VULN-API-29-010 | Deliver unit/integration/perf/determinism tests for Vuln Explorer API. | +| Sprint 29 | Vulnerability Explorer | src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md | TODO | Vuln Explorer API & DevOps Guilds | VULN-API-29-011 | Ship deployment/offline manifests, health checks, scaling docs. | +| Sprint 29 | Vulnerability Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-VULN-29-001 | Route `/vuln/*` APIs with tenant RBAC, ABAC, anti-forgery enforcement. 
| +| Sprint 29 | Vulnerability Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-VULN-29-002 | Proxy workflow calls to Findings Ledger with correlation IDs + retries. | +| Sprint 29 | Vulnerability Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-VULN-29-003 | Expose simulation/export orchestration with SSE/progress + signed links. | +| Sprint 29 | Vulnerability Explorer | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform & Observability Guilds | WEB-VULN-29-004 | Aggregate Vuln Explorer telemetry (latency, errors, exports). | +| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-001 | Publish `/docs/vex/consensus-overview.md`. | +| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-002 | Write `/docs/vex/consensus-algorithm.md`. | +| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-003 | Document `/docs/vex/issuer-directory.md`. | +| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-004 | Publish `/docs/vex/consensus-api.md`. | +| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-005 | Create `/docs/vex/consensus-console.md`. | +| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-006 | Add `/docs/policy/vex-trust-model.md`. | +| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-007 | Author `/docs/sbom/vex-mapping.md`. | +| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-008 | Publish `/docs/security/vex-signatures.md`. | +| Sprint 30 | VEX Lens | docs/TASKS.md | TODO | Docs Guild | DOCS-VEX-30-009 | Write `/docs/runbooks/vex-ops.md`. | +| Sprint 30 | VEX Lens | ops/devops/TASKS.md | TODO | DevOps Guild | VEXLENS-30-009, ISSUER-30-005 | Set up CI/perf/telemetry dashboards for VEX Lens and Issuer Directory. 
| +| Sprint 30 | VEX Lens | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | VEXLENS-30-007 | Implement `stella vex consensus` CLI commands with list/show/simulate/export. | +| Sprint 30 | VEX Lens | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild, VEX Lens Guild | CONCELIER-VEXLENS-30-001 | Guarantee advisory key consistency and provide cross-links for consensus rationale (VEX Lens). | +| Sprint 30 | VEX Lens | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-VULN-29-001 | Ensure VEX evidence includes issuer hints, signatures, product trees for Lens consumption. | +| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory Guild | ISSUER-30-001 | Implement issuer CRUD API with RBAC and audit logs. | +| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & Security Guilds | ISSUER-30-002 | Implement key management endpoints with expiry enforcement. | +| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & Policy Guilds | ISSUER-30-003 | Provide trust weight override APIs with audit trails. | +| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & VEX Lens Guilds | ISSUER-30-004 | Integrate issuer data into signature verification clients. | +| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & Observability Guilds | ISSUER-30-005 | Instrument issuer change metrics/logs and dashboards. | +| Sprint 30 | VEX Lens | src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md | TODO | Issuer Directory & DevOps Guilds | ISSUER-30-006 | Provide deployment/backup/offline docs for Issuer Directory. 
| +| Sprint 30 | VEX Lens | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-30-101 | Surface trust weighting configuration (issuer weights, modifiers, decay) for VEX Lens via Policy Studio/API. | +| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-001 | Implement VEX normalization pipeline (CSAF, OpenVEX, CycloneDX) with deterministic outputs. | +| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-002 | Build product mapping library aligning CSAF product trees to purls/versions with scope scoring. | +| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Issuer Directory Guilds | VEXLENS-30-003 | Integrate signature verification using issuer keys; annotate evidence. | +| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Policy Guilds | VEXLENS-30-004 | Implement trust weighting functions configurable via policy. | +| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-005 | Implement consensus algorithm producing state, confidence, rationale, and quorum. | +| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Findings Ledger Guilds | VEXLENS-30-006 | Materialize consensus projections and change events. | +| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-30-007 | Deliver query/detail/simulation/export APIs with budgets and OpenAPI docs. | +| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Policy Guilds | VEXLENS-30-008 | Integrate consensus signals with Policy Engine and Vuln Explorer. | +| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & Observability Guilds | VEXLENS-30-009 | Instrument metrics/logs/traces; publish dashboards/alerts. 
| +| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & QA Guilds | VEXLENS-30-010 | Build unit/property/integration/load tests and determinism harness. | +| Sprint 30 | VEX Lens | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens & DevOps Guilds | VEXLENS-30-011 | Provide deployment manifests, scaling guides, offline seeds, runbooks. | +| Sprint 30 | VEX Lens | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild, VEX Lens Guild | WEB-VEX-30-007 | Route `/vex/consensus` APIs via gateway with RBAC/ABAC, caching, and telemetry (proxy-only). | +| Sprint 31 | Advisory AI | docs/TASKS.md | TODO | Docs Guild | DOCS-AIAI-31-001 | Publish Advisory AI overview doc. | +| Sprint 31 | Advisory AI | docs/TASKS.md | TODO | Docs Guild | DOCS-AIAI-31-002 | Publish architecture doc for Advisory AI. | +| Sprint 31 | Advisory AI | docs/TASKS.md | TODO | Docs Guild | DOCS-AIAI-31-003..009 | Complete API/Console/CLI/Policy/Security/SBOM/Runbook docs. | +| Sprint 31 | Advisory AI | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-AIAI-31-001 | Provide Advisory AI deployment/offline guidance. | +| Sprint 31 | Advisory AI | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIAI-31-001 | Provision CI/perf/telemetry for Advisory AI. | +| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-001 | Implement advisory/VEX retrievers with paragraph anchors and citations. | +| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-002 | Build SBOM context retriever and blast radius estimator. | +| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-003 | Deliver deterministic toolset (version checks, dependency analysis, policy lookup). 
| +| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-004 | Orchestrator with task templates, tool chaining, caching. | +| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & Security Guilds | AIAI-31-005 | Guardrails (redaction, injection defense, output validation). | +| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI Guild | AIAI-31-006 | Expose REST/batch APIs with RBAC and OpenAPI. | +| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & Observability Guilds | AIAI-31-007 | Instrument metrics/logs/traces and dashboards. | +| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & DevOps Guilds | AIAI-31-008 | Package inference + deployment manifests/flags. | +| Sprint 31 | Advisory AI | src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md | TODO | Advisory AI & QA Guilds | AIAI-31-009 | Build golden/injection/perf tests ensuring determinism. | +| Sprint 31 | Advisory AI | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-AIAI-31-001 | Define Advisory AI scopes and remote inference toggles. | +| Sprint 31 | Advisory AI | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-AIAI-31-002 | Enforce prompt logging and consent/audit flows. | +| Sprint 31 | Advisory AI | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIAI-31-001 | Implement `stella advise *` CLI commands leveraging Advisory AI orchestration and policy scopes. | +| Sprint 31 | Advisory AI | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-AIAI-31-001 | Expose advisory chunk API with paragraph anchors. 
| +| Sprint 31 | Advisory AI | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-AIAI-31-001 | Provide VEX chunks with justifications and signatures. | +| Sprint 31 | Advisory AI | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-31-001 | Provide policy knobs for Advisory AI. | +| Sprint 31 | Advisory AI | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-AIAI-31-001 | Deliver SBOM path/timeline endpoints for Advisory AI. | +| Sprint 31 | Advisory AI | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-AIAI-31-001 | Expose enriched rationale API for conflict explanations. | +| Sprint 31 | Advisory AI | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-AIAI-31-002 | Provide batching/caching hooks for Advisory AI. | +| Sprint 31 | Advisory AI | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AIAI-31-001 | Route `/advisory/ai/*` APIs with RBAC/telemetry. | +| Sprint 31 | Advisory AI | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AIAI-31-002 | Provide batch orchestration and retry handling for Advisory AI. | +| Sprint 31 | Advisory AI | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-AIAI-31-003 | Emit Advisory AI gateway telemetry/audit logs. | +| Sprint 32 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-32-001 | Author `/docs/orchestrator/overview.md` covering mission, roles, AOC alignment, and imposed rule reminder. | +| Sprint 32 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-32-002 | Author `/docs/orchestrator/architecture.md` detailing scheduler, DAGs, rate limits, and data model. 
| +| Sprint 32 | Orchestrator Dashboard | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ORCH-32-001 | Provision staging Postgres/message-bus charts, CI smoke deploy, and baseline dashboards for queue depth and inflight jobs. | +| Sprint 32 | Orchestrator Dashboard | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-ORCH-32-001 | Introduce `orch:read` scope and `Orch.Viewer` role with metadata, discovery docs, and offline defaults. | +| Sprint 32 | Orchestrator Dashboard | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-32-001 | Register Concelier sources with orchestrator, publish schedules/rate policies, and seed metadata. | +| Sprint 32 | Orchestrator Dashboard | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-32-002 | Embed worker SDK into Concelier ingestion loops emitting progress, heartbeats, and artifact hashes. | +| Sprint 32 | Orchestrator Dashboard | src/Excititor/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-ORCH-32-001 | Adopt worker SDK in Excititor worker with job claim/heartbeat and artifact summary emission. | +| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-32-001 | Bootstrap Go worker SDK (client config, job claim, acknowledgement flow) with integration tests. | +| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-32-002 | Add heartbeat/progress helpers, structured logging, and default metrics exporters to Go SDK. | +| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-32-001 | Bootstrap Python async SDK with job claim/config adapters and sample worker. 
| +| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-32-002 | Implement heartbeat/progress helpers and logging/metrics instrumentation for Python workers. | +| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-001 | Bootstrap orchestrator service with Postgres schema/migrations for sources, runs, jobs, dag_edges, artifacts, quotas, schedules. | +| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-002 | Implement scheduler DAG planner, dependency resolver, and job state machine for read-only tracking. | +| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-003 | Expose read-only REST APIs (sources, runs, jobs, DAG) with OpenAPI + validation. | +| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-004 | Ship WebSocket/SSE live update stream and metrics counters/histograms for job lifecycle. | +| Sprint 32 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-32-005 | Deliver worker claim/heartbeat/progress endpoints capturing artifact metadata and checksums. | +| Sprint 32 | Orchestrator Dashboard | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-32-101 | Define orchestrator `policy_eval` job contract, idempotency keys, and enqueue hooks for change events. | +| Sprint 32 | Orchestrator Dashboard | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-ORCH-32-001 | Integrate orchestrator job IDs into SBOM ingest/index pipelines with artifact hashing and status updates. 
| +| Sprint 32 | Orchestrator Dashboard | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-ORCH-32-001 | Expose read-only orchestrator APIs via gateway with tenant scoping, caching headers, and rate limits. | +| Sprint 33 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-33-001 | Author `/docs/orchestrator/api.md` with endpoints, WebSocket events, error codes, and imposed rule reminder. | +| Sprint 33 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-33-002 | Author `/docs/orchestrator/console.md` covering screens, accessibility, and live updates. | +| Sprint 33 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-33-003 | Author `/docs/orchestrator/cli.md` with command reference, examples, and exit codes. | +| Sprint 33 | Governance & Rules | ops/devops/TASKS.md | REVIEW (2025-10-30) | DevOps Guild, Platform Leads | DEVOPS-RULES-33-001 | Contracts & Rules anchor (gateway proxy-only; Policy Engine overlays/simulations; AOC ingestion canonicalization; Graph Indexer + Graph API as sole platform). | +| Sprint 33 | Orchestrator Dashboard | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ORCH-33-001 | Publish Grafana dashboards for rate-limit/backpressure/error clustering and configure alert rules with runbooks. | +| Sprint 33 | Orchestrator Dashboard | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-ORCH-33-001 | Add `Orch.Operator` role, control action scopes, and enforce reason/ticket field capture. | +| Sprint 33 | Orchestrator Dashboard | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-33-001 | Wire orchestrator control hooks (pause, throttle, retry) into Concelier workers with safe checkpoints. 
| +| Sprint 33 | Orchestrator Dashboard | src/Excititor/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-ORCH-33-001 | Honor orchestrator throttles, classify VEX errors, and emit retry-safe checkpoints in Excititor worker. | +| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-33-001 | Add artifact upload helpers (object store + checksum) and idempotency guard to Go SDK. | +| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-33-002 | Implement error classification/retry helper and structured failure report in Go SDK. | +| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-33-001 | Add artifact publish/idempotency features to Python SDK with object store integration. | +| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-33-002 | Expose error classification/retry/backoff helpers in Python SDK with structured logging. | +| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-001 | Enable source/job control actions (test, pause/resume, retry/cancel/prioritize) with RBAC and audit hooks. | +| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-002 | Implement adaptive token-bucket rate limiter and concurrency caps reacting to upstream 429/503 signals. | +| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-003 | Add watermark/backfill manager with event-time windows, duplicate suppression, and preview API. 
| +| Sprint 33 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-33-004 | Deliver dead-letter storage, replay endpoints, and surfaced error classes with remediation hints. | +| Sprint 33 | Orchestrator Dashboard | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-33-101 | Implement orchestrator-driven policy evaluation workers with heartbeats, SLO metrics, and rate limit awareness. | +| Sprint 33 | Orchestrator Dashboard | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-ORCH-33-001 | Report SBOM ingest backpressure metrics and support orchestrator pause/resume/backfill signals. | +| Sprint 33 | Orchestrator Dashboard | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-ORCH-33-001 | Expose `consensus_compute` orchestrator job type and integrate VEX Lens worker for diff batches. | +| Sprint 33 | Orchestrator Dashboard | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-ORCH-33-001 | Add control endpoints (actions/backfill) and SSE bridging with permission checks and error mapping. | +| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-001 | Author `/docs/orchestrator/run-ledger.md` describing provenance export format and audits. | +| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-002 | Author `/docs/security/secrets-handling.md` covering KMS refs, redaction, and operator hygiene. | +| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-003 | Author `/docs/operations/orchestrator-runbook.md` (failures, backfill guide, circuit breakers). | +| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-004 | Author `/docs/schemas/artifacts.md` detailing artifact kinds, schema versions, hashing, storage layout. 
| +| Sprint 34 | Orchestrator Dashboard | docs/TASKS.md | TODO | Docs Guild | DOCS-ORCH-34-005 | Author `/docs/slo/orchestrator-slo.md` defining SLOs, burn alerts, and measurement strategy. | +| Sprint 34 | Orchestrator Dashboard | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-ORCH-34-001 | Provide Helm/Compose manifests, scaling defaults, and offline kit instructions for orchestrator service. | +| Sprint 34 | Orchestrator Dashboard | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ORCH-34-001 | Harden production dashboards/alerts, synthetic probes, and incident response playbooks for orchestrator. | +| Sprint 34 | Orchestrator Dashboard | ops/offline-kit/TASKS.md | TODO | Offline Kit Guild | DEVOPS-OFFLINE-34-006 | Bundle orchestrator service, worker SDK samples, and Postgres snapshot into Offline Kit with integrity checks. | +| Sprint 34 | Orchestrator Dashboard | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-ORCH-34-001 | Add `Orch.Admin` role for quotas/backfills, enforce audit reason requirements, update docs and offline defaults. | +| Sprint 34 | Orchestrator Dashboard | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-ORCH-34-001 | Implement backfill wizard and quota management commands with dry-run preview and guardrails. | +| Sprint 34 | Orchestrator Dashboard | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-ORCH-34-001 | Implement orchestrator-driven backfills for advisory sources with idempotent artifact reuse and ledger linkage. | +| Sprint 34 | Orchestrator Dashboard | src/Excititor/StellaOps.Excititor.Worker/TASKS.md | TODO | Excititor Worker Guild | EXCITITOR-ORCH-34-001 | Support orchestrator backfills and circuit breaker resets for Excititor sources with auditing. 
| +| Sprint 34 | Orchestrator Dashboard | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-34-101 | Link orchestrator run ledger entries into Findings Ledger provenance export and audit queries. | +| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md | TODO | Worker SDK Guild | WORKER-GO-34-001 | Add backfill range execution, watermark handshake, and artifact dedupe verification to Go SDK. | +| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md | TODO | Worker SDK Guild | WORKER-PY-34-001 | Add backfill support and deterministic artifact dedupe validation to Python SDK. | +| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-001 | Implement quota management APIs, SLO burn-rate computation, and alert budget tracking. | +| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-002 | Build audit log and immutable run ledger export with signed manifest support. | +| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-003 | Run perf/scale validation (10k jobs, dispatch <150 ms) and add autoscaling hooks. | +| Sprint 34 | Orchestrator Dashboard | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-34-004 | Package orchestrator container, Helm overlays, offline bundle seeds, and provenance attestations. | +| Sprint 34 | Orchestrator Dashboard | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-34-101 | Expose policy eval run ledger exports and SLO burn metrics to orchestrator. 
| +| Sprint 34 | Orchestrator Dashboard | src/SbomService/StellaOps.SbomService/TASKS.md | TODO | SBOM Service Guild | SBOM-ORCH-34-001 | Enable SBOM backfill and watermark reconciliation; emit coverage metrics and flood guard. | +| Sprint 34 | Orchestrator Dashboard | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-ORCH-34-001 | Integrate consensus compute completion events with orchestrator ledger and provenance outputs. | +| Sprint 34 | Orchestrator Dashboard | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-ORCH-34-001 | Expose quotas/backfill/queue metrics endpoints, throttle toggles, and error clustering APIs. | +| Sprint 35 | EPDR Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild | SCANNER-ANALYZERS-LANG-11-001 | Build entrypoint resolver (identity + environment profiles) and emit normalized entrypoint records. | +| Sprint 35 | EPDR Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild | SCANNER-ANALYZERS-LANG-11-002 | Static IL/reflection/ALC heuristics producing dependency edges with reason codes and confidence. | +| Sprint 35 | EPDR Foundations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild, Signals Guild | SCANNER-ANALYZERS-LANG-11-003 | Runtime loader/PInvoke signal ingestion merged with static/declared edges (confidence & explain). | +| Sprint 35 | Export Center Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-35-001 | Author `/docs/modules/export-center/overview.md` with purpose, profiles, security, and imposed rule reminder. | +| Sprint 35 | Export Center Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-35-002 | Author `/docs/modules/export-center/architecture.md` detailing service components, adapters, manifests, signing, and distribution. 
| +| Sprint 35 | Export Center Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-35-003 | Publish `/docs/modules/export-center/profiles.md` covering schemas, examples, and compatibility. | +| Sprint 35 | Export Center Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-EXPORT-35-001 | Package exporter service/worker containers, Helm overlays (download-only), and rollout guide. | +| Sprint 35 | Export Center Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-EXPORT-35-001 | Create exporter CI pipeline (lint/test/perf smoke), object storage fixtures, and initial Grafana dashboards. | +| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-001 | Bootstrap exporter service, configuration, and migrations for export profiles/runs/inputs/distributions with tenant scopes. | +| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-002 | Implement planner resolving filters to iterators and orchestrator job contract with deterministic sampling. | +| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-003 | Deliver JSON adapters (raw/policy) with canonical normalization, redaction enforcement, and zstd writers. | +| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-004 | Build mirror (full) adapter producing filesystem layout, manifests, and bundle assembly for download profile. | +| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-005 | Implement manifest/provenance writer and KMS signing/attestation for export bundles. 
| +| Sprint 35 | Export Center Phase 1 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-006 | Expose Export API (profiles, runs, download) with SSE updates, concurrency controls, and audit logging. | +| Sprint 35 | Export Center Phase 1 | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-EXPORT-35-001 | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings filtered by scope selectors. | +| Sprint 35 | Export Center Phase 1 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-35-101 | Register export job type, quotas, and rate policies; surface export job telemetry for scheduler. | +| Sprint 35 | Export Center Phase 1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-35-201 | Expose deterministic policy snapshot + evaluated findings endpoint aligned with Export Center requirements. | +| Sprint 35 | Export Center Phase 1 | src/VexLens/StellaOps.VexLens/TASKS.md | TODO | VEX Lens Guild | VEXLENS-EXPORT-35-001 | Publish consensus snapshot API delivering deterministic JSON for export consumption. | +| Sprint 35 | Export Center Phase 1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXPORT-35-001 | Route Export Center APIs through gateway with tenant scoping, viewer/operator scopes, and streaming downloads. | +| Sprint 36 | EPDR Observations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild, SBOM Service Guild | SCANNER-ANALYZERS-LANG-11-004 | Normalize EPDR output to Scanner observation writer (entrypoints + edges + env profiles). 
| +| Sprint 36 | EPDR Observations | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md | TODO | Scanner EPDR Guild, QA Guild | SCANNER-ANALYZERS-LANG-11-005 | End-to-end fixtures/benchmarks covering publish modes, RIDs, trimming, NativeAOT with explain traces. | +| Sprint 36 | Export Center Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-36-004 | Author `/docs/modules/export-center/api.md` with endpoint examples and imposed rule note. | +| Sprint 36 | Export Center Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-36-005 | Publish `/docs/modules/export-center/cli.md` covering commands, scripts, verification, and imposed rule reminder. | +| Sprint 36 | Export Center Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-36-006 | Write `/docs/modules/export-center/trivy-adapter.md` detailing mappings, compatibility, and test matrix. | +| Sprint 36 | Export Center Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-EXPORT-36-001 | Document registry credentials, OCI push workflows, and automation for export distributions. | +| Sprint 36 | Export Center Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-EXPORT-36-001 | Integrate Trivy compatibility validation, OCI push smoke tests, and metrics dashboards for export throughput. | +| Sprint 36 | Export Center Phase 2 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXPORT-36-001 | Add `stella export distribute` (OCI/objstore), `run download --resume`, and status polling enhancements. | +| Sprint 36 | Export Center Phase 2 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-001 | Implement Trivy DB adapter (core) with schema mapping, validation, and compatibility gating. | +| Sprint 36 | Export Center Phase 2 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-002 | Add Trivy Java DB variant, shared manifest entries, and adapter regression tests. 
| +| Sprint 36 | Export Center Phase 2 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-003 | Build OCI distribution engine for exports with descriptor annotations and registry auth handling. | +| Sprint 36 | Export Center Phase 2 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-36-004 | Extend planner/run lifecycle for OCI/object storage distributions with retry + idempotency. | +| Sprint 36 | Export Center Phase 2 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-36-101 | Add distribution job follow-ups, retention metadata, and metrics for export runs. | +| Sprint 36 | Export Center Phase 2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXPORT-36-001 | Expose distribution endpoints (OCI/object storage) and manifest/provenance download proxies with RBAC. | +| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-001 | Publish `/docs/modules/export-center/mirror-bundles.md` detailing layouts, deltas, encryption, imposed rule reminder. | +| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-002 | Publish `/docs/modules/export-center/provenance-and-signing.md` covering manifests, attestation, verification. | +| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-003 | Publish `/docs/operations/export-runbook.md` for failures, tuning, capacity, with imposed rule note. | +| Sprint 37 | Export Center Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-EXPORT-37-004 | Publish `/docs/security/export-hardening.md` covering RBAC, isolation, encryption, and imposed rule. | +| Sprint 37 | Export Center Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-EXPORT-37-001 | Finalize dashboards/alerts for exports (failure, verify), retention jobs, and chaos testing harness. 
| +| Sprint 37 | Export Center Phase 3 | ops/offline-kit/TASKS.md | TODO | Offline Kit Guild | DEVOPS-OFFLINE-37-001 | Package Export Center mirror bundles + verification tooling into Offline Kit with manifest/signature updates. | +| Sprint 37 | Export Center Phase 3 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-EXPORT-37-001 | Add `Export.Admin` scope enforcement for retention, encryption keys, and scheduling APIs. | +| Sprint 37 | Export Center Phase 3 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-EXPORT-37-001 | Implement `stella export schedule`, `run verify`, and bundle verification tooling with signature/hash checks. | +| Sprint 37 | Export Center Phase 3 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-001 | Implement mirror delta adapter, base export linkage, and content-addressed reuse. | +| Sprint 37 | Export Center Phase 3 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-002 | Add bundle encryption, key wrapping with KMS, and verification tooling for encrypted exports. | +| Sprint 37 | Export Center Phase 3 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-003 | Deliver scheduling/retention engine (cron/event triggers), audit trails, and retry idempotency enhancements. | +| Sprint 37 | Export Center Phase 3 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-37-004 | Provide export verification API and CLI integration, including hash/signature validation endpoints. | +| Sprint 37 | Export Center Phase 3 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-37-101 | Enable scheduled export runs, retention pruning hooks, and failure alerting integration. 
| +| Sprint 37 | Export Center Phase 3 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-EXPORT-37-001 | Surface scheduling, retention, and verification endpoints plus encryption parameter handling. | +| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-001 | Format detector & binary identity for ELF/PE/Mach-O (multi-slice) with stable entrypoint IDs. | +| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-002 | ELF dynamic parser emitting dtneeded edges, runpath metadata, symbol version needs. | +| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-003 | PE import + delay-load + SxS manifest parsing producing reason-coded edges. | +| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-004 | Mach-O load command parsing with @rpath expansion and slice handling. | +| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-005 | Cross-platform resolver engine modeling search order/explain traces for ELF/PE/Mach-O. | +| Sprint 37 | Native Analyzer Core | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-006 | Heuristic scanner for dlopen/LoadLibrary strings, plugin configs, ecosystem hints with confidence tags. | +| Sprint 38 | Native Observation Pipeline | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild | SCANNER-ANALYZERS-NATIVE-20-007 | Serialize entrypoints/edges/env profiles to Scanner writer (AOC-compliant observations). 
| +| Sprint 38 | Native Observation Pipeline | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild, QA Guild | SCANNER-ANALYZERS-NATIVE-20-008 | Fixture suite + determinism benchmarks for native analyzer across linux/windows/macos. | +| Sprint 38 | Native Observation Pipeline | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild, Signals Guild | SCANNER-ANALYZERS-NATIVE-20-009 | Optional runtime capture adapters (eBPF/ETW/dyld) producing runtime-load edges with redaction. | +| Sprint 38 | Native Observation Pipeline | src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md | TODO | Native Analyzer Guild, DevOps Guild | SCANNER-ANALYZERS-NATIVE-20-010 | Package native analyzer plug-in + Offline Kit updates and restart-time loading. | +| Sprint 38 | Notifications Studio Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-NOTIFY-38-001 | Publish `/docs/notifications/overview.md` and `/docs/notifications/architecture.md` ending with imposed rule statement. | +| Sprint 38 | Notifications Studio Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-NOTIFY-38-001 | Package notifier API/worker Helm overlays (email/chat/webhook), secrets templates, rollout guide. | +| Sprint 38 | Notifications Studio Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-NOTIFY-38-001 | Stand up notifier CI pipelines, event bus fixtures, base dashboards for events/notifications latency. | +| Sprint 38 | Notifications Studio Phase 1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-NOTIFY-38-001 | Implement `stella notify` rule/template/incident commands (list/create/test/ack) with file-based inputs. | +| Sprint 38 | Notifications Studio Phase 1 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-001 | Bootstrap notifier service, migrations for notif tables, event ingestion, and rule engine foundation (policy violations + job failures). 
| +| Sprint 38 | Notifications Studio Phase 1 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-002 | Implement channel adapters (email, chat-webhook, generic webhook) with retry and audit logging. | +| Sprint 38 | Notifications Studio Phase 1 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-003 | Deliver template service (versioning, preview), rendering pipeline with redaction, and provenance links. | +| Sprint 38 | Notifications Studio Phase 1 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-38-004 | Expose initial API (rules CRUD, templates, incidents list, ack) and live feed WS stream. | +| Sprint 38 | Notifications Studio Phase 1 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-38-101 | Standardize event envelope publication (policy/export/job lifecycle) with idempotency keys for notifier ingestion. | +| Sprint 38 | Notifications Studio Phase 1 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-38-201 | Emit enriched violation events including rationale IDs via orchestrator bus. | +| Sprint 38 | Notifications Studio Phase 1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-NOTIFY-38-001 | Route notifier APIs through gateway with tenant scoping and operator scopes. | +| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-001 | Java input normalizer (jar/war/ear/fat/jmod/jimage) with MR overlay selection. | +| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-002 | Module/classpath builder with duplicate & split-package detection. 
| +| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-003 | SPI scanner & provider selection with warnings. | +| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | DONE | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-004 | Reflection/TCCL heuristics emitting reason-coded edges. | +| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-005 | Framework config extraction (Spring, Jakarta, MicroProfile, logging, Graal configs). | +| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-006 | JNI/native hint detection for Java artifacts. | +| Sprint 39 | Java Analyzer Core | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-007 | Manifest/signature metadata collector (main/start/agent classes, signers). | +| Sprint 39 | Notifications Studio Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-NOTIFY-39-002 | Publish `/docs/notifications/rules.md`, `/templates.md`, `/digests.md` with imposed rule reminder. | +| Sprint 39 | Notifications Studio Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-NOTIFY-39-002 | Add throttling/quiet-hours dashboards, digest job monitoring, and storm breaker alerts. | +| Sprint 39 | Notifications Studio Phase 2 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-NOTIFY-39-001 | Add simulation/digest CLI verbs and advanced filtering for incidents. 
| +| Sprint 39 | Notifications Studio Phase 2 | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-NOTIFY-39-001 | Optimize digest queries and provide API for notifier to fetch unresolved policy violations/SBOM deltas. | +| Sprint 39 | Notifications Studio Phase 2 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-001 | Implement correlation engine, throttling, quiet hours/maintenance evaluator, and incident state machine. | +| Sprint 39 | Notifications Studio Phase 2 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-002 | Add digests generator with Findings Ledger queries and distribution (email/chat). | +| Sprint 39 | Notifications Studio Phase 2 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-003 | Provide simulation engine and API for rule dry-run against historical events. | +| Sprint 39 | Notifications Studio Phase 2 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-39-004 | Integrate quiet hours calendars and default throttles with audit logging. | +| Sprint 39 | Notifications Studio Phase 2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-NOTIFY-39-001 | Surface digest scheduling, simulation, and throttle management endpoints via gateway. | +| Sprint 40 | Java Observation & Runtime | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild | SCANNER-ANALYZERS-JAVA-21-008 | Observation writer producing entrypoints/components/edges with warnings. | +| Sprint 40 | Java Observation & Runtime | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild, QA Guild | SCANNER-ANALYZERS-JAVA-21-009 | Fixture suite + determinism/perf benchmarks for Java analyzer. 
| +| Sprint 40 | Java Observation & Runtime | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild, Signals Guild | SCANNER-ANALYZERS-JAVA-21-010 | Optional runtime ingestion via agent/JFR producing runtime edges. | +| Sprint 40 | Java Observation & Runtime | src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md | TODO | Java Analyzer Guild, DevOps Guild | SCANNER-ANALYZERS-JAVA-21-011 | Package Java analyzer plug-in + Offline Kit/CLI updates. | +| Sprint 40 | Notifications Studio Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-NOTIFY-40-001 | Publish `/docs/notifications/channels.md`, `/escalations.md`, `/api.md`, `/operations/notifier-runbook.md`, `/security/notifications-hardening.md` with imposed rule lines. | +| Sprint 40 | Notifications Studio Phase 3 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-NOTIFY-40-001 | Package notifier escalations + localization deployment overlays, signed ack token rotation scripts, and rollback guidance. | +| Sprint 40 | Notifications Studio Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-NOTIFY-40-001 | Finalize notifier dashboards/alerts (escalation failures, ack latency), chaos testing harness, and channel health monitoring. | +| Sprint 40 | Notifications Studio Phase 3 | ops/offline-kit/TASKS.md | CARRY (no scope change) | Offline Kit Guild | DEVOPS-OFFLINE-37-002 | Carry from Sprint 37: Notifier offline packs (sample configs, template/digest packs, dry-run harness) with integrity checks. | +| Sprint 40 | Notifications Studio Phase 3 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-NOTIFY-40-001 | Enforce ack token signing/rotation, webhook allowlists, and admin-only escalation settings. | +| Sprint 40 | Notifications Studio Phase 3 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-NOTIFY-40-001 | Implement ack token redemption, escalation management, localization previews. 
| +| Sprint 40 | Notifications Studio Phase 3 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-001 | Implement escalations, on-call schedules, ack bridge, PagerDuty/OpsGenie adapters, and localization bundles. | +| Sprint 40 | Notifications Studio Phase 3 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-002 | Add CLI inbox/in-app feed channels and summary storm breaker notifications. | +| Sprint 40 | Notifications Studio Phase 3 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-003 | Harden security: signed ack links, webhook HMAC/IP allowlists, tenant isolation fuzzing, localization fallback. | +| Sprint 40 | Notifications Studio Phase 3 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-SVC-40-004 | Finalize observability (incident metrics, escalation latency) and chaos tests for channel outages. | +| Sprint 40 | Notifications Studio Phase 3 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-NOTIFY-40-001 | Expose escalation, localization, channel health endpoints and verification of signed links. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-41-001 | Publish `/docs/modules/cli/guides/overview.md`, `/cli/configuration.md`, `/cli/output-and-exit-codes.md` (with imposed rule). | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-CLI-41-001 | Package CLI release artifacts (tarballs, completions, container image) with distribution docs. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CLI-41-001 | Establish CLI build pipeline (multi-platform binaries, SBOM, checksums) and parity matrix CI enforcement. 
| +| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-PACKS-41-001 | Define CLI SSO scopes and Packs (`Packs.Read/Write/Run/Approve`) roles; update discovery/offline defaults. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-CORE-41-001 | Implement CLI config/auth foundation, global flags, output renderer, and error/exit code mapping. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PARITY-41-001 | Deliver parity command groups (`policy`, `sbom`, `vuln`, `vex`, `advisory`, `export`, `orchestrator`) with JSON/table outputs and `--explain`. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PARITY-41-002 | Implement `notify`, `aoc`, `auth` command groups, idempotency keys, completions, and parity matrix export. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-41-101 | Register `pack-run` job type, integrate logs/artifacts, expose pack run metadata. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md | TODO | Packs Registry Guild | PACKS-REG-41-001 | Implement packs index API, signature verification, provenance storage, and RBAC. | +| Sprint 41 | CLI Parity & Task Packs Phase 1 | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-41-001 | Bootstrap Task Runner service, migrations, run API, local executor, approvals pause, artifact capture. | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-42-001 | Publish `/docs/modules/cli/guides/parity-matrix.md`, `/cli/commands/*.md`, `/docs/task-packs/spec.md` (imposed rule). 
| +| Sprint 42 | CLI Parity & Task Packs Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CLI-42-001 | Add CLI golden output tests, parity diff automation, and pack run CI harness. | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PACKS-42-001 | Implement Task Pack CLI commands (`pack plan/run/push/pull/verify`) with plan/simulate engine and expression sandbox. | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PARITY-41-001..002 | Close parity gaps for Notifications, Policy Studio advanced features, SBOM graph, Vuln Explorer; parity matrix green. | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-PACKS-42-001 | Expose snapshot/time-travel APIs for CLI offline mode and pack simulation. | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-SVC-42-101 | Stream pack run logs via SSE/WS, expose artifact manifests, enforce pack run quotas. | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md | TODO | Packs Registry Guild | PACKS-REG-42-001 | Support pack version lifecycle, tenant allowlists, provenance export, signature rotation. | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ENGINE-42-201 | Provide stable rationale IDs/APIs for CLI `--explain` and pack policy gates. | +| Sprint 42 | CLI Parity & Task Packs Phase 2 | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-42-001 | Add loops, conditionals, `maxParallel`, outputs, simulation mode, policy gates in Task Runner. 
| +| Sprint 43 | CLI Parity & Task Packs Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-PACKS-43-001 | Publish `/docs/task-packs/authoring-guide.md`, `/registry.md`, `/runbook.md`, `/security/pack-signing-and-rbac.md`, `/operations/cli-release-and-packaging.md` (imposed rule). | +| Sprint 43 | CLI Parity & Task Packs Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CLI-43-001 | Finalize multi-platform release automation, SBOM signing, parity gate enforcement, pack run chaos tests. | +| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-PACKS-41-001 | Enforce pack signing policies, approval RBAC, CLI token scopes for CI headless runs. | +| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-PACKS-42-001 | Deliver advanced pack features (approvals pause/resume, remote streaming, secret injection), localization, man pages. | +| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-SVC-35-005, PACKS-REG-41-001 | Integrate pack run manifests into export bundles and CLI verify flows. | +| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md | TODO | Packs Registry Guild | PACKS-REG-42-001 | Enforce pack signing policies, audit trails, registry mirroring, Offline Kit support. | +| Sprint 43 | CLI Parity & Task Packs Phase 3 | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-42-001 | Implement approvals workflow, notifications integration, remote artifact uploads, chaos resilience. | +| Sprint 44 | Containerized Distribution Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-44-001 | Publish install overview + Compose Quickstart docs (imposed rule). 
| +| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | COMPOSE-44-001 | Deliver Quickstart Compose stack with seed data and quickstart script. | +| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | COMPOSE-44-002 | Provide backup/reset scripts with guardrails and documentation. | +| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | COMPOSE-44-003 | Implement seed job and onboarding wizard toggle (`QUICKSTART_MODE`). | +| Sprint 44 | Containerized Distribution Phase 1 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-COMPOSE-44-001 | Finalize Quickstart scripts and README. | +| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONTAINERS-44-001 | Automate multi-arch builds with SBOM/signature pipeline. | +| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DOCKER-44-001 | Author multi-stage Dockerfiles with non-root users, read-only FS, and health scripts for all services. | +| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DOCKER-44-002 | Generate SBOMs and cosign attestations for each image; integrate signature verification in CI. | +| Sprint 44 | Containerized Distribution Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DOCKER-44-003 | Ensure `/health/*`, `/version`, `/metrics`, and capability endpoints (`merge=false`) are exposed across services. | +| Sprint 44 | Containerized Distribution Phase 1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONTAINERS-44-001 | Expose config discovery and quickstart handling with health/version endpoints. | +| Sprint 45 | Containerized Distribution Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-45-001 | Publish Helm production + configuration reference docs (imposed rule). 
| +| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-HELM-45-001 | Publish Helm install guide and sample values. | +| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | HELM-45-001 | Scaffold Helm chart with component toggles and pinned digests. | +| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | HELM-45-002 | Add security features (TLS, NetworkPolicy, Secrets integration). | +| Sprint 45 | Containerized Distribution Phase 2 | ops/deployment/TASKS.md | TODO | Deployment Guild | HELM-45-003 | Implement HPA, PDB, readiness gates, and observability hooks. | +| Sprint 45 | Containerized Distribution Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONTAINERS-45-001 | Add Compose/Helm smoke tests to CI. | +| Sprint 45 | Containerized Distribution Phase 2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONTAINERS-45-001 | Ensure readiness endpoints and config toggles support Helm deployments. | +| Sprint 46 | Containerized Distribution Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-46-001 | Publish air-gap, supply chain, health/readiness, image catalog, console onboarding docs (imposed rule). | +| Sprint 46 | Containerized Distribution Phase 3 | ops/deployment/TASKS.md | TODO | Deployment Guild | DEPLOY-AIRGAP-46-001 | Provide air-gap load script and docs. | +| Sprint 46 | Containerized Distribution Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-CONTAINERS-46-001 | Build signed air-gap bundle and verify in CI. | +| Sprint 46 | Containerized Distribution Phase 3 | ops/offline-kit/TASKS.md | TODO | Offline Kit Guild | OFFLINE-CONTAINERS-46-001 | Include air-gap bundle and instructions in Offline Kit. 
| +| Sprint 46 | Containerized Distribution Phase 3 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-CONTAINERS-46-001 | Harden offline mode and document fallback behavior. | +| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | docs/TASKS.md | TODO | Docs Guild | DOCS-TEN-47-001 | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` (imposed rule). | +| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-TEN-47-001 | Integrate JWKS caching, signature verification tests, and auth regression suite into CI. | +| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-TEN-47-001 | Implement unified JWT/ODIC config, scope grammar, tenant/project claims, and JWKS caching in Authority. | +| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-TEN-47-001 | Ship `stella login`, `whoami`, `tenants list`, and tenant flag persistence with secure token storage. | +| Sprint 47 | Authority-Backed Scopes & Tenancy Phase 1 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-TEN-47-001 | Add auth middleware (token verification, tenant activation, scope checks) and structured 403 responses. | +| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | docs/TASKS.md | TODO | Docs Guild | DOCS-TEN-48-001 | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md` (imposed rule). | +| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-TEN-48-001 | Write integration tests for RLS enforcement, tenant audit stream, and object store prefix checks. 
| +| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-TEN-48-001 | Ensure advisory linkers operate per tenant with RLS, enforce aggregation-only capability endpoint. | +| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-TEN-48-001 | Same as above for VEX linkers; enforce capability endpoint `merge=false`. | +| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-TEN-48-001 | Add tenant prefixes to manifests/artifacts, enforce scope checks, and block cross-tenant exports by default. | +| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-TEN-48-001 | Partition findings by tenant/project, enable RLS, and update queries/events to include tenant context. | +| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-TEN-48-001 | Tenant-scope notification rules, incidents, and outbound channels; update storage schemas. | +| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-TEN-48-001 | Stamp jobs with tenant/project, set DB session context, and reject jobs without context. | +| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-TEN-48-001 | Add `tenant_id`/`project_id` to policy data, enable Postgres RLS, and expose rationale IDs with tenant context. 
| +| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-TEN-48-001 | Propagate tenant/project to all steps, enforce object store prefix, and validate before execution. | +| Sprint 48 | Authority-Backed Scopes & Tenancy Phase 2 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-TEN-48-001 | Enforce tenant context through persistence (DB GUC, object store prefix), add request annotations, and emit audit events. | +| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | docs/TASKS.md | TODO | Docs Guild | DOCS-TEN-49-001 | Publish `/docs/modules/cli/guides/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, `/docs/install/configuration-reference.md` updates (imposed rule). | +| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-TEN-49-001 | Implement audit log pipeline, monitor scope usage, chaos tests for JWKS outage, and tenant load/perf tests. | +| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-TEN-49-001 | Implement service accounts, delegation tokens (`act` chain), per-tenant quotas, and audit log streaming. | +| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-TEN-49-001 | Add service account token minting, delegation, and `--impersonate` banner/controls. | +| Sprint 49 | Authority-Backed Scopes & Tenancy Phase 3 | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-TEN-49-001 | Integrate ABAC policy overlay (optional), expose audit API, and support service token minting endpoints. 
| +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-INSTALL-50-001 | Add `/docs/install/telemetry-stack.md` for collector deployment and offline packaging. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | BLOCKED (2025-10-26) | Docs Guild | DOCS-OBS-50-001 | Author `/docs/observability/overview.md` with imposed rule banner and architecture context. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-50-002 | Document telemetry standards (fields, scrubbing, sampling) under `/docs/observability/telemetry-standards.md`. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-50-003 | Publish structured logging guide `/docs/observability/logging.md` with examples and imposed rule banner. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-50-004 | Publish tracing guide `/docs/observability/tracing.md` covering context propagation and sampling. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | docs/TASKS.md | TODO | Docs Guild | DOCS-SEC-OBS-50-001 | Update `/docs/security/redaction-and-privacy.md` for telemetry privacy controls. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | ops/devops/TASKS.md | DOING (2025-10-26) | DevOps Guild | DEVOPS-OBS-50-002 | Stand up multi-tenant metrics/logs/traces backends with retention and isolation. | +> Staging rollout plan recorded in `docs/modules/telemetry/operations/storage.md`; waiting on Authority-issued tokens and namespace bootstrap. 
+| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OBS-50-001 | Introduce observability/timeline/evidence/attestation scopes and update discovery metadata. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-50-001 | Propagate trace headers from CLI commands and print correlation IDs. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-50-001 | Replace ad-hoc logging with telemetry core across advisory ingestion/linking. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-50-001 | Adopt telemetry core in Concelier APIs and surface correlation IDs. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-50-001 | Integrate telemetry core into VEX ingestion/linking with scope metadata. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-50-001 | Add telemetry core to VEX APIs and emit trace headers. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-50-001 | Enable telemetry core in export planner/workers capturing bundle metadata. 
| +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-50-001 | Wire telemetry core through ledger writer/projector for append/replay operations. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-50-001 | Instrument orchestrator scheduler/control APIs with telemetry core spans/logs. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-50-001 | Instrument policy compile/evaluate flows with telemetry core spans/logs. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-50-001 | Adopt telemetry core in Task Runner host and workers with scrubbed transcripts. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-50-001 | Bootstrap telemetry core library with structured logging, OTLP exporters, and deterministic bootstrap. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-50-002 | Deliver context propagation middleware for HTTP/gRPC/jobs/CLI carrying trace + tenant metadata. | +| Sprint 50 | Observability & Forensics Phase 1 – Baseline Telemetry | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-50-001 | Integrate telemetry core into gateway and emit structured traces/logs for all routes. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | docs/TASKS.md | TODO | Docs Guild | DOCS-OBS-51-001 | Publish `/docs/observability/metrics-and-slos.md` with alert policies. 
| +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-51-001 | Deploy SLO evaluator service, dashboards, and alert routing. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-51-001 | Implement `stella obs top` streaming health metrics command. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-51-001 | Emit ingest latency metrics + SLO thresholds for advisories. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-51-001 | Provide VEX ingest metrics and SLO burn-rate automation. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-51-001 | Capture export planner/bundle latency metrics and SLOs. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-51-001 | Add ledger/projector metrics dashboards and burn-rate policies. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OBS-51-001 | Ingest SLO burn-rate webhooks and deliver observability alerts. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-51-001 | Publish orchestration metrics, SLOs, and burn-rate alerts. 
| +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-51-001 | Publish policy evaluation metrics + dashboards meeting SLO targets. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-51-001 | Emit task runner golden-signal metrics and SLO alerts. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-51-001 | Ship metrics helpers + exemplar guards for golden signals. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Security Guild | TELEMETRY-OBS-51-002 | Implement logging scrubbing and tenant debug override controls. | +| Sprint 51 | Observability & Forensics Phase 2 – SLOs & Dashboards | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-51-001 | Expose `/obs/health` and `/obs/slo` aggregations for services. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-OBS-52-001 | Document `stella obs` CLI commands and scripting patterns. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-OBS-52-001 | Document Console observability hub and trace/log search workflows. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | docs/TASKS.md | TODO | Docs Guild | DOCS-CONSOLE-OBS-52-002 | Publish Console forensics/timeline guidance with imposed rule banner. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-52-001 | Configure streaming pipelines and schema validation for timeline events. 
| +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-52-001 | Add `stella obs trace` + log commands correlating timeline data. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-52-001 | Emit advisory ingest/link timeline events with provenance metadata. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-52-001 | Provide SSE bridge for advisory timeline events. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-52-001 | Emit VEX ingest/link timeline events with justification info. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-52-001 | Stream VEX timeline updates to clients with tenant filters. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-52-001 | Publish export lifecycle events into timeline. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-52-001 | Record ledger append/projection events into timeline stream. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-52-001 | Emit job lifecycle timeline events with tenant/project metadata. 
| +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-52-001 | Emit policy decision timeline events with rule summaries and trace IDs. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-52-001 | Emit pack run timeline events and dedupe logic. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-52-001 | Bootstrap timeline indexer service and schema with RLS scaffolding. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-52-002 | Implement event ingestion pipeline with ordering and dedupe. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-52-003 | Expose timeline query APIs with tenant filters and pagination. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md | TODO | Security Guild | TIMELINE-OBS-52-004 | Finalize RLS + scope enforcement and audit logging for timeline reads. | +| Sprint 52 | Observability & Forensics Phase 3 – Timeline & Decision Logs | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-52-001 | Provide trace/log proxy endpoints bridging to timeline + log store. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | docs/TASKS.md | TODO | Docs Guild | DOCS-CLI-FORENSICS-53-001 | Document `stella forensic` CLI workflows with sample bundles. 
| +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | docs/TASKS.md | TODO | Docs Guild | DOCS-FORENSICS-53-001 | Publish `/docs/forensics/evidence-locker.md` covering bundles, WORM, legal holds. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | docs/TASKS.md | TODO | Docs Guild | DOCS-FORENSICS-53-003 | Publish `/docs/forensics/timeline.md` with schema and query examples. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-53-001 | Provision WORM-capable storage, legal hold automation, and backup/restore scripts for evidence locker. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-FORENSICS-53-001 | Ship `stella forensic snapshot` commands invoking evidence locker. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-53-001 | Generate advisory evidence payloads (raw doc, linkset diff) for locker. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-53-001 | Add `/evidence/advisories/*` gateway endpoints consuming locker APIs. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-53-001 | Bootstrap evidence locker service with schema, storage abstraction, and RLS. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-53-002 | Implement bundle builders for evaluation, job, and export snapshots. 
| +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-53-003 | Expose evidence APIs (create/get/verify/hold) with audit + quotas. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-53-001 | Produce VEX evidence payloads and push to locker. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-53-001 | Expose `/evidence/vex/*` endpoints retrieving locker bundles. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-53-001 | Store export manifests + transcripts within evidence bundles. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-53-001 | Persist evidence bundle references alongside ledger entries and expose lookup API. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-53-001 | Attach job capsules + manifests to evidence locker snapshots. | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-53-001 | Build evaluation evidence bundles (inputs, rule traces, engine version). | +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-53-001 | Capture step transcripts and manifests into evidence bundles. 
| +| Sprint 53 | Observability & Forensics Phase 4 – Evidence Locker | src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md | TODO | Timeline Indexer Guild | TIMELINE-OBS-53-001 | Link timeline events to evidence bundle digests and expose evidence lookup endpoint. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | docs/TASKS.md | TODO | Docs Guild | DOCS-FORENSICS-53-002 | Publish `/docs/forensics/provenance-attestation.md` covering signing + verification. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-54-001 | Manage provenance signing infrastructure (KMS keys, timestamp authority) and CI verification. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-FORENSICS-54-001 | Implement `stella forensic verify` command verifying bundles + signatures. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-FORENSICS-54-002 | Add `stella forensic attest show` command with signer/timestamp details. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-54-001 | Sign advisory batches with DSSE attestations and expose verification. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-54-001 | Add `/attestations/advisories/*` endpoints surfacing verification metadata. 
| +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-54-001 | Attach DSSE signing/timestamping to evidence bundles and emit timeline hooks. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-54-002 | Provide bundle packaging + offline verification fixtures. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-54-001 | Produce VEX batch attestations linking to timeline/ledger. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-54-001 | Expose `/attestations/vex/*` endpoints with verification summaries. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-54-001 | Produce export attestation manifests and CLI verification hooks. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-54-001 | Produce DSSE attestations for jobs and surface verification endpoint. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-54-001 | Generate DSSE attestations for policy evaluations and expose verification API. 
| +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Provenance/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild | PROV-OBS-53-001 | Implement DSSE/SLSA models with deterministic serializer + test vectors. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Provenance/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild | PROV-OBS-53-002 | Build signer abstraction (cosign/KMS/offline) with policy enforcement. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Provenance/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild | PROV-OBS-54-001 | Deliver verification library validating DSSE signatures + Merkle roots. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/Provenance/StellaOps.Provenance.Attestation/TASKS.md | TODO | Provenance Guild, DevEx/CLI Guild | PROV-OBS-54-002 | Package provenance verification tool for CLI integration and offline use. | +| Sprint 54 | Observability & Forensics Phase 5 – Provenance & Verification | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-54-001 | Generate pack run attestations and link to timeline/evidence. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | docs/TASKS.md | TODO | Docs Guild | DOCS-RUNBOOK-55-001 | Publish `/docs/runbooks/incidents.md` covering activation, escalation, and verification checklist. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OBS-55-001 | Automate incident mode activation via SLO alerts, retention override management, and reset job. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OBS-55-001 | Enforce `obs:incident` scope with fresh-auth requirement and audit export for toggles. 
| +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-55-001 | Ship `stella obs incident-mode` commands with safeguards and audit logging. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OBS-55-001 | Increase sampling and raw payload retention under incident mode with redaction guards. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OBS-55-001 | Provide incident mode toggle endpoints and propagate to services. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-55-001 | Extend evidence retention + activation events for incident windows. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OBS-55-001 | Enable incident sampling + retention overrides for VEX pipelines. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OBS-55-001 | Add incident mode APIs for VEX services with audit + guardrails. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OBS-55-001 | Increase export telemetry + debug retention during incident mode and emit events. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OBS-55-001 | Extend retention and diagnostics capture during incident mode. 
| +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OBS-55-001 | Send incident mode start/stop notifications with quick links to evidence/timeline. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OBS-55-001 | Increase telemetry + evidence capture during incident mode and emit activation events. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-OBS-55-001 | Capture full rule traces + retention bump on incident activation with timeline events. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OBS-55-001 | Capture extra debug data + notifications for incident mode runs. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-55-001 | Implement incident mode sampling toggle API with activation audit trail. | +| Sprint 55 | Observability & Forensics Phase 6 – Incident Mode | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-55-001 | Deliver `/obs/incident-mode` control endpoints with audit + retention previews. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-001 | Publish `/docs/airgap/overview.md`. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-002 | Document sealing and egress controls. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-003 | Publish mirror bundles guide. 
| +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-56-004 | Publish bootstrap pack guide. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-56-001 | Publish deny-all egress policies and verification script for sealed environments. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-56-002 | Provide bundle staging/import scripts for air-gapped object stores. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-56-003 | Build Bootstrap Pack pipeline bundling images/charts with checksums. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Controller/TASKS.md | TODO | AirGap Controller Guild | AIRGAP-CTL-56-001 | Implement sealing state machine, persistence, and RBAC scopes for air-gapped status. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Controller/TASKS.md | TODO | AirGap Controller Guild | AIRGAP-CTL-56-002 | Expose seal/status APIs with policy hash validation and staleness placeholders. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-56-001 | Implement DSSE/TUF/Merkle verification helpers. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-56-002 | Enforce root rotation policy for bundles. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-56-001 | Ship `EgressPolicy` facade with sealed/unsealed enforcement and remediation errors. 
| +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-56-002 | Deliver Roslyn analyzer blocking raw HTTP clients; wire into CI. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-56-001 | Implement mirror create/verify and airgap verify commands. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-OBS-50-001 | Ensure telemetry propagation for sealed logging. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-AIRGAP-56-001 | Add mirror ingestion adapters preserving source metadata. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-AIRGAP-56-001 | Add VEX mirror ingestion adapters. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-56-001 | Extend export center to build mirror bundles. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Mirror/StellaOps.Mirror.Creator/TASKS.md | TODO | Mirror Creator Guild | MIRROR-CRT-56-001 | Build deterministic bundle assembler (advisories/vex/policy). | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-56-001 | Validate jobs against sealed-mode restrictions. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-56-001 | Accept policy packs from bundles with provenance tracking. 
| +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-56-001 | Enforce sealed-mode plan validation for network calls. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Telemetry/StellaOps.Telemetry.Core/TASKS.md | TODO | Observability Guild | TELEMETRY-OBS-56-001 | (Carry) Extend telemetry core with sealed-mode hooks before integration. | +| Sprint 56 | Air-Gapped Mode Phase 1 – Sealing Foundations | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OBS-56-001 | Extend telemetry core usage for sealed-mode status surfaces (seal/unseal dashboards, drift signals). | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-001 | Publish staleness/time doc. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-002 | Publish console airgap doc. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-003 | Publish CLI airgap doc. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-57-004 | Publish airgap operations runbook. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-57-001 | Automate mirror bundle creation with approvals. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-AIRGAP-57-002 | Run sealed-mode CI suite enforcing zero egress. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-57-001 | Implement bundle catalog with RLS + migrations. 
| +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Importer/TASKS.md | TODO | AirGap Importer Guild | AIRGAP-IMP-57-002 | Load artifacts into object store with checksum verification. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-57-001 | Adopt EgressPolicy in core services. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-57-002 | Enforce Task Runner job plan validation. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/AirGap/StellaOps.AirGap.Time/TASKS.md | TODO | AirGap Time Guild | AIRGAP-TIME-57-001 | Parse signed time tokens and expose normalized anchors. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-57-001 | Complete airgap import CLI with diff preview. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-57-002 | Ship seal/status CLI commands. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-56-002 | Deliver bootstrap pack artifacts. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Mirror/StellaOps.Mirror.Creator/TASKS.md | TODO | Mirror Creator Guild | MIRROR-CRT-57-001 | Add OCI image support to mirror bundles. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Mirror/StellaOps.Mirror.Creator/TASKS.md | TODO | Mirror Creator Guild | MIRROR-CRT-57-002 | Embed signed time anchors in bundles. 
| +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-56-001 | Lock notifications to enclave-safe channels. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-56-002 | Integrate sealing status + staleness into scheduling. | +| Sprint 57 | Air-Gapped Mode Phase 2 – Mirror Bundles & Imports | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-56-002 | Provide bundle ingestion helper steps. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-001 | Publish degradation matrix doc. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-002 | Update trust & signing doc for DSSE/TUF roots. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-003 | Publish developer airgap contracts doc. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-004 | Document portable evidence workflows. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Controller/TASKS.md | TODO | AirGap Controller Guild | AIRGAP-CTL-58-001 | Persist time anchor data and expose drift metrics. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-58-001 | Disable remote observability exporters in sealed mode. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Policy/TASKS.md | TODO | AirGap Policy Guild | AIRGAP-POL-58-002 | Add CLI sealed-mode guard. 
| +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Time/TASKS.md | TODO | AirGap Time Guild | AIRGAP-TIME-58-001 | Compute drift/staleness metrics and surface via controller status. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/AirGap/StellaOps.AirGap.Time/TASKS.md | TODO | AirGap Time Guild | AIRGAP-TIME-58-002 | Emit notifications/events for staleness budgets. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-58-001 | Ship portable evidence export helper. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-AIRGAP-57-002 | Annotate advisories with staleness metadata. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-AIRGAP-57-002 | Annotate VEX statements with staleness metadata. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-57-001 | Add portable evidence export integration. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-57-001 | Notify on drift/staleness thresholds. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-58-001 | Link import/export jobs to timeline/evidence. | +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-57-002 | Show degradation fallback info in explain traces. 
| +| Sprint 58 | Air-Gapped Mode Phase 3 – Staleness & Enforcement | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-58-001 | Capture import job evidence transcripts. | +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-AIRGAP-57-001 | Map sealed-mode violations to standard errors. | +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-AIRGAP-57-001 | Map sealed-mode violations to standard errors. | +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-AIRGAP-58-001 | Emit notifications/timeline for bundle readiness. | +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-AIRGAP-56-002 | Enforce staleness thresholds for findings exports. | +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-58-001 | Notify on portable evidence exports. | +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-AIRGAP-57-001 | Automate mirror bundle job scheduling with audit provenance. | +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-57-001 | Enforce sealed-mode guardrails inside evaluation engine. 
| +| Sprint 59 | Air-Gapped Mode Phase 4 – Deterministic Jobs & Enforcement | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-AIRGAP-57-001 | Block execution when seal state mismatched; emit timeline events. | +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-58-004 | Document portable evidence workflows. | +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-AIRGAP-58-001 | Finalize portable evidence CLI workflow with verification. | +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-AIRGAP-58-001 | Emit timeline events for bundle imports. | +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md | TODO | Evidence Locker Guild | EVID-OBS-60-001 | Deliver portable evidence export flow for sealed environments with checksum manifest and offline verification script. | +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-AIRGAP-58-001 | Emit timeline events for VEX bundle imports. | +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-AIRGAP-57-001 | Link findings to portable evidence bundles. | +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-AIRGAP-58-001 | (Carry) Portable evidence notifications. 
| +| Sprint 60 | Air-Gapped Mode Phase 5 – Evidence Portability & UX | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-AIRGAP-58-001 | Notify on stale policy packs and guide remediation. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-61-001 | Publish `/docs/api/overview.md`. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-61-002 | Publish `/docs/api/conventions.md`. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-61-003 | Publish `/docs/api/versioning.md`. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-OAS-61-001 | Add OAS lint/validation/diff stages to CI. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Api/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-61-001 | Configure lint rules and CI enforcement. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Api/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-61-002 | Enforce example coverage in CI. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Api/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-61-001 | Scaffold per-service OpenAPI skeletons with shared components. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Api/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-61-002 | Build aggregate composer and integrate into CI. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-61-001 | Document Authority authentication APIs in OAS. 
| +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-61-002 | Provide Authority discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-61-001 | Update advisory OAS coverage. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-61-002 | Populate advisory examples. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OAS-61-001 | Implement Concelier discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OAS-61-002 | Standardize error envelope. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-61-001 | Update VEX OAS coverage. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-61-002 | Provide VEX examples. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OAS-61-001 | Implement discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OAS-61-002 | Migrate errors to standard envelope. 
| +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-61-001 | Update Exporter spec coverage. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-61-002 | Implement Exporter discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-61-001 | Expand Findings Ledger spec coverage. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-61-002 | Provide ledger discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-61-001 | Update notifier spec coverage. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-61-002 | Implement notifier discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OAS-61-001 | Extend Orchestrator spec coverage. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OAS-61-002 | Provide orchestrator discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-61-001 | Document Task Runner APIs in OAS. 
| +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-61-002 | Expose Task Runner discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-61-001 | Implement gateway discovery endpoint. | +| Sprint 61 | SDKs & OpenAPI Phase 1 – Contract Foundations | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-61-002 | Standardize error envelope across gateway. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-CONTRIB-62-001 | Publish API contracts contributing guide. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-DEVPORT-62-001 | Document dev portal publishing. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-OAS-62-001 | Deploy `/docs/api/reference/` generated site. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-SDK-62-001 | Publish SDK overview + language guides. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-SEC-62-001 | Update auth scopes documentation. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | docs/TASKS.md | TODO | Docs Guild | DOCS-TEST-62-001 | Publish contract testing doc. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Api/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-62-001 | Implement compatibility diff tool. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Api/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-62-001 | Populate examples for top endpoints. 
| +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-62-001 | Provide SDK auth helpers/tests. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-62-001 | Migrate CLI to official SDK. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-62-002 | Update CLI error handling for new envelope. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-62-001 | Add SDK smoke tests for advisory APIs. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Concelier/StellaOps.Concelier.WebService/TASKS.md | TODO | Concelier WebService Guild | CONCELIER-WEB-OAS-62-001 | Add advisory API examples. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-62-001 | Build static generator with nav/search. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-62-002 | Add schema viewer, examples, version selector. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-62-001 | Add SDK tests for VEX APIs. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Excititor/StellaOps.Excititor.WebService/TASKS.md | TODO | Excititor WebService Guild | EXCITITOR-WEB-OAS-62-001 | Provide VEX API examples. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-62-001 | Ensure SDK streaming helpers for exports. 
| +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-62-001 | Provide SDK tests for ledger APIs. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-62-001 | Provide SDK examples for notifier APIs. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-62-001 | Establish generator framework. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-62-002 | Implement shared post-processing helpers. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-62-001 | Provide SDK examples for pack runs. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-62-001 | Align pagination/idempotency behaviors. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-62-001 | Generate mock server fixtures. | +| Sprint 62 | SDKs & OpenAPI Phase 2 – Examples & Portal | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-62-002 | Integrate mock server into CI. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | docs/TASKS.md | TODO | Docs Guild | DOCS-TEST-62-001 | (Carry) ensure contract testing doc final. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Api/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-63-001 | Integrate compatibility diff gating. 
| +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Api/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-63-001 | Compatibility diff support. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Api/StellaOps.Api.OpenApi/TASKS.md | TODO | API Contracts Guild | OAS-63-002 | Define discovery schema metadata. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-63-001 | Add CLI spec download command. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-63-001 | Add Try-It console. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-63-002 | Embed SDK snippets/quick starts. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-001 | Release TypeScript SDK alpha. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-002 | Release Python SDK alpha. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-003 | Release Go SDK alpha. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-63-004 | Release Java SDK alpha. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-63-001 | Configure SDK release pipelines. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | src/Sdk/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-63-002 | Automate changelogs from OAS diffs. 
| +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-63-001 | Build replay harness for drift detection. | +| Sprint 63 | SDKs & OpenAPI Phase 3 – SDK Alpha & Try-It | test/contract/TASKS.md | TODO | Contract Testing Guild | CONTR-63-002 | Emit contract testing metrics. | +| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-DEVPORT-64-001 | Document devportal offline usage. | +| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-DEVPORT-63-001 | Automate developer portal pipeline. | +| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-DEVPORT-64-001 | Schedule offline bundle builds. | +| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-64-001 | Offline portal build. | +| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/DevPortal/StellaOps.DevPortal.Site/TASKS.md | TODO | Developer Portal Guild | DEVPORT-64-002 | Add accessibility/performance checks. | +| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/TASKS.md | TODO | DevPortal Offline Guild | DVOFF-64-001 | Implement devportal offline export job. | +| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/TASKS.md | TODO | DevPortal Offline Guild | DVOFF-64-002 | Provide verification CLI. | +| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-64-001 | Migrate CLI to SDK. 
| +| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/Sdk/StellaOps.Sdk.Generator/TASKS.md | TODO | SDK Generator Guild | SDKGEN-64-002 | Integrate SDKs into Console. | +| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/Sdk/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-64-001 | Hook SDK releases to Notifications. | +| Sprint 64 | SDKs & OpenAPI Phase 4 – Harden & Offline Bundles | src/Sdk/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-64-002 | Produce devportal offline bundle. | +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | docs/TASKS.md | TODO | Docs Guild | DOCS-AIRGAP-DEVPORT-64-001 | (Carry) ensure offline doc published; update as necessary. | +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Api/StellaOps.Api.Governance/TASKS.md | TODO | API Governance Guild | APIGOV-63-001 | (Carry) compatibility gating monitoring. | +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Authority/StellaOps.Authority/TASKS.md | TODO | Authority Core & Security Guild | AUTH-OAS-63-001 | Deprecation headers for auth endpoints. | +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-SDK-64-001 | SDK update awareness command. | +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-OAS-63-001 | Deprecation metadata for Concelier APIs. | +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-OAS-63-001 | Deprecation metadata for VEX APIs. 
| +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-OAS-63-001 | Deprecation headers for exporter APIs. | +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-OAS-63-001 | Deprecation headers for ledger APIs. | +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-OAS-63-001 | Emit deprecation notifications. | +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Orchestrator/StellaOps.Orchestrator/TASKS.md | TODO | Orchestrator Service Guild | ORCH-OAS-63-001 | Add orchestrator deprecation headers. | +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Sdk/StellaOps.Sdk.Release/TASKS.md | TODO | SDK Release Guild | SDKREL-64-001 | Production rollout of notifications feed. | +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/TaskRunner/StellaOps.TaskRunner/TASKS.md | TODO | Task Runner Guild | TASKRUN-OAS-63-001 | Add Task Runner deprecation headers. | +| Sprint 65 | SDKs & OpenAPI Phase 5 – Deprecation & Notifications | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-OAS-63-001 | Implement deprecation headers in gateway. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-001 | Publish `/docs/risk/overview.md`. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-002 | Publish `/docs/risk/profiles.md`. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-003 | Publish `/docs/risk/factors.md`. 
| +| Sprint 66 | Risk Profiles Phase 1 – Foundations | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-66-004 | Publish `/docs/risk/formulas.md`. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-66-001 | Implement CLI profile management commands. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-66-002 | Implement CLI simulation command. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-RISK-66-001 | Expose CVSS/KEV provider data. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-RISK-66-002 | Provide fix availability signals. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-RISK-66-001 | Supply VEX gating data to risk engine. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-RISK-66-002 | Provide reachability inputs. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-66-001 | Add risk scoring columns/indexes. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-66-002 | Implement deterministic scoring upserts. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-66-001 | Create risk severity alert templates. 
| +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-66-003 | Integrate schema validation into Policy Engine. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Policy/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-66-001 | Deliver RiskProfile schema + validators. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Policy/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-66-002 | Implement inheritance/merge and hashing. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-RISK-66-004 | Extend Policy libraries for RiskProfile handling. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-66-001 | Scaffold risk engine queue/worker/registry. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-66-002 | Implement transforms/gates/contribution calculator. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-66-001 | Expose risk API routing in gateway. | +| Sprint 66 | Risk Profiles Phase 1 – Foundations | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-66-002 | Handle explainability downloads. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-001 | Publish explainability doc. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-002 | Publish risk API doc. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-003 | Publish console risk UI doc. 
| +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-004 | Publish CLI risk doc. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-67-001 | Provide risk results query command. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md | TODO | Concelier Core Guild | CONCELIER-RISK-67-001 | Add source consensus metrics. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md | TODO | Excititor Core Guild | EXCITITOR-RISK-67-001 | Add VEX explainability metadata. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-67-001 | Notify on profile publish/deprecate. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | (Prep) risk routing settings seeds. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-67-001 | Enqueue scoring on new findings. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-67-002 | Deliver profile lifecycle APIs. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Policy/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-67-001 | Integrate profiles into policy store lifecycle. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Policy/StellaOps.Policy.RiskProfile/TASKS.md | TODO | Risk Profile Schema Guild | POLICY-RISK-67-002 | Publish schema endpoint + validation tooling. 
| +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-RISK-67-003 | Provide simulation orchestration APIs. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-67-001 | Integrate CVSS/KEV providers. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-67-002 | Integrate VEX gate provider. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-67-003 | Add fix availability/criticality/exposure providers. | +| Sprint 67 | Risk Profiles Phase 2 – Providers & Lifecycle | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-67-001 | Provide risk status endpoint. | +| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-68-001 | Publish risk bundle doc. | +| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-68-002 | Update AOC invariants doc. | +| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-68-001 | Add risk bundle verification command. | +| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-67-001 | Provide scored findings query API. | +| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-68-001 | Enable scored findings export. 
| +| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | Configure risk notification routing UI/logic. | +| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-RISK-68-001 | Ship simulation API endpoint. | +| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Policy/__Libraries/StellaOps.Policy/TASKS.md | TODO | Policy Guild | POLICY-RISK-68-002 | Support profile export/import. | +| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-68-001 | Persist scoring results & explanations. | +| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-68-002 | Expose jobs/results/explanations APIs. | +| Sprint 68 | Risk Profiles Phase 3 – APIs & Ledger | src/Web/StellaOps.Web/TASKS.md | TODO | BE-Base Platform Guild | WEB-RISK-68-001 | Emit severity transition events via gateway. | +| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-001..004 | (Carry) ensure docs updated from simulation release. | +| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-69-001 | Build risk bundle. | +| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-69-002 | Integrate bundle into pipelines. | +| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-RISK-69-002 | Enable simulation report exports. 
| +| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-66-001 | (Completion) finalize severity alert templates. | +| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-69-001 | Implement simulation mode. | +| Sprint 69 | Risk Profiles Phase 4 – Simulation & Reporting | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-69-002 | Add telemetry/metrics dashboards. | +| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-68-001 | (Carry) finalize risk bundle doc after verification CLI. | +| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-70-001 | Provide bundle verification CLI. | +| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md | TODO | Risk Bundle Export Guild | RISK-BUNDLE-70-002 | Publish documentation. | +| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/ExportCenter/StellaOps.ExportCenter/TASKS.md | TODO | Exporter Service Guild | EXPORT-RISK-70-001 | Integrate risk bundle into offline kit. | +| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | Finalize risk alert routing UI. | +| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-70-001 | Support offline provider bundles. 
| +| Sprint 70 | Risk Profiles Phase 5 – Air-Gap & Advanced Factors | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-70-002 | Integrate runtime/reachability providers. | +| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | docs/TASKS.md | TODO | Docs Guild | DOCS-RISK-67-001..68-002 | Final editorial pass on risk documentation set. | +| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/Cli/StellaOps.Cli/TASKS.md | TODO | DevEx/CLI Guild | CLI-RISK-66-001..68-001 | Harden CLI commands with integration tests and error handling. | +| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/Findings/StellaOps.Findings.Ledger/TASKS.md | TODO | Findings Ledger Guild | LEDGER-RISK-69-001 | Finalize dashboards and alerts for scoring latency. | +| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-RISK-68-001 | Tune routing/quiet hour dedupe for risk alerts. | +| Sprint 71 | Risk Profiles Phase 6 – Quality & Performance | src/RiskEngine/StellaOps.RiskEngine/TASKS.md | TODO | Risk Engine Guild | RISK-ENGINE-69-002 | Optimize performance, cache, and incremental scoring; validate SLOs. | +| Sprint 72 | Attestor Console Phase 1 – Foundations | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-73-001 | (Prep) align CI secrets for Attestor service. | +| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-72-001 | Implement DSSE canonicalization and hashing helpers. | +| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-72-002 | Support compact/expanded output and detached payloads. 
| +| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor.Types/TASKS.md | TODO | Attestation Payloads Guild | ATTEST-TYPES-72-001 | Draft schemas for all attestation payload types. | +| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor.Types/TASKS.md | TODO | Attestation Payloads Guild | ATTEST-TYPES-72-002 | Generate models/validators from schemas. | +| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-72-001 | Scaffold attestor service skeleton. | +| Sprint 72 | Attestor Console Phase 1 – Foundations | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-72-002 | Implement attestation store + storage integration. | | Sprint 72 | Attestor Console Phase 1 – Foundations | src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md | DONE | KMS Guild | KMS-72-001 | Implement KMS interface + file driver. | +| Sprint 73 | Attestor CLI Phase 2 – Signing & Policies | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-73-001 | Implement `stella attest sign` (payload selection, subject digest, key reference, output format) using official SDK transport. | +| Sprint 73 | Attestor CLI Phase 2 – Signing & Policies | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-73-002 | Implement `stella attest verify` with policy selection, explainability output, and JSON/table formatting. | +| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-001 | Publish attestor overview. | +| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-002 | Publish payload docs. | +| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-003 | Publish policies doc. 
| +| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-73-004 | Publish workflows doc. | +| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Attestor/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-73-001 | Add signing/verification helpers with KMS integration. | +| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Attestor/StellaOps.Attestor.Types/TASKS.md | TODO | Attestation Payloads Guild | ATTEST-TYPES-73-001 | Create golden payload fixtures. | +| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-73-001 | Ship signing endpoint. | +| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-73-002 | Ship verification pipeline and reports. | +| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-73-003 | Implement list/fetch APIs. | +| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md | DONE (2025-10-30) | KMS Guild | KMS-72-002 | CLI support for key import/export. | +| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ATTEST-73-001 | Implement VerificationPolicy lifecycle. | +| Sprint 73 | Attestor Console Phase 2 – Signing & Policies | src/Policy/StellaOps.Policy.Engine/TASKS.md | TODO | Policy Guild | POLICY-ATTEST-73-002 | Surface policies in Policy Studio. | +| Sprint 74 | Attestor CLI Phase 3 – Transparency & Chain of Custody | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-74-001 | Implement `stella attest list` with filters (subject, type, issuer, scope) and pagination. 
| +| Sprint 74 | Attestor CLI Phase 3 – Transparency & Chain of Custody | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild | CLI-ATTEST-74-002 | Implement `stella attest fetch` to download envelopes and payloads to disk. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-001 | Publish keys & issuers doc. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-002 | Publish transparency doc. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-003 | Publish console attestor UI doc. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-74-004 | Publish CLI attest doc. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-74-001 | Deploy transparency witness infra. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor.Envelope/TASKS.md | TODO | Envelope Guild | ATTEST-ENVELOPE-73-002 | Run fuzz tests for envelope handling. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor.Verify/TASKS.md | TODO | Verification Guild | ATTEST-VERIFY-74-001 | Add telemetry for verification pipeline. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor.Verify/TASKS.md | TODO | Verification Guild | ATTEST-VERIFY-74-002 | Document verification explainability. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-74-001 | Integrate transparency witness client. 
| +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-74-002 | Implement bulk verification worker. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md | TODO | Attestation Bundle Guild | EXPORT-ATTEST-74-001 | Build attestation bundle export job. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-ATTEST-74-001 | Add verification/key notifications. | +| Sprint 74 | Attestor Console Phase 3 – Transparency & Chain of Custody | src/Notifier/StellaOps.Notifier/TASKS.md | TODO | Notifications Service Guild | NOTIFY-ATTEST-74-002 | Notify key rotation/revocation. | +| Sprint 75 | Attestor CLI Phase 4 – Air Gap & Bulk | src/Cli/StellaOps.Cli/TASKS.md | TODO | CLI Attestor Guild, Export Guild | CLI-ATTEST-75-002 | Add support for building/verifying attestation bundles in CLI. | +| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-75-001 | Publish attestor airgap doc. | +| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | docs/TASKS.md | TODO | Docs Guild | DOCS-ATTEST-75-002 | Update AOC invariants for attestations. | +| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-74-002 | Integrate bundle builds into release/offline pipelines. | +| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | ops/devops/TASKS.md | TODO | DevOps Guild | DEVOPS-ATTEST-75-001 | Dashboards/alerts for attestor metrics. | +| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-75-001 | Support attestation bundle export/import for air gap. 
| +| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/Attestor/StellaOps.Attestor/TASKS.md | TODO | Attestor Service Guild | ATTESTOR-75-002 | Harden APIs (rate limits, fuzz tests, threat model actions). | +| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md | TODO | Attestation Bundle Guild | EXPORT-ATTEST-75-001 | CLI bundle verify/import. | +| Sprint 75 | Attestor Console Phase 4 – Air Gap & Bulk | src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md | TODO | Attestation Bundle Guild | EXPORT-ATTEST-75-002 | Document attestor airgap workflow. | diff --git a/docs/implplan/SPRINT_100_identity_signing.md b/docs/implplan/SPRINT_100_identity_signing.md new file mode 100644 index 00000000..feff1c9d --- /dev/null +++ b/docs/implplan/SPRINT_100_identity_signing.md 
@@ -0,0 +1,99 @@ +# Sprint 100 - Identity & Signing + +[Identity & Signing] 100.A) Attestor.I +Summary: Identity & Signing focus on Attestor (phase I). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +ATTEST-ENVELOPE-72-001 | TODO | Implement DSSE canonicalization, JSON normalization, multi-signature structures, and hashing helpers. | Envelope Guild (src/Attestor/StellaOps.Attestor.Envelope/TASKS.md) +ATTEST-ENVELOPE-72-002 | TODO | Support compact and expanded JSON output, payload compression, and detached payload references. | Envelope Guild (src/Attestor/StellaOps.Attestor.Envelope/TASKS.md) +ATTEST-ENVELOPE-73-001 | TODO | Implement Ed25519 & ECDSA signature create/verify helpers, key identification (`keyid`) scheme, and error mapping. | Envelope Guild, KMS Guild (src/Attestor/StellaOps.Attestor.Envelope/TASKS.md) +ATTEST-ENVELOPE-73-002 | TODO | Add fuzz tests for envelope parsing, signature verification, and canonical JSON round-trips. | Envelope Guild (src/Attestor/StellaOps.Attestor.Envelope/TASKS.md) +ATTEST-TYPES-72-001 | TODO | Draft JSON Schemas for BuildProvenance v1, SBOMAttestation v1, VEXAttestation v1, ScanResults v1, PolicyEvaluation v1, RiskProfileEvidence v1, CustomEvidence v1. | Attestation Payloads Guild (src/Attestor/StellaOps.Attestor.Types/TASKS.md) +ATTEST-TYPES-72-002 | TODO | Generate Go/TS models from schemas with validation helpers and canonical JSON serialization. | Attestation Payloads Guild (src/Attestor/StellaOps.Attestor.Types/TASKS.md) +ATTEST-TYPES-73-001 | TODO | Create golden payload samples for each type; integrate into tests and documentation. | Attestation Payloads Guild (src/Attestor/StellaOps.Attestor.Types/TASKS.md) +ATTEST-TYPES-73-002 | TODO | Publish schema reference docs (`/docs/modules/attestor/payloads.md`) with annotated JSON examples. 
| Attestation Payloads Guild, Docs Guild (src/Attestor/StellaOps.Attestor.Types/TASKS.md) +ATTEST-VERIFY-73-001 | TODO | Implement verification engine: policy evaluation, issuer trust resolution, freshness, signature count, transparency checks; produce structured reports. | Verification Guild, Policy Guild (src/Attestor/StellaOps.Attestor.Verify/TASKS.md) +ATTEST-VERIFY-73-002 | TODO | Add caching layer keyed by `(subject, envelope_id, policy_version)` with TTL and invalidation on new evidence. | Verification Guild (src/Attestor/StellaOps.Attestor.Verify/TASKS.md) +ATTEST-VERIFY-74-001 | TODO | Emit telemetry (spans/metrics) tagged by subject, issuer, policy, result; integrate with dashboards. | Verification Guild, Observability Guild (src/Attestor/StellaOps.Attestor.Verify/TASKS.md) +ATTEST-VERIFY-74-002 | TODO | Document verification report schema and explainability in `/docs/modules/attestor/workflows.md`. | Verification Guild, Docs Guild (src/Attestor/StellaOps.Attestor.Verify/TASKS.md) +ATTESTOR-72-001 | TODO | Scaffold service (REST API skeleton, storage interfaces, KMS integration stubs) and DSSE validation pipeline. | Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md) +ATTESTOR-72-002 | TODO | Implement attestation store (DB tables, object storage integration), CRUD, and indexing strategies. | Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md) +ATTESTOR-73-001 | TODO | Implement signing endpoint with Ed25519/ECDSA support, KMS integration, and audit logging. | Attestor Service Guild, KMS Guild (src/Attestor/StellaOps.Attestor/TASKS.md) + + +[Identity & Signing] 100.A) Attestor.II +Depends on: Sprint 100.A - Attestor.I +Summary: Identity & Signing focus on Attestor (phase II). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +ATTESTOR-73-002 | TODO | Build verification pipeline evaluating DSSE signatures, issuer trust, and verification policies; persist reports. 
| Attestor Service Guild, Policy Guild (src/Attestor/StellaOps.Attestor/TASKS.md) +ATTESTOR-73-003 | TODO | Implement listing/fetch APIs with filters (subject, type, issuer, scope, date). | Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md) +ATTESTOR-74-001 | TODO | Integrate transparency witness client, inclusion proof verification, and caching. | Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md) +ATTESTOR-74-002 | TODO | Implement bulk verification worker + API with progress tracking, rate limits, and caching. | Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md) +ATTESTOR-75-001 | TODO | Add export/import flows for attestation bundles and offline verification mode. | Attestor Service Guild, Export Guild (src/Attestor/StellaOps.Attestor/TASKS.md) +ATTESTOR-75-002 | TODO | Harden APIs with rate limits, auth scopes, threat model mitigations, and fuzz testing. | Attestor Service Guild, Security Guild (src/Attestor/StellaOps.Attestor/TASKS.md) + + +[Identity & Signing] 100.B) Authority.I +Summary: Identity & Signing focus on Authority (phase I). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +AUTH-AIAI-31-001 | TODO | Define Advisory AI scopes (`advisory-ai:view`, `advisory-ai:operate`, `advisory-ai:admin`) and remote inference toggles; update discovery metadata/offline defaults. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) +AUTH-AIAI-31-002 | TODO | Enforce anonymized prompt logging, tenant consent for remote inference, and audit logging of assistant tasks. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) +AUTH-AIRGAP-56-001 | TODO | Provision new scopes (`airgap:seal`, `airgap:import`, `airgap:status:read`) in configuration metadata, offline kit defaults, and issuer templates. 
| Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) +AUTH-AIRGAP-56-002 | TODO | Audit import actions with actor, tenant, bundle ID, and trace ID; expose `/authority/audit/airgap` endpoint. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) +AUTH-AIRGAP-57-001 | TODO | Enforce sealed-mode CI gating by refusing token issuance when declared sealed install lacks sealing confirmation. | Authority Core & Security Guild, DevOps Guild (src/Authority/StellaOps.Authority/TASKS.md) +AUTH-NOTIFY-38-001 | TODO | Define `Notify.Viewer`, `Notify.Operator`, `Notify.Admin` scopes/roles, update discovery metadata, offline defaults, and issuer templates. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) +AUTH-NOTIFY-40-001 | TODO | Implement signed ack token key rotation, webhook allowlists, admin-only escalation settings, and audit logging of ack actions. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) +AUTH-OAS-62-001 | TODO | Provide SDK helpers for OAuth2/PAT flows, tenancy override header; add integration tests. | Authority Core & Security Guild, SDK Generator Guild (src/Authority/StellaOps.Authority/TASKS.md) +AUTH-OAS-63-001 | TODO | Emit deprecation headers and notifications for legacy auth endpoints. | Authority Core & Security Guild, API Governance Guild (src/Authority/StellaOps.Authority/TASKS.md) +AUTH-OBS-50-001 | TODO | Introduce scopes `obs:read`, `timeline:read`, `timeline:write`, `evidence:create`, `evidence:read`, `evidence:hold`, `attest:read`, and `obs:incident` (all tenant-scoped). Update discovery metadata, offline defaults, and scope grammar docs. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) +AUTH-OBS-52-001 | TODO | Configure resource server policies for Timeline Indexer, Evidence Locker, Exporter, and Observability APIs enforcing new scopes + tenant claims. Emit audit events including scope usage and trace IDs. 
| Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) +AUTH-OBS-55-001 | TODO | Harden incident mode authorization: require `obs:incident` scope + fresh auth, log activation reason, and expose verification endpoint for auditors. Update docs/runbooks. | Authority Core & Security Guild, Ops Guild (src/Authority/StellaOps.Authority/TASKS.md) +AUTH-ORCH-34-001 | TODO | Introduce `Orch.Admin` role with quota/backfill scopes, enforce audit reason on quota changes, and update offline defaults/docs. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) +AUTH-PACKS-41-001 | TODO | Define CLI SSO profiles and pack scopes (`Packs.Read`, `Packs.Write`, `Packs.Run`, `Packs.Approve`), update discovery metadata, offline defaults, and issuer templates. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) +AUTH-PACKS-43-001 | BLOCKED (2025-10-27) | Enforce pack signing policies, approval RBAC checks, CLI CI token scopes, and audit logging for approvals. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) + + +[Identity & Signing] 100.B) Authority.II +Depends on: Sprint 100.B - Authority.I +Summary: Identity & Signing focus on Authority (phase II). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +AUTH-POLICY-23-002 | BLOCKED (2025-10-29) | Implement optional two-person rule for activation: require two distinct `policy:activate` approvals when configured; emit audit logs. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) +AUTH-POLICY-23-003 | BLOCKED (2025-10-29) | Update documentation and sample configs for policy roles, approval workflow, and signing requirements. 
| Authority Core & Docs Guild (src/Authority/StellaOps.Authority/TASKS.md) +AUTH-POLICY-27-002 | TODO | Provide attestation signing service bindings (OIDC token exchange, cosign integration) and enforce publish/promote scope checks, fresh-auth requirements, and audit logging. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) +AUTH-POLICY-27-003 | TODO | Update Authority configuration/docs for Policy Studio roles, signing policies, approval workflows, and CLI integration; include compliance checklist. | Authority Core & Docs Guild (src/Authority/StellaOps.Authority/TASKS.md) +AUTH-TEN-49-001 | TODO | Implement service accounts & delegation tokens (`act` chain), per-tenant quotas, audit stream of auth decisions, and revocation APIs. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) +AUTH-VULN-29-001 | TODO | Define Vuln Explorer scopes/roles (`vuln:view`, `vuln:investigate`, `vuln:operate`, `vuln:audit`) with ABAC attributes (env, owner, business_tier) and update discovery metadata/offline kit defaults. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) +AUTH-VULN-29-002 | TODO | Enforce CSRF/anti-forgery tokens for workflow actions, sign attachment tokens, and record audit logs with ledger event hashes. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md) +AUTH-VULN-29-003 | TODO | Update security docs/config samples for Vuln Explorer roles, ABAC policies, attachment signing, and ledger verification guidance. | Authority Core & Docs Guild (src/Authority/StellaOps.Authority/TASKS.md) +PLG4-6.CAPABILITIES | BLOCKED (2025-10-12) | Finalise capability metadata exposure, config validation, and developer guide updates; remaining action is Docs polish/diagram export. 
| BE-Auth Plugin, Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md) +PLG6.DIAGRAM | TODO | Export final sequence/component diagrams for the developer guide and add offline-friendly assets under `docs/assets/authority`. | Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md) +PLG7.RFC | REVIEW | Socialize LDAP plugin RFC (`docs/rfcs/authority-plugin-ldap.md`) and capture guild feedback. | BE-Auth Plugin, Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md) +SEC2.PLG | BLOCKED (2025-10-21) | Emit audit events from password verification outcomes and persist via `IAuthorityLoginAttemptStore`.
⛔ Waiting on AUTH-DPOP-11-001 / AUTH-MTLS-11-002 / PLUGIN-DI-08-001 to stabilise Authority auth surfaces before final verification + publish. | Security Guild, Storage Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md) +SEC3.PLG | BLOCKED (2025-10-21) | Ensure lockout responses and rate-limit metadata flow through plugin logs/events (include retry-after).
⛔ Pending AUTH-DPOP-11-001 / AUTH-MTLS-11-002 / PLUGIN-DI-08-001 so limiter telemetry contract matches final authority surface. | Security Guild, BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md) +SEC5.PLG | BLOCKED (2025-10-21) | Address plugin-specific mitigations (bootstrap user handling, password policy docs) in threat model backlog.
⛔ Final documentation depends on AUTH-DPOP-11-001 / AUTH-MTLS-11-002 / PLUGIN-DI-08-001 outcomes. | Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md) + + +[Identity & Signing] 100.C) IssuerDirectory +Summary: Identity & Signing focus on IssuerDirectory. +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +ISSUER-30-001 | TODO | Implement issuer CRUD API with RBAC, audit logging, and tenant scoping; seed CSAF publisher metadata. | Issuer Directory Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md) +ISSUER-30-002 | TODO | Implement key management endpoints (add/rotate/revoke keys), enforce expiry, validate formats (Ed25519, X.509, DSSE). | Issuer Directory Guild, Security Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md) +ISSUER-30-003 | TODO | Provide trust weight APIs and tenant overrides with validation (+/- bounds) and audit trails. | Issuer Directory Guild, Policy Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md) +ISSUER-30-004 | TODO | Integrate with VEX Lens and Excitator signature verification (client SDK, caching, retries). | Issuer Directory Guild, VEX Lens Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md) +ISSUER-30-005 | TODO | Instrument metrics/logs (issuer changes, key rotation, verification failures) and dashboards/alerts. | Issuer Directory Guild, Observability Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md) +ISSUER-30-006 | TODO | Provide deployment manifests, backup/restore, secure secret storage, and offline kit instructions. | Issuer Directory Guild, DevOps Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md) + + +[Identity & Signing] 100.D) __Libraries +Summary: Identity & Signing focus on Libraries. +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +KMS-73-001 | TODO | Add cloud KMS driver (e.g., AWS KMS, GCP KMS) with signing and key metadata retrieval. 
| KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md) +KMS-73-002 | TODO | Implement PKCS#11/HSM driver plus FIDO2 signing support for high assurance workflows. | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md) + + +If all tasks are done - read next sprint section - SPRINT_110_ingestion_evidence.md diff --git a/docs/implplan/SPRINT_110_ingestion_evidence.md b/docs/implplan/SPRINT_110_ingestion_evidence.md new file mode 100644 index 00000000..9707a42b --- /dev/null +++ b/docs/implplan/SPRINT_110_ingestion_evidence.md 
@@ -0,0 +1,305 @@ +# Sprint 110 - Ingestion & Evidence + +[Ingestion & Evidence] 110.A) AdvisoryAI +Depends on: Sprint 100.A - Attestor +Summary: Ingestion & Evidence focus on AdvisoryAI). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +AIAI-31-001 | TODO | Implement structured and vector retrievers for advisories/VEX with paragraph anchors and citation metadata. | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) +AIAI-31-002 | TODO | Build SBOM context retriever (purl version timelines, dependency paths, env flags, blast radius estimator). | Advisory AI Guild, SBOM Service Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) +AIAI-31-003 | TODO | Implement deterministic toolset (version comparators, range checks, dependency analysis, policy lookup) exposed via orchestrator. | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) +AIAI-31-004 | TODO | Build orchestration pipeline for Summary/Conflict/Remediation tasks (prompt templates, tool calls, token budgets, caching). | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) +AIAI-31-005 | TODO | Implement guardrails (redaction, injection defense, output validation, citation enforcement) and fail-safe handling. | Advisory AI Guild, Security Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) +AIAI-31-006 | TODO | Expose REST API endpoints (`/advisory/ai/*`) with RBAC, rate limits, OpenAPI schemas, and batching support. | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) +AIAI-31-007 | TODO | Instrument metrics (`advisory_ai_latency`, `guardrail_blocks`, `validation_failures`, `citation_coverage`), logs, and traces; publish dashboards/alerts. | Advisory AI Guild, Observability Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) +AIAI-31-008 | TODO | Package inference on-prem container, remote inference toggle, Helm/Compose manifests, scaling guidance, offline kit instructions. 
| Advisory AI Guild, DevOps Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) +AIAI-31-009 | TODO | Develop unit/golden/property/perf tests, injection harness, and regression suite; ensure determinism with seeded caches. | Advisory AI Guild, QA Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md) + + +[Ingestion & Evidence] 110.B) Concelier.I +Depends on: Sprint 100.A - Attestor +Summary: Ingestion & Evidence focus on Concelier (phase I). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +CONCELIER-AIAI-31-001 `Paragraph anchors` | TODO | Expose advisory chunk API returning paragraph anchors, section metadata, and token-safe text for Advisory AI retrieval. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-AIAI-31-002 `Structured fields` | TODO | Ensure observation APIs expose upstream workaround/fix/CVSS fields with provenance; add caching for summary queries. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-AIAI-31-003 `Advisory AI telemetry` | TODO | Emit metrics/logs for chunk requests, cache hits, and guardrail blocks triggered by advisory payloads. | Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-AIRGAP-56-001 `Mirror ingestion adapters` | TODO | Add mirror source adapters reading advisories from imported bundles, preserving source metadata and bundle IDs. Ensure ingestion remains append-only. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-AIRGAP-56-002 `Bundle catalog linking` | TODO | Persist `bundle_id`, `merkle_root`, and time anchor references on observations/linksets for provenance. 
| Concelier Core Guild, AirGap Importer Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-AIRGAP-57-001 `Sealed-mode source restrictions` | TODO | Enforce sealed-mode egress rules by disallowing non-mirror connectors and surfacing remediation errors. | Concelier Core Guild, AirGap Policy Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-AIRGAP-57-002 `Staleness annotations` | TODO | Compute staleness metadata for advisories per bundle and expose via API for Console/CLI badges. | Concelier Core Guild, AirGap Time Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-AIRGAP-58-001 `Portable advisory evidence` | TODO | Package advisory evidence fragments into portable evidence bundles for cross-domain transfer. | Concelier Core Guild, Evidence Locker Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-ATTEST-73-001 `ScanResults attestation inputs` | TODO | Provide observation artifacts and linkset digests needed for ScanResults attestations (raw data + provenance, no merge outputs). | Concelier Core Guild, Attestor Service Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-ATTEST-73-002 `Transparency metadata` | TODO | Ensure Conseiller exposes source digests for transparency proofs and explainability. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-CONSOLE-23-001 `Advisory aggregation views` | TODO | Expose `/console/advisories` endpoints returning aggregation groups (per linkset) with source chips, provider-reported severity columns (no local consensus), and provenance metadata for Console list + dashboard cards. Support filters by source, ecosystem, published/modified window, tenant enforcement. 
| Concelier WebService Guild, BE-Base Platform Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-CONSOLE-23-002 `Dashboard deltas API` | TODO | Provide aggregated advisory delta counts (new, modified, conflicting) for Console dashboard + live status ticker; emit structured events for queue lag metrics. Ensure deterministic counts across repeated queries. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-CONSOLE-23-003 `Search fan-out helpers` | TODO | Deliver fast lookup endpoints for CVE/GHSA/purl search (linksets, observations) returning evidence fragments for Console global search; implement caching + scope guards. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-CORE-AOC-19-004 `Remove ingestion normalization` | DOING (2025-10-28) | Strip normalization/dedup/severity logic from ingestion pipelines, delegate derived computations to Policy Engine, and update exporters/tests to consume raw documents only.
2025-10-29 19:05Z: Audit completed for `AdvisoryRawService`/Mongo repo to confirm alias order/dedup removal persists; identified remaining normalization in observation/linkset factory that will be revised to surface raw duplicates for Policy ingestion. Change sketch + regression matrix drafted under `docs/dev/aoc-normalization-removal-notes.md` (pending commit).
2025-10-31 20:45Z: Added raw linkset projection to observations/storage, exposing canonical+raw views, refreshed fixtures/tests, and documented behaviour in models/doc factory.
2025-10-31 21:10Z: Coordinated with Policy Engine (POLICY-ENGINE-20-003) on adoption timeline; backfill + consumer readiness tracked in `docs/dev/raw-linkset-backfill-plan.md`. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-CORE-AOC-19-013 `Authority tenant scope smoke coverage` | TODO | Extend Concelier smoke/e2e fixtures to configure `requiredTenants` and assert cross-tenant rejection with updated Authority tokens. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) + + +[Ingestion & Evidence] 110.B) Concelier.II +Depends on: Sprint 110.B - Concelier.I +Summary: Ingestion & Evidence focus on Concelier (phase II). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +CONCELIER-GRAPH-21-001 `SBOM projection enrichment` | BLOCKED (2025-10-27) | Extend SBOM normalization to emit full relationship graph (depends_on/contains/provides), scope tags, entrypoint annotations, and component metadata required by Cartographer. | Concelier Core Guild, Cartographer Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-GRAPH-21-002 `Change events` | BLOCKED (2025-10-27) | Publish change events (new SBOM version, relationship delta) for Cartographer build queue; ensure events include tenant/context metadata. | Concelier Core Guild, Scheduler Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-GRAPH-24-101 `Advisory summary API` | TODO | Expose `/advisories/summary` returning raw linkset/observation metadata for overlay services; no derived severity or fix hints. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-GRAPH-28-102 `Evidence batch API` | TODO | Add batch fetch for advisory observations/linksets keyed by component sets to feed Graph overlay tooltips efficiently. 
| Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-LNM-21-001 `Advisory observation schema` | TODO | Introduce immutable `advisory_observations` model with AOC metadata, raw payload pointers, structured per-source fields (version ranges, severity, CVSS), and tenancy guardrails; publish schema definition. `DOCS-LNM-22-001` blocked pending this deliverable. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-LNM-21-002 `Linkset builder` | TODO | Implement correlation pipeline (alias graph, PURL overlap, CVSS vector equality, fuzzy title match) that produces `advisory_linksets` with confidence + conflict annotations. Docs note: unblock `DOCS-LNM-22-001` once builder lands. | Concelier Core Guild, Data Science Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-LNM-21-003 `Conflict annotator` | TODO | Detect field disagreements (severity, CVSS, ranges, references) and record structured conflicts on linksets; surface to API/UI. Docs awaiting structured conflict payloads. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-LNM-21-004 `Merge code removal` | TODO | Excise existing merge/dedup logic, enforce immutability on observations, and add guards/tests to prevent future merges. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-LNM-21-005 `Event emission` | TODO | Emit `advisory.linkset.updated` events with delta payloads for downstream Policy Engine/Cartographer consumers; ensure idempotent delivery. | Concelier Core Guild, Platform Events Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-LNM-21-101 `Observations collections` | TODO | Provision `advisory_observations` and `advisory_linksets` collections with hashed shard keys, TTL for ingest metadata, and required indexes (`aliases`, `purls`, `observation_ids`). 
| Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md) +CONCELIER-LNM-21-102 `Migration tooling` | TODO | Backfill legacy merged advisories into observation/linkset collections, create tombstones for merged docs, and supply rollback scripts. | Concelier Storage Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md) +CONCELIER-LNM-21-103 `Blob/store wiring` | TODO | Store large raw payloads in object storage with pointers from observations; update bootstrapper/offline kit to seed sample blobs. | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md) +CONCELIER-LNM-21-201 `Observation APIs` | TODO | Add REST endpoints for advisory observations (`GET /advisories/observations`) with filters (alias, purl, source), pagination, and tenancy enforcement. | Concelier WebService Guild, BE-Base Platform Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-LNM-21-202 `Linkset APIs` | TODO | Implement linkset read/export endpoints (`/advisories/linksets/{id}`, `/advisories/by-purl/{purl}`, `/advisories/linksets/{id}/export`, `/evidence`) with correlation/conflict payloads and `ERR_AGG_*` mapping. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-LNM-21-203 `Ingest events` | TODO | Publish NATS/Redis events for new observations/linksets and ensure idempotent consumer contracts; document event schemas. | Concelier WebService Guild, Platform Events Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) + + +[Ingestion & Evidence] 110.B) Concelier.III +Depends on: Sprint 110.B - Concelier.II +Summary: Ingestion & Evidence focus on Concelier (phase III). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +CONCELIER-OAS-61-001 `Spec coverage` | TODO | Update Concelier OAS with advisory observation/linkset endpoints, standard pagination, and source provenance fields. 
| Concelier Core Guild, API Contracts Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-OAS-61-002 `Examples library` | TODO | Provide rich examples for advisories, linksets, conflict annotations used by SDK + docs. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-OAS-62-001 `SDK smoke tests` | TODO | Add SDK tests covering advisory search, pagination, and conflict handling; ensure source metadata surfaced. | Concelier Core Guild, SDK Generator Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-OAS-63-001 `Deprecation headers` | TODO | Implement deprecation header support and timeline events for retiring endpoints. | Concelier Core Guild, API Governance Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-OBS-50-001 `Telemetry adoption` | TODO | Replace ad-hoc logging with telemetry core across ingestion/linking pipelines; ensure spans/logs include tenant, source vendor, upstream id, content hash, and trace IDs. | Concelier Core Guild, Observability Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-OBS-51-001 `Metrics & SLOs` | TODO | Emit metrics for ingest latency (cold/warm), queue depth, aoc violation rate, and publish SLO burn-rate alerts (ingest P95 <30s cold / <5s warm). Ship dashboards + alert configs. | Concelier Core Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-OBS-52-001 `Timeline events` | TODO | Emit `timeline_event` records for advisory ingest/normalization/linkset creation with provenance, trace IDs, conflict summaries, and evidence placeholders. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-OBS-53-001 `Evidence snapshots` | TODO | Produce advisory evaluation bundle payloads (raw doc, linkset, normalization diff) for evidence locker; ensure Merkle manifests seeded with content hashes. 
| Concelier Core Guild, Evidence Locker Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-OBS-54-001 `Attestation & verification` | TODO | Attach DSSE attestations for advisory processing batches, expose verification API to confirm bundle integrity, and link attestation IDs back to timeline + ledger. | Concelier Core Guild, Provenance Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-OBS-55-001 `Incident mode hooks` | TODO | Increase sampling, capture raw payload snapshots, and extend retention under incident mode; emit activation events + guardrails against PII leak. | Concelier Core Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-ORCH-32-001 `Source registry integration` | TODO | Register Concelier data sources with orchestrator (metadata, schedules, rate policies) and wire provenance IDs/security scopes. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-ORCH-32-002 `Worker SDK adoption` | TODO | Embed orchestrator worker SDK in ingestion loops, emit heartbeats/progress/artifact hashes, and enforce idempotency keys. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-ORCH-33-001 `Control hook compliance` | TODO | Honor orchestrator throttle/pause/retry actions, surface structured error classes, and persist safe checkpoints for resume. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-ORCH-34-001 `Backfill + ledger linkage` | TODO | Execute orchestrator-driven backfills, reuse artifact hashes to avoid duplicates, and link provenance to run ledger exports. 
| Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-POLICY-20-001 `Policy selection endpoints` | TODO | Add batch advisory lookup APIs (`/policy/select/advisories`, `/policy/select/vex`) optimized for PURL/ID lists with pagination, tenant scoping, and explain metadata. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) + + +[Ingestion & Evidence] 110.B) Concelier.IV +Depends on: Sprint 110.B - Concelier.III +Summary: Ingestion & Evidence focus on Concelier (phase IV). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +CONCELIER-POLICY-20-002 `Linkset enrichment for policy` | TODO | Strengthen linkset builders with vendor-specific equivalence tables, NEVRA/PURL normalization, and version range parsing to maximize policy join recall; update fixtures + docs. | Concelier Core Guild, Policy Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-POLICY-20-003 `Selection cursors` | TODO | Add advisory/vex selection cursors (per policy run) with change stream checkpoints, indexes, and offline migration scripts to support incremental evaluations. | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md) +CONCELIER-POLICY-23-001 `Evidence indexes` | TODO | Add secondary indexes/materialized views to accelerate policy lookups (alias, provider severity per observation, correlation confidence). Document query contracts for runtime. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-POLICY-23-002 `Event guarantees` | TODO | Ensure `advisory.linkset.updated` emits at-least-once with idempotent keys and include policy-relevant metadata (confidence, conflict summary). 
| Concelier Core Guild, Platform Events Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-RISK-66-001 `CVSS/KEV providers` | TODO | Expose CVSS, KEV, fix availability data via provider APIs with source metadata preserved. | Concelier Core Guild, Risk Engine Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-RISK-66-002 `Fix availability signals` | TODO | Provide structured fix availability and release metadata consumable by risk engine; document provenance. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-RISK-67-001 `Source coverage metrics` | TODO | Add per-source coverage metrics for linked advisories (observation counts, conflicting statuses) without computing consensus scores; ensure explainability includes source digests. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-RISK-68-001 `Policy Studio integration` | TODO | Surface advisory fields in Policy Studio profile editor (signal pickers, reducers). | Concelier Core Guild, Policy Studio Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-RISK-69-001 `Notification hooks` | TODO | Emit events when advisory signals change impacting risk scores (e.g., fix available). | Concelier Core Guild, Notifications Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-SIG-26-001 `Vulnerable symbol exposure` | TODO | Expose advisory metadata (affected symbols/functions) via API to enrich reachability scoring; update fixtures. | Concelier Core Guild, Signals Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-STORE-AOC-19-005 `Raw linkset backfill` | TODO (2025-11-04) | Plan and execute advisory_observations `rawLinkset` backfill (online + Offline Kit bundles), supply migration scripts + rehearse rollback. Follow the coordination plan in `docs/dev/raw-linkset-backfill-plan.md`. 
| Concelier Storage Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md) +CONCELIER-TEN-48-001 `Tenant-aware linking` | TODO | Ensure advisory normalization/linking runs per tenant with RLS enforcing isolation; emit capability endpoint reporting `merge=false`; update events with tenant context. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md) +CONCELIER-VEXLENS-30-001 `Advisory rationale bridges` | TODO | Guarantee advisory key consistency and cross-links for consensus rationale; Label: VEX-Lens. | Concelier WebService Guild, VEX Lens Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-VULN-29-001 `Advisory key canonicalization` | TODO | Canonicalize (lossless) advisory identifiers (CVE/GHSA/vendor) into `advisory_key`, persist `links[]`, expose raw payload snapshots for Explorer evidence tabs; AOC-compliant: no merge, no derived fields, no suppression. Include migration/backfill scripts. | Concelier WebService Guild, Data Integrity Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-VULN-29-002 `Evidence retrieval API` | TODO | Provide `/vuln/evidence/advisories/{advisory_key}` returning raw advisory docs with provenance, filtering by tenant and source. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) + + +[Ingestion & Evidence] 110.B) Concelier.V +Depends on: Sprint 110.B - Concelier.IV +Summary: Ingestion & Evidence focus on Concelier (phase V). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +CONCELIER-VULN-29-004 `Observability enhancements` | TODO | Instrument metrics/logs for observation + linkset pipelines (identifier collisions, withdrawn flags) and emit events consumed by Vuln Explorer resolver. 
| Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-WEB-AIRGAP-56-001 `Mirror import APIs` | TODO | Extend ingestion endpoints to register mirror bundle sources, expose bundle catalog queries, and block external feed URLs in sealed mode. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-WEB-AIRGAP-56-002 `Airgap status surfaces` | TODO | Add staleness metadata and bundle provenance to advisory APIs (`/advisories/observations`, `/advisories/linksets`). | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-WEB-AIRGAP-57-001 `Error remediation` | TODO | Map sealed-mode violations to `AIRGAP_EGRESS_BLOCKED` responses with user guidance. | Concelier WebService Guild, AirGap Policy Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-WEB-AIRGAP-58-001 `Import timeline emission` | TODO | Emit timeline events for bundle ingestion operations with bundle ID, scope, and actor metadata. | Concelier WebService Guild, AirGap Importer Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-WEB-AOC-19-002 `AOC observability` | TODO | Emit `ingestion_write_total`, `aoc_violation_total`, latency histograms, and tracing spans (`ingest.fetch/transform/write`, `aoc.guard`). Wire structured logging to include tenant, source vendor, upstream id, and content hash. | Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-WEB-AOC-19-003 `Schema/guard unit tests` | TODO | Add unit tests covering schema validation failures, forbidden field rejections (`ERR_AOC_001/002/006/007`), idempotent upserts, and supersedes chains using deterministic fixtures. 
| QA Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-WEB-AOC-19-004 `End-to-end ingest verification` | TODO | Create integration tests ingesting large advisory batches (cold/warm) validating linkset enrichment, metrics emission, and reproducible outputs. Capture load-test scripts + doc notes for Offline Kit dry runs. | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-WEB-OAS-61-001 `/.well-known/openapi` | TODO | Implement discovery endpoint emitting Concelier spec with version metadata and ETag. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-WEB-OAS-61-002 `Error envelope migration` | TODO | Ensure all API responses use standardized error envelope; update controllers/tests. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-WEB-OAS-62-001 `Examples expansion` | TODO | Add curated examples for advisory observations/linksets/conflicts; integrate into dev portal. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-WEB-OAS-63-001 `Deprecation headers` | TODO | Add Sunset/Deprecation headers for retiring endpoints and update documentation/notifications. | Concelier WebService Guild, API Governance Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-WEB-OBS-50-001 `Telemetry adoption` | TODO | Adopt telemetry core in web service host, ensure ingest + read endpoints emit trace/log fields (`tenant_id`, `route`, `decision_effect`), and add correlation IDs to responses. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-WEB-OBS-51-001 `Observability APIs` | TODO | Surface ingest health metrics, queue depth, and SLO status via `/obs/concelier/health` endpoint for Console widgets, with caching and tenant partitioning. 
| Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-WEB-OBS-52-001 `Timeline streaming` | TODO | Provide SSE stream `/obs/concelier/timeline` bridging to Timeline Indexer with paging tokens, guardrails, and audit logging. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) + + +[Ingestion & Evidence] 110.B) Concelier.VI +Depends on: Sprint 110.B - Concelier.V +Summary: Ingestion & Evidence focus on Concelier (phase VI). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +CONCELIER-WEB-OBS-53-001 `Evidence locker integration` | TODO | Add `/evidence/advisories/*` routes invoking evidence locker snapshots, verifying tenant scopes (`evidence:read`), and returning signed manifest metadata. | Concelier WebService Guild, Evidence Locker Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-WEB-OBS-54-001 `Attestation exposure` | TODO | Provide `/attestations/advisories/*` read APIs surfacing DSSE status, verification summary, and provenance chain for Console/CLI. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +CONCELIER-WEB-OBS-55-001 `Incident mode toggles` | TODO | Implement incident mode toggle endpoints, propagate to orchestrator/locker, and document cooldown/backoff semantics. | Concelier WebService Guild, DevOps Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md) +FEEDCONN-CCCS-02-009 Version range provenance (Oct 2025) | BE-Conn-CCCS | **TODO (due 2025-10-21)** – Map CCCS advisories into the new `advisory_observations.affected.versions[]` structure, preserving each upstream range with provenance anchors (`cccs:{serial}:{index}`) and normalized comparison keys. Update mapper tests/fixtures for the Link-Not-Merge schema and verify linkset builders consume the ranges without relying on legacy merge counters.
2025-10-29: `docs/dev/normalized-rule-recipes.md` now documents helper snippets for building observation version entries—use them instead of merge-specific builders and refresh fixtures with `UPDATE_CCCS_FIXTURES=1`. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs/TASKS.md) +FEEDCONN-CERTBUND-02-010 Version range provenance | BE-Conn-CERTBUND | **TODO (due 2025-10-22)** – Translate `product.Versions` phrases (e.g., `2023.1 bis 2024.2`, `alle`) into comparison helpers for `advisory_observations.affected.versions[]`, capturing provenance (`certbund:{advisoryId}:{vendor}`) and localisation notes. Update mapper/tests for the Link-Not-Merge schema and refresh documentation accordingly. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund/TASKS.md) +FEEDCONN-CISCO-02-009 SemVer range provenance | BE-Conn-Cisco | **TODO (due 2025-10-21)** – Emit Cisco SemVer ranges into `advisory_observations.affected.versions[]` with provenance identifiers (`cisco:{productId}`) and deterministic comparison keys. Update mapper/tests for the Link-Not-Merge schema and replace legacy merge counter checks with observation/linkset validation. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco/TASKS.md) +FEEDCONN-ICSCISA-02-012 Version range provenance | BE-Conn-ICS-CISA | **TODO (due 2025-10-23)** – Promote existing firmware/semver data into `advisory_observations.affected.versions[]` entries with deterministic comparison keys and provenance identifiers (`ics-cisa:{advisoryId}:{product}`). Add regression coverage for mixed firmware strings and raise a Models ticket only when observation schema needs a new comparison helper.
2025-10-29: Follow `docs/dev/normalized-rule-recipes.md` §2 to build observation version entries and log failures without invoking the retired merge helpers. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Cisa/TASKS.md) +FEEDCONN-KISA-02-008 Firmware range provenance | BE-Conn-KISA, Models | **TODO (due 2025-10-24)** – Define comparison helpers for Hangul-labelled firmware ranges (`XFU 1.0.1.0084 ~ 2.0.1.0034`) and map them into `advisory_observations.affected.versions[]` with provenance tags. Coordinate with Models only if a new comparison scheme is required, then update localisation notes and fixtures for the Link-Not-Merge schema. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kisa/TASKS.md) +FEEDCONN-SHARED-STATE-003 Source state seeding helper | Tools Guild, BE-Conn-MSRC | **DOING (2025-10-19)** – Provide a reusable CLI/utility to seed `pendingDocuments`/`pendingMappings` for connectors (MSRC backfills require scripted CVRF + detail injection). Coordinate with MSRC team for expected JSON schema and handoff once prototype lands. Prereqs confirmed none (2025-10-19). | Tools (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Common/TASKS.md) +FEEDMERGE-COORD-02-901 Connector deadline check-ins | BE-Merge | **TODO (due 2025-10-21)** – Confirm Cccs/Cisco version-provenance updates land, capture `LinksetVersionCoverage` dashboard snapshots (expect zero missing-range warnings), and update coordination docs with the results.
2025-10-29: Observation metrics now surface `version_entries_total`/`missing_version_entries_total`; include screenshots for both when closing this task. | FEEDMERGE-COORD-02-900 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) +FEEDMERGE-COORD-02-902 ICS-CISA version comparison support | BE-Merge, Models | **TODO (due 2025-10-23)** – Review ICS-CISA sample advisories, validate reuse of existing comparison helpers, and pre-stage Models ticket template only if a new firmware comparator is required. Document the outcome and observation coverage logs in coordination docs + tracker files.
2025-10-29: `docs/dev/normalized-rule-recipes.md` (§2–§3) now covers observation entries; attach decision summary + log sample when handing off to Models. | FEEDMERGE-COORD-02-900 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) +FEEDMERGE-COORD-02-903 KISA firmware scheme review | BE-Merge, Models | **TODO (due 2025-10-24)** – Pair with KISA team on proposed firmware comparison helper (`kisa.build` or variant), ensure observation mapper alignment, and open Models ticket only if a new comparator is required. Log the final helper signature and observation coverage metrics in coordination docs + tracker files. | FEEDMERGE-COORD-02-900 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) +Fixture validation sweep | QA | **DOING (2025-10-19)** – Prereqs confirmed none; continuing RHSA fixture regeneration and diff review alongside mapper provenance updates.
2025-10-29: Added `scripts/update-redhat-fixtures.sh` to regenerate golden snapshots with `UPDATE_GOLDENS=1`; run it before reviews to capture CSAF contract deltas. | None (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.RedHat/TASKS.md) +Link-Not-Merge version provenance coordination | BE-Merge | **DOING** – Coordinate remaining connectors (`Acsc`, `Cccs`, `CertBund`, `CertCc`, `Cve`, `Ghsa`, `Ics.Cisa`, `Kisa`, `Ru.Bdu`, `Ru.Nkcki`, `Vndr.Apple`, `Vndr.Cisco`, `Vndr.Msrc`) so they emit `advisory_observations.affected.versions[]` entries with provenance tags and deterministic comparison keys. Track rollout status in `docs/dev/normalized-rule-recipes.md` (now updated for Link-Not-Merge) and retire the legacy merge counters as coverage transitions to linkset validation metrics.
2025-10-29: Added new guidance in the doc for recording observation version metadata and logging gaps via `LinksetVersionCoverage` warnings to replace prior `concelier.merge.normalized_rules*` alerts. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) +MERGE-LNM-21-001 Migration plan authoring | BE-Merge, Architecture Guild | Draft `no-merge` migration playbook, documenting backfill strategy, feature flag rollout, and rollback steps for legacy merge pipeline deprecation. | CONCELIER-LNM-21-101 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) + + +[Ingestion & Evidence] 110.B) Concelier.VII +Depends on: Sprint 110.B - Concelier.VI +Summary: Ingestion & Evidence focus on Concelier (phase VII). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +MERGE-LNM-21-002 Merge service deprecation | BE-Merge | Refactor or retire `AdvisoryMergeService` and related pipelines, ensuring callers transition to observation/linkset APIs; add compile-time analyzer preventing merge service usage. | MERGE-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) +MERGE-LNM-21-003 Determinism/test updates | QA Guild, BE-Merge | Replace merge determinism suites with observation/linkset regression tests verifying no data mutation and conflicts remain visible. | MERGE-LNM-21-002 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md) + + +[Ingestion & Evidence] 110.C) Excititor.I +Depends on: Sprint 100.A - Attestor +Summary: Ingestion & Evidence focus on Excititor (phase I). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +EXCITITOR-AIAI-31-001 `Justification enrichment` | TODO | Expose normalized VEX justifications, product trees, and paragraph anchors for Advisory AI conflict explanations. 
| Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-AIAI-31-002 `VEX chunk API` | TODO | Provide `/vex/evidence/chunks` endpoint returning tenant-scoped VEX statements with signature metadata and scope scores for RAG. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-AIAI-31-003 `Telemetry` | TODO | Emit metrics/logs for VEX chunk usage, signature verification failures, and guardrail triggers. | Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-AIRGAP-56-001 `Mirror ingestion adapters` | TODO | Add mirror-based VEX ingestion, preserving statement digests and bundle IDs. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-AIRGAP-56-002 `Bundle provenance` | TODO | Persist bundle metadata on VEX observations/linksets with provenance references. | Excititor Core Guild, AirGap Importer Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-AIRGAP-57-001 `Sealed-mode enforcement` | TODO | Block non-mirror connectors in sealed mode and surface remediation errors. | Excititor Core Guild, AirGap Policy Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-AIRGAP-57-002 `Staleness annotations` | TODO | Annotate VEX statements with staleness metrics and expose via API. | Excititor Core Guild, AirGap Time Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-AIRGAP-58-001 `Portable VEX evidence` | TODO | Package VEX evidence segments into portable evidence bundles linked to timeline. | Excititor Core Guild, Evidence Locker Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-ATTEST-01-003 – Verification suite & observability | Team Excititor Attestation | DOING (2025-10-22) – Continuing implementation: build `IVexAttestationVerifier`, wire metrics/logging, and add regression tests. 
Draft plan in `EXCITITOR-ATTEST-01-003-plan.md` (2025-10-19) guides scope; updating with worknotes as progress lands.
2025-10-31: Verifier now tolerates duplicate source providers from AOC raw projections, downgrades offline Rekor verification to a degraded result, and enforces trusted signer registry checks with detailed diagnostics/tests. | EXCITITOR-ATTEST-01-002 (src/Excititor/__Libraries/StellaOps.Excititor.Attestation/TASKS.md) +EXCITITOR-ATTEST-73-001 `VEX attestation payloads` | TODO | Provide VEX statement metadata (supplier identity, justification, scope) required for VEXAttestation payloads. | Excititor Core Guild, Attestation Payloads Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-ATTEST-73-002 `Chain provenance` | TODO | Expose linkage from VEX statements to subject/product for chain of custody graph. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-CONN-MS-01-003 – Trust metadata & provenance hints | Team Excititor Connectors – MSRC | TODO – Emit cosign/AAD issuer metadata, attach provenance details, and document policy integration. | EXCITITOR-CONN-MS-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/TASKS.md) +EXCITITOR-CONN-ORACLE-01-003 – Trust provenance enrichment | Team Excititor Connectors – Oracle | TODO – Emit Oracle signing metadata (PGP/cosign fingerprint list, issuer trust tier) into raw provenance so downstream services can evaluate trust. Connector must not apply consensus weighting during ingestion. | EXCITITOR-CONN-ORACLE-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md) +EXCITITOR-CONN-STELLA-07-002 | TODO | Parse mirror bundles into raw `VexClaim` batches, preserving original provider metadata and mirror provenance without applying consensus or weighting. 
| Excititor Connectors – Stella (src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md) +EXCITITOR-CONN-STELLA-07-003 | TODO | Implement incremental cursor handling per-export digest for raw claim replays, support resume, and document configuration for downstream Excititor mirrors. | Excititor Connectors – Stella (src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md) + + +[Ingestion & Evidence] 110.C) Excititor.II +Depends on: Sprint 110.C - Excititor.I +Summary: Ingestion & Evidence focus on Excititor (phase II). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +EXCITITOR-CONN-SUSE-01-003 – Trust metadata provenance | Team Excititor Connectors – SUSE | TODO – Emit provider trust configuration (signer fingerprints, trust tier notes) into the raw provenance envelope so downstream VEX Lens/Policy components can weigh issuers. Connector must not apply weighting or consensus inside ingestion. | EXCITITOR-CONN-SUSE-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md) +EXCITITOR-CONN-UBUNTU-01-003 – Trust provenance enrichment | Team Excititor Connectors – Ubuntu | TODO – Emit Ubuntu signing metadata (GPG fingerprints, issuer trust tier) inside raw provenance artifacts so downstream Policy/VEX Lens consumers can weigh issuers. Connector must remain aggregation-only with no inline weighting. | EXCITITOR-CONN-UBUNTU-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md) +EXCITITOR-CONSOLE-23-001 `VEX aggregation views` | TODO | Expose `/console/vex` endpoints returning grouped VEX statements per advisory/component with status chips, justification metadata, precedence trace pointers, and tenant-scoped filters for Console explorer. 
| Excititor WebService Guild, BE-Base Platform Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-CONSOLE-23-002 `Dashboard VEX deltas` | TODO | Provide aggregated counts for VEX overrides (new, not_affected, revoked) powering Console dashboard + live status ticker; emit metrics for policy explain integration. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-CONSOLE-23-003 `VEX search helpers` | TODO | Deliver rapid lookup endpoints of VEX by advisory/component for Console global search; ensure response includes provenance and precedence context; include caching and RBAC. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-CORE-AOC-19-002 `VEX linkset extraction` | TODO | Implement deterministic extraction of advisory IDs, component PURLs, and references into `linkset`, capturing reconciled-from metadata for traceability. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-CORE-AOC-19-003 `Idempotent VEX raw upsert` | TODO | Enforce `(vendor, upstreamId, contentHash, tenant)` uniqueness, generate supersedes chains, and ensure append-only versioning of raw VEX documents. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-CORE-AOC-19-004 `Remove ingestion consensus` | TODO | Excise consensus/merge/severity logic from Excititor ingestion paths, updating exports/tests to rely on Policy Engine materializations instead. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-CORE-AOC-19-013 `Authority tenant scope smoke coverage` | TODO | Update Excititor smoke/e2e suites to seed tenant-aware Authority clients and ensure cross-tenant VEX ingestion is rejected. 
| Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-GRAPH-21-001 `Inspector linkouts` | BLOCKED (2025-10-27) | Provide batched VEX/advisory reference fetches keyed by graph node PURLs so UI inspector can display raw documents and justification metadata. | Excititor Core Guild, Cartographer Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-GRAPH-21-002 `Overlay enrichment` | BLOCKED (2025-10-27) | Ensure overlay metadata includes VEX justification summaries and document versions for Cartographer overlays; update fixtures/tests. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-GRAPH-21-005 `Inspector indexes` | BLOCKED (2025-10-27) | Add indexes/materialized views for VEX lookups by PURL/policy to support Cartographer inspector performance; document migrations. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) +EXCITITOR-GRAPH-24-101 `VEX summary API` | TODO | Provide endpoints delivering VEX status summaries per component/asset for Vuln Explorer integration. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-GRAPH-24-102 `Evidence batch API` | TODO | Add batch VEX observation retrieval optimized for Graph overlays/tooltips. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-LNM-21-001 `VEX observation model` | TODO | Define immutable `vex_observations` schema capturing raw statements, product PURLs, justification, and AOC metadata. `DOCS-LNM-22-002` blocked pending this schema. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) + + +[Ingestion & Evidence] 110.C) Excititor.III +Depends on: Sprint 110.C - Excititor.II +Summary: Ingestion & Evidence focus on Excititor (phase III). 
+Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +EXCITITOR-LNM-21-002 `Linkset correlator` | TODO | Build correlation pipeline combining alias + product PURL signals to form `vex_linksets` with confidence metrics. Docs waiting to finalize VEX aggregation guide. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-LNM-21-003 `Conflict annotator` | TODO | Record status/justification disagreements within linksets and expose structured conflicts. Provide structured payloads for `DOCS-LNM-22-002`. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-LNM-21-004 `Merge removal` | TODO | Remove legacy VEX merge logic, enforce immutability, and add guards/tests to prevent future merges. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-LNM-21-005 `Event emission` | TODO | Emit `vex.linkset.updated` events for downstream consumers with delta descriptions and tenant context. | Excititor Core Guild, Platform Events Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-LNM-21-101 `Observations collections` | TODO | Provision `vex_observations`/`vex_linksets` collections with shard keys, indexes over aliases & product PURLs, and multi-tenant guards. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) +EXCITITOR-LNM-21-102 `Migration/backfill` | TODO | Backfill legacy merged VEX docs into observations/linksets, add provenance notes, and produce rollback scripts. | Excititor Storage Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) +EXCITITOR-LNM-21-201 `Observation APIs` | TODO | Add VEX observation read endpoints with filters, pagination, RBAC, and tenant scoping. 
| Excititor WebService Guild, BE-Base Platform Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-LNM-21-202 `Linkset APIs` | TODO | Implement linkset read/export/evidence endpoints returning correlation/conflict payloads and map errors to `ERR_AGG_*`. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-LNM-21-203 `Event publishing` | TODO | Publish `vex.linkset.updated` events, document schema, and ensure idempotent delivery. | Excititor WebService Guild, Platform Events Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-OAS-61-001 `Spec coverage` | TODO | Update VEX OAS to include observation/linkset endpoints with provenance fields and examples. | Excititor Core Guild, API Contracts Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-OAS-61-002 `Example catalog` | TODO | Provide examples for VEX justifications, statuses, conflicts; ensure SDK docs reference them. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-OAS-62-001 `SDK smoke tests` | TODO | Add SDK scenarios for VEX observation queries and conflict handling to language smoke suites. | Excititor Core Guild, SDK Generator Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-OAS-63-001 `Deprecation headers` | TODO | Add deprecation metadata and notifications for legacy VEX routes. | Excititor Core Guild, API Governance Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-OBS-50-001 `Telemetry adoption` | TODO | Integrate telemetry core across VEX ingestion/linking, ensuring spans/logs capture tenant, product scope, upstream id, justification hash, and trace IDs. 
| Excititor Core Guild, Observability Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-OBS-51-001 `Metrics & SLOs` | TODO | Publish metrics for VEX ingest latency, scope resolution success, conflict rate, signature verification failures. Define SLOs (link latency P95 <30s) and configure burn-rate alerts. | Excititor Core Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) + + +[Ingestion & Evidence] 110.C) Excititor.IV +Depends on: Sprint 110.C - Excititor.III +Summary: Ingestion & Evidence focus on Excititor (phase IV). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +EXCITITOR-OBS-52-001 `Timeline events` | TODO | Emit `timeline_event` entries for VEX ingest/linking/outcome changes with trace IDs, justification summaries, and evidence placeholders. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-OBS-53-001 `Evidence snapshots` | TODO | Build evidence payloads for VEX statements (raw doc, normalization diff, precedence notes) and push to evidence locker with Merkle manifests. | Excititor Core Guild, Evidence Locker Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-OBS-54-001 `Attestation & verification` | TODO | Attach DSSE attestations to VEX batch processing, verify chain-of-custody via Provenance library, and link attestation IDs to timeline + ledger. | Excititor Core Guild, Provenance Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-OBS-55-001 `Incident mode` | TODO | Implement incident sampling bump, additional raw payload retention, and activation events for VEX pipelines with redaction guard rails. 
| Excititor Core Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-ORCH-32-001 `Worker SDK adoption` | TODO | Integrate orchestrator worker SDK in Excititor ingestion jobs, emit heartbeats/progress/artifact hashes, and register source metadata. | Excititor Worker Guild (src/Excititor/StellaOps.Excititor.Worker/TASKS.md) +EXCITITOR-ORCH-33-001 `Control compliance` | TODO | Honor orchestrator pause/throttle/retry actions, classify error outputs, and persist restart checkpoints. | Excititor Worker Guild (src/Excititor/StellaOps.Excititor.Worker/TASKS.md) +EXCITITOR-ORCH-34-001 `Backfill & circuit breaker` | TODO | Implement orchestrator-driven backfills, apply circuit breaker reset rules, and ensure artifact dedupe alignment. | Excititor Worker Guild (src/Excititor/StellaOps.Excititor.Worker/TASKS.md) +EXCITITOR-POLICY-02-002 – Diagnostics for scoring signals | Team Excititor Policy | BACKLOG – Update diagnostics reports to surface missing severity/KEV/EPSS mappings, coefficient overrides, and provide actionable recommendations for policy tuning. | EXCITITOR-POLICY-02-001 (src/Excititor/__Libraries/StellaOps.Excititor.Policy/TASKS.md) +EXCITITOR-POLICY-20-001 `Policy selection endpoints` | TODO | Provide VEX lookup APIs supporting PURL/advisory batching, scope filtering, and tenant enforcement with deterministic ordering + pagination. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-POLICY-20-002 `Scope-aware linksets` | TODO | Enhance VEX linkset extraction with scope resolution (product/component) + version range matching to boost policy join accuracy; refresh fixtures/tests. | Excititor Core Guild, Policy Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-POLICY-20-003 `Selection cursors` | TODO | Introduce VEX selection cursor collections + indexes powering incremental policy runs; bundle change-stream checkpoint migrations and Offline Kit tooling. 
| Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) +EXCITITOR-POLICY-23-001 `Evidence indexes` | TODO | Provide indexes/materialized views for policy runtime (status, justification, product PURL) to accelerate queries; document contract. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-POLICY-23-002 `Event guarantees` | TODO | Ensure `vex.linkset.updated` events include correlation confidence, conflict summaries, and idempotent ids for evaluator consumption. | Excititor Core Guild, Platform Events Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-RISK-66-001 `VEX gate provider` | TODO | Supply VEX status and justification data for risk engine gating with full source provenance. | Excititor Core Guild, Risk Engine Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-RISK-66-002 `Reachability inputs` | TODO | Provide component/product scoping metadata enabling reachability and runtime factor mapping. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) + + +[Ingestion & Evidence] 110.C) Excititor.V +Depends on: Sprint 110.C - Excititor.IV +Summary: Ingestion & Evidence focus on Excititor (phase V). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +EXCITITOR-RISK-67-001 `Explainability metadata` | TODO | Include VEX justification, status reasoning, and source digests in explainability artifacts. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-RISK-68-001 `Policy Studio integration` | TODO | Surface VEX-specific gates/weights within profile editor UI and validation messages. 
| Excititor Core Guild, Policy Studio Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-SIG-26-001 `Vendor exploitability hints` | TODO | Surface vendor-provided exploitability indicators and affected symbol lists to Signals service via projection endpoints. | Excititor Core Guild, Signals Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-STORE-AOC-19-001 `vex_raw schema validator` | TODO | Define Mongo JSON schema for `vex_raw` enforcing required fields and forbidding derived/consensus/severity fields. Ship unit tests with Mongo2Go to validate rejects. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) +EXCITITOR-STORE-AOC-19-002 `idempotency unique index` | TODO | Create `(source.vendor, upstream.upstream_id, upstream.content_hash, tenant)` unique index with backfill checker, updating migrations + bootstrapper for offline installs. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) +EXCITITOR-STORE-AOC-19-003 `append-only migration plan` | TODO | Migrate legacy consensus collections to `_backup_*`, seed supersedes chain for raw docs, and document rollback path + dry-run verification. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) +EXCITITOR-STORE-AOC-19-004 `validator deployment docset` | TODO | Update migration runbooks and Offline Kit packaging to bundle schema validator scripts, with smoke instructions for air-gapped clusters. | Excititor Storage Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md) +EXCITITOR-TEN-48-001 `Tenant-aware VEX linking` | TODO | Apply tenant context to VEX linkers, enable RLS, and expose capability endpoint confirming aggregation-only behavior. 
| Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md) +EXCITITOR-VEXLENS-30-001 `VEX evidence enrichers` | TODO | Include issuer hints, signatures, and product trees in evidence payloads for VEX Lens; Label: VEX-Lens. | Excititor WebService Guild, VEX Lens Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-VULN-29-001 `VEX key canonicalization` | TODO | Canonicalize (lossless) VEX advisory/product keys (map to `advisory_key`, capture product scopes); expose original sources in `links[]`; AOC-compliant: no merge, no derived fields, no suppression; backfill existing records. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-VULN-29-002 `Evidence retrieval` | TODO | Provide `/vuln/evidence/vex/{advisory_key}` returning raw VEX statements filtered by tenant/product scope for Explorer evidence tabs. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-VULN-29-004 `Observability` | TODO | Add metrics/logs for VEX normalization, suppression scopes, withdrawn statements; emit events consumed by Vuln Explorer resolver. | Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-WEB-AIRGAP-56-001 | TODO | Support mirror bundle registration via APIs, expose bundle provenance in VEX responses, and block external connectors in sealed mode. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-WEB-AIRGAP-56-002 | TODO | Return VEX staleness metrics and time anchor info in API responses for Console/CLI use. | Excititor WebService Guild, AirGap Time Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-WEB-AIRGAP-57-001 | TODO | Map sealed-mode violations to standardized error payload with remediation guidance. 
| Excititor WebService Guild, AirGap Policy Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) + + +[Ingestion & Evidence] 110.C) Excititor.VI +Depends on: Sprint 110.C - Excititor.V +Summary: Ingestion & Evidence focus on Excititor (phase VI). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +EXCITITOR-WEB-AIRGAP-58-001 | TODO | Emit timeline events for VEX bundle imports with bundle ID, scope, and actor metadata. | Excititor WebService Guild, AirGap Importer Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-WEB-AOC-19-001 `Raw VEX ingestion APIs` | TODO | Implement `POST /ingest/vex`, `GET /vex/raw*`, and `POST /aoc/verify` endpoints. Enforce Authority scopes, tenant injection, and guard pipeline to ensure only immutable VEX facts are persisted. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-WEB-AOC-19-002 `AOC observability + metrics` | TODO | Export metrics (`ingestion_write_total`, `aoc_violation_total`, signature verification counters) and tracing spans matching Conseiller naming. Ensure structured logging includes tenant, source vendor, upstream id, and content hash. | Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-WEB-AOC-19-003 `Guard + schema test harness` | TODO | Add unit/integration tests for schema validation, forbidden field rejection (`ERR_AOC_001/006/007`), and supersedes behavior using CycloneDX-VEX & CSAF fixtures with deterministic expectations. | QA Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-WEB-AOC-19-004 `Batch ingest validation` | TODO | Build large fixture ingest covering mixed VEX statuses, verifying raw storage parity, metrics, and CLI `aoc verify` compatibility. Document load test/runbook updates. 
| Excititor WebService Guild, QA Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-WEB-OAS-61-001 | TODO | Implement `/.well-known/openapi` discovery endpoint with spec version metadata. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-WEB-OAS-61-002 | TODO | Standardize error envelope responses and update controller/unit tests. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-WEB-OAS-62-001 | TODO | Add curated examples for VEX observation/linkset endpoints and ensure portal displays them. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-WEB-OAS-63-001 | TODO | Emit deprecation headers and update docs for retiring VEX APIs. | Excititor WebService Guild, API Governance Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-WEB-OBS-50-001 `Telemetry adoption` | TODO | Adopt telemetry core for VEX APIs, ensure responses include trace IDs & correlation headers, and update structured logging for read endpoints. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-WEB-OBS-51-001 `Observability health endpoints` | TODO | Implement `/obs/excititor/health` summarizing ingest/link SLOs, signature failure counts, and conflict trends for Console dashboards. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-WEB-OBS-52-001 `Timeline streaming` | TODO | Provide SSE bridge for VEX timeline events with tenant filters, pagination, and guardrails. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-WEB-OBS-53-001 `Evidence APIs` | TODO | Expose `/evidence/vex/*` endpoints that fetch locker bundles, enforce scopes, and surface verification metadata. 
| Excititor WebService Guild, Evidence Locker Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-WEB-OBS-54-001 `Attestation APIs` | TODO | Add `/attestations/vex/*` endpoints returning DSSE verification state, builder identity, and chain-of-custody links. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) +EXCITITOR-WEB-OBS-55-001 `Incident mode toggles` | TODO | Provide incident mode API for VEX pipelines with activation audit logs and retention override previews. | Excititor WebService Guild, DevOps Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md) + + +[Ingestion & Evidence] 110.D) Mirror +Depends on: Sprint 100.A - Attestor +Summary: Ingestion & Evidence focus on Mirror). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +MIRROR-CRT-56-001 | TODO | Implement deterministic bundle assembler supporting advisories, VEX, policy packs with Zstandard compression and manifest generation. | Mirror Creator Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md) +MIRROR-CRT-56-002 | TODO | Integrate DSSE signing and TUF metadata generation (`root`, `snapshot`, `timestamp`, `targets`). | Mirror Creator Guild, Security Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md) +MIRROR-CRT-57-001 | TODO | Add optional OCI image collection producing oci-archive layout with digests recorded in manifest. | Mirror Creator Guild, DevOps Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md) +MIRROR-CRT-57-002 | TODO | Embed signed time anchor metadata (`meta/time-anchor.json`) sourced from trusted authority. | Mirror Creator Guild, AirGap Time Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md) +MIRROR-CRT-58-001 | TODO | Deliver CLI `stella mirror create | Mirror Creator Guild, CLI Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md) +MIRROR-CRT-58-002 | TODO | Integrate with Export Center scheduling to automate mirror bundle creation with audit logs. 
| Mirror Creator Guild, Exporter Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md) + + +If all tasks are done - read next sprint section - SPRINT_120_policy_reasoning.md diff --git a/docs/implplan/SPRINT_120_policy_reasoning.md b/docs/implplan/SPRINT_120_policy_reasoning.md new file mode 100644 index 00000000..ffa6e83f --- /dev/null +++ b/docs/implplan/SPRINT_120_policy_reasoning.md 
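Review bot: the MIRROR-CRT-58-001 row in the 110.D Mirror table is broken: the description `Deliver CLI \`stella mirror create` opens a code span that is never closed and the rest of the sentence is missing, so when the table renders the owners cell collides with the description column; complete the description and escape any `|` that belongs inside the code span as `\|`. Two smaller points in the same hunk: EXCITITOR-WEB-AOC-19-002 asks for tracing spans "matching Conseiller naming" while the module is spelled Concelier everywhere else in this patch (for example "Concelier Core Guild" in the SPRINT_120 tables), so the name should be corrected to avoid pointing at a non-existent convention; and the 110.D summary line has a stray closing parenthesis ("focus on Mirror)."). Since EXCITITOR-WEB-AIRGAP-57-001 promises a "standardized error payload" for sealed-mode violations, consider naming the error identifier it must emit, so that the Excititor payload and the Policy Engine's `AIRGAP_EGRESS_BLOCKED` (POLICY-AIRGAP-57-001 in the next file) are verifiably the same contract rather than two services each inventing their own.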
@@ -0,0 +1,287 @@ +# Sprint 120 - Policy & Reasoning + +[Policy & Reasoning] 120.A) AirGap +Depends on: Sprint 110.A - AdvisoryAI +Summary: Policy & Reasoning focus on AirGap). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +AIRGAP-POL-56-001 | TODO | Implement `StellaOps.AirGap.Policy` package exposing `EgressPolicy` facade with sealed/unsealed branches and remediation-friendly errors. | AirGap Policy Guild (src/AirGap/StellaOps.AirGap.Policy/TASKS.md) +AIRGAP-POL-56-002 | TODO | Create Roslyn analyzer/code fix warning on raw `HttpClient` usage outside approved wrappers; add CI integration. | AirGap Policy Guild, DevEx Guild (src/AirGap/StellaOps.AirGap.Policy/TASKS.md) +AIRGAP-POL-57-001 | TODO | Update core web services (Web, Exporter, Policy, Findings, Authority) to use `EgressPolicy`; ensure configuration wiring for sealed mode. | AirGap Policy Guild, BE-Base Platform Guild (src/AirGap/StellaOps.AirGap.Policy/TASKS.md) +AIRGAP-POL-57-002 | TODO | Implement Task Runner job plan validator rejecting network steps unless marked internal allow-list. | AirGap Policy Guild, Task Runner Guild (src/AirGap/StellaOps.AirGap.Policy/TASKS.md) +AIRGAP-POL-58-001 | TODO | Ensure Observability exporters only target local endpoints in sealed mode; disable remote sinks with warning. | AirGap Policy Guild, Observability Guild (src/AirGap/StellaOps.AirGap.Policy/TASKS.md) +AIRGAP-POL-58-002 | TODO | Add CLI sealed-mode guard that refuses commands needing egress and surfaces remediation. | AirGap Policy Guild, CLI Guild (src/AirGap/StellaOps.AirGap.Policy/TASKS.md) + + +[Policy & Reasoning] 120.B) Findings.I +Depends on: Sprint 110.A - AdvisoryAI +Summary: Policy & Reasoning focus on Findings (phase I). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +LEDGER-29-001 | TODO | Design ledger & projection schemas (tables/indexes), canonical JSON format, hashing strategy, and migrations. Publish schema doc + fixtures. 
| Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-29-002 | TODO | Implement ledger write API (`POST /vuln/ledger/events`) with validation, idempotency, hash chaining, and Merkle root computation job. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-29-003 | TODO | Build projector worker that derives `findings_projection` rows from ledger events + policy determinations; ensure idempotent replay keyed by `(tenant,finding_id,policy_version)`. | Findings Ledger Guild, Scheduler Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-29-004 | TODO | Integrate Policy Engine batch evaluation (baseline + simulate) with projector; cache rationale references. | Findings Ledger Guild, Policy Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-29-005 | TODO | Implement workflow mutation handlers (assign, comment, accept-risk, target-fix, verify-fix, reopen) producing ledger events with validation and attachments metadata. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-29-006 | TODO | Integrate attachment encryption (KMS envelope), signed URL issuance, CSRF protection hooks for Console. | Findings Ledger Guild, Security Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-29-007 | TODO | Instrument metrics (`ledger_write_latency`, `projection_lag_seconds`, `ledger_events_total`), structured logs, and Merkle anchoring alerts; publish dashboards. | Findings Ledger Guild, Observability Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-29-008 | TODO | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5M findings/tenant. | Findings Ledger Guild, QA Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-29-009 | TODO | Provide deployment manifests (Helm/Compose), backup/restore guidance, Merkle anchor externalization (optional), and offline kit instructions. 
| Findings Ledger Guild, DevOps Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-34-101 | TODO | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-AIRGAP-56-001 | TODO | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-AIRGAP-56-002 | TODO | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging. | Findings Ledger Guild, AirGap Time Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-AIRGAP-57-001 | TODO | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works. | Findings Ledger Guild, Evidence Locker Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-AIRGAP-58-001 | TODO | Emit timeline events for bundle import impacts (new findings, remediation changes) with sealed-mode context. | Findings Ledger Guild, AirGap Controller Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-ATTEST-73-001 | TODO | Persist pointers from findings to verification reports and attestation envelopes for explainability. | Findings Ledger Guild, Attestor Service Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) + + +[Policy & Reasoning] 120.B) Findings.II +Depends on: Sprint 120.B - Findings.I +Summary: Policy & Reasoning focus on Findings (phase II). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +LEDGER-ATTEST-73-002 | TODO | Enable search/filter in findings projections by verification result and attestation status. 
| Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-EXPORT-35-001 | TODO | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings aligned with export filters, including deterministic ordering and provenance metadata. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-OAS-61-001 | TODO | Expand Findings Ledger OAS to include projections, evidence lookups, and filter parameters with examples. | Findings Ledger Guild, API Contracts Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-OAS-61-002 | TODO | Implement `/.well-known/openapi` endpoint and ensure version metadata matches release. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-OAS-62-001 | TODO | Provide SDK test cases for findings pagination, filtering, evidence links; ensure typed models expose provenance. | Findings Ledger Guild, SDK Generator Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-OAS-63-001 | TODO | Support deprecation headers and Notifications for retiring finding endpoints. | Findings Ledger Guild, API Governance Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-OBS-50-001 | TODO | Integrate telemetry core within ledger writer/projector services, emitting structured logs and trace spans for ledger append, projector replay, and query APIs with tenant context. | Findings Ledger Guild, Observability Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-OBS-51-001 | TODO | Publish metrics for ledger latency, projector lag, event throughput, and policy evaluation linkage. Define SLOs (ledger append P95 < 1s, replay lag < 30s) with burn-rate alerts and dashboards. 
| Findings Ledger Guild, DevOps Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-OBS-52-001 | TODO | Emit timeline events for ledger writes and projector commits (`ledger.event.appended`, `ledger.projection.updated`) with trace ID, policy version, evidence bundle reference placeholders. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-OBS-53-001 | TODO | Persist evidence bundle references (evaluation/job capsules) alongside ledger entries, exposing lookup API linking findings to evidence manifests and timeline. | Findings Ledger Guild, Evidence Locker Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-OBS-54-001 | TODO | Verify attestation references for ledger-derived exports; expose `/ledger/attestations` endpoint returning DSSE verification state and chain-of-custody summary. | Findings Ledger Guild, Provenance Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-OBS-55-001 | TODO | Enhance incident mode to record additional replay diagnostics (lag traces, conflict snapshots) and extend retention while active. Emit activation events to timeline + notifier. | Findings Ledger Guild, DevOps Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-PACKS-42-001 | TODO | Provide snapshot/time-travel APIs and digestable exports for task pack simulation and CLI offline mode. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-RISK-66-001 | TODO | Add schema migrations for `risk_score`, `risk_severity`, `profile_version`, `explanation_id`, and supporting indexes. | Findings Ledger Guild, Risk Engine Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-RISK-66-002 | TODO | Implement deterministic upsert of scoring results keyed by finding hash/profile version with history audit. 
| Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) + + +[Policy & Reasoning] 120.B) Findings.III +Depends on: Sprint 120.B - Findings.II +Summary: Policy & Reasoning focus on Findings (phase III). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +LEDGER-RISK-67-001 | TODO | Expose query APIs for scored findings with score/severity filters, pagination, and explainability links. | Findings Ledger Guild, Risk Engine Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-RISK-68-001 | TODO | Enable export of scored findings and simulation results via Export Center integration. | Findings Ledger Guild, Export Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-RISK-69-001 | TODO | Emit metrics/dashboards for scoring latency, result freshness, severity distribution, provider gaps. | Findings Ledger Guild, Observability Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) +LEDGER-TEN-48-001 | TODO | Partition ledger tables by tenant/project, enable RLS, update queries/events, and stamp audit metadata. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md) + + +[Policy & Reasoning] 120.C) Policy.I +Depends on: Sprint 110.A - AdvisoryAI +Summary: Policy & Reasoning focus on Policy (phase I). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +EXPORT-CONSOLE-23-001 | TODO | Build evidence bundle/export generator producing signed manifests, CSV/JSON replay endpoints, and trace attachments; integrate with scheduler jobs and expose progress telemetry. | Policy Guild, Scheduler Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-AIRGAP-56-001 | TODO | Support policy pack imports from Mirror Bundles, track `bundle_id` metadata, and ensure deterministic caching. 
| Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-AIRGAP-56-002 | TODO | Export policy sub-bundles (`stella policy bundle export`) with DSSE signatures for outbound transfer. | Policy Guild, Policy Studio Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-AIRGAP-57-001 | TODO | Enforce sealed-mode guardrails in evaluation (no outbound fetch), surface `AIRGAP_EGRESS_BLOCKED` errors with remediation. | Policy Guild, AirGap Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-AIRGAP-57-002 | TODO | Annotate rule explanations with staleness information and fallback data (cached EPSS, vendor risk). | Policy Guild, AirGap Time Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-AIRGAP-58-001 | TODO | Emit notifications when policy packs near staleness thresholds or missing required bundles. | Policy Guild, Notifications Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-AOC-19-001 | TODO | Add Roslyn/CI lint preventing ingestion projects from referencing Policy merge/severity helpers; block forbidden writes at compile time. | Policy Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) +POLICY-AOC-19-002 | TODO | Enforce `effective_finding_*` write gate ensuring only Policy Engine identity can create/update materializations. | Policy Guild, Platform Security (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) +POLICY-AOC-19-003 | TODO | Update readers/processors to consume only `content.raw`, `identifiers`, and `linkset`. Remove dependencies on legacy normalized fields and refresh fixtures. | Policy Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) +POLICY-AOC-19-004 | TODO | Add regression tests ensuring policy derived outputs remain deterministic when ingesting revised raw docs (supersedes) and when violations occur. 
| Policy Guild, QA Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) +POLICY-ATTEST-73-001 | TODO | Introduce VerificationPolicy object: schema, persistence, versioning, and lifecycle. | Policy Guild, Attestor Service Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ATTEST-73-002 | TODO | Provide Policy Studio editor with validation, dry-run simulation, and version diff. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ATTEST-74-001 | TODO | Integrate verification policies into attestor verification pipeline with caching and waiver support. | Policy Guild, Attestor Service Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ATTEST-74-002 | TODO | Surface policy evaluations in Console verification reports with rule explanations. | Policy Guild, Console Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-CONSOLE-23-001 | TODO | Optimize findings/explain APIs for Console: cursor-based pagination at scale, global filter parameters (severity bands, policy version, time window), rule trace summarization, and aggregation hints for dashboard cards. Ensure deterministic ordering and expose provenance refs. | Policy Guild, BE-Base Platform Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) + + +[Policy & Reasoning] 120.C) Policy.II +Depends on: Sprint 120.C - Policy.I +Summary: Policy & Reasoning focus on Policy (phase II). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +POLICY-CONSOLE-23-002 | TODO | Produce simulation diff metadata (before/after counts, severity deltas, rule impact summaries) and approval state endpoints consumed by Console policy workspace; expose RBAC-aware status transitions. | Policy Guild, Product Ops (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-20-002 | BLOCKED (2025-10-26) | Build deterministic evaluator honoring lexical/priority order, first-match semantics, and safe value types (no wall-clock/network access). 
| Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-20-003 | TODO | Implement selection joiners resolving SBOM↔advisory↔VEX tuples using linksets and PURL equivalence tables, with deterministic batching. | Policy Guild, Concelier Core Guild, Excititor Core Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-20-004 | TODO | Ship materialization writer that upserts into `effective_finding_{policyId}` with append-only history, tenant scoping, and trace references. | Policy Guild, Platform Storage Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-20-005 | TODO | Enforce determinism guard banning wall-clock, RNG, and network usage during evaluation via static analysis + runtime sandbox. | Policy Guild, Security Engineering (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-20-006 | TODO | Implement incremental orchestrator reacting to advisory/vex/SBOM change streams and scheduling partial policy re-evaluations. | Policy Guild, Scheduler Worker Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-20-007 | TODO | Emit structured traces/logs of rule hits with sampling controls, metrics (`rules_fired_total`, `vex_overrides_total`), and expose explain trace exports. | Policy Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-20-008 | TODO | Add unit/property/golden/perf suites covering policy compilation, evaluation correctness, determinism, and SLA targets. | Policy Guild, QA Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-20-009 | TODO | Define Mongo schemas/indexes for `policies`, `policy_runs`, and `effective_finding_*`; implement migrations and tenant enforcement. | Policy Guild, Storage Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-27-001 | TODO | Extend compile outputs to include rule coverage metadata, symbol table, inline documentation, and rule index for editor autocomplete; persist deterministic hashes. 
| Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-27-002 | TODO | Enhance simulate endpoints to emit rule firing counts, heatmap aggregates, sampled explain traces with deterministic ordering, and delta summaries for quick/batch sims. | Policy Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-27-003 | TODO | Implement complexity/time limit enforcement with compiler scoring, configurable thresholds, and structured diagnostics (`ERR_POL_COMPLEXITY`). | Policy Guild, Security Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-27-004 | TODO | Update golden/property tests to cover new coverage metrics, symbol tables, explain traces, and complexity limits; provide fixtures for Registry/Console integration. | Policy Guild, QA Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-29-001 | TODO | Implement batch evaluation endpoint (`POST /policy/eval/batch`) returning determinations + rationale chain for sets of `(artifact,purl,version,advisory)` tuples; support pagination and cost budgets. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-29-002 | TODO | Provide streaming simulation API comparing two policy versions, returning per-finding deltas without writes; align determinism with Vuln Explorer simulation. | Policy Guild, Findings Ledger Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) + + +[Policy & Reasoning] 120.C) Policy.III +Depends on: Sprint 120.C - Policy.II +Summary: Policy & Reasoning focus on Policy (phase III). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +POLICY-ENGINE-29-003 | TODO | Surface path/scope awareness in determinations (signal optional/dev/test downgrade, runtime boost) for Vuln Explorer display. 
| Policy Guild, SBOM Service Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-29-004 | TODO | Add metrics/logs for batch evaluation (latency, queue depth) and simulation diff counts; update dashboards. | Policy Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-30-001 | TODO | Define overlay contract for graph nodes/edges (status, severity, rationale refs, path relevance), expose projection API for Cartographer, and document schema versioning. | Policy Guild, Cartographer Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-30-002 | TODO | Implement simulation bridge returning on-the-fly overlays for Cartographer/Graph Explorer when invoking Policy Engine simulate; ensure no writes and deterministic outputs. | Policy Guild, Cartographer Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-30-003 | TODO | Emit change events (`policy.effective.updated`) with graph-friendly payloads so Cartographer overlay worker refreshes nodes/edges within 2 minutes. | Policy Guild, Scheduler Guild, Cartographer Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-30-101 | TODO | Surface trust weighting configuration (issuer base weights, signature modifiers, recency decay, scope adjustments) for VEX Lens via Policy Studio + API; ensure deterministic evaluation. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-31-001 | TODO | Expose policy knobs for Advisory AI (trust presets, temperature, token limits, plan ranking weights, TTLs) via Policy Studio and config APIs. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-31-002 | TODO | Provide batch endpoint delivering policy context (thresholds, obligations) consumed by Advisory AI remediation planner. 
| Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-32-101 | TODO | Define orchestrator `policy_eval` job schema, idempotency keys, and enqueue hooks triggered by advisory/VEX/SBOM events. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-33-101 | TODO | Implement orchestrator-driven policy evaluation workers using SDK heartbeats, respecting throttles, and emitting SLO metrics. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-34-101 | TODO | Publish policy run ledger exports + SLO burn-rate metrics to orchestrator; ensure provenance chain links to Findings Ledger. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-35-201 | TODO | Expose deterministic policy snapshot API and evaluated findings stream keyed by policy version for exporter consumption. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-38-201 | TODO | Emit enriched policy violation events (decision rationale ids, risk bands) via orchestrator event bus for Notifications Studio. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-40-001 | TODO | Update severity/status evaluation pipelines to consume multiple source severities per linkset, supporting selection strategies (max, preferred source, policy-defined). | Policy Guild, Concelier Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-40-002 | TODO | Accept VEX linkset conflicts and provide rationale references in effective findings; ensure explain traces cite observation IDs. | Policy Guild, Excititor Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) + + +[Policy & Reasoning] 120.C) Policy.IV +Depends on: Sprint 120.C - Policy.III +Summary: Policy & Reasoning focus on Policy (phase IV). 
+Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +POLICY-ENGINE-40-003 | TODO | Provide API/SDK utilities for consumers (Web Scanner, Graph Explorer) to request policy decisions with source evidence summaries (top severity sources, conflict counts). | Policy Guild, Web Scanner Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-50-001 | TODO | Implement SPL compiler: validate YAML, canonicalize, produce signed bundle, store artifact in object storage, write `policy_revisions` with AOC metadata. | Policy Guild, Platform Security (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-50-002 | TODO | Build runtime evaluator executing compiled plans over advisory/vex linksets + SBOM asset metadata with deterministic caching (Redis) and fallback path. | Policy Guild, Runtime Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-50-003 | TODO | Implement evaluation/compilation metrics, tracing, and structured logs (`policy_eval_seconds`, `policy_compiles_total`, explanation sampling). | Policy Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-50-004 | TODO | Build event pipeline: subscribe to linkset/SBOM updates, schedule re-eval jobs, emit `policy.effective.updated` events with diff metadata. | Policy Guild, Platform Events Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-50-005 | TODO | Design and implement `policy_packs`, `policy_revisions`, `policy_runs`, `policy_artifacts` collections with indexes, TTL, and tenant scoping. | Policy Guild, Storage Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-50-006 | TODO | Implement explainer persistence + retrieval APIs linking decisions to explanation tree and AOC chain. | Policy Guild, QA Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-50-007 | TODO | Provide evaluation worker host/DI wiring and job orchestration hooks for batch re-evaluations after policy activation. 
| Policy Guild, Scheduler Worker Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-60-001 | TODO | Maintain Redis effective decision maps per asset/snapshot for Graph overlays; implement versioning and eviction strategy. | Policy Guild, SBOM Service Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-60-002 | TODO | Expose simulation bridge for Graph What-if APIs, supporting hypothetical SBOM diffs and draft policies without persisting results. | Policy Guild, BE-Base Platform Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-70-002 | TODO | Design and create Mongo collections (`exceptions`, `exception_reviews`, `exception_bindings`) with indexes and migrations; expose repository APIs. | Policy Guild, Storage Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-70-003 | TODO | Build Redis exception decision cache (`exceptions_effective_map`) with warm/invalidation logic reacting to `exception.*` events. | Policy Guild, Runtime Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-70-004 | TODO | Extend metrics/tracing/logging for exception application (latency, counts, expiring events) and include AOC references in logs. | Policy Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-70-005 | TODO | Provide APIs/workers hook for exception activation/expiry (auto start/end) and event emission (`exception.activated/expired`). | Policy Guild, Scheduler Worker Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-80-001 | TODO | Integrate reachability/exploitability inputs into evaluation pipeline (state/score/confidence) with caching and explain support. | Policy Guild, Signals Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) + + +[Policy & Reasoning] 120.C) Policy.V +Depends on: Sprint 120.C - Policy.IV +Summary: Policy & Reasoning focus on Policy (phase V). 
+Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +POLICY-ENGINE-80-002 | TODO | Create joining layer to read `reachability_facts` efficiently (indexes, projections) and populate Redis overlay caches. | Policy Guild, Storage Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-80-003 | TODO | Extend SPL predicates/actions to reference reachability state/score/confidence; update compiler validation. | Policy Guild, Policy Editor Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-ENGINE-80-004 | TODO | Emit metrics (`policy_reachability_applied_total`, `policy_reachability_cache_hit_ratio`) and traces for signals usage. | Policy Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-OBS-50-001 | TODO | Integrate telemetry core into policy API + worker hosts, ensuring spans/logs cover compile/evaluate flows with `tenant_id`, `policy_version`, `decision_effect`, and trace IDs. | Policy Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-OBS-51-001 | TODO | Emit golden-signal metrics (compile latency, evaluate latency, rule hits, override counts) and define SLOs (evaluation P95 <2s). Publish Grafana dashboards + burn-rate alert rules. | Policy Guild, DevOps Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-OBS-52-001 | TODO | Emit timeline events `policy.evaluate.started`, `policy.evaluate.completed`, `policy.decision.recorded` with trace IDs, input digests, and rule summary. Provide contract tests and retry semantics. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-OBS-53-001 | TODO | Produce evaluation evidence bundles (inputs slice, rule trace, engine version, config snapshot) through evidence locker integration; ensure redaction + deterministic manifests. 
| Policy Guild, Evidence Locker Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-OBS-54-001 | TODO | Generate DSSE attestations for evaluation outputs, expose `/evaluations/{id}/attestation`, and link attestation IDs in timeline + console. Provide verification harness. | Policy Guild, Provenance Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-OBS-55-001 | TODO | Implement incident mode sampling overrides (full rule trace capture, extended retention) with auto-activation on SLO breach and manual override API. Emit activation events to timeline + notifier. | Policy Guild, DevOps Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-RISK-66-001 | TODO | Develop initial JSON Schema for RiskProfile (signals, transforms, weights, severity, overrides) with validator stubs. | Risk Profile Schema Guild (src/Policy/StellaOps.Policy.RiskProfile/TASKS.md) +POLICY-RISK-66-002 | TODO | Implement inheritance/merge logic with conflict detection and deterministic content hashing. | Risk Profile Schema Guild (src/Policy/StellaOps.Policy.RiskProfile/TASKS.md) +POLICY-RISK-66-003 | TODO | Integrate RiskProfile schema into Policy Engine configuration, ensuring validation and default profile deployment. | Policy Guild, Risk Profile Schema Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-RISK-66-004 | TODO | Extend Policy libraries to load/save RiskProfile documents, compute content hashes, and surface validation diagnostics. | Policy Guild, Risk Profile Schema Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) +POLICY-RISK-67-001 | TODO | Trigger scoring jobs on new/updated findings via Policy Engine orchestration hooks. | Policy Guild, Risk Engine Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-RISK-67-001 | TODO | Integrate profile storage and versioning into Policy Store with lifecycle states (draft/publish/deprecate). 
| Risk Profile Schema Guild, Policy Engine Guild (src/Policy/StellaOps.Policy.RiskProfile/TASKS.md) + + +[Policy & Reasoning] 120.C) Policy.VI +Depends on: Sprint 120.C - Policy.V +Summary: Policy & Reasoning focus on Policy (phase VI). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +POLICY-RISK-67-002 | TODO | Implement profile lifecycle APIs (`/risk/profiles` create/publish/deprecate) and scope attachment logic. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-RISK-67-002 | TODO | Publish `.well-known/risk-profile-schema` endpoint and CLI validation tooling. | Risk Profile Schema Guild (src/Policy/StellaOps.Policy.RiskProfile/TASKS.md) +POLICY-RISK-67-003 | TODO | Provide policy-layer APIs to trigger risk simulations and return distributions/contribution breakdowns. | Policy Guild, Risk Engine Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) +POLICY-RISK-68-001 | TODO | Provide simulation API bridging Policy Studio with risk engine; returns distributions and top movers. | Policy Guild, Policy Studio Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-RISK-68-001 | TODO | Implement scope selectors, precedence rules, and Authority attachment APIs. | Risk Profile Schema Guild, Authority Guild (src/Policy/StellaOps.Policy.RiskProfile/TASKS.md) +POLICY-RISK-68-002 | TODO | Add override/adjustment support with audit metadata and validation for conflicting rules. | Risk Profile Schema Guild (src/Policy/StellaOps.Policy.RiskProfile/TASKS.md) +POLICY-RISK-68-002 | TODO | Enable exporting/importing RiskProfiles with signatures via policy tooling (CLI + API). | Policy Guild, Export Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) +POLICY-RISK-69-001 | TODO | Emit events/notifications on profile publish, deprecate, and severity threshold changes. 
| Policy Guild, Notifications Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-RISK-70-001 | TODO | Support exporting/importing profiles with signatures for air-gapped bundles. | Policy Guild, Export Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +POLICY-SPL-23-001 | TODO | Define SPL v1 YAML + JSON Schema, including advisory rules, VEX precedence, severity mapping, exceptions, and layering metadata. Publish schema resources and validation fixtures. | Policy Guild, Language Infrastructure Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) +POLICY-SPL-23-002 | TODO | Implement canonicalizer that normalizes policy packs (ordering, defaults), computes content hash, and prepares bundle metadata for AOC/signing. | Policy Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) +POLICY-SPL-23-003 | TODO | Build policy layering/override engine (global/org/project/env/exception) with field-level precedence matrices; add unit/property tests. | Policy Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) +POLICY-SPL-23-004 | TODO | Design explanation tree model (rule hits, inputs, decisions) and persistence structures reused by runtime, UI, and CLI. | Policy Guild, Audit Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) +POLICY-SPL-23-005 | TODO | Create migration tool to snapshot existing behavior into baseline SPL packs (`org.core.baseline`), including policy docs and sample bundles. | Policy Guild, DevEx Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) +POLICY-SPL-24-001 | TODO | Extend SPL schema to expose reachability/exploitability predicates and weighting functions; update documentation and fixtures. | Policy Guild, Signals Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md) + + +[Policy & Reasoning] 120.C) Policy.VII +Depends on: Sprint 120.C - Policy.VI +Summary: Policy & Reasoning focus on Policy (phase VII). 
+Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +POLICY-TEN-48-001 | TODO | Add `tenant_id`/`project_id` columns, enable RLS, update evaluators to require tenant context, and emit rationale IDs including tenant metadata. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md) +REGISTRY-API-27-001 | TODO | Define OpenAPI specification covering workspaces, versions, reviews, simulations, promotions, and attestations; publish typed clients for Console/CLI. | Policy Registry Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md) +REGISTRY-API-27-002 | TODO | Implement workspace storage (Mongo collections, object storage buckets) with CRUD endpoints, diff history, and retention policies. | Policy Registry Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md) +REGISTRY-API-27-003 | TODO | Integrate compile endpoint: forward source bundle to Policy Engine, persist diagnostics, symbol table, rule index, and complexity metrics. | Policy Registry Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md) +REGISTRY-API-27-004 | TODO | Implement quick simulation API with request limits (sample size, timeouts), returning counts, heatmap, sampled explains. | Policy Registry Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md) +REGISTRY-API-27-005 | TODO | Build batch simulation orchestration: enqueue shards, collect partials, reduce deltas, produce evidence bundles + signed manifest. | Policy Registry Guild, Scheduler Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md) +REGISTRY-API-27-006 | TODO | Implement review workflow (comments, votes, required approvers, status transitions) with audit trails and webhooks. | Policy Registry Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md) +REGISTRY-API-27-007 | TODO | Implement publish pipeline: sign source/compiled digests, create attestations, mark version immutable, emit events. 
| Policy Registry Guild, Security Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md) +REGISTRY-API-27-008 | TODO | Implement promotion bindings per tenant/environment with canary subsets, rollback path, and environment history. | Policy Registry Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md) +REGISTRY-API-27-009 | TODO | Instrument metrics/logs/traces (compile time, diagnostics rate, sim queue depth, approval latency) and expose dashboards. | Policy Registry Guild, Observability Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md) +REGISTRY-API-27-010 | TODO | Build unit/integration/load test suites for compile/sim/review/publish/promote flows; provide seeded fixtures for CI. | Policy Registry Guild, QA Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md) + + +[Policy & Reasoning] 120.D) RiskEngine +Depends on: Sprint 110.A - AdvisoryAI +Summary: Policy & Reasoning focus on RiskEngine). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +RISK-ENGINE-66-001 | TODO | Scaffold scoring service (job queue, worker loop, provider registry) with deterministic execution harness. | Risk Engine Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md) +RISK-ENGINE-66-002 | TODO | Implement default transforms (linear, minmax, logistic, piecewise), clamping, gating, and contribution calculator. | Risk Engine Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md) +RISK-ENGINE-67-001 | TODO | Integrate CVSS and KEV providers pulling data from Conseiller; implement reducers (`max`, `any`, `consensus`). | Risk Engine Guild, Concelier Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md) +RISK-ENGINE-67-002 | TODO | Integrate VEX gate provider and ensure gating short-circuits scoring as configured. | Risk Engine Guild, Excitator Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md) +RISK-ENGINE-67-003 | TODO | Add fix availability, asset criticality, and internet exposure providers with caching + TTL enforcement. 
| Risk Engine Guild, Policy Engine Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md) +RISK-ENGINE-68-001 | TODO | Persist scoring results + explanation pointers to Findings Ledger; handle incremental updates via input hash. | Risk Engine Guild, Findings Ledger Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md) +RISK-ENGINE-68-002 | TODO | Expose APIs (`/risk/jobs`, `/risk/results`, `/risk/results/{id}/explanation`); include pagination, filtering, error codes. | Risk Engine Guild, API Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md) +RISK-ENGINE-69-001 | TODO | Implement simulation mode producing distributions and top movers without mutating ledger. | Risk Engine Guild, Policy Studio Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md) +RISK-ENGINE-69-002 | TODO | Add telemetry (spans, metrics, logs) for provider latency, job throughput, cache hits; define SLO dashboards. | Risk Engine Guild, Observability Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md) +RISK-ENGINE-70-001 | TODO | Support offline provider bundles with manifest verification and missing-data reporting. | Risk Engine Guild, Export Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md) +RISK-ENGINE-70-002 | TODO | Integrate runtime evidence provider and reachability provider outputs with caching + TTL. | Risk Engine Guild, Observability Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md) + + +[Policy & Reasoning] 120.E) VexLens.I +Depends on: Sprint 110.A - AdvisoryAI +Summary: Policy & Reasoning focus on VexLens (phase I). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +VEXLENS-30-001 | TODO | Implement normalization pipeline for CSAF VEX, OpenVEX, CycloneDX VEX (status mapping, justification mapping, product tree parsing). | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md) +VEXLENS-30-002 | TODO | Build product mapping library (CPE/CPE2.3/vendor tokens → purl/version) with scope quality scoring and path metadata. 
| VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md) +VEXLENS-30-003 | TODO | Integrate signature verification (Ed25519, DSSE, PKIX) using issuer keys, annotate evidence with verification state and failure reasons. | VEX Lens Guild, Issuer Directory Guild (src/VexLens/StellaOps.VexLens/TASKS.md) +VEXLENS-30-004 | TODO | Implement trust weighting engine (issuer base weights, signature modifiers, recency decay, justification modifiers, scope score adjustments) controlled by policy config. | VEX Lens Guild, Policy Guild (src/VexLens/StellaOps.VexLens/TASKS.md) +VEXLENS-30-005 | TODO | Implement consensus algorithm producing `consensus_state`, `confidence`, `weights`, `quorum`, `rationale`; support states: NOT_AFFECTED, AFFECTED, FIXED, UNDER_INVESTIGATION, DISPUTED, INCONCLUSIVE. | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md) +VEXLENS-30-006 | TODO | Materialize consensus projection storage with idempotent workers triggered by VEX/Policy changes; expose change events for downstream consumers. | VEX Lens Guild, Findings Ledger Guild (src/VexLens/StellaOps.VexLens/TASKS.md) +VEXLENS-30-007 | TODO | Expose APIs (`/vex/consensus`, `/vex/consensus/query`, `/vex/consensus/{id}`, `/vex/consensus/simulate`, `/vex/consensus/export`) with pagination, cost budgets, and OpenAPI docs. | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md) +VEXLENS-30-008 | TODO | Integrate consensus signals with Policy Engine (thresholds, suppression, simulation inputs) and Vuln Explorer detail view. | VEX Lens Guild, Policy Guild (src/VexLens/StellaOps.VexLens/TASKS.md) +VEXLENS-30-009 | TODO | Instrument metrics (`vex_consensus_compute_latency`, `vex_consensus_disputed_total`, `vex_signature_verification_rate`), structured logs, and traces; publish dashboards/alerts. 
| VEX Lens Guild, Observability Guild (src/VexLens/StellaOps.VexLens/TASKS.md) +VEXLENS-30-010 | TODO | Develop unit/property/integration/load tests (10M records), determinism harness, fuzz testing for malformed product trees. | VEX Lens Guild, QA Guild (src/VexLens/StellaOps.VexLens/TASKS.md) +VEXLENS-30-011 | TODO | Provide deployment manifests, caching configuration, scaling guides, offline kit seeds, and runbooks. | VEX Lens Guild, DevOps Guild (src/VexLens/StellaOps.VexLens/TASKS.md) +VEXLENS-AIAI-31-001 | TODO | Expose consensus rationale API enhancements (policy factors, issuer details, mapping issues) for Advisory AI conflict explanations. | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md) +VEXLENS-AIAI-31-002 | TODO | Provide caching hooks for consensus lookups used by Advisory AI (batch endpoints, TTL hints). | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md) +VEXLENS-EXPORT-35-001 | TODO | Provide consensus snapshot API delivering deterministic JSONL (state, confidence, provenance) for exporter mirror bundles. | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md) +VEXLENS-ORCH-33-001 | TODO | Register `consensus_compute` job type with orchestrator, integrate worker SDK, and expose job planning hooks for consensus batches. | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md) + + +[Policy & Reasoning] 120.E) VexLens.II +Depends on: Sprint 120.E - VexLens.I +Summary: Policy & Reasoning focus on VexLens (phase II). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +VEXLENS-ORCH-34-001 | TODO | Emit consensus completion events into orchestrator run ledger and provenance chain, including confidence metadata. | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md) + + +[Policy & Reasoning] 120.F) VulnExplorer +Depends on: Sprint 110.A - AdvisoryAI +Summary: Policy & Reasoning focus on VulnExplorer). 
+Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +VULN-API-29-001 | TODO | Define OpenAPI spec (list/detail/query/simulation/workflow/export), query JSON schema, pagination/grouping contracts, and error codes. | Vuln Explorer API Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md) +VULN-API-29-002 | TODO | Implement list/query endpoints with policy parameter, grouping, server paging, caching, and cost budgets. | Vuln Explorer API Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md) +VULN-API-29-003 | TODO | Implement detail endpoint aggregating evidence, policy rationale, paths (Graph Explorer deep link), and workflow summary. | Vuln Explorer API Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md) +VULN-API-29-004 | TODO | Expose workflow endpoints (assign, comment, accept-risk, verify-fix, target-fix, reopen) that write ledger events with idempotency + validation. | Vuln Explorer API Guild, Findings Ledger Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md) +VULN-API-29-005 | TODO | Implement simulation endpoint comparing `policy_from` vs `policy_to`, returning diffs without side effects; hook into Policy Engine batch eval. | Vuln Explorer API Guild, Policy Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md) +VULN-API-29-006 | TODO | Integrate resolver results with Graph Explorer: include shortest path metadata, line up deep-link parameters, expose `paths` array in details. | Vuln Explorer API Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md) +VULN-API-29-007 | TODO | Enforce RBAC/ABAC scopes; implement CSRF/anti-forgery checks for Console; secure attachment URLs; audit logging. | Vuln Explorer API Guild, Security Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md) +VULN-API-29-008 | TODO | Build export orchestrator producing signed bundles (manifest, NDJSON, checksums, signature). Integrate with Findings Ledger for evidence and Policy Engine metadata. 
| Vuln Explorer API Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md) +VULN-API-29-009 | TODO | Instrument metrics (`vuln_list_latency`, `vuln_simulation_latency`, `vuln_export_duration`, `vuln_workflow_events_total`), structured logs, and traces; publish dashboards/alerts. | Vuln Explorer API Guild, Observability Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md) +VULN-API-29-010 | TODO | Provide unit/integration/perf tests (5M findings), fuzz query validation, determinism harness comparing repeated queries. | Vuln Explorer API Guild, QA Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md) +VULN-API-29-011 | TODO | Package deployment (Helm/Compose), health checks, CI smoke, offline kit steps, and scaling guidance. | Vuln Explorer API Guild, DevOps Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md) + + +If all tasks are done - read next sprint section - SPRINT_130_scanner_surface.md diff --git a/docs/implplan/SPRINT_130_scanner_surface.md b/docs/implplan/SPRINT_130_scanner_surface.md new file mode 100644 index 00000000..96c171d0 --- /dev/null +++ b/docs/implplan/SPRINT_130_scanner_surface.md 
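Review bot: the Policy.V and Policy.VI tables reuse task IDs, which breaks any tracking or dependency lookup keyed on them: POLICY-RISK-67-001 is assigned both to "Trigger scoring jobs on new/updated findings" and to "Integrate profile storage and versioning into Policy Store", and POLICY-RISK-67-002, POLICY-RISK-68-001 and POLICY-RISK-68-002 are each used for two unrelated rows as well (the rows sourced from src/Policy/StellaOps.Policy.RiskProfile/TASKS.md look merged into the engine numbering without renumbering); give every row a unique ID, for example a separate prefix for the Risk Profile Schema Guild's rows, and say how POLICY-RISK-68-002 ("exporting/importing RiskProfiles with signatures via policy tooling") differs from POLICY-RISK-70-001 ("exporting/importing profiles with signatures for air-gapped bundles"), since as written they describe the same deliverable. POLICY-TEN-48-001 says "Add `tenant_id`/`project_id` columns, enable RLS", but every storage task in this file (POLICY-ENGINE-70-002, REGISTRY-API-27-002) creates Mongo collections, where row-level security does not exist; state which store tenant isolation is enforced in and, if it is Mongo, what stands in for RLS (tenant-scoped filters enforced in the repository layer, never trusted from the caller), because a mismatch here is how cross-tenant reads slip through. The signed export tasks (POLICY-RISK-68-002, POLICY-RISK-70-001, VULN-API-29-008) specify signing on the way out but nothing about verification on the way in; add the trust-root source and fail-closed handling of a missing or bad signature, the way RISK-ENGINE-70-001 already spells out "manifest verification and missing-data reporting". Minor: RISK-ENGINE-67-001 pulls data from "Conseiller" while its own owner column says Concelier Guild; the summary lines for 120.D and 120.F end with a stray ")" ("focus on RiskEngine)." and "focus on VulnExplorer).").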
@@ -0,0 +1,169 @@ +# Sprint 130 - Scanner & Surface + +[Scanner & Surface] 130.A) Scanner.I +Depends on: Sprint 110.A - AdvisoryAI +Summary: Scanner & Surface focus on Scanner (phase I). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +5 | SCANNER-ANALYZERS-LANG-10-308R | Determinism fixtures + performance benchmarks; compare against competitor heuristic coverage. | TODO (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md) +6 | SCANNER-ANALYZERS-LANG-10-309R | Package plug-in manifest + Offline Kit documentation; ensure Worker integration. | TODO (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md) +ENTRYTRACE-SURFACE-01 | TODO | Run Surface.Validation prereq checks and resolve cached entry fragments via Surface.FS to avoid duplicate parsing. | EntryTrace Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md) +ENTRYTRACE-SURFACE-02 | TODO | Replace direct env/secret access with Surface.Secrets provider when tracing runtime configs. | EntryTrace Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md) +LANG-SURFACE-01 | TODO | Invoke Surface.Validation checks (env/cache/secrets) before analyzer execution to ensure consistent prerequisites. | Language Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md) +LANG-SURFACE-02 | TODO | Consume Surface.FS APIs for layer/source caching (instead of bespoke caches) to improve determinism. | Language Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md) +LANG-SURFACE-03 | TODO | Replace direct secret/env reads with Surface.Secrets references when fetching package feeds or registry creds. | Language Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md) +SCANNER-ANALYZERS-DENO-26-001 | TODO | Build input normalizer & VFS for Deno projects: merge `deno.json(c)`, import maps, lockfiles, vendor dirs, `$DENO_DIR` caches, and container layers. 
Detect runtime/toolchain hints deterministically. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md) +SCANNER-ANALYZERS-DENO-26-002 | TODO | Module graph builder: resolve static/dynamic imports using import map, `deno.lock`, vendor/, cache, npm bridge, node: builtins, WASM/JSON assertions. Annotate edges with resolution source and form. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md) +SCANNER-ANALYZERS-DENO-26-003 | TODO | NPM/Node compat adapter: map `npm:` specifiers to cached packages or compat `node_modules`, evaluate package `exports`/conditions, record node: builtin usage. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md) +SCANNER-ANALYZERS-DENO-26-004 | TODO | Static analyzer for permission/capability signals (FS, net, env, process, crypto, FFI, workers). Detect dynamic-import patterns, literal fetch URLs, tasks vs declared permissions. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md) +SCANNER-ANALYZERS-DENO-26-005 | TODO | Bundle/binary inspector: parse eszip bundles and `deno compile` executables (embedded eszip + snapshot) to recover module graph, config, embedded resources. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md) +SCANNER-ANALYZERS-DENO-26-006 | TODO | Container adapter: traverse OCI layers for `deno`, caches, vendor directories, compiled binaries; merge module provenance with layer info. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md) +SCANNER-ANALYZERS-DENO-26-007 | TODO | Produce AOC-compliant observations: entrypoints, modules, edges, permissions, workers, warnings, binaries with reason codes and contexts. 
| Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md) +SCANNER-ANALYZERS-DENO-26-008 | TODO | Fixture suite + performance benchmarks (vendor, npm, FFI, workers, dynamic import, bundle/binary, cache-only, container). | Deno Analyzer Guild, QA Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md) + + +[Scanner & Surface] 130.A) Scanner.II +Depends on: Sprint 130.A - Scanner.I +Summary: Scanner & Surface focus on Scanner (phase II). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +SCANNER-ANALYZERS-DENO-26-009 | TODO | Optional runtime evidence hooks (loader/require shim) capturing module loads + permissions during harnessed execution with path hashing. | Deno Analyzer Guild, Signals Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md) +SCANNER-ANALYZERS-DENO-26-010 | TODO | Package analyzer plug-in, add CLI (`stella deno inspect | Deno Analyzer Guild, DevOps Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md) +SCANNER-ANALYZERS-DENO-26-011 | TODO | Policy signal emitter: net/fs/env/ffi/process/crypto capabilities, remote origin list, npm usage, wasm modules, dynamic-import warnings. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md) +SCANNER-ANALYZERS-JAVA-21-005 | TODO | Framework config extraction: Spring Boot imports, spring.factories, application properties/yaml, Jakarta web.xml & fragments, JAX-RS/JPA/CDI/JAXB configs, logging files, Graal native-image configs. | Java Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md) +SCANNER-ANALYZERS-JAVA-21-006 | TODO | JNI/native hint scanner: detect native methods, System.load/Library literals, bundled native libs, Graal JNI configs; emit `jni-load` edges for native analyzer correlation. 
| Java Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md) +SCANNER-ANALYZERS-JAVA-21-007 | TODO | Signature and manifest metadata collector: verify JAR signature structure, capture signers, manifest loader attributes (Main-Class, Agent-Class, Start-Class, Class-Path). | Java Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md) +SCANNER-ANALYZERS-JAVA-21-008 | BLOCKED (2025-10-27) | Implement resolver + AOC writer: produce entrypoints (env profiles, warnings), components (jar_id + semantic ids), edges (jpms, cp, spi, reflect, jni) with reason codes/confidence. | Java Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md) +SCANNER-ANALYZERS-JAVA-21-009 | TODO | Author comprehensive fixtures (modular app, boot fat jar, war, ear, MR-jar, jlink image, JNI, reflection heavy, signed jar, microprofile) with golden outputs and perf benchmarks. | Java Analyzer Guild, QA Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md) +SCANNER-ANALYZERS-JAVA-21-010 | TODO | Optional runtime ingestion: Java agent + JFR reader capturing class load, ServiceLoader, and System.load events with path scrubbing. Emit append-only runtime edges `runtime-class`/`runtime-spi`/`runtime-load`. | Java Analyzer Guild, Signals Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md) +SCANNER-ANALYZERS-JAVA-21-011 | TODO | Package analyzer as restart-time plug-in (manifest/DI), update Offline Kit docs, add CLI/worker hooks for Java inspection commands. | Java Analyzer Guild, DevOps Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md) +SCANNER-ANALYZERS-LANG-11-001 | TODO | Build entrypoint resolver that maps project/publish artifacts to entrypoint identities (assembly name, MVID, TFM, RID) and environment profiles (publish mode, host kind, probing paths). Output normalized `entrypoints[]` records with deterministic IDs. 
| StellaOps.Scanner EPDR Guild, Language Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md) +SCANNER-ANALYZERS-LANG-11-002 | TODO | Implement static analyzer (IL + reflection heuristics) capturing AssemblyRef, ModuleRef/PInvoke, DynamicDependency, reflection literals, DI patterns, and custom AssemblyLoadContext probing hints. Emit dependency edges with reason codes and confidence. | StellaOps.Scanner EPDR Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md) +SCANNER-ANALYZERS-LANG-11-003 | TODO | Ingest optional runtime evidence (AssemblyLoad, Resolving, P/Invoke) via event listener harness; merge runtime edges with static/declared ones and attach reason codes/confidence. | StellaOps.Scanner EPDR Guild, Signals Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md) +SCANNER-ANALYZERS-LANG-11-004 | TODO | Produce normalized observation export to Scanner writer: entrypoints + dependency edges + environment profiles (AOC compliant). Wire to SBOM service entrypoint tagging. | StellaOps.Scanner EPDR Guild, SBOM Service Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md) +SCANNER-ANALYZERS-LANG-11-005 | TODO | Add comprehensive fixtures/benchmarks covering framework-dependent, self-contained, single-file, trimmed, NativeAOT, multi-RID scenarios; include explain traces and perf benchmarks vs previous analyzer. | StellaOps.Scanner EPDR Guild, QA Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md) + + +[Scanner & Surface] 130.A) Scanner.III +Depends on: Sprint 130.A - Scanner.II +Summary: Scanner & Surface focus on Scanner (phase III). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +SCANNER-ANALYZERS-NATIVE-20-001 | TODO | Implement format detector and binary identity model supporting ELF, PE/COFF, and Mach-O (including fat slices). Capture arch, OS, build-id/UUID, interpreter metadata. 
| Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md) +SCANNER-ANALYZERS-NATIVE-20-002 | TODO | Parse ELF dynamic sections: `DT_NEEDED`, `DT_RPATH`, `DT_RUNPATH`, symbol versions, interpreter, and note build-id. Emit declared dependency records with reason `elf-dtneeded` and attach version needs. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md) +SCANNER-ANALYZERS-NATIVE-20-003 | TODO | Parse PE imports, delay-load tables, manifests/SxS metadata, and subsystem flags. Emit edges with reasons `pe-import` and `pe-delayimport`, plus SxS policy metadata. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md) +SCANNER-ANALYZERS-NATIVE-20-004 | TODO | Parse Mach-O load commands (`LC_LOAD_DYLIB`, `LC_REEXPORT_DYLIB`, `LC_RPATH`, `LC_UUID`, fat headers). Handle `@rpath/@loader_path` placeholders and slice separation. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md) +SCANNER-ANALYZERS-NATIVE-20-005 | TODO | Implement resolver engine modeling loader search order for ELF (rpath/runpath/cache/default), PE (SafeDll search + SxS), and Mach-O (`@rpath` expansion). Works against virtual image roots, producing explain traces. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md) +SCANNER-ANALYZERS-NATIVE-20-006 | TODO | Build heuristic scanner for `dlopen`/`LoadLibrary` strings, plugin ecosystem configs, and Go/Rust static hints. Emit edges with `reason_code` (`string-dlopen`, `config-plugin`, `ecosystem-heuristic`) and confidence levels. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md) +SCANNER-ANALYZERS-NATIVE-20-007 | TODO | Serialize AOC-compliant observations: entrypoints + dependency edges + environment profiles (search paths, interpreter, loader metadata). Integrate with Scanner writer API. 
| Native Analyzer Guild, SBOM Service Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md) +SCANNER-ANALYZERS-NATIVE-20-008 | TODO | Author cross-platform fixtures (ELF dynamic/static, PE delay-load/SxS, Mach-O @rpath, plugin configs) and determinism benchmarks (<25 ms / binary, <250 MB). | Native Analyzer Guild, QA Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md) +SCANNER-ANALYZERS-NATIVE-20-009 | TODO | Provide optional runtime capture adapters (Linux eBPF `dlopen`, Windows ETW ImageLoad, macOS dyld interpose) writing append-only runtime evidence. Include redaction/sandbox guidance. | Native Analyzer Guild, Signals Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md) +SCANNER-ANALYZERS-NATIVE-20-010 | TODO | Package native analyzer as restart-time plug-in with manifest/DI registration; update Offline Kit bundle + documentation. | Native Analyzer Guild, DevOps Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md) +SCANNER-ANALYZERS-NODE-22-001 | TODO | Build input normalizer + VFS for Node projects: dirs, tgz, container layers, pnpm store, Yarn PnP zips; detect Node version targets (`.nvmrc`, `.node-version`, Dockerfile) and workspace roots deterministically. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) +SCANNER-ANALYZERS-NODE-22-002 | TODO | Implement entrypoint discovery (bin/main/module/exports/imports, workers, electron, shebang scripts) and condition set builder per entrypoint. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) +SCANNER-ANALYZERS-NODE-22-003 | TODO | Parse JS/TS sources for static `import`, `require`, `import()` and string concat cases; flag dynamic patterns with confidence levels; support source map de-bundling. 
| Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) +SCANNER-ANALYZERS-NODE-22-004 | TODO | Implement Node resolver engine for CJS + ESM (core modules, exports/imports maps, conditions, extension priorities, self-references) parameterised by node_version. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) +SCANNER-ANALYZERS-NODE-22-005 | TODO | Add package manager adapters: Yarn PnP (.pnp.data/.pnp.cjs), pnpm virtual store, npm/Yarn classic hoists; operate entirely in virtual FS. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) + + +[Scanner & Surface] 130.A) Scanner.IV +Depends on: Sprint 130.A - Scanner.III +Summary: Scanner & Surface focus on Scanner (phase IV). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +SCANNER-ANALYZERS-NODE-22-006 | TODO | Detect bundles + source maps, reconstruct module specifiers, and correlate to original paths; support dual CJS/ESM graphs with conditions. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) +SCANNER-ANALYZERS-NODE-22-007 | TODO | Scan for native addons (.node), WASM modules, and core capability signals (child_process, vm, worker_threads); emit hint edges and native metadata. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) +SCANNER-ANALYZERS-NODE-22-008 | TODO | Produce AOC-compliant observations: entrypoints, components (pkg/native/wasm), edges (esm-import, cjs-require, exports, json, native-addon, wasm, worker) with reason codes/confidence and resolver traces. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) +SCANNER-ANALYZERS-NODE-22-009 | TODO | Author fixture suite + performance benchmarks (npm, pnpm, PnP, bundle, electron, worker) with golden outputs and latency budgets. 
| Node Analyzer Guild, QA Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) +SCANNER-ANALYZERS-NODE-22-010 | TODO | Implement optional runtime evidence hooks (ESM loader, CJS require hook) with path scrubbing and loader ID hashing; emit runtime-* edges. | Node Analyzer Guild, Signals Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) +SCANNER-ANALYZERS-NODE-22-011 | TODO | Package updated analyzer as restart-time plug-in, expose Scanner CLI (`stella node *`) commands, refresh Offline Kit documentation. | Node Analyzer Guild, DevOps Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) +SCANNER-ANALYZERS-NODE-22-012 | TODO | Integrate container filesystem adapter (OCI layers, Dockerfile hints) and record NODE_OPTIONS/env warnings. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) +SCANNER-ANALYZERS-PHP-27-001 | TODO | Build input normalizer & VFS for PHP projects: merge source trees, composer manifests, vendor/, php.ini/conf.d, `.htaccess`, FPM configs, container layers. Detect framework/CMS fingerprints deterministically. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) +SCANNER-ANALYZERS-PHP-27-002 | TODO | Composer/Autoload analyzer: parse composer.json/lock/installed.json, generate package nodes, autoload edges (psr-4/0/classmap/files), bin entrypoints, composer plugins. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) +SCANNER-ANALYZERS-PHP-27-003 | TODO | Include/require graph builder: resolve static includes, capture dynamic include patterns, bootstrap chains, merge with autoload edges. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) +SCANNER-ANALYZERS-PHP-27-004 | TODO | Runtime capability scanner: detect exec/fs/net/env/serialization/crypto/database usage, stream wrappers, uploads; record evidence snippets. 
| PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) +SCANNER-ANALYZERS-PHP-27-005 | TODO | PHAR/Archive inspector: parse phar manifests/stubs, hash files, detect embedded vendor trees and phar:// usage. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) +SCANNER-ANALYZERS-PHP-27-006 | TODO | Framework/CMS surface mapper: extract routes, controllers, middleware, CLI/cron entrypoints for Laravel/Symfony/Slim/WordPress/Drupal/Magento. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) +SCANNER-ANALYZERS-PHP-27-007 | TODO | Container & extension detector: parse php.ini/conf.d, map extensions to .so/.dll, collect web server/FPM settings, upload limits, disable_functions. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) +SCANNER-ANALYZERS-PHP-27-008 | TODO | Produce AOC-compliant observations: entrypoints, packages, extensions, modules, edges (require/autoload), capabilities, routes, configs. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) + + +[Scanner & Surface] 130.A) Scanner.V +Depends on: Sprint 130.A - Scanner.IV +Summary: Scanner & Surface focus on Scanner (phase V). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +SCANNER-ANALYZERS-PHP-27-009 | TODO | Fixture suite + performance benchmarks (Laravel, Symfony, WordPress, legacy, PHAR, container) with golden outputs. | PHP Analyzer Guild, QA Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) +SCANNER-ANALYZERS-PHP-27-010 | TODO | Optional runtime evidence hooks (if provided) to ingest audit logs or opcode cache stats with path hashing. 
| PHP Analyzer Guild, Signals Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) +SCANNER-ANALYZERS-PHP-27-011 | TODO | Package analyzer plug-in, add CLI (`stella php inspect | PHP Analyzer Guild, DevOps Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) +SCANNER-ANALYZERS-PHP-27-012 | TODO | Policy signal emitter: extension requirements/presence, dangerous constructs counters, stream wrapper usage, capability summaries. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md) +SCANNER-ANALYZERS-PYTHON-23-001 | TODO | Build input normalizer & virtual filesystem for wheels, sdists, editable installs, zipapps, site-packages trees, and container roots. Detect Python version targets (`pyproject.toml`, `runtime.txt`, Dockerfile) + virtualenv layout deterministically. | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) +SCANNER-ANALYZERS-PYTHON-23-002 | TODO | Entrypoint discovery: module `__main__`, console_scripts entry points, `scripts`, zipapp main, `manage.py`/gunicorn/celery patterns. Capture invocation context (module vs package, argv wrappers). | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) +SCANNER-ANALYZERS-PYTHON-23-003 | TODO | Static import graph builder using AST and bytecode fallback. Support `import`, `from ... import`, relative imports, `importlib.import_module`, `__import__` with literal args, `pkgutil.extend_path`. | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) +SCANNER-ANALYZERS-PYTHON-23-004 | TODO | Python resolver engine (importlib semantics) handling namespace packages (PEP 420), package discovery order, `.pth` files, `sys.path` composition, zipimport, and site-packages precedence across virtualenv/container roots. 
| Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) +SCANNER-ANALYZERS-PYTHON-23-005 | TODO | Packaging adapters: pip editable (`.egg-link`), Poetry/Flit layout, Conda prefix, `.dist-info/RECORD` cross-check, container layer overlays. | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) +SCANNER-ANALYZERS-PYTHON-23-006 | TODO | Detect native extensions (`*.so`, `*.pyd`), CFFI modules, ctypes loaders, embedded WASM, and runtime capability signals (subprocess, multiprocessing, ctypes, eval). | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) +SCANNER-ANALYZERS-PYTHON-23-007 | TODO | Framework/config heuristics: Django, Flask, FastAPI, Celery, AWS Lambda handlers, Gunicorn, Click/Typer CLIs, logging configs, pyproject optional dependencies. Tagged as hints only. | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) +SCANNER-ANALYZERS-PYTHON-23-008 | TODO | Produce AOC-compliant observations: entrypoints, components (modules/packages/native), edges (import, namespace, dynamic-hint, native-extension) with reason codes/confidence and resolver traces. | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) +SCANNER-ANALYZERS-PYTHON-23-009 | TODO | Fixture suite + perf benchmarks covering virtualenv, namespace packages, zipapp, editable installs, containers, lambda handler. | Python Analyzer Guild, QA Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) +SCANNER-ANALYZERS-PYTHON-23-010 | TODO | Optional runtime evidence: import hook capturing module load events with path scrubbing, optional bytecode instrumentation for `importlib` hooks, multiprocessing tracer. 
| Python Analyzer Guild, Signals Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) +SCANNER-ANALYZERS-PYTHON-23-011 | TODO | Package analyzer plug-in, add CLI commands (`stella python inspect | Python Analyzer Guild, DevOps Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) + + +[Scanner & Surface] 130.A) Scanner.VI +Depends on: Sprint 130.A - Scanner.V +Summary: Scanner & Surface focus on Scanner (phase VI). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +SCANNER-ANALYZERS-PYTHON-23-012 | TODO | Container/zipapp adapter enhancements: parse OCI layers for Python runtime, detect `PYTHONPATH`/`PYTHONHOME` env, record warnings for sitecustomize/startup hooks. | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) +SCANNER-ANALYZERS-RUBY-28-001 | TODO | Build input normalizer & VFS for Ruby projects: merge source trees, Gemfile/Gemfile.lock, vendor/bundle, .gem archives, `.bundle/config`, Rack configs, containers. Detect framework/job fingerprints deterministically. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) +SCANNER-ANALYZERS-RUBY-28-002 | TODO | Gem & Bundler analyzer: parse Gemfile/Gemfile.lock, vendor specs, .gem archives, produce package nodes (PURLs), dependency edges, bin scripts, Bundler group metadata. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) +SCANNER-ANALYZERS-RUBY-28-003 | TODO | Require/autoload graph builder: resolve static/dynamic require, require_relative, load; infer Zeitwerk autoload paths and Rack boot chain. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) +SCANNER-ANALYZERS-RUBY-28-004 | TODO | Framework surface mapper: extract routes/controllers/middleware for Rails/Rack/Sinatra/Grape/Hanami; inventory jobs/schedulers (Sidekiq, Resque, ActiveJob, whenever, clockwork). 
| Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) +SCANNER-ANALYZERS-RUBY-28-005 | TODO | Capability analyzer: detect os-exec, filesystem, network, serialization, crypto, DB usage, TLS posture, dynamic eval; record evidence snippets with file/line. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) +SCANNER-ANALYZERS-RUBY-28-006 | TODO | Rake task & scheduler analyzer: parse Rakefiles/lib/tasks, capture task names/prereqs/shell commands; parse Sidekiq/whenever/clockwork configs into schedules. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) +SCANNER-ANALYZERS-RUBY-28-007 | TODO | Container/runtime scanner: detect Ruby version, installed gems, native extensions, web server configs in OCI layers. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) +SCANNER-ANALYZERS-RUBY-28-008 | TODO | Produce AOC-compliant observations: entrypoints, packages, modules, edges (require/autoload), routes, jobs, tasks, capabilities, configs, warnings. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) +SCANNER-ANALYZERS-RUBY-28-009 | TODO | Fixture suite + performance benchmarks (Rails, Rack, Sinatra, Sidekiq, legacy, .gem, container) with golden outputs. | Ruby Analyzer Guild, QA Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) +SCANNER-ANALYZERS-RUBY-28-010 | TODO | Optional runtime evidence integration (if provided logs/metrics) with path hashing, without altering static precedence. 
| Ruby Analyzer Guild, Signals Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) +SCANNER-ANALYZERS-RUBY-28-011 | TODO | Package analyzer plug-in, add CLI (`stella ruby inspect | Ruby Analyzer Guild, DevOps Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) +SCANNER-ANALYZERS-RUBY-28-012 | TODO | Policy signal emitter: rubygems drift, native extension flags, dangerous constructs counts, TLS verify posture, dynamic require eval warnings. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md) +SCANNER-ENTRYTRACE-18-502 | TODO | Expand chain walker with init shim/user-switch/supervisor recognition plus env/workdir accumulation and guarded edges. | EntryTrace Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md) +SCANNER-ENTRYTRACE-18-503 | TODO | Introduce target classifier + EntryPlan handoff with confidence scoring for ELF/Java/.NET/Node/Python and user/workdir context. | EntryTrace Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md) + + +[Scanner & Surface] 130.A) Scanner.VII +Depends on: Sprint 130.A - Scanner.VI +Summary: Scanner & Surface focus on Scanner (phase VII). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +SCANNER-ENTRYTRACE-18-504 | TODO | Emit EntryTrace AOC NDJSON (`entrytrace.entry/node/edge/target/warning/capability`) and wire CLI/service streaming outputs. | EntryTrace Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md) +SCANNER-ENV-01 | TODO | Replace ad-hoc environment reads with `StellaOps.Scanner.Surface.Env` helpers for cache roots and CAS endpoints. | Scanner Worker Guild (src/Scanner/StellaOps.Scanner.Worker/TASKS.md) +SCANNER-ENV-02 | TODO | Wire Surface.Env helpers into WebService hosting (cache roots, feature flags) and document configuration. 
| Scanner WebService Guild, Ops Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md) +SCANNER-ENV-03 | TODO | Adopt Surface.Env helpers for plugin configuration (cache roots, CAS endpoints, feature toggles). | BuildX Plugin Guild (src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md) +SCANNER-EVENTS-16-301 | BLOCKED (2025-10-26) | Emit orchestrator-compatible envelopes (`scanner.event.*`) and update integration tests to verify Notifier ingestion (no Redis queue coupling). | Scanner WebService Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md) +SCANNER-EVENTS-16-302 | DOING (2025-10-26) | Extend orchestrator event links (report/policy/attestation) once endpoints are finalised across gateway + console. | Scanner WebService Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md) +SCANNER-GRAPH-21-001 | TODO | Provide webhook/REST endpoint for Cartographer to request policy overlays and runtime evidence for graph nodes, ensuring determinism and tenant scoping. | Scanner WebService Guild, Cartographer Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md) +SCANNER-LNM-21-001 | TODO | Update `/reports` and `/policy/runtime` payloads to consume advisory/vex linksets, exposing source severity arrays and conflict summaries alongside effective verdicts. | Scanner WebService Guild, Policy Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md) +SCANNER-LNM-21-002 | TODO | Add evidence endpoint for Console to fetch linkset summaries with policy overlay for a component/SBOM, including AOC references. | Scanner WebService Guild, UI Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md) +SCANNER-SECRETS-01 | TODO | Adopt `StellaOps.Scanner.Surface.Secrets` for registry/CAS credentials during scan execution. | Scanner Worker Guild, Security Guild (src/Scanner/StellaOps.Scanner.Worker/TASKS.md) +SCANNER-SECRETS-02 | TODO | Replace ad-hoc secret wiring with Surface.Secrets for report/export operations (registry and CAS tokens). 
| Scanner WebService Guild, Security Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md) +SCANNER-SECRETS-03 | TODO | Use Surface.Secrets to retrieve registry credentials when interacting with CAS/referrers. | BuildX Plugin Guild, Security Guild (src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md) +SCANNER-SURFACE-01 | TODO | Persist Surface.FS manifests after analyzer stages, including layer CAS metadata and EntryTrace fragments. | Scanner Worker Guild (src/Scanner/StellaOps.Scanner.Worker/TASKS.md) +SCANNER-SURFACE-02 | TODO | Publish Surface.FS pointers (CAS URIs, manifests) via scan/report APIs and update attestation metadata. | Scanner WebService Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md) +SCANNER-SURFACE-03 | TODO | Push layer manifests and entry fragments into Surface.FS during build-time SBOM generation. | BuildX Plugin Guild (src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md) + + +[Scanner & Surface] 130.A) Scanner.VIII +Depends on: Sprint 130.A - Scanner.VII +Summary: Scanner & Surface focus on Scanner (phase VIII). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +Seq | ID | Description | Status (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md) +Seq | ID | Description | Status (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md) +Seq | ID | Description | Status (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md) +Seq | ID | Description | Status (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md) +Seq | ID | Description | Status (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md) + + +If all tasks are done - read next sprint section - SPRINT_140_runtime_signals.md diff --git a/docs/implplan/SPRINT_140_runtime_signals.md b/docs/implplan/SPRINT_140_runtime_signals.md new file mode 100644 index 00000000..19fbd712 --- /dev/null +++ b/docs/implplan/SPRINT_140_runtime_signals.md 
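Review bot: three rows in the Scanner.V, VI and VII boards have truncated descriptions and an unclosed code span, which breaks the table: `SCANNER-ANALYZERS-PHP-27-011 | TODO | Package analyzer plug-in, add CLI (`stella php inspect | PHP Analyzer Guild, ...`, and the same pattern for `SCANNER-ANALYZERS-PYTHON-23-011` (`stella python inspect`) and `SCANNER-ANALYZERS-RUBY-28-011` (`stella ruby inspect`). The `|` that followed the command in the source TASKS.md was treated as a column separator during aggregation, so the rest of each description (and the closing backtick and parenthesis) is lost; escape it as `\|` inside the code span or rephrase the command list, and restore the remainder from the source files. The Scanner.VIII board also carries five rows that are just the source tables' header lines (`Seq | ID | Description | Status (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md)` and four more) with no task ID, state or owner; either drop them or replace them with the actual open tasks from those files, otherwise the "If all tasks are done" hand-off to SPRINT_140 cannot be evaluated for that phase. Minor: `SCANNER-EVENTS-16-301` is `BLOCKED (2025-10-26)` with no blocker named; add what it waits on so the row is actionable.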
@@ -0,0 +1,65 @@ +# Sprint 140 - Runtime & Signals + +[Runtime & Signals] 140.A) Graph +Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner +Summary: Runtime & Signals focus on Graph). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +GRAPH-INDEX-28-001 | TODO | Define canonical node/edge schemas, attribute dictionaries, identity rules, and seed fixtures; publish schema doc. | Graph Indexer Guild (src/Graph/StellaOps.Graph.Indexer/TASKS.md) +GRAPH-INDEX-28-002 | TODO | Implement SBOM ingest consumer producing artifact/package/file nodes and edges with `valid_from/valid_to`, scope metadata, and provenance links. | Graph Indexer Guild (src/Graph/StellaOps.Graph.Indexer/TASKS.md) +GRAPH-INDEX-28-003 | TODO | Project Concelier linksets into overlay tiles (`affected_by` edges, evidence refs) without mutating source observations; keep advisory aggregates in overlay store only. | Graph Indexer Guild (src/Graph/StellaOps.Graph.Indexer/TASKS.md) +GRAPH-INDEX-28-004 | TODO | Integrate VEX statements (`vex_exempts` edges) with justification metadata and precedence markers for overlays. | Graph Indexer Guild (src/Graph/StellaOps.Graph.Indexer/TASKS.md) +GRAPH-INDEX-28-005 | TODO | Hydrate policy overlays into graph (`governs_with` nodes/edges) referencing effective findings and explain hashes for sampled nodes. | Graph Indexer Guild, Policy Guild (src/Graph/StellaOps.Graph.Indexer/TASKS.md) +GRAPH-INDEX-28-006 | TODO | Generate graph snapshots per SBOM with lineage (`derived_from`), adjacency manifests, and metadata for diff jobs. | Graph Indexer Guild (src/Graph/StellaOps.Graph.Indexer/TASKS.md) +GRAPH-INDEX-28-007 | TODO | Implement clustering/centrality background jobs (Louvain/degree/betweenness approximations) with configurable schedules and store cluster ids on nodes. 
| Graph Indexer Guild, Observability Guild (src/Graph/StellaOps.Graph.Indexer/TASKS.md) +GRAPH-INDEX-28-008 | TODO | Provide incremental update + backfill pipeline with change streams, retry/backoff, idempotent operations, and backlog metrics. | Graph Indexer Guild (src/Graph/StellaOps.Graph.Indexer/TASKS.md) +GRAPH-INDEX-28-009 | TODO | Add unit/property/integration tests, synthetic large graph fixtures, chaos testing (missing overlays, cycles), and determinism checks across runs. | Graph Indexer Guild, QA Guild (src/Graph/StellaOps.Graph.Indexer/TASKS.md) +GRAPH-INDEX-28-010 | TODO | Package deployment artifacts (Helm/Compose), offline seed bundles, and configuration docs; integrate Offline Kit. | Graph Indexer Guild, DevOps Guild (src/Graph/StellaOps.Graph.Indexer/TASKS.md) + + +[Runtime & Signals] 140.B) SbomService +Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner +Summary: Runtime & Signals focus on SbomService). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +SBOM-AIAI-31-001 | TODO | Provide `GET /sbom/paths?purl=...` and version timeline endpoints optimized for Advisory AI (incl. env flags, blast radius metadata). | SBOM Service Guild (src/SbomService/StellaOps.SbomService/TASKS.md) +SBOM-AIAI-31-002 | TODO | Instrument metrics for path/timeline queries (latency, cache hit rate) and surface dashboards. | SBOM Service Guild, Observability Guild (src/SbomService/StellaOps.SbomService/TASKS.md) +SBOM-CONSOLE-23-001 | TODO | Provide Console-focused SBOM catalog API (`/console/sboms`) with filters (artifact, license, scope, asset tags), pagination cursors, evaluation metadata, and immutable JSON projections for raw view drawer. Document schema + determinism guarantees. 
| SBOM Service Guild, Cartographer Guild (src/SbomService/StellaOps.SbomService/TASKS.md) +SBOM-CONSOLE-23-002 | TODO | Deliver component lookup endpoints powering global search and Graph overlays (component neighborhoods, license overlays, policy deltas) with caching hints and tenant enforcement. | SBOM Service Guild (src/SbomService/StellaOps.SbomService/TASKS.md) +SBOM-ORCH-32-001 | TODO | Register SBOM ingest/index sources with orchestrator, embed worker SDK, and emit artifact hashes + job metadata. | SBOM Service Guild (src/SbomService/StellaOps.SbomService/TASKS.md) +SBOM-ORCH-33-001 | TODO | Report backpressure metrics, honor orchestrator pause/throttle signals, and classify error outputs for sbom jobs. | SBOM Service Guild (src/SbomService/StellaOps.SbomService/TASKS.md) +SBOM-ORCH-34-001 | TODO | Implement orchestrator backfill + watermark reconciliation for SBOM ingest/index, ensuring idempotent artifact reuse. | SBOM Service Guild (src/SbomService/StellaOps.SbomService/TASKS.md) +SBOM-SERVICE-21-001 | BLOCKED (2025-10-27) | Publish normalized SBOM projection schema (components, relationships, scopes, entrypoints) and implement read API with pagination + tenant enforcement. | SBOM Service Guild, Cartographer Guild (src/SbomService/StellaOps.SbomService/TASKS.md) +SBOM-SERVICE-21-002 | BLOCKED (2025-10-27) | Emit change events (`sbom.version.created`) carrying digest/version metadata for Graph Indexer builds; add replay/backfill tooling. | SBOM Service Guild, Scheduler Guild (src/SbomService/StellaOps.SbomService/TASKS.md) +SBOM-SERVICE-21-003 | BLOCKED (2025-10-27) | Provide entrypoint/service node management API (list/update overrides) feeding Cartographer path relevance with deterministic defaults. 
| SBOM Service Guild (src/SbomService/StellaOps.SbomService/TASKS.md) +SBOM-SERVICE-21-004 | BLOCKED (2025-10-27) | Wire observability: metrics (`sbom_projection_seconds`, `sbom_projection_size`), traces, structured logs with tenant info; set alerts for backlog. | SBOM Service Guild, Observability Guild (src/SbomService/StellaOps.SbomService/TASKS.md) +SBOM-SERVICE-23-001 | TODO | Extend projections to include asset metadata (criticality, owner, environment, exposure flags) required by policy rules; update schema docs. | SBOM Service Guild, Policy Guild (src/SbomService/StellaOps.SbomService/TASKS.md) +SBOM-SERVICE-23-002 | TODO | Emit `sbom.asset.updated` events when metadata changes; ensure idempotent payloads and documentation. | SBOM Service Guild, Platform Events Guild (src/SbomService/StellaOps.SbomService/TASKS.md) +SBOM-VULN-29-001 | TODO | Emit inventory evidence with `scope`, `runtime_flag`, dependency paths, and nearest safe version hints, streaming change events for resolver jobs. | SBOM Service Guild (src/SbomService/StellaOps.SbomService/TASKS.md) +SBOM-VULN-29-002 | TODO | Provide resolver feed (artifact, purl, version, paths) via queue/topic for Vuln Explorer candidate generation; ensure idempotent delivery. | SBOM Service Guild, Findings Ledger Guild (src/SbomService/StellaOps.SbomService/TASKS.md) + + +[Runtime & Signals] 140.C) Signals +Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner +Summary: Runtime & Signals focus on Signals). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +SIGNALS-24-003 | BLOCKED (2025-10-27) | Implement runtime facts ingestion endpoint and normalizer (process, sockets, container metadata) populating `context_facts` with AOC provenance. | Signals Guild, Runtime Guild (src/Signals/StellaOps.Signals/TASKS.md) +SIGNALS-24-004 | BLOCKED (2025-10-27) | Deliver reachability scoring engine producing states/scores and writing to `reachability_facts`; expose configuration for weights. 
| Signals Guild, Data Science (src/Signals/StellaOps.Signals/TASKS.md) +SIGNALS-24-005 | BLOCKED (2025-10-27) | Implement Redis caches (`reachability_cache:*`), invalidation on new facts, and publish `signals.fact.updated` events. | Signals Guild, Platform Events Guild (src/Signals/StellaOps.Signals/TASKS.md) + + +[Runtime & Signals] 140.D) Zastava +Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner +Summary: Runtime & Signals focus on Zastava). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +ZASTAVA-ENV-01 | TODO | Adopt Surface.Env helpers for cache endpoints, secret refs, and feature toggles. | Zastava Observer Guild (src/Zastava/StellaOps.Zastava.Observer/TASKS.md) +ZASTAVA-ENV-02 | TODO | Switch to Surface.Env helpers for webhook configuration (cache endpoint, secret refs, feature toggles). | Zastava Webhook Guild (src/Zastava/StellaOps.Zastava.Webhook/TASKS.md) +ZASTAVA-SECRETS-01 | TODO | Retrieve CAS/attestation access via Surface.Secrets instead of inline secret stores. | Zastava Observer Guild, Security Guild (src/Zastava/StellaOps.Zastava.Observer/TASKS.md) +ZASTAVA-SECRETS-02 | TODO | Retrieve attestation verification secrets via Surface.Secrets. | Zastava Webhook Guild, Security Guild (src/Zastava/StellaOps.Zastava.Webhook/TASKS.md) +ZASTAVA-SURFACE-01 | TODO | Integrate Surface.FS client for runtime drift detection (lookup cached layer hashes/entry traces). | Zastava Observer Guild (src/Zastava/StellaOps.Zastava.Observer/TASKS.md) +ZASTAVA-SURFACE-02 | TODO | Enforce Surface.FS availability during admission (deny when cache missing/stale) and embed pointer checks in webhook response. | Zastava Webhook Guild (src/Zastava/StellaOps.Zastava.Webhook/TASKS.md) + + +If all tasks are done - read next sprint section - SPRINT_150_scheduling_automation.md diff --git a/docs/implplan/SPRINT_150_scheduling_automation.md b/docs/implplan/SPRINT_150_scheduling_automation.md new file mode 100644 index 00000000..9bf52907 
--- /dev/null +++ b/docs/implplan/SPRINT_150_scheduling_automation.md 
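Review bot: all four section summaries in this file carry an unbalanced closing parenthesis, e.g. `Summary: Runtime & Signals focus on Graph).` and `Summary: Runtime & Signals focus on SbomService).`; the "(phase N)" suffix used in the scanner file was dropped but its `)` kept, so either restore the phase text or remove the `)`. The Signals board (140.C) lists `SIGNALS-24-003`, `-004` and `-005` all as `BLOCKED (2025-10-27)`, and the SbomService board has the four `SBOM-SERVICE-21-00x` rows in the same state, but none of them records what they are waiting on; the header only declares dependencies on Sprint 120.A and 130.A, neither of which is named as the blocker. Record the blocking task per row, otherwise the "If all tasks are done" hand-off to SPRINT_150 is not decidable. One cross-check on the Zastava board: `ZASTAVA-SURFACE-02` commits the webhook to deny admission when the Surface.FS cache is missing or stale, which is the right fail-closed default, but no task on this board says where the staleness threshold comes from or how `ZASTAVA-SURFACE-01` (Observer) and the webhook are kept in agreement on it; add that to one of the two rows so Observer and Webhook do not drift apart.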
@@ -0,0 +1,148 @@ +# Sprint 150 - Scheduling & Automation + +[Scheduling & Automation] 150.A) Orchestrator.I +Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph +Summary: Scheduling & Automation focus on Orchestrator (phase I). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +ORCH-AIRGAP-56-001 | TODO | Enforce job descriptors to declare network intents; reject or flag any external endpoints in sealed mode before scheduling. | Orchestrator Service Guild, AirGap Policy Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-AIRGAP-56-002 | TODO | Surface sealing status and time staleness in job scheduling decisions; block runs when staleness budgets exceeded. | Orchestrator Service Guild, AirGap Controller Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-AIRGAP-57-001 | TODO | Add job type `mirror.bundle` to orchestrate bundle creation in connected environments with audit + provenance outputs. | Orchestrator Service Guild, Mirror Creator Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-AIRGAP-58-001 | TODO | Capture import/export operations as timeline/evidence entries, ensuring chain-of-custody for mirror + portable evidence jobs. | Orchestrator Service Guild, Evidence Locker Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-OAS-61-001 | TODO | Document orchestrator endpoints in per-service OAS with standardized pagination, idempotency, and error envelope examples. | Orchestrator Service Guild, API Contracts Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-OAS-61-002 | TODO | Implement `GET /.well-known/openapi` in service and ensure version metadata aligns with runtime build. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-OAS-62-001 | TODO | Ensure SDK paginators and operations support orchestrator job operations; add SDK smoke tests for schedule/retry APIs. 
| Orchestrator Service Guild, SDK Generator Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-OAS-63-001 | TODO | Emit deprecation headers and documentation for legacy orchestrator endpoints; update notifications metadata. | Orchestrator Service Guild, API Governance Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-OBS-50-001 | TODO | Wire `StellaOps.Telemetry.Core` into orchestrator host, instrument schedulers and control APIs with trace spans, structured logs, and exemplar metrics. Ensure tenant/job metadata recorded for every span/log. | Orchestrator Service Guild, Observability Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-OBS-51-001 | TODO | Publish golden-signal metrics (dispatch latency, queue depth, failure rate), define job/tenant SLOs, and emit burn-rate alerts to collector + Notifications. Provide Grafana dashboards + alert rules. | Orchestrator Service Guild, DevOps Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-OBS-52-001 | TODO | Emit `timeline_event` objects for job lifecycle (`job.scheduled`, `job.started`, `job.completed`, `job.failed`) including trace IDs, run IDs, tenant/project, and causal metadata. Add contract tests and Kafka/NATS emitter with retries. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-OBS-53-001 | TODO | Generate job capsule inputs for evidence locker (payload digests, worker image, config hash, log manifest) and invoke locker snapshot hooks on completion/failure. Ensure redaction guard enforced. | Orchestrator Service Guild, Evidence Locker Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-OBS-54-001 | TODO | Produce DSSE attestations for orchestrator-scheduled jobs (subject = job capsule) and store references in timeline + evidence locker. Provide verification endpoint `/jobs/{id}/attestation`. 
| Orchestrator Service Guild, Provenance Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-OBS-55-001 | TODO | Implement incident mode hooks (sampling overrides, extended retention, additional debug spans) and automatic activation on SLO burn-rate breach. Emit activation/deactivation events to timeline + Notifier. | Orchestrator Service Guild, DevOps Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-SVC-32-001 | TODO | Bootstrap service project, configuration, and Postgres schema/migrations for `sources`, `runs`, `jobs`, `dag_edges`, `artifacts`, `quotas`, `schedules`. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) + + +[Scheduling & Automation] 150.A) Orchestrator.II +Depends on: Sprint 150.A - Orchestrator.I +Summary: Scheduling & Automation focus on Orchestrator (phase II). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +ORCH-SVC-32-002 | TODO | Implement scheduler DAG planner + dependency resolver, job state machine, and critical-path metadata without yet issuing control actions. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-SVC-32-003 | TODO | Expose read-only REST APIs (sources, runs, jobs, DAG) with OpenAPI, validation, pagination, and tenant scoping. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-SVC-32-004 | TODO | Implement WebSocket/SSE stream for job/run updates, emit structured metrics counters/histograms, and add health probes. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-SVC-32-005 | TODO | Deliver worker claim/heartbeat/progress endpoints capturing artifact metadata/checksums and enforcing idempotency keys. 
| Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-SVC-33-001 | TODO | Enable `sources test | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-SVC-33-002 | TODO | Implement per-source/tenant adaptive token-bucket rate limiter, concurrency caps, and backpressure signals reacting to upstream 429/503. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-SVC-33-003 | TODO | Add watermark/backfill manager with event-time windows, duplicate suppression, dry-run preview endpoint, and safety validations. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-SVC-33-004 | TODO | Deliver dead-letter store, replay endpoints, and error classification surfaces with remediation hints + notification hooks. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-SVC-34-001 | TODO | Implement quota management APIs, per-tenant SLO burn-rate computation, and alert budget tracking surfaced via metrics. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-SVC-34-002 | TODO | Build audit log + immutable run ledger export with signed manifest support, including provenance chain to artifacts. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-SVC-34-003 | TODO | Execute perf/scale validation (≥10k pending jobs, dispatch P95 <150 ms) and add autoscaling hooks with health probes. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-SVC-34-004 | TODO | Package orchestrator container, Helm overlays, offline bundle seeds, provenance attestations, and compliance checklist for GA. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-SVC-35-101 | TODO | Register `export` job type with quotas/rate policies, expose telemetry, and ensure exporter workers heartbeat via orchestrator contracts. 
| Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-SVC-36-101 | TODO | Capture distribution metadata and retention timestamps for export jobs, updating dashboards and SSE payloads. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-SVC-37-101 | TODO | Enable scheduled export runs, retention pruning hooks, and failure alerting tied to export job class. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) + + +[Scheduling & Automation] 150.A) Orchestrator.III +Depends on: Sprint 150.A - Orchestrator.II +Summary: Scheduling & Automation focus on Orchestrator (phase III). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +ORCH-SVC-38-101 | TODO | Standardize event envelope (policy/export/job lifecycle) with idempotency keys, ensure export/job failure events published to notifier bus with provenance metadata. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-SVC-41-101 | TODO | Register `pack-run` job type, persist run metadata, integrate logs/artifacts collection, and expose API for Task Runner scheduling. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-SVC-42-101 | TODO | Stream pack run logs via SSE/WS, add manifest endpoints, enforce quotas, and emit pack run events to Notifications Studio. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +ORCH-TEN-48-001 | TODO | Include `tenant_id`/`project_id` in job specs, set DB session context before processing, enforce context on all queries, and reject jobs missing tenant metadata. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md) +WORKER-GO-32-001 | TODO | Bootstrap Go SDK project with configuration binding, auth headers, job claim/acknowledge client, and smoke sample. 
| Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md) +WORKER-GO-32-002 | TODO | Add heartbeat/progress helpers, structured logging hooks, Prometheus metrics, and jittered retry defaults. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md) +WORKER-GO-33-001 | TODO | Implement artifact publish helpers (object storage client, checksum hashing, metadata payload) and idempotency guard. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md) +WORKER-GO-33-002 | TODO | Provide error classification/retry helper, exponential backoff controls, and structured failure reporting to orchestrator. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md) +WORKER-GO-34-001 | TODO | Add backfill range execution helpers, watermark handshake utilities, and artifact dedupe verification for backfills. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md) +WORKER-PY-32-001 | TODO | Bootstrap asyncio-based Python SDK (config, auth headers, job claim/ack) plus sample worker script. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md) +WORKER-PY-32-002 | TODO | Implement heartbeat/progress helpers with structured logging, metrics exporter, and cancellation-safe retries. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md) +WORKER-PY-33-001 | TODO | Add artifact publish/idempotency helpers (object storage adapters, checksum hashing, metadata payload) for Python workers. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md) +WORKER-PY-33-002 | TODO | Provide error classification/backoff helper mapping to orchestrator codes, including jittered retries and structured failure reports. 
| Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md) +WORKER-PY-34-001 | TODO | Implement backfill range iteration, watermark handshake, and artifact dedupe verification utilities for Python workers. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md) + + +[Scheduling & Automation] 150.B) PacksRegistry +Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph +Summary: Scheduling & Automation focus on PacksRegistry). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +PACKS-REG-41-001 | TODO | Implement registry service, migrations for `packs_index`, `parity_matrix`, provenance docs; support pack upload/list/get, signature verification, RBAC enforcement, and provenance manifest storage. | Packs Registry Guild (src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md) +PACKS-REG-42-001 | TODO | Add version lifecycle (promote/deprecate), tenant allowlists, provenance export, signature rotation, audit logs, and Offline Kit seed support. | Packs Registry Guild (src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md) +PACKS-REG-43-001 | TODO | Implement registry mirroring, pack signing policies, attestation integration, and compliance dashboards; integrate with Export Center. | Packs Registry Guild (src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md) + + +[Scheduling & Automation] 150.C) Scheduler.I +Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph +Summary: Scheduling & Automation focus on Scheduler (phase I). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +SCHED-CONSOLE-23-001 | TODO | Extend runs APIs with live progress SSE endpoints (`/console/runs/{id}/stream`), queue lag summaries, diff metadata fetch, retry/cancel hooks with RBAC enforcement, and deterministic pagination for history views consumed by Console. 
| Scheduler WebService Guild, BE-Base Platform Guild (src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md) +SCHED-CONSOLE-27-001 | TODO | Provide policy batch simulation orchestration endpoints (`/policies/simulations` POST/GET) exposing run creation, shard status, SSE progress, cancellation, and retries with RBAC enforcement. | Scheduler WebService Guild, Policy Registry Guild (src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md) +SCHED-CONSOLE-27-002 | TODO | Emit telemetry endpoints/metrics (`policy_simulation_queue_depth`, `policy_simulation_latency`) and webhook callbacks for completion/failure consumed by Registry. | Scheduler WebService Guild, Observability Guild (src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md) +SCHED-IMPACT-16-303 | TODO | Snapshot/compaction + invalidation for removed images; persistence to RocksDB/Redis per architecture. | Scheduler ImpactIndex Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/TASKS.md) +SCHED-SURFACE-01 | TODO | Evaluate Surface.FS pointers when planning delta scans to avoid redundant work and prioritise drift-triggered assets. | Scheduler Worker Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md) +SCHED-VULN-29-001 | TODO | Expose resolver job APIs (`POST /vuln/resolver/jobs`, `GET /vuln/resolver/jobs/{id}`) to trigger candidate recomputation per artifact/policy change with RBAC and rate limits. | Scheduler WebService Guild, Findings Ledger Guild (src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md) +SCHED-VULN-29-002 | TODO | Provide projector lag metrics endpoint and webhook notifications for backlog breaches consumed by DevOps dashboards. | Scheduler WebService Guild, Observability Guild (src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md) +SCHED-WEB-20-002 | BLOCKED (waiting on SCHED-WORKER-20-301) | Provide simulation trigger endpoint returning diff preview metadata and job state for UI/CLI consumption. 
| Scheduler WebService Guild (src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md) +SCHED-WEB-21-004 | DOING (2025-10-26) | Persist graph job lifecycle to Mongo storage and publish `scheduler.graph.job.completed@1` events + outbound webhook to Cartographer. | Scheduler WebService Guild, Scheduler Storage Guild (src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md) +SCHED-WORKER-21-203 | TODO | Export metrics (`graph_build_seconds`, `graph_jobs_inflight`, `overlay_lag_seconds`) and structured logs with tenant/graph identifiers. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md) +SCHED-WORKER-23-101 | TODO | Implement policy re-evaluation worker that shards assets, honours rate limits, and updates progress for Console after policy activation events. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md) +SCHED-WORKER-23-102 | TODO | Add reconciliation job ensuring re-eval completion within SLA, emitting alerts on backlog and persisting status to `policy_runs`. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md) +SCHED-WORKER-25-101 | TODO | Implement exception lifecycle worker handling auto-activation/expiry and publishing `exception.*` events with retries/backoff. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md) +SCHED-WORKER-25-102 | TODO | Add expiring notification job generating digests, marking `expiring` state, updating metrics/alerts. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md) +SCHED-WORKER-26-201 | TODO | Build reachability joiner worker that combines SBOM snapshots with signals, writes cached facts, and schedules updates on new events. 
| Scheduler Worker Guild, Signals Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md) + + +[Scheduling & Automation] 150.C) Scheduler.II +Depends on: Sprint 150.C - Scheduler.I +Summary: Scheduling & Automation focus on Scheduler (phase II). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +SCHED-WORKER-26-202 | TODO | Implement staleness monitor + notifier for outdated reachability facts, publishing warnings and updating dashboards. | Scheduler Worker Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md) +SCHED-WORKER-27-301 | TODO | Implement policy batch simulation worker: shard SBOM inventories, invoke Policy Engine, emit partial results, handle retries/backoff, and publish progress events. | Scheduler Worker Guild, Policy Registry Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md) +SCHED-WORKER-27-302 | TODO | Build reducer job aggregating shard outputs into final manifests (counts, deltas, samples) and writing to object storage with checksums; emit completion events. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md) +SCHED-WORKER-27-303 | TODO | Enforce tenant isolation, scope checks, and attestation integration for simulation jobs; secret scanning pipeline for uploaded policy sources. | Scheduler Worker Guild, Security Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md) +SCHED-WORKER-29-001 | TODO | Implement resolver worker generating candidate findings from inventory + advisory evidence, respecting ecosystem version semantics and path scope; emit jobs for policy evaluation. | Scheduler Worker Guild, Findings Ledger Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md) +SCHED-WORKER-29-002 | TODO | Build evaluation orchestration worker invoking Policy Engine batch eval, writing results to Findings Ledger projector queue, and handling retries/backoff. 
| Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md) +SCHED-WORKER-29-003 | TODO | Add monitoring for resolver/evaluation backlog, SLA breaches, and export job queue; expose metrics/alerts feeding DevOps dashboards. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md) +SCHED-WORKER-CONSOLE-23-201 | TODO | Stream run progress events (stage status, tuples processed, SLA hints) to Redis/NATS for Console SSE, with heartbeat, dedupe, and retention policy. Publish metrics + structured logs for queue lag. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md) +SCHED-WORKER-CONSOLE-23-202 | TODO | Coordinate evidence bundle jobs (enqueue, track status, cleanup) and expose job manifests to Web gateway; ensure idempotent reruns and cancellation support. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md) + + +[Scheduling & Automation] 150.D) TaskRunner.I +Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph +Summary: Scheduling & Automation focus on TaskRunner (phase I). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +TASKRUN-41-001 | TODO | Bootstrap service, define migrations for `pack_runs`, `pack_run_logs`, `pack_artifacts`, implement run API (create/get/log stream), local executor, approvals pause, artifact capture, and provenance manifest generation. | Task Runner Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md) +TASKRUN-42-001 | DOING (2025-10-29) | Add loops, conditionals, `maxParallel`, outputs, simulation mode, policy gate integration, and failure recovery (retry/abort) with deterministic state. 
| Task Runner Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md) +TASKRUN-43-001 | DOING (2025-10-29) | Implement approvals workflow (resume after approval), notifications integration, remote artifact uploads, chaos resilience, secret injection, and audit logs. | Task Runner Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md) +TASKRUN-AIRGAP-56-001 | TODO | Enforce plan-time validation rejecting steps with non-allowlisted network calls in sealed mode and surface remediation errors. | Task Runner Guild, AirGap Policy Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md) +TASKRUN-AIRGAP-56-002 | TODO | Add helper steps for bundle ingestion (checksum verification, staging to object store) with deterministic outputs. | Task Runner Guild, AirGap Importer Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md) +TASKRUN-AIRGAP-57-001 | TODO | Refuse to execute plans when environment sealed=false but declared sealed install; emit advisory timeline events. | Task Runner Guild, AirGap Controller Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md) +TASKRUN-AIRGAP-58-001 | TODO | Capture bundle import job transcripts, hashed inputs, and outputs into portable evidence bundles. | Task Runner Guild, Evidence Locker Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md) +TASKRUN-OAS-61-001 | TODO | Document Task Runner APIs (pack runs, logs, approvals) in service OAS, including streaming response schemas and examples. | Task Runner Guild, API Contracts Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md) +TASKRUN-OAS-61-002 | TODO | Expose `GET /.well-known/openapi` returning signed spec metadata, build version, and ETag. | Task Runner Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md) +TASKRUN-OAS-62-001 | TODO | Provide SDK examples for pack run lifecycle; ensure SDKs offer streaming log helpers and paginator wrappers. 
| Task Runner Guild, SDK Generator Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md) +TASKRUN-OAS-63-001 | TODO | Implement deprecation header support and Sunset handling for legacy pack APIs; emit notifications metadata. | Task Runner Guild, API Governance Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md) +TASKRUN-OBS-50-001 | TODO | Adopt telemetry core in Task Runner host + worker executors, ensuring step execution spans/logs include `trace_id`, `tenant_id`, `run_id`, and scrubbed command transcripts. | Task Runner Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md) +TASKRUN-OBS-51-001 | TODO | Emit metrics for step latency, retries, queue depth, sandbox resource usage; define SLOs for pack run completion and failure rate; surface burn-rate alerts to collector/Notifier. | Task Runner Guild, DevOps Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md) +TASKRUN-OBS-52-001 | TODO | Produce timeline events for pack runs (`pack.started`, `pack.step.completed`, `pack.failed`) containing evidence pointers and policy gate context. Provide dedupe + retry logic. | Task Runner Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md) +TASKRUN-OBS-53-001 | TODO | Capture step transcripts, artifact manifests, environment digests, and policy approvals into evidence locker snapshots; ensure redaction + hash chain coverage. | Task Runner Guild, Evidence Locker Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md) + + +[Scheduling & Automation] 150.D) TaskRunner.II +Depends on: Sprint 150.D - TaskRunner.I +Summary: Scheduling & Automation focus on TaskRunner (phase II). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +TASKRUN-OBS-54-001 | TODO | Generate DSSE attestations for pack runs (subjects = produced artifacts) and expose verification API/CLI integration. Store references in timeline events. 
| Task Runner Guild, Provenance Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md) +TASKRUN-OBS-55-001 | TODO | Implement incident mode escalations (extra telemetry, debug artifact capture, retention bump) and align on automatic activation via SLO breach webhooks. | Task Runner Guild, DevOps Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md) +TASKRUN-TEN-48-001 | TODO | Require tenant/project context for every pack run, set DB/object-store prefixes, block egress when tenant restricted, and propagate context to steps/logs. | Task Runner Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md) + + +If all tasks are done - read next sprint section - SPRINT_160_export_evidence.md diff --git a/docs/implplan/SPRINT_160_export_evidence.md b/docs/implplan/SPRINT_160_export_evidence.md new file mode 100644 index 00000000..4d9bcd4a --- /dev/null +++ b/docs/implplan/SPRINT_160_export_evidence.md 
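Review bot: the description cell for ORCH-SVC-33-001 is cut off at "Enable `sources test" and the rest of the row runs straight into the owners column, almost certainly because the backticked text contained a `|` that the pipe-delimited table reads as a column break; escape it as `\|` or reword the command reference so the full task text survives, since as written the task has no actionable description. Minor: the Summary line for 150.B ends in "focus on PacksRegistry)." with an unbalanced closing parenthesis, whereas the phased sections use "(phase I)." consistently; drop the stray ")". The BLOCKED state on SCHED-WEB-20-002 names its blocker inline (SCHED-WORKER-20-301), which is the useful form and worth keeping as the convention for every BLOCKED row.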
@@ -0,0 +1,95 @@ +# Sprint 160 - Export & Evidence + +[Export & Evidence] 160.A) EvidenceLocker +Depends on: Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator +Summary: Export & Evidence focus on EvidenceLocker). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +EVID-OBS-53-001 | TODO | Bootstrap `StellaOps.Evidence.Locker` service with Postgres schema for `evidence_bundles`, `evidence_artifacts`, `evidence_holds`, tenant RLS, and object-store abstraction (WORM optional). | Evidence Locker Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md) +EVID-OBS-53-002 | TODO | Implement bundle builders for evaluation/job/export snapshots collecting inputs, outputs, env digests, run metadata. Generate Merkle tree + manifest skeletons and persist root hash. | Evidence Locker Guild, Orchestrator Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md) +EVID-OBS-53-003 | TODO | Expose REST APIs (`POST /evidence/snapshot`, `GET /evidence/:id`, `POST /evidence/verify`, `POST /evidence/hold/:case_id`) with audit logging, tenant enforcement, and size quotas. | Evidence Locker Guild, Security Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md) +EVID-OBS-54-001 | TODO | Attach DSSE signing and RFC3161 timestamping to bundle manifests; validate against Provenance verification library. Wire legal hold retention extension and chain-of-custody events for Timeline Indexer. | Evidence Locker Guild, Provenance Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md) +EVID-OBS-54-002 | TODO | Provide bundle download/export packaging (tgz) with checksum manifest, offline verification instructions, and sample fixture for CLI tests. 
| Evidence Locker Guild, DevEx/CLI Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md) +EVID-OBS-55-001 | TODO | Implement incident mode hooks increasing retention window, capturing additional debug artefacts, and emitting activation/deactivation events to Timeline Indexer + Notifier. | Evidence Locker Guild, DevOps Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md) +EVID-OBS-60-001 | TODO | Deliver portable evidence export flow for sealed environments: generate sealed bundles with checksum manifest, redacted metadata, and offline verification script. Document air-gapped import/verify procedures. | Evidence Locker Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md) + + +[Export & Evidence] 160.B) ExportCenter.I +Depends on: Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator +Summary: Export & Evidence focus on ExportCenter (phase I). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +DVOFF-64-001 | TODO | Implement Export Center job `devportal --offline` bundling portal HTML, specs, SDK artifacts, changelogs, and verification manifest. | DevPortal Offline Guild, Exporter Guild (src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/TASKS.md) +DVOFF-64-002 | TODO | Provide verification CLI (`stella devportal verify bundle.tgz`) ensuring integrity before import. | DevPortal Offline Guild, AirGap Controller Guild (src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/TASKS.md) +EXPORT-AIRGAP-56-001 | TODO | Extend Export Center to build Mirror Bundles as export profiles, including advisories/VEX/policy packs manifesting DSSE/TUF metadata. | Exporter Service Guild, Mirror Creator Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-AIRGAP-56-002 | TODO | Package Bootstrap Pack (images + charts) into OCI archives with signed manifests for air-gapped deployment. 
| Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-AIRGAP-57-001 | TODO | Integrate portable evidence export mode producing sealed evidence bundles with DSSE signatures and chain-of-custody metadata. | Exporter Service Guild, Evidence Locker Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-AIRGAP-58-001 | TODO | Emit notifications and timeline events when Mirror Bundles or Bootstrap packs are ready for transfer. | Exporter Service Guild, Notifications Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-ATTEST-74-001 | TODO | Implement export job producing attestation bundles with manifest, checksums, DSSE signature, and optional transparency log segments. | Attestation Bundle Guild, Attestor Service Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md) +EXPORT-ATTEST-74-001 | TODO | Implement attestation bundle export job via Export Center. | Exporter Service Guild, Attestation Bundle Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-ATTEST-74-002 | TODO | Integrate bundle job into CI/offline kit packaging with checksum publication. | Attestation Bundle Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md) +EXPORT-ATTEST-75-001 | TODO | Provide CLI command `stella attest bundle verify/import` for air-gap usage. | Attestation Bundle Guild, CLI Attestor Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md) +EXPORT-ATTEST-75-001 | TODO | Integrate attestation bundles into offline kit flows and CLI commands. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-ATTEST-75-002 | TODO | Document `/docs/modules/attestor/airgap.md` with bundle workflows and verification steps. 
| Attestation Bundle Guild, Docs Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md) +EXPORT-OAS-61-001 | TODO | Update Exporter OAS covering profiles, runs, downloads, devportal exports with standard error envelope and examples. | Exporter Service Guild, API Contracts Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-OAS-61-002 | TODO | Provide `/.well-known/openapi` discovery endpoint with version metadata and ETag. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-OAS-62-001 | TODO | Ensure SDKs include export profile/run clients with streaming download helpers; add smoke tests. | Exporter Service Guild, SDK Generator Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) + + +[Export & Evidence] 160.B) ExportCenter.II +Depends on: Sprint 160.B - ExportCenter.I +Summary: Export & Evidence focus on ExportCenter (phase II). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +EXPORT-OAS-63-001 | TODO | Implement deprecation headers and notifications for legacy export endpoints. | Exporter Service Guild, API Governance Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-OBS-50-001 | TODO | Adopt telemetry core in exporter service + workers, ensuring spans/logs capture profile id, tenant, artifact counts, distribution type, and trace IDs. | Exporter Service Guild, Observability Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-OBS-51-001 | TODO | Emit metrics for export planner latency, bundle build time, distribution success rate, bundle size, and define SLOs (bundle availability P95 <90s). Add Grafana dashboards + burn-rate alerts. | Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-OBS-52-001 | TODO | Publish timeline events for export lifecycle (`export.requested`, `export.built`, `export.distributed`, `export.failed`) embedding manifest hashes and evidence refs. 
Provide dedupe + retry logic. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-OBS-53-001 | TODO | Push export manifests + distribution transcripts to evidence locker bundles, ensuring Merkle root alignment and DSSE pre-sign data available. | Exporter Service Guild, Evidence Locker Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-OBS-54-001 | TODO | Produce DSSE attestations for each export artifact and distribution target, expose verification API `/exports/{id}/attestation`, and integrate with CLI verify path. | Exporter Service Guild, Provenance Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-OBS-55-001 | TODO | Add incident mode enhancements (extra tracing for slow exports, additional debug logs, retention bump). Emit incident activation events to timeline + notifier. | Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-RISK-69-001 | TODO | Add Export Center job handler `risk-bundle` with provider selection, manifest signing, and audit logging. | Exporter Service Guild, Risk Bundle Export Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-RISK-69-002 | TODO | Enable simulation report exports pulling scored data + explainability snapshots. | Exporter Service Guild, Risk Engine Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-RISK-70-001 | TODO | Integrate risk bundle builds into offline kit packaging with checksum verification. | Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-SVC-35-001 | BLOCKED (2025-10-29) | Bootstrap exporter service project, configuration, and Postgres migrations for `export_profiles`, `export_runs`, `export_inputs`, `export_distributions` with tenant scoping + tests. 
| Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-SVC-35-002 | TODO | Implement planner + scope resolver translating filters into ledger iterators and orchestrator job payloads; include deterministic sampling and validation. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-SVC-35-003 | TODO | Deliver JSON adapters (`json:raw`, `json:policy`) with canonical normalization, redaction allowlists, compression, and manifest counts. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-SVC-35-004 | TODO | Build mirror (full) adapter producing filesystem layout, indexes, manifests, and README with download-only distribution. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-SVC-35-005 | TODO | Implement manifest/provenance writer and KMS signing/attestation (detached + embedded) for bundle outputs. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) + + +[Export & Evidence] 160.B) ExportCenter.III +Depends on: Sprint 160.B - ExportCenter.II +Summary: Export & Evidence focus on ExportCenter (phase III). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +EXPORT-SVC-35-006 | TODO | Expose Export API (profiles, runs, download, SSE updates) with audit logging, concurrency controls, and viewer/operator RBAC integration. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-SVC-36-001 | TODO | Implement Trivy DB adapter (core) with schema mappings, version flag gating, and validation harness. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-SVC-36-002 | TODO | Add Trivy Java DB variant with shared manifest entries and adapter regression tests. 
| Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-SVC-36-003 | TODO | Build OCI distribution engine (manifests, descriptors, annotations) with registry auth support and retries. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-SVC-36-004 | TODO | Extend planner/run lifecycle for distribution targets (OCI/object storage) with idempotent metadata updates and retention timestamps. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-SVC-37-001 | TODO | Implement mirror delta adapter with base manifest comparison, change set generation, and content-addressed reuse. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-SVC-37-002 | TODO | Add bundle encryption (age/AES-GCM), key wrapping via KMS, and verification tooling for encrypted outputs. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-SVC-37-003 | TODO | Implement export scheduling (cron/event), retention pruning, retry idempotency, and failure classification. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-SVC-37-004 | TODO | Provide verification API to stream manifests/hashes, compute hash+signature checks, and return attest status for CLI/UI. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-SVC-43-001 | TODO | Integrate pack run manifests/artifacts into export bundles and CLI verification flows; expose provenance links. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +EXPORT-TEN-48-001 | TODO | Prefix artifacts/manifests with tenant/project, enforce scope checks, and prevent cross-tenant exports unless explicitly whitelisted; update provenance. 
| Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md) +RISK-BUNDLE-69-001 | TODO | Implement `stella export risk-bundle` job producing tarball with provider datasets, manifests, and DSSE signatures. | Risk Bundle Export Guild, Risk Engine Guild (src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md) +RISK-BUNDLE-69-002 | TODO | Integrate bundle job into CI/offline kit pipelines with checksum publication. | Risk Bundle Export Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md) +RISK-BUNDLE-70-001 | TODO | Provide CLI `stella risk bundle verify` command to validate bundles before import. | Risk Bundle Export Guild, CLI Guild (src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md) +RISK-BUNDLE-70-002 | TODO | Publish `/docs/airgap/risk-bundles.md` detailing build/import/verification workflows. | Risk Bundle Export Guild, Docs Guild (src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md) + + +[Export & Evidence] 160.C) TimelineIndexer +Depends on: Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator +Summary: Export & Evidence focus on TimelineIndexer). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +TIMELINE-OBS-52-001 | TODO | Bootstrap `StellaOps.Timeline.Indexer` service with Postgres migrations for `timeline_events`, `timeline_event_details`, `timeline_event_digests`; enable RLS scaffolding and deterministic migration scripts. | Timeline Indexer Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md) +TIMELINE-OBS-52-002 | TODO | Implement event ingestion pipeline (NATS/Redis consumers) with ordering guarantees, dedupe on `(event_id, tenant_id)`, correlation to trace IDs, and backpressure metrics. 
| Timeline Indexer Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md) +TIMELINE-OBS-52-003 | TODO | Expose REST/gRPC APIs for timeline queries (`GET /timeline`, `/timeline/{id}`) with filters, pagination, and tenant enforcement. Provide OpenAPI + contract tests. | Timeline Indexer Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md) +TIMELINE-OBS-52-004 | TODO | Finalize RLS policies, scope checks (`timeline:read`), and audit logging for query access. Include integration tests for cross-tenant isolation and legal hold markers. | Timeline Indexer Guild, Security Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md) +TIMELINE-OBS-53-001 | TODO | Link timeline events to evidence bundle digests + attestation subjects; expose `/timeline/{id}/evidence` endpoint returning signed manifest references. | Timeline Indexer Guild, Evidence Locker Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md) + + +If all tasks are done - read next sprint section - SPRINT_170_notifications_telemetry.md diff --git a/docs/implplan/SPRINT_170_notifications_telemetry.md b/docs/implplan/SPRINT_170_notifications_telemetry.md new file mode 100644 index 00000000..d2bb17be --- /dev/null +++ b/docs/implplan/SPRINT_170_notifications_telemetry.md 
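Review bot: TIMELINE-OBS-52-002 dedupes on `(event_id, tenant_id)` and correlates trace IDs, but neither it nor 52-001 says where `tenant_id` is taken from; if the NATS/Redis consumer reads it from the event body, cross-tenant isolation rests entirely on the producer, and the RLS policies and isolation tests only arrive in TIMELINE-OBS-52-004. Suggest stating in 52-002 that `tenant_id` is derived from the authenticated producer/subject rather than trusted from the message payload, or listing 52-004's cross-tenant isolation tests as a dependency of 52-002 so the ingestion path cannot close without them. Smaller point: "Summary: Export & Evidence focus on TimelineIndexer)." carries an unmatched closing parenthesis, and the same stray ")" appears in the other single-phase Summary lines this patch generates, so the template that emits them is the place to fix it.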
@@ -0,0 +1,68 @@ +# Sprint 170 - Notifications & Telemetry + +[Notifications & Telemetry] 170.A) Notifier.I +Depends on: Sprint 150.A - Orchestrator +Summary: Notifications & Telemetry focus on Notifier (phase I). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +NOTIFY-AIRGAP-56-001 | TODO | Disable external webhook targets in sealed mode, default to enclave-safe channels (SMTP relay, syslog, file sink), and surface remediation guidance. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-AIRGAP-56-002 | TODO | Provide local notifier configurations bundled within Bootstrap Pack with deterministic secrets handling. | Notifications Service Guild, DevOps Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-AIRGAP-57-001 | TODO | Send staleness drift and bundle import notifications with remediation steps. | Notifications Service Guild, AirGap Time Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-AIRGAP-58-001 | TODO | Add portable evidence export completion notifications including checksum + location metadata. | Notifications Service Guild, Evidence Locker Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-ATTEST-74-001 | TODO | Create notification templates for verification failures, expiring attestations, key revocations, and transparency anomalies. | Notifications Service Guild, Attestor Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-ATTEST-74-002 | TODO | Wire notifications to key rotation/revocation events and transparency witness failures. | Notifications Service Guild, KMS Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-OAS-61-001 | TODO | Update notifier OAS with rules, templates, incidents, quiet hours endpoints using standard error envelope and examples. | Notifications Service Guild, API Contracts Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-OAS-61-002 | TODO | Implement `/.well-known/openapi` discovery endpoint with scope metadata. 
| Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-OAS-62-001 | TODO | Provide SDK usage examples for rule CRUD, incident ack, and quiet hours; ensure SDK smoke tests. | Notifications Service Guild, SDK Generator Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-OAS-63-001 | TODO | Emit deprecation headers and Notifications templates for retiring notifier APIs. | Notifications Service Guild, API Governance Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-OBS-51-001 | TODO | Integrate SLO evaluator webhooks into Notifier rules (burn-rate breaches, health degradations) with templates, routing, and suppression logic. Provide sample policies and ensure imposed rule propagation. | Notifications Service Guild, Observability Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-OBS-55-001 | TODO | Publish incident mode start/stop notifications with trace/evidence quick links, retention notes, and automatic escalation paths. Include quiet-hour overrides + legal compliance logging. | Notifications Service Guild, Ops Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-RISK-66-001 | TODO | Add notification triggers for risk severity escalation/downgrade events with profile metadata in payload. | Notifications Service Guild, Risk Engine Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-RISK-67-001 | TODO | Notify stakeholders when risk profiles are published, deprecated, or thresholds change. | Notifications Service Guild, Policy Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-RISK-68-001 | TODO | Support per-profile routing rules, quiet hours, and dedupe for risk alerts; integrate with CLI/Console preferences. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md) + + +[Notifications & Telemetry] 170.A) Notifier.II +Depends on: Sprint 170.A - Notifier.I +Summary: Notifications & Telemetry focus on Notifier (phase II). 
+Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +NOTIFY-SVC-37-001 | TODO | Define pack approval & policy notification contract, including OpenAPI schema, event payloads, resume token mechanics, and security guidance. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-SVC-37-002 | TODO | Implement secure ingestion endpoint, Mongo persistence (`pack_approvals`), idempotent writes, and audit trail for approval events. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-SVC-37-003 | TODO | Deliver approval/policy templates, routing predicates, and channel dispatch (email + webhook) with localization + redaction. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-SVC-37-004 | TODO | Provide acknowledgement API, Task Runner callback client, metrics for outstanding approvals, and runbook updates. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-SVC-38-002 | TODO | Implement channel adapters (email, chat webhook, generic webhook) with retry policies, health checks, and audit logging. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-SVC-38-003 | TODO | Deliver template service (versioned templates, localization scaffolding) and renderer with redaction allowlists, Markdown/HTML/JSON outputs, and provenance links. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-SVC-38-004 | TODO | Expose REST + WS APIs (rules CRUD, templates preview, incidents list, ack) with audit logging, RBAC checks, and live feed stream. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-SVC-39-001 | TODO | Implement correlation engine with pluggable key expressions/windows, throttler (token buckets), quiet hours/maintenance evaluator, and incident lifecycle. 
| Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-SVC-39-002 | TODO | Build digest generator (queries, formatting) with schedule runner and distribution via existing channels. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-SVC-39-003 | TODO | Provide simulation engine/API to dry-run rules against historical events, returning matched actions with explanations. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-SVC-39-004 | TODO | Integrate quiet hour calendars and default throttles with audit logging and operator overrides. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-SVC-40-001 | TODO | Implement escalations + on-call schedules, ack bridge, PagerDuty/OpsGenie adapters, and CLI/in-app inbox channels. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-SVC-40-002 | TODO | Add summary storm breaker notifications, localization bundles, and localization fallback handling. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-SVC-40-003 | TODO | Harden security: signed ack links (KMS), webhook HMAC/IP allowlists, tenant isolation fuzz tests, HTML sanitization. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md) +NOTIFY-SVC-40-004 | TODO | Finalize observability (metrics/traces for escalations, latency), dead-letter handling, chaos tests for channel outages, and retention policies. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md) + + +[Notifications & Telemetry] 170.A) Notifier.III +Depends on: Sprint 170.A - Notifier.II +Summary: Notifications & Telemetry focus on Notifier (phase III). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +NOTIFY-TEN-48-001 | TODO | Tenant-scope rules/templates/incidents, RLS on storage, tenant-prefixed channels, and inclusion of tenant context in notifications. 
| Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md) + + +[Notifications & Telemetry] 170.B) Telemetry +Depends on: Sprint 150.A - Orchestrator +Summary: Notifications & Telemetry focus on Telemetry). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +TELEMETRY-OBS-50-001 | TODO | Create `StellaOps.Telemetry.Core` library with structured logging facade, OpenTelemetry configuration helpers, and deterministic bootstrap (service name/version detection, resource attributes). Publish sample usage for web/worker hosts. | Telemetry Core Guild (src/Telemetry/StellaOps.Telemetry.Core/TASKS.md) +TELEMETRY-OBS-50-002 | TODO | Implement context propagation middleware/adapters for HTTP, gRPC, background jobs, and CLI invocations, carrying `trace_id`, `tenant_id`, `actor`, and imposed-rule metadata. Provide test harness covering async resume scenarios. | Telemetry Core Guild (src/Telemetry/StellaOps.Telemetry.Core/TASKS.md) +TELEMETRY-OBS-51-001 | TODO | Ship metrics helpers for golden signals (histograms, counters, gauges) with exemplar support and cardinality guards. Provide Roslyn analyzer preventing unsanitised labels. | Telemetry Core Guild, Observability Guild (src/Telemetry/StellaOps.Telemetry.Core/TASKS.md) +TELEMETRY-OBS-51-002 | TODO | Implement redaction/scrubbing filters for secrets/PII enforced at logger sink, configurable per-tenant with TTL, including audit of overrides. Add determinism tests verifying stable field order and timestamp normalization. | Telemetry Core Guild, Security Guild (src/Telemetry/StellaOps.Telemetry.Core/TASKS.md) +TELEMETRY-OBS-55-001 | TODO | Provide incident mode toggle API that adjusts sampling, enables extended retention tags, and records activation trail for services. Ensure toggle honored by all hosting templates and integrates with Config/FeatureFlag providers. 
| Telemetry Core Guild (src/Telemetry/StellaOps.Telemetry.Core/TASKS.md) +TELEMETRY-OBS-56-001 | TODO | Add sealed-mode telemetry helpers (drift metrics, seal/unseal spans, offline exporters) and ensure hosts can disable external exporters when sealed. | Telemetry Core Guild (src/Telemetry/StellaOps.Telemetry.Core/TASKS.md) + + +If all tasks are done - read next sprint section - SPRINT_180_experience_sdks.md diff --git a/docs/implplan/SPRINT_180_experience_sdks.md b/docs/implplan/SPRINT_180_experience_sdks.md new file mode 100644 index 00000000..09c94492 --- /dev/null +++ b/docs/implplan/SPRINT_180_experience_sdks.md 
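Review bot: In Notifier.II the hardening task NOTIFY-SVC-40-003 ("signed ack links (KMS), webhook HMAC/IP allowlists, tenant isolation fuzz tests, HTML sanitization") is scheduled after the tasks that expose those surfaces: NOTIFY-SVC-37-002 delivers the ingestion endpoint, 37-004 the acknowledgement API, and 38-002 the channel adapters with outbound webhooks. An ack API without signed links, or a webhook adapter without HMAC signing and an allowlist, can reach an environment before 40-003 lands; fold the HMAC/allowlist requirement into 38-002 and the signed-link requirement into 37-004, and keep 40-003 for the fuzzing and sanitization sweep. Related: NOTIFY-AIRGAP-56-001 disables external webhook targets in sealed mode, but 38-002 does not mention honouring that check, so add it as an acceptance criterion there to stop the adapter re-opening the path. Style: "Summary: Notifications & Telemetry focus on Telemetry)." has the stray closing parenthesis.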
@@ -0,0 +1,326 @@ +# Sprint 180 - Experience & SDKs + +[Experience & SDKs] 180.A) Cli.I +Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator, Sprint 170.A - Notifier +Summary: Experience & SDKs focus on Cli (phase I). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +CLI-AIAI-31-001 | TODO | Implement `stella advise summarize` command with JSON/Markdown outputs and citation display. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-AIAI-31-002 | TODO | Implement `stella advise explain` showing conflict narrative and structured rationale. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-AIAI-31-003 | TODO | Implement `stella advise remediate` generating remediation plans with `--strategy` filters and file output. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-AIAI-31-004 | TODO | Implement `stella advise batch` for summaries/conflicts/remediation with progress + multi-status responses. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-AIRGAP-56-001 | TODO | Implement `stella mirror create | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-AIRGAP-56-002 | TODO | Ensure telemetry propagation under sealed mode (no remote exporters) while preserving correlation IDs; add label `AirGapped-Phase-1`. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-AIRGAP-57-001 | TODO | Add `stella airgap import` with diff preview, bundle scope selection (`--tenant`, `--global`), audit logging, and progress reporting. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-AIRGAP-57-002 | TODO | Provide `stella airgap seal | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-AIRGAP-58-001 | TODO | Implement `stella airgap export evidence` helper for portable evidence packages, including checksum manifest and verification. 
| DevEx/CLI Guild, Evidence Locker Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-ATTEST-73-001 | TODO | Implement `stella attest sign` (payload selection, subject digest, key reference, output format) using official SDK transport. | CLI Attestor Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-ATTEST-73-002 | TODO | Implement `stella attest verify` with policy selection, explainability output, and JSON/table formatting. | CLI Attestor Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-ATTEST-74-001 | TODO | Implement `stella attest list` with filters (subject, type, issuer, scope) and pagination. | CLI Attestor Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-ATTEST-74-002 | TODO | Implement `stella attest fetch` to download envelopes and payloads to disk. | CLI Attestor Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-ATTEST-75-001 | TODO | Implement `stella attest key create | CLI Attestor Guild, KMS Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-ATTEST-75-002 | TODO | Add support for building/verifying attestation bundles in CLI. | CLI Attestor Guild, Export Guild (src/Cli/StellaOps.Cli/TASKS.md) + + +[Experience & SDKs] 180.A) Cli.II +Depends on: Sprint 180.A - Cli.I +Summary: Experience & SDKs focus on Cli (phase II). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +CLI-CORE-41-001 | TODO | Implement CLI core features: config precedence, profiles/contexts, auth flows, output renderer (json/yaml/table), error mapping, global flags, telemetry opt-in. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-EXC-25-001 | TODO | Implement `stella exceptions list | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-EXC-25-002 | TODO | Extend `stella policy simulate` with `--with-exception`/`--without-exception` flags to preview exception impact. 
| DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-EXPORT-35-001 | BLOCKED (2025-10-29) | Implement `stella export profiles | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-EXPORT-36-001 | TODO | Add distribution commands (`stella export distribute`, `run download --resume` enhancements) and improved status polling with progress bars. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-EXPORT-37-001 | TODO | Provide scheduling (`stella export schedule`), retention, and `export verify` commands performing signature/hash validation. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-FORENSICS-53-001 | TODO | Implement `stella forensic snapshot create --case` and `snapshot list/show` commands invoking evidence locker APIs, surfacing manifest digests, and storing local cache metadata. | DevEx/CLI Guild, Evidence Locker Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-FORENSICS-54-001 | TODO | Provide `stella forensic verify ` command validating checksums, DSSE signatures, and timeline chain-of-custody. Support JSON/pretty output and exit codes for CI. | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-FORENSICS-54-002 | TODO | Implement `stella forensic attest show ` listing attestation details (signer, timestamp, subjects) and verifying signatures. | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-LNM-22-001 | TODO | Implement `stella advisory obs get/linkset show/export` commands with JSON/OSV output, pagination, and conflict display; ensure `ERR_AGG_*` mapping. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-LNM-22-002 | TODO | Implement `stella vex obs get/linkset show` commands with product filters, status filters, and JSON output for CI usage. 
| DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-NOTIFY-38-001 | BLOCKED (2025-10-29) | Implement `stella notify rules | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-NOTIFY-39-001 | BLOCKED (2025-10-29) | Add simulation (`stella notify simulate`) and digest commands with diff output and schedule triggering, including dry-run mode. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-NOTIFY-40-001 | TODO | Provide ack token redemption workflow, escalation management, localization previews, and channel health checks. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-OBS-50-001 | TODO | Ensure CLI HTTP client propagates `traceparent` headers for all commands, prints correlation IDs on failure, and records trace IDs in verbose logs (scrubbed). | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) + + +[Experience & SDKs] 180.A) Cli.III +Depends on: Sprint 180.A - Cli.II +Summary: Experience & SDKs focus on Cli (phase III). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +CLI-OBS-51-001 | TODO | Implement `stella obs top` command streaming service health metrics, SLO status, and burn-rate alerts with TUI view and JSON output. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-OBS-52-001 | TODO | Add `stella obs trace ` and `stella obs logs --from/--to` commands that correlate timeline events, logs, and evidence links with pagination + guardrails. 
| DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-OBS-55-001 | TODO | Add `stella obs incident-mode enable | DevEx/CLI Guild, DevOps Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-ORCH-32-001 | TODO | Implement `stella orch sources | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-ORCH-33-001 | TODO | Add action verbs (`sources test | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-ORCH-34-001 | TODO | Provide backfill wizard (`--from/--to --dry-run`), quota management (`quotas get | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-PACKS-42-001 | TODO | Implement Task Pack commands (`pack plan/run/push/pull/verify`) with schema validation, expression sandbox, plan/simulate engine, remote execution. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-PACKS-43-001 | TODO | Deliver advanced pack features (approvals pause/resume, secret injection, localization, man pages, offline cache). | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-PARITY-41-001 | TODO | Deliver parity command groups (`policy`, `sbom`, `vuln`, `vex`, `advisory`, `export`, `orchestrator`) with `--explain`, deterministic outputs, and parity matrix entries. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-PARITY-41-002 | TODO | Implement `notify`, `aoc`, `auth` command groups, idempotency keys, shell completions, config docs, and parity matrix export tooling. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-POLICY-20-001 | TODO | Add `stella policy new | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-POLICY-23-004 | TODO | Add `stella policy lint` command validating SPL files with compiler diagnostics; support JSON output. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-POLICY-23-005 | DOING (2025-10-28) | Implement `stella policy activate` with scheduling window, approval enforcement, and summary output. 
| DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-POLICY-23-006 | TODO | Provide `stella policy history` and `stella policy explain` commands to pull run history and explanation trees. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-POLICY-27-001 | TODO | Implement policy workspace commands (`stella policy init`, `edit`, `lint`, `compile`, `test`) with template selection, local cache, JSON output, and deterministic temp directories. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) + + +[Experience & SDKs] 180.A) Cli.IV +Depends on: Sprint 180.A - Cli.III +Summary: Experience & SDKs focus on Cli (phase IV). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +CLI-POLICY-27-002 | TODO | Add submission/review workflow commands (`stella policy version bump`, `submit`, `review comment`, `approve`, `reject`) supporting reviewer assignment, changelog capture, and exit codes. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-POLICY-27-003 | TODO | Implement `stella policy simulate` enhancements (quick vs batch, SBOM selectors, heatmap summary, manifest download) with `--json` and Markdown report output for CI. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-POLICY-27-004 | TODO | Add lifecycle commands for publish/promote/rollback/sign (`stella policy publish --sign`, `promote --env`, `rollback`) with attestation verification and canary arguments. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-POLICY-27-005 | TODO | Update CLI reference and samples for Policy Studio including JSON schemas, exit codes, and CI snippets. | DevEx/CLI Guild, Docs Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-POLICY-27-006 | TODO | Update CLI policy profiles/help text to request the new Policy Studio scope family, surface ProblemDetails guidance for `invalid_scope`, and adjust regression tests for scope failures. 
| DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-RISK-66-001 | TODO | Implement `stella risk profile list | DevEx/CLI Guild, Policy Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-RISK-66-002 | TODO | Ship `stella risk simulate` supporting SBOM/asset inputs, diff mode, and export to JSON/CSV. | DevEx/CLI Guild, Risk Engine Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-RISK-67-001 | TODO | Provide `stella risk results` with filtering, severity thresholds, explainability fetch. | DevEx/CLI Guild, Findings Ledger Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-RISK-68-001 | TODO | Add `stella risk bundle verify` and integrate with offline risk bundles. | DevEx/CLI Guild, Export Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-SDK-62-001 | TODO | Replace bespoke HTTP clients with official SDK (TS/Go) for all CLI commands; ensure modular transport for air-gapped mode. | DevEx/CLI Guild, SDK Generator Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-SDK-62-002 | TODO | Update CLI error handling to surface standardized API error envelope with `error.code` and `trace_id`. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-SDK-63-001 | TODO | Expose `stella api spec download` command retrieving aggregate OAS and verifying checksum/ETag. | DevEx/CLI Guild, API Governance Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-SDK-64-001 | TODO | Add CLI subcommand `stella sdk update` to fetch latest SDK manifests/changelogs; integrate with Notifications for deprecations. | DevEx/CLI Guild, SDK Release Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-SIG-26-001 | TODO | Implement `stella reachability upload-callgraph` and `stella reachability list/explain` commands with streaming upload, pagination, and exit codes. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-SIG-26-002 | TODO | Extend `stella policy simulate` with reachability override flags (`--reachability-state`, `--reachability-score`). 
| DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) + + +[Experience & SDKs] 180.A) Cli.V +Depends on: Sprint 180.A - Cli.IV +Summary: Experience & SDKs focus on Cli (phase V). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +CLI-TEN-47-001 | TODO | Implement `stella login`, `whoami`, `tenants list`, persistent profiles, secure token storage, and `--tenant` override with validation. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-TEN-49-001 | TODO | Add service account token minting, delegation (`stella token delegate`), impersonation banner, and audit-friendly logging. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-VEX-30-001 | TODO | Implement `stella vex consensus list` with filters, paging, policy selection, `--json/--csv`. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-VEX-30-002 | TODO | Implement `stella vex consensus show` displaying quorum, evidence, rationale, signature status. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-VEX-30-003 | TODO | Implement `stella vex simulate` for trust/threshold overrides with JSON diff output. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-VEX-30-004 | TODO | Implement `stella vex export` for consensus NDJSON bundles with signature verification helper. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-VULN-29-001 | TODO | Implement `stella vuln list` with grouping, paging, filters, `--json/--csv`, and policy selection. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-VULN-29-002 | TODO | Implement `stella vuln show` displaying evidence, policy rationale, paths, ledger summary; support `--json` for automation. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-VULN-29-003 | TODO | Add workflow commands (`assign`, `comment`, `accept-risk`, `verify-fix`, `target-fix`, `reopen`) with filter selection (`--filter`) and idempotent retries. 
| DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-VULN-29-004 | TODO | Implement `stella vuln simulate` producing delta summaries and optional Markdown report for CI. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-VULN-29-005 | TODO | Add `stella vuln export` and `stella vuln bundle verify` commands to trigger/download evidence bundles and verify signatures. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md) +CLI-VULN-29-006 | TODO | Update CLI docs/examples for Vulnerability Explorer with compliance checklist and CI snippets. | DevEx/CLI Guild, Docs Guild (src/Cli/StellaOps.Cli/TASKS.md) + + +[Experience & SDKs] 180.B) DevPortal +Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator, Sprint 170.A - Notifier +Summary: Experience & SDKs focus on DevPortal). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +DEVPORT-62-001 | TODO | Select static site generator, integrate aggregate spec, build navigation + search scaffolding. | Developer Portal Guild (src/DevPortal/StellaOps.DevPortal.Site/TASKS.md) +DEVPORT-62-002 | TODO | Implement schema viewer, example rendering, copy-curl snippets, and version selector UI. | Developer Portal Guild (src/DevPortal/StellaOps.DevPortal.Site/TASKS.md) +DEVPORT-63-001 | TODO | Add Try-It console pointing at sandbox environment with token onboarding and scope info. | Developer Portal Guild, Platform Guild (src/DevPortal/StellaOps.DevPortal.Site/TASKS.md) +DEVPORT-63-002 | TODO | Embed language-specific SDK snippets and quick starts generated from tested examples. | Developer Portal Guild, SDK Generator Guild (src/DevPortal/StellaOps.DevPortal.Site/TASKS.md) +DEVPORT-64-001 | TODO | Provide offline build target bundling HTML, specs, SDK archives; ensure no external assets. | Developer Portal Guild, Export Center Guild (src/DevPortal/StellaOps.DevPortal.Site/TASKS.md) +DEVPORT-64-002 | TODO | Add automated accessibility tests, link checker, and performance budgets. 
| Developer Portal Guild (src/DevPortal/StellaOps.DevPortal.Site/TASKS.md) + + +[Experience & SDKs] 180.C) Graph +Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator, Sprint 170.A - Notifier +Summary: Experience & SDKs focus on Graph). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +GRAPH-API-28-001 | TODO | Define OpenAPI + JSON schema for graph search/query/paths/diff/export endpoints, including cost metadata and streaming tile schema. | Graph API Guild (src/Graph/StellaOps.Graph.Api/TASKS.md) +GRAPH-API-28-002 | TODO | Implement `/graph/search` with multi-type index lookup, prefix/exact match, RBAC enforcement, and result ranking + caching. | Graph API Guild (src/Graph/StellaOps.Graph.Api/TASKS.md) +GRAPH-API-28-003 | TODO | Build query planner + cost estimator for `/graph/query`, stream tiles (nodes/edges/stats) progressively, enforce budgets, provide cursor tokens. | Graph API Guild (src/Graph/StellaOps.Graph.Api/TASKS.md) +GRAPH-API-28-004 | TODO | Implement `/graph/paths` with depth ≤6, constraint filters, heuristic shortest path search, and optional policy overlay rendering. | Graph API Guild (src/Graph/StellaOps.Graph.Api/TASKS.md) +GRAPH-API-28-005 | TODO | Implement `/graph/diff` streaming added/removed/changed nodes/edges between SBOM snapshots; include overlay deltas and policy/VEX/advisory metadata. | Graph API Guild (src/Graph/StellaOps.Graph.Api/TASKS.md) +GRAPH-API-28-006 | TODO | Consume Policy Engine overlay contract (`POLICY-ENGINE-30-001..003`) and surface advisory/VEX/policy overlays with caching, partial materialization, and explain trace sampling for focused nodes. | Graph API Guild (src/Graph/StellaOps.Graph.Api/TASKS.md) +GRAPH-API-28-007 | TODO | Implement exports (`graphml`, `csv`, `ndjson`, `png`, `svg`) with async job management, checksum manifests, and streaming downloads. 
| Graph API Guild (src/Graph/StellaOps.Graph.Api/TASKS.md) +GRAPH-API-28-008 | TODO | Integrate RBAC scopes (`graph:read`, `graph:query`, `graph:export`), tenant headers, audit logging, and rate limiting. | Graph API Guild, Authority Guild (src/Graph/StellaOps.Graph.Api/TASKS.md) +GRAPH-API-28-009 | TODO | Instrument metrics (`graph_tile_latency_seconds`, `graph_query_budget_denied_total`, `graph_overlay_cache_hit_ratio`), structured logs, and traces per query stage; publish dashboards. | Graph API Guild, Observability Guild (src/Graph/StellaOps.Graph.Api/TASKS.md) +GRAPH-API-28-010 | TODO | Build unit/integration/load tests with synthetic datasets (500k nodes/2M edges), fuzz query validation, verify determinism across runs. | Graph API Guild, QA Guild (src/Graph/StellaOps.Graph.Api/TASKS.md) +GRAPH-API-28-011 | TODO | Provide deployment manifests, offline kit support, API gateway integration docs, and smoke tests. | Graph API Guild, DevOps Guild (src/Graph/StellaOps.Graph.Api/TASKS.md) + + +[Experience & SDKs] 180.D) Sdk +Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator, Sprint 170.A - Notifier +Summary: Experience & SDKs focus on Sdk). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +SDKGEN-62-001 | TODO | Choose/pin generator toolchain, set up language template pipeline, and enforce reproducible builds. | SDK Generator Guild (src/Sdk/StellaOps.Sdk.Generator/TASKS.md) +SDKGEN-62-002 | TODO | Implement shared post-processing (auth helpers, retries, pagination utilities, telemetry hooks) applied to all languages. | SDK Generator Guild (src/Sdk/StellaOps.Sdk.Generator/TASKS.md) +SDKGEN-63-001 | TODO | Ship TypeScript SDK alpha with ESM/CJS builds, typed errors, paginator, streaming helpers. | SDK Generator Guild (src/Sdk/StellaOps.Sdk.Generator/TASKS.md) +SDKGEN-63-002 | TODO | Ship Python SDK alpha (sync/async clients, type hints, upload/download helpers). 
| SDK Generator Guild (src/Sdk/StellaOps.Sdk.Generator/TASKS.md) +SDKGEN-63-003 | TODO | Ship Go SDK alpha with context-first API and streaming helpers. | SDK Generator Guild (src/Sdk/StellaOps.Sdk.Generator/TASKS.md) +SDKGEN-63-004 | TODO | Ship Java SDK alpha (builder pattern, HTTP client abstraction). | SDK Generator Guild (src/Sdk/StellaOps.Sdk.Generator/TASKS.md) +SDKGEN-64-001 | TODO | Switch CLI to consume TS or Go SDK; ensure parity. | SDK Generator Guild, CLI Guild (src/Sdk/StellaOps.Sdk.Generator/TASKS.md) +SDKGEN-64-002 | TODO | Integrate SDKs into Console data providers where feasible. | SDK Generator Guild, Console Guild (src/Sdk/StellaOps.Sdk.Generator/TASKS.md) +SDKREL-63-001 | TODO | Configure CI pipelines for npm, PyPI, Maven Central staging, and Go proxies with signing and provenance attestations. | SDK Release Guild (src/Sdk/StellaOps.Sdk.Release/TASKS.md) +SDKREL-63-002 | TODO | Integrate changelog automation pulling from OAS diffs and generator metadata. | SDK Release Guild, API Governance Guild (src/Sdk/StellaOps.Sdk.Release/TASKS.md) +SDKREL-64-001 | TODO | Hook SDK releases into Notifications Studio with scoped announcements and RSS/Atom feeds. | SDK Release Guild, Notifications Guild (src/Sdk/StellaOps.Sdk.Release/TASKS.md) +SDKREL-64-002 | TODO | Add `devportal --offline` bundle job packaging docs, specs, SDK artifacts for air-gapped users. | SDK Release Guild, Export Center Guild (src/Sdk/StellaOps.Sdk.Release/TASKS.md) + + +[Experience & SDKs] 180.E) UI.I +Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator, Sprint 170.A - Notifier +Summary: Experience & SDKs focus on UI (phase I). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +UI-AOC-19-001 | TODO | Add Sources dashboard tiles showing AOC pass/fail, recent violation codes, and ingest throughput per tenant. 
| UI Guild (src/UI/StellaOps.UI/TASKS.md) +UI-AOC-19-002 | TODO | Implement violation drill-down view highlighting offending document fields and provenance metadata. | UI Guild (src/UI/StellaOps.UI/TASKS.md) +UI-AOC-19-003 | TODO | Add "Verify last 24h" action triggering AOC verifier endpoint and surfacing CLI parity guidance. | UI Guild (src/UI/StellaOps.UI/TASKS.md) +UI-EXC-25-001 | TODO | Build Exception Center (list + kanban) with filters, sorting, workflow transitions, and audit views. | UI Guild, Governance Guild (src/UI/StellaOps.UI/TASKS.md) +UI-EXC-25-002 | TODO | Implement exception creation wizard with scope preview, justification templates, timebox guardrails. | UI Guild (src/UI/StellaOps.UI/TASKS.md) +UI-EXC-25-003 | TODO | Add inline exception drafting/proposing from Vulnerability Explorer and Graph detail panels with live simulation. | UI Guild (src/UI/StellaOps.UI/TASKS.md) +UI-EXC-25-004 | TODO | Surface exception badges, countdown timers, and explain integration across Graph/Vuln Explorer and policy views. | UI Guild (src/UI/StellaOps.UI/TASKS.md) +UI-EXC-25-005 | TODO | Add keyboard shortcuts (`x`,`a`,`r`) and ensure screen-reader messaging for approvals/revocations. | UI Guild, Accessibility Guild (src/UI/StellaOps.UI/TASKS.md) +UI-GRAPH-21-001 | TODO | Align Graph Explorer auth configuration with new `graph:*` scopes; consume scope identifiers from shared `StellaOpsScopes` exports (via generated SDK/config) instead of hard-coded strings. | UI Guild (src/UI/StellaOps.UI/TASKS.md) +UI-GRAPH-24-001 | TODO | Build Graph Explorer canvas with layered/radial layouts, virtualization, zoom/pan, and scope toggles; initial render <1.5s for sample asset. | UI Guild, SBOM Service Guild (src/UI/StellaOps.UI/TASKS.md) +UI-GRAPH-24-002 | TODO | Implement overlays (Policy, Evidence, License, Exposure), simulation toggle, path view, and SBOM diff/time-travel with accessible tooltips/AOC indicators. 
| UI Guild, Policy Guild (src/UI/StellaOps.UI/TASKS.md) +UI-GRAPH-24-003 | TODO | Deliver filters/search panel with facets, saved views, permalinks, and share modal. | UI Guild (src/UI/StellaOps.UI/TASKS.md) +UI-GRAPH-24-004 | TODO | Add side panels (Details, What-if, History) with upgrade simulation integration and SBOM diff viewer. | UI Guild (src/UI/StellaOps.UI/TASKS.md) +UI-GRAPH-24-006 | TODO | Ensure accessibility (keyboard nav, screen reader labels, contrast), add hotkeys (`f`,`e`,`.`), and analytics instrumentation. | UI Guild, Accessibility Guild (src/UI/StellaOps.UI/TASKS.md) +UI-LNM-22-001 | TODO | Build Evidence panel showing policy decision with advisory observations/linksets side-by-side, conflict badges, AOC chain, and raw doc download links. Docs `DOCS-LNM-22-005` waiting on delivered UI for screenshots + flows. | UI Guild, Policy Guild (src/UI/StellaOps.UI/TASKS.md) + + +[Experience & SDKs] 180.E) UI.II +Depends on: Sprint 180.E - UI.I +Summary: Experience & SDKs focus on UI (phase II). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +UI-LNM-22-002 | TODO | Implement filters (source, severity bucket, conflict-only, CVSS vector presence) and pagination/lazy loading for large linksets. Docs depend on finalized filtering UX. | UI Guild (src/UI/StellaOps.UI/TASKS.md) +UI-LNM-22-003 | TODO | Add VEX tab with status/justification summaries, conflict indicators, and export actions. Required for `DOCS-LNM-22-005` coverage of VEX evidence tab. | UI Guild, Excititor Guild (src/UI/StellaOps.UI/TASKS.md) +UI-LNM-22-004 | TODO | Provide permalink + copy-to-clipboard for selected component/linkset/policy combination; ensure high-contrast theme support. | UI Guild (src/UI/StellaOps.UI/TASKS.md) +UI-ORCH-32-001 | TODO | Update Console RBAC mappings to surface `Orch.Viewer`, request `orch:read` scope in token flows, and gate dashboard access/messaging accordingly. 
| UI Guild, Console Guild (src/UI/StellaOps.UI/TASKS.md) +UI-POLICY-13-007 | TODO | Surface policy confidence metadata (band, age, quiet provenance) on preview and report views. | UI Guild (src/UI/StellaOps.UI/TASKS.md) +UI-POLICY-20-001 | TODO | Ship Monaco-based policy editor with DSL syntax highlighting, inline diagnostics, and compliance checklist sidebar. | UI Guild (src/UI/StellaOps.UI/TASKS.md) +UI-POLICY-20-002 | TODO | Build simulation panel showing before/after counts, severity deltas, and rule hit summaries with deterministic diff rendering. | UI Guild (src/UI/StellaOps.UI/TASKS.md) +UI-POLICY-20-003 | TODO | Implement submit/review/approve workflow with comments, approvals log, and RBAC checks aligned to new Policy Studio roles (`policy:author`/`policy:review`/`policy:approve`/`policy:operate`). | UI Guild, Product Ops (src/UI/StellaOps.UI/TASKS.md) +UI-POLICY-20-004 | TODO | Add run viewer dashboards (rule heatmap, VEX wins, suppressions) with filter/search and export. | UI Guild, Observability Guild (src/UI/StellaOps.UI/TASKS.md) +UI-POLICY-23-001 | TODO | Deliver Policy Editor workspace with pack list, revision history, and scoped metadata cards. | UI Guild, Policy Guild (src/UI/StellaOps.UI/TASKS.md) +UI-POLICY-23-002 | TODO | Implement YAML editor with schema validation, lint diagnostics, and live canonicalization preview. | UI Guild (src/UI/StellaOps.UI/TASKS.md) +UI-POLICY-23-003 | TODO | Build guided rule builder (source preferences, severity mapping, VEX precedence, exceptions) with preview JSON output. | UI Guild (src/UI/StellaOps.UI/TASKS.md) +UI-POLICY-23-004 | TODO | Add review/approval workflow UI: checklists, comments, two-person approval indicator, scope scheduling. | UI Guild (src/UI/StellaOps.UI/TASKS.md) +UI-POLICY-23-005 | TODO | Integrate simulator panel (SBOM/component/advisory selection), run diff vs active policy, show explain tree and overlays. 
| UI Guild (src/UI/StellaOps.UI/TASKS.md) +UI-POLICY-23-006 | TODO | Implement explain view linking to evidence overlays and exceptions; provide export to JSON/PDF. | UI Guild (src/UI/StellaOps.UI/TASKS.md) + + +[Experience & SDKs] 180.E) UI.III +Depends on: Sprint 180.E - UI.II +Summary: Experience & SDKs focus on UI (phase III). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +UI-POLICY-27-001 | TODO | Update Console policy workspace RBAC guards, scope requests, and user messaging to reflect the new Policy Studio roles/scopes (`policy:author/review/approve/operate/audit/simulate`), including Cypress auth stubs and help text. | UI Guild, Product Ops (src/UI/StellaOps.UI/TASKS.md) +UI-SIG-26-001 | TODO | Add reachability columns/badges to Vulnerability Explorer with filters and tooltips. | UI Guild, Signals Guild (src/UI/StellaOps.UI/TASKS.md) +UI-SIG-26-002 | TODO | Enhance “Why” drawer with call path visualization, reachability timeline, and evidence list. | UI Guild (src/UI/StellaOps.UI/TASKS.md) +UI-SIG-26-003 | TODO | Add reachability overlay halos/time slider to SBOM Graph along with state legend. | UI Guild (src/UI/StellaOps.UI/TASKS.md) +UI-SIG-26-004 | TODO | Build Reachability Center view showing asset coverage, missing sensors, and stale facts. | UI Guild (src/UI/StellaOps.UI/TASKS.md) + + +[Experience & SDKs] 180.F) Web.I +Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator, Sprint 170.A - Notifier +Summary: Experience & SDKs focus on Web (phase I). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +WEB-AIAI-31-001 `API routing` | TODO | Route `/advisory/ai/*` endpoints through gateway with RBAC/ABAC, rate limits, and telemetry headers. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-AIAI-31-002 `Batch orchestration` | TODO | Provide batching job handlers and streaming responses for CLI automation with retry/backoff. 
| BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-AIAI-31-003 `Telemetry & audit` | TODO | Emit metrics/logs (latency, guardrail blocks, validation failures) and forward anonymized prompt hashes to analytics. | BE-Base Platform Guild, Observability Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-AOC-19-001 `Shared AOC guard primitives` | DOING (2025-10-26) | Provide `AOCForbiddenKeys`, guard middleware/interceptor hooks, and error types (`AOCError`, `AOCViolationCode`) for ingestion services. Publish sample usage + analyzer to ensure guard registered. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-AOC-19-002 `Provenance & signature helpers` | TODO | Ship `ProvenanceBuilder`, checksum utilities, and signature verification helper integrated with guard logging. Cover DSSE/CMS formats with unit tests. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-AOC-19-003 `Analyzer + test fixtures` | TODO | Author Roslyn analyzer preventing ingestion modules from writing forbidden keys without guard, and provide shared test fixtures for guard validation used by Concelier/Excititor service tests. | QA Guild, BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-CONSOLE-23-001 `Global posture endpoints` | TODO | Provide consolidated `/console/dashboard` and `/console/filters` APIs returning tenant-scoped aggregates (findings by severity, VEX override counts, advisory deltas, run health, policy change log). Enforce AOC labelling, deterministic ordering, and cursor-based pagination for drill-down hints. | BE-Base Platform Guild, Product Analytics Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-CONSOLE-23-002 `Live status & SSE proxy` | TODO | Expose `/console/status` polling endpoint and `/console/runs/{id}/stream` SSE/WebSocket proxy with heartbeat/backoff, queue lag metrics, and auth scope enforcement. Surface request IDs + retry headers. 
| BE-Base Platform Guild, Scheduler Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-CONSOLE-23-003 `Evidence export orchestrator` | TODO | Add `/console/exports` POST/GET routes coordinating evidence bundle creation, streaming CSV/JSON exports, checksum manifest retrieval, and signed attestation references. Ensure requests honor tenant + policy scopes and expose job tracking metadata. | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-CONSOLE-23-004 `Global search router` | TODO | Implement `/console/search` endpoint accepting CVE/GHSA/PURL/SBOM identifiers, performing fan-out queries with caching, ranking, and deterministic tie-breaking. Return typed results for Console navigation; respect result caps and latency SLOs. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-CONSOLE-23-005 `Downloads manifest API` | TODO | Serve `/console/downloads` JSON manifest (images, charts, offline bundles) sourced from signed registry metadata; include integrity hashes, release notes links, and offline instructions. Provide caching headers and documentation. | BE-Base Platform Guild, DevOps Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-CONTAINERS-44-001 `Config discovery & quickstart flag` | TODO | Expose `/welcome` state, config discovery endpoint (safe values), and `QUICKSTART_MODE` handling for Console banner; add `/health/liveness`, `/health/readiness`, `/version` if missing. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-CONTAINERS-45-001 `Helm readiness support` | TODO | Ensure readiness endpoints reflect DB/queue readiness, add feature flag toggles via config map, and document NetworkPolicy ports. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-CONTAINERS-46-001 `Air-gap hardening` | TODO | Provide offline-friendly asset serving (no CDN), allow overriding object store endpoints via env, and document fallback behavior. 
| BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-EXC-25-001 `Exceptions CRUD & workflow` | TODO | Implement `/exceptions` API (create, propose, approve, revoke, list, history) with validation, pagination, and audit logging. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) + + +[Experience & SDKs] 180.F) Web.II +Depends on: Sprint 180.F - Web.I +Summary: Experience & SDKs focus on Web (phase II). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +WEB-EXC-25-002 `Policy integration surfaces` | TODO | Extend `/policy/effective` and `/policy/simulate` responses to include exception metadata and accept overrides for simulations. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-EXC-25-003 `Notifications & events` | TODO | Publish `exception.*` events, integrate with notification hooks, enforce rate limits. | BE-Base Platform Guild, Platform Events Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-EXPORT-35-001 `Export routing` | TODO | Surface Export Center APIs (profiles/runs/download) through gateway with tenant scoping, streaming support, and viewer/operator scope checks. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-EXPORT-36-001 `Distribution endpoints` | TODO | Add distribution routes (OCI/object storage), manifest/provenance proxies, and signed URL generation. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-EXPORT-37-001 `Scheduling & verification` | TODO | Expose scheduling, retention, encryption parameters, and verification endpoints with admin scope enforcement and audit logs. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-GRAPH-21-001 `Graph endpoints` | BLOCKED (2025-10-27) | Add gateway routes for graph versions/viewport/node/path/diff/export endpoints with tenant enforcement, scope checks, and streaming responses; proxy Policy Engine diff toggles without inline logic. Adopt `StellaOpsScopes` constants for RBAC enforcement. 
| BE-Base Platform Guild, Graph Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-GRAPH-21-002 `Request validation` | BLOCKED (2025-10-27) | Implement bbox/zoom/path parameter validation, pagination tokens, and deterministic ordering; add contract tests for boundary conditions. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-GRAPH-21-003 `Error mapping & exports` | BLOCKED (2025-10-27) | Map graph service errors to `ERR_Graph_*`, support GraphML/JSONL export streaming, and document rate limits. | BE-Base Platform Guild, QA Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-GRAPH-21-004 `Overlay pass-through` | BLOCKED (2025-10-27) | Proxy Policy Engine overlay responses for graph endpoints while keeping gateway stateless; maintain streaming budgets and latency SLOs. | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-GRAPH-24-001 `Gateway proxy refresh` | TODO | Gateway proxy for Graph API and Policy overlays with RBAC, caching, pagination, ETags, and streaming; zero business logic. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-GRAPH-24-001 `Graph endpoints` | TODO | Implement `/graph/assets/*` endpoints (snapshots, adjacency, search) with pagination, ETags, and tenant scoping while acting as a pure proxy. | BE-Base Platform Guild, SBOM Service Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-GRAPH-24-004 `AOC enrichers` | TODO | Embed AOC summaries sourced from overlay services; ensure gateway does not compute derived severity or hints. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-GRAPH-24-004 `Telemetry aggregation` | TODO | Collect gateway metrics/logs (tile latency, proxy errors, overlay cache stats) and forward to dashboards; document sampling strategy. 
| BE-Base Platform Guild, Observability Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-LNM-21-001 `Advisory observation endpoints` | TODO | Surface new `/advisories/*` APIs through gateway with caching, pagination, and RBAC enforcement (`advisory:read`). | BE-Base Platform Guild, Concelier WebService Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-LNM-21-002 `VEX observation endpoints` | TODO | Expose `/vex/*` read APIs with evidence routes and export handlers; map `ERR_AGG_*` codes. | BE-Base Platform Guild, Excititor WebService Guild (src/Web/StellaOps.Web/TASKS.md) + + +[Experience & SDKs] 180.F) Web.III +Depends on: Sprint 180.F - Web.II +Summary: Experience & SDKs focus on Web (phase III). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +WEB-LNM-21-003 `Policy evidence aggregation` | TODO | Provide combined endpoint for Console to fetch policy result + source evidence (advisory + VEX linksets) for a component. | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-NOTIFY-38-001 `Gateway routing` | TODO | Route notifier APIs (`/notifications/*`) and WS feed through gateway with tenant scoping, viewer/operator scope enforcement, and SSE/WebSocket bridging. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-NOTIFY-39-001 `Digest & simulation endpoints` | TODO | Surface digest scheduling, quiet-hour/throttle management, and simulation APIs; ensure rate limits and audit logging. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-NOTIFY-40-001 `Escalations & localization` | TODO | Expose escalation, localization, channel health, and ack verification endpoints with admin scope enforcement and signed token validation. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-OAS-61-001 `Discovery endpoint` | TODO | Implement `GET /.well-known/openapi` returning gateway spec with version metadata, cache headers, and signed ETag. 
| BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-OAS-61-002 `Standard error envelope` | TODO | Migrate gateway errors to standard envelope and update examples; ensure telemetry logs include `error.code`. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-OAS-62-001 `Pagination & idempotency alignment` | TODO | Normalize all endpoints to cursor pagination, expose `Idempotency-Key` support, and document rate-limit headers. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-OAS-63-001 `Deprecation support` | TODO | Add deprecation header middleware, Sunset link emission, and observability metrics for deprecated routes. | BE-Base Platform Guild, API Governance Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-OBS-50-001 `Telemetry core adoption` | TODO | Integrate `StellaOps.Telemetry.Core` into gateway host, replace ad-hoc logging, ensure all routes emit trace/span IDs, tenant context, and scrubbed payload previews. | BE-Base Platform Guild, Observability Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-OBS-51-001 `Observability health endpoints` | TODO | Implement `/obs/health` and `/obs/slo` aggregations, pulling metrics from Prometheus/collector APIs, including burn-rate signals and exemplar links for Console widgets. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-OBS-52-001 `Trace & log proxies` | TODO | Deliver `/obs/trace/:id` and `/obs/logs` proxy endpoints with guardrails (time window limits, tenant scoping) forwarding to timeline indexer + log store with signed URLs. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-OBS-54-001 `Evidence & attestation bridges` | TODO | Provide `/evidence/*` and `/attestations/*` pass-through endpoints, enforce `timeline:read`, `evidence:read`, `attest:read` scopes, append provenance headers, and surface verification summaries. 
| BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-OBS-55-001 `Incident mode controls` | TODO | Add `/obs/incident-mode` API (enable/disable/status) with audit trail, sampling override, retention bump preview, and CLI/Console hooks. | BE-Base Platform Guild, Ops Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-OBS-56-001 `Sealed status surfaces` | TODO | Extend telemetry core integration to expose sealed/unsealed status APIs, drift metrics, and Console widgets without leaking sealed-mode secrets. | BE-Base Platform Guild, AirGap Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-ORCH-32-001 `Read-only routing` | TODO | Expose `/orchestrator/sources | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) + + +[Experience & SDKs] 180.F) Web.IV +Depends on: Sprint 180.F - Web.III +Summary: Experience & SDKs focus on Web (phase IV). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +WEB-ORCH-33-001 `Control + backfill actions` | TODO | Add POST action routes (`pause | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-ORCH-34-001 `Quotas & telemetry` | TODO | Surface quotas/backfill APIs, queue/backpressure metrics, and error clustering routes with admin scope enforcement and audit logging. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-POLICY-20-001 `Policy endpoints` | TODO | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints with OpenAPI, tenant scoping, and service identity enforcement. | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-POLICY-20-002 `Pagination & filters` | TODO | Add pagination, filtering, sorting, and tenant guards to listings for policies, runs, and findings; include deterministic ordering and query diagnostics. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-POLICY-20-003 `Error mapping` | TODO | Map engine errors to `ERR_POL_*` responses with consistent payloads and contract tests; expose correlation IDs in headers. 
| BE-Base Platform Guild, QA Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-POLICY-20-004 `Simulate rate limits` | TODO | Introduce adaptive rate limiting + quotas for simulation endpoints, expose metrics, and document retry headers. | Platform Reliability Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-POLICY-23-001 `Policy pack CRUD` | BLOCKED (2025-10-29) | Implement API endpoints for creating/listing/fetching policy packs and revisions (`/policy/packs`, `/policy/packs/{id}/revisions`) with pagination, RBAC, and AOC metadata exposure. (Tracked via Sprint 18.5 gateway tasks.) | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-POLICY-23-002 `Activation & scope` | BLOCKED (2025-10-29) | Add activation endpoint with scope windows, conflict checks, and optional 2-person approval integration; emit events on success. (Tracked via Sprint 18.5 gateway tasks.) | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-POLICY-23-003 `Simulation & evaluation` | TODO | Provide `/policy/simulate` and `/policy/evaluate` endpoints with streaming responses, rate limiting, and error mapping. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-POLICY-23-004 `Explain retrieval` | TODO | Expose explain history endpoints (`/policy/runs`, `/policy/runs/{id}`) including decision tree, sources consulted, and AOC chain. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-POLICY-27-001 `Policy registry proxy` | TODO | Surface Policy Registry APIs (`/policy/workspaces`, `/policy/versions`, `/policy/reviews`, `/policy/registry`) through gateway with tenant scoping, RBAC, and request validation; ensure streaming downloads for evidence bundles. | BE-Base Platform Guild, Policy Registry Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-POLICY-27-002 `Review & approval routes` | TODO | Implement review lifecycle endpoints (open, comment, approve/reject) with audit headers, comment pagination, and webhook fan-out. 
| BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-POLICY-27-003 `Simulation orchestration endpoints` | TODO | Expose quick/batch simulation endpoints with SSE progress (`/policy/simulations/{runId}/stream`), cursor-based result pagination, and manifest download routes. | BE-Base Platform Guild, Scheduler Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-POLICY-27-004 `Publish & promote controls` | TODO | Add publish/sign/promote/rollback endpoints with idempotent request IDs, canary parameters, and environment bindings; enforce scope checks and emit structured events. | BE-Base Platform Guild, Security Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-POLICY-27-005 `Policy Studio telemetry` | TODO | Instrument metrics/logs for compile latency, simulation queue depth, approval latency, promotion actions; expose aggregated dashboards and correlation IDs for Console. | BE-Base Platform Guild, Observability Guild (src/Web/StellaOps.Web/TASKS.md) + + +[Experience & SDKs] 180.F) Web.V +Depends on: Sprint 180.F - Web.IV +Summary: Experience & SDKs focus on Web (phase V). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +WEB-RISK-66-001 `Risk API routing` | TODO | Expose risk profile/results endpoints through gateway with tenant scoping, pagination, and rate limiting. | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-RISK-66-002 `Explainability downloads` | TODO | Add signed URL handling for explanation blobs and enforce scope checks. | BE-Base Platform Guild, Risk Engine Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-RISK-67-001 `Risk status endpoint` | TODO | Provide aggregated risk stats (`/risk/status`) for Console dashboards (counts per severity, last computation). | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-RISK-68-001 `Notification hooks` | TODO | Emit events on severity transitions via gateway to notifier bus with trace metadata. 
| BE-Base Platform Guild, Notifications Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-SIG-26-001 `Signals proxy endpoints` | TODO | Surface `/signals/callgraphs`, `/signals/facts` read/write endpoints with pagination, ETags, and RBAC. | BE-Base Platform Guild, Signals Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-SIG-26-002 `Reachability joins` | TODO | Extend `/policy/effective` and `/vuln/explorer` responses to include reachability scores/states and allow filtering. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-SIG-26-003 `Simulation hooks` | TODO | Add reachability override parameters to `/policy/simulate` and related APIs for what-if analysis. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-TEN-47-001 `Auth middleware` | TODO | Implement JWT verification, tenant activation from headers, scope matching, and decision audit emission for all API endpoints. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-TEN-48-001 `Tenant context propagation` | TODO | Set DB session `stella.tenant_id`, enforce tenant/project checks on persistence, prefix object storage paths, and stamp audit metadata. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-TEN-49-001 `ABAC & audit API` | TODO | Integrate optional ABAC overlay with Policy Engine, expose `/audit/decisions` API, and support service token minting endpoints. | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-VEX-30-007 `VEX consensus routing` | TODO | Route `/vex/consensus` APIs with tenant RBAC/ABAC, caching, and streaming; surface telemetry and trace IDs without gateway-side overlay logic. | BE-Base Platform Guild, VEX Lens Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-VULN-29-001 `Vuln API routing` | TODO | Expose `/vuln/*` endpoints via gateway with tenant scoping, RBAC/ABAC enforcement, anti-forgery headers, and request logging. 
| BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-VULN-29-002 `Ledger proxy headers` | TODO | Forward workflow actions to Findings Ledger with idempotency headers and correlation IDs; handle retries/backoff. | BE-Base Platform Guild, Findings Ledger Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-VULN-29-003 `Simulation + export routing` | TODO | Provide simulation and export orchestration routes with SSE/progress headers, signed download links, and request budgeting. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md) +WEB-VULN-29-004 `Telemetry aggregation` | TODO | Emit gateway metrics/logs (latency, error rates, export duration), propagate query hashes for analytics dashboards. | BE-Base Platform Guild, Observability Guild (src/Web/StellaOps.Web/TASKS.md) + + +If all tasks are done - read next sprint section - SPRINT_190_ops_offline.md diff --git a/docs/implplan/SPRINT_190_ops_offline.md b/docs/implplan/SPRINT_190_ops_offline.md new file mode 100644 index 00000000..9ed82aba --- /dev/null +++ b/docs/implplan/SPRINT_190_ops_offline.md 
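Review bot: two rows in SPRINT_180_experience_sdks.md are truncated because the description cell itself contains a `|`: `WEB-ORCH-32-001 `Read-only routing` | TODO | Expose `/orchestrator/sources` and `WEB-ORCH-33-001 `Control + backfill actions` | TODO | Add POST action routes (`pause` both stop mid-path and the rest of the description is swallowed by the owners column. Escape the separators as `\|` or rephrase the route lists so the table renders whole. The same hunk reuses task IDs: `WEB-GRAPH-24-001` is assigned to both `Gateway proxy refresh` and `Graph endpoints`, and `WEB-GRAPH-24-004` to both `AOC enrichers` and `Telemetry aggregation`; since these IDs are the cross-reference key into src/Web/StellaOps.Web/TASKS.md, each row needs a unique number. Minor: the 180.D summary reads `Experience & SDKs focus on Sdk).` with a stray closing parenthesis, and the four `WEB-GRAPH-21-*` rows are `BLOCKED (2025-10-27)` without naming the blocker, unlike the `WEB-POLICY-23-*` rows, which cite Sprint 18.5.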
@@ -0,0 +1,237 @@ +# Sprint 190 - Ops & Offline + +[Ops & Offline] 190.A) Ops Deployment.I +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli +Summary: Ops & Offline focus on Ops Deployment (phase I). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +COMPOSE-44-001 | TODO | Author `docker-compose.yml`, `.env.example`, and `quickstart.sh` with all core services + dependencies (postgres, redis, object-store, queue, otel). | Deployment Guild, DevEx Guild (ops/deployment/TASKS.md) +COMPOSE-44-002 | TODO | Implement `backup.sh` and `reset.sh` scripts with safety prompts and documentation. | Deployment Guild (ops/deployment/TASKS.md) +COMPOSE-44-003 | TODO | Package seed data container and onboarding wizard toggle (`QUICKSTART_MODE`), ensuring default creds randomized on first run. | Deployment Guild, Docs Guild (ops/deployment/TASKS.md) +DEPLOY-AIAI-31-001 | TODO | Provide Helm/Compose manifests, GPU toggle, scaling/runbook, and offline kit instructions for Advisory AI service + inference container. | Deployment Guild, Advisory AI Guild (ops/deployment/TASKS.md) +DEPLOY-AIRGAP-46-001 | TODO | Provide instructions and scripts (`load.sh`) for importing air-gap bundle into private registry; update Offline Kit guide. | Deployment Guild, Offline Kit Guild (ops/deployment/TASKS.md) +DEPLOY-CLI-41-001 | TODO | Package CLI release artifacts (tarballs per OS/arch, checksums, signatures, completions, container image) and publish distribution docs. | Deployment Guild, DevEx/CLI Guild (ops/deployment/TASKS.md) +DEPLOY-COMPOSE-44-001 | TODO | Finalize Quickstart scripts (`quickstart.sh`, `backup.sh`, `reset.sh`), seed data container, and publish README with imposed rule reminder. 
| Deployment Guild (ops/deployment/TASKS.md) +DEPLOY-EXPORT-35-001 | BLOCKED (2025-10-29) | Package exporter service/worker Helm overlays (download-only), document rollout/rollback, and integrate signing KMS secrets. | Deployment Guild, Exporter Service Guild (ops/deployment/TASKS.md) +DEPLOY-EXPORT-36-001 | TODO | Document OCI/object storage distribution workflows, registry credential automation, and monitoring hooks for exports. | Deployment Guild, Exporter Service Guild (ops/deployment/TASKS.md) +DEPLOY-HELM-45-001 | TODO | Publish Helm install guide and sample values for prod/airgap; integrate with docs site build. | Deployment Guild (ops/deployment/TASKS.md) +DEPLOY-NOTIFY-38-001 | BLOCKED (2025-10-29) | Package notifier API/worker Helm overlays (email/chat/webhook), secrets templates, rollout guide. | Deployment Guild, DevOps Guild (ops/deployment/TASKS.md) +DEPLOY-ORCH-34-001 | TODO | Provide orchestrator Helm/Compose manifests, scaling defaults, secret templates, offline kit instructions, and GA rollout/rollback playbook. | Deployment Guild, Orchestrator Service Guild (ops/deployment/TASKS.md) +DEPLOY-PACKS-42-001 | TODO | Provide deployment manifests for packs-registry and task-runner services, including Helm/Compose overlays, scaling defaults, and secret templates. | Deployment Guild, Packs Registry Guild (ops/deployment/TASKS.md) +DEPLOY-PACKS-43-001 | TODO | Ship remote Task Runner worker profiles, object storage bootstrap, approval workflow integration, and Offline Kit packaging instructions. | Deployment Guild, Task Runner Guild (ops/deployment/TASKS.md) +DEPLOY-POLICY-27-001 | TODO | Produce Helm/Compose overlays for Policy Registry + simulation workers, including Mongo migrations, object storage buckets, signing key secrets, and tenancy defaults. 
| Deployment Guild, Policy Registry Guild (ops/deployment/TASKS.md) + + +[Ops & Offline] 190.A) Ops Deployment.II +Depends on: Sprint 190.A - Ops Deployment.I +Summary: Ops & Offline focus on Ops Deployment (phase II). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +DEPLOY-POLICY-27-002 | TODO | Document rollout/rollback playbooks for policy publish/promote (canary strategy, emergency freeze toggle, evidence retrieval) under `/docs/runbooks/policy-incident.md`. | Deployment Guild, Policy Guild (ops/deployment/TASKS.md) +DEPLOY-VEX-30-001 | TODO | Provide Helm/Compose overlays, scaling defaults, and offline kit instructions for VEX Lens service. | Deployment Guild, VEX Lens Guild (ops/deployment/TASKS.md) +DEPLOY-VEX-30-002 | TODO | Package Issuer Directory deployment manifests, backups, and security hardening guidance. | Deployment Guild, Issuer Directory Guild (ops/deployment/TASKS.md) +DEPLOY-VULN-29-001 | TODO | Produce Helm/Compose overlays for Findings Ledger + projector, including DB migrations, Merkle anchor jobs, and scaling guidance. | Deployment Guild, Findings Ledger Guild (ops/deployment/TASKS.md) +DEPLOY-VULN-29-002 | TODO | Package `stella-vuln-explorer-api` deployment manifests, health checks, autoscaling policies, and offline kit instructions with signed images. | Deployment Guild, Vuln Explorer API Guild (ops/deployment/TASKS.md) +DOWNLOADS-CONSOLE-23-001 | TODO | Maintain signed downloads manifest pipeline (images, Helm, offline bundles), publish JSON under `deploy/downloads/manifest.json`, and document sync cadence for Console + docs parity. | Deployment Guild, DevOps Guild (ops/deployment/TASKS.md) +HELM-45-001 | TODO | Scaffold `deploy/helm/stella` chart with values, component toggles, and pinned image digests for all services; include migration Job templates. 
| Deployment Guild (ops/deployment/TASKS.md) +HELM-45-002 | TODO | Add TLS/Ingress, NetworkPolicy, PodSecurityContexts, Secrets integration (external secrets), and document security posture. | Deployment Guild, Security Guild (ops/deployment/TASKS.md) +HELM-45-003 | TODO | Implement HPA, PDB, readiness gates, Prometheus scraping annotations, OTel configuration hooks, and upgrade hooks. | Deployment Guild, Observability Guild (ops/deployment/TASKS.md) + + +[Ops & Offline] 190.B) Ops Devops.I +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli +Summary: Ops & Offline focus on Ops Devops (phase I). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +DEVOPS-AIAI-31-001 | TODO | Stand up CI pipelines, inference monitoring, privacy logging review, and perf dashboards for Advisory AI (summaries/conflicts/remediation). | DevOps Guild, Advisory AI Guild (ops/devops/TASKS.md) +DEVOPS-AIRGAP-56-001 | TODO | Ship deny-all egress policies for Kubernetes (NetworkPolicy/eBPF) and docker-compose firewall rules; provide verification script for sealed mode. | DevOps Guild (ops/devops/TASKS.md) +DEVOPS-AIRGAP-56-002 | TODO | Provide import tooling for bundle staging: checksum validation, offline object-store loader scripts, removable media guidance. | DevOps Guild, AirGap Importer Guild (ops/devops/TASKS.md) +DEVOPS-AIRGAP-56-003 | TODO | Build Bootstrap Pack pipeline bundling images/charts, generating checksums, and publishing manifest for offline transfer. | DevOps Guild, Container Distribution Guild (ops/devops/TASKS.md) +DEVOPS-AIRGAP-57-001 | TODO | Automate Mirror Bundle creation jobs with dual-control approvals, artifact signing, and checksum publication. 
| DevOps Guild, Mirror Creator Guild (ops/devops/TASKS.md) +DEVOPS-AIRGAP-57-002 | TODO | Configure sealed-mode CI tests that run services with sealed flag and ensure no egress occurs (iptables + mock DNS). | DevOps Guild, Authority Guild (ops/devops/TASKS.md) +DEVOPS-AIRGAP-58-001 | TODO | Provide local SMTP/syslog container templates and health checks for sealed environments; integrate into Bootstrap Pack. | DevOps Guild, Notifications Guild (ops/devops/TASKS.md) +DEVOPS-AIRGAP-58-002 | TODO | Ship sealed-mode observability stack (Prometheus/Grafana/Tempo/Loki) pre-configured with offline dashboards and no remote exporters. | DevOps Guild, Observability Guild (ops/devops/TASKS.md) +DEVOPS-AOC-19-001 | BLOCKED (2025-10-26) | Integrate the AOC Roslyn analyzer and guard tests into CI, failing builds when ingestion projects attempt banned writes. | DevOps Guild, Platform Guild (ops/devops/TASKS.md) +DEVOPS-AOC-19-002 | BLOCKED (2025-10-26) | Add pipeline stage executing `stella aoc verify --since` against seeded Mongo snapshots for Concelier + Excititor, publishing violation report artefacts. | DevOps Guild (ops/devops/TASKS.md) +DEVOPS-AOC-19-003 | BLOCKED (2025-10-26) | Enforce unit test coverage thresholds for AOC guard suites and ensure coverage exported to dashboards. | DevOps Guild, QA Guild (ops/devops/TASKS.md) +DEVOPS-AOC-19-101 | TODO (2025-10-28) | Draft supersedes backfill rollout (freeze window, dry-run steps, rollback) once advisory_raw idempotency index passes staging verification. | DevOps Guild, Concelier Storage Guild (ops/devops/TASKS.md) +DEVOPS-ATTEST-73-001 | TODO | Provision CI pipelines for attestor service (lint/test/security scan, seed data) and manage secrets for KMS drivers. | DevOps Guild, Attestor Service Guild (ops/devops/TASKS.md) +DEVOPS-ATTEST-73-002 | TODO | Establish secure storage for signing keys (vault integration, rotation schedule) and audit logging. 
| DevOps Guild, KMS Guild (ops/devops/TASKS.md) +DEVOPS-ATTEST-74-001 | TODO | Deploy transparency log witness infrastructure and monitoring. | DevOps Guild, Transparency Guild (ops/devops/TASKS.md) + + +[Ops & Offline] 190.B) Ops Devops.II +Depends on: Sprint 190.B - Ops Devops.I +Summary: Ops & Offline focus on Ops Devops (phase II). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +DEVOPS-ATTEST-74-002 | TODO | Integrate attestation bundle builds into release/offline pipelines with checksum verification. | DevOps Guild, Export Attestation Guild (ops/devops/TASKS.md) +DEVOPS-ATTEST-75-001 | TODO | Add dashboards/alerts for signing latency, verification failures, key rotation events. | DevOps Guild, Observability Guild (ops/devops/TASKS.md) +DEVOPS-CLI-41-001 | TODO | Establish CLI build pipeline (multi-platform binaries, SBOM, checksums), parity matrix CI enforcement, and release artifact signing. | DevOps Guild, DevEx/CLI Guild (ops/devops/TASKS.md) +DEVOPS-CLI-42-001 | TODO | Add CLI golden output tests, parity diff automation, pack run CI harness, and artifact cache for remote mode. | DevOps Guild (ops/devops/TASKS.md) +DEVOPS-CLI-43-001 | DOING (2025-10-27) | Finalize multi-platform release automation, SBOM signing, parity gate enforcement, and Task Pack chaos tests. | DevOps Guild (ops/devops/TASKS.md) +DEVOPS-CLI-43-002 | TODO | Implement Task Pack chaos smoke in CI (random failure injection, resume, sealed-mode toggle) and publish evidence bundles for review. | DevOps Guild, Task Runner Guild (ops/devops/TASKS.md) +DEVOPS-CLI-43-003 | TODO | Integrate CLI golden output/parity diff automation into release gating; export parity report artifact consumed by Console Downloads workspace. 
| DevOps Guild, DevEx/CLI Guild (ops/devops/TASKS.md) +DEVOPS-CONSOLE-23-001 | BLOCKED (2025-10-26) | Add console CI workflow (pnpm cache, lint, type-check, unit, Storybook a11y, Playwright, Lighthouse) with offline runners and artifact retention for screenshots/reports. | DevOps Guild, Console Guild (ops/devops/TASKS.md) +DEVOPS-CONSOLE-23-002 | TODO | Produce `stella-console` container build + Helm chart overlays with deterministic digests, SBOM/provenance artefacts, and offline bundle packaging scripts. | DevOps Guild, Console Guild (ops/devops/TASKS.md) +DEVOPS-CONTAINERS-44-001 | TODO | Automate multi-arch image builds with buildx, SBOM generation, cosign signing, and signature verification in CI. | DevOps Guild (ops/devops/TASKS.md) +DEVOPS-CONTAINERS-45-001 | TODO | Add Compose and Helm smoke tests (fresh VM + kind cluster) to CI; publish test artifacts and logs. | DevOps Guild (ops/devops/TASKS.md) +DEVOPS-CONTAINERS-46-001 | TODO | Build air-gap bundle generator (`src/Tools/make-airgap-bundle.sh`), produce signed bundle, and verify in CI using private registry. | DevOps Guild (ops/devops/TASKS.md) +DEVOPS-DEVPORT-63-001 | TODO | Automate developer portal build pipeline with caching, link & accessibility checks, performance budgets. | DevOps Guild, Developer Portal Guild (ops/devops/TASKS.md) +DEVOPS-DEVPORT-64-001 | TODO | Schedule `devportal --offline` nightly builds with checksum validation and artifact retention policies. | DevOps Guild, DevPortal Offline Guild (ops/devops/TASKS.md) +DEVOPS-EXPORT-35-001 | BLOCKED (2025-10-29) | Establish exporter CI pipeline (lint/test/perf smoke), configure object storage fixtures, seed Grafana dashboards, and document bootstrap steps. | DevOps Guild, Exporter Service Guild (ops/devops/TASKS.md) + + +[Ops & Offline] 190.B) Ops Devops.III +Depends on: Sprint 190.B - Ops Devops.II +Summary: Ops & Offline focus on Ops Devops (phase III). 
+Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +DEVOPS-EXPORT-36-001 | TODO | Integrate Trivy compatibility validation, cosign signature checks, `trivy module db import` smoke tests, OCI distribution verification, and throughput/error dashboards. | DevOps Guild, Exporter Service Guild (ops/devops/TASKS.md) +DEVOPS-EXPORT-37-001 | TODO | Finalize exporter monitoring (failure alerts, verify metrics, retention jobs) and chaos/latency tests ahead of GA. | DevOps Guild, Exporter Service Guild (ops/devops/TASKS.md) +DEVOPS-GRAPH-24-001 | TODO | Load test graph index/adjacency APIs with 40k-node assets; capture perf dashboards and alert thresholds. | DevOps Guild, SBOM Service Guild (ops/devops/TASKS.md) +DEVOPS-GRAPH-24-002 | TODO | Integrate synthetic UI perf runs (Playwright/WebGL metrics) for Graph/Vuln explorers; fail builds on regression. | DevOps Guild, UI Guild (ops/devops/TASKS.md) +DEVOPS-GRAPH-24-003 | TODO | Implement smoke job for simulation endpoints ensuring we stay within SLA (<3s upgrade) and log results. | DevOps Guild (ops/devops/TASKS.md) +DEVOPS-LNM-22-001 | BLOCKED (2025-10-27) | Run migration/backfill pipelines for advisory observations/linksets in staging, validate counts/conflicts, and automate deployment steps. Awaiting storage backfill tooling. | DevOps Guild, Concelier Guild (ops/devops/TASKS.md) +DEVOPS-LNM-22-002 | BLOCKED (2025-10-27) | Execute VEX observation/linkset backfill with monitoring; ensure NATS/Redis events integrated; document ops runbook. Blocked until Excititor storage migration lands. | DevOps Guild, Excititor Guild (ops/devops/TASKS.md) +DEVOPS-LNM-22-003 | TODO | Add CI/monitoring coverage for new metrics (`advisory_observations_total`, `linksets_total`, etc.) and alerts on ingest-to-API SLA breaches. | DevOps Guild, Observability Guild (ops/devops/TASKS.md) +DEVOPS-OAS-61-001 | TODO | Add CI stages for OpenAPI linting, validation, and compatibility diff; enforce gating on PRs. 
| DevOps Guild, API Contracts Guild (ops/devops/TASKS.md) +DEVOPS-OAS-61-002 | TODO | Integrate mock server + contract test suite into PR and nightly workflows; publish artifacts. | DevOps Guild, Contract Testing Guild (ops/devops/TASKS.md) +DEVOPS-OBS-50-002 | DOING (2025-10-26) | Stand up multi-tenant storage backends (Prometheus, Tempo/Jaeger, Loki) with retention policies, tenant isolation, and redaction guard rails. Integrate with Authority scopes for read paths. | DevOps Guild, Security Guild (ops/devops/TASKS.md) +DEVOPS-OBS-51-001 | TODO | Implement SLO evaluator service (burn rate calculators, webhook emitters), Grafana dashboards, and alert routing to Notifier. Provide Terraform/Helm automation. | DevOps Guild, Observability Guild (ops/devops/TASKS.md) +DEVOPS-OBS-52-001 | TODO | Configure streaming pipeline (NATS/Redis/Kafka) with retention, partitioning, and backpressure tuning for timeline events; add CI validation of schema + rate caps. | DevOps Guild, Timeline Indexer Guild (ops/devops/TASKS.md) +DEVOPS-OBS-53-001 | TODO | Provision object storage with WORM/retention options (S3 Object Lock / MinIO immutability), legal hold automation, and backup/restore scripts for evidence locker. | DevOps Guild, Evidence Locker Guild (ops/devops/TASKS.md) +DEVOPS-OBS-54-001 | TODO | Manage provenance signing infrastructure (KMS keys, rotation schedule, timestamp authority integration) and integrate verification jobs into CI. | DevOps Guild, Security Guild (ops/devops/TASKS.md) + + +[Ops & Offline] 190.B) Ops Devops.IV +Depends on: Sprint 190.B - Ops Devops.III +Summary: Ops & Offline focus on Ops Devops (phase IV). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +DEVOPS-OBS-55-001 | TODO | Implement incident mode automation: feature flag service, auto-activation via SLO burn-rate, retention override management, and post-incident reset job. 
| DevOps Guild, Ops Guild (ops/devops/TASKS.md) +DEVOPS-ORCH-32-001 | TODO | Provision orchestrator Postgres/message-bus infrastructure, add CI smoke deploy, seed Grafana dashboards (queue depth, inflight jobs), and document bootstrap. | DevOps Guild, Orchestrator Service Guild (ops/devops/TASKS.md) +DEVOPS-ORCH-33-001 | TODO | Publish Grafana dashboards/alerts for rate limiter, backpressure, error clustering, and DLQ depth; integrate with on-call rotations. | DevOps Guild, Observability Guild (ops/devops/TASKS.md) +DEVOPS-ORCH-34-001 | TODO | Harden production monitoring (synthetic probes, burn-rate alerts, replay smoke), document incident response, and prep GA readiness checklist. | DevOps Guild, Orchestrator Service Guild (ops/devops/TASKS.md) +DEVOPS-POLICY-27-001 | TODO | Add CI pipeline stages to run `stella policy lint | DevOps Guild, DevEx/CLI Guild (ops/devops/TASKS.md) +DEVOPS-POLICY-27-002 | TODO | Provide optional batch simulation CI job (staging inventory) that triggers Registry run, polls results, and posts markdown summary to PR; enforce drift thresholds. | DevOps Guild, Policy Registry Guild (ops/devops/TASKS.md) +DEVOPS-POLICY-27-003 | TODO | Manage signing key material for policy publish pipeline (OIDC workload identity + cosign), rotate keys, and document verification steps; integrate attestation verification stage. | DevOps Guild, Security Guild (ops/devops/TASKS.md) +DEVOPS-POLICY-27-004 | TODO | Create dashboards/alerts for policy compile latency, simulation queue depth, approval latency, and promotion outcomes; integrate with on-call playbooks. | DevOps Guild, Observability Guild (ops/devops/TASKS.md) +DEVOPS-REL-17-004 | BLOCKED (2025-10-26) | Ensure release workflow publishes `out/release/debug` (build-id tree + manifest) and fails when symbols are missing. | DevOps Guild (ops/devops/TASKS.md) +DEVOPS-RULES-33-001 | REVIEW (2025-10-30) | Contracts & Rules anchor:
• Gateway proxies only; Policy Engine composes overlays/simulations.
• AOC ingestion cannot merge; only lossless canonicalization.
• One graph platform: Graph Indexer + Graph API. Cartographer retired. | DevOps Guild, Platform Leads (ops/devops/TASKS.md) +DEVOPS-SDK-63-001 | TODO | Provision registry credentials, signing keys, and secure storage for SDK publishing pipelines. | DevOps Guild, SDK Release Guild (ops/devops/TASKS.md) +DEVOPS-SIG-26-001 | TODO | Provision CI/CD pipelines, Helm/Compose manifests for Signals service, including artifact storage and Redis dependencies. | DevOps Guild, Signals Guild (ops/devops/TASKS.md) +DEVOPS-SIG-26-002 | TODO | Create dashboards/alerts for reachability scoring latency, cache hit rates, sensor staleness. | DevOps Guild, Observability Guild (ops/devops/TASKS.md) +DEVOPS-TEN-47-001 | TODO | Add JWKS cache monitoring, signature verification regression tests, and token expiration chaos tests to CI. | DevOps Guild (ops/devops/TASKS.md) +DEVOPS-TEN-48-001 | TODO | Build integration tests to assert RLS enforcement, tenant-prefixed object storage, and audit event emission; set up lint to prevent raw SQL bypass. | DevOps Guild (ops/devops/TASKS.md) + + +[Ops & Offline] 190.B) Ops Devops.V +Depends on: Sprint 190.B - Ops Devops.IV +Summary: Ops & Offline focus on Ops Devops (phase V). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +DEVOPS-TEN-49-001 | TODO | Deploy audit pipeline, scope usage metrics, JWKS outage chaos tests, and tenant load/perf benchmarks. | DevOps Guild (ops/devops/TASKS.md) +DEVOPS-VEX-30-001 | TODO | Provision CI, load tests, dashboards, alerts for VEX Lens and Issuer Directory (compute latency, disputed totals, signature verification rates). | DevOps Guild, VEX Lens Guild (ops/devops/TASKS.md) +DEVOPS-VULN-29-001 | TODO | Provision CI jobs for ledger projector (replay, determinism), set up backups, monitor Merkle anchoring, and automate verification. 
| DevOps Guild, Findings Ledger Guild (ops/devops/TASKS.md) +DEVOPS-VULN-29-002 | TODO | Configure load/perf tests (5M findings/tenant), query budget enforcement, API SLO dashboards, and alerts for `vuln_list_latency` and `projection_lag`. | DevOps Guild, Vuln Explorer API Guild (ops/devops/TASKS.md) +DEVOPS-VULN-29-003 | TODO | Instrument analytics pipeline for Vuln Explorer (telemetry ingestion, query hashes), ensure compliance with privacy/PII guardrails, and update observability docs. | DevOps Guild, Console Guild (ops/devops/TASKS.md) +DOCKER-44-001 | TODO | Author multi-stage Dockerfiles for all core services (API, Console, Orchestrator, Task Runner, Conseiller, Excitator, Policy, Notify, Export, AI) with non-root users, read-only file systems, and health scripts. | DevOps Guild, Service Owners (ops/devops/TASKS.md) +DOCKER-44-002 | TODO | Generate SBOMs and cosign attestations for each image and integrate verification into CI. | DevOps Guild (ops/devops/TASKS.md) +DOCKER-44-003 | TODO | Implement `/health/liveness`, `/health/readiness`, `/version`, `/metrics`, and ensure capability endpoint returns `merge=false` for Conseiller/Excitator. | DevOps Guild (ops/devops/TASKS.md) +OPS-ENV-01 | TODO | Update deployment manifests (Helm/Compose) and configuration docs to include Surface.Env variables for Scanner and Zastava services. | DevOps Guild, Scanner Guild (ops/devops/TASKS.md) +OPS-SECRETS-01 | TODO | Define secret provisioning workflow (Kubernetes, Compose, Offline Kit) for Surface.Secrets references and update runbooks. | DevOps Guild, Security Guild (ops/devops/TASKS.md) +OPS-SECRETS-02 | TODO | Embed Surface.Secrets material (encrypted bundles, manifests) into offline kit packaging scripts. 
| DevOps Guild, Offline Kit Guild (ops/devops/TASKS.md) + + +[Ops & Offline] 190.C) Ops Offline Kit +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli +Summary: Ops & Offline focus on Ops Offline Kit). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +CLI-PACKS-43-002 | TODO | Bundle Task Pack samples, registry mirror seeds, Task Runner configs, and CLI binaries with checksums into Offline Kit. | Offline Kit Guild, Packs Registry Guild (ops/offline-kit/TASKS.md) +DEVOPS-OFFLINE-17-004 | BLOCKED (2025-10-26) | Execute `mirror_debug_store.py` after the next release pipeline emits `out/release/debug`, verify manifest hashes, and archive `metadata/debug-store.json` with the kit. | Offline Kit Guild, DevOps Guild (ops/offline-kit/TASKS.md) +DEVOPS-OFFLINE-34-006 | TODO | Bundle orchestrator service container, worker SDK samples, Postgres snapshot, and dashboards into Offline Kit with manifest/signature updates. | Offline Kit Guild, Orchestrator Service Guild (ops/offline-kit/TASKS.md) +DEVOPS-OFFLINE-37-001 | TODO | Export Center offline bundles + verification tooling (mirror artefacts, verification CLI, manifest/signature refresh, air-gap import script). | Offline Kit Guild, Exporter Service Guild (ops/offline-kit/TASKS.md) +DEVOPS-OFFLINE-37-002 | TODO | Notifier offline packs (sample configs, template/digest packs, dry-run harness) with integrity checks and operator docs. | Offline Kit Guild, Notifications Service Guild (ops/offline-kit/TASKS.md) +OFFLINE-CONTAINERS-46-001 | TODO | Include container air-gap bundle, verification docs, and mirrored registry instructions inside Offline Kit. 
| Offline Kit Guild, Deployment Guild (ops/offline-kit/TASKS.md) +OPS-SECRETS-02 | TODO | Add Surface.Secrets bundles (encrypted creds, manifests) to Offline Kit packaging plus verification script. | Offline Kit Guild, DevOps Guild (ops/offline-kit/TASKS.md) + + +[Ops & Offline] 190.D) Samples +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli +Summary: Ops & Offline focus on Samples). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +SAMPLES-GRAPH-24-003 | TODO | Generate large-scale SBOM graph fixture (≈40k nodes) with policy overlay snapshot for performance/perf regression suites. | Samples Guild, SBOM Service Guild (samples/TASKS.md) +SAMPLES-GRAPH-24-004 | TODO | Create vulnerability explorer JSON/CSV fixtures capturing conflicting evidence and policy outputs for UI/CLI automated tests. | Samples Guild, UI Guild (samples/TASKS.md) +SAMPLES-LNM-22-001 | BLOCKED (2025-10-27) | Create advisory observation/linkset fixtures (NVD, GHSA, OSV disagreements) for API/CLI/UI tests with documented conflicts. Waiting on finalized schema/linkset outputs. | Samples Guild, Concelier Guild (samples/TASKS.md) +SAMPLES-LNM-22-002 | BLOCKED (2025-10-27) | Produce VEX observation/linkset fixtures demonstrating status conflicts and path relevance; include raw blobs. Pending Excititor observation/linkset implementation. | Samples Guild, Excititor Guild (samples/TASKS.md) + + +[Ops & Offline] 190.E) AirGap +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli +Summary: Ops & Offline focus on AirGap). 
+Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +AIRGAP-CTL-56-001 | TODO | Implement `airgap_state` persistence, seal/unseal state machine, and Authority scope checks (`airgap:seal`, `airgap:status:read`). | AirGap Controller Guild (src/AirGap/StellaOps.AirGap.Controller/TASKS.md) +AIRGAP-CTL-56-002 | TODO | Expose `GET /system/airgap/status`, `POST /system/airgap/seal`, integrate policy hash validation, and return staleness/time anchor placeholders. | AirGap Controller Guild, DevOps Guild (src/AirGap/StellaOps.AirGap.Controller/TASKS.md) +AIRGAP-CTL-57-001 | TODO | Add startup diagnostics that block application run when sealed flag set but egress policies missing; emit audit + telemetry. | AirGap Controller Guild (src/AirGap/StellaOps.AirGap.Controller/TASKS.md) +AIRGAP-CTL-57-002 | TODO | Instrument seal/unseal events with trace/log fields and timeline emission (`airgap.sealed`, `airgap.unsealed`). | AirGap Controller Guild, Observability Guild (src/AirGap/StellaOps.AirGap.Controller/TASKS.md) +AIRGAP-CTL-58-001 | TODO | Persist time anchor metadata, compute drift seconds, and surface staleness budgets in status API. | AirGap Controller Guild, AirGap Time Guild (src/AirGap/StellaOps.AirGap.Controller/TASKS.md) +AIRGAP-IMP-56-001 | TODO | Implement DSSE verification helpers, TUF metadata parser (`root.json`, `snapshot.json`, `timestamp.json`), and Merkle root calculator. | AirGap Importer Guild (src/AirGap/StellaOps.AirGap.Importer/TASKS.md) +AIRGAP-IMP-56-002 | TODO | Introduce root rotation policy validation (dual approval) and signer trust store management. | AirGap Importer Guild, Security Guild (src/AirGap/StellaOps.AirGap.Importer/TASKS.md) +AIRGAP-IMP-57-001 | TODO | Write `bundle_catalog` and `bundle_items` repositories with RLS + deterministic migrations. 
| AirGap Importer Guild (src/AirGap/StellaOps.AirGap.Importer/TASKS.md) +AIRGAP-IMP-57-002 | TODO | Implement object-store loader storing artifacts under tenant/global mirror paths with Zstandard decompression and checksum validation. | AirGap Importer Guild, DevOps Guild (src/AirGap/StellaOps.AirGap.Importer/TASKS.md) +AIRGAP-IMP-58-001 | TODO | Implement API (`POST /airgap/import`, `/airgap/verify`) and CLI commands wiring verification + catalog updates, including diff preview. | AirGap Importer Guild, CLI Guild (src/AirGap/StellaOps.AirGap.Importer/TASKS.md) +AIRGAP-IMP-58-002 | TODO | Emit timeline events (`airgap.import.started | AirGap Importer Guild, Observability Guild (src/AirGap/StellaOps.AirGap.Importer/TASKS.md) +AIRGAP-TIME-57-001 | TODO | Implement signed time token parser (Roughtime/RFC3161), verify signatures against bundle trust roots, and expose normalized anchor representation. | AirGap Time Guild (src/AirGap/StellaOps.AirGap.Time/TASKS.md) +AIRGAP-TIME-57-002 | TODO | Add telemetry counters for time anchors (`airgap_time_anchor_age_seconds`) and alerts for approaching thresholds. | AirGap Time Guild, Observability Guild (src/AirGap/StellaOps.AirGap.Time/TASKS.md) +AIRGAP-TIME-58-001 | TODO | Persist drift baseline, compute per-content staleness (advisories, VEX, policy) based on bundle metadata, and surface through controller status API. | AirGap Time Guild (src/AirGap/StellaOps.AirGap.Time/TASKS.md) +AIRGAP-TIME-58-002 | TODO | Emit notifications and timeline events when staleness budgets breached or approaching. | AirGap Time Guild, Notifications Guild (src/AirGap/StellaOps.AirGap.Time/TASKS.md) + + +[Ops & Offline] 190.F) Api +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli +Summary: Ops & Offline focus on Api). 
+Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +APIGOV-61-001 | TODO | Configure spectral/linters with Stella rules; add CI job failing on violations. | API Governance Guild (src/Api/StellaOps.Api.Governance/TASKS.md) +APIGOV-61-002 | TODO | Implement example coverage checker ensuring every operation has at least one request/response example. | API Governance Guild (src/Api/StellaOps.Api.Governance/TASKS.md) +APIGOV-62-001 | TODO | Build compatibility diff tool producing additive/breaking reports comparing prior release. | API Governance Guild (src/Api/StellaOps.Api.Governance/TASKS.md) +APIGOV-62-002 | TODO | Automate changelog generation and publish signed artifacts to `src/Sdk/StellaOps.Sdk.Release` pipeline. | API Governance Guild, DevOps Guild (src/Api/StellaOps.Api.Governance/TASKS.md) +APIGOV-63-001 | TODO | Integrate deprecation metadata into Notification Studio templates for API sunset events. | API Governance Guild, Notifications Guild (src/Api/StellaOps.Api.Governance/TASKS.md) +OAS-61-001 | TODO | Scaffold per-service OpenAPI 3.1 files with shared components, info blocks, and initial path stubs. | API Contracts Guild (src/Api/StellaOps.Api.OpenApi/TASKS.md) +OAS-61-002 | TODO | Implement aggregate composer (`stella.yaml`) resolving `$ref`s and merging shared components; wire into CI. | API Contracts Guild, DevOps Guild (src/Api/StellaOps.Api.OpenApi/TASKS.md) +OAS-62-001 | TODO | Populate request/response examples for top 50 endpoints, including standard error envelope. | API Contracts Guild, Service Guilds (src/Api/StellaOps.Api.OpenApi/TASKS.md) +OAS-62-002 | TODO | Add custom lint rules enforcing pagination, idempotency headers, naming conventions, and example coverage. | API Contracts Guild (src/Api/StellaOps.Api.OpenApi/TASKS.md) +OAS-63-001 | TODO | Implement compatibility diff tooling comparing previous release specs; classify breaking vs additive changes. 
| API Contracts Guild (src/Api/StellaOps.Api.OpenApi/TASKS.md) +OAS-63-002 | TODO | Add `/.well-known/openapi` discovery endpoint schema metadata (extensions, version info). | API Contracts Guild, Gateway Guild (src/Api/StellaOps.Api.OpenApi/TASKS.md) + + +[Ops & Offline] 190.G) Bench +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli +Summary: Ops & Offline focus on Bench). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +BENCH-GRAPH-21-001 | BLOCKED (2025-10-27) | Build graph viewport/path benchmark harness (50k/100k nodes) measuring Graph API/Indexer latency, memory, and tile cache hit rates. *(Executed within Sprint 28 Graph program).* | Bench Guild, Graph Platform Guild (src/Bench/StellaOps.Bench/TASKS.md) +BENCH-GRAPH-21-002 | BLOCKED (2025-10-27) | Add headless UI load benchmark (Playwright) for graph canvas interactions to track render times and FPS budgets. *(Executed within Sprint 28 Graph program).* | Bench Guild, UI Guild (src/Bench/StellaOps.Bench/TASKS.md) +BENCH-GRAPH-24-002 | TODO | Implement UI interaction benchmarks (filter/zoom/table operations) citing p95 latency; integrate with perf dashboards. | Bench Guild, UI Guild (src/Bench/StellaOps.Bench/TASKS.md) +BENCH-IMPACT-16-001 | TODO | ImpactIndex throughput bench (resolve 10k productKeys) + RAM profile. | Bench Guild, Scheduler Team (src/Bench/StellaOps.Bench/TASKS.md) +BENCH-POLICY-20-002 | TODO | Add incremental run benchmark measuring delta evaluation vs full; capture SLA compliance. | Bench Guild, Policy Guild, Scheduler Guild (src/Bench/StellaOps.Bench/TASKS.md) +BENCH-SIG-26-001 | TODO | Develop benchmark for reachability scoring pipeline (facts/sec, latency, memory) using synthetic callgraphs/runtime batches. 
| Bench Guild, Signals Guild (src/Bench/StellaOps.Bench/TASKS.md) +BENCH-SIG-26-002 | TODO | Measure policy evaluation overhead with reachability cache hot/cold; ensure ≤8 ms p95 added latency. | Bench Guild, Policy Guild (src/Bench/StellaOps.Bench/TASKS.md) + + +[Ops & Offline] 190.H) Provenance +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli +Summary: Ops & Offline focus on Provenance). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +PROV-OBS-53-001 | TODO | Implement DSSE/SLSA `BuildDefinition` + `BuildMetadata` models with canonical JSON serializer, Merkle digest helpers, and deterministic hashing tests. Publish sample statements for orchestrator/job/export subjects. | Provenance Guild (src/Provenance/StellaOps.Provenance.Attestation/TASKS.md) +PROV-OBS-53-002 | TODO | Build signer abstraction (cosign/KMS/offline) with key rotation hooks, audit logging, and policy enforcement (required claims). Provide unit tests using fake signer + real cosign fixture. | Provenance Guild, Security Guild (src/Provenance/StellaOps.Provenance.Attestation/TASKS.md) +PROV-OBS-54-001 | TODO | Deliver verification library that validates DSSE signatures, Merkle roots, and timeline chain-of-custody, exposing reusable CLI/service APIs. Include negative-case fixtures and offline timestamp verification. | Provenance Guild, Evidence Locker Guild (src/Provenance/StellaOps.Provenance.Attestation/TASKS.md) +PROV-OBS-54-002 | TODO | Generate .NET global tool for local verification + embed command helpers for CLI `stella forensic verify`. Provide deterministic packaging and offline kit instructions. 
| Provenance Guild, DevEx/CLI Guild (src/Provenance/StellaOps.Provenance.Attestation/TASKS.md) + + +If all tasks are done - read next sprint section - SPRINT_200_documentation_process.md diff --git a/docs/implplan/SPRINT_200_documentation_process.md b/docs/implplan/SPRINT_200_documentation_process.md new file mode 100644 index 00000000..62dd8a58 --- /dev/null +++ b/docs/implplan/SPRINT_200_documentation_process.md 
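Review bot: two rows in the new SPRINT_190 tables lose their task descriptions because an unescaped `|` inside the cell splits the column early: `DEVOPS-POLICY-27-001 | TODO | Add CI pipeline stages to run `stella policy lint | DevOps Guild, ...` and `AIRGAP-IMP-58-002 | TODO | Emit timeline events (`airgap.import.started | AirGap Importer Guild, ...`; escape the pipe as `\|` (or reword the cell) and restore the rest of each description. The `DEVOPS-RULES-33-001` cell also carries three bullet lines (`Gateway proxies only...`, `AOC ingestion cannot merge...`, `One graph platform...`), which breaks that row in a pipe table; fold them into one cell with `<br>` separators or move them to a note under the table. `OPS-SECRETS-02` appears twice with different owners and sources (ops/devops/TASKS.md and ops/offline-kit/TASKS.md), so one of the two needs a distinct ID or the rows should be merged. Minor: `DOCKER-44-001` and `DOCKER-44-003` spell the modules `Conseiller`/`Excitator` while every other row uses `Concelier`/`Excititor`, and the `Summary:` lines for 190.C through 190.H end with a stray `)`.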
@@ -0,0 +1,482 @@ +# Sprint 200 - Documentation & Process + +[Documentation & Process] 200.A) Docs Tasks.Md.I +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Tasks (phase Md.I). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +DOCS-AIAI-31-001 | TODO | Publish `/docs/advisory-ai/overview.md` covering capabilities, guardrails, RBAC. | Docs Guild, Advisory AI Guild (docs/TASKS.md) +DOCS-AIAI-31-002 | TODO | Author `/docs/advisory-ai/architecture.md` detailing RAG pipeline, deterministics, caching, model options. | Docs Guild, Advisory AI Guild (docs/TASKS.md) +DOCS-AIAI-31-003 | TODO | Write `/docs/advisory-ai/api.md` describing endpoints, schemas, errors, rate limits. | Docs Guild, Advisory AI Guild (docs/TASKS.md) +DOCS-AIAI-31-004 | TODO | Create `/docs/advisory-ai/console.md` with screenshots, a11y notes, copy-as-ticket instructions. | Docs Guild, Console Guild (docs/TASKS.md) +DOCS-AIAI-31-005 | TODO | Publish `/docs/advisory-ai/cli.md` covering commands, exit codes, scripting patterns. | Docs Guild, DevEx/CLI Guild (docs/TASKS.md) +DOCS-AIAI-31-006 | TODO | Update `/docs/policy/assistant-parameters.md` covering temperature, token limits, ranking weights, TTLs. | Docs Guild, Policy Guild (docs/TASKS.md) +DOCS-AIAI-31-007 | TODO | Write `/docs/security/assistant-guardrails.md` detailing redaction, injection defense, logging. | Docs Guild, Security Guild (docs/TASKS.md) +DOCS-AIAI-31-008 | TODO | Publish `/docs/sbom/remediation-heuristics.md` (feasibility scoring, blast radius). | Docs Guild, SBOM Service Guild (docs/TASKS.md) +DOCS-AIAI-31-009 | TODO | Create `/docs/runbooks/assistant-ops.md` for warmup, cache priming, model outages, scaling. 
| Docs Guild, DevOps Guild (docs/TASKS.md) +DOCS-AIRGAP-56-001 | TODO | Publish `/docs/airgap/overview.md` outlining modes, lifecycle, responsibilities, and imposed rule banner. | Docs Guild, AirGap Controller Guild (docs/TASKS.md) +DOCS-AIRGAP-56-002 | TODO | Author `/docs/airgap/sealing-and-egress.md` covering network policies, EgressPolicy facade usage, and verification steps. | Docs Guild, DevOps Guild (docs/TASKS.md) +DOCS-AIRGAP-56-003 | TODO | Create `/docs/airgap/mirror-bundles.md` describing bundle format, DSSE/TUF/Merkle validation, creation/import workflows. | Docs Guild, Exporter Guild (docs/TASKS.md) +DOCS-AIRGAP-56-004 | TODO | Publish `/docs/airgap/bootstrap.md` detailing Bootstrap Pack creation, validation, and install procedures. | Docs Guild, Deployment Guild (docs/TASKS.md) +DOCS-AIRGAP-57-001 | TODO | Write `/docs/airgap/staleness-and-time.md` explaining time anchors, drift policies, staleness budgets, and UI indicators. | Docs Guild, AirGap Time Guild (docs/TASKS.md) +DOCS-AIRGAP-57-002 | TODO | Publish `/docs/console/airgap.md` covering sealed badge, import wizard, staleness dashboards. | Docs Guild, Console Guild (docs/TASKS.md) + + +[Documentation & Process] 200.A) Docs Tasks.Md.II +Depends on: Sprint 200.A - Docs Tasks.Md.I +Summary: Documentation & Process focus on Docs Tasks (phase Md.II). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +DOCS-AIRGAP-57-003 | TODO | Publish `/docs/modules/cli/guides/airgap.md` documenting commands, examples, exit codes. | Docs Guild, CLI Guild (docs/TASKS.md) +DOCS-AIRGAP-57-004 | TODO | Create `/docs/airgap/operations.md` with runbooks for imports, failure recovery, and auditing. | Docs Guild, Ops Guild (docs/TASKS.md) +DOCS-AIRGAP-58-001 | TODO | Provide `/docs/airgap/degradation-matrix.md` enumerating feature availability, fallbacks, remediation. 
| Docs Guild, Product Guild (docs/TASKS.md) +DOCS-AIRGAP-58-002 | TODO | Update `/docs/security/trust-and-signing.md` with DSSE/TUF roots, rotation, and signed time tokens. | Docs Guild, Security Guild (docs/TASKS.md) +DOCS-AIRGAP-58-003 | TODO | Publish `/docs/dev/airgap-contracts.md` describing EgressPolicy usage, sealed-mode tests, linting. | Docs Guild, DevEx Guild (docs/TASKS.md) +DOCS-AIRGAP-58-004 | TODO | Document `/docs/airgap/portable-evidence.md` for exporting/importing portable evidence bundles across enclaves. | Docs Guild, Evidence Locker Guild (docs/TASKS.md) +DOCS-AIRGAP-DEVPORT-64-001 | TODO | Create `/docs/airgap/devportal-offline.md` describing offline bundle usage and verification. | Docs Guild, DevPortal Offline Guild (docs/TASKS.md) +DOCS-ATTEST-73-001 | TODO | Publish `/docs/modules/attestor/overview.md` with imposed rule banner. | Docs Guild, Attestor Service Guild (docs/TASKS.md) +DOCS-ATTEST-73-002 | TODO | Write `/docs/modules/attestor/payloads.md` with schemas/examples. | Docs Guild, Attestation Payloads Guild (docs/TASKS.md) +DOCS-ATTEST-73-003 | TODO | Publish `/docs/modules/attestor/policies.md` covering verification policies. | Docs Guild, Policy Guild (docs/TASKS.md) +DOCS-ATTEST-73-004 | TODO | Add `/docs/modules/attestor/workflows.md` detailing ingest, verify, bulk operations. | Docs Guild, Attestor Service Guild (docs/TASKS.md) +DOCS-ATTEST-74-001 | TODO | Publish `/docs/modules/attestor/keys-and-issuers.md`. | Docs Guild, KMS Guild (docs/TASKS.md) +DOCS-ATTEST-74-002 | TODO | Document `/docs/modules/attestor/transparency.md` with witness usage/offline validation. | Docs Guild, Transparency Guild (docs/TASKS.md) +DOCS-ATTEST-74-003 | TODO | Write `/docs/console/attestor-ui.md` with screenshots/workflows. | Docs Guild, Attestor Console Guild (docs/TASKS.md) +DOCS-ATTEST-74-004 | TODO | Publish `/docs/modules/cli/guides/attest.md` covering CLI usage. 
| Docs Guild, CLI Attestor Guild (docs/TASKS.md) + + +[Documentation & Process] 200.A) Docs Tasks.Md.III +Depends on: Sprint 200.A - Docs Tasks.Md.II +Summary: Documentation & Process focus on Docs Tasks (phase Md.III). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +DOCS-ATTEST-75-001 | TODO | Add `/docs/modules/attestor/airgap.md` for attestation bundles. | Docs Guild, Export Attestation Guild (docs/TASKS.md) +DOCS-ATTEST-75-002 | TODO | Update `/docs/security/aoc-invariants.md` with attestation invariants. | Docs Guild, Security Guild (docs/TASKS.md) +DOCS-CLI-41-001 | TODO | Publish `/docs/modules/cli/guides/overview.md`, `/docs/modules/cli/guides/configuration.md`, `/docs/modules/cli/guides/output-and-exit-codes.md` with imposed rule statements. | Docs Guild, DevEx/CLI Guild (docs/TASKS.md) +DOCS-CLI-42-001 | TODO | Publish `/docs/modules/cli/guides/parity-matrix.md` and command guides under `/docs/modules/cli/guides/commands/*.md` (policy, sbom, vuln, vex, advisory, export, orchestrator, notify, aoc, auth). | Docs Guild (docs/TASKS.md) +DOCS-CLI-FORENSICS-53-001 | TODO | Publish `/docs/modules/cli/guides/forensics.md` for snapshot/verify/attest commands with sample outputs, imposed rule banner, and offline workflows. | Docs Guild, DevEx/CLI Guild (docs/TASKS.md) +DOCS-CLI-OBS-52-001 | TODO | Create `/docs/modules/cli/guides/observability.md` detailing `stella obs` commands, examples, exit codes, imposed rule banner, and scripting tips. | Docs Guild, DevEx/CLI Guild (docs/TASKS.md) +DOCS-CONSOLE-OBS-52-001 | TODO | Document `/docs/console/observability.md` showcasing Observability Hub widgets, trace/log search, imposed rule banner, and accessibility tips. | Docs Guild, Console Guild (docs/TASKS.md) +DOCS-CONSOLE-OBS-52-002 | TODO | Publish `/docs/console/forensics.md` covering timeline explorer, evidence viewer, attestation verifier, imposed rule banner, and troubleshooting. 
| Docs Guild, Console Guild (docs/TASKS.md) +DOCS-CONTRIB-62-001 | TODO | Publish `/docs/contributing/api-contracts.md` detailing how to edit OAS, lint rules, compatibility checks. | Docs Guild, API Governance Guild (docs/TASKS.md) +DOCS-DEVPORT-62-001 | TODO | Document `/docs/devportal/publishing.md` for build pipeline, offline bundle steps. | Docs Guild, Developer Portal Guild (docs/TASKS.md) +DOCS-EXC-25-001 | TODO | Author `/docs/governance/exceptions.md` covering lifecycle, scope patterns, examples, compliance checklist. | Docs Guild, Governance Guild (docs/TASKS.md) +DOCS-EXC-25-002 | TODO | Publish `/docs/governance/approvals-and-routing.md` detailing roles, routing matrix, MFA rules, audit trails. | Docs Guild, Authority Core (docs/TASKS.md) +DOCS-EXC-25-003 | TODO | Create `/docs/api/exceptions.md` with endpoints, payloads, errors, idempotency notes. | Docs Guild, BE-Base Platform Guild (docs/TASKS.md) +DOCS-EXC-25-005 | TODO | Write `/docs/ui/exception-center.md` with UI walkthrough, badges, accessibility, shortcuts. | Docs Guild, UI Guild (docs/TASKS.md) +DOCS-EXC-25-006 | TODO | Update `/docs/modules/cli/guides/exceptions.md` covering command usage and exit codes. | Docs Guild, DevEx/CLI Guild (docs/TASKS.md) + + +[Documentation & Process] 200.A) Docs Tasks.Md.IV +Depends on: Sprint 200.A - Docs Tasks.Md.III +Summary: Documentation & Process focus on Docs Tasks (phase Md.IV). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +DOCS-EXC-25-007 | TODO | Publish `/docs/migration/exception-governance.md` describing cutover from legacy suppressions, notifications, rollback. | Docs Guild, DevOps Guild (docs/TASKS.md) +DOCS-EXPORT-37-004 | TODO | Publish `/docs/security/export-hardening.md` outlining RBAC, tenancy, encryption, redaction, restating imposed rule. 
| Docs Guild (docs/TASKS.md) +DOCS-EXPORT-37-005 | TODO | Validate Export Center docs against live Trivy/mirror bundles once implementation lands; refresh examples and CLI snippets accordingly. | Docs Guild, Exporter Service Guild (docs/TASKS.md) +DOCS-EXPORT-37-101 | TODO | Refresh CLI verification sections once `stella export verify` lands (flags, exit codes, samples). | Docs Guild, DevEx/CLI Guild (docs/TASKS.md) +DOCS-EXPORT-37-102 | TODO | Embed export dashboards/alerts references into provenance/runbook docs after Grafana work ships. | Docs Guild, DevOps Guild (docs/TASKS.md) +DOCS-FORENSICS-53-001 | TODO | Publish `/docs/forensics/evidence-locker.md` describing bundle formats, WORM options, retention, legal hold, and imposed rule banner. | Docs Guild, Evidence Locker Guild (docs/TASKS.md) +DOCS-FORENSICS-53-002 | TODO | Release `/docs/forensics/provenance-attestation.md` covering DSSE schema, signing process, verification workflow, and imposed rule banner. | Docs Guild, Provenance Guild (docs/TASKS.md) +DOCS-FORENSICS-53-003 | TODO | Publish `/docs/forensics/timeline.md` with schema, event kinds, filters, query examples, and imposed rule banner. | Docs Guild, Timeline Indexer Guild (docs/TASKS.md) +DOCS-GRAPH-24-001 | TODO | Author `/docs/ui/sbom-graph-explorer.md` detailing overlays, filters, saved views, accessibility, and AOC visibility. | Docs Guild, UI Guild (docs/TASKS.md) +DOCS-GRAPH-24-002 | TODO | Publish `/docs/ui/vulnerability-explorer.md` covering table usage, grouping, fix suggestions, Why drawer. | Docs Guild, UI Guild (docs/TASKS.md) +DOCS-GRAPH-24-003 | TODO | Create `/docs/modules/graph/architecture-index.md` describing data model, ingestion pipeline, caches, events. | Docs Guild, SBOM Service Guild (docs/TASKS.md) +DOCS-GRAPH-24-004 | TODO | Document `/docs/api/graph.md` and `/docs/api/vuln.md` avec endpoints, parameters, errors, RBAC. 
| Docs Guild, BE-Base Platform Guild (docs/TASKS.md) +DOCS-GRAPH-24-005 | TODO | Update `/docs/modules/cli/guides/graph-and-vuln.md` covering new CLI commands, exit codes, scripting. | Docs Guild, DevEx/CLI Guild (docs/TASKS.md) +DOCS-GRAPH-24-006 | TODO | Write `/docs/policy/ui-integration.md` explaining overlays, cache usage, simulator contracts. | Docs Guild, Policy Guild (docs/TASKS.md) +DOCS-GRAPH-24-007 | TODO | Produce `/docs/migration/graph-parity.md` with rollout plan, parity checks, fallback guidance. | Docs Guild, DevOps Guild (docs/TASKS.md) + + +[Documentation & Process] 200.A) Docs Tasks.Md.V +Depends on: Sprint 200.A - Docs Tasks.Md.IV +Summary: Documentation & Process focus on Docs Tasks (phase Md.V). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +DOCS-INSTALL-44-001 | TODO | Publish `/docs/install/overview.md` and `/docs/install/compose-quickstart.md` with imposed rule line and copy-ready commands. | Docs Guild, Deployment Guild (docs/TASKS.md) +DOCS-INSTALL-45-001 | TODO | Publish `/docs/install/helm-prod.md` and `/docs/install/configuration-reference.md` with values tables and imposed rule reminder. | Docs Guild, Deployment Guild (docs/TASKS.md) +DOCS-INSTALL-46-001 | TODO | Publish `/docs/install/airgap.md`, `/docs/security/supply-chain.md`, `/docs/operations/health-and-readiness.md`, `/docs/release/image-catalog.md`, `/docs/console/onboarding.md` (each with imposed rule). | Docs Guild, Security Guild (docs/TASKS.md) +DOCS-INSTALL-50-001 | TODO | Add `/docs/install/telemetry-stack.md` with collector deployment, exporter options, offline kit notes, and imposed rule banner. | Docs Guild, DevOps Guild (docs/TASKS.md) +DOCS-LNM-22-001 | BLOCKED (2025-10-27) | Author `/docs/advisories/aggregation.md` covering observation vs linkset, conflict handling, AOC requirements, and reviewer checklist. 
| Docs Guild, Concelier Guild (docs/TASKS.md) +DOCS-LNM-22-002 | BLOCKED (2025-10-27) | Publish `/docs/vex/aggregation.md` describing VEX observation/linkset model, product matching, conflicts. | Docs Guild, Excititor Guild (docs/TASKS.md) +DOCS-LNM-22-003 | BLOCKED (2025-10-27) | Update `/docs/api/advisories.md` and `/docs/api/vex.md` for new endpoints, parameters, errors, exports. | Docs Guild, BE-Base Platform Guild (docs/TASKS.md) +DOCS-LNM-22-004 | TODO | Create `/docs/policy/effective-severity.md` detailing severity selection strategies from multiple sources. | Docs Guild, Policy Guild (docs/TASKS.md) +DOCS-LNM-22-005 | BLOCKED (2025-10-27) | Document `/docs/ui/evidence-panel.md` with screenshots, conflict badges, accessibility guidance. | Docs Guild, UI Guild (docs/TASKS.md) +DOCS-LNM-22-007 | TODO | Publish `/docs/observability/aggregation.md` with metrics/traces/logs/SLOs. | Docs Guild, Observability Guild (docs/TASKS.md) +DOCS-LNM-22-008 | TODO | Write `/docs/migration/no-merge.md` describing migration plan, backfill steps, rollback, feature flags. | Docs Guild, DevOps Guild (docs/TASKS.md) +DOCS-NOTIFY-40-001 | TODO | Publish `/docs/notifications/channels.md`, `/docs/notifications/escalations.md`, `/docs/notifications/api.md`, `/docs/operations/notifier-runbook.md`, `/docs/security/notifications-hardening.md`; each ends with imposed rule line. | Docs Guild, Security Guild (docs/TASKS.md) +DOCS-OAS-61-001 | TODO | Publish `/docs/api/overview.md` covering auth, tenancy, pagination, idempotency, rate limits with banner. | Docs Guild, API Contracts Guild (docs/TASKS.md) +DOCS-OAS-61-002 | TODO | Author `/docs/api/conventions.md` capturing naming, errors, filters, sorting, examples. | Docs Guild, API Governance Guild (docs/TASKS.md) +DOCS-OAS-61-003 | TODO | Publish `/docs/api/versioning.md` describing SemVer, deprecation headers, migration playbooks. 
| Docs Guild, API Governance Guild (docs/TASKS.md) + + +[Documentation & Process] 200.A) Docs Tasks.Md.VI +Depends on: Sprint 200.A - Docs Tasks.Md.V +Summary: Documentation & Process focus on Docs Tasks (phase Md.VI). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +DOCS-OAS-62-001 | TODO | Stand up `/docs/api/reference/` auto-generated site; integrate with portal nav. | Docs Guild, Developer Portal Guild (docs/TASKS.md) +DOCS-OBS-50-002 | TODO | Author `/docs/observability/telemetry-standards.md` detailing common fields, scrubbing policy, sampling defaults, and redaction override procedure. | Docs Guild, Security Guild (docs/TASKS.md) +DOCS-OBS-50-003 | TODO | Create `/docs/observability/logging.md` covering structured log schema, dos/don'ts, tenant isolation, and copyable examples. | Docs Guild, Observability Guild (docs/TASKS.md) +DOCS-OBS-50-004 | TODO | Draft `/docs/observability/tracing.md` explaining context propagation, async linking, CLI header usage, and sampling strategies. | Docs Guild, Observability Guild (docs/TASKS.md) +DOCS-OBS-51-001 | TODO | Publish `/docs/observability/metrics-and-slos.md` cataloging metrics, SLO targets, burn rate policies, and alert runbooks. | Docs Guild, DevOps Guild (docs/TASKS.md) +DOCS-ORCH-32-001 | TODO | Author `/docs/orchestrator/overview.md` covering mission, roles, AOC alignment, governance, with imposed rule reminder. | Docs Guild (docs/TASKS.md) +DOCS-ORCH-32-002 | TODO | Author `/docs/orchestrator/architecture.md` detailing scheduler, DAGs, rate limits, data model, message bus, storage layout, restating imposed rule. | Docs Guild (docs/TASKS.md) +DOCS-ORCH-33-001 | TODO | Publish `/docs/orchestrator/api.md` (REST/WebSocket endpoints, payloads, error codes) with imposed rule note. | Docs Guild (docs/TASKS.md) +DOCS-ORCH-33-002 | TODO | Publish `/docs/orchestrator/console.md` covering screens, a11y, live updates, control actions, reiterating imposed rule. 
| Docs Guild (docs/TASKS.md) +DOCS-ORCH-33-003 | TODO | Publish `/docs/orchestrator/cli.md` documenting commands, options, exit codes, streaming output, offline usage, and imposed rule. | Docs Guild (docs/TASKS.md) +DOCS-ORCH-34-001 | TODO | Author `/docs/orchestrator/run-ledger.md` covering ledger schema, provenance chain, audit workflows, with imposed rule reminder. | Docs Guild (docs/TASKS.md) +DOCS-ORCH-34-002 | TODO | Update `/docs/security/secrets-handling.md` for orchestrator KMS refs, redaction badges, operator hygiene, reiterating imposed rule. | Docs Guild (docs/TASKS.md) +DOCS-ORCH-34-003 | TODO | Publish `/docs/operations/orchestrator-runbook.md` (incident playbook, backfill guide, circuit breakers, throttling) with imposed rule statement. | Docs Guild (docs/TASKS.md) +DOCS-ORCH-34-004 | TODO | Document `/docs/schemas/artifacts.md` describing artifact kinds, schema versions, hashing, storage layout, restating imposed rule. | Docs Guild (docs/TASKS.md) +DOCS-ORCH-34-005 | TODO | Author `/docs/slo/orchestrator-slo.md` defining SLOs, burn alerts, measurement, and reiterating imposed rule. | Docs Guild (docs/TASKS.md) + + +[Documentation & Process] 200.A) Docs Tasks.Md.VII +Depends on: Sprint 200.A - Docs Tasks.Md.VI +Summary: Documentation & Process focus on Docs Tasks (phase Md.VII). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +DOCS-POLICY-23-001 | TODO | Author `/docs/policy/overview.md` describing SPL philosophy, layering, and glossary with reviewer checklist. | Docs Guild, Policy Guild (docs/TASKS.md) +DOCS-POLICY-23-002 | TODO | Write `/docs/policy/spl-v1.md` (language reference, JSON Schema, examples). | Docs Guild, Policy Guild (docs/TASKS.md) +DOCS-POLICY-23-003 | TODO | Produce `/docs/policy/runtime.md` covering compiler, evaluator, caching, events, SLOs. | Docs Guild, Policy Guild (docs/TASKS.md) +DOCS-POLICY-23-004 | TODO | Document `/docs/policy/editor.md` (UI walkthrough, validation, simulation, approvals). 
| Docs Guild, UI Guild (docs/TASKS.md) +DOCS-POLICY-23-005 | TODO | Publish `/docs/policy/governance.md` (roles, scopes, approvals, signing, exceptions). | Docs Guild, Security Guild (docs/TASKS.md) +DOCS-POLICY-23-006 | TODO | Update `/docs/api/policy.md` with new endpoints, schemas, errors, pagination. | Docs Guild, BE-Base Platform Guild (docs/TASKS.md) +DOCS-POLICY-23-007 | TODO | Update `/docs/modules/cli/guides/policy.md` for lint/simulate/activate/history commands, exit codes. | Docs Guild, DevEx/CLI Guild (docs/TASKS.md) +DOCS-POLICY-23-008 | TODO | Refresh `/docs/modules/policy/architecture.md` with data model, sequence diagrams, event flows. | Docs Guild, Architecture Guild (docs/TASKS.md) +DOCS-POLICY-23-009 | TODO | Create `/docs/migration/policy-parity.md` covering dual-run parity plan and rollback. | Docs Guild, DevOps Guild (docs/TASKS.md) +DOCS-POLICY-23-010 | TODO | Write `/docs/ui/explainers.md` showing explain trees, evidence overlays, interpretation guidance. | Docs Guild, UI Guild (docs/TASKS.md) +DOCS-POLICY-27-001 | BLOCKED (2025-10-27) | Publish `/docs/policy/studio-overview.md` covering lifecycle, roles, glossary, and compliance checklist. | Docs Guild, Policy Guild (docs/TASKS.md) +DOCS-POLICY-27-002 | BLOCKED (2025-10-27) | Write `/docs/policy/authoring.md` detailing workspace templates, snippets, lint rules, IDE shortcuts, and best practices. | Docs Guild, Console Guild (docs/TASKS.md) +DOCS-POLICY-27-003 | BLOCKED (2025-10-27) | Document `/docs/policy/versioning-and-publishing.md` (semver rules, attestations, rollback) with compliance checklist. | Docs Guild, Policy Registry Guild (docs/TASKS.md) +DOCS-POLICY-27-004 | BLOCKED (2025-10-27) | Write `/docs/policy/simulation.md` covering quick vs batch sim, thresholds, evidence bundles, CLI examples. 
| Docs Guild, Scheduler Guild (docs/TASKS.md) +DOCS-POLICY-27-005 | BLOCKED (2025-10-27) | Publish `/docs/policy/review-and-approval.md` with approver requirements, comments, webhooks, audit trail guidance. | Docs Guild, Product Ops (docs/TASKS.md) + + +[Documentation & Process] 200.A) Docs Tasks.Md.VIII +Depends on: Sprint 200.A - Docs Tasks.Md.VII +Summary: Documentation & Process focus on Docs Tasks (phase Md.VIII). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +DOCS-POLICY-27-006 | BLOCKED (2025-10-27) | Author `/docs/policy/promotion.md` covering environments, canary, rollback, and monitoring steps. | Docs Guild, Policy Guild (docs/TASKS.md) +DOCS-POLICY-27-007 | BLOCKED (2025-10-27) | Update `/docs/policy/cli.md` with new commands, JSON schemas, CI usage, and compliance checklist. | Docs Guild, DevEx/CLI Guild (docs/TASKS.md) +DOCS-POLICY-27-008 | BLOCKED (2025-10-27) | Publish `/docs/policy/api.md` describing Registry endpoints, request/response schemas, errors, and feature flags. | Docs Guild, Policy Registry Guild (docs/TASKS.md) +DOCS-POLICY-27-009 | BLOCKED (2025-10-27) | Create `/docs/security/policy-attestations.md` covering signing, verification, key rotation, and compliance checklist. | Docs Guild, Security Guild (docs/TASKS.md) +DOCS-POLICY-27-010 | BLOCKED (2025-10-27) | Author `/docs/modules/policy/registry-architecture.md` (service design, schemas, queues, failure modes) with diagrams and checklist. | Docs Guild, Architecture Guild (docs/TASKS.md) +DOCS-POLICY-27-011 | BLOCKED (2025-10-27) | Publish `/docs/observability/policy-telemetry.md` with metrics/log tables, dashboards, alerts, and compliance checklist. | Docs Guild, Observability Guild (docs/TASKS.md) +DOCS-POLICY-27-012 | BLOCKED (2025-10-27) | Write `/docs/runbooks/policy-incident.md` detailing rollback, freeze, forensic steps, notifications. 
| Docs Guild, Ops Guild (docs/TASKS.md) +DOCS-POLICY-27-013 | BLOCKED (2025-10-27) | Update `/docs/examples/policy-templates.md` with new templates, snippets, and sample policies. | Docs Guild, Policy Guild (docs/TASKS.md) +DOCS-POLICY-27-014 | BLOCKED (2025-10-27) | Refresh `/docs/aoc/aoc-guardrails.md` to include Studio-specific guardrails and validation scenarios. | Docs Guild, Policy Registry Guild (docs/TASKS.md) +DOCS-RISK-66-001 | TODO | Publish `/docs/risk/overview.md` covering concepts and glossary. | Docs Guild, Risk Profile Schema Guild (docs/TASKS.md) +DOCS-RISK-66-002 | TODO | Author `/docs/risk/profiles.md` (authoring, versioning, scope). | Docs Guild, Policy Guild (docs/TASKS.md) +DOCS-RISK-66-003 | TODO | Publish `/docs/risk/factors.md` cataloging signals, transforms, reducers, TTLs. | Docs Guild, Risk Engine Guild (docs/TASKS.md) +DOCS-RISK-66-004 | TODO | Create `/docs/risk/formulas.md` detailing math, normalization, gating, severity. | Docs Guild, Risk Engine Guild (docs/TASKS.md) +DOCS-RISK-67-001 | TODO | Publish `/docs/risk/explainability.md` showing artifact schema and UI screenshots. | Docs Guild, Risk Engine Guild (docs/TASKS.md) +DOCS-RISK-67-002 | TODO | Produce `/docs/risk/api.md` with endpoint reference/examples. | Docs Guild, API Guild (docs/TASKS.md) + + +[Documentation & Process] 200.A) Docs Tasks.Md.IX +Depends on: Sprint 200.A - Docs Tasks.Md.VIII +Summary: Documentation & Process focus on Docs Tasks (phase Md.IX). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +DOCS-RISK-67-003 | TODO | Document `/docs/console/risk-ui.md` for authoring, simulation, dashboards. | Docs Guild, Console Guild (docs/TASKS.md) +DOCS-RISK-67-004 | TODO | Publish `/docs/modules/cli/guides/risk.md` covering CLI workflows. | Docs Guild, CLI Guild (docs/TASKS.md) +DOCS-RISK-68-001 | TODO | Add `/docs/airgap/risk-bundles.md` for offline factor bundles. 
| Docs Guild, Export Guild (docs/TASKS.md) +DOCS-RISK-68-002 | TODO | Update `/docs/security/aoc-invariants.md` with risk scoring provenance guarantees. | Docs Guild, Security Guild (docs/TASKS.md) +DOCS-RUNBOOK-55-001 | TODO | Author `/docs/runbooks/incidents.md` describing incident mode activation, escalation steps, retention impact, verification checklist, and imposed rule banner. | Docs Guild, Ops Guild (docs/TASKS.md) +DOCS-SDK-62-001 | TODO | Publish `/docs/sdks/overview.md` plus language guides (`typescript.md`, `python.md`, `go.md`, `java.md`). | Docs Guild, SDK Generator Guild (docs/TASKS.md) +DOCS-SEC-62-001 | TODO | Update `/docs/security/auth-scopes.md` with OAuth2/PAT scopes, tenancy header usage. | Docs Guild, Authority Core (docs/TASKS.md) +DOCS-SEC-OBS-50-001 | TODO | Update `/docs/security/redaction-and-privacy.md` to cover telemetry privacy controls, tenant opt-in debug, and imposed rule reminder. | Docs Guild, Security Guild (docs/TASKS.md) +DOCS-SIG-26-001 | TODO | Write `/docs/signals/reachability.md` covering states, scores, provenance, retention. | Docs Guild, Signals Guild (docs/TASKS.md) +DOCS-SIG-26-002 | TODO | Publish `/docs/signals/callgraph-formats.md` with schemas and validation errors. | Docs Guild, Signals Guild (docs/TASKS.md) +DOCS-SIG-26-003 | TODO | Create `/docs/signals/runtime-facts.md` detailing agent capabilities, privacy safeguards, opt-in flags. | Docs Guild, Runtime Guild (docs/TASKS.md) +DOCS-SIG-26-004 | TODO | Document `/docs/policy/signals-weighting.md` for SPL predicates and weighting strategies. | Docs Guild, Policy Guild (docs/TASKS.md) +DOCS-SIG-26-005 | TODO | Draft `/docs/ui/reachability-overlays.md` with badges, timelines, shortcuts. | Docs Guild, UI Guild (docs/TASKS.md) +DOCS-SIG-26-006 | TODO | Update `/docs/modules/cli/guides/reachability.md` for new commands and automation recipes. 
| Docs Guild, DevEx/CLI Guild (docs/TASKS.md) +DOCS-SIG-26-007 | TODO | Publish `/docs/api/signals.md` covering endpoints, payloads, ETags, errors. | Docs Guild, BE-Base Platform Guild (docs/TASKS.md) + + +[Documentation & Process] 200.A) Docs Tasks.Md.X +Depends on: Sprint 200.A - Docs Tasks.Md.IX +Summary: Documentation & Process focus on Docs Tasks (phase Md.X). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +DOCS-SIG-26-008 | TODO | Write `/docs/migration/enable-reachability.md` guiding rollout, fallbacks, monitoring. | Docs Guild, DevOps Guild (docs/TASKS.md) +DOCS-SURFACE-01 | TODO | Create `/docs/modules/scanner/scanner-engine.md` covering Surface.FS/Env/Secrets workflow between Scanner, Zastava, Scheduler, and Ops. | Docs Guild, Scanner Guild, Zastava Guild (docs/TASKS.md) +DOCS-TEN-47-001 | TODO | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` outlining scope grammar, tenant model, imposed rule reminder. | Docs Guild, Authority Core (docs/TASKS.md) +DOCS-TEN-48-001 | TODO | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md`. | Docs Guild, Platform Ops (docs/TASKS.md) +DOCS-TEN-49-001 | TODO | Publish `/docs/modules/cli/guides/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, update `/docs/install/configuration-reference.md` with new env vars, all ending with imposed rule line. | Docs & DevEx Guilds (docs/TASKS.md) +DOCS-TEST-62-001 | TODO | Author `/docs/testing/contract-testing.md` covering mock server, replay tests, golden fixtures. | Docs Guild, Contract Testing Guild (docs/TASKS.md) +DOCS-VEX-30-001 | TODO | Publish `/docs/vex/consensus-overview.md` describing purpose, scope, AOC guarantees. | Docs Guild, VEX Lens Guild (docs/TASKS.md) +DOCS-VEX-30-002 | TODO | Author `/docs/vex/consensus-algorithm.md` covering normalization, weighting, thresholds, examples. 
| Docs Guild, VEX Lens Guild (docs/TASKS.md) +DOCS-VEX-30-003 | TODO | Document `/docs/vex/issuer-directory.md` (issuer management, keys, trust overrides, audit). | Docs Guild, Issuer Directory Guild (docs/TASKS.md) +DOCS-VEX-30-004 | TODO | Publish `/docs/vex/consensus-api.md` with endpoint specs, query params, rate limits. | Docs Guild, VEX Lens Guild (docs/TASKS.md) +DOCS-VEX-30-005 | TODO | Write `/docs/vex/consensus-console.md` covering UI workflows, filters, conflicts, accessibility. | Docs Guild, Console Guild (docs/TASKS.md) +DOCS-VEX-30-006 | TODO | Add `/docs/policy/vex-trust-model.md` detailing policy knobs, thresholds, simulation. | Docs Guild, Policy Guild (docs/TASKS.md) +DOCS-VEX-30-007 | TODO | Publish `/docs/sbom/vex-mapping.md` (CPE→purl strategy, edge cases, overrides). | Docs Guild, SBOM Service Guild (docs/TASKS.md) +DOCS-VEX-30-008 | TODO | Deliver `/docs/security/vex-signatures.md` (verification flow, key rotation, audit). | Docs Guild, Security Guild (docs/TASKS.md) +DOCS-VEX-30-009 | TODO | Create `/docs/runbooks/vex-ops.md` for recompute storms, mapping failures, signature errors. | Docs Guild, DevOps Guild (docs/TASKS.md) + + +[Documentation & Process] 200.A) Docs Tasks.Md.XI +Depends on: Sprint 200.A - Docs Tasks.Md.X +Summary: Documentation & Process focus on Docs Tasks (phase Md.XI). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +DOCS-VULN-29-001 | TODO | Publish `/docs/vuln/explorer-overview.md` covering domain model, identities, AOC guarantees, workflow summary. | Docs Guild, Vuln Explorer Guild (docs/TASKS.md) +DOCS-VULN-29-002 | TODO | Write `/docs/vuln/explorer-using-console.md` with workflows, screenshots, keyboard shortcuts, saved views, deep links. | Docs Guild, Console Guild (docs/TASKS.md) +DOCS-VULN-29-003 | TODO | Author `/docs/vuln/explorer-api.md` (endpoints, query schema, grouping, errors, rate limits). 
| Docs Guild, Vuln Explorer API Guild (docs/TASKS.md) +DOCS-VULN-29-004 | TODO | Publish `/docs/vuln/explorer-cli.md` with command reference, samples, exit codes, CI snippets. | Docs Guild, DevEx/CLI Guild (docs/TASKS.md) +DOCS-VULN-29-005 | TODO | Write `/docs/vuln/findings-ledger.md` detailing event schema, hashing, Merkle roots, replay tooling. | Docs Guild, Findings Ledger Guild (docs/TASKS.md) +DOCS-VULN-29-006 | TODO | Update `/docs/policy/vuln-determinations.md` for new rationale, signals, simulation semantics. | Docs Guild, Policy Guild (docs/TASKS.md) +DOCS-VULN-29-007 | TODO | Publish `/docs/vex/explorer-integration.md` covering CSAF mapping, suppression precedence, status semantics. | Docs Guild, Excititor Guild (docs/TASKS.md) +DOCS-VULN-29-008 | TODO | Publish `/docs/advisories/explorer-integration.md` covering key normalization, withdrawn handling, provenance. | Docs Guild, Concelier Guild (docs/TASKS.md) +DOCS-VULN-29-009 | TODO | Author `/docs/sbom/vuln-resolution.md` detailing version semantics, scope, paths, safe version hints. | Docs Guild, SBOM Service Guild (docs/TASKS.md) +DOCS-VULN-29-010 | TODO | Publish `/docs/observability/vuln-telemetry.md` (metrics, logs, tracing, dashboards, SLOs). | Docs Guild, Observability Guild (docs/TASKS.md) +DOCS-VULN-29-011 | TODO | Create `/docs/security/vuln-rbac.md` for roles, ABAC policies, attachment encryption, CSRF. | Docs Guild, Security Guild (docs/TASKS.md) +DOCS-VULN-29-012 | TODO | Write `/docs/runbooks/vuln-ops.md` (projector lag, resolver storms, export failures, policy activation). | Docs Guild, Ops Guild (docs/TASKS.md) +DOCS-VULN-29-013 | TODO | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API images, manifests, resource sizing, health checks. 
| Docs Guild, Deployment Guild (docs/TASKS.md) + + +[Documentation & Process] 200.B) Docs Modules Advisory Ai +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Advisory Ai). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +ADVISORY-AI-DOCS-0001 | TODO | Align with ./AGENTS.md | Docs Guild (docs/modules/advisory-ai/TASKS.md) +ADVISORY-AI-ENG-0001 | TODO | Sync into ../../TASKS.md | Module Team (docs/modules/advisory-ai/TASKS.md) +ADVISORY-AI-OPS-0001 | TODO | Document outputs in ./README.md | Ops Guild (docs/modules/advisory-ai/TASKS.md) + + +[Documentation & Process] 200.C) Docs Modules Attestor +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Attestor). 
+Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +ATTESTOR-DOCS-0001 | DOING (2025-10-29) | See ./AGENTS.md | Docs Guild (docs/modules/attestor/TASKS.md) +ATTESTOR-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/attestor/TASKS.md) +ATTESTOR-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/attestor/TASKS.md) + + +[Documentation & Process] 200.D) Docs Modules Authority +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Authority). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +AUTHORITY-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/authority/TASKS.md) +AUTHORITY-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/authority/TASKS.md) +AUTHORITY-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/authority/TASKS.md) + + +[Documentation & Process] 200.E) Docs Modules Ci +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Ci). 
+Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +CI RECIPES-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/ci/TASKS.md) +CI RECIPES-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/ci/TASKS.md) +CI RECIPES-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/ci/TASKS.md) + + +[Documentation & Process] 200.F) Docs Modules Cli +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Cli). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +CLI-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/cli/TASKS.md) +CLI-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/cli/TASKS.md) +CLI-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/cli/TASKS.md) + + +[Documentation & Process] 200.G) Docs Modules Concelier +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Concelier). 
+Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +CONCELIER-DOCS-0001 | DOING (2025-10-29) | See ./AGENTS.md | Docs Guild (docs/modules/concelier/TASKS.md) +CONCELIER-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/concelier/TASKS.md) +CONCELIER-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/concelier/TASKS.md) + + +[Documentation & Process] 200.H) Docs Modules Devops +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Devops). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +DEVOPS-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/devops/TASKS.md) +DEVOPS-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/devops/TASKS.md) +DEVOPS-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/devops/TASKS.md) + + +[Documentation & Process] 200.I) Docs Modules Excititor +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Excititor). 
+Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +EXCITITOR-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/excititor/TASKS.md) +EXCITITOR-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/excititor/TASKS.md) +EXCITITOR-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/excititor/TASKS.md) + + +[Documentation & Process] 200.J) Docs Modules Export Center +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Export Center). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +EXPORT CENTER-DOCS-0001 | DOING (2025-10-29) | See ./AGENTS.md | Docs Guild (docs/modules/export-center/TASKS.md) +EXPORT CENTER-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/export-center/TASKS.md) +EXPORT CENTER-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/export-center/TASKS.md) + + +[Documentation & Process] 200.K) Docs Modules Graph +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Graph). 
+Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +GRAPH-DOCS-0001 | DOING (2025-10-29) | See ./AGENTS.md | Docs Guild (docs/modules/graph/TASKS.md) +GRAPH-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/graph/TASKS.md) +GRAPH-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/graph/TASKS.md) + + +[Documentation & Process] 200.L) Docs Modules Notify +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Notify). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +NOTIFY-DOCS-0001 | DOING (2025-10-29) | See ./AGENTS.md | Docs Guild (docs/modules/notify/TASKS.md) +NOTIFY-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/notify/TASKS.md) +NOTIFY-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/notify/TASKS.md) + + +[Documentation & Process] 200.M) Docs Modules Orchestrator +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Orchestrator). 
+Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +SOURCE---JOB-ORCHESTRATOR-DOCS-0001 | DOING (2025-10-29) | Align with ./AGENTS.md | Docs Guild (docs/modules/orchestrator/TASKS.md) +SOURCE---JOB-ORCHESTRATOR-ENG-0001 | TODO | Sync into ../../TASKS.md | Module Team (docs/modules/orchestrator/TASKS.md) +SOURCE---JOB-ORCHESTRATOR-OPS-0001 | TODO | Document outputs in ./README.md | Ops Guild (docs/modules/orchestrator/TASKS.md) + + +[Documentation & Process] 200.N) Docs Modules Platform +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Platform). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +PLATFORM-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/platform/TASKS.md) +PLATFORM-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/platform/TASKS.md) +PLATFORM-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/platform/TASKS.md) + + +[Documentation & Process] 200.O) Docs Modules Policy +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Policy). 
+Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +POLICY ENGINE-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/policy/TASKS.md) +POLICY ENGINE-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/policy/TASKS.md) +POLICY ENGINE-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/policy/TASKS.md) + + +[Documentation & Process] 200.P) Docs Modules Registry +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Registry). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +REGISTRY TOKEN SERVICE-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/registry/TASKS.md) +REGISTRY TOKEN SERVICE-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/registry/TASKS.md) +REGISTRY TOKEN SERVICE-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/registry/TASKS.md) + + +[Documentation & Process] 200.Q) Docs Modules Scanner +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Scanner). 
+Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +SCANNER-DOCS-0001 | DOING (2025-10-29) | See ./AGENTS.md | Docs Guild (docs/modules/scanner/TASKS.md) +SCANNER-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/scanner/TASKS.md) +SCANNER-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/scanner/TASKS.md) + + +[Documentation & Process] 200.R) Docs Modules Scheduler +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Scheduler). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +SCHEDULER-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/scheduler/TASKS.md) +SCHEDULER-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/scheduler/TASKS.md) +SCHEDULER-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/scheduler/TASKS.md) + + +[Documentation & Process] 200.S) Docs Modules Signer +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Signer). 
+Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +SIGNER-DOCS-0001 | DOING (2025-10-29) | See ./AGENTS.md | Docs Guild (docs/modules/signer/TASKS.md) +SIGNER-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/signer/TASKS.md) +SIGNER-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/signer/TASKS.md) + + +[Documentation & Process] 200.T) Docs Modules Telemetry +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Telemetry). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +TELEMETRY-DOCS-0001 | DOING (2025-10-29) | See ./AGENTS.md | Docs Guild (docs/modules/telemetry/TASKS.md) +TELEMETRY-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/telemetry/TASKS.md) +TELEMETRY-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/telemetry/TASKS.md) + + +[Documentation & Process] 200.U) Docs Modules Ui +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Ui). 
+Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +CONSOLE UI-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/ui/TASKS.md) +CONSOLE UI-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/ui/TASKS.md) +CONSOLE UI-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/ui/TASKS.md) + + +[Documentation & Process] 200.V) Docs Modules Vex Lens +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Vex Lens). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +VEX-CONSENSUS-LENS-DOCS-0001 | DOING (2025-10-29) | Align with ./AGENTS.md | Docs Guild (docs/modules/vex-lens/TASKS.md) +VEX-CONSENSUS-LENS-ENG-0001 | TODO | Sync into ../../TASKS.md | Module Team (docs/modules/vex-lens/TASKS.md) +VEX-CONSENSUS-LENS-OPS-0001 | TODO | Document outputs in ./README.md | Ops Guild (docs/modules/vex-lens/TASKS.md) + + +[Documentation & Process] 200.W) Docs Modules Vexer +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Vexer). 
+Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +VEXER-DOCS-0001 | DOING (2025-10-29) | See ./AGENTS.md | Docs Guild (docs/modules/vexer/TASKS.md) +VEXER-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/vexer/TASKS.md) +VEXER-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/vexer/TASKS.md) + + +[Documentation & Process] 200.X) Docs Modules Vuln Explorer +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Vuln Explorer). +Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +VULNERABILITY-EXPLORER-DOCS-0001 | DOING (2025-10-29) | Align with ./AGENTS.md | Docs Guild (docs/modules/vuln-explorer/TASKS.md) +VULNERABILITY-EXPLORER-ENG-0001 | TODO | Sync into ../../TASKS.md | Module Team (docs/modules/vuln-explorer/TASKS.md) +VULNERABILITY-EXPLORER-OPS-0001 | TODO | Document outputs in ./README.md | Ops Guild (docs/modules/vuln-explorer/TASKS.md) + + +[Documentation & Process] 200.Y) Docs Modules Zastava +Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment +Summary: Documentation & Process focus on Docs Modules Zastava). 
+Task ID | State | Task description | Owners (Source) +--- | --- | --- | --- +ZASTAVA-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/zastava/TASKS.md) +ZASTAVA-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/zastava/TASKS.md) +ZASTAVA-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/zastava/TASKS.md) + +If all tasks are done - you have reached the end of the sprint plan. diff --git a/docs/modules/advisory-ai/AGENTS.md b/docs/modules/advisory-ai/AGENTS.md index 1885c2b8..ae84725e 100644 --- a/docs/modules/advisory-ai/AGENTS.md +++ b/docs/modules/advisory-ai/AGENTS.md 
@@ -1,22 +1,35 @@ -# Advisory AI agent guide - -## Mission -Advisory AI is the retrieval-augmented assistant that synthesizes advisory and VEX evidence into operator-ready summaries, conflict explanations, and remediation plans with strict provenance. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Review ./architecture.md for retrieval pipeline, guardrails, and profile support. -2. Open ../../implplan/SPRINTS.md and locate stories for this component. -3. Check ./TASKS.md and update status before/after work. -4. Read README/architecture for design context and update as the implementation evolves. - -## Guardrails -- Uphold Aggregation-Only Contract boundaries when consuming ingestion data. -- Preserve determinism and provenance in all derived outputs. -- Document offline/air-gap pathways for any new feature. -- Update telemetry/observability assets alongside feature work. +# Advisory AI agent guide + +## Mission +Advisory AI is the retrieval-augmented assistant that synthesizes advisory and VEX evidence into operator-ready summaries, conflict explanations, and remediation plans with strict provenance. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Review ./architecture.md for retrieval pipeline, guardrails, and profile support. +2. Open ../../implplan/SPRINTS.md and locate stories for this component. +3. Check ./TASKS.md and update status before/after work. +4. Read README/architecture for design context and update as the implementation evolves. + +## Guardrails +- Uphold Aggregation-Only Contract boundaries when consuming ingestion data. +- Preserve determinism and provenance in all derived outputs. +- Document offline/air-gap pathways for any new feature. 
+- Update telemetry/observability assets alongside feature work. + +## Required Reading +- `docs/modules/advisory-ai/README.md` +- `docs/modules/advisory-ai/architecture.md` +- `docs/modules/advisory-ai/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/modules/attestor/AGENTS.md b/docs/modules/attestor/AGENTS.md index b0211dbc..32c13087 100644 --- a/docs/modules/attestor/AGENTS.md +++ b/docs/modules/attestor/AGENTS.md 
@@ -1,22 +1,35 @@ -# Attestor agent guide - -## Mission -Attestor moves signed evidence through the trust chain by accepting DSSE bundles from Signer, registering them with Rekor v2, and serving deterministic verification payloads to other services. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. -- Update runbooks/observability assets when operational characteristics change. +# Attestor agent guide + +## Mission +Attestor moves signed evidence through the trust chain by accepting DSSE bundles from Signer, registering them with Rekor v2, and serving deterministic verification payloads to other services. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. 
Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. + +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). +- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +- Update runbooks/observability assets when operational characteristics change. + +## Required Reading +- `docs/modules/attestor/README.md` +- `docs/modules/attestor/architecture.md` +- `docs/modules/attestor/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/modules/authority/AGENTS.md b/docs/modules/authority/AGENTS.md index 42c48c82..eaebf613 100644 --- a/docs/modules/authority/AGENTS.md +++ b/docs/modules/authority/AGENTS.md 
@@ -1,22 +1,34 @@ -# Authority agent guide - -## Mission -Authority is the platform OIDC/OAuth2 control plane that mints short-lived, sender-constrained operational tokens (OpToks) for every StellaOps service and tool. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. -- Update runbooks/observability assets when operational characteristics change. \ No newline at end of file +# Authority agent guide + +## Mission +Authority is the platform OIDC/OAuth2 control plane that mints short-lived, sender-constrained operational tokens (OpToks) for every StellaOps service and tool. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
+ +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). +- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +- Update runbooks/observability assets when operational characteristics change. +## Required Reading +- `docs/modules/authority/README.md` +- `docs/modules/authority/architecture.md` +- `docs/modules/authority/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/modules/ci/AGENTS.md b/docs/modules/ci/AGENTS.md index 16fe4ced..dc321c7f 100644 --- a/docs/modules/ci/AGENTS.md +++ b/docs/modules/ci/AGENTS.md 
@@ -1,22 +1,34 @@ -# CI Recipes agent guide - -## Mission -CI module collects reproducible pipeline recipes for builds, tests, and release promotion across supported platforms. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. -- Update runbooks/observability assets when operational characteristics change. \ No newline at end of file +# CI Recipes agent guide + +## Mission +CI module collects reproducible pipeline recipes for builds, tests, and release promotion across supported platforms. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
+ +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). +- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +- Update runbooks/observability assets when operational characteristics change. +## Required Reading +- `docs/modules/ci/README.md` +- `docs/modules/ci/architecture.md` +- `docs/modules/ci/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/modules/cli/AGENTS.md b/docs/modules/cli/AGENTS.md index 1557cea8..f2abd1d5 100644 --- a/docs/modules/cli/AGENTS.md +++ b/docs/modules/cli/AGENTS.md 
@@ -1,22 +1,34 @@ -# CLI agent guide - -## Mission -The `stella` CLI is the operator-facing Swiss army knife for scans, exports, policy management, offline kit operations, and automation scripting. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. -- Update runbooks/observability assets when operational characteristics change. \ No newline at end of file +# CLI agent guide + +## Mission +The `stella` CLI is the operator-facing Swiss army knife for scans, exports, policy management, offline kit operations, and automation scripting. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
+ +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). +- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +- Update runbooks/observability assets when operational characteristics change. +## Required Reading +- `docs/modules/cli/README.md` +- `docs/modules/cli/architecture.md` +- `docs/modules/cli/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/modules/concelier/AGENTS.md b/docs/modules/concelier/AGENTS.md index 4bfbe9ae..3ddabd26 100644 --- a/docs/modules/concelier/AGENTS.md +++ b/docs/modules/concelier/AGENTS.md 
@@ -1,22 +1,34 @@ -# Concelier agent guide - -## Mission -Concelier ingests signed advisories from dozens of sources and converts them into immutable observations plus linksets under the Aggregation-Only Contract (AOC). - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. -- Update runbooks/observability assets when operational characteristics change. \ No newline at end of file +# Concelier agent guide + +## Mission +Concelier ingests signed advisories from dozens of sources and converts them into immutable observations plus linksets under the Aggregation-Only Contract (AOC). + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
+ +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). +- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +- Update runbooks/observability assets when operational characteristics change. +## Required Reading +- `docs/modules/concelier/README.md` +- `docs/modules/concelier/architecture.md` +- `docs/modules/concelier/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/modules/devops/AGENTS.md b/docs/modules/devops/AGENTS.md index 33f4bf99..c68ad349 100644 --- a/docs/modules/devops/AGENTS.md +++ b/docs/modules/devops/AGENTS.md 
@@ -1,22 +1,34 @@ -# DevOps agent guide - -## Mission -The DevOps module captures release, deployment, and migration playbooks that keep StellaOps deterministic across environments. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. -- Update runbooks/observability assets when operational characteristics change. \ No newline at end of file +# DevOps agent guide + +## Mission +The DevOps module captures release, deployment, and migration playbooks that keep StellaOps deterministic across environments. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
+ +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). +- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +- Update runbooks/observability assets when operational characteristics change. +## Required Reading +- `docs/modules/devops/README.md` +- `docs/modules/devops/architecture.md` +- `docs/modules/devops/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/modules/devops/runbooks/launch-readiness.md b/docs/modules/devops/runbooks/launch-readiness.md index 2604054b..b7ebe0ee 100644 --- a/docs/modules/devops/runbooks/launch-readiness.md +++ b/docs/modules/devops/runbooks/launch-readiness.md 
@@ -13,7 +13,7 @@ This document captures production launch sign-offs, deployment readiness checkpo | Attestor | Attestor Guild | `ATTESTOR-API-11-201` / `ATTESTOR-VERIFY-11-202` / `ATTESTOR-OBS-11-203` (DONE 2025-10-19) | READY | 2025-10-26T14:10Z | Rekor submission/verification pipeline green; telemetry pack published. | | Scanner Web + Worker | Scanner WebService Guild | `SCANNER-WEB-09-10x`, `SCANNER-RUNTIME-12-30x` (DONE 2025-10-18 -> 2025-10-24) | READY* | 2025-10-26T14:20Z | Orchestrator envelope work (`SCANNER-EVENTS-16-301/302`) still open; see gaps. | | Concelier Core & Connectors | Concelier Core / Ops Guild | Ops runbook sign-off in `docs/modules/concelier/operations/conflict-resolution.md` (2025-10-16) | READY | 2025-10-26T14:25Z | Conflict resolution & connector coverage accepted; Mongo schema hardening pending (see gaps). | -| Excititor API | Excititor Core Guild | Wave 0 connector ingest sign-offs (EXECPLAN.Section Wave 0) | READY | 2025-10-26T14:28Z | VEX linkset publishing complete for launch datasets. | +| Excititor API | Excititor Core Guild | Wave 0 connector ingest sign-offs (Sprint backlog reference) | READY | 2025-10-26T14:28Z | VEX linkset publishing complete for launch datasets. | | Notify Web (legacy) | Notify Guild | Existing stack carried forward; Notifier program tracked separately (Sprint 38-40) | PENDING | 2025-10-26T14:32Z | Legacy notify web remains operational; migration to Notifier blocked on `SCANNER-EVENTS-16-301`. | | Web UI | UI Guild | Stable build `registry.stella-ops.org/.../web-ui@sha256:10d9248...` deployed in stage and smoke-tested | READY | 2025-10-26T14:35Z | Policy editor GA items (Sprint 20) outside launch scope. | | DevOps / Release | DevOps Guild | `deploy/tools/validate-profiles.sh` run (2025-10-26) covering dev/stage/prod/airgap/mirror | READY | 2025-10-26T15:02Z | Compose/Helm lint + docker compose config validated; see Section 2 for details. | 
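Review bot: the replacement cell `(Sprint backlog reference)` in the Excititor API row is less precise than what it replaces: the old text pointed at a named section (`EXECPLAN.Section Wave 0`), the new text points at nothing a reader can open. This table is the record of launch sign-offs, so give the row a concrete path and heading in the sprint document that now holds the Wave 0 connector ingest stories, or the story IDs themselves, as the Attestor and Scanner rows do with `ATTESTOR-API-11-201` and `SCANNER-WEB-09-10x`.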
diff --git a/docs/modules/devops/runbooks/zastava-deployment.md b/docs/modules/devops/runbooks/zastava-deployment.md new file mode 100644 index 00000000..79a43b4d --- /dev/null +++ b/docs/modules/devops/runbooks/zastava-deployment.md 
@@ -0,0 +1,49 @@ +# Zastava Deployment Runbook + +> **Audience:** DevOps, Zastava Guild +> +> **Purpose:** Provide steps for deploying Zastava Observer + Webhook in connected and air-gapped clusters. + +## 1. Prerequisites + +- Kubernetes 1.26+ with admission registration permissions. +- Access to StellaOps Container Registry or offline bundle with Zastava images. +- Authority scopes and certificates configured for Zastava identities. +- Surface.FS cache endpoint (RustFS/S3) reachable from nodes. + +## 2. Installation Steps + +1. **Prepare namespace & secrets** + - Create Kubernetes namespace (default `stellaops-runtime`). + - Provision secrets (`zastava-mtls`, `zastava-op-token`, `surface-secrets`). +2. **Deploy Observer** + - Apply Helm chart `helm/zastava` with values aligning to Surface.Env settings. + - Confirm DaemonSet pods schedule on all nodes; check `/healthz` endpoints. +3. **Deploy Webhook** + - Install ValidatingWebhookConfiguration with CA bundle and service reference. + - Enable dry-run mode first, monitor logs, then switch `enforce=true` once validations pass. +4. **Configure policies** + - Populate admission policies in Policy Engine; ensure tokens contain `runtime:read` scopes. + - Update CLI/Console settings for runtime posture view. +5. **Observability** + - Scrape metrics (`zastava_observer_*`, `zastava_webhook_*`). + - Stream logs to central collector. + +## 3. Air-Gapped Deployment Notes + +- Use Offline Kit bundle (`offline/zastava/`) to load images and configuration. +- Validate Surface.FS bundles before enabling enforcement. +- Replace webhook CA with offline authority; document rotation schedule. + +## 4. Validation + +- Run `stella runtime policy test` against sample workloads. +- Trigger deployment denial for unsigned images; verify Notifier emits alerts. +- Check timeline events for observer telemetry. + +## 5. 
References + +- `docs/modules/zastava/architecture.md` +- `docs/modules/scanner/architecture.md` +- `docs/airgap/airgap-mode.md` +- `docs/forensics/timeline.md` diff --git a/docs/modules/excititor/AGENTS.md b/docs/modules/excititor/AGENTS.md index 00f2aa26..e05226ed 100644 --- a/docs/modules/excititor/AGENTS.md +++ b/docs/modules/excititor/AGENTS.md 
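Review bot: step 3 ('Deploy Webhook') moves from dry-run to `enforce=true` without stating what the `ValidatingWebhookConfiguration` does when the webhook is unreachable. A `failurePolicy` of `Ignore` means an Observer or Webhook outage silently admits the unsigned images this runbook exists to block, while `Fail` refuses every admission in the namespaces the webhook matches; the runbook should state the intended setting for connected and air-gapped clusters and the `namespaceSelector`/`objectSelector` scoping that keeps `Fail` from locking operators out of system namespaces. `enforce=true` is also introduced as the switch but nothing earlier in the file says where it lives (Helm value, flag or config key); name it alongside the `helm/zastava` values in step 2. Section 4 ('Validation') exercises the deny path for unsigned images but not the outage path; add a step that scales the webhook deployment to zero and confirms admissions behave as the chosen `failurePolicy` dictates. Section 3 says to 'replace webhook CA with offline authority; document rotation schedule' but gives no procedure for rotating the `caBundle` in the webhook configuration and the serving certificate in `zastava-mtls` without a window in which admissions fail or bypass; link or write that procedure before this runbook is used for an air-gapped rollout.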
@@ -1,22 +1,34 @@ -# Excititor agent guide - -## Mission -Excititor converts heterogeneous VEX feeds into raw observations and linksets that honour the Aggregation-Only Contract. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. -- Update runbooks/observability assets when operational characteristics change. \ No newline at end of file +# Excititor agent guide + +## Mission +Excititor converts heterogeneous VEX feeds into raw observations and linksets that honour the Aggregation-Only Contract. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
+ +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). +- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +- Update runbooks/observability assets when operational characteristics change. +## Required Reading +- `docs/modules/excititor/README.md` +- `docs/modules/excititor/architecture.md` +- `docs/modules/excititor/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/modules/export-center/AGENTS.md b/docs/modules/export-center/AGENTS.md index 96c3b039..da3364a9 100644 --- a/docs/modules/export-center/AGENTS.md +++ b/docs/modules/export-center/AGENTS.md 
@@ -1,22 +1,34 @@ -# Export Center agent guide - -## Mission -Export Center packages reproducible evidence bundles (JSON, Trivy DB, mirror) with provenance metadata and optional signing for offline or mirrored deployments. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. -- Update runbooks/observability assets when operational characteristics change. \ No newline at end of file +# Export Center agent guide + +## Mission +Export Center packages reproducible evidence bundles (JSON, Trivy DB, mirror) with provenance metadata and optional signing for offline or mirrored deployments. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
+ +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). +- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +- Update runbooks/observability assets when operational characteristics change. +## Required Reading +- `docs/modules/export-center/README.md` +- `docs/modules/export-center/architecture.md` +- `docs/modules/export-center/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/modules/graph/AGENTS.md b/docs/modules/graph/AGENTS.md index 292a829d..7ced63ed 100644 --- a/docs/modules/graph/AGENTS.md +++ b/docs/modules/graph/AGENTS.md 
@@ -1,22 +1,34 @@ -# Graph agent guide - -## Mission -Graph module (upcoming) will power graph-indexed queries for SBOM relationships, lineage, and blast-radius analysis. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. -- Update runbooks/observability assets when operational characteristics change. \ No newline at end of file +# Graph agent guide + +## Mission +Graph module (upcoming) will power graph-indexed queries for SBOM relationships, lineage, and blast-radius analysis. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
+ +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). +- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +- Update runbooks/observability assets when operational characteristics change. +## Required Reading +- `docs/modules/graph/README.md` +- `docs/modules/graph/architecture.md` +- `docs/modules/graph/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/modules/notify/AGENTS.md b/docs/modules/notify/AGENTS.md index fc03e99d..f98759ec 100644 --- a/docs/modules/notify/AGENTS.md +++ b/docs/modules/notify/AGENTS.md 
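Review bot: the Mission line says the Graph module is 'upcoming', yet the new Required Reading block makes `docs/modules/graph/README.md`, `docs/modules/graph/architecture.md` and `docs/modules/graph/implementation_plan.md` mandatory reading. Confirm those three files exist at the paths given (the Key docs links above use the same names relatively) or mark the entries as pending, so the charter does not require reading documents that have not been written.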
@@ -1,22 +1,34 @@ -# Notify agent guide - -## Mission -Notify evaluates operator-defined rules against platform events and dispatches channel-specific payloads with full auditability. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. -- Update runbooks/observability assets when operational characteristics change. \ No newline at end of file +# Notify agent guide + +## Mission +Notify evaluates operator-defined rules against platform events and dispatches channel-specific payloads with full auditability. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
+ +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). +- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +- Update runbooks/observability assets when operational characteristics change. +## Required Reading +- `docs/modules/notify/README.md` +- `docs/modules/notify/architecture.md` +- `docs/modules/notify/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/modules/orchestrator/AGENTS.md b/docs/modules/orchestrator/AGENTS.md index cc54209b..87574d25 100644 --- a/docs/modules/orchestrator/AGENTS.md +++ b/docs/modules/orchestrator/AGENTS.md 
@@ -1,22 +1,34 @@ -# Source & Job Orchestrator agent guide - -## Mission -The Orchestrator schedules, observes, and recovers ingestion and analysis jobs across the StellaOps platform. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Read the design summaries in ./architecture.md (quota governance, job lifecycle, dashboard feeds). -2. Open ../../implplan/SPRINTS.md and locate stories for this component. -3. Check ./TASKS.md and update status before/after work. -4. Review ./README.md for responsibilities and ensure changes maintain determinism and offline parity. - -## Guardrails -- Uphold Aggregation-Only Contract boundaries when consuming ingestion data. -- Preserve determinism and provenance in all derived outputs. -- Document offline/air-gap pathways for any new feature. -- Update telemetry/observability assets alongside feature work. \ No newline at end of file +# Source & Job Orchestrator agent guide + +## Mission +The Orchestrator schedules, observes, and recovers ingestion and analysis jobs across the StellaOps platform. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Read the design summaries in ./architecture.md (quota governance, job lifecycle, dashboard feeds). +2. Open ../../implplan/SPRINTS.md and locate stories for this component. +3. Check ./TASKS.md and update status before/after work. +4. Review ./README.md for responsibilities and ensure changes maintain determinism and offline parity. + +## Guardrails +- Uphold Aggregation-Only Contract boundaries when consuming ingestion data. +- Preserve determinism and provenance in all derived outputs. +- Document offline/air-gap pathways for any new feature. +- Update telemetry/observability assets alongside feature work. 
+## Required Reading +- `docs/modules/orchestrator/README.md` +- `docs/modules/orchestrator/architecture.md` +- `docs/modules/orchestrator/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/modules/platform/AGENTS.md b/docs/modules/platform/AGENTS.md index 37f6ab7b..0fec5084 100644 --- a/docs/modules/platform/AGENTS.md +++ b/docs/modules/platform/AGENTS.md 
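Review bot: `## Required Reading` is appended directly after the last Guardrails bullet with no blank line, unlike the other headings in this file; add one. This charter's 'How to get started' step 3 ('update status before/after work') never mentions the `BLOCKED` state the other guides use, while the new Working Agreement item 5 only covers reverting to `TODO`; align the status vocabulary with the other charters or state that the Orchestrator board does not use `BLOCKED`. The Required Reading list again duplicates three Key docs entries; only `docs/modules/platform/architecture-overview.md` is new, and the `- 1.` bullet-plus-number list style should be a plain ordered list.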
@@ -1,22 +1,34 @@ -# Platform agent guide - -## Mission -Platform module describes cross-cutting architecture, contracts, and guardrails that bind the services together. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. -- Update runbooks/observability assets when operational characteristics change. \ No newline at end of file +# Platform agent guide + +## Mission +Platform module describes cross-cutting architecture, contracts, and guardrails that bind the services together. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
+ +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). +- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +- Update runbooks/observability assets when operational characteristics change. +## Required Reading +- `docs/modules/platform/README.md` +- `docs/modules/platform/architecture.md` +- `docs/modules/platform/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/modules/policy/AGENTS.md b/docs/modules/policy/AGENTS.md index e22d3f10..4d05ac36 100644 --- a/docs/modules/policy/AGENTS.md +++ b/docs/modules/policy/AGENTS.md 
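Review bot: the platform charter's Required Reading lists both `docs/modules/platform/architecture.md` and `docs/modules/platform/architecture-overview.md`. In the other charters `architecture-overview.md` is the cross-module document and `architecture.md` is the module's own; for the platform module both are platform documents, so either confirm both files exist and say in one line how they differ, or keep one. The blank-line and `- 1.` list-style points raised on the other charter hunks apply here as well.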
@@ -1,22 +1,34 @@ -# Policy Engine agent guide - -## Mission -Policy Engine compiles and evaluates Stella DSL policies deterministically, producing explainable findings with full provenance. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. -- Update runbooks/observability assets when operational characteristics change. \ No newline at end of file +# Policy Engine agent guide + +## Mission +Policy Engine compiles and evaluates Stella DSL policies deterministically, producing explainable findings with full provenance. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
+ +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). +- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +- Update runbooks/observability assets when operational characteristics change. +## Required Reading +- `docs/modules/policy/README.md` +- `docs/modules/policy/architecture.md` +- `docs/modules/policy/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/modules/registry/AGENTS.md b/docs/modules/registry/AGENTS.md index 2e844d37..35756b65 100644 --- a/docs/modules/registry/AGENTS.md +++ b/docs/modules/registry/AGENTS.md 
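Review bot: the hunk for docs/modules/policy/AGENTS.md removes and re-adds every existing line unchanged (`-# Policy Engine agent guide` / `+# Policy Engine agent guide`, and so on down to the Guardrails), so the actual addition, the Required Reading and Working Agreement sections, is buried in a whole-file rewrite. The removed version ends with `\ No newline at end of file`, which points to a trailing-newline or line-ending normalisation; land that in its own commit (or via a `.gitattributes` `text=auto` rule) so the content diff stays reviewable. The registry, scanner and scheduler charters below show the same whole-file churn.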
@@ -1,22 +1,34 @@ -# Registry Token Service agent guide - -## Mission -The registry module issues scoped pull tokens for mirrored container registries while enforcing plan and licence constraints. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. -- Update runbooks/observability assets when operational characteristics change. \ No newline at end of file +# Registry Token Service agent guide + +## Mission +The registry module issues scoped pull tokens for mirrored container registries while enforcing plan and licence constraints. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
+ +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). +- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +- Update runbooks/observability assets when operational characteristics change. +## Required Reading +- `docs/modules/registry/README.md` +- `docs/modules/registry/architecture.md` +- `docs/modules/registry/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/modules/scanner/AGENTS.md b/docs/modules/scanner/AGENTS.md index 9a8200f3..23d06b0a 100644 --- a/docs/modules/scanner/AGENTS.md +++ b/docs/modules/scanner/AGENTS.md 
@@ -1,22 +1,34 @@ -# Scanner agent guide - -## Mission -Scanner analyses container images layer-by-layer, producing deterministic SBOM fragments, diffs, and signed reports. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. -- Update runbooks/observability assets when operational characteristics change. \ No newline at end of file +# Scanner agent guide + +## Mission +Scanner analyses container images layer-by-layer, producing deterministic SBOM fragments, diffs, and signed reports. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
+ +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). +- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +- Update runbooks/observability assets when operational characteristics change. +## Required Reading +- `docs/modules/scanner/README.md` +- `docs/modules/scanner/architecture.md` +- `docs/modules/scanner/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/modules/scanner/design/surface-env.md b/docs/modules/scanner/design/surface-env.md new file mode 100644 index 00000000..74a4f3f6 --- /dev/null +++ b/docs/modules/scanner/design/surface-env.md 
@@ -0,0 +1,147 @@ +# Surface.Env Design (Epic: SURFACE-SHARING) + +> **Status:** Draft v1.0 — aligns with tasks `SURFACE-ENV-01..05`, `SCANNER-ENV-01..03`, `ZASTAVA-ENV-01..02`, `OPS-ENV-01`. +> +> **Audience:** Scanner Worker/WebService engineers, Zastava engineers, DevOps/Ops teams. + +## 1. Goals + +Surface.Env centralises configuration discovery for every component that touches the shared Scanner “surface” (cache, manifests, secrets). The library replaces ad-hoc environment lookups with a deterministic, validated contract that: + +1. Works identically across Scanner Worker, Scanner WebService, BuildX plug-ins, Zastava Observer/Webhook, and future consumers (Scheduler planners, CLI runners). +2. Supports both connected and air-gapped deployments with clear defaults. +3. Records configuration intent (tenant isolation, cache limits, TLS, feature flags) so Surface.Validation can enforce preconditions before any work executes. + +## 2. Architecture Overview + +``` ++-----------------------+ +| Host (Worker/WebSvc) | +| - IConfiguration | +| - ILogger | +| | +| +-----------------+ | +| | SurfaceEnv | | loads env vars / config file +| | - Provider |--+------------------------------+ +| | - Validators | | +| +-----------------+ | +| | | +| | IResolvedSurfaceConfiguration | +| v v +| Surface.FS / Surface.Secrets / Surface.Validation consumers ++------------------------------------------------------------- +``` + +Surface.Env exposes `ISurfaceEnvironment` which returns an immutable `SurfaceEnvironmentSettings` record. Hosts call `SurfaceEnvBuilder.Build()` during startup, passing optional configuration overrides (for example, Helm chart values). The builder resolves environment variables, applies defaults, and executes Surface.Validation rules before handing settings to downstream services. + +## 3. 
Configuration Schema + +### 3.1 Common keys + +| Variable | Description | Default | Notes | +|----------|-------------|---------|-------| +| `SCANNER_SURFACE_FS_ENDPOINT` | Base URI for Surface.FS service (RustFS, S3-compatible). | _required_ | e.g. `https://surface-cache.svc.cluster.local`. Zastava uses `ZASTAVA_SURFACE_FS_ENDPOINT`; when absent, falls back to scanner value. | +| `SCANNER_SURFACE_FS_BUCKET` | Bucket/container name used for manifests and artefacts. | `surface-cache` | Must be unique per tenant. | +| `SCANNER_SURFACE_FS_REGION` | Optional region (S3-style). | `null` | Required for AWS S3. | +| `SCANNER_SURFACE_CACHE_ROOT` | Local filesystem directory for warm caches. | `/var/lib/stellaops/surface` | Should reside on fast SSD. | +| `SCANNER_SURFACE_CACHE_QUOTA_MB` | Soft limit for local cache usage. | `4096` | Enforced by Surface.FS eviction policy. | +| `SCANNER_SURFACE_TLS_CERT_PATH` | Path to PEM bundle for mutual TLS with Surface.FS. | `null` | If provided, library loads cert/key pair. | +| `SCANNER_SURFACE_TENANT` | Tenant identifier used for cache namespaces. | derived from Authority token | Can be overridden for multi-tenant workers. | +| `SCANNER_SURFACE_PREFETCH_ENABLED` | Toggle surface prefetch threads. | `false` | If `true`, Worker prefetches manifests before analyzer stage. | +| `SCANNER_SURFACE_FEATURES` | Comma-separated feature switches. | `""` | e.g. `validation,prewarm,runtime-diff`. | + +### 3.2 Secrets provider keys + +| Variable | Description | Notes | +|----------|-------------|-------| +| `SCANNER_SURFACE_SECRETS_PROVIDER` | Provider ID (`kubernetes`, `file`, `inline`). | Controls Surface.Secrets back-end. | +| `SCANNER_SURFACE_SECRETS_ROOT` | Path or secret namespace. | Example: `/etc/stellaops/secrets` for file provider. | +| `SCANNER_SURFACE_SECRETS_TENANT` | Tenant override for secret lookup. | Defaults to `SCANNER_SURFACE_TENANT`. 
| + +### 3.3 Zastava-specific keys + +Zastava containers read the same primary variables but may override names under the `ZASTAVA_` prefix (e.g., `ZASTAVA_SURFACE_CACHE_ROOT`, `ZASTAVA_SURFACE_FEATURES`). Surface.Env automatically checks component-specific prefixes before falling back to the scanner defaults. + +### 3.4 Configuration precedence + +1. Explicit overrides passed to `SurfaceEnvBuilder` (e.g., from appsettings). +2. Component-specific env (e.g., `ZASTAVA_SURFACE_FS_ENDPOINT`). +3. Scanner global env (e.g., `SCANNER_SURFACE_FS_ENDPOINT`). +4. `SurfaceEnvDefaults.json` (shipped with library for sensible defaults). +5. Emergency fallback values defined in code (only for development scenarios). + +## 4. API Surface + +```csharp +public interface ISurfaceEnvironment +{ + SurfaceEnvironmentSettings Settings { get; } + IReadOnlyDictionary RawVariables { get; } +} + +public sealed record SurfaceEnvironmentSettings +( + Uri SurfaceFsEndpoint, + string SurfaceFsBucket, + string? SurfaceFsRegion, + DirectoryInfo CacheRoot, + int CacheQuotaMegabytes, + X509Certificate2Collection? ClientCertificates, + string Tenant, + bool PrefetchEnabled, + IReadOnlyCollection FeatureFlags, + SecretProviderConfiguration Secrets, + IDictionary ComponentOverrides +); +``` + +Consumers access `ISurfaceEnvironment.Settings` and pass the record into Surface.FS / Surface.Secrets factories. The interface memoises results so repeated access is cheap. + +## 5. Validation + +Surface.Env invokes the following validators (implemented in Surface.Validation): + +1. **EndpointValidator** – ensures endpoint URI is absolute HTTPS and not localhost in production. +2. **CacheQuotaValidator** – verifies quota > 0 and below host max. +3. **FilesystemValidator** – checks cache root exists/writable; attempts to create directory if missing. +4. **SecretsProviderValidator** – ensures provider-specific settings (e.g., Kubernetes namespace) are present. +5. 
**FeatureFlagValidator** – warns on unknown feature flag tokens. + +Failures throw `SurfaceEnvironmentException` with error codes (`SURFACE_ENV_MISSING_ENDPOINT`, `SURFACE_ENV_CACHE_DIR_UNWRITABLE`, etc.). Hosts log the error and fail fast during startup. + +## 6. Integration Guidance + +- **Scanner Worker**: call `services.AddSurfaceEnvironment()` in `Program.cs` before registering analyzers. Pass `hostContext.Configuration.GetSection("Surface")` for overrides. +- **Scanner WebService**: build environment during startup, then expose selected values via diagnostics (`/internal/surface` when diagnostics enabled). +- **Zastava Observer/Webhook**: use the same builder; ensure Helm charts set `ZASTAVA_` variables. +- **Scheduler Planner (future)**: treat Surface.Env as read-only input; do not mutate settings. + +## 7. Security & Observability + +- Never log raw secrets; Surface.Env redacts values by default. +- Emit metric `surface_env_validation_total{status}` to observe validation outcomes. +- Provide `/metrics` gauge for cache quota/residual via Surface.FS integration. + +## 8. Offline & Air-Gap Support + +- Defaults assume no public network access; endpoints should point to internal RustFS or S3-compatible system. +- Offline kit templates supply env files under `offline/scanner/surface-env.env`. +- Document steps in `docs/modules/devops/runbooks/zastava-deployment.md` and `offline-kit` tasks for synchronising env values. + +## 9. Testing Strategy + +- Unit tests for each resolver/validator. +- Integration tests for Worker & Observer verifying that missing configuration causes deterministic failures. +- Golden tests for configuration precedence (component overrides, defaults). + +## 10. Open Questions / Future Work + +- Dynamic refresh of environment (watch ConfigMap) is out of scope for v1. +- Evaluate adding support for environment discovery via `IConfiguration` only (no env vars) for Windows service deployments. + +## 11. 
References + +- Surface.FS Design (`docs/modules/scanner/design/surface-fs.md`) +- Surface.Secrets Design (`docs/modules/scanner/design/surface-secrets.md`) +- Surface.Validation Design (`docs/modules/scanner/design/surface-validation.md`) +- AirGap mode overview (`docs/airgap/airgap-mode.md`) diff --git a/docs/modules/scanner/design/surface-fs.md b/docs/modules/scanner/design/surface-fs.md new file mode 100644 index 00000000..86697374 --- /dev/null +++ b/docs/modules/scanner/design/surface-fs.md 
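Review bot: in docs/modules/scanner/design/surface-env.md, `ISurfaceEnvironment.RawVariables` returns the raw environment to any consumer, which contradicts section 7's "Surface.Env redacts values by default" and, given that the inline secrets provider reads base64 JSON from env, can hand out secret material; either drop `RawVariables` or document that it is the redacted view, and require authentication plus redaction on the `/internal/surface` diagnostics endpoint named in section 6. Three smaller points: `SCANNER_SURFACE_TENANT` "Can be overridden for multi-tenant workers" while `SURFACE_TENANT_MISMATCH` is an Error whenever the environment tenant differs from the Authority token, so state which one wins; `SurfaceEnvironmentSettings` is described as immutable but carries an `IDictionary ComponentOverrides` (and the generic arguments on `IReadOnlyDictionary`, `IReadOnlyCollection` and `IDictionary` are missing as shown), so use `IReadOnlyDictionary<string, string>` there; and `SCANNER_SURFACE_TLS_CERT_PATH` loads a cert/key pair from a plain PEM path even though surface-secrets.md defines a `tls` secret type for exactly that material, so point the mTLS key at Surface.Secrets rather than an env path.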
@@ -0,0 +1,130 @@ +# Surface.FS Design (Epic: SURFACE-SHARING) + +> **Status:** Draft v1.0 — aligns with tasks `SURFACE-FS-01..06`, `SCANNER-SURFACE-01..05`, `ZASTAVA-SURFACE-01..02`, `SCHED-SURFACE-01`, `OPS-SECRETS-01..02`. +> +> **Audience:** Scanner Worker/WebService, Zastava, Scheduler, DevOps. + +## 1. Purpose + +Surface.FS provides a unified content-addressable cache for Scanner-derived artefacts (layer manifests, entry traces, SBOM fragments, runtime deltas). It enables: + +- Sharing scan results between Worker, WebService, Zastava Observer/Webhook, Scheduler planners, Export Center, and future CLI operations. +- Deterministic reproduction of scan evidence (manifests and payloads) in both connected and air-gapped environments. +- Efficient data movement by storing manifests once and referencing them via stable pointers. + +## 2. Core Concepts + +### 2.1 Artefact Key + +Each artefact is addressed by a tuple `(tenant, surfaceKind, contentDigest)` where `contentDigest` is a SHA256 of the canonical payload. `surfaceKind` identifies artefact type (see Manifest schema below). + +### 2.2 Manifest + +Manifests describe the artefact metadata and storage pointers. They are stored in the `surface-manifests` bucket and fetched by consumers before retrieving bulk data. 
+ +```json +{ + "schema": "stellaops.surface.manifest@1", + "tenant": "acme", + "kind": "layer-entry-trace", + "digest": "sha256:ab12...", + "createdAt": "2025-10-29T12:00:00Z", + "expiresAt": "2025-11-05T12:00:00Z", + "source": { + "scannerBuild": "stellaops/scanner@sha256:deadbeef", + "imageDigest": "sha256:cafe...", + "scanId": "scan-1234" + }, + "storage": { + "bucket": "surface-cache", + "objectKey": "tenants/acme/layer-entry-trace/sha256/ab/12/.../payload.json.zst", + "sizeBytes": 524288, + "contentType": "application/json+zstd" + }, + "integrity": { + "hash": "sha256:ab12...", + "signature": null + } +} +``` + +### 2.3 Payload Storage + +Large payloads (SBOM fragments, entry traces, runtime events) live in the same object store as manifests (RustFS/S3). Manifests record relative paths so offline bundles can copy both manifest and payload without modification. + +## 3. APIs + +Surface.FS exposes a gRPC/HTTP API consumed by .NET clients: + +| Method | Description | +|--------|-------------| +| `PutManifest(PutManifestRequest)` | Stores manifest + optional payload. Idempotent via `digest`. | +| `GetManifest(GetManifestRequest)` | Returns manifest metadata; 404 if missing. | +| `GetPayload(GetPayloadRequest)` | Streams payload bytes (optionally decompressing). | +| `ListManifests(ListManifestRequest)` | Enumerates manifests for tenant/kind with pagination. | +| `DeleteManifest(DeleteManifestRequest)` | (Optional) Removes manifest/payload based on retention policies. | + +.NET client wraps these calls and handles retries using Polly policies. + +## 4. Library Responsibilities + +Surface.FS library for .NET hosts provides: + +- `ISurfaceManifestWriter` / `ISurfaceManifestReader` interfaces. +- Content-addressed path builder (`SurfacePathBuilder`). +- Tenant namespace isolation and bucket configuration (via Surface.Env). +- Local cache management (using `SCANNER_SURFACE_CACHE_ROOT` and quota). 
+- Metrics: `surface_manifest_put_seconds`, `surface_manifest_cache_hit_total`, etc. + +## 5. Retention & Eviction + +- Manifests include optional `expiresAt`; Worker defaults to 30 days for SBOM fragments, 7 days for entry traces. +- Background job `SurfaceCacheMaintenanceService` evicts local cache entries exceeding quota, oldest-first. +- Object storage retention policies are managed by DevOps; library exposes metrics but does not auto-delete unless instructed. + +## 6. Offline Kit Handling + +Offline kits include: + +``` +offline/surface/ + manifests/ + tenants///.json + payloads/ + tenants///.json.zst + manifest-index.json +``` + +Import script calls `PutManifest` for each manifest, verifying digests. This enables Zastava and Scheduler running offline to consume cached data without re-scanning. + +## 7. Security & Tenancy + +- Tenant ID is mandatory; Surface.Validation enforces match with Authority token. +- Manifests/payloads stored in tenant-specific prefixes to prevent leakage. +- Optional manifest signing (future) will use `Surface.Secrets` to load signing keys. +- TLS enforced between hosts and Surface.FS endpoint; certificate pins configured via Surface.Env. + +## 8. Observability + +- Logs include manifest SHA, tenant, and kind; payload paths truncated for brevity. +- Metrics exported via Prometheus with labels `{tenant, kind, result}`. +- Tracing spans: `surface.fs.put`, `surface.fs.get`, `surface.fs.cache`. + +## 9. Testing Strategy + +- Unit tests for path builder, manifest serializer, and local cache eviction. +- Integration tests using embedded RustFS or MinIO container to validate API interactions. +- Offline kit tests verifying export/import cycle round-trips manifests and payloads. + +## 10. Future Enhancements + +- Manifest signing (DSSE) to support tamper detection in hostile environments. +- Differential manifests to optimise large SBOM updates. +- Cross-region replication for multi-site deployments. + +## 11. 
References + +- Surface.Env Design (`docs/modules/scanner/design/surface-env.md`) +- Surface.Secrets Design (`docs/modules/scanner/design/surface-secrets.md`) +- Surface.Validation Design (`docs/modules/scanner/design/surface-validation.md`) +- Zastava Deployment Runbook (`docs/modules/devops/runbooks/zastava-deployment.md`) diff --git a/docs/modules/scanner/design/surface-secrets.md b/docs/modules/scanner/design/surface-secrets.md new file mode 100644 index 00000000..3dbf019e --- /dev/null +++ b/docs/modules/scanner/design/surface-secrets.md 
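Review bot: in docs/modules/scanner/design/surface-fs.md the consumer flow in 2.2 fetches a manifest and then uses its `storage.objectKey` to locate the payload, but with `integrity.signature` null and DSSE signing deferred to section 10 nothing authenticates the manifest itself; a manifest written by a compromised writer, or imported from an offline kit, with an `objectKey` under another tenant's `tenants/...` prefix would read across the tenant isolation section 7 relies on. Recompute the expected key from `(tenant, surfaceKind, contentDigest)` with `SurfacePathBuilder` and reject manifests whose `objectKey` differs, and hash the fetched bytes against `digest` before handing them to a consumer. Related: 2.1 says `contentDigest` is SHA256 of the canonical payload while the object is stored as `application/json+zstd`, so state whether the digest covers the decompressed canonical JSON or the compressed object (the offline import "verifying digests" in section 6 needs the same answer), and `integrity.hash` currently just repeats `digest`, so either give it a distinct meaning or remove it.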
@@ -0,0 +1,121 @@ +# Surface.Secrets Design (Epic: SURFACE-SHARING) + +> **Status:** Draft v1.0 — aligns with tasks `SURFACE-SECRETS-01..06`, `SCANNER-SECRETS-01..03`, `ZASTAVA-SECRETS-01..02`, `OPS-SECRETS-01..02`. +> +> **Audience:** Scanner/Zastava engineers, Security Guild, DevOps/Ops teams. + +## 1. Goals + +Surface.Secrets standardises how Scanner, Zastava, Scheduler, and related services obtain credentials and sensitive material required for surface operations (registry pull secrets, CAS tokens, manifest signing keys). Key requirements: + +- Consistent, pluggable providers (Kubernetes Secret, file, inline, future vaults). +- Deterministic lookup keyed by tenant/component to avoid accidental leakage. +- Integration with Surface.Env & Surface.Validation for configuration and pre-flight checks. +- Minimal in-memory exposure; secrets wrapped in secure handles with automatic disposal. + +## 2. Secret Types + +| Secret Type | Description | Example Consumers | +|-------------|-------------|-------------------| +| `cas-access` | Credentials for RustFS/S3 object storage (access key/secret, session token). | Scanner Worker/WebService, Zastava Observer/Webhook | +| `registry` | Container registry auth (username/password or token). | Scanner Worker (pulling layers for SBOM) | +| `attestation` | DSSE signing key material, Rekor API tokens. | Scanner WebService (delegation), Attestor (future integration) | +| `tls` | Client TLS certificates for Surface.FS or other services. | Scanner Worker, Zastava Observer | + +Additional secret types can be registered via `ISurfaceSecretTypeRegistry`. + +## 3. Provider Model + +```csharp +public interface ISurfaceSecretProvider +{ + ValueTask GetAsync(SurfaceSecretRequest request, CancellationToken ct = default); +} + +public sealed record SurfaceSecretRequest +( + string Tenant, + string Component, // e.g. "Scanner.Worker" + string SecretType, // e.g. "cas-access" + string? 
Name // optional override (e.g., "primary", "mirror-eu") +); +``` + +### 3.1 Built-in providers + +1. **Kubernetes** – Reads from `Secret` objects. Configuration: + - `namespace`: derived from `SCANNER_SURFACE_SECRETS_ROOT` or component override. + - Secret name format: `surface-{tenant}-{component}-{secretType}`. + - Supports key mapping (e.g., `accessKey`, `secretKey`, `sessionToken`). +2. **File** – Loads JSON/YAML files from a directory (for offline kit, dev). File path derived from root + tenant/component. +3. **Inline** – Accepts base64 encoded JSON from env (useful for tests). + +### 3.2 Secret Handle + +`SurfaceSecretHandle` exposes typed accessors (`AsCredentials()`, `AsTlsCertificate()`) and ensures sensitive data is cleared when disposed. + +## 4. Configuration + +Surface.Env supplies provider configuration (`SecretsProviderConfiguration`). Example: + +```json +{ + "provider": "kubernetes", + "namespace": "stellaops-runtime", + "prefix": "surface-", + "fallbackProvider": "file", + "file": { + "root": "/etc/stellaops/secrets" + } +} +``` + +Fallback provider allows offline development (use file provider if K8s secret missing). + +## 5. Validation + +Surface.Validation supplies validators: + +- `SecretProviderValidator` – ensures provider ID is known; checks required configuration (namespace/root). +- `SecretExistenceValidator` – optional check verifying required secret types exist at startup (configurable list). +- `SecretRotationValidator` – warns when secrets are older than rotation window (uses metadata stored in provider). + +Failures produce error codes (`SURFACE_SECRET_PROVIDER_UNKNOWN`, `SURFACE_SECRET_MISSING`, `SURFACE_SECRET_STALE`). + +## 6. Security Considerations + +- Secrets returned as `SecureString`/byte arrays; never log values. +- Kubernetes provider caches secrets in-memory with TTL (default 10 minutes) to reduce API calls; cache invalidated when `generation` changes. 
+- File provider enforces permissions (`0600`); rejects world-readable files. +- Inline provider meant for tests only; flag `Surface:Secrets:AllowInline` enables it explicitly. + +## 7. Offline & Air-Gap Support + +- Offline kits include `offline/secrets/` with encrypted archive plus manifest file enumerating secret metadata (tenant, component, type, checksum). +- Import script decrypts archive using site-specific key and populates file provider root. +- Documented workflow lives in `ops/offline-kit/TASKS.md` and associated runbooks. + +## 8. Observability + +- Metrics: `surface_secrets_requests_total{provider,result}`. +- Logs: only log secret identifiers, never values. +- Traces: `surface.secrets.get` span showing provider latency. + +## 9. Testing Strategy + +- Unit tests per provider with fake backends. +- Integration tests in Scanner/Zastava verifying provider selection, fallback, and rotation. +- Security tests ensuring secrets aren’t leaked in logs or exceptions. + +## 10. Future Enhancements + +- Support for HashiCorp Vault / AWS Secrets Manager providers. +- Built-in DSSE signing key management for Attestor/Signer. +- Automatic rotation notifications via Notifier. + +## 11. References + +- `docs/modules/scanner/design/surface-env.md` +- `docs/modules/scanner/design/surface-fs.md` +- `docs/modules/scanner/design/surface-validation.md` +- `docs/modules/airgap/airgap-mode.md` diff --git a/docs/modules/scanner/design/surface-validation.md b/docs/modules/scanner/design/surface-validation.md new file mode 100644 index 00000000..4eb96a7c --- /dev/null +++ b/docs/modules/scanner/design/surface-validation.md 
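Review bot: in docs/modules/scanner/design/surface-secrets.md section 4, `fallbackProvider: file` silently substitutes filesystem secrets whenever a Kubernetes secret is missing, which turns a misconfiguration (wrong namespace, wrong name) into a quiet switch to a different trust boundary in production; make the fallback opt-in the way `Surface:Secrets:AllowInline` already is, and record which provider actually served the request in the `surface_secrets_requests_total{provider,result}` metric and log line. Three further points: 3.1 derives the file provider path from root plus tenant/component, so validate `Tenant`, `Component` and `Name` against a strict charset before building the path, otherwise a request containing `../` escapes the root; section 6 says values are returned as `SecureString`, which Microsoft advises against for new code (it offers no protection on non-Windows hosts) and conflicts with the `SurfaceSecretHandle` in 3.2, so standardise on byte arrays zeroed on dispose; and Kubernetes `Secret` objects do not bump `metadata.generation` on update, so key the cache invalidation on `resourceVersion` (or a watch) rather than `generation`.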
@@ -0,0 +1,99 @@ +# Surface.Validation Design (Epic: SURFACE-SHARING) + +> **Status:** Draft v1.0 — aligns with tasks `SURFACE-VAL-01..05`, `LANG-SURFACE-01..03`, `ENTRYTRACE-SURFACE-01..02`, `ZASTAVA-SURFACE-02`, `SCANNER-SECRETS-01..03`. +> +> **Audience:** Engineers integrating Surface Env/FS/Secrets, QA guild, Security guild. + +## 1. Objectives + +Surface.Validation provides a shared validator framework to ensure all surface consumers meet configuration and data preconditions before performing work. It prevents subtle runtime errors by failing fast with actionable diagnostics. + +## 2. Core Interfaces + +```csharp +public interface ISurfaceValidator +{ + ValueTask ValidateAsync(SurfaceValidationContext context, CancellationToken ct = default); +} + +public sealed record SurfaceValidationContext +( + SurfaceEnvironmentSettings Environment, + IServiceProvider Services, + string ComponentName +); + +public sealed record ValidationResult +( + bool IsSuccess, + IReadOnlyCollection Issues +); + +public sealed record SurfaceValidationIssue +( + string Code, + string Message, + SurfaceValidationSeverity Severity, + string? Hint = null +); +``` + +Validators register with DI (`services.AddSurfaceValidation()`). Hosts call `ISurfaceValidatorRunner.RunAllAsync()` during startup and periodically (optional) to re-check configuration. + +## 3. Built-in Validators + +| Code | Severity | Description | +|------|----------|-------------| +| `SURFACE_ENV_MISSING_ENDPOINT` | Error | Raised when `SurfaceFsEndpoint` absent. | +| `SURFACE_ENV_CACHE_DIR_UNWRITABLE` | Error | Cache root not writable or disk full. | +| `SURFACE_SECRET_MISSING` | Error | Secret provider cannot locate required secret type. | +| `SURFACE_SECRET_STALE` | Warning | Secret older than rotation window. | +| `SURFACE_FS_ENDPOINT_REACHABILITY` | Error | HEAD request to Surface.FS endpoint failed. | +| `SURFACE_FS_BUCKET_MISMATCH` | Error | Provided bucket does not exist / lacks permissions. 
| +| `SURFACE_FEATURE_UNKNOWN` | Warning | Feature flag not recognised. | +| `SURFACE_TENANT_MISMATCH` | Error | Tenant from environment differs from Authority token tenant. | + +Validation pipeline stops on the first error (severity `Error`) unless `Surface:Validation:ContinueOnError=true` is set (useful for diagnostics mode). + +## 4. Extensibility + +Consumers can register custom validators: + +```csharp +services.AddSurfaceValidation(builder => + builder.AddValidator() + .AddValidator()); +``` + +Validators can access DI services (e.g., HttpClient, Authority token provider) through the context. To avoid long-running checks, recommended max validation time is 500ms per validator. + +## 5. Reporting & Observability + +- Results exposed via `ISurfaceValidationReporter` (default logs structured JSON to `Validation` category). +- Metrics: `surface_validation_issues_total{code,severity}`. +- Optional debug endpoint `/internal/surface/validation` (Scanner WebService) returns last validation run. + +## 6. Integration Guidelines + +- **Scanner Worker/WebService**: fail startup if any error-level issue occurs; log warnings but continue running. +- **Zastava Webhook**: treat validation errors as fatal (webhook should not enforce policies when surface preconditions fail). Display validation error summary in `/readyz` response to aid debugging. +- **Analysers**: call `SurfaceValidation.Ensure()` before executing heavy work to catch misconfiguration during integration tests. + +## 7. Testing Strategy + +- Unit tests for built-in validators using in-memory providers. +- Integration tests in Scanner/Zastava verifying validators run during startup and produce expected outcomes. +- Negative tests simulating missing secrets, unreachable endpoints, or mismatched tenants. + +## 8. Error Handling & Remediation + +- Each issue includes a hint describing remediation steps (e.g., “Verify `SCANNER_SURFACE_FS_ENDPOINT` is reachable from worker nodes”). 
+- DevOps runbooks should reference issue codes in troubleshooting sections. +- `surface_validation.json` file stored alongside application logs summarises the last run for offline support. + +## 9. References + +- `docs/modules/scanner/design/surface-env.md` +- `docs/modules/scanner/design/surface-fs.md` +- `docs/modules/scanner/design/surface-secrets.md` +- `docs/modules/devops/runbooks/zastava-deployment.md` diff --git a/docs/modules/scheduler/AGENTS.md b/docs/modules/scheduler/AGENTS.md index 1d486457..4af5acea 100644 --- a/docs/modules/scheduler/AGENTS.md +++ b/docs/modules/scheduler/AGENTS.md 
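Review bot: in docs/modules/scanner/design/surface-validation.md section 6 the Zastava Webhook is told to "Display validation error summary in `/readyz` response", and section 8 puts remediation hints such as "Verify `SCANNER_SURFACE_FS_ENDPOINT` is reachable from worker nodes" into each issue; readiness probes are normally unauthenticated, so return only issue codes there and keep messages and hints in the `Validation` log category and the `/internal/surface/validation` endpoint, which should itself require auth. Also: `SURFACE_FS_ENDPOINT_REACHABILITY` issues a HEAD request at startup, so give it an explicit timeout, note that the 500 ms per-validator guidance in section 4 cannot hold for a network check, and say how air-gapped or staged rollouts where Surface.FS is legitimately down at startup are meant to proceed; stopping the pipeline on the first Error (section 3) hides every later problem, so collect all issues and fail afterwards by default rather than only under `Surface:Validation:ContinueOnError`; and `ValidationResult` collides with `System.ComponentModel.DataAnnotations.ValidationResult`, so name it `SurfaceValidationResult` (the generic argument on `IReadOnlyCollection Issues` and the type arguments in `builder.AddValidator()` are also missing as shown).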
@@ -1,22 +1,34 @@ -# Scheduler agent guide - -## Mission -Scheduler detects advisory/VEX deltas, computes impact windows, and orchestrates re-evaluations across Scanner and Policy Engine. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. -- Update runbooks/observability assets when operational characteristics change. \ No newline at end of file +# Scheduler agent guide + +## Mission +Scheduler detects advisory/VEX deltas, computes impact windows, and orchestrates re-evaluations across Scanner and Policy Engine. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
+ +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). +- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +- Update runbooks/observability assets when operational characteristics change. +## Required Reading +- `docs/modules/scheduler/README.md` +- `docs/modules/scheduler/architecture.md` +- `docs/modules/scheduler/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/modules/signer/AGENTS.md b/docs/modules/signer/AGENTS.md index c6aa8700..d547d2c8 100644 --- a/docs/modules/signer/AGENTS.md +++ b/docs/modules/signer/AGENTS.md 
@@ -1,22 +1,35 @@ -# Signer agent guide - -## Mission -Signer validates callers, enforces Proof-of-Entitlement, and produces signed DSSE bundles for SBOMs, reports, and exports. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. -- Update runbooks/observability assets when operational characteristics change. +# Signer agent guide + +## Mission +Signer validates callers, enforces Proof-of-Entitlement, and produces signed DSSE bundles for SBOMs, reports, and exports. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. + +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). 
+- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +- Update runbooks/observability assets when operational characteristics change. + +## Required Reading +- `docs/modules/signer/README.md` +- `docs/modules/signer/architecture.md` +- `docs/modules/signer/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/modules/telemetry/AGENTS.md b/docs/modules/telemetry/AGENTS.md index 437faa02..84657747 100644 --- a/docs/modules/telemetry/AGENTS.md +++ b/docs/modules/telemetry/AGENTS.md 
@@ -1,22 +1,34 @@ -# Telemetry agent guide - -## Mission -Telemetry module captures deployment and operations guidance for the shared observability stack (collectors, storage, dashboards). - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. -- Update runbooks/observability assets when operational characteristics change. \ No newline at end of file +# Telemetry agent guide + +## Mission +Telemetry module captures deployment and operations guidance for the shared observability stack (collectors, storage, dashboards). + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
+ +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). +- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +- Update runbooks/observability assets when operational characteristics change. +## Required Reading +- `docs/modules/telemetry/README.md` +- `docs/modules/telemetry/architecture.md` +- `docs/modules/telemetry/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/modules/ui/AGENTS.md b/docs/modules/ui/AGENTS.md index be731ef5..5dd9d540 100644 --- a/docs/modules/ui/AGENTS.md +++ b/docs/modules/ui/AGENTS.md 
@@ -1,22 +1,34 @@ -# Console UI agent guide - -## Mission -The Console presents operator dashboards for scans, policies, VEX evidence, runtime posture, and admin workflows. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. -- Update runbooks/observability assets when operational characteristics change. \ No newline at end of file +# Console UI agent guide + +## Mission +The Console presents operator dashboards for scans, policies, VEX evidence, runtime posture, and admin workflows. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
+ +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). +- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +- Update runbooks/observability assets when operational characteristics change. +## Required Reading +- `docs/modules/ui/README.md` +- `docs/modules/ui/architecture.md` +- `docs/modules/ui/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/modules/vex-lens/AGENTS.md b/docs/modules/vex-lens/AGENTS.md index ec9f9f9b..138ad307 100644 --- a/docs/modules/vex-lens/AGENTS.md +++ b/docs/modules/vex-lens/AGENTS.md 
@@ -1,22 +1,35 @@ -# VEX Consensus Lens agent guide - -## Mission -VEX Lens computes deterministic consensus across conflicting VEX statements while preserving raw provenance. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Review ./architecture.md for consensus algorithm, trust model, and export contracts. -2. Open ../../implplan/SPRINTS.md and locate stories for this component. -3. Check ./TASKS.md and update status before/after work. -4. Read README/architecture for design context and update as the implementation evolves. - -## Guardrails -- Uphold Aggregation-Only Contract boundaries when consuming ingestion data. -- Preserve determinism and provenance in all derived outputs. -- Document offline/air-gap pathways for any new feature. -- Update telemetry/observability assets alongside feature work. +# VEX Consensus Lens agent guide + +## Mission +VEX Lens computes deterministic consensus across conflicting VEX statements while preserving raw provenance. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Review ./architecture.md for consensus algorithm, trust model, and export contracts. +2. Open ../../implplan/SPRINTS.md and locate stories for this component. +3. Check ./TASKS.md and update status before/after work. +4. Read README/architecture for design context and update as the implementation evolves. + +## Guardrails +- Uphold Aggregation-Only Contract boundaries when consuming ingestion data. +- Preserve determinism and provenance in all derived outputs. +- Document offline/air-gap pathways for any new feature. +- Update telemetry/observability assets alongside feature work. 
+ +## Required Reading +- `docs/modules/vex-lens/README.md` +- `docs/modules/vex-lens/architecture.md` +- `docs/modules/vex-lens/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/modules/vexer/AGENTS.md b/docs/modules/vexer/AGENTS.md index 2bd07e08..67a49e5a 100644 --- a/docs/modules/vexer/AGENTS.md +++ b/docs/modules/vexer/AGENTS.md 
@@ -1,22 +1,34 @@ -# Vexer agent guide - -## Mission -Vexer computes deterministic consensus across VEX claims, preserving conflicts and producing attestable evidence for policy suppression. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. -- Update runbooks/observability assets when operational characteristics change. \ No newline at end of file +# Vexer agent guide + +## Mission +Vexer computes deterministic consensus across VEX claims, preserving conflicts and producing attestable evidence for policy suppression. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
+ +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). +- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +- Update runbooks/observability assets when operational characteristics change. +## Required Reading +- `docs/modules/vexer/README.md` +- `docs/modules/vexer/architecture.md` +- `docs/modules/vexer/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/modules/vuln-explorer/AGENTS.md b/docs/modules/vuln-explorer/AGENTS.md index 0a2b9138..6b8c5dc5 100644 --- a/docs/modules/vuln-explorer/AGENTS.md +++ b/docs/modules/vuln-explorer/AGENTS.md 
@@ -1,22 +1,35 @@ -# Vulnerability Explorer agent guide - -## Mission -Vulnerability Explorer delivers policy-aware triage, investigation, and reporting surfaces for effective findings. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Review ./architecture.md for ledger schema, workflow states, and export requirements. -2. Open ../../implplan/SPRINTS.md and locate stories for this component. -3. Check ./TASKS.md and update status before/after work. -4. Read README/architecture for design context and update as the implementation evolves. - -## Guardrails -- Uphold Aggregation-Only Contract boundaries when consuming ingestion data. -- Preserve determinism and provenance in all derived outputs. -- Document offline/air-gap pathways for any new feature. -- Update telemetry/observability assets alongside feature work. +# Vulnerability Explorer agent guide + +## Mission +Vulnerability Explorer delivers policy-aware triage, investigation, and reporting surfaces for effective findings. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Review ./architecture.md for ledger schema, workflow states, and export requirements. +2. Open ../../implplan/SPRINTS.md and locate stories for this component. +3. Check ./TASKS.md and update status before/after work. +4. Read README/architecture for design context and update as the implementation evolves. + +## Guardrails +- Uphold Aggregation-Only Contract boundaries when consuming ingestion data. +- Preserve determinism and provenance in all derived outputs. +- Document offline/air-gap pathways for any new feature. +- Update telemetry/observability assets alongside feature work. 
+ +## Required Reading +- `docs/modules/vuln-explorer/README.md` +- `docs/modules/vuln-explorer/architecture.md` +- `docs/modules/vuln-explorer/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/modules/zastava/AGENTS.md b/docs/modules/zastava/AGENTS.md index 20ccfd60..1f8411ad 100644 --- a/docs/modules/zastava/AGENTS.md +++ b/docs/modules/zastava/AGENTS.md 
@@ -1,22 +1,34 @@ -# Zastava agent guide - -## Mission -Zastava monitors running workloads, verifies supply chain posture, and enforces runtime policy via Kubernetes admission webhooks. - -## Key docs -- [Module README](./README.md) -- [Architecture](./architecture.md) -- [Implementation plan](./implementation_plan.md) -- [Task board](./TASKS.md) - -## How to get started -1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. -2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). -3. Read the architecture and README for domain context before editing code or docs. -4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. - -## Guardrails -- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). -- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. -- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. -- Update runbooks/observability assets when operational characteristics change. \ No newline at end of file +# Zastava agent guide + +## Mission +Zastava monitors running workloads, verifies supply chain posture, and enforces runtime policy via Kubernetes admission webhooks. + +## Key docs +- [Module README](./README.md) +- [Architecture](./architecture.md) +- [Implementation plan](./implementation_plan.md) +- [Task board](./TASKS.md) + +## How to get started +1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module. +2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED). +3. Read the architecture and README for domain context before editing code or docs. +4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan. 
+ +## Guardrails +- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md). +- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts. +- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature. +- Update runbooks/observability assets when operational characteristics change. +## Required Reading +- `docs/modules/zastava/README.md` +- `docs/modules/zastava/architecture.md` +- `docs/modules/zastava/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/docs/technical/architecture/component-map.md b/docs/technical/architecture/component-map.md index 0ff1e54c..e4fcbf4e 100644 --- a/docs/technical/architecture/component-map.md +++ b/docs/technical/architecture/component-map.md 
@@ -40,8 +40,8 @@ Concise descriptions of every top-level component under `src/`, summarising the - **TimelineIndexer** — Builds timelines of evidence/events for forensics and audit tooling (`docs/forensics/timeline.md`). ## Notification & UI -- **Notifier** — New notifications studio with rule engine, digesting, and channel plug-ins (`docs/notifications/overview.md`). -- **Notify** — Legacy notification service referenced in backlog/cleanup docs; still handles existing deployments (`docs/modules/notify/architecture.md`). +- **Notifier** — Current notifications studio (WebService + Worker under `src/Notifier/StellaOps.Notifier`) delivering rule evaluation, digests, incidents, and channel plug-ins. Built on the shared `StellaOps.Notify.*` libraries; see `docs/notifications/overview.md` and `src/Notifier/StellaOps.Notifier/docs/NOTIFY-SVC-38-001-FOUNDATIONS.md`. +- **Notify (shared libraries / archival hosts)** — The former `StellaOps.Notify.WebService|Worker` hosts were archived on 2025-10-26. The directory now provides the reusable engine, storage, queue, and connector plug-ins that Notifier composes. Legacy guidance in `docs/modules/notify/architecture.md` remains as migration context until the Notifications Studio docs fully supersede it. - **UI** — Angular console surfacing scans, policy authoring, VEX evidence, runtime posture, and admin flows. Talks to Web gateway, Authority, Policy, Concelier, Scheduler, Notify, etc. (`docs/modules/ui/architecture.md`). - **DevPortal** — Developer onboarding portal consuming Api definitions, CLI samples, and Authority auth flows (`docs/modules/devops/architecture.md`, dev portal sections). 
@@ -71,7 +71,7 @@ High-level flows (see `docs/high-level-architecture.md` for diagrams): 1. **Ingest** — Concelier and Excititor use AOC to ingest advisories/VEX; Scheduler observes deltas. 2. **Scan & Evaluate** — Scanner generates SBOM evidence and hands to Signer/Attestor; Policy Engine merges SBOM, advisory, VEX, runtime signals; RiskEngine prioritises. 3. **Store & Export** — EvidenceLocker and Export Center package results; Registry serves artefacts; AirGap bundles offline editions. -4. **Observe & Notify** — Telemetry captures metrics/traces/logs; Notifier/Notify deliver alerts; UI/CLI/Web expose operations; TimelineIndexer builds audit trails. +4. **Observe & Notify** — Telemetry captures metrics/traces/logs; Notifier (via the shared `StellaOps.Notify.*` libraries) delivers alerts; UI/CLI/Web expose operations; TimelineIndexer builds audit trails. 5. **Govern & Secure** — Authority, IssuerDirectory, Signer, and Attestor maintain trust; Policy governance and console experiences let teams manage waivers and approvals. Refer back to module-specific documentation for APIs, configuration, schema details, and operational runbooks. This component map will stay updated alongside module architecture changes—log updates in `docs/updates/` whenever new modules are introduced or deprecated. diff --git a/docs/technical/process/README.md b/docs/technical/process/README.md index 0994bd47..fb84328f 100644 --- a/docs/technical/process/README.md +++ b/docs/technical/process/README.md 
@@ -9,7 +9,6 @@ Use these artefacts to understand team ownership, active workstreams, and histor ## Work Tracking - [../TASKS.md](../../TASKS.md) – Docs Guild task board. - Sprint plans and historical boards: [../implplan/SPRINTS.md](../../implplan/SPRINTS.md), [../implplan/SPRINTS_PRIOR_20251028.md](../../implplan/SPRINTS_PRIOR_20251028.md), [../implplan/SPRINTS_PRIOR_20251027.md](../../implplan/SPRINTS_PRIOR_20251027.md), [../implplan/SPRINTS_PRIOR_20251025.md](../../implplan/SPRINTS_PRIOR_20251025.md), [../implplan/SPRINTS_PRIOR_20251021.md](../../implplan/SPRINTS_PRIOR_20251021.md), [../implplan/SPRINTS_PRIOR_20251019.md](../../implplan/SPRINTS_PRIOR_20251019.md). -- Execution plan: [../implplan/EXECPLAN.md](../../implplan/EXECPLAN.md). - Backlog hygiene and consolidation notes: [../backlog/](../../backlog/). - Task packs and reusable templates: [../task-packs/](../../task-packs/). diff --git a/ops/authority/AGENTS.md b/ops/authority/AGENTS.md index b19cf07d..4286d3d3 100644 --- a/ops/authority/AGENTS.md +++ b/ops/authority/AGENTS.md @@ -14,3 +14,7 @@ Operate and harden the StellaOps Authority platform in production and air-gapped - Validate container changes with the CI pipeline (`ops/authority` GitHub workflow) before marking DONE. - Update operator documentation in `docs/` together with any behavioural change. - Coordinate with Authority Core and Security Guild before altering sensitive defaults (rate limits, crypto providers, revocation jobs). + +## Required Reading +- `docs/modules/platform/architecture-overview.md` +- `docs/modules/airgap/airgap-mode.md` diff --git a/ops/deployment/AGENTS.md b/ops/deployment/AGENTS.md index 8cc49cf6..db3beb1c 100644 --- a/ops/deployment/AGENTS.md +++ b/ops/deployment/AGENTS.md 
@@ -1,4 +1,15 @@ -# Deployment & Operations — Agent Charter - -## Mission -Maintain deployment/upgrade/rollback workflows (Helm/Compose) per `docs/modules/devops/ARCHITECTURE.md` including environment-specific configs. +# Deployment & Operations — Agent Charter + +## Mission +Maintain deployment/upgrade/rollback workflows (Helm/Compose) per `docs/modules/devops/ARCHITECTURE.md` including environment-specific configs. + +## Required Reading +- `docs/modules/platform/architecture-overview.md` +- `docs/modules/airgap/airgap-mode.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/ops/devops/AGENTS.md b/ops/devops/AGENTS.md index 6826e7ef..ba3087e0 100644 --- a/ops/devops/AGENTS.md +++ b/ops/devops/AGENTS.md 
@@ -1,11 +1,22 @@ -# DevOps & Release — Agent Charter - -## Mission -Execute deterministic build/release pipeline per `docs/modules/devops/ARCHITECTURE.md`: -- Reproducible builds with SBOM/provenance, cosign signing, transparency logging. -- Channel manifests (LTS/Stable/Edge) with digests, Helm/Compose profiles. -- Performance guard jobs ensuring budgets. - -## Expectations -- Coordinate with Scanner/Scheduler/Notify teams for artifact availability. -- Maintain CI reliability; update `TASKS.md` as states change. +# DevOps & Release — Agent Charter + +## Mission +Execute deterministic build/release pipeline per `docs/modules/devops/ARCHITECTURE.md`: +- Reproducible builds with SBOM/provenance, cosign signing, transparency logging. +- Channel manifests (LTS/Stable/Edge) with digests, Helm/Compose profiles. +- Performance guard jobs ensuring budgets. + +## Expectations +- Coordinate with Scanner/Scheduler/Notify teams for artifact availability. +- Maintain CI reliability; update `TASKS.md` as states change. + +## Required Reading +- `docs/modules/platform/architecture-overview.md` +- `docs/modules/airgap/airgap-mode.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/ops/devops/TASKS.md b/ops/devops/TASKS.md index 10d615b3..0fc0d89e 100644 --- a/ops/devops/TASKS.md +++ b/ops/devops/TASKS.md 
@@ -25,6 +25,14 @@ | DEVOPS-OBS-54-001 | TODO | DevOps Guild, Security Guild | PROV-OBS-53-002, EVID-OBS-54-001 | Manage provenance signing infrastructure (KMS keys, rotation schedule, timestamp authority integration) and integrate verification jobs into CI. | Keys provisioned with rotation policy; timestamp authority configured; CI verifies sample bundles; audit trail stored. | | DEVOPS-OBS-55-001 | TODO | DevOps Guild, Ops Guild | DEVOPS-OBS-51-001, WEB-OBS-55-001 | Implement incident mode automation: feature flag service, auto-activation via SLO burn-rate, retention override management, and post-incident reset job. | Incident mode toggles via API/CLI; automation tested in staging; reset job verified; runbook referenced. | +## Surface Sharing Enablement + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| OPS-ENV-01 | TODO | DevOps Guild, Scanner Guild | SURFACE-ENV-02 | Update deployment manifests (Helm/Compose) and configuration docs to include Surface.Env variables for Scanner and Zastava services. | Templates merged; config docs updated; air-gap bootstrap tested with new vars. | +| OPS-SECRETS-01 | TODO | DevOps Guild, Security Guild | SURFACE-SECRETS-03 | Define secret provisioning workflow (Kubernetes, Compose, Offline Kit) for Surface.Secrets references and update runbooks. | Runbook merged; sample manifests include secret refs; security review noted. | +| OPS-SECRETS-02 | TODO | DevOps Guild, Offline Kit Guild | OPS-SECRETS-01 | Embed Surface.Secrets material (encrypted bundles, manifests) into offline kit packaging scripts. | Offline kit build includes secrets manifest; verification script added; docs refreshed. | + ## Air-Gapped Mode (Epic 16) | ID | Status | Owner(s) | Depends on | Description | Exit Criteria | |----|--------|----------|------------|-------------|---------------| 
diff --git a/ops/licensing/AGENTS.md b/ops/licensing/AGENTS.md index 1d87b713..0ad0cffb 100644 --- a/ops/licensing/AGENTS.md +++ b/ops/licensing/AGENTS.md @@ -1,4 +1,15 @@ -# Licensing & Registry Access — Agent Charter - -## Mission -Implement licensing token service and registry access workflows described in `docs/modules/devops/ARCHITECTURE.md`. +# Licensing & Registry Access — Agent Charter + +## Mission +Implement licensing token service and registry access workflows described in `docs/modules/devops/ARCHITECTURE.md`. + +## Required Reading +- `docs/modules/platform/architecture-overview.md` +- `docs/modules/airgap/airgap-mode.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/ops/offline-kit/AGENTS.md b/ops/offline-kit/AGENTS.md index 62f9ecdd..404724ce 100644 --- a/ops/offline-kit/AGENTS.md +++ b/ops/offline-kit/AGENTS.md 
@@ -1,4 +1,15 @@ -# Offline Kit — Agent Charter - -## Mission -Package Offline Update Kit per `docs/modules/devops/ARCHITECTURE.md` and `docs/24_OFFLINE_KIT.md` with deterministic digests and import tooling. +# Offline Kit — Agent Charter + +## Mission +Package Offline Update Kit per `docs/modules/devops/ARCHITECTURE.md` and `docs/24_OFFLINE_KIT.md` with deterministic digests and import tooling. + +## Required Reading +- `docs/modules/platform/architecture-overview.md` +- `docs/modules/airgap/airgap-mode.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/ops/offline-kit/TASKS.md b/ops/offline-kit/TASKS.md index 025fb06f..b28f2292 100644 --- a/ops/offline-kit/TASKS.md +++ b/ops/offline-kit/TASKS.md 
@@ -8,3 +8,4 @@ | CLI-PACKS-43-002 | TODO | Offline Kit Guild, Packs Registry Guild | PACKS-REG-42-001, DEPLOY-PACKS-43-001 | Bundle Task Pack samples, registry mirror seeds, Task Runner configs, and CLI binaries with checksums into Offline Kit. | Offline kit includes packs registry mirror, Task Runner configs, CLI binaries; manifest/signature updated; docs describe air-gapped execution. | | OFFLINE-CONTAINERS-46-001 | TODO | Offline Kit Guild, Deployment Guild | DEVOPS-CONTAINERS-46-001, DEPLOY-AIRGAP-46-001 | Include container air-gap bundle, verification docs, and mirrored registry instructions inside Offline Kit. | Offline kit ships bundle + how-to; verification steps validated; manifest/signature updated; imposed rule noted. | | DEVOPS-OFFLINE-17-004 | BLOCKED (2025-10-26) | Offline Kit Guild, DevOps Guild | DEVOPS-REL-17-002 | Execute `mirror_debug_store.py` after the next release pipeline emits `out/release/debug`, verify manifest hashes, and archive `metadata/debug-store.json` with the kit. | Debug store mirrored post-release, manifest SHA validated, summary committed alongside Offline Kit bundle evidence. ⏳ Blocked until the release pipeline publishes the next `out/release/debug` tree; rerun the mirroring script as part of that pipeline. | +| OPS-SECRETS-02 | TODO | Offline Kit Guild, DevOps Guild | OPS-SECRETS-01 | Add Surface.Secrets bundles (encrypted creds, manifests) to Offline Kit packaging plus verification script. | Offline kit includes Surface.Secrets materials; verification script passes; docs updated with import instructions. | diff --git a/samples/AGENTS.md b/samples/AGENTS.md new file mode 100644 index 00000000..863afa2c --- /dev/null +++ b/samples/AGENTS.md 
@@ -0,0 +1,30 @@ +# Samples Guild Charter + +## Mission +Curate and maintain deterministic sample assets (configs, fixtures, walkthrough projects) that demonstrate StellaOps capabilities across modules. Samples must stay aligned with current APIs, schemas, and offline workflows so other guilds can rely on them for documentation, demos, and regression tests. + +## Scope +- Own sample bundles under `samples/` (configuration packs, walkthrough datasets, tutorial projects). +- Keep sample instructions in sync with latest component behaviour (Policy Engine, Scanner, CLI, UI, Offline Kit). +- Provide reproducible scripts to set up, execute, and validate each sample. +- Coordinate with Docs and DevRel to surface sample updates. + +## Required Reading +- `docs/README.md` +- `docs/quickstart.md` +- `docs/09_API_CLI_REFERENCE.md` +- `docs/modules/platform/architecture-overview.md` +- `docs/modules/cli/architecture.md` +- `docs/modules/ui/architecture.md` +- `docs/modules/scanner/architecture.md` +- `docs/modules/policy/architecture.md` +- `docs/modules/export-center/architecture.md` +- `docs/modules/telemetry/architecture.md` (for observability-focused samples) + +## Working Agreement +1. **Before starting a task** update its status to `DOING` in both `docs/implplan/SPRINTS.md` and `samples/TASKS.md`. Revert to `TODO` if you pause, or `DONE` when complete. +2. **Review this charter & required docs** to confirm conventions (deterministic outputs, offline readiness, security posture) before coding. +3. **Preserve determinism**: scripts must pin versions, normalise timestamps, and avoid network calls beyond documented mirrors. +4. **Documentation parity**: every change to a sample must include README/guide updates explaining execution steps and expected results. +5. **Cross-guild sign-off**: if a sample depends on another module (e.g., Policy, Scanner), sync with that guild before changing APIs or fixtures. +6. 
**Telemetry & cleanup**: ensure sample scripts clean up resources and redact secrets; include telemetry hints where valuable for users. diff --git a/src/AdvisoryAI/StellaOps.AdvisoryAI/AGENTS.md b/src/AdvisoryAI/StellaOps.AdvisoryAI/AGENTS.md index ff59c22f..a5932b88 100644 --- a/src/AdvisoryAI/StellaOps.AdvisoryAI/AGENTS.md +++ b/src/AdvisoryAI/StellaOps.AdvisoryAI/AGENTS.md @@ -20,3 +20,14 @@ Deliver the Advisory AI assistant service that synthesizes advisory/VEX evidence - API endpoints documented (OpenAPI), RBAC enforced, guardrails active. - Console/CLI integrations operational; telemetry dashboards live. - Documentation suite published with compliance checklist. + +## Required Reading +- `docs/modules/advisory-ai/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/AirGap/StellaOps.AirGap.Controller/AGENTS.md b/src/AirGap/StellaOps.AirGap.Controller/AGENTS.md index ef1fee8b..bad732b6 100644 --- a/src/AirGap/StellaOps.AirGap.Controller/AGENTS.md +++ b/src/AirGap/StellaOps.AirGap.Controller/AGENTS.md 
@@ -1,16 +1,27 @@ -# StellaOps AirGap Controller Guild Charter - -## Mission -Own the sealing state machine, status APIs, and enforcement hooks that keep StellaOps compliant in sealed air-gapped environments while respecting the imposed rule. - -## Scope -- Persisted air-gap state (`sealed`, policy hash, time anchor metadata) and RBAC enforcement. -- HTTP endpoints for seal/unseal/status and integration with Authority scopes. -- Startup diagnostics that refuse to run when sealing requirements are unmet. -- Coordination with DevOps for Kubernetes/Compose egress policies. -- Telemetry and audit events reflecting sealing actions and violations. - -## Definition of Done -- Deterministic tests for seal/unseal transitions and audit logging. -- Integration tests covering RBAC, sealed-mode refusal, and policy hash validation. -- Documentation hooks updated in `/docs/airgap/` for each shipped feature. +# StellaOps AirGap Controller Guild Charter + +## Mission +Own the sealing state machine, status APIs, and enforcement hooks that keep StellaOps compliant in sealed air-gapped environments while respecting the imposed rule. + +## Scope +- Persisted air-gap state (`sealed`, policy hash, time anchor metadata) and RBAC enforcement. +- HTTP endpoints for seal/unseal/status and integration with Authority scopes. +- Startup diagnostics that refuse to run when sealing requirements are unmet. +- Coordination with DevOps for Kubernetes/Compose egress policies. +- Telemetry and audit events reflecting sealing actions and violations. + +## Definition of Done +- Deterministic tests for seal/unseal transitions and audit logging. +- Integration tests covering RBAC, sealed-mode refusal, and policy hash validation. +- Documentation hooks updated in `/docs/airgap/` for each shipped feature. + +## Required Reading +- `docs/airgap/airgap-mode.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. 
Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/AirGap/StellaOps.AirGap.Importer/AGENTS.md b/src/AirGap/StellaOps.AirGap.Importer/AGENTS.md index 1935f15c..d3e20a95 100644 --- a/src/AirGap/StellaOps.AirGap.Importer/AGENTS.md +++ b/src/AirGap/StellaOps.AirGap.Importer/AGENTS.md 
@@ -1,16 +1,27 @@ -# StellaOps AirGap Importer Guild Charter - -## Mission -Deliver offline bundle verification and ingestion tooling for sealed environments, covering DSSE/TUF validation, catalog updates, and audit logging under the imposed rule. - -## Scope -- TUF metadata verification, DSSE signature checks, Merkle root validation. -- Import pipelines writing bundle catalogs, object-store layouts, and audit entries. -- CLI + API surfaces for dry-run verification, import, and status queries. -- Integration hooks for Conseiller, Excitator, Policy Engine, and Export Center. -- Negative-case handling (tampering, expired signatures, root rotation) with operator guidance. - -## Definition of Done -- Deterministic fixtures for valid/invalid bundles committed. -- Integration tests prove catalog + object-store updates are idempotent. -- Import audit trail viewable via API and timeline events. +# StellaOps AirGap Importer Guild Charter + +## Mission +Deliver offline bundle verification and ingestion tooling for sealed environments, covering DSSE/TUF validation, catalog updates, and audit logging under the imposed rule. + +## Scope +- TUF metadata verification, DSSE signature checks, Merkle root validation. +- Import pipelines writing bundle catalogs, object-store layouts, and audit entries. +- CLI + API surfaces for dry-run verification, import, and status queries. +- Integration hooks for Conseiller, Excitator, Policy Engine, and Export Center. +- Negative-case handling (tampering, expired signatures, root rotation) with operator guidance. + +## Definition of Done +- Deterministic fixtures for valid/invalid bundles committed. +- Integration tests prove catalog + object-store updates are idempotent. +- Import audit trail viewable via API and timeline events. + +## Required Reading +- `docs/airgap/airgap-mode.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. 
Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/AirGap/StellaOps.AirGap.Policy/AGENTS.md b/src/AirGap/StellaOps.AirGap.Policy/AGENTS.md index 1f5aea43..7fe56f70 100644 --- a/src/AirGap/StellaOps.AirGap.Policy/AGENTS.md +++ b/src/AirGap/StellaOps.AirGap.Policy/AGENTS.md 
@@ -1,16 +1,27 @@ -# StellaOps AirGap Policy Guild Charter - -## Mission -Provide the shared enforcement layer (`EgressPolicy`, job plan validators, sealed-mode gates) that keeps all services compliant with Air-Gapped Mode requirements. - -## Scope -- `EgressPolicy` facade replacing raw HTTP client usage. -- Static analysis/linting to detect unauthorized network calls. -- Task Runner and orchestrator validators flagging disallowed destinations. -- Shared error contract (`AIRGAP_EGRESS_BLOCKED`) and remediation messages. -- Test harnesses simulating sealed/unsealed execution paths. - -## Definition of Done -- Every service imports the facade; CI fails on direct HTTP client usage. -- Sealed-mode unit tests cover panic/remediation behavior across host types. -- Documentation updated in `/docs/dev/airgap-contracts.md` for adoption patterns. +# StellaOps AirGap Policy Guild Charter + +## Mission +Provide the shared enforcement layer (`EgressPolicy`, job plan validators, sealed-mode gates) that keeps all services compliant with Air-Gapped Mode requirements. + +## Scope +- `EgressPolicy` facade replacing raw HTTP client usage. +- Static analysis/linting to detect unauthorized network calls. +- Task Runner and orchestrator validators flagging disallowed destinations. +- Shared error contract (`AIRGAP_EGRESS_BLOCKED`) and remediation messages. +- Test harnesses simulating sealed/unsealed execution paths. + +## Definition of Done +- Every service imports the facade; CI fails on direct HTTP client usage. +- Sealed-mode unit tests cover panic/remediation behavior across host types. +- Documentation updated in `docs/airgap/airgap-mode.md` and `docs/airgap/staleness-and-time.md` for adoption patterns. + +## Required Reading +- `docs/airgap/airgap-mode.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. 
Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/AirGap/StellaOps.AirGap.Time/AGENTS.md b/src/AirGap/StellaOps.AirGap.Time/AGENTS.md index f37ec8e8..f010a814 100644 --- a/src/AirGap/StellaOps.AirGap.Time/AGENTS.md +++ b/src/AirGap/StellaOps.AirGap.Time/AGENTS.md 
@@ -1,15 +1,27 @@ -# StellaOps AirGap Time Guild Charter - -## Mission -Manage trusted time anchors and staleness budgets for sealed environments, ensuring deterministic behavior when external time sources are unavailable. - -## Scope -- Parse signed time tokens from Mirror Bundles and validate signatures. -- Persist `time_anchor` metadata and compute drift/staleness metrics. -- Provide helpers for UI/API staleness badges and job gating. -- Integrate with Notifications to alert on approaching drift thresholds. - -## Definition of Done -- Test vectors for time tokens committed alongside verification code. -- Drift calculations deterministic and configurable per tenant. -- Documentation updates for `/docs/airgap/staleness-and-time.md` with examples. +# StellaOps AirGap Time Guild Charter + +## Mission +Manage trusted time anchors and staleness budgets for sealed environments, ensuring deterministic behavior when external time sources are unavailable. + +## Scope +- Parse signed time tokens from Mirror Bundles and validate signatures. +- Persist `time_anchor` metadata and compute drift/staleness metrics. +- Provide helpers for UI/API staleness badges and job gating. +- Integrate with Notifications to alert on approaching drift thresholds. + +## Definition of Done +- Test vectors for time tokens committed alongside verification code. +- Drift calculations deterministic and configurable per tenant. +- Documentation updates for `docs/airgap/staleness-and-time.md` with examples. + +## Required Reading +- `docs/airgap/airgap-mode.md` +- `docs/airgap/staleness-and-time.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. 
Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Api/StellaOps.Api.Governance/AGENTS.md b/src/Api/StellaOps.Api.Governance/AGENTS.md index 6b20f66d..51d8ac39 100644 --- a/src/Api/StellaOps.Api.Governance/AGENTS.md +++ b/src/Api/StellaOps.Api.Governance/AGENTS.md 
@@ -1,15 +1,26 @@ -# API Governance Guild Charter - -## Mission -Enforce API contract quality through linting, compatibility checks, version policy automation, and changelog generation. - -## Scope -- Maintain lint rule set, compatibility diff tooling, and CI integration. -- Gate PRs on contract validation, example coverage, and naming conventions. -- Produce automated changelogs and deprecation notices from OAS diffs. -- Coordinate with Notifications Studio for deprecation broadcasts. - -## Definition of Done -- CI gate prevents merging incompatible or non-conforming specs. -- Version bump tooling produces signed changelog artifacts per release. -- Governance documentation kept current in `/docs/contributing/api-contracts.md`. +# API Governance Guild Charter + +## Mission +Enforce API contract quality through linting, compatibility checks, version policy automation, and changelog generation. + +## Scope +- Maintain lint rule set, compatibility diff tooling, and CI integration. +- Gate PRs on contract validation, example coverage, and naming conventions. +- Produce automated changelogs and deprecation notices from OAS diffs. +- Coordinate with Notifications Studio for deprecation broadcasts. + +## Definition of Done +- CI gate prevents merging incompatible or non-conforming specs. +- Version bump tooling produces signed changelog artifacts per release. +- Governance documentation kept current in `docs/contributing/api-contracts.md`. + +## Required Reading +- `docs/contributing/api-contracts.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. 
Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Api/StellaOps.Api.OpenApi/AGENTS.md b/src/Api/StellaOps.Api.OpenApi/AGENTS.md index 5e696b14..8dd8deaf 100644 --- a/src/Api/StellaOps.Api.OpenApi/AGENTS.md +++ b/src/Api/StellaOps.Api.OpenApi/AGENTS.md @@ -14,3 +14,13 @@ Maintain OpenAPI 3.1 specifications for every StellaOps service, compose the agg - All public endpoints represented in OAS with validated request/response examples. - Aggregate spec builds deterministically and passes lint + compatibility checks. - Change logs generated with every release and linked to developer portal updates. + +## Required Reading +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Attestor/StellaOps.Attestor.Envelope/AGENTS.md b/src/Attestor/StellaOps.Attestor.Envelope/AGENTS.md index 1a284b71..66ece153 100644 --- a/src/Attestor/StellaOps.Attestor.Envelope/AGENTS.md +++ b/src/Attestor/StellaOps.Attestor.Envelope/AGENTS.md 
@@ -1,15 +1,26 @@ -# Attestation Envelope Guild Charter - -## Mission -Provide deterministic DSSE envelope handling with multi-signature support, canonical serialization, hashing, and integrity safeguards for all Stella attestations. - -## Scope -- DSSE encoding/decoding, canonical JSON handling, and detached payload support. -- Multi-signature verification, key identification, and cryptographic primitives. -- Integration with KMS drivers and transparency log witness utilities. -- Fuzz and property testing for envelope parsing and normalization. - -## Definition of Done -- Envelope APIs produce canonical payloads and support multiple signatures deterministically. -- Verification detects tampering, mismatched subjects, and unsupported algorithms. -- Property and fuzz tests cover canonicalization and signature edge cases. +# Attestation Envelope Guild Charter + +## Mission +Provide deterministic DSSE envelope handling with multi-signature support, canonical serialization, hashing, and integrity safeguards for all Stella attestations. + +## Scope +- DSSE encoding/decoding, canonical JSON handling, and detached payload support. +- Multi-signature verification, key identification, and cryptographic primitives. +- Integration with KMS drivers and transparency log witness utilities. +- Fuzz and property testing for envelope parsing and normalization. + +## Definition of Done +- Envelope APIs produce canonical payloads and support multiple signatures deterministically. +- Verification detects tampering, mismatched subjects, and unsupported algorithms. +- Property and fuzz tests cover canonicalization and signature edge cases. + +## Required Reading +- `docs/modules/attestor/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. 
Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Attestor/StellaOps.Attestor.Types/AGENTS.md b/src/Attestor/StellaOps.Attestor.Types/AGENTS.md index 8f1b79af..fcd6cff5 100644 --- a/src/Attestor/StellaOps.Attestor.Types/AGENTS.md +++ b/src/Attestor/StellaOps.Attestor.Types/AGENTS.md 
@@ -1,14 +1,25 @@ -# Attestation Payloads Guild Charter - -## Mission -Define strongly typed, versioned schemas for all attestation payloads and provide validation utilities for generating and verifying evidence. - -## Scope -- JSON Schemas, code generation, and documentation for each attestation type. -- Normalization and validation logic shared across services, CLI, and SDKs. -- Sample payloads and golden fixtures used in contract tests and docs. - -## Definition of Done -- Payload types compiled into Go/TypeScript models with validation helpers. -- Schemas published with semantic versioning and change logs. -- Golden samples maintained with acceptance tests and doc integration. +# Attestation Payloads Guild Charter + +## Mission +Define strongly typed, versioned schemas for all attestation payloads and provide validation utilities for generating and verifying evidence. + +## Scope +- JSON Schemas, code generation, and documentation for each attestation type. +- Normalization and validation logic shared across services, CLI, and SDKs. +- Sample payloads and golden fixtures used in contract tests and docs. + +## Definition of Done +- Payload types compiled into Go/TypeScript models with validation helpers. +- Schemas published with semantic versioning and change logs. +- Golden samples maintained with acceptance tests and doc integration. + +## Required Reading +- `docs/modules/attestor/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. 
Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Attestor/StellaOps.Attestor.Verify/AGENTS.md b/src/Attestor/StellaOps.Attestor.Verify/AGENTS.md index a9270df3..595f2773 100644 --- a/src/Attestor/StellaOps.Attestor.Verify/AGENTS.md +++ b/src/Attestor/StellaOps.Attestor.Verify/AGENTS.md 
@@ -1,14 +1,25 @@ -# Attestation Verification Guild Charter - -## Mission -Implement the verification engine that enforces attestation policies, issuer trust, transparency requirements, and produces audit-ready reports. - -## Scope -- Verification pipeline integrating DSSE validation, issuer/key trust, Policy Studio rules, freshness checks, and transparency proofs. -- Caching and reporting for verification results. -- Error codes and explainability artifacts for UI/CLI consumption. - -## Definition of Done -- Verification passes/fails deterministically with detailed report structures. -- Caching improves performance without sacrificing correctness. -- Policies enforce scope-based rules and waivers, with unit/integration coverage. +# Attestation Verification Guild Charter + +## Mission +Implement the verification engine that enforces attestation policies, issuer trust, transparency requirements, and produces audit-ready reports. + +## Scope +- Verification pipeline integrating DSSE validation, issuer/key trust, Policy Studio rules, freshness checks, and transparency proofs. +- Caching and reporting for verification results. +- Error codes and explainability artifacts for UI/CLI consumption. + +## Definition of Done +- Verification passes/fails deterministically with detailed report structures. +- Caching improves performance without sacrificing correctness. +- Policies enforce scope-based rules and waivers, with unit/integration coverage. + +## Required Reading +- `docs/modules/attestor/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. 
Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Attestor/StellaOps.Attestor/AGENTS.md b/src/Attestor/StellaOps.Attestor/AGENTS.md index 0baead27..2b087877 100644 --- a/src/Attestor/StellaOps.Attestor/AGENTS.md +++ b/src/Attestor/StellaOps.Attestor/AGENTS.md @@ -37,3 +37,14 @@ Deliver the API, workers, and storage that power signing, verification, and life - Signing and verification APIs operate deterministically with full explainability. - Policy enforcement integrated with Authority & Tenancy scopes. - Transparency proof handling, key rotation, and revocation workflows implemented. + +## Required Reading +- `docs/modules/attestor/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Authority/StellaOps.Authority/AGENTS.md b/src/Authority/StellaOps.Authority/AGENTS.md index 29c2d12f..ac886657 100644 --- a/src/Authority/StellaOps.Authority/AGENTS.md +++ b/src/Authority/StellaOps.Authority/AGENTS.md 
@@ -18,3 +18,14 @@ Own the StellaOps Authority host service: ASP.NET minimal API, OpenIddict flows, - `src/Authority/StellaOps.Authority/StellaOps.Authority.Tests/` — integration/unit tests - `src/Authority/StellaOps.Authority/StellaOps.Authority.Storage.Mongo/` — data access helpers - `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/` — default identity provider plugin + +## Required Reading +- `docs/modules/authority/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/AGENTS.md b/src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/AGENTS.md index 5dc29805..be0d3fbe 100644 --- a/src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/AGENTS.md +++ b/src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/AGENTS.md 
@@ -18,3 +18,14 @@ Own the Mongo-backed Standard identity provider plug-in and shared Authority plu - Team 2 (Authority Core) for handler integration. - Security Guild for password hashing, audit, revocation. - Docs Guild for developer guide polish and diagrams. + +## Required Reading +- `docs/modules/authority/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Bench/StellaOps.Bench/AGENTS.md b/src/Bench/StellaOps.Bench/AGENTS.md new file mode 100644 index 00000000..8a4f8ddd --- /dev/null +++ b/src/Bench/StellaOps.Bench/AGENTS.md 
@@ -0,0 +1,27 @@ +# Benchmarks Guild Charter + +## Mission +Design and maintain deterministic benchmark suites that measure StellaOps performance (queue throughput, cache efficiency, API latency) to guard SLOs and capacity plans. Benchmarks must mirror production-like workloads yet remain reproducible for local and CI runs. + +## Scope +- `src/Bench/StellaOps.Bench/**` benchmark harnesses, datasets, and result reporters. +- ImpactIndex/Scheduler/Scanner/Policy Engine workload simulations referenced in tasks. +- Benchmark configuration and warm-up scripts used by DevOps for regression tracking. +- Documentation of benchmark methodology and expected baseline metrics. + +## Required Reading +- `docs/modules/platform/architecture-overview.md` +- `docs/modules/scanner/architecture.md` (Scanner throughput metrics) +- `docs/modules/scheduler/architecture.md` (ImpactIndex & planner loops) +- `docs/modules/policy/architecture.md` (evaluation pipeline) +- `docs/modules/telemetry/architecture.md` (metrics naming, sampling policies) +- `docs/observability/metrics-and-slos.md` (once published) +- Existing benchmark notes in `docs/dev/perf/` (if present) and any sprint-specific design docs referenced by TASKS. + +## Working Agreement +1. **State sync**: mark tasks `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and `src/Bench/StellaOps.Bench/TASKS.md` before/after work. +2. **Baseline references**: link commits/results for baseline metrics; update docs when targets shift. +3. **Deterministic harnesses**: avoid random seeds without explicit seeding; ensure benchmarks run offline with local fixtures. +4. **Safety**: guard against resource exhaustion—cap concurrency, add cleanup/finalizers, ensure containerised runs have limits. +5. **Telemetry integration**: export metrics via OpenTelemetry/Metrics APIs; coordinate with DevOps on dashboards/alerts. +6. 
**Cross-guild coordination**: notify impacted component guilds when benchmarks uncover regressions; file follow-up issues with actionable data. diff --git a/src/Cartographer/StellaOps.Cartographer/AGENTS.md b/src/Cartographer/StellaOps.Cartographer/AGENTS.md index b27b2019..02b02135 100644 --- a/src/Cartographer/StellaOps.Cartographer/AGENTS.md +++ b/src/Cartographer/StellaOps.Cartographer/AGENTS.md 
@@ -1,18 +1,28 @@ -# StellaOps.Cartographer — Agent Charter - -## Mission -Build and operate the Cartographer service that materializes immutable SBOM property graphs, precomputes layout tiles, and hydrates policy/VEX overlays so other services (API, UI, CLI) can navigate and reason about dependency relationships with context. - -## Responsibilities -- Ingest normalized SBOM projections (CycloneDX/SPDX) and generate versioned graph snapshots with tenant-aware storage. -- Maintain overlay workers that merge Policy Engine effective findings and VEX metadata onto graph nodes/edges, including path relevance computation. -- Serve graph APIs for viewport tiles, paths, filters, exports, simulation overlays, and diffing. -- Coordinate with Policy Engine, Scheduler, Conseiller, Excitator, and Authority to keep overlays current, respect RBAC, and uphold determinism guarantees. -- Deliver observability (metrics/traces/logs) and performance benchmarks for large graphs (≥50k nodes). - -## Expectations -- Keep builds deterministic; snapshots are write-once and content-addressed. -- Tenancy and scope enforcement must match Authority policies (`graph:*`, `sbom:read`, `findings:read`). +# StellaOps.Cartographer — Agent Charter + +## Mission +Build and operate the Cartographer service that materializes immutable SBOM property graphs, precomputes layout tiles, and hydrates policy/VEX overlays so other services (API, UI, CLI) can navigate and reason about dependency relationships with context. + +## Responsibilities +- Ingest normalized SBOM projections (CycloneDX/SPDX) and generate versioned graph snapshots with tenant-aware storage. +- Maintain overlay workers that merge Policy Engine effective findings and VEX metadata onto graph nodes/edges, including path relevance computation. +- Serve graph APIs for viewport tiles, paths, filters, exports, simulation overlays, and diffing. 
+- Coordinate with Policy Engine, Scheduler, Conseiller, Excitator, and Authority to keep overlays current, respect RBAC, and uphold determinism guarantees. +- Deliver observability (metrics/traces/logs) and performance benchmarks for large graphs (≥50k nodes). + +## Expectations +- Keep builds deterministic; snapshots are write-once and content-addressed. +- Tenancy and scope enforcement must match Authority policies (`graph:*`, `sbom:read`, `findings:read`). - Update `TASKS.md`, `../../docs/implplan/SPRINTS.md` when status changes. -- Provide fixtures and documentation so UI/CLI teams can simulate graphs offline. -- Authority integration derives scope names from `StellaOps.Auth.Abstractions.StellaOpsScopes`; avoid hard-coded `graph:*` literals. +- Provide fixtures and documentation so UI/CLI teams can simulate graphs offline. +- Authority integration derives scope names from `StellaOps.Auth.Abstractions.StellaOpsScopes`; avoid hard-coded `graph:*` literals. + +## Required Reading +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Cli/StellaOps.Cli/AGENTS.md b/src/Cli/StellaOps.Cli/AGENTS.md index 1d15a32d..b1648e73 100644 --- a/src/Cli/StellaOps.Cli/AGENTS.md +++ b/src/Cli/StellaOps.Cli/AGENTS.md 
@@ -1,32 +1,36 @@ -# StellaOps.Cli — Agent Brief - -## Mission -- Deliver an offline-capable command-line interface that drives StellaOps back-end operations: scanner distribution, scan execution, result uploads, and Concelier database lifecycle calls (init/resume/export). -- Honour StellaOps principles of determinism, observability, and offline-first behaviour while providing a polished operator experience. - -## Role Charter -| Role | Mandate | Collaboration | -| --- | --- | --- | -| **DevEx/CLI** | Own CLI UX, command routing, and configuration model. Ensure commands work with empty/default config and document overrides. | Coordinate with Backend/WebService for API contracts and with Docs for operator workflows. | -| **Ops Integrator** | Maintain integration paths for shell/dotnet/docker tooling. Validate that air-gapped runners can bootstrap required binaries. | Work with Concelier/Agent teams to mirror packaging and signing requirements. | -| **QA** | Provide command-level fixtures, golden outputs, and regression coverage (unit & smoke). Ensure commands respect cancellation and deterministic logging. | Partner with QA guild for shared harnesses and test data. | - -## Working Agreements -- Configuration is centralised in `StellaOps.Configuration`; always consume the bootstrapper instead of hand rolling builders. Env vars (`API_KEY`, `STELLAOPS_BACKEND_URL`, `StellaOps:*`) override JSON/YAML and default to empty values. -- Command verbs (`scanner`, `scan`, `db`, `config`) are wired through System.CommandLine 2.0; keep handlers composable, cancellation-aware, and unit-testable. -- `scanner download` must verify digests/signatures, install containers locally (docker load), and log artefact metadata. -- `scan run` must execute the container against a directory, materialise artefacts in `ResultsDirectory`, and auto-upload them on success; `scan upload` is the manual retry path. 
-- Emit structured console logs (single line, UTC timestamps) and honour offline-first expectations—no hidden network calls. -- Mirror repository guidance: stay within `src/Cli/StellaOps.Cli` unless collaborating via documented handshakes. -- Update `TASKS.md` as states change (TODO → DOING → DONE/BLOCKED) and record added tests/fixtures alongside implementation notes. - -## Reference Materials -- `docs/modules/concelier/ARCHITECTURE.md` for database operations surface area. -- Backend OpenAPI/contract docs (once available) for job triggers and scanner endpoints. -- Existing module AGENTS/TASKS files for style and coordination cues. -- `docs/09_API_CLI_REFERENCE.md` (section 3) for the user-facing synopsis of the CLI verbs and flags. - -### Attestor Command Guild -- Owns the `stella attest` verb family (sign, verify, list, fetch) plus key lifecycle helpers (create, import, rotate, revoke). -- Ensures all attestation flows use the official SDK transport, support offline bundles, and surface JSON/table outputs for automation. -- Guards parity with attestor service policies (verification policies, explainability) and keeps fixtures/tests covering file-based and KMS-backed keys. +# StellaOps.Cli — Agent Brief + +## Mission +- Deliver an offline-capable command-line interface that drives StellaOps back-end operations: scanner distribution, scan execution, result uploads, and Concelier database lifecycle calls (init/resume/export). +- Honour StellaOps principles of determinism, observability, and offline-first behaviour while providing a polished operator experience. + +## Role Charter +| Role | Mandate | Collaboration | +| --- | --- | --- | +| **DevEx/CLI** | Own CLI UX, command routing, and configuration model. Ensure commands work with empty/default config and document overrides. | Coordinate with Backend/WebService for API contracts and with Docs for operator workflows. | +| **Ops Integrator** | Maintain integration paths for shell/dotnet/docker tooling. 
Validate that air-gapped runners can bootstrap required binaries. | Work with Concelier/Agent teams to mirror packaging and signing requirements. | +| **QA** | Provide command-level fixtures, golden outputs, and regression coverage (unit & smoke). Ensure commands respect cancellation and deterministic logging. | Partner with QA guild for shared harnesses and test data. | + +## Working Agreements +- Configuration is centralised in `StellaOps.Configuration`; always consume the bootstrapper instead of hand rolling builders. Env vars (`API_KEY`, `STELLAOPS_BACKEND_URL`, `StellaOps:*`) override JSON/YAML and default to empty values. +- Command verbs (`scanner`, `scan`, `db`, `config`) are wired through System.CommandLine 2.0; keep handlers composable, cancellation-aware, and unit-testable. +- `scanner download` must verify digests/signatures, install containers locally (docker load), and log artefact metadata. +- `scan run` must execute the container against a directory, materialise artefacts in `ResultsDirectory`, and auto-upload them on success; `scan upload` is the manual retry path. +- Emit structured console logs (single line, UTC timestamps) and honour offline-first expectations—no hidden network calls. +- Mirror repository guidance: stay within `src/Cli/StellaOps.Cli` unless collaborating via documented handshakes. +- Update `TASKS.md` as states change (TODO → DOING → DONE/BLOCKED) and record added tests/fixtures alongside implementation notes. + +## Reference Materials +- `docs/modules/concelier/ARCHITECTURE.md` for database operations surface area. +- Backend OpenAPI/contract docs (once available) for job triggers and scanner endpoints. +- Existing module AGENTS/TASKS files for style and coordination cues. +- `docs/09_API_CLI_REFERENCE.md` (section 3) for the user-facing synopsis of the CLI verbs and flags. 
+ +### Attestor Command Guild +- Owns the `stella attest` verb family (sign, verify, list, fetch) plus key lifecycle helpers (create, import, rotate, revoke). +- Ensures all attestation flows use the official SDK transport, support offline bundles, and surface JSON/table outputs for automation. +- Guards parity with attestor service policies (verification policies, explainability) and keeps fixtures/tests covering file-based and KMS-backed keys. + +## Required Reading +- `docs/modules/cli/architecture.md` +- `docs/modules/platform/architecture-overview.md` diff --git a/src/Concelier/StellaOps.Concelier.WebService/AGENTS.md b/src/Concelier/StellaOps.Concelier.WebService/AGENTS.md index e09ae40c..d93ff9ea 100644 --- a/src/Concelier/StellaOps.Concelier.WebService/AGENTS.md +++ b/src/Concelier/StellaOps.Concelier.WebService/AGENTS.md 
@@ -1,34 +1,45 @@ -# AGENTS -## Role -Minimal API host wiring configuration, storage, plugin routines, and job endpoints. Operational surface for health, readiness, and job control. -## Scope -- Configuration: appsettings.json + etc/concelier.yaml (yaml path = ../etc/concelier.yaml); bind into ConcelierOptions with validation (Only Mongo supported). -- Mongo: MongoUrl from options.Storage.Dsn; IMongoClient/IMongoDatabase singletons; default database name fallback (options -> URL -> "concelier"). -- Services: AddMongoStorage(); AddSourceHttpClients(); RegisterPluginRoutines(configuration, PluginHostOptions). -- Bootstrap: MongoBootstrapper.InitializeAsync on startup. -- Endpoints (configuration & job control only; root path intentionally unbound): - - GET /health -> {status:"healthy"} after options validation binds. - - GET /ready -> MongoDB ping; 503 on MongoException/Timeout. - - GET /jobs?kind=&limit= -> recent runs. - - GET /jobs/{id} -> run detail. - - GET /jobs/definitions -> definitions with lastRun. - - GET /jobs/definitions/{kind} -> definition + lastRun or 404. - - GET /jobs/definitions/{kind}/runs?limit= -> recent runs or 404 if kind unknown. - - GET /jobs/active -> currently running. - - POST /jobs/{*jobKind} with {trigger?,parameters?} -> 202 Accepted (Location:/jobs/{runId}) | 404 | 409 | 423. +# AGENTS +## Role +Minimal API host wiring configuration, storage, plugin routines, and job endpoints. Operational surface for health, readiness, and job control. +## Scope +- Configuration: appsettings.json + etc/concelier.yaml (yaml path = ../etc/concelier.yaml); bind into ConcelierOptions with validation (Only Mongo supported). +- Mongo: MongoUrl from options.Storage.Dsn; IMongoClient/IMongoDatabase singletons; default database name fallback (options -> URL -> "concelier"). +- Services: AddMongoStorage(); AddSourceHttpClients(); RegisterPluginRoutines(configuration, PluginHostOptions). +- Bootstrap: MongoBootstrapper.InitializeAsync on startup. 
+- Endpoints (configuration & job control only; root path intentionally unbound): + - GET /health -> {status:"healthy"} after options validation binds. + - GET /ready -> MongoDB ping; 503 on MongoException/Timeout. + - GET /jobs?kind=&limit= -> recent runs. + - GET /jobs/{id} -> run detail. + - GET /jobs/definitions -> definitions with lastRun. + - GET /jobs/definitions/{kind} -> definition + lastRun or 404. + - GET /jobs/definitions/{kind}/runs?limit= -> recent runs or 404 if kind unknown. + - GET /jobs/active -> currently running. + - POST /jobs/{*jobKind} with {trigger?,parameters?} -> 202 Accepted (Location:/jobs/{runId}) | 404 | 409 | 423. - PluginHost defaults: BaseDirectory = solution root; PluginsDirectory = "StellaOps.Concelier.PluginBinaries"; SearchPatterns += "StellaOps.Concelier.Plugin.*.dll"; EnsureDirectoryExists = true. -## Participants -- Core job system; Storage.Mongo; Source.Common HTTP clients; Exporter and Connector plugin routines discover/register jobs. -## Interfaces & contracts -- Dependency injection boundary for all connectors/exporters; IOptions validated on start. -- Cancellation: pass app.Lifetime.ApplicationStopping to bootstrapper. -## In/Out of scope -In: hosting, DI composition, REST surface, readiness checks. -Out: business logic of jobs, HTML UI, authn/z (future). -## Observability & security expectations -- Log startup config (redact DSN credentials), plugin scan results (missing ordered plugins if any). -- Structured responses with status codes; no stack traces in HTTP bodies; errors mapped cleanly. -## Tests -- Author and review coverage in `../StellaOps.Concelier.WebService.Tests`. -- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. -- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. 
+## Participants +- Core job system; Storage.Mongo; Source.Common HTTP clients; Exporter and Connector plugin routines discover/register jobs. +## Interfaces & contracts +- Dependency injection boundary for all connectors/exporters; IOptions validated on start. +- Cancellation: pass app.Lifetime.ApplicationStopping to bootstrapper. +## In/Out of scope +In: hosting, DI composition, REST surface, readiness checks. +Out: business logic of jobs, HTML UI, authn/z (future). +## Observability & security expectations +- Log startup config (redact DSN credentials), plugin scan results (missing ordered plugins if any). +- Structured responses with status codes; no stack traces in HTTP bodies; errors mapped cleanly. +## Tests +- Author and review coverage in `../StellaOps.Concelier.WebService.Tests`. +- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. +- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Acsc/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Acsc/AGENTS.md index 257b7a98..e2634134 100644 
--- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Acsc/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Acsc/AGENTS.md 
@@ -1,40 +1,51 @@ -# AGENTS -## Role -Bootstrap the ACSC (Australian Cyber Security Centre) advisories connector so the Concelier pipeline can ingest, normalise, and enrich ACSC security bulletins. - -## Scope -- Research the authoritative ACSC advisory feed (RSS/Atom, JSON API, or HTML). -- Implement fetch windowing, cursor persistence, and retry strategy consistent with other external connectors. -- Parse advisory content (summary, affected products, mitigation guidance, references). -- Map advisories into canonical `Advisory` records with aliases, references, affected packages, and provenance metadata. -- Provide deterministic fixtures and regression tests that cover fetch/parse/map flows. - -## Participants -- `Source.Common` for HTTP client creation, fetch service, and DTO persistence helpers. -- `Storage.Mongo` for raw/document/DTO/advisory storage plus cursor management. -- `Concelier.Models` for canonical advisory structures and provenance utilities. -- `Concelier.Testing` for integration harnesses and snapshot helpers. - -## Interfaces & Contracts -- Job kinds should follow the pattern `acsc:fetch`, `acsc:parse`, `acsc:map`. -- Documents persisted to Mongo must include ETag/Last-Modified metadata when the source exposes it. -- Canonical advisories must emit aliases (ACSC ID + CVE IDs) and references (official bulletin + vendor notices). - -## In/Out of scope -In scope: -- Initial end-to-end connector implementation with tests, fixtures, and range primitive coverage. -- Minimal telemetry (logging + diagnostics counters) consistent with other connectors. - -Out of scope: -- Upstream remediation automation or vendor-specific enrichment beyond ACSC data. -- Export-related changes (handled by exporter teams). - -## Observability & Security Expectations -- Log key lifecycle events (fetch/page processed, parse success/error counts, mapping stats). -- Sanitise HTML safely and avoid persisting external scripts or embedded media. 
-- Handle transient fetch failures gracefully with exponential backoff and mark failures in source state. - -## Tests -- Add integration-style tests under `StellaOps.Concelier.Connector.Acsc.Tests` covering fetch/parse/map with canned fixtures. -- Snapshot canonical advisories; provide UPDATE flag flow for regeneration. -- Validate determinism (ordering, casing, timestamps) to satisfy pipeline reproducibility requirements. +# AGENTS +## Role +Bootstrap the ACSC (Australian Cyber Security Centre) advisories connector so the Concelier pipeline can ingest, normalise, and enrich ACSC security bulletins. + +## Scope +- Research the authoritative ACSC advisory feed (RSS/Atom, JSON API, or HTML). +- Implement fetch windowing, cursor persistence, and retry strategy consistent with other external connectors. +- Parse advisory content (summary, affected products, mitigation guidance, references). +- Map advisories into canonical `Advisory` records with aliases, references, affected packages, and provenance metadata. +- Provide deterministic fixtures and regression tests that cover fetch/parse/map flows. + +## Participants +- `Source.Common` for HTTP client creation, fetch service, and DTO persistence helpers. +- `Storage.Mongo` for raw/document/DTO/advisory storage plus cursor management. +- `Concelier.Models` for canonical advisory structures and provenance utilities. +- `Concelier.Testing` for integration harnesses and snapshot helpers. + +## Interfaces & Contracts +- Job kinds should follow the pattern `acsc:fetch`, `acsc:parse`, `acsc:map`. +- Documents persisted to Mongo must include ETag/Last-Modified metadata when the source exposes it. +- Canonical advisories must emit aliases (ACSC ID + CVE IDs) and references (official bulletin + vendor notices). + +## In/Out of scope +In scope: +- Initial end-to-end connector implementation with tests, fixtures, and range primitive coverage. +- Minimal telemetry (logging + diagnostics counters) consistent with other connectors. 
+ +Out of scope: +- Upstream remediation automation or vendor-specific enrichment beyond ACSC data. +- Export-related changes (handled by exporter teams). + +## Observability & Security Expectations +- Log key lifecycle events (fetch/page processed, parse success/error counts, mapping stats). +- Sanitise HTML safely and avoid persisting external scripts or embedded media. +- Handle transient fetch failures gracefully with exponential backoff and mark failures in source state. + +## Tests +- Add integration-style tests under `StellaOps.Concelier.Connector.Acsc.Tests` covering fetch/parse/map with canned fixtures. +- Snapshot canonical advisories; provide UPDATE flag flow for regeneration. +- Validate determinism (ordering, casing, timestamps) to satisfy pipeline reproducibility requirements. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs/AGENTS.md index a5c48edf..bfa05f4d 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs/AGENTS.md 
@@ -1,40 +1,51 @@ -# AGENTS -## Role -Build the CCCS (Canadian Centre for Cyber Security) advisories connector so Concelier can ingest national cyber bulletins alongside other vendor/regional sources. - -## Scope -- Research CCCS advisory feeds (RSS/Atom, JSON API, or HTML listings) and define the canonical fetch workflow. -- Implement fetch, parse, and mapping stages with deterministic cursoring and retry/backoff behaviour. -- Normalise advisory content (summary, affected vendors/products, mitigation guidance, references, CVE IDs). -- Emit canonical `Advisory` records with aliases, references, affected packages, and provenance metadata. -- Provide fixtures and regression tests to keep the connector deterministic. - -## Participants -- `Source.Common` (HTTP clients, fetch service, DTO storage helpers). -- `Storage.Mongo` (raw/document/DTO/advisory stores + source state). -- `Concelier.Models` (canonical advisory data structures). -- `Concelier.Testing` (integration fixtures and snapshot utilities). - -## Interfaces & Contracts -- Job kinds: `cccs:fetch`, `cccs:parse`, `cccs:map`. -- Persist ETag/Last-Modified metadata when the upstream supports it. -- Include alias entries for CCCS advisory IDs plus referenced CVE IDs. - -## In/Out of scope -In scope: -- End-to-end connector implementation with range primitive coverage for affected packages. -- Minimal telemetry logging/counters matching other connectors. - -Out of scope: -- Automated remediation actions or vendor-specific enrichment beyond CCCS published data. -- Export or downstream pipeline changes. - -## Observability & Security Expectations -- Log fetch attempts, success/failure counts, and mapping statistics. -- Sanitize HTML safely, dropping scripts/styles before storing DTOs. -- Respect upstream rate limits; mark failures in source state with backoff. - -## Tests -- Add `StellaOps.Concelier.Connector.Cccs.Tests` covering fetch/parse/map with canned fixtures. 
-- Snapshot canonical advisories; support fixture regeneration via env flag. -- Validate deterministic ordering and timestamps to maintain reproducibility. +# AGENTS +## Role +Build the CCCS (Canadian Centre for Cyber Security) advisories connector so Concelier can ingest national cyber bulletins alongside other vendor/regional sources. + +## Scope +- Research CCCS advisory feeds (RSS/Atom, JSON API, or HTML listings) and define the canonical fetch workflow. +- Implement fetch, parse, and mapping stages with deterministic cursoring and retry/backoff behaviour. +- Normalise advisory content (summary, affected vendors/products, mitigation guidance, references, CVE IDs). +- Emit canonical `Advisory` records with aliases, references, affected packages, and provenance metadata. +- Provide fixtures and regression tests to keep the connector deterministic. + +## Participants +- `Source.Common` (HTTP clients, fetch service, DTO storage helpers). +- `Storage.Mongo` (raw/document/DTO/advisory stores + source state). +- `Concelier.Models` (canonical advisory data structures). +- `Concelier.Testing` (integration fixtures and snapshot utilities). + +## Interfaces & Contracts +- Job kinds: `cccs:fetch`, `cccs:parse`, `cccs:map`. +- Persist ETag/Last-Modified metadata when the upstream supports it. +- Include alias entries for CCCS advisory IDs plus referenced CVE IDs. + +## In/Out of scope +In scope: +- End-to-end connector implementation with range primitive coverage for affected packages. +- Minimal telemetry logging/counters matching other connectors. + +Out of scope: +- Automated remediation actions or vendor-specific enrichment beyond CCCS published data. +- Export or downstream pipeline changes. + +## Observability & Security Expectations +- Log fetch attempts, success/failure counts, and mapping statistics. +- Sanitize HTML safely, dropping scripts/styles before storing DTOs. +- Respect upstream rate limits; mark failures in source state with backoff. 
+ +## Tests +- Add `StellaOps.Concelier.Connector.Cccs.Tests` covering fetch/parse/map with canned fixtures. +- Snapshot canonical advisories; support fixture regeneration via env flag. +- Validate deterministic ordering and timestamps to maintain reproducibility. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund/AGENTS.md index cb4debae..bc5f48ff 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund/AGENTS.md 
@@ -1,40 +1,51 @@ -# AGENTS -## Role -Deliver a connector for Germany’s CERT-Bund advisories so Concelier can ingest, normalise, and enrich BSI alerts alongside other national feeds. - -## Scope -- Identify the authoritative CERT-Bund advisory feed(s) (RSS/Atom, JSON, CSV, or HTML). -- Implement fetch/cursor logic with proper windowing, dedupe, and failure backoff. -- Parse advisory detail pages for summary, affected products/vendors, mitigation, and references. -- Map advisories into canonical `Advisory` objects including aliases, references, affected packages, and provenance/range primitives. -- Provide deterministic fixtures and regression tests. - -## Participants -- `Source.Common` (HTTP/fetch utilities, DTO storage). -- `Storage.Mongo` (raw/document/DTO/advisory stores, source state). -- `Concelier.Models` (canonical data model). -- `Concelier.Testing` (integration harness, snapshot utilities). - -## Interfaces & Contracts -- Job kinds: `certbund:fetch`, `certbund:parse`, `certbund:map`. -- Persist upstream metadata (ETag/Last-Modified) if provided. -- Alias set should include CERT-Bund ID and referenced CVE entries. - -## In/Out of scope -In scope: -- End-to-end connector implementation with deterministic tests and range primitive coverage. -- Baseline logging/metrics for pipeline observability. - -Out of scope: -- Non-advisory CERT-Bund digests or newsletters. -- Downstream exporter changes. - -## Observability & Security Expectations -- Log fetch attempts, item counts, and mapping metrics. -- Sanitize HTML thoroughly before persistence. -- Handle transient failures gracefully with exponential backoff and failure records in source state. - -## Tests -- Add `StellaOps.Concelier.Connector.CertBund.Tests` covering fetch/parse/map with canned fixtures. -- Snapshot canonical advisories; support regeneration via environment flag. -- Ensure deterministic ordering, casing, and timestamps. 
+# AGENTS +## Role +Deliver a connector for Germany’s CERT-Bund advisories so Concelier can ingest, normalise, and enrich BSI alerts alongside other national feeds. + +## Scope +- Identify the authoritative CERT-Bund advisory feed(s) (RSS/Atom, JSON, CSV, or HTML). +- Implement fetch/cursor logic with proper windowing, dedupe, and failure backoff. +- Parse advisory detail pages for summary, affected products/vendors, mitigation, and references. +- Map advisories into canonical `Advisory` objects including aliases, references, affected packages, and provenance/range primitives. +- Provide deterministic fixtures and regression tests. + +## Participants +- `Source.Common` (HTTP/fetch utilities, DTO storage). +- `Storage.Mongo` (raw/document/DTO/advisory stores, source state). +- `Concelier.Models` (canonical data model). +- `Concelier.Testing` (integration harness, snapshot utilities). + +## Interfaces & Contracts +- Job kinds: `certbund:fetch`, `certbund:parse`, `certbund:map`. +- Persist upstream metadata (ETag/Last-Modified) if provided. +- Alias set should include CERT-Bund ID and referenced CVE entries. + +## In/Out of scope +In scope: +- End-to-end connector implementation with deterministic tests and range primitive coverage. +- Baseline logging/metrics for pipeline observability. + +Out of scope: +- Non-advisory CERT-Bund digests or newsletters. +- Downstream exporter changes. + +## Observability & Security Expectations +- Log fetch attempts, item counts, and mapping metrics. +- Sanitize HTML thoroughly before persistence. +- Handle transient failures gracefully with exponential backoff and failure records in source state. + +## Tests +- Add `StellaOps.Concelier.Connector.CertBund.Tests` covering fetch/parse/map with canned fixtures. +- Snapshot canonical advisories; support regeneration via environment flag. +- Ensure deterministic ordering, casing, and timestamps. 
+ +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertCc/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertCc/AGENTS.md index 04a62061..cbf77b74 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertCc/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertCc/AGENTS.md 
@@ -1,38 +1,49 @@ -# AGENTS -## Role -Implement the CERT/CC (Carnegie Mellon CERT Coordination Center) advisory connector so Concelier can ingest US CERT coordination bulletins. - -## Scope -- Identify CERT/CC advisory publication format (VU#, blog, RSS, JSON) and define fetch cadence/windowing. -- Implement fetch, parse, and mapping jobs with cursor persistence and dedupe. -- Normalise advisory content (summary, impacted vendors, products, recommended mitigations, CVEs). -- Produce canonical `Advisory` objects including aliases, references, affected packages, and range primitive metadata. -- Supply fixtures and deterministic regression tests. - -## Participants -- `Source.Common` (HTTP/fetch utilities, DTO storage). -- `Storage.Mongo` (raw/document/DTO/advisory stores and state). -- `Concelier.Models` (canonical structures). -- `Concelier.Testing` (integration tests and snapshots). - -## Interfaces & Contracts -- Job kinds: `certcc:fetch`, `certcc:parse`, `certcc:map`. -- Persist upstream caching metadata (ETag/Last-Modified) when available. -- Aliases should capture CERT/CC VU IDs and referenced CVEs. - -## In/Out of scope -In scope: -- End-to-end connector with range primitive instrumentation and telemetry. - -Out of scope: -- ICS-CERT alerts (handled by dedicated connector) or blog posts unrelated to advisories. - -## Observability & Security Expectations -- Log fetch and mapping statistics; surface failures with backoff. -- Sanitise HTML sources before persistence. -- Respect upstream throttling via retry/backoff. - -## Tests -- Add `StellaOps.Concelier.Connector.CertCc.Tests` to cover fetch/parse/map with canned fixtures. -- Snapshot canonical advisories and support UPDATE flag for regeneration. -- Ensure deterministic ordering and timestamp normalisation. +# AGENTS +## Role +Implement the CERT/CC (Carnegie Mellon CERT Coordination Center) advisory connector so Concelier can ingest US CERT coordination bulletins. 
+ +## Scope +- Identify CERT/CC advisory publication format (VU#, blog, RSS, JSON) and define fetch cadence/windowing. +- Implement fetch, parse, and mapping jobs with cursor persistence and dedupe. +- Normalise advisory content (summary, impacted vendors, products, recommended mitigations, CVEs). +- Produce canonical `Advisory` objects including aliases, references, affected packages, and range primitive metadata. +- Supply fixtures and deterministic regression tests. + +## Participants +- `Source.Common` (HTTP/fetch utilities, DTO storage). +- `Storage.Mongo` (raw/document/DTO/advisory stores and state). +- `Concelier.Models` (canonical structures). +- `Concelier.Testing` (integration tests and snapshots). + +## Interfaces & Contracts +- Job kinds: `certcc:fetch`, `certcc:parse`, `certcc:map`. +- Persist upstream caching metadata (ETag/Last-Modified) when available. +- Aliases should capture CERT/CC VU IDs and referenced CVEs. + +## In/Out of scope +In scope: +- End-to-end connector with range primitive instrumentation and telemetry. + +Out of scope: +- ICS-CERT alerts (handled by dedicated connector) or blog posts unrelated to advisories. + +## Observability & Security Expectations +- Log fetch and mapping statistics; surface failures with backoff. +- Sanitise HTML sources before persistence. +- Respect upstream throttling via retry/backoff. + +## Tests +- Add `StellaOps.Concelier.Connector.CertCc.Tests` to cover fetch/parse/map with canned fixtures. +- Snapshot canonical advisories and support UPDATE flag for regeneration. +- Ensure deterministic ordering and timestamp normalisation. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. 
+- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertFr/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertFr/AGENTS.md index 15d9fbd7..a5cdc81d 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertFr/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertFr/AGENTS.md 
@@ -1,27 +1,38 @@ -# AGENTS -## Role -ANSSI CERT-FR advisories connector (avis/alertes) providing national enrichment: advisory metadata, CVE links, mitigation notes, and references. -## Scope -- Harvest CERT-FR items via RSS and/or list pages; follow item pages for detail; window by publish/update date. -- Validate HTML or JSON payloads; extract structured fields; map to canonical aliases, references, severity text. -- Maintain watermarks and de-duplication by content hash; idempotent processing. -## Participants -- Source.Common (HTTP, HTML parsing helpers, validators). -- Storage.Mongo (document, dto, advisory, reference, source_state). -- Models (canonical). -- Core/WebService (jobs: source:certfr:fetch|parse|map). -- Merge engine (later) to enrich only. -## Interfaces & contracts -- Treat CERT-FR as enrichment; never override distro or PSIRT version ranges absent concrete evidence. -- References must include primary bulletin URL and vendor links; tag kind=bulletin/vendor/mitigation appropriately. -- Provenance records cite "cert-fr" with method=parser and source URL. -## In/Out of scope -In: advisory metadata extraction, references, severity text, watermarking. -Out: OVAL or package-level authority. -## Observability & security expectations -- Metrics: SourceDiagnostics emits shared `concelier.source.http.*` counters/histograms tagged `concelier.source=certfr`, covering fetch counts, parse failures, and map activity. -- Logs: feed URL(s), item ids/urls, extraction durations; no PII; allowlist hostnames. -## Tests -- Author and review coverage in `../StellaOps.Concelier.Connector.CertFr.Tests`. -- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. -- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. 
+# AGENTS +## Role +ANSSI CERT-FR advisories connector (avis/alertes) providing national enrichment: advisory metadata, CVE links, mitigation notes, and references. +## Scope +- Harvest CERT-FR items via RSS and/or list pages; follow item pages for detail; window by publish/update date. +- Validate HTML or JSON payloads; extract structured fields; map to canonical aliases, references, severity text. +- Maintain watermarks and de-duplication by content hash; idempotent processing. +## Participants +- Source.Common (HTTP, HTML parsing helpers, validators). +- Storage.Mongo (document, dto, advisory, reference, source_state). +- Models (canonical). +- Core/WebService (jobs: source:certfr:fetch|parse|map). +- Merge engine (later) to enrich only. +## Interfaces & contracts +- Treat CERT-FR as enrichment; never override distro or PSIRT version ranges absent concrete evidence. +- References must include primary bulletin URL and vendor links; tag kind=bulletin/vendor/mitigation appropriately. +- Provenance records cite "cert-fr" with method=parser and source URL. +## In/Out of scope +In: advisory metadata extraction, references, severity text, watermarking. +Out: OVAL or package-level authority. +## Observability & security expectations +- Metrics: SourceDiagnostics emits shared `concelier.source.http.*` counters/histograms tagged `concelier.source=certfr`, covering fetch counts, parse failures, and map activity. +- Logs: feed URL(s), item ids/urls, extraction durations; no PII; allowlist hostnames. +## Tests +- Author and review coverage in `../StellaOps.Concelier.Connector.CertFr.Tests`. +- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. +- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. 
Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertIn/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertIn/AGENTS.md index 4aec2205..cfb80e8b 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertIn/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertIn/AGENTS.md 
@@ -1,28 +1,39 @@ -# AGENTS -## Role -CERT-In national CERT connector; enrichment advisories for India; maps CVE lists, advisory text, mitigations, and references; non-authoritative for package ranges unless explicit evidence is present. -## Scope -- Discover and fetch advisories from the CERT-In portal; window by advisory code/date; follow detail pages. -- Validate HTML or JSON; extract title, summary, CVEs, affected vendor names, mitigations; map references; normalize dates and IDs. -- Persist raw docs and maintain source_state cursor; idempotent mapping. -## Participants -- Source.Common (HTTP, HTML parsing, normalization, validators). -- Storage.Mongo (document, dto, advisory, alias, reference, source_state). -- Models (canonical). -- Core/WebService (jobs: source:certin:fetch|parse|map). -- Merge engine treats CERT-In as enrichment (no override of PSIRT or OVAL without concrete ranges). -## Interfaces & contracts -- Aliases: advisory code if stable (scheme "CERT-IN") and CVE ids; if code is not stable, store as reference only. -- References typed: bulletin/advisory/vendor/mitigation; deduped. -- Affected omitted unless CERT-In publishes explicit version or fix details. -- Provenance: method=parser; value=advisory code or URL; recordedAt. -## In/Out of scope -In: enrichment, aliasing where stable, references, mitigation text. -Out: package range authority; scraping behind auth walls. -## Observability & security expectations -- Metrics: shared `concelier.source.http.*` counters/histograms from SourceDiagnostics tagged `concelier.source=certin` capture fetch volume, parse failures, and map enrich counts. -- Logs: advisory codes, CVE counts per advisory, timing; allowlist host; redact personal data if present. -## Tests -- Author and review coverage in `../StellaOps.Concelier.Connector.CertIn.Tests`. -- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. 
-- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. +# AGENTS +## Role +CERT-In national CERT connector; enrichment advisories for India; maps CVE lists, advisory text, mitigations, and references; non-authoritative for package ranges unless explicit evidence is present. +## Scope +- Discover and fetch advisories from the CERT-In portal; window by advisory code/date; follow detail pages. +- Validate HTML or JSON; extract title, summary, CVEs, affected vendor names, mitigations; map references; normalize dates and IDs. +- Persist raw docs and maintain source_state cursor; idempotent mapping. +## Participants +- Source.Common (HTTP, HTML parsing, normalization, validators). +- Storage.Mongo (document, dto, advisory, alias, reference, source_state). +- Models (canonical). +- Core/WebService (jobs: source:certin:fetch|parse|map). +- Merge engine treats CERT-In as enrichment (no override of PSIRT or OVAL without concrete ranges). +## Interfaces & contracts +- Aliases: advisory code if stable (scheme "CERT-IN") and CVE ids; if code is not stable, store as reference only. +- References typed: bulletin/advisory/vendor/mitigation; deduped. +- Affected omitted unless CERT-In publishes explicit version or fix details. +- Provenance: method=parser; value=advisory code or URL; recordedAt. +## In/Out of scope +In: enrichment, aliasing where stable, references, mitigation text. +Out: package range authority; scraping behind auth walls. +## Observability & security expectations +- Metrics: shared `concelier.source.http.*` counters/histograms from SourceDiagnostics tagged `concelier.source=certin` capture fetch volume, parse failures, and map enrich counts. +- Logs: advisory codes, CVE counts per advisory, timing; allowlist host; redact personal data if present. +## Tests +- Author and review coverage in `../StellaOps.Concelier.Connector.CertIn.Tests`. 
+- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. +- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Common/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Common/AGENTS.md index 52be2af8..1c2e8839 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Common/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Common/AGENTS.md 
@@ -1,31 +1,42 @@ -# AGENTS -## Role -Shared connector toolkit. Provides HTTP clients, retry/backoff, conditional GET (ETag/Last-Modified), schema validation, pagination helpers, clocks, and common DTO utilities for all connectors. -## Scope -- Typed HttpClient registrations with allowlisted hosts and timeouts. -- Request pipeline: retries with jitter, backoff on 429/5xx, rate-limit tracking per source. -- Conditional GET helpers (If-None-Match, If-Modified-Since), window cursors, and pagination iterators. -- Validators: JSON Schema, XML Schema (for example XmlSchemaValidator), and sanitizers. -- Content hashing and raw document capture helpers; metadata extraction (headers, status). -- HTML sanitization, URL normalization, and PDF-to-text extraction utilities for feeds that require cleanup before validation. -## Participants -- Source.* connectors (NVD, Red Hat, JVN, PSIRTs, CERTs, ICS). -- Storage.Mongo (document/dto repositories using shared shapes). -- Core (jobs schedule/trigger for connectors). -- QA (canned HTTP server harness, schema fixtures). -## Interfaces & contracts -- All network calls must pass through configured HttpClient with allowlist and sane timeouts; no direct new HttpClient(). -- Validators return detailed errors; invalid payloads quarantined and not mapped. -- Cursor helpers implement sliding windows and ID-based pagination; rely on IClock/TimeProvider for determinism. -- Strict provenance tags for extraction method: parser, oval, package.nevra, llm (gated). -## In/Out of scope -In: HTTP plumbing, validators, cursor/backoff utilities, hashing. -Out: connector-specific schemas/mapping rules, merge precedence. -## Observability & security expectations -- Metrics: SourceDiagnostics publishes `concelier.source.http.*` counters/histograms tagged with `concelier.source=` plus retries/failures; connector dashboards slice on that tag instead of bespoke metric names. -- Logs include uri, status, retries, etag; redact tokens and auth headers. 
-- Distributed tracing hooks and per-connector counters should be wired centrally for consistent observability. -## Tests -- Author and review coverage in `../StellaOps.Concelier.Connector.Common.Tests`. -- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. -- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. +# AGENTS +## Role +Shared connector toolkit. Provides HTTP clients, retry/backoff, conditional GET (ETag/Last-Modified), schema validation, pagination helpers, clocks, and common DTO utilities for all connectors. +## Scope +- Typed HttpClient registrations with allowlisted hosts and timeouts. +- Request pipeline: retries with jitter, backoff on 429/5xx, rate-limit tracking per source. +- Conditional GET helpers (If-None-Match, If-Modified-Since), window cursors, and pagination iterators. +- Validators: JSON Schema, XML Schema (for example XmlSchemaValidator), and sanitizers. +- Content hashing and raw document capture helpers; metadata extraction (headers, status). +- HTML sanitization, URL normalization, and PDF-to-text extraction utilities for feeds that require cleanup before validation. +## Participants +- Source.* connectors (NVD, Red Hat, JVN, PSIRTs, CERTs, ICS). +- Storage.Mongo (document/dto repositories using shared shapes). +- Core (jobs schedule/trigger for connectors). +- QA (canned HTTP server harness, schema fixtures). +## Interfaces & contracts +- All network calls must pass through configured HttpClient with allowlist and sane timeouts; no direct new HttpClient(). +- Validators return detailed errors; invalid payloads quarantined and not mapped. +- Cursor helpers implement sliding windows and ID-based pagination; rely on IClock/TimeProvider for determinism. +- Strict provenance tags for extraction method: parser, oval, package.nevra, llm (gated). +## In/Out of scope +In: HTTP plumbing, validators, cursor/backoff utilities, hashing. 
+Out: connector-specific schemas/mapping rules, merge precedence. +## Observability & security expectations +- Metrics: SourceDiagnostics publishes `concelier.source.http.*` counters/histograms tagged with `concelier.source=` plus retries/failures; connector dashboards slice on that tag instead of bespoke metric names. +- Logs include uri, status, retries, etag; redact tokens and auth headers. +- Distributed tracing hooks and per-connector counters should be wired centrally for consistent observability. +## Tests +- Author and review coverage in `../StellaOps.Concelier.Connector.Common.Tests`. +- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. +- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cve/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cve/AGENTS.md index a1ff634d..2b07a147 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cve/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cve/AGENTS.md 
@@ -1,38 +1,49 @@ -# AGENTS -## Role -Create a dedicated CVE connector when we need raw CVE stream ingestion outside of NVD/OSV/National feeds (e.g., CVE JSON 5 API or CNA disclosures). - -## Scope -- Determine whether this connector should consume the official CVE JSON 5 API, CNA disclosures, or another stream. -- Implement fetch/windowing aligned with CVE publication cadence; manage cursors for incremental backfills. -- Parse CVE payloads into DTOs capturing descriptions, affected vendors/products, references, and metrics. -- Map CVEs into canonical `Advisory` records (aliases, references, affected packages, range primitives). -- Deliver deterministic fixtures/tests for fetch/parse/map lifecycle. - -## Participants -- `Source.Common` (HTTP/fetch utilities, DTO storage). -- `Storage.Mongo` (raw/document/DTO/advisory stores & source state). -- `Concelier.Models` (canonical data model). -- `Concelier.Testing` (integration fixtures, snapshot helpers). - -## Interfaces & Contracts -- Job kinds: `cve:fetch`, `cve:parse`, `cve:map`. -- Persist upstream metadata (e.g., `If-Modified-Since`, `cveMetadataDate`) for incremental fetching. -- Aliases must include primary CVE ID along with CNA-specific identifiers when available. - -## In/Out of scope -In scope: -- Core pipeline for CVE ingestion with provenance/range primitives. - -Out of scope: -- Downstream impact scoring or enrichment (handled by other teams). - -## Observability & Security Expectations -- Log fetch batch sizes, update timestamps, and mapping counts. -- Handle rate limits politely with exponential backoff. -- Sanitize and validate payloads before persistence. - -## Tests -- Add `StellaOps.Concelier.Connector.Cve.Tests` with canned CVE JSON fixtures covering fetch/parse/map. -- Snapshot canonical advisories; include env flag for fixture regeneration. -- Ensure deterministic ordering and timestamp handling. 
+# AGENTS +## Role +Create a dedicated CVE connector when we need raw CVE stream ingestion outside of NVD/OSV/National feeds (e.g., CVE JSON 5 API or CNA disclosures). + +## Scope +- Determine whether this connector should consume the official CVE JSON 5 API, CNA disclosures, or another stream. +- Implement fetch/windowing aligned with CVE publication cadence; manage cursors for incremental backfills. +- Parse CVE payloads into DTOs capturing descriptions, affected vendors/products, references, and metrics. +- Map CVEs into canonical `Advisory` records (aliases, references, affected packages, range primitives). +- Deliver deterministic fixtures/tests for fetch/parse/map lifecycle. + +## Participants +- `Source.Common` (HTTP/fetch utilities, DTO storage). +- `Storage.Mongo` (raw/document/DTO/advisory stores & source state). +- `Concelier.Models` (canonical data model). +- `Concelier.Testing` (integration fixtures, snapshot helpers). + +## Interfaces & Contracts +- Job kinds: `cve:fetch`, `cve:parse`, `cve:map`. +- Persist upstream metadata (e.g., `If-Modified-Since`, `cveMetadataDate`) for incremental fetching. +- Aliases must include primary CVE ID along with CNA-specific identifiers when available. + +## In/Out of scope +In scope: +- Core pipeline for CVE ingestion with provenance/range primitives. + +Out of scope: +- Downstream impact scoring or enrichment (handled by other teams). + +## Observability & Security Expectations +- Log fetch batch sizes, update timestamps, and mapping counts. +- Handle rate limits politely with exponential backoff. +- Sanitize and validate payloads before persistence. + +## Tests +- Add `StellaOps.Concelier.Connector.Cve.Tests` with canned CVE JSON fixtures covering fetch/parse/map. +- Snapshot canonical advisories; include env flag for fixture regeneration. +- Ensure deterministic ordering and timestamp handling. 
+ +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.RedHat/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.RedHat/AGENTS.md index 0394fed9..2d50cd12 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.RedHat/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.RedHat/AGENTS.md 
@@ -1,27 +1,38 @@ -# AGENTS -## Role -Red Hat distro connector (Security Data API and OVAL) providing authoritative OS package ranges (RPM NEVRA) and RHSA metadata; overrides generic registry ranges during merge. -## Scope -- Fetch Security Data JSON (for example CVRF) via Hydra; window by last_modified or after cursor; optionally ingest OVAL definitions. -- Validate payloads; parse advisories, CVEs, affected packages; materialize NEVRA and CPE records. -- Map to canonical advisories with affected Type=rpm/cpe, fixedBy NEVRA, RHSA aliasing; persist provenance indicating oval/package.nevra. -## Participants -- Source.Common (HTTP, throttling, validators). -- Storage.Mongo (document, dto, advisory, alias, affected, reference, source_state). -- Models (canonical Affected with NEVRA). -- Core/WebService (jobs: source:redhat:fetch|parse|map) already registered. -- Merge engine to enforce distro precedence (OVAL or PSIRT greater than NVD). -## Interfaces & contracts -- Aliases: RHSA-YYYY:NNNN, CVE ids; references include RHSA pages, errata, OVAL links. -- Affected: rpm (Identifier=NEVRA key) and cpe entries; versions include introduced/fixed/fixedBy; platforms mark RHEL streams. -- Provenance: kind="oval" or "package.nevra" as applicable; value=definition id or package. -## In/Out of scope -In: authoritative rpm ranges, RHSA mapping, OVAL interpretation, watermarking. -Out: building RPM artifacts; cross-distro reconciliation beyond Red Hat. -## Observability & security expectations -- Metrics: SourceDiagnostics publishes `concelier.source.http.*` counters/histograms tagged `concelier.source=redhat`, capturing fetch volumes, parse/OVAL failures, and map affected counts without bespoke metric names. -- Logs: cursor bounds, advisory ids, NEVRA counts; allowlist Red Hat endpoints. -## Tests -- Author and review coverage in `../StellaOps.Concelier.Connector.Distro.RedHat.Tests`. 
-- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. -- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. +# AGENTS +## Role +Red Hat distro connector (Security Data API and OVAL) providing authoritative OS package ranges (RPM NEVRA) and RHSA metadata; overrides generic registry ranges during merge. +## Scope +- Fetch Security Data JSON (for example CVRF) via Hydra; window by last_modified or after cursor; optionally ingest OVAL definitions. +- Validate payloads; parse advisories, CVEs, affected packages; materialize NEVRA and CPE records. +- Map to canonical advisories with affected Type=rpm/cpe, fixedBy NEVRA, RHSA aliasing; persist provenance indicating oval/package.nevra. +## Participants +- Source.Common (HTTP, throttling, validators). +- Storage.Mongo (document, dto, advisory, alias, affected, reference, source_state). +- Models (canonical Affected with NEVRA). +- Core/WebService (jobs: source:redhat:fetch|parse|map) already registered. +- Merge engine to enforce distro precedence (OVAL or PSIRT greater than NVD). +## Interfaces & contracts +- Aliases: RHSA-YYYY:NNNN, CVE ids; references include RHSA pages, errata, OVAL links. +- Affected: rpm (Identifier=NEVRA key) and cpe entries; versions include introduced/fixed/fixedBy; platforms mark RHEL streams. +- Provenance: kind="oval" or "package.nevra" as applicable; value=definition id or package. +## In/Out of scope +In: authoritative rpm ranges, RHSA mapping, OVAL interpretation, watermarking. +Out: building RPM artifacts; cross-distro reconciliation beyond Red Hat. +## Observability & security expectations +- Metrics: SourceDiagnostics publishes `concelier.source.http.*` counters/histograms tagged `concelier.source=redhat`, capturing fetch volumes, parse/OVAL failures, and map affected counts without bespoke metric names. 
+- Logs: cursor bounds, advisory ids, NEVRA counts; allowlist Red Hat endpoints. +## Tests +- Author and review coverage in `../StellaOps.Concelier.Connector.Distro.RedHat.Tests`. +- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. +- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.Ubuntu/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.Ubuntu/AGENTS.md new file mode 100644 index 00000000..f26909cf --- /dev/null +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.Ubuntu/AGENTS.md 
@@ -0,0 +1,25 @@ +# Concelier Ubuntu Connector Charter + +## Mission +Implement and maintain the Ubuntu security advisory connector that ingests CVE/USN data into Concelier under the Aggregation-Only Contract (AOC). The connector must capture provenance, version semantics (NEVRA/EVR), and metadata required by downstream policy, export, and AI components while remaining deterministic and offline-friendly. + +## Scope +- Connector fetchers/parsers within `StellaOps.Concelier.Connector.Distro.Ubuntu`. +- Mirroring support for offline kits (bundle import/export). +- Schema updates and fixtures ensuring AOC compliance. +- Unit/integration tests validating deterministic ingestion. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/ingestion/aggregation-only-contract.md` +- `docs/modules/concelier/operations/connectors/osv.md` (reference style & guardrails) +- `docs/modules/concelier/operations/mirror.md` (offline mirroring requirements) +- Ubuntu advisory format references linked from sprint notes (tasks should include source URLs). + +## Working Agreement +1. **Status sync**: switch task state to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and `TASKS.md` before/after work. +2. **AOC adherence**: never derive severity or merge fields; store raw documents with provenance (`source`, `upstream`, `content`, `linkset`, `supersedes`). +3. **Deterministic parsing**: normalise timestamps to UTC ISO-8601, sort arrays, stabilise JSON output. +4. **Offline readiness**: ensure mirroring path works (no live network unless configured), document bundle usage. +5. **Testing**: extend fixtures covering typical, superseding, and edge-case advisories; run connector integration suite. +6. **Documentation**: update connector operations docs (add Ubuntu section under `docs/modules/concelier/operations/connectors/`) when formats or configuration change. 
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ghsa/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ghsa/AGENTS.md index be116480..a2642568 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ghsa/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ghsa/AGENTS.md 
@@ -1,39 +1,50 @@ -# AGENTS -## Role -Implement a connector for GitHub Security Advisories (GHSA) when we need to ingest GHSA content directly (instead of crosswalking via OSV/NVD). - -## Scope -- Determine the optimal GHSA data source (GraphQL API, REST, or ecosystem export) and required authentication. -- Implement fetch logic with pagination, updated-since filtering, and cursor persistence. -- Parse GHSA records (identifiers, summaries, affected packages, versions, references, severity). -- Map advisories into canonical `Advisory` objects with aliases, references, affected packages, and range primitives. -- Provide deterministic fixtures and regression tests for the full pipeline. - -## Participants -- `Source.Common` (HTTP clients, fetch service, DTO storage). -- `Storage.Mongo` (raw/document/DTO/advisory stores and source state). -- `Concelier.Models` (canonical advisory types). -- `Concelier.Testing` (integration harness, snapshot helpers). - -## Interfaces & Contracts -- Job kinds: `ghsa:fetch`, `ghsa:parse`, `ghsa:map`. -- Support GitHub API authentication & rate limiting (token, retry/backoff). -- Alias set must include GHSA IDs and linked CVE IDs. - -## In/Out of scope -In scope: -- Full GHSA connector implementation with range primitives and provenance instrumentation. - -Out of scope: -- Repo-specific advisory ingest (handled via GitHub repo exports). -- Downstream ecosystem-specific enrichments. - -## Observability & Security Expectations -- Log fetch pagination, throttling, and mapping stats. -- Handle GitHub API rate limits with exponential backoff and `Retry-After`. -- Sanitize/validate payloads before persistence. - -## Tests -- Add `StellaOps.Concelier.Connector.Ghsa.Tests` with canned GraphQL/REST fixtures. -- Snapshot canonical advisories; enable fixture regeneration with env flag. -- Confirm deterministic ordering/time normalisation. 
+# AGENTS +## Role +Implement a connector for GitHub Security Advisories (GHSA) when we need to ingest GHSA content directly (instead of crosswalking via OSV/NVD). + +## Scope +- Determine the optimal GHSA data source (GraphQL API, REST, or ecosystem export) and required authentication. +- Implement fetch logic with pagination, updated-since filtering, and cursor persistence. +- Parse GHSA records (identifiers, summaries, affected packages, versions, references, severity). +- Map advisories into canonical `Advisory` objects with aliases, references, affected packages, and range primitives. +- Provide deterministic fixtures and regression tests for the full pipeline. + +## Participants +- `Source.Common` (HTTP clients, fetch service, DTO storage). +- `Storage.Mongo` (raw/document/DTO/advisory stores and source state). +- `Concelier.Models` (canonical advisory types). +- `Concelier.Testing` (integration harness, snapshot helpers). + +## Interfaces & Contracts +- Job kinds: `ghsa:fetch`, `ghsa:parse`, `ghsa:map`. +- Support GitHub API authentication & rate limiting (token, retry/backoff). +- Alias set must include GHSA IDs and linked CVE IDs. + +## In/Out of scope +In scope: +- Full GHSA connector implementation with range primitives and provenance instrumentation. + +Out of scope: +- Repo-specific advisory ingest (handled via GitHub repo exports). +- Downstream ecosystem-specific enrichments. + +## Observability & Security Expectations +- Log fetch pagination, throttling, and mapping stats. +- Handle GitHub API rate limits with exponential backoff and `Retry-After`. +- Sanitize/validate payloads before persistence. + +## Tests +- Add `StellaOps.Concelier.Connector.Ghsa.Tests` with canned GraphQL/REST fixtures. +- Snapshot canonical advisories; enable fixture regeneration with env flag. +- Confirm deterministic ordering/time normalisation. 
+ +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Cisa/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Cisa/AGENTS.md index b9fa7005..41dde7fe 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Cisa/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Cisa/AGENTS.md 
@@ -1,39 +1,50 @@ -# AGENTS -## Role -Implement the CISA ICS advisory connector to ingest US CISA Industrial Control Systems advisories (distinct from the general CERT feed). - -## Scope -- Locate the official CISA ICS advisory feed/API (currently HTML/RSS) and define fetch cadence/windowing. -- Build fetch/cursor pipeline with retry/backoff and raw document storage. -- Parse advisory content for summary, impacted vendors/products, mitigation, CVEs. -- Map advisories into canonical `Advisory` records with aliases, references, affected ICS packages, and range primitives. -- Provide deterministic fixtures and automated regression tests. - -## Participants -- `Source.Common` (HTTP/fetch utilities, DTO storage). -- `Storage.Mongo` (raw/document/DTO/advisory stores + source state). -- `Concelier.Models` (canonical advisory structures). -- `Concelier.Testing` (integration fixtures and snapshots). - -## Interfaces & Contracts -- Job kinds: `ics-cisa:fetch`, `ics-cisa:parse`, `ics-cisa:map`. -- Persist upstream caching metadata (ETag/Last-Modified) when available. -- Alias set should include CISA ICS advisory IDs and referenced CVE IDs. - -## In/Out of scope -In scope: -- ICS-specific advisories from CISA. -- Range primitives capturing vendor/equipment metadata. - -Out of scope: -- General CISA alerts (covered elsewhere). - -## Observability & Security Expectations -- Log fetch attempts, advisory counts, and mapping results. -- Sanitize HTML, removing scripts/styles before persistence. -- Honour upstream rate limits with exponential backoff. - -## Tests -- Add `StellaOps.Concelier.Connector.Ics.Cisa.Tests` to cover fetch/parse/map with canned fixtures. -- Snapshot canonical advisories; support fixture regeneration via env flag. -- Ensure deterministic ordering/time normalisation. +# AGENTS +## Role +Implement the CISA ICS advisory connector to ingest US CISA Industrial Control Systems advisories (distinct from the general CERT feed). 
+ +## Scope +- Locate the official CISA ICS advisory feed/API (currently HTML/RSS) and define fetch cadence/windowing. +- Build fetch/cursor pipeline with retry/backoff and raw document storage. +- Parse advisory content for summary, impacted vendors/products, mitigation, CVEs. +- Map advisories into canonical `Advisory` records with aliases, references, affected ICS packages, and range primitives. +- Provide deterministic fixtures and automated regression tests. + +## Participants +- `Source.Common` (HTTP/fetch utilities, DTO storage). +- `Storage.Mongo` (raw/document/DTO/advisory stores + source state). +- `Concelier.Models` (canonical advisory structures). +- `Concelier.Testing` (integration fixtures and snapshots). + +## Interfaces & Contracts +- Job kinds: `ics-cisa:fetch`, `ics-cisa:parse`, `ics-cisa:map`. +- Persist upstream caching metadata (ETag/Last-Modified) when available. +- Alias set should include CISA ICS advisory IDs and referenced CVE IDs. + +## In/Out of scope +In scope: +- ICS-specific advisories from CISA. +- Range primitives capturing vendor/equipment metadata. + +Out of scope: +- General CISA alerts (covered elsewhere). + +## Observability & Security Expectations +- Log fetch attempts, advisory counts, and mapping results. +- Sanitize HTML, removing scripts/styles before persistence. +- Honour upstream rate limits with exponential backoff. + +## Tests +- Add `StellaOps.Concelier.Connector.Ics.Cisa.Tests` to cover fetch/parse/map with canned fixtures. +- Snapshot canonical advisories; support fixture regeneration via env flag. +- Ensure deterministic ordering/time normalisation. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. 
Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Kaspersky/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Kaspersky/AGENTS.md index ed709759..adcfb42f 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Kaspersky/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Kaspersky/AGENTS.md 
@@ -1,28 +1,39 @@ -# AGENTS -## Role -Kaspersky ICS-CERT connector; authoritative for OT/ICS vendor advisories covered by Kaspersky ICS-CERT; maps affected products as ICS domain entities with platform tags. -## Scope -- Discover/fetch advisories list; window by publish date or slug; fetch detail pages; handle pagination. -- Validate HTML or JSON; extract CVEs, affected OT vendors/models/families, mitigations; normalize product taxonomy; map fixed versions if present. -- Persist raw docs with sha256; maintain source_state; idempotent mapping. -## Participants -- Source.Common (HTTP, HTML helpers, validators). -- Storage.Mongo (document, dto, advisory, alias, affected, reference, source_state). -- Models (canonical; affected.platform="ics-vendor", tags for device families). -- Core/WebService (jobs: source:ics-kaspersky:fetch|parse|map). -- Merge engine respects ICS vendor authority for OT impact. -## Interfaces & contracts -- Aliases: CVE ids; if stable ICS-CERT advisory id exists, store scheme "ICS-KASP". -- Affected: Type=vendor; Vendor/Product populated; platforms/tags for device family or firmware line; versions with fixedBy when explicit. -- References: advisory, vendor pages, mitigation guides; typed; deduped. -- Provenance: method=parser; value=advisory slug. -## In/Out of scope -In: ICS advisory mapping, affected vendor products, mitigation references. -Out: firmware downloads; reverse-engineering artifacts. -## Observability & security expectations -- Metrics: SourceDiagnostics publishes `concelier.source.http.*` counters/histograms with `concelier.source=ics-kaspersky` to track fetch totals, parse failures, and mapped affected counts. -- Logs: slugs, vendor/product counts, timing; allowlist host. -## Tests -- Author and review coverage in `../StellaOps.Concelier.Connector.Ics.Kaspersky.Tests`. -- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. 
-- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. +# AGENTS +## Role +Kaspersky ICS-CERT connector; authoritative for OT/ICS vendor advisories covered by Kaspersky ICS-CERT; maps affected products as ICS domain entities with platform tags. +## Scope +- Discover/fetch advisories list; window by publish date or slug; fetch detail pages; handle pagination. +- Validate HTML or JSON; extract CVEs, affected OT vendors/models/families, mitigations; normalize product taxonomy; map fixed versions if present. +- Persist raw docs with sha256; maintain source_state; idempotent mapping. +## Participants +- Source.Common (HTTP, HTML helpers, validators). +- Storage.Mongo (document, dto, advisory, alias, affected, reference, source_state). +- Models (canonical; affected.platform="ics-vendor", tags for device families). +- Core/WebService (jobs: source:ics-kaspersky:fetch|parse|map). +- Merge engine respects ICS vendor authority for OT impact. +## Interfaces & contracts +- Aliases: CVE ids; if stable ICS-CERT advisory id exists, store scheme "ICS-KASP". +- Affected: Type=vendor; Vendor/Product populated; platforms/tags for device family or firmware line; versions with fixedBy when explicit. +- References: advisory, vendor pages, mitigation guides; typed; deduped. +- Provenance: method=parser; value=advisory slug. +## In/Out of scope +In: ICS advisory mapping, affected vendor products, mitigation references. +Out: firmware downloads; reverse-engineering artifacts. +## Observability & security expectations +- Metrics: SourceDiagnostics publishes `concelier.source.http.*` counters/histograms with `concelier.source=ics-kaspersky` to track fetch totals, parse failures, and mapped affected counts. +- Logs: slugs, vendor/product counts, timing; allowlist host. +## Tests +- Author and review coverage in `../StellaOps.Concelier.Connector.Ics.Kaspersky.Tests`. 
+- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. +- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Jvn/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Jvn/AGENTS.md index 38e3f736..18c6a4d3 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Jvn/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Jvn/AGENTS.md 
@@ -1,29 +1,40 @@ -# AGENTS -## Role -Japan JVN/MyJVN connector; national CERT enrichment with strong identifiers (JVNDB) and vendor status; authoritative only where concrete package evidence exists; otherwise enriches text, severity, references, and aliases. -## Scope -- Fetch JVNRSS (overview) and VULDEF (detail) via MyJVN API; window by dateFirstPublished/dateLastUpdated; paginate; respect rate limits. -- Validate XML or JSON payloads; normalize titles, CVEs, JVNDB ids, vendor status, categories; map references and severity text; attach jp_flags. -- Persist raw docs with sha256 and headers; manage source_state cursor; idempotent parse/map. -## Participants -- Source.Common (HTTP, pagination, XML or XSD validators, retries/backoff). -- Storage.Mongo (document, dto, advisory, alias, affected (when concrete), reference, jp_flags, source_state). -- Models (canonical Advisory/Affected/Provenance). -- Core/WebService (jobs: source:jvn:fetch|parse|map). -- Merge engine applies enrichment precedence (does not override distro or PSIRT ranges unless JVN gives explicit package truth). -## Interfaces & contracts -- Aliases include JVNDB-YYYY-NNNNN and CVE ids; scheme "JVNDB". -- jp_flags: { jvndb_id, jvn_category, vendor_status }. -- References typed: advisory/vendor/bulletin; URLs normalized and deduped. -- Affected only when VULDEF gives concrete coordinates; otherwise omit. -- Provenance: method=parser; kind=api; value=endpoint plus query window; recordedAt=fetched time. -## In/Out of scope -In: JVN/MyJVN ingestion, aliases, jp_flags, enrichment mapping, watermarking. -Out: overriding distro or PSIRT ranges without concrete evidence; scraping unofficial mirrors. -## Observability & security expectations -- Metrics: SourceDiagnostics emits `concelier.source.http.*` counters/histograms tagged `concelier.source=jvn`, enabling dashboards to track fetch requests, item counts, parse failures, and enrichment/map activity (including jp_flags) via tag filters. 
-- Logs: window bounds, jvndb ids processed, vendor_status distribution; redact API keys. -## Tests -- Author and review coverage in `../StellaOps.Concelier.Connector.Jvn.Tests`. -- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. -- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. +# AGENTS +## Role +Japan JVN/MyJVN connector; national CERT enrichment with strong identifiers (JVNDB) and vendor status; authoritative only where concrete package evidence exists; otherwise enriches text, severity, references, and aliases. +## Scope +- Fetch JVNRSS (overview) and VULDEF (detail) via MyJVN API; window by dateFirstPublished/dateLastUpdated; paginate; respect rate limits. +- Validate XML or JSON payloads; normalize titles, CVEs, JVNDB ids, vendor status, categories; map references and severity text; attach jp_flags. +- Persist raw docs with sha256 and headers; manage source_state cursor; idempotent parse/map. +## Participants +- Source.Common (HTTP, pagination, XML or XSD validators, retries/backoff). +- Storage.Mongo (document, dto, advisory, alias, affected (when concrete), reference, jp_flags, source_state). +- Models (canonical Advisory/Affected/Provenance). +- Core/WebService (jobs: source:jvn:fetch|parse|map). +- Merge engine applies enrichment precedence (does not override distro or PSIRT ranges unless JVN gives explicit package truth). +## Interfaces & contracts +- Aliases include JVNDB-YYYY-NNNNN and CVE ids; scheme "JVNDB". +- jp_flags: { jvndb_id, jvn_category, vendor_status }. +- References typed: advisory/vendor/bulletin; URLs normalized and deduped. +- Affected only when VULDEF gives concrete coordinates; otherwise omit. +- Provenance: method=parser; kind=api; value=endpoint plus query window; recordedAt=fetched time. +## In/Out of scope +In: JVN/MyJVN ingestion, aliases, jp_flags, enrichment mapping, watermarking. 
+Out: overriding distro or PSIRT ranges without concrete evidence; scraping unofficial mirrors. +## Observability & security expectations +- Metrics: SourceDiagnostics emits `concelier.source.http.*` counters/histograms tagged `concelier.source=jvn`, enabling dashboards to track fetch requests, item counts, parse failures, and enrichment/map activity (including jp_flags) via tag filters. +- Logs: window bounds, jvndb ids processed, vendor_status distribution; redact API keys. +## Tests +- Author and review coverage in `../StellaOps.Concelier.Connector.Jvn.Tests`. +- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. +- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kev/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kev/AGENTS.md index 4b238198..6e155209 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kev/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kev/AGENTS.md 
@@ -1,44 +1,55 @@ -# AGENTS -## Role -Implement the CISA Known Exploited Vulnerabilities (KEV) catalogue connector to ingest KEV entries for enrichment and policy checks. - -## Scope -- Integrate with the official KEV JSON feed; understand schema, update cadence, and pagination (if any). -- Implement fetch job with incremental updates, checksum validation, and cursor persistence. -- Parse KEV entries (CVE ID, vendor/product, required actions, due dates). -- Map entries into canonical `Advisory` (or augmentation) records with aliases, references, affected packages, and range primitives capturing enforcement metadata. -- Deliver deterministic fixtures and regression tests. - -## Participants -- `Source.Common` (HTTP client, fetch service, DTO storage). -- `Storage.Mongo` (raw/document/DTO/advisory stores, source state). -- `Concelier.Models` (advisory + range primitive types). -- `Concelier.Testing` (integration fixtures & snapshots). - -## Interfaces & Contracts -- Job kinds: `kev:fetch`, `kev:parse`, `kev:map`. -- Persist upstream `catalogLastUpdated` / ETag to detect changes. -- Alias list must include CVE ID; references should point to CISA KEV listing and vendor advisories. - -## In/Out of scope -In scope: -- KEV feed ingestion and canonical mapping. -- Range primitives capturing remediation due dates or vendor requirements. - -Out of scope: -- Compliance policy enforcement (handled elsewhere). - -## Observability & Security Expectations -- Log fetch timestamps, updated entry counts, and mapping stats. -- Handle data anomalies and record failures with backoff. -- Validate JSON payloads before persistence. -- Structured informational logs should surface the catalog version, release timestamp, and advisory counts for each successful parse/map cycle. - -## Operational Notes -- HTTP allowlist is limited to `www.cisa.gov`; operators should mirror / proxy that hostname for air-gapped deployments. 
-- CISA publishes KEV updates daily (catalogVersion follows `yyyy.MM.dd`). Expect releases near 16:30–17:00 UTC and retain overlap when scheduling fetches. - -## Tests -- Add `StellaOps.Concelier.Connector.Kev.Tests` covering fetch/parse/map with KEV JSON fixtures. -- Snapshot canonical output; allow fixture regeneration via env flag. -- Ensure deterministic ordering/time normalisation. +# AGENTS +## Role +Implement the CISA Known Exploited Vulnerabilities (KEV) catalogue connector to ingest KEV entries for enrichment and policy checks. + +## Scope +- Integrate with the official KEV JSON feed; understand schema, update cadence, and pagination (if any). +- Implement fetch job with incremental updates, checksum validation, and cursor persistence. +- Parse KEV entries (CVE ID, vendor/product, required actions, due dates). +- Map entries into canonical `Advisory` (or augmentation) records with aliases, references, affected packages, and range primitives capturing enforcement metadata. +- Deliver deterministic fixtures and regression tests. + +## Participants +- `Source.Common` (HTTP client, fetch service, DTO storage). +- `Storage.Mongo` (raw/document/DTO/advisory stores, source state). +- `Concelier.Models` (advisory + range primitive types). +- `Concelier.Testing` (integration fixtures & snapshots). + +## Interfaces & Contracts +- Job kinds: `kev:fetch`, `kev:parse`, `kev:map`. +- Persist upstream `catalogLastUpdated` / ETag to detect changes. +- Alias list must include CVE ID; references should point to CISA KEV listing and vendor advisories. + +## In/Out of scope +In scope: +- KEV feed ingestion and canonical mapping. +- Range primitives capturing remediation due dates or vendor requirements. + +Out of scope: +- Compliance policy enforcement (handled elsewhere). + +## Observability & Security Expectations +- Log fetch timestamps, updated entry counts, and mapping stats. +- Handle data anomalies and record failures with backoff. 
+- Validate JSON payloads before persistence. +- Structured informational logs should surface the catalog version, release timestamp, and advisory counts for each successful parse/map cycle. + +## Operational Notes +- HTTP allowlist is limited to `www.cisa.gov`; operators should mirror / proxy that hostname for air-gapped deployments. +- CISA publishes KEV updates daily (catalogVersion follows `yyyy.MM.dd`). Expect releases near 16:30–17:00 UTC and retain overlap when scheduling fetches. + +## Tests +- Add `StellaOps.Concelier.Connector.Kev.Tests` covering fetch/parse/map with KEV JSON fixtures. +- Snapshot canonical output; allow fixture regeneration via env flag. +- Ensure deterministic ordering/time normalisation. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kisa/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kisa/AGENTS.md index 71465b95..2b6cca1c 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kisa/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kisa/AGENTS.md 
@@ -1,38 +1,49 @@ -# AGENTS -## Role -Deliver the KISA (Korea Internet & Security Agency) advisory connector to ingest Korean vulnerability alerts for Concelier’s regional coverage. - -## Scope -- Identify KISA’s advisory feeds (RSS/Atom, JSON, HTML) and determine localisation requirements (Korean language parsing). -- Implement fetch/cursor logic with retry/backoff, handling authentication if required. -- Parse advisory content to extract summary, affected vendors/products, mitigation steps, CVEs, references. -- Map advisories into canonical `Advisory` records with aliases, references, affected packages, and range primitives (including vendor/language metadata). -- Provide deterministic fixtures and regression tests. - -## Participants -- `Source.Common` (HTTP/fetch utilities, DTO storage). -- `Storage.Mongo` (raw/document/DTO/advisory stores, source state). -- `Concelier.Models` (canonical data structures). -- `Concelier.Testing` (integration fixtures and snapshots). - -## Interfaces & Contracts -- Job kinds: `kisa:fetch`, `kisa:parse`, `kisa:map`. -- Persist upstream caching metadata (e.g., ETag/Last-Modified) when available. -- Alias set should include KISA advisory identifiers and CVE IDs. - -## In/Out of scope -In scope: -- Advisory ingestion, translation/normalisation, range primitives. - -Out of scope: -- Automated Korean↔English translations beyond summary normalization (unless required for canonical fields). - -## Observability & Security Expectations -- Log fetch and mapping metrics; record failures with backoff. -- Sanitise HTML, removing scripts/styles. -- Handle character encoding (UTF-8/Korean) correctly. - -## Tests -- Add `StellaOps.Concelier.Connector.Kisa.Tests` covering fetch/parse/map with Korean-language fixtures. -- Snapshot canonical advisories; support fixture regeneration via env flag. -- Ensure deterministic ordering/time normalisation. 
+# AGENTS +## Role +Deliver the KISA (Korea Internet & Security Agency) advisory connector to ingest Korean vulnerability alerts for Concelier’s regional coverage. + +## Scope +- Identify KISA’s advisory feeds (RSS/Atom, JSON, HTML) and determine localisation requirements (Korean language parsing). +- Implement fetch/cursor logic with retry/backoff, handling authentication if required. +- Parse advisory content to extract summary, affected vendors/products, mitigation steps, CVEs, references. +- Map advisories into canonical `Advisory` records with aliases, references, affected packages, and range primitives (including vendor/language metadata). +- Provide deterministic fixtures and regression tests. + +## Participants +- `Source.Common` (HTTP/fetch utilities, DTO storage). +- `Storage.Mongo` (raw/document/DTO/advisory stores, source state). +- `Concelier.Models` (canonical data structures). +- `Concelier.Testing` (integration fixtures and snapshots). + +## Interfaces & Contracts +- Job kinds: `kisa:fetch`, `kisa:parse`, `kisa:map`. +- Persist upstream caching metadata (e.g., ETag/Last-Modified) when available. +- Alias set should include KISA advisory identifiers and CVE IDs. + +## In/Out of scope +In scope: +- Advisory ingestion, translation/normalisation, range primitives. + +Out of scope: +- Automated Korean↔English translations beyond summary normalization (unless required for canonical fields). + +## Observability & Security Expectations +- Log fetch and mapping metrics; record failures with backoff. +- Sanitise HTML, removing scripts/styles. +- Handle character encoding (UTF-8/Korean) correctly. + +## Tests +- Add `StellaOps.Concelier.Connector.Kisa.Tests` covering fetch/parse/map with Korean-language fixtures. +- Snapshot canonical advisories; support fixture regeneration via env flag. +- Ensure deterministic ordering/time normalisation. 
+ +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Nvd/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Nvd/AGENTS.md index 16f53c22..6373a287 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Nvd/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Nvd/AGENTS.md 
@@ -1,26 +1,37 @@ -# AGENTS -## Role -Connector for NVD API v2: fetch, validate, map CVE items to canonical advisories, including CVSS/CWE/CPE as aliases/references. -## Scope -- Windowed fetch by modified range (6-12h default) with pagination; respect rate limits. -- Parse NVD JSON; validate against schema; extract CVSS v3/v4 metrics, CWE IDs, configurations.cpeMatch. -- Map to Advisory: primary id='CVE-YYYY-NNNN'; references; AffectedPackage entries for CPE (type=cpe) and optional vendor tags. -- Optional change-history capture: store previous payload hashes and diff summaries for auditing modified CVEs. -- Watermark: last successful modified_end; handle partial windows with overlap to avoid misses. -## Participants -- Merge engine reconciles NVD with PSIRT/OVAL (NVD yields to OVAL for OS packages). -- KEV connector may flag some CVEs; NVD severity is preserved but not overridden by KEV. -- Exporters consume canonical advisories. -## Interfaces & contracts -- Job kinds: nvd:fetch, nvd:parse, nvd:map. -- Input params: windowHours, since, until; safe defaults in ConcelierOptions. -- Output: raw documents, sanitized DTOs, mapped advisories + provenance (document, parser). -## In/Out of scope -In: registry-level data, references, generic CPEs. -Out: authoritative distro package ranges; vendor patch states. -## Observability & security expectations -- Metrics: SourceDiagnostics publishes `concelier.source.http.*` counters/histograms tagged `concelier.source=nvd`; dashboards slice on the tag to track page counts, schema failures, map throughput, and window advancement. Structured logs include window bounds and etag hits. -## Tests -- Author and review coverage in `../StellaOps.Concelier.Connector.Nvd.Tests`. -- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. -- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. 
+# AGENTS +## Role +Connector for NVD API v2: fetch, validate, map CVE items to canonical advisories, including CVSS/CWE/CPE as aliases/references. +## Scope +- Windowed fetch by modified range (6-12h default) with pagination; respect rate limits. +- Parse NVD JSON; validate against schema; extract CVSS v3/v4 metrics, CWE IDs, configurations.cpeMatch. +- Map to Advisory: primary id='CVE-YYYY-NNNN'; references; AffectedPackage entries for CPE (type=cpe) and optional vendor tags. +- Optional change-history capture: store previous payload hashes and diff summaries for auditing modified CVEs. +- Watermark: last successful modified_end; handle partial windows with overlap to avoid misses. +## Participants +- Merge engine reconciles NVD with PSIRT/OVAL (NVD yields to OVAL for OS packages). +- KEV connector may flag some CVEs; NVD severity is preserved but not overridden by KEV. +- Exporters consume canonical advisories. +## Interfaces & contracts +- Job kinds: nvd:fetch, nvd:parse, nvd:map. +- Input params: windowHours, since, until; safe defaults in ConcelierOptions. +- Output: raw documents, sanitized DTOs, mapped advisories + provenance (document, parser). +## In/Out of scope +In: registry-level data, references, generic CPEs. +Out: authoritative distro package ranges; vendor patch states. +## Observability & security expectations +- Metrics: SourceDiagnostics publishes `concelier.source.http.*` counters/histograms tagged `concelier.source=nvd`; dashboards slice on the tag to track page counts, schema failures, map throughput, and window advancement. Structured logs include window bounds and etag hits. +## Tests +- Author and review coverage in `../StellaOps.Concelier.Connector.Nvd.Tests`. +- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. +- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. 
+ +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Osv/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Osv/AGENTS.md index 14834498..622804db 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Osv/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Osv/AGENTS.md 
@@ -1,26 +1,37 @@ -# AGENTS -## Role -Connector for OSV.dev across ecosystems; authoritative SemVer/PURL ranges for OSS packages. -## Scope -- Fetch by ecosystem or time range; handle pagination and changed-since cursors. -- Parse OSV JSON; validate schema; capture introduced/fixed events, database_specific where relevant. -- Map to Advisory with AffectedPackage(type=semver, Identifier=PURL); preserve SemVer constraints and introduced/fixed chronology. -- Maintain per-ecosystem cursors and deduplicate runs via payload hashes to keep reruns idempotent. -## Participants -- Source.Common supplies HTTP clients, pagination helpers, and validators. -- Storage.Mongo persists documents, DTOs, advisories, and source_state cursors. -- Merge engine resolves OSV vs GHSA consistency; prefers SemVer data for libraries; distro OVAL still overrides OS packages. -- Exporters serialize per-ecosystem ranges untouched. -## Interfaces & contracts -- Job kinds: osv:fetch, osv:parse, osv:map (naming consistent with other connectors). -- Aliases include CVE/GHSA/OSV IDs; references include advisory/patch/release URLs. -- Provenance records method=parser and source=osv. -## In/Out of scope -In: SemVer+PURL accuracy for OSS ecosystems. -Out: vendor PSIRT and distro OVAL specifics. -## Observability & security expectations -- Metrics: SourceDiagnostics exposes the shared `concelier.source.http.*` counters/histograms tagged `concelier.source=osv`; observability dashboards slice on the tag to monitor item volume, schema failures, range counts, and ecosystem coverage. Logs include ecosystem and cursor values. -## Tests -- Author and review coverage in `../StellaOps.Concelier.Connector.Osv.Tests`. -- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. -- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. 
+# AGENTS +## Role +Connector for OSV.dev across ecosystems; authoritative SemVer/PURL ranges for OSS packages. +## Scope +- Fetch by ecosystem or time range; handle pagination and changed-since cursors. +- Parse OSV JSON; validate schema; capture introduced/fixed events, database_specific where relevant. +- Map to Advisory with AffectedPackage(type=semver, Identifier=PURL); preserve SemVer constraints and introduced/fixed chronology. +- Maintain per-ecosystem cursors and deduplicate runs via payload hashes to keep reruns idempotent. +## Participants +- Source.Common supplies HTTP clients, pagination helpers, and validators. +- Storage.Mongo persists documents, DTOs, advisories, and source_state cursors. +- Merge engine resolves OSV vs GHSA consistency; prefers SemVer data for libraries; distro OVAL still overrides OS packages. +- Exporters serialize per-ecosystem ranges untouched. +## Interfaces & contracts +- Job kinds: osv:fetch, osv:parse, osv:map (naming consistent with other connectors). +- Aliases include CVE/GHSA/OSV IDs; references include advisory/patch/release URLs. +- Provenance records method=parser and source=osv. +## In/Out of scope +In: SemVer+PURL accuracy for OSS ecosystems. +Out: vendor PSIRT and distro OVAL specifics. +## Observability & security expectations +- Metrics: SourceDiagnostics exposes the shared `concelier.source.http.*` counters/histograms tagged `concelier.source=osv`; observability dashboards slice on the tag to monitor item volume, schema failures, range counts, and ecosystem coverage. Logs include ecosystem and cursor values. +## Tests +- Author and review coverage in `../StellaOps.Concelier.Connector.Osv.Tests`. +- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. +- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. 
+ +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ru.Bdu/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ru.Bdu/AGENTS.md index 3dbe3c19..de7172d8 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ru.Bdu/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ru.Bdu/AGENTS.md 
@@ -1,38 +1,49 @@ -# AGENTS -## Role -Implement the Russian BDU (Vulnerability Database) connector to ingest advisories published by FSTEC’s BDU catalogue. - -## Scope -- Determine accessible BDU feeds/APIs (HTML listings, downloadable CSV, SOAP/REST) and access constraints. -- Build fetch/cursor pipeline with dedupe, retries, and backoff appropriate for the data source. -- Parse advisory records to extract summary, affected vendors/products, mitigation recommendations, CVE IDs. -- Map advisories into canonical `Advisory` objects including aliases, references, affected packages, and range primitives. -- Provide deterministic fixtures and regression tests for the connector lifecycle. - -## Participants -- `Source.Common` (HTTP/fetch utilities, DTO storage). -- `Storage.Mongo` (raw/document/DTO/advisory stores + source state). -- `Concelier.Models` (canonical data structures). -- `Concelier.Testing` (integration harness, snapshot utilities). - -## Interfaces & Contracts -- Job kinds: `bdu:fetch`, `bdu:parse`, `bdu:map`. -- Persist upstream metadata (e.g., record modification timestamp) to drive incremental updates. -- Alias set should include BDU identifiers and CVE IDs when present. - -## In/Out of scope -In scope: -- Core ingestion/mapping of BDU vulnerability records. - -Out of scope: -- Translation beyond normalising required canonical fields. - -## Observability & Security Expectations -- Log fetch/mapping statistics and failure details. -- Sanitize source payloads, handling Cyrillic text/encodings correctly. -- Respect upstream rate limits and mark failures with backoff. - -## Tests -- Add `StellaOps.Concelier.Connector.Ru.Bdu.Tests` covering fetch/parse/map with canned fixtures. -- Snapshot canonical advisories; support fixture regeneration via env flag. -- Ensure deterministic ordering/time normalisation. +# AGENTS +## Role +Implement the Russian BDU (Vulnerability Database) connector to ingest advisories published by FSTEC’s BDU catalogue. 
+ +## Scope +- Determine accessible BDU feeds/APIs (HTML listings, downloadable CSV, SOAP/REST) and access constraints. +- Build fetch/cursor pipeline with dedupe, retries, and backoff appropriate for the data source. +- Parse advisory records to extract summary, affected vendors/products, mitigation recommendations, CVE IDs. +- Map advisories into canonical `Advisory` objects including aliases, references, affected packages, and range primitives. +- Provide deterministic fixtures and regression tests for the connector lifecycle. + +## Participants +- `Source.Common` (HTTP/fetch utilities, DTO storage). +- `Storage.Mongo` (raw/document/DTO/advisory stores + source state). +- `Concelier.Models` (canonical data structures). +- `Concelier.Testing` (integration harness, snapshot utilities). + +## Interfaces & Contracts +- Job kinds: `bdu:fetch`, `bdu:parse`, `bdu:map`. +- Persist upstream metadata (e.g., record modification timestamp) to drive incremental updates. +- Alias set should include BDU identifiers and CVE IDs when present. + +## In/Out of scope +In scope: +- Core ingestion/mapping of BDU vulnerability records. + +Out of scope: +- Translation beyond normalising required canonical fields. + +## Observability & Security Expectations +- Log fetch/mapping statistics and failure details. +- Sanitize source payloads, handling Cyrillic text/encodings correctly. +- Respect upstream rate limits and mark failures with backoff. + +## Tests +- Add `StellaOps.Concelier.Connector.Ru.Bdu.Tests` covering fetch/parse/map with canned fixtures. +- Snapshot canonical advisories; support fixture regeneration via env flag. +- Ensure deterministic ordering/time normalisation. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. 
Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ru.Nkcki/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ru.Nkcki/AGENTS.md index 96b8e81a..70c217e4 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ru.Nkcki/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ru.Nkcki/AGENTS.md 
@@ -1,38 +1,49 @@ -# AGENTS -## Role -Implement the Russian NKTsKI (formerly NKCKI) advisories connector to ingest NKTsKI vulnerability bulletins for Concelier’s regional coverage. - -## Scope -- Identify NKTsKI advisory feeds/APIs (HTML, RSS, CSV) and access/authentication requirements. -- Implement fetch/cursor pipeline with dedupe and failure backoff tailored to the source format. -- Parse advisories to extract summary, affected vendors/products, recommended mitigation, and CVE identifiers. -- Map advisories into canonical `Advisory` records with aliases, references, affected packages, and range primitives. -- Create deterministic fixtures and regression tests. - -## Participants -- `Source.Common` (HTTP/fetch utilities, DTO storage). -- `Storage.Mongo` (raw/document/DTO/advisory stores, source state). -- `Concelier.Models` (canonical data structures). -- `Concelier.Testing` (integration fixtures, snapshots). - -## Interfaces & Contracts -- Job kinds: `nkcki:fetch`, `nkcki:parse`, `nkcki:map`. -- Persist upstream modification metadata to support incremental updates. -- Alias set should include NKTsKI advisory IDs and CVEs when present. - -## In/Out of scope -In scope: -- Core ingestion/mapping pipeline with range primitives. - -Out of scope: -- Translation beyond canonical field normalisation. - -## Observability & Security Expectations -- Log fetch/mapping activity; mark failures with backoff delays. -- Handle Cyrillic text encoding and sanitise HTML safely. -- Respect upstream rate limiting/politeness. - -## Tests -- Add `StellaOps.Concelier.Connector.Ru.Nkcki.Tests` for fetch/parse/map with canned fixtures. -- Snapshot canonical advisories; support fixture regeneration via env flag. -- Ensure deterministic ordering/time normalisation. +# AGENTS +## Role +Implement the Russian NKTsKI (formerly NKCKI) advisories connector to ingest NKTsKI vulnerability bulletins for Concelier’s regional coverage. 
+ +## Scope +- Identify NKTsKI advisory feeds/APIs (HTML, RSS, CSV) and access/authentication requirements. +- Implement fetch/cursor pipeline with dedupe and failure backoff tailored to the source format. +- Parse advisories to extract summary, affected vendors/products, recommended mitigation, and CVE identifiers. +- Map advisories into canonical `Advisory` records with aliases, references, affected packages, and range primitives. +- Create deterministic fixtures and regression tests. + +## Participants +- `Source.Common` (HTTP/fetch utilities, DTO storage). +- `Storage.Mongo` (raw/document/DTO/advisory stores, source state). +- `Concelier.Models` (canonical data structures). +- `Concelier.Testing` (integration fixtures, snapshots). + +## Interfaces & Contracts +- Job kinds: `nkcki:fetch`, `nkcki:parse`, `nkcki:map`. +- Persist upstream modification metadata to support incremental updates. +- Alias set should include NKTsKI advisory IDs and CVEs when present. + +## In/Out of scope +In scope: +- Core ingestion/mapping pipeline with range primitives. + +Out of scope: +- Translation beyond canonical field normalisation. + +## Observability & Security Expectations +- Log fetch/mapping activity; mark failures with backoff delays. +- Handle Cyrillic text encoding and sanitise HTML safely. +- Respect upstream rate limiting/politeness. + +## Tests +- Add `StellaOps.Concelier.Connector.Ru.Nkcki.Tests` for fetch/parse/map with canned fixtures. +- Snapshot canonical advisories; support fixture regeneration via env flag. +- Ensure deterministic ordering/time normalisation. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. 
Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror/AGENTS.md new file mode 100644 index 00000000..77c053b4 --- /dev/null +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.StellaOpsMirror/AGENTS.md 
@@ -0,0 +1,25 @@ +# Concelier Mirror Connector Charter + +## Mission +Provide the connector that ingests advisory mirror bundles produced by Export Center / Mirror Creator into Concelier without external network calls. The connector must preserve bundle provenance, operate under the Aggregation-Only Contract, and support incremental replay for air-gapped deployments. + +## Scope +- Connector code in `StellaOps.Concelier.Connector.StellaOpsMirror`. +- Bundle validation (signatures, manifests, Merkle roots) and resumable cursor handling. +- Integration with mirror ingestion pipelines and Offline Kit workflows. +- Tests verifying deterministic behaviour across bundle versions. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/ingestion/aggregation-only-contract.md` +- `docs/modules/concelier/operations/mirror.md` +- `docs/modules/export-center/architecture.md` (mirror profiles) +- `docs/modules/airgap/airgap-mode.md` + +## Working Agreement +1. **State updates**: mark tasks `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and `TASKS.md` when work begins/ends. +2. **Provenance first**: record bundle identifiers (`bundle_id`, digests, time anchors) alongside every observation/linkset; never mutate raw documents. +3. **Deterministic replay**: implement cursor storage and re-run safety (same bundle yields identical outputs). +4. **Offline integrity**: validate signatures/hashes before ingest; emit actionable errors for stale/invalid bundles. +5. **Testing**: maintain fixtures covering full/delta bundles, supersedes, and failure cases; run integration suite offline. +6. **Docs**: update mirror connector guidance in `docs/modules/concelier/operations/mirror.md` whenever workflow changes. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Adobe/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Adobe/AGENTS.md index 0e8afc6a..0a00144d 100644 
--- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Adobe/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Adobe/AGENTS.md 
@@ -1,28 +1,39 @@ -# AGENTS -## Role -Adobe PSIRT connector ingesting APSB/APA advisories; authoritative for Adobe products; emits psirt_flags and affected ranges; establishes PSIRT precedence over registry or distro data for Adobe software. -## Scope -- Discover and fetch APSB/APA index and detail pages; follow product links as needed; window by advisory ID/date. -- Validate HTML or JSON; normalize titles, CVE lists, product components, fixed versions/builds; capture mitigation notes and KBs. -- Persist raw docs with sha256 and headers; maintain source_state cursors; ensure idempotent mapping. -## Participants -- Source.Common (HTTP, HTML parsing, retries/backoff, validators). -- Storage.Mongo (document, dto, advisory, alias, affected, reference, psirt_flags, source_state). -- Models (canonical Advisory/Affected/Provenance). -- Core/WebService (jobs: source:adobe:fetch|parse|map). -- Merge engine (later) to apply PSIRT override policy for Adobe packages. -## Interfaces & contracts -- Aliases include APSB-YYYY-XX (and APA-* when present) plus CVE ids. -- Affected entries capture Vendor=Adobe, Product/component names, Type=vendor, Identifier stable (for example product slug), Versions with fixed/fixedBy where available. -- References typed: advisory, patch, mitigation, release notes; URLs normalized and deduped. -- Provenance.method="parser"; value carries advisory id and URL; recordedAt=fetch time. -## In/Out of scope -In: PSIRT ingestion, aliases, affected plus fixedBy, psirt_flags, watermark/resume. -Out: signing, package artifact downloads, non-Adobe product truth. -## Observability & security expectations -- Metrics: SourceDiagnostics produces `concelier.source.http.*` counters/histograms tagged `concelier.source=adobe`; operators filter on that tag to monitor fetch counts, parse failures, map affected counts, and cursor movement without bespoke metric names. -- Logs: advisory ids, product counts, extraction timings; hosts allowlisted; no secret logging. 
-## Tests -- Author and review coverage in `../StellaOps.Concelier.Connector.Vndr.Adobe.Tests`. -- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. -- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. +# AGENTS +## Role +Adobe PSIRT connector ingesting APSB/APA advisories; authoritative for Adobe products; emits psirt_flags and affected ranges; establishes PSIRT precedence over registry or distro data for Adobe software. +## Scope +- Discover and fetch APSB/APA index and detail pages; follow product links as needed; window by advisory ID/date. +- Validate HTML or JSON; normalize titles, CVE lists, product components, fixed versions/builds; capture mitigation notes and KBs. +- Persist raw docs with sha256 and headers; maintain source_state cursors; ensure idempotent mapping. +## Participants +- Source.Common (HTTP, HTML parsing, retries/backoff, validators). +- Storage.Mongo (document, dto, advisory, alias, affected, reference, psirt_flags, source_state). +- Models (canonical Advisory/Affected/Provenance). +- Core/WebService (jobs: source:adobe:fetch|parse|map). +- Merge engine (later) to apply PSIRT override policy for Adobe packages. +## Interfaces & contracts +- Aliases include APSB-YYYY-XX (and APA-* when present) plus CVE ids. +- Affected entries capture Vendor=Adobe, Product/component names, Type=vendor, Identifier stable (for example product slug), Versions with fixed/fixedBy where available. +- References typed: advisory, patch, mitigation, release notes; URLs normalized and deduped. +- Provenance.method="parser"; value carries advisory id and URL; recordedAt=fetch time. +## In/Out of scope +In: PSIRT ingestion, aliases, affected plus fixedBy, psirt_flags, watermark/resume. +Out: signing, package artifact downloads, non-Adobe product truth. 
+## Observability & security expectations +- Metrics: SourceDiagnostics produces `concelier.source.http.*` counters/histograms tagged `concelier.source=adobe`; operators filter on that tag to monitor fetch counts, parse failures, map affected counts, and cursor movement without bespoke metric names. +- Logs: advisory ids, product counts, extraction timings; hosts allowlisted; no secret logging. +## Tests +- Author and review coverage in `../StellaOps.Concelier.Connector.Vndr.Adobe.Tests`. +- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. +- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Apple/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Apple/AGENTS.md index 3a218151..f651faa2 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Apple/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Apple/AGENTS.md 
@@ -1,39 +1,50 @@ -# AGENTS -## Role -Implement the Apple security advisories connector to ingest Apple HT/HT2 security bulletins for macOS/iOS/tvOS/visionOS. - -## Scope -- Identify canonical Apple security bulletin feeds (HTML, RSS, JSON) and change detection strategy. -- Implement fetch/cursor pipeline with retry/backoff, handling localisation/HTML quirks. -- Parse advisories to extract summary, affected products/versions, mitigation, CVEs. -- Map advisories into canonical `Advisory` records with aliases, references, affected packages, and range primitives (SemVer + vendor extensions). -- Produce deterministic fixtures and regression tests. - -## Participants -- `Source.Common` (HTTP/fetch utilities, DTO storage). -- `Storage.Mongo` (raw/document/DTO/advisory stores, source state). -- `Concelier.Models` (canonical structures + range primitives). -- `Concelier.Testing` (integration fixtures/snapshots). - -## Interfaces & Contracts -- Job kinds: `apple:fetch`, `apple:parse`, `apple:map`. -- Persist upstream metadata (ETag/Last-Modified or revision IDs) for incremental updates. -- Alias set should include Apple HT IDs and CVE IDs. - -## In/Out of scope -In scope: -- Security advisories covering Apple OS/app updates. -- Range primitives capturing device/OS version ranges. - -Out of scope: -- Release notes unrelated to security. - -## Observability & Security Expectations -- Log fetch/mapping statistics and failure details. -- Sanitize HTML while preserving structured data tables. -- Respect upstream rate limits; record failures with backoff. - -## Tests -- Add `StellaOps.Concelier.Connector.Vndr.Apple.Tests` covering fetch/parse/map with fixtures. -- Snapshot canonical advisories; support fixture regeneration via env flag. -- Ensure deterministic ordering/time normalisation. +# AGENTS +## Role +Implement the Apple security advisories connector to ingest Apple HT/HT2 security bulletins for macOS/iOS/tvOS/visionOS. 
+ +## Scope +- Identify canonical Apple security bulletin feeds (HTML, RSS, JSON) and change detection strategy. +- Implement fetch/cursor pipeline with retry/backoff, handling localisation/HTML quirks. +- Parse advisories to extract summary, affected products/versions, mitigation, CVEs. +- Map advisories into canonical `Advisory` records with aliases, references, affected packages, and range primitives (SemVer + vendor extensions). +- Produce deterministic fixtures and regression tests. + +## Participants +- `Source.Common` (HTTP/fetch utilities, DTO storage). +- `Storage.Mongo` (raw/document/DTO/advisory stores, source state). +- `Concelier.Models` (canonical structures + range primitives). +- `Concelier.Testing` (integration fixtures/snapshots). + +## Interfaces & Contracts +- Job kinds: `apple:fetch`, `apple:parse`, `apple:map`. +- Persist upstream metadata (ETag/Last-Modified or revision IDs) for incremental updates. +- Alias set should include Apple HT IDs and CVE IDs. + +## In/Out of scope +In scope: +- Security advisories covering Apple OS/app updates. +- Range primitives capturing device/OS version ranges. + +Out of scope: +- Release notes unrelated to security. + +## Observability & Security Expectations +- Log fetch/mapping statistics and failure details. +- Sanitize HTML while preserving structured data tables. +- Respect upstream rate limits; record failures with backoff. + +## Tests +- Add `StellaOps.Concelier.Connector.Vndr.Apple.Tests` covering fetch/parse/map with fixtures. +- Snapshot canonical advisories; support fixture regeneration via env flag. +- Ensure deterministic ordering/time normalisation. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. 
Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Chromium/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Chromium/AGENTS.md index bf628ae5..cd83f388 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Chromium/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Chromium/AGENTS.md 
@@ -1,28 +1,39 @@ -# AGENTS -## Role -Chromium/Chrome vendor feed connector parsing Stable Channel Update posts; authoritative vendor context for Chrome/Chromium versions and CVE lists; maps fixed versions as affected ranges. -## Scope -- Crawl Chrome Releases blog list; window by publish date; fetch detail posts; identify "Stable Channel Update" and security fix sections. -- Validate HTML; extract version trains, platform notes (Windows/macOS/Linux/Android), CVEs, acknowledgements; map fixed versions. -- Persist raw docs and maintain source_state cursor; idempotent mapping. -## Participants -- Source.Common (HTTP, HTML helpers, validators). -- Storage.Mongo (document, dto, advisory, alias, affected, reference, psirt_flags, source_state). -- Models (canonical; affected ranges by product/version). -- Core/WebService (jobs: source:chromium:fetch|parse|map). -- Merge engine (later) to respect vendor PSIRT precedence for Chrome. -## Interfaces & contracts -- Aliases: CHROMIUM-POST: plus CVE ids. -- Affected: Vendor=Google, Product=Chrome/Chromium (platform tags), Type=vendor; Versions indicate introduced? (often unknown) and fixed (for example 127.0.6533.88); tags mark platforms. -- References: advisory (post URL), release notes, bug links; kind set appropriately. -- Provenance: method=parser; value=post slug; recordedAt=fetch time. -## In/Out of scope -In: vendor advisory mapping, fixed version emission per platform, psirt_flags vendor context. -Out: OS distro packaging semantics; bug bounty details beyond references. -## Observability & security expectations -- Metrics: SourceDiagnostics exports the shared `concelier.source.http.*` counters/histograms tagged `concelier.source=chromium`, enabling dashboards to observe fetch volumes, parse failures, and map affected counts via tag filters. -- Logs: post slugs, version extracted, platform coverage, timing; allowlist blog host. 
-## Tests -- Author and review coverage in `../StellaOps.Concelier.Connector.Vndr.Chromium.Tests`. -- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. -- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. +# AGENTS +## Role +Chromium/Chrome vendor feed connector parsing Stable Channel Update posts; authoritative vendor context for Chrome/Chromium versions and CVE lists; maps fixed versions as affected ranges. +## Scope +- Crawl Chrome Releases blog list; window by publish date; fetch detail posts; identify "Stable Channel Update" and security fix sections. +- Validate HTML; extract version trains, platform notes (Windows/macOS/Linux/Android), CVEs, acknowledgements; map fixed versions. +- Persist raw docs and maintain source_state cursor; idempotent mapping. +## Participants +- Source.Common (HTTP, HTML helpers, validators). +- Storage.Mongo (document, dto, advisory, alias, affected, reference, psirt_flags, source_state). +- Models (canonical; affected ranges by product/version). +- Core/WebService (jobs: source:chromium:fetch|parse|map). +- Merge engine (later) to respect vendor PSIRT precedence for Chrome. +## Interfaces & contracts +- Aliases: CHROMIUM-POST: plus CVE ids. +- Affected: Vendor=Google, Product=Chrome/Chromium (platform tags), Type=vendor; Versions indicate introduced? (often unknown) and fixed (for example 127.0.6533.88); tags mark platforms. +- References: advisory (post URL), release notes, bug links; kind set appropriately. +- Provenance: method=parser; value=post slug; recordedAt=fetch time. +## In/Out of scope +In: vendor advisory mapping, fixed version emission per platform, psirt_flags vendor context. +Out: OS distro packaging semantics; bug bounty details beyond references. 
+## Observability & security expectations +- Metrics: SourceDiagnostics exports the shared `concelier.source.http.*` counters/histograms tagged `concelier.source=chromium`, enabling dashboards to observe fetch volumes, parse failures, and map affected counts via tag filters. +- Logs: post slugs, version extracted, platform coverage, timing; allowlist blog host. +## Tests +- Author and review coverage in `../StellaOps.Concelier.Connector.Vndr.Chromium.Tests`. +- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. +- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco/AGENTS.md index 99565a05..1ee0b6d0 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco/AGENTS.md 
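Review bot: the hunk removes all 28 original lines and re-adds them with identical content, although the only substantive change is the eleven appended lines (the Required Reading and Working Agreement sections, matching `@@ -1,28 +1,39 @@`); a whole-file rewrite with unchanged text almost always means line endings or trailing whitespace changed, which hides the real edit from review and `git blame`. Normalise line endings in a separate commit (or via `.gitattributes`) so this hunk shows only the added sections. Separately, `Versions indicate introduced? (often unknown)` reads as an unresolved question left in the charter; state plainly that the introduced bound is normally absent and only the fixed version is emitted.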
@@ -1,30 +1,41 @@ -# AGENTS -## Role -Implement the Cisco security advisory connector to ingest Cisco PSIRT bulletins for Concelier. - -## Scope -- Identify Cisco advisory feeds/APIs (XML, HTML, JSON) and define incremental fetch strategy. -- Implement fetch/cursor pipeline with retry/backoff and document dedupe. -- Parse advisories to extract summary, affected products, Cisco bug IDs, CVEs, mitigation guidance. -- Map advisories into canonical `Advisory` records with aliases, references, affected packages, and range primitives (e.g., SemVer/IOS version metadata). -- Provide deterministic fixtures and regression tests. - -## Participants -- `Source.Common`, `Storage.Mongo`, `Concelier.Models`, `Concelier.Testing`. - -## Interfaces & Contracts -- Job kinds: `cisco:fetch`, `cisco:parse`, `cisco:map`. -- Persist upstream metadata (e.g., `Last-Modified`, `advisoryId`). -- Alias set should include Cisco advisory IDs, bug IDs, and CVEs. - -## In/Out of scope -In scope: Cisco PSIRT advisories, range primitive coverage. -Out of scope: Non-security Cisco release notes. - -## Observability & Security Expectations -- Log fetch/mapping statistics, respect Cisco API rate limits, sanitise HTML. -- Handle authentication tokens if API requires them. - -## Tests -- Add `StellaOps.Concelier.Connector.Vndr.Cisco.Tests` with canned fixtures for fetch/parse/map. -- Snapshot canonical advisories and support fixture regeneration. +# AGENTS +## Role +Implement the Cisco security advisory connector to ingest Cisco PSIRT bulletins for Concelier. + +## Scope +- Identify Cisco advisory feeds/APIs (XML, HTML, JSON) and define incremental fetch strategy. +- Implement fetch/cursor pipeline with retry/backoff and document dedupe. +- Parse advisories to extract summary, affected products, Cisco bug IDs, CVEs, mitigation guidance. +- Map advisories into canonical `Advisory` records with aliases, references, affected packages, and range primitives (e.g., SemVer/IOS version metadata). 
+- Provide deterministic fixtures and regression tests. + +## Participants +- `Source.Common`, `Storage.Mongo`, `Concelier.Models`, `Concelier.Testing`. + +## Interfaces & Contracts +- Job kinds: `cisco:fetch`, `cisco:parse`, `cisco:map`. +- Persist upstream metadata (e.g., `Last-Modified`, `advisoryId`). +- Alias set should include Cisco advisory IDs, bug IDs, and CVEs. + +## In/Out of scope +In scope: Cisco PSIRT advisories, range primitive coverage. +Out of scope: Non-security Cisco release notes. + +## Observability & Security Expectations +- Log fetch/mapping statistics, respect Cisco API rate limits, sanitise HTML. +- Handle authentication tokens if API requires them. + +## Tests +- Add `StellaOps.Concelier.Connector.Vndr.Cisco.Tests` with canned fixtures for fetch/parse/map. +- Snapshot canonical advisories and support fixture regeneration. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Msrc/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Msrc/AGENTS.md index e2f82ea5..9c4fff83 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Msrc/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Msrc/AGENTS.md 
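Review bot: `Handle authentication tokens if API requires them` under Observability & Security Expectations leaves the token handling unspecified: where the token comes from (configuration or a secret store, never fixtures) and that it must not leak into the logged fetch/mapping statistics or the persisted upstream metadata. The Core charter later in this patch spells out `redact params containing secrets`; add an equivalent bullet here, for example `- Load API tokens from configuration; redact them from logs, metric tags, and persisted request metadata.`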
@@ -1,30 +1,41 @@ -# AGENTS -## Role -Implement the Microsoft Security Response Center (MSRC) connector to ingest Microsoft security updates (Security Updates API / CVRF). - -## Scope -- Identify MSRC data sources (Security Update Guide API, CVRF downloads) and incremental update strategy. -- Implement fetch/cursor pipeline with retry/backoff, handling API keys if required. -- Parse advisories to extract summary, affected products, KBs, CVEs, severities, mitigations. -- Map entries into canonical `Advisory` objects with aliases, references, affected packages, and range primitives (e.g., Windows build numbers, SemVer). -- Provide deterministic fixtures and regression tests. - -## Participants -- `Source.Common`, `Storage.Mongo`, `Concelier.Models`, `Concelier.Testing`. - -## Interfaces & Contracts -- Job kinds: `msrc:fetch`, `msrc:parse`, `msrc:map`. -- Persist upstream metadata (e.g., `lastModified`, `releaseDate`). -- Alias set should include MSRC ID, CVEs, and KB identifiers. - -## In/Out of scope -In scope: Microsoft Security Update Guide advisories. -Out of scope: Non-security Microsoft release notes. - -## Observability & Security Expectations -- Log fetch/mapping stats, respect API rate limits, handle authentication securely. -- Sanitize payloads; validate JSON/CVRF before persistence. - -## Tests -- Add `StellaOps.Concelier.Connector.Vndr.Msrc.Tests` with fixtures covering fetch/parse/map. -- Snapshot canonical advisories; support fixture regeneration. +# AGENTS +## Role +Implement the Microsoft Security Response Center (MSRC) connector to ingest Microsoft security updates (Security Updates API / CVRF). + +## Scope +- Identify MSRC data sources (Security Update Guide API, CVRF downloads) and incremental update strategy. +- Implement fetch/cursor pipeline with retry/backoff, handling API keys if required. +- Parse advisories to extract summary, affected products, KBs, CVEs, severities, mitigations. 
+- Map entries into canonical `Advisory` objects with aliases, references, affected packages, and range primitives (e.g., Windows build numbers, SemVer). +- Provide deterministic fixtures and regression tests. + +## Participants +- `Source.Common`, `Storage.Mongo`, `Concelier.Models`, `Concelier.Testing`. + +## Interfaces & Contracts +- Job kinds: `msrc:fetch`, `msrc:parse`, `msrc:map`. +- Persist upstream metadata (e.g., `lastModified`, `releaseDate`). +- Alias set should include MSRC ID, CVEs, and KB identifiers. + +## In/Out of scope +In scope: Microsoft Security Update Guide advisories. +Out of scope: Non-security Microsoft release notes. + +## Observability & Security Expectations +- Log fetch/mapping stats, respect API rate limits, handle authentication securely. +- Sanitize payloads; validate JSON/CVRF before persistence. + +## Tests +- Add `StellaOps.Concelier.Connector.Vndr.Msrc.Tests` with fixtures covering fetch/parse/map. +- Snapshot canonical advisories; support fixture regeneration. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Oracle/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Oracle/AGENTS.md index f17567a5..3800fdfb 100644 
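Review bot: `handle authentication securely` is a goal rather than an agreement; say what the connector does with the API key: read from configuration, never written to logs or to the persisted upstream metadata (`lastModified` and `releaseDate` are fine to store, the key is not). Likewise `validate JSON/CVRF before persistence` should name the check (schema validation for CVRF, required-field checks for the Security Update Guide JSON) so the fixture tests in `StellaOps.Concelier.Connector.Vndr.Msrc.Tests` can assert that malformed payloads are rejected rather than persisted.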
--- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Oracle/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Oracle/AGENTS.md 
@@ -1,27 +1,38 @@ -# AGENTS -## Role -Oracle PSIRT connector for Critical Patch Updates (CPU) and Security Alerts; authoritative vendor ranges and severities for Oracle products; establishes PSIRT precedence over registry or distro where applicable. -## Scope -- Harvest CPU calendar pages and per-advisory content; window by CPU cycle (Jan/Apr/Jul/Oct) and last modified timestamps. -- Validate HTML or JSON; extract CVE lists, affected products, components, versions, fixed patch levels; map to canonical with aliases and psirt_flags. -- Persist raw documents; maintain source_state across cycles; idempotent mapping. -## Participants -- Source.Common (HTTP, validators). -- Storage.Mongo (document, dto, advisory, alias, affected, reference, psirt_flags, source_state). -- Models (canonical; affected ranges for vendor products). -- Core/WebService (jobs: source:oracle:fetch|parse|map). -- Merge engine (later) to prefer PSIRT ranges over NVD for Oracle products. -## Interfaces & contracts -- Alias scheme includes CPU:YYYY-QQ plus individual advisory ids when present; include CVE mappings. -- Affected entries capture product/component and fixedBy patch version; references include product notes and patch docs; kind=advisory or patch. -- Provenance.method=parser; value includes CPU cycle and advisory slug. -## In/Out of scope -In: PSIRT authoritative mapping, cycles handling, precedence signaling. -Out: signing or patch artifact downloads. -## Observability & security expectations -- Metrics: SourceDiagnostics emits `concelier.source.http.*` counters/histograms tagged `concelier.source=oracle`, so observability dashboards slice on that tag to monitor fetch pages, CPU cycle coverage, parse failures, and map affected counts. -- Logs: cycle tags, advisory ids, extraction timings; redact nothing sensitive. -## Tests -- Author and review coverage in `../StellaOps.Concelier.Connector.Vndr.Oracle.Tests`. 
-- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. -- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. +# AGENTS +## Role +Oracle PSIRT connector for Critical Patch Updates (CPU) and Security Alerts; authoritative vendor ranges and severities for Oracle products; establishes PSIRT precedence over registry or distro where applicable. +## Scope +- Harvest CPU calendar pages and per-advisory content; window by CPU cycle (Jan/Apr/Jul/Oct) and last modified timestamps. +- Validate HTML or JSON; extract CVE lists, affected products, components, versions, fixed patch levels; map to canonical with aliases and psirt_flags. +- Persist raw documents; maintain source_state across cycles; idempotent mapping. +## Participants +- Source.Common (HTTP, validators). +- Storage.Mongo (document, dto, advisory, alias, affected, reference, psirt_flags, source_state). +- Models (canonical; affected ranges for vendor products). +- Core/WebService (jobs: source:oracle:fetch|parse|map). +- Merge engine (later) to prefer PSIRT ranges over NVD for Oracle products. +## Interfaces & contracts +- Alias scheme includes CPU:YYYY-QQ plus individual advisory ids when present; include CVE mappings. +- Affected entries capture product/component and fixedBy patch version; references include product notes and patch docs; kind=advisory or patch. +- Provenance.method=parser; value includes CPU cycle and advisory slug. +## In/Out of scope +In: PSIRT authoritative mapping, cycles handling, precedence signaling. +Out: signing or patch artifact downloads. +## Observability & security expectations +- Metrics: SourceDiagnostics emits `concelier.source.http.*` counters/histograms tagged `concelier.source=oracle`, so observability dashboards slice on that tag to monitor fetch pages, CPU cycle coverage, parse failures, and map affected counts. 
+- Logs: cycle tags, advisory ids, extraction timings; redact nothing sensitive. +## Tests +- Author and review coverage in `../StellaOps.Concelier.Connector.Vndr.Oracle.Tests`. +- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. +- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Vmware/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Vmware/AGENTS.md index e1cec064..fb6bc51c 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Vmware/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Vmware/AGENTS.md 
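Review bot: `redact nothing sensitive` in the Logs bullet is ambiguous; it can be read as "redact nothing" as easily as "log nothing sensitive". The sibling charters in this patch say `no sensitive data` (JSON exporter) and `redact credentials` (Trivy exporter); align the wording, e.g. `- Logs: cycle tags, advisory ids, extraction timings; no sensitive data.`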
@@ -1,28 +1,39 @@ -# AGENTS -## Role -VMware/Broadcom PSIRT connector ingesting VMSA advisories; authoritative for VMware products; maps affected versions/builds and emits psirt_flags. -## Scope -- Discover/fetch VMSA index and detail pages via Broadcom portal; window by advisory ID/date; follow updates/revisions. -- Validate HTML or JSON; extract CVEs, affected product versions/builds, workarounds, fixed versions; normalize product naming. -- Persist raw docs with sha256; manage source_state; idempotent mapping. -## Participants -- Source.Common (HTTP, cookies/session handling if needed, validators). -- Storage.Mongo (document, dto, advisory, alias, affected, reference, psirt_flags, source_state). -- Models (canonical). -- Core/WebService (jobs: source:vmware:fetch|parse|map). -- Merge engine (later) to prefer PSIRT ranges for VMware products. -## Interfaces & contracts -- Aliases: VMSA-YYYY-NNNN plus CVEs. -- Affected entries include Vendor=VMware, Product plus component; Versions carry fixed/fixedBy; tags may include build numbers or ESXi/VC levels. -- References: advisory URL, KBs, workaround pages; typed; deduped. -- Provenance: method=parser; value=VMSA id. -## In/Out of scope -In: PSIRT precedence mapping, affected/fixedBy extraction, advisory references. -Out: customer portal authentication flows beyond public advisories; downloading patches. -## Observability & security expectations -- Metrics: SourceDiagnostics emits shared `concelier.source.http.*` counters/histograms tagged `concelier.source=vmware`, allowing dashboards to measure fetch volume, parse failures, and map affected counts without bespoke metric names. -- Logs: vmsa ids, product counts, extraction timings; handle portal rate limits politely. -## Tests -- Author and review coverage in `../StellaOps.Concelier.Connector.Vndr.Vmware.Tests`. -- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. 
-- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. +# AGENTS +## Role +VMware/Broadcom PSIRT connector ingesting VMSA advisories; authoritative for VMware products; maps affected versions/builds and emits psirt_flags. +## Scope +- Discover/fetch VMSA index and detail pages via Broadcom portal; window by advisory ID/date; follow updates/revisions. +- Validate HTML or JSON; extract CVEs, affected product versions/builds, workarounds, fixed versions; normalize product naming. +- Persist raw docs with sha256; manage source_state; idempotent mapping. +## Participants +- Source.Common (HTTP, cookies/session handling if needed, validators). +- Storage.Mongo (document, dto, advisory, alias, affected, reference, psirt_flags, source_state). +- Models (canonical). +- Core/WebService (jobs: source:vmware:fetch|parse|map). +- Merge engine (later) to prefer PSIRT ranges for VMware products. +## Interfaces & contracts +- Aliases: VMSA-YYYY-NNNN plus CVEs. +- Affected entries include Vendor=VMware, Product plus component; Versions carry fixed/fixedBy; tags may include build numbers or ESXi/VC levels. +- References: advisory URL, KBs, workaround pages; typed; deduped. +- Provenance: method=parser; value=VMSA id. +## In/Out of scope +In: PSIRT precedence mapping, affected/fixedBy extraction, advisory references. +Out: customer portal authentication flows beyond public advisories; downloading patches. +## Observability & security expectations +- Metrics: SourceDiagnostics emits shared `concelier.source.http.*` counters/histograms tagged `concelier.source=vmware`, allowing dashboards to measure fetch volume, parse failures, and map affected counts without bespoke metric names. +- Logs: vmsa ids, product counts, extraction timings; handle portal rate limits politely. +## Tests +- Author and review coverage in `../StellaOps.Concelier.Connector.Vndr.Vmware.Tests`. 
+- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. +- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Core/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Core/AGENTS.md index e6e0b4a4..8dd14239 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Core/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Core/AGENTS.md 
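Review bot: `handle portal rate limits politely` is a behaviour requirement tucked into the Logs bullet, and "politely" does not define the behaviour; give it its own bullet phrased like the Apple charter (`Respect upstream rate limits; record failures with backoff`) so the retry/backoff policy can be exercised by the connector's fixtures. Also, `cookies/session handling if needed` under Participants sits uneasily beside the Out-of-scope line `customer portal authentication flows beyond public advisories`; clarify that session handling is limited to what the public VMSA pages require, so nobody reads it as licence to add portal login code.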
@@ -1,32 +1,43 @@ -# AGENTS -## Role -Job orchestration and lifecycle. Registers job definitions, schedules execution, triggers runs, reports status for connectors and exporters. -## Scope -- Contracts: IJob (execute with CancellationToken), JobRunStatus, JobTriggerOutcome/Result. -- Registration: JobSchedulerBuilder.AddJob(kind, cronExpression?, timeout?, leaseDuration?); options recorded in JobSchedulerOptions. -- Plugin host integration discovers IJob providers via registered IDependencyInjectionRoutine implementations. -- Coordination: start/stop, single-flight via storage locks/leases, run bookkeeping (status, timings, errors). -- Triggering: manual/cron/API; parameterized runs; idempotent rejection if already running. -- Surfacing: enumerate definitions, last run, recent runs, active runs to WebService endpoints. -## Participants -- WebService exposes REST endpoints for definitions, runs, active, and trigger. -- Storage.Mongo persists job definitions metadata, run documents, and leases (locks collection). -- Source connectors and Exporters implement IJob and are registered into the scheduler via DI and Plugin routines. -- Models/Merge/Export are invoked indirectly through jobs. -- Plugin host runtime loads dependency injection routines that register job definitions. -## Interfaces & contracts -- Kind naming: family:source:verb (e.g., nvd:fetch, redhat:map, export:trivy-db). -- Timeout and lease duration enforce cancellation and duplicate-prevention. -- TimeProvider used for deterministic timing in tests. -## In/Out of scope -In: job lifecycle, registration, trigger semantics, run metadata. -Out: business logic of connectors/exporters, HTTP handlers (owned by WebService). -## Observability & security expectations -- Metrics: job.run.started/succeeded/failed, job.durationMs, job.concurrent.rejected, job.alreadyRunning. -- Logs: kind, trigger, params hash, lease holder, outcome; redact params containing secrets. -- Honor CancellationToken early and often. 
-## Tests -- Author and review coverage in `../StellaOps.Concelier.Core.Tests`. -- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. -- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. - +# AGENTS +## Role +Job orchestration and lifecycle. Registers job definitions, schedules execution, triggers runs, reports status for connectors and exporters. +## Scope +- Contracts: IJob (execute with CancellationToken), JobRunStatus, JobTriggerOutcome/Result. +- Registration: JobSchedulerBuilder.AddJob(kind, cronExpression?, timeout?, leaseDuration?); options recorded in JobSchedulerOptions. +- Plugin host integration discovers IJob providers via registered IDependencyInjectionRoutine implementations. +- Coordination: start/stop, single-flight via storage locks/leases, run bookkeeping (status, timings, errors). +- Triggering: manual/cron/API; parameterized runs; idempotent rejection if already running. +- Surfacing: enumerate definitions, last run, recent runs, active runs to WebService endpoints. +## Participants +- WebService exposes REST endpoints for definitions, runs, active, and trigger. +- Storage.Mongo persists job definitions metadata, run documents, and leases (locks collection). +- Source connectors and Exporters implement IJob and are registered into the scheduler via DI and Plugin routines. +- Models/Merge/Export are invoked indirectly through jobs. +- Plugin host runtime loads dependency injection routines that register job definitions. +## Interfaces & contracts +- Kind naming: family:source:verb (e.g., nvd:fetch, redhat:map, export:trivy-db). +- Timeout and lease duration enforce cancellation and duplicate-prevention. +- TimeProvider used for deterministic timing in tests. +## In/Out of scope +In: job lifecycle, registration, trigger semantics, run metadata. +Out: business logic of connectors/exporters, HTTP handlers (owned by WebService). 
+## Observability & security expectations +- Metrics: job.run.started/succeeded/failed, job.durationMs, job.concurrent.rejected, job.alreadyRunning. +- Logs: kind, trigger, params hash, lease holder, outcome; redact params containing secrets. +- Honor CancellationToken early and often. +## Tests +- Author and review coverage in `../StellaOps.Concelier.Core.Tests`. +- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. +- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. + + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Exporter.Json/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Exporter.Json/AGENTS.md index 5ce605e3..50f70432 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Exporter.Json/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Exporter.Json/AGENTS.md 
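Review bot: the added block has two consecutive blank `+` lines before `## Required Reading`, while the pre-existing trailing blank line is removed and re-added, so the hunk spends three blank-line changes to produce one extra blank line; trim to a single blank line, which is what the connector charters earlier in this patch use. The JSON exporter charter that follows has the same double blank line.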
@@ -1,28 +1,39 @@ -# AGENTS -## Role -Optional exporter producing vuln-list-shaped JSON tree for downstream trivy-db builder or interoperability. Deterministic, provenance-preserving. -## Scope -- Transform canonical advisories into directory tree structure mirroring aquasecurity/vuln-list (by ecosystem/vendor/distro as applicable). -- Sorting and serialization invariants: stable key order, newline policy, UTC ISO-8601. -- Cursoring/incremental export: export_state tracks last advisory hash/time to avoid full rewrites. -- Packaging: output directory under exports/json/ with reproducible naming; optionally symlink latest. -- Optional auxiliary index files (for example severity summaries) may be generated when explicitly requested, but must remain deterministic and avoid altering canonical payloads. -## Participants -- Storage.Mongo.AdvisoryStore as input; ExportState repository for cursors/digests. -- Core scheduler runs JsonExportJob; Plugin DI wires JsonExporter + job. -- TrivyDb exporter may consume the rendered tree in v0 (builder path) if configured. -## Interfaces & contracts -- Job kind: export:json (JsonExportJob). -- Determinism: same inputs -> identical file bytes; hash snapshot persisted. -- Provenance: include minimal provenance fields when helpful; keep identity stable. -## In/Out of scope -In: JSON rendering and layout; incremental/deterministic writes. -Out: ORAS push and Trivy DB BoltDB writing (owned by Trivy exporter). -## Observability & security expectations -- Metrics: export.json.records, bytes, duration, delta.changed. -- Logs: target path, record counts, digest; no sensitive data. -## Tests -- Author and review coverage in `../StellaOps.Concelier.Exporter.Json.Tests`. -- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. -- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. 
- +# AGENTS +## Role +Optional exporter producing vuln-list-shaped JSON tree for downstream trivy-db builder or interoperability. Deterministic, provenance-preserving. +## Scope +- Transform canonical advisories into directory tree structure mirroring aquasecurity/vuln-list (by ecosystem/vendor/distro as applicable). +- Sorting and serialization invariants: stable key order, newline policy, UTC ISO-8601. +- Cursoring/incremental export: export_state tracks last advisory hash/time to avoid full rewrites. +- Packaging: output directory under exports/json/ with reproducible naming; optionally symlink latest. +- Optional auxiliary index files (for example severity summaries) may be generated when explicitly requested, but must remain deterministic and avoid altering canonical payloads. +## Participants +- Storage.Mongo.AdvisoryStore as input; ExportState repository for cursors/digests. +- Core scheduler runs JsonExportJob; Plugin DI wires JsonExporter + job. +- TrivyDb exporter may consume the rendered tree in v0 (builder path) if configured. +## Interfaces & contracts +- Job kind: export:json (JsonExportJob). +- Determinism: same inputs -> identical file bytes; hash snapshot persisted. +- Provenance: include minimal provenance fields when helpful; keep identity stable. +## In/Out of scope +In: JSON rendering and layout; incremental/deterministic writes. +Out: ORAS push and Trivy DB BoltDB writing (owned by Trivy exporter). +## Observability & security expectations +- Metrics: export.json.records, bytes, duration, delta.changed. +- Logs: target path, record counts, digest; no sensitive data. +## Tests +- Author and review coverage in `../StellaOps.Concelier.Exporter.Json.Tests`. +- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. +- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. 
+ + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Exporter.TrivyDb/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Exporter.TrivyDb/AGENTS.md index cdd6ffdb..04d84911 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Exporter.TrivyDb/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Exporter.TrivyDb/AGENTS.md 
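Review bot: the JSON exporter charter hunk above rewrites every line of the file (each `-` line reappears byte-for-byte as a `+` line) when the only real change is the appended `## Required Reading` and `## Working Agreement` sections; that pattern is the signature of a CRLF/LF flip and it buries the substantive change and the blame history. Confirm with `git diff --ignore-cr-at-eol`, and either land the line-ending normalization as its own commit or add a `.gitattributes` rule so this charter change is a clean two-section append. The appended `- 1.`, `- 2.` markers also render as a bulleted list whose items start with a digit rather than as the ordered list that was intended; a plain `1.` list matches the Normalization charter added elsewhere in this patch.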
@@ -1,29 +1,40 @@ -# AGENTS -## Role -Exporter producing a Trivy-compatible database artifact for self-hosting or offline use. v0: JSON list + metadata; v1: integrate official trivy-db builder or write BoltDB directly; pack and optionally push via ORAS. -## Scope -- Read canonical advisories; serialize payload for builder or intermediate; write metadata.json (generatedAt, counts). -- Output root: exports/trivy/; deterministic path components. -- OCI/Trivy expectations: layer media type application/vnd.aquasec.trivy.db.layer.v1.tar+gzip; config media type application/vnd.aquasec.trivy.config.v1+json; tag (e.g., 2). -- Optional ORAS push; optional offline bundle (db.tar.gz + metadata.json). -- DI: TrivyExporter + Jobs.TrivyExportJob registered by TrivyExporterDependencyInjectionRoutine. -- Export_state recording: capture digests, counts, start/end timestamps for idempotent reruns and incremental packaging. -## Participants -- Storage.Mongo.AdvisoryStore as input. -- Core scheduler runs export job; WebService/Plugins trigger it. -- JSON exporter (optional precursor) if choosing the builder path. -## Interfaces & contracts -- IFeedExporter.Name = "trivy-db"; ExportAsync(IServiceProvider, CancellationToken). -- ConcelierOptions.packaging.trivy governs repo/tag/publish/offline_bundle. -- Deterministic sorting and timestamp discipline (UTC; consider build reproducibility knobs). -## In/Out of scope -In: assembling builder inputs, packing tar.gz, pushing to registry when configured. -Out: signing (external pipeline), scanner behavior. -## Observability & security expectations -- Metrics: export.trivy.records, size_bytes, duration, oras.push.success/fail. -- Logs: export path, repo/tag, digest; redact credentials; backoff on push errors. -## Tests -- Author and review coverage in `../StellaOps.Concelier.Exporter.TrivyDb.Tests`. -- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. 
-- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. - +# AGENTS +## Role +Exporter producing a Trivy-compatible database artifact for self-hosting or offline use. v0: JSON list + metadata; v1: integrate official trivy-db builder or write BoltDB directly; pack and optionally push via ORAS. +## Scope +- Read canonical advisories; serialize payload for builder or intermediate; write metadata.json (generatedAt, counts). +- Output root: exports/trivy/; deterministic path components. +- OCI/Trivy expectations: layer media type application/vnd.aquasec.trivy.db.layer.v1.tar+gzip; config media type application/vnd.aquasec.trivy.config.v1+json; tag (e.g., 2). +- Optional ORAS push; optional offline bundle (db.tar.gz + metadata.json). +- DI: TrivyExporter + Jobs.TrivyExportJob registered by TrivyExporterDependencyInjectionRoutine. +- Export_state recording: capture digests, counts, start/end timestamps for idempotent reruns and incremental packaging. +## Participants +- Storage.Mongo.AdvisoryStore as input. +- Core scheduler runs export job; WebService/Plugins trigger it. +- JSON exporter (optional precursor) if choosing the builder path. +## Interfaces & contracts +- IFeedExporter.Name = "trivy-db"; ExportAsync(IServiceProvider, CancellationToken). +- ConcelierOptions.packaging.trivy governs repo/tag/publish/offline_bundle. +- Deterministic sorting and timestamp discipline (UTC; consider build reproducibility knobs). +## In/Out of scope +In: assembling builder inputs, packing tar.gz, pushing to registry when configured. +Out: signing (external pipeline), scanner behavior. +## Observability & security expectations +- Metrics: export.trivy.records, size_bytes, duration, oras.push.success/fail. +- Logs: export path, repo/tag, digest; redact credentials; backoff on push errors. +## Tests +- Author and review coverage in `../StellaOps.Concelier.Exporter.TrivyDb.Tests`. 
+- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. +- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. + + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Merge/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Merge/AGENTS.md index 9900155f..069f3b9d 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Merge/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Merge/AGENTS.md 
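Review bot: in the TrivyDb exporter hunk above, the new `## Required Reading` lists only the two architecture documents, yet the charter's Scope covers an optional ORAS push and an offline bundle (`db.tar.gz` + `metadata.json`), and Working Agreement item 3 tells authors to "align with offline/air-gap expectations" without pointing at anything that defines those expectations. Add the air-gap reference the Excititor mirror charter in this same patch cites (`docs/modules/airgap/airgap-mode.md`) and, since `ConcelierOptions.packaging.trivy` governs `repo/tag/publish/offline_bundle`, whatever documents that options block, so the offline requirement and the "redact credentials" rule for the ORAS push have a concrete source.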
@@ -1,33 +1,44 @@ -# AGENTS -## Role -Deterministic merge and reconciliation engine; builds identity graph via aliases; applies precedence (PSIRT/OVAL > NVD; KEV flag only; regional feeds enrich); produces canonical advisory JSON and merge_event audit trail. -## Scope -- Identity: resolve advisory_key (prefer CVE, else PSIRT/Distro/JVN/BDU/GHSA/ICSA); unify aliases; detect collisions. -- Precedence: override rules for affected ranges (vendor PSIRT/OVAL over registry), enrichment-only feeds (CERTs/JVN/RU-CERT), KEV toggles exploitKnown only. -- Range comparers: RPM NEVRA comparer (epoch:version-release), Debian EVR comparer, SemVer range resolver; platform-aware selection. -- Merge algorithm: stable ordering, pure functions, idempotence; compute beforeHash/afterHash over canonical form; write merge_event. -- Conflict reporting: counters and logs for identity conflicts, reference merges, range overrides. -## Participants -- Storage.Mongo (reads raw mapped advisories, writes merged docs plus merge_event). -- Models (canonical types). -- Exporters (consume merged canonical). -- Core/WebService (jobs: merge:run, maybe per-kind). -## Interfaces & contracts -- AdvisoryMergeService.MergeAsync(ids or byKind): returns summary {processed, merged, overrides, conflicts}. -- Precedence table configurable but with sane defaults: RedHat/Ubuntu/Debian/SUSE > Vendor PSIRT > GHSA/OSV > NVD; CERTs enrich; KEV sets flags. -- Range selection uses comparers: NevraComparer, DebEvrComparer, SemVerRange; deterministic tie-breakers. -- Provenance propagation merges unique entries; references deduped by (url, type). - -## Configuration -- Precedence overrides bind via `concelier:merge:precedence:ranks` (dictionary of `source` → `rank`, lower wins). Absent entries fall back to defaults. -- Operator workflow: update `etc/concelier.yaml` or environment variables, restart merge job; overrides surface in metrics/logs as `AdvisoryOverride` entries. 
-## In/Out of scope -In: merge logic, precedence policy, hashing, event records, comparers. -Out: fetching/parsing, exporter packaging, signing. -## Observability & security expectations -- Metrics: merge.delta.count, merge.identity.conflicts, merge.range.overrides, merge.duration_ms. -- Logs: decisions (why replaced), keys involved, hashes; avoid dumping large blobs; redact secrets (none expected). -## Tests -- Author and review coverage in `../StellaOps.Concelier.Merge.Tests`. -- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. -- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. +# AGENTS +## Role +Deterministic merge and reconciliation engine; builds identity graph via aliases; applies precedence (PSIRT/OVAL > NVD; KEV flag only; regional feeds enrich); produces canonical advisory JSON and merge_event audit trail. +## Scope +- Identity: resolve advisory_key (prefer CVE, else PSIRT/Distro/JVN/BDU/GHSA/ICSA); unify aliases; detect collisions. +- Precedence: override rules for affected ranges (vendor PSIRT/OVAL over registry), enrichment-only feeds (CERTs/JVN/RU-CERT), KEV toggles exploitKnown only. +- Range comparers: RPM NEVRA comparer (epoch:version-release), Debian EVR comparer, SemVer range resolver; platform-aware selection. +- Merge algorithm: stable ordering, pure functions, idempotence; compute beforeHash/afterHash over canonical form; write merge_event. +- Conflict reporting: counters and logs for identity conflicts, reference merges, range overrides. +## Participants +- Storage.Mongo (reads raw mapped advisories, writes merged docs plus merge_event). +- Models (canonical types). +- Exporters (consume merged canonical). +- Core/WebService (jobs: merge:run, maybe per-kind). +## Interfaces & contracts +- AdvisoryMergeService.MergeAsync(ids or byKind): returns summary {processed, merged, overrides, conflicts}. 
+- Precedence table configurable but with sane defaults: RedHat/Ubuntu/Debian/SUSE > Vendor PSIRT > GHSA/OSV > NVD; CERTs enrich; KEV sets flags. +- Range selection uses comparers: NevraComparer, DebEvrComparer, SemVerRange; deterministic tie-breakers. +- Provenance propagation merges unique entries; references deduped by (url, type). + +## Configuration +- Precedence overrides bind via `concelier:merge:precedence:ranks` (dictionary of `source` → `rank`, lower wins). Absent entries fall back to defaults. +- Operator workflow: update `etc/concelier.yaml` or environment variables, restart merge job; overrides surface in metrics/logs as `AdvisoryOverride` entries. +## In/Out of scope +In: merge logic, precedence policy, hashing, event records, comparers. +Out: fetching/parsing, exporter packaging, signing. +## Observability & security expectations +- Metrics: merge.delta.count, merge.identity.conflicts, merge.range.overrides, merge.duration_ms. +- Logs: decisions (why replaced), keys involved, hashes; avoid dumping large blobs; redact secrets (none expected). +## Tests +- Author and review coverage in `../StellaOps.Concelier.Merge.Tests`. +- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. +- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. 
Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Models/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Models/AGENTS.md index 23beb90a..ba5edb95 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Models/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Models/AGENTS.md 
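Review bot: the Merge charter's new `## Required Reading` omits `docs/modules/concelier/operations/conflict-resolution.md`, which the Normalization charter added by this same patch lists as required, even though identity collisions, precedence and range overrides (the Scope and `## Configuration` sections of this hunk) are exactly where conflicts are resolved; add it here. The precedence default also now appears three times in one file (Role: `PSIRT/OVAL > NVD`; Scope: "vendor PSIRT/OVAL over registry"; Interfaces: `RedHat/Ubuntu/Debian/SUSE > Vendor PSIRT > GHSA/OSV > NVD`) alongside the `concelier:merge:precedence:ranks` override; state the table once under `## Configuration` and have the other mentions refer to it, otherwise the three will drift.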
@@ -1,30 +1,41 @@ -# AGENTS -## Role -Canonical data model for normalized advisories and all downstream serialization. Source of truth for merge/export. -## Scope -- Canonical types: Advisory, AdvisoryReference, CvssMetric, AffectedPackage, AffectedVersionRange, AdvisoryProvenance. -- Invariants: stable ordering, culture-invariant serialization, UTC timestamps, deterministic equality semantics. -- Field semantics: preserve all aliases/references; ranges per ecosystem (NEVRA/EVR/SemVer); provenance on every mapped field. -- Backward/forward compatibility: additive evolution; versioned DTOs where needed; no breaking field renames. -- Detailed field coverage documented in `CANONICAL_RECORDS.md`; update alongside model changes. -## Participants -- Source connectors map external DTOs into these types. -- Merge engine composes/overrides AffectedPackage sets and consolidates references/aliases. -- Exporters serialize canonical documents deterministically. -## Interfaces & contracts -- Null-object statics: Advisory.Empty, AdvisoryReference.Empty, CvssMetric.Empty. -- AffectedPackage.Type describes semantics (e.g., rpm, deb, cpe, semver). Identifier is stable (e.g., NEVRA, PURL, CPE). -- Version ranges list is ordered by introduction then fix; provenance identifies source/kind/value/recordedAt. -- Alias schemes must include CVE, GHSA, OSV, JVN/JVNDB, BDU, VU(CERT/CC), MSRC, CISCO-SA, ORACLE-CPU, APSB/APA, APPLE-HT, CHROMIUM-POST, VMSA, RHSA, USN, DSA, SUSE-SU, ICSA, CWE, CPE, PURL. -## In/Out of scope -In: data shapes, invariants, helpers for canonical serialization and comparison. -Out: fetching/parsing external schemas, storage, HTTP. -## Observability & security expectations -- No secrets; purely in-memory types. -- Provide debug renders for test snapshots (canonical JSON). -- Emit model version identifiers in logs when canonical structures change; keep adapters for older readers until deprecated. 
-## Tests -- Author and review coverage in `../StellaOps.Concelier.Models.Tests`. -- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. -- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. - +# AGENTS +## Role +Canonical data model for normalized advisories and all downstream serialization. Source of truth for merge/export. +## Scope +- Canonical types: Advisory, AdvisoryReference, CvssMetric, AffectedPackage, AffectedVersionRange, AdvisoryProvenance. +- Invariants: stable ordering, culture-invariant serialization, UTC timestamps, deterministic equality semantics. +- Field semantics: preserve all aliases/references; ranges per ecosystem (NEVRA/EVR/SemVer); provenance on every mapped field. +- Backward/forward compatibility: additive evolution; versioned DTOs where needed; no breaking field renames. +- Detailed field coverage documented in `CANONICAL_RECORDS.md`; update alongside model changes. +## Participants +- Source connectors map external DTOs into these types. +- Merge engine composes/overrides AffectedPackage sets and consolidates references/aliases. +- Exporters serialize canonical documents deterministically. +## Interfaces & contracts +- Null-object statics: Advisory.Empty, AdvisoryReference.Empty, CvssMetric.Empty. +- AffectedPackage.Type describes semantics (e.g., rpm, deb, cpe, semver). Identifier is stable (e.g., NEVRA, PURL, CPE). +- Version ranges list is ordered by introduction then fix; provenance identifies source/kind/value/recordedAt. +- Alias schemes must include CVE, GHSA, OSV, JVN/JVNDB, BDU, VU(CERT/CC), MSRC, CISCO-SA, ORACLE-CPU, APSB/APA, APPLE-HT, CHROMIUM-POST, VMSA, RHSA, USN, DSA, SUSE-SU, ICSA, CWE, CPE, PURL. +## In/Out of scope +In: data shapes, invariants, helpers for canonical serialization and comparison. +Out: fetching/parsing external schemas, storage, HTTP. 
+## Observability & security expectations +- No secrets; purely in-memory types. +- Provide debug renders for test snapshots (canonical JSON). +- Emit model version identifiers in logs when canonical structures change; keep adapters for older readers until deprecated. +## Tests +- Author and review coverage in `../StellaOps.Concelier.Models.Tests`. +- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. +- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. + + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Normalization/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Normalization/AGENTS.md new file mode 100644 index 00000000..9c5a7a1b --- /dev/null +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Normalization/AGENTS.md 
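Review bot: in the Models charter hunk, `## Required Reading` should include `CANONICAL_RECORDS.md`, which the Scope section of the same file says documents field coverage and must be updated alongside model changes; as written, a new contributor is sent to two platform documents but not to the model's own field reference. Working Agreement item 4 ("whenever contracts or workflows change") should also say explicitly that adding an alias scheme to the list in `## Interfaces & contracts` counts as a contract change, since that list is what connectors and the merge engine key on.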
@@ -0,0 +1,27 @@ +# Concelier Normalization Guild Charter + +## Mission +Maintain helper utilities that normalise upstream advisory payloads into Concelier’s immutable observation/linkset structures while respecting the Aggregation-Only Contract. The goal is to provide consistent field extraction and canonicalisation without introducing derived data or losing provenance. + +## Scope +- Shared normalization helpers in `StellaOps.Concelier.Normalization`. +- Field mappers (identifiers, products, references) reused by connectors. +- Canonical JSON serialization rules (sorting, formatting, timestamp normalisation). +- Schema evolution helpers tied to `advisory_raw` / `linkset` documents. + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/ingestion/aggregation-only-contract.md` +- `docs/modules/concelier/operations/conflict-resolution.md` +- `docs/modules/concelier/operations/connectors/*` (to understand per-source nuances) +- `docs/modules/concelier/design/` materials if referenced by tasks. + +## Working Agreement +1. **Synchronise status** in both `docs/implplan/SPRINTS.md` and `TASKS.md` when starting/finishing tasks. +2. **AOC compliance**: avoid adding severity, consensus, fix hints, or other derived fields—output raw upstream data plus provenance. +3. **Deterministic outputs**: enforce stable ordering (sorted arrays/objects), UTC timestamps, lowercase enum values as documented. +4. **Shared API stability**: version helpers when breaking changes are needed; communicate with connector guilds. +5. **Testing**: extend golden fixtures & property tests to catch regressions; ensure CI covers multi-source scenarios. +6. **Documentation**: update developer notes (add/refresh doc under `docs/modules/concelier`) when normalization contracts change. + +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. 
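Review bot: the last line of this new file (`+- 1. Update task status to ...`) is a stray duplicate of Working Agreement item 1 in the `- N.` style used by the other charters, sitting after item 6 and outside the numbered list; drop it. Separately, the Required Reading bullet `docs/modules/concelier/design/ materials if referenced by tasks` is a conditional rather than a reading-list entry; either name the specific documents or remove the bullet.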
diff --git a/src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/AGENTS.md b/src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/AGENTS.md index b60532c6..2352c558 100644 --- a/src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/AGENTS.md +++ b/src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/AGENTS.md 
@@ -1,29 +1,40 @@ -# AGENTS -## Role -Canonical persistence for raw documents, DTOs, canonical advisories, jobs, and state. Provides repositories and bootstrapper for collections/indexes. -## Scope -- Collections (MongoStorageDefaults): source, source_state, document, dto, advisory, alias, affected, reference, kev_flag, ru_flags, jp_flags, psirt_flags, merge_event, export_state, locks, jobs; GridFS bucket fs.documents; field names include ttlAt (locks), sourceName, uri, advisoryKey. -- Records: SourceState (cursor, lastSuccess/error, failCount, backoffUntil), JobRun, MergeEvent, ExportState, Advisory documents mirroring Models with embedded arrays when practical. -- Bootstrapper: create collections, indexes (unique advisoryKey, scheme/value, platform/name, published, modified), TTL on locks, and validate connectivity for /ready health probes. -- Job store: create, read, mark completed/failed; compute durations; recent/last queries; active by status. -- Advisory store: CRUD for canonical advisories; query by key/alias and list for exporters with deterministic paging. -## Participants -- Core jobs read/write runs and leases; WebService /ready pings database; /jobs APIs query runs/definitions. -- Source connectors store raw docs, DTOs, and mapped canonical advisories with provenance; Update SourceState cursor/backoff. -- Exporters read advisories and write export_state. -## Interfaces & contracts -- IMongoDatabase injected; MongoUrl from options; database name from options or MongoUrl or default "concelier". -- Repositories expose async methods with CancellationToken; deterministic sorting. -- All date/time values stored as UTC; identifiers normalized. -## In/Out of scope -In: persistence, bootstrap, indexes, basic query helpers. -Out: business mapping logic, HTTP, packaging. -## Observability & security expectations -- Log collection/index creation; warn on existing mismatches. -- Timeouts and retry policies; avoid unbounded scans; page reads. 
-- Do not log DSNs with credentials; redact in diagnostics. -## Tests -- Author and review coverage in `../StellaOps.Concelier.Storage.Mongo.Tests`. -- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. -- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. - +# AGENTS +## Role +Canonical persistence for raw documents, DTOs, canonical advisories, jobs, and state. Provides repositories and bootstrapper for collections/indexes. +## Scope +- Collections (MongoStorageDefaults): source, source_state, document, dto, advisory, alias, affected, reference, kev_flag, ru_flags, jp_flags, psirt_flags, merge_event, export_state, locks, jobs; GridFS bucket fs.documents; field names include ttlAt (locks), sourceName, uri, advisoryKey. +- Records: SourceState (cursor, lastSuccess/error, failCount, backoffUntil), JobRun, MergeEvent, ExportState, Advisory documents mirroring Models with embedded arrays when practical. +- Bootstrapper: create collections, indexes (unique advisoryKey, scheme/value, platform/name, published, modified), TTL on locks, and validate connectivity for /ready health probes. +- Job store: create, read, mark completed/failed; compute durations; recent/last queries; active by status. +- Advisory store: CRUD for canonical advisories; query by key/alias and list for exporters with deterministic paging. +## Participants +- Core jobs read/write runs and leases; WebService /ready pings database; /jobs APIs query runs/definitions. +- Source connectors store raw docs, DTOs, and mapped canonical advisories with provenance; Update SourceState cursor/backoff. +- Exporters read advisories and write export_state. +## Interfaces & contracts +- IMongoDatabase injected; MongoUrl from options; database name from options or MongoUrl or default "concelier". +- Repositories expose async methods with CancellationToken; deterministic sorting. 
+- All date/time values stored as UTC; identifiers normalized. +## In/Out of scope +In: persistence, bootstrap, indexes, basic query helpers. +Out: business mapping logic, HTTP, packaging. +## Observability & security expectations +- Log collection/index creation; warn on existing mismatches. +- Timeouts and retry policies; avoid unbounded scans; page reads. +- Do not log DSNs with credentials; redact in diagnostics. +## Tests +- Author and review coverage in `../StellaOps.Concelier.Storage.Mongo.Tests`. +- Shared fixtures (e.g., `MongoIntegrationFixture`, `ConnectorTestHarness`) live in `../StellaOps.Concelier.Testing`. +- Keep fixtures deterministic; match new cases to real-world advisories or regression scenarios. + + +## Required Reading +- `docs/modules/concelier/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/DevPortal/StellaOps.DevPortal.Site/AGENTS.md b/src/DevPortal/StellaOps.DevPortal.Site/AGENTS.md index acb78db8..83fe855b 100644 --- a/src/DevPortal/StellaOps.DevPortal.Site/AGENTS.md +++ b/src/DevPortal/StellaOps.DevPortal.Site/AGENTS.md 
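Review bot: the appended `## Working Agreement` in the Storage.Mongo hunk uses `- 1.`, `- 2.` markers, which Markdown renders as a bulleted list whose items merely begin with a number, while the Normalization and Excititor mirror charters in this patch use a plain `1.` ordered list; pick one style for all charters, and the plain ordered list is the one that renders as intended. On substance, item 3's "stable ordering, timestamps, hashes" restates the existing "deterministic sorting" and "All date/time values stored as UTC" bullets in `## Interfaces & contracts`; refer to those rather than duplicating them, so there is one place to update when the storage invariants change.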
@@ -1,15 +1,26 @@ -# Developer Portal Guild Charter - -## Mission -Deliver the StellaOps developer portal with interactive API reference, SDK documentation, runnable examples, and offline export capability. - -## Scope -- Static site generator integrating OpenAPI specs, code examples, and SDK docs. -- Search, schema diagrams, try-it console (non-prod), copy-curl snippets. -- Version selector for API major versions and changelog integration. -- Offline bundle build compatible with air-gapped environments. - -## Definition of Done -- Portal rebuilds deterministically from specs/examples; CI publishes artifacts. -- Search, schema visuals, examples verified via automated tests. -- Offline bundle renders without external dependencies. +# Developer Portal Guild Charter + +## Mission +Deliver the StellaOps developer portal with interactive API reference, SDK documentation, runnable examples, and offline export capability. + +## Scope +- Static site generator integrating OpenAPI specs, code examples, and SDK docs. +- Search, schema diagrams, try-it console (non-prod), copy-curl snippets. +- Version selector for API major versions and changelog integration. +- Offline bundle build compatible with air-gapped environments. + +## Definition of Done +- Portal rebuilds deterministically from specs/examples; CI publishes artifacts. +- Search, schema visuals, examples verified via automated tests. +- Offline bundle renders without external dependencies. + +## Required Reading +- `docs/modules/platform/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. 
Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/EvidenceLocker/StellaOps.EvidenceLocker/AGENTS.md b/src/EvidenceLocker/StellaOps.EvidenceLocker/AGENTS.md index b32d93e5..75873b96 100644 --- a/src/EvidenceLocker/StellaOps.EvidenceLocker/AGENTS.md +++ b/src/EvidenceLocker/StellaOps.EvidenceLocker/AGENTS.md 
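Review bot: the DevPortal `## Required Reading` cites both `docs/modules/platform/architecture.md` and `docs/modules/platform/architecture-overview.md`, while every Concelier charter in this patch cites only `architecture-overview.md`; verify both files exist at those paths, since the names differ only by suffix and the first looks like a typo for the module's own architecture document. The generic Working Agreement item 3 also adds nothing here beyond the existing Definition of Done ("rebuilds deterministically from specs/examples", "offline bundle renders without external dependencies") unless it says what determinism means for a generated site; otherwise drop it in favour of the DoD bullets.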
@@ -1,28 +1,39 @@ -# Evidence Locker Service — Agent Charter - -## Mission -Implement the append-only, tenant-scoped evidence locker detailed in Epic 15. Produce immutable evidence bundles, manage legal holds, and expose verification APIs for Console and CLI consumers under the imposed rule. - -## Responsibilities -- Define object store layout, metadata DB schemas, and retention policies. -- Build bundle assembly pipelines (evaluation, job, export) with Merkle manifests and DSSE signing. -- Provide verification, download, and legal hold APIs with audit trails. -- Integrate with Timeline Indexer, Exporter, Orchestrator, Policy Engine, Concelier, and Excitator for provenance linking. - -## Coordination -- Work with Provenance Guild for signature tooling. -- Partner with DevOps Guild on storage backends and WORM options. -- Align with Security Guild on redaction and access enforcement. - -## Definition of Done -- Deterministic bundle generation proven via integration tests. -- Object store interactions tested in offline mode. -- Runbooks in `/docs/forensics/evidence-locker.md` updated per release. - -## Module Layout -- `StellaOps.EvidenceLocker.Core/` — domain models, bundle contracts, deterministic hashing helpers. -- `StellaOps.EvidenceLocker.Infrastructure/` — storage abstractions, persistence plumbing, and external integrations. -- `StellaOps.EvidenceLocker.WebService/` — HTTP entry points (minimal API host, OpenAPI, auth). -- `StellaOps.EvidenceLocker.Worker/` — background assembly/verification pipelines. -- `StellaOps.EvidenceLocker.Tests/` — unit tests (xUnit) for core/infrastructure components. -- `StellaOps.EvidenceLocker.sln` — solution aggregating the module projects. +# Evidence Locker Service — Agent Charter + +## Mission +Implement the append-only, tenant-scoped evidence locker detailed in Epic 15. Produce immutable evidence bundles, manage legal holds, and expose verification APIs for Console and CLI consumers under the imposed rule. 
+ +## Responsibilities +- Define object store layout, metadata DB schemas, and retention policies. +- Build bundle assembly pipelines (evaluation, job, export) with Merkle manifests and DSSE signing. +- Provide verification, download, and legal hold APIs with audit trails. +- Integrate with Timeline Indexer, Exporter, Orchestrator, Policy Engine, Concelier, and Excitator for provenance linking. + +## Coordination +- Work with Provenance Guild for signature tooling. +- Partner with DevOps Guild on storage backends and WORM options. +- Align with Security Guild on redaction and access enforcement. + +## Definition of Done +- Deterministic bundle generation proven via integration tests. +- Object store interactions tested in offline mode. +- Runbooks in `/docs/forensics/evidence-locker.md` updated per release. + +## Module Layout +- `StellaOps.EvidenceLocker.Core/` — domain models, bundle contracts, deterministic hashing helpers. +- `StellaOps.EvidenceLocker.Infrastructure/` — storage abstractions, persistence plumbing, and external integrations. +- `StellaOps.EvidenceLocker.WebService/` — HTTP entry points (minimal API host, OpenAPI, auth). +- `StellaOps.EvidenceLocker.Worker/` — background assembly/verification pipelines. +- `StellaOps.EvidenceLocker.Tests/` — unit tests (xUnit) for core/infrastructure components. +- `StellaOps.EvidenceLocker.sln` — solution aggregating the module projects. + +## Required Reading +- `docs/modules/export-center/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. 
Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/AGENTS.md b/src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/AGENTS.md new file mode 100644 index 00000000..6d6cda82 --- /dev/null +++ b/src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/AGENTS.md 
@@ -0,0 +1,25 @@ +# Excititor Mirror Connector Charter + +## Mission +Ingest StellaOps VEX mirror bundles into Excititor, converting them into immutable VEX observations without applying consensus or suppression. The connector must honour the Aggregation-Only Contract, maintain provenance, and support offline replay and incremental updates. + +## Scope +- Code in `StellaOps.Excititor.Connectors.StellaOpsMirror`. +- Bundle validation (signatures, manifests, Merkle roots) and cursor management. +- Integration with Excititor storage and Surface/VEX Lens consumers. +- Test fixtures demonstrating deterministic ingest across bundle versions. + +## Required Reading +- `docs/modules/excititor/architecture.md` +- `docs/ingestion/aggregation-only-contract.md` +- `docs/modules/excititor/operations/mirror.md` (if available; otherwise coordinate with Docs to add details) +- `docs/modules/airgap/airgap-mode.md` +- `docs/modules/concelier/operations/mirror.md` (shared mirror concepts) + +## Working Agreement +1. **Status updates**: set tasks to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and local `TASKS.md` when work starts/finishes. +2. **Provenance preservation**: record bundle IDs, digests, and time anchors in stored observations; avoid derived fields. +3. **Deterministic replay**: ensure repeated imports of the same bundle produce identical documents; handle supersedes and delta bundles gracefully. +4. **Offline readiness**: no external network calls; provide clear errors for invalid or stale bundles. +5. **Testing**: maintain mirror fixtures covering full/delta bundles, supersedes chains, and failure cases. +6. **Documentation**: coordinate updates to mirror connector docs and release notes when behaviour or configuration changes. diff --git a/src/Excititor/StellaOps.Excititor.WebService/AGENTS.md b/src/Excititor/StellaOps.Excititor.WebService/AGENTS.md index 790102c2..e370fcf9 100644 --- a/src/Excititor/StellaOps.Excititor.WebService/AGENTS.md 
+++ b/src/Excititor/StellaOps.Excititor.WebService/AGENTS.md 
@@ -1,25 +1,36 @@ -# AGENTS -## Role -ASP.NET Minimal API surface for Excititor ingest, provider administration, reconciliation, export, and verification flows. -## Scope -- Program bootstrap, DI wiring for connectors/normalizers/export/attestation/policy/storage. -- HTTP endpoints `/excititor/*` with authentication, authorization scopes, request validation, and deterministic responses. -- Job orchestration bridges for Worker hand-off (when co-hosted) and offline-friendly configuration. -- Observability (structured logs, metrics, tracing) aligned with StellaOps conventions. -## Participants -- StellaOps.Cli sends `excititor` verbs to this service via token-authenticated HTTPS. -- Worker receives scheduled jobs and uses shared infrastructure via common DI extensions. -- Authority service provides tokens; WebService enforces scopes before executing operations. -## Interfaces & contracts -- DTOs for ingest/export requests, run metadata, provider management. -- Background job interfaces for ingest/resume/reconcile triggering. -- Health/status endpoints exposing pull/export history and current policy revision. -## In/Out of scope -In: HTTP hosting, request orchestration, DI composition, auth/authorization, logging. -Out: long-running ingestion loops (Worker), export rendering (Export module), connector implementations. -## Observability & security expectations -- Enforce bearer token scopes, enforce audit logging (request/response correlation IDs, provider IDs). -- Emit structured events for ingest runs, export invocations, attestation references. -- Provide built-in counters/histograms for latency and throughput. -## Tests -- Minimal API contract/unit tests and integration harness will live in `../StellaOps.Excititor.WebService.Tests`. +# AGENTS +## Role +ASP.NET Minimal API surface for Excititor ingest, provider administration, reconciliation, export, and verification flows. 
+## Scope +- Program bootstrap, DI wiring for connectors/normalizers/export/attestation/policy/storage. +- HTTP endpoints `/excititor/*` with authentication, authorization scopes, request validation, and deterministic responses. +- Job orchestration bridges for Worker hand-off (when co-hosted) and offline-friendly configuration. +- Observability (structured logs, metrics, tracing) aligned with StellaOps conventions. +## Participants +- StellaOps.Cli sends `excititor` verbs to this service via token-authenticated HTTPS. +- Worker receives scheduled jobs and uses shared infrastructure via common DI extensions. +- Authority service provides tokens; WebService enforces scopes before executing operations. +## Interfaces & contracts +- DTOs for ingest/export requests, run metadata, provider management. +- Background job interfaces for ingest/resume/reconcile triggering. +- Health/status endpoints exposing pull/export history and current policy revision. +## In/Out of scope +In: HTTP hosting, request orchestration, DI composition, auth/authorization, logging. +Out: long-running ingestion loops (Worker), export rendering (Export module), connector implementations. +## Observability & security expectations +- Enforce bearer token scopes, enforce audit logging (request/response correlation IDs, provider IDs). +- Emit structured events for ingest runs, export invocations, attestation references. +- Provide built-in counters/histograms for latency and throughput. +## Tests +- Minimal API contract/unit tests and integration harness will live in `../StellaOps.Excititor.WebService.Tests`. + +## Required Reading +- `docs/modules/excititor/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. 
Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Excititor/StellaOps.Excititor.Worker/AGENTS.md b/src/Excititor/StellaOps.Excititor.Worker/AGENTS.md index bb042579..a9a6d2a3 100644 --- a/src/Excititor/StellaOps.Excititor.Worker/AGENTS.md +++ b/src/Excititor/StellaOps.Excititor.Worker/AGENTS.md 
@@ -1,23 +1,34 @@ -# AGENTS -## Role -Background processing host coordinating scheduled pulls, retries, reconciliation, verification, and cache maintenance for Excititor. -## Scope -- Hosted service (Worker Service) wiring timers/queues for provider pulls and reconciliation cycles. -- Resume token management, retry policies, and failure quarantines for connectors. -- Re-verification of stored attestations and cache garbage collection routines. -- Operational metrics and structured logging for offline-friendly monitoring. -## Participants -- Triggered by WebService job requests or internal schedules to run connector pulls. -- Collaborates with Storage.Mongo repositories and Attestation verification utilities. -- Emits telemetry consumed by observability stack and CLI status queries. -## Interfaces & contracts -- Scheduler abstractions, provider run controllers, retry/backoff strategies, and queue processors. -- Hooks for policy revision changes and cache GC thresholds. -## In/Out of scope -In: background orchestration, job lifecycle management, observability for worker operations. -Out: HTTP endpoint definitions, domain modeling, connector-specific parsing logic. -## Observability & security expectations -- Publish metrics for pull latency, failure counts, retry depth, cache size, and verification outcomes. -- Log correlation IDs & provider IDs; avoid leaking secret config values. -## Tests -- Worker orchestration tests, timer controls, and retry behavior will live in `../StellaOps.Excititor.Worker.Tests`. +# AGENTS +## Role +Background processing host coordinating scheduled pulls, retries, reconciliation, verification, and cache maintenance for Excititor. +## Scope +- Hosted service (Worker Service) wiring timers/queues for provider pulls and reconciliation cycles. +- Resume token management, retry policies, and failure quarantines for connectors. +- Re-verification of stored attestations and cache garbage collection routines. 
+- Operational metrics and structured logging for offline-friendly monitoring. +## Participants +- Triggered by WebService job requests or internal schedules to run connector pulls. +- Collaborates with Storage.Mongo repositories and Attestation verification utilities. +- Emits telemetry consumed by observability stack and CLI status queries. +## Interfaces & contracts +- Scheduler abstractions, provider run controllers, retry/backoff strategies, and queue processors. +- Hooks for policy revision changes and cache GC thresholds. +## In/Out of scope +In: background orchestration, job lifecycle management, observability for worker operations. +Out: HTTP endpoint definitions, domain modeling, connector-specific parsing logic. +## Observability & security expectations +- Publish metrics for pull latency, failure counts, retry depth, cache size, and verification outcomes. +- Log correlation IDs & provider IDs; avoid leaking secret config values. +## Tests +- Worker orchestration tests, timer controls, and retry behavior will live in `../StellaOps.Excititor.Worker.Tests`. + +## Required Reading +- `docs/modules/excititor/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Attestation/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Attestation/AGENTS.md index 5ce4b59f..e97cb7ef 100644 
--- a/src/Excititor/__Libraries/StellaOps.Excititor.Attestation/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Attestation/AGENTS.md 
@@ -1,23 +1,34 @@ -# AGENTS -## Role -Builds and verifies in-toto/DSSE attestations for Excititor exports and integrates with Rekor v2 transparency logs. -## Scope -- Attestation envelope builders, signing workflows (keyless/keyed), and predicate model definitions. -- Rekor v2 client implementation (submit, verify, poll inclusion) with retry/backoff policies. -- Verification utilities reused by Worker for periodic revalidation. -- Configuration bindings for signer identity, Rekor endpoints, and offline bundle operation. -## Participants -- Export module calls into this layer to generate attestations after export artifacts are produced. -- WebService and Worker consume verification helpers to ensure stored envelopes remain valid. -- CLI `excititor verify` leverages verification services through WebService endpoints. -## Interfaces & contracts -- `IExportAttestor`, `ITransparencyLogClient`, predicate DTOs, and verification result records. -- Extension methods to register attestation services in DI across WebService/Worker. -## In/Out of scope -In: attestation creation, verification, Rekor integration, signer configuration. -Out: export artifact generation, storage persistence, CLI interaction layers. -## Observability & security expectations -- Structured logs for signing/verification with envelope digest, Rekor URI, and latency; never log private keys. -- Metrics for attestation successes/failures and Rekor submission durations. -## Tests -- Unit tests and integration stubs (with fake Rekor) will live in `../StellaOps.Excititor.Attestation.Tests`. +# AGENTS +## Role +Builds and verifies in-toto/DSSE attestations for Excititor exports and integrates with Rekor v2 transparency logs. +## Scope +- Attestation envelope builders, signing workflows (keyless/keyed), and predicate model definitions. +- Rekor v2 client implementation (submit, verify, poll inclusion) with retry/backoff policies. +- Verification utilities reused by Worker for periodic revalidation. 
+- Configuration bindings for signer identity, Rekor endpoints, and offline bundle operation. +## Participants +- Export module calls into this layer to generate attestations after export artifacts are produced. +- WebService and Worker consume verification helpers to ensure stored envelopes remain valid. +- CLI `excititor verify` leverages verification services through WebService endpoints. +## Interfaces & contracts +- `IExportAttestor`, `ITransparencyLogClient`, predicate DTOs, and verification result records. +- Extension methods to register attestation services in DI across WebService/Worker. +## In/Out of scope +In: attestation creation, verification, Rekor integration, signer configuration. +Out: export artifact generation, storage persistence, CLI interaction layers. +## Observability & security expectations +- Structured logs for signing/verification with envelope digest, Rekor URI, and latency; never log private keys. +- Metrics for attestation successes/failures and Rekor submission durations. +## Tests +- Unit tests and integration stubs (with fake Rekor) will live in `../StellaOps.Excititor.Attestation.Tests`. + +## Required Reading +- `docs/modules/excititor/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. 
diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/AGENTS.md index 7d428357..7c9fde12 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/AGENTS.md 
@@ -1,22 +1,33 @@ -# AGENTS -## Role -Defines shared connector infrastructure for Excititor, including base contexts, result contracts, configuration binding, and helper utilities reused by all connector plug-ins. -## Scope -- `IVexConnector` context implementation, raw store helpers, verification hooks, and telemetry utilities. -- Configuration primitives (YAML parsing, secrets handling guidelines) and options validation. -- Connector lifecycle helpers for retries, paging, `.well-known` discovery, and resume markers. -- Documentation for connector packaging, plugin manifest metadata, and DI registration (see `docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md` and `docs/dev/templates/excititor-connector/`). -## Participants -- All Excititor connector projects reference this module to obtain base classes and context services. -- WebService/Worker instantiate connectors via plugin loader leveraging abstractions defined here. -## Interfaces & contracts -- Connector context, result, and telemetry interfaces; `VexConnectorDescriptor`, `VexConnectorBase`, options binder/validators, authentication helpers. -- Utility classes for HTTP clients, throttling, and deterministic logging. -## In/Out of scope -In: shared abstractions, helper utilities, configuration binding, documentation for connector authors. -Out: provider-specific logic (implemented in individual connector modules), storage persistence, HTTP host code. -## Observability & security expectations -- Provide structured logging helpers, correlation IDs, and metrics instrumentation toggles for connectors. -- Enforce redaction of secrets in logs and config dumps. -## Tests -- Abstraction/unit tests will live in `../StellaOps.Excititor.Connectors.Abstractions.Tests`, covering default behaviors and sample harness. +# AGENTS +## Role +Defines shared connector infrastructure for Excititor, including base contexts, result contracts, configuration binding, and helper utilities reused by all connector plug-ins. 
+## Scope +- `IVexConnector` context implementation, raw store helpers, verification hooks, and telemetry utilities. +- Configuration primitives (YAML parsing, secrets handling guidelines) and options validation. +- Connector lifecycle helpers for retries, paging, `.well-known` discovery, and resume markers. +- Documentation for connector packaging, plugin manifest metadata, and DI registration (see `docs/dev/30_EXCITITOR_CONNECTOR_GUIDE.md` and `docs/dev/templates/excititor-connector/`). +## Participants +- All Excititor connector projects reference this module to obtain base classes and context services. +- WebService/Worker instantiate connectors via plugin loader leveraging abstractions defined here. +## Interfaces & contracts +- Connector context, result, and telemetry interfaces; `VexConnectorDescriptor`, `VexConnectorBase`, options binder/validators, authentication helpers. +- Utility classes for HTTP clients, throttling, and deterministic logging. +## In/Out of scope +In: shared abstractions, helper utilities, configuration binding, documentation for connector authors. +Out: provider-specific logic (implemented in individual connector modules), storage persistence, HTTP host code. +## Observability & security expectations +- Provide structured logging helpers, correlation IDs, and metrics instrumentation toggles for connectors. +- Enforce redaction of secrets in logs and config dumps. +## Tests +- Abstraction/unit tests will live in `../StellaOps.Excititor.Connectors.Abstractions.Tests`, covering default behaviors and sample harness. + +## Required Reading +- `docs/modules/excititor/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. 
Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/AGENTS.md index 0c632160..dcb4ccbf 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Cisco.CSAF/AGENTS.md 
@@ -1,23 +1,34 @@ -# AGENTS -## Role -Connector responsible for ingesting Cisco CSAF VEX advisories and handing raw documents to normalizers with Cisco-specific metadata. -## Scope -- Discovery of Cisco CSAF collection endpoints, authentication (when required), and pagination routines. -- HTTP retries/backoff, checksum verification, and document deduplication before storage. -- Mapping Cisco advisory identifiers, product hierarchies, and severity hints into connector metadata. -- Surfacing provider trust configuration aligned with policy expectations. -## Participants -- Worker drives scheduled pulls; WebService may trigger manual runs. -- CSAF normalizer consumes raw documents to emit claims. -- Policy module references connector trust hints (e.g., Cisco signing identities). -## Interfaces & contracts -- Implements `IVexConnector` using shared abstractions for HTTP/resume handling. -- Provides options for API tokens, rate limits, and concurrency. -## In/Out of scope -In: data fetching, provider metadata, retry controls, raw document persistence. -Out: normalization/export, attestation, Mongo wiring (handled in other modules). -## Observability & security expectations -- Log fetch batches with document counts/durations; mask credentials. -- Emit metrics for rate-limit hits, retries, and quarantine events. -## Tests -- Unit tests plus HTTP harness fixtures will live in `../StellaOps.Excititor.Connectors.Cisco.CSAF.Tests`. +# AGENTS +## Role +Connector responsible for ingesting Cisco CSAF VEX advisories and handing raw documents to normalizers with Cisco-specific metadata. +## Scope +- Discovery of Cisco CSAF collection endpoints, authentication (when required), and pagination routines. +- HTTP retries/backoff, checksum verification, and document deduplication before storage. +- Mapping Cisco advisory identifiers, product hierarchies, and severity hints into connector metadata. +- Surfacing provider trust configuration aligned with policy expectations. 
+## Participants +- Worker drives scheduled pulls; WebService may trigger manual runs. +- CSAF normalizer consumes raw documents to emit claims. +- Policy module references connector trust hints (e.g., Cisco signing identities). +## Interfaces & contracts +- Implements `IVexConnector` using shared abstractions for HTTP/resume handling. +- Provides options for API tokens, rate limits, and concurrency. +## In/Out of scope +In: data fetching, provider metadata, retry controls, raw document persistence. +Out: normalization/export, attestation, Mongo wiring (handled in other modules). +## Observability & security expectations +- Log fetch batches with document counts/durations; mask credentials. +- Emit metrics for rate-limit hits, retries, and quarantine events. +## Tests +- Unit tests plus HTTP harness fixtures will live in `../StellaOps.Excititor.Connectors.Cisco.CSAF.Tests`. + +## Required Reading +- `docs/modules/excititor/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/AGENTS.md index 7d4abf20..1f075579 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/AGENTS.md 
@@ -1,23 +1,34 @@ -# AGENTS -## Role -Connector for Microsoft Security Response Center (MSRC) CSAF advisories, handling authenticated downloads, throttling, and raw document persistence. -## Scope -- MSRC API onboarding (AAD client credentials), metadata discovery, and CSAF listing retrieval. -- Download pipeline with retry/backoff, checksum validation, and document deduplication. -- Mapping MSRC-specific identifiers (CVE, ADV, KB) and remediation guidance into connector metadata. -- Emitting trust metadata (AAD issuer, signing certificates) for policy weighting. -## Participants -- Worker schedules MSRC pulls honoring rate limits; WebService may trigger manual runs for urgent updates. -- CSAF normalizer processes retrieved documents into claims. -- Policy subsystem references connector trust hints for consensus scoring. -## Interfaces & contracts -- Implements `IVexConnector`, requires configuration options for tenant/client/secret or managed identity. -- Uses shared HTTP helpers, resume markers, and telemetry from Abstractions module. -## In/Out of scope -In: authenticated fetching, raw document storage, metadata mapping, retry logic. -Out: normalization/export, attestation, storage implementations (handled elsewhere). -## Observability & security expectations -- Log request batches, rate-limit responses, and token refresh events without leaking secrets. -- Track metrics for documents fetched, retries, and failure categories. -## Tests -- Connector tests with mocked MSRC endpoints and AAD token flow will live in `../StellaOps.Excititor.Connectors.MSRC.CSAF.Tests`. +# AGENTS +## Role +Connector for Microsoft Security Response Center (MSRC) CSAF advisories, handling authenticated downloads, throttling, and raw document persistence. +## Scope +- MSRC API onboarding (AAD client credentials), metadata discovery, and CSAF listing retrieval. +- Download pipeline with retry/backoff, checksum validation, and document deduplication. 
+- Mapping MSRC-specific identifiers (CVE, ADV, KB) and remediation guidance into connector metadata. +- Emitting trust metadata (AAD issuer, signing certificates) for policy weighting. +## Participants +- Worker schedules MSRC pulls honoring rate limits; WebService may trigger manual runs for urgent updates. +- CSAF normalizer processes retrieved documents into claims. +- Policy subsystem references connector trust hints for consensus scoring. +## Interfaces & contracts +- Implements `IVexConnector`, requires configuration options for tenant/client/secret or managed identity. +- Uses shared HTTP helpers, resume markers, and telemetry from Abstractions module. +## In/Out of scope +In: authenticated fetching, raw document storage, metadata mapping, retry logic. +Out: normalization/export, attestation, storage implementations (handled elsewhere). +## Observability & security expectations +- Log request batches, rate-limit responses, and token refresh events without leaking secrets. +- Track metrics for documents fetched, retries, and failure categories. +## Tests +- Connector tests with mocked MSRC endpoints and AAD token flow will live in `../StellaOps.Excititor.Connectors.MSRC.CSAF.Tests`. + +## Required Reading +- `docs/modules/excititor/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. 
diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/AGENTS.md index 19e43061..9e321d72 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest/AGENTS.md 
@@ -1,23 +1,34 @@ -# AGENTS -## Role -Connector for OCI registry OpenVEX attestations, discovering images, downloading attestations, and projecting statements into raw storage. -## Scope -- OCI registry discovery, authentication (cosign OIDC/key), and ref resolution for provided image digests/tags. -- Fetching DSSE envelopes, verifying signatures (delegated to Attestation module), and persisting raw statements. -- Mapping OCI manifest metadata (repository, digest, subject) to connector provenance. -- Managing offline bundles that seed attestations without registry access. -## Participants -- Worker schedules polls for configured registries/images; WebService supports manual refresh. -- OpenVEX normalizer consumes statements to create claims. -- Attestation module is reused to verify upstream envelopes prior to storage. -## Interfaces & contracts -- Implements `IVexConnector` with options for image list, auth, parallelism, and offline file seeds. -- Utilizes shared abstractions for retries, telemetry, and resume markers. -## In/Out of scope -In: OCI interaction, attestation retrieval, verification trigger, raw persistence. -Out: normalization/export, policy evaluation, storage implementation. -## Observability & security expectations -- Log image references, attestation counts, verification outcomes; redact credentials. -- Emit metrics for attestation reuse ratio, verification duration, and failures. -## Tests -- Connector tests with mock OCI registry/attestation responses will live in `../StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest.Tests`. +# AGENTS +## Role +Connector for OCI registry OpenVEX attestations, discovering images, downloading attestations, and projecting statements into raw storage. +## Scope +- OCI registry discovery, authentication (cosign OIDC/key), and ref resolution for provided image digests/tags. +- Fetching DSSE envelopes, verifying signatures (delegated to Attestation module), and persisting raw statements. 
+- Mapping OCI manifest metadata (repository, digest, subject) to connector provenance. +- Managing offline bundles that seed attestations without registry access. +## Participants +- Worker schedules polls for configured registries/images; WebService supports manual refresh. +- OpenVEX normalizer consumes statements to create claims. +- Attestation module is reused to verify upstream envelopes prior to storage. +## Interfaces & contracts +- Implements `IVexConnector` with options for image list, auth, parallelism, and offline file seeds. +- Utilizes shared abstractions for retries, telemetry, and resume markers. +## In/Out of scope +In: OCI interaction, attestation retrieval, verification trigger, raw persistence. +Out: normalization/export, policy evaluation, storage implementation. +## Observability & security expectations +- Log image references, attestation counts, verification outcomes; redact credentials. +- Emit metrics for attestation reuse ratio, verification duration, and failures. +## Tests +- Connector tests with mock OCI registry/attestation responses will live in `../StellaOps.Excititor.Connectors.OCI.OpenVEX.Attest.Tests`. + +## Required Reading +- `docs/modules/excititor/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. 
diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/AGENTS.md index d65ccf14..6f2a9e37 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/AGENTS.md 
@@ -1,23 +1,34 @@ -# AGENTS -## Role -Connector for Oracle CSAF advisories, including CPU and other bulletin releases, projecting documents into raw storage for normalization. -## Scope -- Discovery of Oracle CSAF catalogue, navigation of quarterly CPU bundles, and delta detection. -- HTTP fetch with retry/backoff, checksum validation, and deduplication across revisions. -- Mapping Oracle advisory metadata (CPU ID, component families) into connector context. -- Publishing trust metadata (PGP keys/cosign options) aligned with policy expectations. -## Participants -- Worker orchestrates regular pulls respecting Oracle publication cadence; WebService offers manual triggers. -- CSAF normalizer processes raw documents to claims. -- Policy engine leverages trust metadata and provenance hints. -## Interfaces & contracts -- Implements `IVexConnector` using shared abstractions for HTTP/resume and telemetry. -- Configuration options for CPU schedule, credentials (if required), and offline snapshot ingestion. -## In/Out of scope -In: fetching, metadata mapping, raw persistence, trust hints. -Out: normalization, storage internals, export/attestation flows. -## Observability & security expectations -- Log CPU release windows, document counts, and fetch durations; redact any secrets. -- Emit metrics for deduped vs new documents and quarantine rates. -## Tests -- Harness tests with mocked Oracle catalogues will live in `../StellaOps.Excititor.Connectors.Oracle.CSAF.Tests`. +# AGENTS +## Role +Connector for Oracle CSAF advisories, including CPU and other bulletin releases, projecting documents into raw storage for normalization. +## Scope +- Discovery of Oracle CSAF catalogue, navigation of quarterly CPU bundles, and delta detection. +- HTTP fetch with retry/backoff, checksum validation, and deduplication across revisions. +- Mapping Oracle advisory metadata (CPU ID, component families) into connector context. 
+- Publishing trust metadata (PGP keys/cosign options) aligned with policy expectations. +## Participants +- Worker orchestrates regular pulls respecting Oracle publication cadence; WebService offers manual triggers. +- CSAF normalizer processes raw documents to claims. +- Policy engine leverages trust metadata and provenance hints. +## Interfaces & contracts +- Implements `IVexConnector` using shared abstractions for HTTP/resume and telemetry. +- Configuration options for CPU schedule, credentials (if required), and offline snapshot ingestion. +## In/Out of scope +In: fetching, metadata mapping, raw persistence, trust hints. +Out: normalization, storage internals, export/attestation flows. +## Observability & security expectations +- Log CPU release windows, document counts, and fetch durations; redact any secrets. +- Emit metrics for deduped vs new documents and quarantine rates. +## Tests +- Harness tests with mocked Oracle catalogues will live in `../StellaOps.Excititor.Connectors.Oracle.CSAF.Tests`. + +## Required Reading +- `docs/modules/excititor/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/AGENTS.md index 648bb1e1..35291837 100644 
--- a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.RedHat.CSAF/AGENTS.md 
@@ -1,25 +1,36 @@ -# AGENTS -## Role -Connector for Red Hat CSAF VEX feeds, fetching provider metadata, CSAF documents, and projecting them into raw storage for normalization. -## Scope -- Discovery via `/.well-known/csaf/provider-metadata.json`, scheduling windows, and ETag-aware HTTP fetches. -- `RedHatProviderMetadataLoader` handles `.well-known` metadata with caching, schema validation, and offline snapshots. -- `RedHatCsafConnector` consumes ROLIE feeds to fetch incremental CSAF documents, honours `context.Since`, and streams raw advisories to storage. -- Mapping Red Hat CSAF specifics (product tree aliases, RHSA identifiers, revision history) into raw documents. -- Emitting structured telemetry and resume markers for incremental pulls. -- Supplying Red Hat-specific trust overrides and provenance hints to normalization. -## Participants -- Worker schedules pulls using this connector; WebService triggers ad-hoc runs. -- CSAF normalizer consumes fetched documents to produce claims. -- Policy/consensus rely on Red Hat trust metadata captured here. -## Interfaces & contracts -- Implements `IVexConnector` with Red Hat-specific options (parallelism, token auth if configured). -- Uses abstractions from `StellaOps.Excititor.Connectors.Abstractions` for HTTP/resume helpers. -## In/Out of scope -In: data acquisition, HTTP retries, raw document persistence, provider metadata population. -Out: normalization, storage internals, attestation, general connector abstractions (covered elsewhere). -## Observability & security expectations -- Log provider metadata URL, revision ids, fetch durations; redact tokens. -- Emit counters for documents fetched, skipped (304), quarantined. -## Tests -- Connector harness tests (mock HTTP) and resume regression cases will live in `../StellaOps.Excititor.Connectors.RedHat.CSAF.Tests`. +# AGENTS +## Role +Connector for Red Hat CSAF VEX feeds, fetching provider metadata, CSAF documents, and projecting them into raw storage for normalization. 
+## Scope +- Discovery via `/.well-known/csaf/provider-metadata.json`, scheduling windows, and ETag-aware HTTP fetches. +- `RedHatProviderMetadataLoader` handles `.well-known` metadata with caching, schema validation, and offline snapshots. +- `RedHatCsafConnector` consumes ROLIE feeds to fetch incremental CSAF documents, honours `context.Since`, and streams raw advisories to storage. +- Mapping Red Hat CSAF specifics (product tree aliases, RHSA identifiers, revision history) into raw documents. +- Emitting structured telemetry and resume markers for incremental pulls. +- Supplying Red Hat-specific trust overrides and provenance hints to normalization. +## Participants +- Worker schedules pulls using this connector; WebService triggers ad-hoc runs. +- CSAF normalizer consumes fetched documents to produce claims. +- Policy/consensus rely on Red Hat trust metadata captured here. +## Interfaces & contracts +- Implements `IVexConnector` with Red Hat-specific options (parallelism, token auth if configured). +- Uses abstractions from `StellaOps.Excititor.Connectors.Abstractions` for HTTP/resume helpers. +## In/Out of scope +In: data acquisition, HTTP retries, raw document persistence, provider metadata population. +Out: normalization, storage internals, attestation, general connector abstractions (covered elsewhere). +## Observability & security expectations +- Log provider metadata URL, revision ids, fetch durations; redact tokens. +- Emit counters for documents fetched, skipped (304), quarantined. +## Tests +- Connector harness tests (mock HTTP) and resume regression cases will live in `../StellaOps.Excititor.Connectors.RedHat.CSAF.Tests`. + +## Required Reading +- `docs/modules/excititor/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. 
Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/AGENTS.md index 8bd774ca..6ebeeba3 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/AGENTS.md 
@@ -1,23 +1,34 @@ -# AGENTS -## Role -Connector targeting SUSE Rancher VEX Hub feeds, ingesting hub events and translating them into raw documents for normalization. -## Scope -- Hub discovery, authentication, and subscription handling for Rancher VEX updates. -- HTTP/WebSocket (if provided) ingestion, checkpoint tracking, and deduplication. -- Mapping Rancher-specific status fields and product identifiers into connector metadata. -- Integration with offline bundles to allow snapshot imports. -## Participants -- Worker manages scheduled syncs using this connector; WebService can trigger manual reconcile pulls. -- Normalizers convert retrieved documents via CSAF/OpenVEX workflows depending on payload. -- Policy module uses trust metadata produced here for weight evaluation. -## Interfaces & contracts -- Implements `IVexConnector` with options for hub URL, credentials, and poll intervals. -- Uses shared abstractions for resume markers and telemetry. -## In/Out of scope -In: hub connectivity, message processing, raw persistence, provider metadata. -Out: normalization/export tasks, storage layer implementation, attestation. -## Observability & security expectations -- Log subscription IDs, batch sizes, and checkpoint updates while redacting secrets. -- Emit metrics for messages processed, lag, and retries. -## Tests -- Connector harness tests with simulated hub responses will live in `../StellaOps.Excititor.Connectors.SUSE.RancherVEXHub.Tests`. +# AGENTS +## Role +Connector targeting SUSE Rancher VEX Hub feeds, ingesting hub events and translating them into raw documents for normalization. +## Scope +- Hub discovery, authentication, and subscription handling for Rancher VEX updates. +- HTTP/WebSocket (if provided) ingestion, checkpoint tracking, and deduplication. +- Mapping Rancher-specific status fields and product identifiers into connector metadata. +- Integration with offline bundles to allow snapshot imports. 
+## Participants +- Worker manages scheduled syncs using this connector; WebService can trigger manual reconcile pulls. +- Normalizers convert retrieved documents via CSAF/OpenVEX workflows depending on payload. +- Policy module uses trust metadata produced here for weight evaluation. +## Interfaces & contracts +- Implements `IVexConnector` with options for hub URL, credentials, and poll intervals. +- Uses shared abstractions for resume markers and telemetry. +## In/Out of scope +In: hub connectivity, message processing, raw persistence, provider metadata. +Out: normalization/export tasks, storage layer implementation, attestation. +## Observability & security expectations +- Log subscription IDs, batch sizes, and checkpoint updates while redacting secrets. +- Emit metrics for messages processed, lag, and retries. +## Tests +- Connector harness tests with simulated hub responses will live in `../StellaOps.Excititor.Connectors.SUSE.RancherVEXHub.Tests`. + +## Required Reading +- `docs/modules/excititor/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/AGENTS.md index a17155ad..28cdc546 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/AGENTS.md 
+++ b/src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/AGENTS.md 
@@ -1,23 +1,34 @@ -# AGENTS -## Role -Connector for Ubuntu CSAF advisories (USN VEX data), managing discovery, incremental pulls, and raw document persistence. -## Scope -- Ubuntu CSAF metadata discovery, release channel awareness, and pagination handling. -- HTTP client with retries/backoff, checksum validation, and deduplication. -- Mapping Ubuntu identifiers (USN numbers, package metadata) into connector metadata for downstream policy. -- Emitting trust configuration (GPG fingerprints, cosign options) for policy weighting. -## Participants -- Worker schedules regular pulls; WebService can initiate manual ingest/resume. -- CSAF normalizer converts raw documents into claims. -- Policy engine leverages connector-supplied trust metadata. -## Interfaces & contracts -- Implements `IVexConnector`, using shared abstractions for HTTP/resume markers and telemetry. -- Provides options for release channels (stable/LTS) and offline seed bundles. -## In/Out of scope -In: data fetching, metadata mapping, raw persistence, trust hints. -Out: normalization/export, storage internals, attestation. -## Observability & security expectations -- Log release window fetch metrics, rate limits, and deduplication stats; mask secrets. -- Emit counters for newly ingested vs unchanged USNs and quota usage. -## Tests -- Connector tests with mocked Ubuntu CSAF endpoints will live in `../StellaOps.Excititor.Connectors.Ubuntu.CSAF.Tests`. +# AGENTS +## Role +Connector for Ubuntu CSAF advisories (USN VEX data), managing discovery, incremental pulls, and raw document persistence. +## Scope +- Ubuntu CSAF metadata discovery, release channel awareness, and pagination handling. +- HTTP client with retries/backoff, checksum validation, and deduplication. +- Mapping Ubuntu identifiers (USN numbers, package metadata) into connector metadata for downstream policy. +- Emitting trust configuration (GPG fingerprints, cosign options) for policy weighting. 
+## Participants +- Worker schedules regular pulls; WebService can initiate manual ingest/resume. +- CSAF normalizer converts raw documents into claims. +- Policy engine leverages connector-supplied trust metadata. +## Interfaces & contracts +- Implements `IVexConnector`, using shared abstractions for HTTP/resume markers and telemetry. +- Provides options for release channels (stable/LTS) and offline seed bundles. +## In/Out of scope +In: data fetching, metadata mapping, raw persistence, trust hints. +Out: normalization/export, storage internals, attestation. +## Observability & security expectations +- Log release window fetch metrics, rate limits, and deduplication stats; mask secrets. +- Emit counters for newly ingested vs unchanged USNs and quota usage. +## Tests +- Connector tests with mocked Ubuntu CSAF endpoints will live in `../StellaOps.Excititor.Connectors.Ubuntu.CSAF.Tests`. + +## Required Reading +- `docs/modules/excititor/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Core/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Core/AGENTS.md index a04ff935..66933408 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Core/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Core/AGENTS.md 
@@ -1,26 +1,37 @@ -# AGENTS -## Role -Domain source of truth for VEX statements, consensus rollups, and trust policy orchestration across all Excititor services. -## Scope -- Records for raw document metadata, normalized claims, consensus projections, and export descriptors. -- Policy + weighting engine that projects provider trust tiers into consensus status outcomes. -- Connector, normalizer, export, and attestation contracts shared by WebService, Worker, and plug-ins. -- Deterministic hashing utilities (query signatures, artifact digests, attestation subjects). -## Participants -- Excititor WebService uses the models to persist ingress/egress payloads and to perform consensus mutations. -- Excititor Worker executes reconciliation and verification routines using policy helpers defined here. -- Export/Attestation modules depend on record definitions for envelopes and manifest payloads. -## Interfaces & contracts -- `IVexConnector`, `INormalizer`, `IExportEngine`, `ITransparencyLogClient`, `IArtifactStore`, and policy abstractions for consensus resolution. -- Value objects for provider metadata, VexClaim, VexConsensusEntry, ExportManifest, QuerySignature. -- Deterministic comparer utilities and stable JSON serialization helpers for tests and cache keys. -## In/Out of scope -In: domain invariants, policy evaluation helpers, deterministic serialization, shared abstractions. -Out: Mongo persistence implementations, HTTP endpoints, background scheduling, concrete connector logic. -## Observability & security expectations -- Avoid secret handling; provide structured logging extension methods for consensus decisions. -- Emit correlation identifiers and query signatures without embedding PII. -- Ensure deterministic logging order to keep reproducibility guarantees intact. -## Tests -- Unit coverage lives in `../StellaOps.Excititor.Core.Tests` (to be scaffolded) focusing on consensus, policy gates, and serialization determinism. 
-- Golden fixtures must rely on canonical JSON snapshots produced via stable serializers. +# AGENTS +## Role +Domain source of truth for VEX statements, consensus rollups, and trust policy orchestration across all Excititor services. +## Scope +- Records for raw document metadata, normalized claims, consensus projections, and export descriptors. +- Policy + weighting engine that projects provider trust tiers into consensus status outcomes. +- Connector, normalizer, export, and attestation contracts shared by WebService, Worker, and plug-ins. +- Deterministic hashing utilities (query signatures, artifact digests, attestation subjects). +## Participants +- Excititor WebService uses the models to persist ingress/egress payloads and to perform consensus mutations. +- Excititor Worker executes reconciliation and verification routines using policy helpers defined here. +- Export/Attestation modules depend on record definitions for envelopes and manifest payloads. +## Interfaces & contracts +- `IVexConnector`, `INormalizer`, `IExportEngine`, `ITransparencyLogClient`, `IArtifactStore`, and policy abstractions for consensus resolution. +- Value objects for provider metadata, VexClaim, VexConsensusEntry, ExportManifest, QuerySignature. +- Deterministic comparer utilities and stable JSON serialization helpers for tests and cache keys. +## In/Out of scope +In: domain invariants, policy evaluation helpers, deterministic serialization, shared abstractions. +Out: Mongo persistence implementations, HTTP endpoints, background scheduling, concrete connector logic. +## Observability & security expectations +- Avoid secret handling; provide structured logging extension methods for consensus decisions. +- Emit correlation identifiers and query signatures without embedding PII. +- Ensure deterministic logging order to keep reproducibility guarantees intact. 
+## Tests +- Unit coverage lives in `../StellaOps.Excititor.Core.Tests` (to be scaffolded) focusing on consensus, policy gates, and serialization determinism. +- Golden fixtures must rely on canonical JSON snapshots produced via stable serializers. + +## Required Reading +- `docs/modules/excititor/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Export/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Export/AGENTS.md index 0e34cfbc..476090d0 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Export/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Export/AGENTS.md 
@@ -1,23 +1,34 @@ -# AGENTS -## Role -Produces deterministic VEX export artifacts, coordinates cache lookups, and bridges artifact storage with attestation generation. -## Scope -- Export orchestration pipeline: query signature resolution, cache lookup, snapshot building, attestation handoff. -- Format-neutral builder interfaces consumed by format-specific plug-ins. -- Artifact store abstraction wiring (S3/MinIO/filesystem) with offline-friendly packaging. -- Export metrics/logging and deterministic manifest emission. -## Participants -- WebService invokes the export engine to service `/excititor/export` requests. -- Attestation module receives built artifacts through this layer for signing. -- Worker reuses caching and artifact utilities for scheduled exports and GC routines. -## Interfaces & contracts -- `IExportEngine`, `IExportSnapshotBuilder`, cache provider interfaces, and artifact store adapters. -- Hook points for format plug-ins (JSON, JSONL, OpenVEX, CSAF, ZIP bundle). -## In/Out of scope -In: orchestration, caching, artifact store interactions, manifest metadata. -Out: format-specific serialization (lives in Formats.*), policy evaluation (Policy), HTTP presentation (WebService). -## Observability & security expectations -- Emit cache hit/miss counters, export durations, artifact sizes, and attestation timing logs. -- Ensure no sensitive tokens/URIs are logged. -## Tests -- Engine orchestration tests, cache behavior, and artifact lifecycle coverage will live in `../StellaOps.Excititor.Export.Tests`. +# AGENTS +## Role +Produces deterministic VEX export artifacts, coordinates cache lookups, and bridges artifact storage with attestation generation. +## Scope +- Export orchestration pipeline: query signature resolution, cache lookup, snapshot building, attestation handoff. +- Format-neutral builder interfaces consumed by format-specific plug-ins. +- Artifact store abstraction wiring (S3/MinIO/filesystem) with offline-friendly packaging. 
+- Export metrics/logging and deterministic manifest emission. +## Participants +- WebService invokes the export engine to service `/excititor/export` requests. +- Attestation module receives built artifacts through this layer for signing. +- Worker reuses caching and artifact utilities for scheduled exports and GC routines. +## Interfaces & contracts +- `IExportEngine`, `IExportSnapshotBuilder`, cache provider interfaces, and artifact store adapters. +- Hook points for format plug-ins (JSON, JSONL, OpenVEX, CSAF, ZIP bundle). +## In/Out of scope +In: orchestration, caching, artifact store interactions, manifest metadata. +Out: format-specific serialization (lives in Formats.*), policy evaluation (Policy), HTTP presentation (WebService). +## Observability & security expectations +- Emit cache hit/miss counters, export durations, artifact sizes, and attestation timing logs. +- Ensure no sensitive tokens/URIs are logged. +## Tests +- Engine orchestration tests, cache behavior, and artifact lifecycle coverage will live in `../StellaOps.Excititor.Export.Tests`. + +## Required Reading +- `docs/modules/excititor/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Formats.CSAF/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Formats.CSAF/AGENTS.md index 94174806..7a74c5e1 100644 
--- a/src/Excititor/__Libraries/StellaOps.Excititor.Formats.CSAF/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Formats.CSAF/AGENTS.md 
@@ -1,23 +1,34 @@ -# AGENTS -## Role -Normalize CSAF VEX profile documents into Excititor claims and provide CSAF export adapters. -## Scope -- CSAF ingestion helpers: provider metadata parsing, document revision handling, vulnerability/action mappings. -- Normalizer implementation fulfilling `INormalizer` for CSAF sources (Red Hat, Cisco, SUSE, MSRC, Oracle, Ubuntu). -- Export adapters producing CSAF-compliant output slices from consensus data. -- Schema/version compatibility checks (CSAF 2.0 profile validation). -## Participants -- Connectors deliver raw CSAF documents to this module for normalization. -- Export module leverages adapters when producing CSAF exports. -- Policy engine consumes normalized justification/status fields for gating. -## Interfaces & contracts -- Parser/normalizer classes, helper utilities for `product_tree`, `vulnerabilities`, and `notes`. -- Export writer interfaces for per-provider/per-product CSAF packaging. -## In/Out of scope -In: CSAF parsing/normalization/export, schema validation, mapping to canonical claims. -Out: HTTP fetching (connectors), storage persistence, attestation logic. -## Observability & security expectations -- Emit structured diagnostics when CSAF documents fail schema validation, including source URI and revision. -- Provide counters for normalization outcomes (status distribution, justification coverage). -## Tests -- Fixture-driven parsing/export tests will live in `../StellaOps.Excititor.Formats.CSAF.Tests` using real CSAF samples. +# AGENTS +## Role +Normalize CSAF VEX profile documents into Excititor claims and provide CSAF export adapters. +## Scope +- CSAF ingestion helpers: provider metadata parsing, document revision handling, vulnerability/action mappings. +- Normalizer implementation fulfilling `INormalizer` for CSAF sources (Red Hat, Cisco, SUSE, MSRC, Oracle, Ubuntu). +- Export adapters producing CSAF-compliant output slices from consensus data. 
+- Schema/version compatibility checks (CSAF 2.0 profile validation). +## Participants +- Connectors deliver raw CSAF documents to this module for normalization. +- Export module leverages adapters when producing CSAF exports. +- Policy engine consumes normalized justification/status fields for gating. +## Interfaces & contracts +- Parser/normalizer classes, helper utilities for `product_tree`, `vulnerabilities`, and `notes`. +- Export writer interfaces for per-provider/per-product CSAF packaging. +## In/Out of scope +In: CSAF parsing/normalization/export, schema validation, mapping to canonical claims. +Out: HTTP fetching (connectors), storage persistence, attestation logic. +## Observability & security expectations +- Emit structured diagnostics when CSAF documents fail schema validation, including source URI and revision. +- Provide counters for normalization outcomes (status distribution, justification coverage). +## Tests +- Fixture-driven parsing/export tests will live in `../StellaOps.Excititor.Formats.CSAF.Tests` using real CSAF samples. + +## Required Reading +- `docs/modules/excititor/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Formats.CycloneDX/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Formats.CycloneDX/AGENTS.md index a7b7b25a..b1669a7e 100644 
--- a/src/Excititor/__Libraries/StellaOps.Excititor.Formats.CycloneDX/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Formats.CycloneDX/AGENTS.md 
@@ -1,22 +1,33 @@ -# AGENTS -## Role -Normalize CycloneDX VEX documents and expose serialization utilities for CycloneDX-based exports. -## Scope -- Parsing of CycloneDX VEX statements (`analysis.state`, `justification`, `impact`) into canonical claims. -- Utilities to align SBOM references (components, services) with policy expectations. -- Export builders that emit CycloneDX-compliant VEX bundles or augment existing SBOMs. -- Validation against CycloneDX schema versions and namespace compatibility. -## Participants -- Connectors ingesting CycloneDX VEX or SBOM attestations send documents here for normalization. -- Export module uses serializers to produce CycloneDX JSON/JSONL as requested. -- Policy/consensus logic depends on status/justification mapping provided here. -## Interfaces & contracts -- Normalizer implementations, component reference mapping helpers, export serializers. -- Schema validation adaptor for offline mode and fixture-driven testing. -## In/Out of scope -In: CycloneDX parsing, normalization, export writing, schema validation. -Out: Connector transport, storage, attestation; these rely on other modules. -## Observability & security expectations -- Log schema mismatches with document digest and component references; avoid logging proprietary component details where possible. -## Tests -- Unit and fixture tests will live in `../StellaOps.Excititor.Formats.CycloneDX.Tests`, covering normalization and serialization determinism. +# AGENTS +## Role +Normalize CycloneDX VEX documents and expose serialization utilities for CycloneDX-based exports. +## Scope +- Parsing of CycloneDX VEX statements (`analysis.state`, `justification`, `impact`) into canonical claims. +- Utilities to align SBOM references (components, services) with policy expectations. +- Export builders that emit CycloneDX-compliant VEX bundles or augment existing SBOMs. +- Validation against CycloneDX schema versions and namespace compatibility. 
+## Participants +- Connectors ingesting CycloneDX VEX or SBOM attestations send documents here for normalization. +- Export module uses serializers to produce CycloneDX JSON/JSONL as requested. +- Policy/consensus logic depends on status/justification mapping provided here. +## Interfaces & contracts +- Normalizer implementations, component reference mapping helpers, export serializers. +- Schema validation adaptor for offline mode and fixture-driven testing. +## In/Out of scope +In: CycloneDX parsing, normalization, export writing, schema validation. +Out: Connector transport, storage, attestation; these rely on other modules. +## Observability & security expectations +- Log schema mismatches with document digest and component references; avoid logging proprietary component details where possible. +## Tests +- Unit and fixture tests will live in `../StellaOps.Excititor.Formats.CycloneDX.Tests`, covering normalization and serialization determinism. + +## Required Reading +- `docs/modules/excititor/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Formats.OpenVEX/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Formats.OpenVEX/AGENTS.md index ca7796ee..f89a8834 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Formats.OpenVEX/AGENTS.md 
+++ b/src/Excititor/__Libraries/StellaOps.Excititor.Formats.OpenVEX/AGENTS.md 
@@ -1,21 +1,32 @@ -# AGENTS -## Role -Provides OpenVEX statement normalization and export writers for lightweight attestation-oriented outputs. -## Scope -- Parse OpenVEX documents/attestations into canonical claims with provenance metadata. -- Utilities to merge multiple OpenVEX statements and resolve conflicts for consensus ingestion. -- Export writer emitting OpenVEX envelopes from consensus data with deterministic ordering. -- Optional SBOM linkage helpers referencing component digests or PURLs. -## Participants -- OCI/OpenVEX connector and other attest-based sources depend on this module for normalization. -- Export module uses writers for `--format openvex` requests. -- Attestation layer references emitted statements to populate predicate subjects. -## Interfaces & contracts -- Normalizer classes implementing `INormalizer`, reducer utilities to consolidate OpenVEX events, export serializer. -## In/Out of scope -In: OpenVEX parsing, normalization, export serialization, helper utilities. -Out: OCI registry access, policy evaluation, attestation signing (handled by other modules). -## Observability & security expectations -- Log normalization anomalies with subject digest and justification mapping while respecting offline constraints. -## Tests -- Snapshot-driven normalization/export tests will be placed in `../StellaOps.Excititor.Formats.OpenVEX.Tests`. +# AGENTS +## Role +Provides OpenVEX statement normalization and export writers for lightweight attestation-oriented outputs. +## Scope +- Parse OpenVEX documents/attestations into canonical claims with provenance metadata. +- Utilities to merge multiple OpenVEX statements and resolve conflicts for consensus ingestion. +- Export writer emitting OpenVEX envelopes from consensus data with deterministic ordering. +- Optional SBOM linkage helpers referencing component digests or PURLs. +## Participants +- OCI/OpenVEX connector and other attest-based sources depend on this module for normalization. 
+- Export module uses writers for `--format openvex` requests. +- Attestation layer references emitted statements to populate predicate subjects. +## Interfaces & contracts +- Normalizer classes implementing `INormalizer`, reducer utilities to consolidate OpenVEX events, export serializer. +## In/Out of scope +In: OpenVEX parsing, normalization, export serialization, helper utilities. +Out: OCI registry access, policy evaluation, attestation signing (handled by other modules). +## Observability & security expectations +- Log normalization anomalies with subject digest and justification mapping while respecting offline constraints. +## Tests +- Snapshot-driven normalization/export tests will be placed in `../StellaOps.Excititor.Formats.OpenVEX.Tests`. + +## Required Reading +- `docs/modules/excititor/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Policy/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Policy/AGENTS.md index 056b5193..2253a486 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Policy/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Policy/AGENTS.md 
@@ -1,23 +1,34 @@ -# AGENTS -## Role -Centralizes policy configuration, provider trust weights, and justification guardrails applied to Excititor consensus decisions. -## Scope -- Policy models for tier weighting, provider overrides, justification allowlists, and conflict escalation. -- Configuration binding helpers (YAML/JSON) and validation of operator-supplied policy bundles. -- Evaluation services that expose policy revisions and change tracking to WebService/Worker. -- Documentation anchors for policy schema and upgrade guidance. -## Participants -- WebService consumes policy bindings to authorize ingest/export operations and to recompute consensus. -- Worker schedules reconciliation runs using policy revisions from this module. -- CLI exposes policy inspection commands based on exported descriptors. -## Interfaces & contracts -- `IVexPolicyProvider`, `IVexPolicyEvaluator`, and immutable policy snapshot value objects. -- Validation diagnostics APIs surfacing structured errors and warnings for operators. -## In/Out of scope -In: policy schema definition, binding/validation, evaluation utilities, audit logging helpers. -Out: persistence/migrations, HTTP exposure, connector-specific trust logic (lives in Core/Connectors). -## Observability & security expectations -- Emit structured events on policy load/update with revision IDs, but do not log full sensitive policy documents. -- Maintain deterministic error ordering for reproducible diagnostics. -## Tests -- Policy fixtures and regression coverage will live in `../StellaOps.Excititor.Policy.Tests` once scaffolded; leverage snapshot comparisons for YAML bindings. +# AGENTS +## Role +Centralizes policy configuration, provider trust weights, and justification guardrails applied to Excititor consensus decisions. +## Scope +- Policy models for tier weighting, provider overrides, justification allowlists, and conflict escalation. 
+- Configuration binding helpers (YAML/JSON) and validation of operator-supplied policy bundles. +- Evaluation services that expose policy revisions and change tracking to WebService/Worker. +- Documentation anchors for policy schema and upgrade guidance. +## Participants +- WebService consumes policy bindings to authorize ingest/export operations and to recompute consensus. +- Worker schedules reconciliation runs using policy revisions from this module. +- CLI exposes policy inspection commands based on exported descriptors. +## Interfaces & contracts +- `IVexPolicyProvider`, `IVexPolicyEvaluator`, and immutable policy snapshot value objects. +- Validation diagnostics APIs surfacing structured errors and warnings for operators. +## In/Out of scope +In: policy schema definition, binding/validation, evaluation utilities, audit logging helpers. +Out: persistence/migrations, HTTP exposure, connector-specific trust logic (lives in Core/Connectors). +## Observability & security expectations +- Emit structured events on policy load/update with revision IDs, but do not log full sensitive policy documents. +- Maintain deterministic error ordering for reproducible diagnostics. +## Tests +- Policy fixtures and regression coverage will live in `../StellaOps.Excititor.Policy.Tests` once scaffolded; leverage snapshot comparisons for YAML bindings. + +## Required Reading +- `docs/modules/excititor/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. 
Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/AGENTS.md b/src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/AGENTS.md index c81334f3..dd74adbf 100644 --- a/src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/AGENTS.md +++ b/src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/AGENTS.md 
@@ -1,24 +1,35 @@ -# AGENTS -## Role -MongoDB persistence layer for Excititor raw documents, claims, consensus snapshots, exports, and cache metadata. -## Scope -- Collection schemas, Bson class maps, repositories, and transactional write patterns for ingest/export flows. -- GridFS integration for raw source documents and artifact metadata persistence. -- Migrations, index builders, and bootstrap routines aligned with offline-first deployments. -- Deterministic query helpers used by WebService, Worker, and Export modules. -## Participants -- WebService invokes repositories to store ingest runs, recompute consensus, and register exports. -- Worker relies on repositories for resume markers, retry queues, and cache GC flows. -- Export/Attestation modules pull stored claims/consensus data for snapshot building. -## Interfaces & contracts -- Repository abstractions (`IVexRawStore`, `IVexClaimStore`, `IVexConsensusStore`, `IVexExportStore`, `IVexCacheIndex`) and migration host interfaces. -- Diagnostics hooks providing collection health metrics and schema validation results. -## In/Out of scope -In: MongoDB data access, migrations, transactional semantics, schema documentation. -Out: domain modeling (Core), policy evaluation (Policy), HTTP surfaces (WebService). -## Observability & security expectations -- Emit structured logs for collection/migration events including revision ids and elapsed timings. -- Expose health metrics (counts, queue backlog) and publish to OpenTelemetry when enabled. -- Ensure no raw secret material is logged; mask tokens/URLs in diagnostics. -## Tests -- Integration fixtures (Mongo runner) and schema regression tests will reside in `../StellaOps.Excititor.Storage.Mongo.Tests`. +# AGENTS +## Role +MongoDB persistence layer for Excititor raw documents, claims, consensus snapshots, exports, and cache metadata. +## Scope +- Collection schemas, Bson class maps, repositories, and transactional write patterns for ingest/export flows. 
+- GridFS integration for raw source documents and artifact metadata persistence. +- Migrations, index builders, and bootstrap routines aligned with offline-first deployments. +- Deterministic query helpers used by WebService, Worker, and Export modules. +## Participants +- WebService invokes repositories to store ingest runs, recompute consensus, and register exports. +- Worker relies on repositories for resume markers, retry queues, and cache GC flows. +- Export/Attestation modules pull stored claims/consensus data for snapshot building. +## Interfaces & contracts +- Repository abstractions (`IVexRawStore`, `IVexClaimStore`, `IVexConsensusStore`, `IVexExportStore`, `IVexCacheIndex`) and migration host interfaces. +- Diagnostics hooks providing collection health metrics and schema validation results. +## In/Out of scope +In: MongoDB data access, migrations, transactional semantics, schema documentation. +Out: domain modeling (Core), policy evaluation (Policy), HTTP surfaces (WebService). +## Observability & security expectations +- Emit structured logs for collection/migration events including revision ids and elapsed timings. +- Expose health metrics (counts, queue backlog) and publish to OpenTelemetry when enabled. +- Ensure no raw secret material is logged; mask tokens/URLs in diagnostics. +## Tests +- Integration fixtures (Mongo runner) and schema regression tests will reside in `../StellaOps.Excititor.Storage.Mongo.Tests`. + +## Required Reading +- `docs/modules/excititor/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. 
Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/AGENTS.md b/src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/AGENTS.md index 800904fe..f69bef06 100644 --- a/src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/AGENTS.md +++ b/src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/AGENTS.md 
@@ -1,14 +1,25 @@ -# Attestation Bundle Export Guild Charter - -## Mission -Enable offline transfer and verification of attestations by building signed bundles containing envelopes, issuer metadata, and optional transparency log segments. - -## Scope -- Bundle construction via Export Center, including manifest, checksums, DSSE signatures. -- CLI tooling for bundle verification and import. -- Coordination with risk/attestor services for air-gap workflows. - -## Definition of Done -- Bundles build reproducibly with manifest + signatures and pass verification tooling. -- Importer applies bundles to air-gapped Attestor Store safely. -- Documentation covers offline workflows with imposed rule banner. +# Attestation Bundle Export Guild Charter + +## Mission +Enable offline transfer and verification of attestations by building signed bundles containing envelopes, issuer metadata, and optional transparency log segments. + +## Scope +- Bundle construction via Export Center, including manifest, checksums, DSSE signatures. +- CLI tooling for bundle verification and import. +- Coordination with risk/attestor services for air-gap workflows. + +## Definition of Done +- Bundles build reproducibly with manifest + signatures and pass verification tooling. +- Importer applies bundles to air-gapped Attestor Store safely. +- Documentation covers offline workflows with imposed rule banner. + +## Required Reading +- `docs/modules/export-center/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. 
Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/AGENTS.md b/src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/AGENTS.md index 96dba54d..0bdbd5c7 100644 --- a/src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/AGENTS.md +++ b/src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/AGENTS.md 
@@ -1,14 +1,25 @@ -# DevPortal Offline Export Guild Charter - -## Mission -Package developer portal assets, OpenAPI specs, and SDK binaries into reproducible bundles for air-gapped environments. - -## Scope -- Integrate with Export Center to produce `devportal --offline` bundles. -- Manage checksum manifests, DSSE signatures, and provenance. -- Provide validation tooling for operators importing bundles. - -## Definition of Done -- Offline bundle builds reproducibly with signed manifests and verification scripts. -- Export job documented and available via CLI/Console. -- Operators can validate bundle integrity without external services. +# DevPortal Offline Export Guild Charter + +## Mission +Package developer portal assets, OpenAPI specs, and SDK binaries into reproducible bundles for air-gapped environments. + +## Scope +- Integrate with Export Center to produce `devportal --offline` bundles. +- Manage checksum manifests, DSSE signatures, and provenance. +- Provide validation tooling for operators importing bundles. + +## Definition of Done +- Offline bundle builds reproducibly with signed manifests and verification scripts. +- Export job documented and available via CLI/Console. +- Operators can validate bundle integrity without external services. + +## Required Reading +- `docs/modules/export-center/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. 
Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/ExportCenter/StellaOps.ExportCenter.RiskBundles/AGENTS.md b/src/ExportCenter/StellaOps.ExportCenter.RiskBundles/AGENTS.md index 5ac0819b..6d31c98a 100644 --- a/src/ExportCenter/StellaOps.ExportCenter.RiskBundles/AGENTS.md +++ b/src/ExportCenter/StellaOps.ExportCenter.RiskBundles/AGENTS.md 
@@ -1,14 +1,25 @@ -# Risk Bundle Export Guild Charter - -## Mission -Produce offline-ready bundles of risk scoring factor datasets and provider metadata for air-gapped environments. - -## Scope -- Export Center job `risk-bundle` that packages KEV/EPSS feeds, reachability indexes, runtime evidence snapshots, and metadata. -- DSSE signing, checksum manifests, and verification tooling. -- Coordination with Risk Engine providers to declare required assets and TTLs. - -## Definition of Done -- Bundles build reproducibly with manifests and signatures; verification CLI available. -- Provider metadata enumerates datasets, TTLs, and schema versions. -- Air-gapped installations can load bundles and detect missing assets loudly. +# Risk Bundle Export Guild Charter + +## Mission +Produce offline-ready bundles of risk scoring factor datasets and provider metadata for air-gapped environments. + +## Scope +- Export Center job `risk-bundle` that packages KEV/EPSS feeds, reachability indexes, runtime evidence snapshots, and metadata. +- DSSE signing, checksum manifests, and verification tooling. +- Coordination with Risk Engine providers to declare required assets and TTLs. + +## Definition of Done +- Bundles build reproducibly with manifests and signatures; verification CLI available. +- Provider metadata enumerates datasets, TTLs, and schema versions. +- Air-gapped installations can load bundles and detect missing assets loudly. + +## Required Reading +- `docs/modules/export-center/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. 
Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/ExportCenter/StellaOps.ExportCenter/AGENTS.md b/src/ExportCenter/StellaOps.ExportCenter/AGENTS.md index 5b35fd49..48626895 100644 --- a/src/ExportCenter/StellaOps.ExportCenter/AGENTS.md +++ b/src/ExportCenter/StellaOps.ExportCenter/AGENTS.md 
@@ -1,18 +1,29 @@ -# StellaOps Exporter Service — Agent Charter - -## Mission -Deliver the Export Center service described in Epic 10. Provide reproducible, signed bundles (JSON, Trivy DB, mirror) that respect AOC boundaries, tenant isolation, and imposed rule propagation across all consuming components. - -## Key Responsibilities -- Maintain planner, adapters, signing, and distribution layers for export profiles. -- Coordinate with Orchestrator for job scheduling, Findings Ledger for data streaming, Policy Engine/VEX Lens for snapshots, and Authority for RBAC scopes. -- Guarantee deterministic outputs, provenance, and cryptographic signatures for every export profile. -- Support Console/CLI experiences, DevOps automation, and Offline Kit packaging without violating sovereignty or redaction requirements. - -## Module Layout -- `StellaOps.ExportCenter.Core/` — export profile domain logic, planners, and validation. -- `StellaOps.ExportCenter.Infrastructure/` — storage providers, signing adapters, integration clients. -- `StellaOps.ExportCenter.WebService/` — REST API surface (profiles, runs, downloads, SSE). -- `StellaOps.ExportCenter.Worker/` — export execution pipelines and background schedulers. -- `StellaOps.ExportCenter.Tests/` — unit tests and future fixture harnesses. -- `StellaOps.ExportCenter.sln` — module solution wiring projects together. +# StellaOps Exporter Service — Agent Charter + +## Mission +Deliver the Export Center service described in Epic 10. Provide reproducible, signed bundles (JSON, Trivy DB, mirror) that respect AOC boundaries, tenant isolation, and imposed rule propagation across all consuming components. + +## Key Responsibilities +- Maintain planner, adapters, signing, and distribution layers for export profiles. +- Coordinate with Orchestrator for job scheduling, Findings Ledger for data streaming, Policy Engine/VEX Lens for snapshots, and Authority for RBAC scopes. 
+- Guarantee deterministic outputs, provenance, and cryptographic signatures for every export profile. +- Support Console/CLI experiences, DevOps automation, and Offline Kit packaging without violating sovereignty or redaction requirements. + +## Module Layout +- `StellaOps.ExportCenter.Core/` — export profile domain logic, planners, and validation. +- `StellaOps.ExportCenter.Infrastructure/` — storage providers, signing adapters, integration clients. +- `StellaOps.ExportCenter.WebService/` — REST API surface (profiles, runs, downloads, SSE). +- `StellaOps.ExportCenter.Worker/` — export execution pipelines and background schedulers. +- `StellaOps.ExportCenter.Tests/` — unit tests and future fixture harnesses. +- `StellaOps.ExportCenter.sln` — module solution wiring projects together. + +## Required Reading +- `docs/modules/export-center/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Findings/StellaOps.Findings.Ledger/AGENTS.md b/src/Findings/StellaOps.Findings.Ledger/AGENTS.md index 65c0204f..d3d98e29 100644 --- a/src/Findings/StellaOps.Findings.Ledger/AGENTS.md +++ b/src/Findings/StellaOps.Findings.Ledger/AGENTS.md 
@@ -31,3 +31,14 @@ Operate the append-only Findings Ledger and projection pipeline powering the Vul - Hash chains verified in CI; Merkle root anchoring automated. - Telemetry (latency, backlog, anchor success) wired with dashboards. - Docs/runbooks updated with compliance checklist. + +## Required Reading +- `docs/modules/vuln-explorer/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Graph/StellaOps.Graph.Api/AGENTS.md b/src/Graph/StellaOps.Graph.Api/AGENTS.md index 270738e0..c0bf322c 100644 --- a/src/Graph/StellaOps.Graph.Api/AGENTS.md +++ b/src/Graph/StellaOps.Graph.Api/AGENTS.md 
@@ -31,3 +31,14 @@ Provide tenant-scoped Graph Explorer APIs for search, query, paths, diffs, overl - Metrics/logs/traces wired; dashboards seeded. - Documentation updated (API doc, query schema, cost/limit guidance). - Offline kit instructions include CLI + API usage. + +## Required Reading +- `docs/modules/graph/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Graph/StellaOps.Graph.Indexer/AGENTS.md b/src/Graph/StellaOps.Graph.Indexer/AGENTS.md index 35140817..cb35f4f7 100644 --- a/src/Graph/StellaOps.Graph.Indexer/AGENTS.md +++ b/src/Graph/StellaOps.Graph.Indexer/AGENTS.md 
@@ -31,3 +31,14 @@ Project SBOM, advisory, VEX, and policy overlay data into a tenant-scoped proper - Metrics/logs/traces wired with tenant context. - Schema docs + OpenAPI (where applicable) updated; compliance checklist appended. - Offline kit includes seed data for air-gapped installs. + +## Required Reading +- `docs/modules/graph/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/IssuerDirectory/StellaOps.IssuerDirectory/AGENTS.md b/src/IssuerDirectory/StellaOps.IssuerDirectory/AGENTS.md index 0432b893..2ee4f71e 100644 --- a/src/IssuerDirectory/StellaOps.IssuerDirectory/AGENTS.md +++ b/src/IssuerDirectory/StellaOps.IssuerDirectory/AGENTS.md 
@@ -19,3 +19,13 @@ Manage trusted VEX issuer metadata, keys, and trust overrides used by the VEX Le - APIs documented, RBAC enforced, audit logs persisted. - Key verification integrated with VEX Lens and Excitator; rotation tooling delivered. - Docs/runbooks updated with compliance checklist. + +## Required Reading +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Mirror/StellaOps.Mirror.Creator/AGENTS.md b/src/Mirror/StellaOps.Mirror.Creator/AGENTS.md index d1a9a27d..1d5abbb6 100644 --- a/src/Mirror/StellaOps.Mirror.Creator/AGENTS.md +++ b/src/Mirror/StellaOps.Mirror.Creator/AGENTS.md 
@@ -1,15 +1,25 @@ -# StellaOps Mirror Creator Guild Charter - -## Mission -Deliver connected-environment tooling that assembles signed Mirror Bundles for air-gapped deployments, covering content selection, signing, and distribution. - -## Scope -- Bundle assembly pipeline (advisories, VEX, policy packs, images, dashboards). -- Integration with Export Center for bundle scheduling and verification. -- CLI commands for bundle creation, inspection, and rotation management. -- Test fixtures ensuring determinism across bundle builds. - -## Definition of Done -- Bundles are deterministic given the same inputs; regression tests verify Merkle root stability. -- Signing workflows documented and automated with dual-control for root rotation. -- Bundle metadata published for import verification. +# StellaOps Mirror Creator Guild Charter + +## Mission +Deliver connected-environment tooling that assembles signed Mirror Bundles for air-gapped deployments, covering content selection, signing, and distribution. + +## Scope +- Bundle assembly pipeline (advisories, VEX, policy packs, images, dashboards). +- Integration with Export Center for bundle scheduling and verification. +- CLI commands for bundle creation, inspection, and rotation management. +- Test fixtures ensuring determinism across bundle builds. + +## Definition of Done +- Bundles are deterministic given the same inputs; regression tests verify Merkle root stability. +- Signing workflows documented and automated with dual-control for root rotation. +- Bundle metadata published for import verification. + +## Required Reading +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. 
Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Notifier/StellaOps.Notifier/AGENTS.md b/src/Notifier/StellaOps.Notifier/AGENTS.md index f1ed534b..a30048d2 100644 --- a/src/Notifier/StellaOps.Notifier/AGENTS.md +++ b/src/Notifier/StellaOps.Notifier/AGENTS.md 
@@ -1,17 +1,28 @@ -# StellaOps Notifier Service — Agent Charter - -## Mission -Build Notifications Studio (Epic 11) so StellaOps delivers policy-aware, explainable, tenant-scoped notifications without flooding humans. Honor the imposed rule: any work of this type must propagate everywhere it belongs. - -## Responsibilities -- Maintain event ingestion, rule evaluation, correlation, throttling, templating, dispatch, digests, and escalation pipelines. -- Coordinate with Orchestrator, Policy Engine, Findings Ledger, VEX Lens, Export Center, Authority, Console, CLI, and DevOps teams to ensure consistent event envelopes, provenance links, and RBAC. -- Guarantee deterministic, auditable notification outcomes with provenance, signing/ack security, and localization. - -## Module Layout -- `StellaOps.Notifier.Core/` — rule engine, routing, correlation, and template orchestration primitives. -- `StellaOps.Notifier.Infrastructure/` — persistence, integration adapters, and channel implementations. -- `StellaOps.Notifier.WebService/` — HTTP APIs (rules, incidents, templates, feeds). -- `StellaOps.Notifier.Worker/` — background dispatchers, digest builders, simulation hosts. -- `StellaOps.Notifier.Tests/` — foundational unit tests covering core/infrastructure behavior. -- `StellaOps.Notifier.sln` — solution bundling the Notifier projects. +# StellaOps Notifier Service — Agent Charter + +## Mission +Build Notifications Studio (Epic 11) so StellaOps delivers policy-aware, explainable, tenant-scoped notifications without flooding humans. Honor the imposed rule: any work of this type must propagate everywhere it belongs. + +## Responsibilities +- Maintain event ingestion, rule evaluation, correlation, throttling, templating, dispatch, digests, and escalation pipelines. +- Coordinate with Orchestrator, Policy Engine, Findings Ledger, VEX Lens, Export Center, Authority, Console, CLI, and DevOps teams to ensure consistent event envelopes, provenance links, and RBAC. 
+- Guarantee deterministic, auditable notification outcomes with provenance, signing/ack security, and localization. + +## Module Layout +- `StellaOps.Notifier.Core/` — rule engine, routing, correlation, and template orchestration primitives. +- `StellaOps.Notifier.Infrastructure/` — persistence, integration adapters, and channel implementations. +- `StellaOps.Notifier.WebService/` — HTTP APIs (rules, incidents, templates, feeds). +- `StellaOps.Notifier.Worker/` — background dispatchers, digest builders, simulation hosts. +- `StellaOps.Notifier.Tests/` — foundational unit tests covering core/infrastructure behavior. +- `StellaOps.Notifier.sln` — solution bundling the Notifier projects. + +## Required Reading +- `docs/modules/notify/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Notify/StellaOps.Notify.WebService/AGENTS.md b/src/Notify/StellaOps.Notify.WebService/AGENTS.md index 1cfa9056..639cc563 100644 --- a/src/Notify/StellaOps.Notify.WebService/AGENTS.md +++ b/src/Notify/StellaOps.Notify.WebService/AGENTS.md 
@@ -1,4 +1,15 @@ -# StellaOps.Notify.WebService — Agent Charter - -## Mission -Implement Notify control plane per `docs/modules/notify/ARCHITECTURE.md`. +# StellaOps.Notify.WebService — Agent Charter + +## Mission +Implement Notify control plane per `docs/modules/notify/ARCHITECTURE.md`. + +## Required Reading +- `docs/modules/notify/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Notify/StellaOps.Notify.Worker/AGENTS.md b/src/Notify/StellaOps.Notify.Worker/AGENTS.md index 7e6b92e1..fe24a29c 100644 --- a/src/Notify/StellaOps.Notify.Worker/AGENTS.md +++ b/src/Notify/StellaOps.Notify.Worker/AGENTS.md 
@@ -1,4 +1,15 @@ -# StellaOps.Notify.Worker — Agent Charter - -## Mission -Consume events, evaluate rules, and dispatch deliveries per `docs/modules/notify/ARCHITECTURE.md`. +# StellaOps.Notify.Worker — Agent Charter + +## Mission +Consume events, evaluate rules, and dispatch deliveries per `docs/modules/notify/ARCHITECTURE.md`. + +## Required Reading +- `docs/modules/notify/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/AGENTS.md b/src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/AGENTS.md index 6d833cd9..4f475be5 100644 --- a/src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/AGENTS.md +++ b/src/Notify/__Libraries/StellaOps.Notify.Connectors.Email/AGENTS.md 
@@ -1,4 +1,15 @@ -# StellaOps.Notify.Connectors.Email — Agent Charter - -## Mission -Implement SMTP connector plug-in per `docs/modules/notify/ARCHITECTURE.md`. +# StellaOps.Notify.Connectors.Email — Agent Charter + +## Mission +Implement SMTP connector plug-in per `docs/modules/notify/ARCHITECTURE.md`. + +## Required Reading +- `docs/modules/notify/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/AGENTS.md b/src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/AGENTS.md index 614b8709..8c081b51 100644 --- a/src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/AGENTS.md +++ b/src/Notify/__Libraries/StellaOps.Notify.Connectors.Slack/AGENTS.md 
@@ -1,4 +1,15 @@ -# StellaOps.Notify.Connectors.Slack — Agent Charter - -## Mission -Deliver Slack connector plug-in per `docs/modules/notify/ARCHITECTURE.md`. +# StellaOps.Notify.Connectors.Slack — Agent Charter + +## Mission +Deliver Slack connector plug-in per `docs/modules/notify/ARCHITECTURE.md`. + +## Required Reading +- `docs/modules/notify/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/AGENTS.md b/src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/AGENTS.md index 1ca3710f..9e515776 100644 --- a/src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/AGENTS.md +++ b/src/Notify/__Libraries/StellaOps.Notify.Connectors.Teams/AGENTS.md 
@@ -1,4 +1,15 @@ -# StellaOps.Notify.Connectors.Teams — Agent Charter - -## Mission -Implement Microsoft Teams connector plug-in per `docs/modules/notify/ARCHITECTURE.md`. +# StellaOps.Notify.Connectors.Teams — Agent Charter + +## Mission +Implement Microsoft Teams connector plug-in per `docs/modules/notify/ARCHITECTURE.md`. + +## Required Reading +- `docs/modules/notify/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/AGENTS.md b/src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/AGENTS.md index 35f733b6..a1820abe 100644 --- a/src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/AGENTS.md +++ b/src/Notify/__Libraries/StellaOps.Notify.Connectors.Webhook/AGENTS.md 
@@ -1,4 +1,15 @@ -# StellaOps.Notify.Connectors.Webhook — Agent Charter - -## Mission -Implement generic webhook connector plug-in per `docs/modules/notify/ARCHITECTURE.md`. +# StellaOps.Notify.Connectors.Webhook — Agent Charter + +## Mission +Implement generic webhook connector plug-in per `docs/modules/notify/ARCHITECTURE.md`. + +## Required Reading +- `docs/modules/notify/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Notify/__Libraries/StellaOps.Notify.Engine/AGENTS.md b/src/Notify/__Libraries/StellaOps.Notify.Engine/AGENTS.md index 5df9e897..a91af908 100644 --- a/src/Notify/__Libraries/StellaOps.Notify.Engine/AGENTS.md +++ b/src/Notify/__Libraries/StellaOps.Notify.Engine/AGENTS.md 
@@ -1,4 +1,15 @@ -# StellaOps.Notify.Engine — Agent Charter - -## Mission -Deliver rule evaluation, digest, and rendering logic per `docs/modules/notify/ARCHITECTURE.md`. +# StellaOps.Notify.Engine — Agent Charter + +## Mission +Deliver rule evaluation, digest, and rendering logic per `docs/modules/notify/ARCHITECTURE.md`. + +## Required Reading +- `docs/modules/notify/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Notify/__Libraries/StellaOps.Notify.Models/AGENTS.md b/src/Notify/__Libraries/StellaOps.Notify.Models/AGENTS.md index 10e0516a..38556b6c 100644 --- a/src/Notify/__Libraries/StellaOps.Notify.Models/AGENTS.md +++ b/src/Notify/__Libraries/StellaOps.Notify.Models/AGENTS.md 
@@ -1,4 +1,15 @@ -# StellaOps.Notify.Models — Agent Charter - -## Mission -Define Notify DTOs and contracts per `docs/modules/notify/ARCHITECTURE.md`. +# StellaOps.Notify.Models — Agent Charter + +## Mission +Define Notify DTOs and contracts per `docs/modules/notify/ARCHITECTURE.md`. + +## Required Reading +- `docs/modules/notify/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Notify/__Libraries/StellaOps.Notify.Queue/AGENTS.md b/src/Notify/__Libraries/StellaOps.Notify.Queue/AGENTS.md index 1c8a7217..1aa11fea 100644 --- a/src/Notify/__Libraries/StellaOps.Notify.Queue/AGENTS.md +++ b/src/Notify/__Libraries/StellaOps.Notify.Queue/AGENTS.md 
@@ -1,4 +1,15 @@ -# StellaOps.Notify.Queue — Agent Charter - -## Mission -Provide event & delivery queues for Notify per `docs/modules/notify/ARCHITECTURE.md`. +# StellaOps.Notify.Queue — Agent Charter + +## Mission +Provide event & delivery queues for Notify per `docs/modules/notify/ARCHITECTURE.md`. + +## Required Reading +- `docs/modules/notify/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Notify/__Libraries/StellaOps.Notify.Storage.Mongo/AGENTS.md b/src/Notify/__Libraries/StellaOps.Notify.Storage.Mongo/AGENTS.md index a7b8fa08..f7bfbea6 100644 --- a/src/Notify/__Libraries/StellaOps.Notify.Storage.Mongo/AGENTS.md +++ b/src/Notify/__Libraries/StellaOps.Notify.Storage.Mongo/AGENTS.md 
@@ -1,4 +1,15 @@ -# StellaOps.Notify.Storage.Mongo — Agent Charter - -## Mission -Implement Mongo persistence (rules, channels, deliveries, digests, locks, audit) per `docs/modules/notify/ARCHITECTURE.md`. +# StellaOps.Notify.Storage.Mongo — Agent Charter + +## Mission +Implement Mongo persistence (rules, channels, deliveries, digests, locks, audit) per `docs/modules/notify/ARCHITECTURE.md`. + +## Required Reading +- `docs/modules/notify/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/AGENTS.md b/src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/AGENTS.md index 2a11005e..e354e973 100644 --- a/src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/AGENTS.md +++ b/src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/AGENTS.md 
@@ -1,10 +1,21 @@ -# Worker SDK (Go) — Agent Charter - -## Mission -Provide the official Go SDK for StellaOps orchestrated workers. Implement claim/heartbeat/progress clients, artifact publishing, error classification, and guardrails so Concelier, Excititor, SBOM, Policy, and other teams can integrate with the orchestrator deterministically. - -## Responsibilities -- Maintain idiomatic Go client with configurable transports, retries, and tenant-aware headers. -- Surface structured metrics/logging hooks mirroring orchestrator expectations. -- Enforce idempotency token usage, artifact checksum publication, and backfill/watermark handshakes. -- Coordinate release cadence with Worker Python SDK, orchestrator service, DevOps packaging, and Offline Kit requirements. +# Worker SDK (Go) — Agent Charter + +## Mission +Provide the official Go SDK for StellaOps orchestrated workers. Implement claim/heartbeat/progress clients, artifact publishing, error classification, and guardrails so Concelier, Excititor, SBOM, Policy, and other teams can integrate with the orchestrator deterministically. + +## Responsibilities +- Maintain idiomatic Go client with configurable transports, retries, and tenant-aware headers. +- Surface structured metrics/logging hooks mirroring orchestrator expectations. +- Enforce idempotency token usage, artifact checksum publication, and backfill/watermark handshakes. +- Coordinate release cadence with Worker Python SDK, orchestrator service, DevOps packaging, and Offline Kit requirements. + +## Required Reading +- `docs/modules/orchestrator/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. 
Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/AGENTS.md b/src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/AGENTS.md index 1b473159..74791c03 100644 --- a/src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/AGENTS.md +++ b/src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/AGENTS.md 
@@ -1,10 +1,21 @@ -# Worker SDK (Python) — Agent Charter - -## Mission -Publish the Python client library for StellaOps orchestrated workers. Provide asyncio-friendly claim/heartbeat/progress APIs, artifact publishing helpers, error handling, and observability hooks aligned with Epic 9 requirements and the imposed rule for cross-component parity. - -## Responsibilities -- Maintain typed client (httpx/async) with retry/backoff primitives mirroring orchestrator expectations. -- Surface structured metrics/logging instrumentation and pluggable exporters. -- Enforce idempotency token usage, artifact checksum publication, and watermark/backfill helpers. -- Coordinate versioning with Go SDK, orchestrator service contracts, DevOps packaging, and Offline Kit deliverables. +# Worker SDK (Python) — Agent Charter + +## Mission +Publish the Python client library for StellaOps orchestrated workers. Provide asyncio-friendly claim/heartbeat/progress APIs, artifact publishing helpers, error handling, and observability hooks aligned with Epic 9 requirements and the imposed rule for cross-component parity. + +## Responsibilities +- Maintain typed client (httpx/async) with retry/backoff primitives mirroring orchestrator expectations. +- Surface structured metrics/logging instrumentation and pluggable exporters. +- Enforce idempotency token usage, artifact checksum publication, and watermark/backfill helpers. +- Coordinate versioning with Go SDK, orchestrator service contracts, DevOps packaging, and Offline Kit deliverables. + +## Required Reading +- `docs/modules/orchestrator/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. 
Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Orchestrator/StellaOps.Orchestrator/AGENTS.md b/src/Orchestrator/StellaOps.Orchestrator/AGENTS.md index 70eeda88..9e77f99e 100644 --- a/src/Orchestrator/StellaOps.Orchestrator/AGENTS.md +++ b/src/Orchestrator/StellaOps.Orchestrator/AGENTS.md 
@@ -1,18 +1,29 @@ -# StellaOps Orchestrator Service — Agent Charter - -## Mission -Build and operate the Source & Job Orchestrator control plane described in Epic 9. Own scheduler, job state persistence, rate limiting, audit/provenance exports, and realtime streaming APIs while respecting the imposed rule: work of this type must be applied everywhere it belongs. - -## Key Responsibilities -- Maintain deterministic Postgres schema/migrations for sources, runs, jobs, dag edges, artifacts, quotas, and schedules. -- Implement DAG planner, token-bucket rate limiting, watermark/backfill manager, dead-letter replay, and horizontal scale guards. -- Publish REST + WebSocket/SSE APIs powering Console/CLI, capture audit trails, and guard tenant isolation/RBAC scopes. -- Coordinate with Worker SDK, Concelier, Excititor, SBOM, Policy, VEX Lens, Findings Ledger, Authority, Console, CLI, DevOps, and Docs teams to keep integrations in sync. - -## Module Layout -- `StellaOps.Orchestrator.Core/` — scheduler primitives, DAG models, rate limit policies. -- `StellaOps.Orchestrator.Infrastructure/` — Postgres DAL, queue integrations, telemetry shims. -- `StellaOps.Orchestrator.WebService/` — control-plane APIs (sources, runs, jobs, streams). -- `StellaOps.Orchestrator.Worker/` — execution coordinator / lease manager loops. -- `StellaOps.Orchestrator.Tests/` — unit tests for core/infrastructure concerns. -- `StellaOps.Orchestrator.sln` — solution bundling orchestrator components. +# StellaOps Orchestrator Service — Agent Charter + +## Mission +Build and operate the Source & Job Orchestrator control plane described in Epic 9. Own scheduler, job state persistence, rate limiting, audit/provenance exports, and realtime streaming APIs while respecting the imposed rule: work of this type must be applied everywhere it belongs. + +## Key Responsibilities +- Maintain deterministic Postgres schema/migrations for sources, runs, jobs, dag edges, artifacts, quotas, and schedules. 
+- Implement DAG planner, token-bucket rate limiting, watermark/backfill manager, dead-letter replay, and horizontal scale guards. +- Publish REST + WebSocket/SSE APIs powering Console/CLI, capture audit trails, and guard tenant isolation/RBAC scopes. +- Coordinate with Worker SDK, Concelier, Excititor, SBOM, Policy, VEX Lens, Findings Ledger, Authority, Console, CLI, DevOps, and Docs teams to keep integrations in sync. + +## Module Layout +- `StellaOps.Orchestrator.Core/` — scheduler primitives, DAG models, rate limit policies. +- `StellaOps.Orchestrator.Infrastructure/` — Postgres DAL, queue integrations, telemetry shims. +- `StellaOps.Orchestrator.WebService/` — control-plane APIs (sources, runs, jobs, streams). +- `StellaOps.Orchestrator.Worker/` — execution coordinator / lease manager loops. +- `StellaOps.Orchestrator.Tests/` — unit tests for core/infrastructure concerns. +- `StellaOps.Orchestrator.sln` — solution bundling orchestrator components. + +## Required Reading +- `docs/modules/orchestrator/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/PacksRegistry/StellaOps.PacksRegistry/AGENTS.md b/src/PacksRegistry/StellaOps.PacksRegistry/AGENTS.md index 8b8136ca..a4f22390 100644 --- a/src/PacksRegistry/StellaOps.PacksRegistry/AGENTS.md +++ b/src/PacksRegistry/StellaOps.PacksRegistry/AGENTS.md 
@@ -1,17 +1,28 @@ -# Packs Registry Service — Agent Charter - -## Mission -Host signed Task Pack bundles with provenance and RBAC for Epic 12. Ensure packs are verifiable, auditable, and distributed safely, respecting the imposed rule to propagate similar safeguards elsewhere. - -## Responsibilities -- Maintain packs index, signature verification, provenance metadata, tenant visibility, and registry APIs. -- Integrate with CLI, Task Runner, Orchestrator, Authority, Export Center, and DevOps tooling. -- Guarantee deterministic digest computations, immutable history, and secure storage of pack artefacts. - -## Module Layout -- `StellaOps.PacksRegistry.Core/` — pack catalogue models, validation, lifecycle orchestration. -- `StellaOps.PacksRegistry.Infrastructure/` — storage providers, signature verification hooks, provenance stores. -- `StellaOps.PacksRegistry.WebService/` — registry APIs and RBAC enforcement. -- `StellaOps.PacksRegistry.Worker/` — background reconciliation, mirroring, and rotation jobs. -- `StellaOps.PacksRegistry.Tests/` — unit tests validating core/infrastructure logic. -- `StellaOps.PacksRegistry.sln` — module solution. +# Packs Registry Service — Agent Charter + +## Mission +Host signed Task Pack bundles with provenance and RBAC for Epic 12. Ensure packs are verifiable, auditable, and distributed safely, respecting the imposed rule to propagate similar safeguards elsewhere. + +## Responsibilities +- Maintain packs index, signature verification, provenance metadata, tenant visibility, and registry APIs. +- Integrate with CLI, Task Runner, Orchestrator, Authority, Export Center, and DevOps tooling. +- Guarantee deterministic digest computations, immutable history, and secure storage of pack artefacts. + +## Module Layout +- `StellaOps.PacksRegistry.Core/` — pack catalogue models, validation, lifecycle orchestration. +- `StellaOps.PacksRegistry.Infrastructure/` — storage providers, signature verification hooks, provenance stores. 
+- `StellaOps.PacksRegistry.WebService/` — registry APIs and RBAC enforcement. +- `StellaOps.PacksRegistry.Worker/` — background reconciliation, mirroring, and rotation jobs. +- `StellaOps.PacksRegistry.Tests/` — unit tests validating core/infrastructure logic. +- `StellaOps.PacksRegistry.sln` — module solution. + +## Required Reading +- `docs/modules/platform/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Policy/StellaOps.Policy.Engine/AGENTS.md b/src/Policy/StellaOps.Policy.Engine/AGENTS.md index 363045a4..60f4007a 100644 --- a/src/Policy/StellaOps.Policy.Engine/AGENTS.md +++ b/src/Policy/StellaOps.Policy.Engine/AGENTS.md 
@@ -1,18 +1,29 @@ -# StellaOps.Policy.Engine — Agent Charter - -## Mission -Stand up the Policy Engine runtime host that evaluates organization policies against SBOM/advisory/VEX inputs with deterministic, replayable results. Deliver the API/worker orchestration, materialization writers, and observability stack described in Epic 2 (Policy Engine v2). - -## Scope -- Minimal API host & background workers for policy runs (full, incremental, simulate). -- Mongo persistence for `policies`, `policy_runs`, and `effective_finding_*` collections. -- Change stream listeners and scheduler integration for incremental re-evaluation. -- Authority integration enforcing new `policy:*` and `effective:write` scopes. -- Observability: metrics, traces, structured logs, trace sampling. - -## Expectations -- Keep endpoints deterministic, cancellation-aware, and tenant-scoped. -- Only Policy Engine identity performs writes to effective findings. -- Coordinate with Concelier/Excititor/Scheduler guilds for linkset joins and orchestration inputs. +# StellaOps.Policy.Engine — Agent Charter + +## Mission +Stand up the Policy Engine runtime host that evaluates organization policies against SBOM/advisory/VEX inputs with deterministic, replayable results. Deliver the API/worker orchestration, materialization writers, and observability stack described in Epic 2 (Policy Engine v2). + +## Scope +- Minimal API host & background workers for policy runs (full, incremental, simulate). +- Mongo persistence for `policies`, `policy_runs`, and `effective_finding_*` collections. +- Change stream listeners and scheduler integration for incremental re-evaluation. +- Authority integration enforcing new `policy:*` and `effective:write` scopes. +- Observability: metrics, traces, structured logs, trace sampling. + +## Expectations +- Keep endpoints deterministic, cancellation-aware, and tenant-scoped. +- Only Policy Engine identity performs writes to effective findings. 
+- Coordinate with Concelier/Excititor/Scheduler guilds for linkset joins and orchestration inputs. - Update `TASKS.md`, `../../docs/implplan/SPRINTS.md` when status changes. -- Maintain compliance checklists and schema docs alongside code updates. +- Maintain compliance checklists and schema docs alongside code updates. + +## Required Reading +- `docs/modules/policy/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Policy/StellaOps.Policy.Registry/AGENTS.md b/src/Policy/StellaOps.Policy.Registry/AGENTS.md index 3c2c6f0b..6417b3d3 100644 --- a/src/Policy/StellaOps.Policy.Registry/AGENTS.md +++ b/src/Policy/StellaOps.Policy.Registry/AGENTS.md 
@@ -32,3 +32,14 @@ Stand up and operate the Policy Registry service defined in Epic 4. We own works - Telemetry (metrics/logs/traces) wired with tenant context. - Docs/reference updated; OpenAPI regenerated. - Feature flags + configuration defaults documented. + +## Required Reading +- `docs/modules/policy/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Policy/StellaOps.Policy.RiskProfile/AGENTS.md b/src/Policy/StellaOps.Policy.RiskProfile/AGENTS.md index 7de4719f..4e752011 100644 --- a/src/Policy/StellaOps.Policy.RiskProfile/AGENTS.md +++ b/src/Policy/StellaOps.Policy.RiskProfile/AGENTS.md 
@@ -1,15 +1,26 @@ -# Risk Profile Schema Guild Charter - -## Mission -Define and maintain the RiskProfile schema, validation rules, inheritance logic, and integration with Policy Engine and Authority scoping. - -## Scope -- JSON Schema definition, validators, and code generation for RiskProfile documents. -- Inheritance/merge engine, content hashing, and signature support. -- Policy store integration, scope selectors, and lifecycle management. -- Tooling for Policy Studio and CLI authoring. - -## Definition of Done -- Schema publishes via `.well-known/risk-profile-schema` with versioning. -- Validators catch conflicts and produce actionable errors. -- Inheritance and overrides deterministic with tests and golden fixtures. +# Risk Profile Schema Guild Charter + +## Mission +Define and maintain the RiskProfile schema, validation rules, inheritance logic, and integration with Policy Engine and Authority scoping. + +## Scope +- JSON Schema definition, validators, and code generation for RiskProfile documents. +- Inheritance/merge engine, content hashing, and signature support. +- Policy store integration, scope selectors, and lifecycle management. +- Tooling for Policy Studio and CLI authoring. + +## Definition of Done +- Schema publishes via `.well-known/risk-profile-schema` with versioning. +- Validators catch conflicts and produce actionable errors. +- Inheritance and overrides deterministic with tests and golden fixtures. + +## Required Reading +- `docs/modules/policy/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. 
Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Policy/__Libraries/StellaOps.Policy/AGENTS.md b/src/Policy/__Libraries/StellaOps.Policy/AGENTS.md index 69482dac..9e4c6ceb 100644 --- a/src/Policy/__Libraries/StellaOps.Policy/AGENTS.md +++ b/src/Policy/__Libraries/StellaOps.Policy/AGENTS.md 
@@ -1,12 +1,23 @@ -# StellaOps.Policy — Agent Charter - -## Mission -Deliver the policy engine outlined in `docs/modules/scanner/ARCHITECTURE.md` and related prose: -- Define YAML schema (ignore rules, VEX inclusion/exclusion, vendor precedence, license gates). -- Provide policy snapshot storage with revision digests and diagnostics. -- Offer preview APIs to compare policy impacts on existing reports. - -## Expectations -- Coordinate with Scanner.WebService, Feedser, Vexer, UI, Notify. -- Maintain deterministic serialization and unit tests for precedence rules. -- Update `TASKS.md` and broadcast contract changes. +# StellaOps.Policy — Agent Charter + +## Mission +Deliver the policy engine outlined in `docs/modules/scanner/ARCHITECTURE.md` and related prose: +- Define YAML schema (ignore rules, VEX inclusion/exclusion, vendor precedence, license gates). +- Provide policy snapshot storage with revision digests and diagnostics. +- Offer preview APIs to compare policy impacts on existing reports. + +## Expectations +- Coordinate with Scanner.WebService, Feedser, Vexer, UI, Notify. +- Maintain deterministic serialization and unit tests for precedence rules. +- Update `TASKS.md` and broadcast contract changes. + +## Required Reading +- `docs/modules/policy/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. 
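Review bot: in the `src/Policy/__Libraries/StellaOps.Policy/AGENTS.md` hunk the Mission still points at `docs/modules/scanner/ARCHITECTURE.md` while the new Required Reading points at `docs/modules/policy/architecture.md`; those are different modules and different casing, and on a case-sensitive checkout at most one of them resolves, so pick the document that actually describes this library and cite it in both places. The Expectations line `Coordinate with Scanner.WebService, Feedser, Vexer, UI, Notify.` also carries the old service names, whereas the Policy.Engine charter in this same patch says Concelier/Excititor; since every line of this file is being rewritten anyway, update the names here as well.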
diff --git a/src/Provenance/StellaOps.Provenance.Attestation/AGENTS.md b/src/Provenance/StellaOps.Provenance.Attestation/AGENTS.md index 09c103f8..d3011e3e 100644 --- a/src/Provenance/StellaOps.Provenance.Attestation/AGENTS.md +++ b/src/Provenance/StellaOps.Provenance.Attestation/AGENTS.md 
@@ -1,20 +1,31 @@ -# StellaOps Provenance & Attestation Guild Charter - -## Mission -Provide shared libraries and tooling for generating, signing, and verifying provenance attestations (DSSE/SLSA) used by evidence bundles, exports, and timeline verification flows. - -## Scope -- DSSE statement builders with Merkle and digest utilities. -- Signer/validator abstractions for KMS, cosign, offline keys. -- Provenance schema definitions reused across services and CLI. -- Verification harnesses for evidence locker and export center integrations. - -## Collaboration -- Partner with Evidence Locker, Exporter, Orchestrator, and CLI guilds for integration. -- Coordinate with Security Guild on key management policies and rotation logs. -- Ensure docs in `/docs/forensics/provenance-attestation.md` stay aligned with implementation. - -## Definition of Done -- Libraries ship with deterministic serialization tests. -- Threat model reviewed before each release. -- Sample statements and verification scripts committed under `samples/provenance/`. +# StellaOps Provenance & Attestation Guild Charter + +## Mission +Provide shared libraries and tooling for generating, signing, and verifying provenance attestations (DSSE/SLSA) used by evidence bundles, exports, and timeline verification flows. + +## Scope +- DSSE statement builders with Merkle and digest utilities. +- Signer/validator abstractions for KMS, cosign, offline keys. +- Provenance schema definitions reused across services and CLI. +- Verification harnesses for evidence locker and export center integrations. + +## Collaboration +- Partner with Evidence Locker, Exporter, Orchestrator, and CLI guilds for integration. +- Coordinate with Security Guild on key management policies and rotation logs. +- Ensure docs in `docs/forensics/provenance-attestation.md` stay aligned with implementation. + +## Definition of Done +- Libraries ship with deterministic serialization tests. +- Threat model reviewed before each release. 
+- Sample statements and verification scripts committed under `samples/provenance/`. + +## Required Reading +- `docs/forensics/provenance-attestation.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/RiskEngine/StellaOps.RiskEngine/AGENTS.md b/src/RiskEngine/StellaOps.RiskEngine/AGENTS.md index ff87ddc0..a15d08b6 100644 --- a/src/RiskEngine/StellaOps.RiskEngine/AGENTS.md +++ b/src/RiskEngine/StellaOps.RiskEngine/AGENTS.md 
@@ -1,23 +1,33 @@ -# Risk Engine Guild Charter - -## Mission -Design, build, and operate the scoring runtime that computes Risk Scoring Profiles across StellaOps deployments while preserving provenance and explainability. - -## Scope -- Scoring workers, job scheduler, provider registry, caching, and explainability artifacts. -- Integration with Findings Ledger, Conseiller, Excitator, and Policy Engine. -- Performance, determinism, and observability of scoring jobs. -- Air-gapped support through offline factor bundles. - -## Definition of Done -- Scoring jobs execute deterministically with audit trails and explainability payloads. -- Providers registered with TTLs and health checks; missing data surfaced explicitly. -- Benchmarks and SLO dashboards in place with incident response runbooks. - -## Module Layout -- `StellaOps.RiskEngine.Core/` — scoring orchestrators, provider contracts, explainability models. -- `StellaOps.RiskEngine.Infrastructure/` — persistence, caching, provider loading, external data connectors. -- `StellaOps.RiskEngine.WebService/` — APIs for jobs, results, explanations. -- `StellaOps.RiskEngine.Worker/` — execution loops, provider refreshers, scoring pipelines. -- `StellaOps.RiskEngine.Tests/` — unit tests for core/infrastructure services. -- `StellaOps.RiskEngine.sln` — solution unifying module projects. +# Risk Engine Guild Charter + +## Mission +Design, build, and operate the scoring runtime that computes Risk Scoring Profiles across StellaOps deployments while preserving provenance and explainability. + +## Scope +- Scoring workers, job scheduler, provider registry, caching, and explainability artifacts. +- Integration with Findings Ledger, Conseiller, Excitator, and Policy Engine. +- Performance, determinism, and observability of scoring jobs. +- Air-gapped support through offline factor bundles. + +## Definition of Done +- Scoring jobs execute deterministically with audit trails and explainability payloads. 
+- Providers registered with TTLs and health checks; missing data surfaced explicitly. +- Benchmarks and SLO dashboards in place with incident response runbooks. + +## Module Layout +- `StellaOps.RiskEngine.Core/` — scoring orchestrators, provider contracts, explainability models. +- `StellaOps.RiskEngine.Infrastructure/` — persistence, caching, provider loading, external data connectors. +- `StellaOps.RiskEngine.WebService/` — APIs for jobs, results, explanations. +- `StellaOps.RiskEngine.Worker/` — execution loops, provider refreshers, scoring pipelines. +- `StellaOps.RiskEngine.Tests/` — unit tests for core/infrastructure services. +- `StellaOps.RiskEngine.sln` — solution unifying module projects. + +## Required Reading +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/SbomService/StellaOps.SbomService/AGENTS.md b/src/SbomService/StellaOps.SbomService/AGENTS.md index ca9044fb..2dc8a4ef 100644 --- a/src/SbomService/StellaOps.SbomService/AGENTS.md +++ b/src/SbomService/StellaOps.SbomService/AGENTS.md 
@@ -1,15 +1,25 @@ -# StellaOps.SbomService — Agent Charter - -## Mission -Expose normalized SBOM projections (components, relationships, scopes, entrypoints) that downstream systems such as Cartographer, Policy Engine, and Scheduler consume. Maintain deterministic SBOM versioning, change events, and tenant-aware access patterns. - -## Responsibilities -- Normalize ingest from Scanner outputs/CycloneDX/SPDX artifacts into canonical documents. -- Provide APIs for SBOM metadata, projections, entrypoint catalogs, and version history. -- Emit change events when SBOMs are added or updated so Cartographer and overlay workers can react. -- Enforce Authority scopes/tenancy and deliver observability for SBOM projection latency. - -## Expectations -- SBOM documents remain immutable once published; new versions append only. -- Keep projections deterministic and schema-validated; include compliance checklists. -- Update `TASKS.md` whenever status changes and coordinate with Cartographer/Scheduler guilds. +# StellaOps.SbomService — Agent Charter + +## Mission +Expose normalized SBOM projections (components, relationships, scopes, entrypoints) that downstream systems such as Cartographer, Policy Engine, and Scheduler consume. Maintain deterministic SBOM versioning, change events, and tenant-aware access patterns. + +## Responsibilities +- Normalize ingest from Scanner outputs/CycloneDX/SPDX artifacts into canonical documents. +- Provide APIs for SBOM metadata, projections, entrypoint catalogs, and version history. +- Emit change events when SBOMs are added or updated so Cartographer and overlay workers can react. +- Enforce Authority scopes/tenancy and deliver observability for SBOM projection latency. + +## Expectations +- SBOM documents remain immutable once published; new versions append only. +- Keep projections deterministic and schema-validated; include compliance checklists. +- Update `TASKS.md` whenever status changes and coordinate with Cartographer/Scheduler guilds. 
+ +## Required Reading +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/AGENTS.md b/src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/AGENTS.md new file mode 100644 index 00000000..cd31a55b --- /dev/null +++ b/src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/AGENTS.md 
@@ -0,0 +1,27 @@ +# Scanner Deno Analyzer Guild Charter + +## Mission +Deliver deterministic Deno language analyzers that normalise project inputs, reconstruct module graphs, and surface package/runtime metadata for Scanner’s inventory and usage SBOMs. The analyzers must operate offline, respect the Aggregation-Only Contract, and integrate with shared Surface libraries. + +## Scope +- Normaliser, graph builder, and output emitters under `StellaOps.Scanner.Analyzers.Lang.Deno`. +- Integration with shared Surface libraries (Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation). +- Fixtures and determinism harness specific to Deno projects (vendor/cache/npm bridge scenarios). +- Documentation/comments explaining resolution rules and limitations. + +## Required Reading +- `docs/modules/scanner/architecture.md` +- `docs/modules/scanner/design/surface-env.md` +- `docs/modules/scanner/design/surface-fs.md` +- `docs/modules/scanner/design/surface-secrets.md` +- `docs/modules/scanner/design/surface-validation.md` +- `docs/modules/scanner/implementation_plan.md` (language analyzer sections) +- Deno package/docs linked in sprint notes (ensure understanding of import maps, lockfiles, cache behaviour). + +## Working Agreement +1. **State synchronisation**: update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and local `TASKS.md` when work starts/finishes. +2. **Surface integration**: use shared Surface libraries for env detection, cache access, secret retrieval, and validation. +3. **Deterministic processing**: no network fetches; rely on cached artifacts; stabilise ordering and timestamps. +4. **SBOM contract**: populate component data (PURLs, versions, relationships) without deriving policy decisions. +5. **Testing**: extend golden fixtures, determinism harness, and property tests before merging changes. +6. 
**Docs & handoff**: update analyzer notes in `docs/modules/scanner/implementation_plan.md` or contribute a Deno-specific design note when behaviour changes. diff --git a/src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/AGENTS.md b/src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/AGENTS.md new file mode 100644 index 00000000..0653b50d --- /dev/null +++ b/src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/AGENTS.md 
@@ -0,0 +1,27 @@ +# Scanner PHP Analyzer Guild Charter + +## Mission +Build deterministic PHP analyzers that normalise composer-based projects, map dependencies/autoload behaviour, and supply Scanner with accurate inventory/usage data. Outputs must be reproducible offline, leverage shared Surface libraries, and align with SBOM contracts. + +## Scope +- Input normaliser, composer/autoload analyzers, and emitters in `StellaOps.Scanner.Analyzers.Lang.Php`. +- Integration with Surface.Env/FS/Secrets/Validation. +- Fixtures covering frameworks (Laravel, Symfony), CMS (WordPress, Drupal), FPM configs, and container layers. +- Documentation for autoload resolution, vendor layout handling, and env detection. + +## Required Reading +- `docs/modules/scanner/architecture.md` +- `docs/modules/scanner/design/surface-env.md` +- `docs/modules/scanner/design/surface-fs.md` +- `docs/modules/scanner/design/surface-secrets.md` +- `docs/modules/scanner/design/surface-validation.md` +- `docs/modules/scanner/implementation_plan.md` (language analyzer roadmap) +- Composer/autoload references noted in sprint tasks. + +## Working Agreement +1. **Status updates**: reflect `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and local `TASKS.md` before/after any change. +2. **Deterministic inputs**: avoid hitting remote composer registries; rely on local vendor/lockfiles; record config provenance. +3. **Surface compliance**: route env, cache, and secret lookups through shared Surface libraries; run Surface.Validation before analysis. +4. **SBOM integrity**: generate stable package identifiers, autoload edges, and bin scripts while abstaining from policy decisions. +5. **Testing**: maintain golden fixtures, determinism harness, and regression suites; add new scenarios when behaviour shifts. +6. **Documentation**: update implementation notes or add PHP-specific design addenda when algorithms change; notify Docs Guild if tutorials require refresh. 
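Review bot: Working Agreement item 2 of the PHP charter (`avoid hitting remote composer registries; rely on local vendor/lockfiles`) should also state that the analyzer never executes anything from the scanned tree: no `composer` invocation, no loading of `vendor/autoload.php`, no running of `scripts` entries from `composer.json`. The Mission asks the analyzer to map `autoload behaviour`, and the easiest way to do that is to let Composer do it, which would turn a scan of an untrusted project tree into code execution on the scanner host. The same sentence belongs in the Deno and Ruby charters in this patch, which only promise `no network fetches`.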
diff --git a/src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/AGENTS.md b/src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/AGENTS.md new file mode 100644 index 00000000..72bc2a43 --- /dev/null +++ b/src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/AGENTS.md 
@@ -0,0 +1,29 @@ +# Scanner Ruby Analyzer Guild Charter + +## Mission +Provide deterministic Ruby analyzers that interpret bundler/gemspec ecosystems, build dependency graphs, and surface runtime metadata for Scanner SBOM generation. Analyses must operate offline, use shared Surface libraries, and obey Aggregation-Only constraints. + +## Scope +- Normaliser, bundler analyzer, and emitters in `StellaOps.Scanner.Analyzers.Lang.Ruby`. +- Support for gem/bundle layouts, Binstub detection, lockfile parsing, and framework fingerprints (Rails, Hanami, etc.). +- Integration with Surface.Env/FS/Secrets/Validation. +- Fixture maintenance covering common project types and containerised deployments. + +## Required Reading +- `docs/modules/scanner/architecture.md` +- `docs/modules/scanner/design/surface-env.md` +- `docs/modules/scanner/design/surface-fs.md` +- `docs/modules/scanner/design/surface-secrets.md` +- `docs/modules/scanner/design/surface-validation.md` +- `docs/modules/scanner/implementation_plan.md` (language analyzer sections) +- Bundler/gemspec references from sprint tasks. + +## Working Agreement +1. **Synchronise task state** in both `docs/implplan/SPRINTS.md` and local `TASKS.md` when starting/finishing work. +2. **Offline guarantees**: rely on local gems cache/vendor directories; no network fetches; capture provenance for configs. +3. **Surface alignment**: route environment/cache/secret access via Surface libraries; run shared validators first. +4. **Deterministic outputs**: maintain stable ordering, normalised paths, and consistent hashing. +5. **Testing**: extend golden fixtures and determinism harness; cover edge cases (platform-specific gems, native extensions, Binstubs). +6. **Documentation**: update analyzer notes in implementation plan or add Ruby-focused design doc when behaviour evolves; coordinate with Docs if CLI/UI guides need updates. + +- 1. 
Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. diff --git a/src/Scanner/StellaOps.Scanner.Analyzers.Native/AGENTS.md b/src/Scanner/StellaOps.Scanner.Analyzers.Native/AGENTS.md new file mode 100644 index 00000000..454f8e23 --- /dev/null +++ b/src/Scanner/StellaOps.Scanner.Analyzers.Native/AGENTS.md 
@@ -0,0 +1,27 @@ +# Scanner Native Analyzer Guild Charter + +## Mission +Deliver deterministic native binary analyzers that detect entrypoints, dependency edges, and loader behaviours across ELF, PE/COFF, and Mach-O formats. Outputs feed Scanner’s SBOM and runtime posture workflows and must integrate with shared Surface libraries while satisfying Aggregation-Only constraints. + +## Scope +- Format detectors, parsers, and resolver engines in `StellaOps.Scanner.Analyzers.Native`. +- Runtime capture adapters (eBPF/ETW/dyld) for optional evidence. +- Integration with Surface.Env/FS/Secrets/Validation and Scanner writer APIs. +- Fixture curation spanning Linux/Windows/macOS binaries. + +## Required Reading +- `docs/modules/scanner/architecture.md` +- `docs/modules/scanner/design/surface-env.md` +- `docs/modules/scanner/design/surface-fs.md` +- `docs/modules/scanner/design/surface-secrets.md` +- `docs/modules/scanner/design/surface-validation.md` +- `docs/modules/scanner/implementation_plan.md` (native analyzer sections) +- Platform-specific loader references cited in sprint notes (e.g., ld.so, SafeDll search, dyld). + +## Working Agreement +1. **Status sync** – set task state to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and local `TASKS.md` when starting/finishing work. +2. **Surface usage** – run Surface.Validation, use Surface.Env for configuration, Surface.FS for cached artefacts, and Surface.Secrets for protected inputs. +3. **Determinism** – no host filesystem lookups; rely on virtual image roots; stabilise ordering and timestamps. +4. **AOC compliance** – emit observations/edges without severity or policy interpretation; include provenance and reason codes. +5. **Testing** – maintain golden fixtures per platform, determinism harness, runtime capture simulations, and performance budgets. +6. **Documentation** – update implementation plan or create dedicated design notes when algorithms change; coordinate with Docs/Signals guilds for runtime adapters. 
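Review bot: Working Agreement item 3 of the Native charter (`no host filesystem lookups; rely on virtual image roots`) and the Scope line `Runtime capture adapters (eBPF/ETW/dyld) for optional evidence` are in tension: eBPF and ETW capture run on the host, need elevated privileges, and cannot work from a virtual image root. State explicitly that the capture adapters are a separate, privileged component whose output enters the analyzer as evidence with provenance (item 4 already requires provenance and reason codes), and that the static ELF/PE/Mach-O parsers themselves never leave the image root. Minor: `SafeDll search` in Required Reading presumably means the Windows `SafeDllSearchMode` setting; spell it out so the reference is searchable.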
diff --git a/src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/AGENTS.md b/src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/AGENTS.md index bf291699..e9e61b25 100644 --- a/src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/AGENTS.md +++ b/src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/AGENTS.md 
@@ -1,12 +1,23 @@ -# StellaOps.Scanner.Sbomer.BuildXPlugin — Agent Charter - -## Mission -Implement the build-time SBOM generator described in `docs/modules/scanner/ARCHITECTURE.md` and new buildx dossier requirements: -- Provide a deterministic BuildKit/Buildx generator that produces layer SBOM fragments and uploads them to local CAS. -- Emit OCI annotations (+provenance) compatible with Scanner.Emit and Attestor hand-offs. -- Respect restart-time plug-in policy (`plugins/scanner/buildx/` manifests) and keep CI overhead ≤300 ms per layer. - -## Expectations -- Read architecture + upcoming Buildx addendum before coding. -- Ensure graceful fallback to post-build scan when generator unavailable. -- Provide integration tests with mock BuildKit, and update `TASKS.md` as states change. +# StellaOps.Scanner.Sbomer.BuildXPlugin — Agent Charter + +## Mission +Implement the build-time SBOM generator described in `docs/modules/scanner/ARCHITECTURE.md` and new buildx dossier requirements: +- Provide a deterministic BuildKit/Buildx generator that produces layer SBOM fragments and uploads them to local CAS. +- Emit OCI annotations (+provenance) compatible with Scanner.Emit and Attestor hand-offs. +- Respect restart-time plug-in policy (`plugins/scanner/buildx/` manifests) and keep CI overhead ≤300 ms per layer. + +## Expectations +- Read architecture + upcoming Buildx addendum before coding. +- Ensure graceful fallback to post-build scan when generator unavailable. +- Provide integration tests with mock BuildKit, and update `TASKS.md` as states change. + +## Required Reading +- `docs/modules/scanner/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. 
Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md b/src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md index 9ae89c62..c54f1ea0 100644 --- a/src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md +++ b/src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md @@ -2,3 +2,6 @@ | ID | Status | Owner(s) | Depends on | Description | Exit Criteria | |----|--------|----------|------------|-------------|---------------| +| SCANNER-SURFACE-03 | TODO | BuildX Plugin Guild | SURFACE-FS-02 | Push layer manifests and entry fragments into Surface.FS during build-time SBOM generation. | BuildX integration tests confirm cache population; CLI docs updated. | +| SCANNER-ENV-03 | TODO | BuildX Plugin Guild | SURFACE-ENV-02 | Adopt Surface.Env helpers for plugin configuration (cache roots, CAS endpoints, feature toggles). | Plugin loads helper; misconfig errors logged; README updated. | +| SCANNER-SECRETS-03 | TODO | BuildX Plugin Guild, Security Guild | SURFACE-SECRETS-02 | Use Surface.Secrets to retrieve registry credentials when interacting with CAS/referrers. | Secrets retrieved via shared library; e2e tests cover rotation; operations guide refreshed. | diff --git a/src/Scanner/StellaOps.Scanner.WebService/AGENTS.md b/src/Scanner/StellaOps.Scanner.WebService/AGENTS.md new file mode 100644 index 00000000..d8a6695e --- /dev/null +++ b/src/Scanner/StellaOps.Scanner.WebService/AGENTS.md 
@@ -0,0 +1,29 @@ +# Scanner WebService Guild Charter + +## Mission +Operate the Scanner WebService API, orchestrating scan requests, queue interactions, artifact delivery, and integration with attestation, policy, and surface libraries. The service must remain deterministic, tenant-aware, and offline-ready while exposing minimal APIs and events. + +## Scope +- APIs, controllers, and background services in `StellaOps.Scanner.WebService`. +- Queue producers, artifact catalog endpoints, diff/report export, and attestation hand-offs. +- Integration with Surface.Env/Fs/Secrets/Validation and Scanner Worker. +- Event publishing (orchestrator/Notifier) and observability instrumentation. + +## Required Reading +- `docs/modules/scanner/architecture.md` +- `docs/modules/scanner/design/surface-env.md` +- `docs/modules/scanner/design/surface-fs.md` +- `docs/modules/scanner/design/surface-secrets.md` +- `docs/modules/scanner/design/surface-validation.md` +- `docs/modules/platform/architecture-overview.md` (scanner section) +- `docs/modules/attestor/architecture.md` (handoff expectations) +- `docs/modules/export-center/architecture.md` (report export dependencies) +- `docs/modules/scheduler/architecture.md` (rescan interactions) + +## Working Agreement +1. **Status updates**: change task state to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and local `TASKS.md` when you start/finish work. +2. **Contract-first changes**: update OpenAPI specs/test fixtures when APIs change; coordinate with CLI/UI consumers. +3. **Surface integration**: centralise cache/env/secret access via Surface libraries; run validators before executing handlers. +4. **Determinism**: queue IDs, report manifests, and export metadata must remain stable; avoid wall-clock usage in response payloads. +5. **Security & tenancy**: enforce Authority scopes, DPoP, and tenant context; audit sensitive operations. +6. 
**Observability**: instrument metrics/logs/traces per design docs; ensure new endpoints include structured logging and unit/integration tests. diff --git a/src/Scanner/StellaOps.Scanner.WebService/TASKS.md b/src/Scanner/StellaOps.Scanner.WebService/TASKS.md index 31164219..fe42236a 100644 --- a/src/Scanner/StellaOps.Scanner.WebService/TASKS.md +++ b/src/Scanner/StellaOps.Scanner.WebService/TASKS.md 
@@ -2,6 +2,9 @@ | ID | Status | Owner(s) | Depends on | Description | Exit Criteria | |----|--------|----------|------------|-------------|---------------| +| SCANNER-SURFACE-02 | TODO | Scanner WebService Guild | SURFACE-FS-02 | Publish Surface.FS pointers (CAS URIs, manifests) via scan/report APIs and update attestation metadata. | OpenAPI updated; clients regenerated; integration tests validate pointer presence and tenancy. | +| SCANNER-ENV-02 | TODO | Scanner WebService Guild, Ops Guild | SURFACE-ENV-02 | Wire Surface.Env helpers into WebService hosting (cache roots, feature flags) and document configuration. | Service uses helper; env table documented; helm/compose templates updated. | +| SCANNER-SECRETS-02 | TODO | Scanner WebService Guild, Security Guild | SURFACE-SECRETS-02 | Replace ad-hoc secret wiring with Surface.Secrets for report/export operations (registry and CAS tokens). | Secrets fetched through shared provider; unit/integration tests cover rotation + failure cases. | | SCANNER-EVENTS-16-301 | BLOCKED (2025-10-26) | Scanner WebService Guild | ORCH-SVC-38-101, NOTIFY-SVC-38-001 | Emit orchestrator-compatible envelopes (`scanner.event.*`) and update integration tests to verify Notifier ingestion (no Redis queue coupling). | Tests assert envelope schema + orchestrator publish; Notifier consumer harness passes; docs updated with new event contract. Blocked by .NET 10 preview OpenAPI/Auth dependency drift preventing `dotnet test` completion. | | SCANNER-EVENTS-16-302 | DOING (2025-10-26) | Scanner WebService Guild | SCANNER-EVENTS-16-301 | Extend orchestrator event links (report/policy/attestation) once endpoints are finalised across gateway + console. | Links section covers UI/API targets; downstream consumers validated; docs/samples updated. | diff --git a/src/Scanner/StellaOps.Scanner.Worker/AGENTS.md b/src/Scanner/StellaOps.Scanner.Worker/AGENTS.md index ae5d9277..fbbdf87f 100644 --- a/src/Scanner/StellaOps.Scanner.Worker/AGENTS.md 
+++ b/src/Scanner/StellaOps.Scanner.Worker/AGENTS.md 
@@ -1,26 +1,37 @@ -# AGENTS -## Role -Scanner.Worker engineers own the queue-driven execution host that turns scan jobs into SBOM artefacts with deterministic progress reporting. -## Scope -- Host bootstrap: configuration binding, Authority client wiring, graceful shutdown, restart-time plug-in discovery hooks. -- Job acquisition & lease renewal semantics backed by the Scanner queue abstraction. -- Analyzer orchestration skeleton: stage pipeline, cancellation awareness, deterministic progress emissions. -- Telemetry: structured logging, OpenTelemetry metrics/traces, health counters for offline diagnostics. -## Participants -- Consumes jobs from `StellaOps.Scanner.Queue`. -- Persists progress/artifacts via `StellaOps.Scanner.Storage` once those modules land. -- Emits metrics and structured logs consumed by Observability stack & WebService status endpoints. -## Interfaces & contracts -- Queue lease abstraction (`IScanJobLease`, `IScanJobSource`) with deterministic identifiers and attempt counters. -- Analyzer dispatcher contracts for OS/lang/native analyzers and emitters. -- Telemetry resource attributes shared with Scanner.WebService and Scheduler. -## In/Out of scope -In scope: worker host, concurrency orchestration, lease renewal, cancellation wiring, deterministic logging/metrics. -Out of scope: queue provider implementations, analyzer business logic, Mongo/object-store repositories. -## Observability expectations -- Meter `StellaOps.Scanner.Worker` with queue latency, stage duration, failure counters. -- Activity source `StellaOps.Scanner.Worker.Job` for per-job tracing. -- Log correlation IDs (`jobId`, `leaseId`, `scanId`) with structured payloads; avoid dumping secrets or full manifests. -## Tests -- Integration fixture `WorkerBasicScanScenario` verifying acquisition → heartbeat → analyzer stages → completion. -- Unit tests around retry/jitter calculators as they are introduced. 
+# AGENTS +## Role +Scanner.Worker engineers own the queue-driven execution host that turns scan jobs into SBOM artefacts with deterministic progress reporting. +## Scope +- Host bootstrap: configuration binding, Authority client wiring, graceful shutdown, restart-time plug-in discovery hooks. +- Job acquisition & lease renewal semantics backed by the Scanner queue abstraction. +- Analyzer orchestration skeleton: stage pipeline, cancellation awareness, deterministic progress emissions. +- Telemetry: structured logging, OpenTelemetry metrics/traces, health counters for offline diagnostics. +## Participants +- Consumes jobs from `StellaOps.Scanner.Queue`. +- Persists progress/artifacts via `StellaOps.Scanner.Storage` once those modules land. +- Emits metrics and structured logs consumed by Observability stack & WebService status endpoints. +## Interfaces & contracts +- Queue lease abstraction (`IScanJobLease`, `IScanJobSource`) with deterministic identifiers and attempt counters. +- Analyzer dispatcher contracts for OS/lang/native analyzers and emitters. +- Telemetry resource attributes shared with Scanner.WebService and Scheduler. +## In/Out of scope +In scope: worker host, concurrency orchestration, lease renewal, cancellation wiring, deterministic logging/metrics. +Out of scope: queue provider implementations, analyzer business logic, Mongo/object-store repositories. +## Observability expectations +- Meter `StellaOps.Scanner.Worker` with queue latency, stage duration, failure counters. +- Activity source `StellaOps.Scanner.Worker.Job` for per-job tracing. +- Log correlation IDs (`jobId`, `leaseId`, `scanId`) with structured payloads; avoid dumping secrets or full manifests. +## Tests +- Integration fixture `WorkerBasicScanScenario` verifying acquisition → heartbeat → analyzer stages → completion. +- Unit tests around retry/jitter calculators as they are introduced. 
+ +## Required Reading +- `docs/modules/scanner/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Scanner/StellaOps.Scanner.Worker/TASKS.md b/src/Scanner/StellaOps.Scanner.Worker/TASKS.md index 0daf77b6..efa2a8bd 100644 --- a/src/Scanner/StellaOps.Scanner.Worker/TASKS.md +++ b/src/Scanner/StellaOps.Scanner.Worker/TASKS.md @@ -2,3 +2,6 @@ | ID | Status | Owner(s) | Depends on | Description | Exit Criteria | |----|--------|----------|------------|-------------|---------------| +| SCANNER-SURFACE-01 | TODO | Scanner Worker Guild | SURFACE-FS-02 | Persist Surface.FS manifests after analyzer stages, including layer CAS metadata and EntryTrace fragments. | Integration tests prove cache entries exist; telemetry counters exported. | +| SCANNER-ENV-01 | TODO | Scanner Worker Guild | SURFACE-ENV-02 | Replace ad-hoc environment reads with `StellaOps.Scanner.Surface.Env` helpers for cache roots and CAS endpoints. | Worker boots with helper; misconfiguration warnings documented; smoke tests updated. | +| SCANNER-SECRETS-01 | TODO | Scanner Worker Guild, Security Guild | SURFACE-SECRETS-02 | Adopt `StellaOps.Scanner.Surface.Secrets` for registry/CAS credentials during scan execution. | Secrets fetched via shared provider; legacy secret code removed; integration tests cover rotation. | 
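Review bot: In the Scanner.Worker AGENTS.md hunk, every pre-existing line is removed and re-added unchanged, so the only real change (the `## Required Reading` and `## Working Agreement` sections) is buried in a whole-file rewrite; this looks like a line-ending normalisation and should be committed separately or handled via `.gitattributes` so the charter diff stays reviewable. The Working Agreement also mixes bullet and number markers (`- 1.`, `- 2.`), unlike the plain `1.`/`2.` list in the Java charter added by the same patch; pick one style.

Review bot: In the Scanner.Worker TASKS.md hunk, SCANNER-SECRETS-01's exit criteria cover rotation only, while the WebService counterpart SCANNER-SECRETS-02 requires "rotation + failure cases"; the worker is where a missing or expired registry/CAS credential surfaces mid-scan, so add the failure path (provider unavailable, credential expiring during a long scan) and require that the resulting error and log lines contain no secret material, consistent with the charter's "avoid dumping secrets" rule above.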
diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/AGENTS.md index 5731b819..086aca85 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/AGENTS.md 
@@ -1,29 +1,40 @@ -# StellaOps.Scanner.Analyzers.Lang.DotNet — Agent Charter - -## Role -Create the .NET analyzer plug-in that inspects `*.deps.json`, `runtimeconfig.json`, assemblies, and RID-specific assets to deliver accurate NuGet components with signing metadata. - -## Scope -- Parse dependency graphs from `*.deps.json` and merge with `runtimeconfig.json` and bundle manifests. -- Capture assembly metadata (strong name, file version, Authenticode) and correlate with packages. -- Handle RID-specific asset selection, self-contained apps, and crossgen/native dependency hints. -- Package plug-in manifest, determinism fixtures, benchmarks, and Offline Kit documentation. - -## Out of Scope -- Policy evaluation or Signer integration (handled elsewhere). -- Native dependency resolution outside RID mapping. -- Windows-specific MSI/SxS analyzers (covered by native analyzer roadmap). - -## Expectations -- Performance target: multi-target app fixture <1.2 s, memory <250 MB. -- Deterministic RID collapsing to reduce component duplication by ≥40 % vs naive approach. -- Offline-first; support air-gapped strong-name/Authenticode validation using cached root store. -- Rich telemetry (components per RID, strong-name validations) conforming to Scanner metrics. - -## Dependencies -- Shared language analyzer infrastructure; Worker dispatcher; optional security key store for signature verification. - -## Testing & Artifacts -- Fixtures for framework-dependent and self-contained apps (linux-musl, win-x64). -- Golden outputs capturing signature metadata and RID grouping. -- Benchmark comparing analyzer fidelity vs market competitors. +# StellaOps.Scanner.Analyzers.Lang.DotNet — Agent Charter + +## Role +Create the .NET analyzer plug-in that inspects `*.deps.json`, `runtimeconfig.json`, assemblies, and RID-specific assets to deliver accurate NuGet components with signing metadata. 
+ +## Scope +- Parse dependency graphs from `*.deps.json` and merge with `runtimeconfig.json` and bundle manifests. +- Capture assembly metadata (strong name, file version, Authenticode) and correlate with packages. +- Handle RID-specific asset selection, self-contained apps, and crossgen/native dependency hints. +- Package plug-in manifest, determinism fixtures, benchmarks, and Offline Kit documentation. + +## Out of Scope +- Policy evaluation or Signer integration (handled elsewhere). +- Native dependency resolution outside RID mapping. +- Windows-specific MSI/SxS analyzers (covered by native analyzer roadmap). + +## Expectations +- Performance target: multi-target app fixture <1.2 s, memory <250 MB. +- Deterministic RID collapsing to reduce component duplication by ≥40 % vs naive approach. +- Offline-first; support air-gapped strong-name/Authenticode validation using cached root store. +- Rich telemetry (components per RID, strong-name validations) conforming to Scanner metrics. + +## Dependencies +- Shared language analyzer infrastructure; Worker dispatcher; optional security key store for signature verification. + +## Testing & Artifacts +- Fixtures for framework-dependent and self-contained apps (linux-musl, win-x64). +- Golden outputs capturing signature metadata and RID grouping. +- Benchmark comparing analyzer fidelity vs market competitors. + +## Required Reading +- `docs/modules/scanner/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. 
Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/AGENTS.md index 164cf928..c5ada5a1 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/AGENTS.md @@ -29,3 +29,14 @@ Build the Go analyzer plug-in that reads Go build info, module metadata, and DWA - Golden fixtures for modules with/without VCS info, stripped binaries, cross-compiled variants. - Benchmark comparison with competitor scanners to demonstrate speed/fidelity advantages (captured in `src/Bench/StellaOps.Bench/Scanner.Analyzers/lang/go/`). - ADR documenting heuristics and risk mitigation. + +## Required Reading +- `docs/modules/scanner/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/AGENTS.md new file mode 100644 index 00000000..3f78ed0a --- /dev/null +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/AGENTS.md 
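Review bot: In the StellaOps.Scanner.Analyzers.Lang.DotNet AGENTS.md hunk, the expectation "air-gapped strong-name/Authenticode validation using cached root store" leaves revocation unspecified: without CRL/OCSP reachability the analyzer can only check chain building and timestamps, so the charter should state that revocation is skipped and recorded as such in the signing evidence, and how the cached root store is versioned and refreshed through the Offline Kit. The hunk also re-adds all 29 unchanged lines to append two sections; split the line-ending normalisation out.

Review bot: In the StellaOps.Scanner.Analyzers.Lang.Go AGENTS.md hunk, Required Reading lists only `docs/modules/scanner/architecture.md` and `docs/modules/platform/architecture-overview.md`, whereas the Java charter in this patch also lists the `surface-env`, `surface-fs`, `surface-secrets` and `surface-validation` design docs; since the LANG-SURFACE-01..03 tasks apply to every language analyzer, the Go charter (and the Node, Python, .NET and Rust charters) should cite the same Surface documents.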
@@ -0,0 +1,27 @@ +# Scanner Java Analyzer Guild Charter + +## Mission +Implement deterministic Java analyzers that normalise JVM/Build ecosystem inputs (Maven/Gradle, classpath jars, module-info), reconstruct dependency graphs, and provide Scanner with reliable SBOM data. Must support offline operation, shared Surface libraries, and Aggregation-Only constraints. + +## Scope +- Java normaliser/analyzer code and emitters in `StellaOps.Scanner.Analyzers.Lang.Java`. +- Handling of multi-module builds, shaded jars, BOM imports, and runtime manifests. +- Integration with Surface.Env/Fs/Secrets/Validation. +- Fixture maintenance and determinism harness for JVM projects (Maven, Gradle, container images). + +## Required Reading +- `docs/modules/scanner/architecture.md` +- `docs/modules/scanner/design/surface-env.md` +- `docs/modules/scanner/design/surface-fs.md` +- `docs/modules/scanner/design/surface-secrets.md` +- `docs/modules/scanner/design/surface-validation.md` +- `docs/modules/scanner/implementation_plan.md` (Java analyzer sections) +- Build system references linked from sprint tasks (Maven, Gradle, shading). + +## Working Agreement +1. **Status synchronisation**: set tasks to `DOING`/`DONE` in `docs/implplan/SPRINTS.md` and local `TASKS.md` as work progresses. +2. **Surface usage**: rely on shared Surface libraries for env detection, cached artifacts, secret access, and validation. +3. **Deterministic outputs**: stabilise classpath ordering, canonicalise PURLs, and avoid network fetches; rely on local caches. +4. **SBOM accuracy**: produce consistent component/relationship data; no policy/severity decisions. +5. **Testing**: update golden fixtures, determinism harness, and property tests; include shading/multi-module edge cases. +6. **Documentation**: adjust implementation plan notes or author Java-specific design doc when behaviour changes; inform Docs/CLI teams if outputs or configuration differ. 
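Review bot: In the new Scanner Java Analyzer charter, the shaded-jar and multi-module handling listed under Scope will necessarily be heuristic (relocated packages lose their Maven coordinates), yet unlike the Rust charter's "explicit heuristic labeling" nothing here requires heuristic attribution to be tagged separately from manifest-verified evidence; add that to the "Deterministic outputs" or "SBOM accuracy" agreement so downstream consumers can tell the two apart. Minor: "Aggregation-Only constraints" is referenced without a link, "Build system references linked from sprint tasks" is not a readable entry, and the charter lacks the Out of Scope and Expectations sections its sibling charters carry.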
diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/AGENTS.md index 67d37fab..d0c5132f 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/AGENTS.md @@ -37,3 +37,14 @@ Deliver the Node.js / npm / Yarn / PNPM analyzer plug-in that resolves workspace - `policyHint.installLifecycle` lists lifecycle scripts (`preinstall;install;postinstall`) observed for a package. - `script.` stores the canonical command string for each lifecycle script. - Evidence: lifecycle script entries emit `LanguageEvidenceKind.Metadata` pointing to `package.json#scripts.` with SHA-256 hashes for determinism. + +## Required Reading +- `docs/modules/scanner/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/AGENTS.md index 977b828a..018c9a91 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/AGENTS.md 
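Review bot: In the StellaOps.Scanner.Analyzers.Lang.Node AGENTS.md hunk, the context lines read `script.` and `package.json#scripts.` with nothing after the dot; if a `<name>` placeholder was lost to markdown rendering, escape it in backticks, because the lifecycle-script evidence key is exactly what reviewers of install-time code execution (`preinstall;install;postinstall`) will look up. The added Working Agreement uses `- 1.`-style markers rather than a plain numbered list, and its Required Reading omits the Surface design docs the Java charter cites even though the Surface tasks apply to this analyzer too.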
@@ -1,32 +1,43 @@ -# StellaOps.Scanner.Analyzers.Lang.Python — Agent Charter - -## Role -Implement the Python analyzer plug-in that inspects installed distributions, RECORD hashes, entry points, and editable installs to feed Scanner SBOM views. - -## Scope -- Parse `*.dist-info` and `*.data` directories, validating `METADATA`, `RECORD`, and `entry_points.txt`. -- Detect editable installs and pip caches, reconciling metadata with actual files. -- Integrate EntryTrace usage hints for runtime entry points and flag missing RECORD hashes. -- Package plug-in manifest and ensure deterministic fixtures + benchmarks. - -## Out of Scope -- Language analyzers for other ecosystems. -- Policy evaluation, vulnerability correlation, or packaging into UI flows. -- Building Python interpreters or executing scripts (analysis is static only). - -## Expectations -- Deterministic RECORD hashing with streaming IO; fallback heuristics clearly flagged. -- Performance target: ≥75 MB/s RECORD verification, end-to-end fixture <2.0 s. -- Offline-first: no PyPI calls; relies on local metadata only. -- Rich telemetry (components counted, hash mismatches) following Scanner metrics schema. -- Keep `TASKS.md` and `SPRINTS_LANG_IMPLEMENTATION_PLAN.md` in sync. - -## Dependencies -- Shared language analyzer infrastructure. -- EntryTrace usage hints (for script activation). -- Worker dispatcher for plug-in loading. - -## Testing & Artifacts -- Golden fixtures for venv, virtualenv, pipx, and editable installs. -- Benchmark results comparing hash-check throughput against competitor tools. -- Offline Kit guidance for bundling standard library metadata if required. +# StellaOps.Scanner.Analyzers.Lang.Python — Agent Charter + +## Role +Implement the Python analyzer plug-in that inspects installed distributions, RECORD hashes, entry points, and editable installs to feed Scanner SBOM views. + +## Scope +- Parse `*.dist-info` and `*.data` directories, validating `METADATA`, `RECORD`, and `entry_points.txt`. 
+- Detect editable installs and pip caches, reconciling metadata with actual files. +- Integrate EntryTrace usage hints for runtime entry points and flag missing RECORD hashes. +- Package plug-in manifest and ensure deterministic fixtures + benchmarks. + +## Out of Scope +- Language analyzers for other ecosystems. +- Policy evaluation, vulnerability correlation, or packaging into UI flows. +- Building Python interpreters or executing scripts (analysis is static only). + +## Expectations +- Deterministic RECORD hashing with streaming IO; fallback heuristics clearly flagged. +- Performance target: ≥75 MB/s RECORD verification, end-to-end fixture <2.0 s. +- Offline-first: no PyPI calls; relies on local metadata only. +- Rich telemetry (components counted, hash mismatches) following Scanner metrics schema. +- Keep `TASKS.md` and `SPRINTS_LANG_IMPLEMENTATION_PLAN.md` in sync. + +## Dependencies +- Shared language analyzer infrastructure. +- EntryTrace usage hints (for script activation). +- Worker dispatcher for plug-in loading. + +## Testing & Artifacts +- Golden fixtures for venv, virtualenv, pipx, and editable installs. +- Benchmark results comparing hash-check throughput against competitor tools. +- Offline Kit guidance for bundling standard library metadata if required. + +## Required Reading +- `docs/modules/scanner/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. 
Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/AGENTS.md index c41c745c..d6d95dbd 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/AGENTS.md 
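Review bot: In the StellaOps.Scanner.Analyzers.Lang.Python AGENTS.md hunk, the kept Expectations line "Keep `TASKS.md` and `SPRINTS_LANG_IMPLEMENTATION_PLAN.md` in sync" now conflicts with the new Working Agreement item 1, which points at `docs/implplan/SPRINTS.md`; drop or update the stale reference. The Expectations also promise "fallback heuristics clearly flagged" for RECORD verification; say where that flag lands (evidence kind or component metadata) so an SBOM consumer can distinguish a hash-verified distribution from one whose RECORD was missing or mismatched.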
@@ -1,29 +1,40 @@ -# StellaOps.Scanner.Analyzers.Lang.Rust — Agent Charter - -## Role -Develop the Rust analyzer plug-in that resolves crates from metadata (`.fingerprint`, Cargo.lock, embedded markers) and provides deterministic fallbacks for stripped binaries. - -## Scope -- Locate Cargo metadata in container layers (registry cache, target fingerprints, embedded Git info). -- Parse symbol tables / section data to heuristically identify crates when metadata missing, tagging provenance appropriately. -- Integrate binary hash fallback with quiet provenance classification. -- Package plug-in manifest, determinism fixtures, and performance/coverage benchmarks. - -## Out of Scope -- Native linker analysis beyond crate attribution. -- Fetching Cargo registry metadata from the network. -- Policy decisions or UI surfacing. - -## Expectations -- Accurate crate attribution (≥85 % on curated fixtures) with explicit heuristic labeling. -- Analyzer runtime <1 s over 500 binary corpus; minimal allocations through pooling. -- Offline-first; rely on local Cargo data. -- Telemetry capturing heuristic vs verified evidence ratios. - -## Dependencies -- Shared language analyzer infrastructure; Worker dispatcher; optionally EntryTrace hints for runtime coverage. - -## Testing & Artifacts -- Fixtures for cargo workspaces, release builds, stripped binaries, vendor caches. -- Determinism + benchmark artifacts comparing to competitor scanners. -- ADR documenting heuristic boundaries + risk mitigations. +# StellaOps.Scanner.Analyzers.Lang.Rust — Agent Charter + +## Role +Develop the Rust analyzer plug-in that resolves crates from metadata (`.fingerprint`, Cargo.lock, embedded markers) and provides deterministic fallbacks for stripped binaries. + +## Scope +- Locate Cargo metadata in container layers (registry cache, target fingerprints, embedded Git info). +- Parse symbol tables / section data to heuristically identify crates when metadata missing, tagging provenance appropriately. 
+- Integrate binary hash fallback with quiet provenance classification. +- Package plug-in manifest, determinism fixtures, and performance/coverage benchmarks. + +## Out of Scope +- Native linker analysis beyond crate attribution. +- Fetching Cargo registry metadata from the network. +- Policy decisions or UI surfacing. + +## Expectations +- Accurate crate attribution (≥85 % on curated fixtures) with explicit heuristic labeling. +- Analyzer runtime <1 s over 500 binary corpus; minimal allocations through pooling. +- Offline-first; rely on local Cargo data. +- Telemetry capturing heuristic vs verified evidence ratios. + +## Dependencies +- Shared language analyzer infrastructure; Worker dispatcher; optionally EntryTrace hints for runtime coverage. + +## Testing & Artifacts +- Fixtures for cargo workspaces, release builds, stripped binaries, vendor caches. +- Determinism + benchmark artifacts comparing to competitor scanners. +- ADR documenting heuristic boundaries + risk mitigations. + +## Required Reading +- `docs/modules/scanner/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/AGENTS.md index c8b87654..262a420f 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/AGENTS.md 
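Review bot: In the StellaOps.Scanner.Analyzers.Lang.Rust AGENTS.md hunk, "binary hash fallback with quiet provenance classification" reads as the opposite of the Expectations bullet requiring "explicit heuristic labeling"; if "quiet" means low-confidence, say so and name the provenance value used, since a stripped binary attributed by symbol-table heuristics must not be emitted with the same confidence as a Cargo.lock match. As with the other charters, the hunk rewrites all 29 unchanged lines to append two sections.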
+++ b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/AGENTS.md 
@@ -1,33 +1,44 @@ -# StellaOps.Scanner.Analyzers.Lang — Agent Charter - -## Role -Deliver deterministic language ecosystem analyzers that run inside Scanner Workers, emit component evidence for SBOM assembly, and package as restart-time plug-ins. - -## Scope -- Shared analyzer abstractions for installed application ecosystems (Java, Node.js, Python, Go, .NET, Rust). -- Evidence helpers that map on-disk artefacts to canonical component identities (purl/bin sha) with provenance and usage flags. -- File-system traversal, metadata parsing, and normalization for language-specific package formats. -- Plug-in bootstrap, manifest authoring, and DI registration so Workers load analyzers at start-up. - -## Out of Scope -- OS package analyzers, native link graph, or EntryTrace plug-ins (handled by other guilds). -- SBOM composition, diffing, or signing (owned by Emit/Diff/Signer groups). -- Policy adjudication or vulnerability joins. - -## Expectations -- Deterministic output: identical inputs → identical component ordering and hashes. -- Memory discipline: streaming walkers, avoid loading entire trees; reuse buffers. -- Cancellation-aware and timeboxed per layer. -- Enrich telemetry (counters + timings) via Scanner.Core primitives. -- Update `TASKS.md` as work progresses (TODO → DOING → DONE/BLOCKED). - -## Dependencies -- Scanner.Core contracts + observability helpers. -- Scanner.Worker analyzer dispatcher. -- Upcoming Scanner.Emit models for SBOM assembly. -- Plugin host infrastructure under `StellaOps.Plugin`. - -## Testing & Artifacts -- Determinism harness with golden fixtures under `Fixtures/`. -- Microbench benchmarks recorded per language where feasible. -- Plugin manifests stored under `plugins/scanner/analyzers/lang/` with cosign workflow documented. 
+# StellaOps.Scanner.Analyzers.Lang — Agent Charter + +## Role +Deliver deterministic language ecosystem analyzers that run inside Scanner Workers, emit component evidence for SBOM assembly, and package as restart-time plug-ins. + +## Scope +- Shared analyzer abstractions for installed application ecosystems (Java, Node.js, Python, Go, .NET, Rust). +- Evidence helpers that map on-disk artefacts to canonical component identities (purl/bin sha) with provenance and usage flags. +- File-system traversal, metadata parsing, and normalization for language-specific package formats. +- Plug-in bootstrap, manifest authoring, and DI registration so Workers load analyzers at start-up. + +## Out of Scope +- OS package analyzers, native link graph, or EntryTrace plug-ins (handled by other guilds). +- SBOM composition, diffing, or signing (owned by Emit/Diff/Signer groups). +- Policy adjudication or vulnerability joins. + +## Expectations +- Deterministic output: identical inputs → identical component ordering and hashes. +- Memory discipline: streaming walkers, avoid loading entire trees; reuse buffers. +- Cancellation-aware and timeboxed per layer. +- Enrich telemetry (counters + timings) via Scanner.Core primitives. +- Update `TASKS.md` as work progresses (TODO → DOING → DONE/BLOCKED). + +## Dependencies +- Scanner.Core contracts + observability helpers. +- Scanner.Worker analyzer dispatcher. +- Upcoming Scanner.Emit models for SBOM assembly. +- Plugin host infrastructure under `StellaOps.Plugin`. + +## Testing & Artifacts +- Determinism harness with golden fixtures under `Fixtures/`. +- Microbench benchmarks recorded per language where feasible. +- Plugin manifests stored under `plugins/scanner/analyzers/lang/` with cosign workflow documented. + +## Required Reading +- `docs/modules/scanner/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. 
Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md index f16b869a..02dacd26 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md @@ -2,3 +2,6 @@ | ID | Status | Owner(s) | Depends on | Description | Exit Criteria | |----|--------|----------|------------|-------------|---------------| +| LANG-SURFACE-01 | TODO | Language Analyzer Guild | SURFACE-VAL-02, SURFACE-FS-02 | Invoke Surface.Validation checks (env/cache/secrets) before analyzer execution to ensure consistent prerequisites. | Validation pipeline integrated; regression tests updated; failures bubble with actionable errors. | +| LANG-SURFACE-02 | TODO | Language Analyzer Guild | SURFACE-FS-02 | Consume Surface.FS APIs for layer/source caching (instead of bespoke caches) to improve determinism. | Analyzer outputs match baseline; performance benchmarks recorded; docs updated. | +| LANG-SURFACE-03 | TODO | Language Analyzer Guild | SURFACE-SECRETS-02 | Replace direct secret/env reads with Surface.Secrets references when fetching package feeds or registry creds. | Analyzer uses shared provider; tests cover rotation/failure; config docs updated. | 
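Review bot: In the StellaOps.Scanner.Analyzers.Lang AGENTS.md hunk, the kept Expectations bullet "Update `TASKS.md` as work progresses (TODO → DOING → DONE/BLOCKED)" overlaps with the new Working Agreement item 1, which adds `docs/implplan/SPRINTS.md` but omits `BLOCKED`; merge them so the status vocabulary is stated once (the WebService task board in this patch already uses `BLOCKED` with a date).

Review bot: In the StellaOps.Scanner.Analyzers.Lang TASKS.md hunk, LANG-SURFACE-03 describes analyzers "fetching package feeds or registry creds", which contradicts the offline-first expectations of this charter and its siblings (no PyPI calls, no Cargo registry fetches, "avoid network fetches"); either scope the task to credentials for Surface.FS/CAS reads from local caches or name the analyzer that legitimately needs feed access. LANG-SURFACE-01's "failures bubble with actionable errors" should also require that validation failures for env/cache/secrets never echo the secret value in the error or log.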
diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/AGENTS.md index 91f164f3..921fbcb0 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.OS/AGENTS.md 
@@ -1,40 +1,51 @@ -# AGENTS -## Role -Design and ship deterministic Linux operating-system analyzers that transform container root filesystems into canonical package evidence for SBOM emission. - -## Scope -- Provide shared helpers for reading apk, dpkg, and rpm metadata and emitting normalized package identities with provenance. -- Implement analyzer plug-ins for Alpine (apk), Debian (dpkg), and RPM-based distributions that operate on extracted rootfs snapshots. -- Enrich package records with vendor-origin metadata (source packages, declared licenses, CVE hints) and evidence linking files to packages. -- Expose restart-time plug-in manifests so the Scanner.Worker can load analyzers in offline or air-gapped environments. -- Supply deterministic fixtures and a regression harness that verifies analyzer outputs remain stable across runs. - -## Participants -- `StellaOps.Scanner.Core` for shared contracts, observability, and plug-in catalog guardrails. -- `StellaOps.Scanner.Worker` which executes analyzers inside the scan pipeline. -- `StellaOps.Scanner.Cache` (future) for layer cache integration; analyzers must be cache-aware via deterministic inputs/outputs. -- `StellaOps.Scanner.Emit` and `StellaOps.Scanner.Diff` rely on analyzer outputs to build SBOMs and change reports. - -## Interfaces & Contracts -- Analyzers implement `IOSPackageAnalyzer` (defined in this module) and register via plug-in manifests; they must be restart-time only. -- Input rootfs paths are read-only; analyzers must never mutate files and must tolerate missing metadata gracefully. -- Package records emit canonical purls (`pkg:alpine`, `pkg:deb`, `pkg:rpm`) plus NEVRA/EVR details, source package identifiers, declared licenses, and evidence (file lists with layer attribution placeholders). -- Outputs must be deterministic: ordering is lexicographic, timestamps removed or normalized, hashes (SHA256) calculated when required. 
- -## In/Out of Scope -In scope: -- Linux apk/dpkg/rpm analyzers, shared helpers, plug-in manifests, deterministic regression harness. - -Out of scope: -- Windows MSI/SxS analyzers, native (ELF) analyzers, language analyzers, EntryTrace pipeline, or SBOM assembly logic (handled by other guilds). - -## Observability & Security Expectations -- Emit structured logs with correlation/job identifiers provided by `StellaOps.Scanner.Core`. -- Surface metrics for package counts, elapsed time, and cache hits (metrics hooks stubbed until Cache module lands). -- Do not perform outbound network calls; operate entirely on provided filesystem snapshot. -- Validate plug-in manifests via `IPluginCatalogGuard` to enforce restart-only loading. - -## Tests -- `StellaOps.Scanner.Analyzers.OS.Tests` hosts regression tests with canned rootfs fixtures to verify determinism. -- Fixtures store expected analyzer outputs under `Fixtures/` with golden JSON (normalized, sorted). -- Tests cover apk/dpkg/rpm analyzers, shared helper edge cases, and plug-in catalog enforcement. +# AGENTS +## Role +Design and ship deterministic Linux operating-system analyzers that transform container root filesystems into canonical package evidence for SBOM emission. + +## Scope +- Provide shared helpers for reading apk, dpkg, and rpm metadata and emitting normalized package identities with provenance. +- Implement analyzer plug-ins for Alpine (apk), Debian (dpkg), and RPM-based distributions that operate on extracted rootfs snapshots. +- Enrich package records with vendor-origin metadata (source packages, declared licenses, CVE hints) and evidence linking files to packages. +- Expose restart-time plug-in manifests so the Scanner.Worker can load analyzers in offline or air-gapped environments. +- Supply deterministic fixtures and a regression harness that verifies analyzer outputs remain stable across runs. 
+ +## Participants +- `StellaOps.Scanner.Core` for shared contracts, observability, and plug-in catalog guardrails. +- `StellaOps.Scanner.Worker` which executes analyzers inside the scan pipeline. +- `StellaOps.Scanner.Cache` (future) for layer cache integration; analyzers must be cache-aware via deterministic inputs/outputs. +- `StellaOps.Scanner.Emit` and `StellaOps.Scanner.Diff` rely on analyzer outputs to build SBOMs and change reports. + +## Interfaces & Contracts +- Analyzers implement `IOSPackageAnalyzer` (defined in this module) and register via plug-in manifests; they must be restart-time only. +- Input rootfs paths are read-only; analyzers must never mutate files and must tolerate missing metadata gracefully. +- Package records emit canonical purls (`pkg:alpine`, `pkg:deb`, `pkg:rpm`) plus NEVRA/EVR details, source package identifiers, declared licenses, and evidence (file lists with layer attribution placeholders). +- Outputs must be deterministic: ordering is lexicographic, timestamps removed or normalized, hashes (SHA256) calculated when required. + +## In/Out of Scope +In scope: +- Linux apk/dpkg/rpm analyzers, shared helpers, plug-in manifests, deterministic regression harness. + +Out of scope: +- Windows MSI/SxS analyzers, native (ELF) analyzers, language analyzers, EntryTrace pipeline, or SBOM assembly logic (handled by other guilds). + +## Observability & Security Expectations +- Emit structured logs with correlation/job identifiers provided by `StellaOps.Scanner.Core`. +- Surface metrics for package counts, elapsed time, and cache hits (metrics hooks stubbed until Cache module lands). +- Do not perform outbound network calls; operate entirely on provided filesystem snapshot. +- Validate plug-in manifests via `IPluginCatalogGuard` to enforce restart-only loading. + +## Tests +- `StellaOps.Scanner.Analyzers.OS.Tests` hosts regression tests with canned rootfs fixtures to verify determinism. 
+- Fixtures store expected analyzer outputs under `Fixtures/` with golden JSON (normalized, sorted). +- Tests cover apk/dpkg/rpm analyzers, shared helper edge cases, and plug-in catalog enforcement. + +## Required Reading +- `docs/modules/scanner/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Cache/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Cache/AGENTS.md index 69929606..d518c55c 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Cache/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Cache/AGENTS.md 
@@ -1,15 +1,26 @@ -# StellaOps.Scanner.Cache — Agent Charter - -## Mission -Provide deterministic, offline-friendly caching primitives for scanner layers and file content so warm scans complete in <5 s and cache reuse remains reproducible across deployments. - -## Responsibilities -- Implement layer cache keyed by layer digest, retaining analyzer metadata and provenance per architecture §3.3. -- Deliver file content-addressable storage (CAS) with deduplication, TTL enforcement, and offline import/export hooks. -- Expose structured metrics, health probes, and configuration toggles for cache sizing, eviction, and warm/cold thresholds. -- Coordinate invalidation workflows (layer purge, TTL expiry, diff invalidation) while keeping deterministic logs and telemetry. - -## Interfaces & Dependencies -- Relies on `StackExchange.Redis` via `StellaOps.DependencyInjection` bindings for cache state. -- Coordinates with `StellaOps.Scanner.Storage` object store when persisting immutable artifacts. -- Targets `net10.0` preview SDK and follows scanner coding standards from `docs/18_CODING_STANDARDS.md`. +# StellaOps.Scanner.Cache — Agent Charter + +## Mission +Provide deterministic, offline-friendly caching primitives for scanner layers and file content so warm scans complete in <5 s and cache reuse remains reproducible across deployments. + +## Responsibilities +- Implement layer cache keyed by layer digest, retaining analyzer metadata and provenance per architecture §3.3. +- Deliver file content-addressable storage (CAS) with deduplication, TTL enforcement, and offline import/export hooks. +- Expose structured metrics, health probes, and configuration toggles for cache sizing, eviction, and warm/cold thresholds. +- Coordinate invalidation workflows (layer purge, TTL expiry, diff invalidation) while keeping deterministic logs and telemetry. + +## Interfaces & Dependencies +- Relies on `StackExchange.Redis` via `StellaOps.DependencyInjection` bindings for cache state. 
+- Coordinates with `StellaOps.Scanner.Storage` object store when persisting immutable artifacts. +- Targets `net10.0` preview SDK and follows scanner coding standards from `docs/18_CODING_STANDARDS.md`. + +## Required Reading +- `docs/modules/scanner/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Core/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Core/AGENTS.md index 4805f55e..eb0599cc 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Core/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Core/AGENTS.md 
@@ -1,29 +1,40 @@ -# AGENTS -## Role -Provide shared scanner contracts, observability primitives, and security utilities consumed by the WebService, Worker, analyzers, and downstream tooling. -## Scope -- Canonical DTOs for scan jobs, progress, outcomes, and error taxonomy shared across scanner services. -- Deterministic ID and timestamp helpers to guarantee reproducible job identifiers and ISO-8601 rendering. -- Observability helpers (logging scopes, correlation IDs, metric naming, activity sources) with negligible overhead. -- Authority/OpTok integrations, DPoP validation helpers, and restart-time plug-in guardrails for scanner components. -## Participants -- Scanner.WebService and Scanner.Worker depend on these primitives for request handling, queue interactions, and diagnostics. -- Policy/Signer integrations rely on deterministic identifiers and timestamps emitted here. -- DevOps/Offline kits bundle plug-in manifests validated via the guardrails defined in this module. -## Interfaces & contracts -- DTOs must round-trip via System.Text.Json with `JsonSerializerDefaults.Web` and preserve ordering. -- Deterministic helpers must not depend on ambient time/randomness; they derive IDs from explicit inputs and normalize timestamps to microsecond precision in UTC. -- Observability scopes expose `scanId`, `jobId`, `correlationId`, and `imageDigest` fields with `stellaops scanner` metric prefixing. -- Security helpers expose `IAuthorityTokenSource`, `IDPoPProofValidator`, and `IPluginCatalogGuard` abstractions with DI-friendly implementations. -## In/Out of scope -In: shared contracts, telemetry primitives, security utilities, plug-in manifest checks. -Out: queue implementations, analyzer logic, storage adapters, HTTP endpoints, UI wiring. -## Observability & security expectations -- No network calls except via registered Authority clients. -- Avoid allocations in hot paths; prefer struct enumerables/`ValueTask`. 
-- All logs structured, correlation IDs propagated, no secrets persisted. -- DPoP validation enforces algorithm allowlist (ES256/ES384) and ensures replay cache hooks. -## Tests -- `../StellaOps.Scanner.Core.Tests` owns unit coverage with deterministic fixtures. -- Golden JSON for DTO round-trips stored under `Fixtures/`. -- Security and observability helpers must include tests proving deterministic outputs and rejecting malformed proofs. +# AGENTS +## Role +Provide shared scanner contracts, observability primitives, and security utilities consumed by the WebService, Worker, analyzers, and downstream tooling. +## Scope +- Canonical DTOs for scan jobs, progress, outcomes, and error taxonomy shared across scanner services. +- Deterministic ID and timestamp helpers to guarantee reproducible job identifiers and ISO-8601 rendering. +- Observability helpers (logging scopes, correlation IDs, metric naming, activity sources) with negligible overhead. +- Authority/OpTok integrations, DPoP validation helpers, and restart-time plug-in guardrails for scanner components. +## Participants +- Scanner.WebService and Scanner.Worker depend on these primitives for request handling, queue interactions, and diagnostics. +- Policy/Signer integrations rely on deterministic identifiers and timestamps emitted here. +- DevOps/Offline kits bundle plug-in manifests validated via the guardrails defined in this module. +## Interfaces & contracts +- DTOs must round-trip via System.Text.Json with `JsonSerializerDefaults.Web` and preserve ordering. +- Deterministic helpers must not depend on ambient time/randomness; they derive IDs from explicit inputs and normalize timestamps to microsecond precision in UTC. +- Observability scopes expose `scanId`, `jobId`, `correlationId`, and `imageDigest` fields with `stellaops scanner` metric prefixing. +- Security helpers expose `IAuthorityTokenSource`, `IDPoPProofValidator`, and `IPluginCatalogGuard` abstractions with DI-friendly implementations. 
+## In/Out of scope +In: shared contracts, telemetry primitives, security utilities, plug-in manifest checks. +Out: queue implementations, analyzer logic, storage adapters, HTTP endpoints, UI wiring. +## Observability & security expectations +- No network calls except via registered Authority clients. +- Avoid allocations in hot paths; prefer struct enumerables/`ValueTask`. +- All logs structured, correlation IDs propagated, no secrets persisted. +- DPoP validation enforces algorithm allowlist (ES256/ES384) and ensures replay cache hooks. +## Tests +- `../StellaOps.Scanner.Core.Tests` owns unit coverage with deterministic fixtures. +- Golden JSON for DTO round-trips stored under `Fixtures/`. +- Security and observability helpers must include tests proving deterministic outputs and rejecting malformed proofs. + +## Required Reading +- `docs/modules/scanner/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Diff/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Diff/AGENTS.md index 0cf4ccca..cad47c96 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Diff/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Diff/AGENTS.md 
@@ -1,20 +1,31 @@ -# StellaOps.Scanner.Diff — Agent Charter - -## Mission -Deliver deterministic image-to-image component diffs grouped by layer with provenance signals that power policy previews, UI surfacing, and downstream scheduling. - -## Responsibilities -- Maintain diff computation pipelines for inventory and usage SBOM views. -- Ensure ordering, hashing, and serialization are stable across runs and hosts. -- Capture layer provenance, usage flags, and supporting evidence for every change. -- Provide JSON artifacts and helper APIs consumed by the Scanner WebService, Worker, CLI, and UI. - -## Interfaces & Dependencies -- Consumes normalized component fragments emitted by analyzers and usage signals from EntryTrace. -- Emits diff models used by `StellaOps.Scanner.WebService` and persisted by `StellaOps.Scanner.Storage`. -- Shares deterministic primitives from `StellaOps.Scanner.Core` once extended with component contracts. - -## Testing Expectations -- Golden diff fixtures for add/remove/version-change flows. -- Determinism checks comparing shuffled inputs. -- Layer attribution regression tests to guard provenance correctness. +# StellaOps.Scanner.Diff — Agent Charter + +## Mission +Deliver deterministic image-to-image component diffs grouped by layer with provenance signals that power policy previews, UI surfacing, and downstream scheduling. + +## Responsibilities +- Maintain diff computation pipelines for inventory and usage SBOM views. +- Ensure ordering, hashing, and serialization are stable across runs and hosts. +- Capture layer provenance, usage flags, and supporting evidence for every change. +- Provide JSON artifacts and helper APIs consumed by the Scanner WebService, Worker, CLI, and UI. + +## Interfaces & Dependencies +- Consumes normalized component fragments emitted by analyzers and usage signals from EntryTrace. +- Emits diff models used by `StellaOps.Scanner.WebService` and persisted by `StellaOps.Scanner.Storage`. 
+- Shares deterministic primitives from `StellaOps.Scanner.Core` once extended with component contracts. + +## Testing Expectations +- Golden diff fixtures for add/remove/version-change flows. +- Determinism checks comparing shuffled inputs. +- Layer attribution regression tests to guard provenance correctness. + +## Required Reading +- `docs/modules/scanner/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Emit/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Emit/AGENTS.md index 9757097d..7b5b68a1 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Emit/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Emit/AGENTS.md 
@@ -1,20 +1,31 @@ -# StellaOps.Scanner.Emit — Agent Charter - -## Mission -Assemble deterministic SBOM artifacts (inventory, usage, BOM index) from analyzer fragments and usage telemetry, and prepare them for storage, signing, and distribution. - -## Responsibilities -- Merge per-layer/component fragments into CycloneDX JSON/Protobuf SBOMs. -- Generate BOM index sidecars with roaring bitmap acceleration and usage flags. -- Package artifacts with stable naming, hashing, and manifests for downstream storage and attestations. -- Surface helper APIs for Scanner Worker/WebService to request compositions and exports. - -## Interfaces & Dependencies -- Consumes analyzer outputs (OS, language, native) and EntryTrace usage annotations. -- Produces artifacts persisted via `StellaOps.Scanner.Storage` and referenced by policy/report pipelines. -- Relies on deterministic primitives from `StellaOps.Scanner.Core` for timestamps, hashing, and serialization defaults. - -## Testing Expectations -- Golden SBOM and BOM index fixtures with determinism checks. -- Schema validation for CycloneDX outputs and BOM index binary layout. -- Integration tests exercising packaging helpers with in-memory storage fakes. +# StellaOps.Scanner.Emit — Agent Charter + +## Mission +Assemble deterministic SBOM artifacts (inventory, usage, BOM index) from analyzer fragments and usage telemetry, and prepare them for storage, signing, and distribution. + +## Responsibilities +- Merge per-layer/component fragments into CycloneDX JSON/Protobuf SBOMs. +- Generate BOM index sidecars with roaring bitmap acceleration and usage flags. +- Package artifacts with stable naming, hashing, and manifests for downstream storage and attestations. +- Surface helper APIs for Scanner Worker/WebService to request compositions and exports. + +## Interfaces & Dependencies +- Consumes analyzer outputs (OS, language, native) and EntryTrace usage annotations. 
+- Produces artifacts persisted via `StellaOps.Scanner.Storage` and referenced by policy/report pipelines. +- Relies on deterministic primitives from `StellaOps.Scanner.Core` for timestamps, hashing, and serialization defaults. + +## Testing Expectations +- Golden SBOM and BOM index fixtures with determinism checks. +- Schema validation for CycloneDX outputs and BOM index binary layout. +- Integration tests exercising packaging helpers with in-memory storage fakes. + +## Required Reading +- `docs/modules/scanner/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/AGENTS.md index 3ad8f323..adb6a924 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/AGENTS.md 
@@ -1,32 +1,43 @@ -# StellaOps.Scanner.EntryTrace — Agent Charter - -## Mission -Resolve container `ENTRYPOINT`/`CMD` chains into deterministic call graphs that fuel usage-aware SBOMs, policy explainability, and runtime drift detection. Implement the EntryTrace analyzers and expose them as restart-time plug-ins for the Scanner Worker. - -## Scope -- Parse POSIX/Bourne shell constructs (exec, command, case, if, source/run-parts) with deterministic AST output. -- Walk layered root filesystems to resolve PATH lookups, interpreter hand-offs (Python/Node/Java), and record evidence. -- Surface explainable diagnostics for unresolved branches (env indirection, missing files, unsupported syntax) and emit metrics. -- Package analyzers as signed plug-ins under `plugins/scanner/entrytrace/`, guarded by restart-only policy. - -## Out of Scope -- SBOM emission/diffing (owned by `Scanner.Emit`/`Scanner.Diff`). -- Runtime enforcement or live drift reconciliation (owned by Zastava). -- Registry/network fetchers beyond file lookups inside extracted layers. - -## Interfaces & Contracts -- Primary entry point: `IEntryTraceAnalyzer.ResolveAsync` returning a deterministic `EntryTraceGraph`. -- Graph nodes must include file path, line span, interpreter classification, evidence source, and follow `Scanner.Core` timestamp/ID helpers when emitting events. -- Diagnostics must enumerate unknown reasons from fixed enum; metrics tagged `entrytrace.*`. -- Plug-ins register via `IEntryTraceAnalyzerFactory` and must validate against `IPluginCatalogGuard`. - -## Observability & Security -- No dynamic assembly loading beyond restart-time plug-in catalog. -- Structured logs include `scanId`, `imageDigest`, `layerDigest`, `command`, `reason`. -- Metrics counters: `entrytrace_resolutions_total{result}`, `entrytrace_unresolved_total{reason}`. -- Deny `source` directives outside image root; sandbox file IO via provided `IRootFileSystem`. 
- -## Testing -- Unit tests live in `../StellaOps.Scanner.EntryTrace.Tests` with golden fixtures under `Fixtures/`. -- Determinism harness: same inputs produce byte-identical serialized graphs. -- Parser fuzz seeds captured for regression; interpreter tracers validated with sample scripts for Python, Node, Java launchers. +# StellaOps.Scanner.EntryTrace — Agent Charter + +## Mission +Resolve container `ENTRYPOINT`/`CMD` chains into deterministic call graphs that fuel usage-aware SBOMs, policy explainability, and runtime drift detection. Implement the EntryTrace analyzers and expose them as restart-time plug-ins for the Scanner Worker. + +## Scope +- Parse POSIX/Bourne shell constructs (exec, command, case, if, source/run-parts) with deterministic AST output. +- Walk layered root filesystems to resolve PATH lookups, interpreter hand-offs (Python/Node/Java), and record evidence. +- Surface explainable diagnostics for unresolved branches (env indirection, missing files, unsupported syntax) and emit metrics. +- Package analyzers as signed plug-ins under `plugins/scanner/entrytrace/`, guarded by restart-only policy. + +## Out of Scope +- SBOM emission/diffing (owned by `Scanner.Emit`/`Scanner.Diff`). +- Runtime enforcement or live drift reconciliation (owned by Zastava). +- Registry/network fetchers beyond file lookups inside extracted layers. + +## Interfaces & Contracts +- Primary entry point: `IEntryTraceAnalyzer.ResolveAsync` returning a deterministic `EntryTraceGraph`. +- Graph nodes must include file path, line span, interpreter classification, evidence source, and follow `Scanner.Core` timestamp/ID helpers when emitting events. +- Diagnostics must enumerate unknown reasons from fixed enum; metrics tagged `entrytrace.*`. +- Plug-ins register via `IEntryTraceAnalyzerFactory` and must validate against `IPluginCatalogGuard`. + +## Observability & Security +- No dynamic assembly loading beyond restart-time plug-in catalog. 
+- Structured logs include `scanId`, `imageDigest`, `layerDigest`, `command`, `reason`. +- Metrics counters: `entrytrace_resolutions_total{result}`, `entrytrace_unresolved_total{reason}`. +- Deny `source` directives outside image root; sandbox file IO via provided `IRootFileSystem`. + +## Testing +- Unit tests live in `../StellaOps.Scanner.EntryTrace.Tests` with golden fixtures under `Fixtures/`. +- Determinism harness: same inputs produce byte-identical serialized graphs. +- Parser fuzz seeds captured for regression; interpreter tracers validated with sample scripts for Python, Node, Java launchers. + +## Required Reading +- `docs/modules/scanner/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md b/src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md index cd90dd03..af68f200 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md 
@@ -5,6 +5,8 @@ | SCANNER-ENTRYTRACE-18-502 | TODO | EntryTrace Guild | SCANNER-ENTRYTRACE-18-501 | Expand chain walker with init shim/user-switch/supervisor recognition plus env/workdir accumulation and guarded edges. | Graph nodes annotate tini/dumb-init/gosu/su-exec/s6/supervisord/runit branches with capability tags, environment deltas, and guard metadata validated against fixture scripts. | | SCANNER-ENTRYTRACE-18-503 | TODO | EntryTrace Guild | SCANNER-ENTRYTRACE-18-502 | Introduce target classifier + EntryPlan handoff with confidence scoring for ELF/Java/.NET/Node/Python and user/workdir context. | Analyzer returns typed targets with confidence metrics and per-branch EntryPlans exercised via golden fixtures and language analyzer stubs. | | SCANNER-ENTRYTRACE-18-504 | TODO | EntryTrace Guild | SCANNER-ENTRYTRACE-18-503 | Emit EntryTrace AOC NDJSON (`entrytrace.entry/node/edge/target/warning/capability`) and wire CLI/service streaming outputs. | NDJSON writer passes determinism tests, CLI/service endpoints stream ordered observations, and diagnostics integrate new warning codes for dynamic eval/glob limits/windows shims. | +| ENTRYTRACE-SURFACE-01 | TODO | EntryTrace Guild | SURFACE-VAL-02, SURFACE-FS-02 | Run Surface.Validation prereq checks and resolve cached entry fragments via Surface.FS to avoid duplicate parsing. | EntryTrace performance metrics show reuse; regression tests updated; validation errors surfaced consistently. | +| ENTRYTRACE-SURFACE-02 | TODO | EntryTrace Guild | SURFACE-SECRETS-02 | Replace direct env/secret access with Surface.Secrets provider when tracing runtime configs. | Shared provider used; failure modes covered; documentation refreshed. | ## Status Review — 2025-10-19 diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Queue/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Queue/AGENTS.md index dac1a325..892b70de 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Queue/AGENTS.md 
+++ b/src/Scanner/__Libraries/StellaOps.Scanner.Queue/AGENTS.md 
@@ -1,15 +1,26 @@ -# StellaOps.Scanner.Queue — Agent Charter - -## Mission -Deliver the scanner job queue backbone defined in `docs/modules/scanner/ARCHITECTURE.md`, providing deterministic, offline-friendly leasing semantics for WebService producers and Worker consumers. - -## Responsibilities -- Define queue abstractions with idempotent enqueue tokens, acknowledgement, lease renewal, and claim support. -- Ship first-party adapters for Redis Streams and NATS JetStream, respecting offline deployments and allow-listed hosts. -- Surface health probes, structured diagnostics, and metrics needed by Scanner WebService/Worker. -- Document operational expectations and configuration binding hooks. - -## Interfaces & Dependencies -- Consumes shared configuration primitives from `StellaOps.Configuration`. -- Exposes dependency injection extensions for `StellaOps.DependencyInjection`. -- Targets `net10.0` (preview) and aligns with scanner DTOs once `StellaOps.Scanner.Core` lands. +# StellaOps.Scanner.Queue — Agent Charter + +## Mission +Deliver the scanner job queue backbone defined in `docs/modules/scanner/ARCHITECTURE.md`, providing deterministic, offline-friendly leasing semantics for WebService producers and Worker consumers. + +## Responsibilities +- Define queue abstractions with idempotent enqueue tokens, acknowledgement, lease renewal, and claim support. +- Ship first-party adapters for Redis Streams and NATS JetStream, respecting offline deployments and allow-listed hosts. +- Surface health probes, structured diagnostics, and metrics needed by Scanner WebService/Worker. +- Document operational expectations and configuration binding hooks. + +## Interfaces & Dependencies +- Consumes shared configuration primitives from `StellaOps.Configuration`. +- Exposes dependency injection extensions for `StellaOps.DependencyInjection`. +- Targets `net10.0` (preview) and aligns with scanner DTOs once `StellaOps.Scanner.Core` lands. 
+ +## Required Reading +- `docs/modules/scanner/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Storage/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Storage/AGENTS.md index 76bc40e5..7227baad 100644 --- a/src/Scanner/__Libraries/StellaOps.Scanner.Storage/AGENTS.md +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Storage/AGENTS.md 
@@ -1,28 +1,39 @@ -# AGENTS -## Role -Provide durable catalog and artifact storage for the Scanner plane, spanning Mongo catalog collections and MinIO object storage. Expose repositories and services used by WebService and Worker components to persist job state, image metadata, and exported artefacts deterministically. -## Scope -- Mongo collections: artifacts, images, layers, links, jobs, lifecycle_rules, migrations. -- Metadata documents: enforce majority write/read concerns, UTC timestamps, deterministic identifiers (SHA-256 digests, ULIDs for jobs). -- Bootstrapper: create collections + indexes (unique digests, compound references, TTL on lifecycle rules, sparse lookup helpers) and run schema migrations. -- Object storage (MinIO/S3): manage bucket layout (layers/, images/, indexes/, attest/), immutability policies, deterministic paths, and retention classes. -- Services: coordinate dual-write between Mongo metadata and MinIO blobs, compute digests, manage reference counts, and expose typed repositories for WebService/Worker interactions. -## Participants -- Scanner.WebService binds configuration, runs bootstrapper during startup, and uses repositories to enqueue scans, look up catalog entries, and manage lifecycle policies. -- Scanner.Worker writes job progress, uploads SBOM artefacts, and updates artefact reference counts. -- Policy / Notify consumers resolve artefact metadata for reports via catalog APIs once exposed. -## Interfaces & contracts -- Options configured via `ScannerStorageOptions` (Mongo + object store). `EnsureValid` rejects incomplete/unsafe configuration. -- Mongo access uses `IMongoDatabase` scoped with majority `ReadConcern`/`WriteConcern` and cancellation tokens. -- Object store abstraction (`IArtifactObjectStore`) encapsulates MinIO (S3) operations with server-side checksum validation and optional object-lock retain-until. -- Service APIs follow deterministic naming: digests normalized (`sha256:`), ULIDs sortable, timestamps ISO-8601 UTC. 
-## In/Out of scope -In: persistence models, bootstrap/migrations, catalog repositories, object storage client, retention helpers, dual-write coordination, deterministic digests. -Out: HTTP endpoints, queue processing, analyzer logic, SBOM composition, policy decisions, UI contracts. -## Observability & security expectations -- Emit structured logs for catalog/object-store writes including correlation IDs and digests. -- Guard against double writes; idempotent operations keyed by digests. -- Do not log credentials; redact connection strings. Honour cancellation tokens. -- Metrics hooks (pending) must expose duration counters for Mongo and MinIO operations. -## Tests -- Integration tests with ephemeral Mongo/MinIO stubs covering bootstrapper indexes, TTL enforcement, dual-write coordination, digest determinism, and majority read/write concerns. +# AGENTS +## Role +Provide durable catalog and artifact storage for the Scanner plane, spanning Mongo catalog collections and MinIO object storage. Expose repositories and services used by WebService and Worker components to persist job state, image metadata, and exported artefacts deterministically. +## Scope +- Mongo collections: artifacts, images, layers, links, jobs, lifecycle_rules, migrations. +- Metadata documents: enforce majority write/read concerns, UTC timestamps, deterministic identifiers (SHA-256 digests, ULIDs for jobs). +- Bootstrapper: create collections + indexes (unique digests, compound references, TTL on lifecycle rules, sparse lookup helpers) and run schema migrations. +- Object storage (MinIO/S3): manage bucket layout (layers/, images/, indexes/, attest/), immutability policies, deterministic paths, and retention classes. +- Services: coordinate dual-write between Mongo metadata and MinIO blobs, compute digests, manage reference counts, and expose typed repositories for WebService/Worker interactions. 
+## Participants +- Scanner.WebService binds configuration, runs bootstrapper during startup, and uses repositories to enqueue scans, look up catalog entries, and manage lifecycle policies. +- Scanner.Worker writes job progress, uploads SBOM artefacts, and updates artefact reference counts. +- Policy / Notify consumers resolve artefact metadata for reports via catalog APIs once exposed. +## Interfaces & contracts +- Options configured via `ScannerStorageOptions` (Mongo + object store). `EnsureValid` rejects incomplete/unsafe configuration. +- Mongo access uses `IMongoDatabase` scoped with majority `ReadConcern`/`WriteConcern` and cancellation tokens. +- Object store abstraction (`IArtifactObjectStore`) encapsulates MinIO (S3) operations with server-side checksum validation and optional object-lock retain-until. +- Service APIs follow deterministic naming: digests normalized (`sha256:`), ULIDs sortable, timestamps ISO-8601 UTC. +## In/Out of scope +In: persistence models, bootstrap/migrations, catalog repositories, object storage client, retention helpers, dual-write coordination, deterministic digests. +Out: HTTP endpoints, queue processing, analyzer logic, SBOM composition, policy decisions, UI contracts. +## Observability & security expectations +- Emit structured logs for catalog/object-store writes including correlation IDs and digests. +- Guard against double writes; idempotent operations keyed by digests. +- Do not log credentials; redact connection strings. Honour cancellation tokens. +- Metrics hooks (pending) must expose duration counters for Mongo and MinIO operations. +## Tests +- Integration tests with ephemeral Mongo/MinIO stubs covering bootstrapper indexes, TTL enforcement, dual-write coordination, digest determinism, and majority read/write concerns. + +## Required Reading +- `docs/modules/scanner/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. 
Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env/AGENTS.md new file mode 100644 index 00000000..4adea7c0 --- /dev/null +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env/AGENTS.md 
@@ -0,0 +1,27 @@ +# Scanner Surface.Env Guild Charter + +## Mission +Provide strongly-typed configuration helpers for Scanner/Zastava components, encapsulating environment-variable parsing, validation, and defaults related to surface caching, storage, and feature toggles. Ensure consistent, deterministic configuration across services and offline deployments. + +## Scope +- Environment helper APIs within `StellaOps.Scanner.Surface.Env`. +- Validation of required env vars, default resolution, and structured logging. +- Coordination with DevOps for Helm/Compose/offline-kit templates. +- Backward-compatible evolution of configuration keys. + +## Required Reading +- `docs/modules/scanner/design/surface-env.md` +- `docs/modules/scanner/design/surface-fs.md` +- `docs/modules/scanner/design/surface-secrets.md` +- `docs/modules/scanner/design/surface-validation.md` +- `docs/modules/scanner/architecture.md` +- `docs/modules/zastava/architecture.md` +- Deployment guides (`deploy/README.md`, `ops/devops/TASKS.md`) referencing scanner env vars. + +## Working Agreement +1. **State sync**: mark tasks `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and local `TASKS.md` before/after changes. +2. **Deterministic parsing**: validate inputs once, emit structured errors, avoid direct `Environment.GetEnvironmentVariable` calls elsewhere. +3. **Compatibility**: version new keys; provide migration helpers and deprecation warnings; update docs + Ops templates. +4. **Testing**: maintain unit tests for parsing, validation, and fallback behaviour; include edge cases (missing, malformed, default override). +5. **Security**: redact secrets in logs; ensure secret references pair with Surface.Secrets. +6. **Documentation**: keep `surface-env.md` current; coordinate with Ops on template changes. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env/TASKS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env/TASKS.md new file mode 100644 index 00000000..3443275f --- /dev/null 
+++ b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Env/TASKS.md @@ -0,0 +1,9 @@ +# Surface.Env Task Board (Epic: SURFACE-SHARING) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SURFACE-ENV-01 | TODO | Scanner Guild, Zastava Guild | ARCH-SURFACE-EPIC | Draft `docs/modules/scanner/design/surface-env.md` enumerating environment variables, defaults, and air-gap behaviour. | Spec merged; env matrix reviewed by Ops + Security. | +| SURFACE-ENV-02 | TODO | Scanner Guild | SURFACE-ENV-01 | Implement strongly-typed env accessors in `StellaOps.Scanner.Surface.Env` with validation and deterministic logging. | Library published; unit tests cover parsing, fallbacks, and error paths. | +| SURFACE-ENV-03 | TODO | Scanner Guild | SURFACE-ENV-02 | Adopt env helper across Scanner Worker/WebService/BuildX plug-ins. | Services use helper; manifests updated; smoke tests green. | +| SURFACE-ENV-04 | TODO | Zastava Guild | SURFACE-ENV-02 | Wire env helper into Zastava Observer/Webhook containers. | Zastava builds reference env helper; admission tests validated. | +| SURFACE-ENV-05 | TODO | Ops Guild | SURFACE-ENV-03..04 | Update Helm/Compose/offline kit templates with new env knobs and documentation. | Templates merged; docs include configuration table; air-gap scripts updated. | diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS/AGENTS.md new file mode 100644 index 00000000..1204dcb4 --- /dev/null +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS/AGENTS.md 
@@ -0,0 +1,30 @@ +# Scanner Surface.FS Guild Charter + +## Mission +Define and maintain the shared surface filesystem abstraction used by Scanner, Zastava, and Scheduler to store and retrieve deterministic cache artefacts (layer manifests, entry traces, SBOM fragments). Surface.FS must ensure content-addressed integrity, tenancy isolation, and offline portability. + +## Scope +- Core reader/writer abstractions in `StellaOps.Scanner.Surface.FS`. +- Manifest schemas, CAS helpers, and API contracts for cache consumers. +- Integration hooks with Scanner Worker/WebService, Zastava Observer/Webhook, Scheduler planners. +- Tests covering concurrency, determinism, and error handling. + +## Required Reading +- `docs/modules/scanner/design/surface-fs.md` +- `docs/modules/scanner/design/surface-env.md` +- `docs/modules/scanner/design/surface-secrets.md` +- `docs/modules/scanner/design/surface-validation.md` +- `docs/modules/scanner/architecture.md` +- `docs/modules/zastava/architecture.md` +- `docs/modules/scheduler/architecture.md` +- Offline kit notes referencing cache bundles. + +## Working Agreement +1. **Status updates**: adjust task state in `docs/implplan/SPRINTS.md` and local `TASKS.md` when starting/finishing work. +2. **Determinism**: manifests must be stable (ordered keys, normalised timestamps); avoid non-deterministic metadata. +3. **Security & tenancy**: enforce namespace separation, hash validation, and capability checks; integrate with Surface.Secrets for protected stores. +4. **Concurrency**: design for multi-writer safety with leases or idempotent writes; document locking expectations. +5. **Testing**: cover unit/integration scenarios (write/read, corruption handling, retention policies) and regression tests in Scanner/Zastava. +6. **Documentation**: update `surface-fs.md` and downstream guides when schema or API contracts evolve; coordinate with Ops for deployment changes. + +- 1. 
Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS/TASKS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS/TASKS.md new file mode 100644 index 00000000..6a3ff18d --- /dev/null +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.FS/TASKS.md 
@@ -0,0 +1,10 @@ +# Surface.FS Task Board (Epic: SURFACE-SHARING) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SURFACE-FS-01 | TODO | Scanner Guild, Zastava Guild | ARCH-SURFACE-EPIC | Author `docs/modules/scanner/design/surface-fs.md` defining cache layout, pointer schema, tenancy, and offline handling. | Spec merged; reviewers from Scanner/Zastava sign off; component map cross-link drafted. | +| SURFACE-FS-02 | TODO | Scanner Guild | SURFACE-FS-01 | Implement `StellaOps.Scanner.Surface.FS` core abstractions (writer, reader, manifest models) with deterministic serialization + unit tests. | Library compiles; tests pass; XML docs cover public types. | +| SURFACE-FS-03 | TODO | Scanner Guild | SURFACE-FS-02 | Integrate Surface.FS writer into Scanner Worker analyzer pipeline to persist layer + entry-trace fragments. | Worker produces cache entries in integration tests; observability counters emitted. | +| SURFACE-FS-04 | TODO | Zastava Guild | SURFACE-FS-02 | Integrate Surface.FS reader into Zastava Observer runtime drift loop. | Observer validates runtime artefacts via cache; regression tests updated. | +| SURFACE-FS-05 | TODO | Scanner Guild, Scheduler Guild | SURFACE-FS-03 | Expose Surface.FS pointers via Scanner WebService reports and coordinate rescan planning with Scheduler. | API contracts updated; Scheduler consumes pointers; docs refreshed. | +| SURFACE-FS-06 | TODO | Docs Guild | SURFACE-FS-02..05 | Update scanner-engine guide and offline kit docs with Surface.FS workflow. | Docs merged; offline kit manifests include cache bundles. | diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/AGENTS.md new file mode 100644 index 00000000..5be6c743 --- /dev/null +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/AGENTS.md 
@@ -0,0 +1,30 @@ +# Scanner Surface.Secrets Guild Charter + +## Mission +Provide a unified secret access layer for Scanner, Zastava, and related services to retrieve registry credentials, CAS tokens, and bundle decryptors securely and deterministically. Surface.Secrets abstracts secret stores (Kubernetes, file bundles, in-memory) while supporting offline and air-gapped deployments. + +## Scope +- Secret provider interfaces and implementations in `StellaOps.Scanner.Surface.Secrets`. +- Integration with Surface.Env & Surface.Validation for configuration/inputs. +- Backend adapters (Kubernetes Secret, file-based, offline bundle) and rotation hooks. +- Audit logging, caching policies, and error handling for secret access. + +## Required Reading +- `docs/modules/scanner/design/surface-secrets.md` +- `docs/modules/scanner/design/surface-env.md` +- `docs/modules/scanner/design/surface-fs.md` +- `docs/modules/scanner/design/surface-validation.md` +- `docs/modules/scanner/architecture.md` +- `docs/modules/zastava/architecture.md` +- `docs/modules/airgap/airgap-mode.md` +- Security guidance in `docs/security/redaction-and-privacy.md` + +## Working Agreement +1. **Status synchronisation**: update task state in both `docs/implplan/SPRINTS.md` and local `TASKS.md` whenever you start or complete work. +2. **Security posture**: enforce least privilege, short cache TTLs, redaction in logs, and Authority scope checks where applicable. +3. **Deterministic behaviour**: deterministic secret selection & failure modes; avoid random jitter unless documented. +4. **Offline readiness**: support sealed-mode bundles; document required manifest formats and verification steps. +5. **Testing**: add unit/integration tests for each backend, rotation scenario, and failure path; include air-gap fixtures. +6. **Documentation**: keep `surface-secrets.md` current; collaborate with DevOps to update Helm/Compose/offline-kit instructions. + +- 1. 
Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/TASKS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/TASKS.md new file mode 100644 index 00000000..bf4ace26 --- /dev/null +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/TASKS.md 
@@ -0,0 +1,10 @@ +# Surface.Secrets Task Board (Epic: SURFACE-SHARING) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SURFACE-SECRETS-01 | TODO | Scanner Guild, Security Guild | ARCH-SURFACE-EPIC | Produce `docs/modules/scanner/design/surface-secrets.md` defining secret reference schema, storage backends, scopes, and rotation. | Spec approved by Security + Authority guilds; threat model ticket logged. | +| SURFACE-SECRETS-02 | TODO | Scanner Guild | SURFACE-SECRETS-01 | Implement `StellaOps.Scanner.Surface.Secrets` core provider interfaces, secret models, and in-memory test backend. | Library builds; tests pass; XML docs cover public API. | +| SURFACE-SECRETS-03 | TODO | Scanner Guild | SURFACE-SECRETS-02 | Add Kubernetes/File/Offline backends with deterministic caching and audit hooks. | Backends integrated; integration tests simulate rotation + offline bundles. | +| SURFACE-SECRETS-04 | TODO | Scanner Guild | SURFACE-SECRETS-02 | Integrate Surface.Secrets into Scanner Worker/WebService/BuildX for registry + CAS creds. | Scanner components consume library; legacy secret code removed; smoke tests updated. | +| SURFACE-SECRETS-05 | TODO | Zastava Guild | SURFACE-SECRETS-02 | Invoke Surface.Secrets from Zastava Observer/Webhook for CAS & attestation secrets. | Zastava uses shared provider; admission + observer tests cover secret errors. | +| SURFACE-SECRETS-06 | TODO | Ops Guild | SURFACE-SECRETS-03 | Update deployment manifests/offline kit bundles to provision secret references instead of raw values. | Templates merged; docs & runbooks updated; offline kit instructions validated. | diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/AGENTS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/AGENTS.md new file mode 100644 index 00000000..8cf3e8f9 --- /dev/null 
+++ b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/AGENTS.md 
@@ -0,0 +1,27 @@ +# Scanner Surface.Validation Guild Charter + +## Mission +Deliver an extensible validation framework that enforces preconditions for Surface-driven features (env configuration, cache manifests, secret references) across Scanner, Zastava, Scheduler, and related tooling. Validators must be composable, SOLID-compliant, and easily queryable by analyzers and services. + +## Scope +- Validator interfaces, registry, and default validators in `StellaOps.Scanner.Surface.Validation`. +- Integration helpers for Scanner analyzers, Worker/WebService, Zastava Observer/Webhook, Scheduler planners. +- Documentation showing how to add custom validators per surface consumer. +- Test coverage ensuring validators are deterministic and produce actionable diagnostics. + +## Required Reading +- `docs/modules/scanner/design/surface-validation.md` +- `docs/modules/scanner/design/surface-env.md` +- `docs/modules/scanner/design/surface-fs.md` +- `docs/modules/scanner/design/surface-secrets.md` +- `docs/modules/scanner/architecture.md` +- `docs/modules/zastava/architecture.md` +- `docs/modules/scheduler/architecture.md` + +## Working Agreement +1. **Status sync**: mark tasks `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and local `TASKS.md` when you begin/finish work. +2. **Extensibility**: design validators to be SOLID-compliant; document registration patterns; avoid hard-coded logic in consumers. +3. **Deterministic diagnostics**: produce stable error codes/messages; support localisation if required. +4. **Integration**: ensure all Surface libraries and consumers call validators before operation; add regression tests in downstream modules when new checks land. +5. **Testing**: include unit tests for each validator, registry behaviour, and composition; simulate failure paths. +6. **Documentation**: keep `surface-validation.md` updated with new validator types, usage examples, and extension guidance. 
diff --git a/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/TASKS.md b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/TASKS.md new file mode 100644 index 00000000..902dbe0a --- /dev/null +++ b/src/Scanner/__Libraries/StellaOps.Scanner.Surface.Validation/TASKS.md @@ -0,0 +1,9 @@ +# Surface.Validation Task Board (Epic: SURFACE-SHARING) + +| ID | Status | Owner(s) | Depends on | Description | Exit Criteria | +|----|--------|----------|------------|-------------|---------------| +| SURFACE-VAL-01 | TODO | Scanner Guild, Security Guild | SURFACE-FS-01, SURFACE-ENV-01 | Define validation framework (design doc `surface-validation.md`) covering SOLID extension points and queryable checks for env/cache/secrets. | Spec merged; architecture sign-off from Scanner + Security; checklist of baseline validators established. | +| SURFACE-VAL-02 | TODO | Scanner Guild | SURFACE-VAL-01, SURFACE-ENV-02, SURFACE-FS-02 | Implement base validation library (interfaces, check registry, default validators for env/cached manifests, secret refs) with unit tests. | Library published; validation registry supports DI; tests cover success/failure; XML docs added. | +| SURFACE-VAL-03 | TODO | Scanner Guild, Analyzer Guild | SURFACE-VAL-02 | Integrate validation pipeline into Scanner analyzers (Lang, EntryTrace, etc.) to ensure consistent checks before processing. | Analyzers call validation hooks; integration tests updated; performance baseline measured. | +| SURFACE-VAL-04 | TODO | Scanner Guild, Zastava Guild | SURFACE-VAL-02 | Expose validation helpers to Zastava and other runtime consumers (Observer/Webhook) for preflight checks. | Zastava uses shared validators; admission tests include validation failure scenarios. | +| SURFACE-VAL-05 | TODO | Docs Guild | SURFACE-VAL-02 | Document validation extensibility, registration, and customization in scanner-engine guide and developer docs. | Docs merged; examples show adding custom validator; cross-links added. | 
diff --git a/src/Scheduler/StellaOps.Scheduler.WebService/AGENTS.md b/src/Scheduler/StellaOps.Scheduler.WebService/AGENTS.md index 60625873..e2d6d894 100644 --- a/src/Scheduler/StellaOps.Scheduler.WebService/AGENTS.md +++ b/src/Scheduler/StellaOps.Scheduler.WebService/AGENTS.md @@ -1,4 +1,15 @@ -# StellaOps.Scheduler.WebService — Agent Charter - -## Mission -Implement Scheduler control plane per `docs/modules/scheduler/ARCHITECTURE.md`. +# StellaOps.Scheduler.WebService — Agent Charter + +## Mission +Implement Scheduler control plane per `docs/modules/scheduler/ARCHITECTURE.md`. + +## Required Reading +- `docs/modules/scheduler/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/AGENTS.md b/src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/AGENTS.md index 4551a3f0..40eb8dcd 100644 --- a/src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/AGENTS.md +++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/AGENTS.md 
@@ -1,4 +1,15 @@ -# StellaOps.Scheduler.ImpactIndex — Agent Charter - -## Mission -Build the global impact index per `docs/modules/scheduler/ARCHITECTURE.md` (roaring bitmaps, selectors, snapshotting). +# StellaOps.Scheduler.ImpactIndex — Agent Charter + +## Mission +Build the global impact index per `docs/modules/scheduler/ARCHITECTURE.md` (roaring bitmaps, selectors, snapshotting). + +## Required Reading +- `docs/modules/scheduler/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Scheduler/__Libraries/StellaOps.Scheduler.Models/AGENTS.md b/src/Scheduler/__Libraries/StellaOps.Scheduler.Models/AGENTS.md index 059673ad..53a8f2e7 100644 --- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Models/AGENTS.md +++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Models/AGENTS.md 
@@ -1,4 +1,15 @@ -# StellaOps.Scheduler.Models — Agent Charter - -## Mission -Define Scheduler DTOs (Schedule, Run, ImpactSet, Selector, DeltaSummary) per `docs/modules/scheduler/ARCHITECTURE.md`. +# StellaOps.Scheduler.Models — Agent Charter + +## Mission +Define Scheduler DTOs (Schedule, Run, ImpactSet, Selector, DeltaSummary) per `docs/modules/scheduler/ARCHITECTURE.md`. + +## Required Reading +- `docs/modules/scheduler/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Scheduler/__Libraries/StellaOps.Scheduler.Queue/AGENTS.md b/src/Scheduler/__Libraries/StellaOps.Scheduler.Queue/AGENTS.md index 8c635063..4981de6b 100644 --- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Queue/AGENTS.md +++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Queue/AGENTS.md 
@@ -1,4 +1,15 @@ -# StellaOps.Scheduler.Queue — Agent Charter - -## Mission -Provide queue abstraction (Redis Streams / NATS JetStream) for planner inputs and runner segments per `docs/modules/scheduler/ARCHITECTURE.md`. +# StellaOps.Scheduler.Queue — Agent Charter + +## Mission +Provide queue abstraction (Redis Streams / NATS JetStream) for planner inputs and runner segments per `docs/modules/scheduler/ARCHITECTURE.md`. + +## Required Reading +- `docs/modules/scheduler/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/AGENTS.md b/src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/AGENTS.md index 29c9ade1..ba77d6be 100644 --- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/AGENTS.md +++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Storage.Mongo/AGENTS.md 
@@ -1,4 +1,15 @@ -# StellaOps.Scheduler.Storage.Mongo — Agent Charter - -## Mission -Implement Mongo persistence (schedules, runs, impact cursors, locks, audit) per `docs/modules/scheduler/ARCHITECTURE.md`. +# StellaOps.Scheduler.Storage.Mongo — Agent Charter + +## Mission +Implement Mongo persistence (schedules, runs, impact cursors, locks, audit) per `docs/modules/scheduler/ARCHITECTURE.md`. + +## Required Reading +- `docs/modules/scheduler/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/AGENTS.md b/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/AGENTS.md index bc70225f..a4d54083 100644 --- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/AGENTS.md +++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/AGENTS.md 
@@ -1,4 +1,15 @@ -# StellaOps.Scheduler.Worker — Agent Charter - -## Mission -Implement Scheduler planners/runners per `docs/modules/scheduler/ARCHITECTURE.md`. +# StellaOps.Scheduler.Worker — Agent Charter + +## Mission +Implement Scheduler planners/runners per `docs/modules/scheduler/ARCHITECTURE.md`. + +## Required Reading +- `docs/modules/scheduler/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md b/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md index 85b10265..9d56919f 100644 --- a/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md +++ b/src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md @@ -2,6 +2,7 @@ | ID | Status | Owner(s) | Depends on | Description | Exit Criteria | |----|--------|----------|------------|-------------|---------------| +| SCHED-SURFACE-01 | TODO | Scheduler Worker Guild | SURFACE-FS-02, SCANNER-SURFACE-02 | Evaluate Surface.FS pointers when planning delta scans to avoid redundant work and prioritise drift-triggered assets. | Planner reads Surface.FS manifests; regression tests cover cache hits/misses; documentation updated. | > 2025-10-27: Impact targeting sanitizes selector-constrained results, dedupes digests, and documents shard planning in `docs/SCHED-WORKER-16-202-IMPACT-TARGETING.md`. 
diff --git a/src/Sdk/StellaOps.Sdk.Generator/AGENTS.md b/src/Sdk/StellaOps.Sdk.Generator/AGENTS.md index 5d1b1428..86669190 100644 --- a/src/Sdk/StellaOps.Sdk.Generator/AGENTS.md +++ b/src/Sdk/StellaOps.Sdk.Generator/AGENTS.md 
@@ -1,15 +1,26 @@ -# SDK Generator Guild Charter - -## Mission -Generate and maintain official StellaOps SDKs across supported languages using reproducible code generation pipelines. - -## Scope -- Manage code generation templates and tooling for TS, Python, Go, Java (C#/Rust follow-ons). -- Implement post-processing hooks for auth helpers, retries, paginators, error mapping, and telemetry. -- Provide language-specific smoke tests, example snippets, and continuous integration. -- Coordinate with Release Guild for publishing and version bumps. - -## Definition of Done -- SDKs regenerate deterministically from `stella.yaml` without manual edits. -- Smoke tests and integration suites run per language in CI. -- Generated code adheres to language-specific style guides and passes lint/format checks. +# SDK Generator Guild Charter + +## Mission +Generate and maintain official StellaOps SDKs across supported languages using reproducible code generation pipelines. + +## Scope +- Manage code generation templates and tooling for TS, Python, Go, Java (C#/Rust follow-ons). +- Implement post-processing hooks for auth helpers, retries, paginators, error mapping, and telemetry. +- Provide language-specific smoke tests, example snippets, and continuous integration. +- Coordinate with Release Guild for publishing and version bumps. + +## Definition of Done +- SDKs regenerate deterministically from `stella.yaml` without manual edits. +- Smoke tests and integration suites run per language in CI. +- Generated code adheres to language-specific style guides and passes lint/format checks. + +## Required Reading +- `docs/modules/platform/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. 
Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Sdk/StellaOps.Sdk.Release/AGENTS.md b/src/Sdk/StellaOps.Sdk.Release/AGENTS.md index ab68fd5f..813c9199 100644 --- a/src/Sdk/StellaOps.Sdk.Release/AGENTS.md +++ b/src/Sdk/StellaOps.Sdk.Release/AGENTS.md 
@@ -1,15 +1,26 @@ -# SDK Release Guild Charter - -## Mission -Own packaging, signing, publishing, and changelog automation for official StellaOps SDKs and dev portal bundles. - -## Scope -- Manage language-specific release pipelines (npm, PyPI, Maven, Go modules) with provenance signing. -- Automate changelog generation and SemVer version bumps aligned with API releases. -- Coordinate publication of offline bundles for air-gapped environments. -- Operate release dashboards and notification hooks for SDK updates. - -## Definition of Done -- Every SDK release is reproducible, signed, and accompanied by changelog + provenance. -- Registries updated via automated pipeline with rollback strategy. -- Offline bundle creation integrated with Export Center workflows. +# SDK Release Guild Charter + +## Mission +Own packaging, signing, publishing, and changelog automation for official StellaOps SDKs and dev portal bundles. + +## Scope +- Manage language-specific release pipelines (npm, PyPI, Maven, Go modules) with provenance signing. +- Automate changelog generation and SemVer version bumps aligned with API releases. +- Coordinate publication of offline bundles for air-gapped environments. +- Operate release dashboards and notification hooks for SDK updates. + +## Definition of Done +- Every SDK release is reproducible, signed, and accompanied by changelog + provenance. +- Registries updated via automated pipeline with rollback strategy. +- Offline bundle creation integrated with Export Center workflows. + +## Required Reading +- `docs/modules/platform/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. 
Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Signals/StellaOps.Signals/AGENTS.md b/src/Signals/StellaOps.Signals/AGENTS.md index a6046f03..daabe8d3 100644 --- a/src/Signals/StellaOps.Signals/AGENTS.md +++ b/src/Signals/StellaOps.Signals/AGENTS.md 
@@ -1,11 +1,22 @@ -# StellaOps.Signals — Agent Charter - -## Mission -Provide language-agnostic collection, normalization, and scoring of reachability and exploitability signals for Stella Ops. Accept static artifacts (call graphs, symbol references) and runtime context facts, derive normalized reachability states/scores, and expose them to Policy Engine, Web API, and Console without mutating advisory evidence. - -## Expectations -- Maintain deterministic scoring with full provenance (AOC chains). -- Support incremental ingestion (per asset + snapshot) and expose caches for fast policy evaluation. -- Coordinate with SBOM/Policy/Console guilds on schema changes and UI expectations. -- Implement guardrails for large artifacts, authentication, and privacy (no PII). +# StellaOps.Signals — Agent Charter + +## Mission +Provide language-agnostic collection, normalization, and scoring of reachability and exploitability signals for Stella Ops. Accept static artifacts (call graphs, symbol references) and runtime context facts, derive normalized reachability states/scores, and expose them to Policy Engine, Web API, and Console without mutating advisory evidence. + +## Expectations +- Maintain deterministic scoring with full provenance (AOC chains). +- Support incremental ingestion (per asset + snapshot) and expose caches for fast policy evaluation. +- Coordinate with SBOM/Policy/Console guilds on schema changes and UI expectations. +- Implement guardrails for large artifacts, authentication, and privacy (no PII). - Update `TASKS.md`, `../../docs/implplan/SPRINTS.md` as work progresses. + +## Required Reading +- `docs/modules/zastava/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. 
Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Signer/StellaOps.Signer/AGENTS.md b/src/Signer/StellaOps.Signer/AGENTS.md index cc2a7861..05b979d0 100644 --- a/src/Signer/StellaOps.Signer/AGENTS.md +++ b/src/Signer/StellaOps.Signer/AGENTS.md @@ -19,3 +19,14 @@ Operate the Stella Ops Signer service: authenticate trusted callers, enforce p - `src/Signer/StellaOps.Signer/StellaOps.Signer.Core/` — Domain contracts, signing pipeline, quota enforcement (to be scaffolded). - `src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/` — External clients (Authority, Licensing, Fulcio/KMS, OCI) and persistence (to be scaffolded). - `src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/` — Unit/integration test suites (to be scaffolded). + +## Required Reading +- `docs/modules/signer/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/TaskRunner/StellaOps.TaskRunner/AGENTS.md b/src/TaskRunner/StellaOps.TaskRunner/AGENTS.md index e4129aea..9e62b655 100644 --- a/src/TaskRunner/StellaOps.TaskRunner/AGENTS.md 
+++ b/src/TaskRunner/StellaOps.TaskRunner/AGENTS.md 
@@ -1,17 +1,28 @@ -# Task Runner Service — Agent Charter - -## Mission -Execute Task Packs safely and deterministically. Provide remote pack execution, approvals, logging, artifact capture, and policy gates in support of Epic 12, honoring the imposed rule to propagate similar work where needed. - -## Responsibilities -- Validate Task Packs, enforce RBAC/approvals, orchestrate steps, manage artifacts/logs, stream status. -- Integrate with Orchestrator, Authority, Policy Engine, Export Center, Notifications, and CLI. -- Guarantee reproducible runs, provenance manifests, and secure handling of secrets and networks. - -## Module Layout -- `StellaOps.TaskRunner.Core/` — execution engine, step DSL, policy gates. -- `StellaOps.TaskRunner.Infrastructure/` — storage adapters, artifact handling, external clients. -- `StellaOps.TaskRunner.WebService/` — run management APIs and simulation endpoints. -- `StellaOps.TaskRunner.Worker/` — background executors, approvals, and telemetry loops. -- `StellaOps.TaskRunner.Tests/` — unit tests for core/infrastructure code paths. -- `StellaOps.TaskRunner.sln` — module solution. +# Task Runner Service — Agent Charter + +## Mission +Execute Task Packs safely and deterministically. Provide remote pack execution, approvals, logging, artifact capture, and policy gates in support of Epic 12, honoring the imposed rule to propagate similar work where needed. + +## Responsibilities +- Validate Task Packs, enforce RBAC/approvals, orchestrate steps, manage artifacts/logs, stream status. +- Integrate with Orchestrator, Authority, Policy Engine, Export Center, Notifications, and CLI. +- Guarantee reproducible runs, provenance manifests, and secure handling of secrets and networks. + +## Module Layout +- `StellaOps.TaskRunner.Core/` — execution engine, step DSL, policy gates. +- `StellaOps.TaskRunner.Infrastructure/` — storage adapters, artifact handling, external clients. 
+- `StellaOps.TaskRunner.WebService/` — run management APIs and simulation endpoints. +- `StellaOps.TaskRunner.Worker/` — background executors, approvals, and telemetry loops. +- `StellaOps.TaskRunner.Tests/` — unit tests for core/infrastructure code paths. +- `StellaOps.TaskRunner.sln` — module solution. + +## Required Reading +- `docs/modules/platform/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Telemetry/StellaOps.Telemetry.Core/AGENTS.md b/src/Telemetry/StellaOps.Telemetry.Core/AGENTS.md index 1f7f0f28..b16d5687 100644 --- a/src/Telemetry/StellaOps.Telemetry.Core/AGENTS.md +++ b/src/Telemetry/StellaOps.Telemetry.Core/AGENTS.md 
@@ -1,21 +1,32 @@ -# StellaOps Telemetry Core Guild Charter - -## Mission -Deliver shared observability primitives for every StellaOps service. Provide deterministic logging, metrics, and tracing utilities that enforce the imposed rule: instrumentation patterns adopted here must be propagated wherever applicable. - -## Scope -- Structured logging facade with fixed field schema and privacy guards. -- OpenTelemetry SDK bootstrapping helpers for services and workers. -- Sampling, exemplar, and redaction policies enforced in code. -- Context propagation middleware for HTTP, gRPC, message, and job pipelines. -- Validation test harnesses ensuring deterministic output across builds. - -## Coordination -- Partner with DevOps Guild on collector/exporter defaults. -- Align with Authority on trace/log scope annotations. -- Collaborate with service guilds to roll out new instrumentation packages per sprint objectives. - -## Definition of Done -- All library changes ship unit + integration tests. -- Determinism mode runs (`dotnet test -c Deterministic`) pass locally and in CI. -- Updated changelog fragments stored under `/docs/observability/` as referenced by tasks. +# StellaOps Telemetry Core Guild Charter + +## Mission +Deliver shared observability primitives for every StellaOps service. Provide deterministic logging, metrics, and tracing utilities that enforce the imposed rule: instrumentation patterns adopted here must be propagated wherever applicable. + +## Scope +- Structured logging facade with fixed field schema and privacy guards. +- OpenTelemetry SDK bootstrapping helpers for services and workers. +- Sampling, exemplar, and redaction policies enforced in code. +- Context propagation middleware for HTTP, gRPC, message, and job pipelines. +- Validation test harnesses ensuring deterministic output across builds. + +## Coordination +- Partner with DevOps Guild on collector/exporter defaults. +- Align with Authority on trace/log scope annotations. 
+- Collaborate with service guilds to roll out new instrumentation packages per sprint objectives. + +## Definition of Done +- All library changes ship unit + integration tests. +- Determinism mode runs (`dotnet test -c Deterministic`) pass locally and in CI. +- Updated changelog fragments stored under `/docs/observability/` as referenced by tasks. + +## Required Reading +- `docs/modules/telemetry/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/TimelineIndexer/StellaOps.TimelineIndexer/AGENTS.md b/src/TimelineIndexer/StellaOps.TimelineIndexer/AGENTS.md index 4622d909..13553042 100644 --- a/src/TimelineIndexer/StellaOps.TimelineIndexer/AGENTS.md +++ b/src/TimelineIndexer/StellaOps.TimelineIndexer/AGENTS.md 
@@ -1,28 +1,39 @@ -# Tenant Timeline Indexer — Agent Charter - -## Mission -Build the tenant-scoped timeline ingestion and query service described in Epic 15. Consume structured timeline events from all services, maintain queryable indices, and expose APIs to Console and CLI without violating imposed rule guarantees. - -## Responsibilities -- Define Postgres schema, RLS policies, and ingestion pipelines for `timeline_events`. -- Provide event consumers for NATS/Redis queues with dedupe + ordering logic. -- Serve REST/gRPC APIs powering Console Forensics Explorer and CLI `stella obs trace`/`timeline` flows. -- Emit metrics/traces/logs for ingestion health and query performance. - -## Collaboration -- Coordinate with Telemetry Core for event schema definitions. -- Work with Evidence Locker to link events to evidence bundle digests. -- Align with Authority on new `timeline:read` scopes and tenant enforcement. - -## Definition of Done -- Service ships with deterministic migrations + repeatable seeds. -- Integration tests replay recorded event fixtures to stable results. -- Docs updated under `/docs/forensics/timeline.md` per release. - -## Module Layout -- `StellaOps.TimelineIndexer.Core/` — event models, ordering/dedupe logic, query contracts. -- `StellaOps.TimelineIndexer.Infrastructure/` — Postgres/NATS clients, persistence abstractions. -- `StellaOps.TimelineIndexer.WebService/` — query/lookup APIs and authentication glue. -- `StellaOps.TimelineIndexer.Worker/` — ingestion consumers and background compaction jobs. -- `StellaOps.TimelineIndexer.Tests/` — unit tests focused on ordering/dedupe/query correctness. -- `StellaOps.TimelineIndexer.sln` — solution aggregating module projects. +# Tenant Timeline Indexer — Agent Charter + +## Mission +Build the tenant-scoped timeline ingestion and query service described in Epic 15. 
Consume structured timeline events from all services, maintain queryable indices, and expose APIs to Console and CLI without violating imposed rule guarantees. + +## Responsibilities +- Define Postgres schema, RLS policies, and ingestion pipelines for `timeline_events`. +- Provide event consumers for NATS/Redis queues with dedupe + ordering logic. +- Serve REST/gRPC APIs powering Console Forensics Explorer and CLI `stella obs trace`/`timeline` flows. +- Emit metrics/traces/logs for ingestion health and query performance. + +## Collaboration +- Coordinate with Telemetry Core for event schema definitions. +- Work with Evidence Locker to link events to evidence bundle digests. +- Align with Authority on new `timeline:read` scopes and tenant enforcement. + +## Definition of Done +- Service ships with deterministic migrations + repeatable seeds. +- Integration tests replay recorded event fixtures to stable results. +- Docs updated under `docs/forensics/timeline.md` per release. + +## Module Layout +- `StellaOps.TimelineIndexer.Core/` — event models, ordering/dedupe logic, query contracts. +- `StellaOps.TimelineIndexer.Infrastructure/` — Postgres/NATS clients, persistence abstractions. +- `StellaOps.TimelineIndexer.WebService/` — query/lookup APIs and authentication glue. +- `StellaOps.TimelineIndexer.Worker/` — ingestion consumers and background compaction jobs. +- `StellaOps.TimelineIndexer.Tests/` — unit tests focused on ordering/dedupe/query correctness. +- `StellaOps.TimelineIndexer.sln` — solution aggregating module projects. + +## Required Reading +- `docs/modules/telemetry/architecture.md` +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. 
Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/UI/StellaOps.UI/AGENTS.md b/src/UI/StellaOps.UI/AGENTS.md new file mode 100644 index 00000000..745c0470 --- /dev/null +++ b/src/UI/StellaOps.UI/AGENTS.md 
@@ -0,0 +1,28 @@ +# UI Guild Charter + +## Mission +Deliver a performant, accessible Angular console that surfaces Scanner/Policy/Zastava data, supports admin workflows, and remains offline-friendly. UI work must align with backend contracts, uphold design system standards, and maintain determinism for screenshots/tests. + +## Scope +- Angular workspace under `StellaOps.UI` (core modules, feature routes, shared components). +- Integration with generated SDKs and Surface libraries (env configuration, auth tokens). +- Cypress/Playwright automation, accessibility and performance tooling. +- Theme assets, localisation scaffolding, and offline bundle preparation. + +## Required Reading +- `docs/modules/ui/README.md` +- `docs/modules/ui/architecture.md` +- `docs/modules/ui/implementation_plan.md` +- `docs/modules/platform/architecture-overview.md` +- `docs/15_UI_GUIDE.md` +- `docs/18_CODING_STANDARDS.md` +- Component-specific design docs referenced in `src/UI/StellaOps.UI/TASKS.md` (e.g., Link-Not-Merge, AOC dashboards) + +## Working Agreement +1. **State management**: update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and `src/UI/StellaOps.UI/TASKS.md` before starting/after finishing work. +2. **Contract-first changes**: coordinate with API owners when modifying contracts; regenerate SDKs; update mocks and unit/e2e tests. +3. **Accessibility**: adhere to WCAG 2.1 AA—run axe tests, ensure keyboard navigation, contrast, and localisation readiness. +4. **Determinism**: stabilise timestamps/randomness in UI outputs so screenshots/tests remain reproducible; rely on fixture data. +5. **Offline posture**: avoid CDN dependencies; ensure assets are hashed and referenced via environment configuration for Offline Kit. +6. **Documentation**: update UI guides, screenshots, and help text when UX flows change; collaborate with Docs Guild for release notes. +7. 
**Security**: enforce Authority scopes, handle token storage per architecture doc (DPoP, refresh); ensure no secrets in bundle. diff --git a/src/VexLens/StellaOps.VexLens/AGENTS.md b/src/VexLens/StellaOps.VexLens/AGENTS.md index 02097b37..b4809379 100644 --- a/src/VexLens/StellaOps.VexLens/AGENTS.md +++ b/src/VexLens/StellaOps.VexLens/AGENTS.md @@ -29,3 +29,13 @@ Deliver the VEX Consensus Lens service that normalizes VEX evidence, computes de - Normalization & consensus pipelines deterministic, tested, and instrumented. - APIs documented (OpenAPI) with budget enforcement, telemetry, and replay harnesses. - Docs updated with compliance checklist; offline kit includes configuration seeds. + +## Required Reading +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/VulnExplorer/StellaOps.VulnExplorer.Api/AGENTS.md b/src/VulnExplorer/StellaOps.VulnExplorer.Api/AGENTS.md index eefb8759..3e9546ca 100644 --- a/src/VulnExplorer/StellaOps.VulnExplorer.Api/AGENTS.md +++ b/src/VulnExplorer/StellaOps.VulnExplorer.Api/AGENTS.md 
@@ -29,3 +29,13 @@ Expose policy-aware vulnerability listing, detail, simulation, workflow, and exp - Endpoints documented (OpenAPI), tested (unit/integration/perf), and budget-enforced. - Telemetry/alerts configured; CI covers determinism. - Evidence bundle signing verified; docs updated with compliance checklist. + +## Required Reading +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Web/StellaOps.Web/AGENTS.md b/src/Web/StellaOps.Web/AGENTS.md index 7d14038b..e35427dd 100644 --- a/src/Web/StellaOps.Web/AGENTS.md +++ b/src/Web/StellaOps.Web/AGENTS.md 
@@ -22,3 +22,13 @@ Design and build the StellaOps web user experience that surfaces backend capabil - Sync with DevEx for project scaffolding and build pipelines. - Partner with Docs Guild to translate UX decisions into operator guides. - Collaborate with Security Guild to validate authentication flows and session handling. + +## Required Reading +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/Zastava/StellaOps.Zastava.Observer/AGENTS.md b/src/Zastava/StellaOps.Zastava.Observer/AGENTS.md new file mode 100644 index 00000000..c7c25121 --- /dev/null +++ b/src/Zastava/StellaOps.Zastava.Observer/AGENTS.md 
@@ -0,0 +1,29 @@ +# Zastava Observer Guild Charter + +## Mission +Implement the node-level observer that monitors running workloads, detects drift, enforces posture policies, and emits runtime evidence. The service must integrate with Surface libraries, operate in offline/air-gapped environments, and respect tenancy/security constraints. + +## Scope +- Observer DaemonSet host under `StellaOps.Zastava.Observer` (process inventory, drift detection, event emission). +- Integration with Scanner Surface.FS/Env/Secrets/Validation. +- Runtime event pipelines feeding Scanner, Policy, Scheduler, and Notify. +- Telemetry/logging ensuring observability and audit trails. + +## Required Reading +- `docs/modules/zastava/architecture.md` +- `docs/modules/scanner/design/surface-fs.md` +- `docs/modules/scanner/design/surface-env.md` +- `docs/modules/scanner/design/surface-secrets.md` +- `docs/modules/scanner/design/surface-validation.md` +- `docs/modules/scanner/architecture.md` (runtime posture sections) +- `docs/modules/airgap/airgap-mode.md` +- Any runtime-specific design notes referenced in `TASKS.md`. + +## Working Agreement +1. **Status updates**: mark tasks `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and local `TASKS.md` when starting/finishing work. +2. **Surface compliance**: rely on Surface libraries for cache/env/secret handling; run validators before collecting evidence. +3. **Deterministic evidence**: normalise timestamps, hashes, and paths; ensure outputs remain stable for replay/audit. +4. **Security**: enforce Authority scopes (OpToks, mTLS/DPoP), redaction of sensitive fields, and namespace isolation. +5. **Offline readiness**: avoid external network calls; provide clear errors for missing bundles/secrets. +6. **Testing**: maintain unit/integration/e2e tests for drift detection, event emission, and failure scenarios; support offline test runs. +7. 
**Documentation**: update Zastava operations docs when behaviour changes; coordinate with DevOps on deployment manifests. diff --git a/src/Zastava/StellaOps.Zastava.Observer/TASKS.md b/src/Zastava/StellaOps.Zastava.Observer/TASKS.md index b3b5efb8..6fb63133 100644 --- a/src/Zastava/StellaOps.Zastava.Observer/TASKS.md +++ b/src/Zastava/StellaOps.Zastava.Observer/TASKS.md @@ -2,5 +2,8 @@ | ID | Status | Owner(s) | Depends on | Description | Exit Criteria | |----|--------|----------|------------|-------------|---------------| +| ZASTAVA-SURFACE-01 | TODO | Zastava Observer Guild | SURFACE-FS-02 | Integrate Surface.FS client for runtime drift detection (lookup cached layer hashes/entry traces). | Observer validates runtime vs cache; integration tests cover drift + cache-miss cases. | +| ZASTAVA-ENV-01 | TODO | Zastava Observer Guild | SURFACE-ENV-02 | Adopt Surface.Env helpers for cache endpoints, secret refs, and feature toggles. | Observer configuration centralised; misconfiguration warnings logged; docs updated. | +| ZASTAVA-SECRETS-01 | TODO | Zastava Observer Guild, Security Guild | SURFACE-SECRETS-02 | Retrieve CAS/attestation access via Surface.Secrets instead of inline secret stores. | Secrets resolved through shared provider; rotation/resilience tests pass. | > 2025-10-24: Observer unit tests pending; `dotnet restore` requires offline copies of `Google.Protobuf`, `Grpc.Net.Client`, `Grpc.Tools` in `local-nuget` before execution can be verified. diff --git a/src/Zastava/StellaOps.Zastava.Webhook/AGENTS.md b/src/Zastava/StellaOps.Zastava.Webhook/AGENTS.md new file mode 100644 index 00000000..27804c0d --- /dev/null +++ b/src/Zastava/StellaOps.Zastava.Webhook/AGENTS.md 
@@ -0,0 +1,30 @@ +# Zastava Webhook Guild Charter + +## Mission +Operate the Kubernetes admission webhook enforcing image/SBOM/attestation policies using data from Scanner, Policy Engine, and Surface caches. The webhook must provide deterministic verdicts, integrate with Surface libraries, and remain offline/air-gap compatible. + +## Scope +- Admission controller code under `StellaOps.Zastava.Webhook`. +- Request validation, response generation, and audit logging. +- Integration with Surface.FS/Env/Secrets/Validation and Authority scopes. +- Helm/Compose configuration samples and compatibility with sealed environments. + +## Required Reading +- `docs/modules/zastava/architecture.md` +- `docs/modules/scanner/design/surface-fs.md` +- `docs/modules/scanner/design/surface-env.md` +- `docs/modules/scanner/design/surface-secrets.md` +- `docs/modules/scanner/design/surface-validation.md` +- `docs/modules/scanner/architecture.md` (runtime posture/admission sections) +- `docs/modules/policy/architecture.md` +- `docs/modules/airgap/airgap-mode.md` +- `docs/modules/devops/runbooks/zastava-deployment.md` + +## Working Agreement +1. **Task state**: update `docs/implplan/SPRINTS.md` and local `TASKS.md` to `DOING`/`DONE` as you start or complete work. +2. **Surface usage**: fetch cache manifests via Surface.FS, configuration via Surface.Env, secrets via Surface.Secrets; run validators before enforcing policies. +3. **Deterministic verdicts**: avoid non-deterministic data in admission responses; include explain traces referencing evidence IDs. +4. **Security**: enforce mTLS, Authority OpTok scopes, and tenant context; audit all allow/deny decisions. +5. **Offline posture**: operate without external egress; surface actionable errors when cache/attestation data is missing. +6. **Testing**: maintain unit/e2e tests (Kubernetes admission harness) covering pass/fail paths, error handling, and performance budgets. +7. 
**Documentation**: update deployment guides, operator runbooks, and onboarding docs when webhook behaviour or configuration changes. diff --git a/src/Zastava/StellaOps.Zastava.Webhook/TASKS.md b/src/Zastava/StellaOps.Zastava.Webhook/TASKS.md index 116d89a6..6dc2eb1a 100644 --- a/src/Zastava/StellaOps.Zastava.Webhook/TASKS.md +++ b/src/Zastava/StellaOps.Zastava.Webhook/TASKS.md @@ -2,5 +2,8 @@ | ID | Status | Owner(s) | Depends on | Description | Exit Criteria | |----|--------|----------|------------|-------------|---------------| +| ZASTAVA-SURFACE-02 | TODO | Zastava Webhook Guild | SURFACE-FS-02, ZASTAVA-SURFACE-01 | Enforce Surface.FS availability during admission (deny when cache missing/stale) and embed pointer checks in webhook response. | Admission tests cover cache present/missing paths; policy docs updated; metrics emitted. | +| ZASTAVA-ENV-02 | TODO | Zastava Webhook Guild | SURFACE-ENV-02 | Switch to Surface.Env helpers for webhook configuration (cache endpoint, secret refs, feature toggles). | Webhook uses helper; helm/compose manifests updated; integration tests cover env overrides. | +| ZASTAVA-SECRETS-02 | TODO | Zastava Webhook Guild, Security Guild | SURFACE-SECRETS-02 | Retrieve attestation verification secrets via Surface.Secrets. | Shared secret provider integrated; rotation/e2e tests pass; secrets no longer read directly from env. | > Status update · 2025-10-19: Confirmed no prerequisites for ZASTAVA-WEBHOOK-12-101/102/103; tasks moved to DOING for kickoff. Implementation plan covering TLS bootstrap, backend contract, caching/metrics recorded in `IMPLEMENTATION_PLAN.md`. diff --git a/src/Zastava/__Libraries/StellaOps.Zastava.Core/AGENTS.md b/src/Zastava/__Libraries/StellaOps.Zastava.Core/AGENTS.md new file mode 100644 index 00000000..1c8a77e7 --- /dev/null +++ b/src/Zastava/__Libraries/StellaOps.Zastava.Core/AGENTS.md 
@@ -0,0 +1,28 @@ +# Zastava Core Guild Charter + +## Mission +Maintain shared domain models, policy evaluation helpers, and event contracts used by Zastava Observer, Webhook, CLI, and downstream services. Core components must remain deterministic, tenant-aware, and compatible with offline deployments. + +## Scope +- Shared models and services under `StellaOps.Zastava.Core` (events, posture verdicts, configuration primitives). +- Serialization utilities, validation logic, and integration contracts for runtime posture data. +- Backward-compatible evolution of event schemas and public APIs. +- Supporting tests and fixtures consumed by Observer/Webhook/CLI. + +## Required Reading +- `docs/modules/zastava/architecture.md` +- `docs/modules/scanner/architecture.md` +- `docs/modules/scanner/design/surface-fs.md` +- `docs/modules/scanner/design/surface-env.md` +- `docs/modules/scanner/design/surface-secrets.md` +- `docs/modules/scanner/design/surface-validation.md` +- `docs/modules/policy/architecture.md` +- `docs/modules/devops/runbooks/zastava-deployment.md` + +## Working Agreement +1. **Status alignment**: mark tasks `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and local `TASKS.md` at start/finish. +2. **Compatibility**: version event schemas/models; provide migration notes and ensure Observer/Webhook consumers stay in lock-step. +3. **Determinism**: avoid wall-clock or random values in shared models; normalise timestamps; maintain canonical ordering. +4. **Security & tenancy**: include tenant identifiers and audit fields where required; document contract changes for other guilds. +5. **Testing**: keep unit/integration tests covering schema contracts, serialization, and validation; coordinate with downstream components when fixtures change. +6. **Documentation**: update Zastava architecture docs or add design notes when shared contracts evolve; notify Docs/DevOps for release notes and deployment guidance. 
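Review bot: In `src/Zastava/__Libraries/StellaOps.Zastava.Core/AGENTS.md` the Mission requires the library to stay `compatible with offline deployments`, but the Working Agreement has no offline item, unlike the Observer and Webhook charters in this patch (their item 5); add one, because shared serialization and validation code is exactly where an accidental network dependency (a remote schema fetch, an online validator) would land and then break every consumer in a sealed environment. Item 3's `normalise timestamps` should also say to which form (UTC, fixed precision), since Observer and Webhook both depend on this library for the canonical ordering it promises and will otherwise normalise differently.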
diff --git a/src/__Libraries/StellaOps.Cryptography.Kms/AGENTS.md b/src/__Libraries/StellaOps.Cryptography.Kms/AGENTS.md index daa8fa83..83a7e34f 100644 --- a/src/__Libraries/StellaOps.Cryptography.Kms/AGENTS.md +++ b/src/__Libraries/StellaOps.Cryptography.Kms/AGENTS.md 
@@ -1,14 +1,24 @@ -# KMS & Key Management Guild Charter - -## Mission -Provide key management abstractions and drivers (file, cloud KMS, HSM, FIDO2) for signing and verification workflows. - -## Scope -- Key store interfaces, secure configuration loading, and audit logging. -- Drivers for file-based development keys, cloud KMS providers, PKCS#11 HSMs, and FIDO2 devices. -- Key rotation, revocation, and attestation for keys used in signing. - -## Definition of Done -- KMS API supports signing, verification, key metadata, rotation, and revocation. -- Drivers pass integration tests and security review. -- CLI/Console can manage keys using these abstractions. +# KMS & Key Management Guild Charter + +## Mission +Provide key management abstractions and drivers (file, cloud KMS, HSM, FIDO2) for signing and verification workflows. + +## Scope +- Key store interfaces, secure configuration loading, and audit logging. +- Drivers for file-based development keys, cloud KMS providers, PKCS#11 HSMs, and FIDO2 devices. +- Key rotation, revocation, and attestation for keys used in signing. + +## Definition of Done +- KMS API supports signing, verification, key metadata, rotation, and revocation. +- Drivers pass integration tests and security review. +- CLI/Console can manage keys using these abstractions. + +## Required Reading +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. 
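Review bot: In `src/__Libraries/StellaOps.Cryptography.Kms/AGENTS.md` the Scope covers PKCS#11 HSMs, FIDO2 devices, rotation and revocation, and the Definition of Done demands a security review, yet the appended Required Reading lists only `docs/modules/platform/architecture-overview.md`; link the threat model the Cryptography charter is obliged to maintain, `docs/security/authority-threat-model.md`, and the signer architecture doc that the Signer charter cites. Working Agreement item 3 (`stable ordering, timestamps, hashes`) also needs scoping for a key-management library: key identifiers, metadata and audit-log ordering should be deterministic, but signature bytes from HSM or FIDO2 backends generally are not (ECDSA is randomised unless the backend derives nonces deterministically), and the charter should say so rather than imply byte-identical replays. The hunk also removes and re-adds every pre-existing line unchanged, which indicates a line-ending or BOM change; normalise the file so the diff shows only the appended sections.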
diff --git a/src/__Libraries/StellaOps.Cryptography/AGENTS.md b/src/__Libraries/StellaOps.Cryptography/AGENTS.md index ae2fe4e8..0fddd851 100644 --- a/src/__Libraries/StellaOps.Cryptography/AGENTS.md +++ b/src/__Libraries/StellaOps.Cryptography/AGENTS.md @@ -20,3 +20,13 @@ Team 8 owns the end-to-end security posture for StellaOps Authority and its cons - Maintain `docs/security/authority-threat-model.md` and ensure mitigations are tracked. - All crypto consumption flows through `StellaOps.Cryptography` abstractions to enable sovereign crypto providers. - Every new cryptographic algorithm, dependency, or acceleration path ships as an `ICryptoProvider` plug-in under `StellaOps.Cryptography.*`; feature code must never bind directly to third-party crypto libraries. + +## Required Reading +- `docs/modules/platform/architecture-overview.md` + +## Working Agreement +- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work. +- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met. +- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations. +- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change. +- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context. diff --git a/src/__Libraries/StellaOps.Plugin/AGENTS.md b/src/__Libraries/StellaOps.Plugin/AGENTS.md new file mode 100644 index 00000000..b957f62d --- /dev/null +++ b/src/__Libraries/StellaOps.Plugin/AGENTS.md 
@@ -0,0 +1,25 @@ +# Plugin Platform Guild Charter + +## Mission +Maintain the shared plugin infrastructure used across StellaOps services (Scanner analyzers, Notifier channels, Surface extensions). The library must provide deterministic discovery, dependency injection helpers, and security safeguards for restart-time plug-ins. + +## Scope +- Core abstractions and DI helpers under `StellaOps.Plugin`. +- Plugin manifest format, loading order, capability flags, and validation. +- Sample host integrations and test harnesses verifying plugin lifecycle. +- Documentation guiding guilds on authoring and packaging plug-ins. + +## Required Reading +- `docs/modules/platform/architecture-overview.md` +- `docs/dev/plugins/README.md` +- `docs/modules/scanner/architecture.md` +- `docs/modules/notify/architecture.md` +- `docs/modules/excititor/architecture.md` + +## Working Agreement +1. **Status sync**: update task state to `DOING`/`DONE` in `docs/implplan/SPRINTS.md` and local `TASKS.md` whenever work begins/ends. +2. **Deterministic loading**: maintain ordered, reproducible plugin discovery; enforce hash verification/whitelists as documented. +3. **Security**: validate manifests, restrict assembly loading paths, and expose capability checks to hosts; document hardening guidance. +4. **Compatibility**: version public APIs carefully; provide migration guides when breaking changes occur. +5. **Testing**: cover unit/integration scenarios (manifest parsing, dependency injection, failure paths); ensure cross-platform compatibility. +6. **Documentation**: keep plugin developer guides current; update sample manifests when configuration changes; coordinate with host guilds for rollout plans.
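Review bot: In the `StellaOps.Cryptography.Kms/AGENTS.md` hunk (`@@ -1,14 +1,24 @@`), every one of the 14 original lines is removed and re-added with identical text, so the real change (the new `## Required Reading` and `## Working Agreement` sections) is buried in a whole-file rewrite; that pattern usually means a line-ending or trailing-whitespace change, so please confirm with `git diff -w` / `--ignore-cr-at-eol` and, if so, fix the ending once (`.gitattributes` or the editor setting) rather than churning the file. Also, the Working Agreement items are written as `- 1. ...` (a bullet wrapping a numbered item), which renders as a bulleted list with literal "1." prefixes; the new Plugin charter in the same patch uses plain `1.` numbering, so one of the two should be aligned.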
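Review bot: In the `StellaOps.Cryptography/AGENTS.md` hunk (`@@ -20,3 +20,13 @@`), the new `## Required Reading` lists only `docs/modules/platform/architecture-overview.md`, yet the unchanged context line immediately above states this team must "Maintain `docs/security/authority-threat-model.md` and ensure mitigations are tracked"; the threat model is the document a contributor to this library most needs before coding, so add it to Required Reading, for example `- docs/security/authority-threat-model.md`. The same `- 1.` bullet-plus-number list style appears here as in the KMS hunk and should match whichever convention the other charters settle on.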
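Review bot: In the new `StellaOps.Plugin/AGENTS.md` (`@@ -0,0 +1,25 @@`), Working Agreement item 2 requires "enforce hash verification/whitelists as documented" and item 3 "restrict assembly loading paths", but none of the five Required Reading entries is identified as the document that defines the hash/allowlist policy or the permitted loading paths, so the rule cannot be checked in review; name the governing document explicitly (the charter already lists `docs/dev/plugins/README.md`, so if that is where the policy lives, say so in item 2, and if it is not yet written, list it as a task rather than "as documented"). Likewise, the Scope line "Plugin manifest format, loading order, capability flags, and validation" would benefit from stating where the manifest schema is versioned, since item 4 promises careful API versioning and migration guides for breaking changes.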
