stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions Releases Wiki Activity

feat: Add guild charters and task boards for various components
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details

Browse Source 
- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform.
- Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds.
- Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies.
- Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.
This commit is contained in:
master
2025-11-01 02:21:46 +02:00
parent e5629454cf
commit 66cb6c4b8a
227 changed files with 9913 additions and 6210 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
docs/AGENTS.md
View File

@@ -1,20 +1,34 @@
# Docs & Enablement Guild
## Mission
Produce and maintain offline-friendly documentation for StellaOps modules, covering architecture, configuration, operator workflows, and developer onboarding.
## Scope Highlights
- Authority docs (`docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md`, upcoming `docs/11_AUTHORITY.md`).
- Concelier quickstarts, CLI guides, Offline Kit manuals.
- Release notes and migration playbooks.
## Operating Principles
- Keep guides deterministic and in sync with shipped configuration samples.
- Prefer tables/checklists for operator steps; flag security-sensitive actions.
- When work involves a specific `StellaOps.<Component>` project, consult both `docs/07_HIGH_LEVEL_ARCHITECTURE.md` and the matching dossier `docs/modules/<component>/architecture.md` before drafting or editing content.
- Update `docs/TASKS.md` whenever work items change status (TODO/DOING/REVIEW/DONE/BLOCKED).
## Coordination
- Authority Core & Plugin teams for auth-related changes.
- Security Guild for threat-model outputs and mitigations.
- DevEx for tooling diagrams and documentation pipeline.
# Docs & Enablement Guild
## Mission
Produce and maintain offline-friendly documentation for StellaOps modules, covering architecture, configuration, operator workflows, and developer onboarding.
## Scope Highlights
- Authority docs (`docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md`, upcoming `docs/11_AUTHORITY.md`).
- Concelier quickstarts, CLI guides, Offline Kit manuals.
- Release notes and migration playbooks.
## Operating Principles
- Keep guides deterministic and in sync with shipped configuration samples.
- Prefer tables/checklists for operator steps; flag security-sensitive actions.
- When work involves a specific `StellaOps.<Component>` project, consult both `docs/07_HIGH_LEVEL_ARCHITECTURE.md` and the matching dossier `docs/modules/<component>/architecture.md` before drafting or editing content.
- Update `docs/TASKS.md` whenever work items change status (TODO/DOING/REVIEW/DONE/BLOCKED).
## Coordination
- Authority Core & Plugin teams for auth-related changes.
- Security Guild for threat-model outputs and mitigations.
- DevEx for tooling diagrams and documentation pipeline.
## Required Reading
- `docs/README.md`
- `docs/07_HIGH_LEVEL_ARCHITECTURE.md`
- `docs/modules/platform/architecture-overview.md`
- `docs/dev/31_AUTHORITY_PLUGIN_DEVELOPER_GUIDE.md`
- Module-specific README and architecture dossiers for the area you are updating (for example, `docs/modules/concelier/README.md` and `docs/modules/concelier/architecture.md`)
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

1
docs/TASKS.md
View File

@@ -18,6 +18,7 @@
| DOCS-CLI-OBS-52-001 | TODO | Docs Guild, DevEx/CLI Guild | CLI-OBS-52-001 | Create `/docs/modules/cli/guides/observability.md` detailing `stella obs` commands, examples, exit codes, imposed rule banner, and scripting tips. | Doc merged; examples tested; banner included; CLI parity matrix updated. |
| DOCS-CLI-FORENSICS-53-001 | TODO | Docs Guild, DevEx/CLI Guild | CLI-FORENSICS-54-001 | Publish `/docs/modules/cli/guides/forensics.md` for snapshot/verify/attest commands with sample outputs, imposed rule banner, and offline workflows. | Doc merged; sample bundles verified; banner present; offline notes cross-linked. |
| DOCS-RUNBOOK-55-001 | TODO | Docs Guild, Ops Guild | DEVOPS-OBS-55-001, WEB-OBS-55-001 | Author `/docs/runbooks/incidents.md` describing incident mode activation, escalation steps, retention impact, verification checklist, and imposed rule banner. | Doc merged; runbook rehearsed; banner included; linked from alerts. |
| DOCS-SURFACE-01 | TODO | Docs Guild, Scanner Guild, Zastava Guild | SURFACE-FS-01, SURFACE-ENV-01, SURFACE-SECRETS-01 | Create `/docs/modules/scanner/scanner-engine.md` covering Surface.FS/Env/Secrets workflow between Scanner, Zastava, Scheduler, and Ops. | Guide merged; linked from scanner/zastava architecture dossiers and component map; diagrams committed. |
## Air-Gapped Mode (Epic 16)
| ID | Status | Owner(s) | Depends on | Description | Exit Criteria |

68
docs/airgap/staleness-and-time.md Normal file
View File

@@ -0,0 +1,68 @@
# Air-Gapped Time Anchors & Staleness Budgets
> **Audience:** AirGap Time/Controller/Policy guilds, DevOps
>
> **Purpose:** Document how air-gapped installations maintain trusted time anchors, compute staleness windows, and expose drift telemetry.
## 1. Overview
Air-gapped clusters cannot contact external NTP servers. StellaOps distributes signed time anchor tokens alongside mirror bundles so services can reason about freshness and seal state without external clocks.
Key goals:
- Provide deterministic time anchors signed by the mirror authority.
- Track drift and staleness budgets for scanner reports, advisories, and runtime evidence.
- Surface warnings to operators (UI/CLI/Notifier) before anchors expire.
## 2. Components
| Component | Responsibility |
|-----------|----------------|
| AirGap Controller | Stores the active `time_anchor` token and enforces sealed/unsealed transitions. |
| AirGap Time service | Parses anchor bundles, validates signatures, records monotonic offsets, and exposes drift metrics. |
| Scheduler & Policy Engine | Query the time service to gate scheduled runs and evidence evaluation. |
| UI / Notifier | Display remaining budget and raise alerts when thresholds are crossed. |
## 3. Time Anchor Tokens
- Distributed as part of mirror/offline bundles (`airgap/time-anchor.json`).
- Signed with mirror key; includes issuance time, validity window, and monotonic counter.
- Validation steps:
1. Verify detached signature.
2. Compare bundle counter to previously applied anchors.
3. Persist anchor with checksum for audit.
## 4. Staleness Budgets
Each tenant/configuration defines budgets:
- **Advisory freshness** maximum age of advisory/VEX data before rescans are required.
- **Scanner evidence** acceptable drift between last scan and current anchor.
- **Runtime posture** tolerated drift before Notifier raises incidents.
AirGap Time calculates drift = `now(monotonic) - anchor.issued_at` and exposes:
- `/api/v1/time/status` current anchor metadata, drift, remaining budget.
- `/api/v1/time/metrics` Prometheus counters (`airgap_anchor_drift_seconds`, `airgap_anchor_expiry_seconds`).
## 5. Operator Workflow
1. Import new mirror bundle (includes time anchor).
2. AirGap Time validates and stores the anchor; Controller records audit entry.
3. Services subscribe to change events and recompute drift.
4. UI displays badge (green/amber/red) based on thresholds.
5. Notifier sends alerts when drift exceeds warning or expiry limits.
## 6. Implementation Notes
- Use `IAirGapTimeStore` for persistence; default implementation relies on Mongo with tenant partitioning.
- Ensure deterministic JSON serialization (UTC ISO-8601 timestamps, sorted keys).
- Test vectors located under `src/AirGap/StellaOps.AirGap.Time/fixtures/`.
- For offline testing, simulate monotonic clock via `ITestClock` to avoid system clock drift in CI.
## 7. References
- `docs/airgap/airgap-mode.md`
- `src/AirGap/StellaOps.AirGap.Time`
- `src/AirGap/StellaOps.AirGap.Controller`
- `src/AirGap/StellaOps.AirGap.Policy`

37
docs/contributing/api-contracts.md Normal file
View File

@@ -0,0 +1,37 @@
# API Contract Contribution Guide
This guide explains how to propose, review, and publish API contract changes across StellaOps services. Follow these steps whenever you modify an OpenAPI specification or an externally supported endpoint.
## 1. Background
- Public APIs are defined in `src/Api/StellaOps.Api.OpenApi` (aggregate spec) and per-service OpenAPI documents.
- Compatibility checks run in CI via the API Governance tooling (`StellaOps.Api.Governance`).
- Docs & SDK guilds consume the generated specs to publish references and SDK packages.
## 2. Workflow
1. **Design review** capture the proposed endpoint or schema change in the relevant modules `TASKS.md` and link to any ADR or design doc.
2. **Spec update** modify the service-specific OpenAPI file under `src/Api/StellaOps.Api.OpenApi/<service>/`.
3. **Run governance checks** execute `dotnet test src/Api/StellaOps.Api.Governance.Tests` to validate lint rules, backwards compatibility, and examples.
4. **Regenerate aggregate spec** run `dotnet run --project src/Api/StellaOps.Api.OpenApi` to update `stella.yaml`.
5. **Update docs** adjust the corresponding module dossier (`docs/modules/<component>/architecture.md` or guides) to reflect new/changed endpoints.
6. **Notify SDK/Docs guilds** coordinate SDK regeneration (`src/Sdk/StellaOps.Sdk.Generator`) and release notes.
## 3. Backwards Compatibility Rules
- Avoid breaking changes (removing endpoints/fields, altering semantics). If unavoidable, document deprecation timelines and fallback behaviour.
- Additive changes (new optional fields, new endpoints) require version bump and changelog entry.
- Error responses must remain structured; return `application/problem+json` payloads with stable error codes.
## 4. Tooling
- `dotnet tool run stellaops-api-lint` local lint.
- `dotnet run --project src/Api/StellaOps.Api.OpenApi -- --validate` schema validation.
- `docs/09_API_CLI_REFERENCE.md` update CLI reference when command behaviour shifts.
## 5. References
- `docs/modules/platform/architecture-overview.md`
- `docs/modules/cli/architecture.md`
- `src/Api/StellaOps.Api.Governance`
- `src/Api/StellaOps.Api.OpenApi`

34
docs/dev/plugins/README.md Normal file
View File

@@ -0,0 +1,34 @@
# Plugin Development Guide
StellaOps services expose restart-time plug-in hooks so operators can extend functionality (connectors, analyzers, notification channels). This guide covers common patterns when implementing plug-ins against `StellaOps.Plugin`.
## 1. Concepts
- **Manifest** describes the plug-in assembly, supported capabilities, and minimum host version.
- **Registration** plug-ins export DI registration classes discovered by `StellaOps.Plugin` at host startup.
- **Isolation** plug-ins load from a dedicated directory with ordered manifests; hosts enforce allow-lists and capability checks.
## 2. Authoring Steps
1. Reference `StellaOps.Plugin` and implement `IPluginRegistration`.
2. Provide a manifest (`manifest.json`) describing assembly name, version, and capabilities.
3. Add unit tests covering registration and integration (use `StellaOps.Plugin.Tests` helpers).
4. Package plug-in binaries under `plugins/<host>/` with checksum manifest for offline kits.
## 3. Security & Determinism
- Avoid global state or non-deterministic behaviour; plug-ins must be restart-safe.
- Do not perform network access unless explicitly allowed by host configuration.
- Use dependency injection to receive configuration and shared services.
## 4. Resources
- `src/__Libraries/StellaOps.Plugin`
- `docs/modules/platform/architecture-overview.md`
- Host-specific docs (e.g., `docs/modules/scanner/architecture.md`, `docs/modules/notify/architecture.md`)
## 5. Testing & Deployment
- Run host integration tests to ensure plug-in loads correctly.
- Provide sample configuration snippets for Helm/Compose/Offline kits.
- Document plug-in versioning and compatibility requirements.

41
docs/forensics/provenance-attestation.md Normal file
View File

@@ -0,0 +1,41 @@
# Provenance & Attestation Reference
This guide explains how StellaOps generates, signs, verifies, and distributes DSSE attestations for SBOMs, policy evaluations, and runtime evidence.
## 1. Attestation Workflow
1. **Scanner** produces signed payload requests (SBOM, report metadata).
2. **Signer** authenticates the caller, verifies release integrity, and issues DSSE bundles (keyless or KMS-backed).
3. **Attestor** submits bundles to Rekor v2, caches inclusion proofs, and serves verification packages.
4. **Consumers** (Export Center, Evidence Locker, CLI, Policy Engine) fetch bundles for verification.
## 2. DSSE Payload Types
- `StellaOps.BuildProvenance@1`
- `StellaOps.SBOMAttestation@1`
- `StellaOps.ScanResults@1`
- `StellaOps.PolicyEvaluation@1`
- `StellaOps.VEXAttestation@1`
- `StellaOps.RiskProfileEvidence@1`
Schemas live under `src/Attestor/StellaOps.Attestor.Types` and are documented in module architecture guides.
## 3. Verification
- CLI command `stella attest verify` requests proofs from Attestor.
- Services embed Rekor UUID/index and DSSE digests in their APIs for downstream verification.
- Verification pipeline checks signature trust roots, Rekor inclusion proofs, and transparency witness endorsements when enabled.
## 4. Offline/air-gap considerations
- Export Center bundles incorporate attestations and proofs for offline verification.
- Evidence Locker stores immutable attestation bundles with retention policies.
## 5. References
- `docs/modules/signer/architecture.md`
- `docs/modules/attestor/architecture.md`
- `docs/modules/export-center/architecture.md`
- `docs/modules/policy/architecture.md`
- `docs/modules/telemetry/architecture.md`
- `src/Provenance/StellaOps.Provenance.Attestation`

41
docs/forensics/timeline.md Normal file
View File

@@ -0,0 +1,41 @@
# Timeline Forensics Guide
The Timeline Indexer service aggregates structured events (scanner runs, policy verdicts, runtime posture, evidence locker activity) so operators can audit changes over time. This guide summarises the event schema, query surfaces, and integration points.
## 1. Event Model
| Field | Description |
|-------|-------------|
| `event_id` | ULID identifying the event. |
| `tenant` | Tenant scope. |
| `timestamp` | UTC ISO-8601 time the event occurred. |
| `category` | Logical grouping (scanner, policy, runtime, evidence). |
| `details` | JSON payload describing the event; contract defined per producer. |
| `trace_id` | Optional distributed trace correlation ID. |
Events are stored append-only with tenant-specific partitions. Producers include Scanner WebService, Policy Engine, Zastava Observer, Evidence Locker, and Notify.
## 2. APIs
- `GET /api/v1/timeline/events` paginated event stream with filters (tenant, category, time window, correlation IDs).
- `GET /api/v1/timeline/events/{id}` fetch single event payload.
- `GET /api/v1/timeline/export` NDJSON export for offline review.
## 3. Query Tips
- Use `category` + `trace_id` to follow a scan-to-policy-to-notification flow.
- Combine `tenant` and `timestamp` filters for SLA audits.
- CLI command `stella timeline list` mirrors the API for automation.
## 4. Integration
- Evidence Locker attaches evidence bundle digests; the console links from timeline to evidence viewer.
- Notifier creates acknowledgement events for incident workflows.
- Offline kits package timeline exports for compliance reviews.
## 5. References
- `docs/modules/telemetry/architecture.md`
- `docs/modules/zastava/architecture.md`
- `docs/modules/export-center/architecture.md`
- `src/TimelineIndexer/StellaOps.TimelineIndexer`

1831
docs/implplan/EXECPLAN.md
View File

File diff suppressed because it is too large Load Diff

1110
docs/implplan/SPRINTS.md
View File

File diff suppressed because it is too large Load Diff

1099
docs/implplan/SPRINTS_PRIOR_20251031.md Normal file
View File

File diff suppressed because it is too large Load Diff

99
docs/implplan/SPRINT_100_identity_signing.md Normal file
View File

@@ -0,0 +1,99 @@
# Sprint 100 - Identity & Signing
[Identity & Signing] 100.A) Attestor.I
Summary: Identity & Signing focus on Attestor (phase I).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
ATTEST-ENVELOPE-72-001 | TODO | Implement DSSE canonicalization, JSON normalization, multi-signature structures, and hashing helpers. | Envelope Guild (src/Attestor/StellaOps.Attestor.Envelope/TASKS.md)
ATTEST-ENVELOPE-72-002 | TODO | Support compact and expanded JSON output, payload compression, and detached payload references. | Envelope Guild (src/Attestor/StellaOps.Attestor.Envelope/TASKS.md)
ATTEST-ENVELOPE-73-001 | TODO | Implement Ed25519 & ECDSA signature create/verify helpers, key identification (`keyid`) scheme, and error mapping. | Envelope Guild, KMS Guild (src/Attestor/StellaOps.Attestor.Envelope/TASKS.md)
ATTEST-ENVELOPE-73-002 | TODO | Add fuzz tests for envelope parsing, signature verification, and canonical JSON round-trips. | Envelope Guild (src/Attestor/StellaOps.Attestor.Envelope/TASKS.md)
ATTEST-TYPES-72-001 | TODO | Draft JSON Schemas for BuildProvenance v1, SBOMAttestation v1, VEXAttestation v1, ScanResults v1, PolicyEvaluation v1, RiskProfileEvidence v1, CustomEvidence v1. | Attestation Payloads Guild (src/Attestor/StellaOps.Attestor.Types/TASKS.md)
ATTEST-TYPES-72-002 | TODO | Generate Go/TS models from schemas with validation helpers and canonical JSON serialization. | Attestation Payloads Guild (src/Attestor/StellaOps.Attestor.Types/TASKS.md)
ATTEST-TYPES-73-001 | TODO | Create golden payload samples for each type; integrate into tests and documentation. | Attestation Payloads Guild (src/Attestor/StellaOps.Attestor.Types/TASKS.md)
ATTEST-TYPES-73-002 | TODO | Publish schema reference docs (`/docs/modules/attestor/payloads.md`) with annotated JSON examples. | Attestation Payloads Guild, Docs Guild (src/Attestor/StellaOps.Attestor.Types/TASKS.md)
ATTEST-VERIFY-73-001 | TODO | Implement verification engine: policy evaluation, issuer trust resolution, freshness, signature count, transparency checks; produce structured reports. | Verification Guild, Policy Guild (src/Attestor/StellaOps.Attestor.Verify/TASKS.md)
ATTEST-VERIFY-73-002 | TODO | Add caching layer keyed by `(subject, envelope_id, policy_version)` with TTL and invalidation on new evidence. | Verification Guild (src/Attestor/StellaOps.Attestor.Verify/TASKS.md)
ATTEST-VERIFY-74-001 | TODO | Emit telemetry (spans/metrics) tagged by subject, issuer, policy, result; integrate with dashboards. | Verification Guild, Observability Guild (src/Attestor/StellaOps.Attestor.Verify/TASKS.md)
ATTEST-VERIFY-74-002 | TODO | Document verification report schema and explainability in `/docs/modules/attestor/workflows.md`. | Verification Guild, Docs Guild (src/Attestor/StellaOps.Attestor.Verify/TASKS.md)
ATTESTOR-72-001 | TODO | Scaffold service (REST API skeleton, storage interfaces, KMS integration stubs) and DSSE validation pipeline. | Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md)
ATTESTOR-72-002 | TODO | Implement attestation store (DB tables, object storage integration), CRUD, and indexing strategies. | Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md)
ATTESTOR-73-001 | TODO | Implement signing endpoint with Ed25519/ECDSA support, KMS integration, and audit logging. | Attestor Service Guild, KMS Guild (src/Attestor/StellaOps.Attestor/TASKS.md)
[Identity & Signing] 100.A) Attestor.II
Depends on: Sprint 100.A - Attestor.I
Summary: Identity & Signing focus on Attestor (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
ATTESTOR-73-002 | TODO | Build verification pipeline evaluating DSSE signatures, issuer trust, and verification policies; persist reports. | Attestor Service Guild, Policy Guild (src/Attestor/StellaOps.Attestor/TASKS.md)
ATTESTOR-73-003 | TODO | Implement listing/fetch APIs with filters (subject, type, issuer, scope, date). | Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md)
ATTESTOR-74-001 | TODO | Integrate transparency witness client, inclusion proof verification, and caching. | Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md)
ATTESTOR-74-002 | TODO | Implement bulk verification worker + API with progress tracking, rate limits, and caching. | Attestor Service Guild (src/Attestor/StellaOps.Attestor/TASKS.md)
ATTESTOR-75-001 | TODO | Add export/import flows for attestation bundles and offline verification mode. | Attestor Service Guild, Export Guild (src/Attestor/StellaOps.Attestor/TASKS.md)
ATTESTOR-75-002 | TODO | Harden APIs with rate limits, auth scopes, threat model mitigations, and fuzz testing. | Attestor Service Guild, Security Guild (src/Attestor/StellaOps.Attestor/TASKS.md)
[Identity & Signing] 100.B) Authority.I
Summary: Identity & Signing focus on Authority (phase I).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
AUTH-AIAI-31-001 | TODO | Define Advisory AI scopes (`advisory-ai:view`, `advisory-ai:operate`, `advisory-ai:admin`) and remote inference toggles; update discovery metadata/offline defaults. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-AIAI-31-002 | TODO | Enforce anonymized prompt logging, tenant consent for remote inference, and audit logging of assistant tasks. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-AIRGAP-56-001 | TODO | Provision new scopes (`airgap:seal`, `airgap:import`, `airgap:status:read`) in configuration metadata, offline kit defaults, and issuer templates. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-AIRGAP-56-002 | TODO | Audit import actions with actor, tenant, bundle ID, and trace ID; expose `/authority/audit/airgap` endpoint. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-AIRGAP-57-001 | TODO | Enforce sealed-mode CI gating by refusing token issuance when declared sealed install lacks sealing confirmation. | Authority Core & Security Guild, DevOps Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-NOTIFY-38-001 | TODO | Define `Notify.Viewer`, `Notify.Operator`, `Notify.Admin` scopes/roles, update discovery metadata, offline defaults, and issuer templates. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-NOTIFY-40-001 | TODO | Implement signed ack token key rotation, webhook allowlists, admin-only escalation settings, and audit logging of ack actions. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-OAS-62-001 | TODO | Provide SDK helpers for OAuth2/PAT flows, tenancy override header; add integration tests. | Authority Core & Security Guild, SDK Generator Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-OAS-63-001 | TODO | Emit deprecation headers and notifications for legacy auth endpoints. | Authority Core & Security Guild, API Governance Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-OBS-50-001 | TODO | Introduce scopes `obs:read`, `timeline:read`, `timeline:write`, `evidence:create`, `evidence:read`, `evidence:hold`, `attest:read`, and `obs:incident` (all tenant-scoped). Update discovery metadata, offline defaults, and scope grammar docs. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-OBS-52-001 | TODO | Configure resource server policies for Timeline Indexer, Evidence Locker, Exporter, and Observability APIs enforcing new scopes + tenant claims. Emit audit events including scope usage and trace IDs. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-OBS-55-001 | TODO | Harden incident mode authorization: require `obs:incident` scope + fresh auth, log activation reason, and expose verification endpoint for auditors. Update docs/runbooks. | Authority Core & Security Guild, Ops Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-ORCH-34-001 | TODO | Introduce `Orch.Admin` role with quota/backfill scopes, enforce audit reason on quota changes, and update offline defaults/docs. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-PACKS-41-001 | TODO | Define CLI SSO profiles and pack scopes (`Packs.Read`, `Packs.Write`, `Packs.Run`, `Packs.Approve`), update discovery metadata, offline defaults, and issuer templates. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-PACKS-43-001 | BLOCKED (2025-10-27) | Enforce pack signing policies, approval RBAC checks, CLI CI token scopes, and audit logging for approvals. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
[Identity & Signing] 100.B) Authority.II
Depends on: Sprint 100.B - Authority.I
Summary: Identity & Signing focus on Authority (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
AUTH-POLICY-23-002 | BLOCKED (2025-10-29) | Implement optional two-person rule for activation: require two distinct `policy:activate` approvals when configured; emit audit logs. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-POLICY-23-003 | BLOCKED (2025-10-29) | Update documentation and sample configs for policy roles, approval workflow, and signing requirements. | Authority Core & Docs Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-POLICY-27-002 | TODO | Provide attestation signing service bindings (OIDC token exchange, cosign integration) and enforce publish/promote scope checks, fresh-auth requirements, and audit logging. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-POLICY-27-003 | TODO | Update Authority configuration/docs for Policy Studio roles, signing policies, approval workflows, and CLI integration; include compliance checklist. | Authority Core & Docs Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-TEN-49-001 | TODO | Implement service accounts & delegation tokens (`act` chain), per-tenant quotas, audit stream of auth decisions, and revocation APIs. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-VULN-29-001 | TODO | Define Vuln Explorer scopes/roles (`vuln:view`, `vuln:investigate`, `vuln:operate`, `vuln:audit`) with ABAC attributes (env, owner, business_tier) and update discovery metadata/offline kit defaults. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-VULN-29-002 | TODO | Enforce CSRF/anti-forgery tokens for workflow actions, sign attachment tokens, and record audit logs with ledger event hashes. | Authority Core & Security Guild (src/Authority/StellaOps.Authority/TASKS.md)
AUTH-VULN-29-003 | TODO | Update security docs/config samples for Vuln Explorer roles, ABAC policies, attachment signing, and ledger verification guidance. | Authority Core & Docs Guild (src/Authority/StellaOps.Authority/TASKS.md)
PLG4-6.CAPABILITIES | BLOCKED (2025-10-12) | Finalise capability metadata exposure, config validation, and developer guide updates; remaining action is Docs polish/diagram export. | BE-Auth Plugin, Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)
PLG6.DIAGRAM | TODO | Export final sequence/component diagrams for the developer guide and add offline-friendly assets under `docs/assets/authority`. | Docs Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)
PLG7.RFC | REVIEW | Socialize LDAP plugin RFC (`docs/rfcs/authority-plugin-ldap.md`) and capture guild feedback. | BE-Auth Plugin, Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)
SEC2.PLG | BLOCKED (2025-10-21) | Emit audit events from password verification outcomes and persist via `IAuthorityLoginAttemptStore`. <br>⛔ Waiting on AUTH-DPOP-11-001 / AUTH-MTLS-11-002 / PLUGIN-DI-08-001 to stabilise Authority auth surfaces before final verification + publish. | Security Guild, Storage Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)
SEC3.PLG | BLOCKED (2025-10-21) | Ensure lockout responses and rate-limit metadata flow through plugin logs/events (include retry-after). <br>⛔ Pending AUTH-DPOP-11-001 / AUTH-MTLS-11-002 / PLUGIN-DI-08-001 so limiter telemetry contract matches final authority surface. | Security Guild, BE-Auth Plugin (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)
SEC5.PLG | BLOCKED (2025-10-21) | Address plugin-specific mitigations (bootstrap user handling, password policy docs) in threat model backlog. <br>⛔ Final documentation depends on AUTH-DPOP-11-001 / AUTH-MTLS-11-002 / PLUGIN-DI-08-001 outcomes. | Security Guild (src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/TASKS.md)
[Identity & Signing] 100.C) IssuerDirectory
Summary: Identity & Signing focus on IssuerDirectory.
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
ISSUER-30-001 | TODO | Implement issuer CRUD API with RBAC, audit logging, and tenant scoping; seed CSAF publisher metadata. | Issuer Directory Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md)
ISSUER-30-002 | TODO | Implement key management endpoints (add/rotate/revoke keys), enforce expiry, validate formats (Ed25519, X.509, DSSE). | Issuer Directory Guild, Security Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md)
ISSUER-30-003 | TODO | Provide trust weight APIs and tenant overrides with validation (+/- bounds) and audit trails. | Issuer Directory Guild, Policy Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md)
ISSUER-30-004 | TODO | Integrate with VEX Lens and Excitator signature verification (client SDK, caching, retries). | Issuer Directory Guild, VEX Lens Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md)
ISSUER-30-005 | TODO | Instrument metrics/logs (issuer changes, key rotation, verification failures) and dashboards/alerts. | Issuer Directory Guild, Observability Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md)
ISSUER-30-006 | TODO | Provide deployment manifests, backup/restore, secure secret storage, and offline kit instructions. | Issuer Directory Guild, DevOps Guild (src/IssuerDirectory/StellaOps.IssuerDirectory/TASKS.md)
[Identity & Signing] 100.D) __Libraries
Summary: Identity & Signing focus on Libraries.
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
KMS-73-001 | TODO | Add cloud KMS driver (e.g., AWS KMS, GCP KMS) with signing and key metadata retrieval. | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md)
KMS-73-002 | TODO | Implement PKCS#11/HSM driver plus FIDO2 signing support for high assurance workflows. | KMS Guild (src/__Libraries/StellaOps.Cryptography.Kms/TASKS.md)
If all tasks are done - read next sprint section - SPRINT_110_ingestion_evidence.md

305
docs/implplan/SPRINT_110_ingestion_evidence.md Normal file
View File

@@ -0,0 +1,305 @@
# Sprint 110 - Ingestion & Evidence
[Ingestion & Evidence] 110.A) AdvisoryAI
Depends on: Sprint 100.A - Attestor
Summary: Ingestion & Evidence focus on AdvisoryAI).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
AIAI-31-001 | TODO | Implement structured and vector retrievers for advisories/VEX with paragraph anchors and citation metadata. | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md)
AIAI-31-002 | TODO | Build SBOM context retriever (purl version timelines, dependency paths, env flags, blast radius estimator). | Advisory AI Guild, SBOM Service Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md)
AIAI-31-003 | TODO | Implement deterministic toolset (version comparators, range checks, dependency analysis, policy lookup) exposed via orchestrator. | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md)
AIAI-31-004 | TODO | Build orchestration pipeline for Summary/Conflict/Remediation tasks (prompt templates, tool calls, token budgets, caching). | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md)
AIAI-31-005 | TODO | Implement guardrails (redaction, injection defense, output validation, citation enforcement) and fail-safe handling. | Advisory AI Guild, Security Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md)
AIAI-31-006 | TODO | Expose REST API endpoints (`/advisory/ai/*`) with RBAC, rate limits, OpenAPI schemas, and batching support. | Advisory AI Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md)
AIAI-31-007 | TODO | Instrument metrics (`advisory_ai_latency`, `guardrail_blocks`, `validation_failures`, `citation_coverage`), logs, and traces; publish dashboards/alerts. | Advisory AI Guild, Observability Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md)
AIAI-31-008 | TODO | Package inference on-prem container, remote inference toggle, Helm/Compose manifests, scaling guidance, offline kit instructions. | Advisory AI Guild, DevOps Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md)
AIAI-31-009 | TODO | Develop unit/golden/property/perf tests, injection harness, and regression suite; ensure determinism with seeded caches. | Advisory AI Guild, QA Guild (src/AdvisoryAI/StellaOps.AdvisoryAI/TASKS.md)
[Ingestion & Evidence] 110.B) Concelier.I
Depends on: Sprint 100.A - Attestor
Summary: Ingestion & Evidence focus on Concelier (phase I).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-AIAI-31-001 `Paragraph anchors` | TODO | Expose advisory chunk API returning paragraph anchors, section metadata, and token-safe text for Advisory AI retrieval. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-AIAI-31-002 `Structured fields` | TODO | Ensure observation APIs expose upstream workaround/fix/CVSS fields with provenance; add caching for summary queries. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-AIAI-31-003 `Advisory AI telemetry` | TODO | Emit metrics/logs for chunk requests, cache hits, and guardrail blocks triggered by advisory payloads. | Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-AIRGAP-56-001 `Mirror ingestion adapters` | TODO | Add mirror source adapters reading advisories from imported bundles, preserving source metadata and bundle IDs. Ensure ingestion remains append-only. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-AIRGAP-56-002 `Bundle catalog linking` | TODO | Persist `bundle_id`, `merkle_root`, and time anchor references on observations/linksets for provenance. | Concelier Core Guild, AirGap Importer Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-AIRGAP-57-001 `Sealed-mode source restrictions` | TODO | Enforce sealed-mode egress rules by disallowing non-mirror connectors and surfacing remediation errors. | Concelier Core Guild, AirGap Policy Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-AIRGAP-57-002 `Staleness annotations` | TODO | Compute staleness metadata for advisories per bundle and expose via API for Console/CLI badges. | Concelier Core Guild, AirGap Time Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-AIRGAP-58-001 `Portable advisory evidence` | TODO | Package advisory evidence fragments into portable evidence bundles for cross-domain transfer. | Concelier Core Guild, Evidence Locker Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-ATTEST-73-001 `ScanResults attestation inputs` | TODO | Provide observation artifacts and linkset digests needed for ScanResults attestations (raw data + provenance, no merge outputs). | Concelier Core Guild, Attestor Service Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-ATTEST-73-002 `Transparency metadata` | TODO | Ensure Conseiller exposes source digests for transparency proofs and explainability. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-CONSOLE-23-001 `Advisory aggregation views` | TODO | Expose `/console/advisories` endpoints returning aggregation groups (per linkset) with source chips, provider-reported severity columns (no local consensus), and provenance metadata for Console list + dashboard cards. Support filters by source, ecosystem, published/modified window, tenant enforcement. | Concelier WebService Guild, BE-Base Platform Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-CONSOLE-23-002 `Dashboard deltas API` | TODO | Provide aggregated advisory delta counts (new, modified, conflicting) for Console dashboard + live status ticker; emit structured events for queue lag metrics. Ensure deterministic counts across repeated queries. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-CONSOLE-23-003 `Search fan-out helpers` | TODO | Deliver fast lookup endpoints for CVE/GHSA/purl search (linksets, observations) returning evidence fragments for Console global search; implement caching + scope guards. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-CORE-AOC-19-004 `Remove ingestion normalization` | DOING (2025-10-28) | Strip normalization/dedup/severity logic from ingestion pipelines, delegate derived computations to Policy Engine, and update exporters/tests to consume raw documents only.<br>2025-10-29 19:05Z: Audit completed for `AdvisoryRawService`/Mongo repo to confirm alias order/dedup removal persists; identified remaining normalization in observation/linkset factory that will be revised to surface raw duplicates for Policy ingestion. Change sketch + regression matrix drafted under `docs/dev/aoc-normalization-removal-notes.md` (pending commit).<br>2025-10-31 20:45Z: Added raw linkset projection to observations/storage, exposing canonical+raw views, refreshed fixtures/tests, and documented behaviour in models/doc factory.<br>2025-10-31 21:10Z: Coordinated with Policy Engine (POLICY-ENGINE-20-003) on adoption timeline; backfill + consumer readiness tracked in `docs/dev/raw-linkset-backfill-plan.md`. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-CORE-AOC-19-013 `Authority tenant scope smoke coverage` | TODO | Extend Concelier smoke/e2e fixtures to configure `requiredTenants` and assert cross-tenant rejection with updated Authority tokens. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
[Ingestion & Evidence] 110.B) Concelier.II
Depends on: Sprint 110.B - Concelier.I
Summary: Ingestion & Evidence focus on Concelier (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-GRAPH-21-001 `SBOM projection enrichment` | BLOCKED (2025-10-27) | Extend SBOM normalization to emit full relationship graph (depends_on/contains/provides), scope tags, entrypoint annotations, and component metadata required by Cartographer. | Concelier Core Guild, Cartographer Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-GRAPH-21-002 `Change events` | BLOCKED (2025-10-27) | Publish change events (new SBOM version, relationship delta) for Cartographer build queue; ensure events include tenant/context metadata. | Concelier Core Guild, Scheduler Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-GRAPH-24-101 `Advisory summary API` | TODO | Expose `/advisories/summary` returning raw linkset/observation metadata for overlay services; no derived severity or fix hints. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-GRAPH-28-102 `Evidence batch API` | TODO | Add batch fetch for advisory observations/linksets keyed by component sets to feed Graph overlay tooltips efficiently. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-LNM-21-001 `Advisory observation schema` | TODO | Introduce immutable `advisory_observations` model with AOC metadata, raw payload pointers, structured per-source fields (version ranges, severity, CVSS), and tenancy guardrails; publish schema definition. `DOCS-LNM-22-001` blocked pending this deliverable. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-LNM-21-002 `Linkset builder` | TODO | Implement correlation pipeline (alias graph, PURL overlap, CVSS vector equality, fuzzy title match) that produces `advisory_linksets` with confidence + conflict annotations. Docs note: unblock `DOCS-LNM-22-001` once builder lands. | Concelier Core Guild, Data Science Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-LNM-21-003 `Conflict annotator` | TODO | Detect field disagreements (severity, CVSS, ranges, references) and record structured conflicts on linksets; surface to API/UI. Docs awaiting structured conflict payloads. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-LNM-21-004 `Merge code removal` | TODO | Excise existing merge/dedup logic, enforce immutability on observations, and add guards/tests to prevent future merges. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-LNM-21-005 `Event emission` | TODO | Emit `advisory.linkset.updated` events with delta payloads for downstream Policy Engine/Cartographer consumers; ensure idempotent delivery. | Concelier Core Guild, Platform Events Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-LNM-21-101 `Observations collections` | TODO | Provision `advisory_observations` and `advisory_linksets` collections with hashed shard keys, TTL for ingest metadata, and required indexes (`aliases`, `purls`, `observation_ids`). | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md)
CONCELIER-LNM-21-102 `Migration tooling` | TODO | Backfill legacy merged advisories into observation/linkset collections, create tombstones for merged docs, and supply rollback scripts. | Concelier Storage Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md)
CONCELIER-LNM-21-103 `Blob/store wiring` | TODO | Store large raw payloads in object storage with pointers from observations; update bootstrapper/offline kit to seed sample blobs. | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md)
CONCELIER-LNM-21-201 `Observation APIs` | TODO | Add REST endpoints for advisory observations (`GET /advisories/observations`) with filters (alias, purl, source), pagination, and tenancy enforcement. | Concelier WebService Guild, BE-Base Platform Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-LNM-21-202 `Linkset APIs` | TODO | Implement linkset read/export endpoints (`/advisories/linksets/{id}`, `/advisories/by-purl/{purl}`, `/advisories/linksets/{id}/export`, `/evidence`) with correlation/conflict payloads and `ERR_AGG_*` mapping. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-LNM-21-203 `Ingest events` | TODO | Publish NATS/Redis events for new observations/linksets and ensure idempotent consumer contracts; document event schemas. | Concelier WebService Guild, Platform Events Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
[Ingestion & Evidence] 110.B) Concelier.III
Depends on: Sprint 110.B - Concelier.II
Summary: Ingestion & Evidence focus on Concelier (phase III).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-OAS-61-001 `Spec coverage` | TODO | Update Concelier OAS with advisory observation/linkset endpoints, standard pagination, and source provenance fields. | Concelier Core Guild, API Contracts Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-OAS-61-002 `Examples library` | TODO | Provide rich examples for advisories, linksets, conflict annotations used by SDK + docs. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-OAS-62-001 `SDK smoke tests` | TODO | Add SDK tests covering advisory search, pagination, and conflict handling; ensure source metadata surfaced. | Concelier Core Guild, SDK Generator Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-OAS-63-001 `Deprecation headers` | TODO | Implement deprecation header support and timeline events for retiring endpoints. | Concelier Core Guild, API Governance Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-OBS-50-001 `Telemetry adoption` | TODO | Replace ad-hoc logging with telemetry core across ingestion/linking pipelines; ensure spans/logs include tenant, source vendor, upstream id, content hash, and trace IDs. | Concelier Core Guild, Observability Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-OBS-51-001 `Metrics & SLOs` | TODO | Emit metrics for ingest latency (cold/warm), queue depth, aoc violation rate, and publish SLO burn-rate alerts (ingest P95 <30s cold / <5s warm). Ship dashboards + alert configs. | Concelier Core Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-OBS-52-001 `Timeline events` | TODO | Emit `timeline_event` records for advisory ingest/normalization/linkset creation with provenance, trace IDs, conflict summaries, and evidence placeholders. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-OBS-53-001 `Evidence snapshots` | TODO | Produce advisory evaluation bundle payloads (raw doc, linkset, normalization diff) for evidence locker; ensure Merkle manifests seeded with content hashes. | Concelier Core Guild, Evidence Locker Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-OBS-54-001 `Attestation & verification` | TODO | Attach DSSE attestations for advisory processing batches, expose verification API to confirm bundle integrity, and link attestation IDs back to timeline + ledger. | Concelier Core Guild, Provenance Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-OBS-55-001 `Incident mode hooks` | TODO | Increase sampling, capture raw payload snapshots, and extend retention under incident mode; emit activation events + guardrails against PII leak. | Concelier Core Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-ORCH-32-001 `Source registry integration` | TODO | Register Concelier data sources with orchestrator (metadata, schedules, rate policies) and wire provenance IDs/security scopes. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-ORCH-32-002 `Worker SDK adoption` | TODO | Embed orchestrator worker SDK in ingestion loops, emit heartbeats/progress/artifact hashes, and enforce idempotency keys. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-ORCH-33-001 `Control hook compliance` | TODO | Honor orchestrator throttle/pause/retry actions, surface structured error classes, and persist safe checkpoints for resume. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-ORCH-34-001 `Backfill + ledger linkage` | TODO | Execute orchestrator-driven backfills, reuse artifact hashes to avoid duplicates, and link provenance to run ledger exports. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-POLICY-20-001 `Policy selection endpoints` | TODO | Add batch advisory lookup APIs (`/policy/select/advisories`, `/policy/select/vex`) optimized for PURL/ID lists with pagination, tenant scoping, and explain metadata. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
[Ingestion & Evidence] 110.B) Concelier.IV
Depends on: Sprint 110.B - Concelier.III
Summary: Ingestion & Evidence focus on Concelier (phase IV).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-POLICY-20-002 `Linkset enrichment for policy` | TODO | Strengthen linkset builders with vendor-specific equivalence tables, NEVRA/PURL normalization, and version range parsing to maximize policy join recall; update fixtures + docs. | Concelier Core Guild, Policy Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-POLICY-20-003 `Selection cursors` | TODO | Add advisory/vex selection cursors (per policy run) with change stream checkpoints, indexes, and offline migration scripts to support incremental evaluations. | Concelier Storage Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md)
CONCELIER-POLICY-23-001 `Evidence indexes` | TODO | Add secondary indexes/materialized views to accelerate policy lookups (alias, provider severity per observation, correlation confidence). Document query contracts for runtime. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-POLICY-23-002 `Event guarantees` | TODO | Ensure `advisory.linkset.updated` emits at-least-once with idempotent keys and include policy-relevant metadata (confidence, conflict summary). | Concelier Core Guild, Platform Events Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-RISK-66-001 `CVSS/KEV providers` | TODO | Expose CVSS, KEV, fix availability data via provider APIs with source metadata preserved. | Concelier Core Guild, Risk Engine Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-RISK-66-002 `Fix availability signals` | TODO | Provide structured fix availability and release metadata consumable by risk engine; document provenance. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-RISK-67-001 `Source coverage metrics` | TODO | Add per-source coverage metrics for linked advisories (observation counts, conflicting statuses) without computing consensus scores; ensure explainability includes source digests. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-RISK-68-001 `Policy Studio integration` | TODO | Surface advisory fields in Policy Studio profile editor (signal pickers, reducers). | Concelier Core Guild, Policy Studio Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-RISK-69-001 `Notification hooks` | TODO | Emit events when advisory signals change impacting risk scores (e.g., fix available). | Concelier Core Guild, Notifications Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-SIG-26-001 `Vulnerable symbol exposure` | TODO | Expose advisory metadata (affected symbols/functions) via API to enrich reachability scoring; update fixtures. | Concelier Core Guild, Signals Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-STORE-AOC-19-005 `Raw linkset backfill` | TODO (2025-11-04) | Plan and execute advisory_observations `rawLinkset` backfill (online + Offline Kit bundles), supply migration scripts + rehearse rollback. Follow the coordination plan in `docs/dev/raw-linkset-backfill-plan.md`. | Concelier Storage Guild, DevOps Guild (src/Concelier/__Libraries/StellaOps.Concelier.Storage.Mongo/TASKS.md)
CONCELIER-TEN-48-001 `Tenant-aware linking` | TODO | Ensure advisory normalization/linking runs per tenant with RLS enforcing isolation; emit capability endpoint reporting `merge=false`; update events with tenant context. | Concelier Core Guild (src/Concelier/__Libraries/StellaOps.Concelier.Core/TASKS.md)
CONCELIER-VEXLENS-30-001 `Advisory rationale bridges` | TODO | Guarantee advisory key consistency and cross-links for consensus rationale; Label: VEX-Lens. | Concelier WebService Guild, VEX Lens Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-VULN-29-001 `Advisory key canonicalization` | TODO | Canonicalize (lossless) advisory identifiers (CVE/GHSA/vendor) into `advisory_key`, persist `links[]`, expose raw payload snapshots for Explorer evidence tabs; AOC-compliant: no merge, no derived fields, no suppression. Include migration/backfill scripts. | Concelier WebService Guild, Data Integrity Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-VULN-29-002 `Evidence retrieval API` | TODO | Provide `/vuln/evidence/advisories/{advisory_key}` returning raw advisory docs with provenance, filtering by tenant and source. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
[Ingestion & Evidence] 110.B) Concelier.V
Depends on: Sprint 110.B - Concelier.IV
Summary: Ingestion & Evidence focus on Concelier (phase V).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-VULN-29-004 `Observability enhancements` | TODO | Instrument metrics/logs for observation + linkset pipelines (identifier collisions, withdrawn flags) and emit events consumed by Vuln Explorer resolver. | Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-AIRGAP-56-001 `Mirror import APIs` | TODO | Extend ingestion endpoints to register mirror bundle sources, expose bundle catalog queries, and block external feed URLs in sealed mode. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-AIRGAP-56-002 `Airgap status surfaces` | TODO | Add staleness metadata and bundle provenance to advisory APIs (`/advisories/observations`, `/advisories/linksets`). | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-AIRGAP-57-001 `Error remediation` | TODO | Map sealed-mode violations to `AIRGAP_EGRESS_BLOCKED` responses with user guidance. | Concelier WebService Guild, AirGap Policy Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-AIRGAP-58-001 `Import timeline emission` | TODO | Emit timeline events for bundle ingestion operations with bundle ID, scope, and actor metadata. | Concelier WebService Guild, AirGap Importer Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-AOC-19-002 `AOC observability` | TODO | Emit `ingestion_write_total`, `aoc_violation_total`, latency histograms, and tracing spans (`ingest.fetch/transform/write`, `aoc.guard`). Wire structured logging to include tenant, source vendor, upstream id, and content hash. | Concelier WebService Guild, Observability Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-AOC-19-003 `Schema/guard unit tests` | TODO | Add unit tests covering schema validation failures, forbidden field rejections (`ERR_AOC_001/002/006/007`), idempotent upserts, and supersedes chains using deterministic fixtures. | QA Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-AOC-19-004 `End-to-end ingest verification` | TODO | Create integration tests ingesting large advisory batches (cold/warm) validating linkset enrichment, metrics emission, and reproducible outputs. Capture load-test scripts + doc notes for Offline Kit dry runs. | Concelier WebService Guild, QA Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-OAS-61-001 `/.well-known/openapi` | TODO | Implement discovery endpoint emitting Concelier spec with version metadata and ETag. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-OAS-61-002 `Error envelope migration` | TODO | Ensure all API responses use standardized error envelope; update controllers/tests. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-OAS-62-001 `Examples expansion` | TODO | Add curated examples for advisory observations/linksets/conflicts; integrate into dev portal. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-OAS-63-001 `Deprecation headers` | TODO | Add Sunset/Deprecation headers for retiring endpoints and update documentation/notifications. | Concelier WebService Guild, API Governance Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-OBS-50-001 `Telemetry adoption` | TODO | Adopt telemetry core in web service host, ensure ingest + read endpoints emit trace/log fields (`tenant_id`, `route`, `decision_effect`), and add correlation IDs to responses. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-OBS-51-001 `Observability APIs` | TODO | Surface ingest health metrics, queue depth, and SLO status via `/obs/concelier/health` endpoint for Console widgets, with caching and tenant partitioning. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-OBS-52-001 `Timeline streaming` | TODO | Provide SSE stream `/obs/concelier/timeline` bridging to Timeline Indexer with paging tokens, guardrails, and audit logging. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
[Ingestion & Evidence] 110.B) Concelier.VI
Depends on: Sprint 110.B - Concelier.V
Summary: Ingestion & Evidence focus on Concelier (phase VI).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-WEB-OBS-53-001 `Evidence locker integration` | TODO | Add `/evidence/advisories/*` routes invoking evidence locker snapshots, verifying tenant scopes (`evidence:read`), and returning signed manifest metadata. | Concelier WebService Guild, Evidence Locker Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-OBS-54-001 `Attestation exposure` | TODO | Provide `/attestations/advisories/*` read APIs surfacing DSSE status, verification summary, and provenance chain for Console/CLI. | Concelier WebService Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
CONCELIER-WEB-OBS-55-001 `Incident mode toggles` | TODO | Implement incident mode toggle endpoints, propagate to orchestrator/locker, and document cooldown/backoff semantics. | Concelier WebService Guild, DevOps Guild (src/Concelier/StellaOps.Concelier.WebService/TASKS.md)
FEEDCONN-CCCS-02-009 Version range provenance (Oct 2025) | BE-Conn-CCCS | **TODO (due 2025-10-21)** Map CCCS advisories into the new `advisory_observations.affected.versions[]` structure, preserving each upstream range with provenance anchors (`cccs:{serial}:{index}`) and normalized comparison keys. Update mapper tests/fixtures for the Link-Not-Merge schema and verify linkset builders consume the ranges without relying on legacy merge counters.<br>2025-10-29: `docs/dev/normalized-rule-recipes.md` now documents helper snippets for building observation version entries—use them instead of merge-specific builders and refresh fixtures with `UPDATE_CCCS_FIXTURES=1`. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Cccs/TASKS.md)
FEEDCONN-CERTBUND-02-010 Version range provenance | BE-Conn-CERTBUND | **TODO (due 2025-10-22)** Translate `product.Versions` phrases (e.g., `2023.1 bis 2024.2`, `alle`) into comparison helpers for `advisory_observations.affected.versions[]`, capturing provenance (`certbund:{advisoryId}:{vendor}`) and localisation notes. Update mapper/tests for the Link-Not-Merge schema and refresh documentation accordingly. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.CertBund/TASKS.md)
FEEDCONN-CISCO-02-009 SemVer range provenance | BE-Conn-Cisco | **TODO (due 2025-10-21)** Emit Cisco SemVer ranges into `advisory_observations.affected.versions[]` with provenance identifiers (`cisco:{productId}`) and deterministic comparison keys. Update mapper/tests for the Link-Not-Merge schema and replace legacy merge counter checks with observation/linkset validation. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Vndr.Cisco/TASKS.md)
FEEDCONN-ICSCISA-02-012 Version range provenance | BE-Conn-ICS-CISA | **TODO (due 2025-10-23)** Promote existing firmware/semver data into `advisory_observations.affected.versions[]` entries with deterministic comparison keys and provenance identifiers (`ics-cisa:{advisoryId}:{product}`). Add regression coverage for mixed firmware strings and raise a Models ticket only when observation schema needs a new comparison helper.<br>2025-10-29: Follow `docs/dev/normalized-rule-recipes.md` §2 to build observation version entries and log failures without invoking the retired merge helpers. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Ics.Cisa/TASKS.md)
FEEDCONN-KISA-02-008 Firmware range provenance | BE-Conn-KISA, Models | **TODO (due 2025-10-24)** Define comparison helpers for Hangul-labelled firmware ranges (`XFU 1.0.1.0084 ~ 2.0.1.0034`) and map them into `advisory_observations.affected.versions[]` with provenance tags. Coordinate with Models only if a new comparison scheme is required, then update localisation notes and fixtures for the Link-Not-Merge schema. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Kisa/TASKS.md)
FEEDCONN-SHARED-STATE-003 Source state seeding helper | Tools Guild, BE-Conn-MSRC | **DOING (2025-10-19)** Provide a reusable CLI/utility to seed `pendingDocuments`/`pendingMappings` for connectors (MSRC backfills require scripted CVRF + detail injection). Coordinate with MSRC team for expected JSON schema and handoff once prototype lands. Prereqs confirmed none (2025-10-19). | Tools (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Common/TASKS.md)
FEEDMERGE-COORD-02-901 Connector deadline check-ins | BE-Merge | **TODO (due 2025-10-21)** Confirm Cccs/Cisco version-provenance updates land, capture `LinksetVersionCoverage` dashboard snapshots (expect zero missing-range warnings), and update coordination docs with the results.<br>2025-10-29: Observation metrics now surface `version_entries_total`/`missing_version_entries_total`; include screenshots for both when closing this task. | FEEDMERGE-COORD-02-900 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md)
FEEDMERGE-COORD-02-902 ICS-CISA version comparison support | BE-Merge, Models | **TODO (due 2025-10-23)** Review ICS-CISA sample advisories, validate reuse of existing comparison helpers, and pre-stage Models ticket template only if a new firmware comparator is required. Document the outcome and observation coverage logs in coordination docs + tracker files.<br>2025-10-29: `docs/dev/normalized-rule-recipes.md` (§2§3) now covers observation entries; attach decision summary + log sample when handing off to Models. | FEEDMERGE-COORD-02-900 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md)
FEEDMERGE-COORD-02-903 KISA firmware scheme review | BE-Merge, Models | **TODO (due 2025-10-24)** Pair with KISA team on proposed firmware comparison helper (`kisa.build` or variant), ensure observation mapper alignment, and open Models ticket only if a new comparator is required. Log the final helper signature and observation coverage metrics in coordination docs + tracker files. | FEEDMERGE-COORD-02-900 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md)
Fixture validation sweep | QA | **DOING (2025-10-19)** Prereqs confirmed none; continuing RHSA fixture regeneration and diff review alongside mapper provenance updates.<br>2025-10-29: Added `scripts/update-redhat-fixtures.sh` to regenerate golden snapshots with `UPDATE_GOLDENS=1`; run it before reviews to capture CSAF contract deltas. | None (src/Concelier/__Libraries/StellaOps.Concelier.Connector.Distro.RedHat/TASKS.md)
Link-Not-Merge version provenance coordination | BE-Merge | **DOING** Coordinate remaining connectors (`Acsc`, `Cccs`, `CertBund`, `CertCc`, `Cve`, `Ghsa`, `Ics.Cisa`, `Kisa`, `Ru.Bdu`, `Ru.Nkcki`, `Vndr.Apple`, `Vndr.Cisco`, `Vndr.Msrc`) so they emit `advisory_observations.affected.versions[]` entries with provenance tags and deterministic comparison keys. Track rollout status in `docs/dev/normalized-rule-recipes.md` (now updated for Link-Not-Merge) and retire the legacy merge counters as coverage transitions to linkset validation metrics.<br>2025-10-29: Added new guidance in the doc for recording observation version metadata and logging gaps via `LinksetVersionCoverage` warnings to replace prior `concelier.merge.normalized_rules*` alerts. | CONCELIER-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md)
MERGE-LNM-21-001 Migration plan authoring | BE-Merge, Architecture Guild | Draft `no-merge` migration playbook, documenting backfill strategy, feature flag rollout, and rollback steps for legacy merge pipeline deprecation. | CONCELIER-LNM-21-101 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md)
[Ingestion & Evidence] 110.B) Concelier.VII
Depends on: Sprint 110.B - Concelier.VI
Summary: Ingestion & Evidence focus on Concelier (phase VII).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
MERGE-LNM-21-002 Merge service deprecation | BE-Merge | Refactor or retire `AdvisoryMergeService` and related pipelines, ensuring callers transition to observation/linkset APIs; add compile-time analyzer preventing merge service usage. | MERGE-LNM-21-001 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md)
MERGE-LNM-21-003 Determinism/test updates | QA Guild, BE-Merge | Replace merge determinism suites with observation/linkset regression tests verifying no data mutation and conflicts remain visible. | MERGE-LNM-21-002 (src/Concelier/__Libraries/StellaOps.Concelier.Merge/TASKS.md)
[Ingestion & Evidence] 110.C) Excititor.I
Depends on: Sprint 100.A - Attestor
Summary: Ingestion & Evidence focus on Excititor (phase I).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXCITITOR-AIAI-31-001 `Justification enrichment` | TODO | Expose normalized VEX justifications, product trees, and paragraph anchors for Advisory AI conflict explanations. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-AIAI-31-002 `VEX chunk API` | TODO | Provide `/vex/evidence/chunks` endpoint returning tenant-scoped VEX statements with signature metadata and scope scores for RAG. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-AIAI-31-003 `Telemetry` | TODO | Emit metrics/logs for VEX chunk usage, signature verification failures, and guardrail triggers. | Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-AIRGAP-56-001 `Mirror ingestion adapters` | TODO | Add mirror-based VEX ingestion, preserving statement digests and bundle IDs. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-AIRGAP-56-002 `Bundle provenance` | TODO | Persist bundle metadata on VEX observations/linksets with provenance references. | Excititor Core Guild, AirGap Importer Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-AIRGAP-57-001 `Sealed-mode enforcement` | TODO | Block non-mirror connectors in sealed mode and surface remediation errors. | Excititor Core Guild, AirGap Policy Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-AIRGAP-57-002 `Staleness annotations` | TODO | Annotate VEX statements with staleness metrics and expose via API. | Excititor Core Guild, AirGap Time Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-AIRGAP-58-001 `Portable VEX evidence` | TODO | Package VEX evidence segments into portable evidence bundles linked to timeline. | Excititor Core Guild, Evidence Locker Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-ATTEST-01-003 Verification suite & observability | Team Excititor Attestation | DOING (2025-10-22) Continuing implementation: build `IVexAttestationVerifier`, wire metrics/logging, and add regression tests. Draft plan in `EXCITITOR-ATTEST-01-003-plan.md` (2025-10-19) guides scope; updating with worknotes as progress lands.<br>2025-10-31: Verifier now tolerates duplicate source providers from AOC raw projections, downgrades offline Rekor verification to a degraded result, and enforces trusted signer registry checks with detailed diagnostics/tests. | EXCITITOR-ATTEST-01-002 (src/Excititor/__Libraries/StellaOps.Excititor.Attestation/TASKS.md)
EXCITITOR-ATTEST-73-001 `VEX attestation payloads` | TODO | Provide VEX statement metadata (supplier identity, justification, scope) required for VEXAttestation payloads. | Excititor Core Guild, Attestation Payloads Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-ATTEST-73-002 `Chain provenance` | TODO | Expose linkage from VEX statements to subject/product for chain of custody graph. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-CONN-MS-01-003 Trust metadata & provenance hints | Team Excititor Connectors MSRC | TODO Emit cosign/AAD issuer metadata, attach provenance details, and document policy integration. | EXCITITOR-CONN-MS-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.MSRC.CSAF/TASKS.md)
EXCITITOR-CONN-ORACLE-01-003 Trust provenance enrichment | Team Excititor Connectors Oracle | TODO Emit Oracle signing metadata (PGP/cosign fingerprint list, issuer trust tier) into raw provenance so downstream services can evaluate trust. Connector must not apply consensus weighting during ingestion. | EXCITITOR-CONN-ORACLE-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Oracle.CSAF/TASKS.md)
EXCITITOR-CONN-STELLA-07-002 | TODO | Parse mirror bundles into raw `VexClaim` batches, preserving original provider metadata and mirror provenance without applying consensus or weighting. | Excititor Connectors Stella (src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md)
EXCITITOR-CONN-STELLA-07-003 | TODO | Implement incremental cursor handling per-export digest for raw claim replays, support resume, and document configuration for downstream Excititor mirrors. | Excititor Connectors Stella (src/Excititor/StellaOps.Excititor.Connectors.StellaOpsMirror/TASKS.md)
[Ingestion & Evidence] 110.C) Excititor.II
Depends on: Sprint 110.C - Excititor.I
Summary: Ingestion & Evidence focus on Excititor (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXCITITOR-CONN-SUSE-01-003 Trust metadata provenance | Team Excititor Connectors SUSE | TODO Emit provider trust configuration (signer fingerprints, trust tier notes) into the raw provenance envelope so downstream VEX Lens/Policy components can weigh issuers. Connector must not apply weighting or consensus inside ingestion. | EXCITITOR-CONN-SUSE-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.SUSE.RancherVEXHub/TASKS.md)
EXCITITOR-CONN-UBUNTU-01-003 Trust provenance enrichment | Team Excititor Connectors Ubuntu | TODO Emit Ubuntu signing metadata (GPG fingerprints, issuer trust tier) inside raw provenance artifacts so downstream Policy/VEX Lens consumers can weigh issuers. Connector must remain aggregation-only with no inline weighting. | EXCITITOR-CONN-UBUNTU-01-002, EXCITITOR-POLICY-01-001 (src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Ubuntu.CSAF/TASKS.md)
EXCITITOR-CONSOLE-23-001 `VEX aggregation views` | TODO | Expose `/console/vex` endpoints returning grouped VEX statements per advisory/component with status chips, justification metadata, precedence trace pointers, and tenant-scoped filters for Console explorer. | Excititor WebService Guild, BE-Base Platform Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-CONSOLE-23-002 `Dashboard VEX deltas` | TODO | Provide aggregated counts for VEX overrides (new, not_affected, revoked) powering Console dashboard + live status ticker; emit metrics for policy explain integration. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-CONSOLE-23-003 `VEX search helpers` | TODO | Deliver rapid lookup endpoints of VEX by advisory/component for Console global search; ensure response includes provenance and precedence context; include caching and RBAC. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-CORE-AOC-19-002 `VEX linkset extraction` | TODO | Implement deterministic extraction of advisory IDs, component PURLs, and references into `linkset`, capturing reconciled-from metadata for traceability. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-CORE-AOC-19-003 `Idempotent VEX raw upsert` | TODO | Enforce `(vendor, upstreamId, contentHash, tenant)` uniqueness, generate supersedes chains, and ensure append-only versioning of raw VEX documents. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-CORE-AOC-19-004 `Remove ingestion consensus` | TODO | Excise consensus/merge/severity logic from Excititor ingestion paths, updating exports/tests to rely on Policy Engine materializations instead. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-CORE-AOC-19-013 `Authority tenant scope smoke coverage` | TODO | Update Excititor smoke/e2e suites to seed tenant-aware Authority clients and ensure cross-tenant VEX ingestion is rejected. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-GRAPH-21-001 `Inspector linkouts` | BLOCKED (2025-10-27) | Provide batched VEX/advisory reference fetches keyed by graph node PURLs so UI inspector can display raw documents and justification metadata. | Excititor Core Guild, Cartographer Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-GRAPH-21-002 `Overlay enrichment` | BLOCKED (2025-10-27) | Ensure overlay metadata includes VEX justification summaries and document versions for Cartographer overlays; update fixtures/tests. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-GRAPH-21-005 `Inspector indexes` | BLOCKED (2025-10-27) | Add indexes/materialized views for VEX lookups by PURL/policy to support Cartographer inspector performance; document migrations. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md)
EXCITITOR-GRAPH-24-101 `VEX summary API` | TODO | Provide endpoints delivering VEX status summaries per component/asset for Vuln Explorer integration. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-GRAPH-24-102 `Evidence batch API` | TODO | Add batch VEX observation retrieval optimized for Graph overlays/tooltips. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-LNM-21-001 `VEX observation model` | TODO | Define immutable `vex_observations` schema capturing raw statements, product PURLs, justification, and AOC metadata. `DOCS-LNM-22-002` blocked pending this schema. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
[Ingestion & Evidence] 110.C) Excititor.III
Depends on: Sprint 110.C - Excititor.II
Summary: Ingestion & Evidence focus on Excititor (phase III).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXCITITOR-LNM-21-002 `Linkset correlator` | TODO | Build correlation pipeline combining alias + product PURL signals to form `vex_linksets` with confidence metrics. Docs waiting to finalize VEX aggregation guide. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-LNM-21-003 `Conflict annotator` | TODO | Record status/justification disagreements within linksets and expose structured conflicts. Provide structured payloads for `DOCS-LNM-22-002`. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-LNM-21-004 `Merge removal` | TODO | Remove legacy VEX merge logic, enforce immutability, and add guards/tests to prevent future merges. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-LNM-21-005 `Event emission` | TODO | Emit `vex.linkset.updated` events for downstream consumers with delta descriptions and tenant context. | Excititor Core Guild, Platform Events Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-LNM-21-101 `Observations collections` | TODO | Provision `vex_observations`/`vex_linksets` collections with shard keys, indexes over aliases & product PURLs, and multi-tenant guards. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md)
EXCITITOR-LNM-21-102 `Migration/backfill` | TODO | Backfill legacy merged VEX docs into observations/linksets, add provenance notes, and produce rollback scripts. | Excititor Storage Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md)
EXCITITOR-LNM-21-201 `Observation APIs` | TODO | Add VEX observation read endpoints with filters, pagination, RBAC, and tenant scoping. | Excititor WebService Guild, BE-Base Platform Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-LNM-21-202 `Linkset APIs` | TODO | Implement linkset read/export/evidence endpoints returning correlation/conflict payloads and map errors to `ERR_AGG_*`. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-LNM-21-203 `Event publishing` | TODO | Publish `vex.linkset.updated` events, document schema, and ensure idempotent delivery. | Excititor WebService Guild, Platform Events Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-OAS-61-001 `Spec coverage` | TODO | Update VEX OAS to include observation/linkset endpoints with provenance fields and examples. | Excititor Core Guild, API Contracts Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-OAS-61-002 `Example catalog` | TODO | Provide examples for VEX justifications, statuses, conflicts; ensure SDK docs reference them. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-OAS-62-001 `SDK smoke tests` | TODO | Add SDK scenarios for VEX observation queries and conflict handling to language smoke suites. | Excititor Core Guild, SDK Generator Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-OAS-63-001 `Deprecation headers` | TODO | Add deprecation metadata and notifications for legacy VEX routes. | Excititor Core Guild, API Governance Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-OBS-50-001 `Telemetry adoption` | TODO | Integrate telemetry core across VEX ingestion/linking, ensuring spans/logs capture tenant, product scope, upstream id, justification hash, and trace IDs. | Excititor Core Guild, Observability Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-OBS-51-001 `Metrics & SLOs` | TODO | Publish metrics for VEX ingest latency, scope resolution success, conflict rate, signature verification failures. Define SLOs (link latency P95 <30s) and configure burn-rate alerts. | Excititor Core Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
[Ingestion & Evidence] 110.C) Excititor.IV
Depends on: Sprint 110.C - Excititor.III
Summary: Ingestion & Evidence focus on Excititor (phase IV).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXCITITOR-OBS-52-001 `Timeline events` | TODO | Emit `timeline_event` entries for VEX ingest/linking/outcome changes with trace IDs, justification summaries, and evidence placeholders. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-OBS-53-001 `Evidence snapshots` | TODO | Build evidence payloads for VEX statements (raw doc, normalization diff, precedence notes) and push to evidence locker with Merkle manifests. | Excititor Core Guild, Evidence Locker Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-OBS-54-001 `Attestation & verification` | TODO | Attach DSSE attestations to VEX batch processing, verify chain-of-custody via Provenance library, and link attestation IDs to timeline + ledger. | Excititor Core Guild, Provenance Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-OBS-55-001 `Incident mode` | TODO | Implement incident sampling bump, additional raw payload retention, and activation events for VEX pipelines with redaction guard rails. | Excititor Core Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-ORCH-32-001 `Worker SDK adoption` | TODO | Integrate orchestrator worker SDK in Excititor ingestion jobs, emit heartbeats/progress/artifact hashes, and register source metadata. | Excititor Worker Guild (src/Excititor/StellaOps.Excititor.Worker/TASKS.md)
EXCITITOR-ORCH-33-001 `Control compliance` | TODO | Honor orchestrator pause/throttle/retry actions, classify error outputs, and persist restart checkpoints. | Excititor Worker Guild (src/Excititor/StellaOps.Excititor.Worker/TASKS.md)
EXCITITOR-ORCH-34-001 `Backfill & circuit breaker` | TODO | Implement orchestrator-driven backfills, apply circuit breaker reset rules, and ensure artifact dedupe alignment. | Excititor Worker Guild (src/Excititor/StellaOps.Excititor.Worker/TASKS.md)
EXCITITOR-POLICY-02-002 Diagnostics for scoring signals | Team Excititor Policy | BACKLOG Update diagnostics reports to surface missing severity/KEV/EPSS mappings, coefficient overrides, and provide actionable recommendations for policy tuning. | EXCITITOR-POLICY-02-001 (src/Excititor/__Libraries/StellaOps.Excititor.Policy/TASKS.md)
EXCITITOR-POLICY-20-001 `Policy selection endpoints` | TODO | Provide VEX lookup APIs supporting PURL/advisory batching, scope filtering, and tenant enforcement with deterministic ordering + pagination. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-POLICY-20-002 `Scope-aware linksets` | TODO | Enhance VEX linkset extraction with scope resolution (product/component) + version range matching to boost policy join accuracy; refresh fixtures/tests. | Excititor Core Guild, Policy Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-POLICY-20-003 `Selection cursors` | TODO | Introduce VEX selection cursor collections + indexes powering incremental policy runs; bundle change-stream checkpoint migrations and Offline Kit tooling. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md)
EXCITITOR-POLICY-23-001 `Evidence indexes` | TODO | Provide indexes/materialized views for policy runtime (status, justification, product PURL) to accelerate queries; document contract. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-POLICY-23-002 `Event guarantees` | TODO | Ensure `vex.linkset.updated` events include correlation confidence, conflict summaries, and idempotent ids for evaluator consumption. | Excititor Core Guild, Platform Events Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-RISK-66-001 `VEX gate provider` | TODO | Supply VEX status and justification data for risk engine gating with full source provenance. | Excititor Core Guild, Risk Engine Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-RISK-66-002 `Reachability inputs` | TODO | Provide component/product scoping metadata enabling reachability and runtime factor mapping. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
[Ingestion & Evidence] 110.C) Excititor.V
Depends on: Sprint 110.C - Excititor.IV
Summary: Ingestion & Evidence focus on Excititor (phase V).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXCITITOR-RISK-67-001 `Explainability metadata` | TODO | Include VEX justification, status reasoning, and source digests in explainability artifacts. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-RISK-68-001 `Policy Studio integration` | TODO | Surface VEX-specific gates/weights within profile editor UI and validation messages. | Excititor Core Guild, Policy Studio Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-SIG-26-001 `Vendor exploitability hints` | TODO | Surface vendor-provided exploitability indicators and affected symbol lists to Signals service via projection endpoints. | Excititor Core Guild, Signals Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-STORE-AOC-19-001 `vex_raw schema validator` | TODO | Define Mongo JSON schema for `vex_raw` enforcing required fields and forbidding derived/consensus/severity fields. Ship unit tests with Mongo2Go to validate rejects. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md)
EXCITITOR-STORE-AOC-19-002 `idempotency unique index` | TODO | Create `(source.vendor, upstream.upstream_id, upstream.content_hash, tenant)` unique index with backfill checker, updating migrations + bootstrapper for offline installs. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md)
EXCITITOR-STORE-AOC-19-003 `append-only migration plan` | TODO | Migrate legacy consensus collections to `_backup_*`, seed supersedes chain for raw docs, and document rollback path + dry-run verification. | Excititor Storage Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md)
EXCITITOR-STORE-AOC-19-004 `validator deployment docset` | TODO | Update migration runbooks and Offline Kit packaging to bundle schema validator scripts, with smoke instructions for air-gapped clusters. | Excititor Storage Guild, DevOps Guild (src/Excititor/__Libraries/StellaOps.Excititor.Storage.Mongo/TASKS.md)
EXCITITOR-TEN-48-001 `Tenant-aware VEX linking` | TODO | Apply tenant context to VEX linkers, enable RLS, and expose capability endpoint confirming aggregation-only behavior. | Excititor Core Guild (src/Excititor/__Libraries/StellaOps.Excititor.Core/TASKS.md)
EXCITITOR-VEXLENS-30-001 `VEX evidence enrichers` | TODO | Include issuer hints, signatures, and product trees in evidence payloads for VEX Lens; Label: VEX-Lens. | Excititor WebService Guild, VEX Lens Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-VULN-29-001 `VEX key canonicalization` | TODO | Canonicalize (lossless) VEX advisory/product keys (map to `advisory_key`, capture product scopes); expose original sources in `links[]`; AOC-compliant: no merge, no derived fields, no suppression; backfill existing records. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-VULN-29-002 `Evidence retrieval` | TODO | Provide `/vuln/evidence/vex/{advisory_key}` returning raw VEX statements filtered by tenant/product scope for Explorer evidence tabs. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-VULN-29-004 `Observability` | TODO | Add metrics/logs for VEX normalization, suppression scopes, withdrawn statements; emit events consumed by Vuln Explorer resolver. | Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-AIRGAP-56-001 | TODO | Support mirror bundle registration via APIs, expose bundle provenance in VEX responses, and block external connectors in sealed mode. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-AIRGAP-56-002 | TODO | Return VEX staleness metrics and time anchor info in API responses for Console/CLI use. | Excititor WebService Guild, AirGap Time Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-AIRGAP-57-001 | TODO | Map sealed-mode violations to standardized error payload with remediation guidance. | Excititor WebService Guild, AirGap Policy Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
[Ingestion & Evidence] 110.C) Excititor.VI
Depends on: Sprint 110.C - Excititor.V
Summary: Ingestion & Evidence focus on Excititor (phase VI).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXCITITOR-WEB-AIRGAP-58-001 | TODO | Emit timeline events for VEX bundle imports with bundle ID, scope, and actor metadata. | Excititor WebService Guild, AirGap Importer Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-AOC-19-001 `Raw VEX ingestion APIs` | TODO | Implement `POST /ingest/vex`, `GET /vex/raw*`, and `POST /aoc/verify` endpoints. Enforce Authority scopes, tenant injection, and guard pipeline to ensure only immutable VEX facts are persisted. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-AOC-19-002 `AOC observability + metrics` | TODO | Export metrics (`ingestion_write_total`, `aoc_violation_total`, signature verification counters) and tracing spans matching Conseiller naming. Ensure structured logging includes tenant, source vendor, upstream id, and content hash. | Excititor WebService Guild, Observability Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-AOC-19-003 `Guard + schema test harness` | TODO | Add unit/integration tests for schema validation, forbidden field rejection (`ERR_AOC_001/006/007`), and supersedes behavior using CycloneDX-VEX & CSAF fixtures with deterministic expectations. | QA Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-AOC-19-004 `Batch ingest validation` | TODO | Build large fixture ingest covering mixed VEX statuses, verifying raw storage parity, metrics, and CLI `aoc verify` compatibility. Document load test/runbook updates. | Excititor WebService Guild, QA Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-OAS-61-001 | TODO | Implement `/.well-known/openapi` discovery endpoint with spec version metadata. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-OAS-61-002 | TODO | Standardize error envelope responses and update controller/unit tests. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-OAS-62-001 | TODO | Add curated examples for VEX observation/linkset endpoints and ensure portal displays them. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-OAS-63-001 | TODO | Emit deprecation headers and update docs for retiring VEX APIs. | Excititor WebService Guild, API Governance Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-OBS-50-001 `Telemetry adoption` | TODO | Adopt telemetry core for VEX APIs, ensure responses include trace IDs & correlation headers, and update structured logging for read endpoints. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-OBS-51-001 `Observability health endpoints` | TODO | Implement `/obs/excititor/health` summarizing ingest/link SLOs, signature failure counts, and conflict trends for Console dashboards. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-OBS-52-001 `Timeline streaming` | TODO | Provide SSE bridge for VEX timeline events with tenant filters, pagination, and guardrails. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-OBS-53-001 `Evidence APIs` | TODO | Expose `/evidence/vex/*` endpoints that fetch locker bundles, enforce scopes, and surface verification metadata. | Excititor WebService Guild, Evidence Locker Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-OBS-54-001 `Attestation APIs` | TODO | Add `/attestations/vex/*` endpoints returning DSSE verification state, builder identity, and chain-of-custody links. | Excititor WebService Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
EXCITITOR-WEB-OBS-55-001 `Incident mode toggles` | TODO | Provide incident mode API for VEX pipelines with activation audit logs and retention override previews. | Excititor WebService Guild, DevOps Guild (src/Excititor/StellaOps.Excititor.WebService/TASKS.md)
[Ingestion & Evidence] 110.D) Mirror
Depends on: Sprint 100.A - Attestor
Summary: Ingestion & Evidence focus on Mirror).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
MIRROR-CRT-56-001 | TODO | Implement deterministic bundle assembler supporting advisories, VEX, policy packs with Zstandard compression and manifest generation. | Mirror Creator Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md)
MIRROR-CRT-56-002 | TODO | Integrate DSSE signing and TUF metadata generation (`root`, `snapshot`, `timestamp`, `targets`). | Mirror Creator Guild, Security Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md)
MIRROR-CRT-57-001 | TODO | Add optional OCI image collection producing oci-archive layout with digests recorded in manifest. | Mirror Creator Guild, DevOps Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md)
MIRROR-CRT-57-002 | TODO | Embed signed time anchor metadata (`meta/time-anchor.json`) sourced from trusted authority. | Mirror Creator Guild, AirGap Time Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md)
MIRROR-CRT-58-001 | TODO | Deliver CLI `stella mirror create | Mirror Creator Guild, CLI Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md)
MIRROR-CRT-58-002 | TODO | Integrate with Export Center scheduling to automate mirror bundle creation with audit logs. | Mirror Creator Guild, Exporter Guild (src/Mirror/StellaOps.Mirror.Creator/TASKS.md)
If all tasks are done - read next sprint section - SPRINT_120_policy_reasoning.md

287
docs/implplan/SPRINT_120_policy_reasoning.md Normal file
View File

@@ -0,0 +1,287 @@
# Sprint 120 - Policy & Reasoning
[Policy & Reasoning] 120.A) AirGap
Depends on: Sprint 110.A - AdvisoryAI
Summary: Policy & Reasoning focus on AirGap).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
AIRGAP-POL-56-001 | TODO | Implement `StellaOps.AirGap.Policy` package exposing `EgressPolicy` facade with sealed/unsealed branches and remediation-friendly errors. | AirGap Policy Guild (src/AirGap/StellaOps.AirGap.Policy/TASKS.md)
AIRGAP-POL-56-002 | TODO | Create Roslyn analyzer/code fix warning on raw `HttpClient` usage outside approved wrappers; add CI integration. | AirGap Policy Guild, DevEx Guild (src/AirGap/StellaOps.AirGap.Policy/TASKS.md)
AIRGAP-POL-57-001 | TODO | Update core web services (Web, Exporter, Policy, Findings, Authority) to use `EgressPolicy`; ensure configuration wiring for sealed mode. | AirGap Policy Guild, BE-Base Platform Guild (src/AirGap/StellaOps.AirGap.Policy/TASKS.md)
AIRGAP-POL-57-002 | TODO | Implement Task Runner job plan validator rejecting network steps unless marked internal allow-list. | AirGap Policy Guild, Task Runner Guild (src/AirGap/StellaOps.AirGap.Policy/TASKS.md)
AIRGAP-POL-58-001 | TODO | Ensure Observability exporters only target local endpoints in sealed mode; disable remote sinks with warning. | AirGap Policy Guild, Observability Guild (src/AirGap/StellaOps.AirGap.Policy/TASKS.md)
AIRGAP-POL-58-002 | TODO | Add CLI sealed-mode guard that refuses commands needing egress and surfaces remediation. | AirGap Policy Guild, CLI Guild (src/AirGap/StellaOps.AirGap.Policy/TASKS.md)
[Policy & Reasoning] 120.B) Findings.I
Depends on: Sprint 110.A - AdvisoryAI
Summary: Policy & Reasoning focus on Findings (phase I).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
LEDGER-29-001 | TODO | Design ledger & projection schemas (tables/indexes), canonical JSON format, hashing strategy, and migrations. Publish schema doc + fixtures. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-29-002 | TODO | Implement ledger write API (`POST /vuln/ledger/events`) with validation, idempotency, hash chaining, and Merkle root computation job. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-29-003 | TODO | Build projector worker that derives `findings_projection` rows from ledger events + policy determinations; ensure idempotent replay keyed by `(tenant,finding_id,policy_version)`. | Findings Ledger Guild, Scheduler Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-29-004 | TODO | Integrate Policy Engine batch evaluation (baseline + simulate) with projector; cache rationale references. | Findings Ledger Guild, Policy Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-29-005 | TODO | Implement workflow mutation handlers (assign, comment, accept-risk, target-fix, verify-fix, reopen) producing ledger events with validation and attachments metadata. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-29-006 | TODO | Integrate attachment encryption (KMS envelope), signed URL issuance, CSRF protection hooks for Console. | Findings Ledger Guild, Security Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-29-007 | TODO | Instrument metrics (`ledger_write_latency`, `projection_lag_seconds`, `ledger_events_total`), structured logs, and Merkle anchoring alerts; publish dashboards. | Findings Ledger Guild, Observability Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-29-008 | TODO | Develop unit/property/integration tests, replay/restore tooling, determinism harness, and load tests at 5M findings/tenant. | Findings Ledger Guild, QA Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-29-009 | TODO | Provide deployment manifests (Helm/Compose), backup/restore guidance, Merkle anchor externalization (optional), and offline kit instructions. | Findings Ledger Guild, DevOps Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-34-101 | TODO | Link orchestrator run ledger exports into Findings Ledger provenance chain, index by artifact hash, and expose audit queries. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-AIRGAP-56-001 | TODO | Record bundle provenance (`bundle_id`, `merkle_root`, `time_anchor`) on ledger events for advisories/VEX/policies imported via Mirror Bundles. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-AIRGAP-56-002 | TODO | Surface staleness metrics for findings and block risk-critical exports when stale beyond thresholds; provide remediation messaging. | Findings Ledger Guild, AirGap Time Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-AIRGAP-57-001 | TODO | Link findings evidence snapshots to portable evidence bundles and ensure cross-enclave verification works. | Findings Ledger Guild, Evidence Locker Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-AIRGAP-58-001 | TODO | Emit timeline events for bundle import impacts (new findings, remediation changes) with sealed-mode context. | Findings Ledger Guild, AirGap Controller Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-ATTEST-73-001 | TODO | Persist pointers from findings to verification reports and attestation envelopes for explainability. | Findings Ledger Guild, Attestor Service Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
[Policy & Reasoning] 120.B) Findings.II
Depends on: Sprint 120.B - Findings.I
Summary: Policy & Reasoning focus on Findings (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
LEDGER-ATTEST-73-002 | TODO | Enable search/filter in findings projections by verification result and attestation status. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-EXPORT-35-001 | TODO | Provide paginated streaming endpoints for advisories, VEX, SBOMs, and findings aligned with export filters, including deterministic ordering and provenance metadata. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-OAS-61-001 | TODO | Expand Findings Ledger OAS to include projections, evidence lookups, and filter parameters with examples. | Findings Ledger Guild, API Contracts Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-OAS-61-002 | TODO | Implement `/.well-known/openapi` endpoint and ensure version metadata matches release. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-OAS-62-001 | TODO | Provide SDK test cases for findings pagination, filtering, evidence links; ensure typed models expose provenance. | Findings Ledger Guild, SDK Generator Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-OAS-63-001 | TODO | Support deprecation headers and Notifications for retiring finding endpoints. | Findings Ledger Guild, API Governance Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-OBS-50-001 | TODO | Integrate telemetry core within ledger writer/projector services, emitting structured logs and trace spans for ledger append, projector replay, and query APIs with tenant context. | Findings Ledger Guild, Observability Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-OBS-51-001 | TODO | Publish metrics for ledger latency, projector lag, event throughput, and policy evaluation linkage. Define SLOs (ledger append P95 < 1s, replay lag < 30s) with burn-rate alerts and dashboards. | Findings Ledger Guild, DevOps Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-OBS-52-001 | TODO | Emit timeline events for ledger writes and projector commits (`ledger.event.appended`, `ledger.projection.updated`) with trace ID, policy version, evidence bundle reference placeholders. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-OBS-53-001 | TODO | Persist evidence bundle references (evaluation/job capsules) alongside ledger entries, exposing lookup API linking findings to evidence manifests and timeline. | Findings Ledger Guild, Evidence Locker Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-OBS-54-001 | TODO | Verify attestation references for ledger-derived exports; expose `/ledger/attestations` endpoint returning DSSE verification state and chain-of-custody summary. | Findings Ledger Guild, Provenance Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-OBS-55-001 | TODO | Enhance incident mode to record additional replay diagnostics (lag traces, conflict snapshots) and extend retention while active. Emit activation events to timeline + notifier. | Findings Ledger Guild, DevOps Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-PACKS-42-001 | TODO | Provide snapshot/time-travel APIs and digestable exports for task pack simulation and CLI offline mode. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-RISK-66-001 | TODO | Add schema migrations for `risk_score`, `risk_severity`, `profile_version`, `explanation_id`, and supporting indexes. | Findings Ledger Guild, Risk Engine Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-RISK-66-002 | TODO | Implement deterministic upsert of scoring results keyed by finding hash/profile version with history audit. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
[Policy & Reasoning] 120.B) Findings.III
Depends on: Sprint 120.B - Findings.II
Summary: Policy & Reasoning focus on Findings (phase III).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
LEDGER-RISK-67-001 | TODO | Expose query APIs for scored findings with score/severity filters, pagination, and explainability links. | Findings Ledger Guild, Risk Engine Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-RISK-68-001 | TODO | Enable export of scored findings and simulation results via Export Center integration. | Findings Ledger Guild, Export Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-RISK-69-001 | TODO | Emit metrics/dashboards for scoring latency, result freshness, severity distribution, provider gaps. | Findings Ledger Guild, Observability Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
LEDGER-TEN-48-001 | TODO | Partition ledger tables by tenant/project, enable RLS, update queries/events, and stamp audit metadata. | Findings Ledger Guild (src/Findings/StellaOps.Findings.Ledger/TASKS.md)
[Policy & Reasoning] 120.C) Policy.I
Depends on: Sprint 110.A - AdvisoryAI
Summary: Policy & Reasoning focus on Policy (phase I).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXPORT-CONSOLE-23-001 | TODO | Build evidence bundle/export generator producing signed manifests, CSV/JSON replay endpoints, and trace attachments; integrate with scheduler jobs and expose progress telemetry. | Policy Guild, Scheduler Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-AIRGAP-56-001 | TODO | Support policy pack imports from Mirror Bundles, track `bundle_id` metadata, and ensure deterministic caching. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-AIRGAP-56-002 | TODO | Export policy sub-bundles (`stella policy bundle export`) with DSSE signatures for outbound transfer. | Policy Guild, Policy Studio Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-AIRGAP-57-001 | TODO | Enforce sealed-mode guardrails in evaluation (no outbound fetch), surface `AIRGAP_EGRESS_BLOCKED` errors with remediation. | Policy Guild, AirGap Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-AIRGAP-57-002 | TODO | Annotate rule explanations with staleness information and fallback data (cached EPSS, vendor risk). | Policy Guild, AirGap Time Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-AIRGAP-58-001 | TODO | Emit notifications when policy packs near staleness thresholds or missing required bundles. | Policy Guild, Notifications Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-AOC-19-001 | TODO | Add Roslyn/CI lint preventing ingestion projects from referencing Policy merge/severity helpers; block forbidden writes at compile time. | Policy Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md)
POLICY-AOC-19-002 | TODO | Enforce `effective_finding_*` write gate ensuring only Policy Engine identity can create/update materializations. | Policy Guild, Platform Security (src/Policy/__Libraries/StellaOps.Policy/TASKS.md)
POLICY-AOC-19-003 | TODO | Update readers/processors to consume only `content.raw`, `identifiers`, and `linkset`. Remove dependencies on legacy normalized fields and refresh fixtures. | Policy Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md)
POLICY-AOC-19-004 | TODO | Add regression tests ensuring policy derived outputs remain deterministic when ingesting revised raw docs (supersedes) and when violations occur. | Policy Guild, QA Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md)
POLICY-ATTEST-73-001 | TODO | Introduce VerificationPolicy object: schema, persistence, versioning, and lifecycle. | Policy Guild, Attestor Service Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ATTEST-73-002 | TODO | Provide Policy Studio editor with validation, dry-run simulation, and version diff. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ATTEST-74-001 | TODO | Integrate verification policies into attestor verification pipeline with caching and waiver support. | Policy Guild, Attestor Service Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ATTEST-74-002 | TODO | Surface policy evaluations in Console verification reports with rule explanations. | Policy Guild, Console Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-CONSOLE-23-001 | TODO | Optimize findings/explain APIs for Console: cursor-based pagination at scale, global filter parameters (severity bands, policy version, time window), rule trace summarization, and aggregation hints for dashboard cards. Ensure deterministic ordering and expose provenance refs. | Policy Guild, BE-Base Platform Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
[Policy & Reasoning] 120.C) Policy.II
Depends on: Sprint 120.C - Policy.I
Summary: Policy & Reasoning focus on Policy (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
POLICY-CONSOLE-23-002 | TODO | Produce simulation diff metadata (before/after counts, severity deltas, rule impact summaries) and approval state endpoints consumed by Console policy workspace; expose RBAC-aware status transitions. | Policy Guild, Product Ops (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-20-002 | BLOCKED (2025-10-26) | Build deterministic evaluator honoring lexical/priority order, first-match semantics, and safe value types (no wall-clock/network access). | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-20-003 | TODO | Implement selection joiners resolving SBOMadvisoryVEX tuples using linksets and PURL equivalence tables, with deterministic batching. | Policy Guild, Concelier Core Guild, Excititor Core Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-20-004 | TODO | Ship materialization writer that upserts into `effective_finding_{policyId}` with append-only history, tenant scoping, and trace references. | Policy Guild, Platform Storage Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-20-005 | TODO | Enforce determinism guard banning wall-clock, RNG, and network usage during evaluation via static analysis + runtime sandbox. | Policy Guild, Security Engineering (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-20-006 | TODO | Implement incremental orchestrator reacting to advisory/vex/SBOM change streams and scheduling partial policy re-evaluations. | Policy Guild, Scheduler Worker Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-20-007 | TODO | Emit structured traces/logs of rule hits with sampling controls, metrics (`rules_fired_total`, `vex_overrides_total`), and expose explain trace exports. | Policy Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-20-008 | TODO | Add unit/property/golden/perf suites covering policy compilation, evaluation correctness, determinism, and SLA targets. | Policy Guild, QA Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-20-009 | TODO | Define Mongo schemas/indexes for `policies`, `policy_runs`, and `effective_finding_*`; implement migrations and tenant enforcement. | Policy Guild, Storage Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-27-001 | TODO | Extend compile outputs to include rule coverage metadata, symbol table, inline documentation, and rule index for editor autocomplete; persist deterministic hashes. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-27-002 | TODO | Enhance simulate endpoints to emit rule firing counts, heatmap aggregates, sampled explain traces with deterministic ordering, and delta summaries for quick/batch sims. | Policy Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-27-003 | TODO | Implement complexity/time limit enforcement with compiler scoring, configurable thresholds, and structured diagnostics (`ERR_POL_COMPLEXITY`). | Policy Guild, Security Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-27-004 | TODO | Update golden/property tests to cover new coverage metrics, symbol tables, explain traces, and complexity limits; provide fixtures for Registry/Console integration. | Policy Guild, QA Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-29-001 | TODO | Implement batch evaluation endpoint (`POST /policy/eval/batch`) returning determinations + rationale chain for sets of `(artifact,purl,version,advisory)` tuples; support pagination and cost budgets. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-29-002 | TODO | Provide streaming simulation API comparing two policy versions, returning per-finding deltas without writes; align determinism with Vuln Explorer simulation. | Policy Guild, Findings Ledger Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
[Policy & Reasoning] 120.C) Policy.III
Depends on: Sprint 120.C - Policy.II
Summary: Policy & Reasoning focus on Policy (phase III).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
POLICY-ENGINE-29-003 | TODO | Surface path/scope awareness in determinations (signal optional/dev/test downgrade, runtime boost) for Vuln Explorer display. | Policy Guild, SBOM Service Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-29-004 | TODO | Add metrics/logs for batch evaluation (latency, queue depth) and simulation diff counts; update dashboards. | Policy Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-30-001 | TODO | Define overlay contract for graph nodes/edges (status, severity, rationale refs, path relevance), expose projection API for Cartographer, and document schema versioning. | Policy Guild, Cartographer Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-30-002 | TODO | Implement simulation bridge returning on-the-fly overlays for Cartographer/Graph Explorer when invoking Policy Engine simulate; ensure no writes and deterministic outputs. | Policy Guild, Cartographer Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-30-003 | TODO | Emit change events (`policy.effective.updated`) with graph-friendly payloads so Cartographer overlay worker refreshes nodes/edges within 2 minutes. | Policy Guild, Scheduler Guild, Cartographer Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-30-101 | TODO | Surface trust weighting configuration (issuer base weights, signature modifiers, recency decay, scope adjustments) for VEX Lens via Policy Studio + API; ensure deterministic evaluation. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-31-001 | TODO | Expose policy knobs for Advisory AI (trust presets, temperature, token limits, plan ranking weights, TTLs) via Policy Studio and config APIs. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-31-002 | TODO | Provide batch endpoint delivering policy context (thresholds, obligations) consumed by Advisory AI remediation planner. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-32-101 | TODO | Define orchestrator `policy_eval` job schema, idempotency keys, and enqueue hooks triggered by advisory/VEX/SBOM events. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-33-101 | TODO | Implement orchestrator-driven policy evaluation workers using SDK heartbeats, respecting throttles, and emitting SLO metrics. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-34-101 | TODO | Publish policy run ledger exports + SLO burn-rate metrics to orchestrator; ensure provenance chain links to Findings Ledger. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-35-201 | TODO | Expose deterministic policy snapshot API and evaluated findings stream keyed by policy version for exporter consumption. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-38-201 | TODO | Emit enriched policy violation events (decision rationale ids, risk bands) via orchestrator event bus for Notifications Studio. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-40-001 | TODO | Update severity/status evaluation pipelines to consume multiple source severities per linkset, supporting selection strategies (max, preferred source, policy-defined). | Policy Guild, Concelier Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-40-002 | TODO | Accept VEX linkset conflicts and provide rationale references in effective findings; ensure explain traces cite observation IDs. | Policy Guild, Excititor Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
[Policy & Reasoning] 120.C) Policy.IV
Depends on: Sprint 120.C - Policy.III
Summary: Policy & Reasoning focus on Policy (phase IV).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
POLICY-ENGINE-40-003 | TODO | Provide API/SDK utilities for consumers (Web Scanner, Graph Explorer) to request policy decisions with source evidence summaries (top severity sources, conflict counts). | Policy Guild, Web Scanner Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-50-001 | TODO | Implement SPL compiler: validate YAML, canonicalize, produce signed bundle, store artifact in object storage, write `policy_revisions` with AOC metadata. | Policy Guild, Platform Security (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-50-002 | TODO | Build runtime evaluator executing compiled plans over advisory/vex linksets + SBOM asset metadata with deterministic caching (Redis) and fallback path. | Policy Guild, Runtime Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-50-003 | TODO | Implement evaluation/compilation metrics, tracing, and structured logs (`policy_eval_seconds`, `policy_compiles_total`, explanation sampling). | Policy Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-50-004 | TODO | Build event pipeline: subscribe to linkset/SBOM updates, schedule re-eval jobs, emit `policy.effective.updated` events with diff metadata. | Policy Guild, Platform Events Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-50-005 | TODO | Design and implement `policy_packs`, `policy_revisions`, `policy_runs`, `policy_artifacts` collections with indexes, TTL, and tenant scoping. | Policy Guild, Storage Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-50-006 | TODO | Implement explainer persistence + retrieval APIs linking decisions to explanation tree and AOC chain. | Policy Guild, QA Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-50-007 | TODO | Provide evaluation worker host/DI wiring and job orchestration hooks for batch re-evaluations after policy activation. | Policy Guild, Scheduler Worker Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-60-001 | TODO | Maintain Redis effective decision maps per asset/snapshot for Graph overlays; implement versioning and eviction strategy. | Policy Guild, SBOM Service Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-60-002 | TODO | Expose simulation bridge for Graph What-if APIs, supporting hypothetical SBOM diffs and draft policies without persisting results. | Policy Guild, BE-Base Platform Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-70-002 | TODO | Design and create Mongo collections (`exceptions`, `exception_reviews`, `exception_bindings`) with indexes and migrations; expose repository APIs. | Policy Guild, Storage Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-70-003 | TODO | Build Redis exception decision cache (`exceptions_effective_map`) with warm/invalidation logic reacting to `exception.*` events. | Policy Guild, Runtime Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-70-004 | TODO | Extend metrics/tracing/logging for exception application (latency, counts, expiring events) and include AOC references in logs. | Policy Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-70-005 | TODO | Provide APIs/workers hook for exception activation/expiry (auto start/end) and event emission (`exception.activated/expired`). | Policy Guild, Scheduler Worker Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-80-001 | TODO | Integrate reachability/exploitability inputs into evaluation pipeline (state/score/confidence) with caching and explain support. | Policy Guild, Signals Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
[Policy & Reasoning] 120.C) Policy.V
Depends on: Sprint 120.C - Policy.IV
Summary: Policy & Reasoning focus on Policy (phase V).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
POLICY-ENGINE-80-002 | TODO | Create joining layer to read `reachability_facts` efficiently (indexes, projections) and populate Redis overlay caches. | Policy Guild, Storage Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-80-003 | TODO | Extend SPL predicates/actions to reference reachability state/score/confidence; update compiler validation. | Policy Guild, Policy Editor Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-ENGINE-80-004 | TODO | Emit metrics (`policy_reachability_applied_total`, `policy_reachability_cache_hit_ratio`) and traces for signals usage. | Policy Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-OBS-50-001 | TODO | Integrate telemetry core into policy API + worker hosts, ensuring spans/logs cover compile/evaluate flows with `tenant_id`, `policy_version`, `decision_effect`, and trace IDs. | Policy Guild, Observability Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-OBS-51-001 | TODO | Emit golden-signal metrics (compile latency, evaluate latency, rule hits, override counts) and define SLOs (evaluation P95 <2s). Publish Grafana dashboards + burn-rate alert rules. | Policy Guild, DevOps Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-OBS-52-001 | TODO | Emit timeline events `policy.evaluate.started`, `policy.evaluate.completed`, `policy.decision.recorded` with trace IDs, input digests, and rule summary. Provide contract tests and retry semantics. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-OBS-53-001 | TODO | Produce evaluation evidence bundles (inputs slice, rule trace, engine version, config snapshot) through evidence locker integration; ensure redaction + deterministic manifests. | Policy Guild, Evidence Locker Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-OBS-54-001 | TODO | Generate DSSE attestations for evaluation outputs, expose `/evaluations/{id}/attestation`, and link attestation IDs in timeline + console. Provide verification harness. | Policy Guild, Provenance Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-OBS-55-001 | TODO | Implement incident mode sampling overrides (full rule trace capture, extended retention) with auto-activation on SLO breach and manual override API. Emit activation events to timeline + notifier. | Policy Guild, DevOps Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-RISK-66-001 | TODO | Develop initial JSON Schema for RiskProfile (signals, transforms, weights, severity, overrides) with validator stubs. | Risk Profile Schema Guild (src/Policy/StellaOps.Policy.RiskProfile/TASKS.md)
POLICY-RISK-66-002 | TODO | Implement inheritance/merge logic with conflict detection and deterministic content hashing. | Risk Profile Schema Guild (src/Policy/StellaOps.Policy.RiskProfile/TASKS.md)
POLICY-RISK-66-003 | TODO | Integrate RiskProfile schema into Policy Engine configuration, ensuring validation and default profile deployment. | Policy Guild, Risk Profile Schema Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-RISK-66-004 | TODO | Extend Policy libraries to load/save RiskProfile documents, compute content hashes, and surface validation diagnostics. | Policy Guild, Risk Profile Schema Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md)
POLICY-RISK-67-001 | TODO | Trigger scoring jobs on new/updated findings via Policy Engine orchestration hooks. | Policy Guild, Risk Engine Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-RISK-67-001 | TODO | Integrate profile storage and versioning into Policy Store with lifecycle states (draft/publish/deprecate). | Risk Profile Schema Guild, Policy Engine Guild (src/Policy/StellaOps.Policy.RiskProfile/TASKS.md)
[Policy & Reasoning] 120.C) Policy.VI
Depends on: Sprint 120.C - Policy.V
Summary: Policy & Reasoning focus on Policy (phase VI).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
POLICY-RISK-67-002 | TODO | Implement profile lifecycle APIs (`/risk/profiles` create/publish/deprecate) and scope attachment logic. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-RISK-67-002 | TODO | Publish `.well-known/risk-profile-schema` endpoint and CLI validation tooling. | Risk Profile Schema Guild (src/Policy/StellaOps.Policy.RiskProfile/TASKS.md)
POLICY-RISK-67-003 | TODO | Provide policy-layer APIs to trigger risk simulations and return distributions/contribution breakdowns. | Policy Guild, Risk Engine Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md)
POLICY-RISK-68-001 | TODO | Provide simulation API bridging Policy Studio with risk engine; returns distributions and top movers. | Policy Guild, Policy Studio Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-RISK-68-001 | TODO | Implement scope selectors, precedence rules, and Authority attachment APIs. | Risk Profile Schema Guild, Authority Guild (src/Policy/StellaOps.Policy.RiskProfile/TASKS.md)
POLICY-RISK-68-002 | TODO | Add override/adjustment support with audit metadata and validation for conflicting rules. | Risk Profile Schema Guild (src/Policy/StellaOps.Policy.RiskProfile/TASKS.md)
POLICY-RISK-68-002 | TODO | Enable exporting/importing RiskProfiles with signatures via policy tooling (CLI + API). | Policy Guild, Export Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md)
POLICY-RISK-69-001 | TODO | Emit events/notifications on profile publish, deprecate, and severity threshold changes. | Policy Guild, Notifications Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-RISK-70-001 | TODO | Support exporting/importing profiles with signatures for air-gapped bundles. | Policy Guild, Export Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
POLICY-SPL-23-001 | TODO | Define SPL v1 YAML + JSON Schema, including advisory rules, VEX precedence, severity mapping, exceptions, and layering metadata. Publish schema resources and validation fixtures. | Policy Guild, Language Infrastructure Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md)
POLICY-SPL-23-002 | TODO | Implement canonicalizer that normalizes policy packs (ordering, defaults), computes content hash, and prepares bundle metadata for AOC/signing. | Policy Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md)
POLICY-SPL-23-003 | TODO | Build policy layering/override engine (global/org/project/env/exception) with field-level precedence matrices; add unit/property tests. | Policy Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md)
POLICY-SPL-23-004 | TODO | Design explanation tree model (rule hits, inputs, decisions) and persistence structures reused by runtime, UI, and CLI. | Policy Guild, Audit Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md)
POLICY-SPL-23-005 | TODO | Create migration tool to snapshot existing behavior into baseline SPL packs (`org.core.baseline`), including policy docs and sample bundles. | Policy Guild, DevEx Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md)
POLICY-SPL-24-001 | TODO | Extend SPL schema to expose reachability/exploitability predicates and weighting functions; update documentation and fixtures. | Policy Guild, Signals Guild (src/Policy/__Libraries/StellaOps.Policy/TASKS.md)
[Policy & Reasoning] 120.C) Policy.VII
Depends on: Sprint 120.C - Policy.VI
Summary: Policy & Reasoning focus on Policy (phase VII).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
POLICY-TEN-48-001 | TODO | Add `tenant_id`/`project_id` columns, enable RLS, update evaluators to require tenant context, and emit rationale IDs including tenant metadata. | Policy Guild (src/Policy/StellaOps.Policy.Engine/TASKS.md)
REGISTRY-API-27-001 | TODO | Define OpenAPI specification covering workspaces, versions, reviews, simulations, promotions, and attestations; publish typed clients for Console/CLI. | Policy Registry Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md)
REGISTRY-API-27-002 | TODO | Implement workspace storage (Mongo collections, object storage buckets) with CRUD endpoints, diff history, and retention policies. | Policy Registry Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md)
REGISTRY-API-27-003 | TODO | Integrate compile endpoint: forward source bundle to Policy Engine, persist diagnostics, symbol table, rule index, and complexity metrics. | Policy Registry Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md)
REGISTRY-API-27-004 | TODO | Implement quick simulation API with request limits (sample size, timeouts), returning counts, heatmap, sampled explains. | Policy Registry Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md)
REGISTRY-API-27-005 | TODO | Build batch simulation orchestration: enqueue shards, collect partials, reduce deltas, produce evidence bundles + signed manifest. | Policy Registry Guild, Scheduler Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md)
REGISTRY-API-27-006 | TODO | Implement review workflow (comments, votes, required approvers, status transitions) with audit trails and webhooks. | Policy Registry Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md)
REGISTRY-API-27-007 | TODO | Implement publish pipeline: sign source/compiled digests, create attestations, mark version immutable, emit events. | Policy Registry Guild, Security Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md)
REGISTRY-API-27-008 | TODO | Implement promotion bindings per tenant/environment with canary subsets, rollback path, and environment history. | Policy Registry Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md)
REGISTRY-API-27-009 | TODO | Instrument metrics/logs/traces (compile time, diagnostics rate, sim queue depth, approval latency) and expose dashboards. | Policy Registry Guild, Observability Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md)
REGISTRY-API-27-010 | TODO | Build unit/integration/load test suites for compile/sim/review/publish/promote flows; provide seeded fixtures for CI. | Policy Registry Guild, QA Guild (src/Policy/StellaOps.Policy.Registry/TASKS.md)
[Policy & Reasoning] 120.D) RiskEngine
Depends on: Sprint 110.A - AdvisoryAI
Summary: Policy & Reasoning focus on RiskEngine).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
RISK-ENGINE-66-001 | TODO | Scaffold scoring service (job queue, worker loop, provider registry) with deterministic execution harness. | Risk Engine Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md)
RISK-ENGINE-66-002 | TODO | Implement default transforms (linear, minmax, logistic, piecewise), clamping, gating, and contribution calculator. | Risk Engine Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md)
RISK-ENGINE-67-001 | TODO | Integrate CVSS and KEV providers pulling data from Conseiller; implement reducers (`max`, `any`, `consensus`). | Risk Engine Guild, Concelier Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md)
RISK-ENGINE-67-002 | TODO | Integrate VEX gate provider and ensure gating short-circuits scoring as configured. | Risk Engine Guild, Excitator Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md)
RISK-ENGINE-67-003 | TODO | Add fix availability, asset criticality, and internet exposure providers with caching + TTL enforcement. | Risk Engine Guild, Policy Engine Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md)
RISK-ENGINE-68-001 | TODO | Persist scoring results + explanation pointers to Findings Ledger; handle incremental updates via input hash. | Risk Engine Guild, Findings Ledger Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md)
RISK-ENGINE-68-002 | TODO | Expose APIs (`/risk/jobs`, `/risk/results`, `/risk/results/{id}/explanation`); include pagination, filtering, error codes. | Risk Engine Guild, API Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md)
RISK-ENGINE-69-001 | TODO | Implement simulation mode producing distributions and top movers without mutating ledger. | Risk Engine Guild, Policy Studio Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md)
RISK-ENGINE-69-002 | TODO | Add telemetry (spans, metrics, logs) for provider latency, job throughput, cache hits; define SLO dashboards. | Risk Engine Guild, Observability Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md)
RISK-ENGINE-70-001 | TODO | Support offline provider bundles with manifest verification and missing-data reporting. | Risk Engine Guild, Export Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md)
RISK-ENGINE-70-002 | TODO | Integrate runtime evidence provider and reachability provider outputs with caching + TTL. | Risk Engine Guild, Observability Guild (src/RiskEngine/StellaOps.RiskEngine/TASKS.md)
[Policy & Reasoning] 120.E) VexLens.I
Depends on: Sprint 110.A - AdvisoryAI
Summary: Policy & Reasoning focus on VexLens (phase I).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
VEXLENS-30-001 | TODO | Implement normalization pipeline for CSAF VEX, OpenVEX, CycloneDX VEX (status mapping, justification mapping, product tree parsing). | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md)
VEXLENS-30-002 | TODO | Build product mapping library (CPE/CPE2.3/vendor tokens purl/version) with scope quality scoring and path metadata. | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md)
VEXLENS-30-003 | TODO | Integrate signature verification (Ed25519, DSSE, PKIX) using issuer keys, annotate evidence with verification state and failure reasons. | VEX Lens Guild, Issuer Directory Guild (src/VexLens/StellaOps.VexLens/TASKS.md)
VEXLENS-30-004 | TODO | Implement trust weighting engine (issuer base weights, signature modifiers, recency decay, justification modifiers, scope score adjustments) controlled by policy config. | VEX Lens Guild, Policy Guild (src/VexLens/StellaOps.VexLens/TASKS.md)
VEXLENS-30-005 | TODO | Implement consensus algorithm producing `consensus_state`, `confidence`, `weights`, `quorum`, `rationale`; support states: NOT_AFFECTED, AFFECTED, FIXED, UNDER_INVESTIGATION, DISPUTED, INCONCLUSIVE. | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md)
VEXLENS-30-006 | TODO | Materialize consensus projection storage with idempotent workers triggered by VEX/Policy changes; expose change events for downstream consumers. | VEX Lens Guild, Findings Ledger Guild (src/VexLens/StellaOps.VexLens/TASKS.md)
VEXLENS-30-007 | TODO | Expose APIs (`/vex/consensus`, `/vex/consensus/query`, `/vex/consensus/{id}`, `/vex/consensus/simulate`, `/vex/consensus/export`) with pagination, cost budgets, and OpenAPI docs. | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md)
VEXLENS-30-008 | TODO | Integrate consensus signals with Policy Engine (thresholds, suppression, simulation inputs) and Vuln Explorer detail view. | VEX Lens Guild, Policy Guild (src/VexLens/StellaOps.VexLens/TASKS.md)
VEXLENS-30-009 | TODO | Instrument metrics (`vex_consensus_compute_latency`, `vex_consensus_disputed_total`, `vex_signature_verification_rate`), structured logs, and traces; publish dashboards/alerts. | VEX Lens Guild, Observability Guild (src/VexLens/StellaOps.VexLens/TASKS.md)
VEXLENS-30-010 | TODO | Develop unit/property/integration/load tests (10M records), determinism harness, fuzz testing for malformed product trees. | VEX Lens Guild, QA Guild (src/VexLens/StellaOps.VexLens/TASKS.md)
VEXLENS-30-011 | TODO | Provide deployment manifests, caching configuration, scaling guides, offline kit seeds, and runbooks. | VEX Lens Guild, DevOps Guild (src/VexLens/StellaOps.VexLens/TASKS.md)
VEXLENS-AIAI-31-001 | TODO | Expose consensus rationale API enhancements (policy factors, issuer details, mapping issues) for Advisory AI conflict explanations. | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md)
VEXLENS-AIAI-31-002 | TODO | Provide caching hooks for consensus lookups used by Advisory AI (batch endpoints, TTL hints). | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md)
VEXLENS-EXPORT-35-001 | TODO | Provide consensus snapshot API delivering deterministic JSONL (state, confidence, provenance) for exporter mirror bundles. | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md)
VEXLENS-ORCH-33-001 | TODO | Register `consensus_compute` job type with orchestrator, integrate worker SDK, and expose job planning hooks for consensus batches. | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md)
[Policy & Reasoning] 120.E) VexLens.II
Depends on: Sprint 120.E - VexLens.I
Summary: Policy & Reasoning focus on VexLens (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
VEXLENS-ORCH-34-001 | TODO | Emit consensus completion events into orchestrator run ledger and provenance chain, including confidence metadata. | VEX Lens Guild (src/VexLens/StellaOps.VexLens/TASKS.md)
[Policy & Reasoning] 120.F) VulnExplorer
Depends on: Sprint 110.A - AdvisoryAI
Summary: Policy & Reasoning focus on VulnExplorer).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
VULN-API-29-001 | TODO | Define OpenAPI spec (list/detail/query/simulation/workflow/export), query JSON schema, pagination/grouping contracts, and error codes. | Vuln Explorer API Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md)
VULN-API-29-002 | TODO | Implement list/query endpoints with policy parameter, grouping, server paging, caching, and cost budgets. | Vuln Explorer API Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md)
VULN-API-29-003 | TODO | Implement detail endpoint aggregating evidence, policy rationale, paths (Graph Explorer deep link), and workflow summary. | Vuln Explorer API Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md)
VULN-API-29-004 | TODO | Expose workflow endpoints (assign, comment, accept-risk, verify-fix, target-fix, reopen) that write ledger events with idempotency + validation. | Vuln Explorer API Guild, Findings Ledger Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md)
VULN-API-29-005 | TODO | Implement simulation endpoint comparing `policy_from` vs `policy_to`, returning diffs without side effects; hook into Policy Engine batch eval. | Vuln Explorer API Guild, Policy Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md)
VULN-API-29-006 | TODO | Integrate resolver results with Graph Explorer: include shortest path metadata, line up deep-link parameters, expose `paths` array in details. | Vuln Explorer API Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md)
VULN-API-29-007 | TODO | Enforce RBAC/ABAC scopes; implement CSRF/anti-forgery checks for Console; secure attachment URLs; audit logging. | Vuln Explorer API Guild, Security Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md)
VULN-API-29-008 | TODO | Build export orchestrator producing signed bundles (manifest, NDJSON, checksums, signature). Integrate with Findings Ledger for evidence and Policy Engine metadata. | Vuln Explorer API Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md)
VULN-API-29-009 | TODO | Instrument metrics (`vuln_list_latency`, `vuln_simulation_latency`, `vuln_export_duration`, `vuln_workflow_events_total`), structured logs, and traces; publish dashboards/alerts. | Vuln Explorer API Guild, Observability Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md)
VULN-API-29-010 | TODO | Provide unit/integration/perf tests (5M findings), fuzz query validation, determinism harness comparing repeated queries. | Vuln Explorer API Guild, QA Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md)
VULN-API-29-011 | TODO | Package deployment (Helm/Compose), health checks, CI smoke, offline kit steps, and scaling guidance. | Vuln Explorer API Guild, DevOps Guild (src/VulnExplorer/StellaOps.VulnExplorer.Api/TASKS.md)
If all tasks are done - read next sprint section - SPRINT_130_scanner_surface.md

169
docs/implplan/SPRINT_130_scanner_surface.md Normal file
View File

@@ -0,0 +1,169 @@
# Sprint 130 - Scanner & Surface
[Scanner & Surface] 130.A) Scanner.I
Depends on: Sprint 110.A - AdvisoryAI
Summary: Scanner & Surface focus on Scanner (phase I).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
5 | SCANNER-ANALYZERS-LANG-10-308R | Determinism fixtures + performance benchmarks; compare against competitor heuristic coverage. | TODO (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md)
6 | SCANNER-ANALYZERS-LANG-10-309R | Package plug-in manifest + Offline Kit documentation; ensure Worker integration. | TODO (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md)
ENTRYTRACE-SURFACE-01 | TODO | Run Surface.Validation prereq checks and resolve cached entry fragments via Surface.FS to avoid duplicate parsing. | EntryTrace Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md)
ENTRYTRACE-SURFACE-02 | TODO | Replace direct env/secret access with Surface.Secrets provider when tracing runtime configs. | EntryTrace Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md)
LANG-SURFACE-01 | TODO | Invoke Surface.Validation checks (env/cache/secrets) before analyzer execution to ensure consistent prerequisites. | Language Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md)
LANG-SURFACE-02 | TODO | Consume Surface.FS APIs for layer/source caching (instead of bespoke caches) to improve determinism. | Language Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md)
LANG-SURFACE-03 | TODO | Replace direct secret/env reads with Surface.Secrets references when fetching package feeds or registry creds. | Language Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang/TASKS.md)
SCANNER-ANALYZERS-DENO-26-001 | TODO | Build input normalizer & VFS for Deno projects: merge `deno.json(c)`, import maps, lockfiles, vendor dirs, `$DENO_DIR` caches, and container layers. Detect runtime/toolchain hints deterministically. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md)
SCANNER-ANALYZERS-DENO-26-002 | TODO | Module graph builder: resolve static/dynamic imports using import map, `deno.lock`, vendor/, cache, npm bridge, node: builtins, WASM/JSON assertions. Annotate edges with resolution source and form. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md)
SCANNER-ANALYZERS-DENO-26-003 | TODO | NPM/Node compat adapter: map `npm:` specifiers to cached packages or compat `node_modules`, evaluate package `exports`/conditions, record node: builtin usage. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md)
SCANNER-ANALYZERS-DENO-26-004 | TODO | Static analyzer for permission/capability signals (FS, net, env, process, crypto, FFI, workers). Detect dynamic-import patterns, literal fetch URLs, tasks vs declared permissions. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md)
SCANNER-ANALYZERS-DENO-26-005 | TODO | Bundle/binary inspector: parse eszip bundles and `deno compile` executables (embedded eszip + snapshot) to recover module graph, config, embedded resources. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md)
SCANNER-ANALYZERS-DENO-26-006 | TODO | Container adapter: traverse OCI layers for `deno`, caches, vendor directories, compiled binaries; merge module provenance with layer info. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md)
SCANNER-ANALYZERS-DENO-26-007 | TODO | Produce AOC-compliant observations: entrypoints, modules, edges, permissions, workers, warnings, binaries with reason codes and contexts. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md)
SCANNER-ANALYZERS-DENO-26-008 | TODO | Fixture suite + performance benchmarks (vendor, npm, FFI, workers, dynamic import, bundle/binary, cache-only, container). | Deno Analyzer Guild, QA Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md)
[Scanner & Surface] 130.A) Scanner.II
Depends on: Sprint 130.A - Scanner.I
Summary: Scanner & Surface focus on Scanner (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
SCANNER-ANALYZERS-DENO-26-009 | TODO | Optional runtime evidence hooks (loader/require shim) capturing module loads + permissions during harnessed execution with path hashing. | Deno Analyzer Guild, Signals Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md)
SCANNER-ANALYZERS-DENO-26-010 | TODO | Package analyzer plug-in, add CLI (`stella deno inspect | Deno Analyzer Guild, DevOps Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md)
SCANNER-ANALYZERS-DENO-26-011 | TODO | Policy signal emitter: net/fs/env/ffi/process/crypto capabilities, remote origin list, npm usage, wasm modules, dynamic-import warnings. | Deno Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Deno/TASKS.md)
SCANNER-ANALYZERS-JAVA-21-005 | TODO | Framework config extraction: Spring Boot imports, spring.factories, application properties/yaml, Jakarta web.xml & fragments, JAX-RS/JPA/CDI/JAXB configs, logging files, Graal native-image configs. | Java Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md)
SCANNER-ANALYZERS-JAVA-21-006 | TODO | JNI/native hint scanner: detect native methods, System.load/Library literals, bundled native libs, Graal JNI configs; emit `jni-load` edges for native analyzer correlation. | Java Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md)
SCANNER-ANALYZERS-JAVA-21-007 | TODO | Signature and manifest metadata collector: verify JAR signature structure, capture signers, manifest loader attributes (Main-Class, Agent-Class, Start-Class, Class-Path). | Java Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md)
SCANNER-ANALYZERS-JAVA-21-008 | BLOCKED (2025-10-27) | Implement resolver + AOC writer: produce entrypoints (env profiles, warnings), components (jar_id + semantic ids), edges (jpms, cp, spi, reflect, jni) with reason codes/confidence. | Java Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md)
SCANNER-ANALYZERS-JAVA-21-009 | TODO | Author comprehensive fixtures (modular app, boot fat jar, war, ear, MR-jar, jlink image, JNI, reflection heavy, signed jar, microprofile) with golden outputs and perf benchmarks. | Java Analyzer Guild, QA Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md)
SCANNER-ANALYZERS-JAVA-21-010 | TODO | Optional runtime ingestion: Java agent + JFR reader capturing class load, ServiceLoader, and System.load events with path scrubbing. Emit append-only runtime edges `runtime-class`/`runtime-spi`/`runtime-load`. | Java Analyzer Guild, Signals Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md)
SCANNER-ANALYZERS-JAVA-21-011 | TODO | Package analyzer as restart-time plug-in (manifest/DI), update Offline Kit docs, add CLI/worker hooks for Java inspection commands. | Java Analyzer Guild, DevOps Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/TASKS.md)
SCANNER-ANALYZERS-LANG-11-001 | TODO | Build entrypoint resolver that maps project/publish artifacts to entrypoint identities (assembly name, MVID, TFM, RID) and environment profiles (publish mode, host kind, probing paths). Output normalized `entrypoints[]` records with deterministic IDs. | StellaOps.Scanner EPDR Guild, Language Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md)
SCANNER-ANALYZERS-LANG-11-002 | TODO | Implement static analyzer (IL + reflection heuristics) capturing AssemblyRef, ModuleRef/PInvoke, DynamicDependency, reflection literals, DI patterns, and custom AssemblyLoadContext probing hints. Emit dependency edges with reason codes and confidence. | StellaOps.Scanner EPDR Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md)
SCANNER-ANALYZERS-LANG-11-003 | TODO | Ingest optional runtime evidence (AssemblyLoad, Resolving, P/Invoke) via event listener harness; merge runtime edges with static/declared ones and attach reason codes/confidence. | StellaOps.Scanner EPDR Guild, Signals Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md)
SCANNER-ANALYZERS-LANG-11-004 | TODO | Produce normalized observation export to Scanner writer: entrypoints + dependency edges + environment profiles (AOC compliant). Wire to SBOM service entrypoint tagging. | StellaOps.Scanner EPDR Guild, SBOM Service Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md)
SCANNER-ANALYZERS-LANG-11-005 | TODO | Add comprehensive fixtures/benchmarks covering framework-dependent, self-contained, single-file, trimmed, NativeAOT, multi-RID scenarios; include explain traces and perf benchmarks vs previous analyzer. | StellaOps.Scanner EPDR Guild, QA Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md)
[Scanner & Surface] 130.A) Scanner.III
Depends on: Sprint 130.A - Scanner.II
Summary: Scanner & Surface focus on Scanner (phase III).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
SCANNER-ANALYZERS-NATIVE-20-001 | TODO | Implement format detector and binary identity model supporting ELF, PE/COFF, and Mach-O (including fat slices). Capture arch, OS, build-id/UUID, interpreter metadata. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md)
SCANNER-ANALYZERS-NATIVE-20-002 | TODO | Parse ELF dynamic sections: `DT_NEEDED`, `DT_RPATH`, `DT_RUNPATH`, symbol versions, interpreter, and note build-id. Emit declared dependency records with reason `elf-dtneeded` and attach version needs. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md)
SCANNER-ANALYZERS-NATIVE-20-003 | TODO | Parse PE imports, delay-load tables, manifests/SxS metadata, and subsystem flags. Emit edges with reasons `pe-import` and `pe-delayimport`, plus SxS policy metadata. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md)
SCANNER-ANALYZERS-NATIVE-20-004 | TODO | Parse Mach-O load commands (`LC_LOAD_DYLIB`, `LC_REEXPORT_DYLIB`, `LC_RPATH`, `LC_UUID`, fat headers). Handle `@rpath/@loader_path` placeholders and slice separation. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md)
SCANNER-ANALYZERS-NATIVE-20-005 | TODO | Implement resolver engine modeling loader search order for ELF (rpath/runpath/cache/default), PE (SafeDll search + SxS), and Mach-O (`@rpath` expansion). Works against virtual image roots, producing explain traces. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md)
SCANNER-ANALYZERS-NATIVE-20-006 | TODO | Build heuristic scanner for `dlopen`/`LoadLibrary` strings, plugin ecosystem configs, and Go/Rust static hints. Emit edges with `reason_code` (`string-dlopen`, `config-plugin`, `ecosystem-heuristic`) and confidence levels. | Native Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md)
SCANNER-ANALYZERS-NATIVE-20-007 | TODO | Serialize AOC-compliant observations: entrypoints + dependency edges + environment profiles (search paths, interpreter, loader metadata). Integrate with Scanner writer API. | Native Analyzer Guild, SBOM Service Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md)
SCANNER-ANALYZERS-NATIVE-20-008 | TODO | Author cross-platform fixtures (ELF dynamic/static, PE delay-load/SxS, Mach-O @rpath, plugin configs) and determinism benchmarks (<25 ms / binary, <250 MB). | Native Analyzer Guild, QA Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md)
SCANNER-ANALYZERS-NATIVE-20-009 | TODO | Provide optional runtime capture adapters (Linux eBPF `dlopen`, Windows ETW ImageLoad, macOS dyld interpose) writing append-only runtime evidence. Include redaction/sandbox guidance. | Native Analyzer Guild, Signals Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md)
SCANNER-ANALYZERS-NATIVE-20-010 | TODO | Package native analyzer as restart-time plug-in with manifest/DI registration; update Offline Kit bundle + documentation. | Native Analyzer Guild, DevOps Guild (src/Scanner/StellaOps.Scanner.Analyzers.Native/TASKS.md)
SCANNER-ANALYZERS-NODE-22-001 | TODO | Build input normalizer + VFS for Node projects: dirs, tgz, container layers, pnpm store, Yarn PnP zips; detect Node version targets (`.nvmrc`, `.node-version`, Dockerfile) and workspace roots deterministically. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md)
SCANNER-ANALYZERS-NODE-22-002 | TODO | Implement entrypoint discovery (bin/main/module/exports/imports, workers, electron, shebang scripts) and condition set builder per entrypoint. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md)
SCANNER-ANALYZERS-NODE-22-003 | TODO | Parse JS/TS sources for static `import`, `require`, `import()` and string concat cases; flag dynamic patterns with confidence levels; support source map de-bundling. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md)
SCANNER-ANALYZERS-NODE-22-004 | TODO | Implement Node resolver engine for CJS + ESM (core modules, exports/imports maps, conditions, extension priorities, self-references) parameterised by node_version. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md)
SCANNER-ANALYZERS-NODE-22-005 | TODO | Add package manager adapters: Yarn PnP (.pnp.data/.pnp.cjs), pnpm virtual store, npm/Yarn classic hoists; operate entirely in virtual FS. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md)
[Scanner & Surface] 130.A) Scanner.IV
Depends on: Sprint 130.A - Scanner.III
Summary: Scanner & Surface focus on Scanner (phase IV).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
SCANNER-ANALYZERS-NODE-22-006 | TODO | Detect bundles + source maps, reconstruct module specifiers, and correlate to original paths; support dual CJS/ESM graphs with conditions. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md)
SCANNER-ANALYZERS-NODE-22-007 | TODO | Scan for native addons (.node), WASM modules, and core capability signals (child_process, vm, worker_threads); emit hint edges and native metadata. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md)
SCANNER-ANALYZERS-NODE-22-008 | TODO | Produce AOC-compliant observations: entrypoints, components (pkg/native/wasm), edges (esm-import, cjs-require, exports, json, native-addon, wasm, worker) with reason codes/confidence and resolver traces. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md)
SCANNER-ANALYZERS-NODE-22-009 | TODO | Author fixture suite + performance benchmarks (npm, pnpm, PnP, bundle, electron, worker) with golden outputs and latency budgets. | Node Analyzer Guild, QA Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md)
SCANNER-ANALYZERS-NODE-22-010 | TODO | Implement optional runtime evidence hooks (ESM loader, CJS require hook) with path scrubbing and loader ID hashing; emit runtime-* edges. | Node Analyzer Guild, Signals Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md)
SCANNER-ANALYZERS-NODE-22-011 | TODO | Package updated analyzer as restart-time plug-in, expose Scanner CLI (`stella node *`) commands, refresh Offline Kit documentation. | Node Analyzer Guild, DevOps Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md)
SCANNER-ANALYZERS-NODE-22-012 | TODO | Integrate container filesystem adapter (OCI layers, Dockerfile hints) and record NODE_OPTIONS/env warnings. | Node Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md)
SCANNER-ANALYZERS-PHP-27-001 | TODO | Build input normalizer & VFS for PHP projects: merge source trees, composer manifests, vendor/, php.ini/conf.d, `.htaccess`, FPM configs, container layers. Detect framework/CMS fingerprints deterministically. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md)
SCANNER-ANALYZERS-PHP-27-002 | TODO | Composer/Autoload analyzer: parse composer.json/lock/installed.json, generate package nodes, autoload edges (psr-4/0/classmap/files), bin entrypoints, composer plugins. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md)
SCANNER-ANALYZERS-PHP-27-003 | TODO | Include/require graph builder: resolve static includes, capture dynamic include patterns, bootstrap chains, merge with autoload edges. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md)
SCANNER-ANALYZERS-PHP-27-004 | TODO | Runtime capability scanner: detect exec/fs/net/env/serialization/crypto/database usage, stream wrappers, uploads; record evidence snippets. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md)
SCANNER-ANALYZERS-PHP-27-005 | TODO | PHAR/Archive inspector: parse phar manifests/stubs, hash files, detect embedded vendor trees and phar:// usage. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md)
SCANNER-ANALYZERS-PHP-27-006 | TODO | Framework/CMS surface mapper: extract routes, controllers, middleware, CLI/cron entrypoints for Laravel/Symfony/Slim/WordPress/Drupal/Magento. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md)
SCANNER-ANALYZERS-PHP-27-007 | TODO | Container & extension detector: parse php.ini/conf.d, map extensions to .so/.dll, collect web server/FPM settings, upload limits, disable_functions. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md)
SCANNER-ANALYZERS-PHP-27-008 | TODO | Produce AOC-compliant observations: entrypoints, packages, extensions, modules, edges (require/autoload), capabilities, routes, configs. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md)
[Scanner & Surface] 130.A) Scanner.V
Depends on: Sprint 130.A - Scanner.IV
Summary: Scanner & Surface focus on Scanner (phase V).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
SCANNER-ANALYZERS-PHP-27-009 | TODO | Fixture suite + performance benchmarks (Laravel, Symfony, WordPress, legacy, PHAR, container) with golden outputs. | PHP Analyzer Guild, QA Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md)
SCANNER-ANALYZERS-PHP-27-010 | TODO | Optional runtime evidence hooks (if provided) to ingest audit logs or opcode cache stats with path hashing. | PHP Analyzer Guild, Signals Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md)
SCANNER-ANALYZERS-PHP-27-011 | TODO | Package analyzer plug-in, add CLI (`stella php inspect | PHP Analyzer Guild, DevOps Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md)
SCANNER-ANALYZERS-PHP-27-012 | TODO | Policy signal emitter: extension requirements/presence, dangerous constructs counters, stream wrapper usage, capability summaries. | PHP Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Php/TASKS.md)
SCANNER-ANALYZERS-PYTHON-23-001 | TODO | Build input normalizer & virtual filesystem for wheels, sdists, editable installs, zipapps, site-packages trees, and container roots. Detect Python version targets (`pyproject.toml`, `runtime.txt`, Dockerfile) + virtualenv layout deterministically. | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md)
SCANNER-ANALYZERS-PYTHON-23-002 | TODO | Entrypoint discovery: module `__main__`, console_scripts entry points, `scripts`, zipapp main, `manage.py`/gunicorn/celery patterns. Capture invocation context (module vs package, argv wrappers). | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md)
SCANNER-ANALYZERS-PYTHON-23-003 | TODO | Static import graph builder using AST and bytecode fallback. Support `import`, `from ... import`, relative imports, `importlib.import_module`, `__import__` with literal args, `pkgutil.extend_path`. | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md)
SCANNER-ANALYZERS-PYTHON-23-004 | TODO | Python resolver engine (importlib semantics) handling namespace packages (PEP 420), package discovery order, `.pth` files, `sys.path` composition, zipimport, and site-packages precedence across virtualenv/container roots. | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md)
SCANNER-ANALYZERS-PYTHON-23-005 | TODO | Packaging adapters: pip editable (`.egg-link`), Poetry/Flit layout, Conda prefix, `.dist-info/RECORD` cross-check, container layer overlays. | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md)
SCANNER-ANALYZERS-PYTHON-23-006 | TODO | Detect native extensions (`*.so`, `*.pyd`), CFFI modules, ctypes loaders, embedded WASM, and runtime capability signals (subprocess, multiprocessing, ctypes, eval). | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md)
SCANNER-ANALYZERS-PYTHON-23-007 | TODO | Framework/config heuristics: Django, Flask, FastAPI, Celery, AWS Lambda handlers, Gunicorn, Click/Typer CLIs, logging configs, pyproject optional dependencies. Tagged as hints only. | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md)
SCANNER-ANALYZERS-PYTHON-23-008 | TODO | Produce AOC-compliant observations: entrypoints, components (modules/packages/native), edges (import, namespace, dynamic-hint, native-extension) with reason codes/confidence and resolver traces. | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md)
SCANNER-ANALYZERS-PYTHON-23-009 | TODO | Fixture suite + perf benchmarks covering virtualenv, namespace packages, zipapp, editable installs, containers, lambda handler. | Python Analyzer Guild, QA Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md)
SCANNER-ANALYZERS-PYTHON-23-010 | TODO | Optional runtime evidence: import hook capturing module load events with path scrubbing, optional bytecode instrumentation for `importlib` hooks, multiprocessing tracer. | Python Analyzer Guild, Signals Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md)
SCANNER-ANALYZERS-PYTHON-23-011 | TODO | Package analyzer plug-in, add CLI commands (`stella python inspect | Python Analyzer Guild, DevOps Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md)
[Scanner & Surface] 130.A) Scanner.VI
Depends on: Sprint 130.A - Scanner.V
Summary: Scanner & Surface focus on Scanner (phase VI).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
SCANNER-ANALYZERS-PYTHON-23-012 | TODO | Container/zipapp adapter enhancements: parse OCI layers for Python runtime, detect `PYTHONPATH`/`PYTHONHOME` env, record warnings for sitecustomize/startup hooks. | Python Analyzer Guild (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md)
SCANNER-ANALYZERS-RUBY-28-001 | TODO | Build input normalizer & VFS for Ruby projects: merge source trees, Gemfile/Gemfile.lock, vendor/bundle, .gem archives, `.bundle/config`, Rack configs, containers. Detect framework/job fingerprints deterministically. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md)
SCANNER-ANALYZERS-RUBY-28-002 | TODO | Gem & Bundler analyzer: parse Gemfile/Gemfile.lock, vendor specs, .gem archives, produce package nodes (PURLs), dependency edges, bin scripts, Bundler group metadata. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md)
SCANNER-ANALYZERS-RUBY-28-003 | TODO | Require/autoload graph builder: resolve static/dynamic require, require_relative, load; infer Zeitwerk autoload paths and Rack boot chain. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md)
SCANNER-ANALYZERS-RUBY-28-004 | TODO | Framework surface mapper: extract routes/controllers/middleware for Rails/Rack/Sinatra/Grape/Hanami; inventory jobs/schedulers (Sidekiq, Resque, ActiveJob, whenever, clockwork). | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md)
SCANNER-ANALYZERS-RUBY-28-005 | TODO | Capability analyzer: detect os-exec, filesystem, network, serialization, crypto, DB usage, TLS posture, dynamic eval; record evidence snippets with file/line. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md)
SCANNER-ANALYZERS-RUBY-28-006 | TODO | Rake task & scheduler analyzer: parse Rakefiles/lib/tasks, capture task names/prereqs/shell commands; parse Sidekiq/whenever/clockwork configs into schedules. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md)
SCANNER-ANALYZERS-RUBY-28-007 | TODO | Container/runtime scanner: detect Ruby version, installed gems, native extensions, web server configs in OCI layers. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md)
SCANNER-ANALYZERS-RUBY-28-008 | TODO | Produce AOC-compliant observations: entrypoints, packages, modules, edges (require/autoload), routes, jobs, tasks, capabilities, configs, warnings. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md)
SCANNER-ANALYZERS-RUBY-28-009 | TODO | Fixture suite + performance benchmarks (Rails, Rack, Sinatra, Sidekiq, legacy, .gem, container) with golden outputs. | Ruby Analyzer Guild, QA Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md)
SCANNER-ANALYZERS-RUBY-28-010 | TODO | Optional runtime evidence integration (if provided logs/metrics) with path hashing, without altering static precedence. | Ruby Analyzer Guild, Signals Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md)
SCANNER-ANALYZERS-RUBY-28-011 | TODO | Package analyzer plug-in, add CLI (`stella ruby inspect | Ruby Analyzer Guild, DevOps Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md)
SCANNER-ANALYZERS-RUBY-28-012 | TODO | Policy signal emitter: rubygems drift, native extension flags, dangerous constructs counts, TLS verify posture, dynamic require eval warnings. | Ruby Analyzer Guild (src/Scanner/StellaOps.Scanner.Analyzers.Lang.Ruby/TASKS.md)
SCANNER-ENTRYTRACE-18-502 | TODO | Expand chain walker with init shim/user-switch/supervisor recognition plus env/workdir accumulation and guarded edges. | EntryTrace Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md)
SCANNER-ENTRYTRACE-18-503 | TODO | Introduce target classifier + EntryPlan handoff with confidence scoring for ELF/Java/.NET/Node/Python and user/workdir context. | EntryTrace Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md)
[Scanner & Surface] 130.A) Scanner.VII
Depends on: Sprint 130.A - Scanner.VI
Summary: Scanner & Surface focus on Scanner (phase VII).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
SCANNER-ENTRYTRACE-18-504 | TODO | Emit EntryTrace AOC NDJSON (`entrytrace.entry/node/edge/target/warning/capability`) and wire CLI/service streaming outputs. | EntryTrace Guild (src/Scanner/__Libraries/StellaOps.Scanner.EntryTrace/TASKS.md)
SCANNER-ENV-01 | TODO | Replace ad-hoc environment reads with `StellaOps.Scanner.Surface.Env` helpers for cache roots and CAS endpoints. | Scanner Worker Guild (src/Scanner/StellaOps.Scanner.Worker/TASKS.md)
SCANNER-ENV-02 | TODO | Wire Surface.Env helpers into WebService hosting (cache roots, feature flags) and document configuration. | Scanner WebService Guild, Ops Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md)
SCANNER-ENV-03 | TODO | Adopt Surface.Env helpers for plugin configuration (cache roots, CAS endpoints, feature toggles). | BuildX Plugin Guild (src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md)
SCANNER-EVENTS-16-301 | BLOCKED (2025-10-26) | Emit orchestrator-compatible envelopes (`scanner.event.*`) and update integration tests to verify Notifier ingestion (no Redis queue coupling). | Scanner WebService Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md)
SCANNER-EVENTS-16-302 | DOING (2025-10-26) | Extend orchestrator event links (report/policy/attestation) once endpoints are finalised across gateway + console. | Scanner WebService Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md)
SCANNER-GRAPH-21-001 | TODO | Provide webhook/REST endpoint for Cartographer to request policy overlays and runtime evidence for graph nodes, ensuring determinism and tenant scoping. | Scanner WebService Guild, Cartographer Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md)
SCANNER-LNM-21-001 | TODO | Update `/reports` and `/policy/runtime` payloads to consume advisory/vex linksets, exposing source severity arrays and conflict summaries alongside effective verdicts. | Scanner WebService Guild, Policy Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md)
SCANNER-LNM-21-002 | TODO | Add evidence endpoint for Console to fetch linkset summaries with policy overlay for a component/SBOM, including AOC references. | Scanner WebService Guild, UI Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md)
SCANNER-SECRETS-01 | TODO | Adopt `StellaOps.Scanner.Surface.Secrets` for registry/CAS credentials during scan execution. | Scanner Worker Guild, Security Guild (src/Scanner/StellaOps.Scanner.Worker/TASKS.md)
SCANNER-SECRETS-02 | TODO | Replace ad-hoc secret wiring with Surface.Secrets for report/export operations (registry and CAS tokens). | Scanner WebService Guild, Security Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md)
SCANNER-SECRETS-03 | TODO | Use Surface.Secrets to retrieve registry credentials when interacting with CAS/referrers. | BuildX Plugin Guild, Security Guild (src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md)
SCANNER-SURFACE-01 | TODO | Persist Surface.FS manifests after analyzer stages, including layer CAS metadata and EntryTrace fragments. | Scanner Worker Guild (src/Scanner/StellaOps.Scanner.Worker/TASKS.md)
SCANNER-SURFACE-02 | TODO | Publish Surface.FS pointers (CAS URIs, manifests) via scan/report APIs and update attestation metadata. | Scanner WebService Guild (src/Scanner/StellaOps.Scanner.WebService/TASKS.md)
SCANNER-SURFACE-03 | TODO | Push layer manifests and entry fragments into Surface.FS during build-time SBOM generation. | BuildX Plugin Guild (src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/TASKS.md)
[Scanner & Surface] 130.A) Scanner.VIII
Depends on: Sprint 130.A - Scanner.VII
Summary: Scanner & Surface focus on Scanner (phase VIII).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
Seq | ID | Description | Status (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.DotNet/TASKS.md)
Seq | ID | Description | Status (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Go/TASKS.md)
Seq | ID | Description | Status (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Node/TASKS.md)
Seq | ID | Description | Status (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/TASKS.md)
Seq | ID | Description | Status (src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Rust/TASKS.md)
If all tasks are done - read next sprint section - SPRINT_140_runtime_signals.md

65
docs/implplan/SPRINT_140_runtime_signals.md Normal file
View File

@@ -0,0 +1,65 @@
# Sprint 140 - Runtime & Signals
[Runtime & Signals] 140.A) Graph
Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner
Summary: Runtime & Signals focus on Graph).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
GRAPH-INDEX-28-001 | TODO | Define canonical node/edge schemas, attribute dictionaries, identity rules, and seed fixtures; publish schema doc. | Graph Indexer Guild (src/Graph/StellaOps.Graph.Indexer/TASKS.md)
GRAPH-INDEX-28-002 | TODO | Implement SBOM ingest consumer producing artifact/package/file nodes and edges with `valid_from/valid_to`, scope metadata, and provenance links. | Graph Indexer Guild (src/Graph/StellaOps.Graph.Indexer/TASKS.md)
GRAPH-INDEX-28-003 | TODO | Project Concelier linksets into overlay tiles (`affected_by` edges, evidence refs) without mutating source observations; keep advisory aggregates in overlay store only. | Graph Indexer Guild (src/Graph/StellaOps.Graph.Indexer/TASKS.md)
GRAPH-INDEX-28-004 | TODO | Integrate VEX statements (`vex_exempts` edges) with justification metadata and precedence markers for overlays. | Graph Indexer Guild (src/Graph/StellaOps.Graph.Indexer/TASKS.md)
GRAPH-INDEX-28-005 | TODO | Hydrate policy overlays into graph (`governs_with` nodes/edges) referencing effective findings and explain hashes for sampled nodes. | Graph Indexer Guild, Policy Guild (src/Graph/StellaOps.Graph.Indexer/TASKS.md)
GRAPH-INDEX-28-006 | TODO | Generate graph snapshots per SBOM with lineage (`derived_from`), adjacency manifests, and metadata for diff jobs. | Graph Indexer Guild (src/Graph/StellaOps.Graph.Indexer/TASKS.md)
GRAPH-INDEX-28-007 | TODO | Implement clustering/centrality background jobs (Louvain/degree/betweenness approximations) with configurable schedules and store cluster ids on nodes. | Graph Indexer Guild, Observability Guild (src/Graph/StellaOps.Graph.Indexer/TASKS.md)
GRAPH-INDEX-28-008 | TODO | Provide incremental update + backfill pipeline with change streams, retry/backoff, idempotent operations, and backlog metrics. | Graph Indexer Guild (src/Graph/StellaOps.Graph.Indexer/TASKS.md)
GRAPH-INDEX-28-009 | TODO | Add unit/property/integration tests, synthetic large graph fixtures, chaos testing (missing overlays, cycles), and determinism checks across runs. | Graph Indexer Guild, QA Guild (src/Graph/StellaOps.Graph.Indexer/TASKS.md)
GRAPH-INDEX-28-010 | TODO | Package deployment artifacts (Helm/Compose), offline seed bundles, and configuration docs; integrate Offline Kit. | Graph Indexer Guild, DevOps Guild (src/Graph/StellaOps.Graph.Indexer/TASKS.md)
[Runtime & Signals] 140.B) SbomService
Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner
Summary: Runtime & Signals focus on SbomService).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
SBOM-AIAI-31-001 | TODO | Provide `GET /sbom/paths?purl=...` and version timeline endpoints optimized for Advisory AI (incl. env flags, blast radius metadata). | SBOM Service Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-AIAI-31-002 | TODO | Instrument metrics for path/timeline queries (latency, cache hit rate) and surface dashboards. | SBOM Service Guild, Observability Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-CONSOLE-23-001 | TODO | Provide Console-focused SBOM catalog API (`/console/sboms`) with filters (artifact, license, scope, asset tags), pagination cursors, evaluation metadata, and immutable JSON projections for raw view drawer. Document schema + determinism guarantees. | SBOM Service Guild, Cartographer Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-CONSOLE-23-002 | TODO | Deliver component lookup endpoints powering global search and Graph overlays (component neighborhoods, license overlays, policy deltas) with caching hints and tenant enforcement. | SBOM Service Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-ORCH-32-001 | TODO | Register SBOM ingest/index sources with orchestrator, embed worker SDK, and emit artifact hashes + job metadata. | SBOM Service Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-ORCH-33-001 | TODO | Report backpressure metrics, honor orchestrator pause/throttle signals, and classify error outputs for sbom jobs. | SBOM Service Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-ORCH-34-001 | TODO | Implement orchestrator backfill + watermark reconciliation for SBOM ingest/index, ensuring idempotent artifact reuse. | SBOM Service Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-SERVICE-21-001 | BLOCKED (2025-10-27) | Publish normalized SBOM projection schema (components, relationships, scopes, entrypoints) and implement read API with pagination + tenant enforcement. | SBOM Service Guild, Cartographer Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-SERVICE-21-002 | BLOCKED (2025-10-27) | Emit change events (`sbom.version.created`) carrying digest/version metadata for Graph Indexer builds; add replay/backfill tooling. | SBOM Service Guild, Scheduler Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-SERVICE-21-003 | BLOCKED (2025-10-27) | Provide entrypoint/service node management API (list/update overrides) feeding Cartographer path relevance with deterministic defaults. | SBOM Service Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-SERVICE-21-004 | BLOCKED (2025-10-27) | Wire observability: metrics (`sbom_projection_seconds`, `sbom_projection_size`), traces, structured logs with tenant info; set alerts for backlog. | SBOM Service Guild, Observability Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-SERVICE-23-001 | TODO | Extend projections to include asset metadata (criticality, owner, environment, exposure flags) required by policy rules; update schema docs. | SBOM Service Guild, Policy Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-SERVICE-23-002 | TODO | Emit `sbom.asset.updated` events when metadata changes; ensure idempotent payloads and documentation. | SBOM Service Guild, Platform Events Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-VULN-29-001 | TODO | Emit inventory evidence with `scope`, `runtime_flag`, dependency paths, and nearest safe version hints, streaming change events for resolver jobs. | SBOM Service Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
SBOM-VULN-29-002 | TODO | Provide resolver feed (artifact, purl, version, paths) via queue/topic for Vuln Explorer candidate generation; ensure idempotent delivery. | SBOM Service Guild, Findings Ledger Guild (src/SbomService/StellaOps.SbomService/TASKS.md)
[Runtime & Signals] 140.C) Signals
Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner
Summary: Runtime & Signals focus on Signals).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
SIGNALS-24-003 | BLOCKED (2025-10-27) | Implement runtime facts ingestion endpoint and normalizer (process, sockets, container metadata) populating `context_facts` with AOC provenance. | Signals Guild, Runtime Guild (src/Signals/StellaOps.Signals/TASKS.md)
SIGNALS-24-004 | BLOCKED (2025-10-27) | Deliver reachability scoring engine producing states/scores and writing to `reachability_facts`; expose configuration for weights. | Signals Guild, Data Science (src/Signals/StellaOps.Signals/TASKS.md)
SIGNALS-24-005 | BLOCKED (2025-10-27) | Implement Redis caches (`reachability_cache:*`), invalidation on new facts, and publish `signals.fact.updated` events. | Signals Guild, Platform Events Guild (src/Signals/StellaOps.Signals/TASKS.md)
[Runtime & Signals] 140.D) Zastava
Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner
Summary: Runtime & Signals focus on Zastava).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
ZASTAVA-ENV-01 | TODO | Adopt Surface.Env helpers for cache endpoints, secret refs, and feature toggles. | Zastava Observer Guild (src/Zastava/StellaOps.Zastava.Observer/TASKS.md)
ZASTAVA-ENV-02 | TODO | Switch to Surface.Env helpers for webhook configuration (cache endpoint, secret refs, feature toggles). | Zastava Webhook Guild (src/Zastava/StellaOps.Zastava.Webhook/TASKS.md)
ZASTAVA-SECRETS-01 | TODO | Retrieve CAS/attestation access via Surface.Secrets instead of inline secret stores. | Zastava Observer Guild, Security Guild (src/Zastava/StellaOps.Zastava.Observer/TASKS.md)
ZASTAVA-SECRETS-02 | TODO | Retrieve attestation verification secrets via Surface.Secrets. | Zastava Webhook Guild, Security Guild (src/Zastava/StellaOps.Zastava.Webhook/TASKS.md)
ZASTAVA-SURFACE-01 | TODO | Integrate Surface.FS client for runtime drift detection (lookup cached layer hashes/entry traces). | Zastava Observer Guild (src/Zastava/StellaOps.Zastava.Observer/TASKS.md)
ZASTAVA-SURFACE-02 | TODO | Enforce Surface.FS availability during admission (deny when cache missing/stale) and embed pointer checks in webhook response. | Zastava Webhook Guild (src/Zastava/StellaOps.Zastava.Webhook/TASKS.md)
If all tasks are done - read next sprint section - SPRINT_150_scheduling_automation.md

148
docs/implplan/SPRINT_150_scheduling_automation.md Normal file
View File

@@ -0,0 +1,148 @@
# Sprint 150 - Scheduling & Automation
[Scheduling & Automation] 150.A) Orchestrator.I
Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph
Summary: Scheduling & Automation focus on Orchestrator (phase I).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
ORCH-AIRGAP-56-001 | TODO | Enforce job descriptors to declare network intents; reject or flag any external endpoints in sealed mode before scheduling. | Orchestrator Service Guild, AirGap Policy Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-AIRGAP-56-002 | TODO | Surface sealing status and time staleness in job scheduling decisions; block runs when staleness budgets exceeded. | Orchestrator Service Guild, AirGap Controller Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-AIRGAP-57-001 | TODO | Add job type `mirror.bundle` to orchestrate bundle creation in connected environments with audit + provenance outputs. | Orchestrator Service Guild, Mirror Creator Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-AIRGAP-58-001 | TODO | Capture import/export operations as timeline/evidence entries, ensuring chain-of-custody for mirror + portable evidence jobs. | Orchestrator Service Guild, Evidence Locker Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-OAS-61-001 | TODO | Document orchestrator endpoints in per-service OAS with standardized pagination, idempotency, and error envelope examples. | Orchestrator Service Guild, API Contracts Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-OAS-61-002 | TODO | Implement `GET /.well-known/openapi` in service and ensure version metadata aligns with runtime build. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-OAS-62-001 | TODO | Ensure SDK paginators and operations support orchestrator job operations; add SDK smoke tests for schedule/retry APIs. | Orchestrator Service Guild, SDK Generator Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-OAS-63-001 | TODO | Emit deprecation headers and documentation for legacy orchestrator endpoints; update notifications metadata. | Orchestrator Service Guild, API Governance Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-OBS-50-001 | TODO | Wire `StellaOps.Telemetry.Core` into orchestrator host, instrument schedulers and control APIs with trace spans, structured logs, and exemplar metrics. Ensure tenant/job metadata recorded for every span/log. | Orchestrator Service Guild, Observability Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-OBS-51-001 | TODO | Publish golden-signal metrics (dispatch latency, queue depth, failure rate), define job/tenant SLOs, and emit burn-rate alerts to collector + Notifications. Provide Grafana dashboards + alert rules. | Orchestrator Service Guild, DevOps Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-OBS-52-001 | TODO | Emit `timeline_event` objects for job lifecycle (`job.scheduled`, `job.started`, `job.completed`, `job.failed`) including trace IDs, run IDs, tenant/project, and causal metadata. Add contract tests and Kafka/NATS emitter with retries. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-OBS-53-001 | TODO | Generate job capsule inputs for evidence locker (payload digests, worker image, config hash, log manifest) and invoke locker snapshot hooks on completion/failure. Ensure redaction guard enforced. | Orchestrator Service Guild, Evidence Locker Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-OBS-54-001 | TODO | Produce DSSE attestations for orchestrator-scheduled jobs (subject = job capsule) and store references in timeline + evidence locker. Provide verification endpoint `/jobs/{id}/attestation`. | Orchestrator Service Guild, Provenance Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-OBS-55-001 | TODO | Implement incident mode hooks (sampling overrides, extended retention, additional debug spans) and automatic activation on SLO burn-rate breach. Emit activation/deactivation events to timeline + Notifier. | Orchestrator Service Guild, DevOps Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-SVC-32-001 | TODO | Bootstrap service project, configuration, and Postgres schema/migrations for `sources`, `runs`, `jobs`, `dag_edges`, `artifacts`, `quotas`, `schedules`. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
[Scheduling & Automation] 150.A) Orchestrator.II
Depends on: Sprint 150.A - Orchestrator.I
Summary: Scheduling & Automation focus on Orchestrator (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
ORCH-SVC-32-002 | TODO | Implement scheduler DAG planner + dependency resolver, job state machine, and critical-path metadata without yet issuing control actions. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-SVC-32-003 | TODO | Expose read-only REST APIs (sources, runs, jobs, DAG) with OpenAPI, validation, pagination, and tenant scoping. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-SVC-32-004 | TODO | Implement WebSocket/SSE stream for job/run updates, emit structured metrics counters/histograms, and add health probes. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-SVC-32-005 | TODO | Deliver worker claim/heartbeat/progress endpoints capturing artifact metadata/checksums and enforcing idempotency keys. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-SVC-33-001 | TODO | Enable `sources test | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-SVC-33-002 | TODO | Implement per-source/tenant adaptive token-bucket rate limiter, concurrency caps, and backpressure signals reacting to upstream 429/503. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-SVC-33-003 | TODO | Add watermark/backfill manager with event-time windows, duplicate suppression, dry-run preview endpoint, and safety validations. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-SVC-33-004 | TODO | Deliver dead-letter store, replay endpoints, and error classification surfaces with remediation hints + notification hooks. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-SVC-34-001 | TODO | Implement quota management APIs, per-tenant SLO burn-rate computation, and alert budget tracking surfaced via metrics. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-SVC-34-002 | TODO | Build audit log + immutable run ledger export with signed manifest support, including provenance chain to artifacts. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-SVC-34-003 | TODO | Execute perf/scale validation (≥10k pending jobs, dispatch P95 <150ms) and add autoscaling hooks with health probes. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-SVC-34-004 | TODO | Package orchestrator container, Helm overlays, offline bundle seeds, provenance attestations, and compliance checklist for GA. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-SVC-35-101 | TODO | Register `export` job type with quotas/rate policies, expose telemetry, and ensure exporter workers heartbeat via orchestrator contracts. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-SVC-36-101 | TODO | Capture distribution metadata and retention timestamps for export jobs, updating dashboards and SSE payloads. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-SVC-37-101 | TODO | Enable scheduled export runs, retention pruning hooks, and failure alerting tied to export job class. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
[Scheduling & Automation] 150.A) Orchestrator.III
Depends on: Sprint 150.A - Orchestrator.II
Summary: Scheduling & Automation focus on Orchestrator (phase III).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
ORCH-SVC-38-101 | TODO | Standardize event envelope (policy/export/job lifecycle) with idempotency keys, ensure export/job failure events published to notifier bus with provenance metadata. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-SVC-41-101 | TODO | Register `pack-run` job type, persist run metadata, integrate logs/artifacts collection, and expose API for Task Runner scheduling. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-SVC-42-101 | TODO | Stream pack run logs via SSE/WS, add manifest endpoints, enforce quotas, and emit pack run events to Notifications Studio. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
ORCH-TEN-48-001 | TODO | Include `tenant_id`/`project_id` in job specs, set DB session context before processing, enforce context on all queries, and reject jobs missing tenant metadata. | Orchestrator Service Guild (src/Orchestrator/StellaOps.Orchestrator/TASKS.md)
WORKER-GO-32-001 | TODO | Bootstrap Go SDK project with configuration binding, auth headers, job claim/acknowledge client, and smoke sample. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md)
WORKER-GO-32-002 | TODO | Add heartbeat/progress helpers, structured logging hooks, Prometheus metrics, and jittered retry defaults. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md)
WORKER-GO-33-001 | TODO | Implement artifact publish helpers (object storage client, checksum hashing, metadata payload) and idempotency guard. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md)
WORKER-GO-33-002 | TODO | Provide error classification/retry helper, exponential backoff controls, and structured failure reporting to orchestrator. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md)
WORKER-GO-34-001 | TODO | Add backfill range execution helpers, watermark handshake utilities, and artifact dedupe verification for backfills. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Go/TASKS.md)
WORKER-PY-32-001 | TODO | Bootstrap asyncio-based Python SDK (config, auth headers, job claim/ack) plus sample worker script. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md)
WORKER-PY-32-002 | TODO | Implement heartbeat/progress helpers with structured logging, metrics exporter, and cancellation-safe retries. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md)
WORKER-PY-33-001 | TODO | Add artifact publish/idempotency helpers (object storage adapters, checksum hashing, metadata payload) for Python workers. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md)
WORKER-PY-33-002 | TODO | Provide error classification/backoff helper mapping to orchestrator codes, including jittered retries and structured failure reports. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md)
WORKER-PY-34-001 | TODO | Implement backfill range iteration, watermark handshake, and artifact dedupe verification utilities for Python workers. | Worker SDK Guild (src/Orchestrator/StellaOps.Orchestrator.WorkerSdk.Python/TASKS.md)
[Scheduling & Automation] 150.B) PacksRegistry
Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph
Summary: Scheduling & Automation focus on PacksRegistry).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
PACKS-REG-41-001 | TODO | Implement registry service, migrations for `packs_index`, `parity_matrix`, provenance docs; support pack upload/list/get, signature verification, RBAC enforcement, and provenance manifest storage. | Packs Registry Guild (src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md)
PACKS-REG-42-001 | TODO | Add version lifecycle (promote/deprecate), tenant allowlists, provenance export, signature rotation, audit logs, and Offline Kit seed support. | Packs Registry Guild (src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md)
PACKS-REG-43-001 | TODO | Implement registry mirroring, pack signing policies, attestation integration, and compliance dashboards; integrate with Export Center. | Packs Registry Guild (src/PacksRegistry/StellaOps.PacksRegistry/TASKS.md)
[Scheduling & Automation] 150.C) Scheduler.I
Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph
Summary: Scheduling & Automation focus on Scheduler (phase I).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
SCHED-CONSOLE-23-001 | TODO | Extend runs APIs with live progress SSE endpoints (`/console/runs/{id}/stream`), queue lag summaries, diff metadata fetch, retry/cancel hooks with RBAC enforcement, and deterministic pagination for history views consumed by Console. | Scheduler WebService Guild, BE-Base Platform Guild (src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md)
SCHED-CONSOLE-27-001 | TODO | Provide policy batch simulation orchestration endpoints (`/policies/simulations` POST/GET) exposing run creation, shard status, SSE progress, cancellation, and retries with RBAC enforcement. | Scheduler WebService Guild, Policy Registry Guild (src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md)
SCHED-CONSOLE-27-002 | TODO | Emit telemetry endpoints/metrics (`policy_simulation_queue_depth`, `policy_simulation_latency`) and webhook callbacks for completion/failure consumed by Registry. | Scheduler WebService Guild, Observability Guild (src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md)
SCHED-IMPACT-16-303 | TODO | Snapshot/compaction + invalidation for removed images; persistence to RocksDB/Redis per architecture. | Scheduler ImpactIndex Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.ImpactIndex/TASKS.md)
SCHED-SURFACE-01 | TODO | Evaluate Surface.FS pointers when planning delta scans to avoid redundant work and prioritise drift-triggered assets. | Scheduler Worker Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md)
SCHED-VULN-29-001 | TODO | Expose resolver job APIs (`POST /vuln/resolver/jobs`, `GET /vuln/resolver/jobs/{id}`) to trigger candidate recomputation per artifact/policy change with RBAC and rate limits. | Scheduler WebService Guild, Findings Ledger Guild (src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md)
SCHED-VULN-29-002 | TODO | Provide projector lag metrics endpoint and webhook notifications for backlog breaches consumed by DevOps dashboards. | Scheduler WebService Guild, Observability Guild (src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md)
SCHED-WEB-20-002 | BLOCKED (waiting on SCHED-WORKER-20-301) | Provide simulation trigger endpoint returning diff preview metadata and job state for UI/CLI consumption. | Scheduler WebService Guild (src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md)
SCHED-WEB-21-004 | DOING (2025-10-26) | Persist graph job lifecycle to Mongo storage and publish `scheduler.graph.job.completed@1` events + outbound webhook to Cartographer. | Scheduler WebService Guild, Scheduler Storage Guild (src/Scheduler/StellaOps.Scheduler.WebService/TASKS.md)
SCHED-WORKER-21-203 | TODO | Export metrics (`graph_build_seconds`, `graph_jobs_inflight`, `overlay_lag_seconds`) and structured logs with tenant/graph identifiers. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md)
SCHED-WORKER-23-101 | TODO | Implement policy re-evaluation worker that shards assets, honours rate limits, and updates progress for Console after policy activation events. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md)
SCHED-WORKER-23-102 | TODO | Add reconciliation job ensuring re-eval completion within SLA, emitting alerts on backlog and persisting status to `policy_runs`. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md)
SCHED-WORKER-25-101 | TODO | Implement exception lifecycle worker handling auto-activation/expiry and publishing `exception.*` events with retries/backoff. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md)
SCHED-WORKER-25-102 | TODO | Add expiring notification job generating digests, marking `expiring` state, updating metrics/alerts. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md)
SCHED-WORKER-26-201 | TODO | Build reachability joiner worker that combines SBOM snapshots with signals, writes cached facts, and schedules updates on new events. | Scheduler Worker Guild, Signals Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md)
[Scheduling & Automation] 150.C) Scheduler.II
Depends on: Sprint 150.C - Scheduler.I
Summary: Scheduling & Automation focus on Scheduler (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
SCHED-WORKER-26-202 | TODO | Implement staleness monitor + notifier for outdated reachability facts, publishing warnings and updating dashboards. | Scheduler Worker Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md)
SCHED-WORKER-27-301 | TODO | Implement policy batch simulation worker: shard SBOM inventories, invoke Policy Engine, emit partial results, handle retries/backoff, and publish progress events. | Scheduler Worker Guild, Policy Registry Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md)
SCHED-WORKER-27-302 | TODO | Build reducer job aggregating shard outputs into final manifests (counts, deltas, samples) and writing to object storage with checksums; emit completion events. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md)
SCHED-WORKER-27-303 | TODO | Enforce tenant isolation, scope checks, and attestation integration for simulation jobs; secret scanning pipeline for uploaded policy sources. | Scheduler Worker Guild, Security Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md)
SCHED-WORKER-29-001 | TODO | Implement resolver worker generating candidate findings from inventory + advisory evidence, respecting ecosystem version semantics and path scope; emit jobs for policy evaluation. | Scheduler Worker Guild, Findings Ledger Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md)
SCHED-WORKER-29-002 | TODO | Build evaluation orchestration worker invoking Policy Engine batch eval, writing results to Findings Ledger projector queue, and handling retries/backoff. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md)
SCHED-WORKER-29-003 | TODO | Add monitoring for resolver/evaluation backlog, SLA breaches, and export job queue; expose metrics/alerts feeding DevOps dashboards. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md)
SCHED-WORKER-CONSOLE-23-201 | TODO | Stream run progress events (stage status, tuples processed, SLA hints) to Redis/NATS for Console SSE, with heartbeat, dedupe, and retention policy. Publish metrics + structured logs for queue lag. | Scheduler Worker Guild, Observability Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md)
SCHED-WORKER-CONSOLE-23-202 | TODO | Coordinate evidence bundle jobs (enqueue, track status, cleanup) and expose job manifests to Web gateway; ensure idempotent reruns and cancellation support. | Scheduler Worker Guild, Policy Guild (src/Scheduler/__Libraries/StellaOps.Scheduler.Worker/TASKS.md)
[Scheduling & Automation] 150.D) TaskRunner.I
Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph
Summary: Scheduling & Automation focus on TaskRunner (phase I).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
TASKRUN-41-001 | TODO | Bootstrap service, define migrations for `pack_runs`, `pack_run_logs`, `pack_artifacts`, implement run API (create/get/log stream), local executor, approvals pause, artifact capture, and provenance manifest generation. | Task Runner Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md)
TASKRUN-42-001 | DOING (2025-10-29) | Add loops, conditionals, `maxParallel`, outputs, simulation mode, policy gate integration, and failure recovery (retry/abort) with deterministic state. | Task Runner Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md)
TASKRUN-43-001 | DOING (2025-10-29) | Implement approvals workflow (resume after approval), notifications integration, remote artifact uploads, chaos resilience, secret injection, and audit logs. | Task Runner Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md)
TASKRUN-AIRGAP-56-001 | TODO | Enforce plan-time validation rejecting steps with non-allowlisted network calls in sealed mode and surface remediation errors. | Task Runner Guild, AirGap Policy Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md)
TASKRUN-AIRGAP-56-002 | TODO | Add helper steps for bundle ingestion (checksum verification, staging to object store) with deterministic outputs. | Task Runner Guild, AirGap Importer Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md)
TASKRUN-AIRGAP-57-001 | TODO | Refuse to execute plans when environment sealed=false but declared sealed install; emit advisory timeline events. | Task Runner Guild, AirGap Controller Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md)
TASKRUN-AIRGAP-58-001 | TODO | Capture bundle import job transcripts, hashed inputs, and outputs into portable evidence bundles. | Task Runner Guild, Evidence Locker Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md)
TASKRUN-OAS-61-001 | TODO | Document Task Runner APIs (pack runs, logs, approvals) in service OAS, including streaming response schemas and examples. | Task Runner Guild, API Contracts Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md)
TASKRUN-OAS-61-002 | TODO | Expose `GET /.well-known/openapi` returning signed spec metadata, build version, and ETag. | Task Runner Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md)
TASKRUN-OAS-62-001 | TODO | Provide SDK examples for pack run lifecycle; ensure SDKs offer streaming log helpers and paginator wrappers. | Task Runner Guild, SDK Generator Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md)
TASKRUN-OAS-63-001 | TODO | Implement deprecation header support and Sunset handling for legacy pack APIs; emit notifications metadata. | Task Runner Guild, API Governance Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md)
TASKRUN-OBS-50-001 | TODO | Adopt telemetry core in Task Runner host + worker executors, ensuring step execution spans/logs include `trace_id`, `tenant_id`, `run_id`, and scrubbed command transcripts. | Task Runner Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md)
TASKRUN-OBS-51-001 | TODO | Emit metrics for step latency, retries, queue depth, sandbox resource usage; define SLOs for pack run completion and failure rate; surface burn-rate alerts to collector/Notifier. | Task Runner Guild, DevOps Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md)
TASKRUN-OBS-52-001 | TODO | Produce timeline events for pack runs (`pack.started`, `pack.step.completed`, `pack.failed`) containing evidence pointers and policy gate context. Provide dedupe + retry logic. | Task Runner Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md)
TASKRUN-OBS-53-001 | TODO | Capture step transcripts, artifact manifests, environment digests, and policy approvals into evidence locker snapshots; ensure redaction + hash chain coverage. | Task Runner Guild, Evidence Locker Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md)
[Scheduling & Automation] 150.D) TaskRunner.II
Depends on: Sprint 150.D - TaskRunner.I
Summary: Scheduling & Automation focus on TaskRunner (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
TASKRUN-OBS-54-001 | TODO | Generate DSSE attestations for pack runs (subjects = produced artifacts) and expose verification API/CLI integration. Store references in timeline events. | Task Runner Guild, Provenance Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md)
TASKRUN-OBS-55-001 | TODO | Implement incident mode escalations (extra telemetry, debug artifact capture, retention bump) and align on automatic activation via SLO breach webhooks. | Task Runner Guild, DevOps Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md)
TASKRUN-TEN-48-001 | TODO | Require tenant/project context for every pack run, set DB/object-store prefixes, block egress when tenant restricted, and propagate context to steps/logs. | Task Runner Guild (src/TaskRunner/StellaOps.TaskRunner/TASKS.md)
If all tasks are done - read next sprint section - SPRINT_160_export_evidence.md

95
docs/implplan/SPRINT_160_export_evidence.md Normal file
View File

@@ -0,0 +1,95 @@
# Sprint 160 - Export & Evidence
[Export & Evidence] 160.A) EvidenceLocker
Depends on: Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator
Summary: Export & Evidence focus on EvidenceLocker).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EVID-OBS-53-001 | TODO | Bootstrap `StellaOps.Evidence.Locker` service with Postgres schema for `evidence_bundles`, `evidence_artifacts`, `evidence_holds`, tenant RLS, and object-store abstraction (WORM optional). | Evidence Locker Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md)
EVID-OBS-53-002 | TODO | Implement bundle builders for evaluation/job/export snapshots collecting inputs, outputs, env digests, run metadata. Generate Merkle tree + manifest skeletons and persist root hash. | Evidence Locker Guild, Orchestrator Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md)
EVID-OBS-53-003 | TODO | Expose REST APIs (`POST /evidence/snapshot`, `GET /evidence/:id`, `POST /evidence/verify`, `POST /evidence/hold/:case_id`) with audit logging, tenant enforcement, and size quotas. | Evidence Locker Guild, Security Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md)
EVID-OBS-54-001 | TODO | Attach DSSE signing and RFC3161 timestamping to bundle manifests; validate against Provenance verification library. Wire legal hold retention extension and chain-of-custody events for Timeline Indexer. | Evidence Locker Guild, Provenance Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md)
EVID-OBS-54-002 | TODO | Provide bundle download/export packaging (tgz) with checksum manifest, offline verification instructions, and sample fixture for CLI tests. | Evidence Locker Guild, DevEx/CLI Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md)
EVID-OBS-55-001 | TODO | Implement incident mode hooks increasing retention window, capturing additional debug artefacts, and emitting activation/deactivation events to Timeline Indexer + Notifier. | Evidence Locker Guild, DevOps Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md)
EVID-OBS-60-001 | TODO | Deliver portable evidence export flow for sealed environments: generate sealed bundles with checksum manifest, redacted metadata, and offline verification script. Document air-gapped import/verify procedures. | Evidence Locker Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md)
[Export & Evidence] 160.B) ExportCenter.I
Depends on: Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator
Summary: Export & Evidence focus on ExportCenter (phase I).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DVOFF-64-001 | TODO | Implement Export Center job `devportal --offline` bundling portal HTML, specs, SDK artifacts, changelogs, and verification manifest. | DevPortal Offline Guild, Exporter Guild (src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/TASKS.md)
DVOFF-64-002 | TODO | Provide verification CLI (`stella devportal verify bundle.tgz`) ensuring integrity before import. | DevPortal Offline Guild, AirGap Controller Guild (src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/TASKS.md)
EXPORT-AIRGAP-56-001 | TODO | Extend Export Center to build Mirror Bundles as export profiles, including advisories/VEX/policy packs manifesting DSSE/TUF metadata. | Exporter Service Guild, Mirror Creator Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-AIRGAP-56-002 | TODO | Package Bootstrap Pack (images + charts) into OCI archives with signed manifests for air-gapped deployment. | Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-AIRGAP-57-001 | TODO | Integrate portable evidence export mode producing sealed evidence bundles with DSSE signatures and chain-of-custody metadata. | Exporter Service Guild, Evidence Locker Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-AIRGAP-58-001 | TODO | Emit notifications and timeline events when Mirror Bundles or Bootstrap packs are ready for transfer. | Exporter Service Guild, Notifications Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-ATTEST-74-001 | TODO | Implement export job producing attestation bundles with manifest, checksums, DSSE signature, and optional transparency log segments. | Attestation Bundle Guild, Attestor Service Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md)
EXPORT-ATTEST-74-001 | TODO | Implement attestation bundle export job via Export Center. | Exporter Service Guild, Attestation Bundle Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-ATTEST-74-002 | TODO | Integrate bundle job into CI/offline kit packaging with checksum publication. | Attestation Bundle Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md)
EXPORT-ATTEST-75-001 | TODO | Provide CLI command `stella attest bundle verify/import` for air-gap usage. | Attestation Bundle Guild, CLI Attestor Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md)
EXPORT-ATTEST-75-001 | TODO | Integrate attestation bundles into offline kit flows and CLI commands. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-ATTEST-75-002 | TODO | Document `/docs/modules/attestor/airgap.md` with bundle workflows and verification steps. | Attestation Bundle Guild, Docs Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md)
EXPORT-OAS-61-001 | TODO | Update Exporter OAS covering profiles, runs, downloads, devportal exports with standard error envelope and examples. | Exporter Service Guild, API Contracts Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-OAS-61-002 | TODO | Provide `/.well-known/openapi` discovery endpoint with version metadata and ETag. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-OAS-62-001 | TODO | Ensure SDKs include export profile/run clients with streaming download helpers; add smoke tests. | Exporter Service Guild, SDK Generator Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
[Export & Evidence] 160.B) ExportCenter.II
Depends on: Sprint 160.B - ExportCenter.I
Summary: Export & Evidence focus on ExportCenter (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXPORT-OAS-63-001 | TODO | Implement deprecation headers and notifications for legacy export endpoints. | Exporter Service Guild, API Governance Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-OBS-50-001 | TODO | Adopt telemetry core in exporter service + workers, ensuring spans/logs capture profile id, tenant, artifact counts, distribution type, and trace IDs. | Exporter Service Guild, Observability Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-OBS-51-001 | TODO | Emit metrics for export planner latency, bundle build time, distribution success rate, bundle size, and define SLOs (bundle availability P95 <90s). Add Grafana dashboards + burn-rate alerts. | Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-OBS-52-001 | TODO | Publish timeline events for export lifecycle (`export.requested`, `export.built`, `export.distributed`, `export.failed`) embedding manifest hashes and evidence refs. Provide dedupe + retry logic. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-OBS-53-001 | TODO | Push export manifests + distribution transcripts to evidence locker bundles, ensuring Merkle root alignment and DSSE pre-sign data available. | Exporter Service Guild, Evidence Locker Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-OBS-54-001 | TODO | Produce DSSE attestations for each export artifact and distribution target, expose verification API `/exports/{id}/attestation`, and integrate with CLI verify path. | Exporter Service Guild, Provenance Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-OBS-55-001 | TODO | Add incident mode enhancements (extra tracing for slow exports, additional debug logs, retention bump). Emit incident activation events to timeline + notifier. | Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-RISK-69-001 | TODO | Add Export Center job handler `risk-bundle` with provider selection, manifest signing, and audit logging. | Exporter Service Guild, Risk Bundle Export Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-RISK-69-002 | TODO | Enable simulation report exports pulling scored data + explainability snapshots. | Exporter Service Guild, Risk Engine Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-RISK-70-001 | TODO | Integrate risk bundle builds into offline kit packaging with checksum verification. | Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-35-001 | BLOCKED (2025-10-29) | Bootstrap exporter service project, configuration, and Postgres migrations for `export_profiles`, `export_runs`, `export_inputs`, `export_distributions` with tenant scoping + tests. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-35-002 | TODO | Implement planner + scope resolver translating filters into ledger iterators and orchestrator job payloads; include deterministic sampling and validation. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-35-003 | TODO | Deliver JSON adapters (`json:raw`, `json:policy`) with canonical normalization, redaction allowlists, compression, and manifest counts. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-35-004 | TODO | Build mirror (full) adapter producing filesystem layout, indexes, manifests, and README with download-only distribution. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-35-005 | TODO | Implement manifest/provenance writer and KMS signing/attestation (detached + embedded) for bundle outputs. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
[Export & Evidence] 160.B) ExportCenter.III
Depends on: Sprint 160.B - ExportCenter.II
Summary: Export & Evidence focus on ExportCenter (phase III).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXPORT-SVC-35-006 | TODO | Expose Export API (profiles, runs, download, SSE updates) with audit logging, concurrency controls, and viewer/operator RBAC integration. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-36-001 | TODO | Implement Trivy DB adapter (core) with schema mappings, version flag gating, and validation harness. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-36-002 | TODO | Add Trivy Java DB variant with shared manifest entries and adapter regression tests. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-36-003 | TODO | Build OCI distribution engine (manifests, descriptors, annotations) with registry auth support and retries. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-36-004 | TODO | Extend planner/run lifecycle for distribution targets (OCI/object storage) with idempotent metadata updates and retention timestamps. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-37-001 | TODO | Implement mirror delta adapter with base manifest comparison, change set generation, and content-addressed reuse. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-37-002 | TODO | Add bundle encryption (age/AES-GCM), key wrapping via KMS, and verification tooling for encrypted outputs. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-37-003 | TODO | Implement export scheduling (cron/event), retention pruning, retry idempotency, and failure classification. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-37-004 | TODO | Provide verification API to stream manifests/hashes, compute hash+signature checks, and return attest status for CLI/UI. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-43-001 | TODO | Integrate pack run manifests/artifacts into export bundles and CLI verification flows; expose provenance links. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-TEN-48-001 | TODO | Prefix artifacts/manifests with tenant/project, enforce scope checks, and prevent cross-tenant exports unless explicitly whitelisted; update provenance. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
RISK-BUNDLE-69-001 | TODO | Implement `stella export risk-bundle` job producing tarball with provider datasets, manifests, and DSSE signatures. | Risk Bundle Export Guild, Risk Engine Guild (src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md)
RISK-BUNDLE-69-002 | TODO | Integrate bundle job into CI/offline kit pipelines with checksum publication. | Risk Bundle Export Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md)
RISK-BUNDLE-70-001 | TODO | Provide CLI `stella risk bundle verify` command to validate bundles before import. | Risk Bundle Export Guild, CLI Guild (src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md)
RISK-BUNDLE-70-002 | TODO | Publish `/docs/airgap/risk-bundles.md` detailing build/import/verification workflows. | Risk Bundle Export Guild, Docs Guild (src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md)
[Export & Evidence] 160.C) TimelineIndexer
Depends on: Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator
Summary: Export & Evidence focus on TimelineIndexer).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
TIMELINE-OBS-52-001 | TODO | Bootstrap `StellaOps.Timeline.Indexer` service with Postgres migrations for `timeline_events`, `timeline_event_details`, `timeline_event_digests`; enable RLS scaffolding and deterministic migration scripts. | Timeline Indexer Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md)
TIMELINE-OBS-52-002 | TODO | Implement event ingestion pipeline (NATS/Redis consumers) with ordering guarantees, dedupe on `(event_id, tenant_id)`, correlation to trace IDs, and backpressure metrics. | Timeline Indexer Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md)
TIMELINE-OBS-52-003 | TODO | Expose REST/gRPC APIs for timeline queries (`GET /timeline`, `/timeline/{id}`) with filters, pagination, and tenant enforcement. Provide OpenAPI + contract tests. | Timeline Indexer Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md)
TIMELINE-OBS-52-004 | TODO | Finalize RLS policies, scope checks (`timeline:read`), and audit logging for query access. Include integration tests for cross-tenant isolation and legal hold markers. | Timeline Indexer Guild, Security Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md)
TIMELINE-OBS-53-001 | TODO | Link timeline events to evidence bundle digests + attestation subjects; expose `/timeline/{id}/evidence` endpoint returning signed manifest references. | Timeline Indexer Guild, Evidence Locker Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md)
If all tasks are done - read next sprint section - SPRINT_170_notifications_telemetry.md

68
docs/implplan/SPRINT_170_notifications_telemetry.md Normal file
View File

@@ -0,0 +1,68 @@
# Sprint 170 - Notifications & Telemetry
[Notifications & Telemetry] 170.A) Notifier.I
Depends on: Sprint 150.A - Orchestrator
Summary: Notifications & Telemetry focus on Notifier (phase I).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
NOTIFY-AIRGAP-56-001 | TODO | Disable external webhook targets in sealed mode, default to enclave-safe channels (SMTP relay, syslog, file sink), and surface remediation guidance. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-AIRGAP-56-002 | TODO | Provide local notifier configurations bundled within Bootstrap Pack with deterministic secrets handling. | Notifications Service Guild, DevOps Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-AIRGAP-57-001 | TODO | Send staleness drift and bundle import notifications with remediation steps. | Notifications Service Guild, AirGap Time Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-AIRGAP-58-001 | TODO | Add portable evidence export completion notifications including checksum + location metadata. | Notifications Service Guild, Evidence Locker Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-ATTEST-74-001 | TODO | Create notification templates for verification failures, expiring attestations, key revocations, and transparency anomalies. | Notifications Service Guild, Attestor Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-ATTEST-74-002 | TODO | Wire notifications to key rotation/revocation events and transparency witness failures. | Notifications Service Guild, KMS Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-OAS-61-001 | TODO | Update notifier OAS with rules, templates, incidents, quiet hours endpoints using standard error envelope and examples. | Notifications Service Guild, API Contracts Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-OAS-61-002 | TODO | Implement `/.well-known/openapi` discovery endpoint with scope metadata. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-OAS-62-001 | TODO | Provide SDK usage examples for rule CRUD, incident ack, and quiet hours; ensure SDK smoke tests. | Notifications Service Guild, SDK Generator Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-OAS-63-001 | TODO | Emit deprecation headers and Notifications templates for retiring notifier APIs. | Notifications Service Guild, API Governance Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-OBS-51-001 | TODO | Integrate SLO evaluator webhooks into Notifier rules (burn-rate breaches, health degradations) with templates, routing, and suppression logic. Provide sample policies and ensure imposed rule propagation. | Notifications Service Guild, Observability Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-OBS-55-001 | TODO | Publish incident mode start/stop notifications with trace/evidence quick links, retention notes, and automatic escalation paths. Include quiet-hour overrides + legal compliance logging. | Notifications Service Guild, Ops Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-RISK-66-001 | TODO | Add notification triggers for risk severity escalation/downgrade events with profile metadata in payload. | Notifications Service Guild, Risk Engine Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-RISK-67-001 | TODO | Notify stakeholders when risk profiles are published, deprecated, or thresholds change. | Notifications Service Guild, Policy Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-RISK-68-001 | TODO | Support per-profile routing rules, quiet hours, and dedupe for risk alerts; integrate with CLI/Console preferences. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
[Notifications & Telemetry] 170.A) Notifier.II
Depends on: Sprint 170.A - Notifier.I
Summary: Notifications & Telemetry focus on Notifier (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
NOTIFY-SVC-37-001 | TODO | Define pack approval & policy notification contract, including OpenAPI schema, event payloads, resume token mechanics, and security guidance. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-SVC-37-002 | TODO | Implement secure ingestion endpoint, Mongo persistence (`pack_approvals`), idempotent writes, and audit trail for approval events. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-SVC-37-003 | TODO | Deliver approval/policy templates, routing predicates, and channel dispatch (email + webhook) with localization + redaction. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-SVC-37-004 | TODO | Provide acknowledgement API, Task Runner callback client, metrics for outstanding approvals, and runbook updates. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-SVC-38-002 | TODO | Implement channel adapters (email, chat webhook, generic webhook) with retry policies, health checks, and audit logging. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-SVC-38-003 | TODO | Deliver template service (versioned templates, localization scaffolding) and renderer with redaction allowlists, Markdown/HTML/JSON outputs, and provenance links. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-SVC-38-004 | TODO | Expose REST + WS APIs (rules CRUD, templates preview, incidents list, ack) with audit logging, RBAC checks, and live feed stream. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-SVC-39-001 | TODO | Implement correlation engine with pluggable key expressions/windows, throttler (token buckets), quiet hours/maintenance evaluator, and incident lifecycle. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-SVC-39-002 | TODO | Build digest generator (queries, formatting) with schedule runner and distribution via existing channels. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-SVC-39-003 | TODO | Provide simulation engine/API to dry-run rules against historical events, returning matched actions with explanations. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-SVC-39-004 | TODO | Integrate quiet hour calendars and default throttles with audit logging and operator overrides. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-SVC-40-001 | TODO | Implement escalations + on-call schedules, ack bridge, PagerDuty/OpsGenie adapters, and CLI/in-app inbox channels. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-SVC-40-002 | TODO | Add summary storm breaker notifications, localization bundles, and localization fallback handling. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-SVC-40-003 | TODO | Harden security: signed ack links (KMS), webhook HMAC/IP allowlists, tenant isolation fuzz tests, HTML sanitization. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
NOTIFY-SVC-40-004 | TODO | Finalize observability (metrics/traces for escalations, latency), dead-letter handling, chaos tests for channel outages, and retention policies. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
[Notifications & Telemetry] 170.A) Notifier.III
Depends on: Sprint 170.A - Notifier.II
Summary: Notifications & Telemetry focus on Notifier (phase III).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
NOTIFY-TEN-48-001 | TODO | Tenant-scope rules/templates/incidents, RLS on storage, tenant-prefixed channels, and inclusion of tenant context in notifications. | Notifications Service Guild (src/Notifier/StellaOps.Notifier/TASKS.md)
[Notifications & Telemetry] 170.B) Telemetry
Depends on: Sprint 150.A - Orchestrator
Summary: Notifications & Telemetry focus on Telemetry).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
TELEMETRY-OBS-50-001 | TODO | Create `StellaOps.Telemetry.Core` library with structured logging facade, OpenTelemetry configuration helpers, and deterministic bootstrap (service name/version detection, resource attributes). Publish sample usage for web/worker hosts. | Telemetry Core Guild (src/Telemetry/StellaOps.Telemetry.Core/TASKS.md)
TELEMETRY-OBS-50-002 | TODO | Implement context propagation middleware/adapters for HTTP, gRPC, background jobs, and CLI invocations, carrying `trace_id`, `tenant_id`, `actor`, and imposed-rule metadata. Provide test harness covering async resume scenarios. | Telemetry Core Guild (src/Telemetry/StellaOps.Telemetry.Core/TASKS.md)
TELEMETRY-OBS-51-001 | TODO | Ship metrics helpers for golden signals (histograms, counters, gauges) with exemplar support and cardinality guards. Provide Roslyn analyzer preventing unsanitised labels. | Telemetry Core Guild, Observability Guild (src/Telemetry/StellaOps.Telemetry.Core/TASKS.md)
TELEMETRY-OBS-51-002 | TODO | Implement redaction/scrubbing filters for secrets/PII enforced at logger sink, configurable per-tenant with TTL, including audit of overrides. Add determinism tests verifying stable field order and timestamp normalization. | Telemetry Core Guild, Security Guild (src/Telemetry/StellaOps.Telemetry.Core/TASKS.md)
TELEMETRY-OBS-55-001 | TODO | Provide incident mode toggle API that adjusts sampling, enables extended retention tags, and records activation trail for services. Ensure toggle honored by all hosting templates and integrates with Config/FeatureFlag providers. | Telemetry Core Guild (src/Telemetry/StellaOps.Telemetry.Core/TASKS.md)
TELEMETRY-OBS-56-001 | TODO | Add sealed-mode telemetry helpers (drift metrics, seal/unseal spans, offline exporters) and ensure hosts can disable external exporters when sealed. | Telemetry Core Guild (src/Telemetry/StellaOps.Telemetry.Core/TASKS.md)
If all tasks are done - read next sprint section - SPRINT_180_experience_sdks.md

326
docs/implplan/SPRINT_180_experience_sdks.md Normal file
View File

@@ -0,0 +1,326 @@
# Sprint 180 - Experience & SDKs
[Experience & SDKs] 180.A) Cli.I
Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator, Sprint 170.A - Notifier
Summary: Experience & SDKs focus on Cli (phase I).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CLI-AIAI-31-001 | TODO | Implement `stella advise summarize` command with JSON/Markdown outputs and citation display. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-AIAI-31-002 | TODO | Implement `stella advise explain` showing conflict narrative and structured rationale. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-AIAI-31-003 | TODO | Implement `stella advise remediate` generating remediation plans with `--strategy` filters and file output. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-AIAI-31-004 | TODO | Implement `stella advise batch` for summaries/conflicts/remediation with progress + multi-status responses. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-AIRGAP-56-001 | TODO | Implement `stella mirror create | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-AIRGAP-56-002 | TODO | Ensure telemetry propagation under sealed mode (no remote exporters) while preserving correlation IDs; add label `AirGapped-Phase-1`. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-AIRGAP-57-001 | TODO | Add `stella airgap import` with diff preview, bundle scope selection (`--tenant`, `--global`), audit logging, and progress reporting. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-AIRGAP-57-002 | TODO | Provide `stella airgap seal | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-AIRGAP-58-001 | TODO | Implement `stella airgap export evidence` helper for portable evidence packages, including checksum manifest and verification. | DevEx/CLI Guild, Evidence Locker Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-ATTEST-73-001 | TODO | Implement `stella attest sign` (payload selection, subject digest, key reference, output format) using official SDK transport. | CLI Attestor Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-ATTEST-73-002 | TODO | Implement `stella attest verify` with policy selection, explainability output, and JSON/table formatting. | CLI Attestor Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-ATTEST-74-001 | TODO | Implement `stella attest list` with filters (subject, type, issuer, scope) and pagination. | CLI Attestor Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-ATTEST-74-002 | TODO | Implement `stella attest fetch` to download envelopes and payloads to disk. | CLI Attestor Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-ATTEST-75-001 | TODO | Implement `stella attest key create | CLI Attestor Guild, KMS Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-ATTEST-75-002 | TODO | Add support for building/verifying attestation bundles in CLI. | CLI Attestor Guild, Export Guild (src/Cli/StellaOps.Cli/TASKS.md)
[Experience & SDKs] 180.A) Cli.II
Depends on: Sprint 180.A - Cli.I
Summary: Experience & SDKs focus on Cli (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CLI-CORE-41-001 | TODO | Implement CLI core features: config precedence, profiles/contexts, auth flows, output renderer (json/yaml/table), error mapping, global flags, telemetry opt-in. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-EXC-25-001 | TODO | Implement `stella exceptions list | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-EXC-25-002 | TODO | Extend `stella policy simulate` with `--with-exception`/`--without-exception` flags to preview exception impact. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-EXPORT-35-001 | BLOCKED (2025-10-29) | Implement `stella export profiles | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-EXPORT-36-001 | TODO | Add distribution commands (`stella export distribute`, `run download --resume` enhancements) and improved status polling with progress bars. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-EXPORT-37-001 | TODO | Provide scheduling (`stella export schedule`), retention, and `export verify` commands performing signature/hash validation. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-FORENSICS-53-001 | TODO | Implement `stella forensic snapshot create --case` and `snapshot list/show` commands invoking evidence locker APIs, surfacing manifest digests, and storing local cache metadata. | DevEx/CLI Guild, Evidence Locker Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-FORENSICS-54-001 | TODO | Provide `stella forensic verify <bundle>` command validating checksums, DSSE signatures, and timeline chain-of-custody. Support JSON/pretty output and exit codes for CI. | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-FORENSICS-54-002 | TODO | Implement `stella forensic attest show <artifact>` listing attestation details (signer, timestamp, subjects) and verifying signatures. | DevEx/CLI Guild, Provenance Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-LNM-22-001 | TODO | Implement `stella advisory obs get/linkset show/export` commands with JSON/OSV output, pagination, and conflict display; ensure `ERR_AGG_*` mapping. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-LNM-22-002 | TODO | Implement `stella vex obs get/linkset show` commands with product filters, status filters, and JSON output for CI usage. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-NOTIFY-38-001 | BLOCKED (2025-10-29) | Implement `stella notify rules | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-NOTIFY-39-001 | BLOCKED (2025-10-29) | Add simulation (`stella notify simulate`) and digest commands with diff output and schedule triggering, including dry-run mode. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-NOTIFY-40-001 | TODO | Provide ack token redemption workflow, escalation management, localization previews, and channel health checks. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-OBS-50-001 | TODO | Ensure CLI HTTP client propagates `traceparent` headers for all commands, prints correlation IDs on failure, and records trace IDs in verbose logs (scrubbed). | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
[Experience & SDKs] 180.A) Cli.III
Depends on: Sprint 180.A - Cli.II
Summary: Experience & SDKs focus on Cli (phase III).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CLI-OBS-51-001 | TODO | Implement `stella obs top` command streaming service health metrics, SLO status, and burn-rate alerts with TUI view and JSON output. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-OBS-52-001 | TODO | Add `stella obs trace <trace_id>` and `stella obs logs --from/--to` commands that correlate timeline events, logs, and evidence links with pagination + guardrails. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-OBS-55-001 | TODO | Add `stella obs incident-mode enable | DevEx/CLI Guild, DevOps Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-ORCH-32-001 | TODO | Implement `stella orch sources | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-ORCH-33-001 | TODO | Add action verbs (`sources test | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-ORCH-34-001 | TODO | Provide backfill wizard (`--from/--to --dry-run`), quota management (`quotas get | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-PACKS-42-001 | TODO | Implement Task Pack commands (`pack plan/run/push/pull/verify`) with schema validation, expression sandbox, plan/simulate engine, remote execution. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-PACKS-43-001 | TODO | Deliver advanced pack features (approvals pause/resume, secret injection, localization, man pages, offline cache). | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-PARITY-41-001 | TODO | Deliver parity command groups (`policy`, `sbom`, `vuln`, `vex`, `advisory`, `export`, `orchestrator`) with `--explain`, deterministic outputs, and parity matrix entries. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-PARITY-41-002 | TODO | Implement `notify`, `aoc`, `auth` command groups, idempotency keys, shell completions, config docs, and parity matrix export tooling. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-POLICY-20-001 | TODO | Add `stella policy new | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-POLICY-23-004 | TODO | Add `stella policy lint` command validating SPL files with compiler diagnostics; support JSON output. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-POLICY-23-005 | DOING (2025-10-28) | Implement `stella policy activate` with scheduling window, approval enforcement, and summary output. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-POLICY-23-006 | TODO | Provide `stella policy history` and `stella policy explain` commands to pull run history and explanation trees. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-POLICY-27-001 | TODO | Implement policy workspace commands (`stella policy init`, `edit`, `lint`, `compile`, `test`) with template selection, local cache, JSON output, and deterministic temp directories. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
[Experience & SDKs] 180.A) Cli.IV
Depends on: Sprint 180.A - Cli.III
Summary: Experience & SDKs focus on Cli (phase IV).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CLI-POLICY-27-002 | TODO | Add submission/review workflow commands (`stella policy version bump`, `submit`, `review comment`, `approve`, `reject`) supporting reviewer assignment, changelog capture, and exit codes. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-POLICY-27-003 | TODO | Implement `stella policy simulate` enhancements (quick vs batch, SBOM selectors, heatmap summary, manifest download) with `--json` and Markdown report output for CI. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-POLICY-27-004 | TODO | Add lifecycle commands for publish/promote/rollback/sign (`stella policy publish --sign`, `promote --env`, `rollback`) with attestation verification and canary arguments. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-POLICY-27-005 | TODO | Update CLI reference and samples for Policy Studio including JSON schemas, exit codes, and CI snippets. | DevEx/CLI Guild, Docs Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-POLICY-27-006 | TODO | Update CLI policy profiles/help text to request the new Policy Studio scope family, surface ProblemDetails guidance for `invalid_scope`, and adjust regression tests for scope failures. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-RISK-66-001 | TODO | Implement `stella risk profile list | DevEx/CLI Guild, Policy Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-RISK-66-002 | TODO | Ship `stella risk simulate` supporting SBOM/asset inputs, diff mode, and export to JSON/CSV. | DevEx/CLI Guild, Risk Engine Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-RISK-67-001 | TODO | Provide `stella risk results` with filtering, severity thresholds, explainability fetch. | DevEx/CLI Guild, Findings Ledger Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-RISK-68-001 | TODO | Add `stella risk bundle verify` and integrate with offline risk bundles. | DevEx/CLI Guild, Export Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-SDK-62-001 | TODO | Replace bespoke HTTP clients with official SDK (TS/Go) for all CLI commands; ensure modular transport for air-gapped mode. | DevEx/CLI Guild, SDK Generator Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-SDK-62-002 | TODO | Update CLI error handling to surface standardized API error envelope with `error.code` and `trace_id`. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-SDK-63-001 | TODO | Expose `stella api spec download` command retrieving aggregate OAS and verifying checksum/ETag. | DevEx/CLI Guild, API Governance Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-SDK-64-001 | TODO | Add CLI subcommand `stella sdk update` to fetch latest SDK manifests/changelogs; integrate with Notifications for deprecations. | DevEx/CLI Guild, SDK Release Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-SIG-26-001 | TODO | Implement `stella reachability upload-callgraph` and `stella reachability list/explain` commands with streaming upload, pagination, and exit codes. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-SIG-26-002 | TODO | Extend `stella policy simulate` with reachability override flags (`--reachability-state`, `--reachability-score`). | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
[Experience & SDKs] 180.A) Cli.V
Depends on: Sprint 180.A - Cli.IV
Summary: Experience & SDKs focus on Cli (phase V).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CLI-TEN-47-001 | TODO | Implement `stella login`, `whoami`, `tenants list`, persistent profiles, secure token storage, and `--tenant` override with validation. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-TEN-49-001 | TODO | Add service account token minting, delegation (`stella token delegate`), impersonation banner, and audit-friendly logging. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-VEX-30-001 | TODO | Implement `stella vex consensus list` with filters, paging, policy selection, `--json/--csv`. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-VEX-30-002 | TODO | Implement `stella vex consensus show` displaying quorum, evidence, rationale, signature status. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-VEX-30-003 | TODO | Implement `stella vex simulate` for trust/threshold overrides with JSON diff output. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-VEX-30-004 | TODO | Implement `stella vex export` for consensus NDJSON bundles with signature verification helper. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-VULN-29-001 | TODO | Implement `stella vuln list` with grouping, paging, filters, `--json/--csv`, and policy selection. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-VULN-29-002 | TODO | Implement `stella vuln show` displaying evidence, policy rationale, paths, ledger summary; support `--json` for automation. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-VULN-29-003 | TODO | Add workflow commands (`assign`, `comment`, `accept-risk`, `verify-fix`, `target-fix`, `reopen`) with filter selection (`--filter`) and idempotent retries. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-VULN-29-004 | TODO | Implement `stella vuln simulate` producing delta summaries and optional Markdown report for CI. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-VULN-29-005 | TODO | Add `stella vuln export` and `stella vuln bundle verify` commands to trigger/download evidence bundles and verify signatures. | DevEx/CLI Guild (src/Cli/StellaOps.Cli/TASKS.md)
CLI-VULN-29-006 | TODO | Update CLI docs/examples for Vulnerability Explorer with compliance checklist and CI snippets. | DevEx/CLI Guild, Docs Guild (src/Cli/StellaOps.Cli/TASKS.md)
[Experience & SDKs] 180.B) DevPortal
Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator, Sprint 170.A - Notifier
Summary: Experience & SDKs focus on DevPortal).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DEVPORT-62-001 | TODO | Select static site generator, integrate aggregate spec, build navigation + search scaffolding. | Developer Portal Guild (src/DevPortal/StellaOps.DevPortal.Site/TASKS.md)
DEVPORT-62-002 | TODO | Implement schema viewer, example rendering, copy-curl snippets, and version selector UI. | Developer Portal Guild (src/DevPortal/StellaOps.DevPortal.Site/TASKS.md)
DEVPORT-63-001 | TODO | Add Try-It console pointing at sandbox environment with token onboarding and scope info. | Developer Portal Guild, Platform Guild (src/DevPortal/StellaOps.DevPortal.Site/TASKS.md)
DEVPORT-63-002 | TODO | Embed language-specific SDK snippets and quick starts generated from tested examples. | Developer Portal Guild, SDK Generator Guild (src/DevPortal/StellaOps.DevPortal.Site/TASKS.md)
DEVPORT-64-001 | TODO | Provide offline build target bundling HTML, specs, SDK archives; ensure no external assets. | Developer Portal Guild, Export Center Guild (src/DevPortal/StellaOps.DevPortal.Site/TASKS.md)
DEVPORT-64-002 | TODO | Add automated accessibility tests, link checker, and performance budgets. | Developer Portal Guild (src/DevPortal/StellaOps.DevPortal.Site/TASKS.md)
[Experience & SDKs] 180.C) Graph
Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator, Sprint 170.A - Notifier
Summary: Experience & SDKs focus on Graph).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
GRAPH-API-28-001 | TODO | Define OpenAPI + JSON schema for graph search/query/paths/diff/export endpoints, including cost metadata and streaming tile schema. | Graph API Guild (src/Graph/StellaOps.Graph.Api/TASKS.md)
GRAPH-API-28-002 | TODO | Implement `/graph/search` with multi-type index lookup, prefix/exact match, RBAC enforcement, and result ranking + caching. | Graph API Guild (src/Graph/StellaOps.Graph.Api/TASKS.md)
GRAPH-API-28-003 | TODO | Build query planner + cost estimator for `/graph/query`, stream tiles (nodes/edges/stats) progressively, enforce budgets, provide cursor tokens. | Graph API Guild (src/Graph/StellaOps.Graph.Api/TASKS.md)
GRAPH-API-28-004 | TODO | Implement `/graph/paths` with depth ≤6, constraint filters, heuristic shortest path search, and optional policy overlay rendering. | Graph API Guild (src/Graph/StellaOps.Graph.Api/TASKS.md)
GRAPH-API-28-005 | TODO | Implement `/graph/diff` streaming added/removed/changed nodes/edges between SBOM snapshots; include overlay deltas and policy/VEX/advisory metadata. | Graph API Guild (src/Graph/StellaOps.Graph.Api/TASKS.md)
GRAPH-API-28-006 | TODO | Consume Policy Engine overlay contract (`POLICY-ENGINE-30-001..003`) and surface advisory/VEX/policy overlays with caching, partial materialization, and explain trace sampling for focused nodes. | Graph API Guild (src/Graph/StellaOps.Graph.Api/TASKS.md)
GRAPH-API-28-007 | TODO | Implement exports (`graphml`, `csv`, `ndjson`, `png`, `svg`) with async job management, checksum manifests, and streaming downloads. | Graph API Guild (src/Graph/StellaOps.Graph.Api/TASKS.md)
GRAPH-API-28-008 | TODO | Integrate RBAC scopes (`graph:read`, `graph:query`, `graph:export`), tenant headers, audit logging, and rate limiting. | Graph API Guild, Authority Guild (src/Graph/StellaOps.Graph.Api/TASKS.md)
GRAPH-API-28-009 | TODO | Instrument metrics (`graph_tile_latency_seconds`, `graph_query_budget_denied_total`, `graph_overlay_cache_hit_ratio`), structured logs, and traces per query stage; publish dashboards. | Graph API Guild, Observability Guild (src/Graph/StellaOps.Graph.Api/TASKS.md)
GRAPH-API-28-010 | TODO | Build unit/integration/load tests with synthetic datasets (500k nodes/2M edges), fuzz query validation, verify determinism across runs. | Graph API Guild, QA Guild (src/Graph/StellaOps.Graph.Api/TASKS.md)
GRAPH-API-28-011 | TODO | Provide deployment manifests, offline kit support, API gateway integration docs, and smoke tests. | Graph API Guild, DevOps Guild (src/Graph/StellaOps.Graph.Api/TASKS.md)
[Experience & SDKs] 180.D) Sdk
Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator, Sprint 170.A - Notifier
Summary: Experience & SDKs focus on Sdk).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
SDKGEN-62-001 | TODO | Choose/pin generator toolchain, set up language template pipeline, and enforce reproducible builds. | SDK Generator Guild (src/Sdk/StellaOps.Sdk.Generator/TASKS.md)
SDKGEN-62-002 | TODO | Implement shared post-processing (auth helpers, retries, pagination utilities, telemetry hooks) applied to all languages. | SDK Generator Guild (src/Sdk/StellaOps.Sdk.Generator/TASKS.md)
SDKGEN-63-001 | TODO | Ship TypeScript SDK alpha with ESM/CJS builds, typed errors, paginator, streaming helpers. | SDK Generator Guild (src/Sdk/StellaOps.Sdk.Generator/TASKS.md)
SDKGEN-63-002 | TODO | Ship Python SDK alpha (sync/async clients, type hints, upload/download helpers). | SDK Generator Guild (src/Sdk/StellaOps.Sdk.Generator/TASKS.md)
SDKGEN-63-003 | TODO | Ship Go SDK alpha with context-first API and streaming helpers. | SDK Generator Guild (src/Sdk/StellaOps.Sdk.Generator/TASKS.md)
SDKGEN-63-004 | TODO | Ship Java SDK alpha (builder pattern, HTTP client abstraction). | SDK Generator Guild (src/Sdk/StellaOps.Sdk.Generator/TASKS.md)
SDKGEN-64-001 | TODO | Switch CLI to consume TS or Go SDK; ensure parity. | SDK Generator Guild, CLI Guild (src/Sdk/StellaOps.Sdk.Generator/TASKS.md)
SDKGEN-64-002 | TODO | Integrate SDKs into Console data providers where feasible. | SDK Generator Guild, Console Guild (src/Sdk/StellaOps.Sdk.Generator/TASKS.md)
SDKREL-63-001 | TODO | Configure CI pipelines for npm, PyPI, Maven Central staging, and Go proxies with signing and provenance attestations. | SDK Release Guild (src/Sdk/StellaOps.Sdk.Release/TASKS.md)
SDKREL-63-002 | TODO | Integrate changelog automation pulling from OAS diffs and generator metadata. | SDK Release Guild, API Governance Guild (src/Sdk/StellaOps.Sdk.Release/TASKS.md)
SDKREL-64-001 | TODO | Hook SDK releases into Notifications Studio with scoped announcements and RSS/Atom feeds. | SDK Release Guild, Notifications Guild (src/Sdk/StellaOps.Sdk.Release/TASKS.md)
SDKREL-64-002 | TODO | Add `devportal --offline` bundle job packaging docs, specs, SDK artifacts for air-gapped users. | SDK Release Guild, Export Center Guild (src/Sdk/StellaOps.Sdk.Release/TASKS.md)
[Experience & SDKs] 180.E) UI.I
Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator, Sprint 170.A - Notifier
Summary: Experience & SDKs focus on UI (phase I).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
UI-AOC-19-001 | TODO | Add Sources dashboard tiles showing AOC pass/fail, recent violation codes, and ingest throughput per tenant. | UI Guild (src/UI/StellaOps.UI/TASKS.md)
UI-AOC-19-002 | TODO | Implement violation drill-down view highlighting offending document fields and provenance metadata. | UI Guild (src/UI/StellaOps.UI/TASKS.md)
UI-AOC-19-003 | TODO | Add "Verify last 24h" action triggering AOC verifier endpoint and surfacing CLI parity guidance. | UI Guild (src/UI/StellaOps.UI/TASKS.md)
UI-EXC-25-001 | TODO | Build Exception Center (list + kanban) with filters, sorting, workflow transitions, and audit views. | UI Guild, Governance Guild (src/UI/StellaOps.UI/TASKS.md)
UI-EXC-25-002 | TODO | Implement exception creation wizard with scope preview, justification templates, timebox guardrails. | UI Guild (src/UI/StellaOps.UI/TASKS.md)
UI-EXC-25-003 | TODO | Add inline exception drafting/proposing from Vulnerability Explorer and Graph detail panels with live simulation. | UI Guild (src/UI/StellaOps.UI/TASKS.md)
UI-EXC-25-004 | TODO | Surface exception badges, countdown timers, and explain integration across Graph/Vuln Explorer and policy views. | UI Guild (src/UI/StellaOps.UI/TASKS.md)
UI-EXC-25-005 | TODO | Add keyboard shortcuts (`x`,`a`,`r`) and ensure screen-reader messaging for approvals/revocations. | UI Guild, Accessibility Guild (src/UI/StellaOps.UI/TASKS.md)
UI-GRAPH-21-001 | TODO | Align Graph Explorer auth configuration with new `graph:*` scopes; consume scope identifiers from shared `StellaOpsScopes` exports (via generated SDK/config) instead of hard-coded strings. | UI Guild (src/UI/StellaOps.UI/TASKS.md)
UI-GRAPH-24-001 | TODO | Build Graph Explorer canvas with layered/radial layouts, virtualization, zoom/pan, and scope toggles; initial render <1.5s for sample asset. | UI Guild, SBOM Service Guild (src/UI/StellaOps.UI/TASKS.md)
UI-GRAPH-24-002 | TODO | Implement overlays (Policy, Evidence, License, Exposure), simulation toggle, path view, and SBOM diff/time-travel with accessible tooltips/AOC indicators. | UI Guild, Policy Guild (src/UI/StellaOps.UI/TASKS.md)
UI-GRAPH-24-003 | TODO | Deliver filters/search panel with facets, saved views, permalinks, and share modal. | UI Guild (src/UI/StellaOps.UI/TASKS.md)
UI-GRAPH-24-004 | TODO | Add side panels (Details, What-if, History) with upgrade simulation integration and SBOM diff viewer. | UI Guild (src/UI/StellaOps.UI/TASKS.md)
UI-GRAPH-24-006 | TODO | Ensure accessibility (keyboard nav, screen reader labels, contrast), add hotkeys (`f`,`e`,`.`), and analytics instrumentation. | UI Guild, Accessibility Guild (src/UI/StellaOps.UI/TASKS.md)
UI-LNM-22-001 | TODO | Build Evidence panel showing policy decision with advisory observations/linksets side-by-side, conflict badges, AOC chain, and raw doc download links. Docs `DOCS-LNM-22-005` waiting on delivered UI for screenshots + flows. | UI Guild, Policy Guild (src/UI/StellaOps.UI/TASKS.md)
[Experience & SDKs] 180.E) UI.II
Depends on: Sprint 180.E - UI.I
Summary: Experience & SDKs focus on UI (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
UI-LNM-22-002 | TODO | Implement filters (source, severity bucket, conflict-only, CVSS vector presence) and pagination/lazy loading for large linksets. Docs depend on finalized filtering UX. | UI Guild (src/UI/StellaOps.UI/TASKS.md)
UI-LNM-22-003 | TODO | Add VEX tab with status/justification summaries, conflict indicators, and export actions. Required for `DOCS-LNM-22-005` coverage of VEX evidence tab. | UI Guild, Excititor Guild (src/UI/StellaOps.UI/TASKS.md)
UI-LNM-22-004 | TODO | Provide permalink + copy-to-clipboard for selected component/linkset/policy combination; ensure high-contrast theme support. | UI Guild (src/UI/StellaOps.UI/TASKS.md)
UI-ORCH-32-001 | TODO | Update Console RBAC mappings to surface `Orch.Viewer`, request `orch:read` scope in token flows, and gate dashboard access/messaging accordingly. | UI Guild, Console Guild (src/UI/StellaOps.UI/TASKS.md)
UI-POLICY-13-007 | TODO | Surface policy confidence metadata (band, age, quiet provenance) on preview and report views. | UI Guild (src/UI/StellaOps.UI/TASKS.md)
UI-POLICY-20-001 | TODO | Ship Monaco-based policy editor with DSL syntax highlighting, inline diagnostics, and compliance checklist sidebar. | UI Guild (src/UI/StellaOps.UI/TASKS.md)
UI-POLICY-20-002 | TODO | Build simulation panel showing before/after counts, severity deltas, and rule hit summaries with deterministic diff rendering. | UI Guild (src/UI/StellaOps.UI/TASKS.md)
UI-POLICY-20-003 | TODO | Implement submit/review/approve workflow with comments, approvals log, and RBAC checks aligned to new Policy Studio roles (`policy:author`/`policy:review`/`policy:approve`/`policy:operate`). | UI Guild, Product Ops (src/UI/StellaOps.UI/TASKS.md)
UI-POLICY-20-004 | TODO | Add run viewer dashboards (rule heatmap, VEX wins, suppressions) with filter/search and export. | UI Guild, Observability Guild (src/UI/StellaOps.UI/TASKS.md)
UI-POLICY-23-001 | TODO | Deliver Policy Editor workspace with pack list, revision history, and scoped metadata cards. | UI Guild, Policy Guild (src/UI/StellaOps.UI/TASKS.md)
UI-POLICY-23-002 | TODO | Implement YAML editor with schema validation, lint diagnostics, and live canonicalization preview. | UI Guild (src/UI/StellaOps.UI/TASKS.md)
UI-POLICY-23-003 | TODO | Build guided rule builder (source preferences, severity mapping, VEX precedence, exceptions) with preview JSON output. | UI Guild (src/UI/StellaOps.UI/TASKS.md)
UI-POLICY-23-004 | TODO | Add review/approval workflow UI: checklists, comments, two-person approval indicator, scope scheduling. | UI Guild (src/UI/StellaOps.UI/TASKS.md)
UI-POLICY-23-005 | TODO | Integrate simulator panel (SBOM/component/advisory selection), run diff vs active policy, show explain tree and overlays. | UI Guild (src/UI/StellaOps.UI/TASKS.md)
UI-POLICY-23-006 | TODO | Implement explain view linking to evidence overlays and exceptions; provide export to JSON/PDF. | UI Guild (src/UI/StellaOps.UI/TASKS.md)
[Experience & SDKs] 180.E) UI.III
Depends on: Sprint 180.E - UI.II
Summary: Experience & SDKs focus on UI (phase III).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
UI-POLICY-27-001 | TODO | Update Console policy workspace RBAC guards, scope requests, and user messaging to reflect the new Policy Studio roles/scopes (`policy:author/review/approve/operate/audit/simulate`), including Cypress auth stubs and help text. | UI Guild, Product Ops (src/UI/StellaOps.UI/TASKS.md)
UI-SIG-26-001 | TODO | Add reachability columns/badges to Vulnerability Explorer with filters and tooltips. | UI Guild, Signals Guild (src/UI/StellaOps.UI/TASKS.md)
UI-SIG-26-002 | TODO | Enhance Why drawer with call path visualization, reachability timeline, and evidence list. | UI Guild (src/UI/StellaOps.UI/TASKS.md)
UI-SIG-26-003 | TODO | Add reachability overlay halos/time slider to SBOM Graph along with state legend. | UI Guild (src/UI/StellaOps.UI/TASKS.md)
UI-SIG-26-004 | TODO | Build Reachability Center view showing asset coverage, missing sensors, and stale facts. | UI Guild (src/UI/StellaOps.UI/TASKS.md)
[Experience & SDKs] 180.F) Web.I
Depends on: Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator, Sprint 170.A - Notifier
Summary: Experience & SDKs focus on Web (phase I).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
WEB-AIAI-31-001 `API routing` | TODO | Route `/advisory/ai/*` endpoints through gateway with RBAC/ABAC, rate limits, and telemetry headers. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-AIAI-31-002 `Batch orchestration` | TODO | Provide batching job handlers and streaming responses for CLI automation with retry/backoff. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-AIAI-31-003 `Telemetry & audit` | TODO | Emit metrics/logs (latency, guardrail blocks, validation failures) and forward anonymized prompt hashes to analytics. | BE-Base Platform Guild, Observability Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-AOC-19-001 `Shared AOC guard primitives` | DOING (2025-10-26) | Provide `AOCForbiddenKeys`, guard middleware/interceptor hooks, and error types (`AOCError`, `AOCViolationCode`) for ingestion services. Publish sample usage + analyzer to ensure guard registered. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-AOC-19-002 `Provenance & signature helpers` | TODO | Ship `ProvenanceBuilder`, checksum utilities, and signature verification helper integrated with guard logging. Cover DSSE/CMS formats with unit tests. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-AOC-19-003 `Analyzer + test fixtures` | TODO | Author Roslyn analyzer preventing ingestion modules from writing forbidden keys without guard, and provide shared test fixtures for guard validation used by Concelier/Excititor service tests. | QA Guild, BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-CONSOLE-23-001 `Global posture endpoints` | TODO | Provide consolidated `/console/dashboard` and `/console/filters` APIs returning tenant-scoped aggregates (findings by severity, VEX override counts, advisory deltas, run health, policy change log). Enforce AOC labelling, deterministic ordering, and cursor-based pagination for drill-down hints. | BE-Base Platform Guild, Product Analytics Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-CONSOLE-23-002 `Live status & SSE proxy` | TODO | Expose `/console/status` polling endpoint and `/console/runs/{id}/stream` SSE/WebSocket proxy with heartbeat/backoff, queue lag metrics, and auth scope enforcement. Surface request IDs + retry headers. | BE-Base Platform Guild, Scheduler Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-CONSOLE-23-003 `Evidence export orchestrator` | TODO | Add `/console/exports` POST/GET routes coordinating evidence bundle creation, streaming CSV/JSON exports, checksum manifest retrieval, and signed attestation references. Ensure requests honor tenant + policy scopes and expose job tracking metadata. | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-CONSOLE-23-004 `Global search router` | TODO | Implement `/console/search` endpoint accepting CVE/GHSA/PURL/SBOM identifiers, performing fan-out queries with caching, ranking, and deterministic tie-breaking. Return typed results for Console navigation; respect result caps and latency SLOs. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-CONSOLE-23-005 `Downloads manifest API` | TODO | Serve `/console/downloads` JSON manifest (images, charts, offline bundles) sourced from signed registry metadata; include integrity hashes, release notes links, and offline instructions. Provide caching headers and documentation. | BE-Base Platform Guild, DevOps Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-CONTAINERS-44-001 `Config discovery & quickstart flag` | TODO | Expose `/welcome` state, config discovery endpoint (safe values), and `QUICKSTART_MODE` handling for Console banner; add `/health/liveness`, `/health/readiness`, `/version` if missing. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-CONTAINERS-45-001 `Helm readiness support` | TODO | Ensure readiness endpoints reflect DB/queue readiness, add feature flag toggles via config map, and document NetworkPolicy ports. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-CONTAINERS-46-001 `Air-gap hardening` | TODO | Provide offline-friendly asset serving (no CDN), allow overriding object store endpoints via env, and document fallback behavior. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-EXC-25-001 `Exceptions CRUD & workflow` | TODO | Implement `/exceptions` API (create, propose, approve, revoke, list, history) with validation, pagination, and audit logging. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
[Experience & SDKs] 180.F) Web.II
Depends on: Sprint 180.F - Web.I
Summary: Experience & SDKs focus on Web (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
WEB-EXC-25-002 `Policy integration surfaces` | TODO | Extend `/policy/effective` and `/policy/simulate` responses to include exception metadata and accept overrides for simulations. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-EXC-25-003 `Notifications & events` | TODO | Publish `exception.*` events, integrate with notification hooks, enforce rate limits. | BE-Base Platform Guild, Platform Events Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-EXPORT-35-001 `Export routing` | TODO | Surface Export Center APIs (profiles/runs/download) through gateway with tenant scoping, streaming support, and viewer/operator scope checks. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-EXPORT-36-001 `Distribution endpoints` | TODO | Add distribution routes (OCI/object storage), manifest/provenance proxies, and signed URL generation. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-EXPORT-37-001 `Scheduling & verification` | TODO | Expose scheduling, retention, encryption parameters, and verification endpoints with admin scope enforcement and audit logs. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-GRAPH-21-001 `Graph endpoints` | BLOCKED (2025-10-27) | Add gateway routes for graph versions/viewport/node/path/diff/export endpoints with tenant enforcement, scope checks, and streaming responses; proxy Policy Engine diff toggles without inline logic. Adopt `StellaOpsScopes` constants for RBAC enforcement. | BE-Base Platform Guild, Graph Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-GRAPH-21-002 `Request validation` | BLOCKED (2025-10-27) | Implement bbox/zoom/path parameter validation, pagination tokens, and deterministic ordering; add contract tests for boundary conditions. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-GRAPH-21-003 `Error mapping & exports` | BLOCKED (2025-10-27) | Map graph service errors to `ERR_Graph_*`, support GraphML/JSONL export streaming, and document rate limits. | BE-Base Platform Guild, QA Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-GRAPH-21-004 `Overlay pass-through` | BLOCKED (2025-10-27) | Proxy Policy Engine overlay responses for graph endpoints while keeping gateway stateless; maintain streaming budgets and latency SLOs. | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-GRAPH-24-001 `Gateway proxy refresh` | TODO | Gateway proxy for Graph API and Policy overlays with RBAC, caching, pagination, ETags, and streaming; zero business logic. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-GRAPH-24-001 `Graph endpoints` | TODO | Implement `/graph/assets/*` endpoints (snapshots, adjacency, search) with pagination, ETags, and tenant scoping while acting as a pure proxy. | BE-Base Platform Guild, SBOM Service Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-GRAPH-24-004 `AOC enrichers` | TODO | Embed AOC summaries sourced from overlay services; ensure gateway does not compute derived severity or hints. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-GRAPH-24-004 `Telemetry aggregation` | TODO | Collect gateway metrics/logs (tile latency, proxy errors, overlay cache stats) and forward to dashboards; document sampling strategy. | BE-Base Platform Guild, Observability Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-LNM-21-001 `Advisory observation endpoints` | TODO | Surface new `/advisories/*` APIs through gateway with caching, pagination, and RBAC enforcement (`advisory:read`). | BE-Base Platform Guild, Concelier WebService Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-LNM-21-002 `VEX observation endpoints` | TODO | Expose `/vex/*` read APIs with evidence routes and export handlers; map `ERR_AGG_*` codes. | BE-Base Platform Guild, Excititor WebService Guild (src/Web/StellaOps.Web/TASKS.md)
[Experience & SDKs] 180.F) Web.III
Depends on: Sprint 180.F - Web.II
Summary: Experience & SDKs focus on Web (phase III).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
WEB-LNM-21-003 `Policy evidence aggregation` | TODO | Provide combined endpoint for Console to fetch policy result + source evidence (advisory + VEX linksets) for a component. | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-NOTIFY-38-001 `Gateway routing` | TODO | Route notifier APIs (`/notifications/*`) and WS feed through gateway with tenant scoping, viewer/operator scope enforcement, and SSE/WebSocket bridging. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-NOTIFY-39-001 `Digest & simulation endpoints` | TODO | Surface digest scheduling, quiet-hour/throttle management, and simulation APIs; ensure rate limits and audit logging. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-NOTIFY-40-001 `Escalations & localization` | TODO | Expose escalation, localization, channel health, and ack verification endpoints with admin scope enforcement and signed token validation. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-OAS-61-001 `Discovery endpoint` | TODO | Implement `GET /.well-known/openapi` returning gateway spec with version metadata, cache headers, and signed ETag. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-OAS-61-002 `Standard error envelope` | TODO | Migrate gateway errors to standard envelope and update examples; ensure telemetry logs include `error.code`. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-OAS-62-001 `Pagination & idempotency alignment` | TODO | Normalize all endpoints to cursor pagination, expose `Idempotency-Key` support, and document rate-limit headers. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-OAS-63-001 `Deprecation support` | TODO | Add deprecation header middleware, Sunset link emission, and observability metrics for deprecated routes. | BE-Base Platform Guild, API Governance Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-OBS-50-001 `Telemetry core adoption` | TODO | Integrate `StellaOps.Telemetry.Core` into gateway host, replace ad-hoc logging, ensure all routes emit trace/span IDs, tenant context, and scrubbed payload previews. | BE-Base Platform Guild, Observability Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-OBS-51-001 `Observability health endpoints` | TODO | Implement `/obs/health` and `/obs/slo` aggregations, pulling metrics from Prometheus/collector APIs, including burn-rate signals and exemplar links for Console widgets. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-OBS-52-001 `Trace & log proxies` | TODO | Deliver `/obs/trace/:id` and `/obs/logs` proxy endpoints with guardrails (time window limits, tenant scoping) forwarding to timeline indexer + log store with signed URLs. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-OBS-54-001 `Evidence & attestation bridges` | TODO | Provide `/evidence/*` and `/attestations/*` pass-through endpoints, enforce `timeline:read`, `evidence:read`, `attest:read` scopes, append provenance headers, and surface verification summaries. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-OBS-55-001 `Incident mode controls` | TODO | Add `/obs/incident-mode` API (enable/disable/status) with audit trail, sampling override, retention bump preview, and CLI/Console hooks. | BE-Base Platform Guild, Ops Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-OBS-56-001 `Sealed status surfaces` | TODO | Extend telemetry core integration to expose sealed/unsealed status APIs, drift metrics, and Console widgets without leaking sealed-mode secrets. | BE-Base Platform Guild, AirGap Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-ORCH-32-001 `Read-only routing` | TODO | Expose `/orchestrator/sources | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
[Experience & SDKs] 180.F) Web.IV
Depends on: Sprint 180.F - Web.III
Summary: Experience & SDKs focus on Web (phase IV).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
WEB-ORCH-33-001 `Control + backfill actions` | TODO | Add POST action routes (`pause | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-ORCH-34-001 `Quotas & telemetry` | TODO | Surface quotas/backfill APIs, queue/backpressure metrics, and error clustering routes with admin scope enforcement and audit logging. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-POLICY-20-001 `Policy endpoints` | TODO | Implement Policy CRUD/compile/run/simulate/findings/explain endpoints with OpenAPI, tenant scoping, and service identity enforcement. | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-POLICY-20-002 `Pagination & filters` | TODO | Add pagination, filtering, sorting, and tenant guards to listings for policies, runs, and findings; include deterministic ordering and query diagnostics. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-POLICY-20-003 `Error mapping` | TODO | Map engine errors to `ERR_POL_*` responses with consistent payloads and contract tests; expose correlation IDs in headers. | BE-Base Platform Guild, QA Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-POLICY-20-004 `Simulate rate limits` | TODO | Introduce adaptive rate limiting + quotas for simulation endpoints, expose metrics, and document retry headers. | Platform Reliability Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-POLICY-23-001 `Policy pack CRUD` | BLOCKED (2025-10-29) | Implement API endpoints for creating/listing/fetching policy packs and revisions (`/policy/packs`, `/policy/packs/{id}/revisions`) with pagination, RBAC, and AOC metadata exposure. (Tracked via Sprint 18.5 gateway tasks.) | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-POLICY-23-002 `Activation & scope` | BLOCKED (2025-10-29) | Add activation endpoint with scope windows, conflict checks, and optional 2-person approval integration; emit events on success. (Tracked via Sprint 18.5 gateway tasks.) | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-POLICY-23-003 `Simulation & evaluation` | TODO | Provide `/policy/simulate` and `/policy/evaluate` endpoints with streaming responses, rate limiting, and error mapping. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-POLICY-23-004 `Explain retrieval` | TODO | Expose explain history endpoints (`/policy/runs`, `/policy/runs/{id}`) including decision tree, sources consulted, and AOC chain. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-POLICY-27-001 `Policy registry proxy` | TODO | Surface Policy Registry APIs (`/policy/workspaces`, `/policy/versions`, `/policy/reviews`, `/policy/registry`) through gateway with tenant scoping, RBAC, and request validation; ensure streaming downloads for evidence bundles. | BE-Base Platform Guild, Policy Registry Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-POLICY-27-002 `Review & approval routes` | TODO | Implement review lifecycle endpoints (open, comment, approve/reject) with audit headers, comment pagination, and webhook fan-out. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-POLICY-27-003 `Simulation orchestration endpoints` | TODO | Expose quick/batch simulation endpoints with SSE progress (`/policy/simulations/{runId}/stream`), cursor-based result pagination, and manifest download routes. | BE-Base Platform Guild, Scheduler Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-POLICY-27-004 `Publish & promote controls` | TODO | Add publish/sign/promote/rollback endpoints with idempotent request IDs, canary parameters, and environment bindings; enforce scope checks and emit structured events. | BE-Base Platform Guild, Security Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-POLICY-27-005 `Policy Studio telemetry` | TODO | Instrument metrics/logs for compile latency, simulation queue depth, approval latency, promotion actions; expose aggregated dashboards and correlation IDs for Console. | BE-Base Platform Guild, Observability Guild (src/Web/StellaOps.Web/TASKS.md)
[Experience & SDKs] 180.F) Web.V
Depends on: Sprint 180.F - Web.IV
Summary: Experience & SDKs focus on Web (phase V).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
WEB-RISK-66-001 `Risk API routing` | TODO | Expose risk profile/results endpoints through gateway with tenant scoping, pagination, and rate limiting. | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-RISK-66-002 `Explainability downloads` | TODO | Add signed URL handling for explanation blobs and enforce scope checks. | BE-Base Platform Guild, Risk Engine Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-RISK-67-001 `Risk status endpoint` | TODO | Provide aggregated risk stats (`/risk/status`) for Console dashboards (counts per severity, last computation). | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-RISK-68-001 `Notification hooks` | TODO | Emit events on severity transitions via gateway to notifier bus with trace metadata. | BE-Base Platform Guild, Notifications Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-SIG-26-001 `Signals proxy endpoints` | TODO | Surface `/signals/callgraphs`, `/signals/facts` read/write endpoints with pagination, ETags, and RBAC. | BE-Base Platform Guild, Signals Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-SIG-26-002 `Reachability joins` | TODO | Extend `/policy/effective` and `/vuln/explorer` responses to include reachability scores/states and allow filtering. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-SIG-26-003 `Simulation hooks` | TODO | Add reachability override parameters to `/policy/simulate` and related APIs for what-if analysis. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-TEN-47-001 `Auth middleware` | TODO | Implement JWT verification, tenant activation from headers, scope matching, and decision audit emission for all API endpoints. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-TEN-48-001 `Tenant context propagation` | TODO | Set DB session `stella.tenant_id`, enforce tenant/project checks on persistence, prefix object storage paths, and stamp audit metadata. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-TEN-49-001 `ABAC & audit API` | TODO | Integrate optional ABAC overlay with Policy Engine, expose `/audit/decisions` API, and support service token minting endpoints. | BE-Base Platform Guild, Policy Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-VEX-30-007 `VEX consensus routing` | TODO | Route `/vex/consensus` APIs with tenant RBAC/ABAC, caching, and streaming; surface telemetry and trace IDs without gateway-side overlay logic. | BE-Base Platform Guild, VEX Lens Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-VULN-29-001 `Vuln API routing` | TODO | Expose `/vuln/*` endpoints via gateway with tenant scoping, RBAC/ABAC enforcement, anti-forgery headers, and request logging. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-VULN-29-002 `Ledger proxy headers` | TODO | Forward workflow actions to Findings Ledger with idempotency headers and correlation IDs; handle retries/backoff. | BE-Base Platform Guild, Findings Ledger Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-VULN-29-003 `Simulation + export routing` | TODO | Provide simulation and export orchestration routes with SSE/progress headers, signed download links, and request budgeting. | BE-Base Platform Guild (src/Web/StellaOps.Web/TASKS.md)
WEB-VULN-29-004 `Telemetry aggregation` | TODO | Emit gateway metrics/logs (latency, error rates, export duration), propagate query hashes for analytics dashboards. | BE-Base Platform Guild, Observability Guild (src/Web/StellaOps.Web/TASKS.md)
If all tasks are done - read next sprint section - SPRINT_190_ops_offline.md

237
docs/implplan/SPRINT_190_ops_offline.md Normal file
View File

@@ -0,0 +1,237 @@
# Sprint 190 - Ops & Offline
[Ops & Offline] 190.A) Ops Deployment.I
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli
Summary: Ops & Offline focus on Ops Deployment (phase I).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
COMPOSE-44-001 | TODO | Author `docker-compose.yml`, `.env.example`, and `quickstart.sh` with all core services + dependencies (postgres, redis, object-store, queue, otel). | Deployment Guild, DevEx Guild (ops/deployment/TASKS.md)
COMPOSE-44-002 | TODO | Implement `backup.sh` and `reset.sh` scripts with safety prompts and documentation. | Deployment Guild (ops/deployment/TASKS.md)
COMPOSE-44-003 | TODO | Package seed data container and onboarding wizard toggle (`QUICKSTART_MODE`), ensuring default creds randomized on first run. | Deployment Guild, Docs Guild (ops/deployment/TASKS.md)
DEPLOY-AIAI-31-001 | TODO | Provide Helm/Compose manifests, GPU toggle, scaling/runbook, and offline kit instructions for Advisory AI service + inference container. | Deployment Guild, Advisory AI Guild (ops/deployment/TASKS.md)
DEPLOY-AIRGAP-46-001 | TODO | Provide instructions and scripts (`load.sh`) for importing air-gap bundle into private registry; update Offline Kit guide. | Deployment Guild, Offline Kit Guild (ops/deployment/TASKS.md)
DEPLOY-CLI-41-001 | TODO | Package CLI release artifacts (tarballs per OS/arch, checksums, signatures, completions, container image) and publish distribution docs. | Deployment Guild, DevEx/CLI Guild (ops/deployment/TASKS.md)
DEPLOY-COMPOSE-44-001 | TODO | Finalize Quickstart scripts (`quickstart.sh`, `backup.sh`, `reset.sh`), seed data container, and publish README with imposed rule reminder. | Deployment Guild (ops/deployment/TASKS.md)
DEPLOY-EXPORT-35-001 | BLOCKED (2025-10-29) | Package exporter service/worker Helm overlays (download-only), document rollout/rollback, and integrate signing KMS secrets. | Deployment Guild, Exporter Service Guild (ops/deployment/TASKS.md)
DEPLOY-EXPORT-36-001 | TODO | Document OCI/object storage distribution workflows, registry credential automation, and monitoring hooks for exports. | Deployment Guild, Exporter Service Guild (ops/deployment/TASKS.md)
DEPLOY-HELM-45-001 | TODO | Publish Helm install guide and sample values for prod/airgap; integrate with docs site build. | Deployment Guild (ops/deployment/TASKS.md)
DEPLOY-NOTIFY-38-001 | BLOCKED (2025-10-29) | Package notifier API/worker Helm overlays (email/chat/webhook), secrets templates, rollout guide. | Deployment Guild, DevOps Guild (ops/deployment/TASKS.md)
DEPLOY-ORCH-34-001 | TODO | Provide orchestrator Helm/Compose manifests, scaling defaults, secret templates, offline kit instructions, and GA rollout/rollback playbook. | Deployment Guild, Orchestrator Service Guild (ops/deployment/TASKS.md)
DEPLOY-PACKS-42-001 | TODO | Provide deployment manifests for packs-registry and task-runner services, including Helm/Compose overlays, scaling defaults, and secret templates. | Deployment Guild, Packs Registry Guild (ops/deployment/TASKS.md)
DEPLOY-PACKS-43-001 | TODO | Ship remote Task Runner worker profiles, object storage bootstrap, approval workflow integration, and Offline Kit packaging instructions. | Deployment Guild, Task Runner Guild (ops/deployment/TASKS.md)
DEPLOY-POLICY-27-001 | TODO | Produce Helm/Compose overlays for Policy Registry + simulation workers, including Mongo migrations, object storage buckets, signing key secrets, and tenancy defaults. | Deployment Guild, Policy Registry Guild (ops/deployment/TASKS.md)
[Ops & Offline] 190.A) Ops Deployment.II
Depends on: Sprint 190.A - Ops Deployment.I
Summary: Ops & Offline focus on Ops Deployment (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DEPLOY-POLICY-27-002 | TODO | Document rollout/rollback playbooks for policy publish/promote (canary strategy, emergency freeze toggle, evidence retrieval) under `/docs/runbooks/policy-incident.md`. | Deployment Guild, Policy Guild (ops/deployment/TASKS.md)
DEPLOY-VEX-30-001 | TODO | Provide Helm/Compose overlays, scaling defaults, and offline kit instructions for VEX Lens service. | Deployment Guild, VEX Lens Guild (ops/deployment/TASKS.md)
DEPLOY-VEX-30-002 | TODO | Package Issuer Directory deployment manifests, backups, and security hardening guidance. | Deployment Guild, Issuer Directory Guild (ops/deployment/TASKS.md)
DEPLOY-VULN-29-001 | TODO | Produce Helm/Compose overlays for Findings Ledger + projector, including DB migrations, Merkle anchor jobs, and scaling guidance. | Deployment Guild, Findings Ledger Guild (ops/deployment/TASKS.md)
DEPLOY-VULN-29-002 | TODO | Package `stella-vuln-explorer-api` deployment manifests, health checks, autoscaling policies, and offline kit instructions with signed images. | Deployment Guild, Vuln Explorer API Guild (ops/deployment/TASKS.md)
DOWNLOADS-CONSOLE-23-001 | TODO | Maintain signed downloads manifest pipeline (images, Helm, offline bundles), publish JSON under `deploy/downloads/manifest.json`, and document sync cadence for Console + docs parity. | Deployment Guild, DevOps Guild (ops/deployment/TASKS.md)
HELM-45-001 | TODO | Scaffold `deploy/helm/stella` chart with values, component toggles, and pinned image digests for all services; include migration Job templates. | Deployment Guild (ops/deployment/TASKS.md)
HELM-45-002 | TODO | Add TLS/Ingress, NetworkPolicy, PodSecurityContexts, Secrets integration (external secrets), and document security posture. | Deployment Guild, Security Guild (ops/deployment/TASKS.md)
HELM-45-003 | TODO | Implement HPA, PDB, readiness gates, Prometheus scraping annotations, OTel configuration hooks, and upgrade hooks. | Deployment Guild, Observability Guild (ops/deployment/TASKS.md)
[Ops & Offline] 190.B) Ops Devops.I
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli
Summary: Ops & Offline focus on Ops Devops (phase I).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DEVOPS-AIAI-31-001 | TODO | Stand up CI pipelines, inference monitoring, privacy logging review, and perf dashboards for Advisory AI (summaries/conflicts/remediation). | DevOps Guild, Advisory AI Guild (ops/devops/TASKS.md)
DEVOPS-AIRGAP-56-001 | TODO | Ship deny-all egress policies for Kubernetes (NetworkPolicy/eBPF) and docker-compose firewall rules; provide verification script for sealed mode. | DevOps Guild (ops/devops/TASKS.md)
DEVOPS-AIRGAP-56-002 | TODO | Provide import tooling for bundle staging: checksum validation, offline object-store loader scripts, removable media guidance. | DevOps Guild, AirGap Importer Guild (ops/devops/TASKS.md)
DEVOPS-AIRGAP-56-003 | TODO | Build Bootstrap Pack pipeline bundling images/charts, generating checksums, and publishing manifest for offline transfer. | DevOps Guild, Container Distribution Guild (ops/devops/TASKS.md)
DEVOPS-AIRGAP-57-001 | TODO | Automate Mirror Bundle creation jobs with dual-control approvals, artifact signing, and checksum publication. | DevOps Guild, Mirror Creator Guild (ops/devops/TASKS.md)
DEVOPS-AIRGAP-57-002 | TODO | Configure sealed-mode CI tests that run services with sealed flag and ensure no egress occurs (iptables + mock DNS). | DevOps Guild, Authority Guild (ops/devops/TASKS.md)
DEVOPS-AIRGAP-58-001 | TODO | Provide local SMTP/syslog container templates and health checks for sealed environments; integrate into Bootstrap Pack. | DevOps Guild, Notifications Guild (ops/devops/TASKS.md)
DEVOPS-AIRGAP-58-002 | TODO | Ship sealed-mode observability stack (Prometheus/Grafana/Tempo/Loki) pre-configured with offline dashboards and no remote exporters. | DevOps Guild, Observability Guild (ops/devops/TASKS.md)
DEVOPS-AOC-19-001 | BLOCKED (2025-10-26) | Integrate the AOC Roslyn analyzer and guard tests into CI, failing builds when ingestion projects attempt banned writes. | DevOps Guild, Platform Guild (ops/devops/TASKS.md)
DEVOPS-AOC-19-002 | BLOCKED (2025-10-26) | Add pipeline stage executing `stella aoc verify --since` against seeded Mongo snapshots for Concelier + Excititor, publishing violation report artefacts. | DevOps Guild (ops/devops/TASKS.md)
DEVOPS-AOC-19-003 | BLOCKED (2025-10-26) | Enforce unit test coverage thresholds for AOC guard suites and ensure coverage exported to dashboards. | DevOps Guild, QA Guild (ops/devops/TASKS.md)
DEVOPS-AOC-19-101 | TODO (2025-10-28) | Draft supersedes backfill rollout (freeze window, dry-run steps, rollback) once advisory_raw idempotency index passes staging verification. | DevOps Guild, Concelier Storage Guild (ops/devops/TASKS.md)
DEVOPS-ATTEST-73-001 | TODO | Provision CI pipelines for attestor service (lint/test/security scan, seed data) and manage secrets for KMS drivers. | DevOps Guild, Attestor Service Guild (ops/devops/TASKS.md)
DEVOPS-ATTEST-73-002 | TODO | Establish secure storage for signing keys (vault integration, rotation schedule) and audit logging. | DevOps Guild, KMS Guild (ops/devops/TASKS.md)
DEVOPS-ATTEST-74-001 | TODO | Deploy transparency log witness infrastructure and monitoring. | DevOps Guild, Transparency Guild (ops/devops/TASKS.md)
[Ops & Offline] 190.B) Ops Devops.II
Depends on: Sprint 190.B - Ops Devops.I
Summary: Ops & Offline focus on Ops Devops (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DEVOPS-ATTEST-74-002 | TODO | Integrate attestation bundle builds into release/offline pipelines with checksum verification. | DevOps Guild, Export Attestation Guild (ops/devops/TASKS.md)
DEVOPS-ATTEST-75-001 | TODO | Add dashboards/alerts for signing latency, verification failures, key rotation events. | DevOps Guild, Observability Guild (ops/devops/TASKS.md)
DEVOPS-CLI-41-001 | TODO | Establish CLI build pipeline (multi-platform binaries, SBOM, checksums), parity matrix CI enforcement, and release artifact signing. | DevOps Guild, DevEx/CLI Guild (ops/devops/TASKS.md)
DEVOPS-CLI-42-001 | TODO | Add CLI golden output tests, parity diff automation, pack run CI harness, and artifact cache for remote mode. | DevOps Guild (ops/devops/TASKS.md)
DEVOPS-CLI-43-001 | DOING (2025-10-27) | Finalize multi-platform release automation, SBOM signing, parity gate enforcement, and Task Pack chaos tests. | DevOps Guild (ops/devops/TASKS.md)
DEVOPS-CLI-43-002 | TODO | Implement Task Pack chaos smoke in CI (random failure injection, resume, sealed-mode toggle) and publish evidence bundles for review. | DevOps Guild, Task Runner Guild (ops/devops/TASKS.md)
DEVOPS-CLI-43-003 | TODO | Integrate CLI golden output/parity diff automation into release gating; export parity report artifact consumed by Console Downloads workspace. | DevOps Guild, DevEx/CLI Guild (ops/devops/TASKS.md)
DEVOPS-CONSOLE-23-001 | BLOCKED (2025-10-26) | Add console CI workflow (pnpm cache, lint, type-check, unit, Storybook a11y, Playwright, Lighthouse) with offline runners and artifact retention for screenshots/reports. | DevOps Guild, Console Guild (ops/devops/TASKS.md)
DEVOPS-CONSOLE-23-002 | TODO | Produce `stella-console` container build + Helm chart overlays with deterministic digests, SBOM/provenance artefacts, and offline bundle packaging scripts. | DevOps Guild, Console Guild (ops/devops/TASKS.md)
DEVOPS-CONTAINERS-44-001 | TODO | Automate multi-arch image builds with buildx, SBOM generation, cosign signing, and signature verification in CI. | DevOps Guild (ops/devops/TASKS.md)
DEVOPS-CONTAINERS-45-001 | TODO | Add Compose and Helm smoke tests (fresh VM + kind cluster) to CI; publish test artifacts and logs. | DevOps Guild (ops/devops/TASKS.md)
DEVOPS-CONTAINERS-46-001 | TODO | Build air-gap bundle generator (`src/Tools/make-airgap-bundle.sh`), produce signed bundle, and verify in CI using private registry. | DevOps Guild (ops/devops/TASKS.md)
DEVOPS-DEVPORT-63-001 | TODO | Automate developer portal build pipeline with caching, link & accessibility checks, performance budgets. | DevOps Guild, Developer Portal Guild (ops/devops/TASKS.md)
DEVOPS-DEVPORT-64-001 | TODO | Schedule `devportal --offline` nightly builds with checksum validation and artifact retention policies. | DevOps Guild, DevPortal Offline Guild (ops/devops/TASKS.md)
DEVOPS-EXPORT-35-001 | BLOCKED (2025-10-29) | Establish exporter CI pipeline (lint/test/perf smoke), configure object storage fixtures, seed Grafana dashboards, and document bootstrap steps. | DevOps Guild, Exporter Service Guild (ops/devops/TASKS.md)
[Ops & Offline] 190.B) Ops Devops.III
Depends on: Sprint 190.B - Ops Devops.II
Summary: Ops & Offline focus on Ops Devops (phase III).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DEVOPS-EXPORT-36-001 | TODO | Integrate Trivy compatibility validation, cosign signature checks, `trivy module db import` smoke tests, OCI distribution verification, and throughput/error dashboards. | DevOps Guild, Exporter Service Guild (ops/devops/TASKS.md)
DEVOPS-EXPORT-37-001 | TODO | Finalize exporter monitoring (failure alerts, verify metrics, retention jobs) and chaos/latency tests ahead of GA. | DevOps Guild, Exporter Service Guild (ops/devops/TASKS.md)
DEVOPS-GRAPH-24-001 | TODO | Load test graph index/adjacency APIs with 40k-node assets; capture perf dashboards and alert thresholds. | DevOps Guild, SBOM Service Guild (ops/devops/TASKS.md)
DEVOPS-GRAPH-24-002 | TODO | Integrate synthetic UI perf runs (Playwright/WebGL metrics) for Graph/Vuln explorers; fail builds on regression. | DevOps Guild, UI Guild (ops/devops/TASKS.md)
DEVOPS-GRAPH-24-003 | TODO | Implement smoke job for simulation endpoints ensuring we stay within SLA (<3s upgrade) and log results. | DevOps Guild (ops/devops/TASKS.md)
DEVOPS-LNM-22-001 | BLOCKED (2025-10-27) | Run migration/backfill pipelines for advisory observations/linksets in staging, validate counts/conflicts, and automate deployment steps. Awaiting storage backfill tooling. | DevOps Guild, Concelier Guild (ops/devops/TASKS.md)
DEVOPS-LNM-22-002 | BLOCKED (2025-10-27) | Execute VEX observation/linkset backfill with monitoring; ensure NATS/Redis events integrated; document ops runbook. Blocked until Excititor storage migration lands. | DevOps Guild, Excititor Guild (ops/devops/TASKS.md)
DEVOPS-LNM-22-003 | TODO | Add CI/monitoring coverage for new metrics (`advisory_observations_total`, `linksets_total`, etc.) and alerts on ingest-to-API SLA breaches. | DevOps Guild, Observability Guild (ops/devops/TASKS.md)
DEVOPS-OAS-61-001 | TODO | Add CI stages for OpenAPI linting, validation, and compatibility diff; enforce gating on PRs. | DevOps Guild, API Contracts Guild (ops/devops/TASKS.md)
DEVOPS-OAS-61-002 | TODO | Integrate mock server + contract test suite into PR and nightly workflows; publish artifacts. | DevOps Guild, Contract Testing Guild (ops/devops/TASKS.md)
DEVOPS-OBS-50-002 | DOING (2025-10-26) | Stand up multi-tenant storage backends (Prometheus, Tempo/Jaeger, Loki) with retention policies, tenant isolation, and redaction guard rails. Integrate with Authority scopes for read paths. | DevOps Guild, Security Guild (ops/devops/TASKS.md)
DEVOPS-OBS-51-001 | TODO | Implement SLO evaluator service (burn rate calculators, webhook emitters), Grafana dashboards, and alert routing to Notifier. Provide Terraform/Helm automation. | DevOps Guild, Observability Guild (ops/devops/TASKS.md)
DEVOPS-OBS-52-001 | TODO | Configure streaming pipeline (NATS/Redis/Kafka) with retention, partitioning, and backpressure tuning for timeline events; add CI validation of schema + rate caps. | DevOps Guild, Timeline Indexer Guild (ops/devops/TASKS.md)
DEVOPS-OBS-53-001 | TODO | Provision object storage with WORM/retention options (S3 Object Lock / MinIO immutability), legal hold automation, and backup/restore scripts for evidence locker. | DevOps Guild, Evidence Locker Guild (ops/devops/TASKS.md)
DEVOPS-OBS-54-001 | TODO | Manage provenance signing infrastructure (KMS keys, rotation schedule, timestamp authority integration) and integrate verification jobs into CI. | DevOps Guild, Security Guild (ops/devops/TASKS.md)
[Ops & Offline] 190.B) Ops Devops.IV
Depends on: Sprint 190.B - Ops Devops.III
Summary: Ops & Offline focus on Ops Devops (phase IV).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DEVOPS-OBS-55-001 | TODO | Implement incident mode automation: feature flag service, auto-activation via SLO burn-rate, retention override management, and post-incident reset job. | DevOps Guild, Ops Guild (ops/devops/TASKS.md)
DEVOPS-ORCH-32-001 | TODO | Provision orchestrator Postgres/message-bus infrastructure, add CI smoke deploy, seed Grafana dashboards (queue depth, inflight jobs), and document bootstrap. | DevOps Guild, Orchestrator Service Guild (ops/devops/TASKS.md)
DEVOPS-ORCH-33-001 | TODO | Publish Grafana dashboards/alerts for rate limiter, backpressure, error clustering, and DLQ depth; integrate with on-call rotations. | DevOps Guild, Observability Guild (ops/devops/TASKS.md)
DEVOPS-ORCH-34-001 | TODO | Harden production monitoring (synthetic probes, burn-rate alerts, replay smoke), document incident response, and prep GA readiness checklist. | DevOps Guild, Orchestrator Service Guild (ops/devops/TASKS.md)
DEVOPS-POLICY-27-001 | TODO | Add CI pipeline stages to run `stella policy lint | DevOps Guild, DevEx/CLI Guild (ops/devops/TASKS.md)
DEVOPS-POLICY-27-002 | TODO | Provide optional batch simulation CI job (staging inventory) that triggers Registry run, polls results, and posts markdown summary to PR; enforce drift thresholds. | DevOps Guild, Policy Registry Guild (ops/devops/TASKS.md)
DEVOPS-POLICY-27-003 | TODO | Manage signing key material for policy publish pipeline (OIDC workload identity + cosign), rotate keys, and document verification steps; integrate attestation verification stage. | DevOps Guild, Security Guild (ops/devops/TASKS.md)
DEVOPS-POLICY-27-004 | TODO | Create dashboards/alerts for policy compile latency, simulation queue depth, approval latency, and promotion outcomes; integrate with on-call playbooks. | DevOps Guild, Observability Guild (ops/devops/TASKS.md)
DEVOPS-REL-17-004 | BLOCKED (2025-10-26) | Ensure release workflow publishes `out/release/debug` (build-id tree + manifest) and fails when symbols are missing. | DevOps Guild (ops/devops/TASKS.md)
DEVOPS-RULES-33-001 | REVIEW (2025-10-30) | Contracts & Rules anchor:<br>• Gateway proxies only; Policy Engine composes overlays/simulations.<br>• AOC ingestion cannot merge; only lossless canonicalization.<br>• One graph platform: Graph Indexer + Graph API. Cartographer retired. | DevOps Guild, Platform Leads (ops/devops/TASKS.md)
DEVOPS-SDK-63-001 | TODO | Provision registry credentials, signing keys, and secure storage for SDK publishing pipelines. | DevOps Guild, SDK Release Guild (ops/devops/TASKS.md)
DEVOPS-SIG-26-001 | TODO | Provision CI/CD pipelines, Helm/Compose manifests for Signals service, including artifact storage and Redis dependencies. | DevOps Guild, Signals Guild (ops/devops/TASKS.md)
DEVOPS-SIG-26-002 | TODO | Create dashboards/alerts for reachability scoring latency, cache hit rates, sensor staleness. | DevOps Guild, Observability Guild (ops/devops/TASKS.md)
DEVOPS-TEN-47-001 | TODO | Add JWKS cache monitoring, signature verification regression tests, and token expiration chaos tests to CI. | DevOps Guild (ops/devops/TASKS.md)
DEVOPS-TEN-48-001 | TODO | Build integration tests to assert RLS enforcement, tenant-prefixed object storage, and audit event emission; set up lint to prevent raw SQL bypass. | DevOps Guild (ops/devops/TASKS.md)
[Ops & Offline] 190.B) Ops Devops.V
Depends on: Sprint 190.B - Ops Devops.IV
Summary: Ops & Offline focus on Ops Devops (phase V).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DEVOPS-TEN-49-001 | TODO | Deploy audit pipeline, scope usage metrics, JWKS outage chaos tests, and tenant load/perf benchmarks. | DevOps Guild (ops/devops/TASKS.md)
DEVOPS-VEX-30-001 | TODO | Provision CI, load tests, dashboards, alerts for VEX Lens and Issuer Directory (compute latency, disputed totals, signature verification rates). | DevOps Guild, VEX Lens Guild (ops/devops/TASKS.md)
DEVOPS-VULN-29-001 | TODO | Provision CI jobs for ledger projector (replay, determinism), set up backups, monitor Merkle anchoring, and automate verification. | DevOps Guild, Findings Ledger Guild (ops/devops/TASKS.md)
DEVOPS-VULN-29-002 | TODO | Configure load/perf tests (5M findings/tenant), query budget enforcement, API SLO dashboards, and alerts for `vuln_list_latency` and `projection_lag`. | DevOps Guild, Vuln Explorer API Guild (ops/devops/TASKS.md)
DEVOPS-VULN-29-003 | TODO | Instrument analytics pipeline for Vuln Explorer (telemetry ingestion, query hashes), ensure compliance with privacy/PII guardrails, and update observability docs. | DevOps Guild, Console Guild (ops/devops/TASKS.md)
DOCKER-44-001 | TODO | Author multi-stage Dockerfiles for all core services (API, Console, Orchestrator, Task Runner, Conseiller, Excitator, Policy, Notify, Export, AI) with non-root users, read-only file systems, and health scripts. | DevOps Guild, Service Owners (ops/devops/TASKS.md)
DOCKER-44-002 | TODO | Generate SBOMs and cosign attestations for each image and integrate verification into CI. | DevOps Guild (ops/devops/TASKS.md)
DOCKER-44-003 | TODO | Implement `/health/liveness`, `/health/readiness`, `/version`, `/metrics`, and ensure capability endpoint returns `merge=false` for Conseiller/Excitator. | DevOps Guild (ops/devops/TASKS.md)
OPS-ENV-01 | TODO | Update deployment manifests (Helm/Compose) and configuration docs to include Surface.Env variables for Scanner and Zastava services. | DevOps Guild, Scanner Guild (ops/devops/TASKS.md)
OPS-SECRETS-01 | TODO | Define secret provisioning workflow (Kubernetes, Compose, Offline Kit) for Surface.Secrets references and update runbooks. | DevOps Guild, Security Guild (ops/devops/TASKS.md)
OPS-SECRETS-02 | TODO | Embed Surface.Secrets material (encrypted bundles, manifests) into offline kit packaging scripts. | DevOps Guild, Offline Kit Guild (ops/devops/TASKS.md)
[Ops & Offline] 190.C) Ops Offline Kit
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli
Summary: Ops & Offline focus on Ops Offline Kit).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CLI-PACKS-43-002 | TODO | Bundle Task Pack samples, registry mirror seeds, Task Runner configs, and CLI binaries with checksums into Offline Kit. | Offline Kit Guild, Packs Registry Guild (ops/offline-kit/TASKS.md)
DEVOPS-OFFLINE-17-004 | BLOCKED (2025-10-26) | Execute `mirror_debug_store.py` after the next release pipeline emits `out/release/debug`, verify manifest hashes, and archive `metadata/debug-store.json` with the kit. | Offline Kit Guild, DevOps Guild (ops/offline-kit/TASKS.md)
DEVOPS-OFFLINE-34-006 | TODO | Bundle orchestrator service container, worker SDK samples, Postgres snapshot, and dashboards into Offline Kit with manifest/signature updates. | Offline Kit Guild, Orchestrator Service Guild (ops/offline-kit/TASKS.md)
DEVOPS-OFFLINE-37-001 | TODO | Export Center offline bundles + verification tooling (mirror artefacts, verification CLI, manifest/signature refresh, air-gap import script). | Offline Kit Guild, Exporter Service Guild (ops/offline-kit/TASKS.md)
DEVOPS-OFFLINE-37-002 | TODO | Notifier offline packs (sample configs, template/digest packs, dry-run harness) with integrity checks and operator docs. | Offline Kit Guild, Notifications Service Guild (ops/offline-kit/TASKS.md)
OFFLINE-CONTAINERS-46-001 | TODO | Include container air-gap bundle, verification docs, and mirrored registry instructions inside Offline Kit. | Offline Kit Guild, Deployment Guild (ops/offline-kit/TASKS.md)
OPS-SECRETS-02 | TODO | Add Surface.Secrets bundles (encrypted creds, manifests) to Offline Kit packaging plus verification script. | Offline Kit Guild, DevOps Guild (ops/offline-kit/TASKS.md)
[Ops & Offline] 190.D) Samples
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli
Summary: Ops & Offline focus on Samples).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
SAMPLES-GRAPH-24-003 | TODO | Generate large-scale SBOM graph fixture (≈40k nodes) with policy overlay snapshot for performance/perf regression suites. | Samples Guild, SBOM Service Guild (samples/TASKS.md)
SAMPLES-GRAPH-24-004 | TODO | Create vulnerability explorer JSON/CSV fixtures capturing conflicting evidence and policy outputs for UI/CLI automated tests. | Samples Guild, UI Guild (samples/TASKS.md)
SAMPLES-LNM-22-001 | BLOCKED (2025-10-27) | Create advisory observation/linkset fixtures (NVD, GHSA, OSV disagreements) for API/CLI/UI tests with documented conflicts. Waiting on finalized schema/linkset outputs. | Samples Guild, Concelier Guild (samples/TASKS.md)
SAMPLES-LNM-22-002 | BLOCKED (2025-10-27) | Produce VEX observation/linkset fixtures demonstrating status conflicts and path relevance; include raw blobs. Pending Excititor observation/linkset implementation. | Samples Guild, Excititor Guild (samples/TASKS.md)
[Ops & Offline] 190.E) AirGap
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli
Summary: Ops & Offline focus on AirGap).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
AIRGAP-CTL-56-001 | TODO | Implement `airgap_state` persistence, seal/unseal state machine, and Authority scope checks (`airgap:seal`, `airgap:status:read`). | AirGap Controller Guild (src/AirGap/StellaOps.AirGap.Controller/TASKS.md)
AIRGAP-CTL-56-002 | TODO | Expose `GET /system/airgap/status`, `POST /system/airgap/seal`, integrate policy hash validation, and return staleness/time anchor placeholders. | AirGap Controller Guild, DevOps Guild (src/AirGap/StellaOps.AirGap.Controller/TASKS.md)
AIRGAP-CTL-57-001 | TODO | Add startup diagnostics that block application run when sealed flag set but egress policies missing; emit audit + telemetry. | AirGap Controller Guild (src/AirGap/StellaOps.AirGap.Controller/TASKS.md)
AIRGAP-CTL-57-002 | TODO | Instrument seal/unseal events with trace/log fields and timeline emission (`airgap.sealed`, `airgap.unsealed`). | AirGap Controller Guild, Observability Guild (src/AirGap/StellaOps.AirGap.Controller/TASKS.md)
AIRGAP-CTL-58-001 | TODO | Persist time anchor metadata, compute drift seconds, and surface staleness budgets in status API. | AirGap Controller Guild, AirGap Time Guild (src/AirGap/StellaOps.AirGap.Controller/TASKS.md)
AIRGAP-IMP-56-001 | TODO | Implement DSSE verification helpers, TUF metadata parser (`root.json`, `snapshot.json`, `timestamp.json`), and Merkle root calculator. | AirGap Importer Guild (src/AirGap/StellaOps.AirGap.Importer/TASKS.md)
AIRGAP-IMP-56-002 | TODO | Introduce root rotation policy validation (dual approval) and signer trust store management. | AirGap Importer Guild, Security Guild (src/AirGap/StellaOps.AirGap.Importer/TASKS.md)
AIRGAP-IMP-57-001 | TODO | Write `bundle_catalog` and `bundle_items` repositories with RLS + deterministic migrations. | AirGap Importer Guild (src/AirGap/StellaOps.AirGap.Importer/TASKS.md)
AIRGAP-IMP-57-002 | TODO | Implement object-store loader storing artifacts under tenant/global mirror paths with Zstandard decompression and checksum validation. | AirGap Importer Guild, DevOps Guild (src/AirGap/StellaOps.AirGap.Importer/TASKS.md)
AIRGAP-IMP-58-001 | TODO | Implement API (`POST /airgap/import`, `/airgap/verify`) and CLI commands wiring verification + catalog updates, including diff preview. | AirGap Importer Guild, CLI Guild (src/AirGap/StellaOps.AirGap.Importer/TASKS.md)
AIRGAP-IMP-58-002 | TODO | Emit timeline events (`airgap.import.started | AirGap Importer Guild, Observability Guild (src/AirGap/StellaOps.AirGap.Importer/TASKS.md)
AIRGAP-TIME-57-001 | TODO | Implement signed time token parser (Roughtime/RFC3161), verify signatures against bundle trust roots, and expose normalized anchor representation. | AirGap Time Guild (src/AirGap/StellaOps.AirGap.Time/TASKS.md)
AIRGAP-TIME-57-002 | TODO | Add telemetry counters for time anchors (`airgap_time_anchor_age_seconds`) and alerts for approaching thresholds. | AirGap Time Guild, Observability Guild (src/AirGap/StellaOps.AirGap.Time/TASKS.md)
AIRGAP-TIME-58-001 | TODO | Persist drift baseline, compute per-content staleness (advisories, VEX, policy) based on bundle metadata, and surface through controller status API. | AirGap Time Guild (src/AirGap/StellaOps.AirGap.Time/TASKS.md)
AIRGAP-TIME-58-002 | TODO | Emit notifications and timeline events when staleness budgets breached or approaching. | AirGap Time Guild, Notifications Guild (src/AirGap/StellaOps.AirGap.Time/TASKS.md)
[Ops & Offline] 190.F) Api
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli
Summary: Ops & Offline focus on Api).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
APIGOV-61-001 | TODO | Configure spectral/linters with Stella rules; add CI job failing on violations. | API Governance Guild (src/Api/StellaOps.Api.Governance/TASKS.md)
APIGOV-61-002 | TODO | Implement example coverage checker ensuring every operation has at least one request/response example. | API Governance Guild (src/Api/StellaOps.Api.Governance/TASKS.md)
APIGOV-62-001 | TODO | Build compatibility diff tool producing additive/breaking reports comparing prior release. | API Governance Guild (src/Api/StellaOps.Api.Governance/TASKS.md)
APIGOV-62-002 | TODO | Automate changelog generation and publish signed artifacts to `src/Sdk/StellaOps.Sdk.Release` pipeline. | API Governance Guild, DevOps Guild (src/Api/StellaOps.Api.Governance/TASKS.md)
APIGOV-63-001 | TODO | Integrate deprecation metadata into Notification Studio templates for API sunset events. | API Governance Guild, Notifications Guild (src/Api/StellaOps.Api.Governance/TASKS.md)
OAS-61-001 | TODO | Scaffold per-service OpenAPI 3.1 files with shared components, info blocks, and initial path stubs. | API Contracts Guild (src/Api/StellaOps.Api.OpenApi/TASKS.md)
OAS-61-002 | TODO | Implement aggregate composer (`stella.yaml`) resolving `$ref`s and merging shared components; wire into CI. | API Contracts Guild, DevOps Guild (src/Api/StellaOps.Api.OpenApi/TASKS.md)
OAS-62-001 | TODO | Populate request/response examples for top 50 endpoints, including standard error envelope. | API Contracts Guild, Service Guilds (src/Api/StellaOps.Api.OpenApi/TASKS.md)
OAS-62-002 | TODO | Add custom lint rules enforcing pagination, idempotency headers, naming conventions, and example coverage. | API Contracts Guild (src/Api/StellaOps.Api.OpenApi/TASKS.md)
OAS-63-001 | TODO | Implement compatibility diff tooling comparing previous release specs; classify breaking vs additive changes. | API Contracts Guild (src/Api/StellaOps.Api.OpenApi/TASKS.md)
OAS-63-002 | TODO | Add `/.well-known/openapi` discovery endpoint schema metadata (extensions, version info). | API Contracts Guild, Gateway Guild (src/Api/StellaOps.Api.OpenApi/TASKS.md)
[Ops & Offline] 190.G) Bench
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli
Summary: Ops & Offline focus on Bench).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
BENCH-GRAPH-21-001 | BLOCKED (2025-10-27) | Build graph viewport/path benchmark harness (50k/100k nodes) measuring Graph API/Indexer latency, memory, and tile cache hit rates. *(Executed within Sprint 28 Graph program).* | Bench Guild, Graph Platform Guild (src/Bench/StellaOps.Bench/TASKS.md)
BENCH-GRAPH-21-002 | BLOCKED (2025-10-27) | Add headless UI load benchmark (Playwright) for graph canvas interactions to track render times and FPS budgets. *(Executed within Sprint 28 Graph program).* | Bench Guild, UI Guild (src/Bench/StellaOps.Bench/TASKS.md)
BENCH-GRAPH-24-002 | TODO | Implement UI interaction benchmarks (filter/zoom/table operations) citing p95 latency; integrate with perf dashboards. | Bench Guild, UI Guild (src/Bench/StellaOps.Bench/TASKS.md)
BENCH-IMPACT-16-001 | TODO | ImpactIndex throughput bench (resolve 10k productKeys) + RAM profile. | Bench Guild, Scheduler Team (src/Bench/StellaOps.Bench/TASKS.md)
BENCH-POLICY-20-002 | TODO | Add incremental run benchmark measuring delta evaluation vs full; capture SLA compliance. | Bench Guild, Policy Guild, Scheduler Guild (src/Bench/StellaOps.Bench/TASKS.md)
BENCH-SIG-26-001 | TODO | Develop benchmark for reachability scoring pipeline (facts/sec, latency, memory) using synthetic callgraphs/runtime batches. | Bench Guild, Signals Guild (src/Bench/StellaOps.Bench/TASKS.md)
BENCH-SIG-26-002 | TODO | Measure policy evaluation overhead with reachability cache hot/cold; ensure 8 ms p95 added latency. | Bench Guild, Policy Guild (src/Bench/StellaOps.Bench/TASKS.md)
[Ops & Offline] 190.H) Provenance
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli
Summary: Ops & Offline focus on Provenance).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
PROV-OBS-53-001 | TODO | Implement DSSE/SLSA `BuildDefinition` + `BuildMetadata` models with canonical JSON serializer, Merkle digest helpers, and deterministic hashing tests. Publish sample statements for orchestrator/job/export subjects. | Provenance Guild (src/Provenance/StellaOps.Provenance.Attestation/TASKS.md)
PROV-OBS-53-002 | TODO | Build signer abstraction (cosign/KMS/offline) with key rotation hooks, audit logging, and policy enforcement (required claims). Provide unit tests using fake signer + real cosign fixture. | Provenance Guild, Security Guild (src/Provenance/StellaOps.Provenance.Attestation/TASKS.md)
PROV-OBS-54-001 | TODO | Deliver verification library that validates DSSE signatures, Merkle roots, and timeline chain-of-custody, exposing reusable CLI/service APIs. Include negative-case fixtures and offline timestamp verification. | Provenance Guild, Evidence Locker Guild (src/Provenance/StellaOps.Provenance.Attestation/TASKS.md)
PROV-OBS-54-002 | TODO | Generate .NET global tool for local verification + embed command helpers for CLI `stella forensic verify`. Provide deterministic packaging and offline kit instructions. | Provenance Guild, DevEx/CLI Guild (src/Provenance/StellaOps.Provenance.Attestation/TASKS.md)
If all tasks are done - read next sprint section - SPRINT_200_documentation_process.md

482
docs/implplan/SPRINT_200_documentation_process.md Normal file
View File

@@ -0,0 +1,482 @@
# Sprint 200 - Documentation & Process
[Documentation & Process] 200.A) Docs Tasks.Md.I
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Tasks (phase Md.I).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DOCS-AIAI-31-001 | TODO | Publish `/docs/advisory-ai/overview.md` covering capabilities, guardrails, RBAC. | Docs Guild, Advisory AI Guild (docs/TASKS.md)
DOCS-AIAI-31-002 | TODO | Author `/docs/advisory-ai/architecture.md` detailing RAG pipeline, deterministics, caching, model options. | Docs Guild, Advisory AI Guild (docs/TASKS.md)
DOCS-AIAI-31-003 | TODO | Write `/docs/advisory-ai/api.md` describing endpoints, schemas, errors, rate limits. | Docs Guild, Advisory AI Guild (docs/TASKS.md)
DOCS-AIAI-31-004 | TODO | Create `/docs/advisory-ai/console.md` with screenshots, a11y notes, copy-as-ticket instructions. | Docs Guild, Console Guild (docs/TASKS.md)
DOCS-AIAI-31-005 | TODO | Publish `/docs/advisory-ai/cli.md` covering commands, exit codes, scripting patterns. | Docs Guild, DevEx/CLI Guild (docs/TASKS.md)
DOCS-AIAI-31-006 | TODO | Update `/docs/policy/assistant-parameters.md` covering temperature, token limits, ranking weights, TTLs. | Docs Guild, Policy Guild (docs/TASKS.md)
DOCS-AIAI-31-007 | TODO | Write `/docs/security/assistant-guardrails.md` detailing redaction, injection defense, logging. | Docs Guild, Security Guild (docs/TASKS.md)
DOCS-AIAI-31-008 | TODO | Publish `/docs/sbom/remediation-heuristics.md` (feasibility scoring, blast radius). | Docs Guild, SBOM Service Guild (docs/TASKS.md)
DOCS-AIAI-31-009 | TODO | Create `/docs/runbooks/assistant-ops.md` for warmup, cache priming, model outages, scaling. | Docs Guild, DevOps Guild (docs/TASKS.md)
DOCS-AIRGAP-56-001 | TODO | Publish `/docs/airgap/overview.md` outlining modes, lifecycle, responsibilities, and imposed rule banner. | Docs Guild, AirGap Controller Guild (docs/TASKS.md)
DOCS-AIRGAP-56-002 | TODO | Author `/docs/airgap/sealing-and-egress.md` covering network policies, EgressPolicy facade usage, and verification steps. | Docs Guild, DevOps Guild (docs/TASKS.md)
DOCS-AIRGAP-56-003 | TODO | Create `/docs/airgap/mirror-bundles.md` describing bundle format, DSSE/TUF/Merkle validation, creation/import workflows. | Docs Guild, Exporter Guild (docs/TASKS.md)
DOCS-AIRGAP-56-004 | TODO | Publish `/docs/airgap/bootstrap.md` detailing Bootstrap Pack creation, validation, and install procedures. | Docs Guild, Deployment Guild (docs/TASKS.md)
DOCS-AIRGAP-57-001 | TODO | Write `/docs/airgap/staleness-and-time.md` explaining time anchors, drift policies, staleness budgets, and UI indicators. | Docs Guild, AirGap Time Guild (docs/TASKS.md)
DOCS-AIRGAP-57-002 | TODO | Publish `/docs/console/airgap.md` covering sealed badge, import wizard, staleness dashboards. | Docs Guild, Console Guild (docs/TASKS.md)
[Documentation & Process] 200.A) Docs Tasks.Md.II
Depends on: Sprint 200.A - Docs Tasks.Md.I
Summary: Documentation & Process focus on Docs Tasks (phase Md.II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DOCS-AIRGAP-57-003 | TODO | Publish `/docs/modules/cli/guides/airgap.md` documenting commands, examples, exit codes. | Docs Guild, CLI Guild (docs/TASKS.md)
DOCS-AIRGAP-57-004 | TODO | Create `/docs/airgap/operations.md` with runbooks for imports, failure recovery, and auditing. | Docs Guild, Ops Guild (docs/TASKS.md)
DOCS-AIRGAP-58-001 | TODO | Provide `/docs/airgap/degradation-matrix.md` enumerating feature availability, fallbacks, remediation. | Docs Guild, Product Guild (docs/TASKS.md)
DOCS-AIRGAP-58-002 | TODO | Update `/docs/security/trust-and-signing.md` with DSSE/TUF roots, rotation, and signed time tokens. | Docs Guild, Security Guild (docs/TASKS.md)
DOCS-AIRGAP-58-003 | TODO | Publish `/docs/dev/airgap-contracts.md` describing EgressPolicy usage, sealed-mode tests, linting. | Docs Guild, DevEx Guild (docs/TASKS.md)
DOCS-AIRGAP-58-004 | TODO | Document `/docs/airgap/portable-evidence.md` for exporting/importing portable evidence bundles across enclaves. | Docs Guild, Evidence Locker Guild (docs/TASKS.md)
DOCS-AIRGAP-DEVPORT-64-001 | TODO | Create `/docs/airgap/devportal-offline.md` describing offline bundle usage and verification. | Docs Guild, DevPortal Offline Guild (docs/TASKS.md)
DOCS-ATTEST-73-001 | TODO | Publish `/docs/modules/attestor/overview.md` with imposed rule banner. | Docs Guild, Attestor Service Guild (docs/TASKS.md)
DOCS-ATTEST-73-002 | TODO | Write `/docs/modules/attestor/payloads.md` with schemas/examples. | Docs Guild, Attestation Payloads Guild (docs/TASKS.md)
DOCS-ATTEST-73-003 | TODO | Publish `/docs/modules/attestor/policies.md` covering verification policies. | Docs Guild, Policy Guild (docs/TASKS.md)
DOCS-ATTEST-73-004 | TODO | Add `/docs/modules/attestor/workflows.md` detailing ingest, verify, bulk operations. | Docs Guild, Attestor Service Guild (docs/TASKS.md)
DOCS-ATTEST-74-001 | TODO | Publish `/docs/modules/attestor/keys-and-issuers.md`. | Docs Guild, KMS Guild (docs/TASKS.md)
DOCS-ATTEST-74-002 | TODO | Document `/docs/modules/attestor/transparency.md` with witness usage/offline validation. | Docs Guild, Transparency Guild (docs/TASKS.md)
DOCS-ATTEST-74-003 | TODO | Write `/docs/console/attestor-ui.md` with screenshots/workflows. | Docs Guild, Attestor Console Guild (docs/TASKS.md)
DOCS-ATTEST-74-004 | TODO | Publish `/docs/modules/cli/guides/attest.md` covering CLI usage. | Docs Guild, CLI Attestor Guild (docs/TASKS.md)
[Documentation & Process] 200.A) Docs Tasks.Md.III
Depends on: Sprint 200.A - Docs Tasks.Md.II
Summary: Documentation & Process focus on Docs Tasks (phase Md.III).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DOCS-ATTEST-75-001 | TODO | Add `/docs/modules/attestor/airgap.md` for attestation bundles. | Docs Guild, Export Attestation Guild (docs/TASKS.md)
DOCS-ATTEST-75-002 | TODO | Update `/docs/security/aoc-invariants.md` with attestation invariants. | Docs Guild, Security Guild (docs/TASKS.md)
DOCS-CLI-41-001 | TODO | Publish `/docs/modules/cli/guides/overview.md`, `/docs/modules/cli/guides/configuration.md`, `/docs/modules/cli/guides/output-and-exit-codes.md` with imposed rule statements. | Docs Guild, DevEx/CLI Guild (docs/TASKS.md)
DOCS-CLI-42-001 | TODO | Publish `/docs/modules/cli/guides/parity-matrix.md` and command guides under `/docs/modules/cli/guides/commands/*.md` (policy, sbom, vuln, vex, advisory, export, orchestrator, notify, aoc, auth). | Docs Guild (docs/TASKS.md)
DOCS-CLI-FORENSICS-53-001 | TODO | Publish `/docs/modules/cli/guides/forensics.md` for snapshot/verify/attest commands with sample outputs, imposed rule banner, and offline workflows. | Docs Guild, DevEx/CLI Guild (docs/TASKS.md)
DOCS-CLI-OBS-52-001 | TODO | Create `/docs/modules/cli/guides/observability.md` detailing `stella obs` commands, examples, exit codes, imposed rule banner, and scripting tips. | Docs Guild, DevEx/CLI Guild (docs/TASKS.md)
DOCS-CONSOLE-OBS-52-001 | TODO | Document `/docs/console/observability.md` showcasing Observability Hub widgets, trace/log search, imposed rule banner, and accessibility tips. | Docs Guild, Console Guild (docs/TASKS.md)
DOCS-CONSOLE-OBS-52-002 | TODO | Publish `/docs/console/forensics.md` covering timeline explorer, evidence viewer, attestation verifier, imposed rule banner, and troubleshooting. | Docs Guild, Console Guild (docs/TASKS.md)
DOCS-CONTRIB-62-001 | TODO | Publish `/docs/contributing/api-contracts.md` detailing how to edit OAS, lint rules, compatibility checks. | Docs Guild, API Governance Guild (docs/TASKS.md)
DOCS-DEVPORT-62-001 | TODO | Document `/docs/devportal/publishing.md` for build pipeline, offline bundle steps. | Docs Guild, Developer Portal Guild (docs/TASKS.md)
DOCS-EXC-25-001 | TODO | Author `/docs/governance/exceptions.md` covering lifecycle, scope patterns, examples, compliance checklist. | Docs Guild, Governance Guild (docs/TASKS.md)
DOCS-EXC-25-002 | TODO | Publish `/docs/governance/approvals-and-routing.md` detailing roles, routing matrix, MFA rules, audit trails. | Docs Guild, Authority Core (docs/TASKS.md)
DOCS-EXC-25-003 | TODO | Create `/docs/api/exceptions.md` with endpoints, payloads, errors, idempotency notes. | Docs Guild, BE-Base Platform Guild (docs/TASKS.md)
DOCS-EXC-25-005 | TODO | Write `/docs/ui/exception-center.md` with UI walkthrough, badges, accessibility, shortcuts. | Docs Guild, UI Guild (docs/TASKS.md)
DOCS-EXC-25-006 | TODO | Update `/docs/modules/cli/guides/exceptions.md` covering command usage and exit codes. | Docs Guild, DevEx/CLI Guild (docs/TASKS.md)
[Documentation & Process] 200.A) Docs Tasks.Md.IV
Depends on: Sprint 200.A - Docs Tasks.Md.III
Summary: Documentation & Process focus on Docs Tasks (phase Md.IV).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DOCS-EXC-25-007 | TODO | Publish `/docs/migration/exception-governance.md` describing cutover from legacy suppressions, notifications, rollback. | Docs Guild, DevOps Guild (docs/TASKS.md)
DOCS-EXPORT-37-004 | TODO | Publish `/docs/security/export-hardening.md` outlining RBAC, tenancy, encryption, redaction, restating imposed rule. | Docs Guild (docs/TASKS.md)
DOCS-EXPORT-37-005 | TODO | Validate Export Center docs against live Trivy/mirror bundles once implementation lands; refresh examples and CLI snippets accordingly. | Docs Guild, Exporter Service Guild (docs/TASKS.md)
DOCS-EXPORT-37-101 | TODO | Refresh CLI verification sections once `stella export verify` lands (flags, exit codes, samples). | Docs Guild, DevEx/CLI Guild (docs/TASKS.md)
DOCS-EXPORT-37-102 | TODO | Embed export dashboards/alerts references into provenance/runbook docs after Grafana work ships. | Docs Guild, DevOps Guild (docs/TASKS.md)
DOCS-FORENSICS-53-001 | TODO | Publish `/docs/forensics/evidence-locker.md` describing bundle formats, WORM options, retention, legal hold, and imposed rule banner. | Docs Guild, Evidence Locker Guild (docs/TASKS.md)
DOCS-FORENSICS-53-002 | TODO | Release `/docs/forensics/provenance-attestation.md` covering DSSE schema, signing process, verification workflow, and imposed rule banner. | Docs Guild, Provenance Guild (docs/TASKS.md)
DOCS-FORENSICS-53-003 | TODO | Publish `/docs/forensics/timeline.md` with schema, event kinds, filters, query examples, and imposed rule banner. | Docs Guild, Timeline Indexer Guild (docs/TASKS.md)
DOCS-GRAPH-24-001 | TODO | Author `/docs/ui/sbom-graph-explorer.md` detailing overlays, filters, saved views, accessibility, and AOC visibility. | Docs Guild, UI Guild (docs/TASKS.md)
DOCS-GRAPH-24-002 | TODO | Publish `/docs/ui/vulnerability-explorer.md` covering table usage, grouping, fix suggestions, Why drawer. | Docs Guild, UI Guild (docs/TASKS.md)
DOCS-GRAPH-24-003 | TODO | Create `/docs/modules/graph/architecture-index.md` describing data model, ingestion pipeline, caches, events. | Docs Guild, SBOM Service Guild (docs/TASKS.md)
DOCS-GRAPH-24-004 | TODO | Document `/docs/api/graph.md` and `/docs/api/vuln.md` avec endpoints, parameters, errors, RBAC. | Docs Guild, BE-Base Platform Guild (docs/TASKS.md)
DOCS-GRAPH-24-005 | TODO | Update `/docs/modules/cli/guides/graph-and-vuln.md` covering new CLI commands, exit codes, scripting. | Docs Guild, DevEx/CLI Guild (docs/TASKS.md)
DOCS-GRAPH-24-006 | TODO | Write `/docs/policy/ui-integration.md` explaining overlays, cache usage, simulator contracts. | Docs Guild, Policy Guild (docs/TASKS.md)
DOCS-GRAPH-24-007 | TODO | Produce `/docs/migration/graph-parity.md` with rollout plan, parity checks, fallback guidance. | Docs Guild, DevOps Guild (docs/TASKS.md)
[Documentation & Process] 200.A) Docs Tasks.Md.V
Depends on: Sprint 200.A - Docs Tasks.Md.IV
Summary: Documentation & Process focus on Docs Tasks (phase Md.V).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DOCS-INSTALL-44-001 | TODO | Publish `/docs/install/overview.md` and `/docs/install/compose-quickstart.md` with imposed rule line and copy-ready commands. | Docs Guild, Deployment Guild (docs/TASKS.md)
DOCS-INSTALL-45-001 | TODO | Publish `/docs/install/helm-prod.md` and `/docs/install/configuration-reference.md` with values tables and imposed rule reminder. | Docs Guild, Deployment Guild (docs/TASKS.md)
DOCS-INSTALL-46-001 | TODO | Publish `/docs/install/airgap.md`, `/docs/security/supply-chain.md`, `/docs/operations/health-and-readiness.md`, `/docs/release/image-catalog.md`, `/docs/console/onboarding.md` (each with imposed rule). | Docs Guild, Security Guild (docs/TASKS.md)
DOCS-INSTALL-50-001 | TODO | Add `/docs/install/telemetry-stack.md` with collector deployment, exporter options, offline kit notes, and imposed rule banner. | Docs Guild, DevOps Guild (docs/TASKS.md)
DOCS-LNM-22-001 | BLOCKED (2025-10-27) | Author `/docs/advisories/aggregation.md` covering observation vs linkset, conflict handling, AOC requirements, and reviewer checklist. | Docs Guild, Concelier Guild (docs/TASKS.md)
DOCS-LNM-22-002 | BLOCKED (2025-10-27) | Publish `/docs/vex/aggregation.md` describing VEX observation/linkset model, product matching, conflicts. | Docs Guild, Excititor Guild (docs/TASKS.md)
DOCS-LNM-22-003 | BLOCKED (2025-10-27) | Update `/docs/api/advisories.md` and `/docs/api/vex.md` for new endpoints, parameters, errors, exports. | Docs Guild, BE-Base Platform Guild (docs/TASKS.md)
DOCS-LNM-22-004 | TODO | Create `/docs/policy/effective-severity.md` detailing severity selection strategies from multiple sources. | Docs Guild, Policy Guild (docs/TASKS.md)
DOCS-LNM-22-005 | BLOCKED (2025-10-27) | Document `/docs/ui/evidence-panel.md` with screenshots, conflict badges, accessibility guidance. | Docs Guild, UI Guild (docs/TASKS.md)
DOCS-LNM-22-007 | TODO | Publish `/docs/observability/aggregation.md` with metrics/traces/logs/SLOs. | Docs Guild, Observability Guild (docs/TASKS.md)
DOCS-LNM-22-008 | TODO | Write `/docs/migration/no-merge.md` describing migration plan, backfill steps, rollback, feature flags. | Docs Guild, DevOps Guild (docs/TASKS.md)
DOCS-NOTIFY-40-001 | TODO | Publish `/docs/notifications/channels.md`, `/docs/notifications/escalations.md`, `/docs/notifications/api.md`, `/docs/operations/notifier-runbook.md`, `/docs/security/notifications-hardening.md`; each ends with imposed rule line. | Docs Guild, Security Guild (docs/TASKS.md)
DOCS-OAS-61-001 | TODO | Publish `/docs/api/overview.md` covering auth, tenancy, pagination, idempotency, rate limits with banner. | Docs Guild, API Contracts Guild (docs/TASKS.md)
DOCS-OAS-61-002 | TODO | Author `/docs/api/conventions.md` capturing naming, errors, filters, sorting, examples. | Docs Guild, API Governance Guild (docs/TASKS.md)
DOCS-OAS-61-003 | TODO | Publish `/docs/api/versioning.md` describing SemVer, deprecation headers, migration playbooks. | Docs Guild, API Governance Guild (docs/TASKS.md)
[Documentation & Process] 200.A) Docs Tasks.Md.VI
Depends on: Sprint 200.A - Docs Tasks.Md.V
Summary: Documentation & Process focus on Docs Tasks (phase Md.VI).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DOCS-OAS-62-001 | TODO | Stand up `/docs/api/reference/` auto-generated site; integrate with portal nav. | Docs Guild, Developer Portal Guild (docs/TASKS.md)
DOCS-OBS-50-002 | TODO | Author `/docs/observability/telemetry-standards.md` detailing common fields, scrubbing policy, sampling defaults, and redaction override procedure. | Docs Guild, Security Guild (docs/TASKS.md)
DOCS-OBS-50-003 | TODO | Create `/docs/observability/logging.md` covering structured log schema, dos/don'ts, tenant isolation, and copyable examples. | Docs Guild, Observability Guild (docs/TASKS.md)
DOCS-OBS-50-004 | TODO | Draft `/docs/observability/tracing.md` explaining context propagation, async linking, CLI header usage, and sampling strategies. | Docs Guild, Observability Guild (docs/TASKS.md)
DOCS-OBS-51-001 | TODO | Publish `/docs/observability/metrics-and-slos.md` cataloging metrics, SLO targets, burn rate policies, and alert runbooks. | Docs Guild, DevOps Guild (docs/TASKS.md)
DOCS-ORCH-32-001 | TODO | Author `/docs/orchestrator/overview.md` covering mission, roles, AOC alignment, governance, with imposed rule reminder. | Docs Guild (docs/TASKS.md)
DOCS-ORCH-32-002 | TODO | Author `/docs/orchestrator/architecture.md` detailing scheduler, DAGs, rate limits, data model, message bus, storage layout, restating imposed rule. | Docs Guild (docs/TASKS.md)
DOCS-ORCH-33-001 | TODO | Publish `/docs/orchestrator/api.md` (REST/WebSocket endpoints, payloads, error codes) with imposed rule note. | Docs Guild (docs/TASKS.md)
DOCS-ORCH-33-002 | TODO | Publish `/docs/orchestrator/console.md` covering screens, a11y, live updates, control actions, reiterating imposed rule. | Docs Guild (docs/TASKS.md)
DOCS-ORCH-33-003 | TODO | Publish `/docs/orchestrator/cli.md` documenting commands, options, exit codes, streaming output, offline usage, and imposed rule. | Docs Guild (docs/TASKS.md)
DOCS-ORCH-34-001 | TODO | Author `/docs/orchestrator/run-ledger.md` covering ledger schema, provenance chain, audit workflows, with imposed rule reminder. | Docs Guild (docs/TASKS.md)
DOCS-ORCH-34-002 | TODO | Update `/docs/security/secrets-handling.md` for orchestrator KMS refs, redaction badges, operator hygiene, reiterating imposed rule. | Docs Guild (docs/TASKS.md)
DOCS-ORCH-34-003 | TODO | Publish `/docs/operations/orchestrator-runbook.md` (incident playbook, backfill guide, circuit breakers, throttling) with imposed rule statement. | Docs Guild (docs/TASKS.md)
DOCS-ORCH-34-004 | TODO | Document `/docs/schemas/artifacts.md` describing artifact kinds, schema versions, hashing, storage layout, restating imposed rule. | Docs Guild (docs/TASKS.md)
DOCS-ORCH-34-005 | TODO | Author `/docs/slo/orchestrator-slo.md` defining SLOs, burn alerts, measurement, and reiterating imposed rule. | Docs Guild (docs/TASKS.md)
[Documentation & Process] 200.A) Docs Tasks.Md.VII
Depends on: Sprint 200.A - Docs Tasks.Md.VI
Summary: Documentation & Process focus on Docs Tasks (phase Md.VII).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DOCS-POLICY-23-001 | TODO | Author `/docs/policy/overview.md` describing SPL philosophy, layering, and glossary with reviewer checklist. | Docs Guild, Policy Guild (docs/TASKS.md)
DOCS-POLICY-23-002 | TODO | Write `/docs/policy/spl-v1.md` (language reference, JSON Schema, examples). | Docs Guild, Policy Guild (docs/TASKS.md)
DOCS-POLICY-23-003 | TODO | Produce `/docs/policy/runtime.md` covering compiler, evaluator, caching, events, SLOs. | Docs Guild, Policy Guild (docs/TASKS.md)
DOCS-POLICY-23-004 | TODO | Document `/docs/policy/editor.md` (UI walkthrough, validation, simulation, approvals). | Docs Guild, UI Guild (docs/TASKS.md)
DOCS-POLICY-23-005 | TODO | Publish `/docs/policy/governance.md` (roles, scopes, approvals, signing, exceptions). | Docs Guild, Security Guild (docs/TASKS.md)
DOCS-POLICY-23-006 | TODO | Update `/docs/api/policy.md` with new endpoints, schemas, errors, pagination. | Docs Guild, BE-Base Platform Guild (docs/TASKS.md)
DOCS-POLICY-23-007 | TODO | Update `/docs/modules/cli/guides/policy.md` for lint/simulate/activate/history commands, exit codes. | Docs Guild, DevEx/CLI Guild (docs/TASKS.md)
DOCS-POLICY-23-008 | TODO | Refresh `/docs/modules/policy/architecture.md` with data model, sequence diagrams, event flows. | Docs Guild, Architecture Guild (docs/TASKS.md)
DOCS-POLICY-23-009 | TODO | Create `/docs/migration/policy-parity.md` covering dual-run parity plan and rollback. | Docs Guild, DevOps Guild (docs/TASKS.md)
DOCS-POLICY-23-010 | TODO | Write `/docs/ui/explainers.md` showing explain trees, evidence overlays, interpretation guidance. | Docs Guild, UI Guild (docs/TASKS.md)
DOCS-POLICY-27-001 | BLOCKED (2025-10-27) | Publish `/docs/policy/studio-overview.md` covering lifecycle, roles, glossary, and compliance checklist. | Docs Guild, Policy Guild (docs/TASKS.md)
DOCS-POLICY-27-002 | BLOCKED (2025-10-27) | Write `/docs/policy/authoring.md` detailing workspace templates, snippets, lint rules, IDE shortcuts, and best practices. | Docs Guild, Console Guild (docs/TASKS.md)
DOCS-POLICY-27-003 | BLOCKED (2025-10-27) | Document `/docs/policy/versioning-and-publishing.md` (semver rules, attestations, rollback) with compliance checklist. | Docs Guild, Policy Registry Guild (docs/TASKS.md)
DOCS-POLICY-27-004 | BLOCKED (2025-10-27) | Write `/docs/policy/simulation.md` covering quick vs batch sim, thresholds, evidence bundles, CLI examples. | Docs Guild, Scheduler Guild (docs/TASKS.md)
DOCS-POLICY-27-005 | BLOCKED (2025-10-27) | Publish `/docs/policy/review-and-approval.md` with approver requirements, comments, webhooks, audit trail guidance. | Docs Guild, Product Ops (docs/TASKS.md)
[Documentation & Process] 200.A) Docs Tasks.Md.VIII
Depends on: Sprint 200.A - Docs Tasks.Md.VII
Summary: Documentation & Process focus on Docs Tasks (phase Md.VIII).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DOCS-POLICY-27-006 | BLOCKED (2025-10-27) | Author `/docs/policy/promotion.md` covering environments, canary, rollback, and monitoring steps. | Docs Guild, Policy Guild (docs/TASKS.md)
DOCS-POLICY-27-007 | BLOCKED (2025-10-27) | Update `/docs/policy/cli.md` with new commands, JSON schemas, CI usage, and compliance checklist. | Docs Guild, DevEx/CLI Guild (docs/TASKS.md)
DOCS-POLICY-27-008 | BLOCKED (2025-10-27) | Publish `/docs/policy/api.md` describing Registry endpoints, request/response schemas, errors, and feature flags. | Docs Guild, Policy Registry Guild (docs/TASKS.md)
DOCS-POLICY-27-009 | BLOCKED (2025-10-27) | Create `/docs/security/policy-attestations.md` covering signing, verification, key rotation, and compliance checklist. | Docs Guild, Security Guild (docs/TASKS.md)
DOCS-POLICY-27-010 | BLOCKED (2025-10-27) | Author `/docs/modules/policy/registry-architecture.md` (service design, schemas, queues, failure modes) with diagrams and checklist. | Docs Guild, Architecture Guild (docs/TASKS.md)
DOCS-POLICY-27-011 | BLOCKED (2025-10-27) | Publish `/docs/observability/policy-telemetry.md` with metrics/log tables, dashboards, alerts, and compliance checklist. | Docs Guild, Observability Guild (docs/TASKS.md)
DOCS-POLICY-27-012 | BLOCKED (2025-10-27) | Write `/docs/runbooks/policy-incident.md` detailing rollback, freeze, forensic steps, notifications. | Docs Guild, Ops Guild (docs/TASKS.md)
DOCS-POLICY-27-013 | BLOCKED (2025-10-27) | Update `/docs/examples/policy-templates.md` with new templates, snippets, and sample policies. | Docs Guild, Policy Guild (docs/TASKS.md)
DOCS-POLICY-27-014 | BLOCKED (2025-10-27) | Refresh `/docs/aoc/aoc-guardrails.md` to include Studio-specific guardrails and validation scenarios. | Docs Guild, Policy Registry Guild (docs/TASKS.md)
DOCS-RISK-66-001 | TODO | Publish `/docs/risk/overview.md` covering concepts and glossary. | Docs Guild, Risk Profile Schema Guild (docs/TASKS.md)
DOCS-RISK-66-002 | TODO | Author `/docs/risk/profiles.md` (authoring, versioning, scope). | Docs Guild, Policy Guild (docs/TASKS.md)
DOCS-RISK-66-003 | TODO | Publish `/docs/risk/factors.md` cataloging signals, transforms, reducers, TTLs. | Docs Guild, Risk Engine Guild (docs/TASKS.md)
DOCS-RISK-66-004 | TODO | Create `/docs/risk/formulas.md` detailing math, normalization, gating, severity. | Docs Guild, Risk Engine Guild (docs/TASKS.md)
DOCS-RISK-67-001 | TODO | Publish `/docs/risk/explainability.md` showing artifact schema and UI screenshots. | Docs Guild, Risk Engine Guild (docs/TASKS.md)
DOCS-RISK-67-002 | TODO | Produce `/docs/risk/api.md` with endpoint reference/examples. | Docs Guild, API Guild (docs/TASKS.md)
[Documentation & Process] 200.A) Docs Tasks.Md.IX
Depends on: Sprint 200.A - Docs Tasks.Md.VIII
Summary: Documentation & Process focus on Docs Tasks (phase Md.IX).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DOCS-RISK-67-003 | TODO | Document `/docs/console/risk-ui.md` for authoring, simulation, dashboards. | Docs Guild, Console Guild (docs/TASKS.md)
DOCS-RISK-67-004 | TODO | Publish `/docs/modules/cli/guides/risk.md` covering CLI workflows. | Docs Guild, CLI Guild (docs/TASKS.md)
DOCS-RISK-68-001 | TODO | Add `/docs/airgap/risk-bundles.md` for offline factor bundles. | Docs Guild, Export Guild (docs/TASKS.md)
DOCS-RISK-68-002 | TODO | Update `/docs/security/aoc-invariants.md` with risk scoring provenance guarantees. | Docs Guild, Security Guild (docs/TASKS.md)
DOCS-RUNBOOK-55-001 | TODO | Author `/docs/runbooks/incidents.md` describing incident mode activation, escalation steps, retention impact, verification checklist, and imposed rule banner. | Docs Guild, Ops Guild (docs/TASKS.md)
DOCS-SDK-62-001 | TODO | Publish `/docs/sdks/overview.md` plus language guides (`typescript.md`, `python.md`, `go.md`, `java.md`). | Docs Guild, SDK Generator Guild (docs/TASKS.md)
DOCS-SEC-62-001 | TODO | Update `/docs/security/auth-scopes.md` with OAuth2/PAT scopes, tenancy header usage. | Docs Guild, Authority Core (docs/TASKS.md)
DOCS-SEC-OBS-50-001 | TODO | Update `/docs/security/redaction-and-privacy.md` to cover telemetry privacy controls, tenant opt-in debug, and imposed rule reminder. | Docs Guild, Security Guild (docs/TASKS.md)
DOCS-SIG-26-001 | TODO | Write `/docs/signals/reachability.md` covering states, scores, provenance, retention. | Docs Guild, Signals Guild (docs/TASKS.md)
DOCS-SIG-26-002 | TODO | Publish `/docs/signals/callgraph-formats.md` with schemas and validation errors. | Docs Guild, Signals Guild (docs/TASKS.md)
DOCS-SIG-26-003 | TODO | Create `/docs/signals/runtime-facts.md` detailing agent capabilities, privacy safeguards, opt-in flags. | Docs Guild, Runtime Guild (docs/TASKS.md)
DOCS-SIG-26-004 | TODO | Document `/docs/policy/signals-weighting.md` for SPL predicates and weighting strategies. | Docs Guild, Policy Guild (docs/TASKS.md)
DOCS-SIG-26-005 | TODO | Draft `/docs/ui/reachability-overlays.md` with badges, timelines, shortcuts. | Docs Guild, UI Guild (docs/TASKS.md)
DOCS-SIG-26-006 | TODO | Update `/docs/modules/cli/guides/reachability.md` for new commands and automation recipes. | Docs Guild, DevEx/CLI Guild (docs/TASKS.md)
DOCS-SIG-26-007 | TODO | Publish `/docs/api/signals.md` covering endpoints, payloads, ETags, errors. | Docs Guild, BE-Base Platform Guild (docs/TASKS.md)
[Documentation & Process] 200.A) Docs Tasks.Md.X
Depends on: Sprint 200.A - Docs Tasks.Md.IX
Summary: Documentation & Process focus on Docs Tasks (phase Md.X).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DOCS-SIG-26-008 | TODO | Write `/docs/migration/enable-reachability.md` guiding rollout, fallbacks, monitoring. | Docs Guild, DevOps Guild (docs/TASKS.md)
DOCS-SURFACE-01 | TODO | Create `/docs/modules/scanner/scanner-engine.md` covering Surface.FS/Env/Secrets workflow between Scanner, Zastava, Scheduler, and Ops. | Docs Guild, Scanner Guild, Zastava Guild (docs/TASKS.md)
DOCS-TEN-47-001 | TODO | Publish `/docs/security/tenancy-overview.md` and `/docs/security/scopes-and-roles.md` outlining scope grammar, tenant model, imposed rule reminder. | Docs Guild, Authority Core (docs/TASKS.md)
DOCS-TEN-48-001 | TODO | Publish `/docs/operations/multi-tenancy.md`, `/docs/operations/rls-and-data-isolation.md`, `/docs/console/admin-tenants.md`. | Docs Guild, Platform Ops (docs/TASKS.md)
DOCS-TEN-49-001 | TODO | Publish `/docs/modules/cli/guides/authentication.md`, `/docs/api/authentication.md`, `/docs/policy/examples/abac-overlays.md`, update `/docs/install/configuration-reference.md` with new env vars, all ending with imposed rule line. | Docs & DevEx Guilds (docs/TASKS.md)
DOCS-TEST-62-001 | TODO | Author `/docs/testing/contract-testing.md` covering mock server, replay tests, golden fixtures. | Docs Guild, Contract Testing Guild (docs/TASKS.md)
DOCS-VEX-30-001 | TODO | Publish `/docs/vex/consensus-overview.md` describing purpose, scope, AOC guarantees. | Docs Guild, VEX Lens Guild (docs/TASKS.md)
DOCS-VEX-30-002 | TODO | Author `/docs/vex/consensus-algorithm.md` covering normalization, weighting, thresholds, examples. | Docs Guild, VEX Lens Guild (docs/TASKS.md)
DOCS-VEX-30-003 | TODO | Document `/docs/vex/issuer-directory.md` (issuer management, keys, trust overrides, audit). | Docs Guild, Issuer Directory Guild (docs/TASKS.md)
DOCS-VEX-30-004 | TODO | Publish `/docs/vex/consensus-api.md` with endpoint specs, query params, rate limits. | Docs Guild, VEX Lens Guild (docs/TASKS.md)
DOCS-VEX-30-005 | TODO | Write `/docs/vex/consensus-console.md` covering UI workflows, filters, conflicts, accessibility. | Docs Guild, Console Guild (docs/TASKS.md)
DOCS-VEX-30-006 | TODO | Add `/docs/policy/vex-trust-model.md` detailing policy knobs, thresholds, simulation. | Docs Guild, Policy Guild (docs/TASKS.md)
DOCS-VEX-30-007 | TODO | Publish `/docs/sbom/vex-mapping.md` (CPE→purl strategy, edge cases, overrides). | Docs Guild, SBOM Service Guild (docs/TASKS.md)
DOCS-VEX-30-008 | TODO | Deliver `/docs/security/vex-signatures.md` (verification flow, key rotation, audit). | Docs Guild, Security Guild (docs/TASKS.md)
DOCS-VEX-30-009 | TODO | Create `/docs/runbooks/vex-ops.md` for recompute storms, mapping failures, signature errors. | Docs Guild, DevOps Guild (docs/TASKS.md)
[Documentation & Process] 200.A) Docs Tasks.Md.XI
Depends on: Sprint 200.A - Docs Tasks.Md.X
Summary: Documentation & Process focus on Docs Tasks (phase Md.XI).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DOCS-VULN-29-001 | TODO | Publish `/docs/vuln/explorer-overview.md` covering domain model, identities, AOC guarantees, workflow summary. | Docs Guild, Vuln Explorer Guild (docs/TASKS.md)
DOCS-VULN-29-002 | TODO | Write `/docs/vuln/explorer-using-console.md` with workflows, screenshots, keyboard shortcuts, saved views, deep links. | Docs Guild, Console Guild (docs/TASKS.md)
DOCS-VULN-29-003 | TODO | Author `/docs/vuln/explorer-api.md` (endpoints, query schema, grouping, errors, rate limits). | Docs Guild, Vuln Explorer API Guild (docs/TASKS.md)
DOCS-VULN-29-004 | TODO | Publish `/docs/vuln/explorer-cli.md` with command reference, samples, exit codes, CI snippets. | Docs Guild, DevEx/CLI Guild (docs/TASKS.md)
DOCS-VULN-29-005 | TODO | Write `/docs/vuln/findings-ledger.md` detailing event schema, hashing, Merkle roots, replay tooling. | Docs Guild, Findings Ledger Guild (docs/TASKS.md)
DOCS-VULN-29-006 | TODO | Update `/docs/policy/vuln-determinations.md` for new rationale, signals, simulation semantics. | Docs Guild, Policy Guild (docs/TASKS.md)
DOCS-VULN-29-007 | TODO | Publish `/docs/vex/explorer-integration.md` covering CSAF mapping, suppression precedence, status semantics. | Docs Guild, Excititor Guild (docs/TASKS.md)
DOCS-VULN-29-008 | TODO | Publish `/docs/advisories/explorer-integration.md` covering key normalization, withdrawn handling, provenance. | Docs Guild, Concelier Guild (docs/TASKS.md)
DOCS-VULN-29-009 | TODO | Author `/docs/sbom/vuln-resolution.md` detailing version semantics, scope, paths, safe version hints. | Docs Guild, SBOM Service Guild (docs/TASKS.md)
DOCS-VULN-29-010 | TODO | Publish `/docs/observability/vuln-telemetry.md` (metrics, logs, tracing, dashboards, SLOs). | Docs Guild, Observability Guild (docs/TASKS.md)
DOCS-VULN-29-011 | TODO | Create `/docs/security/vuln-rbac.md` for roles, ABAC policies, attachment encryption, CSRF. | Docs Guild, Security Guild (docs/TASKS.md)
DOCS-VULN-29-012 | TODO | Write `/docs/runbooks/vuln-ops.md` (projector lag, resolver storms, export failures, policy activation). | Docs Guild, Ops Guild (docs/TASKS.md)
DOCS-VULN-29-013 | TODO | Update `/docs/install/containers.md` with Findings Ledger & Vuln Explorer API images, manifests, resource sizing, health checks. | Docs Guild, Deployment Guild (docs/TASKS.md)
[Documentation & Process] 200.B) Docs Modules Advisory Ai
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Advisory Ai).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
ADVISORY-AI-DOCS-0001 | TODO | Align with ./AGENTS.md | Docs Guild (docs/modules/advisory-ai/TASKS.md)
ADVISORY-AI-ENG-0001 | TODO | Sync into ../../TASKS.md | Module Team (docs/modules/advisory-ai/TASKS.md)
ADVISORY-AI-OPS-0001 | TODO | Document outputs in ./README.md | Ops Guild (docs/modules/advisory-ai/TASKS.md)
[Documentation & Process] 200.C) Docs Modules Attestor
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Attestor).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
ATTESTOR-DOCS-0001 | DOING (2025-10-29) | See ./AGENTS.md | Docs Guild (docs/modules/attestor/TASKS.md)
ATTESTOR-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/attestor/TASKS.md)
ATTESTOR-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/attestor/TASKS.md)
[Documentation & Process] 200.D) Docs Modules Authority
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Authority).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
AUTHORITY-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/authority/TASKS.md)
AUTHORITY-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/authority/TASKS.md)
AUTHORITY-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/authority/TASKS.md)
[Documentation & Process] 200.E) Docs Modules Ci
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Ci).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CI RECIPES-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/ci/TASKS.md)
CI RECIPES-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/ci/TASKS.md)
CI RECIPES-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/ci/TASKS.md)
[Documentation & Process] 200.F) Docs Modules Cli
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Cli).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CLI-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/cli/TASKS.md)
CLI-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/cli/TASKS.md)
CLI-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/cli/TASKS.md)
[Documentation & Process] 200.G) Docs Modules Concelier
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Concelier).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONCELIER-DOCS-0001 | DOING (2025-10-29) | See ./AGENTS.md | Docs Guild (docs/modules/concelier/TASKS.md)
CONCELIER-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/concelier/TASKS.md)
CONCELIER-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/concelier/TASKS.md)
[Documentation & Process] 200.H) Docs Modules Devops
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Devops).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DEVOPS-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/devops/TASKS.md)
DEVOPS-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/devops/TASKS.md)
DEVOPS-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/devops/TASKS.md)
[Documentation & Process] 200.I) Docs Modules Excititor
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Excititor).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXCITITOR-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/excititor/TASKS.md)
EXCITITOR-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/excititor/TASKS.md)
EXCITITOR-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/excititor/TASKS.md)
[Documentation & Process] 200.J) Docs Modules Export Center
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Export Center).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXPORT CENTER-DOCS-0001 | DOING (2025-10-29) | See ./AGENTS.md | Docs Guild (docs/modules/export-center/TASKS.md)
EXPORT CENTER-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/export-center/TASKS.md)
EXPORT CENTER-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/export-center/TASKS.md)
[Documentation & Process] 200.K) Docs Modules Graph
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Graph).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
GRAPH-DOCS-0001 | DOING (2025-10-29) | See ./AGENTS.md | Docs Guild (docs/modules/graph/TASKS.md)
GRAPH-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/graph/TASKS.md)
GRAPH-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/graph/TASKS.md)
[Documentation & Process] 200.L) Docs Modules Notify
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Notify).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
NOTIFY-DOCS-0001 | DOING (2025-10-29) | See ./AGENTS.md | Docs Guild (docs/modules/notify/TASKS.md)
NOTIFY-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/notify/TASKS.md)
NOTIFY-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/notify/TASKS.md)
[Documentation & Process] 200.M) Docs Modules Orchestrator
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Orchestrator).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
SOURCE---JOB-ORCHESTRATOR-DOCS-0001 | DOING (2025-10-29) | Align with ./AGENTS.md | Docs Guild (docs/modules/orchestrator/TASKS.md)
SOURCE---JOB-ORCHESTRATOR-ENG-0001 | TODO | Sync into ../../TASKS.md | Module Team (docs/modules/orchestrator/TASKS.md)
SOURCE---JOB-ORCHESTRATOR-OPS-0001 | TODO | Document outputs in ./README.md | Ops Guild (docs/modules/orchestrator/TASKS.md)
[Documentation & Process] 200.N) Docs Modules Platform
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Platform).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
PLATFORM-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/platform/TASKS.md)
PLATFORM-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/platform/TASKS.md)
PLATFORM-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/platform/TASKS.md)
[Documentation & Process] 200.O) Docs Modules Policy
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Policy).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
POLICY ENGINE-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/policy/TASKS.md)
POLICY ENGINE-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/policy/TASKS.md)
POLICY ENGINE-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/policy/TASKS.md)
[Documentation & Process] 200.P) Docs Modules Registry
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Registry).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
REGISTRY TOKEN SERVICE-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/registry/TASKS.md)
REGISTRY TOKEN SERVICE-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/registry/TASKS.md)
REGISTRY TOKEN SERVICE-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/registry/TASKS.md)
[Documentation & Process] 200.Q) Docs Modules Scanner
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Scanner).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
SCANNER-DOCS-0001 | DOING (2025-10-29) | See ./AGENTS.md | Docs Guild (docs/modules/scanner/TASKS.md)
SCANNER-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/scanner/TASKS.md)
SCANNER-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/scanner/TASKS.md)
[Documentation & Process] 200.R) Docs Modules Scheduler
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Scheduler).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
SCHEDULER-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/scheduler/TASKS.md)
SCHEDULER-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/scheduler/TASKS.md)
SCHEDULER-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/scheduler/TASKS.md)
[Documentation & Process] 200.S) Docs Modules Signer
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Signer).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
SIGNER-DOCS-0001 | DOING (2025-10-29) | See ./AGENTS.md | Docs Guild (docs/modules/signer/TASKS.md)
SIGNER-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/signer/TASKS.md)
SIGNER-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/signer/TASKS.md)
[Documentation & Process] 200.T) Docs Modules Telemetry
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Telemetry).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
TELEMETRY-DOCS-0001 | DOING (2025-10-29) | See ./AGENTS.md | Docs Guild (docs/modules/telemetry/TASKS.md)
TELEMETRY-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/telemetry/TASKS.md)
TELEMETRY-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/telemetry/TASKS.md)
[Documentation & Process] 200.U) Docs Modules Ui
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Ui).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
CONSOLE UI-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/ui/TASKS.md)
CONSOLE UI-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/ui/TASKS.md)
CONSOLE UI-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/ui/TASKS.md)
[Documentation & Process] 200.V) Docs Modules Vex Lens
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Vex Lens).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
VEX-CONSENSUS-LENS-DOCS-0001 | DOING (2025-10-29) | Align with ./AGENTS.md | Docs Guild (docs/modules/vex-lens/TASKS.md)
VEX-CONSENSUS-LENS-ENG-0001 | TODO | Sync into ../../TASKS.md | Module Team (docs/modules/vex-lens/TASKS.md)
VEX-CONSENSUS-LENS-OPS-0001 | TODO | Document outputs in ./README.md | Ops Guild (docs/modules/vex-lens/TASKS.md)
[Documentation & Process] 200.W) Docs Modules Vexer
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Vexer).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
VEXER-DOCS-0001 | DOING (2025-10-29) | See ./AGENTS.md | Docs Guild (docs/modules/vexer/TASKS.md)
VEXER-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/vexer/TASKS.md)
VEXER-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/vexer/TASKS.md)
[Documentation & Process] 200.X) Docs Modules Vuln Explorer
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Vuln Explorer).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
VULNERABILITY-EXPLORER-DOCS-0001 | DOING (2025-10-29) | Align with ./AGENTS.md | Docs Guild (docs/modules/vuln-explorer/TASKS.md)
VULNERABILITY-EXPLORER-ENG-0001 | TODO | Sync into ../../TASKS.md | Module Team (docs/modules/vuln-explorer/TASKS.md)
VULNERABILITY-EXPLORER-OPS-0001 | TODO | Document outputs in ./README.md | Ops Guild (docs/modules/vuln-explorer/TASKS.md)
[Documentation & Process] 200.Y) Docs Modules Zastava
Depends on: Sprint 100.A - Attestor, Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 140.A - Graph, Sprint 150.A - Orchestrator, Sprint 160.A - EvidenceLocker, Sprint 170.A - Notifier, Sprint 180.A - Cli, Sprint 190.A - Ops Deployment
Summary: Documentation & Process focus on Docs Modules Zastava).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
ZASTAVA-DOCS-0001 | TODO | See ./AGENTS.md | Docs Guild (docs/modules/zastava/TASKS.md)
ZASTAVA-ENG-0001 | TODO | Update status via ./AGENTS.md workflow | Module Team (docs/modules/zastava/TASKS.md)
ZASTAVA-OPS-0001 | TODO | Sync outcomes back to ../../TASKS.md | Ops Guild (docs/modules/zastava/TASKS.md)
If all tasks are done - you have reached the end of the sprint plan.

57
docs/modules/advisory-ai/AGENTS.md
View File

@@ -1,22 +1,35 @@
# Advisory AI agent guide
## Mission
Advisory AI is the retrieval-augmented assistant that synthesizes advisory and VEX evidence into operator-ready summaries, conflict explanations, and remediation plans with strict provenance.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Review ./architecture.md for retrieval pipeline, guardrails, and profile support.
2. Open ../../implplan/SPRINTS.md and locate stories for this component.
3. Check ./TASKS.md and update status before/after work.
4. Read README/architecture for design context and update as the implementation evolves.
## Guardrails
- Uphold Aggregation-Only Contract boundaries when consuming ingestion data.
- Preserve determinism and provenance in all derived outputs.
- Document offline/air-gap pathways for any new feature.
- Update telemetry/observability assets alongside feature work.
# Advisory AI agent guide
## Mission
Advisory AI is the retrieval-augmented assistant that synthesizes advisory and VEX evidence into operator-ready summaries, conflict explanations, and remediation plans with strict provenance.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Review ./architecture.md for retrieval pipeline, guardrails, and profile support.
2. Open ../../implplan/SPRINTS.md and locate stories for this component.
3. Check ./TASKS.md and update status before/after work.
4. Read README/architecture for design context and update as the implementation evolves.
## Guardrails
- Uphold Aggregation-Only Contract boundaries when consuming ingestion data.
- Preserve determinism and provenance in all derived outputs.
- Document offline/air-gap pathways for any new feature.
- Update telemetry/observability assets alongside feature work.
## Required Reading
- `docs/modules/advisory-ai/README.md`
- `docs/modules/advisory-ai/architecture.md`
- `docs/modules/advisory-ai/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

57
docs/modules/attestor/AGENTS.md
View File

@@ -1,22 +1,35 @@
# Attestor agent guide
## Mission
Attestor moves signed evidence through the trust chain by accepting DSSE bundles from Signer, registering them with Rekor v2, and serving deterministic verification payloads to other services.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
# Attestor agent guide
## Mission
Attestor moves signed evidence through the trust chain by accepting DSSE bundles from Signer, registering them with Rekor v2, and serving deterministic verification payloads to other services.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
## Required Reading
- `docs/modules/attestor/README.md`
- `docs/modules/attestor/architecture.md`
- `docs/modules/attestor/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

56
docs/modules/authority/AGENTS.md
View File

@@ -1,22 +1,34 @@
# Authority agent guide
## Mission
Authority is the platform OIDC/OAuth2 control plane that mints short-lived, sender-constrained operational tokens (OpToks) for every StellaOps service and tool.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
# Authority agent guide
## Mission
Authority is the platform OIDC/OAuth2 control plane that mints short-lived, sender-constrained operational tokens (OpToks) for every StellaOps service and tool.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
## Required Reading
- `docs/modules/authority/README.md`
- `docs/modules/authority/architecture.md`
- `docs/modules/authority/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

56
docs/modules/ci/AGENTS.md
View File

@@ -1,22 +1,34 @@
# CI Recipes agent guide
## Mission
CI module collects reproducible pipeline recipes for builds, tests, and release promotion across supported platforms.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
# CI Recipes agent guide
## Mission
CI module collects reproducible pipeline recipes for builds, tests, and release promotion across supported platforms.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
## Required Reading
- `docs/modules/ci/README.md`
- `docs/modules/ci/architecture.md`
- `docs/modules/ci/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

56
docs/modules/cli/AGENTS.md
View File

@@ -1,22 +1,34 @@
# CLI agent guide
## Mission
The `stella` CLI is the operator-facing Swiss army knife for scans, exports, policy management, offline kit operations, and automation scripting.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
# CLI agent guide
## Mission
The `stella` CLI is the operator-facing Swiss army knife for scans, exports, policy management, offline kit operations, and automation scripting.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
## Required Reading
- `docs/modules/cli/README.md`
- `docs/modules/cli/architecture.md`
- `docs/modules/cli/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

56
docs/modules/concelier/AGENTS.md
View File

@@ -1,22 +1,34 @@
# Concelier agent guide
## Mission
Concelier ingests signed advisories from dozens of sources and converts them into immutable observations plus linksets under the Aggregation-Only Contract (AOC).
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
# Concelier agent guide
## Mission
Concelier ingests signed advisories from dozens of sources and converts them into immutable observations plus linksets under the Aggregation-Only Contract (AOC).
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
## Required Reading
- `docs/modules/concelier/README.md`
- `docs/modules/concelier/architecture.md`
- `docs/modules/concelier/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

56
docs/modules/devops/AGENTS.md
View File

@@ -1,22 +1,34 @@
# DevOps agent guide
## Mission
The DevOps module captures release, deployment, and migration playbooks that keep StellaOps deterministic across environments.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
# DevOps agent guide
## Mission
The DevOps module captures release, deployment, and migration playbooks that keep StellaOps deterministic across environments.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
## Required Reading
- `docs/modules/devops/README.md`
- `docs/modules/devops/architecture.md`
- `docs/modules/devops/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

2
docs/modules/devops/runbooks/launch-readiness.md
View File

@@ -13,7 +13,7 @@ This document captures production launch sign-offs, deployment readiness checkpo
| Attestor | Attestor Guild | `ATTESTOR-API-11-201` / `ATTESTOR-VERIFY-11-202` / `ATTESTOR-OBS-11-203` (DONE 2025-10-19) | READY | 2025-10-26T14:10Z | Rekor submission/verification pipeline green; telemetry pack published. |
| Scanner Web + Worker | Scanner WebService Guild | `SCANNER-WEB-09-10x`, `SCANNER-RUNTIME-12-30x` (DONE 2025-10-18 -> 2025-10-24) | READY* | 2025-10-26T14:20Z | Orchestrator envelope work (`SCANNER-EVENTS-16-301/302`) still open; see gaps. |
| Concelier Core & Connectors | Concelier Core / Ops Guild | Ops runbook sign-off in `docs/modules/concelier/operations/conflict-resolution.md` (2025-10-16) | READY | 2025-10-26T14:25Z | Conflict resolution & connector coverage accepted; Mongo schema hardening pending (see gaps). |
| Excititor API | Excititor Core Guild | Wave 0 connector ingest sign-offs (EXECPLAN.Section Wave 0) | READY | 2025-10-26T14:28Z | VEX linkset publishing complete for launch datasets. |
| Excititor API | Excititor Core Guild | Wave 0 connector ingest sign-offs (Sprint backlog reference) | READY | 2025-10-26T14:28Z | VEX linkset publishing complete for launch datasets. |
| Notify Web (legacy) | Notify Guild | Existing stack carried forward; Notifier program tracked separately (Sprint 38-40) | PENDING | 2025-10-26T14:32Z | Legacy notify web remains operational; migration to Notifier blocked on `SCANNER-EVENTS-16-301`. |
| Web UI | UI Guild | Stable build `registry.stella-ops.org/.../web-ui@sha256:10d9248...` deployed in stage and smoke-tested | READY | 2025-10-26T14:35Z | Policy editor GA items (Sprint 20) outside launch scope. |
| DevOps / Release | DevOps Guild | `deploy/tools/validate-profiles.sh` run (2025-10-26) covering dev/stage/prod/airgap/mirror | READY | 2025-10-26T15:02Z | Compose/Helm lint + docker compose config validated; see Section 2 for details. |

49
docs/modules/devops/runbooks/zastava-deployment.md Normal file
View File

@@ -0,0 +1,49 @@
# Zastava Deployment Runbook
> **Audience:** DevOps, Zastava Guild
>
> **Purpose:** Provide steps for deploying Zastava Observer + Webhook in connected and air-gapped clusters.
## 1. Prerequisites
- Kubernetes 1.26+ with admission registration permissions.
- Access to StellaOps Container Registry or offline bundle with Zastava images.
- Authority scopes and certificates configured for Zastava identities.
- Surface.FS cache endpoint (RustFS/S3) reachable from nodes.
## 2. Installation Steps
1. **Prepare namespace & secrets**
- Create Kubernetes namespace (default `stellaops-runtime`).
- Provision secrets (`zastava-mtls`, `zastava-op-token`, `surface-secrets`).
2. **Deploy Observer**
- Apply Helm chart `helm/zastava` with values aligning to Surface.Env settings.
- Confirm DaemonSet pods schedule on all nodes; check `/healthz` endpoints.
3. **Deploy Webhook**
- Install ValidatingWebhookConfiguration with CA bundle and service reference.
- Enable dry-run mode first, monitor logs, then switch `enforce=true` once validations pass.
4. **Configure policies**
- Populate admission policies in Policy Engine; ensure tokens contain `runtime:read` scopes.
- Update CLI/Console settings for runtime posture view.
5. **Observability**
- Scrape metrics (`zastava_observer_*`, `zastava_webhook_*`).
- Stream logs to central collector.
## 3. Air-Gapped Deployment Notes
- Use Offline Kit bundle (`offline/zastava/`) to load images and configuration.
- Validate Surface.FS bundles before enabling enforcement.
- Replace webhook CA with offline authority; document rotation schedule.
## 4. Validation
- Run `stella runtime policy test` against sample workloads.
- Trigger deployment denial for unsigned images; verify Notifier emits alerts.
- Check timeline events for observer telemetry.
## 5. References
- `docs/modules/zastava/architecture.md`
- `docs/modules/scanner/architecture.md`
- `docs/airgap/airgap-mode.md`
- `docs/forensics/timeline.md`

56
docs/modules/excititor/AGENTS.md
View File

@@ -1,22 +1,34 @@
# Excititor agent guide
## Mission
Excititor converts heterogeneous VEX feeds into raw observations and linksets that honour the Aggregation-Only Contract.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
# Excititor agent guide
## Mission
Excititor converts heterogeneous VEX feeds into raw observations and linksets that honour the Aggregation-Only Contract.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
## Required Reading
- `docs/modules/excititor/README.md`
- `docs/modules/excititor/architecture.md`
- `docs/modules/excititor/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

56
docs/modules/export-center/AGENTS.md
View File

@@ -1,22 +1,34 @@
# Export Center agent guide
## Mission
Export Center packages reproducible evidence bundles (JSON, Trivy DB, mirror) with provenance metadata and optional signing for offline or mirrored deployments.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
# Export Center agent guide
## Mission
Export Center packages reproducible evidence bundles (JSON, Trivy DB, mirror) with provenance metadata and optional signing for offline or mirrored deployments.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
## Required Reading
- `docs/modules/export-center/README.md`
- `docs/modules/export-center/architecture.md`
- `docs/modules/export-center/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

56
docs/modules/graph/AGENTS.md
View File

@@ -1,22 +1,34 @@
# Graph agent guide
## Mission
Graph module (upcoming) will power graph-indexed queries for SBOM relationships, lineage, and blast-radius analysis.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
# Graph agent guide
## Mission
Graph module (upcoming) will power graph-indexed queries for SBOM relationships, lineage, and blast-radius analysis.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
## Required Reading
- `docs/modules/graph/README.md`
- `docs/modules/graph/architecture.md`
- `docs/modules/graph/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

56
docs/modules/notify/AGENTS.md
View File

@@ -1,22 +1,34 @@
# Notify agent guide
## Mission
Notify evaluates operator-defined rules against platform events and dispatches channel-specific payloads with full auditability.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
# Notify agent guide
## Mission
Notify evaluates operator-defined rules against platform events and dispatches channel-specific payloads with full auditability.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
## Required Reading
- `docs/modules/notify/README.md`
- `docs/modules/notify/architecture.md`
- `docs/modules/notify/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

56
docs/modules/orchestrator/AGENTS.md
View File

@@ -1,22 +1,34 @@
# Source & Job Orchestrator agent guide
## Mission
The Orchestrator schedules, observes, and recovers ingestion and analysis jobs across the StellaOps platform.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Read the design summaries in ./architecture.md (quota governance, job lifecycle, dashboard feeds).
2. Open ../../implplan/SPRINTS.md and locate stories for this component.
3. Check ./TASKS.md and update status before/after work.
4. Review ./README.md for responsibilities and ensure changes maintain determinism and offline parity.
## Guardrails
- Uphold Aggregation-Only Contract boundaries when consuming ingestion data.
- Preserve determinism and provenance in all derived outputs.
- Document offline/air-gap pathways for any new feature.
- Update telemetry/observability assets alongside feature work.
# Source & Job Orchestrator agent guide
## Mission
The Orchestrator schedules, observes, and recovers ingestion and analysis jobs across the StellaOps platform.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Read the design summaries in ./architecture.md (quota governance, job lifecycle, dashboard feeds).
2. Open ../../implplan/SPRINTS.md and locate stories for this component.
3. Check ./TASKS.md and update status before/after work.
4. Review ./README.md for responsibilities and ensure changes maintain determinism and offline parity.
## Guardrails
- Uphold Aggregation-Only Contract boundaries when consuming ingestion data.
- Preserve determinism and provenance in all derived outputs.
- Document offline/air-gap pathways for any new feature.
- Update telemetry/observability assets alongside feature work.
## Required Reading
- `docs/modules/orchestrator/README.md`
- `docs/modules/orchestrator/architecture.md`
- `docs/modules/orchestrator/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

56
docs/modules/platform/AGENTS.md
View File

@@ -1,22 +1,34 @@
# Platform agent guide
## Mission
Platform module describes cross-cutting architecture, contracts, and guardrails that bind the services together.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
# Platform agent guide
## Mission
Platform module describes cross-cutting architecture, contracts, and guardrails that bind the services together.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
## Required Reading
- `docs/modules/platform/README.md`
- `docs/modules/platform/architecture.md`
- `docs/modules/platform/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

56
docs/modules/policy/AGENTS.md
View File

@@ -1,22 +1,34 @@
# Policy Engine agent guide
## Mission
Policy Engine compiles and evaluates Stella DSL policies deterministically, producing explainable findings with full provenance.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
# Policy Engine agent guide
## Mission
Policy Engine compiles and evaluates Stella DSL policies deterministically, producing explainable findings with full provenance.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
## Required Reading
- `docs/modules/policy/README.md`
- `docs/modules/policy/architecture.md`
- `docs/modules/policy/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

56
docs/modules/registry/AGENTS.md
View File

@@ -1,22 +1,34 @@
# Registry Token Service agent guide
## Mission
The registry module issues scoped pull tokens for mirrored container registries while enforcing plan and licence constraints.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
# Registry Token Service agent guide
## Mission
The registry module issues scoped pull tokens for mirrored container registries while enforcing plan and licence constraints.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
## Required Reading
- `docs/modules/registry/README.md`
- `docs/modules/registry/architecture.md`
- `docs/modules/registry/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

56
docs/modules/scanner/AGENTS.md
View File

@@ -1,22 +1,34 @@
# Scanner agent guide
## Mission
Scanner analyses container images layer-by-layer, producing deterministic SBOM fragments, diffs, and signed reports.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
# Scanner agent guide
## Mission
Scanner analyses container images layer-by-layer, producing deterministic SBOM fragments, diffs, and signed reports.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
## Required Reading
- `docs/modules/scanner/README.md`
- `docs/modules/scanner/architecture.md`
- `docs/modules/scanner/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

147
docs/modules/scanner/design/surface-env.md Normal file
View File

@@ -0,0 +1,147 @@
# Surface.Env Design (Epic: SURFACE-SHARING)
> **Status:** Draft v1.0 — aligns with tasks `SURFACE-ENV-01..05`, `SCANNER-ENV-01..03`, `ZASTAVA-ENV-01..02`, `OPS-ENV-01`.
>
> **Audience:** Scanner Worker/WebService engineers, Zastava engineers, DevOps/Ops teams.
## 1. Goals
Surface.Env centralises configuration discovery for every component that touches the shared Scanner “surface” (cache, manifests, secrets). The library replaces ad-hoc environment lookups with a deterministic, validated contract that:
1. Works identically across Scanner Worker, Scanner WebService, BuildX plug-ins, Zastava Observer/Webhook, and future consumers (Scheduler planners, CLI runners).
2. Supports both connected and air-gapped deployments with clear defaults.
3. Records configuration intent (tenant isolation, cache limits, TLS, feature flags) so Surface.Validation can enforce preconditions before any work executes.
## 2. Architecture Overview
```
+-----------------------+
| Host (Worker/WebSvc) |
| - IConfiguration |
| - ILogger |
| |
| +-----------------+ |
| | SurfaceEnv | | loads env vars / config file
| | - Provider |--+------------------------------+
| | - Validators | |
| +-----------------+ |
| | |
| | IResolvedSurfaceConfiguration |
| v v
| Surface.FS / Surface.Secrets / Surface.Validation consumers
+-------------------------------------------------------------
```
Surface.Env exposes `ISurfaceEnvironment` which returns an immutable `SurfaceEnvironmentSettings` record. Hosts call `SurfaceEnvBuilder.Build()` during startup, passing optional configuration overrides (for example, Helm chart values). The builder resolves environment variables, applies defaults, and executes Surface.Validation rules before handing settings to downstream services.
## 3. Configuration Schema
### 3.1 Common keys
| Variable | Description | Default | Notes |
|----------|-------------|---------|-------|
| `SCANNER_SURFACE_FS_ENDPOINT` | Base URI for Surface.FS service (RustFS, S3-compatible). | _required_ | e.g. `https://surface-cache.svc.cluster.local`. Zastava uses `ZASTAVA_SURFACE_FS_ENDPOINT`; when absent, falls back to scanner value. |
| `SCANNER_SURFACE_FS_BUCKET` | Bucket/container name used for manifests and artefacts. | `surface-cache` | Must be unique per tenant. |
| `SCANNER_SURFACE_FS_REGION` | Optional region (S3-style). | `null` | Required for AWS S3. |
| `SCANNER_SURFACE_CACHE_ROOT` | Local filesystem directory for warm caches. | `/var/lib/stellaops/surface` | Should reside on fast SSD. |
| `SCANNER_SURFACE_CACHE_QUOTA_MB` | Soft limit for local cache usage. | `4096` | Enforced by Surface.FS eviction policy. |
| `SCANNER_SURFACE_TLS_CERT_PATH` | Path to PEM bundle for mutual TLS with Surface.FS. | `null` | If provided, library loads cert/key pair. |
| `SCANNER_SURFACE_TENANT` | Tenant identifier used for cache namespaces. | derived from Authority token | Can be overridden for multi-tenant workers. |
| `SCANNER_SURFACE_PREFETCH_ENABLED` | Toggle surface prefetch threads. | `false` | If `true`, Worker prefetches manifests before analyzer stage. |
| `SCANNER_SURFACE_FEATURES` | Comma-separated feature switches. | `""` | e.g. `validation,prewarm,runtime-diff`. |
### 3.2 Secrets provider keys
| Variable | Description | Notes |
|----------|-------------|-------|
| `SCANNER_SURFACE_SECRETS_PROVIDER` | Provider ID (`kubernetes`, `file`, `inline`). | Controls Surface.Secrets back-end. |
| `SCANNER_SURFACE_SECRETS_ROOT` | Path or secret namespace. | Example: `/etc/stellaops/secrets` for file provider. |
| `SCANNER_SURFACE_SECRETS_TENANT` | Tenant override for secret lookup. | Defaults to `SCANNER_SURFACE_TENANT`. |
### 3.3 Zastava-specific keys
Zastava containers read the same primary variables but may override names under the `ZASTAVA_` prefix (e.g., `ZASTAVA_SURFACE_CACHE_ROOT`, `ZASTAVA_SURFACE_FEATURES`). Surface.Env automatically checks component-specific prefixes before falling back to the scanner defaults.
### 3.4 Configuration precedence
1. Explicit overrides passed to `SurfaceEnvBuilder` (e.g., from appsettings).
2. Component-specific env (e.g., `ZASTAVA_SURFACE_FS_ENDPOINT`).
3. Scanner global env (e.g., `SCANNER_SURFACE_FS_ENDPOINT`).
4. `SurfaceEnvDefaults.json` (shipped with library for sensible defaults).
5. Emergency fallback values defined in code (only for development scenarios).
## 4. API Surface
```csharp
public interface ISurfaceEnvironment
{
SurfaceEnvironmentSettings Settings { get; }
IReadOnlyDictionary<string, string> RawVariables { get; }
}
public sealed record SurfaceEnvironmentSettings
(
Uri SurfaceFsEndpoint,
string SurfaceFsBucket,
string? SurfaceFsRegion,
DirectoryInfo CacheRoot,
int CacheQuotaMegabytes,
X509Certificate2Collection? ClientCertificates,
string Tenant,
bool PrefetchEnabled,
IReadOnlyCollection<string> FeatureFlags,
SecretProviderConfiguration Secrets,
IDictionary<string,string> ComponentOverrides
);
```
Consumers access `ISurfaceEnvironment.Settings` and pass the record into Surface.FS / Surface.Secrets factories. The interface memoises results so repeated access is cheap.
## 5. Validation
Surface.Env invokes the following validators (implemented in Surface.Validation):
1. **EndpointValidator** ensures endpoint URI is absolute HTTPS and not localhost in production.
2. **CacheQuotaValidator** verifies quota > 0 and below host max.
3. **FilesystemValidator** checks cache root exists/writable; attempts to create directory if missing.
4. **SecretsProviderValidator** ensures provider-specific settings (e.g., Kubernetes namespace) are present.
5. **FeatureFlagValidator** warns on unknown feature flag tokens.
Failures throw `SurfaceEnvironmentException` with error codes (`SURFACE_ENV_MISSING_ENDPOINT`, `SURFACE_ENV_CACHE_DIR_UNWRITABLE`, etc.). Hosts log the error and fail fast during startup.
## 6. Integration Guidance
- **Scanner Worker**: call `services.AddSurfaceEnvironment()` in `Program.cs` before registering analyzers. Pass `hostContext.Configuration.GetSection("Surface")` for overrides.
- **Scanner WebService**: build environment during startup, then expose selected values via diagnostics (`/internal/surface` when diagnostics enabled).
- **Zastava Observer/Webhook**: use the same builder; ensure Helm charts set `ZASTAVA_` variables.
- **Scheduler Planner (future)**: treat Surface.Env as read-only input; do not mutate settings.
## 7. Security & Observability
- Never log raw secrets; Surface.Env redacts values by default.
- Emit metric `surface_env_validation_total{status}` to observe validation outcomes.
- Provide `/metrics` gauge for cache quota/residual via Surface.FS integration.
## 8. Offline & Air-Gap Support
- Defaults assume no public network access; endpoints should point to internal RustFS or S3-compatible system.
- Offline kit templates supply env files under `offline/scanner/surface-env.env`.
- Document steps in `docs/modules/devops/runbooks/zastava-deployment.md` and `offline-kit` tasks for synchronising env values.
## 9. Testing Strategy
- Unit tests for each resolver/validator.
- Integration tests for Worker & Observer verifying that missing configuration causes deterministic failures.
- Golden tests for configuration precedence (component overrides, defaults).
## 10. Open Questions / Future Work
- Dynamic refresh of environment (watch ConfigMap) is out of scope for v1.
- Evaluate adding support for environment discovery via `IConfiguration` only (no env vars) for Windows service deployments.
## 11. References
- Surface.FS Design (`docs/modules/scanner/design/surface-fs.md`)
- Surface.Secrets Design (`docs/modules/scanner/design/surface-secrets.md`)
- Surface.Validation Design (`docs/modules/scanner/design/surface-validation.md`)
- AirGap mode overview (`docs/airgap/airgap-mode.md`)

130
docs/modules/scanner/design/surface-fs.md Normal file
View File

@@ -0,0 +1,130 @@
# Surface.FS Design (Epic: SURFACE-SHARING)
> **Status:** Draft v1.0 — aligns with tasks `SURFACE-FS-01..06`, `SCANNER-SURFACE-01..05`, `ZASTAVA-SURFACE-01..02`, `SCHED-SURFACE-01`, `OPS-SECRETS-01..02`.
>
> **Audience:** Scanner Worker/WebService, Zastava, Scheduler, DevOps.
## 1. Purpose
Surface.FS provides a unified content-addressable cache for Scanner-derived artefacts (layer manifests, entry traces, SBOM fragments, runtime deltas). It enables:
- Sharing scan results between Worker, WebService, Zastava Observer/Webhook, Scheduler planners, Export Center, and future CLI operations.
- Deterministic reproduction of scan evidence (manifests and payloads) in both connected and air-gapped environments.
- Efficient data movement by storing manifests once and referencing them via stable pointers.
## 2. Core Concepts
### 2.1 Artefact Key
Each artefact is addressed by a tuple `(tenant, surfaceKind, contentDigest)` where `contentDigest` is a SHA256 of the canonical payload. `surfaceKind` identifies artefact type (see Manifest schema below).
### 2.2 Manifest
Manifests describe the artefact metadata and storage pointers. They are stored in the `surface-manifests` bucket and fetched by consumers before retrieving bulk data.
```json
{
"schema": "stellaops.surface.manifest@1",
"tenant": "acme",
"kind": "layer-entry-trace",
"digest": "sha256:ab12...",
"createdAt": "2025-10-29T12:00:00Z",
"expiresAt": "2025-11-05T12:00:00Z",
"source": {
"scannerBuild": "stellaops/scanner@sha256:deadbeef",
"imageDigest": "sha256:cafe...",
"scanId": "scan-1234"
},
"storage": {
"bucket": "surface-cache",
"objectKey": "tenants/acme/layer-entry-trace/sha256/ab/12/.../payload.json.zst",
"sizeBytes": 524288,
"contentType": "application/json+zstd"
},
"integrity": {
"hash": "sha256:ab12...",
"signature": null
}
}
```
### 2.3 Payload Storage
Large payloads (SBOM fragments, entry traces, runtime events) live in the same object store as manifests (RustFS/S3). Manifests record relative paths so offline bundles can copy both manifest and payload without modification.
## 3. APIs
Surface.FS exposes a gRPC/HTTP API consumed by .NET clients:
| Method | Description |
|--------|-------------|
| `PutManifest(PutManifestRequest)` | Stores manifest + optional payload. Idempotent via `digest`. |
| `GetManifest(GetManifestRequest)` | Returns manifest metadata; 404 if missing. |
| `GetPayload(GetPayloadRequest)` | Streams payload bytes (optionally decompressing). |
| `ListManifests(ListManifestRequest)` | Enumerates manifests for tenant/kind with pagination. |
| `DeleteManifest(DeleteManifestRequest)` | (Optional) Removes manifest/payload based on retention policies. |
.NET client wraps these calls and handles retries using Polly policies.
## 4. Library Responsibilities
Surface.FS library for .NET hosts provides:
- `ISurfaceManifestWriter` / `ISurfaceManifestReader` interfaces.
- Content-addressed path builder (`SurfacePathBuilder`).
- Tenant namespace isolation and bucket configuration (via Surface.Env).
- Local cache management (using `SCANNER_SURFACE_CACHE_ROOT` and quota).
- Metrics: `surface_manifest_put_seconds`, `surface_manifest_cache_hit_total`, etc.
## 5. Retention & Eviction
- Manifests include optional `expiresAt`; Worker defaults to 30 days for SBOM fragments, 7 days for entry traces.
- Background job `SurfaceCacheMaintenanceService` evicts local cache entries exceeding quota, oldest-first.
- Object storage retention policies are managed by DevOps; library exposes metrics but does not auto-delete unless instructed.
## 6. Offline Kit Handling
Offline kits include:
```
offline/surface/
manifests/
tenants/<tenant>/<kind>/<digest>.json
payloads/
tenants/<tenant>/<kind>/<digest>.json.zst
manifest-index.json
```
Import script calls `PutManifest` for each manifest, verifying digests. This enables Zastava and Scheduler running offline to consume cached data without re-scanning.
## 7. Security & Tenancy
- Tenant ID is mandatory; Surface.Validation enforces match with Authority token.
- Manifests/payloads stored in tenant-specific prefixes to prevent leakage.
- Optional manifest signing (future) will use `Surface.Secrets` to load signing keys.
- TLS enforced between hosts and Surface.FS endpoint; certificate pins configured via Surface.Env.
## 8. Observability
- Logs include manifest SHA, tenant, and kind; payload paths truncated for brevity.
- Metrics exported via Prometheus with labels `{tenant, kind, result}`.
- Tracing spans: `surface.fs.put`, `surface.fs.get`, `surface.fs.cache`.
## 9. Testing Strategy
- Unit tests for path builder, manifest serializer, and local cache eviction.
- Integration tests using embedded RustFS or MinIO container to validate API interactions.
- Offline kit tests verifying export/import cycle round-trips manifests and payloads.
## 10. Future Enhancements
- Manifest signing (DSSE) to support tamper detection in hostile environments.
- Differential manifests to optimise large SBOM updates.
- Cross-region replication for multi-site deployments.
## 11. References
- Surface.Env Design (`docs/modules/scanner/design/surface-env.md`)
- Surface.Secrets Design (`docs/modules/scanner/design/surface-secrets.md`)
- Surface.Validation Design (`docs/modules/scanner/design/surface-validation.md`)
- Zastava Deployment Runbook (`docs/modules/devops/runbooks/zastava-deployment.md`)

121
docs/modules/scanner/design/surface-secrets.md Normal file
View File

@@ -0,0 +1,121 @@
# Surface.Secrets Design (Epic: SURFACE-SHARING)
> **Status:** Draft v1.0 — aligns with tasks `SURFACE-SECRETS-01..06`, `SCANNER-SECRETS-01..03`, `ZASTAVA-SECRETS-01..02`, `OPS-SECRETS-01..02`.
>
> **Audience:** Scanner/Zastava engineers, Security Guild, DevOps/Ops teams.
## 1. Goals
Surface.Secrets standardises how Scanner, Zastava, Scheduler, and related services obtain credentials and sensitive material required for surface operations (registry pull secrets, CAS tokens, manifest signing keys). Key requirements:
- Consistent, pluggable providers (Kubernetes Secret, file, inline, future vaults).
- Deterministic lookup keyed by tenant/component to avoid accidental leakage.
- Integration with Surface.Env & Surface.Validation for configuration and pre-flight checks.
- Minimal in-memory exposure; secrets wrapped in secure handles with automatic disposal.
## 2. Secret Types
| Secret Type | Description | Example Consumers |
|-------------|-------------|-------------------|
| `cas-access` | Credentials for RustFS/S3 object storage (access key/secret, session token). | Scanner Worker/WebService, Zastava Observer/Webhook |
| `registry` | Container registry auth (username/password or token). | Scanner Worker (pulling layers for SBOM) |
| `attestation` | DSSE signing key material, Rekor API tokens. | Scanner WebService (delegation), Attestor (future integration) |
| `tls` | Client TLS certificates for Surface.FS or other services. | Scanner Worker, Zastava Observer |
Additional secret types can be registered via `ISurfaceSecretTypeRegistry`.
## 3. Provider Model
```csharp
public interface ISurfaceSecretProvider
{
ValueTask<SurfaceSecretHandle> GetAsync(SurfaceSecretRequest request, CancellationToken ct = default);
}
public sealed record SurfaceSecretRequest
(
string Tenant,
string Component, // e.g. "Scanner.Worker"
string SecretType, // e.g. "cas-access"
string? Name // optional override (e.g., "primary", "mirror-eu")
);
```
### 3.1 Built-in providers
1. **Kubernetes** Reads from `Secret` objects. Configuration:
- `namespace`: derived from `SCANNER_SURFACE_SECRETS_ROOT` or component override.
- Secret name format: `surface-{tenant}-{component}-{secretType}`.
- Supports key mapping (e.g., `accessKey`, `secretKey`, `sessionToken`).
2. **File** Loads JSON/YAML files from a directory (for offline kit, dev). File path derived from root + tenant/component.
3. **Inline** Accepts base64 encoded JSON from env (useful for tests).
### 3.2 Secret Handle
`SurfaceSecretHandle` exposes typed accessors (`AsCredentials()`, `AsTlsCertificate()`) and ensures sensitive data is cleared when disposed.
## 4. Configuration
Surface.Env supplies provider configuration (`SecretsProviderConfiguration`). Example:
```json
{
"provider": "kubernetes",
"namespace": "stellaops-runtime",
"prefix": "surface-",
"fallbackProvider": "file",
"file": {
"root": "/etc/stellaops/secrets"
}
}
```
Fallback provider allows offline development (use file provider if K8s secret missing).
## 5. Validation
Surface.Validation supplies validators:
- `SecretProviderValidator` ensures provider ID is known; checks required configuration (namespace/root).
- `SecretExistenceValidator` optional check verifying required secret types exist at startup (configurable list).
- `SecretRotationValidator` warns when secrets are older than rotation window (uses metadata stored in provider).
Failures produce error codes (`SURFACE_SECRET_PROVIDER_UNKNOWN`, `SURFACE_SECRET_MISSING`, `SURFACE_SECRET_STALE`).
## 6. Security Considerations
- Secrets returned as `SecureString`/byte arrays; never log values.
- Kubernetes provider caches secrets in-memory with TTL (default 10 minutes) to reduce API calls; cache invalidated when `generation` changes.
- File provider enforces permissions (`0600`); rejects world-readable files.
- Inline provider meant for tests only; flag `Surface:Secrets:AllowInline` enables it explicitly.
## 7. Offline & Air-Gap Support
- Offline kits include `offline/secrets/` with encrypted archive plus manifest file enumerating secret metadata (tenant, component, type, checksum).
- Import script decrypts archive using site-specific key and populates file provider root.
- Documented workflow lives in `ops/offline-kit/TASKS.md` and associated runbooks.
## 8. Observability
- Metrics: `surface_secrets_requests_total{provider,result}`.
- Logs: only log secret identifiers, never values.
- Traces: `surface.secrets.get` span showing provider latency.
## 9. Testing Strategy
- Unit tests per provider with fake backends.
- Integration tests in Scanner/Zastava verifying provider selection, fallback, and rotation.
- Security tests ensuring secrets arent leaked in logs or exceptions.
## 10. Future Enhancements
- Support for HashiCorp Vault / AWS Secrets Manager providers.
- Built-in DSSE signing key management for Attestor/Signer.
- Automatic rotation notifications via Notifier.
## 11. References
- `docs/modules/scanner/design/surface-env.md`
- `docs/modules/scanner/design/surface-fs.md`
- `docs/modules/scanner/design/surface-validation.md`
- `docs/modules/airgap/airgap-mode.md`

99
docs/modules/scanner/design/surface-validation.md Normal file
View File

@@ -0,0 +1,99 @@
# Surface.Validation Design (Epic: SURFACE-SHARING)
> **Status:** Draft v1.0 — aligns with tasks `SURFACE-VAL-01..05`, `LANG-SURFACE-01..03`, `ENTRYTRACE-SURFACE-01..02`, `ZASTAVA-SURFACE-02`, `SCANNER-SECRETS-01..03`.
>
> **Audience:** Engineers integrating Surface Env/FS/Secrets, QA guild, Security guild.
## 1. Objectives
Surface.Validation provides a shared validator framework to ensure all surface consumers meet configuration and data preconditions before performing work. It prevents subtle runtime errors by failing fast with actionable diagnostics.
## 2. Core Interfaces
```csharp
public interface ISurfaceValidator
{
ValueTask<ValidationResult> ValidateAsync(SurfaceValidationContext context, CancellationToken ct = default);
}
public sealed record SurfaceValidationContext
(
SurfaceEnvironmentSettings Environment,
IServiceProvider Services,
string ComponentName
);
public sealed record ValidationResult
(
bool IsSuccess,
IReadOnlyCollection<SurfaceValidationIssue> Issues
);
public sealed record SurfaceValidationIssue
(
string Code,
string Message,
SurfaceValidationSeverity Severity,
string? Hint = null
);
```
Validators register with DI (`services.AddSurfaceValidation()`). Hosts call `ISurfaceValidatorRunner.RunAllAsync()` during startup and periodically (optional) to re-check configuration.
## 3. Built-in Validators
| Code | Severity | Description |
|------|----------|-------------|
| `SURFACE_ENV_MISSING_ENDPOINT` | Error | Raised when `SurfaceFsEndpoint` absent. |
| `SURFACE_ENV_CACHE_DIR_UNWRITABLE` | Error | Cache root not writable or disk full. |
| `SURFACE_SECRET_MISSING` | Error | Secret provider cannot locate required secret type. |
| `SURFACE_SECRET_STALE` | Warning | Secret older than rotation window. |
| `SURFACE_FS_ENDPOINT_REACHABILITY` | Error | HEAD request to Surface.FS endpoint failed. |
| `SURFACE_FS_BUCKET_MISMATCH` | Error | Provided bucket does not exist / lacks permissions. |
| `SURFACE_FEATURE_UNKNOWN` | Warning | Feature flag not recognised. |
| `SURFACE_TENANT_MISMATCH` | Error | Tenant from environment differs from Authority token tenant. |
Validation pipeline stops on the first error (severity `Error`) unless `Surface:Validation:ContinueOnError=true` is set (useful for diagnostics mode).
## 4. Extensibility
Consumers can register custom validators:
```csharp
services.AddSurfaceValidation(builder =>
builder.AddValidator<RegistryCredentialsValidator>()
.AddValidator<RuntimeCacheWarmupValidator>());
```
Validators can access DI services (e.g., HttpClient, Authority token provider) through the context. To avoid long-running checks, recommended max validation time is 500ms per validator.
## 5. Reporting & Observability
- Results exposed via `ISurfaceValidationReporter` (default logs structured JSON to `Validation` category).
- Metrics: `surface_validation_issues_total{code,severity}`.
- Optional debug endpoint `/internal/surface/validation` (Scanner WebService) returns last validation run.
## 6. Integration Guidelines
- **Scanner Worker/WebService**: fail startup if any error-level issue occurs; log warnings but continue running.
- **Zastava Webhook**: treat validation errors as fatal (webhook should not enforce policies when surface preconditions fail). Display validation error summary in `/readyz` response to aid debugging.
- **Analysers**: call `SurfaceValidation.Ensure()` before executing heavy work to catch misconfiguration during integration tests.
## 7. Testing Strategy
- Unit tests for built-in validators using in-memory providers.
- Integration tests in Scanner/Zastava verifying validators run during startup and produce expected outcomes.
- Negative tests simulating missing secrets, unreachable endpoints, or mismatched tenants.
## 8. Error Handling & Remediation
- Each issue includes a hint describing remediation steps (e.g., “Verify `SCANNER_SURFACE_FS_ENDPOINT` is reachable from worker nodes”).
- DevOps runbooks should reference issue codes in troubleshooting sections.
- `surface_validation.json` file stored alongside application logs summarises the last run for offline support.
## 9. References
- `docs/modules/scanner/design/surface-env.md`
- `docs/modules/scanner/design/surface-fs.md`
- `docs/modules/scanner/design/surface-secrets.md`
- `docs/modules/devops/runbooks/zastava-deployment.md`

56
docs/modules/scheduler/AGENTS.md
View File

@@ -1,22 +1,34 @@
# Scheduler agent guide
## Mission
Scheduler detects advisory/VEX deltas, computes impact windows, and orchestrates re-evaluations across Scanner and Policy Engine.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
# Scheduler agent guide
## Mission
Scheduler detects advisory/VEX deltas, computes impact windows, and orchestrates re-evaluations across Scanner and Policy Engine.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
## Required Reading
- `docs/modules/scheduler/README.md`
- `docs/modules/scheduler/architecture.md`
- `docs/modules/scheduler/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

57
docs/modules/signer/AGENTS.md
View File

@@ -1,22 +1,35 @@
# Signer agent guide
## Mission
Signer validates callers, enforces Proof-of-Entitlement, and produces signed DSSE bundles for SBOMs, reports, and exports.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
# Signer agent guide
## Mission
Signer validates callers, enforces Proof-of-Entitlement, and produces signed DSSE bundles for SBOMs, reports, and exports.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
## Required Reading
- `docs/modules/signer/README.md`
- `docs/modules/signer/architecture.md`
- `docs/modules/signer/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

56
docs/modules/telemetry/AGENTS.md
View File

@@ -1,22 +1,34 @@
# Telemetry agent guide
## Mission
Telemetry module captures deployment and operations guidance for the shared observability stack (collectors, storage, dashboards).
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
# Telemetry agent guide
## Mission
Telemetry module captures deployment and operations guidance for the shared observability stack (collectors, storage, dashboards).
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
## Required Reading
- `docs/modules/telemetry/README.md`
- `docs/modules/telemetry/architecture.md`
- `docs/modules/telemetry/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

56
docs/modules/ui/AGENTS.md
View File

@@ -1,22 +1,34 @@
# Console UI agent guide
## Mission
The Console presents operator dashboards for scans, policies, VEX evidence, runtime posture, and admin workflows.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
# Console UI agent guide
## Mission
The Console presents operator dashboards for scans, policies, VEX evidence, runtime posture, and admin workflows.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
## Required Reading
- `docs/modules/ui/README.md`
- `docs/modules/ui/architecture.md`
- `docs/modules/ui/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

57
docs/modules/vex-lens/AGENTS.md
View File

@@ -1,22 +1,35 @@
# VEX Consensus Lens agent guide
## Mission
VEX Lens computes deterministic consensus across conflicting VEX statements while preserving raw provenance.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Review ./architecture.md for consensus algorithm, trust model, and export contracts.
2. Open ../../implplan/SPRINTS.md and locate stories for this component.
3. Check ./TASKS.md and update status before/after work.
4. Read README/architecture for design context and update as the implementation evolves.
## Guardrails
- Uphold Aggregation-Only Contract boundaries when consuming ingestion data.
- Preserve determinism and provenance in all derived outputs.
- Document offline/air-gap pathways for any new feature.
- Update telemetry/observability assets alongside feature work.
# VEX Consensus Lens agent guide
## Mission
VEX Lens computes deterministic consensus across conflicting VEX statements while preserving raw provenance.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Review ./architecture.md for consensus algorithm, trust model, and export contracts.
2. Open ../../implplan/SPRINTS.md and locate stories for this component.
3. Check ./TASKS.md and update status before/after work.
4. Read README/architecture for design context and update as the implementation evolves.
## Guardrails
- Uphold Aggregation-Only Contract boundaries when consuming ingestion data.
- Preserve determinism and provenance in all derived outputs.
- Document offline/air-gap pathways for any new feature.
- Update telemetry/observability assets alongside feature work.
## Required Reading
- `docs/modules/vex-lens/README.md`
- `docs/modules/vex-lens/architecture.md`
- `docs/modules/vex-lens/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

56
docs/modules/vexer/AGENTS.md
View File

@@ -1,22 +1,34 @@
# Vexer agent guide
## Mission
Vexer computes deterministic consensus across VEX claims, preserving conflicts and producing attestable evidence for policy suppression.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
# Vexer agent guide
## Mission
Vexer computes deterministic consensus across VEX claims, preserving conflicts and producing attestable evidence for policy suppression.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
## Required Reading
- `docs/modules/vexer/README.md`
- `docs/modules/vexer/architecture.md`
- `docs/modules/vexer/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

57
docs/modules/vuln-explorer/AGENTS.md
View File

@@ -1,22 +1,35 @@
# Vulnerability Explorer agent guide
## Mission
Vulnerability Explorer delivers policy-aware triage, investigation, and reporting surfaces for effective findings.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Review ./architecture.md for ledger schema, workflow states, and export requirements.
2. Open ../../implplan/SPRINTS.md and locate stories for this component.
3. Check ./TASKS.md and update status before/after work.
4. Read README/architecture for design context and update as the implementation evolves.
## Guardrails
- Uphold Aggregation-Only Contract boundaries when consuming ingestion data.
- Preserve determinism and provenance in all derived outputs.
- Document offline/air-gap pathways for any new feature.
- Update telemetry/observability assets alongside feature work.
# Vulnerability Explorer agent guide
## Mission
Vulnerability Explorer delivers policy-aware triage, investigation, and reporting surfaces for effective findings.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Review ./architecture.md for ledger schema, workflow states, and export requirements.
2. Open ../../implplan/SPRINTS.md and locate stories for this component.
3. Check ./TASKS.md and update status before/after work.
4. Read README/architecture for design context and update as the implementation evolves.
## Guardrails
- Uphold Aggregation-Only Contract boundaries when consuming ingestion data.
- Preserve determinism and provenance in all derived outputs.
- Document offline/air-gap pathways for any new feature.
- Update telemetry/observability assets alongside feature work.
## Required Reading
- `docs/modules/vuln-explorer/README.md`
- `docs/modules/vuln-explorer/architecture.md`
- `docs/modules/vuln-explorer/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

56
docs/modules/zastava/AGENTS.md
View File

@@ -1,22 +1,34 @@
# Zastava agent guide
## Mission
Zastava monitors running workloads, verifies supply chain posture, and enforces runtime policy via Kubernetes admission webhooks.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
# Zastava agent guide
## Mission
Zastava monitors running workloads, verifies supply chain posture, and enforces runtime policy via Kubernetes admission webhooks.
## Key docs
- [Module README](./README.md)
- [Architecture](./architecture.md)
- [Implementation plan](./implementation_plan.md)
- [Task board](./TASKS.md)
## How to get started
1. Open ../../implplan/SPRINTS.md and locate the stories referencing this module.
2. Review ./TASKS.md for local follow-ups and confirm status transitions (TODO → DOING → DONE/BLOCKED).
3. Read the architecture and README for domain context before editing code or docs.
4. Coordinate cross-module changes in the main /AGENTS.md description and through the sprint plan.
## Guardrails
- Honour the Aggregation-Only Contract where applicable (see ../../ingestion/aggregation-only-contract.md).
- Preserve determinism: sort outputs, normalise timestamps (UTC ISO-8601), and avoid machine-specific artefacts.
- Keep Offline Kit parity in mind—document air-gapped workflows for any new feature.
- Update runbooks/observability assets when operational characteristics change.
## Required Reading
- `docs/modules/zastava/README.md`
- `docs/modules/zastava/architecture.md`
- `docs/modules/zastava/implementation_plan.md`
- `docs/modules/platform/architecture-overview.md`
## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.

6
docs/technical/architecture/component-map.md
View File

@@ -40,8 +40,8 @@ Concise descriptions of every top-level component under `src/`, summarising the
- **TimelineIndexer** — Builds timelines of evidence/events for forensics and audit tooling (`docs/forensics/timeline.md`).
## Notification & UI
- **Notifier** — New notifications studio with rule engine, digesting, and channel plug-ins (`docs/notifications/overview.md`).
- **Notify** — Legacy notification service referenced in backlog/cleanup docs; still handles existing deployments (`docs/modules/notify/architecture.md`).
- **Notifier** — Current notifications studio (WebService + Worker under `src/Notifier/StellaOps.Notifier`) delivering rule evaluation, digests, incidents, and channel plug-ins. Built on the shared `StellaOps.Notify.*` libraries; see `docs/notifications/overview.md` and `src/Notifier/StellaOps.Notifier/docs/NOTIFY-SVC-38-001-FOUNDATIONS.md`.
- **Notify (shared libraries / archival hosts)** — The former `StellaOps.Notify.WebService|Worker` hosts were archived on 2025-10-26. The directory now provides the reusable engine, storage, queue, and connector plug-ins that Notifier composes. Legacy guidance in `docs/modules/notify/architecture.md` remains as migration context until the Notifications Studio docs fully supersede it.
- **UI** — Angular console surfacing scans, policy authoring, VEX evidence, runtime posture, and admin flows. Talks to Web gateway, Authority, Policy, Concelier, Scheduler, Notify, etc. (`docs/modules/ui/architecture.md`).
- **DevPortal** — Developer onboarding portal consuming Api definitions, CLI samples, and Authority auth flows (`docs/modules/devops/architecture.md`, dev portal sections).
@@ -71,7 +71,7 @@ High-level flows (see `docs/high-level-architecture.md` for diagrams):
1. **Ingest** — Concelier and Excititor use AOC to ingest advisories/VEX; Scheduler observes deltas.
2. **Scan & Evaluate** — Scanner generates SBOM evidence and hands to Signer/Attestor; Policy Engine merges SBOM, advisory, VEX, runtime signals; RiskEngine prioritises.
3. **Store & Export** — EvidenceLocker and Export Center package results; Registry serves artefacts; AirGap bundles offline editions.
4. **Observe & Notify** — Telemetry captures metrics/traces/logs; Notifier/Notify deliver alerts; UI/CLI/Web expose operations; TimelineIndexer builds audit trails.
4. **Observe & Notify** — Telemetry captures metrics/traces/logs; Notifier (via the shared `StellaOps.Notify.*` libraries) delivers alerts; UI/CLI/Web expose operations; TimelineIndexer builds audit trails.
5. **Govern & Secure** — Authority, IssuerDirectory, Signer, and Attestor maintain trust; Policy governance and console experiences let teams manage waivers and approvals.
Refer back to module-specific documentation for APIs, configuration, schema details, and operational runbooks. This component map will stay updated alongside module architecture changes—log updates in `docs/updates/` whenever new modules are introduced or deprecated.

1
docs/technical/process/README.md
View File

@@ -9,7 +9,6 @@ Use these artefacts to understand team ownership, active workstreams, and histor
## Work Tracking
- [../TASKS.md](../../TASKS.md) Docs Guild task board.
- Sprint plans and historical boards: [../implplan/SPRINTS.md](../../implplan/SPRINTS.md), [../implplan/SPRINTS_PRIOR_20251028.md](../../implplan/SPRINTS_PRIOR_20251028.md), [../implplan/SPRINTS_PRIOR_20251027.md](../../implplan/SPRINTS_PRIOR_20251027.md), [../implplan/SPRINTS_PRIOR_20251025.md](../../implplan/SPRINTS_PRIOR_20251025.md), [../implplan/SPRINTS_PRIOR_20251021.md](../../implplan/SPRINTS_PRIOR_20251021.md), [../implplan/SPRINTS_PRIOR_20251019.md](../../implplan/SPRINTS_PRIOR_20251019.md).
- Execution plan: [../implplan/EXECPLAN.md](../../implplan/EXECPLAN.md).
- Backlog hygiene and consolidation notes: [../backlog/](../../backlog/).
- Task packs and reusable templates: [../task-packs/](../../task-packs/).