feat: Add guild charters and task boards for various components
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Introduced guild charters for Scanner Deno, PHP, Ruby, Native, WebService, Java, Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, UI, Zastava Observer, Zastava Webhook, Zastava Core, and Plugin Platform.
- Each charter outlines the mission, scope, required reading, and working agreements for the respective guilds.
- Created task boards for Surface.Env, Surface.FS, Surface.Secrets, Surface.Validation, and Zastava components to track progress and dependencies.
- Ensured all documents emphasize determinism, offline readiness, security, and integration with shared Surface libraries.
95
docs/implplan/SPRINT_160_export_evidence.md
Normal file
@@ -0,0 +1,95 @@
# Sprint 160 - Export & Evidence
[Export & Evidence] 160.A) EvidenceLocker
Depends on: Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator
Summary: Export & Evidence focus on EvidenceLocker).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EVID-OBS-53-001 | TODO | Bootstrap `StellaOps.Evidence.Locker` service with Postgres schema for `evidence_bundles`, `evidence_artifacts`, `evidence_holds`, tenant RLS, and object-store abstraction (WORM optional). | Evidence Locker Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md)
EVID-OBS-53-002 | TODO | Implement bundle builders for evaluation/job/export snapshots collecting inputs, outputs, env digests, run metadata. Generate Merkle tree + manifest skeletons and persist root hash. | Evidence Locker Guild, Orchestrator Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md)
EVID-OBS-53-003 | TODO | Expose REST APIs (`POST /evidence/snapshot`, `GET /evidence/:id`, `POST /evidence/verify`, `POST /evidence/hold/:case_id`) with audit logging, tenant enforcement, and size quotas. | Evidence Locker Guild, Security Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md)
EVID-OBS-54-001 | TODO | Attach DSSE signing and RFC3161 timestamping to bundle manifests; validate against Provenance verification library. Wire legal hold retention extension and chain-of-custody events for Timeline Indexer. | Evidence Locker Guild, Provenance Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md)
EVID-OBS-54-002 | TODO | Provide bundle download/export packaging (tgz) with checksum manifest, offline verification instructions, and sample fixture for CLI tests. | Evidence Locker Guild, DevEx/CLI Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md)
EVID-OBS-55-001 | TODO | Implement incident mode hooks increasing retention window, capturing additional debug artefacts, and emitting activation/deactivation events to Timeline Indexer + Notifier. | Evidence Locker Guild, DevOps Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md)
EVID-OBS-60-001 | TODO | Deliver portable evidence export flow for sealed environments: generate sealed bundles with checksum manifest, redacted metadata, and offline verification script. Document air-gapped import/verify procedures. | Evidence Locker Guild (src/EvidenceLocker/StellaOps.EvidenceLocker/TASKS.md)
[Export & Evidence] 160.B) ExportCenter.I
Depends on: Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator
Summary: Export & Evidence focus on ExportCenter (phase I).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
DVOFF-64-001 | TODO | Implement Export Center job `devportal --offline` bundling portal HTML, specs, SDK artifacts, changelogs, and verification manifest. | DevPortal Offline Guild, Exporter Guild (src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/TASKS.md)
DVOFF-64-002 | TODO | Provide verification CLI (`stella devportal verify bundle.tgz`) ensuring integrity before import. | DevPortal Offline Guild, AirGap Controller Guild (src/ExportCenter/StellaOps.ExportCenter.DevPortalOffline/TASKS.md)
EXPORT-AIRGAP-56-001 | TODO | Extend Export Center to build Mirror Bundles as export profiles, including advisories/VEX/policy packs manifesting DSSE/TUF metadata. | Exporter Service Guild, Mirror Creator Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-AIRGAP-56-002 | TODO | Package Bootstrap Pack (images + charts) into OCI archives with signed manifests for air-gapped deployment. | Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-AIRGAP-57-001 | TODO | Integrate portable evidence export mode producing sealed evidence bundles with DSSE signatures and chain-of-custody metadata. | Exporter Service Guild, Evidence Locker Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-AIRGAP-58-001 | TODO | Emit notifications and timeline events when Mirror Bundles or Bootstrap packs are ready for transfer. | Exporter Service Guild, Notifications Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-ATTEST-74-001 | TODO | Implement export job producing attestation bundles with manifest, checksums, DSSE signature, and optional transparency log segments. | Attestation Bundle Guild, Attestor Service Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md)
EXPORT-ATTEST-74-001 | TODO | Implement attestation bundle export job via Export Center. | Exporter Service Guild, Attestation Bundle Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-ATTEST-74-002 | TODO | Integrate bundle job into CI/offline kit packaging with checksum publication. | Attestation Bundle Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md)
EXPORT-ATTEST-75-001 | TODO | Provide CLI command `stella attest bundle verify/import` for air-gap usage. | Attestation Bundle Guild, CLI Attestor Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md)
EXPORT-ATTEST-75-001 | TODO | Integrate attestation bundles into offline kit flows and CLI commands. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-ATTEST-75-002 | TODO | Document `/docs/modules/attestor/airgap.md` with bundle workflows and verification steps. | Attestation Bundle Guild, Docs Guild (src/ExportCenter/StellaOps.ExportCenter.AttestationBundles/TASKS.md)
EXPORT-OAS-61-001 | TODO | Update Exporter OAS covering profiles, runs, downloads, devportal exports with standard error envelope and examples. | Exporter Service Guild, API Contracts Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-OAS-61-002 | TODO | Provide `/.well-known/openapi` discovery endpoint with version metadata and ETag. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-OAS-62-001 | TODO | Ensure SDKs include export profile/run clients with streaming download helpers; add smoke tests. | Exporter Service Guild, SDK Generator Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
[Export & Evidence] 160.B) ExportCenter.II
Depends on: Sprint 160.B - ExportCenter.I
Summary: Export & Evidence focus on ExportCenter (phase II).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXPORT-OAS-63-001 | TODO | Implement deprecation headers and notifications for legacy export endpoints. | Exporter Service Guild, API Governance Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-OBS-50-001 | TODO | Adopt telemetry core in exporter service + workers, ensuring spans/logs capture profile id, tenant, artifact counts, distribution type, and trace IDs. | Exporter Service Guild, Observability Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-OBS-51-001 | TODO | Emit metrics for export planner latency, bundle build time, distribution success rate, bundle size, and define SLOs (bundle availability P95 <90s). Add Grafana dashboards + burn-rate alerts. | Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-OBS-52-001 | TODO | Publish timeline events for export lifecycle (`export.requested`, `export.built`, `export.distributed`, `export.failed`) embedding manifest hashes and evidence refs. Provide dedupe + retry logic. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-OBS-53-001 | TODO | Push export manifests + distribution transcripts to evidence locker bundles, ensuring Merkle root alignment and DSSE pre-sign data available. | Exporter Service Guild, Evidence Locker Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-OBS-54-001 | TODO | Produce DSSE attestations for each export artifact and distribution target, expose verification API `/exports/{id}/attestation`, and integrate with CLI verify path. | Exporter Service Guild, Provenance Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-OBS-55-001 | TODO | Add incident mode enhancements (extra tracing for slow exports, additional debug logs, retention bump). Emit incident activation events to timeline + notifier. | Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-RISK-69-001 | TODO | Add Export Center job handler `risk-bundle` with provider selection, manifest signing, and audit logging. | Exporter Service Guild, Risk Bundle Export Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-RISK-69-002 | TODO | Enable simulation report exports pulling scored data + explainability snapshots. | Exporter Service Guild, Risk Engine Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-RISK-70-001 | TODO | Integrate risk bundle builds into offline kit packaging with checksum verification. | Exporter Service Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-35-001 | BLOCKED (2025-10-29) | Bootstrap exporter service project, configuration, and Postgres migrations for `export_profiles`, `export_runs`, `export_inputs`, `export_distributions` with tenant scoping + tests. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-35-002 | TODO | Implement planner + scope resolver translating filters into ledger iterators and orchestrator job payloads; include deterministic sampling and validation. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-35-003 | TODO | Deliver JSON adapters (`json:raw`, `json:policy`) with canonical normalization, redaction allowlists, compression, and manifest counts. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-35-004 | TODO | Build mirror (full) adapter producing filesystem layout, indexes, manifests, and README with download-only distribution. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-35-005 | TODO | Implement manifest/provenance writer and KMS signing/attestation (detached + embedded) for bundle outputs. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
[Export & Evidence] 160.B) ExportCenter.III
Depends on: Sprint 160.B - ExportCenter.II
Summary: Export & Evidence focus on ExportCenter (phase III).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
EXPORT-SVC-35-006 | TODO | Expose Export API (profiles, runs, download, SSE updates) with audit logging, concurrency controls, and viewer/operator RBAC integration. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-36-001 | TODO | Implement Trivy DB adapter (core) with schema mappings, version flag gating, and validation harness. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-36-002 | TODO | Add Trivy Java DB variant with shared manifest entries and adapter regression tests. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-36-003 | TODO | Build OCI distribution engine (manifests, descriptors, annotations) with registry auth support and retries. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-36-004 | TODO | Extend planner/run lifecycle for distribution targets (OCI/object storage) with idempotent metadata updates and retention timestamps. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-37-001 | TODO | Implement mirror delta adapter with base manifest comparison, change set generation, and content-addressed reuse. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-37-002 | TODO | Add bundle encryption (age/AES-GCM), key wrapping via KMS, and verification tooling for encrypted outputs. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-37-003 | TODO | Implement export scheduling (cron/event), retention pruning, retry idempotency, and failure classification. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-37-004 | TODO | Provide verification API to stream manifests/hashes, compute hash+signature checks, and return attest status for CLI/UI. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-SVC-43-001 | TODO | Integrate pack run manifests/artifacts into export bundles and CLI verification flows; expose provenance links. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
EXPORT-TEN-48-001 | TODO | Prefix artifacts/manifests with tenant/project, enforce scope checks, and prevent cross-tenant exports unless explicitly whitelisted; update provenance. | Exporter Service Guild (src/ExportCenter/StellaOps.ExportCenter/TASKS.md)
RISK-BUNDLE-69-001 | TODO | Implement `stella export risk-bundle` job producing tarball with provider datasets, manifests, and DSSE signatures. | Risk Bundle Export Guild, Risk Engine Guild (src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md)
RISK-BUNDLE-69-002 | TODO | Integrate bundle job into CI/offline kit pipelines with checksum publication. | Risk Bundle Export Guild, DevOps Guild (src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md)
RISK-BUNDLE-70-001 | TODO | Provide CLI `stella risk bundle verify` command to validate bundles before import. | Risk Bundle Export Guild, CLI Guild (src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md)
RISK-BUNDLE-70-002 | TODO | Publish `/docs/airgap/risk-bundles.md` detailing build/import/verification workflows. | Risk Bundle Export Guild, Docs Guild (src/ExportCenter/StellaOps.ExportCenter.RiskBundles/TASKS.md)
[Export & Evidence] 160.C) TimelineIndexer
Depends on: Sprint 110.A - AdvisoryAI, Sprint 120.A - AirGap, Sprint 130.A - Scanner, Sprint 150.A - Orchestrator
Summary: Export & Evidence focus on TimelineIndexer).
Task ID | State | Task description | Owners (Source)
--- | --- | --- | ---
TIMELINE-OBS-52-001 | TODO | Bootstrap `StellaOps.Timeline.Indexer` service with Postgres migrations for `timeline_events`, `timeline_event_details`, `timeline_event_digests`; enable RLS scaffolding and deterministic migration scripts. | Timeline Indexer Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md)
TIMELINE-OBS-52-002 | TODO | Implement event ingestion pipeline (NATS/Redis consumers) with ordering guarantees, dedupe on `(event_id, tenant_id)`, correlation to trace IDs, and backpressure metrics. | Timeline Indexer Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md)
TIMELINE-OBS-52-003 | TODO | Expose REST/gRPC APIs for timeline queries (`GET /timeline`, `/timeline/{id}`) with filters, pagination, and tenant enforcement. Provide OpenAPI + contract tests. | Timeline Indexer Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md)
TIMELINE-OBS-52-004 | TODO | Finalize RLS policies, scope checks (`timeline:read`), and audit logging for query access. Include integration tests for cross-tenant isolation and legal hold markers. | Timeline Indexer Guild, Security Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md)
TIMELINE-OBS-53-001 | TODO | Link timeline events to evidence bundle digests + attestation subjects; expose `/timeline/{id}/evidence` endpoint returning signed manifest references. | Timeline Indexer Guild, Evidence Locker Guild (src/TimelineIndexer/StellaOps.TimelineIndexer/TASKS.md)
If all tasks are done - read next sprint section - SPRINT_170_notifications_telemetry.md
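Review bot: task IDs in this board are not unique: EXPORT-ATTEST-74-001 appears twice (once owned by Attestation Bundle Guild / Attestor Service Guild via StellaOps.ExportCenter.AttestationBundles/TASKS.md, once by Exporter Service Guild / Attestation Bundle Guild via StellaOps.ExportCenter/TASKS.md), and so does EXPORT-ATTEST-75-001; either merge each pair into one row listing both owners or give the Export Center side its own ID, otherwise state tracking and cross-references between the two TASKS.md files are ambiguous. The phase ordering also looks inverted: ExportCenter.I asks for Export Center jobs such as EXPORT-AIRGAP-56-001 and DVOFF-64-001 (`devportal --offline`), but the exporter service project, configuration and Postgres migrations they run on are bootstrapped in EXPORT-SVC-35-001, which sits in ExportCenter.II and is marked BLOCKED (2025-10-29) with no blocker recorded; consider moving the EXPORT-SVC-35-* rows into phase I and noting what unblocks 35-001. Smaller points: ExportCenter.I, .II and .III all carry the section number 160.B while TimelineIndexer is 160.C; the summaries "focus on EvidenceLocker)." and "focus on TimelineIndexer)." have a stray closing parenthesis; EXPORT-TEN-48-001 should state that cross-tenant exports are deny-by-default and that any allowlisted exception is itself written to the audit log and provenance, since the row leaves who may whitelist and how it is recorded unspecified; and EXPORT-SVC-37-002 (age/AES-GCM bundle encryption) should say whether the DSSE signature from EXPORT-SVC-35-005 covers the plaintext bundle or the encrypted output, because the verification tooling in EXPORT-SVC-37-004 and the offline verify steps depend on that order. Finally, the commit message describes guild charters and task boards for Scanner, Surface.*, Zastava, UI and Plugin Platform, but the only file in this commit is docs/implplan/SPRINT_160_export_evidence.md, and the Docs CI lint-and-preview job was cancelled, so the message should describe this sprint file (or the charter files are missing) and the lint run should be re-triggered before merge.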